Point One Percent — pop-pay

it only takes 0.1% of Hallucination to drain 100% of your wallet.

The runtime security layer for AI agent commerce. Drop-in CLI + MCP server. Card credentials are injected directly into the browser DOM via CDP — they never enter the agent's context window. One hallucinated prompt can't drain a wallet it can't see.

Install

Choose your preferred method:

brew install 100xpercent/tap/pop-pay

curl -fsSL https://raw.githubusercontent.com/100xPercent/pop-pay/main/install.sh | sh

npm install -g pop-pay

npx -y pop-pay <command>

All install paths expose the same binaries: pop-pay, pop-launch, pop-init-vault, pop-unlock.

Also available as @100xpercent/mcp-server-pop-pay — identical package under the MCP @scope/mcp-server-<name> convention. Tracks the same version on every release.

Using Python? Check out pop-pay-python — pip install pop-pay. Same security model, same vault format, independent release cycle — safe to switch between runtimes.

Quick Start (CLI)

1. Initialize the encrypted credential vault

pop-pay init-vault

This encrypts your card credentials into ~/.config/pop-pay/vault.enc (AES-256-GCM). For stronger protection (blocks agents with shell access):

pop-pay init-vault --passphrase   # one-time setup
pop-pay unlock                     # run once per session

2. Launch Chrome with CDP remote debugging

pop-pay launch

This opens a Chromium instance on http://localhost:9222 that pop-pay injects credentials into. Your agent (via MCP, browser automation, or x402) then drives the checkout flow — card details never leave the browser process.

3. Plug into your agent

The CLI launches infrastructure; the actual payment tool calls come from your agent. Two supported paths:

• MCP server — add pop-pay to any MCP-compatible client (Claude Code, Cursor, Windsurf, OpenClaw). See MCP Server below.
• x402 HTTP — pay for API calls via the x402 payment protocol.

Full CLI reference: pop-pay --help.

MCP Server (optional)

Add to your MCP client

Standard config for any MCP-compatible client:

{
  "mcpServers": {
    "pop-pay": {
      "command": "npx",
      "args": ["-y", "pop-pay", "launch-mcp"],
      "env": {
        "POP_CDP_URL": "http://localhost:9222"
      }
    }
  }
}

claude mcp add --scope user pop-pay -- npx -y pop-pay launch-mcp

openclaw mcp add pop-pay -- npx -y pop-pay launch-mcp

docker-compose up -d

MCP Tools

Tip for Claude Code users: Add the following to your project's CLAUDE.md to help the agent know when to call pop-pay: "When you encounter a payment form or checkout page, use the request_virtual_card tool. For billing/contact info forms, use request_purchaser_info first."

Configuration

Core variables in ~/.config/pop-pay/.env. See ENV_REFERENCE.md for the full list.

Guardrail Mode

To enable LLM mode, see Integration Guide §1.

Providers

Priority: Stripe Issuing → BYOC Local → Mock.

Security

See THREAT_MODEL.md for the full STRIDE analysis and COMPLIANCE_FAQ.md for enterprise details.

Architecture

• TypeScript — MCP server, CDP injection engine, guardrails, CLI
• Rust (napi-rs) — Native security layer: XOR-split salt storage, scrypt key derivation
• Node.js crypto — AES-256-GCM vault encryption (OpenSSL binding)
• Chrome DevTools Protocol — Direct DOM injection via raw WebSocket

Documentation

• Threat Model — STRIDE analysis, 5 security primitives, 10 attack scenarios
• Guardrail Benchmark — Cross-model evaluation (Anthropic / OpenAI / Gemini) across 585 payloads, 11 attack categories
• Compliance FAQ — PCI DSS, SOC 2, GDPR details
• Environment Reference — All POP_* environment variables
• Integration Guide — Setup for Claude Code, Node.js SDK, and browser agents
• Categories Cookbook — POP_ALLOWED_CATEGORIES patterns and examples

License

MIT