pop-pay

pop-pay

Stop AI agents leaking your card or making hallucinated purchases. No SaaS, No login, Fully local. A runtime security layer that protects AI agents during online purchases. It sits between the agent and payment forms

Category
访问服务器

README

npm version License: MIT CI Node.js

<p align="center"> <picture> <img src="https://raw.githubusercontent.com/100xPercent/pop-pay-python/main/project_banner.png" alt="Point One Percent (AgentPay)" width="800"> </picture> </p>

Point One Percent — pop-pay

<p align="left"><i>it only takes <b>0.1%</b> of Hallucination to drain <b>100%</b> of your wallet.</i></p>

The runtime security layer for AI agent commerce. Drop-in CLI + MCP server. Card credentials are injected directly into the browser DOM via CDP — they never enter the agent's context window. One hallucinated prompt can't drain a wallet it can't see.

<p align="center"> <img src="https://raw.githubusercontent.com/100xPercent/pop-pay-python/main/assets/runtime_demo.gif" alt="Point One Percent — live CDP injection demo" width="800"> </p>

Install

Choose your preferred method:

<details> <summary>Homebrew (macOS)</summary>

brew install 100xpercent/tap/pop-pay

</details>

<details> <summary>curl (Linux / macOS) — bootstraps via npm; requires Node.js 18+</summary>

curl -fsSL https://raw.githubusercontent.com/100xPercent/pop-pay/main/install.sh | sh

</details>

<details> <summary>npm (global)</summary>

npm install -g pop-pay

</details>

<details> <summary>npx (no install — one-off runs)</summary>

npx -y pop-pay <command>

</details>

All install paths expose the same binaries: pop-pay, pop-launch, pop-init-vault, pop-unlock.

Also available as @100xpercent/mcp-server-pop-pay — identical package under the MCP @scope/mcp-server-<name> convention. Tracks the same version on every release.

Using Python? Check out pop-pay-pythonpip install pop-pay. Same security model, same vault format, independent release cycle — safe to switch between runtimes.

Quick Start (CLI)

1. Initialize the encrypted credential vault

pop-pay init-vault

This encrypts your card credentials into ~/.config/pop-pay/vault.enc (AES-256-GCM). For stronger protection (blocks agents with shell access):

pop-pay init-vault --passphrase   # one-time setup
pop-pay unlock                     # run once per session

2. Launch Chrome with CDP remote debugging

pop-pay launch

This opens a Chromium instance on http://localhost:9222 that pop-pay injects credentials into. Your agent (via MCP, browser automation, or x402) then drives the checkout flow — card details never leave the browser process.

3. Plug into your agent

The CLI launches infrastructure; the actual payment tool calls come from your agent. Two supported paths:

  • MCP server — add pop-pay to any MCP-compatible client (Claude Code, Cursor, Windsurf, OpenClaw). See MCP Server below.
  • x402 HTTP — pay for API calls via the x402 payment protocol.

Full CLI reference: pop-pay --help.

MCP Server (optional)

Add to your MCP client

Standard config for any MCP-compatible client:

{
  "mcpServers": {
    "pop-pay": {
      "command": "npx",
      "args": ["-y", "pop-pay", "launch-mcp"],
      "env": {
        "POP_CDP_URL": "http://localhost:9222"
      }
    }
  }
}

<img src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20MCP%20Server&color=0098FF" alt="Install in VS Code"> <img alt="Install in VS Code Insiders" src="https://img.shields.io/badge/VS_Code_Insiders-VS_Code_Insiders?style=flat-square&label=Install%20MCP%20Server&color=24bfa5"> <img src="https://img.shields.io/badge/Cursor-Cursor?style=flat-square&label=Install%20MCP%20Server&color=5C2D91" alt="Install in Cursor">

<details> <summary>Claude Code</summary>

Claude Code uses its own CLI — the JSON config above is not needed.

claude mcp add --scope user pop-pay -- npx -y pop-pay launch-mcp

--scope user makes it available across all projects. To remove: claude mcp remove pop-pay

</details>

<details> <summary>Cursor / Windsurf / VS Code</summary>

Add the JSON config above to:

  • Cursor: ~/.cursor/mcp.json
  • Windsurf: ~/.codeium/windsurf/mcp_config.json
  • VS Code (Copilot): .vscode/mcp.json in project root

</details>

<details> <summary>OpenClaw / NemoClaw</summary>

OpenClaw has its own CLI — the JSON config above is not needed.

openclaw mcp add pop-pay -- npx -y pop-pay launch-mcp

Or add to ~/.openclaw/mcp_servers.json using the JSON config above.

For System Prompt templates and NemoClaw sandbox setup, see Integration Guide §4.

</details>

<details> <summary>Docker</summary>

docker-compose up -d

Runs the MCP server + headless Chromium with CDP. Mount your encrypted vault from the host.

</details>

MCP Tools

Tool Description
request_virtual_card Issue a virtual card and inject credentials into the checkout page via CDP. Automatically scans the page for hidden prompt injections.
request_purchaser_info Auto-fill billing/contact info (name, address, email, phone). Automatically scans the page for hidden prompt injections.
request_x402_payment Pay for API calls via the x402 HTTP payment protocol.

Tip for Claude Code users: Add the following to your project's CLAUDE.md to help the agent know when to call pop-pay: "When you encounter a payment form or checkout page, use the request_virtual_card tool. For billing/contact info forms, use request_purchaser_info first."

Configuration

Core variables in ~/.config/pop-pay/.env. See ENV_REFERENCE.md for the full list.

Variable Default Description
POP_ALLOWED_CATEGORIES ["aws","cloudflare"] Approved vendor categories — see Categories Cookbook
POP_MAX_PER_TX 100.0 Max USD per transaction
POP_MAX_DAILY 500.0 Max USD per day
POP_BLOCK_LOOPS true Block hallucination/retry loops
POP_AUTO_INJECT true Enable CDP card injection
POP_GUARDRAIL_ENGINE keyword keyword (zero-cost) or llm (semantic)

Guardrail Mode

keyword (default) llm
Mechanism Keyword matching on reasoning string Semantic analysis via LLM
Cost Zero — no API calls One LLM call per request
Best for Development, low-risk workflows Production, high-value transactions

To enable LLM mode, see Integration Guide §1.

Providers

Provider Description
BYOC (default) Bring Your Own Card — encrypted vault credentials, local CDP injection.
Stripe Issuing Real virtual cards via Stripe API. Requires POP_STRIPE_KEY.
Lithic Multi-issuer adapter (Stripe Issuing / Lithic).
Mock Test mode with generated card numbers for development.

Priority: Stripe Issuing → BYOC Local → Mock.

Security

Layer Defense
Context Isolation Card credentials never enter the agent's context window or logs
Encrypted Vault AES-256-GCM with XOR-split salt and native scrypt key derivation (Rust)
TOCTOU Guard Domain verified at the moment of CDP injection — blocks redirect attacks
Repr Redaction Automatic masking (****-4242) in all MCP responses, logs, and tracebacks

See THREAT_MODEL.md for the full STRIDE analysis and COMPLIANCE_FAQ.md for enterprise details.

Architecture

  • TypeScript — MCP server, CDP injection engine, guardrails, CLI
  • Rust (napi-rs) — Native security layer: XOR-split salt storage, scrypt key derivation
  • Node.js crypto — AES-256-GCM vault encryption (OpenSSL binding)
  • Chrome DevTools Protocol — Direct DOM injection via raw WebSocket

Documentation

License

MIT

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选