pop-pay 0.1.0

package/dist/core/models.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PaymentIntentSchema = exports.GuardrailPolicySchema = void 0;
+const zod_1 = require("zod");
+exports.GuardrailPolicySchema = zod_1.z.object({
+    allowedCategories: zod_1.z.array(zod_1.z.string()).default([]),
+    maxAmountPerTx: zod_1.z.number().positive(),
+    maxDailyBudget: zod_1.z.number().positive(),
+    blockHallucinationLoops: zod_1.z.boolean().default(true),
+    webhookUrl: zod_1.z.string().nullable().default(null),
+});
+exports.PaymentIntentSchema = zod_1.z.object({
+    agentId: zod_1.z.string(),
+    requestedAmount: zod_1.z.number().positive(),
+    targetVendor: zod_1.z.string().max(200),
+    reasoning: zod_1.z.string().max(2000),
+    pageUrl: zod_1.z.string().nullable().default(null),
+});
+//# sourceMappingURL=models.js.map

package/dist/core/models.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.js","sourceRoot":"","sources":["../../src/core/models.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AAEX,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,iBAAiB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAClD,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,uBAAuB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClD,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAChD,CAAC,CAAC;AAIU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC;IACjC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;IAC/B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAC7C,CAAC,CAAC"}

package/dist/core/state.d.ts

@@ -0,0 +1,15 @@
+export declare class PopStateTracker {
+    private db;
+    dailySpendTotal: number;
+    constructor(dbPath?: string);
+    private initDb;
+    private getTodaySpent;
+    canSpend(amount: number, maxDailyBudget: number): boolean;
+    addSpend(amount: number): void;
+    recordSeal(sealId: string, amount: number, vendor: string, status?: string, maskedCard?: string | null, expirationDate?: string | null): void;
+    getSealMaskedCard(sealId: string): string;
+    markUsed(sealId: string): void;
+    isUsed(sealId: string): boolean;
+    close(): void;
+}
+//# sourceMappingURL=state.d.ts.map

package/dist/core/state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.d.ts","sourceRoot":"","sources":["../../src/core/state.ts"],"names":[],"mappings":"AAEA,qBAAa,eAAe;IAC1B,OAAO,CAAC,EAAE,CAAoB;IAC9B,eAAe,EAAE,MAAM,CAAC;gBAEZ,MAAM,GAAE,MAAuB;IAO3C,OAAO,CAAC,MAAM;IAoBd,OAAO,CAAC,aAAa;IAQrB,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO;IAKzD,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAY9B,UAAU,CACR,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,MAAM,GAAE,MAAiB,EACzB,UAAU,GAAE,MAAM,GAAG,IAAW,EAChC,cAAc,GAAE,MAAM,GAAG,IAAW,GACnC,IAAI;IASP,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAOzC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAM9B,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAO/B,KAAK,IAAI,IAAI;CAGd"}

package/dist/core/state.js

@@ -0,0 +1,84 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PopStateTracker = void 0;
+const better_sqlite3_1 = __importDefault(require("better-sqlite3"));
+class PopStateTracker {
+    db;
+    dailySpendTotal;
+    constructor(dbPath = "pop_state.db") {
+        this.db = new better_sqlite3_1.default(dbPath);
+        this.db.pragma("journal_mode = WAL");
+        this.initDb();
+        this.dailySpendTotal = this.getTodaySpent();
+    }
+    initDb() {
+        this.db.exec(`
+      CREATE TABLE IF NOT EXISTS daily_budget (
+        date TEXT PRIMARY KEY,
+        spent_amount REAL
+      )
+    `);
+        this.db.exec(`
+      CREATE TABLE IF NOT EXISTS issued_seals (
+        seal_id TEXT PRIMARY KEY,
+        amount REAL,
+        vendor TEXT,
+        status TEXT,
+        masked_card TEXT,
+        expiration_date TEXT,
+        timestamp DATETIME DEFAULT CURRENT_TIMESTAMP
+      )
+    `);
+    }
+    getTodaySpent() {
+        const today = new Date().toISOString().slice(0, 10);
+        const row = this.db
+            .prepare("SELECT spent_amount FROM daily_budget WHERE date = ?")
+            .get(today);
+        return row?.spent_amount ?? 0.0;
+    }
+    canSpend(amount, maxDailyBudget) {
+        const spentToday = this.getTodaySpent();
+        return spentToday + amount <= maxDailyBudget;
+    }
+    addSpend(amount) {
+        const today = new Date().toISOString().slice(0, 10);
+        this.db
+            .prepare(`INSERT INTO daily_budget (date, spent_amount)
+         VALUES (?, ?)
+         ON CONFLICT(date) DO UPDATE SET spent_amount = spent_amount + ?`)
+            .run(today, amount, amount);
+        this.dailySpendTotal = this.getTodaySpent();
+    }
+    recordSeal(sealId, amount, vendor, status = "Issued", maskedCard = null, expirationDate = null) {
+        this.db
+            .prepare(`INSERT INTO issued_seals (seal_id, amount, vendor, status, masked_card, expiration_date)
+         VALUES (?, ?, ?, ?, ?, ?)`)
+            .run(sealId, amount, vendor, status, maskedCard, expirationDate);
+    }
+    getSealMaskedCard(sealId) {
+        const row = this.db
+            .prepare("SELECT masked_card FROM issued_seals WHERE seal_id = ?")
+            .get(sealId);
+        return row?.masked_card ?? "";
+    }
+    markUsed(sealId) {
+        this.db
+            .prepare("UPDATE issued_seals SET status = 'Used' WHERE seal_id = ?")
+            .run(sealId);
+    }
+    isUsed(sealId) {
+        const row = this.db
+            .prepare("SELECT status FROM issued_seals WHERE seal_id = ?")
+            .get(sealId);
+        return row?.status === "Used";
+    }
+    close() {
+        this.db.close();
+    }
+}
+exports.PopStateTracker = PopStateTracker;
+//# sourceMappingURL=state.js.map

package/dist/core/state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.js","sourceRoot":"","sources":["../../src/core/state.ts"],"names":[],"mappings":";;;;;;AAAA,oEAAsC;AAEtC,MAAa,eAAe;IAClB,EAAE,CAAoB;IAC9B,eAAe,CAAS;IAExB,YAAY,SAAiB,cAAc;QACzC,IAAI,CAAC,EAAE,GAAG,IAAI,wBAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,EAAE,CAAC;QACd,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IAC9C,CAAC;IAEO,MAAM;QACZ,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC;;;;;KAKZ,CAAC,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;KAUZ,CAAC,CAAC;IACL,CAAC;IAEO,aAAa;QACnB,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,sDAAsD,CAAC;aAC/D,GAAG,CAAC,KAAK,CAAyC,CAAC;QACtD,OAAO,GAAG,EAAE,YAAY,IAAI,GAAG,CAAC;IAClC,CAAC;IAED,QAAQ,CAAC,MAAc,EAAE,cAAsB;QAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;QACxC,OAAO,UAAU,GAAG,MAAM,IAAI,cAAc,CAAC;IAC/C,CAAC;IAED,QAAQ,CAAC,MAAc;QACrB,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpD,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;;yEAEiE,CAClE;aACA,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IAC9C,CAAC;IAED,UAAU,CACR,MAAc,EACd,MAAc,EACd,MAAc,EACd,SAAiB,QAAQ,EACzB,aAA4B,IAAI,EAChC,iBAAgC,IAAI;QAEpC,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;mCAC2B,CAC5B;aACA,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IACrE,CAAC;IAED,iBAAiB,CAAC,MAAc;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,wDAAwD,CAAC;aACjE,GAAG,CAAC,MAAM,CAAwC,CAAC;QACtD,OAAO,GAAG,EAAE,WAAW,IAAI,EAAE,CAAC;IAChC,CAAC;IAED,QAAQ,CAAC,MAAc;QACrB,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,2DAA2D,CAAC;aACpE,GAAG,CAAC,MAAM,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,CAAC,MAAc;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,mDAAmD,CAAC;aAC5D,GAAG,CAAC,MAAM,CAAmC,CAAC;QACjD,OAAO,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;IAChC,CAAC;IAED,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;CACF;AA/FD,0CA+FC"}

package/dist/engine/guardrails.d.ts

@@ -0,0 +1,6 @@
+import type { PaymentIntent, GuardrailPolicy } from "../core/models.js";
+export declare function matchVendor(vendorName: string, allowedCategories: string[], pageDomain?: string): boolean;
+export declare class GuardrailEngine {
+    evaluateIntent(intent: PaymentIntent, policy: GuardrailPolicy): Promise<[boolean, string]>;
+}
+//# sourceMappingURL=guardrails.d.ts.map

package/dist/engine/guardrails.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guardrails.d.ts","sourceRoot":"","sources":["../../src/engine/guardrails.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAMxE,wBAAgB,WAAW,CACzB,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,MAAM,EAAE,EAC3B,UAAU,GAAE,MAAW,GACtB,OAAO,CAuCT;AAmBD,qBAAa,eAAe;IACpB,cAAc,CAClB,MAAM,EAAE,aAAa,EACrB,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;CAsE9B"}

package/dist/engine/guardrails.js

@@ -0,0 +1,128 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GuardrailEngine = void 0;
+exports.matchVendor = matchVendor;
+function tokenize(s) {
+    return new Set(s.toLowerCase().split(/[\s\-_./]+/).filter(Boolean));
+}
+function matchVendor(vendorName, allowedCategories, pageDomain = "") {
+    const vendorLower = vendorName.toLowerCase();
+    const vendorTokens = tokenize(vendorName);
+    const allowedLower = allowedCategories.map((c) => c.toLowerCase());
+    const pageDomainTokens = pageDomain
+        ? new Set(pageDomain
+            .toLowerCase()
+            .replace(/^www\./, "")
+            .split(/[\s\-_./]+/)
+            .filter((tok) => tok && tok.length >= 4))
+        : new Set();
+    // Exact match
+    if (allowedLower.includes(vendorLower))
+        return true;
+    // Token-in-allowed
+    for (const tok of vendorTokens) {
+        if (allowedLower.includes(tok))
+            return true;
+    }
+    // Allowed-subset-of-vendor
+    for (const cat of allowedLower) {
+        const catTokens = tokenize(cat);
+        catTokens.delete("");
+        if (catTokens.size > 0 && [...catTokens].every((t) => vendorTokens.has(t)))
+            return true;
+    }
+    // Page domain match
+    if (pageDomain) {
+        for (const cat of allowedLower) {
+            const catTokens = tokenize(cat);
+            catTokens.delete("");
+            if (catTokens.size > 0 && [...catTokens].every((t) => pageDomainTokens.has(t)))
+                return true;
+        }
+    }
+    return false;
+}
+const KNOWN_VENDOR_DOMAINS = {
+    aws: ["amazonaws.com", "aws.amazon.com"],
+    amazon: ["amazon.com", "amazon.co.uk", "amazon.co.jp"],
+    github: ["github.com"],
+    cloudflare: ["cloudflare.com"],
+    openai: ["openai.com", "platform.openai.com"],
+    stripe: ["stripe.com", "dashboard.stripe.com"],
+    anthropic: ["anthropic.com", "claude.ai"],
+    google: ["google.com", "cloud.google.com", "console.cloud.google.com"],
+    microsoft: ["microsoft.com", "azure.microsoft.com", "portal.azure.com"],
+    wikipedia: ["wikipedia.org", "wikimedia.org", "donate.wikimedia.org"],
+    digitalocean: ["digitalocean.com", "cloud.digitalocean.com"],
+    heroku: ["heroku.com", "dashboard.heroku.com"],
+    vercel: ["vercel.com", "app.vercel.com"],
+    netlify: ["netlify.com", "app.netlify.com"],
+};
+class GuardrailEngine {
+    async evaluateIntent(intent, policy) {
+        // Rule 1: Vendor/Category check
+        if (!matchVendor(intent.targetVendor, policy.allowedCategories)) {
+            return [false, "Vendor not in allowed categories"];
+        }
+        // Rule 2: Hallucination/Loop detection
+        if (policy.blockHallucinationLoops) {
+            const reasoningLower = intent.reasoning.toLowerCase();
+            const loopKeywords = ["retry", "failed again", "loop", "ignore previous", "stuck"];
+            for (const kw of loopKeywords) {
+                if (reasoningLower.includes(kw)) {
+                    return [false, "Hallucination or infinite loop detected in reasoning"];
+                }
+            }
+            // Rule 3: Injection pattern detection
+            const injectionPatterns = [
+                /\{.*".*".*:/,
+                /output\s*:/,
+                /you are now/,
+                /ignore (all |previous |your |the )/,
+                /already (approved|authorized|confirmed)/,
+                /system (says|has|override)/,
+            ];
+            for (const pattern of injectionPatterns) {
+                if (pattern.test(reasoningLower)) {
+                    return [false, "Potential prompt injection detected in reasoning"];
+                }
+            }
+            // User-defined extra keywords from env
+            const extraKeywordsRaw = process.env.POP_EXTRA_BLOCK_KEYWORDS ?? "";
+            const extraKeywords = extraKeywordsRaw
+                .split(",")
+                .map((kw) => kw.trim().toLowerCase())
+                .filter(Boolean);
+            for (const kw of extraKeywords) {
+                if (reasoningLower.includes(kw)) {
+                    return [false, `Blocked by custom keyword policy: '${kw}'`];
+                }
+            }
+        }
+        // Rule 4: page_url domain cross-validation
+        if (intent.pageUrl) {
+            try {
+                const parsed = new URL(intent.pageUrl);
+                let netloc = parsed.hostname.toLowerCase();
+                if (netloc.startsWith("www."))
+                    netloc = netloc.slice(4);
+                const vendorTokens = tokenize(intent.targetVendor);
+                for (const [knownVendor, knownDomains] of Object.entries(KNOWN_VENDOR_DOMAINS)) {
+                    if (vendorTokens.has(knownVendor)) {
+                        const domainOk = knownDomains.some((d) => netloc === d || netloc.endsWith("." + d));
+                        if (!domainOk) {
+                            return [false, "Page URL domain does not match expected vendor domain"];
+                        }
+                        break;
+                    }
+                }
+            }
+            catch {
+                // Invalid URL — skip domain validation
+            }
+        }
+        return [true, "Approved"];
+    }
+}
+exports.GuardrailEngine = GuardrailEngine;
+//# sourceMappingURL=guardrails.js.map

package/dist/engine/guardrails.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guardrails.js","sourceRoot":"","sources":["../../src/engine/guardrails.ts"],"names":[],"mappings":";;;AAMA,kCA2CC;AA/CD,SAAS,QAAQ,CAAC,CAAS;IACzB,OAAO,IAAI,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,SAAgB,WAAW,CACzB,UAAkB,EAClB,iBAA2B,EAC3B,aAAqB,EAAE;IAEvB,MAAM,WAAW,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IAC7C,MAAM,YAAY,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC1C,MAAM,YAAY,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACnE,MAAM,gBAAgB,GAAG,UAAU;QACjC,CAAC,CAAC,IAAI,GAAG,CACL,UAAU;aACP,WAAW,EAAE;aACb,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;aACrB,KAAK,CAAC,YAAY,CAAC;aACnB,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,CAC3C;QACH,CAAC,CAAC,IAAI,GAAG,EAAU,CAAC;IAEtB,cAAc;IACd,IAAI,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpD,mBAAmB;IACnB,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAC9C,CAAC;IAED,2BAA2B;IAC3B,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;QAChC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACrB,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAC1F,CAAC;IAED,oBAAoB;IACpB,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;YAChC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACrB,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC9F,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,oBAAoB,GAA6B;IACrD,GAAG,EAAE,CAAC,eAAe,EAAE,gBAAgB,CAAC;IACxC,MAAM,EAAE,CAAC,YAAY,EAAE,cAAc,EAAE,cAAc,CAAC;IACtD,MAAM,EAAE,CAAC,YAAY,CAAC;IACtB,UAAU,EAAE,CAAC,gBAAgB,CAAC;IAC9B,MAAM,EAAE,CAAC,YAAY,EAAE,qBAAqB,CAAC;IAC7C,MAAM,EAAE,CAAC,YAAY,EAAE,sBAAsB,CAAC;IAC9C,SAAS,EAAE,CAAC,eAAe,EAAE,WAAW,CAAC;IACzC,MAAM,EAAE,CAAC,YAAY,EAAE,kBAAkB,EAAE,0BAA0B,CAAC;IACtE,SAAS,EAAE,CAAC,eAAe,EAAE,qBAAqB,EAAE,kBAAkB,CAAC;IACvE,SAAS,EAAE,CAAC,eAAe,EAAE,eAAe,EAAE,sBAAsB,CAAC;IACrE,YAAY,EAAE,CAAC,kBAAkB,EAAE,wBAAwB,CAAC;IAC5D,MAAM,EAAE,CAAC,YAAY,EAAE,sBAAsB,CAAC;IAC9C,MAAM,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;IACxC,OAAO,EAAE,CAAC,aAAa,EAAE,iBAAiB,CAAC;CAC5C,CAAC;AAEF,MAAa,eAAe;IAC1B,KAAK,CAAC,cAAc,CAClB,MAAqB,EACrB,MAAuB;QAEvB,gCAAgC;QAChC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAChE,OAAO,CAAC,KAAK,EAAE,kCAAkC,CAAC,CAAC;QACrD,CAAC;QAED,uCAAuC;QACvC,IAAI,MAAM,CAAC,uBAAuB,EAAE,CAAC;YACnC,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACtD,MAAM,YAAY,GAAG,CAAC,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,iBAAiB,EAAE,OAAO,CAAC,CAAC;YACnF,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;gBAC9B,IAAI,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;oBAChC,OAAO,CAAC,KAAK,EAAE,sDAAsD,CAAC,CAAC;gBACzE,CAAC;YACH,CAAC;YAED,sCAAsC;YACtC,MAAM,iBAAiB,GAAG;gBACxB,aAAa;gBACb,YAAY;gBACZ,aAAa;gBACb,oCAAoC;gBACpC,yCAAyC;gBACzC,4BAA4B;aAC7B,CAAC;YACF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,IAAI,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;oBACjC,OAAO,CAAC,KAAK,EAAE,kDAAkD,CAAC,CAAC;gBACrE,CAAC;YACH,CAAC;YAED,uCAAuC;YACvC,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAC;YACpE,MAAM,aAAa,GAAG,gBAAgB;iBACnC,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;iBACpC,MAAM,CAAC,OAAO,CAAC,CAAC;YACnB,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;gBAC/B,IAAI,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;oBAChC,OAAO,CAAC,KAAK,EAAE,sCAAsC,EAAE,GAAG,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;QACH,CAAC;QAED,2CAA2C;QAC3C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBACvC,IAAI,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;gBAC3C,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;oBAAE,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAExD,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBACnD,KAAK,MAAM,CAAC,WAAW,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,CAAC;oBAC/E,IAAI,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;wBAClC,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAChD,CAAC;wBACF,IAAI,CAAC,QAAQ,EAAE,CAAC;4BACd,OAAO,CAAC,KAAK,EAAE,uDAAuD,CAAC,CAAC;wBAC1E,CAAC;wBACD,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,uCAAuC;YACzC,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAC5B,CAAC;CACF;AA1ED,0CA0EC"}

package/dist/engine/injector.d.ts

@@ -0,0 +1,87 @@
+/**
+ * PopBrowserInjector: CDP-based browser injector with iframe + Shadow DOM traversal.
+ *
+ * Connects to an already-running Chromium browser (via --remote-debugging-port)
+ * and auto-fills credit card fields on the active page — including fields inside
+ * Stripe and other third-party payment iframes. Also fills billing detail fields
+ * (name, address, email) that live in the main page frame.
+ *
+ * New in TS port: Shadow DOM piercing support.
+ */
+export declare const CARD_NUMBER_SELECTORS: string[];
+export declare const EXPIRY_SELECTORS: string[];
+export declare const CVV_SELECTORS: string[];
+export declare const FIRST_NAME_SELECTORS: string[];
+export declare const LAST_NAME_SELECTORS: string[];
+export declare const FULL_NAME_SELECTORS: string[];
+export declare const STREET_SELECTORS: string[];
+export declare const ZIP_SELECTORS: string[];
+export declare const EMAIL_SELECTORS: string[];
+export declare const PHONE_SELECTORS: string[];
+export declare const PHONE_COUNTRY_CODE_SELECTORS: string[];
+export declare const COUNTRY_SELECTORS: string[];
+export declare const STATE_SELECTORS: string[];
+export declare const CITY_SELECTORS: string[];
+export declare function ssrfValidateUrl(url: string): string | null;
+export interface InjectionResult {
+    cardFilled: boolean;
+    billingFilled: boolean;
+    blockedReason: string;
+    billingDetails?: {
+        filled: string[];
+        failed: string[];
+        skipped: string[];
+    };
+}
+export interface BillingInfo {
+    firstName: string;
+    lastName: string;
+    street: string;
+    city: string;
+    state: string;
+    country: string;
+    zip: string;
+    email: string;
+    phone: string;
+    phoneCountryCode: string;
+}
+export interface PageSnapshot {
+    url: string;
+    title: string;
+    html: string;
+    frames: {
+        url: string;
+        html: string;
+    }[];
+}
+export declare function verifyDomainToctou(pageUrl: string, approvedVendor: string): string | null;
+export declare class PopBrowserInjector {
+    private cdpUrl;
+    private headless;
+    constructor(cdpUrl?: string, headless?: boolean);
+    injectPaymentInfo(opts: {
+        sealId: string;
+        cardNumber: string;
+        cvv: string;
+        expirationDate: string;
+        pageUrl?: string;
+        approvedVendor?: string;
+    }): Promise<InjectionResult>;
+    injectBillingOnly(opts: {
+        pageUrl?: string;
+        approvedVendor?: string;
+    }): Promise<InjectionResult>;
+    pageSnapshot(pageUrl?: string): Promise<PageSnapshot | null>;
+    private findBestTarget;
+    private fillCardAcrossFrames;
+    private fillCardInContext;
+    private fillCardInShadowDom;
+    private fillInputViaEval;
+    private selectOption;
+    private fillBillingField;
+    private fillBillingFields;
+    private loadBillingInfo;
+    private enableBlackout;
+    static maskedCard(cardNumber: string): string;
+}
+//# sourceMappingURL=injector.d.ts.map

package/dist/engine/injector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injector.d.ts","sourceRoot":"","sources":["../../src/engine/injector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAsDH,eAAO,MAAM,qBAAqB,UAUjC,CAAC;AAEF,eAAO,MAAM,gBAAgB,UAS5B,CAAC;AAEF,eAAO,MAAM,aAAa,UAUzB,CAAC;AAKF,eAAO,MAAM,oBAAoB,UAMhC,CAAC;AAEF,eAAO,MAAM,mBAAmB,UAM/B,CAAC;AAEF,eAAO,MAAM,mBAAmB,UAM/B,CAAC;AAEF,eAAO,MAAM,gBAAgB,UAQ5B,CAAC;AAEF,eAAO,MAAM,aAAa,UAQzB,CAAC;AAEF,eAAO,MAAM,eAAe,UAM3B,CAAC;AAEF,eAAO,MAAM,eAAe,UAQ3B,CAAC;AAEF,eAAO,MAAM,4BAA4B,UAQxC,CAAC;AAEF,eAAO,MAAM,iBAAiB,UAM7B,CAAC;AAEF,eAAO,MAAM,eAAe,UAQ3B,CAAC;AAEF,eAAO,MAAM,cAAc,UAO1B,CAAC;AAyBF,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyB1D;AA6BD,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,OAAO,CAAC;IACpB,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAC5E;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACzC;AAKD,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,MAAM,GACrB,MAAM,GAAG,IAAI,CA8Df;AA2ED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,QAAQ,CAAU;gBAEd,MAAM,GAAE,MAAgC,EAAE,QAAQ,GAAE,OAAe;IAQzE,iBAAiB,CAAC,IAAI,EAAE;QAC5B,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,cAAc,EAAE,MAAM,CAAC;QACvB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GAAG,OAAO,CAAC,eAAe,CAAC;IAqEtB,iBAAiB,CAAC,IAAI,EAAE;QAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GAAG,OAAO,CAAC,eAAe,CAAC;IA0CtB,YAAY,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;YA2DpD,cAAc;YAqCd,oBAAoB;YAoDpB,iBAAiB;YA8BjB,mBAAmB;YA8FnB,gBAAgB;YAwChB,YAAY;YAyEZ,gBAAgB;YAqChB,iBAAiB;IAkE/B,OAAO,CAAC,eAAe;YAkBT,cAAc;IAgD5B,MAAM,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;CAI9C"}