pop-pay 0.1.0

package/dist/mcp-server.js

@@ -0,0 +1,334 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * pop-pay MCP Server — stdio transport.
+ * Tools: request_virtual_card, request_purchaser_info, request_x402_payment
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const zod_1 = require("zod");
+const node_crypto_1 = require("node:crypto");
+const dotenv_1 = require("dotenv");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const client_js_1 = require("./client.js");
+const stripe_mock_js_1 = require("./providers/stripe-mock.js");
+const byoc_local_js_1 = require("./providers/byoc-local.js");
+const guardrails_js_1 = require("./engine/guardrails.js");
+async function main() {
+    // Load .env from config dir first, then fallback
+    const configEnv = (0, node_path_1.join)((0, node_os_1.homedir)(), ".config", "pop-pay", ".env");
+    if ((0, node_fs_1.existsSync)(configEnv)) {
+        (0, dotenv_1.config)({ path: configEnv });
+    }
+    else {
+        (0, dotenv_1.config)();
+    }
+    // Load vault credentials
+    let vaultCreds = {};
+    try {
+        const { vaultExists, loadVault, loadKeyFromKeyring, OSS_WARNING } = await import("./vault.js");
+        if (vaultExists()) {
+            const keyringKey = await loadKeyFromKeyring();
+            if (!keyringKey) {
+                process.stderr.write(OSS_WARNING);
+            }
+            vaultCreds = await loadVault();
+        }
+    }
+    catch { }
+    // Set vault creds as env defaults
+    if (vaultCreds.card_number)
+        process.env.POP_BYOC_NUMBER ??= vaultCreds.card_number;
+    if (vaultCreds.cvv)
+        process.env.POP_BYOC_CVV ??= vaultCreds.cvv;
+    if (vaultCreds.exp_month)
+        process.env.POP_BYOC_EXP_MONTH ??= vaultCreds.exp_month;
+    if (vaultCreds.exp_year)
+        process.env.POP_BYOC_EXP_YEAR ??= vaultCreds.exp_year;
+    // Configuration
+    const allowedCategories = JSON.parse(process.env.POP_ALLOWED_CATEGORIES ?? '["aws", "cloudflare"]');
+    const maxPerTx = parseFloat(process.env.POP_MAX_PER_TX ?? "100.0");
+    const maxDaily = parseFloat(process.env.POP_MAX_DAILY ?? "500.0");
+    const blockLoops = (process.env.POP_BLOCK_LOOPS ?? "true").toLowerCase() === "true";
+    const stripeKey = process.env.POP_STRIPE_KEY;
+    const webhookUrl = process.env.POP_WEBHOOK_URL ?? null;
+    const policy = {
+        allowedCategories,
+        maxAmountPerTx: maxPerTx,
+        maxDailyBudget: maxDaily,
+        blockHallucinationLoops: blockLoops,
+        webhookUrl,
+    };
+    // Provider selection
+    let provider;
+    if (stripeKey) {
+        const { StripeIssuingProvider } = await import("./providers/stripe-real.js");
+        provider = new StripeIssuingProvider(stripeKey);
+    }
+    else if (process.env.POP_BYOC_NUMBER) {
+        provider = new byoc_local_js_1.LocalVaultProvider();
+    }
+    else {
+        provider = new stripe_mock_js_1.MockStripeProvider();
+    }
+    // Engine selection
+    let engine;
+    const engineType = (process.env.POP_GUARDRAIL_ENGINE ?? "keyword").toLowerCase();
+    if (engineType === "llm") {
+        const { HybridGuardrailEngine, LLMGuardrailEngine } = await import("./engine/llm-guardrails.js");
+        engine = new HybridGuardrailEngine(new LLMGuardrailEngine({
+            apiKey: process.env.POP_LLM_API_KEY ?? "",
+            baseUrl: process.env.POP_LLM_BASE_URL ?? undefined,
+            model: process.env.POP_LLM_MODEL ?? "gpt-4o-mini",
+            useJsonMode: true,
+        }));
+    }
+    else {
+        engine = new guardrails_js_1.GuardrailEngine();
+    }
+    const client = new client_js_1.PopClient(provider, policy, engine);
+    // Snapshot cache for security scans
+    const snapshotCache = new Map();
+    const SNAPSHOT_CACHE_MAX = 200;
+    // Hidden element detection regex
+    const HIDDEN_STYLE_RE = /(?:style\s*=\s*["'](?:[^"']*(?:display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0|font-size\s*:\s*0|height\s*:\s*0|width\s*:\s*0))[^"']*["'])|(?:class\s*=\s*["'](?:[^"']*(?:hidden|visually-hidden|sr-only|d-none))[^"']*["'])/i;
+    const PRICE_RE = /[\$\u00a3\u20ac\u00a5]\s?\d+(?:\.\d{2})?/g;
+    async function scanPage(pageUrl) {
+        const snapshotId = (0, node_crypto_1.randomUUID)();
+        const flags = [];
+        // SSRF guard
+        try {
+            const parsed = new URL(pageUrl);
+            if (parsed.protocol !== "https:") {
+                return { flags: ["invalid_url"], snapshotId, safe: false, error: "pop-pay only accepts https:// URLs." };
+            }
+        }
+        catch {
+            return { flags: ["invalid_url"], snapshotId, safe: false, error: "Invalid URL." };
+        }
+        // Fetch HTML
+        let html = "";
+        try {
+            const resp = await fetch(pageUrl, { redirect: "follow", signal: AbortSignal.timeout(10000) });
+            html = await resp.text();
+            const finalUrl = new URL(resp.url);
+            const origUrl = new URL(pageUrl);
+            if (finalUrl.hostname !== origUrl.hostname) {
+                flags.push("unexpected_redirect");
+            }
+        }
+        catch (e) {
+            flags.push("ssl_anomaly");
+            return { flags, snapshotId, safe: false, error: `Error fetching page: ${e.message}` };
+        }
+        // Prompt injection scan
+        const instructionKeywords = [
+            "ignore", "instead", "system", "user", "override", "instruction", "always", "never", "prompt",
+        ];
+        let hiddenInstructionsDetected = false;
+        let match;
+        const re = new RegExp(HIDDEN_STYLE_RE.source, "gi");
+        while ((match = re.exec(html)) !== null) {
+            const context = html.slice(match.index + match[0].length, match.index + match[0].length + 300).toLowerCase();
+            if (instructionKeywords.some((kw) => context.includes(kw))) {
+                hiddenInstructionsDetected = true;
+                break;
+            }
+        }
+        if (hiddenInstructionsDetected)
+            flags.push("hidden_instructions_detected");
+        // Price mismatch
+        const prices = new Set(html.match(PRICE_RE) ?? []);
+        if (prices.size > 2)
+            flags.push("price_mismatch");
+        // Cache
+        if (snapshotCache.size >= SNAPSHOT_CACHE_MAX) {
+            let oldest = null;
+            let oldestTime = Infinity;
+            for (const [k, v] of snapshotCache) {
+                if (v.timestamp.getTime() < oldestTime) {
+                    oldest = k;
+                    oldestTime = v.timestamp.getTime();
+                }
+            }
+            if (oldest)
+                snapshotCache.delete(oldest);
+        }
+        snapshotCache.set(pageUrl, { snapshotId, timestamp: new Date(), flags });
+        const safe = !flags.includes("hidden_instructions_detected");
+        return { flags, snapshotId, safe, error: null };
+    }
+    function ssrfValidateUrl(url) {
+        try {
+            const parsed = new URL(url);
+            if (!["http:", "https:"].includes(parsed.protocol)) {
+                return "Only http/https URLs are allowed.";
+            }
+        }
+        catch {
+            return "Invalid URL.";
+        }
+        return null;
+    }
+    // MCP Server
+    const server = new mcp_js_1.McpServer({ name: "pop-pay", version: "0.1.0" });
+    server.tool("request_virtual_card", "Request a one-time virtual credit card for an automated purchase. ONLY call when card input fields are visible on the checkout page.", {
+        requested_amount: zod_1.z.number().positive().describe("Amount to authorize"),
+        target_vendor: zod_1.z.string().describe("Human-readable vendor name (e.g. 'AWS', 'Wikipedia')"),
+        reasoning: zod_1.z.string().describe("Agent reasoning for the payment"),
+        page_url: zod_1.z.string().optional().describe("Current checkout page URL"),
+    }, async ({ requested_amount, target_vendor, reasoning, page_url }) => {
+        // Security scan
+        let scanNote = "";
+        if (page_url) {
+            const cached = snapshotCache.get(page_url);
+            let scanResult;
+            if (cached && Date.now() - cached.timestamp.getTime() < 5 * 60 * 1000) {
+                scanResult = {
+                    flags: cached.flags,
+                    snapshotId: cached.snapshotId,
+                    safe: !cached.flags.includes("hidden_instructions_detected"),
+                    error: null,
+                };
+            }
+            else {
+                scanResult = await scanPage(page_url);
+            }
+            if (scanResult.error) {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: `Payment rejected. Security scan failed: ${scanResult.error} Snapshot ID: ${scanResult.snapshotId}.`,
+                        },
+                    ],
+                };
+            }
+            if (!scanResult.safe) {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: `Payment rejected. Security scan detected hidden prompt injection. Snapshot ID: ${scanResult.snapshotId}. Flags: ${scanResult.flags.join(", ")}. Do not retry this payment.`,
+                        },
+                    ],
+                };
+            }
+        }
+        else {
+            scanNote = " (security scan skipped \u2014 no page_url provided)";
+        }
+        const intent = {
+            agentId: "mcp-agent",
+            requestedAmount: requested_amount,
+            targetVendor: target_vendor,
+            reasoning,
+            pageUrl: page_url ?? null,
+        };
+        const seal = await client.processPayment(intent);
+        if (seal.status === "Rejected") {
+            return {
+                content: [
+                    { type: "text", text: `Payment rejected by guardrails. Reason: ${seal.rejectionReason}` },
+                ],
+            };
+        }
+        const last4 = seal.cardNumber?.slice(-4) ?? "????";
+        const maskedCard = `****-****-****-${last4}`;
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Payment approved. Card Issued: ${maskedCard}, Expiry: ${seal.expirationDate}, Amount: ${seal.authorizedAmount}${scanNote}`,
+                },
+            ],
+        };
+    });
+    server.tool("request_purchaser_info", "Auto-fill purchaser/billing info (name, email, phone, address) from the user's pre-configured profile. Call when on a billing/contact info page WITHOUT card fields visible.", {
+        target_vendor: zod_1.z.string().describe("Human-readable vendor or event name"),
+        page_url: zod_1.z.string().optional().describe("Current page URL"),
+        reasoning: zod_1.z.string().optional().describe("Why billing info is needed"),
+    }, async ({ target_vendor, page_url, reasoning }) => {
+        const pageDomain = page_url
+            ? new URL(page_url).hostname.toLowerCase().replace(/^www\./, "")
+            : "";
+        const vendorAllowed = (0, guardrails_js_1.matchVendor)(target_vendor, allowedCategories, pageDomain);
+        if (!vendorAllowed) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: `Vendor '${target_vendor}' is not in your allowed categories. Update POP_ALLOWED_CATEGORIES to add it.`,
+                    },
+                ],
+            };
+        }
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Billing info request acknowledged for '${target_vendor}'. Browser injection is not yet implemented in the TypeScript version. Please fill billing fields manually.`,
+                },
+            ],
+        };
+    });
+    server.tool("request_x402_payment", "Pay for an API call or service using the x402 HTTP payment protocol.", {
+        amount: zod_1.z.number().positive().describe("Payment amount"),
+        service_url: zod_1.z.string().describe("Service URL to pay"),
+        reasoning: zod_1.z.string().describe("Reason for the payment"),
+    }, async ({ amount, service_url, reasoning }) => {
+        const walletKey = process.env.POP_X402_WALLET_KEY ?? "";
+        if (!walletKey) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: "x402 payment rejected: POP_X402_WALLET_KEY environment variable is not set.",
+                    },
+                ],
+            };
+        }
+        const ssrfError = ssrfValidateUrl(service_url);
+        if (ssrfError) {
+            return {
+                content: [
+                    { type: "text", text: `x402 payment rejected: SSRF validation failed. ${ssrfError}` },
+                ],
+            };
+        }
+        const intent = {
+            agentId: "mcp-agent-x402",
+            requestedAmount: amount,
+            targetVendor: service_url,
+            reasoning,
+            pageUrl: service_url,
+        };
+        const seal = await client.processPayment(intent);
+        if (seal.status === "Rejected") {
+            return {
+                content: [
+                    { type: "text", text: `x402 payment rejected by guardrails. Reason: ${seal.rejectionReason}` },
+                ],
+            };
+        }
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `x402 payment approved (STUBBED). seal_id=${seal.sealId}, amount=$${amount.toFixed(2)}, service_url=${service_url}. Note: actual x402 blockchain payment is not yet implemented.`,
+                },
+            ],
+        };
+    });
+    // Start stdio transport
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+} // end main
+main().catch((err) => {
+    process.stderr.write(`pop-pay MCP server fatal error: ${err}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=mcp-server.js.map

package/dist/mcp-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.js","sourceRoot":"","sources":["../src/mcp-server.ts"],"names":[],"mappings":";;AACA;;;GAGG;;AAEH,oEAAoE;AACpE,wEAAiF;AACjF,6BAAwB;AACxB,6CAAyC;AACzC,mCAAgC;AAChC,qCAAqC;AACrC,yCAAiC;AACjC,qCAAkC;AAGlC,2CAAwC;AACxC,+DAAgE;AAChE,6DAA+D;AAC/D,0DAAsE;AAGtE,KAAK,UAAU,IAAI;IAEnB,iDAAiD;IACjD,MAAM,SAAS,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAChE,IAAI,IAAA,oBAAU,EAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,IAAA,eAAM,EAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,IAAA,eAAM,GAAE,CAAC;IACX,CAAC;IAED,yBAAyB;IACzB,IAAI,UAAU,GAA2B,EAAE,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,kBAAkB,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAC/F,IAAI,WAAW,EAAE,EAAE,CAAC;YAClB,MAAM,UAAU,GAAG,MAAM,kBAAkB,EAAE,CAAC;YAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YACpC,CAAC;YACD,UAAU,GAAG,MAAM,SAAS,EAAE,CAAC;QACjC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAEV,kCAAkC;IAClC,IAAI,UAAU,CAAC,WAAW;QAAE,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,UAAU,CAAC,WAAW,CAAC;IACnF,IAAI,UAAU,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,UAAU,CAAC,GAAG,CAAC;IAChE,IAAI,UAAU,CAAC,SAAS;QAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,UAAU,CAAC,SAAS,CAAC;IAClF,IAAI,UAAU,CAAC,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,UAAU,CAAC,QAAQ,CAAC;IAE/E,gBAAgB;IAChB,MAAM,iBAAiB,GAAa,IAAI,CAAC,KAAK,CAC5C,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,uBAAuB,CAC9D,CAAC;IACF,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,CAAC;IAClE,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,MAAM,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC;IACpF,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC;IAEvD,MAAM,MAAM,GAAoB;QAC9B,iBAAiB;QACjB,cAAc,EAAE,QAAQ;QACxB,cAAc,EAAE,QAAQ;QACxB,uBAAuB,EAAE,UAAU;QACnC,UAAU;KACX,CAAC;IAEF,qBAAqB;IACrB,IAAI,QAA6B,CAAC;IAClC,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;QAC7E,QAAQ,GAAG,IAAI,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAClD,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QACvC,QAAQ,GAAG,IAAI,kCAAkB,EAAE,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,IAAI,mCAAkB,EAAE,CAAC;IACtC,CAAC;IAED,mBAAmB;IACnB,IAAI,MAAuB,CAAC;IAC5B,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;IACjF,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;QACzB,MAAM,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;QACjG,MAAM,GAAG,IAAI,qBAAqB,CAChC,IAAI,kBAAkB,CAAC;YACrB,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE;YACzC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,SAAS;YAClD,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,aAAa;YACjD,WAAW,EAAE,IAAI;SAClB,CAAC,CACI,CAAC;IACX,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,IAAI,+BAAe,EAAE,CAAC;IACjC,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,qBAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAEvD,oCAAoC;IACpC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAoE,CAAC;IAClG,MAAM,kBAAkB,GAAG,GAAG,CAAC;IAE/B,iCAAiC;IACjC,MAAM,eAAe,GACnB,0OAA0O,CAAC;IAC7O,MAAM,QAAQ,GAAG,2CAA2C,CAAC;IAE7D,KAAK,UAAU,QAAQ,CAAC,OAAe;QAMrC,MAAM,UAAU,GAAG,IAAA,wBAAU,GAAE,CAAC;QAChC,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,aAAa;QACb,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;YAChC,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACjC,OAAO,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAC;YAC3G,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACpF,CAAC;QAED,aAAa;QACb,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC9F,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;YACjC,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,EAAE,CAAC;gBAC3C,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAC1B,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;QACxF,CAAC;QAED,wBAAwB;QACxB,MAAM,mBAAmB,GAAG;YAC1B,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ;SAC9F,CAAC;QACF,IAAI,0BAA0B,GAAG,KAAK,CAAC;QACvC,IAAI,KAAK,CAAC;QACV,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACpD,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;YAC7G,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC3D,0BAA0B,GAAG,IAAI,CAAC;gBAClC,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,0BAA0B;YAAE,KAAK,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAE3E,iBAAiB;QACjB,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACnD,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAElD,QAAQ;QACR,IAAI,aAAa,CAAC,IAAI,IAAI,kBAAkB,EAAE,CAAC;YAC7C,IAAI,MAAM,GAAkB,IAAI,CAAC;YACjC,IAAI,UAAU,GAAG,QAAQ,CAAC;YAC1B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,aAAa,EAAE,CAAC;gBACnC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,UAAU,EAAE,CAAC;oBACvC,MAAM,GAAG,CAAC,CAAC;oBACX,UAAU,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;gBACrC,CAAC;YACH,CAAC;YACD,IAAI,MAAM;gBAAE,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC3C,CAAC;QACD,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAEzE,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,8BAA8B,CAAC,CAAC;QAC7D,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClD,CAAC;IAED,SAAS,eAAe,CAAC,GAAW;QAClC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACnD,OAAO,mCAAmC,CAAC;YAC7C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,cAAc,CAAC;QACxB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,aAAa;IACb,MAAM,MAAM,GAAG,IAAI,kBAAS,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAEpE,MAAM,CAAC,IAAI,CACT,sBAAsB,EACtB,sIAAsI,EACtI;QACE,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACvE,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sDAAsD,CAAC;QAC1F,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iCAAiC,CAAC;QACjE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,2BAA2B,CAAC;KACtE,EACD,KAAK,EAAE,EAAE,gBAAgB,EAAE,aAAa,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE,EAAE;QACjE,gBAAgB;QAChB,IAAI,QAAQ,GAAG,EAAE,CAAC;QAClB,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC3C,IAAI,UAAU,CAAC;YACf,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;gBACtE,UAAU,GAAG;oBACX,KAAK,EAAE,MAAM,CAAC,KAAK;oBACnB,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,IAAI,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,8BAA8B,CAAC;oBAC5D,KAAK,EAAE,IAAI;iBACZ,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,UAAU,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACxC,CAAC;YACD,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;gBACrB,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,2CAA2C,UAAU,CAAC,KAAK,iBAAiB,UAAU,CAAC,UAAU,GAAG;yBAC3G;qBACF;iBACF,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;gBACrB,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,kFAAkF,UAAU,CAAC,UAAU,YAAY,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,8BAA8B;yBACnL;qBACF;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,sDAAsD,CAAC;QACpE,CAAC;QAED,MAAM,MAAM,GAAkB;YAC5B,OAAO,EAAE,WAAW;YACpB,eAAe,EAAE,gBAAgB;YACjC,YAAY,EAAE,aAAa;YAC3B,SAAS;YACT,OAAO,EAAE,QAAQ,IAAI,IAAI;SAC1B,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAEjD,IAAI,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,2CAA2C,IAAI,CAAC,eAAe,EAAE,EAAE;iBACnG;aACF,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;QACnD,MAAM,UAAU,GAAG,kBAAkB,KAAK,EAAE,CAAC;QAE7C,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE,kCAAkC,UAAU,aAAa,IAAI,CAAC,cAAc,aAAa,IAAI,CAAC,gBAAgB,GAAG,QAAQ,EAAE;iBAClI;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,wBAAwB,EACxB,8KAA8K,EAC9K;QACE,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,qCAAqC,CAAC;QACzE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC;QAC5D,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,4BAA4B,CAAC;KACxE,EACD,KAAK,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE;QAC/C,MAAM,UAAU,GAAG,QAAQ;YACzB,CAAC,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;YAChE,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,aAAa,GAAG,IAAA,2BAAW,EAAC,aAAa,EAAE,iBAAiB,EAAE,UAAU,CAAC,CAAC;QAChF,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,WAAW,aAAa,+EAA+E;qBAC9G;iBACF;aACF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE,0CAA0C,aAAa,6GAA6G;iBAC3K;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,sBAAsB,EACtB,sEAAsE,EACtE;QACE,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QACxD,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;QACtD,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wBAAwB,CAAC;KACzD,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,EAAE;QAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACxD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,6EAA6E;qBACpF;iBACF;aACF,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;QAC/C,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,kDAAkD,SAAS,EAAE,EAAE;iBAC/F;aACF,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAkB;YAC5B,OAAO,EAAE,gBAAgB;YACzB,eAAe,EAAE,MAAM;YACvB,YAAY,EAAE,WAAW;YACzB,SAAS;YACT,OAAO,EAAE,WAAW;SACrB,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAEjD,IAAI,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,gDAAgD,IAAI,CAAC,eAAe,EAAE,EAAE;iBACxG;aACF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE,4CAA4C,IAAI,CAAC,MAAM,aAAa,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB,WAAW,gEAAgE;iBACxL;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,wBAAwB;IACxB,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAEhC,CAAC,CAAC,WAAW;AAEb,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,IAAI,CAAC,CAAC;IACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/providers/base.d.ts

@@ -0,0 +1,5 @@
+import type { PaymentIntent, GuardrailPolicy, VirtualSeal } from "../core/models.js";
+export interface VirtualCardProvider {
+    issueCard(intent: PaymentIntent, policy: GuardrailPolicy): Promise<VirtualSeal>;
+}
+//# sourceMappingURL=base.d.ts.map

package/dist/providers/base.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../src/providers/base.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErF,MAAM,WAAW,mBAAmB;IAClC,SAAS,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CACjF"}

package/dist/providers/base.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=base.js.map

package/dist/providers/base.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.js","sourceRoot":"","sources":["../../src/providers/base.ts"],"names":[],"mappings":""}

package/dist/providers/byoc-local.d.ts

@@ -0,0 +1,12 @@
+import type { VirtualCardProvider } from "./base.js";
+import type { PaymentIntent, GuardrailPolicy, VirtualSeal } from "../core/models.js";
+export declare class LocalVaultProvider implements VirtualCardProvider {
+    readonly cardNumber: string;
+    readonly expMonth: string;
+    readonly expYear: string;
+    readonly cvv: string;
+    readonly billingInfo: Record<string, string>;
+    constructor();
+    issueCard(intent: PaymentIntent, policy: GuardrailPolicy): Promise<VirtualSeal>;
+}
+//# sourceMappingURL=byoc-local.d.ts.map

package/dist/providers/byoc-local.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"byoc-local.d.ts","sourceRoot":"","sources":["../../src/providers/byoc-local.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErF,qBAAa,kBAAmB,YAAW,mBAAmB;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;;IA4BvC,SAAS,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,WAAW,CAAC;CAuBtF"}

package/dist/providers/byoc-local.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LocalVaultProvider = void 0;
+const node_crypto_1 = require("node:crypto");
+class LocalVaultProvider {
+    cardNumber;
+    expMonth;
+    expYear;
+    cvv;
+    billingInfo;
+    constructor() {
+        this.cardNumber = process.env.POP_BYOC_NUMBER ?? "";
+        this.expMonth = process.env.POP_BYOC_EXP_MONTH ?? "";
+        this.expYear = process.env.POP_BYOC_EXP_YEAR ?? "";
+        this.cvv = process.env.POP_BYOC_CVV ?? "";
+        if (!this.cardNumber || !this.expMonth || !this.expYear || !this.cvv) {
+            throw new Error("Missing BYOC environment variables. Check POP_BYOC_NUMBER, POP_BYOC_EXP_MONTH, POP_BYOC_EXP_YEAR, POP_BYOC_CVV.");
+        }
+        this.billingInfo = {
+            firstName: process.env.POP_BILLING_FIRST_NAME?.trim() ?? "",
+            lastName: process.env.POP_BILLING_LAST_NAME?.trim() ?? "",
+            street: process.env.POP_BILLING_STREET?.trim() ?? "",
+            city: process.env.POP_BILLING_CITY?.trim() ?? "",
+            state: process.env.POP_BILLING_STATE?.trim() ?? "",
+            country: process.env.POP_BILLING_COUNTRY?.trim() ?? "",
+            zip: process.env.POP_BILLING_ZIP?.trim() ?? "",
+            email: process.env.POP_BILLING_EMAIL?.trim() ?? "",
+            phone: process.env.POP_BILLING_PHONE?.trim() ?? "",
+            phoneCountryCode: process.env.POP_BILLING_PHONE_COUNTRY_CODE?.trim() ?? "",
+        };
+    }
+    async issueCard(intent, policy) {
+        if (intent.requestedAmount > policy.maxAmountPerTx) {
+            return {
+                sealId: (0, node_crypto_1.randomUUID)(),
+                cardNumber: null,
+                cvv: null,
+                expirationDate: null,
+                authorizedAmount: 0.0,
+                status: "Rejected",
+                rejectionReason: "Amount exceeds policy limit",
+            };
+        }
+        return {
+            sealId: (0, node_crypto_1.randomUUID)(),
+            cardNumber: this.cardNumber,
+            cvv: this.cvv,
+            expirationDate: `${this.expMonth}/${this.expYear}`,
+            authorizedAmount: intent.requestedAmount,
+            status: "Issued",
+            rejectionReason: null,
+        };
+    }
+}
+exports.LocalVaultProvider = LocalVaultProvider;
+//# sourceMappingURL=byoc-local.js.map

package/dist/providers/byoc-local.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"byoc-local.js","sourceRoot":"","sources":["../../src/providers/byoc-local.ts"],"names":[],"mappings":";;;AAAA,6CAAyC;AAIzC,MAAa,kBAAkB;IACpB,UAAU,CAAS;IACnB,QAAQ,CAAS;IACjB,OAAO,CAAS;IAChB,GAAG,CAAS;IACZ,WAAW,CAAyB;IAE7C;QACE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACpD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACnD,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QAE1C,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;YACrE,MAAM,IAAI,KAAK,CACb,iHAAiH,CAClH,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,WAAW,GAAG;YACjB,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,IAAI,EAAE;YAC3D,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,IAAI,EAAE;YACzD,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,IAAI,EAAE;YACpD,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,IAAI,EAAE;YAChD,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,IAAI,EAAE;YAClD,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE,IAAI,EAAE;YACtD,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,EAAE;YAC9C,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,IAAI,EAAE;YAClD,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,IAAI,EAAE,IAAI,EAAE;YAClD,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,IAAI,EAAE,IAAI,EAAE;SAC3E,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,MAAqB,EAAE,MAAuB;QAC5D,IAAI,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,IAAA,wBAAU,GAAE;gBACpB,UAAU,EAAE,IAAI;gBAChB,GAAG,EAAE,IAAI;gBACT,cAAc,EAAE,IAAI;gBACpB,gBAAgB,EAAE,GAAG;gBACrB,MAAM,EAAE,UAAU;gBAClB,eAAe,EAAE,6BAA6B;aAC/C,CAAC;QACJ,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAA,wBAAU,GAAE;YACpB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,cAAc,EAAE,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,OAAO,EAAE;YAClD,gBAAgB,EAAE,MAAM,CAAC,eAAe;YACxC,MAAM,EAAE,QAAQ;YAChB,eAAe,EAAE,IAAI;SACtB,CAAC;IACJ,CAAC;CACF;AAxDD,gDAwDC"}

package/dist/providers/stripe-mock.d.ts

@@ -0,0 +1,6 @@
+import type { VirtualCardProvider } from "./base.js";
+import type { PaymentIntent, GuardrailPolicy, VirtualSeal } from "../core/models.js";
+export declare class MockStripeProvider implements VirtualCardProvider {
+    issueCard(intent: PaymentIntent, policy: GuardrailPolicy): Promise<VirtualSeal>;
+}
+//# sourceMappingURL=stripe-mock.d.ts.map

package/dist/providers/stripe-mock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stripe-mock.d.ts","sourceRoot":"","sources":["../../src/providers/stripe-mock.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErF,qBAAa,kBAAmB,YAAW,mBAAmB;IACtD,SAAS,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,WAAW,CAAC;CA4BtF"}

package/dist/providers/stripe-mock.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MockStripeProvider = void 0;
+const node_crypto_1 = require("node:crypto");
+class MockStripeProvider {
+    async issueCard(intent, policy) {
+        if (intent.requestedAmount > policy.maxAmountPerTx) {
+            return {
+                sealId: (0, node_crypto_1.randomUUID)(),
+                cardNumber: null,
+                cvv: null,
+                expirationDate: null,
+                authorizedAmount: 0.0,
+                status: "Rejected",
+                rejectionReason: `Exceeds single transaction limit of ${policy.maxAmountPerTx}`,
+            };
+        }
+        const cardNumber = Array.from({ length: 16 }, () => Math.floor(Math.random() * 10)).join("");
+        const cvv = Array.from({ length: 3 }, () => Math.floor(Math.random() * 10)).join("");
+        const expDate = new Date(Date.now() + 365 * 24 * 60 * 60 * 1000);
+        const expirationDate = `${String(expDate.getMonth() + 1).padStart(2, "0")}/${String(expDate.getFullYear()).slice(-2)}`;
+        return {
+            sealId: (0, node_crypto_1.randomUUID)(),
+            cardNumber,
+            cvv,
+            expirationDate,
+            authorizedAmount: intent.requestedAmount,
+            status: "Issued",
+            rejectionReason: null,
+        };
+    }
+}
+exports.MockStripeProvider = MockStripeProvider;
+//# sourceMappingURL=stripe-mock.js.map

package/dist/providers/stripe-mock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stripe-mock.js","sourceRoot":"","sources":["../../src/providers/stripe-mock.ts"],"names":[],"mappings":";;;AAAA,6CAAyC;AAIzC,MAAa,kBAAkB;IAC7B,KAAK,CAAC,SAAS,CAAC,MAAqB,EAAE,MAAuB;QAC5D,IAAI,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,IAAA,wBAAU,GAAE;gBACpB,UAAU,EAAE,IAAI;gBAChB,GAAG,EAAE,IAAI;gBACT,cAAc,EAAE,IAAI;gBACpB,gBAAgB,EAAE,GAAG;gBACrB,MAAM,EAAE,UAAU;gBAClB,eAAe,EAAE,uCAAuC,MAAM,CAAC,cAAc,EAAE;aAChF,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7F,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrF,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACjE,MAAM,cAAc,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAEvH,OAAO;YACL,MAAM,EAAE,IAAA,wBAAU,GAAE;YACpB,UAAU;YACV,GAAG;YACH,cAAc;YACd,gBAAgB,EAAE,MAAM,CAAC,eAAe;YACxC,MAAM,EAAE,QAAQ;YAChB,eAAe,EAAE,IAAI;SACtB,CAAC;IACJ,CAAC;CACF;AA7BD,gDA6BC"}

package/dist/providers/stripe-real.d.ts

@@ -0,0 +1,9 @@
+import type { VirtualCardProvider } from "./base.js";
+import type { PaymentIntent, GuardrailPolicy, VirtualSeal } from "../core/models.js";
+export declare class StripeIssuingProvider implements VirtualCardProvider {
+    private stripe;
+    private cardholderId;
+    constructor(apiKey: string);
+    issueCard(intent: PaymentIntent, policy: GuardrailPolicy): Promise<VirtualSeal>;
+}
+//# sourceMappingURL=stripe-real.d.ts.map

package/dist/providers/stripe-real.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stripe-real.d.ts","sourceRoot":"","sources":["../../src/providers/stripe-real.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErF,qBAAa,qBAAsB,YAAW,mBAAmB;IAC/D,OAAO,CAAC,MAAM,CAAM;IACpB,OAAO,CAAC,YAAY,CAAuB;gBAE/B,MAAM,EAAE,MAAM;IAUpB,SAAS,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,WAAW,CAAC;CAkEtF"}

package/dist/providers/stripe-real.js

@@ -0,0 +1,84 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StripeIssuingProvider = void 0;
+const node_crypto_1 = require("node:crypto");
+class StripeIssuingProvider {
+    stripe;
+    cardholderId = null;
+    constructor(apiKey) {
+        // Lazy import — stripe is an optional dependency
+        try {
+            const Stripe = require("stripe");
+            this.stripe = new Stripe(apiKey);
+        }
+        catch {
+            throw new Error("stripe package required. Install with: npm install stripe");
+        }
+    }
+    async issueCard(intent, policy) {
+        try {
+            if (intent.requestedAmount > policy.maxAmountPerTx) {
+                return {
+                    sealId: (0, node_crypto_1.randomUUID)(),
+                    cardNumber: null,
+                    cvv: null,
+                    expirationDate: null,
+                    authorizedAmount: 0.0,
+                    status: "Rejected",
+                    rejectionReason: "Amount exceeds policy limit",
+                };
+            }
+            if (!this.cardholderId) {
+                const cardholder = await this.stripe.issuing.cardholders.create({
+                    type: "individual",
+                    name: "POP Agent",
+                    billing: {
+                        address: {
+                            line1: "123 AI St",
+                            city: "San Francisco",
+                            state: "CA",
+                            postal_code: "94105",
+                            country: "US",
+                        },
+                    },
+                });
+                this.cardholderId = cardholder.id;
+            }
+            const card = await this.stripe.issuing.cards.create({
+                cardholder: this.cardholderId,
+                type: "virtual",
+                currency: "usd",
+                spending_controls: {
+                    spending_limits: [
+                        {
+                            amount: Math.round(intent.requestedAmount * 100),
+                            interval: "all_time",
+                        },
+                    ],
+                },
+            });
+            return {
+                sealId: (0, node_crypto_1.randomUUID)(),
+                cardNumber: `****${card.last4}`,
+                cvv: "***",
+                expirationDate: `${card.exp_month}/${card.exp_year}`,
+                authorizedAmount: intent.requestedAmount,
+                status: "Issued",
+                rejectionReason: null,
+            };
+        }
+        catch (e) {
+            return {
+                sealId: (0, node_crypto_1.randomUUID)(),
+                cardNumber: null,
+                cvv: null,
+                expirationDate: null,
+                authorizedAmount: 0.0,
+                status: "Rejected",
+                rejectionReason: String(e.message ?? e),
+            };
+        }
+    }
+}
+exports.StripeIssuingProvider = StripeIssuingProvider;
+//# sourceMappingURL=stripe-real.js.map

package/dist/providers/stripe-real.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stripe-real.js","sourceRoot":"","sources":["../../src/providers/stripe-real.ts"],"names":[],"mappings":";;;AAAA,6CAAyC;AAIzC,MAAa,qBAAqB;IACxB,MAAM,CAAM;IACZ,YAAY,GAAkB,IAAI,CAAC;IAE3C,YAAY,MAAc;QACxB,iDAAiD;QACjD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;YACjC,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,MAAqB,EAAE,MAAuB;QAC5D,IAAI,CAAC;YACH,IAAI,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;gBACnD,OAAO;oBACL,MAAM,EAAE,IAAA,wBAAU,GAAE;oBACpB,UAAU,EAAE,IAAI;oBAChB,GAAG,EAAE,IAAI;oBACT,cAAc,EAAE,IAAI;oBACpB,gBAAgB,EAAE,GAAG;oBACrB,MAAM,EAAE,UAAU;oBAClB,eAAe,EAAE,6BAA6B;iBAC/C,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;oBAC9D,IAAI,EAAE,YAAY;oBAClB,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE;wBACP,OAAO,EAAE;4BACP,KAAK,EAAE,WAAW;4BAClB,IAAI,EAAE,eAAe;4BACrB,KAAK,EAAE,IAAI;4BACX,WAAW,EAAE,OAAO;4BACpB,OAAO,EAAE,IAAI;yBACd;qBACF;iBACF,CAAC,CAAC;gBACH,IAAI,CAAC,YAAY,GAAG,UAAU,CAAC,EAAE,CAAC;YACpC,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC;gBAClD,UAAU,EAAE,IAAI,CAAC,YAAY;gBAC7B,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,KAAK;gBACf,iBAAiB,EAAE;oBACjB,eAAe,EAAE;wBACf;4BACE,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,eAAe,GAAG,GAAG,CAAC;4BAChD,QAAQ,EAAE,UAAU;yBACrB;qBACF;iBACF;aACF,CAAC,CAAC;YAEH,OAAO;gBACL,MAAM,EAAE,IAAA,wBAAU,GAAE;gBACpB,UAAU,EAAE,OAAO,IAAI,CAAC,KAAK,EAAE;gBAC/B,GAAG,EAAE,KAAK;gBACV,cAAc,EAAE,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ,EAAE;gBACpD,gBAAgB,EAAE,MAAM,CAAC,eAAe;gBACxC,MAAM,EAAE,QAAQ;gBAChB,eAAe,EAAE,IAAI;aACtB,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,OAAO;gBACL,MAAM,EAAE,IAAA,wBAAU,GAAE;gBACpB,UAAU,EAAE,IAAI;gBAChB,GAAG,EAAE,IAAI;gBACT,cAAc,EAAE,IAAI;gBACpB,gBAAgB,EAAE,GAAG;gBACrB,MAAM,EAAE,UAAU;gBAClB,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC;aACxC,CAAC;QACJ,CAAC;IACH,CAAC;CACF;AAhFD,sDAgFC"}

package/dist/vault.d.ts

@@ -0,0 +1,23 @@
+/**
+ * pop-pay credential vault — AES-256-GCM encrypted credential storage.
+ *
+ * Security model:
+ * - Credentials are encrypted at rest using AES-256-GCM with a machine-derived key.
+ * - The key is derived from a stable machine identifier using scrypt.
+ * - Plaintext credentials never touch disk after init-vault completes.
+ * - OSS version uses a public salt (documented limitation).
+ * - Option B passphrase mode: key derived from user passphrase via PBKDF2-HMAC-SHA256
+ *   (600k iterations); stored in OS keyring for the session.
+ */
+export declare const OSS_WARNING: string;
+export declare function deriveKeyFromPassphrase(passphrase: string): Buffer;
+export declare function storeKeyInKeyring(key: Buffer): void;
+export declare function loadKeyFromKeyring(): Promise<Buffer | null>;
+export declare function clearKeyring(): Promise<void>;
+export declare function encryptCredentials(creds: Record<string, string>, salt?: Buffer, keyOverride?: Buffer): Buffer;
+export declare function decryptCredentials(blob: Buffer, salt?: Buffer, keyOverride?: Buffer): Record<string, string>;
+export declare function vaultExists(): boolean;
+export declare function loadVault(): Promise<Record<string, string>>;
+export declare function saveVault(creds: Record<string, string>, keyOverride?: Buffer): void;
+export declare function secureWipeEnv(envPath: string): void;
+//# sourceMappingURL=vault.d.ts.map

package/dist/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAkBH,eAAO,MAAM,WAAW,QAKwC,CAAC;AA4EjE,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAGlE;AAGD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CASnD;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAOjE;AAED,wBAAsB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAKlD;AAED,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC7B,IAAI,CAAC,EAAE,MAAM,EACb,WAAW,CAAC,EAAE,MAAM,GACnB,MAAM,CASR;AAED,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE,MAAM,EACb,WAAW,CAAC,EAAE,MAAM,GACnB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAoBxB;AAED,wBAAgB,WAAW,IAAI,OAAO,CAErC;AAqBD,wBAAsB,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAkCjE;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAenF;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAKnD"}