pop-pay 0.1.0

package/dist/vault.js

@@ -0,0 +1,283 @@
+"use strict";
+/**
+ * pop-pay credential vault — AES-256-GCM encrypted credential storage.
+ *
+ * Security model:
+ * - Credentials are encrypted at rest using AES-256-GCM with a machine-derived key.
+ * - The key is derived from a stable machine identifier using scrypt.
+ * - Plaintext credentials never touch disk after init-vault completes.
+ * - OSS version uses a public salt (documented limitation).
+ * - Option B passphrase mode: key derived from user passphrase via PBKDF2-HMAC-SHA256
+ *   (600k iterations); stored in OS keyring for the session.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OSS_WARNING = void 0;
+exports.deriveKeyFromPassphrase = deriveKeyFromPassphrase;
+exports.storeKeyInKeyring = storeKeyInKeyring;
+exports.loadKeyFromKeyring = loadKeyFromKeyring;
+exports.clearKeyring = clearKeyring;
+exports.encryptCredentials = encryptCredentials;
+exports.decryptCredentials = decryptCredentials;
+exports.vaultExists = vaultExists;
+exports.loadVault = loadVault;
+exports.saveVault = saveVault;
+exports.secureWipeEnv = secureWipeEnv;
+const node_crypto_1 = require("node:crypto");
+const crypto = __importStar(require("node:crypto"));
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const node_child_process_1 = require("node:child_process");
+const VAULT_DIR = (0, node_path_1.join)((0, node_os_1.homedir)(), ".config", "pop-pay");
+const VAULT_PATH = (0, node_path_1.join)(VAULT_DIR, "vault.enc");
+const KEYRING_SERVICE = "pop-pay-vault";
+const KEYRING_USERNAME = "derived-key-hex";
+// OSS public salt — intentionally documented as a security limitation.
+const OSS_SALT = Buffer.from("pop-pay-oss-v1-public-salt-2026");
+exports.OSS_WARNING = "\n\u26a0\ufe0f  pop-pay SECURITY NOTICE: Running from source build (OSS mode).\n" +
+    "   Vault encryption uses a public salt. An agent with shell execution\n" +
+    "   tools could derive the vault key from public information.\n" +
+    "   For stronger security: install via npm (`npm install pop-pay`)\n" +
+    "   or use `pop-pay init-vault --passphrase` (coming soon).\n";
+function getMachineId() {
+    // Linux: /etc/machine-id
+    try {
+        const mid = (0, node_fs_1.readFileSync)("/etc/machine-id", "utf8").trim();
+        if (mid)
+            return Buffer.from(mid);
+    }
+    catch { }
+    // macOS: IOPlatformUUID
+    if ((0, node_os_1.platform)() === "darwin") {
+        try {
+            const result = (0, node_child_process_1.execSync)("ioreg -rd1 -c IOPlatformExpertDevice", {
+                timeout: 5000,
+                encoding: "utf8",
+            });
+            for (const line of result.split("\n")) {
+                if (line.includes("IOPlatformUUID")) {
+                    const parts = line.split('"');
+                    return Buffer.from(parts[parts.length - 2]);
+                }
+            }
+        }
+        catch { }
+    }
+    // Windows: MachineGuid from registry
+    if ((0, node_os_1.platform)() === "win32") {
+        try {
+            const result = (0, node_child_process_1.execSync)('reg query "HKLM\\SOFTWARE\\Microsoft\\Cryptography" /v MachineGuid', { timeout: 5000, encoding: "utf8" });
+            const match = result.match(/MachineGuid\s+REG_SZ\s+(.+)/);
+            if (match)
+                return Buffer.from(match[1].trim());
+        }
+        catch { }
+    }
+    // Fallback: generate and store random ID
+    const fallbackPath = (0, node_path_1.join)(VAULT_DIR, ".machine_id");
+    if ((0, node_fs_1.existsSync)(fallbackPath)) {
+        return (0, node_fs_1.readFileSync)(fallbackPath);
+    }
+    const fallbackId = (0, node_crypto_1.randomBytes)(32);
+    (0, node_fs_1.mkdirSync)(VAULT_DIR, { recursive: true });
+    (0, node_fs_1.writeFileSync)(fallbackPath, fallbackId, { mode: 0o600 });
+    return fallbackId;
+}
+function getUsername() {
+    try {
+        return Buffer.from((0, node_os_1.userInfo)().username);
+    }
+    catch { }
+    return Buffer.from(process.env.USER ?? process.env.USERNAME ?? "unknown");
+}
+function deriveKey(salt, keyOverride) {
+    if (keyOverride)
+        return keyOverride;
+    const machineId = getMachineId();
+    const username = getUsername();
+    // Try Rust napi-rs hardened path first
+    if (!salt) {
+        try {
+            const native = require("../native/pop-pay-native.node");
+            const key = native.deriveKey(machineId, username);
+            if (key)
+                return Buffer.from(key);
+        }
+        catch { }
+        salt = OSS_SALT;
+    }
+    const password = Buffer.concat([machineId, Buffer.from(":"), username]);
+    // scrypt: n=2^14, r=8, p=1, dklen=32 (matches Python)
+    return (0, node_crypto_1.scryptSync)(password, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
+}
+function deriveKeyFromPassphrase(passphrase) {
+    const machineId = getMachineId();
+    return (0, node_crypto_1.pbkdf2Sync)(passphrase, machineId, 600_000, 32, "sha256");
+}
+// Keyring helpers (optional keytar dependency)
+function storeKeyInKeyring(key) {
+    try {
+        const keytar = require("keytar");
+        keytar.setPassword(KEYRING_SERVICE, KEYRING_USERNAME, key.toString("hex"));
+    }
+    catch {
+        throw new Error("keytar package required for passphrase mode. Install with: npm install keytar");
+    }
+}
+async function loadKeyFromKeyring() {
+    try {
+        const keytar = require("keytar");
+        const hexKey = await keytar.getPassword(KEYRING_SERVICE, KEYRING_USERNAME);
+        if (hexKey)
+            return Buffer.from(hexKey, "hex");
+    }
+    catch { }
+    return null;
+}
+async function clearKeyring() {
+    try {
+        const keytar = require("keytar");
+        await keytar.deletePassword(KEYRING_SERVICE, KEYRING_USERNAME);
+    }
+    catch { }
+}
+function encryptCredentials(creds, salt, keyOverride) {
+    const key = deriveKey(salt, keyOverride);
+    const nonce = (0, node_crypto_1.randomBytes)(12); // 96-bit random nonce
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
+    const plaintext = Buffer.from(JSON.stringify(creds));
+    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag(); // 16 bytes
+    // Format: nonce (12) + ciphertext + tag (16) — matches Python cryptography lib output
+    return Buffer.concat([nonce, encrypted, tag]);
+}
+function decryptCredentials(blob, salt, keyOverride) {
+    if (blob.length < 28) {
+        // 12 nonce + at least 16 GCM tag
+        throw new Error("vault.enc is corrupted or too small");
+    }
+    const key = deriveKey(salt, keyOverride);
+    const nonce = blob.subarray(0, 12);
+    const tag = blob.subarray(blob.length - 16);
+    const ciphertext = blob.subarray(12, blob.length - 16);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce);
+    decipher.setAuthTag(tag);
+    try {
+        const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        return JSON.parse(plaintext.toString("utf8"));
+    }
+    catch {
+        throw new Error("Failed to decrypt vault \u2014 wrong key (machine changed?) or corrupted vault.\n" +
+            "Re-run: pop-init-vault");
+    }
+}
+function vaultExists() {
+    return (0, node_fs_1.existsSync)(VAULT_PATH);
+}
+function writeVaultMode() {
+    let mode = "oss";
+    try {
+        const native = require("../native/pop-pay-native.node");
+        mode = native.isHardened() ? "hardened" : "oss";
+    }
+    catch { }
+    const markerPath = (0, node_path_1.join)(VAULT_DIR, ".vault_mode");
+    (0, node_fs_1.writeFileSync)(markerPath, mode, { mode: 0o600 });
+}
+function readVaultMode() {
+    const markerPath = (0, node_path_1.join)(VAULT_DIR, ".vault_mode");
+    try {
+        return (0, node_fs_1.readFileSync)(markerPath, "utf8").trim();
+    }
+    catch {
+        return "unknown";
+    }
+}
+async function loadVault() {
+    // Downgrade check
+    const vaultMode = readVaultMode();
+    if (vaultMode === "hardened") {
+        try {
+            const native = require("../native/pop-pay-native.node");
+            if (!native.isHardened()) {
+                throw new Error("Vault was created with a hardened build, but the native extension is missing or not hardened.\n" +
+                    "Reinstall via npm: npm install pop-pay");
+            }
+        }
+        catch (e) {
+            if (e.code === "MODULE_NOT_FOUND") {
+                throw new Error("Vault requires hardened build but native module not found. Reinstall via npm: npm install pop-pay");
+            }
+            throw e;
+        }
+    }
+    const blob = (0, node_fs_1.readFileSync)(VAULT_PATH);
+    // Try passphrase-derived key from keyring first
+    const passphraseKey = await loadKeyFromKeyring();
+    if (passphraseKey) {
+        try {
+            return decryptCredentials(blob, undefined, passphraseKey);
+        }
+        catch {
+            // Wrong key — fall through to machine-derived key
+        }
+    }
+    return decryptCredentials(blob);
+}
+function saveVault(creds, keyOverride) {
+    (0, node_fs_1.mkdirSync)(VAULT_DIR, { recursive: true });
+    const blob = encryptCredentials(creds, undefined, keyOverride);
+    // Atomic write: tmp → rename
+    const tmpPath = VAULT_PATH + ".tmp";
+    (0, node_fs_1.writeFileSync)(tmpPath, blob, { mode: 0o600 });
+    const fs = require("node:fs");
+    fs.renameSync(tmpPath, VAULT_PATH);
+    fs.chmodSync(VAULT_PATH, 0o600);
+    fs.chmodSync(VAULT_DIR, 0o700);
+    // Verify the vault is readable
+    const verifyBlob = (0, node_fs_1.readFileSync)(VAULT_PATH);
+    decryptCredentials(verifyBlob, undefined, keyOverride);
+    // Write mode marker
+    writeVaultMode();
+}
+function secureWipeEnv(envPath) {
+    if (!(0, node_fs_1.existsSync)(envPath))
+        return;
+    const size = (0, node_fs_1.statSync)(envPath).size;
+    (0, node_fs_1.writeFileSync)(envPath, Buffer.alloc(size, 0));
+    (0, node_fs_1.unlinkSync)(envPath);
+}
+//# sourceMappingURL=vault.js.map

package/dist/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmGH,0DAGC;AAGD,8CASC;AAED,gDAOC;AAED,oCAKC;AAED,gDAaC;AAED,gDAwBC;AAED,kCAEC;AAqBD,8BAkCC;AAED,8BAeC;AAED,sCAKC;AA5PD,6CAA8E;AAC9E,oDAAsC;AACtC,qCAAmG;AACnG,qCAAsD;AACtD,yCAAiC;AACjC,2DAA8C;AAE9C,MAAM,SAAS,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;AACxD,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,WAAW,CAAC,CAAC;AAEhD,MAAM,eAAe,GAAG,eAAe,CAAC;AACxC,MAAM,gBAAgB,GAAG,iBAAiB,CAAC;AAE3C,uEAAuE;AACvE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;AAEnD,QAAA,WAAW,GACtB,kFAAkF;IAClF,yEAAyE;IACzE,gEAAgE;IAChE,qEAAqE;IACrE,8DAA8D,CAAC;AAEjE,SAAS,YAAY;IACnB,yBAAyB;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,IAAI,GAAG;YAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAEV,wBAAwB;IACxB,IAAI,IAAA,kBAAQ,GAAE,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,6BAAQ,EAAC,sCAAsC,EAAE;gBAC9D,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,MAAM;aACjB,CAAC,CAAC;YACH,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtC,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;gBAC9C,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;IAED,qCAAqC;IACrC,IAAI,IAAA,kBAAQ,GAAE,KAAK,OAAO,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,oEAAoE,EACpE,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CACpC,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YAC1D,IAAI,KAAK;gBAAE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;IAED,yCAAyC;IACzC,MAAM,YAAY,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IACpD,IAAI,IAAA,oBAAU,EAAC,YAAY,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAA,sBAAY,EAAC,YAAY,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,UAAU,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC;IACnC,IAAA,mBAAS,EAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,IAAA,uBAAa,EAAC,YAAY,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,WAAW;IAClB,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC,IAAA,kBAAQ,GAAE,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,SAAS,CAAC,IAAa,EAAE,WAAoB;IACpD,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IAEpC,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAE/B,uCAAuC;IACvC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;YACxD,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAClD,IAAI,GAAG;gBAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;QACV,IAAI,GAAG,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IACxE,sDAAsD;IACtD,OAAO,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;AACpE,CAAC;AAED,SAAgB,uBAAuB,CAAC,UAAkB;IACxD,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,OAAO,IAAA,wBAAU,EAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AAClE,CAAC;AAED,+CAA+C;AAC/C,SAAgB,iBAAiB,CAAC,GAAW;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,CAAC,WAAW,CAAC,eAAe,EAAE,gBAAgB,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;IACJ,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,kBAAkB;IACtC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,eAAe,EAAE,gBAAgB,CAAC,CAAC;QAC3E,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,YAAY;IAChC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,MAAM,CAAC,cAAc,CAAC,eAAe,EAAE,gBAAgB,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;AACZ,CAAC;AAED,SAAgB,kBAAkB,CAChC,KAA6B,EAC7B,IAAa,EACb,WAAoB;IAEpB,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,CAAC,sBAAsB;IACrD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC5E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,WAAW;IAC5C,sFAAsF;IACtF,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,SAAgB,kBAAkB,CAChC,IAAY,EACZ,IAAa,EACb,WAAoB;IAEpB,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrB,iCAAiC;QACjC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACpE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjF,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,mFAAmF;YACjF,wBAAwB,CAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAgB,WAAW;IACzB,OAAO,IAAA,oBAAU,EAAC,UAAU,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,cAAc;IACrB,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;QACxD,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAClD,IAAA,uBAAa,EAAC,UAAU,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAClD,IAAI,CAAC;QACH,OAAO,IAAA,sBAAY,EAAC,UAAU,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,SAAS;IAC7B,kBAAkB;IAClB,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;IAClC,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;YACxD,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CACb,iGAAiG;oBAC/F,wCAAwC,CAC3C,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,IAAA,sBAAY,EAAC,UAAU,CAAC,CAAC;IAEtC,gDAAgD;IAChD,MAAM,aAAa,GAAG,MAAM,kBAAkB,EAAE,CAAC;IACjD,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,OAAO,kBAAkB,CAAC,IAAI,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;QAC5D,CAAC;QAAC,MAAM,CAAC;YACP,kDAAkD;QACpD,CAAC;IACH,CAAC;IACD,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED,SAAgB,SAAS,CAAC,KAA6B,EAAE,WAAoB;IAC3E,IAAA,mBAAS,EAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,kBAAkB,CAAC,KAAK,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAC/D,6BAA6B;IAC7B,MAAM,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;IACpC,IAAA,uBAAa,EAAC,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9C,MAAM,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAC9B,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IACnC,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAChC,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAC/B,+BAA+B;IAC/B,MAAM,UAAU,GAAG,IAAA,sBAAY,EAAC,UAAU,CAAC,CAAC;IAC5C,kBAAkB,CAAC,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IACvD,oBAAoB;IACpB,cAAc,EAAE,CAAC;AACnB,CAAC;AAED,SAAgB,aAAa,CAAC,OAAe;IAC3C,IAAI,CAAC,IAAA,oBAAU,EAAC,OAAO,CAAC;QAAE,OAAO;IACjC,MAAM,IAAI,GAAG,IAAA,kBAAQ,EAAC,OAAO,CAAC,CAAC,IAAI,CAAC;IACpC,IAAA,uBAAa,EAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9C,IAAA,oBAAU,EAAC,OAAO,CAAC,CAAC;AACtB,CAAC"}

package/package.json

@@ -0,0 +1,71 @@
+{
+  "name": "pop-pay",
+  "version": "0.1.0",
+  "description": "Point One Percent - Semantic Payment Guardrail for AI Agents. It only takes 0.1% of hallucination to drain 100% of your wallet.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "pop-launch": "dist/cli.js",
+    "pop-init-vault": "dist/cli-vault.js",
+    "pop-unlock": "dist/cli-vault.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "build:native": "cd native && npm run build",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "eslint src/",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "ai",
+    "agent",
+    "payment",
+    "guardrail",
+    "security",
+    "mcp",
+    "virtual-card",
+    "cdp",
+    "browser-automation",
+    "checkout"
+  ],
+  "author": "Point One Percent Team",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/TPEmist/pop-pay.git"
+  },
+  "homepage": "https://github.com/TPEmist/pop-pay#readme",
+  "bugs": {
+    "url": "https://github.com/TPEmist/pop-pay/issues"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.0",
+    "better-sqlite3": "^11.0.0",
+    "dotenv": "^16.4.0",
+    "zod": "^3.23.0"
+  },
+  "optionalDependencies": {
+    "@anthropic-ai/sdk": "^0.30.0",
+    "openai": "^4.60.0",
+    "stripe": "^17.0.0",
+    "keytar": "^7.9.0",
+    "ws": "^8.17.0"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.0",
+    "@types/node": "^20.0.0",
+    "typescript": "^5.5.0",
+    "vitest": "^2.0.0",
+    "eslint": "^9.0.0"
+  },
+  "files": [
+    "dist/",
+    "native/pop-pay-native.*.node",
+    "README.md",
+    "LICENSE"
+  ]
+}