Caution · Ungoverned Agent Traffic

Form 0.1% — Variant Transaction Audit

A runtime oversight authority for AI agent commerce.

pop-pay is the guardrail that sits between the agent and the payment rail. The card never enters the LLM context. The policy was written before the transaction happened.

Install the Guardrail Read §02 — Structural Guarantees

§01

The ungoverned agent transaction.

Every AI agent that holds a card is a variance waiting to be filed. Prompt injection, tool-use drift, over-permissioned keys — the failure modes are already documented. The question is who watches the transaction at runtime.

Context Leakage

Card data in the LLM context window survives logs, prompt caches, and intermediate tool calls.

Prompt Injection

An attacker-controlled page instructs the agent to exfiltrate or redirect funds. The model complies.

Scope Drift

A "buy a book" instruction becomes a $4,000 gift card order. No runtime check catches the category mismatch.

Audit Gaps

When a transaction goes wrong, provenance is the first thing asked for. Most agent frameworks keep none.

§02

Structural guarantees, not best-effort heuristics.

Classified · Method

Card never enters LLM context.

Credentials live in an AES-256-GCM sealed vault. The agent receives a handle, not a secret. Structural, not a prompt instruction the model can forget.

Policy is evaluated before dispatch.

Amount, merchant category, velocity, and destination are checked against a declarative policy at the moment of transaction — not hoped for in a system prompt.

Every variance is filed.

Approved, denied, flagged — each decision carries a signed, replayable record. Provenance is the product.

§03

Install.

Form 0.1-I · Field Installation · TRIPLICATE Serial No. INST-19610414-0QX8SX

Form Code

0.1-I

Revision

2026-04

Parity

Node · Python

Classification

Public

NPM

npm install pop-pay

# installs as a global binary and library

PIP

pip install pop-pay

# same binary, Python parity build

Source

github.com/100xPercent/pop-pay # Node reference implementation github.com/100xPercent/pop-pay-python # Python parity build

License

MIT — authored by the pop-pay

Runtime

Node ≥ 22.12 · Python ≥ 3.11

Filed · 2026-04-14 Authorized by: Office of the pop-pay

§04

Technical dossier.

Document 04-A

Threat Model

The complete failure-mode map for AI agent commerce. Attack classes, detection posture, and structural vs. heuristic defenses.

Read →

Document 04-B

Red-Team Methodology

How pop-pay is tested. 500-payload corpus, category criteria, reproducible harness, results reported openly.

Read →

Classified

Document 04-C

Vault Cryptography

Key derivation, sealed storage, canary file, and the public encrypted challenge. AES-256-GCM at rest with compiled-salt hardening.

Read →

§05

Coordinated disclosure.

Internal · Red Team

The bounty program is currently in an internal red-team phase. Public tiers and Hall of Fame will open after internal hardening completes. Until then, coordinated disclosure is the path — findings are acknowledged and triaged on a 72-hour SLA.

Disclosure Address

security@pop-pay.ai — PGP key on request. Please include a reproducible PoC and the commit SHA you tested against.

Canary · Live Challenge

vault.enc.challenge — public encrypted file shipped with the package. Extraction reports fall under the same coordinated-disclosure channel.