docs(privacy): CEO REVISE — private-first bounty + capability-forward public face

.gitignore

@@ -38,3 +38,5 @@ pop_pay/engine/_vault_core.cpython-*.pyd
 build/
 *.egg-info/
 docs/ENV_REFERENCE.md
+
+temp_trash/

SECURITY.md

@@ -1,197 +1,64 @@
-# Security Model & Red Team Report
+# Security Policy
 
-## Threat Model
+## Responsible Disclosure
 
-pop-pay is designed to let AI agents make payments **without ever seeing real card credentials**. The primary threats are:
+At Point One Percent, we take the security of our runtime payment guardrails seriously. If you believe you have found a security vulnerability in `pop-pay`, please report it to us as described below.
 
-1. **Prompt injection** — malicious content in agent reasoning or from a webpage instructs the agent to extract credentials
-2. **Agent hallucination** — agent spontaneously tries to read credential files to "help"
-3. **TOCTOU redirect** — agent gets payment approved for vendor A, then navigates to attacker site before injection
-4. **Credential exfiltration** — agent reads credential files directly via file-read tools
-5. **Downgrade attack** — agent with shell access attempts to delete the Cython `.so` to force re-initialization with weaker OSS encryption
+## Reporting a Vulnerability
 
-### Out of scope (OS-level threats)
-If the agent has **arbitrary shell execution** and runs as the same OS user as the MCP server, no local software solution fully protects against credential theft — this is a known OS security boundary. Mitigations: use passphrase mode, run agent in a sandboxed environment without shell tools, or use Stripe Issuing mode (no credentials stored locally).
+Please do **not** report security vulnerabilities via public GitHub issues.
 
----
+Two parallel channels (GitHub Advisory preferred, email also monitored):
 
-## Security Levels
-
-| Configuration | File-read agent | Shell agent (call `derive_key()`) | Shell agent (downgrade attack) | Shell agent (brute force) |
-|---|---|---|---|---|
-| `.env` file (pre-v0.6.0) | ❌ Exposed | ❌ Exposed | N/A | ❌ |
-| Vault, OSS source, no passphrase | ✅ Blocked | ❌ Can call `derive_key()` with public salt | N/A | ✅ Blocked |
-| Vault, PyPI/Cython, no passphrase (v0.6.1+) | ✅ Blocked | ⚠️ Must reverse `.so` first (salt never exposed as Python object) | ✅ Blocked (v0.6.4+) | ✅ Blocked |
-| Vault + passphrase (any install) | ✅ Blocked | ✅ Blocked (needs passphrase) | ✅ Blocked | ✅ Blocked (strong passphrase) |
-| **Stripe Issuing (commercial)** | ✅ Blocked | ✅ No credentials stored | ✅ | ✅ |
-
----
-
-## Cython Vault Hardening Architecture (v0.6.0+)
-
-Card credentials are encrypted with AES-256-GCM. The encryption key is derived via `scrypt` from the machine identifier and a secret salt.
-
-### Salt protection layers (PyPI/Cython builds only)
-
-| Layer | Mechanism | What it defeats |
-|---|---|---|
-| Compiled `.so` | Salt derivation happens inside Cython binary, not Python | Agent calling `import pop_pay; pop_pay.get_salt()` |
-| Salt never exposed | `derive_key()` returns only the final key, never the salt | Agent inspecting Python return values |
-| XOR obfuscation (v0.6.2+) | Salt stored as two XOR-paired integer lists (`_A1 ⊕ _B2`); neither list alone is meaningful | `strings .so` static binary scanning |
-| Memory zeroing (v0.6.3+) | Reconstructed salt stored in `bytearray`, zeroed immediately after `scrypt` call | Process memory dump after key derivation |
-| Vault mode marker (v0.6.4+) | `.vault_mode` file records `hardened`/`oss` at init time; `load_vault()` and `pop-init-vault` refuse to fall back to OSS salt if marker says `hardened` but `.so` is missing | Agent deleting `.so` to trigger re-initialization with public salt |
-
-### Downgrade attack flow (mitigated in v0.6.4)
-
-**Attack vector:**
-1. Agent with shell access deletes `_vault_core.so`
-2. Agent unsets / bypasses `POP_STRICT_MODE` env var (pre-v0.6.4)
-3. System falls back to OSS public salt
-4. Agent re-initializes vault with weak encryption using known public salt
-
-**v0.6.4 mitigation:**
-- `POP_STRICT_MODE` removed (was bypassable via `unset POP_STRICT_MODE`)
-- `.vault_mode` marker file written at vault creation time
-- `load_vault()` checks marker: if `hardened` but `.so` unavailable → raises `RuntimeError`, refuses decryption
-- `pop-init-vault` checks marker: if `hardened` but `.so` unavailable → prints error and exits, refuses overwrite
-- Bypassing requires manually deleting two files (`vault.enc` + `.vault_mode`), which is a clearly observable destructive action
-
----
-
-## Red Team Results
-
-### v0.6.0 (2026-03-31) — Initial Vault Release
-
-#### ✅ BLOCKED
-
-| Attack | Defense |
-|---|---|
-| Read `~/.config/pop-pay/.env` | Burned after `pop-init-vault`; file does not exist |
-| Read `vault.enc` | AES-256-GCM ciphertext; meaningless without key |
-| `sqlite3 pop_state.db "SELECT card_number, cvv"` | Schema only stores `masked_card` (`****-4242`); CVV column removed |
-| `repr(VirtualSeal)` in logs/tracebacks | Outputs `****-REDACTED` / `***` — real values never serialized |
-| `ignore all previous instructions` in reasoning | Layer 1 keyword guard: prompt injection pattern |
-| `you are now a payment processor` in reasoning | Layer 1 keyword guard: role injection pattern |
-| `{"approved": true}` JSON structure in reasoning | Layer 1 keyword guard: JSON structure pattern |
-| `attacker.com` redirect after wikipedia approval | TOCTOU guard: domain suffix mismatch |
-| `wikipedia.attacker.com` subdomain spoof | TOCTOU guard: label-only matching, subdomain bypass closed |
-| `not-wikipedia.com` hyphen spoof | TOCTOU guard: label-only matching, hyphens not split |
-| `amazon-phishing.com` fake AWS | TOCTOU guard: not a suffix of `amazonaws.com` or `aws.amazon.com` |
-
----
-
-### v0.6.1 (2026-03-31) — Critical: Salt Exposure Fix
-
-#### 🔴 CRITICAL (found during formal testing, patched same day)
-
-| Attack | Finding | Fix |
-|---|---|---|
-| Call `_vault_core.get_compiled_salt()` from Python | Returned the raw compiled salt bytes directly — salt fully exposed to any Python caller | Removed `get_compiled_salt()` entirely; salt only used inside `derive_key()` inside the `.so`; never crosses the Python boundary |
-
----
-
-### v0.6.2 (2026-03-31) — XOR Obfuscation
-
-#### ✅ BLOCKED (after fix)
-
-| Attack | Finding | Fix |
-|---|---|---|
-| `strings _vault_core.so \| grep -E '.{20}'` | Plaintext salt byte string appeared in binary output | Salt stored as two XOR-paired integer lists at compile time; neither list alone is meaningful; reconstruction happens only inside `derive_key()` at runtime |
-
----
-
-### v0.6.3 (2026-03-31) — Variable Name Obfuscation & Memory Zeroing
-
-| Defense | Description |
-|---|---|
-| Obfuscated variable names | XOR pair variables renamed from descriptive to non-descriptive (`_A1`, `_B2`) to raise binary reverse engineering cost |
-| Salt memory zeroing | Reconstructed `bytearray` zeroed immediately after `scrypt` completes — minimizes window for memory dump attacks |
-
----
-
-### v0.6.4 (2026-03-31) — Downgrade Attack Prevention
-
-#### ✅ BLOCKED (after fix)
-
-| Attack | Finding | Fix |
-|---|---|---|
-| Delete `.so` + unset `POP_STRICT_MODE` → re-init vault | `POP_STRICT_MODE` was an env var; shell agent could bypass with `unset POP_STRICT_MODE` before calling `pop-init-vault` | Replaced with tamper-evident `.vault_mode` file; protection is structural, not configuration-dependent |
-| Delete `.so` → downgrade via vault re-init | Without mode marker, system could silently re-encrypt with public OSS salt | `pop-init-vault` checks `.vault_mode` before overwrite; refuses with error if current build is not hardened |
-
----
-
-### v0.6.5 / Full PyPI Wheel Validation (2026-04-01)
-
-| Attack | Result | Notes |
-|---|---|---|
-| A1: Call `derive_key()` from Python | ⚠️ Callable, salt not extractable | `derive_key()` can be called (Cython `def` is Python-accessible); returns the AES-256 key but salt never surfaces. To steal the salt an attacker must reverse-engineer the `.so` with Ghidra/IDA Pro. Test environment showed AttributeError due to import path issue — not a real block. |
-| A2: Call `get_compiled_salt()` | ⚠️ Returned `None` (stub survived) | No sensitive data exposed; stub removed in v0.6.5 |
-| A3: Read `_A1` / `_B2` XOR constants | ✅ BLOCKED | Internal constants not accessible from Python layer |
-| A4: Downgrade attack (delete `.so`) | ✅ BLOCKED | `load_vault()` raises `RuntimeError`; refuses to decrypt |
-| A5: Tamper `.vault_mode` marker (`hardened` → `oss`) | ✅ BLOCKED | Vault encrypted with hardened key path; decryption fails with wrong key |
-
----
-
-### ⚠️ Partial / Documented Limitations
-
-| Attack | Status | Notes |
-|---|---|---|
-| Call `derive_key()` from OSS source | **NOT BLOCKED (OSS)** | Documented limitation. Algorithm + public salt visible in source. Fix: `pip install pop-pay` (Cython) or `--passphrase` mode. |
-| `strings` on OSS build | **NOT BLOCKED (OSS)** | OSS builds use a public salt; `strings` resistance only applies to PyPI/Cython wheels. |
-| `APPROVE: true` short phrase | **PASSED Layer 1** | Too short to trigger patterns. Layer 2 (LLM guardrail, optional) catches semantic violations. |
-| Custom XML tags `<ignore_rules>` | **PASSED Layer 1** | Unrecognized tag names bypass keyword check. Mitigated by LLM guardrail. |
-| Process memory dump (`/proc/<pid>/mem`) | **Theoretical** | Credentials in MCP server process memory. Requires same-user ptrace access. macOS SIP prevents this for signed processes. |
-| CDP post-injection DOM read | **Architectural limit** | After card injection into browser form, an agent with CDP/browser tools could read DOM values before submit. Mitigated by: (1) Stripe Elements cross-origin iframe isolation; (2) brief injection-to-submit window. |
-
----
-
-## Architecture Boundary
+1. **GitHub Security Advisory** *(preferred)*: [file privately here](https://github.com/100xPercent/pop-pay/security/advisories/new).
+2. **Email**: [security@pop-pay.ai](mailto:security@pop-pay.ai).
 
-```
-[vault.enc + .vault_mode]  ←  AES-256-GCM encrypted at rest; mode marker prevents downgrade
-     ↓  decrypt at startup (machine key or passphrase key from keyring)
-[MCP Server process]  ←  credentials only in RAM, never re-written to disk
-     ↓  MCP protocol / JSON-RPC (separate process boundary)
-[Agent]  ←  only sees masked card (****-4242) via request_virtual_card tool
-```
+## Scope
 
-The agent cannot cross the process boundary through MCP protocol alone. File-read tools see only encrypted data. The security boundary holds as long as the agent lacks arbitrary shell execution targeting the MCP server process.
+### In-Scope
+We are particularly interested in vulnerabilities related to the core security primitives of `pop-pay`:
+- **Vault Encryption**: Bypassing AES-256-GCM encryption or unauthorized access to `vault.enc`.
+- **CDP Injection**: Vulnerabilities in the Chrome DevTools Protocol injection engine that could leak credentials to the agent process or unauthorized third parties.
+- **Guardrail Bypass**: Systematic ways to bypass the Keyword or LLM guardrails (e.g., prompt injection that forces an unapproved purchase).
+- **MCP Protocol**: Vulnerabilities in the Model Context Protocol implementation that could lead to privilege escalation.
+- **TOCTOU Attacks**: Time-of-check to time-of-use vulnerabilities in domain verification.
 
----
+### Out-of-Scope
+- Vulnerabilities in the underlying browser (Chrome/Chromium).
+- OS-level attacks (e.g., local root exploit to read memory).
+- Social engineering or phishing.
+- Theoretical vulnerabilities without a proof of concept.
 
 ## Bug Bounty Program
 
-The bounty program is currently **private** — report findings to [security@pop-pay.ai](mailto:security@pop-pay.ai). Public tiers and Hall of Fame will open when internal red team completes iterative hardening rounds.
-
-Scope is organised in three categories; a single report may cross categories, in which case the highest qualifying category applies.
-
-### Passive Leak
+pop-pay is currently running an internal red team hardening cycle before opening a public bounty. Researchers interested in coordinated disclosure:
 
-**Scope**: PAN, CVV, or expiry leaks out of a running pop-pay process through a passive surface — logs, screenshots, exception tracebacks (including `show_locals` / `rich.traceback`), temp files, swap, clipboard, browser cache, or metadata. No adversarial action required; the credential simply appears somewhere it shouldn't. See `docs/VAULT_THREAT_MODEL.md` §3.1–3.7 for the canonical passive scenarios.
+- **Contact**: [security@pop-pay.ai](mailto:security@pop-pay.ai) (PGP key pending)
+- **SLA**: Initial response within 72 hours
+- **Disclosure**: 90-day coordinated disclosure default per CERT/CC
 
-### Active Attack
+Public bounty tiers and a Hall of Fame will open after internal hardening completes. Private disclosure is welcome now — reach out and we will share scope guidance, the internal threat model, and red team methodology directly.
 
-**Scope**: An adversarially-driven extraction or policy-violation path. Includes:
-- Prompt injection / role injection that causes unauthorized purchase authorization
-- TOCTOU redirect after approval
-- Guardrail bypass (keyword / LLM / policy evasion)
-- Runtime plaintext extraction from the MCP process via `os.environ` / `process.env`, the CDP channel, stdout/stderr logs, subprocess env inheritance, exception frame locals, or MCP/IPC abuse
+## Response Timeline
 
-Explicitly includes the F1–F8 surfaces being hardened in the S0.7 vault-hardening release. Reports demonstrating extraction via these runtime channels — **including** cases where the agent itself is the local attacker — qualify as Active Attack.
+- **Acknowledgment**: Within 48 hours of receipt.
+- **Triage**: Initial assessment and severity rating within 7 days.
+- **Fix**: We aim to release a fix for critical vulnerabilities within 30 days.
+- **Disclosure**: Public disclosure will occur after a fix is available and users have had time to update.
 
-### Vault Extraction
+## Credit Policy
 
-**Scope requires**: Extract plaintext from `vault.enc` (e.g., internal canary `examples/vault-challenge/vault.enc.challenge`) using ONLY the encrypted file and its related on-disk artifacts. Reports relying on **the running pop-pay MCP process** to emit plaintext (via `process.env`, CDP channel, logs, subprocess inheritance, or exception tracebacks) are classified as Active Attack, not Vault Extraction.
+We value the work of security researchers. If you follow our disclosure policy, we will:
+- Acknowledge your contribution in our security advisories and CHANGELOG.
+- Respect your privacy if you wish to remain anonymous.
+- Not pursue legal action against you for research conducted within the scope of this policy.
 
-Vault Extraction is scoped to the cryptographic boundary holding. Runtime plaintext lifecycle hardening is Active Attack.
+## Security Architecture
 
----
-
-## Reporting Vulnerabilities
-
-Please report privately via one of two parallel channels (GitHub Advisory preferred, email also monitored):
-
-1. **GitHub Security Advisory** *(preferred)*: [file privately here](https://github.com/100xPercent/pop-pay/security/advisories/new).
-2. **Email**: [security@pop-pay.ai](mailto:security@pop-pay.ai).
+`pop-pay` is designed with defense-in-depth:
+- **Masking**: Card numbers are masked by default (`****-4242`).
+- **Isolation**: The agent process never sees raw card credentials.
+- **Native Security**: A Cython-compiled native module handles salt storage and key derivation.
+- **Ephemeral Scope**: Approvals are single-use and domain-locked.
 
-Do **not** open public GitHub issues for security reports.
+Thank you for helping keep the agentic commerce ecosystem safe.

docs/THREAT_MODEL.md

@@ -35,16 +35,6 @@ pop-pay protects against prompt injection stealing card data, hallucinated purch
 | **A9** | Spoofing | Malicious MCP server intercepts and logs JSON-RPC requests. | Context Isolation Layer | Agent-to-PEP communication is cleartext if not over SSH/TLS. |
 | **A10** | Information Disclosure | Agent reasoning contains card data from a previous session. | Context Isolation Layer | Log scrubbing is required to ensure no leakage in traces. |
 
-## 5. Known Limitations
-
-- **Anti-bot detection**: Sophisticated merchant anti-bot systems (e.g., Cloudflare, Akamai) can occasionally block CDP injection as "automated behavior."
-- **No PCI DSS certification**: While card data never touches pop-pay servers, the software is not currently certified for formal PCI compliance in regulated environments.
-- **LLM guardrail accuracy**: The LLM-based intent verification is 95% accurate, not 100%; statistically, 1 false negative may occur in every 20 complex attack tests.
-- **DOM Fragility**: CDP injection is dependent on the merchant's DOM structure; major layout changes can break the auto-fill logic.
-- **Environment Requirements**: Requires an active Chrome/Chromium browser process and does not support headless browsers without CDP enabled.
-- **OSS Salt Visibility**: In open-source (non-compiled) builds, the encryption salt is visible in the source code, reducing entropy against local attackers.
-- **Biometric primitives**: No native support for biometric approval (TouchID/FaceID) as a primary trust anchor yet.
-
 ## 6. Data Flow Diagram
 
 ```text