Use when the user asks to buy a product from the Shopify store. Orchestrates checkout with credit card details injected via keypo-signer vault exec (biometric policy — Touch ID required).
Orchestrate a Shopify purchase with credit card secrets injected at runtime from the keypo-signer vault. The agent never sees or handles card data — Touch ID acts as the human-in-the-loop approval.
For vault usage rules, see skills/keypo-signer/SKILL.md.
Run these checks in parallel before starting:
# 1. Vault has address secrets in open tier + card secrets in biometric tier
keypo-signer vault list
# Expect: SHIPPING_FIRST_NAME, SHIPPING_LAST_NAME, etc. in "open"
# Expect: CARD_NUMBER, NAME_ON_CARD, EXPIRATION_MONTH, EXPIRATION_YEAR, SECURITY_CODE in "biometric"
If vault secrets are missing, tell the user to set up the vault — do not attempt to store secrets yourself.
Query the store's JSON API to find products and their variant IDs:
curl -s https://shop.keypo.io/products.json | jq '.products[] | {title, handle, price: .variants[0].price, variant_id: .variants[0].id}'
Build the product URL as: https://shop.keypo.io/products/<handle>?variant=<variant_id>
demo/checkout/run-with-vault.sh <product-url> [size]
Path note: run-with-vault.sh is in demo/checkout/. Always run from the repo root or use an absolute path.
This triggers keypo-signer vault exec --env .env.vault-template which will:
Wait for the user to authenticate via Touch ID before proceeding.
Watch stdout for checkout status:
- Navigating to URL — browser launching
- Attempting to add product to cart — add to cart
- Entering contact email — checkout started
- Entering card details — payment fields
- Clicking Pay now button — submitting order
- has completed — success
- has a checkout error — failure, inspect browser

Tell the user whether the checkout succeeded or failed. If succeeded, note that they should check their email for the order confirmation.
Note: An Error sending email / ECONNREFUSED 127.0.0.1:587 error is expected — there is no local SMTP server. This does not affect the order; it only means the bot's internal notification email was not sent. The Shopify order confirmation is sent separately by Shopify.
These rules are absolute — violating them breaks the security model.
- No vault get — this retrieves plaintext secrets. Use only vault exec.
- No .env files with real card values.
- No values in CARD_* fields in .env.vault-template — they must remain blank.

See skills/keypo-signer/SKILL.md for the complete vault safety rules.
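One way to enforce the blank-card-field rule before each run, as an added example that is not part of this skill or of keypo-signer. It assumes .env.vault-template is a dotenv-style file of KEY=VALUE lines; the function name check_vault_template is hypothetical, and the key names are the biometric-tier secrets listed in the pre-flight check.

```shell
#!/bin/sh
# Added example: lint a vault template so card fields never hold real values.
# Assumption: the template is dotenv-style (KEY=VALUE, optional "export", # comments).
# Usage: check_vault_template .env.vault-template && demo/checkout/run-with-vault.sh <product-url>

# Biometric-tier secret names from the pre-flight check; any CARD_* key is also covered.
CARD_KEYS="CARD_NUMBER NAME_ON_CARD EXPIRATION_MONTH EXPIRATION_YEAR SECURITY_CODE"

# Prints the NAME (never the value) of each populated card field.
# Exit status: 0 = all card fields blank, 1 = at least one populated, 2 = file unreadable.
check_vault_template() (
    file=$1
    [ -r "$file" ] || { echo "cannot read template: $file" >&2; exit 2; }
    awk -v keys="$CARD_KEYS" -v q="'" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) card[k[i]] = 1 }
        /^[ \t]*#/ { next }                          # whole-line comment
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)  # tolerate "export KEY=..."
            eq = index(line, "=")
            if (eq == 0) next                        # not an assignment
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)
            sub(/[ \t]*#.*$/, "", val)               # drop a trailing comment
            gsub(/[ \t\r]/, "", val)
            if (val == "\"\"" || val == q q) val = ""  # empty quotes count as blank
            if (((key in card) || key ~ /^CARD_/) && val != "") {
                print key                            # report the key only
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$file"
)
```

The check fails closed: any non-empty value in a card field is reported by key name only, so the lint itself never echoes card data into logs or agent context.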