@aeon-ai-pay/aigateway 0.1.0

package/skills/aigateway/references/x402-protocol.md

@@ -0,0 +1,143 @@
+# x402 Protocol (v2)
+
+A native HTTP payment protocol that monetizes APIs via blockchain. aigateway only supports **x402 v2**.
+
+## How It Works
+
+The x402 protocol extends HTTP with a two-phase payment flow using HTTP status code `402 Payment Required`:
+
+```
+Phase 1: Discovery
+  Client  ──GET /resource──>  Server
+  Client  <──HTTP 402──       Server (returns payment requirements)
+
+Phase 2: Payment
+  Client  ──GET /resource──>  Server
+           + PAYMENT-SIGNATURE header (Base64-encoded signed PaymentPayload)
+  Client  <──HTTP 200──       Server (returns resource + PAYMENT-RESPONSE header)
+```
+
+## Payment Requirements (402 Response)
+
+When the server returns 402, the response body follows the v2 `PaymentRequired` shape:
+
+```json
+{
+  "x402Version": 2,
+  "error": "PAYMENT-SIGNATURE header is required",
+  "resource": {
+    "url": "https://api.example.com/resource",
+    "description": "x402pay",
+    "mimeType": "application/json"
+  },
+  "accepts": [
+    {
+      "scheme": "exact",
+      "network": "eip155:56",
+      "networkId": "56",
+      "amount": "5000000000000001",
+      "asset": "0x55d398326f99059fF775485246999027B3197955",
+      "payTo": "0xRecipient...",
+      "maxTimeoutSeconds": 300,
+      "extra": {
+        "name": "USDT",
+        "version": "2",
+        "network": "BSC"
+      },
+      "tokenSymbol": "USDT",
+      "tokenDecimals": 18
+    }
+  ]
+}
+```
+
+### Top-level fields
+
+| Field | Type | Notes |
+|-------|------|-------|
+| `x402Version` | int | Always `2` |
+| `resource` | object | `ResourceInfo`: `{ url, description, mimeType }` |
+| `accepts` | array | List of `PaymentRequirements` the server will accept |
+| `error` | string | Prompt text — `"PAYMENT-SIGNATURE header is required"` on first request |
+
+### `accepts[]` element (`PaymentRequirements`)
+
+| Field | Type | Notes |
+|-------|------|-------|
+| `scheme` | string | `"exact"` |
+| `network` | string | CAIP-2 — `"eip155:56"` for BSC |
+| `networkId` | string | Chain ID as string — `"56"` |
+| `amount` | string | Exact atomic-unit amount **(with order-matching suffix — do not round)** |
+| `asset` | string | Token contract address |
+| `payTo` | string | Recipient address |
+| `maxTimeoutSeconds` | int | Payment validity window in seconds |
+| `extra` | object | EIP-712 domain params — `name` + `version` (token EIP-712 domain) |
+| `tokenSymbol` | string | Informational, e.g. `"USDT"` |
+| `tokenDecimals` | int | Informational, e.g. `18` |
+
+## PAYMENT-SIGNATURE Header
+
+The client signs an EIP-712 typed data structure and sends it as a Base64-encoded request header named **`PAYMENT-SIGNATURE`** (the legacy v1 `X-PAYMENT` header is no longer supported).
+
+Decoded payload follows the v2 `PaymentPayload` shape:
+
+```json
+{
+  "x402Version": 2,
+  "resource": { "url": "...", "description": "x402pay", "mimeType": "application/json" },
+  "accepted": { /* the chosen PaymentRequirements */ },
+  "payload": {
+    "authorization": {
+      "from": "0xPayer...",
+      "to":   "0xPayee...",
+      "value": "5000000000000001",
+      "validAfter":  "1700000000",
+      "validBefore": "1700000900",
+      "nonce": "0x..."
+    },
+    "signature": "0x..."
+  },
+  "extensions": {}
+}
+```
+
+Notes:
+- `authorization.value` **must equal** `accepts[i].amount` (the unique order-matching amount).
+- Signature is EIP-712 over the token's `TransferWithAuthorization` domain — or a Facilitator-mediated domain when the token contract does not support ERC-3009 (e.g. BSC USDT).
+
+## PAYMENT-RESPONSE Header
+
+On success, the server returns a `PAYMENT-RESPONSE` response header (Base64-encoded JSON). Decoded content:
+
+```json
+{
+  "success": true,
+  "transaction": "0xabc...def",
+  "network": "bsc",
+  "payer": "0xPayer..."
+}
+```
+
+## Core Concepts
+
+### Unique Amount Matching
+
+The server generates a slightly adjusted unique amount for each order (e.g. `5.000001 USDT` instead of `5.00`). This allows the server to match a specific order via cache lookup using the on-chain transfer amount alone — no order ID is needed inside the signed payload.
+
+### Facilitator
+
+An intermediary service responsible for:
+1. Verifying the signed payment payload (`POST /verify`)
+2. Submitting the transaction on-chain (`POST /settle`)
+3. Returning the settlement transaction hash
+
+### Supported Networks
+
+| Network | CAIP-2 | Chain ID | Token |
+|---------|--------|----------|-------|
+| BSC Mainnet | `eip155:56` | `56` | USDT (BEP-20) |
+
+## Client Libraries (aigateway uses)
+
+- `@aeon-ai-pay/axios` — Axios interceptor that automatically handles 402 responses
+- `@aeon-ai-pay/evm` — EVM signing utilities (EIP-712, ERC-3009, Facilitator scheme)

package/src/balance.mjs

@@ -0,0 +1,92 @@
+/**
+ * 钱包余额查询（共享模块）
+ */
+import { privateKeyToAccount } from "viem/accounts";
+import { createPublicClient, http, formatUnits } from "viem";
+import { bsc } from "viem/chains";
+import { BSC_RPC_URL, USDT_BSC, FACILITATOR_ADDRESS } from "./constants.mjs";
+
+const ERC20_BALANCE_ABI = [
+  {
+    name: "balanceOf",
+    type: "function",
+    stateMutability: "view",
+    inputs: [{ name: "account", type: "address" }],
+    outputs: [{ name: "", type: "uint256" }],
+  },
+];
+
+const ERC20_ALLOWANCE_ABI = [
+  {
+    name: "allowance",
+    type: "function",
+    stateMutability: "view",
+    inputs: [
+      { name: "owner", type: "address" },
+      { name: "spender", type: "address" },
+    ],
+    outputs: [{ name: "", type: "uint256" }],
+  },
+];
+
+let cachedClient = null;
+
+function getClient() {
+  if (!cachedClient) {
+    cachedClient = createPublicClient({
+      chain: bsc,
+      transport: http(BSC_RPC_URL, { timeout: 6000, retryCount: 1 }),
+    });
+  }
+  return cachedClient;
+}
+
+/**
+ * 通过地址查询 BNB 和 USDT 余额（不需要私钥）
+ * @param {string} address - EVM 地址
+ */
+export async function getBalanceByAddress(address) {
+  const client = getClient();
+
+  const [bnbRaw, usdtRaw] = await Promise.all([
+    client.getBalance({ address }),
+    client.readContract({
+      address: USDT_BSC,
+      abi: ERC20_BALANCE_ABI,
+      functionName: "balanceOf",
+      args: [address],
+    }),
+  ]);
+
+  return {
+    address,
+    bnb: formatUnits(bnbRaw, 18),
+    usdt: formatUnits(usdtRaw, 18),
+    bnbRaw,
+    usdtRaw,
+  };
+}
+
+/**
+ * 通过私钥查询钱包 BNB 和 USDT 余额
+ * @param {string} privateKey
+ */
+export async function getWalletBalance(privateKey) {
+  const account = privateKeyToAccount(privateKey);
+  return getBalanceByAddress(account.address);
+}
+
+/**
+ * 查询 session key 对 facilitator 的 USDT allowance
+ * @param {string} ownerAddress - session key 地址
+ * @returns {bigint} 当前 allowance（wei）
+ */
+export async function getAllowance(ownerAddress) {
+  const client = getClient();
+  return client.readContract({
+    address: USDT_BSC,
+    abi: ERC20_ALLOWANCE_ABI,
+    functionName: "allowance",
+    args: [ownerAddress, FACILITATOR_ADDRESS],
+  });
+}

package/src/commands/clean.mjs

@@ -0,0 +1,65 @@
+import { existsSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { execFileSync } from "node:child_process";
+import { emitOk, logInfo, logError } from "../output.mjs";
+
+export async function clean() {
+  const home = homedir();
+  const removed = [];
+
+  // 1. 用 skills CLI 移除（覆盖所有工具）
+  try {
+    execFileSync("npx", ["skills", "remove", "aigateway", "-g", "-y"], {
+      stdio: "inherit",
+      timeout: 30000,
+    });
+    logInfo("Removed aigateway skill via skills CLI");
+    removed.push("skills");
+  } catch {
+    // skills CLI 不可用，手动清理 Claude Code
+    const skillDir = join(home, ".claude", "skills", "aigateway");
+    if (existsSync(skillDir)) {
+      rmSync(skillDir, { recursive: true, force: true });
+      logInfo(`Removed skill: ${skillDir}`);
+      removed.push(skillDir);
+    }
+  }
+
+  // 2. 卸载全局包
+  try {
+    execFileSync("npm", ["uninstall", "-g", "@aeon-ai-pay/aigateway"], {
+      stdio: "inherit",
+      timeout: 30000,
+    });
+    logInfo("Uninstalled @aeon-ai-pay/aigateway globally");
+    removed.push("npm-global");
+  } catch {
+    logInfo("Global package not installed, skipping uninstall");
+  }
+
+  // 3. 清理 npm 缓存
+  try {
+    execFileSync("npm", ["cache", "clean", "--force"], {
+      stdio: "inherit",
+      timeout: 30000,
+    });
+    logInfo("npm cache cleaned");
+    removed.push("npm-cache");
+  } catch {
+    logError("Failed to clean npm cache, skipping");
+  }
+
+  // 4. 清理 npx 缓存
+  const npxCache = join(home, ".npm", "_npx");
+  if (existsSync(npxCache)) {
+    rmSync(npxCache, { recursive: true, force: true });
+    logInfo(`Removed npx cache: ${npxCache}`);
+    removed.push("npx-cache");
+  }
+
+  logInfo("\nClean complete. Reinstall with:");
+  logInfo("  npm install -g @aeon-ai-pay/aigateway@latest");
+
+  emitOk("clean", { removed }, { success: true, removed });
+}

package/src/commands/create-card-status.mjs

@@ -0,0 +1,67 @@
+import { resolve } from "../config.mjs";
+import { POLL_INTERVAL, MAX_POLLS } from "../constants.mjs";
+import { sanitizeOutput } from "../sanitize.mjs";
+import { emitOk, emitErr, logInfo } from "../output.mjs";
+
+export async function status(opts) {
+  const { default: axios } = await import("axios");
+  const serviceUrl = resolve(opts.serviceUrl, "AIGATEWAY_SERVICE_URL", "serviceUrl");
+  const { orderNo, poll, appId } = opts;
+
+  if (!serviceUrl) {
+    emitErr("create-card-status", "SERVICE_URL_MISSING", {
+      message: "Missing service URL. Set env AIGATEWAY_SERVICE_URL if you need to override the built-in default.",
+      appId,
+    });
+    return;
+  }
+
+  const url = `${serviceUrl}/open/ai/x402/card/status?orderNo=${encodeURIComponent(orderNo)}&appId=${encodeURIComponent(appId)}`;
+
+  if (!poll) {
+    try {
+      const res = await axios.get(url);
+      const sanitized = sanitizeOutput(res.data);
+      emitOk("create-card-status", { appId, ...sanitized }, sanitized);
+    } catch (error) {
+      emitErr("create-card-status", "SERVICE_UNAVAILABLE", {
+        message: error.message,
+        status: error.response?.status,
+        data: error.response?.data,
+        appId,
+      });
+    }
+    return;
+  }
+
+  logInfo(`Polling ${url} every ${POLL_INTERVAL / 1000}s (max ${MAX_POLLS} times)`);
+
+  for (let i = 1; i <= MAX_POLLS; i++) {
+    try {
+      const res = await axios.get(url);
+      const model = res.data?.model;
+
+      logInfo(
+        `[${i}/${MAX_POLLS}] orderStatus=${model?.orderStatus} channelStatus=${model?.channelStatus} cardStatus=${model?.cardStatus || "-"}`,
+      );
+
+      if (model?.orderStatus === "SUCCESS" || model?.orderStatus === "FAIL") {
+        const sanitized = sanitizeOutput(res.data);
+        emitOk("create-card-status", { appId, ...sanitized }, sanitized);
+        return;
+      }
+    } catch (e) {
+      logInfo(`[${i}/${MAX_POLLS}] Error: ${e.message}`);
+    }
+
+    if (i < MAX_POLLS) {
+      await new Promise((r) => setTimeout(r, POLL_INTERVAL));
+    }
+  }
+
+  emitErr("create-card-status", "POLL_TIMEOUT", {
+    orderNo,
+    appId,
+    message: "Polling timeout. Card may still be provisioning.",
+  });
+}

package/src/commands/create-card.mjs

@@ -0,0 +1,333 @@
+/**
+ * create-card：通过 x402 协议在 BSC 上用 USDT 支付，发一张一次性虚拟卡
+ *
+ * 服务端路径：GET {serviceUrl}/open/ai/x402/card/create?amount=<usd>&appId=<merchant>
+ * 流程：fetch payment requirements → balance + allowance 检查
+ *      → （余额不足时）走 funding.mjs/fundSessionKey 充值
+ *      → x402 EIP-712 签名提交 → 可选轮询 status
+ */
+import { createX402Api, decodePaymentResponse, fetchPaymentRequirements } from "../x402.mjs";
+import { resolve } from "../config.mjs";
+import { getWalletBalance, getAllowance } from "../balance.mjs";
+import { sanitizeOutput } from "../sanitize.mjs";
+import axios from "axios";
+import {
+  MIN_AMOUNT, MAX_AMOUNT, POLL_INTERVAL, MAX_POLLS,
+} from "../constants.mjs";
+import { WalletConnectError } from "../walletconnect.mjs";
+import {
+  fundSessionKey,
+  promptTopupAmount,
+  MIN_TOPUP_USDT,
+  TOPUP_PRESETS,
+} from "../funding.mjs";
+import { emitOk, emitErr, logInfo } from "../output.mjs";
+
+export async function createCard(opts) {
+  logInfo("Creating Agent Card...");
+  const serviceUrl = resolve(opts.serviceUrl, "AIGATEWAY_SERVICE_URL", "serviceUrl");
+  const privateKey = resolve(opts.privateKey, "EVM_PRIVATE_KEY", "privateKey");
+  const { amount, poll, appId, dryRun } = opts;
+  const amountNum = parseFloat(amount);
+
+  if (!serviceUrl) {
+    emitErr("create-card", "SERVICE_URL_MISSING", {
+      message: "Missing service URL. Set env AIGATEWAY_SERVICE_URL if you need to override the built-in default.",
+      appId,
+    });
+    return;
+  }
+  if (!privateKey) {
+    emitErr("create-card", "WALLET_NOT_CONFIGURED", { appId });
+    return;
+  }
+  if (isNaN(amountNum) || amountNum < MIN_AMOUNT) {
+    emitErr("create-card", "AMOUNT_OUT_OF_RANGE", {
+      message: `Amount must be at least $${MIN_AMOUNT}. Allowed range: $${MIN_AMOUNT} ~ $${MAX_AMOUNT} USD.`,
+      min: MIN_AMOUNT,
+      max: MAX_AMOUNT,
+      appId,
+    });
+    return;
+  }
+  if (amountNum > MAX_AMOUNT) {
+    emitErr("create-card", "AMOUNT_OUT_OF_RANGE", {
+      message: `Amount must not exceed $${MAX_AMOUNT}. Allowed range: $${MIN_AMOUNT} ~ $${MAX_AMOUNT} USD.`,
+      min: MIN_AMOUNT,
+      max: MAX_AMOUNT,
+      appId,
+    });
+    return;
+  }
+
+  const url = `${serviceUrl}/open/ai/x402/card/create?amount=${encodeURIComponent(amount)}&appId=${encodeURIComponent(appId)}`;
+  logInfo("Fetching payment requirements...");
+  let requiredUsdt;
+  let paymentReq;
+  try {
+    paymentReq = await fetchPaymentRequirements(url);
+    requiredUsdt = paymentReq.amountUsdt;
+    logInfo(`Required: ${requiredUsdt} USDT (pay to ${paymentReq.payTo})`);
+  } catch (e) {
+    emitErr("create-card", "PAYMENT_FETCH_FAILED", {
+      message: `Failed to fetch payment requirements: ${e.message}`,
+      appId,
+    });
+    return;
+  }
+
+  logInfo("Checking wallet...");
+  let needTopup = false;
+  let needGas = false;
+  let sessionAddress;
+  let topupAmount = null;
+  let balanceInitialUsdt = null;
+
+  try {
+    const { address, usdt, bnb, bnbRaw } = await getWalletBalance(privateKey);
+    sessionAddress = address;
+    balanceInitialUsdt = usdt;
+    const usdtNum = parseFloat(usdt);
+    logInfo(`Wallet: ${address}`);
+    logInfo(`Balance: ${usdt} USDT, ${bnb} BNB`);
+
+    const allowance = await getAllowance(address);
+    const requiredWei = BigInt(paymentReq.amountWei);
+    if (requiredWei === 0n) {
+      emitErr("create-card", "INVALID_PAYMENT_AMOUNT", {
+        message: "Server returned invalid payment amount (0). Please retry later.",
+        appId,
+      });
+      return;
+    }
+    if (allowance >= requiredWei) {
+      logInfo("Allowance sufficient, no approve needed.");
+    } else {
+      logInfo(`Allowance ${allowance} < required ${requiredWei}; approve needed.`);
+      if (bnbRaw === 0n) {
+        needGas = true;
+        logInfo("No BNB for approve gas, will request BNB transfer.");
+      }
+    }
+
+    if (usdtNum < requiredUsdt) {
+      needTopup = true;
+      const shortfall = requiredUsdt - usdtNum;
+      const minTopup = Math.max(MIN_TOPUP_USDT, Math.ceil(shortfall));
+      logInfo(`USDT insufficient: have ${usdtNum}, need ${requiredUsdt}, shortfall ${shortfall.toFixed(6)} (top-up minimum: ${minTopup} USDT)`);
+
+      if (opts.topupAmount != null && String(opts.topupAmount).trim() !== "") {
+        const amt = Number(opts.topupAmount);
+        if (!Number.isFinite(amt) || amt <= 0) {
+          emitErr("create-card", "AMOUNT_INVALID", {
+            message: `Invalid --topup-amount: ${opts.topupAmount}`,
+            appId,
+          });
+          return;
+        }
+        if (amt < minTopup) {
+          emitErr("create-card", "TOPUP_AMOUNT_TOO_SMALL", {
+            message: `--topup-amount ${amt} USDT is below the ${minTopup} USDT minimum for this call.`,
+            minTopup,
+            appId,
+          });
+          return;
+        }
+        topupAmount = String(opts.topupAmount);
+        logInfo(`Using --topup-amount: ${topupAmount} USDT`);
+      } else if (process.stdin.isTTY) {
+        topupAmount = await promptTopupAmount(minTopup);
+        logInfo(`Selected top-up amount: ${topupAmount} USDT`);
+      } else {
+        const presets = TOPUP_PRESETS.filter((v) => v >= minTopup);
+        emitErr("create-card", "TOPUP_REQUIRED", {
+          message: `USDT balance is below the ${minTopup} USDT minimum for this call. Choose a top-up amount and rerun with --topup-amount <usdt>.`,
+          minTopup,
+          required: requiredUsdt,
+          currentBalance: balanceInitialUsdt,
+          address: sessionAddress,
+          appId,
+          presets,
+          hint: `Rerun: aigateway wallet-topup --amount <usdt> --app-id ${appId}`,
+        });
+        return;
+      }
+    }
+  } catch (e) {
+    emitErr("create-card", "BALANCE_CHECK_FAILED", {
+      message: `Balance check failed: ${e.message}`,
+      appId,
+    });
+    return;
+  }
+
+  // Dry-run：跑完前置检查就退出
+  if (dryRun) {
+    const preview = {
+      dryRun: true,
+      appId,
+      url,
+      paymentRequirements: {
+        amountUsdt: requiredUsdt,
+        amountWei: paymentReq.amountWei,
+        asset: paymentReq.asset,
+        payTo: paymentReq.payTo,
+        orderNo: paymentReq.orderNo,
+      },
+      wallet: { address: sessionAddress },
+      decision: { needTopup, needGas, topupAmount },
+      will: [
+        ...(needTopup ? ["fund_usdt_via_walletconnect"] : []),
+        ...(needGas ? ["fund_bnb_via_walletconnect"] : []),
+        "approve_or_skip",
+        "sign_payment_eip712",
+        "submit_to_facilitator",
+        ...(poll ? ["poll_status"] : []),
+      ],
+    };
+    emitOk("create-card", preview, { success: true, ...preview });
+    return;
+  }
+
+  // WalletConnect 充值
+  if (needTopup || needGas) {
+    logInfo("Funding flow triggered...");
+    try {
+      await fundSessionKey({
+        sessionAddress,
+        usdtAmount: needTopup ? topupAmount : null,
+        needGas,
+      });
+    } catch (e) {
+      if (e instanceof WalletConnectError) {
+        emitErr("create-card", e.code, { message: e.message, address: sessionAddress, appId });
+      } else {
+        emitErr("create-card", "FUNDING_FAILED", { message: e.message, address: sessionAddress, appId });
+      }
+      return;
+    }
+
+    logInfo("Re-checking wallet balance...");
+    try {
+      const { usdt, bnbRaw } = await getWalletBalance(privateKey);
+      const usdtNum = parseFloat(usdt);
+      if (needGas && bnbRaw === 0n) {
+        emitErr("create-card", "INSUFFICIENT_BNB", {
+          message: "No BNB for approve transaction after funding. Run 'aigateway wallet-gas' to add BNB manually.",
+          address: sessionAddress,
+          appId,
+        });
+        return;
+      }
+      if (usdtNum < requiredUsdt) {
+        emitErr("create-card", "INSUFFICIENT_USDT", {
+          message: "Still insufficient USDT after funding.",
+          required: `${requiredUsdt} USDT`,
+          available: `${usdt} USDT`,
+          address: sessionAddress,
+          appId,
+        });
+        return;
+      }
+    } catch (e) {
+      emitErr("create-card", "BALANCE_CHECK_FAILED", {
+        message: `Balance re-check failed: ${e.message}`,
+        appId,
+      });
+      return;
+    }
+  }
+
+  const { client } = createX402Api(privateKey);
+  logInfo(`Creating card: $${amount} USD via ${url}`);
+
+  try {
+    const { x402HTTPClient } = await import("@aeon-ai-pay/core/client");
+    const httpClient = new x402HTTPClient(client);
+
+    const raw402 = paymentReq.raw402Response;
+    const getHeader = (name) => {
+      const value = raw402.headers[name] ?? raw402.headers[name.toLowerCase()];
+      return typeof value === "string" ? value : undefined;
+    };
+    const paymentRequired = httpClient.getPaymentRequiredResponse(getHeader, raw402.data);
+    const paymentPayload = await client.createPaymentPayload(paymentRequired);
+    const paymentHeaders = httpClient.encodePaymentSignatureHeader(paymentPayload);
+
+    const response = await axios.get(url, {
+      headers: { ...paymentHeaders, "Access-Control-Expose-Headers": "PAYMENT-RESPONSE" },
+    });
+    const paymentResponse = decodePaymentResponse(response.headers);
+    const orderNo = paymentReq.orderNo || response.data?.model?.orderNo || response.data?.orderNo;
+
+    const sanitizedData = sanitizeOutput(response.data);
+    const successData = {
+      appId,
+      orderNo,
+      data: sanitizedData,
+      paymentResponse,
+    };
+
+    function findCardStatus(obj) {
+      if (!obj || typeof obj !== 'object') return null;
+      if (obj.cardStatus) return obj.cardStatus;
+      for (const v of Object.values(obj)) {
+        const found = findCardStatus(v);
+        if (found) return found;
+      }
+      return null;
+    }
+    const initialOrderStatus = response.data?.model?.orderStatus;
+    const initialCardStatus = findCardStatus(response.data);
+    const cardReady = initialOrderStatus === "SUCCESS" || initialOrderStatus === "FAIL" || initialCardStatus === "ACTIVE";
+
+    if (cardReady) {
+      logInfo(`Card ready (orderStatus=${initialOrderStatus}, cardStatus=${initialCardStatus}), no polling needed.`);
+      emitOk("create-card", successData, { success: true, ...successData });
+      return;
+    }
+
+    if (poll && orderNo) {
+      logInfo(`\nPolling status for orderNo: ${orderNo}`);
+      const pollResult = await pollStatus(serviceUrl, orderNo, appId);
+      successData.pollResult = pollResult;
+      emitOk("create-card", successData, { success: true, ...successData, pollResult });
+      return;
+    }
+
+    if (poll && !orderNo) {
+      logInfo("Warning: No orderNo available for polling. Query status manually.");
+    }
+    emitOk("create-card", successData, { success: true, ...successData });
+  } catch (error) {
+    emitErr("create-card", "PAYMENT_FAILED", {
+      message: error.message,
+      status: error.response?.status,
+      data: error.response?.data,
+      appId,
+    });
+  }
+}
+
+async function pollStatus(serviceUrl, orderNo, appId) {
+  for (let i = 1; i <= MAX_POLLS; i++) {
+    if (i > 1) {
+      const delay = i <= 5 ? 2000 : POLL_INTERVAL;
+      await new Promise((r) => setTimeout(r, delay));
+    }
+    try {
+      const res = await axios.get(
+        `${serviceUrl}/open/ai/x402/card/status?orderNo=${encodeURIComponent(orderNo)}&appId=${encodeURIComponent(appId)}`,
+      );
+      const model = res.data?.model;
+      logInfo(`[${i}/${MAX_POLLS}] orderStatus=${model?.orderStatus} channelStatus=${model?.channelStatus}`);
+      if (model?.orderStatus === "SUCCESS" || model?.orderStatus === "FAIL" || model?.cardStatus === "ACTIVE") {
+        return sanitizeOutput(model);
+      }
+    } catch (e) {
+      logInfo(`[${i}/${MAX_POLLS}] Poll error: ${e.message}`);
+    }
+  }
+  logInfo(`Polling timeout after ${MAX_POLLS} attempts. Check manually with: aigateway create-card-status --order-no ${orderNo}`);
+  return null;
+}