Follow-up to the agent-readiness work: the discovery endpoints were live and spec-correct, but a same-origin CORS lock stopped cross-origin agents (and the orank probe) from reading them. This playground shows the fix.
Every response carried:
Access-Control-Allow-Origin: https://orchestkit.yonyon.ai
A browser-based agent on any other origin → blocked from reading /ask, /api/mcp, the cards, llms feeds.
Public, read-only site → open:
Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: Content-Type, Accept
Plus OPTIONS preflight handlers on /ask and /api/mcp.
orank's methodology probes several well-known filenames — all now resolve to the server card.
| Path | Resolves to |
|---|---|
| /.well-known/mcp | server card |
| /.well-known/mcp/server-card.json | server card |
| /.well-known/mcp.json | server card (new) |
| /.well-known/mcp/manifest.json | server card (new) |
| /mcp.json | server card (new) |
curl -s -D- -o /dev/null https://orchestkit.yonyon.ai/.well-known/agent-card.json | grep -i access-control(click above — once deployed, this cross-origin fetch succeeds; before the fix it threw a CORS error)
PR branch feat/agent-readiness-cors. The playground itself is a cross-origin client — after deploy, the live fetch below proves agents can read the endpoint.