Cross-Origin Agent Access

Follow-up to the agent-readiness work: the discovery endpoints were live and spec-correct, but a same-origin CORS lock stopped cross-origin agents (and the orank probe) from reading them. This playground shows the fix.

The bug

BEFORE

Every response carried:

Access-Control-Allow-Origin:
  https://orchestkit.yonyon.ai

A browser-based agent on any other origin → blocked from reading /ask, /api/mcp, the cards, llms feeds.

AFTER

Public, read-only site → open:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods:
  GET, POST, OPTIONS
Access-Control-Allow-Headers:
  Content-Type, Accept

Plus OPTIONS preflight handlers on /ask and /api/mcp.

New MCP discovery paths

orank's methodology probes several well-known filenames — all now resolve to the server card.

PathResolves to
/.well-known/mcpserver card
/.well-known/mcp/server-card.jsonserver card
/.well-known/mcp.jsonserver card (new)
/.well-known/mcp/manifest.jsonserver card (new)
/mcp.jsonserver card (new)

Verify the CORS header yourself

curl -s -D- -o /dev/null https://orchestkit.yonyon.ai/.well-known/agent-card.json | grep -i access-control
(click above — once deployed, this cross-origin fetch succeeds; before the fix it threw a CORS error)

PR branch feat/agent-readiness-cors. The playground itself is a cross-origin client — after deploy, the live fetch below proves agents can read the endpoint.