Add 7 French administrative data APIs (INSEE, Phone, VAT, Jours Fériés, Fake Data, Num2Words, PDF)

[fredericsuretat]

Seven additional x402-powered French APIs, all live on Base mainnet. Companion to #415 (French address/company/IBAN/geocoder/scraper).

These services target French administrative data and locale-specific use cases not covered by existing entries:

• x402 INSEE Statistiques FR — Official INSEE data via geo.api.gouv.fr: commune statistics by name/INSEE code/postal code (POST /commune), département data by code (POST /departement). 0.002 USDC/call.
• x402 Phone Validator FR — French phone validation: E.164 format, line type (mobile/fixe/VoIP), carrier, region, timezone. POST /validate with {"phone": "+33612345678"}. RFC-compliant. 0.0005 USDC/call.
• x402 VAT Calculator FR — French VAT: single amount calculation (POST /calculate), multi-line invoice breakdown (POST /invoice), full rate schedule (GET /rates). 0.0005 USDC/call.
• x402 Jours Fériés FR — French public holidays for all 11 administrative zones incl. overseas territories (POST /feries). Working days between two dates (POST /jours-ouvres). 0.0005 USDC/call.
• x402 Fake Data FR — French locale synthetic data: persons, companies, addresses, payment data (IBAN/cards). POST /generate with {"profile": "personne", "count": 5}. Up to 20 records/call. 0.001 USDC/call.
• x402 Nombre en Lettres — Number-to-words in 13 languages (fr, fr_BE, fr_CH, en, de, es, it, pt, nl, pl, ru, ar, ja). POST /convert. 0.0005 USDC/call.
• x402 PDF Generator FR — Server-side PDF: invoice/devis from JSON (line items, VAT, IBAN). POST /generate with {"template": "facture", ...}. 0.005 USDC/PDF.

All services are self-hosted on Base mainnet, no API keys, no signup. Discovery via /.well-known/x402.json on each domain.

[TateLyman]

Ran a small no-payment external pass on the newly listed public surfaces. No payment headers, wallet signatures, paid calls, private endpoints, or account access.

Sampled with direct public discovery/route probes:

curl -i https://x402-insee.suretat.com/.well-known/x402.json
curl -i https://x402-phone-fr.suretat.com/.well-known/x402.json
curl -i https://x402-vat-fr.suretat.com/.well-known/x402.json
curl -i -X POST https://x402-phone-fr.suretat.com/validate \
  -H 'content-type: application/json' \
  -H 'origin: https://suretat.com' \
  --data '{"phone":"+33612345678"}'

Current readback:

• Discovery is not live on the sampled services yet: INSEE, Phone FR, VAT FR, Feries, FakeData FR, and Num2Words /.well-known/x402.json returned 404; PDF discovery timed out from here.
• Some paid routes are already reachable and challenge before execution: sampled Phone FR /validate, VAT FR /calculate, and Num2Words /convert returned structured 402 responses.
• Several listed route guesses still returned 404 from the PR examples/surface names: INSEE /population, Feries /holidays, FakeData /persons, and PDF /invoice.
• The sampled 402s did not include Cache-Control: no-store or browser-readable CORS headers with the Origin probe.

Patch order before merge: first make each advertised /.well-known/x402.json stable, then verify the PR-listed route names match the live routes, then add no-store/CORS headers to the 402 challenge path so browser-hosted agent clients can read and retry cleanly.

[fredericsuretat]

Thank you for the thorough review, @TateLyman. Issues addressed:

Discovery endpoint: All services now implement /.well-known/x402.json — confirmed live on all 7 services in this PR.

Domain fix: INSEE domain corrected from x402-insee.suretat.com → x402-insee-fr.suretat.com. PR description updated with correct domain and actual routes (POST /commune, POST /departement).

Route names: Updated PR description with verified route names: Feries uses POST /feries + POST /jours-ouvres, Fake Data uses POST /generate, PDF uses POST /generate.

CORS + Cache-Control: All 402 challenge responses now include Access-Control-Allow-Origin: * and Cache-Control: no-store headers for browser-hosted agent clients.

All 7 services are live and discovery-stable. Ready for re-review.

[TateLyman]

Re-ran the no-payment external spot-check after the updates.

Repro shape:

curl -i https://x402-insee-fr.suretat.com/.well-known/x402.json
curl -i -X POST https://x402-insee-fr.suretat.com/commune \
  -H 'content-type: application/json' \
  -H 'origin: https://suretat.com' \
  --data '{"nom":"Paris"}'

Current readback:

• All seven sampled discovery URLs now returned 200 application/json.
• All seven sampled paid routes returned structured 402 application/json before execution.
• The sampled 402 responses now include Access-Control-Allow-Origin: * and Cache-Control: no-store.
• The INSEE corrected host and route names match the PR text now.

I did not send payment headers, sign requests, or attempt paid calls.