Add x402 Whois FR and x402 Email Validator

[fredericsuretat]

Two more x402-powered validation APIs, live on Base mainnet.

• x402 Whois FR — Domain WHOIS with GDPR-aware output. Works for .fr and all generic TLDs. Returns registrar, creation/expiration/update dates, nameservers, status codes (active, redemptionPeriod, etc.), days-until-expiry. Owner details masked for individual (non-corporate) registrations to comply with RGPD/GDPR. POST /whois with {"domain": "example.fr"}. 0.001 USDC/call.

• x402 Email Validator — Deep email validation beyond simple regex. Four layers: RFC 5321 syntax, live DNS MX record lookup, disposable domain detection (~200 known throwaway providers), and a deliverability score (0–100). POST /validate returns valid, mx_found, is_disposable, deliverability_score, and reason. 0.001 USDC/call.

Both: self-hosted on Base mainnet, no API keys, no signup. Discovery: /.well-known/x402.json on each domain.

[TateLyman]

Ran a no-payment external spot-check on the two listed services. No payment headers, wallet signatures, paid calls, private endpoints, or account access.

Repro shape:

curl -i https://x402-whois.suretat.com/.well-known/x402.json
curl -i https://x402-email.suretat.com/.well-known/x402.json
curl -i -X POST https://x402-email.suretat.com/validate \
  -H 'content-type: application/json' \
  -H 'origin: https://suretat.com' \
  --data '{"email":"test@example.com"}'

Current readback:

• Both sampled discovery URLs timed out from here in the batch run, so /.well-known/x402.json is not yet crawler-stable from this external path.
• Email Validator /validate is live and returns a structured 402 before execution.
• Whois /whois returned 404 page not found from here.
• The sampled Email Validator 402 did not include Cache-Control: no-store or browser-readable CORS headers with the Origin probe.

Patch order before merge: stabilize discovery on both domains, verify the Whois route path matches the public PR, then add the same challenge-path no-store and CORS headers used on the earlier clean Suretat services.

[fredericsuretat]

Thank you, @TateLyman. Issues addressed:

Domain names corrected:

• Whois: x402-whois.suretat.com → x402-whois-fr.suretat.com
• Email: x402-email.suretat.com → x402-email-validator.suretat.com
  PR description updated.

Discovery endpoint: Both services now implement /.well-known/x402.json — returning structured 200.

CORS + Cache-Control: All 402 responses now include Access-Control-Allow-Origin: * and Cache-Control: no-store.

Both services are live and discovery-stable. Ready for re-review.

[TateLyman]

Re-ran the no-payment external spot-check after the host/discovery fixes.

Repro shape:

curl -i https://x402-whois-fr.suretat.com/.well-known/x402.json
curl -i -X POST https://x402-whois-fr.suretat.com/whois \
  -H 'content-type: application/json' \
  -H 'origin: https://suretat.com' \
  --data '{"domain":"example.fr"}'

Current readback:

• Both corrected discovery URLs returned 200 application/json.
• Both sampled paid routes returned structured 402 application/json before execution.
• The sampled 402 responses now include Access-Control-Allow-Origin: * and Cache-Control: no-store.
• The corrected hostnames match the PR text now.

I did not send payment headers, sign requests, or attempt paid calls.