feat: add InstaDomain to ecosystem #179

Open
nach-dakwale wants to merge 1 commit into coinbase:main from nach-dakwale:feat/add-instadomain

Conversation

@nach-dakwale

Summary

Adds InstaDomain to the Services/Endpoints category.

What it does: Domain registration for AI agents via x402. An agent calls the MCP tool, gets a pay_url, pays with USDC on Base via x402, and the domain is registered + Cloudflare DNS configured — no browser, no human in the loop.

MCP server: https://instadomain.fly.dev/mcp/ (streamable-HTTP)
Listed on: Smithery, Glama, Official MCP Registry (io.github.nach-dakwale/instadomain)

@cb-heimdall

🟡 Heimdall Review Status

Requirement: Reviews, Status: 🟡 0/1

Denominator calculation:
  1 if user is bot: 0
  1 if user is external: 0
  2 if repo is sensitive: 0
  From .codeflow.yml: 1

Additional review requirements:
  Max: 0
  From CODEOWNERS: 0
  Global minimum: 0
  Max: 1
  1 if commit is unverified: 1
  Sum: 2

@TateLyman

Ran a no-payment external pass against the public surface listed in this PR.

Scope: public endpoint only. I did not call buy_domain, buy_domain_crypto, buy_domain_mpp, send payment headers, sign anything, or attempt a purchase.

Repro:

curl -i https://instadomain.fly.dev/mcp/

curl -i -X OPTIONS https://instadomain.fly.dev/mcp/ \
  -H 'Origin: https://www.instadomain.dev' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Access-Control-Request-Headers: content-type,x-payment,payment-signature,authorization'

curl -i -X POST https://instadomain.fly.dev/mcp/ \
  -H 'Content-Type: application/json' \
  -H 'Origin: https://www.instadomain.dev' \
  -H 'Accept: application/json, text/event-stream' \
  --data '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'

What looks good:

  • POST /mcp/ returns a valid Streamable HTTP/MCP tools/list response.
  • The tool catalog is explicit about checking price before purchase and requiring user confirmation before buy_domain, buy_domain_crypto, or buy_domain_mpp.
  • The purchase tools name the registrant/legal-owner boundary and separate Stripe checkout, x402 USDC, and MPP payment paths.

Patch notes before broad agent distribution:

  • P1 if browser-hosted agents are in scope: OPTIONS /mcp/ currently returns 405 and no CORS allow headers. A browser MCP client cannot preflight content-type,x-payment,payment-signature,authorization before calling the endpoint.
  • P2 for ecosystem discovery: the PR's websiteUrl points directly at https://instadomain.fly.dev/mcp/, but that URL returns 405 Method Not Allowed to a normal GET, and /.well-known/x402 returns 404. Consider linking a human/docs page from websiteUrl, or adding a small GET/readiness endpoint plus a well-known manifest/agent card so crawlers and reviewers can inspect the payment surface without JSON-RPC POST knowledge.
  • P2 for payment-agent safety: because this can register domains and configure DNS, the public docs should state the final confirmation rule for autonomous payment clients: price, domain string, registrant identity, payment rail, and DNS behavior should all be shown to the user before any payment retry is attempted.

Not a blocker if the intended clients are only server-side MCP clients and Coinbase reviewers are fine with POST-only discovery, but it is worth tightening before browser or marketplace agent traffic reaches it.

@nach-dakwale (Author)

Thanks for the thorough review @TateLyman. All three findings are addressed:

P1 — CORS: Added CORSMiddleware to the FastAPI app with allow_origins=["*"] and all required headers. OPTIONS /mcp/ now returns 200 with the correct preflight headers.

curl -si -X OPTIONS https://instadomain.fly.dev/mcp/ \
  -H 'Origin: https://www.instadomain.dev' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Access-Control-Request-Headers: content-type,x-payment,payment-signature,authorization'
# HTTP/2 200, access-control-allow-origin: *

P2 — Discovery: Added GET /mcp/ readiness endpoint that returns JSON with the endpoint URL, transport, docs link, and full tool list. websiteUrl in this PR now has a meaningful GET surface for crawlers and reviewers.

curl https://instadomain.fly.dev/mcp/
# {"name":"instadomain","mcp_endpoint":"...","transport":"streamable-http","tools":[...]}

P2 — Autonomous agent safety docs: Added an "Autonomous Agent Safety" section to the README that explicitly lists the five things agents must confirm before any payment: price, domain string, registrant identity, payment rail, and DNS behavior. Also notes no retries without re-confirmation.

All changes are deployed and live on Fly.io.

@TateLyman

Re-tested the deployed fixes against the same public MCP surface.

Repro:

curl -i https://instadomain.fly.dev/mcp/

curl -i -X OPTIONS https://instadomain.fly.dev/mcp/ \
  -H 'Origin: https://www.instadomain.dev' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Access-Control-Request-Headers: content-type,x-payment,payment-signature,authorization'

curl -i -X POST https://instadomain.fly.dev/mcp/ \
  -H 'Origin: https://www.instadomain.dev' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  --data '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'

Confirmed fixed from my earlier pass:

  • GET /mcp/ now returns a meaningful JSON readiness/catalog response instead of 405.
  • OPTIONS /mcp/ now returns 200.
  • Access-Control-Allow-Origin is present.
  • Access-Control-Allow-Headers includes content-type,x-payment,payment-signature,authorization.
  • tools/list still returns the expected Streamable HTTP/MCP tool catalog.
  • The tool descriptions now clearly state the user confirmation boundary before purchase/payment paths.

Remaining note is minor/P2: Access-Control-Allow-Methods is broad (DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT) while this MCP surface appears to need only GET/POST/OPTIONS. Not a merge blocker, just a small hardening cleanup.

No payment headers, signatures, credentials, purchases, or paid calls were sent.
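The preflight findings in this thread (P1: OPTIONS must answer with CORS allow headers covering content-type, x-payment, payment-signature and authorization; the remaining P2: Access-Control-Allow-Methods should be no broader than GET/POST/OPTIONS) can be checked offline against a `curl -i` capture. The following is an added example, not code from the PR or the InstaDomain project; the three response captures are constructed to mirror the before-fix, after-fix and hardened states described above.

```python
"""Offline checker for the CORS preflight findings raised in the review above."""

# Request headers a browser-hosted MCP client must be allowed to send (from the review).
REQUIRED_HEADERS = {"content-type", "x-payment", "payment-signature", "authorization"}
# Methods this MCP surface actually needs: GET readiness, POST JSON-RPC, OPTIONS preflight.
NEEDED_METHODS = {"GET", "POST", "OPTIONS"}

# Constructed captures in the shape `curl -i` prints (status line, headers, blank line).
BEFORE_FIX = "HTTP/2 405\nallow: POST\ncontent-length: 0\n\n"
AFTER_FIX = (
    "HTTP/2 200\naccess-control-allow-origin: *\n"
    "access-control-allow-methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT\n"
    "access-control-allow-headers: content-type,x-payment,payment-signature,authorization\n\n"
)
HARDENED = (
    "HTTP/2 200\naccess-control-allow-origin: *\n"
    "access-control-allow-methods: GET, POST, OPTIONS\n"
    "access-control-allow-headers: content-type,x-payment,payment-signature,authorization\n\n"
)


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP response into (status code, lowercase header map)."""
    head = raw.split("\n\n", 1)[0]
    lines = [line.strip() for line in head.strip().splitlines()]
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def _csv(value: str) -> set[str]:
    return {part.strip() for part in value.split(",") if part.strip()}


def check_preflight(raw: str) -> dict[str, bool]:
    """Evaluate an OPTIONS /mcp/ response against the review's P1 and P2 points."""
    status, h = parse_response(raw)
    allowed_headers = {x.lower() for x in _csv(h.get("access-control-allow-headers", ""))}
    allowed_methods = {x.upper() for x in _csv(h.get("access-control-allow-methods", ""))}
    return {
        "preflight_ok": status in (200, 204),
        "origin_allowed": "access-control-allow-origin" in h,
        "headers_cover_required": REQUIRED_HEADERS <= allowed_headers,
        # P2 hardening: allow-methods must be present and not exceed the needed set.
        "methods_minimal": bool(allowed_methods) and allowed_methods <= NEEDED_METHODS,
    }
```

Feed it the output of the OPTIONS curl from the repro above (redirected to a file) to re-run the check after each deploy.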
