Real questions from real buyers — security, scoring methodology, pricing, MCP client compatibility, and what happens if you cancel.
If you don't see yours here, email [email protected].
Your front door is already open. Arachne replaces it with a glass door and a guest log.
Agents are scraping your site right now, anonymously and unauditably — your "no Shadow API" stance isn't safety, it's blindness. Arachne doesn't make agents possible; it makes them visible and accountable.
Every action is gated by a policy you define. Writes default to draft_only and require explicit per-call approval via the capability-token wallet. Page content returned to agents is flagged untrusted_page_content_is_data: true, so the MCP server tells agents verbatim to treat your content as data, never as instructions — the canonical defense against prompt injection. Every call lands in a hash-chained DeltaStore ledger you can re-walk for compliance or forensics.
You're trading invisibility for accountability. The risk delta is negative.
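What re-walking a hash-chained ledger involves, as an added sketch. This is not Arachne's code: the page does not give the DeltaStore record format, so the field names, the use of SHA-256, the genesis value and the sample calls below are all assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first entry chains to

def entry_hash(prev_hash, record):
    """Hash the previous link together with a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(ledger, record):
    """Append a record, chaining it to the hash of the last entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})

def rewalk(ledger):
    """Recompute every link; return the index of the first bad entry, or None."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None

def head(ledger):
    """Hash of the newest entry; pin this value somewhere outside the ledger."""
    return ledger[-1]["hash"] if ledger else GENESIS

def build_sample():
    """Constructed sample calls; agent and tool names are invented for illustration."""
    ledger = []
    append(ledger, {"seq": 1, "agent": "agent-a", "tool": "search_products", "mode": "read"})
    append(ledger, {"seq": 2, "agent": "agent-a", "tool": "create_order", "mode": "draft_only"})
    append(ledger, {"seq": 3, "agent": "agent-b", "tool": "search_products", "mode": "read"})
    return ledger

if __name__ == "__main__":
    ledger = build_sample()
    pinned = head(ledger)
    print("intact ledger, first bad entry:", rewalk(ledger))
    ledger[1]["record"]["mode"] = "write"  # in-place edit of a logged call
    print("after edit, first bad entry:", rewalk(ledger))
    truncated = build_sample()[:2]  # newest entry dropped
    print("truncated re-walk:", rewalk(truncated), "head matches pin:", head(truncated) == pinned)
```

A clean re-walk only proves the chain is internally consistent. Entries dropped from the end, or a chain rebuilt from scratch, are caught only by comparing the head hash against a copy kept outside the ledger.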
Deterministic, 7 weighted signals, max 100. Each signal is binary — you get the full weight or zero. The weights sum to 100, so the score IS the percentage.
| Signal | Weight | What we check |
|---|---|---|
| MCP server | 35 | /.well-known/mcp/server, /.well-known/mcp.json, or /mcp returns 200 |
| OpenAPI spec | 25 | /openapi.json, /swagger.json, or 6 other common locations contain a valid spec |
| llms.txt | 15 | /llms.txt exists and has content |
| Sitemap | 10 | /sitemap.xml or /sitemap_index.xml exists |
| robots.txt | 5 | /robots.txt exists |
| JSON-LD | 5 | Homepage has application/ld+json structured data |
| Structured forms | 5 | Forms (if any) use semantic markup — labels, named inputs |
Grade scale: A (90+) · B (75-89) · C (60-74) · D (40-59) · F (<40)
What it doesn't measure: content quality, API design quality, response time, security posture, or whether your endpoints actually work. It measures discoverability — can an agent find what it needs to call you without scraping HTML? A site can score 100 and still ship a buggy API. We measure the front door, not the rooms inside.
llms.txt? Those are descriptions. Arachne ships infrastructure.
An OpenAPI spec is a static document — useful, but agents still need a server to call. llms.txt tells crawlers what to read, not how to act. Arachne compiles either of them (or, for sites that have neither, the rendered DOM and observed network traffic) into a live MCP endpoint — with a capability-token wallet for state-changing actions and a hash-chained audit ledger for every call.
Best of all: if you already have OpenAPI, our compile is higher-quality and you score better. We're additive to those standards, not a replacement.
Your manifest is yours. You can email us to remove tools you don't want exposed, force-recompile after a site change, or upgrade tools from draft_only to wallet-gated write access once you've verified domain ownership.
Recompiles are part of your monthly. The endpoint URL stays the same so your customers don't need to reconfigure.
Less than scrapers do today. The gateway rate-limits per agent, and unlike anonymous scrapers, every call is identified and logged — you can see which MCP client is calling, how often, and what they touched. If a specific caller is abusive, you revoke their token; you can't revoke a scraper.
No. Arachne is fully egress-side — we only see what a normal browser sees on your public site. Domain ownership is proven via a DNS TXT record (or a file at /.well-known/arachne-challenge). We never touch your code, your database, or your auth system.
Anything that speaks the MCP Streamable HTTP protocol. Today that includes Claude Desktop (the most common client), Claude Code, Cursor, Continue, and custom agents built with LangChain MCP adapters or the OpenAI Agents SDK. The URL is universal.
Your hosted endpoint goes dark. Your manifest.json is yours forever — open format, no vendor lock-in. You can self-host it from the stdio config we ship in the bundle, or hand it to another MCP runtime. No data hostage situations.
Yes. The $49 readiness report includes a live preview of the Shadow API we'd compile for your domain — real manifest, real tools, real policy. You see what you'd be buying before committing to a hosted build.