Public-surface scans
Readiness scans inspect publicly accessible pages and signals such as robots.txt, sitemap.xml, llms.txt, JSON-LD, forms, and API references.
Security posture
Governed agent access starts with boundaries.
Arachne turns public websites into evidence-backed Shadow APIs. The system is designed to scan only authorized public surfaces, require domain verification before write-class workflows, and keep agent activity auditable through tokens, logs, drift checks, and artifact history.
What Arachne will not do
No bypassing, no hidden access, no silent writes.
The default posture is read-only and draft-only until the customer verifies control and explicitly enables stronger capabilities.
No access-control bypass
Arachne does not log into private accounts, defeat paywalls, bypass access controls, or crawl behind authentication unless a customer authorizes a separate integration.
No write actions by default
State-changing workflows are compiled as governed actions. They remain draft-only or approval-gated until domain ownership and policy controls are in place.
Controls
The hosted Shadow API is built for inspection.
Every production-grade endpoint needs more than a manifest. Arachne adds verification, approval policy, token identity, logging, and change tracking around the generated surface.
Domain verification
Customers prove ownership with a DNS TXT record or a file served under /.well-known/arachne-verification.txt. Verified domains unlock higher-trust workflows.
Capability-token wallet
Hosted actions can require capability tokens, approval gates, expiration, scope limits, and revocation instead of anonymous, unbounded calls.
Audit ledger
Usage events, billing quantities, capability-token activity, and approval events are recorded so operators can review what agents touched and when.
Prompt-injection stance
Page content is treated as data, not instruction. Evidence maps and risk profiles separate source observations from executable policy.
Drift monitoring
Rescans compare the live site with the compiled baseline and flag route, tool, selector, confidence, and risk changes before agents depend on stale assumptions.
Artifact history
Compiled artifacts are versioned with Delta-backed snapshots, making it possible to inspect exactly what changed between compiles or drift checks.
Customer data stays customer-owned.
Arachne does not sell customer scan data or use customer-submitted website data to train public AI models. Reports, logs, generated artifacts, and hosted endpoint records are used to provide, secure, audit, support, and improve the Arachne service.
Operations
Customer controls
Hosted customers can request exported deliverables, endpoint deactivation, token revocation, audit records, or deletion of Arachne-related records by contacting Solstice AI Studio.
Export
Download the manifest, MCP config, evidence map, normalized capabilities, risk profile, reports, and customer README.
Deactivate
Hosted endpoints can be disabled without changing the customer website. Self-hosting remains possible from the exported bundle.
Contact
Security, privacy, deletion, and audit-log requests can be sent to [email protected].