
feat(ecosystem): add extract.dkta.dev — LLM-ready content extraction …#184

Open
dkta0 wants to merge 1 commit into coinbase:main from dkta0:feat/add-extract-dkta

dkta0 commented May 25, 2026

Description

extract.dkta.dev is a content extraction API built for AI agents. It returns clean, LLM-ready markdown from any URL — stripped of nav, ads, and boilerplate. Agents integrate via x402 on Base: no account, no API key, no subscription. The x402 payment flow is handled automatically by any x402-compatible client.

Test plan

  • Verify metadata.json renders correctly in the ecosystem directory
  • Confirm websiteUrl is live: https://extract.dkta.dev

@cb-heimdall

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2

@TateLyman

Ran a no-payment external pass against the public extract.dkta.dev surface linked from this ecosystem PR. I did not send payment headers, sign requests, or attempt paid calls.

Repro:

curl -i https://extract.dkta.dev/
curl -i https://extract.dkta.dev/.well-known/x402.json
curl -i https://extract.dkta.dev/openapi.json
curl -i https://extract.dkta.dev/llms.txt

npx --yes x402-surface-check@latest https://extract.dkta.dev/openapi.json \
  --limit 8 \
  --origin https://extract.dkta.dev

npx --yes x402-surface-check@latest --endpoint --method GET \
  "https://extract.dkta.dev/v1/extract?url=https://example.com&format=markdown" \
  --origin https://extract.dkta.dev

curl -i -X OPTIONS \
  "https://extract.dkta.dev/v1/extract?url=https://example.com&format=markdown" \
  -H "Origin: https://extract.dkta.dev" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: content-type,x-payment,payment-signature,x-payment-signature"

What looks good:

  • Website, /.well-known/x402.json, /openapi.json, and /llms.txt are live.
  • The sampled paid extraction route returns 402 before execution.
  • The challenge advertises Base USDC, amount 1000 ($0.001), and a production-looking payee.
  • OpenAPI clearly documents /v1/extract as the paid route and keeps docs routes public.

Patch notes before/after ecosystem listing:

  • P1: sampled 402 responses did not include Access-Control-Allow-Origin / exposed payment headers, so browser agents cannot read the payment requirement.
  • P1: sampled OPTIONS /v1/extract returned 402 instead of a CORS preflight response allowing payment retry headers.
  • P2: sampled 402 responses did not include Cache-Control: private, no-store.
  • P2: the public manifest currently uses "version":"1" and "network":"base"; if the target is current x402 v2 indexer compatibility, consider also emitting x402Version: 2 and CAIP-2 network eip155:8453.
  • P3: /.well-known/x402.json is live, but /.well-known/x402 returns 404. Adding the non-json alias would reduce discovery drift for agents/indexers that check both.

This is a public launch-readiness note only, not a security report.
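
The header checks behind the P1 and P2 notes above, written out as an added example that is not part of the thread or of x402-surface-check. `auditX402Surface` and the two sample responses are constructed for illustration, and treating any non-empty Access-Control-Expose-Headers value as sufficient is an assumption.

```javascript
// Added example: header audit for an x402 402 challenge and its CORS preflight.
// Header names come from the thread; the response objects below are constructed.
const RETRY_HEADERS = ["content-type", "x-payment", "payment-signature", "x-payment-signature"];

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

function auditX402Surface(challenge, preflight, origin) {
  const findings = [];
  const ch = normalize(challenge.headers);
  const pf = normalize(preflight.headers);
  const originOk = (h) => h["access-control-allow-origin"] === "*" ||
    h["access-control-allow-origin"] === origin;
  if (challenge.status !== 402) findings.push("paid route did not answer 402 to an unpaid request");
  if (!originOk(ch)) findings.push("P1: 402 lacks Access-Control-Allow-Origin");
  if (tokens(ch["access-control-expose-headers"]).length === 0)
    findings.push("P1: 402 exposes no payment headers");
  if (preflight.status < 200 || preflight.status > 299)
    findings.push(`P1: OPTIONS returned ${preflight.status}, not a preflight success`);
  const allowed = tokens(pf["access-control-allow-headers"]);
  const missing = RETRY_HEADERS.filter((h) => !allowed.includes(h) && !allowed.includes("*"));
  if (!originOk(pf) || missing.length) findings.push("P1: preflight does not allow payment retry headers");
  const cc = tokens(ch["cache-control"]);
  if (!cc.includes("private") || !cc.includes("no-store"))
    findings.push("P2: 402 lacks Cache-Control: private, no-store");
  return findings;
}

// Constructed samples modelled on the notes in this thread, not captured traffic.
const before = {
  challenge: { status: 402, headers: { "Content-Type": "application/json" } },
  preflight: { status: 402, headers: {} },
};
const after = {
  challenge: { status: 402, headers: { "Access-Control-Allow-Origin": "*",
    "Access-Control-Expose-Headers": "x-payment-response", "Cache-Control": "private, no-store" } },
  preflight: { status: 200, headers: { "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "content-type, x-payment, payment-signature, x-payment-signature" } },
};
console.log(auditX402Surface(before.challenge, before.preflight, "https://extract.dkta.dev"));
```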

@dkta0
Author

dkta0 commented May 25, 2026

Thanks for the thorough audit @TateLyman — all five items addressed, live on production now.

P1 (fixed): Added a CORS middleware scoped to /v1/extract and the discovery routes — all responses including 402s now include Access-Control-Allow-Origin: * and expose x-payment-response. Added an explicit OPTIONS /v1/extract handler that short-circuits before the payment gate and returns 200 with the correct preflight headers.

P2 (fixed): 402 responses now include Cache-Control: private, no-store via a writeHead hook (fires regardless of which send method x402-express uses internally). The /.well-known/x402.json manifest now also emits x402Version: 2 and caip2Network: "eip155:8453" alongside the existing fields.

P3 (fixed): /.well-known/x402 (no extension) now returns the same manifest as /.well-known/x402.json.
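
Added example, not dkta0's code or the x402-express API: a stand-in middleware pipeline showing why the CORS headers and the OPTIONS handler have to run before the payment gate. The middleware names, the `run` helper and the header-presence payment check are hypothetical, and Cache-Control is set inside the gate here rather than through a writeHead hook.

```javascript
// Added example: middleware order decides whether a browser can read the 402.
// A tiny pipeline stands in for Express (assumption); no real payment is verified.
const CORS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Expose-Headers": "x-payment-response",
};
const ALLOW_HEADERS = "content-type, x-payment, payment-signature, x-payment-signature";

// Each middleware returns res to end the request, or undefined to continue.
const cors = (req, res) => { Object.assign(res.headers, CORS); };
const preflight = (req, res) => {
  if (req.method !== "OPTIONS") return;
  res.headers["Access-Control-Allow-Methods"] = "GET, OPTIONS";
  res.headers["Access-Control-Allow-Headers"] = ALLOW_HEADERS; // fixed allow-list, not an echo
  res.status = 200;
  return res;
};
const paymentGate = (req, res) => {
  if (req.headers["x-payment"]) return; // placeholder: a real gate verifies the payment
  res.status = 402;
  res.headers["Cache-Control"] = "private, no-store";
  res.body = { error: "payment required" };
  return res;
};
const extract = (req, res) => { res.status = 200; res.body = "# markdown"; return res; };

function run(chain, req) {
  const res = { status: 0, headers: {}, body: null };
  for (const mw of chain) { if (mw(req, res)) return res; }
  return res;
}

// Assumed ordering that reproduces the P1 symptoms: the gate answers first.
const gateFirst = [paymentGate, cors, preflight, extract];
// Ordering described in the fix: CORS and preflight ahead of the gate.
const corsFirst = [cors, preflight, paymentGate, extract];

const unpaidGet = { method: "GET", headers: {} };
const options = { method: "OPTIONS", headers: {} };
console.log(run(gateFirst, options).status, run(corsFirst, options).status);
```

With `gateFirst`, the preflight and the unpaid GET both come back as a 402 with no CORS headers, which a browser client cannot read; with `corsFirst`, the preflight succeeds and the 402 carries both the CORS and the cache headers.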

@TateLyman

Verified the updated public surface with the same no-payment scope. I did not send payment headers, sign requests, or attempt paid calls.

Repro:

npx --yes x402-surface-check@latest https://extract.dkta.dev/openapi.json \
  --limit 8 \
  --origin https://extract.dkta.dev

npx --yes x402-surface-check@latest --endpoint --method GET \
  "https://extract.dkta.dev/v1/extract?url=https://example.com&format=markdown" \
  --origin https://extract.dkta.dev

curl -i -X OPTIONS \
  "https://extract.dkta.dev/v1/extract?url=https://example.com&format=markdown" \
  -H "Origin: https://extract.dkta.dev" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: content-type,x-payment,payment-signature,x-payment-signature"

Confirmed from the public probes:

  • /v1/extract now returns a structured 402 before execution with $0.001, base, and resource https://extract.dkta.dev/v1/extract.
  • Browser preflight for /v1/extract now returns 200 with Access-Control-Allow-Origin: * and payment headers allowed.
  • 402 responses now carry Cache-Control: private, no-store.
  • /.well-known/x402.json includes x402Version: 2 and caip2Network: eip155:8453.
  • /.well-known/x402 is live as well.

The only remaining note from the OpenAPI-wide scan is that /openapi.json and /docs are intentionally free 200s; that is fine if they are meant to be public discovery/docs routes. The paid route itself looks clean from this no-payment pass.


3 participants