
feat: add Jorkal NFT Data API to ecosystem #164

Open
jorkal-crypto wants to merge 2 commits into coinbase:main from jorkal-crypto:add-jorkal-nft-api



@jorkal-crypto

Adds Jorkal NFT Data API to the x402 ecosystem directory.

API: https://vercel-deploy-alpha-puce.vercel.app

Pay-per-request Solana NFT market data — floor prices, active listings, collection stats, and wallet NFTs. Payments via USDC on Base mainnet (eip155:8453).

Note: logo is a placeholder — happy to replace with a proper logo if required.

@cb-heimdall

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2

@TateLyman

Ran a no-payment external pass against the public Jorkal surface. No payment headers or paid calls were sent.

Repro:

npx --yes x402-surface-check@latest https://vercel-deploy-alpha-puce.vercel.app/openapi.json --limit 8 --origin https://vercel-deploy-alpha-puce.vercel.app
curl -i https://vercel-deploy-alpha-puce.vercel.app/.well-known/x402
curl -i -X OPTIONS https://vercel-deploy-alpha-puce.vercel.app/floor/degods \
  -H "Origin: https://vercel-deploy-alpha-puce.vercel.app" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: x-payment,content-type,authorization"

What looks good:

  • /.well-known/x402, /openapi.json, and /llms.txt are public and machine-readable.
  • All 8 sampled OpenAPI GET routes returned structured 402 challenges before execution.
  • Browser preflight returns 204 with Access-Control-Allow-Origin: *, Access-Control-Allow-Methods: GET, OPTIONS, and Access-Control-Allow-Headers: x-payment, content-type, authorization.
  • Observed challenge prices match the docs range ($0.001 to $0.010) and the live rail is Base mainnet USDC (eip155:8453, 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913).
  • The challenge top-level resource.url matched the charged URL in the sampled routes.

Patch notes before/after merge:

  • P2: the paid 402 responses currently send Cache-Control: public, max-age=0, must-revalidate. For payment challenges, I would switch these to no-store/private or otherwise bypass shared caches so a challenge cannot be replayed from an intermediary cache boundary.
  • P2: the accepts[] entries do not repeat the canonical resource URL. The top-level resource.url is present, but mirroring the charged URL into each accept leg or documenting the top-level field as the authoritative binding makes wallet spend maps/replay checks easier.
  • P3: the OpenAPI paths are concrete examples such as /floor/degods while also declaring path parameters like symbol. If the intent is arbitrary collection symbols/wallets, templated paths such as /floor/{symbol} and /wallet/{address}/nfts will work better for client generators.

I did not send X-PAYMENT, sign any request, or attempt a paid call.
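
An added example, not part of the comment above and not Jorkal or x402 project code: a small offline check for the two P2 points (cache directives on the 402 and resource binding in each accepts[] entry). The captures are constructed, the host is a placeholder, and `resource` inside an accepts entry is an assumed field name for the mirrored URL.

```javascript
// Constructed captures (not real traffic). resource.url and accepts[] are the fields
// named in the review; `resource` inside an accepts entry is an assumed field name.
const URL_REQ = "https://api.example.test/floor/degods";
const observed = {
  requestedUrl: URL_REQ, status: 402,
  headers: { "Cache-Control": "public, max-age=0, must-revalidate" },
  body: { resource: { url: URL_REQ }, accepts: [{ network: "eip155:8453" }] },
};
const hardened = {
  requestedUrl: URL_REQ, status: 402,
  headers: { "Cache-Control": "no-store" },
  body: { resource: { url: URL_REQ }, accepts: [{ network: "eip155:8453", resource: URL_REQ }] },
};

// Look up a header case-insensitively.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]) : "";
}

// Split a Cache-Control value into a set of lowercase directive names.
function directives(value) {
  return new Set(value.split(",").map((d) => d.trim().split("=")[0].toLowerCase()).filter(Boolean));
}

// Return findings for one captured 402 challenge; an empty array means clean.
function auditChallenge({ requestedUrl, status, headers, body }) {
  if (status !== 402) return ["not-a-402"];
  const findings = [];
  const cc = directives(header(headers, "cache-control"));
  // The review asks for no-store or private on payment challenges.
  if (!cc.has("no-store") && !cc.has("private")) findings.push("cache-not-restricted");
  const top = body?.resource?.url;
  if (!top) findings.push("no-top-level-resource");
  else if (top !== requestedUrl) findings.push("resource-mismatch");
  const accepts = Array.isArray(body?.accepts) ? body.accepts : [];
  if (accepts.length === 0) findings.push("no-accepts");
  accepts.forEach((leg, i) => {
    if (!leg.resource) findings.push(`accepts[${i}]-missing-resource`);
    else if (leg.resource !== requestedUrl) findings.push(`accepts[${i}]-resource-mismatch`);
  });
  return findings;
}

console.log(auditChallenge(observed), auditChallenge(hardened));
```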
