Changelog

March 9, 2026

Atomic usage tracking — Rate limits are now enforced atomically at the database level. Concurrent requests can no longer bypass monthly quotas.
Input validation — All filter parameters (section, result, device, quality, page_type) are now validated against allowlists. Invalid values return a clear error message instead of being passed to the database.
IP rate limiting — Added a global rate limit of 30 requests per minute per IP address, applied before any database calls. Protects against brute-force key guessing and abuse.
Non-root container — The Docker container now runs as a non-root user (appuser).
CORS origins — Restricted allowed origins to known clients (claude.ai, testlibrary.klickstark.de) while keeping wildcard for MCP desktop clients that don't send Origin headers.

Launched this documentation site (VitePress).
Setup guides for Claude Desktop, Claude Code, Cursor, ChatGPT, and custom MCP clients.
Full tools reference with parameters, example prompts, and output formats.
REST API docs with curl examples for non-MCP integrations.

Deployed the MCP server to Railway with Streamable HTTP transport.
API key authentication with SHA-256 hashing — keys are never stored in plain text.
Per-user monthly usage tracking and plan-based limits.
Health check endpoint at /health.
Server URL: https://mcp-server-production-c654.up.railway.app/mcp

1,600+ A/B test results from 23 sources.
7 MCP tools: keyword search, semantic search, section insights, patterns, test details, wireframe briefs, statistics.
Supabase backend with full-text search (PostgreSQL) and semantic search (pgvector embeddings).
Published on PyPI as ab-test-kb-mcp for local stdio usage.