v2026.4.11

What's Changed

Features

• Domain-based module routing — Introduced 14 domain categories and 38 question types with auto-generated cross-reference routing tables from module metadata. The server instructions now dynamically build a routing table so the LLM knows which tools to use for any question type.
• Expanded cross-reference routing — Added +38 routing hints across 21 modules, improving coverage for underserved question types like animal/vet drugs (3→5), tobacco/vaping (4→8), vehicle safety (3→5), and presidential comparison.
• --list-modules CLI flag — New flag with domain grouping and --json output for programmatic module discovery.
• ClinicalTrials.gov v2 overhaul — Expanded from 5 to 10 tools covering all API endpoints: metadata, enums, field values, field sizes, size stats, and geo-search. Added typed interfaces for all v2 response shapes.
• NHTSA enhancements — New tools and improved descriptions for vehicle recalls, complaints, safety ratings, VIN decoding, and car seat inspection stations.
• New analysis prompts — Added prompts for environmental justice, government contractors, water quality, and pharma pricing investigations.
• HTML entity decoding — Integrated he library for proper HTML entity decoding across DOJ News, GovInfo, Congress, and other modules with HTML content.

Security

• Patched 11 dependency vulnerabilities:
  • fast-xml-parser 5.4.1 → 5.5.11 (2 CVEs — entity expansion bypass)
  • hono 4.12.8 → 4.12.12 (5 CVEs — path traversal, cookie handling, IP matching, middleware bypass)
  • path-to-regexp 8.3.0 → 8.4.2 (2 ReDoS)
  • lodash-es 4.17.23 → 4.18.1 (prototype pollution + code injection)
  • picomatch 4.0.3 → 4.0.4 (method injection in POSIX character classes)
• FDA error detection — Added checkError() to the FDA SDK to catch API errors returned as 200-OK-with-error-body.

Tests

• Sandbox security test suite — 25 new tests validating WASM sandbox isolation: no filesystem/network/Node.js access, no state leakage between executions, timeout and memory limit enforcement, prototype pollution containment, and prompt injection resistance.
• Module structure & instructions tests — Enhanced validation for domains, cross-references, clear_cache dispatch, and instruction builder output.
• Total tests: 922 (up from ~600 in v2026.3.9)

Documentation

• Updated architecture guide with domain taxonomy and routing table documentation
• Improved getting-started and MCP usage guides
• Updated adding-modules guide with new metadata fields

Full Changelog: v2026.3.9...v2026.4.11

v2026.3.9

What's New in v2026.3.9

FDA Module Overhaul — 9 → 25 tools

Expanded FDA (OpenFDA) coverage from 8 endpoints to all 25 available endpoints across 8 categories:

• Drug: adverse events, labels, NDC directory, shortages, recalls, approvals
• Device: 510(k) clearances, classification, PMA, UDI, enforcement, registrations, recalls, COVID-19 serology
• Food: recalls, adverse events (CAERS)
• Animal/Veterinary: adverse event reports (1.3M+ records)
• Tobacco: problem reports (vaping/e-cigarette focus)
• Other: historical FDA documents (1913–2014), NSDE, substance data, UNII
• Generic fda_count tool — aggregate any endpoint by any field

Code Mode — WASM-Sandboxed Context Reduction

New code_mode tool that runs LLM-generated JavaScript against tool output in a QuickJS WASM sandbox. Only the script's output enters context — 98–100% reduction in benchmarks across 11 real-world scenarios. 10-second timeout, 64MB memory limit, no filesystem or network access.

Bug Fixes

• CFPB complaint_trends — Fixed HTTP 400: trend_interval was missing from the tool's parameter schema
• FBI API reliability — Increased retry count from 2 → 4 for the notoriously flaky FBI CDE gateway
• VitePress docs build — Fixed HTML tags in JSDoc (<html><body><pre>) breaking Vue compiler

Infrastructure

• CalVer versioning — Switched from SemVer to calendar-based versions (YYYY.M.D)
• Draft release workflow — Prepare Release creates a draft; publishing triggers npm + GitHub Packages
• CI hardened — Added permissions: contents: read, concurrency groups, paths-ignore for docs-only changes
• Dockerfile — Multi-stage build, tested with live API calls through HTTP Stream transport
• Mermaid diagrams — Added vitepress-plugin-mermaid for docs
• lastUpdated — Docs pages now show when they were last modified
• Glama integration — Added glama.json for MCP directory listing
• GitHub Sponsors — Added FUNDING.yml

Server Instructions

• Added code mode strategy guide (when to use, when not to, large-response tool hints)
• Updated routing table with new FDA tools, added DRUG SHORTAGES, ANIMAL/VET, TOBACCO/VAPING, and FDA SUBSTANCE routes
• Updated drug_safety and drug_pipeline prompts with new FDA tools

Meta

• New src/apis/fda/types.ts — 25 TypeScript interfaces, shared annotation types, endpoint constants
• FDA meta.ts updated with 25 doc links, auth config, rate limit details
• Updated README with features section, example prompts, Claude Desktop config

Full Changelog: v1.1.0...v2026.3.9

v1.1.0

v1.1.0 — Co-located Modules, VitePress Docs & Typed Contracts

🏗️ Architecture

• Co-located API modules — Each API is now a self-contained folder (src/apis/{name}/) with sdk.ts, meta.ts, tools.ts, prompts.ts, and index.ts. No more split across src/sdk/ and src/modules/.
• Auto-discovery — server.ts dynamically discovers API modules at startup. Adding a new API = create a folder, no wiring needed.
• Typed module contracts — New ModuleMeta and ApiModule interfaces in shared/types.ts with satisfies checks. Compile-time enforcement of module shape.
• Standardized responses — Refactored all modules to use shared response helpers (tableResponse, timeseriesResponse, listResponse, recordResponse), reducing token usage.

📚 Documentation

• VitePress docs site replacing Jekyll — full sidebar navigation, dark mode, search
• Auto-generated pages — Tools, Data Sources, API Keys, and homepage all generated from compiled module metadata
• TypeDoc API reference integrated into docs with all SDK function signatures, types, and constants
• Showcase analyses — Worst-case/best-case impact, presidential scorecard, deficit comparison migrated to docs

🔧 SDK Improvements

• BEA — New dataset discovery and detailed data retrieval tools (NIPA, Regional, GDPbyIndustry, ITA, IIP, MNE, FixedAssets, InputOutput, and more)
• EIA — Pagination support with offset and length limits
• Congress — Updated SDK to match Congress.gov API v3 Swagger schema
• FBI — Rewritten for new CDE API with enum validation
• DOJ News — New module with press releases and blog entries
• NIH RePORTER — New module and SDK integration
• CFPB — New complaint endpoints and improved API execution
• NAEP — Improved API execution and capabilities
• BLS — Merged duplicate constants (cpiSeries, industrySeries)
• FEC — Lookup constants moved to SDK with as const for TypeDoc visibility
• Token bucket rate limiter — FIFO fairness with batch release

🔒 Security

• Hono CVEs fixed — Upgraded transitive dependency to resolve SSE injection, cookie injection, and file access vulnerabilities
• HTTP transport — Now binds to 127.0.0.1 by default (localhost only). Set MCP_HOST=0.0.0.0 for external access.

⚡ Performance

• MCP instructions compressed — Cross-referencing guide reduced from ~12K to ~2K tokens (83% reduction) with no loss of routing knowledge

🧹 Housekeeping

• Issue and PR templates for better contribution guidelines
• Module structure validation tests (713 tests passing)
• engines: { node: ">=18.0.0" } in package.json
• README badges (npm version, downloads, license)
• Cleaned up 28 duplicate helper functions, unused imports, stale comments across all modules

Full Changelog: v1.0.1...v1.1.0