Skip to content

v3.7.0 — bootstrap-channel handling and audit logging

Choose a tag to compare

View all tags
@vsits-proxy-builder vsits-proxy-builder released this 26 May 01:13
· 53 commits to main since this release
v3.7.0
f259f4f

Bootstrap-channel handling and audit logging. Adds explicit handling for Claude Code v2.1.150's /api/claude_cli/bootstrap endpoint, with local audit logging at ~/.claude/cache-fix-bootstrap-log.jsonl (5 MB cap, .1 rotation). Forward-compatible record fields land the schema v3.8.0's anomaly-detection extension will populate.

Behavior change for existing cache-fix users

Prior versions returned 404 for any Anthropic API path other than /v1/messages and /health, so bootstrap-section content was not previously reaching CC for cache-fix users. v3.7.0 default mode is audit: bootstrap responses now proxy through to CC and are logged locally for inspection.

Users who want to preserve v3.6.2's de-facto block behavior should set CACHE_FIX_BOOTSTRAP_MODE=block in the proxy environment, which short-circuits the upstream call and returns a 200 with an empty JSON body. The block event itself is still logged — auditability of blocks matters more than log volume.

Background

CC v2.1.150 added a prompt-section consumer (nAA() / heron_brook) that reads server-supplied strings from /api/claude_cli/bootstrap and merges them into the agent's behavioral-instructions prompt. We filed the behavior with Anthropic via HackerOne VDP on 2026-05-25; the report was closed as Informative on 2026-05-26, with Anthropic treating TLS as the transport-integrity boundary and declining to add application-layer authenticity checks. v3.7.0 gives cache-fix users local visibility into bootstrap-channel content (audit mode) and an opt-in path to drop it (block mode).

Full disposition record: docs/disclosure/heron-brook-2026-05.md. Wire-level reproducer: cnighswonger/heron-brook-poc.

Also changed

  • tools/quota-statusline.sh: autoselect d/h vs h/m time format, unified burn-warmup gate (#143). Durations ≥ 1 day render as Nd Hh; below a day, Hh Mm. Burn-rate warmup is now a unified 5-minute gate for both Q5h and Q7d. Contributed by @schuay — thank you.

Tests

831 → 850 (+20): bootstrap-defense unit suite, proxy-server bootstrap integration, and a new 300s warmup-gate pin closing a contract gap in the statusline suite.

Upgrade

npm install -g claude-code-cache-fix@3.7.0

No-op for existing users on the default audit mode; opt into block by setting CACHE_FIX_BOOTSTRAP_MODE=block in the proxy environment before restart.

Assets 2
Loading