v3.7.1 — bootstrap-defense extended to env-var-selected GrowthBook surface

@vsits-proxy-builder vsits-proxy-builder released this 28 May 01:41
· 48 commits to main since this release

Summary

Cache-fix v3.7.1 extends bootstrap-defense to cover a new prompt-injection surface that landed in Claude Code v2.1.152. v3.7.0 audited the original tengu_heron_brook channel; v3.7.1 also audits the env-var-selected GrowthBook surface (CLAUDE_CODE_SYSTEM_PROMPT_GB_FEATURE) that activates in remote-control mode, closing the coverage gap for the same threat class.

Default behavior is unchanged from v3.7.0. Existing users running bootstrap-defense in audit mode get expanded coverage on upgrade — no new behavior class, no opt-out required. Two new opt-in capabilities ship alongside for security-forward operators.

This is a maintenance-mode patch release under the security-extension carve-out formalized this release: same feature, same threat class, defaults unchanged, directive-endorsed scope.

What's new

New audit-log fields (schema v1 → v2). Each ~/.claude/cache-fix-bootstrap-log.jsonl record now carries:

  • surface — which consumer pattern fired ("bootstrap" for legacy tengu_heron_brook, "prompt_injection_gb" for env-var-selected key)
  • prompt_key — the GrowthBook key read as prompt source (or null)
  • prompt_value_hash — SHA-256 of the flag value, first 16 hex chars (never the value itself; PII discipline preserved)
  • remote_mode — whether CLAUDE_CODE_REMOTE is set
  • stripped_keys — keys removed from the response in allowlist mode ([] otherwise)

Multi-surface responses (e.g. both the legacy key and the env-var-selected key present) emit one record per detected surface, correlated by shared request_id + timestamp window. v1 record readers are unaffected — all v1 fields remain unchanged.
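A triage pass over the v2 audit records described above, as an added example that is not part of the project's code. The field names come from the list above; the sample records, the key name example_gb_key and the known-good hash set are constructed, and treating a record without a surface field as a v1 record is an assumption. It groups on request_id only, since the notes do not name the timestamp field.

```javascript
// Added example, not project code. Field names (request_id, surface, prompt_key,
// prompt_value_hash, remote_mode, stripped_keys) are from the release notes;
// every record below is constructed, including the key name example_gb_key.
const SAMPLE_LOG = [
  '{"request_id":"req-1","surface":"bootstrap","prompt_key":"tengu_heron_brook","prompt_value_hash":"1111111111111111","remote_mode":false,"stripped_keys":[]}',
  '{"request_id":"req-2","surface":"bootstrap","prompt_key":"tengu_heron_brook","prompt_value_hash":"1111111111111111","remote_mode":true,"stripped_keys":[]}',
  '{"request_id":"req-2","surface":"prompt_injection_gb","prompt_key":"example_gb_key","prompt_value_hash":"2222222222222222","remote_mode":true,"stripped_keys":[]}',
  '{"request_id":"req-3"}', // trimmed v1-style record: no v2 fields
  '{"request_id":"req-4","surface":"prompt_injection_gb","prompt_key":"example_gb_key","prompt_value_hash":"2222222222222222","remote_mode":true,"stripped_keys":["example_gb_key"]}',
  '{"request_id":"req-5","surf', // truncated write, must not abort the run
].join('\n');

// Groups records by request_id (multi-surface responses emit one record per
// surface) and flags what an operator would want to review.
function triageAuditLog(text, knownGoodHashes = new Set()) {
  const requests = new Map();
  let malformed = 0;
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { malformed++; continue; }
    if (rec === null || typeof rec !== 'object') { malformed++; continue; }
    const id = rec.request_id ?? '(no request_id)';
    const entry = requests.get(id) ?? { surfaces: [], findings: [] };
    requests.set(id, entry);
    // Assumption: a record without `surface` predates schema v2.
    const surface = rec.surface ?? 'v1-record';
    entry.surfaces.push(surface);
    if (surface === 'prompt_injection_gb') {
      entry.findings.push(`env-var-selected prompt key ${rec.prompt_key} (remote_mode=${rec.remote_mode})`);
    }
    // Only the truncated hash is logged, so review works on hashes the
    // operator has already vetted, never on the prompt text itself.
    if (rec.prompt_value_hash && !knownGoodHashes.has(rec.prompt_value_hash)) {
      entry.findings.push(`unreviewed prompt value hash ${rec.prompt_value_hash} on ${surface}`);
    }
    if (Array.isArray(rec.stripped_keys) && rec.stripped_keys.length > 0) {
      entry.findings.push(`allowlist mode stripped: ${rec.stripped_keys.join(', ')}`);
    }
  }
  const flagged = [...requests]
    .filter(([, e]) => e.findings.length > 0)
    .map(([request_id, e]) => ({ request_id, ...e }));
  return { total: requests.size, malformed, flagged };
}

console.log(JSON.stringify(triageAuditLog(SAMPLE_LOG, new Set(['1111111111111111'])), null, 2));
```

To run it against a real log, pass the contents of ~/.claude/cache-fix-bootstrap-log.jsonl as text, with the hashes already reviewed as the second argument.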

New allowlist mode, alongside the existing audit (default) and block modes. It strips non-allowlisted prompt-source-eligible keys from the bootstrap response body before it reaches Claude Code (CC). Opt-in via:

export CACHE_FIX_BOOTSTRAP_MODE=allowlist
# default allowlist is ["tengu_heron_brook"]; configure with:
export CACHE_FIX_BOOTSTRAP_ALLOWED_KEYS=tengu_heron_brook,my_other_legit_key
# or explicit empty for deny-all:
export CACHE_FIX_BOOTSTRAP_ALLOWED_KEYS=

Other GrowthBook flag keys in the response pass through untouched — allowlist mode only filters prompt-source-eligible keys. Marked experimental because Anthropic could add new legitimate prompt-source keys in future CC releases that would need allowlist updates.

Upgrade

npm install -g claude-code-cache-fix@3.7.1

No config changes required for the default audit mode. Existing CACHE_FIX_BOOTSTRAP_MODE=block users get unchanged block semantics (empty 200 from onRequest, no flag map reaches the on-disk GrowthBook cache).

Out of scope (deferred to a later release)

  • Stale on-disk GrowthBook cache reuse. If CC reads a flag value cached from a prior bootstrap fetch that didn't pass through this proxy run, v3.7.1 will not emit a fresh audit record for that session. Users wanting belt-and-suspenders here should run block or allowlist mode — both prevent new injection-class keys from reaching the on-disk cache going forward.
  • Granular block mode (parse → strip-specific-keys → re-serialize as the default block behavior). allowlist mode is the granular-strip path for v3.7.1; the existing empty-200 block contract is preserved unchanged.
  • Content-pattern key filtering. Current allowlist is key-name-only.

Validation

  • Tests: 850 → 871 (+21), full suite green on the tagged commit
  • Docker smoke test (docs/release-tests/v3.7.1-docker-smoke-2026-05-27.md) — five-section verdict GREEN against node:22-alpine
  • Codex cross-LLM review approved at the release HEAD under the amended workflow

References