On April 25, 2026, a Claude Max 20x subscriber opened GitHub issue #53262 against anthropics/claude-code. The issue's author, sasha-id, had spent $200.98 on extra-usage credits over a billing cycle while the dashboard kept reporting that 86% of his weekly Max-plan capacity was untouched. The plan was paying for itself; the bill was not. After cloning affected repositories, testing orphan branches, and isolating individual commit messages until one stuck, sasha-id identified the trigger: a single case-sensitive string, HERMES.md, present anywhere in a recent commit message, was rerouting Claude Code's API requests off the included plan quota and onto pay-as-you-go extra usage.
The story hit Hacker News on April 29 and accumulated 1218 points and 512 comments, mostly arguing about the support-team response sasha-id had pasted into the issue. That argument is interesting; it is not the article. The article is the mechanism that produced the bill in the first place — a mechanism Anthropic has now publicly named, which has structural implications for how Pro and Max plan subscribers should think about the cost of an API call.
The minimal repro
Sasha-id's reproduction is six lines of bash and requires no project files. From the issue body:
```bash
# This FAILS with "out of extra usage" (routes to extra usage billing)
mkdir /tmp/test-fail && cd /tmp/test-fail
git init && echo test > test.txt && git add . && git commit -m "add HERMES.md"
claude -p "say hello" --model "claude-opus-4-6[1m]"
# => API Error: 400 "You're out of extra usage..."
```
A control branch with the lowercase string hermes.md returns Hello! and bills against the plan quota normally. The trigger is the case-sensitive string HERMES.md in the commit message itself, not the presence of any file with that name on disk. A file named HERMES.md with a clean commit message works. An orphan branch with no history works. The classifier is case-sensitive, content-bound, and reading recent commit messages.
That last point is the load-bearing one.
What HERMES is, and why the classifier looks for it
HERMES is, per public documentation of the incident, a reference to Hermes Agent: an open-source self-improving AI agent built by Nous Research that uses Claude as one of its underlying models. It is, in Anthropic's billing taxonomy, a third-party harness — software that wraps Claude API calls but is not Anthropic's own first-party Claude Code client.
The reason a classifier was looking for the string HERMES.md at all is that on April 4, 2026, Anthropic introduced a policy change restricting Claude Pro and Max subscribers from running their flat-rate plan quota through third-party agentic tools. Anthropic's Head of Claude Code, Boris Cherny, explained on X — quoted in public reporting on the policy — that the company's subscriptions were not built for the usage patterns of these third-party tools, and that the policy applies to all third-party harnesses and would be rolled out further. Pro and Max subscribers running third-party harnesses would, going forward, see those harnesses' usage routed to pay-as-you-go extra-usage billing rather than the included plan quota.
The implementation question — how does the API actually decide which client harness made a given request — is where the HERMES.md case lives. A Claude Code engineer at Anthropic, reported on across multiple outlets covering the bug, described it precisely: "this was a bug with the 3rd party harness detection and how we pull git status into the system prompt". Claude Code includes recent git status output in the agent's system prompt, to ground the agent in repository state. The third-party-harness classifier was reading the system prompt and string-matching against known harness names. When it saw HERMES.md in a commit message, it concluded the user was running Hermes Agent and routed accordingly. The string had no relationship to actual harness use; the classifier had no way to know that.
The trigger surface
The repro table sasha-id published in the GitHub issue is the cleanest available map of what does and doesn't trip the classifier, and it is worth reading carefully. The table below combines those rows with one earlier published case, the OpenClaw string covered in the previously-published Claude Code String Matcher Billing piece, which produced refusals rather than billing rerouting but appears to be in the same classifier family.
| Commit-message string | Effect | Mechanism (per Anthropic and reporting) | Source |
|---|---|---|---|
| HERMES.md (case-sensitive) | Routes to extra-usage billing | 3rd-party harness detection, classifier read of git status in system prompt | GitHub #53262 |
| OpenClaw | Refusal or extra-usage routing | Same family of classifier, different effect | HN 47963204; previously covered |
| hermes.md (lowercase) | Works | Classifier is case-sensitive | GitHub #53262 |
| HERMES.txt | Works | Extension matters; only .md triggers | GitHub #53262 |
| AGENTS.md | Works | First-party convention, not a third-party signal | GitHub #53262 |
| README.md | Works | Generic, not a classifier signal | GitHub #53262 |
| File on disk named HERMES.md, clean commit message | Works | Trigger is commit-message content, not file presence | GitHub #53262 |
| Orphan branch with no history | Works | No git status content reaches the system prompt | GitHub #53262 |
The pattern is uniform: the classifier reads system-prompt content character-for-character, case-sensitively, looking for known harness names. Each row in the table is a known-good trigger identified by sasha-id; the table is necessarily incomplete, because Anthropic has not published the full list of strings the classifier flags. The two strings publicly known to be on the list, HERMES.md and OpenClaw, were both surfaced by user binary-search after billing or refusal effects became impossible to ignore.
Mitigation, until the architecture changes
The right operator response to this class of problem, until the routing decision is made deterministic on the client, is to scan recent commits for known triggers and warn the operator before the request hits the wire. A hook-and-audit script that does both:

```bash
#!/usr/bin/env bash
# audit-and-block: warn on known classifier triggers in commit messages.
# Install as .git/hooks/commit-msg (git passes the message file as $1;
# pre-commit runs before the message exists), or run periodically in CI.
set -euo pipefail

# Currently-known classifier triggers (case-sensitive).
TRIGGERS=( "HERMES.md" "OpenClaw" )

# Audit recent history. --fixed-strings keeps "." literal, not a regex wildcard.
since="${SINCE:-30 days ago}"
for t in "${TRIGGERS[@]}"; do
  hits=$(git log --since="$since" --fixed-strings --grep="$t" --oneline || true)
  if [ -n "$hits" ]; then
    echo "WARN: '$t' in recent commits:"
    echo "$hits"
  fi
done

# Block this commit if message contains any trigger.
msg_file="${1:-.git/COMMIT_EDITMSG}"
[ -f "$msg_file" ] || exit 0
for t in "${TRIGGERS[@]}"; do
  if grep -F -q -- "$t" "$msg_file"; then
    echo "ERROR: commit message contains '$t' (Claude Code billing trigger)" >&2
    exit 1
  fi
done
exit 0
```
The script is intentionally conservative: it warns on past commits (which the user cannot rewrite without disrupting collaborators) and blocks new commits (which the user can still alter). The list of triggers will grow as more become public; the maintenance cost is non-zero, and it is paid by the operator, not the vendor.
The support subplot
The HN argument that drew most of the comments was about the support response sasha-id pasted into the issue, which declared that Anthropic was "unable to issue compensation for degraded service or technical errors that result in incorrect billing routing." An Anthropic employee posting from a throwaway account on the HN thread confirmed the support text was Claude-generated. After the issue went viral, Thariq announced full refunds and matching extra-usage credits to all affected users, in a public post on X and a follow-up GitHub comment. The HN thread's testimony, including gift-card subscriptions billed to bouncing email addresses, random small-amount invoices, and accounts suspended on first sign-up, suggests this is not the only billing surface where machine-generated support is operating without operator override.
The interesting structural fact is that the support-LLM and the billing-routing classifier are two failure modes of the same architecture choice: content-based machine classification with no first-class manual-override path. The fix to the HERMES.md bug, deployed within days, was to refine the classifier to ignore the trigger when it appeared only in commit messages. The fix to the support-response problem was to wait until HN front-paged it. Neither fix changes the architecture.
What this is
For finops purposes, the HERMES.md case is a small line item. For architecture purposes, it is more interesting than the dollar amount suggests. Plan-tier enforcement via classification of system-prompt content means the routing decision for an API call is no longer a property of the call itself; it is a property of what the user-controllable system-prompt contents look like to the classifier on the day the call is made. The cost of an operation is therefore non-deterministic on the client side. This is uncacheable cost variance, the kind of property that finops dashboards cannot model and capacity-planning meetings cannot quantify. The diagnostic for an enterprise customer is whether the classifier produces stable bills across identical workloads on different repositories. The HERMES.md case answers that question in the negative.
The fix is to move third-party-harness gating to a more stable signal than user-controllable system-prompt content — client identity, request signing, or explicit toggle on the account. The fix is not, on the evidence, to keep the classifier and add more strings to it. The next case in this family will not be HERMES.md.
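The contrast argued above, as an added example (not Anthropic's code and not from the original article): a content-based router that substring-matches the system prompt, next to a router keyed on a verified client identity. The client registry, secrets, route names and prompt layout are all constructed assumptions; a shared-secret HMAC stands in for whatever request-signing scheme a real deployment would use.

```python
import hashlib
import hmac

# The two strings the article names as publicly known classifier triggers.
KNOWN_HARNESS_STRINGS = ("HERMES.md", "OpenClaw")

# Hypothetical registry (constructed): client id -> (secret, billing route).
CLIENTS = {
    "first-party-cli": (b"constructed-secret-a", "plan_quota"),
    "third-party-harness": (b"constructed-secret-b", "extra_usage"),
}


def build_prompt(commit_subject: str) -> str:
    """Constructed stand-in for a system prompt that embeds recent git state."""
    return f"You are a coding agent.\nRecent commits:\nabc1234 {commit_subject}\n"


def route_by_content(system_prompt: str) -> str:
    """Content-based routing: case-sensitive substring match on the prompt."""
    if any(s in system_prompt for s in KNOWN_HARNESS_STRINGS):
        return "extra_usage"
    return "plan_quota"


def _mac(secret: bytes, client_id: str, body: bytes) -> str:
    return hmac.new(secret, client_id.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def sign_request(client_id: str, body: bytes) -> str:
    """Client side: authenticate the request as coming from client_id."""
    return _mac(CLIENTS[client_id][0], client_id, body)


def route_by_identity(client_id: str, body: bytes, signature: str) -> str:
    """Server side: route on verified identity; never inspects prompt text."""
    if client_id not in CLIENTS:
        return "rejected"
    secret, route = CLIENTS[client_id]
    if not hmac.compare_digest(_mac(secret, client_id, body), signature):
        return "rejected"
    return route


if __name__ == "__main__":
    for subject in ("add HERMES.md", "add hermes.md", "add HERMES.txt"):
        body = build_prompt(subject).encode()
        sig = sign_request("first-party-cli", body)
        print(subject, route_by_content(body.decode()),
              route_by_identity("first-party-cli", body, sig))
```

With identity-based routing, the same first-party request bills identically whatever its commit history says; only the content-based router changes its answer between the three commit subjects.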