When enterprises approve an AI coding agent, they typically start with two questions. First, will source code leak. Second, will the agent run commands recklessly. The former can be mitigated through commercial APIs, data-not-for-training terms, and DLP gateways; the latter through permission prompts, sandboxing, and code review. Now there is a third question: who controls the agent’s instruction layer?
Two recent threads have pushed this question into the open. One comes from thereallo.dev’s reverse engineering of Claude Code 2.1.196: when conditions like China timezone and unofficial endpoint are both satisfied, the client embeds a weak visible marker into the date string of the system prompt. The other comes from GitHub issue #62061: Claude Code once had a mechanism for reading additional system prompt from server-side configuration.
These two threads make the third question concrete. Claude Code is not an editor plugin that only provides completion suggestions. It can read codebases, modify files, run shell commands, invoke Git, connect to MCP tools, and potentially access local credentials and internal network resources. When enterprises place it into their development environments, they are effectively onboarding a privileged development runtime.
In this incident, geo-identification and account bans are indeed real risks. Users who rely on unofficial endpoints, enterprise gateways, transit proxies, resale services, and China-related model services in particular face concerns about account risk control and sudden workflow interruptions. However, the deeper issue lies in enterprise control plane and audit. If part of the context window and policy layer of a high-privilege agent can be remotely changed by a closed-source vendor, and enterprises by default cannot see what has changed, this goes beyond the usual account-ban problem and becomes a question of control over the development environment.
Security researcher thereallo.dev disclosed in Claude Code Is Steganographically Marking Requests that he reverse-engineered the Claude Code 2.1.196 binary and found that the client modifies the date string in the system prompt under specific conditions.
The logic revealed in the reverse-engineered snippet is more nuanced than a blanket timezone check. The process begins exclusively when a custom ANTHROPIC_BASE_URL (pointing to an endpoint other than the official api.anthropic.com) is set. Once a custom endpoint is active, the classifier evaluates the system timezone and the target host against a list of known domains and AI lab keywords. A China timezone alone, without a custom endpoint configuration, produces no mark whatsoever.
This classification mechanism is encoded covertly by modifying the "Today's date is YYYY-MM-DD." line inside the system prompt:

| Classification Condition | Date Separator | Apostrophe in Today's | Unicode Character |
|---|---|---|---|
| Default: official endpoint or no known / lab match | - | Standard apostrophe ' | ASCII U+0027 |
| Custom endpoint + known domain | - | Right single quotation mark ’ | U+2019 |
| Custom endpoint + lab keyword | - | Modifier letter apostrophe ʼ | U+02BC |
| Custom endpoint + both known and lab match | - | Modifier letter prime ʹ | U+02B9 |
| Custom endpoint + China timezone (Asia/Shanghai or Asia/Urumqi) | / | Determined by the known / lab condition above | - |
In this encoding, changing the date separator from - to / (e.g., from 2026-06-30 to 2026/06/30) explicitly flags the China timezones. Meanwhile, the four visually similar Unicode variants of the apostrophe serve to fingerprint the classification of the endpoint.
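Because the marker lives inside an ordinary-looking prompt line, an audit gateway or log pipeline that captures system prompts can decode it directly. The following detector is an added example written for this article, not code from thereallo.dev's disclosure or from Anthropic; it implements the table above (the four apostrophe code points and the hyphen/slash separator) and runs over a constructed set of captured prompts.

```python
import re
import unicodedata

# Apostrophe variants from the disclosure, keyed by code point and mapped to
# the endpoint classification the table says they encode.
APOSTROPHE_CLASS = {
    "\u0027": "default (official endpoint or no known/lab match)",
    "\u2019": "custom endpoint + known domain",
    "\u02bc": "custom endpoint + lab keyword",
    "\u02b9": "custom endpoint + known domain and lab keyword",
}

# Matches the "Today's date is YYYY-MM-DD." line whatever apostrophe or
# separator variant is present; the separator must be consistent within the date.
DATE_LINE = re.compile(
    r"Today(?P<apos>[^\s])s date is "
    r"(?P<y>\d{4})(?P<sep>[-/])(?P<m>\d{2})(?P=sep)(?P<d>\d{2})\."
)


def classify_date_line(system_prompt: str):
    """Decode the marker carried by the date line, or return None if no such line."""
    m = DATE_LINE.search(system_prompt)
    if m is None:
        return None
    apos, sep = m.group("apos"), m.group("sep")
    return {
        "date": f"{m.group('y')}-{m.group('m')}-{m.group('d')}",
        "apostrophe_codepoint": f"U+{ord(apos):04X}",
        "apostrophe_name": unicodedata.name(apos, "UNKNOWN"),
        "endpoint_class": APOSTROPHE_CLASS.get(apos, "unrecognized variant"),
        "china_timezone_flag": sep == "/",
        # Anything other than ASCII apostrophe plus hyphen separator is a marker.
        "marked": sep == "/" or apos != "\u0027",
    }


def scan_prompts(records):
    """Return (request_id, decoding) for every captured prompt that carries a marker."""
    findings = []
    for request_id, prompt in records:
        result = classify_date_line(prompt)
        if result and result["marked"]:
            findings.append((request_id, result))
    return findings


# Constructed sample: three system prompts as an audit gateway might have logged them.
SAMPLE_PROMPTS = [
    ("req-001", "You are Claude Code.\nToday's date is 2026-06-30.\n"),
    ("req-002", "You are Claude Code.\nToday\u2019s date is 2026/06/30.\n"),
    ("req-003", "You are Claude Code.\nToday\u02bcs date is 2026-06-30.\n"),
]

if __name__ == "__main__":
    for request_id, finding in scan_prompts(SAMPLE_PROMPTS):
        print(request_id, finding)
```

Reporting the code point rather than the glyph matters in practice: the four apostrophes render almost identically in most log viewers, so a string comparison on the raw line is the only reliable way to tell them apart.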
thereallo also published an accompanying cc-domains.js list. The list contains 147 known domains and 11 lab keywords. The keywords include deepseek, moonshot, minimax, xaminim, zhipu, bigmodel, baichuan, stepfun, 01ai, dashscope, and volces. The domain categories include identifiers related to Chinese companies and services such as alibaba, alipay, antgroup, baidu, netease, and sankuai.
Crucially, this mechanism does not establish an extra network exfiltration channel, nor does it present any remote code execution risk. It functions entirely as an in-place, prompt-level steganographic fingerprint embedded directly into the system prompt. While not officially acknowledged by Anthropic, this is precisely what enterprise security teams must pay attention to: it does not append an obvious request field or trigger a permission dialog. Instead, it weaves environment classification directly into a standard system prompt line. To the model, it is part of the context; to most enterprise log audits, these tiny textual variations are easily overlooked as noise.
So there is no need to beat around the bush. The trigger conditions and lists disclosed by thereallo are clearly designed around China timezones, China-related endpoints, Chinese AI labs, and transit/resale scenarios. For Chinese users, this is not “overthinking”—it is a tangible usage risk. Customizing ANTHROPIC_BASE_URL in itself does not constitute abuse. Alibaba Cloud’s Model Studio documentation and Ask Sage’s Claude Code integration documentation both treat it as a standard integration approach. Enterprise gateways, regionalized services, and compliance proxies may all require changing the base URL.
What is most easily independently verifiable from this disclosure is the binary identity: @anthropic-ai/claude-code@2.1.196 does exist on npm with a darwin-arm64 platform package; the downloaded binary’s SHA256 matches what thereallo published in the original article; the macOS signature is valid with TeamIdentifier=Q6L2SF6YDW. This at least indicates that the controversy points to an officially signed and distributed Anthropic client, not a dubious third-party repackage.
This has drawn substantial discussion on Hacker News. The community debate is focused: vendors have commercial motives for client-side marking to counter resellers, anti-resale, and anti-distillation; but embedding markers using an obfuscated list and invisible characters in the system prompt crosses the transparency expectations many enterprises hold for a local development tool.
Another thread comes from GitHub issue #62061. This issue notes that Claude Code v2.1.150 once introduced a tengu_heron_brook mechanism: the client could read a piece of text from Anthropic’s server-side configuration or experiment system and append it to the local agent’s system prompt.
There is no need to read minified functions or understand GrowthBook implementation details here. The high-level implication is sufficient: a locally running coding agent’s system prompt does not come entirely from the local install package, project files, or user configuration. It once had a channel that could read an additional system prompt from the vendor’s server.
The maintainer’s response on the Anthropic issue also broadly acknowledged the existence of such experiments. He said the team sometimes runs experiments on system prompt changes to evaluate quality and avoid regressions, and provided CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 and DISABLE_GROWTHBOOK=1 as opt-out mechanisms. This response is not a formal security advisory, but it is sufficient to show that remote system prompt experiments are not community imagination.
This does not amount to remote code execution. Claude Code’s security documentation explicitly states that permission rules are enforced by the client, not by model prompts. Changes to the system prompt would not automatically bypass the permission system.
But enterprises cannot look only at this layer. The system prompt determines what the agent wants to do; the permission system determines what it can do. Once developers relax allow rules, enable auto mode, or use --dangerously-skip-permissions for the sake of efficiency, the distance between these two layers shrinks. Anthropic itself states in its auto mode engineering explanation that fully skipping permission prompts is not safe in most scenarios.
The real risk is combinatorial: the local permission layer allows the agent to read and write files and run commands; the context instruction layer determines the agent’s behavioral tendencies; the vendor policy layer determines which remote experiments, risk controls, account rules, and client configurations take effect.
An ordinary IDE plugin at most changes the editor experience. An AI coding agent changes the local development loop. It can read repos, run tests, install dependencies, modify CI, call internal network tools, and commit code. If such a tool has a default-invisible remote instruction layer, security reviews cannot only ask “does it upload source code.” They must also ask: where do its instructions come from, when do they change, and who can see them after they change.
This must also be viewed in the context of Anthropic’s vendor behavior. Anthropic is a company with a strong policy posture. It holds clear positions on security, compliance, competitive use, regional access, and third-party wrapping, and it enforces these positions.
Anthropic’s Commercial Terms restrict customers from using the service to build competitive products, train competing models, or resell services without approval. The Supported Countries page also states that Anthropic reserves the right to deny service based on the majority ownership attribution of an entity. These terms are not unusual in themselves. It is normal for large model companies to protect compute, models, and business boundaries.
The issue is that AI coding agents have now entered the main development path. Once vendor boundaries are enforced, they can directly become engineering continuity problems.
TechCrunch reported that Windsurf claimed Anthropic restricted its Claude 3.x first-party capacity with less than five days’ notice, citing competitive relationship concerns. WIRED reported that Anthropic revoked OpenAI’s API access to Claude, with Anthropic explaining that OpenAI’s use violated the terms of service. VentureBeat reported that Anthropic strengthened technical protections to prevent third-party applications from masquerading as the official Claude Code client, affecting users of third-party harnesses such as OpenCode.
These incidents do not imply that Anthropic would maliciously cut off services to ordinary enterprises. There is no evidence for that conclusion. But they amply illustrate that when an enterprise ties its development workflow to a single closed-source client, a single model vendor, and a single account system, the vendor’s business judgments, regional policies, and risk control systems enter the business continuity assessment.
In the past, if a compiler vendor stopped service, enterprises could at least keep compiling locally. Today, if the agent workflow depends on cloud models, official client recognition, account policies, and remote configuration, a single policy change by the vendor could disrupt a team’s development rhythm.
Outright banning Claude Code is not the right answer. A ban would merely push usage to personal accounts, personal computers, and shadow IT. A more realistic approach is to acknowledge the productivity value of AI coding agents while governing them as privileged development runtimes.
First, disable bypass by default. Enterprises should use settings, MDM, or system configuration to disable --dangerously-skip-permissions and bypassPermissions. Auto mode can be piloted, but should be restricted to low-risk repositories, isolated environments, and rollback-safe tasks. Tasks involving production credentials, cloud resources, CI configuration, dependency installation, and Git write operations should still retain human confirmation.
Second, sandbox the agent. Do not let the agent inherit the developer’s host-machine SSH keys, cloud credentials, production kubeconfig, package registry tokens, and all .env files by default. High-privilege tasks should run in containers, VMs, or remote dev environments, with only necessary directories mounted, restricted network egress, and environments destroyed after task completion. When full automation is required, isolation is more reliable than trusting prompts.
Third, establish an enterprise audit surface. Claude Code’s Monitoring documentation provides OpenTelemetry and raw API body logging, but raw bodies are off by default, and enabling them records full conversation history, which may carry source code and private data into logging systems. Enterprises must define their own audit granularity: tool name, Bash command, MCP server, file path, model request summary, rejection reason, policy hit records. By default, do not write complete prompts and complete source code into logs unless sanitization, access control, and retention policies are already in place.
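One way to define that audit granularity in code is to reduce each raw agent event to exactly the fields listed above, hash the system prompt instead of storing it, and redact credential shapes from any Bash command before it is written. The following is an added example for this article, not part of Claude Code's own telemetry or Anthropic's monitoring tooling; the event dictionary layout, the field names and the redaction patterns are assumptions constructed for illustration.

```python
import hashlib
import json
import re

# Constructed redaction patterns for common credential shapes; a real deployment
# would load these from its own secret-scanning rules.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "<AWS_ACCESS_KEY>"),
    (re.compile(r"\bsk-[A-Za-z0-9_-]{8,}\b"), "<API_TOKEN>"),
    (re.compile(r"(?i)bearer\s+[^\s'\"]+"), "Bearer <REDACTED>"),
    (re.compile(r"(?i)(--password[= ])\S+"), r"\1<REDACTED>"),
]


def redact(text: str) -> str:
    """Replace credential-shaped substrings before the text reaches a log sink."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def build_audit_record(event: dict) -> dict:
    """Reduce a raw agent event (assumed layout) to the enterprise audit fields.

    Neither prompt is copied. The system prompt is stored only as a SHA-256, so a
    change in the instruction layer (local or remote) shows up as a hash change
    without the prompt text itself entering the logging system.
    """
    record = {
        "ts": event["ts"],
        "session": event["session"],
        "tool": event["tool"],
        "decision": event["decision"],            # allowed / denied / asked
        "policy_hit": event.get("policy_hit"),    # rule that matched, if any
        "rejection_reason": event.get("rejection_reason"),
        "system_prompt_sha256": hashlib.sha256(
            event["system_prompt"].encode("utf-8")
        ).hexdigest(),
        # Summary only: size of the user prompt, never its content.
        "model_request_summary": f"{event['tool']} call, {len(event['user_prompt'])} prompt chars",
    }
    tool_input = event.get("input", {})
    if event["tool"] == "Bash":
        record["command"] = redact(tool_input.get("command", ""))
    if "file_path" in tool_input:
        record["file_path"] = tool_input["file_path"]
    if event.get("mcp_server"):
        record["mcp_server"] = event["mcp_server"]
    return record


def to_log_line(record: dict) -> str:
    """Serialize one record as a single JSON line for the log pipeline."""
    return json.dumps(record, sort_keys=True)


# Constructed sample event: a denied Bash call whose command carried an access key
# (the key value is the AWS documentation example, not a live credential).
SAMPLE_EVENT = {
    "ts": "2026-06-30T09:15:02Z",
    "session": "sess-42",
    "tool": "Bash",
    "decision": "denied",
    "policy_hit": "deny:Bash(aws *)",
    "rejection_reason": "cloud CLI requires human confirmation",
    "mcp_server": None,
    "input": {"command": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE aws s3 ls"},
    "system_prompt": "You are Claude Code.\nToday's date is 2026-06-30.\n",
    "user_prompt": "list the buckets in the prod account",
}

if __name__ == "__main__":
    print(to_log_line(build_audit_record(SAMPLE_EVENT)))
```

Keeping the system prompt hash in every record is what makes the "when do its instructions change" question answerable later: a query for distinct hashes per client version per day surfaces an instruction-layer change without anyone having to read or retain the prompt.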
Fourth, separate the vendor control plane from the enterprise control plane. Anthropic’s server-managed settings indicate that the client can pull policies from Anthropic servers. Enterprises cannot rely solely on vendor remote policies to protect themselves. Critical restrictions must reside in local configuration, device management, network gateways, and repository rules. For environments that do not need remote experiments, CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 and DISABLE_GROWTHBOOK=1 should be considered as a baseline.
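The first and fourth points together describe a local baseline that an enterprise can check mechanically before a managed settings file is pushed out. The checker below is an added example for this article, not Anthropic's code; the two environment variables come from the issue thread above, while the settings key layout ("env", "permissions.defaultMode", "permissions.deny", "disableBypassPermissionsMode") and the deny rules for credential paths are assumptions modelled on Claude Code's settings.json and should be confirmed against the current settings reference. A weak configuration and a hardened one are included side by side.

```python
import json

# Opt-out variables named in the maintainer's reply on issue #62061.
BASELINE_ENV = {
    "CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC": "1",
    "DISABLE_GROWTHBOOK": "1",
}

# Assumed deny rules (Claude Code-style Read(pattern) syntax) for credential
# material the agent should not inherit from the developer's machine.
BASELINE_DENY = [
    "Read(./.env)",
    "Read(./.env.*)",
    "Read(~/.ssh/**)",
    "Read(~/.kube/**)",
    "Read(~/.aws/**)",
]


def check_settings(settings: dict) -> list:
    """Return baseline violations for a settings dict; an empty list means compliant."""
    findings = []
    env = settings.get("env", {})
    for key, want in BASELINE_ENV.items():
        if str(env.get(key, "")) != want:
            findings.append(f"env.{key} must be set to {want}")
    perms = settings.get("permissions", {})
    if perms.get("defaultMode") == "bypassPermissions":
        findings.append("permissions.defaultMode is bypassPermissions")
    # Assumed key: blocks users from switching into bypass mode at all.
    if settings.get("disableBypassPermissionsMode") != "disable":
        findings.append("disableBypassPermissionsMode is not 'disable'")
    deny = set(perms.get("deny", []))
    for rule in BASELINE_DENY:
        if rule not in deny:
            findings.append(f"permissions.deny lacks {rule}")
    return findings


def check_settings_file(path: str) -> list:
    """Load a managed settings JSON file from disk and check it."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_settings(json.load(fh))


# Constructed example of the weak setup the article warns about: bypass enabled,
# no opt-out variables, no deny rules.
WEAK_SETTINGS = {
    "permissions": {"defaultMode": "bypassPermissions", "allow": ["Bash(*)"]},
}

# Constructed hardened counterpart that passes every baseline check.
HARDENED_SETTINGS = {
    "env": dict(BASELINE_ENV),
    "disableBypassPermissionsMode": "disable",
    "permissions": {
        "defaultMode": "default",
        "deny": list(BASELINE_DENY) + ["Bash(aws *)", "Bash(kubectl *)"],
    },
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, check_settings(cfg) or "OK")
```

Because this runs against the file the enterprise itself distributes, it checks the enterprise control plane only; it says nothing about what the vendor's server-managed settings or remote experiments add on top, which is exactly why the local baseline has to be treated as the floor rather than the whole policy.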
Fifth, maintain fallback options. Enterprises should prepare at least two fallback paths: model fallback and client fallback. Model fallback can be a combination of Anthropic API, AWS Bedrock, Vertex, OpenAI, Google, or local open-source models. Client fallback can be a combination of Claude Code, OpenCode, Codex CLI, internal harnesses, or IDE agents. Do not let the unavailability of a single vendor account directly equate to the team being unable to develop today.
When procuring, several questions must also be asked clearly: whether system prompt experiments are visible; what the lifecycle of feature flags and bootstrap cache is; whether enterprises can disable non-essential remote experiments; how to audit complete request bodies without leaking source code; how binary updates, signing, and version approval are controlled. If a vendor cannot answer these questions, it does not mean the tool cannot be used, but it should go into the risk register.
The value of an AI coding agent comes from delegation of authority. Without the ability to read the repo, run tests, and modify files, it is merely a chat box. But once authority is delegated, trust cannot be sustained by brand, model capability, or vendor goodwill alone.
The two threads exposed in this Claude Code incident are a prompt-level marker targeting China-related endpoints and timezones, and a remote system prompt experiment. Both may have reasonable product explanations: anti-resale, anti-abuse, quality experiments, canary releases. But reasonable motives are not the same as acceptable control. For enterprises, the behavior of a high-privilege agent should be visible, recordable, constrainable, and rollbackable.
So the question is not “should your company keep using Claude Code?” The more precise question is: does your company have the capability to manage Claude Code as a privileged development runtime?
If the answer is yes, keep using it, and use it even more boldly. Sandbox it, connect it to audit, disable bypass, maintain multi-model fallback, and let the agent take on more execution work.
If the answer is no, then the risk is not specific to Claude Code. The risk is that the company has already handed its local development environment to a control plane that is closed-source, remotely mutable, and not fully auditable by default—while believing it merely installed a plugin.