A developer shipped a commit with the message "Update HERMES.md instructions." Nothing unusual. A markdown file in a project directory, part of a standard agentic workflow. The next morning, their Claude Code subscription quota was untouched, but their pay-as-you-go credits had been drained. Over $200 in unexpected charges. The subscription they were paying for had been silently bypassed.
This is the HERMES.md billing bug. And the reason every team running AI coding tools in production should care about it is not the $200. It is the mechanism.

Table of Contents
- What actually happened
- The mechanism that should concern you
- Why this is not just a bug report
- The support response that made it worse
- Enterprise risk is not hypothetical
- The governance gaps this exposes
- What teams should do right now
- The precedent that matters
- FAQ
What Actually Happened
Between April 25 and 27, 2026, a developer discovered that the exact, case-sensitive string "HERMES.md" appearing in recent git commit messages caused Claude Code to silently reroute API requests. Instead of billing against the user's included Max or Pro subscription quota, the system routed those requests to the "extra usage" pay-as-you-go billing tier.
The developer who found it had to do the diagnostic work themselves. They created a minimal reproduction case, testing multiple permutations. Lowercase "hermes.md" did not trigger the bug. Having a file named HERMES.md on disk did not trigger it. The trigger was specifically the string appearing in commit messages, which Claude Code packages into the system prompt as context for the model.
The discovery was published as a GitHub issue with full reproduction steps. A PSA was posted on Reddit's r/ClaudeAI, where it received 212 upvotes. The Hacker News discussion hit 1,208 points with 510 comments. A second Hacker News thread about the related "OpenClaw" keyword triggering similar billing anomalies received 333 points and 230 comments.
This was not a fringe complaint. The developer community recognized the severity immediately.
The Mechanism That Should Concern You
The root cause, as confirmed by an Anthropic representative on Hacker News, was "an overactive anti-abuse system." Here is what that means technically.
Claude Code includes recent git commit history in the system prompt it sends to the model. This gives the model useful context about what you have been working on. That system prompt is then parsed server-side by Anthropic's infrastructure before the request reaches the model.
A heuristic in Anthropic's billing router, designed to detect certain usage patterns, was scanning this commit history content. When it found the string "HERMES.md," it flagged the request and rerouted it from the user's subscription quota to the pay-as-you-go billing tier.
The key details matter. The system did not block the request. It did not return an error. It did not notify the user. It silently changed which billing bucket the request drew from. The user's subscription quota remained untouched while their separately purchased credits were consumed.
This means a control built to curb abuse was behaving like a financial penalty applied in secret, triggered by the content of a developer's own commit messages.
For teams that keep conventional agent specification files like CLAUDE.md or HERMES.md in their workflows, this is a direct exposure. The confirmed triggers were the exact string "HERMES.md" and the related "OpenClaw" keyword, but nothing stops a commit message that references a similarly named file from matching another undisclosed heuristic.
If you are building production-ready multi-agent systems, you are almost certainly committing changes to configuration files with names exactly like this. The trigger was not exotic. It was a normal part of the agentic development workflow.
Why This Is Not Just a Bug Report
Every software system has bugs. What makes this incident significant for practitioners is the category of bug it represents: content-triggered billing modification without disclosure.
Consider what this means structurally. The billing outcome for an API request was determined not by your subscription tier, not by your usage volume, not by any documented policy, but by a specific string inside user-generated content that happened to be included in the system prompt. The user had no way to know this rule existed. The user had no way to predict or avoid the trigger. The user received no notification when the rerouting occurred.
This is fundamentally different from the billing issues teams are used to managing. Rate limit overages are tied to documented limits. Pricing tier changes are announced. Even the April 4, 2026 OpenClaw policy change, where Anthropic moved third-party harness usage to pay-as-you-go billing, was a public policy decision that users could adjust for.
The HERMES.md bug was none of those things. It was an undisclosed, content-based billing rule that existed inside a system the user had no visibility into.
For teams managing AI infrastructure costs, the implication is clear: the billing determinism you assume when budgeting for AI tooling may not exist. And you would not know it was missing until the charges appeared.
I have written about how agentic apps cost so little to build and so much to run. This incident adds a new dimension to that cost unpredictability. It is not just token consumption that can surprise you. The billing path itself can change based on content you did not know was being evaluated.
The Support Response That Made It Worse
What elevated this from a technical incident to a trust crisis was Anthropic's initial customer support response.
When affected users contacted support, they received replies that acknowledged the incorrect billing but stated that Anthropic was "unable to issue compensation for degraded service or technical errors that result in incorrect billing routing."
Read that sentence again. The vendor confirmed the user was billed incorrectly due to a bug in the vendor's own system. And the initial policy was: no refund.
This is the part that should concern enterprise procurement teams. The initial response suggested that incorrect billing caused by technical errors in the vendor's infrastructure was, as a matter of policy, not the vendor's financial responsibility. If that policy had held, it would have established a precedent where AI tooling vendors could bill incorrectly due to their own bugs and face no obligation to make customers whole.
The policy did not hold. Following significant backlash on Hacker News and Reddit, Anthropic reversed course. The company confirmed the bug was fixed and stated that affected users would receive refunds and extra credits. But the reversal was driven by public pressure, not by internal quality processes.
That sequence matters. The fix happened because the story went viral, not because the support system was designed to catch and correct billing errors at the individual customer level.
Enterprise Risk Is Not Hypothetical
For teams standardizing on AI coding tools, the HERMES.md incident creates three categories of risk that need explicit mitigation.
Unpredictable and uncontrolled spend. If billing can be rerouted based on arbitrary content in a developer's commit history, budgets become unreliable. A team could be operating within their subscription allocation and still receive unexpected pay-as-you-go charges because a developer committed a file with a name that triggered an undisclosed heuristic. Financial predictability, the foundation of enterprise tooling procurement, breaks down.
Service disruption. When the pay-as-you-go credits were exhausted, users received "400: You're out of extra usage" errors. Their work stopped. Their subscription quota was still available, but the system was not drawing from it. From the user's perspective, they were blocked from a tool they were paying for, with no clear explanation of why.
Compliance and audit gaps. For regulated industries, billing tied to opaque, content-based heuristics rather than explicit policy creates a governance problem. How do you prove to an auditor that costs are being incurred according to contractual terms when the vendor's billing decisions are made by server-side heuristics scanning user-generated content? The answer is you cannot.
For context on how these kinds of silent failures compound in agent systems, see my post on the agent observability gap. The same lack of visibility that makes debugging agent pipelines difficult also makes it impossible to detect billing anomalies in real time.
The Governance Gaps This Exposes
The incident exposed five specific governance failures that apply beyond Anthropic to any AI tooling provider.
Opaque billing mechanisms. The existence of a billing rule tied to a specific, case-sensitive string within user content was never disclosed. Customers cannot manage costs if the rules governing those costs are hidden.
Silent rerouting instead of blocking. A well-designed anti-abuse system should block a suspicious request and return a clear error. Anthropic's system did the opposite. It silently changed the billing path while allowing the request to proceed. This transforms a security measure into an invisible financial penalty.
First-line support failure. The initial refund denial suggests that support workflows were not equipped to handle novel billing bugs. Whether automated or script-driven, the support system defaulted to denying compensation for the vendor's own technical error. That default is the wrong one.
Reactive policy correction. The refund decision came after public backlash, not through internal quality processes. This indicates that the internal mechanisms for identifying and escalating critical customer-impacting bugs are insufficient for the scale of the product.
Inadequate change management. Deploying a heuristic that scans user content and modifies billing without testing for false positives and without communicating the rule to customers is a change management failure. In any enterprise-grade system, a change with direct financial consequences for customers would require extensive validation before deployment.
These gaps are not unique to Anthropic. They are structural risks in any AI tooling platform where billing, content processing, and anti-abuse systems intersect. Teams evaluating AI vendors should be asking about all five.
What Teams Should Do Right Now
Based on this incident, here is a practical audit checklist for development, finance, and operations teams.
Immediate steps:
Audit your commit history. Run a case-sensitive search across recent repositories for the string "HERMES.md" in commit messages. If found, check whether billing anomalies correlate with those commits.
Reconcile billing data. Export granular usage data from your AI tooling accounts. Compare extra usage charges against subscription quota consumption. Look for periods where pay-as-you-go credits were consumed while subscription quota remained available. That pattern is the signature of this class of bug.
Request refunds if affected. If you find billing anomalies matching this pattern, open a support case with the specific data and timestamps.
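The two audit steps above, the case-sensitive commit search and the billing reconciliation, can be scripted together. The following is an added example written for this page; it is not code from the original post, from Anthropic, or from any billing export tool. It assumes a `git log` record format of its own choosing and an invented CSV layout for the usage export (columns `timestamp`, `subscription_remaining`, `extra_usage_charge`); a real export will need its own column mapping. The sample commit log and usage rows are constructed so the script runs offline.

```python
"""Added audit example (not code from the original post or from Anthropic).
Finds commits whose message contains an exact, case-sensitive token
("HERMES.md" by default), then flags usage-export rows inside a window after
such a commit where extra-usage credit was charged while subscription quota
remained, which is the signature described above.

Assumptions (this example's, not the article's): `git log` is read with the
record format in GIT_FORMAT, and the usage export is a CSV with the columns
timestamp, subscription_remaining, extra_usage_charge.
"""
from __future__ import annotations

import csv
import io
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

# hash, author date (ISO 8601), full message; fields split by \x1f, records by \x1e
GIT_FORMAT = "%H%x1f%aI%x1f%B%x1e"

@dataclass
class Commit:
    sha: str
    when: datetime
    message: str

@dataclass
class UsageRow:
    when: datetime
    subscription_remaining: float
    extra_usage_charge: float

def _ts(value: str) -> datetime:
    """Parse ISO 8601; a naive timestamp is taken as UTC so comparisons never fail."""
    dt = datetime.fromisoformat(value.strip())
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def parse_git_log(raw: str) -> list[Commit]:
    commits = []
    for record in raw.split("\x1e"):
        record = record.strip()
        if record:
            sha, when, message = record.split("\x1f", 2)
            commits.append(Commit(sha, _ts(when), message.strip()))
    return commits

def read_git_log(repo: Path, since: str = "90 days ago") -> list[Commit]:
    out = subprocess.run(
        ["git", "-C", str(repo), "log", f"--since={since}", f"--format={GIT_FORMAT}"],
        check=True, capture_output=True, text=True)
    return parse_git_log(out.stdout)

def find_trigger_commits(commits: list[Commit], token: str = "HERMES.md") -> list[Commit]:
    # Plain substring test, case-sensitive: "hermes.md" must not match.
    return [c for c in commits if token in c.message]

def parse_usage_csv(text: str) -> list[UsageRow]:
    return [UsageRow(_ts(r["timestamp"]), float(r["subscription_remaining"]),
                     float(r["extra_usage_charge"]))
            for r in csv.DictReader(io.StringIO(text))]

def suspicious_charges(usage, triggers, window=timedelta(hours=24)):
    """(commit sha, usage row) pairs: extra-usage credit charged while subscription
    quota was still available, within `window` after a trigger commit."""
    return [(c.sha, row) for c in triggers for row in usage
            if c.when <= row.when <= c.when + window
            and row.extra_usage_charge > 0 and row.subscription_remaining > 0]

def audit(git_log_text: str, usage_csv: str, token: str = "HERMES.md"):
    triggers = find_trigger_commits(parse_git_log(git_log_text), token)
    return suspicious_charges(parse_usage_csv(usage_csv), triggers)

# Constructed sample data so the script runs offline: one trigger commit, one
# lowercase near-miss, and two charged rows in the 24h after the trigger.
SAMPLE_GIT_LOG = (
    "a1b2c3\x1f2026-04-26T09:15:00+00:00\x1fUpdate HERMES.md instructions\n\x1e\n"
    "d4e5f6\x1f2026-04-26T10:00:00+00:00\x1fTidy hermes.md headings\n\x1e\n"
    "0f9e8d\x1f2026-04-20T08:00:00+00:00\x1fAdd CLAUDE.md\n\x1e\n")
SAMPLE_USAGE_CSV = """timestamp,subscription_remaining,extra_usage_charge
2026-04-25T12:00:00+00:00,80.0,0.00
2026-04-26T11:30:00+00:00,78.5,41.20
2026-04-26T18:00:00+00:00,78.5,97.10
2026-04-28T09:00:00+00:00,60.0,0.00
"""

if __name__ == "__main__":
    for sha, row in audit(SAMPLE_GIT_LOG, SAMPLE_USAGE_CSV):
        print(f"{sha} -> {row.when.isoformat()} charged {row.extra_usage_charge:.2f} "
              f"with {row.subscription_remaining:.1f} subscription quota left")
```

For real repositories, replace the sample log with the concatenated output of `read_git_log(Path(repo))` for each repository and pass the exported CSV text to `parse_usage_csv`. Widen `window` if the usage export is aggregated by day rather than by request; the matches it produces are the timestamps to put in a support case.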
Proactive mitigation:
Isolate billing for third-party tools. If you use any third-party coding agents or harnesses, use dedicated API keys with separate billing. Do not rely on CLI credential reuse where billing policies may be in flux.
Set up financial guardrails. Configure budget alerts and anomaly detection specifically on pay-as-you-go billing buckets. Export usage data to cost observability platforms for continuous monitoring. The context window cost lever post covers the broader principles of managing AI infrastructure costs.
Sanitize prompts. If your AI tools allow it, configure them to exclude metadata like full git commit histories from prompts. Implement internal conventions for commit messages that avoid including filenames that could trigger unknown heuristics.
Update vendor governance. Require AI service providers to explicitly disclose any content-based billing or routing logic in their terms of service. Mandate that anti-abuse systems fail closed with clear errors rather than silently rerouting to different billing paths.
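A commit-msg hook is one way to enforce the commit message convention described above so that denylisted filenames never enter the history that gets packaged into prompts. The script below is an added example written for this page, not code from the original post or from any vendor. The denylist contents, the installation path (`.git/hooks/commit-msg`, made executable) and the assumption that git runs the hook before its default message cleanup are this example's, not the article's. It cannot rewrite commits that already exist; the audit step covers those.

```python
#!/usr/bin/env python3
"""Added example of a commit-msg hook (not code from the original post). It
rejects commit messages containing a denylisted token, matched exactly and
case-sensitively, before the commit is created.
Install (assumed local setup): copy to .git/hooks/commit-msg and chmod +x."""
import sys
from pathlib import Path

# The two strings named in this incident. Which tokens to block is a team
# decision, not a vendor-published list.
DENYLIST = ("HERMES.md", "OpenClaw")

def message_body(text: str) -> str:
    """Drop comment lines. The hook sees the message before git's default cleanup
    strips them, and the editor template lists changed files as e.g.
    '#\tmodified:   HERMES.md', which would otherwise be a false positive."""
    return "\n".join(line for line in text.splitlines() if not line.startswith("#"))

def find_denied_tokens(text: str, denylist=DENYLIST) -> list:
    body = message_body(text)
    return [t for t in denylist if t in body]  # exact substring, case-sensitive

def main(argv) -> int:
    path = Path(argv[1])  # git passes the path of the message file as argv[1]
    hits = find_denied_tokens(path.read_text(encoding="utf-8", errors="replace"))
    if hits:
        sys.stderr.write("commit-msg: message contains denylisted token(s) "
                         + ", ".join(hits)
                         + "; rephrase (e.g. 'the Hermes agent spec') and retry\n")
        return 1  # non-zero exit aborts the commit
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the match is case-sensitive, "hermes.md" passes while "HERMES.md" is rejected, mirroring the reproduction; teams that would rather avoid the filename in any form can lowercase both sides in `find_denied_tokens`.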
The Precedent That Matters
The HERMES.md bug is the first widely documented case of content-triggered billing modification in AI tooling. It will not be the last.
As AI coding tools become more deeply integrated into development workflows, they consume more context. They read your files, your commit history, your project structure, your documentation. All of that content flows through server-side systems that make decisions. Some of those decisions are about model behavior. Some are about safety. And apparently, some are about billing.
The question for enterprise teams is not whether this specific bug affects them. It is whether their vendor governance frameworks account for the possibility that AI tooling providers are making billing decisions based on the content of their work, without disclosure.
The broader pattern here is that AI systems are introducing new categories of vendor risk that existing procurement and governance frameworks do not address. Traditional SaaS billing is deterministic and documented. AI tooling billing increasingly involves server-side logic that evaluates user content in ways that are not visible to the customer.
This is not a call to stop using AI coding tools. The productivity gains are real and substantial. But it is a call to treat AI tooling vendors with the same scrutiny you apply to any infrastructure provider that has access to your proprietary content and controls your costs.
The HERMES.md incident demonstrated that your commit messages can change your bill. That fact alone justifies a governance review.
For teams building agent systems where these risks compound, start with the production agent safety checklist and the agent observability framework. The architectural patterns that prevent silent failures in agent systems are the same patterns that protect you from silent billing anomalies.
FAQ
What is the HERMES.md billing bug in Claude Code?
The HERMES.md billing bug was a defect in Anthropic's Claude Code where the case-sensitive string "HERMES.md" appearing in recent git commit messages caused API requests to be silently rerouted from the user's subscription quota to pay-as-you-go billing. The bug was caused by an overactive anti-abuse system that parsed commit history included in the model's system prompt. Users were charged against their extra usage credits while their subscription quota remained untouched.
How much did the HERMES.md bug cost affected users?
One developer reported over $200 in unexpected charges. The exact total across all affected users has not been disclosed. The financial impact was compounded by service disruption, as users received "out of extra usage" errors even though their primary subscription quota was still available.
Did Anthropic issue refunds for the HERMES.md billing bug?
Initially, no. Anthropic's support team acknowledged the incorrect billing but stated they were "unable to issue compensation for degraded service or technical errors that result in incorrect billing routing." After significant public backlash on Hacker News (1,208 points, 510 comments) and Reddit (212 upvotes), Anthropic reversed its stance and confirmed that affected users would receive full refunds and extra credits.
How can teams check if they were affected by the HERMES.md bug?
Teams should run a case-sensitive search for the string "HERMES.md" in recent git commit messages and then cross-reference those dates with billing data from their Anthropic account. The signature pattern is pay-as-you-go credits being consumed while subscription quota remained available. If anomalies are found, open a support case with timestamps and billing data.
What does the HERMES.md bug mean for enterprise AI governance?
The incident exposed that AI tooling providers can make billing decisions based on undisclosed heuristics that scan user-generated content. Enterprise teams should update vendor governance frameworks to require disclosure of all content-based billing logic, mandate that anti-abuse systems fail with clear errors rather than silent billing rerouting, and implement financial monitoring specifically designed to detect billing anomalies in AI tooling.
Is the HERMES.md billing bug related to the OpenClaw billing change?
They are separate but related issues. On April 4, 2026, Anthropic publicly changed its policy so that usage via third-party harnesses like OpenClaw would be billed separately from subscriptions. That was a transparent policy change. The HERMES.md bug was an undisclosed server-side heuristic that silently modified billing based on commit message content. The OpenClaw change was communicated. The HERMES.md behavior was not.
What should teams do to prevent similar billing issues with AI tools?
Teams should isolate billing with dedicated API keys for different tools, set up budget alerts on pay-as-you-go billing buckets, configure AI tools to exclude git commit history from prompts where possible, and update vendor contracts to require disclosure of content-based billing logic. Regular billing reconciliation comparing subscription quota usage against pay-as-you-go charges should become a standard operational practice.