[BUG] v2.1.150 adds server-side system prompt injection via `tengu_heron_brook` feature flag
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
v2.1.150 introduced a function (nAA in the minified source) that reads an arbitrary string from two network-backed data sources and injects it verbatim into the system prompt:
- Bootstrap API response (
GET /api/claude_cli/bootstrap) — theclient_datafield, validated only asz.record(z.unknown())(any JSON object), cached to disk - GrowthBook feature flag
tengu_heron_brook— refreshes every 60 seconds with background sync, also cached to disk
The string is registered as a peer-level system prompt section alongside anti_verbosity, thinking_guidance, action_caution, etc. Whatever value Anthropic assigns to this flag gets injected into the instructions of an AI agent with shell access.
Previous versions had a stub for this (ant_model_override) but it always returned null. v2.1.150 is the first version where the slot has live logic.
The changelog describes this as "Internal infrastructure improvements (no user-facing changes)."
This is related to #25141 (lack of transparency for experimental features) and #28941 (unauthorized server-side feature flag push).
What Should Happen?
The system prompt should never be modified by server-side content without user knowledge and consent. The current implementation silently injects arbitrary strings into the prompt with no notification, no opt-in, and no audit trail.
Error Messages/Logs
Steps to Reproduce
npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp
tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz
strings package/claude | grep -oP 'function nAA\(\)\{[^}]+\}'
strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}'
The first command shows the function reading from clientDataCache and GrowthBook. The second shows it registered in the system prompt builder array. Compare with v2.1.149 where heron_brook is absent and ant_model_override returns null.
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
2.1.149
Claude Code Version
2.1.150
Platform
Anthropic API
Operating System
Other Linux
Terminal/Shell
Other
Additional Information
CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 blocks the bootstrap fetch. DISABLE_GROWTHBOOK=1 blocks the live GrowthBook SDK.
Cached feature values persisted to disk from a prior unguarded session are still read.
Also posted about this in other places:
This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗