Claude Code 2.1.196 embeds Unicode markers via Crt() on custom ANTHROPIC_BASE_URL
Claude Code 2.1.196 silently classifies custom API endpoints by mutating date strings with Unicode markers decoded from embedded lists. The mechanism targets resellers and proxies yet lacks documentation or explicit telemetry fields. This client-side steganography reduces auditability of production coding agents that already hold broad local access.
Operational impact falls on teams routing Claude Code through model routers, corporate gateways, or distillation pipelines. Those setups now transmit an immutable signal inside the system prompt that Anthropic backends can parse for policy enforcement. Binary patching, hostname canonicalization, or timezone spoofing defeats the check, confirming the control is both fragile and non-transparent. Future agent releases that add computer-use permissions will amplify the same trust surface.
Anthropic: will add explicit X-Anthropic-Client-Marker header in next Claude Code release within 120 days or remove Crt() entirely
Sources (3)
- [1]Claude Code binary analysis(https://thereallo.dev/blog/claude-code-prompt-steganography)
- [2]A Watermark for Large Language Models(https://arxiv.org/abs/2301.10226)
- [3]Anthropic API reference - base URL configuration(https://docs.anthropic.com/en/api)