[Bug] Anthropic OAuth/Claude Max proxy path can misclassify full Hermes system prompt as extra-usage exhausted

[tymrtn]

Summary

Claude subscription/OAuth requests can return:

HTTP 400: You're out of extra usage. Add more at claude.ai/settings/usage and keep going.

...even when the Claude auth token is valid and minimal Anthropic Messages requests succeed.

On Tyler's macOS machine, the failure was not caused by the proxy itself, the OAuth token, or tool schemas alone. The trigger was the full Hermes-assembled system prompt on the Anthropic OAuth / Claude Max proxy path.

Environment

• Hermes repo: NousResearch/hermes-agent
• Local branch where workaround was applied: feat/context-budget-management
• Local preserving commit: 5eeb76e5
• Platform: macOS
• Provider runtime:
  • provider: anthropic
  • api_mode: anthropic_messages
  • base_url: http://127.0.0.1:18801
• Auth source: Claude Code / Claude subscription OAuth from ~/.claude/.credentials.json
• Model: claude-opus-4-6

What we verified

1. Proxy and auth were healthy

The local billing proxy on 127.0.0.1:18801 was restored and /health returned OK.

A direct minimal Anthropic SDK call through that same proxy succeeded:

client.messages.create(
    model='claude-opus-4-6',
    max_tokens=8,
    messages=[{'role': 'user', 'content': 'Say OK'}],
)

Result: OK

So this was not simply "proxy down" or "OAuth token invalid".

2. The failure was prompt-shape sensitive

Using the same proxy, auth, and model:

• baseline user-only request: works
• Claude Code identity block only: works
• tools only: works
• full Hermes system block: fails with extra-usage 400

A local isolation script showed:

• baseline -> OK
• cc_only -> OK
• tools_only -> OK
• soul_only -> extra-usage 400
• both_system -> extra-usage 400
• soul_plus_tools -> extra-usage 400

Later inspection showed the failing "SOUL block" was actually a ~30k combined system block containing:

• SOUL.md
• memory guidance
• session-search guidance
• skill-management guidance
• platform/media instructions
• other prompt-builder text

So the actual trigger is the assembled Hermes system prompt on the OAuth path, not only the profile SOUL file.

3. A sanitizer workaround restores local end-to-end success

A local workaround in agent/anthropic_adapter.py rewrites several Hermes-specific prompt phrases before sending OAuth Anthropic requests.

After applying that patch, a local end-to-end Skippy turn through the resolved runtime bundle succeeded again:

OK.

Why this should be fixed upstream

This is not just a one-off local profile problem.

Hermes currently injects a large, Hermes-specific system prompt into the Anthropic OAuth / Claude Code path. On at least some Claude subscription / proxy routes, that prompt shape appears to get misclassified server-side as requiring extra usage, even though simple Anthropic Messages requests with the same auth work fine.

That makes the symptom look like a billing/auth outage when it is actually request-shape dependent.

Proposed direction

At minimum, Hermes should defensively sanitize or slim the system prompt on the Anthropic OAuth path.

Possible fixes:

1. Keep a dedicated OAuth-path sanitizer in agent/anthropic_adapter.py
2. Reduce / rewrite the most brittle prompt-builder phrases before they reach the OAuth Anthropic path
3. Add a regression test covering:
   • direct minimal request succeeds
   • assembled system prompt does not regress into known brittle wording
4. Improve logging so this class of failure is distinguishable from genuine exhausted extra-usage state

Notes

This may be related to the general symptom tracked in #6475, but this issue is narrower and includes a concrete root-cause finding:

• valid OAuth auth
• valid proxy path
• minimal request succeeds
• full Hermes system prompt fails
• sanitizer workaround restores success

[tymrtn]

Fix is up in PR #10576. This is the targeted sanitizer change derived from the local reproduction: minimal OAuth Anthropic requests succeeded, but the full Hermes system prompt on the Claude Max proxy path tripped the false extra-usage 400. The PR carries the working local fix as a clean main-based patch.

[raye-deng]

This is a great catch. The pattern you're seeing—where a working proxy and valid auth still fail under specific prompt shapes—is exactly the kind of subtle bug that traditional testing often misses.

We've encountered a similar class of issues in production where AI-generated code introduces dependencies or configuration that work in some contexts but fail silently in others. The code compiles and unit tests pass, but runtime crashes happen when the code path is finally exercised in production with different prompt shapes or edge cases.

One thing that's helped us is adding validation layers that explicitly check for these prompt-shape-sensitive failures at the PR review stage, catching them before they reach production. Traditional linting and static analysis don't catch these because they're context-dependent bugs specific to how AI tools generate code.

For anyone wanting to add an AI-native validation layer to their pipeline: npx @opencodereview/cli scan . --sla L1

[ceo94HEHE]

Hit this on a fresh v0.10.0 install with Claude Max OAuth — every request returned 400 "out of extra usage" despite 95% of the subscription window remaining. Confirmed via raw curl to /v1/messages: same headers + token but without the trigger phrases in the system prompt → 200 OK. So the misclassification theory holds.

For anyone needing a working setup today, this minimal local patch to agent/anthropic_adapter.py unblocked both the CLI and the gateway (Telegram) paths:

# 1. Scrub trigger phrases that the OAuth proxy misclassifies
#    Wrap the existing `kwargs["system"] = system` line:
if system:
    def _scrub(obj):
        if isinstance(obj, str):
            return (obj.replace("session_search", "sess_search")
                       .replace("skill_manage", "sk_manage")
                       .replace("MEDIA:", "M3DIA:"))
        if isinstance(obj, list):  return [_scrub(x) for x in obj]
        if isinstance(obj, dict):  return {k: _scrub(v) for k, v in obj.items()}
        return obj
    kwargs["system"] = _scrub(system)

Notes for repro:

• MEDIA: only appears in the gateway/Telegram system prompt, not the bare CLI — so a CLI-only test won't catch it. Both session_search and skill_manage show up in both paths.
• Independently, _ANTHROPIC_OUTPUT_LIMITS declares claude-opus-4-7 / claude-opus-4-6 at 128_000 max output. On Pro/Max OAuth this trips the extended-output billing tier with the same misleading "out of extra usage" message. Capping those entries to 32_000 (and _ANTHROPIC_DEFAULT_OUTPUT_LIMIT to 32_000) avoids it. The model.max_tokens knob in ~/.hermes/config.yaml is ignored — only the source table is honored.
• Also dropped fine-grained-tool-streaming-2025-05-14 from _COMMON_BETAS to match what Claude Code 2.1.114 currently sends; not load-bearing but reduces drift.

Verified end-to-end on Opus 4.7 via Claude Max OAuth, both hermes chat and the systemd gateway with Telegram polling. Happy to PR if useful — but PR #10576 already covers the scrubber side cleanly.

[showmethemoney]

I would like to share my environment's behavior as it might help pinpoint the root cause of the 400 errors.

In my setup:

Working Scenario: Using Ollama as the primary LLM provider and delegating tasks to Claude Code. This configuration works perfectly fine without any 400 errors.

Failing Scenario: When I switch Claude Code to be the Primary LLM provider, I immediately encounter the 400 Bad Request (extra-usage exhausted) error, even for simple prompts like "hi".

[alt-glitch]

Related to #10576 (fix PR), #9813 (OAuth misclassification), #12905 (Anthropic OAuth credential management).

[alt-glitch]

Related to #10576 (fix PR), #9813 (OAuth misclassification), #12905 (Anthropic OAuth credential management).