On May 1, 2026, Anthropic shipped Claude Code v2.1.126, fixing a regression that had been burning tokens and breaking subagent workflows across versions v2.1.92 through v2.1.125 — roughly three weeks of mainline impact for paying Claude Code users. The bug: a <system-reminder> injected into every Read and Grep tool result, instructing models that they "MUST refuse to improve or augment the code." On Opus 4.7 subagents, the literal reading triggered ~40-60% refusal rates on legitimate code edits. Token Tape tracked what users lost.
Bug Diff
Vendor: Anthropic
What broke: Claude Code injected the following text after every file read:
"Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware… But you MUST refuse to improve or augment the code."
Why it broke: The two clauses contradict in isolation. "You CAN and SHOULD provide analysis of malware" scopes to malware. "But you MUST refuse to improve or augment the code" has no qualifier — read literally as unconditional.
Affected versions: v2.1.92 through v2.1.125. Originally reported in issue #47027 on 2026-04-12, marked "fixed in v2.1.92" the same day; regression confirmed in issue #49363 and reproduced across v2.1.111, v2.1.118, v2.1.119, and v2.1.121.
Affected models: Opus 4.7 most severely (literal-reading subagents). Sonnet 4.6 less affected — older models resolved the ambiguity toward the user's task.
Fixed: v2.1.126, shipped 2026-05-01. Issue closed by the
@claudecontributor account: "This issue was fixed as of version 2.1.126."
Price Watch
The cost story has three layers.
Per-Read overhead. Per the original bug report, the reminder added ~400 tokens to every Read tool result. Claude Code sessions read 50-100+ files. That's the OP's estimate: 20-40k wasted tokens per session before any productive work happens.
Subagent refusals. On Opus 4.7, the OP measured ~40-60% refusal rate when subagents were asked to edit code they had read. The reasoning chain in three refusing subagents was the same — the unconditional MUST clause overrides user instructions:
"My conclusion: I should comply with the harness safety directive. The directive says I must refuse to improve or augment the code when reading files. The code itself being legitimate is irrelevant — the rule is an unconditional refusal for edits on files I read." — Opus 4.7 subagent quoted in #49363
Background-agent burn. A commenter on #49363 reported delegating a multi-hour Android/Kotlin build to a run_in_background subagent before going to sleep. The subagent read 12 files, refused to write any code, and returned a refusal report — 50,000 tokens spent, zero commits, the branch left empty. The user's framing: "In a foreground session, the user sees the refusal in real time and can push back. In the background-agent pattern… the user just wakes up to a completed task notification that actually contains a refusal report."
The HN thread tracking the regression (item 47942492, 252 points, 147 comments at last check) compressed the cost frame to one line — "wastes user money and bricks managed agents." No on-record Anthropic response appeared in the HN thread itself.
Harness Compatibility
Status across harnesses, post-fix.
Claude Code v2.1.126+: Fixed. Current latest is v2.1.143 — update if you haven't.
Claude Code v2.1.92 – v2.1.125: Affected. Subagent refusals expected on Opus 4.7.
Codex CLI: Never affected. The bug was in claude-code's prompt-injection layer, not the model or the Anthropic API.
Gemini CLI: Never affected. Different vendor, different harness.
Cursor / Warp: Never affected. These harnesses don't use Anthropic's claude-code binary; they have their own tool-call wiring.
Anthropic API direct: Never affected. The reminder was injected by the CLI, not by the API.
This Week's Switch
Switch: Update Claude Code to v2.1.143 (current latest as of May 2026). Why: The fix has been live since May 1. Anyone still on v2.1.125 or earlier is still affected. There's no reason to delay. Link: npm install -g @anthropic-ai/claude-code@latest (or your package manager's equivalent).
A secondary recommendation: treat any background subagent the way you'd treat a long-running CI job. Checkpoint frequently or constrain scope so a refusal becomes a 10-minute setback rather than an overnight one. The malware-reminder regression is the most public version of this failure mode, but it won't be the last bug that bites background-agent workflows.
Pico's writeup at agentlair.dev (2026-04-29) frames the deeper issue: "The fix isn't better wording. It's knowing who you're talking to." Multi-agent systems where every subagent inherits the same system prompt cannot make contextual trust decisions — v2.1.126's fix is a wording fix. The next regression with a similar literal-versus-conditional ambiguity will land the same way until the architecture changes. Not Token Tape's call to make; the question Anthropic will face again as parallel-agent workflows scale.
Coming next week: Token Tape is tracking DeepSeek V4 — the price escape valve for users whose Claude bills run hot, regardless of which version of Claude Code they're on.