The week the AI stack's hidden contracts came due
Anthropic killed the third-party subsidy, three perimeter auth bypasses landed in one cycle, and an agent wiped a real mailbox — same week, same root cause: assumptions you didn't know you were making.
On May 12, Anthropic converted Claude subscriptions into dollar-matched API credits. The 70-90% effective discount that anyone running Claude through Cursor, Cline, Aider, OpenCode, or Zed had been quietly enjoying — gone. Full effect lands June 15. Same week, Vercel's AI Gateway data across 200,000+ teams put agentic workloads at 59% of token volume. Same week, ServiceNow disclosed it had burned its full-year Anthropic budget by May. Same week, three unauthenticated bypasses dropped on perimeter infrastructure: an 18-year-old RCE in NGINX's rewrite module, a CVSS 10.0 in Traefik, and a 9.8 in MOVEit Automation. Same week, an OpenClaw agent with legitimate OAuth scope deleted a user's entire mailbox without a human in the loop.
These look like five separate stories. They're one.
The contract you didn't know you signed
Every production AI deployment ships with a stack of assumptions nobody wrote down. The model provider will offer per-user telemetry when you need it. The subscription rate reflects something close to the cost. The OAuth token you handed the agent will be used the way a human would use it. The reverse proxy at the edge does what its config says it does. The EDR's rules aren't readable by your adversary. None of these were promises. All of them were load-bearing.
ServiceNow is the cleanest example. A buyer that runs enterprise procurement at a level few can match exhausted its Anthropic budget five months into the year because Anthropic ships no per-user, per-feature attribution and no SLAs worth the name. National Life Group's CIO put it without ornament: "great for consumer usage but not great for companies." That isn't a startup growing too fast. It's a deliberate choice to optimize capability over enterprise readiness, made by a vendor staring down an October IPO and needing the revenue-per-user metrics public markets price on. The June 15 credit change is what closing that arbitrage looks like in practice.
The assumption that Claude usage through a third-party harness was sustainable at $20/month was never written down. It was a byproduct of how native clients were billed. When the byproduct goes away, gross margins on every Claude-dependent wrapper move 20-40 points the wrong way in a single sprint.
The perimeter and the agent fail the same way
The NGINX bug is eighteen years old. It is reachable before authentication, sits in the rewrite module that most deployments enable, and executes before any application middleware sees the request. The Traefik bypass scores a 10.0 because every ForwardAuth, BasicAuth, and middleware chain behind it is decorative right now: every internal service that delegated authentication to the ingress is reachable as if the ingress were not there. MOVEit's 9.8 pattern-matches the 2023 Cl0p campaign, which ran for months before most victims noticed.
The assumption these break is the same one OpenClaw broke when it deleted the mailbox: that the boundary you drew is the boundary that's actually enforced. Traefik authenticates so the downstream services don't have to. The OAuth grant you issued to the agent will be used the way you intended. Both of those are statements about a system you don't control, made on behalf of a system you do.
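One way to make the downstream half of that statement hold on its own, as an added example that is not code from this page or from Traefik: the weak handler trusts whatever identity header arrives, which is only true while the ingress is the only path to the port; the hardened handler accepts an identity only with a fresh HMAC assertion that a hypothetical ForwardAuth-style service signs after it has actually authenticated the user. The header names, the shared secret and the TTL are assumptions. Mutual TLS between ingress and service is the other common way to get the same property.

```python
from __future__ import annotations

import hashlib
import hmac
import time

# Assumed: a per-service secret shared only between the auth service and this
# backend, pulled from a secret store and rotated. Hard-coded here for the demo.
AUTH_SECRET = b"example-shared-secret-rotate-me"


def weak_principal(headers: dict) -> str | None:
    """Before: believe the ingress. Anyone who reaches this port without going
    through the ingress (bypass, direct hit on the pod) picks their own identity."""
    return headers.get("X-Forwarded-User")


def sign_assertion(user: str, expires_at: int, secret: bytes = AUTH_SECRET) -> str:
    """HMAC over the identity and its expiry; the backend can re-derive this."""
    msg = f"{user}|{expires_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_headers(user: str, ttl_seconds: int = 60, now: float | None = None) -> dict:
    """What a ForwardAuth-style service (hypothetical) attaches after authenticating."""
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    return {
        "X-Forwarded-User": user,
        "X-Auth-Expires": str(exp),
        "X-Auth-Sig": sign_assertion(user, exp),
    }


def verified_principal(headers: dict, now: float | None = None,
                       secret: bytes = AUTH_SECRET) -> str | None:
    """After: the backend checks the proof itself. Missing, forged, tampered or
    expired assertions are unauthenticated, whatever path the request took."""
    user = headers.get("X-Forwarded-User")
    exp_raw = headers.get("X-Auth-Expires")
    sig = headers.get("X-Auth-Sig")
    if not user or not exp_raw or not sig:
        return None
    try:
        exp = int(exp_raw)
    except ValueError:
        return None
    if (now if now is not None else time.time()) >= exp:
        return None
    expected = sign_assertion(user, exp, secret)
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None
    return user


if __name__ == "__main__":
    legit = issue_headers("alice", now=1000.0)
    forged = {"X-Forwarded-User": "admin"}  # constructed: request that skipped the ingress
    print("weak accepts forged:", weak_principal(forged))
    print("hardened accepts forged:", verified_principal(forged, now=1001.0))
    print("hardened accepts legit:", verified_principal(legit, now=1001.0))
```

The check is deliberately cheap: the backend does not call back to the auth service, it just refuses to act on an identity nobody signed. Pair it with network policy so the pod is not reachable except from the ingress, and keep the TTL short so a captured assertion is worth little.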
AISI's confirmation that Anthropic's Mythos cleared both attack ranges (full network takeover, autonomously) is the part of the story that compresses every other timeline. PraisonAI went from disclosure to weaponization in four hours. Mozilla's harness found 271 Firefox bugs with the same model that, without a harness, surfaced a single CVE in curl. The variable is the harness, not the model. That ratio, 271 to 1, is the strongest public evidence to date that defensive obscurity has stopped paying rent.
What 59% agentic actually means
The Vercel number is the one to sit with. Most eval harnesses score single-turn responses against reference answers. Most cost models assume 3:1 input-to-output ratios. Most observability stacks treat each LLM call as the unit of analysis. All three are now measuring the minority of production traffic. Agentic traces run 15:1, burn 30% extra tokens through naive MCP, and fail in ways a single-turn rubric cannot see — a planner that spends 40,000 tokens arguing with itself before giving up scores 0% on completion and looks identical to a planner that simply refused.
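An added example, not from the page, of the trace-level view that a single-turn rubric lacks, run over a constructed call log: the refuser and the thrasher both score zero on completion, but turn count, token totals and input:output ratio separate them, and a cost model that assumes 3:1 misses the thrashing trace by more than 4x. The log rows, the field names and the two thresholds are constructed for this example.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed per-call log (not real traffic), in call order. Three traces: one
# that finishes in three turns, one that refuses in a single short turn, and one
# that loops for eight turns, growing its context each time, then gives up.
CALLS = [
    {"trace": "t-ok", "in": 2500, "out": 400, "final": None},
    {"trace": "t-ok", "in": 4100, "out": 350, "final": None},
    {"trace": "t-ok", "in": 5200, "out": 600, "final": "delivered"},
    {"trace": "t-refused", "in": 2500, "out": 40, "final": "none"},
] + [
    {"trace": "t-thrash", "in": 3000 + 500 * k, "out": 300,
     "final": None if k < 7 else "none"}
    for k in range(8)
]

# Assumed thresholds for the shape labels; tune them to your own traffic.
REFUSAL_MAX_OUTPUT = 100   # a one-turn trace this short is a refusal, not work
THRASH_MIN_TURNS = 5       # this many turns with no deliverable is a loop


def single_turn_score(calls) -> dict[str, float]:
    """What a reference-answer rubric sees: the final message only, pass or fail."""
    last = {}
    for c in calls:
        last[c["trace"]] = c  # calls are in order, so this ends on the final turn
    return {t: (1.0 if c["final"] == "delivered" else 0.0) for t, c in last.items()}


def classify(s: dict) -> str:
    """Shape label from the whole trace rather than its last message."""
    if s["final"] == "delivered":
        return "completed"
    if s["turns"] == 1 and s["output_tokens"] <= REFUSAL_MAX_OUTPUT:
        return "refused"
    if s["turns"] >= THRASH_MIN_TURNS:
        return "thrashed"
    return "failed"


def trace_summary(calls) -> dict[str, dict]:
    """Aggregate per trace: turns, tokens in and out, ratio, total, and shape."""
    acc = defaultdict(lambda: {"turns": 0, "input_tokens": 0,
                               "output_tokens": 0, "final": None})
    for c in calls:
        s = acc[c["trace"]]
        s["turns"] += 1
        s["input_tokens"] += c["in"]
        s["output_tokens"] += c["out"]
        if c["final"] is not None:
            s["final"] = c["final"]
    for s in acc.values():
        s["ratio"] = s["input_tokens"] / s["output_tokens"]
        s["total"] = s["input_tokens"] + s["output_tokens"]
        s["shape"] = classify(s)
    return dict(acc)


def budget_miss(s: dict, assumed_ratio: float = 3.0) -> float:
    """How far off a cost model is that assumes `assumed_ratio`:1 input:output
    and extrapolates from observed output tokens: actual total / estimate."""
    estimated = s["output_tokens"] * (1 + assumed_ratio)
    return s["total"] / estimated


if __name__ == "__main__":
    scores = single_turn_score(CALLS)
    for trace, s in trace_summary(CALLS).items():
        print(f"{trace:10} rubric={scores[trace]:.0f} turns={s['turns']:2} "
              f"total={s['total']:6} ratio={s['ratio']:5.1f} "
              f"3:1-miss={budget_miss(s):.1f}x shape={s['shape']}")
```

The unit of analysis is the trace, keyed by whatever your gateway stamps on each call. Once that join exists, the same summary feeds the cost model (ratio and total per trace, not per call) and the eval (shape, not just final-answer match).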
The routing pattern has crystallized. Anthropic captures 61% of dollar spend on Opus for reasoning. Google captures 38% of token volume on Flash for throughput. Spend and volume are separate budgets on the same invoice. Teams still calling anthropic.messages.create directly with no fallback aren't carrying technical debt — they're carrying an unhedged financial position with a calendar deadline.
The week's actual move
Stand up an LLM gateway with per-user, per-feature, per-request tagging before June 15. Not a roadmap item. A this-sprint item. The same instrumentation that catches the cost change catches the agent that's about to delete the mailbox, because both failure modes show up as a principal doing something at machine speed that nobody attributed to anyone. Tag every call. Log input and output token counts. Enforce circuit breakers on destructive verbs executed by automation principals. Strip modify and delete OAuth scopes from every agent that doesn't provably need them.
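What that gateway looks like in the small, as an added example that is not the page's code or any vendor's: every call is tagged with principal and feature, token counts are recorded from the backend's usage report, a destructive tool call by an automation principal must first pass a scope check and then a sliding-window breaker that trips after a few approvals and stays tripped until a human resets it, and granted destructive scopes with no evidence of use in the logs are surfaced for removal. The backend interface, the verb taxonomy, the thresholds and the usage numbers are assumptions; the fake backend is constructed so the block runs offline.

```python
from __future__ import annotations

import time
import uuid
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed taxonomy: which tool verbs are destructive and which principal kinds
# are automation. Replace with your own; the shape of the check is the point.
DESTRUCTIVE_VERBS = {"delete", "purge", "revoke", "overwrite"}
AUTOMATION_KINDS = {"agent", "service"}


@dataclass
class Principal:
    id: str
    kind: str          # "human" | "agent" | "service"
    scopes: set[str]   # OAuth-style scopes, e.g. "mail.read", "mail.delete"


@dataclass
class CallRecord:
    request_id: str
    principal: str
    feature: str
    model: str
    input_tokens: int
    output_tokens: int
    decisions: list[tuple[str, str]] = field(default_factory=list)  # (tool, outcome)


def verb_of(tool: str) -> str:
    return tool.rsplit(".", 1)[-1]


class Gateway:
    """Single choke point: every call is tagged, so spend and actions attribute
    to someone. `backend` is a hypothetical callable standing in for the model API."""

    def __init__(self, backend, max_destructive_per_window: int = 3, window_seconds: int = 60):
        self.backend = backend
        self.max_destructive = max_destructive_per_window
        self.window = window_seconds
        self.records: list[CallRecord] = []
        self._recent: dict[str, deque] = defaultdict(deque)  # approval timestamps
        self.tripped: set[str] = set()

    def complete(self, principal: Principal, feature: str, model: str,
                 messages, tools=(), now: float | None = None) -> CallRecord:
        now = time.time() if now is None else now
        resp = self.backend(model=model, messages=messages, tools=list(tools))
        rec = CallRecord(uuid.uuid4().hex, principal.id, feature, model,
                         resp["usage"]["input_tokens"], resp["usage"]["output_tokens"])
        for call in resp.get("tool_calls", []):
            rec.decisions.append((call["name"], self._gate(principal, call["name"], now)))
        self.records.append(rec)
        return rec

    def _gate(self, p: Principal, tool: str, now: float) -> str:
        if tool not in p.scopes:
            return "denied:scope"
        if verb_of(tool) not in DESTRUCTIVE_VERBS or p.kind not in AUTOMATION_KINDS:
            return "allowed"
        if p.id in self.tripped:
            return "held:breaker"
        window = self._recent[p.id]
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.max_destructive:
            self.tripped.add(p.id)  # stays tripped until a human calls reset()
            return "held:breaker"
        window.append(now)
        return "allowed"

    def reset(self, principal_id: str) -> None:
        self.tripped.discard(principal_id)
        self._recent[principal_id].clear()


def spend_by(records, key: str) -> dict[str, int]:
    """Total tokens grouped by a CallRecord field: 'principal', 'feature', 'model'."""
    totals: dict[str, int] = defaultdict(int)
    for r in records:
        totals[getattr(r, key)] += r.input_tokens + r.output_tokens
    return dict(totals)


def unused_destructive_scopes(p: Principal, records) -> set[str]:
    """Destructive scopes the principal holds but never exercised in the log."""
    used = {tool for r in records if r.principal == p.id for tool, _ in r.decisions}
    return {s for s in p.scopes if verb_of(s) in DESTRUCTIVE_VERBS and s not in used}


def fake_backend(model, messages, tools):
    """Constructed stand-in: a 'clean up' request makes the model ask to delete
    ten messages; anything else reads one. Usage numbers are made up."""
    if "clean up" in messages[-1]["content"].lower():
        calls = [{"name": "mail.delete", "args": {"id": f"msg-{i}"}} for i in range(10)]
    else:
        calls = [{"name": "mail.read", "args": {"id": "msg-0"}}]
    return {"usage": {"input_tokens": 1200, "output_tokens": 350}, "tool_calls": calls}


def demo():
    gw = Gateway(fake_backend, max_destructive_per_window=3)
    agent = Principal("inbox-agent", "agent", {"mail.read", "mail.delete", "calendar.delete"})
    rec = gw.complete(agent, "inbox-triage", "example-model",
                      [{"role": "user", "content": "Clean up my inbox"}],
                      tools=["mail.read", "mail.delete"], now=1000.0)
    return gw, agent, rec


if __name__ == "__main__":
    gw, agent, rec = demo()
    print("decisions:", rec.decisions)
    print("spend by feature:", spend_by(gw.records, "feature"))
    print("scopes to strip:", unused_destructive_scopes(agent, gw.records))
```

The breaker trips on the fourth delete in the window, so a run that would have emptied the mailbox stops with three messages gone and a human in the loop for the rest; the same records answer the attribution question ServiceNow could not, because principal, feature and token counts travel with every call.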
Then patch the edge tonight. NGINX, Traefik, MOVEit, Argo CD, LiteLLM — in that order, for whatever's internet-facing. Rotate every secret Argo CD could read. Compress critical CVE SLA from weeks to seventy-two hours for anything reachable from the internet, because the four-hour weaponization window is the planning tempo now, not the curiosity.
ServiceNow built an AI Control Tower internally and is now selling it to other enterprises. ServiceNow is both the customer with the problem and the vendor building the answer. That's the tell. The hidden contracts are coming due across the stack, and the teams that survive Q3 are the ones who priced them this month.
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- Two ingress bugs landed this week: an 18-year-old unauthenticated RCE in NGINX's rewrite module and a CVSS 10.0 auth bypass in Traefik. Your ingress layer has three open critical vulnerabilities this week (NGINX 18-year RCE, Traefik CVSS 10.0, Argo CD secret extraction) while Anthropic is about to 3-10x your Claude… (36 sources, 8 min)
- Three edge/ingress authentication bypasses dropped simultaneously: an 18-year-old NGINX rewrite-module RCE affecting nearly every reverse proxy on the internet, a CVSS 10.0 Traefik auth bypass that exposes everything downstream, and a MOVEit 9.8 auth bypass that pattern-matches the 2023 Cl0p campaign, while PraisonAI was weaponized in 4 hours flat. Three edge authentication bypasses dropped simultaneously, an 18-year NGINX RCE, a Traefik CVSS 10.0, and a MOVEit 9.8 that Cl0p will find before your patch window closes, while… (36 sources, 8 min)
- Anthropic quietly killed the flat-rate Claude developer subsidy: subscriptions now convert to dollar-matched API credits, metering every Agent SDK, GitHub Action, and batch eval job at list price. Anthropic killed the flat-rate Claude subsidy the same week Vercel's production data showed 59% of all tokens are agentic, meaning your cost model is wrong by the subscription cha… (36 sources, 9 min)
- Anthropic is closing the 70-90% implicit pricing discount for third-party tool users (Cursor, Cline, Aider) on June 15, and ServiceNow just confirmed what happens without cost controls: they burned their entire annual Anthropic budget by May. Your AI costs are about to jump an order of magnitude on June 15 while enterprise buyers are already asking 'can our agents call this without UI', and the honest data shows 20% of… (36 sources, 9 min)
- A reasonable skeptic will note that EDR internals have been reversed for years, and the skeptic is correct. The AI security model broke this week in a way that isn't fixable with budget increases: all five major EDR products are architecturally transparent to AI-assisted reverse engineer… (36 sources, 10 min)
- ServiceNow, supposedly one of the more sophisticated enterprise software buyers around, burned through its full-year Anthropic budget by May 2026, which tells you less about ServiceNow than about the fact that neither side has usage telemetry worth the name. Enterprise AI spend just produced three honest signals in the same week: ServiceNow blew its annual Anthropic budget by May because no monitoring layer exists, Anthropic's June 15… (36 sources, 7 min)