The week the subsidies, the perimeter, and the patch SLA all broke
Anthropic just repriced every Claude wrapper, four edge-layer criticals dropped in one cycle, and AI cleared full network takeover in government tests. The assumptions underneath your roadmap, your bill, and your patch window all changed in the same seven days.
On Friday, Anthropic converted Claude subscriptions into dollar-matched API credits across the Agent SDK, GitHub Actions, and every third-party harness people quietly built unit economics on. The 70–90% effective discount that powered Cursor, Cline, Zed, OpenCode, and a long tail of internal tools is gone on June 15. ServiceNow — a $9B+ revenue company with serious procurement — already burned its full-year Anthropic budget by May and could not tell you which users or features did it, because Anthropic ships no per-user telemetry and no SLAs.
OpenAI replied within hours: two months of free Codex for any enterprise that switches inside a 30-day window, expiring July 13.
That is the foreground story. There are two more, and they compound.
The pricing reset is an IPO event, not a product event
Anthropic admitted at Code with Claude that they planned for 10x growth and got 80x. The patch was leasing xAI's entire Colossus 1 cluster — 220,000 GPUs — from a counterparty whose CEO has publicly called them "misanthropic and evil." Inference for a meaningful share of enterprise prompts now transits a competitor's infrastructure. Get the updated sub-processor list before your next DPIA review.
The credit conversion is what margin recovery looks like ahead of an October IPO. Ramp's April panel put Anthropic at 34.4% of business spend against OpenAI's 32.3% — the first lead change in the series, on a base skewed toward SMB credit-card billing. It's a real signal but a thin one. What it does establish is that vendor stickiness in this category is effectively zero. Customers flip on capability. Anthropic is consolidating pricing power exactly when they have it, and exactly when they cannot afford to lose it.
The arithmetic for anyone running Claude through a third-party harness: same prompts, same outputs, 3–10x the bill starting June 15. If you have not modeled the per-developer impact yet, it's the Monday task. If you have, the second task is a one-page memo that says what price change would make you reverse course — circulated to engineering and finance this week, before the next adjustment lands. Teams with that memo ready move in 72 hours. Teams without it spend the quarter in a Slack thread.
While you're at it, run the free Codex window against your top three Claude-dependent workflows. The eval costs nothing, produces leverage in either direction, and the window closes July 13.
The perimeter went down on four fronts at once
In the same cycle: an unauthenticated RCE in the NGINX rewrite module that has been latent for 18 years, a CVSS 10.0 auth bypass in Traefik that turns every ForwardAuth and BasicAuth middleware into decoration, a 9.8 auth bypass in MOVEit Automation in the same product family Cl0p worked through in 2023, and a critical in the PraisonAI agent framework that was weaponized within four hours of disclosure.
Four hours is the number to internalize. It is shorter than most enterprise change-control windows. The 30-day patch SLA was designed for a different adversary.
Layer in what UK AISI confirmed this week: Anthropic's Mythos became the first model to clear both simulated attack ranges, end-to-end network takeover with no human in the loop. Mozilla's custom agentic harness used the same model to surface 271 previously unknown Firefox bugs. Daniel Stenberg ran an out-of-box scan against curl and got one real CVE. Same weights, 271:1 yield gap. The harness is the product now, not the model. That cuts both ways — Microsoft's MDASH shipped 16 validated Windows CVEs in a single Patch Tuesday using a 100+ agent ensemble, and Google TAG caught the first threat group in the wild building cybercrime tooling with an LLM.
Patch NGINX tonight, because it's pre-auth and the request never reaches your application. Traefik next, because every backend behind it is internet-facing without auth until you do. Argo CD third, with full secret rotation in every namespace it can reach — the read-only secret-extraction bug means anything stored as a Kubernetes Secret should be considered disclosed. Then MOVEit, because the Cl0p affiliates who hit 600+ orgs in 2023 specifically hunt this product line.
Compress the critical-CVE SLA from 30 days to 72 hours for internet-facing pre-auth bugs. The PraisonAI four-hour window is the new floor, not an outlier.
The agent layer is in production and the controls are not
Vercel's gateway data across 200,000 teams puts agentic workloads at 59% of all token volume. OpenClaw deleted a user's entire inbox this week — the first publicly documented confused-deputy destructive action by a production agent, executed against a legitimate OAuth grant with modify/delete scope. Claude Code's /goal command runs unattended multi-turn coding loops with no token budget and a Haiku evaluator that reads only the transcript, not the working directory. AWS Bedrock shipped x402 agent payments as a built-in capability. SAP committed €100M to an Autonomous Enterprise fund and ServiceNow exposed Action Fabric as headless workflows over MCP — the enterprise execution layer is converging on "can your agents call this product directly" as the procurement question, on a 2–3 quarter timeline.
The topology is the same in every case: agents act with user OAuth tokens, downstream systems see legitimate users, and SIEM rules tuned to human session patterns false-negative on machine-speed traffic carrying human identity. Bot detection fails against agents 81% of the time.
The operator move this week is concrete. Inventory every OAuth grant issued to an agent framework and remove modify/delete scope wherever read suffices. Classify autonomous coding agents as non-human identities with credential TTL under one hour and distinct SIEM event sourcing — agent commits and human commits cannot share an audit trail. Add SIEM rules for high-volume delete and modify operations from agent user-agents: Graph API mass-delete, Gmail batch-delete, Git force-push. Audit which Bedrock AgentCore deployments have x402 enabled by default and block outbound wallet interactions for agents that don't need them. Prompt injection against a payment-capable agent moves money one-way.
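Added example, written for this newsletter and not code from any vendor or product named above: a minimal SIEM-style detector over constructed audit events. It keys on the (user, user-agent) pair and flags bursts of destructive operations at sub-human inter-event gaps, the machine-speed-traffic-with-human-identity pattern described above. The event schema, the agent user-agent strings and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (assumed schema, not from any real product):
# an agent mass-deletes mail under alice's legitimate OAuth grant at machine
# speed, alice deletes a few messages herself from a browser, and a read-only
# agent under bob's grant only reads.
BASE = datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc)

def _ev(offset_s, user, ua, op):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {"ts": ts, "user": user, "ua": ua, "op": op}

SAMPLE_LOG = (
    [_ev(i * 0.2, "alice@example.com", "openclaw-agent/1.4", "mail.delete") for i in range(8)]
    + [_ev(300 + s, "alice@example.com", "Mozilla/5.0 (X11; Linux) Firefox/126.0", "mail.delete") for s in (0, 7, 19)]
    + [_ev(600 + i * 0.05, "bob@example.com", "summarizer-bot/0.3", "mail.read") for i in range(20)]
)

DESTRUCTIVE_OPS = {"mail.delete", "mail.batchDelete", "drive.delete", "git.forcePush", "graph.deleteItem"}
WINDOW_S = 10.0        # sliding window length
THRESHOLD = 5          # destructive ops inside one window that count as a burst
HUMAN_MIN_GAP_S = 0.5  # mean gap below this is faster than a person clicks

def _epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc).timestamp()

def detect_agent_mass_delete(events):
    """Alert on (user, user-agent) pairs that issue a burst of destructive ops at a
    sub-human rate. The key includes the user-agent because the identity is a real
    human's: keyed on user alone, the burst averages into that person's normal day.
    The UA string is reported, not trusted; the decision rests on rate alone."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] in DESTRUCTIVE_OPS:
            by_actor[(e["user"], e["ua"])].append(_epoch(e["ts"]))
    alerts = []
    for (user, ua), times in by_actor.items():
        times.sort()
        start, peak, mean_gap = 0, 0, None
        for end in range(len(times)):                      # classic sliding window
            while times[end] - times[start] > WINDOW_S:
                start += 1
            count = end - start + 1
            if count > peak:
                peak = count
                mean_gap = (times[end] - times[start]) / (count - 1) if count > 1 else None
        if peak >= THRESHOLD and mean_gap < HUMAN_MIN_GAP_S:
            alerts.append({"user": user, "ua": ua, "ops": peak, "mean_gap_s": round(mean_gap, 3)})
    return alerts

if __name__ == "__main__":
    for a in detect_agent_mass_delete(SAMPLE_LOG):
        print("ALERT agent-speed destructive burst:", a)
```

On the constructed log the browser deletes stay silent and the read-only agent never enters the destructive set; only the agent acting under alice's token fires.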
One week, three structural changes. Model the Claude bill, patch the four edge holes, scope the OAuth grants. Do those before Friday. Everything else on the roadmap waits a week without consequence. These three do not.
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- NGINX, Traefik, and Argo CD all shipped fixes this week for bugs on the same request path: an 18-year-old unauthenticated RCE in NGINX's rewrite module, a CVSS 10.0 auth bypass in Traefik, and plaintext secret extraction in Argo CD.
  Your ingress layer has at least two independently critical unpatched vulnerabilities right now (NGINX 18-year RCE and Traefik CVSS 10 auth bypass), your Anthropic bill is about to…
- Four perimeter criticals dropped today.
  Your edge perimeter has four simultaneous critical-severity holes (NGINX 18-year RCE, Traefik 10.0, MOVEit 9.8, PraisonAI already exploited), AISI just confirmed frontier AI can au…
- Anthropic converted Claude subscriptions to dollar-matched API credits across Agent SDK, GitHub Actions, and third-party harnesses, which retires the implicit 70–90% programmatic discount that a lot of teams quietly built their unit economics on.
  Anthropic metered your Claude subscriptions overnight, admitted an 8x capacity planning miss, and set a June 15 deadline for third-party tool pricing — all while 59% of production…
- A team lead checked her Cursor bill this morning and saw the number she had been quietly building her hiring plan around.
  Your AI vendor costs reset June 15 whether you're ready or not — Anthropic is eliminating 70–90% third-party discounts while OpenAI runs a 30-day displacement campaign with free Co…
- Your EDR's defensive moat evaporated this week.
  The AI security operating model, the AI vendor hierarchy, and the AI execution layer ownership question all broke open in the same week. EDR architectures are now transparent to AI…
- ServiceNow ran through its entire annual Anthropic budget by May, which is what happens when you buy enterprise software with no granular telemetry and no SLAs and discover, several quarters in, that you bought something else.
  Anthropic's $30B ARR is real but its enterprise infrastructure is consumer-grade — no SLAs, no telemetry, and ServiceNow blew its annual budget by May without either side noticing.…