Anthropic killed the third-party Claude subsidy and your June 15 is already late

The same week production data confirmed agents are now the majority workload, every margin assumption underneath your AI stack got rewritten — and the perimeter you'd patch around it has three independent criticals.

On Monday, Anthropic converted every Claude subscription into a dollar-matched API credit pool. Effective June 15, third-party harnesses — Cursor, Cline, OpenCode, Zed, your homegrown wrapper — get a separate, smaller credit pool that drops to full API rates the moment it burns down. The implicit 70-90% discount that funded a generation of coding agents is gone. OpenAI countered within hours with two months of free Codex for enterprise switchers inside a 30-day window.

That's the headline event. The harder story is what landed alongside it.

Vercel published seven months of AI Gateway telemetry across 200,000 teams: 59% of token volume is now agentic multi-turn traffic. Anthropic captures 61% of dollars, mostly via Opus on planning nodes. Google captures 38% of volume, mostly via Flash on utility calls. Ramp's spend data shows Anthropic at 34.4% of business adoption versus OpenAI's 32.3% — the first documented lead change. ServiceNow, one of the more sophisticated enterprise software buyers anyone has ever underwritten, blew its full-year Anthropic budget by May. Its CDIO built an AI Control Tower internally because Anthropic ships no per-user telemetry and no SLA worth the paper it's written on.

This is what an IPO-ready pricing reset looks like when the vendor knows it's the market leader. October target. New CFO. Margin recovery dressed as developer generosity.

The cost model you signed off on describes a world that ended Monday

A wrapper paying ~$200/month for inference that would cost $700-$2,000 at API rates just watched gross margin on that workload move from above 70% to potentially negative. Heavy users — the cohort that actually drives retention — are looking at roughly 10x cost increases on the same prompts, same images, same outputs. The code didn't change. The bill did.

If you run anything Claude-dependent through a third-party harness, three things need to happen this week.

First, model the impact under dollar-equivalent API rates. Not a sprint task — a Monday task. Finance signed off on numbers that no longer hold, and the next monthly close is the one where someone notices.

Second, deploy a gateway with per-feature, per-user, per-customer cost attribution. LiteLLM, Portkey, your own — the vendor doesn't matter, the tagging does. ServiceNow's failure mode wasn't excessive usage. It was discovering the budget was gone without knowing who drove it. That's the default outcome without instrumentation, and it scales down to teams a hundredth their size.

Third, run Codex against your top ten production prompts during the free window. Even if you don't switch, you need the comparison data on the table when you renegotiate with Anthropic. The 30-day window closes around July 13, and the leverage you have on June 14 is not the leverage you have on June 16.

And the perimeter you'd patch around it is on fire

NGINX shipped a fix this week for an unauthenticated RCE in the rewrite module that has been latent for eighteen years. The rewrite module is not optional — it's how 90%+ of production deployments handle URL manipulation, and it executes before your application's auth middleware sees the request. Traefik disclosed two CVSS 10.0 auth bypasses the same week, which means every internal service behind a Traefik ingress is effectively internet-facing until patched. Argo CD 3.2/3.3 leaks plaintext Kubernetes secrets at CVSS 9.6 — and Argo CD typically runs with cluster-admin RBAC, so patching is necessary but not sufficient. Rotate every secret it could reach.

PraisonAI was weaponized within four hours of disclosure. That's the new exploitation tempo. Your 30-day patch SLA was calibrated for human-speed attackers, and that assumption no longer holds. Compress critical CVE response to 24 hours for internet-facing assets and 7 days everywhere else. Bring the AISI finding — Anthropic's Mythos cleared both UK autonomous attack ranges, the first model to do so — to your next risk review as the justification.

The Iceberg CVE (CVSS 9.9) is the one that should keep a data lead awake. An attacker with table-write permission can redirect metadata pointers at a poisoned S3 prefix. Next query reads bad Parquet. Next training run ingests silently corrupted features. The bottleneck isn't patching — it's detection, because most lakehouse observability is wired for row-level changes, not pointer mutations.
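A pointer-level check for the kind of change described above, as an added example that is not taken from any vendor advisory or from Iceberg's own code. It assumes you poll the catalog for each table's current metadata pointer and can load the referenced metadata JSON; the table names, paths and the `audit` helper are constructed for illustration, and only the `location`, `snapshots`, `snapshot-id` and `manifest-list` fields of the metadata file are used.

```python
import posixpath
from urllib.parse import urlsplit

def under_prefix(path, prefix):
    """True only for the same scheme and bucket, at or below prefix once '..' is normalised."""
    p, base = urlsplit(path), urlsplit(prefix)
    if (p.scheme, p.netloc) != (base.scheme, base.netloc):
        return False
    root, norm = posixpath.normpath(base.path), posixpath.normpath(p.path)
    # Compare on a path boundary so a sibling such as "events-staging" does not match "events".
    return norm == root or norm.startswith(root + "/")

def referenced_paths(pointer, metadata):
    """Every location a reader follows from the catalog pointer down to the manifest lists."""
    yield "catalog pointer", pointer
    yield "metadata location", metadata["location"]
    for snap in metadata.get("snapshots", []):
        yield f"snapshot {snap['snapshot-id']} manifest-list", snap["manifest-list"]

def audit(prev, curr, metadata_by_pointer, prefixes):
    """Findings for tables whose catalog pointer changed between two polls."""
    findings = []
    for table, pointer in sorted(curr.items()):
        if prev.get(table) == pointer:
            continue  # pointer unchanged since the last poll
        meta = metadata_by_pointer.get(pointer)
        if meta is None:
            findings.append((table, "metadata unreadable", pointer))
            continue
        for what, path in referenced_paths(pointer, meta):
            if not under_prefix(path, prefixes[table]):
                findings.append((table, what, path))
    return findings

# Constructed sample: the new pointer looks normal, but one snapshot it lists lives elsewhere.
PREFIXES = {"db.events": "s3://lake/warehouse/db/events"}
PREV = {"db.events": "s3://lake/warehouse/db/events/metadata/v4.metadata.json"}
CURR = {"db.events": "s3://lake/warehouse/db/events/metadata/v5.metadata.json"}
METADATA = {CURR["db.events"]: {
    "location": "s3://lake/warehouse/db/events",
    "snapshots": [
        {"snapshot-id": 1, "manifest-list": "s3://lake/warehouse/db/events/metadata/snap-1.avro"},
        {"snapshot-id": 2, "manifest-list": "s3://lake/warehouse/db/events-staging/metadata/snap-2.avro"},
    ]}}

if __name__ == "__main__":
    for finding in audit(PREV, CURR, METADATA, PREFIXES):
        print(finding)
```

The check stops at the manifest-list level; data-file paths inside the Avro manifests need the same prefix test before the audit covers the full read path.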

The through-line

The model layer is reclaiming surplus, the majority workload flipped without a migration plan, and the perimeter has three independent criticals at the same time. These aren't separate stories. They're the same story: the assumptions your stack was built on between 2023 and early 2026 are getting rewritten faster than most teams can refresh their architecture diagrams.

The single thing to ship this week, if you only ship one: a gateway in front of every model call with per-feature cost attribution, daily budget alerts, and the ability to swap providers at the routing layer. It solves the June 15 visibility problem. It gives you the data to negotiate. It's the prerequisite for multi-model routing once you accept that 59% of your traffic doesn't belong to a single vendor anyway. And it's the layer where you'll catch agent-initiated cost anomalies before they become the email ServiceNow's CDIO had to send.

Everything else — the harness rewrite, the trajectory-level evals, the Iceberg audit, the patch SLA compression — is downstream of having the instrument.
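The attribution and daily budget alerting that the gateway needs to provide, as an added example rather than code from LiteLLM, Portkey or any other product. It assumes the gateway tags each call with `customer`, `user` and `feature` at request time; the provider and model names, the rates and the call log are constructed placeholders, not real pricing.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed placeholder rates (USD per million input, output tokens); not a real price list.
PRICES = {
    ("provider-a", "planner-large"): (Decimal("15"), Decimal("75")),
    ("provider-b", "utility-small"): (Decimal("0.30"), Decimal("2.50")),
}

# Constructed gateway log: one record per model call.
CALLS = [
    {"day": "2026-06-15", "customer": "acme", "user": "u1", "feature": "code-agent",
     "provider": "provider-a", "model": "planner-large", "in": 400_000, "out": 60_000},
    {"day": "2026-06-15", "customer": "acme", "user": "u2", "feature": "code-agent",
     "provider": "provider-a", "model": "planner-large", "in": 1_000_000, "out": 200_000},
    {"day": "2026-06-15", "customer": "acme", "user": "u1", "feature": "search-summarize",
     "provider": "provider-b", "model": "utility-small", "in": 2_000_000, "out": 100_000},
    {"day": "2026-06-15", "customer": "globex", "user": "u9",  # feature tag missing
     "provider": "provider-b", "model": "utility-small", "in": 1_000_000, "out": 0},
]

def call_cost(call, prices=PRICES):
    """Dollar cost of one call at metered API rates."""
    rate_in, rate_out = prices[(call["provider"], call["model"])]
    return (call["in"] * rate_in + call["out"] * rate_out) / Decimal(1_000_000)

def attribute(calls, dims, prices=PRICES):
    """Total spend grouped by any tag combination; missing tags land in 'untagged'."""
    totals = defaultdict(Decimal)
    for call in calls:
        totals[tuple(call.get(d, "untagged") for d in dims)] += call_cost(call, prices)
    return dict(totals)

def budget_alerts(calls, daily_budgets, prices=PRICES):
    """(day, feature, spend, budget) rows over budget; features with no budget alert on any spend."""
    alerts = []
    for (day, feature), usd in sorted(attribute(calls, ("day", "feature"), prices).items()):
        budget = daily_budgets.get(feature, Decimal(0))
        if usd > budget:
            alerts.append((day, feature, usd, budget))
    return alerts

if __name__ == "__main__":
    print(attribute(CALLS, ("customer", "user")))
    print(budget_alerts(CALLS, {"code-agent": Decimal(40), "search-summarize": Decimal(5)}))
```

Untagged spend alerts against a zero budget by design, so calls that bypass tagging surface on the first day rather than at the monthly close.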

◆ Behind the synthesis

Six specialist takes that fed this piece.

The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.

  1. NGINX's rewrite module has an 18-year-old pre-auth RCE that just went public.

    Your ingress layer has two independent critical vulnerabilities this week (NGINX 18-year RCE, Traefik CVSS 10 auth bypass), your Claude bill is about to jump 3-10x under the new do…

  2. NGINX shipped a patch for an unauthenticated RCE in its rewrite module that has been latent for eighteen years.

    Your edge layer has three simultaneous auth bypasses (NGINX 18-year RCE, Traefik 10.0, MOVEit 9.8) that EDR cannot see, AI offensive tools just demonstrated autonomous full network…

  3. Anthropic killed the flat-rate Claude subsidy and metered all programmatic usage the same week Vercel confirmed 59% of production tokens are agentic multi-turn traces.

    Anthropic killed the flat-rate Claude subsidy and metered all programmatic usage the same week production data confirmed 59% of inference tokens are agentic multi-turn traces runni…

  4. Anthropic's June 15 pricing restructure eliminates the 70-90% implicit discount teams using Claude through third-party tools (Cursor, Cline, OpenCode) have been building on.

    Your AI infrastructure costs break June 15 when Anthropic eliminates the 70-90% discount teams built unit economics on through third-party harnesses, while simultaneously three of…

  5. The defensive case for endpoint detection has rested on the assumption that obscurity buys time.

    The defensive stack your security budget was built on is now transparent to AI-assisted attackers — EDR products are architecturally readable in days, exploit weaponization takes h…

  6. Anthropic converted every Claude subscription into dollar-matched API credits on Monday, which is a polite way of ending the seventy to ninety percent margin arbitrage that dozens of coding-agent wrappers were quietly running.

    Anthropic killed the subscription-token arbitrage that funded a generation of coding-agent wrappers, OpenAI countered with free Codex, and Ramp confirmed the enterprise share flip…
