The day three regimes broke at once — and what to do about it

Three things happened on the same Friday, and they're going to keep happening together for a while.

The Supreme Court ruled 6-3 that Trump's IEEPA tariffs are unconstitutional — tariffs are taxes, and only Congress can tax. Roberts wrote it. Gorsuch and Barrett joined the three liberals. The reciprocal tariffs (10% baseline up to 34% on China) and the 25% tariffs on Canadian, Chinese, and Mexican goods are void. There's a $175–200B refund pool sitting on the table, and Trump has already telegraphed two years of litigation to slow-walk it. McConnell, Murkowski, Collins, Sullivan, Cassidy, and Tillis make legislative reimposition a non-starter. Executive trade authority just got structurally amputated.

That ruling landed on top of Q4 GDP at 1.4% against a 3% consensus, core PCE at 3.0%, and the savings rate at 3.6% — its lowest since 2022. Your input costs are about to fall. Your customers are running out of money. The Fed isn't cutting before June.

Meanwhile, Google shipped Gemini 3.1 Pro at 77.1% on ARC-AGI-2 — more than double its predecessor, against Opus 4.6's 68.8% and GPT-5.2's 52.9%, at unchanged pricing, deployed across six surfaces simultaneously. And one practitioner who actually instrumented his API calls found Gemini Pro burned 350,000 tokens fixing an Express.js bug that Opus solved with 23,000. Both got it right. The benchmark winner was 15x more expensive per correct answer.

And a prompt-injected GitHub issue title drove Cline's Claude-based triage bot into arbitrary command execution, poisoned the GitHub Actions cache, and walked out with publishing tokens for npm, VS Code Marketplace, and OpenVSX. The blast radius is millions of developers on auto-update.

These aren't three stories. They're one: the contracts you wrote in 2023 — about who sets trade policy, what software is worth, and where your trust boundary lives — are all being repriced at once.

SaaS isn't dipping. It's being sorted.

$1T in software market cap evaporated in three weeks. $285B of it dropped in the days after Anthropic's last release, when non-engineers realized they could replace paid subscriptions with a weekend of Cursor and Claude. Salesforce is now running three pricing models for Agentforce in parallel because nobody — including the market leader — knows what replaces per-seat revenue when the seats are agents.

The sorting framework that's holding up across every analysis I read this week is brutally simple. Software that's in the path of doing work — Stripe moving money, CrowdStrike blocking threats, Shopify executing fulfillment — survives and gets stronger. Software that generates paperwork about work — DocuSign, Monday.com, Zendesk — gets eaten because the agent does the work and skips the paperwork entirely. The scary middle (Atlassian, Salesforce, HubSpot) is on a 12–24 month clock with a cliff at the end.

The test isn't "do you have AI features." The test is: if I removed the technical difficulty of building this, does the product still exist? Canva passed by reframing itself as an AI platform with design tools. Deel passed by burying 100+ local compliance entities into a moat code can't replicate. Most seat-priced collaboration SaaS won't.

The model layer is a battery, not a brand.

Gemini's 24-point reasoning lead at lower price is real. Opus's 15x token efficiency advantage on actual coding work is also real. Both can be true because benchmark leadership and cost-per-correct-answer are now decoupled metrics, and almost nobody is measuring the second one.

If you're still hardcoded to a single foundation model provider, you're paying a tax on a moat that's expired. Leadership is rotating quarterly. OpenAI is closing $100B+ at $850B in valuation while losing on distribution to Google and on efficiency to Anthropic — the market is simultaneously pricing in their decline and funding their survival, which tells you exactly nothing about what to bet on. Build the model abstraction. Route per task. Measure cost-per-correct-answer on your workload, not theirs.

Your CI/CD now has a natural-language RCE.

The Cline attack isn't an incident. It's a category. Any LLM agent that ingests untrusted text (issue titles, PR descriptions, comments) and has tool-use or execution privileges is a remote code execution endpoint with a chatbot interface. Anthropic's own data shows users grant agents more autonomy over time, not less — auto-approval rates climb, oversight doesn't. That's automation complacency, the textbook precondition for supply-chain compromise.

Cursor published the only credible reference architecture this week: agents run free inside a constrained sandbox, human approval only at boundary crossings — primarily network egress. It's not perfect (filesystem and credential access are still soft), but it's the floor. Below the floor, you're shipping vibes.

Layered onto this: LLM coding agents are exfiltrating up to 350K tokens of proprietary code per task to external APIs that your DLP doesn't inspect. Two Google insider IP-theft cases hit in weeks, including Tensor designs allegedly routed to Iran. Federal trade-secret cases are up 20% YoY with AI named as the accelerant. The exfiltration channel your 2024 controls were designed for — files, attachments, USB — isn't where the data is moving anymore.

What to do this week

Pick three. Not five.

One, get your CFO and your trade counsel in a room and quantify your IEEPA tariff exposure across the last two years. The companies that file refund claims first, renegotiate supplier contracts first, and reprice end products first will capture margin the slow ones leave on the table. The window is months, not quarters, before the rest of the market re-rates.

Two, run a token-economics audit on every LLM call in production. Not cost-per-token — cost-per-correct-answer. If you don't have eval harnesses on your top three workloads by end of sprint, you can't know whether Gemini 3.1 Pro is a 24-point upgrade or a 15x bill, and the answer is different for every workload.

Three, inventory every AI agent in your organization with write access to a CI/CD pipeline, a credential, or a publishing token. Restrict to read-only by Friday. Implement Cursor-style boundary gating by end of sprint. If a prompt-injected issue title can reach your npm tokens, you don't have an AI strategy — you have a breach waiting on a calendar.