Synthesis


Your edge auth is fiction tonight, and your AI bill broke this morning

An 18-year-old NGINX RCE and a CVSS 10.0 Traefik bypass landed the same week Anthropic killed the 70-90% subsidy that made third-party Claude harnesses viable. Patch the proxy, audit the spend, and stop pretending either crisis is somebody else's.

Two things happened this week that don't belong in the same sentence, except they do, because they're both about the same failure: you trusted the layer in front of your work to do its job, and it didn't.

First the proxy. NGINX disclosed a pre-authentication RCE in its rewrite module that has been sitting in the source tree for eighteen years. The rewrite module — the thing approximately every production NGINX deployment uses — fires before any application auth middleware sees the request. Same week, Traefik shipped a CVSS 10.0 authentication bypass (CVE-2026-35051, CVE-2026-39858) that makes ForwardAuth, BasicAuth, and every middleware config ornamental until patched. PraisonAI was weaponized four hours after disclosure yesterday. CISA added LiteLLM, Ollama, and three other AI tools to the KEV catalog inside ten days.

The practical version: any service whose security model assumes "NGINX/Traefik handles auth at the edge" is, for practical purposes, unauthenticated and internet-facing right now, whether or not you meant for it to be. Application-layer auth is the only real control until those binaries are updated, and it stays the right control afterwards: the edge should be one layer, not the only one. Patch order is boring: NGINX first because the install base is largest, Traefik second, Argo CD (CVSS 9.6 plaintext-secret extraction) third, then rotate every Kubernetes Secret the controller could reach, because the patch closes the hole but not the window during which it was open. If MOVEit Automation is in your environment, treat CVE-2026-4670 as a Cl0p invitation that hasn't been opened yet.
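What "application-layer auth is the only real control" looks like in code, as an added example that is not from this page, from NGINX, or from Traefik: the first authorizer is the fragile pattern that believes an identity header the edge proxy was supposed to populate; the second ignores that header and verifies an HMAC-signed bearer token itself, so a bypassed edge middleware gives an attacker nothing. The token format, the header names and the demo secret are assumptions for the example.

```python
"""Added example, not code from NGINX, Traefik, or any project named above.
Shows the difference between trusting an identity header the edge proxy
was supposed to set and verifying a signed token inside the application.
Token format, header names, and the demo secret are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(secret: bytes, subject: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue <body>.<sig>: body is base64url JSON claims, sig is HMAC-SHA256 over the body."""
    now = int(time.time()) if now is None else now
    body = _b64e(json.dumps({"sub": subject, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if signature and expiry check out, else None.
    The signature is checked before the body is parsed, so unsigned input never reaches json."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
    except ValueError:  # wrong part count, bad base64, bad UTF-8, bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims["sub"]


def authorize_trusting_proxy(headers: dict) -> Optional[str]:
    """The fragile pattern: whoever the proxy says you are, you are.
    When the edge auth middleware is bypassed, this header is attacker-controlled."""
    return headers.get("X-Forwarded-User")


def authorize_in_app(headers: dict, secret: bytes, now: Optional[int] = None) -> Optional[str]:
    """Defense in depth: ignore proxy-injected identity, require a token we can verify."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(secret, auth[len("Bearer "):], now)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # assumption: real deployments load this from a secret store
    forged = {"X-Forwarded-User": "admin"}  # what a bypassed edge lets an attacker send directly
    print("proxy-trusting:", authorize_trusting_proxy(forged))  # admin
    print("in-app:", authorize_in_app(forged, secret))  # None
    signed = {"Authorization": "Bearer " + make_token(secret, "alice")}
    print("in-app, signed:", authorize_in_app(signed, secret))  # alice
```

The point is not the token scheme (any verifiable credential the app checks itself will do) but where the check runs: nothing in `authorize_in_app` depends on the proxy having done its job, which is the only property that survives a pre-auth bug in the proxy.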

The deeper signal in the security stack is worse than any single CVE. TrustedSec used LLMs to reverse-engineer five commercial EDR products in days. All five share the same bones — YARA rules, Lua engines decryptable in one pass, allowlists. UK AISI confirmed Anthropic's Mythos cleared both of their hardest attack ranges autonomously, end to end, full network takeover. Google TAG caught the first real threat actor using AI to build a working cybercrime tool. Microsoft's MDASH found sixteen exploitable Windows flaws in a single Patch Tuesday cycle.

The time constants are wrong. A 30-day patch SLA was defensible against human-paced adversaries reading advisories and writing exploits over weekends. It is indefensible against a harness that takes a CVE and produces a working PoC inside an afternoon. Seven days is the new floor for internet-facing assets, and even that is generous.

The bill broke too

While that was happening at the network edge, the economic edge of your AI stack quietly repriced.

Anthropic converted every Claude subscription to dollar-matched API credits. Starting June 15, programmatic usage through Cursor, Cline, OpenCode, Zed, Conductor, Aider, the Agent SDK, GitHub Actions — anything that wasn't a first-party Claude client — draws against a credit pool equal to your plan's dollar value. The 70-90% implicit discount that made third-party harnesses economically viable is gone. Effective per-developer cost on those tools jumps somewhere between three and ten times, with no code change required to feel it.

OpenAI answered within hours: two months of free Codex for any enterprise that switches inside thirty days. The Ramp data explains the timing. Anthropic crossed OpenAI in business spend share, 34.4% to 32.3%, and OpenAI is buying back the lead at the precise moment Claude developers are annoyed with the other vendor. Anthropic, for its part, hired a CFO and is targeting an October IPO. The credit-matching change is margin recovery wearing a policy-update costume, and there will be at least one more pricing adjustment before the S-1.

The canary on the enterprise side has already sung. ServiceNow — which is roughly the most sophisticated enterprise software buyer alive — exhausted its full-year Anthropic budget by May, and could not tell you which users or workloads burned it, because Anthropic ships no per-user, per-tool usage telemetry and no SLAs. National Life Group's CIO said it on the record: great for consumer, not great for companies. ServiceNow is now selling AI Control Tower to other enterprises trying to solve the same problem ServiceNow couldn't solve for itself.

This is the part that matters more than the pricing change. Your AI cost problem is an observability problem the vendor offloaded onto you. Without per-user, per-feature attribution, you cannot govern spend, you cannot detect a compromised API key burning tokens at 3 AM, and you cannot make the routing decisions that would cut your bill in half — Vercel's production data shows agentic workloads are 59% of token volume, with Anthropic capturing 61% of spend on reasoning while Google captures 38% of volume on utility. Tier your routing or pay the premium tier for everything.
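The attribution the paragraph says the vendor does not ship, as an added example that is neither LiteLLM's nor Portkey's code: once the gateway tags every call with tenant, feature, routing tier and key ID, the per-feature spend breakdown, the daily budget alert, the 3 AM burn check and the cost of paying the premium tier for everything all fall out of the same records. The record format, the per-million-token prices, the budgets and the thresholds below are constructed assumptions for the example, not vendor figures.

```python
"""Added example (not LiteLLM or Portkey code): attribute LLM spend per tenant and
feature, raise daily budget alerts, flag keys that burn tokens off-hours, and price
the cost of not tiering your routing. Record format, prices, budgets and thresholds
are assumptions constructed for this example."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed USD per million tokens (input, output) per routing tier. Illustrative only.
PRICE_PER_MTOK = {"reasoning": (15.0, 75.0), "utility": (0.10, 0.40)}

# Constructed usage records, shaped like what a tagging gateway would emit per call.
USAGE_LOG = [
    {"ts": "2026-06-16T09:00:00Z", "tenant": "acme", "feature": "code-review",
     "tier": "reasoning", "key_id": "k-acme-1", "in": 20_000, "out": 4_000},
    {"ts": "2026-06-16T10:30:00Z", "tenant": "acme", "feature": "code-review",
     "tier": "reasoning", "key_id": "k-acme-1", "in": 40_000, "out": 8_000},
    {"ts": "2026-06-16T11:00:00Z", "tenant": "acme", "feature": "search-summary",
     "tier": "utility", "key_id": "k-acme-2", "in": 2_000_000, "out": 200_000},
    {"ts": "2026-06-16T03:12:00Z", "tenant": "globex", "feature": "chatbot",
     "tier": "reasoning", "key_id": "k-globex-1", "in": 600_000, "out": 120_000},
    {"ts": "2026-06-16T03:40:00Z", "tenant": "globex", "feature": "chatbot",
     "tier": "reasoning", "key_id": "k-globex-1", "in": 600_000, "out": 120_000},
    {"ts": "2026-06-16T14:00:00Z", "tenant": "globex", "feature": "chatbot",
     "tier": "reasoning", "key_id": "k-globex-1", "in": 30_000, "out": 6_000},
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def record_cost(rec: dict) -> float:
    """USD for one call under the assumed price table."""
    price_in, price_out = PRICE_PER_MTOK[rec["tier"]]
    return rec["in"] / 1e6 * price_in + rec["out"] / 1e6 * price_out


def attribute(records: list) -> dict:
    """Spend keyed by (tenant, feature): the breakdown you need and the vendor does not send."""
    totals = defaultdict(float)
    for rec in records:
        totals[(rec["tenant"], rec["feature"])] += record_cost(rec)
    return dict(totals)


def daily_budget_alerts(records: list, budgets: dict, day: str) -> list:
    """Tenants whose spend on `day` (YYYY-MM-DD, UTC) exceeds their assumed daily budget."""
    spend = defaultdict(float)
    for rec in records:
        if parse_ts(rec["ts"]).date().isoformat() == day:
            spend[rec["tenant"]] += record_cost(rec)
    return sorted(t for t, s in spend.items() if s > budgets.get(t, float("inf")))


def off_hours_burn(records: list, quiet=(0, 6), min_tokens=100_000, share=0.5) -> list:
    """Key IDs whose token volume inside the quiet window (UTC hours) dominates their day.
    A key doing most of its work at 3 AM is either a known batch job or a leaked credential."""
    quiet_tok, total_tok = defaultdict(int), defaultdict(int)
    for rec in records:
        tokens = rec["in"] + rec["out"]
        total_tok[rec["key_id"]] += tokens
        if quiet[0] <= parse_ts(rec["ts"]).hour < quiet[1]:
            quiet_tok[rec["key_id"]] += tokens
    return sorted(k for k, t in total_tok.items()
                  if t >= min_tokens and quiet_tok[k] / t >= share)


def routing_penalty(records: list, cheap="utility", premium="reasoning") -> tuple:
    """(actual, repriced): what the cheap-tier calls cost versus what the same calls
    would cost if everything were routed to the premium tier."""
    actual = repriced = 0.0
    for rec in records:
        if rec["tier"] == cheap:
            actual += record_cost(rec)
            repriced += record_cost({**rec, "tier": premium})
    return actual, repriced


if __name__ == "__main__":
    for (tenant, feature), usd in sorted(attribute(USAGE_LOG).items()):
        print(f"{tenant:8s} {feature:16s} ${usd:8.2f}")
    print("over budget:", daily_budget_alerts(USAGE_LOG, {"acme": 5.0, "globex": 20.0}, "2026-06-16"))
    print("off-hours keys:", off_hours_burn(USAGE_LOG))
    print("utility-tier actual vs repriced at premium:", routing_penalty(USAGE_LOG))
```

Run against the constructed log, the globex key is flagged twice over: its tenant blows the daily budget and almost all of its tokens were spent between midnight and six, which is the shape a stolen key produces. The routing numbers show the other half of the argument: the same utility calls cost roughly 160 times more if they ride the premium tier. Neither signal exists without the tags, which is why the instrumentation is the deliverable.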

What to do this week

Three concrete moves, in order, before next Friday.

Patch NGINX, Traefik, and Argo CD tonight, not Saturday. Rotate every Kubernetes Secret reachable from Argo CD during the vulnerable window — patching alone doesn't close it. If you run LiteLLM 1.81.16 through 1.83.7, upgrade and rotate every upstream provider API key stored in its database. The KEV listing is not theoretical.

Deploy a per-tenant, per-feature LLM gateway with token tagging and daily budget alerts before June 15. LiteLLM (patched) or Portkey will do. ServiceNow could not catch this passively at $9B revenue. You will not catch it on a finance dashboard either. The instrumentation is the deliverable; the cost optimization is what comes after.

Start the Codex evaluation under OpenAI's free promo this week, on your own harness, against your own load-bearing workflows. Even if you don't switch, the comparison data is leverage in the next Anthropic conversation, and that conversation is happening whether you bring data to it or not. The thirty-day switch window is a hard clock; it does not slip for the people who forget to start it.

The teams that file this week's tickets keep the budget. The teams that forward the pricing page to Slack explain the overrun in August.

◆ Behind the synthesis

Six specialist takes that fed this piece.

The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.

  1. An 18-year-old unauthenticated RCE in NGINX's rewrite module and a CVSS 10.0 authentication bypass in Traefik disclosed simultaneously — both execute before your application's auth middleware sees the request.

     Your ingress layer has two unpatched pre-auth RCEs (NGINX 18-year-old bug + Traefik CVSS 10.0) while your Anthropic bill just jumped 3-10x overnight from a silent pricing reset — a…

  2. Two ingress bugs landed together: an 18-year-old pre-auth RCE in NGINX's rewrite module, and a CVSS 10.0 auth bypass in Traefik.

     Your edge infrastructure's authentication layer is fictional tonight — an 18-year NGINX RCE and a CVSS 10.0 Traefik bypass landed simultaneously, while AISI validated that frontier…

  3. On June 15 Anthropic ends the programmatic discount: every Claude subscription converts to dollar-matched API credits, removing the 70-90% effective subsidy that quietly funded most Agent SDK, GitHub Action, and batch eval workloads.

     Anthropic's June 15 credit change kills your programmatic discount while 59% of production tokens are now agentic multi-turn workloads your eval harness wasn't designed to measure…

  4. Anthropic closes the 70-90% implicit discount on third-party Claude usage June 15 — every developer using Claude through Cursor, Cline, or OpenCode is about to see their per-developer cost jump roughly an order of magnitude.

     Your AI vendor costs break June 15 (Anthropic closes the third-party discount), your AI feature budget is structurally ungovernable without per-customer telemetry (ServiceNow burne…

  5. Your security stack's three core assumptions failed simultaneously this week: TrustedSec proved AI reverses all five major EDR products in days (not weeks), Anthropic's Mythos became the first model to complete both AISI full-network-takeover ranges, and PraisonAI was weaponized within 4 hours of disclosure.

     The security operating model, the enterprise software stack, and the org chart are all being rewritten this quarter by the same force: AI compressed the cost of understanding, coor…

  6. Anthropic took 34.4% of enterprise share on Ramp against OpenAI's 32.3%, which is either a meaningful lead or a rounding error dressed up for a press cycle.

     Anthropic won the enterprise share war at 34.4% versus OpenAI's 32.3%, but ServiceNow blowing its full-year Claude budget by May exposed the uncomfortable truth: enterprise AI reve…