The primary actor

Agents

An agent is a language model that doesn't just answer β€” it acts. Given a goal, it decides its own steps, uses tools, watches the results, and keeps going until it's done. This is the deep tour: what makes something an agent, the parts it's built from, the loop that drives it, and every dial you can turn in Claude Code β€” inside VS Code.

Augmented LLM Tool use Autonomy Permissions
First principles

What makes something an "agent"?

A plain chatbot maps one prompt to one reply. An agent adds three things that turn a text model into something that can get real work done:

  • πŸ› οΈTools β€” it can take actions in the world: read and edit files, run commands, search the web.
  • 🧠Memory & retrieval β€” it can pull in context: your project files, standing instructions, past conversation.
  • πŸ”A loop with judgement β€” it decides what to do next based on what just happened, and repeats until the goal is met.

Anthropic calls this foundation the "augmented LLM" β€” a model wrapped with tools, retrieval, and memory. The defining trait of an agent (versus a fixed workflow) is that the model chooses its own path: how many steps to take, which tools to call, and when to stop.

🧠 LLM πŸ› οΈ Tools 🧠 Memory πŸ“₯ Retrieval πŸ” Loop model + tools + memory + retrieval + a loop = an agent

Where it sits

The autonomy spectrum

"Agent" isn't binary β€” it's the far end of a spectrum of how much the system decides for itself. Anthropic draws a sharp line between a workflow (you script the steps) and an agent (the model scripts them).

less autonomy more autonomy πŸ’¬ Chatbot one prompt β†’ one reply no tools, no loop 🧩 Workflow you script the steps in code predictable path πŸ€– Agent the model picks its own steps ← Claude Code lives here
πŸ“

Claude Code is an interactive agent

It's fully agentic β€” it decides its own path β€” but it keeps a human in the loop: it can pause for permission, and you can interrupt or steer it at any moment. That's the sweet spot between raw autonomy and control.


Under the hood

Anatomy of the Claude Code agent

Claude Code is an agentic harness β€” the machinery wrapped around the model. Five parts work together:

🧠

The brain β€” the model

A Claude model (Opus, Sonnet, Haiku, Fable) does the reasoning: understanding the task, writing solutions, judging results.

πŸ› οΈ

The hands β€” tools

Read, Write, Edit, Grep, Bash, WebFetch, and more β€” the concrete actions the agent can take.

πŸ“š

The memory β€” context

The context window, plus CLAUDE.md project instructions and cross-session auto-memory.

πŸ”

The engine β€” the loop

The cycle that ties it together: gather context, act, verify, decide, repeat.

πŸ›‘οΈ

The guardrails β€” permissions & safety

Permission modes, allow/deny rules, sandboxing, checkpoints, and human approval keep autonomy bounded and reversible.


The engine

The agent loop & the tool-use protocol

Mechanically, the loop is a conversation between the model and its environment. The model emits a tool-use request; the harness runs it and returns a tool-result; the model reads that and decides the next move. That back-and-forth repeats.

🧠 Model reasons & decides 🌍 Environment files Β· shell Β· web tool_use β†’ "Edit auth.ts line 8" tool_result β†’ "done / error / output" repeat until the goal is reached πŸ’‘ the model can request several tools at once β€” they run in parallel

Zoomed out, each trip around that protocol is one of five phases. This is the same loop covered on the In Claude Code page β€” here's the short version:

🧭 Gather context

Read files, search, load memory & git state.

🧠 Reason

Plan the next concrete step.

πŸ› οΈ Act

Call one or more tools.

πŸ‘€ Observe

Read the results.

πŸ”€ Decide

Loop, delegate, or stop.

πŸ” Repeat

Until the goal is met.


The hands

The toolbox

Tools are what give the agent agency. Claude Code ships with a broad built-in set, grouped by what they do β€” plus any tools you connect through MCP servers.

πŸ“„ Files

Read, Write, Edit β€” read, create, and precisely modify files (Read handles images, PDFs, notebooks).

πŸ”Ž Search

Glob (find files by pattern) and Grep (regex content search, ripgrep-based).

⌨️ Execution

Bash / PowerShell to run commands, tests, and git β€” with read-only commands auto-approved.

🌐 Web

WebSearch for results and WebFetch to pull a page in and read it.

βœ… Task & planning

Task/todo tools to track multi-step work, and plan-mode tools to design before editing.

πŸ§‘β€πŸ”§ Delegation

The Agent/Task tool spawns subagents; Skill runs a skill. (Subagents get their own page next.)

πŸ”Œ MCP

mcp__server__tool β€” anything a connected MCP server exposes: databases, browsers, APIs.

πŸ’¬ Interaction

Ask clarifying questions, send files, and push notifications back to you.

πŸ”

Tools carry their own permission logic

Reading and searching are safe and usually run freely; writing, executing, and web access default to asking. Every tool declares whether it needs approval β€” that's the security boundary in action (see Permissions).


The brain

Models & reasoning

You choose which Claude model powers the agent, trading speed and cost against raw capability. Pick with /model in-session, the --model flag, or a settings file.

ModelFeelReach for it when…
haikuFast & lightSimple, mechanical tasks; quick iteration; cheap subagents.
sonnetBalancedEveryday coding β€” the sensible default for most work.
opusDeep reasoningHard problems, architecture, tricky debugging.
fableMost capableLong autonomous sessions and deep root-cause investigations.
opusplanMixedOpus while planning, Sonnet while executing β€” capability where it counts, cheaper elsewhere.

🧩 Extended thinking

Let the model reason longer before acting on a hard problem. In VS Code, toggle it from the / menu; the reasoning shows as expandable blocks.

⚑ Effort levels

Reasoning effort (low β†’ max) tunes how much thinking the agent spends per step β€” dial it up for the gnarly parts, down for the routine.

🏷️

Aliases vs. pinned IDs

Aliases like opus or sonnet always resolve to the latest version; full IDs like claude-opus-4-8 pin an exact model for reproducibility. Long-context variants (e.g. sonnet[1m]) trade some cost for a much larger window.


The dial

Permissions & autonomy

Permissions decide how much the agent may do without asking. You set a mode for the overall posture and rules for the fine print.

ModeWhat it doesUse when…
defaultAsks before the first use of each tool that changes thingsExploring a new codebase; you want to see every action.
planRead-only β€” investigates and proposes, makes no editsYou want a plan before any changes land.
acceptEditsAuto-approves file edits & routine file commandsThe task is clear and you trust the direction.
autoRuns with background safety checksLarger tasks where you want flow with guardrails.
bypassPermissions ⚠️Skips prompts entirely (still blocks the truly dangerous)Only in isolated VMs/containers β€” full system access.

How a rule is decided

For any single action, rules are checked in a fixed order β€” the first match wins:

1 Β· Denyblocked outright 2 Β· Askprompt the human 3 Β· Allowruns automatically first matching rule decides

Rules are patterns scoped to a tool. A few examples:

# allow β€” run without asking Bash(npm run test:*) Read(src/**) WebFetch(domain:docs.claude.com) # ask β€” always confirm Bash(git push:*) # deny β€” never, even if asked Read(./.env) Bash(rm -rf *)

Manage these interactively with /permissions, or commit them in .claude/settings.json so your whole team shares the same guardrails.


What it remembers

Memory & context

An agent is only as good as what it can see. Claude Code layers three kinds of memory into the context window:

  • πŸ“ŒCLAUDE.md β€” standing project instructions loaded every session: build commands, conventions, architecture. Keep it tight (aim ~200 lines).
  • 🧠Auto-memory β€” notes the agent writes itself across sessions from your corrections, loaded on demand so it doesn't crowd the window.
  • πŸ’¬The live context window β€” the current conversation, files read, and tool outputs. Finite, so it's managed carefully.
πŸ—œοΈ

Auto-compaction

When the window fills, Claude Code trims the oldest tool outputs first, then summarises older conversation β€” preserving your requests and key code so the loop keeps running. Use /context to see what's taking up space. Heavy reading is best pushed into subagents so it never touches the main window.


Where it runs

Five ways to run the agent

The same agent loop drives every one of these β€” they differ only in how you interact with it.

⌨️

Interactive terminal

Run claude for a full human-in-the-loop REPL. You see every step and can interrupt with Esc. Best for hands-on development.

🧩

VS Code extension

The same loop in a graphical panel β€” diffs, plan review, @-mentions, session history. Best for IDE-integrated work.

πŸ€–

Headless / print mode

claude -p "…" runs non-interactively and prints a result β€” pre-approve tools with --allowedTools. Best for CI/CD and scripts.

☁️

Cloud sessions

Run in Anthropic-managed VMs from claude.ai/code β€” no local setup, isolated execution. Best for cloud-native workflows.

🧰

The Claude Agent SDK

Drive the exact same agent loop from your own Python or TypeScript program β€” same tools, context management, permissions, and subagent machinery β€” to embed an agent in a product or pipeline. Best for building custom, production agents.


Staying in control

Safety & guardrails

Autonomy is only useful if it's safe. Claude Code layers several independent protections so no single failure lets the agent do harm.

πŸ” Permissions (policy)

The first boundary β€” allow/ask/deny rules and modes decide what runs without you.

πŸ“¦ Sandboxing (OS)

Optional kernel-level isolation of the shell's filesystem & network β€” survives even prompt injection.

↩️ Checkpoints

Every file edit is snapshotted and reversible β€” rewind to undo the agent's changes.

πŸͺ Hooks

Your own scripts run before/after tool use to enforce custom, deterministic checks.

πŸ™‹ Human-in-the-loop

You review changes, answer prompts, and can interrupt or redirect at any moment.

πŸ›‘οΈ Trust verification

Opening a new repo prompts a trust check, so a malicious CLAUDE.md or setting can't act silently.

⚠️

The golden rule

Bounded autonomy beats maximal autonomy. Give the agent the least access it needs, keep dangerous actions behind a prompt, and review before you approve β€” especially anything that touches the outside world (deploys, pushes, sending messages), which checkpoints can't undo.


How to think about it

Design principles

1 Β· Start simple

A plain LLM call beats an over-engineered agent. Add agentic complexity only when a task genuinely needs discovery and iteration.

2 Β· Prefer workflows when the path is known

If you can predict the steps, script them. Save true agency for open-ended problems.

3 Β· Make actions observable & reversible

Diffs, checkpoints, and permission prompts turn autonomy into something you can trust and audit.

Next up

One agent is powerful. Many are a team.

Everything here describes a single agent. The real leverage comes when the agent delegates to specialised helpers with their own isolated contexts β€” subagents. That's the next page.