Is Claude Code CLI a chat tool or an agent runtime?

Both, and that's the source of most confusion. The terminal binary is interactive, but the same harness exposes hooks, skills, subagents, and an SDK that lets you script it as a non-interactive agent runtime.

Should I use Claude Code CLI or build on the raw Anthropic API?

If you need tool use with files, bash, and git in a real working directory, use Claude Code. If you need a stateless inference endpoint with your own orchestration, use the API. Building Claude Code's tool harness from scratch is a six-month project.

Does Claude Code CLI lock me to Anthropic models?

Claude Code and the Agent SDK can route sampling requests through a proxy via ANTHROPIC_BASE_URL, and OpenRouter documents an Agent SDK integration path. That does not make the harness provider-neutral: prompt caching, context-management, and tool-use behavior still need end-to-end tests against the exact proxy/model path.

What's the actual monthly cost at agent-engineer scale?

Claude Max currently has 5x and 20x tiers at $100/mo and $200/mo, respectively, and includes Claude Code access. Heavy metered API users can still rack up visible daily token spend, especially on long agent loops with poor cache reuse. Pick subscription or API billing based on attribution needs, not only headline price.

Is the 1M context window actually usable?

On Sonnet 4.5+, yes for ingestion-heavy work like codebase Q&A. Latency degrades past ~400K tokens and prompt caching helps massively. For agent loops that grow context turn-over-turn, compaction beats raw context length.

Claude Code CLI: What Operators Actually Need to Know (2026)

I've been running Claude Code CLI as my daily driver for sustained stretches across the last year, and I also build production agent runtimes for a living. That means I look at Claude Code through two lenses: the IDE replacement my hands use for most of a working day, and the agent harness I might fork, embed, or replace. Most writeups cover the first lens. Almost none cover the second. The gap matters because the same binary is both, and the architectural decisions Anthropic made for the IDE use case have non-obvious consequences when you push it into agentic, headless, or multi-machine territory.

TL;DR

Use Claude Code CLI as your primary coding agent if you write Anthropic-targeted code, want a tool harness you don't have to build yourself, and can accept that the runtime is opinionated about file editing, bash, and git workflows. Use the Agent SDK (@anthropic-ai/claude-agent-sdk for TypeScript, claude-agent-sdk for Python) to embed the same harness inside your own application. Don't build production multi-tenant agents directly on the interactive CLI; it's tuned for a single operator at a single working directory and will fight you on concurrency, identity, and cost attribution. Claude Max 5x/20x is a reasonable default for individual heavy users who fit subscription billing; metered API access is correct for embedded agent products where operators control the loop.

The mental model

Claude Code is three things wearing one binary.

First, it's a terminal coding agent: an interactive REPL bound to a working directory, with file-edit, bash-execute, web-fetch, and git tools wired into a model loop. You type, it edits, you accept or reject. This is the surface most reviews cover.

Second, it's a harness specification: a documented contract for how an agent gets tools, how those tools surface permissions, how subagents nest, how skills load progressively, how hooks intercept events, and how output streams back. The harness is the part Anthropic spent the most engineering on, and the part competitors visibly copy patterns from.

Third, it's an agent SDK: @anthropic-ai/claude-agent-sdk (TypeScript) and claude-agent-sdk (Python) expose the same harness as a programmable runtime you can embed in your own services. The interactive CLI is one consumer of the SDK; you can be another.

The reason this matters: when someone asks "should I use Claude Code?" the answer depends on which of the three they actually mean. The CLI is excellent at one job. The harness is mature, heavily used, and among the more battle-tested agent loops I've shipped against, though I haven't run a controlled comparison across the full field and any "most production-tested" claim should be read as marketing, not measurement. The SDK is mid-maturity and rough at the edges where it stops looking like the CLI's own use case.

A precise definition: Claude Code CLI is an agent harness with a default interactive frontend, where the harness is the load-bearing thing and the frontend is replaceable.

The landscape

The competitors I've actually used in anger:

Cursor: IDE-native, multi-model, optimized for in-editor flow. Different shape entirely; comparison is more like "VS Code vs vim" than "tool A vs tool B."
Aider: terminal coding agent, model-agnostic, lighter harness. Closer in form factor to Claude Code but with a different opinion: aider treats the model as fungible, Claude Code treats Claude as load-bearing.
OpenAI Codex CLI: Anthropic's pattern, OpenAI's models. As of 2026-05-07, directionally the harness depth feels shallower than Claude Code's on the tool-use loops I run daily, though I have not benchmarked them head to head and the gap has been narrowing release over release. Treat that as my impression from regular use, not a measured claim.
Continue.dev: open source, IDE-embedded, BYO-model. The thing operators reach for when self-hosting the surface is the requirement.
OpenClaw / pi-mono / custom harnesses: when you've outgrown the off-the-shelf tools and need to embed an agent loop in something larger. I run a pi-mono-based loop locally and lean on it enough to have opinions, though the specific deployment and fork are not public, so treat the production-grade framing as anecdote rather than something auditable. The tradeoff is clear either way: a minimal harness is fast and legible, and you own everything Claude Code gives you for free.

Group them on two axes: opinionated-vs-fungible (does it bet on a specific model) and interactive-vs-embeddable (is it a terminal you type into or a runtime you call). Claude Code is opinionated and both. Aider is fungible and interactive-only. pi-mono is opinionated and embeddable-only. Among the harnesses I have actually run, the Agent SDK is unusual in combining an embeddable runtime with a working interactive reference implementation (the CLI itself) you can study, copy patterns from, and diverge from when your needs do. There may be others I haven't tried; the observation is about the shape, not a market census.

What actually matters operationally

Vendor pages talk about features. Operators care about a different list.

Tool surface and permission model. Claude Code's permission system is the single biggest reason it works in production. Rules are declarative allow/deny/ask entries with tool-specific pattern syntax, with managed, user, project, and local scopes. Current docs say Bash commands are parsed and matched against permission rules; examples use patterns like Bash(npm run test *), not regexes. WebFetch(domain:docs.anthropic.com) scopes a fetch tool to a host. Confirm the current pattern grammar at https://code.claude.com/docs/en/settings before writing rules you plan to rely on, because the syntax has shifted across releases and assuming regex semantics where there are none is the kind of mistake that turns a denylist into theatre. Building this layer from scratch is months of work. Most competing harnesses get permissions wrong, too coarse or too loose, and operators find out in production.

Prompt caching behavior. Claude Code uses Anthropic's ephemeral cache aggressively (5-minute TTL, with the 1-hour beta available). The harness slices the system prompt, tool definitions, and conversation history into cache-friendly segments. At agent-loop scale this is one of the largest cost levers in the system: a long, stable prefix (system prompt + tool schema + early conversation) reused turn after turn is exactly the shape prompt caching is built for, and a loop that ignores it pays full input-token price on every step. Engineers writing their own loop on top of the API without setting cache_control blocks are generally leaving meaningful spend on the table; the exact savings depend on prefix length, cache-hit rate, and model, and any number quoted without those is marketing.

Context management. The CLI auto-compacts when it approaches model context limits. The compaction prompt is good, better than what most engineers write themselves, but the failure mode is silent: a long agent run can quietly lose load-bearing facts after compaction, and the next tool call goes sideways. In practice this means agent prompts should restate critical constraints periodically, not assume they live forever in context.

Subagents and parallelism. The Agent tool spawns a subagent in a fresh context window, runs it to completion, and returns the result. The parent agent never sees the subagent's intermediate tool calls, which protects context but means operators can't intervene mid-run. If a task needs operator-in-the-loop steering, the subagent pattern is wrong; if it's truly fire-and-forget research or a parallel build, it's exactly right.

Cost attribution and observability. Out of the box, the interactive CLI shows a session cost at exit. That's roughly it. For team or production deployments, operators have to wire their own OpenTelemetry exporter (the SDK has hooks; the CLI surfaces less), or front the whole thing with LiteLLM or OpenRouter to get per-request billing logs. I would not deploy an embedded Claude Code runtime to a shared team without solving cost attribution first; the moment more than one person is sharing a budget, "session cost at exit" stops being an answer.

Lock-in. The harness is portable in name (the SDK is open source) but the prompt engineering, tool definitions, and reasoning patterns are tuned for Claude. Switching to a non-Anthropic model through the SDK's gateway routing works for code completion-grade tasks; it falls off a cliff for the multi-step tool-use loops where Claude Code earns its keep. Plan accordingly.

Detailed teardowns

Claude Code CLI (the interactive binary)

Position: Opinionated, interactive, the reference implementation of the harness.

Architecture. A Node.js binary distributed via npm (@anthropic-ai/claude-code). Connects to the Anthropic API directly by default; supports Bedrock and Vertex routing via env vars. State (chat history, project settings, hooks, skills) lives in ~/.claude/ and <project>/.claude/. Tool execution happens in your local shell with the permissions you configured. Streaming UI is built on Ink.

Cost / scale / ops. Two ways to pay: a Claude subscription (Pro or one of the Max tiers) or metered API spend. Anthropic's help center checked on 2026-05-07 listed Max 5x at $100/month and Max 20x at $200/month, both with Claude Code access, with prices subject to change. Directionally: Pro is fine for light use and starts to bite on rate limits once a session turns into an actual agent loop; Max tiers are where heavy daily users land; metered API is correct when you want per-call attribution or your usage is bursty enough that a flat subscription leaves money on the table. Sonnet-class models are noticeably cheaper to run a full day than Opus-class for the same workload, often by a multiple rather than a percentage. The real hidden cost most operators miss isn't a per-seat fee; it's prompt-cache misses on long-idle sessions. Walk away from an active session past the cache TTL and the next tool call rebuilds against a cold cache, which can turn a routine task into a noticeably more expensive one. Watch for it.

Right call when: you're an individual engineer or a small team where each engineer runs their own agent. You're targeting code that lives on a real filesystem with real git. You can accept Anthropic-only models for the agentic work.

Wrong call when: you need multi-tenant agent serving, web-based UX, or model fungibility as a hard requirement. You want a managed cloud agent with no local install. You're trying to embed an agent loop inside your own product (use the SDK, not the CLI).

Claude Agent SDK (TypeScript and Python)

Position: Opinionated, embeddable, the same harness as a library.

Architecture. @anthropic-ai/claude-agent-sdk (TS) and claude-agent-sdk (Python) expose query() and a streaming async generator over Claude's tool-use loop. You provide system prompts, tools (custom + built-in), permission callbacks, and hook handlers. The SDK manages the agentic loop, prompt caching, and compaction. You manage everything else: deployment, identity, multi-tenant isolation, persistence, billing.

Cost / scale / ops. Pay-as-you-go API token cost. No platform markup; you're calling Anthropic directly (or Bedrock / Vertex). Operationally: you own the runtime. That includes sandboxing tool execution (the SDK will happily run rm -rf if you wire Bash without permission gates), persisting conversation state across requests (the SDK is stateless between query() calls), and observability. Plan on three to six weeks of platform work before an SDK-based agent is production-grade.

Right call when: you're building an agent product or an internal agent platform and you want the harness without the interactive frontend. You can invest in the surrounding platform.

Wrong call when: you want to ship in a week. You need a UI; the SDK gives you a runtime, not a frontend.

Cursor (for comparison)

Position: Opinionated, IDE-embedded.

Architecture. A VS Code fork with Anthropic, OpenAI, and (now) several other providers behind a unified UI. Tool surface is closer to "edit, search, run" with an agent mode that approximates Claude Code's loop.

Right call when: you live in an IDE and want LLM features as a first-class part of editing. Pair-programming-shaped workflows where you stay in the file.

Wrong call when: you want a headless agent, a programmable runtime, or you live in the terminal anyway. The Cursor agent loop is good but visibly behind Claude Code's harness on tool-use depth (as of 2026-05-07).

pi-mono (custom harnesses, briefly)

Position: Opinionated, embeddable, no batteries.

Architecture. A minimal agent harness in TypeScript. Hand-rolled tool calling, hand-rolled context management, hand-rolled everything. I run a pi-mono-based loop in production for one of my own internal apps; I am not linking the deployment or the fork because neither has a public verification path, so treat the production claim as my anecdote rather than something you can audit. The reason I reached for a custom harness was specific: I needed a loop I could reason about end-to-end at the millisecond level, and I needed to embed it inside an existing service that already had its own concurrency model and sandboxing.

Right call when: you've genuinely outgrown the SDK and you know specifically why. "I want full control" is not a good enough reason on its own; full control of a poorly understood loop is worse than a partial-control SDK.

Wrong call when: you haven't shipped Claude Code or the SDK at scale yet. You haven't earned the complexity budget.

The standards layer

There isn't one yet for agent harnesses.

Model Context Protocol (MCP) is the closest thing to an interop standard in this space. Claude Code consumes MCP servers natively; you can point it at any compliant server (filesystem, Postgres, Linear, Atlassian, hundreds of community servers) and the tools surface inside Claude Code with the same permission gates as built-in tools. As of 2026-05-07 the spec is stable enough to build on but the ecosystem is uneven: official servers from Anthropic, Linear, and Vercel are production-grade; community servers vary wildly on auth handling and error semantics.

What MCP doesn't standardize: the agent loop itself, prompt caching semantics, hook contracts, skill loading, subagent dispatch, observability schemas. All of those are Claude Code-specific. If a competing harness emerges that claims compatibility, ask which of those it actually preserves; "MCP support" is necessary but very far from sufficient for portability.

ACSS (the spec I work on for unrelated reasons) attempts to standardize the deeper layer: contract shapes, observability semantics, identity, memory governance. None of the major commercial harnesses including Claude Code conform to it. That's not a criticism of Claude Code; it's an observation that the cross-vendor agent interop story is roughly where Kubernetes was in 2015.

Things nobody talks about

The 5-minute prompt cache TTL is one of the biggest cost variables in your day, and almost nobody mentions it. Walk away from Claude Code for six minutes during an active session and the next tool call may rebuild against a cold cache. On a long agent run with a fat system prompt and a deep conversation, that can turn a routine next step into a visible cost jump. Anthropic's prompt-caching docs also describe a 1-hour TTL option; opt in only after checking pricing, model support, and cache-breakpoint behavior for the model you use.

Subagent costs hide. When you spawn a subagent via the Agent tool, that subagent has its own context, runs its own model calls, and the cost lands on the same bill. The interactive UI is not the accounting surface I would trust for fan-out workflows. If you build flows that fan out, instrument with the SDK's usage and hook surfaces so you can see per-subagent spend.

Hooks run with shell access on lifecycle events. PreToolUse, PostToolUse, Stop, UserPromptSubmit, SessionStart, and related hooks execute commands as your shell user. That's the source of their power and a credible blast radius if you install a hook from an untrusted plugin. Claude Code now supports plugins and marketplaces; treat any plugin hook as executable code. Read every hook script before installing a plugin you didn't write.

Settings precedence is layered, and the layers are not the two most engineers think they are. The current docs list managed settings highest, then command-line arguments, local project settings (.claude/settings.local.json), shared project settings (.claude/settings.json), and user settings (~/.claude/settings.json). Some array/object fields merge rather than simply replace. Do not commit the precedence order to memory and reason from it. Check the current settings doc at https://code.claude.com/docs/en/settings or run /status inside a session to see the effective config before assuming a project-level allow grants what you think it grants. The failure mode I have hit: assumed a user-level deny was the floor, shipped a project config that broadened it, found out later.

File ownership and CWD assumptions. The CLI assumes one working directory per session and writes state into <cwd>/.claude/. Run two Claude Code instances in the same directory and you will eventually see them step on each other's state files. Use git worktrees for parallel sessions; it's the only pattern I've found that doesn't bite.

Compaction is not lossless and the loss is silent. When the harness compacts, it summarizes prior conversation into a shorter form and continues. Critical constraints stated 30 turns ago can vanish from the compacted summary if the compactor judged them stale. There's no warning. Pattern: restate load-bearing constraints (security rules, output formats, deadlines) in CLAUDE.md, not just in chat, because CLAUDE.md is reloaded on every turn.

Implementation patterns

Pattern 1: Locked-down project settings for a coding agent

For a project where you want Claude Code to edit, run tests, and use git, drop something like the following in <repo>/.claude/settings.json. Treat it as a starter denylist, not a containment boundary:

{
  "permissions": {
    "allow": [
      "Read",
      "Edit",
      "Write",
      "Glob",
      "Grep",
      "Bash(npm run *)",
      "Bash(pnpm run *)",
      "Bash(git add *)",
      "Bash(git commit *)",
      "Bash(git diff *)",
      "Bash(git log *)",
      "Bash(git status)",
      "Bash(git branch *)",
      "WebFetch(domain:docs.anthropic.com)",
      "WebFetch(domain:nodejs.org)"
    ],
    "deny": [
      "Bash(rm *)",
      "Bash(git push *)",
      "Bash(git reset --hard *)",
      "Bash(sudo *)",
      "Bash(curl *)"
    ]
  }
}

Read this for what it is: a friction layer against the obvious footguns, not a no-destructive-commands guarantee. A broad Bash(npm run *) allow lets any matching package script run with your shell privileges, and npm run test plus a malicious script can do anything rm could. Bash(git commit *) runs your local git hooks, which are arbitrary code. The denylist names rm but does not catch find -delete, mv target /dev/null, redirecting over a tracked file with >, or a Python one-liner that calls shutil.rmtree. Wildcard allows on package managers also cover unvetted scripts if the package file changes, which is the supply-chain path most denylists miss entirely.

If the threat model is "I trust the code in this repo and want a guard against my own typos," the config above is fine and worth shipping. If the threat model is "agent-authored code or an untrusted dependency might try to do harm," real containment lives one layer down: a container or VM per session, a non-root user, a read-only mount for everything outside the working tree, and a much narrower allowlist of exact commands rather than tool:* wildcards. The settings.json layer is policy; sandboxing is enforcement, and the two are not substitutes.

Working examples for several stacks live at https://github.com/MPIsaac-Per/agentinfra-examples; confirm the repo is reachable before relying on it.

Pattern 2: Embedded SDK agent with permission gating

Use the Agent SDK when building a service that needs the harness without the interactive frontend. Pin exact versions; do not use latest. The example below is plain JavaScript against @anthropic-ai/claude-agent-sdk as documented at https://platform.claude.com/docs/en/agent-sdk/typescript (verified 2026-05-07); add TypeScript annotations only after confirming the current PermissionResult shape.

async function runAgent(userPrompt, allowedDomains) {
  const { query } = await import("@anthropic-ai/claude-agent-sdk");

  const result = query({
    prompt: userPrompt,
    options: {
      model: "<your-claude-model>",
      systemPrompt: "You are a documentation research agent. Cite every claim.",
      canUseTool: async (toolName, input = {}, _options) => {
        if (toolName === "WebFetch") {
          const url = input.url ?? "";
          const ok = allowedDomains.some(d => url.startsWith(`https://${d}`));
          return ok
            ? { behavior: "allow", updatedInput: input }
            : { behavior: "deny", message: "domain not allowed" };
        }
        if (toolName === "Bash") {
          return { behavior: "deny", message: "bash disabled in this agent" };
        }
        return { behavior: "allow", updatedInput: input };
      },
    },
  });

  for await (const message of result) {
    if (message.type === "result") return message;
  }
}

The canUseTool callback is an async runtime approval hook, not the single policy boundary for a multi-tenant agent service. The documented evaluation order at https://code.claude.com/docs/en/agent-sdk/permissions (verified 2026-05-07) runs PreToolUse hooks, deny rules, allow rules, ask rules, permission mode, canUseTool, then PostToolUse hooks. Treating it as the sole gate is the production failure mode I flag the most: a single async callback bug, a missed toolName, or a thrown exception inside the closure and a tenant gets bash. Layer it. Static permissions.deny rules in settings.json for anything categorically forbidden (Bash(rm *), Bash(sudo *), network egress to unapproved domains). Permission mode set to a tight default rather than acceptEdits or bypassPermissions. PreToolUse hooks for audit logging and policy that needs to run regardless of the SDK consumer. Container-per-session sandboxing for Bash and Write, not just a callback that returns deny. The canUseTool callback is then where you encode the dynamic per-tenant logic the static layers can't express, knowing that if it fails open, the layers underneath still hold. Verify the SDK version and current method signatures at the Agent SDK docs before deploying.

Pattern 3: PreToolUse hook to log every bash command

Drop this script at ~/.claude/hooks/log-bash.sh and wire it into ~/.claude/settings.json under hooks.PreToolUse. This gives you an audit trail without slowing the agent loop.

#!/usr/bin/env bash
set -euo pipefail
INPUT="$(cat)"
TOOL="$(jq -r '.tool_name' <<<"$INPUT")"
if [[ "$TOOL" == "Bash" ]]; then
  CMD="$(jq -r '.tool_input.command' <<<"$INPUT")"
  printf '[%s] %s\n' "$(date -u +%FT%TZ)" "$CMD" >> ~/.claude/bash-audit.log
fi
exit 0

Hooks read JSON from stdin, exit 0 to allow the tool call, exit 2 to block. Anything you write to stderr surfaces in the agent's view. Production posture: every hook script is owned by your user and chmod 700; hooks installed by plugins should be code-reviewed before activation.

Decision framework

A short tree, not a matrix.

Are you an individual engineer or a small team running on a real working filesystem? Use the Claude Code CLI. Pick the Claude Pro/Max tier that matches your usage, currently Max 5x at $100/month or Max 20x at $200/month per Anthropic's help center. Lock down project settings.json. Stop reading and start using it.
Are you building an agent product or internal agent platform? Use the Agent SDK. Budget three to six weeks of platform work before production. Plan observability, multi-tenant isolation, and per-request cost attribution from day one. Don't try to wrap the interactive CLI; you'll fight it.
Are you locked into non-Anthropic models for compliance, cost, or strategic reasons? Use Aider or Continue.dev for the interactive case, build on raw provider SDKs for the embedded case. Claude Code's value is tightly coupled to Claude's tool-use behaviors; routing it through OpenRouter to a non-Anthropic model is a degraded experience, not a free swap.
Are you trying to run multi-tenant agents with strict per-tenant isolation? None of the off-the-shelf tools are right out of the box. Either build on the Agent SDK with hard sandboxing (containers per session, not just permission callbacks) or build a custom harness on top of the raw API. Be honest about the months of work this represents.

Where I'd bet: the harness layer (permissions, hooks, MCP, skills, subagents) is converging toward Claude Code's shape across the industry. The model layer is competitive and will stay so. The standards layer is going to take three more years to settle. Build on Claude Code today, design your platform so you can swap the underlying agent runtime in 2027 if the standards picture changes, and don't pay anyone for "vendor neutrality" that doesn't exist yet.

I could be wrong. I haven't run Claude Code at the multi-thousand-tenant scale; if you're operating there, the platform-engineering tradeoffs may flip. Test on your own workload before committing.