---
title: "AI Coding Agents in 2026: Claude Code vs Codex vs opencode"
description: "A vendor-neutral comparison of the three AI coding agents that matter in 2026 — Claude Code, Codex, and opencode: how the agent loop works, where each one fits, a decision table, and how to run them without handing over the keys."
author: Aleksei Aleinikov
date: 2026-07-14
lang: en
tags: [ai-coding-agents, claude-code, codex, opencode, agentic-coding, developer-tools, llm]
canonical: https://www.alekseialeinikov.com/en/blog/topics/ai/ai-coding-agents-2026-claude-code-vs-codex-vs-opencode
source: alekseialeinikov.com
---

# AI Coding Agents in 2026: Claude Code vs Codex vs opencode

Two years ago, AI in the editor meant autocomplete: it guessed the next line and you pressed Tab. In 2026 it means something categorically different — an **agent** that reads your repo, edits files across it, runs your tests, reads the errors, and tries again, all from a single instruction. The tool stopped suggesting and started *doing*.

Three names dominate that shift: **Claude Code**, **Codex**, and **opencode**. They look similar in a demo and are marketed as rivals, but they make genuinely different bets on lock-in, control, and openness. This is a vendor-neutral guide to what they actually are, how the thing under all of them works, and how to choose — and run — one without handing over the keys to your codebase.

## First, What a Coding Agent Actually Is

The word "agent" gets thrown around loosely, so pin it down. A coding agent is not one clever prompt — it's a **loop**.

![The agent loop: your prompt goes to the model, which plans a step, calls tools to read/edit files and run commands, observes the result, and repeats until the task is done and it shows you a diff.](https://www.alekseialeinikov.com/blog/ai-coding-agents-loop-2026.webp)

You give a goal — *"add JWT auth to the API."* Then:

1. **The model plans** the next concrete step.
2. **It acts** — calls tools to read files, edit code, run a command, grep the repo.
3. **It observes** the result — test output, a stack trace, the new file contents.
4. **It loops** — feeds that back in and plans again, until the task is actually done.
5. **It stops** and shows you a diff to review and approve.

That loop is the whole idea, and it's why an agent is powerful and risky at the same time: **between your prompt and the result, it takes actions on its own.** Autocomplete could only ever suggest; an agent edits your files and runs your shell. Every tool below is a different wrapper around this same loop.

## The Three That Matter

**Claude Code** — Anthropic's agent. It began as a terminal tool and now runs across the terminal, IDE, desktop app, and the browser — including managed cloud sessions that chew through long tasks in parallel while your machine is off. It's tied to Claude models, closed-source, MCP-native, and asks permission before edits and commands. If you already trust Claude for code, it's the most polished way to let it act.

**Codex** — OpenAI's coding agent, and the one that pushes the loop the furthest. It runs in two modes: a **cloud agent** that grinds through long tasks in an isolated, managed sandbox — so you can fire off several jobs at once and walk away — and a **local CLI** for hands-on work at the keyboard. It's tied to OpenAI's frontier models, which are still some of the strongest at real code, and its cloud agent is a mature, isolated place to hand off long work. The CLI is open; the models and the managed service are proprietary. The trade is clear: you accept the OpenAI ecosystem, and in return you get one of the strongest model-plus-cloud combinations on the market.

**opencode** — the open-source outlier. A terminal agent that is **model-agnostic**: you point it at whichever provider you want — Anthropic, OpenAI, Google, or a local model — and the agent itself is open-source, so you can read it, extend it, and self-host it. Its bet is *no lock-in and full auditability*.

## Where Each One Sits

Strip away the branding and the three separate on two axes: **how open they are** (closed vs open-source) and **how locked to one model vendor** they are. Notice what is *not* an axis anymore: where it runs. Both Claude Code and Codex now run locally *and* offer a managed cloud, so that stopped being the dividing line.

![Positioning matrix on two axes — closed vs open source, and locked to one vendor vs any model. Claude Code and Codex sit together in the closed, vendor-locked corner and both also run local and in a managed cloud; opencode sits alone in the open, any-model corner.](https://www.alekseialeinikov.com/blog/ai-coding-agents-positioning-2026.webp)

Here is the same decision as a table:

| | **Claude Code** | **Codex** | **opencode** |
|---|---|---|---|
| **Vendor** | Anthropic | OpenAI | Open-source (community) |
| **Models** | Claude only | OpenAI only | Any — bring your own |
| **Where it runs** | Local + managed cloud | Local CLI + managed cloud | Local / self-hosted |
| **Openness** | Closed | CLI open, service/model closed | Fully open-source |
| **MCP support** | Native | Yes | Yes |
| **Auditability** | Trust the vendor | Trust the vendor | Read the source |
| **Best for** | Deep Claude users, polished all-surface | Delegating & parallelizing long tasks, hands-off cloud runs | Avoiding lock-in, local-only, self-hosting |

The pattern is clear: the two proprietary agents cluster together — polished, model-locked, vendor-trusted — and **opencode is the deliberate counterweight** for teams that refuse model lock-in or need to audit what the agent does.

## How to Actually Choose

Ignore the demos; they all look magical for ten minutes. Choose on three real constraints:

- **Model lock-in.** Do you want to be tied to one model family? Claude Code binds you to Claude, Codex to OpenAI. opencode lets you swap models — including running a local one for sensitive code — without changing your workflow.
- **Where it runs.** This used to split them, but no longer: both Claude Code and Codex run locally *and* offer a managed cloud that chews through long, parallel tasks while you do something else. opencode is the local / self-hosted one — no vendor cloud at all, which is the whole point if you need everything on your own infrastructure. So don't choose on "local vs cloud"; choose on whose cloud you're willing to send code to, if any.
- **Openness and auditability.** In a regulated or security-sensitive shop, "we can read exactly what the agent does" is not a nice-to-have. That's opencode's home turf; the proprietary tools ask you to trust the vendor instead.

In practice the switching cost is low — the loop is the same everywhere — so trying two is cheap and often clarifying. Pick the default that matches your constraints, not the one with the best launch video.

## Letting It Act Without Letting It Loose

Here's the part the demos skip. A coding agent is, mechanically, **a program that edits your source and runs shell commands on your behalf**. That is enormous leverage and a genuine attack surface. The failure mode isn't the model being dumb — it's the model being *capable* and *unsupervised*.

![Four guardrails: permission prompts before edits and commands, sandboxed execution in a container or VM, scoped tool/MCP access with deny-by-default, and a human reviewing the diff before it merges.](https://www.alekseialeinikov.com/blog/ai-coding-agents-governance-2026.webp)

Treat every agent like a new junior developer who somehow has root. Four guardrails make that safe:

1. **Permission prompts.** Approve edits and shell commands *before* they run, not after. All three support this — leave it on, especially for anything that touches the network or the filesystem outside the repo.
2. **Sandboxed execution.** Run the agent in a container or a microVM, never directly on your host or anything near production. If it runs `rm -rf` or a poisoned dependency's postinstall, the blast radius should be a throwaway sandbox. For the isolation trade-offs, see [MicroVMs in 2026: Firecracker vs gVisor for Secure Workloads](https://www.alekseialeinikov.com/en/blog/topics/devops/microvms-firecracker-vs-gvisor-secure-workloads-2026).
3. **Scoped tool access.** An agent's power comes from the tools it can call. Allow-list them — and if it reaches external tools over MCP, control *which* servers and *which* tools it can touch, deny-by-default. This is exactly the per-tool permission problem covered in [User-Level Permission Controls for MCP Tool Access](https://www.alekseialeinikov.com/en/blog/topics/security/user-level-permission-controls-mcp-tool-access-gateway-2026).
4. **Human reviews the diff.** The agent proposes; you decide. Read the change before it commits. The moment you let an agent merge unattended, you've replaced code review with faith.

None of this is exotic — it's least-privilege, applied to a very capable new kind of process. The agent that can rewrite your codebase in a minute can also break it in a minute; the guardrails are what turn that speed into leverage instead of a liability.

## The Field Rule

The three agents are more alike than their marketing suggests: the same plan-act-observe loop, wrapped differently — and the two proprietary ones, Claude Code and Codex, are near-twins that both now run locally and in a managed cloud. So choose on what actually differs — **openness and model lock-in** — and run whichever you pick like a powerful junior: sandboxed, permission-gated, tool-scoped, and never merging without a human on the button. Claude Code if you live in Claude and want the most polished experience; **Codex if you want OpenAI's frontier models with a mature cloud agent to hand long, parallel work to**; opencode if you refuse lock-in and want open source you control. If you just want a strong set-and-forget default and don't mind the OpenAI ecosystem, Codex is the easiest one to bet on. Get the guardrails right first, and any of the three becomes leverage instead of a gamble.
