Coding agents — the 2026 landscape¶

By the middle of 2026 "agents" has stopped being a buzzword and become a product category. Four vendors — Anthropic, GitHub/Microsoft, OpenAI, and Google — each ship a multi-surface stack of autonomous coding tools that share a recognisable shape: a model in a tool-use loop, a project-level instructions file, a Model Context Protocol bus to external tools, a sandbox of some kind, and a way to delegate work either to your editor or to a remote VM. The vendor stacks differ in detail and in philosophy, but the underlying primitives have converged to a degree that was not obvious twelve months earlier. This page is the hub that ties the four vendor-specific pages — claude-agents, github-copilot-agents, codex-agents, and antigravity-agents — into a single mental model of the category. A more granular side-by-side lives on agents-comparison; this page is the umbrella narrative.

What "agents" means in 2026¶

The word "agent" gets stretched across at least five distinct things in current vendor marketing, and the differences matter when picking a tool. The crudest separation is the older inline-autocomplete experience, which is not an agent — a 2021-style Copilot suggestion that completes the next line of code is a one-shot prediction with no tool use, no planning, and no loop. A chatbot — a Q&A panel that talks about code but neither reads nor writes files — is also not an agent. Both still ship inside every vendor's product, but they are infrastructure for the agent surface, not the agent itself.

The core meaning of "agent" in 2026 is a model running an agentic loop: gather context → plan → call a tool → observe the result → reason about what changed → repeat, until the task is done or the agent stops to ask the human. Anthropic's documentation describes this as a four-phase cycle of "gather context, take action, verify work, iterate" (Agent loop docs); the same shape sits inside Copilot agent mode, Codex's TUI, and Antigravity's editor surface. The loop is what makes the agent feel autonomous: it decides what to read, what to write, when to run a test, and when it has finished.

From there the category branches into four execution styles. Agent mode is the synchronous, in-editor form — the developer has the file open, the agent edits it live, terminal commands stream in real time, every diff is reviewable immediately. Cloud agents are asynchronous and remote — the work runs on a sandbox VM somewhere else, often on GitHub Actions or a vendor-managed runner, and the developer reviews the resulting pull request hours later. Hybrid agents start in the editor and promote themselves to the cloud when the job gets long; OpenAI calls this the cloud/local hand-off and treats it as a headline feature. Meta-agents sit one layer up: they do not edit an existing codebase, they generate one — GitHub Spark turns a single prompt into a deployed app, and Antigravity's Manager Surface fleet-views many sub-agents at once.

Each of those four styles is recognisable across all four vendors, with different naming and slightly different defaults. The rest of this page maps the territory.

The four vendor families¶

Claude (Anthropic)¶

Anthropic ships exactly one agent harness and wraps it in four surfaces. The harness is the Claude Agent SDK (formerly the Claude Code SDK, renamed in late 2025 to reflect its use beyond coding). The wrappers are the Claude Code CLI, the VS Code and JetBrains extensions, the desktop app, and Claude Code on the web at claude.ai/code, which runs the same harness in an Anthropic-managed sandbox VM. Inside the harness sit four orthogonal extension points — sub-agents (isolated spawnable agent instances with their own tool allowlist and model), Skills (capability packages loaded via progressive disclosure), hooks (deterministic lifecycle interceptors), and MCP servers (external tool sources) — and a fifth, plugins, that bundles the other four for distribution.

The distinctive thing about the Claude stack is its Unix-shaped composability. Configuration is files in a .claude/ directory; Skills are folders containing a SKILL.md; sub-agents are Markdown files with YAML frontmatter; hooks are JSON entries in settings.json. None of those primitives replace each other — they compose. Anthropic also positioned SKILL.md as an open specification at agentskills.io, and by early 2026 the same format was being read by Codex CLI, Cursor, Gemini CLI, and others. Details on every primitive, the agent loop's exact contract, and the May 2026 TrustFall vulnerability all live on the dedicated claude-agents page.

GitHub Copilot (GitHub/Microsoft)¶

Copilot's evolution from autocomplete-only to agent-stack is the messiest of the four because it has the longest brand history. In 2026 the brand covers four agent surfaces under a shared control plane (Copilot policies, GitHub identity, premium-request metering): agent mode runs synchronously in VS Code, Visual Studio 2026, JetBrains IDEs, Eclipse, and Xcode; the cloud agent (formerly known as "Copilot Workspace", sunset in May 2025 and absorbed) runs asynchronously inside a GitHub Actions sandbox triggered by assigning a Copilot user to an issue; GitHub Spark generates entire deployed apps from a single prompt; and Copilot Extensions / third-party agents let Anthropic Claude and OpenAI Codex be assigned to GitHub issues as alternative cloud agents that share Copilot's billing surface (third-party agents docs).

What makes Copilot distinctive is its deep integration with the GitHub ecosystem: every cloud-agent session is a real GitHub Actions run, complete with logs and reproducibility; the egress firewall on agent sandboxes is enforced at the network layer rather than the application layer; setup is configured through a normal Actions workflow file at .github/workflows/copilot-setup-steps.yml. Spark, the meta-agent, is the leanest "describe app, get deployed app" experience of any vendor, with a generated GitHub repo, GitHub-based auth, and a managed Azure Container Apps runtime. The full surface map, the firewall details, the custom-agent file format, and the June 2026 transition to usage-based billing all live on github-copilot-agents.

Codex (OpenAI)¶

Codex is OpenAI's umbrella brand for autonomous coding, relaunched in May 2025 (the original 2021 "Codex" was a model, not an agent — the names collide because OpenAI revived the brand). The stack is multi-surface from day one: a CLI (since September 2025 a Rust binary that binds to Landlock, Seatbelt, and seccomp), an IDE extension for VS Code, Cursor, Windsurf, and JetBrains 2025.3+, a hosted Cloud product at chatgpt.com/codex that runs tasks on ephemeral VMs, and a desktop app. All four surfaces share the same ~/.codex/config.toml, the same MCP registry, and the same project-level AGENTS.md discovery rules.

Two design choices distinguish Codex from its peers. First, multi-surface with shared state: starting a task in the CLI, promoting it to Cloud for a long compute run, then pulling the resulting diff back into the local working tree is a single workflow rather than three separate ones. Second, AGENTS.md as cross-vendor standard: the format was introduced by Codex but is now governed under the Linux Foundation's Agentic AI Foundation, with adoption by Copilot's coding agent, Claude Code, Cursor, Aider, Antigravity, and 60,000+ open-source projects per the spec's own counter. Defaults today run on GPT-5.3-Codex (400K context, 128K output) with a GPT-5.4-Codex Plus/Pro snapshot rolling out; the codex-agents page covers the model lineup, the three sandbox modes, the four approval policies, GitHub PR-comment triggers (@codex review, @codex implement), and the third-party-agent role inside Copilot.

Antigravity (Google)¶

Antigravity is the youngest of the four — launched on November 18, 2025 alongside Gemini 3 Pro — and the one most willing to break with the editor-centric pattern. Where the other three stacks treat the agent as a sidekick to an editor, Antigravity inverts the relationship: the Manager Surface is a top-level view that fleet-watches multiple parallel agents, each producing a stream of persisted artifacts (plans, diffs, screenshots, terminal transcripts, browser session recordings) that prove what they did. The Editor View is a familiar VS Code-shaped surface for synchronous in-the-loop work, the Browser Surface is a controlled Chromium instance that agents drive directly to test running apps, and the artifact stream is the audit substrate that makes long-horizon multi-agent work reviewable.

Antigravity is also unusually multi-model: the picker exposes Gemini 3 Pro and Flash alongside Claude Sonnet 4.5 / 4.6, Claude Opus 4.6, and GPT-OSS 120B from launch day, all bundled into a free public preview. The lineage matters too: independent reviewers consistently describe Antigravity as a Windsurf-lineage product on a forked-VS-Code substrate, following Google's roughly 2.4 billion USD Windsurf licensing-plus-acquihire deal in mid-2025. The full surface taxonomy, the artifact model, the multi-model picker, the November 2025 and January 2026 security disclosures (Embrace The Red, Pillar Security), and the Bug Hunters known-issues catalogue all live on antigravity-agents.

Shared infrastructure standards emerging¶

The most striking thing about reading the four vendor stacks in sequence is how much they have converged on shared primitives. Four years ago each vendor would have invented its own configuration format, its own tool protocol, and its own instructions file. In 2026 three pieces of shared infrastructure are visible across all four.

Model Context Protocol (MCP) is the cross-vendor tool-call bus. Originally an Anthropic protocol, it is now consumed natively by Claude Code, Codex, GitHub Copilot (agent mode and cloud agent), and Antigravity, with the same JSON schema (mcpServers object mapping server names to command/args or url invocations) and the same two transports (STDIO for local processes, HTTP/SSE for remote endpoints). A team that authors an MCP server once can wire it into any of the four agents with minimal per-vendor glue. The protocol details are summarised below.

AGENTS.md is the cross-vendor instructions file. A free-form Markdown document at the repository root, it captures coding conventions, build commands, testing rules, and "don't touch" directives. Originally a Codex convention, it is now governed as an open standard under the Linux Foundation's Agentic AI Foundation and read by Copilot's coding agent, Claude Code, Antigravity, Cursor, Aider, Devin, Junie, Windsurf, and tens of thousands of open-source projects. The format is summarised below.

The sub-agent + skills + hooks pattern is the cross-vendor extension pattern. Claude pioneered the explicit three-way split (sub-agents for context isolation, Skills for capability packages, hooks for lifecycle interceptors); Copilot's "custom agents", "prompt files", and "agent skills" map onto the same triad; Codex's slash commands, /review mode, and rolling-out skills system fills the same niche; Antigravity's .antigravity/ folder uses the same shape. The naming differs, the file formats differ, but the conceptual model — small composable units of agent customisation — is the same.

Why this convergence? Two pressures. First, interop: developers refuse to maintain four parallel sets of agent configuration, and the second-mover vendors have learned that compatibility with AGENTS.md and MCP costs them almost nothing and gains them every customer who already has those files. Second, security review fatigue: enterprise teams will not greenlight four different sandbox models, four different tool-call protocols, and four different audit pipelines. A shared protocol reduces the per-vendor security review to a smaller delta on top of a common baseline. Both pressures point the same way, and 2026 is the year the category settled.

Execution environments¶

Where the agent loop actually runs is one of the most consequential choices in the stack. Three patterns are visible across the four vendors.

Local in-editor. Agent mode in Copilot, Codex's IDE extension, Antigravity's Editor View, and Claude Code's CLI and IDE extensions all execute the agent loop on the developer's machine. Tool calls hit the local filesystem, the local terminal, and the local network. Latency is low (no cloud round-trip), iteration is fast, and the developer has full visibility of every change as it happens. The trade-off is blast radius: an agent with shell access on a developer laptop can do anything the developer can do, including reading credentials and rewriting Git history.

Cloud sandbox. Copilot's cloud agent runs on ephemeral GitHub Actions runners with a built-in egress firewall. Codex Cloud runs on OpenAI-managed VMs with off-by-default network access. Claude Code on the web runs on Anthropic-managed sandboxes with a filesystem allowlist and a Unix-socket network proxy. The agent has its own credentials (a scoped GitHub token, an OpenAI session token, a sandboxed Anthropic token) rather than the developer's; the blast radius is bounded to the VM. The trade-off is latency, cost (you pay for the runner minutes plus the model tokens), and asynchronous-only workflow — you delegate, walk away, and come back to a draft PR.

Hybrid. OpenAI emphasises the bi-directional hand-off: start in the CLI, promote to Cloud when the run gets long, pull the diff back. Copilot ships a "Cloud" entry in the agent picker that creates a remote issue from the editor. Claude Code has /web-setup that bridges a local terminal session to a hosted web session. Antigravity stays editor-centric but its Manager Surface implicitly orchestrates remote-feeling parallel agents on the local machine. The hybrid pattern lets developers pick latency for short tasks and isolation for long ones without changing tools.

Cost shape follows execution shape: local agents pay only for model tokens; cloud agents pay tokens plus compute-minutes plus storage. Approval policies, sandbox modes, and allowlists are the controls that constrain the blast radius in each environment; security disclosures throughout 2025-2026 consistently targeted misconfigured defaults rather than fundamental architecture flaws, which is itself a sign the category has matured.

The MCP ecosystem¶

Model Context Protocol is the closest thing the agent category has to a USB-C: a stable, vendor-neutral way to plug a tool into any agent that speaks the protocol. The schema is a JSON object listing servers, each with either a command (for a STDIO transport, where the agent spawns a local process) or a url (for an HTTP/SSE transport, where the agent talks to a remote endpoint). A trimmed example that all four agents will accept with minor variations:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev"]
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_TOKEN": "${GITHUB_TOKEN}" }
    }
  }
}

At session start each agent asks each running server for its tool list, resource list, and prompt list; tool names are namespaced (mcp__github__create_issue) to avoid collision, and the agent then exposes those tools to the model the same way it exposes its built-in tools. The vendor-specific bits live in where the file is read from — ~/.gemini/antigravity/mcp_config.json for Antigravity, ~/.codex/config.toml's [mcp_servers.*] blocks for Codex, .vscode/mcp.json or user-scope mcp.json for Copilot, .mcp.json at repo root for Claude Code — but the schema is interoperable enough that a project can carry one file and a thin per-vendor adapter.

The security surface is the elephant in the room. By late 2025 there were on the order of 200,000 publicly indexed STDIO MCP servers, the vast majority unsigned, unaudited, and capable of arbitrary code execution as the agent's user. The two recurring attack patterns are: a malicious server returning tool descriptions or tool results that contain prompt-injection payloads (the agent reads tool output as model input, so the payload steers the agent's next decisions); and a benign-looking server registration triggering the agent to spawn an arbitrary local command. The May 2026 TrustFall disclosure showed both patterns chaining together — a cloned repo's .mcp.json and .claude/settings.json registered an attacker-controlled MCP server and ran hooks under attacker control through a single user "trust this project" click (The Register). The "Embrace The Red" series in 2025 documented similar mechanics across multiple vendors (Embrace The Red).

Each vendor's mitigation story shares structure: a granular allowlist of servers and tools, an approval prompt before write tools execute, sandboxing of the agent's filesystem and network reach, and (for the cloud surfaces) an egress firewall. Best practice as of mid-2026 is to pin MCP server versions, prefer HTTP transports with OAuth (which surface a consent screen), and audit STDIO server commands the way one audits a shell script.

AGENTS.md as a cross-cutting spec¶

AGENTS.md is the cross-vendor analogue of README.md. It started as an OpenAI Codex convention in 2025 — a free-form Markdown file at the project root that a coding agent reads before every task to absorb the project's conventions, build commands, testing rules, and contribution etiquette. By late 2025 the convention had been picked up by Cursor, Gemini CLI, Windsurf, Devin, Aider, Junie, GitHub Copilot's coding agent, Anthropic's Claude Code, Amp, Factory, and Antigravity, and by early 2026 the open specification was governed under the Linux Foundation's Agentic AI Foundation (agents.md). A minimal example:

# AGENTS.md

## Project overview
TypeScript monorepo. PNPM workspaces; Turborepo for orchestration.

## Setup commands
- Install: `pnpm install`
- Test: `pnpm test`
- Lint: `pnpm lint`

## Code style
- TypeScript strict mode; single quotes; no semicolons.
- Prefer functional patterns; avoid mutable shared state.

## PR conventions
- Title: `[scope] short summary`
- Always include a Test Plan section.

## Don't touch
- `infrastructure/terraform/` — managed by the platform team.
- Any file under `secrets/` or `.env.*`.

Discovery rules vary slightly. Codex walks from the Git root down to the current working directory and concatenates each AGENTS.md it finds along the way (with a configurable size budget); Claude Code reads a similar tree of .claude/rules/ files; Antigravity reads AGENTS.md plus a wider .antigravity/ folder; Copilot reads .github/copilot-instructions.md and increasingly recognises AGENTS.md for cross-tool compatibility. Across all four, nested files closer to the cwd take effective precedence in the prompt.

Why the convention took hold where, say, an agents.json schema did not: free-form prose is easy to author, easy to read, and the same file serves human onboarding as well as agent onboarding. The cross-vendor interpretation is not perfectly consistent — some agents treat Don't touch directives strictly, others as soft hints — but the format is portable enough that a single file can ground sessions across four different vendors' agents.

The security baseline¶

The common adversary across the category is prompt injection — attacker-controlled text reaching the agent's reasoning context (through a file, a web page, an MCP tool result, a code comment, a commit message, or a pull-request body) and steering it into actions the user did not authorise. Every published exploit against an agent in 2025-2026 is some variant of this pattern.

The shared defence-in-depth pattern across all four vendors looks like this:

Sandboxing. Codex uses Apple Seatbelt on macOS and Landlock + seccomp on Linux for the local CLI. Claude Code added an October 2025 sandbox runtime with a filesystem allowlist and Unix-socket network proxy, enabled by default in the web product. Copilot's cloud agent runs in GitHub Actions runners with a built-in egress firewall. Antigravity's preview build has documented sandbox-escape incidents (find_by_name honouring -X, disclosed by Pillar Security and patched February 28, 2026 — Bug Hunters).
Allowlists. Per-project lists of MCP servers, tools, and (for cloud agents) network domains the agent may reach. The Antigravity webhook.site incident in November 2025 came down to an allowlist default that was too permissive (Embrace The Red).
Approval policies. Codex exposes four levels (untrusted, on-failure, on-request, never); Copilot surfaces terminal commands for approval before execution; Claude Code's hook system can block tool calls deterministically; Antigravity gates dangerous actions through a per-agent permission policy.
Identity scoping. Cloud agents run with scoped tokens (a fresh per-session GitHub token, not the user's PAT; a sandboxed Anthropic session; an ephemeral OpenAI session) so a compromised agent cannot drain the user's full credential set.

Notable disclosures: TrustFall (Adversa AI, May 2026) — one-click RCE in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI via the project-trust prompt batching MCP registration with hook execution. Embrace The Red MCP prompt-injection series (2025) — STDIO server tool descriptions and tool results as injection vectors across multiple agents. Pillar Security find_by_name escape (January 2026) — Antigravity tool wrapper honouring fd's -X flag. Antigravity webhook exfiltration (November 2025) — default allowlist enabling outbound POST to webhook.site. The pattern across all four is that exploits target defaults and configurations rather than the underlying loop, which is reassuring architecturally and uncomfortable operationally — a misconfigured agent on a developer's laptop is still a credible threat.

A November 2025 Anthropic report described what it called suspected state-sponsored use of Claude Code against dozens of organisations, with the agent reportedly executing 80-90% of the operation autonomously. That episode is part of why hooks, allowlisting, network proxying, and the move to hosted sandboxes have all become headline features rather than power-user knobs across the category.

Pricing patterns¶

Pricing is where the four vendors look most different on paper and most similar in trajectory.

Anthropic sells Claude Code through a subscription tier (Pro at $20/mo, Max 5x at $100/mo, Max 20x at $200/mo, Team at $30/seat, Enterprise custom) that covers in-product usage, and a per-token API tier that the Agent SDK consumes when self-hosted. Bedrock, Vertex, and Microsoft Foundry act as alternative routing surfaces.

GitHub Copilot runs on a premium-request meter: each plan ships a monthly bucket (Free 50, Pro 300, Pro+ 1500, Business 300, Enterprise 1000), overage is $0.04 per premium request, and a cloud-agent session consumes one premium request plus the GitHub Actions minutes it burned. The June 1, 2026 transition to fully usage-based billing is the explicit acknowledgement that bucket accounting cannot price long-horizon agent work cleanly.

OpenAI Codex is included in every paid ChatGPT plan (Plus $20, Pro from $100, Business/Edu/Enterprise per-seat), with rate limits resetting on a rolling 5-hour window for ChatGPT-backed usage. API-key users pay token rates ($1.75/M input, $14.00/M output on gpt-5.3-codex). OpenAI is also moving toward a usage-based credit model that meters compute-hours and tokens for Cloud sessions.

Antigravity is free public preview. There is no enterprise SKU yet; external Claude and GPT-OSS calls inside Antigravity are not metered against the user. That economics is plainly transitional — the question is how Google will price third-party inference once paid SKUs arrive.

The direction of travel is consistent: usage-based-by-default. Per-session and per-request meters mis-price agent work because the variance in cost per task is enormous (a five-minute lint fix vs. a three-hour migration burn the same "session" but two orders of magnitude apart in tokens and compute). Expect every vendor to be on usage-based metering by 2027.

Where the category is going¶

Five forces are visibly shaping the next twelve to eighteen months.

Multi-agent orchestration. Antigravity's Manager Surface is the first product to bake fleet-views of parallel agents into the IDE, but the pattern is being copied: Codex's experimental multi-agent worktree orchestration, Claude Code's sub-agent pattern, Copilot's third-party-agent slots all point the same way. The unit of work is moving from "one developer with one agent" to "one developer orchestrating several".

Longer-horizon tasks. Model context windows have stretched to 400K (GPT-5.3-Codex) and 256K (GPT-5-Codex, Claude Opus 4.7), and the agentic tuning is increasingly aimed at multi-hour task horizons rather than one-shot completions. The Wiz public report of a 50,000-line Python-to-Go migration in roughly twenty hours of Claude Code is the kind of horizon that did not exist in 2024.

Persistent artefacts. Antigravity's artifact model — every plan, screenshot, terminal transcript, and browser session captured as a reviewable unit — addresses the gap that one-shot diffs leave behind. Other vendors have piecewise equivalents (Codex Cloud session transcripts, Copilot Actions logs, Claude Code session files) but Antigravity is the first to treat the artifact stream as a first-class product surface. Expect peer products to ship variants.

Cross-vendor agent-to-agent protocols. A2A — agent-to-agent — is the next protocol layer after MCP: a way for one vendor's agent to delegate sub-tasks to another vendor's agent over a shared schema. Early standardisation work is visible in the same Linux Foundation orbit that hosts AGENTS.md. Whether it succeeds the way MCP did is the year's open question.

Agent ops as a discipline. Allowlists, audit logs, secret scoping, sandboxing, runbook automation, and incident response for agent-driven systems are becoming distinct operational concerns rather than sub-bullets of "DevOps". Bug Hunters disclosure pages, public sandbox documentation, and SOC2 / DPA coverage for agent products are markers of this professionalisation.

How to pick¶

A short decision matrix to close on, condensed from the side-by-side analysis on agents-comparison:

If you...	Reach for	Why
Live inside GitHub already (issues, PRs, Actions)	GitHub Copilot	Native GH identity, ephemeral Actions runners, third-party agent slots for Claude and Codex
Want a deeply configurable Unix-shaped agent with sub-agents, hooks, Skills	Claude (Claude Code)	File-and-folder configuration, plugin marketplaces, sandbox runtime, model strength on long reasoning
Want shared CLI/IDE/Cloud state with bi-directional hand-off	Codex	Same `config.toml` and `AGENTS.md` across surfaces; `codex pull` between cloud and local
Want fleet-view orchestration of multiple parallel agents with persisted artifacts	Antigravity	Manager Surface, controlled Browser Surface, multi-model picker, free preview
Need to generate a brand-new app from a single prompt	GitHub Spark	App-builder meta-agent; deployed runtime; backing repo with two-way sync
Need strict data-locality and zero-data-retention	Claude Code (self-hosted SDK) or Codex CLI (API key)	Local execution, no cloud surface; ZDR-friendly
Want minimum lock-in via portable configuration	Any — write `AGENTS.md` and an MCP server set	Portable across all four vendors today
Prefer free for now	Antigravity (preview) or Codex (Free/Go tier with `-nano`)	Both viable for low-volume usage

The honest summary: the four vendor stacks are now close enough that the choice is rarely "which is the best agent" and usually "which ecosystem you already live in". GitHub-native teams pick Copilot; OpenAI-paying teams pick Codex; teams that value composability and deep configurability pick Claude; teams excited by fleet-orchestration of long-horizon work pick Antigravity. Cross-vendor portability through AGENTS.md, MCP, and SKILL.md means that the cost of being wrong is lower than it has ever been. The vendor pages — claude-agents, github-copilot-agents, codex-agents, antigravity-agents — go to the depth required to make any of those choices well.

Sources¶

Changelog¶

2026-05-11 — Hub page created; synthesises four vendor sub-pages (claude-agents, github-copilot-agents, codex-agents, antigravity-agents) with cross-cutting analysis (confidence 85)