Kartik Rathi
← Back to Blog

How Claude Code Works

1/17/2026Kartik Rathi#AI#Claude#Code Interpreter#Agentic AI#Sandbox#LLM

Deep dive into Claude Code's architecture: secure sandbox execution, web-based isolation, programmatic tool calling, and agentic task completion for production coding.

How Claude Code Works: Secure Sandbox + Agentic Execution

Anthropic's Claude Code (2025-2026) revolutionized AI coding assistants. Unlike basic code completion, Claude Code executes code in isolated sandboxes, handles multi-step tasks autonomously, and integrates with your full codebase – all while maintaining enterprise-grade security.

Recent updates include web-based sandboxing and programmatic tool calling (PTC), making it production-ready for complex workflows.

Core Architecture: Dual Security Boundaries

Claude Code operates within two hardened boundaries:

┌─────────────────────────────────────┐
│        Claude Code Sandbox          │
│  ┌───────────────────────────────┐  │
│  │ Filesystem Isolation          │  │ ← Only approved directories
│  │ Network Isolation             │  │ ← Approved servers only
│  │ Python/Node.js Execution      │  │
│  │ Package Installation          │  │
│  └───────────────────────────────┘  │
└─────────────────────────────────────┘

Filesystem Isolation: Claude accesses only specific directories (your repo clone), preventing system file tampering.

Network Isolation: Only approved endpoints (GitHub, npm, PyPI). No arbitrary outbound connections.

Execution Flow (Web Version)

When you start a Claude Code session on the web:

graph TD
    A[User: "Fix this bug"] --> B[Clone repo to Anthropic VM]
    B --> C[Launch isolated sandbox]
    C --> D[Claude analyzes code]
    D --> E[Write changes + run tests]
    E --> F[Push to review branch]
    F --> G[User: Create PR]

Key innovation: Credentials (Git tokens, API keys) never enter the sandbox.

Programmatic Tool Calling (PTC) - The Secret Sauce

PTC enables batch tool execution inside Claude's generated scripts.

# Claude generates this script:
def analyze_sales_data():
    df = pd.read_csv("sales.csv")
    metrics = compute_kpis(df)  # Calls YOUR tool
    report = generate_pdf(metrics)  # Calls YOUR tool  
    return report

# Your tools must opt-in:
tools = [
    {
        "name": "compute_kpis",
        "allowed_callers": ["claude-code-execution-v1"]
    }
]

3-Step PTC Flow:

  1. Claude writes script calling your tools
  2. Sandbox executes → emits tool requests
  3. Host resolves tools → feeds results back
  4. Claude gets final processed output only

Artifacts: Live Code Previews

Claude's Artifacts render code/HTML alongside chat (Claude 3.5 Sonnet feature).

Chat: "Build a dashboard"

[Live Artifact Window: Interactive React app + editable code]

Implementation: XML-tagged rendering decisions hidden from user.

Computer Use API (Beta)

For agentic desktop automation (Oct 2024 beta, maturing 2026):

# Claude perceives screen → acts
tools.claude_computer_use(
    instructions="Open VS Code → navigate to main.py → fix the bug on line 42"
)

Vision + Action Loop:

  1. Screenshot → Vision model → "Current state: cursor at line 37"
  2. Generate action: {"type": "key_press", "key": "down"}
  3. Execute → New screenshot → Repeat

Production Security Model

User Repo ──(clone)──> Anthropic VM ──(sandbox)──> Claude Code

                          └─── No credentials leak

Risk mitigations (post-prompt injection concerns):

  • No shell access beyond approved dirs
  • Network whitelisting
  • Ephemeral sessions (destroyed post-task)
  • Audit logging of all actions

Real-World Example: My Workflow

At Arcap REIT AI, I use Claude Code for:

# Natural language → Production changes
"Optimize our RAG retriever: add BM25 hybrid search, 
 re-rank top-10 results, evaluate with RAGAS"

# Claude Code:
1. Analyzes current FastAPI + Qdrant code
2. Adds hybrid retriever (semantic + keyword)  
3. Runs RAGAS eval 12% precision gain
4. Pushes PR with test coverage

Time saved: 4 hours → 20 minutes.

Comparison: Claude Code vs. Others

FeatureClaude CodeCursorGitHub Copilot
Sandbox Exec✅ Python/Node
Full Repo Access✅ Isolated✅ Local✅ Local
PR Generation✅ Auto-branch
Tool Calling✅ PTC
SecurityEnterpriseLocalLocal

2026 Outlook

  1. Native GraphRAG integration
  2. Multi-modal sandboxes (vision + code)
  3. Team collaboration (shared sessions)
  4. Open-source sandbox runtime

Claude Code isn't just a coding assistant – it's an autonomous engineering agent with production-grade isolation. The sandbox + PTC combo makes it uniquely suited for enterprise workflows where security matters as much as velocity.

Try it: claude.ai/code or Anthropic API with code_execution tool.

Based on Anthropic docs. Jan 17, 2026.