Code-as-Action Agent
also known as CodeAct Agent, Code-Writing Agent, Python-Action ReAct, Executable Code Actions
Have the agent emit a code snippet as its action each step, executed in a constrained interpreter, instead of emitting JSON tool calls; tool composition becomes function nesting and control flow inside the snippet.
This pattern helps complete certain larger patterns —
- specialisesReAct★★— Interleave a single thought, a single tool call, and a single observation per step so the agent reasons over fresh evidence.
Context
A team is building an agent whose steps frequently need to compose multiple tool results: fetch a list, filter it by some predicate, then call a second tool for each remaining item. The model is strong at writing short snippets of Python or JavaScript, and the deployment can host a sandboxed interpreter that the agent's actions can run in.
Problem
When the action channel is JSON tool calls, the agent has to unroll every composition across many turns. Expressing 'fetch orders, keep the ones over a threshold, then call refund on each' takes a turn for the fetch, a turn to inspect, then one turn per refund, with the whole intermediate list passing through the context window each time. Token cost balloons and the natural composability of a programming language (loops, conditionals, local variables) has to be faked through bespoke meta-tools or multi-turn glue.
Forces
- Programming languages express composition (loops, conditionals, function nesting) natively.
- JSON tool-call format flattens that composition into a sequence of turns.
- Executing model-generated code is a real security surface.
- Models trained on code emit composed actions more compactly than JSON ones.
Example
A data-analysis agent needs to fetch a list of orders, filter to those over a threshold, and call a second tool for each one. With JSON tool calls, it takes a turn per order plus glue. The team switches to Code-as-Action: each step the agent emits a small Python snippet that runs in a constrained interpreter, so the whole composition is one snippet — fetch, filter, loop, call. Tool composition becomes ordinary control flow, and the conversation collapses from twenty turns to one.
Diagram
Solution
Therefore:
Replace the JSON tool-call channel with a code-snippet channel. The agent emits a Python (or DSL) snippet; the host executes it in a sandboxed interpreter that pre-imports the available tools as functions and an allow-list of safe builtins/modules. Tool results are returned as Python values usable by subsequent code. The agent can compose tools inside one snippet (loops, conditionals, intermediate variables) and observe the printed output. Bracket every snippet with a sandbox that whitelists imports and prevents arbitrary IO.
What this pattern forbids. The agent may only execute Python operations against the explicitly allowlisted imports and tool functions; arbitrary import or system calls fail at the sandbox boundary.
The smaller patterns that complete this one —
- usesCode Execution★★— Let the model emit code, run it in a sandbox, and treat the run as the answer instead of trusting the model to compute in its head.
- usesSandbox Isolation★★— Run agent-emitted code or actions in a contained environment with restricted filesystem, network, and process privileges.
And the patterns that stand alongside it, or against it —
- alternative-toTool Use★★— Let the LLM produce typed calls against an external toolkit instead of producing free-form text the surrounding system has to parse.
- alternative-toParallel Tool Calls★★— Allow the model to emit several independent tool calls in one assistant turn; the host executes them in parallel.
- complementsStructured Output★★— Constrain the model's output to conform to a JSON Schema (or similar typed shape).
- composes-withMCP-as-Code-API★— Materialize MCP servers as a directory of typed code wrappers so the agent writes code that imports them and large tool outputs flow between calls inside the sandbox without ever entering the model's context window.
- alternative-toJSON-Only Action Schema✕— Anti-pattern: restrict the agent's action language to JSON tool-call dictionaries even for tasks where code-as-action (functions composing, loops, conditionals over results) would be the natural shape.
- complementsCode-Then-Execute with Dataflow Analysis★— Have the agent emit code in a sandbox DSL whose values are statically tagged trusted/tainted via dataflow analysis before execution, enabling per-value policy enforcement.
Neighbourhood
Click any neighbour to follow the language. Scroll to zoom, drag to pan.
Used in recipes
Used in frameworks
- Cline
Edits + terminal commands are first-class agent actions; apply_patch + editor tools surface diffs; auto-approve gates which become silent.
- AutoGen
CodeExecutorAgent generates and executes code; an alternative is AssistantAgent + PythonCodeExecutionTool.
- CAMEL-AI
CodeExecutionToolkit supports executing model-emitted code across sandboxes; the framework treats execute_code as a first-class action. Does not adopt the CodeAct label.
- OpenHands
Tools include bash + file edit + browser; tools are the agent's capability surface for acting on code.
- Aider
Edits are the action; every edit auto-commits to git.
- Codex CLI
apply_patch is the diff-application primitive; model emits structured create/update/delete operations.
- DB-GPT
SQL and Python.
- MetaGPT
Data Interpreter is MetaGPT's code-as-action agent that writes and executes Python code to solve analytics tasks; the framework also outputs full code projects through the softwar…
- Replit Agent
Agent writes code, sets up project, and shows live preview; file edits and command runs are the action surface.
- TaskWeaver
Core architecture is code-first.
Show 21 more
- ChatDev
- ModelScope-Agent
Agents generate and emit code as artifacts; Code Genesis is the multi-agent code-generation project that produces production-ready software projects from natural language requirem…
- OpenAgents
Data Agent runs Python.
- CodeFuse
- Tongyi Lingma
Agent mode authors and applies code edits directly.
- Zed AI
Write profile and Inline Assistant edit files; terminal commands are tool calls; restore-checkpoint button surfaces after each edit.
- Plandex
Diffs and shell commands are the primitive actions, staged before application.
- MarsCode
- Pochi
Edits and command execution are the agent's primitive actions; custom agents define readFile/writeToFile/executeCommand seams.
- smolagents
The framework's defining thesis. CodeAgent writes actions as code rather than JSON tool calls. Bumped from first-class to core because removing this pattern removes the framework.
- Roo Code
File edits and command execution are the primitive actions in Code/Debug modes; documented as native file system access and terminal control.
- CodeBuddy
- CodeGeeX
- Sourcegraph Cody
Cody focuses more on chat + completions + customizable prompts than autonomous edits; SmartApply/Execute and code-edits exist in VS Code.
- v0
Generated code IS the deliverable; deploy / PR are the action options.
- Comate (Wenxin Kuaima)
- Lovable
Agent mode applies file diffs directly to the project; diffs and summaries are visible.
- Open Interpreter
Action is always a code block emitted by the model and executed via exec(); Open Interpreter equips a function-calling model with an exec() function.
- Qwen-Agent
The agent autonomously writes code and executes it in a Docker sandbox via the built-in Code Interpreter tool; observation = execution result.
- GPT Engineer
Output of each call is whole files / patches written to disk — the model's emitted code is the action. AI writes and executes the code.
- Sweep
Legacy: edits applied to a branch and pushed as PR. Current JetBrains product: tab edits.
References
Provenance
- Source: patterns/code-as-action.md on GitHub · commit
4fa1213· view history - Added to catalog:
- Last updated:
- Contribute: open an issue or PR at github.com/agentpatternscatalog/patterns.