Skip to main content

Why this comes up

A common question from teams evaluating agent tooling is: “CLI-based agents feel faster and simpler — why route everything through MCP?” The short answer: speed and security are not the same axis. A raw CLI gives an agent broad, largely unscoped access to a machine, which is hard to observe and hard to constrain. MCP gives you a typed, per-tool boundary that Runlayer can authenticate, scope, scan, and audit. In practice most CLI agent frameworks also speak MCP under the hood, so the “CLI vs. MCP” framing is usually a question of where the control point lives, not whether MCP is involved at all.
Runlayer governs both surfaces. You do not have to choose: MCP traffic flows through the Runlayer gateway, and CLI / IDE activity is captured through client hooks and Sessions.

What raw CLI access means for an agent

Handing an agent a shell or an unrestricted CLI typically grants:
  • The ability to run arbitrary commands, read and write any file the process can reach, and make outbound network calls.
  • Access that is scoped to the user or service account, not to an individual capability. You cannot easily allow read a ticket while denying delete a repository — it is one blanket grant.
  • Limited structured visibility. Command output is unstructured text, so detecting data exfiltration, secret leakage, or destructive actions requires parsing free-form shell history after the fact.
This is why unconstrained CLI access maps to several risks described in Security Threats and the MCP Security Best Practices checklist.

Why MCP is easier to secure

MCP exposes tools as discrete, typed operations. That structure is what makes governance possible:
ControlRaw CLIMCP through Runlayer
IdentityMachine / user accountPer-connector identity, OAuth broker, agent accounts
AuthorizationAll-or-nothing shell accessPer-tool policies and role scoping
Input / output inspectionUnstructured textToolGuard scans args and results (PII, credentials, intent)
AuditShell history, if enabledStructured audit logs per tool call
Runtime behaviorHard to modelAgentGuard session-level trajectory monitoring
Because each MCP tool call is a discrete event, Runlayer can allow, alert, mask, or block at the granularity of a single operation instead of an entire session.

”But the CLI feels faster”

Two things are usually behind the perceived speed difference:
  1. Most CLI agent runtimes already wrap MCP. The CLI is a front end; the tool calls it issues are frequently MCP calls. Adding Runlayer as the control point does not change the interaction model — it adds policy, scanning, and audit to traffic that was already MCP.
  2. Local execution latency. For genuinely local tools, Runlayer runs the CLI as a controlled local proxy rather than removing it. See Local MCPs: the AI client launches runlayer run <server-id>, which authenticates, checks policy, and forwards the request to the local MCP with minimal overhead.
So the tradeoff is not “fast CLI vs. slow MCP.” It is “ungoverned access vs. governed access,” and Runlayer keeps the governed path fast.

How Runlayer covers both surfaces

  • MCP servers — proxied through the Runlayer gateway so every tool call is authenticated, policy-checked, scanned, and logged.
  • CLI and IDE agents — captured through client hooks, which record shell commands, file reads and writes, web fetches, and local tool activity alongside MCP calls. Hooks can also block unmanaged Shadow MCP sources.
  • Custom agent runtimes — integrate the Runlayer Hooks SDK (TypeScript or Python) to send the same lifecycle and tool events through the hook pipeline.
The recommended path is MCP through the gateway for connectors, plus hooks for any CLI/IDE surface you cannot proxy — so you get one consistent control and audit plane regardless of how the agent invokes tools.

MCP Security Best Practices

The full checklist for safely deploying MCP servers.

Security Threats

Threat model for agent tool access, including unrestricted execution.

Sessions

Monitor CLI and IDE agent activity through client hooks.

Local MCPs

How the Runlayer CLI proxies local MCP servers with minimal overhead.