Why this comes up
A common question from teams evaluating agent tooling is: “CLI-based agents feel faster and simpler — why route everything through MCP?” The short answer: speed and security are not the same axis. A raw CLI gives an agent broad, largely unscoped access to a machine, which is hard to observe and hard to constrain. MCP gives you a typed, per-tool boundary that Runlayer can authenticate, scope, scan, and audit. In practice most CLI agent frameworks also speak MCP under the hood, so the “CLI vs. MCP” framing is usually a question of where the control point lives, not whether MCP is involved at all.Runlayer governs both surfaces. You do not have to choose: MCP traffic flows
through the Runlayer gateway, and CLI / IDE activity is
captured through client hooks and Sessions.
What raw CLI access means for an agent
Handing an agent a shell or an unrestricted CLI typically grants:- The ability to run arbitrary commands, read and write any file the process can reach, and make outbound network calls.
- Access that is scoped to the user or service account, not to an individual
capability. You cannot easily allow
read a ticketwhile denyingdelete a repository— it is one blanket grant. - Limited structured visibility. Command output is unstructured text, so detecting data exfiltration, secret leakage, or destructive actions requires parsing free-form shell history after the fact.
Why MCP is easier to secure
MCP exposes tools as discrete, typed operations. That structure is what makes governance possible:| Control | Raw CLI | MCP through Runlayer |
|---|---|---|
| Identity | Machine / user account | Per-connector identity, OAuth broker, agent accounts |
| Authorization | All-or-nothing shell access | Per-tool policies and role scoping |
| Input / output inspection | Unstructured text | ToolGuard scans args and results (PII, credentials, intent) |
| Audit | Shell history, if enabled | Structured audit logs per tool call |
| Runtime behavior | Hard to model | AgentGuard session-level trajectory monitoring |
”But the CLI feels faster”
Two things are usually behind the perceived speed difference:- Most CLI agent runtimes already wrap MCP. The CLI is a front end; the tool calls it issues are frequently MCP calls. Adding Runlayer as the control point does not change the interaction model — it adds policy, scanning, and audit to traffic that was already MCP.
- Local execution latency. For genuinely local tools, Runlayer runs the CLI
as a controlled local proxy rather than removing it. See
Local MCPs: the AI client launches
runlayer run <server-id>, which authenticates, checks policy, and forwards the request to the local MCP with minimal overhead.
How Runlayer covers both surfaces
- MCP servers — proxied through the Runlayer gateway so every tool call is authenticated, policy-checked, scanned, and logged.
- CLI and IDE agents — captured through client hooks, which record shell commands, file reads and writes, web fetches, and local tool activity alongside MCP calls. Hooks can also block unmanaged Shadow MCP sources.
- Custom agent runtimes — integrate the Runlayer Hooks SDK (TypeScript or Python) to send the same lifecycle and tool events through the hook pipeline.
Related
MCP Security Best Practices
The full checklist for safely deploying MCP servers.
Security Threats
Threat model for agent tool access, including unrestricted execution.
Sessions
Monitor CLI and IDE agent activity through client hooks.
Local MCPs
How the Runlayer CLI proxies local MCP servers with minimal overhead.