What this page solves
Do not give an agent a random pile of CLIs. Give it a small stack with predictable output, clear safety rules, and commands that map to real development tasks.
Recommended starter stack
| Need | CLI | Why it belongs in the stack | Approval boundary | |---|---|---|---| | GitHub state | GitHub CLI | PRs, issues, releases, workflows with JSON output | merge, close, delete, edit | | Code search | ripgrep | fast repository and log search | writing or deleting files | | JSON parsing | jq | deterministic JSON inspection and transforms | overwriting files | | Data analysis | DuckDB CLI | SQL over CSV, Parquet, JSON, local datasets | INSERT/UPDATE/DELETE, external DB writes | | Secret scanning | Gitleaks | report leaked secrets before commits | allowlist edits, secret rotation | | Vulnerability scanning | Trivy | dependency, container, IaC, SBOM reports | dependency upgrades, policy edits | | Preview deploy | Vercel CLI / Wrangler | preview-first deployment workflows | production deploy and env changes | | Payment testing | Stripe CLI | test-mode webhook validation | live money movement |
Selection rules
1. Prefer tools with JSON, SARIF, CSV, or markdown output. 2. Prefer read-only commands as the first step. 3. Require approval for deploy, delete, refund, merge, production mutation, and database writes. 4. Put safe commands and approval-required commands in AGENTS.md. 5. Use MCP or API tools when a remote service needs typed tools and scoped policy.
Copyable AGENTS.md starter
Allowed without approval:
- rg searches
- jq reads and projections
- gh repo/pr/issue read-only commands with --json
- gitleaks/trivy/semgrep report generation
- npm test and local build checks
Requires approval:
- gh pr merge, gh issue close, release delete
- vercel deploy --prod, wrangler deploy
- stripe live refunds, cancellations, customer updates
- database INSERT/UPDATE/DELETE/DROP/migrations
- dependency upgrades and security ignore-rule changes