Default recommendation
Use CLI when the workflow is local, shell-native, already trusted by developers, or needs to run in CI. Use MCP when the agent needs typed tool discovery, remote policy, server-side auth, or a narrower permission boundary.
Decision matrix
| Scenario | CLI | MCP | Recommendation |
|---|---|---|---|
| Read local repo files | Strong | Weak | CLI |
| Search code and logs | Strong | Medium | CLI first |
| Inspect GitHub PRs | Strong | Strong | CLI locally, MCP for org-level policy |
| Deploy preview builds | Strong | Medium | CLI with approval gates |
| Production SaaS actions | Medium | Strong | MCP/API with scoped tools |
| Database reads | Strong | Strong | CLI for local, MCP/API for remote policy |
| Browser exploration | Medium | Strong | MCP for exploration, CLI for repeatable tests |
| CI automation | Strong | Medium | CLI |
Best pattern
Provide both when possible: CLI for terminal workflows and CI, MCP/API for typed discovery, remote execution boundaries, and stricter permissions.
Practical rule
If the operation can delete, charge money, deploy production, or mutate customer data, prefer the interface with the narrowest permission boundary and the clearest approval path.