I like this approach ... BUT the big win for me is audit logs. CLIs naturally leave a trail you can replay.

ALSO... the permission boundary is clearer. You can whitelist commands, flags, working dir... it becomes manageable.

HOWEVER... packaging still matters. A “small” CLI that pulls in a giant runtime kills the benefit.

I want the discipline of small protocol plus big cache. Cheap models can summarize what they did and avoid full context in every step...