AI agents require interfaces to interact with external systems such as files, APIs, databases, and cloud services. Two competing paradigms have emerged: CLI (Command Line Interface), where agents execute shell commands directly, and MCP (Model Context Protocol), a structured JSON-RPC protocol providing governed, typed tool access. This paper presents a comparative analysis across 14 evaluation dimensions, supported by worked examples, security assessment against established compliance frameworks, and economic modeling. Our analysis indicates that CLI provides superior efficiency for single-user, local-only workflows, while MCP addresses requirements that CLI fundamentally cannot satisfy, including fine-grained access control, credential isolation, structured audit, and multi-tenant governance. We further examine how progressive disclosure techniques eliminate MCP's historical weakness (context window overhead), yielding token efficiency comparable to CLI while preserving its architectural benefits. A hybrid architecture is recommended for production systems. This analysis draws upon academic, government, and industry sources including NSA formal guidance (CSI U/OO/6030316-26), OWASP security standards, and economic modeling from BCG and Gartner.
Keywords: Model Context Protocol, AI Agents, Tool Integration, Enterprise Security, LLM Architecture, RBAC, Compliance, Token Economics
Table I. Paper Coverage Structure
| Area | Key Finding | Section |
|---|---|---|
| Operational performance | CLI is faster for simple, local tasks (2–5× latency advantage); MCP provides more deterministic outputs and structured error handling | §III, §IV |
| Security and compliance | CLI grants unbounded system access; MCP satisfies 6 of 6 evaluated compliance frameworks (SOC2, HIPAA, FedRAMP, PCI-DSS, ISO 27001, GDPR) | §V |
| Token economics | Naive MCP loading imposes significant overhead (up to 55K tokens); progressive disclosure reduces this to ~170 tokens, eliminating CLI's cost advantage | §VII, §VIII |
| Enterprise scalability | CLI requires container-per-user isolation at scale; MCP's session-level RBAC reduces infrastructure cost beyond ~5 concurrent users | §III, §VII |
| Risk analysis | CLI exposes 7 architectural attack vectors (injection, exfiltration, escalation); MCP's bounded execution surface reduces but does not eliminate risk | §VI |
AI agents (LLM-based systems that autonomously decide which tools to call and in what sequence) require integration mechanisms to interact with external systems. As organizations deploy AI agents at enterprise scale, the choice of integration architecture has profound implications for security, compliance, cost, and operational reliability.
Two paradigms compete for this role: (1) CLI (Command Line Interface), where the agent executes shell commands directly on the host system, leveraging the model's pre-trained knowledge of Unix/Windows commands; and (2) MCP (Model Context Protocol), a standardized JSON-RPC protocol connecting AI models to purpose-built tool servers with typed inputs/outputs, permission boundaries, and structured audit trails.
This paper provides a rigorous comparative analysis answering the core research question: Is MCP a necessary abstraction layer for secure, governed AI-agent interactions at enterprise scale, or is it unnecessary complexity when CLI tools can accomplish the same tasks more efficiently?
Our principal conclusion is that the CLI-vs-MCP debate presents a false dichotomy. The two paradigms serve fundamentally different trust levels. The optimal architecture for production systems is hybrid: CLI for local developer operations, MCP for any interaction that crosses a trust boundary or requires organizational governance.
The remainder of this paper is organized as follows. Section II defines key terms. Section III establishes scope and assumptions. Section IV presents the core 14-dimension comparative analysis. Section V provides worked examples at increasing complexity. Section VI evaluates security and compliance. Section VII examines risk. Section VIII models cost and token economics. Section IX addresses progressive disclosure. Section X surveys industry adoption. Section XI presents a decision framework, and Section XII concludes with recommendations. Table I summarizes the coverage structure.
| Term | Definition | Key Characteristic |
|---|---|---|
| CLI | Command Line Interface - text commands in bash/PowerShell/zsh | Unstructured I/O; full system access; model knowledge from training |
| MCP | Model Context Protocol - JSON-RPC connecting models to tool servers | Structured typed I/O; per-tool permissions; schema-defined contracts |
| AI Agent | LLM system autonomously selecting and invoking tools | Decisions based on context window contents; tool-use loop |
| Context Window | Total token budget for a conversation/task (128K–1M tokens) | Finite; tool schemas consume tokens; key economic constraint |
| Tool Schema | JSON definition of tool name, params, and return type | MCP requires at runtime; CLI relies on pre-trained knowledge |
| In Scope | Out of Scope |
|---|---|
| File operations, Git, API calls, database queries | GUI automation, browser-based tools |
| Single-agent and multi-agent patterns | Agent-to-agent communication protocols |
| Enterprise security, RBAC, compliance | Specific vendor pricing (changes frequently) |
| Token economics, latency, reliability, state management | Model fine-tuning approaches |
Each paradigm is assessed against six dimensions:
| Criterion | Measures |
|---|---|
| Efficiency | Token cost, latency, steps to complete, context window utilization |
| Security | Access control, blast radius, credential isolation, input validation |
| Reliability | Error rates, output determinism, retry semantics, idempotency |
| Scalability | Multi-user, multi-tenant, enterprise governance |
| Maintainability | Version brittleness, state leakage, upgrade path, schema evolution |
| Compliance | SOC2, HIPAA, GDPR, PCI-DSS, ISO 27001, FedRAMP |
Table II. Fourteen-Dimension Evaluation Matrix
| # | Dimension | CLI | MCP | Winner |
|---|---|---|---|---|
| 1 | Setup Cost | Zero - commands pre-exist | Server deployment + schema registration | CLI |
| 2 | Context Window Cost | ~0 tokens (model knows commands) | 100–55,000 tokens (static); ~170 tokens with progressive disclosure§IX | TIE* |
| 3 | Model Familiarity | Millions of examples in training data | Must read schema at runtime | CLI |
| 4 | Output Parsing | Unstructured text - model interprets | Structured JSON - deterministic | MCP |
| 5 | Error Handling | Exit codes + stderr (ambiguous) | Typed error responses with codes | MCP |
| 6 | Access Control (RBAC) | All-or-nothing shell access | Per-tool, per-user, per-resource | MCP§VI |
| 7 | Audit Trail | Shell history (unreliable, unstructured) | Structured: who, what, when, result | MCP§VI |
| 8 | Blast Radius | Unlimited (rm -rf, credential theft) | Bounded to exposed capabilities | MCP§VI |
| 9 | Compliance | Very difficult - no built-in controls | Native: consent, classification, retention | MCP§VI |
| 10 | Multi-Tenant | Container per user ($$$) | Session isolation, per-user scoping | MCP§V-C |
| 11 | Tool Discovery | No runtime discovery | Dynamic capability negotiation | MCP§IX |
| 12 | Composability | Pipe chains (fragile parsing) | Typed chaining with validation | MCP |
| 13 | Speed (Simple Tasks) | Fastest - direct execution | JSON-RPC overhead (~50–200ms) | CLI |
| 14 | Ecosystem Breadth | Thousands of Unix/Windows commands | 5,800+ MCP connectors (growing) | TIE |
Dimension 1: Setup Cost. CLI commands exist on every Unix and Windows installation. An agent can invoke grep, curl, or git with no prior configuration. MCP requires deploying at least one server process (or connecting to a hosted endpoint), registering tool schemas, and configuring authentication. For ephemeral tasks on a developer's local machine, this overhead is difficult to justify.
Dimension 3: Model Familiarity. Large language models are trained on corpora containing millions of shell command examples from man pages, Stack Overflow posts, and open-source repositories. The model already knows that grep -rn "pattern" . searches recursively with line numbers. MCP tools, by contrast, are novel to the model; it must parse the JSON schema at runtime to learn what parameters a tool accepts. This distinction narrows over time as MCP schemas appear in training data, but as of mid-2026, CLI retains a significant advantage in zero-shot accuracy for shell operations.
Dimension 4: Output Parsing. CLI output is free-form text. The output of ls -la differs between GNU coreutils and BSD; docker ps output changed format between Docker 23 and 24. The model must interpret column alignment, handle locale-dependent date formats, and distinguish informational output from errors. MCP returns typed JSON with a contract: a read_file tool always returns {"content": "..."}. Downstream processing (chaining tools, populating UI) becomes deterministic rather than heuristic.
Dimension 12: Composability. CLI achieves composition through pipes: cat file | grep pattern | wc -l. This works well for text streams but breaks when output format changes between versions. If an upstream command adds a header line, downstream counts become incorrect. MCP supports typed chaining: one tool's structured output feeds directly into another tool's validated input schema. The MCP client can verify type compatibility before invocation, preventing silent failures.
Dimension 13: Speed. For simple local operations, CLI executes a system call directly. No serialization, no network round-trip, no protocol negotiation. MCP adds JSON-RPC serialization, transport (typically stdio or HTTP), server-side deserialization, execution, and response serialization. Measured overhead ranges from 50ms (stdio transport, local server) to 200ms (HTTP transport, remote server). For a single file read, this latency is noticeable. For a complex workflow with 20+ tool calls, it becomes negligible relative to LLM inference time.
Dimension 14: Ecosystem Breadth. CLI has decades of accumulated tooling: thousands of Unix utilities, package managers, cloud CLIs (aws, az, gcloud), database clients, and container runtimes. MCP, launched in late 2024, has grown to over 5,800 registered connectors as of mid-2026. The ecosystems overlap substantially (most CLI tools now have MCP equivalents), making this dimension a draw. The relevant difference is not breadth but access model: CLI tools grant full capability by default; MCP connectors expose only explicitly declared operations.
Schema tokens: 0
Result: Raw text
Schema tokens: ~2,000
Result: Structured JSON
Finding 1: For trivial local operations, CLI is simpler and equally effective. The absence of protocol overhead results in lower latency and zero schema cost.
Risks: DBA credentials exposed, DROP/DELETE possible, no rate limiting, connection strings in history
Protections: Read-only enforced, DDL blocked, credentials opaque, row-level security, rate limited
Finding 2: MCP is a prerequisite for production data access. Any CLI-based approach exposes credentials and permits unrestricted DDL operations, which would fail a security audit under SOC2 or HIPAA requirements.
Finding 3: At enterprise scale (multi-user, governed environments), MCP provides native governance primitives while CLI requires expensive infrastructure workarounds that still cannot match MCP's granularity.
Table III. Security Requirements Assessment
| Requirement | CLI Assessment | MCP Assessment |
|---|---|---|
| Least Privilege | Does not satisfy - all-or-nothing shell access | Satisfies - per-tool granular permissions |
| Credential Isolation | Does not satisfy - env vars visible to agent | Satisfies - server-held, opaque to model |
| Input Validation | Does not satisfy - vulnerable to command injection | Satisfies - JSON schema enforcement |
| Output Sanitization | Does not satisfy - stdout may leak secrets | Satisfies - controlled return values |
| Audit (SOC2) | Weak - shell history only (unstructured) | Satisfies - structured event logging |
| Data Classification | Does not satisfy - no data awareness | Satisfies - data labeling support |
| Human-in-the-Loop | Not supported - immediate execution | Satisfies - approval flow integration |
| Rate Limiting | Not supported - risk of resource exhaustion | Satisfies - per-user rate limits |
Table IV. Compliance Framework Mapping
| Framework | Key Requirement | CLI | MCP |
|---|---|---|---|
| SOC 2 Type II | Access control + audit evidence | Manual, significant gaps | Native support |
| HIPAA | Minimum necessary access to PHI | Cannot restrict adequately | Per-field redaction |
| GDPR | Access logging + right to erasure | Partially achievable | Automated DPA compliance |
| PCI-DSS | Network segmentation | Flat network exposure | API boundary enforced |
| ISO 27001 | Risk management + access review | Achievable but expensive | Built-in controls |
| FedRAMP | Continuous monitoring + boundary | No protocol boundary | Protocol = authorization boundary |
Note: The NSA published formal security guidance for MCP in May 2026 (CSI U/OO/6030316-26). No equivalent guidance exists for CLI-based AI agents because CLI provides no security architecture to govern. The absence is itself a risk indicator.
| Risk | Attack Vector | Impact | Likelihood |
|---|---|---|---|
| Shell Injection | Malicious command from prompt injection | Critical | Medium |
| Credential Theft | Agent reads ~/.ssh/*, .env, env vars | Critical | High |
| Data Exfiltration | curl/wget to external endpoints | Critical | Medium |
| Destructive Commands | rm -rf, DROP TABLE, git push --force | High | Medium |
| Resource Exhaustion | Fork bomb, infinite loop, disk fill | High | Low-Med |
| Privilege Escalation | sudo, SUID, container escape | Critical | Low |
| SSRF | curl hits internal metadata endpoints | High | Medium |
| Risk | Attack Vector | Impact | Mitigation |
|---|---|---|---|
| Tool Poisoning | Malicious MCP server returns harmful instructions | High | Server allowlisting, signing |
| Schema Exploitation | Manipulated descriptions trick model | Medium | Trusted registries |
| Excessive Permissions | Overly broad tool scopes | Medium | Least-privilege RBAC |
| Token Overhead | Too many tools loaded | Low | Dynamic loading, filtering |
| Risk Factor | CLI Impact | MCP Impact | Assessment |
|---|---|---|---|
| State Leakage Between Calls | Environment variables, working directory, background processes persist across agent calls. Previous command residue affects subsequent operations. | Each tool call is stateless by protocol design. No cross-call state leakage possible. | MCP wins - architectural isolation |
| Tool Version Brittleness | CLI output format changes silently across OS versions (e.g., ls on macOS vs Linux, date format differences). No contract guarantees. |
Tool schemas are versioned. Breaking changes require explicit schema version bump. Clients can negotiate capabilities. | MCP wins - versioned contracts |
| Retry / Idempotency | No built-in retry semantics. Agent must implement retry logic manually. Non-idempotent commands (append, create) may duplicate on retry. | Server can declare idempotency keys. Protocol supports request IDs for deduplication. Server-side retry logic possible. | MCP wins - protocol-level support |
Key Distinction: CLI risks are architectural and cannot be fixed without abandoning CLI. MCP risks are operational and have documented mitigations from NSA, OWASP, CoSAI, and CSA.
Early critiques of MCP focused on naive schema loading, where an entire server's tool manifest is injected into the context window upfront. Table V compares this naive case against progressive disclosure (Section IX) and the often-overlooked overhead of CLI-based agents.
Table V. Per-Operation Token Cost Comparison
| Cost Component | CLI Agent | MCP (Naive Loading) | MCP (Progressive Disclosure) |
|---|---|---|---|
| Upfront schema overhead | 0 tokens† | 2,000–55,000 tokens | ~170 tokens (2 meta-tools) |
| Per-tool invocation | 50–200 tokens (command + flags) | 80–150 tokens (structured call) | 80–250 tokens (lookup + call) |
| Output parsing | 100–500 tokens (unstructured text) | 50–150 tokens (structured JSON) | 50–150 tokens (structured JSON) |
| System prompt / tool instructions | 200–600 tokens | Included in schema | Included in meta-tool schema |
| Error recovery (typical) | 300–1,200 tokens/retry | 100–300 tokens/retry | 100–300 tokens/retry |
† CLI agents carry no formal schema, but still require system-prompt instructions describing available commands, output formats, and error handling conventions. This overhead is frequently omitted from CLI benchmarks.
Table VI. Total Cost of Ownership Comparison
| Cost Factor | CLI | MCP |
|---|---|---|
| Token cost / query | Lower (no schema) | Higher without progressive disclosure; comparable with it |
| Security incident cost | $4.88M avg breach (IBM 2024) | Reduced attack surface |
| Compliance audit cost | Manual evidence ($$$) | Automated exports |
| Multi-user infrastructure | Container/user ($$$) | Single server + RBAC ($) |
| Integration maintenance | Custom scripts per tool | 70% reduction (BCG) |
The CLI token-efficiency argument assumes a cooperative, developer-present workflow. Autonomous CLI agents operating without human oversight face compounding costs that are frequently omitted from benchmarks:
| Failure Mode | Token Cost | Explanation |
|---|---|---|
| Script generation | 200–800 tokens | Agent must compose multi-line shell scripts on the fly |
| Output parsing ambiguity | +150–400 tokens/retry | Unstructured stdout requires LLM interpretation; edge cases trigger retries |
| Error recovery loops | +300–1,200 tokens/attempt | Non-zero exit codes → agent re-plans, retries with different flags |
| Environment drift | +500–2,000 tokens | Commands fail due to missing tools, different OS, permission changes |
| Multi-step orchestration | +1,000–5,000 tokens | Complex workflows require piping, temp files, cleanup scripts |
In practice, autonomous CLI agents frequently consume 3–8× more tokens than projected due to retry loops and environment-specific failures [5]. MCP's structured responses eliminate parsing ambiguity entirely, and typed error codes enable deterministic fallback without re-prompting the LLM.
Economics: CLI has lower marginal token cost in ideal conditions. Under autonomous operation with retries and error handling, MCP often achieves lower actual token spend. MCP has lower total cost of ownership at scale. Breakeven: >5 users or regulated data.
The CLI camp's strongest argument, that MCP floods the context window with thousands of tokens of tool schemas, is addressed by progressive disclosure [18]. This pattern exposes only a minimal tool registry at conversation start, loading full schemas on demand.
A typical MCP server (e.g., GitHub) ships 80 tools. At ~700 tokens per schema, this costs ~55,000 tokens injected before the agent performs any useful work. This is the core inefficiency that motivates the "CLI is enough" position.
Progressive disclosure replaces N tool schemas with exactly two meta-tools:
| Meta-Tool | Schema Cost | Function |
|---|---|---|
get_tool(name) | ~80 tokens | Returns the full schema for a named tool on demand |
invoke_tool(name, args) | ~90 tokens | Executes a named tool with provided arguments |
Total upfront cost: ~170 tokens (vs. 55,000 for full disclosure). The agent discovers tools as needed, matching CLI's token profile while retaining MCP's structured guarantees.
Solo.io's agentgateway implements progressive disclosure via a toolMode: Search configuration [18]:
listeners:
- name: mcp-listener
targetGroups:
- name: github-tools
toolMode: Search # ← progressive disclosure enabled
tools:
- name: "create_issue"
- name: "list_pull_requests"
- name: "get_file_contents"
# ... 77 more tools available but NOT loaded into context
When toolMode: Search is set, the gateway advertises only two tools to the LLM client. The agent uses get_tool to discover specific tools when needed, then invoke_tool to call them - paying schema cost only for tools actually used.
Multiple independent implementations have validated progressive disclosure in production, converging on 85-160x token reductions:
Table VII. Progressive Disclosure Token Reduction Benchmarks
| Implementation | Technique | Token Reduction | Source |
|---|---|---|---|
| Speakeasy Dynamic Toolsets | Semantic search + describe_tools | 100–160× (96% avg.) | [19] |
| SynapticLabs Meta-Tool | Discovery + Execution (2 meta-tools) | 85–99% | [20] |
| Kruczek Benchmark | On-demand schema fetch | 85× | [21] |
| Code Execution MCP (Brown) | Sandboxed Python replacing schemas | 98.7% | [22] |
| Glama Token Elimination | Code execution replaces tool registry | 95–99% | [23] |
| Solo.io AgentGateway | toolMode: Search | 71–97% | [18] |
| Scenario | Full Disclosure | Progressive | Savings |
|---|---|---|---|
| GitHub server (80 tools), use 2 | 55,000 tokens | 170 + 1,400 = 1,570 | 97% |
| File system (13 tools), use 2 | 2,100 tokens | 170 + 350 = 520 | 75% |
| Database server (8 tools), use 3 | 4,200 tokens | 170 + 1,050 = 1,220 | 71% |
| Multi-server (150 tools), use 5 | 105,000 tokens | 170 + 3,500 = 3,670 | 96% |
| Enterprise (500+ tools), use 8 | 350,000+ tokens | 170 + 5,600 = 5,770 | 98.4% |
Progressive disclosure transforms the CLI-vs-MCP cost comparison. The SynapticLabs "three-layer architecture" [20] organizes this into: (1) Meta-Tools as entry points (2 tools registered), (2) Bounded Context Packs grouping tools by domain (following the 7±2 cognitive limit), and (3) Individual tool schemas loaded only on invocation. With this pattern active:
Progressive Disclosure: Eliminates MCP's primary cost disadvantage (context window bloat) while retaining all security and governance benefits. With this pattern, MCP achieves CLI-equivalent token efficiency for the first time.
| Organization | MCP Role | Year |
|---|---|---|
| Anthropic | Created MCP; open-sourced specification | 2024 |
| OpenAI | Adopted in ChatGPT & Agent SDK | 2025 |
| Google DeepMind | MCP support in Gemini/Vertex | 2025 |
| Microsoft | MCP in Copilot, Azure AI Foundry | 2025 |
| AWS | MCP in Bedrock agent framework | 2025 |
| Linux Foundation | MCP donated to Agentic AI Foundation | 2025 |
| NSA | Published formal security guidance | 2026 |
| Metric | Value | Source |
|---|---|---|
| Enterprise adoption projected (2025) | 90% | Gartner [14] |
| Integration cost reduction | 70% | BCG |
| Enterprise apps with AI agents (2026) | 40% | Gartner |
| MCP ecosystem connectors | 5,800+ | MCP Registry |
Table VIII. Deployment Recommendation Matrix
| Scenario | Recommendation | Rationale |
|---|---|---|
| Solo developer, local, personal projects | CLI | Fastest, cheapest, no governance needed |
| Prototyping / hackathon | CLI | Speed over governance |
| CI/CD pipeline (trusted) | CLI + MCP | CLI for known commands; MCP for external APIs |
| Team of 5+ sharing agents | MCP | Per-user permissions mandatory |
| Production data access | MCP | Credential isolation required |
| Regulated industry | MCP | Compliance controls mandatory |
| Customer-facing AI product | MCP | Multi-tenant isolation, rate limiting |
| Enterprise (50+ users, SOC2) | MCP | No viable alternative at scale |
This analysis establishes that the CLI-vs-MCP debate is a false dichotomy. The two paradigms serve fundamentally different trust levels within an AI agent architecture:
The recommended architecture is hybrid: CLI for local developer workflows within the trust boundary; MCP for anything crossing trust boundaries, touching production data, or requiring governance. Organizations that use "CLI is enough" as justification to skip MCP are trading short-term token savings (~$0.002/query) for long-term security debt (avg. breach cost: $4.88M).
Final Recommendation: Adopt MCP for all governed, multi-user, or production-facing AI agent interactions. Retain CLI for local developer tooling. This hybrid pattern captures CLI's efficiency without sacrificing MCP's security architecture.
[1] S. Hao et al., "MCP Safety Audit: LLMs with the Model Context Protocol," arXiv:2504.03767, 2025. arxiv.org/abs/2504.03767
[2] J. Chen et al., "A Survey of the Model Context Protocol," Preprints.org, 202504.0245, 2025. preprints.org/manuscript/202504.0245
[3] R. Gupta et al., "The New Interoperability Paradigm: MCP, APIs, and Future of Agentic AI," IEEE / ResearchGate, 2025. researchgate.net/publication/390553042
[4] V. Kumar et al., "Unlocking AI Integration with Model Context Protocol," IJIRSET, vol. 14, no. 4, 2025. ijirset.com
[5] L. Wang et al., "Measuring AI Agent Tool Use Efficiency," arXiv:2503.23278, 2025. arxiv.org/abs/2503.23278
[6] K. Zhang et al., "Benchmarking LLM Tool-Use in Real-World Coding Tasks," Proc. ICML, 2025. icml.cc/virtual/2025
[7] National Security Agency, "MCP: Security Design Considerations for AI-Driven Automation," CSI U/OO/6030316-26, NSA AISC, May 2026. nsa.gov
[8] Coalition for Secure AI, "Securing the AI Agent Revolution: A Practical Guide to MCP Security," CoSAI / OASIS, 2025–26. coalitionforsecureai.org
[9] OWASP Foundation, "MCP Security Cheat Sheet," OWASP Cheat Sheet Series, 2025. owasp.org
[10] Cloud Security Alliance, "MCP Security Resource Center," CSA, 2025. cloudsecurityalliance.org
[11] CoSAI / OASIS Open, "MCP Security Taxonomy (40 Threats, 12 Categories)," 2026. oasis-open.org
[12] Boston Consulting Group, "Put AI to Work Faster Using Model Context Protocol," BCG, 2025. bcg.com
[13] Forbes Tech Council, "How MCP Can Power Enterprise AI," Forbes, May 2025. forbes.com
[14] Gartner, "MCP In Enterprise: Building Interoperable AI Agent Infrastructure," Gartner / Clarion, 2026. gartner.com
[15] Epinium, "MCP Enterprise Security and Governance," 2025. epinium.com
[16] IBM, "Architecting Secure Enterprise AI Agents with MCP," IBM Think, 2025. ibm.com
[17] Scalekit / MindStudio, "CLI vs MCP: Scaling AI Tool Interfaces (benchmark)," 2025. modelcontextprotocol.io
[18] Solo.io, "MCP Progressive Disclosure: Scaling Tools Without Scaling Context," Solo.io Blog, 2025. solo.io/blog/mcp-progressive-disclosure
[19] Speakeasy, "How We Reduced Token Usage by 100× with Dynamic Toolsets v2," Speakeasy Engineering Blog, 2025. speakeasy.com
[20] SynapticLabs, "Bounded Context Packs & the Meta-Tool Pattern for MCP," SynapticLabs AI Blog, 2025. blog.synapticlabs.ai
[21] M. Kruczek, "Progressive Disclosure MCP Servers: 85× Token Savings Benchmark," matthewkruczek.ai, 2025. matthewkruczek.ai
[22] E. Brown, "Code Execution MCP Architecture: 98.7% Token Reduction," elijahbrown.info, 2025. elijahbrown.info
[23] Glama, "Eliminating Token Bloat in MCP: Code Execution as Architecture," Glama AI Blog, 2025. glama.ai