I doesn't matter how it "should" work. In the real world you need to interact with external systems which don't have granular enough permission schemes.
People out here letting Claude code run CLIs using their own user permissions are morons waiting to have their data deleted.
CLI enables the actions to be made on behalf of you, the external service is not aware whether it's you or AI making the calls. With MCP, Sentry knows it's AI making the call so can be smarter about the security. There is many MCP annotation hints on tools to mark the as destructive, read-only etc.
That's interesting, but that still sounds like something a proper auth/token permission system would more than address. You're also actively choosing to limit what functionality MCP provides, which is fine, but there are many ways to do the same via the API or CLI tooling.
I'm not saying you are wrong to do this, I just don't think it's enough to convince me that yes this is the one true approach you should use.
People out here letting Claude code run CLIs using their own user permissions are morons waiting to have their data deleted.