PHP: Is php_sapi_name() safe (can the user manipul

Posted 2020-03-19 06:28

Question:

Can the user manipulate the value which is returned by php_sapi_name()?

I have a script which looks like this:

if( php_sapi_name() !== "cli" ){
   die( "NoAccess" );
}

// Do some admin stuff

This script should only (!) be called through command line. Is the code above safe? Or can somebody call the script through HTTP and execute it beyond the if condition?

Answer 1:

php_sapi_name()'s return value is safe to rely on. It's not generated from user data.

You shouldn't have this script accessible to your web server though if you don't want it to be called from your web server. If you cared about safety, this script wouldn't be accessible at all.

You also mentioned .htaccess... don't use that, use a proper config file elsewhere. .htaccess has to be loaded and parsed for every request, which is not efficient.
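
An added example, not part of the original answer: the question's guard as a reusable check, run over a constructed list of SAPI names to show why the comparison has to be exact ("cli-server", PHP's built-in web server, is not "cli"). The helper names is_cli_sapi() and require_cli() are hypothetical.

```php
<?php
declare(strict_types=1);

// SAPI names PHP reports for common entry points (constructed sample list).
const SAMPLE_SAPIS = ['cli', 'cli-server', 'fpm-fcgi', 'apache2handler', 'cgi-fcgi', 'phpdbg'];

/** Hypothetical helper: true only for the command-line SAPI. */
function is_cli_sapi(string $sapi): bool
{
    // Exact match on purpose: "cli-server" is the built-in web server
    // (php -S) and serves HTTP requests, so a prefix test would let it through.
    return $sapi === 'cli';
}

/** Hypothetical helper: stop any non-CLI invocation before admin code runs. */
function require_cli(): void
{
    // PHP_SAPI holds the same value php_sapi_name() returns.
    if (is_cli_sapi(PHP_SAPI)) {
        return;
    }
    // Reached through a web SAPI: answer like a missing page and stop.
    http_response_code(404);
    exit('NoAccess');
}

require_cli();

// Only reached from the command line: show how each sample name is classified.
foreach (SAMPLE_SAPIS as $sapi) {
    printf("%-15s %s\n", $sapi, is_cli_sapi($sapi) ? 'allowed' : 'blocked');
}
```

The guard is a second layer only; as the answer says, the script itself belongs outside any directory the web server can serve.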



Tags: php security