MCPlexer Review 2026: The Cross-Harness MCP Gateway for Multi-Agent Workflows
In-depth review of MCPlexer — a unified MCP operating layer that provides directory-scoped routing, durable workers, task management, browser control, and cross-harness delegation across Claude Code, Codex, Cursor, and six other AI coding tools.
The MCP ecosystem is fragmenting fast. Every major AI coding tool now speaks the Model Context Protocol, but each runs its own MCP server stack, its own tool configurations, and its own authentication state. For developers who switch between Claude Code for architecture work, Codex for implementation, and Cursor for quick edits, this means maintaining three separate MCP environments — each with slightly different capabilities, permissions, and failure modes.
MCPlexer aims to be the unified operating layer that sits between your AI tools and your infrastructure. Think of it as what direnv does for environment variables, but for MCP: based on your current working directory, MCPlexer automatically routes your coding agent to the right tools, with the right permissions, and the right credentials. It’s a single Go binary that replaces fragmented per-tool MCP configurations with a centralized, directory-scoped routing system — and then layers on durable task workers, browser control, approval workflows, and cross-harness delegation.

What MCPlexer Does
At its core, MCPlexer is an MCP gateway with directory-aware context switching. When you define a workspace, you bind it to a directory tree. The tools, policies, and servers available to your coding agent depend on which directory you’re in. Move from your open-source project to your work repository, and the toolset changes automatically — with different credentials, different permissions, and different audit requirements.
The routing engine reads the working directory directly from the kernel (in stdio mode), making workspace binding tamper-proof. Rules are sorted by specificity, the longest path prefix wins, and deny rules stop the evaluation chain immediately. Beyond routing, MCPlexer provides durable task workers that keep agents running across sessions with stable IDs and leases, a built-in OAuth 2.0 + PKCE layer for provider authentication, a full audit trail for every tool call, and a human-in-the-loop approval system with a PWA dashboard that pushes OS notifications.
Use Cases
- Teams running multiple AI coding agents simultaneously, each needing different tool permissions per project — route Claude Code to GitHub + Linear APIs in one workspace, Codex to internal docs in another.
- Solo developers wanting safety guardrails — allow file edits in public repos but require manual approval for private or production repositories.
- Security-conscious organizations deploying AI coding agents at scale with “no self-approval” policies and full audit trails for compliance.
- Multi-agent orchestration — use durable workers and the task manager to coordinate parallel code review, testing, and documentation agents.
Key Features
Directory-Scoped MCP Routing
The routing model is MCPlexer’s defining feature. Workspaces are bound to directory trees, and the active workspace is determined by your current working directory — read directly from the kernel for tamper resistance. Rules cascade by path specificity: the longest matching prefix determines which tools are available, deny rules halt evaluation immediately, and sorting is deterministic. This is genuinely novel in the MCP ecosystem and solves real multi-project pain.
Cross-Harness Delegation and Durable Workers
Agents can delegate work across models and tools: a Claude Code instance handling architecture can spawn a worker to run tests or inspect files, then receive results for review. Workers are durable — they persist across sessions with stable IDs and lease-based state tracking, enabling long-running agent workflows that survive restarts.
Human-in-the-Loop Approvals
Per-route approval requirements with SSE streaming to a PWA dashboard. The “no self-approval shortcut” design ensures agents cannot authorize their own destructive operations. Approval requests appear with OS notifications on the operator’s device, closing the loop without requiring constant attention.
Built-in OAuth 2.0 + PKCE
Provider templates for GitHub, Linear, Google, and ClickUp with automatic token refresh. Credentials are injected transparently into tool calls — agents see auth scopes, not pasted tokens. Secrets at rest are encrypted with age (filippo.io/age), avoiding plaintext credential storage.
Self-Configurable via MCP Control Server
MCPlexer exposes its own configuration as MCP tools (19 tools via the control server), meaning agents can configure routing rules, workspaces, and server connections by talking to MCPlexer directly. YAML config is also supported for version-controlled, GitOps-style management.
Pricing
MCPlexer is free and open-source under AGPL-3.0-or-later. Self-hosted as a single Go binary with no managed service. For organizations needing non-copyleft terms, commercial licenses are available from Don Works (Revitt) — pricing requires contacting the author. Infrastructure costs are borne by the operator.
Common Questions
How does MCPlexer compare to Anthropic’s official MCP Gateway? Anthropic’s gateway focuses on basic proxying and auth. MCPlexer is effectively a superset — it adds directory-scoped routing, durable workers, cross-harness delegation, browser control, and human-in-the-loop approvals. Choose the official gateway for simple proxying; choose MCPlexer for multi-agent orchestration.
Is this production-ready? With 3 GitHub stars, a single contributor, and a June 2026 creation date, MCPlexer is firmly early-stage. The feature set is ambitious and well-designed, but it lacks production case studies, community validation, and long-term reliability data. Consider it a promising alpha for teams comfortable with bleeding-edge infrastructure.
Verdict
MCPlexer is the most ambitious MCP infrastructure project to emerge in 2026. The directory-scoped routing concept alone solves a real headache for polyglot developers, and the layered features (workers, approvals, audit, OAuth) add up to a genuinely comprehensive operating layer for AI coding agents.
The caveats are significant: AGPL licensing may deter commercial adoption, the project is weeks old with virtually no community, and the “unified everything” scope risks becoming maintenance-heavy for a solo developer. But the architecture is sound, the code is clean (pure Go, single binary), and the design decisions — tamper-proof CWD reading, no self-approval, age-encrypted secrets — reflect serious security thinking. For teams already running multiple AI coding harnesses and willing to invest in early-stage infrastructure, MCPlexer is worth a serious evaluation. For everyone else, it’s a project to watch closely.
Explore the best AI Coding tools
Related Articles
agent-run Review 2026: Run Coding Agents in a Sandbox Smaller Than a Megabyte
In-depth review of agent-run — a tiny standalone binary that runs pi, opencode, codex, or claude inside a Bubblewrap sandbox so AI coding agents can't touch anything outside your project.
Best AI Agent Tools in 2026: From Coding Assistants to Autonomous Workers
Complete guide to AI agent tools in 2026 — Claude Code, Codex, Cursor, Manus, and more. Which agents actually deliver on the promise of autonomous work?
Best AI Coding Tools in 2026: Cursor vs GitHub Copilot
Compare the top 5 AI coding tools of 2026: Cursor, GitHub Copilot, Claude Code, v0, and Windsurf. Find the best AI pair programmer for your workflow.
Bolt.new Review: In-Browser Full-Stack App Builder with Live Preview
A comprehensive review of Bolt.new, the AI tool that generates and previews full-stack web applications instantly in your browser with interactive feedback.
Subscribe to the 9bests weekly — get the full list free
Hand-picked AI tool reviews and updates every week. Subscribe to receive this full list + 7 more quick-reference sheets (writing / image / video / audio / chat models / data / API cost).
Subscribe free & get it →Independent reviews — ratings aren't influenced by vendor payments · double opt-in · unsubscribe anytime