Jul 08, 2026 ai-code

MCPlexer Review 2026: The Cross-Harness MCP Gateway for Multi-Agent Workflows

In-depth review of MCPlexer — a unified MCP operating layer that provides directory-scoped routing, durable workers, task management, browser control, and cross-harness delegation across Claude Code, Codex, Cursor, and six other AI coding tools.

The MCP ecosystem is fragmenting fast. Every major AI coding tool now speaks the Model Context Protocol, but each runs its own MCP server stack, its own tool configurations, and its own authentication state. For developers who switch between Claude Code for architecture work, Codex for implementation, and Cursor for quick edits, this means maintaining three separate MCP environments — each with slightly different capabilities, permissions, and failure modes.

MCPlexer aims to be the unified operating layer that sits between your AI tools and your infrastructure. Think of it as what direnv does for environment variables, but for MCP: based on your current working directory, MCPlexer automatically routes your coding agent to the right tools, with the right permissions, and the right credentials. It’s a single Go binary that replaces fragmented per-tool MCP configurations with a centralized, directory-scoped routing system — and then layers on durable task workers, browser control, approval workflows, and cross-harness delegation.

MCPlexer

What MCPlexer Does

At its core, MCPlexer is an MCP gateway with directory-aware context switching. When you define a workspace, you bind it to a directory tree. The tools, policies, and servers available to your coding agent depend on which directory you’re in. Move from your open-source project to your work repository, and the toolset changes automatically — with different credentials, different permissions, and different audit requirements.

The routing engine reads the working directory directly from the kernel (in stdio mode), making workspace binding tamper-proof. Rules are sorted by specificity, the longest path prefix wins, and deny rules stop the evaluation chain immediately. Beyond routing, MCPlexer provides durable task workers that keep agents running across sessions with stable IDs and leases, a built-in OAuth 2.0 + PKCE layer for provider authentication, a full audit trail for every tool call, and a human-in-the-loop approval system with a PWA dashboard that pushes OS notifications.

Use Cases

  • Teams running multiple AI coding agents simultaneously, each needing different tool permissions per project — route Claude Code to GitHub + Linear APIs in one workspace, Codex to internal docs in another.
  • Solo developers wanting safety guardrails — allow file edits in public repos but require manual approval for private or production repositories.
  • Security-conscious organizations deploying AI coding agents at scale with “no self-approval” policies and full audit trails for compliance.
  • Multi-agent orchestration — use durable workers and the task manager to coordinate parallel code review, testing, and documentation agents.

Key Features

Directory-Scoped MCP Routing

The routing model is MCPlexer’s defining feature. Workspaces are bound to directory trees, and the active workspace is determined by your current working directory — read directly from the kernel for tamper resistance. Rules cascade by path specificity: the longest matching prefix determines which tools are available, deny rules halt evaluation immediately, and sorting is deterministic. This is genuinely novel in the MCP ecosystem and solves real multi-project pain.

Cross-Harness Delegation and Durable Workers

Agents can delegate work across models and tools: a Claude Code instance handling architecture can spawn a worker to run tests or inspect files, then receive results for review. Workers are durable — they persist across sessions with stable IDs and lease-based state tracking, enabling long-running agent workflows that survive restarts.

Human-in-the-Loop Approvals

Per-route approval requirements with SSE streaming to a PWA dashboard. The “no self-approval shortcut” design ensures agents cannot authorize their own destructive operations. Approval requests appear with OS notifications on the operator’s device, closing the loop without requiring constant attention.

Built-in OAuth 2.0 + PKCE

Provider templates for GitHub, Linear, Google, and ClickUp with automatic token refresh. Credentials are injected transparently into tool calls — agents see auth scopes, not pasted tokens. Secrets at rest are encrypted with age (filippo.io/age), avoiding plaintext credential storage.

Self-Configurable via MCP Control Server

MCPlexer exposes its own configuration as MCP tools (19 tools via the control server), meaning agents can configure routing rules, workspaces, and server connections by talking to MCPlexer directly. YAML config is also supported for version-controlled, GitOps-style management.

Pricing

MCPlexer is free and open-source under AGPL-3.0-or-later. Self-hosted as a single Go binary with no managed service. For organizations needing non-copyleft terms, commercial licenses are available from Don Works (Revitt) — pricing requires contacting the author. Infrastructure costs are borne by the operator.

Common Questions

How does MCPlexer compare to Anthropic’s official MCP Gateway? Anthropic’s gateway focuses on basic proxying and auth. MCPlexer is effectively a superset — it adds directory-scoped routing, durable workers, cross-harness delegation, browser control, and human-in-the-loop approvals. Choose the official gateway for simple proxying; choose MCPlexer for multi-agent orchestration.

Is this production-ready? With 3 GitHub stars, a single contributor, and a June 2026 creation date, MCPlexer is firmly early-stage. The feature set is ambitious and well-designed, but it lacks production case studies, community validation, and long-term reliability data. Consider it a promising alpha for teams comfortable with bleeding-edge infrastructure.

Verdict

MCPlexer is the most ambitious MCP infrastructure project to emerge in 2026. The directory-scoped routing concept alone solves a real headache for polyglot developers, and the layered features (workers, approvals, audit, OAuth) add up to a genuinely comprehensive operating layer for AI coding agents.

The caveats are significant: AGPL licensing may deter commercial adoption, the project is weeks old with virtually no community, and the “unified everything” scope risks becoming maintenance-heavy for a solo developer. But the architecture is sound, the code is clean (pure Go, single binary), and the design decisions — tamper-proof CWD reading, no self-approval, age-encrypted secrets — reflect serious security thinking. For teams already running multiple AI coding harnesses and willing to invest in early-stage infrastructure, MCPlexer is worth a serious evaluation. For everyone else, it’s a project to watch closely.

Explore the best AI Coding tools

Related Articles

Subscribe to the 9bests weekly — get the full list free

Hand-picked AI tool reviews and updates every week. Subscribe to receive this full list + 7 more quick-reference sheets (writing / image / video / audio / chat models / data / API cost).

Subscribe free & get it →

Independent reviews — ratings aren't influenced by vendor payments · double opt-in · unsubscribe anytime