mcplexer
Directory-scoped MCP routing and tool control
Route, scope, and secure every AI tool call based on your working directory. Like direnv for MCP. Desktop app or CLI. Local-first. Auditable. Open source.
Built for security-conscious teams
Full control over what AI tools can do on your machine. Directory-scoped policies, human-in-the-loop approvals, complete audit trail.
Open Source
MIT licensed. Pure Go, single binary, zero CGO. Build from source or go install. Runs anywhere Go compiles to.
direnv for MCP
Workspaces bind to directory trees. In stdio mode, your actual CWD determines which policies apply — tamper-proof, inherited from the parent process.
Tool Approvals
Per-route approval requirements. Pending requests stream via SSE to the dashboard. Configurable timeouts, resolution tracking, self-approval prevention.
Self-Configurable via MCP
Run mcplexer control-server to expose 19 MCP tools. Create workspaces, routes, and servers from Claude or any MCP client. Read-only mode available.
OAuth 2.0 + PKCE
Built-in OAuth flows with PKCE. Provider templates for GitHub, Linear, Google, and more. Automatic token refresh. Credentials injected into downstream env vars.
Full Audit Trail
Every tool call logged with workspace, matched route, auth scope, latency. Parameter redaction via per-scope hints. SSE streaming and query API.
Your CWD is your security context
In stdio mode, MCPlexer reads your actual working directory from the OS — no client can fake it. The most specific matching workspace wins. Route rules evaluate deny-first through the workspace ancestor chain.
Route rules match by path glob specificity, then tool pattern specificity, then priority. Deny stops the chain. No match falls back to the workspace default policy.
Four ways to configure
Desktop app for quick setup. YAML for version control. Web UI for visual management. MCP tools for AI-native configuration.
Electron app with system tray, native approval notifications, and bundled Go binary. macOS (Apple Silicon & Intel).
- name: frontend
root_path: ~/projects/app
default_policy: deny
Checked into git. Seeded on startup. YAML-sourced items auto-pruned when removed from file.
localhost:8080/api/v1/routes \
-d '{"name":"allow-github",...}'
Full CRUD on all entities. Real-time dashboard with SSE. API-created items persist across YAML reloads.
# 19 MCP tools exposed
# list_servers, create_route...
Configure MCPlexer from Claude or any MCP client. Read-only mode available for safe introspection.
Up and running in three steps
Install
Clone the repo and run make install. Builds the Go binary, web UI, and Electron shell, then installs MCPlexer.app to /Applications. macOS (Apple Silicon & Intel). CLI available on all platforms.
Launch
Open the app — it starts the Go server, shows a system tray icon, and loads the dashboard. Native notifications for approval requests.
Control
Manage everything from the dashboard, REST API, MCP control server, or YAML config.
And everything else
Local First
No cloud, no telemetry. SQLite database, age-encrypted secrets, everything on your machine.
Stdio + Unix Socket
Stdio for single client, Unix socket for multi-client. CWD injection bridge for Claude Desktop.
Live Dashboard
Real-time metrics, session tracking, approval queue, audit stream. Full web UI for management.
Process Lifecycle
Downstream process management with restart policies, idle timeouts, instance pooling per auth scope.
age Encryption
Secrets encrypted at rest with filippo.io/age. Auto-generated keys. Managed via CLI or control server.
Dry Run
Test routing decisions without execution. CLI or API. See exactly which rule matches and why.
Ready to take control?
Build and install the desktop app on macOS (Apple Silicon & Intel). Or install the CLI on any platform.
go install github.com/revittco/mcplexer@latestor install the CLI directly