Skip to main content

open source · cross-harness AI runtime

Cross-harness runtime for serious AI work.

MCPlexer gives Claude Code, Codex, OpenCode, Cursor, Grok, Pi, Gemini, and other MCP clients the same operating layer: delegations, workers, tasks, memory, browser control, approvals, audit, workspaces, sandboxing, and routed MCP servers.

$ one slim surface · mcpx__search_tools + mcpx__execute_code + secret refs

liveDelegation ledger and worker review loop liveAI-first tasks, memory, mesh, and skills wiredBrowser control available across harnessesApprovals, audit, workspaces, and guards active

Built for the harnesses and tools agents actually use

  • Claude Code
  • Codex
  • OpenCode
  • Cursor
  • Grok
  • Pi
  • Gemini CLI
  • Windsurf
  • custom MCP clients
  • local daemon
  • AGPL source

Full feature list

One runtime for the whole agent operating model.

The important part is not a single dashboard. It is that the same primitives are available across harnesses: work can be delegated, remembered, audited, approved, routed, restricted, and continued.

Harness

One slim tool surface

Every harness sees discovery, batched execution, and secret refs instead of loading a giant static tool list into context.

Delegations

Cross-harness delegation

Delegate between models and harnesses with ease: keep the parent strategic while workers inspect files, run tests, draft changes, and return for scored review.

Workers

Durable AI workers

Manual, scheduled, mesh-triggered, and delegation-backed workers with model profiles, caps, approvals, and live run output.

Tasks

AI-first task manager

A work ledger designed for LLMs: stable IDs, leases, status events, offers, assignments, context packets, and attachments.

Memory

Cross-harness memory

Persistent facts and notes survive model swaps, client swaps, and machines, with consolidation, invalidation, and sharing.

Browser

Remote-capable browser control

Drive visible Chrome, Playwright sessions, and desktop surfaces through the same routed MCP layer, including worker and peer workflows.

Workspaces

Directory-scoped routing

The real working directory decides which servers, tools, auth scopes, routes, and approval policies are available.

Restrictions

Sandboxing and tool gates

Capability presets, allowlists, deny rules, shell guard, sanitizer guard, schedule guard, sandbox guard, and downstream sandboxing.

Approvals

No self-approval shortcut

Sensitive calls pause for review in another session or the dashboard, with OS notifications and a worker approval queue.

Audit

Everything leaves evidence

Tool calls, worker dispatches, model sends, denials, approvals, mesh triggers, memory events, and route decisions are searchable.

Servers

MCP server fabric

GitHub, Linear, Slack, Gmail, Calendar, Postgres, Vercel, WordPress, WooCommerce, Reddit, Telegram, browsers, and custom servers.

Secrets

Auth scopes, not pasted tokens

OAuth and API keys are encrypted at rest, injected only into matching routes, and kept out of transcripts through secret refs.

Mesh

Agent-to-agent coordination

Agents discover peers, exchange findings, offer tasks, send targeted questions, and coordinate across paired machines.

Skills

Reusable playbooks

Search, install, publish, compose, and sync skills so agents load only the guidance they need for the current job.

Models

Model routing and ranks

Capacity routing, provider profiles, cost dashboards, review scores, and leaderboards show which cheap models actually work.

Dashboard

Installable operations view

PWA dashboard for approvals, audit, live signals, workspaces, routes, servers, model providers, backups, and recovery.

Plan

Delegate the work that burns context

Frontier sessions define architecture, scope, and acceptance criteria. Workers do broad inspection, implementation, test loops, and log triage in bounded contexts.

Run

Keep agents working across sessions

Tasks, memory, skills, and mesh give agents durable coordination primitives instead of making every chat rediscover the same project state.

Control

Expose power without losing the boundary

Workspace routing, approvals, audit, tool restrictions, sandboxing, and encrypted auth scopes make powerful MCP servers usable in real repos.

Browser control

Beats Claude Chrome because it is a shared runtime capability.

A browser tied to one chat helps that chat. MCPlexer achieves browser control with brw — a real, visible Chrome window for agents — exposed as routed infrastructure, so the capability works across any harness, durable workers, and paired machines while staying auditable.

Explore brw
  • Cross-harness: Claude Code, Codex, OpenCode, Cursor, Grok, Pi, Gemini, and workers can all use it.
  • Remote-capable: a paired machine or worker can use the browser near the login, network, display, or local service.
  • Semantic-first: snapshots, find, click text, type, press, tabs, and screenshots as fallback.
  • Audited and scoped: browser actions are still routed tool calls with approvals and workspace policy.
  • Visible or clean-room: use real Chrome tabs for human-visible state, or Playwright sessions for automation.

MCP server fabric

Wire up broad capability without flooding every context.

Downstream servers sit behind routes, auth scopes, workspace policy, approvals, and audit. Agents discover what they need when they need it.

Code

GitHubLinearClickUpVercel

Comms

SlackGmailCalendarTelegramOpenWA

Data

PostgresSQLitefetchcustomer MCP

Browser

brwPlaywrightHammerspoon

Content

WordPressWooCommerceObsidianExcalidraw

AI

LM Studiomodel providersskillsmemorytaskmesh

AI-native setup

Configure it by talking to your agent.

Inside ~/.mcplexer, the agent can provision servers, import OpenAPI specs, write routes, set auth scopes, inspect audit, and manage approvals. In ordinary project repos, it only sees the slim universal surface.

example prompt

> Wire GitHub, Linear, Gmail, Calendar, Postgres, browser control, and a cheap worker model into this workspace. Require approval for write tools and give Codex the same surface Claude Code gets.

Power with boundaries

Serious agents need serious constraints.

Workspace-scoped routing
Human approvals with self-approval blocked
Searchable audit with redaction
Encrypted auth scopes and secret refs
Sandboxing and tool restrictions
Downstream command guard
Read our security and design notes

Build agent systems that continue across tools, models, and machines.

MCPlexer is open source infrastructure for people pushing past one model, one chat, and one tool list.