MCPlexer
AI Tool Governance for Enterprise Teams
One control plane for every AI tool call. Policy enforcement, approval workflows, and complete audit trails — deployed and managed for you.
Everything you need to govern AI tools
Full control over what AI can do across your organization. Directory-scoped policies, human-in-the-loop approvals, and a complete audit trail.
Directory & Resource Scoping
Different AI policies per project, automatically enforced by working directory. Restrict agents to specific repos, channels, or schemas with per-route allowlists.
Human-in-the-Loop Approvals
Review and approve AI tool calls before they execute. Native desktop notifications. Configurable per team and project.
Complete Audit Trail
Every AI action logged and searchable. Credential redaction built in. Real-time streaming and historical queries.
One-Click Authentication
Pre-built OAuth flows for GitHub, Linear, Google, and more. Credentials encrypted at rest and injected automatically.
Unified Tool Dashboard
Real-time monitoring of all AI activity. Approval queue, audit stream, and server health in one view.
Agent-to-Agent Communication
Built-in mesh networking lets AI agents collaborate across projects and workspaces. Controlled and auditable.
Configure MCPlexer by talking to your agent
MCPlexer's primary configuration surface is MCP itself. Open a terminal at ~/.mcplexer, run your usual coding agent (Claude Code, OpenCode, Codex, Gemini-CLI), and let it drive: provision new MCP servers, set up OAuth flows, write routing rules, manage approvals — all through mcpx__* and mcplexer__* control tools the gateway exposes to its own clients. The web dashboard is for review and visibility, not setup.
Directory-scoped admin surface. The full admin tool set is visible only when the agent's working directory is at or under ~/.mcplexer. From any other project directory the agent sees only the universal surface — mcpx__search_tools, mcpx__execute_code, secret__prompt, and mesh__* — so a coding agent in your project tree can't mutate gateway configuration, only call tools.
Click "Add server", fill the form, paste OAuth credentials, click "Test", hop to a routes screen, define rules, save, hop back to test, repeat for the next server.
> "Add the Linear MCP server, set up OAuth, route it to my consulting projects, and require approvals for any write operation."
Universal · always visible
- mcpx__search_tools
- mcpx__execute_code
- secret__prompt
- mesh__send / mesh__receive
Admin · only inside ~/.mcplexer
- mcpx__provision_mcp / create_addon / import_openapi
- mcpx__approve_tool_call / deny_tool_call
- mcpx__reload_server / flush_cache
- mcplexer__list/get/create/update/delete_workspace
- mcplexer__list/get/create/update/delete_server
- mcplexer__list/create/update/delete_route
- mcplexer__list/get/create/update/delete_auth_scope
- mcplexer__status / query_audit
All admin tools are full CRUD — there is no read-only fallback, and there is no path that requires raw SQL against the SQLite file. The same tools are callable as JavaScript inside mcpx__execute_code, which runs in a Goja sandbox with hard CPU and memory limits — so your agent can chain dozens of provisioning calls without round-tripping every result through its context window.
Deployed and managed for you
We handle the setup, configuration, and ongoing support. Your team gets the tools and visibility — without the overhead.
Deploy
We install MCPlexer on your team's machines. Native macOS app with system tray integration. Your data never leaves your network.
Configure
We set up policies for each project directory. Who can use which tools. What requires approval. What gets blocked.
Monitor
Your team gets a real-time dashboard showing all AI activity. Approval queues. Audit logs. Complete control.
Built for production
Native Desktop App
Runs in your system tray. Approval notifications appear instantly on your desktop. No browser tab to keep open, no CLI to remember. macOS native — Apple Silicon and Intel.
Encrypted by Default
All credentials encrypted at rest with age encryption. API keys, OAuth tokens, and secrets are never stored in plaintext. Auto-generated encryption keys with zero configuration.
Multi-Agent Orchestration
Built-in mesh networking enables AI agents to share findings, coordinate tasks, and collaborate across projects. Priority-based message routing with full audit visibility.
Who it's for
Engineering Teams
Control what AI can do in your codebase. Different policies for frontend, backend, and infrastructure. Approval workflows for destructive operations.
Security-Conscious Orgs
Complete audit trail for compliance. Credential redaction. On-premise deployment with zero data egress. Policy enforcement at the tool level.
Multi-Project Shops
Different tool policies per client or project. Directory-scoped security means switching context is automatic. One gateway, many workspaces.
How MCPlexer mitigates the MCP STDIO RCE class
In April 2026, OX Security disclosed a systemic vulnerability in the Model Context Protocol's STDIO transport: MCP hosts spawn whatever shell command a downstream config declares, and several major hosts expose that surface to unauthenticated network input. Anthropic confirmed the behaviour is by design and that sanitisation is the host's responsibility. Estimated exposure: 200,000 servers, 150M+ downloads, RCE on platforms including Cursor, Windsurf, Claude Code, Gemini-CLI, LangFlow, LiteLLM, Flowise, and Upsonic.
MCPlexer is exactly the kind of host the disclosure targets — every configured stdio downstream becomes an exec.CommandContext call. We treat it as our responsibility. Six concrete defences ship in every build:
Authenticated control plane
Every /api/v1/* and /api/p2p/* request requires a per-install token (~/.mcplexer/api-key, mode 0600) — supplied as a session cookie to the dashboard or a Bearer header to scripts. Health and OAuth callbacks are the only exceptions.
Downstream command guard
Shells (sh, bash, zsh, pwsh, cmd) are rejected as the command field. Shell-eval flags (-c, -e, --eval, --call, -Command) are rejected on any runner — defeating OX's npx -c argument-injection bypass. Shell metacharacters and path traversal in the command string are rejected.
Validate at registration AND spawn
The same guard runs in the API write path and again at exec time. A malicious config in your YAML, your DB, or your seeded data can never reach exec.Command.
No env passthrough to subprocesses
MCPLEXER_* and AGE_* env vars are stripped before spawning downstream MCP servers. A compromised npx-launched server cannot read the age key and decrypt the secrets blob.
Sandboxed code execution
JS executed via mcpx__execute_code runs in a Goja VM with a hard recursion cap and a heap-growth watchdog. A while(true) push() interrupts in milliseconds instead of OOM-ing the daemon.
Approval gate for tool calls
Self-approval (resolver session matching requester) is rejected for every approver type, including dashboard. The previous dashboard short-circuit — which let any caller with the API token self-approve their own MCP request — is closed.
Defence in depth. These controls don't rely on each other. The command guard would block a shell config even if the API token were exfiltrated; the env-stripping holds even if a downstream server is malicious; the auth gate keeps random local processes off the API in the first place. Power users who genuinely need a shell as a downstream can set MCPLEXER_UNSAFE_DOWNSTREAM_COMMANDS=1 with informed consent.
Ready to secure your AI tooling?
We deploy and manage MCPlexer for your team. Native desktop app, custom policies, and ongoing support — so you can focus on building.
Book a DemoDeployed and managed by Revitt