worker-bridge
worker-bridge lets you delegate scoped coding tasks to external AI coding agents (Codex, Claude Code, OpenCode, etc.) in isolated git worktrees, with independent verification of results—all over the Model Context Protocol (MCP).
worker_delegate— Start a coding task (feature, bug fix, refactor, migration) on a specified AI worker inside an isolated git worktree. Configure the objective, target repo path, worker (codex,claude-code,opencode, etc.), permission level (read_only,workspace_write,full_access), verification commands (e.g.,["pytest -q"]), base git ref, and whether to block or return immediately with atask_id.worker_status— Poll a task bytask_idto retrieve its status, summary, changed files, independent verification result, and artifact paths (diff + manifest). Without atask_id, lists recent tasks.list_workers— Discover which AI coding workers are installed and healthy on the current machine, along with their capabilities.worker_cancel— Cancel a running or queued task and terminate its entire worker process tree.worker_logs— Retrieve the normalized, secret-safe event log for a task (e.g.,worker.started, progress,worker.completed, verification events), with optional pagination via anafterevent ID.
Key design features: each task runs in its own git worktree on a fresh branch (leaving the main repo untouched), verification commands are run independently by the orchestrator (not the worker), logs have secrets redacted, and concurrency limits are enforced across processes.
Delegates coding tasks to OpenAI's Codex CLI agent for code generation and editing in isolated worktrees with independent verification.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@worker-bridgeImplement a function to sort users by name and add unit tests."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
worker-bridge
Delegate coding tasks to external AI coding agents — in isolated git worktrees, with independent verification — from any agent, over MCP.
worker-bridge lets one AI agent hand a scoped coding job (implement a feature, fix a cross-file bug, run a migration) to an external coding CLI — Codex, Claude Code, OpenCode, or any command-line agent — inside an isolated git worktree, then independently verifies the diff itself before handing it back. It exposes this as an MCP server, so any MCP-capable client (Claude Code, Cursor, Windsurf, Cline, Continue, …) can use it with zero code.
Dispatching agents is commodity. worker-bridge is about dispatching with a provable chain of custody: isolated execution, host-wide concurrency limits, an independent verification gate, and secret-safe event logs.
Why
Isolation by default — each task runs in its own
git worktreeon a fresh branch. Workers never touch your working tree.Independent verification — the orchestrator runs your verification commands (
pytest -q,npm test, …) itself, separately from the worker, and records the result. A worker can't mark its own homework.Cross-process safety — task ownership is an atomic SQLite claim and concurrency is enforced by DB-backed leases, so many independently-launched runners can share one host without double-executing a task or overrunning limits.
Windows-aware — cancellation kills the whole worker process tree (validated by command line, so a recycled PID is never killed).
Secret-safe — connection strings, PEM keys, and cloud key IDs are redacted before anything is persisted.
Multi-worker — run the same task on several workers and compare, or run an implementer + a reviewer.
These guarantees come from an independent production audit of the engine; see
docs/audit.mdfor the findings.
Related MCP server: unlimited-mcp
Install
pip install worker-bridge-mcpYou also need at least one worker CLI on your PATH — e.g. Codex, Claude Code, or OpenCode. Run worker-bridge workers list to see what's detected.
Use it as an MCP server
The server runs over stdio. Add it to your MCP client:
Claude Code
claude mcp add worker-bridge -- worker-bridge-mcpCursor / Windsurf / Cline / Continue — add to the client's MCP config (mcp.json / settings):
{
"mcpServers": {
"worker-bridge": {
"command": "worker-bridge-mcp"
}
}
}Optional environment:
{
"mcpServers": {
"worker-bridge": {
"command": "worker-bridge-mcp",
"env": { "WORKER_BRIDGE_HOME": "/path/to/state", "WORKER_BRIDGE_MAX_CONCURRENCY": "4" }
}
}
}Tools
Tool | What it does |
| Start a scoped coding task on a worker in an isolated worktree; returns a |
| Poll a task: status, summary, changed files, verification result, artifact paths. |
| Which coding workers are installed and healthy on this machine. |
| Cancel a task and terminate its worker process tree. |
| Normalized event stream for a task (progress, completion, verification). |
Typical flow, from the host agent's side: call worker_delegate(objective=…, repository=…, verify=["pytest -q"]), then poll worker_status(task_id) until it's succeeded/failed. The changed files land in an isolated worktree plus a diff artifact; nothing is merged into your branch automatically.
Use it as a CLI
worker-bridge workers list
worker-bridge tasks create --objective "Add a --json flag" --repo /abs/path/repo --worker codex --verify "pytest -q"
worker-bridge tasks start <task_id> --wait
worker-bridge tasks show <task_id>Use it as a Python library
import asyncio
from worker_bridge import WorkerBridge
bridge = WorkerBridge()
task = bridge.create_task({
"objective": "Add a --json flag to the CLI",
"worker": "codex",
"workspace": {"repository": "/abs/path/to/repo", "isolation": "git_worktree"},
"verification": {"commands": ["pytest -q"]},
})
result = asyncio.run(bridge.start_task(task["task_id"]))
print(result["status"], result["result"]["metadata"]["verification"]["ok"])Workers
Built-in adapters:
codex, claude-code, opencode — the mainstream coding CLIs.
zcode-glm — Claude Code pointed at an Anthropic-compatible endpoint (default Z.ai GLM). A template for any alternate endpoint: subclass or construct with a different
base_url/model; the auth token is read from an env var by name (ZCODE_AUTH_TOKEN) so it never lands in a task spec or result.vscode (experimental) — delegates into a running VS Code window via the companion
vscode-extension/(a loopback HTTP bridge on127.0.0.1:9394). Install/run the extension first; without it the worker fails closed cleanly. Seevscode-extension/README.md.mock — deterministic, for tests.
Any other non-interactive coding CLI can be linked without code:
worker-bridge workers link my-agent --command-json '["my-agent","run","{prompt}"]'Accepting work
A task's changes live in an isolated worktree and are never merged automatically. When you're satisfied, worker-bridge tasks accept <task_id> copies the verified changes back into the source repository (under a repository lock, refusing symlink escapes). Only independently-verified successful tasks can be accepted.
Configuration
State lives under WORKER_BRIDGE_HOME (default ~/.worker-bridge/): the SQLite store, worktrees, and artifacts. Tunables via env or ~/.worker-bridge/config.yaml:
Env | Default | Meaning |
|
| State root |
|
| Global concurrent workers (host-wide) |
|
| Concurrent workers per repository |
| — | Override the SQLite path |
Storage safety
Workspace allocation is designed so a delegation can never quietly eat the disk:
Containment — the worker root and the target repository must never contain each other (checked by path math, not names), so a task can never recursively copy earlier tasks' workspaces into itself. Copying a repo at or above the bridge home requires an explicit
allow_profile_copyopt-in, and copy sources containing symlinks/junctions are refused outright.Copy budgets + disk reserve —
copyisolation measures the source first (honoring cache/VCS exclusions like.git,node_modules,__pycache__) and refuses anything over 2 GiB / 50k files; the copy must also leave at least max(10 GiB, 5% of capacity) free on disk.Two-phase allocation — the destination is planned and persisted (
allocation_state: "allocating") before any filesystem mutation, and the mutation runs under a timeout. A crash, kill, or hang always leaves a task record naming the directory it was building, a cleanfailed/timed_outstate, and a swept partial tree — never an unfindable half-copied giant.Prune —
worker-bridge workspaces prune(dry-run by default;--applyto delete,--include-pausedto widen) and theworker_pruneMCP tool reclaim worktrees of terminal tasks plus orphan directories no task record references. Accepted tasks reclaim their worktree automatically.
Security
Custom/read-only permission profiles are checked after execution and are not an OS sandbox — the real filesystem boundary is the worker client's own sandbox (Codex workspace-write, etc.), which the bridge selects per profile. Symlink escapes are detected and fail the task; a raw path-traversal write by a sandbox-less worker cannot be seen post-hoc. Do not point a full_access worker at hostile input without a container. Secrets are redacted from the event log and store.
License
MIT — see LICENSE.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/trollbot2012/worker-bridge'
If you have feedback or need assistance with the MCP directory API, please join our Discord server