DollhouseMCP

Open-source AI customization through modular elements.

Website · Browse the Collection · NPM Package · Discord

How It Works

 CREATE or EDIT                    PORTFOLIO                   ACTIVATE → USE
 ─────────────────────────────────────────────────────────────────────────────

 "Create a skill for            📁 ~/.dollhouse/portfolio/    "Activate the Dollhouse
  writing blog posts"                                              Expert ensemble"
                                 37 starter elements:
 "Edit the code review      ──▶  personas · skills ·       ──▶  Your AI now has
  persona to add security"       templates · agents ·           new behavior,
                                 memories · ensembles           capabilities, and
  persona · skill · template                                    permission policies
  agent · memory · ensemble      + everything you create
                                 + community installs

Pick any path to start:

• Activate a starter element from your portfolio — your AI immediately changes
• Create any element type (persona, skill, template, agent, memory, ensemble) by describing what you want in plain English
• Edit any existing element to refine it
• Browse the community collection and install elements made by other users

Your portfolio (~/.dollhouse/portfolio/ on macOS/Linux, %USERPROFILE%\.dollhouse\portfolio\ on Windows) is a local folder that holds all your Dollhouse elements. It ships with 37 starters — including the dollhouse-expert-suite ensemble (persona + knowledge base) you can activate for guided help. Everything you create or install lands here. Share back to the community or sync to GitHub whenever you're ready.

Quick Start

v2.0.0 is now available. DollhouseMCP v2 is the default release. Release notes | Migration guide | Report issues

DollhouseMCP installs on any MCP-compatible AI client — Claude Code, Claude Desktop, Cursor, Gemini, Codex, and local LLMs. Core element management (create, activate, search, browse) works across all platforms. Advanced features (Gatekeeper confirmation flows, agentic loop execution) have been tested extensively on Claude Code and should work on any client that supports standard MCP tool call/response patterns.

Interactive Setup (any platform):

npx @dollhousemcp/mcp-server@latest --web

Opens a browser-based setup wizard with one-click install for Claude Desktop, Claude Code, Cursor, VS Code, Codex, Gemini CLI, Windsurf, Cline, and LM Studio. Detects existing installations, supports auto-updating and pinned versions.

Permission hook support in the setup wizard currently breaks down like this:

Claude Code (one command):

claude mcp add -s user dollhousemcp -- npx -y @dollhousemcp/mcp-server

Claude Desktop (one-click install):

Download the DollhouseMCP Desktop Extension (.mcpb file) and double-click it. Claude Desktop handles the rest — no terminal required.

Other platforms — see the Quick Start Guide or run the interactive setup above.

Then start a conversation:

"What DollhouseMCP tools do you have available?"
"List all available Dollhouse personas"
"Activate the Dollhouse debug detective persona"

DollhouseMCP ships with 38 Dollhouse elements across all 6 types. Just describe what you want in natural language.

First time? The Public Beta Onboarding Guide walks you from install to your first activated Dollhouse persona in under 10 minutes.

Dollhouse Elements: Behavior, Capabilities, and Permissions

Dollhouse elements are modular building blocks that customize your AI. When you activate a Dollhouse element, you're not just changing a prompt — you're changing what tools the AI can access, what commands it can run, and what operations require your approval.

*Skills Compatibility

Dollhouse Skills (introduced July 2025) predate the agent skills format later adopted by Claude/Anthropic. DollhouseMCP includes a built-in lossless bidirectional converter between the two formats.

• Import: Convert agent skills → Dollhouse Skills via convert_skill_format. Once converted, they're first-class Dollhouse elements — combinable with Personas, Templates, and other Skills inside Ensembles, managed by Dollhouse Agents, and protected by Gatekeeper policies.
• Export: Convert Dollhouse Skills → agent skills for platforms that don't have DollhouseMCP installed.
• Roundtrip: The converter supports a lossless mode that preserves everything in both directions. A safe mode is also available that sanitizes potentially risky patterns during conversion.

Full Skills Converter documentation

All Dollhouse elements are readable markdown or YAML files stored in your local portfolio. You own them, you control them. When interacting with your AI, use "Dollhouse" to disambiguate — say "activate the Dollhouse code review persona" or "run the Dollhouse research agent" to ensure the AI uses DollhouseMCP elements rather than native platform features.

MCP-AQL: How Your AI Talks to DollhouseMCP

Most MCP servers expose dozens of individual tools, each consuming context tokens and forcing the LLM to pick the right one from a flat list. DollhouseMCP takes a different approach.

MCP-AQL (Model Context Protocol – Advanced Agent API Adapter Query Language) organizes all operations into 5 semantic endpoints — CRUDE: Create, Read, Update, Delete, Execute. The A pulls quadruple duty: Advanced query capabilities, Agent-first design, API consolidation, and Adapter layer to bridge other MCP servers and APIs to work directly with LLMs. Each endpoint groups operations by what they do to state, giving the LLM clear semantic signals about the consequences of each action:

Why This Matters

• Semantic clarity — The LLM knows that calling mcp_aql_read is always safe. Calling mcp_aql_delete is always destructive. No guessing.

• Host-level permission control — MCP clients like Claude Code can set different approval policies per endpoint (auto-approve reads, require confirmation for deletes).

• Progressive disclosure through introspection — The LLM starts with just 5 tool endpoints. It discovers operations, parameters, element formats, and usage examples at runtime by asking the server:

  json

  { "operation": "introspect", "params": { "query": "operations" } }
  { "operation": "introspect", "params": { "query": "format", "name": "persona" } }
  

  This is progressive disclosure built into the protocol — the LLM only loads what it needs, when it needs it. Unlike client-side solutions that require special harness support (like Claude Code's deferred tool loading), MCP-AQL's introspection works on any MCP client because it's just a standard tool call that returns structured data. No fancy client features required. The server describes itself.

  Elements use the same principle: YAML frontmatter provides metadata for quick scanning, full markdown content loads only when activated. The LLM can list 200 elements at a glance and deep-dive into the ones it needs.

• Token efficiency — 5 endpoints at ~4,300 tokens vs ~29,600 for ~40 discrete tools (85% reduction). Single mode reduces further to ~350 tokens.

Full MCP-AQL documentation — protocol design, CRUDE pattern rationale, introspection system, endpoint modes, and debugging.

The Gatekeeper: Elements Control Permissions

Every MCP-AQL operation passes through the Gatekeeper — a server-side permission system that Dollhouse elements directly control. When you activate a Dollhouse Persona, Skill, or Ensemble, its permission policies take effect immediately.

 Example: Activate a "read-only analyst" persona

 ┌─────────────────────────────────────────────────────────────────┐
 │  Persona: read-only-analyst                                     │
 │                                                                 │
 │  gatekeeper:                                                    │
 │    allow:  [list_elements, search, get_element, introspect]     │
 │    deny:   [create_element, edit_element, delete_element,       │
 │             execute_agent, confirm_operation]                    │
 └─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  What the LLM CAN do:           What the LLM CANNOT do:        │
 │                                                                 │
 │  ✓ List and search elements     ✗ Create new elements           │
 │  ✓ Read element details         ✗ Edit existing elements        │
 │  ✓ Introspect operations        ✗ Delete anything               │
 │  ✓ Activate/deactivate          ✗ Run agents                    │
 │                                 ✗ Confirm any gated operation   │
 └─────────────────────────────────────────────────────────────────┘

This works even if the MCP client has "Always Allow" enabled. The Gatekeeper runs server-side — after the client approves the tool call, the Gatekeeper still enforces the active element's policies. A deny from any active element cannot be overridden by the LLM or the client.

Use the two gatekeeper surfaces differently:

• allow / confirm / deny are for MCP-AQL operation patterns like read_*, edit_*, delete_element, and execute_agent
• externalRestrictions is for external tool and hook patterns like Read:*, Edit:*, Bash:git status*, and Bash:rm *

How Policy Resolution Works

 deny  >  confirm  >  allow  >  route default
 (highest priority)              (lowest priority)

1. Element deny — hard-blocked, cannot be confirmed or bypassed
2. Element confirm — requires user confirmation even if the route default is auto-approve
3. Element allow — auto-approves operations that would normally require confirmation
4. Route default — the endpoint's built-in permission level (reads auto-approve, deletes confirm)

Policies stack across all active elements. If one persona allows an operation but another denies it, deny wins. This lets you compose elements with confidence — a security-focused persona can lock down operations while a skill adds capabilities.

What This Means in Practice

• Activate a read-only persona → the LLM can only browse and search, even if you've given the MCP client full access
• Activate a security analyst ensemble → delete_element and rm -rf * are denied, but code review tools work normally
• Deactivate the restrictive element → full access returns immediately
• Nuclear sandbox → deny: ['confirm_operation'] blocks ALL confirmations, making the session completely read-only until the element is deactivated

Platform compatibility: The Gatekeeper enforces policies server-side — deny and allow decisions work on any MCP client. The confirmation flow (where the LLM calls confirm_operation in response to a block) has been tested extensively on Claude Code and the DollhouseMCP Bridge. It should work on any MCP client where the LLM can interpret structured tool responses and make follow-up tool calls, but has not been rigorously verified on all platforms.

Gatekeeper documentation — confirmation flows, element policy syntax, sandbox model, external tool restrictions, and the session-allow problem.

Portfolio

Your Dollhouse elements live in a local portfolio at ~/.dollhouse/portfolio/ (macOS/Linux) or %USERPROFILE%\.dollhouse\portfolio\ (Windows). Ask your AI to "open the portfolio browser" (or call open_portfolio_browser via MCP-AQL) to browse them visually. Activation is done through the LLM — ask it to "activate the Dollhouse code review persona" and it handles the rest.

• Local-first — Everything works offline. No account required.
• 37 bundled elements — 7 personas, 7 skills, 8 templates, 7 agents, 3 memories, 5 ensembles ship with the server as starter content. Includes the dollhouse-expert-suite ensemble (persona + knowledge base memory) for guided help, and a Session Monitor agent that keeps your LLM synchronized with server state changes.
• GitHub sync — Optionally back up your portfolio to a GitHub repository and share elements with others.
• Community Collection — Browse the collection to see what's available, then install elements directly from your AI. Or submit your own.

GitHub Portfolio Sync Guide — back up to GitHub, sync between machines, submit to the community.

Dollhouse Agent Execution

Dollhouse Agents don't just run — every step passes through the MCP server, back to the LLM, and through the Gatekeeper. The LLM makes semantic decisions; the server handles programmatic enforcement. Neither side operates alone.

 ┌───────────────┐
 │   HUMAN       │
 │  (optional)   │◄──── LLM asks for guidance
 │               │      when autonomy evaluator
 │ Approve, deny,│      says "pause"
 │ or guide      │
 └───────┬───────┘
         │ responds to LLM
         ▼
 ┌─────────────┐     ┌─────────────────────────────┐     ┌─────────────┐
 │             │     │  DollhouseMCP MCP Server     │     │             │
 │    LLM      │────▶│                              │────▶│    LLM      │
 │             │     │  1. Gatekeeper checks policy  │     │             │
 │  Decides    │     │  2. Autonomy Evaluator scores │     │  Records    │
 │  next       │     │  3. Danger Zone enforcement   │     │  step and   │
 │  action     │     │  4. Execute or block          │     │  continues  │
 │             │     │  5. Return result + autonomy  │     │  or pauses  │
 │             │◀────│     guidance to LLM           │◀────│             │
 └─────────────┘     └─────────────────────────────┘     └─────────────┘
        │                                                       │
        └──────────────── repeats every step ───────────────────┘

Each step in the loop:

• Gatekeeper checks every operation against active element policies — deny, confirm, or allow
• Autonomy Evaluator scores whether the agent should continue autonomously or pause for human input
• Danger Zone enforces hard blocks on high-risk operations (file deletion, external API calls, system commands)
• Step recording creates an audit trail of every decision and outcome
• The LLM receives autonomy guidance with each response — continue, pause, or escalate — so it never operates unmonitored

This means a Dollhouse Agent can't silently escalate. Every action is visible, every step is evaluated, and active element policies are enforced throughout the entire execution.

Platform note: The agentic loop relies on the LLM making sequential MCP tool calls and interpreting structured responses — standard MCP behavior. It has been tested extensively on Claude Code and the DollhouseMCP Bridge. The server-side enforcement (Gatekeeper, Danger Zone, step recording) is platform-independent. The LLM's ability to follow autonomy guidance (continue/pause/escalate) depends on the LLM's capability to interpret structured tool responses, which may vary across platforms.

Full Agent Execution documentation — the agentic loop, security enforcement, human-in-the-loop control, agent composition, resilience policies, and execution lifecycle operations.

More Features

• Web Portfolio Browser — Built-in web console for browsing and managing your portfolio visually. Ask your AI to "open the portfolio browser" or run npm run web standalone.
• Batch Operations — Execute multiple operations in a single MCP-AQL request for efficient workflows
• Activation Persistence — Elements activated in a session are restored on server restart. No re-activation needed.
• Universal Backup — Built-in backup service for portfolio elements with restore capability
• Cache Memory Budget — Configurable memory budget for collection and index caches to control resource usage
• NLP Discovery — Jaccard similarity and Shannon entropy scoring for intelligent element search and discovery
• Cross-Element Relationships — GraphRAG-style mapping between elements for finding related content
• Security Hardened — Input sanitization, path traversal prevention, YAML injection protection, file locking, DOMPurify sanitization, content validation against hundreds of attack vectors. Security docs
• Cross-Platform — Tested on Windows, macOS, and Linux across Node.js 20+

Installation Options

The Quick Start above covers the fastest path. For more control:

Local Install (Recommended for Multiple Configs)

mkdir -p ~/mcp-servers && cd ~/mcp-servers
npm install @dollhousemcp/mcp-server

Then point your MCP client at node <path>/node_modules/@dollhousemcp/mcp-server/dist/index.js.

MCP-AQL Endpoint Modes

Note: CRUDE and Single are controlled by MCP_AQL_ENDPOINT_MODE. Discrete mode uses a different variable: MCP_INTERFACE_MODE=discrete.

Common Configuration

Full environment variable reference · MCP client setup for other platforms

Documentation

Contributing

We welcome contributions — bug reports, feature requests, documentation, code, and community elements.

git clone https://github.com/DollhouseMCP/mcp-server.git
cd mcp-server
npm install && npm run build && npm test

See CONTRIBUTING.md for the full development workflow, branch strategy, and code style guide.

Community

• GitHub Discussions — Questions, ideas, and showcase
• GitHub Issues — Bug reports and feature requests
• Discord — Real-time chat
• Browse the Collection — Community-contributed Dollhouse elements you can install
• Collection Repository — Source repo for submissions and contributions

License

AGPL-3.0-or-later — free to use, modify, and distribute. Network use requires source disclosure. See LICENSE for full terms.

Copyright 2024-2026 Mick Darling / DollhouseMCP