First Time Setup Guide
How to set up VCP and Dev Buddy from scratch.
1. Install VCP plugin → /plugin install vcp@vcp
2. Run /vcp-init → Configure project standards
3. Install Dev Buddy plugin → /plugin install vcp@dev-buddy
4. Run /dev-buddy-config → Configure AI presets + pipelines
5. Run your first pipeline → /dev-buddy-requirements <description>
You can install either plugin independently. VCP works without Dev Buddy, and Dev Buddy works without VCP (though VCP adds security-aware analysis to Dev Buddy's requirements gathering).
/plugin marketplace add Z-M-Huang/vcp
This registers the VCP marketplace so you can install plugins from it. You only need to do this once.
/plugin install vcp@vcp
What happens immediately after install:
- The `security-context.ts` hook activates (SessionStart) — it injects VCP rule summaries into the AI's context at the start of every session
- The `security-gate.ts` hook activates (PreToolUse) — it checks every Write, Edit, and Bash call against 21 regex patterns for dangerous code
- The `test-quality-warning.ts` hook activates (PostToolUse) — it warns when generated test code has mock-abuse patterns
- The `stop-reminder.ts` hook activates (Stop) — it reminds you to run VCP checks when Claude finishes a task
These work without any configuration. Before you run /vcp-init, the context hook outputs a reminder to initialize rather than full project rules.
/vcp-init
This is an interactive process. Here's what you'll see at each step:
If this is your first time running /vcp-init on this machine:
The skill asks:
Do you want to use the default VCP public standards, or a custom repository URL?
What to choose:
- Default (recommended) — Uses `https://raw.githubusercontent.com/Z-M-Huang/vcp/main/standards/manifest.json`. This is the official, maintained standards repository. Choose this unless your organization hosts custom standards.
- Custom URL — Point to your own standards repository. Only relevant for enterprises with custom security policies.
This creates ~/.vcp/config.json (the global config). It's shared across all your projects on this machine.
If you've already run /vcp-init on another project:
The skill detects the existing ~/.vcp/config.json and reuses it. You skip straight to project setup.
The skill scans your project root for dependency manifests:
| File Found | Frameworks Detected |
|---|---|
| `package.json` | React, Vue, Express, Next.js, etc. from dependencies |
| `requirements.txt` / `pyproject.toml` | Django, Flask, FastAPI, etc. |
| `go.mod` | Go modules |
| `Cargo.toml` | Rust crates |
| `pom.xml` / `build.gradle` | Java/Kotlin frameworks |
| `Gemfile` | Ruby gems |
| `Dockerfile` / `.github/workflows/` | DevOps tools |
Based on the scan, the skill proposes which scopes to enable:
Based on your project, I recommend enabling these scopes:
- web-frontend (React detected)
- web-backend (Express detected)
Do you want to adjust these?
How to decide:
| Scope | Enable when... | Effect |
|---|---|---|
| `web-frontend` | You have client-side code (React, Vue, Svelte, Angular) | Adds 4 standards: frontend security, structure, performance, accessibility |
| `web-backend` | You have server-side code (Express, Django, FastAPI, Rails) | Adds 6 standards: backend security, structure, data access, API design, realtime, caching |
| `database` | You write SQL directly or use ORMs with raw queries | Adds 2 standards: encryption, schema security |
| `mobile` | You build native or cross-platform mobile apps | Adds 2 standards: mobile security, platform config |
| `desktop` | You build Electron or Tauri apps | Adds 1 standard: desktop security |
| `cli` | Your project is a command-line tool | Adds 1 standard: CLI security and quality |
| `devops` | You have Dockerfiles, CI/CD, Terraform, or Kubernetes configs | Adds 4 standards: container, CI/CD, IaC, K8s security |
| `agentic-ai` | You build AI agents or tools | Adds 4 standards: agent security, tool security, permissions, supply chain |
Core standards (security, architecture, quality, error handling, testing, dependency management, root cause analysis) are always active regardless of scope settings.
The skill asks about compliance frameworks and severity:
Do any compliance frameworks apply to this project? (GDPR, PCI DSS, HIPAA)
Only add compliance if your project truly requires it. Each framework adds a full standard with many rules. Don't add them "just in case."
What severity threshold? (critical / high / medium / low)
Recommended: Start with medium (the default). This reports critical, high, and medium findings. You can always adjust later with /vcp-config set severity to high.
The skill presents the complete proposed config and asks for confirmation:
Here's the proposed `.vcp/config.json`:

```json
{
  "version": "1.0",
  "scopes": {
    "web-frontend": true,
    "web-backend": true
  },
  "compliance": [],
  "frameworks": ["react", "express"],
  "exclude": ["node_modules/**", "dist/**"],
  "severity": "medium",
  "ignore": [],
  "pluginRoot": "/home/user/.claude/plugins/cache/vcp/vcp/..."
}
```

Does this look correct?
Review and confirm. The config is written to .vcp/config.json in your project root.
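A pre-flight check for the written file, as an added example (not part of VCP): it flags scope names outside the table above, non-boolean scope values, and thresholds that report less than the default. The function name, messages and sample are constructed here; that a missing `severity` falls back to `medium`, and that other thresholds work the way `medium` is described, are assumptions.

```typescript
// Added example: lint a .vcp/config.json against the values this guide documents.
const KNOWN_SCOPES = ["web-frontend", "web-backend", "database", "mobile",
                      "desktop", "cli", "devops", "agentic-ai"];
const SEVERITIES = ["critical", "high", "medium", "low"]; // most to least severe

interface LintResult { errors: string[]; warnings: string[]; reported: string[]; }

function lintVcpConfig(raw: string): LintResult {
  const res: LintResult = { errors: [], warnings: [], reported: [] };
  let cfg: any;
  try { cfg = JSON.parse(raw); } catch { res.errors.push("config is not valid JSON"); return res; }
  if (typeof cfg !== "object" || cfg === null || Array.isArray(cfg)) {
    res.errors.push("config must be a JSON object");
    return res;
  }
  // Scopes: a misspelled key or a non-boolean value is flagged, not silently accepted.
  const scopes = (typeof cfg.scopes === "object" && cfg.scopes !== null) ? cfg.scopes : {};
  let enabled = 0;
  for (const name of Object.keys(scopes)) {
    if (KNOWN_SCOPES.indexOf(name) === -1) res.errors.push(`unknown scope "${name}"`);
    else if (typeof scopes[name] !== "boolean") res.errors.push(`scope "${name}" must be true or false`);
    else if (scopes[name]) enabled++;
  }
  if (enabled === 0) res.warnings.push("no scopes enabled: only core standards apply");
  // Severity threshold: findings at or above it are reported (assumed fallback: medium).
  const sev = cfg.severity === undefined ? "medium" : cfg.severity;
  const idx = SEVERITIES.indexOf(sev);
  if (idx === -1) res.errors.push(`severity must be one of ${SEVERITIES.join(", ")}`);
  else {
    res.reported = SEVERITIES.slice(0, idx + 1);
    if (idx < SEVERITIES.indexOf("medium"))
      res.warnings.push(`threshold "${sev}" reports fewer findings than the default "medium"`);
  }
  // Each compliance framework adds a full standard; surface them so the choice is deliberate.
  if (Array.isArray(cfg.compliance) && cfg.compliance.length > 0)
    res.warnings.push(`compliance frameworks enabled: ${cfg.compliance.join(", ")}`);
  return res;
}

// Constructed sample: the guide's proposed config with one scope misspelled and a raised threshold.
const SAMPLE = JSON.stringify({
  version: "1.0",
  scopes: { "web-frontend": true, "web-backed": true },
  compliance: [], frameworks: ["react", "express"],
  exclude: ["node_modules/**", "dist/**"],
  severity: "high", ignore: [],
});

console.log(lintVcpConfig(SAMPLE));
```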
Run a quick test:
/vcp-context
You should see a formatted block of rules grouped by scope. If you see core rules plus your enabled scopes, everything is working.
/plugin install vcp@dev-buddy
What happens after install:
Dev Buddy auto-creates its config files on first use. No manual init step required. Guidance injection and review validation are handled directly by the stage skills — no separate hooks are needed.
/dev-buddy-config
This launches a web portal in your browser for visual configuration. If your environment doesn't support browser auto-open (e.g., SSH, Docker), navigate to the printed URL manually.
The portal has three tabs: AI Presets, Pipeline Config, and Chatroom. See Web Portal Guide for a detailed walk-through of each tab.
The portal opens on the AI Presets tab. You'll see one preset already configured:
- `anthropic-subscription` — Your Claude Code subscription. Uses the Task tool. No API key needed. Supports `sonnet`, `opus`, and `haiku` models.
If you only plan to use your Claude subscription: You're done with presets. Skip to pipeline config.
If you want to add external providers (API or CLI):
- Click + Add Preset
- Choose a type:
  - API — For OpenRouter, direct Anthropic API, or any compatible endpoint
  - CLI — For Codex CLI or similar tools
- Fill in the fields (see Web Portal Guide for field-by-field details)
- Click Test Connectivity to verify before saving
- Click Add Preset
Switch to the Pipeline Config tab. You'll see the default pipelines:
Feature pipeline (9 stages): Requirements → Planning → 3 Plan Reviews → Implementation → 3 Code Reviews
Bug-fix pipeline (7 stages): 2 RCA → Plan Review → Implementation → 3 Code Reviews
All stages use anthropic-subscription by default. To customize:
- Change a stage's Provider dropdown to use a different preset
- Change the Model dropdown for that stage
- Drag stages to reorder them
- Click + Add Stage to add more review stages
- Click x to remove a stage
- Click Save Config
To get 5 specialist agents instead of one during requirements gathering, set this environment variable:
```bash
export CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1
```

This spawns Technical, UX/Domain, Security, Performance, and Architecture specialists in parallel during requirements gathering. Without it, a single agent handles everything.
/dev-buddy-requirements Add a login page with email and password
See Running Your First Pipeline for what to expect at each stage.
After your pipeline completes (or on any existing code):
/vcp-audit src/
This scans your code against all applicable standards and reports findings with severity, file locations, and fixes.
For a quick pre-commit check:
/vcp-pre-commit-review
Install VCP, run /vcp-init, and use the skills:
- `/vcp-audit` — Full codebase audit
- `/vcp-pre-commit-review` — Pre-commit gate
- `/vcp-dependency-check` — Dependency verification
- `/vcp-context` — Re-inject rules after context compaction
The security gate runs automatically on every Write/Edit/Bash call.
Install Dev Buddy and run pipelines directly. Dev Buddy auto-creates config files with defaults on first use. When VCP is also installed, Dev Buddy's Security Analyst gets VCP rule context, but this is optional.
If you're using the VCP Docker image (zhironghuang/vcp:latest), Bun, Claude Code, Codex CLI, and Gemini CLI are pre-installed. Follow the same setup steps inside the container:
```bash
docker exec -it vcp-docker bash
# Then inside the container:
/plugin marketplace add Z-M-Huang/vcp
/plugin install vcp@vcp
/vcp-init
/plugin install vcp@dev-buddy
/dev-buddy-config
```

The `~/.claude` directory is persisted via volume mount, so plugins and settings survive container restarts.
- How Configuration Works — Understand what each setting does downstream
- Configuration Recipes — Example configurations for common scenarios
- Web Portal Guide — Detailed walk-through of the Dev Buddy web portal
- Running Your First Pipeline — What to expect during pipeline execution
- Daily VCP Workflow — Recommended daily usage patterns