Roadmap
Z-M-Huang edited this page Mar 15, 2026 · 19 revisions
VCP is in active development (v0.3.0). The VCP plugin is functional with 41 standards, 10 skills, and real-time security gate enforcement. The Dev Buddy plugin adds multi-AI pipeline orchestration for feature development, bug fixing, and multi-model deliberation.
- Security — Security-first checklist derived from OWASP Top 10 and CWE
- Architecture — Clean architecture, SRP, separation of concerns
- Root Cause Analysis — Decision framework for fixing bugs at the right level
- Frontend Structure — Component organization, state management, folder conventions
- Code Quality — Consistency, duplication elimination, dead code removal
- Frontend Security — XSS prevention, auth token handling, CSP, CORS
- Error Handling — Edge cases, boundary validation, structured errors
- Frontend Performance — Bundle discipline, lazy loading, rendering optimization
- Testing — Test real behavior, not AI assumptions
- Backend Structure — HTTP/business logic separation, service layers
- Dependency Management — Prevent slopsquatting and supply chain attacks
- Backend Security — Injection prevention, auth, secrets management
- Backend Data Access — Query safety, migration patterns, connection management
- Guard skills — Enforcement hooks and skills (4 skills, 0 hooks)
- Audit skills — Codebase assessment (2 skills, 1 agent)
- Testing skills — Test quality enforcement (3 skills, 1 hook)
- GDPR & CCPA/CPRA — Data deletion, retention, consent, PII handling
- PCI DSS v4.0 — Tokenization, card masking, CDE isolation
- HIPAA — PHI encryption, audit logging, retention, minimum necessary
- Database Encryption — TDE, column-level, key management
- Database Schema Security — RLS, data classification, audit triggers, masking
- Standards Manifest — manifest.json for AI skill discovery and routing
- Skill Routing Design — Context detection, .vcp/config.json config, standard loading
- Proactive security context — SessionStart hook and /vcp-context skill for standards injection
- CWE-22 Path Traversal — Path canonicalization, traversal sequence blocking, allowlists
- CWE-434 File Upload — Magic byte validation, size limits, storage outside webroot
- Mobile Security — Keychain/KeyStore, certificate pinning, deep links, biometrics, platform config
- DevOps Security — Containers, CI/CD pipelines, IaC, Kubernetes
- Web Accessibility — WCAG 2.2, semantic HTML, keyboard nav, ARIA, color contrast
- API Design & Security — REST pagination, RFC 9457 errors, GraphQL depth limiting, gRPC auth
- Realtime Communication — WebSocket auth, origin validation, SSE resumption
- Caching Security — Cache poisoning, cache deception, sensitive data in caches
- Desktop Security — Electron context isolation, Tauri capabilities, IPC validation
- CLI Security & Quality — Shell injection, argument injection, exit codes, signals, XDG
- Dev Buddy plugin — Multi-AI pipeline orchestration with configurable stages, 6 system prompts, 0 hooks, and multi-provider support
- Accessibility Compliance — ADA, Section 508/504, EAA, PSBAR, AODA, ACA, EN 301 549, WCAG conformance mapping
- Multi-model chatroom — Standalone /dev-buddy-chatroom skill for multi-model deliberation with configurable participants and consensus rounds
- Custom Rule Repositories — Allow organizations to add their own VCP-compatible standards
- Conformance Model — MUST/SHOULD/MAY with objective pass/fail criteria
- Agentic AI Security — 5 standards covering OWASP ASI Top 10 (ASI01–ASI10): agent security, tool security, permissions, supply chain, communication
- Issue Triage Pipeline — Auto-label and deduplicate community issues
- Codex CLI Support — Adapt standards for OpenAI Codex CLI
- Gemini CLI Support — Adapt standards for Google Gemini CLI
- Migration Plan Tooling — Analyze existing codebases against VCP (separate repo)
| Version | Target | Key Deliverables |
|---|---|---|
| 0.1.0 | Done | Initial release — 35 standards across 11 scopes, 10 skills, 1 agent, 4 hooks, security gate (21 patterns / 9 CWEs) |
| 0.2.4 | Done | One-shot runner (/dev-buddy-once), CLI template validation, runtime placeholder enforcement, orchestrator --cwd flag, VCP-aware security analysis |
| 0.2.5 | Done | Orchestrator sequential execution enforcement, spawn/completion verification gates, JSON shape validation, requirements-gatherer defense-in-depth, agentic-ai scope (5 standards, OWASP ASI Top 10), strengthened core standards (TLS verification, framework-specific sinks, debug mode) |
| 0.2.6 | Done | Per-stage parallel reviews, session resume, accessibility compliance standard, standard reference URLs in context, API provider timeout enforcement, Docker image |
| 0.2.10 | Done | Versioned stage file naming, multi-file output directories (user-story/, plan/), lightweight API task runner, in-form preset testing, stages validation, consolidated review guidelines |
| 0.2.13 | Done | Configurable max_output_tokens for OpenAI presets |
| 0.2.14 | Done | Phased implementation reviews, streaming one-shot output |
| 0.2.15 | Done | Batched phased reviews with review_interval |
| 0.3.0 | Current | Multi-model chatroom (/dev-buddy-chatroom), chatroom config + web portal tab, loader semantic validation |
| 1.0.0 | TBD | Marketplace publication, pinned standard releases, conformance model |