Standards Overview

Z-M-Huang edited this page Feb 25, 2026 · 10 revisions

VCP includes 41 standards organized into 12 scopes. All standards are fetched at runtime from the manifest — no local copy is needed.

How Standards Are Loaded

  1. Skills (or the shared TypeScript module) fetch manifest.json (v2) from GitHub
  2. The v2 manifest's scopes object maps scope names to per-scope manifest files in standards/scopes/
  3. Each scope manifest is fetched and its standards are flattened into a unified list
  4. Standards are filtered based on the project's .vcp/config.json scopes and compliance settings
  5. Each applicable standard is fetched individually using its full HTTPS URL (validated before fetch)
  6. The ## Rules section is extracted from each standard
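Steps 3 to 6 above, sketched in JavaScript on constructed data as an added example (not VCP's own code). The field names `standards`, `applies` and `url`, the allowed host and the sample URLs are assumptions, and the network fetches themselves are left out.

```javascript
// Added example; field names (standards, applies, url) and ALLOWED_HOST are assumptions.
const ALLOWED_HOST = "raw.githubusercontent.com";

// Step 3: flatten the per-scope manifests into one list of standards.
const flatten = (manifests) => Object.values(manifests).flatMap((m) => m.standards);

// Step 4: keep standards whose `applies` value matches .vcp/config.json.
function applicable(standards, config) {
  const scopes = new Set(config.scopes ?? []);
  const frameworks = new Set(config.compliance ?? []);
  return standards.filter(({ applies }) => {
    if (applies === "always") return true;
    const fw = /^compliance:(.+)$/.exec(applies);
    return fw ? frameworks.has(fw[1]) : scopes.has(applies);
  });
}

// Step 5: accept only plain HTTPS URLs on the expected host, no userinfo or custom port.
function isFetchable(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  return u.protocol === "https:" && u.hostname === ALLOWED_HOST &&
    u.username === "" && u.password === "" && u.port === "";
}

// Step 6: return the body of "## Rules", ignoring headings inside code fences.
function extractRules(markdown) {
  const lines = markdown.split(/\r?\n/);
  const start = lines.findIndex((l) => /^##\s+Rules\s*$/.test(l));
  if (start === -1) return null; // no Rules section: caller should treat as an error
  let end = lines.length, inFence = false;
  for (let i = start + 1; i < lines.length; i++) {
    if (/^\s*(`{3}|~{3})/.test(lines[i])) inFence = !inFence;
    else if (!inFence && /^#{1,2}\s/.test(lines[i])) { end = i; break; }
  }
  return lines.slice(start + 1, end).join("\n").trim();
}

// Constructed sample data (not taken from the VCP repository).
const BASE = `https://${ALLOWED_HOST}/example-org/example-repo/main/standards/`;
const sampleScopes = {
  core: { standards: [{ id: "core-security", applies: "always", url: BASE + "core-security.md" }] },
  cli: { standards: [{ id: "cli-security-and-quality", applies: "cli", url: BASE + "cli-security-and-quality.md" }] },
  compliance: { standards: [{ id: "compliance-gdpr", applies: "compliance:gdpr", url: "http://example.invalid/compliance-gdpr.md" }] },
};
const sampleConfig = { scopes: ["web-backend"], compliance: ["gdpr"] };

// IDs that survive both the scope/compliance filter and URL validation.
const plan = (manifests, config) =>
  applicable(flatten(manifests), config).filter((s) => isFetchable(s.url)).map((s) => s.id);
```

With the sample config, `compliance-gdpr` passes the scope filter but is dropped at URL validation because its constructed URL is plain HTTP on another host.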

Standards by Scope

Core (12 standards, applies: always)

These standards apply to every VCP-configured project regardless of scope settings.

| ID | Severity | Title | Description |
|---|---|---|---|
| core-security | critical | Security | Input validation, output encoding, parameterized queries, secrets management, cryptography, authentication, authorization, deserialization, data protection, timing attacks, key lifecycle, prototype pollution |
| core-secure-defaults | critical | Secure Defaults | No hardcoded fallback secrets, no default credentials, secure crypto defaults, default-deny permissions, fail-secure, no debug in production, startup validation |
| core-api-design-security | high | API Design Security | Safe-path-is-easy-path, no caller algorithm selection, semantic types, never ignore security failures, configuration cliffs, explicit opt-in for dangerous ops |
| core-dependency-management | critical | Dependency Management | Lockfile hygiene, version pinning, package verification, slopsquatting detection, supply chain tools |
| core-architecture | high | Architecture | Single responsibility, separation of concerns, dependency direction, layer boundaries |
| core-root-cause-analysis | high | Root Cause Analysis | Fix at the right level, trace to origin, break the death spiral |
| core-code-quality | high | Code Quality | Consistency, duplication elimination, dead code removal, naming conventions, strategic comments for AI context preservation |
| core-error-handling | high | Error Handling | Edge cases, boundary validation, structured errors, never swallow errors |
| core-testing | high | Testing | Test real behavior, meaningful assertions, edge cases, no mock-only tests |
| core-attack-surface | high | Attack Surface Analysis | Entry point mapping, access level classification, exposure-proportional security, attack surface reduction |
| core-data-flow-security | critical | Data Flow Security | Source-sink analysis, taint tracking, undefended path detection, ReDoS prevention |
| core-concurrency-security | high | Concurrency Security | TOCTOU prevention, idempotency keys, database transaction isolation, optimistic concurrency, advisory locks |

Web Frontend (4 standards, applies: web-frontend)

| ID | Severity | Title | Description |
|---|---|---|---|
| web-frontend-security | critical | Frontend Security | XSS prevention, CSP, CORS, auth token handling, iframe sandboxing, clickjacking, SRI, DOM XSS sinks, postMessage validation, third-party script sandboxing |
| web-frontend-structure | high | Frontend Structure | Component organization, state management, folder conventions |
| web-frontend-accessibility | high | Web Accessibility | WCAG 2.2, semantic HTML, keyboard navigation, ARIA, color contrast, focus management |
| web-frontend-performance | medium | Frontend Performance | Bundle discipline, lazy loading, code splitting, rendering optimization |

Web Backend (6 standards, applies: web-backend)

| ID | Severity | Title | Description |
|---|---|---|---|
| web-backend-security | critical | Backend Security | Injection prevention, authentication, authorization, secrets management, rate limiting, SSRF, path traversal, file upload, XXE, request smuggling, DB TLS, JWT security, OAuth/OIDC |
| web-backend-structure | high | Backend Structure | HTTP/business logic separation, service layers, middleware conventions |
| web-backend-data-access | high | Backend Data Access | Query safety, migration patterns, connection management, ORM usage |
| web-backend-api-design | high | API Design and Security | REST pagination, RFC 9457 errors, GraphQL depth limiting, gRPC auth, idempotency, persisted queries, unsafe API consumption, business flow protection |
| web-backend-realtime | high | Realtime Communication | WebSocket auth, origin validation, message schema validation, SSE resumption |
| web-backend-caching | high | Caching Security | Cache poisoning, cache deception, sensitive data in caches, Redis ACLs |

Database (2 standards, applies: database)

| ID | Severity | Title | Description |
|---|---|---|---|
| database-encryption | critical | Database Encryption | TDE, column-level encryption, key management, PII protection |
| database-schema-security | high | Database Schema Security | Row-level security, data classification, audit triggers, masking |

Mobile (2 standards, applies: mobile)

| ID | Severity | Title | Description |
|---|---|---|---|
| mobile-security | critical | Mobile Security | Keychain/KeyStore, certificate pinning, deep links, biometrics, IPC, background data, app attestation, binary protections, backup exclusion, privacy controls |
| mobile-platform-configuration | high | Mobile Platform Configuration | ATS, Network Security Config, permissions, WebView, cross-platform frameworks |

Desktop (1 standard, applies: desktop)

| ID | Severity | Title | Description |
|---|---|---|---|
| desktop-security | critical | Desktop Application Security | Electron context isolation, Tauri capabilities, IPC validation, CSP, auto-update verification, code signing, DevTools, preload integrity, native modules, IPC prototype pollution |

CLI (1 standard, applies: cli)

| ID | Severity | Title | Description |
|---|---|---|---|
| cli-security-and-quality | high | CLI Security and Quality | Shell injection, argument injection, secure temp files, exit codes, signals, XDG compliance |

DevOps (4 standards, applies: devops)

| ID | Severity | Title | Description |
|---|---|---|---|
| devops-container-security | critical | Container Security | Non-root containers, multi-stage builds, pinned digests, capability dropping, image scanning, cosign provenance, minimal base images, seccomp/AppArmor, Docker socket, rootless mode |
| devops-cicd-security | critical | CI/CD Pipeline Security | SHA-pinned actions, minimum permissions, script injection prevention, OIDC auth, SLSA provenance attestation, pull_request_target restrictions |
| devops-iac-security | high | Infrastructure as Code Security | No hardcoded creds, least-privilege IAM, encrypted storage, locked state files, policy-as-code CI, drift detection, module pinning |
| devops-kubernetes-security | high | Kubernetes Security | Pod security, RBAC, network policies, external secret managers, mTLS with Istio, secure ingress, Falco runtime monitoring, cluster hardening |

Agentic AI (5 standards, applies: agentic-ai)

Standards for AI agent development — MCP servers, multi-agent systems, and LLM tool use. Covers all 10 categories of the OWASP Agentic AI Security Initiative Top 10 (Dec 2025).

| ID | Severity | Title | Description |
|---|---|---|---|
| agentic-ai-agent-security | critical | Agent Security | Prompt injection defense (ASI01), sandboxed code execution (ASI05), RAG/memory poisoning prevention (ASI06), human oversight requirements (ASI09) |
| agentic-ai-tool-security | critical | Tool Security | Tool allowlists, MCP server vetting, tool argument validation, invocation audit logging (ASI02) |
| agentic-ai-permissions | critical | Agent Permissions | Least privilege, credential scoping, session-scoped tokens, rogue agent detection, filesystem/network isolation (ASI03, ASI10) |
| agentic-ai-supply-chain | critical | Agentic Supply Chain | MCP server integrity, tool descriptor tampering, model provenance, agent persona verification (ASI04) |
| agentic-ai-communication | high | Agent Communication | Authenticated inter-agent messaging, message integrity, circuit breakers, cascading failure prevention (ASI07, ASI08) |

Compliance (4 standards, applies: compliance:{framework})

These are only loaded when the corresponding compliance framework is configured in .vcp/config.json.

| ID | Severity | Applies When | Description |
|---|---|---|---|
| compliance-gdpr | critical | "gdpr" in compliance | Data deletion, retention, consent, PII handling, CCPA/CPRA |
| compliance-pci-dss | critical | "pci-dss" in compliance | Tokenization, card masking, CDE isolation, PCI DSS v4.0 |
| compliance-hipaa | critical | "hipaa" in compliance | PHI encryption, audit logging, retention, minimum necessary |
| compliance-accessibility | critical | "accessibility" in compliance | ADA, Section 508/504, EAA, PSBAR, AODA, ACA, EN 301 549, WCAG conformance mapping, accessibility statements, VPAT/ACR, complaint handling |

Severity Levels

| Severity | Meaning | Examples |
|---|---|---|
| critical | Security vulnerabilities or compliance violations | SQL injection, hardcoded secrets, missing encryption |
| high | Architectural violations that cause long-term damage | SRP violations, layer bleeding, missing error handling |
| medium | Quality issues that accumulate over time | Code duplication, naming inconsistency, bundle bloat |
| low | Minor style or convention issues | (None currently — all standards are medium or above) |

Cross-References

Standards reference each other and external resources:

  • OWASP Top 10:2025 — Web application security risks
  • OWASP ASVS v5.0 — Application security verification
  • OWASP Mobile Top 10 — Mobile application security risks
  • OWASP API Security Top 10 — API security risks
  • OWASP Agentic AI Security Top 10 (ASI) — AI agent security risks (ASI01–ASI10)
  • CWE (Common Weakness Enumeration) — Vulnerability taxonomy
  • WCAG 2.2 — Web accessibility guidelines
  • OpenSSF — Open source security guidance

Viewing Standards

All standards are in the standards/ directory with flat {scope}-{topic}.md naming. Scope manifests are in standards/scopes/.

See Standards Format Specification for the structure and writing guidelines.
