{"id":45483254,"url":"https://github.com/z-m-huang/vcp","last_synced_at":"2026-04-18T14:04:51.205Z","repository":{"id":338243032,"uuid":"1157086960","full_name":"Z-M-Huang/vcp","owner":"Z-M-Huang","description":"Vibe Coding Protocol - Security-first protocol for AI-generated code, multiple standards with real-time enforcement and multi-AI pipeline orchestration","archived":false,"fork":false,"pushed_at":"2026-04-01T00:40:59.000Z","size":53944,"stargazers_count":7,"open_issues_count":8,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-02T07:40:52.991Z","etag":null,"topics":["ai-coding","claude-code","claude-skills","security","security-audit","vibe-coding"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Z-M-Huang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-13T12:15:00.000Z","updated_at":"2026-04-01T00:40:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"eab5cdc7-f950-4bd6-9ca5-5556509181b0","html_url":"https://github.com/Z-M-Huang/vcp","commit_stats":null,"previous_names":["z-m-huang/vcp"],"tags_count":29,"template":false,"template_full_name":null,"purl":"pkg:github/Z-M-Huang/vcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Z-M-Huang%2Fvcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Z-M-Huang%2Fvcp/tags","releases_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/repositories/Z-M-Huang%2Fvcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Z-M-Huang%2Fvcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Z-M-Huang","download_url":"https://codeload.github.com/Z-M-Huang/vcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Z-M-Huang%2Fvcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31422898,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T02:22:46.605Z","status":"ssl_error","status_checked_at":"2026-04-05T02:22:33.263Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-coding","claude-code","claude-skills","security","security-audit","vibe-coding"],"created_at":"2026-02-22T16:32:53.331Z","updated_at":"2026-04-13T00:25:49.953Z","avatar_url":"https://github.com/Z-M-Huang.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"right\"\u003e\u003ca href=\"https://github.com/Z-M-Huang/vcp/wiki/Home.zh\"\u003e中文文档\u003c/a\u003e\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"assets/logo.png\" alt=\"VCP Logo\" width=\"400\"\u003e\n\n\u003cimg src=\"assets/hero.png\" alt=\"VCP — Multi-AI Pipelines with Built-in Security\" width=\"700\"\u003e\n\n# VCP — Vibe Coding 
Protocol\n\n**Multi-AI development pipelines with built-in security enforcement.**\n\n![Visitors](https://visitor-badge.laobi.icu/badge?page_id=Z-M-Huang.vcp\u0026style=flat-square)\n![GitHub release](https://img.shields.io/github/v/release/Z-M-Huang/vcp?style=flat-square)\n![GitHub license](https://img.shields.io/github/license/Z-M-Huang/vcp?style=flat-square)\n![GitHub last commit](https://img.shields.io/github/last-commit/Z-M-Huang/vcp?style=flat-square)\n![Windows](https://img.shields.io/badge/Windows-0078D6?style=flat-square\u0026logo=windows\u0026logoColor=white)\n![macOS](https://img.shields.io/badge/macOS-000000?style=flat-square\u0026logo=apple\u0026logoColor=white)\n![Linux](https://img.shields.io/badge/Linux-FCC624?style=flat-square\u0026logo=linux\u0026logoColor=black)\n\n![41 Standards](https://img.shields.io/badge/Standards-41-blue?style=flat-square)\n![12 Scopes](https://img.shields.io/badge/Scopes-12-green?style=flat-square)\n![OWASP Top 10](https://img.shields.io/badge/OWASP_Top_10-Covered-critical?style=flat-square)\n![21 Skills](https://img.shields.io/badge/Skills-21-blue?style=flat-square)\n![9 Agents](https://img.shields.io/badge/Agents-9-green?style=flat-square)\n![6 Hooks](https://img.shields.io/badge/Hooks-6-orange?style=flat-square)\n\n\u003c/div\u003e\n\nOne AI writing and reviewing its own code is like grading your own homework. VCP orchestrates **multiple AI models** through structured pipelines — then enforces 41 security and quality standards with real-time blocking.\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"assets/pipeline.png\" alt=\"Multi-AI Pipeline Orchestration\" width=\"800\"\u003e\n\u003c/div\u003e\n\n```\n❌ VCP Security Gate — BLOCKED:\n   CWE-798: Hardcoded secret detected. 
Use environment variables or a secret manager.\n```\n\n---\n\n## Table of Contents\n\n- [Quick Start](#quick-start)\n- [Three Plugins, One Protocol](#three-plugins-one-protocol)\n- [Why This Matters](#why-this-matters)\n- [The Echo Chamber Problem](#the-echo-chamber-problem)\n- [Dev Buddy — Multi-AI Pipeline](#dev-buddy--multi-ai-pipeline)\n- [VCP — Three-Layer Enforcement](#vcp--three-layer-enforcement)\n- [Standards Coverage](#standards-coverage)\n- [Organization-Wide Standards](#organization-wide-standards)\n- [Configuration](#configuration)\n- [Core Philosophy](#core-philosophy)\n- [Documentation](#documentation)\n- [How to Contribute](#how-to-contribute)\n- [Repo Structure](#repo-structure)\n- [References](#references)\n- [License](#license)\n\n---\n\n## Quick Start\n\n**Prerequisites:** [Claude Code](https://code.claude.com/) and [Bun](https://bun.sh/). See the [Getting Started guide](https://github.com/Z-M-Huang/vcp/wiki/Getting-Started) for full setup.\n\n```bash\n# Add the VCP marketplace\n/plugin marketplace add Z-M-Huang/vcp\n\n# Install the plugin\n/plugin install vcp@vcp\n\n# Initialize your project\n/vcp-init\n```\n\nThat's it. Standards are injected at session start, dangerous patterns are blocked on every write, and 10 scanning skills are available on demand.\n\n### Docker\n\nPrefer a containerized environment? 
VCP provides a ready-to-use Docker image with Claude Code, Codex CLI, Gemini CLI, and all dependencies pre-installed:\n\n```bash\ncd docker/\ncp .env.example .env\n# Edit .env with your API keys and host paths\ndocker compose up -d\ndocker exec -it vcp-docker bash\n```\n\nSee [`docker/README.md`](docker/README.md) for full setup instructions, volume mounts, and platform-specific configuration.\n\n---\n\n## Three Plugins, One Protocol\n\nVCP ships three complementary plugins:\n\n| Plugin | What It Does | Install |\n|--------|-------------|---------|\n| **VCP** | Standards enforcement — 41 standards, real-time blocking, 10 skills | `/plugin install vcp@vcp` |\n| **Dev Buddy** | Multi-AI pipeline — configurable stages with role-based prompts, cross-model review gates, specialist analysis team | `/plugin install vcp@dev-buddy` |\n| **mcp-doc** | Documentation manifest generator — indexes project docs as MCP resources with search, path-lookup, and tree-view tools | `/plugin install vcp@mcp-doc` |\n\nUse VCP alone for standards enforcement. Add Dev Buddy when you want structured multi-AI workflows with cross-model review.\n\n---\n\n## Why This Matters\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"assets/why-vcp.png\" alt=\"Without guardrails vs With VCP\" width=\"800\"\u003e\n\u003c/div\u003e\n\nAI coding assistants produce code fast. 
They also produce code that's **2.74x more likely to contain security vulnerabilities**, **40% more complex**, and architecturally unsound at scale:\n\n| Problem | Data | Source |\n|---------|------|--------|\n| Security vulnerabilities | 2.74x higher rate than human code; 45% of AI code has vulnerabilities | CodeRabbit 2025, Veracode 2025 |\n| Code duplication | 8-fold increase across 211M lines analyzed | GitClear 2024 |\n| Complexity growth | 40% increase in AI-assisted repositories | CMU 2025 |\n| Hallucinated packages | ~20% of recommendations reference non-existent packages | Lasso Security |\n| Refactoring collapse | Dropped from 25% to \u003c10% of changed lines | GitClear 2024 |\n\n**The death spiral:** AI generates working code fast. A bug appears. AI patches the symptom, not the root cause. The patch breaks assumptions elsewhere. Each fix compounds the problem — hack on top of hack. The codebase becomes unmaintainable within months.\n\nVCP breaks this cycle by making the AI aware of engineering principles *before* it writes code, not after.\n\n---\n\n## The Echo Chamber Problem\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"assets/echo-chamber.png\" alt=\"The Echo Chamber Problem\" width=\"800\"\u003e\n\u003c/div\u003e\n\nWhen a single AI family writes and reviews code, it shares the same training biases, the same blind spots, and the same failure modes. A Claude model reviewing Claude-generated code — or GPT reviewing GPT — misses the same classes of bugs because the models share architectural lineage and training distributions. Cross-model review breaks this pattern: routing code through independent models from different providers catches issues that same-family review consistently overlooks. 
Dev Buddy makes this practical with structured pipelines that enforce cross-model review at every stage.\n\n---\n\n## Dev Buddy — Multi-AI Pipeline\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"assets/dev-buddy-pipeline.png\" alt=\"Multi-AI Pipeline Orchestration\" width=\"800\"\u003e\n\u003c/div\u003e\n\nOne AI writing and reviewing its own code is like grading your own homework. Dev Buddy implements a **Ralph loop** workflow — fresh context per iteration, specs on disk, iterate until correct. It orchestrates **multiple AI models** through 6 stages with task-based dependencies that literally prevent skipping stages.\n\n### The 6 Stages\n\n| Stage | What Happens | Multi-AI |\n|-------|-------------|----------|\n| **Discovery** | Explore codebase + running app. Map code paths, patterns, impact points. Source of truth audit. | Yes |\n| **Requirements + UAT** | Define ACs (Given/When/Then + misinterpretation + partial implementation trap). Design Playwright UAT scenarios. | Yes |\n| **Decomposition** | Break into ~50 LOC units. Each unit gets its own plan file with interface contracts, test stubs, and data flow traces. | Yes |\n| **Build** | Per-unit implementation with fresh context. Orchestrator independently runs backpressure. | Single |\n| **Code Review** | Flow tracing (point + path + intent). Stub/orphan detection. Cross-unit integration. | Yes |\n| **UAT** | Execute Playwright tests + all mechanical backpressure against running app. | Single |\n\n**Two nested loops + review gate:**\n- **Inner (BUILD -\u003e CODE REVIEW):** per-unit Ralph loop — fresh context from disk, implement, mechanical backpressure (test/typecheck/lint), retry up to `max_build_attempts`. Code review can send units back for rework.\n- **Outer (UAT):** integration Ralph loop — real Playwright UAT against running app. 
Failures identify affected units and loop back through BUILD and CODE REVIEW.\n- **User checkpoints** after Discovery, Requirements, and Decompose — approve, reject, or provide additional context.\n\n### Enforcement Stack\n\n```\nLayer 1: Unit plan + contracts   \u003c- intent, data flow traces, authoritative sources\nLayer 2: Mechanical backpressure \u003c- compilation, types, lint errors\nLayer 3: Orchestrator verify     \u003c- subagent lies, missing sections, source violations\nLayer 4: Code review (multi-AI)  \u003c- flow tracing, stub detection, drift probe\nLayer 5: UAT (Playwright)        \u003c- real user scenario failures\nLayer 6: User checkpoint         \u003c- everything above missed\nLayer 7: TaskManagement          \u003c- process compliance (no skipping)\nLayer 8: Plan files on disk      \u003c- state survival after compaction\n```\n\n### Quick Start\n\n```bash\n# Install dev-buddy alongside VCP\n/plugin install vcp@dev-buddy\n\n# Run the full Ralph workflow\n/dev-buddy-ralph Add user authentication with JWT\n\n# Configure pipeline stages and providers via web portal\n/dev-buddy-config\n```\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"assets/real-screenshot.png\" alt=\"Real pipeline in action — 5 concurrent reviews across MiniMax, Qwen, Kimi, GLM, Codex\" width=\"800\"\u003e\n\u003c/div\u003e\n\n---\n\n## VCP — Three-Layer Enforcement\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"assets/three-layer-enforcement.png\" alt=\"Three-Layer Enforcement: Prevent, Scan, Block\" width=\"800\"\u003e\n\u003c/div\u003e\n\nNo single layer catches everything. Layer 1 prevents violations at the source. Layer 3 blocks the most dangerous patterns instantly. Layer 2 catches the nuanced issues through deep analysis. Together they provide defense in depth.\n\n### Layer 1: Proactive Context — Prevent Before Writing\n\nAt session start, VCP injects a compact summary of all applicable rules into the AI's context. 
The AI internalizes security, architecture, testing, and quality rules *while it writes code* — preventing violations at the source.\n\nRun `/vcp-context` to re-inject rules at any time (useful after context compaction in long sessions).\n\n### Layer 2: On-Demand Scanning — Deep Analysis\n\nSkills scan code against 41 standards across 12 scopes using AI-driven analysis:\n\n| Skill | What It Does |\n|-------|-------------|\n| `/vcp-audit` | Full audit against all applicable standards — security, architecture, quality, compliance |\n| `/vcp-pre-commit-review` | Reviews all changed files before commit, produces PASS/BLOCK verdict |\n| `/vcp-dependency-check` | Lockfile hygiene, version ranges, package existence, typosquatting detection |\n| `/vcp-review-tests` | Test quality: over-mocking, tautological tests, missing edge cases |\n| `/vcp-coverage-gaps` | Maps source to test files, finds untested functions and missing edge cases |\n| `/vcp-test-plan` | Generates test plans with unit/integration tests, edge cases, and mock guidance |\n| `/vcp-root-cause-check` | Analyzes bug fixes for root cause vs. 
symptom patching |\n\n### Layer 3: Real-Time Blocking — Stop Dangerous Code Instantly\n\nA security gate hook runs on every `Write`, `Edit`, and `Bash` call, blocking dangerous patterns before a file is written or a command is executed:\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e21 patterns across 9 CWEs\u003c/strong\u003e — click to expand\u003c/summary\u003e\n\n| CWE | What It Catches |\n|-----|----------------|\n| CWE-798 | Hardcoded secrets, AWS keys, private keys, JWT tokens, DB connection strings, Bearer tokens, API key prefixes |\n| CWE-89 | SQL injection via string concatenation and template literals |\n| CWE-95 | Code injection via dangerous dynamic code execution with user input |\n| CWE-79 | XSS via `innerHTML` with variable assignment |\n| CWE-502 | Insecure deserialization: unsafe Python object loading, unsafe YAML, node-serialize |\n| CWE-643 | XPath injection via string concatenation |\n| CWE-1321 | Prototype pollution via `__proto__` or `constructor.prototype` |\n| CWE-1336 | Server-side template injection (SSTI): Jinja2, Handlebars with variable input |\n| CWE-116 | Encoded data piped to shell execution |\n\n\u003c/details\u003e\n\n### Coverage Backed by Industry Standards\n\nVCP standards are mapped against authoritative security frameworks:\n\n- **OWASP Top 10:2025** — All 10 categories covered\n- **OWASP Agentic AI Security Top 10 (ASI)** — All 10 categories covered (ASI01–ASI10)\n- **CWE Top 25:2024** — 19/25 covered (6 uncovered are memory-safety, out of scope for managed languages)\n- **OWASP API Security Top 10:2023** — All 10 categories addressed\n- **OWASP ASVS v5.0** — 15/17 chapters covered\n- **OWASP Docker Security** — 11/13 controls covered\n\n---\n\n## Standards Coverage\n\n41 standards across 12 scopes:\n\n| Scope | Standards | What They Cover |\n|-------|-----------|----------------|\n| **Core** (always active) | 12 | Security, architecture, root cause analysis, code quality, error handling, testing, dependency management, secure defaults, 
API misuse prevention, attack surface analysis, data flow security, concurrency security |\n| **Web Frontend** | 4 | XSS prevention, CSP, accessibility (WCAG 2.2), performance, component structure |\n| **Web Backend** | 6 | Injection prevention, API design, data access, WebSocket/SSE, caching security, backend structure |\n| **Database** | 2 | Encryption (TDE, column-level, key management), schema security (RLS, masking, audit) |\n| **Mobile** | 2 | Keychain/KeyStore, certificate pinning, deep links, biometrics, attestation, platform configuration |\n| **Desktop** | 1 | Electron context isolation, Tauri capabilities, IPC validation, code signing |\n| **CLI** | 1 | Shell injection, argument injection, exit codes, signal handling |\n| **DevOps** | 4 | Containers, CI/CD, Infrastructure as Code, Kubernetes |\n| **Agentic AI** | 5 | Agent security (prompt injection, code execution, memory poisoning), tool security (MCP vetting, allowlists), permissions (least privilege, rogue detection), supply chain (MCP integrity, model provenance), communication (inter-agent auth, cascading failures) — OWASP ASI Top 10 |\n| **Compliance — GDPR** | 1 | Data deletion, retention, consent, PII handling |\n| **Compliance — PCI DSS** | 1 | Tokenization, card masking, CDE isolation |\n| **Compliance — HIPAA** | 1 | PHI encryption, audit logging, retention, minimum necessary |\n| **Compliance — Accessibility** | 1 | ADA, Section 508/504, EAA, PSBAR, AODA, ACA, EN 301 549, WCAG conformance mapping, accessibility statements, VPAT/ACR |\n\nAll standards follow a consistent format: **WHY** (the principle), **WHAT** (numbered actionable rules), **HOW** (code examples and anti-patterns). 
See [`standards/README.md`](standards/README.md) for the format specification.\n\n---\n\n## Organization-Wide Standards\n\nVCP's manifest system lets organizations enforce their own rules across all projects and developers — alongside or instead of VCP defaults.\n\n```\nRoot Manifest (manifest.json)\n├── core scope     → https://your-org.github.io/standards/scopes/core.json\n│   ├── core-security.md      (VCP default)\n│   ├── core-architecture.md  (VCP default)\n│   └── org-coding-style.md   (your custom standard)\n├── web-backend    → https://your-org.github.io/standards/scopes/web-backend.json\n│   ├── web-backend-security.md   (VCP default)\n│   └── org-api-conventions.md    (your custom standard)\n└── org-internal   → https://your-org.github.io/standards/scopes/org-internal.json\n    ├── org-logging-policy.md     (your custom standard)\n    └── org-data-classification.md (your custom standard)\n```\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSet up for your organization\u003c/strong\u003e — click to expand\u003c/summary\u003e\n\n#### 1. Create your standards\n\nWrite markdown files following the [VCP format spec](standards/README.md). Each standard has YAML frontmatter, a principle, numbered rules with code examples, and anti-patterns.\n\n#### 2. Create scope manifests\n\nJSON files listing your standards with severity and tags:\n\n```json\n{\n  \"scope\": \"org-internal\",\n  \"standards\": [\n    {\n      \"id\": \"org-logging-policy\",\n      \"url\": \"https://your-org.github.io/standards/org-logging-policy.md\",\n      \"severity\": \"high\",\n      \"tags\": [\"logging\", \"compliance\"]\n    }\n  ]\n}\n```\n\n#### 3. 
Create a root manifest\n\nPoint to your scope manifests (include VCP defaults or replace them):\n\n```json\n{\n  \"version\": \"2.0\",\n  \"repository\": \"https://github.com/your-org/vcp-standards\",\n  \"scopes\": {\n    \"core\": {\n      \"manifest\": \"https://your-org.github.io/standards/scopes/core.json\",\n      \"applies\": \"always\"\n    },\n    \"org-internal\": {\n      \"manifest\": \"https://your-org.github.io/standards/scopes/org-internal.json\",\n      \"applies\": \"always\"\n    }\n  }\n}\n```\n\n#### 4. Point VCP to your manifest\n\nSet the URL globally (applies to all projects) or per-project:\n\n```bash\n# Global — all projects on this machine use your org's standards\n/vcp-config global set standards_url https://your-org.github.io/standards/manifest.json\n\n# Per-project — override for a specific repo\n/vcp-config set standards_url https://your-org.github.io/standards/manifest.json\n```\n\n\u003c/details\u003e\n\n**What this enables:**\n\n- **Consistent enforcement** — Every developer using AI coding tools follows the same rules\n- **Mix and match** — Include VCP's default standards alongside your own, or replace them entirely\n- **Central updates** — Update a standard once, every project picks it up on next session\n- **Schema validation** — Manifests are validated against [published JSON schemas](schemas/) for correctness\n\n---\n\n## Configuration\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eVCP uses two config files\u003c/strong\u003e — click to expand\u003c/summary\u003e\n\n| File | Scope | Purpose |\n|------|-------|---------|\n| `~/.vcp/config.json` | Global (machine-wide) | Standards URL, plugin path, default severity/scopes/compliance/ignore |\n| `.vcp/config.json` | Project | Scopes, compliance frameworks, severity threshold, frameworks, exclude patterns, ignore rules |\n\nManage via natural language with `/vcp-config`:\n\n```\n/vcp-config ignore core-architecture          # Suppress a standard\n/vcp-config ignore 
core-security/rule-3       # Suppress a specific rule\n/vcp-config ignore CWE-798                    # Suppress a security gate pattern\n/vcp-config enable database scope             # Toggle a scope\n/vcp-config add gdpr compliance               # Add a compliance framework\n/vcp-config set severity to high              # Change severity threshold\n/vcp-config global show                       # View global config\n```\n\n\u003c/details\u003e\n\n---\n\n## Core Philosophy\n\n1. **Security comes first.** No feature is worth a vulnerability.\n2. **Architecture comes second.** Every change respects the system's structure.\n3. **Fix the root cause, not the symptom.** Trace bugs to where they originate. Break the death spiral.\n4. **Principled, not prescriptive.** Explain WHY, not just WHAT. Allow alternatives that satisfy the principle.\n5. **AI-parseable.** Standards are structured for machine consumption — consistent format, unambiguous rules.\n\n---\n\n## Documentation\n\nFull documentation is on the **[VCP Wiki](https://github.com/Z-M-Huang/vcp/wiki)**:\n\n- **[Getting Started](https://github.com/Z-M-Huang/vcp/wiki/Getting-Started)** — Prerequisites, installation, first scan\n- **[Configuration](https://github.com/Z-M-Huang/vcp/wiki/Configuration)** — Scopes, compliance, severity, ignore rules\n- **[Skills Reference](https://github.com/Z-M-Huang/vcp/wiki/Skills-Reference)** — All 10 skills with usage and examples\n- **[Dev Buddy Quick Start](https://github.com/Z-M-Huang/vcp/wiki/Dev-Buddy-Quick-Start)** — Multi-AI pipeline setup and first run\n- **[Dev Buddy Configuration](https://github.com/Z-M-Huang/vcp/wiki/Dev-Buddy-Configuration)** — Pipeline stages, providers, models\n- **[FAQ](https://github.com/Z-M-Huang/vcp/wiki/FAQ)** — Common questions and troubleshooting\n\n---\n\n## How to Contribute\n\n- **Report a vibe coding problem** — Encountered a real issue from AI-generated code? 
[Open a problem report](https://github.com/Z-M-Huang/vcp/issues/new?template=vibe-coding-problem.yml). Your experience directly informs which standards we prioritize.\n- **Propose a new standard** — Have an idea that would prevent a class of AI coding problems? [Propose a standard](https://github.com/Z-M-Huang/vcp/issues/new?template=standard-proposal.yml). Review the [format spec](standards/README.md) first.\n- **Contribute to existing standards** — Pick an [open issue](https://github.com/Z-M-Huang/vcp/issues), read the requirements, and submit a PR.\n\n---\n\n## Repo Structure\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eProject layout\u003c/strong\u003e — click to expand\u003c/summary\u003e\n\n```\nvcp/\n├── standards/           # 41 AI-optimized principled standards across 12 scopes\n│   ├── manifest.json    # Root manifest — full HTTPS URLs, org-customizable\n│   ├── scopes/          # Per-scope manifest files\n│   ├── core-*.md        # Universal: security, architecture, testing, etc.\n│   ├── web-*.md         # Frontend and backend web standards\n│   ├── database-*.md    # Encryption, schema security\n│   ├── mobile-*.md      # Credential storage, cert pinning, biometrics\n│   ├── desktop-*.md     # Electron/Tauri isolation, IPC security\n│   ├── cli-*.md         # Shell injection, argument injection, exit codes\n│   ├── devops-*.md      # Containers, CI/CD, IaC, Kubernetes\n│   ├── agentic-ai-*.md  # Agent security, tool security, permissions, supply chain, communication\n│   └── compliance-*.md  # GDPR, PCI DSS, HIPAA, Accessibility\n├── schemas/             # JSON schemas for config and manifest validation\n├── plugins/vcp/         # VCP plugin — standards enforcement (skills, hooks, agents)\n├── plugins/dev-buddy/   # Dev Buddy plugin — multi-AI pipeline orchestration\n├── plugins/mcp-doc/     # mcp-doc plugin — documentation manifest generator\n├── docker/              # Docker image — Claude Code, Codex CLI, Gemini CLI\n└── 
.claude-plugin/      # Marketplace manifest\n```\n\n\u003c/details\u003e\n\n---\n\n## References\n\n### Research\n\n- [CodeRabbit — State of AI vs Human Code Generation (Dec 2025)](https://www.coderabbit.ai/whitepapers/state-of-AI-vs-human-code-generation-report) — 2.74x vulnerability rate across 470 PRs\n- [GitClear — AI Copilot Code Quality 2025](https://www.gitclear.com/ai_assistant_code_quality_2025_research) — 211M lines, 4x growth in code clones\n- [Veracode — 2025 GenAI Code Security](https://www.veracode.com/resources/analyst-reports/2025-genai-code-security-report/) — 45% AI code has security vulnerabilities\n- [CMU — Speed at the Cost of Quality (arXiv 2511.04427)](https://arxiv.org/abs/2511.04427) — 40.7% complexity increase\n- [Spracklen et al. — Package Hallucinations (USENIX Security 2025)](https://arxiv.org/abs/2406.10279) — 205,474 hallucinated package names\n\n### Frameworks\n\n- [OWASP Top 10:2025](https://owasp.org/Top10/2025/) — [OWASP ASVS v5.0](https://owasp.org/www-project-application-security-verification-standard/) — [OWASP API Security Top 10:2023](https://owasp.org/API-Security/) — [CWE Top 25:2024](https://cwe.mitre.org/top25/) — [OWASP Agentic AI Security Top 10 (Dec 2025)](https://genai.owasp.org/2025/12/09/owasp-genai-security-project-releases-top-10-risks-and-mitigations-for-agentic-ai-security/)\n\n---\n\n## License\n\n[Apache License 2.0](LICENSE.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fz-m-huang%2Fvcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fz-m-huang%2Fvcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fz-m-huang%2Fvcp/lists"}
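The Layer 3 security gate described in the README above is a pattern tripwire that runs before a `Write`, `Edit` or `Bash` call takes effect. The block below is an added example, written for this page and not taken from the VCP repository, of what such a gate looks like: a handful of regular expressions for some of the CWE classes the README lists (CWE-798, CWE-89, CWE-79, CWE-1321 and the base64-to-shell case VCP files under CWE-116), a scanner that reports line numbers and redacts detected secrets instead of echoing them back into the model's context, and a pure hook body that fails closed on unreadable input. The hook I/O contract (`tool_name` and `tool_input` as JSON on stdin, exit code 2 to block with the reason on stderr) is assumed from Claude Code's hook interface; the rule set, the constructed sample snippets and the `runHook` name are this example's own.

```typescript
// Added example, not VCP's own hook code. Rule set is an illustrative subset of the
// README's CWE classes; the hook contract (tool_name/tool_input on stdin, exit 2 = block)
// is assumed from Claude Code's PreToolUse hooks.

interface Rule { cwe: string; name: string; re: RegExp }
interface Finding { cwe: string; rule: string; line: number; excerpt: string }

const RULES: Rule[] = [
  // CWE-798: credentials committed to source
  { cwe: "CWE-798", name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { cwe: "CWE-798", name: "private key block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { cwe: "CWE-798", name: "DB connection string with embedded password",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^:\s\/]+:[^@\s]+@/i },
  // CWE-89: query text assembled by interpolation or concatenation (parameterised queries do not match)
  { cwe: "CWE-89", name: "SQL in template literal with ${...}",
    re: /`[^`]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^}]+\}[^`]*`/i },
  { cwe: "CWE-89", name: "SQL string concatenated with a variable",
    re: /["'][^"'\n]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^\n]*?["']\s*\+\s*[A-Za-z_$]/i },
  // CWE-79: innerHTML assigned a variable or an interpolating template literal
  { cwe: "CWE-79", name: "innerHTML assigned from a variable",
    re: /\.innerHTML\s*\+?=\s*(?:[A-Za-z_$][\w$.]*|`[^`]*\$\{)/ },
  // CWE-1321: writes through __proto__ or constructor.prototype (the (?!=) keeps comparisons out)
  { cwe: "CWE-1321", name: "prototype pollution sink",
    re: /(?:\[\s*["']__proto__["']\s*\]|\.__proto__|constructor\.prototype)\s*(?:\[[^\]]*\]|\.\w+)?\s*=(?!=)/ },
  // CWE-116 as the README labels it: a decoded blob handed straight to a shell
  { cwe: "CWE-116", name: "base64-decoded data piped to a shell",
    re: /base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba|z|da)?sh\b/ },
];

/** Run every rule over the whole text (not per line, so a multi-line template literal is
 *  still caught) and report findings in file order. */
function scan(text: string): Finding[] {
  const findings: Finding[] = [];
  for (const rule of RULES) {
    const re = new RegExp(rule.re.source, rule.re.flags + "g"); // rules above carry no g flag themselves
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      if (m[0].length === 0) { re.lastIndex++; continue; }
      findings.push({
        cwe: rule.cwe,
        rule: rule.name,
        line: text.slice(0, m.index).split("\n").length,
        // Never echo a detected secret back into logs or the model's context.
        excerpt: rule.cwe === "CWE-798" ? "[redacted]" : m[0].replace(/\s+/g, " ").slice(0, 80),
      });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

interface HookInput {
  tool_name: string;
  tool_input: { file_path?: string; content?: string; old_string?: string; new_string?: string; command?: string };
}

/** The text about to hit disk or a shell. Edit carries only the replacement, so only
 *  new_string is scanned: a secret assembled across several edits slips past a gate. */
function textUnderReview(input: HookInput): string {
  const t: HookInput["tool_input"] = input.tool_input ?? {};
  switch (input.tool_name) {
    case "Write": return t.content ?? "";
    case "Edit": return t.new_string ?? "";
    case "Bash": return t.command ?? "";
    default: return "";
  }
}

function parseHookInput(json: string): HookInput | null {
  try {
    const v: unknown = JSON.parse(json);
    return v !== null && typeof v === "object" ? (v as HookInput) : null;
  } catch { return null; }
}

/** Pure hook body: stdin document in, exit code and stderr text out. Wiring it to
 *  process.stdin / process.exit is left to the real hook (assumed: exit 2 blocks). */
function runHook(stdinJson: string): { exitCode: number; stderr: string } {
  const input = parseHookInput(stdinJson);
  // Fail closed: a gate that waves through unparseable input is a bypass waiting to happen.
  if (input === null) return { exitCode: 2, stderr: "Security gate BLOCKED: unreadable hook input" };
  const findings = scan(textUnderReview(input));
  if (findings.length === 0) return { exitCode: 0, stderr: "" };
  const detail = findings.map((f) => `   ${f.cwe}: ${f.rule} (line ${f.line}): ${f.excerpt}`);
  return { exitCode: 2, stderr: ["Security gate BLOCKED:", ...detail].join("\n") };
}

// Constructed samples for this example (not real project code). AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder.
const SAMPLE_VULNERABLE = [
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  'const db = connect("postgres://app:s3cretpass@db.internal:5432/app");',
  'const row = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);',
  'const q = "SELECT * FROM orders WHERE owner = \'" + owner + "\'";',
  'el.innerHTML = req.query.msg;',
  'target["__proto__"]["isAdmin"] = true;',
].join("\n");
const SAMPLE_SAFE = [
  'const AWS_KEY = process.env.AWS_ACCESS_KEY_ID;',
  'const db = connect(process.env.DATABASE_URL);',
  'const row = await db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);',
  'el.textContent = req.query.msg;',
].join("\n");
const SAMPLE_BASH = 'echo "$PAYLOAD" | base64 -d | bash';
```

Two limits are worth knowing before relying on a gate like this: an `Edit` carries only the replacement text, so a secret assembled across several edits passes, and a regex flags `innerHTML = DOMPurify.sanitize(x)` as readily as `innerHTML = req.query.msg`. That is the division of labour the README describes, with Layer 3 as the fast tripwire and the nuance left to the Layer 2 scans.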
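The Organization-Wide Standards section above puts the whole rule set behind one URL: whoever serves `manifest.json` and the files it points to decides what the AI is told to enforce, and schema validation checks the shape of those files, not who served them. The block below is an added example, written for this page and not taken from the VCP repository, of a resolver that walks a root manifest of the shape shown in the README into the standards a project would load, and refuses any manifest or standard URL that is not https on a host you have explicitly trusted. The manifest shapes follow the README; the in-memory `fetchJson`, the `trustedHosts` allowlist, the sample `your-org.github.io` manifests and the treatment of `applies` values other than `"always"` as opt-in scope names are this example's assumptions.

```typescript
// Added example, not VCP's own resolver. Manifest shapes follow the README; fetchJson,
// trustedHosts, the sample manifests and the handling of `applies` values other than
// "always" are this example's assumptions.

interface StandardRef { id: string; url: string; severity: string; tags?: string[] }
interface ScopeManifest { scope: string; standards: StandardRef[] }
interface RootManifest {
  version: string;
  repository?: string;
  scopes: Record<string, { manifest: string; applies: string }>;
}
type Fetcher = (url: string) => ScopeManifest;

/** Hostname of an https URL, or null for anything else (http, file, data, userinfo tricks, malformed). */
function hostOfHttps(url: string): string | null {
  const m = /^https:\/\/([a-z0-9.-]+)(?::\d+)?(?:[\/?#]|$)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

/** Whoever serves a standard decides what the AI is told to do, so every URL in the
 *  manifest chain is a trust decision, not just a download location. */
function assertTrustedUrl(url: string, trustedHosts: Set<string>, what: string): void {
  const host = hostOfHttps(url);
  if (host === null) throw new Error(`${what}: refusing non-https URL ${url}`);
  if (!trustedHosts.has(host)) throw new Error(`${what}: host ${host} is not trusted`);
}

/** "always" is the value the README shows; treating any other value as opt-in by scope
 *  name is this example's assumption, not documented VCP behaviour. */
function scopeIsActive(name: string, applies: string, enabledScopes: Set<string>): boolean {
  return applies === "always" || enabledScopes.has(name);
}

function resolveStandards(root: RootManifest, enabledScopes: Set<string>,
                          trustedHosts: Set<string>, fetchJson: Fetcher): StandardRef[] {
  const out: StandardRef[] = [];
  const seen = new Set<string>();
  for (const [name, entry] of Object.entries(root.scopes)) {
    if (!scopeIsActive(name, entry.applies, enabledScopes)) continue;
    assertTrustedUrl(entry.manifest, trustedHosts, `scope ${name}`);
    const scope = fetchJson(entry.manifest);
    // A scope manifest must describe the scope the root named; otherwise a swapped file
    // could attach rules to a scope they were never reviewed for.
    if (scope.scope !== name) throw new Error(`scope ${name}: manifest declares scope '${scope.scope}'`);
    for (const std of scope.standards) {
      assertTrustedUrl(std.url, trustedHosts, `standard ${std.id}`);
      if (seen.has(std.id)) throw new Error(`standard ${std.id}: duplicate id across scopes`);
      seen.add(std.id);
      out.push(std);
    }
  }
  return out;
}

/** Result-returning wrapper so callers see a reason instead of an exception. */
function resolveSafely(root: RootManifest, enabledScopes: Set<string>, trustedHosts: Set<string>,
                       fetchJson: Fetcher): { ok: true; ids: string[] } | { ok: false; error: string } {
  try {
    return { ok: true, ids: resolveStandards(root, enabledScopes, trustedHosts, fetchJson).map((s) => s.id) };
  } catch (e) {
    return { ok: false, error: (e as Error).message };
  }
}

// Constructed sample manifests, served from an in-memory map so the example runs offline.
const ORG = "your-org.github.io";
const stdRef = (id: string, severity: string, scheme = "https"): StandardRef =>
  ({ id, url: `${scheme}://${ORG}/standards/${id}.md`, severity });
const SCOPE_MANIFESTS = new Map<string, ScopeManifest>([
  [`https://${ORG}/standards/scopes/core.json`,
    { scope: "core", standards: [stdRef("core-security", "critical"), stdRef("org-coding-style", "medium")] }],
  [`https://${ORG}/standards/scopes/web-backend.json`,
    { scope: "web-backend", standards: [stdRef("org-api-conventions", "high")] }],
  [`https://${ORG}/standards/scopes/org-internal.json`,
    { scope: "org-internal", standards: [stdRef("org-logging-policy", "high"), stdRef("org-data-classification", "high")] }],
  [`https://${ORG}/standards/scopes/org-legacy.json`,
    { scope: "org-legacy", standards: [stdRef("org-legacy-style", "low", "http")] }], // plain http: refused
]);
const fetchFromMap: Fetcher = (url) => {
  const m = SCOPE_MANIFESTS.get(url);
  if (!m) throw new Error(`no manifest at ${url}`);
  return m;
};
const ROOT: RootManifest = {
  version: "2.0",
  repository: "https://github.com/your-org/vcp-standards",
  scopes: {
    "core":         { manifest: `https://${ORG}/standards/scopes/core.json`, applies: "always" },
    "web-backend":  { manifest: `https://${ORG}/standards/scopes/web-backend.json`, applies: "web-backend" },
    "org-internal": { manifest: `https://${ORG}/standards/scopes/org-internal.json`, applies: "always" },
    "org-legacy":   { manifest: `https://${ORG}/standards/scopes/org-legacy.json`, applies: "org-legacy" },
  },
};
const TRUSTED = new Set([ORG]);
```

In practice `fetchJson` would be an https client; the point is that the origin check runs before any fetched content is trusted. A root manifest that mixes VCP's defaults with your own standards needs every host it touches on the allowlist, not only your own, which is itself a useful inventory of who can change what your AI tooling enforces.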