security ide vscode startup product devlog build-in-public hcode

HCode Product Baseline: Midterms Tomorrow, Product Thinking Today

Mundrathi Vasanth Adithya
Mundrathi Vasanth Adithya
· 7 min read

I do not know why my brain works like this.

My midterms are tomorrow. The normal thing to do would be to sit down, open the PDFs, and study like a responsible person. Instead, my brain keeps doing everything except studying. It keeps drifting back to HCode.

The funny part is: I am not even scared of these mids. For most of them, all it takes is one focused hour of reading the PDF, writing down the key points, and then walking into the exam and finishing it in under 30 minutes. That part feels manageable.

What my brain actually wants to do tonight is think about product shape, platform direction, and how to make HCode feel less like a bundle of experiments and more like a real product with a clear direction.

So this is the March 10 vlog. Not a feature launch. Not a polished release. More like a product-baseline checkpoint.

What HCode Is Becoming

HCode is a security-focused IDE built on top of Code - OSS. The goal is no longer just “fork VS Code and add security tools.” That idea is too loose.

The real direction now is this: HCode should ship as a startup-ready product baseline, not as a collection of disconnected experiments.

That means the repo needs to answer a much more serious question:

If I open this codebase a month from now, will it still feel like one coherent product instead of ten late-night ideas glued together?

That is the lens I am using now.

flowchart LR A["Code - OSS base"] --> B["HCode product identity"] B --> C["Unified security workflow surface"] C --> D["Built-in extensions"] D --> E["MCP and ACE control-plane baseline"] E --> F["Startup-ready product baseline"]

Product Positioning

The current product shape combines:

  • A dedicated HCode application identity with separate app names, data folders, and bundle identifiers.
  • A unified HCode sidebar surface for security workflows.
  • Built-in extensions for tools, devices, bug bounty operations, skills, CTF helpers, MCP, theming, and ACE control-plane scaffolding.

This is the first time HCode feels like it has a baseline that is bigger than “cool devlog material.” It has a shape.

What changed recently is that this baseline is no longer just about bundling security panels into a VS Code fork. The newest layer is the ACE addition.

ACE gives HCode a control-plane direction:

  • Provider registry and direct provider execution commands.
  • Personas and skill-pack metadata.
  • A minimal ACP coordinator with bounded worker runs and deterministic validation.
  • Live MCP bridge status plus start and stop controls.

That addition matters because it moves HCode from being just a security IDE shell into something closer to an operator workspace with runtime coordination.

Current Product Identity

The HCode identity is already distinct at the product layer:

  • Product name: HCode
  • Long name: HCode - Security IDE
  • Application name: hcode
  • Data folder: .hcode
  • Bundle identifier: com.hcode.app

That matters more than it sounds. Product identity is where a fork stops being a rename joke and starts becoming its own software.

What Is Already Validated

This baseline is not theoretical. The repository has already been checked for the following conditions:

  • Product metadata is HCode-specific in product.json.
  • Workspace diagnostics are clean for the touched HCode files.
  • VS Code build tasks start successfully.
  • Core transpile and typecheck watchers recover and report zero compile errors.
  • Extension build output reaches compilation instead of failing on manifest schema errors.
  • ACE provider runtime and ACP runtime are wired into the current extension entrypoint.
  • The MCP server exports a live runtime API consumed by ACE bridge actions.

That does not mean the whole system is finished. It means the floor is now solid enough to stand on.

flowchart TD A["Product identity"] --> B["Build tasks start"] B --> C["Watchers recover cleanly"] C --> D["Extensions compile"] D --> E["ACE and ACP wired"] E --> F["MCP runtime exported live"] F --> G["Usable startup baseline"]

Included HCode Surfaces

This is the current product surface I can point to without hand-waving.

Some of these existed as ideas earlier, but the big feature shift in this baseline is that ACE is now part of the product surface instead of just a loose concept.

Core Extensions

  • extensions/hcode-tools Unified HCode sidebar container, security tool registry, and execution surface.
  • extensions/hcode-devices SSH device inventory, remote command dispatch, and cross-platform bootstrap profiles.
  • extensions/hcode-bugbounty Program tracking, scope management, finding lifecycle, and Markdown export.
  • extensions/hcode-skills Playbook-driven workflows with local and device-backed execution.
  • extensions/hcode-ctf Decoder panel, hash identification, and XOR brute force helpers.
  • extensions/hcode-mcp-server HTTP MCP endpoint for external agent and tool access.
  • extensions/hcode-ace ACE dashboard, provider registry, provider execution commands, personas, skill-pack metadata, minimal ACP coordinator, and live MCP bridge controls.
  • extensions/theme-hcode HCode dark product theme.
graph TD H["HCode"] --> T["hcode-tools"] H --> D["hcode-devices"] H --> B["hcode-bugbounty"] H --> S["hcode-skills"] H --> C["hcode-ctf"] H --> M["hcode-mcp-server"] H --> A["hcode-ace"] H --> TH["theme-hcode"] M --> X["External agents"] A --> M

The important shift here is that these surfaces now make sense together. Tools feed workflows. Devices extend execution. Bug bounty support adds operational structure. MCP opens the platform to external agents. ACE starts pushing HCode toward a control-plane model instead of just a UI shell.

So if I had to summarize the new features added in this phase, they would be:

  • HCode-specific product identity across app name, data folder, and bundle ID.
  • Unified HCode sidebar and security workflow surface.
  • Live MCP runtime exposure for external agents.
  • ACE addition with provider execution, personas, skill-pack metadata, ACP runtime wiring, and MCP bridge controls.
  • A cleaner baseline where the extensions are starting to behave like one product instead of separate experiments.

Why This Baseline Matters

I keep coming back to this thought: if HCode stayed as a pile of half-connected extensions, it would always be interesting but never durable.

This baseline changes that.

It is now suitable for:

  • Internal demos.
  • Early customer walkthroughs.
  • Developer onboarding around a concrete HCode direction.

That is a very different sentence from “here is my side project fork.”

This is why I keep calling it a startup baseline. Not because it is complete. Because it is coherent enough to build on seriously.

What Is Still Missing

There are still real gaps. They just are not baseline blockers.

  • ACE provider routing can execute real provider HTTP requests, but still depends on real credentials, tenant-specific endpoints, and operator validation against live services.
  • ACP exists today as a bounded runtime for short worker plans, but not yet as a full scheduler with persistence, retries, orchestration, or long-lived state.
  • Some extension manifests still exist as early scaffolds without full implementation behind them.
  • Runtime UX polish, credentialed end-to-end acceptance testing, and packaged-build validation across macOS, Linux, and Windows are still pending.
  • MCP is loopback-bound and supports optional bearer-token protection, but packaging and deployment guidance still need work.

This is the part I care about getting right in writing: missing pieces do not automatically mean weak baseline. They just define the next layer of work.

If I keep pushing HCode forward from here, this is the order that makes the most sense:

  1. Finish ACE request execution and model routing.
  2. Deepen ACP from a bounded coordinator-worker runtime into a production scheduler.
  3. Expand ACE and MCP runtime validation with real provider credentials and operator workflows.
  4. Add packaged-build validation on macOS, Linux, and Windows.
  5. Consolidate partial extension scaffolds into shipped or removed product surfaces.

That sequence matters. Without routing and validation, the control plane is just decorative. Without packaging validation, the product is still repo-first instead of user-first.

Run Notes

One practical detail I like: HCode already uses its own product identity and data folders, so it is separated from standard VS Code at the product level.

For local development, the repo should be driven through the defined tasks instead of random launch flags:

  • VS Code - Build
  • Run Dev
  • Run Dev Sessions

That sounds small, but it is part of product maturity too. Good products need repeatable run paths.

Product Summary

HCode is no longer just a renamed Code - OSS tree.

The repo now contains a coherent product foundation with:

  • Distinct product identity.
  • Unified security workflow surface.
  • Remote-device operations.
  • Bug bounty workflow management.
  • Skill-based execution.
  • MCP exposure for external agents.
  • A functional ACE control-plane baseline with provider execution, bounded ACP runs, personas, skill-pack metadata, and live MCP bridge controls.

I am treating this as a product foundation with clear runtime gaps, not as an unstructured prototype.

Final Thought Before I Pretend To Study

I should probably be reading lecture PDFs right now.

Instead, I spent this time thinking about product identity, validation baselines, runtime boundaries, and how to turn HCode into something I can keep building without losing the plot.

Honestly, I am okay with that.

The midterms will get their one focused hour. They always do.

But HCode is becoming something more interesting than an exam score. It is becoming a real product surface, with structure and direction.

That is what my brain wanted to work on tonight.

Still building.

— Vasanth