Roadmap

Version: v0.2 draft · Updated: 2026-05-17 · Supersedes: v0.1 (2025-04-23)

Forward-looking plan for Vigil Browser — a lean, privacy-respecting Chromium fork built on ungoogled-chromium-windows with a Brave-style chromium_src/ overlay system, a dark new-tab page, and uBlock Origin pre-installed.

This roadmap is dense by design. Every claim about a competitor or upstream is footnoted to a URL in the Appendix. Items with no source are internal observations from this repo's tree.


Charter & non-goals

Charter. Vigil ships the privacy-and-defaults browser that an IT admin would build for themselves — preconfigured for a sysadmin/clinic/power-user audience, with no telemetry, no rewards, no crypto, no in-browser LLM, no in-browser VPN service. The reference is "Brave Origin, but free" — Brave's own $60 one-time paid bloat-removal tier confirms the audience exists.[1][2]

Non-goals. These are off-table by design (see Rejected for full reasoning): crypto wallets, Web3 name resolution, BAT-style sponsored ads, integrated LLM chatbots, integrated paid VPN service, integrated mail/calendar/feeds, gamer/RGB features, novelty tab paradigms (Arc), referral-link rewriting,[3] and telemetry-by-default.

Audience signal. The maintainer's sibling projects — BetterNext (a NextDNS companion) and VoyanceFirewall (a clinic/enterprise Windows lock-down tool) — point at the same user: the person who installs the browser on someone else's machine and wants the result to stay clean. Wherever the roadmap mentions clinic/kiosk/admin features, that's the alignment.


Status snapshot (Phase 0 audit)

What ships in master today:

  • v0.1.0 · Chromium 145.0.7632.159[4] · Windows-only build pipeline.
  • Brave-style chromium_src/ overlay system targeting chrome://settings, chrome://flags, chrome://history, chrome://bookmarks, chrome://downloads, chrome://extensions, and the security-interstitial CSS, with a single dark "IT-admin" Vigil theme.
  • initial_preferences JSON sets first-run defaults: bookmark bar on, Safe Browsing off, DNT on, autofill off, translate off, network prediction off, default search = Google with suggest_url.
  • setup_extensions.py fetches the latest uBlock Origin Chromium build from gorhill/uBlock's GitHub Releases and stages it under Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/<v>/ plus a default_extensions/<id>.json external-extensions pointer.
  • Patches restore the Chrome Web Store and Google search engine (otherwise stripped by ungoogled).
  • Custom dark new-tab HTML (ntp/newtab.html) with clock, search, configurable shortcuts, settings panel.
  • Generated Vigil "shield + eye" icon set via Pillow (branding/generate_icons.py); branding text/icons applied from branding.json at build time via apply_overlays.py.
  • CI: hand-chained 12-stage build for x64, 16-stage for x86, additional chain for arm64, all dodging the GitHub Actions 6-hour single-job limit.

What's stubbed, broken, or missing on inspection (drives the Now tier):

  • The custom NTP is copied to chrome/browser/resources/new_tab_page_custom/ and build_outputs/ntp/, but nothing rewrites chrome://newtab to serve it, so the dark NTP in ntp/newtab.html likely never loads as the default new tab. See apply_overlays.py:47-68 & package.py:106-112.
  • default_search_provider_data ships Google with suggest_url — contradicts the "privacy-focused defaults" line in the README, and is exactly the issue the audience left Chrome over.
  • Safe Browsing disabled with no offline replacement; users lose phishing protection.
  • No code signing ⇒ SmartScreen Defender warning on every install, hurting trust badly.
  • No auto-updater — users must manually grab releases.
  • CHANGELOG.md is malformed (literal %Y->- and merge-commit text on the version line).
  • No test suite, no CONTRIBUTING.md, no ARCHITECTURE.md — bus-factor of one.
  • The 28-stage CI chain is a known time-bomb: any single failed step requires manual restart.

Themes

| ID | Theme | Posture |
|---|---|---|
| T1 | Privacy hardening (curated, not novelty) | Adopt patches that work; reject anything that breaks parity-fingerprinting |
| T2 | Anti-bloat & audit-defaults | Vigil's wedge: ship Brave Origin's promise free |
| T3 | IT-admin / clinic readiness | ADMX, kiosk, policy-managed defaults, MSI installer |
| T4 | Build & distribution pipeline maturity | Code-signed, attested, auto-updated, multi-channel |
| T5 | First-run & sensible defaults | The defaults are the product |
| T6 | Extension ecosystem (MV2 long-tail) | Preserve Manifest V2 against upstream removal |
| T7 | UX polish — parity wins, no novelty tax | Verticals, workspaces, split, reader; not Arc-style invention |
| T8 | Platform coverage | Windows-first; Linux earned; macOS later |
| T9 | Sibling-project integration | BetterNext & VoyanceFirewall as native panels, not extensions |
| T10 | Project health | Docs, tests, contributing, governance |

Now — v0.2.0 (~6 weeks)

Things that are wrong or missing today and are cheap to fix. Each lands with a unit-test or smoke-test where applicable.

Defaults & first-run [T2, T5]

  • N1 · Fix the search-engine contradiction. Swap default_search_provider_data from Google to a privacy-respecting default. Recommended primary: DuckDuckGo (HTML form & suggest endpoint); ship Brave Search, Startpage, Kagi, Mojeek and Google as one-click alternates. Rationale: matches the README line and removes the implicit handshake that the current suggest_url performs on every keystroke. (See initial_preferences:19-30.) Source: PrivacyGuides DNS/Search list.[5]
  • N2 · HTTPS-First (Balanced) ON by default. Set HttpsOnlyMode & the chrome://flags/#https-only-mode-setting flag so Vigil ships HTTPS-First now, ahead of Chrome 154's October 2026 default-on plan.[6][7] Marketing copy writes itself.
  • N3 · Wire the custom NTP correctly. Today ntp/newtab.html is installed but not registered as chrome://newtab. Either (a) override the NTP via a small chromium_src/ patch to chrome/browser/ui/views/new_tab_page/, or (b) ship it as a bundled extension that claims chrome_url_overrides.newtab (the Brave/Cromite approach). Option (b) is the smaller blast radius and is the recommended first path.
  • N4 · Provide a replacement for disabled Safe Browsing. Either (a) ship a local hosts-file blocklist via --host-rules-file baked into the initial_preferences distribution block, or (b) keep Safe Browsing enabled but disable the upload-side telemetry only. The current "off entirely" position is a usability regression with no privacy benefit, because uBO already covers most of it. Source: PrivacyGuides browser criteria.[8]
  • N5 · Permissions-Policy default-deny for high-risk surfaces. Set Permissions-Policy at the enterprise-policy level for usb=(), serial=(), hid=(), bluetooth=(), idle-detection=(), local-fonts=(), payment=(). CVE-2026-5276 (Edge WebUSB)[9] and CVE-2026-4680 (Chrome FedCM UAF)[10] make this hardening, not paranoia. Override via a vigil://device-access settings page in a later release. Reference: Permissions-Policy spec.[11]
  • N6 · Drop the Privacy Sandbox retired-surface flags. Topics, Protected Audience API, and Attribution Reporting were retired by Google in October 2025;[12][13] even if upstream Chromium still exposes the flags, Vigil should disable them in initial_preferences and remove their entries from the Vigil settings overlay.
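
The N5 default-deny list as something a test can assert on. This is an added example, not Vigil's code: it parses a Permissions-Policy header value in the `feature=(allowlist)` shape the spec uses and reports which of the listed high-risk features a given value still leaves open, so the N14 smoke test can check the baseline mechanically. The feature names are the page's; the sample header is constructed.

```python
"""Audit a Permissions-Policy header value against the N5 default-deny list.

Added example (not Vigil's code). Parses the ``feature=(allowlist)`` dictionary
shape used by the Permissions-Policy spec and reports which high-risk features
a given header value still allows.
"""
from __future__ import annotations

import re

# Features the roadmap wants denied by default (from N5).
HIGH_RISK = ("usb", "serial", "hid", "bluetooth", "idle-detection", "local-fonts", "payment")

# Allowlist members: quoted origin strings or bare tokens (self, *, src).
_ITEM = re.compile(r'"[^"]*"|[^\s"]+')


def parse_permissions_policy(header: str) -> dict[str, list[str]]:
    """Return {feature: allowlist} for a value such as
    'usb=(), camera=(self "https://a.example"), geolocation=*'.

    An empty list means the feature is disabled for every origin; '*' means any
    origin. Directives without '=' are skipped, so they show up as 'absent' in
    the audit rather than being silently treated as a deny.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(","):
        name, sep, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not name or not sep:
            continue
        if value.startswith("(") and value.endswith(")"):
            items = [m.strip('"') for m in _ITEM.findall(value[1:-1])]
        else:
            items = [value.strip('"')]  # bare token form, e.g. geolocation=* or camera=self
        policy[name] = items
    return policy


def build_default_deny(features=HIGH_RISK) -> str:
    """Render the header value the roadmap wants as the baseline."""
    return ", ".join(f"{f}=()" for f in features)


def still_allowed(header: str, features=HIGH_RISK) -> dict[str, list[str] | None]:
    """Map each high-risk feature that is NOT locked down to its allowlist.

    None means the feature is absent from the header, so the browser default
    applies (for most of these features that is 'self'); a non-empty list means
    some origin is still granted access. An empty dict means the baseline holds.
    """
    policy = parse_permissions_policy(header)
    gaps: dict[str, list[str] | None] = {}
    for feature in features:
        if feature not in policy:
            gaps[feature] = None
        elif policy[feature]:
            gaps[feature] = policy[feature]
    return gaps


if __name__ == "__main__":
    # Constructed header: payment left open to one origin, idle-detection missing.
    sample = 'usb=(), serial=(), hid=(), bluetooth=(), local-fonts=(), payment=(self "https://pay.example")'
    for feature, allow in still_allowed(sample).items():
        print(f"{feature}: {'absent (browser default applies)' if allow is None else allow}")
```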

Build & release pipeline [T4]

  • N7 · CI refactor — reusable workflow + matrix. The current 28-stage hand-chained workflow (.github/workflows/main.yml) is brittle. Split into one reusable workflow accepting (arch, stage), called by a matrix (arch × stage) with needs: only on the prior stage of the same arch. Move arm64 onto the GitHub-hosted ARM64 runner (GA in private repos as of Jan 2026[14]) to halve arm build time.
  • N8 · Code-sign Windows binaries via SignPath Foundation. SignPath has a free OSS program that issues an HSM-backed cert to "SignPath Foundation" and signs releases via approved GitHub Actions.[15][16] Fallback: Azure Trusted (Artifact) Signing, $9.99/mo for 5k sigs.[17][18] This single change removes the SmartScreen warning that is currently the #1 trust issue.
  • N9 · SLSA build provenance attestations. Add actions/attest-build-provenance to every artifact-emitting job. Free for public repos, single step.[19][20]
  • N10 · Reproducible-build groundwork. Set enable_resource_allowlist_generation=false only in instrumented PGO builds (per Chromium's own deterministic-build doc),[21] and document the env-var diff between build hosts in a new docs/build-environment.md. Brave's reproducible-builds issue is still open after 7 years[22] — partial determinism is the realistic target.
  • N11 · Fix CHANGELOG.md. Replace the literal %Y->- placeholder; adopt the Keep-a-Changelog format and write a tag-driven generator in devutils/changelog.py.
  • N12 · Pin and document toolchain versions. flags.windows.gn should record clang, rustc, ninja, gn revisions per release; expose at chrome://version via overlay.
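
A tag-driven Keep-a-Changelog renderer in the shape N11 asks for. This is an added example, not the repo's devutils/changelog.py: it groups the commit subjects between consecutive tags by conventional-commit prefix, skips merge commits, and formats the release date at render time so no raw strftime pattern (the `%Y->-` placeholder in the current file) can reach the output. The log format, the prefix-to-section mapping and the sample history are constructed assumptions.

```python
"""Tag-driven Keep-a-Changelog renderer for the N11 fix.

Added example, not the repo's devutils/changelog.py. Input is the output of
``git log --format='%D%x09%cs%x09%s'`` (refs, commit date, subject; newest
first); releases are delimited by ``tag:`` decorations.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Conventional-commit prefix -> Keep a Changelog section (assumed convention).
SECTION_FOR_PREFIX = {
    "feat": "Added", "fix": "Fixed", "sec": "Security", "security": "Security",
    "perf": "Changed", "refactor": "Changed", "chore": "Changed", "docs": "Changed",
}
SECTION_ORDER = ("Added", "Changed", "Fixed", "Security")


@dataclass
class Release:
    tag: str                 # "v0.1.0", or "Unreleased" for commits after the newest tag
    released: date | None    # None for Unreleased
    subjects: list[str] = field(default_factory=list)


def releases_from_log(log_lines: list[str]) -> list[Release]:
    """Group newest-first log lines into releases; a tagged commit opens its own release."""
    releases = [Release("Unreleased", None)]
    for line in log_lines:
        refs, iso_date, subject = line.split("\t", 2)
        tags = [r.strip()[len("tag: "):] for r in refs.split(",") if r.strip().startswith("tag: ")]
        if tags:
            releases.append(Release(tags[0], date.fromisoformat(iso_date)))
        releases[-1].subjects.append(subject)
    return [r for r in releases if r.released or r.subjects]  # drop an empty Unreleased


def classify(subject: str) -> tuple[str, str]:
    """'fix(ci): restart arm64 stage' -> ('Fixed', 'restart arm64 stage').

    Subjects without a single-word conventional prefix are kept whole under Changed.
    """
    head, sep, rest = subject.partition(":")
    prefix = head.split("(")[0].strip().rstrip("!").lower()
    if not sep or not prefix.isalpha():
        return "Changed", subject.strip()
    return SECTION_FOR_PREFIX.get(prefix, "Changed"), rest.strip()


def render_release(rel: Release) -> str:
    version = rel.tag.lstrip("v")
    # The date is formatted here, so no unexpanded strftime pattern can end up in the file.
    heading = f"## [{version}] - {rel.released.strftime('%Y-%m-%d')}" if rel.released else "## [Unreleased]"
    sections: dict[str, list[str]] = {}
    for subject in rel.subjects:
        if subject.lower().startswith("merge "):
            continue  # merge commits describe no change of their own
        section, text = classify(subject)
        sections.setdefault(section, []).append(text)
    lines = [heading]
    for name in SECTION_ORDER:
        if name in sections:
            lines.append(f"### {name}")
            lines.extend(f"- {t}" for t in sections[name])
    return "\n".join(lines)


def render_changelog(releases: list[Release]) -> str:
    header = ("# Changelog\n\nAll notable changes to Vigil Browser are documented here.\n"
              "The format follows Keep a Changelog; versions are derived from git tags.")
    return header + "\n\n" + "\n\n".join(render_release(r) for r in releases) + "\n"


# Constructed sample log (not real repo history).
SAMPLE_LOG = [
    "HEAD -> master\t2026-05-17\tdocs: add ARCHITECTURE.md skeleton",
    "tag: v0.2.0\t2026-05-10\tfeat(search): default to DuckDuckGo",
    "\t2026-05-08\tMerge pull request #12 from example/ci-matrix",
    "\t2026-05-07\tfix(ci): restart failed arm64 stage automatically",
    "tag: v0.1.0\t2025-04-23\tfeat: initial Vigil overlay set",
]

if __name__ == "__main__":
    print(render_changelog(releases_from_log(SAMPLE_LOG)))
```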

Project health [T10]

  • N13 · Write CONTRIBUTING.md and ARCHITECTURE.md. ARCHITECTURE = how the chromium_src/ overlay, patches, and initial_preferences interact (Brave's docs are an excellent model[23]); CONTRIBUTING = how to add an overlay, how to add a patch, how to bump Chromium. Both unblock external PRs.
  • N14 · Add a smoke test in CI. Boot the built installer in a Windows VM, navigate to a test page, confirm: bundled uBO loaded, initial_preferences applied, new-tab page = Vigil NTP, search-engine default = N1 choice. Use Playwright[24] or Selenium with the already-built chromedriver output.
  • N15 · Publish a winget manifest. Vigil.Browser in microsoft/winget-pkgs, auto-PR on every release tag via a small action (the upstream project ships .github/actions/winget/ infra to crib from).[25][26]

Next — v0.3 / v0.4 (one quarter)

Manifest V2 long-tail [T6]

  • X1 · Carry an MV2-retention patch set against each Chromium bump. Chrome 138 was the last MV2-supporting stable; 139 removed it including the ExtensionManifestV2Availability policy.[27][28] Brave, Thorium, Cromite, and Supermium all carry MV2-keep-alive patches.[29][30] This is the feature that justifies a Chromium fork to a sysadmin audience in 2026. Publish a written "MV2 Policy" doc as part of v0.3.
  • X2 · AMO → CRX bridge (research, not commit). Investigate a Vigil-side converter that ingests a Firefox .xpi and re-packs as CRX3 via crx3 npm tool, then surfaces in a Vigil-branded installer page. CRX3 requires Web-Store-signed keys for off-store install since Chrome 75[31] — the practical implementation is a developer-mode allowlist plus the conversion tool. Mark RESEARCH in v0.3, ship in v0.5 if feasible.
  • X3 · Force-install Vigil-recommended extension set. Use the existing external-extensions JSON mechanism plus a Vigil-only ExtensionInstallForcelist template (defaults to just uBO, documented). Reference: uBO deploy guide,[32] Chromium extension-policy admin doc.[33]
  • X4 · Sideload-without-developer-mode-warning toggle. Patch the warning banner so signed CRX from an admin-trusted publisher key list installs cleanly. (Already in roadmap v0.1; keep.)

Privacy hardening (curated) [T1]

  • X5 · Backport Iridium's WebRTC patches. Per-connection identity (no 30-day reuse), fresh ECDHE keypair per connection, RSA self-signed-cert keysize 2048. Small, network-layer, no Web-API spoofing — the safe kind.[34][35]
  • X6 · DoH first-run picker (sticky, no fallback). Pre-populate Quad9, NextDNS, Cloudflare, Mullvad, AdGuard, ControlD as named entries; offer "custom" with hostname validation. Reference: PrivacyGuides DNS list,[36] AdGuard DNS provider list.[37] Pair with BetterNext integration in Y1.
  • X7 · Strip Client Hints (UA-CH). UA-CH was retained from the Privacy Sandbox cull,[12] but is a fingerprinting vector. Default accept_ch_browser_policy=disabled or equivalent; offer per-site override via a flag.
  • X8 · Anti-fingerprinting "Strict" toggle (off by default). A curated, opinionated subset of Cromite's protections (canvas, audio, font-list clamp, navigator.hardwareConcurrency bucketed to {2,4,8}, screen.avail* hidden),[38] not full Brave farbling. Documented breakage list. Off by default per the Mullvad caveat that customization defeats fingerprint uniformity.[8]
  • X9 · Encrypted Client Hello (ECH) audit. ECH is on by default upstream;[39] Vigil should never expose a "disable ECH" toggle (some corporate filters demand it). Document.
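
The hostname validation behind the X6 "custom" entry, as an added example (not Vigil's code): it accepts an https DoH URI, optionally ending in the RFC 8484 `{?dns}` template variable, and rejects plaintext schemes, embedded credentials, malformed labels, fragments and out-of-range ports, so a typo in the picker cannot become the sticky resolver. Quad9's public endpoint is real; the other inputs are constructed, and the single-label and IP-literal rules are this example's policy choices.

```python
"""Validate a user-supplied DoH template for the X6 'custom' entry.

Added example, not Vigil's code. Accepts ``https://host[:port]/path`` with an
optional trailing RFC 8484 ``{?dns}`` variable; rejects plaintext, credentials,
malformed hostnames and bad ports so a typo cannot become a resolver.
"""
import ipaddress
import re
from urllib.parse import urlsplit

TEMPLATE_VAR = "{?dns}"
# RFC 1123 label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(host: str) -> bool:
    """Syntactic hostname check; requires at least two labels (no bare 'localhost' or TLD)."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()  # an all-numeric top label is not a hostname


def validate_doh_template(template: str) -> tuple[bool, str]:
    """Return (ok, reason) for a DoH URI template typed into the picker."""
    template = template.strip()
    # Strip the template variable before URL parsing: '{?dns}' would otherwise read as a query.
    base = template[: -len(TEMPLATE_VAR)] if template.endswith(TEMPLATE_VAR) else template
    if "{" in base or "}" in base:
        return False, "only a trailing '{?dns}' template variable is allowed"
    try:
        parts = urlsplit(base)
        port = parts.port  # raises ValueError when non-numeric or outside 0-65535
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https; DoH has no plaintext fallback"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in the URL are not allowed"
    if parts.fragment:
        return False, "fragment not allowed"
    if parts.query and base != template:
        return False, "'{?dns}' cannot follow an existing query string"
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)  # IP literal: accepted (some resolvers are certified by IP SAN)
    except ValueError:
        if not valid_hostname(host):
            return False, f"invalid hostname: {host!r}"
    if port == 0:
        return False, "port 0 is not usable"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://dns.quad9.net/dns-query",           # real public endpoint
                      "https://dns.example.net/dns-query{?dns}",    # constructed, GET template
                      "http://dns.example.net/dns-query",           # constructed, plaintext
                      "https://bad_host.example.net/dns-query"):    # constructed, bad label
        print(candidate, "->", validate_doh_template(candidate))
```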

IT-admin readiness [T3]

  • X10 · Ship a Vigil ADMX template (vigil.admx + vigil.adml). A documented subset of Chrome's ~400 enterprise policies:[40] URLBlocklist, URLAllowlist, ExtensionInstallForcelist, ExtensionInstallBlocklist, HomepageLocation, NewTabPageLocation, IncognitoModeAvailability, ProxyMode, ManagedBookmarks, DefaultSearchProviderEnabled, AlwaysOpenPdfExternally, AutofillAddressEnabled, ScreenCaptureAllowed, ClipboardAllowedForUrls, DownloadDirectory, ManagedConfigurationPerOrigin. Mirror Microsoft Edge's ADMX pattern.[41] This is the single biggest IT-admin adoption blocker.
  • X11 · Ship an MSI installer alongside the EXE. Required for Group Policy / Intune Win32App deployment.[42] Use the WiX Toolset[43] to wrap the existing mini_installer outputs.
  • X12 · Vigil-Kiosk variant. A separately-branded build that boots straight into a pinned URL, hides chrome, auto-restarts on crash, integrates with Windows Task Scheduler watchdog. Reference: Chromium kiosk-public-session doc.[44] Clinic alignment with VoyanceFirewall.
  • X13 · chrome://policy Vigil-themed override. Currently the overlay set themes flags, settings, etc.; add policy — the page sysadmins check first.

UX polish — parity, not novelty [T7]

  • X14 · Vertical tabs. Edge ships it,[45] Zen built its identity on it,[46] Brave just relit #brave-scrollable-tab-strip and ships a toolbar toggle.[47] Chromium has the #side-panel-pinned-2 family; expose a built-in toggle in Vigil's themed settings page.
  • X15 · Split view (2-pane). Brave shipped 2026 split-view, Zen does 2×2.[48] Vigil ships 2-pane only; multi-pane deferred.
  • X16 · Tab hibernation (a.k.a. Sleeping Tabs). Chromium has the discard primitive; Edge[49] exposes it. Surface in Vigil's settings overlay with per-domain exception list.
  • X17 · Reader Mode (proper). Chromium ships a "Distill page" prototype; Brave's SpeedReader is MPL-2.0 and well-documented[50] but heavy. Phase 1: expose the upstream distiller as a one-click toolbar button + Markdown export.
  • X18 · Command palette (Ctrl+Shift+P). Floorp 12.14.0 shipped one;[51] Vivaldi's "Quick Commands" is the model.[52] Wraps existing chrome actions; no new commands needed.
  • X19 · NTP widgets ship v2. Today: clock, search, shortcuts, settings. Add: weather (Open-Meteo, no API key), top-sites (existing Chromium MV API), bookmark folder, RSS quick-feed (3 items), notes (localStorage). All optional, all in the existing settings panel. Keep <320 KB total.

Distribution & updates [T4]

  • X20 · Auto-updater via Velopack. Cross-platform Rust updater with delta packages, GitHub-Releases backend, staged rollouts (added 2026).[53][54] Avoid Omaha 4 — too heavy for a solo-maintained fork.[55][56]
  • X21 · Scoop + Chocolatey manifests. Auto-publish on tag.[57]
  • X22 · Two release channels. vigil-stable follows upstream stable; vigil-canary follows upstream beta/canary once a week. Both via the same matrix workflow from N7.
  • X23 · Portable build (no installer). Sentinel file portable_data/ next to chrome.exe triggers --user-data-dir=.\portable_data; already a Supermium pattern.[30]

Later — v0.5+ (after v0.4 ships)

Platform coverage [T8]

  • L1 · Linux build (AppImage + deb + rpm + Flatpak). Use the same chromium_src/ overlay set; package the ungoogled-chromium Linux scripts. Validate by mirroring Cromite's release matrix.[58] Defer macOS until L1 is stable for two releases.
  • L2 · macOS build. Inherit from upstream ungoogled-chromium-macos;[59] reuse Vigil overlays. Code-sign separately (Apple Developer ID, ~$99/yr).
  • L3 · ARM64 native runner for builds. Move arm64 stages to the GA ARM64 GitHub-hosted runner.[14]

Adblock at the engine layer [T1]

  • L4 · Migrate from bundled uBO to adblock-rust consumed as a crate. Brave's network-layer engine; MPL-2.0; supports ABP + uBO syntax + cosmetic + scriptlet + resource-replacement; 2026 FlatBuffers refactor cut memory ~75% / ~45 MB per platform;[60][61] Firefox 149 silently shipped it Mar 2026. Two-phase: consume as a bundled extension first (gasanache wrapper pattern), then absorb into the binary in v0.7+. Bundled uBO remains the default until parity is verified.

Sibling-project integration [T9]

  • Y1 · "Network Filter Companion" panel. Detects NextDNS / Pi-hole / AdGuard Home / Mullvad DNS in the active network stack and surfaces a live block-stats & allow/deny side panel. This is the natural home for BetterNext's feature surface, brought in-tree as a bundled extension or a chrome://network-filter overlay. Existing community NextDNS browser extensions are weak,[62][63][64] confirming the gap.
  • Y2 · VoyanceFirewall hand-off. A "Locked-Down Profile" wizard (1-click) that loads a documented Vigil ADMX subset for clinic/kiosk and writes a sentinel for VoyanceFirewall to detect and supplement at the network layer.
  • Y3 · "Panic" hotkey. Opera GX has it;[65] clinic audience needs it (patient walks up to a kiosk). Ctrl+Alt+Shift+P: close all windows, clear session, return to lock screen.

Power-user UX [T7]

  • L5 · Local Workspaces (no M365 lock-in). Match Edge's Workspaces feature without requiring an Entra ID + OneDrive for Business license.[66] Storage = a JSON file in the profile, with optional WebDAV/SMB share endpoint for shared-team usage.
  • L6 · Tab Stacks & Tab Islands. Vivaldi's three stacking styles;[67] Opera's Tab Islands.[65] Cheap UI win, all primitives already in Chromium.
  • L7 · Mouse gestures & rocker gestures. Floorp 12.x has them native, Vivaldi has them as Command Chains.[52] Ship a small built-in implementation; reject the bundled-extension route.
  • L8 · CPU/RAM/Network throttle (Opera GX "GX Control" equivalent). Per-tab caps for kiosk/clinic where the browser must not starve the host.[65]

Self-host & resilience

  • L9 · Vigil Sync (BIP39 seed, AES, self-hostable). Brave's go-sync server is AGPL/MPL[68][69] and uses 32-byte BIP39 seeds with AES-128-CTR + HMAC; fork it as vigil-sync, host nothing, document running it on a NAS / Synology / Raspberry Pi. Decision required: do we want to host anything. Default answer: no.
  • L10 · Offline filter updates. Bundle a 24h-fresh EasyList + EasyPrivacy + uBO-cosmetics + PeterLowe in the installer so a freshly-installed Vigil works air-gapped for the first month. Auto-update afterwards.

Tor & advanced privacy

  • L11 · "Private window with Tor connectivity" (Brave parity). Brave's onion-routed private mode — not Tor Browser parity, with the warning Brave ships.[70] Decision required: maintenance cost of carrying Tor patches vs. value.

Under Consideration — needs user-research or validation

  • U1 · Tampermonkey-compatible user-script loader, no extension. Eliminates a popular sideload need.
  • U2 · Android build via upstream ungoogled-chromium-android.[71] Real cost of carrying a mobile pipeline solo is unknown; Cromite proves it's possible but it's a second-class effort.[58]
  • U3 · Per-site default-search override. "On accounting.example always use DuckDuckGo; on wikipedia.org use Mojeek." Niche but matches the IT-admin audience.
  • U4 · "Glance" hover-preview tabs. Zen feature;[72] users either love it or never touch it.
  • U5 · Reading-mode Markdown export. Pairs with X17; trivial if reader-mode ships; decided in v0.5 once X17 lands.
  • U6 · Boost-style per-site CSS overrides. Arc's defining feature;[73] Arc is dead.[74] Useful, niche, kinda spooky from a security standpoint — would need a separate "user styles" enable-toggle.
  • U7 · Aero-glass titlebar option for legacy Windows. Supermium ships it.[30] Vigil's audience overlaps; check installation telemetry (which we don't have, so — ask).
  • U8 · Built-in PWA installer + Tabbed PWA support. Tabbed-PWA is OT only and Chrome-OS-prioritized;[75] Vigil could be the Windows-first first mover. Decision gate: clinic single-app deployments asking for it.
  • U9 · SponsorBlock / ClearURLs / I Still Don't Care About Cookies as opt-in default extensions. Was in v0.1 roadmap; demote to UC until user signal — Vigil's default-extension set should stay one item long.
  • U10 · CRX-from-AMO converter. See X2. Defer to v0.5+ once research is done.
  • U11 · "Spoof WebGPU info" patch. Open ungoogled-chromium enhancement request (#3670, Feb 2026).[76] Track upstream.
  • U12 · UDP SOCKS5 for QUIC. Open ungoogled-chromium enhancement request (#3696, Mar 2026).[76]
  • U13 · Per-profile avatars. Open ungoogled-chromium enhancement request (#3747, Apr 2026).[76]
  • U14 · Multi-column bookmark dropdown. Open ungoogled-chromium enhancement request (#3781, May 2026).[76]
  • U15 · Accessibility audit. Verify the Vigil dark theme overlays pass WCAG AA contrast on all chrome:// pages we override; add prefers-contrast: more overrides where they fail. No source — this is internal review of our own settings overlay chromium_src/chrome/browser/resources/settings/settings.html.
  • U16 · Telemetry: explicit no-telemetry posture document. Vigil has no telemetry today by virtue of inheritance from ungoogled-chromium. State it. Define what would count as telemetry (e.g. uBO update pings to GitHub Releases — we keep, document).
  • U17 · Internationalization. Vigil currently inherits all of Chromium's locales. Our overlays of settings.html/flags.html/history.html/etc. only ship the English copy; audit whether $i18n{} placeholders are preserved through overlays.
  • U18 · First-run import wizard for Chrome / Edge / Brave. Today initial_preferences disables import on first run (import_bookmarks: false, import_history: false, import_search_engine: false — see initial_preferences:11-17). That is the right default for privacy, but it strands the migrating user. Add a post-first-run "Import from another browser" wizard in the Vigil-themed settings page, with a clear "what gets imported" list and per-category toggles. Reuses Chromium's chrome://settings/importData.
  • U19 · Per-tab network inspector and tracker log. A human-readable side-panel log of blocked requests, source extension, and rule that fired — surfaced from uBO's logger API. Was in v0.1 roadmap; demote to UC pending user signal.
  • U20 · Site-specific profile launcher. "This domain always opens in a clean session." Pairs with L6 (tab stacks); decision in v0.5.

Rejected — explicit non-goals

Each line is the contradiction between a competitor feature and Vigil's philosophy. If a future maintainer wants to revisit, they need to argue against the source linked here.

  • Crypto wallet, BAT-style sponsored ads, Web3 name resolution (.brave / .eth / .bit). Brave's full implementation;[77][78][79] Mises is the Web3 fork.[80][81] Audience mismatch + recurring user complaints about the surface.[82] Vigil's wedge is being the un-crypto privacy browser.
  • Integrated LLM chatbot ("Leo AI" equivalent). Brave Leo,[83] Edge Copilot,[84] Sidekick,[85] Dia (post-Arc).[74] Each adds a CVE class (e.g. prompt injection in Leo[86]), telemetry, and a maintenance burden Vigil cannot afford. Users who want this can install a Chrome extension.
  • Integrated paid VPN service. Brave Firewall+VPN at $9.99/mo[87] is squarely a SaaS product. Vigil ships integration with already-deployed VPNs (Mullvad, Tailscale, ProtonVPN via the system stack), not its own.
  • Brave Talk / integrated video conferencing. Jitsi exists.[88] Out of scope.
  • Integrated mail / calendar / RSS reader (Vivaldi pattern).[89] Floorp couldn't sustain a feed reader; the maintenance cost is 2× the rest of the project.
  • Razer Chroma / RGB lighting / gamer features (Opera GX).[65] Audience mismatch.
  • Referral-link rewriting / install-source affiliate codes.[3] Vigil's install must be telemetry-free.
  • Telemetry on by default (Edge / Chrome behavior). Audited via the Brave deviations list[90] as the floor.
  • Novelty tab paradigms (Arc Spaces as a UI primitive). Arc died.[74] Vigil's vertical tabs / workspaces / split view ship as features on top of the standard chrome, not as a replacement chrome.
  • Closed-source UI layer (Vivaldi pattern).[91] Vigil is MIT/BSD from the installer to the icon-PNG renderer in branding/generate_icons.py.
  • Web Environment Integrity / Privacy Sandbox Topics & Protected Audience APIs. Topics / Protected Audience / Attribution Reporting retired Oct 2025;[12] disable in initial_preferences regardless of upstream state.
  • Backwards compatibility with Windows 7/8. Supermium covers that audience.[30] Vigil targets Win 10 22H2 minimum.

Risk & dependency map

| Risk | Trigger | Mitigation |
|---|---|---|
| Upstream Chromium ships a patch that breaks an overlay | Every 4-6 weeks (Chromium stable cadence) | chromium_src/ is per-file replacement — the build fails to compile rather than silently misbehaves,[23] which is detected by the N14 smoke test |
| Manifest V2 enforcement tightens further | Possible Chromium 150-155 window | X1 (carry MV2 patch); fallback L4 (adblock-rust at network layer means uBO is not the only line of defense) |
| uBO MV3-only release (uBO Lite) becomes the only release | gorhill/uBlock cadence | L4; documented user-facing notice |
| SignPath OSS program declines Vigil | Possible — clinic/political concerns | Fallback to Azure Trusted Signing at $9.99/mo[17] — budget <$120/yr |
| GitHub Actions 6h job limit changes | Unlikely but historical precedent | N7 matrix means each stage is <5h; reusable workflow means a runner switch is a one-line change |
| GitHub Releases hosting limits hit | At ~50 releases × 3 arch × 200MB | Add a CDN mirror (Cloudflare R2 free tier covers it); document |
| Solo maintainer bus-factor | Always | N13 (docs); N14 (tests); accept the risk — this is OSS |
| Brave Origin captures the no-bloat audience first | They have momentum[1] | Stay free + open-source + on winget; Brave's $60 is the moat we beat |
| Arc-style "browser death" cycle | Industry, not technical | Refuse novelty (Rejected list); never depend on a service we don't host |

Release rhythm

  • Cadence. Track ungoogled-chromium-windows releases (currently every ~2-3 weeks within a major).[92] Vigil version = <chromium>-<ucw>-vigil.<n>. Drop 0.x prefix when v1.0 ships (target: after N1-N15 + X1 + X10 + X20 all land — the smallest set that defines the product).
  • Channels. Stable (default) + Canary (X22). No "Beta" channel until a third contributor exists.
  • Source of truth. GitHub Releases. winget & scoop & chocolatey pull from there. No third-party mirrors authoritatively distribute Vigil installers.

Open questions for the maintainer

  1. Default search engine (N1) — DuckDuckGo, Brave Search, Startpage, or Kagi as the first-run pick?
  2. DRM (Widevine) — ship enabled (clinic training-video reality[93]) or off like Helium?
  3. Telemetry posture document — do uBO update pings to GitHub Releases count as telemetry that needs an opt-out?
  4. Brave Origin response — do we publish a comparison table on the README?
  5. Sibling-project boundary — does BetterNext become a Vigil-only extension shipped in the installer (Y1), stay a separate browser extension, or ship as both?

These are the v0.2 design-review prompts, not yet decisions.


Appendix: Sources

The following list is the union of citations across this roadmap. Sources are grouped by research direction. Every roadmap claim above maps to one of these URLs.

Upstream & competitor projects

Privacy / community signal

Standards, specs & CVEs

Build, distribution, signing

IT-admin / enterprise

DNS providers list reference

Tooling references

Footnotes

  1. PrivacyGuides news: Brave Launches Paid Bloat-Free Brave Origin — https://www.privacyguides.org/news/2026/04/21/brave-launches-paid-bloat-free-brave-origin/

  2. PrivacyGuides forum on Brave Origin — https://discuss.privacyguides.net/t/brave-launches-paid-bloat-free-brave-origin/37300

  3. PrivacyGuides Brave caveats — https://www.privacyguides.org/en/desktop-browsers/#brave

  4. Internal: see CHANGELOG.md (note: malformed; N11).

  5. PrivacyGuides search engines — https://www.privacyguides.org/en/search-engines/

  6. Google security blog: HTTPS by default — https://security.googleblog.com/2025/10/https-by-default.html

  7. chrome://flags HTTPS-Only Mode (via roundup) — https://techpp.com/2026/04/07/best-chrome-flags/

  8. PrivacyGuides desktop browsers — https://www.privacyguides.org/en/desktop-browsers/

  9. CVE-2026-5276 Edge WebUSB — https://windowsnews.ai/article/cve-2026-5276-microsoft-edge-webusb-vulnerability-requires-immediate-patching.409595

  10. CVE-2026-4680 Chrome FedCM — https://windowsnews.ai/article/chrome-fedcm-vulnerability-cve-2026-4680-critical-use-after-free-flaw-patched-in-version-14607680165.408068

  11. Permissions-Policy on developer.chrome.com — https://developer.chrome.com/docs/privacy-security/permissions-policy

  12. Privacy Sandbox status — https://privacysandbox.google.com/overview/status

  13. Google retires Topics/PAAPI (AdExchanger, Oct 2025) — https://www.adexchanger.com/privacy/google-pulls-the-plug-on-topics-paapi-and-other-major-privacy-sandbox-apis-as-the-cma-says-cheerio/

  14. GitHub Actions ARM64 GA in private repos (Jan 2026) — https://github.blog/changelog/2026-01-29-arm64-standard-runners-are-now-available-in-private-repositories/

  15. SignPath Foundation — https://signpath.org/

  16. SignPath OSS solutions — https://signpath.io/solutions/open-source-community

  17. Azure Trusted Signing pricing — https://azure.microsoft.com/en-us/pricing/details/trusted-signing/

  18. Azure Artifact Signing FAQ — https://learn.microsoft.com/en-us/azure/artifact-signing/faq

  19. actions/attest-build-provenance — https://github.com/actions/attest-build-provenance

  20. GitHub docs: artifact attestations — https://docs.github.com/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds

  21. Chromium deterministic builds doc — https://chromium.googlesource.com/chromium/src/+/HEAD/docs/deterministic_builds.md

  22. Brave reproducible-builds issue #5830 — https://github.com/brave/brave-browser/issues/5830

  23. Brave wiki: Patching Chromium / chromium_src overlays — https://github.com/brave/brave-browser/wiki/Patching-Chromium

  24. Playwright (Chromium-channel automation) — https://playwright.dev/docs/browsers#google-chrome--microsoft-edge

  25. microsoft/winget-pkgs — https://github.com/microsoft/winget-pkgs

  26. winget repository guide — https://learn.microsoft.com/en-us/windows/package-manager/package/repository

  27. Chrome Manifest V2 deprecation timeline — https://developer.chrome.com/docs/extensions/develop/migrate/mv2-deprecation-timeline

  28. Chromium MV2 phase-out blog — https://blog.chromium.org/2024/05/manifest-v2-phase-out-begins.html

  29. Thorium MV2 retention — https://github.com/Alex313031/thorium/releases

  30. Supermium repo — https://github.com/win32ss/supermium

  31. CRX3 npm tool — https://www.npmjs.com/package/crx3

  32. uBlock Origin deploy guide — https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin

  33. Chromium extension policy admin doc — https://www.chromium.org/administrators/configuring-policy-for-extensions/

  34. Iridium differences-from-Chromium — https://github.com/iridium-browser/tracker/wiki/Differences-between-Iridium-and-Chromium

  35. Iridium customizations (DeepWiki) — https://deepwiki.com/iridium-browser/iridium-browser-windows/6-iridium-customizations

  36. PrivacyGuides DNS providers — https://www.privacyguides.org/en/dns/

  37. AdGuard DNS providers reference — https://adguard-dns.io/kb/general/dns-providers/

  38. Cromite FEATURES.md — https://github.com/uazo/cromite/blob/master/docs/FEATURES.md

  39. Chrome ECH chromestatus — https://chromestatus.com/feature/6196703843581952

  40. Chrome Enterprise policy list — https://chromeenterprise.google/policies/

  41. Microsoft Edge configure-for-enterprise docs — https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge

  42. Edge Intune MAM overview — https://learn.microsoft.com/en-us/intune/intune-service/apps/mamedge-overview

  43. WiX Toolset (MS-RL/MIT) — https://wixtoolset.org/

  44. Chromium kiosk public-session docs — https://chromium.googlesource.com/chromium/src/+/main/docs/enterprise/kiosk_public_session.md

  45. Edge vertical tabs — https://www.microsoft.com/en-us/edge/features/vertical-tabs

  46. Zen Workspaces manual — https://docs.zen-browser.app/user-manual/workspaces

  47. Brave latest release notes (2026) — https://brave.com/latest/

  48. Zen Split-view manual — https://docs.zen-browser.app/user-manual/split-view

  49. Edge sleeping tabs — https://www.microsoft.com/en-us/edge/features/sleeping-tabs

  50. Brave SpeedReader blog — https://brave.com/blog/speed-reader/

  51. Floorp 12.14.0 command palette — https://github.com/Floorp-Projects/Floorp/releases

  52. Vivaldi feature surface — https://vivaldi.com/features/

  53. Velopack — https://velopack.io/

  54. Velopack docs: migrating from Squirrel — https://docs.velopack.io/migrating/squirrel

  55. Omaha 4 tutorial — https://omaha-consulting.com/chromium-updater-omaha-4-tutorial

  56. Omaha 4 protocol — https://chromium.googlesource.com/chromium/src/+/f4b7e04ec3114a76e645dc49ff09adb90643821b/docs/updater/protocol_4.md

  57. Scoop app-manifests wiki — https://github.com/ScoopInstaller/Scoop/wiki/App-Manifests

  58. Cromite repo — https://github.com/uazo/cromite

  59. ungoogled-chromium-macos — https://github.com/ungoogled-software/ungoogled-chromium-macos

  60. brave/adblock-rust — https://github.com/brave/adblock-rust

  61. Brave adblock memory-reduction post — https://brave.com/privacy-updates/36-adblock-memory-reduction/

  62. NextDNS extension (community) — https://github.com/JackStuart/NextDNS-Extension

  63. NextDNS browser-plugin request — https://help.nextdns.io/t/p8hfsaw/browser-plugin-extension-for-easy-allow-and-block

  64. NXEnhanced (NextDNS) — https://github.com/hjk789/NXEnhanced

  65. Opera GX features — https://www.opera.com/gx/features

  66. Edge Workspaces docs — https://learn.microsoft.com/en-us/deployedge/microsoft-edge-workspaces

  67. Vivaldi tab stacks — https://help.vivaldi.com/desktop/tabs/tab-stacks/

  68. Brave Sync v2 docs — https://github.com/brave/brave-browser/wiki/Brave-Sync-v2

  69. Brave go-sync server — https://github.com/brave/go-sync

  70. Brave: What is a Private Window with Tor — https://support.brave.app/hc/en-us/articles/360018121491

  71. ungoogled-chromium-android — https://github.com/ungoogled-software/ungoogled-chromium-android

  72. Zen Browser feature page — https://zen-browser.app/

  73. Arc Spaces docs — https://resources.arc.net/hc/en-us/articles/19228064149143

  74. Arc browser discontinuation, ghacks — https://www.ghacks.net/2025/05/27/arc-browser-has-been-discontinued-but-the-companys-building-a-new-browser-dia/

  75. Tabbed application mode docs — https://developer.chrome.com/docs/capabilities/tabbed-application-mode

  76. ungoogled-chromium open issues — https://github.com/ungoogled-software/ungoogled-chromium/issues

  77. Brave Wallet — https://brave.com/wallet/

  78. Brave Rewards — https://brave.com/brave-rewards/

  79. Brave .brave TLD — https://brave.com/blog/brave-tld/

  80. Mises browser — https://www.mises.site/

  81. Mises browser core — https://github.com/mises-id/mises-browser-core

  82. Brave issue #43030 (Disable crypto by default) — https://github.com/brave/brave-browser/issues/43030

  83. Brave Leo AI — https://brave.com/leo/

  84. Edge Copilot disable guide — https://www.datastudios.org/post/how-to-disable-microsoft-copilot-in-windows-edge-microsoft-365-apps-and-organizational-environmen

  85. Sidekick browser review — https://browserprompt.com/tool-specific/sidekick-browser-review

  86. Brave issue #55576 (Leo prompt injection) — https://github.com/brave/brave-browser/issues

  87. Brave Firewall + VPN — https://brave.com/firewall-vpn/

  88. Brave Privacy Features (incl. Brave Talk) — https://brave.com/privacy-features/

  89. Vivaldi mail/calendar/feed bundle announcement — https://vivaldi.com/blog/vivaldi-mail-calendar-feed-reader-are-here/

  90. Brave wiki: Deviations from Chromium — https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)

  91. Vivaldi closed-source UI explainer — https://vivaldi.com/blog/technology/why-isnt-vivaldi-browser-open-source/

  92. ungoogled-chromium-windows releases — https://github.com/ungoogled-software/ungoogled-chromium-windows/releases

  93. Helium DRM caveat write-up — https://browsers.to/helium