Categories
vybdocs organizes rules into 8 built-in categories. Every rule belongs to exactly one category. Categories are used to group related rules in reports, the web UI, and the Evidence Pack.
The 8 categories
| Category | Prefix | What it covers |
|---|---|---|
frontend | fe- | UI framework rules, component patterns, CSS constraints |
backend | be- | Server-side patterns, API design, database access |
security | sec- | Security vulnerabilities, secrets handling, input validation |
llms | llm- | Rules governing AI model usage, prompt injection, output handling |
data | dat- | Data schemas, migration patterns, PII handling |
deployment | dep- | Infrastructure, environment configuration, container rules |
scaling | scl- | Performance, caching, concurrency patterns |
dependencies | pkg- | Package restrictions, version pinning, license compliance |
frontend
Frontend rules govern how UI code is written. Common uses:
- Enforce a specific UI framework (React, Vue, Svelte)
- Ban direct DOM manipulation in framework-managed code
- Require specific component patterns (error boundaries, suspense wrappers)
- Restrict CSS-in-JS approaches
- Enforce accessibility patterns
categories:
frontend:
rules:
- id: fe-001
name: no-direct-dom
severity: warn
pattern: "document\\.getElementById|document\\.querySelector"
remediation: Use React refs (useRef) instead of direct DOM access.
- id: fe-002
name: require-error-boundary
severity: info
pattern: "class.*extends.*Component(?!.*ErrorBoundary)"
remediation: Wrap class components with an ErrorBoundary HOC.
backend
Backend rules govern server-side code patterns:
- ORM usage requirements (no raw SQL in application code)
- API response format standards
- Authentication middleware requirements
- Logging patterns
categories:
backend:
rules:
- id: be-001
name: no-raw-sql
severity: warn
pattern: "db\\.query\\(['\"]SELECT|db\\.query\\(['\"]INSERT"
remediation: Use the ORM query builder instead of raw SQL strings.
- id: be-002
name: require-auth-middleware
severity: block
pattern: "router\\.(get|post|put|delete)\\(['\"]/"
exclude:
- "**/public/**"
- "**/health**"
remediation: All routes must pass through the authMiddleware() wrapper.
security
Security rules are the most commonly set to block severity. They cover:
- Injection attack vectors (eval, Function constructor, innerHTML)
- Hardcoded credentials
- Insecure cryptography patterns
- Path traversal risks
- Prototype pollution
categories:
security:
rules:
- id: sec-001
name: no-eval
severity: block
pattern: "\\beval\\s*\\(|new\\s+Function\\s*\\("
maps-to:
- framework: soc2
control: CC7.1
- id: sec-002
name: no-md5-sha1
severity: block
pattern: "createHash\\(['\"]md5['\"]|createHash\\(['\"]sha1['\"]"
remediation: Use SHA-256 or SHA-3. MD5 and SHA-1 are cryptographically broken.
llms
LLM rules are unique to AI-assisted codebases. They govern how AI model calls are made and how outputs are handled:
- Require system prompt validation
- Block unsanitized AI output being written to the DOM
- Enforce token budget constraints
- Require structured output schemas for AI calls
- Ban direct model switching without approval
categories:
llms:
rules:
- id: llm-001
name: require-output-schema
severity: warn
pattern: "openai\\.chat\\.completions\\.create|anthropic\\.messages\\.create"
remediation: >
AI completions must use structured output schemas.
Pass a response_format or tool_choice to guarantee
typed, validated output.
- id: llm-002
name: no-raw-ai-output-to-dom
severity: block
pattern: "innerHTML\\s*=.*completion|dangerouslySetInnerHTML.*completion"
remediation: >
Sanitize AI output with DOMPurify before inserting
into the DOM. Raw AI output may contain XSS payloads.
maps-to:
- framework: eu-ai-act
control: Art.9.5
data
Data rules govern schema integrity and PII handling:
- Require migration files for schema changes
- Ban direct PII logging
- Enforce data retention annotations
- Require field-level encryption markers for sensitive columns
categories:
data:
rules:
- id: dat-001
name: no-pii-logging
severity: block
pattern: "console\\.(log|info|debug).*\\b(email|phone|ssn|dob)\\b"
remediation: >
Remove PII from log statements. Use structured logging
with field redaction for any user data.
maps-to:
- framework: hipaa
control: "164.312(a)(2)(iv)"
deployment
Deployment rules enforce safe infrastructure patterns:
- Ban hardcoded environment-specific values
- Require health check endpoints
- Enforce Docker image pinning (no
:latesttags) - Require resource limits in container manifests
categories:
deployment:
rules:
- id: dpl-001
name: no-latest-docker-tag
severity: warn
pattern: "image:.*:latest"
remediation: >
Pin Docker images to a specific digest or version tag.
Using :latest causes non-deterministic builds.
scaling
Scaling rules prevent patterns that break under load:
- Ban N+1 query patterns
- Require cache-aside pattern for expensive computations
- Enforce connection pooling
- Flag unbounded loops over database results
categories:
scaling:
rules:
- id: scl-001
name: no-select-star
severity: warn
pattern: "SELECT \\*"
remediation: >
Enumerate columns explicitly in SELECT statements.
SELECT * transfers unnecessary data and breaks
when columns are added or removed.
dependencies
Dependency rules control what packages are allowed:
- Ban specific packages (lodash, moment.js)
- Require specific alternatives (date-fns, dayjs)
- Enforce license compliance (no GPL in commercial code)
- Pin major versions
categories:
dependencies:
rules:
- id: pkg-001
name: no-moment
severity: warn
pattern: "from 'moment'|require\\('moment'\\)"
remediation: >
Use date-fns or dayjs instead of moment.js.
Moment is in maintenance mode and adds 67kB gzipped.
- id: pkg-002
name: no-gpl-packages
severity: block
pattern: "\"license\":\\s*\"GPL"
remediation: >
GPL-licensed packages cannot be used in commercial products.
Find an MIT or Apache 2.0 licensed alternative.
Category conventions
- ID prefix: Use the category prefix (
fe-,sec-, etc.) plus a zero-padded number:fe-001,sec-023. - One concern per rule: Rules should match one specific pattern. Compound rules are harder to remediate and harder to map to compliance controls.
- Remediation is required: Every
block-severity rule must have aremediationfield explaining exactly what to do.
Next: Severity Reference