Skip to main content

Packs

A pack is a curated set of rules designed for a specific context. Rather than writing rules from scratch, you apply a pack and immediately get a production-ready set of constraints tuned for your vertical or stack.

The 5 built-in packs

eu-fintech
MiFID II, PSD2, GDPR — for EU-regulated financial servicesus-healthtech-phi
HIPAA Security Rule — for US healthtech handling protected health informationus-fintech
PCI-DSS, SOC 2 — for US payment and financial applicationseu-saas-general
GDPR, EU AI Act — for general-purpose SaaS products operating in the EUus-saas-general
SOC 2 Type II baseline — for general-purpose SaaS products in the US market

Applying a pack

vyb init --pack eu-fintech

This merges the pack's rules into your .vyb/spec.yaml. If a spec already exists, the pack is merged — existing rules are preserved, and pack rules are added unless they conflict (your rules win).

To initialize a fresh project with a pack:

mkdir my-project && cd my-project
git init
vyb init --pack us-healthtech-phi

Pack structure

Internally, a pack is a YAML file with the same structure as a spec's categories block, plus metadata:

Example pack structure
pack:
  id: eu-fintech
  name: EU Fintech Pack
  version: 2.1.0
  description: >
    Rule pack for EU-regulated financial services.
    Covers MiFID II order handling, PSD2 authentication,
    GDPR data minimization, and EU AI Act article 9 requirements.
  frameworks:
    - eu-ai-act
    - soc2
    - gdpr

categories:
  security:
    rules:
      - id: sec-001
        name: no-eval
        severity: block
        ...
  data:
    rules:
      - id: dat-001
        name: no-pii-logging
        severity: block
        ...

Extending a pack

After applying a pack, add your own rules freely:

.vyb/spec.yaml
# Pack rules are merged in here automatically.
# You can add custom rules in any category:

categories:
  frontend:
    rules:
      # This rule is not in any pack — it's specific to our stack
      - id: fe-001
        name: no-direct-dom
        severity: warn
        pattern: "document\\.getElementById"
        remediation: Use React refs instead of direct DOM access.

Overriding pack rules

To override a pack rule, define a rule with the same id in your spec. Your spec's version takes precedence:

categories:
  security:
    rules:
      # Pack defines sec-001 at severity: warn
      # We upgrade it to block:
      - id: sec-001
        severity: block

You can upgrade severity (allowed by the ratchet) but not downgrade it.

Disabling a pack rule

To disable a specific rule from an applied pack:

categories:
  dependencies:
    rules:
      - id: pkg-001
        enabled: false    # disable the pack's no-lodash rule for this project

Custom packs

Beyond the 5 built-in packs, you can create custom packs for your organization's standards. Custom packs work identically to built-in packs — they live in .vyb/packs/, can be shared via npm, and can be applied with vyb init --pack <name>.

See Enterprise Vibe Coding for a full walkthrough of creating and sharing a custom pack for your engineering standards.

Emitting a pack

If you have built up rules in your spec that you want to package and share:

vyb pack --emit

This generates a distributable pack YAML in .vyb/packs/ based on your current spec. You can then publish it to npm, share it via git, or distribute it as a file.

Next: EU Fintech Pack