Enterprise vibe coding — now possible
The constraint engine for AI-generated code

A single spec. Every commit, refracted through it.

Declare your enterprise constraints once. Vybdocs enforces them on every AI-generated change, then publishes a signed evidence pack mapped to SOC 2, the EU AI Act, HIPAA, and DORA. Auditors accept it on first read.

v0.4.0 · MIT · ED25519

vyb check — core-platform · PR #2148
$ vyb check
◇ PASS   dep-001  pinned dependencies
◇ PASS   sec-003  no hardcoded secrets
◆ BLOCK  sec-001  eval() detected in auth.ts
◇ PASS   llm-002  no raw prompt concatenation
◇ PASS   fe-004   no dangerouslySetInnerHTML
◇ PASS   dep-004  no banned packages
◆ BLOCK  sec-007  unvalidated env var in query
◇ PASS   llm-001  model pinned to version
6 passed · 2 blocked · 22 files · 0.4s
vybdocs / vyb check
2 violations — merge blocked until resolved
blocked
Evidence pack pending
SOC 2 · EU AI Act · HIPAA · DORA — emits on clean merge
Frameworks attested
SOC 2 Type II: CC6.1, CC6.7, CC7.2
EU AI Act: Art. 15 (accuracy)
HIPAA: § 164.312(a)(2)(iv)
DORA: Art. 28 (ICT risk)
ISO 27001: A.12.1.2
Why it matters

AI writes the code.
Nobody signs it.

EU AI Act enforcement begins August 2, 2026. Cursor audit logs explicitly exclude prompts and generated code. Your auditor will ask. You need an answer.

01 · Blind spots
Cursor excludes prompts from its audit log

Every AI coding tool generates code. None of them sign it. When your SOC 2 auditor asks for a non-repudiable record of AI contributions to your codebase, there is no artifact to show.

02 · Enforcement
EU AI Act enforcement begins Aug 2, 2026

COSO Feb 2026 requires a signed, non-editable audit trail for AI contributions to code in scope. No AI IDE vendor offers this. The deadline is not a forecast — it is a date.

03 · Budget owners
Two budgets. One product. Zero overlap.

Engineering owns constraint enforcement. GRC owns the audit trail. Vybdocs is bought by both — engineering velocity and GRC compliance from a single spec file.

The workflow

Declare. Enforce. Attest.

Three steps. One spec file. A signed evidence pack on every merge.

01 — Declare
declare your constraints

Write a .vyb/spec.yaml — or let the MCP server draft one in Claude Desktop. Eight categories: frontend, backend, security, LLMs, data, deployment, scaling, dependencies.

vyb init --pack eu-fintech
vyb propose-rule
# → adds rule via Claude Desktop
02 — Enforce
enforce at PR time

A pre-receive hook or GitHub Action runs vyb check on every pull request. Rules evaluate AST-level changes across Cursor, Claude Code, Copilot, and Cline.

vyb check
◆ BLOCK  sec-001  no eval()
◇ PASS   dep-004  pinned deps
◇ PASS   llm-002  no raw prompts
03 — Attest
attest with a signed pack

On clean merge, vybdocs emits a hash-chained, Ed25519-signed Evidence Pack — mapped to SOC 2, EU AI Act, HIPAA, and DORA. Auditors accept it on first read.

vyb pack --emit
# → vyb-2026-05-17-9af2c1.json
# → auditor-evidence.pdf
# spec-hash: 9af2c1d3 b5e078ff
The artifact

The evidence pack auditors actually accept.

Every merged pull request generates a PDF and JSON evidence pack — hash-chained from the spec forward to the commit. Immutable. Signed. Framework-mapped.

  • Ed25519 signature on every pack

    Each evidence pack is signed with your org key — or your local key for OSS users. Verifiable at vybdocs.com/ev/{hash}.

  • SHA-256 hash chain from spec to commit

    The chain links your spec hash to each rule evaluation and the final commit. Any tampering breaks the chain.

  • Pre-mapped to SOC 2, EU AI Act, HIPAA, DORA

    Each rule evaluation includes its framework clause mapping. The PDF is structured to slot directly into audit evidence binders.

  • Machine-readable JSON + human-readable PDF

    Both formats emitted on every merge. The JSON feeds your GRC platform; the PDF goes to your auditor.
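
Added example, not Vybdocs code: the pack's real record layout is not shown on this page, so the record fields, the canonical-JSON encoding and the link formula below are assumptions. It shows why a SHA-256 chain anchored at the spec hash catches in-place edits and spec swaps, while an edit followed by a full recompute is caught only by comparing against the signed head.

```python
import hashlib
import json

def link_hash(prev_hex, record):
    """SHA-256 over the previous link hash plus canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hex) + body).hexdigest()

def build_chain(spec_bytes, records):
    """Anchor the chain at SHA-256(spec) and add one link per record."""
    prev, chain = hashlib.sha256(spec_bytes).hexdigest(), []
    for rec in records:
        prev = link_hash(prev, rec)
        chain.append({"record": rec, "hash": prev})
    return chain

def verify_chain(spec_bytes, chain, signed_head):
    """Recompute every link; signed_head is the final hash the signature covers."""
    prev = hashlib.sha256(spec_bytes).hexdigest()
    for i, link in enumerate(chain):
        prev = link_hash(prev, link["record"])
        if prev != link["hash"]:
            return False, f"link {i} does not match its stored hash"
    if prev != signed_head:
        return False, "chain is self-consistent but head differs from signed head"
    return True, "ok"

# Constructed sample data; field names and values are hypothetical.
SPEC = b"rules:\n  - id: sec-001\n"
RECORDS = [
    {"rule": "sec-001", "result": "BLOCK", "file": "auth.ts"},
    {"rule": "dep-004", "result": "PASS"},
    {"commit": "PLACEHOLDER-COMMIT-ID"},
]

def demo():
    chain = build_chain(SPEC, RECORDS)
    head = chain[-1]["hash"]  # in a real pack this value would be signature-protected
    clean = verify_chain(SPEC, chain, head)
    # Tamper 1: edit a record but leave the stored hashes alone.
    edited = [{"record": dict(l["record"]), "hash": l["hash"]} for l in chain]
    edited[0]["record"]["result"] = "PASS"
    in_place = verify_chain(SPEC, edited, head)
    # Tamper 2: edit the record and recompute every hash after it.
    forged = [dict(r) for r in RECORDS]
    forged[0]["result"] = "PASS"
    rebuilt = verify_chain(SPEC, build_chain(SPEC, forged), head)
    # Tamper 3: swap the spec under an unchanged chain.
    swapped = verify_chain(b"rules: []\n", chain, head)
    return clean, in_place, rebuilt, swapped
```

Calling demo() returns the four verification results in order. The second tamper case is why the head hash has to come from a verified signature rather than from the pack file itself.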

VYBDOCS · EVIDENCE · VYB-2026-05-17-9AF2C1
A signed record of compliance, refracted.

Pull request #2148 against core-platform. Twenty-two rules evaluated against twenty-three changes. One violation resolved before merge. The chain that follows is hash-linked and signed.

SIGNED · ED25519
repo: core-platform
author: j.lin@acme.io · cursor 0.43
spec-hash: 9af2c1d3 b5e078ff …
signed: 2026-05-17 14:22:08Z
verify: vybdocs.com/ev/9af2c1
Frameworks Attested
SOC 2 Type II: CC6.1, CC6.7, CC7.2
EU AI Act: Art. 15 (accuracy)
HIPAA: § 164.312(a)(2)(iv)
DORA: Art. 28 (ICT risk)
Chain
Vertical rule packs

Your vertical, pre-loaded.

Run vyb init --pack eu-fintech and get 40+ production-hardened rules for your regulatory context in thirty seconds.

EU · Fintech
eu-fintech

DORA, EU AI Act, PCI-DSS for European financial services. Maps to EBA guidelines on ICT risk.

44 rules · 6 categories
US · Health
us-healthtech-phi

HIPAA PHI safeguards, HITECH, FDA 21 CFR Part 11 for US digital health teams handling patient data.

38 rules · 5 categories
US · Fintech
us-fintech

SOC 2 Type II, SOX IT controls, NIST CSF for US financial technology companies and payment processors.

41 rules · 6 categories
EU · SaaS
eu-saas-general

GDPR, EU AI Act, ePrivacy for European B2B SaaS. Covers data residency, consent, and LLM output transparency.

36 rules · 5 categories
US · SaaS
us-saas-general

SOC 2, CCPA, and NIST AI RMF for US-based B2B SaaS. The standard baseline for Series A+ engineering orgs.

33 rules · 5 categories
Pricing

Start free. Scale precisely.

OSS CLI is MIT-licensed and always free. Upgrade for hosted workspaces, SSO, and the auditor evidence pack.

Open source
OSS
$0
MIT-licensed forever
  • Full CLI — vyb check, init, pack
  • All 5 vertical rule packs
  • Local Ed25519 signing
  • BYO API key authoring
  • vyb ui — localhost:7777 dashboard
  • MCP server for Claude Desktop
brew install vybdocs
Most popular
Pro
$30
/dev/mo · 5-dev minimum
  • Everything in OSS
  • Hosted workspace + org key
  • Auditor Evidence Pack PDF
  • SOC 2 + EU AI Act Art. 5 mapping
  • SSO (Google + Entra)
  • Priority support
Regulated teams
Business
$50
/dev/mo · 25-dev minimum
  • Everything in Pro
  • HIPAA + DORA pack mapping
  • Multi-IDE policy plane
  • RBAC + audit log export
  • Priority support · SLA
  • Dedicated onboarding