Policy packs / UiPath
UiPath REFramework Baseline
Production-readiness floor for transactional REFramework projects.
Why this pack
The UiPath Robotic Enterprise Framework is the de facto template for transactional automations: every UI action sits inside a retry scope, every config value comes from an asset, every exception is logged with a transaction reference, and orchestrator tags drive scheduling. This pack codifies those expectations as a Flowcerta policy floor so a regression — a hardcoded credential creeping into a Get Asset replacement, a writeline left in production code, a try/catch swallowed exception — fails the scan instead of failing an audit.
Aligned with: UiPath REFramework template · UiPath Workflow Analyzer baseline rules (ST-/UI-)
Environment profiles
The pack ships with severity thresholds tuned per environment so the same workflow gets stricter as it promotes toward production.
Surface findings without blocking the build. Only criticals fail.
Production-equivalent gate. Highs and above block promotion.
Strictest gate. Mediums and above block — no surprises in prod.
Rules included (28)
Connection strings carry credentials and routing info — both should come from assets, not code.
A variable named "apiKey" with a literal default still leaks a credential into source control.
REFramework expects all credentials via Orchestrator assets. A literal in code is an instant fail.
A catch that does nothing is the silent failure that costs you a Friday afternoon postmortem.
A retry loop without a ceiling is a runaway bot waiting for the right outage.
Transient failures are the single biggest cause of bot crashes. No retry = no resilience.
WriteLine writes to the local console — invisible in Orchestrator. Always use Log Message.
Reference to a package on the CoE deny-list (older Web automation libs, deprecated activity packs).
Wraps swallow the exception the retry scope needs to see — guarantees the retry never fires.
A selector built on dynamic runtime attributes breaks the moment the target app updates its DOM.
Stop Workflow inside a transaction skips the REFramework finally block — connections leak.
REFramework wraps every UI interaction in Try/Catch + Retry Scope. Unwrapped clicks are a tell.
REFramework logs every transaction. Missing log calls break Bot Insight-equivalent telemetry.
Large Invoke Code blocks hide logic from Workflow Analyzer. Move to a custom activity library.
Mega-flowcharts hide control flow. Break into sub-flowcharts or sequences per state.
Environment-specific ports belong in config. Mediums catch portability regressions.
Database names diverge across dev/staging/prod — keep them in the Config dictionary.
Repeated Invoke Workflow File inside a loop multiplies loader overhead — usually a refactor signal.
Workflows deeper than ~5 levels are unmaintainable. REFramework extracts subroutines for a reason.
REFramework conventions (str_, int_, dt_) make variables auditable at a glance.
in_/out_/io_ prefixes are REFramework canon. A missing prefix is a workflow-contract smell.
Orchestrator tags drive triggers and SLAs. Missing tags break scheduled runs silently.
Invoked workflows should match the REFramework template (in_TransactionItem, out_TransactionItem, etc.).
Scope-shadowing variables produce subtle runtime bugs that survive review.
A workflow taking 12 arguments has a design problem. Encapsulate in a config object.
A literal Delay defeats Retry Scope timing. Use element-exist + retry pattern instead.
"Sequence", "Assign" — default names make the workflow read like a stranger's code.
Two activities with the same display name make logs and Bot Insight traces ambiguous.