Nomion: Building an RPA Quality Platform with 560+ Validation Rules

In the world of Robotic Process Automation, deploying a bot to production is like launching a rocket—you want to catch problems on the ground, not in flight. This is why I built Nomion, a quality gate that validates automation workflows against 560+ configurable rules before they reach production.

The Problem: RPA Quality at Scale

Enterprise RPA programs often deploy hundreds of bots across critical business processes. Without quality controls, you get:

Security vulnerabilities: Hardcoded credentials, exposed API keys, missing encryption
Performance issues: Nested loops, missing pagination, inefficient selectors
Maintenance nightmares: Poor naming conventions, missing documentation, tight coupling
Production failures: Missing exception handling, improper error recovery

Traditional code review doesn't scale when you have 50 developers building bots across 3 different platforms.

The Solution: Automated Quality Gates

Nomion acts as an automated quality gate that:

Ingests automation files (Blue Prism exports, UiPath packages, Power Automate solutions)
Validates against platform-specific rulesets
Reports violations with severity levels and remediation guidance
Configures rules per team/project needs

Think of it as ESLint for RPA.

Platform Coverage

Blue Prism (321+ Rules)

Blue Prism's XML-based .bpprocess and .bpobject files enable deep static analysis:

Category	Rules	Focus
Variables (VAR)	45	Naming, exposure, initialization
Security (SEC)	38	Password handling, encryption
Pages (PAGE)	32	Structure, documentation
Work Queue (QUE)	28	Queue handling best practices
Environment (ENV)	24	Environment variable usage
Navigation (NAV)	22	Page navigation patterns
Exceptions (EXC)	42	Error handling coverage
General (GEN)	90	Best practices, standards

UiPath (88 Rules)

UiPath's .xaml workflows and .nupkg packages are analyzed for:

Selector quality (0-100 scoring based on fragility indicators)
REFramework compliance (proper state machine implementation)
Security (credential handling, config management)
Performance (6.29ms average validation, 9,537 workflows/minute throughput)

Power Automate (154 Rules) - Production Ready

Power Automate's JSON-based flows enable comprehensive validation:

Category	Rules	Examples
Security	17	Hardcoded credentials, DLP policies
Performance	17	Nested loops, pagination, timeouts
Error Handling	17	Try-catch, run-after configuration
Naming	21	Action names, variable conventions
Connections	11	Connection references, service principals
Triggers	11	Security, frequency, filters
Data Operations	16	SharePoint, Dataverse, SQL practices
ALM/DevOps	8	Source control, environment design

Real-world validation: Successfully analyzed 11 flows across 8 solutions, detecting 8 security issues and 16 naming violations.

Architecture

Backend (ASP.NET Core 8)

REST API for file ingestion and validation orchestration
Streaming validation for large files (100MB+ support)
Rule configuration with severity levels and enable/disable toggles

Frontend (Next.js 15 + React 19)

Drag-and-drop upload with real-time progress
Interactive reports with filtering and sorting
Rule configuration UI for team customization
Export options (CSV, Excel, PDF)

Key Features

1. Platform-Aware Validation

Rules are automatically filtered based on file type. Upload a .bpprocess and you get Blue Prism rules. Upload a .nupkg and you get UiPath rules.

2. Severity Levels

Each rule has a configurable severity:

Error: Must fix before production
Warning: Should fix, but not blocking
Info: Best practice recommendation

3. Real-Time Feedback

Validation typically completes in under 100ms for most files, with streaming support for larger packages.

4. Rule Customization

Teams can:

Enable/disable specific rules
Adjust severity levels
Create custom rule groups

Example: Power Automate Security Scan

{
  "violations": [
    {
      "ruleId": "SEC-001",
      "severity": "Error",
      "message": "Hardcoded API key detected in HTTP action",
      "location": "actions.HTTP_Request.inputs.headers.Authorization",
      "remediation": "Use environment variables or Azure Key Vault"
    },
    {
      "ruleId": "SEC-005",
      "severity": "Warning",
      "message": "Connection not using service principal",
      "location": "connectionReferences.shared_sharepointonline",
      "remediation": "Configure service principal for production"
    }
  ]
}

Performance Metrics

Metric	Value
Average validation time	6.29ms
Throughput	9,537 workflows/minute
Max file size	100MB
Test coverage	100% (321/323 tests)

Integration Points

Nomion is designed for CI/CD integration:

# Azure DevOps example
- task: NomionValidation@1
  inputs:
    filePath: '$(Build.ArtifactStagingDirectory)/*.bprelease'
    failOnError: true
    severityThreshold: 'Warning'

Lessons Learned

1. XML/JSON Parsing is the Easy Part

The hard part is understanding platform semantics. What makes a "good" Blue Prism object vs a "bad" one? This required deep domain expertise.

2. Rule Configurability is Essential

Every organization has different standards. Making rules configurable (not just on/off, but severity levels and thresholds) was critical for adoption.

3. False Positives Kill Adoption

A rule that fires incorrectly once will be disabled forever. Precision matters more than recall in quality tools.

4. Speed Enables Adoption

If validation takes 10 seconds, developers skip it. Sub-100ms validation means it can run on every save.

What's Next

Additional platforms: Automation Anywhere, Microsoft Power Apps
Custom rule authoring: UI for creating organization-specific rules
Historical tracking: Trend analysis across deployments
IDE integration: VS Code and Blue Prism extensions

Try It Out

Nomion is designed to integrate into your automation development workflow. Whether you're building a single bot or managing an enterprise RPA program, quality gates catch issues before your customers do.

Launch Nomion →

Building quality into automation isn't optional—it's essential. Nomion makes it automatic.