Documentation Index
Fetch the complete documentation index at: https://mintlify.com/plawio/veto/llms.txt
Use this file to discover all available pages before exploring further.
The veto diff command shows what changed between two policy versions and optionally replays historical calls to see the impact.
Syntax
veto diff [policy-path] [options]
veto diff --old <path> --new <path> [options]
Description
Compares policy versions to show:
- Structural changes: Added/removed/modified rules
- Scope changes: Which tools are affected
- Impact analysis: How historical calls would be affected (optional)
Arguments
Policy Path
Compare working file against git HEAD.
Example:
veto diff veto/rules/financial.yaml
Options
Old/New Paths
--old <path>
--new <path>
veto diff --old ./rules-v1 --new ./rules-v2
Log File
Replay historical calls from JSONL log file to see impact.
Example:
veto diff financial.yaml --log calls.jsonl
text - Human-readable (default)json - Machine-readable JSON
Example:
Examples
Compare Against Git HEAD
veto diff veto/rules/financial.yaml
Veto Policy Diff
================
Comparing:
Old: HEAD:veto/rules/financial.yaml
New: veto/rules/financial.yaml
Structural Changes:
ADDED RULES (1):
+ block-crypto-transfers
Severity: critical
Tools: transfer_funds
Description: Block cryptocurrency transfers
MODIFIED RULES (1):
~ block-large-transfers
- action: require_approval
+ action: block
- value: 10000
+ value: 5000
REMOVED RULES (0)
Affected Tools:
- transfer_funds (2 rules changed)
Summary:
Old rules: 5
New rules: 6
Added: 1
Modified: 1
Removed: 0
Compare Two Directories
veto diff --old ./rules-v1 --new ./rules-v2
Veto Policy Diff
================
Comparing:
Old: ./rules-v1
New: ./rules-v2
Structural Changes:
ADDED RULES (3):
+ require-mfa-admin
+ block-weekend-deploys
+ log-sensitive-queries
MODIFIED RULES (2):
~ block-large-transfers
~ require-invoice-approval
REMOVED RULES (1):
- legacy-email-rule
Affected Tools:
- transfer_funds
- approve_invoice
- deploy_app
- query_database
Summary:
Old rules: 12
New rules: 14
Added: 3
Modified: 2
Removed: 1
Impact Analysis
veto diff financial.yaml --log calls.jsonl
Veto Policy Diff
================
Comparing:
Old: HEAD:veto/rules/financial.yaml
New: veto/rules/financial.yaml
Structural Changes:
...
Impact Analysis:
================
Log file: calls.jsonl
Total lines: 1000
Valid calls: 950
Invalid lines: 50
Old Policy Decisions:
Allow: 800 (84.2%)
Require Approval: 100 (10.5%)
Block: 50 (5.3%)
New Policy Decisions:
Allow: 750 (78.9%)
Require Approval: 120 (12.6%)
Block: 80 (8.4%)
Transitions:
allow → block: 40 calls
allow → require_approval: 20 calls
require_approval → block: 10 calls
Changed by Tool:
transfer_funds: 50 calls affected
approve_invoice: 20 calls affected
Sample Changed Calls:
[Line 42] transfer_funds
Arguments: {"amount": 6000, "recipient": "user@example.com"}
Old: allow (no matching rule)
New: block (rule: block-large-transfers)
Reason: Amount 6000 exceeds new threshold of 5000
[Line 123] transfer_funds
Arguments: {"amount": 8000, "currency": "BTC"}
Old: require_approval (rule: require-approval-large)
New: block (rule: block-crypto-transfers)
Reason: Cryptocurrency transfers now blocked
(showing 2 of 70 changed calls)
Additional Blocked: 50 calls
Additional Requiring Approval: 20 calls
JSON Output
veto diff financial.yaml --format json
{
"timestamp": "2024-03-04T12:00:00.000Z",
"projectDir": "/path/to/project",
"sources": {
"mode": "implicit-git-file",
"old": "HEAD:veto/rules/financial.yaml",
"new": "veto/rules/financial.yaml"
},
"structural": {
"addedRuleIds": ["block-crypto-transfers"],
"removedRuleIds": [],
"modifiedRuleIds": ["block-large-transfers"],
"ruleChanges": [
{
"kind": "added",
"ruleId": "block-crypto-transfers",
"scopes": ["transfer_funds"],
"summary": "Added rule for transfer_funds",
"fieldChanges": []
},
{
"kind": "modified",
"ruleId": "block-large-transfers",
"scopes": ["transfer_funds"],
"summary": "Modified action, conditions",
"fieldChanges": [
{
"field": "action",
"oldValue": "require_approval",
"newValue": "block"
}
]
}
],
"changesByScope": [
{
"scope": "transfer_funds",
"added": [],
"removed": [],
"modified": []
}
],
"unchangedTools": ["approve_invoice", "send_email"]
},
"impact": null,
"summary": {
"oldRules": 5,
"newRules": 6,
"added": 1,
"modified": 1,
"removed": 0,
"changedScopes": 1,
"unchangedTools": 2,
"hasChanges": true
}
}
{"tool": "transfer_funds", "arguments": {"amount": 100}, "timestamp": "2024-03-01T10:00:00Z"}
{"tool": "approve_invoice", "arguments": {"amount": 500}, "timestamp": "2024-03-01T10:01:00Z"}
{"tool": "transfer_funds", "arguments": {"amount": 6000}, "timestamp": "2024-03-01T10:02:00Z"}
tool - Tool namearguments - Tool arguments object
Optional fields:
timestamp - ISO 8601 timestampsessionId - Session identifieruserId - User identifieragentId - Agent identifier
Use Cases
Pre-Deployment Review
# Before deploying to production
veto diff veto/rules/financial.yaml --log production-calls-7d.jsonl
Pull Request Review
# In CI, compare against main branch
git diff main...HEAD --name-only | grep 'veto/rules/'
veto diff veto/rules/financial.yaml
Policy Audit
# Compare old and new rule sets
veto diff --old ./rules-2024-01 --new ./rules-2024-03 --format json > audit-report.json
Rollback Analysis
# See what would change if you rolled back
veto diff --old ./rules-current --new ./rules-backup-2024-02-01
Workflows
Update Rule Safely
# 1. Edit rule
vim veto/rules/financial.yaml
# 2. See what changed
veto diff veto/rules/financial.yaml
# 3. Check impact
veto diff veto/rules/financial.yaml --log recent-calls.jsonl
# 4. If safe, apply
veto policy apply --file veto/rules/financial.yaml
CI Policy Validation
# .github/workflows/veto-diff.yml
name: Veto Policy Diff
on:
pull_request:
paths:
- 'veto/rules/**'
jobs:
diff:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-node@v3
with:
node-version: 20
- run: npm install -g veto-cli
- run: |
for file in $(git diff --name-only origin/main...HEAD | grep 'veto/rules/'); do
echo "Checking $file"
veto diff "$file" --format text
done
Historical Impact Report
#!/bin/bash
# Export tool calls from last 7 days
veto cloud logs --days 7 --format jsonl > calls-7d.jsonl
# Generate impact report
veto diff veto/rules/financial.yaml --log calls-7d.jsonl --format json > impact-report.json
# Email to team
jq '.impact' impact-report.json | mail -s "Policy Impact Analysis" team@company.com
Troubleshooting
Git File Not Found
Error: Unable to load HEAD version of veto/rules/financial.yaml
# Ensure file is committed
git add veto/rules/financial.yaml
git commit -m "Add financial rules"
# Or compare two files explicitly
veto diff --old financial-old.yaml --new financial-new.yaml
Warning: Invalid lines: 50
# Validate JSONL format
jq -c . calls.jsonl > /dev/null
# Or check line 42 (example)
sed -n '42p' calls.jsonl | jq .
No Changes Detected
No changes detected between policies.
- Verify you’re comparing the right files
- Check that changes are syntactically different (not just whitespace)
Best Practices
1. Review Before Applying
Always diff before applying:
veto diff veto/rules/financial.yaml
veto policy apply --file veto/rules/financial.yaml
2. Use Log Files for Important Changes
# For critical policies, always check impact
veto diff production-policy.yaml --log prod-calls-30d.jsonl
3. Archive Diffs
# Save diff reports for audit trail
veto diff --old ./rules-v1 --new ./rules-v2 --format json > diff-v1-to-v2.json
git add diff-v1-to-v2.json
4. Automate in CI
# Fail CI if diff shows high impact
veto diff veto/rules/ --log recent.jsonl --format json | \
jq -e '.impact.additionalBlocked < 100'
Next Steps
