Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/plawio/veto/llms.txt

Use this file to discover all available pages before exploring further.

The veto policy apply command deploys policy files to your local environment or Veto Cloud.

Syntax

veto policy apply --file <path> [options]

Description

Applies a policy YAML file by:
  • Local: Validates and loads rules into local Veto instance
  • Cloud: Pushes rules to Veto Cloud (creates draft for review)

Required Options

File Path

--file <path>
Path to policy YAML file to apply. Example: 
--file ./veto/rules/financial.yaml

Optional Settings

Target

--target <local|cloud>
Where to apply the policy:
  • local - Apply to local Veto instance (default)
  • cloud - Push to Veto Cloud
Example: 
--target cloud

Project ID

--project <id>
Veto Cloud project ID (required for cloud target). Example: 
--project proj_abc123

JSON Output

--json
Output result as JSON instead of human-readable text. Example: 
--json

Examples

Apply Locally (Default)

veto policy apply --file ./veto/rules/financial.yaml
Output: 
Applying policy: financial.yaml

✓ Parsed 3 rules
✓ Validated schema
✓ Applied to local instance

Rules:
  - block-large-transfers (severity: critical)
  - require-approval-over-1000 (severity: high)
  - log-all-transactions (severity: low)

Local policy updated successfully.

Apply to Cloud

veto policy apply \
  --file ./veto/rules/financial.yaml \
  --target cloud \
  --project proj_abc123
Output: 
Applying policy to Veto Cloud: financial.yaml

✓ Authenticated with Veto Cloud
✓ Parsed 3 rules
✓ Validated schema
✓ Created draft policy

Draft ID: draft_xyz789
Review at: https://app.veto.so/policies/draft/xyz789

Next steps:
  1. Review the draft in Veto Cloud
  2. Approve to activate
  3. Or make changes and re-apply

Apply Multiple Files

Use shell globbing or multiple commands: 
# Apply all YAML files in rules directory
for file in veto/rules/*.yaml; do
  veto policy apply --file "$file"
done

Apply with JSON Output

veto policy apply --file ./veto/rules/financial.yaml --json
Output: 
{
  "ok": true,
  "data": {
    "target": "local",
    "filePath": "./veto/rules/financial.yaml",
    "rulesApplied": 3,
    "rules": [
      {
        "id": "block-large-transfers",
        "name": "Block Large Transfers",
        "severity": "critical",
        "enabled": true
      },
      {
        "id": "require-approval-over-1000",
        "name": "Require Approval Over $1000",
        "severity": "high",
        "enabled": true
      },
      {
        "id": "log-all-transactions",
        "name": "Log All Transactions",
        "severity": "low",
        "enabled": true
      }
    ]
  }
}

Validation

Before applying, the command validates:

Schema Validation

  • YAML syntax is correct
  • Required fields are present
  • Field types are correct
  • Operators are valid

Semantic Validation

  • Rule IDs are unique
  • Tool names are valid
  • Conditions reference valid fields
  • Dependency rules exist

Example Validation Error

veto policy apply --file ./veto/rules/broken.yaml
Output: 
Error: Policy validation failed

File: ./veto/rules/broken.yaml
Line 8: Missing required field 'action'
Line 12: Invalid operator 'invalid_op' - must be one of: equals, not_equals, contains, not_contains, greater_than, less_than

Fix these errors and try again.

Cloud Workflow

1. Authenticate

First, log in to Veto Cloud: 
veto cloud login

2. Select Project

Set active project: 
veto cloud project use proj_abc123

3. Apply Policy

Push policy to cloud: 
veto policy apply \
  --file ./veto/rules/financial.yaml \
  --target cloud

4. Review Draft

Review the draft in Veto Cloud web UI: 
https://app.veto.so/policies/draft/xyz789

5. Approve or Iterate

  • Approve: Draft becomes active policy
  • Iterate: Make changes and re-apply

File Format

Policy files use YAML format: 
rules:
  - id: unique-rule-id
    name: Human Readable Name
    description: What this rule does
    enabled: true
    severity: high
    action: block  # block, require_approval, allow
    tools:
      - tool_name
    conditions:
      - field: arguments.amount
        operator: greater_than
        value: 1000

Common Scenarios

Apply After Generation

# Generate policy
veto policy generate \
  --tool transfer_funds \
  --prompt "block transfers over $500" \
  --save ./veto/rules/financial.yaml

# Apply locally
veto policy apply --file ./veto/rules/financial.yaml

# Test it
veto guard check --tool transfer_funds --args '{"amount": 600}'

Update Existing Policy

# Edit policy file
vim ./veto/rules/financial.yaml

# Re-apply (overwrites previous version)
veto policy apply --file ./veto/rules/financial.yaml

# Verify changes
veto scan

Deploy to Production (Cloud)

# Apply to cloud
veto policy apply \
  --file ./veto/rules/financial.yaml \
  --target cloud \
  --project proj_prod_123

# Monitor application logs for policy decisions
veto cloud logs --project proj_prod_123

Troubleshooting

File Not Found

veto policy apply --file ./missing.yaml
Output: 
Error: File not found: ./missing.yaml
Solution: 
# Check file path
ls ./veto/rules/

# Use correct path
veto policy apply --file ./veto/rules/financial.yaml

Invalid YAML

Error: Failed to parse YAML: Unexpected token
Solution: 
# Validate YAML syntax
yamllint ./veto/rules/financial.yaml

# Or use online validator
cat ./veto/rules/financial.yaml | pbcopy
# Paste into https://www.yamllint.com/

Cloud Authentication Failed

Error: Cloud authentication failed: No credentials found
Solution: 
# Log in to Veto Cloud
veto cloud login

# Or set API key
export VETO_API_KEY=your-key-here

# Try again
veto policy apply --file ./veto/rules/financial.yaml --target cloud

Rule ID Conflict

Error: Rule ID 'block-large-transfers' already exists
Solution:
  • Change rule ID to be unique
  • Or remove existing rule first
  • Or overwrite with --force (if available)

Best Practices

1. Version Control

Commit policy files to git: 
git add veto/rules/
git commit -m "Add financial policies"

2. Test Locally First

# Always test locally before cloud
veto policy apply --file ./veto/rules/new.yaml --target local
veto guard check --tool <name> --args '{}'

# Then push to cloud
veto policy apply --file ./veto/rules/new.yaml --target cloud

3. Use Meaningful Filenames

# Good
veto/rules/financial-transfers.yaml
veto/rules/email-security.yaml
veto/rules/database-access.yaml

# Bad
veto/rules/policy1.yaml
veto/rules/rules.yaml
veto/rules/stuff.yaml

4. Document Your Rules

Add clear descriptions: 
rules:
  - id: block-large-transfers
    name: Block Large Transfers
    description: |
      Prevents financial transfers over $10,000 to protect against
      unauthorized large transactions. Added after incident #1234.
      Last updated: 2024-03-01

5. Organize by Domain

veto/rules/
  financial/
    transfers.yaml
    invoices.yaml
  communication/
    email.yaml
    slack.yaml
  security/
    access-control.yaml
    data-protection.yaml

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us