The veto policy generate command creates policy rules from natural language descriptions using AI.
Syntax
veto policy generate --tool <name> --prompt <text> [options]
Description
Generates policy YAML rules from plain English descriptions. Uses AI to understand your intent and create appropriate conditions, actions, and constraints.
Required Options
Tool
--tool <name>
Name of the tool to create a policy for.
Example:
--tool transfer_funds
Prompt
--prompt <text>
Natural language description of what the policy should do.
Example:
--prompt "block transfers over $500 to unverified recipients"
Optional Settings
Save Path
--save <path>
Save generated YAML to a file.
Example:
--save ./veto/rules/financial.yaml
Target
--target <local|cloud>
Where to apply the policy:
local - Generate for local use (default)
cloud - Generate and push to Veto Cloud
Example:
--target cloud
Mode Hint
--mode-hint <auto|deterministic|llm>
Hint at the preferred rule type:
auto - Let AI decide (default)
deterministic - Prefer rule-based conditions
llm - Prefer LLM-based evaluation
Example:
--mode-hint deterministic
JSON Output
--json
Output result as JSON instead of human-readable text.
Example:
--json
Examples
Generate Financial Rule
veto policy generate \
--tool transfer_funds \
--prompt "block transfers over $500 to unverified recipients"
Output:
rules:
  - id: block-large-unverified-transfers
    name: Block Large Unverified Transfers
    description: Prevent transfers over $500 to recipients that are not verified
    enabled: true
    severity: high
    action: block
    tools:
      - transfer_funds
    conditions:
      - field: arguments.amount
        operator: greater_than
        value: 500
      - field: arguments.recipient.verified
        operator: equals
        value: false
    condition_groups:
      - logic: and
        conditions: [0, 1]
Generate and Save
veto policy generate \
--tool approve_invoice \
--prompt "require approval for invoices above $5000" \
--save ./veto/rules/invoices.yaml
Output:
Generated policy for approve_invoice
Mode: deterministic
Rules: 1
Saved to: ./veto/rules/invoices.yaml
Generate with Deterministic Hint
veto policy generate \
--tool send_email \
--prompt "block emails to external domains" \
--mode-hint deterministic
Output:
rules:
  - id: block-external-emails
    name: Block External Emails
    description: Prevent sending emails to domains outside company.com
    enabled: true
    severity: medium
    action: block
    tools:
      - send_email
    conditions:
      - field: arguments.to
        operator: not_contains
        value: '@company.com'
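To make the generated rule shape concrete, here is an added JavaScript evaluator (not Veto's own code) that runs the financial rule and the email rule above against sample tool calls. Operator semantics, the AND default when condition_groups is absent, and the reading of condition_groups entries as indices into conditions are assumptions drawn from the two outputs.

```javascript
// Added example, not Veto's own code: a minimal evaluator for the deterministic
// rule shape shown in the outputs above. Operator semantics are assumptions.
const OPERATORS = {
  // A non-numeric amount does not match; a real engine should decide whether
  // a type mismatch on a block rule should fail closed instead.
  greater_than: (a, v) => typeof a === "number" && a > v,
  equals: (a, v) => a === v,
  // String operators also accept arrays (e.g. several recipients): one element
  // outside company.com is enough to trip not_contains. A missing field also
  // trips not_contains, so the rule fails closed.
  contains: (a, v) => [].concat(a).some((x) => typeof x === "string" && x.includes(v)),
  not_contains: (a, v) => [].concat(a).some((x) => typeof x !== "string" || !x.includes(v)),
};
// Resolve a dotted field path such as "arguments.recipient.verified".
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}
// Returns the rule's action when every condition group matches, else "allow".
// Without condition_groups all conditions are AND-ed (assumed default).
function evaluate(rule, call) {
  if (!rule.tools.includes(call.tool)) return "allow";
  const results = rule.conditions.map((c) => {
    const op = OPERATORS[c.operator];
    if (!op) throw new Error(`unknown operator: ${c.operator}`);
    return op(getPath(call, c.field), c.value);
  });
  const groups = rule.condition_groups ||
    [{ logic: "and", conditions: results.map((_, i) => i) }];
  const matched = groups.every((g) => {
    const vals = g.conditions.map((i) => results[i]);
    return g.logic === "or" ? vals.some(Boolean) : vals.every(Boolean);
  });
  return matched ? rule.action : "allow";
}
// Rules transcribed from the two generated outputs above (only the fields
// the evaluator reads).
const transferRule = {
  action: "block", tools: ["transfer_funds"],
  conditions: [
    { field: "arguments.amount", operator: "greater_than", value: 500 },
    { field: "arguments.recipient.verified", operator: "equals", value: false },
  ],
  condition_groups: [{ logic: "and", conditions: [0, 1] }],
};
const emailRule = {
  action: "block", tools: ["send_email"],
  conditions: [{ field: "arguments.to", operator: "not_contains", value: "@company.com" }],
};
// Constructed sample call: $750 to an unverified recipient.
console.log(evaluate(transferRule, { tool: "transfer_funds",
  arguments: { amount: 750, recipient: { verified: false } } })); // block
```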
Generate with LLM Hint
veto policy generate \
--tool execute_code \
--prompt "block code that appears malicious or unsafe" \
--mode-hint llm
Output:
rules:
  - id: block-malicious-code
    name: Block Malicious Code
    description: Use LLM to detect and block potentially malicious code execution
    enabled: true
    severity: critical
    action: block
    tools:
      - execute_code
    llm_guard:
      model: gpt-4
      prompt: |
        Analyze this code for malicious intent:
        {{arguments.code}}
        Block if the code:
        - Accesses sensitive files
        - Makes unauthorized network requests
        - Performs destructive operations
Generate for Cloud
veto policy generate \
--tool deploy_app \
--prompt "require approval before deploying to production" \
--target cloud \
--save ./veto/rules/deployment.yaml
Output:
Generated policy for deploy_app
Mode: deterministic
Rules: 1
Saved to: ./veto/rules/deployment.yaml
Pushed to Veto Cloud as draft
Review at: https://app.veto.so/policies/draft/abc123
JSON Output
veto policy generate \
--tool delete_database \
--prompt "always block database deletion" \
--json
Output:
{
  "ok": true,
  "data": {
    "target": "local",
    "toolName": "delete_database",
    "prompt": "always block database deletion",
    "yaml": "rules:\n  - id: block-database-deletion\n    name: Block Database Deletion\n    description: Prevent all database deletion operations\n    enabled: true\n    severity: critical\n    action: block\n    tools:\n      - delete_database\n",
    "ruleCount": 1,
    "mode": "deterministic",
    "warnings": []
  }
}
Prompt Examples
Financial
# Block high-value transactions
--prompt "block transfers over $10000"
# Require approval for expense reports
--prompt "require approval for expense reports over $1000"
# Allow only specific payment methods
--prompt "only allow credit card payments, block crypto"
Communication
# Block external emails
--prompt "block emails to addresses outside @company.com"
# Require approval for mass emails
--prompt "require approval before sending to more than 100 recipients"
# Block sensitive data in messages
--prompt "block messages containing SSN or credit card numbers"
Browser Automation
# Block navigation to untrusted sites
--prompt "block navigation to sites not in approved whitelist"
# Require approval for form submissions
--prompt "require approval before submitting forms with PII"
# Allow read-only browsing
--prompt "allow browsing but block all clicks and form fills"
Data Access
# Block access to sensitive tables
--prompt "block queries against users or payments tables"
# Limit query results
--prompt "block queries that return more than 1000 rows"
# Require approval for writes
--prompt "require approval for any INSERT, UPDATE, or DELETE"
Filesystem/Shell
# Block destructive commands
--prompt "block any command containing rm -rf"
# Allow read-only operations
--prompt "allow ls and cat but block all write operations"
# Require approval for sudo
--prompt "require approval for any command with sudo"
Deployment
# Gate production deploys
--prompt "require approval before deploying to production"
# Block risky deploy times
--prompt "block deploys on Friday after 3pm"
# Require rollback plan
--prompt "require rollback_plan field for all deploys"
How It Works
- Analysis: AI analyzes your prompt and tool name
- Tool Discovery: Checks workspace for tool definitions and parameters
- Rule Generation: Creates appropriate conditions and actions
- Validation: Validates generated YAML syntax
- Output: Returns formatted YAML or saves to file
Common Patterns
Block Pattern
--prompt "block [action] when [condition]"
--prompt "never allow [action]"
--prompt "prevent [action] if [condition]"
Approval Pattern
--prompt "require approval for [action]"
--prompt "ask before [action] when [condition]"
--prompt "human review needed for [action]"
Allow Pattern
--prompt "allow [action] only if [condition]"
--prompt "permit [action] when [condition]"
Troubleshooting
Tool Not Discovered
Warning: Tool 'xyz' not discovered in workspace scan.
Solution:
- Generation still succeeds, but the resulting rule may be generic
- Add the tool definition to your codebase
- Run veto scan to verify tool discovery
Generation Failed
Error: Policy generation failed: Unable to connect to generation service
Solution:
# Check connectivity
veto doctor
# Verify API key (if using cloud)
echo $VETO_API_KEY
# Try local generation
veto policy generate --tool <name> --prompt "<text>" --target local
Invalid YAML Output
Error: Generated YAML is invalid: Unexpected token
Solution:
- Report this as a bug
- Manually edit the YAML
- Try a simpler prompt
Best Practices
1. Be Specific
❌ Bad: --prompt "secure this"
✅ Good: --prompt "block transfers over $500 to unverified recipients"
2. Include Thresholds
❌ Bad: --prompt "block large amounts"
✅ Good: --prompt "block amounts over $10000"
3. Specify Actions
❌ Bad: --prompt "handle sensitive data"
✅ Good: --prompt "require approval for queries with SSN"
4. Save Generated Rules
# Always save to a file for version control
veto policy generate \
--tool <name> \
--prompt "<text>" \
--save ./veto/rules/<name>.yaml
5. Review Before Applying
# Generate and review
veto policy generate --tool <name> --prompt "<text>" > review.yaml
cat review.yaml
# Apply after review
veto policy apply --file review.yaml