sudo for AI agents.
Stop agents from deleting files, leaking secrets, or pushing to prod — without slowing anyone down.
docs.veto.so · veto.so · npm · PyPI
AI agents can execute code, call APIs, and modify production systems. Veto is the permission layer that sits between every agent action and execution — validating, blocking, or routing to human approval before anything runs.
```typescript
const veto = await Veto.init();      // loads ./veto/veto.config.yaml + rules
const guarded = veto.wrap(tools);    // inject guardrails — types preserved
// pass guarded to your agent. done.
```

The agent is unaware it's being governed. Your tools are unchanged. No behavior change for the AI.
```
┌───────────┐         ┌────────────┐         ┌──────────────┐
│ AI Agent  │────────▶│    Veto    │────────▶│  Your Tools  │
│   (LLM)   │         │  (Guard)   │         │  (Handlers)  │
└───────────┘         └────────────┘         └──────────────┘
                            │
                      ┌─────┴──────┐
                      │ YAML Rules │  block · allow · ask
                      └────────────┘
```

- Agent calls a tool
- Veto intercepts and validates (deterministic conditions first, optional LLM for semantic rules)
- allow → executes normally · block → denied with reason · ask → human approval queue

| Package | Language | Install | Description |
|---|---|---|---|
| `veto-sdk` | TypeScript | `npm install veto-sdk` | SDK for guarded agentic apps |
| `veto` | Python | `pip install veto` | Same API, all major LLM providers |
| `veto-cli` | TypeScript | `npm install -g veto-cli` | Interactive studio + headless automation |

```bash
npm install veto-sdk
npx veto init   # creates ./veto/veto.config.yaml + default rules
```

```typescript
import { Veto } from 'veto-sdk';

const veto = await Veto.init();
const guarded = veto.wrap(myTools); // LangChain, Vercel AI SDK, or any custom tools
```

```bash
pip install veto
veto init
```

```python
from veto import Veto

veto = await Veto.init()  # await needs an async context (e.g. inside async def)
guarded = veto.wrap(my_tools)
```

Rules are YAML files in `./veto/rules/`. Static conditions run locally with no API call. LLM validation is opt-in for semantic rules.

```yaml
rules:
  - id: block-large-transfers
    name: Block transfers over $1,000
    action: block
    tools: [transfer_funds]
    conditions:
      - field: arguments.amount
        operator: greater_than
        value: 1000

  - id: require-approval-for-push
    name: Require human approval before pushing to main
    action: ask
    tools: [git_push]
    description: "Intercept any push targeting the main branch."
```

Actions: `block` · `allow` · `warn` · `log` · `ask` (human-in-the-loop)

→ Full TypeScript SDK docs · Python SDK docs
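
An added example, not Veto's own code: an evaluator for a static condition like the `block-large-transfers` rule above, covering the cases a guard has to get right (a string-typed or missing `amount`, and two rules matching one call). The type names, the `ask-any-transfer` rule, the fail-closed handling and the strictest-action-wins precedence are assumptions, not documented Veto behaviour.

```typescript
// Added illustration, not Veto's source. Assumed semantics: a rule matches when its
// tool is listed and every condition holds; the strictest matching action wins.
type Verdict = "allow" | "ask" | "block";
type Cond = { field: string; operator: "greater_than"; value: number };
type PolicyRule = { id: string; action: Verdict; tools: string[]; conditions?: Cond[] };
type ToolCall = { tool: string; arguments: Record<string, unknown> };
type Decision = { action: Verdict; rule: string | null; reason: string };
const SEVERITY: Record<Verdict, number> = { allow: 0, ask: 1, block: 2 };

// Resolve a dotted path such as "arguments.amount" over own properties only.
function lookup(root: unknown, path: string): unknown {
  let cur: unknown = root;
  for (const key of path.split(".")) {
    if (typeof cur !== "object" || cur === null) return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = (cur as Record<string, unknown>)[key];
  }
  return cur;
}

// "invalid": the field is absent or not a finite number, so the limit cannot be checked.
function check(cond: Cond, call: ToolCall): "hit" | "miss" | "invalid" {
  const actual = lookup(call, cond.field);
  // No coercion: the string "5000" must not be compared as if it were a number.
  if (typeof actual !== "number" || !isFinite(actual)) return "invalid";
  return actual > cond.value ? "hit" : "miss";
}

function decide(rules: PolicyRule[], call: ToolCall): Decision {
  let best: Decision = { action: "allow", rule: null, reason: "no rule matched" };
  for (const rule of rules) {
    if (rule.tools.indexOf(call.tool) === -1) continue;
    const results = (rule.conditions ?? []).map((c) => check(c, call));
    // Fail closed (assumption): arguments a rule cannot evaluate are denied.
    if (results.some((r) => r === "invalid")) {
      return { action: "block", rule: rule.id, reason: "unverifiable arguments" };
    }
    if (results.every((r) => r === "hit") && SEVERITY[rule.action] > SEVERITY[best.action]) {
      best = { action: rule.action, rule: rule.id, reason: "rule matched" };
    }
  }
  return best;
}

// Constructed rules: the second mirrors the page's YAML, the first is hypothetical.
const RULES: PolicyRule[] = [
  { id: "ask-any-transfer", action: "ask", tools: ["transfer_funds"] },
  { id: "block-large-transfers", action: "block", tools: ["transfer_funds"],
    conditions: [{ field: "arguments.amount", operator: "greater_than", value: 1000 }] },
];
```

With these rules, `decide(RULES, { tool: "transfer_funds", arguments: { amount: "5000" } })` returns a `block` decision rather than falling through to `ask`, because the amount cannot be checked against the limit.
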
```bash
npx veto-cli@latest                        # launch interactive Veto Studio (TUI)

# single quotes keep the shell from expanding $5 inside the prompt
npx veto-cli@latest policy generate \
  --tool transfer_funds \
  --prompt 'block over $500 to unverified recipients'

npx veto-cli@latest guard check \
  --tool transfer_funds --args '{"amount": 600}' --json

npx veto-cli@latest scan --fail-uncovered  # CI gate: exit 1 on unguarded tools
```

- Deterministic-first — Static conditions run locally, zero latency, no API call. LLM validation only when you need semantic reasoning.
- Provider agnostic — Works with OpenAI, Anthropic, Google, LangChain, Vercel AI SDK, and any custom tool-calling setup.
- Human-in-the-loop — `ask` action routes sensitive decisions to an approval queue instead of auto-blocking.
- Audit trail — Every decision logged with tool name, arguments, rule matched, and outcome. Exportable as JSON or CSV.
- Local-first — No cloud required. Fully offline. Optional Veto Cloud for team sync and dashboard.
- Zero-config defaults — `veto init` generates sensible baseline rules. Production-hardened in under 10 minutes.

```bash
npx skills add PlawIO/veto
```

Installs veto-policy-runtime — gives Claude Code, Cursor, and Windsurf safe, non-destructive policy operations without any SDK integration. Ideal for teams that want guardrails at the coding-agent level.

The OSS SDK runs entirely local. Veto Cloud adds:
- Natural language → policy YAML (no manual YAML writing)
- Central policy sync across all team repos
- Dashboard: decisions, blocked calls, pending approvals
- Approval workflows for human-in-the-loop at scale
- SSO, audit export, compliance reporting
See CONTRIBUTING.md. On your first PR, a bot will ask you to sign the CLA — takes 30 seconds, one comment.
Report vulnerabilities to security@plaw.io. See SECURITY.md for the full disclosure policy.
Apache-2.0 © Plaw, Inc.