Veto/docs

Interactive REPL

Use Veto Studio (`npx veto-cli@latest`) for full-screen policy authoring, with legacy line REPL available via `--legacy`.

Veto Studio is the default interactive experience.

It is keyboard-first (↑/↓, Enter, Tab, Esc, /, q) and optimized for one goal:

  • save a valid first policy in under 2 minutes

Studio includes:

  • startup workspace picker (for multi-repo roots)
  • scoped discovery defaults that exclude examples/** and tests
  • command palette actions (create policy, simulate, explain, rescan, export)
  • review/save flow with YAML preview and coverage impact

Start Studio

# Canonical package (default behavior)
npx veto-cli@latest

# Explicit Studio entrypoints
npx veto-cli@latest studio
npx veto-cli@latest repl
npx veto-cli@latest --repl

# Legacy REPL compatibility path
npx veto-cli@latest repl --legacy

# Compatibility wrapper (still supported)
npx veto-sdk@latest

Studio flags

# Force renderer
npx veto-cli@latest studio --renderer ink
npx veto-cli@latest studio --renderer ansi
npx veto-cli@latest studio --renderer opentui

# Pick workspace directly
npx veto-cli@latest studio --directory ./packages/sdk

# Include examples/tests in discovery
npx veto-cli@latest studio --include-examples --include-tests

# Explicitly allow local template-only generation
npx veto-cli@latest studio --demo-template

Renderer behavior:

  • ink is the default on Node.js terminals.
  • if renderer startup fails, Studio falls back automatically (ink -> ansi, or opentui -> ink/ansi) with a warning line.

Generation reliability

Studio generation is quality-gated:

  • no silent template fallback by default
  • if no endpoint is configured, Studio opens setup guidance
  • template generation is opt-in only:
    • npx veto-cli@latest studio --demo-template, or
    • studio.generation.allowTemplateFallback: true in config

Supported generation paths:

  1. Cloud: set VETO_API_KEY
  2. Kernel: set validation.mode: kernel and kernel.*
  3. Self-hosted: set llm.baseUrl and model settings

Cloud login and device approval

npx veto-cli@latest cloud login
npx veto-cli@latest cloud whoami

Device login opens a verification URL in dashboard. Approve the session there, then return to terminal to continue.

Headless companion commands

npx veto-cli@latest policy generate --tool approve_invoice --prompt "do not approve invoices above 50 dollars" --save ./veto/rules/approve-invoice.yaml --json
npx veto-cli@latest policy apply --file ./veto/rules/approve-invoice.yaml --target cloud --json
echo '{"amount":120}' | npx veto-cli@latest guard check --tool approve_invoice --mode local --json

Semantics update: negated approval phrasing

Natural-language phrases like:

  • "do not approve invoices above 50"

now map to action block by default.

require_approval is now reserved for explicit intent:

  • "require approval"
  • "ask for approval"

Legacy REPL (--legacy)

The line-based REPL is still available unchanged for compatibility.

Core commands:

  • /scan
  • /test <tool>({args})
  • /test-suite
  • /explain <ruleId>
  • /list
  • /load <file>
  • /export [file]
  • /clear
  • /quit

History remains persisted at:

~/.veto_history

Troubleshooting

If npx veto-cli@latest throws module import errors under ~/.npm/_npx, the temporary npx install is corrupted.

Run with an isolated npm cache:

npm_config_cache=/tmp/veto-npx-cache npx -y veto-cli@latest

Then retry normal invocation:

npx -y veto-cli@latest

Output Validation & Redaction

Validate and transform tool outputs before they are returned to the model.

Event Webhooks

Send real-time validation alerts to Slack, PagerDuty, generic webhooks, or SIEMs.

On this page

Start StudioStudio flagsGeneration reliabilityCloud login and device approvalHeadless companion commandsSemantics update: negated approval phrasingLegacy REPL (--legacy)Troubleshooting