Policy Packs
Built-in policy packs you can extend and customize with YAML.
Veto ships with six built-in policy packs. Add an extends field in your YAML file to inherit one, then override or append rules.
version: "1.0"
extends: "@veto/coding-agent"
rules:
  # Override an inherited rule by reusing its id.
  - id: coding-agent-block-dangerous-shell-commands
    name: Override shell command block
    action: block
    tools: [run_shell]
    conditions:
      - field: arguments.command
        operator: contains
        value: shutdown
  # Add a new rule alongside inherited rules.
  - id: custom-prod-path-guard
    name: Block writes to prod path
    action: block
    tools: [write_file]
    conditions:
      - field: arguments.path
        operator: starts_with
        value: /prod
Merge behavior
When extends is set:
- Veto loads the parent pack first.
- Veto merges your rules and output_rules on top.
- If your rule ID matches a pack rule ID, your rule fully replaces the pack rule.
- New rule IDs are appended after pack rules.
If the pack name is invalid (for example @veto/does-not-exist), Veto logs an error and skips that policy file.
Available packs
@veto/coding-agent
Purpose: block dangerous shell behavior and sensitive file writes.
Included rules:
- coding-agent-block-dangerous-shell-commands
- coding-agent-restrict-sensitive-file-writes
- coding-agent-block-path-traversal-writes
@veto/financial
Purpose: enforce transfer limits, currency controls, and cumulative transfer caps.
Included rules:
- financial-transfer-limit-per-transaction
- financial-currency-allowlist
- financial-cumulative-transfer-cap
@veto/browser-automation
Purpose: reduce browser automation abuse from risky URLs, password field input, and automatic submissions.
Included rules:
- browser-automation-block-malicious-urls
- browser-automation-block-password-input
- browser-automation-block-form-submissions
@veto/data-access
Purpose: protect database access with SQL injection blocking, row limits, and output redaction for sensitive data.
Included input rules:
- data-access-block-sql-injection-patterns
- data-access-limit-row-count
Included output rules:
- data-access-redact-email
- data-access-redact-ssn
@veto/communication
Purpose: protect messaging/email flows with recipient limits, credential leakage blocking, and output redaction.
Included rules:
- comm-block-mass-recipients
- comm-block-sensitive-content
Included output rules:
- comm-redact-pii-in-output
@veto/deployment
Purpose: enforce human approval for production deploys and block risky force/skip-check deployments.
Included rules:
- deploy-require-approval-production
- deploy-block-force-push
Auto-apply behavior in protect()
When you call protect() without an explicit policy source (configDir, pack, inline rules, or apiKey) and no local ./veto config exists, Veto auto-selects built-in packs based on tool names.
Heuristic categories and pattern keywords:
- @veto/financial: transfer, payment, balance, withdraw, deposit, invoice, refund, charge, payout, wire, bank, fund, money, wallet
- @veto/browser-automation: navigate, click, goto, browse, scroll, type_text, fill_form, screenshot, open_url, submit_form, page, tab, browser
- @veto/data-access: query, sql, database, select, insert, table, fetch_record, read_record, db, collection, document, find, aggregate
- @veto/coding-agent: exec, shell, command, terminal, bash, run_code, write_file, edit_file, read_file, delete_file, mkdir, code, script
- @veto/communication: email, send_email, send_message, notify, sms, slack, message, mail, notification, chat, reply
- @veto/deployment: deploy, publish, release, push, rollback, provision, terraform, kubernetes, k8s, docker, helm, ci_cd
If tool names match multiple categories, Veto loads all matching packs and merges their rules.
If no patterns match, Veto falls back to allow-all behavior.
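The merge semantics described under "Merge behavior" and the tool-name heuristic described under "Auto-apply behavior" are illustrated below in a self-contained TypeScript sketch. This is an added example, not Veto's own implementation: the pack rule bodies are constructed stand-ins (the page lists only rule IDs), and substring matching of keywords against lower-cased tool names is an assumption about how Veto's "pattern keywords" are applied.

```typescript
// Added illustration of the documented pack merge and auto-select behavior; not Veto's code.
type Rule = { id: string; name?: string; action: string; tools: string[] };

// Constructed stand-in for @veto/coding-agent (only the rule IDs come from the docs).
const CODING_AGENT_PACK: Rule[] = [
  { id: "coding-agent-block-dangerous-shell-commands", action: "block", tools: ["run_shell"] },
  { id: "coding-agent-restrict-sensitive-file-writes", action: "block", tools: ["write_file"] },
  { id: "coding-agent-block-path-traversal-writes", action: "block", tools: ["write_file"] },
];

// Documented merge: pack rules first; a user rule whose id matches a pack rule replaces it in
// place (the whole object, not a field-wise merge); user rules with new ids are appended after.
function mergeRules(packRules: Rule[], userRules: Rule[]): Rule[] {
  const replaced = packRules.map((pack) => userRules.find((u) => u.id === pack.id) ?? pack);
  const packIds = new Set(packRules.map((r) => r.id));
  return replaced.concat(userRules.filter((u) => !packIds.has(u.id)));
}

// Keyword table copied from the "Auto-apply behavior" section; insertion order decides output order.
const PACK_KEYWORDS: Record<string, string[]> = {
  "@veto/financial": ["transfer", "payment", "balance", "withdraw", "deposit", "invoice", "refund", "charge", "payout", "wire", "bank", "fund", "money", "wallet"],
  "@veto/browser-automation": ["navigate", "click", "goto", "browse", "scroll", "type_text", "fill_form", "screenshot", "open_url", "submit_form", "page", "tab", "browser"],
  "@veto/data-access": ["query", "sql", "database", "select", "insert", "table", "fetch_record", "read_record", "db", "collection", "document", "find", "aggregate"],
  "@veto/coding-agent": ["exec", "shell", "command", "terminal", "bash", "run_code", "write_file", "edit_file", "read_file", "delete_file", "mkdir", "code", "script"],
  "@veto/communication": ["email", "send_email", "send_message", "notify", "sms", "slack", "message", "mail", "notification", "chat", "reply"],
  "@veto/deployment": ["deploy", "publish", "release", "push", "rollback", "provision", "terraform", "kubernetes", "k8s", "docker", "helm", "ci_cd"],
};

// Assumption: a keyword matches when it appears as a substring of a lower-cased tool name.
// Every matching pack is returned (multiple matches load multiple packs); an empty result is the
// documented allow-all fallback, which is worth checking for explicitly in your own startup code.
function selectPacks(toolNames: string[]): string[] {
  const names = toolNames.map((t) => t.toLowerCase());
  return Object.entries(PACK_KEYWORDS)
    .filter(([, keywords]) => names.some((n) => keywords.some((k) => n.includes(k))))
    .map(([pack]) => pack);
}
```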