The veto policy generate command creates policy rules from natural language descriptions using AI.

Syntax

veto policy generate --tool <name> --prompt <text> [options]

Description

Generates policy YAML rules from plain English descriptions. Uses AI to understand your intent and create appropriate conditions, actions, and constraints.

Required Options

Tool Name

--tool <name>
Name of the tool to create a policy for. Example:
--tool transfer_funds

Prompt

--prompt <text>
Natural language description of what the policy should do. Example:
--prompt "block transfers over $500 to unverified recipients"

Optional Settings

Save Path

--save <path>
Save generated YAML to a file. Example:
--save ./veto/rules/financial.yaml

Target

--target <local|cloud>
Where to apply the policy:
  • local - Generate for local use (default)
  • cloud - Generate and push to Veto Cloud
Example:
--target cloud

Mode Hint

--mode-hint <auto|deterministic|llm>
Hint at the preferred rule type:
  • auto - Let AI decide (default)
  • deterministic - Prefer rule-based conditions
  • llm - Prefer LLM-based evaluation
Example:
--mode-hint deterministic

JSON Output

--json
Output result as JSON instead of human-readable text. Example:
--json

Examples

Generate Financial Rule

veto policy generate \
  --tool transfer_funds \
  --prompt "block transfers over $500 to unverified recipients"
Output:
rules:
  - id: block-large-unverified-transfers
    name: Block Large Unverified Transfers
    description: Prevent transfers over $500 to recipients that are not verified
    enabled: true
    severity: high
    action: block
    tools:
      - transfer_funds
    conditions:
      - field: arguments.amount
        operator: greater_than
        value: 500
      - field: arguments.recipient.verified
        operator: equals
        value: false
    condition_groups:
      - logic: and
        conditions: [0, 1]

Generate and Save

veto policy generate \
  --tool approve_invoice \
  --prompt "require approval for invoices above $5000" \
  --save ./veto/rules/invoices.yaml
Output:
Generated policy for approve_invoice
Mode: deterministic
Rules: 1

Saved to: ./veto/rules/invoices.yaml

Generate with Deterministic Hint

veto policy generate \
  --tool send_email \
  --prompt "block emails to external domains" \
  --mode-hint deterministic
Output:
rules:
  - id: block-external-emails
    name: Block External Emails
    description: Prevent sending emails to domains outside company.com
    enabled: true
    severity: medium
    action: block
    tools:
      - send_email
    conditions:
      - field: arguments.to
        operator: not_contains
        value: '@company.com'
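The generated rules shown above (the transfer_funds rule with its condition_groups, and the send_email rule with a single not_contains condition) are easier to trust once they have been dry-run against a few sample tool calls. The Python script below is an added example, not part of the veto CLI or its rule engine: it transcribes both rules as dicts (so no YAML library is needed) and assumes the evaluation semantics the YAML shape implies, namely that condition_groups reference conditions by index, that logic: and requires every listed condition to hold, and that all conditions are required when no condition_groups are present. Those are assumptions about Veto's engine, not documented behaviour.

```python
"""Dry-run generated Veto-style rules against sample tool calls.

Added example, not veto's own code. The rule dicts below are transcribed
from the generated YAML on this page; the evaluation semantics (how
condition_groups combine, what happens with no groups, how a missing
field behaves) are assumptions and should be confirmed against Veto.
"""
from typing import Any

# transfer_funds rule from the page: two conditions joined by an AND group.
TRANSFER_RULE = {
    "id": "block-large-unverified-transfers",
    "action": "block",
    "tools": ["transfer_funds"],
    "conditions": [
        {"field": "arguments.amount", "operator": "greater_than", "value": 500},
        {"field": "arguments.recipient.verified", "operator": "equals", "value": False},
    ],
    "condition_groups": [{"logic": "and", "conditions": [0, 1]}],
}

# send_email rule from the page: one condition, no condition_groups.
EMAIL_RULE = {
    "id": "block-external-emails",
    "action": "block",
    "tools": ["send_email"],
    "conditions": [
        {"field": "arguments.to", "operator": "not_contains", "value": "@company.com"},
    ],
}


def lookup(call: dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field path such as 'arguments.recipient.verified'.

    A missing field resolves to None instead of raising, so a rule that names
    a field the tool call did not supply simply fails to match (assumption).
    """
    node: Any = call
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def condition_matches(cond: dict[str, Any], call: dict[str, Any]) -> bool:
    """Evaluate one {field, operator, value} condition against a tool call."""
    actual = lookup(call, cond["field"])
    op, expected = cond["operator"], cond["value"]
    if op == "equals":
        return actual == expected
    if op == "greater_than":
        return isinstance(actual, (int, float)) and actual > expected
    if op == "not_contains":
        # Plain substring test on the string form of the field.
        return actual is not None and str(expected) not in str(actual)
    raise ValueError(f"unsupported operator in rule: {op}")


def rule_matches(rule: dict[str, Any], call: dict[str, Any]) -> bool:
    """True when the rule applies to this tool and its conditions hold."""
    if call.get("tool") not in rule["tools"]:
        return False
    results = [condition_matches(c, call) for c in rule["conditions"]]
    groups = rule.get("condition_groups")
    if not groups:
        # No explicit grouping: require every condition (assumed default).
        return all(results)
    for group in groups:
        picked = [results[i] for i in group["conditions"]]
        combine = all if group["logic"] == "and" else any
        if not combine(picked):
            return False
    return True


def decide(rule: dict[str, Any], call: dict[str, Any]) -> str:
    """Return the rule's action (e.g. 'block') when it matches, else 'allow'."""
    return rule["action"] if rule_matches(rule, call) else "allow"


if __name__ == "__main__":
    # Constructed sample calls, not captured traffic.
    samples = [
        (TRANSFER_RULE, {"tool": "transfer_funds",
                         "arguments": {"amount": 600, "recipient": {"verified": False}}}),
        (TRANSFER_RULE, {"tool": "transfer_funds",
                         "arguments": {"amount": 600, "recipient": {"verified": True}}}),
        (EMAIL_RULE, {"tool": "send_email", "arguments": {"to": "bob@external.example"}}),
        (EMAIL_RULE, {"tool": "send_email", "arguments": {"to": "alice@company.com"}}),
    ]
    for rule, call in samples:
        print(f"{rule['id']}: {call['arguments']} -> {decide(rule, call)}")
```

Two points surface when a generated rule is run this way. A field the tool call does not supply never matches here, and for a block rule a non-match is the permissive outcome, so confirm how the real engine treats missing fields before relying on a rule whose field names came from a workspace scan. And not_contains is a substring test, so the send_email rule is only as strict as the substring it was generated with; if the intent is "only addresses in our domain", check that the generated matcher actually says that.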

Generate with LLM Hint

veto policy generate \
  --tool execute_code \
  --prompt "block code that appears malicious or unsafe" \
  --mode-hint llm
Output:
rules:
  - id: block-malicious-code
    name: Block Malicious Code
    description: Use LLM to detect and block potentially malicious code execution
    enabled: true
    severity: critical
    action: block
    tools:
      - execute_code
    llm_guard:
      model: gpt-4
      prompt: |
        Analyze this code for malicious intent:
        {{arguments.code}}
        
        Block if the code:
        - Accesses sensitive files
        - Makes unauthorized network requests
        - Performs destructive operations

Generate for Cloud

veto policy generate \
  --tool deploy_app \
  --prompt "require approval before deploying to production" \
  --target cloud \
  --save ./veto/rules/deployment.yaml
Output:
Generated policy for deploy_app
Mode: deterministic
Rules: 1

Saved to: ./veto/rules/deployment.yaml
Pushed to Veto Cloud as draft

Review at: https://app.veto.so/policies/draft/abc123

JSON Output

veto policy generate \
  --tool delete_database \
  --prompt "always block database deletion" \
  --json
Output:
{
  "ok": true,
  "data": {
    "target": "local",
    "toolName": "delete_database",
    "prompt": "always block database deletion",
    "yaml": "rules:\n  - id: block-database-deletion\n    name: Block Database Deletion\n    description: Prevent all database deletion operations\n    enabled: true\n    severity: critical\n    action: block\n    tools:\n      - delete_database\n",
    "ruleCount": 1,
    "mode": "deterministic",
    "warnings": []
  }
}

Prompt Examples

Financial

# Block high-value transactions
--prompt "block transfers over $10000"

# Require approval for expense reports
--prompt "require approval for expense reports over $1000"

# Allow only specific payment methods
--prompt "only allow credit card payments, block crypto"

Communication

# Block external emails
--prompt "block emails to addresses outside @company.com"

# Require approval for mass emails
--prompt "require approval before sending to more than 100 recipients"

# Block sensitive data in messages
--prompt "block messages containing SSN or credit card numbers"

Browser Automation

# Block navigation to untrusted sites
--prompt "block navigation to sites not in approved whitelist"

# Require approval for form submissions
--prompt "require approval before submitting forms with PII"

# Allow read-only browsing
--prompt "allow browsing but block all clicks and form fills"

Data Access

# Block access to sensitive tables
--prompt "block queries against users or payments tables"

# Limit query results
--prompt "block queries that return more than 1000 rows"

# Require approval for writes
--prompt "require approval for any INSERT, UPDATE, or DELETE"

Filesystem/Shell

# Block destructive commands
--prompt "block any command containing rm -rf"

# Allow read-only operations
--prompt "allow ls and cat but block all write operations"

# Require approval for sudo
--prompt "require approval for any command with sudo"

Deployment

# Gate production deploys
--prompt "require approval before deploying to production"

# Block risky deploy times
--prompt "block deploys on Friday after 3pm"

# Require rollback plan
--prompt "require rollback_plan field for all deploys"

How It Works

  1. Analysis: AI analyzes your prompt and tool name
  2. Tool Discovery: Checks workspace for tool definitions and parameters
  3. Rule Generation: Creates appropriate conditions and actions
  4. Validation: Validates generated YAML syntax
  5. Output: Returns formatted YAML or saves to file

Common Patterns

Block Pattern

--prompt "block [action] when [condition]"
--prompt "never allow [action]"
--prompt "prevent [action] if [condition]"

Approval Pattern

--prompt "require approval for [action]"
--prompt "ask before [action] when [condition]"
--prompt "human review needed for [action]"

Allow Pattern

--prompt "allow [action] only if [condition]"
--prompt "permit [action] when [condition]"

Troubleshooting

Tool Not Found Warning

Warning: Tool 'xyz' not discovered in workspace scan.
Solution:
  • The policy is still generated, but without the tool's parameters it may be generic
  • Add tool definition to your codebase
  • Run veto scan to verify tool discovery

Generation Failed

Error: Policy generation failed: Unable to connect to generation service
Solution:
# Check connectivity
veto doctor

# Verify API key (if using cloud)
echo $VETO_API_KEY

# Try local generation
veto policy generate --tool <name> --prompt "<text>" --target local

Invalid YAML Output

Error: Generated YAML is invalid: Unexpected token
Solution:
  • Report this as a bug
  • Manually edit the YAML
  • Try a simpler prompt

Best Practices

1. Be Specific

❌ Bad: --prompt "secure this"
✅ Good: --prompt "block transfers over $500 to unverified recipients"

2. Include Thresholds

❌ Bad: --prompt "block large amounts"
✅ Good: --prompt "block amounts over $10000"

3. Specify Actions

❌ Bad: --prompt "handle sensitive data"
✅ Good: --prompt "require approval for queries with SSN"

4. Save Generated Rules

# Always save to a file for version control
veto policy generate \
  --tool <name> \
  --prompt "<text>" \
  --save ./veto/rules/<name>.yaml

5. Review Before Applying

# Generate and review
veto policy generate --tool <name> --prompt "<text>" > review.yaml
cat review.yaml

# Apply after review
veto policy apply --file review.yaml
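The review step above can be made mechanical by consuming the --json envelope described under JSON Output instead of eyeballing the YAML. The script below is an added example, not part of the veto CLI: it reads the envelope ({"ok", "data": {"toolName", "yaml", "ruleCount", "mode", "warnings", ...}}), refuses to pass the YAML on when generation reported a failure, produced no rules, emitted warnings (such as the "not discovered in workspace scan" warning from Troubleshooting), or came back in a different mode than the one required, and only then prints the YAML for saving. The sample envelope is constructed from the page's delete_database example; the mode requirement and the tool-name check are local policy choices, not veto features.

```python
"""Gate a generated policy before it is saved or applied.

Added example, not veto's own code. Reads the `veto policy generate --json`
envelope shown on this page and returns an accept/reject decision with the
reasons; the checks themselves (mode requirement, tool-name presence) are
assumptions about what a reviewer would want, not Veto behaviour.
"""
import json
import sys
from typing import Any, Optional

# Constructed sample envelope, transcribed from the page's JSON Output example.
SAMPLE_ENVELOPE = json.dumps({
    "ok": True,
    "data": {
        "target": "local",
        "toolName": "delete_database",
        "prompt": "always block database deletion",
        "yaml": (
            "rules:\n  - id: block-database-deletion\n    name: Block Database Deletion\n"
            "    description: Prevent all database deletion operations\n    enabled: true\n"
            "    severity: critical\n    action: block\n    tools:\n      - delete_database\n"
        ),
        "ruleCount": 1,
        "mode": "deterministic",
        "warnings": [],
    },
})


def review_generation(envelope_text: str, require_mode: Optional[str] = None) -> dict[str, Any]:
    """Return {'accept': bool, 'problems': [...], 'yaml': str} for one envelope."""
    env = json.loads(envelope_text)
    problems: list[str] = []
    if not env.get("ok"):
        problems.append("generation reported ok=false")
    data = env.get("data") or {}
    if data.get("ruleCount", 0) < 1:
        problems.append("no rules generated")
    # Any warning (e.g. tool not discovered in workspace) needs a human look.
    for warning in data.get("warnings", []):
        problems.append(f"warning: {warning}")
    if require_mode and data.get("mode") != require_mode:
        problems.append(f"mode {data.get('mode')!r} differs from required {require_mode!r}")
    yaml_text = data.get("yaml", "")
    # Local policy (assumption): the YAML must name the tool we asked for, so a
    # rule generated for a different tool cannot slip into the rules directory.
    tool = data.get("toolName")
    if tool and f"- {tool}" not in yaml_text:
        problems.append(f"generated YAML does not list tool {tool!r}")
    return {"accept": not problems, "problems": problems, "yaml": yaml_text}


if __name__ == "__main__":
    # Usage: veto policy generate --tool X --prompt "..." --json \
    #          | python review_policy.py > ./veto/rules/X.yaml
    result = review_generation(sys.stdin.read(), require_mode="deterministic")
    if result["accept"]:
        sys.stdout.write(result["yaml"])
        sys.exit(0)
    for problem in result["problems"]:
        print(f"rejected: {problem}", file=sys.stderr)
    sys.exit(1)
```

Because the script exits non-zero on rejection, nothing is written to the rules file in the pipeline above, and the reasons land on stderr for the reviewer. Pass require_mode=None to accept LLM-evaluated rules such as the execute_code example; the warnings check stays, so a rule generated for an undiscovered tool still needs an explicit decision.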
