Skip to main content

What are Policy Packs?

Policy packs are pre-built, production-ready collections of security rules designed for specific AI agent use cases. Instead of writing guardrails from scratch, you can extend a policy pack and customize only what you need. Each pack contains:
  • Input validation rules - Block or require approval for dangerous tool calls
  • Output redaction rules - Automatically redact PII from tool responses
  • Best practice defaults - Security configurations vetted for production use

Available Policy Packs

Coding Agent

Baseline guardrails for AI coding assistants and development agents

Financial

Guardrails for payment processing and money transfer operations

Deployment

Safety controls for CI/CD and production deployment tools

Data Access

Protection for database queries and data retrieval operations

Browser Automation

Safety defaults for web scraping and browser control agents

Communication

Guardrails for email, messaging, and notification tools

How to Use Policy Packs

Extend a Policy Pack

Use the extends field in your veto.config.yaml to inherit all rules from a pack:
veto.config.yaml
version: "1.0"
extends: "@veto/coding-agent"

# Your custom configuration here
mode: "strict"

Override Individual Rules

You can disable or customize specific rules from the pack:
veto.config.yaml
version: "1.0"
extends: "@veto/financial"

rules:
  # Disable a specific rule
  - id: financial-transfer-limit-per-transaction
    enabled: false
  
  # Override the threshold
  - id: financial-cumulative-transfer-cap
    conditions:
      - field: arguments.amount
        operator: greater_than
        value: 25000  # Custom threshold

Add Custom Rules

Extend the pack with your own additional rules:
veto.config.yaml
version: "1.0"
extends: "@veto/deployment"

rules:
  # Add a new rule specific to your infrastructure
  - id: custom-block-weekend-deploys
    name: Block weekend deployments
    action: block
    tools:
      - deploy
    conditions:
      - field: context.timestamp
        operator: matches
        value: "(Sat|Sun)"

Pack Reference Format

All policy packs use this format: 
version: "1.0"
name: pack-name
description: What the pack protects against

rules:
  - id: unique-rule-id
    name: Human-readable rule name
    description: What this rule does
    enabled: true
    severity: critical | high | medium | low
    action: block | require_approval | warn | log
    tools:
      - tool_name_1
      - tool_name_2
    conditions:
      - field: arguments.field_name
        operator: equals | contains | greater_than | ...
        value: threshold_value

output_rules:  # Optional: redaction rules
  - id: output-rule-id
    action: redact
    tools: [...]
    output_conditions: [...]
    redact_with: "[REDACTED]"

Pack Naming Convention

All built-in policy packs use the @veto/ namespace:
  • @veto/coding-agent
  • @veto/financial
  • @veto/deployment
  • @veto/data-access
  • @veto/browser-automation
  • @veto/communication
You can reference them with or without the namespace: 
# Both work:
extends: "@veto/coding-agent"
extends: "coding-agent"

Programmatic Usage

Load policy packs programmatically in TypeScript: 
import { Veto } from 'veto-sdk';

const veto = await Veto.init({
  configPath: './veto',  // Will load veto.config.yaml
});

// The pack rules are automatically loaded and applied
const wrappedTools = veto.wrap(myTools);

Best Practices

If your agent has a primary function (e.g., financial operations), extend that pack first. You can layer additional rules on top.
Before deploying to production, run in mode: "log" to see what would be blocked:
mode: "log"  # Logs decisions without blocking
Policy packs use reasonable defaults, but you should tune thresholds (amounts, row counts, etc.) based on your specific requirements.
Use veto.getHistoryStats() to track which rules are triggering most often:
const stats = veto.getHistoryStats();
console.log(`Blocked: ${stats.deniedCalls}, Allowed: ${stats.allowedCalls}`);

Next Steps

Browse Policy Packs

Explore detailed documentation for each pack

Write Custom Rules

Learn the complete rule YAML syntax

Build docs developers (and LLMs) love

Get started for freeTalk to us