Cookbook

Recipes for common tasks. Each one is self-contained.


Basics

Skip verification for safe commands

Your team runs terraform plan constantly. No need to authenticate every time.

Add to ~/.veto/rules.toml:

[whitelist]
commands = [
    "terraform plan*",
    "docker ps*",
    "kubectl get*",
]

Verify: veto check "terraform plan" → ALLOW


Set up PIN

Use PIN instead of (or alongside) Touch ID. Works on all platforms.

veto auth set-pin
# Enter new PIN (minimum 4 characters): ****
# Confirm PIN: ****

Set PIN as default auth:

# ~/.veto/config.toml
[auth]
default = "pin"

Verify: veto auth test pin


Set up TOTP

Use Google Authenticator, Authy, or any RFC 6238 app.

veto auth setup-totp
# Scan QR code with authenticator app
# Enter 6-digit code to verify: 123456

Verify: veto auth test totp


View what's been blocked

# All entries
veto log

# Last 5
veto log -n 5

# Only denied commands
veto log --filter DENIED

# Live tail
veto log -f

Log format: [timestamp] RESULT RISK auth_method "command"


Intermediate

Create custom rules

Mark specific commands as CRITICAL (strongest auth required).

Add to ~/.veto/rules.toml:

[[critical]]
category = "database-drop"
patterns = [
    "drop database*",
    "DROP DATABASE*",
    "dropdb*",
]
reason = "Database destruction"

Verify:

veto check -v "drop database production"
# Risk: CRITICAL
# Category: database-drop
# Reason: Database destruction

Approve remotely via Telegram

Get approval requests on your phone. Useful when you're away from the keyboard.

Setup (3 minutes):

  1. Message @BotFather on Telegram → /newbot → name it → copy the bot token
  2. Message @userinfobot → copy your chat ID
  3. Configure veto:
veto auth setup-telegram
# Enter bot token: [paste]
  4. Add to ~/.veto/config.toml:
[auth.telegram]
enabled = true
chat_id = "123456789"
timeout_seconds = 60
  5. Important: Open your bot in Telegram and tap Start

Verify: veto auth test telegram (you should receive a message).

Reply /allow or /deny to approve or reject commands.


Use veto in Docker/CI

veto works without a system keychain. It falls back to encrypted file storage automatically.

No special setup needed. Just install and run.


Configure auth per risk level

Different auth strength for different risk levels:

# ~/.veto/config.toml
[auth.levels]
low = "confirm"          # y/n prompt
medium = "pin"           # PIN
high = "touchid"         # biometric
critical = "telegram"    # remote approval

[auth.fallback]
touchid = "pin"          # Touch ID unavailable → PIN
telegram = "totp"        # Telegram timeout → TOTP

Advanced

Integrate veto check into scripts

Use exit codes to build custom workflows:

veto check -q "dangerous command"
case $? in
    0) echo "ALLOW" ;;
    1) echo "LOW" ;;
    2) echo "MEDIUM" ;;
    3) echo "HIGH" ;;
    4) echo "CRITICAL" ;;
esac
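
Added example (not from the veto project): a fail-closed wrapper for non-interactive scripts, built on the exit codes above. Only `veto check -q` and its exit codes 0 to 4 come from this recipe; the function names, the `VETO_MAX_RISK` variable and the refusal status 90 are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not part of veto. Only `veto check -q` and its exit codes
# (0=ALLOW .. 4=CRITICAL) come from the recipe; risk_name, guarded_run,
# VETO_MAX_RISK and the refusal status 90 are hypothetical names/values.

# Translate a `veto check -q` exit code into its risk label.
risk_name() {
    case "$1" in
        0) echo "ALLOW" ;;
        1) echo "LOW" ;;
        2) echo "MEDIUM" ;;
        3) echo "HIGH" ;;
        4) echo "CRITICAL" ;;
        *) echo "UNKNOWN" ;;   # e.g. 127 when veto is not on PATH
    esac
}

# guarded_run "<command string>"
# Runs the command only when its risk is at or below VETO_MAX_RISK
# (0-4, default 1 = LOW). Exits 90 on refusal, else the command's own status.
# The body is a subshell, so its variables do not leak into the caller.
guarded_run() (
    cmd=$1
    max=${VETO_MAX_RISK:-1}
    case "$max" in
        [0-4]) ;;
        *) echo "refused (bad VETO_MAX_RISK '$max'): $cmd" >&2; exit 90 ;;
    esac
    rc=0
    # `|| rc=$?` stops a non-zero risk code from aborting a `set -e` script.
    veto check -q "$cmd" || rc=$?
    level=$(risk_name "$rc")
    if [ "$level" = "UNKNOWN" ]; then
        # Fail closed: an unrecognised exit code is never treated as ALLOW.
        echo "refused (unexpected veto exit $rc): $cmd" >&2
        exit 90
    fi
    if [ "$rc" -gt "$max" ]; then
        echo "refused ($level): $cmd" >&2
        exit 90
    fi
    sh -c "$cmd"
)
```

Source the file and call `guarded_run "terraform plan"`; raise the ceiling for a single job by exporting `VETO_MAX_RISK` with a value from 0 to 4.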

Challenge-Response authentication

Prevent AI from reusing credentials. veto generates a one-time code that only you can see.

Enable per rule:

# ~/.veto/rules.toml
[[critical]]
category = "destructive"
patterns = ["rm -rf *"]
reason = "Recursive force delete"
challenge = true

Flow:

  1. AI triggers the rule → veto generates a 4-digit code
  2. Code appears as a macOS notification (or Telegram message)
  3. AI can't see it, so it asks you for the code
  4. You provide it → AI retries with VETO_RESPONSE=<PIN><code> (e.g., 12344827)

Properties: 4 digits, 60-second expiry, single-use, command-bound.


Temporarily allow a blocked command

If veto blocks a command you actually want to run:

# Allow once (interactive: select from recent denials)
veto allow

# Allow with TTL
veto allow "docker system prune*" --ttl 1h

Or override a denied command:

VETO_FORCE=yes <command>