🛡️ Human-in-the-loop confirmation for AI Agents
"I let my AI run terraform destroy.
Because I can stop it with one touch."
npm install? No. yaml config? No. Just:
curl -fsSL https://raw.githubusercontent.com/runkids/veto/main/install.sh | bash
veto setup claude # or: gemini / cursor / opencodeYour AI now asks before it destroys.
How does it work?
+-----------+ +-----------+ +-----------+
| AI Agent |---->| veto gate |---->| Terminal |
+-----------+ +-----+-----+ +-----------+
|
+-----v-----+
| Risk Check|
+-----+-----+
|
+---------------+---------------+
| | |
v v v
+--------+ +--------+ +--------+
| Low | | High | |Critical|
| [pass] | |[auth] | |[block] |
+--------+ +--------+ +--------+
veto setup adds a hook to your AI tool's config:
| Tool | Config Location |
|---|---|
| Claude Code | ~/.claude/settings.json |
| Gemini CLI | ~/.gemini/settings.json |
| Cursor CLI | .cursor/hooks.json |
| OpenCode | ~/.opencode/plugins/ |
👆 Touch ID · 🔢 PIN · 🔐 OTP · 📱 Telegram
Install · Claude Code · Gemini CLI · Config · Rules
veto is a UX layer, not a security sandbox.
| What veto IS | What veto is NOT |
|---|---|
| Human-in-the-loop for AI agents | A replacement for OS sandboxing |
"Are you sure?" before rm -rf |
Comprehensive security solution |
| Pattern-based risk detection | Bulletproof malware defense |
| 10-second setup | Complex security infrastructure |
"But can't I just use sudo?"
sudogates privilege escalation. AI agents run as you — they don't need root torm -rf ~/Documents. veto gates agent actions, not permissions.
"Heuristics can be bypassed!"
True. veto catches the 99% case: AI confidently running
git push --forceorterraform destroy. It's a seatbelt, not an airbag — and most accidents don't need an airbag.
Works with
Claude Code · Gemini CLI · Cursor CLI · OpenCode
Runs on
macOS (x86/ARM) · Linux (x86/ARM)
Built with Rust.