# Veto

> The boundary between AI agents and money.

A policy + risk engine plus an on-chain enforcement contract for AI agent payments. Any agent. Any payment rail. Safe transactions.

Veto is operated by **Investech Global LLC** (Delaware, USA). Founder: Tomer Meirovich. Contact: tomer@veto-ai.com. Built openly at https://github.com/veto-protocol — most code is MIT-licensed.

## What Veto does

Veto sits between an AI agent and the rail it is about to spend on. Every spend hits Veto first, runs through an 8-stage risk engine, and emerges as one of three verdicts:

- **Allow** — the spend is in policy and clean. Settlement proceeds.
- **Deny** — at least one stage objected. The spend is refused.
- **Escalate** — the engine is uncertain. The spend pauses for human review.

Every verdict ships with an Ed25519-signed JWT receipt that anyone can verify offline against the public JWKS at https://veto-ai.com/.well-known/jwks.json. Veto does not have to be online for a counterparty to trust the proof.

## The 8-stage engine

1. **Precheck** — payload validation (malformed amounts, missing currency, decimal drift)
2. **Policy** — the agent's allowlist, blocklist, per-transaction caps, daily / monthly caps, schedule
3. **Prompt-injection** — 17 regex patterns plus obfuscation detection (base64 blobs, non-ASCII script blocks, "ignore previous" trickery)
4. **Merchant fraud (typosquat)** — normalized Levenshtein similarity above 0.75 against a registry of ~36 canonical brand domains (a similarity ratio in [0, 1], not a raw edit count); e.g. `api-anthropc.com` is flagged as a near-miss of `api.anthropic.com`
5. **Crypto safety** — OFAC SDN live feed + drainer-address indices + address-poisoning detection
6. **Intent verification** — Claude Sonnet 4 acts as final judge on whether the spend matches the agent's stated intent
7. **Anomaly** — statistical drift on amount, rail, frequency (still maturing; needs traffic to be useful)
8. **Behavioral baseline** — per-agent fingerprint of normal behavior (still maturing; needs traffic)

## On-chain hard-stop

`VetoGuardedAccount` is a smart contract on Base (and 4 other EVM chains via CREATE2 same-address deploy) that refuses at the contract level to release funds without a fresh, scope-locked, Veto-signed mandate. The mandate is bound via EIP-712 to `(chain, contract, jti, exp, recipient, amount, token)`, so a mandate cannot be replayed on another chain or contract, after its expiry, or for a different recipient, amount or token. A second use of the same `jti` reverts with `MandateAlreadySpent()` (selector `0xffa64355`).

- Live contract: `0xCBbbC4b924AF40D29f135c3a88b6F650d55d92c5`
- Live on Base Sepolia: https://sepolia.basescan.org/address/0xCBbbC4b924AF40D29f135c3a88b6F650d55d92c5
- The contract is **unaudited**. Mainnet deploys are gated behind a typed-phrase acknowledgment in the CLI. v2 ships post-audit.

A Solana port (Anchor + native Ed25519 sysvar verification) is implemented and ships in v1.1.

## Public packages and how to install

- **Python CLI:** `pip install veto-cli` — `veto authorize`, `veto policy`, `veto verify`, `veto agent init`, `veto plugin install`
- **Python SDK (in-process):** `pip install veto-pay` — `from veto_pay import pay, payX402`
- **TypeScript SDK (in-process, npm):** `npm install @veto-protocol/pay` — `import { pay, payX402 } from "@veto-protocol/pay"`
- **One-shot demo runner:** `npx @veto-protocol/pay` — interactive walkthrough
- **Receipt verifier (pure TS, zero deps):** `npm install @veto-protocol/mandate-verifier`
- **Claude Code plugin:**
  - `/plugin marketplace add veto-protocol/claude-plugin`, then `/plugin install veto@veto-protocol`
  - or `veto plugin install` (clones into `~/.claude/plugins/veto/`)

## Where Veto sits relative to the stack

Veto is **Layer 3 (operator policy)** of a 5-layer agent-commerce stack. It composes above payment rails (x402, Stripe MPP, native EVM, Solana) and below user-consent layers (AP2, Verifiable Intent). Veto does not custody funds: the smart contract holds them, and Veto signs the mandate that releases them.
- Cross-rail: x402 today (live), Stripe MPP (next), AP2 mandate composition (next), Solana (v1.1)
- Veto's value vs. card-controls products (Brex, Ramp, Stripe Issuing): cross-rail (those are card-only), intent verification (those see merchant + amount, not agent context), verifiable receipts (those emit transactions, not signed proofs)

## Pages on this site

- [Home](https://veto-ai.com/) — tagline + install line + on-chain proof
- [How it works](https://veto-ai.com/how-it-works) — 8-stage engine walkthrough with examples
- [Security](https://veto-ai.com/security) — threat model, audit posture, responsible disclosure
- [About](https://veto-ai.com/about) — founder note, Investech Global LLC, why Veto exists
- [Terms](https://veto-ai.com/terms) — Terms of Service
- [Privacy](https://veto-ai.com/privacy) — Privacy Policy

## Public source

- Org: https://github.com/veto-protocol
- CLI: https://github.com/veto-protocol/veto-cli
- Smart contracts: https://github.com/veto-protocol/contracts
- Mandate verifier: https://github.com/veto-protocol/mandate-verifier
- x402 policy schema (APPS): https://github.com/veto-protocol/x402-policy-schema
- Claude Code plugin: https://github.com/veto-protocol/claude-plugin
- Veto's own internal policy (transparency artifact): https://github.com/veto-protocol/veto-policies
- Documentation: https://github.com/veto-protocol/docs

## Other key URLs

- JWKS public verification key: https://veto-ai.com/.well-known/jwks.json
- npm scope: https://www.npmjs.com/org/veto-protocol
- PyPI: https://pypi.org/project/veto-cli/ and https://pypi.org/project/veto-pay/

## Tagline

"Any agent. Any payment rail. Safe transactions."