# Veto

> Veto (SQL Safety & Cost Oracle) is a deterministic MCP tool that vets Postgres SQL for safety, correctness, and cost **before** an AI coding agent runs it. It returns a structured verdict — `ok`, `warn`, or `block`. No LLM in the core; it never connects to your database.

## What it does
- Catches destructive operations: DELETE/UPDATE without WHERE, DROP TABLE, TRUNCATE, lock-heavy ALTER TABLE (type changes, NOT NULL without a default, validated constraints), and destructive statements hidden inside CTEs (e.g. `WITH x AS (DELETE FROM users RETURNING *) SELECT * FROM x`).
- Works with any Postgres — Supabase, Neon, RDS, self-hosted — and any migration tool. Tuned on real-world migrations to avoid false positives: routine `DROP POLICY` / `DROP INDEX` / `DROP FUNCTION` and lock-light `ALTER`s (enable RLS, add a nullable column) come back `ok` or `warn`, not `block`.
- Catches correctness traps — SQL that parses and runs but silently returns the wrong rows: `= NULL` instead of `IS NULL`, `NOT IN (subquery)` that returns nothing when the subquery yields a NULL, and a `LEFT JOIN` that a `WHERE` filter silently turns into an inner join.
- Flags `SELECT *` and, when given a schema, sequential scans on large tables via a real `EXPLAIN` plan run on a disposable scratch Postgres (always rolled back — your database is never touched).
- Deterministic: the same SQL always yields the same verdict. The calling agent narrates the structured output to the human.

## How to use it
- MCP endpoint (Streamable HTTP): https://vetosql.com/mcp
- Tool: `analyze_sql` — input `sql` (required), `schema` (optional DDL, enables cost analysis), `rowCountHints` (optional).
- Add to an MCP client: `{"mcpServers":{"veto":{"url":"https://vetosql.com/mcp"}}}`

## Pro: custom org policies
- The built-in rules are the same for everyone. Pro adds **custom org policies** — team-defined rules on your own tables (e.g. "never DELETE from `payments`", "no `TRUNCATE` on `audit_*`"), enforced on top of the built-ins. This is what takes Veto from a linter to a governance layer.
- Policies are **declarative data, validated and never executed** (zod-checked, glob not regex, AST-matched) — the safety tool can't itself become an injection hole.
- Set them once with the `set_policies` tool using a Pro key (an agent can author the JSON from a plain-language instruction). Policies are stored on the key, so every later `analyze_sql` call made with that key enforces them automatically — nothing extra per call.

## Why it exists
AI coding agents (Claude Code, Cursor, Cline) now write and run database migrations and queries, and can confidently execute destructive or expensive SQL ("the agent dropped prod"). Read-only roles block legitimate writes and have been bypassed; LLM self-review is non-deterministic. Veto is the deterministic gate the agent consults before executing — reproducible, auditable, zero blast radius.

## Links
- Home: https://vetosql.com
- Docs: https://vetosql.com/docs/
- About: https://vetosql.com/about/
- Blog: https://vetosql.com/blog/
- Compare: https://vetosql.com/compare/
- MCP: https://vetosql.com/mcp
- GitHub (public docs + MCP manifest): https://github.com/metaweardigital/veto-mcp
- Extended (full site summary): https://vetosql.com/llms-full.txt