Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.getunbound.ai/llms.txt

Use this file to discover all available pages before exploring further.

What are Tool Policies?

Tool Policies allow you to monitor and control actions taken by AI coding tools in your organization. Create policies to track, warn on, or block terminal commands executed by AI agents or MCP tool calls made through integrated servers like GitHub, Linear, Sentry, and more. Gateway URL: https://gateway.getunbound.ai/policies/tool-policies

Policy Types

When you click Create Policy, you’ll be asked to choose what you want to monitor:

Terminal Commands

Monitor shell commands executed by AI coding tools like Claude Code, Cursor, Roo Code, and Cline.
  • Select a Command Family (e.g., delete_file, git_action, remote_access)
  • Define a Target Pattern to match specific paths, branches, or operations
  • Supports exact match, glob patterns (/etc/*), and regex (.*\.env$)
Natural language rules: Instead of a command family and pattern, you can describe the policy in plain English — for example, “block any command that writes to the production database.” The gateway evaluates these via LLM, so policy authoring doesn’t require knowledge of specific command family names.

MCP Actions

Monitor tool calls made through MCP (Model Context Protocol) servers.
  • Select an MCP Server (e.g., GitHub, Linear, Sentry)
  • Select the MCP Tool to monitor (e.g., create_pull_request, create_issue)
  • Optionally filter by tool action type (e.g., read, write) to apply policies to all tools of a certain kind
Canonical groups offer broader targeting: select a logical service group (e.g., “code repository writes”) to apply a policy to all matching tools across any connected MCP server, without naming individual servers or tools. Canonical groups and tool action types are mutually exclusive targeting modes.
If you are building an MCP server that calls back into Unbound for policy checks, manage your MCP credentials from Connect → MCP Keys in the dashboard.

Actions

Each tool policy has an action that determines what happens when a match is found:
ActionBehavior
BlockReject the command or tool call entirely. The action is prevented from executing.
WarnAllow the action but flag it for review. Users receive a warning notification.
AuditSilently log the action for monitoring. No user-facing impact. Available for reporting and analytics.
Require Slack ApprovalHold the command in a pending state and send an interactive Slack DM to the developer. The approver can Allow Once, Allow for 1 hour, or Deny. The agent retries automatically after a decision. Requires the Slack integration to be configured.

Applying to Users

By default, a tool policy with no user groups applies to everyone in your organization. To restrict a policy to specific teams, assign it to one or more user groups during creation or editing.
  • No user groups selected — The policy applies organization-wide
  • User groups selected — The policy applies only to members of those groups
  • When a user group is modified, policy enforcement updates automatically for all affected users
Policies can also be scoped to specific AI tools — for example, enforce a policy for Claude Code without applying it to Cursor or Codex. Select one or more applications during policy creation.
You can manage user groups from the User Groups page. Create groups based on teams, roles, or projects to apply different policies to different sets of users.

Policy Coverage & Health

The Health view in the Tool Policies dashboard shows which command families and MCP tool categories have no active policies — coverage gaps where agent actions are completely unmonitored. Each policy also carries a health score (0–100) based on how well it matches real observed traffic. Open it from the Tool Policies page by clicking Health (for terminal commands) or MCP Health.

Policy Recommendations

The dashboard proactively surfaces policy suggestions based on observed agent activity. Each recommendation identifies either a complete gap (no policy covers this command or tool type at all) or a partial gap (a policy exists but doesn’t match all observed variants). Recommendations appear automatically as your agents run. You can create the suggested policy directly from the recommendation card, or dismiss it.

Quick Example

Let’s create a policy to audit when AI tools delete files in sensitive directories:
  1. Go to Tool Policies and click Create Policy
  2. Select Terminal Commands
  3. Fill in the form:
    • Name: “Audit Sensitive File Deletions”
    • Command Family: delete_file
    • Target Field: path
    • Target Pattern: /etc/* or *.env
  4. Set Action to Audit
  5. Optionally select User Groups to limit the policy to specific teams
  6. Click Preview Impact to see historical matches
  7. Click Create Policy
Use Preview Impact when creating a policy to see how many historical commands match your pattern before deploying.

Tool Policies vs Security Policies

Tool policies and security policies serve different purposes and are managed independently:
Tool PoliciesSecurity Policies
PurposeControl terminal commands and MCP tool callsProtect sensitive data with guardrails, routing rules
CoversTerminal command families, MCP server/tool actionsPII detection, secrets detection, regex patterns, ban lists, routing
User group scopingDirectly on the tool policyDirectly on the security policy
ActionsBlock, Warn, Audit, Require Slack ApprovalBlock, Redact, Warn, Route

Slack Integration

Set up Slack for interactive approval workflows

CLI Policy Management

Create and manage tool policies from the terminal

Tool Policy Hooks

Integrate policy checks directly into your agent or framework