Your AI coding tools — Claude Code, Cursor, Codex, Copilot, and more — now route through Unbound. We see every prompt, every terminal command, and every MCP tool call your agents make, and we enforce your policies inline, before anything runs. Nothing changes for your developers. Everything changes for your security team. This playbook walks you through what’s in the platform, what each part is for, and how to get value fast.

1. Getting started (5 minutes)

  1. Sign in. Go to your Unbound gateway at gateway.getunbound.ai — or your organization’s custom tenant domain, if you have one.
  2. Connect your first tool. Open Connect → AI Coding Tools, pick your tool, and follow the one-line setup. For Claude Code and Codex, choose Subscription mode — keep your existing Claude / OpenAI subscription while Unbound observes and enforces via hooks.
  3. Roll out to your team (admins). Open Connect → Device Deployment, choose the tool and platform (macOS / Windows), and copy the single MDM install command. It deploys Unbound to every user on a device with no per-developer setup.

Once a tool is connected, its activity starts flowing into Unbound immediately.

2. The dashboard — your home base

Your landing page is an at-a-glance health view of your whole org: devices and tools connected, agentic activity (terminal commands and MCP calls), how many actions were blocked / warned / allowed, total spend, and recommendations. It’s built to be skimmed — start here each day, then click into whatever needs attention.

3. See what your AI tools are actually doing

Before you write a single policy, get visibility. Open AI Tools Discovery → Summary. This is your mission control: it inventories every AI tool detected across your org and flags risk. Three things to check on day one:

  • Shadow AI tools: Unsanctioned AI tools developers installed on their own. Review the list and decide what’s approved.
  • Unconfigured Full-Auto users: Developers running with auto-accept and no deny rules and sandboxing off — the highest-risk setups. The Permissions sub-page shows exactly who.
  • Unverified MCP servers: MCP servers whose publisher is unofficial or unknown. The MCP Servers sub-page flags each one so you can spot shadow MCP.

The other sub-pages — Users, Tools, Tool Rules, Skills, Setup — let you drill into per-developer detail. You don’t need them on day one.

4. Tool Policies — guardrails on what AI can do

Tool Policies govern the actions AI agents take — the terminal commands they run and the MCP tools they call — and stop the dangerous ones before they execute. Find them under Policies → Tool Policies.

What each action does

| Action | Stops the operation? | Logged? | What your developer sees |
| --- | --- | --- | --- |
| Audit | No | Yes | Nothing — it runs normally and you get a log entry |
| Warn | No | Yes | A warning, then it proceeds |
| Block | Yes | Yes | An error explaining the block |
| Require Slack Approval | Pauses | Yes | A Slack DM to approve or deny; the agent retries after the decision (needs the Slack integration) |

If your developers run agentic workflows, start with Audit to learn what’s normal, then tighten to Warn / Block. A hard Block mid-chain returns an error that can interrupt a multi-step agent task.

Three ways to create a policy

  1. Guided form (UI). Open Policies → Tool Policies and click Create Policy, then choose Terminal Commands or MCP Actions. Build the rule with dropdowns: When (command family) → If (field to match + pattern) → Then (action) → optionally scope to User Groups. A live preview shows the rule in plain English as you build it.
  2. Describe it in plain English. The create dialog has a “Describe a policy or paste a command…” box. Type what you want — e.g. “Block any database command that drops or truncates” — and Unbound fills in the form.
  3. Ask your AI agent (CLI). Any developer onboarded with the Unbound CLI can ask their agent (Claude Code, Cursor, Codex) to create the policy. The agent runs the unbound CLI for you. Requires the CLI installed and logged in with an Admin role.
    unbound policy tool create-mcp \
      --name "Block destructive GitHub actions" \
      --mcp-server github \
      --mcp-action-type destructive \
      --action BLOCK \
      --custom-message "Destructive GitHub actions are blocked — contact your admin."
    

Command families you can target (terminal commands)

Unbound classifies every command an agent runs into a family, grouped by area:

| Area | Families |
| --- | --- |
| System | Update System File, Environment Setup, Package Management, Build Operation |
| Filesystem | Read File, Write File, Delete File |
| Process | Process Management, Execute Script, Update Cron |
| Network | Remote Access, Data Transfer, Remote Execution, Container Operation |
| Cloud | Cloud Read, Cloud Provision, Cloud Destroy, Cloud IAM, Cloud Secrets, Cloud Config |
| Security | Access Password, Privilege Escalation, Environment Exposure |
| Git | Git Action |
| Database | Database Read, Database Write, Database Admin |

Each family matches on specific fields — e.g. Database Admin matches on database, table, operation, environment; Delete File matches on path.

Worked example A — Stop AI from destroying production infrastructure

The real risk: AI coding agents increasingly run with cloud and database credentials. One misfired command — terraform destroy, kubectl delete namespace production, aws rds delete-db-instance, DROP DATABASE prod — can wipe an environment in seconds. Layer the four actions by severity:
  • Block what is never legitimate — Command Family Database Admin, Match Against Operation, Pattern DROP* (add a rule for TRUNCATE*); and Command Family Cloud Destroy, Match Against Environment, Pattern *prod*.
  • Require Slack Approval for destructive actions that are sometimes valid, so a human signs off in-channel first — Command Family Cloud Destroy, Match Against Environment, Pattern *staging*.
  • Warn on risky-but-common actions so the developer gets a heads-up without being blocked — Command Family Git Action, Match Against Operation, Pattern push --force*.
  • Audit first when you don’t yet know what’s normal — Command Family Cloud Destroy, Match Against Any — log everything, tighten later.
Test it: a terraform destroy against production is blocked; against staging it’s held for Slack approval; a routine terraform plan runs as usual.
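
An offline way to sanity-check the patterns from worked example A before moving them from Audit to Block. This is an added illustration, not Unbound's matching engine: it assumes case-sensitive shell-style globbing (Python's fnmatchcase) and that the strictest matching action wins, and every sample value is constructed.

```python
from fnmatch import fnmatchcase

# Rules from worked example A: (family, field, pattern, action).
RULES = [
    ("Database Admin", "operation", "DROP*", "Block"),
    ("Database Admin", "operation", "TRUNCATE*", "Block"),
    ("Cloud Destroy", "environment", "*prod*", "Block"),
    ("Cloud Destroy", "environment", "*staging*", "Require Slack Approval"),
    ("Git Action", "operation", "push --force*", "Warn"),
    ("Cloud Destroy", None, "*", "Audit"),  # "Match Against Any"
]

# Assumption: when several rules match, the strictest action applies.
SEVERITY = ["Allow", "Audit", "Warn", "Require Slack Approval", "Block"]

def evaluate(family, fields):
    """Return the strictest action whose rule matches this classified command."""
    decision = "Allow"
    for rule_family, field, pattern, action in RULES:
        if rule_family != family:
            continue
        # A rule with no field ("Any") matches every command in the family.
        value = "" if field is None else fields.get(field)
        if value is None or not fnmatchcase(value, pattern):
            continue
        if SEVERITY.index(action) > SEVERITY.index(decision):
            decision = action
    return decision

# Constructed samples: (family, field values, action the policy author intends).
SAMPLES = [
    ("Cloud Destroy", {"environment": "production"}, "Block"),
    ("Cloud Destroy", {"environment": "staging"}, "Require Slack Approval"),
    ("Cloud Destroy", {"environment": "dev"}, "Audit"),
    ("Cloud Destroy", {"environment": "product-demo"}, "Audit"),  # *prod* is broad
    ("Cloud Destroy", {"environment": "PROD"}, "Block"),          # case variant
    ("Database Admin", {"operation": "DROP DATABASE prod"}, "Block"),
    ("Database Admin", {"operation": "drop database prod"}, "Block"),
    ("Git Action", {"operation": "push --force origin main"}, "Warn"),
    ("Git Action", {"operation": "push -f origin main"}, "Warn"),       # short flag
    ("Git Action", {"operation": "push origin main --force"}, "Warn"),  # flag last
]

def mismatches():
    """List samples where the rule set decides differently from the intent."""
    return [(f, v, want, evaluate(f, v)) for f, v, want in SAMPLES if evaluate(f, v) != want]
```

Under these assumptions mismatches() returns five samples: one over-match (product-demo is blocked) and four misses (case variants, the -f short flag, and a trailing --force). The page does not state how Unbound normalizes case or flag order, so run the same commands under an Audit policy and compare against Analytics → Tool Use → Terminal Run.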

Worked example B — Gate destructive MCP actions across your tools

The real risk: an AI agent wired to the GitHub, Linear, or Sentry MCP can delete a repository, wipe issues and comments, or remove a Sentry project — irreversibly, in a single tool call, with no terminal command to catch it. Control them by action type:
  • Block the never-automate actions — MCP Server GitHub, action type destructive.
  • Require Slack Approval for destructive actions you occasionally need — MCP Server Linear, action type destructive (covers delete_comment, delete_attachment, delete_status_update).
  • Audit to learn which MCP tools your agents actually reach for before you enforce — any server, action type destructive.
You can also target a single tool by name (e.g. delete_comment) instead of a whole action type. Test it: deleting a GitHub repository is blocked; deleting a Linear comment is held for Slack approval.

| Policy | Family / Server | Action | Why it matters |
| --- | --- | --- | --- |
| Block destructive DB ops | Database Admin (DROP*, TRUNCATE*) | Block | AI should never drop or wipe a database |
| Block production cloud teardown | Cloud Destroy (environment = *prod*) | Block | One command can delete a live environment |
| Approve staging teardown | Cloud Destroy (environment = *staging*) | Require Slack Approval | Sometimes valid — keep a human in the loop |
| Warn on force-push | Git Action (operation = push --force*) | Warn | Force-push can overwrite shared history |
| Block deletes in protected paths | Delete File (path = */prod/*) | Block | Deleting critical files is destructive |
| Gate destructive MCP calls | Any server, action type destructive | Require Slack Approval | Human approval for irreversible MCP actions |

Start with these, watch your logs, then expand.

5. Guardrails — content inspection

Where Tool Policies govern what AI agents do, Guardrails (under Policies → Security Policies) inspect the content of requests and responses. They act inline — on a request before it reaches the model, and on a response before it reaches your developer:
  • PII Detection — emails, phone numbers, and other personal data.
  • Secrets Detection — API keys, passwords, tokens.
  • Actions: Redact (mask the sensitive value before the model sees it), Block, or Audit.

6. Where to find things

| You’re looking for | Go to |
| --- | --- |
| Every request / prompt through the gateway | Logs |
| Terminal commands AI executed (family, risk, policy match) | Analytics → Tool Use → Terminal Run |
| MCP tool calls AI made | Analytics → Tool Use → MCP Actions |
| Guardrail activity (redactions, blocks) | Analytics → Data Security |

7. Settings you should know (admins)

Under Settings:
  • Integrations — connect Slack (required for the Require Slack Approval action).
  • Policy Enforcement — choose what happens if Unbound is ever unreachable: Allow (operations run as usual — the default) or Block (operations are denied). Pick based on your risk tolerance.
  • Users & User Groups — invite teammates, assign roles (Admin / Member), and create groups to scope policies to specific teams.

8. (Optional) LLM Gateway features

If your organization uses Unbound as its LLM gateway (routing model traffic through us), you’ll also see Models, Model Policies, Cost Policies, Cost Management, and Billing. These let you control which models are allowed, cap spend per user or team, and manage invoices. If you only use Unbound to govern AI coding tools, you can skip this section — these pages won’t appear in your nav.

9. Troubleshooting

  • Policy not firing? Confirm it’s Active and scoped to the right user group (empty = everyone).
  • MCP policy not matching? Check the exact MCP server name on the MCP Servers page.
  • Command classified differently than you expected? Open the command in Analytics → Tool Use → Terminal Run — the family and risk score are shown on every entry.
  • “Require Slack Approval” not prompting? Connect Slack under Settings → Integrations.
Questions? Reach us in Slack or email support@unboundsecurity.ai.