# Tool Policy Examples

> Ready-to-use Tool Policy examples with a prompt you can give your agent to see each one fire

Each example below is a real, high-impact scenario. For each one you get the policy to create (**When → If → Then**) and a **prompt** you can paste into your AI agent to see the policy fire. Every command here is classified the way shown: the family and field values are what Unbound's classifier actually extracts. MCP examples target either a specific tool by name or a whole **action type** (read / write / destructive).

<Note>
  Create these under **Policies → Tool Policies → Create Policy**. Leave **User Groups** empty to apply org-wide, or scope to a team. The four actions are **Audit**, **Warn**, **Block**, and **Require Slack Approval** (the last needs the [Slack integration](/integrations/slack)). **Warn** is supported on **Claude Code** and **Copilot** only — on other tools, use **Audit** or **Block**.
</Note>

## Examples

### Block destructive database operations

**Risk:** an agent with DB credentials runs `DROP DATABASE` or `TRUNCATE` and wipes data irreversibly.

* **When** Command Family = **Database Admin**
* **If** Match Against = **Operation**, Pattern = `DROP*` (add a second rule for `TRUNCATE*`)
* **Then** **Block**

**Try it:** *"Drop the production database."* → the agent's `DROP DATABASE prod;` is **blocked**. A normal `SELECT` is untouched.

### Block production infrastructure teardown

**Risk:** an agent with cloud credentials deletes a live environment.

* **When** Command Family = **Cloud Destroy**
* **If** Match Against = **Environment**, Pattern = `*prod*`
* **Then** **Block**

**Try it:** *"Delete the production namespace in our cluster."* → `kubectl delete namespace production` is **blocked** (the classifier reads `production` from the target and tags the environment). Same for `aws rds delete-db-instance --db-instance-identifier prod-db`.

### Require approval to tear down staging

**Risk:** staging teardown is sometimes legitimate, but you still want a human in the loop.

* **When** Command Family = **Cloud Destroy**
* **If** Match Against = **Environment**, Pattern = `staging`
* **Then** **Require Slack Approval**

**Try it:** *"Tear down the staging namespace."* → `kubectl delete namespace staging` is **held**, and an approver gets a Slack DM to Allow or Deny.

### Audit every git push

**Risk:** agents push code — including force-pushes that can overwrite shared history. Log them all so you can see what your agents ship.

* **When** Command Family = **Git Action**
* **If** Match Against = **Operation**, Pattern = `push`
* **Then** **Audit**

**Try it:** *"Push my changes to origin/main."* → `git push origin main` runs as usual and is logged in **Analytics → Tool Use → Terminal Run**. (The classifier records the operation as `push` for plain and force-pushes alike, so this one rule covers both.)

### Audit every file deletion

**Risk:** you don't yet know what your agents delete — get visibility before you enforce.

* **When** Command Family = **Delete File**
* **If** Match Against = **Path**, Pattern = `*`
* **Then** **Audit**

**Try it:** *"Delete the build directory."* → `rm -rf build/` runs as usual, with a log entry in **Analytics → Tool Use → Terminal Run**. Tighten the path later (e.g. `*/prod/*`) and switch to **Block**.

### Block deleting files from a repo (GitHub)

**Risk:** an agent removes source files through the GitHub MCP, no terminal command involved.

* **MCP Server** = **GitHub**, **Tool** = `delete_file`
* **Then** **Block**

**Try it:** *"Remove the old config file from the repo."* → the `delete_file` call is **blocked**.

### Require approval before merging a PR (GitHub)

**Risk:** an agent self-merges a pull request with no human review.

* **MCP Server** = **GitHub**, **Tool** = `merge_pull_request`
* **Then** **Require Slack Approval**

**Try it:** *"Merge PR #128."* → the merge is **held** for Slack approval.

### Block posting to Slack

**Risk:** an agent posts to channels — noise at best, data exfiltration at worst.

* **MCP Server** = **Slack**, **Tool** = `slack_send_message`
* **Then** **Block**

**Try it:** *"Post this update to #engineering."* → the message is **blocked** before it sends.

### Warn before editing Notion docs

**Risk:** an agent edits shared team documentation.

* **MCP Server** = **Notion**, **Tool** = `notion-update-page`
* **Then** **Warn** *(Claude Code & Copilot)*

**Try it:** *"Update the launch checklist in Notion."* → the edit proceeds with a **warning** surfaced to the user.

### Audit all destructive Linear actions

**Risk:** you want a record of every deletion an agent makes in Linear.

* **MCP Server** = **Linear**, **Action type** = **destructive**
* **Then** **Audit**

**Try it:** *"Delete that Linear comment."* → the call is **audited** (this action type covers `delete_comment`, `delete_attachment`, and `delete_status_update`).

## Recommended starting policies

The set most teams enable on day one. Start here, watch your logs, then expand.

| Policy                        | Family / Server                                | Action                 | Why it matters                               |
| ----------------------------- | ---------------------------------------------- | ---------------------- | -------------------------------------------- |
| Block destructive DB ops      | Database Admin (`DROP*`, `TRUNCATE*`)          | Block                  | AI should never drop or wipe a database      |
| Block production teardown     | Cloud Destroy (`environment = *prod*`)         | Block                  | One command can delete a live environment    |
| Block production SSH          | Remote Access (`host = *.production.internal`) | Block                  | AI shouldn't SSH into production             |
| Audit git pushes              | Git Action (`operation = push`)                | Audit                  | Track every code change AI initiates         |
| Audit file deletions          | Delete File (`path = *`)                       | Audit                  | See what your agents delete before enforcing |
| Require approval to merge PRs | GitHub (`merge_pull_request`)                  | Require Slack Approval | Keep a human in the loop on merges           |
| Block posting to Slack        | Slack (`slack_send_message`)                   | Block                  | Stop agents messaging your workspace         |
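
To see how the **When → If → Then** rules above combine, here is an added Python model of the evaluation (illustration only, not Unbound's code): the recommended policies are written as attribute-to-glob conditions and run against constructed classifier outputs for the "Try it" prompts. It assumes case-sensitive glob matching and that the most severe matching action wins when rules overlap; the page does not state either.

```python
from fnmatch import fnmatchcase

# Assumption (the page does not say how overlapping rules resolve): when several
# rules match one event, the most severe action wins.
SEVERITY = ["Allow", "Audit", "Warn", "Require Slack Approval", "Block"]

# The page's recommended starting policies as {attribute: glob} conditions. Terminal
# rules key on classifier fields; MCP rules key on server and tool or action_type.
POLICIES = [
    ({"family": "Database Admin", "operation": "DROP*"}, "Block"),
    ({"family": "Database Admin", "operation": "TRUNCATE*"}, "Block"),
    ({"family": "Cloud Destroy", "environment": "*prod*"}, "Block"),
    ({"family": "Cloud Destroy", "environment": "staging"}, "Require Slack Approval"),
    ({"family": "Remote Access", "host": "*.production.internal"}, "Block"),
    ({"family": "Git Action", "operation": "push"}, "Audit"),
    ({"family": "Delete File", "path": "*"}, "Audit"),
    ({"server": "GitHub", "tool": "merge_pull_request"}, "Require Slack Approval"),
    ({"server": "Slack", "tool": "slack_send_message"}, "Block"),
    ({"server": "Linear", "action_type": "destructive"}, "Audit"),
]

def rule_matches(conditions, event):
    # Every condition must hold; an attribute the classifier did not extract never
    # matches. Glob matching is case-sensitive here (assumption).
    return all(key in event and fnmatchcase(event[key], pat)
               for key, pat in conditions.items())

def evaluate(event, policies=POLICIES):
    """Return (action, rules that fired) for one classified command or MCP call."""
    fired = [(cond, act) for cond, act in policies if rule_matches(cond, event)]
    if not fired:
        return "Allow", []
    return max((act for _, act in fired), key=SEVERITY.index), fired

# Constructed classifier outputs for the page's "Try it" prompts (not real captures).
SAMPLE_EVENTS = {
    "DROP DATABASE prod;": {"family": "Database Admin", "operation": "DROP"},
    "SELECT 1;": {"family": "Database Admin", "operation": "SELECT"},
    "kubectl delete namespace production": {"family": "Cloud Destroy", "environment": "production"},
    "kubectl delete namespace staging": {"family": "Cloud Destroy", "environment": "staging"},
    "git push --force origin main": {"family": "Git Action", "operation": "push"},
    "rm -rf build/": {"family": "Delete File", "path": "build/"},
    "mcp:GitHub.merge_pull_request": {"server": "GitHub", "tool": "merge_pull_request"},
    "mcp:Linear.delete_comment": {"server": "Linear", "tool": "delete_comment", "action_type": "destructive"},
}

if __name__ == "__main__":
    for cmd, event in SAMPLE_EVENTS.items():
        print(f"{cmd:40} -> {evaluate(event)[0]}")
```

Running it prints one verdict per sample: the `SELECT` stays `Allow`, the production teardown is `Block`, and the staging teardown is `Require Slack Approval`.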

<Tip>
  Don't know the family or pattern? In the create dialog, type what you want in plain English — e.g. *"Block any database command that drops or truncates"* — and Unbound fills in the form. Or ask your AI agent to create it with the `unbound` CLI (see [the playbook](/playbook/introduction)).
</Tip>
