Skip to main content
Playbook: Onboarding · Recommended Starting Policies · Threat Model · Tool Policy Examples
Your AI coding agents can run anything a developer can — including the handful of commands that wipe a database, tear down production, or leak a secret. This is the pack that draws the line. It covers the highest-impact actions across every command family Unbound classifies. The genuinely catastrophic and production-scoped actions are stopped; everything else is audited so you build the evidence to decide what to lock down next. The family and field values below are exactly what Unbound’s classifier extracts.
Create these under Policies → Tool Policies → Create Policy. Leave User Groups empty to apply org-wide, or scope to a team. The four actions are Audit, Warn, Block, and Require Slack Approval (the last needs the Slack integration). Warn is supported on Claude Code and Copilot only — on other tools, use Audit or Block (Block delivers the same outcome; Warn is just the UX nicety where the agent surfaces an inline confirmation).
This pack covers terminal commands — what your agents run through the shell. For policies on MCP tool calls (GitHub, Slack, Notion, Linear, the filesystem MCP, …), see Tool Policy Examples. For the threat-modelling view of this same pack (the one-pager to share with your security team), see Threat Model. For the reasoning behind each default — why it blocks, warns, or audits — see What each default protects. For platform background, see the Onboarding Playbook.

Live in three steps

1

Apply the pack

Drop in the whole pack — the high-risk actions enforced, everything else on Audit. The dangerous handful is stopped; routine work is logged, not interrupted.
2

Watch your agents work

Give it a few days. Every audited action — and every enforced one — lands in Analytics → Tool Use → Terminal Run, attributed to the user and session. Now you can see exactly what your agents do — not guess.
3

Tune to your data

Promote any noisy Audit rule to enforcement once you’ve seen the traffic, or relax one that’s getting in the way. Your enforcement is now shaped by your team’s traffic, not generic defaults.
Rolling out safely. Pin the pack to one team first (scope via User Groups) and let it run for a week before going org-wide. Any rule can be disabled or moved back to Audit instantly from Policies → Tool Policies — enforcement isn’t a one-way door. If a single rule turns noisy mid-rollout, narrow its scope (tighter pattern or smaller user group) rather than turning the whole pack off.

Enforce — stop or confirm

The actions that can cost you a weekend: irreversible operations, production-scoped changes, and hard security boundaries. The agent is stopped — or asked to confirm — before it runs one. The Try it column gives a natural-language prompt you can paste into your AI agent — Claude Code, Cursor, Copilot, etc. — to watch the policy fire end-to-end. The arrow shows the command the agent will issue that Unbound catches.
PolicyWhy enforcedCommand Family · Match (If)Try it (prompt → command Unbound catches)
Production cloud destructionIrreversible teardown of a live environment; no undoCloud Destroy · Environment *prod*“Delete the prod-payments-api CloudFormation stack — we’re done with v1.”aws cloudformation delete-stack --stack-name prod-payments-api
Kubernetes resource deletionDeletes live cluster resources; trivial to fat-fingerCloud Destroy · Provider kubectl, Operation delete“Clean up the test-ns namespace in our cluster.”kubectl delete namespace test-ns
Deployment to productionShips to prod; one command, real user impactCloud Provision · Environment *prod*“Kick off a CodeDeploy deployment for the webapp application to the prod-app deployment group from s3://releases/webapp/latest.zip.”aws deploy create-deployment --application-name webapp --deployment-group-name prod-app --s3-location bucket=releases,key=webapp/latest.zip,bundleType=zip
kubectl apply to productionMutates the prod cluster directly, bypassing reviewCloud Provision · Provider kubectl + Environment *prod*“Apply deployment.yaml against the prod cluster — pass —context prod explicitly.”kubectl apply -f deployment.yaml --context prod -n prod
IAM policy attachmentGrants standing privilege; widens every later blast radiusCloud IAM · Operation *attach*policy*“Attach arn:aws:iam::aws:policy/AdministratorAccess to the ci-deploy-role IAM role.”aws iam attach-role-policy --role-name ci-deploy-role --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Kubernetes RBAC / service-account creationRewrites who-can-do-what in the clusterCloud IAM · Provider kubectl, Operation create“Give the build service account cluster-admin so CI can deploy.”kubectl create clusterrolebinding ci-admin --clusterrole=cluster-admin --serviceaccount=ci:build
Secret deletionA deleted secret can’t be recoveredCloud Secrets · Operation delete.*|remove.*“Delete the prod/db/password secret from Secrets Manager.”aws secretsmanager delete-secret --secret-id prod/db/password
kubectl context switch to productionAims every following command at prod by defaultCloud Config · Provider kubectl, Operation use-context, Environment *prod*“Switch my kubectl context to the prod cluster.”kubectl config use-context prod-cluster
Cloud project or account switchSilently redirects later commands to a prod accountCloud Config · Provider gcloud|aws, Operation set|configure“Point gcloud at the prod-proj project.”gcloud config set project prod-proj
Database DROPDrops a table irreversiblyDatabase Admin or Database Write · Operation *DROP*“Reset the schema for a clean rebuild — run DROP TABLE customers; against local Postgres.”psql -c "DROP TABLE customers;"
Database TRUNCATEWipes a table’s rows with no undoDatabase Admin or Database Write · Operation *TRUNCATE*“Reset the events table — TRUNCATE TABLE events; so the identity counter resets too.”psql -c "TRUNCATE TABLE events;"
Production database adminHeavyweight ops on the live database; a bad one is an outageDatabase Admin · Environment *prod*“Reclaim disk on the prod database — run VACUUM FULL.”psql -h prod-db -U admin -d appdb -c "VACUUM FULL;"
Production database writesMutates live production dataDatabase Write · Environment *prod*“Mark every user in the prod database as inactive.”psql -h prod-db -U admin -d appdb -c "UPDATE users SET active=false;"
Database DELETEAn unscoped delete can empty a tableDatabase Write · Operation *DELETE*“Delete all rows from the users table.”psql -c "DELETE FROM users;"
Container stop / kill / removalTears down a running serviceContainer Operation · Operation rm|stop|kill“Force-remove the old auth container.”docker rm -f auth-api-old
Production container operationsTouches a live prod containerContainer Operation · Container *prod*“The prod-api Docker container is hanging — restart it with docker restart prod-api.”docker restart prod-api
SSH to production hostsInteractive access to a production boxRemote Access · Host *prod*|*production*“SSH into prod-web-1 and check the nginx logs.”ssh deploy@prod-web-1
SSH as rootRoot shell on a remote host; full controlRemote Access · User root“SSH into the build server as root to fix the disk.”ssh root@host
Remote script execution on productionRuns arbitrary code on a prod hostRemote Execution · Target Host *prod*|*production*“Run deploy.sh on prod-host over SSH.”ssh deploy@prod-host 'bash deploy.sh'
Escalate to rootBecomes root; the trust boundary moves and can’t move backPrivilege Escalation · Method sudo|su“Drop me into an interactive root shell — sudo su -.”sudo su -
Delete files in system pathsDeleting under /etc, /usr, /var, /opt breaks the machineDelete File · Path /etc/*|/usr/*|/var/*|/opt/*“Remove the /etc/example config directory.”rm -rf /etc/example
Direct push to main/masterWrites to the shared branch without reviewGit Action · Operation push + Branch main|master“Push my fix straight to main.”git push origin main
Modify system filesEdits host config every other process depends onUpdate System File · any“Add a hosts entry pointing api.example.com to 10.0.0.5.”echo "10.0.0.5 api.example.com" | sudo tee -a /etc/hosts
Some commands match more than one rule by design — e.g. kubectl apply --context prod matches both kubectl apply to production and the broader Deployment to production. That’s intentional layered coverage, but it means a single command can be enforced by either. If you’d rather one rule own that path, scope Deployment to production to exclude kubectl (add a provider constraint) once you’ve decided which rule should.

Audit — log silently

Routine, but worth a paper trail. These never interrupt anyone — they quietly build the evidence you’ll use to decide what to lock down next. Same demo flow as above — paste the prompt into your agent and watch the matching command land in Analytics → Tool Use → Terminal Run.
PolicyWhy auditCommand Family · Match (If)Try it (prompt → command Unbound logs)
Terraform applyProvisioning is daily work; log it, don’t wall itCloud Provision · Provider terraform, Operation apply“From infra/terraform/, run terraform apply -auto-approve to roll out the new S3 bucket.”terraform apply -auto-approve
Kubernetes scaleRoutine capacity change; worth a record, not a stopCloud Provision · Provider kubectl, Operation scale“Scale the web deployment to 3 replicas.”kubectl scale deployment web --replicas=3
Helm install / upgradeStandard deploy step; log to learn the baselineCloud Provision · Provider helm, Operation install|upgrade“Upgrade the payments-api Helm release to the latest chart.”helm upgrade payments-api ./chart
EC2 instance launchSpinning up infra is normal; track who and whatCloud Provision · Provider aws, Operation run-instances“Launch a t3.medium EC2 instance using AMI ami-0abcdef1234567890 for a load test.”aws ec2 run-instances --image-id ami-0abcdef1234567890 --instance-type t3.medium
Secret retrievalReading secrets is daily work; log now, tighten laterCloud Secrets · Operation get-secret-value|read|get-parameter“Fetch the db-password secret from Secrets Manager.”aws secretsmanager get-secret-value --secret-id db-password
Secret creation or updateRotation and creation are legitimate; keep a trailCloud Secrets · Operation create.*|put.*|update.*“Create a new Secrets Manager secret called stripe-key.”aws secretsmanager create-secret --name stripe-key --secret-string "<value>"
Vault accessRoutine secret reads; visibility before frictionCloud Secrets · Provider vault“Read the secret/app/db value from Vault.”vault kv get secret/app/db
Container execDevs shell into containers constantly; log, don’t blockContainer Operation · Operation exec“Exec into the running app Docker container with docker exec -it app sh and print env.”docker exec -it app sh
Container image pushNormal publish step; record itContainer Operation · Operation push“Push the latest image to our registry.”docker push registry/app:latest
Database UPDATEApps patch rows legitimately; audit, don’t wallDatabase Write · Operation *UPDATE*“Run UPDATE settings SET value = 1000 WHERE key = 'rate_limit'; against Postgres.”psql -c "UPDATE settings SET value = 1000 WHERE key = 'rate_limit';"
IAM access-key creationKeys rotate during onboarding; track, don’t stopCloud IAM · Operation create-access-key|create-login-profile|create-service-specific-credential“Create a new IAM access key for the ci-user.”aws iam create-access-key --user-name ci-user
Process termination (incl. SIGKILL)Killing a stuck process is routine; log itProcess Management · any“Force-kill process 4242 — it’s stuck.”kill -9 4242
Whole-environment dumpCommon debug move, but a real leak risk — keep eyes on itEnvironment Exposure · Method env|printenv“Print my env vars so I can find the SECRET one.”env | grep SECRET
Data upload to external endpointsLegit uploads and exfiltration look alike; watch the pattern firstData Transfer · Operation upload|send“Upload report.csv to https://export.example.com/upload via curl.”curl -X POST -F "file=@report.csv" https://export.example.com/upload
Plus a family-wide safety net. The pack also adds one Audit rule with Match = any to each high-risk family, so every command that lands in that family is logged — even ones the specific rules above don’t name. Why Audit, not block: a match-any rule would catch routine work too, so it logs for visibility while you learn the baseline, then you tighten from the data.
Family-wide Audit rule (Match = any)
Cloud Destroy · Cloud Provision · Cloud IAM
Database Admin · Database Write
Remote Access · Remote Execution · Privilege Escalation
Delete File · Access Password · Environment Exposure · Data Transfer
These family-wide Audit rules are the biggest driver of analytics volume — they log every classified command in the family. That’s exactly what you want while you’re learning your baseline; once you’ve seen a few days of activity, narrow to the targeted rules above (or add retention/rollup) so the signal stays sharp.

Two layers of coverage

This pack is built in two complementary layers, so a risky operation is caught by one layer or the other:
  • Precise, production-scoped rules key on the environment Unbound’s classifier reads straight from the command — a host like prod-db.internal, a container named prod-api, a namespace production. When a command names its environment, it gets the tighter, production-specific treatment.
  • Family-wide Audit rules sit underneath every high-risk family (e.g. Audit all cloud resource destruction, Audit all database writes) and log everything that lands in that family, however it’s named.
The specific rule fires when the target names its environment; the family rule has your back when it doesn’t. Together they give you broad, defense-in-depth coverage across the high-risk families, and the audit trail shows you anything worth tightening next.

Go live

Create these by hand with the When → If → Then values above, or ask your Unbound contact to seed the whole pack — you’ll be live in minutes. Review a few days of analytics, promote what matters from Audit to enforcement, relax anything noisy, and you’ve got enforcement tuned to how your team actually works.