hostname: "mcp"
tailnet: "your-tailnet.ts.net"
state_dir: "~/.local/share/turnscale"

servers:
  github:
    url: "http://localhost:8091/mcp"
    transport: "streamable-http"
  slack:
    url: "http://localhost:8092/mcp"
    transport: "streamable-http"

# Access policies — evaluated top-to-bottom, first match wins
policies:
  - name: "admin"
    match:
      identity: ["you@github"]
    allow: ["*"]

  - name: "ai-agents"
    match:
      tags: ["tag:ai-agent"]
    allow: ["github", "slack"]
    deny_tools: ["mcp__github__delete_*"]

  - name: "default-deny"
    match:
      identity: ["*"]
    deny: ["*"]