policy.proto

Hierarchical policy configuration: PolicyConfig → ServerPolicy → ToolRule. Supports glob wildcards for flexible server and tool matching.

PolicyConfig

Top-level configuration for the Quint proxy.
message PolicyConfig {
  string version = 1;            // Config version
  string data_dir = 2;           // Data storage directory
  LogLevel log_level = 3;        // Proxy log verbosity
  repeated ServerPolicy servers = 4;  // Per-MCP-server access rules
  ScoringPolicy scoring = 5;    // Optional risk scoring policies
}

ServerPolicy

Per-MCP-server access control rules.
message ServerPolicy {
  string server = 1;            // Server wildcard (e.g., "github-*")
  Action default_action = 2;    // ALLOW or DENY by default
  repeated ToolRule tools = 3;  // Per-tool rules
}

ToolRule

Per-tool access control within a server policy.
message ToolRule {
  string tool = 1;              // Tool wildcard (e.g., "create_*")
  Action action = 2;            // ALLOW or DENY
}

ScoringPolicy

Risk scoring engine policies — maps directly to the infra API’s policy schema.
message ScoringPolicy {
  repeated string sensitive_fields = 1;
  repeated string allowed_tools = 2;
  repeated string blocked_actions = 3;
  repeated string allowed_action_patterns = 4;   // Glob patterns
  repeated string blocked_action_patterns = 5;   // Override allowed
  repeated DataClassification sensitive_classifications = 6;
  string custom_rules = 7;                        // JSON-encoded
}

Policy Hierarchy

PolicyConfig
  ├── ServerPolicy ("github-*")
  │   ├── default_action: ALLOW
  │   ├── ToolRule ("create_*") → DENY
  │   └── ToolRule ("list_*") → ALLOW
  ├── ServerPolicy ("slack-*")
  │   ├── default_action: ALLOW
  │   └── ToolRule ("send_message") → ALLOW
  └── ScoringPolicy
      ├── blocked_action_patterns: ["data:field:pii_sensitive.*"]
      └── sensitive_classifications: [PII_SENSITIVE, FINANCIAL]

Wildcard matching:
  • * matches any single segment
  • Server/tool names are matched against the pattern
  • blocked_action_patterns takes precedence over allowed_action_patterns
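The following is an added example, not code from the Quint project, showing how the PolicyConfig → ServerPolicy → ToolRule hierarchy and the wildcard rules above resolve a tool call. The dataclasses mirror the proto messages on this page; the wildcard matcher uses Python's fnmatch semantics (an assumption: `*` matches any run of characters), the first matching ServerPolicy and ToolRule win (assumption), and a server with no matching ServerPolicy is denied, i.e. the evaluator fails closed (assumption, not stated on the page). The `allowed_action_patterns` value in the constructed config is also an assumption added to show the blocked-over-allowed precedence.

```python
"""Policy evaluation for PolicyConfig -> ServerPolicy -> ToolRule (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase
from typing import List, Optional


class Action(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"


@dataclass
class ToolRule:
    tool: str        # tool wildcard, e.g. "create_*"
    action: Action


@dataclass
class ServerPolicy:
    server: str      # server wildcard, e.g. "github-*"
    default_action: Action
    tools: List[ToolRule] = field(default_factory=list)


@dataclass
class ScoringPolicy:
    allowed_action_patterns: List[str] = field(default_factory=list)
    blocked_action_patterns: List[str] = field(default_factory=list)


@dataclass
class PolicyConfig:
    servers: List[ServerPolicy] = field(default_factory=list)
    scoring: Optional[ScoringPolicy] = None


def glob_match(pattern: str, name: str) -> bool:
    """Wildcard match. Assumption: fnmatch semantics, where '*' matches any run
    of characters; the page's 'single segment' wording may be narrower."""
    return fnmatchcase(name, pattern)


def find_server_policy(cfg: PolicyConfig, server_name: str) -> Optional[ServerPolicy]:
    """First ServerPolicy whose wildcard matches the server (assumption: first wins)."""
    for sp in cfg.servers:
        if glob_match(sp.server, server_name):
            return sp
    return None


def evaluate_tool_call(cfg: PolicyConfig, server_name: str, tool_name: str) -> Action:
    """Resolve server -> first matching ToolRule -> default_action.
    Fails closed with DENY when no ServerPolicy matches (assumption)."""
    sp = find_server_policy(cfg, server_name)
    if sp is None:
        return Action.DENY
    for rule in sp.tools:
        if glob_match(rule.tool, tool_name):
            return rule.action
    return sp.default_action


def action_pattern_allowed(scoring: Optional[ScoringPolicy], action_id: str) -> bool:
    """blocked_action_patterns override allowed_action_patterns, as the page states.
    Assumption: with no allowed patterns configured, anything not blocked is allowed."""
    if scoring is None:
        return True
    if any(glob_match(p, action_id) for p in scoring.blocked_action_patterns):
        return False
    if not scoring.allowed_action_patterns:
        return True
    return any(glob_match(p, action_id) for p in scoring.allowed_action_patterns)


# Constructed config mirroring the Policy Hierarchy tree on this page.
# allowed_action_patterns is an added assumption to exercise the precedence rule.
EXAMPLE_CONFIG = PolicyConfig(
    servers=[
        ServerPolicy("github-*", Action.ALLOW, [
            ToolRule("create_*", Action.DENY),
            ToolRule("list_*", Action.ALLOW),
        ]),
        ServerPolicy("slack-*", Action.ALLOW, [
            ToolRule("send_message", Action.ALLOW),
        ]),
    ],
    scoring=ScoringPolicy(
        allowed_action_patterns=["data:field:*"],
        blocked_action_patterns=["data:field:pii_sensitive.*"],
    ),
)


if __name__ == "__main__":
    for server, tool in [("github-main", "create_issue"), ("github-main", "list_repos"),
                         ("github-main", "get_issue"), ("jira-prod", "list_issues")]:
        print(server, tool, evaluate_tool_call(EXAMPLE_CONFIG, server, tool).value)
    for action in ["data:field:pii_sensitive.email", "data:field:public.name", "tool:call:x"]:
        print(action, action_pattern_allowed(EXAMPLE_CONFIG.scoring, action))
```

Running the module walks the hierarchy for the constructed calls: `create_issue` on a `github-*` server hits the `create_*` DENY rule before the server default is consulted, `get_issue` falls through to `default_action: ALLOW`, and a server with no policy is denied. In the scoring section, an action matching a blocked pattern is rejected even though it also matches an allowed pattern. A real deployment should review the fail-closed and first-match assumptions against the proxy's actual semantics.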