invariantlabs-ai · skanehira · Aug 22, 2025 · Aug 22, 2025
diff --git a/README.md b/README.md
@@ -73,18 +73,19 @@ For this, create a `~/.mcp-scan/guardrails_config.yml` with the following conten
 
 ```yml
 <client-name>:  # your client's shorthand (e.g., cursor, claude, windsurf)
-  <server-name>:  # your server's name according to the mcp config (e.g., whatsapp-mcp)
-    guardrails:
-      secrets: block # block calls/results with secrets
-
-      custom_guardrails:
-        - name: "Filter tool results with 'error'"
-          id: "error_filter_guardrail"
-          action: block # or just 'log'
-          content: |
-            raise "An error was found." if:
-              (msg: ToolOutput)
-              "error" in msg.content
+  servers:
+    <server-name>:  # your server's name according to the mcp config (e.g., whatsapp-mcp)
+      guardrails:
+        secrets: block # block calls/results with secrets
+
+        custom_guardrails:
+          - name: "Filter tool results with 'error'"
+            id: "error_filter_guardrail"
+            action: block # or just 'log'
+            content: |
+              raise "An error was found." if:
+                (msg: ToolOutput)
+                "error" in msg.content
 ```
 From then on, all calls proxied via `mcp-scan proxy` will be checked against your configured guardrailing rules for the current client/server.