diff --git a/config/bascule-dev.toml b/config/bascule-dev.toml
new file mode 100644
index 0000000..c7adeb2
--- /dev/null
+++ b/config/bascule-dev.toml
@@ -0,0 +1,13 @@
+# Bascule dev configuration — permissive auth for local development.
+# Run: bascule --config config/bascule-dev.toml
+
+listen_addr = "127.0.0.1:2223"
+ca_key_path = "/dev/null"
+host_key_path = "/dev/null"
+dispatch_mode = "direct"
+auth_mode = "permissive"
+
+[elevation]
+operator_ttl_secs = 3600
+admin_ttl_secs = 1800
+emergency_ttl_secs = 900
diff --git a/config/bascule-hetzner.toml b/config/bascule-hetzner.toml
new file mode 100644
index 0000000..a48ce6f
--- /dev/null
+++ b/config/bascule-hetzner.toml
@@ -0,0 +1,14 @@
+# Bascule Hetzner configuration — reference only.
+# The actual Bascule on Hetzner is deployed as a K8s pod.
+# This file documents the connection details for bascule-proxy.
+
+# Hetzner Bascule is at NodePort 30222 on any worker node:
+# 178.104.110.197:30222 (okd-worker-0)
+# 178.104.110.212:30222 (okd-worker-1)
+# 91.98.67.43:30222 (okd-worker-2)
+#
+# Auth: OIDC via Keycloak at auth.guildhouse.dev
+# Realm: depends on deployment (guildhouse-ops, entropy-opposition, etc.)
+#
+# Pod: bascule-gateway in guildhouse-infra namespace
+# Service: bascule-gateway:2222 (ClusterIP) → NodePort 30222
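Review bot: In config/bascule-dev.toml, `auth_mode = "permissive"` combined with `ca_key_path` and `host_key_path` pointing at `/dev/null` means the loopback value of `listen_addr` is the only thing keeping this gateway private, and the file does not say so. A comment above `auth_mode` would make the dependency explicit, for example `# permissive auth is only safe while listen_addr stays on 127.0.0.1; never reuse this file on a routable interface`. The loader is not part of this diff, so it is worth confirming that it refuses to start in permissive mode when `listen_addr` is not a loopback address, since a one-line edit to this file would otherwise expose an unauthenticated gateway. It would also help to state in a comment what the service is expected to do with an empty key file, since that behaviour cannot be seen here.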
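Review bot: In config/bascule-hetzner.toml the three worker-node public addresses, the NodePort, the Keycloak hostname and the realm names are committed as comments, which places a production exposure inventory in every clone of the repository and will go stale when nodes are replaced. Consider replacing the literal addresses with a DNS name or a pointer to the ops runbook, e.g. `# Endpoint: <gateway DNS name>:30222 (node addresses: see ops runbook)`. The file also defines no keys, so passing it to `--config` would presumably load defaults only; a first-line comment such as `# Documentation only: not a loadable config, do not pass to --config` would make that explicit.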