User-level allow/deny lists for project MCP servers, by server name.
Sourced only from the user's own configuration — the home config.toml, the
global ~/.deepagents/.env, and shell-exported env — never from a repo, so a
committed .mcp.json cannot self-approve. A committed project .env is
specifically prevented from setting the env forms of these lists (see
config._PROJECT_DOTENV_DENIED_ENV_KEYS). See load_mcp_server_trust_lists.
The "reject wins" invariant — a name in both lists is only rejected — is
enforced in __post_init__, so every instance is disjoint no matter how it
was constructed; callers need not pre-subtract.
Server names pre-approved to load from an untrusted project config.
Server names always rejected; reject wins over enabled and over trust.
Non-None when the user's config.toml existed but its trust policy
could not be fully read: the file was unreadable/unparseable, its [mcp]
value was not a table, or its disabled_project_servers was a wrong type
that could not be interpreted as a deny list. Callers must treat this as
fail-closed (do not grant whole-config project trust) and surface it, rather
than proceeding with a deny list that may not have loaded — use load_failed
for that check. Note the resolved enabled/disabled sets are not
necessarily empty here: names from a still-readable source (the env vars)
continue to apply. Excluded from equality so a failed load still compares
equal to empty lists for tests that only care about the resolved names.
Whether the user's trust policy failed to load (see read_error).
Callers gating on trust MUST check this and fail closed: a failed load
means a configured deny may be missing, so whole-config project trust
must not be honored. Named so the fail-closed contract is discoverable
rather than resting on every caller remembering the read_error
sentinel.