Non-None when the user's config.toml existed but its trust policy
could not be fully read: the file was unreadable/unparseable, its [mcp]
value was not a table, or its disabled_project_servers was a wrong type
that could not be interpreted as a deny list. Callers must treat this as
fail-closed (do not grant whole-config project trust) and surface it, rather
than proceeding with a deny list that may not have loaded — use load_failed
for that check. Note the resolved enabled/disabled sets are not
necessarily empty here: names from a still-readable source (the env vars)
continue to apply. Excluded from equality so a failed load still compares
equal to empty lists for tests that only care about the resolved names.