load_mcp_server_trust_lists(
config_path: Path | None = None,
) -> McpServerTrustLists| Name | Type | Description |
|---|---|---|
config_path | Path | None | Default: NoneConfig file to read. Defaults to |
Load per-server project MCP allow/deny lists from user-level config.
Security boundary: this reads the [mcp] table only from the user-level
config.toml (DEFAULT_CONFIG_PATH, i.e. ~/.deepagents/config.toml) and
the DEEPAGENTS_CODE_ENABLED_PROJECT_MCP_SERVERS /
DEEPAGENTS_CODE_DISABLED_PROJECT_MCP_SERVERS process env vars — never from
a project's .mcp.json or any repo-committed file. There is no
project-level config.toml discovery, so an attacker who commits a
malicious .mcp.json plus an in-repo config cannot pre-approve their own
servers; the approval must live in the user's home config. This mirrors
Claude Code's "untrusted folder → only non-checked-in settings" rule.
Source resolution differs by list, matching each one's security direction:
enabled (permissive): the env var, when set, replaces the TOML list
(env-beats-config, as elsewhere). Clearing it via an empty env value is
fail-closed — it only ever pre-approves fewer servers.disabled (restrictive): the env var unions with the TOML list — denies
accumulate and a lower-effort source can never silently empty a deny
entry set in the other, which would be a fail-open. There is
deliberately no way to remove a configured deny via env.Rejection wins: a name appearing in both the enabled and disabled result is
reported only in disabled.