Check whether a resolved skill directory has been trusted.
Warning:
This resolves target_dir and checks raw membership; it does NOT do
the resolve()-to-self re-verification that load_trusted_skill_dirs
performs on each stored entry. It is therefore not the
containment-enforcement primitive — enforcement builds the allowlist
from load_trusted_skill_dirs, which drops post-approval symlink swaps.
Use this only for informational "is this exact resolved dir on record?"
checks.
Note that this check happens to fail closed, not open: because it
resolves the query target_dir, a stored directory later swapped for a
symlink is reported not trusted (the query resolves to the swap
target, which is not the stored key), forcing a re-prompt — the safe
direction. It is excluded from enforcement for being an exact-membership
test that skips the resolve-to-self recheck, not because it could grant
access the user never approved.
The lookup resolves target_dir (via _normalize), but trust_skill_dir
stores the expanduser-only _approved_key. In the live flow the two
coincide because callers approve an already-resolved path, so the keys
are identical. A caller that trusted a non-canonical path would see a
false negative here (the only failure direction, and the safe one). Pass
an already-resolved directory to keep the check meaningful.
Directory to check; resolved before lookup.
Path to the trust store file. Defaults to
~/.deepagents/.state/skill_trust.json.