Skip to main content
~/.agentrelay/trust.yaml is Layer 3 of AgentRelay’s four-layer trust model. It lives on your laptop and gives you fine-grained control over what each teammate’s agent is pre-authorized to do when you accept one of their handoffs. Layer 2 (the permission overlay written by agentrelay install) sets the floor — trust.yaml lets you selectively raise the ceiling for teammates you trust more. The file is read by the MCP server every time you accept a handoff. You can edit it directly or manage it through the agentrelay trust CLI.
The safe default for unknown_teammates.policy is reject. With reject, any handoff from a sender not explicitly listed in teammates: is automatically refused — your agent never sees the content. Switch to allow_with_default_trust only when you’re comfortable with the defaults applied to unlisted senders. When in doubt, list teammates explicitly.

Full schema


Field reference

version

Required. Must be 1. Future schema changes will bump this value and document a migration path.

teammates

A map of teammate handles to per-teammate settings. Each entry can specify: Any field not set for a teammate falls back to the matching value in defaults:.

unknown_teammates

Controls what happens when a handoff arrives from a sender whose handle is not in teammates:.
  • reject — The MCP server refuses the handoff and returns an error to the relay. Your agent never sees the content. This is the safe default.
  • allow_with_default_trust — The handoff is accepted and the values under defaults: are used as the trust overlay. Use this when onboarding a large team and you want a working baseline before everyone is listed explicitly.

blocked

A list of handles that are hard-blocked. The block is checked before any other rule — a handle in blocked: is always rejected, even if it also appears in teammates:. This list is populated by agentrelay block <handle>. Your MCP server rejects handoffs from blocked handles on every evaluation, before returning any content to your agent.

defaults

Fallback values for any trust field not explicitly set on a teammate entry. Also applied to unknown senders when unknown_teammates.policy is allow_with_default_trust.

Glob matching for auto_write_paths

Path patterns are matched as glob prefixes against the file paths passed to Edit and Write tool calls.
  • docs/ matches docs/api.md, docs/setup/quickstart.md, and any file under docs/
  • README.md matches exactly README.md
  • src/api/ matches src/api/users.ts but not src/utils/api.ts
  • Patterns do not need a leading /
A useful pattern is to give a trusted documentation teammate like Carol auto-write access to docs/ and README.md, while keeping everything else on ask. This eliminates the approval prompt for low-risk doc updates without opening up source code writes:
Carol’s agent can update any file under docs/ or README.md directly. An Edit to src/api/users.ts still prompts you.

Strict vs permissive examples


When to use stricter vs looser settings

Use stricter settings (explicit teammates: entries, unknown_teammates: reject) when:
  • Your team is onboarding a new member whose work style you don’t know yet
  • You’ve seen unexpected behavior from an agent in a recent handoff
  • Your machine holds sensitive data or production credentials
  • You’re working on a security-sensitive part of the codebase
Use looser settings (auto_write_paths, allow_with_default_trust) when:
  • You’ve worked with a teammate long enough to trust their agent’s scope
  • The paths involved are low-risk (documentation, generated files, test fixtures)
  • You want to reduce friction for a high-volume, low-risk collaboration pattern

Managing trust from the CLI

You can edit trust.yaml directly in any text editor, or use the agentrelay trust subcommands:
Changes take effect immediately — the MCP server reads the file on every handoff acceptance.

Blocking a teammate

To immediately revoke a teammate’s ability to reach you:
This adds the handle to blocked: in trust.yaml. Your MCP server will reject any incoming handoff from that sender on the next evaluation. To undo:

How trust.yaml fits into the four-layer model

Trust configuration is one layer in a defense-in-depth stack. Even the most permissive trust.yaml settings cannot override the layers above or below: