~/.agentrelay/trust.yaml is Layer 3 of AgentRelay’s four-layer trust model. It lives on your laptop and gives you fine-grained control over what each teammate’s agent is pre-authorized to do when you accept one of their handoffs. Layer 2 (the permission overlay written by agentrelay install) sets the floor — trust.yaml lets you selectively raise the ceiling for teammates you trust more.
The file is read by the MCP server every time you accept a handoff. You can edit it directly or manage it through the agentrelay trust CLI.
Full schema
Field reference
version
Required. Must be 1. Future schema changes will bump this value and document a migration path.
teammates
A map of teammate handles to per-teammate settings. Each entry can specify:
Any field not set for a teammate falls back to the matching value in
defaults:.
unknown_teammates
Controls what happens when a handoff arrives from a sender whose handle is not in teammates:.
reject— The MCP server refuses the handoff and returns an error to the relay. Your agent never sees the content. This is the safe default.allow_with_default_trust— The handoff is accepted and the values underdefaults:are used as the trust overlay. Use this when onboarding a large team and you want a working baseline before everyone is listed explicitly.
blocked
A list of handles that are hard-blocked. The block is checked before any other rule — a handle in blocked: is always rejected, even if it also appears in teammates:. This list is populated by agentrelay block <handle>. Your MCP server rejects handoffs from blocked handles on every evaluation, before returning any content to your agent.
defaults
Fallback values for any trust field not explicitly set on a teammate entry. Also applied to unknown senders when unknown_teammates.policy is allow_with_default_trust.
Glob matching for auto_write_paths
Path patterns are matched as glob prefixes against the file paths passed to Edit and Write tool calls.
docs/matchesdocs/api.md,docs/setup/quickstart.md, and any file underdocs/README.mdmatches exactlyREADME.mdsrc/api/matchessrc/api/users.tsbut notsrc/utils/api.ts- Patterns do not need a leading
/
Strict vs permissive examples
When to use stricter vs looser settings
Use stricter settings (explicitteammates: entries, unknown_teammates: reject) when:
- Your team is onboarding a new member whose work style you don’t know yet
- You’ve seen unexpected behavior from an agent in a recent handoff
- Your machine holds sensitive data or production credentials
- You’re working on a security-sensitive part of the codebase
auto_write_paths, allow_with_default_trust) when:
- You’ve worked with a teammate long enough to trust their agent’s scope
- The paths involved are low-risk (documentation, generated files, test fixtures)
- You want to reduce friction for a high-volume, low-risk collaboration pattern
Managing trust from the CLI
You can edittrust.yaml directly in any text editor, or use the agentrelay trust subcommands:
Blocking a teammate
To immediately revoke a teammate’s ability to reach you:blocked: in trust.yaml. Your MCP server will reject any incoming handoff from that sender on the next evaluation. To undo:
How trust.yaml fits into the four-layer model
Trust configuration is one layer in a defense-in-depth stack. Even the most permissivetrust.yaml settings cannot override the layers above or below: