Feature request: Support GitLab path-scoped trust entries in git_domains
Summary
dotagents currently does not appear to honor path-scoped trust entries for GitLab sources. A trust entry like gitlab.com/gitlab-org/ai does not allow a source such as https://gitlab.com/gitlab-org/ai/skills, which forces users to trust the entire gitlab.com domain instead of a narrower GitLab group or repository path.
This makes least-privilege trust difficult for GitLab-hosted skills and creates a gap relative to the GitHub trust model, which already supports more granular trust by org and repo.
Environment
- dotagents version: 1.17.0
- OS: macOS
- Command: dotagents install --user
- Source type: GitLab HTTPS source
Reproduction
Use a config like this:
[[skills]]
name = "*"
source = "https://gitlab.com/gitlab-org/ai/skills"
ref = "main"
exclude = [
"gitlab-clickhouse",
"gitlab-psql",
"self-service-performance-testing",
"run-in-tmux-pane",
]
[trust]
git_domains = ["gitlab.com/gitlab-org/ai"]
Then run:
dotagents install --user
Actual result
dotagents rejects the source as untrusted:
Source "https://gitlab.com/gitlab-org/ai/skills" is not trusted.
Expected result
A trust entry scoped to gitlab.com/gitlab-org/ai should allow descendants under that path. Sibling paths outside that scope should remain untrusted.
Impact
This blocks users from using a narrow trust policy for GitLab-hosted sources and forces them to trust all of gitlab.com, which is broader than many users want for security or compliance reasons.
Request
Please add or document GitLab trust behavior so path-scoped entries work consistently for GitLab sources, ideally with parity to the existing GitHub trust granularity.
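The matching behaviour requested above (descendants allowed, siblings rejected), as an added example that is not dotagents code and not part of the original issue. All function names are hypothetical; treating a host-only entry as trusting the whole host, rejecting non-HTTPS sources and percent-encoded paths, and comparing path segments case-sensitively are assumptions of this example.

```javascript
// Added illustration, not dotagents code. All function names are hypothetical.

// Parse a trust entry such as "gitlab.com/gitlab-org/ai" into host + path segments.
function parseTrustEntry(entry) {
  const [host = "", ...segments] = entry.trim().split("/").filter(Boolean);
  return { host: host.toLowerCase(), segments };
}

// Parse a source URL with the WHATWG parser so "." and ".." segments are
// resolved before any comparison. Returns null for anything not plain HTTPS.
function parseSource(source) {
  let url;
  try {
    url = new URL(source);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  // Assumption: reject percent-encoding in the path (e.g. "%2F") rather than
  // guess how the server decodes it. Fail closed.
  if (url.pathname.includes("%")) return null;
  const segments = url.pathname.split("/").filter(Boolean);
  if (segments.length > 0) {
    // A trailing ".git" names the same repository, so drop it before matching.
    segments[segments.length - 1] = segments[segments.length - 1].replace(/\.git$/, "");
  }
  // url.host is lowercased and keeps a non-default port, so "gitlab.com:8443"
  // does not match an entry for "gitlab.com".
  return { host: url.host, segments };
}

// True when some entry has the same host and its path is a whole-segment
// prefix of the source path. Segments compare exactly (case-sensitive), so
// "gitlab-org/ai" never matches "gitlab-org/ai-other".
function isTrustedSource(source, trustEntries) {
  const src = parseSource(source);
  if (src === null) return false;
  return trustEntries.map(parseTrustEntry).some(
    (entry) =>
      entry.host !== "" &&
      entry.host === src.host &&
      entry.segments.length <= src.segments.length &&
      entry.segments.every((seg, i) => seg === src.segments[i])
  );
}
```

Comparing whole segments after URL parsing, rather than testing a string prefix, is what keeps sibling groups and look-alike hosts outside the trusted scope.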