Tighten deep-research least-privilege roles and internal allowlisting #315

@Christoffer91

Description

Problem

Deep-research should be explicit and fail-closed about both role assignment and internal agent-to-agent access. Today, role inference and broad allowlisting can make workflow permissions wider than intended.

For a workflow built around planner / orchestrator / scout / analyst / skeptic / verifier / writer separation, this is too permissive.

Goal

Tighten deep-research so that:

  • roles are explicit
  • unknown or missing roles fail closed
  • internal allowlisting is no broader than necessary
  • the workflow follows least-privilege more strictly

Scope

Update workflow installation/policy handling so deep-research is stricter about:

  • explicit role assignment
  • role validation
  • internal agent-to-agent allowlisting
  • keeping orchestration powers limited to the agents that actually need them

Primary files

  • src/installer/install.ts
  • src/installer/subagent-allowlist.ts
  • src/installer/workflow-spec.ts
  • workflows/deep-research/workflow.yml

Implementation notes

  • Deep-research agents should have explicit roles
  • Missing or unknown roles should fail rather than silently falling back to inference in security-relevant paths
  • Internal allowlisting should be audited and narrowed where possible
  • Keep orchestrator responsibilities separate from research/synthesis/verifier roles

Acceptance criteria

  • workflows with missing roles fail validation
  • workflows with unknown roles fail validation
  • deep-research internal allowlisting is narrower and explicit
  • least-privilege boundaries are clearer and not dependent on agent name heuristics

Test plan

Add tests for:

  • missing role fails validation
  • unknown role fails validation
  • explicit roles install correctly
  • internal allowlisting is restricted as expected for deep-research
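As an added illustration of the behaviour the implementation notes, acceptance criteria and test plan above ask for, here is a small TypeScript sketch of a fail-closed role validator and a role-keyed internal allowlist. This is example code written for this page, not the project's own src/installer/workflow-spec.ts or src/installer/subagent-allowlist.ts. The seven role names come from the issue; the AgentSpec/WorkflowSpec shapes, the contents of the allowlist table, the sample spec and the function names (validateRoles, buildAllowlist, mayCall, installAllowlist) are assumptions.

```typescript
// Added illustrative example, not the project's installer code. Role names
// are from the issue; spec shapes, allowlist table and function names are
// assumptions for this example.

export const DEEP_RESEARCH_ROLES = [
  "planner", "orchestrator", "scout", "analyst", "skeptic", "verifier", "writer",
] as const;
export type Role = (typeof DEEP_RESEARCH_ROLES)[number];

export interface AgentSpec {
  name: string;
  role?: string; // optional on input so that a missing role is detectable
}
export interface WorkflowSpec {
  name: string;
  agents: AgentSpec[];
}
export interface ValidatedAgent {
  name: string;
  role: Role;
}

function isRole(value: unknown): value is Role {
  return typeof value === "string" && (DEEP_RESEARCH_ROLES as readonly string[]).includes(value);
}

// Fail-closed role validation: every agent needs an explicit role from the
// closed set. Missing or unknown roles throw; nothing is inferred from the
// agent's name. Problems are collected so one run reports all of them.
export function validateRoles(spec: WorkflowSpec): ValidatedAgent[] {
  const errors: string[] = [];
  const out: ValidatedAgent[] = [];
  for (const agent of spec.agents) {
    if (agent.role === undefined || agent.role === "") {
      errors.push(`agent "${agent.name}": missing role`);
    } else if (!isRole(agent.role)) {
      errors.push(`agent "${agent.name}": unknown role "${agent.role}"`);
    } else {
      out.push({ name: agent.name, role: agent.role });
    }
  }
  if (errors.length > 0) {
    throw new Error(`workflow "${spec.name}" failed role validation:\n  ${errors.join("\n  ")}`);
  }
  return out;
}

// Internal agent-to-agent allowlist keyed by role (assumed table): only the
// orchestrator delegates to the research/synthesis/verifier roles, the planner
// talks only to the orchestrator, and every other role can only report back.
export const INTERNAL_ALLOWLIST: Readonly<Record<Role, readonly Role[]>> = {
  planner: ["orchestrator"],
  orchestrator: ["planner", "scout", "analyst", "skeptic", "verifier", "writer"],
  scout: ["orchestrator"],
  analyst: ["orchestrator"],
  skeptic: ["orchestrator"],
  verifier: ["orchestrator"],
  writer: ["orchestrator"],
};

// Expand the role table into a per-agent allowlist. Lookup is by validated
// role, so an agent named "orchestrator-helper" with role "scout" receives
// scout permissions, never orchestrator permissions.
export function buildAllowlist(agents: ValidatedAgent[]): Map<string, Set<string>> {
  const namesByRole = new Map<Role, string[]>();
  for (const a of agents) {
    namesByRole.set(a.role, [...(namesByRole.get(a.role) ?? []), a.name]);
  }
  const allow = new Map<string, Set<string>>();
  for (const a of agents) {
    const targets = new Set<string>();
    for (const role of INTERNAL_ALLOWLIST[a.role]) {
      for (const name of namesByRole.get(role) ?? []) {
        if (name !== a.name) targets.add(name);
      }
    }
    allow.set(a.name, targets);
  }
  return allow;
}

// Default deny: an unknown caller or an unlisted target is refused.
export function mayCall(allow: Map<string, Set<string>>, from: string, to: string): boolean {
  return allow.get(from)?.has(to) ?? false;
}

// Constructed sample spec, plus the install-time path that ties validation and
// allowlisting together: validation throws before anything is installed.
export const SAMPLE_SPEC: WorkflowSpec = {
  name: "deep-research",
  agents: [
    { name: "plan", role: "planner" },
    { name: "orch", role: "orchestrator" },
    { name: "scout-1", role: "scout" },
    { name: "writer-1", role: "writer" },
  ],
};
export function installAllowlist(spec: WorkflowSpec): Map<string, Set<string>> {
  return buildAllowlist(validateRoles(spec));
}
```

The point of keying the table by role rather than by agent name is the last acceptance criterion: renaming an agent, or giving it a name that merely looks like an orchestrator, changes nothing about what it may call, and a spec that omits or misspells a role is rejected at install time rather than being quietly widened by inference.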

Non-goals

  • full workflow architecture redesign
  • generic taint engine
  • local-context preflight
