[role]
name = "explorer"
display-name = "explorer + cargo-check (read-only analyst with build probe)"
description = "Read-only analyst that may run cargo-family commands for build/test introspection. No edits, no git, no non-cargo shell."
spawnable = true
claude-subagent-type = "Explore"

[capabilities]
# Ordered list — text.md fragments concatenated in this order
required = [
  "tools::read-only",
  "tools::cargo-only-bash",
  "output::report-format",
  "output::severity-grade",
]

[tools]
# Tool allowlist — anything not in this list is denied
allowed = ["Read", "Glob", "Grep", "WebFetch", "Bash"]
# Bash restricted by tools::cargo-only-bash — cargo invocations only
bash-patterns-allowed = ['^cargo( |$)']

[escalation]
policy = "ask-via-return"