chore(capacity,triage): configure capacity buckets + widen triage scope for directive

[MScottAdams]

Summary

Dogfoods the #1419 capacity-allocation engine on directive itself and widens the triage subscription to the framework's architecture labels. Config-only — no framework code changes.

• Capacity buckets — adds plan.policy.capacityAllocation to PROJECT-DEFINITION.vbrief.json: 4 advisory buckets (new-capability 45% / technical-debt 20% / agentic-debt 20% / cognitive-debt 15%), 30-day window, minSampleSize 20, defaultBucket: new-capability. Match labels grounded in directive's actual label set.
• Triage scope — extends plan.policy.triageScope with 5 framework-architecture labels (source-of-truth, rfc, patterns, context-engineering, determinism); append-only audit rows recorded in vbrief/.eval/subscription-history.jsonl.

Current behavior

Capacity runs in advisory mode (source: typed, verify:capacity OK). It will stay advisory until either the backfill tool (#1606) classifies the existing completed vBRIEFs, or ~20 new completions accrue via scope:complete. This is the expected forward-only-until-backfill path.

Follow-ups filed

• feat(capacity): ship the deferred capacity:backfill tool (#1419 history classifier) #1606 — ship the deferred task capacity:backfill tool + brownfield cold-start → backfill nudge
• feat(capacity,onboarding): offer capacity-bucket setup in greenfield onboarding (triage:welcome --onboard + setup skill) #1608 — greenfield onboarding: offer capacity-bucket setup in triage:welcome --onboard / setup skill

Test plan

• python -m json.tool — PROJECT-DEFINITION is valid JSON
• task capacity:show — source: typed, all 4 buckets render
• task verify:capacity — OK (advisory posture)
• task validate — all 809 markdown files pass
• task check — 7665 passed, 5 skipped
• pre-commit + pre-push gates (branch-protection, encoding) pass

Notes

No CHANGELOG.md entry: this configures directive's own project policy (dogfooding), not consumer-facing framework behavior. Refs #1419.

[greptile-apps]

Greptile Summary

This config-only PR dogfoods the capacity-allocation engine on the directive project itself and widens the triage subscription to 5 framework-architecture labels.

• Capacity buckets: Adds capacityAllocation to PROJECT-DEFINITION.vbrief.json with 4 advisory buckets (new-capability 45% / technical-debt 20% / agentic-debt 20% / cognitive-debt 15%), a 30-day window, minSampleSize: 20, and defaultBucket: \"new-capability\". Targets sum exactly to 1.0 and all 5 newly scoped labels have explicit bucket homes.
• Triage scope: Extends triageScope with source-of-truth, rfc, patterns, context-engineering, and determinism; each addition is recorded as an append-only audit row in subscription-history.jsonl, though the new rows use a different actor handle (user:msadams) than the two existing rows (user:msada).

Confidence Score: 4/5

Safe to merge with one data quality fix: the actor identifier in the new subscription-history rows differs from the existing rows, fragmenting the audit trail for this user.

The PROJECT-DEFINITION.vbrief.json changes are clean — bucket targets sum to 1.0, all five new triage labels have explicit bucket homes, and the updated timestamp is current. The only real concern is in subscription-history.jsonl, where the two historical rows record actor user:msada but the five new rows record user:msadams. Because this is an append-only audit log, any tooling that filters by actor will see an incomplete picture of this user's subscription history.

vbrief/.eval/subscription-history.jsonl — actor handle inconsistency between existing and new rows.

Important Files Changed

Filename	Overview
vbrief/.eval/subscription-history.jsonl	Appends 5 new subscription-change audit rows for framework-architecture labels; existing rows use actor "user:msada" but new rows use "user:msadams", breaking attribution consistency in the append-only audit log.
vbrief/PROJECT-DEFINITION.vbrief.json	Adds 5 labels to triageScope and a 4-bucket capacityAllocation config (targets sum to 1.0, all new triage labels have an explicit bucket home, enforcement set to "advise"); updated timestamp is current.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Labeled Issue] --> B{Label in triageScope?}
    B -- No --> C[Ignored by triage]
    B -- Yes --> D{Label matches a bucket?}
    D -- new-capability labels\nenha, beta, skills --> E[new-capability 45%]
    D -- technical-debt labels\nrefactor, test-debt, bug,\ntooling, ci-cd --> F[technical-debt 20%]
    D -- agentic-debt labels\nharness, context-engineering,\ndeterminism, patterns, etc. --> G[agentic-debt 20%]
    D -- cognitive-debt labels\ndocs, source-of-truth,\nrfc, design, etc. --> H[cognitive-debt 15%]
    D -- No match --> I[defaultBucket: new-capability]
    E & F & G & H & I --> J[capacityAllocation report\nenforcement: advise]

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
vbrief/.eval/subscription-history.jsonl:3-7
**Actor identifier mismatch breaks audit attribution**

The two existing rows use `"actor": "user:msada"` while all five new rows use `"actor": "user:msadams"`. Any tooling that queries this audit log by actor (e.g., `actor == "user:msada"`) will silently miss these new subscription events, and a query for `"user:msadams"` will miss the historical ones. The entire subscription history for this user is now split across two distinct identifiers, making the log unreliable as a complete audit trail. If `msadams` is the correct handle, the two old rows should be corrected; if `msada` is canonical, the new rows need updating.

_{Reviews (2): Last reviewed commit: "fix: address Greptile review findings (b..." | Re-trigger Greptile}

[deft-slizard]

Machine-readable verdict

{
  "slizard_verdict": {
    "schema_version": 1,
    "decision": "comment",
    "severity": {
      "P0": 0,
      "P1": 0,
      "P2": 0,
      "P3": 0
    },
    "confidence": 0.46,
    "decision_confidence": 0.46,
    "finding_count": 0,
    "merge_impact": "non-blocking",
    "version": "slizard v0.3.1347",
    "analysis_outcome": "clean_without_rationale",
    "head_sha": "65fb014c7ceb196727c6b5b676e1603c23628c5f"
  }
}

**SLizard Review** — 0 findings across 2 file(s) · confidence 0.46

⚠️ Low-confidence clean review — 0 findings at confidence 0.46 (below 0.60). The reviewer could not confirm whether zero findings reflects clean code or insufficient analytical depth.

Files reviewed:

• vbrief/.eval/subscription-history.jsonl
• vbrief/PROJECT-DEFINITION.vbrief.json

Unchecked dimensions

The following analytical categories could not be verified in this review:

• Call graph: no edges resolved for changed files
• Import specifiers: not cross-referenced against manifest
• Codebase context: limited retrieval (0 chunks)

Recommendation: A human reviewer should spot-check the files above, especially those with risk tags.

All deterministic checks passed. The confidence gap is in the LLM analytical layer — the categories listed above were not verified.

⚠️ Confidence gap: This review produced 0 findings at confidence 0.46 (below 0.60). No clean-review rationale was captured — the reviewer cannot confirm whether the clean result reflects genuine absence of issues or insufficient analytical confidence. Manual review is recommended.

Deterministic checks: passed — vBRIEF traceability checks passed.

Review coverage

• Reviewed files: vbrief/.eval/subscription-history.jsonl, vbrief/PROJECT-DEFINITION.vbrief.json
• Skipped files: none
• Source: github @ 65fb014c7ceb

Context used

• Static findings: 1
• Static tools: description-diff-consistency
• Graph/blast radius: 0 changed node(s), 0 affected node(s)
• Vector context chunks: 0
• Context availability: full
• Review categories: default
• Deterministic checks:
  398/399 passed, 1 failed: description-diff-consistency

  vbrief-traceability=passed, markdown-fences=passed, unused-exports=passed, query-docstring=passed, xss-sprintf=passed, markdown-xref=passed, aria-target=passed, semantic-role=passed, aria-containment=passed, redundant-assertion=passed, tautological-assertion=passed, resource-lifecycle=passed, cross-diff-consistency=passed, redundant-css-block=passed, template-placeholder=passed, void-async-signal=passed, spread-override=passed, json-indent-consistency=passed, dep-swap=passed, powershell-scoping=passed, diff-truncation=passed, exception-type-contract=passed, dead-none-guard=passed, access-declaration=passed, unused-option=passed, css-property-interaction=passed, jsx-style-indent=passed, regex-breadth=passed, cartesian-fan-out=passed, exec-stdout-parse=passed, sentinel-error-wiring=passed, hardcoded-filemode=passed, api-response-shape=passed, python-cli-arg=passed, taskfile-namespace=passed, vbrief-schema=passed, go-shell-injection=passed, go-discarded-error=passed, go-json-field-exposure=passed, go-mutable-exported-slice=passed, go-silent-error-branch=passed, go-comment-log-contradiction=passed, go-unconditional-message=passed, inline-style-proliferation=passed, unnecessary-nonnull-assertion=passed, double-cast=passed, unguarded-await-cast=passed, ssrf-guard-completeness=passed, error-message-leak=passed, puppeteer-resource-cap=passed, trivial-argument=passed, unused-imports=passed, duplicate-import=passed, dead-store=passed, phantom-import=passed, fetch-timeout-guard=passed, log-level-expected-path=passed, unified-diff-construction=passed, sentinel-index-assertion=passed, unguarded-map-lookup=passed, unbounded-prompt-injection=passed, description-diff-consistency=failed, render-branch-symmetry=passed, go-gorm-unchained-error=passed, go-gorm-rowsaffected-noop=passed, error-handling-loop-break=passed, sync-state-batching=passed, sync-revoke-object-url=passed, go-like-wildcard-injection=passed, go-basename-dedup-gap=passed, go-missing-seed-in-migrate=passed, go-write-then-read-unfiltered=passed, go-direct-db-access=passed, async-handler-try-catch=passed, chat-sdk-history=passed, dead-code-ternary=passed, go-context-background=passed, go-git-arg-order=passed, go-n-plus-one=passed, go-nested-transaction=passed, go-ref-injection=passed, go-scanner-error=passed, go-toctou-db=passed, go-unused-validated-field=passed, hardcoded-literal=passed, hardcoded-undefined-field=passed, python-exception=passed, python-path-construction=passed, python-isdigit-int=passed, deprecated-python-utcnow=passed, python-variable-shadow=passed, frozen-dataclass-mutable-field=passed, sentinel-value=passed, sibling-constant=passed, url-interpolation=passed, jsx-guard-removal=passed, asymmetric-clamp=passed, optional-prop-guard=passed, server-lifecycle=passed, go-asymmetric-org-scope=passed, fetch-body-scope-omission=passed, regex-breadth-inconsistency=passed, typeof-object-array-guard=passed, test-production-divergence=passed, argument-axis-mismatch=passed, click-propagation-gap=passed, sanitization-gap=passed, response-shape-consistency=passed, keydown-target-guard=passed, changelog-test-count=passed, unbounded-metadata-assignment=passed, unchecked-json-response=passed, response-body-leak=passed, json-syntax=passed, requestid-route-param=passed, dict-key-as-value=passed, redundant-transitive-call=passed, incomplete-iteration=passed, empty-nested-array-return=passed, call-site-parameter-consistency=passed, markdown-heading-level=passed, cross-section-order-contradiction=passed, dangling-reference=passed, typescript-compilation=passed, go-compilation=passed, useref-dead-store=passed, fetch-redirect-guard=passed, response-body-buffering=passed, svg-content-type=passed, conditional-mode-exclusion=passed, join-separator-inconsistency=passed, prompt-injection-guard=passed, asymmetric-guard=passed, unsafe-json-cast=passed, storage-unsafe-cast=passed, markdown-single-line-interpolation=passed, postmessage-origin-guard=passed, css-iframe-scope=passed, markdown-entry-completeness=passed, python-set-duplicate=passed, state-setter-symmetry=passed, changelog-sibling-truncation=passed, ternary-exhaustiveness=passed, exclusive-output-constraint=passed, nullish-fallback-regression=passed, shell-pipefail=passed, vbrief-acceptance-contradiction=passed, css-property-diff=passed, go-sync-call-labeled-background=passed, prompt-guardrail-conflict=passed, prompt-identity-duplication=passed, asymmetric-truncation=passed, claim-source-tracing=passed, go-duplicate-event-publish=passed, go-create-without-cleanup=passed, go-find-then-create-without-cleanup=passed, go-persist-without-validate=passed, ts-put-without-get=passed, go-fetch-id-without-liveness=passed, go-event-subscribe-without-publish=passed, go-log-aggregation-run-scoping=passed, falsy-string-fallback=passed, useeffect-unstable-prop-dep=passed, unused-state-read=passed, blob-mime-mismatch=passed, parseint-nan-guard=passed, shared-state-across-map=passed, context-menu-click-guard=passed, touch-action-ancestor=passed, usestate-innerwidth-matchmedia=passed, prefix-match-loop=passed, hardcoded-new-field=passed, enum-subset-completeness=passed, optional-guard-fallthrough=passed, html-template-token=passed, label-association=passed, empty-src-img=passed, jsx-prose-link-mismatch=passed, try-catch-scope=passed, viewport-meta-accessibility=passed, go-github-api-response-id=passed, go-github-api-pagination=passed, go-gorm-first-without-errrecordnotfound=passed, fetch-cache-consistency=passed, oauth-session-state-binding=passed, go-switch-exhaustiveness=passed, go-test-mutex-asymmetry=passed, nextjs-suspense-boundary=passed, nullable-nested-response=passed, nullish-coalesce-empty-url=passed, asymmetric-callback-state-reset=passed, go-docstring-contract-mismatch=passed, replace-dollar-pattern=passed, conditional-fallthrough-gap=passed, sanitization-completeness=passed, bare-selector-fallback=passed, element-inspector-metadata=passed, sanitization-context-mismatch=passed, json-escape-completeness=passed, catch-block-guard-parity=passed, early-exit-guard-subset=passed, html-escape-context-collision=passed, cross-file-inline-duplication=passed, collection-gate-ordering=passed, regex-denylist-anchor-gap=passed, handler-validation-symmetry=passed, go-http-handler-body-persist-without-authz=passed, go-first-element-without-disambiguation=passed, ternary-wrapper-asymmetry=passed, promise-then-without-outer-catch=passed, effect-persist-hydration-race=passed, css-animation-ref=passed, idb-open-lifecycle=passed, interactive-role-mismatch=passed, array-duplicate-field=passed, mid-file-static-import=passed, changelog-section-deletion=passed, comment-anchored-regex=passed, source-string-test=passed, weak-version-sort-assertion=passed, stale-state-getter-deps=passed, diff-eof-newline=passed, screenshot-timeout-cdn=passed, go-sprintf-json-body=passed, go-deft-install-deposit=passed, go-deft-install-bootstrap=passed, observer-boundary-mismatch=passed, hook-return-shape-mismatch=passed, layout-record-flat-coord-access=passed, raw-vs-effective-state=passed, unstable-mapped-key=passed, parallel-state-init-divergence=passed, value-callback-prop-coherence=passed, cap-expansion-order=passed, cross-file-comment-claim=passed, useeffect-cleanup=passed, filter-ratio-threshold=passed, setter-argument-asymmetry=passed, panel-scoped-notification=passed, unawaited-async-dependency=passed, prompt-html-anti-pattern=passed, go-empty-collection-write-guard=passed, go-inconsistent-error-wrapping=passed, sentinel-substring-guard=passed, hardcoded-color-in-themed-context=passed, modal-escape-handler=passed, property-read-without-write-path=passed, iframe-nav-intercept-completeness=passed, tagname-case-sensitivity=passed, guard-clause-subsumption=passed, effect-cleanup-race=passed, style-template-injection=passed, textarea-min-height=passed, greedy-lookahead-futility=passed, window-open-null-guard=passed, orphaned-ambient-declaration=passed, char-ordinal-bounds=passed, stale-ref-callback-race=passed, missing-init-check=passed, stderr-redirect=passed, gitignore-tracked-file=passed, eager-defeats-lazy-import=passed, redundant-call-in-scope=passed, test-source-list-diff=passed, mixed-dict-access-pattern=passed, md-fragile-regex-lookahead=passed, misleading-none-branch=passed, discarded-validation-return=passed, loopback-range=passed, trust-proxy=passed, fly-toml-schema=passed, dockerfile-copy-shell-op=passed, dockerfile-build-secret=passed, string-dispatch=passed, python-toctou-file-lock=passed, python-non-reentrant-lock=passed, go-sibling-handler-guard=passed, stale-test-assertion=passed, go-batch-response-counter=passed, go-single-status-error-handler=passed, go-base64-body-size-mismatch=passed, dict-write-lookup-asymmetry=passed, identical-branch=passed, postmessage-targetorigin-regression=passed, react-namespace-import=passed, comment-payload-contradiction=passed, conditional-gating-dead-path=passed, go-mock-interface-completeness=passed, toggle-setter-mismatch=passed, localhost-in-allowlist=passed, unawaited-waitfor=passed, cli-example-validator=passed, python-tz-comparison-asymmetry=passed, missing-wildcard-guard=passed, react-ref-hydration-trigger=passed, react-unused-callback-dep=passed, scope-intent-mismatch=passed, supabase-join-path-mismatch=passed, incomplete-optional-property-guard=passed, retry-reenqueue-without-guard=passed, stale-self-call-in-callback=passed, empty-body-control-flow=passed, self-increment-comparison=passed, sequential-replace-dedup=passed, breaking-export-removal=passed, vacuous-test-assertion=passed, silent-fallible-coalesce=passed, dual-threshold-warning=passed, unresolved-relative-import=passed, coalescing-callback-dispatch=passed, removed-event-propagation-stopper=passed, jsx-inline-style-scope-leak=passed, hook-after-early-return=passed, fs-access-overwrite=passed, type-import-divergence=passed, conditional-state-no-clear=passed, gated-operation-silent-persist=passed, hardcoded-sentinel-dead-path=passed, swift-filepath-disclosure=passed, swift-lba-overflow=passed, swift-xpc-listener-validation=passed, python-weak-substring-match=passed, python-docstring-class-ref=passed, python-autonomy-enabled-guard=passed, python-reviewer-disagreement-reason=passed, python-mirror-function=passed, python-unused-subprocess-output=passed, python-narrow-exception-handler=passed, python-service-replay-except-gap=passed, usememo-missing-dep=passed, localstorage-stale-cache=passed, localstorage-scope=passed, dead-action-variant=passed, switch-param-forwarding-gap=passed, changelog-entry-style=passed, artifact-conversation-log-kind=passed, artifact-export-placeholder-regex=passed, artifact-card-scope-slug-collision=passed, vbrief-edge-completeness=passed, pr-body-vbrief-scope=passed, abort-signal-timeout-guard=passed, whitespace-control-char=passed, transient-error-permanent-state=passed, unused-variable=passed, postmessage-source-null-check=passed, atob-encoding-check=passed, phantom-identity-fallback-check=passed, workflow-comment-secret=passed, rls-circular-dep=passed, writable-stream-abort=passed, error-type-shadowing=passed, unguarded-iteration-component=passed, ci-checksum-provenance=passed, drizzle-updated-at-hook=passed, auth-allowlist-open-fallback=passed, nextauth-v5-env-naming=passed, process-env-nonnull-assertion=passed, ci-build-missing-secrets=passed, react-error-cache-nav-reset=passed, shell-injection-template=passed, flag-reset=passed, excess-property=passed, timestamp-sanitization-reuse=passed, boolean-null-guard=passed, catch-typeof-swallow=passed, optional-strict-compare=passed, leaked-debug-text=passed, inconsistent-component-import=passed, wrong-domain-copy=passed, unconditional-lfs-filter=passed, toml-config-injection=passed, dead-popen-timeout-except=passed, python-unused-local=passed, async-event-lock-no-recovery=passed, webkit-cancel-compat=passed, dom-cleanup-racing-interaction=passed, nonstandard-code-fence=passed, vba-value2-single-cell=passed, vba-doc-error-handler=passed, officejs-doc-sync-batching=passed, regex-word-boundary-method-name=passed, sliding-window-dedup=passed, double-localstorage-key-write=passed, new-class-missing-option=passed, branch-reset-asymmetry=passed, changelog-placeholder=passed, cockpit-state-before-try=passed, format-conversion-fallthrough=passed, normalize-to-empty=passed, sql-cursor-pagination-index=passed, temporary-debug-flag=passed, debug-console-log=passed, mock-api-preview=passed, canvas-phosphor-lifecycle=passed, theme-codegen=passed, graph-incompleteness=passed, orphaned-module=passed, graph-validation-gap=passed, lockfile-version-suppression=passed
• Degraded context: Decision downgraded: review confidence 0.46 below 0.6 (issue #245).

Suggested verification

• (agent) Spot-check the highest-risk changed files and confirm the clean review did not skip relevant files or context.
• (static) Review 1 deterministic/static finding(s) included in the evidence set.

Agent verification brief

• PR/CR: deftai/directive#1610
• Head SHA: 65fb014c7ceb196727c6b5b676e1603c23628c5f
• Decision: approve
• Highest-risk claims: none
• Reviewed files: vbrief/.eval/subscription-history.jsonl, vbrief/PROJECT-DEFINITION.vbrief.json
• Skipped files: none
• Evidence sources: static analysis, call graph/blast radius, deterministic checks
• Known blind spots: Decision downgraded: review confidence 0.46 below 0.6 (issue #245).

Decision: comment
Merge impact: non-blocking
Review confidence: 0.46
Decision confidence: 0.46
Finding confidence: n/a
Reason: Findings are advisory under the current severity/confidence policy.
Important files: 2 changed file(s) reviewed; no finding hotspots identified.
Review scope: 2 files, 82 additions, 1 deletions

_{slizard v0.3.1347}

[greptile-apps]

Actor identifier mismatch breaks audit attribution

The two existing rows use "actor": "user:msada" while all five new rows use "actor": "user:msadams". Any tooling that queries this audit log by actor (e.g., actor == "user:msada") will silently miss these new subscription events, and a query for "user:msadams" will miss the historical ones. The entire subscription history for this user is now split across two distinct identifiers, making the log unreliable as a complete audit trail. If msadams is the correct handle, the two old rows should be corrected; if msada is canonical, the new rows need updating.

Prompt To Fix With AI

This is a comment left during a code review.
Path: vbrief/.eval/subscription-history.jsonl
Line: 3-7

Comment:
**Actor identifier mismatch breaks audit attribution**

The two existing rows use `"actor": "user:msada"` while all five new rows use `"actor": "user:msadams"`. Any tooling that queries this audit log by actor (e.g., `actor == "user:msada"`) will silently miss these new subscription events, and a query for `"user:msadams"` will miss the historical ones. The entire subscription history for this user is now split across two distinct identifiers, making the log unreliable as a complete audit trail. If `msadams` is the correct handle, the two old rows should be corrected; if `msada` is canonical, the new rows need updating.

How can I resolve this? If you propose a fix, please make it concise.