delimit-cli 4.5.13 → 4.6.0

package/gateway/ai/outreach_substantive.py

@@ -0,0 +1,676 @@
+"""Substantive-outreach payload, gate, and dispatch (LED-2214b).
+
+Implements the autonomous-github-outreach architecture ratified by the
+2026-05-11 deliberation (A1 + Codex payload amendment, B3 + Claude reg-O
+target-side veto, C1 single-responsibility daemon). Transcript:
+``/home/delimit/delimit-private/deliberations/2026-05-11-autonomous-github-outreach-architecture.md``.
+
+The three SHIFT-1 holes this module closes:
+
+* **Empty-payload dispatch** — the old generic ``outreach`` task type
+  could be dispatched on a bare "engage user" target with no evidence
+  anchor. Twenty-nine LEDs (LED-915–965) had to be bulk-cancelled in
+  2026-05 because of this class of failure. The dataclass enforces
+  required evidence fields at construction time, so empty-payload
+  dispatch is structurally impossible.
+* **Reg-O / banking veto** — a perfectly substantive bug report on a
+  banking-fintech repo still violates SHIFT-1 (KYC would deanonymize
+  the operating account). ``is_banking_adjacent`` runs at both the scanner layer
+  (impossible-by-construction) and the submit-time gate (defense in
+  depth) so a regulator-adjacent target never reaches dispatch and
+  never reaches submission.
+* **Covert commercial outreach** — even with a substantive technical
+  anchor, the agent might leak "btw try delimit-cli". The content gate
+  rejects forbidden phrases including our own product names, and
+  requires at least one concrete technical anchor (commit hash, spec
+  path, issue number, or CVE) before allowing submission.
+
+Public surface:
+
+* :class:`SubstantiveCandidate` — typed payload schema for dispatch.
+* :func:`is_banking_adjacent` — reg-O / fintech / banking classifier.
+* :func:`extract_technical_anchors` — anchor extraction for content gate.
+* :func:`check_substantive_content` — content-shape gate.
+* :func:`evaluate_substantive_payload` — composite gate (target then content).
+* :func:`build_candidate_from_github_target` — scanner-level constructor.
+* :func:`dispatch_substantive_outreach` — wraps :func:`dispatch_task`
+  with task_type='outreach_substantive' and the typed payload.
+
+Not part of this module: the daemon (:mod:`ai.outreach_loop_daemon`)
+that ticks scanner → file ledger → dispatch.
+"""
+
+from __future__ import annotations
+
+import logging
+import re
+from dataclasses import asdict, dataclass, field
+from typing import Any, Dict, List, Optional, Tuple
+
+logger = logging.getLogger("delimit.ai.outreach_substantive")
+
+
+# ---------------------------------------------------------------------------
+# Constants — keep these auditable. Edits require panel deliberation per
+# the CLAUDE.md SHIFT-1 constitutional binding.
+# ---------------------------------------------------------------------------
+
+PROPOSED_ACTIONS = ("comment", "issue", "pr")
+
+# CLAUDE.md SHIFT-1 HARD VETO. KYC will deanonymize the operating account
+# on any of these target classes regardless of brand cover, so the target
+# never enters the dispatch queue. Keyword match runs over the repo name +
+# description + topics; any hit blocks the target.
+#
+# Conservative by design — false positives cost zero (we just don't
+# engage), false negatives risk constitutional violation.
+BANKING_ADJACENT_KEYWORDS: Tuple[str, ...] = (
+    # Direct
+    "bank", "banking", "credit-union", "credit union",
+    # Brokerage / capital markets
+    "broker", "brokerage", "securities", "custodian", "custody",
+    "clearinghouse", "clearing-house", "settlement",
+    # Payments / cards
+    "payment", "payments", "card-issuer", "card issuer", "issuer-processor",
+    "acquirer", "merchant-acquirer", "interchange", "ach ", "swift ",
+    # Lending
+    "lender", "lending", "mortgage", "underwriting", "underwrite",
+    # Insurance (reg-adjacent under McCarran-Ferguson)
+    "insurance", "insurer", "reinsurer", "underwriter",
+    # Crypto-fiat onramps (FinCEN-regulated MSBs)
+    "msb", "money-services-business", "money services business",
+    "onramp", "off-ramp", "fiat-onramp",
+    # Wealth / advisors (RIA / IAR regulated)
+    "wealth-management", "wealth management", "registered investment",
+    "ria-firm", "broker-dealer", "broker dealer",
+    # Compliance / AML / KYC vendors (likely reg-O downstream)
+    "aml-platform", "kyc-platform", "kyc-provider", "kyc provider",
+    "bsa-aml", "sanctions-screening", "ofac-screening",
+    # Regulator-adjacent
+    "regulator", "regulatory-reporting", "fr-y-9c", "call-report",
+    "fdic", "occ-supervised", "frb-supervised", "finra", "sec-registered",
+    # Reg-O specifically
+    "reg-o", "regulation-o", "regulation o", "regulation-w",
+    # Stablecoins / fintech with clear bank rails
+    "stablecoin", "neobank", "challenger-bank", "core-banking",
+    "core banking", "ledger-banking", "open-banking",
+)
+
+# Self-references and commercial phrasing the agent must never emit on
+# a third-party repo. Per panel verdict + Codex amendment, we ban our
+# own product names too — substantive contributions stand on technical
+# merit alone, not on naming the upstream tool.
+#
+# Matching is case-insensitive, word-boundary aware where it matters
+# (e.g. "delimit" must not flag "delimited" or "delimiter").
+FORBIDDEN_PHRASES: Tuple[str, ...] = (
+    # Commercial framing
+    "we built", "we made", "we created", "we developed", "we ship",
+    "our tool", "our product", "our cli", "our service", "our platform",
+    "you should try", "you might try", "you may want to try",
+    "you could try", "give it a try", "give us a try",
+    "check out our", "have a look at our", "take a look at our",
+    "btw try", "btw, try", "by the way try",
+    # Generic non-substantive
+    "thanks for the project", "great project", "love the project",
+    "interesting project",
+)
+
+# Word-boundary product names. Ban "delimit" and "delimit-cli" as
+# standalone tokens; don't false-positive on "delimited" or "delimiter".
+FORBIDDEN_PRODUCT_TOKENS: Tuple[str, ...] = (
+    "delimit", "delimit-cli", "delimit.ai", "delimitdev",
+)
+
+# Minimum content length below which a body cannot be substantive
+# regardless of anchors. Calibrated to "two-sentence bug report".
+MIN_BODY_LENGTH = 200
+
+# Patterns for technical-anchor extraction. At least one must hit.
+_COMMIT_HASH_RE = re.compile(r"\b[0-9a-f]{7,40}\b", re.IGNORECASE)
+_ISSUE_REF_RE = re.compile(r"#\d{1,7}\b")
+_CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
+_SPEC_PATH_RE = re.compile(
+    r"(?:^|[\s`])(?:[A-Za-z0-9_\-/\.]+/)?(?:openapi|swagger|asyncapi)"
+    r"[\w\-/]*\.(?:ya?ml|json)\b",
+    re.IGNORECASE,
+)
+_FILE_PATH_RE = re.compile(
+    r"(?:^|[\s`])[A-Za-z0-9_\-/.]+\.(?:py|ts|tsx|js|jsx|go|rs|java|"
+    r"rb|c|cc|cpp|h|md|ya?ml|json|toml|proto)\b"
+)
+
+
+# ---------------------------------------------------------------------------
+# Payload schema
+# ---------------------------------------------------------------------------
+
+
+@dataclass(frozen=True)
+class SubstantiveCandidate:
+    """Typed dispatch payload for substantive github outreach.
+
+    The dataclass is ``frozen=True`` (immutable) and the constructor
+    enforces every required field — there is no path to a partially
+    populated ``SubstantiveCandidate``, which is the entire point of
+    the Codex amendment to A1. The scanner builds one of these or
+    nothing; the dispatcher refuses to fire on anything else.
+
+    Fields:
+        repo: ``owner/name`` of the target repository. Required.
+        category: One of ``pain_thread``, ``adoption_lead``,
+            ``competitor_user``, ``own_repo_activity``. Required.
+        target_artifact: Canonical URL of the artifact we'd act on
+            (the issue, the PR, the repo root, etc.). Required.
+        evidence_refs: Non-empty list of concrete technical anchors
+            extracted from the target — issue numbers, commit hashes,
+            spec paths, CVE IDs. Empty list raises at construction.
+        proposed_action: One of ``comment``, ``issue``, ``pr``.
+        subcategory: Optional finer-grained label (e.g.
+            ``openapi_spec``). Allowed to be empty.
+        venture: Sourcing venture (e.g. ``delimit``). Default ``delimit``.
+        fingerprint: Scanner fingerprint for idempotency. Optional.
+    """
+
+    repo: str
+    category: str
+    target_artifact: str
+    evidence_refs: Tuple[str, ...]
+    proposed_action: str
+    subcategory: str = ""
+    venture: str = "delimit"
+    fingerprint: str = ""
+
+    def __post_init__(self):
+        # Mirror normal validate-on-construct ergonomics for a frozen
+        # dataclass. We use object.__setattr__ only for normalisation
+        # before validation; validation itself just raises.
+        if not self.repo or "/" not in self.repo:
+            raise ValueError(
+                f"SubstantiveCandidate.repo must be 'owner/name', got {self.repo!r}"
+            )
+        if self.category not in {
+            "pain_thread", "adoption_lead", "competitor_user", "own_repo_activity",
+        }:
+            raise ValueError(
+                f"SubstantiveCandidate.category invalid: {self.category!r}"
+            )
+        if not self.target_artifact:
+            raise ValueError("SubstantiveCandidate.target_artifact is required")
+        if not self.evidence_refs:
+            raise ValueError(
+                "SubstantiveCandidate.evidence_refs cannot be empty — "
+                "empty-payload dispatch is structurally forbidden (LED-2214b)"
+            )
+        if self.proposed_action not in PROPOSED_ACTIONS:
+            raise ValueError(
+                f"SubstantiveCandidate.proposed_action must be one of "
+                f"{PROPOSED_ACTIONS}, got {self.proposed_action!r}"
+            )
+        # Coerce evidence_refs to a tuple if a list slipped in. (frozen
+        # dataclasses don't auto-coerce; we go through object.__setattr__.)
+        if not isinstance(self.evidence_refs, tuple):
+            object.__setattr__(self, "evidence_refs", tuple(self.evidence_refs))
+
+    def to_dict(self) -> Dict[str, Any]:
+        d = asdict(self)
+        d["evidence_refs"] = list(self.evidence_refs)
+        return d
+
+
+# ---------------------------------------------------------------------------
+# Reg-O / banking target-side veto
+# ---------------------------------------------------------------------------
+
+
+def is_banking_adjacent(target: Dict[str, Any]) -> Tuple[bool, str]:
+    """Return ``(is_adjacent, matched_keyword)``.
+
+    Scans a target dict for any banking / fintech / regulator-adjacent
+    keyword across the fields the scanner emits today (``canonical_url``,
+    ``rationale``, ``content_snippet``, and the optional ``repo_topics``
+    + ``repo_description`` if present). Match is substring + case
+    insensitive on the lowercased haystack.
+
+    The first-match-wins return makes the logged reason actionable
+    ("matched 'broker-dealer' in repo_description"). Callers should
+    treat any True return as a hard veto — no override path exists at
+    the scanner layer, by design.
+    """
+    haystack_parts: List[str] = []
+    for key in (
+        "canonical_url", "rationale", "content_snippet",
+        "repo_topics", "repo_description", "repo", "source_id",
+    ):
+        value = target.get(key)
+        if isinstance(value, list):
+            haystack_parts.extend(str(v) for v in value)
+        elif value is not None:
+            haystack_parts.append(str(value))
+    haystack = " ".join(haystack_parts).lower()
+    for kw in BANKING_ADJACENT_KEYWORDS:
+        if kw in haystack:
+            return True, kw
+    return False, ""
+
+
+# ---------------------------------------------------------------------------
+# Technical-anchor extraction + content gate
+# ---------------------------------------------------------------------------
+
+
+def extract_technical_anchors(text: str) -> Dict[str, List[str]]:
+    """Extract all technical anchors found in ``text``.
+
+    Returns a dict with keys ``commits``, ``issues``, ``cves``,
+    ``spec_paths``, ``file_paths``. Empty lists mean nothing of that
+    type was found. A non-empty union across any key is sufficient to
+    satisfy the substantive-content gate.
+
+    Spec paths are matched explicitly (openapi/swagger/asyncapi) and
+    are also captured by the broader file-path regex, but the spec
+    list is the load-bearing signal for adoption-lead targets.
+    """
+    if not text:
+        return {"commits": [], "issues": [], "cves": [], "spec_paths": [], "file_paths": []}
+    return {
+        "commits": _COMMIT_HASH_RE.findall(text),
+        "issues": _ISSUE_REF_RE.findall(text),
+        "cves": _CVE_RE.findall(text),
+        "spec_paths": [m.strip("` ") for m in _SPEC_PATH_RE.findall(text)],
+        "file_paths": [m.strip("` ") for m in _FILE_PATH_RE.findall(text)],
+    }
+
+
+def _hits_forbidden_product_token(text_lower: str) -> Optional[str]:
+    """Return the first product token present as a word, else None."""
+    for token in FORBIDDEN_PRODUCT_TOKENS:
+        pattern = r"\b" + re.escape(token) + r"\b"
+        if re.search(pattern, text_lower):
+            return token
+    return None
+
+
+def check_substantive_content(
+    body: str,
+    proposed_action: str,
+) -> Dict[str, Any]:
+    """Validate a draft body against the SHIFT-1 content rules.
+
+    Order of checks (load-bearing — do not reorder without panel
+    deliberation):
+
+      1. Type / length floor — empty or under-length bodies block.
+      2. Forbidden product tokens — bans our own names (defends against
+         "btw try delimit-cli" class).
+      3. Forbidden commercial phrases — bans the broader "we built /
+         our tool / you should try" class.
+      4. Technical anchor — must have at least one commit hash, issue
+         ref, CVE, spec path, or file path. Without an anchor the body
+         is "thanks for the project" by definition.
+
+    The function does NOT enforce target-side reg-O veto — that lives
+    at :func:`is_banking_adjacent`, called separately by
+    :func:`evaluate_substantive_payload`. Splitting them keeps the
+    failure modes distinguishable in logs and ledger entries.
+
+    Returns:
+        Dict with keys ``verdict`` (``"allow"`` | ``"block"``),
+        ``reason``, ``violations`` (list of strings), ``anchors``
+        (the extracted-anchors dict).
+    """
+    violations: List[str] = []
+    if not isinstance(body, str) or not body.strip():
+        return {
+            "verdict": "block",
+            "reason": "empty_body",
+            "violations": ["body is empty"],
+            "anchors": {},
+        }
+    if proposed_action not in PROPOSED_ACTIONS:
+        return {
+            "verdict": "block",
+            "reason": "invalid_proposed_action",
+            "violations": [f"proposed_action must be one of {PROPOSED_ACTIONS}"],
+            "anchors": {},
+        }
+    if len(body) < MIN_BODY_LENGTH:
+        violations.append(
+            f"body length {len(body)} < MIN_BODY_LENGTH={MIN_BODY_LENGTH}"
+        )
+
+    body_lower = body.lower()
+    product_hit = _hits_forbidden_product_token(body_lower)
+    if product_hit:
+        violations.append(f"forbidden_product_token: {product_hit!r}")
+    for phrase in FORBIDDEN_PHRASES:
+        if phrase in body_lower:
+            violations.append(f"forbidden_phrase: {phrase!r}")
+
+    anchors = extract_technical_anchors(body)
+    has_anchor = any(anchors[k] for k in anchors)
+    if not has_anchor:
+        violations.append(
+            "no_technical_anchor: body must cite a commit hash, "
+            "issue number, CVE, spec path, or source file path"
+        )
+
+    if violations:
+        return {
+            "verdict": "block",
+            "reason": violations[0].split(":")[0],
+            "violations": violations,
+            "anchors": anchors,
+        }
+    return {
+        "verdict": "allow",
+        "reason": "ok",
+        "violations": [],
+        "anchors": anchors,
+    }
+
+
+# ---------------------------------------------------------------------------
+# Composite gate: target-side veto BEFORE content
+# ---------------------------------------------------------------------------
+
+
+def evaluate_substantive_payload(
+    body: str,
+    proposed_action: str,
+    target: Optional[Dict[str, Any]] = None,
+    repo: str = "",
+    repo_description: str = "",
+    repo_topics: Optional[List[str]] = None,
+) -> Dict[str, Any]:
+    """Full pre-submit gate: reg-O target veto, then content shape.
+
+    Per the 2026-05-11 panel verdict + Claude's reg-O target-side veto
+    amendment: target classification is checked FIRST. A perfectly
+    substantive bug report on a banking-adjacent repo still violates
+    SHIFT-1, so the gate refuses regardless of content quality.
+
+    Callers can pass either:
+      * a full ``target`` dict (forwarded to :func:`is_banking_adjacent`),
+      * or the discrete ``repo`` / ``repo_description`` / ``repo_topics``
+        fields, which we wrap in a synthetic target.
+
+    Returns:
+        Dict with ``verdict``, ``reason``, ``violations``, ``anchors``,
+        and ``stage`` (``"target"`` or ``"content"``) indicating where
+        the gate fired.
+    """
+    if target is None:
+        target = {
+            "repo": repo,
+            "repo_description": repo_description,
+            "repo_topics": repo_topics or [],
+        }
+    elif repo or repo_description or repo_topics:
+        # Caller passed both — merge, keyword scan looks at union.
+        target = {
+            **target,
+            **({"repo": repo} if repo else {}),
+            **({"repo_description": repo_description} if repo_description else {}),
+            **({"repo_topics": repo_topics} if repo_topics else {}),
+        }
+
+    adjacent, matched = is_banking_adjacent(target)
+    if adjacent:
+        return {
+            "verdict": "block",
+            "reason": "banking_adjacent_target",
+            "violations": [f"banking_adjacent_target: matched keyword {matched!r}"],
+            "anchors": {},
+            "stage": "target",
+        }
+
+    content_result = check_substantive_content(body, proposed_action)
+    content_result["stage"] = "content"
+    return content_result
+
+
+# ---------------------------------------------------------------------------
+# Scanner-level constructor
+# ---------------------------------------------------------------------------
+
+
+_FINGERPRINT_REPO_RE = re.compile(
+    r"^github:(?:issue|repo|fork|star|outreach):([^:]+/[^:]+)(?::|$)"
+)
+_URL_REPO_RE = re.compile(
+    r"^https?://github\.com/([^/]+/[^/]+?)(?:/|$|#|\?)"
+)
+
+
+def _repo_from_target(target: Dict[str, Any]) -> str:
+    repo = (target.get("repo") or "").strip()
+    if repo and "/" in repo:
+        return repo
+    fingerprint = target.get("fingerprint", "")
+    m = _FINGERPRINT_REPO_RE.match(fingerprint)
+    if m:
+        return m.group(1)
+    url = target.get("canonical_url", "")
+    m = _URL_REPO_RE.match(url)
+    if m:
+        return m.group(1)
+    return ""
+
+
+_CATEGORY_TO_ACTION = {
+    "pain_thread": "comment",
+    "adoption_lead": "issue",
+    "competitor_user": "comment",
+    "own_repo_activity": "comment",
+}
+
+
+def build_candidate_from_github_target(
+    target: Dict[str, Any],
+    category: str,
+    subcategory: str = "",
+) -> Optional[SubstantiveCandidate]:
+    """Build a :class:`SubstantiveCandidate` or return None.
+
+    The function returns None — *not* raises — when the target cannot
+    yield a substantive payload. This is the structural-impossibility
+    guarantee: callers that get None must NOT dispatch.
+
+    Reasons for None return:
+      * Target classified banking-adjacent (SHIFT-1 hard veto).
+      * Repo could not be derived from fingerprint or URL.
+      * No technical anchor extractable from snippet + rationale.
+      * Category not in the mapped action table.
+
+    The reg-O check happens here too, not just at submit time, so
+    banking-adjacent targets never reach the agent prompt at all.
+    Defense in depth: scanner + submit gate both veto.
+    """
+    adjacent, matched = is_banking_adjacent(target)
+    if adjacent:
+        logger.info(
+            "build_candidate: banking-adjacent veto fingerprint=%s matched=%s",
+            target.get("fingerprint"), matched,
+        )
+        return None
+
+    repo = _repo_from_target(target)
+    if not repo:
+        logger.info(
+            "build_candidate: repo unresolved fingerprint=%s url=%s",
+            target.get("fingerprint"), target.get("canonical_url"),
+        )
+        return None
+
+    if category not in _CATEGORY_TO_ACTION:
+        logger.info("build_candidate: unmapped category=%s", category)
+        return None
+
+    snippet = target.get("content_snippet", "") or ""
+    rationale = target.get("rationale", "") or ""
+    anchors = extract_technical_anchors(f"{snippet}\n{rationale}")
+    evidence_refs: List[str] = []
+    for key in ("issues", "spec_paths", "cves", "commits", "file_paths"):
+        for ref in anchors.get(key, []):
+            label = f"{key[:-1] if key.endswith('s') else key}:{ref}"
+            if label not in evidence_refs:
+                evidence_refs.append(label)
+    if not evidence_refs:
+        logger.info(
+            "build_candidate: no_technical_anchor fingerprint=%s category=%s",
+            target.get("fingerprint"), category,
+        )
+        return None
+
+    target_artifact = target.get("canonical_url") or target.get("fingerprint", "")
+    if not target_artifact:
+        return None
+
+    try:
+        return SubstantiveCandidate(
+            repo=repo,
+            category=category,
+            target_artifact=target_artifact,
+            evidence_refs=tuple(evidence_refs),
+            proposed_action=_CATEGORY_TO_ACTION[category],
+            subcategory=subcategory or "",
+            venture=target.get("venture", "delimit"),
+            fingerprint=target.get("fingerprint", "") or "",
+        )
+    except ValueError as exc:
+        logger.warning(
+            "build_candidate: construction failed for fingerprint=%s: %s",
+            target.get("fingerprint"), exc,
+        )
+        return None
+
+
+# ---------------------------------------------------------------------------
+# Dispatch wrapper
+# ---------------------------------------------------------------------------
+
+
+OUTREACH_SUBSTANTIVE_TASK_TYPE = "outreach_substantive"
+
+
+def dispatch_substantive_outreach(
+    candidate: SubstantiveCandidate,
+    target: Dict[str, Any],
+    ledger_item_id: str = "",
+) -> Dict[str, Any]:
+    """Dispatch a substantive outreach task — only fires on a real payload.
+
+    The payload is the :class:`SubstantiveCandidate` — its construction
+    has already enforced that every required evidence field is present.
+    The task_type ``outreach_substantive`` is distinct from the legacy
+    ``outreach`` type (which still serves reddit / x branches) so a
+    regression that tries to dispatch a non-substantive github task on
+    the old type does not silently route to the new agent.
+
+    The agent that picks up this task is expected to call
+    ``delimit_substantive_content_check`` BEFORE submitting any draft
+    body, and ``delimit_external_pr_check`` BEFORE submitting if the
+    action is ``pr``. Those gates live in :mod:`ai.server`.
+    """
+    if not isinstance(candidate, SubstantiveCandidate):
+        # Belt-and-suspenders: the dataclass cannot be constructed
+        # without the required fields, but a caller might still pass
+        # a stray dict. Refuse rather than coerce.
+        raise TypeError(
+            "dispatch_substantive_outreach requires a SubstantiveCandidate "
+            f"instance, got {type(candidate).__name__}"
+        )
+
+    # Late-bound import to keep the foundation module light and the
+    # cyclic-import surface clean.
+    from ai.agent_dispatch import dispatch_task, link_ledger_item
+
+    constraints = [
+        "no-deploy", "no-secrets", "no-destructive",
+        "shift-1-quiet-attraction",
+        "must-call-delimit_substantive_content_check-before-submit",
+    ]
+    if candidate.proposed_action == "pr":
+        constraints.append("must-call-delimit_external_pr_check-before-submit")
+
+    tools_needed = [
+        "delimit_substantive_content_check",
+        "delimit_sensor_github_issue",
+    ]
+    if candidate.proposed_action == "pr":
+        tools_needed.append("delimit_external_pr_check")
+
+    variables: Dict[str, Any] = {
+        "candidate": candidate.to_dict(),
+        "venture": candidate.venture,
+        "repo": candidate.repo,
+        "category": candidate.category,
+        "subcategory": candidate.subcategory,
+        "target_artifact": candidate.target_artifact,
+        "evidence_refs": list(candidate.evidence_refs),
+        "proposed_action": candidate.proposed_action,
+        "source_url": target.get("canonical_url", ""),
+        "source_fingerprint": candidate.fingerprint,
+        "author": target.get("author", ""),
+        "rationale": target.get("rationale", ""),
+    }
+
+    title = (
+        f"[{candidate.venture.upper()}] Substantive {candidate.proposed_action} "
+        f"on {candidate.repo} ({candidate.category})"
+    )
+
+    description = (
+        "Substantive-outreach task (LED-2214b architecture).\n"
+        f"Repo: {candidate.repo}\n"
+        f"Category: {candidate.category}"
+        f"{' / ' + candidate.subcategory if candidate.subcategory else ''}\n"
+        f"Action: {candidate.proposed_action}\n"
+        f"Target: {candidate.target_artifact}\n"
+        f"Evidence: {', '.join(candidate.evidence_refs)}\n"
+        "\n"
+        "SHIFT-1 constraints:\n"
+        " - Pseudonymous account only; no founder identity.\n"
+        " - Real technical contribution only. No 'we built' / 'our tool' / "
+        "'btw try' framing. Never name our own product in the body.\n"
+        " - delimit_substantive_content_check is MANDATORY pre-submit.\n"
+        " - delimit_external_pr_check is MANDATORY when proposed_action='pr'.\n"
+    )
+
+    context = (
+        "Substantive autonomous outreach via the LED-2214b architecture. "
+        "The pseudonymous-substantive-contribution carve-out (CLAUDE.md SHIFT-1, "
+        "2026-05-04) permits this provided the activity is a genuine technical "
+        "contribution. The pre-submit gate stack enforces that. If the gate "
+        "blocks, file the rejection reason on the linked ledger item and stop."
+    )
+
+    result = dispatch_task(
+        title=title,
+        description=description,
+        assignee="any",
+        priority="P1",
+        tools_needed=tools_needed,
+        constraints=constraints,
+        context=context,
+        task_type=OUTREACH_SUBSTANTIVE_TASK_TYPE,
+        venture=candidate.venture,
+        variables=variables,
+        external_key=(
+            f"outreach_substantive:{candidate.fingerprint}"
+            if candidate.fingerprint
+            else f"outreach_substantive:{candidate.repo}:{candidate.target_artifact}"
+        ),
+    )
+    task_id = result.get("task_id", "")
+    if task_id and ledger_item_id:
+        try:
+            link_ledger_item(task_id, ledger_item_id)
+        except Exception as exc:  # link is best-effort
+            logger.warning(
+                "dispatch_substantive_outreach: link_ledger_item failed "
+                "task=%s ledger=%s err=%s",
+                task_id, ledger_item_id, exc,
+            )
+    return result