feat: migrate codeql-resolver to Agent Teams with peer-to-peer coordination

[JacobPEvans]

Parent

Part of #14 (epic: migrate workaround orchestration patterns to native Claude Agent Teams)

Summary

Migrate the codeql-resolver plugin from its current Command→Agent→Skill batching architecture to use native Agent Teams for true parallel execution with inter-agent communication.

Current Architecture (Workaround)

/resolve-codeql (command/orchestrator)
├── Batch 1 → codeql-permissions-auditor (agent)
├── Batch 2 → codeql-expression-injector (agent)
└── Batch 3 → codeql-generic-resolver (agent)

Limitations of current approach:

• One-way communication (command → agents → JSON output)
• Fixed batch size (max 5 alerts per agent)
• No inter-agent messaging (agents can't cross-check each other's work)
• No dynamic load balancing (fast agents can't help slow ones)
• No shared context during execution
• Single point of failure (command orchestrator)
• ~2000 lines of manual orchestration code

Proposed Architecture (Agent Teams)

/resolve-codeql (team lead - delegate mode)
├── permissions-auditor (teammate)
│   ├── Owns: permissions alerts
│   ├── Reads: codeql-permission-classification skill
│   └── Messages: verifier teammate for cross-check
├── injection-resolver (teammate)
│   ├── Owns: expression injection alerts
│   ├── Reads: github-workflow-security-patterns skill
│   └── Messages: verifier for cross-check
├── generic-resolver (teammate)
│   ├── Owns: other alert types
│   ├── Can escalate to: lead for human review
│   └── Messages: verifier for cross-check
└── verifier (teammate - NEW)
    ├── Cross-checks: all other teammates' fixes
    ├── Re-runs: CodeQL analysis after fixes
    └── Reports: final summary to lead

Key Improvements

1. True parallelism: All teammates work simultaneously
2. Cross-checking: New verifier teammate reviews all fixes
3. Dynamic claiming: Teammates self-claim alerts from shared task list
4. Inter-agent messaging: Teammates can ask questions and share patterns
5. Escalation: Generic resolver can ask permissions auditor for help
6. Plan approval: Lead reviews each teammate's approach before implementation

Migration Strategy

1. Keep existing agents as reference (don't delete yet)
2. Create new team-based command alongside existing command
3. Enable feature flag check: use teams if available, fall back to batching
4. Once validated, deprecate old batching approach

Acceptance Criteria

• Team spawns with correct roles and models
• Shared task list populated from CodeQL alert discovery
• Teammates self-claim and resolve alerts in parallel
• Verifier teammate cross-checks all fixes
• Inter-agent messaging works for escalation
• Graceful fallback to existing batching when teams disabled
• Before/after alert count verification
• Token cost comparison documented (teams vs batching)

Dependencies

• Depends on: agent-teams-orchestrator plugin (feat: create agent-teams-orchestrator plugin with team lifecycle management #15) for lifecycle patterns

Estimated Impact

• Lines reduced: ~500 (batching logic, manual coordination)
• Throughput: ~3x faster (true parallel vs sequential batches)
• Quality: Higher (cross-checking between teammates)
• Token cost: ~2x higher (4 teammates vs 3 sequential agents)

[JacobPEvans]

Parent epic: #14 | Depends on: #15

[claude]

This issue has had no activity for 30+ days. Is this still relevant?

[claude]

This issue and #17 could potentially be addressed together as a single effort. Both create code review workflows using Agent Teams with peer-to-peer coordination, share similar team architectures (security/performance/test reviewer roles), and both depend on the same foundation (#15). Developing them together would allow sharing template patterns and avoiding duplication.