feat: migrate codeql-resolver to Agent Teams with peer-to-peer coordination #16
Description
Parent
Part of #14 (epic: migrate workaround orchestration patterns to native Claude Agent Teams)
Summary
Migrate the codeql-resolver plugin from its current Command→Agent→Skill batching architecture to use native Agent Teams for true parallel execution with inter-agent communication.
Current Architecture (Workaround)
/resolve-codeql (command/orchestrator)
├── Batch 1 → codeql-permissions-auditor (agent)
├── Batch 2 → codeql-expression-injector (agent)
└── Batch 3 → codeql-generic-resolver (agent)
Limitations of current approach:
- One-way communication (command → agents → JSON output)
- Fixed batch size (max 5 alerts per agent)
- No inter-agent messaging (agents can't cross-check each other's work)
- No dynamic load balancing (fast agents can't help slow ones)
- No shared context during execution
- Single point of failure (command orchestrator)
- ~2000 lines of manual orchestration code
Proposed Architecture (Agent Teams)
/resolve-codeql (team lead - delegate mode)
├── permissions-auditor (teammate)
│ ├── Owns: permissions alerts
│ ├── Reads: codeql-permission-classification skill
│ └── Messages: verifier teammate for cross-check
├── injection-resolver (teammate)
│ ├── Owns: expression injection alerts
│ ├── Reads: github-workflow-security-patterns skill
│ └── Messages: verifier for cross-check
├── generic-resolver (teammate)
│ ├── Owns: other alert types
│ ├── Can escalate to: lead for human review
│ └── Messages: verifier for cross-check
└── verifier (teammate - NEW)
├── Cross-checks: all other teammates' fixes
├── Re-runs: CodeQL analysis after fixes
└── Reports: final summary to lead
Key Improvements
- True parallelism: All teammates work simultaneously
- Cross-checking: New verifier teammate reviews all fixes
- Dynamic claiming: Teammates self-claim alerts from shared task list
- Inter-agent messaging: Teammates can ask questions and share patterns
- Escalation: Generic resolver can ask permissions auditor for help
- Plan approval: Lead reviews each teammate's approach before implementation
Migration Strategy
- Keep existing agents as reference (don't delete yet)
- Create new team-based command alongside existing command
- Enable feature flag check: use teams if available, fall back to batching
- Once validated, deprecate old batching approach
Acceptance Criteria
- Team spawns with correct roles and models
- Shared task list populated from CodeQL alert discovery
- Teammates self-claim and resolve alerts in parallel
- Verifier teammate cross-checks all fixes
- Inter-agent messaging works for escalation
- Graceful fallback to existing batching when teams disabled
- Before/after alert count verification
- Token cost comparison documented (teams vs batching)
Dependencies
- Depends on: agent-teams-orchestrator plugin (feat: create agent-teams-orchestrator plugin with team lifecycle management #15) for lifecycle patterns
Estimated Impact
- Lines reduced: ~500 (batching logic, manual coordination)
- Throughput: ~3x faster (true parallel vs sequential batches)
- Quality: Higher (cross-checking between teammates)
- Token cost: ~2x higher (4 teammates vs 3 sequential agents)