Fix dedup clustering: only strong matches cluster

Moderate matches (same package, different CWE/version/files) were being
union-find merged into clusters, causing unrelated advisories targeting
the same repo to appear as duplicates. Now only strong matches (package
AND cwe/version/files overlap) cluster. Moderate and weak matches are
still reported as informational signals for the agent's semantic
analysis layer.

Found via live testing against anticomputer/vulnerable-test-app: an AI
slop report (CWE-94, version <= 99.0.0) was incorrectly clustered with
two legitimate SQL injection reports (CWE-89, version <= 0.0.1) because
all three shared the same Go package.

Author: anticomputer

src/seclab_taskflows/mcp_servers/pvr_ghsa.py

@@ -453,7 +453,7 @@ def union(x, y):
                     "match_level": result["match_level"],
                     "reasons": result["reasons"],
                 })
-                if result["match_level"] in ("strong", "moderate"):
+                if result["match_level"] == "strong":
                     union(i, j)
 
     # Build clusters from union-find