perf(ai): Merge severity classification into specialized agents (save ~18% tokens)

Optimized AI pipeline by integrating severity classification into the 5 specialized agents,
eliminating duplicate AI calls and reducing token usage.

BEFORE (2 AI calls per group):
1. AI Severity Classifier: ~150 tokens/group → classify severity
2. Specialized Agents: ~600 tokens/group → generate fixes
Total: ~750 tokens/group × 29 groups = 21,750 tokens = $0.011/PR

AFTER (1 AI call per group):
1. Specialized Agents: ~600 tokens/group → classify severity + generate fixes
Total: ~600 tokens/group × 29 groups = 17,400 tokens = $0.009/PR

SAVINGS: ~150 tokens/group (20% reduction) = ~18% cost reduction

Changes by file:

specialized-agents.ts (all 5 agents):
- Added concise SEVERITY CLASSIFICATION section to each agent's system prompt
- SecurityAgent: CRITICAL=SQL injection/RCE, HIGH=bugs/weaknesses, MEDIUM=smells, LOW=style/checkstyle
- PerformanceAgent: CRITICAL=crashes/leaks, HIGH=N² algorithms, MEDIUM=suboptimal, LOW=style
- ArchitectureAgent: CRITICAL=circular deps, HIGH=god classes, MEDIUM=design smells, LOW=style
- CodeQualityAgent: HIGH=logic bugs/NPE, MEDIUM=complexity, LOW=style/checkstyle (99.9%)
- DependencyAgent: CRITICAL=CVE with exploit, HIGH=CVE/deprecated, MEDIUM=outdated, LOW=style
- CheckStyle emphasis: "checkstyle=LOW 99.9% of cases" in all agents

v9-grouped-report-formatter.ts:
- Removed separate enrichIssuesWithSeverityClassification() call
- Moved group severity update logic AFTER enrichIssuesWithAI() (agents now classify)
- Flow change: issues → enrichIssuesWithAI (classify + fix) → update groups → report

ai-enrichment.ts:
- Removed enrichIssuesWithSeverityClassification() function (no longer needed)
- Removed unused imports (classifyIssueSeverity, Severity, SeverityClassificationInput)
- Updated header comments to reflect new optimization

Technical details:
- JSON output structure unchanged (backwards compatible)
- Severity classification now happens in agent.generateFixSuggestion()
- Agents already returned severity in JSON, now they actually classify it
- CheckStyle guidance integrated: "DesignForExtensionCheck, naming conventions, line length = LOW"

Cost analysis:
- Per-group savings: 150 tokens (~$0.0001)
- Per-PR savings: 4,350 tokens (~$0.002) for 29 groups
- Percentage savings: ~18% reduction in AI costs
- Latency savings: 1 fewer API call per group (29 fewer calls/PR)

This optimization maintains the same quality while reducing costs and latency!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: alpsla

packages/agents/src/two-branch/agents/specialized-agents.ts

@@ -410,6 +410,12 @@ export class SecurityAgent extends BaseSpecializedAgent {
 
 ⚠️ CRITICAL: Output ONLY the JSON response. NO thinking process, NO reasoning, NO "First, I...", NO "Let me...". Start DIRECTLY with JSON.
 
+SEVERITY CLASSIFICATION:
+🔴 CRITICAL: SQL injection, command injection, RCE, auth bypass, hardcoded credentials, data loss
+🟠 HIGH: Potential bugs (NPE, resource leaks), security weaknesses, crypto issues
+🟡 MEDIUM: Code smells, maintainability issues, moderate complexity
+🟢 LOW: Style/formatting/documentation (checkstyle=LOW 99.9% of cases)
+
 Output ONLY this JSON (nothing else):
 {
   "severity": "critical|high|medium|low",
@@ -519,6 +525,12 @@ export class PerformanceAgent extends BaseSpecializedAgent {
 
 ⚠️ CRITICAL: Output ONLY the JSON response. NO thinking process, NO reasoning, NO "First, I...", NO "Let me...". Start DIRECTLY with JSON.
 
+SEVERITY CLASSIFICATION:
+🔴 CRITICAL: System crashes, memory leaks causing outages, infinite loops
+🟠 HIGH: N² algorithms in hot paths, significant resource waste, scalability blockers
+🟡 MEDIUM: Suboptimal algorithms, minor inefficiencies
+🟢 LOW: Style/formatting/documentation (checkstyle=LOW 99.9% of cases)
+
 Output ONLY this JSON (nothing else):
 {
   "severity": "critical|high|medium|low",
@@ -557,6 +569,12 @@ export class ArchitectureAgent extends BaseSpecializedAgent {
 
 ⚠️ CRITICAL: Output ONLY the JSON response. NO thinking process, NO reasoning, NO "First, I...", NO "Let me...". Start DIRECTLY with JSON.
 
+SEVERITY CLASSIFICATION:
+🔴 CRITICAL: Circular dependencies breaking builds, major SOLID violations causing outages
+🟠 HIGH: God classes (1000+ lines), tight coupling blocking features
+🟡 MEDIUM: Minor design smells, moderate complexity
+🟢 LOW: Style/formatting/documentation (checkstyle=LOW 99.9% of cases)
+
 Output ONLY this JSON (nothing else):
 {
   "severity": "critical|high|medium|low",
@@ -623,6 +641,14 @@ export class CodeQualityAgent extends BaseSpecializedAgent {
 
 ⚠️ CRITICAL: Output ONLY the JSON response. NO thinking process, NO reasoning, NO "First, I...", NO "Let me...". Start DIRECTLY with JSON.
 
+SEVERITY CLASSIFICATION (CRITICAL for CodeQuality):
+🔴 CRITICAL: Never for code quality (reserved for security/crashes)
+🟠 HIGH: Logic bugs, potential NPE, incorrect exception handling
+🟡 MEDIUM: Complexity warnings, code duplication, refactoring candidates
+🟢 LOW: Style/formatting/documentation/naming (checkstyle/PMD naming rules = LOW)
+
+⚠️ CHECKSTYLE = LOW (99.9%): DesignForExtensionCheck, naming conventions, line length, imports, Javadoc
+
 Output ONLY this JSON (nothing else):
 {
   "severity": "critical|high|medium|low",
@@ -887,6 +913,12 @@ export class DependencyAgent extends BaseSpecializedAgent {
 
 ⚠️ CRITICAL: Output ONLY the JSON response. NO thinking process, NO reasoning, NO "First, I...", NO "Let me...". Start DIRECTLY with JSON.
 
+SEVERITY CLASSIFICATION:
+🔴 CRITICAL: Known CVE with exploit code, RCE vulnerabilities, authentication bypass
+🟠 HIGH: CVEs without public exploit, deprecated packages, security weaknesses
+🟡 MEDIUM: Outdated dependencies, minor vulnerabilities
+🟢 LOW: Style/formatting/documentation (checkstyle=LOW 99.9% of cases)
+
 Output ONLY this JSON (nothing else):
 {
   "severity": "critical|high|medium|low",

packages/agents/src/two-branch/analyzers/v9-grouped-report-formatter.ts

@@ -26,7 +26,7 @@ import {
   cleanAIContent,
   getUserFriendlyTitle
 } from '../report/formatter-utils';
-import { getCuratedResourcesForRule, enrichIssuesWithAI, enrichIssuesWithSeverityClassification } from '../report/ai-enrichment';
+import { getCuratedResourcesForRule, enrichIssuesWithAI } from '../report/ai-enrichment';
 import {
   detectCategory,
   calculateRiskLevel,
@@ -379,21 +379,19 @@ export class V9GroupedReportFormatter {
     // Store repoPath for snippet extraction
     this.repoPath = metadata.repoPath || null;
 
-    // SESSION 13 FIX #2 (MANDATORY): AI-powered severity classification FIRST
-    // This re-classifies severity intelligently (e.g., Javadoc HIGH → LOW)
-    // Cost: ~150 tokens per group = ~$0.0001 per group = ~$0.002 per PR
-    // This is a CORE FEATURE - always enabled for consistent, high-quality results
-    // If AI fails, gracefully falls back to original severity (handled in catch blocks)
-    // SESSION 13 FIX #3 (CONFIG-BASED): Pass modelConfigResolver for config-based Qwen model
-    const severityClassifiedIssues = await enrichIssuesWithSeverityClassification(issues, groups, this.modelConfigResolver);
+    // OPTIMIZATION: Severity classification now integrated into specialized agents (saves ~150 tokens per group)
+    // Each agent classifies severity AS PART of generating fix suggestions (1 AI call instead of 2)
+    // Cost: ~600 tokens per group = ~$0.0003 per group = ~$0.009 per PR (was ~$0.011 before)
 
-    // SESSION 13 FIX #4 (BUG-87): Update group severities based on AI-classified issues
+    // BUG-76: AI-enrich issues (includes severity classification + fix generation in 1 call)
+    const enrichedIssues = await this.enrichIssuesWithAI(issues, groups);
+
+    // Update group severities based on AI-classified issues
     // After AI classification updates individual issue severities, we need to update
     // each group's severity to reflect the AI-classified issues (not original severities)
-    // Match issues to groups by rule + tool (not severity, since it changed)
     const updatedGroups = groups.map(group => {
-      // Find all issues in this group (match by rule + tool, not severity)
-      const groupIssues = severityClassifiedIssues.filter(issue =>
+      // Find all issues in this group (match by rule + tool, not severity, since it changed)
+      const groupIssues = enrichedIssues.filter(issue =>
         issue.rule === group.rule && issue.tool === group.tool
       );
 
@@ -418,10 +416,10 @@ export class V9GroupedReportFormatter {
       };
     });
 
-    // SESSION 13 FIX #5 (BUG-88): Recalculate blockingCount after AI severity classification
+    // Recalculate blockingCount after AI severity classification
     // The original blockingCount was calculated before AI changed severities (high → low)
     // Now we need to count blocking issues using AI-classified severities
-    const updatedBlockingCount = severityClassifiedIssues.filter(i =>
+    const updatedBlockingCount = enrichedIssues.filter(i =>
       (i.category === 'NEW' || i.category === 'EXISTING_MODIFIED') &&
       (i.severity === 'critical' || i.severity === 'high')
     ).length;
@@ -432,10 +430,6 @@ export class V9GroupedReportFormatter {
     // Also update decision based on updated blocking count
     metadata.decision = updatedBlockingCount > 0 ? 'DECLINED' : 'APPROVED';
 
-    // BUG-76: AI-enrich issues BEFORE generating report sections
-    // This runs in parallel and adds fixSuggestion to each issue
-    const enrichedIssues = await this.enrichIssuesWithAI(severityClassifiedIssues, updatedGroups);
-
     console.log(`\n[DEBUG-PR#] ====== Before generateHeader ======`);
     console.log(`[DEBUG-PR#] Passing metadata.prNumber: ${metadata.prNumber}`);
     console.log(`[DEBUG-PR#] ====================================\n`);

packages/agents/src/two-branch/report/ai-enrichment.ts

@@ -4,22 +4,15 @@
  * Handles AI-powered issue enrichment with fix suggestions AND severity classification.
  * Extracted from v9-grouped-report-formatter.ts for better modularity.
  *
- * Strategy: 1 AI call per group (cost-optimized)
- * Cost: ~600 tokens per group = $0.0003 per group
- *
- * SESSION 13 FIX #2 (PROPER): Integrated AI Severity Classifier
- * - Severity classification happens PER GROUP (not per issue)
- * - Uses cheap models for classification (~150 tokens per group)
- * - Total cost: ~29 groups × 150 tokens = ~4,350 tokens = ~$0.002
+ * OPTIMIZATION: Severity classification integrated into specialized agents
+ * - Each agent classifies severity AS PART of generating fix suggestions
+ * - 1 AI call per group (was 2 before: classify + enrich)
+ * - Cost: ~600 tokens per group = $0.0003 per group = ~$0.009 per PR
+ * - Savings: ~150 tokens per group (was ~$0.011, now ~$0.009)
  */
 
 import { EnrichedIssue } from './types';
 import { IssueGroup } from '../utils/issue-grouping';
-import {
-  classifyIssueSeverity,
-  type Severity,
-  type SeverityClassificationInput
-} from '../services/ai-severity-classifier';
 
 /**
  * Get curated educational resources for specific rules
@@ -54,108 +47,6 @@ export function getCuratedResourcesForRule(ruleId: string): Array<{ title: strin
   return map[normalized] || [];
 }
 
-/**
- * SESSION 13 FIX #2 (PROPER): AI-powered severity classification
- *
- * Re-classifies issue severity intelligently using AI, per group.
- * This replaces the hardcoded severity mapping approach.
- *
- * Strategy:
- * - Classify ONE representative issue per group
- * - Apply the classified severity to ALL issues in that group
- * - Cost-optimized: ~150 tokens per group = ~$0.0001 per group
- *
- * @param issues - All issues to re-classify
- * @param groups - Issue groups for efficient processing
- * @param modelConfigResolver - Model configuration resolver (from Supabase)
- * @returns Issues with AI-classified severity
- */
-export async function enrichIssuesWithSeverityClassification(
-  issues: EnrichedIssue[],
-  groups: IssueGroup[],
-  modelConfigResolver: any | null
-): Promise<EnrichedIssue[]> {
-  // SESSION 13 FIX #2 (MANDATORY): AI severity classification is now always enabled
-  // This is a core feature that provides intelligent severity analysis
-  // If AI fails, we gracefully fall back to original severity (handled in catch blocks)
-
-  console.log(`[AI Severity] Starting severity classification for ${groups.length} groups...`);
-  const startTime = Date.now();
-
-  try {
-    // Process groups in parallel (29 groups × ~150 tokens = ~4,350 tokens = ~$0.002)
-    const classificationPromises = groups.map(async (group) => {
-      const groupIssues = issues.filter(i =>
-        i.rule === group.rule && i.tool === group.tool && i.severity === group.severity
-      );
-
-      if (groupIssues.length === 0) return;
-
-      // Pick representative issue (first with code snippet)
-      const representative = groupIssues.find(i => i.snippet) || groupIssues[0];
-
-      // Save original severity for comparison
-      const originalSeverity = representative.severity as Severity;
-
-      try {
-        const classificationInput: SeverityClassificationInput = {
-          tool: representative.tool,
-          rule: representative.rule,
-          originalSeverity,
-          title: representative.message || representative.rule,
-          description: representative.message || '',
-          codeSnippet: representative.snippet
-        };
-
-        // Get model from config resolver (uses Qwen via OpenRouter)
-        // SESSION 13 FIX #3 (CONFIG-BASED): Use config resolver to get model configuration
-        // Severity classification doesn't need a specific role, use code_quality as default
-        let model: string | undefined;
-        if (modelConfigResolver) {
-          const modelConfig = await modelConfigResolver.getModelConfiguration(
-            'code_quality', // Severity classification uses code quality role
-            'java',        // Default to java (works for all languages)
-            'medium'       // Default to medium repo size
-          );
-          model = modelConfig.primary_model;
-        }
-
-        // Call AI Severity Classifier with config-based model
-        const classification = await classifyIssueSeverity(classificationInput, model);
-
-        // Apply classified severity to ALL issues in this group
-        for (const issue of groupIssues) {
-          issue.severity = classification.severity;
-          issue.severityReasoning = classification.reasoning;
-          issue.severityConfidence = classification.confidence;
-        }
-
-        // Log severity changes
-        if (classification.severity !== originalSeverity) {
-          console.log(`[AI Severity] ✅ ${group.rule}: ${originalSeverity} → ${classification.severity} (${classification.confidence} confidence)`);
-        }
-
-      } catch (error: any) {
-        console.warn(`[AI Severity] ⚠️  Failed for ${group.rule}:`, error.message);
-        // Keep original severity on error
-      }
-    });
-
-    await Promise.all(classificationPromises);
-
-    const duration = Date.now() - startTime;
-    const reclassifiedCount = issues.filter(i => i.severityReasoning).length;
-    console.log(`[AI Severity] Completed: ${reclassifiedCount}/${issues.length} issues re-classified in ${duration}ms`);
-
-    return issues;
-
-  } catch (error: any) {
-    console.error('[AI Severity] Fatal error:', error.message);
-    // Return issues with original severity
-    return issues;
-  }
-}
-
 /**
  * Enrich issues with AI-generated fix suggestions
  *