Skip to content

perf(security-guard): reduce Claude token cost ~32% via turn cap, relevance gate, and conciseness #1940

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lpcox merged 5 commits into from
Apr 12, 2026
Merged

perf(security-guard): reduce Claude token cost ~32% via turn cap, relevance gate, and conciseness #1940

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
512d551
Initial plan
Copilot Apr 12, 2026
e066513
perf: optimize security-guard Claude token usage
Copilot Apr 12, 2026
b097159
Update .github/workflows/security-guard.lock.yml
lpcox Apr 12, 2026
dab56b4
Update .github/workflows/security-guard.md
lpcox Apr 12, 2026
c161fe5
fix: recompile security-guard.lock.yml to match .md frontmatter
lpcox Apr 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 27 additions & 15 deletions .github/workflows/security-guard.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

28 changes: 25 additions & 3 deletions .github/workflows/security-guard.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ permissions:
issues: read
engine:
id: claude
max-turns: 25
max-turns: 8
tools:
github:
toolsets: [pull_requests, repos]
Expand All @@ -23,7 +23,7 @@ safe-outputs:
enabled: false
add-comment:
max: 1
timeout-minutes: 10
timeout-minutes: 15
steps:
- name: Fetch PR changed files
id: pr-diff
Expand All @@ -42,14 +42,34 @@ steps:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
GH_REPO: ${{ github.repository }}

- name: Check security relevance
id: security-relevance
if: github.event.pull_request.number
run: |
SECURITY_RE="host-iptables|setup-iptables|squid-config|docker-manager|seccomp-profile|domain-patterns|entrypoint\.sh|Dockerfile|containers/"
COUNT=$(gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" \
--paginate --jq '.[].filename' \
| grep -cE "$SECURITY_RE" || true)
echo "security_files_changed=$COUNT" >> "$GITHUB_OUTPUT"
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
GH_REPO: ${{ github.repository }}
---

# Security Guard

You are a security-focused AI agent that carefully reviews pull requests in this repository to identify changes that could weaken the security posture or extend the security boundaries of the Agentic Workflow Firewall (AWF).
## Security Relevance Check

**Security-critical files changed in this PR:** ${{ steps.security-relevance.outputs.security_files_changed }}

> If this value is `0`, no security-critical files were modified. Use `noop` immediately without further analysis — this PR does not require a security review.

## Repository Context

You are a security-focused AI agent that carefully reviews pull requests in this repository to identify changes that could weaken the security posture or extend the security boundaries of the Agentic Workflow Firewall (AWF).

This repository implements a **network firewall for AI agents** that provides L7 (HTTP/HTTPS) egress control using Squid proxy and Docker containers. The firewall restricts network access to a whitelist of approved domains.

### Critical Security Components
Expand Down Expand Up @@ -134,6 +154,8 @@ Look for these types of security-weakening changes:

## Output Format

**IMPORTANT: Be concise.** Report each security finding in ≤ 150 words. Maximum 5 findings total.

If you find security concerns:
1. Add a comment to the PR explaining each concern
2. For each issue, provide:
Expand Down
Loading