perf: optimize firewall-issue-dispatcher token usage#1904

Merged
lpcox merged 1 commit into main from perf/firewall-issue-dispatcher-optimization on Apr 11, 2026

Conversation

@lpcox
Collaborator

@lpcox lpcox commented Apr 11, 2026

Summary

Optimizes the firewall-issue-dispatcher workflow to reduce token usage and improve reliability.

Changes

  • Switch toolsets: [default] → [issues] — removes ~16 unused MCP tools from agent context
  • Use cli-proxy with GraphQL batch fetch — single gh api graphql call fetches all issues + comments at once, replacing sequential MCP list_issues + get_issue_comments calls that consumed multiple agent turns
  • Trim prompt — removed verbose architecture section (agent can read AGENTS.md if needed), streamlined instructions from ~80 lines to ~50 lines
  • Explicit batch-then-filter workflow — agent fetches all data in one turn, filters locally, then creates outputs. Eliminates back-and-forth discovery turns.

Expected Impact

| Metric | Before | After |
| --- | --- | --- |
| MCP tools in context | ~22 (default) | ~6 (issues) |
| Discovery turns | 3-5 (list → filter → view each) | 1 (single GraphQL batch) |
| Prompt tokens | ~80 lines | ~50 lines |
| Architecture context | Inline (~20 lines) | On-demand via AGENTS.md |

The workflow had a 75% failure rate with $12.81 wasted on failed runs (issue #1901). These changes reduce per-run token consumption and minimize the number of turns needed for the discovery phase, which is where most failures occurred.

Closes #1901

- Switch toolsets from [default] to [issues] (~16 fewer MCP tools)
- Use cli-proxy with GraphQL batch fetch instead of sequential MCP calls
- Trim prompt: remove architecture details, streamline instructions
- Add explicit batch-fetch-then-filter workflow to minimize agent turns

Closes #1901

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox requested a review from Mossaka as a code owner April 11, 2026 14:44
Copilot AI review requested due to automatic review settings April 11, 2026 14:44
@github-actions
Contributor

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 85.85% | 85.95% | 📈 +0.10% |
| Statements | 85.76% | 85.85% | 📈 +0.09% |
| Functions | 87.54% | 87.54% | ➡️ +0.00% |
| Branches | 78.56% | 78.61% | 📈 +0.05% |

📁 Per-file Coverage Changes (1 file)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/docker-manager.ts | 86.3% → 86.6% (+0.36%) | 85.9% → 86.2% (+0.35%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

Contributor

Copilot AI left a comment


Pull request overview

Optimizes the Firewall Issue Dispatcher agentic workflow prompt and GitHub tool configuration to reduce token usage by shrinking the MCP tool context and shifting issue discovery into a single batched fetch.

Changes:

  • Restricts GitHub MCP toolset from default to issues.
  • Reworks the prompt to do a single batched GraphQL fetch (via gh api graphql) and local filtering, instead of iterative MCP discovery.
  • Regenerates the compiled lock workflow to reflect the updated frontmatter/prompt.
Summary per file

| File | Description |
| --- | --- |
| .github/workflows/firewall-issue-dispatcher.md | Switches GitHub toolset and rewrites discovery instructions around a single GraphQL batch fetch + local filtering. |
| .github/workflows/firewall-issue-dispatcher.lock.yml | Recompiled lock file reflecting updated prompt/frontmatter hashes and embedded prompt blocks. |

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 2

Comment on lines 17 to 22
tools:
github:
toolsets: [default]
toolsets: [issues]
allowed-repos: ["github/gh-aw", "github/gh-aw-firewall"]
min-integrity: none
github-token: ${{ secrets.GH_AW_CROSS_REPO_PAT }}

Copilot AI Apr 11, 2026


The prompt now requires running gh api graphql, but this workflow does not enable a shell/gh execution tool (no tools: bash and no imported safe-input for gh). As-is, the agent likely cannot execute the batch fetch step. Enable a constrained bash tool (ideally allowlisted to gh api graphql only) or switch the batch fetch back to GitHub MCP tools.

Comment on lines +46 to +60
gh api graphql -f query='
query {
repository(owner: "github", name: "gh-aw") {
issues(labels: ["awf"], states: [OPEN], first: 50) {
nodes {
number
title
body
url
labels(first: 10) { nodes { name } }
comments(first: 100) {
nodes { author { login } body }
}
}
}
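Review bot: the batch query hardcodes `repository(owner: "github", name: "gh-aw")`, while the frontmatter in the earlier hunk allows both `github/gh-aw` and `github/gh-aw-firewall` via `allowed-repos`; if awf issues in the firewall repository are meant to be dispatched as well, parameterize the owner/name (or run the query once per allowed repository), and if discovery is intentionally limited to gh-aw, say so next to the query so the narrower scope is not mistaken for a bug later.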

Copilot AI Apr 11, 2026


The GraphQL query fetches only first: 50 issues and comments(first: 100) with no pagination, so it will silently miss additional awf issues or comments (which can lead to skipped audits or duplicate tracking issues if the audit link is beyond the first 100 comments). Add cursor pagination (pageInfo/endCursor) and use gh api graphql --paginate (and/or explicitly document/enforce the limits).

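The batch-then-filter flow from the PR description, combined with the cursor pagination the review comment above asks for, as an added example that is not part of this PR or of the gh-aw project. It walks the `issues` connection by cursor, keeps each issue's own `comments.pageInfo`, and triages the fetched issues locally. The page fetcher that would wrap `gh api graphql` is replaced by constructed two-page sample data; the bot login `dispatcher-bot` and the `Audit:` comment marker are assumptions standing in for whatever the real workflow checks. The `$endCursor` variable name is the one `gh api graphql --paginate` fills in when the query declares it and selects `pageInfo { hasNextPage endCursor }`.

```python
"""Batch-fetch labelled issues with cursor pagination, then triage them locally."""
import json
from typing import Callable, Dict, List, Optional

# Shape of the query from the PR, extended with pageInfo on both connections.
# `$endCursor` is the variable name that `gh api graphql --paginate` fills in.
ISSUES_QUERY = """
query($endCursor: String) {
  repository(owner: "github", name: "gh-aw") {
    issues(labels: ["awf"], states: [OPEN], first: 50, after: $endCursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        number
        title
        body
        url
        labels(first: 10) { nodes { name } }
        comments(first: 100) {
          pageInfo { hasNextPage endCursor }
          nodes { author { login } body }
        }
      }
    }
  }
}
"""

# A page fetcher takes the cursor (None for the first page) and returns one
# decoded GraphQL response; in the real workflow it would wrap `gh api graphql`.
FetchPage = Callable[[Optional[str]], dict]


def fetch_all_issues(fetch_page: FetchPage) -> List[dict]:
    """Follow issues.pageInfo until hasNextPage is false; return every node."""
    issues: List[dict] = []
    cursor: Optional[str] = None
    while True:
        conn = fetch_page(cursor)["data"]["repository"]["issues"]
        issues.extend(conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return issues
        cursor = conn["pageInfo"]["endCursor"]


def triage_issues(issues: List[dict], bot_login: str, audit_marker: str) -> Dict[str, List[int]]:
    """Assumed rule (not from the PR): an issue is handled once bot_login has left a
    comment containing audit_marker. Issues whose comments overflow the first page are
    reported as undetermined rather than treated as unhandled, so a missed audit link
    beyond the first 100 comments cannot trigger a duplicate tracking issue."""
    result: Dict[str, List[int]] = {"pending": [], "handled": [], "undetermined": []}
    for issue in issues:
        comments = issue["comments"]
        if comments["pageInfo"]["hasNextPage"]:
            result["undetermined"].append(issue["number"])
            continue
        handled = any(
            # `author` is null for comments from deleted accounts; guard before reading login.
            (c.get("author") or {}).get("login") == bot_login
            and audit_marker in (c.get("body") or "")
            for c in comments["nodes"]
        )
        result["handled" if handled else "pending"].append(issue["number"])
    return result


def _issue(number: int, comments, more_comments: bool = False) -> dict:
    """Constructed issue node in the query's shape (sample data, not real issues)."""
    return {
        "number": number,
        "title": f"constructed awf issue {number}",
        "body": "",
        "url": f"https://example.invalid/issues/{number}",
        "labels": {"nodes": [{"name": "awf"}]},
        "comments": {
            "pageInfo": {"hasNextPage": more_comments, "endCursor": "c-more" if more_comments else None},
            "nodes": [{"author": ({"login": a} if a else None), "body": b} for a, b in comments],
        },
    }


def _page(nodes, has_next: bool, end_cursor: Optional[str]) -> dict:
    return {"data": {"repository": {"issues": {
        "pageInfo": {"hasNextPage": has_next, "endCursor": end_cursor},
        "nodes": nodes,
    }}}}


# Constructed two-page response: a single first:50 fetch without pagination would see page one only.
SAMPLE_PAGES: Dict[Optional[str], dict] = {
    None: _page([
        _issue(1, [("dispatcher-bot", "Audit: https://example.invalid/audit/1")]),
        _issue(2, [(None, "comment from a deleted account")]),
    ], has_next=True, end_cursor="cursor-1"),
    "cursor-1": _page([
        _issue(3, [("someone", "first of many")], more_comments=True),
        _issue(4, [("human-user", "Audit: looks done?")]),  # wrong author, must not count
    ], has_next=False, end_cursor=None),
}


def sample_fetch_page(cursor: Optional[str]) -> dict:
    return SAMPLE_PAGES[cursor]


def run_sample() -> Dict[str, List[int]]:
    return triage_issues(fetch_all_issues(sample_fetch_page), "dispatcher-bot", "Audit:")


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The comment connection is deliberately not followed here: an issue whose comments overflow the first page is set aside as undetermined instead of costing another fetch, which keeps the single-turn discovery budget while making the limit visible in the output rather than silently skipping or duplicating work.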
@github-actions
Contributor

Smoke Test Results

✅ GitHub MCP: #1894 perf: optimize secret-digger-claude token usage, #1892 ci: disable threat detection in all workflows
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-claude-24284801988.txt created
✅ Bash verify: file contents confirmed

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Contributor

🤖 Smoke Test Results

Test Status
GitHub MCP (perf: optimize secret-digger-claude token usage)
GitHub.com connectivity (HTTP 200)
File write/read (smoke-test-copilot-24284801989.txt)

Overall: PASS

PR: perf: optimize firewall-issue-dispatcher token usage by @lpcox (no assignees)

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Contributor

Smoke test (Codex) results:

  • PR titles: "perf: optimize secret-digger-claude token usage"; "ci: disable threat detection in all workflows"
  • GitHub MCP (last 2 merged PRs): ✅
  • safeinputs-gh PR query: ❌ (tool unavailable in this run)
  • Playwright (github.com title contains "GitHub"): ✅
  • Tavily web search: ❌ (tool unavailable in this run)
  • File write + bash cat verify: ✅
  • Discussion query + mystical discussion comment: ❌ (required discussion-query tool unavailable)
  • Build (npm ci && npm run build): ✅

Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

@github-actions
Contributor

Smoke Test: GitHub Actions Services Connectivity ✅

All connectivity checks passed:

| Service | Check | Result |
| --- | --- | --- |
| Redis | PING host.docker.internal:6379 | PONG |
| PostgreSQL | pg_isready host.docker.internal:5432 | ✅ Accepting connections |
| PostgreSQL | SELECT 1 on smoketest DB as postgres | ✅ Returned 1 |

🔌 Service connectivity validated by Smoke Services

@github-actions
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1904

@lpcox lpcox merged commit 4f35e4c into main Apr 11, 2026
55 of 56 checks passed
@lpcox lpcox deleted the perf/firewall-issue-dispatcher-optimization branch April 11, 2026 15:01
Development

Successfully merging this pull request may close these issues.

⚡ Copilot Token Optimization 2026-04-11 — Firewall Issue Dispatcher

2 participants