Optimize security-guard Claude token usage via prompt cache alignment and smaller diff payloads (#2085)

* Initial plan

* chore: optimize security-guard workflow token usage

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/9a210269-8ac9-41e3-919f-856a1265a617

* chore: refine security-guard diff truncation handling

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/9a210269-8ac9-41e3-919f-856a1265a617

* chore: align security-guard max turns env with workflow limit

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/81eb38a8-a633-497a-8d84-e626733b6f8a

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: Copilot

.github/workflows/security-guard.lock.yml

@@ -11,7 +11,7 @@ permissions:
   issues: read
 engine:
   id: claude
-  max-turns: 12
+  max-turns: 10
 features:
   cli-proxy: true
 tools:
@@ -32,14 +32,22 @@ steps:
     if: github.event.pull_request.number
     run: |
       DELIM="GHAW_PR_FILES_$(date +%s)"
+      DIFF_LIMIT=5000
+      DIFF_TMP="$(mktemp)"
       {
         echo "PR_FILES<<${DELIM}"
         gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" \
           --paginate --jq '.[] | "### " + .filename + " (+" + (.additions|tostring) + "/-" + (.deletions|tostring) + ")\n" + (.patch // "") + "\n"' \
-          | head -c 8000 || true
+          > "$DIFF_TMP" || true
+        DIFF_SIZE="$(wc -c < "$DIFF_TMP" | tr -d ' ')"
+        head -c "$DIFF_LIMIT" "$DIFF_TMP" || true
+        if [ "$DIFF_SIZE" -gt "$DIFF_LIMIT" ]; then
+          echo -e "\n[DIFF TRUNCATED at ${DIFF_LIMIT} bytes — use get_file_contents for full context]"
+        fi
         echo ""
         echo "${DELIM}"
       } >> "$GITHUB_OUTPUT"
+      rm -f "$DIFF_TMP"
     env:
       GH_TOKEN: ${{ github.token }}
       PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -101,14 +109,6 @@ This repository implements a **network firewall for AI agents** that provides L7
    - Wildcard pattern security (prevents overly broad patterns)
    - Protocol prefix handling
 
-## Changed Files (Pre-fetched)
-
-The following PR diff has been pre-computed. Focus your security analysis on these changes:
-
-```
-${{ steps.pr-diff.outputs.PR_FILES }}
-```
-
 ## Your Task
 
 Analyze PR #${{ github.event.pull_request.number }} in repository ${{ github.repository }}.
@@ -170,4 +170,12 @@ If no security issues are found:
 - Do not add a comment (use noop safe-output)
 - The PR passes the security review
 
-**SECURITY**: Be thorough but avoid false positives. Focus on actual security weakening, not code style or refactoring that maintains the same security level.
+**SECURITY**: Be thorough but avoid false positives. Focus on actual security weakening, not code style or refactoring that maintains the same security level.
+
+## Changed Files (Pre-fetched)
+
+The following PR diff has been pre-computed. Focus your security analysis on these changes:
+
+```
+${{ steps.pr-diff.outputs.PR_FILES }}
+```