perf(security-guard): reduce Claude token cost ~32% via turn cap, relevance gate, and conciseness (#1940)

* Initial plan

* perf: optimize security-guard Claude token usage

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/00d5e462-2f28-4220-93d6-fe070a8913f5

* Update .github/workflows/security-guard.lock.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update .github/workflows/security-guard.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: recompile security-guard.lock.yml to match .md frontmatter

The lock file hash was stale after frontmatter changes (max-turns,
timeout, steps). Recompiled with gh aw compile + post-processing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 4 people

.github/workflows/security-guard.lock.yml

@@ -11,7 +11,7 @@ permissions:
   issues: read
 engine:
   id: claude
-  max-turns: 25
+  max-turns: 8
 tools:
   github:
     toolsets: [pull_requests, repos]
@@ -23,7 +23,7 @@ safe-outputs:
     enabled: false
   add-comment:
     max: 1
-timeout-minutes: 10
+timeout-minutes: 15
 steps:
   - name: Fetch PR changed files
     id: pr-diff
@@ -42,14 +42,34 @@ steps:
       GH_TOKEN: ${{ github.token }}
       PR_NUMBER: ${{ github.event.pull_request.number }}
       GH_REPO: ${{ github.repository }}
+
+  - name: Check security relevance
+    id: security-relevance
+    if: github.event.pull_request.number
+    run: |
+      SECURITY_RE="host-iptables|setup-iptables|squid-config|docker-manager|seccomp-profile|domain-patterns|entrypoint\.sh|Dockerfile|containers/"
+      COUNT=$(gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" \
+        --paginate --jq '.[].filename' \
+        | grep -cE "$SECURITY_RE" || true)
+      echo "security_files_changed=$COUNT" >> "$GITHUB_OUTPUT"
+    env:
+      GH_TOKEN: ${{ github.token }}
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      GH_REPO: ${{ github.repository }}
 ---
 
 # Security Guard
 
-You are a security-focused AI agent that carefully reviews pull requests in this repository to identify changes that could weaken the security posture or extend the security boundaries of the Agentic Workflow Firewall (AWF).
+## Security Relevance Check
+
+**Security-critical files changed in this PR:** ${{ steps.security-relevance.outputs.security_files_changed }}
+
+> If this value is `0`, no security-critical files were modified. Use `noop` immediately without further analysis — this PR does not require a security review.
 
 ## Repository Context
 
+You are a security-focused AI agent that carefully reviews pull requests in this repository to identify changes that could weaken the security posture or extend the security boundaries of the Agentic Workflow Firewall (AWF).
+
 This repository implements a **network firewall for AI agents** that provides L7 (HTTP/HTTPS) egress control using Squid proxy and Docker containers. The firewall restricts network access to a whitelist of approved domains.
 
 ### Critical Security Components
@@ -134,6 +154,8 @@ Look for these types of security-weakening changes:
 
 ## Output Format
 
+**IMPORTANT: Be concise.** Report each security finding in ≤ 150 words. Maximum 5 findings total.
+
 If you find security concerns:
 1. Add a comment to the PR explaining each concern
 2. For each issue, provide: