perf: optimize security-guard token usage

- Restrict GitHub toolsets from [default] (52 tools) to
  [pull_requests, repos] (only tools actually used)
- Add pre-compute step to fetch PR diff before agent starts,
  reducing tool calls needed for initial PR analysis
- Add max-turns: 15 to prevent runaway token consumption
- Add explicit network: allowed: [github] to restrict egress
- Update prompt to reference pre-fetched diff data

Closes #1647

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox

.github/aw/actions-lock.json

@@ -50,6 +50,11 @@
       "version": "v0.65.3",
       "sha": "6b4da262b8f7e0e253d1ae84f400a843b918a4ab"
     },
+    "github/gh-aw-actions/setup@v0.65.5": {
+      "repo": "github/gh-aw-actions/setup",
+      "version": "v0.65.5",
+      "sha": "15b2fa31e9a1b771c9773c162273924d8f5ea516"
+    },
     "github/gh-aw/actions/setup@v0.42.0": {
       "repo": "github/gh-aw/actions/setup",
       "version": "v0.42.0",