feat: add daily token optimization advisor workflows

[lpcox]

Summary

Adds two daily agentic workflows that read the latest token usage reports and produce concrete optimization recommendations for the most expensive workflow.

New Workflows

copilot-token-optimizer — Reads token-usage-report issues, analyzes the most expensive Copilot workflow, downloads run artifacts to compare loaded vs used tools, and creates an issue with:

• Tool trimming recommendations (with estimated savings)
• Pre-agent step suggestions for deterministic work
• Prompt optimization opportunities
• GitHub toolset restriction advice
• Cache improvement strategies

claude-token-optimizer — Same pattern for Claude workflows (claude-token-usage-report), with additional Anthropic-specific analysis:

• Cache write vs read cost amortization (writes cost 12.5x more)
• Per-turn cache write/read breakdown
• Cache write rate metrics

Design

• Schedule: daily, after the analyzer workflows run
• Labels: copilot-token-optimization / claude-token-optimization
• close-older-issues: true — auto-closes previous optimization issues
• skip-if-match — prevents duplicate open issues
• 10-minute timeout
• Strict mode enabled

Relationship to Analyzers

token-usage-analyzer (daily) → creates usage report issue
token-optimizer (daily)      → reads report → creates optimization issue

Ref: #1604

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	85.81%	85.91%	📈 +0.10%
Statements	85.69%	85.79%	📈 +0.10%
Functions	86.71%	86.71%	➡️ +0.00%
Branches	78.50%	78.55%	📈 +0.05%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	86.1% → 86.5% (+0.40%)	85.6% → 86.0% (+0.39%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Adds two new daily “token optimization advisor” agentic workflows that consume the latest token usage report issues and create actionable optimization recommendation issues for the most expensive workflow.

Changes:

• Introduces copilot-token-optimizer workflow prompt and compiled lock workflow.
• Introduces claude-token-optimizer workflow prompt and compiled lock workflow.
• Configures daily scheduling, skip-if-match, safe-output issue creation, and auto-closing prior optimization issues.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/copilot-token-optimizer.md	New Copilot optimizer agent prompt: locate latest report, analyze worst workflow + artifacts, and open an optimization issue.
.github/workflows/copilot-token-optimizer.lock.yml	Compiled GitHub Actions workflow for the Copilot optimizer.
.github/workflows/claude-token-optimizer.md	New Claude optimizer agent prompt, including Anthropic-specific cache write/read analysis guidance.
.github/workflows/claude-token-optimizer.lock.yml	Compiled GitHub Actions workflow for the Claude optimizer.

Comments suppressed due to low confidence (6)

.github/workflows/copilot-token-optimizer.md:69

• <workflow-name> is ambiguous here: the usage report may list the workflow display name (e.g. "Smoke Copilot") rather than the workflow file stem (e.g. smoke-copilot). As written, cat .github/workflows/<workflow-name>.md will fail for display names with spaces/case. Consider adding an explicit step to resolve the workflow file by matching the name: field inside .github/workflows/*.lock.yml (or by using the run URL/ID from the report directly) before trying to read the source file.

Read the workflow's `.md` source file to understand its configuration:

```bash
cat ".github/workflows/<workflow-name>.md"

**.github/workflows/claude-token-optimizer.md:70**
* Same `<workflow-name>` ambiguity as the Copilot optimizer: if the report contains a workflow display name, `.github/workflows/<workflow-name>.md` will not exist. Add a deterministic mapping step (e.g., find the workflow file whose `name:` matches the report, or use the run ID/URL from the report) before attempting to `cat` the `.md`.

Read the workflow's .md source file to understand its configuration:

cat ".github/workflows/<workflow-name>.md"

**.github/workflows/copilot-token-optimizer.md:101**
* `grep` will exit with status 1 when there are no matching tool-call lines, and `find ... -exec grep ... \;` will propagate that non-zero status. In an agentic workflow this often gets treated as a command failure even though “no matches” is a valid outcome. Add `|| true` (and optionally `grep -h`) so the analysis doesn’t fail when there are simply no tool-call markers in the log.

Check agent stdio log for tool calls

find "$TMPDIR" -name "agent-stdio.log" -exec grep "^●" {} ;

**.github/workflows/claude-token-optimizer.md:101**
* Same `grep` exit-code problem: `find ... -exec grep ... \;` will fail the command when there are no matches. Add `|| true` (and optionally `-h`) so the workflow doesn’t treat “no tool calls found” as an error.

Check agent stdio log for tool calls

find "$TMPDIR" -name "agent-stdio.log" -exec grep "^●" {} ;

**.github/workflows/copilot-token-optimizer.md:88**
* `gh run list --workflow "<workflow-name>.lock.yml"` assumes the workflow identifier matches a `.lock.yml` filename derived from the report. In practice, the report may contain a workflow display name (with spaces) or a different identifier, so this lookup can return an empty list and leave `RUN_ID` blank. Consider deriving the workflow identifier from the report’s run URL/ID (preferred), or explicitly resolving workflow name ↔ file mapping before calling `gh run list`, and handle the “no successful run found” case gracefully.

Find the latest successful run

RUN_ID=$(gh run list --repo "$GITHUB_REPOSITORY"
--workflow ".lock.yml"
--status success --limit 1
--json databaseId --jq '.[0].databaseId')

**.github/workflows/claude-token-optimizer.md:88**
* `gh run list --workflow "<workflow-name>.lock.yml"` can fail to find runs if `<workflow-name>` comes from the report’s display name or otherwise doesn’t match the actual workflow filename, resulting in an empty/invalid `RUN_ID`. Consider using the run URL/ID already present in the report (or adding an explicit workflow-name→file resolution step) and add handling for “no successful run found”.

# Find the latest successful run
RUN_ID=$(gh run list --repo "$GITHUB_REPOSITORY" \
  --workflow "<workflow-name>.lock.yml" \
  --status success --limit 1 \
  --json databaseId --jq '.[0].databaseId')

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

schedule: daily compiles to a scattered cron, and the generated schedule currently runs before the Claude token usage analyzer. In the repo, claude-token-usage-analyzer.lock.yml is scheduled at 48 19 * * *, but this optimizer is at 33 12 * * *, so it may frequently run without a fresh report (or create recommendations from stale data). Consider switching to an explicit cron schedule (or a workflow_run trigger on the analyzer) so the optimizer reliably runs after the analyzer, consistent with the PR description.

[Copilot]

The instruction to create an issue when no report exists will create an open issue with the copilot-token-optimization label (via safe-outputs). Because skip-if-match blocks when any open issue has that label, the workflow can end up permanently skipping on subsequent days until someone manually closes that “no report found” issue. Prefer emitting a noop (report-as-issue) or creating an unlabelled/non-blocking issue in this branch so the optimizer can run automatically once reports start appearing.

This issue also appears in the following locations of the same file:

• line 65
• line 83
• line 99

Suggested change

	If no report exists, create a brief issue stating that no token usage report was found and that the `copilot-token-usage-analyzer` workflow should run first. Then stop.
	If no report exists, do **not** create a normal issue. Instead, emit a noop/report-as-issue style result stating that no token usage report was found and that the `copilot-token-usage-analyzer` workflow should run first. Then stop.

[Copilot]

Same issue as the Copilot optimizer: creating an issue when no report exists will leave an open issue with claude-token-optimization, which then causes skip-if-match to skip all future runs until manual intervention. Prefer noop (report-as-issue) or otherwise avoid creating an open, label-matching issue in the “no report found” path.

This issue also appears in the following locations of the same file:

• line 66
• line 83
• line 99

Suggested change

	If no report exists, create a brief issue stating that no token usage report was found and that the `claude-token-usage-analyzer` workflow should run first. Then stop.
	If no report exists, do **not** create an issue. Instead, return a no-op result briefly stating that no token usage report was found and that the `claude-token-usage-analyzer` workflow should run first. Then stop.

[github-actions]

Smoke Test: PASS

• ✅ GitHub MCP: perf: reduce smoke-copilot token usage with pre-steps and tool trimming #1613 perf: reduce smoke-copilot token usage; fix: add picomatch overrides for GHSA-c2c7-rcm5-vvqj #1446 fix: add picomatch overrides for GHSA-c2c7-rcm5-vvqj
• ✅ Playwright: github.com title contains "GitHub"
• ✅ File write: smoke-test-claude-23916622154.txt created and verified
• ✅ Bash: file contents confirmed

💥 [THE END] — Illustrated by Smoke Claude for issue #1620

[github-actions]

Smoke Test Results — PASS

✅ GitHub MCP: #1613 perf: reduce smoke-copilot token usage with pre-steps and tool trimming / #1446 fix: add picomatch overrides for GHSA-c2c7-rcm5-vvqj
✅ Playwright: github.com title contains "GitHub"
✅ File write: smoke-test-claude-23916962136.txt created and verified
✅ Bash: file contents confirmed

💥 [THE END] — Illustrated by Smoke Claude for issue #1620

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1620 · ◷

[github-actions]

🤖 Smoke Test Results — Copilot Engine

Test	Result
GitHub MCP (list PRs)	✅ Last merged: #1613 "perf: reduce smoke-copilot token usage…"
GitHub.com connectivity	⚠️ Pre-step output not resolved (${{ steps.smoke-data.outputs.SMOKE_HTTP_CODE }})
File write/read	⚠️ Pre-step output not resolved (${{ steps.smoke-data.outputs.SMOKE_FILE_PATH }})
Bash tool	✅ echo "bash works" succeeded

Overall: PARTIAL — MCP + Bash verified; pre-step outputs not injected into prompt.

PR by @lpcox · Reviewer: @Mossaka

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed.

Service	Check	Result
Redis (host.docker.internal:6379)	PING	✅ PONG
PostgreSQL (host.docker.internal:5432)	pg_isready	✅ accepting connections
PostgreSQL smoketest db	SELECT 1	✅ returned 1

Note: redis-cli was unavailable; Redis was tested via nc — response was +PONG.

🔌 Service connectivity validated by Smoke Services

[github-actions]

Smoke Test Results

• perf: reduce smoke-copilot token usage with pre-steps and tool trimming
• fix: prevent Squid config injection via --allow-domains and --allow-urls
• GitHub MCP merged-PR review: ✅
• safeinputs-gh PR query: ❌ (tool unavailable in this run)
• Playwright github.com title check: ❌ (MCP EACCES writing /tmp/gh-aw/mcp-logs/playwright)
• Tavily search: ❌ (tool unavailable in this run)
• File write/read (/tmp/gh-aw/agent/smoke-test-codex-23916962135.txt): ✅
• Discussion query + mystical discussion comment: ❌ (discussion query/write path unavailable)
• npm ci && npm run build: ✅
• Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex