
[deep-report] Fix list_code_scanning_alerts token bloat: strip rule.help CWE docs (6K → <500 tokens per call) #30643

@github-actions


Problem Statement

The MCP Structural Analysis (2026-05-06, #30611) identified list_code_scanning_alerts as the most bloated GitHub MCP tool: each call consumes ~6,000 tokens because the rule.help field embeds full CWE documentation for every identical alert in the list. This penalizes any agent that inspects security alerts.

Root Cause

The rule.help field contains ~1,500 tokens of CWE documentation repeated once per alert — even when multiple alerts share the same rule. Deduplicating or stripping this field before returning results would reduce the payload by ~90%.

Expected Impact

  • Reduces per-call token cost from ~6,000 to <500 tokens
  • Allows security-focused agents to scan more alerts per context window
  • Improves usefulness rating from 2/5 to 4/5

Suggested Fix

Option A (preferred): Strip rule.help from the MCP tool response and provide it separately on demand.
Option B: Deduplicate rule.help — include it once per unique rule ID rather than per alert instance.
Option C: Add an include_rule_help: false parameter to opt out.

Estimated Effort

Medium (1–2 hours)

Data Source

MCP Structural Analysis — 2026-05-06 (#30611)

Generated by DeepReport - Intelligence Gathering Agent


  • expires on May 8, 2026, 3:35 PM UTC
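
The three options in the Suggested Fix, sketched as a post-processing step over an alert list. This is an added example, not code from this repository or from the GitHub MCP server: `slim_alerts`, `payload_size` and the sample alerts are hypothetical names and constructed data; only `rule.help` and `include_rule_help` come from the issue.

```python
import copy
import json


def slim_alerts(alerts, include_rule_help=False):
    """Return (alerts, rule_help) with rule.help removed from every alert.

    include_rule_help=False: Options A/C, help text is dropped entirely.
    include_rule_help=True:  Option B, help text is kept once per rule id.
    """
    slimmed, rule_help = [], {}
    for alert in alerts:
        alert = copy.deepcopy(alert)  # never mutate the caller's data
        rule = alert.get("rule")
        if isinstance(rule, dict):
            help_text = rule.pop("help", None)
            rule_id = rule.get("id")
            if include_rule_help and help_text:
                if rule_id is None:
                    # No id to key on: keep help inline rather than lose it.
                    rule["help"] = help_text
                else:
                    rule_help.setdefault(rule_id, help_text)
        slimmed.append(alert)
    return slimmed, rule_help


def payload_size(obj):
    """Serialized size in characters, a rough proxy for token cost."""
    return len(json.dumps(obj, separators=(",", ":")))


# Constructed sample: three alerts, two sharing one rule, with long help text.
HELP_XSS = "# Cross-site scripting\n" + "CWE-79 guidance. " * 200
HELP_SQLI = "# SQL injection\n" + "CWE-89 guidance. " * 200
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "js/xss", "severity": "error", "help": HELP_XSS}},
    {"number": 2, "state": "open",
     "rule": {"id": "js/xss", "severity": "error", "help": HELP_XSS}},
    {"number": 3, "state": "open",
     "rule": {"id": "js/sql-injection", "severity": "error", "help": HELP_SQLI}},
]

if __name__ == "__main__":
    stripped, _ = slim_alerts(SAMPLE_ALERTS)
    deduped, helps = slim_alerts(SAMPLE_ALERTS, include_rule_help=True)
    print("original:", payload_size(SAMPLE_ALERTS))
    print("stripped:", payload_size(stripped))
    print("deduped :", payload_size([deduped, helps]))
```

Each slimmed alert keeps `rule.id` and `rule.severity`, so an agent can still triage the list and request the help text for a specific rule afterwards.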
