diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md index 16b684e2e5..6a455c0b5c 100644 --- a/.github/workflows/code-scanning-fixer.md +++ b/.github/workflows/code-scanning-fixer.md @@ -60,7 +60,7 @@ You are a security-focused code analysis agent that automatically fixes code sca Your goal is to: 1. **Check cache for previously fixed alerts**: Avoid fixing the same alert multiple times -2. **List all open alerts**: Find all open code scanning alerts (prioritizing by severity: critical, high, medium, low, warning, note, error) +2. **List open high-risk alerts**: Find open critical/high code scanning alerts (prioritizing critical over high) 3. **Select an unfixed alert**: Pick the highest severity unfixed alert that hasn't been fixed recently 4. **Analyze the vulnerability**: Understand the security issue and its context 5. **Generate a fix**: Create code changes that address the security issue @@ -84,7 +84,10 @@ Use the GitHub MCP server to list all open code scanning alerts: - `owner`: "githubnext" (the repository owner) - `repo`: "gh-aw" (the repository name) - `state`: "open" - - Do NOT filter by severity - get all alerts + - `severity`: "critical,high" (required to prevent oversized MCP responses) +- Medium/low/warning/note/error are intentionally excluded in this workflow so each run stays within MCP context limits +- Do NOT send `head_limit` to the default GitHub MCP tool (`list_code_scanning_alerts` does not support it) +- If using a custom wrapper that explicitly documents `head_limit`, you may use `head_limit: 20` - Sort the results by severity (prioritize: critical > high > medium > low > warning > note > error) - If no open alerts are found, log "No unfixed security alerts found. All alerts have been addressed!" and exit gracefully - If you encounter tool errors, report them clearly and exit gracefully rather than trying workarounds 
@@ -92,7 +95,7 @@ Use the GitHub MCP server to list all open code scanning alerts: ### 3. Select an Unfixed Alert -From the list of all open alerts (sorted by severity): +From the list of open high-risk alerts (sorted by severity): - Exclude any alert numbers that are in the cache (already fixed) - Select the first alert from the filtered list (highest severity unfixed alert) - If no unfixed alerts remain, exit gracefully with message: "No unfixed security alerts found. All alerts have been addressed!" @@ -189,7 +192,7 @@ After successfully creating the pull request: ## Security Guidelines -- **All Severity Levels**: Fix security alerts of all severities (prioritizing critical, high, medium, low, warning, note, error in that order) +- **High-Risk Only**: This workflow only processes critical/high alerts to keep MCP responses bounded and actionable - **Minimal Changes**: Make only the changes necessary to fix the security issue - **No Breaking Changes**: Ensure the fix doesn't break existing functionality - **Best Practices**: Follow security best practices for the specific vulnerability type diff --git a/.github/workflows/github-mcp-structural-analysis.md b/.github/workflows/github-mcp-structural-analysis.md index a5fffc1ed8..4cf05b1974 100644 --- a/.github/workflows/github-mcp-structural-analysis.md +++ b/.github/workflows/github-mcp-structural-analysis.md 
@@ -75,7 +75,9 @@ Test ONE representative tool from each toolset with minimal parameters: 3. **issues**: `list_issues` - List issues with perPage=1 4. **pull_requests**: `list_pull_requests` - List PRs with perPage=1 5. **actions**: `list_workflows` - List workflows with perPage=1 -6. **code_security**: `list_code_scanning_alerts` - List alerts with minimal params +6. **code_security**: `list_code_scanning_alerts` + - Required guard params: `state: open`, `severity: critical,high` + - `head_limit` note: the GitHub MCP server's `list_code_scanning_alerts` tool does not support `head_limit`; use `head_limit: 20` only with custom wrappers that explicitly document support 7. **discussions**: `list_discussions` (if available) 8. **labels**: `get_label` - Get a single label 9. **users**: `get_user` (if available) diff --git a/AGENTS.md b/AGENTS.md index b043295e2f..f30d53784a 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -166,6 +166,8 @@ network: - **Never use `mode: remote`** — it does not work with the GitHub Actions token (`GITHUB_TOKEN`) and requires a special PAT or GitHub App token - Never rely on direct `api.github.com` access in Copilot workflows - **Never use direct GitHub CLI API reads in agent prompts** (for example: `gh api`, `gh repo view`, `gh pr list`) — use MCP `github` tools instead +- **Guard `list_code_scanning_alerts` calls in workflow prompts**: always include `state: open` and `severity: critical,high` to avoid oversized MCP responses +- **`head_limit` compatibility**: do **not** send `head_limit` to the default GitHub MCP tool; use `head_limit: 20` only with custom wrappers after verifying support in wrapper docs or wrapper-specific tests See [GitHub MCP Server Documentation](skills/github-mcp-server/SKILL.md) for complete configuration details.
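Review bot: In the `@@ -84,7 +84,10` hunk of `code-scanning-fixer.md`, the unchanged context line "Sort the results by severity (prioritize: critical > high > medium > low > warning > note > error)" is now inconsistent with the new `severity: "critical,high"` filter two lines above it, since medium and below can no longer appear in the results; trim it to "critical > high" in this change rather than leaving the prompt telling the agent to order severities it will never see. Also check that the tool actually accepts a comma-separated `severity` value: the REST endpoint it mirrors takes a single severity, so if the MCP tool does the same, `critical,high` will either error or be ignored (which would defeat the "prevent oversized MCP responses" intent), and two calls, one with `severity: "critical"` and one with `severity: "high"`, would be the safe form.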
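Review bot: In the `@@ -189,7 +192,7 @@` hunk of `code-scanning-fixer.md`, the "High-Risk Only" guideline justifies dropping medium/low/warning/note/error alerts with an MCP context-size limit, which is a transport constraint, not a security decision; as written, those alerts are silently never fixed by this workflow and nothing on the page says where they go. Since the structural-analysis hunk already bounds other list tools with `perPage=1`, consider bounding this call with a small `perPage` (and the cache-based skip in step 1) instead of excluding severities outright, or at least state in the guideline which workflow or process owns the remaining severities.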
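Review bot: In the `github-mcp-structural-analysis.md` hunk, adding `state: open` and `severity: critical,high` as "Required guard params" turns a minimal smoke test of `list_code_scanning_alerts` into a filtered query: on a repository with no open critical/high alerts the call returns an empty list, which cannot be distinguished from a tool that ignores its parameters, whereas the other toolsets in the same list are probed with `perPage=1`. Use the same `perPage=1` bound here for the structural check and keep the severity filter for the fixer workflow only. The `head_limit` sentence also repeats the wording added to `code-scanning-fixer.md` and `AGENTS.md` almost verbatim; the page already points to `skills/github-mcp-server/SKILL.md` for configuration details, so that is the single place this compatibility note belongs, with the other files linking to it.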
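Review bot: In the `AGENTS.md` hunk, "always include `state: open` and `severity: critical,high`" is stated as an unconditional rule for every workflow prompt, but it encodes one workflow's triage policy (fix critical/high first) into repository-wide agent guidance, and a workflow that legitimately needs to enumerate closed, dismissed or medium-severity alerts would now be violating the guide. Reword it as a default with an explicit exception ("use a narrower filter or a small page size when a workflow needs other states or severities"), and for the `head_limit` bullet say what "verifying support" means concretely, for example the wrapper's tool schema listing `head_limit`, so an agent has a checkable condition rather than "wrapper docs or wrapper-specific tests".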