## Target Workflow

- **File:** `.github/workflows/daily-firewall-report.md`
- **Engine:** copilot (inferred from run data; no explicit `engine` in frontmatter)
- **7-day token usage:** ~2,620,126 tokens across 1 run (~2,620,126 avg/run, 40 turns avg)
## Why This Workflow

`daily-firewall-report` is the highest-token non-haiku daily scheduled workflow in the 7-day window, consuming ~2.6M tokens per run on the copilot/sonnet stack. The prompt divides naturally into two fully independent workstreams: a 5-phase chart-generation block (collect 30-day data → CSV → matplotlib → upload) and a 6-step firewall-analysis pipeline (collect 7-day runs → audit each → aggregate → report). These can run concurrently, and both contain phases that are purely extractive or data-formatting work — ideal for a smaller model.
## Optimization 1 — Inline Sub-Agents

### LLM Expert Reasoning
- **Chart generation is fully decoupled:** Phases 1–5 of the "Trend Charts Requirement" section use a separate 30-day window and produce only chart URLs — they never depend on the main analysis and can run as a standalone sub-agent in parallel with Steps 1–2.
- **Data aggregation is purely extractive:** Steps 2–4 (call `audit` per run, extract JSON fields, accumulate counts) require no synthesis or judgment — classic Haiku territory for structured-data extraction and tabulation.
- **Parallelism opportunity is concrete:** Chart generation and the `logs`/`audit` calls in Steps 1–2 target different date ranges and can execute simultaneously, reducing wall-clock time as well as main-model turns.
- Both sections score high on the Independence and Size dimensions — the two strongest signals for meaningful token savings without quality risk.
- **Main model retains all synthesis work:** Sections 5 (Report) and 6 (Create Discussion) involve narrative judgment and remain in the main agent.
### Proposed Sub-Agents

#### 1. `firewall-chart-generator` (small)

**Extracted task:** Collects 30-day firewall data, generates two trend charts, and returns upload URLs.

**Why small:** Pure data collection → CSV creation → matplotlib chart generation → upload sequence; no narrative judgment required.

**Score:** 9/10 (independence: 3, model-adequacy: 2, parallelism: 2, size: 2)

**Estimated savings:** ~390k tokens/run (~15%)
**Agent definition (copy-paste ready):**

```markdown
## agent: `firewall-chart-generator`
---
description: Collects 30-day firewall data and generates two trend charts
model: small
---

Generate 2 firewall trend charts for the past 30 days and upload them.

1. Use the `logs` tool: `{firewall: true, start_date: "-30d", count: 100}`
2. Use the `audit` tool on each returned run to collect daily request counts and blocked-domain frequencies
3. Create `/tmp/gh-aw/python/data/firewall_requests.csv` (columns: date, allowed, blocked, total)
4. Create `/tmp/gh-aw/python/data/blocked_domains.csv` (columns: domain, count)
5. Generate charts using Python/seaborn (300 DPI, 12×7 in, professional styling, grid lines):
   - Chart 1: stacked area/multi-line showing allowed vs blocked by day → `/tmp/gh-aw/python/charts/firewall_requests_trends.png`
   - Chart 2: horizontal bar of the top 10–15 most-blocked domains → `/tmp/gh-aw/python/charts/blocked_domains_frequency.png`
6. Upload both charts using the `upload_asset` safe-output tool
7. Output the two asset URLs on the final line as: `CHART1_URL=<url1> CHART2_URL=<url2>`

If fewer than 7 days of data are available, generate charts with the available data and add a note.
```
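The agent's Step 5 reduces to a short plotting script. Here is a minimal sketch of the first chart, assuming matplotlib is available in the sandbox; the sample rows, dates, and the temp output directory are made up for illustration (the real agent would write to the `/tmp/gh-aw/python/...` paths above), and the seaborn styling details are omitted.

```python
import csv
import os
import tempfile

import matplotlib
matplotlib.use("Agg")  # headless rendering; no display needed in CI
import matplotlib.pyplot as plt

# Hypothetical sample rows standing in for the 30-day data from Steps 1-2.
rows = [
    ("2024-06-01", 120, 14),
    ("2024-06-02", 98, 7),
    ("2024-06-03", 143, 22),
]

data_dir = tempfile.mkdtemp()

# Step 3: write the requests CSV (date, allowed, blocked, total).
csv_path = os.path.join(data_dir, "firewall_requests.csv")
with open(csv_path, "w", newline="") as f:
    writer = csv.writer(f)
    writer.writerow(["date", "allowed", "blocked", "total"])
    for date, allowed, blocked in rows:
        writer.writerow([date, allowed, blocked, allowed + blocked])

# Step 5, Chart 1: allowed vs blocked requests per day (multi-line variant).
dates = [r[0] for r in rows]
allowed_counts = [r[1] for r in rows]
blocked_counts = [r[2] for r in rows]

fig, ax = plt.subplots(figsize=(12, 7))
ax.plot(dates, allowed_counts, marker="o", label="Allowed")
ax.plot(dates, blocked_counts, marker="o", label="Blocked")
ax.set_xlabel("Date")
ax.set_ylabel("Requests")
ax.set_title("Firewall Requests by Day")
ax.grid(True, linestyle="--", alpha=0.5)
ax.legend()

chart_path = os.path.join(data_dir, "firewall_requests_trends.png")
fig.savefig(chart_path, dpi=300, bbox_inches="tight")
plt.close(fig)
print(chart_path)
```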
**Invocation change in main prompt:**

Before:

```markdown
## 📊 Trend Charts Requirement

**IMPORTANT**: Generate exactly 2 trend charts that showcase firewall activity patterns over time.

### Chart Generation Process

**Phase 1: Data Collection**

Collect data for the past 30 days (or available data) from firewall audit logs:
...

[5 phases of detailed chart generation instructions]
```

After:

```markdown
## 📊 Trend Charts

Use the `firewall-chart-generator` agent to collect 30-day firewall data, generate the two trend charts, and return their upload URLs. Record the returned `CHART1_URL` and `CHART2_URL` values for embedding in Section 5 of the report.
```
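The `CHART1_URL=<url1> CHART2_URL=<url2>` contract on the agent's final line is deliberately machine-parseable. A sketch of how the consumer could extract the URLs — the sample line and URLs here are made up:

```python
import re

# Hypothetical final line returned by the firewall-chart-generator agent.
final_line = (
    "CHART1_URL=https://example.com/assets/trends.png "
    "CHART2_URL=https://example.com/assets/domains.png"
)

# Capture each KEY=value pair; URLs contain no whitespace, so \S+ suffices.
urls = dict(re.findall(r"(CHART\d+_URL)=(\S+)", final_line))
print(urls["CHART1_URL"])
print(urls["CHART2_URL"])
```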
#### 2. `firewall-data-aggregator` (small)

**Extracted task:** Audits each firewall-enabled run and returns aggregated domain and policy statistics.

**Why small:** Structured JSON extraction across multiple audit results — enumerating fields, summing counts, building frequency tables — matches the "extracting specific fields from structured text" heuristic exactly.

**Score:** 7/10 (independence: 2, model-adequacy: 2, parallelism: 1, size: 2)

**Estimated savings:** ~260k tokens/run (~10%)
**Agent definition (copy-paste ready):**

```markdown
## agent: `firewall-data-aggregator`
---
description: Audits provided run IDs and returns aggregated firewall domain statistics
model: small
---

You receive a JSON array of workflow run IDs. Audit each run and return aggregated statistics.

For each run ID in the input array:

1. Call the `audit` tool with the run ID
2. Extract from `firewall_analysis`: total_requests, allowed_requests, blocked_requests, blocked_domains[], requests_by_domain{}
3. If `policy_analysis` is present, extract: policy_summary, rule_hits[], denied_requests[]

Aggregate across all runs:

- Master blocked-domain frequency map: domain → {total_blocks, workflows[]}
- Overall totals: workflow_runs_analyzed, total_requests, allowed_requests, blocked_requests, unique_blocked_domains
- Policy rule-hit totals keyed by rule ID (when policy_analysis is available)
- Denied requests grouped by domain+rule (when policy_analysis is available)

Output a single JSON object with keys: `totals`, `blocked_domains`, `policy_rules`, `denied_requests`.
Do not add commentary — return only the JSON object.
```
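The aggregation the small model is asked to perform is mechanical, which is why it qualifies for a small model. A hedged sketch of the core of it, using two made-up `audit` results shaped like the extraction list above (field names from the agent definition; the run IDs, workflow names, and domains are invented):

```python
from collections import defaultdict

# Two hypothetical `audit` results, shaped like the fields listed above.
audits = [
    {"workflow": "daily-a",
     "firewall_analysis": {"total_requests": 50, "allowed_requests": 46,
                           "blocked_requests": 4,
                           "blocked_domains": ["evil.test", "ads.test"]}},
    {"workflow": "daily-b",
     "firewall_analysis": {"total_requests": 30, "allowed_requests": 29,
                           "blocked_requests": 1,
                           "blocked_domains": ["evil.test"]}},
]

totals = {"workflow_runs_analyzed": 0, "total_requests": 0,
          "allowed_requests": 0, "blocked_requests": 0}
blocked = defaultdict(lambda: {"total_blocks": 0, "workflows": set()})

for audit in audits:
    fw = audit["firewall_analysis"]
    totals["workflow_runs_analyzed"] += 1
    for key in ("total_requests", "allowed_requests", "blocked_requests"):
        totals[key] += fw[key]
    # Master blocked-domain frequency map: domain -> {total_blocks, workflows[]}
    for domain in fw["blocked_domains"]:
        blocked[domain]["total_blocks"] += 1
        blocked[domain]["workflows"].add(audit["workflow"])

totals["unique_blocked_domains"] = len(blocked)
result = {
    "totals": totals,
    "blocked_domains": {
        d: {"total_blocks": v["total_blocks"], "workflows": sorted(v["workflows"])}
        for d, v in blocked.items()
    },
}
print(result["totals"])
```

The `policy_rules` and `denied_requests` keys would be built the same way from `policy_analysis` when it is present.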
**Invocation change in main prompt:**

Before:

```markdown
### Step 2: Analyze Firewall Logs from Collected Runs

For each run collected in Step 1:

1. Use the `audit` tool from the agentic-workflows MCP server to get detailed firewall information
...

### Step 3: Parse and Analyze Firewall Logs

Use the JSON output from the `audit` tool to extract firewall information.
...

### Step 4: Aggregate Results

Combine data from all workflows...
```

After:

```markdown
### Steps 2–4: Audit and Aggregate Firewall Data

Pass the list of run IDs from Step 1 to the `firewall-data-aggregator` agent.
Use the returned JSON object (keys: `totals`, `blocked_domains`, `policy_rules`, `denied_requests`) as the data source for Step 5 (Generate Report).
```
### Frontmatter Change Required

Add to frontmatter:

```yaml
features:
  inline-agents: true
```
### Estimated Impact

| Metric | Before | After (estimated) |
| --- | --- | --- |
| Avg tokens/run | ~2,620,126 | ~1,970,000 (~25% reduction) |
| Main-model context saved | — | ~650,000 tokens/run |
| Parallelism opportunity | None | Chart generation runs concurrently with Steps 1–2 data collection |
### Implementation Steps

- Add `features: inline-agents: true` to the frontmatter of `.github/workflows/daily-firewall-report.md`
- Replace the "Trend Charts Requirement" section with the single-line `firewall-chart-generator` invocation
- Replace Steps 2–4 with the single-line `firewall-data-aggregator` invocation
- Add both agent blocks at the bottom of `.github/workflows/daily-firewall-report.md`, after all workflow content
- Compile: `gh aw compile daily-firewall-report`
- Test: `gh workflow run daily-firewall-report.yml`
*Generated by Daily Sub-Agent Optimizer*