WASM guard rejects GitHub API responses larger than 16KB, silently failing the agent

[theletterf]

Summary

The WASM guard's call_backend has a hard 16,384-byte result size cap. When the GitHub API returns a response larger than this, the guard logs Result too large: <size> > 16384 and returns code -1, which cascades into a full agent job failure with no useful output.

Observed behaviour

[guard:wasm] Result too large: 17969 > 16384
[guard:wasm] [guard:github] ERROR: <<< call_backend FAILED with code -1
[guard] [github] <<< call_backend FAILED with code -1

Because no RPC messages are ever written, the job ends with:

ERR_SYSTEM: rpc-messages.jsonl is present but zero bytes — MCP telemetry capture failed

Steps to reproduce

1. Trigger any gh-aw workflow against a PR in a repository whose GitHub API response for GET /repos/{owner}/{repo}/pulls/{number} exceeds 16KB.
2. The guard rejects the response and the agent produces zero output.

Environment

• gh-aw-mcpg: v0.3.9 (confirmed); also present in v0.3.17 per release notes (no fix listed)
• gh-aw-firewall/agent: 0.25.49
• Workflow: gh-aw-docs-review on elastic/docs-content PR #6648
• PR API response size: 17,969 bytes (1.6KB over the 16KB cap)

Expected behaviour

The guard should either:

• Accept responses larger than 16KB (increase or remove the cap), or
• Return a truncated/summarised response rather than failing with code -1

Impact

Any workflow run against a PR in a large repo where the PR API payload exceeds 16KB will silently fail with ERR_SYSTEM. The error message gives no indication that the root cause is a guard size limit, making this very hard to diagnose.

[lpcox]

@theletterf creating a new gateway version that should fix this. will ping you when it's consumable through a new gh-aw version.

[lpcox]

@theletterf please try v0.75.3. it includes a pr that should fix your issue, but let me know if you are still having problems.

https://github.com/github/gh-aw/releases/tag/v0.75.3