TL;DR: Copilot's context window is shared across your files, chat history, and system prompts. A typical TypeScript file wastes 60% of that budget on comments and whitespace. Install the CleanMyPrompt VS Code extension or run `npm install -g cleanmyprompt`, then run `CMP: Squeeze + Redact File` before referencing any file in Copilot Chat. 30–50% token reduction, zero secrets transmitted.
"Context Window Exceeded" — Here's What's Actually Happening
GitHub Copilot has a fixed token budget per session. That budget is shared across:
- The system prompt Copilot injects automatically
- Every #file: reference you add
- Your entire chat history in the current session
- The file Copilot is currently editing
- The model's response
When Copilot starts giving worse suggestions, losing context from earlier in the conversation, or shows a context window warning — your budget is exhausted.
Here's what makes it worse: most of what you're sending, Copilot doesn't need.
The Real Numbers: How Much Is Noise
Run any real-world source file through a token counter and the breakdown is striking:
| What's in your file | Share of tokens |
|---|---|
| Actual logic Copilot needs | ~40% |
| Comments and JSDoc blocks | ~25% |
| Import boilerplate | ~15% |
| Blank lines and whitespace | ~10% |
| Debug logs and unused code | ~10% |
60% of what you send to Copilot is noise it either ignores or infers. A 400-line TypeScript service file runs roughly 2,300 tokens. Add five related files via #codebase and you've burned 10,000–15,000 tokens on context before writing a single message.
The Second Problem: You're Leaking Secrets
Context budget is only half the issue. The other half is what that context contains.
A typical development scenario:
DATABASE_URL=postgres://admin:s3cur3P@ss@prod-db.internal:5432/mydb
OPENAI_API_KEY=sk-proj-xxxxxxxxxxxxxxxxxxxxxxxxxxx
STRIPE_SECRET_KEY=sk_live_xxxxxxxxxxxxxxxxxxxxxxxxx
SENDGRID_API_KEY=SG.xxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxx
You paste this into Copilot Chat: "Help me write a connection pool."
Your live Stripe key and OpenAI API key just went to GitHub's API endpoint. With Copilot's multi-model support, the same context may be routed to OpenAI, Anthropic, or Google depending on your plan — and you may not know which.
This isn't theoretical. It's the default workflow for millions of developers.
The Fix: Redact + Compress Before Copilot Sees It
Both problems — too many tokens, secret exposure — are solved in the same place: before the text reaches the model.
In VS Code: CleanMyPrompt Extension
Install from the Marketplace (search CleanMyPrompt, publisher cleanmyprompt). Once installed:
Inline diagnostics — squiggly underlines appear immediately under secrets in any open file. Hover to see the finding type (OPENAI-KEY, STRIPE-KEY, EMAIL, etc.) and severity.
One-command fix:
Ctrl+Shift+P → CMP: Fix File # redact secrets
Ctrl+Shift+P → CMP: Squeeze File # compress tokens
Ctrl+Shift+P → CMP: Fix All Open Files # sweep every open tab
Before → After on a typical config file:
// BEFORE (sends live secrets, 2,340 tokens)
const client = new OpenAI({ apiKey: 'sk-proj-xxxxxxxxxxxxxxxxxxxxxxxxxxx' });
const db = new Pool({ connectionString: 'postgres://admin:s3cur3P@ss@prod.internal/mydb' });
// This function handles all payment processing
// Author: Sarah Chen, updated 2025-03-15
// TODO: add retry logic
function processPayment(amount: number, customerId: string) {
// AFTER (no secrets, 1,290 tokens — 45% less)
const client = new OpenAI({ apiKey: '[OPENAI-KEY]' });
const db = new Pool({ connectionString: '[DB-CONN-STRING]' });
function processPayment(amount: number, customerId: string) {
Copilot still understands everything it needs. It just doesn't see the secrets or the noise.
The CLI: Fix at Scale for Teams and CI
For teams, per-file VS Code fixes don't scale. The CleanMyPrompt CLI handles bulk processing:
Install
npm install -g cleanmyprompt
Single file — redact before pasting to Copilot Chat
cmp fix src/config/database.ts # redact secrets in-place
cmp squeeze src/services/payment.ts # compress tokens in-place
Whole project — build a clean reference copy
cmp fix --recursive src/ --output .cmp-clean/
echo ".cmp-clean/" >> .gitignore
# Now reference .cmp-clean/ files in Copilot Chat instead of src/
Pre-commit hook — block secrets before they're committed
cmp install-hook # installs into .git/hooks/pre-commit
Every git commit now scans staged files. If secrets are found, the commit is blocked:
[CleanMyPrompt] Scanning staged files...
src/config.ts
✗ OPENAI-KEY HIGH Line 3
✗ STRIPE-KEY HIGH Line 7
⚠ Commit blocked — 2 secrets found. Run `cmp fix <file>` to redact.
GitHub Actions — catch what developers miss
- name: Scan for secrets
run: npx cleanmyprompt scan --recursive src/ --fail-on-findings
Token Savings by File Type
| File | Before | After | Saved |
|---|---|---|---|
| TypeScript service (400 lines) | 2,340 | 1,290 | 45% |
| Python FastAPI endpoint (280 lines) | 1,820 | 980 | 46% |
| Java Spring controller (320 lines) | 2,100 | 1,150 | 45% |
| .env file (post-redaction) | 420 | 240 | 43% |
| SQL migration (180 lines) | 980 | 610 | 38% |
A team of 10 developers making 5 context injections per hour for 6 hours saves ~270,000 tokens per day. At GPT-4o input pricing, that's real, measurable money — before even counting the security benefit.
What Gets Caught That Other Scanners Miss
CleanMyPrompt catches contextual secrets — the patterns regex-only tools miss because they look at structure, not just prefixes:
# These all get caught:
os.environ["STRIPE_SECRET"] = "sk_live_xxx" # → [HARDCODED-SECRET]
process.env.OPENAI_KEY = "sk-proj-xxx" # → [HARDCODED-SECRET]
headers["Authorization"] = "Bearer eyJhb..." # → [BEARER-TOKEN]
headers["X-API-Key"] = "live_key_xxx" # → [API-KEY]
# _authToken=npm_xxxxxxxxxxxxx (in .npmrc) # → [NPM-TOKEN]
Provider-specific formats are also detected: Anthropic (sk-ant-), Hugging Face (hf_), Replicate (r8_), SendGrid (SG.), Twilio SID (AC[32 hex]), Slack tokens (xoxb-), GitHub Actions tokens (ghs_), Azure Storage keys, Discord webhooks, Cloudinary URLs, PEM private keys.
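The difference between prefix matching and contextual matching described above, as an added example that is not CleanMyPrompt's code. The placeholder labels follow the ones shown on this page; the `redact` function, its regexes, and the rule that a prefix label wins when both kinds of rule apply are assumptions of this sketch, and every value in the sample is constructed.

```javascript
// Added example, not CleanMyPrompt's code. Labels follow the page; regexes are assumptions.
const PREFIX_RULES = [
  ['OPENAI-KEY', /\bsk-proj-[A-Za-z0-9_-]{8,}/g],
  ['STRIPE-KEY', /\bsk_live_[A-Za-z0-9]{8,}/g],
  ['DB-CONN-STRING', /\bpostgres(?:ql)?:\/\/[^\s'"]+/g],
];
// Context rule 1: whatever follows "Bearer " is a credential, whatever it looks like.
const BEARER = /(\bBearer\s+)[A-Za-z0-9._~+\/-]{8,}=*/g;
// Context rule 2: a quoted literal assigned to a name containing SECRET, TOKEN,
// PASSWORD or API_KEY. (?!\[) skips values a prefix rule already replaced.
const ASSIGN = /(\b\w*(?:SECRET|TOKEN|PASSWORD|API[_-]?KEY)\w*["'\]]*\s*[:=]\s*)(["'])(?!\[)[^"'\s]{8,}\2/gi;

function redact(source, { context = true } = {}) {
  const findings = [];
  const lines = source.split('\n').map((line, i) => {
    // Record the finding with its 1-based line number and return the placeholder.
    const hit = (label) => { findings.push({ label, line: i + 1 }); return `[${label}]`; };
    let out = line;
    for (const [label, re] of PREFIX_RULES) out = out.replace(re, () => hit(label));
    if (context) {
      out = out.replace(BEARER, (_m, lead) => lead + hit('BEARER-TOKEN'));
      out = out.replace(ASSIGN, (_m, lhs, q) => lhs + q + hit('HARDCODED-SECRET') + q);
    }
    return out;
  });
  return { text: lines.join('\n'), findings };
}

// Constructed sample input; every value below is fake.
const SAMPLE = [
  "const client = new OpenAI({ apiKey: 'sk-proj-CONSTRUCTED0000000' });",
  "const db = new Pool({ connectionString: 'postgres://admin:pw@db.example.internal/mydb' });",
  'process.env.PAYMENT_SECRET = "q9Zr7Lm2Xw4Tn8Vb";   // no provider prefix',
  'headers["Authorization"] = "Bearer eyJhbGciOi.CONSTRUCTED.sig";',
  'os.environ["STRIPE_SECRET"] = "sk_live_CONSTRUCTED0000";',
  'const tokenLabel = "short";   // not a secret, must survive',
].join('\n');

const prefixOnly = redact(SAMPLE, { context: false }); // misses lines 3 and 4
const full = redact(SAMPLE);
console.log(full.text);
console.log(full.findings);
```

With `context: false` the unprefixed `PAYMENT_SECRET` value and the bearer token pass through untouched, which is the gap a prefix-only scanner leaves.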
Why This Matters Right Now
GitHub Copilot's multi-model rollout means you don't always control which model processes your code. The same context may go to OpenAI, Anthropic, or Google depending on your plan and the task. Each has different data handling and retention policies.
At the same time, regulated-industry adoption of AI coding tools is accelerating. A healthcare developer pasting patient data into Copilot Chat is a potential HIPAA incident. A fintech developer pasting transaction logs is a potential SOC 2 violation.
Redaction and compression aren't optional extras. They're the difference between a fast, safe workflow and one that's quietly creating liability.
Install Now
VS Code Extension — Ctrl+Shift+X → search CleanMyPrompt → Install
CLI:
npm install -g cleanmyprompt
cmp --help
REST API (for pipelines):
curl -X POST https://cleanmyprompt.io/api/v1/clean \
-H "Content-Type: application/json" \
-d '{"text": "your code here", "redact": true, "squeeze": true}'
Frequently Asked Questions
Does the VS Code extension send my code to CleanMyPrompt servers?
No. All processing happens locally inside your VS Code instance. No code, no file contents, no metadata leaves your machine. There is no telemetry.
Will squeezing my code break Copilot's understanding of it?
No. Compression only removes noise — comments, blank lines, unused imports, debug logs. The logic, variable names, types, and structure are untouched. Copilot's understanding improves because the signal-to-noise ratio is higher.
What's the difference between cmp fix and cmp squeeze?
cmp fix redacts secrets (API keys, PII, credentials) by replacing them with labeled placeholders like [OPENAI-KEY]. cmp squeeze compresses tokens by stripping structural noise (comments, whitespace, imports). They're complementary — run fix first, then squeeze.
Does this work with Cursor, Windsurf, Cline, and other AI editors?
Yes. The VS Code extension works in any VS Code-based editor. The CLI works independently of any editor. Redact and compress the file, then paste or reference it in whatever AI tool you're using.
What is GitHub Copilot's context window limit?
It varies by model. GPT-4o has a 128K token limit; Claude 3.5 Sonnet has 200K; Gemini 1.5 Pro has 1M. However, Copilot's actual usable context per session is smaller because the system prompt, chat history, and editor context all share the same budget.
Can I use this in a CI pipeline?
Yes. npx cleanmyprompt scan --fail-on-findings exits with code 1 if secrets are found, which blocks the pipeline. SARIF output is supported for GitHub Security tab integration.