refactor(history): rip out history pruning/compression, redo trim as one whole-turn function with a visible RPC event

[singlerider]

Summary

• Base branch: master
• What changed and why:
  • History context management was a sprawling, multi-layer subsystem (6-phase pruner, separate context compressor, per-tool-result fast-trim, channel-side proactive trim, pruned-marker primitives) that silently dropped tool results mid-conversation. When a tool result vanished from context the model confabulated, e.g. claiming tmp/secret.md was never written when it had written it the prior turn. The user had no signal that context was cut, so hallucinations looked like the model "just lying."
  • Replaced the entire subsystem with one function, trim_to_recent_turns: drop oldest whole turns to fit the token budget, never split a tool_use/tool_result pair, always keep the most recent turn. Reactive on overflow plus a single preemptive check at the turn boundary, never mid-tool-loop, never silent.
  • Added a HistoryTrimmed event that streams over the same session/update pipe as turn cancellation (ACP), plus WebSocket and the public API. When context gets cut the session is told, with dropped_messages / kept_turns / reason. A breadcrumb is also injected into history so the model itself knows.
  • Kept only the limbs that prevent provider 400s: the orphan-tool-message sweep, system-message normalization, and token estimation.
• Scope boundary: does NOT rename any config prop ident (deferred to schema V4). history_pruning.* and context_compression.* idents stay declared and keep deserializing; only the code that reads them changed. Does NOT alter provider request shaping beyond removing the now-dead pruned-marker skip-filter.
• Blast radius: runtime agent loop, ACP server, gateway WS, public API event enum, channels orchestrator, config schema readers. All three client surfaces (ACP / WS / API) now carry the new event.
• Linked issue(s): Related fix(channels): preserve tool-result content when proactively trimming channel history #8050 (that PR fixed only the channel-inbound trimmer; it never reached the ACP/RPC path responsible for this class of confabulation).
• Labels: type: refactor, risk: high, size: XL (matches the applied GitHub labels).

Validation Evidence (required)

cargo fmt --all -- --check
cargo clippy --all-targets -- -D warnings
cargo test --workspace

• Commands run and tail output:

cargo fmt --all -- --check — clean, exit 0.

cargo clippy --all-targets -- -D warnings:

    Finished `dev` profile [unoptimized + debuginfo] target(s) in 33.24s

0 warnings across all 5 crates, --all-targets.

cargo test --workspace:

test result: FAILED. 2291 passed; 1 failed; 2 ignored; 0 measured; 0 filtered out
---- cron::store::tests::remove_job_emits_structured_cron_delete_event ----

The single failure is a pre-existing cron log-race flake, not a regression: cron/store.rs is untouched by this branch (git diff --name-only upstream/master..HEAD | grep cron -> empty), and the test passes 3/3 when run isolated. All history/trim/RPC tests pass.

• Beyond CI — what did you manually verified: A live RPC battery was run against real Anthropic (personal_code, claude-opus-4-8) during development to validate the contract end-to-end. These live tests were intentionally NOT committed (they would burn provider budget on every run); the methodology and results are recorded below. The wire contract they guarded is now covered offline by history_trimmed_notification (asserts TurnEvent::HistoryTrimmed serializes to a session/update with type=history_trimmed and the right fields).

  Live battery (5 tests, 256.73s, 0 failed):

  • Smoking gun closed: the exact trim that produced the original confabulation now yields "The earlier turns were omitted from my context window, so I genuinely can't see what may have happened before. I won't guess or fabricate a word." Was: "I never wrote anything."
  • Event carries real numbers: 22 history_trimmed events fired; every one had dropped_messages > 0 (4..51) and reason set — no fired-but-empty signal.
  • kept_turns invariant held empirically: all 22 events had kept_turns == 1, zero had kept_turns == 0. The current turn always survived.
  • Tool-pair atomicity vs the real API: 10 heavy turns each doing write -> read -> write (3 tool calls) under a tiny budget forcing repeated trims; 0 provider/dispatch errors. A split tool_use/tool_result pair 400s Anthropic, so zero errors proves whole-turn atomicity against the live provider.
  • Recall honesty branch: when no trim fired the model recalled its own just-written word; when it fired the omission was signalled. No silent-amnesia path.

• If any command was intentionally skipped, why: live model tests removed from the tree by design (budget); covered offline + evidenced above.

Security & Privacy Impact (required)

• New permissions, capabilities, or file system access scope? No
• New external network calls? No
• Secrets / tokens / credentials handling changed? No
• PII, real identities, or personal data in diff, tests, fixtures, or docs? No

Compatibility (required)

• Backward compatible? Yes
• Config / env / CLI surface changed? No — all existing history_pruning.* / context_compression.* idents still parse, so existing configs load unchanged. Precise semantics: effective_context_budget() uses history_pruning.max_tokens as the budget only when history_pruning.enabled = true and max_tokens > 0; otherwise it falls back to the hard max_context_tokens ceiling. history_pruning.enabled = false therefore disables only the explicit max_tokens budget floor, not trimming itself: the hard context ceiling and the provider-overflow recovery still trim whole turns. history_pruning.keep_recent is currently inert (no code path reads it) pending the V4 rename; it is not honored as a minimum.
• Upgrade steps: none.

Rollback (required for risk: high)

• Fast rollback command/path: git revert <merge-sha> — single squash revert restores the prior subsystem.
• Feature flags or config toggles: history_pruning.enabled = false disables only the explicit max_tokens budget floor; the hard max_context_tokens ceiling and provider-overflow recovery still trim. To raise the ceiling, set a larger max_context_tokens.
• Observable failure symptoms: grep logs for History trimmed:; the history_trimmed session/update event should appear on context cuts. Absence of the event during a known overflow, or any Anthropic 400 mentioning unmatched tool_use/tool_result, indicates a pairing regression.

---

Net-negative refactor. Deleted context_compressor.rs, the 6-phase machinery in history_pruner.rs (kept only the orphan sweep), fast_trim_tool_results/emergency_history_trim, channel proactive_trim_turns/strip_old_tool_context, and the pruned-marker primitives. Added history_trim.rs and a source-sourced docs page docs/book/src/agents/history-management.md disambiguating trim vs compression vs truncation vs orphan sweep.

---

Post-merge re-validation (latest upstream/master merged in)

Merged latest upstream/master (f218b949901) via merge commit. Upstream restructured the turn engine (ToolLoop flat fields collapsed into exec: ResolvedAgentExecution { model_access, .. }, new turn/execution.rs). Conflicts resolved by merge, not rebase:

• agent.rs (2 hunks): kept upstream's nested params: structure, dropped the duplicate HEAD blocks, set both context_token_budget sites to effective_context_budget().
• loop_.rs (1 hunk): dropped upstream's re-introduced prune_history call (the resurrection this branch deletes), kept the excluded-MCP-tools block, converted both production loop sites to effective_context_budget(), fixed one merged test builder to the nested exec shape.

No conflict markers in tracked source; no deleted subsystem resurrected.

Offline (post-merge): fmt clean; clippy -D warnings 0 all crates; cargo build --workspace clean; cargo test -p zeroclaw-runtime --lib 2308 passed 0 failed; 12 trim/attribution/notification offline tests green.

Live RPC (post-merge, real Anthropic personal_code, claude-opus-4-8): 5 passed, 0 failed, 126.68s. Empirical wire evidence:

• history_trimmed events fired across every session, dropped_messages 4 -> 53, reason always context token budget exceeded.
• kept_turns was 1 on every event, never 0 — the current turn always survives (option-a invariant, proven against the live provider).
• The tool-pairs session ran 9 trims doing write/read/write under budget 700 with zero provider 400s — whole-turn atomicity holds; no tool_use/tool_result pair was split.
• When the per-chat action rate limit hit mid-run, the agent reported the failure honestly instead of confabulating; the trim contract held regardless.

Methodology / budget: the live tests drive RpcDispatcher + SessionStore against a throwaway config whose encrypted personal_code key is decrypted via SecretStore, with max_context_tokens set low so trimming triggers within one or two turns. They are restored from git only to run, then removed; no live model tests are tracked or run in CI. The wire contract is covered offline by history_trimmed_notification.

Follow-up: first-class history_trimmed SSE event + agent_alias on the trim record

Reviewer feedback on the end-user test case found two real gaps. Fixed the code to match (commit e42e75947e):

1. SSE was the odd surface out. /api/events is fed by the observability pipeline, not TurnEvent, so the trim only surfaced there as a generic record, not a first-class history_trimmed frame. Added ObserverEvent::HistoryTrimmed (the enum is #[non_exhaustive], so no out-of-tree observer break) and mapped it in BroadcastObserver to {"type":"history_trimmed", dropped_messages, kept_turns, reason, channel, agent_alias, turn_id}. The trim site now emits the observer event alongside the existing record! and TurnEvent. SSE, WS, and ACP now all carry the same history_trimmed shape.

2. agent_alias on the trim record. It is inherited from the outer agent attribution_span! via the LogCaptureLayer leaf-to-root span walk; the trim's own child span sets model/model_provider. The attribution test now wraps the loop in the production attribution_span!(AgentAttribution("trimtest")) and asserts agent_alias lands on the trim record — proving the contract against the real attribution mechanism, no wide call-site refactor.

Docs page updated to document all three visibility surfaces (ACP session/update, gateway WS frame, SSE observability event), each sourced from its mapping site.

Offline: fmt clean; clippy -D warnings 0; gateway lib 280 passed (incl. history_trimmed_event_is_broadcast_with_cut_accounting); runtime lib 2308 passed (incl. trim_record_carries_model_attribution with the agent_alias assertion); api lib 53 passed; mdbook + markdownlint clean.

Live smoke (real Anthropic personal_code, claude-opus-4-8): re-ran one live trim test through the dispatcher after the change — 1 passed, 75.86s, 7 real trims with truthful non-zero dropped_messages (4 -> 28) and kept_turns:1 on every one. The new observer emit ran on each trim with zero panic, zero error. Live test removed from the tree after the run; not in CI.

Review follow-ups addressed

• Overflow-recovery trim is now visible. try_recover_context_overflow takes event_tx + observer and emits TurnEvent::HistoryTrimmed and ObserverEvent::HistoryTrimmed on the trimmed branch, so the provider-400 recovery cut is no longer silent to ACP / WS / SSE. New tests cover the emit on recovery and the no-emit / no-recover path for a non-overflow error.
• Trim strings are Fluent. The breadcrumb text and the history_trimmed reason are now history-trim-breadcrumb / history-trim-reason-budget Fluent keys across all five in-tree locales, read via get_required_cli_string at the production emit sites.
• Overflow recovery now also tells the model. The recovery path inserts history_trim::breadcrumb() after the leading system messages before retrying, so the retried provider call carries the same [earlier turns omitted...] marker as the turn-boundary path. The recovery test asserts both halves: the HistoryTrimmed event is emitted and the retried history contains the breadcrumb.
• ObserverEvent None fields — out of scope here. channel / agent_alias / turn_id are None at the production ObserverEvent::HistoryTrimmed call sites; attribution rides the record!() log via the span, not the ObserverEvent. /api/events consumers still receive the cut accounting (dropped_messages, kept_turns, reason). Populating these is left to a follow-up; no tracking issue is filed yet, so this is called out here rather than claimed as tracked.

[Audacity88]

I reviewed current head e42e75947e00f1875471e8b75b755eacd187185d against the live PR body, diff, checks, comments/reviews, and the touched runtime/channel/API/gateway/config/docs paths. I also checked the related history-trimming context called out by the PR. The whole-turn trimming direction is much easier to reason about than the deleted multi-layer pruning/compression stack, but I found two blockers before this should merge.

🔴 Blocking — Overflow recovery still drops turns without the promised visible trim signal

The normal turn-boundary path does the full visibility work: after trim_to_recent_turns, it inserts the breadcrumb, sends TurnEvent::HistoryTrimmed, and records ObserverEvent::HistoryTrimmed (crates/zeroclaw-runtime/src/agent/turn/mod.rs:383-443). The provider-overflow recovery path does not use that path. try_recover_context_overflow takes only history, e, and iteration, calls trim_to_recent_turns, assigns *history = result.history, logs, and returns true (crates/zeroclaw-runtime/src/agent/turn/context_recovery.rs:61-100); the caller then immediately continues the loop (crates/zeroclaw-runtime/src/agent/turn/mod.rs:617-619).

That means a real provider context-window error can still remove earlier turns without inserting [earlier turns omitted to fit the context window] into the model-visible history and without emitting the ACP/WS/SSE history_trimmed event. This contradicts the core contract documented in the new history page, which says both preemptive and reactive paths call the trimmer and that trimming is "never silent" (docs/book/src/agents/history-management.md:36-46, 67-86). Please route the recovery trim through the same breadcrumb + HistoryTrimmed emission path, or otherwise make this recovery path non-trimming, and add a regression test that exercises the overflow-retry branch rather than only the turn-boundary trim.

🔴 Blocking — The rollback/config contract does not match the implementation

The PR body says history_pruning.enabled gates trimming, history_pruning.keep_recent is honored as a minimum, and history_pruning.enabled = false disables trimming entirely at runtime. The code implements a different contract. effective_context_budget() returns max_context_tokens when history_pruning.enabled is false, and run_tool_call_loop still invokes trim_to_recent_turns whenever that positive budget is exceeded (crates/zeroclaw-config/src/schema.rs:3274-3284, crates/zeroclaw-runtime/src/agent/turn/mod.rs:383-386). Also, the new docs explicitly say keep_recent no longer drives any code path (docs/book/src/agents/history-management.md:62-64).

So existing configs still load, but their semantics are not what the compatibility and rollback sections promise: disabling history_pruning disables the earlier max_tokens budget floor, not all whole-turn trimming, and the overflow-recovery path has no history_pruning.enabled gate before it trims and retries (crates/zeroclaw-runtime/src/agent/turn/context_recovery.rs:61-100, crates/zeroclaw-runtime/src/agent/turn/mod.rs:617-619). keep_recent is not honored as a minimum. For a high-risk runtime/config PR, the advertised rollback path and compatibility behavior need to be true. Please either change the implementation to match those claims, or update the public contract and rollback section to describe the new semantics precisely, with focused tests pinning the chosen history_pruning.enabled / max_tokens / keep_recent behavior.

🟢 What looks good — Whole-turn trimming is much easier to reason about

The new history_trim::trim_to_recent_turns helper is small and structurally safer than the old stack: it keeps leading system messages, drops only whole turns, keeps at least the newest turn, and the unit tests cover the main pairing-safety invariants. Once the two contract gaps above are closed, this will be much easier to review and maintain.

[WareWolf-MoonWall]

Review: #8196 — refactor(history): rip out history pruning/compression, redo trim as one-pass

Author: singlerider (Shane Engelman)
Head SHA: e42e75947e00f1875471e8b75b755eacd187185d
Reviewed by: WareWolf-MoonWall
Verdict: --request-changes

---

Summary

Net-negative XL refactor (+922 / −3,311) replacing a 6-phase pruner, context compressor,
fast_trim_tool_results, emergency_history_trim, and channel-side proactive_trim_turns /
strip_old_tool_context with a single trim_to_recent_turns function in history_trim.rs.
The algorithm drops oldest whole turns to fit a token budget, never splits a
tool_use/tool_result pair, always keeps the current turn, and signals the cut via a
HistoryTrimmed event over ACP, WS, and SSE. The motivating confabulation bug (model
claiming "I never wrote that" when its own tool result was silently trimmed) is correctly
addressed by the structural atomicity guarantee and the breadcrumb injection.

The design is sound. Two blocking issues require changes before merge.

---

Findings

🔴 Overflow-recovery trim is still silent to the client

crates/zeroclaw-runtime/src/agent/turn/context_recovery.rs — try_recover_context_overflow
calls trim_to_recent_turns and records a record! log, but neither TurnEvent::HistoryTrimmed
nor ObserverEvent::HistoryTrimmed is emitted on this path. event_tx and observer are not
passed to try_recover_context_overflow.

This directly contradicts the stated design goal "trimming is never silent." The 400-recovery
trim fires at iteration ≥ 1, after the preemptive turn-boundary check at iteration == 0 already
ran. A session with a very long single turn can overflow the first provider call and trigger
recovery — that recovery is invisible to ACP, WS, and SSE subscribers.

Required fix: thread event_tx: Option<&mpsc::Sender<TurnEvent>> and observer: &impl Observer
into try_recover_context_overflow, emit TurnEvent::HistoryTrimmed and
ObserverEvent::HistoryTrimmed in the trimmed branch, and add a test that covers the
recovery path's event emission.

---

🔴 Bare string literals in user-facing output (Fluent rule)

Two distinct bare literals appear in surfaces that reach end users:

1. history_trim.rs — breadcrumb()

pub fn breadcrumb() -> ChatMessage {
    ChatMessage::user("[earlier turns omitted to fit the context window]")
}

This message is injected into conversation history that streams through ACP
session/update, WS frames, and SSE. It is user-visible text and must use fl!().

2. turn/mod.rs, rpc/dispatch.rs, sse.rs — reason field

reason: "context token budget exceeded".to_string(),

This string is delivered to clients in every HistoryTrimmed event on all three transport
surfaces. It must use fl!().

AGENTS.md: "All user-facing output (CLI messages, tool descriptions, onboarding prompts)
must use fl!() / Fluent strings — never bare string literals."

---

🟡 ObserverEvent::HistoryTrimmed fields are all None at the production call site

turn/mod.rs emits:

observer.record_event(&ObserverEvent::HistoryTrimmed {
    dropped_messages: result.dropped_messages,
    kept_turns: result.kept_turns,
    reason: "context token budget exceeded".to_string(),
    channel: None,
    agent_alias: None,
    turn_id: None,
});

The PR description states "SSE, WS, and ACP now all carry the same history_trimmed shape"
including agent_alias. The BroadcastObserver test
(history_trimmed_event_is_broadcast_with_cut_accounting) passes non-None values directly
and asserts them — but in production, all three optional fields are None, so /api/events
subscribers see null for channel, agent_alias, and turn_id. The claim in the follow-up
section that agent_alias is "real, not span-dependent guesswork" applies to the record!()
log (which inherits from attribution_span! via LogCaptureLayer), not to the
ObserverEvent. The SSE contract as described is not fully delivered.

---

🟡 start == 0 guard in trim_to_recent_turns is unreachable dead code

if start == 0 {
    return TrimResult { trimmed: false, … };
}

When boundaries.len() >= 2, the loop iterates at least once and always assigns
start = candidate_start > 0 (boundary positions are indices into body, all ≥ 1 for
any non-empty turn). The start == 0 path is structurally unreachable; it survives as
misleading guard. Either add a debug_assert!(start > 0) to document the invariant or
remove the guard entirely after verifying the algorithm proof holds.

---

🟡 Labels mismatch between PR body and applied labels

The PR description states "Labels: type: refactor, risk: medium, size: L." GitHub shows
risk: high, size: XL. The rollback section is populated (history_pruning.enabled = false
for the flag, log grep for symptoms), which satisfies risk: high requirements, but the body
misrepresents the actual classification. The body should be updated to match the applied labels
before merge so that the audit trail is accurate.

---

🟡 RpcContext::for_live_test and RpcDispatcher::process_line_for_test are public non-test API with no consumers in-tree

rpc/context.rs adds pub fn for_live_test(...) explicitly without #[cfg(test)] because
"integration tests compile against the public surface." rpc/dispatch.rs adds
pub async fn process_line_for_test. The PR removes the live tests from the tree. These two
methods are now dead public API: they widen the stable surface of RpcContext and
RpcDispatcher with no in-tree consumer. If the live tests are genuinely gone, gate these
behind a live-tests feature or #[cfg(test)]. If they remain for future external test use,
document that explicitly and track it.

---

🔵 TOOL_RESULTS_PREFIX boundary heuristic is not shared

history_trim.rs defines:

const TOOL_RESULTS_PREFIX: &str = "[Tool results]";

and uses it to identify non-turn-boundary user messages. This prefix is also used at other
points in the orchestrator and channel layer. If the prefix ever diverges between
history_trim.rs and the message-building site, the boundary detector will silently
mis-classify [Tool results] messages as turn heads, potentially fragmenting tool exchanges
across what it considers "turns." The constant should live in zeroclaw-providers or
zeroclaw-api and be imported here.

---

🔵 No test covers the overflow-recovery trim path (try_recover_context_overflow)

The 12 unit tests in history_trim.rs and the attribution test in loop_.rs cover the
iteration == 0 preemptive path. No test exercises a provider-400-triggered recovery so we
can confirm the outcome fields (dropped_turns, tokens_before, tokens_after) are
correctly populated, and — once the blocking issue above is fixed — that the event is
emitted on this path.

---

✅ Whole-turn atomicity is structural, not swept

The algorithm bounds turns by real user messages, not by heuristic scanning for
tool_use/tool_result pairs. Dropping whole turns cannot orphan a tool result
regardless of how deeply nested the tool exchange is. The test
trimmed_history_has_no_orphan_tool_calls verifies the orphan sweep (remove_orphaned_tool_messages)
finds nothing after a whole-turn trim — proving the structural guarantee empirically.

---

✅ SSOT check passes

effective_context_budget() is a computed method on ResolvedRuntime; it reads
history_pruning.max_tokens and max_context_tokens from the canonical config struct at
call time, no shadow field. trim_to_recent_turns is defined in exactly one place. The
orphan sweep, system normalization, and token estimation remain in their original modules
with no duplication. ✅

---

✅ Validation evidence is unusually thorough

The post-merge live battery (5 tests, 126.68 s, real Anthropic personal_code / claude-opus-4-8) empirically validates:

• dropped_messages range 4–53, always non-zero when event fires
• kept_turns == 1 on every event — option-a invariant holds
• Zero provider 400s across 9 write/read/write trims under budget 700 — tool-pair atomicity
• Offline test suite: cargo test -p zeroclaw-runtime --lib 2308 passed, 0 failed; 12
  trim/attribution tests green; gateway lib 280 passed.
• CI: all 18 checks passing on run 27992097121.

---

✅ Net-negative scope

−1,297 lines context_compressor.rs (deleted), −951 history_pruner.rs, −430 orchestrator/mod.rs
channel trimmers, −171 anthropic.rs pruned-marker skip filter. The breadcrumb and the
HistoryTrimmed event replace the entire pruned-marker subsystem cleanly.

---

Compatibility

history_pruning.* and context_compression.* config idents are preserved; existing
configs load without change. history_pruning.enabled = false disables trimming entirely.
Behavior change is visible (no silent drops, client receives HistoryTrimmed events) but not
breaking in the config-compatibility sense.

Rollback

git revert <merge-sha> restores the prior subsystem. history_pruning.enabled = false
kills trimming at runtime. Failure symptoms: absence of History trimmed: in logs during a
known overflow, or any Anthropic 400 mentioning unmatched tool_use/tool_result.

---

Required before re-review

1. Emit TurnEvent::HistoryTrimmed and ObserverEvent::HistoryTrimmed from
   try_recover_context_overflow (thread event_tx + observer in, or emit at the call
   site in turn/mod.rs after try_recover_context_overflow returns true).
2. Replace both bare string literals (breadcrumb text and reason value) with fl!()
   Fluent keys.
3. Address or explicitly defer the ObserverEvent None-fields discrepancy with a
   follow-up issue.

[tidux]

Holding off on review until existing blockers are resolved. I will do live testing of this, since I've been bitten by history trimming bugs before.

Addressed both blockers: try_recover_context_overflow now threads event_tx + observer and emits TurnEvent::HistoryTrimmed and ObserverEvent::HistoryTrimmed on the trimmed branch, so the provider-400 recovery cut is no longer silent (new tests cover emit-on-recovery and no-emit on a non-overflow error). The breadcrumb text and the history_trimmed reason are now Fluent keys across all five locales. The ObserverEvent None-fields discrepancy and labels mismatch are noted in the body (fields deferred to follow-up; labels corrected to risk:high / size:XL). Re-requesting review.

[Audacity88]

I re-reviewed current head 6a30688469c3dcb52dfb998fe4206bfbf01fab99 against the live PR body, prior dismissed reviews, linked #8050 context, the current diff, and the runtime/config/gateway/docs paths touched by this update. I did not run local Cargo or live provider/RPC smoke in this review-only pass. The update fixes some of the previous review points, but two contract gaps still block me from clearing this.

✅ Resolved — Overflow recovery now emits the trim event to clients

The previous head trimmed and retried in try_recover_context_overflow() without sending the visible HistoryTrimmed signal. That part is fixed on this head. The recovery helper now accepts event_tx and observer, emits TurnEvent::HistoryTrimmed for ACP/WS, emits ObserverEvent::HistoryTrimmed for SSE, and has a regression for the recovery branch. That resolves the client-visible half of my earlier overflow-recovery blocker.

✅ Resolved — The trim breadcrumb and reason moved to Fluent

@WareWolf-MoonWall called out the bare user-facing strings. Current head adds history-trim-breadcrumb and history-trim-reason-budget across the in-tree runtime locale files and uses those keys at the production emit sites. That resolves the localization blocker.

🔴 Blocking — Overflow recovery still retries without the model-visible breadcrumb

The recovery path still does not match the "never silent" contract for the model itself. On a context-window error, try_recover_context_overflow() calls trim_to_recent_turns(), then assigns *history = result.history and returns true so the loop retries immediately. Unlike the turn-boundary path, it never inserts history_trim::breadcrumb() after the leading system messages before the retry.

That leaves a real gap in the core fix: the user surfaces now receive history_trimmed, but the model on the retried provider call does not see [earlier turns omitted to fit the context window]. The new history-management doc says every trim injects that breadcrumb and uses it to keep the model from fabricating dropped work; the PR summary makes the same claim. Please make the overflow-recovery branch insert the same breadcrumb before retrying, or narrow the public contract if that path is intentionally different. The regression should assert both halves of the recovery contract: the HistoryTrimmed event is emitted and the retried history contains the breadcrumb in the same position as the turn-boundary path.

🔴 Blocking — The config and rollback contract still overclaims the runtime gate

The current PR body still says history_pruning.enabled gates the trim, history_pruning.keep_recent is honored as a minimum, and history_pruning.enabled = false disables trimming entirely at runtime. The current implementation and new docs say something else: effective_context_budget() uses history_pruning.max_tokens only when history_pruning.enabled is true, but otherwise still returns max_context_tokens, so the hard context ceiling can still trigger whole-turn trimming. The docs also say keep_recent no longer drives any code path.

For this high-risk runtime/config refactor, the compatibility and rollback sections need to be precise. Either change the implementation to match the body, or update the body and rollback text to say that disabling history_pruning disables only the earlier explicit max_tokens budget floor while the hard context ceiling and provider-overflow recovery still trim. If keep_recent is intentionally inert until the V4 rename, the body should not say it is honored.

🟡 Warning — The SSE attribution fields remain deferred without a public tracker

The PR body now says ObserverEvent::HistoryTrimmed still emits channel, agent_alias, and turn_id as None at the production call sites and that populating them is deferred. That is an acceptable scope call for this refactor if it is tracked, because /api/events still receives the cut accounting. Please link the follow-up issue or remove the "tracked" wording so this does not become an invisible loose end.

🟢 What looks good — The broad simplification is still the right direction

The net-negative shape remains good: one whole-turn trimmer is easier to audit than the old compressor/pruner/fast-trim/channel-trim stack, and the update did close the client event and localization gaps. Once the retry path also tells the model what changed, and the public config/rollback contract matches the chosen behavior, this should be much closer to reviewable.

Addressed both blockers: (1) the overflow-recovery path now inserts history_trim::breadcrumb() after the leading system messages before retrying, so the retried provider call tells the model earlier turns were dropped; the recovery test asserts both the HistoryTrimmed event and the breadcrumb in the retried history. (2) The Compatibility/Rollback body now states the precise contract: history_pruning.enabled=false disables only the explicit max_tokens budget floor (the hard max_context_tokens ceiling and provider-overflow recovery still trim), and keep_recent is inert pending the V4 rename. The deferred ObserverEvent fields note no longer claims a tracker. Re-requesting review.

[Nillth]

I re-reviewed current head c2dc0adf7983b9382e8d5a7450806b48bbc2b9f0 against the PR body, the two prior dismissed review rounds (@Audacity88 x2, @WareWolf-MoonWall), the diff, the green CI matrix, and the touched runtime / api / gateway / config / docs paths. I verified the head tree directly: context_compressor.rs / the 6-phase prune machinery are gone, history_trim.rs is the one new trimmer, and the upstream merge did not resurrect any deleted module. I read the trim algorithm, the overflow-recovery path, the event plumbing across ACP / WS / SSE, the Fluent keys in all five locales, and the new docs page line by line.

I also ran the engine-validation battery against a worktree on this exact head, toolchain pinned to the 1.93.0 the CI uses. The full static tier passed (cargo fmt --check, clippy --all-targets -D warnings with zero warnings, the engine-scoped suites, and the whole-workspace test battery where the new history_trim and context_recovery tests run) and all five live transport legs passed against a real provider: CLI one-shot, delegate sub-agent, RPC socket, WS with mid-turn steering, and ACP deny-with-edit (11 of 11 green). The RPC leg confirmed tool_use and tool_result share one id with outcome=completed, which exercises end-to-end the whole-turn pairing atomicity this change rests on.

This is the right direction and the previous blockers are genuinely closed. Approving.

✅ RESOLVED — Overflow recovery is no longer silent to clients

try_recover_context_overflow now takes event_tx and observer, and on the trimmed branch emits both TurnEvent::HistoryTrimmed (ACP / WS) and ObserverEvent::HistoryTrimmed (SSE), matching the turn-boundary path (crates/zeroclaw-runtime/src/agent/turn/context_recovery.rs). The caller threads event_tx.as_ref() and observer in (turn/mod.rs). recovery_emits_history_trimmed_event_on_trim covers the emit and non_overflow_error_is_not_recovered_and_emits_nothing pins the negative path. This was my predecessors' first blocker and it is closed.

✅ RESOLVED — The retried provider call now tells the model

The recovery branch inserts history_trim::breadcrumb() after the leading system messages before reassigning *history, so the retried call carries the same [earlier turns omitted to fit the context window] marker as the preemptive path (context_recovery.rs, breadcrumb insert before the *history = ... assignment). The regression asserts both halves: the breadcrumb lands in the retried history and the HistoryTrimmed event fires. That was @Audacity88's remaining blocker on 6a3068; commit c2dc0a closes it.

✅ RESOLVED — Trim strings are Fluent

history-trim-breadcrumb and history-trim-reason-budget are present in en / es / fr / ja / zh-CN and read via get_required_cli_string at every production emit site. As a belt-and-suspenders note, get_required_cli_string degrades to {key} plus a logged WARN on a miss rather than panicking, so even a future locale gap cannot take down the trim path.

✅ RESOLVED — The config and rollback contract now matches the code

effective_context_budget() is min(max_context_tokens, history_pruning.max_tokens) only when history_pruning.enabled && max_tokens > 0, else max_context_tokens (crates/zeroclaw-config/src/schema.rs). The body's Compatibility / Rollback sections and the new docs page now both describe exactly that: disabling history_pruning removes only the explicit max_tokens floor, the hard ceiling and the overflow-recovery path still trim whole turns, and keep_recent / collapse_tool_results are inert pending the V4 rename. Body, docs, and implementation are finally consistent. The context_compression.* and history_pruning.* idents stay declared so existing configs still deserialize, and clippy is clean, so nothing needed an #[allow(dead_code)].

🟢 What looks good

The whole-turn trimmer is structurally safe in a way the old stack was not: it keeps leading system messages, drops only whole turns between real user boundaries, always keeps the most recent turn, and converges to a clean unrecoverable error (rather than looping) when only one oversized turn remains. Because tool_use / tool_result pairs live inside a turn, pairing safety is structural, not swept, and trimmed_history_has_no_orphan_tool_calls proves the orphan sweep finds nothing to do after a trim. The event contract is complete and uniform: TurnEvent (api), SessionUpdateEvent (rpc/ACP), the WS frame, and ObserverEvent -> SSE all carry the same history_trimmed shape, and ObserverEvent is #[non_exhaustive] so the new variant does not break out-of-tree observers. Net -3300 lines with green CI across every target is a real maintainability win.

🔵 Non-blocking observations (no change required to merge)

• Capability tradeoff, called out for the team's awareness. Deleting the compressor removes the old "summarize overflowing context into memory before splicing" path; overflowing turns are now dropped with a breadcrumb rather than summarized. The standalone memory subsystem (memory_loader / memory_strategy) is untouched, so explicit memory recall still works; only the automatic compression-to-memory-on-overflow behavior is gone. That is the explicit intent of this refactor and I agree honesty beats silent lossy summarization, but if summarization-on-overflow is wanted later it now has a clean foundation to sit on rather than the deleted stack.
• The breadcrumb is itself a turn boundary. breadcrumb() is a user message not prefixed with [Tool results], so is_turn_boundary counts it as a turn start on the next trim. This is benign (it sits at the front, so it is the first thing dropped on a subsequent trim, and back-to-back user messages are fine for Anthropic), but over a long session with repeated trims you can accumulate several [earlier turns omitted...] markers before they age out. Worth a comment if it ever looks noisy in practice.
• trim_to_recent_turns re-estimates tokens O(n^2) by rebuilding system.clone() + body[candidate..] and re-counting each iteration. Fine for real histories; only flagging it as a known shape if trimming ever shows up hot.
• SSE attribution deferral is honestly disclosed. channel / agent_alias / turn_id are None at the production ObserverEvent::HistoryTrimmed sites and the body now says this is not yet tracked rather than claiming a ghost issue. /api/events still gets the cut accounting. Fine to land as-is; a follow-up to populate them (and a tracking issue) would close the loop.

Verdict: Approve. All blockers from the prior rounds are verifiably resolved against this head, CI is green across the full matrix, and the design is materially simpler and safer than what it replaces.