Compress session tokens to reduce context window usage #98
Description
Problem
Session tokens are now included in the content body of every tool response (fix for #96 / agent _meta visibility issue). Each token is ~250-293 characters of opaque base64+HMAC that consumes agent context window on every tool call.
Proposed optimizations
The token payload can be losslessly compressed by ~35-46% using a combination of:
- Omit empty string fields —
cond: "",aid: ""etc. are not included in the JSON; reconstructed with defaults on decode. (~25 char savings, trivial to implement) - Compact UUID — Store
sidas raw 16-byte base64url (22 chars) instead of hex-with-dashes (36 chars). (~14 char savings, trivial) - Zlib deflate before base64url encoding — JSON structure compresses well. (~28 additional char savings, adds
deflateRawSync/inflateRawSynccalls) - Truncate HMAC to 128-bit — Use 32 hex chars instead of 64. 128-bit HMAC is still cryptographically far beyond brute-force range. (~32 char savings)
Impact estimate
| Strategy | Token size | Reduction |
|---|---|---|
| Current (mid-session) | 293 chars | — |
| Omit empty + compact UUID | 217 chars | 26% |
| + zlib deflate | 189 chars | 35% |
| + 128-bit HMAC | 157 chars | 46% |
Notes
- All optimizations are lossless — decode produces identical
SessionPayload - Options 1-2 have zero runtime cost; 3-4 add marginal complexity
- Existing tokens would fail decode after this change (breaking for in-flight sessions), so this should be versioned or deployed with a token format migration