Day 3 · Lesson 2 — Context Engineering: Sessions & Memory
The "now" of a conversation, and how to keep it from rotting.
A session is the container for a single conversation: its history and its working memory. Simple in theory, until you hit a stateless runtime, a growing token bill, and a hard rule that one user's data must never touch another's. This lesson is the workbench and how to keep it tidy.
From Lesson 1: the session is the workbench; what's the filing cabinet?
Memory, curated knowledge across sessions. The session is temporary and task-specific; this lesson is all about managing that temporary desk well.
Every session is tied to one user and holds two things:1
A production runtime is stateless; it keeps nothing after a request. So the session must be saved to a database and reloaded at the start of every turn. That reload is on the hot path, which makes session performance a first-class concern.1
As the conversation grows, the history sent each turn balloons, hitting context-window limits, cost, latency, and context rot. Compaction trims it while preserving what matters. Three strategies, simplest to smartest:1
KEEP LAST N sliding window: keep the most recent N turns, drop the rest
TOKEN TRUNCATION add messages newest-first until a token budget is hit
RECURSIVE SUMMARY older turns replaced by an LLM-generated summary, prefixed
to the recent verbatim messages (expensive → run in background)
And you must decide when to compact, the trigger:
Compaction is really memory generation applied to one session, distilling the transcript into key facts. That's the bridge to Lesson 3.
When several agents collaborate, the architecture must decide how they share history:1
A wrinkle worth knowing: because each framework couples its session schema to its own objects, an ADK agent can't natively read a LangGraph session. True cross-framework sharing needs a framework-agnostic layer, memory (Lesson 3), which stores processed facts, not raw events.
The paper's most emphatic security rule: strict isolation. A session belongs to one user; the store must enforce that one user can never reach another's data (ACLs, authn/authz on every request). That's I Identity + C Compliance. Best practice: redact PII before it's ever persisted, shrinking the breach blast radius (C). And per-agent cryptographic identity (SPIFFE IDs) on every session-driven call yields an auditable trail (E Evidence).
Ladder read: deterministic event ordering + TTL retention policies + isolation are exactly the L3 Controlled disciplines. A session store without ACLs and PII redaction is a data-leak waiting at L1.
Pick a compaction strategy on purpose (keep-N is fine to start) and run summarisation in the background. Never leave the full transcript growing unbounded into the context window.
For multi-agent work, decide shared vs separate history deliberately; it shapes coupling and debuggability. And agree a session retention (TTL) policy as a team norm.
Mandate strict per-user isolation + PII redaction before persistence as a platform requirement, with a managed session store on the hot path. This is a compliance line, not an optimisation.
Recall, don't re-read.
A session's two components are —
Events = the chronological transcript (user/agent/tool); state = the working scratchpad the agent mutates. Both scoped to one conversation, one user.
The most emphatic session security rule is —
Isolation via ACLs + authn/authz: one user must never reach another's session. Plus redact PII before persisting. Identity and compliance, enforced.
Replacing older turns with an LLM-generated digest is —
Recursive summarization is the smartest and priciest option, so run it in the background. Keep-N and token truncation just drop old messages; summarization preserves their gist.
Answer two questions for one agent: what happens to its history at turn 500? (compaction or crash?) and could user A ever see user B's session? (isolation or incident?). Both have to have crisp answers before production.
Context Engineering (Day 3), "Sessions" pp.12–26; the ADK
docs show the compaction plugins
(ContextFilterPlugin, EventsCompactionConfig) in practice.
Up next → Day 3 · Lesson 3: Memory vs RAG — the filing cabinet. Why memory makes an agent an expert on the user while RAG makes it an expert on facts, and the declarative-vs-procedural split.
Related: ← Day 3 L1 · Day 1 L6: token cost · Course home