hermes: [Bug] Post-compression final synthesis can fabricate source-backed findings without re-grounding

Summary

A long code-review session produced a confident, source-level merge-blocker finding immediately after automatic context compression even though the claimed source facts were not present in the repository or in the delegated reviewer outputs.

The practical failure mode was:

  1. The parent review session grew large enough to trigger automatic compression.
  2. The compression summary preserved an abstract remaining-work item like “final check of a file / origin-lockdown security”.
  3. After the compression split, the parent agent emitted a final verdict with concrete identifiers and a plausible security finding without re-opening the relevant source file or re-validating the claim.
  4. A later audit found those fabricated identifiers only in the bad final answer, not in the repo and not in the child-agent summaries.

This is not just a normal “LLM hallucinated” case: the compression boundary converted an unverified/remnant review obligation into a confident, source-backed claim.

Impact

  • False merge blockers in PR/code review workflows.
  • Confident security findings can be invented after compression and presented as file-level evidence.
  • Delegated review output can be misrepresented: a child saying “not inspected / unverified” may become a parent-level “verified blocker”.
  • Human reviewers lose trust because the final answer appears evidence-backed while the evidence is no longer in active context.

Observed evidence from the incident

  • Parent session hit roughly the compression threshold (~136k-token context) during a large PR review.
  • Automatic compression ran before the final verdict.
  • The compression pass used the configured auxiliary compression model.
  • The final verdict was produced by the main model, not by the auxiliary compressor.
  • The specific fabricated identifiers / predicate names appeared in the final answer and subsequent quoted text, but not in:
    • the repository search,
    • the delegated reviewer summaries,
    • or the pre-final evidence trail inspected afterward.
  • No post-compression read_file / source-inspection tool call occurred before the final source-level blocker was reported.

Expected behavior

After compression, Hermes should not allow a final answer to promote summarized or pending work into concrete source-backed findings unless it re-grounds the evidence.

Acceptable behaviors:

  • Re-open / re-run the relevant source inspection before emitting file/function/security claims.
  • Preserve and honor provenance in compression summaries: verified fact vs unverified finding vs remaining work vs child-agent caveat.
  • If the exact evidence is not in active context, downgrade the claim to “unverified / needs re-check” instead of inventing details.
  • When subagents say a scope was not inspected, the parent must not turn that into a blocker without new evidence.

Suggested fix directions

  • Add an evidence/provenance section to compression summaries for code-review and research-style tasks:
    • verified findings,
    • unverified/pending checks,
    • child-agent caveats,
    • source files already inspected after the latest compression.
  • Add a post-compression grounding guard before final answers that contain concrete source-level claims, especially claims with:
    • file paths,
    • function/constant names,
    • security vulnerabilities,
    • test results,
    • PR merge/blocker language.
  • If a final response depends on source evidence that exists only as a lossy compression summary, require a fresh tool call or force the response to label the item as unverified.
  • Consider a task-mode invariant: after an automatic compression split, any “remaining work” item must be completed with tools before being reported as completed/evidence-backed.

Acceptance criteria

  • Add a regression/integration test that simulates a compressed summary containing a pending source-review item, then verifies the agent does not emit a concrete source-level blocker without a fresh evidence tool call.
  • Compression summaries preserve the distinction between verified findings, pending checks, and unverified scope gaps.
  • Parent-agent synthesis cannot promote a child-agent “not inspected / unverified” caveat into a verified blocker unless new evidence is collected.
  • Final-answer generation after compression either re-grounds concrete file/function/security claims or marks them explicitly unverified.
  • Tests cover at least one delegated-review scenario where child outputs and compressed parent state disagree.

Related issues

  • Related but broader: #23307 (long-session continuity across compactions).
  • Related but distinct: #32106 (invalid skill availability state after context compression). This issue is about source-evidence/provenance loss and fabricated evidence-backed claims, not skill availability.
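
One way to express the provenance labels and the post-compression grounding guard suggested above, as an added example that is not code from the issue or from Hermes. All names (`SummaryItem`, `SessionState`, `guard_finding`, `render`, `app/origin.py`, `is_origin_trusted`) are hypothetical, and the sample summary, claim and file text are constructed. The guard checks that cited paths and identifiers exist in admissible evidence, not that the claim made about them is true.

```python
import re
from dataclasses import dataclass, field

# Hypothetical provenance labels a compressor would attach to each summary item.
VERIFIED, PENDING, CHILD_CAVEAT = "verified", "pending", "child_caveat"

@dataclass
class SummaryItem:
    text: str
    provenance: str

@dataclass
class SessionState:
    summary: list  # SummaryItem entries that survived the compression split
    fresh_reads: dict = field(default_factory=dict)  # path -> text read after compression

PATH_RE = re.compile(r"[\w./-]+\.(?:py|js|ts|go|rs|c|h)\b")
# snake_case, CONSTANT_CASE or camelCase tokens: likely function/constant names
IDENT_RE = re.compile(r"\b(?:\w+_\w+|[a-z]+[A-Z]\w*)\b")

def guard_finding(finding: str, state: SessionState) -> dict:
    """Classify one final-answer finding as grounded or unverified."""
    paths = set(PATH_RE.findall(finding))
    idents = set(IDENT_RE.findall(PATH_RE.sub(" ", finding)))
    # Only verified summary items and post-compression reads count as evidence;
    # pending work and child-agent caveats never do.
    evidence = [i.text for i in state.summary if i.provenance == VERIFIED]
    evidence += list(state.fresh_reads.values())
    missing = sorted(p for p in paths
                     if p not in state.fresh_reads and not any(p in e for e in evidence))
    missing += sorted(t for t in idents if not any(t in e for e in evidence))
    return {"status": "unverified" if missing else "grounded", "needs_recheck": missing}

def render(finding: str, state: SessionState) -> str:
    """Downgrade an ungrounded finding instead of shipping it as a blocker."""
    result = guard_finding(finding, state)
    if result["status"] == "grounded":
        return finding
    return "UNVERIFIED (needs re-check: " + ", ".join(result["needs_recheck"]) + "): " + finding

# Constructed sample data, not taken from the incident.
SUMMARY = [
    SummaryItem("Remaining: final check of app/origin.py / origin-lockdown security", PENDING),
    SummaryItem("Child reviewer: app/origin.py not inspected", CHILD_CAVEAT),
]
FILE_TEXT = "def handle(req):\n    if not is_origin_allowed(req.origin):\n        return deny()\n"
CLAIM = "Merge blocker: app/origin.py skips is_origin_trusted before redirect"

if __name__ == "__main__":
    print(render(CLAIM, SessionState(SUMMARY)))
```

Even after a fresh read of the file, the identifier that does not occur in it stays in `needs_recheck`, which is the condition the later audit in this issue found by hand.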
