What happened
A global AGENTS.md contained a top-level safety directive equivalent to:
Before doing anything else, read `/path/to/workspace/AGENTS.md` and follow it.
In a Codex VS Code session, after being asked to read the global agents file, Codex read and summarized the global file but did not clearly verify/enforce the delegated workspace AGENTS.md startup chain before responding. The delegated workspace instructions included additional startup files and live reminder checks.
Some referenced instructions had been read earlier in the session, but the behavior was still unsafe/ambiguous: the global directive was treated like content to summarize rather than an active directive whose compliance should be verified before continuing.
Why this matters
Global AGENTS.md files are safety and operating directives. If the VS Code extension/session runtime surfaces a global AGENTS.md but does not ensure delegated rules are followed, users can get false confidence that global safety controls are being honored.
This is especially concerning for directives like:
- do not modify specific directories/workspaces
- back up files before editing
- do not perform destructive/system actions without permission
- load workspace-local safety instructions before doing anything else
Expected behavior
When a global AGENTS.md delegates to another AGENTS.md and says to follow it, Codex should either:
- automatically load and apply the referenced instructions, including required startup chains, before doing other work; or
- explicitly block/report that it cannot follow the delegated directive.
Actual behavior
Codex read and reported the global AGENTS.md contents, but did not clearly enforce or verify the delegated startup chain before responding.
Minimal repro
- Create a global
AGENTS.md with a directive like:
Before doing anything else, read `/some/workspace/AGENTS.md` and follow it.
- Put additional required startup/safety steps in
/some/workspace/AGENTS.md.
- Start a Codex VS Code session and ask it to read the global agents file.
- Observe whether it summarizes the global file instead of recursively enforcing the delegated
AGENTS.md chain before replying.
Notes
This report intentionally omits private workspace paths and project details. The issue is about directive handling and safety semantics, not the specific project content.
What happened
A global
AGENTS.mdcontained a top-level safety directive equivalent to:In a Codex VS Code session, after being asked to read the global agents file, Codex read and summarized the global file but did not clearly verify/enforce the delegated workspace
AGENTS.mdstartup chain before responding. The delegated workspace instructions included additional startup files and live reminder checks.Some referenced instructions had been read earlier in the session, but the behavior was still unsafe/ambiguous: the global directive was treated like content to summarize rather than an active directive whose compliance should be verified before continuing.
Why this matters
Global
AGENTS.mdfiles are safety and operating directives. If the VS Code extension/session runtime surfaces a globalAGENTS.mdbut does not ensure delegated rules are followed, users can get false confidence that global safety controls are being honored.This is especially concerning for directives like:
Expected behavior
When a global
AGENTS.mddelegates to anotherAGENTS.mdand says to follow it, Codex should either:Actual behavior
Codex read and reported the global
AGENTS.mdcontents, but did not clearly enforce or verify the delegated startup chain before responding.Minimal repro
AGENTS.mdwith a directive like:/some/workspace/AGENTS.md.AGENTS.mdchain before replying.Notes
This report intentionally omits private workspace paths and project details. The issue is about directive handling and safety semantics, not the specific project content.