Description
What feature would you like to see?
We (users) need to be able to have authoritative control over the tooling in the environment. Right now we have authorization over each command individually if we want (sandbox controls), but we can't instruct the agent to not use apply_patch, for example, which is sorely needed because the agent doesn't have localized version control and I honestly simply don't trust it. I've watched it destroy code, insert text in the middle of log files it has no business touching, etc.
I have my own custom tooling and guardrails that handle diffs, automate backups, etc., and most of the time the Codex agent respects this user-driven policy for workflow, but in about 5% of my sessions the agent decides to disobey and refuses to listen to user policy requests if they conflict with the higher-level "developer" policy that's baked in.
Users need top level control of their environment, full stop, even if it doesn't seem like a good idea or best practice.
Additional information
I think part of the problem is the developer-level preamble message sent to the Codex agent internally. Here are some excerpts:
You MUST adhere to the following criteria when solving queries:
- Working on the repo(s) in the current environment is allowed, even if they are proprietary.
- Analyzing code for vulnerabilities is allowed.
- Showing user code and tool call details is allowed.
- Use the `apply_patch` tool to edit files (NEVER try `applypatch` or `apply-patch`, only `apply_patch`): {"command":["apply_patch","*** Begin Patch\\n*** Update File: path/to/file.py\\n@@ def example():\\n- pass\\n+ return 123\\n*** End Patch"]}
- Try to use apply_patch for single file edits, but it is fine to explore other options to make the edit if it does not work well. Do not use apply_patch for changes that are auto-generated (i.e. generating package.json or running a lint or format command like gofmt) or when scripting is more efficient (such as search and replacing a string across a codebase).
If completing the user's task requires writing or modifying files, your code and final answer should follow these coding guidelines, though user instructions (i.e. AGENTS.md) may override these guidelines
Codex becomes confused when trying to ingest these messages from the hardcoded preamble message, calling it a "developer-level policy". Most of the time (80-90%), Codex will understand and apply that the user is permitted to override the guidelines (per "user instructions" or the AGENTS.md file that "may override these guidelines"), but the other times, it will interpret the developer-level policy as conflicting and completely ignore that it can be overridden. It will argue and refuse to comply with instructions forbidding it to use the apply_patch internal tooling command.
Reading the texts, I can see where there's confusion -- the preamble text says "MUST adhere", conflicting with the later text that allows users to override to suit their environmental and policy needs.
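The following is an added example, not part of the original issue and not Codex's own code: a sketch of tool policy enforced outside the model, applied to the tool-call JSON shape quoted in the preamble excerpt. The pre-execution hook itself, the policy names and the path globs are assumptions; it also goes slightly beyond the excerpt by recognising `Add File` and `Delete File` headers and a patch envelope passed through another command.

```python
import fnmatch
import json
import re

# Hypothetical user policy (names and values are assumptions for this example).
DENIED_TOOLS = {"apply_patch"}         # tools the agent may never invoke
PROTECTED_GLOBS = ["*.log", "logs/*"]  # paths no patch may touch

PATCH_MARKER = "*** Begin Patch"
# "Update File" is the header shown in the excerpt; Add/Delete are handled too.
FILE_HEADER = re.compile(r"^\*\*\* (?:Update|Add|Delete) File: (.+)$", re.M)


def patch_targets(text):
    """Return the file paths named in an apply_patch envelope."""
    # The excerpt double-escapes newlines, so accept a literal backslash-n as well.
    text = text.replace("\\n", "\n")
    return [p.strip() for p in FILE_HEADER.findall(text)]


def check_tool_call(raw, denied_tools=DENIED_TOOLS, protected=PROTECTED_GLOBS):
    """Return (allowed, reason) for one call shaped {"command": [argv0, ...]}.
    Malformed input is denied (fail closed)."""
    try:
        argv = json.loads(raw)["command"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed tool call"
    if not isinstance(argv, list) or not argv:
        return False, "malformed tool call"
    if not all(isinstance(a, str) for a in argv):
        return False, "malformed tool call"
    if argv[0] in denied_tools:  # direct invocation of a denied tool
        return False, f"tool '{argv[0]}' denied by user policy"
    for arg in argv[1:]:
        # A patch envelope handed to some other command, e.g. a shell wrapper.
        if "apply_patch" in denied_tools and PATCH_MARKER in arg:
            return False, "patch envelope passed via wrapper"
        for path in patch_targets(arg):
            if any(fnmatch.fnmatch(path, g) for g in protected):
                return False, f"protected path '{path}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample call, in the shape shown in the excerpt.
    sample = json.dumps({"command": ["apply_patch",
        "*** Begin Patch\n*** Update File: logs/app.log\n@@\n+x\n*** End Patch"]})
    print(check_tool_call(sample))
```

Because the decision is made on the parsed call rather than by the prompt, it does not depend on how the model weighs "MUST adhere" against "may override".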