Eight agent surfaces, one audit language.

Project instructions, rules, commands, hooks, MCP servers, subagents, permissions, review loops, and repo hygiene around the Claude Code baseline.

• Structured CLAUDE.md plus smaller modular rules consistently outperformed long monolithic guidance.
• Hooks and permission posture produced the biggest safety improvements once teams moved beyond a single local-user setup.
• The strongest score jumps came from making verification commands explicit and preserving repo-owned agent assets instead of hiding them in personal config.

AGENTS.md quality, config precedence, approvals, sandbox posture, MCP wiring, hooks, review surfaces, local-vs-cloud behavior, and GitHub Action alignment.

• Config precedence largely held, but minimal reasoning profiles now collide with web search in a way older docs did not capture.
• The live GitHub Action source has started moving faster than the prose docs, so source-backed checks need freshness gates.
• Most trust-boundary and MCP behavior remained stable enough to keep Codex as one of the strongest runtime-validated surfaces.

GEMINI.md hierarchy, JSON config shape, trusted folders, sandbox and policy controls, MCP transport, hooks, CI output formats, extensions, and rate-limit resilience.

• Subdirectory GEMINI.md files loaded eagerly rather than just-in-time, which matters a lot for large monorepos.
• The model field now requires object format, and legacy CI assumptions like plain --json no longer reflect current runtime.
• Policy mode, hooks migration, and rate-limit retry behavior surfaced as major operational differentiators.

Instruction-file loading, CLI-vs-VS Code boundaries, org policy controls, MCP schema, cloud-agent readiness, prompt files, enterprise governance, and BYOK behavior.

• Copilot CLI read not only Copilot instructions but also AGENTS.md and CLAUDE.md unless custom instructions were disabled.
• VS Code settings often did not translate to CLI behavior, so Nerviq now treats those surfaces more independently.
• BYOK worked locally with OpenAI, while GitHub-managed access and third-party MCP remained strongly shaped by org policy.

MDC rule structure, rule trigger types, legacy .cursorrules drift, privacy mode, MCP config, background agents, automations, BugBot, and context-provider hygiene.

• Agent mode silently ignored .cursorrules, making MDC rules the real enforceable contract.
• Privacy Mode being off by default and .cursorignore shell bypasses made security guidance much sharper.
• Cursor’s MCP surface proved powerful but brittle: wrong root keys, overlarge tool inventories, and no-debounce automations all caused silent failures or runaway behavior.

Rule trigger types, instruction budgets, workflows, skills, memories, trust posture, MCP whitelist behavior, enterprise settings, and cross-surface alignment with AGENTS.md.

• Memories were workspace-scoped rather than cross-project, which invalidated a common assumption and forced check updates.
• Zero Data Retention changed retention, not transmission, so security messaging needed to become much more precise.
• The lack of a supported CLI/headless surface and the 300-line accuracy drop became the dominant practical caveats.

Git safety, config precedence, model-role split, convention loading, architect mode, lint/test loops, repo-map usage, CI execution, ignore behavior, and cost controls.

• Convention files were never auto-discovered; they had to be explicitly passed and often explicitly referenced in the prompt.
• Default auto-commit bypassed pre-commit hooks unless teams opted back into verification behavior.
• Architect mode clearly improved planning quality but carried a measurable cost premium over standard edit mode.

Instruction precedence, config merge behavior, permission rules, plugin hooks, MCP schema, headless run surfaces, skills, agents, server mode, and secret exposure paths.

• AGENTS.md was the reliable instruction surface, while CLAUDE.md fallback and global loading behaved less predictably than older guidance implied.
• run --command became the real headless execution boundary, and JSON mode behaved as JSONL rather than a single JSON blob.
• Plugin hook coverage was better than expected, but debug config and bash access still left real secret-exposure caveats.