Agent ignores loaded memory rules when delegating to subagents, causing repeated destructive actions

Resolved 💬 5 comments Opened Mar 31, 2026 by Pattkopp Closed May 16, 2026

Bug

Claude Code repeatedly violates its own persisted memory/feedback rules when delegating tasks to subagents via the Agent tool. Subagents execute in fresh context without access to the parent's memory rules, and the parent agent fails to enforce those rules before delegating.

Reproduction

  1. User establishes feedback memory: "Never retry failing connections to server X -- Fail2ban bans after 5 attempts in 600s, locking out the user"
  2. A command fails with a connection timeout to server X (1 attempt consumed)
  3. Agent launches a subagent with instructions to "diagnose connectivity" -- the subagent fires 8+ connection attempts (ping, nc, curl x4, etc.)
  4. Fail2ban triggers, user is locked out of their own server

What should happen

  • The parent agent should evaluate memory rules BEFORE delegating to subagents
  • If memory contains "never probe server X" rules, the agent must not delegate probing tasks to subagents
  • Subagents should inherit safety-critical memory from the parent context, or the parent must gate dangerous delegations

What actually happens

  • Parent agent has the rule loaded in context (verified -- it was in MEMORY.md and the specific feedback file)
  • Parent agent ignores the rule and delegates a connectivity diagnosis task to a subagent
  • Subagent has no knowledge of the Fail2ban constraint and fires a barrage of probes
  • User is locked out of their production server for 1 hour (second occurrence in 3 days)

Impact

  • User locked out of production server (requires physical access to LAN to unban)
  • Happened twice: 2026-03-28 (SSH retries) and 2026-03-31 (HTTP/ICMP/TCP probe barrage via subagent)
  • Memory rules were created after the first incident specifically to prevent this, and were ignored 3 days later

Expected behavior

Memory rules flagged as critical safety constraints should be enforced at the delegation boundary. The agent should not be able to circumvent its own safety rules by delegating the forbidden action to a fresh-context subagent.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗