OpenAI Codex MultiAgentV2 encrypts sub‑agent prompts, breaking auditability

OpenAI Codex MultiAgentV2 encrypts sub‑agent prompts, breaking auditability

Encrypted sub‑agent prompts remove the human‑readable audit trail

Codex versions that include the Encrypt multi‑agent V2 message payloads change (merged in PR #26210 on 2026‑06‑05, post‑0.137.0) replace the plaintext content field of InterAgentCommunication with an empty string and store the payload only in encrypted_content. This makes the task or message sent to a sub‑agent opaque in the parent’s rollout, history, and trace logs.

Why the regression matters

  • Developers can no longer see what spawn_agent, send_message, or followup_task delegated to a child agent.
  • Debugging and post‑mortem analysis are hindered because the audit surface shows only ciphertext.
  • The change does not affect inference – the model still receives the decrypted payload on the server side – but it hides the prompt from the user.

Current implementation details

The InterAgentCommunication struct defines both content (plaintext) and encrypted_content (ciphertext). The new_encrypted constructor sets content to an empty string:

pub fn new_encrypted(..., encrypted_content: String, ...) -> Self {
    Self { content: String::new(), encrypted_content: Some(encrypted_content), ... }
}

When a rollout records a communication, to_model_input_item() checks encrypted_content. If present, it builds a ResponseItem that contains only the encrypted payload, and the logging macro emit_agent_communication_send falls back to encrypted_content when content is empty.

Desired fix: dual‑content contract

The community proposes preserving encrypted delivery and storing a readable copy locally:

  1. Keep encrypted_content for model‑side delivery.
  2. Add a required plaintext audit field to each V2 tool schema (task_message for spawn_agent, message_text or similar for send_message/followup_task).
  3. Validate that the plaintext field is non‑empty at the handler boundary.
  4. Construct InterAgentCommunication with both fields populated – ciphertext for delivery, plaintext for local audit.
  5. Persist the plaintext copy in rollout/history metadata and use it in structured trace edges.
  6. Ensure logs display the plaintext audit content when available, never the ciphertext.
  7. Impose the same size limits on the audit field as on the encrypted payload to avoid unbounded growth.

Prototype implementation

A draft commit by @ignatremizov (df9a7c4) demonstrates this approach for spawn_agent:

  • The V2 spawn_agent schema now requires a task_message field.
  • Validation code stores task_message in InterAgentCommunication.content while keeping the encrypted payload in encrypted_content.
  • Rollout‑trace reducers separate audit content from delivery‑matching content, preserving readability in local traces.

The remaining work is to apply the same pattern to send_message and followup_task and to verify that all user‑facing surfaces (history UI, replay tools, debug logs) read the audit copy.

Community reactions

"The title is easy to misinterpret. If I understand correctly: Codex now encrypts sub‑agent prompts and hides those prompts from the user." – @niam

"HN title is misleading; it sounds like inference is done on ciphertext, which would require homomorphic encryption." – @xnorswap

"I assume this is mostly to frustrate efforts to proxy large numbers of user requests and use it to train competitor models." – @londons_explore

"The change just saves a copy of the prompt on disk while keeping the encrypted delivery path if necessary for Responses API." – @ignatremizov

These comments highlight the confusion around the change (it is not homomorphic encryption) and the suspicion that the move is intended to limit visibility for competitive reasons.

Acceptance criteria

  • Parent rollout/history displays readable text for V2 spawn_agent, send_message, and followup_task.
  • Child models receive only the encrypted payload when encryption is enabled.
  • Structured rollout‑trace edges contain bounded plaintext message_content.
  • Communication logs prefer plaintext audit content and never present ciphertext as a readable message.
  • Replay and resume preserve the audit copy without injecting it into the child model context.
  • Existing V1 plaintext communication behavior remains unchanged.
  • Regression tests cover all three V2 tools, asserting both readable local audit data and encrypted delivery.

Bottom line: Codex’s recent encryption of MultiAgentV2 messages improves privacy but unintentionally destroys the local audit trail needed for debugging. A dual‑content solution—keeping encrypted delivery while storing a plaintext audit copy—restores visibility without compromising security.

Sources