OpenAI Codex MultiAgentV2 encrypts sub‑agent prompts, breaking auditability
OpenAI Codex MultiAgentV2 encrypts sub‑agent prompts, breaking auditability
Encrypted sub‑agent prompts remove the human‑readable audit trail
Codex versions that include the Encrypt multi‑agent V2 message payloads change (merged in PR #26210 on 2026‑06‑05, post‑0.137.0) replace the plaintext content field of InterAgentCommunication with an empty string and store the payload only in encrypted_content. This makes the task or message sent to a sub‑agent opaque in the parent’s rollout, history, and trace logs.
Why the regression matters
- Developers can no longer see what
spawn_agent,send_message, orfollowup_taskdelegated to a child agent. - Debugging and post‑mortem analysis are hindered because the audit surface shows only ciphertext.
- The change does not affect inference – the model still receives the decrypted payload on the server side – but it hides the prompt from the user.
Current implementation details
The InterAgentCommunication struct defines both content (plaintext) and encrypted_content (ciphertext). The new_encrypted constructor sets content to an empty string:
pub fn new_encrypted(..., encrypted_content: String, ...) -> Self {
Self { content: String::new(), encrypted_content: Some(encrypted_content), ... }
}
When a rollout records a communication, to_model_input_item() checks encrypted_content. If present, it builds a ResponseItem that contains only the encrypted payload, and the logging macro emit_agent_communication_send falls back to encrypted_content when content is empty.
Desired fix: dual‑content contract
The community proposes preserving encrypted delivery and storing a readable copy locally:
- Keep
encrypted_contentfor model‑side delivery. - Add a required plaintext audit field to each V2 tool schema (
task_messageforspawn_agent,message_textor similar forsend_message/followup_task). - Validate that the plaintext field is non‑empty at the handler boundary.
- Construct
InterAgentCommunicationwith both fields populated – ciphertext for delivery, plaintext for local audit. - Persist the plaintext copy in rollout/history metadata and use it in structured trace edges.
- Ensure logs display the plaintext audit content when available, never the ciphertext.
- Impose the same size limits on the audit field as on the encrypted payload to avoid unbounded growth.
Prototype implementation
A draft commit by @ignatremizov (df9a7c4) demonstrates this approach for spawn_agent:
- The V2
spawn_agentschema now requires atask_messagefield. - Validation code stores
task_messageinInterAgentCommunication.contentwhile keeping the encrypted payload inencrypted_content. - Rollout‑trace reducers separate audit content from delivery‑matching content, preserving readability in local traces.
The remaining work is to apply the same pattern to send_message and followup_task and to verify that all user‑facing surfaces (history UI, replay tools, debug logs) read the audit copy.
Community reactions
"The title is easy to misinterpret. If I understand correctly: Codex now encrypts sub‑agent prompts and hides those prompts from the user." – @niam
"HN title is misleading; it sounds like inference is done on ciphertext, which would require homomorphic encryption." – @xnorswap
"I assume this is mostly to frustrate efforts to proxy large numbers of user requests and use it to train competitor models." – @londons_explore
"The change just saves a copy of the prompt on disk while keeping the encrypted delivery path if necessary for Responses API." – @ignatremizov
These comments highlight the confusion around the change (it is not homomorphic encryption) and the suspicion that the move is intended to limit visibility for competitive reasons.
Acceptance criteria
- Parent rollout/history displays readable text for V2
spawn_agent,send_message, andfollowup_task. - Child models receive only the encrypted payload when encryption is enabled.
- Structured rollout‑trace edges contain bounded plaintext
message_content. - Communication logs prefer plaintext audit content and never present ciphertext as a readable message.
- Replay and resume preserve the audit copy without injecting it into the child model context.
- Existing V1 plaintext communication behavior remains unchanged.
- Regression tests cover all three V2 tools, asserting both readable local audit data and encrypted delivery.
Bottom line: Codex’s recent encryption of MultiAgentV2 messages improves privacy but unintentionally destroys the local audit trail needed for debugging. A dual‑content solution—keeping encrypted delivery while storing a plaintext audit copy—restores visibility without compromising security.