LIVE|CLI v0.144.0·model GPT-5.6 Sol·verified 2026-07-09
Codex Insider
The unofficial wire for OpenAI Codex.
WatchdogJul 14, 2026

Codex now encrypts the prompts it sends to sub-agents — and your local audit trail went with them

A PR merged June 5 encrypts multi-agent v2 message payloads, so spawn_agent, send_message, and followup_task no longer write readable task text to your local rollout history. An open bug report calls it a regression. OpenAI has not replied on the issue.

RSS~3 min read
TL;DR the 15-second answer

A PR merged June 5 encrypts multi-agent v2 message payloads, so spawn_agent, send_message, and followup_task no longer write readable task text to your local rollout history. An open bug report calls it a regression. OpenAI has not replied on the issue.

When a Codex agent delegates work to a sub-agent, the instructions it hands down used to be plain text you could read in your own rollout history. As of a pull request merged on June 5, 2026, they are ciphertext. The change landed quietly, and the first substantial public discussion of it came more than a month later.

What actually changed

PR #26210, authored by jif-oai and merged June 5, encrypts the message parameter on three multi-agent tools: spawn_agent, send_message, and followup_task. Codex now stores the delegated instruction in InterAgentCommunication.encrypted_content and leaves the plaintext content field empty. The receiving agent gets an agent_message input item carrying ciphertext, which the Responses layer decrypts internally. The ciphertext is what persists — through history, through rollouts, and through compaction.

The PR’s stated reasoning is confidentiality between coordinating agents. Task text previously traveled as ordinary assistant-message JSON through tool arguments and history, which meant a parent model and any intermediate system in the chain could read it. Encrypting the payload closes that path. Multi-agent v1 is untouched by the change.

The part that broke

On June 13, a developer using the handle ignatremizov filed issue #28058, titled “Regression: encrypted MultiAgentV2 messages remove readable task audit trail.” The complaint is narrow and worth stating precisely, because it is easy to overstate. The reporter is not asking OpenAI to revert the encryption. The argument is that encrypted delivery to the child agent and a readable local record for the operator are two different things, and the PR collapsed them into one.

With plaintext gone from local rollout history, trace reduction, and the parent-side debug surfaces, a question as basic as what task did this spawn_agent call actually give the child? no longer has an answer you can retrieve from your own machine. The proposed fix in the issue is a required plaintext audit field carried alongside the encrypted message — the child still receives ciphertext, the operator still gets a readable log.

The issue is tagged CLI, bug, and subagent. It is still open. As of July 14 no maintainer reply appears on the thread.

Who this hits

The reporter is explicit that the behavior is not subscription-specific, not model-specific, and not platform-specific. It affects Codex builds after 0.137.0, which is where PR #26210 lands.

That detail is worth pinning down, because the Hacker News thread that pushed this story into view — north of 350 points — drifted away from it. Several highly-ranked comments there frame the encryption as tied to particular models, and others attribute it to OpenAI protecting proprietary orchestration techniques from competitors and resellers. The first claim contradicts the issue itself. The second is speculation about motive; the PR description talks about confidentiality between coordinating agents and says nothing about trade secrets. We are not in a position to verify what OpenAI’s internal reasoning was, and neither is the thread.

What to do about it

If you run multi-agent Codex workflows and rely on reading delegated task text after the fact — for debugging a run that went sideways, for quality control, for any retrospective on what a sub-agent was actually told — that capability is gone on current versions, and there is no flag documented to bring it back. Your options today are to pin below 0.137.0, to instrument your own logging at the point where you construct the delegation, or to add your weight to #28058 and wait.

We will update this story if OpenAI responds on the issue, ships an audit field, or documents a way to opt out.