OpenAI Codex now encrypts multi-agent prompts — what it means if you build on sub-agents
A merged Codex CLI change (PR #26210, June 5 2026) makes MultiAgentV2 sub-agent instructions ciphertext-only in your local logs. spawn_agent, send_message and followup_task no longer store readable task text — here's what breaks for anyone debugging or auditing a Codex agent fleet, and the current workarounds.
OpenAI’s Codex CLI now encrypts the prompts your parent agent sends to its sub-agents. The change landed in PR #26210 (“Encrypt multi-agent v2 message payloads”), merged on June 5, 2026. If you run Codex sub-agents, the task instructions that used to sit in plaintext in your local session history are now stored as ciphertext only.
Key facts:
- The change affects MultiAgentV2 — specifically the
messageargument of thespawn_agent,send_message, andfollowup_tasktool calls. (Source: openai/codex PR #26210) - It ships in Codex versions post-0.137.0. (Source: Issue #28058)
- Inter-agent task text is now stored in
InterAgentCommunication.encrypted_content, with the plaintextcontentfield left empty. - The ciphertext is decryptable by OpenAI’s Responses backend, not by you locally.
- Multi-agent v1 is unchanged — only the v2 path is affected. (Source: PR #26210)
message argument returned by the model, Codex forwards only that ciphertext, and Responses decrypts it internally for the recipient model." (Source: openai/codex PR #26210)What this means if you’re building on Codex sub-agents
If you orchestrate work with Codex sub-agents, you can no longer read what one agent told another. That removes a debugging and audit surface most agent builders lean on daily:
- Debugging gets harder. When a sub-agent goes off the rails, the first question is “what task did it actually get?” That text is now opaque in rollouts, logs, and telemetry.
- Compliance/audit trails break. If you need a human-readable record of what instructions ran — for review, safety, or a customer contract — the local trail is gone.
- It’s a regression, not a feature request. The community bug report (Issue #28058, labeled
CLI,bug,subagent) frames it as unintended lost auditability and proposes a plaintext audit companion field alongside the encrypted payload.
Why OpenAI likely did it
There’s no official statement, so treat motive as speculation. On the Hacker News thread (405 points, 238 comments), the leading theory is competitive: multi-agent orchestration prompts are trained IP, and OpenAI doesn’t want resellers or rivals training on them — the same logic behind guarding raw reasoning traces. One commenter speculated the payload may not even be text but a latent-space representation.
Current workarounds (per community reports): multi-agent v1 is unaffected, so pinning to it or building custom orchestration over the app-server RPC API keeps prompts visible. Some builders who need a fully auditable harness are moving fleet work to alternatives like Claude Code, where sub-agent prompts stay inspectable locally. If you’re comparing the two harnesses under autonomy, we ran them head-to-head on the same task.
Sources
Source: openai/codex PR #26210