Tools · · 2 min read

OpenAI Codex now encrypts multi-agent prompts — what it means if you build on sub-agents

A merged Codex CLI change (PR #26210, June 5 2026) makes MultiAgentV2 sub-agent instructions ciphertext-only in your local logs. spawn_agent, send_message and followup_task no longer store readable task text — here's what breaks for anyone debugging or auditing a Codex agent fleet, and the current workarounds.


OpenAI’s Codex CLI now encrypts the prompts your parent agent sends to its sub-agents. The change landed in PR #26210 (“Encrypt multi-agent v2 message payloads”), merged on June 5, 2026. If you run Codex sub-agents, the task instructions that used to sit in plaintext in your local session history are now stored as ciphertext only.

Key facts:

  • The change affects MultiAgentV2 — specifically the message argument of the spawn_agent, send_message, and followup_task tool calls. (Source: openai/codex PR #26210)
  • It ships in Codex versions post-0.137.0. (Source: Issue #28058)
  • Inter-agent task text is now stored in InterAgentCommunication.encrypted_content, with the plaintext content field left empty.
  • The ciphertext is decryptable by OpenAI’s Responses backend, not by you locally.
  • Multi-agent v1 is unchanged — only the v2 path is affected. (Source: PR #26210)
GitHub PR #26210 'Encrypt multi-agent v2 message payloads', merged by jif-oai, +677/-62 across 34 files, with the Why and What changed sections listed
The merged PR spells out the intent: "agent instructions stay encrypted between model calls. Responses encrypts the message argument returned by the model, Codex forwards only that ciphertext, and Responses decrypts it internally for the recipient model." (Source: openai/codex PR #26210)

What this means if you’re building on Codex sub-agents

If you orchestrate work with Codex sub-agents, you can no longer read what one agent told another. That removes a debugging and audit surface most agent builders lean on daily:

  • Debugging gets harder. When a sub-agent goes off the rails, the first question is “what task did it actually get?” That text is now opaque in rollouts, logs, and telemetry.
  • Compliance/audit trails break. If you need a human-readable record of what instructions ran — for review, safety, or a customer contract — the local trail is gone.
  • It’s a regression, not a feature request. The community bug report (Issue #28058, labeled CLI, bug, subagent) frames it as unintended lost auditability and proposes a plaintext audit companion field alongside the encrypted payload.
GitHub issue #28058 'Regression: encrypted MultiAgentV2 messages remove readable task audit trail', open, filed against openai/codex
Issue #28058 documents the regression against Codex CLI post-0.137.0 and points back at PR #26210 as the cause. (Source: openai/codex Issue #28058)

Why OpenAI likely did it

There’s no official statement, so treat motive as speculation. On the Hacker News thread (405 points, 238 comments), the leading theory is competitive: multi-agent orchestration prompts are trained IP, and OpenAI doesn’t want resellers or rivals training on them — the same logic behind guarding raw reasoning traces. One commenter speculated the payload may not even be text but a latent-space representation.

Hacker News thread 'Codex starts encrypting sub-agent prompts', 405 points, 238 comments, top comment discussing latent-space representation and RL rollouts
The HN discussion split between "inevitable IP protection" and "unacceptable loss of visibility for safety and QA." (Source: Hacker News, 405 points)

Current workarounds (per community reports): multi-agent v1 is unaffected, so pinning to it or building custom orchestration over the app-server RPC API keeps prompts visible. Some builders who need a fully auditable harness are moving fleet work to alternatives like Claude Code, where sub-agent prompts stay inspectable locally. If you’re comparing the two harnesses under autonomy, we ran them head-to-head on the same task.

Sources

Source: openai/codex PR #26210