RC RANDOM CHAOS

Codex's sub-agent prompt encryption wiped out local audit trails

· via Hacker News

Original source

Codex starts encrypting sub-agent prompts

Hacker News →

A recent change to OpenAI’s Codex CLI (PR #26210, merged June 2026) encrypts the message payloads exchanged between agents in its MultiAgentV2 system. The model-facing message parameter is now marked as encrypted and stored only as ciphertext in encrypted_content, while the plaintext content field is left empty. The delivery encryption itself is reasonable as privacy hardening, but a follow-up issue (#28058) flags an unintended side effect: the readable task and message text also vanished from local rollout history, traces, and parent-side debug surfaces.

The practical cost is that operators can no longer answer basic questions after the fact — what task a spawn_agent call handed to a child agent, what a send_message delivered, or why a given child thread existed at all. The reporter traces the behavior through the code, showing that InterAgentCommunication::new_encrypted() deliberately initializes plaintext content as empty and that downstream history, trace, and communication-log paths all fall back to emitting the ciphertext when plaintext is missing. The issue is distinct from #26753, which concerns 400 errors on encrypted tool schemas; this one is purely about auditability once the schema is accepted.

The proposed fix keeps encrypted delivery intact but adds a required, non-encrypted plaintext companion field (e.g. task_message) to each tool, persisted in rollout, trace edges, and logs while never being fed back into the child model’s context. A prototype already implements this dual-content contract for spawn_agent; the remaining work is extending it to send_message and followup_task, size-bounding the audit field, and matching tool calls to delivered items by ciphertext or ID rather than plaintext. The broader lesson is a familiar tension: encrypting inter-agent communication for privacy shouldn’t silently destroy the local observability that makes multi-agent runs debuggable.

Read the full article

Continue reading at Hacker News →

This is an AI-generated summary. Read the original for the full story.