OpenAI Codex encrypts sub‑agent prompts, removing human‑readable audit trails
A recent change encrypts MultiAgentV2 payloads, hiding sub‑agent instructions from rollout logs and raising auditability concerns for developers.

OpenAI's recent update to Codex's MultiAgentV2 layer encrypts the payloads sent to sub‑agents, turning previously readable task descriptions into ciphertext. The change landed in the #26210 merge on June 5 2026 and is enabled by default in releases after version 0.137.0. As a result, the rollout and history views no longer show the human‑readable instructions that spawned a sub‑agent. Developers who rely on those logs for debugging, compliance, or insight now face a blind spot.
What happened
The change originated in pull request #26210, which marks the model‑facing message parameter as encrypted and stores the ciphertext in InterAgentCommunication.encrypted_content while leaving InterAgentCommunication.content empty. This modification is not tied to any specific model; it applies to all MultiAgentV2 operations (spawn_agent, send_message, followup_task) once MultiAgentV2 is enabled.
Because the content field is cleared, the rollout UI, CLI history, and any local trace files only display the encrypted blob. Issue #28058 documents how this regression makes it impossible to answer basic questions such as “what task did the spawn_agent call give the child?” or “why does a sub‑thread appear in the rollout after the fact?”
The developer community on Hacker News reacted strongly, calling the move user‑hostile and comparing it to DRM. Commentators speculate that the opaque payloads may be intended to protect proprietary prompt data from being harvested for training, but the lack of a parallel plaintext audit copy raises transparency concerns.
Why it matters
Without a readable audit trail, developers lose a primary debugging instrument; tracing why a sub‑agent behaved a certain way now requires decryption keys that are not exposed to end users. Compliance regimes that mandate traceability of automated decisions (e.g., GDPR, SOC 2) may consider the hidden payload a violation, forcing teams to implement additional controls. On the other hand, encrypting prompts reduces the risk of accidental leakage of proprietary instructions through logs or third‑party integrations, which can be a significant security benefit.
- Encrypting prompts prevents accidental leakage of proprietary instructions to logs or third‑party tools.
- It aligns with internal security policies that treat prompt text as sensitive data.
- Reduces the attack surface for malicious actors who might scrape rollout histories.
- Developers lose the ability to inspect sub‑agent tasks without decrypting, hampering debugging.
- Regulatory audits that require traceability of automated decisions become more difficult.
- Existing tooling that parses rollout text for metrics or CI integration breaks.
How to think about it
If you need full visibility, pin your Codex client to a version earlier than 0.137.0 or disable the MultiAgentV2 flag in the client configuration; this restores the content field but also disables any downstream features that depend on MultiAgentV2. Submit a feature request on the Codex repository to expose a non‑encrypted audit copy alongside the encrypted payload. In the meantime, capture the plaintext task yourself before calling spawn_agent—store it in your own log or metadata store. Monitor OpenAI's changelog for a future release that adds an audit_content field, and design your pipelines to tolerate both encrypted and clear‑text modes.
FAQ
Can I revert the encryption change?+
How can I retain a readable audit trail?+
spawn_agent, or request that OpenAI add an audit_content field. Some teams wrap the API call in a helper that writes the task to a separate database while still sending the encrypted payload.Does encryption affect token usage or cost?+
- engineering·5 min readUnpacking GPT-5.6 Sol Ultra in Codex: Alias or Advanced Pro Model Integration?
The integration of GPT-5.6 Sol Ultra into OpenAI's Codex sparks debate: is it a simple alias for existing features or a true 'pro model' with advanced capabilities? This matters for developer…
- security·4 min readEU Advances 'Chat Control' Legislation, Threatening Private Communications and Digital Anonymity
The EU is pushing forward with 'Chat Control' legislation, threatening private communications and anonymous digital interactions through undemocratic processes. Developers should understand the…
- security·3 min readDanish Police Raid Privacy Activist Lars Andersen Over Surveillance Protest
Danish privacy activist Lars Andersen was raided by police after targeting pro-surveillance politicians with GPS tracking devices.
The week’s highest-signal tech and AI stories, synthesized into a five-minute read. One email a week, no spam, unsubscribe anytime.