AI News HubLIVE
In-site rewrite2 min read

OpenAI encrypts Codex agent instructions, blocking local audit trail

OpenAI has encrypted multi-agent v2 messages in its Codex CLI, hiding agent instructions from local history and raising developer concerns about debugging and auditability.

SourceHacker News AIAuthor: nyku

OpenAI hides Codex agent instructions behind encryption, leaving developers in the dark

Developers worry encrypted MultiAgentV2 messages will make debugging and auditing harder

Thomas Claburn

Thomas Claburn

AI AND SOFTWARE REPORTER

Published wed 15 Jul 2026 // 00:00 UTC

OpenAI has never been as open as its name suggests and is becoming even less so.

The free-spending AI giant recently revised the multi-agent orchestration in its Codex command line interface to encrypt messages passed to subagents.

OpenAI's Codex supports multi-agent orchestration, a way to have a parent agent spawn child agents or delegate tasks to other agents that may call out to different models.

REG AD

Codex/GPT-5.6 introduced a protocol called multi-agent v2 that appears to be geared toward letting the runtime allocate work instead of leaving those decisions to user-declared configuration settings.

REG AD

Multi-agent v2 is still under development and OpenAI hasn't formally documented it yet. Developers, however, have observed changes made to Codex to accommodate the new agent plumbing – and some are concerned by the new arrangements.

Last month, OpenAI devs merged a pull request (a suggested code change) to encrypt multi-agent v2 message payloads – the text instruction passed between agents. The pull request prefaces its explanatory text with the word "Why" but doesn't actually offer a reason for the change.

It states: "Multi-agent v2 currently routes agent instructions through normal tool arguments and inter-agent context. That means the parent model can emit plaintext task text, Codex can persist it in history/rollouts, and the recipient can receive it as ordinary assistant-message JSON.

"This changes the v2 path so agent instructions stay encrypted between model calls: Responses [An OpenAI API - Ed] encrypts the message argument returned by the model, Codex forwards only that ciphertext, and Responses decrypts it internally for the recipient model."

A desire to enhance privacy and security, or conceal data that would be useful for model distillation, are sound reasons for these changes. Yet OpenAI has not said why it made the change.

In the absence of clear communication from OpenAI, developers have urged the company to ensure that its implementation doesn't sacrifice auditability to accommodate other concerns.

An issue opened by Ignat Remizov, CTO at payment service Zolvat, says, "The encrypted delivery path is understandable as privacy hardening, but it also removes the human-readable task/message text from local rollout history, trace reduction, and parent-side audit/debug surfaces."

MORE CONTEXT

Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs

If you want Claude to speak nicely to you, try Hindi or Arabic

New York becomes first state to halt datacenter buildouts

DeepMind bigbrain calls for America to set AI standards before it's too late

Remizov's concern is that developers and code maintainers will have less information to assess the instructions an agent received and the actions it took.

REG AD

"Guys, we don’t want to build Skynet and then be unable to audit what it’s doing," he quips.

Other developers, echoing Remizov's concern about the loss of observability, speculate that OpenAI has locked its agent messaging down to keep competitors from seeing how its multi-agent implementation works.

OpenAI did not immediately respond to a request for comment. ®