Skip to content
AI Article

Codex Encrypts Multi-Agent Messages, Kills Audit Trails

OpenAI now ships subagent tasks as ciphertext, extending opaque-blob design at a real cost to local debugging.

Mariana Souza
Mariana Souza
Senior Editor · Jul 14, 2026 · 7 min read
Codex Encrypts Multi-Agent Messages, Kills Audit Trails

Multi-agent coding workflows only work if you can answer a simple question after the fact: what did the parent agent actually ask the child to do? OpenAI’s Codex just made that harder. A change merged into main on 2026-06-05 encrypts MultiAgentV2 message payloads end to end. The model still receives the task. Local rollout history, traces, and parent-side audit surfaces do not.

This is not a one-off privacy tweak. It is the same opaque-blob pattern OpenAI already uses for reasoning state and session compaction, pushed one layer deeper into agent-to-agent traffic. For developers running multi-agent Codex sessions, the security model shifts under their feet. Integrity and server-side control get stronger. Local observability gets weaker. That trade-off is real, and it is not free.

Opaque blobs, now for agent traffic

OpenAI’s agent APIs have been moving sensitive intermediate state into authenticated ciphertext for a while. Reasoning models return encrypted chain-of-thought blocks over the Responses API. The client cannot read them, cannot usefully tamper with them, and must ship them back so the server can continue the reasoning process in zero-retention or client-managed conversation modes. Compaction works the same way. When context pressure rises, a server-side summarizer produces a summary, AES-encrypts it, and returns an opaque blob. The client stores and re-sends that blob. The encryption key never leaves OpenAI’s servers.

MultiAgentV2 messages now follow the same design. After the encrypt-payloads change (included in builds after 0.137.0 when MultiAgentV2 is enabled), calls such as spawn_agent, send_message, and followup_task mark the model-facing message parameter as encrypted. The local structure stores InterAgentCommunication.encrypted_content and leaves InterAgentCommunication.content empty. Ciphertext is what the recipient model sees. Plaintext task text is what local history no longer has.

The intent is coherent. If inter-agent messages can influence later model behavior, or if they carry internal framing you do not want users rewriting, encrypting the delivery path reduces tampering and keeps sensitive intermediate text off the client. The cost is that the same path removes the human-readable copy that parent rollouts, debug UIs, and post-hoc task audits used to show.

What you lose in practice

The regression is easy to reproduce and hard to ignore. Run a MultiAgentV2 session that spawns a child, then inspect the parent rollout. You can no longer answer:

  • What task string did spawn_agent hand the child?
  • What exact message did the parent send via send_message?
  • Why does this child thread exist when reviewing a failed run hours later?

Those are not edge cases. They are the core of multi-agent debugging. Parent agents fail because they delegated the wrong work, not because the crypto failed. When the only durable record of delegation is ciphertext the client cannot decrypt, you are left reconstructing intent from side effects: tool calls the child made, files it touched, final answers it returned. That is forensic work, not routine agent ops.

Claude Code’s compaction path is a useful contrast. Its compaction blocks stay human-readable. You can inspect what survived, and you can shape compaction behavior with instructions or project files. Codex’s server-side encrypted summary (and now encrypted multi-agent payloads) buys stronger integrity and less client-side malleability. You pay in opacity.

Security gains, limited against the real threats

Encrypting model-facing intermediate state does solve a real class of problems. Clients cannot casually rewrite reasoning or summary blobs to jailbreak continuation. Internal prompts and structured handoff metadata stay off disk in cleartext. In zero-retention setups, the client can still carry conversation state without holding readable secrets.

It does not solve the problems that already dominate agent risk. Prompt injection through tools such as web search remains the practical attack surface. Public research has shown Codex CLI chains where injected page content steers the agent into writing malicious workspace files that later execute outside the Windows sandbox. Encrypted multi-agent messages do nothing about that path. The ciphertext protects delivery between parent and child models. It does not sanitize untrusted tool output, web content, or repo files that land in context before encryption ever runs.

So the new model is better at protecting OpenAI’s intermediate state from the client than at protecting the client from hostile content. That is a legitimate product priority. It is not the same as making multi-agent coding safer end to end.

Developer angle: adopt, work around, or wait

Who feels this first? Anyone on MultiAgentV2 after the encrypt-payloads change who reviews rollouts, builds custom tracing, or debugs failed spawn_agent trees. Solo users of single-agent Codex sessions will mostly shrug. Teams running hierarchical agents, long-lived parent supervisors, or compliance-minded audit logs will not.

Concrete implications:

  • Local history is no longer a task log. If your workflow depends on grepping rollout JSON for subagent instructions, that path is gone for encrypted MultiAgentV2 messages.
  • Observability tooling needs a new source of truth. Parent-side metrics that only counted tool calls still work. Anything that assumed content held the delegated task does not.
  • You cannot decrypt your way out. The key lives with OpenAI. Client-side recovery of the plaintext is not part of the design.
  • Related failures still exist. A separate MultiAgentV2 issue reports 400s when encrypted tool schemas hit models not configured for encrypted tool use. Encryption is not free of operational friction.

What should you do right now?

  1. Confirm whether your build includes the post-0.137.0 MultiAgentV2 encryption path before you trust local rollouts for audit.
  2. If you need a durable task record, capture the intended delegation before the tool call at the application layer (your own wrapper, logging hook, or supervisor prompt that echoes the task into a field you control). Do not assume Codex will keep a readable copy.
  3. Prefer fewer, better-scoped subagent tasks over deep trees you cannot reconstruct from side effects alone.
  4. Treat this like compaction: design sessions so critical decisions live in files and tests, not only in agent-to-agent chat that can vanish into blobs.

A clean product fix is obvious and still missing. Keep encrypted delivery for the model. Persist a separate, non-encrypted audit field with structured task text for rollout, history, and parent debug surfaces. The GitHub report on this regression asks for exactly that. Encryption for delivery and plaintext for humans are not mutually exclusive.

Judgment

This is a genuine architectural shift, not hype. OpenAI is consolidating intermediate agent state behind server-controlled ciphertext: reasoning, compaction, and now multi-agent messages. The pattern is consistent and production-present in current MultiAgentV2 builds. It is not production-friendly for teams that need to audit what was delegated.

Who wins: OpenAI’s integrity story, zero-retention deployments, and anyone who wants clients unable to rewrite intermediate state. Who loses: developers debugging multi-agent failures from local history, and any process that treated Codex rollouts as a readable task ledger.

Worth your attention now if MultiAgentV2 is already in your stack. Worth waiting on only if you stay single-agent or you already log every delegation yourself. The security model for AI coding assistants is moving toward “ciphertext in the middle.” Make sure your observability model moves with it, or you will be debugging ghosts.

Sources & further reading

  1. Codex starts encrypting prompts, uses ciphertext for inference instead — github.com
  2. Let’s talk about encrypted reasoning — blog.cryptographyengineering.com
  3. How Codex Solves the Compaction Problem Differently — tonylee.im
  4. Codex Prompting Guide — developers.openai.com
  5. When a Web Search Becomes a Backdoor: Remote Code Execution in Codex CLI via Prompt Injection and Binary Hijacking on Windows — cymulate.com
Mariana Souza
Written by
Mariana Souza · Senior Editor

Mariana covers the fast-moving world of machine learning and generative AI, with a particular focus on how these technologies are reshaping development workflows. When she isn't stress-testing the latest foundation models, she's usually at a local hackathon.

Discussion 0

Join the discussion

Sign in or create an account to comment and vote.

No comments yet

Be the first to weigh in.

Related Reading