Codex is OpenAI’s terminal coding agent, and its MultiAgentV2 mode lets a lead agent spawn sub-agents to split up a job. PR #26210, merged June 5, encrypted the message payloads on all three handoff tools: spawn_agent, send_message, followup_task.
Encrypted against whom, though? InterAgentCommunication::new_encrypted() deliberately leaves the plaintext content field empty and stuffs everything into encrypted_content. Your local rollout history, your debug surfaces, your traces — all ciphertext. So the one question you actually need answered when a sub-agent goes off the rails, what task did the parent hand it?, is now unanswerable on your own machine.
Why it blew up
359 points and 217 comments on HN. The leading theory is that OpenAI treats these prompts like raw reasoning traces and doesn’t want anyone distilling them. Plausible. But nobody’s demanding the model’s chain of thought — just the instruction one of your agents gave another, on hardware you own. Delivery to the model can stay encrypted; that has nothing to do with wiping the local record.
The fix nobody has shipped
The issue proposes a required plaintext task_message companion field: model still gets ciphertext, humans still get an audit trail. Maintainers haven’t responded. Still open.
You Might Also Like
- Openai Codex Record and Replay Demo a mac Task Once the Agent Repeats it Forever
- Hermes Agent by Nous Research Might be the Open Source ai Agent That Finally Remembers Everything
- Langchains gtm Agent Drove 250 More Conversions now the Framework Behind it is Open Source
- Openai Acquires Astral and now Controls the Tools 81k Python Developers Depend on
- Openai Codex Plugins Bring Slack Figma and Notion to 1 6 Million Developers

Leave a comment