TL;DR
– Codex CLI’s MultiAgentV2 now encrypts all sub-agent instructions in local logs after PR #26210 (merged June 5, 2026), leaving developers with unreadable ciphertext where task descriptions used to be.
– Only OpenAI’s Responses backend can decrypt these messages. Your local client, your audit tools, and even the parent agent itself cannot recover plaintext.
– For GPT-5.6 Sol and Terra models, the encryption is mandatory with no toggle to disable it.
– GitHub Issue #28058 remains open, asking OpenAI to add a plaintext audit companion field alongside the encrypted payload.
Codex MultiAgentV2 encrypts agent instructions between parent and sub-agents as of PR #26210, merged June 5, 2026. The Responses API encrypts task text in the cloud, sends only ciphertext to your local Codex client. And decrypts it internally for the recipient model. You cannot read what one agent told another. Neither can the parent agent that wrote the instruction. For anyone running Codex sub-agents in production, this is not a security update you asked for.
It is a forced regression in observability that breaks debugging, compliance, and audit workflows in a single merge.
What Changed in Codex MultiAgentV2?
MultiAgentV2 used to route agent instructions through normal tool arguments and inter-agent context in plaintext.
You could open session history and read exactly what the parent told each sub-agent. Codex persisted those messages in history and rollouts. Recipients received them as ordinary assistant-message JSON that any developer tooling could parse and inspect.
PR #26210 changed that flow completely.
Now the model-facing `message` parameter is marked as encrypted. When the parent agent spawns a sub-agent, OpenAI’s Responses API encrypts the task text before it ever reaches your local context. Your Codex client receives ciphertext, stores it. And forwards that same ciphertext back to Responses when the sub-agent needs to read it. Responses decrypts the message internally for the recipient model.
The open-source Codex client has no way to recover the plaintext. The encryption happens inside OpenAI’s infrastructure. The decryption keys live there too. You get the encrypted blob and nothing else. And there is no local decryption path for developers, audit tools, or even the parent agent itself.
Why Can’t Developers Debug Sub-Agents Anymore?
Here is where it gets painful for anyone actually shipping multi-agent pipelines. When a sub-agent misbehaves, your first question is straightforward: what task did it actually receive? You open the session logs looking for the handoff between parent and child.
You find encrypted strings where readable instructions used to sit.
You can still see outcomes. Tools called, commands run, outputs produced. All of that remains visible in session history and telemetry. But the instruction that triggered the whole sequence is now opaque.
When the most basic debugging question is “what did you tell the agent to do?” and you cannot answer it from logs, you have a real operational problem.
Ignat Remizov, CTO at payment service Zolvat, filed GitHub Issue #28058 over exactly this.
He described the encryption path as “understandable as privacy hardening” but stressed that it “removes the human-readable task/message text from local rollout history, trace reduction. And parent-side audit/debug surfaces.” His proposed fix is simple and worth watching: add a plaintext audit companion field alongside the encrypted payload so developers can restore human-readable trails without weakening the privacy design. The issue remains open without a fix.
Is This a Security Feature or a Compliance Problem?
Several sources frame this as a regression in transparency rather than a new opt-in security feature. Developers did not receive a toggle or configuration option to keep sub-agent instructions readable. For the larger GPT-5.6 variants Sol and Terra, the encryption of sub-agent instruction payloads is mandatory.
There is no developer-facing switch to disable it.
If you build AI automation for clients in regulated industries, this is where the story gets serious.
Teams needing human-readable records of what instructions ran for review, safety checks, or contractual obligations now find that the local trail of delegation text is gone. You cannot produce an audit log of agent instructions because those instructions no longer exist in readable form on your infrastructure.
The parent agent itself no longer sees the exact instructions it handed to child agents. Children cannot peek at each other’s instructions either. Multi-agent communications are effectively invisible at the orchestration layer, and OpenAI holds the only key.
Here is what that means in practice.
If a client asks why your agent did something specific, you can pull up tool calls and command outputs. You cannot show the reasoning chain or the delegation text that set the whole thing in motion. For any shop doing client work under contracts that require auditability of automated decisions, Codex MultiAgentV2 just made your compliance posture materially worse.
What Should Small Operators Do Right Now?
My agency runs multi-agent pipelines for content and automation work. Losing visibility into inter-agent communication is not something I can absorb quietly. Here is what I recommend if you are in the same position.
First, capture instructions before they enter the encryption path.
Log the task text at your application layer before you pass it to Codex’s agent-spawning calls. If you control the orchestration code that dispatches sub-agents, you can record the plaintext instruction in your own logging system before Codex ever encrypts it. This is a workaround, not a fix. But it gives you an audit trail that does not depend on OpenAI’s backend cooperatively handing back plaintext it has decided to encrypt.
Second, stop relying on Codex’s internal session logs for compliance documentation. Those logs are now incomplete by design. Build your own logging at the tool and execution layers. Capture what tools were called, what commands ran, and what instructions your code dispatched. Treat Codex’s session history as a secondary signal, not your primary record.
Third, watch GitHub Issue #28058. If OpenAI ships a companion audit field, your logging strategy simplifies overnight.
Until then, plan as though you are on your own for observability.
Finally, evaluate whether Codex MultiAgentV2 belongs in regulated workloads at all right now. If your clients require full audit trails of AI-driven decisions, encrypted inter-agent communication may disqualify the tool from that scope of work. That is a difficult sentence to write since Codex is otherwise strong at multi-agent orchestration. But “strong” and “auditable” are different things, and right now Codex is only the first.
The irony is worth sitting with.
Codex remains open source. You can read every line of the client code on GitHub. You just cannot read what your own agents are saying to each other when they run on it. That asymmetry between code transparency and operational opacity is a design choice, not an accident. Think carefully before you build a business on top of infrastructure that can audit itself but will not let you audit it.
Sources
– The Register: OpenAI hides Codex agent instructions behind encryption, leaving developers in the dark
– 7minAI: Codex encrypts multi-agent prompts
– Tickrwire: OpenAI Codex encryption
– TLDevTech: Codex just made multi-agent comms invisible
