OpenAI hides Codex agent instructions behind encryption, leaving developers in the dark
Developers worry encrypted MultiAgentV2 messages will make debugging and auditing harder
AI and ML
OpenAI hides Codex agent instructions behind encryption, leaving developers in the dark
Developers worry encrypted MultiAgentV2 messages will make debugging and auditing harder
OpenAI has never been as open as its name suggests and is becoming even less so.
The free-spending AI giant recently revised the multi-agent orchestration in its Codex command line interface to encrypt messages passed to subagents.
OpenAI's Codex supports multi-agent orchestration, a way to have a parent agent spawn child agents or delegate tasks to other agents that may call out to different models.
Codex/GPT-5.6 introduced a protocol called multi-agent v2 that appears to be geared toward letting the runtime allocate work instead of leaving those decisions to user-declared configuration settings.
Multi-agent v2 is still under development and OpenAI hasn't formally documented it yet. Developers, however, have observed changes made to Codex to accommodate the new agent plumbing – and some are concerned by the new arrangements.
Last month, OpenAI devs merged a pull request (a suggested code change) to encrypt multi-agent v2 message payloads – the text instruction passed between agents. The pull request prefaces its explanatory text with the word "Why" but doesn't actually offer a reason for the change.
It states: "Multi-agent v2 currently routes agent instructions through normal tool arguments and inter-agent context. That means the parent model can emit plaintext task text, Codex can persist it in history/rollouts, and the recipient can receive it as ordinary assistant-message JSON.
"This changes the v2 path so agent instructions stay encrypted between model calls: Responses [An OpenAI API - Ed] encrypts the message argument returned by the model, Codex forwards only that ciphertext, and Responses decrypts it internally for the recipient model."
A desire to enhance privacy and security, or conceal data that would be useful for model distillation, are sound reasons for these changes. Yet OpenAI has not said why it made the change.
In the absence of clear communication from OpenAI, developers have urged the company to ensure that its implementation doesn't sacrifice auditability to accommodate other concerns.
An issue opened by Ignat Remizov, CTO at payment service Zolvat, says, "The encrypted delivery path is understandable as privacy hardening, but it also removes the human-readable task/message text from local rollout history, trace reduction, and parent-side audit/debug surfaces."
Remizov's concern is that developers and code maintainers will have less information to assess the instructions an agent received and the actions it took.
"Guys, we don’t want to build Skynet and then be unable to audit what it’s doing," he quips.
Other developers, echoing Remizov's concern about the loss of observability, speculate that OpenAI has locked its agent messaging down to keep competitors from seeing how its multi-agent implementation works.
OpenAI did not immediately respond to a request for comment. ®
Originally published on The Register

