Codex Sub-Agent Prompts Are Encrypted—So Where Did Your Debugging Trail Go?
Codex sub-agent prompts, encrypted prompts, and Codex MultiAgentV2 now collide with a hard engineering question: how do you protect agent messages without deleting the audit trail? The answer is not to turn encryption off. It is to keep encrypted delivery and store a bounded, local, human-readable audit record separately.
That distinction sounds obvious. It was not preserved by the initial implementation.
A Hacker News story about Codex encrypting sub-agent prompts was moving quickly today (218 points and 138 comments when checked). The underlying report is more precise—and more useful—than the headline: an encryption change in Codex's MultiAgentV2 path can make delegated task and message content opaque in history and traces. That is a debugging regression, not a reason to abandon encrypted agent-to-agent communication.
What happened to Codex sub-agent prompts?
According to Codex issue #28058, the behavior affects builds containing the MultiAgentV2 encryption change, merged June 5, 2026, when MultiAgentV2 is enabled (described in the report as post-0.137.0).
The reported flow is brutally simple:
- A parent agent delegates work or sends a follow-up.
- The model-facing
messagepayload is encrypted. - The encrypted value is stored as
encrypted_content. - The ordinary
contentfield is left empty. - Later, the rollout/history/log path has ciphertext where an engineer expects the instruction that was delegated.
Encryption did its job: the recipient-model path gets protected payload. But observability got kneecapped: the person trying to answer “what exactly did we ask this sub-agent to do?” does not get a readable answer.
Why encrypted prompts are not the bug
Let's be exact. Encrypting agent-to-agent traffic can be a sane privacy boundary. Delegated tasks may include repository context, customer data, incident notes, or instructions you do not want copied indiscriminately through every model-facing surface.
The bad design is treating the delivery representation as the only representation.
A ciphertext blob is a fine transport artifact. It is a terrible operational record.
When an agent system fails, you need to reconstruct a chain of decisions:
- Which agent was assigned the task?
- What was it told to investigate?
- Was the follow-up instruction malformed?
- Did the task expand after a retry?
- Which message caused the bad change?
If your trace viewer answers every one of those questions with opaque payloads, you built a secure black box. Congratulations: it is equally hard for attackers and your on-call engineer to inspect.
How to keep encrypted delivery and a readable audit trail
The issue proposes the right architecture: split the message into two deliberately different fields.
transport_message: encrypted ciphertext for the recipient model
message_text: bounded plaintext audit metadata for local history
The source report suggests keeping the encrypted message for delivery while adding a required plaintext companion such as task_message for spawn_agent and message_text for send_message / followup_task.
That is the contract every multi-agent framework should make explicit:
| Concern | Correct representation |
|---|---|
| Recipient model input | encrypted payload |
| Local rollout/history UI | readable, bounded audit text |
| Trace correlation | ciphertext or message ID |
| Incident investigation | audit text plus IDs, timestamps, and actor metadata |
Do not derive the audit record later by decrypting production traces. That turns every trace viewer into a decryption client and expands the blast radius. Write the audit metadata at the handler boundary—where the plaintext still exists—and protect its storage, access controls, retention, and redaction as first-class security concerns.
How to debug Codex MultiAgentV2 safely
If your Codex runs use MultiAgentV2, test both sides of the contract. A passing agent run is not enough.
1. Capture a delegated task
Create a run that exercises all three operations:
spawn_agent("inspect the auth retry bug")
send_message(child, "focus on the token refresh branch")
followup_task(child, "add a regression test")
2. Assert the recipient path is encrypted
The recipient model input should contain the encrypted transport value, not the audit copy. If the local audit field leaks into model input, you have defeated the boundary you just claimed to build.
3. Assert history stays readable
Your rollout UI and structured logs should show a concise, plaintext audit record for each operation. The report notes that simply populating runtime content is not sufficient if the conversion/persistence path still emits the encrypted version.
4. Put a hard cap on audit text
Audit fields are not an excuse to copy an unbounded context window into logs. Apply the same—or stricter—size limit as the corresponding delegated message. Redact known secrets before persistence.
5. Test the failure case
The regression test should prove both properties at once:
assert recipient_input.message == encrypted_payload
assert rollout_event.message_content == readable_audit_text
assert rollout_event.message_content != encrypted_payload
That third assertion matters. Otherwise someone will "fix" observability by dumping ciphertext into a field with a comforting name.
The engineering rule: security boundaries need observability boundaries
The industry is rushing to make agents delegate more work. That makes inter-agent messages infrastructure, not implementation detail. Infrastructure needs two things simultaneously:
- a confidentiality model for transport and model inputs;
- an observability model for operators who must debug the system.
One cannot be an accidental side effect of the other.
The healthy version of this design has separate retention and access policies too. A recipient model may need a ciphertext payload for a short-lived task. An auditor may need a redacted summary for longer. An incident responder may need privileged access to fuller local metadata. Those are different actors with different needs; collapsing them into one message field is how systems become impossible to reason about.
Bottom line
"Codex encrypts sub-agent prompts" is a clickable headline. The durable lesson is sharper: never let a transport-security upgrade silently erase the evidence needed to operate the system.
Keep the delivery payload encrypted. Persist a bounded, access-controlled, human-readable audit copy locally. Test both paths. Anything less is agent orchestration by vibes.
Top comments (0)