- Message Encryption: Codex’s newer MultiAgentV2 path encrypts messages passed between agents while preserving recipient delivery.
- Local Record: The local object keeps unreadable ciphertext while its ordinary plaintext field remains empty.
- Audit Gap: A user-filed issue says developers may lose readable delegation records needed for audits and debugging.
- Proposed Remedy: A separate plaintext companion could restore local inspectability without rolling back encrypted delivery.
OpenAI’s coding agent, Codex, now encrypts MultiAgentV2 message payloads. According to a user-filed complaint, local history may lose readable task audit trails. On July 14, the encrypted-message audit complaint remained open with no linked fix. Codex users face a record-keeping issue involving messages between agents as a result.
OpenAI introduced the mechanism when it merged pull request #26210 on June 5. MultiAgentV2, Codex’s newer multi-agent messaging path, keeps encrypted text, or ciphertext, in the local message record. OpenAI’s service decrypts that text for the recipient. A child agent can receive its assignment while the developer lacks readable task text in local history, complicating audits and debugging.
OpenAI so far has not provided a response or resolution. for the issue which forces developers to distinguish agent handoffs from locally inspectable records of what Codex actually delegated.
How Codex Encrypts Messages
MultiAgentV2 marks parameters used by spawn_agent, send_message, and followup_task as encrypted. Each operation creates agents, sends messages, or assigns follow-up work. Codex places the task in encrypted_content with an empty plaintext content field instead of writing readable instructions into the parent context.
Recipient requests carry the ciphertext in an agent_message item through the Responses API, the service path to the model. OpenAI’s service decrypts it then for the recipient model. Encrypted items persist across history, rollout, compaction, telemetry, and app-server schema paths, while MultiAgentV1 remains unchanged. Model delivery and a readable durable record are separate properties.
Once the service decrypts an agent_message, the recipient model can act on it during the run. Local persistence gives a developer evidence of what instruction crossed the agent boundary after the model has responded. A completed handoff alone cannot reveal whether an unexpected result followed the assigned task or diverged from it.
Under the reported behavior, Codex history conversion selects encrypted_content whenever that field is present. A transient plaintext value would not create a readable saved ResponseItem.
Debuggers could see that delegation occurred but lack the instruction needed to determine whether the problem began with a bad task, misunderstood follow-up, or later execution error. MultiAgentV2-enabled Codex CLI builds following version 0.137.0 may be affected.
User Ignatremizov, who opened the issue on GitHub, argues that encrypted delivery and local accountability should coexist:
“The goal is not necessarily to revert encrypted delivery. The concern is that encrypted delivery should not fully remove local human auditability for subagent delegation.”
ignatremizov, GitHub issue author (via GitHub)
The Missing Audit Copy Is Still Only a Proposed Fix
In May 2026, OpenAI documented Codex’s ability to export operational details that help maintainers reconstruct activity around a run. Its OpenTelemetry export, based on a standard for operational traces, can capture user prompts, tool approvals, tool results, Model Context Protocol server use, and network-proxy decisions. Codex logs could also associate endpoint alerts with the surrounding request, tool activity, approval decisions, results, and network-policy events.
Readable delegation records perform a different job. Tool telemetry identifies actions and surrounding events, but it does not reproduce the task that created a child thread or the message sent between agents. Without both pieces, a maintainer can identify what a child agent did yet still be unable to compare the result with its assignment.
OpenAI’s more recent work on automated Codex agent orchestration increases the practical value of reconstructing handoffs. Automated dispatch can place more task boundaries between the user’s request and the final output. Exact instructions at each boundary help maintainers investigate a failure.
Ignatremizov’s proposed remedy would retain encrypted recipient delivery while adding a bounded plaintext companion for local rollout, history, trace, and debugging records. No shipped correction currently provides that copy. A linked Codex patch that writes the companion into local history without changing encrypted delivery would provide the first verifiable resolution.


