Back to Home

Codex Just Made Multi-Agent Comms Invisible

Codex Just Made Multi-Agent Communication Invisible — And That's a Good Thing

OpenAI's Codex CLI just shipped a quiet but seismic change to how its multi-agent system works. Starting with PR #26210 — merged into main on June 5 — every message passed between agents in MultiAgentV2 is now encrypted end-to-end through the Responses API. The parent agent no longer sees what it told its children. The children can't peek at each other's instructions. The entire inter-agent conversation has gone opaque, and privacy advocates are cheering.

What Actually Changed

Before this PR, Codex's multi-agent v2 routed agent instructions through plaintext tool arguments and inter-agent context. If you spawned a worker agent, the task description was visible in rollout history, trace logs, and debug surfaces. You could read exactly what the parent instructed the child to do.

Not anymore. Here's what the new message flow looks like:

  • The model calls a v2 tool (spawn_agent, send_message, followup_task) with a "message" argument — but that value is now ciphertext.
  • Codex stores the task as encrypted inter-agent communication: the "content" field is empty, and "encrypted_content" holds the ciphertext.
  • When building the recipient request, Codex forwards the ciphertext using a new "encrypted_content" input item type in the Responses API.
  • Only Responses decrypts it internally for the recipient model. No one else — not the developer, not the audit log, not the parent agent — can read it.

Privacy First, Debugging Second

The reasoning is straightforward: agent workflows are increasingly being used in sensitive environments — code review, financial analysis, internal tooling — where the content of inter-agent communication shouldn't be visible to anyone but the intended recipient. Making that content human-readable in logs was a liability waiting to be exploited.

But the trade-off is real. The GitHub issue tracker already has developers raising concerns about the loss of auditability. Issue #28058, filed by ignatremizov, spells it out clearly: developers can no longer answer basic questions like "What task did this spawn_agent call give the child agent?" or "Why did a child thread exist when reviewing a rollout after the fact?"

The Bigger Picture

This move signals something bigger than just a security patch. It's OpenAI drawing a line in the sand: multi-agent systems are evolving from debugging curiosities into production infrastructure, and production infrastructure needs encryption-by-default. The days of transparent agent chit-chat are over.

For developers building on Codex, this means adapting workflows. Debugging now requires explicit opt-in from the agent itself rather than passive log inspection. Trace reduction and parent-side audit surfaces need new approaches. But for everyone else — the users deploying AI agents in real-world environments — this is the kind of hardening that makes multi-agent systems viable outside of a sandbox.

What's Next

The PR landed with 4 commits, 22 passing checks out of 31, and a "regenerate" iteration before final merge. It's already live in any build post-0.137.0 with MultiAgentV2 enabled. If you haven't updated your Codex CLI yet, you're about to see your first encrypted agent handoff — and you won't be able to read a word of it.

That's exactly the point.

Comments

No comments yet. Be the first to share your thoughts!