# Codex now encrypts messages passed to subagents

> Source: <https://github.com/openai/codex/issues/28058>
> Published: 2026-07-11 10:06:40+00:00

-
[Notifications](/login?return_to=%2Fopenai%2Fcodex)You must be signed in to change notification settings -
[Fork 14.4k](/login?return_to=%2Fopenai%2Fcodex)

# Regression: encrypted MultiAgentV2 messages remove readable task audit trail #28058

[CLIIssues related to the Codex CLI](https://github.com/openai/codex/issues?q=state%3Aopen%20label%3A%22CLI%22)Issues related to the Codex CLI

[bugSomething isn't working](https://github.com/openai/codex/issues?q=state%3Aopen%20label%3A%22bug%22)Something isn't working

[subagentIssues involving subagents or multi-agent features](https://github.com/openai/codex/issues?q=state%3Aopen%20label%3A%22subagent%22)Issues involving subagents or multi-agent features

## Description

### What version of Codex CLI is running?

Upstream `main`

after [#26210](https://github.com/openai/codex/pull/26210) (`Encrypt multi-agent v2 message payloads`

, merged 2026-06-05). This appears to affect versions that include that change and enable MultiAgentV2 (post-0.137.0).

### What subscription do you have?

Not subscription-specific.

### Which model were you using?

Not model-specific. This concerns MultiAgentV2 `spawn_agent`

, `send_message`

, and `followup_task`

message handling.

### What platform is your computer?

Not platform-specific.

### What terminal emulator and version are you using (if applicable)?

Not terminal-specific.

### Codex doctor report

Not applicable. The regression is visible from the merged code behavior in [#26210](https://github.com/openai/codex/pull/26210) rather than from local environment state.

### What issue are you seeing?

[#26210](https://github.com/openai/codex/pull/26210) makes MultiAgentV2 agent task/message payloads opaque to Codex by marking the model-facing `message`

parameter as encrypted, storing only `InterAgentCommunication.encrypted_content`

, and leaving `InterAgentCommunication.content`

empty.

The encrypted delivery path is understandable as privacy hardening, but it also removes the human-readable task/message text from local rollout history, trace reduction, and parent-side audit/debug surfaces. That makes it difficult to answer basic questions such as:

- What task did this
`spawn_agent`

call give the child agent? - What message was sent to a subagent?
- Why did a child thread exist when reviewing a rollout after the fact?

This is different from [#26753](https://github.com/openai/codex/issues/26753), which reports request validation failures for encrypted tool schemas. This issue is about auditability and debuggability after the encrypted schema is accepted.

### What steps can reproduce the bug?

- Use a build containing
[Encrypt multi-agent v2 message payloads #26210](https://github.com/openai/codex/pull/26210)with MultiAgentV2 enabled. - Have the model call
`spawn_agent`

,`send_message`

, or`followup_task`

. - Inspect the parent rollout/history/trace for the subagent task.
- The task/message content is hidden behind ciphertext rather than being available as human-readable audit text.

### What is the expected behavior?

Codex should preserve a human-readable, structured audit copy of the subagent task/message while still allowing encrypted delivery to the recipient model.

A possible shape is to keep the encrypted `message`

field for model delivery, but add a separate non-encrypted audit field for the readable task text. The audit field should be persisted in rollout/history/trace metadata so users and maintainers can inspect what was delegated without needing to decrypt model-delivery ciphertext.

### Additional information

Related PR/issues:

- Encryption change:
[Encrypt multi-agent v2 message payloads #26210](https://github.com/openai/codex/pull/26210) - Related but distinct schema-validation issue:
[MultiAgentV2 encrypted spawn_agent schema returns 400: model not configured for encrypted tool use #26753](https://github.com/openai/codex/issues/26753)

The goal is not necessarily to revert encrypted delivery. The concern is that encrypted delivery should not fully remove local human auditability for subagent delegation.

## Metadata

## Metadata

### Assignees

### Labels

[CLIIssues related to the Codex CLI](https://github.com/openai/codex/issues?q=state%3Aopen%20label%3A%22CLI%22)Issues related to the Codex CLI

[bugSomething isn't working](https://github.com/openai/codex/issues?q=state%3Aopen%20label%3A%22bug%22)Something isn't working

[subagentIssues involving subagents or multi-agent features](https://github.com/openai/codex/issues?q=state%3Aopen%20label%3A%22subagent%22)Issues involving subagents or multi-agent features
