OpenAI has modified the command-line application Codex so that messages between AI agents are now transmitted encrypted and are no longer readable locally. The change, merged in June, affects Multi-Agent Version 2 with the tools spawn_agent, send_message, and followup_task. Developers can no longer track which tasks an agent has delegated to another.
Update encrypts three central tools of the Codex CLI
The basis of the change is a pull request in the official Codex repository, which an OpenAI developer merged on June 5, 2026. Before the change, task text between agents traveled in plaintext through tool arguments and history logs. Since then, OpenAI’s Responses service encrypts the message argument, Codex forwards only the ciphertext, and Responses decrypts it internally for the receiving model. The three tools spawn_agent, send_message, and followup_task of Multi-Agent Version 2 are affected; the older Version 1 remains unchanged. Local message objects now show an empty plaintext field, while the actual content is stored only in encrypted form. Developers who run Codex through their own interfaces or scripts thereby lose direct access to the task descriptions an agent sends to a subordinate agent.
Developers say they lack verifiability for delegated tasks
Software developer Ignat Remizov, who describes himself as technical lead at the company Zolvat, reported the problem on June 13, 2026, in a GitHub issue as a regression. His concern is not the encryption itself but the loss of local traceability: users can no longer determine which task was assigned to a newly spawned sub-agent or what message was sent to it. Remizov proposes keeping the encrypted message field for model transmission while additionally storing a separate, unencrypted audit field for the readable task description in the history data. For teams running Codex in regulated industries, this means internal evidence of automatically delegated work steps can no longer be reconstructed in full from local logs. More than a month after the report, the issue remains open; a statement from OpenAI staff is still missing from the discussion thread.
Trade press and developer forums criticize lack of transparency
In mid-July, several trade publications picked up the open GitHub issue and framed it as a governance problem. Industry analyst Pareekh Jain of Pareekh Consulting warned in InfoWorld that without insight into how agents delegate and execute tasks, it would become harder to audit decisions, investigate incidents, and demonstrate compliance. In parallel, a debate over the change unfolded on the discussion platform Hacker News. Several commenters noted they use Codex mostly through their own integrations rather than the official interface, and that the encryption makes debugging their own tooling harder. Other participants speculated about competitive motives behind the change. As of this article’s publication, OpenAI has not responded to the criticism either in the GitHub issue or in an official statement.
What matters now is whether OpenAI adopts Remizov’s proposal for a separate audit field or leaves the encryption as is. For companies using Codex in regulated industries such as financial services or healthcare for automated development steps, that decision determines whether delegated work can still be documented in full going forward. No specific date for a response from the company is known yet.


