Codex starts encrypting sub-agent prompts
425 points
• 3 days ago
• Article
Link
在为 MultiAgentV2 消息引入加密负载传输后,Codex CLI 出现了显著的回归问题。尽管 pull request #26210 的加密更新旨在增强隐私性,但它无意中消除了对 agent 任务的人类可读审计链。将主要消息内容标记为已加密后,系统在本地历史、 trace 日志和 parent-side debug 界面中不再显示纯文本的任务细节。
该改动导致开发者无法方便地查看分派给 subagents 的具体任务,增加了调试工作流的难度,也让人在 rollout 期间难以弄清为何会启动某些 child threads 。目前系统只在加密字段中保存通信负载,而可读内容字段被保空。因此用户在查看交互历史时看到的只是不可读的 ciphertext,而不是实际发送给 subagents 的指令。
拟议的解决方案是在继续保留 model 所需的加密传输路径的同时,引入一个用于审计的强制性非加密纯文本伴随字段。通过为任务提供明文字段,系统既能保持对模型的安全传输支持,又能为开发者保留可见性。该审计字段应持久化到本地历史和 trace 元数据中,确保用户无需解密主负载就能随时检查被委派的指令。
用户对当前实现表示强烈不满,指出这使得高级 agent 功能难以使用和维护。鉴于部分 frontier models 现在强制采用 MultiAgentV2 及其加密 schema,可观测性的丧失已不再是可选权衡,而成为限制性的默认行为。社区普遍认为,健全的 introspection 对于运维透明至关重要,隐藏 agent 指令并未带来实质性的安全收益,反而妨碍了高效开发。
A significant regression has been identified in the Codex CLI following the implementation of encrypted payload delivery for MultiAgentV2 messages. While the encryption update, introduced in pull request #26210, aims to improve privacy, it inadvertently removes the human-readable audit trail for agent tasks. By marking the primary message content as encrypted, the system no longer displays plain-text task details in local history, trace logs, or parent-side debug interfaces.
This change prevents developers from easily inspecting what tasks are being delegated to subagents, making it difficult to debug workflows or understand why specific child threads were initialized during a rollout. Currently, the system stores the communication payload solely in an encrypted field, leaving the readable content field empty. Consequently, when users attempt to review their interaction history, they are presented with opaque ciphertext instead of the instructions actually sent to the subagents.
The proposed solution involves maintaining the encrypted delivery path for the model while simultaneously introducing a mandatory, non-encrypted plaintext companion field for auditing purposes. By including a clear text field for tasks, the system could preserve visibility for developers without compromising the secure delivery mechanism required by the model. This audit field would be persisted in local history and trace metadata, ensuring that users can inspect delegated instructions at any time without needing to decrypt the primary payload.
Users have expressed deep frustration with the current implementation, noting that it renders advanced agent features difficult to use and maintain. With certain frontier models now forcing the use of MultiAgentV2 and its encrypted schema, the loss of observability is no longer an optional tradeoff but a restrictive default. The consensus among the community is that robust introspection is essential for operational transparency, and that concealing agent instructions hinders effective development rather than providing meaningful security.
250 comments • Comments Link
Codex 已开始对从 main agents 发送到 sub-agents 的 prompts 进行加密,以阻止用户检查这些自动化工作流中下发的指令。
这种加密并不能防止 OpenAI 自行查看数据,因为后端保留了解密并对 prompts 进行推理所需的密钥;它的效果更多是将这些内部操作细节对终端用户隐藏起来。
其战略动机似乎是多方面的:既要保护专有的编排方法(即模型如何高效管理 sub-agent 任务的"secret sauce"),又要防止第三方对模型进行蒸馏并在黑市转售。
开发者认为,这一做法剥夺了关键的透明性,降低了工具的可用性,因为用户无法再审计或调试 sub-agent 执行前的推理轨迹。
随着越来越多复杂且具有随机性的 agentic systems 被使用,观测能力的下降与这种使用之间出现了明显的紧张关系,人们开始担忧这些"black-box"系统的性能和成本难以验证。
一些参与者指出,这一趋势反映了行业向"appliance-like" AI 界面转变的方向,在这种模式下,用户被鼓励不去理解底层逻辑,而只是消费最终产出。
值得注意的是,这种加密专门针对 parent-to-subagent 的通信,而将其他会话数据保留为明文,表明其采取了一种有针对性的做法来封锁专有的编排工作流。
人们把这种做法与 Claude 等其他平台进行了比较——在这些平台上,类似的专有"思考"轨迹也被遮蔽——这标志着整个行业正从早期 LLM APIs 的透明性向更封闭的方向转变。
围绕该公告产生的困惑(最初许多人误以为这是朝同态加密方向发展)凸显了开发者对 AI 工具中隐私与可验证性的强烈需求。
虽然有人为此辩护,认为这是应对资源密集型爬取和非法市场行为的必要措施,但另一些人则视其为不可接受的倒退,认为这会迫使用户依赖专有的 harnesses,限制用户的主体性。
总体讨论反映出对转向不透明 agentic AI 工作流的深刻怀疑。尽管提供商将这些变化描述为保护竞争优势并减轻爬取等风险的必要手段,许多开发者却认为这是敌对行为,损害了审计与调试 AI 的能力,并阻碍了将 AI 安全地集成到生产环境中的努力。普遍观点是,透明性是构建可靠软件的基本要求,而对 agent prompts 的加密意味着从协作性的 "white-box" 开发时代向更具限制性、易被供应商锁定的生态系统的转变。 • Codex has begun encrypting the prompts sent from main agents to sub-agents, preventing users from inspecting the instructions being dispatched in these automated workflows.
• This encryption does not secure data against OpenAI, as the backend retains the keys to decrypt and process the prompts for inference; rather, it effectively hides these internal operational details from the end-user.
• The strategic motivation appears to be a combination of protecting proprietary orchestration methods—the "secret sauce" of how models effectively manage sub-agent tasks—and preventing third-party model distillation and black-market reselling.
• Developers argue that this change degrades the utility of the tool by removing critical transparency, as users can no longer audit or debug the reasoning traces that precede sub-agent actions.
• There is a clear tension between the growing use of complex, stochastic agentic systems and the loss of observability, leading to concerns about "black-box" systems that make it difficult to verify performance or costs.
• Some participants suggest this trend reflects an industry-wide move toward "appliance-like" AI interfaces, where users are discouraged from understanding the underlying logic in favor of just consuming a finished output.
• The encryption specifically targets parent-to-subagent communication, while leaving other session data in plaintext, suggesting a surgical approach to closing off proprietary orchestration workflows.
• Comparisons were drawn to other platforms like Claude, where similar proprietary "thinking" traces are obscured, marking a broader shift away from the early transparency of LLM APIs.
• The confusion surrounding the announcement—initially misinterpreted by many as a move toward homomorphic encryption—highlights the intense desire among developers for privacy and verifiability in AI tooling.
• While some defend the change as a necessary measure against resource-intensive scraping and illicit market practices, others view it as an unacceptable regression that forces reliance on proprietary harnesses and limits user agency.
The discussion reflects a deep skepticism regarding the shift toward opaque, agentic AI workflows. While providers frame these changes as necessary for protecting competitive advantages and mitigating risks like data scraping, many developers perceive it as a hostile move that compromises the ability to audit, debug, and safely integrate AI into production environments. The prevailing sentiment is that transparency is a fundamental requirement for building reliable software, and the move to encrypt agent prompts marks a departure from the collaborative, "white-box" era of development toward a more restrictive, vendor-locked ecosystem.