Codex 开始对提示词进行加密,并使用密文进行推理。
Codex starts encrypting sub-agent prompts

原始链接: https://github.com/openai/codex/issues/28058

**摘要:MultiAgentV2 中的可审计性回归问题 (PR #26210)** PR #26210 为 `MultiAgentV2` 操作(`spawn_agent`、`send_message`、`followup_task`)引入了负载加密,这导致本地汇总历史记录、跟踪信息和审计日志中不再包含人类可读的内容。由于 `InterAgentCommunication` 对象中的明文负载被不透明的密文所取代,系统目前无法让用户和维护人员检查子智能体任务或消息历史,从而阻碍了必要的调试与监管工作。 虽然加密对于传输过程中的隐私保护是有益的,但目前的实现方式导致操作透明度不足。为解决此问题,系统应采用双重结构:在保留用于安全模型交付的加密字段的同时,为日志和元数据添加非加密的审计字段。这将允许用户在无需解密面向模型负载的情况下,审查任务委派和智能体行为。此问题与模式验证错误不同,专门针对 0.137.0 版本发布后对保持人类可读审计追踪的需求。

OpenAI 的 Codex 已开始加密从主“编排”代理发送给子代理的提示词。这一变化出现在 Sol 和 Terra 等模型中,它掩盖了这些指令,使得只有 OpenAI 的后端能够查看。 Hacker News 上的社区讨论表明,此举很可能是为了保护 OpenAI 的知识产权——特别是其多智能体编排技术,并防止竞争对手提炼其模型,或阻止非法经销商抓取其服务。 开发者对此举感到不满,他们指出这制造了一个“黑箱”,妨碍了必要的审计和故障排查。当子代理表现异常时,用户无法再通过检查初始提示词来优化或调试流程。批评者认为,此举将维护企业的“护城河”置于开发者的实用性和可靠性之上。尽管一些人认为这是向类似 SaaS 的封闭系统发展的必然演变,但另一些人则将其视为透明度的一种倒退,使 AI 编程栈在生产环境中的可靠性降低。一些用户表示,这种转变以及对内省式审计功能的丧失,正促使他们去探索替代模型或本地解决方案。
相关文章

原文

What version of Codex CLI is running?

Upstream main after #26210 (Encrypt multi-agent v2 message payloads, merged 2026-06-05). This appears to affect versions that include that change and enable MultiAgentV2 (post-0.137.0).

What subscription do you have?

Not subscription-specific.

Which model were you using?

Not model-specific. This concerns MultiAgentV2 spawn_agent, send_message, and followup_task message handling.

What platform is your computer?

Not platform-specific.

What terminal emulator and version are you using (if applicable)?

Not terminal-specific.

Codex doctor report

Not applicable. The regression is visible from the merged code behavior in #26210 rather than from local environment state.

What issue are you seeing?

#26210 makes MultiAgentV2 agent task/message payloads opaque to Codex by marking the model-facing message parameter as encrypted, storing only InterAgentCommunication.encrypted_content, and leaving InterAgentCommunication.content empty.

The encrypted delivery path is understandable as privacy hardening, but it also removes the human-readable task/message text from local rollout history, trace reduction, and parent-side audit/debug surfaces. That makes it difficult to answer basic questions such as:

  • What task did this spawn_agent call give the child agent?
  • What message was sent to a subagent?
  • Why did a child thread exist when reviewing a rollout after the fact?

This is different from #26753, which reports request validation failures for encrypted tool schemas. This issue is about auditability and debuggability after the encrypted schema is accepted.

What steps can reproduce the bug?

  1. Use a build containing Encrypt multi-agent v2 message payloads #26210 with MultiAgentV2 enabled.
  2. Have the model call spawn_agent, send_message, or followup_task.
  3. Inspect the parent rollout/history/trace for the subagent task.
  4. The task/message content is hidden behind ciphertext rather than being available as human-readable audit text.

What is the expected behavior?

Codex should preserve a human-readable, structured audit copy of the subagent task/message while still allowing encrypted delivery to the recipient model.

A possible shape is to keep the encrypted message field for model delivery, but add a separate non-encrypted audit field for the readable task text. The audit field should be persisted in rollout/history/trace metadata so users and maintainers can inspect what was delegated without needing to decrypt model-delivery ciphertext.

Additional information

Related PR/issues:

The goal is not necessarily to revert encrypted delivery. The concern is that encrypted delivery should not fully remove local human auditability for subagent delegation.

联系我们 contact @ memedata.com