Codex starts encrypting sub-agent prompts

embedding-shape 413 points 244 comments July 14, 2026
github.com · View on Hacker News

Discussion Highlights (20 comments)

pshirshov

I wonder if they are gonna stop us from using gpt subscriptions in alternative harnesses. If not - that doesn't matter much, codex cli is a remarkably unremarkable harness.

pradeep1177

Then why to even keep codex open source?

minraws

~~Finally someone doing it correctly. Love this change.~~ Edit: F really misunderstood the change, the title is misleading AF. I should have read the post before commenting lmao. Absolutely hate it, now I guess... sigh.. Incase the title gets changed it used to say, "Codex starts encrypting prompts, uses ciphertext for inference instead"

flexagoon

Ah I was wondering why the Chinese black market resellers stopped working yesterday, I guess that's it

londons_explore

I assume this is mostly to frustrate efforts to proxy large numbers of user requests and responses and use it to train competitor models.

iknownothow

Could someone explain to me where exactly the encryption is happening? I assumed that the main agent makes calls to sub-agents locally. Does Codex work in such a way where the main agent makes calls to sub-agents in the backend (openai server) before reaching local?

xnorswap

HN Title is ( edit: was ) very misleading, it makes it sound like inference is being done directly on ciphertext, which would require homomorphic encryption well advanced of what is known.

mpeg

The title is a bit confusing, they're not using ciphertext for inference – they're passing ciphertext around in cases where an agent calls into another agent without exposing the plaintext to the end-user Inference is still done in plaintext after this multi-agent message gets decrypted in the server side

niam

This title is easy to misinterpret. If I understand correctly: Codex now encrypts sub-agent prompts and hides those prompts from the user. edit: originally was "Codex starts encrypting prompts, uses cyphertext for inference instead"

smalltorch

Using ciphertext for inference would mean it's not a very secure ciphertext. These two ideas don't compute for me. Same thing with homomorphic encryption. I don't get it. If you can gain any knowledge from a ciphertext, you just found a way to exploit the ciphertext to me.

fortuitous-frog

No normative opinion on whether this is justified or not, but noting that this is only for parent -> subagent spawns/messages, and only for the `multi_agent_v2` feature (currently experimental / off by default). Notably, subagent output is still in plaintext. EDIT: Title was now clarified. But wanted to expand that this is actually enabled for 5.6 Ultra it appears, which does subagent orchestration more natively in the API rather than direct tool calls; they are beginning to treat subagents as similar to chain-of-thought traces (already encrypted) rather than traditional tool calls.

next_xibalba

This is very obviously a countermeasure against distillers, illicit resellers, and the like. The scale and competence of the Chinese black (grey?) market has become a serious threat that can’t be ignored.

ashu1461

Is it mainly about how the main/orchestrator agent communicates with its subagents ? If desired the user can always see what the sub agent is doing in detail ? Isn't it the same in case of claude as well ?

jagged-chisel

“Starts”? How’s this not already a TLS connection?

resonious

I guess this implies that non-Codex harnesses get a little bit worse? In wondering what's so special about their subagents system that they feel the need to hide these messages...

jstummbillig

What's the idea here? Why does this seem important to OpenAI?

kosolam

But codex is opensource, no?

jiayo

If we're viewing this as a _bad_ thing, I don't really see that it is any different than how Claude encrypts it's thinking. Take a peek at your ~/.claude jsonl files. You're sending thinking ciphertext back and forth to Anthropic. Presumably the thinking is either considered proprietary, or, more likely, leaks embarrassing or confidential information.

nojito

If I were to guess this is to stop distilling and all of those blackmarket resellers.

greatgib

They always talk about transparency and all but it never was as opaque as it is going on now. There is no possible audit trail. No possible way to review what happened to validate the result. But even worse, no you will be billed somehow randomly. 20 sub agents started to do something we don't know. No way to now if it was legitimate, if it is just burning tokens or agents doing the same work on loop...

Semantic search powered by Rivestack pgvector
14,015 stories · 131,331 chunks indexed