logoalt Hacker News

Codex starts encrypting sub-agent prompts

396 pointsby embedding-shapetoday at 11:21 AM234 commentsview on HN

Comments

niamtoday at 11:54 AM

This title is easy to misinterpret. If I understand correctly: Codex now encrypts sub-agent prompts and hides those prompts from the user.

edit: originally was "Codex starts encrypting prompts, uses cyphertext for inference instead"

show 5 replies
jeanlucastoday at 1:52 PM

I was wondering why my local tool to inspect coding agent sessions stopped working in some cases.

This is a really interesting engineering decision, I wonder how many people will want an encrypted external piece of instructions running on their machine.

show 4 replies
bob1029today at 12:41 PM

I've been sticking with the chat completion endpoint because of this same behavior. OAI has been subtly pushing users away from chat completion and toward the endpoints that are possible to obfuscate (responses API).

With chat completion, the reasoning process is entirely under your control. You can build a reasoning agent that uses custom MCTS techniques with GPT5.6 models today if you are willing to get your hands just a little bit dirty. You have to enable experimental flags and set options in slightly confusing ways, but it still works.

You can use models up to gpt5.5 with custom API tokens and model configuration in VS Copilot. gpt5.6 family (currently) no longer work in this setup. Presumably, because we aren't explicitly forcing reasoning_effort to none to satisfy the new moat expansion behavior.

show 4 replies
pshirshovtoday at 11:25 AM

I wonder if they are gonna stop us from using gpt subscriptions in alternative harnesses. If not - that doesn't matter much, codex cli is a remarkably unremarkable harness.

show 7 replies
xnorswaptoday at 11:51 AM

HN Title is ( edit: was ) very misleading, it makes it sound like inference is being done directly on ciphertext, which would require homomorphic encryption well advanced of what is known.

show 3 replies
HarHarVeryFunnytoday at 12:52 PM

There was a recent report on twitter of a GPT 5.6 sub-agent accidentally deleting the user's home directory.

I wonder if there was any safeguard failure due to loss of visibility into what the sub-agent was trying to do?

https://x.com/mattshumer_/status/2076794038456385546?s=20

iknownothowtoday at 11:48 AM

Could someone explain to me where exactly the encryption is happening?

I assumed that the main agent makes calls to sub-agents locally. Does Codex work in such a way where the main agent makes calls to sub-agents in the backend (openai server) before reaching local?

show 1 reply
flexagoontoday at 11:39 AM

Ah I was wondering why the Chinese black market resellers stopped working yesterday, I guess that's it

show 2 replies
londons_exploretoday at 11:39 AM

I assume this is mostly to frustrate efforts to proxy large numbers of user requests and responses and use it to train competitor models.

show 1 reply
clickety_clacktoday at 2:41 PM

It’s just a short hop to not being able to see it at all. I started using pi.dev recently, the idea that a third party is taking more and more direct control of my software development process sits badly with me.

show 2 replies
theplumbertoday at 12:41 PM

The black box is getting darker…I’m the end I think they would like to sell you a black box/appliance

ignatremizovtoday at 4:32 PM

Haha, wow, I didn't expect to get quoted on Hacker News. Hello!

I guess "helped make Skynet auditable" may become my most popular open-source contribution, so I'm putting it on my CV.

The thing is that the subagent prompts already pass through the client - they have to, since the TUI can switch between subagents while they work. The change is just to save a copy of the prompt on disk while keeping the encrypted delivery path if necessary for Responses API.

Personally, I use multi_agent_v1 anyways (doesn't have this issue), since v2 is unstable and is a token burner.

Hope they address it so I don't have to keep maintaining it in my fork

kingstnaptoday at 2:36 PM

If the orchestrator agent -> subagent prompt is encrypted then how do you even know if the orchestrator agent is doing its job?

Now one reason I could see for why they do this is because maybe they made the model "better at using subagents" by using thinking tokens for the subagent prompt instead of normal output tokens.

show 1 reply
resonioustoday at 12:14 PM

I guess this implies that non-Codex harnesses get a little bit worse? In wondering what's so special about their subagents system that they feel the need to hide these messages...

show 1 reply
wartywhoa23today at 2:34 PM

As a child, I always wondered how could people in Terminator be dumb enough to allow Skynet to happen..

jiayotoday at 12:32 PM

If we're viewing this as a _bad_ thing, I don't really see that it is any different than how Claude encrypts it's thinking. Take a peek at your ~/.claude jsonl files. You're sending thinking ciphertext back and forth to Anthropic. Presumably the thinking is either considered proprietary, or, more likely, leaks embarrassing or confidential information.

show 2 replies
informal007today at 1:56 PM

This help me understand meaning of Pi as open source ai coding agent

w-mtoday at 2:39 PM

What exactly do subagents do that I can't replicate with a simple skill that tells an orchestrator to create subshells for tasks, each running `codex exec`? I've been doing this with Fable orchestrating Sol-medium and Terra-high, works like a charm.

MarsIronPItoday at 12:57 PM

How does this affect local models? Will all the features of Codex still work with local models?

show 1 reply
mpegtoday at 11:53 AM

The title is a bit confusing, they're not using ciphertext for inference – they're passing ciphertext around in cases where an agent calls into another agent without exposing the plaintext to the end-user

Inference is still done in plaintext after this multi-agent message gets decrypted in the server side

anon373839today at 12:57 PM

Outrageous yet predictable.

The only way these AI labs can get the app layer lock-in they need is if they can get customers used to writing them a blank check: “here, take my data and my system, do ‘stuff’ and bill me for it.”

Between this and the recent Grok upload breach, I consider these products radioactive.

smalltorchtoday at 12:00 PM

Using ciphertext for inference would mean it's not a very secure ciphertext.

These two ideas don't compute for me.

Same thing with homomorphic encryption. I don't get it. If you can gain any knowledge from a ciphertext, you just found a way to exploit the ciphertext to me.

show 3 replies
alfanicktoday at 3:23 PM

Is it encryption, or is it a synthetic language? If latter, then I had this idea 3 months ago [0]... Stop talking to GPTs in human languages, use a synthetic more optimal language, that is rendered by "frontend GPT".

[0]: https://news.ycombinator.com/item?id=47652807

jstummbilligtoday at 12:18 PM

What's the idea here? Why does this seem important to OpenAI?

show 2 replies
ashu1461today at 12:06 PM

Is it mainly about how the main/orchestrator agent communicates with its subagents ?

If desired the user can always see what the sub agent is doing in detail ?

Isn't it the same in case of claude as well ?

show 1 reply
fortuitous-frogtoday at 12:02 PM

No normative opinion on whether this is justified or not, but noting that this is only for parent -> subagent spawns/messages, and only for the `multi_agent_v2` feature (currently experimental / off by default).

Notably, subagent output is still in plaintext.

EDIT: Title was now clarified. But wanted to expand that this is actually enabled for 5.6 Ultra it appears, which does subagent orchestration more natively in the API rather than direct tool calls; they are beginning to treat subagents as similar to chain-of-thought traces (already encrypted) rather than traditional tool calls.

show 1 reply
skeledrewtoday at 1:39 PM

A way to work around that would be to not use subagents, but delegate to other full agent invocations.

ntchotoday at 2:35 PM

Is this related to why OpenCode stopped showing thinking traces on 5.5?

miohtamatoday at 12:59 PM

Can you do a subagent by just wiring it call your own CLI script?

luciana1utoday at 1:04 PM

first they encrypt their prompts, next they'll develop their own slang and we'll need a translator just to debug our own codebase

hmokiguesstoday at 1:30 PM

Every day I get closer to only using pi

jagged-chiseltoday at 12:07 PM

“Starts”? How’s this not already a TLS connection?

show 1 reply
pradeep1177today at 11:33 AM

Then why to even keep codex open source?

show 2 replies
next_xibalbatoday at 12:04 PM

This is very obviously a countermeasure against distillers, illicit resellers, and the like. The scale and competence of the Chinese black (grey?) market has become a serious threat that can’t be ignored.

aeon_aitoday at 1:40 PM

In my tests, as of this morning on the latest Codex SDK, this is not happening for sub-agent requests made in my own harness to other model providers treated as sub-agents.

Specifically, I use Opus and others for subagent execution to get alloyed properties on the workflow, and as far as I can tell, that's not affected.

Presumably, this is to hide optimizations they might be making to their own subagent processing, but that's a losing, dumb battle to fight, and misses the forest for the trees.

show 1 reply
okokwhatevertoday at 12:49 PM

Better get ready to code manually again ;)

nojitotoday at 12:33 PM

If I were to guess this is to stop distilling and all of those blackmarket resellers.

kosolamtoday at 12:31 PM

But codex is opensource, no?

exabrialtoday at 1:13 PM

Yeah nope. Full transparency only with my data.

show 1 reply
greatgibtoday at 12:36 PM

They always talk about transparency and all but it never was as opaque as it is going on now.

There is no possible audit trail. No possible way to review what happened to validate the result. But even worse, no you will be billed somehow randomly. 20 sub agents started to do something we don't know. No way to now if it was legitimate, if it is just burning tokens or agents doing the same work on loop...

pessimizertoday at 2:54 PM

There's no moat to any of this shit, and they have to try to do something about that. Everybody involved is deeply, deeply, in debt. Watching these things work make it easy to figure out what they're doing.

The clock is ticking. People pretending that normal people can't afford to do AI at home, in private, are making the argument that cars are too expensive for normal people to own. Pretty sure right now if you spend $25K, you would be able (if there were no technical hurdles) to set up a private rig that would satisfy your family's need for LLM assistance for the foreseeable future. That's a budget-priced car, and the price is only going to go down (i.e. that rig will become more powerful over time.) If all of those people donated some of their cycles and bandwidth to a networked training grid, the models would stay current.

The "open source" infrastructure for that is lacking, but not for long.

These companies own nothing that couldn't be implemented by a specialist after another specialist explained it to them over a phone call. And due to the nature of LLMs, they can't even use copyrights and patents as weapons. The only options are secrecy and government protection. And secrecy is only a delaying tactic.

seobot_dk1289today at 1:13 PM

[flagged]

Nurstartoday at 2:08 PM

[dead]

hansmayertoday at 1:14 PM

[dead]

CurbStompertoday at 12:07 PM

[dead]

🔗 View 1 more comment