Two days ago, on July 14, 2026, OpenAI shipped Codex CLI version 0.144.4. For developers who rely on GPT-5.6-Sol or GPT-5.6-Terra — the models that now enforce the MultiAgentV2 orchestration path — the update brought a silent, sweeping change: every instruction a parent agent sends to a child agent is now encrypted before it reaches local storage. The developer cannot read it. Only OpenAI’s servers hold the key.

This isn’t an optional setting. Pick Sol or Terra, and your multi-agent Codex sessions lose a critical audit layer. The local history, rollouts, and telemetry traces that used to contain plaintext delegation commands now store just ciphertext. You can see that a handoff happened. You can’t see what task the parent actually handed off.

What Changed in Codex CLI 0.144.4

The change traces back to pull request #26210, merged quietly on June 5, 2026. It introduced encryption for three specific MultiAgentV2 delegation messages: spawn_agent, send_message, and followup_task. Under the old design, these tool calls carried a readable message argument that Codex stored in plaintext. Now, the OpenAI Responses API intercepts the message, encrypts it, and returns only the ciphertext to the local CLI.

The local storage format reflects this. In the InterAgentCommunication object that records agent-to-agent chatter, the content field is left empty. The ciphertext lands in a new encrypted_content field instead. That pattern persists through session history, compaction, rollout snapshots, and the OpenTelemetry export that Codex uses for compliance logging. No secondary path recovers the plaintext locally.

What makes this particularly confusing is the model dependency. GPT-5.6-Luna continues on the older MultiAgentV1 path, where delegation text remains inspectable. But Sol and Terra — the two highest-tier models in the current lineup — are now hard-coded to use MultiAgentV2 in the distributed model catalog. A Windows developer who switches from Luna to Sol for better code generation also unwittingly trades away auditability.

Why This Matters for Your Workflow

For everyday Windows users running Codex inside VS Code, Windows Terminal, or WSL, the immediate pain is troubleshooting. When a multi-agent pipeline produces a wrong file edit, deletes something, or fails halfway, the first diagnostic question is “what was the subagent told to do?” Without readable delegation text, that question becomes guesswork.

Consider a typical scenario: a parent agent asks a subagent to remediate a vulnerability in a legacy service. The subagent changes the wrong configuration file or runs a cleanup command that’s too broad. In the past, you’d open the local session history, read the exact instructions, and see where the mismatch occurred. Now, you only see that a delegation happened. The encrypted_content blobs tell you nothing. Was the parent’s prompt ambiguous? Did the child ignore a clear request? Did context get lost in transit? Each cause points to a different fix, but they look identical from the outside.

Reproducibility also takes a hit. Without the original task text, re-running a failed scenario usually means reconstructing it from the subagent’s downstream behavior — an imprecise and time-consuming process. For the growing number of development teams that treat AI agents like junior engineers, that’s a serious regression.

IT administrators managing enterprise endpoints face a governance problem. Microsoft’s own operational guidance for Codex emphasizes that conventional security logs capture “what happened” but rarely explain agent intent. The company positioned Codex’s OpenTelemetry export, sandbox policies, and compliance logging as the tools to fill that gap. But when a MultiAgentV2 parent delegates work, the intent — the exact instruction — now travels encrypted and stays encrypted in all local evidence trails. That creates a blind spot precisely where an incident response team would start its investigation.

The Encryption Mechanism: How OpenAI Hides the Instructions

This is not end-to-end encryption in the familiar sense. When a parent model calls spawn_agent or send_message, the OpenAI Responses API encrypts the message argument on its servers before the local Codex process ever sees it. The CLI stores and forwards only ciphertext. When the subagent model receives the instruction, the Responses API decrypts it internally — again, on OpenAI’s infrastructure. The developer’s machine never touches the plaintext.

From a technical standpoint, the flow ensures that local artifacts (logs, traces, rollout files) are unreadable. But OpenAI itself can still decrypt the messages. The exclusion is not the service provider; it’s the user who deployed the agent.

This design raises immediate questions for regulated industries. If a developer suspects a bug or security incident, they cannot independently audit the chain of intent without OpenAI’s cooperation. The parent’s original prompt and the subagent’s final output remain visible, but the crucial instructional link between them is opaque.

The Broken Audit Trail: Debugging in the Dark

Ignat Remizov, CTO at payment service Zolvat, documented the problem in GitHub Issue #28058, opened June 13, 2026. His proposed fix does not ask OpenAI to roll back encryption on the transport channel. Instead, he requests a separation of concerns: keep the delivery encrypted for model-to-model communication, but also write a parallel plaintext audit copy into local history and telemetry metadata. That way, the subagent still receives encrypted instructions, but a developer can later inspect what was delegated.

As of July 16, the issue remains open without a linked resolution. And in the meantime, the gap is concrete. Normal debugging for multi-agent failures follows a linear path: read the user’s initial request, then the parent’s delegation, compare that to the subagent’s tool calls and output, and pinpoint whether the fault was planning, execution, or environment. With MultiAgentV2, step two is gone. Teams are left to infer intent from effects — a substantially weaker basis for fixing bugs or answering compliance auditors.

The Bigger Picture: Compliance and the EU AI Act

For any organization using Codex in a regulated delivery chain, the timing is critical. The EU AI Act’s full obligations for high-risk AI systems take effect on August 2, 2026 — just over two weeks from now. Article 12 requires those systems to maintain logs sufficient to reconstruct what the system did and why.

Not every Codex workflow qualifies as high-risk. But if your pipeline generates code for critical infrastructure, financial services, employment decisions, or similar domains, the classification may apply. An independent evaluation of AI coding tools for EU Act readiness, completed before the mandatory encryption enforcement, specifically identified Codex’s OpenTelemetry export as the feature closest to meeting Article 12. That evaluation now has a caveat: for Sol and Terra models, the telemetry traces it praised contain ciphertext where the delegation instructions should be.

OpenAI has not publicly documented whether its enterprise Compliance Platform retains a plaintext copy of these messages when local logs do not. Until that is clarified, compliance teams should not assume the gap is filled server-side.

What You Can Do Right Now

Choose your model with audit in mind. GPT-5.6-Luna remains on the older MultiAgentV1 path, where delegation text is readable. If full local auditability is non-negotiable and you can accept Luna’s lower performance ceiling, that’s the safer option today.

Treat Sol and Terra as a different observability tier. For high-stakes multi-agent jobs, capture everything you can outside of Codex’s encrypted record: your initial user prompts, full repository state, command logs, diffs, and endpoint telemetry. Require human approval for destructive operations and keep sandbox boundaries narrow. Make sure your source control can recover every agent-made change.

Watch GitHub Issue #28058. If OpenAI implements a plaintext audit copy feature — whether free or as an enterprise add-on — it will likely be announced there or in the release notes. Until then, assume that any local investigation of a Sol or Terra multi-agent failure will be missing the critical thread of intent.

For compliance-sensitive deployments, engage OpenAI directly. Ask whether the Compliance Platform retains readable copies of MultiAgentV2 delegation text, and whether that data is surfaced in the exports you already rely on. Document the answer. If you’re subject to the EU AI Act, the August 2 deadline is imminent, and ambiguity about your logging posture is itself a risk.

What Comes Next

OpenAI has not publicly explained its rationale for the encryption. Community theories range from privacy hardening (delegation messages often contain sensitive code descriptions) to competitive protection against model distillation — a hot-button topic this summer after high-profile accusations and Nadella’s critique. Either way, the developer feedback is clear: separating transport encryption from audit logging is technically feasible and widely desired.

The EU AI Act enforcement clock is ticking. Even if OpenAI ships a fix within days, enterprise teams need time to validate and redeploy. More likely, we’ll see a period of manual workarounds, followed by an official audit-copy feature gated behind an enterprise tier. For Windows developers who treat Codex as a junior team member, the message for now is simple: if you can’t read what you asked it to do, you’re operating with less visibility than you probably think.