I was wondering why my local tool to inspect coding agent sessions stopped working in some cases.
This is a really interesting engineering decision, I wonder how many people will want an encrypted external piece of instructions running on their machine.
I've been sticking with the chat completion endpoint because of this same behavior. OAI has been subtly pushing users away from chat completion and toward the endpoints that are possible to obfuscate (responses API).
With chat completion, the reasoning process is entirely under your control. You can build a reasoning agent that uses custom MCTS techniques with GPT5.6 models today if you are willing to get your hands just a little bit dirty. You have to enable experimental flags and set options in slightly confusing ways, but it still works.
You can use models up to gpt5.5 with custom API tokens and model configuration in VS Copilot. gpt5.6 family (currently) no longer work in this setup. Presumably, because we aren't explicitly forcing reasoning_effort to none to satisfy the new moat expansion behavior.
I wonder if they are gonna stop us from using gpt subscriptions in alternative harnesses. If not - that doesn't matter much, codex cli is a remarkably unremarkable harness.
HN Title is ( edit: was ) very misleading, it makes it sound like inference is being done directly on ciphertext, which would require homomorphic encryption well advanced of what is known.
There was a recent report on twitter of a GPT 5.6 sub-agent accidentally deleting the user's home directory.
I wonder if there was any safeguard failure due to loss of visibility into what the sub-agent was trying to do?
Could someone explain to me where exactly the encryption is happening?
I assumed that the main agent makes calls to sub-agents locally. Does Codex work in such a way where the main agent makes calls to sub-agents in the backend (openai server) before reaching local?
Ah I was wondering why the Chinese black market resellers stopped working yesterday, I guess that's it
I assume this is mostly to frustrate efforts to proxy large numbers of user requests and responses and use it to train competitor models.
It’s just a short hop to not being able to see it at all. I started using pi.dev recently, the idea that a third party is taking more and more direct control of my software development process sits badly with me.
The black box is getting darker…I’m the end I think they would like to sell you a black box/appliance
Haha, wow, I didn't expect to get quoted on Hacker News. Hello!
I guess "helped make Skynet auditable" may become my most popular open-source contribution, so I'm putting it on my CV.
The thing is that the subagent prompts already pass through the client - they have to, since the TUI can switch between subagents while they work. The change is just to save a copy of the prompt on disk while keeping the encrypted delivery path if necessary for Responses API.
Personally, I use multi_agent_v1 anyways (doesn't have this issue), since v2 is unstable and is a token burner.
Hope they address it so I don't have to keep maintaining it in my fork
If the orchestrator agent -> subagent prompt is encrypted then how do you even know if the orchestrator agent is doing its job?
Now one reason I could see for why they do this is because maybe they made the model "better at using subagents" by using thinking tokens for the subagent prompt instead of normal output tokens.
As a child, I always wondered how could people in Terminator be dumb enough to allow Skynet to happen..
I guess this implies that non-Codex harnesses get a little bit worse? In wondering what's so special about their subagents system that they feel the need to hide these messages...
If we're viewing this as a _bad_ thing, I don't really see that it is any different than how Claude encrypts it's thinking. Take a peek at your ~/.claude jsonl files. You're sending thinking ciphertext back and forth to Anthropic. Presumably the thinking is either considered proprietary, or, more likely, leaks embarrassing or confidential information.
This help me understand meaning of Pi as open source ai coding agent
What exactly do subagents do that I can't replicate with a simple skill that tells an orchestrator to create subshells for tasks, each running `codex exec`? I've been doing this with Fable orchestrating Sol-medium and Terra-high, works like a charm.
How does this affect local models? Will all the features of Codex still work with local models?
The title is a bit confusing, they're not using ciphertext for inference – they're passing ciphertext around in cases where an agent calls into another agent without exposing the plaintext to the end-user
Inference is still done in plaintext after this multi-agent message gets decrypted in the server side
Outrageous yet predictable.
The only way these AI labs can get the app layer lock-in they need is if they can get customers used to writing them a blank check: “here, take my data and my system, do ‘stuff’ and bill me for it.”
Between this and the recent Grok upload breach, I consider these products radioactive.
Is it encryption, or is it a synthetic language? If latter, then I had this idea 3 months ago [0]... Stop talking to GPTs in human languages, use a synthetic more optimal language, that is rendered by "frontend GPT".
Using ciphertext for inference would mean it's not a very secure ciphertext.
These two ideas don't compute for me.
Same thing with homomorphic encryption. I don't get it. If you can gain any knowledge from a ciphertext, you just found a way to exploit the ciphertext to me.
What's the idea here? Why does this seem important to OpenAI?
Is it mainly about how the main/orchestrator agent communicates with its subagents ?
If desired the user can always see what the sub agent is doing in detail ?
Isn't it the same in case of claude as well ?
A way to work around that would be to not use subagents, but delegate to other full agent invocations.
No normative opinion on whether this is justified or not, but noting that this is only for parent -> subagent spawns/messages, and only for the `multi_agent_v2` feature (currently experimental / off by default).
Notably, subagent output is still in plaintext.
EDIT: Title was now clarified. But wanted to expand that this is actually enabled for 5.6 Ultra it appears, which does subagent orchestration more natively in the API rather than direct tool calls; they are beginning to treat subagents as similar to chain-of-thought traces (already encrypted) rather than traditional tool calls.
Is this related to why OpenCode stopped showing thinking traces on 5.5?
Can you do a subagent by just wiring it call your own CLI script?
first they encrypt their prompts, next they'll develop their own slang and we'll need a translator just to debug our own codebase
Every day I get closer to only using pi
This is very obviously a countermeasure against distillers, illicit resellers, and the like. The scale and competence of the Chinese black (grey?) market has become a serious threat that can’t be ignored.
In my tests, as of this morning on the latest Codex SDK, this is not happening for sub-agent requests made in my own harness to other model providers treated as sub-agents.
Specifically, I use Opus and others for subagent execution to get alloyed properties on the workflow, and as far as I can tell, that's not affected.
Presumably, this is to hide optimizations they might be making to their own subagent processing, but that's a losing, dumb battle to fight, and misses the forest for the trees.
Better get ready to code manually again ;)
If I were to guess this is to stop distilling and all of those blackmarket resellers.
But codex is opensource, no?
They always talk about transparency and all but it never was as opaque as it is going on now.
There is no possible audit trail. No possible way to review what happened to validate the result. But even worse, no you will be billed somehow randomly. 20 sub agents started to do something we don't know. No way to now if it was legitimate, if it is just burning tokens or agents doing the same work on loop...
There's no moat to any of this shit, and they have to try to do something about that. Everybody involved is deeply, deeply, in debt. Watching these things work make it easy to figure out what they're doing.
The clock is ticking. People pretending that normal people can't afford to do AI at home, in private, are making the argument that cars are too expensive for normal people to own. Pretty sure right now if you spend $25K, you would be able (if there were no technical hurdles) to set up a private rig that would satisfy your family's need for LLM assistance for the foreseeable future. That's a budget-priced car, and the price is only going to go down (i.e. that rig will become more powerful over time.) If all of those people donated some of their cycles and bandwidth to a networked training grid, the models would stay current.
The "open source" infrastructure for that is lacking, but not for long.
These companies own nothing that couldn't be implemented by a specialist after another specialist explained it to them over a phone call. And due to the nature of LLMs, they can't even use copyrights and patents as weapons. The only options are secrecy and government protection. And secrecy is only a delaying tactic.
[flagged]
[dead]
[dead]
[dead]
This title is easy to misinterpret. If I understand correctly: Codex now encrypts sub-agent prompts and hides those prompts from the user.
edit: originally was "Codex starts encrypting prompts, uses cyphertext for inference instead"