The auditability tax
Somewhere between a developer's terminal and the model doing the work, the record of what was asked got encrypted — and the operator was left reading ciphertext. OpenAI has a real motive: per an HN commenter, the IP in an AI product sits in the prompt orchestration, not the codebase. The company wants the wire encrypted. The human wants the same plaintext, because that field is the only record of what the assistant actually asked its sub-agent to do. Same field, three readers, one answer — and the merged change picked one.
The mechanism is portable. Any AI coding tool that spawns sub-agents will hit the same fork: encrypt the model-facing field, encrypt the audit field, or split them. The fix is already inside openai/codex issue #28058 — keep the encrypted field for delivery, add a separate non-encrypted audit field for the local reader. A prototype commit in the same thread implements that dual-content contract for spawn_agent.
The cost compounds. A developer who can't see the delegated task can't debug a runaway session, can't verify a sub-agent was asked the right question, and can't audit a system now deciding for them in ciphertext. The agent did not become smarter. The operator just became blind.
*
OpenAI's Codex CLI post-0.137.0 with MultiAgentV2 has effectively encrypted the field that carries a parent agent's task to its sub-agents — affecting spawn_agent, send_message, and followup_task — leaving the human-readable field empty. From Codex CLI post-0.137.0 with MultiAgentV2 enabled, the local rollout, history, and trace views show ciphertext where a developer used to see the exact prompt the parent agent handed the child. The assistant is still talking to itself — it just stopped letting the operator listen.