A developer opens a terminal, triggers a complex multi-step AI workflow, and waits for the result. The output is wrong—a hallucination or a logic loop—so they dive into the internal logs to trace the failure. Instead of a clear sequence of prompts and responses, they find a wall of encrypted gibberish. The transparency that usually allows a developer to pinpoint exactly where an agent went off the rails has vanished, replaced by a security layer that protects the data but blinds the operator.
The Encryption Wall in Codex CLI 0.137.0
This visibility crisis emerged in Codex CLI builds following version 0.137.0, specifically when the MultiAgentV2 architecture is enabled. MultiAgentV2 is designed to allow multiple AI agents to collaborate on complex tasks, but a recent shift in how these agents communicate has rendered their internal dialogue unreadable to humans. The issue stems from PR #26210, which was merged on June 5, 2026. Once this change hit the build, every environment utilizing MultiAgentV2 began experiencing the same phenomenon: the audit trail for agent-to-agent communication became encrypted.
This is not a configuration error or a bug tied to a specific subscription tier, model choice, or operating system. Whether a developer is running the CLI on Linux, macOS, or Windows, the result is the same. The core functions that drive the agentic workflow—`spawn_agent` for creating new agents, `send_message` for inter-agent communication, and `followup_task` for sequential processing—now produce logs that are effectively black boxes. While the development team has begun implementing prototypes to fix this, the rollout is fragmented. The `spawn_agent` function has seen a proposed structural implementation via snapshot commits, but `send_message` and `followup_task` remain problematic. Because the fix requires a comprehensive update to the history playback system and the debug UI, the associated issues remain open.
The Technical Friction Between Security and Observability
To understand why the logs disappeared, one must look at the `InterAgentCommunication` structure. In builds prior to 0.137.0, agent communications were stored in a way that allowed for easy auditing. However, the introduction of the `new_encrypted()` constructor changed the data flow entirely. This constructor now initializes the `content` field—the plain-text field humans read—as an empty string. The actual payload is shifted exclusively into the `encrypted_content` field. Even if the system temporarily populates the `content` field during runtime, the `ResponseItem` automatically recorded in the persistent storage only captures the encrypted version.
This creates a sharp contrast with previous technical hurdles. For instance, issue #26753 was a straightforward validation error where an encryption tool schema returned a 400 error, preventing the request from even entering the system. That was a failure of access. The current MultiAgentV2 issue is a failure of insight. The system is working perfectly—the requests are successful, the agents are communicating, and the tasks are being completed—but the record of that success is illegible. The security lock intended to protect the data has inadvertently locked out the debugger.
To resolve this, a dual-content contract has been proposed. Instead of choosing between total transparency and total encryption, the system would store two distinct versions of the message. The encrypted payload would be sent to the receiving model to maintain security, while a separate, mandatory plain-text field called `task_message` would be stored for local auditing. To prevent this from bloating the system or degrading performance, the `task_message` field would be subject to strict size limits, ensuring that rollout data and context items do not grow indefinitely. This architectural pivot acknowledges that for an AI system to be reliable, the human operator must be able to verify the reasoning process without compromising the security of the transport layer.
Finding the equilibrium between rigorous encryption and operational transparency is the next major hurdle for the Codex ecosystem. The move toward a dual-storage design suggests that in the world of autonomous agents, the ability to audit the process is just as critical as the security of the data itself.




