Codex starts encrypting sub-agent prompts

Codex starts encrypting sub-agent prompts

Codex 开始对子代理提示词进行加密

Regression: encrypted MultiAgentV2 messages remove readable task audit trail #28058 回归问题:加密的 MultiAgentV2 消息导致可读的任务审计追踪丢失 #28058

Description: #26210 makes MultiAgentV2 agent task/message payloads opaque to Codex by marking the model-facing message parameter as encrypted, storing only InterAgentCommunication.encrypted_content, and leaving InterAgentCommunication.content empty. The encrypted delivery path is understandable as privacy hardening, but it also removes the human-readable task/message text from local rollout history, trace reduction, and parent-side audit/debug surfaces. 描述: #26210 通过将面向模型的消息参数标记为加密,仅存储 InterAgentCommunication.encrypted_content 并将 InterAgentCommunication.content 留空,使得 MultiAgentV2 代理的任务/消息负载对 Codex 变得不透明。虽然加密传输路径作为隐私加固是可以理解的,但它同时也从本地部署历史、追踪记录以及父级审计/调试界面中移除了人类可读的任务/消息文本。

That makes it difficult to answer basic questions such as: What task did this spawn_agent call give the child agent? What message was sent to a subagent? Why did a child thread exist when reviewing a rollout after the fact? This is different from #26753, which reports request validation failures for encrypted tool schemas. This issue is about auditability and debuggability after the encrypted schema is accepted. 这使得回答基本问题变得困难,例如:此 spawn_agent 调用给子代理分配了什么任务?发送给子代理的消息是什么?事后审查部署时,为什么会出现子线程?这与 #26753 不同,后者报告的是加密工具模式的请求验证失败。本问题关注的是加密模式被接受后的可审计性和可调试性。

What is the expected behavior? Codex should preserve a human-readable, structured audit copy of the subagent task/message while still allowing encrypted delivery to the recipient model. A possible shape is to keep the encrypted message field for model delivery, but add a separate non-encrypted audit field for the readable task text. The audit field should be persisted in rollout/history/trace metadata so users and maintainers can inspect what was delegated without needing to decrypt model-delivery ciphertext. 预期行为是什么? Codex 应保留一份人类可读的、结构化的子代理任务/消息审计副本,同时仍允许向接收模型进行加密传输。一种可能的方案是保留用于模型传输的加密消息字段,但增加一个独立的非加密审计字段用于存储可读的任务文本。该审计字段应持久化在部署/历史/追踪元数据中,以便用户和维护者无需解密模型传输的密文即可检查委派的内容。

Source analysis: Upstream InterAgentCommunication::new_encrypted() deliberately initializes content as an empty string and stores the payload only in encrypted_content. The conversion used for recipient history then emits only the encrypted payload whenever encrypted_content is present. Merely populating the runtime content field would therefore not create a readable persisted ResponseItem; the fix also needs an explicit local audit persistence path. 源码分析: 上游的 InterAgentCommunication::new_encrypted() 特意将 content 初始化为空字符串,并仅将负载存储在 encrypted_content 中。用于接收方历史记录的转换逻辑在检测到 encrypted_content 存在时,只会输出加密后的负载。因此,仅仅填充运行时的 content 字段并不能创建可读的持久化 ResponseItem;修复方案还需要一条明确的本地审计持久化路径。