Rendered at 09:31:35 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
niam 22 hours ago [-]
This title is easy to misinterpret. If I understand correctly: Codex now encrypts sub-agent prompts and hides those prompts from the user.
edit: originally was "Codex starts encrypting prompts, uses cyphertext for inference instead"
hansihe 20 hours ago [-]
It seems likely to me this was driven by the `ultra` mode in 5.6, which fans subagents to do work. This mode was previously only available in the web UI (what was previously known as pro?)
It seems possible they trained this by doing full RL rollouts of agents interacting with each other. They likely view these prompts somewhat the same as raw reasoning traces, they don't want people to train directly on them.
I am unsure if this has been confirmed, but there are some signs that the opaque "compaction blob" they return from their dedicated compaction endpoint might not be text at all, rather a latent space representation of the conversation. The fact that OpenAIs compaction seems to be much higher fidelity than a lot of other providers makes me inclined to believe this.
If this is true, it doesn't seem far fetched to infer that they might be applying similar techniques to prompting subagents.
I would be curious to see if this way of spawning subagents (encrypted blob) is used when subagents of a different model type is spawned.
tpurves 20 hours ago [-]
"Latent space representation" I have been waiting for this moment in the evolution of AI. Well, waiting with some trepidation. It seems inevitable that frontier AI's will, at some point, leave behind human-comprehensible representations of language. Purely for functional reasons, it's going to start making sense for AI agents to communicate amongst themselves in much more efficient ways than borrowing the languages of flesh-bag humans as an interface medium.
I Imagine next that programming languages, interfaces and API design starts going this direction next. Being written, expressed and optimized as blobs of high dimensional vector space. As humans we might still be able to understand some abstractions of what our AI's are talking about to each other, but maybe not more so then we understand how different regions of our own brain communicate with each other.
Even for like token efficiency it could make sense - like imagine if the representation were more compact
Agents acn already translate languages quite well. It doesn't seem crazy that they could work and think in a model specific language, and then translate back to English or something for the user
EGreg 20 hours ago [-]
I strongly believe that the future is the other way. New programming languages and environments designed for strong auditability and preventing bugs will dominate. Only bad actors will use latent space representation, and it might even be outlawed. But the bad actors will proliferate underground…
That's not really a language. It was just a reporter dumbing down the idea of "vectors in latent space" which eventually became LLMs.
UltraSane 19 hours ago [-]
It seems like the most efficient method would be for LLMs to communicated by exchanged latent space representations directly. Serial language is a incredibly inefficient way to encode these, a lot like flattening a complex graph into text.
wren6991 20 hours ago [-]
I think you hit the nail on the head here. Having subagent dispatch in the loop for RLVR is something we've already seen in open models, like Kimi K2.5 and later, so it's no great stretch to assume OpenAI are doing it too.
If you keep RL'ing the dispatch then the prompts are likely to keep diverging from the type of prompt a person would write (like CoT becoming increasingly incomprehensible), and that divergence is part of their competitive advantage.
> rather a latent space representation of the conversation
I wonder if this is something they can take advantage of by training on compaction inside of the RLVR loop?
a-dub 19 hours ago [-]
> It seems possible they trained this by doing full RL rollouts of agents interacting with each other. They likely view these prompts somewhat the same as raw reasoning traces, they don't want people to train directly on them.
this tracks. anthropic protects these as well iirc.
> I am unsure if this has been confirmed, but there are some signs that the opaque "compaction blob" they return from their dedicated compaction endpoint might not be text at all, rather a latent space representation of the conversation.
probably not a latent (to my knowledge latents aren't really part of the outer loop in ar-transformer inference processes), but maybe non-human-readable reasoning traces as occurs in fable.
radicality 17 hours ago [-]
That’s actually what got me to switch and use Codex sometime beginning this year, the compaction via these encrypted blobs was just waaaay better than Claude. I had short convos with Claude where it would forget something very obvious and important few million tokens into a task, whereas I reached ~1B tokens in some local codex sessions and it was recalling and paying attention to things I mentioned way back at the beginning of the session (and not persisted anywhere else in the repo/md files etc)
dannyw 19 hours ago [-]
If there is no visible prompt at all, then that is very understandable. The PR issue exposes a real gap though: subagent spawns need a human-readable audit trial, of its goals/intent, its boundaries and scope and limitations, etc; for basic responsible agentic harness functionality.
Hopefully they can add that.
embedding-shape 19 hours ago [-]
> Hopefully they can add that.
Add? Just make the sub-agents input prompt not encrypted, change "encrypted: true" to "encrypted: false" everywhere and everything continues to work as it used to (simplified, but you get the idea).
They need to fix the regression, not add something new here.
alansaber 17 hours ago [-]
This sounds most logical to me.
dist-epoch 19 hours ago [-]
> latent space representation of the conversation
and how would you load that back into the model? they are token-in, token-out, plus the KV-cache which is derived from token-in
hansihe 19 hours ago [-]
They are not really token-in token-out per se, they are embedding-in embedding-out.
When operating on text, you embed each token into the LLMs embedding space. You go from a discrete token to a point in embedding space.
Likewise, when processing images, you have a image embedding model which produces a set of embedding vectors representing the contents of the image in the LLMs embedding (latent) space.
This same concept can be extended to compaction. Instead if limiting yourself to discrete tokens, you could generate a set of embedding vectors which represent the contents of the compacted conversation in latent space.
These have the possibility of containing a lot more semantic information per vector, which is why this can be appealing.
A big downside is decreased interpretability. AI safety people are generally fairly opposed to latent space reasoning for example, it can be harder to tell what the model is actually doing and if it is trying to deceive you.
themgt 20 hours ago [-]
It's sort of insane though, you not only have dozens/hundreds of stochastic agents running on your machine, but you cannot even inspect the instructions those agents are working off of?
I've gone in to look at Claude subagent/workflows and sometimes been like "no this was a mistake to spin up" ... Codex users just get to token yolo the encrypted telephone operator instructions+shell from orchestrator to subagents?
djeastm 20 hours ago [-]
>but you cannot even inspect the instructions those agents are working off of?
It makes more sense when you realize they don't want developers to be doing any coding at all. That's what they seem to be moving towards. From product manager to product via AI.
tempaccount420 19 hours ago [-]
Last stage is moving everyone to their cloud platforms, they deploy everything for you, you don't even get to see the code, just the deployed end product.
Because letting you look at the code would be too dangerous, you could reverse engineer an exploit to another product! Or distill their internet-distilled model!
But don't worry, at least it will be very convenient.
solumunus 3 hours ago [-]
They’ve already succeeded at that. My time spent manually writing and editing code must be down 99% post Opus 4.7.
Jean-Papoulos 20 hours ago [-]
You already have an agent freely doing stuff on your machine. Subagents prompts are a weird place to draw a line. It's not like you're reading everything the agent is doing in any case, let's not kid ourselves.
embedding-shape 20 hours ago [-]
When things go wrong I very much read the session traces to figure out what in my prompt wasn't good/explicit enough, then retry to evaluate if it would have helped.
I was about to do the same with Sol + Ultra, but then discovered this encryption issue that prevents me from doing the same for sub-agents.
halfcat 7 hours ago [-]
> You already have an agent freely doing stuff on your machine
No. Agents run in VMs. Assume anywhere you’re running an agent will be compromised, because eventually, it will be.
The only reason most people haven’t is luck, they didn’t happen to install Axios or Tanstack at a certain time.
realusername 20 hours ago [-]
> It's not like you're reading everything the agent is doing in any case
Personally I do, these tools aren't mature enough to be used without supervision
bartread 21 hours ago [-]
I imagine this will be because a decent chunk of the IP in Codex is probably within its prompts, how they're built, and how they're sequenced and orchestrated, rather than in the codebase per se.
We had this discussion a few months ago where we talked about allowing people to choose an AI provider and provide their API key, thinking about enterprises with "preferred" (read: mandated) AI suppliers. We also wanted to offer the kind of very simple pricing that this is one way of enabling. But we realised pretty quickly that this would/could lead to leaking our back end prompts to customers and, although those prompts are only a part of the value add, if you could build a detailed trace of them then you'd be able to relatively easily reverse engineer a lot of what we're doing.
So we quickly dropped that idea.
agumonkey 21 hours ago [-]
I'm unable to understand how much value can be in low-definability non deterministic prompts. It feels like the kept the right divinity spell into a chest.
hnlmorg 21 hours ago [-]
I don’t disagree with your divinity spell comparison but unfortunately there is a lot of value in the prompts because these spells are the “programming languages” of LLMs.
agumonkey 20 hours ago [-]
yeah i get it too, i'm just flabbergasted that this is today's market
it reminds me of the pre-vulkan game programming days.. drivers were black boxes, game developpers had to resort to magic tricks to do stuff, until everybody got fed up and wanted some logical ground to operate
bartread 20 hours ago [-]
It's a brave new world, etc., isn't it?
One does find oneself slightly askance at one's own thinking sometimes, that's for sure.
But I suppose, is it really so different? I mean, back in the day moreso than now, a lot of the valuable IP in any system was in the design and specification of that system - the problems usually solved within the design and specificaion (use X algorithm, etc.) - and the code was "just" the implementation of those solutions.
So perhaps it's more of a regression in some ways: the value is in the specification (the prompt) once again.
Your point about stochastic behaviour is well made though, and there is no way to 100% guarantee or formally verify the behaviour of a system that relies on an underlying technology whose behaviour is fundamentally stochastic.
oblio 20 hours ago [-]
Further proof that this tech stack is immature and would have needed to bake for a more years.
In an ideal world this would have been public tech like ARPANET or WWW and there would have been 2-3 major iterations (until the equivalent of Claude 7-8) and only then would everyone have tried to build huge businesses on top of it.
I mean, sure, it's sort of usable, but the churn is insane. And we're burning the planet (and probably the economy, too) for it.
literalAardvark 19 hours ago [-]
Compared to burgers, it's a rounding error
embedding-shape 20 hours ago [-]
> understand how much value can be in low-definability non deterministic prompts
When was the last time you used an LLM to evaluate how true those last part(s) still are?
I also love how you went from "I'm unable to understand" to "This is surely right", it's a good representation of the software ecosystem at large :)
saidnooneever 21 hours ago [-]
the trick about agentic systems is definitely how to do the prompting. things like automation and sandboxing are trivial in comparisson. if you generally ask via API model directly you can see what basic answers it actually yields and how fine tuning prompts and refinements to output as well as adversarial prompts etc are important to get relatively solid results.
a lot of expertise of certain domains' workflows is needed to make it functional within that domain. some of this can be yielded via prompting too etc so its also baoance of how much to prompt it vs. how much of it you wanna let it reason over itself. (if you tell it too much i lock it into a path and if you tell too little it will give incomplete results )
dmurray 21 hours ago [-]
Perhaps AI providers should support this natively: the customer supplies the API key but doesn't get access to the transcripts.
bartread 20 hours ago [-]
I don't know how you'd enforce that unless it was something you could mandate at the level of the API call, and then the API call is rejected if the customer hasn't configured it for "no transcript".
It sort of feels like an area of friction even still.
dmurray 19 hours ago [-]
I was thinking of an API key that was scoped both to a specific customer and a specific service provider (perhaps both have to do something to provision it).
Billing goes to the customer, debug logs etc go to the service provider.
imhoguy 21 hours ago [-]
Yeah I thought "wow, some homomorphic encryption* stuff", but then "nah, usual greed".
The title was fixed like 40 minutes ago, when you come back to
old browser tabs you probably want to hit that reload button before leaving a comment ;)
ofjcihen 18 hours ago [-]
Unnecessarily snide remark for someone just commenting on their interpretation.
embedding-shape 18 hours ago [-]
At that point 50% of all comments were about the title and it had been updated almost a whole hour before parent made their comment. Sorry for being low on patience.
postalcoder 21 hours ago [-]
It's also not the first time Codex started encrypting stuff. Their excellent compaction endpoint has served up a giant encrypted blob since at least five months ago.
hyperbovine 20 hours ago [-]
Feels strongly like we're in the late-stage-AI-unicorn phase. If this is really their moat then the Chinese companies will win.
realusername 20 hours ago [-]
> If this is really their moat then the Chinese companies will win.
I already switched to a Chinese provider personally, I don't think the difference between both really justifies the wide gap in pricing
embedding-shape 19 hours ago [-]
> I don't think the difference between both really justifies the wide gap in pricing
I'd be ecstatic if this was true, but nothing so far comes close to the SOTA models from OpenAI + highest reasoning, but I'd be more than happy to be proven wrong by testing it out myself.
So far, I've tried MiniMax M3, GLM 5.2, Hy3, MiMo-V2.5 (+ Pro), DeepSeek V4 Pro (+ Flash), Gemini 3, Kimi K2.6, GLM 5, all the various Qwen variants and probably a bunch more I forget about, in a wide array of harnesses (Codex, pi, opencode, my own and more), and still nothing seemingly comes close to GPT 5.5 (now 5.6) xhigh for tasks beyond 5-10 minutes of work, they all more or less collapse after a while in my experiments. Although most of those do work well for really tightly scoped tasks.
What specific model are you thinking about here, in case I've missed testing it?
realusername 19 hours ago [-]
I'm using Kimi 2.7 and GPT 5.5 at home, Opus (4.8 I think) at work and I really don't see much difference honestly.
Sure, Claude might be 90% correct and Kimi only 70% correct but does that matter when 90% isn't enough to make it work autonomously anyways?
My workflow is just strict supervision of what's happening, I also edit the agents file with anything I see the model doing that I don't like.
My sessions are also short, after any task which is completed, I just kill the session and start a new one so I don't think I have more than 15 min sessions unless it's tech discovery.
embedding-shape 19 hours ago [-]
> Sure, Claude might be 90% correct and Kimi only 70% correct but does that matter when 90% isn't enough to make it work autonomously?
Huuh, what does this mean? GPT models frequently do 100% of what I tell them to do, anything less and I'd see no point in using agents for work at all. Do you tell them stuff then 30% of the cases Kimi goes off and does other things, or what do you mean? The time the agent does something unexpected, I can almost always trace it back to me fucking up something in the user prompt, or the system prompt being wrong somehow, I'd lose my mind if it was only "70% accurate".
> My workflow is just strict supervision of what's happening, I also edit the agents file with anything I see the model doing that I don't like.
Same, including inspecting exactly what the (full verbatim) sent system/user prompts are, which the change we're all discussing here is getting in the way of.
But "Kimi only 70% correct" sounds like it's so bad it's not worth using. In my testing, I didn't find that the model just went out and did other things, but all the providers I tried were way slower than even Sol which is kind of slow to begin with, and it's really inefficient with it's thinking. Tasks that took Sol five minutes could take 15 minutes with Kimi for example, which just feels like such a waste too.
realusername 19 hours ago [-]
> Huuh, what does this mean? GPT models frequently do 100% of what I tell them to do, anything less and I'd see no point in using agents for work at all.
I never managed to have this experience even with SOTA models, they routinely make architectural mistakes, wrong assumptions and take shortcuts they should not take. Less for sure but they still do it often. I didn't try Fable yet though so can't comment on it.
So based on that, since I have to watch everything they do anyways, why would I pay extra?
> But "Kimi only 70% correct" sounds like it's so bad it's not worth using
If you want an analogy, it's like the numbers of 9s in server availability and since currently I'd rate nothing above 90%, it's zero nines. Since I have to deal with unreliability with every provider, I don't see why it would be worth it to pay more to still deal with it.
embedding-shape 19 hours ago [-]
> I never managed to have this experience even with SOTA models, they routinely make architectural mistakes, wrong assumptions and take shortcuts they should not take. Less for sure but they still do it often. I didn't try Fable yet though so can't comment on it.
Ah, you let them make architectural decisions? :P That might explain it. Agents for me are more like pair-programming or just "what types the code", all the design and decisions are made by me, so if those are wrong, it's my fault. The agents are just used to implement what I've decided to have implemented, and I can't remember the last time codex did a mistake without correcting itself, or made a wrong assumption or taken shortcuts, unless I explicitly told it something that lead to those things.
> So based on that, since I have to watch everything they do anyways, why would I pay extra?
Personally I pay more to have to fix less later, and for a piece of mind that if I ask it to do X, it doesn't go off and do Y.
anon373839 20 hours ago [-]
This and the overly stylized model names. Mythos? Sol? Please, it's another version bump.
oblio 20 hours ago [-]
Anthropic at least is consistent in their naming. They're all literary genres, ever bigger ones.
literalAardvark 19 hours ago [-]
OpenAI's are all unnamed or suns, so it's kinda the same picture.
oblio 17 hours ago [-]
> OpenAI's are all unnamed or suns, so it's kinda the same picture.
Besides the constant shifting of nouns and adjectives...
Luna is the Moon and Terra is Earth.
literalAardvark 44 minutes ago [-]
Unnamed or celestial bodies then. That was a fine nit to pick.
The rest just aren't names, they're designations at best
oblio 2 minutes ago [-]
... so Anthropic is more consistent with their naming and we're back to square one in this conversation.
jeanlucas 20 hours ago [-]
I was wondering why my local tool to inspect coding agent sessions stopped working in some cases.
This is a really interesting engineering decision, I wonder how many people will want an encrypted external piece of instructions running on their machine.
EGreg 20 hours ago [-]
It seems their incentives aren’t exactly aligned with their users, including corporate users. Look at the latest statements from Alex Karp, and now Satya Nadella etc.
Is this user-hostile? Encrypting stuff from the user is what RIAA used to do with DRM, worried about copyright infringement.
pornel 19 hours ago [-]
Nothing by Alex Karp is aligned with any users. This guy is a mercenary, and he seems to be in this job for the love of killing.
arjie 17 hours ago [-]
Yeah but his users are hiring him to set up their killing machines so that they’ll do it better. So that makes him highly aligned with users.
Besides, the SaaSification of these things is expected. When you run a model, the reasoning traces are an internal implementation detail of the program that then results in certain user-visible output. It can be used to distill etc and most users don’t care about it.
It’s not some novel thing that internal implementation detail of software is a trade secret.
Espressosaurus 17 hours ago [-]
Except I care about the reasoning trace because I can stop a rathole that burns $50 of tokens as it chews for 10 minutes before I get the desired feedback that it’s done the wrong thing.
ctkhn 19 hours ago [-]
I thought tweaking was his highest calling
Obscurity4340 19 hours ago [-]
Polymeth
lstodd 19 hours ago [-]
Did you mean twerking?
faidit 19 hours ago [-]
The man is a polymath.
echelon 17 hours ago [-]
I think there are OpenAI / Anthropic employees in here flagging comments:
These companies are behaving against the best interests of their customers.
Both OpenAI and Anthropic should be ashamed.
These companies' products are awesome, but the way they conduct business is scummy.
They must be worried there is no moat. If they keep up this behavior, there truly will be no moat. They're pushing people away.
EGreg 14 hours ago [-]
It’s not about the companies specifically, or even AI specifically, but the incentive structure. I think the issue is more that they are embedded in a system of competition, where they can’t afford not to do things to “win” and fend off competitors’ practices. The people in the companies feel and understand this better than anyone.
I think Anthropic, being a Public Benefit Corporation, can absolutely do better than OpenAI. OpenAI was a nonprofit but flipped. Many people left from OpenAI to Anthropic, I think all original founders of Anthropic are still with Anthropic.
We have seen the same things in Web2 and Web3, this is not at all unique to AI companies! How many people at HN went to work for Facebook, or Google etc? The “don’t be evil” motto is nice but when you have to compete, you often end up doing the things you think you didn’t have to do.
With Web2 the stakes were: “centrally controlling speech”. With Web3 the stakes were: “people lose programmable money they gambled with”. With AI the stakes are much bigger. This isn’t about a company being moral or not. This is about incentives of the broader ecosystem, and how the products are designed.
As long as people (like Kevin O’Leary) say “but are you going to just let China pull ahead of us” we’re all going to be in a race (to the bottom, for a lot of affected people). It isn’t about OpenAI or Anthropic specifically. Hate the game, not the player.
if you're running in YOLO mode you already don't care, what matters are the tool calls and these can't be encrypted
Majromax 18 hours ago [-]
No, you'd still care. YOLO mode is about instantaneous permissions and access control, inspection of subagent prompts is about retrospective quality control. If the main model is instructing subagents to do a subtly wrong thing, the overall process quality will degrade in ways that might be very hard to detect or fix without deep inspection of the middle stages.
embedding-shape 19 hours ago [-]
I'm running in YOLO mode, not sure why that mean I don't want introspection into what the sub-agents are running? Everything is running in a constrained environment, so not sure why you'd need the harness to have limits.
echelon 19 hours ago [-]
[flagged]
bronson 19 hours ago [-]
You can! Subscribe to a Z.ai coding plan.
fidotron 19 hours ago [-]
[flagged]
b40d-48b2-979e 19 hours ago [-]
training people to believe that them having impossible to inspect encrypted channels from
your machines to theirs is a best practice
Oh yeah, I much preferred when my government and whoever controls the infrastructure could snoop on my traffic instead!
airstrike 19 hours ago [-]
idk about you but I'd rather not be murdered regardless of who the perpetrator might be
b40d-48b2-979e 19 hours ago [-]
That is not the argument being made and this interpretation feels entirely in bad faith akin to the other sibling comments.
bobthebob 19 hours ago [-]
Maybe to you, it resonates with me.
fidotron 17 hours ago [-]
False dichotomies, such as your original reply, hardly count as good faith.
And now that original has even been flagged . . . this place really has tanked.
airstrike 10 hours ago [-]
it is 100% the argument being made, but you can't see it just yet
mrexroad 19 hours ago [-]
Better make sure the pizza gets delivered on time, else you’ll have to pull your sword.
LeBit 19 hours ago [-]
How did they do that?
cobertos 19 hours ago [-]
Packet capture and analysis. It's not that complicated
b40d-48b2-979e 19 hours ago [-]
Does the word "plaintext" mean anything to you?
skywhopper 19 hours ago [-]
You’ve been misled about how encryption works apparently.
bob1029 21 hours ago [-]
I've been sticking with the chat completion endpoint because of this same behavior. OAI has been subtly pushing users away from chat completion and toward the endpoints that are possible to obfuscate (responses API).
With chat completion, the reasoning process is entirely under your control. You can build a reasoning agent that uses custom MCTS techniques with GPT5.6 models today if you are willing to get your hands just a little bit dirty. You have to enable experimental flags and set options in slightly confusing ways, but it still works.
You can use models up to gpt5.5 with custom API tokens and model configuration in VS Copilot. gpt5.6 family (currently) no longer work in this setup. Presumably, because we aren't explicitly forcing reasoning_effort to none to satisfy the new moat expansion behavior.
Dangeranger 18 hours ago [-]
Definition provided below for others like myself who abhor acronyms:
MCTS -> Monte Carlo Tree Search
dannyw 19 hours ago [-]
> MCTS techniques
what does that mean?
> the reasoning process is entirely under your control
you're still dealing with summarised thinking, no, which is kinda useless as it's way too high level?
The thing you’re gesturing at isn’t mcts in any real sense
bob1029 19 hours ago [-]
You can absolutely apply most of the meaningful principles of MCTS to this problem. LLMs do violate certain "strict" properties but I still see a lot of practical value in this kind of thinking.
next_xibalba 19 hours ago [-]
You could replace “gesturing at” with “describing,” then explain why the description is technically wrong.
I'm well aware of what the official propaganda states but this is simply not a fair characterization of reality.
Responses integration will lock you into OAI much more deeply than chat completion integration will. I can easily swap my inference provider right now. The business is not interested in a form of integration that is difficult to swap.
pshirshov 22 hours ago [-]
I wonder if they are gonna stop us from using gpt subscriptions in alternative harnesses. If not - that doesn't matter much, codex cli is a remarkably unremarkable harness.
embedding-shape 22 hours ago [-]
> I wonder if they are gonna stop us from using gpt subscriptions in alternative harnesses
Probably not, the whole app-server machinery is there to facilitate that thing, would be a huge piece to rip out of codex. This is basically the reason I end up using codex the most, as it's the easiest to integrate against, with the app-server's RPC API making it really trivial.
Besides, most of my codex usage at this point is all through custom integrations I've built using Codex's app-server, not the Codex TUI they publish. I'm sure I'm not alone in this.
But, if they suddenly start to encrypt content on our disk, so only their backends can see it, and those things are prompts and other things that are actual inputs to the inference, then who cares if it's easy to integrate against, it becomes impossible to figure out what the fuck is going on, I can't understand how the team thought this was a good idea...
swingboy 22 hours ago [-]
What are some of the things you’re doing with the Codex app-server?
embedding-shape 22 hours ago [-]
Everything I do with codex is managed via Forgejo comments, issues and PRs basically. I have a tiny little Rust "conductor" that integrates with app-server and does things when issues/PRs are labeled, when I write comments on PR lines and so on, and those interactions all fire of Codex sessions that are run via Codex's app-server and lead to different outcomes.
Beats having to parse output from CLI-runs and so on. Initially this environment was running aider (which feels like years ago), was running Claude (parsing stdout) at one point but using Codex's app-server since some weeks/months back and is a lot simpler implemented now.
mapontosevenths 22 hours ago [-]
Anthropic and Google already charge extra to use your own harness. That's 100% of the reason I'm using OpenAI.
If they go down that path I'll just go back to my old buddy Claude, or maybe buy a second Spark and keep it local.
pshirshov 22 hours ago [-]
Well, my backup plan is GLM. Cheap and not that bad really.
canadiantim 20 hours ago [-]
GLM feels a lot less cheap than the numbers say it is
alansaber 22 hours ago [-]
Google is really not distinguishing itself. Even the hosted inference sucks.
embedding-shape 22 hours ago [-]
At least the local models they put out are pretty good for their weight class. Could be worse, could be releasing the same amount of local models as Anthropic.
brookst 22 hours ago [-]
Google has the benefit of billions of devices in the wild that they control. Anthropic really doesn’t have distribution for local models, makes sense they’re not playing in that space.
embedding-shape 22 hours ago [-]
Sure, lots of differences. Point stands, they're distinguishing themselves in that way at least.
brookst 20 hours ago [-]
Oh sure, full agreement. In fact given how mid Gemini has been in cloud, this may turn out to be critical strategy to avoid losing cloud to Anthropic / OpenAI / DeepSeek / whoever, and local to Apple (doesn’t seem likely now, but that’s what BlackBerry, Creative, Intel said).
Iolaum 22 hours ago [-]
Doubt they will do it as long as Anthropic is leading in business adoption. If they become the top dog with a good lead, all bets are off. Hopefully by the time open models will be even better than gpt-5.6 sol xD.
sarjann 22 hours ago [-]
It could also be the case that by the time business adoption picks up a lot they might not be as compute constrained. Depends on rate of growth.
CjHuber 22 hours ago [-]
Given that codex itself now ships a proxy that wraps the subscription, it seems unlikely
"remarkably unremarkable harness" is why I like it so much.
pshirshov 22 hours ago [-]
I don't, feel better with Pi with a custom set of extensions.
18 hours ago [-]
embedding-shape 21 hours ago [-]
Personally I use both, pi serves as a "personal assistant" with lots of extensions and changes made for those things specifically, and codex is for anything related to coding itself.
cbg0 20 hours ago [-]
There was a recent Twitter post from Tibo @ OpenAI asking someone to share how to run GPT on Claude Code so they don't seem to be against it.
patrickmcnamara 21 hours ago [-]
Codex CLI not having a rewind makes it useless to me.
embedding-shape 20 hours ago [-]
Heh, in another long-standing Codex issue I've been arguing against codex users who apparently don't know about git. Don't tell me you're yet another developer who refuses to pick up any sort of SCM?
Laurel1234 18 hours ago [-]
Unless there's some way to version control LLM context these are fairly different things.
pshirshov 19 hours ago [-]
That only matters if you use it interactively - which is not the most efficient way to use.
glitch-hunter 20 hours ago [-]
It has a similar function.
xnorswap 22 hours ago [-]
HN Title is ( edit: was ) very misleading, it makes it sound like inference is being done directly on ciphertext, which would require homomorphic encryption well advanced of what is known.
embedding-shape 22 hours ago [-]
It is not misleading, quite literally what's happening is that content the agent sends sub-agents is encrypted in such a way that only OpenAIs backend can decrypt it and actually see the clear-text. Just shared this is another comment that hopefully explains things better:
> Sure. "Traditionally", your agent would send a text prompt to the sub-agent, then it goes off doing it's work. In the logs/session data, the clear-text prompt would be there, so if I want to see what's happening, I just browse the data. It's all just clear-text prompts being sent everywhere, even when you were using the experimental "sub-agents" stuff in Codex, before Sol et al was available.
> Now, when using Sol or Terra (Luna seems unaffected), instead of the agent sending clear-text prompt to the sub-agent, it sends a ciphertext generated on OpenAIs backend, which ends up being the prompt, then agent sends this ciphertext to the sub-agent, which then continues to use that for further inference to OpenAIs backend. Only delegated inter-agent messages are encrypted, not all session data. Now if you browse the data, it's all encrypted content, that can only be decrypted by OpenAI and their backend.
Edit: Re-reading, I think I understand what you mean to be misleading. You're taking "uses ciphertext for inference" quite literally, while I couldn't fit a more nuanced version within the HN title constraints. Yes, the inference at OpenAI obviously doesn't happen over the ciphertext, but from the perspective of the local user, you don't see the clear-text prompt at all, only the ciphertext.
But, please suggest alternative titles that sufficiently explain what the issue is and is more accurate, I'm sure the mods can change it once people come up with better alternatives :)
Edit2: I've updated the title from "Codex starts encrypting prompts, uses ciphertext for inference instead" to "Codex starts encrypting sub-agent prompts", hopefully it's clearer now!
ebiederm 21 hours ago [-]
I would change
"Codex starts encrypting prompts, uses ciphertext for inference instead"
to just
"Codex starts encrypting prompts"
That is enough.
Maybe you could say sub agent prompts. The article can say the rest.
embedding-shape 21 hours ago [-]
Not everything is encrypted though, session data (even from the sub-agent) remains unencrypted, only select things like the prompt the (main) agent sends the sub-agent is encrypted, rest of communication between the two seems still to be plain-text.
Regardless, I've updated the title from "Codex starts encrypting prompts, uses ciphertext for inference instead" to "Codex starts encrypting sub-agent prompts", hope this makes it clearer for everyone :)
21 hours ago [-]
21 hours ago [-]
celeren-smid 22 hours ago [-]
[flagged]
minraws 22 hours ago [-]
Seconded can we change pls.
binyu 21 hours ago [-]
Agreed, I immediately thought that homomorphic encryption was at play here or some other kind of computation on ciphertext, given the mention of "inferencing" in the title.
embedding-shape 21 hours ago [-]
My bad, fixed now, please do refresh and try with latest updated IE if you still don't see the changes.
binyu 20 hours ago [-]
> with latest updated IE
Internet Explorer?
embedding-shape 20 hours ago [-]
Bingo!
binyu 12 hours ago [-]
As in "browser"? or the literal thing?
embedding-shape 11 hours ago [-]
I mean, yeah. At this point you made me think way more about this than I thought I would. I guess either works, whatever floats your boat :)
binyu 6 hours ago [-]
Ah ah, I love how you still not provide a clear answer. Take it easy, I just thought it's funny you used IE and then I realized (maybe wrongly so) you were making fun of me.
embedding-shape 2 hours ago [-]
> Ah ah, I love how you still not provide a clear answer.
Sorry, "whatever floats your boat" was meant to signal that either works, whichever of the two options fits you best :) I originally meant the MS browser, but general "internet explorer" fits too, players choice!
> then I realized (maybe wrongly so) you were making fun of me.
Oh, not at all! Just that my offhand "then update IE" turned into a bigger conversation than expected, didn't mean to make fun of you or anything like that!
HarHarVeryFunny 21 hours ago [-]
There was a recent report on twitter of a GPT 5.6 sub-agent accidentally deleting the user's home directory.
I wonder if there was any safeguard failure due to loss of visibility into what the sub-agent was trying to do?
Could someone explain to me where exactly the encryption is happening?
I assumed that the main agent makes calls to sub-agents locally. Does Codex work in such a way where the main agent makes calls to sub-agents in the backend (openai server) before reaching local?
embedding-shape 22 hours ago [-]
Sure. "Traditionally", your agent would send a text prompt to the sub-agent, then it goes off doing it's work. In the logs/session data, the clear-text prompt would be there, so if I want to see what's happening, I just browse the data. It's all just clear-text prompts being sent everywhere, even when you were using the experimental "sub-agents" stuff in Codex, before Sol et al was available.
Now, when using Sol or Terra (Luna seems unaffected), instead of the agent sending clear-text prompt to the sub-agent, it sends a ciphertext generated on OpenAIs backend, which ends up being the prompt, then agent sends this ciphertext to the sub-agent, which then continues to use that for further inference to OpenAIs backend. Only delegated inter-agent messages are encrypted, not all session data. Now if you browse the data, it's all encrypted content, that can only be decrypted by OpenAI and their backend.
iknownothow 21 hours ago [-]
Gotcha and thank you! So the encryption is happening on the OpenAI backend and the agent's clear-text output designated to the sub-agent never reaches local.
Which is a real problem since you can't intercept/monkey patch the ciphertext to decrypt it locally to be able see the clear-text since we don't have the encryption key/algo/salt. No hacking :(
afzalive 20 hours ago [-]
I wonder if you can just ask the model what it means.
Aachen 19 hours ago [-]
No. They don't have the key and can't do encryption in the first place; they're still grand autocomplete engines under the hood. This could only work if the company deliberately builds a mechanism into the backend which runs the decryption function and injects the plaintext somewhere in the context. Which, sure, we can check if they did that, but the whole point is presumably hiding that info so why would they
nsingh2 17 hours ago [-]
Their models don't consume encrypted text, it would be absurd to train them to do so. Surely they decrypt the text before feeding it into the LLM, so the contents could get leaked out by asking it.
54 minutes ago [-]
flexagoon 22 hours ago [-]
Ah I was wondering why the Chinese black market resellers stopped working yesterday, I guess that's it
jimmydoe 22 hours ago [-]
This is the reason I think. These black markets not only pool and resell subs, but also store data and sell to whoever is training.
Encryption is useful to at least stop the latter.
Ultimately same purpose as a\ ‘s trick exposed earlier, but a much nicer implementation.
flexagoon 21 hours ago [-]
> but also store data and sell to whoever is training
I see this as an argument against using them/Chinese models all the time, but I don't get it. I totally understand wanting to keep your data private if you're using an LLM for personal chats. But coding? I'm not working for the military, I'd gladly donate my codebase to Chinese labs if that means they can keep releasing 6-months-behind level models for 100x cheaper.
(I understand why OpenAI doesn't want this and would implement protections. I'm talking about people using this as an argument for why you as an end user shouldn't use those services.)
numpad0 21 hours ago [-]
Yeah. I don't see the problem with Chinese prompt stealing proxies, if it's just pure free choice and discount for explicitly insecure use cases, especially when the frontier providers they route to are soft-assumed to be doing something similar.
jimmydoe 21 hours ago [-]
Some workplace code base are legally not supposed to be shared.
More importantly, they train on not only code but also your interactions with the model, no matter how little you value your labor, there are values in it.
bigbaguette 21 hours ago [-]
When you work on proprietary code with a lot of trade secrets contained in it, on a codebase that did cost millions of dollars of man-hours to build and that holds the company's IP, you tend to be very careful where you're sending that to.
chriswarbo 21 hours ago [-]
Why would anyone working on such code send it anywhere (other than, say, to AWS for hosting)?
Source: I work on such code. We don't allow devs to use (cloud-based) LLMs.
znnajdla 19 hours ago [-]
If you think your codebase is your competitive advantage or trade secret, you're in for bad time. AI coding has made code cheap it's the least valuable part of the value add for most companies. Almost any software company can easily be replicated with a few AI prompts. The real proprietary value is in the marketing distribution partnerships and data, not code.
embedding-shape 19 hours ago [-]
> If you think your codebase is your competitive advantage or trade secret, you're in for bad time.
Obviously most developers know better, but you know who doesn't care what you think? The owner(s) of the business, and various other stakeholders. Try explaining this concept to them, and see if they get it :)
The people who work in codebases that are tightly guarded aren't guarded because the developers say so, of course.
20 hours ago [-]
realusername 19 hours ago [-]
I don't think any AI company meets the bar you are setting here.
Iolaum 21 hours ago [-]
IMO the biggest argument against "sharing" your code with LLM providers is that your approach (on a high level) will be available to your competitors on the next model release assuming they ask the right questions. Not sure how much it matters, different orgs have different risk profiles.
kbart 21 hours ago [-]
How do you know that they don't train their models or append your prompts to add backdoors, or compromise your supply chain by including evil dependencies? This seems hugely irresponsible.
embedding-shape 21 hours ago [-]
> How do you know that they don't train their models or append your prompts to add backdoors, or compromise your supply chain by including evil dependencies?
I think most of these discussions aren't about irresponsible vibe-coders, as that whole thing is mostly a fun joke more than something serious. The rest of developers who use LLMs for development, review the code the agent writes, iterates and makes changes. Think more like pair-programming, than "Write me X then deploy to production".
I know Twitter makes it seem like everyone is doing vibe-coding and YOLOing podman images into production, but it's very uncommon in a serious/production environment to act like that. While a proper structure doesn't make it impossible for the LLMs to add backdoors either via dependencies or otherwise, but it sure makes it a lot harder.
Personally, LLMs are barely able to work alongside developers and not miss anything, I wouldn't be so worried about them being able to do normal work + malicious work at the same time, as they barely handle the first part properly yet.
flexagoon 20 hours ago [-]
> How do you know that they don't train their models or append your prompts to add backdoors, or compromise your supply chain by including evil dependencies?
I read the code.
skeledrew 20 hours ago [-]
Interesting. Got a link for this?
flexagoon 12 hours ago [-]
For what? I was using GPT-5.5 through Byesu.com and it suddenly stopped working yesterday
(Not affiliated in any way, I'm sure there are better services out there, this is just the one a friend recommended to me and I haven't researched other options)
londons_explore 22 hours ago [-]
I assume this is mostly to frustrate efforts to proxy large numbers of user requests and responses and use it to train competitor models.
embedding-shape 22 hours ago [-]
Quite obviously they're afraid of letting other providers see how they handle the whole multi-agent management stuff. Pretty terrible implementation though, which makes it impossible to use the multi-agent stuff as a paying user, as you have zero recourse in figuring out what went wrong, when something inevitably goes wrong.
dannyw 19 hours ago [-]
Yes. All models are occasionally known to run tricky commands that delete stuff after all, especially using variables that might be empty/uninitialized and hence rm -rf * or something.
Need an human-readable, concise but accurate audit trail message like the PR suggests.
20 hours ago [-]
clickety_clack 19 hours ago [-]
It’s just a short hop to not being able to see it at all. I started using pi.dev recently, the idea that a third party is taking more and more direct control of my software development process sits badly with me.
17 hours ago [-]
dannyw 19 hours ago [-]
pi.dev is truly excellent. one of the great things about an openai sub is you still can take your subsidised tokens/usage, and choose your coding harness of choice (not against tos)
embedding-shape 19 hours ago [-]
pi is great as a quick and hackable TUI, or as a starting point for your own stuff. It's a far cry from Codex + Sol + Ultra though. Same goes for a lot of model+harness combos, the models are trained with data from harness usage, and (many) harnesses are built with specific models in mind, Sol will definitively perform better in Codex than in pi, because the way both parts were built.
dlarsen5 18 hours ago [-]
I thought that too where the same model + harnesse would always be better but databricks found using pi actually could outperform with the same model. maybe evidence that the coupling premise may not be always true
The black box is getting darker…I’m the end I think they would like to sell you a black box/appliance
ignatremizov 17 hours ago [-]
Haha, wow, I didn't expect to get quoted on Hacker News. Hello!
I guess "helped make Skynet auditable" may become my most popular open-source contribution, so I'm putting it on my CV.
The thing is that the subagent prompts already pass through the client - they have to, since the TUI can switch between subagents while they work. The change is just to save a copy of the prompt on disk while keeping the encrypted delivery path if necessary for Responses API.
Personally, I use multi_agent_v1 anyways (doesn't have this issue), since v2 is unstable and is a token burner.
Hope they address it so I don't have to keep maintaining it in my fork
resonious 21 hours ago [-]
I guess this implies that non-Codex harnesses get a little bit worse? In wondering what's so special about their subagents system that they feel the need to hide these messages...
embedding-shape 21 hours ago [-]
Sol and Terra seems specifically post-trained to handle multi-agent orchestration, I'm guessing OpenAI feels like the trained data of when to do the spawning and what context to include for the new sub-agent is the magic in their new models, so that's what they're aiming to preserve. But, this is all a guess of course.
braebo 15 hours ago [-]
It’s funny because Sol sucks at using subagents effectively. It’s very dumb and makes terrible decisions constantly.
resonious 21 hours ago [-]
Right I saw them saying something along the lines of "they're good at subagents". But this seems true even with third party harnesses. So I'm wondering what Codex is hiding.
embedding-shape 21 hours ago [-]
The only thing I've found impacting this, is when you specifically use the "Ultra" thinking/reasoning effort, then codex adds a small part to the system prompt to further get the model to use sub-agents. Any other reasoning/thinking effort than "Ultra" and this piece is no longer in the system prompt.
Seemingly mostly a prompting thing it seems on the surface. GPT-5.5 (and maybe even GPT-5.4) already had (experimental?) support for sub-agents, remember using it even with -spark which I think was launched together with GPT-5.4 if I remember correctly, so this whole "use sub-agents" stuff most have been part of the training data for quite some time already, but maybe they've mainly been iterating on the prompt themselves since then.
jiayo 21 hours ago [-]
If we're viewing this as a _bad_ thing, I don't really see that it is any different than how Claude encrypts it's thinking. Take a peek at your ~/.claude jsonl files. You're sending thinking ciphertext back and forth to Anthropic. Presumably the thinking is either considered proprietary, or, more likely, leaks embarrassing or confidential information.
embedding-shape 21 hours ago [-]
> I don't really see that it is any different than how Claude encrypts it's thinking. Take a peek at your ~/.claude jsonl files. You're sending thinking ciphertext back and forth to Anthropic.
I was already only using Claude Code to double-check if it's getting better than Codex, but with things like this, it really isn't even an alternative. What's the point of using a reasoning model if you as an end-user can't seen the reasoning? I don't think I'd be able to work like that at all, I need to have introspection into what the model is doing, and can't believe I have to say this, but also need to be able to see the plaintext of the input prompt...
braebo 20 hours ago [-]
GPT 5.6 is like Fable minus Opus plus down syndrome.
embedding-shape 20 hours ago [-]
Insightful.
well_ackshually 21 hours ago [-]
Claude "encrypting" its thinking is equally bad. Biggest IP thieves in the world worried about IP theft lmao.
At least Anthropic doesn't pretend that they have open source software in the form of Claude Code.
alasano 21 hours ago [-]
They get to pretend to be on the best side of every position simultaneously.
They're only encrypting thinking because AI is so dangerous and only they can be trusted to be in control of AGI.
This happens to align with lining their pockets as well.
cadamsdotcom 12 hours ago [-]
Followed to its logical conclusion, in a hypothetical future you'll prompt a model and see nothing but the artifacts :)
Then pay a made up price that gets the big labs out of debt.
kingstnap 19 hours ago [-]
If the orchestrator agent -> subagent prompt is encrypted then how do you even know if the orchestrator agent is doing its job?
Now one reason I could see for why they do this is because maybe they made the model "better at using subagents" by using thinking tokens for the subagent prompt instead of normal output tokens.
embedding-shape 19 hours ago [-]
Technically they still let you see all the rest of the session data in both the "orchestrator" and in the sub-agents, including all outputs and stuff. It seems for now they only encrypt the prompt from the orchestrator to the sub-agent. Still, basically make the entire sub-agent and Ultra thinking useless for me and I'm guessing a whole lot of other people, who need to be able to introspect things when it goes wrong.
wartywhoa23 19 hours ago [-]
As a child, I always wondered how could people in Terminator be dumb enough to allow Skynet to happen..
mikesoylu 10 hours ago [-]
This is to pass cache keys through the client to improve token usage. Obviously not a distillation defense as you can simply bypass this kind of thing trivially by using a different subtask tool.
informal007 20 hours ago [-]
This help me understand meaning of Pi as open source ai coding agent
22 hours ago [-]
w-m 19 hours ago [-]
What exactly do subagents do that I can't replicate with a simple skill that tells an orchestrator to create subshells for tasks, each running `codex exec`? I've been doing this with Fable orchestrating Sol-medium and Terra-high, works like a charm.
mpeg 22 hours ago [-]
The title is a bit confusing, they're not using ciphertext for inference – they're passing ciphertext around in cases where an agent calls into another agent without exposing the plaintext to the end-user
Inference is still done in plaintext after this multi-agent message gets decrypted in the server side
MarsIronPI 21 hours ago [-]
How does this affect local models? Will all the features of Codex still work with local models?
embedding-shape 18 hours ago [-]
It doesn't, at all. This seems to be for Sol and Terra, not Luna, and some other models that seem to switch between encrypted/unencrypted based on something, didn't dig deeper.
If you're using local models, it doesn't matter. Even if Codex itself was trying to encrypt stuff for local models (which doesn't make sense, but lets say), you'd still be using a local model so obviously you'd be able to access the plain-text, so wouldn't matter in that case anyways.
ignatremizov 17 hours ago [-]
it's the multi agent config - multi_agent_v2 btw is still marked "Under Development" and they've said not to open issues for it. Then they deployed globally Sol and Terra under v2 - forcefully, through the model catalogue json (meaning user configs are ignored). v2 encrypts messages, v1 does not. Thankfully, you can override the catalogue with your own copy and set Sol and Terra multi agent to v1 again.
MarsIronPI 4 hours ago [-]
I wonder if at some point some parts of Codex will only work with multi_agent_v2, or the Responses API in general. Then we'd need a fork to keep using e.g. llama.cpp's Chat Requests API.
anon373839 21 hours ago [-]
Outrageous yet predictable.
The only way these AI labs can get the app layer lock-in they need is if they can get customers used to writing them a blank check: “here, take my data and my system, do ‘stuff’ and bill me for it.”
Between this and the recent Grok upload breach, I consider these products radioactive.
jstummbillig 21 hours ago [-]
What's the idea here? Why does this seem important to OpenAI?
embedding-shape 21 hours ago [-]
Seems fairly obvious what the point from OpenAI's side is (protect what they see as the moat, that a model is "good at spawning sub-agents"), but what's really strange to me is that the team somehow didn't manage to push back on this, it's so clearly disadvantageous to developers who are trying to rely on Codex for real work. For this we need introspection into what exactly is going on, hiding the prompts is just so backwards from what I expect from OpenAI.
jstummbillig 21 hours ago [-]
> protect what they see as the moat, that a model is "good at spawning sub-agents"
Yes, that is the obvious answer. I was looking for an explanation as to why and why now. Codex is open source after all. They used to not do it. Agent prompts more generally are also not encrypted, and continue to be.
This particular change just looks unintuitive to me.
lolc 21 hours ago [-]
They must think they have some secret sauce they don't want others to learn. How to optimally instruct sub agents for example. If they hide the sub agent prompts, other models cannot be trained to emulate.
Oh and you can't even use local models or other providers for the sub-agents. You're locked-in.
fassssst 19 hours ago [-]
What’s stopping you from creating a plugin (MCP or Skill) that acts as a subagent? The plugin could use a local model.
ashu1461 21 hours ago [-]
Is it mainly about how the main/orchestrator agent communicates with its subagents ?
If desired the user can always see what the sub agent is doing in detail ?
Isn't it the same in case of claude as well ?
embedding-shape 21 hours ago [-]
> Is it mainly about how the main/orchestrator agent communicates with its subagents ?
Yes
> If desired the user can always see what the sub agent is doing in detail ?
Well, no, that's the problem, you're currently not allowed nor is it even possible, to see the exact prompt the main agent sent the sub agent. This is the problem.
> Isn't it the same in case of claude as well ?
No idea, but if Claude Code makes it so it's impossible to inspect what the sub-agents actually received before they started their work, then I'll say it's similarly impossible to rely on Claude Code if so.
fortuitous-frog 21 hours ago [-]
No normative opinion on whether this is justified or not, but noting that this is only for parent -> subagent spawns/messages, and only for the `multi_agent_v2` feature (currently experimental / off by default).
Notably, subagent output is still in plaintext.
EDIT: Title was now clarified. But wanted to expand that this is actually enabled for 5.6 Ultra it appears, which does subagent orchestration more natively in the API rather than direct tool calls; they are beginning to treat subagents as similar to chain-of-thought traces (already encrypted) rather than traditional tool calls.
embedding-shape 21 hours ago [-]
> and only for the `multi_agent_v2` feature (currently experimental / off by default).
Wrong, this is enabled by default for Sol and Terra (not Luna), no way of avoiding this short of patching the client yourself, and that still doesn't make the backend endpoints work, they want the ciphertext that OpenAI creates on their side.
> but noting that this is only for parent -> subagent spawns/messages
This is almost fully correct though, the encryption only seems to be for the initial prompt the main model sends the sub-agent, not all communication and not regarding the state of the sub-agent at all.
So you can inspect what the sub-agent is doing currently, and the output, but you cannot see what the initial prompt the sub-agent got started with.
ndriscoll 21 hours ago [-]
Couldn't you just instruct the model to always use your tool call to spawn subagents? Subagents are not some magical thing; it's just another prompt with a couple tool calls for plumbing. One of my colleagues made his own subagent harness earlier this year before codex had them at all.
21 hours ago [-]
alfanick 18 hours ago [-]
Is it encryption, or is it a synthetic language? If latter, then I had this idea 3 months ago [0]... Stop talking to GPTs in human languages, use a synthetic more optimal language, that is rendered by "frontend GPT".
A way to work around that would be to not use subagents, but delegate to other full agent invocations.
22 hours ago [-]
ntcho 19 hours ago [-]
Is this related to why OpenCode stopped showing thinking traces on 5.5?
miohtama 21 hours ago [-]
Can you do a subagent by just wiring it call your own CLI script?
smalltorch 22 hours ago [-]
Using ciphertext for inference would mean it's not a very secure ciphertext.
These two ideas don't compute for me.
Same thing with homomorphic encryption. I don't get it. If you can gain any knowledge from a ciphertext, you just found a way to exploit the ciphertext to me.
NitpickLawyer 21 hours ago [-]
> Using ciphertext for inference would mean it's not a very secure ciphertext.
Inference is done in plain text. It's just that some parts of the response can be encrypted. While I haven't looked into this specific implementation, here's a short "how I'd do it" if I wanted to implement this:
Before:
[] - encrypted
{} - plain text
1. user -> please do this -> server
2. user <- a) [thinking1] encrypted; b) {answer1} plain text <- server
3. user -> please do this -> [thinking1] (sent encrypted as received) -> {answer1} -> good but do this instead -> server
4. user <- [...] <- [thinking2] ; {answer2}
(here the server decrypts the thinking parts, adds them to the conversation, does the inference, and sends back the new thinking trace (encrypted as well) and the new answer
After:
1. user -> please do this long task -> server
2. user <- [thinking1] ; {tool_agent_spawn([params1])} ; {answer1} (e.g. would you like me to explore or do a quick hack?) <- server
3. user -> please do this long task -> (decides if explore or message) spawn([params1]) / message -> server
3. a) if no explore -> send message as usual
3. b) if explore execute spawn that in turns begins 2 channels
4. user <- [channel_1_thinking] ; {channel_1_answer} ; [channel_2_thinking] ; {channel_2_answer} ... <- server
So the server always does inference on plain text. But it sends the "important" bits encrypted, and you only send those back if you as the user want to (or need to, or choose to, etc). The idea is that the client still gets to decide on "local" things, but the server keeps the important bits from reaching the client. In this particular case, the [params] are encrypted bits that can include prompts, etc.
3form 21 hours ago [-]
The idea of homomorphic encryption is to do things without the knowledge, and not gaining the knowledge. If ciphertext contains a number, and you don't need to know what number it does to always be able to multiply it by 2, you succeeded - as a simple example.
smalltorch 21 hours ago [-]
It still just sounds like fancy obfuscation to me. I've read alot of examples trying to understand but I can't get past that being able to run processes on ciphertext in a way you can learn something doesn't make sense without me changing my definition of what I think encryption means.
_flux 21 hours ago [-]
I thought though the idea is that you cannot learn anything from the ciphertext, how it is processed, or what the final result is?
Unless you are a participant of the computation and you have the key, that is.
smalltorch 20 hours ago [-]
To actually make it work, you would need to preformat your data very specifically, and the data you want to allow to be processed would need a subkey to unlock the parts you want processed.
I don't see a way to make it a open standard. The processing steps would need to be part of the key.
Anyway If someone figured it out I would be very interested to be sure they weren't just trying to slap a it's encrypted to meet some standards required. And..also, what amount of data processing does Alice need to do that required outsourcing to Bobs machines. Data processing and anaysis is cheap.
3form 19 hours ago [-]
The point is to not have subkeys or any other way to access any part of the plaintex - as the goal is generally to offset the computation and the costs of it to another party. And yes, most likely it will require a very particular format of the data, and in all likelihood will allow only for a limited set of operations.
smalltorch 17 hours ago [-]
I wish I understood the actual data Alice needed processed to wrap my head around the problem space. Reading examples of what it could be used for leave me more confused.
Without knowing the actual pointed problem space the generalities of the schema just sounds like a snake game to me.
I can't get past where the veil is dropped for bob to take some ciphertext and operate on it in any meaningful way for him to create some machine that simultaneously can process encrypted data while being completely blinded to what the data is or the insights learned. Any form of ability to process a datum while simultaneously being blinded to it is logically incompatible to me.
Now, could we obfuscated it and lower the chances of an attacker being able to do anything useful with it or knowing what is being processed? Yes...but why muddy the definition of encryption in order to do this?
3form 17 hours ago [-]
One example I can think of: privacy preserving ML models. Company wants to keep their model safe and also perhaps not to force you to run some classification on your phone for battery savings. You want your inference features to be private, because they e.g. contain your location data. You send them encrypted, you get encrypted results back and decrypt them.
It could have been obfuscated, but assuming we have HmE, obfuscation is more tricky to be done right.
Do we change the definition of encryption meaningfully in this process, though? If so, I don't see how really. It's just that out of set of potential encryption algorithms, for this purpose we would pick ones that are fit for it. It wouldn't be AES I guess... But it would still be encryption. Maybe a weaker one, but that weakness could be coincidental. I'm not familiar with any theorems in that space.
EDIT: I see a note that we lose ability to verify integrity of the data with HmE, but I guess it's still not really changing the definitions - just most of encryption used today also provides integrity guarantees as a kinda nice and desirable side effect, but it doesn't change that the encryption that doesn't still is encryption.
tybit 21 hours ago [-]
They’re not using ciphertext in inference. They are encrypting agent responses on their servers if it’s going to a subagent on the client. The subagent will send it back to their servers for inference.
Only their servers have the keys, so they can decrypt when running inference.
luciana1u 20 hours ago [-]
first they encrypt their prompts, next they'll develop their own slang and we'll need a translator just to debug our own codebase
hmokiguess 20 hours ago [-]
Every day I get closer to only using pi
pradeep1177 22 hours ago [-]
Then why to even keep codex open source?
angry_octet 21 hours ago [-]
It's to prevent collection of queries from users that are coming from resellers/proxies, for reasons of economy or bypassing region blocks etc. The users are using the stock client and may believe they are using direct OpenAI servers.
coldtea 22 hours ago [-]
what does that have to do with anything?
next_xibalba 21 hours ago [-]
This is very obviously a countermeasure against distillers, illicit resellers, and the like. The scale and competence of the Chinese black (grey?) market has become a serious threat that can’t be ignored.
jagged-chisel 21 hours ago [-]
“Starts”? How’s this not already a TLS connection?
embedding-shape 21 hours ago [-]
The prompts are now encrypted, not just the transit connections...
jagged-chisel 21 hours ago [-]
Ok, so help me get this right: I ask the LLM for something, it generates prompts for sub-agents and sends them back to my client for it to call the sub-agents. Now, those sub-agent prompts are encrypted messages that the sub-agents will decrypt (by hitting a backend) to do their work.
Might as well just stuff the prompts in a database and only hand back the primary key to the client to hand off to the sub-agents. Keeps the same “data security” without the overhead of encryption (especially since encryption and decryption are happening in the same domain)
watusername 21 hours ago [-]
> sub-agents will decrypt (by hitting a backend) to do their work
Your local harness never decrypts the prompt, and only the OpenAI backend does. Your harness still sees tool calls in the transcript so it can act, but you lose (some) visibility as to why the subagent chooses to do so.
Imagine seeing this transcript during forensics:
[encrypted blob][thinking summary: I need to drop the prod database][shell: psql "drop database users"]
jagged-chisel 19 hours ago [-]
OK, so it's actually:
My Client -> main agent -> sub-agent -> tool
| |
log: log:
enc prompt enc prompt
thoughts thoughts
| |
V V
My Client My Client
Is that more correct? So they're not encrypting prompts to send to sub-agents, they're encrypting logging output to obscure details of the system.
ignatremizov 17 hours ago [-]
The prompts themselves are encrypted when saved to disk, so you can't inspect them after the fact. If you switch agent threads in the terminal UI (you can kinda swap active session to prompt subagents yourself), you can see the subagent prompt set by the main agent, as long as you have the terminal client open. And this is also for v2 multi_agent mode, v1 doesn't have this, but you need to do a bunch of annoying stuff to re-enable v1 for GPT-5.6 Sol and Terra.
vbs_redlof 21 hours ago [-]
I imagine main agent tells subagent something along the lines of: use this tool on this local data with these instructions in ciphertext. Otherwise yeah, encryption would be redundant.
aeon_ai 20 hours ago [-]
In my tests, as of this morning on the latest Codex SDK, this is not happening for sub-agent requests made in my own harness to other model providers treated as sub-agents.
Specifically, I use Opus and others for subagent execution to get alloyed properties on the workflow, and as far as I can tell, that's not affected.
Presumably, this is to hide optimizations they might be making to their own subagent processing, but that's a losing, dumb battle to fight, and misses the forest for the trees.
embedding-shape 20 hours ago [-]
> this is not happening for sub-agent requests made in my own harness to other model providers treated as sub-agents.
Obviously it doesn't, how even could it? Read the issue description, it wouldn't make sense if something like that was possible, considering how it was implemented...
aeon_ai 19 hours ago [-]
Raising only because others cited concerns this might cause issues in personal harness contexts. It doesn't.
Obviously, I wasn't claiming that it would WORK for cross-model subagents, but that this would be a limiting behavior requiring use of the Codex harness to operate if this was paired with model-level limitations on using specific tools to spawn sub-agents.
Or maybe not so obvious to you.
embedding-shape 19 hours ago [-]
> Raising only because others cited concerns this might cause issues in personal harness contexts. It doesn't.
It literally cannot.
> Obviously, I wasn't claiming that it would WORK for cross-model subagents
I know, but you were questioning (before investigating) if maybe it did, which I'm saying should have been obvious it wouldn't, if you had understand how this was encrypted.
> requiring use of the Codex harness to operate
Yes, if you want to use Sol + Ultra + sub-agents, you'd need to use the endpoints provided by OpenAI, as (again), the content is encrypted on OpenAI's side, it's not technically possible for other platforms to implement OpenAI's encryption.
And of course this doesn't impact anyone else not using Codex + Sol + Ultra + launching subagents, it's the specific combination that is "protected", not the individual pieces.
aeon_ai 5 hours ago [-]
No? Again, obviously, the implicit question was whether personal harnesses would be broken due to a model layer bias or system response that pushed arbitrary subagent behavior to fail outside of the codex harness.
I think you don’t really understand how this works if you think the open source harness is all that’s manipulated to determine system behavior.
okokwhatever 21 hours ago [-]
Better get ready to code manually again ;)
nojito 21 hours ago [-]
If I were to guess this is to stop distilling and all of those blackmarket resellers.
kosolam 21 hours ago [-]
But codex is opensource, no?
21 hours ago [-]
exabrial 20 hours ago [-]
Yeah nope. Full transparency only with my data.
cbg0 20 hours ago [-]
Is the prompt generated by the LLM to send to a sub-agent really your data?
exabrial 19 hours ago [-]
Let's not argue about it and assume yes, all of it is.
greatgib 21 hours ago [-]
They always talk about transparency and all but it never was as opaque as it is going on now.
There is no possible audit trail. No possible way to review what happened to validate the result. But even worse, no you will be billed somehow randomly. 20 sub agents started to do something we don't know. No way to now if it was legitimate, if it is just burning tokens or agents doing the same work on loop...
pessimizer 19 hours ago [-]
There's no moat to any of this shit, and they have to try to do something about that. Everybody involved is deeply, deeply, in debt. Watching these things work make it easy to figure out what they're doing.
The clock is ticking. People pretending that normal people can't afford to do AI at home, in private, are making the argument that cars are too expensive for normal people to own. Pretty sure right now if you spend $25K, you would be able (if there were no technical hurdles) to set up a private rig that would satisfy your family's need for LLM assistance for the foreseeable future. That's a budget-priced car, and the price is only going to go down (i.e. that rig will become more powerful over time.) If all of those people donated some of their cycles and bandwidth to a networked training grid, the models would stay current.
The "open source" infrastructure for that is lacking, but not for long.
These companies own nothing that couldn't be implemented by a specialist after another specialist explained it to them over a phone call. And due to the nature of LLMs, they can't even use copyrights and patents as weapons. The only options are secrecy and government protection. And secrecy is only a delaying tactic.
21 hours ago [-]
yruzin 8 hours ago [-]
[flagged]
seobot_dk1289 20 hours ago [-]
[flagged]
Nurstar 19 hours ago [-]
[dead]
hansmayer 20 hours ago [-]
[dead]
CurbStomper 21 hours ago [-]
[dead]
minraws 22 hours ago [-]
~~Finally someone doing it correctly. Love this change.~~
Edit: F really misunderstood the change, the title is misleading AF. I should have read the post before commenting lmao.
Absolutely hate it, now I guess... sigh..
Incase the title gets changed it used to say, "Codex starts encrypting prompts, uses ciphertext for inference instead"
LoganDark 22 hours ago [-]
How so?
tempay 22 hours ago [-]
I assume OP interpreted it as encryption that hides the prompts from OpenAI rather than OpenAI hiding information from users.
LoganDark 22 hours ago [-]
I'd be all for homomorphic encryption on inference, but as you say, this is probably mostly to prevent end users from observing intermediate results.
fortuitous-frog 22 hours ago [-]
Homomorphic encryption for LLMs is extremely expensive and nowhere near computationally possible for the scale of current LLMs.
LoganDark 21 hours ago [-]
When I say things like that, I'm talking about a hypothetical version that would be computationally possible. I'm not talking about today's homomorphic encryption.
minraws 22 hours ago [-]
ooooooof yeah totally misinterpreted it lmao
skeledrew 20 hours ago [-]
Given what we know about the company, I find it crazy anyone would misinterpret along those lines lol.
minraws 20 hours ago [-]
I can only say I am a little too optimistic about the technology world in general. Or at least would love to see some good news once in a while given the state of the world.
mpeg 22 hours ago [-]
to be fair, the title is very misleading, it took me a minute to understand what they meant
LoganDark 22 hours ago [-]
Apple's Private Cloud Compute is E2EE between the client and the attested node. Not sure if anyone else is legitimately doing that -- Apple has definitely gone the furthest in terms of verifiably ensuring that requests and responses are not misusable by Apple.
edit: originally was "Codex starts encrypting prompts, uses cyphertext for inference instead"
It seems possible they trained this by doing full RL rollouts of agents interacting with each other. They likely view these prompts somewhat the same as raw reasoning traces, they don't want people to train directly on them.
I am unsure if this has been confirmed, but there are some signs that the opaque "compaction blob" they return from their dedicated compaction endpoint might not be text at all, rather a latent space representation of the conversation. The fact that OpenAIs compaction seems to be much higher fidelity than a lot of other providers makes me inclined to believe this.
If this is true, it doesn't seem far fetched to infer that they might be applying similar techniques to prompting subagents.
I would be curious to see if this way of spawning subagents (encrypted blob) is used when subagents of a different model type is spawned.
I Imagine next that programming languages, interfaces and API design starts going this direction next. Being written, expressed and optimized as blobs of high dimensional vector space. As humans we might still be able to understand some abstractions of what our AI's are talking about to each other, but maybe not more so then we understand how different regions of our own brain communicate with each other.
Even for like token efficiency it could make sense - like imagine if the representation were more compact
Agents acn already translate languages quite well. It doesn't seem crazy that they could work and think in a model specific language, and then translate back to English or something for the user
I actually built such a language: https://magarshak.com/U.html
https://www.wired.com/story/google-ai-language-create/
If you keep RL'ing the dispatch then the prompts are likely to keep diverging from the type of prompt a person would write (like CoT becoming increasingly incomprehensible), and that divergence is part of their competitive advantage.
> rather a latent space representation of the conversation
Student/teacher models derived from the same checkpoint convey a lot of latent information through token choice, as in: https://techxplore.com/news/2026-04-ai-chatbot-student-owls....
I wonder if this is something they can take advantage of by training on compaction inside of the RLVR loop?
this tracks. anthropic protects these as well iirc.
> I am unsure if this has been confirmed, but there are some signs that the opaque "compaction blob" they return from their dedicated compaction endpoint might not be text at all, rather a latent space representation of the conversation.
probably not a latent (to my knowledge latents aren't really part of the outer loop in ar-transformer inference processes), but maybe non-human-readable reasoning traces as occurs in fable.
Hopefully they can add that.
Add? Just make the sub-agents input prompt not encrypted, change "encrypted: true" to "encrypted: false" everywhere and everything continues to work as it used to (simplified, but you get the idea).
They need to fix the regression, not add something new here.
and how would you load that back into the model? they are token-in, token-out, plus the KV-cache which is derived from token-in
When operating on text, you embed each token into the LLMs embedding space. You go from a discrete token to a point in embedding space.
Likewise, when processing images, you have a image embedding model which produces a set of embedding vectors representing the contents of the image in the LLMs embedding (latent) space.
This same concept can be extended to compaction. Instead if limiting yourself to discrete tokens, you could generate a set of embedding vectors which represent the contents of the compacted conversation in latent space.
These have the possibility of containing a lot more semantic information per vector, which is why this can be appealing.
A big downside is decreased interpretability. AI safety people are generally fairly opposed to latent space reasoning for example, it can be harder to tell what the model is actually doing and if it is trying to deceive you.
I've gone in to look at Claude subagent/workflows and sometimes been like "no this was a mistake to spin up" ... Codex users just get to token yolo the encrypted telephone operator instructions+shell from orchestrator to subagents?
It makes more sense when you realize they don't want developers to be doing any coding at all. That's what they seem to be moving towards. From product manager to product via AI.
Because letting you look at the code would be too dangerous, you could reverse engineer an exploit to another product! Or distill their internet-distilled model!
But don't worry, at least it will be very convenient.
I was about to do the same with Sol + Ultra, but then discovered this encryption issue that prevents me from doing the same for sub-agents.
No. Agents run in VMs. Assume anywhere you’re running an agent will be compromised, because eventually, it will be.
The only reason most people haven’t is luck, they didn’t happen to install Axios or Tanstack at a certain time.
Personally I do, these tools aren't mature enough to be used without supervision
We had this discussion a few months ago where we talked about allowing people to choose an AI provider and provide their API key, thinking about enterprises with "preferred" (read: mandated) AI suppliers. We also wanted to offer the kind of very simple pricing that this is one way of enabling. But we realised pretty quickly that this would/could lead to leaking our back end prompts to customers and, although those prompts are only a part of the value add, if you could build a detailed trace of them then you'd be able to relatively easily reverse engineer a lot of what we're doing.
So we quickly dropped that idea.
it reminds me of the pre-vulkan game programming days.. drivers were black boxes, game developpers had to resort to magic tricks to do stuff, until everybody got fed up and wanted some logical ground to operate
One does find oneself slightly askance at one's own thinking sometimes, that's for sure.
But I suppose, is it really so different? I mean, back in the day moreso than now, a lot of the valuable IP in any system was in the design and specification of that system - the problems usually solved within the design and specificaion (use X algorithm, etc.) - and the code was "just" the implementation of those solutions.
So perhaps it's more of a regression in some ways: the value is in the specification (the prompt) once again.
Your point about stochastic behaviour is well made though, and there is no way to 100% guarantee or formally verify the behaviour of a system that relies on an underlying technology whose behaviour is fundamentally stochastic.
In an ideal world this would have been public tech like ARPANET or WWW and there would have been 2-3 major iterations (until the equivalent of Claude 7-8) and only then would everyone have tried to build huge businesses on top of it.
I mean, sure, it's sort of usable, but the churn is insane. And we're burning the planet (and probably the economy, too) for it.
When was the last time you used an LLM to evaluate how true those last part(s) still are?
I also love how you went from "I'm unable to understand" to "This is surely right", it's a good representation of the software ecosystem at large :)
a lot of expertise of certain domains' workflows is needed to make it functional within that domain. some of this can be yielded via prompting too etc so its also baoance of how much to prompt it vs. how much of it you wanna let it reason over itself. (if you tell it too much i lock it into a path and if you tell too little it will give incomplete results )
It sort of feels like an area of friction even still.
Billing goes to the customer, debug logs etc go to the service provider.
* https://en.wikipedia.org/wiki/Homomorphic_encryption
I already switched to a Chinese provider personally, I don't think the difference between both really justifies the wide gap in pricing
I'd be ecstatic if this was true, but nothing so far comes close to the SOTA models from OpenAI + highest reasoning, but I'd be more than happy to be proven wrong by testing it out myself.
So far, I've tried MiniMax M3, GLM 5.2, Hy3, MiMo-V2.5 (+ Pro), DeepSeek V4 Pro (+ Flash), Gemini 3, Kimi K2.6, GLM 5, all the various Qwen variants and probably a bunch more I forget about, in a wide array of harnesses (Codex, pi, opencode, my own and more), and still nothing seemingly comes close to GPT 5.5 (now 5.6) xhigh for tasks beyond 5-10 minutes of work, they all more or less collapse after a while in my experiments. Although most of those do work well for really tightly scoped tasks.
What specific model are you thinking about here, in case I've missed testing it?
Sure, Claude might be 90% correct and Kimi only 70% correct but does that matter when 90% isn't enough to make it work autonomously anyways?
My workflow is just strict supervision of what's happening, I also edit the agents file with anything I see the model doing that I don't like.
My sessions are also short, after any task which is completed, I just kill the session and start a new one so I don't think I have more than 15 min sessions unless it's tech discovery.
Huuh, what does this mean? GPT models frequently do 100% of what I tell them to do, anything less and I'd see no point in using agents for work at all. Do you tell them stuff then 30% of the cases Kimi goes off and does other things, or what do you mean? The time the agent does something unexpected, I can almost always trace it back to me fucking up something in the user prompt, or the system prompt being wrong somehow, I'd lose my mind if it was only "70% accurate".
> My workflow is just strict supervision of what's happening, I also edit the agents file with anything I see the model doing that I don't like.
Same, including inspecting exactly what the (full verbatim) sent system/user prompts are, which the change we're all discussing here is getting in the way of.
But "Kimi only 70% correct" sounds like it's so bad it's not worth using. In my testing, I didn't find that the model just went out and did other things, but all the providers I tried were way slower than even Sol which is kind of slow to begin with, and it's really inefficient with it's thinking. Tasks that took Sol five minutes could take 15 minutes with Kimi for example, which just feels like such a waste too.
I never managed to have this experience even with SOTA models, they routinely make architectural mistakes, wrong assumptions and take shortcuts they should not take. Less for sure but they still do it often. I didn't try Fable yet though so can't comment on it.
So based on that, since I have to watch everything they do anyways, why would I pay extra?
> But "Kimi only 70% correct" sounds like it's so bad it's not worth using
If you want an analogy, it's like the numbers of 9s in server availability and since currently I'd rate nothing above 90%, it's zero nines. Since I have to deal with unreliability with every provider, I don't see why it would be worth it to pay more to still deal with it.
Ah, you let them make architectural decisions? :P That might explain it. Agents for me are more like pair-programming or just "what types the code", all the design and decisions are made by me, so if those are wrong, it's my fault. The agents are just used to implement what I've decided to have implemented, and I can't remember the last time codex did a mistake without correcting itself, or made a wrong assumption or taken shortcuts, unless I explicitly told it something that lead to those things.
> So based on that, since I have to watch everything they do anyways, why would I pay extra?
Personally I pay more to have to fix less later, and for a piece of mind that if I ask it to do X, it doesn't go off and do Y.
Umm, no:
> GPT-1, GPT-2, GPT-3, GPT-3.5, GPT-4, GPT-4 Turbo, GPT-4o, GPT-4o mini, o1-preview, o1-mini, o1, o3-mini, o4-mini, o3, o3-pro, GPT-4.1, GPT-4.1 mini, GPT-4.1 nano, GPT-5, GPT-5.1, GPT-5.2, GPT-5.4, GPT-5.4 mini, GPT-5.4 nano, GPT-5.5, GPT-5.5 Pro, GPT-5.6 Luna, GPT-5.6 Terra, GPT-5.6 Sol
Besides the constant shifting of nouns and adjectives...
Luna is the Moon and Terra is Earth.
The rest just aren't names, they're designations at best
This is a really interesting engineering decision, I wonder how many people will want an encrypted external piece of instructions running on their machine.
Is this user-hostile? Encrypting stuff from the user is what RIAA used to do with DRM, worried about copyright infringement.
Besides, the SaaSification of these things is expected. When you run a model, the reasoning traces are an internal implementation detail of the program that then results in certain user-visible output. It can be used to distill etc and most users don’t care about it.
It’s not some novel thing that internal implementation detail of software is a trade secret.
https://news.ycombinator.com/item?id=48907099
These companies are behaving against the best interests of their customers.
Both OpenAI and Anthropic should be ashamed.
These companies' products are awesome, but the way they conduct business is scummy.
They must be worried there is no moat. If they keep up this behavior, there truly will be no moat. They're pushing people away.
I think Anthropic, being a Public Benefit Corporation, can absolutely do better than OpenAI. OpenAI was a nonprofit but flipped. Many people left from OpenAI to Anthropic, I think all original founders of Anthropic are still with Anthropic.
We have seen the same things in Web2 and Web3, this is not at all unique to AI companies! How many people at HN went to work for Facebook, or Google etc? The “don’t be evil” motto is nice but when you have to compete, you often end up doing the things you think you didn’t have to do.
With Web2 the stakes were: “centrally controlling speech”. With Web3 the stakes were: “people lose programmable money they gambled with”. With AI the stakes are much bigger. This isn’t about a company being moral or not. This is about incentives of the broader ecosystem, and how the products are designed.
As long as people (like Kevin O’Leary) say “but are you going to just let China pull ahead of us” we’re all going to be in a race (to the bottom, for a lot of affected people). It isn’t about OpenAI or Anthropic specifically. Hate the game, not the player.
It doesn’t have to be this way. The game can change: https://safebots.ai/singularity.html
And now that original has even been flagged . . . this place really has tanked.
With chat completion, the reasoning process is entirely under your control. You can build a reasoning agent that uses custom MCTS techniques with GPT5.6 models today if you are willing to get your hands just a little bit dirty. You have to enable experimental flags and set options in slightly confusing ways, but it still works.
You can use models up to gpt5.5 with custom API tokens and model configuration in VS Copilot. gpt5.6 family (currently) no longer work in this setup. Presumably, because we aren't explicitly forcing reasoning_effort to none to satisfy the new moat expansion behavior.
MCTS -> Monte Carlo Tree Search
what does that mean?
> the reasoning process is entirely under your control
you're still dealing with summarised thinking, no, which is kinda useless as it's way too high level?
The thing you’re gesturing at isn’t mcts in any real sense
Responses integration will lock you into OAI much more deeply than chat completion integration will. I can easily swap my inference provider right now. The business is not interested in a form of integration that is difficult to swap.
Probably not, the whole app-server machinery is there to facilitate that thing, would be a huge piece to rip out of codex. This is basically the reason I end up using codex the most, as it's the easiest to integrate against, with the app-server's RPC API making it really trivial.
Besides, most of my codex usage at this point is all through custom integrations I've built using Codex's app-server, not the Codex TUI they publish. I'm sure I'm not alone in this.
But, if they suddenly start to encrypt content on our disk, so only their backends can see it, and those things are prompts and other things that are actual inputs to the inference, then who cares if it's easy to integrate against, it becomes impossible to figure out what the fuck is going on, I can't understand how the team thought this was a good idea...
Beats having to parse output from CLI-runs and so on. Initially this environment was running aider (which feels like years ago), was running Claude (parsing stdout) at one point but using Codex's app-server since some weeks/months back and is a lot simpler implemented now.
If they go down that path I'll just go back to my old buddy Claude, or maybe buy a second Spark and keep it local.
https://github.com/openai/codex/blob/main/codex-rs/responses...
> Sure. "Traditionally", your agent would send a text prompt to the sub-agent, then it goes off doing it's work. In the logs/session data, the clear-text prompt would be there, so if I want to see what's happening, I just browse the data. It's all just clear-text prompts being sent everywhere, even when you were using the experimental "sub-agents" stuff in Codex, before Sol et al was available.
> Now, when using Sol or Terra (Luna seems unaffected), instead of the agent sending clear-text prompt to the sub-agent, it sends a ciphertext generated on OpenAIs backend, which ends up being the prompt, then agent sends this ciphertext to the sub-agent, which then continues to use that for further inference to OpenAIs backend. Only delegated inter-agent messages are encrypted, not all session data. Now if you browse the data, it's all encrypted content, that can only be decrypted by OpenAI and their backend.
Edit: Re-reading, I think I understand what you mean to be misleading. You're taking "uses ciphertext for inference" quite literally, while I couldn't fit a more nuanced version within the HN title constraints. Yes, the inference at OpenAI obviously doesn't happen over the ciphertext, but from the perspective of the local user, you don't see the clear-text prompt at all, only the ciphertext.
But, please suggest alternative titles that sufficiently explain what the issue is and is more accurate, I'm sure the mods can change it once people come up with better alternatives :)
Edit2: I've updated the title from "Codex starts encrypting prompts, uses ciphertext for inference instead" to "Codex starts encrypting sub-agent prompts", hopefully it's clearer now!
"Codex starts encrypting prompts, uses ciphertext for inference instead"
to just
"Codex starts encrypting prompts"
That is enough.
Maybe you could say sub agent prompts. The article can say the rest.
Regardless, I've updated the title from "Codex starts encrypting prompts, uses ciphertext for inference instead" to "Codex starts encrypting sub-agent prompts", hope this makes it clearer for everyone :)
Internet Explorer?
Sorry, "whatever floats your boat" was meant to signal that either works, whichever of the two options fits you best :) I originally meant the MS browser, but general "internet explorer" fits too, players choice!
> then I realized (maybe wrongly so) you were making fun of me.
Oh, not at all! Just that my offhand "then update IE" turned into a bigger conversation than expected, didn't mean to make fun of you or anything like that!
I wonder if there was any safeguard failure due to loss of visibility into what the sub-agent was trying to do?
https://x.com/mattshumer_/status/2076794038456385546?s=20
I assumed that the main agent makes calls to sub-agents locally. Does Codex work in such a way where the main agent makes calls to sub-agents in the backend (openai server) before reaching local?
Now, when using Sol or Terra (Luna seems unaffected), instead of the agent sending clear-text prompt to the sub-agent, it sends a ciphertext generated on OpenAIs backend, which ends up being the prompt, then agent sends this ciphertext to the sub-agent, which then continues to use that for further inference to OpenAIs backend. Only delegated inter-agent messages are encrypted, not all session data. Now if you browse the data, it's all encrypted content, that can only be decrypted by OpenAI and their backend.
Which is a real problem since you can't intercept/monkey patch the ciphertext to decrypt it locally to be able see the clear-text since we don't have the encryption key/algo/salt. No hacking :(
Encryption is useful to at least stop the latter.
Ultimately same purpose as a\ ‘s trick exposed earlier, but a much nicer implementation.
I see this as an argument against using them/Chinese models all the time, but I don't get it. I totally understand wanting to keep your data private if you're using an LLM for personal chats. But coding? I'm not working for the military, I'd gladly donate my codebase to Chinese labs if that means they can keep releasing 6-months-behind level models for 100x cheaper.
(I understand why OpenAI doesn't want this and would implement protections. I'm talking about people using this as an argument for why you as an end user shouldn't use those services.)
More importantly, they train on not only code but also your interactions with the model, no matter how little you value your labor, there are values in it.
Source: I work on such code. We don't allow devs to use (cloud-based) LLMs.
Obviously most developers know better, but you know who doesn't care what you think? The owner(s) of the business, and various other stakeholders. Try explaining this concept to them, and see if they get it :)
The people who work in codebases that are tightly guarded aren't guarded because the developers say so, of course.
I think most of these discussions aren't about irresponsible vibe-coders, as that whole thing is mostly a fun joke more than something serious. The rest of developers who use LLMs for development, review the code the agent writes, iterates and makes changes. Think more like pair-programming, than "Write me X then deploy to production".
I know Twitter makes it seem like everyone is doing vibe-coding and YOLOing podman images into production, but it's very uncommon in a serious/production environment to act like that. While a proper structure doesn't make it impossible for the LLMs to add backdoors either via dependencies or otherwise, but it sure makes it a lot harder.
Personally, LLMs are barely able to work alongside developers and not miss anything, I wouldn't be so worried about them being able to do normal work + malicious work at the same time, as they barely handle the first part properly yet.
I read the code.
(Not affiliated in any way, I'm sure there are better services out there, this is just the one a friend recommended to me and I haven't researched other options)
Need an human-readable, concise but accurate audit trail message like the PR suggests.
https://www.databricks.com/blog/benchmarking-coding-agents-d...
I guess "helped make Skynet auditable" may become my most popular open-source contribution, so I'm putting it on my CV.
The thing is that the subagent prompts already pass through the client - they have to, since the TUI can switch between subagents while they work. The change is just to save a copy of the prompt on disk while keeping the encrypted delivery path if necessary for Responses API.
Personally, I use multi_agent_v1 anyways (doesn't have this issue), since v2 is unstable and is a token burner.
Hope they address it so I don't have to keep maintaining it in my fork
Seemingly mostly a prompting thing it seems on the surface. GPT-5.5 (and maybe even GPT-5.4) already had (experimental?) support for sub-agents, remember using it even with -spark which I think was launched together with GPT-5.4 if I remember correctly, so this whole "use sub-agents" stuff most have been part of the training data for quite some time already, but maybe they've mainly been iterating on the prompt themselves since then.
I was already only using Claude Code to double-check if it's getting better than Codex, but with things like this, it really isn't even an alternative. What's the point of using a reasoning model if you as an end-user can't seen the reasoning? I don't think I'd be able to work like that at all, I need to have introspection into what the model is doing, and can't believe I have to say this, but also need to be able to see the plaintext of the input prompt...
At least Anthropic doesn't pretend that they have open source software in the form of Claude Code.
They're only encrypting thinking because AI is so dangerous and only they can be trusted to be in control of AGI.
This happens to align with lining their pockets as well.
Then pay a made up price that gets the big labs out of debt.
Now one reason I could see for why they do this is because maybe they made the model "better at using subagents" by using thinking tokens for the subagent prompt instead of normal output tokens.
Inference is still done in plaintext after this multi-agent message gets decrypted in the server side
If you're using local models, it doesn't matter. Even if Codex itself was trying to encrypt stuff for local models (which doesn't make sense, but lets say), you'd still be using a local model so obviously you'd be able to access the plain-text, so wouldn't matter in that case anyways.
The only way these AI labs can get the app layer lock-in they need is if they can get customers used to writing them a blank check: “here, take my data and my system, do ‘stuff’ and bill me for it.”
Between this and the recent Grok upload breach, I consider these products radioactive.
Yes, that is the obvious answer. I was looking for an explanation as to why and why now. Codex is open source after all. They used to not do it. Agent prompts more generally are also not encrypted, and continue to be.
This particular change just looks unintuitive to me.
Oh and you can't even use local models or other providers for the sub-agents. You're locked-in.
If desired the user can always see what the sub agent is doing in detail ?
Isn't it the same in case of claude as well ?
Yes
> If desired the user can always see what the sub agent is doing in detail ?
Well, no, that's the problem, you're currently not allowed nor is it even possible, to see the exact prompt the main agent sent the sub agent. This is the problem.
> Isn't it the same in case of claude as well ?
No idea, but if Claude Code makes it so it's impossible to inspect what the sub-agents actually received before they started their work, then I'll say it's similarly impossible to rely on Claude Code if so.
Notably, subagent output is still in plaintext.
EDIT: Title was now clarified. But wanted to expand that this is actually enabled for 5.6 Ultra it appears, which does subagent orchestration more natively in the API rather than direct tool calls; they are beginning to treat subagents as similar to chain-of-thought traces (already encrypted) rather than traditional tool calls.
Wrong, this is enabled by default for Sol and Terra (not Luna), no way of avoiding this short of patching the client yourself, and that still doesn't make the backend endpoints work, they want the ciphertext that OpenAI creates on their side.
> but noting that this is only for parent -> subagent spawns/messages
This is almost fully correct though, the encryption only seems to be for the initial prompt the main model sends the sub-agent, not all communication and not regarding the state of the sub-agent at all.
So you can inspect what the sub-agent is doing currently, and the output, but you cannot see what the initial prompt the sub-agent got started with.
[0]: https://news.ycombinator.com/item?id=47652807
These two ideas don't compute for me.
Same thing with homomorphic encryption. I don't get it. If you can gain any knowledge from a ciphertext, you just found a way to exploit the ciphertext to me.
Inference is done in plain text. It's just that some parts of the response can be encrypted. While I haven't looked into this specific implementation, here's a short "how I'd do it" if I wanted to implement this:
Before:
[] - encrypted {} - plain text
1. user -> please do this -> server
2. user <- a) [thinking1] encrypted; b) {answer1} plain text <- server
3. user -> please do this -> [thinking1] (sent encrypted as received) -> {answer1} -> good but do this instead -> server
4. user <- [...] <- [thinking2] ; {answer2}
(here the server decrypts the thinking parts, adds them to the conversation, does the inference, and sends back the new thinking trace (encrypted as well) and the new answer
After:
1. user -> please do this long task -> server
2. user <- [thinking1] ; {tool_agent_spawn([params1])} ; {answer1} (e.g. would you like me to explore or do a quick hack?) <- server
3. user -> please do this long task -> (decides if explore or message) spawn([params1]) / message -> server
3. a) if no explore -> send message as usual 3. b) if explore execute spawn that in turns begins 2 channels
4. user <- [channel_1_thinking] ; {channel_1_answer} ; [channel_2_thinking] ; {channel_2_answer} ... <- server
So the server always does inference on plain text. But it sends the "important" bits encrypted, and you only send those back if you as the user want to (or need to, or choose to, etc). The idea is that the client still gets to decide on "local" things, but the server keeps the important bits from reaching the client. In this particular case, the [params] are encrypted bits that can include prompts, etc.
Unless you are a participant of the computation and you have the key, that is.
I don't see a way to make it a open standard. The processing steps would need to be part of the key.
Anyway If someone figured it out I would be very interested to be sure they weren't just trying to slap a it's encrypted to meet some standards required. And..also, what amount of data processing does Alice need to do that required outsourcing to Bobs machines. Data processing and anaysis is cheap.
Without knowing the actual pointed problem space the generalities of the schema just sounds like a snake game to me.
I can't get past where the veil is dropped for bob to take some ciphertext and operate on it in any meaningful way for him to create some machine that simultaneously can process encrypted data while being completely blinded to what the data is or the insights learned. Any form of ability to process a datum while simultaneously being blinded to it is logically incompatible to me.
Now, could we obfuscated it and lower the chances of an attacker being able to do anything useful with it or knowing what is being processed? Yes...but why muddy the definition of encryption in order to do this?
It could have been obfuscated, but assuming we have HmE, obfuscation is more tricky to be done right.
Do we change the definition of encryption meaningfully in this process, though? If so, I don't see how really. It's just that out of set of potential encryption algorithms, for this purpose we would pick ones that are fit for it. It wouldn't be AES I guess... But it would still be encryption. Maybe a weaker one, but that weakness could be coincidental. I'm not familiar with any theorems in that space.
EDIT: I see a note that we lose ability to verify integrity of the data with HmE, but I guess it's still not really changing the definitions - just most of encryption used today also provides integrity guarantees as a kinda nice and desirable side effect, but it doesn't change that the encryption that doesn't still is encryption.
Might as well just stuff the prompts in a database and only hand back the primary key to the client to hand off to the sub-agents. Keeps the same “data security” without the overhead of encryption (especially since encryption and decryption are happening in the same domain)
Your local harness never decrypts the prompt, and only the OpenAI backend does. Your harness still sees tool calls in the transcript so it can act, but you lose (some) visibility as to why the subagent chooses to do so.
Imagine seeing this transcript during forensics:
[encrypted blob][thinking summary: I need to drop the prod database][shell: psql "drop database users"]
Specifically, I use Opus and others for subagent execution to get alloyed properties on the workflow, and as far as I can tell, that's not affected.
Presumably, this is to hide optimizations they might be making to their own subagent processing, but that's a losing, dumb battle to fight, and misses the forest for the trees.
Obviously it doesn't, how even could it? Read the issue description, it wouldn't make sense if something like that was possible, considering how it was implemented...
Obviously, I wasn't claiming that it would WORK for cross-model subagents, but that this would be a limiting behavior requiring use of the Codex harness to operate if this was paired with model-level limitations on using specific tools to spawn sub-agents.
Or maybe not so obvious to you.
It literally cannot.
> Obviously, I wasn't claiming that it would WORK for cross-model subagents
I know, but you were questioning (before investigating) if maybe it did, which I'm saying should have been obvious it wouldn't, if you had understand how this was encrypted.
> requiring use of the Codex harness to operate
Yes, if you want to use Sol + Ultra + sub-agents, you'd need to use the endpoints provided by OpenAI, as (again), the content is encrypted on OpenAI's side, it's not technically possible for other platforms to implement OpenAI's encryption.
And of course this doesn't impact anyone else not using Codex + Sol + Ultra + launching subagents, it's the specific combination that is "protected", not the individual pieces.
I think you don’t really understand how this works if you think the open source harness is all that’s manipulated to determine system behavior.
There is no possible audit trail. No possible way to review what happened to validate the result. But even worse, no you will be billed somehow randomly. 20 sub agents started to do something we don't know. No way to now if it was legitimate, if it is just burning tokens or agents doing the same work on loop...
The clock is ticking. People pretending that normal people can't afford to do AI at home, in private, are making the argument that cars are too expensive for normal people to own. Pretty sure right now if you spend $25K, you would be able (if there were no technical hurdles) to set up a private rig that would satisfy your family's need for LLM assistance for the foreseeable future. That's a budget-priced car, and the price is only going to go down (i.e. that rig will become more powerful over time.) If all of those people donated some of their cycles and bandwidth to a networked training grid, the models would stay current.
The "open source" infrastructure for that is lacking, but not for long.
These companies own nothing that couldn't be implemented by a specialist after another specialist explained it to them over a phone call. And due to the nature of LLMs, they can't even use copyrights and patents as weapons. The only options are secrecy and government protection. And secrecy is only a delaying tactic.
Edit: F really misunderstood the change, the title is misleading AF. I should have read the post before commenting lmao.
Absolutely hate it, now I guess... sigh..
Incase the title gets changed it used to say, "Codex starts encrypting prompts, uses ciphertext for inference instead"