Remix.run Logo
embedding-shape 5 hours ago

Sure. "Traditionally", your agent would send a text prompt to the sub-agent, then it goes off doing it's work. In the logs/session data, the clear-text prompt would be there, so if I want to see what's happening, I just browse the data. It's all just clear-text prompts being sent everywhere, even when you were using the experimental "sub-agents" stuff in Codex, before Sol et al was available.

Now, when using Sol or Terra (Luna seems unaffected), instead of the agent sending clear-text prompt to the sub-agent, it sends a ciphertext generated on OpenAIs backend, which ends up being the prompt, then agent sends this ciphertext to the sub-agent, which then continues to use that for further inference to OpenAIs backend. Only delegated inter-agent messages are encrypted, not all session data. Now if you browse the data, it's all encrypted content, that can only be decrypted by OpenAI and their backend.

iknownothow 5 hours ago | parent [-]

Gotcha and thank you! So the encryption is happening on the OpenAI backend and the agent's clear-text output designated to the sub-agent never reaches local.

Which is a real problem since you can't intercept/monkey patch the ciphertext to decrypt it locally to be able see the clear-text since we don't have the encryption key/algo/salt. No hacking :(

afzalive 3 hours ago | parent [-]

I wonder if you can just ask the model what it means.

Aachen 2 hours ago | parent [-]

No. They don't have the key and can't do encryption in the first place; they're still grand autocomplete engines under the hood. This could only work if the company deliberately builds a mechanism into the backend which runs the decryption function and injects the plaintext somewhere in the context. Which, sure, we can check if they did that, but the whole point is presumably hiding that info so why would they

nsingh2 44 minutes ago | parent [-]

Their models don't consume encrypted text, it would be absurd to train them to do so. Surely they decrypt the text before feeding it into the LLM, so the contents could get leaked out by asking it.