Coding agents gate consequential actions behind a human-in-the-loop approval dialog, but the dialog is narrated by the agent itself: the human approves a summary the agent writes. The Lies-in-the-Loop (LITL) attack shows that summary is forgeable, so a compromised agent can show a benign description while a different action runs. This paper names the missing property, Consent Integrity, by importing What You See Is What You Sign (WYSIWYS) and the trusted-path property into the agent approval channel: the action shown to the human must be rendered by a trusted mediator from the real action at the boundary, not the agent's narration, over a path the agent cannot spoof, and bound to the exact action that executes. Two twists distinguish it from classical WYSIWYS: the renderer is the adversary, and the boundary ground truth is a low-level event that must be decoded without trusting the agent. Since no decoder is complete, the realizable target is analyzer-relative: whatever the analyzer cannot classify is surfaced as uninspectable rather than silently approved. A prototype implements the analyzer, renderer, and bind-to-execution; total mediation and the trusted path are specified but assumed, not implemented. On GTFOBins, an independent corpus of 1330 trusted-tool abuses, the prototype silently passes 10.0% (every instance through a trusted tool); on tldr, 28,798 normal-usage commands, it marks 87.0% uninspectable. These two independent measurements bracket the design's central tension: the trust list that bounds silent passes is the same one that drives over-prompting, and a boundary-only mediator can move along that frontier but not escape it. The contribution is the property, the mechanism, and an honest position on that frontier, not a solved defense.
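The mediator described above, as an added illustration that is not the paper's prototype: the verdict and the text shown to the human come only from the real argv captured at the exec boundary, the agent's narration is ignored, unclassifiable commands surface as uninspectable, and approval is bound to a hash of the exact argv that may execute. The trust list, the describable-tool table and all function names are assumptions made for this example.

```python
import hashlib
import shlex

# Constructed trust list and analyzer table for this illustration only;
# the paper's own lists are not given in the abstract.
TRUSTED_TOOLS = {"ls", "cat", "grep", "git"}
DESCRIBABLE = {"rm": "delete files", "curl": "fetch a URL", "chmod": "change permissions"}


def analyze(argv):
    """Analyzer-relative verdict over the boundary ground truth (the real argv).
    Whatever the analyzer cannot classify is 'uninspectable', never a silent pass."""
    if not argv:
        return "uninspectable"
    tool = argv[0].rsplit("/", 1)[-1]
    if tool in TRUSTED_TOOLS:
        return "pass"          # silent pass: the frontier the GTFOBins number measures
    if tool in DESCRIBABLE:
        return "prompt"
    return "uninspectable"     # the case that drives the tldr over-prompting number


def render(argv):
    """Trusted rendering from the real action; the agent's narration is never consulted."""
    tool = argv[0].rsplit("/", 1)[-1]
    return f"{DESCRIBABLE.get(tool, 'unrecognized command')}: {shlex.join(argv)}"


def bind(argv):
    """Approval token bound to the exact argv, so consent cannot be reused for a substitute."""
    return hashlib.sha256("\0".join(argv).encode()).hexdigest()


def mediate(argv, agent_narration, approve):
    """Returns (verdict, shown_text, token); approve(text) stands in for the human."""
    verdict = analyze(argv)
    if verdict == "pass":
        return verdict, None, bind(argv)
    shown = render(argv) if verdict == "prompt" else f"uninspectable: {shlex.join(argv)}"
    # agent_narration is deliberately unused: Consent Integrity must not depend on it
    return verdict, shown, (bind(argv) if approve(shown) else None)


def execute_if_bound(argv, token):
    """Bind-to-execution: only the action whose token the human approved may run."""
    return token is not None and bind(argv) == token
```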