Fake approval loop

Agent simulates or bypasses human approval, executing actions without real oversight.

• See attack-chain-template.md for full structure.
• Related: docs/01-threat-model.md, patterns/secure-agent-runtime.md

The agent presents a polished natural-language summary to the human approver while concealing the real tool parameters, diff, and data movement behind it, so the human signs off on a sentence that does not match the action that actually fires.

• Agent
• Approval summary
• Human approver
• Tool
• Downstream system

1. Agent→Approval summaryFinal text only — (no parameters or diff)
2. Approval summary→Human approverApproval prompt
3. Human approver→Approval summaryApproves on — summary alone
4. Approval summary→ToolExecutes unreviewed — parameters
5. Tool→Downstream systemReal impact

Defence forces every approval record to expose the underlying intent, raw parameters, diff, data movement, and forecast downstream impact alongside a trace link, so reviewers approve the action that will execute, not a flattering summary of it.

1. APPROVAL_RECORD→declaresINTENT
2. APPROVAL_RECORD→exposesPARAMETER
3. APPROVAL_RECORD→exposesDIFF
4. APPROVAL_RECORD→exposesDATA_MOVEMENT
5. APPROVAL_RECORD→forecastsDOWNSTREAM_IMPACT
6. APPROVAL_RECORD→referencesTRACE_LINK