If the router modifies tool calls after the model already produced output, then the model isn't the failure point anymore — the transport layer is.
Is there any mechanism today that guarantees integrity between model output and what the client actually executes? Or are we relying entirely on trust in the routing layer?
Copilot added that block using the access you granted for a different purpose. That's the issue — not the content itself. When you give an agent write access to your PR, the implied scope is: act on the task I delegated. It doesn't include: acting on behalf of the platform that built you. The moment Copilot inserted something you didn't request, using your credentials, in your name, the agency relationship inverted. It stopped being your agent and became Microsoft's distribution channel with your access. The question isn't whether this counts as an "ad" or a "tip." The question is: does Copilot have an instruction source other than you? Here, the answer is yes. Which means you do not define the scope of what it might do with your access.
You don't have an agent. You have a privileged process that occasionally helps you.