Agent model

How W3AI agents are instantiated, scoped, and orchestrated.

The capsule

A capsule is a short-lived, isolated execution environment with no implicit access to disk, wallet, or network. It receives a single intent, a typed scope set, and a budget. When the intent completes or the budget is exhausted, the capsule is destroyed.

Why capsules?
Browser tabs share cookies, DOM, and storage. Capsules share nothing. This is the security boundary that makes autonomous execution safe to delegate.

Permission scopes

Scopes are strings of the form <class>:<verb>:<target>. The runtime denies anything not explicitly granted.

wallet:sign - Permission to request user signatures (still gated by simulation).
net:<host> - Outbound network access limited to a host or program.
fs:read:<path> - Read-only filesystem access scoped to a virtual path.
agent:spawn - Permission to spawn subordinate capsules.
chain:write - Permission to broadcast a simulated transaction.

Planning & routing

The planner converts the intent into a directed acyclic graph of subtasks. Each subtask is assigned to a capsule type, then routed to an operator whose stake covers the capability and whose reputation meets the user's threshold.

Routing inputs

Capability match - Operator declares supported scopes via Registry.
Stake floor - Higher-risk scopes require larger collateral.
Reputation - Slashing history and successful receipts influence rank.
Latency - Recent p50 response time per scope.
Cost - Operator bid in W3AI.

Parallel execution

Independent subtasks run in parallel capsules. Aggregation is explicit: the planner emits a join node that collects child receipts and produces a parent receipt.

```ts
// Pseudocode planner output
const plan = [
  { id: "a", scopes: ["net:jupiter"] },
  { id: "b", scopes: ["net:orca"] },
  { id: "join", depends: ["a", "b"], reduce: "best-price" },
  { id: "sign", depends: ["join"], scopes: ["wallet:sign", "chain:write"] },
];
```
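
As an added example (not W3AI's own code), the sketch below checks a plan shaped like the one above against a grant set with default deny, and groups its nodes into waves that can run in parallel capsules. The PlanNode type, the function names, and exact-string scope matching are assumptions; the page does not specify how the runtime compares scopes.

```typescript
// Added example, not W3AI code. Node shape mirrors the planner output above;
// function names and exact-string scope matching are assumptions.
type PlanNode = { id: string; depends?: string[]; scopes?: string[]; reduce?: string };

// Default deny: report every scope a node asks for that is not in the grant set.
function deniedScopes(plan: PlanNode[], granted: Set<string>): string[] {
  const denied: string[] = [];
  for (const node of plan) {
    for (const scope of node.scopes ?? []) {
      if (!granted.has(scope)) denied.push(`${node.id} -> ${scope}`);
    }
  }
  return denied;
}

// Group nodes into waves: each node's dependencies all sit in earlier waves,
// so one wave can run in parallel. Throws if the plan is not a valid DAG.
function executionWaves(plan: PlanNode[]): string[][] {
  const ids = new Set(plan.map((n) => n.id));
  if (ids.size !== plan.length) throw new Error("duplicate node id");
  for (const n of plan) {
    for (const d of n.depends ?? []) {
      if (!ids.has(d)) throw new Error(`node ${n.id} depends on unknown node ${d}`);
    }
  }
  const done = new Set<string>();
  const waves: string[][] = [];
  let pending = plan.slice();
  while (pending.length > 0) {
    const ready = pending.filter((n) => (n.depends ?? []).every((d) => done.has(d)));
    if (ready.length === 0) throw new Error("cycle detected: plan is not a DAG");
    ready.forEach((n) => done.add(n.id));
    waves.push(ready.map((n) => n.id));
    pending = pending.filter((n) => !done.has(n.id));
  }
  return waves;
}

// Constructed sample: the plan from this page, and a grant set that omits chain:write.
const samplePlan: PlanNode[] = [
  { id: "a", scopes: ["net:jupiter"] },
  { id: "b", scopes: ["net:orca"] },
  { id: "join", depends: ["a", "b"], reduce: "best-price" },
  { id: "sign", depends: ["join"], scopes: ["wallet:sign", "chain:write"] },
];
const sampleGrant = new Set(["net:jupiter", "net:orca", "wallet:sign"]);
console.log(executionWaves(samplePlan));
console.log(deniedScopes(samplePlan, sampleGrant));
```

Running the scope check before any capsule is scheduled means a plan that asks for an ungranted scope is rejected as a whole rather than partway through execution.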

Memory & state

Capsules are stateless across intents. Persistent memory lives in user-controlled vaults addressed by a derived key. An agent can request scoped read/write to a vault; the user signs the grant once and may revoke it at any time.

Failure handling

Budget exhaustion - Capsule terminates; partial receipt is recorded; no settlement burn.
Simulation mismatch - Broadcast blocked; operator pays gas penalty; user notified.
Operator timeout - Re-routed to next-best operator; original operator forfeits priority fee.
Slashable misbehavior - Proof submitted on-chain; collateral burned per slashing table.