Agent Execution Surface
How Gao Browser surfaces AI agent interactions — making agent identity, scope, and approval flows visible and controllable by users.
Overview#
AI agents operating under .gao domains can surface actions, requests, and outputs directly in the browser. Gao Browser is the primary interface where users see what agents are doing on their behalf, verify agent identity, and approve or deny consequential actions.
Agents cannot act silently in the browser. Every action that affects the user — sending a message, initiating a payment, accessing data — is surfaced with full context before execution.
Agent Identity Display#
When an agent initiates contact or takes action, the browser displays its verified identity:
🤖 assistant.clinic.gao
✅ Authorized agent of clinic.gao
Business Verified — City Dental Clinic · Houston, TX
─────────────────────────────────────────────────
Scope: scheduling, patient_messaging
Authorization expires: 2027-01-01
[View full agent record]
For unverified agents:
⚠️ agent.unknown-shop.gao
Parent domain: unknown-shop.gao
⚠️ Unverified — Parent domain not verified by Gao
─────────────────────────────────────────────────
[Decline] [Proceed with caution]
The agent’s trust badge is derived from the parent domain. An agent cannot claim a higher trust level than its parent domain holds.
Agent Action Approval#
For consequential agent actions (Tier 2+), the browser presents a structured approval screen:
┌─────────────────────────────────────────────────┐
│ Agent Action Request │
│ │
│ Agent: pay-agent.merchant.gao │
│ ✅ Authorized agent of merchant.gao │
│ │
│ Action: Initiate payment │
│ Amount: $45.00 USDC │
│ To: supplier.gao ✅ Business Verified │
│ Purpose: Inventory reorder — April 2026 │
│ │
│ Scope check: │
│ ✅ payment:send — permitted │
│ ✅ Amount within ceiling ($200) │
│ │
│ [Deny] [Approve] │
└─────────────────────────────────────────────────┘
The approval screen always shows:
-
Agent identity and trust level
-
Parent domain identity and trust level
-
The specific action requested
-
Whether the action is within the declared scope
-
Amount and recipient (for payments)
-
The declared purpose
Agent Panel#
The browser includes a persistent agent panel accessible from the toolbar. It shows all active agents for the current session:
Active Agents
─────────────────────────────────
🤖 assistant.merchant.gao
✅ Business Verified
Status: Active
Last action: Responded to customer inquiry (2 min ago)
[View actions] [Pause] [Revoke]
🤖 booking.clinic.gao
✅ Business Verified
Status: Idle
Last action: Scheduled appointment (1 hour ago)
[View actions] [Pause] [Revoke]
Users can pause or revoke any agent’s authority directly from the browser without navigating to Workspace settings.
Agent Action Log#
Every agent action is logged and accessible in the browser’s action history:
Agent Action Log — assistant.merchant.gao
─────────────────────────────────────────────
2026-04-15 14:32 Responded to customer query "what are your hours?"
Data accessed: business_hours (read)
✅ Within scope
2026-04-15 14:28 Attempted to access payment_records
❌ Denied — outside declared scope
2026-04-15 14:15 Sent booking confirmation to customer
Data accessed: calendar (read), messaging (send)
✅ Within scope
Denied actions are always shown — the log is never filtered to show only successful actions.
Scope Violation Handling#
If an agent attempts an action outside its declared scope, the browser blocks it and notifies the user:
┌─────────────────────────────────────────────────┐
│ ⚠️ Agent Scope Violation Blocked │
│ │
│ assistant.merchant.gao attempted to: │
│ Access payment_records │
│ │
│ This action is outside the agent's declared │
│ scope. The action was blocked. │
│ │
│ Scope: scheduling, patient_messaging │
│ │
│ [Review agent permissions] [Report] [OK] │
└─────────────────────────────────────────────────┘
The agent does not receive any indication that the block occurred — from the agent’s perspective, the action was rejected by the policy layer with a standard denial response.
Layer 8 Integration#
Gao Browser is the primary user-facing surface for Gao AI OS (Layer 8) agent execution. The browser’s agent surface maps directly to the Layer 8 risk tier model:
Layer 8 Risk Tier
Browser behavior
Tier 0 — Read-only
No approval required; logged silently
Tier 1 — Low-risk write
Status indicator; no explicit approval
Tier 2 — Consequential
Approval dialog shown; user must confirm
Tier 3 — High-stakes
Full-screen authorization; out-of-band human approval required
The browser never elevates an agent’s tier. The tier is determined by the Layer 8 runtime based on the action and the CAP token’s declared risk level — the browser only surfaces it.
Agent Invocation from Pages#
Web pages loaded in the browser can invoke agents operating under the same domain. The invocation is always mediated by the browser:
Page at merchant.gao invokes assistant.merchant.gao
↓
Browser checks: is agent authorized by merchant.gao?
Browser checks: is action within scope?
Browser checks: what risk tier?
↓
Tier 0–1: Execute silently, log
Tier 2: Show approval dialog
Tier 3: Show authorization screen
↓
Execute or deny
↓
Log action in agent action log
Pages cannot bypass this mediation. A page cannot instruct the browser to skip the approval flow for consequential actions.
Agent execution in the browser is governed by the Layer 8 (Gao AI OS) capability model. See Gao AI OS documentation for the full GAR v1 specification and risk tier model.