Node plugin isolation via workerd sidecar

[BenjaminPrice]

EmDash's plugin sandbox is what sets it apart from WordPress. But on the Node deployment path, plugins run in the same process with no isolation. The manifest exists but nothing enforces it.

I've been working on a way to bring plugin isolation to Node by running workerd as a sidecar process. Astro stays on Node. Plugins run in workerd with bindings scoped to what their manifest declares. Same runtime as Cloudflare, same APIs, same 128MB memory limit. Plugin bundles work without changes.

The plan is to use the Dynamic Worker Loader API for hot plugin add/remove when it's available, and fall back to static capnp config with a workerd restart when it's not. workerd would start as an optional dependency. Without it, plugins load in-process like they do today, with manifest validation warnings in dev mode. Over time the goal is to make workerd required.

Backing services for content, media, email, and auth run as a single HTTP server in Node with path-based routing. KV uses workerd's built-in SQLite-backed namespaces.

[neuhaus]

I noticed this in the description:

cpuMs, memoryMb, and subrequests are Cloudflare platform features, not standalone workerd.

Is there an obvious way to add these resource limits?