Plugin host: per-invocation resource limits (memory, fuel, wall-clock, host-call counters) #15

@tayebmokni

Summary

Enforce all per-invocation runtime limits documented in §4.5: memory, fuel, wall-clock, host-call concurrency, HTTP fetches, DB queries, KV bytes written. The first limit to trip wins; the host injects a trap (closes the wazero context). Filter handlers return a neutral value; action handlers log the failure. Errors feed the circuit breaker (separate issue).

Design reference

  • docs/02-plugin-system.md §4.5 (the limits table)

Acceptance criteria

  • Memory limit: enforced via wazero WithMemoryLimitPages, configurable per manifest (server.memory_limit_mb, default 64MB)
  • Fuel limit: custom counter via wazero Listener or experimental fuel API; configurable per manifest (server.fuel_per_invocation, default 50,000,000)
  • Wall-clock: context.WithTimeout(parent, manifest.server.invocation_timeout_ms), default 250ms
  • Host-call concurrency: mutex on the Instance ensures only one host call in flight per instance
  • HTTP fetches per invocation: counter incremented in host_http_request, default cap 8
  • DB queries per invocation: counter in host_db_query/host_db_exec, default cap 32
  • KV bytes written per invocation: counter, default cap 1MB
  • On any limit trip: wazero Module context closed deterministically, plugin trap is caught, hook returns neutral value (filter: input unchanged; action: logged-but-success)
  • Trap details captured: which limit tripped, plugin slug, hook name, request_id
  • Tests: each limit independently triggerable in a test plugin; trap is recovered cleanly without crashing host
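The counter and trap logic the criteria above describe, written out as an added example that is not the project's own code. It uses only the Go standard library, so the wazero pieces (the memory page cap, the fuel listener, closing the module context) are left out and stood in for by a per-invocation Budget that every host call passes through; the host-call wrappers take the place of host_http_request, host_db_query/host_db_exec and the KV write. The type and function names, the limit names recorded in the trap, and the plugin slug, hook names and request ids used in main are this example's own assumptions.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"sync"
	"time"
)

// Limits carries the per-invocation caps; field names are this example's own,
// the comments give the manifest key or host call each one stands in for.
type Limits struct {
	FuelPerInvocation int64         // server.fuel_per_invocation
	InvocationTimeout time.Duration // server.invocation_timeout_ms
	MaxHTTPFetches    int64         // host_http_request calls
	MaxDBQueries      int64         // host_db_query / host_db_exec calls
	MaxKVBytesWritten int64         // bytes accepted by KV writes
}

// DefaultLimits gives the issue's defaults; memory is left to the runtime's page cap and not counted here.
func DefaultLimits() Limits { return Limits{50_000_000, 250 * time.Millisecond, 8, 32, 1 << 20} }

// LimitTripped is the trap detail the host records when a limit fires.
type LimitTripped struct{ Which, Plugin, Hook, RequestID string }

func (e *LimitTripped) Error() string {
	return fmt.Sprintf("%s/%s request %s: %s limit tripped", e.Plugin, e.Hook, e.RequestID, e.Which)
}

// Budget is one invocation's counter set; a fresh one is built per hook call so nothing carries over.
type Budget struct {
	lim                                   Limits
	plugin, hook, requestID               string
	mu                                    sync.Mutex // only one host call in flight per instance
	fuelUsed, httpCalls, dbCalls, kvBytes int64
	tripped                               *LimitTripped
}

// trip records the first limit to fire; later trips never overwrite it.
func (b *Budget) trip(which string) error {
	if b.tripped == nil {
		b.tripped = &LimitTripped{which, b.plugin, b.hook, b.requestID}
	}
	return b.tripped
}

// charge is the single path every host call takes: it serialises host calls on
// the instance, refuses work once a trap is pending, turns an expired deadline
// into a wall-clock trip, then bumps the counter and trips on the first overrun.
func (b *Budget) charge(ctx context.Context, which string, counter *int64, n, limit int64) error {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.tripped != nil {
		return b.tripped
	}
	if ctx.Err() != nil {
		return b.trip("wall_clock")
	}
	*counter += n
	if *counter > limit {
		return b.trip(which)
	}
	return nil
}

// Host-call wrappers; ConsumeFuel stands in for the runtime's instruction-metering callback.
func (b *Budget) HTTPRequest(ctx context.Context) error { return b.charge(ctx, "http_fetches", &b.httpCalls, 1, b.lim.MaxHTTPFetches) }
func (b *Budget) DBQuery(ctx context.Context) error { return b.charge(ctx, "db_queries", &b.dbCalls, 1, b.lim.MaxDBQueries) }
func (b *Budget) KVWrite(ctx context.Context, n int64) error { return b.charge(ctx, "kv_bytes_written", &b.kvBytes, n, b.lim.MaxKVBytesWritten) }
func (b *Budget) ConsumeFuel(ctx context.Context, n int64) error { return b.charge(ctx, "fuel", &b.fuelUsed, n, b.lim.FuelPerInvocation) }

// RunFilter runs a filter hook under a fresh Budget and wall-clock deadline and
// returns its output, or the input unchanged (the neutral value) on any failure.
func RunFilter(parent context.Context, lim Limits, plugin, hook, requestID, input string,
	body func(ctx context.Context, b *Budget, in string) (string, error)) (string, *LimitTripped) {
	ctx, cancel := context.WithTimeout(parent, lim.InvocationTimeout)
	defer cancel()
	b := &Budget{lim: lim, plugin: plugin, hook: hook, requestID: requestID}
	out, err := body(ctx, b, input)
	if b.tripped != nil || err != nil {
		return input, b.tripped // tripped stays nil when the guest failed for a non-limit reason
	}
	return out, nil
}

// RunAction runs an action hook the same way but only logs a failure and still
// reports success; the trap is returned so the caller can record it.
func RunAction(parent context.Context, lim Limits, plugin, hook, requestID string,
	body func(ctx context.Context, b *Budget) error) *LimitTripped {
	ctx, cancel := context.WithTimeout(parent, lim.InvocationTimeout)
	defer cancel()
	b := &Budget{lim: lim, plugin: plugin, hook: hook, requestID: requestID}
	if err := body(ctx, b); err != nil {
		log.Printf("action hook %s/%s failed (limit trap: %v): %v", plugin, hook, b.tripped != nil, err)
	}
	return b.tripped
}

func main() {
	// Constructed demo: a 2 MB KV write is over the 1 MB default, so the filter falls back to its input.
	body := func(ctx context.Context, b *Budget, in string) (string, error) { return in + "!", b.KVWrite(ctx, 2<<20) }
	out, trap := RunFilter(context.Background(), DefaultLimits(), "demo-plugin", "filter_body", "req-1", "hello", body)
	fmt.Println(out, trap)
}
```

Two design points worth keeping when the real wazero wiring goes in: every limit check goes through one locked path, so the "one host call in flight per instance" rule and the "first trip wins" rule cannot drift apart, and a guest that ignores the error and keeps calling the host only ever gets the original trap back, never a second one with a different reason.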

Dependencies

#6 (host scaffolding), #9 (instance pool)

Complexity

L
