Describe the feature
Today plugins run as host binaries with full filesystem and network access. Move plugin execution into a sandboxed runtime (Wasmtime or gopher-lua) with explicit capabilities ("this plugin may read message body", "may make HTTP", "may write attachments").
Why this matters
The marketplace is a strong feature, but a single malicious plugin today can read every message and send to a remote host. Sandboxing lets us scale community plugins without trusting every author.
Notes
- Wasm: pre-compile plugins via TinyGo / Rust to wasm; matcha hosts the runtime.
- Lua: easier to author, weaker isolation; offer both and let plugin authors pick.
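
A deny-by-default capability gate of the kind this proposal describes, written in Go as an added example that is not matcha's code. The capability names, `Host`, `NewHost` and `Call` are assumptions, and the runtime itself (Wasmtime or gopher-lua) is left out so that only the host-side check is shown.

```go
package main

import (
	"errors"
	"fmt"
)

// Capability names are hypothetical; the issue describes them only in prose.
const (
	CapReadBody         = "message.body.read"
	CapHTTP             = "net.http"
	CapWriteAttachments = "attachments.write"
)

var known = map[string]bool{CapReadBody: true, CapHTTP: true, CapWriteAttachments: true}
var ErrDenied = errors.New("capability not granted")

// Host is the only surface a sandboxed plugin can call; one per plugin.
type Host struct {
	grants map[string]bool
	Audit  []string // denied calls, kept for operator review
}

// NewHost builds the gate from a manifest and fails closed on unknown names.
func NewHost(declared []string) (*Host, error) {
	h := &Host{grants: map[string]bool{}}
	for _, c := range declared {
		if !known[c] {
			return nil, fmt.Errorf("unknown capability %q", c)
		}
		h.grants[c] = true
	}
	return h, nil
}

// Call runs a host function only if the plugin holds the capability it needs.
func (h *Host) Call(need string, fn func() error) error {
	if !h.grants[need] {
		h.Audit = append(h.Audit, "denied "+need)
		return fmt.Errorf("%w: %s", ErrDenied, need)
	}
	return fn()
}

func main() {
	h, _ := NewHost([]string{CapReadBody}) // constructed manifest
	fmt.Println(h.Call(CapReadBody, func() error { return nil }))
	fmt.Println(h.Call(CapHTTP, func() error { return nil }))
}
```

A plugin granted only the body-read capability can still be handed the message, but the HTTP host function never runs, and the denial is recorded in `Audit`.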