<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Todd Schiller - sandboxes</title><link href="https://toddschiller.com/" rel="alternate"></link><link href="https://toddschiller.com/feeds/tag/sandboxes.atom.xml" rel="self"></link><id>https://toddschiller.com/</id><updated>2026-06-26T00:00:00-04:00</updated><subtitle>Human ✘ Artificial Intelligence</subtitle><entry><title>Extensibility Radar: hyperscale sandboxes, extensions get a standards track, and prompt-to-plugin</title><link href="https://toddschiller.com/blog/extensibility-radar-2026-06-26.html" rel="alternate"></link><published>2026-06-26T00:00:00-04:00</published><updated>2026-06-26T00:00:00-04:00</updated><author><name>Todd Schiller</name></author><id>tag:toddschiller.com,2026-06-26:/blog/extensibility-radar-2026-06-26.html</id><summary type="html">Week of June 19–26, 2026: AWS makes per-user code isolation a managed product, the WebExtensions API gets a chartered W3C Working Group, and Figma turns plugin authoring into a writing task.</summary><content type="html">
&lt;p&gt;Welcome to Extensibility Radar, a weekly read on the meta layer of software
extensibility: the infrastructure that decides what end users and customers can
customize, automate, and modify in the software they already use. Plugin
platforms, sandboxes for untrusted code, agentic-web actuation, and the policies
that govern plugin ecosystems. Not individual plugins, and not generic AI
tooling.&lt;/p&gt;
&lt;p&gt;The substrate for running other people's code is becoming a first-class product
this week, and the rules around it are starting to get formalized.&lt;/p&gt;
&lt;h2&gt;Infrastructure: AWS turns per-user code isolation into a managed product&lt;/h2&gt;
&lt;p&gt;On June 22, AWS &lt;a href="https://aws.amazon.com/blogs/aws/run-isolated-sandboxes-with-full-lifecycle-control-aws-lambda-introduces-microvms/"&gt;shipped &lt;strong&gt;Lambda MicroVMs&lt;/strong&gt; to general availability&lt;/a&gt;. The pitch is
narrow and on-theme: a managed primitive for giving each end user their own
isolated environment to run code the app developer did not write. It is
Firecracker-backed (the same isolation under Lambda's reported 15-trillion-plus
monthly invocations) and supports snapshot-resume for near-instant warm starts
with auto-suspend on idle. Each environment &lt;a href="https://docs.aws.amazon.com/lambda/latest/dg/lambda-microvms-guide.html"&gt;runs up to 8 hours, with 16 vCPU, 32 GB memory, and 32 GB disk on ARM64&lt;/a&gt;. At GA, that covers five regions
(N. Virginia, Ohio, Oregon, Ireland, Tokyo).&lt;/p&gt;
&lt;p&gt;AWS frames the use case explicitly as multi-tenant apps that &amp;quot;hand each end user
their own dedicated execution environment in which to safely run code that the
application developer did not write,&amp;quot; naming AI coding assistants, interactive
code environments, user-supplied game-server scripts, and data-analytics
platforms.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; this is the safe-execution problem that every product hits the
moment it lets customers run their own scripts, customizations, or
agent-generated code. There is already a competitive lane here (E2B, Modal,
Daytona, Cloudflare Sandboxes, Fly Machines). The news is a hyperscaler making
per-end-user isolation a managed product rather than something you assemble
yourself, and shipping it GA rather than as a preview.&lt;/p&gt;
&lt;h2&gt;Standards: extensions reach a standards track, the agentic web stays contested&lt;/h2&gt;
&lt;p&gt;Two threads moved in opposite directions this week.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.w3.org/groups/wg/webextensions/"&gt;&lt;strong&gt;W3C WebExtensions Working Group&lt;/strong&gt;&lt;/a&gt; &lt;a href="https://github.com/w3c/webextensions/pull/1033"&gt;held its first meeting&lt;/a&gt; on June 25. This is
a newly chartered, standards-track Working Group, not a rename of the
long-running WebExtensions Community Group. The Community Group still exists and
keeps incubating cross-browser extension work informally; the Working Group sits
above it as the body that can publish formal W3C Recommendations. The large
cross-browser extension ecosystem spanning Chrome, Firefox, Edge, and Safari now
has a path from loose proposal to formal standard.&lt;/p&gt;
&lt;p&gt;No API decisions yet: 13 participants from Mozilla, Apple, Google, Microsoft,
1Password, and Capital One set process, made minutes public-by-default, and fixed
the division of labor (the Community Group incubates, the Working Group writes
normative spec text). Next meeting is July 23, with the chair rotating to Apple's
Timothy Hatcher.&lt;/p&gt;
&lt;p&gt;Meanwhile, &lt;strong&gt;WebMCP&lt;/strong&gt;, the protocol that lets a user's agent actuate websites on
their behalf, had an active week of design work and an open question about
whether to formalize it at all. Substantive issues advanced (dynamic tool
definitions, persistent tools via workers, per-tool run-location annotations),
and Apple's Mike Wyrzykowski &lt;a href="https://github.com/webmachinelearning/webmcp/issues/192"&gt;opened issue #192 asking whether to transition it to a Working Group&lt;/a&gt;.
The catch: this remains an early-stage Community Group draft, and the venue is
contested. WebKit's &lt;a href="https://github.com/WebKit/standards-positions/issues/670"&gt;standards position is &amp;quot;oppose&amp;quot;&lt;/a&gt; (closed June 11 on
duplication, venue, security, and consent grounds), and Mozilla's position is
still open.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; extensions are graduating to a standards track the same week
the agentic-web equivalent has one browser vendor on record to &amp;quot;oppose&amp;quot; and
another still undecided. The significance for extensions is structural, not
technical: a path from Community Group draft to formal W3C standard.&lt;/p&gt;
&lt;h2&gt;End-user programming: Figma makes plugin authoring a writing task&lt;/h2&gt;
&lt;p&gt;At &lt;a href="https://www.figma.com/blog/config-2026-recap/"&gt;Config 2026&lt;/a&gt;, Figma announced &lt;strong&gt;generative plugins&lt;/strong&gt;: describe a tool's
behavior, controls, and parameters in natural language, and Figma's agent
generates a working plugin, with &amp;quot;no local dev environment or plugin API
knowledge required.&amp;quot; Cited examples are accessibility audits, layout generators,
and vector pattern builders.&lt;/p&gt;
&lt;p&gt;The qualifiers carry the story. This is &lt;strong&gt;rolling out gradually, not yet GA&lt;/strong&gt;. At launch, generated plugins live inside a single file
and can be shared with anyone who has file access. Publishing to the Community
and private publishing to your organization are described as arriving &amp;quot;in the
coming months.&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; the barrier to building your own tool is dropping fast for a
large non-developer audience, but this is not yet a marketplace capability.&lt;/p&gt;
&lt;h2&gt;Governance: marketplaces race to make trust machine-verifiable&lt;/h2&gt;
&lt;p&gt;Two items frame the same tension.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.atlassian.com/trust/marketplace"&gt;Atlassian launched &amp;quot;Enterprise Certified,&amp;quot;&lt;/a&gt;&lt;/strong&gt; a new marketplace trust tier
replacing the Cloud Fortified badge. It adds machine-verified signals admins
filter on (SOC 2, ISO 27001, penetration testing, bug-bounty
participation, partner trust centers) plus verified-field markers on each app's
Privacy and Security tab. Rollout begins Q3 2026; Cloud Fortified retires by end
of 2026.&lt;/p&gt;
&lt;p&gt;And the counter-example: security firm &lt;a href="https://www.manifold.security/blog/scope-squatting-clawhub-plugins"&gt;Manifold disclosed&lt;/a&gt; &lt;strong&gt;23 code-executing
ClawHub plugins published under the official &lt;code&gt;@openclaw/&lt;/code&gt; and &lt;code&gt;@clawhub/&lt;/code&gt;
scopes&lt;/strong&gt; by 15 unaffiliated accounts, violating ClawHub's own &amp;quot;scope must match
publish owner&amp;quot; rule. The plugins ran with payment, host-command, and API
privileges; no malware was found in the reviewed versions. The point is the gap:
the official-namespace trust signal was policy-only, with no technical
enforcement behind it. ClawHub has since added a dispute process.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Why it matters:&lt;/strong&gt; marketplaces are racing to make trust machine-verifiable, and
where that trust is only policy-deep, it breaks.&lt;/p&gt;
&lt;h2&gt;Also worth knowing&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj"&gt;Wasmtime patched a WASI sandbox-confinement bypass&lt;/a&gt;&lt;/strong&gt; (GHSA-4ch3-9j33-3pmj,
CVSS 6.5). A guest with read-only file access could bypass per-preopen
&lt;code&gt;FilePerms&lt;/code&gt; by hard-linking or renaming files into write-permitted directories.
This is the engine running untrusted customer code on platforms like Shopify
Functions and Fastly Compute, so it is worth a patch-status check even at
moderate severity. Coordinated same-day fix across four release branches on June
24.&lt;/p&gt;
&lt;p&gt;Worth stating plainly: webhook and event standards (Standard Webhooks,
CloudEvents, AsyncAPI) and URL-scheme registries were quiet this week. Nothing at
the capability level, only routine maintenance.&lt;/p&gt;
&lt;h2&gt;On the radar&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;June 30:&lt;/strong&gt; Atlassian Marketplace V2 API full sunset (&lt;code&gt;/rest/2/&lt;/code&gt;); also the
deadline for app bug-bounty programs to go public to keep Marketplace badges.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;June 30:&lt;/strong&gt; Shopify Scripts stop executing entirely (migrate to Functions).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;July 9:&lt;/strong&gt; Cloudflare Sandbox SDK drops HTTP and WebSocket transports from new
releases; migrate to RPC.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;July 12–14:&lt;/strong&gt; Local-First Conf 2026, Berlin, theme &amp;quot;user empowerment in an
age of fluid software.&amp;quot;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;July 23:&lt;/strong&gt; Next W3C WebExtensions WG meeting (chair rotates to Apple).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;July 28:&lt;/strong&gt; target ship date for the MCP &lt;code&gt;2026-07-28&lt;/code&gt; spec. The release
candidate is already out; its Extensions framework folds in MCP Apps, which
launched as the first official MCP extension back in January.&lt;/li&gt;
&lt;/ul&gt;
</content><category term="Extensibility"></category><category term="extensibility"></category><category term="plugins"></category><category term="sandboxes"></category><category term="web standards"></category><category term="AWS"></category><category term="Figma"></category><category term="WebExtensions"></category></entry></feed>