docs(adr): T4 scripted modifiers forward-design

T3 Wave 5 (T32). New forward-design document at
docs/adr/T4-scripted-modifiers-design.md capturing where T4 would land
if/when it becomes a priority:
- Why T4 is deferred (security surface area)
- Sandbox candidates evaluated (QuickJS recommended; Duktape, vanilla
  WASM, custom interpreter, Web Workers, vm2 / isolated-vm rejected
  with rationale)
- Descriptor shape extension preserving T3 backwards compatibility
  via the type: 'data' | 'scripted' discriminator already reserved
  on CustomModifierDescriptor
- Permission model sketch (read/write self/board, history, effects,
  random — granted/prompt defaults per permission)
- Validation strategy (static analysis + runtime sandbox enforcement,
  whitelist over blacklist for forbidden globals, source/AST size
  caps, loop-bound checks)
- T3 → T4 ejection path (a T3 descriptor can generate equivalent
  scripted source as a starting point)
- 7 open questions blocking T4 kickoff (DSL surface, multiplayer
  determinism, editor experience, sharing trust, rate limiting,
  versioning, failure mode)