omc345 notes

Yo, fam, Cloudflare just dropped EmDash—a beta CMS that's basically WordPress reborn for 2026. Built on Astro 6.0, fully JS/TypeScript, serverless, and actually secure. Let's break it down without the fluff. Why does this even exist? 🚀

1. WHY? WordPress Security Sucks, Hosting Evolved 💀

The pain before:

WordPress powers 40% of the web, but it's 24yo tech from VPS days.
Plugins? 96% of vulns come from 'em (per 2025/2026 reports). They hook straight into DB/filesystem—no isolation. One bad plugin = site pwned.
Hosting: Always-on servers wasting cash/idle compute. No true scale-to-zero.
Modern web: Serverless (upload JS, done), AI agents scraping content for free, devs using Astro/TS not PHP.

OLD WP WORLD ❌                 EMDASH WORLD ✅
════════════════                 ═══════════════
  Plugins = Nuke Button            Plugins = Sandboxed
  Servers always hum               Scale to ZERO ⚡
  GPL lock-in                      MIT freedom
  Password hacks                   Passkeys default

Ohhh moment: EmDash fixes WP's core flaws (security, scale, extensibility) while keeping "easy publish" magic. Built w/ AI agents in weeks. Open source (MIT), no WP code copied.

2. Big Picture: Where EmDash Fits 🗺️

EmDash = Full-stack serverless CMS for content sites.

Frontend: Astro (fast, content-first framework).
Backend: Cloudflare Workers (or any Node.js)—serverless runtime.
Plugins: Run in Dynamic Workers (sandboxed isolates).
Admin: Playground at emdashcms.com, CLI, AI skills.
Deploy: 1-click to Cloudflare, npm create emdash@latest locally.

REQUEST FLOW:
User ──► EmDash (Astro pages) ──► Dynamic Worker Plugins ──► DB/Media
  │                                   │ (sandboxed caps)       │ (KV/D1?)
  └─────────────── x402 Payments ─────┘

Runs anywhere, but shines on Cloudflare's global edge (zero cold starts, bill only CPU).

3. HOW Plugins Work: Sandboxed Superpowers ⚙️

Why plugins first? WP's #1 killer feature... but deadly.

Mechanics (step-by-step):

Plugin declares capabilities in manifest (e.g., read:content, email:send).
Runs in isolated Dynamic Worker (V8 isolate—no shared memory/DB access).
Hooks into events like content:afterSave.
Gets bindings (ctx.email, ctx.log)—only what it asks for. No net access unless whitelisted hostname.
Install: Review perms upfront (like OAuth scopes). No "trust the black box."

// Example: Email on publish
definePlugin({
  capabilities: ["read:content", "email:send"],
  hooks: {
    "content:afterSave": async (event, ctx) => {
      // Safe: Only these powers. No DB hacks.
    }
  }
});

Edge cases:

Network? Declare exact hostname.
License? Yours—plugins independent (no GPL force).
Marketplace? No lock-in; trust via perms, not reviews (WP queue: 800+ plugins).

Result: Plugins can't escape sandbox. Platforms approve by caps, not code review.

TRUST EVOLUTION:
WP ❌ ──► Full access? YOLO
         │
         ▼
EmDash ✅ ──► Declared caps → Bindings → Isolate

4. Other Bangers: x402, Scale, AI-Native 🎯

x402 Payments (AI-proof biz model):

Why? Bots scrape free; humans drove ad traffic.
How: Built-in. Tag content → Set price/Wallet → 402 response → Agent pays.

Client Req ──► 402 Payment Req ──► Pay ──► Content ✅

Scale-to-Zero:

Traffic Spike ──► Instant Isolates ──► Handle RPS ──► Bill CPU only ──► Zero idle 💸

Astro Theming:

Pages/layouts/components + seed JSON for schemas.
No DB access—safe.

AI-Native:

CLI/MCP for agents (upload media, schemas).
Skills: Auto-port WP themes, build blocks.

Auth/Schemas/Import:

Passkeys default, pluggable SSO.
Admin schemas → Custom collections (bye ACF hacks).
WP import: WXR or exporter plugin.

BURN THIS IN: TL;DR 🔒

EmDash = WP 2.0: Secure plugins via Workers, serverless Astro CMS, x402-ready.
Key unlock: Plugins declare → sandbox → trust without marketplace jail.
Deploy now: GitHub emdash-cms/emdash. Playground: emdashcms.com.

You tracking, bro? Wanna dive into Dynamic Workers or Astro setup? 😂

Original article