Import observation here 💭 as result of working on this the last day or so.

Because I chose to go the route of using plugins to enhance the existing events functionality with permissions the distinction between modules that exist on the application sandbox by permanently and automatically and modules that are defined with Sandbox.module became important.

Right now the 'default' modules are: ajax, events, errors and database. Datastore access, networking, the ability to generate errors and events are so crucial that any application launched with Sandbox.of should have reliable access to them.

This means the way we augment default modules and expose their APIs is different from 'client' modules (i.e. modules defined with Sandbox.module.

Further, the manner in which client modules and the resulting application access plugin behavior differs.

Client modules only have access to default modules, while the application has access to both default and client module APIs. Consequently, client modules can only access plugged-in behavior of default modules via the plugin API. If a client needs some behavior defined by a plugin that is not an extension of a default module, the client must access the behavior via an event.

Also, client modules must opt-in to using specified plugins of default modules. The original behavior of the default module is still available on the sandbox, even after a plugin has been applied.