Re: Securing Actions and Procedures

Christoph,
All,

Excellent. I hope that the group's discussions, here, in upcoming months, on these topics, can be of use to your project and, optimistically, to some unfolding MCP- and WebMCP-related discussions.

Brainstorming, one could provide inline JSON content or URLs referencing JSON or JSON-LD resources in attributes, annotations, or decorators:

@metadata('{"property": "value"}')
function(...)
{

}

@metadata("https://example.org/security-category-1.json")
function(...)
{

}

That is, content passed to attributes, annotations, or decorators could be, beyond lengthy lists of argument values for parameters, inline JSON or JSON-LD content or URLs referencing such resources.

Inline or referenced resources could be reusable. Multiple actions, procedures, functions, or methods could reference the same resources: "security-category-1.json".

With respect to MCP and WebMCP, inline or referenced JSON or JSON-LD content could contain security-related metadata both: (1) used during secured execution in runtime environments, and (2) presented through MCP APIs' tools descriptions. Both execution-related metadata and API-presentational metadata could be derived from that data in the inline or referenced JSON or JSON-LD resources.

Interestingly, perhaps these inline or referenced and reusable JSON or JSON-LD resources could be composable or compositable.

@metadata("https://example.org/security-resource-use-3.json")
@metadata("https://example.org/security-category-1.json")
function(...)
{

}

Thank you. What do you think of these ideas?


Best regards,
Adam

________________________________
From: Christoph <christoph@christophdorn.com>
Sent: Tuesday, February 24, 2026 2:54 PM
To: public-pm-kr@w3.org <public-pm-kr@w3.org>
Subject: Re: Securing Actions and Procedures

Yes! I am very much interested in this.

I am looking for a way to attach any type of metadata by mapping to a schema. This metadata will be used for all kinds of purposes as a "function" can represent any type of "action" on an "entity" in my system.

Christoph


On Tue, Feb 24, 2026, at 2:48 PM, Adam Sobieski wrote:
PM-KR Community Group,

Hello. In some programming languages (e.g., C#, Java, and JavaScript), developers can use attributes, annotations, or decorators to provide metadata on functions and methods. Approaches for representing procedural knowledge, including programmatic and executable approaches, could, then, include expressiveness for providing metadata on actions and procedures.


In C#, attributes resemble:

[metadata(...)]
public void function(...)
{

}

In Java, annotations resemble:

@metadata(...)
public void function(...)
{

}

In JavaScript, decorators resemble:

@metadata(...)
function(...)
{

}


Metadata could be used to declare preconditions and effects for actions and procedures (see also: STRIPS, ADL, PDDL). Extensible metadata could also simplify a number of important scenarios such as: computer security, access-control, and user- and agentic-permission-related topics.

As interesting, here are some initial hyperlinks about these topics:


.NET

https://en.wikipedia.org/wiki/Code_Access_Security


Java

https://apereo.github.io/cas/7.3.x/planning/Architecture.html


MCP

https://modelcontextprotocol.io/specification/2025-06-18/server/tools

https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1483

https://modelcontextprotocol-security.io/build/tool-metadata-spec/


WebMCP

https://github.com/webmachinelearning/webmcp/issues/44

https://github.com/webmachinelearning/webmcp/issues/45


BPMN

https://ceur-ws.org/Vol-2218/paper17.pdf

https://www.researchgate.net/publication/31367121_A_BPMN_Extension_for_the_Modeling_of_Security_Requirements_in_Business_Processes


Is there any interest, in this group, in considering and discussing comparative approaches (the above and any others) for providing expressiveness to simplify securing actions and procedures?

Are there any other hyperlinks to recommend and share on these topics?


Best regards,
Adam Sobieski