Re: Securing Actions and Procedures from Christoph on 2026-02-26 (public-pm-kr@w3.org from February 2026)

From: Christoph <christoph@christophdorn.com>
Date: Wed, 25 Feb 2026 19:16:20 -0500
To: "Adam Sobieski" <adamsobieski@hotmail.com>, "public-pm-kr@w3.org" <public-pm-kr@w3.org>
Message-Id: <5f299b4c-9f05-4094-b9b4-65284f7e4276@app.fastmail.com>
Hi Adam,

The ability to attach multiple resources to the same function is an essential feature to me.

I find the need to tag actions from multiple domain perspectives. This allows for quick and dirty schema additions when working on the edge.

The resources must be completely independent at the attachment layer to allow co-locating any meaning.

I combine these direct attached schemas using higher-order schemas into an ontology/model.

The key takeaway:

1) Attach concrete things first
2) Allow for mapping concrete to more abstract later
3) Abstract can evolve into new concrete things to attach

This is an interactive evolution process that can scale.

I am in the process of using this approach to model my components & APIs visually from all kinds of perspectives.
The beauty is of course building abstract visualization models that ontologies can leverage to render themselves.

Christoph


On Wed, Feb 25, 2026, at 7:02 PM, Adam Sobieski wrote:
> Christoph,
> All,
> 
> Excellent. I hope that the group's discussions, here, in upcoming months, on these topics, can be of use to your project and, optimistically, to some unfolding MCP- and WebMCP-related discussions.
> 
> Brainstorming, one could provide inline JSON content or URLs referencing JSON or JSON-LD resources in attributes, annotations, or decorators:
> 
> @metadata('{"property": "value"}')
> function(...)
> {
> 
> }
> 
> @metadata("https://example.org/security-category-1.json")
> function(...)
> {
> 
> }
> 
> That is, content passed to attributes, annotations, or decorators could be, beyond lengthy lists of argument values for parameters, inline JSON or JSON-LD content or URLs referencing such resources.
> 
> Inline or referenced resources could be reusable. Multiple actions, procedures, functions, or methods could reference the same resources: "security-category-1.json".
> 
> With respect to MCP and WebMCP, inline or referenced JSON or JSON-LD content could contain security-related metadata both: (1) used during secured execution in runtime environments, and (2) presented through MCP APIs' tools descriptions. Both execution-related metadata and API-presentational metadata could be derived from that data in the inline or referenced JSON or JSON-LD resources.
> 
> Interestingly, perhaps these inline or referenced and reusable JSON or JSON-LD resources could be composable or compositable.
> 
> @metadata("https://example.org/security-resource-use-3.json")
> @metadata("https://example.org/security-category-1.json")
> function(...)
> {
> 
> }
> 
> Thank you. What do you think of these ideas?
> 
> 
> Best regards,
> Adam
> 
> 
> *From:* Christoph <christoph@christophdorn.com>
> *Sent:* Tuesday, February 24, 2026 2:54 PM
> *To:* public-pm-kr@w3.org <public-pm-kr@w3.org>
> *Subject:* Re: Securing Actions and Procedures
> 
> Yes! I am very much interested in this.
> 
> I am looking for a way to attach any type of metadata by mapping to a schema. This metadata will be used for all kinds of purposes as a "function" can represent any type of "action" on an "entity" in my system.
> 
> Christoph
> 
> 
> On Tue, Feb 24, 2026, at 2:48 PM, Adam Sobieski wrote:
>> PM-KR Community Group,
>> 
>> Hello. In some programming languages (e.g., C#, Java, and JavaScript), developers can use attributes, annotations, or decorators to provide metadata on functions and methods. Approaches for representing procedural knowledge, including programmatic and executable approaches, could, then, include expressiveness for providing metadata on actions and procedures.
>> 
>> 
>> In C#, attributes resemble:
>> 
>> [metadata(...)]
>> public void function(...)
>> {
>> 
>> }
>> 
>> In Java, annotations resemble:
>> 
>> @metadata(...)
>> public void function(...)
>> {
>> 
>> }
>> 
>> In JavaScript, decorators resemble:
>> 
>> @metadata(...)
>> function(...)
>> {
>> 
>> }
>> 
>> 
>> Metadata could be used to declare preconditions and effects for actions and procedures (see also: STRIPS, ADL, PDDL). Extensible metadata could also simplify a number of important scenarios such as: computer security, access-control, and user- and agentic-permission-related topics.
>> 
>> As interesting, here are some initial hyperlinks about these topics:
>> 
>> 
>> *_.NET_*
>> 
>> https://en.wikipedia.org/wiki/Code_Access_Security
>> 
>> 
>> *_Java_*
>> 
>> https://apereo.github.io/cas/7.3.x/planning/Architecture.html
>> 
>> 
>> *_MCP_*
>> 
>> https://modelcontextprotocol.io/specification/2025-06-18/server/tools
>> 
>> https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1483
>> 
>> https://modelcontextprotocol-security.io/build/tool-metadata-spec/
>> 
>> 
>> *_WebMCP_*
>> 
>> https://github.com/webmachinelearning/webmcp/issues/44
>> 
>> https://github.com/webmachinelearning/webmcp/issues/45
>> 
>> 
>> *_BPMN_*
>> 
>> https://ceur-ws.org/Vol-2218/paper17.pdf
>> 
>> https://www.researchgate.net/publication/31367121_A_BPMN_Extension_for_the_Modeling_of_Security_Requirements_in_Business_Processes
>> 
>> 
>> Is there any interest, in this group, in considering and discussing comparative approaches (the above and any others) for providing expressiveness to simplify securing actions and procedures?
>> 
>> Are there any other hyperlinks to recommend and share on these topics?
>> 
>> 
>> Best regards,
>> Adam Sobieski
>> 
>
Received on Thursday, 26 February 2026 00:16:46 UTC