+1 to @sjfink: passing large objects inline should probably be adopted as an anti-pattern.
> I'm also adding an extra thought to our thread: if we want to communicate a "user_id" and "app_id" to the actions, but any action can edit the incoming event, how would we make sure that some important fields like these ones can't be overwritten by other actions in a sequence and they can be securely passed through and trusted?

@ddascal <ddas...@adobe.com> I just opened this PR that prototypes the idea of "final" parameters that might be applicable.

This came up in discussion with Steve where he suggested that any defined parameter (if it has a value) should be considered final. This would mean that parameters on a package that have a default value cannot be overridden by a binding or an action in the package. I implemented a variant of this [1] that applies to certain openwhisk actions where an action may carry a "final" annotation which prevents an incoming request from overriding any of its predefined parameters.

In a more general perspective, we can give up on default parameters in favor of final parameters everywhere. Or a compromise where parameters may have defaults and may be overridden from package to binding to action but not from invoke time parameters (as in the pull request).

-r

[1] https://github.com/openwhisk/openwhisk/pull/1710
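
An added sketch of the "final" parameter semantics discussed in the message above; it is not part of the original thread, not OpenWhisk code and not the code in the pull request. The object shape (`packageParams`, `bindingParams`, `params`, `annotations`), the function names and the choice to refuse rather than silently drop clashing parameters are assumptions.

```javascript
// Added illustration; a hypothetical model, not OpenWhisk code and not the
// code from the pull request referenced in the message.

// Defaults inherit package -> binding -> action; a later layer may override
// an earlier one (the "compromise" variant in the message).
function resolveDefaults(action) {
  return { ...action.packageParams, ...action.bindingParams, ...action.params };
}

// Compute the arguments for one invocation. When the action carries a truthy
// "final" annotation, invoke-time parameters that collide with a predefined
// parameter are refused. Refusing (rather than silently dropping) is an
// assumption of this sketch.
function resolveInvocation(action, invokeParams) {
  const predefined = resolveDefaults(action);
  const isFinal = Boolean(action.annotations && action.annotations.final);
  const clashes = Object.keys(invokeParams)
    .filter((k) => Object.prototype.hasOwnProperty.call(predefined, k))
    .sort();
  if (isFinal && clashes.length > 0) {
    return { ok: false, rejected: clashes };
  }
  // Not final, or no clash: invoke-time values are merged over the defaults.
  return { ok: true, args: { ...predefined, ...invokeParams } };
}

// Constructed sample data: identity fields are set on the package binding.
const baseAction = {
  packageParams: { region: "default", user_id: "unset" },
  bindingParams: { user_id: "u-123", app_id: "a-456" },
  params: { region: "eu" },
  annotations: { final: true },
};
// Constructed payload, e.g. the output of an earlier action in a sequence
// that rewrote user_id before passing the event on.
const tampered = { user_id: "u-999", payload: "hello" };

function demo() {
  const open = { ...baseAction, annotations: {} };
  return {
    finalTampered: resolveInvocation(baseAction, tampered),
    finalClean: resolveInvocation(baseAction, { payload: "hello" }),
    openTampered: resolveInvocation(open, tampered),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Without the annotation the rewritten `user_id` reaches the action; with it, the invocation is refused and the bound identity fields stay as configured.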