feat: ACT/ECT strategy, package restructure, draft -01/-02 prep

Strategic work for IETF submission of draft-nennemann-act-01 and
draft-nennemann-wimse-ect-02:

Package restructure:
- move ACT and ECT refimpls to workspace/packages/{act,ect}/
- ietf-act and ietf-ect distribution names (sibling packages)
- cross-spec interop test plan (INTEROP-TEST-PLAN.md)

ACT draft -01 revisions:
- rename 'par' claim to 'pred' (align with ECT)
- rename 'Agent Compact Token' to 'Agent Context Token' (semantic
  alignment with ECT family)
- add Applicability section (MCP, OpenAI, LangGraph, A2A, CrewAI)
- add DAG vs Linear Delegation Chains section (differentiator vs
  txn-tokens-for-agents actchain, Agentic JWT, AIP/IBCTs)
- add Related Work: AIP, SentinelAgent, Agentic JWT, txn-tokens-for-agents,
  HDP, SCITT-AI-agent-execution
- pin SCITT arch to -22, note AUTH48 status

Outreach drafts:
- Emirdag liaison email (SCITT-AI coordination)
- OAuth ML response on txn-tokens-for-agents-06

Strategy document:
- STRATEGY.md with phased action plan, risk register, timeline

Submodule:
- update workspace/drafts/ietf-wimse-ect pointer to -02 commit

workspace/packages/act/tests/test_lifecycle.py

@@ -0,0 +1,103 @@
+"""Tests for act.lifecycle module."""
+
+import time
+import uuid
+
+import pytest
+
+from act.crypto import generate_ed25519_keypair, sign
+from act.errors import ACTCapabilityError, ACTPhaseError
+from act.lifecycle import transition_to_record
+from act.token import (
+    ACTMandate,
+    ACTRecord,
+    Capability,
+    Delegation,
+    ErrorClaim,
+    TaskClaim,
+    decode_jws,
+    encode_jws,
+)
+from act.crypto import verify
+
+
+@pytest.fixture
+def keys():
+    iss_priv, iss_pub = generate_ed25519_keypair()
+    sub_priv, sub_pub = generate_ed25519_keypair()
+    return iss_priv, iss_pub, sub_priv, sub_pub
+
+
+@pytest.fixture
+def mandate(keys):
+    iss_priv, _, _, _ = keys
+    m = ACTMandate(
+        alg="EdDSA", kid="iss-key",
+        iss="agent-a", sub="agent-b", aud="agent-b",
+        iat=1772064000, exp=1772064900,
+        jti=str(uuid.uuid4()),
+        task=TaskClaim(purpose="test"),
+        cap=[Capability(action="read.data"), Capability(action="write.result")],
+        delegation=Delegation(depth=0, max_depth=2, chain=[]),
+    )
+    return m
+
+
+class TestTransitionToRecord:
+    def test_basic_transition(self, mandate, keys):
+        _, _, sub_priv, sub_pub = keys
+        record, compact = transition_to_record(
+            mandate, sub_kid="sub-key", sub_private_key=sub_priv,
+            exec_act="read.data", pred=[], status="completed",
+        )
+        assert isinstance(record, ACTRecord)
+        assert record.exec_act == "read.data"
+        assert record.kid == "sub-key"
+        assert record.iss == mandate.iss  # preserved
+        # Verify signature
+        _, _, sig, si = decode_jws(compact)
+        verify(sub_pub, sig, si)
+
+    def test_with_hashes(self, mandate, keys):
+        _, _, sub_priv, _ = keys
+        record, _ = transition_to_record(
+            mandate, sub_kid="k", sub_private_key=sub_priv,
+            exec_act="write.result", pred=[], status="completed",
+            inp_hash="abc", out_hash="def",
+        )
+        assert record.inp_hash == "abc"
+        assert record.out_hash == "def"
+
+    def test_with_error(self, mandate, keys):
+        _, _, sub_priv, _ = keys
+        record, _ = transition_to_record(
+            mandate, sub_kid="k", sub_private_key=sub_priv,
+            exec_act="read.data", pred=[], status="failed",
+            err=ErrorClaim(code="timeout", detail="request timed out"),
+        )
+        assert record.status == "failed"
+        assert record.err is not None
+        assert record.err.code == "timeout"
+
+    def test_rejects_bad_exec_act(self, mandate, keys):
+        _, _, sub_priv, _ = keys
+        with pytest.raises(ACTCapabilityError):
+            transition_to_record(
+                mandate, sub_kid="k", sub_private_key=sub_priv,
+                exec_act="delete.everything", pred=[],
+            )
+
+    def test_preserves_phase1_claims(self, mandate, keys):
+        _, _, sub_priv, _ = keys
+        record, _ = transition_to_record(
+            mandate, sub_kid="k", sub_private_key=sub_priv,
+            exec_act="read.data", pred=[], status="completed",
+        )
+        assert record.iss == mandate.iss
+        assert record.sub == mandate.sub
+        assert record.aud == mandate.aud
+        assert record.iat == mandate.iat
+        assert record.exp == mandate.exp
+        assert record.jti == mandate.jti
+        assert record.task == mandate.task
+        assert record.cap == mandate.cap