feat: polish draft-01 for submission — claim renames, review fixes, refimpl docs

Draft improvements:
- Rename ext -> ect_ext, clarify iss/aud requirements per level
- Add algorithm agility guidance and RFC 8725 reference
- Add HTTP header size constraints and body transport fallback
- Add cross-level parent reference semantics
- Add emerging agent protocols (A2A, MCP) to Related Work
- Fix HTTP error handling (403 not 401), IANA +jwt suffix note
- Add workflow consistency check to DAG validation
- Add defense-in-depth note for acyclicity check

Supporting files:
- Fix blog post outdated claim names (par -> pred, ext -> ect_ext)
- Update refimpl README with -00 vs -01 migration mapping
- Add refimpl IMPROVEMENTS.md section 6 with -01 migration tasks
2026-04-03 07:49:36 +02:00
parent bd2a5f819a
commit 8cf0d8aade
4 changed files with 163 additions and 55 deletions


@@ -7,7 +7,7 @@ Suggestions that could make the implementations more robust, spec-strict, or pro
## 1. **Spec alignment** ✅
- **ext size/depth (Section 4.2.7)**
**Done.** Both refimpls reject when serialized `ext` exceeds 4096 bytes or JSON depth exceeds 5 (`ValidateExt` / `validate_ext`). Used in create and verify.
**Done.** Both refimpls reject when serialized `ect_ext` exceeds 4096 bytes or JSON depth exceeds 5 (`ValidateExt` / `validate_ext`). Used in create and verify.
- **jti / wid format**
**Done.** Optional UUID (RFC 9562) validation: `CreateOptions.ValidateUUIDs` / `VerifyOptions.ValidateUUIDs` (Go), `validate_uuids` (Python). Helpers: `ValidUUID` / `valid_uuid`.
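Review bot: the renamed status line now claims both refimpls already validate `ect_ext` ("Done."), but section 6 of this same file says the -01 migration is not yet implemented and the helpers named here (`ValidateExt` / `validate_ext`) still operate on the -00 `ext` claim. Either keep `ext` in this line and list the `ext` -> `ect_ext` rename as a task under section 6, or word it as "serialized `ext` (`ect_ext` in -01)" so the status matches the code. The "(Section 4.2.7)" reference is likewise a -00 section number and should be qualified as such once -01 is the reference draft.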
@@ -58,3 +58,18 @@ Suggestions that could make the implementations more robust, spec-strict, or pro
---
**Summary:** All listed improvements are implemented. For production, also consider: key rotation, WIT integration, and metrics around verify/create latency and error kinds.
---
## 6. **draft-01 migration** (NOT YET IMPLEMENTED)
The refimpl was built against draft-nennemann-wimse-ect-00. The -01 draft introduced breaking changes that need to be reflected:
- **Rename `par` to `pred`**: The predecessor claim was renamed. Update struct fields, JSON tags, serialization/deserialization, tests, and testdata.
- **Remove `pol` and `pol_decision`**: Policy claims were removed from the core spec. Deployments should use `ect_ext` for domain-specific claims like policy decisions.
- **Remove `sub`**: The `sub` claim is not part of the ECT specification. Remove from types and examples.
- **Update `typ` default**: Prefer `exec+jwt` over `wimse-exec+jwt`. Both must be accepted for backward compatibility.
- **Add L1 support**: The -01 draft introduces unsigned JSON ECTs (Level 1). The refimpl currently only supports L2 (signed JWS).
- **Add L3 support**: The -01 draft introduces audit ledger requirements for Level 3. The existing in-memory ledger needs hash chain and receipt support.
- **Update `MaxParLength` naming**: Rename to `MaxPredLength` to match the new claim name.
- **Update hash format**: The -01 draft specifies SHA-256 base64url without algorithm prefix (no `sha-256:` prefix), consistent with RFC 9449.
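Review bot: the L1 task ("unsigned JSON ECTs") needs a verifier-side acceptance check that the list does not mention: a verifier deployed at L2 or L3 must reject L1 input up front rather than fall through to an unsigned parse, otherwise adding L1 support turns into a signature-stripping downgrade for every existing consumer of the L2 path. Suggest a task such as a minimum-level verify option (name is a suggestion) that defaults to L2 and is checked before any claims are read. For the `typ` task, make the check an exact match against the two listed values (`exec+jwt`, `wimse-exec+jwt`) rather than a suffix match, since `typ` is what stops other `+jwt` tokens from being verified as ECTs. For the hash-format task, with the `sha-256:` prefix gone the verifier should enforce the fixed digest length (32 bytes after base64url decoding) and decide explicitly whether prefixed -00 digests are still accepted during migration.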


@@ -1,6 +1,18 @@
# WIMSE Execution Context Tokens — Reference Implementations
This directory contains **reference implementations** of [Execution Context Tokens (ECTs)](../draft-nennemann-wimse-execution-context-00.txt) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.
> **Note**: These reference implementations were built against **draft-nennemann-wimse-ect-00**.
> The current draft (**-01**) introduced several claim name changes and structural updates:
>
> | -00 (refimpl) | -01 (current draft) | Notes |
> |---------------|---------------------|-------|
> | `par` | `pred` | Predecessor task IDs |
> | `pol`, `pol_decision` | removed (use `ect_ext`) | Policy claims moved to extension object |
> | `sub` | not defined | Standard JWT claim, not part of ECT spec |
> | `typ: wimse-exec+jwt` | `typ: exec+jwt` (preferred) | Both accepted for backward compat |
>
> The refimpl update to -01 is tracked in IMPROVEMENTS.md.
This directory contains **reference implementations** of Execution Context Tokens (ECTs) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.
## Implementations
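Review bot: the -00 / -01 migration table is missing the `ext` -> `ect_ext` rename that this same commit applies in IMPROVEMENTS.md, so a reader following only the README will keep emitting `ext`. Suggest a row such as `| `ext` | `ect_ext` | Extension object (size/depth limits unchanged) |`. The rewritten intro line also drops the link to the local draft text (`../draft-nennemann-wimse-execution-context-00.txt`); keep a link to the draft the refimpl actually targets, otherwise the note "built against -00" has nothing to point at.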
@@ -11,11 +23,11 @@ This directory contains **reference implementations** of [Execution Context Toke
## Scope (all refimpls)
- **ECT format**: JWT (JWS Compact Serialization) with required/optional claims per the spec (Section 4).
- **Creation**: Build and sign ECTs with ES256; `kid` and `typ: wimse-exec+jwt` in the JOSE header.
- **Verification**: Full Section 7 procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
- **DAG validation**: Section 6 (uniqueness, parent existence, temporal ordering, acyclicity, parent policy).
- **Ledger**: Interface plus in-memory append-only store (Section 9).
- **ECT format**: JWT (JWS Compact Serialization) with required/optional claims per the spec.
- **Creation**: Build and sign ECTs with ES256; `kid` and `typ` in the JOSE header.
- **Verification**: Full verification procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
- **DAG validation**: Uniqueness, parent existence, temporal ordering, acyclicity, parent policy.
- **Ledger**: Interface plus in-memory append-only store.
No WIT/WPT issuance or full WIMSE stack; refimpls use key resolution only. Suitable for conformance testing and as a template for production integrations.
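Review bot: stripping the section numbers ("Section 4", "Section 7", "Section 9") makes the scope list unverifiable against either draft; if they were removed because -01 renumbered, keep them qualified as -00 section numbers rather than deleting them. The creation bullet also lost its concrete value: it should still say which `typ` the refimpl emits (`wimse-exec+jwt` per the migration note above) and that verification accepts `exec+jwt` as well, since that is the backward-compat contract the note promises.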
@@ -41,8 +53,8 @@ python3 -m pytest tests/ -v
## Specification
- **Draft**: `draft-nennemann-wimse-execution-context-00`
- **Sections**: 4 (format), 5 (HTTP header), 6 (DAG), 7 (verification), 9 (ledger interface).
- **Current draft**: `draft-nennemann-wimse-ect-01`
- **Refimpl implements**: `-00` claim names (see migration note above)
## License
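Review bot: the draft name is inconsistent within this file: the kept line names the -00 draft `draft-nennemann-wimse-execution-context-00`, while the migration note at the top (and IMPROVEMENTS.md) calls it `draft-nennemann-wimse-ect-00`, and the new line introduces `draft-nennemann-wimse-ect-01`. If the draft was renamed between -00 and -01, say so here in one sentence; otherwise use a single name. The "Sections" line that follows lists -00 section numbers and should be labelled as such now that a different current draft is named directly above it.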