feat: polish draft-01 for submission — claim renames, review fixes, refimpl docs

Draft improvements:
- Rename ext -> ect_ext, clarify iss/aud requirements per level
- Add algorithm agility guidance and RFC 8725 reference
- Add HTTP header size constraints and body transport fallback
- Add cross-level parent reference semantics
- Add emerging agent protocols (A2A, MCP) to Related Work
- Fix HTTP error handling (403 not 401), IANA +jwt suffix note
- Add workflow consistency check to DAG validation
- Add defense-in-depth note for acyclicity check

Supporting files:
- Fix blog post outdated claim names (par -> pred, ext -> ect_ext)
- Update refimpl README with -00 vs -01 migration mapping
- Add refimpl IMPROVEMENTS.md section 6 with -01 migration tasks

refimpl/README.md

@@ -1,6 +1,18 @@
 # WIMSE Execution Context Tokens — Reference Implementations
 
-This directory contains **reference implementations** of [Execution Context Tokens (ECTs)](../draft-nennemann-wimse-execution-context-00.txt) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.
+> **Note**: These reference implementations were built against **draft-nennemann-wimse-ect-00**.
+> The current draft (**-01**) introduced several claim name changes and structural updates:
+>
+> | -00 (refimpl) | -01 (current draft) | Notes |
+> |---------------|---------------------|-------|
+> | `par`         | `pred`              | Predecessor task IDs |
+> | `pol`, `pol_decision` | removed (use `ect_ext`) | Policy claims moved to extension object |
+> | `sub`         | not defined         | Standard JWT claim, not part of ECT spec |
+> | `typ: wimse-exec+jwt` | `typ: exec+jwt` (preferred) | Both accepted for backward compat |
+>
+> The refimpl update to -01 is tracked in IMPROVEMENTS.md.
+
+This directory contains **reference implementations** of Execution Context Tokens (ECTs) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.
 
 ## Implementations
 
@@ -11,11 +23,11 @@ This directory contains **reference implementations** of [Execution Context Toke
 
 ## Scope (all refimpls)
 
-- **ECT format**: JWT (JWS Compact Serialization) with required/optional claims per the spec (Section 4).
-- **Creation**: Build and sign ECTs with ES256; `kid` and `typ: wimse-exec+jwt` in the JOSE header.
-- **Verification**: Full Section 7 procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
-- **DAG validation**: Section 6 (uniqueness, parent existence, temporal ordering, acyclicity, parent policy).
-- **Ledger**: Interface plus in-memory append-only store (Section 9).
+- **ECT format**: JWT (JWS Compact Serialization) with required/optional claims per the spec.
+- **Creation**: Build and sign ECTs with ES256; `kid` and `typ` in the JOSE header.
+- **Verification**: Full verification procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
+- **DAG validation**: Uniqueness, parent existence, temporal ordering, acyclicity, parent policy.
+- **Ledger**: Interface plus in-memory append-only store.
 
 No WIT/WPT issuance or full WIMSE stack; refimpls use key resolution only. Suitable for conformance testing and as a template for production integrations.
 
@@ -41,8 +53,8 @@ python3 -m pytest tests/ -v
 
 ## Specification
 
-- **Draft**: `draft-nennemann-wimse-execution-context-00`
-- **Sections**: 4 (format), 5 (HTTP header), 6 (DAG), 7 (verification), 9 (ledger interface).
+- **Current draft**: `draft-nennemann-wimse-ect-01`
+- **Refimpl implements**: `-00` claim names (see migration note above)
 
 ## License