# WIMSE Execution Context Tokens — Reference Implementations

> **Note**: These reference implementations were built against **draft-nennemann-wimse-ect-00**.
> The current draft (**-01**) introduced several claim name changes and structural updates:
>
> | -00 (refimpl) | -01 (current draft) | Notes |
> |---------------|---------------------|-------|
> | `par` | `pred` | Predecessor task IDs |
> | `pol`, `pol_decision` | removed (use `ect_ext`) | Policy claims moved to extension object |
> | `sub` | not defined | Standard JWT claim, not part of ECT spec |
> | `typ: wimse-exec+jwt` | `typ: exec+jwt` (preferred) | Both accepted for backward compat |
>
> The refimpl update to -01 is tracked in IMPROVEMENTS.md.

This directory contains **reference implementations** of Execution Context Tokens (ECTs) for the WIMSE (Workload Identity in Multi System Environments) draft. Each refimpl provides ECT creation, verification, DAG validation, and an in-memory audit ledger.

## Implementations

| Language | Path | Description |
|----------|-----------|-------------|
| **Go** | [go-lang/](go-lang/) | Production-ready Go library and demo. Config via env; optional JTI replay cache. |
| **Python** | [python/](python/) | Python 3.9+ library and demo. Same API surface and env-based config. |

## Scope (all refimpls)

- **ECT format**: JWT (JWS Compact Serialization) with required/optional claims per the spec.
- **Creation**: Build and sign ECTs with ES256; `kid` and `typ` in the JOSE header.
- **Verification**: Full verification procedure (parse, typ/alg, key resolution, signature, claims, optional DAG).
- **DAG validation**: Uniqueness, parent existence, temporal ordering, acyclicity, parent policy.
- **Ledger**: Interface plus in-memory append-only store.

No WIT/WPT issuance or full WIMSE stack; refimpls use key resolution only. Suitable for conformance testing and as a template for production integrations.

### Replay cache (multi-instance)

The optional JTI replay cache (`JTICache` / `JtiCache`) is **in-memory only**. For multiple verifier instances behind a load balancer, replay detection must be shared. Use a distributed store (e.g. Redis, database) and implement the same contract as `JTISeen`: a function that returns true if the JTI was already seen, and ensure each verified JTI is recorded (e.g. with TTL). See go-lang/README and python/README for configuration and how to plug in a custom `JTISeen` / `jti_seen`.

## Quick start

**Go**

```bash
cd refimpl/go-lang && go run ./cmd/demo
go test ./...
```

**Python**

```bash
cd refimpl/python && pip install -e . && python3 demo.py
python3 -m pytest tests/ -v
```

## Specification

- **Current draft**: `draft-nennemann-wimse-ect-01`
- **Refimpl implements**: `-00` claim names (see migration note above)

## License

Same as the Internet-Draft (IETF Trust). Code components under Revised BSD per BCP 78/79.
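
For the shared replay detection described under "Replay cache (multi-instance)", the following is an added example, not code from the refimpls, of a `jti_seen`-style callable backed by a shared store. It assumes the callable takes the JTI string, returns a bool, and records the JTI in the same atomic step; `SharedJtiStore`, `make_jti_seen` and `race` are hypothetical names, and the in-process store stands in for Redis or a database.

```python
import threading
import time


class SharedJtiStore:
    """Constructed stand-in for a shared store. The one operation it offers
    maps to an atomic set-if-absent with expiry, e.g. Redis
    `SET key value NX EX seconds`."""

    def __init__(self, clock=time.time):
        self._expiry = {}
        self._lock = threading.Lock()
        self._clock = clock

    def set_if_absent(self, key, ttl_seconds):
        """Record key atomically; True only for the first caller within the TTL."""
        now = self._clock()
        with self._lock:
            expires_at = self._expiry.get(key)
            if expires_at is not None and expires_at > now:
                return False
            self._expiry[key] = now + ttl_seconds
            return True


def make_jti_seen(store, ttl_seconds):
    """Build jti_seen(jti) -> bool (assumed contract): True means replay."""
    def jti_seen(jti):
        # Check and record in ONE store operation. A separate get-then-set
        # lets two verifier instances both accept the same token.
        return not store.set_if_absent("ect:jti:" + jti, ttl_seconds)
    return jti_seen


def race(jti_seen, jti, workers=8):
    """Present one JTI from several concurrent verifiers; return how many
    of them accepted it (a correct shared store yields exactly 1)."""
    results = []
    barrier = threading.Barrier(workers)

    def verify():
        barrier.wait()  # release all workers at the same moment
        results.append(jti_seen(jti))

    threads = [threading.Thread(target=verify) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(False)
```

Choose the TTL to cover at least the remaining validity of the token, so a recorded JTI cannot expire from the store while the ECT is still acceptable.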