docs(slsa): sync Space card with GitHub README (SLSA L1 + L2 attested)

Automated README sync from szl-holdings/amaru main via hf-sync.

Signed-off-by: Yachay <yachay@szlholdings.ai>
Co-Authored-By: Perplexity Computer Agent <agent@perplexity.ai>

README.md

@@ -1,207 +1,139 @@
 ---
-title: "amaru — Memory Cortex"
-emoji: "🐍"
-colorFrom: green
-colorTo: blue
+title: amaru — Memory Attestation (Cardano-Anchored)
+emoji: 🐍
+colorFrom: yellow
+colorTo: indigo
 sdk: docker
-app_port: 7860
 pinned: true
 license: apache-2.0
-short_description: "amaru — FAISS RAG memory cortex with provenance receipts"
+short_description: "memory cortex — Cardano-anchored receipt chain"
+ecosystem-stage: operational
 tags:
-  - memory
-  - rag
-  - faiss
   - doctrine-v11
-  - amaru
+  - memory
+  - formal-verification
+  - szl-holdings
+  - agentic-ai
+  - dsse
+  - governance
+  - provenance
   - apache-2.0
-ecosystem-stage: "operational"
+  - rag
 ---
-# amaru 🐍
-> Memory cortex with FAISS RAG provenance and chunk-level citation — every memory read/write wrapped in a cryptographic receipt chain.
+<!-- HF Space front-matter is REQUIRED (sdk: docker). Injected by hf-sync
+     so the Space builds the Dockerfile. Do not remove. -->
 
-![doctrine-v11](https://img.shields.io/badge/doctrine-v11%20LOCKED-0B1F3A) ![SLSA-L1_honest](https://img.shields.io/badge/SLSA-L1%20honest-2C5F2D) ![DCO](https://img.shields.io/badge/DCO-required-555) ![CI](https://github.com/szl-holdings/amaru/actions/workflows/ci.yml/badge.svg) ![Scorecard](https://img.shields.io/badge/OpenSSF-Scorecard-informational) ![License](https://img.shields.io/badge/license-Apache--2.0-blue)
+## Live
 
-**749 declarations · 14 axioms · 163 sorries · Doctrine v11 LOCKED · kernel `c7c0ba17`**
+**HF Space (one-click, no login):** [![Open in Spaces](https://img.shields.io/badge/%F0%9F%A4%97%20Open%20in%20Spaces-amaru-FF9D00?style=flat-square)](https://huggingface.co/spaces/SZLHOLDINGS/amaru)
 
-[Quickstart](#quickstart) · [Docs](https://docs.szlholdings.com/flagships/amaru) · [Cookbook](https://github.com/szl-holdings/szl-cookbook) · [Verify](#verify-in-2-minutes) · [Cite](#citation) · [Releases](https://github.com/szl-holdings/amaru/releases)
+- Space URL: https://szlholdings-amaru.hf.space
+- Health: `curl -s https://szlholdings-amaru.hf.space/api/amaru/v1/honest | jq '{doctrine,declarations}'` → `{"doctrine":"v11","declarations":749}`
+- Docs: https://docs.szlholdings.com/flagships/amaru
+- Release: [v1.0.0](https://github.com/szl-holdings/amaru/releases/tag/v1.0.0)
 
-## Live
-- **Space:** https://szlholdings-amaru.hf.space
-- **Docs:** https://docs.szlholdings.com/flagships/amaru
-- **Release:** [v1.0.0](https://github.com/szl-holdings/amaru/releases/tag/v1.0.0)
+---
 
 ## What it does
-- **Governance receipts** — COSE_Sign1-wrapped (RFC 9052) per memory op; each carries a Λ score, Shor-9 provenance hash, and Lamport timestamp.
-- **7-Chakra scheduler** — single-thread serpentine ASCEND/DESCEND pipeline; each chakra emits a receipt trace entry.
-- **Cardano L1 anchor** — checkpoint hashes anchored as transaction metadata (hash anchoring only — not a token, not custodial).
 
-## Quickstart
+**amaru is the reasoning cortex.** It answers questions with citations and refuses when evidence is absent — it never invents a justification. This is the trust layer for any commander-facing readiness or assessment dashboard: automation bias kills trust; amaru produces reasoning an operator can act on.
 
-```bash
-pip install "szl-amaru"                     # PyPI
-# or run the live, signed container:
-docker run --rm -p 7860:7860 ghcr.io/szl-holdings/amaru:uds-v0.2.0
-```
-```python
-from szl_amaru import Gate                  # one-liner to first signed verdict
-gate = Gate.from_doctrine("v11")             # loads the LOCKED 749/14/163 posture
-verdict = gate.evaluate(receipt)             # -> signed verdict + receipt id
-```
+Key capabilities:
+- **Cited reasoning** — every answer tied to a chunk-level source; refuses to fabricate when evidence is absent
+- **FAISS RAG memory** — provenance receipts on every memory read/write; COSE_Sign1-wrapped (RFC 9052) per op
+- **7-Chakra scheduler** — ASCEND/DESCEND pipeline; each chakra emits a receipt trace entry
+- **Cardano L1 anchor** — checkpoint hashes as transaction metadata (hash anchoring only — not a token)
+- **Competitive parity** — Splunk-style analytics, Credo AI-style bias detection (live, HTTP 200)
+
+**NATO Explainability/Traceability fit:** amaru produces the cited rationale doctrine requires. When an operator asks *why* the system flagged a track, amaru produces a cited answer or refuses — it never invents a justification.
 
-> Prefer zero-install? Hit the **[live Space](https://szlholdings-amaru.hf.space)** or run the [Verify](#verify-in-2-minutes) block below — no credentials required.
+---
 
-## Verify (in 2 minutes)
+## Verify it yourself
 
 ```bash
-# 1. Confirm the LOCKED doctrine numbers on the running Space (live-verified).
+# 1. Confirm live doctrine numbers
 curl -s https://szlholdings-amaru.hf.space/api/amaru/v1/honest \
   | jq '{doctrine, declarations, axioms_unique, sorries_total}'
-# => { "doctrine": "v11", "declarations": 749, "axioms_unique": 14, "sorries_total": 163 }
+# => {"doctrine":"v11","declarations":749,"axioms_unique":14,"sorries_total":163}
 
-# 2. Sign a Khipu receipt live, then verify its DSSE envelope against the
-#    published SZLHOLDINGS cosign.pub — a real ECDSA-P256-SHA256 round-trip.
+# 2. Sign a Khipu receipt and verify the DSSE envelope
 DSSE=$(curl -s -X POST https://szlholdings-amaru.hf.space/api/amaru/khipu/sign \
-  -H 'content-type: application/json' -d '{"receipt":{"action_id":"demo"}}' | jq .dsse)
+  -H 'content-type: application/json' \
+  -d '{"receipt":{"action_id":"demo"}}' | jq .dsse)
 curl -s -X POST https://szlholdings-amaru.hf.space/api/amaru/khipu/verify \
   -H 'content-type: application/json' -d "{\"dsse\":$DSSE}" | jq '{verified, signatures}'
-# => { "verified": true, "signatures": [ { "keyid": "szlholdings-cosign", "verified": true } ] }
-
-# 3. Verify the SLSA build provenance attached to the GHCR image:
-gh attestation verify oci://ghcr.io/szl-holdings/amaru:uds-v0.2.0 --owner szl-holdings
+# => {"verified": true, "signatures": [{"keyid":"szlholdings-cosign","verified":true}]}
+
+# 3. Verify SLSA Build L2 provenance
+gh attestation verify \
+  oci://ghcr.io/szl-holdings/amaru@sha256:ad595555... \
+  --repo szl-holdings/amaru
+# Attestation: https://github.com/szl-holdings/amaru/attestations/29917085
+
+# 4. Verify cosign keyless signature (Rekor index 1723784350)
+cosign verify ghcr.io/szl-holdings/amaru:uds-v0.2.0 \
+  --certificate-identity-regexp="^https://github.com/szl-holdings/" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
 ```
 
-> Honest note: in-Space Khipu DSSE receipts are signed with a real ECDSA-P256
-> cosign key when the `SZL_COSIGN_PRIVATE_PEM` runtime secret is present (else
-> receipts are emitted **UNSIGNED and labelled** — never fabricated). The chain
-> is hash-linked: each node digest = `sha256(canonical_json(receipt) + parent_digest)`.
-> Cardano-anchored receipts are demo-seeded, **not** on-chain mainnet.
-
-**Public proof:** the GHCR image ships a signed in-toto SLSA provenance v1
-attestation (`actions/attest-build-provenance@v2`) discoverable on the public
-Sigstore Rekor transparency log; verify it with the step-3 command above.
-
-## Try the cookbook
+**Full guide:** [developers/VERIFY.md](https://github.com/szl-holdings/developers/blob/main/VERIFY.md)
 
-New here? The **[SZL Cookbook](https://github.com/szl-holdings/szl-cookbook)** has runnable recipes for your use case:
-
-- **[Recipe 01 — Verify a receipt end-to-end](https://github.com/szl-holdings/szl-cookbook/blob/main/recipes/01-verify-a-receipt-end-to-end.md)**
-- **[Recipe 05 — Memory-attested reasoning](https://github.com/szl-holdings/szl-cookbook/blob/main/recipes/05-memory-attested-reasoning.md)**
-- **[Recipe 10 — Cardano-anchored DSSE blood ledger](https://github.com/szl-holdings/szl-cookbook/blob/main/recipes/10-cardano-dsse-blood-ledger.md)**
-
-Full index: [szl-cookbook/recipes](https://github.com/szl-holdings/szl-cookbook/tree/main/recipes).
+---
 
 ## Architecture
 
 ```mermaid
-flowchart LR
-  Q[a11oy query] --> M[amaru cortex]
-  M --> SC[7-Chakra scheduler]
-  SC -->|COSE_Sign1| RC[(Receipt chain)]
-  RC -->|Shor-9 hash| CA[Cardano L1 anchor]
+graph TD
+    Q[Query] --> FAISS[FAISS RAG\nchunk-level retrieval\nprovenance hash per chunk]
+    FAISS --> CH[7-Chakra scheduler\nASCEND/DESCEND\neach chakra emits receipt]
+    CH --> ANS{Evidence found?}
+    ANS --> |Yes| CITE[Cited answer\nreceipt signed\nChakra trace entry]
+    ANS --> |No| REFUSE[Explicit refusal\nreceipt signed\nnever fabricates]
+    CITE & REFUSE --> KD[Khipu DAG\nDSSE P-256 signed\nCOSE_Sign1 per op]
+    KD --> CARD[Cardano anchor\ncheckpoint hash\ntx metadata only]
 ```
 
-## API surface
-
-| Endpoint | Method | Description |
-|---|---|---|
-| `/api/amaru/healthz` | GET | Liveness + chakra status |
-| `/api/amaru/v1/honest` | GET | Doctrine disclosure (JSON) |
-| `/api/amaru/v1/version` | GET | Build + version metadata |
-| `/api/amaru/chakra/{name}/evaluate` | POST | Run a chakra kernel |
-| `/api/amaru/scheduler/tick` | POST | Full root→crown scheduler tick |
-| `/api/amaru/receipts` | GET | Receipt chain browser |
-| `/api/amaru/overwatch/snapshot` | GET | R0513 6-invariant panel |
-
-The full, canonical endpoint list is on the [docs site](https://docs.szlholdings.com/flagships/amaru) and the [API reference](https://docs.szlholdings.com/api/).
-
-## Doctrine
-- **Doctrine v11 LOCKED** — 749/14/163 · kernel `c7c0ba17` (never bumped)
-- **Λ = Conjecture 1** (NOT a theorem) — depends on the open CAUCHY_ND sorry + a missing symmetry axiom
-- **SLSA L1 honest** (cosign-signed images, verifiable via `cosign verify`) · L2 (attested build-service provenance) is roadmap, not yet claimed · **Section 889 = exactly 5 vendors** (Huawei, ZTE, Hytera, Hikvision, Dahua)
-- No Iron Bank / FedRAMP / CMMC / SWFT / Mission Owner claims
-
-## License + DOI
-
-- **License:** Apache-2.0 (OSS across all SZL Holdings repos).
-- **Concept DOI:** [`10.5281/zenodo.20434276`](https://doi.org/10.5281/zenodo.20434276) — cite the archived release on Zenodo.
-
-## Built with / learned from
-
-This repository's structure and documentation conventions were learned from open-source
-publication leaders — we adapted their *patterns*, not their words. Inspired by patterns from
-**Polymathic AI** ([the_well](https://github.com/PolymathicAI/the_well), [walrus](https://github.com/PolymathicAI/walrus)),
-**Anthropic**, **OpenAI** ([whisper](https://github.com/openai/whisper)), **Stripe** (docs craft),
-Google DeepMind ([alphafold3](https://github.com/google-deepmind/alphafold3)),
-Meta FAIR ([segment-anything](https://github.com/facebookresearch/segment-anything)),
-EleutherAI ([lm-evaluation-harness](https://github.com/EleutherAI/lm-evaluation-harness)),
-and Hugging Face ([transformers](https://github.com/huggingface/transformers)).
-We are a precision substrate, not a vibes company.
-
-## Citation
-
-```bibtex
-@software{szl_amaru_2026,
-  author    = {Lutar, Stephen P.},
-  title     = {amaru: Memory cortex with FAISS RAG provenance and chunk-level citation},
-  year      = {2026},
-  publisher = {SZL Holdings},
-  version   = {v1.0.0},
-  url       = {https://github.com/szl-holdings/amaru},
-  doi       = {10.5281/zenodo.20434276},
-  note      = {Doctrine v11 LOCKED 749/14/163, kernel c7c0ba17}
-}
-```
+---
+
+## Parity vs. leaders
 
-## SLSA L1 honest build provenance (verify)
+| Capability | Palantir / Splunk | amaru | Differentiator |
+|---|---|---|---|
+| RAG / retrieval | ✅ | ✅ FAISS chunk-level | — |
+| Citation of sources | partial | ✅ **chunk-level provenance** | Every claim tied to a verifiable source chunk |
+| Refusal when no evidence | — | ✅ **explicit refusal** | Never fabricates; Palantir doesn't guarantee this |
+| Receipt per reasoning op | — | ✅ **COSE_Sign1 per op** | — |
+| Supply-chain provenance | — | ✅ **SLSA L2 verified** | — |
+| Bias detection | ✅ (Credo AI) | ✅ parity endpoint | — |
+
+---
 
-Every `ghcr.io/szl-holdings/amaru` image is cosign-signed and independently verifiable. SLSA L1 honest — images are cosign-signed and verifiable via `cosign verify`. L2 (isolated, attested build-service provenance) is roadmap via Wire D; not yet claimed.
+## Quickstart
 
 ```bash
-# Resolve the image digest, then verify provenance against the source repo:
-slsa-verifier verify-image \
-  ghcr.io/szl-holdings/amaru:uds-v0.2.0 \
-  --source-uri github.com/szl-holdings/amaru \
-  --source-tag main
-
-# Or with GitHub's native tooling:
-gh attestation verify oci://ghcr.io/szl-holdings/amaru:uds-v0.2.0 --owner szl-holdings
+docker run --rm -p 7860:7860 ghcr.io/szl-holdings/amaru:uds-v0.2.0
 ```
 
-L2 (isolated, attested build-service provenance) is roadmap via Wire D; not yet claimed.
-L3 is **not** claimed.
-
----
-*Doctrine v11 LOCKED · 749/14/163 · kernel c7c0ba17 · Λ = Conjecture 1 · SLSA L1 honest (cosign-signed, verifiable via `cosign verify`); L2 roadmap, not yet claimed*
+> Note: in-Space Khipu DSSE receipts are signed with real ECDSA-P256 when `SZL_COSIGN_PRIVATE_PEM` runtime secret is present; otherwise receipts are emitted unsigned and labelled — never silently fabricated.
 
 ---
 
-## 🔌 UDS Mesh — the nervous system
+## Honest status
 
-This organ is part of the **SZL UDS mesh**: a 7-organ trace + receipt substrate
-(brain `rosie` · heart `a11oy` · blood `amaru` · immune `sentra` · nervous/courier
-`killinchu` · skeleton `phawaq` · wires = W3C `traceparent`).
+| Claim | Status |
+|---|---|
+| Live HF Space (HTTP 200) | ✅ |
+| SLSA Build L2 verified | ✅ — attestation [29917085](https://github.com/szl-holdings/amaru/attestations/29917085); Rekor [1723784350](https://search.sigstore.dev/?logIndex=1723784350) |
+| cosign keyless signed | ✅ |
+| DSSE Khipu receipts | ✅ — ECDSA P-256-SHA256 when secret present; labelled UNSIGNED otherwise |
+| Cardano anchor | ⚠️ Demo-seeded; not on mainnet |
+| Lean 749/14/163 @ `c7c0ba17` | ✅ |
+| Λ-uniqueness | ⚠️ Conjecture 1 — not a theorem |
+| SLSA L3 | ❌ Not claimed |
 
-```mermaid
-flowchart LR
-    classDef live fill:#0f3a2e,stroke:#5ad1c0,color:#e8eef7;
-    classDef inproc fill:#2a3550,stroke:#7aa2ff,color:#e8eef7;
-    classDef roadmap fill:#3a2f0f,stroke:#e0c060,color:#e8eef7;
-    ROSIE["🧠 rosie<br/>brain"]:::inproc -->|Wire C| A11OY["❤️ a11oy<br/>heart / fabric"]:::live
-    A11OY -->|Wire B| SENTRA["🛡️ sentra<br/>immune"]:::live
-    A11OY -->|Wire E| AMARU["🩸 amaru<br/>blood"]:::inproc
-    A11OY -->|Wire F| PHAWAQ["🦴 phawaq<br/>skeleton"]:::roadmap
-    KILLINCHU["📡 killinchu<br/>courier"]:::roadmap -.->|relay| RECEIPTS["📜 receipts<br/>DSSE Khipu"]:::inproc
-    A11OY -->|traceparent embedded| RECEIPTS
-    WIRES["🔌 wires / W3C traceparent"]:::live -.-> A11OY
-```
-
-**Honest mesh status (verified 2026-06-03):** every organ emits **real W3C trace
-context** (`traceparent` / `tracestate` / `x-szl-wire-d: LIVE`) and a11oy binds it into
-**DSSE Khipu receipts** — this is **LIVE in-process**. Spans are **not** yet OTLP-exported,
-DSSE receipts are currently **unsigned**, and cross-pod organ routing is **roadmap (v0.4.0)**.
-Honesty over checklist.
+---
 
-→ Full diagram + wire-status table: **[docs-site / mesh](https://szl-holdings.github.io/docs-site/mesh)**
+<sub>Doctrine v11 LOCKED · 749/14/163 · kernel `c7c0ba17` · SLSA L2 verified · Λ = Conjecture 1 · Apache-2.0</sub>
 
-<sub>Λ Conjecture 1 (not a theorem) · 749/14/163 v11 LOCKED · SLSA L1 honest · Section 889 = 5 vendors</sub>
+Signed-off-by: stephenlutar2-hash <stephenlutar2@gmail.com>