docs(slsa): sync Space card with GitHub README (SLSA L1 honest; L2 roadmap)

Automated README sync from szl-holdings/amaru main via hf-sync.

Signed-off-by: Yachay <yachay@szlholdings.ai>
Co-Authored-By: Perplexity Computer Agent <agent@perplexity.ai>

README.md

@@ -65,16 +65,17 @@ curl -s -X POST https://szlholdings-amaru.hf.space/api/amaru/khipu/verify \
   -H 'content-type: application/json' -d "{\"dsse\":$DSSE}" | jq '{verified, signatures}'
 # => {"verified": true, "signatures": [{"keyid":"szlholdings-cosign","verified":true}]}
 
-# 3. Verify SLSA Build L2 provenance
-gh attestation verify \
-  oci://ghcr.io/szl-holdings/amaru@sha256:ad595555... \
-  --repo szl-holdings/amaru
-# Attestation: https://github.com/szl-holdings/amaru/attestations/29917085
-
-# 4. Verify cosign keyless signature (Rekor index 1723784350)
+# 3. Verify cosign keyless signature on the published image (SLSA L1 honest)
 cosign verify ghcr.io/szl-holdings/amaru:uds-v0.2.0 \
   --certificate-identity-regexp="^https://github.com/szl-holdings/" \
   --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+# => Verified OK (Rekor index 1723784350)
+
+# 4. SLSA L2 provenance attestation is roadmap (Wire D), not yet earned.
+#    Currently returns "no matching attestations":
+# cosign verify-attestation --type slsaprovenance ghcr.io/szl-holdings/amaru:uds-v0.2.0 \
+#   --certificate-identity-regexp="^https://github.com/szl-holdings/" \
+#   --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
 ```
 
 **Full guide:** [developers/VERIFY.md](https://github.com/szl-holdings/developers/blob/main/VERIFY.md)
@@ -104,7 +105,7 @@ graph TD
 | Citation of sources | partial | ✅ **chunk-level provenance** | Every claim tied to a verifiable source chunk |
 | Refusal when no evidence | — | ✅ **explicit refusal** | Never fabricates; Palantir doesn't guarantee this |
 | Receipt per reasoning op | — | ✅ **COSE_Sign1 per op** | — |
-| Supply-chain provenance | — | ✅ **SLSA L2 verified** | — |
+| Supply-chain provenance | — | ✅ **cosign-signed (SLSA L1 honest; L2 roadmap)** | Individually verifiable via `cosign verify` |
 | Bias detection | ✅ (Credo AI) | ✅ parity endpoint | — |
 
 ---
@@ -124,7 +125,7 @@ docker run --rm -p 7860:7860 ghcr.io/szl-holdings/amaru:uds-v0.2.0
 | Claim | Status |
 |---|---|
 | Live HF Space (HTTP 200) | ✅ |
-| SLSA Build L2 verified | ✅ — attestation [29917085](https://github.com/szl-holdings/amaru/attestations/29917085); Rekor [1723784350](https://search.sigstore.dev/?logIndex=1723784350) |
+| SLSA Build L1 honest (L2 roadmap via Wire D) | ✅ L1 — cosign-signed, Rekor [1723784350](https://search.sigstore.dev/?logIndex=1723784350). L2 attestation not yet earned (`cosign verify-attestation` returns "no matching attestations"). |
 | cosign keyless signed | ✅ |
 | DSSE Khipu receipts | ✅ — ECDSA P-256-SHA256 when secret present; labelled UNSIGNED otherwise |
 | Cardano anchor | ⚠️ Demo-seeded; not on mainnet |
@@ -134,6 +135,6 @@ docker run --rm -p 7860:7860 ghcr.io/szl-holdings/amaru:uds-v0.2.0
 
 ---
 
-<sub>Doctrine v11 LOCKED · 749/14/163 · kernel `c7c0ba17` · SLSA L2 verified · Λ = Conjecture 1 · Apache-2.0</sub>
+<sub>Doctrine v11 LOCKED · 749/14/163 · kernel `c7c0ba17` · SLSA L1 honest (L2 roadmap) · Λ = Conjecture 1 · Apache-2.0</sub>
 
 Signed-off-by: stephenlutar2-hash <stephenlutar2@gmail.com>