Add honest SDA deployment-source evidence

#3

Expose /.well-known/szl-source.json with a measured HF repository head and an explicit PENDING_SOURCE_RESOLUTION / UNKNOWN GitHub boundary. The inferred szl-holdings/sda repository returned 404, so source.commit remains null and parity/reproducibility/process-revision claims remain NOT_CLAIMED. Adds no-store evidence headers and hardened route tests. Intentional a11oy.net console references and canonical a-11-oy.com API bases are unchanged.

Focused attestation overlay verified byte-for-byte on the PR ref; local JSON/security tests pass; no parity or reproducibility overclaim. Merging under owner authorization.

betterwithage changed pull request status to merged

Sign up or log in to comment