fix(schema): allow SLSA Level 0 for software-only platforms (TRACE v0.2)

schemas/trace-claim.json

@@ -62,7 +62,7 @@
       "type": "object",
       "required": ["slsa_level", "digest"],
       "properties": {
-        "slsa_level": {"type": "integer", "minimum": 1, "maximum": 3},
+        "slsa_level": {"type": "integer", "minimum": 0, "maximum": 3},
         "builder": {"type": "string"},
         "digest": {"type": "string", "pattern": "^sha(256:[0-9a-f]{64}|384:[0-9a-f]{96})$"},
         "provenance_uri": {"type": "string", "format": "uri"}

src/trace_tests/modules/tr_sca.py

@@ -8,7 +8,7 @@
 from trace_tests.result import Finding, Status
 
 _DIGEST_RE = re.compile(r"^sha(256:[0-9a-f]{64}|384:[0-9a-f]{96})$")
-_SLSA_LEVELS = frozenset({1, 2, 3})
+_SLSA_LEVELS = frozenset({0,1, 2, 3})
 
 
 def check(trace: dict[str, Any]) -> list[Finding]:
@@ -28,7 +28,7 @@ def check(trace: dict[str, Any]) -> list[Finding]:
     else:
         findings.append(Finding(
             "TR-SCA-001", Status.FAIL,
-            f"TR-SCA-001: build_provenance.slsa_level must be 1, 2, or 3, got {slsa_level!r}",
+            f"TR-SCA-001: build_provenance.slsa_level must be 0,1, 2, or 3, got {slsa_level!r}",
         ))
 
     digest = prov.get("digest", "")

tests/test_level0.py

@@ -40,7 +40,7 @@ def test_policy_enforcement_mode_known(self, valid_level0):
         assert valid_level0["policy"]["enforcement_mode"] in VALID_ENFORCEMENT
 
     def test_build_provenance_slsa_level_range(self, valid_level0):
-        assert valid_level0["build_provenance"]["slsa_level"] in (1, 2, 3)
+        assert valid_level0["build_provenance"]["slsa_level"] in (0,1, 2, 3)
 
     def test_build_provenance_digest_format(self, valid_level0):
         assert DIGEST_RE.match(valid_level0["build_provenance"]["digest"])