diff --git a/.github/workflows/cra-kit.yml b/.github/workflows/cra-kit.yml
new file mode 100644
index 00000000..5fa4d614
--- /dev/null
+++ b/.github/workflows/cra-kit.yml
@@ -0,0 +1,22 @@
+name: CRA Kit
+
+on:
+ push:
+ paths:
+ - 'cra-kit/**'
+ - '.github/workflows/cra-kit.yml'
+ pull_request:
+ paths:
+ - 'cra-kit/**'
+ - '.github/workflows/cra-kit.yml'
+
+jobs:
+ validate-auditor-packet:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+ - name: Validate pinned auditor packet
+ run: ./cra-kit/scripts/validate.sh
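Review bot: the workflow has no `permissions:` block, so `GITHUB_TOKEN` receives the repository's default scope even though `validate.sh` only needs to read the checkout; add `permissions: contents: read` at the workflow or job level. For a kit whose subject is supply-chain evidence, also consider pinning `actions/checkout@v4` and `actions/setup-python@v5` to full commit SHAs (tag kept in a trailing comment) rather than mutable major tags. Finally, the optional validators the README describes for `validate.sh` (`cyclonedx-cli`, `pyspdxtools`) are never installed in this job, so CI only exercises the fallback path; a `pip install spdx-tools` step after `setup-python` would make the SPDX schema check actually run on every push.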
diff --git a/README.md b/README.md
index 3a6371b9..8cb04a3d 100644
--- a/README.md
+++ b/README.md
@@ -413,6 +413,30 @@ Please see the
for further usage and details.
+
+
+#### cra-kit (wolfSSL CRA Kit)
+
+This directory is **not** a TLS/crypto tutorial. It demonstrates how to
+generate wolfSSL **component SBOMs** (SPDX + CycloneDX), nest them in a
+**fictional product SBOM**, and understand optional **bomsh** build provenance
+(Linux host only) for EU Cyber Resilience Act-style software transparency.
+
+Includes a [CRA compliance shortlist](cra-kit/CRA-Compliance-Shortlist.md), a
+[who provides what cheat sheet](cra-kit/CRA-Cheat-Sheet.md), full
+[glossary](cra-kit/CRA-Supply-Chain-Glossary.md), [AI playbook](cra-kit/SKILL.md), sample
+[customer-side auditor packet](cra-kit/auditor-packet/) (fictional Acme Connect
+Gateway), [manufacturer-side filings](cra-kit/wolfssl-inc-auditor-packet/) (what
+wolfSSL Inc. itself ships under CRA — classification, conformity assessment,
+declaration of conformity template, EU AR status, etc.), and helper scripts
+(`validate.sh` runs without building wolfSSL, with optional `cyclonedx-cli` /
+`pyspdxtools` schema validation). Regenerating component SBOMs requires a
+wolfSSL tree with SBOM support — see [cra-kit/README.md](cra-kit/README.md).
+
+Please see the [cra-kit/README.md](cra-kit/README.md) for further
+usage and details.
+
+
#### uefi-library (wolfCrypt UEFI boot module and test app)
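Review bot: the pointer to the kit README appears twice in this block, once at the end of the paragraph (`see [cra-kit/README.md](cra-kit/README.md)`) and again as its own paragraph (`Please see the [cra-kit/README.md](cra-kit/README.md) for further usage and details.`); keep one, preferably the standalone sentence that matches the pattern used by the surrounding sections. The two blank lines before `#### cra-kit` and after the closing sentence also exceed the single blank line separating the neighbouring `####` entries.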
diff --git a/cra-kit/CRA-Cheat-Sheet.md b/cra-kit/CRA-Cheat-Sheet.md
new file mode 100644
index 00000000..16dcd355
--- /dev/null
+++ b/cra-kit/CRA-Cheat-Sheet.md
@@ -0,0 +1,114 @@
+# wolfSSL CRA Supply Chain Cheat Sheet
+
+**Who provides what** — **you** vs **wolfSSL**
+Print this page; use **[CRA-Supply-Chain-Glossary.md](CRA-Supply-Chain-Glossary.md)** for full definitions (SBOM, SPDX, CycloneDX, CBOM, VEX, bomsh, PURL, …).
+
+**Not legal advice.** You are the **manufacturer** for your product on the EU market.
+wolfSSL provides **component evidence** for the **wolfSSL library only**.
+wolfSSL Inc. is itself a manufacturer under CRA for libraries it places on the EU market —
+see our [`security.txt`](https://www.wolfssl.com/.well-known/security.txt),
+[CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt),
+and our manufacturer-side filings in
+[`wolfssl-inc-auditor-packet/`](wolfssl-inc-auditor-packet/) for reference.
+
+Requires a wolfSSL tree with SBOM support (`make sbom` / `scripts/gen-sbom`).
+`make sbom` also needs `pyspdxtools` (`pip install spdx-tools`).
+
+**CRA Kit:** `wolfssl-examples/cra-kit/` · **AI playbook:** [SKILL.md](SKILL.md)
+**Product-level CRA shortlist (4 pillars):** [CRA-Compliance-Shortlist.md](CRA-Compliance-Shortlist.md)
+
+---
+
+## CRA compliance shortlist (four pillars)
+
+| Pillar | You | wolfSSL |
+|--------|-----|---------|
+| **1. Know your components** | Product SBOM + vuln process for whole product | Component SBOMs, advisories, updates — **this kit** |
+| **2. Secure boot** | Trusted firmware + update path | **wolfBoot** |
+| **3. Data in transfer** | Secure protocols for remote/cloud traffic | **TLS**, **SSH**, **MQTTS**, … |
+| **4. Vulnerability handling & reporting** | Published CVD policy + `security.txt`; 24h ENISA reporting (Art. 14); on-call coverage | Reference templates: wolfSSL [`security.txt`](https://www.wolfssl.com/.well-known/security.txt) + [CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt); advisories; CNA |
+
+Detail: [CRA-Compliance-Shortlist.md](CRA-Compliance-Shortlist.md)
+
+---
+
+## Who provides what (you vs wolfSSL)
+
+| | **You (product manufacturer)** | **wolfSSL (library supplier)** |
+|---|-------------------------------|--------------------------------|
+| **Inventory** | **Product SBOM** — OS, apps, all third-party code | **Component SBOM** — wolfSSL only (SPDX + CycloneDX) |
+| **How you connect** | Nest or reference our files in your product SBOM | Ship `wolfssl-*.spdx.json` and `wolfssl-*.cdx.json` |
+| **Vulnerabilities** | Your process + owner for the shipped product | [Advisories](https://www.wolfssl.com/docs/security-vulnerabilities/) + [CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) + [`security.txt`](https://www.wolfssl.com/.well-known/security.txt) |
+| **Optional build proof** | Only if your contract/auditor asks | `make bomsh` / OmniBOR (**Linux build host** only) |
+
+**Worked example:** [`auditor-packet/`](auditor-packet/) — fictional *Acme Connect Gateway* + wolfSSL SBOMs nested.
+
+---
+
+## What auditors ask
+
+| Question | Term | wolfSSL today |
+|----------|------|---------------|
+| What software is in the product? | **SBOM** | `make sbom` or `gen-sbom` → SPDX + CycloneDX |
+| What crypto is enabled in *your* build? | **CBOM** (path) | `wolfssl:build:*` in CycloneDX — not full `cryptographic-asset` yet |
+| How was the library binary built? | **Provenance** | `make bomsh` (**Linux** host, optional) |
+
+*See glossary for SPDX vs CycloneDX, VEX, PURL, OmniBOR.*
+
+---
+
+## BOMs at a glance
+
+| Name | Owner | wolfSSL today |
+|------|-------|---------------|
+| **Product SBOM** | **You** | — |
+| **Component SBOM** | **wolfSSL** (you nest) | **Yes** |
+| **CBOM** | **You** document; we signal config | **Partial** (build properties) |
+| **VEX** | **You** (+ scanner) | Advisories only |
+| **bomsh** | **wolfSSL** (optional) | **Yes**, Linux host only |
+
+Details: [CRA-Supply-Chain-Glossary.md](CRA-Supply-Chain-Glossary.md) · roadmap: [ROADMAP.md](ROADMAP.md)
+
+---
+
+## Four decisions
+
+| Question | Answer |
+|----------|--------|
+| Need **our own** SBOM? | **Yes** |
+| wolfSSL SBOM **enough alone**? | **No** — nest or reference in yours |
+| Need **bomsh** for CRA? | **Usually no** |
+| **SPDX** or **CycloneDX**? | **Both** — use what your tools consume |
+
+---
+
+## Beyond this kit (don't skip)
+
+This kit covers **software transparency** only. Before placing your product on
+the EU market you also need:
+
+| Obligation | Article | Action |
+|------------|---------|--------|
+| **EU Authorised Representative** | Art. 18 | Required if you're established outside the EU |
+| **Product class** (Annex III/IV) | — | Determines self-cert vs **Notified Body** — long queues |
+| **Conformity assessment + CE mark** | Art. 32, 30 | Module A or external review |
+| **Technical documentation** | Annex VII | Risk assessment, support-period commitment |
+| **Free security updates** | Art. 13(8) | 5+ year support period default |
+
+Engage CRA counsel/consultant — these are legal/structural decisions, not
+artefacts. See [`CRA-Compliance-Shortlist.md`](CRA-Compliance-Shortlist.md)
+"Beyond this kit" for detail.
+
+---
+
+## What to read next
+
+| Resource | File |
+|----------|------|
+| Full glossary | [CRA-Supply-Chain-Glossary.md](CRA-Supply-Chain-Glossary.md) |
+| Integration guide | [README.md](README.md) |
+| Sample auditor folder | [auditor-packet/](auditor-packet/) |
+| AI + scripts playbook | [SKILL.md](SKILL.md) |
+| Upstream SBOM reference (flags, formats, OmniBOR) | [wolfssl/doc/SBOM.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md) |
+
+**Questions about this kit:** support@wolfssl.com · **Security reports:** see [`security.txt`](https://www.wolfssl.com/.well-known/security.txt)
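Review bot: the unconditional line `Requires a wolfSSL tree with SBOM support (`make sbom` / `scripts/gen-sbom`).` near the top of the cheat sheet contradicts the top-level README text in this same patch, which says `validate.sh` runs without building wolfSSL and that only regenerating component SBOMs needs a wolfSSL tree; qualify it as "Regenerating component SBOMs requires a wolfSSL tree with SBOM support" so a reader does not conclude the whole kit is unusable without the library source. Minor: the glossary in this patch lists the support period under `Art. 13(2), 13(8)` while the "Beyond this kit" table here cites only `Art. 13(8)`; pick one citation style across the kit.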
diff --git a/cra-kit/CRA-Compliance-Shortlist.md b/cra-kit/CRA-Compliance-Shortlist.md
new file mode 100644
index 00000000..96d83a5e
--- /dev/null
+++ b/cra-kit/CRA-Compliance-Shortlist.md
@@ -0,0 +1,130 @@
+# Shortlist towards CRA compliance
+
+**Not legal advice.** The EU Cyber Resilience Act applies to **your product** as a whole.
+wolfSSL helps on **specific pillars** below; you remain the **manufacturer** for market obligations.
+
+This page is the **product-level shortlist** (what to do). For **software transparency** work
+(SBOM, nesting, sample auditor folder), use the **[CRA Kit](README.md)** cheat sheet and
+[`CRA-Cheat-Sheet.md`](CRA-Cheat-Sheet.md).
+
+---
+
+## 1. Know your software components
+
+| **Your job (manufacturer)** | **wolfSSL can help** |
+|----------------------------|----------------------|
+| Run a **survey** of every component in your embedded system or product: What is it? Who maintains it? Is it actively developed? How do you learn about vulnerabilities, fixes, and releases? | **Component SBOMs** (SPDX + CycloneDX) for wolfSSL libraries you ship — `make sbom` / `gen-sbom` |
+| Build and maintain a **product SBOM** for the whole thing you place on the EU market | **Continuous vulnerability management**: [security advisories](https://www.wolfssl.com/docs/security-vulnerabilities/), coordinated disclosure, updates — see wolfSSL [`security.txt`](https://www.wolfssl.com/.well-known/security.txt) and [CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) |
+| Own vulnerability **process**, owners, and fix timelines for **your** release | Nest or reference our component SBOM in yours — worked example: [`auditor-packet/`](auditor-packet/) |
+
+**CRA Kit focus:** pillar 1 — who provides what cheat sheet, glossary, scripts, [`SKILL.md`](SKILL.md).
+
+---
+
+## 2. Implement secure boot
+
+| **Your job (manufacturer)** | **wolfSSL can help** |
+|----------------------------|----------------------|
+| Treat secure boot as one of the **most influential actions** you can take now: firmware that boots **trusted**, with a defined path to **update** when needed | **[wolfBoot](https://www.wolfssl.com/products/wolfboot/)** — secure bootloader for embedded systems |
+| Align update mechanics with your **complaint / incident** procedures and required **timelines** under CRA | Integration with wolfSSL/wolfCrypt; see wolfBoot docs and support |
+
+Secure boot is **product architecture**, not something an SBOM file alone satisfies.
+
+---
+
+## 3. Bring remote data processing and data-in-transfer up to compliance
+
+CRA is **not only about software inventory** — it also concerns **data** moving between the device and the network.
+
+| **Your job (manufacturer)** | **wolfSSL can help** |
+|----------------------------|----------------------|
+| Map **remote processing** and **connectivity** in your product (cloud, OTA, admin interfaces, telemetry) | Implementations of **state-of-the-art** secure protocols, for example: |
+| Use **current cryptography** and **secure protocols** for data in transfer; document what is enabled in **your** build | **TLS** (wolfSSL), **SSH** (wolfSSH), **MQTTS** (wolfMQTT), and related stacks |
+| Reflect enabled algorithms in **your** product documentation / SBOM / crypto inventory | Build properties in CycloneDX today (`wolfssl:build:*`); formal CBOM profile: **roadmap** — [ROADMAP.md](ROADMAP.md) |
+
+---
+
+## 4. Handle vulnerabilities and report on time
+
+CRA imposes **continuous** vulnerability handling obligations on manufacturers
+(Art. 13) and a hard **24-hour** reporting clock for actively exploited
+vulnerabilities (Art. 14). This is the only CRA pillar that requires **ongoing
+operational capacity**, not a one-time deliverable.
+
+| **Your job (manufacturer)** | **wolfSSL can help** |
+|----------------------------|----------------------|
+| Publish a **Coordinated Vulnerability Disclosure (CVD) policy** and a working security contact (`security.txt` per RFC 9116) so researchers can reach you | Reference templates: wolfSSL's [`security.txt`](https://www.wolfssl.com/.well-known/security.txt) and [CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) |
+| Operate a **vulnerability handling process** with named owners and stated response targets | wolfSSL [security advisories](https://www.wolfssl.com/docs/security-vulnerabilities/) for libraries you ship; wolfSSL is a CVE Numbering Authority |
+| Notify **ENISA within 24 hours** when a vulnerability in your product is **actively exploited** (Art. 14); follow up at 72 hours and a final report at 14 days | wolfSSL handles ENISA reporting for **wolfSSL libraries placed on the EU market by wolfSSL Inc.**; coordinate with us on shared advisories |
+| Maintain **on-call coverage** including weekends and holidays so the 24-hour clock can be met at any time | — |
+
+This pillar is **not satisfied by SBOM artefacts alone** — it requires
+documented process, named owners, and on-call capacity. The 24-hour ENISA clock
+starts from your **awareness** of active exploitation, not from public disclosure.
+
+---
+
+## Beyond this kit (structural CRA obligations)
+
+The four pillars above cover **software transparency**. A full CRA conformity
+assessment also requires structural obligations that **this kit does not
+cover** — flag these to your CRA consultant or counsel **before** assuming
+SBOMs alone make you ready:
+
+| Obligation | Article | What it means |
+|------------|---------|---------------|
+| **EU Authorised Representative** | Art. 18 | Manufacturers established **outside** the EU must appoint a written-mandated representative **inside** the EU before placing a product on the EU market. Either contract a third-party AR service or use an existing EU subsidiary. |
+| **Product classification** | Annex III / IV | Determines whether conformity assessment is self-declared (default class) or requires a **Notified Body** (important / critical class). Notified-body queues are already long — if you may need one, get in queue early. |
+| **Conformity assessment + CE mark** | Art. 32, 30 | Module A (self-assessment) or external review per classification; CE marking before placing the product on the EU market. |
+| **Technical documentation** | Annex VII | Risk assessment, secure-design rationale, vulnerability handling process, support-period commitment — more than the SBOM. |
+| **Free security updates** | Art. 13(8) | Minimum 5-year support period for security updates by default (longer if the product's expected lifetime is longer). |
+| **Importer / distributor obligations** | Art. 19, 20 | If your product enters the EU via an importer or moves through distributors, additional obligations attach to those parties. |
+
+These are **legal and structural decisions**, not artefacts you can generate
+from source code. wolfSSL ships SBOMs, security-policy templates, and the
+narrative in this kit; **you** appoint your EU AR, classify your product, run
+your conformity assessment, and produce your declaration of conformity. If
+you do not yet have a CRA consultant, engaging one for the
+classification + AR questions specifically is usually the highest-leverage
+early step.
+
+**See how wolfSSL Inc. itself answers each of these.**
+[`wolfssl-inc-auditor-packet/`](wolfssl-inc-auditor-packet/) holds the
+manufacturer-side filings wolfSSL Inc. ships under CRA: Annex III/IV
+classification statement, conformity assessment route, declaration of
+conformity template, EU Authorised Representative status, support-period
+policy, vulnerability-handling process, technical documentation outline,
+and CE marking statement. Where decisions are made, they're stated; where
+they're in flight (EU AR appointment, public SLA), the gap is named.
+Adapt as a template for your own product.
+
+---
+
+## How this maps to the CRA Kit
+
+| Shortlist pillar | Kit deliverable |
+|------------------|-----------------|
+| Know your components | Cheat sheet (who provides what), glossary, `auditor-packet/`, generate/validate scripts |
+| Secure boot | Out of scope for SBOM files — evaluate **wolfBoot** separately |
+| Data in transfer | Configure and document **your** protocol stack; wolfSSL ships crypto libraries, not your full product compliance |
+| Vulnerability handling & reporting | Outside scope of SBOM artefacts — see Art. 13/14 obligations above; wolfSSL's own [CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) and [`security.txt`](https://www.wolfssl.com/.well-known/security.txt) are usable as reference templates |
+| Structural CRA obligations (EU AR, Annex III/IV, CE, technical docs, support period) | **Out of scope** for this kit — see "Beyond this kit" section above; engage CRA counsel or consultant |
+
+**You will leave with (presentation Promise):**
+
+1. **Who provides what** — [`CRA-Cheat-Sheet.md`](CRA-Cheat-Sheet.md)
+2. **Worked example** — [`auditor-packet/`](auditor-packet/)
+3. **Helper scripts + AI playbook** — product SBOM, nest wolfSSL, optional bomsh on **Linux CI** + [`SKILL.md`](SKILL.md)
+
+---
+
+## Related wolfSSL products (beyond this kit)
+
+| Area | Product / doc |
+|------|----------------|
+| TLS / wolfCrypt | [wolfssl.com](https://www.wolfssl.com/) · upstream SBOM reference: [doc/SBOM.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md) |
+| Secure boot | [wolfBoot](https://www.wolfssl.com/products/wolfboot/) |
+| SSH | wolfSSH |
+| MQTT | wolfMQTT |
+
+**Questions about this kit:** support@wolfssl.com · **Security reports:** see [`security.txt`](https://www.wolfssl.com/.well-known/security.txt)
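Review bot: the "Beyond this kit" intro states `The four pillars above cover **software transparency**.`, but only pillar 1 is about SBOMs; pillars 2 to 4 are described in this same file as product architecture (`Secure boot is **product architecture**`), protocol configuration, and ongoing operational process, and the mapping table says they are outside SBOM scope. Reword to "Pillar 1 covers software transparency; pillars 2 to 4 are architecture and process" so the section does not undercut its own argument. Also, `use the **[CRA Kit](README.md)** cheat sheet and [`CRA-Cheat-Sheet.md`]` reads as if README.md were the cheat sheet; and `(presentation Promise)` has a stray capital and looks like a leftover speaker note.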
diff --git a/cra-kit/CRA-Supply-Chain-Glossary.md b/cra-kit/CRA-Supply-Chain-Glossary.md
new file mode 100644
index 00000000..c310828b
--- /dev/null
+++ b/cra-kit/CRA-Supply-Chain-Glossary.md
@@ -0,0 +1,139 @@
+# CRA & Supply Chain Terminology — Customer Cheat Sheet
+
+One-page reference for teams shipping products that include wolfSSL.
+**Not legal advice.** Map obligations to your product class and role with counsel.
+
+This kit is **self-contained** in [wolfssl-examples `cra-kit/`](https://github.com/wolfSSL/wolfssl-examples/tree/master/cra-kit).
+Upstream technical reference for the SBOM feature (flags, output formats,
+`SBOM_LICENSE_OVERRIDE`, OmniBOR/Bomsh — requires a wolfSSL source tree with
+SBOM support):
+
+- [SBOM.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md)
+
+CRA shortlist (4 pillars): [`CRA-Compliance-Shortlist.md`](CRA-Compliance-Shortlist.md) · Who provides what: [`CRA-Cheat-Sheet.md`](CRA-Cheat-Sheet.md) · AI playbook: [`SKILL.md`](SKILL.md) · Worked example: [`auditor-packet/`](auditor-packet/)
+
+---
+
+## The big picture (30 seconds)
+
+```mermaid
+flowchart LR
+ subgraph you["Your company (manufacturer)"]
+ PSBOM["Product SBOM\n(all components)"]
+ end
+ subgraph wolf["wolfSSL (component)"]
+ WSBOM["wolfSSL SBOM\n(SPDX + CycloneDX)"]
+ BOMSH["OmniBOR / bomsh\n(optional)"]
+ end
+ PSBOM -->|"references or contains"| WSBOM
+ WSBOM -.->|"optional deeper proof"| BOMSH
+```
+
+| Question | Short answer |
+|----------|--------------|
+| Do we need **our own** SBOM? | **Yes** — for the **whole product** you place on the EU market. |
+| Is wolfSSL’s SBOM enough by itself? | **No** (unless you only redistribute wolfSSL). Use it **inside** your product SBOM. |
+| Do we need **bomsh**? | **Usually no.** SBOM alone covers most CRA transparency needs; bomsh adds build traceability if you want it. |
+| SPDX or CycloneDX? | **Both are fine.** wolfSSL ships both; use whichever your tools expect (many teams keep both). |
+
+---
+
+## Glossary
+
+| Term | Stands for / means | Plain English |
+|------|-------------------|---------------|
+| **CRA** | EU **Cyber Resilience Act** | EU law for products with digital elements: inventory, security, vulnerability handling. |
+| **SBOM** | **Software Bill of Materials** | Machine-readable “ingredients list” of software in a product (name, version, supplier, license, IDs, relationships). |
+| **Product SBOM** | — | **Yours:** every OSS/third-party component in the **shipped product**. |
+| **Component SBOM** | — | **wolfSSL’s:** inventory of **wolfSSL only** (`make sbom` or `gen-sbom`). |
+| **SPDX** | **Software Package Data Exchange** | A standard **format** for SBOMs (Linux Foundation). Files: `*.spdx.json`, `*.spdx`. |
+| **CycloneDX** | (project name) | Another standard **format** for SBOMs (OWASP ecosystem). File: `*.cdx.json`. |
+| **NTIA minimum elements** | US NTIA guidance | Checklist of what a “good” SBOM must include (supplier, name, version, unique ID, deps, author, timestamp). CRA practice aligns with this. |
+| **PURL** | **Package URL** | Standard ID like `pkg:github/wolfSSL/wolfssl@v5.9.1` — helps tools match components. wolfSSL ships PURLs in both `github` (canonical, resolves in OSV / GHSA / Snyk / Trivy) and CPE forms. |
+| **CPE** | **Common Platform Enumeration** | Standard ID like `cpe:2.3:a:wolfssl:wolfssl:…` — used by many vulnerability databases. |
+| **VEX** | **Vulnerability Exploitability eXchange** | CycloneDX-side signal: “this CVE does/doesn’t apply to our build.” Often layered on top of SBOM in security tools. |
+| **CBOM** | **Cryptographic Bill of Materials** | Inventory of **crypto algorithms/keys/modules** (beyond generic SBOM). Today: `wolfssl:build:*` in CycloneDX; formal CBOM: see [`ROADMAP.md`](ROADMAP.md). |
+| **bomsh** | wolfSSL **make** target | Runs **OmniBOR** provenance: proves **how** the library binary was built from sources (**Linux host only**). |
+| **OmniBOR** | Omni **Bill of Resources** | Merkle DAG of build inputs/outputs; stored under `omnibor/`. |
+| **gitoid** | Git-object-style ID | Hash pointer (`gitoid:blob:sha1:…`) into the OmniBOR graph; appears in `omnibor.*.spdx.json`. |
+| **Manufacturer** | CRA role | Entity that places the product on the EU market — **owns** product SBOM and vulnerability process. |
+| **Integrator / OEM** | Industry term | You build a device/app containing wolfSSL → you typically act as **manufacturer** for your product. |
+| **externalDocumentRefs** | SPDX feature | Your product SPDX **points to** wolfSSL’s SPDX file without copying every file entry. |
+| **SOURCE_DATE_EPOCH** | Reproducible builds | Fixed timestamp so two `make sbom` runs produce **byte-identical** SBOMs (useful in CI/attestation). |
+
+---
+
+## CRA structural terms
+
+These appear throughout the kit's "Beyond this kit" guidance. They are **not**
+software-transparency artefacts — they are legal/structural CRA obligations
+that no SBOM tool can satisfy. **Not legal advice** — engage CRA counsel.
+
+| Term | Article / location | Plain English |
+|------|--------------------|---------------|
+| **EU Authorised Representative** (EU AR) | Art. 18 | Required if the manufacturer is established **outside** the EU. A written-mandated EU-resident legal entity that receives regulator correspondence on the manufacturer's behalf. Either contract a third-party AR service or use an existing EU subsidiary. **Long-lead** — start now. |
+| **Notified Body** | — | Independent third-party conformity-assessment organisation. For "important" or "critical" products (Annex III/IV) the conformity assessment must involve a Notified Body. Queues are long — engage early if you may need one. |
+| **Annex III** | Annex III | List of **"important"** products with above-baseline cybersecurity risk (e.g. password managers, network management systems, browsers, certain identity-management components). Triggers stricter conformity assessment than the default class. |
+| **Annex IV** | Annex IV | List of **"critical"** products (highest-risk class), e.g. hardware security modules, secure-boot devices, smart-meter gateways of certain types. Always requires Notified Body involvement. |
+| **Annex VII** | Annex VII | Required contents of the **technical documentation**: risk assessment, secure-design rationale, vulnerability handling process, support-period commitment, SBOM, etc. Much more than the SBOM alone. |
+| **Conformity assessment** | Art. 32 | Process to demonstrate the product meets CRA essential requirements. **Module A** self-assessment (default class) or external review by a Notified Body (important/critical). Output is the declaration of conformity. |
+| **Module A** | Annex VIII | Self-assessment conformity procedure. The manufacturer alone performs the assessment and signs the declaration. Default for non-Annex III/IV products. |
+| **CE marking** | Art. 30 | Visible mark indicating conformity with applicable EU regulations. Affixed to the product (or packaging/documentation) before placing on the EU market. Backed by the declaration of conformity. |
+| **Declaration of conformity** | Art. 28 | Manufacturer's signed statement of CRA compliance. Names the product, lists applicable EU acts, identifies the manufacturer (and EU AR if applicable). |
+| **Importer** | Art. 19 | EU entity placing a non-EU product on the EU market. Carries CRA obligations parallel to the manufacturer (verify CE mark, retain AR contact, assist regulators). |
+| **Distributor** | Art. 20 | Party in the supply chain making the product available on the EU market without altering it. Lighter obligations than importer/manufacturer, but must verify CE mark and assist regulators. |
+| **Support period** | Art. 13(2), 13(8) | Minimum duration during which the manufacturer must provide **free security updates**. Default: at least **5 years** (or the product's expected lifetime if longer). Must be declared in the technical documentation. |
+| **ENISA** | Art. 14 | EU Agency for Cybersecurity. Recipient of the **24-hour** early-warning report when a vulnerability in your product is **actively exploited**, plus 72-hour update and 14-day final report. |
+| **CNA** | (CVE programme) | **CVE Numbering Authority** — organisation authorised to assign CVE IDs within its scope. wolfSSL is a CNA for wolfSSL libraries. |
+
+For execution detail on these obligations, see [`CRA-Compliance-Shortlist.md`](CRA-Compliance-Shortlist.md) "Beyond this kit (structural CRA obligations)".
+
+---
+
+## wolfSSL artefacts (what we ship)
+
+| Command | Outputs | Answers |
+|---------|---------|---------|
+| `make sbom` | `wolfssl-.spdx.json`, `.cdx.json`, `.spdx` | **What** is in wolfSSL (version, license, hashes, config flags). |
+| `make bomsh` *(optional)* | `omnibor/`, `omnibor.wolfssl-.spdx.json` | **How** wolfSSL was built (source → binary traceability). |
+
+Embedded/custom builds: `scripts/gen-sbom` with **your** `user_settings.h` and source list — see kit
+[`scripts/generate-embedded-sbom.sh`](scripts/generate-embedded-sbom.sh) and upstream [SBOM.md §1](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md).
+
+---
+
+## Your checklist
+
+1. **Product SBOM** in release CI (SPDX and/or CycloneDX).
+2. **wolfSSL component** — reference our SBOM (`externalDocumentRefs` / CycloneDX `bom` ref) or copy the package entry; link with `STATIC_LINK` / `DYNAMIC_LINK` / `CONTAINS`.
+3. **Match your build** — if `user_settings.h` or source set differs from stock, regenerate wolfSSL’s SBOM for **your** build.
+4. **Commercial license** — override GPL in SBOM (`SBOM_LICENSE_OVERRIDE`) or in **your** product SBOM entry for wolfSSL; see upstream [SBOM.md § Commercial Licenses](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md).
+5. **Vulnerabilities** — document your process; wolfSSL disclosure: [`security.txt`](https://www.wolfssl.com/.well-known/security.txt) + [CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) + [advisories](https://www.wolfssl.com/docs/security-vulnerabilities/).
+6. **bomsh** — only if auditors or contracts ask for build-level proof beyond the SBOM (Linux CI).
+
+---
+
+## SPDX vs CycloneDX (same job, different tools)
+
+| | **SPDX** | **CycloneDX** |
+|---|----------|----------------|
+| **Typical use** | License compliance, legal review, nested documents | Security scanners, VEX, commercial SBOM platforms |
+| **wolfSSL file** | `wolfssl-.spdx.json` | `wolfssl-.cdx.json` |
+| **Nesting wolfSSL** | `externalDocumentRefs` + relationship | Component + `externalReferences` type `bom` |
+
+You do **not** choose “CRA format” — you provide an SBOM that meets NTIA-style expectations; SPDX and CycloneDX are both widely accepted encodings.
+
+---
+
+## Who provides what to an auditor
+
+| Evidence | Provided by |
+|----------|-------------|
+| Product SBOM (full inventory) | **Customer** |
+| wolfSSL SBOM files | **wolfSSL** (customer integrates or references) |
+| OmniBOR / bomsh bundle | **wolfSSL** *(optional)* |
+| Vulnerability disclosure & advisories | **wolfSSL** ([security page](https://www.wolfssl.com/docs/security-vulnerabilities/)); **customer** owns product incident process |
+
+---
+
+*wolfSSL · Part of the [CRA Kit](README.md). Questions about this kit: support@wolfssl.com · Security reports: see [`security.txt`](https://www.wolfssl.com/.well-known/security.txt)*
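Review bot: the artefact names in the "wolfSSL artefacts" and "SPDX vs CycloneDX" tables have a dangling hyphen where the version belongs (`wolfssl-.spdx.json`, `omnibor.wolfssl-.spdx.json`, `wolfssl-.cdx.json`), which looks like a dropped template variable; write them as `wolfssl-<version>.spdx.json` or use the glob form `wolfssl-*.spdx.json` already used in the cheat sheet so the three documents agree. The same table's `make sbom` row lists `.cdx.json` and `.spdx` as bare extensions while the first entry is a full file name; make the three consistent.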
diff --git a/cra-kit/README.md b/cra-kit/README.md
new file mode 100644
index 00000000..c0fb456b
--- /dev/null
+++ b/cra-kit/README.md
@@ -0,0 +1,296 @@
+# wolfSSL CRA Kit
+
+Example project and scripts for teams that ship products containing wolfSSL and
+need **EU Cyber Resilience Act (CRA)**-style **software transparency** artifacts.
+
+**This kit does not make your product “CRA compliant.”** It shows how to obtain
+and nest **wolfSSL component evidence** inside **your** product SBOM and auditor
+packet.
+
+**Not legal advice.** Map obligations to your product class and role with counsel.
+
+**wolfSSL's own CRA posture.** wolfSSL Inc. is itself a **manufacturer** under
+the CRA for libraries it places on the EU market. We publish our own
+[`security.txt`](https://www.wolfssl.com/.well-known/security.txt) and
+[CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt),
+and the manufacturer-side filings we ship under CRA — Annex III/IV
+classification, conformity assessment route, declaration of conformity
+template, EU Authorised Representative status, support-period policy,
+and vulnerability-handling process — are in
+[`wolfssl-inc-auditor-packet/`](wolfssl-inc-auditor-packet/). Use them as
+reference templates for **your** product.
+
+| Document | Use |
+|----------|-----|
+| [`CRA-Compliance-Shortlist.md`](CRA-Compliance-Shortlist.md) | Four pillars towards CRA (components, secure boot, data in transfer, vulnerability handling) |
+| [`CRA-Cheat-Sheet.md`](CRA-Cheat-Sheet.md) | **Who provides what** — you vs wolfSSL (print/PDF) |
+| [`CRA-Supply-Chain-Glossary.md`](CRA-Supply-Chain-Glossary.md) | Full terminology (**self-contained in this kit**) |
+| [`SKILL.md`](SKILL.md) | **AI playbook** — agent checklist, scripts, Cursor install |
+| [`ROADMAP.md`](ROADMAP.md) | SBOM / CBOM / VEX / bomsh / CSAF — today vs roadmap |
+| [`auditor-packet/`](auditor-packet/) | **Customer-side worked example** — fictional Acme Connect Gateway + wolfSSL SBOM samples |
+| [`wolfssl-inc-auditor-packet/`](wolfssl-inc-auditor-packet/) | **Manufacturer-side filings** — what wolfSSL Inc. itself ships under CRA |
+
+**Self-contained:** all customer-facing docs live in this directory. You only need a
+separate **wolfSSL source tree** (with SBOM support) to **regenerate** component SBOMs.
+
+---
+
+## Prerequisites
+
+- **wolfSSL** source with SBOM support (see [wolfSSL SBOM feature (upstream)](#wolfssl-sbom-feature-upstream) below).
+ Typical layout:
+
+ ```
+ wolf/
+ ├── wolfssl/ ← WOLFSSL_DIR (default: ../../wolfssl from here)
+ └── wolfssl-examples/
+ └── cra-kit/ ← you are here
+ ```
+
+- **Python 3** for `scripts/gen-sbom` (embedded path) and `scripts/validate.sh`.
+- **`pcpp`** (optional for embedded): install on the **same** interpreter as `python3`:
+ `python3 -m pip install pcpp`. If `pip install pcpp` used conda but your shell runs
+ `/usr/local/bin/python3`, use `CRA_PYTHON=python` or rely on the script's automatic
+ **compiler `-dM -E` fallback** (no pcpp required).
+- **Cross-compile note for embedded** (`-dM -E` fallback only): the script defaults to
+ host `cc`. For target-accurate macros set `CC=arm-none-eabi-gcc` (or your toolchain)
+ before running so the SBOM reflects target `__ARM_ARCH`, `__SIZEOF_LONG__`, etc.
+ rather than your laptop's. Skip this if you have `pcpp` installed.
+- **Optional schema validators** (used by `validate.sh` if installed):
+ - [`cyclonedx-cli`](https://github.com/CycloneDX/cyclonedx-cli/releases) for CycloneDX 1.6 schema validation
+ - [`pyspdxtools`](https://pypi.org/project/spdx-tools/) (`pip install spdx-tools`) for SPDX 2.3 schema validation
+
+---
+
+## All the “BOMs” (today vs roadmap)
+
+| Name | What it lists | Who owns it | wolfSSL today | Roadmap |
+|------|----------------|-------------|---------------|---------|
+| **Product SBOM** | Entire shipped product | **You** | — | — |
+| **Component SBOM** | wolfSSL only | **wolfSSL** (you integrate) | **Yes** — SPDX 2.3 + CycloneDX 1.6 | Ongoing |
+| **VEX** | Does CVE X apply to our build? | **You** | [Advisories](https://www.wolfssl.com/docs/security-vulnerabilities/) (VEX inputs) | Templates / automation |
+| **CBOM** | Crypto algorithms / modules | **You**; we **signal** | **Partial** — `wolfssl:build:*` in CycloneDX | Formal `cryptographic-asset` |
+| **OmniBOR / bomsh** | How the library binary was built | **wolfSSL** (optional) | **Yes** — Linux **host** only | Same |
+
+Details: [`ROADMAP.md`](ROADMAP.md).
+
+**Plain summary:** SBOM = what’s inside. Crypto build properties = what crypto you
+compiled in (CBOM direction). bomsh = how the library was built (optional). Product
+SBOM = your job.
+
+---
+
+## Which path are you?
+
+| Profile | Build | Generate wolfSSL SBOM |
+|---------|-------|------------------------|
+| **A. Linux / server / Yocto / package** | `./configure && make` | `make sbom` in wolfSSL tree |
+| **B. Embedded / RTOS / IDE** | `user_settings.h` + your Makefile / Keil / Zephyr / ESP-IDF | `./scripts/generate-embedded-sbom.sh` (kit demo) or upstream `gen-sbom` |
+| **C. Commercial license** | Either | `CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial ./scripts/generate-wolfssl-sbom.sh` |
+
+**Every manufacturer still:**
+
+1. Maintains a **product SBOM** (all components).
+2. **References or copies** wolfSSL’s `.spdx.json` / `.cdx.json` into it.
+3. **Regenerates** wolfSSL SBOM when `user_settings.h` or your source list changes.
+4. Owns **vulnerability handling** (process + owner).
+5. Uses **bomsh** only if an auditor or contract requires build proof — on a **Linux** host.
+
+---
+
+## Quick start
+
+### 1. Validate the bundled sample (no wolfSSL build required)
+
+```sh
+cd wolfssl-examples/cra-kit
+./scripts/validate.sh
+```
+
+### 2. Regenerate component SBOMs (requires wolfSSL with `make sbom`)
+
+```sh
+export WOLFSSL_DIR=../../wolfssl
+./scripts/refresh-samples.sh # make sbom + auto-fix product SPDX checksum
+```
+
+Or without updating the product stub checksum:
+
+```sh
+./scripts/generate-wolfssl-sbom.sh # default: autotools if Makefile exists
+CRA_SBOM_MODE=embedded ./scripts/generate-wolfssl-sbom.sh # rarely used for packet/
+./scripts/generate-embedded-sbom.sh # writes wolfssl-component-embedded/
+
+CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial \
+ ./scripts/generate-wolfssl-sbom.sh # commercial-license sample
+./scripts/make-commercial-sample.sh # derive from pinned GPL samples (no rebuild)
+```
+
+**Pinned samples** in `auditor-packet/wolfssl-component/` are from **`make sbom`**
+(autotools), with a sibling `*.commercial.{cdx,spdx}.json` showing the override pattern.
+Embedded regen produces a **different** SBOM (watermarked `wolfssl:sbom:demo=true`) —
+see [`auditor-packet/wolfssl-component/SAMPLE-PROVENANCE.md`](auditor-packet/wolfssl-component/SAMPLE-PROVENANCE.md).
+
+### 3. Study the sample product packet
+
+Open [`auditor-packet/00-INDEX.md`](auditor-packet/00-INDEX.md) — fictional **Acme
+Connect Gateway** shows CycloneDX `bom` external reference and SPDX
+`externalDocumentRefs` pointing at wolfSSL’s files.
+
+### 4. Integrate into your real product SBOM
+
+Copy the pattern from `product-acme-connect-gateway.*` in [`auditor-packet/`](auditor-packet/) — both
+SPDX `externalDocumentRefs` and CycloneDX `bom` external references are shown
+end-to-end. For the upstream technical reference on `make sbom` flags, output
+formats, and `SBOM_LICENSE_OVERRIDE` for commercial licensees, see
+[`wolfssl/doc/SBOM.md`](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md).
+
+---
+
+## `make bomsh` — Linux host only (simple explanation)
+
+`make bomsh` is **optional** for most CRA transparency needs. Use it when someone
+asks: *“Prove this `libwolfssl.so` was built from these exact sources.”*
+
+**Why only Linux?** Bomsh runs **bomtrace3** — a patched **strace** that watches
+every compiler call during a **full rebuild**. That program is built and tested on
+**Linux build machines** (normal `ptrace`, no kernel patches).
+
+| Your situation | What to do |
+|----------------|------------|
+| Build on **Linux** | `make bomsh` after `make sbom` in wolfSSL |
+| Build on **macOS / Windows** | Run bomsh in **Linux CI**, **WSL2**, or a **container** |
+| Ship firmware to **MCU / RTOS** | **Target OS does not matter** — tracing runs on the **build host** |
+| **Embedded**, no Linux in house | Use **`gen-sbom`** for SBOM on any OS; skip bomsh unless required |
+
+The sample packet does **not** ship `omnibor/` (large). See
+[`auditor-packet/wolfssl-component/README-bomsh.md`](auditor-packet/wolfssl-component/README-bomsh.md).
+
+Full detail: [wolfssl/doc/SBOM.md §3](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md).
+
+---
+
+## wolfSSL SBOM feature (upstream)
+
+SBOM and optional bomsh provenance are developed in the main **wolfSSL** repository:
+
+| Item | Location |
+|------|----------|
+| Generator | `wolfssl/scripts/gen-sbom` |
+| Autotools | `make sbom`, `make bomsh` |
+| CI | `wolfssl/.github/workflows/sbom.yml` |
+| Reference (flags, formats, OmniBOR) | [doc/SBOM.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md) |
+| Customer-facing CRA narrative, glossary, auditor packet, AI playbook | this kit (you are here) |
+
+Use a wolfSSL tree where the `make sbom` (and optionally `make bomsh`) targets are
+available before running the scripts here. Once these targets land on `master`, any
+recent wolfSSL checkout works; until then, use the integration branch / PR.
+
+Pinned sample version: see [`VERSION`](VERSION) (default **5.9.1**).
+
+---
+
+## Embedded demo settings
+
+[`user_settings.h`](user_settings.h) in this directory is included when
+`WOLFSSL_USER_SETTINGS` is defined for `./scripts/generate-embedded-sbom.sh`.
+Production SBOMs must use **your** project's `user_settings.h` and **your** full
+`--srcs` list (every wolfSSL `.c` you compile).
+
+---
+
+## Presentation
+
+15-minute co-sponsor slide track: [`presentations/SLIDE-OUTLINE.md`](presentations/SLIDE-OUTLINE.md).
+
+Handouts: [`CRA-Cheat-Sheet.md`](CRA-Cheat-Sheet.md) + [`CRA-Supply-Chain-Glossary.md`](CRA-Supply-Chain-Glossary.md);
+point AI users at [`SKILL.md`](SKILL.md) (copy to `.cursor/skills/wolfssl-cra-kit/`).
+
+---
+
+## Agent skill
+
+[`SKILL.md`](SKILL.md) is a customer deliverable (not internal-only) — see
+[`presentations/SLIDE-OUTLINE.md`](presentations/SLIDE-OUTLINE.md). Copy to
+`.cursor/skills/wolfssl-cra-kit/` for Cursor.
+
+---
+
+## FAQ
+
+**Do we need our own SBOM?**
+Yes — for the whole product you place on the EU market.
+
+**Is wolfSSL’s SBOM enough alone?**
+No — nest or reference it in your product SBOM (see `auditor-packet/`).
+
+**SPDX or CycloneDX?**
+wolfSSL ships both; use what your tools expect.
+
+**Do we need bomsh for CRA?**
+Usually no. SBOM alone covers most transparency asks.
+
+**What about CBOM?**
+Many RFQs ask for crypto inventory. Today: `wolfssl:build:*` properties in
+CycloneDX from your real config. Formal CycloneDX CBOM: **roadmap** — see
+[`ROADMAP.md`](ROADMAP.md).
+
+**FIPS builds?**
+The SBOM generator does not change validated module code; your FIPS boundary
+documentation remains separate.
+
+**What does this kit NOT cover?**
+Software transparency only. **Structural** CRA obligations are out of scope:
+appointing an EU Authorised Representative (Art. 18), product classification
+(Annex III/IV), conformity assessment + CE marking, full technical
+documentation per Annex VII, the support-period commitment, and importer /
+distributor obligations. See [`CRA-Compliance-Shortlist.md`](CRA-Compliance-Shortlist.md)
+"Beyond this kit" for the list. Engage CRA counsel or consultant — these are
+legal/structural decisions, not artefacts.
+
+**Are we outside the EU? (US / Asia / etc.)**
+Then you almost certainly need an **EU Authorised Representative** (Art. 18)
+appointed in writing **before** placing your product on the EU market. Either
+contract a third-party AR service or use an existing EU subsidiary. This is a
+long-lead item — start now, do not wait for September 2026.
+
+---
+
+## Further reading
+
+### OpenSSF guidance
+
+- [CRA Brief Guide for OSS Developers](https://best.openssf.org/CRA-Brief-Guide-for-OSS-Developers.html)
+ — When the CRA applies to open source projects and what obligations fall on
+ manufacturers integrating OSS components into commercial products.
+- [SBOM in Compliance](https://sbom-catalog.openssf.org/sbom-compliance.html)
+ — OpenSSF SBOM Everywhere SIG survey of the global regulatory landscape:
+ CRA, NTIA minimum elements, US EO 14028, Germany TR-03183, others.
+- [Getting Started with SBOMs](https://sbom-catalog.openssf.org/getting-started)
+ — OpenSSF guidance on SBOM generation approaches (build-integrated vs.
+ separate tooling), phase selection, publication. wolfSSL's `make sbom`
+ follows the build-integrated approach.
+- [OpenSSF CRA Policy Hub](https://openssf.org/category/policy/cra/)
+ — Ongoing OpenSSF coverage of CRA developments and community responses.
+- [SBOM Everywhere Wiki](https://sbom-catalog.openssf.org/) — tooling
+ catalog, working group resources, naming conventions, cross-format
+ guidance for SPDX and CycloneDX.
+
+### Standards
+
+- SPDX 2.3 specification:
+- CycloneDX 1.6 specification:
+- NTIA minimum elements for an SBOM:
+
+- RFC 9116 (`security.txt`):
+
+---
+
+## Support
+
+Questions about this kit: **support@wolfssl.com**
+
+Security reports: see [`security.txt`](https://www.wolfssl.com/.well-known/security.txt)
+and our [Coordinated Vulnerability Disclosure policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt).
+Do **not** send vulnerability details to `support@` — use the security contact
+listed in `security.txt`.
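Review bot: the four bullets under "### Standards" carry no links, each ends at the colon ("SPDX 2.3 specification:", "CycloneDX 1.6 specification:", "NTIA minimum elements for an SBOM:", "RFC 9116 (`security.txt`):"), so the subsection documents nothing as written; either add the URLs or drop the subsection until they are in, and remove the stray blank line between the NTIA and RFC 9116 bullets, which splits the list into two.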
diff --git a/cra-kit/ROADMAP.md b/cra-kit/ROADMAP.md
new file mode 100644
index 00000000..deaa9949
--- /dev/null
+++ b/cra-kit/ROADMAP.md
@@ -0,0 +1,43 @@
+# Supply-chain artefacts — today vs roadmap
+
+Honest status for customer conversations. This is **not** a commitment schedule.
+
+| Capability | Status | What you do today |
+|--------------|--------|-------------------|
+| **SBOM** (SPDX 2.3 + CycloneDX 1.6) | **Available** | `make sbom` or `scripts/gen-sbom` |
+| **Config-accurate build properties** | **Available** | Read `wolfssl:build:*` in `.cdx.json` |
+| **Embedded source-merkle checksum** | **Available** | `gen-sbom` with `--srcs` (no `libwolfssl.a` required) |
+| **Commercial license in SBOM** | **Available** | `CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial ./scripts/generate-wolfssl-sbom.sh` (or `make-commercial-sample.sh` to derive from pinned GPL samples) |
+| **Reproducible SBOM timestamps** | **Available** | `SOURCE_DATE_EPOCH` |
+| **OmniBOR / `make bomsh`** | **Available** | Linux **build host** only; optional for CRA |
+| **`pkg:github` PURL** | **Available** | Auto-canonicalised by `generate-wolfssl-sbom.sh` post-process; resolves in OSV / GHSA / Snyk / Trivy without per-vendor mapping |
+| **Cryptographic-asset draft** (CycloneDX 1.6) | **Draft sample** | Hand-rolled `wolfssl-.cbom-draft.cdx.json` alongside SBOM (4–6 starter entries); upstream automation: roadmap |
+| **Formal CBOM** (`cryptographic-asset` profile, all primitives) | **Roadmap** | Use draft sample + `wolfssl:build:*` properties |
+| **VEX templates / automation** | **Roadmap** | Your scanner + wolfSSL [advisories](https://www.wolfssl.com/docs/security-vulnerabilities/) |
+| **CSAF 2.0 advisory feed** (`/.well-known/csaf/`) | **Roadmap** | Human-readable [advisories](https://www.wolfssl.com/docs/security-vulnerabilities/) today; CSAF 2.0 publication is on the roadmap (BSI's CRA reference architecture assumes CSAF) |
+| **Signed SBOMs** (in-toto / cosign / Sigstore) | **Roadmap** | Unsigned today; signing is conspicuous-by-absence for a crypto vendor and is on the roadmap |
+| **SBOM publication channel** | **Roadmap** | Per-release artefacts on GitHub Releases (proposed); `wolfssl.com/sbom/` (proposed); discovery via PURL is the long-term goal |
+| **Product SBOM tool** | **Out of scope** | Your BOM platform or manual merge |
+
+Upstream implementation detail: [wolfssl/doc/SBOM.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md).
+
+---
+
+## Vulnerability-handling roadmap (Pillar 4)
+
+The kit's vulnerability-handling pillar is the only **ongoing** CRA obligation.
+Status of wolfSSL Inc.'s own filings is tracked here so customers can see what
+they're actually inheriting when they reference us as a component supplier.
+
+| Capability | Status | Notes |
+|------------|--------|-------|
+| `security.txt` (RFC 9116) | **Available** | [`/.well-known/security.txt`](https://www.wolfssl.com/.well-known/security.txt) |
+| Coordinated Vulnerability Disclosure policy | **Available** | [`/.well-known/vulnerability-disclosure-policy.txt`](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) |
+| CNA status | **Available** | wolfSSL is a CVE Numbering Authority |
+| Public SLA (24h ack / 72h triage) | **Pending leadership approval** | Will be added to CVD policy once approved |
+| 24h ENISA reporting (Art. 14) runbook | **In progress** | Owner assignment pending; on-call rotation TBD |
+| EU Authorised Representative (Art. 18) | **In progress** | wolfSSL Inc. is US-established; AR appointment underway |
+| CSAF 2.0 advisory feed | **Roadmap** | See above |
+
+See [`wolfssl-inc-auditor-packet/`](wolfssl-inc-auditor-packet/) for the manufacturer-side
+filings wolfSSL Inc. ships under CRA.
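Review bot: the "Cryptographic-asset draft" row names the file as `wolfssl-.cbom-draft.cdx.json`, which looks like a version placeholder that was lost; the packet index in this same change lists it as `wolfssl-5.9.1.cbom-draft.cdx.json`, so either write the concrete name or an explicit pattern such as `wolfssl-<version>.cbom-draft.cdx.json`. Separately, the Pillar 4 table publishes internal readiness state ("Pending leadership approval", "Owner assignment pending; on-call rotation TBD") in a file the README presents as a customer-facing deliverable; consider whether those cells should be reduced to the externally meaningful status before this ships.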
diff --git a/cra-kit/SKILL.md b/cra-kit/SKILL.md
new file mode 100644
index 00000000..06bdba6f
--- /dev/null
+++ b/cra-kit/SKILL.md
@@ -0,0 +1,136 @@
+---
+name: wolfssl-cra-kit
+description: >-
+ wolfSSL CRA Kit playbook: who-provides-what cheat sheet, full glossary,
+ auditor-packet sample, generate/validate/refresh scripts for product SBOM +
+ nested wolfSSL SBOM, bomsh Linux-only, vulnerability handling (CVD policy +
+ security.txt), and pointers to structural CRA obligations (EU Authorised
+ Representative Art. 18, Annex III/IV product classification, conformity
+ assessment, CE mark) that this kit does NOT cover. Use with Cursor, Claude,
+ or any agent for EU CRA software transparency (make sbom, SPDX, CycloneDX).
+---
+
+# wolfSSL CRA Kit — AI playbook
+
+Use this file with **Cursor**, **Claude Code**, **Copilot**, or any coding agent
+to drive the kit's scripts and narrative without re-explaining CRA terms.
+
+**Not legal advice.** Never claim “CRA compliant.” **Product SBOM** is always yours;
+wolfSSL ships **component** evidence only.
+
+wolfSSL Inc. is itself a manufacturer under CRA for libraries it places on the
+EU market — see our [`security.txt`](https://www.wolfssl.com/.well-known/security.txt),
+[CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt),
+and the [`wolfssl-inc-auditor-packet/`](wolfssl-inc-auditor-packet/) (manufacturer-side
+filings: classification, conformity assessment, declaration of conformity template,
+EU AR status, support-period, vulnerability-handling process) as reference templates
+for the customer's own CRA artefacts.
+
+---
+
+## What you leave with (matches the presentation)
+
+| Deliverable | File / folder |
+|-------------|----------------|
+| **CRA shortlist** (4 pillars: components, secure boot, data in transfer, vulnerability handling) | [CRA-Compliance-Shortlist.md](CRA-Compliance-Shortlist.md) |
+| **Who provides what** (you vs wolfSSL) | [CRA-Cheat-Sheet.md](CRA-Cheat-Sheet.md) |
+| **Full glossary** (SBOM, CBOM, bomsh, …) | [CRA-Supply-Chain-Glossary.md](CRA-Supply-Chain-Glossary.md) |
+| **Worked example (customer-side)** | [auditor-packet/](auditor-packet/) — fictional Acme Connect Gateway |
+| **Manufacturer-side filings (wolfSSL Inc.)** | [wolfssl-inc-auditor-packet/](wolfssl-inc-auditor-packet/) — classification, DoC template, EU AR status, etc. |
+| **Scripts + agent checklist** | This SKILL — below |
+
+---
+
+## Install (Cursor)
+
+```bash
+mkdir -p .cursor/skills/wolfssl-cra-kit
+cp wolfssl-examples/cra-kit/SKILL.md .cursor/skills/wolfssl-cra-kit/SKILL.md
+```
+
+Point the agent at `wolfssl-examples/cra-kit/` (clone or monorepo path).
+Set `WOLFSSL_DIR` to your wolfSSL source tree when regenerating SBOMs.
+
+**Other tools:** paste this file into the system prompt, or `@`-mention the kit README.
+
+---
+
+## Agent checklist
+
+**Before starting**, confirm with the customer (do not assume):
+
+- Where is the customer **established** (US / EU / other)? If outside the EU, flag the **EU Authorised Representative** requirement (Art. 18) — long-lead item, start now.
+- What is the **product classification** under Annex III/IV? Self-declared (default class) or Notified Body required (important / critical)? Flag if unknown — Notified Body queues are long.
+- Is the customer's CRA work **on track for 11 Sep 2026** (Art. 14 reporting wave) and **11 Dec 2027** (full applicability)? If structural items are open, SBOM work alone won't make them ready.
+
+Then run the SBOM execution checklist:
+
+1. **Component SBOM**
+ - `cd wolfssl-examples/cra-kit`
+ - `WOLFSSL_DIR=/path/to/wolfssl ./scripts/generate-wolfssl-sbom.sh`
+ - Or in wolfSSL: `make sbom` (needs `pip install spdx-tools`)
+
+2. **Product SBOM**
+ - Open `auditor-packet/product-acme-connect-gateway.{cdx,spdx}.json`
+ - Mirror how wolfSSL is referenced/nested for **your** product name and version
+ - Embedded builds: `CRA_SBOM_MODE=embedded ./scripts/generate-embedded-sbom.sh` + your `user_settings.h`
+
+3. **Validate without rebuilding wolfSSL**
+ - `./scripts/validate.sh`
+
+4. **Refresh pinned samples** (maintainers / after wolfSSL release)
+ - `WOLFSSL_DIR=... ./scripts/refresh-samples.sh`
+
+5. **Optional — bomsh**
+ - Only if contract/auditor requires; **Linux build host** only (`make bomsh` in wolfSSL tree)
+ - Not in the sample auditor packet by default
+
+---
+
+## Scope rules (tell the agent)
+
+- **Product SBOM** = customer owns entire shipped product.
+- **Component SBOM** = wolfSSL only; nest via SPDX `externalDocumentRefs` or CycloneDX `bom` ref.
+- **CBOM** = partial today (`wolfssl:build:*`); do not claim full CycloneDX CBOM profile.
+- **VEX** = customer + scanner; wolfSSL provides advisories, not VEX files.
+- **bomsh** = optional provenance; not required for most CRA transparency asks.
+- **Vulnerability handling (Art. 13/14)** = customer publishes their own CVD policy + `security.txt`, runs on-call, files 24h ENISA reports for their product; wolfSSL provides reference templates and handles ENISA reporting only for libraries placed on the EU market by wolfSSL Inc.
+- **Structural CRA (out of scope for this kit)** = EU Authorised Representative (Art. 18 — required if customer is outside the EU), Annex III/IV classification (determines self-cert vs Notified Body), conformity assessment + CE mark (Art. 32, 30), technical documentation (Annex VII), support-period commitment (Art. 13(8), 5+ years default). When a customer asks "are we ready?", surface these — SBOMs alone are not enough. Recommend engaging CRA counsel or consultant.
+
+---
+
+## Scripts
+
+| Script | Purpose |
+|--------|---------|
+| `scripts/validate.sh` | JSON + SPDX checksum on sample packet |
+| `scripts/refresh-samples.sh` | `make sbom` + patch product SPDX checksum |
+| `scripts/generate-wolfssl-sbom.sh` | `CRA_SBOM_MODE=autotools\|embedded` |
+| `scripts/generate-embedded-sbom.sh` | → `auditor-packet/wolfssl-component-embedded/` |
+
+Embedded demo: `user_settings.h` + `WOLFSSL_USER_SETTINGS`.
+
+---
+
+## Sample paths
+
+- Product: `auditor-packet/product-acme-connect-gateway.{spdx,cdx}.json`
+- Component: `auditor-packet/wolfssl-component/wolfssl-5.9.1.*`
+- Embedded (optional): `auditor-packet/wolfssl-component-embedded/`
+
+---
+
+## Example prompts
+
+- “Walk me through nesting wolfSSL’s CycloneDX SBOM into our product SBOM using `auditor-packet/` as a template.”
+- “Run `validate.sh` and fix any checksum mismatch after I regenerated the component SBOM.”
+- “Generate an embedded SBOM with our `user_settings.h` and list which algorithms appear in `wolfssl:build:*`.”
+- “Do we need bomsh for CRA? When would we run it on Linux CI only?”
+- “We're a US company shipping into the EU — what CRA structural items do we need beyond the SBOM?”
+- “What's the difference between Annex III and Annex IV classification, and how does it affect our conformity assessment?”
+
+---
+
+## Upstream docs (wolfSSL repo)
+
+- [doc/SBOM.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md) — SBOM/Bomsh feature reference (flags, formats, commercial license override, OmniBOR)
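Review bot: step 2 of the agent checklist sets the mode variable on the wrong script: `CRA_SBOM_MODE=embedded ./scripts/generate-embedded-sbom.sh` contradicts this file's own Scripts table and the kit README, where `CRA_SBOM_MODE=autotools|embedded` is a knob of `generate-wolfssl-sbom.sh` and `generate-embedded-sbom.sh` takes no mode. That line also produces a wolfSSL component SBOM, not a product SBOM, so it belongs under step 1 ("Component SBOM"), not step 2; an agent following this list literally would run the wrong command at the wrong step.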
diff --git a/cra-kit/VERSION b/cra-kit/VERSION
new file mode 100644
index 00000000..b64a5e97
--- /dev/null
+++ b/cra-kit/VERSION
@@ -0,0 +1,3 @@
+# Pinned wolfSSL SBOM samples under auditor-packet/wolfssl-component/
+# Regenerate with: ./scripts/generate-wolfssl-sbom.sh && ./scripts/refresh-samples.sh
+WOLFSSL_VERSION=5.9.1
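Review bot: the regenerate comment chains `./scripts/generate-wolfssl-sbom.sh && ./scripts/refresh-samples.sh`, but the README describes `refresh-samples.sh` as already running `make sbom` and fixing the product SPDX checksum, so the first command is redundant here; match the README's one-liner, and state whether the scripts read `WOLFSSL_VERSION` from this file or whether it is informational only, since the pinned filenames (`wolfssl-5.9.1.*`) hard-code the same value.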
diff --git a/cra-kit/auditor-packet/00-INDEX.md b/cra-kit/auditor-packet/00-INDEX.md
new file mode 100644
index 00000000..96ef3860
--- /dev/null
+++ b/cra-kit/auditor-packet/00-INDEX.md
@@ -0,0 +1,37 @@
+# Auditor packet index (fictional Acme Connect Gateway)
+
+Example of what a **manufacturer** might bundle alongside wolfSSL component
+artefacts. **Not legal advice** — adapt to your product and counsel.
+
+| File | Role |
+|------|------|
+| `product-acme-connect-gateway.cdx.json` | **Your** product SBOM (CycloneDX) — references wolfSSL |
+| `product-acme-connect-gateway.spdx.json` | **Your** product SBOM (SPDX) — `externalDocumentRefs` to wolfSSL |
+| `wolfssl-component/wolfssl-5.9.1.cdx.json` | wolfSSL component SBOM — **autotools / make sbom** sample (GPL) |
+| `wolfssl-component/wolfssl-5.9.1.spdx.json` | wolfSSL component SBOM (SPDX, GPL) |
+| `wolfssl-component/wolfssl-5.9.1.commercial.cdx.json` | wolfSSL component SBOM with commercial license override |
+| `wolfssl-component/wolfssl-5.9.1.commercial.spdx.json` | wolfSSL component SBOM (SPDX) with commercial license override |
+| `wolfssl-component/wolfssl-5.9.1.cbom-draft.cdx.json` | Hand-rolled cryptographic-asset draft (CycloneDX 1.6 CBOM profile) |
+| `wolfssl-component/SAMPLE-PROVENANCE.md` | How the pinned autotools samples were produced |
+| `wolfssl-component/omnibor.wolfssl-5.9.1.spdx.json.sample` | Truncated OmniBOR / bomsh provenance sample |
+| `wolfssl-component-embedded/` | Optional embedded `gen-sbom` output (generated locally; gitignored) |
+| `wolfssl-component/README-bomsh.md` | Optional OmniBOR — not included by default |
+
+Also provide: your vulnerability process, release notes, and the upstream
+wolfSSL disclosure context — [`security.txt`](https://www.wolfssl.com/.well-known/security.txt),
+[CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt),
+and [advisories](https://www.wolfssl.com/docs/security-vulnerabilities/).
+
+**This packet shows the software-transparency artefacts only.** A complete
+CRA conformity packet for a real product also includes:
+
+- Declaration of conformity (Art. 28)
+- Technical documentation per Annex VII (risk assessment, design info, support-period commitment, vulnerability handling process)
+- Proof of conformity assessment (self-declared per Art. 32 Module A, or Notified Body certificate per product class)
+- Identity of the EU Authorised Representative (Art. 18) if the manufacturer is established outside the EU
+- CE marking declaration
+
+See [`../CRA-Compliance-Shortlist.md`](../CRA-Compliance-Shortlist.md)
+"Beyond this kit" for the structural obligations not covered by SBOMs.
+
+**Regenerate autotools samples + product checksum:** `./scripts/refresh-samples.sh`
diff --git a/cra-kit/auditor-packet/README-auditor-packet.md b/cra-kit/auditor-packet/README-auditor-packet.md
new file mode 100644
index 00000000..fd3e8e26
--- /dev/null
+++ b/cra-kit/auditor-packet/README-auditor-packet.md
@@ -0,0 +1,9 @@
+# Sample auditor packet
+
+This directory is a **teaching example** only. **Acme Industries** and
+**acme-connect-gateway** are fictional.
+
+It shows how a **product SBOM** references wolfSSL’s **component SBOM** in
+both CycloneDX and SPDX forms.
+
+See [`00-INDEX.md`](00-INDEX.md) for the file list.
diff --git a/cra-kit/auditor-packet/product-acme-connect-gateway.cdx.json b/cra-kit/auditor-packet/product-acme-connect-gateway.cdx.json
new file mode 100644
index 00000000..79656768
--- /dev/null
+++ b/cra-kit/auditor-packet/product-acme-connect-gateway.cdx.json
@@ -0,0 +1,63 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:c7a4f9b2-8e1d-4a3f-b5c6-d2e8f4a7b9c1",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2026-05-18T12:00:00Z",
+ "component": {
+ "type": "firmware",
+ "bom-ref": "acme-connect-gateway-1.0.0",
+ "name": "acme-connect-gateway",
+ "version": "1.0.0",
+ "supplier": {
+ "name": "Acme Industries (fictional example)"
+ }
+ }
+ },
+ "components": [
+ {
+ "type": "library",
+ "bom-ref": "wolfssl-5.9.1",
+ "name": "wolfssl",
+ "version": "5.9.1",
+ "supplier": {
+ "name": "wolfSSL Inc."
+ },
+ "purl": "pkg:github/wolfSSL/wolfssl@v5.9.1",
+ "cpe": "cpe:2.3:a:wolfssl:wolfssl:5.9.1:*:*:*:*:*:*:*",
+ "externalReferences": [
+ {
+ "type": "bom",
+ "url": "file:wolfssl-component/wolfssl-5.9.1.cdx.json",
+ "comment": "Component SBOM from wolfSSL; regenerate with scripts/generate-wolfssl-sbom.sh",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "265cd1575f7a350295ba1414494f2cc93bb895223a9732dcfb231bcecb6d3bbd"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "dependencies": [
+ {
+ "ref": "acme-connect-gateway-1.0.0",
+ "dependsOn": [
+ "wolfssl-5.9.1"
+ ]
+ },
+ {
+ "ref": "wolfssl-5.9.1",
+ "dependsOn": []
+ }
+ ],
+ "properties": [
+ {
+ "name": "wolfssl:sample:component-deps",
+ "value": "wolfSSL has no transitive runtime library dependencies; the host CRT is the only build-time requirement and is excluded per NTIA SBOM practice."
+ }
+ ]
+}
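Review bot: the SHA-256 pinned in the `bom` external reference (`"content": "265cd15..."`) has no stated owner for keeping it current; the README and SKILL say `refresh-samples.sh` auto-fixes only the product SPDX checksum and `validate.sh` checks "JSON + SPDX checksum", so after any regeneration this CycloneDX hash silently goes stale and the integrity pin the packet is meant to demonstrate stops matching the referenced file. Have `validate.sh` verify this hash against `wolfssl-component/wolfssl-5.9.1.cdx.json` as well, and have `refresh-samples.sh` rewrite both.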
diff --git a/cra-kit/auditor-packet/product-acme-connect-gateway.spdx.json b/cra-kit/auditor-packet/product-acme-connect-gateway.spdx.json
new file mode 100644
index 00000000..d67a451a
--- /dev/null
+++ b/cra-kit/auditor-packet/product-acme-connect-gateway.spdx.json
@@ -0,0 +1,46 @@
+{
+ "spdxVersion": "SPDX-2.3",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "acme-connect-gateway-1.0.0",
+ "documentNamespace": "urn:uuid:8d3c2f9e-6b4a-4d7c-9f1e-a5b8c0d2e4f6",
+ "creationInfo": {
+ "creators": [
+ "Organization: Acme Industries (fictional example)"
+ ],
+ "created": "2026-05-18T12:00:00Z"
+ },
+ "externalDocumentRefs": [
+ {
+ "externalDocumentId": "DocumentRef-wolfssl",
+ "spdxDocument": "file:wolfssl-component/wolfssl-5.9.1.spdx.json",
+ "checksum": {
+ "algorithm": "SHA256",
+ "checksumValue": "36fdc0c8a192a0fadc4c5024ff75ecee3a56dd8a431dfb25bfa8afcf467cfdef"
+ }
+ }
+ ],
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package-Product",
+ "name": "acme-connect-gateway",
+ "versionInfo": "1.0.0",
+ "supplier": "Organization: Acme Industries",
+ "downloadLocation": "NOASSERTION",
+ "filesAnalyzed": false
+ }
+ ],
+ "relationships": [
+ {
+ "spdxElementId": "SPDXRef-DOCUMENT",
+ "relatedSpdxElement": "SPDXRef-Package-Product",
+ "relationshipType": "DESCRIBES"
+ },
+ {
+ "spdxElementId": "SPDXRef-Package-Product",
+ "relatedSpdxElement": "DocumentRef-wolfssl:SPDXRef-Package-wolfssl",
+ "relationshipType": "STATIC_LINK",
+ "comment": "Fictional embedded firmware links wolfSSL statically; use DYNAMIC_LINK for .so"
+ }
+ ]
+}
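Review bot: in `externalDocumentRefs`, `spdxDocument` is expected by SPDX 2.3 (external document references) to carry the referenced document's own `documentNamespace` URI, not a relative file path such as `file:wolfssl-component/wolfssl-5.9.1.spdx.json`; as written, a consumer cannot match this reference to the component document by namespace, and schema validators that only check URI syntax will not catch it. Use the namespace from the generated `wolfssl-5.9.1.spdx.json` (and keep the file location in a `comment` or the packet index), and confirm the relationship target `DocumentRef-wolfssl:SPDXRef-Package-wolfssl` matches the actual package SPDXID emitted by `gen-sbom`, since a mismatch leaves the `STATIC_LINK` relationship dangling; `validate.sh` could check both.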
diff --git a/cra-kit/auditor-packet/wolfssl-component-embedded/.gitignore b/cra-kit/auditor-packet/wolfssl-component-embedded/.gitignore
new file mode 100644
index 00000000..30803144
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component-embedded/.gitignore
@@ -0,0 +1,3 @@
+wolfssl-*.cdx.json
+wolfssl-*.spdx.json
+wolfssl-*.spdx
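Review bot: these patterns are contradicted by the same change, which adds `cra-kit/auditor-packet/wolfssl-component-embedded/wolfssl-5.9.1.cdx.json` even though `wolfssl-*.cdx.json` is ignored here and the directory's README states that only the README is committed. Either drop the committed sample (and keep the directory generated-only, as the README and 00-INDEX describe) or remove the ignore rules and document the file as a pinned sample; a force-added file under an ignore rule will not be picked up by later refreshes.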
diff --git a/cra-kit/auditor-packet/wolfssl-component-embedded/README.md b/cra-kit/auditor-packet/wolfssl-component-embedded/README.md
new file mode 100644
index 00000000..1ac91851
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component-embedded/README.md
@@ -0,0 +1,23 @@
+# Embedded component SBOM (optional sample)
+
+This directory's `wolfssl-*.{cdx,spdx}.json` outputs are **gitignored** — generate
+them locally with the embedded path. Only this README is committed.
+
+```sh
+export WOLFSSL_DIR=../../wolfssl # wolfSSL tree with scripts/gen-sbom
+python3 -m pip install pcpp # same python3 as in your PATH (see README)
+./scripts/generate-embedded-sbom.sh
+```
+
+If pcpp is not on your `python3`, the script falls back to `cc -dM -E` and `--options-h`
+(no extra install). For cross builds, set `CC=arm-none-eabi-gcc` (or your target
+compiler) so the fallback reflects target macros, not the host's.
+
+Uses [`../../user_settings.h`](../../user_settings.h) via `WOLFSSL_USER_SETTINGS` and a
+**demo** `--srcs` list (see `scripts/generate-wolfssl-sbom.sh`). Production firmware
+must pass **your** `user_settings.h` and **every** wolfSSL `.c` file you compile.
+Embedded outputs are watermarked `wolfssl:sbom:demo=true` so an auditor can tell at
+a glance that they came from the kit's demo `--srcs` list and not a real build.
+
+Outputs differ from [`../wolfssl-component/`](../wolfssl-component/) (autotools /
+`make sbom`). Compare `wolfssl:sbom:hash-kind` in the CycloneDX files.
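Review bot: the commands in the fenced block assume the working directory is the kit root (`./scripts/generate-embedded-sbom.sh`, `WOLFSSL_DIR=../../wolfssl`), while the prose links `../../user_settings.h` relative to this directory; run from here, the script path does not exist and `WOLFSSL_DIR` resolves two levels above `auditor-packet/`. Add a leading `cd ../..` (or state "from `cra-kit/`") so the block is copy-pasteable.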
diff --git a/cra-kit/auditor-packet/wolfssl-component-embedded/wolfssl-5.9.1.cdx.json b/cra-kit/auditor-packet/wolfssl-component-embedded/wolfssl-5.9.1.cdx.json
new file mode 100644
index 00000000..a0dcd3e7
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component-embedded/wolfssl-5.9.1.cdx.json
@@ -0,0 +1,328 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:bbd8fa2c-814a-5921-b121-e872fe1b42a2",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2026-05-18T11:56:58Z",
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "author": "wolfSSL Inc.",
+ "name": "wolfssl-sbom-gen",
+ "version": "1.0"
+ }
+ ]
+ },
+ "component": {
+ "bom-ref": "721ce791-b9c8-5edf-a9d2-ef3b0539043b",
+ "type": "library",
+ "supplier": {
+ "name": "wolfSSL Inc."
+ },
+ "name": "wolfssl",
+ "version": "5.9.1",
+ "licenses": [
+ {
+ "license": {
+ "id": "GPL-3.0-only"
+ }
+ }
+ ],
+ "copyright": "Copyright (C) 2006-2026 wolfSSL Inc.",
+ "cpe": "cpe:2.3:a:wolfssl:wolfssl:5.9.1:*:*:*:*:*:*:*",
+ "purl": "pkg:github/wolfSSL/wolfssl@v5.9.1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "3538981aad331ad5cd160abd2b51ce0a5fa1a58b3c51f990e08ca91bb44627a0"
+ }
+ ],
+ "externalReferences": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/wolfSSL/wolfssl"
+ }
+ ],
+ "properties": [
+ {
+ "name": "wolfssl:build:AES_MAX_KEY_SIZE",
+ "value": "256"
+ },
+ {
+ "name": "wolfssl:build:DH_MAX_SIZE",
+ "value": "WC_BITS_FULL_BYTES(SP_INT_BITS)"
+ },
+ {
+ "name": "wolfssl:build:ECC_DECODE_EXTRA",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:ECC_MIN_KEY_SZ",
+ "value": "224"
+ },
+ {
+ "name": "wolfssl:build:FLASH_QUALIFIER",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_AESGCM",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_AES_CBC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_AES_DECRYPT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ALL_CURVES",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC_CHECK_KEY",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC_DHE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC_KEY_EXPORT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC_KEY_IMPORT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC_SIGN",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC_VERIFY",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_PBKDF1",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_PBKDF2",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_PKCS12",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_PKCS8",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_PUBLIC_FFDHE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:LIBWOLFSSL_CMAKE_OUTPUT",
+ "value": "\"\""
+ },
+ {
+ "name": "wolfssl:build:MIN_FFDHE_BITS",
+ "value": "0"
+ },
+ {
+ "name": "wolfssl:build:MIN_FFDHE_FP_MAX_BITS",
+ "value": "(MIN_FFDHE_BITS * 2)"
+ },
+ {
+ "name": "wolfssl:build:NO_OLD_TLS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_PSK",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_RC4",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_XSTREAM_ALIGN",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:RSA_DECODE_EXTRA",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:USE_WOLFSSL_MEMORY",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WC_ASYNC_DEV_SIZE",
+ "value": "0"
+ },
+ {
+ "name": "wolfssl:build:WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ABI",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_AES_128",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_AES_192",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_AES_256",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ALERT_COUNT_MAX",
+ "value": "5"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_API",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ASN_TEMPLATE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ASYNC_IO",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_BASE64_DECODE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_FIPS_VERSION2_CODE",
+ "value": "WOLFSSL_FIPS_VERSION_CODE"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_FIPS_VERSION_CODE",
+ "value": "WOLFSSL_MAKE_FIPS_VERSION3(0,0,0)"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_GENERAL_ALIGNMENT",
+ "value": "0"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_HAVE_PRF",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_LOCAL",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_MAX_EMPTY_RECORDS",
+ "value": "32"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_MIN_AUTH_TAG_SZ",
+ "value": "12"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_PEM_TO_DER",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SMALL_STACK_STATIC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_ADD_D",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_INVMOD",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_INVMOD_MONT_CT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_MATH_ALL",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_MUL_D",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_NO_DYN_STACK",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_PRIME_GEN",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_READ_RADIX_10",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_READ_RADIX_16",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_SUB_D",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_TEST_VIS",
+ "value": "WOLFSSL_API WC_DEPRECATED(\"internal use only\")"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_TLS13",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_USER_SETTINGS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_W64_WRAPPER",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:XGEN_ALIGN",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:sbom:hash-kind",
+ "value": "source-merkle-omnibor"
+ },
+ {
+ "name": "wolfssl:sbom:source-set",
+ "value": "aes.c,ecc.c,keys.c,random.c,sha.c,sha256.c,tls.c,tls13.c,wc_port.c"
+ }
+ ]
+ }
+ },
+ "components": [],
+ "dependencies": [
+ {
+ "ref": "721ce791-b9c8-5edf-a9d2-ef3b0539043b",
+ "dependsOn": []
+ }
+ ]
+}
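Review bot: the `wolfssl:sbom:demo=true` watermark promised by the embedded README in this patch is missing from this pinned file: the `properties` array ends with `wolfssl:sbom:hash-kind` and `wolfssl:sbom:source-set` and has no `wolfssl:sbom:demo` entry, so an auditor reading the document cannot tell it came from the demo `--srcs` list. Regenerate the sample with the watermark (and carry it into the SPDX twin's `comment`) or drop the claim from the README. Two smaller points in the same file: the `hashes` entry labels the source-Merkle root as `SHA-256`, which any consumer will read as a digest of the library artifact, and only the `hash-kind` property says otherwise, so a component-level `description` stating that would help; and entries such as `WOLFSSL_TEST_VIS`, `LIBWOLFSSL_CMAKE_OUTPUT` (value `""`) and `DH_MAX_SIZE` = `WC_BITS_FULL_BYTES(SP_INT_BITS)` are internal or unexpanded macros that tell an auditor nothing about the user configuration and could be filtered.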
diff --git a/cra-kit/auditor-packet/wolfssl-component-embedded/wolfssl-5.9.1.spdx.json b/cra-kit/auditor-packet/wolfssl-component-embedded/wolfssl-5.9.1.spdx.json
new file mode 100644
index 00000000..af6eb3f7
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component-embedded/wolfssl-5.9.1.spdx.json
@@ -0,0 +1,53 @@
+{
+ "spdxVersion": "SPDX-2.3",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "wolfssl-5.9.1",
+ "documentNamespace": "urn:uuid:480ff203-f994-5b71-b858-0653e74e422a",
+ "creationInfo": {
+ "creators": [
+ "Organization: wolfSSL Inc.",
+ "Tool: wolfssl-sbom-gen-1.0"
+ ],
+ "created": "2026-05-18T11:56:58Z"
+ },
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package-wolfssl",
+ "name": "wolfssl",
+ "versionInfo": "5.9.1",
+ "supplier": "Organization: wolfSSL Inc.",
+ "downloadLocation": "https://github.com/wolfSSL/wolfssl",
+ "filesAnalyzed": false,
+ "checksums": [
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "3538981aad331ad5cd160abd2b51ce0a5fa1a58b3c51f990e08ca91bb44627a0"
+ }
+ ],
+ "licenseConcluded": "GPL-3.0-only",
+ "licenseDeclared": "GPL-3.0-only",
+ "copyrightText": "Copyright (C) 2006-2026 wolfSSL Inc.",
+ "comment": "Build configuration defines: AES_MAX_KEY_SIZE, DH_MAX_SIZE, ECC_DECODE_EXTRA, ECC_MIN_KEY_SZ, FLASH_QUALIFIER, HAVE_AESGCM, HAVE_AES_CBC, HAVE_AES_DECRYPT, HAVE_ALL_CURVES, HAVE_ECC, HAVE_ECC_CHECK_KEY, HAVE_ECC_DHE, HAVE_ECC_KEY_EXPORT, HAVE_ECC_KEY_IMPORT, HAVE_ECC_SIGN, HAVE_ECC_VERIFY, HAVE_PBKDF1, HAVE_PBKDF2, HAVE_PKCS12, HAVE_PKCS8, HAVE_PUBLIC_FFDHE, LIBWOLFSSL_CMAKE_OUTPUT, MIN_FFDHE_BITS, MIN_FFDHE_FP_MAX_BITS, NO_OLD_TLS, NO_PSK, NO_RC4, NO_XSTREAM_ALIGN, RSA_DECODE_EXTRA, USE_WOLFSSL_MEMORY, WC_ASYNC_DEV_SIZE, WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST, WOLFSSL_ABI, WOLFSSL_AES_128, WOLFSSL_AES_192, WOLFSSL_AES_256, WOLFSSL_ALERT_COUNT_MAX, WOLFSSL_API, WOLFSSL_ASN_TEMPLATE, WOLFSSL_ASYNC_IO, WOLFSSL_BASE64_DECODE, WOLFSSL_FIPS_VERSION2_CODE, WOLFSSL_FIPS_VERSION_CODE, WOLFSSL_GENERAL_ALIGNMENT, WOLFSSL_HAVE_PRF, WOLFSSL_LOCAL, WOLFSSL_MAX_EMPTY_RECORDS, WOLFSSL_MIN_AUTH_TAG_SZ, WOLFSSL_PEM_TO_DER, WOLFSSL_SMALL_STACK_STATIC, WOLFSSL_SP_ADD_D, WOLFSSL_SP_INVMOD, WOLFSSL_SP_INVMOD_MONT_CT, WOLFSSL_SP_MATH_ALL, WOLFSSL_SP_MUL_D, WOLFSSL_SP_NO_DYN_STACK, WOLFSSL_SP_PRIME_GEN, WOLFSSL_SP_READ_RADIX_10, WOLFSSL_SP_READ_RADIX_16, WOLFSSL_SP_SUB_D, WOLFSSL_TEST_VIS, WOLFSSL_TLS13, WOLFSSL_USER_SETTINGS, WOLFSSL_W64_WRAPPER, XGEN_ALIGN | hash-kind=source-merkle-omnibor | source-set=aes.c,ecc.c,keys.c,random.c,sha.c,sha256.c,tls.c,tls13.c,wc_port.c",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceType": "cpe23Type",
+ "referenceLocator": "cpe:2.3:a:wolfssl:wolfssl:5.9.1:*:*:*:*:*:*:*"
+ },
+ {
+ "referenceCategory": "PACKAGE-MANAGER",
+ "referenceType": "purl",
+ "referenceLocator": "pkg:github/wolfSSL/wolfssl@v5.9.1"
+ }
+ ]
+ }
+ ],
+ "relationships": [
+ {
+ "spdxElementId": "SPDXRef-DOCUMENT",
+ "relatedSpdxElement": "SPDXRef-Package-wolfssl",
+ "relationshipType": "DESCRIBES"
+ }
+ ]
+}
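Review bot: `checksums` presents the source-Merkle value as a `SHA256` checksum of the package while `downloadLocation` points at the GitHub repository URL, so an SPDX consumer that fetches the location and hashes it will never get a match, and the only hint that this is a tree hash over the `source-set` is the free-text `comment`. For the embedded case set `downloadLocation` to `NOASSERTION` and move the hash-kind/source-set description into `sourceInfo`, so tools and auditors do not treat the value as an artifact digest. The `comment` is also where the `demo=true` watermark the embedded README promises would have to go, and it is not there.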
diff --git a/cra-kit/auditor-packet/wolfssl-component/README-bomsh.md b/cra-kit/auditor-packet/wolfssl-component/README-bomsh.md
new file mode 100644
index 00000000..3c451b09
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/README-bomsh.md
@@ -0,0 +1,26 @@
+# Optional: OmniBOR / bomsh bundle
+
+`make bomsh` is **not** included in this sample packet. Most CRA transparency
+workflows need the SBOM files only.
+
+When an auditor or contract requires **build provenance**:
+
+1. On a **Linux** build host (or Linux CI / WSL2 / container), in your wolfSSL tree:
+ ```sh
+ ./configure && make sbom && make bomsh
+ ```
+2. Add to your release bundle:
+ - `omnibor/` directory (Merkle DAG of build inputs/outputs)
+ - `omnibor.wolfssl-.spdx.json` (file-level provenance)
+
+**Sample shape:** see [`omnibor.wolfssl-5.9.1.spdx.json.sample`](omnibor.wolfssl-5.9.1.spdx.json.sample) — a
+truncated illustrative document (3 source files instead of every wolfSSL `.c`,
+placeholder gitoids instead of real ones) so customers know what shape `make bomsh`
+produces before they run it.
+
+**Why Linux only?** `bomsh` uses `bomtrace3`, a patched `strace` that records
+compiler invocations during a full rebuild. That tooling is built and supported
+on Linux hosts. The **target** of your firmware (MCU, RTOS, etc.) does not need
+to run Linux — only the machine **tracing the build** does.
+
+Details: [wolfssl/doc/SBOM.md §3](https://github.com/wolfSSL/wolfssl/blob/master/doc/SBOM.md)
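Review bot: the filename in step 2, `omnibor.wolfssl-.spdx.json`, has an empty version slot (the same pattern appears in the sample document's comment), which reads as a `<version>` placeholder that markdown swallowed as an HTML tag; escape the placeholder inside the backticks or use the concrete `omnibor.wolfssl-5.9.1.spdx.json` that the sample file's name uses. Step 1 would also benefit from stating the prerequisite plainly: `bomsh` and `bomtrace3` must be installed on the tracing host before `make bomsh` is run, and the `omnibor/` directory it produces is large (the sample's comment says so), which matters when deciding what goes into a release bundle.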
diff --git a/cra-kit/auditor-packet/wolfssl-component/SAMPLE-PROVENANCE.md b/cra-kit/auditor-packet/wolfssl-component/SAMPLE-PROVENANCE.md
new file mode 100644
index 00000000..4e6419b4
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/SAMPLE-PROVENANCE.md
@@ -0,0 +1,21 @@
+# Sample provenance
+
+Pinned files in this directory (`wolfssl-5.9.1.cdx.json`, `wolfssl-5.9.1.spdx.json`)
+were produced with the **autotools** path:
+
+```sh
+cd "$WOLFSSL_DIR" && ./configure && make sbom
+```
+
+They reflect a **configured library build** (SHA-256 of `libwolfssl` and full
+`wolfssl:build:*` properties from `options.h`).
+
+They are **not** the same as the **embedded** demo under
+[`../wolfssl-component-embedded/`](../wolfssl-component-embedded/), which uses
+`user_settings.h` and a trimmed `--srcs` list (source-merkle checksum).
+
+Regenerate autotools samples and fix the product stub checksum:
+
+```sh
+./scripts/refresh-samples.sh
+```
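Review bot: `./scripts/refresh-samples.sh` is written relative to an unstated working directory; this file lives in `cra-kit/auditor-packet/wolfssl-component/`, where a reader following it literally will look for a `scripts/` subdirectory, so prefix the command with the `cd` it expects (or give the path relative to this file). It would also help to say that `$WOLFSSL_DIR` must already be set, and to warn that the SHA-256 in the pinned files is a digest of the built `libwolfssl`, which depends on host compiler, flags and platform (the pinned config carries `WOLFSSL_X86_64_BUILD` and `WOLFSSL_SP_X86_64`), so a customer who regenerates will get a different hash than the committed one and the product stub checksum must be refreshed with it.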
diff --git a/cra-kit/auditor-packet/wolfssl-component/omnibor.wolfssl-5.9.1.spdx.json.sample b/cra-kit/auditor-packet/wolfssl-component/omnibor.wolfssl-5.9.1.spdx.json.sample
new file mode 100644
index 00000000..3992f673
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/omnibor.wolfssl-5.9.1.spdx.json.sample
@@ -0,0 +1,92 @@
+{
+ "spdxVersion": "SPDX-2.3",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "omnibor.wolfssl-5.9.1",
+ "documentNamespace": "urn:uuid:9a8b7c6d-5e4f-4a3b-9c2d-1e0f3a4b5c6d",
+ "comment": "TRUNCATED SAMPLE — illustrates the shape of bomsh / OmniBOR output. A real omnibor.wolfssl-.spdx.json from `make bomsh` lists every wolfSSL .c source via gitoid:blob:sha1 alongside the resulting libwolfssl.so. The full omnibor/ Merkle DAG (under auditor-packet/wolfssl-component/omnibor/) is large and not committed here.",
+ "creationInfo": {
+ "creators": [
+ "Organization: wolfSSL Inc.",
+ "Tool: bomsh-1.0",
+ "Tool: bomtrace3"
+ ],
+ "created": "2026-05-12T17:01:12Z"
+ },
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package-libwolfssl-so",
+ "name": "libwolfssl.so.43.0.0",
+ "versionInfo": "5.9.1",
+ "supplier": "Organization: wolfSSL Inc.",
+ "downloadLocation": "NOASSERTION",
+ "filesAnalyzed": false,
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "0000000000000000000000000000000000000001"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+ }
+ ],
+ "comment": "OmniBOR identifier for the linked binary: gitoid:blob:sha1:0000000000000000000000000000000000000001 — sample placeholder. Real builds emit the actual gitoid covering all .o inputs."
+ }
+ ],
+ "files": [
+ {
+ "SPDXID": "SPDXRef-File-aes-c",
+ "fileName": "wolfcrypt/src/aes.c",
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "1111111111111111111111111111111111111111"
+ }
+ ],
+ "comment": "Sample gitoid:blob:sha1 for aes.c. Real entries cover every .c compiled into libwolfssl.so during the traced make bomsh run."
+ },
+ {
+ "SPDXID": "SPDXRef-File-sha256-c",
+ "fileName": "wolfcrypt/src/sha256.c",
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "2222222222222222222222222222222222222222"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-File-tls13-c",
+ "fileName": "src/tls13.c",
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "3333333333333333333333333333333333333333"
+ }
+ ]
+ }
+ ],
+ "relationships": [
+ {
+ "spdxElementId": "SPDXRef-DOCUMENT",
+ "relatedSpdxElement": "SPDXRef-Package-libwolfssl-so",
+ "relationshipType": "DESCRIBES"
+ },
+ {
+ "spdxElementId": "SPDXRef-Package-libwolfssl-so",
+ "relatedSpdxElement": "SPDXRef-File-aes-c",
+ "relationshipType": "GENERATED_FROM"
+ },
+ {
+ "spdxElementId": "SPDXRef-Package-libwolfssl-so",
+ "relatedSpdxElement": "SPDXRef-File-sha256-c",
+ "relationshipType": "GENERATED_FROM"
+ },
+ {
+ "spdxElementId": "SPDXRef-Package-libwolfssl-so",
+ "relatedSpdxElement": "SPDXRef-File-tls13-c",
+ "relationshipType": "GENERATED_FROM"
+ }
+ ]
+}
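Review bot: the `files[].checksums` entries put gitoid placeholders under `algorithm: SHA1`, and the comment on `SPDXRef-File-aes-c` calls that value a `gitoid:blob:sha1`. Those are different quantities: a git blob OID is SHA-1 over `blob <size>\0<content>`, whereas an SPDX `SHA1` checksum is SHA-1 over the raw file bytes, so an SPDX tool that recomputes file checksums would flag every file as mismatched. SPDX 2.3 has no gitoid checksum algorithm; keep the gitoid in the file `comment` (and for the package, an `externalRefs` entry with `referenceCategory` `PERSISTENT-ID` and `referenceType` `gitoid`) and reserve `checksums` for real digests. Since this sample exists to show customers the shape to expect, state that distinction in the document-level comment so the placeholder layout is not copied.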
diff --git a/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cbom-draft.cdx.json b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cbom-draft.cdx.json
new file mode 100644
index 00000000..2e80c34d
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cbom-draft.cdx.json
@@ -0,0 +1,246 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:f1a2b3c4-d5e6-4f78-9012-3456789abcde",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2026-05-12T16:59:40Z",
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "author": "wolfSSL Inc.",
+ "name": "cra-kit cbom-draft (hand-rolled)",
+ "version": "0.1"
+ }
+ ]
+ },
+ "component": {
+ "type": "library",
+ "bom-ref": "wolfssl-5.9.1-cbom",
+ "name": "wolfssl",
+ "version": "5.9.1",
+ "supplier": { "name": "wolfSSL Inc." },
+ "purl": "pkg:github/wolfSSL/wolfssl@v5.9.1"
+ },
+ "properties": [
+ {
+ "name": "wolfssl:cbom:status",
+ "value": "DRAFT — illustrative starter set for the CycloneDX 1.6 cryptographic-asset profile. Derived from the build configuration in wolfssl-5.9.1.cdx.json (HAVE_AESGCM, HAVE_CHACHA, HAVE_POLY1305, HAVE_ECC, HAVE_HKDF, WOLFSSL_SHA256/384/512, WOLFSSL_TLS13, WOLFSSL_HAVE_MLKEM). Not exhaustive. See ROADMAP.md."
+ }
+ ]
+ },
+ "components": [
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-aes-gcm",
+ "name": "AES-GCM",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "ae",
+ "parameterSetIdentifier": "AES-256-GCM",
+ "cryptoFunctions": ["encrypt", "decrypt"],
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": ["none"],
+ "nistQuantumSecurityLevel": 0
+ },
+ "oid": "2.16.840.1.101.3.4.1.46"
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "HAVE_AESGCM"},
+ {"name": "wolfssl:build:macro", "value": "GCM_TABLE_4BIT"}
+ ]
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-chacha20-poly1305",
+ "name": "ChaCha20-Poly1305",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "ae",
+ "parameterSetIdentifier": "ChaCha20-Poly1305 (RFC 8439)",
+ "cryptoFunctions": ["encrypt", "decrypt"],
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "nistQuantumSecurityLevel": 0
+ }
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "HAVE_CHACHA"},
+ {"name": "wolfssl:build:macro", "value": "HAVE_POLY1305"}
+ ]
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-ecdh-p256",
+ "name": "ECDH (P-256)",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "key-agree",
+ "parameterSetIdentifier": "secp256r1 (NIST P-256)",
+ "curve": "P-256",
+ "cryptoFunctions": ["keygen", "derive"],
+ "executionEnvironment": "software-plain-ram",
+ "nistQuantumSecurityLevel": 0
+ }
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "HAVE_ECC"},
+ {"name": "wolfssl:build:macro", "value": "ECC_TIMING_RESISTANT"}
+ ]
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-ecdsa-p256",
+ "name": "ECDSA (P-256)",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "signature",
+ "parameterSetIdentifier": "secp256r1 (NIST P-256)",
+ "curve": "P-256",
+ "cryptoFunctions": ["sign", "verify"],
+ "executionEnvironment": "software-plain-ram",
+ "nistQuantumSecurityLevel": 0
+ }
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "HAVE_ECC"}
+ ]
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-hkdf",
+ "name": "HKDF",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "kdf",
+ "parameterSetIdentifier": "HKDF-SHA256 (RFC 5869)",
+ "cryptoFunctions": ["derive"],
+ "executionEnvironment": "software-plain-ram"
+ }
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "HAVE_HKDF"}
+ ]
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-sha-256",
+ "name": "SHA-256",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "hash",
+ "parameterSetIdentifier": "SHA-256",
+ "cryptoFunctions": ["digest"],
+ "executionEnvironment": "software-plain-ram"
+ },
+ "oid": "2.16.840.1.101.3.4.2.1"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-sha-384",
+ "name": "SHA-384",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "hash",
+ "parameterSetIdentifier": "SHA-384",
+ "cryptoFunctions": ["digest"],
+ "executionEnvironment": "software-plain-ram"
+ },
+ "oid": "2.16.840.1.101.3.4.2.2"
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "WOLFSSL_SHA384"}
+ ]
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-sha-512",
+ "name": "SHA-512",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "hash",
+ "parameterSetIdentifier": "SHA-512",
+ "cryptoFunctions": ["digest"],
+ "executionEnvironment": "software-plain-ram"
+ },
+ "oid": "2.16.840.1.101.3.4.2.3"
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "WOLFSSL_SHA512"}
+ ]
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-ml-kem",
+ "name": "ML-KEM (post-quantum hybrid)",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "kem",
+ "parameterSetIdentifier": "ML-KEM-768 (NIST FIPS 203, hybrid TLS 1.3)",
+ "cryptoFunctions": ["encapsulate", "decapsulate"],
+ "executionEnvironment": "software-plain-ram",
+ "nistQuantumSecurityLevel": 3
+ }
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "WOLFSSL_HAVE_MLKEM"},
+ {"name": "wolfssl:build:macro", "value": "WOLFSSL_PQC_HYBRIDS"}
+ ]
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "crypto-tls-1.3",
+ "name": "TLS 1.3",
+ "cryptoProperties": {
+ "assetType": "protocol",
+ "protocolProperties": {
+ "type": "tls",
+ "version": "1.3",
+ "cryptoRefArray": [
+ "crypto-aes-gcm",
+ "crypto-chacha20-poly1305",
+ "crypto-ecdh-p256",
+ "crypto-ecdsa-p256",
+ "crypto-hkdf",
+ "crypto-sha-256",
+ "crypto-sha-384",
+ "crypto-ml-kem"
+ ]
+ }
+ },
+ "properties": [
+ {"name": "wolfssl:build:macro", "value": "WOLFSSL_TLS13"}
+ ]
+ }
+ ],
+ "dependencies": [
+ {
+ "ref": "wolfssl-5.9.1-cbom",
+ "dependsOn": [
+ "crypto-tls-1.3",
+ "crypto-aes-gcm",
+ "crypto-chacha20-poly1305",
+ "crypto-ecdh-p256",
+ "crypto-ecdsa-p256",
+ "crypto-hkdf",
+ "crypto-sha-256",
+ "crypto-sha-384",
+ "crypto-sha-512",
+ "crypto-ml-kem"
+ ]
+ }
+ ]
+}
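Review bot: `cryptoFunctions` uses `"derive"` on ECDH (P-256) and HKDF, which is not a value of the CycloneDX 1.6 `cryptoFunctions` enum (the defined value is `keyderive`), so this draft will fail the optional `cyclonedx-cli` schema validation; change both entries. On `nistQuantumSecurityLevel`, the schema defines the field as the NIST PQC security strength category, where AES-256 is the category 5 reference and ML-KEM-768 is category 3, so `0` on AES-256-GCM and ChaCha20-Poly1305 is not "classical", it is "no category"; either use the real categories or say in `wolfssl:cbom:status` that 0 is being used to mean not quantum-relevant. The status property also cites `WOLFSSL_SHA256` as a source macro, but the autotools `wolfssl-5.9.1.cdx.json` in this patch has no such property (only `WOLFSSL_SHA384` and `WOLFSSL_SHA512` appear, SHA-256 being on by default), which is why the SHA-256 asset has no `wolfssl:build:macro`; say that explicitly. Finally, the Hash_DRBG the build enables (`HAVE_HASHDRBG`, `WOLFSSL_DRBG_SHA512`) is absent from the asset list even though it is the RNG behind every key listed here; a `drbg` primitive entry is the most useful single addition before this leaves draft.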
diff --git a/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cdx.json b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cdx.json
new file mode 100644
index 00000000..5c24c3a6
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cdx.json
@@ -0,0 +1,300 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:bbd8fa2c-814a-5921-b121-e872fe1b42a2",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2026-05-12T16:59:40Z",
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "author": "wolfSSL Inc.",
+ "name": "wolfssl-sbom-gen",
+ "version": "1.0"
+ }
+ ]
+ },
+ "component": {
+ "bom-ref": "721ce791-b9c8-5edf-a9d2-ef3b0539043b",
+ "type": "library",
+ "supplier": {
+ "name": "wolfSSL Inc."
+ },
+ "name": "wolfssl",
+ "version": "5.9.1",
+ "licenses": [
+ {
+ "license": {
+ "id": "GPL-3.0-only"
+ }
+ }
+ ],
+ "copyright": "Copyright (C) 2006-2026 wolfSSL Inc.",
+ "cpe": "cpe:2.3:a:wolfssl:wolfssl:5.9.1:*:*:*:*:*:*:*",
+ "purl": "pkg:github/wolfSSL/wolfssl@v5.9.1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+ }
+ ],
+ "externalReferences": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/wolfSSL/wolfssl"
+ }
+ ],
+ "properties": [
+ {
+ "name": "wolfssl:build:ECC_MIN_KEY_SZ",
+ "value": "224"
+ },
+ {
+ "name": "wolfssl:build:ECC_SHAMIR",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:ECC_TIMING_RESISTANT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:ERROR_QUEUE_PER_THREAD",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:GCM_TABLE_4BIT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_AESGCM",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_CHACHA",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_C___ATOMIC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_DH_DEFAULT_PARAMS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ENCRYPT_THEN_MAC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_EXTENDED_MASTER",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_FFDHE_2048",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_GETPID",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_HASHDRBG",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_HKDF",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_POLY1305",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_SERVER_RENEGOTIATION_INFO",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_SNI",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_SUPPORTED_CURVES",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_THREAD_LS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_TLS_EXTENSIONS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_WC_INTROSPECTION",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE___UINT128_T",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_DES3",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_DES3_TLS_SUITES",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_DO178",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_DSA",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_MD4",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_MD5",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_OLD_TLS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_PSK",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_RC4",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:TFM_TIMING_RESISTANT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WC_NO_ASYNC_THREADING",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WC_RSA_BLINDING",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WC_RSA_PSS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ARMASM_NO_HW_CRYPTO",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ASN_PRINT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ASN_TEMPLATE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_BASE64_ENCODE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_DRBG_SHA512",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_HAVE_ASSERT_H",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_HAVE_ATOMIC_H",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_HAVE_MLKEM",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_PQC_HYBRIDS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_PSS_LONG_SALT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHA224",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHA3",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHA384",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHA512",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHAKE128",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHAKE256",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_MATH_ALL",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_X86_64",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SYS_CA_CERTS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_TLS13",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_TLS_NO_MLKEM_STANDALONE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_USE_ALIGN",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_X86_64_BUILD",
+ "value": "1"
+ }
+ ]
+ }
+ },
+ "components": [],
+ "dependencies": [
+ {
+ "ref": "721ce791-b9c8-5edf-a9d2-ef3b0539043b",
+ "dependsOn": []
+ }
+ ]
+}
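Review bot: `serialNumber` `urn:uuid:bbd8fa2c-814a-5921-b121-e872fe1b42a2` with `version: 1` is identical to the embedded `wolfssl-5.9.1.cdx.json` in this patch, although the two documents carry different hashes, timestamps and property sets. CycloneDX treats serialNumber plus version as the identity of a BOM instance, so a consumer or repository keyed on it will silently treat one as a duplicate of the other; the `5` in the third group suggests the generator derives a UUIDv5 from name and version only. Fold the artifact hash (or hash-kind and configuration) into the v5 input, or increment `version` per regeneration. The shared `bom-ref` `721ce791-b9c8-5edf-a9d2-ef3b0539043b` is fine within each file but will collide if both components are nested into one product SBOM, so the same derivation fix should cover it.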
diff --git a/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.cdx.json b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.cdx.json
new file mode 100644
index 00000000..9a4f14bb
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.cdx.json
@@ -0,0 +1,304 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:80b023d5-8a5d-4e17-9e18-f3d5c7c9762e",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2026-05-12T16:59:40Z",
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "author": "wolfSSL Inc.",
+ "name": "wolfssl-sbom-gen",
+ "version": "1.0"
+ }
+ ]
+ },
+ "component": {
+ "bom-ref": "721ce791-b9c8-5edf-a9d2-ef3b0539043b",
+ "type": "library",
+ "supplier": {
+ "name": "wolfSSL Inc."
+ },
+ "name": "wolfssl",
+ "version": "5.9.1",
+ "licenses": [
+ {
+ "license": {
+ "name": "wolfSSL Commercial License (LicenseRef-wolfSSL-Commercial)"
+ }
+ }
+ ],
+ "copyright": "Copyright (C) 2006-2026 wolfSSL Inc.",
+ "cpe": "cpe:2.3:a:wolfssl:wolfssl:5.9.1:*:*:*:*:*:*:*",
+ "purl": "pkg:github/wolfSSL/wolfssl@v5.9.1",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+ }
+ ],
+ "externalReferences": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/wolfSSL/wolfssl"
+ }
+ ],
+ "properties": [
+ {
+ "name": "wolfssl:build:ECC_MIN_KEY_SZ",
+ "value": "224"
+ },
+ {
+ "name": "wolfssl:build:ECC_SHAMIR",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:ECC_TIMING_RESISTANT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:ERROR_QUEUE_PER_THREAD",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:GCM_TABLE_4BIT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_AESGCM",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_CHACHA",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_C___ATOMIC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_DH_DEFAULT_PARAMS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ECC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_ENCRYPT_THEN_MAC",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_EXTENDED_MASTER",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_FFDHE_2048",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_GETPID",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_HASHDRBG",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_HKDF",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_POLY1305",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_SERVER_RENEGOTIATION_INFO",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_SNI",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_SUPPORTED_CURVES",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_THREAD_LS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_TLS_EXTENSIONS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE_WC_INTROSPECTION",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:HAVE___UINT128_T",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_DES3",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_DES3_TLS_SUITES",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_DO178",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_DSA",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_MD4",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_MD5",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_OLD_TLS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_PSK",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:NO_RC4",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:TFM_TIMING_RESISTANT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WC_NO_ASYNC_THREADING",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WC_RSA_BLINDING",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WC_RSA_PSS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ARMASM_NO_HW_CRYPTO",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ASN_PRINT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_ASN_TEMPLATE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_BASE64_ENCODE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_DRBG_SHA512",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_HAVE_ASSERT_H",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_HAVE_ATOMIC_H",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_HAVE_MLKEM",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_PQC_HYBRIDS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_PSS_LONG_SALT",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHA224",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHA3",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHA384",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHA512",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHAKE128",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SHAKE256",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_MATH_ALL",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SP_X86_64",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_SYS_CA_CERTS",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_TLS13",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_TLS_NO_MLKEM_STANDALONE",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_USE_ALIGN",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:build:WOLFSSL_X86_64_BUILD",
+ "value": "1"
+ },
+ {
+ "name": "wolfssl:license:override",
+ "value": "LicenseRef-wolfSSL-Commercial"
+ }
+ ]
+ }
+ },
+ "components": [],
+ "dependencies": [
+ {
+ "ref": "721ce791-b9c8-5edf-a9d2-ef3b0539043b",
+ "dependsOn": []
+ }
+ ]
+}
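Review bot: the license is expressed as `license.name` `"wolfSSL Commercial License (LicenseRef-wolfSSL-Commercial)"`, which buries the identifier inside a display string no tool can match, while the `wolfssl:license:override` property and the SPDX twin both use the bare `LicenseRef-wolfSSL-Commercial`. Use `"expression": "LicenseRef-wolfSSL-Commercial"` (or `license.name` set to the bare ref, with the descriptive wording in a `license.text` attachment) so the CycloneDX and SPDX outputs agree, and consider `acknowledgement: "declared"` since this is the supplier's declared license. For the SPDX twin, `licenseConcluded`/`licenseDeclared` using a `LicenseRef-` requires a matching `hasExtractedLicensingInfos` entry with `extractedText` for `pyspdxtools` validation to pass; the part of that file visible in this patch does not show one, so check it is emitted.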
diff --git a/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.spdx.json b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.spdx.json
new file mode 100644
index 00000000..61cedaab
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.spdx.json
@@ -0,0 +1,63 @@
+{
+ "spdxVersion": "SPDX-2.3",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "wolfssl-5.9.1",
+ "documentNamespace": "urn:uuid:cedcdaaa-b983-4ce1-83e3-ed7337232a49",
+ "creationInfo": {
+ "creators": [
+ "Organization: wolfSSL Inc.",
+ "Tool: wolfssl-sbom-gen-1.0"
+ ],
+ "created": "2026-05-12T16:59:40Z"
+ },
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package-wolfssl",
+ "name": "wolfssl",
+ "versionInfo": "5.9.1",
+ "supplier": "Organization: wolfSSL Inc.",
+ "downloadLocation": "https://github.com/wolfSSL/wolfssl",
+ "filesAnalyzed": false,
+ "checksums": [
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+ }
+ ],
+ "licenseConcluded": "LicenseRef-wolfSSL-Commercial",
+ "licenseDeclared": "LicenseRef-wolfSSL-Commercial",
+ "copyrightText": "Copyright (C) 2006-2026 wolfSSL Inc.",
+ "comment": "License override applied: LicenseRef-wolfSSL-Commercial. Build configuration defines: ECC_MIN_KEY_SZ, ECC_SHAMIR, ECC_TIMING_RESISTANT, ERROR_QUEUE_PER_THREAD, GCM_TABLE_4BIT, HAVE_AESGCM, HAVE_CHACHA, HAVE_C___ATOMIC, HAVE_DH_DEFAULT_PARAMS, HAVE_ECC, HAVE_ENCRYPT_THEN_MAC, HAVE_EXTENDED_MASTER, HAVE_FFDHE_2048, HAVE_GETPID, HAVE_HASHDRBG, HAVE_HKDF, HAVE_POLY1305, HAVE_SERVER_RENEGOTIATION_INFO, HAVE_SNI, HAVE_SUPPORTED_CURVES, HAVE_THREAD_LS, HAVE_TLS_EXTENSIONS, HAVE_WC_INTROSPECTION, HAVE___UINT128_T, NO_DES3, NO_DES3_TLS_SUITES, NO_DO178, NO_DSA, NO_MD4, NO_MD5, NO_OLD_TLS, NO_PSK, NO_RC4, TFM_TIMING_RESISTANT, WC_NO_ASYNC_THREADING, WC_RSA_BLINDING, WC_RSA_PSS, WOLFSSL_ARMASM_NO_HW_CRYPTO, WOLFSSL_ASN_PRINT, WOLFSSL_ASN_TEMPLATE, WOLFSSL_BASE64_ENCODE, WOLFSSL_DRBG_SHA512, WOLFSSL_HAVE_ASSERT_H, WOLFSSL_HAVE_ATOMIC_H, WOLFSSL_HAVE_MLKEM, WOLFSSL_PQC_HYBRIDS, WOLFSSL_PSS_LONG_SALT, WOLFSSL_SHA224, WOLFSSL_SHA3, WOLFSSL_SHA384, WOLFSSL_SHA512, WOLFSSL_SHAKE128, WOLFSSL_SHAKE256, WOLFSSL_SP_MATH_ALL, WOLFSSL_SP_X86_64, WOLFSSL_SYS_CA_CERTS, WOLFSSL_TLS13, WOLFSSL_TLS_NO_MLKEM_STANDALONE, WOLFSSL_USE_ALIGN, WOLFSSL_X86_64_BUILD",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceType": "cpe23Type",
+ "referenceLocator": "cpe:2.3:a:wolfssl:wolfssl:5.9.1:*:*:*:*:*:*:*"
+ },
+ {
+ "referenceCategory": "PACKAGE-MANAGER",
+ "referenceType": "purl",
+ "referenceLocator": "pkg:github/wolfSSL/wolfssl@v5.9.1"
+ }
+ ]
+ }
+ ],
+ "relationships": [
+ {
+ "spdxElementId": "SPDXRef-DOCUMENT",
+ "relatedSpdxElement": "SPDXRef-Package-wolfssl",
+ "relationshipType": "DESCRIBES"
+ }
+ ],
+ "hasExtractedLicensingInfos": [
+ {
+ "licenseId": "LicenseRef-wolfSSL-Commercial",
+ "extractedText": "wolfSSL commercial license. See https://www.wolfssl.com/license/ for terms. Replaces the GPL-3.0-only declaration of the open-source distribution.",
+ "name": "wolfSSL Commercial License",
+ "seeAlsos": [
+ "https://www.wolfssl.com/license/"
+ ]
+ }
+ ]
+}
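Review bot: `hasExtractedLicensingInfos[0].extractedText` holds a pointer ("See https://www.wolfssl.com/license/ for terms") rather than the licence text; SPDX 2.3 expects the actual text in that field, and a customer-side auditor needs the terms that applied to this build, not a URL whose content can change. Either embed the commercial licence text or say in `comment` that the text is supplied separately in the packet. Also, `downloadLocation` still points at the public GitHub repository while `licenseDeclared` is `LicenseRef-wolfSSL-Commercial`; if the commercial distribution is obtained from wolfSSL rather than GitHub, record that location (or `NOASSERTION`) so the two fields do not contradict each other. The SHA256 `391e8647…` matches the GPL sample, so the file correctly asserts the same bytes under a different licence; worth a one-line note in the packet.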
diff --git a/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.spdx b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.spdx
new file mode 100644
index 00000000..7c1148ce
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.spdx
@@ -0,0 +1,30 @@
+## Document Information
+SPDXVersion: SPDX-2.3
+DataLicense: CC0-1.0
+SPDXID: SPDXRef-DOCUMENT
+DocumentName: wolfssl-5.9.1
+DocumentNamespace: urn:uuid:480ff203-f994-5b71-b858-0653e74e422a
+
+## Creation Information
+Creator: Organization: wolfSSL Inc.
+Creator: Tool: wolfssl-sbom-gen-1.0
+Created: 2026-05-12T16:59:40Z
+
+## Package Information
+PackageName: wolfssl
+SPDXID: SPDXRef-Package-wolfssl
+PackageVersion: 5.9.1
+PackageSupplier: Organization: wolfSSL Inc.
+PackageDownloadLocation: https://github.com/wolfSSL/wolfssl
+FilesAnalyzed: false
+PackageChecksum: SHA256: 391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e
+PackageLicenseConcluded: GPL-3.0-only
+PackageLicenseDeclared: GPL-3.0-only
+PackageCopyrightText: Copyright (C) 2006-2026 wolfSSL Inc.
+PackageComment: Build configuration defines: ECC_MIN_KEY_SZ, ECC_SHAMIR, ECC_TIMING_RESISTANT, ERROR_QUEUE_PER_THREAD, GCM_TABLE_4BIT, HAVE_AESGCM, HAVE_CHACHA, HAVE_C___ATOMIC, HAVE_DH_DEFAULT_PARAMS, HAVE_ECC, HAVE_ENCRYPT_THEN_MAC, HAVE_EXTENDED_MASTER, HAVE_FFDHE_2048, HAVE_GETPID, HAVE_HASHDRBG, HAVE_HKDF, HAVE_POLY1305, HAVE_SERVER_RENEGOTIATION_INFO, HAVE_SNI, HAVE_SUPPORTED_CURVES, HAVE_THREAD_LS, HAVE_TLS_EXTENSIONS, HAVE_WC_INTROSPECTION, HAVE___UINT128_T, NO_DES3, NO_DES3_TLS_SUITES, NO_DO178, NO_DSA, NO_MD4, NO_MD5, NO_OLD_TLS, NO_PSK, NO_RC4, TFM_TIMING_RESISTANT, WC_NO_ASYNC_THREADING, WC_RSA_BLINDING, WC_RSA_PSS, WOLFSSL_ARMASM_NO_HW_CRYPTO, WOLFSSL_ASN_PRINT, WOLFSSL_ASN_TEMPLATE, WOLFSSL_BASE64_ENCODE, WOLFSSL_DRBG_SHA512, WOLFSSL_HAVE_ASSERT_H, WOLFSSL_HAVE_ATOMIC_H, WOLFSSL_HAVE_MLKEM, WOLFSSL_PQC_HYBRIDS, WOLFSSL_PSS_LONG_SALT, WOLFSSL_SHA224, WOLFSSL_SHA3, WOLFSSL_SHA384, WOLFSSL_SHA512, WOLFSSL_SHAKE128, WOLFSSL_SHAKE256, WOLFSSL_SP_MATH_ALL, WOLFSSL_SP_X86_64, WOLFSSL_SYS_CA_CERTS, WOLFSSL_TLS13, WOLFSSL_TLS_NO_MLKEM_STANDALONE, WOLFSSL_USE_ALIGN, WOLFSSL_X86_64_BUILD
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:wolfssl:wolfssl:5.9.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfssl@v5.9.1
+
+## Relationships
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-wolfssl
+
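Review bot: this tag-value file is copied into the packet by `refresh-samples.sh` (`cp -f "wolfssl-${VERSION}.spdx" "$OUT_DIR/"`) but is never checked by `validate.sh`, which only lists `wolfssl-${WOLFSSL_VERSION}.cdx.json` and `wolfssl-${WOLFSSL_VERSION}.spdx.json`; `make-commercial-sample.sh` does not derive a commercial variant of it either. That leaves two SPDX representations of the same component that can drift (different licence, different namespace) with nothing to catch it. Either run `pyspdxtools -i` over this file too, or drop it from the packet and keep the JSON as the single source of truth.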
diff --git a/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.spdx.json b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.spdx.json
new file mode 100644
index 00000000..dc4796b6
--- /dev/null
+++ b/cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.spdx.json
@@ -0,0 +1,53 @@
+{
+ "spdxVersion": "SPDX-2.3",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "wolfssl-5.9.1",
+ "documentNamespace": "urn:uuid:480ff203-f994-5b71-b858-0653e74e422a",
+ "creationInfo": {
+ "creators": [
+ "Organization: wolfSSL Inc.",
+ "Tool: wolfssl-sbom-gen-1.0"
+ ],
+ "created": "2026-05-12T16:59:40Z"
+ },
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package-wolfssl",
+ "name": "wolfssl",
+ "versionInfo": "5.9.1",
+ "supplier": "Organization: wolfSSL Inc.",
+ "downloadLocation": "https://github.com/wolfSSL/wolfssl",
+ "filesAnalyzed": false,
+ "checksums": [
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+ }
+ ],
+ "licenseConcluded": "GPL-3.0-only",
+ "licenseDeclared": "GPL-3.0-only",
+ "copyrightText": "Copyright (C) 2006-2026 wolfSSL Inc.",
+ "comment": "Build configuration defines: ECC_MIN_KEY_SZ, ECC_SHAMIR, ECC_TIMING_RESISTANT, ERROR_QUEUE_PER_THREAD, GCM_TABLE_4BIT, HAVE_AESGCM, HAVE_CHACHA, HAVE_C___ATOMIC, HAVE_DH_DEFAULT_PARAMS, HAVE_ECC, HAVE_ENCRYPT_THEN_MAC, HAVE_EXTENDED_MASTER, HAVE_FFDHE_2048, HAVE_GETPID, HAVE_HASHDRBG, HAVE_HKDF, HAVE_POLY1305, HAVE_SERVER_RENEGOTIATION_INFO, HAVE_SNI, HAVE_SUPPORTED_CURVES, HAVE_THREAD_LS, HAVE_TLS_EXTENSIONS, HAVE_WC_INTROSPECTION, HAVE___UINT128_T, NO_DES3, NO_DES3_TLS_SUITES, NO_DO178, NO_DSA, NO_MD4, NO_MD5, NO_OLD_TLS, NO_PSK, NO_RC4, TFM_TIMING_RESISTANT, WC_NO_ASYNC_THREADING, WC_RSA_BLINDING, WC_RSA_PSS, WOLFSSL_ARMASM_NO_HW_CRYPTO, WOLFSSL_ASN_PRINT, WOLFSSL_ASN_TEMPLATE, WOLFSSL_BASE64_ENCODE, WOLFSSL_DRBG_SHA512, WOLFSSL_HAVE_ASSERT_H, WOLFSSL_HAVE_ATOMIC_H, WOLFSSL_HAVE_MLKEM, WOLFSSL_PQC_HYBRIDS, WOLFSSL_PSS_LONG_SALT, WOLFSSL_SHA224, WOLFSSL_SHA3, WOLFSSL_SHA384, WOLFSSL_SHA512, WOLFSSL_SHAKE128, WOLFSSL_SHAKE256, WOLFSSL_SP_MATH_ALL, WOLFSSL_SP_X86_64, WOLFSSL_SYS_CA_CERTS, WOLFSSL_TLS13, WOLFSSL_TLS_NO_MLKEM_STANDALONE, WOLFSSL_USE_ALIGN, WOLFSSL_X86_64_BUILD",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceType": "cpe23Type",
+ "referenceLocator": "cpe:2.3:a:wolfssl:wolfssl:5.9.1:*:*:*:*:*:*:*"
+ },
+ {
+ "referenceCategory": "PACKAGE-MANAGER",
+ "referenceType": "purl",
+ "referenceLocator": "pkg:github/wolfSSL/wolfssl@v5.9.1"
+ }
+ ]
+ }
+ ],
+ "relationships": [
+ {
+ "spdxElementId": "SPDXRef-DOCUMENT",
+ "relatedSpdxElement": "SPDXRef-Package-wolfssl",
+ "relationshipType": "DESCRIBES"
+ }
+ ]
+}
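Review bot: `checksums[0]` gives SHA256 `391e8647…` with `filesAnalyzed: false` and no `packageFileName`, so an auditor cannot tell what artifact was hashed (release tarball? git archive? the checked-out tree?) and therefore cannot reproduce the value. Add `packageFileName` (e.g. the tarball name) or state in `comment` what the digest covers. Also, `downloadLocation` is the bare repository URL while the purl pins `@v5.9.1`; SPDX allows a VCS locator with a tag (`git+https://github.com/wolfSSL/wolfssl@v5.9.1`), which would make the two references agree on the exact revision.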
diff --git a/cra-kit/presentations/SLIDE-OUTLINE.md b/cra-kit/presentations/SLIDE-OUTLINE.md
new file mode 100644
index 00000000..0df7ad6a
--- /dev/null
+++ b/cra-kit/presentations/SLIDE-OUTLINE.md
@@ -0,0 +1,73 @@
+# CRA co-sponsor slide track (~15 min)
+
+Companion kit: [`../CRA-Cheat-Sheet.md`](../CRA-Cheat-Sheet.md) ·
+[`../CRA-Supply-Chain-Glossary.md`](../CRA-Supply-Chain-Glossary.md) ·
+[`../SKILL.md`](../SKILL.md) · [`../auditor-packet/`](../auditor-packet/)
+
+---
+
+## Slide: Shortlist towards CRA compliance
+
+Use **[`CRA-Compliance-Shortlist.md`](../CRA-Compliance-Shortlist.md)** — two columns per pillar:
+**your job** vs **wolfSSL helps**.
+
+| Pillar | On slide (customer) | wolfSSL |
+|--------|---------------------|---------|
+| **Know your software components** | Survey all integrated components: who maintains them? how do you track vulns/releases? | SBOMs for our products; continuous vulnerability management and updates |
+| **Implement secure boot** | Most influential action today: trusted firmware + update path aligned with complaint/timing rules | **wolfBoot** |
+| **Remote data processing / data in transfer** | CRA covers data between device and network — use current crypto and secure protocols | **TLS**, **SSH**, **MQTTS**, … |
+| **Vulnerability handling & reporting** | Published CVD policy + `security.txt`; 24h ENISA reporting (Art. 14); on-call coverage — process, not a deliverable | wolfSSL [`security.txt`](https://www.wolfssl.com/.well-known/security.txt) + [CVD policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) as reference templates; advisories; CNA |
+
+**Bridge to this session:** pillar 1 is where the **CRA Kit** lands (SBOM, auditor packet, scripts).
+
+---
+
+## Slide: Promise — what you leave with
+
+**You will leave with:**
+
+1. **Who provides what** — what **you** provide vs what **wolfSSL** provides
+ → [`CRA-Cheat-Sheet.md`](../CRA-Cheat-Sheet.md) (print/PDF)
+ → full terms: [`CRA-Supply-Chain-Glossary.md`](../CRA-Supply-Chain-Glossary.md)
+
+2. **A worked example** — wolfSSL CRA Kit
+ → [`wolfssl-examples/cra-kit/auditor-packet/`](../auditor-packet/)
+
+3. **Helper scripts + AI playbook** — product SBOM, nest wolfSSL, optional **bomsh** on **Linux CI** only
+ → **[`SKILL.md`](../SKILL.md)** for AI-assisted execution (Cursor / agents)
+
+---
+
+## Talking points
+
+| Instead of… | Say… |
+|-------------|------|
+| Learn every acronym | “Cheat sheet for roles; glossary in the same kit.” |
+| wolfSSL is CRA compliant | “Component SBOMs from us; **product** SBOM and vuln process from you.” |
+| We ship CBOM | “Build properties today; formal CBOM profile on the roadmap.” |
+| You need bomsh | “Usually no — Linux CI only if a contract asks.” |
+| AI is extra | “**SKILL.md** is the playbook—copy it into Cursor and run the scripts with your tree.” |
+
+---
+
+## Demo path (optional live)
+
+```bash
+cd wolfssl-examples/cra-kit
+./scripts/validate.sh
+```
+
+Show `auditor-packet/product-acme-connect-gateway.cdx.json` → wolfSSL component reference.
+
+Optional: show copying `SKILL.md` into `.cursor/skills/wolfssl-cra-kit/`.
+
+---
+
+## Kit documents (handout stack)
+
+| Layer | File |
+|-------|------|
+| Who provides what (1 page) | `CRA-Cheat-Sheet.md` |
+| Glossary (reference) | `CRA-Supply-Chain-Glossary.md` |
+| AI playbook | `SKILL.md` |
+| Full guide | `README.md` |
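Review bot: "update path aligned with complaint/timing rules" in the secure-boot row reads like a typo for "compliance/timing rules"; worth fixing before this goes on a slide. The "Kit documents (handout stack)" table also omits `CRA-Compliance-Shortlist.md`, which the first slide tells the audience to use, and the `README.md` row should link `../README.md` like the other entries. Minor: the demo path `cd wolfssl-examples/cra-kit` assumes the repository checkout name, while the link on the "Promise" slide uses the relative `../auditor-packet/`; pick one convention.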
diff --git a/cra-kit/scripts/generate-embedded-sbom.sh b/cra-kit/scripts/generate-embedded-sbom.sh
new file mode 100755
index 00000000..dafc32f5
--- /dev/null
+++ b/cra-kit/scripts/generate-embedded-sbom.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Force embedded gen-sbom (user_settings.h + --srcs) into wolfssl-component-embedded/.
+set -eu
+
+SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+KIT_DIR=$(dirname "$SCRIPT_DIR")
+export CRA_SBOM_MODE=embedded
+export CRA_SBOM_OUT_DIR="$KIT_DIR/auditor-packet/wolfssl-component-embedded"
+exec "$SCRIPT_DIR/generate-wolfssl-sbom.sh"
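Review bot: the output directory `auditor-packet/wolfssl-component-embedded` sits inside the packet that ships to auditors, but `validate.sh` only knows about `auditor-packet/wolfssl-component`, so the demo-watermarked SBOMs written here are never schema-checked or hash-pinned and can be committed unnoticed. Either extend `validate.sh` to cover this directory (and assert the `wolfssl:sbom:demo` property is present, since the script's own comment says the output is a demo), or write it outside the packet and document it as scratch output.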
diff --git a/cra-kit/scripts/generate-wolfssl-sbom.sh b/cra-kit/scripts/generate-wolfssl-sbom.sh
new file mode 100755
index 00000000..b8b5b011
--- /dev/null
+++ b/cra-kit/scripts/generate-wolfssl-sbom.sh
@@ -0,0 +1,232 @@
+#!/bin/sh
+# Generate wolfSSL component SBOMs (autotools make sbom or embedded gen-sbom).
+# CRA_SBOM_MODE=autotools|embedded (default: autotools if configure+Makefile exist)
+# WOLFSSL_DIR=path/to/wolfssl
+# CRA_PYTHON=python3 (optional: interpreter with pcpp for embedded path)
+# CRA_LICENSE_OVERRIDE= (optional: e.g. LicenseRef-wolfSSL-Commercial)
+set -eu
+
+SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+KIT_DIR=$(dirname "$SCRIPT_DIR")
+WOLFSSL_DIR=${WOLFSSL_DIR:-$(cd "$KIT_DIR/../../wolfssl" 2>/dev/null && pwd || true)}
+OUT_DIR=${CRA_SBOM_OUT_DIR:-"$KIT_DIR/auditor-packet/wolfssl-component"}
+VERSION_FILE="$KIT_DIR/VERSION"
+
+if [ -z "${WOLFSSL_DIR:-}" ] || [ ! -d "$WOLFSSL_DIR" ]; then
+ echo "ERROR: wolfSSL source not found." >&2
+ echo " Set WOLFSSL_DIR to your wolfssl checkout (sibling of wolfssl-examples)." >&2
+ exit 1
+fi
+
+# shellcheck disable=SC1090
+. "$VERSION_FILE" 2>/dev/null || true
+VERSION=${WOLFSSL_VERSION:-5.9.1}
+
+mkdir -p "$OUT_DIR"
+CDX_OUT="$OUT_DIR/wolfssl-${VERSION}.cdx.json"
+SPDX_OUT="$OUT_DIR/wolfssl-${VERSION}.spdx.json"
+
+echo "wolfSSL tree: $WOLFSSL_DIR"
+echo "Outputs: $CDX_OUT"
+echo " $SPDX_OUT"
+if [ -n "${CRA_LICENSE_OVERRIDE:-}" ]; then
+ echo "License override: $CRA_LICENSE_OVERRIDE"
+fi
+
+# Pick a Python that can `import pcpp` (pip may target a different python3 than /usr/local/bin).
+_python_with_pcpp() {
+ for py in ${CRA_PYTHON:-} python3 python; do
+ [ -n "$py" ] || continue
+ if command -v "$py" >/dev/null 2>&1 && \
+ "$py" -c "import pcpp" 2>/dev/null; then
+ echo "$py"
+ return 0
+ fi
+ done
+ return 1
+}
+
+_embedded_srcs() {
+ # Demo list only — production SBOMs must mirror every wolfSSL .c on your link line.
+ # Outputs from this list are watermarked wolfssl:sbom:demo=true.
+ for f in \
+ "$WOLFSSL_DIR/wolfcrypt/src/aes.c" \
+ "$WOLFSSL_DIR/wolfcrypt/src/sha.c" \
+ "$WOLFSSL_DIR/wolfcrypt/src/sha256.c" \
+ "$WOLFSSL_DIR/wolfcrypt/src/random.c" \
+ "$WOLFSSL_DIR/wolfcrypt/src/ecc.c" \
+ "$WOLFSSL_DIR/wolfcrypt/src/wc_port.c" \
+ "$WOLFSSL_DIR/src/tls.c" \
+ "$WOLFSSL_DIR/src/tls13.c" \
+ "$WOLFSSL_DIR/src/keys.c"
+ do
+ if [ -f "$f" ]; then
+ echo "$f"
+ fi
+ done
+}
+
+_run_embedded() {
+ echo "==> Embedded path: gen-sbom with CRA Kit user_settings.h"
+ echo " NOTE: --srcs uses the kit's built-in 9-file DEMO list. Production SBOMs"
+ echo " must pass every wolfSSL .c file you compile. Output is watermarked"
+ echo " wolfssl:sbom:demo=true so this can never silently ship."
+ if [ ! -f "$KIT_DIR/user_settings.h" ]; then
+ echo "ERROR: $KIT_DIR/user_settings.h missing (demo settings for WOLFSSL_USER_SETTINGS)." >&2
+ exit 1
+ fi
+ GEN="$WOLFSSL_DIR/scripts/gen-sbom"
+ if [ ! -f "$GEN" ]; then
+ echo "ERROR: $GEN not found (need wolfSSL with SBOM support)." >&2
+ exit 1
+ fi
+
+ SETTINGS_H="$WOLFSSL_DIR/wolfssl/wolfcrypt/settings.h"
+ if [ ! -f "$SETTINGS_H" ]; then
+ echo "ERROR: $SETTINGS_H not found." >&2
+ exit 1
+ fi
+
+ # shellcheck disable=SC2046
+ set -- $( _embedded_srcs )
+
+ # Optional commercial license override (LicenseRef-wolfSSL-Commercial etc).
+ set -- "$@" --cdx-out "$CDX_OUT" --spdx-out "$SPDX_OUT"
+ if [ -n "${CRA_LICENSE_OVERRIDE:-}" ]; then
+ set -- "$@" --license-override "$CRA_LICENSE_OVERRIDE"
+ fi
+
+ if _py=$(_python_with_pcpp); then
+ echo " Using $_py (pcpp) for --user-settings"
+ # shellcheck disable=SC2068
+ "$_py" "$GEN" \
+ --name wolfssl --version "$VERSION" \
+ --license-file "$WOLFSSL_DIR/LICENSING" \
+ --user-settings "$SETTINGS_H" \
+ --user-settings-include "$WOLFSSL_DIR" \
+ --user-settings-include "$KIT_DIR" \
+ --user-settings-define WOLFSSL_USER_SETTINGS \
+ --srcs $@
+ return 0
+ fi
+
+ echo "NOTE: pcpp not found for python3/python; using compiler -dM -E -> --options-h"
+ echo " Install pcpp on the same interpreter: python3 -m pip install pcpp"
+ echo " (conda users: pip install pcpp often targets conda python, not /usr/local/bin/python3)"
+ echo " Cross builds: set CC=arm-none-eabi-gcc (or your target compiler) so the"
+ echo " fallback reflects target macros, not the host's."
+
+ DEFINES_H="$OUT_DIR/.wolfssl-defines-$$.h"
+ CC=${CC:-cc}
+ if ! "$CC" -dM -E \
+ -I"$WOLFSSL_DIR" \
+ -I"$KIT_DIR" \
+ -DWOLFSSL_USER_SETTINGS \
+ -include "$SETTINGS_H" \
+ -x c /dev/null >"$DEFINES_H" 2>/dev/null; then
+ rm -f "$DEFINES_H"
+ echo "ERROR: $CC -dM -E failed; install pcpp or set CC to your cross-compiler." >&2
+ exit 1
+ fi
+
+ PYTHON=python3
+ command -v python3 >/dev/null 2>&1 || PYTHON=python
+ # shellcheck disable=SC2068
+ "$PYTHON" "$GEN" \
+ --name wolfssl --version "$VERSION" \
+ --license-file "$WOLFSSL_DIR/LICENSING" \
+ --options-h "$DEFINES_H" \
+ --srcs $@
+ rm -f "$DEFINES_H"
+}
+
+_run_autotools() {
+ echo "==> Autotools path: make sbom"
+ (cd "$WOLFSSL_DIR" && {
+ if [ ! -f Makefile ]; then
+ echo " Running ./configure first..."
+ ./configure
+ fi
+ if [ -n "${CRA_LICENSE_OVERRIDE:-}" ]; then
+ make sbom SBOM_LICENSE_OVERRIDE="$CRA_LICENSE_OVERRIDE"
+ else
+ make sbom
+ fi
+ cp -f "wolfssl-${VERSION}.cdx.json" "$CDX_OUT"
+ cp -f "wolfssl-${VERSION}.spdx.json" "$SPDX_OUT"
+ if [ -f "wolfssl-${VERSION}.spdx" ]; then
+ cp -f "wolfssl-${VERSION}.spdx" "$OUT_DIR/"
+ fi
+ })
+}
+
+MODE=${CRA_SBOM_MODE:-}
+case "$MODE" in
+ embedded) _run_embedded ;;
+ autotools) _run_autotools ;;
+ "")
+ if [ -f "$WOLFSSL_DIR/Makefile" ] && [ -f "$WOLFSSL_DIR/configure" ]; then
+ MODE=autotools
+ _run_autotools
+ else
+ MODE=embedded
+ _run_embedded
+ fi
+ ;;
+ *)
+ echo "ERROR: CRA_SBOM_MODE must be 'autotools' or 'embedded', not '$MODE'" >&2
+ exit 1
+ ;;
+esac
+
+# ---- Post-process: PURL canonicalization + demo watermarks ----------------
+# gen-sbom emits pkg:generic/wolfssl@X — we canonicalize to pkg:github so OSV /
+# GHSA / Snyk / Trivy match without per-vendor mapping. Embedded outputs from
+# the kit's 9-file demo --srcs list also get a wolfssl:sbom:demo property so a
+# downstream auditor cannot mistake them for production-complete SBOMs.
+CDX_OUT="$CDX_OUT" SPDX_OUT="$SPDX_OUT" CRA_SBOM_MODE_FINAL="$MODE" \
+python3 <<'PY' || echo "WARN: post-process skipped (python3 missing or JSON malformed)"
+import json, os, pathlib
+
+cdx = pathlib.Path(os.environ["CDX_OUT"])
+spdx = pathlib.Path(os.environ["SPDX_OUT"])
+demo = os.environ.get("CRA_SBOM_MODE_FINAL") == "embedded"
+
+GENERIC = "pkg:generic/wolfssl@"
+GITHUB = "pkg:github/wolfSSL/wolfssl@v"
+
+def canonicalize_purl(s):
+ if isinstance(s, str) and s.startswith(GENERIC):
+ return GITHUB + s[len(GENERIC):]
+ return s
+
+if cdx.exists():
+ d = json.loads(cdx.read_text())
+ comp = d.get("metadata", {}).get("component", {})
+ comp["purl"] = canonicalize_purl(comp.get("purl", ""))
+ if demo:
+ props = comp.setdefault("properties", [])
+ if not any(p.get("name") == "wolfssl:sbom:demo" for p in props):
+ props.append({
+ "name": "wolfssl:sbom:demo",
+ "value": "true (built-in --srcs list, not production-complete)"
+ })
+ cdx.write_text(json.dumps(d, indent=2) + "\n")
+ print(f"Post-processed {cdx.name}: PURL canonicalized" + (", demo watermark added" if demo else ""))
+
+if spdx.exists():
+ d = json.loads(spdx.read_text())
+ for pkg in d.get("packages", []):
+ for ref in pkg.get("externalRefs", []):
+ if ref.get("referenceType") == "purl":
+ ref["referenceLocator"] = canonicalize_purl(ref.get("referenceLocator", ""))
+ if demo:
+ existing = pkg.get("comment", "")
+ marker = "DEMO ARTIFACT (built-in --srcs list, not production-complete)."
+ if marker not in existing:
+ pkg["comment"] = (marker + " " + existing).strip()
+ spdx.write_text(json.dumps(d, indent=2) + "\n")
+ print(f"Post-processed {spdx.name}: PURL canonicalized" + (", demo watermark added" if demo else ""))
+PY
+
+echo "Done."
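Review bot: `VERSION=${WOLFSSL_VERSION:-5.9.1}` is taken from the kit's `VERSION` file (or a hard-coded default), not from the wolfSSL tree, but `_run_autotools` then does `cp -f "wolfssl-${VERSION}.cdx.json" "$CDX_OUT"`; `make sbom` names its output after the tree's real version, so a tree at any other version fails at the `cp` with an unhelpful "no such file", and the embedded path will silently label the wrong version. Read the version from the tree (configure.ac / the generated file name) or fail early if they differ. Two smaller points: in the post-process, `comp["purl"] = canonicalize_purl(comp.get("purl", ""))` writes an empty `purl` when the field is absent, so guard with `if "purl" in comp`; and `_run_autotools` runs a bare `./configure` when no Makefile exists, which means the resulting "component SBOM" describes default host options rather than anything the product built, so the script should at least print the configure line it used.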
diff --git a/cra-kit/scripts/make-commercial-sample.sh b/cra-kit/scripts/make-commercial-sample.sh
new file mode 100755
index 00000000..1af699cc
--- /dev/null
+++ b/cra-kit/scripts/make-commercial-sample.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+# Produce a commercial-license-override sample alongside the pinned GPL samples.
+#
+# This script is illustrative: it derives wolfssl-.commercial.{cdx,spdx}.json
+# from the GPL pinned files by swapping the license fields and adding a
+# wolfssl:license:override property. Auditors see the same build configuration,
+# the same hashes of the source list, and a different license declaration —
+# exactly the diff a paying wolfSSL customer's SBOM should show.
+#
+# In production, regenerate via:
+# CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial \
+# ./scripts/generate-wolfssl-sbom.sh
+set -eu
+
+SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+KIT_DIR=$(dirname "$SCRIPT_DIR")
+
+# shellcheck disable=SC1090
+. "$KIT_DIR/VERSION"
+COMP_DIR="$KIT_DIR/auditor-packet/wolfssl-component"
+GPL_CDX="$COMP_DIR/wolfssl-${WOLFSSL_VERSION}.cdx.json"
+GPL_SPDX="$COMP_DIR/wolfssl-${WOLFSSL_VERSION}.spdx.json"
+COMMERCIAL_CDX="$COMP_DIR/wolfssl-${WOLFSSL_VERSION}.commercial.cdx.json"
+COMMERCIAL_SPDX="$COMP_DIR/wolfssl-${WOLFSSL_VERSION}.commercial.spdx.json"
+LICENSE_ID=${CRA_LICENSE_OVERRIDE:-LicenseRef-wolfSSL-Commercial}
+
+[ -f "$GPL_CDX" ] || { echo "ERROR: $GPL_CDX not found (run refresh-samples first)" >&2; exit 1; }
+[ -f "$GPL_SPDX" ] || { echo "ERROR: $GPL_SPDX not found (run refresh-samples first)" >&2; exit 1; }
+
+GPL_CDX="$GPL_CDX" GPL_SPDX="$GPL_SPDX" \
+COMMERCIAL_CDX="$COMMERCIAL_CDX" COMMERCIAL_SPDX="$COMMERCIAL_SPDX" \
+LICENSE_ID="$LICENSE_ID" \
+python3 <<'PY'
+import json, os, pathlib, uuid
+
+gpl_cdx = pathlib.Path(os.environ["GPL_CDX"])
+gpl_spdx = pathlib.Path(os.environ["GPL_SPDX"])
+out_cdx = pathlib.Path(os.environ["COMMERCIAL_CDX"])
+out_spdx = pathlib.Path(os.environ["COMMERCIAL_SPDX"])
+license_id = os.environ["LICENSE_ID"]
+
+# --- CycloneDX side ----
+d = json.loads(gpl_cdx.read_text())
+d["serialNumber"] = "urn:uuid:" + str(uuid.uuid4())
+comp = d.get("metadata", {}).get("component", {})
+comp["licenses"] = [{"license": {"name": "wolfSSL Commercial License (" + license_id + ")"}}]
+props = comp.setdefault("properties", [])
+if not any(p.get("name") == "wolfssl:license:override" for p in props):
+ props.append({"name": "wolfssl:license:override", "value": license_id})
+out_cdx.write_text(json.dumps(d, indent=2) + "\n")
+print(f"Wrote {out_cdx.name} (license override: {license_id})")
+
+# --- SPDX side ----
+d = json.loads(gpl_spdx.read_text())
+d["documentNamespace"] = "urn:uuid:" + str(uuid.uuid4())
+d["hasExtractedLicensingInfos"] = [
+ {
+ "licenseId": license_id,
+ "extractedText": (
+ "wolfSSL commercial license. See https://www.wolfssl.com/license/ for terms. "
+ "Replaces the GPL-3.0-only declaration of the open-source distribution."
+ ),
+ "name": "wolfSSL Commercial License",
+ "seeAlsos": ["https://www.wolfssl.com/license/"],
+ }
+]
+for pkg in d.get("packages", []):
+ pkg["licenseConcluded"] = license_id
+ pkg["licenseDeclared"] = license_id
+ existing = pkg.get("comment", "")
+ marker = f"License override applied: {license_id}."
+ if marker not in existing:
+ pkg["comment"] = (marker + " " + existing).strip()
+out_spdx.write_text(json.dumps(d, indent=2) + "\n")
+print(f"Wrote {out_spdx.name} (license override: {license_id})")
+PY
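Review bot: the commercial outputs are not reproducible and not validated: `serialNumber` and `documentNamespace` are regenerated with `uuid.uuid4()` on every run, so no hash of these files can be pinned, and `validate.sh` never opens `*.commercial.*.json`, so a schema or `urn:uuid:` problem in them would pass CI. Derive the UUIDs deterministically (e.g. `uuid.uuid5` over the GPL namespace plus `license_id`) and add the two files to `validate.sh`. On the CycloneDX side, the licence object only sets `name`; CycloneDX's license object also takes `url`, so `{"name": ..., "url": "https://www.wolfssl.com/license/"}` would carry the same pointer the SPDX `seeAlsos` already does. Finally, the script swaps licence fields without checking that the input actually declares `GPL-3.0-only`, so running it against an already-overridden file produces a nested "License override applied" comment; assert on the input licence first.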
diff --git a/cra-kit/scripts/refresh-samples.sh b/cra-kit/scripts/refresh-samples.sh
new file mode 100755
index 00000000..3bb47d76
--- /dev/null
+++ b/cra-kit/scripts/refresh-samples.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+# Regenerate pinned autotools samples and sync the product SBOM hashes
+# (SPDX externalDocumentRef checksum + CycloneDX bom externalReference hash).
+set -eu
+
+SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+KIT_DIR=$(dirname "$SCRIPT_DIR")
+
+export CRA_SBOM_MODE=autotools
+export CRA_SBOM_OUT_DIR="$KIT_DIR/auditor-packet/wolfssl-component"
+"$SCRIPT_DIR/generate-wolfssl-sbom.sh"
+
+# shellcheck disable=SC1090
+. "$KIT_DIR/VERSION"
+COMPONENT_SPDX="$KIT_DIR/auditor-packet/wolfssl-component/wolfssl-${WOLFSSL_VERSION}.spdx.json"
+COMPONENT_CDX="$KIT_DIR/auditor-packet/wolfssl-component/wolfssl-${WOLFSSL_VERSION}.cdx.json"
+PRODUCT_SPDX="$KIT_DIR/auditor-packet/product-acme-connect-gateway.spdx.json"
+PRODUCT_CDX="$KIT_DIR/auditor-packet/product-acme-connect-gateway.cdx.json"
+
+COMPONENT_SPDX="$COMPONENT_SPDX" COMPONENT_CDX="$COMPONENT_CDX" \
+PRODUCT_SPDX="$PRODUCT_SPDX" PRODUCT_CDX="$PRODUCT_CDX" \
+python3 <<'PY'
+import hashlib, json, os, pathlib
+
+component_spdx = pathlib.Path(os.environ["COMPONENT_SPDX"])
+component_cdx = pathlib.Path(os.environ["COMPONENT_CDX"])
+product_spdx = pathlib.Path(os.environ["PRODUCT_SPDX"])
+product_cdx = pathlib.Path(os.environ["PRODUCT_CDX"])
+
+# --- SPDX side: pin externalDocumentRef checksum ---------------------------
+spdx_digest = hashlib.sha256(component_spdx.read_bytes()).hexdigest()
+doc = json.loads(product_spdx.read_text())
+refs = doc.get("externalDocumentRefs") or []
+if not refs:
+ raise SystemExit("product SPDX has no externalDocumentRefs")
+refs[0].setdefault("checksum", {})["algorithm"] = "SHA256"
+refs[0]["checksum"]["checksumValue"] = spdx_digest
+product_spdx.write_text(json.dumps(doc, indent=2) + "\n")
+print(f"Updated {product_spdx.name} externalDocumentRef checksum -> {spdx_digest}")
+
+# --- CycloneDX side: pin component externalReference hash ------------------
+cdx_digest = hashlib.sha256(component_cdx.read_bytes()).hexdigest()
+prod = json.loads(product_cdx.read_text())
+patched = False
+for comp in prod.get("components", []):
+ if comp.get("name") == "wolfssl":
+ for ref in comp.get("externalReferences", []):
+ if ref.get("type") == "bom":
+ ref["hashes"] = [{"alg": "SHA-256", "content": cdx_digest}]
+ patched = True
+ break
+ if patched:
+ break
+if not patched:
+ raise SystemExit("product CDX has no wolfssl bom externalReference to pin")
+product_cdx.write_text(json.dumps(prod, indent=2) + "\n")
+print(f"Updated {product_cdx.name} CycloneDX bom hash -> {cdx_digest}")
+PY
+
+"$SCRIPT_DIR/validate.sh"
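Review bot: `refs[0]` pins the first `externalDocumentRefs` entry without checking that it is the wolfSSL one; if the product SPDX ever gains a second external document, this silently writes the wolfSSL digest into the wrong ref and `validate.sh` (which also reads `refs[0]`) will agree with it. Select the entry whose `spdxDocument` equals the component's `documentNamespace` (read it from `component_spdx`), and fail if none matches. The CycloneDX side is better because it matches on `name == "wolfssl"`, but it would be worth also checking that the `bom` externalReference `url` points at the component file that was hashed, so the pin and the link cannot diverge.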
diff --git a/cra-kit/scripts/validate.sh b/cra-kit/scripts/validate.sh
new file mode 100755
index 00000000..49259952
--- /dev/null
+++ b/cra-kit/scripts/validate.sh
@@ -0,0 +1,135 @@
+#!/bin/sh
+# Sanity checks on the example auditor packet.
+#
+# Mandatory: JSON parse, SPDX externalDocumentRef checksum, CycloneDX bom hash (if pinned).
+# Best-effort: CycloneDX 1.6 schema (cyclonedx-cli) and SPDX 2.3 schema (pyspdxtools)
+# validation, when those tools are installed locally.
+set -eu
+
+SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+KIT_DIR=$(dirname "$SCRIPT_DIR")
+AP="$KIT_DIR/auditor-packet"
+PRODUCT_CDX="$AP/product-acme-connect-gateway.cdx.json"
+PRODUCT_SPDX="$AP/product-acme-connect-gateway.spdx.json"
+
+fail() { echo "FAIL: $*" >&2; exit 1; }
+ok() { echo "OK: $*"; }
+
+command -v python3 >/dev/null 2>&1 || fail "python3 required"
+
+# shellcheck disable=SC1090
+. "$KIT_DIR/VERSION" 2>/dev/null || WOLFSSL_VERSION=5.9.1
+WOLF_CDX="$AP/wolfssl-component/wolfssl-${WOLFSSL_VERSION}.cdx.json"
+WOLF_SPDX="$AP/wolfssl-component/wolfssl-${WOLFSSL_VERSION}.spdx.json"
+
+for f in "$PRODUCT_CDX" "$PRODUCT_SPDX" "$WOLF_CDX" "$WOLF_SPDX"; do
+ [ -f "$f" ] || fail "missing $f"
+ python3 -c "import json; json.load(open('$f'))" || fail "invalid JSON: $f"
+ ok "$(basename "$f") parses"
+done
+
+# CycloneDX 1.6 serialNumber must match urn:uuid:; auditors with strict
+# validators (cyclonedx-cli) reject anything else. Catch this even when the tool
+# isn't installed.
+PRODUCT_CDX="$PRODUCT_CDX" WOLF_CDX="$WOLF_CDX" python3 <<'PY'
+import json, os, re, sys
+UUID = re.compile(r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)
+errors = []
+for env in ("PRODUCT_CDX", "WOLF_CDX"):
+ path = os.environ[env]
+ sn = json.load(open(path)).get("serialNumber", "")
+ if not UUID.match(sn):
+ errors.append(f"{os.path.basename(path)}: serialNumber {sn!r} is not urn:uuid:")
+if errors:
+ sys.exit("CycloneDX serialNumber violation(s):\n " + "\n ".join(errors))
+print("OK: CycloneDX serialNumbers are valid urn:uuid:")
+PY
+
+PRODUCT_SPDX="$PRODUCT_SPDX" WOLF_SPDX="$WOLF_SPDX" python3 <<'PY'
+import hashlib, json, os, sys
+
+product = json.load(open(os.environ["PRODUCT_SPDX"]))
+wolf = open(os.environ["WOLF_SPDX"], "rb").read()
+digest = hashlib.sha256(wolf).hexdigest()
+refs = product.get("externalDocumentRefs") or []
+if not refs:
+ sys.exit("product SPDX has no externalDocumentRefs")
+chk = refs[0].get("checksum", {}).get("checksumValue", "")
+if chk.lower() != digest.lower():
+ sys.exit(
+ f"SPDX checksum mismatch:\n embedded={chk}\n actual ={digest}\n"
+ "Run scripts/refresh-samples.sh after regenerating wolfSSL SBOM."
+ )
+print("OK: product SPDX checksum matches wolfssl-component SBOM")
+PY
+
+PRODUCT_CDX="$PRODUCT_CDX" WOLF_CDX="$WOLF_CDX" python3 <<'PY'
+import hashlib, json, os, sys
+
+prod = json.load(open(os.environ["PRODUCT_CDX"]))
+wolf_bytes = open(os.environ["WOLF_CDX"], "rb").read()
+digest = hashlib.sha256(wolf_bytes).hexdigest()
+comps = prod.get("components") or []
+wolf = next((c for c in comps if c.get("name") == "wolfssl"), None)
+if not wolf:
+ sys.exit("product CDX has no wolfssl component")
+if not wolf.get("supplier", {}).get("name"):
+ sys.exit("product CDX wolfssl component has no supplier (NTIA min-elements gap)")
+refs = wolf.get("externalReferences") or []
+bom = next((r for r in refs if r.get("type") == "bom"), None)
+if not bom:
+ sys.exit("wolfssl component has no bom externalReference")
+hashes = bom.get("hashes") or []
+if not hashes:
+ sys.exit("wolfssl component bom externalReference has no hashes (run refresh-samples.sh)")
+got = hashes[0].get("content", "").lower()
+if got == "to_be_pinned_by_refresh_samples":
+ sys.exit("wolfssl component bom hash is the unpinned placeholder; run refresh-samples.sh")
+if got != digest.lower():
+ sys.exit(
+ f"CycloneDX bom hash mismatch:\n embedded={got}\n actual ={digest}\n"
+ "Run scripts/refresh-samples.sh after regenerating wolfSSL SBOM."
+ )
+print("OK: product CycloneDX bom hash matches wolfssl-component CDX")
+print("OK: product CycloneDX wolfssl component has supplier")
+PY
+
+# ---- Optional: cyclonedx-cli schema validation ----------------------------
+CDX_TOOL=
+if command -v cyclonedx-cli >/dev/null 2>&1; then
+ CDX_TOOL=cyclonedx-cli
+elif command -v cyclonedx >/dev/null 2>&1; then
+ CDX_TOOL=cyclonedx
+fi
+if [ -n "$CDX_TOOL" ]; then
+ for cdx in "$PRODUCT_CDX" "$WOLF_CDX"; do
+ if "$CDX_TOOL" validate \
+ --input-file "$cdx" \
+ --input-format json \
+ --input-version v1_6 \
+ --fail-on-errors >/dev/null 2>&1; then
+ ok "$(basename "$cdx") passes CycloneDX 1.6 schema validation ($CDX_TOOL)"
+ else
+ fail "$(basename "$cdx") fails CycloneDX 1.6 schema validation ($CDX_TOOL)"
+ fi
+ done
+else
+ echo "NOTE: cyclonedx-cli not installed; skipping CycloneDX 1.6 schema validation."
+ echo " Install: https://github.com/CycloneDX/cyclonedx-cli/releases"
+fi
+
+# ---- Optional: pyspdxtools schema validation ------------------------------
+if command -v pyspdxtools >/dev/null 2>&1; then
+ for spdx in "$PRODUCT_SPDX" "$WOLF_SPDX"; do
+ if pyspdxtools -i "$spdx" >/dev/null 2>&1; then
+ ok "$(basename "$spdx") passes SPDX 2.3 schema validation (pyspdxtools)"
+ else
+ fail "$(basename "$spdx") fails SPDX 2.3 schema validation (pyspdxtools)"
+ fi
+ done
+else
+ echo "NOTE: pyspdxtools not installed; skipping SPDX 2.3 schema validation."
+ echo " Install: pip install spdx-tools"
+fi
+
+ok "auditor packet validation passed"
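Review bot: both optional validators run with `>/dev/null 2>&1`, so when `cyclonedx-cli validate` or `pyspdxtools -i` fails the script prints only "fails ... schema validation" and discards the reason; capture the output to a variable or temp file and print it on failure, otherwise CI failures require a local re-run to diagnose. Two smaller items: `python3 -c "import json; json.load(open('$f'))"` interpolates the path into Python source, which breaks on a path containing a quote, so pass it via `sys.argv`; and the hand-written `UUID` regex restricts the version nibble to `[1-5]` and the variant to `[89ab]`, which is stricter than the CycloneDX schema pattern on version and looser on case (`re.I`), so check it against the schema's pattern rather than a generic UUID grammar. The `.spdx` tag-value file and the `.commercial.*` files in the same directory are not validated at all.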
diff --git a/cra-kit/user_settings.h b/cra-kit/user_settings.h
new file mode 100644
index 00000000..c8cb8b0b
--- /dev/null
+++ b/cra-kit/user_settings.h
@@ -0,0 +1,12 @@
+/* Demo user_settings.h for CRA Kit embedded SBOM generation.
+ * Production: replace with your project's user_settings.h (or point gen-sbom at it). */
+#ifndef CRA_EVIDENCE_USER_SETTINGS_H
+#define CRA_EVIDENCE_USER_SETTINGS_H
+
+#define WOLFSSL_TLS13
+#define HAVE_AESGCM
+#define HAVE_ECC
+#define NO_PSK
+#define NO_OLD_TLS
+
+#endif /* CRA_EVIDENCE_USER_SETTINGS_H */
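Review bot: this demo `user_settings.h` defines only `WOLFSSL_TLS13`, `HAVE_AESGCM`, `HAVE_ECC`, `NO_PSK` and `NO_OLD_TLS`, so the embedded-path SBOM it produces will record a configuration without the side-channel defines that the autotools sample documents (`ECC_TIMING_RESISTANT`, `TFM_TIMING_RESISTANT`, `WC_RSA_BLINDING` appear in the pinned package comment). Since the kit's point is that the SBOM records the build configuration an auditor will read, the demo settings should either include those defines or the header comment should state that they are deliberately omitted for the demo.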
diff --git a/cra-kit/wolfssl-inc-auditor-packet/00-INDEX.md b/cra-kit/wolfssl-inc-auditor-packet/00-INDEX.md
new file mode 100644
index 00000000..d8611a41
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/00-INDEX.md
@@ -0,0 +1,26 @@
+# wolfSSL Inc. CRA filings — index
+
+| File | CRA reference | Status |
+|------|---------------|--------|
+| [`classification-statement.md`](classification-statement.md) | Annex III / IV | ✅ Decided — Class I (default), self-certification |
+| [`conformity-assessment-route.md`](conformity-assessment-route.md) | Art. 32, Annex VIII | ✅ Module A self-assessment |
+| [`declaration-of-conformity.template.md`](declaration-of-conformity.template.md) | Art. 28 | 🟡 Template ready; signature pending product release alignment |
+| [`eu-authorised-representative.md`](eu-authorised-representative.md) | Art. 18 | 🟠 In progress — appointment underway |
+| [`support-period-policy.md`](support-period-policy.md) | Art. 13(2), 13(8) | ✅ Decided — 5-year minimum, longer for LTS lines |
+| [`vulnerability-handling-process.md`](vulnerability-handling-process.md) | Art. 13, 14 | 🟡 Process documented; public SLA pending leadership approval |
+| [`technical-documentation-outline.md`](technical-documentation-outline.md) | Annex VII | 🟠 In progress — outline complete; per-release packet on roadmap |
+| [`ce-marking-statement.md`](ce-marking-statement.md) | Art. 30 | 🟡 Will affix on first CRA-applicable release after 11 Dec 2027 |
+
+## Reading order for new customers
+
+1. **`classification-statement.md`** — what wolfSSL is (and isn't) under Annex III/IV
+2. **`conformity-assessment-route.md`** — why Module A self-assessment fits this classification
+3. **`vulnerability-handling-process.md`** — the only continuous obligation
+4. **`support-period-policy.md`** — what we commit to maintain, for how long
+5. **`eu-authorised-representative.md`** — how a US-established manufacturer satisfies Art. 18
+6. **`declaration-of-conformity.template.md`** + **`technical-documentation-outline.md`** + **`ce-marking-statement.md`** — the formal output
+
+## CRA timeline anchors
+
+- **11 Sep 2026** — Art. 14 vulnerability reporting obligations start (24h ENISA early-warning, 72h follow-up, 14-day final report).
+- **11 Dec 2027** — Full CRA applicability; conformity assessment, CE marking, declaration of conformity, technical documentation, and support-period commitments all in force for products placed on the EU market from this date.
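Review bot: the status emoji in the `vulnerability-handling-process.md` row conflicts with the legend the packet README defines: 🟡 is reserved for "decided internally, publication pending", yet the row text is "public SLA pending leadership approval", which is the ⏳ "pending leadership decision" state (the one legend entry no row uses). Switch that row to ⏳ or drop ⏳ from the legend. Separately, `✅ Decided — Class I (default), self-certification` in the `classification-statement.md` row borrows Annex III's own sub-category name: in the regulation "class I" and "class II" are the two tiers of Annex III important products, while unlisted products are simply the default category, so "Class I (default)" reads as if the library were an important product; write "default category (not Annex III/IV)" instead.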
diff --git a/cra-kit/wolfssl-inc-auditor-packet/README.md b/cra-kit/wolfssl-inc-auditor-packet/README.md
new file mode 100644
index 00000000..f038652c
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/README.md
@@ -0,0 +1,49 @@
+# wolfSSL Inc. — manufacturer-side CRA filings
+
+This directory shows what wolfSSL Inc. itself ships **as the manufacturer**
+for libraries it places on the EU market under the Cyber Resilience Act
+(Regulation (EU) 2024/2847). The customer-facing
+[`auditor-packet/`](../auditor-packet/) shows what **a customer** assembles
+when they ship a product containing wolfSSL; this packet is its mirror
+image — what we file ourselves.
+
+**Why this exists.** Earlier versions of the kit told customers to declare
+themselves manufacturers, appoint EU Authorised Representatives, classify
+their products under Annex III/IV, and run ENISA reporting rotations —
+without showing what wolfSSL had done on any of those fronts. The kit's
+audience reasonably read that as *"do as we say, not as we do."* This
+directory closes that gap. Where a decision is made, it is stated.
+Where a decision is in flight, the placeholder names what is missing
+and why, so customers can see the work in progress rather than a polished
+fiction.
+
+**Status conventions used below:**
+
+- ✅ **Decided & published** — wolfSSL Inc. has made and published this decision.
+- 🟡 **Decided internally, publication pending** — internal sign-off; awaits final review.
+- 🟠 **In progress** — actively being worked on; target dates given where known.
+- ⏳ **Pending leadership decision** — the call has not yet been made.
+
+**Not legal advice.** These artefacts are templates and statements of position;
+they are not, and do not replace, the actual signed legal documents wolfSSL Inc.
+files with EU regulators or its EU Authorised Representative.
+
+---
+
+## Contents
+
+See [`00-INDEX.md`](00-INDEX.md) for the file list and CRA article mapping.
+
+## Use as a template
+
+Customers shipping their own products into the EU can copy the structure here,
+fill in their own product details, and adapt the placeholders. Where wolfSSL
+Inc.'s position is firm (e.g. Class I self-certification per Art. 32 Module A
+for the wolfSSL library), the supporting reasoning is included so customers can
+calibrate their own decisions.
+
+## Customer-facing analogue
+
+If you are looking for the customer-side worked example (a fictional product,
+*Acme Connect Gateway*, that includes wolfSSL), see
+[`../auditor-packet/`](../auditor-packet/).
diff --git a/cra-kit/wolfssl-inc-auditor-packet/ce-marking-statement.md b/cra-kit/wolfssl-inc-auditor-packet/ce-marking-statement.md
new file mode 100644
index 00000000..3b5556ec
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/ce-marking-statement.md
@@ -0,0 +1,64 @@
+# CE marking — wolfSSL libraries
+
+**Status:** 🟡 Will affix from first CRA-applicable release after 11 Dec 2027
+**CRA reference:** Art. 30 (rules and conditions for affixing the CE marking)
+
+## Decision
+
+wolfSSL Inc. will affix the CE marking to wolfSSL libraries placed on the EU
+market from **11 Dec 2027** (full CRA applicability date) onwards, having
+completed the Annex VIII Module A self-assessment per
+[`conformity-assessment-route.md`](conformity-assessment-route.md).
+
+## How CE marking is affixed for software products
+
+CRA Art. 30 specifies that the CE marking shall be affixed visibly, legibly,
+and indelibly. For software products that lack a physical surface, the
+established practice (per the Blue Guide on the implementation of EU product
+rules) is to affix the marking:
+
+1. **In the documentation** that accompanies the product (release notes, README, or a dedicated `LEGAL/` directory in the release tarball).
+2. **On the website** where the product is downloaded or distributed (`wolfssl.com` product page).
+3. **In a machine-readable form**, where applicable (e.g. as a property in the SBOM).
+
+wolfSSL will use all three locations.
+
+## What CE marking represents
+
+The CE marking is the manufacturer's declaration that:
+
+- The product conforms to all applicable Union harmonisation legislation (here, the CRA and any other EU acts that apply, e.g. RED if shipped as part of radio equipment).
+- The conformity assessment procedure has been completed (Module A self-assessment).
+- A declaration of conformity (Art. 28) has been drawn up and signed.
+- Technical documentation (Annex VII) is held and available to authorities on request.
+
+It is **not** a quality mark, a certification, or a guarantee. It is a
+manufacturer's self-declaration of regulatory conformity.
+
+## Where the CE mark will appear in wolfSSL releases
+
+- `LEGAL/CE-marking.txt` — text statement plus the CE logo (PDF) in the release tarball
+- `wolfssl-.cdx.json` — `metadata.properties[].name = "wolfssl:ce-marking"`, value "applied" with date
+- Release notes — visible CE statement section
+- wolfssl.com release page — CE marking image alongside download link
+
+## What this means for customers
+
+If you ship a finished product into the EU containing wolfSSL, you affix CE
+marking to **your finished product**, not to the wolfSSL component. Your CE
+marking is backed by **your** declaration of conformity, **your** technical
+documentation, and **your** conformity assessment. wolfSSL's component-level
+CE marking does not transfer to your product.
+
+If your finished product is also subject to other CE-required directives
+(e.g. the Radio Equipment Directive, Machinery Regulation), the CE marking
+covers all applicable acts collectively — list each in your declaration of
+conformity.
+
+## References
+
+- CRA Art. 30 (CE marking)
+- CRA Art. 28 (Declaration of conformity)
+- Commission Notice "The Blue Guide on the implementation of EU product rules"
+- [`conformity-assessment-route.md`](conformity-assessment-route.md)
+- [`declaration-of-conformity.template.md`](declaration-of-conformity.template.md)
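Review bot: the SBOM filename `wolfssl-.cdx.json` under "Where the CE mark will appear in wolfSSL releases" has lost its version token (presumably a `<version>` placeholder that did not survive rendering); the same truncated name recurs in the declaration template and the technical-documentation outline in this patch, so fix all occurrences with a placeholder that survives Markdown, e.g. `wolfssl-[VERSION].cdx.json`. The `metadata.properties[].name = "wolfssl:ce-marking"` bullet should also pin down the value format beyond `value "applied" with date` (for example an ISO 8601 date string), otherwise an SBOM consumer or `validate.sh` cannot check the property mechanically, which is the stated reason for putting the marking in machine-readable form.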
diff --git a/cra-kit/wolfssl-inc-auditor-packet/classification-statement.md b/cra-kit/wolfssl-inc-auditor-packet/classification-statement.md
new file mode 100644
index 00000000..0276710d
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/classification-statement.md
@@ -0,0 +1,55 @@
+# Classification statement — wolfSSL libraries (Annex III / IV)
+
+**Status:** ✅ Decided & published
+**CRA reference:** Annex III, Annex IV; Art. 6 (classes of products with digital elements)
+
+## Decision
+
+wolfSSL Inc. classifies the following products as **default class** ("Class I")
+for CRA purposes:
+
+| Product | Classification | Rationale |
+|---------|----------------|-----------|
+| **wolfSSL** (TLS library) | **Default class** (not Annex III, not Annex IV) | A general-purpose TLS / cryptographic library is not a finished product type listed in Annex III or Annex IV. The library is integrated by manufacturers into their own products; those manufacturers carry the classification of their finished product. |
+| **wolfCrypt** (cryptographic library) | **Default class** | Same reasoning. FIPS 140-3 validation of wolfCrypt does not change CRA classification — FIPS validates the cryptographic module against US/Canadian government standards, not against EU CRA Annex III/IV criteria. |
+| **wolfBoot** (secure bootloader) | **Default class** | Bootloader software shipped as a library or reference image is integrated into a hardware product whose manufacturer classifies the finished device. |
+| **wolfSSH** (SSH library) | **Default class** | Library, not a finished SSH server product. |
+| **wolfMQTT** (MQTT library) | **Default class** | Library, not a finished broker/client product. |
+
+## Reasoning
+
+Annex III and Annex IV list **finished product categories** (password managers,
+network management systems, browsers, hardware security modules, smart meters
+of certain types, etc.). wolfSSL Inc. does not ship any such finished product
+on the EU market. Customers integrate our libraries into their own products
+and place those finished products on the EU market under their own brand —
+those customers carry the Annex III/IV classification of the finished product
+they ship.
+
+If a customer's product falls into Annex III or IV, the customer's conformity
+assessment route is determined by **their** product's classification, not by
+the classification of the library they integrate. wolfSSL provides component
+SBOMs, security advisories, CVD policy, vulnerability handling, and technical
+support that customers can incorporate into their own conformity assessment.
+
+## Counter-example
+
+Were wolfSSL Inc. to ship, for example, a turnkey **password manager** product
+under its own brand on the EU market, that product would be Annex III ("important")
+and would require Notified Body involvement in conformity assessment. We do not
+ship such a product.
+
+## What this means for customers
+
+If you ship a product on the EU market that contains wolfSSL, classify your
+**finished product** under Annex III/IV — not the wolfSSL library inside it.
+If your finished product is default class, you can self-assess (Module A); if
+it's Annex III or IV, your route may require a Notified Body. wolfSSL's
+classification doesn't determine yours.
+
+## References
+
+- [`../CRA-Compliance-Shortlist.md`](../CRA-Compliance-Shortlist.md) — "Beyond this kit (structural CRA obligations)"
+- [`../CRA-Supply-Chain-Glossary.md`](../CRA-Supply-Chain-Glossary.md) — Annex III, Annex IV, Notified Body definitions
+- CRA text Annex III: list of important products
+- CRA text Annex IV: list of critical products
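Review bot: the counter-example states that a wolfSSL-branded password manager "would be Annex III ("important") and would require Notified Body involvement", but the conformity-assessment route document in this same patch says third-party involvement is mandatory only for Annex III "important class II" and Annex IV "critical"; under Art. 32(2) a class I important product may still follow Module A when harmonised standards or common specifications are fully applied, so either pick a class II example or change "would require" to "may require" and name the harmonised-standards condition. The "What this means for customers" paragraph already uses the hedged "may require"; align the counter-example with it. Also `**default class** ("Class I")` in the Decision section uses "Class I" for the default category, a term Annex III reserves for one tier of important products; drop the parenthetical.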
diff --git a/cra-kit/wolfssl-inc-auditor-packet/conformity-assessment-route.md b/cra-kit/wolfssl-inc-auditor-packet/conformity-assessment-route.md
new file mode 100644
index 00000000..e86cef15
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/conformity-assessment-route.md
@@ -0,0 +1,56 @@
+# Conformity assessment route — wolfSSL libraries
+
+**Status:** ✅ Decided & published (route only; per-release execution begins 11 Dec 2027)
+**CRA reference:** Art. 32, Annex VIII
+
+## Decision
+
+wolfSSL Inc. follows **Annex VIII Module A — internal control (self-assessment)**
+for libraries it places on the EU market.
+
+## Why Module A
+
+Module A is the appropriate route when:
+
+- The product is **default class** under Annex III/IV (see [`classification-statement.md`](classification-statement.md)).
+- The manufacturer maintains internal documentation of design, risk assessment, and conformity testing.
+- No Notified Body involvement is required.
+
+All three apply to wolfSSL libraries.
+
+## What Module A requires
+
+Module A obligates wolfSSL Inc. to:
+
+1. **Maintain technical documentation** per Annex VII covering each released library version. See [`technical-documentation-outline.md`](technical-documentation-outline.md).
+2. **Take all necessary measures** so each library version conforms to CRA essential requirements (Annex I).
+3. **Affix the CE marking** to each conformant version (or, for software products, include it in the documentation that accompanies the product). See [`ce-marking-statement.md`](ce-marking-statement.md).
+4. **Draw up and sign a written declaration of conformity** (Art. 28). See [`declaration-of-conformity.template.md`](declaration-of-conformity.template.md).
+5. **Keep technical documentation and the declaration** for **10 years** after the product is placed on the EU market (or for the duration of the support period, whichever is longer).
+
+## Notified Body engagement — not used
+
+Notified Body involvement is required when a product is classified as
+**Annex III "important class II"** or **Annex IV "critical"**. wolfSSL libraries
+are neither. We have evaluated TÜV Süd as a Notified Body candidate (per
+internal correspondence with our DACH team and a customer recommendation in
+May 2026) and concluded that engagement is not required for the libraries
+themselves. Customers whose finished products fall into Annex III/IV may
+engage a Notified Body for **their own** product; wolfSSL provides component
+SBOMs, advisories, and CVD documentation that the customer's Notified Body
+can incorporate.
+
+## What this means for customers
+
+If your finished product is default class, you follow Module A like we do.
+If your finished product is Annex III or IV, you may need a Notified Body
+for your product — wolfSSL's component artefacts (SBOMs, CVD policy,
+advisories, support-period statement) feed into your Notified Body
+submission as supplier evidence.
+
+## References
+
+- CRA Art. 32: conformity assessment procedures
+- CRA Annex VIII: conformity assessment modules (Module A is internal control)
+- CRA Annex I: essential cybersecurity requirements
+- [`../CRA-Supply-Chain-Glossary.md`](../CRA-Supply-Chain-Glossary.md) — Module A, Conformity assessment, Notified Body
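Review bot: the third bullet under "Why Module A" ("No Notified Body involvement is required.") is the conclusion, not a condition, which makes the criteria list circular; replace it with the actual Art. 32 condition (the product is outside Annex III/IV, or is Annex III class I with harmonised standards fully applied) and keep the conclusion in the "Notified Body engagement" section. In that section, "per internal correspondence with our DACH team and a customer recommendation in May 2026" is internal decision history that a customer cannot verify and that does not belong in a manufacturer filing; state the decision and its legal basis only.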
diff --git a/cra-kit/wolfssl-inc-auditor-packet/declaration-of-conformity.template.md b/cra-kit/wolfssl-inc-auditor-packet/declaration-of-conformity.template.md
new file mode 100644
index 00000000..5fdf8815
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/declaration-of-conformity.template.md
@@ -0,0 +1,77 @@
+# Declaration of conformity — template
+
+**Status:** 🟡 Template ready; per-release signed declarations begin 11 Dec 2027
+**CRA reference:** Art. 28, Annex V (declaration of conformity contents)
+
+This template will be customised and signed for each conformant wolfSSL release
+placed on the EU market from 11 Dec 2027 onwards. Customers may adapt this
+template for their own products.
+
+---
+
+## EU Declaration of Conformity
+
+**1. Product identification**
+
+- Name: [PRODUCT NAME, e.g. wolfSSL]
+- Version: [VERSION, e.g. 5.9.1]
+- Type: [TYPE, e.g. cryptographic / TLS library, software product placed on the market]
+- Unique identifier: [PURL, e.g. `pkg:github/wolfSSL/wolfssl@v5.9.1`]
+
+**2. Manufacturer**
+
+- Name: wolfSSL Inc.
+- Postal address: [WOLFSSL INC. REGISTERED OFFICE — to be filled]
+- Email: [TO BE FILLED — kept synchronised with `/.well-known/security.txt` once wolfSSL Inc.'s security alias is provisioned]
+- Website: https://www.wolfssl.com/
+
+**3. EU Authorised Representative** (Art. 18, required for non-EU manufacturers)
+
+- Name: [TO BE FILLED — see `eu-authorised-representative.md`]
+- Postal address: [TO BE FILLED]
+- Mandate effective date: [TO BE FILLED]
+
+**4. Object of the declaration**
+
+This declaration of conformity is issued under the sole responsibility of the
+manufacturer and applies to the object of the declaration described in
+section 1.
+
+**5. Conformity statement**
+
+The object of the declaration described above is in conformity with the
+relevant Union harmonisation legislation:
+
+- **Regulation (EU) 2024/2847 (Cyber Resilience Act)** — essential requirements set out in Annex I.
+
+**6. References to relevant standards or specifications**
+
+- [HARMONISED STANDARDS USED, once published — likely candidates: EN 18031 series, ETSI EN 303 645 for IoT-relevant deployments]
+- Or, where harmonised standards are not yet available: a description of the technical specifications applied (see Annex VII technical documentation).
+
+**7. Conformity assessment procedure**
+
+Annex VIII **Module A — internal control** (see [`conformity-assessment-route.md`](conformity-assessment-route.md)).
+No Notified Body involvement required for default-class products.
+
+**8. Additional information**
+
+- Software bill of materials: see corresponding `wolfssl-.cdx.json` and `.spdx.json` (released alongside the binary).
+- Vulnerability handling process: [`vulnerability-handling-process.md`](vulnerability-handling-process.md) and [https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt).
+- Support period: [`support-period-policy.md`](support-period-policy.md).
+
+**9. Signature**
+
+- Place: [LOCATION OF ISSUE]
+- Date: [DATE OF ISSUE]
+- Name and function: [SIGNATORY NAME, e.g. Larry Stefonic, CEO, wolfSSL Inc.]
+- Signature: ___________________
+
+---
+
+## Notes for customers adapting this template
+
+1. Fields in `[BRACKETS]` must be filled before signature.
+2. The declaration must be drawn up in **at least one of the official languages** of the Member State where the product is placed on the market. English is generally accepted but verify with your EU Authorised Representative.
+3. The signed declaration is part of the **technical documentation** (Annex VII) and must be retained for **10 years**.
+4. The declaration accompanies the product. For software products, this typically means including it in the release tarball, in a `LEGAL/` directory, or alongside the SBOMs.
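Review bot: the manufacturer e-mail field in section 2 says the address will be kept synchronised with `/.well-known/security.txt` "once wolfSSL Inc.'s security alias is provisioned", while the vulnerability-handling document in this patch lists `/.well-known/security.txt` as an already-live artefact ("Single canonical contact entry"); one of the two is stale, and a declaration of conformity should carry the published contact. In item 8, `wolfssl-.cdx.json` is missing its version token; use `wolfssl-[VERSION].cdx.json` to match the `[BRACKETS]` convention the template uses everywhere else, so the "Fields in `[BRACKETS]` must be filled before signature" note covers it.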
diff --git a/cra-kit/wolfssl-inc-auditor-packet/eu-authorised-representative.md b/cra-kit/wolfssl-inc-auditor-packet/eu-authorised-representative.md
new file mode 100644
index 00000000..36c1fe23
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/eu-authorised-representative.md
@@ -0,0 +1,63 @@
+# EU Authorised Representative — wolfSSL Inc.
+
+**Status:** 🟠 In progress — appointment underway; target completion before 11 Sep 2026
+**CRA reference:** Art. 18
+
+## Why an EU AR is required
+
+wolfSSL Inc. is established in the **United States** (Edmonds, Washington). CRA
+Art. 18 requires manufacturers established outside the EU to appoint, **in
+writing**, an Authorised Representative inside the EU before placing a product
+on the EU market. The AR:
+
+- Receives correspondence from EU market surveillance authorities and ENISA on the manufacturer's behalf.
+- Holds the technical documentation (Annex VII) and declaration of conformity (Art. 28) for **10 years** post-placement, available to authorities on request.
+- Cooperates with authorities on corrective action where the product presents a cybersecurity risk.
+
+The AR does **not** transfer manufacturer obligations — wolfSSL Inc. remains
+the manufacturer and bears the substantive obligations. The AR is a single
+point of contact in the EU.
+
+## Current state
+
+🟠 **wolfSSL Inc. is finalising the EU AR appointment.** Two paths were evaluated:
+
+1. **Use an existing wolfSSL EU presence.** wolfSSL has business operations in
+ the DACH region (Germany / Austria / Switzerland). Nominating an existing
+ EU-resident wolfSSL legal entity as the AR is the simplest path if such an
+ entity exists with the appropriate legal capacity to act as AR.
+2. **Contract a third-party AR service.** Several vendors (e.g. Obelis, Authrep,
+ Casa Group) offer AR-as-a-service across CE-marking regulations. Cost is
+ typically EUR 1500–4000/year per regulation; lead time 4–6 weeks.
+
+The internal call was made by wolfSSL leadership in [DATE TO BE CONFIRMED]. The
+written mandate will be in place before 11 Sep 2026 (Art. 14 vulnerability
+reporting onset) and certainly before 11 Dec 2027 (full CRA applicability).
+
+## Placeholder identity
+
+Once the appointment is signed:
+
+- **Name:** [TO BE FILLED]
+- **Address:** [TO BE FILLED]
+- **Email:** [TO BE FILLED]
+- **Mandate effective date:** [TO BE FILLED]
+- **Mandate scope:** all wolfSSL libraries placed on the EU market by wolfSSL Inc. under CRA.
+
+## What this means for customers
+
+If your company is established **outside the EU** (US / UK post-Brexit / Asia /
+elsewhere), you face the same Art. 18 obligation. wolfSSL's choice of AR does
+not satisfy your obligation — you appoint your own.
+
+The single-most-important advice we can give: **start now**. AR appointments
+take weeks to months including legal review on both sides; the lead time
+compounds with conformity assessment timelines and is the most common
+last-minute blocker for non-EU manufacturers.
+
+## References
+
+- CRA Art. 18 (Authorised Representative)
+- CRA Art. 19 (Importer obligations) — what an EU importer carries if no AR is in place
+- [`../CRA-Compliance-Shortlist.md`](../CRA-Compliance-Shortlist.md) — "Beyond this kit"
+- [`../CRA-Supply-Chain-Glossary.md`](../CRA-Supply-Chain-Glossary.md) — EU Authorised Representative
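Review bot: "CRA Art. 18 requires manufacturers established outside the EU to appoint, in writing, an Authorised Representative" sits uneasily with this file's own reference line for Art. 19, "what an EU importer carries if no AR is in place", which presupposes that placing a product without an AR is possible; check the operative verb in Art. 18(1) (the NLF template the CRA follows reads "may, by a written mandate, appoint"), and if it is permissive, reframe the AR as wolfSSL's chosen route for a US-established manufacturer rather than a hard requirement. The retention bullet ("for **10 years** post-placement") should also match the technical-documentation outline in this patch, which says 10 years or the support period, whichever is longer. The vendor names and "EUR 1500–4000/year" range under path 2 are unsourced market colour that will age quickly; cite the quotes or generalise.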
diff --git a/cra-kit/wolfssl-inc-auditor-packet/support-period-policy.md b/cra-kit/wolfssl-inc-auditor-packet/support-period-policy.md
new file mode 100644
index 00000000..9d83c9a8
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/support-period-policy.md
@@ -0,0 +1,54 @@
+# Support-period policy — wolfSSL libraries
+
+**Status:** ✅ Decided & published
+**CRA reference:** Art. 13(2), Art. 13(8)
+
+## Commitment
+
+wolfSSL Inc. commits to providing **free security updates** for wolfSSL
+libraries for a **minimum of 5 years** from the release date of each version
+placed on the EU market under CRA, in accordance with Art. 13(2) and 13(8).
+
+For versions designated **Long-Term Support (LTS)**, the support period is
+extended to match the LTS commitment, which is currently up to **10 years** for
+specific releases (e.g. those certified to FIPS 140-3 or covered by commercial
+LTS contracts).
+
+## Scope of "security update"
+
+A security update under this policy is any release that:
+
+- Addresses a vulnerability disclosed via wolfSSL's [Coordinated Vulnerability Disclosure policy](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) or assigned a CVE by wolfSSL as a CNA;
+- Is published as a tagged GitHub release with accompanying SBOM (`*.cdx.json`, `*.spdx.json`) and security advisory;
+- Carries the same conformity assessment as the original release (Module A self-assessment, see [`conformity-assessment-route.md`](conformity-assessment-route.md)).
+
+Feature updates are not security updates and are not in scope of this commitment.
+
+## Release line policy
+
+| Release line | Support period | Notes |
+|--------------|----------------|-------|
+| Mainline releases | **5 years** from release date | Default per Art. 13(8) |
+| LTS releases | **10 years** from release date | Designated explicitly at release time |
+| FIPS 140-3-certified versions | Bound to FIPS certificate validity | May extend or shorten depending on NIST recertification |
+| Commercial-license customers | Per commercial agreement | Often extends past CRA minimum; never less than CRA minimum |
+
+## Where this is published
+
+- This policy file (committed to [github.com/wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples)).
+- Each per-release declaration of conformity references the support period applicable to that release.
+- Customer-visible: [wolfSSL release notes](https://github.com/wolfSSL/wolfssl/releases) note the support window.
+
+## What this means for customers
+
+If you embed a wolfSSL release in your product:
+
+- **Match or exceed** wolfSSL's support window in your own product's support-period commitment. CRA does not allow a customer to commit to a shorter support window than they can actually deliver — if your product's commitment is 7 years, you cannot rely on a wolfSSL version with only 5 years of remaining support.
+- **Plan upgrades** before wolfSSL's support window for your embedded version expires.
+- **Consider an LTS version** if your product's support window is 7+ years, or **a commercial-license LTS contract** if you need supplier-side support beyond the public commitment.
+
+## References
+
+- CRA Art. 13(2): support period default 5 years (or product expected lifetime if longer)
+- CRA Art. 13(8): vulnerability handling effectiveness during support period
+- [`../CRA-Compliance-Shortlist.md`](../CRA-Compliance-Shortlist.md) — pillar 4 + "Beyond this kit"
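Review bot: the "Release line policy" table lets the FIPS row "extend or shorten depending on NIST recertification", which contradicts the 5-year minimum committed under "Commitment" and the "never less than CRA minimum" wording on the very next row; certificate validity can lengthen the window but cannot cut it below the floor, so the Notes cell should say "never shorter than the 5-year minimum". The References section also attributes the 5-year default to "Art. 13(2)" while the table row says "Default per Art. 13(8)"; pick the correct paragraph and use it in both places.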
diff --git a/cra-kit/wolfssl-inc-auditor-packet/technical-documentation-outline.md b/cra-kit/wolfssl-inc-auditor-packet/technical-documentation-outline.md
new file mode 100644
index 00000000..98d0409f
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/technical-documentation-outline.md
@@ -0,0 +1,88 @@
+# Technical documentation outline — Annex VII
+
+**Status:** 🟠 In progress — outline complete; per-release populated documents on roadmap
+**CRA reference:** Annex VII (technical documentation contents)
+
+CRA Annex VII enumerates the contents of the technical documentation file that
+manufacturers must maintain (and retain for **10 years** after market placement)
+for each conformant product. This file is not made public; it is held by the
+manufacturer (and the EU AR) and produced to authorities on request.
+
+## Outline of wolfSSL Inc.'s per-release technical documentation file
+
+For each wolfSSL library version placed on the EU market under CRA, the
+following sections are populated:
+
+### 1. General description
+
+- Product name, version, intended purpose
+- Variants and configurations (e.g. FIPS-validated build, embedded build, commercial-license build)
+- Identification of integrated components (the wolfSSL SBOM itself)
+
+### 2. Design and manufacturing
+
+- Architectural description (TLS state machine, cryptographic API surfaces, build system)
+- Source-tree organisation (where to find what)
+- Build instructions and reproducibility settings (`SOURCE_DATE_EPOCH`, `make sbom`, `make bomsh`)
+- Reference to the SBOM: `wolfssl-.cdx.json`, `.spdx.json`
+
+### 3. Cybersecurity risk assessment
+
+- Threat model: what wolfSSL is designed to protect, what it is not
+- Attack surface analysis (network-facing TLS handshake, parser surfaces, key management)
+- Risk-mitigation choices (timing-resistance flags, side-channel hardening, deprecated algorithm exclusions)
+- Reference to relevant external assessments (FIPS 140-3 Cryptographic Module Validation Program reports, third-party penetration tests where commissioned)
+
+### 4. List of harmonised standards applied
+
+- [TO BE FILLED once CRA harmonised standards are published]
+- Where standards are not available: technical specifications applied (e.g. RFC 5246, RFC 8446 for TLS; FIPS 140-3 for the FIPS-validated build)
+
+### 5. Conformity assessment route
+
+- Annex VIII Module A (self-assessment) — see [`conformity-assessment-route.md`](conformity-assessment-route.md)
+
+### 6. Vulnerability handling
+
+- CVD policy (link to `/.well-known/vulnerability-disclosure-policy.txt`)
+- Process narrative (see [`vulnerability-handling-process.md`](vulnerability-handling-process.md))
+- Per-release: any open advisories at time of release, with their CVE IDs
+
+### 7. Support-period commitment
+
+- See [`support-period-policy.md`](support-period-policy.md)
+- Per-release: explicit support window dates
+
+### 8. Declaration of conformity
+
+- Signed declaration per Art. 28 — see [`declaration-of-conformity.template.md`](declaration-of-conformity.template.md)
+
+### 9. Software bill of materials
+
+- `wolfssl-.cdx.json` (CycloneDX 1.6)
+- `wolfssl-.spdx.json` (SPDX 2.3)
+- Optional: `omnibor.wolfssl-.spdx.json` (build provenance via `make bomsh`)
+- Optional: `wolfssl-.cbom-draft.cdx.json` (cryptographic-asset draft)
+
+### 10. CE marking
+
+- See [`ce-marking-statement.md`](ce-marking-statement.md)
+
+## Retention
+
+- **10 years** from the date the product is placed on the EU market, or for the duration of the support period (whichever is longer).
+- Held by wolfSSL Inc. **and** the EU Authorised Representative ([`eu-authorised-representative.md`](eu-authorised-representative.md)).
+
+## What this means for customers
+
+You maintain a parallel Annex VII file for **your** finished product. wolfSSL's
+component artefacts (SBOMs, advisories, CVD policy, support-period commitment)
+populate the **upstream component** sections of your file; you populate the
+finished-product sections (architecture, threat model, conformity assessment).
+Our file is not yours; yours integrates ours.
+
+## References
+
+- CRA Annex VII (technical documentation)
+- CRA Art. 31 (technical documentation retention)
+- [`../CRA-Compliance-Shortlist.md`](../CRA-Compliance-Shortlist.md) — Annex VII row in "Beyond this kit"
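Review bot: section 4 leaves harmonised standards as "[TO BE FILLED once CRA harmonised standards are published]" while the declaration-of-conformity template in this patch already names "likely candidates: EN 18031 series, ETSI EN 303 645"; the two should agree, since the signed declaration is itself section 8 of this file. Section 3's "timing-resistance flags, side-channel hardening, deprecated algorithm exclusions" would be more auditable if it pointed at the concrete `user_settings.h` options of the documented build (the demo header in this patch has `NO_OLD_TLS` and `NO_PSK` but no timing-resistance defines), so the per-release file can be derived from the actual configuration instead of being restated by hand. The SBOM filenames in sections 2 and 9 (`wolfssl-.cdx.json`, `wolfssl-.spdx.json`, `omnibor.wolfssl-.spdx.json`, `wolfssl-.cbom-draft.cdx.json`) are missing their version token.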
diff --git a/cra-kit/wolfssl-inc-auditor-packet/vulnerability-handling-process.md b/cra-kit/wolfssl-inc-auditor-packet/vulnerability-handling-process.md
new file mode 100644
index 00000000..c6b1644a
--- /dev/null
+++ b/cra-kit/wolfssl-inc-auditor-packet/vulnerability-handling-process.md
@@ -0,0 +1,95 @@
+# Vulnerability handling process — wolfSSL Inc.
+
+**Status:** 🟡 Process documented; public SLA pending leadership approval
+**CRA reference:** Art. 13 (vulnerability handling), Art. 14 (active-exploitation reporting)
+
+## Discovery → report → triage → fix → disclosure
+
+```
+ ┌────────────────────────┐
+ │ External report │
+ │ · security.txt │
+ │ · GitHub Security tab │
+ │ · Customer support │
+ └──────────┬─────────────┘
+ │
+ ▼
+ ┌────────────────────────┐
+ │ wolfSSL PSIRT (rotating│
+ │ on-call, target 24h │
+ │ acknowledgement) │
+ └──────────┬─────────────┘
+ │
+ ┌──────────┴─────────────┐
+ ▼ ▼
+ ┌────────────────┐ ┌──────────────────┐
+ │ Triage (72h): │ │ Active exploit? │
+ │ severity, CVSS,│ ────▶ │ Yes ─▶ ENISA 24h │
+ │ scope, fix plan│ │ No ─▶ standard │
+ └────────┬───────┘ └──────────────────┘
+ │
+ ▼
+ ┌────────────────┐
+ │ Fix + advisory │
+ │ (CVE assigned │
+ │ as CNA) │
+ └────────┬───────┘
+ │
+ ▼
+ ┌────────────────┐
+ │ Coordinated │
+ │ disclosure + │
+ │ release │
+ └────────────────┘
+```
+
+## Public-facing artefacts
+
+| Artefact | Location | Purpose |
+|----------|----------|---------|
+| `security.txt` (RFC 9116) | [`/.well-known/security.txt`](https://www.wolfssl.com/.well-known/security.txt) | Single canonical contact entry; researchers reach the right inbox without guessing |
+| Coordinated Vulnerability Disclosure policy | [`/.well-known/vulnerability-disclosure-policy.txt`](https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt) | How wolfSSL handles reports: scope, expectations, safe-harbor |
+| Security advisories | [https://www.wolfssl.com/docs/security-vulnerabilities/](https://www.wolfssl.com/docs/security-vulnerabilities/) | Per-CVE narrative, affected versions, mitigations |
+| CVE Numbering Authority | wolfSSL is a [CNA](https://www.cve.org/PartnerInformation/ListofPartners) | wolfSSL assigns CVE IDs within the wolfSSL libraries scope |
+
+## Service-level targets (proposed; pending leadership approval)
+
+| Stage | Target | Notes |
+|-------|--------|-------|
+| Acknowledgement of receipt | **24 hours** | From any channel listed in `security.txt`. Pending public approval to commit. |
+| Initial triage (severity, validity, fix plan) | **72 hours** | Pending public approval to commit. |
+| ENISA early-warning notification | **24 hours from awareness of active exploitation** (Art. 14(1)) | Hard regulatory deadline — not negotiable. |
+| ENISA follow-up report | **72 hours from awareness** (Art. 14(2)) | Hard regulatory deadline. |
+| ENISA final report | **14 days from CSIRT notification of CVE-published or vendor-published advisory** (Art. 14(3)) | Hard regulatory deadline. |
+| Coordinated public disclosure | Typically 90 days from triage; case-by-case | Negotiable with reporter. |
+
+These targets are not yet publicly committed in the CVD policy. Once the
+leadership decision is taken, the CVD policy at `/.well-known/vulnerability-disclosure-policy.txt`
+will be updated to include them.
+
+## On-call coverage
+
+🟠 **In progress.** Continuous 24/7/365 coverage including weekends and
+holidays is the only Art. 14 obligation that requires sustained staffing,
+not a one-time deliverable. Owner assignment and rotation policy are
+under leadership discussion.
+
+The current interim arrangement is a single primary contact during business
+hours plus a documented escalation path; this does not satisfy the 24h ENISA
+clock for incidents reported overnight or on holidays. Closing this gap
+before 11 Sep 2026 is the highest-priority action item in this packet.
+
+## What this means for customers
+
+When you ship a product containing wolfSSL:
+
+- **Your own pillar-4 obligation is independent of ours.** You publish your own `security.txt`, your own CVD policy, run your own on-call. Our process does not satisfy yours.
+- **Coordinate on shared advisories.** When wolfSSL issues an advisory affecting versions you ship, we will (where possible) coordinate with downstream manufacturers via the CNA process. Subscribe to wolfSSL release notes / advisories so you see them promptly.
+- **ENISA reporting is split.** wolfSSL Inc. files for libraries it places on the EU market by name; **you** file for your finished product. The 24h clock starts from each manufacturer's awareness independently.
+
+## References
+
+- CRA Art. 13: vulnerability handling, support period, security updates
+- CRA Art. 14: notification obligations (24h, 72h, 14 days)
+- [`../CRA-Compliance-Shortlist.md`](../CRA-Compliance-Shortlist.md) — pillar 4
+- [`../CRA-Supply-Chain-Glossary.md`](../CRA-Supply-Chain-Glossary.md) — ENISA, CNA, Conformity assessment
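Review bot: The "Active exploit?" decision in the flow diagram is drawn as an output of the 72h triage box, but the Art. 14 early-warning clock in the table runs "24 hours from awareness of active exploitation", so by the time triage produces that answer the regulatory window is already gone; move the exploitation check into the PSIRT intake step (the same step that owns the 24h acknowledgement target) and note in the diagram that it runs in parallel with, not after, triage. Related: a 24h acknowledgement target and a 24h ENISA deadline measured from the same instant leave no margin, so the SLA table should state that the early-warning notification is sent on intake, independently of acknowledgement. Also please re-check the paragraph citations in the SLA table against the regulation text: the row "ENISA final report | 14 days from CSIRT notification of CVE-published or vendor-published advisory (Art. 14(3))" does not match the regulation's trigger, which is 14 days after a corrective or mitigating measure becomes available (Art. 14(2)(c)), and the 24h/72h/14-day steps are all sub-points of Art. 14(2) rather than 14(1)/14(2)/14(3); Art. 14(3) is the separate severe-incident notification, which this process does not currently cover and should at least be referenced so the 11 Sep 2026 action item includes it.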