Add CRA Evidence Kit for customer SBOM integration

[sameehj]

Summary

Adds a self-contained CRA Evidence Kit under cra-evidence/ for customers who ship products containing wolfSSL and need EU CRA–style software transparency (SBOM inventory and optional build provenance).

This is not a compliance product: it shows how to obtain, validate, and nest wolfSSL component SBOMs inside a customer-owned product SBOM. Legal obligations remain with the manufacturer.

What’s included

• Evidence Map (EVIDENCE-MAP.md) — one-page handout: who owns what, Friday path, bomsh Linux-only
• Glossary (CRA-Supply-Chain-Glossary.md) — customer terminology (self-contained in this repo)
• Sample auditor packet (auditor-packet/) — fictional Acme Connect Gateway product SBOM referencing wolfSSL component SBOMs (SPDX + CycloneDX)
  • wolfssl-component/ — pinned autotools / make sbom samples (what the product stub references)
  • wolfssl-component-embedded/ — pinned embedded / user_settings.h + gen-sbom demo (different hash / source-merkle properties)
• Scripts
  • validate.sh — JSON sanity + product SPDX checksum sync (no wolfSSL build required)
  • refresh-samples.sh — regen autotools samples + update product stub checksum
  • generate-wolfssl-sbom.sh / generate-embedded-sbom.sh — regen component SBOMs when WOLFSSL_DIR is set
• CI — .github/workflows/cra-evidence.yml runs validate.sh on changes under cra-evidence/

Customer paths covered

Profile	How the kit helps
Linux / autotools / packages	make sbom → nest in product SBOM; see autotools samples
Embedded / RTOS / user_settings.h	gen-sbom demo with kit user_settings.h; see embedded samples
Optional provenance	make bomsh documented as Linux build host only, not shipped in packet

Upstream dependency

Regenerating component SBOMs requires a wolfSSL tree with SBOM support (scripts/gen-sbom, make sbom). Pinned samples target wolfSSL 5.9.1 (see VERSION).

Related wolfSSL work: [link your wolfSSL SBOM/bomsh PR or branch here, e.g. feat/sbom-bomsh]

Integration guide (implementation detail | PR pending): https://github.com/MarkAtwood/wolfssl/blob/578fbee8902b98f48798c1fc2cec2a0e75dcb1f3/doc/CRA.md

Glossary note

cra-evidence/CRA-Supply-Chain-Glossary.md is the customer-facing copy in this kit. wolfssl/doc/CRA-Supply-Chain-Glossary.md should stay in sync when both repos ship (see wolfSSL doc/CRA.md).

Test plan

• CI: CRA Evidence Kit workflow passes on this PR
• Local: cd cra-evidence && ./scripts/validate.sh (no wolfSSL build)
• Optional: with WOLFSSL_DIR set, ./scripts/refresh-samples.sh and re-run validate.sh
• Spot-check: product externalDocumentRefs / CycloneDX bom ref point at wolfssl-component/ files
• Compare autotools vs embedded CDX: different hashes and wolfssl:sbom:hash-kind

Reviewer focus

• Wording avoids “CRA compliant”; scope is component evidence only
• Product SBOM remains customer responsibility
• Embedded README / 00-INDEX describe pinned embedded samples (if not updated in this PR, follow-up)

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #574

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

No new issues found in the changed files. ✅