cra-kit: address Atwood review (shell safety, validation, samples)

Quote "$@" in gen-sbom --srcs (drop SC2068 disables), pass JSON paths to
python via env var in validate.sh to prevent filename injection, and fail
non-zero instead of warning when SBOM post-processing breaks. Rename the
user_settings.h guard to CRA_KIT_USER_SETTINGS_H, clarify the serialNumber
regex accepts v4 (product) and v5 (component) UUIDs, untrack the gitignored
embedded sample SBOMs, document the SHA-512 CBOM omission, and note sample
timestamp differences in SAMPLE-PROVENANCE.md.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

Author: sameehj

cra-kit/auditor-packet/wolfssl-component-embedded/wolfssl-5.9.1.cdx.json

@@ -19,3 +19,16 @@ Regenerate autotools samples and fix the product stub checksum:
 ```sh
 ./scripts/refresh-samples.sh
 ```
+
+## A note on timestamps
+
+The sample SBOMs carry different `metadata.timestamp` / `created` values because
+they were generated at different times, not in a single run:
+
+- `wolfssl-component/` (autotools): `2026-05-12`
+- `wolfssl-component-embedded/` (embedded demo): `2026-05-18`
+- `product-acme-connect-gateway.*` (product stub): `2026-05-18`
+
+This is expected for hand-pinned samples and does not affect validation
+(`scripts/validate.sh` checks cross-document checksums, not timestamps).
+Regenerating via `refresh-samples.sh` will update them to the current time.