Export a Compliance Bundle
The Compliance Bundle is the single ZIP you hand to a regulator under CRA Article 31 or to an EU customer asking for your "technical file." It holds everything the toolkit has generated for the plugin in one archive, with a README manifest naming every file.
Build a bundle
Two ways:
- Per plugin — go to CRA Toolkit → Compliance Bundle, pick a plugin, click Build bundle.
- All plugins — go to the Dashboard, run the Bundle all bulk action across every plugin with a complete artifact set.
Each bundle takes a few seconds to assemble.
What's inside
cra-technical-file-<slug>-YYYYMMDD-HHMMSS.zip
├── README.md
├── sbom/
│ └── <slug>-YYYYMMDD-HHMMSS.cdx.json
├── vdp/
│ └── vulnerability-disclosure-YYYYMMDD-HHMMSS.html
├── doc/
│ └── doc-<slug>-YYYYMMDD-HHMMSS.html
├── scan/
│ ├── scan-<slug>-YYYYMMDD-HHMMSS.html
│ └── scan-<slug>-YYYYMMDD-HHMMSS.json
└── audit-log/
  └── <slug>-audit-YYYYMMDD-HHMMSS.csv
The bundle picks up the latest version of each artifact at the moment of build. If you haven't generated something yet (no scan, no DoC), the corresponding folder is simply missing — the README manifest notes which artifacts are present and which aren't.
README manifest
The bundle includes a README.md listing every file with a one-line description. The header includes:
- Plugin slug
- Toolkit version that built the bundle
- UTC timestamp
- Your license fingerprint as a watermark
The README also carries the disclaimer that you remain responsible for substantive compliance.
Output
Bundles are written to wp-content/uploads/mmcra/bundles/cra-technical-file-<slug>-YYYYMMDD-HHMMSS.zip. The directory has a .htaccess deny rule — files are served only through the toolkit's signed admin download handler.
The audit log records every bundle build with the SHA-256 hash of the ZIP contents.
License-gated
Bundle export requires an active license. The 14-day grace window applies.
What the bundle proves
- SBOM — Annex II Software Bill of Materials
- VDP — Article 13 vulnerability disclosure
- DoC — Annex V Declaration of Conformity
- Scan report — Annex II Section 2 attack surface evidence
- Audit log — Article 31 record-keeping evidence
If a regulator requests your technical file, this is the one artifact you send them.
Keep historical bundles
Generate a new bundle each time you ship a new plugin version. Don't overwrite — the timestamp in the filename keeps them separate. Article 31 wants 10 years of evidence. Move old bundles to cold storage if disk space is a concern; do not delete them.
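A check to run before moving a bundle to cold storage, added here as an example and not part of the toolkit: it records the SHA-256 of the ZIP file, tests every member's CRC, and lists which artifact folders from the layout above are present or missing. It assumes README.md and the folders sit at the archive root; the digest is of the ZIP file's bytes, which may or may not be the value the toolkit writes to its audit log.

```python
import hashlib
import sys
import zipfile

# Folder names taken from the bundle layout shown on this page.
ARTIFACT_DIRS = ("sbom", "vdp", "doc", "scan", "audit-log")


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of the ZIP file's bytes, read in chunks to bound memory use."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_bundle(path):
    """Return digest, README presence, CRC status and artifact coverage."""
    with zipfile.ZipFile(path) as zf:
        corrupt = zf.testzip()  # name of first member failing its CRC, or None
        names = [n for n in zf.namelist() if not n.endswith("/")]
    # Assumption: README.md and the artifact folders are at the archive root.
    top_level = {n.split("/", 1)[0] for n in names if "/" in n}
    return {
        "sha256": sha256_file(path),
        "readme": "README.md" in names,
        "corrupt_member": corrupt,
        "present": [d for d in ARTIFACT_DIRS if d in top_level],
        "missing": [d for d in ARTIFACT_DIRS if d not in top_level],
        "unexpected": sorted(top_level - set(ARTIFACT_DIRS)),
    }


if __name__ == "__main__":
    # Usage: python inspect_bundle.py cra-technical-file-*.zip
    for bundle in sys.argv[1:]:
        report = inspect_bundle(bundle)
        print(f"{report['sha256']}  {bundle}")
        print(f"  README.md: {'yes' if report['readme'] else 'NO'}")
        print(f"  present:   {', '.join(report['present']) or '-'}")
        print(f"  missing:   {', '.join(report['missing']) or '-'}")
        if report["corrupt_member"] or report["unexpected"]:
            print(f"  WARNING: corrupt={report['corrupt_member']} "
                  f"unexpected={report['unexpected']}")
```

Store the printed digest alongside the archived copy so the file can be re-verified when it is retrieved.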