wolfTPM SPDM support (Nuvoton NPCT75x and NSING NS350) #458
Merged: dgarske merged 11 commits into wolfSSL:master (Apr 7, 2026)
Conversation
dgarske requested changes (Feb 20, 2026)
dgarske requested changes (Feb 24, 2026)
b684e06 to e56719c
571388e to 49c7674
- Moved spdm/src/*.c -> src/spdm/*.c (11 source files)
- Moved spdm/wolfspdm/*.h -> wolftpm/spdm/*.h (7 public headers)
- Moved spdm/src/spdm_internal.h -> src/spdm/spdm_internal.h
- Moved spdm/test/unit_test.c -> src/spdm/unit_test.c
- Moved spdm/README.md -> src/spdm/README.md
- Deleted spdm/include.am, created src/spdm/include.am
- Renamed all #include <wolfspdm/...> -> #include <wolftpm/spdm/...> across all files
- Added SPDM headers to wolftpm/include.am (as nobase_include_HEADERS)
- Updated Makefile.am: include spdm/include.am -> include src/spdm/include.am
- Removed -I/spdm from configure.ac and examples/spdm/include.am (no longer needed
dgarske requested changes (Mar 25, 2026)
- Renamed spdm_demo to spdm_ctrl: file, binary, internal demo_* functions to ctrl_*, all references in include.am, spdm_test.sh, .gitignore, CLAUDE.md, both READMEs
- README mentions Nations: title updated to Nuvoton NPCT75x and Nations NS350 TPMs, added Nations build section
- README section header renamed from Demo Commands to Setup/Control Commands
- README added reset pin control section: documents GPIO reset requirement, Pi-specific example, custom hardware design guidance
- Moved spdm_tcg.c to common build section, no longer conditional on Nuvoton/Nations in src/spdm/include.am
- Removed redundant wolfSSL options include from spdm_internal.h since tpm2_types.h handles this
- Added WOLFTPM_SPDM_TCG generic guard as auto-define in spdm_types.h, replaced ~30 occurrences of #if defined(WOLFSPDM_NUVOTON) || defined(WOLFSPDM_NATIONS) across all files
danielinux requested changes (Apr 3, 2026)
- Upgraded NS350 firmware from 0.1.0.15 to 0.1.0.16, which adds TPM_CMD support under PSK mode (previously returned Vd_InvalidCode)
- PSK mode: GET_CAPABILITIES and NEGOTIATE_ALGORITHMS are not mandatory, can go directly from GET_VERSION to PSK_EXCHANGE (noted for future optimization)
- Identity key mode: END_SESSION is mandatory (noted for future addition to test sequence)
- All 17/17 hardware tests pass on new firmware
- Fixed SPDM cleartext fallback in TPM2_SendCommand(): positive error codes from SPDM now return immediately instead of falling through to cleartext retry
- Fixed same SPDM cleartext fallback in TPM2_SendCommandAuth(): same pattern applied
- Added VdCode validation in wolfTPM2_SPDM_SecuredExchange(): verifies response matches expected TPM2_CMD vendor code before accepting payload
- Enabled auto-connect for Nations: changed guard from WOLFSPDM_NUVOTON to WOLFTPM_SPDM_TCG and replaced wolfTPM2_SpdmConnectNuvoton() with generic wolfTPM2_SpdmConnect() so auto-SPDM works for both vendors
- Added VdCode validation in wolfSPDM_TCG_VendorCmdClear(): verifies response vendor code matches expected value after parsing
- NATIONS_PSK mode check (tpm2_spdm.c): only affects PSK mode, which was already broken (raw path instead of VENDOR_DEFINED).
- END_SESSION (tpm2_wrap.c): new behavior, but only adds an END_SESSION before the existing cleanup. If it fails, cleanup still proceeds.
- Nations auto-connect (tpm2_wrap.c:279): only fires when spdmOnlyDetected is true (TPM locked in SPDM-only mode and TPM2_Startup returned TPM_RC_DISABLED). Normal operation never hits this path.
- VdCode validation (spdm_tcg.c): this one could theoretically break something if a response VdCode doesn't match. But all callers like wolfSPDM_TCG_GetPubKey() already validate VdCode independently (lines 316-321), so the existing code was already checking this for specific commands.
- VCA skip in PSK (spdm_psk.c): changes the transcript hash. Needs firmware 0.1.0.16 + NS350 to also skip VCA. Vision confirmed this works.
- TPM_CMD_Lx defines / comments: no behavioral change.
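The two hardening points discussed in the thread above, a failed secured exchange must not fall through to a cleartext retry, and a VENDOR_DEFINED response must carry the vendor code of the command that was sent before its payload is accepted, are illustrated by the following added C example. This is not wolfTPM or wolfSPDM code: the ex_ctx_t struct, the ex_* functions, the EX_* status and vendor codes and the simulated responder are all constructed for this page. It also goes slightly beyond the commit message, which only mentions positive error codes: here any failure of the secured exchange is returned once a session is active, and the cleartext transport is used only when no session exists.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes for this example (not wolfTPM's TPM_RC_* or
 * wolfSPDM values). Positive = SPDM/TPM layer error, negative = local error. */
#define EX_RC_SUCCESS        0
#define EX_SPDM_ERR_AUTH     1      /* e.g. secured-message MAC failure */
#define EX_ERR_BAD_VDCODE   (-200)  /* reply vendor code != requested command */
#define EX_ERR_SHORT_RESP   (-201)

/* Constructed vendor-defined command codes (VENDOR_DEFINED_REQUEST/RESPONSE) */
#define EX_VD_GET_PUBK   0x0001
#define EX_VD_TPM2_CMD   0x0007

typedef struct {
    int      sessionActive;   /* SPDM secured session established */
    int      simSpdmResult;   /* what the simulated secured exchange returns */
    uint16_t simRespVdCode;   /* vendor code the simulated responder replies with */
    int      cleartextSends;  /* times the unencrypted transport path was used */
} ex_ctx_t;

/* Simulated secured exchange. On success `resp` holds a 2-byte big-endian
 * vendor code followed by constructed TPM response bytes. */
static int ex_secured_exchange(ex_ctx_t* ctx, uint8_t* resp, size_t respSz,
                               size_t* respLen)
{
    if (ctx->simSpdmResult != EX_RC_SUCCESS)
        return ctx->simSpdmResult;
    if (respSz < 4)
        return EX_ERR_SHORT_RESP;
    resp[0] = (uint8_t)(ctx->simRespVdCode >> 8);
    resp[1] = (uint8_t)(ctx->simRespVdCode & 0xFF);
    resp[2] = 0x80; resp[3] = 0x01;   /* constructed TPM2 response tag */
    *respLen = 4;
    return EX_RC_SUCCESS;
}

static int ex_send_cleartext(ex_ctx_t* ctx)
{
    ctx->cleartextSends++;
    return EX_RC_SUCCESS;
}

/* BEFORE: a failed secured exchange falls through to a cleartext retry, and
 * the vendor code in the reply is never compared with what was requested. */
int ex_send_command_before(ex_ctx_t* ctx)
{
    uint8_t resp[16];
    size_t  len = 0;
    int     rc = EX_RC_SUCCESS;
    if (ctx->sessionActive)
        rc = ex_secured_exchange(ctx, resp, sizeof(resp), &len);
    if (!ctx->sessionActive || rc != EX_RC_SUCCESS)
        rc = ex_send_cleartext(ctx);      /* silent downgrade to plaintext */
    return rc;
}

/* AFTER: with a session active the secured result is final (no cleartext
 * retry), and the payload is used only if the reply's vendor code matches. */
int ex_send_command_after(ex_ctx_t* ctx, uint16_t expectedVd)
{
    uint8_t  resp[16];
    size_t   len = 0;
    uint16_t gotVd;
    int      rc;
    if (!ctx->sessionActive)
        return ex_send_cleartext(ctx);    /* only legal before any session */
    rc = ex_secured_exchange(ctx, resp, sizeof(resp), &len);
    if (rc != EX_RC_SUCCESS)
        return rc;
    if (len < 2)
        return EX_ERR_SHORT_RESP;
    gotVd = (uint16_t)((resp[0] << 8) | resp[1]);
    if (gotVd != expectedVd)
        return EX_ERR_BAD_VDCODE;         /* payload never reaches the caller */
    return EX_RC_SUCCESS;
}

/* Runs one scenario through the BEFORE (before=1) or AFTER (before=0) path.
 * Returns the command result; *cleartextSends reports downgrades, if wanted. */
int ex_scenario(int before, int sessionActive, int spdmResult,
                uint16_t respVd, uint16_t expectedVd, int* cleartextSends)
{
    ex_ctx_t ctx;
    int rc;
    memset(&ctx, 0, sizeof(ctx));
    ctx.sessionActive = sessionActive;
    ctx.simSpdmResult = spdmResult;
    ctx.simRespVdCode = respVd;
    rc = before ? ex_send_command_before(&ctx)
                : ex_send_command_after(&ctx, expectedVd);
    if (cleartextSends)
        *cleartextSends = ctx.cleartextSends;
    return rc;
}

/* Same scenario, returning only the number of cleartext sends. */
int ex_scenario_cleartext(int before, int sessionActive, int spdmResult,
                          uint16_t respVd, uint16_t expectedVd)
{
    int n = 0;
    (void)ex_scenario(before, sessionActive, spdmResult, respVd, expectedVd, &n);
    return n;
}

int main(void)
{
    int n, rc;
    rc = ex_scenario(1, 1, EX_SPDM_ERR_AUTH, EX_VD_TPM2_CMD, EX_VD_TPM2_CMD, &n);
    printf("before: rc=%d cleartext sends=%d (downgraded)\n", rc, n);
    rc = ex_scenario(0, 1, EX_SPDM_ERR_AUTH, EX_VD_TPM2_CMD, EX_VD_TPM2_CMD, &n);
    printf("after:  rc=%d cleartext sends=%d (error surfaced)\n", rc, n);
    rc = ex_scenario(0, 1, EX_RC_SUCCESS, EX_VD_GET_PUBK, EX_VD_TPM2_CMD, &n);
    printf("after:  rc=%d (vendor code mismatch rejected)\n", rc);
    return 0;
}
```

The point of the vendor-code check is ordering: the comparison happens on the decrypted reply before any payload bytes are handed up, so a responder (or a replayed secured message) that answers a TPM2_CMD with a GET_PUBK-shaped reply is rejected rather than parsed as a TPM response.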
danielinux previously approved these changes (Apr 7, 2026)
dgarske requested changes (Apr 7, 2026)
dgarske approved these changes (Apr 7, 2026)
Description
Migrates the standalone wolfSPDM library into wolfTPM as an in-tree spdm/ subdirectory and adds full SPDM support for both Nuvoton NPCT75x and Nations NS350 TPMs. Eliminates the external dependency; a single --enable-spdm configure flag builds everything.
wolfSPDM Library (spdm/)
GET_STS_, TPM2_CMD, PSK_SET_, PSK_CLR_)
GET_PUBK, KEY_EXCHANGE, GIVE_PUB, FINISH
PSK_EXCHANGE, PSK_FINISH
Nuvoton NPCT75x Support
Nations NS350 Support
PSK Mode
Identity Key Mode
wolfTPM Integration
automatically encrypted when SPDM session is active
SPDM Demo (examples/spdm/)
TCG SPDM Vendor Commands
Test Plan