
CRA Compliance — accompanying documentation

This page is the formal “accompanying documentation” required by CRA Art. 10 for the four CRE8EVE-shipped SDKs that are in scope under CRA Annex III as Class I important products (identity-management software):

  • @rakomi/node — packages/sdk/
  • RakomiSDK (Swift) — packages/swift/
  • rakomi_flutter (Dart) — packages/flutter/
  • @rakomi/react-native — packages/react-native/

Two package sets are referenced on this page and they are deliberately distinct:

  • CRA-scoped manufacturer products (overall): @rakomi/node, RakomiSDK (Swift), rakomi_flutter, @rakomi/react-native — the four customer-shipped SDKs in CRA Annex III scope.
  • JS-family publish set (published / publishable now): @rakomi/node, @rakomi/sdk-core, @rakomi/react, @rakomi/react-native — the four npm packages with per-package SECURITY.md. The completeness gate on this page clears the JS-family publish; native Swift/Flutter documentation is tracked separately and is not yet published.

CRA Art. 10 requirement → where it lives in this docs site:

  • Intended purpose + intended user — each SDK’s package README + Getting Started guide (each quickstart leads with intended purpose/user)
  • Manufacturer identification (CRE8EVE Sp. z o.o.) — compliance/manufacturer.md (+ root SECURITY.md § Manufacturer)
  • Conformity assessment evidence — https://github.com/rakomidev/rakomi-js/tree/main/security/cra-vulnerability-records/
  • Cybersecurity risk assessment summary — security/threat-model/traceability-matrix.yaml (categorised by CWE)
  • Vulnerability disclosure policy — per-package SECURITY.md (packages/{sdk,sdk-core,react,react-native}/SECURITY.md) + https://rakomi.com/.well-known/security.txt
  • Coordinated disclosure contact — security@rakomi.com (CAA iodef channel for both the rakomi.com and rakomi.dev zones)
  • Configuration recommendations + secure default settings — sdk/secure-defaults (one shared page, per-runtime subsections)
  • Support period / end-of-life (Art. 13(8)) — SDK Support & Lifecycle + machine-readable sdk-support.json: dated support windows of at least 5 years (60 months) per MAJOR version, attaching at 1.0
  • Software bill of materials (SBOM) — per-package sbom.cdx.json (CycloneDX format, not SPDX). Present today for @rakomi/node + @rakomi/react; generated at first publish for @rakomi/sdk-core + @rakomi/react-native
  • Patch / update policy — SemVer + CHANGELOG.md + GitHub Releases per package

The full dated, version-scoped completeness assessment lives at compliance/art10-completeness — the artifact the first public npm publish is gated on.

Article 11 — essential cybersecurity requirements


The four SDKs above are scoped under Annex III §1. The Rakomi platform itself (API, dashboard, accounts, docs, status, playground, jwks-mirror) is not in CRA Class-I scope — it is hosted infrastructure delivered as a service, not a “product with digital elements” placed on the EU market.

The public OAuth playground (playground.rakomi.dev) is explicitly out of scope — it is a sandbox demo for evaluation, not customer-shipped software. Demo credentials are publicly documented, and the demo persona is fictitious (not personal data under GDPR Art. 4(1)).

Article 13 — vulnerability handling (14-day SLA)


For products in scope, CRA Art. 13 requires manufacturers to handle vulnerabilities through a coordinated disclosure process within 14 days of becoming aware of them. The Rakomi vulnerability triage process and incident-response runbook are in security/.

Article 14 — vulnerability records (10-year retention)


Each CRA-jurisdiction finding (cra_jurisdiction: true in the traceability matrix) gets a record file in security/cra-vulnerability-records/ with the 10-year retention note in its header. Records are immutable once closed: only append-only edits are permitted.
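The rule above (every cra_jurisdiction: true finding has a record, the record header carries the retention note, and closed records only grow) is mechanical enough to check in CI. The following is an added example written for this page, not the project's own tooling; it assumes a matrix schema with `id`, `cwe` and `cra_jurisdiction` fields, record files named `<id>.md`, a header that ends at the first blank line, the literal phrase "Retention: 10 years" as the retention note, and "Status: closed" marking a closed record. All ids and record texts below are constructed sample data.

```python
# Added example, not the project's own code: an Art. 14 record-completeness
# check over the traceability matrix and the cra-vulnerability-records directory.
#
# Assumed (not stated on the page): findings carry `id`, `cwe` and
# `cra_jurisdiction`; records are `<id>.md`; the header is the text before the
# first blank line; the retention note reads "Retention: 10 years"; a closed
# record's header contains "Status: closed".

RECORDS_DIR = "security/cra-vulnerability-records"   # path from the page
RETENTION_NOTE = "Retention: 10 years"                # assumed wording

# Constructed stand-in for the parsed traceability-matrix.yaml (e.g. yaml.safe_load).
SAMPLE_MATRIX = [
    {"id": "RKM-0001", "cwe": "CWE-287", "cra_jurisdiction": True},
    {"id": "RKM-0002", "cwe": "CWE-20",  "cra_jurisdiction": False},  # out of CRA scope
    {"id": "RKM-0003", "cwe": "CWE-345", "cra_jurisdiction": True},   # record not yet written
    {"id": "RKM-0004", "cwe": "CWE-613", "cra_jurisdiction": True},   # record lacks the note
]

# Constructed stand-in for the on-disk record files (path -> file contents).
SAMPLE_RECORDS = {
    f"{RECORDS_DIR}/RKM-0001.md": "# RKM-0001\nRetention: 10 years\nStatus: closed\n\nFixed in 1.0.1.",
    f"{RECORDS_DIR}/RKM-0004.md": "# RKM-0004\nStatus: open\n\nTriage in progress.",
}


def cra_findings(matrix):
    """Only findings flagged cra_jurisdiction: true fall under Art. 14."""
    return [f for f in matrix if f.get("cra_jurisdiction") is True]


def record_header(text):
    """Header block = everything before the first blank line (assumed layout)."""
    return text.split("\n\n", 1)[0]


def check_records(matrix, records):
    """Report ids with no record file and ids whose header lacks the retention note."""
    problems = {"missing_record": [], "missing_retention_note": []}
    for finding in cra_findings(matrix):
        path = f"{RECORDS_DIR}/{finding['id']}.md"
        if path not in records:
            problems["missing_record"].append(finding["id"])
        elif RETENTION_NOTE not in record_header(records[path]):
            problems["missing_retention_note"].append(finding["id"])
    return problems


def is_closed(text):
    return "status: closed" in record_header(text).lower()


def append_only_edit(before, after):
    """A closed record may only be extended: the old contents must remain an unchanged prefix."""
    if not is_closed(before):
        return True   # open records may still be rewritten
    return after.startswith(before)


if __name__ == "__main__":
    print(check_records(SAMPLE_MATRIX, SAMPLE_RECORDS))
    # -> {'missing_record': ['RKM-0003'], 'missing_retention_note': ['RKM-0004']}
```

Wire `check_records` into the pipeline that gates a release and fail the build when either list is non-empty; `append_only_edit` is the same prefix test applied to the previous and proposed contents of a record in a pre-commit or PR check.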

The mirror at https://jwks.rakomi.dev/.well-known/jwks.json exists for auditors and compliance reviewers — a stable human-accessible URL serving the live signing keys plus a tamper-evident rotation log at https://jwks.rakomi.dev/transparency. SDKs DO NOT consume this endpoint (per ADR-004 §D8 — coupling SDKs to .dev would force a breaking release across all four CRA-scoped packages); SDKs use https://api.rakomi.com/.well-known/jwks.json exclusively.

  • security/threat-model/regulatory-applicability.md — broader regulatory mapping (NIS2 / ISO 27001 / SOC 2 / GDPR)
  • _bmad-output/implementation-artifacts/adr-004-domain-strategy.md — domain strategy ADR
  • _bmad-output/implementation-artifacts/infra-14-rakomi-dev-services.md — story file for the *.rakomi.dev services