CRA Compliance — accompanying documentation
This page is the formal “accompanying documentation” required by CRA Art. 10 for the four CRE8EVE-shipped SDKs that are in scope under CRA Annex III as Class I important products (identity-management software):
- @rakomi/node — packages/sdk/
- RakomiSDK (Swift) — packages/swift/
- rakomi_flutter (Dart) — packages/flutter/
- @rakomi/react-native — packages/react-native/
Two package sets are referenced on this page and they are deliberately distinct:
- CRA-scoped manufacturer products (overall): @rakomi/node, RakomiSDK (Swift), rakomi_flutter, @rakomi/react-native — the four customer-shipped SDKs in CRA Annex III scope.
- JS-family publish set (published / publishable now): @rakomi/node, @rakomi/sdk-core, @rakomi/react, @rakomi/react-native — the four npm packages with a per-package SECURITY.md. The completeness gate on this page clears the JS-family publish; native Swift/Flutter documentation is tracked separately and is not yet published.
Article 10 — accompanying documentation
| CRA Art. 10 requirement | Where it lives in this docs site |
|---|---|
| Intended purpose + intended user | Each SDK’s package README + Getting Started guide (each quickstart leads with intended purpose/user) |
| Manufacturer identification (CRE8EVE Sp. z o.o.) | compliance/manufacturer.md (+ root SECURITY.md § Manufacturer) |
| Conformity assessment evidence | https://github.com/rakomidev/rakomi-js/tree/main/security/cra-vulnerability-records/ |
| Cybersecurity risk assessment summary | security/threat-model/traceability-matrix.yaml (categorised by CWE) |
| Vulnerability disclosure policy | Per-package SECURITY.md (packages/{sdk,sdk-core,react,react-native}/SECURITY.md) + https://rakomi.com/.well-known/security.txt |
| Coordinated disclosure contact | security@rakomi.com (CAA iodef channel for both rakomi.com + rakomi.dev zones) |
| Configuration recommendations + secure default settings | sdk/secure-defaults (one shared page, per-runtime subsections) |
| Support period / end-of-life (Art. 13(8)) | SDK Support & Lifecycle + machine-readable sdk-support.json — dated support windows of at least 5 years (60 months) per MAJOR, attached at 1.0 |
| Software bill of materials (SBOM) | Per-package sbom.cdx.json (CycloneDX format, not SPDX). Present today for @rakomi/node + @rakomi/react; generated at first publish for @rakomi/sdk-core + @rakomi/react-native |
| Patch / update policy | SemVer + CHANGELOG.md + GitHub Releases per package |
The full dated, version-scoped completeness assessment lives at compliance/art10-completeness — the artifact the first public npm publish is gated on.
Article 11 — essential cybersecurity requirements
The four SDKs above are scoped under Annex III §1. The Rakomi platform itself (API, dashboard, accounts, docs, status, playground, jwks-mirror) is not in CRA Class-I scope — it is hosted infrastructure delivered as a service, not a “product with digital elements” placed on the EU market.
The public OAuth playground (playground.rakomi.dev) is explicitly out of scope — it is a sandbox demo for evaluation, not customer-shipped software. Demo credentials are publicly documented; the demo persona is fictitious (GDPR Art. 4(1) non-PII).
Article 13 — vulnerability handling (14-day SLA)
CRA Art. 13 requires manufacturers to handle vulnerabilities through a coordinated disclosure process within 14 days of becoming aware, for products in scope. The Rakomi vulnerability triage process and incident-response runbook are in security/.
Article 14 — vulnerability records (10-year retention)
Each CRA-jurisdiction finding (cra_jurisdiction: true in the traceability matrix) gets a record file in security/cra-vulnerability-records/ with the 10-year retention note in the header. Records are immutable once closed (append-only edits).
JWKS audit transparency
The mirror at https://jwks.rakomi.dev/.well-known/jwks.json exists for auditors and compliance reviewers — a stable, human-accessible URL serving the live signing keys plus a tamper-evident rotation log at https://jwks.rakomi.dev/transparency. SDKs DO NOT consume this endpoint (per ADR-004 §D8 — coupling SDKs to .dev would force a breaking release across all four CRA-scoped packages); SDKs use https://api.rakomi.com/.well-known/jwks.json exclusively.
See also
- security/threat-model/regulatory-applicability.md — broader regulatory mapping (NIS2 / ISO 27001 / SOC 2 / GDPR)
- _bmad-output/implementation-artifacts/adr-004-domain-strategy.md — domain strategy ADR
- _bmad-output/implementation-artifacts/infra-14-rakomi-dev-services.md — story file for the *.rakomi.dev services