SDK Support & Lifecycle
Rakomi publishes dated support windows for every SDK major version — the kind of lifecycle contract an auditor can cite. This page is the human view of our machine-readable support policy.
CRA-aligned support
🛡️ CRA-aligned support policy
Dated support contract per major version — at least 5 years (60 months) (CRA Art. 13(8)) — and coordinated vulnerability disclosure (CRA Art. 14).
Note: this is a documentation and policy posture, not a completed conformity assessment. The EU Declaration of Conformity and CE marking attach at the CRA application date (December 2027) and are not yet issued.
The policy
- Each major version receives a dated support window of at least 5 years (60 months).
- The current (N) and previous (N-1) major are supported in parallel.
- The previous major (N-1) receives security fixes only.
- Pre-1.0 (
0.x) packages carry no stability or support guarantee (SemVer 2.0.0 §4) until version 1.0.
Status legend
- Active — current major (N); receives all fixes.
- Maintenance — previous major (N-1); supported in parallel.
- Security-only — N-1 receives security & critical-regression fixes only.
- EOL — past its supported-until date; no further updates.
Support windows
Policy generated 2026-06-18
The dates below are rendered from the canonical machine-readable policy at
/.well-known/sdk-support.json — you can verify
this page is not hand-typed.
No GA versions are published yet.
Dated support windows (at least 5 years / 60 months) attach at version 1.0. Pre-1.0
(0.x) packages carry no stability or support guarantee. When the first GA
version ships, its dated window appears here automatically.
| Version | Status | Released | EOL | Notes |
|---|---|---|---|---|
| No published versions yet — see the note above. | ||||
Provenance & SBOM
Once published, each package ships with build provenance you can verify yourself:
npm audit signatures Available from the first public release — no signatures exist yet (pre-publish).
| Package | npm | SBOM (CycloneDX) | Releases | Security |
|---|---|---|---|---|
@rakomi/node | npm | sbom.cdx.json | Releases | SECURITY.md |
@rakomi/sdk-core | npm | generated at first publish | Releases | SECURITY.md |
@rakomi/react | npm | sbom.cdx.json | Releases | SECURITY.md |
@rakomi/react-native | npm | generated at first publish | Releases | SECURITY.md |
Releases, SECURITY.md and SBOM links resolve publicly from the first public release — pre-publish the source repository is private; the same files also ship inside each published npm tarball.
Verify us yourself
Don't take our word for it. From the first public release you can confirm every supply-chain claim on this page from outside our CI — these are the exact commands a skeptic runs:
- Verify registry signatures + provenance for the installed tree
npm audit signatures - Verify the provenance attestation for a published version
gh attestation verify --repo rakomidev/rakomi-js "$(npm pack @rakomi/sdk-core@latest --silent)" - Re-pack from this source at the immutable per-package tag and compare the SHA-512 digest
git checkout sdk-core/v<version> && npm ci && npm pack --workspace @rakomi/sdk-core
Full walk-through: VERIFY.md — resolves publicly from the first public release.
What provenance proves — and what it does not
Each published package carries build provenance (SLSA Build L2) generated from this public repository via OpenID Connect trusted publishing — the bytes you install are cryptographically bound to the source you can read here.
It does not claim a bit-for-bit reproducible build against any private canonical source: shared internals are inlined at build time, and the readable source here is the real, inspectable source those bytes were produced from. The substantiated claim is provenance + signatures + a public npm pack you can re-run — not reproducibility against a hidden oracle.
How this repository works (per-release clean-room snapshots)
Each published version is a self-contained clean-room snapshot committed as a zero-parent (orphan) tree — there is deliberately no linear git ancestry between releases. The version history you should follow lives in the npm version timeline and the CHANGELOG, not in git parent links. Zero-parent commits here are the model working as designed, not a sign of tampering.
This public repository is a published artifact, not a development fork: pull requests are not merged into a per-release orphan tree. Development happens upstream; each release re-publishes a fresh snapshot. Report bugs, ask questions, or open a feature request through the channels listed in each package’s SECURITY.md, and report vulnerabilities privately via GitHub private vulnerability reporting (never in a public issue).
Security advisories (GHSA) describe a fix as "fixed in version 0.x.y — see the immutable per-package tag" rather than as a commit diff: under the orphan model the authoritative, verifiable reference is the published version and its signed, immutable tag, which provenance binds to the exact source you can read.
More
- Machine-readable policy:
/.well-known/sdk-support.json - CRA accompanying documentation: CRA compliance
- Responsible disclosure: Security · Security posture: Trust