LukuID SDK

Multi-language SDK for interacting with LukuID devices and parsing, exporting, and verifying .luku forensic evidence files.

This repository is licensed under Apache License 2.0 (SPDX: Apache-2.0). See LICENSE.

Build Status

Published Status

Supported platforms

• JavaScript / TypeScript
• React web apps (via the JavaScript SDK)
• Rust
• Python
• Swift (Swift Package Manager and CocoaPods)
• Android / Kotlin

Public distribution channels

Platform	Public package
JavaScript / TypeScript	npm install @lukuid/sdk
React web apps	npm install @lukuid/sdk
Rust	cargo add lukuid-sdk
Python	python -m pip install lukuid-sdk
Swift Package Manager	.package(url: "https://github.com/lukuid/sdk.git", from: "1.0.16")
CocoaPods	pod 'LukuIDSDK', '~> 1.0'
Android / Maven Central	implementation("com.lukuid:lukuid-sdk-android:1.0.16")

The JavaScript release also publishes:

• @lukuid/core
• @lukuid/transport-webble
• @lukuid/transport-webusb
• @lukuid/transport-serial-node
• @lukuid/transport-ble-node

Android releases are also mirrored to GitHub Packages for private or pinned enterprise distribution.

Versioning and release

The SDK release version is governed by a single source of truth: VERSION.

When you want to cut a new SDK release:

1. Update the canonical semver and sync every derived manifest: python3 scripts/version_sync.py apply 1.0.8
2. Verify that every managed package file matches: python3 scripts/version_sync.py check
3. Review the resulting manifest changes and commit them normally.
4. Create the release tag as v1.0.8 after the release commit is on main.

The release workflows do not publish on every merge. They only publish when all of the following are true:

• the ref is a semver tag in the form vX.Y.Z
• the tag version matches VERSION
• the tagged commit is reachable from main

This means a normal merge without a version bump is safe: CI can still test and build the SDK, but no package will be published.

If you merge release-relevant changes without bumping the version, the repository simply remains ahead of the last published SDK release until you later update VERSION, run the sync script, commit the versioned manifests, and tag that commit. Reusing an already-published version number is not safe, because registry publishes are immutable and the publish jobs will fail once they try to push an existing version.

What this SDK does

The SDK provides:

• device communication helpers
• .luku parsing
• offline verification of .luku archives
• trust profile support (prod, test, development)
• export helpers for valid LukuID devices

What this SDK does not do

The SDK does not itself create production trust.

Production-valid evidence depends on:

• valid device attestation chains
• trusted roots and intermediates
• verifier trust profile configuration

Documentation

• JavaScript
• Rust
• Python
• Apple
• Android
• Verification
• Snippets

Related repositories

• .luku specification: dotluku
• CLI: lukuid-cli

Trust profiles

By default, verification should use the prod trust profile.

Non-production profiles exist for:

• testing
• staging
• development devices
• reflashing / JTAG workflows

See TRUST_PROFILES.md.

Compatibility

This SDK follows the canonical .luku specification. See COMPATIBILITY.md.

License

Apache License 2.0 (SPDX: Apache-2.0). See LICENSE.