From 985a0a314803368690ad5e82167c5346e7deb6fa Mon Sep 17 00:00:00 2001
From: Robert DeLanghe <1240090+bdelanghe@users.noreply.github.com>
Date: Mon, 22 Jun 2026 20:38:16 -0400
Subject: [PATCH] =?UTF-8?q?feat(keeper):=20attestLaunch=20client=20(L2=20l?=
 =?UTF-8?q?aunch=20attestation)=20=E2=80=94=20v0.4.0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add attestLaunch(subject, manifest) forwarding the attest-launch door method, so a
launcher (a guest signer door) can produce a signed L2 over a room + its held
doors. Pairs with door-keeper #9.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 jsr.json      |  2 +-
 lib/keeper.ts | 35 +++++++++++++++++++++++++++++++++++
 package.json  |  2 +-
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/jsr.json b/jsr.json
index 9f22a1c..9b55398 100644
--- a/jsr.json
+++ b/jsr.json
@@ -1,6 +1,6 @@
 {
   "name": "@bounded-systems/door-kit",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "license": "PolyForm-Noncommercial-1.0.0",
   "exports": {
     "./keeper": "./lib/keeper.ts",
diff --git a/lib/keeper.ts b/lib/keeper.ts
index b54747a..97ad768 100644
--- a/lib/keeper.ts
+++ b/lib/keeper.ts
@@ -316,6 +316,41 @@ export async function importAndPush(
   });
 }
 
+/** A launch (L2) attestation request: attest that a room was launched holding
+ *  exactly these doors. `manifest` is the room's resolved door set — authority is
+ *  the held references, so the daemon digests it into the attestation. */
+export type AttestLaunchOptions = {
+  /** The launched room/box id (the subject of the launch attestation). */
+  subject: string;
+  /** The room's resolved door set / manifest (authority = held references). */
+  manifest: unknown;
+};
+
+/** keeperd's verdict for an attest-launch: `ok` carries the signed L2 plus its
+ *  content-address (`l2LaunchDigest`, what an L3 write links back to). */
+export type AttestLaunchResult =
+  | {
+      status: "ok";
+      subject: string;
+      manifestDigest: string;
+      l2LaunchDigest: string;
+      attestation: unknown;
+    }
+  | { status: "error"; code: string; message: string };
+
+/**
+ * Ask a signer door to produce a signed **L2 launch attestation** over a room +
+ * the doors it holds. The launcher acts THROUGH the door — the signing key never
+ * leaves the daemon (ocap credential isolation). The human is a guest too, so the
+ * launcher is just the launching guest's own signer door.
+ */
+export async function attestLaunch(options: AttestLaunchOptions): Promise<AttestLaunchResult> {
+  return request<AttestLaunchResult>("attest-launch", {
+    subject: options.subject,
+    manifest: options.manifest,
+  });
+}
+
 /**
  * Sign arbitrary data via keeperd.
  *
diff --git a/package.json b/package.json
index 178c102..49aa3df 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@bounded-systems/door-kit",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "private": true,
   "type": "module",
   "description": "In-box door-client SDK for claude-box's capability doors (keeper/scout/concierge/spawn), over the guest-room protocol.",