@membox-cloud/membox 0.1.0

package/README.md

@@ -0,0 +1,169 @@
+# @membox-cloud/membox
+
+Zero-knowledge encrypted memory sync for [OpenClaw](https://openclaw.ai).
+
+Keep your local Markdown memory (`MEMORY.md`, `memory/*.md`) as the source of truth, with an encrypted cloud backup for sync, recovery, and multi-device support.
+
+## Install
+
+```bash
+openclaw plugins install @membox-cloud/membox
+```
+
+## Prerequisites
+
+- OpenClaw >= 2026.3.7
+- A [membox.cloud](https://membox.cloud) account (GitHub, Google, or email login)
+
+## Quick Start
+
+### 1. Setup
+
+```bash
+openclaw membox setup
+```
+
+This will:
+- Start device authorization via `membox.cloud`
+- Prompt for a vault passphrase (never sent to server)
+- Create a new account master key for first-device setup, or request trusted-device approval for an existing vault
+- Generate recovery materials on first-device setup
+- Run initial upload or pull depending on whether the vault already exists
+
+**Save the recovery code** displayed at the end. Without it and your passphrase, encrypted data cannot be recovered.
+
+### 2. Sync
+
+```bash
+openclaw membox sync
+```
+
+Upload local changes to the encrypted cloud replica.
+
+### 3. Pull
+
+```bash
+openclaw membox pull
+openclaw membox pull --preview
+```
+
+Download remote changes. Use `--preview` to inspect before applying.
+
+### 4. Status
+
+```bash
+openclaw membox status
+```
+
+Show vault state, sync cursor, and device info.
+
+### 5. Restore
+
+```bash
+openclaw membox restore
+```
+
+Restore access on a new device with your recovery bundle and recovery code.
+
+### 6. Trusted-device approval
+
+On an existing unlocked device:
+
+```bash
+openclaw membox grants approve-pending
+```
+
+Approve pending new-device requests and transfer the encrypted account master key.
+
+## CLI Commands
+
+| Command | Description |
+|---------|-------------|
+| `membox setup` | Initial setup and device authorization |
+| `membox unlock` | Unlock vault for the current session |
+| `membox restore` | Restore vault access from the recovery bundle |
+| `membox sync` | Upload local changes to cloud |
+| `membox pull` | Download remote changes |
+| `membox status` | Show vault status |
+| `membox grants approve-pending` | Approve pending trusted-device requests |
+| `membox pause` | Pause automatic sync |
+| `membox resume` | Resume automatic sync |
+
+## Agent Tools
+
+The plugin also registers LLM-callable tools:
+
+- `membox_status` - Check vault status
+- `membox_sync` - Trigger sync
+- `membox_setup_start` - Begin setup flow
+- `membox_setup_poll` - Poll pending browser authorization
+- `membox_setup_finish` - Finish setup from local passphrase and recovery-code files
+- `membox_unlock` - Unlock the vault from a local passphrase file
+- `membox_unlock_secret_enable` - Explicitly opt this machine into managed local auto-unlock
+- `membox_unlock_secret_disable` - Disable the managed local auto-unlock secret
+- `membox_grants_approve_pending` - Approve trusted-device requests
+- `membox_pull` - Preview or apply remote changes
+- `membox_restore` - Restore with local recovery-code and passphrase files
+
+Security note:
+
+- Secret-bearing tools read from local files so the model does not need the vault passphrase or recovery code inline.
+- First-device tool-only setup should always provide a local `recovery_code_output_file` so the recovery code never needs to travel through the model.
+- Managed unlock is explicit opt-in. When enabled, the passphrase is kept in the local keychain for future auto-unlock on that machine.
+- On Unix-like systems, passphrase and recovery-code files should be private, for example `chmod 600 /path/to/file`.
+
+## Configuration
+
+In your OpenClaw plugin config:
+
+```json
+{
+  "serverUrl": "https://membox.cloud"
+}
+```
+
+The default server is `https://membox.cloud`. Override with `serverUrl` for self-hosted deployments.
+
+## Local Development
+
+Run the following commands from the repository root:
+
+```bash
+source ./scripts/dev-env.sh
+pnpm --filter @membox-cloud/membox build
+openclaw plugins install -l ./apps/openclaw-plugin
+openclaw plugins doctor
+```
+
+The plugin's `serverUrl` is environment-driven in local development. Source `scripts/dev-env.sh` in every terminal where you run `openclaw membox ...`, or it will fall back to the default production URL.
+
+For local verification, all plugin debug logs can be redirected into the repository `./logs/` directory by exporting `MEMBOX_LOG_FILE` before starting OpenClaw.
+
+For a full manual validation flow, see `./MANUAL-DUAL-DEVICE-CHECKLIST.md`.
+
+For an agent-first install + pairing flow, see `./AGENT-WORKFLOW.md` and run `bash scripts/install-membox-agent-stack.sh` from the repository root.
+
+For release, production rollout, and final human-owned checks, see `./RELEASE-CHECKLIST.md`.
+
+If native `keytar` support is unavailable on your machine, setup/unlock will now fail closed by default instead of silently writing secrets in plaintext. For local sandbox testing only, you can opt into the old file-based fallback with `MEMBOX_ALLOW_INSECURE_FILE_KEYCHAIN=1`.
+
+## Security Model
+
+- **Zero-knowledge**: encryption/decryption happens locally. The server never sees plaintext.
+- **Key hierarchy**: `passphrase -> URK -> AMK -> DEK`
+  - URK (User Root Key): derived from passphrase via Argon2id
+  - AMK (Account Master Key): random, wrapped by URK
+  - DEK (Data Encryption Key): per-object, wrapped by AMK
+- **Recovery**: recovery code + passphrase can restore AMK on a new device
+- **Device approval**: existing devices can grant key material to new devices via Ed25519-signed encrypted grants
+
+## Known Limitations (v0.1.0-alpha)
+
+- Requires a reachable Membox API endpoint
+- No selective file sync (all memory files are included)
+- Conflict resolution strategies: `local-wins`, `remote-wins`, `conflict-copy`
+- Auto-sync interval is not yet configurable
+
+## License
+
+Private - see repository for details.

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+declare const memboxPlugin: {
+    id: string;
+    name: string;
+    description: string;
+    register(api: OpenClawPluginApi): void;
+};
+export default memboxPlugin;

package/dist/index.js

@@ -0,0 +1,159 @@
+import { resolveConfig } from "./src/config.js";
+import { createStatusTool } from "./src/tools/status.js";
+import { createSyncTool } from "./src/tools/sync.js";
+import { createSetupStartTool } from "./src/tools/setup-start.js";
+import { createSetupPollTool } from "./src/tools/setup-poll.js";
+import { createSetupFinishTool } from "./src/tools/setup-finish.js";
+import { createUnlockTool } from "./src/tools/unlock.js";
+import { createUnlockSecretDisableTool, createUnlockSecretEnableTool, } from "./src/tools/unlock-secret.js";
+import { createApprovePendingGrantsTool } from "./src/tools/grants-approve-pending.js";
+import { createPullTool } from "./src/tools/pull.js";
+import { createRestoreTool } from "./src/tools/restore.js";
+import { injectVaultStatus } from "./src/hooks/prompt-inject.js";
+import { onGatewayStart, onGatewayStop } from "./src/hooks/gateway-lifecycle.js";
+const memboxPlugin = {
+    id: "membox",
+    name: "Membox Vault",
+    description: "Encrypted memory sync for Membox",
+    register(api) {
+        const cfg = resolveConfig(api.pluginConfig);
+        api.logger.info(`membox loaded, server: ${cfg.serverUrl}`);
+        // CLI commands
+        api.registerCli(({ program }) => {
+            const vault = program
+                .command("membox")
+                .description("Encrypted memory sync");
+            vault
+                .command("setup")
+                .description("Set up encrypted sync")
+                .action(async () => {
+                const { setupAction } = await import("./src/cli/setup.js");
+                await setupAction(cfg);
+            });
+            vault
+                .command("unlock")
+                .description("Unlock vault for this session")
+                .action(async () => {
+                const { unlockAction } = await import("./src/cli/unlock.js");
+                await unlockAction();
+            });
+            const unlockSecret = vault
+                .command("unlock-secret")
+                .description("Manage the local agent-managed unlock secret");
+            unlockSecret
+                .command("enable")
+                .description("Enable managed unlock on this machine")
+                .action(async () => {
+                const { readPassphrase } = await import("./src/cli/passphrase-input.js");
+                const { enableManagedUnlockAction } = await import("./src/cli/unlock.js");
+                const passphrase = await readPassphrase("Vault passphrase: ");
+                await enableManagedUnlockAction(passphrase);
+            });
+            unlockSecret
+                .command("disable")
+                .description("Disable managed unlock on this machine")
+                .action(async () => {
+                const { disableManagedUnlockAction } = await import("./src/cli/unlock.js");
+                await disableManagedUnlockAction();
+            });
+            vault
+                .command("restore")
+                .description("Restore vault access from a recovery bundle")
+                .action(async () => {
+                const { restoreAction } = await import("./src/cli/restore.js");
+                await restoreAction(cfg);
+            });
+            vault
+                .command("sync")
+                .description("Sync local changes to cloud")
+                .option("--on-conflict <strategy>", "conflict strategy: local-wins | remote-wins | conflict-copy", "conflict-copy")
+                .action(async (opts) => {
+                const { syncAction } = await import("./src/cli/sync.js");
+                await syncAction({ onConflict: opts.onConflict });
+            });
+            vault
+                .command("pull")
+                .description("Pull remote changes")
+                .option("--preview", "show changes without downloading")
+                .option("--on-conflict <strategy>", "conflict strategy: local-wins | remote-wins | conflict-copy", "conflict-copy")
+                .action(async (opts) => {
+                const { pullAction } = await import("./src/cli/pull.js");
+                await pullAction({ preview: opts.preview, onConflict: opts.onConflict });
+            });
+            vault
+                .command("status")
+                .description("Show vault status")
+                .action(async () => {
+                const { statusAction } = await import("./src/cli/status.js");
+                await statusAction();
+            });
+            vault
+                .command("grants")
+                .description("Manage trusted-device approvals")
+                .command("approve-pending")
+                .description("Approve pending new-device requests using this unlocked device")
+                .action(async () => {
+                const { approvePendingGrantsAction } = await import("./src/cli/grants.js");
+                await approvePendingGrantsAction();
+            });
+            vault
+                .command("pause")
+                .description("Pause auto-sync")
+                .action(async () => {
+                const { pauseAction } = await import("./src/cli/pause.js");
+                await pauseAction();
+                const { getAutoSync } = await import("./src/hooks/gateway-lifecycle.js");
+                getAutoSync()?.stop();
+            });
+            vault
+                .command("resume")
+                .description("Resume auto-sync")
+                .action(async () => {
+                const { resumeAction } = await import("./src/cli/pause.js");
+                await resumeAction();
+                const { getAutoSync, startAutoSync } = await import("./src/hooks/gateway-lifecycle.js");
+                let as = getAutoSync();
+                if (!as) {
+                    as = await startAutoSync();
+                }
+                if (as) {
+                    as.start();
+                    as.triggerNow();
+                }
+            });
+        }, { commands: ["membox"] });
+        // Agent tools (LLM-callable)
+        api.registerTool(() => [
+            createStatusTool(),
+            createSyncTool(),
+            createSetupStartTool(cfg),
+            createSetupPollTool(cfg),
+            createSetupFinishTool(cfg),
+            createUnlockTool(),
+            createUnlockSecretEnableTool(),
+            createUnlockSecretDisableTool(),
+            createApprovePendingGrantsTool(),
+            createPullTool(),
+            createRestoreTool(cfg),
+        ], {
+            names: [
+                "membox_status",
+                "membox_sync",
+                "membox_setup_start",
+                "membox_setup_poll",
+                "membox_setup_finish",
+                "membox_unlock",
+                "membox_unlock_secret_enable",
+                "membox_unlock_secret_disable",
+                "membox_grants_approve_pending",
+                "membox_pull",
+                "membox_restore",
+            ],
+        });
+        // Hooks
+        api.on("before_prompt_build", injectVaultStatus);
+        api.on("gateway_start", onGatewayStart);
+        api.on("gateway_stop", onGatewayStop);
+    },
+};
+export default memboxPlugin;

package/dist/src/api/account.d.ts

@@ -0,0 +1,3 @@
+import type { AccountMe } from "../contract-types.js";
+import type { MemboxApiClient } from "./client.js";
+export declare function getAccountMe(c: MemboxApiClient): Promise<AccountMe>;

package/dist/src/api/account.js

@@ -0,0 +1,3 @@
+export function getAccountMe(c) {
+    return c.get("/account/me");
+}

package/dist/src/api/client.d.ts

@@ -0,0 +1,21 @@
+export declare class ApiError extends Error {
+    status: number;
+    code: string;
+    constructor(status: number, code: string, message: string);
+}
+/**
+ * Typed HTTP client for the Membox API.
+ * Handles auth headers and automatic token refresh on 401.
+ */
+export declare class MemboxApiClient {
+    private baseUrl;
+    private getAccessToken;
+    private getRefreshToken;
+    private onTokenRefresh;
+    constructor(baseUrl: string, getAccessToken: () => Promise<string | null>, getRefreshToken: () => Promise<string | null>, onTokenRefresh: (accessToken: string, refreshToken: string) => Promise<void>);
+    request<T>(method: string, path: string, body?: unknown, retry?: boolean): Promise<T>;
+    private tryRefresh;
+    get<T>(path: string): Promise<T>;
+    post<T>(path: string, body?: unknown): Promise<T>;
+    del<T>(path: string): Promise<T>;
+}

package/dist/src/api/client.js

@@ -0,0 +1,107 @@
+import { debugLog } from "../debug-logger.js";
+export class ApiError extends Error {
+    status;
+    code;
+    constructor(status, code, message) {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.name = "ApiError";
+    }
+}
+/**
+ * Typed HTTP client for the Membox API.
+ * Handles auth headers and automatic token refresh on 401.
+ */
+export class MemboxApiClient {
+    baseUrl;
+    getAccessToken;
+    getRefreshToken;
+    onTokenRefresh;
+    constructor(baseUrl, getAccessToken, getRefreshToken, onTokenRefresh) {
+        this.baseUrl = baseUrl;
+        this.getAccessToken = getAccessToken;
+        this.getRefreshToken = getRefreshToken;
+        this.onTokenRefresh = onTokenRefresh;
+    }
+    async request(method, path, body, retry = true) {
+        const url = `${this.baseUrl}${path}`;
+        const headers = {
+            "Content-Type": "application/json",
+        };
+        const token = await this.getAccessToken();
+        if (token) {
+            headers["Authorization"] = `Bearer ${token}`;
+        }
+        debugLog.apiRequest(method, url);
+        const t0 = Date.now();
+        let res;
+        try {
+            res = await fetch(url, {
+                method,
+                headers,
+                body: body ? JSON.stringify(body) : undefined,
+            });
+        }
+        catch (err) {
+            debugLog.apiError(method, url, err);
+            throw err;
+        }
+        debugLog.apiResponse(method, url, res.status, Date.now() - t0);
+        if (res.status === 401 && retry) {
+            debugLog.info("api-client", "Got 401, attempting token refresh...");
+            const refreshed = await this.tryRefresh();
+            if (refreshed) {
+                return this.request(method, path, body, false);
+            }
+        }
+        if (!res.ok) {
+            const err = (await res.json().catch(() => null));
+            const apiErr = new ApiError(res.status, err?.error?.code ?? "unknown", err?.error?.message ?? res.statusText);
+            debugLog.apiError(method, url, apiErr);
+            throw apiErr;
+        }
+        // Handle 204 No Content
+        if (res.status === 204) {
+            return undefined;
+        }
+        return res.json();
+    }
+    async tryRefresh() {
+        const rt = await this.getRefreshToken();
+        if (!rt) {
+            debugLog.warn("api-client", "Token refresh skipped: no refresh token");
+            return false;
+        }
+        const url = `${this.baseUrl}/auth/token/refresh`;
+        try {
+            debugLog.apiRequest("POST", url);
+            const t0 = Date.now();
+            const res = await fetch(url, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ refresh_token: rt }),
+            });
+            debugLog.apiResponse("POST", url, res.status, Date.now() - t0);
+            if (!res.ok)
+                return false;
+            const data = (await res.json());
+            await this.onTokenRefresh(data.access_token, data.refresh_token);
+            debugLog.info("api-client", "Token refresh succeeded");
+            return true;
+        }
+        catch (err) {
+            debugLog.apiError("POST", url, err);
+            return false;
+        }
+    }
+    get(path) {
+        return this.request("GET", path);
+    }
+    post(path, body) {
+        return this.request("POST", path, body);
+    }
+    del(path) {
+        return this.request("DELETE", path);
+    }
+}

package/dist/src/api/device-flow.d.ts

@@ -0,0 +1,9 @@
+import type { DeviceStartRequest, DeviceStartResponse, DevicePollResponse, TokenResponse } from "../contract-types.js";
+import type { MemboxApiClient } from "./client.js";
+export declare function startDeviceFlow(client: MemboxApiClient, params: DeviceStartRequest): Promise<DeviceStartResponse>;
+export declare function pollDeviceFlowOnce(client: MemboxApiClient, deviceCode: string): Promise<DevicePollResponse>;
+/**
+ * Poll the device code endpoint until authorization is granted, denied, or expired.
+ * Respects the server's interval and backs off on slow_down responses.
+ */
+export declare function pollDeviceFlow(client: MemboxApiClient, deviceCode: string, interval: number, expiresIn: number): Promise<TokenResponse>;

package/dist/src/api/device-flow.js

@@ -0,0 +1,55 @@
+export async function startDeviceFlow(client, params) {
+    return client.post("/device/start", params);
+}
+export async function pollDeviceFlowOnce(client, deviceCode) {
+    return client.get(`/device/poll/${deviceCode}`);
+}
+/**
+ * Poll the device code endpoint until authorization is granted, denied, or expired.
+ * Respects the server's interval and backs off on slow_down responses.
+ */
+export async function pollDeviceFlow(client, deviceCode, interval, expiresIn) {
+    const deadline = Date.now() + expiresIn * 1000;
+    let waitMs = interval * 1000;
+    let transientErrors = 0;
+    const MAX_TRANSIENT_ERRORS = 5;
+    while (Date.now() < deadline) {
+        await sleep(waitMs);
+        let res;
+        try {
+            res = await pollDeviceFlowOnce(client, deviceCode);
+            transientErrors = 0; // reset on success
+        }
+        catch (err) {
+            transientErrors++;
+            if (transientErrors >= MAX_TRANSIENT_ERRORS) {
+                throw new Error(`Device code polling failed after ${MAX_TRANSIENT_ERRORS} consecutive errors: ${err instanceof Error ? err.message : String(err)}`);
+            }
+            waitMs = Math.min(waitMs + 1000, 10000); // backoff on transient error
+            continue;
+        }
+        switch (res.status) {
+            case "access_granted":
+                return {
+                    access_token: res.access_token,
+                    refresh_token: res.refresh_token,
+                    token_type: res.token_type ?? "Bearer",
+                    expires_in: res.expires_in,
+                    device_id: res.device_id,
+                };
+            case "slow_down":
+                waitMs = Math.min(waitMs + 1000, 10000);
+                break;
+            case "expired_token":
+                throw new Error("Device code expired. Please try again.");
+            case "denied":
+                throw new Error("Device authorization was denied.");
+            case "authorization_pending":
+                break;
+        }
+    }
+    throw new Error("Device code flow timed out.");
+}
+function sleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}

package/dist/src/api/devices.d.ts

@@ -0,0 +1,10 @@
+import type { DeviceSummary, DeviceGrantOut, DeviceGrantApproveInput, GenericMessage } from "../contract-types.js";
+import type { MemboxApiClient } from "./client.js";
+export declare function listDevices(c: MemboxApiClient): Promise<DeviceSummary[]>;
+export declare function revokeDevice(c: MemboxApiClient, deviceId: string): Promise<GenericMessage>;
+export declare function revokeCurrentDevice(c: MemboxApiClient): Promise<GenericMessage>;
+export declare function requestGrant(c: MemboxApiClient, targetDeviceId: string): Promise<DeviceGrantOut>;
+export declare function getPendingGrants(c: MemboxApiClient): Promise<DeviceGrantOut[]>;
+export declare function approveGrant(c: MemboxApiClient, grantId: string, body: DeviceGrantApproveInput): Promise<DeviceGrantOut>;
+export declare function rejectGrant(c: MemboxApiClient, grantId: string): Promise<GenericMessage>;
+export declare function getGrant(c: MemboxApiClient, grantId: string): Promise<DeviceGrantOut>;

package/dist/src/api/devices.js

@@ -0,0 +1,24 @@
+export function listDevices(c) {
+    return c.get("/devices/");
+}
+export function revokeDevice(c, deviceId) {
+    return c.post(`/devices/${deviceId}/revoke`);
+}
+export function revokeCurrentDevice(c) {
+    return c.post("/devices/self/revoke");
+}
+export function requestGrant(c, targetDeviceId) {
+    return c.post(`/devices/${targetDeviceId}/grants`);
+}
+export function getPendingGrants(c) {
+    return c.get("/devices/grants/pending");
+}
+export function approveGrant(c, grantId, body) {
+    return c.post(`/devices/grants/${grantId}/approve`, body);
+}
+export function rejectGrant(c, grantId) {
+    return c.post(`/devices/grants/${grantId}/reject`);
+}
+export function getGrant(c, grantId) {
+    return c.get(`/devices/grants/${grantId}`);
+}

package/dist/src/api/recovery.d.ts

@@ -0,0 +1,5 @@
+import type { RecoveryMaterialStatus, RecoveryMaterialUpload, RecoveryBundleDownload, RecoveryDownloadInput, GenericMessage } from "../contract-types.js";
+import type { MemboxApiClient } from "./client.js";
+export declare function getRecoveryStatus(c: MemboxApiClient): Promise<RecoveryMaterialStatus>;
+export declare function uploadRecoveryMaterial(c: MemboxApiClient, input: RecoveryMaterialUpload): Promise<GenericMessage>;
+export declare function downloadRecoveryBundle(c: MemboxApiClient, input?: RecoveryDownloadInput): Promise<RecoveryBundleDownload>;

package/dist/src/api/recovery.js

@@ -0,0 +1,9 @@
+export function getRecoveryStatus(c) {
+    return c.get("/recovery/materials");
+}
+export function uploadRecoveryMaterial(c, input) {
+    return c.post("/recovery/materials", input);
+}
+export function downloadRecoveryBundle(c, input) {
+    return c.post("/recovery/bundle/download", input ?? { material_type: "recovery_bundle" });
+}

package/dist/src/api/sync.d.ts

@@ -0,0 +1,9 @@
+import type { SyncStatusResponse, SyncChangesResponse, SyncCommitInput, SyncCommitResponse, BinaryUploadInput, BinaryUploadResponse, BinaryDownloadResponse, ManifestResponse } from "../contract-types.js";
+import type { MemboxApiClient } from "./client.js";
+export declare function getSyncStatus(c: MemboxApiClient): Promise<SyncStatusResponse>;
+export declare function getSyncChanges(c: MemboxApiClient, cursor: number): Promise<SyncChangesResponse>;
+export declare function commitObject(c: MemboxApiClient, input: SyncCommitInput): Promise<SyncCommitResponse>;
+export declare function uploadBlob(c: MemboxApiClient, input: BinaryUploadInput): Promise<BinaryUploadResponse>;
+export declare function downloadBlob(c: MemboxApiClient, blobKey: string): Promise<BinaryDownloadResponse>;
+export declare function getManifest(c: MemboxApiClient, objectId: string, version?: number): Promise<ManifestResponse>;
+export declare function deleteObject(c: MemboxApiClient, objectId: string): Promise<void>;

package/dist/src/api/sync.js

@@ -0,0 +1,22 @@
+export function getSyncStatus(c) {
+    return c.get("/sync/status");
+}
+export function getSyncChanges(c, cursor) {
+    return c.get(`/sync/changes?cursor=${cursor}`);
+}
+export function commitObject(c, input) {
+    return c.post("/sync/objects/commit", input);
+}
+export function uploadBlob(c, input) {
+    return c.post("/sync/blobs/upload", input);
+}
+export function downloadBlob(c, blobKey) {
+    return c.get(`/sync/blobs/${encodeURIComponent(blobKey)}`);
+}
+export function getManifest(c, objectId, version) {
+    const q = version != null ? `?version=${version}` : "";
+    return c.get(`/sync/objects/${objectId}/manifest${q}`);
+}
+export function deleteObject(c, objectId) {
+    return c.del(`/sync/objects/${objectId}`);
+}

package/dist/src/cli/bootstrap.d.ts

@@ -0,0 +1,37 @@
+import type { AccountMe, Platform, TokenResponse } from "../contract-types.js";
+import type { memboxConfig } from "../config.js";
+import { type DeviceKeyPair } from "../crypto/device-keys.js";
+import { MemboxApiClient } from "../api/client.js";
+import { type PendingSetupState } from "../store/pending-setup.js";
+export interface AuthorizedDeviceContext {
+    baseUrl: string;
+    deviceName: string;
+    platform: Platform;
+    deviceKeys: DeviceKeyPair;
+    tokens: TokenResponse;
+    client: MemboxApiClient;
+    account: AccountMe;
+}
+export interface SetupAuthorizationStatus {
+    status: "not_started" | "authorization_pending" | "slow_down" | "authorized" | "denied" | "expired";
+    pendingSetup: PendingSetupState | null;
+    retryAfterSeconds?: number;
+    message?: string;
+}
+export declare function toB64(data: Uint8Array): string;
+export declare function fromB64(value: string): Uint8Array;
+export declare function detectPlatform(): Platform;
+export declare function tryOpenUrl(url: string): boolean;
+export declare function clearPendingSetupArtifacts(): Promise<void>;
+export declare function ensurePendingDeviceAuthorization(cfg: memboxConfig): Promise<{
+    pendingSetup: PendingSetupState;
+    created: boolean;
+}>;
+export declare function pollPendingDeviceAuthorizationOnce(cfg: memboxConfig): Promise<SetupAuthorizationStatus>;
+export declare function authorizeDevice(cfg: memboxConfig): Promise<AuthorizedDeviceContext>;
+export declare function persistVaultSecrets(params: {
+    deviceKeys: DeviceKeyPair;
+    passphrase: string;
+    amk: Uint8Array;
+    refreshToken: string;
+}): Promise<void>;