@membox-cloud/membox 0.1.0

package/dist/src/cli/bootstrap.js

@@ -0,0 +1,326 @@
+import { execFile } from "node:child_process";
+import { hostname } from "node:os";
+import { API_PREFIX, PLUGIN_VERSION } from "../constants.js";
+import { deriveURK } from "../crypto/kdf.js";
+import { wrapAMK } from "../crypto/keys.js";
+import { generateDeviceKeyPair, } from "../crypto/device-keys.js";
+import { getAccountMe } from "../api/account.js";
+import { MemboxApiClient } from "../api/client.js";
+import { pollDeviceFlow, pollDeviceFlowOnce, startDeviceFlow, } from "../api/device-flow.js";
+import { ACCOUNTS, getBytes, getString, storeBytes, storeString, clearPendingSetupSecrets, } from "../store/keychain.js";
+import { deletePendingSetup, isPendingSetupExpired, readPendingSetup, writePendingSetup, } from "../store/pending-setup.js";
+export function toB64(data) {
+    return Buffer.from(data).toString("base64");
+}
+export function fromB64(value) {
+    return new Uint8Array(Buffer.from(value, "base64"));
+}
+export function detectPlatform() {
+    switch (process.platform) {
+        case "darwin":
+            return "macos";
+        case "win32":
+            return "windows";
+        case "linux":
+            return "linux";
+        default:
+            return "unknown";
+    }
+}
+export function tryOpenUrl(url) {
+    if (process.platform === "linux" &&
+        !process.env.DISPLAY &&
+        !process.env.WAYLAND_DISPLAY) {
+        return false;
+    }
+    try {
+        const cmd = process.platform === "darwin"
+            ? "open"
+            : process.platform === "win32"
+                ? "start"
+                : "xdg-open";
+        execFile(cmd, [url], { shell: process.platform === "win32" }, () => { });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function createAnonymousClient(baseUrl) {
+    return new MemboxApiClient(baseUrl, async () => null, async () => null, async () => { });
+}
+function createAuthenticatedClient(params) {
+    let accessToken = params.accessToken ?? null;
+    let refreshToken = params.refreshToken;
+    return new MemboxApiClient(params.baseUrl, async () => accessToken, async () => refreshToken, async (access, refresh) => {
+        accessToken = access;
+        refreshToken = refresh;
+        await storeString(params.refreshTokenAccount, refresh);
+    });
+}
+function pendingSetupBaseUrl(cfg) {
+    return cfg.serverUrl + API_PREFIX;
+}
+function describeAccount(account) {
+    return account.display_name ?? account.primary_email ?? account.user_id;
+}
+async function storePendingSetupDeviceKeys(deviceKeys) {
+    await storeBytes(ACCOUNTS.PENDING_SETUP_ED25519_PRIVATE, deviceKeys.ed25519.privateKey);
+    await storeBytes(ACCOUNTS.PENDING_SETUP_ED25519_PUBLIC, deviceKeys.ed25519.publicKey);
+    await storeBytes(ACCOUNTS.PENDING_SETUP_X25519_PRIVATE, deviceKeys.x25519.privateKey);
+    await storeBytes(ACCOUNTS.PENDING_SETUP_X25519_PUBLIC, deviceKeys.x25519.publicKey);
+}
+async function loadPendingSetupDeviceKeys() {
+    const [ed25519Private, ed25519Public, x25519Private, x25519Public,] = await Promise.all([
+        getBytes(ACCOUNTS.PENDING_SETUP_ED25519_PRIVATE),
+        getBytes(ACCOUNTS.PENDING_SETUP_ED25519_PUBLIC),
+        getBytes(ACCOUNTS.PENDING_SETUP_X25519_PRIVATE),
+        getBytes(ACCOUNTS.PENDING_SETUP_X25519_PUBLIC),
+    ]);
+    if (!ed25519Private ||
+        !ed25519Public ||
+        !x25519Private ||
+        !x25519Public) {
+        throw new Error("Pending setup secrets are incomplete. Start setup again to regenerate device authorization.");
+    }
+    return {
+        ed25519: {
+            privateKey: ed25519Private,
+            publicKey: ed25519Public,
+        },
+        x25519: {
+            privateKey: x25519Private,
+            publicKey: x25519Public,
+        },
+    };
+}
+export async function clearPendingSetupArtifacts() {
+    await clearPendingSetupSecrets();
+    await deletePendingSetup();
+}
+async function loadActivePendingSetup(cfg) {
+    const pendingSetup = await readPendingSetup();
+    if (!pendingSetup) {
+        return null;
+    }
+    if (pendingSetup.server_url !== cfg.serverUrl || isPendingSetupExpired(pendingSetup)) {
+        await clearPendingSetupArtifacts();
+        return null;
+    }
+    return pendingSetup;
+}
+async function createPendingSetup(cfg) {
+    const deviceName = hostname();
+    const platform = detectPlatform();
+    const deviceKeys = generateDeviceKeyPair();
+    const baseUrl = pendingSetupBaseUrl(cfg);
+    const tempClient = createAnonymousClient(baseUrl);
+    const deviceStart = await startDeviceFlow(tempClient, {
+        device_name: deviceName,
+        platform,
+        plugin_version: PLUGIN_VERSION,
+        sign_public_key_b64: toB64(deviceKeys.ed25519.publicKey),
+        kex_public_key_b64: toB64(deviceKeys.x25519.publicKey),
+    });
+    try {
+        await storePendingSetupDeviceKeys(deviceKeys);
+    }
+    catch (error) {
+        throw new Error(`Failed to persist pending setup device keys in the local keychain: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    const pendingSetup = {
+        status: "pending",
+        server_url: cfg.serverUrl,
+        device_name: deviceName,
+        platform,
+        device_code: deviceStart.device_code,
+        user_code: deviceStart.user_code,
+        verification_uri: deviceStart.verification_uri,
+        verification_uri_complete: deviceStart.verification_uri_complete,
+        interval_seconds: deviceStart.interval,
+        expires_at: new Date(Date.now() + deviceStart.expires_in * 1000).toISOString(),
+        started_at: new Date().toISOString(),
+    };
+    try {
+        await writePendingSetup(pendingSetup);
+    }
+    catch (error) {
+        throw new Error(`Failed to persist pending setup state on disk: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    return pendingSetup;
+}
+export async function ensurePendingDeviceAuthorization(cfg) {
+    const existing = await loadActivePendingSetup(cfg);
+    if (existing) {
+        return { pendingSetup: existing, created: false };
+    }
+    const created = await createPendingSetup(cfg);
+    return { pendingSetup: created, created: true };
+}
+async function finalizePendingAuthorization(cfg, pendingSetup, tokens) {
+    await storeString(ACCOUNTS.PENDING_SETUP_REFRESH_TOKEN, tokens.refresh_token);
+    const client = createAuthenticatedClient({
+        baseUrl: pendingSetupBaseUrl(cfg),
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        refreshTokenAccount: ACCOUNTS.PENDING_SETUP_REFRESH_TOKEN,
+    });
+    const account = await getAccountMe(client);
+    const authorizedSetup = {
+        ...pendingSetup,
+        status: "authorized",
+        device_id: tokens.device_id,
+        user_id: account.user_id,
+        account_label: describeAccount(account),
+        authorized_at: new Date().toISOString(),
+    };
+    await writePendingSetup(authorizedSetup);
+    return { pendingSetup: authorizedSetup, account };
+}
+export async function pollPendingDeviceAuthorizationOnce(cfg) {
+    const pendingSetup = await loadActivePendingSetup(cfg);
+    if (!pendingSetup) {
+        return {
+            status: "not_started",
+            pendingSetup: null,
+            message: "No pending setup authorization is active.",
+        };
+    }
+    if (pendingSetup.status === "authorized") {
+        return {
+            status: "authorized",
+            pendingSetup,
+            message: "Browser authorization is already complete.",
+        };
+    }
+    const client = createAnonymousClient(pendingSetupBaseUrl(cfg));
+    const result = await pollDeviceFlowOnce(client, pendingSetup.device_code);
+    if (result.status === "access_granted") {
+        const finalized = await finalizePendingAuthorization(cfg, pendingSetup, {
+            access_token: result.access_token,
+            refresh_token: result.refresh_token,
+            token_type: result.token_type ?? "Bearer",
+            expires_in: result.expires_in,
+            device_id: result.device_id,
+        });
+        return {
+            status: "authorized",
+            pendingSetup: finalized.pendingSetup,
+            message: `Authorized as ${describeAccount(finalized.account)}.`,
+        };
+    }
+    if (result.status === "authorization_pending") {
+        return {
+            status: "authorization_pending",
+            pendingSetup,
+            retryAfterSeconds: pendingSetup.interval_seconds,
+            message: "Waiting for the user to finish browser authorization.",
+        };
+    }
+    if (result.status === "slow_down") {
+        return {
+            status: "slow_down",
+            pendingSetup,
+            retryAfterSeconds: pendingSetup.interval_seconds + 1,
+            message: "The authorization server asked this device to poll more slowly.",
+        };
+    }
+    await clearPendingSetupArtifacts();
+    return {
+        status: result.status === "denied" ? "denied" : "expired",
+        pendingSetup: null,
+        message: result.status === "denied"
+            ? "The browser authorization was denied."
+            : "The browser authorization expired. Start setup again.",
+    };
+}
+async function buildAuthorizedContextFromPending(cfg, pendingSetup, options) {
+    if (pendingSetup.status !== "authorized" || !pendingSetup.device_id) {
+        throw new Error("Device authorization has not completed yet. Finish browser authorization first.");
+    }
+    const refreshToken = options?.refreshToken ??
+        (await getString(ACCOUNTS.PENDING_SETUP_REFRESH_TOKEN));
+    if (!refreshToken) {
+        throw new Error("Pending setup is missing its refresh token. Start setup again.");
+    }
+    const deviceKeys = await loadPendingSetupDeviceKeys();
+    const client = createAuthenticatedClient({
+        baseUrl: pendingSetupBaseUrl(cfg),
+        accessToken: options?.accessToken,
+        refreshToken,
+        refreshTokenAccount: ACCOUNTS.PENDING_SETUP_REFRESH_TOKEN,
+    });
+    const account = options?.account ?? (await getAccountMe(client));
+    return {
+        baseUrl: pendingSetupBaseUrl(cfg),
+        deviceName: pendingSetup.device_name,
+        platform: pendingSetup.platform,
+        deviceKeys,
+        tokens: {
+            access_token: options?.accessToken ?? "",
+            refresh_token: refreshToken,
+            token_type: "Bearer",
+            expires_in: 0,
+            device_id: pendingSetup.device_id,
+        },
+        client,
+        account,
+    };
+}
+function printAuthorizationPrompt(pendingSetup) {
+    console.log(`\n  Your code: ${pendingSetup.user_code}`);
+    console.log(`  Open: ${pendingSetup.verification_uri_complete}\n`);
+}
+async function waitForPendingAuthorization(cfg, pendingSetup) {
+    const client = createAnonymousClient(pendingSetupBaseUrl(cfg));
+    const expiresAt = Date.parse(pendingSetup.expires_at);
+    const tokens = await pollDeviceFlow(client, pendingSetup.device_code, pendingSetup.interval_seconds, Number.isFinite(expiresAt)
+        ? Math.max(1, Math.ceil((expiresAt - Date.now()) / 1000))
+        : 15 * 60);
+    const finalized = await finalizePendingAuthorization(cfg, pendingSetup, tokens);
+    console.log("Authorized!");
+    console.log(`Logged in as: ${describeAccount(finalized.account)}`);
+    return buildAuthorizedContextFromPending(cfg, finalized.pendingSetup, {
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        account: finalized.account,
+    });
+}
+export async function authorizeDevice(cfg) {
+    const { pendingSetup, created } = await ensurePendingDeviceAuthorization(cfg);
+    if (pendingSetup.status === "authorized") {
+        console.log("Reusing previously completed browser authorization.");
+        return buildAuthorizedContextFromPending(cfg, pendingSetup);
+    }
+    if (created) {
+        console.log("Starting device authorization...");
+    }
+    else {
+        console.log("Resuming pending device authorization...");
+    }
+    printAuthorizationPrompt(pendingSetup);
+    const browserOpened = tryOpenUrl(pendingSetup.verification_uri_complete);
+    if (!browserOpened) {
+        console.log("  No local browser was opened. If this machine is headless, open that URL in any trusted browser and sign in there.\n");
+    }
+    console.log("Waiting for authorization...");
+    return waitForPendingAuthorization(cfg, pendingSetup);
+}
+export async function persistVaultSecrets(params) {
+    const { urk, salt } = await deriveURK(params.passphrase);
+    try {
+        const wrappedAmk = wrapAMK(urk, params.amk);
+        await storeBytes(ACCOUNTS.ED25519_PRIVATE, params.deviceKeys.ed25519.privateKey);
+        await storeBytes(ACCOUNTS.ED25519_PUBLIC, params.deviceKeys.ed25519.publicKey);
+        await storeBytes(ACCOUNTS.X25519_PRIVATE, params.deviceKeys.x25519.privateKey);
+        await storeBytes(ACCOUNTS.X25519_PUBLIC, params.deviceKeys.x25519.publicKey);
+        await storeBytes(ACCOUNTS.WRAPPED_AMK, wrappedAmk.encrypted_amk);
+        await storeBytes(ACCOUNTS.WRAPPED_AMK_SALT, salt);
+        await storeBytes(ACCOUNTS.WRAPPED_AMK_IV, wrappedAmk.iv);
+        await storeBytes(ACCOUNTS.WRAPPED_AMK_TAG, wrappedAmk.tag);
+        await storeString(ACCOUNTS.REFRESH_TOKEN, params.refreshToken);
+    }
+    finally {
+        urk.fill(0);
+    }
+}

package/dist/src/cli/grants.d.ts

@@ -0,0 +1,8 @@
+export interface ApprovePendingGrantsResult {
+    approved: number;
+    skipped: number;
+    total: number;
+    approvedGrantIds: string[];
+}
+export declare function approvePendingGrants(): Promise<ApprovePendingGrantsResult>;
+export declare function approvePendingGrantsAction(): Promise<void>;

package/dist/src/cli/grants.js

@@ -0,0 +1,76 @@
+import { createAuthenticatedClient } from "./helpers.js";
+import { vaultSession } from "../store/session.js";
+import { getState } from "../sync/state.js";
+import { ACCOUNTS, getBytes, } from "../store/keychain.js";
+import { createDeviceGrant } from "../crypto/grant.js";
+import { computeSha256Hex } from "../crypto/manifest.js";
+import { approveGrant, getPendingGrants, } from "../api/devices.js";
+import { fromB64, toB64 } from "./bootstrap.js";
+import { ensureVaultUnlocked } from "./unlock.js";
+export async function approvePendingGrants() {
+    if (!(await ensureVaultUnlocked({ announceSuccess: true }))) {
+        return {
+            approved: 0,
+            skipped: 0,
+            total: 0,
+            approvedGrantIds: [],
+        };
+    }
+    const state = await getState();
+    const client = await createAuthenticatedClient(state);
+    const pending = await getPendingGrants(client);
+    if (pending.length === 0) {
+        console.log("No pending trusted-device approvals.");
+        return {
+            approved: 0,
+            skipped: 0,
+            total: 0,
+            approvedGrantIds: [],
+        };
+    }
+    const sourceEdPrivateKey = await getBytes(ACCOUNTS.ED25519_PRIVATE);
+    const sourceXPrivateKey = await getBytes(ACCOUNTS.X25519_PRIVATE);
+    if (!sourceEdPrivateKey || !sourceXPrivateKey) {
+        throw new Error("Device keypair missing from local keychain. Re-run setup on this device.");
+    }
+    const amk = vaultSession.getAMK();
+    let approved = 0;
+    let skipped = 0;
+    const approvedGrantIds = [];
+    for (const grant of pending) {
+        if (!grant.target_device_kex_public_key_b64) {
+            console.log(`Skipping grant ${grant.grant_id}: target device public key is missing from the API response.`);
+            skipped += 1;
+            continue;
+        }
+        const { payloadBytes, signature } = createDeviceGrant({
+            sourceEdPrivateKey,
+            sourceXPrivateKey,
+            sourceDeviceId: state.device_id,
+            targetDeviceId: grant.target_device_id,
+            targetKexPublicKey: fromB64(grant.target_device_kex_public_key_b64),
+            amk,
+        });
+        await approveGrant(client, grant.grant_id, {
+            encrypted_grant_payload_b64: toB64(payloadBytes),
+            signature: {
+                signature_algorithm: "ed25519",
+                signature_b64: toB64(signature),
+            },
+            payload_checksum_sha256: computeSha256Hex(payloadBytes),
+        });
+        console.log(`Approved grant ${grant.grant_id} for ${grant.target_device_name ?? grant.target_device_id}.`);
+        approved += 1;
+        approvedGrantIds.push(grant.grant_id);
+    }
+    console.log(`Grant approval complete. approved=${approved} skipped=${skipped}`);
+    return {
+        approved,
+        skipped,
+        total: pending.length,
+        approvedGrantIds,
+    };
+}
+export async function approvePendingGrantsAction() {
+    await approvePendingGrants();
+}

package/dist/src/cli/helpers.d.ts

@@ -0,0 +1,6 @@
+import { MemboxApiClient } from "../api/client.js";
+import type { LocalState } from "../store/local-state.js";
+/**
+ * Create an authenticated API client using stored tokens.
+ */
+export declare function createAuthenticatedClient(state: LocalState): Promise<MemboxApiClient>;

package/dist/src/cli/helpers.js

@@ -0,0 +1,13 @@
+import { MemboxApiClient } from "../api/client.js";
+import { getString, storeString, ACCOUNTS } from "../store/keychain.js";
+import { API_PREFIX } from "../constants.js";
+let cachedAccessToken = null;
+/**
+ * Create an authenticated API client using stored tokens.
+ */
+export async function createAuthenticatedClient(state) {
+    return new MemboxApiClient(state.server_url + API_PREFIX, async () => cachedAccessToken, async () => getString(ACCOUNTS.REFRESH_TOKEN), async (access, refresh) => {
+        cachedAccessToken = access;
+        await storeString(ACCOUNTS.REFRESH_TOKEN, refresh);
+    });
+}

package/dist/src/cli/passphrase-input.d.ts

@@ -0,0 +1,11 @@
+export declare function readPassphraseFromNonTty(prompt: string, input?: NodeJS.ReadableStream, output?: NodeJS.WritableStream): Promise<string>;
+/**
+ * Read a passphrase from stdin with echo disabled.
+ * Uses raw mode to suppress character display.
+ * NEVER reads from command arguments or environment variables.
+ */
+export declare function readPassphrase(prompt: string): Promise<string>;
+/**
+ * Read passphrase with confirmation (must enter twice).
+ */
+export declare function readPassphraseWithConfirm(prompt: string): Promise<string>;

package/dist/src/cli/passphrase-input.js

@@ -0,0 +1,94 @@
+import { createInterface } from "node:readline";
+const nonTtyReaders = new WeakMap();
+function getNonTtyReader(input) {
+    const existing = nonTtyReaders.get(input);
+    if (existing) {
+        return existing;
+    }
+    const rl = createInterface({
+        input,
+        terminal: false,
+        crlfDelay: Infinity,
+    });
+    const state = {
+        rl,
+        iterator: rl[Symbol.asyncIterator](),
+    };
+    nonTtyReaders.set(input, state);
+    return state;
+}
+export async function readPassphraseFromNonTty(prompt, input = process.stdin, output = process.stderr) {
+    output.write(prompt);
+    const { rl, iterator } = getNonTtyReader(input);
+    const { value, done } = await iterator.next();
+    if (done || value == null) {
+        rl.close();
+        nonTtyReaders.delete(input);
+        throw new Error("Cancelled");
+    }
+    output.write("\n");
+    return value;
+}
+/**
+ * Read a passphrase from stdin with echo disabled.
+ * Uses raw mode to suppress character display.
+ * NEVER reads from command arguments or environment variables.
+ */
+export function readPassphrase(prompt) {
+    if (!process.stdin.isTTY) {
+        return readPassphraseFromNonTty(prompt);
+    }
+    return new Promise((resolve, reject) => {
+        const rl = createInterface({
+            input: process.stdin,
+            output: process.stderr,
+            terminal: true,
+        });
+        process.stderr.write(prompt);
+        const stdin = process.stdin;
+        const wasRaw = stdin.isRaw;
+        if (stdin.isTTY) {
+            stdin.setRawMode(true);
+        }
+        let input = "";
+        const onData = (ch) => {
+            const c = ch.toString();
+            if (c === "\n" || c === "\r") {
+                if (stdin.isTTY)
+                    stdin.setRawMode(wasRaw ?? false);
+                stdin.removeListener("data", onData);
+                process.stderr.write("\n");
+                rl.close();
+                resolve(input);
+            }
+            else if (c === "\u0003") {
+                // Ctrl+C
+                if (stdin.isTTY)
+                    stdin.setRawMode(wasRaw ?? false);
+                stdin.removeListener("data", onData);
+                rl.close();
+                reject(new Error("Cancelled"));
+            }
+            else if (c === "\u007f" || c === "\b") {
+                // Backspace
+                input = input.slice(0, -1);
+            }
+            else if (c.charCodeAt(0) >= 32) {
+                // Printable character
+                input += c;
+            }
+        };
+        stdin.on("data", onData);
+    });
+}
+/**
+ * Read passphrase with confirmation (must enter twice).
+ */
+export async function readPassphraseWithConfirm(prompt) {
+    const p1 = await readPassphrase(prompt);
+    const p2 = await readPassphrase("Confirm passphrase: ");
+    if (p1 !== p2) {
+        throw new Error("Passphrases do not match.");
+    }
+    return p1;
+}

package/dist/src/cli/pause.d.ts

@@ -0,0 +1,2 @@
+export declare function pauseAction(): Promise<void>;
+export declare function resumeAction(): Promise<void>;

package/dist/src/cli/pause.js

@@ -0,0 +1,29 @@
+import { readState, writeState } from "../store/local-state.js";
+export async function pauseAction() {
+    const state = await readState();
+    if (!state?.setup_complete) {
+        console.log("Vault not set up. Run `openclaw membox setup` first.");
+        return;
+    }
+    if (state.sync_paused) {
+        console.log("Sync is already paused.");
+        return;
+    }
+    state.sync_paused = true;
+    await writeState(state);
+    console.log("Auto-sync paused. Run `openclaw membox resume` to resume.");
+}
+export async function resumeAction() {
+    const state = await readState();
+    if (!state?.setup_complete) {
+        console.log("Vault not set up. Run `openclaw membox setup` first.");
+        return;
+    }
+    if (!state.sync_paused) {
+        console.log("Sync is not paused.");
+        return;
+    }
+    state.sync_paused = false;
+    await writeState(state);
+    console.log("Auto-sync resumed.");
+}

package/dist/src/cli/provisioning.d.ts

@@ -0,0 +1,3 @@
+import { type AuthorizedDeviceContext } from "./bootstrap.js";
+export declare function rollbackIncompleteProvisioning(auth: Pick<AuthorizedDeviceContext, "client">): Promise<void>;
+export declare function runWithProvisioningRollback<T>(auth: Pick<AuthorizedDeviceContext, "client">, fn: (markProvisioned: () => void) => Promise<T>): Promise<T>;

package/dist/src/cli/provisioning.js

@@ -0,0 +1,30 @@
+import { revokeCurrentDevice } from "../api/devices.js";
+import { clearPendingSetupArtifacts, } from "./bootstrap.js";
+import { clearStoredSecrets } from "../store/keychain.js";
+import { deleteState } from "../store/local-state.js";
+import { vaultSession } from "../store/session.js";
+export async function rollbackIncompleteProvisioning(auth) {
+    vaultSession.lock();
+    try {
+        await revokeCurrentDevice(auth.client);
+    }
+    catch (error) {
+        console.warn("[membox] Failed to revoke incomplete device authorization:", error);
+    }
+    await clearStoredSecrets();
+    await clearPendingSetupArtifacts();
+    await deleteState();
+}
+export async function runWithProvisioningRollback(auth, fn) {
+    let provisioned = false;
+    try {
+        return await fn(() => {
+            provisioned = true;
+        });
+    }
+    finally {
+        if (!provisioned) {
+            await rollbackIncompleteProvisioning(auth);
+        }
+    }
+}

package/dist/src/cli/pull.d.ts

@@ -0,0 +1,31 @@
+import { type ConflictStrategy } from "../sync/conflict.js";
+export type PullActionResult = {
+    status: "locked";
+    message: string;
+} | {
+    status: "up_to_date";
+    cursor: number;
+} | {
+    status: "preview";
+    cursor: number;
+    strategy: ConflictStrategy;
+    toDownload: Array<{
+        logicalPath: string;
+        objectId: string;
+        version: number;
+        changeType: "upsert" | "delete";
+    }>;
+    conflicts: Array<{
+        logicalPath: string;
+        objectId: string;
+    }>;
+} | {
+    status: "ok";
+    cursor: number;
+    downloaded: number;
+    conflictsResolved: number;
+};
+export declare function pullAction(options?: {
+    preview?: boolean;
+    onConflict?: ConflictStrategy;
+}): Promise<PullActionResult>;