WIP

Sources/Packages/Sources/SecretAgentKit/Agent.swift

@@ -9,21 +9,20 @@ import SSHProtocolKit
 public final class Agent: Sendable {
 
     private let storeList: SecretStoreList
-    private let authenticationHandler: AuthenticationHandler
     private let witness: SigningWitness?
     private let publicKeyWriter = OpenSSHPublicKeyWriter()
     private let signatureWriter = OpenSSHSignatureWriter()
     private let certificateHandler = OpenSSHCertificateHandler()
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
+    private let authorizationCoordinator = AuthorizationCoordinator()
 
     /// Initializes an agent with a store list and a witness.
     /// - Parameters:
     ///   - storeList: The `SecretStoreList` to make available.
     ///   - witness: A witness to notify of requests.
-    public init(storeList: SecretStoreList, authenticationHandler: AuthenticationHandler, witness: SigningWitness? = nil) {
+    public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
         logger.debug("Agent is running")
         self.storeList = storeList
-        self.authenticationHandler = authenticationHandler
         self.witness = witness
         Task { @MainActor in
             await certificateHandler.reloadCertificates(for: storeList.allSecrets)
@@ -104,21 +103,23 @@ extension Agent {
             throw NoMatchingKeyError()
         }
 
-        try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
+        let decision = try await authorizationCoordinator.waitForAccessIfNeeded(to: secret, provenance: provenance)
-
+        switch decision {
-        let context: any AuthenticationContextProtocol
+        case .proceed:
-        let offerPersistence: Bool
+            break
-        if let existing = await authenticationHandler.existingAuthenticationContextProtocol(secret: secret), existing.valid {
+        case .promptForSharedAuth:
-            context = existing
+            do {
-            offerPersistence = false
+                try await store.persistAuthentication(secret: secret, forProvenance: provenance)
-        } else {
+                await authorizationCoordinator.completedPersistence(secret: secret, forProvenance: provenance)
-            context = authenticationHandler.createAuthenticationContext(secret: secret, provenance: provenance, preauthorize: false)
+            } catch {
-            offerPersistence = secret.authenticationRequirement.required
+                await authorizationCoordinator.didNotCompletePersistence(secret: secret, forProvenance: provenance)
             }
-        let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance, context: context)
+        }
+        try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
+        let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance)
         let signedData = signatureWriter.data(secret: secret, signature: rawRepresentation)
 
-        try await witness?.witness(accessTo: secret, from: store, by: provenance, offerPersistence: offerPersistence)
+        try await witness?.witness(accessTo: secret, from: store, by: provenance)
 
         logger.debug("Agent signed request")
 

Sources/Packages/Sources/SecretAgentKit/AuthenticationHandler.swift

@@ -1,78 +0,0 @@
-@unsafe @preconcurrency import LocalAuthentication
-import SecretKit
-
-/// A context describing a persisted authentication.
-public final class AuthenticationContext: AuthenticationContextProtocol {
-
-    /// The Secret to persist authentication for.
-    public let secret: AnySecret
-    /// The LAContext used to authorize the persistent context.
-    public let laContext: LAContext
-    /// An expiration date for the context.
-    /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
-    let monotonicExpiration: UInt64
-
-    /// Initializes a context.
-    /// - Parameters:
-    ///   - secret: The Secret to persist authentication for.
-    ///   - context: The LAContext used to authorize the persistent context.
-    ///   - duration: The duration of the authorization context, in seconds.
-    init<SecretType: Secret>(secret: SecretType, context: LAContext, duration: TimeInterval) {
-        self.secret = AnySecret(secret)
-        self.laContext = context
-        let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
-        self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
-    }
-
-    /// A boolean describing whether or not the context is still valid.
-    public var valid: Bool {
-        clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
-    }
-
-    public var expiration: Date {
-        let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
-        let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
-        return Date(timeIntervalSinceNow: remainingInSeconds)
-    }
-
-}
-
-public actor AuthenticationHandler: Sendable {
-
-    private var persistedContexts: [AnySecret: AuthenticationContext] = [:]
-
-    public init() {
-    }
-
-    public nonisolated func createAuthenticationContext<SecretType: Secret>(secret: SecretType, provenance: SigningRequestProvenance, preauthorize: Bool) -> AuthenticationContextProtocol {
-        let newContext = LAContext()
-        newContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
-        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
-        return AuthenticationContext(secret: secret, context: newContext, duration: 0)
-    }
-
-    public func existingAuthenticationContextProtocol<SecretType: Secret>(secret: SecretType) -> AuthenticationContextProtocol? {
-        guard let persisted = persistedContexts[AnySecret(secret)], persisted.valid else { return nil }
-        return persisted
-    }
-
-    public func persistAuthentication<SecretType: Secret>(secret: SecretType, forDuration duration: TimeInterval) async throws {
-        let newContext = LAContext()
-        newContext.touchIDAuthenticationAllowableReuseDuration = duration
-        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
-
-        let formatter = DateComponentsFormatter()
-        formatter.unitsStyle = .spellOut
-        formatter.allowedUnits = [.hour, .minute, .day]
-
-
-        let durationString = formatter.string(from: duration)!
-        newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
-        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
-        guard success else { return }
-        let context = AuthenticationContext(secret: secret, context: newContext, duration: duration)
-        persistedContexts[AnySecret(secret)] = context
-    }
-
-}
-

Sources/Packages/Sources/SecretAgentKit/AuthorizationCoordinator.swift

@@ -0,0 +1,105 @@
+import Foundation
+import SecretKit
+import os
+import LocalAuthentication
+
+struct PendingRequest: Identifiable, Hashable, CustomStringConvertible {
+    let id: UUID = UUID()
+    let secret: AnySecret
+    let provenance: SigningRequestProvenance
+
+    var description: String {
+        "\(id.uuidString) - \(secret.name) \(provenance.origin.displayName)"
+    }
+
+    func batchable(with request: PendingRequest) -> Bool {
+        secret == request.secret &&
+        provenance.isSameProvenance(as: request.provenance)
+    }
+}
+
+enum Decision {
+    case proceed
+    case promptForSharedAuth
+}
+
+actor RequestHolder {
+
+    var pending: [PendingRequest] = []
+    var authorizing: PendingRequest?
+    var preauthorized: PendingRequest?
+
+    func addPending(_ request: PendingRequest) {
+        pending.append(request)
+    }
+
+    func advanceIfIdle() {
+
+    }
+
+    func shouldBlock(_ request: PendingRequest) -> Bool {
+        guard request != authorizing else { return false }
+        if let preauthorized, preauthorized.batchable(with: request) {
+            print("Batching: \(request)")
+            pending.removeAll(where: { $0 == request })
+            return false
+        }
+        return authorizing == nil && authorizing.
+    }
+
+    func clear() {
+        if let preauthorized, allBatchable(with: preauthorized).isEmpty {
+            self.preauthorized = nil
+        }
+    }
+
+    func allBatchable(with request: PendingRequest) -> [PendingRequest] {
+        pending.filter { $0.batchable(with: request) }
+    }
+
+    func completedPersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) {
+        self.preauthorized = PendingRequest(secret: secret, provenance: provenance)
+    }
+
+    func didNotCompletePersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) {
+        self.preauthorized = nil
+    }
+}
+
+final class AuthorizationCoordinator: Sendable {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AuthorizationCoordinator")
+    private let holder = RequestHolder()
+
+    public func waitForAccessIfNeeded(to secret: AnySecret, provenance: SigningRequestProvenance) async throws -> Decision {
+        // Block on unknown, since we don't really have any way to check.
+        if secret.authenticationRequirement == .unknown {
+            logger.warning("\(secret.name) has unknown authentication requirement.")
+        }
+        guard secret.authenticationRequirement != .notRequired else {
+            logger.debug("\(secret.name) does not require authentication, continuing.")
+            return .proceed
+        }
+        logger.debug("\(secret.name) requires authentication.")
+        let pending = PendingRequest(secret: secret, provenance: provenance)
+        await holder.addPending(pending)
+        while await holder.shouldBlock(pending) {
+            logger.debug("\(pending) waiting.")
+            try await Task.sleep(for: .milliseconds(100))
+        }
+        if await holder.preauthorized == nil, await holder.allBatchable(with: pending).count > 0 {
+            logger.debug("\(pending) batch suggestion.")
+            return .promptForSharedAuth
+        }
+        logger.debug("\(pending) continuing")
+        return .proceed
+    }
+
+    func completedPersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async {
+        await holder.completedPersistence(secret: secret, forProvenance: provenance)
+    }
+
+    func didNotCompletePersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async {
+        await holder.didNotCompletePersistence(secret: secret, forProvenance: provenance)
+    }
+}

Sources/Packages/Sources/SecretAgentKit/SigningWitness.swift

@@ -17,6 +17,6 @@ public protocol SigningWitness: Sendable {
     ///   - secret: The `Secret` that will was used to sign the request.
     ///   - store: The `Store` that signed the request..
     ///   - provenance: A `SigningRequestProvenance` object describing the origin of the request.
-    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, offerPersistence: Bool) async throws
+    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws
 
 }

Sources/Packages/Sources/SecretKit/Convenience/PersistentAuthenticationHandler.swift

@@ -0,0 +1,95 @@
+import LocalAuthentication
+
+/// A context describing a persisted authentication.
+package struct PersistentAuthenticationContext<SecretType: Secret>: PersistedAuthenticationContext {
+
+    /// The Secret to persist authentication for.
+    let secret: SecretType
+    /// The LAContext used to authorize the persistent context.
+    package nonisolated(unsafe) let context: LAContext
+    /// An expiration date for the context.
+    /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
+    let monotonicExpiration: UInt64
+
+    /// Initializes a context.
+    /// - Parameters:
+    ///   - secret: The Secret to persist authentication for.
+    ///   - context: The LAContext used to authorize the persistent context.
+    ///   - duration: The duration of the authorization context, in seconds.
+    init(secret: SecretType, context: LAContext, duration: TimeInterval) {
+        self.secret = secret
+        unsafe self.context = context
+        let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
+        self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
+    }
+
+    /// A boolean describing whether or not the context is still valid.
+    package var valid: Bool {
+        clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
+    }
+
+    package var expiration: Date {
+        let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
+        let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
+        return Date(timeIntervalSinceNow: remainingInSeconds)
+    }
+}
+
+struct ScopedPersistentAuthenticationContext<SecretType: Secret>: Hashable {
+    let provenance: SigningRequestProvenance
+    let secret: SecretType
+}
+
+package actor PersistentAuthenticationHandler<SecretType: Secret>: Sendable {
+
+    private var unscopedPersistedAuthenticationContexts: [SecretType: PersistentAuthenticationContext<SecretType>] = [:]
+    private var scopedPersistedAuthenticationContexts: [ScopedPersistentAuthenticationContext<SecretType>: PersistentAuthenticationContext<SecretType>] = [:]
+
+    package init() {
+    }
+
+    package func existingPersistedAuthenticationContext(secret: SecretType, provenance: SigningRequestProvenance) -> PersistentAuthenticationContext<SecretType>? {
+        if let unscopedPersistence = unscopedPersistedAuthenticationContexts[secret], unscopedPersistence.valid {
+            return unscopedPersistence
+        }
+        if let scopedPersistence = scopedPersistedAuthenticationContexts[.init(provenance: provenance, secret: secret)], scopedPersistence.valid {
+            return scopedPersistence
+        }
+        return nil
+    }
+
+    package func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws {
+        let newContext = LAContext()
+        newContext.touchIDAuthenticationAllowableReuseDuration = duration
+        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+
+        let formatter = DateComponentsFormatter()
+        formatter.unitsStyle = .spellOut
+        formatter.allowedUnits = [.hour, .minute, .day]
+
+
+        let durationString = formatter.string(from: duration)!
+        newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
+        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
+        guard success else { return }
+        let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
+        unscopedPersistedAuthenticationContexts[secret] = context
+    }
+
+    package func persistAuthentication(secret: SecretType, provenance: SigningRequestProvenance) async throws {
+        let newContext = LAContext()
+
+        // FIXME: TEMPORARY
+        let duration: TimeInterval = 10000
+        newContext.touchIDAuthenticationAllowableReuseDuration = duration
+        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+
+        newContext.localizedReason = "Batch requests"
+        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
+        guard success else { return }
+        let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
+        scopedPersistedAuthenticationContexts[.init(provenance: provenance, secret: secret)] = context
+    }
+
+}
+

Sources/Packages/Sources/SecretKit/Documentation.docc/Documentation.md

@@ -31,7 +31,7 @@ SecretKit is a collection of protocols describing secrets and stores.
 
 ### Authentication Persistence
 
-- ``AuthenticationContextProtocol``
+- ``PersistedAuthenticationContext``
 
 ### Errors
 

Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift

@@ -1,5 +1,4 @@
 import Foundation
-import LocalAuthentication
 
 /// Type eraser for SecretStore.
 open class AnySecretStore: SecretStore, @unchecked Sendable {
@@ -9,7 +8,10 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
     private let _id: @Sendable () -> UUID
     private let _name: @MainActor @Sendable () -> String
     private let _secrets: @MainActor @Sendable () -> [AnySecret]
-    private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance, AuthenticationContextProtocol) async throws -> Data
+    private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance) async throws -> Data
+    private let _existingPersistedAuthenticationContext: @Sendable (AnySecret, SigningRequestProvenance) async -> PersistedAuthenticationContext?
+    private let _persistAuthenticationForDuration: @Sendable (AnySecret, TimeInterval) async throws -> Void
+    private let _persistAuthenticationForProvenance: @Sendable (AnySecret, SigningRequestProvenance) async throws -> Void
     private let _reloadSecrets: @Sendable () async -> Void
 
     public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
@@ -18,7 +20,10 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
         _name = { secretStore.name }
         _id = { secretStore.id }
         _secrets = { secretStore.secrets.map { AnySecret($0) } }
-        _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2, context: $3) }
+        _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
+        _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType, provenance: $1) }
+        _persistAuthenticationForDuration = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
+        _persistAuthenticationForProvenance = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forProvenance: $1) }
         _reloadSecrets = { await secretStore.reloadSecrets() }
     }
 
@@ -38,8 +43,20 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
         return _secrets()
     }
 
-    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance, context: AuthenticationContextProtocol) async throws -> Data {
+    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance) async throws -> Data {
-        try await _sign(data, secret, provenance, context)
+        try await _sign(data, secret, provenance)
+    }
+
+    public func existingPersistedAuthenticationContext(secret: AnySecret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+        await _existingPersistedAuthenticationContext(secret, provenance)
+    }
+
+    public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) async throws {
+        try await _persistAuthenticationForDuration(secret, duration)
+    }
+
+    public func persistAuthentication(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async throws {
+        try await _persistAuthenticationForProvenance(secret, provenance)
     }
 
     public func reloadSecrets() async {

Sources/Packages/Sources/SecretKit/Types/AuthenticationContext.swift

@@ -1,14 +0,0 @@
-import Foundation
-import LocalAuthentication
-
-/// Protocol describing an authentication context. This is an authorization that can be reused for multiple access to a secret that requires authentication for a specific period of time.
-public protocol AuthenticationContextProtocol: Sendable {
-    /// Whether the context remains valid.
-    var valid: Bool { get }
-    /// The date at which the authorization expires and the context becomes invalid.
-    var expiration: Date { get }
-
-    var secret: AnySecret { get }
-
-    var laContext: LAContext { get }
-}

Sources/Packages/Sources/SecretKit/Types/PersistedAuthenticationContext.swift

@@ -0,0 +1,9 @@
+import Foundation
+
+/// Protocol describing a persisted authentication context. This is an authorization that can be reused for multiple access to a secret that requires authentication for a specific period of time.
+public protocol PersistedAuthenticationContext: Sendable {
+    /// Whether the context remains valid.
+    var valid: Bool { get }
+    /// The date at which the authorization expires and the context becomes invalid.
+    var expiration: Date { get }
+}

Sources/Packages/Sources/SecretKit/Types/SecretStore.swift

@@ -20,7 +20,22 @@ public protocol SecretStore<SecretType>: Identifiable, Sendable {
     ///   - secret: The ``Secret`` to sign with.
     ///   - provenance: A ``SigningRequestProvenance`` describing where the request came from.
     /// - Returns: The signed data.
-    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance, context: AuthenticationContextProtocol) async throws -> Data
+    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) async throws -> Data
+
+    /// Checks to see if there is currently a valid persisted authentication for a given secret.
+    /// - Parameters:
+    ///   - secret: The ``Secret`` to check if there is a persisted authentication for.
+    /// - Returns: A persisted authentication context, if a valid one exists.
+    func existingPersistedAuthenticationContext(secret: SecretType, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext?
+
+    /// Persists user authorization for access to a secret.
+    /// - Parameters:
+    ///   - secret: The ``Secret`` to persist the authorization for.
+    ///   - duration: The duration that the authorization should persist for.
+    ///  - Note: This is used for temporarily unlocking access to a secret which would otherwise require authentication every single use. This is useful for situations where the user anticipates several rapid accesses to a authorization-guarded secret.
+    func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws
+
+    func persistAuthentication(secret: SecretType, forProvenance provenance: SigningRequestProvenance) async throws
 
     /// Requests that the store reload secrets from any backing store, if neccessary.
     func reloadSecrets() async

Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift

@@ -2,17 +2,13 @@ import Foundation
 import AppKit
 
 /// Describes the chain of applications that requested a signature operation.
-public struct SigningRequestProvenance: Hashable, Sendable {
+public struct SigningRequestProvenance: Equatable, Sendable, Hashable {
 
     /// A list of processes involved in the request.
     /// - Note: A chain will typically consist of many elements even for a simple request. For example, running `git fetch` in Terminal.app would generate a request chain of `ssh` -> `git` -> `zsh` -> `login` -> `Terminal.app`
     public var chain: [Process]
-
+    public init(root: Process) {
-    public var date: Date
-
-    public init(root: Process, date: Date = .now) {
         self.chain = [root]
-        self.date = date
     }
 
 }
@@ -29,12 +25,16 @@ extension SigningRequestProvenance {
         chain.allSatisfy { $0.validSignature }
     }
 
+    public func isSameProvenance(as other: SigningRequestProvenance) -> Bool {
+        zip(chain, other.chain).allSatisfy { $0.isSameProcess(as: $1) }
+    }
+
 }
 
 extension SigningRequestProvenance {
 
     /// Describes a process in a `SigningRequestProvenance` chain.
-    public struct Process: Hashable, Sendable {
+    public struct Process: Equatable, Sendable, Hashable {
 
         /// The pid of the process.
         public let pid: Int32
@@ -75,6 +75,15 @@ extension SigningRequestProvenance {
             appName ?? processName
         }
 
+        // Whether the
+        public func isSameProcess(as other: Process) -> Bool {
+            processName == other.processName &&
+            appName == other.appName &&
+            iconURL == other.iconURL &&
+            path == other.path &&
+            validSignature == other.validSignature
+        }
+
     }
 
 }

Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift

@@ -17,6 +17,7 @@ extension SecureEnclave {
         }
         public let id = UUID()
         public let name = String(localized: .secureEnclave)
+        private let persistentAuthenticationHandler = PersistentAuthenticationHandler<Secret>()
 
         /// Initializes a Store.
         @MainActor public init() {
@@ -36,7 +37,16 @@ extension SecureEnclave {
         
         // MARK: SecretStore
         
-        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance, context: AuthenticationContextProtocol) async throws -> Data {
+        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
+            var context: LAContext
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) {
+                context = unsafe existing.context
+            } else {
+                let newContext = LAContext()
+                newContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
+                newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+                context = newContext
+            }
 
             let queryAttributes = KeychainDictionary([
                 kSecClass: Constants.keyClass,
@@ -62,15 +72,15 @@ extension SecureEnclave {
 
             switch attributes.keyType {
             case .ecdsa256:
-                let key = try CryptoKit.SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: keyData, authenticationContext: context.laContext)
+                let key = try CryptoKit.SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: keyData, authenticationContext: context)
                 return try key.signature(for: data).rawRepresentation
             case .mldsa65:
                 guard #available(macOS 26.0, *)  else { throw UnsupportedAlgorithmError() }
-                let key = try CryptoKit.SecureEnclave.MLDSA65.PrivateKey(dataRepresentation: keyData, authenticationContext: context.laContext)
+                let key = try CryptoKit.SecureEnclave.MLDSA65.PrivateKey(dataRepresentation: keyData, authenticationContext: context)
                 return try key.signature(for: data)
             case .mldsa87:
                 guard #available(macOS 26.0, *)  else { throw UnsupportedAlgorithmError() }
-                let key = try CryptoKit.SecureEnclave.MLDSA87.PrivateKey(dataRepresentation: keyData, authenticationContext: context.laContext)
+                let key = try CryptoKit.SecureEnclave.MLDSA87.PrivateKey(dataRepresentation: keyData, authenticationContext: context)
                 return try key.signature(for: data)
             default:
                 throw UnsupportedAlgorithmError()
@@ -78,6 +88,18 @@ extension SecureEnclave {
 
         }
 
+        public func existingPersistedAuthenticationContext(secret: Secret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance)
+        }
+
+        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
+        }
+
+        public func persistAuthentication(secret: SecureEnclave.Secret, forProvenance provenance: SigningRequestProvenance) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, provenance: provenance)
+        }
+
         @MainActor public func reloadSecrets() {
             let before = secrets
             secrets.removeAll()

Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift

@@ -34,6 +34,7 @@ extension SmartCard {
         public var secrets: [Secret] {
             state.secrets
         }
+        private let persistentAuthenticationHandler = PersistentAuthenticationHandler<Secret>()
 
         /// Initializes a Store.
         public init() {
@@ -56,8 +57,17 @@ extension SmartCard {
 
         // MARK: Public API
 
-        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance, context: AuthenticationContextProtocol) async throws -> Data {
+        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
             guard let tokenID = await state.tokenID else { fatalError() }
+            var context: LAContext
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) {
+                context = unsafe existing.context
+            } else {
+                let newContext = LAContext()
+                newContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
+                newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+                context = newContext
+            }
             let attributes = KeychainDictionary([
                 kSecClass: kSecClassKey,
                 kSecAttrKeyClass: kSecAttrKeyClassPrivate,
@@ -83,6 +93,18 @@ extension SmartCard {
             return signature as Data
         }
         
+        public func existingPersistedAuthenticationContext(secret: Secret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance)
+        }
+
+        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
+        }
+
+        public func persistAuthentication(secret: Secret, forProvenance provenance: SigningRequestProvenance) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, provenance: provenance)
+        }
+
         /// Reloads all secrets from the store.
         @MainActor public func reloadSecrets() {
             reloadSecretsInternal()

Sources/Packages/Sources/XPCWrappers/TeamID.swift

@@ -11,7 +11,7 @@ extension ProcessInfo {
         }
 
         guard let value = SecTaskCopyValueForEntitlement(task, "com.apple.developer.team-identifier" as CFString, nil) as? String else {
-            assertionFailure("SecTaskCopyValueForEntitlement(com.apple.developer.team-identifier) failed")
+//            assertionFailure("SecTaskCopyValueForEntitlement(com.apple.developer.team-identifier) failed")
             return fallbackTeamID
         }
 

Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift

@@ -49,7 +49,7 @@ extension Stub {
             print("Public Key OpenSSH: \(OpenSSHPublicKeyWriter().openSSHString(secret: secret))")
         }
 
-        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance, context: AuthenticationContextProtocol?) throws -> Data {
+        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) throws -> Data {
             guard !shouldThrow else {
                 throw NSError(domain: "test", code: 0, userInfo: nil)
             }
@@ -57,7 +57,7 @@ extension Stub {
             return try privateKey.signature(for: data).rawRepresentation
         }
 
-        public func existingAuthenticationContextProtocol(secret: Stub.Secret) -> AuthenticationContextProtocol? {
+        public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? {
             nil
         }
 

Sources/SecretAgent/AppDelegate.swift

@@ -22,10 +22,9 @@ class AppDelegate: NSObject, NSApplicationDelegate {
     }()
     private let updater = Updater(checkOnLaunch: true)
     private let notifier = Notifier()
-    private let authenticationHandler = AuthenticationHandler()
     private let publicKeyFileStoreController = PublicKeyFileStoreController(directory: URL.publicKeyDirectory)
     private lazy var agent: Agent = {
-        Agent(storeList: storeList, authenticationHandler: authenticationHandler, witness: notifier)
+        Agent(storeList: storeList, witness: notifier)
     }()
     private lazy var socketController: SocketController = {
         let path = URL.socketPath as String
@@ -51,11 +50,6 @@ class AppDelegate: NSObject, NSApplicationDelegate {
                 }
             }
         }
-        Task { [notifier, authenticationHandler] in
-            await notifier.registerPersistenceHandler {
-                try await authenticationHandler.persistAuthentication(secret: $0, forDuration: $1)
-            }
-        }
         Task {
             for await _ in NotificationCenter.default.notifications(named: .secretStoreReloaded) {
                 try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)

Sources/SecretAgent/Notifier.swift

@@ -5,8 +5,6 @@ import SecretKit
 import SecretAgentKit
 import Brief
 
-typealias PersistAction = (@Sendable (AnySecret, TimeInterval) async throws -> Void)
-
 final class Notifier: Sendable {
 
     private let notificationDelegate = NotificationDelegate()
@@ -17,12 +15,6 @@ final class Notifier: Sendable {
         let updateCategory = UNNotificationCategory(identifier: Constants.updateCategoryIdentitifier, actions: [updateAction, ignoreAction], intentIdentifiers: [], options: [])
         let criticalUpdateCategory = UNNotificationCategory(identifier: Constants.criticalUpdateCategoryIdentitifier, actions: [updateAction], intentIdentifiers: [], options: [])
 
-        UNUserNotificationCenter.current().setNotificationCategories([updateCategory, criticalUpdateCategory])
-        UNUserNotificationCenter.current().delegate = notificationDelegate
-
-    }
-
-    func registerPersistenceHandler(action: @escaping PersistAction) async {
         let rawDurations = [
             Measurement(value: 1, unit: UnitDuration.minutes),
             Measurement(value: 5, unit: UnitDuration.minutes),
@@ -32,9 +24,11 @@ final class Notifier: Sendable {
 
         let doNotPersistAction = UNNotificationAction(identifier: Constants.doNotPersistActionIdentitifier, title: String(localized: .persistAuthenticationDeclineButton), options: [])
         var allPersistenceActions = [doNotPersistAction]
+
         let formatter = DateComponentsFormatter()
         formatter.unitsStyle = .spellOut
         formatter.allowedUnits = [.hour, .minute, .day]
+
         var identifiers: [String: TimeInterval] = [:]
         for duration in rawDurations {
             let seconds = duration.converted(to: .seconds).value
@@ -49,11 +43,16 @@ final class Notifier: Sendable {
         if persistAuthenticationCategory.responds(to: Selector(("actionsMenuTitle"))) {
             persistAuthenticationCategory.setValue(String(localized: .persistAuthenticationAcceptButton), forKey: "_actionsMenuTitle")
         }
-        var categories = await UNUserNotificationCenter.current().notificationCategories()
+        UNUserNotificationCenter.current().setNotificationCategories([updateCategory, criticalUpdateCategory, persistAuthenticationCategory])
-        categories.insert(persistAuthenticationCategory)
+        UNUserNotificationCenter.current().delegate = notificationDelegate
-        UNUserNotificationCenter.current().setNotificationCategories(categories)
+
+        Task {
+            await notificationDelegate.state.setPersistenceState(options: identifiers) { secret, store, duration in
+                guard let duration = duration else { return }
+                try? await store.persistAuthentication(secret: secret, forDuration: duration)
+            }
+        }
 
-        await notificationDelegate.state.setPersistenceState(options: identifiers, action: action)
     }
 
     func prompt() {
@@ -61,7 +60,7 @@ final class Notifier: Sendable {
         notificationCenter.requestAuthorization(options: .alert) { _, _ in }
     }
 
-    func notify(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, offerPersistence: Bool) async {
+    func notify(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async {
         await notificationDelegate.state.setPending(secret: secret, store: store)
         let notificationCenter = UNUserNotificationCenter.current()
         let notificationContent = UNMutableNotificationContent()
@@ -70,7 +69,7 @@ final class Notifier: Sendable {
         notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
         notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
         notificationContent.interruptionLevel = .timeSensitive
-        if offerPersistence {
+        if await store.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) == nil && secret.authenticationRequirement.required {
             notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
         }
         if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
@@ -80,6 +79,25 @@ final class Notifier: Sendable {
         try? await notificationCenter.add(request)
     }
 
+    func notify(pendingAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async {
+        await notificationDelegate.state.setPending(secret: secret, store: store)
+        let notificationCenter = UNUserNotificationCenter.current()
+        let notificationContent = UNMutableNotificationContent()
+        notificationContent.title = "pending" //String(localized: .signedNotificationTitle(appName: provenance.origin.displayName))
+        notificationContent.subtitle = "pending" //String(localized: .signedNotificationDescription(secretName: secret.name))
+        notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
+        notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
+        notificationContent.interruptionLevel = .timeSensitive
+        notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
+        notificationContent.threadIdentifier = "\(secret.id)_\(provenance.hashValue)"
+        if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
+            notificationContent.attachments = [attachment]
+        }
+        let request = UNNotificationRequest(identifier: UUID().uuidString, content: notificationContent, trigger: nil)
+        try? await notificationCenter.add(request)
+
+    }
+
     func notify(update: Release, ignore: (@Sendable (Release) async -> Void)?) async {
         await notificationDelegate.state.prepareForNotification(release: update, ignoreAction: ignore)
         let notificationCenter = UNUserNotificationCenter.current()
@@ -104,8 +122,12 @@ extension Notifier: SigningWitness {
     func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
     }
 
-    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, offerPersistence: Bool) async throws {
+    func witness(pendingAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
-        await notify(accessTo: secret, from: store, by: provenance, offerPersistence: offerPersistence)
+        await notify(pendingAccessTo: secret, from: store, by: provenance)
+    }
+
+    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
+        await notify(accessTo: secret, from: store, by: provenance)
     }
 
 }
@@ -134,24 +156,28 @@ extension Notifier {
 final class NotificationDelegate: NSObject, UNUserNotificationCenterDelegate, Sendable {
 
     fileprivate actor State {
+        typealias PersistAction = (@Sendable (AnySecret, AnySecretStore, TimeInterval?) async -> Void)
         typealias IgnoreAction = (@Sendable (Release) async -> Void)
         fileprivate var release: Release?
         fileprivate var ignoreAction: IgnoreAction?
         fileprivate var persistAction: PersistAction?
         fileprivate var persistOptions: [String: TimeInterval] = [:]
+        fileprivate var pendingPersistableStores: [String: AnySecretStore] = [:]
         fileprivate var pendingPersistableSecrets: [String: AnySecret] = [:]
 
         func setPending(secret: AnySecret, store: AnySecretStore) {
             pendingPersistableSecrets[secret.id.description] = secret
+            pendingPersistableStores[store.id.description] = store
         }
 
-        func retrievePending(secretID: String, optionID: String) -> (AnySecret, TimeInterval)? {
+        func retrievePending(secretID: String, storeID: String, optionID: String) -> (AnySecret, AnySecretStore, TimeInterval)? {
             guard let secret = pendingPersistableSecrets[secretID],
+                  let store = pendingPersistableStores[storeID],
                   let options = persistOptions[optionID] else {
                 return nil
             }
             pendingPersistableSecrets.removeValue(forKey: secretID)
-            return (secret, options)
+            return (secret, store, options)
         }
 
         func setPersistenceState(options: [String: TimeInterval], action: @escaping PersistAction) {
@@ -199,12 +225,13 @@ final class NotificationDelegate: NSObject, UNUserNotificationCenterDelegate, Se
     }
 
     func handlePersistAuthenticationResponse(response: UNNotificationResponse) async {
-        guard let secretID = response.notification.request.content.userInfo[Notifier.Constants.persistSecretIDKey] as? String else {
+        guard let secretID = response.notification.request.content.userInfo[Notifier.Constants.persistSecretIDKey] as? String,
+              let storeID = response.notification.request.content.userInfo[Notifier.Constants.persistStoreIDKey] as? String else {
             return
         }
         let optionID = response.actionIdentifier
-        guard let (secret, persistOptions) = await state.retrievePending(secretID: secretID, optionID: optionID) else { return }
+        guard let (secret, store, persistOptions) = await state.retrievePending(secretID: secretID, storeID: storeID, optionID: optionID) else { return }
-        try? await state.persistAction?(secret, persistOptions)
+        await state.persistAction?(secret, store, persistOptions)
     }
 
 

Sources/Secretive/Preview Content/PreviewStore.swift

@@ -38,11 +38,11 @@ extension Preview {
             self.init(secrets: new)
         }
 
-        func sign(data: Data, with secret: Preview.Secret, for provenance: SigningRequestProvenance, context: AuthenticationContextProtocol?) throws -> Data {
+        func sign(data: Data, with secret: Preview.Secret, for provenance: SigningRequestProvenance) throws -> Data {
             return data
         }
 
-        func existingAuthenticationContextProtocol(secret: Preview.Secret) -> AuthenticationContextProtocol? {
+        func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? {
             nil
         }
 
@@ -82,11 +82,11 @@ extension Preview {
             self.init(secrets: new)
         }
 
-        func sign(data: Data, with secret: Preview.Secret, for provenance: SigningRequestProvenance, context: AuthenticationContextProtocol?) throws -> Data {
+        func sign(data: Data, with secret: Preview.Secret, for provenance: SigningRequestProvenance) throws -> Data {
             return data
         }
 
-        func existingAuthenticationContextProtocol(secret: Preview.Secret) -> AuthenticationContextProtocol? {
+        func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? {
             nil
         }