WIP

* Bump CI to 26.4

* Update entitlements

* Move inputParser inside task scope to avoid races.

* Update project settings.

.github/workflows/codeql.yml

@@ -37,7 +37,7 @@ jobs:
         build-mode: ${{ matrix.build-mode }}
     - if: matrix.build-mode == 'manual'
       name: "Select Xcode"
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - if: matrix.build-mode == 'manual'
       name: "Build"
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO

.github/workflows/nightly.yml

@@ -3,7 +3,6 @@ name: Nightly
 on: 
   schedule: 
     - cron: "0 8 * * *"
-  workflow_dispatch:
   
 jobs:
   build:
@@ -12,6 +11,7 @@ jobs:
       id-token: write
       contents: write
       attestations: write
+      actions: read
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v5
@@ -25,7 +25,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - name: Update Build Number
       env:
         RUN_ID: ${{ github.run_id }}
@@ -36,20 +36,27 @@ jobs:
             sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
     - name: Build
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Create ZIP
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v4
+      with:
+        name: Secretive
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
     - name: Notarize
       env: 
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
         APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
-    - name: Upload App to Artifacts
-      id: upload
-      uses: actions/upload-artifact@v4
-      with:
-        name: Secretive.zip
-        path: Secretive.zip
     - name: Attest
       id: attest
       uses: actions/attest-build-provenance@v2

.github/workflows/oneoff.yml

@@ -0,0 +1,64 @@
+name: One-Off Build
+
+on: 
+  workflow_dispatch:
+  
+jobs:
+  build:
+    runs-on: macos-26
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
+      actions: read
+    timeout-minutes: 10
+    steps:
+    - uses: actions/checkout@v5
+    - name: Setup Signing
+      env: 
+        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
+        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
+        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
+        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      run: ./.github/scripts/signing.sh
+    - name: Set Environment
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+    - name: Update Build Number
+      env:
+        RUN_ID: ${{ github.run_id }}
+      run: |
+            DATE=$(date "+%Y-%m-%d")
+            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0_oneoff-$DATE/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
+    - name: Build
+      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v4
+      with:
+        name: Secretive
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
+    - name: Notarize
+      env: 
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Attest
+      id: attest
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-name: "Secretive.zip"
+        subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}

.github/workflows/release.yml

@@ -22,7 +22,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - name: Test
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
       # SPM doesn't seem to pick up on the tests currently?
@@ -32,6 +32,7 @@ jobs:
       id-token: write
       contents: write
       attestations: write
+      actions: read
     runs-on: macos-26
     timeout-minutes: 10
     steps:
@@ -46,7 +47,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - name: Update Build Number
       env:
         TAG_NAME: ${{ github.ref }}
@@ -58,33 +59,40 @@ jobs:
             sed -i '' -e "s/GITHUB_BUILD_URL/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
     - name: Build
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Create ZIP
-      run: |
-            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
-    - name: Notarize
-      env: 
-        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
-        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
-      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
     - name: Upload App to Artifacts
       id: upload
       uses: actions/upload-artifact@v4
       with:
         name: Secretive.zip
-        path: Secretive.zip
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
+    - name: Notarize
+      env: 
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
     - name: Attest
       id: attest
       uses: actions/attest-build-provenance@v2
       with:
         subject-path: "Secretive.zip"
     - name: Create Release
-      run: |
-            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
-            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
-            gh release create $TAG_NAME -d -F .github/templates/release.md
-            gh release upload $TAG_NAME Secretive.zip
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         TAG_NAME: ${{ github.ref }}
         RUN_ID: ${{ github.run_id }}
         ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
+      run: |
+            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
+            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
+            gh release create $TAG_NAME -d -F .github/templates/release.md
+            gh release upload $TAG_NAME Secretive.zip

.github/workflows/test.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
     - uses: actions/checkout@v5
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - name: Test Main Packages
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
       # SPM doesn't seem to pick up on the tests currently?

.gitignore

@@ -93,3 +93,7 @@ iOSInjectionProject/
 Archive.xcarchive
 .DS_Store
 contents.xcworkspacedata
+
+# Per-User Configs
+
+Sources/Config/OpenSource.xcconfig

Package.swift

@@ -22,6 +22,9 @@ let package = Package(
         .library(
             name: "SmartCardSecretKit",
             targets: ["SmartCardSecretKit"]),
+        .library(
+            name: "SSHProtocolKit",
+            targets: ["SSHProtocolKit"]),
     ],
     dependencies: [
     ],
@@ -53,6 +56,19 @@ let package = Package(
             resources: [localization],
             swiftSettings: swiftSettings
         ),
+        .target(
+            name: "SSHProtocolKit",
+            dependencies: ["SecretKit"],
+            path: "Sources/Packages/Sources/SSHProtocolKit",
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
+        .testTarget(
+            name: "SSHProtocolKitTests",
+            dependencies: ["SSHProtocolKit"],
+            path: "Sources/Packages/Tests/SSHProtocolKitTests",
+            swiftSettings: swiftSettings,
+        ),
     ]
 )
 

Sources/Config/Config.xcconfig

@@ -1,3 +1,8 @@
 CI_VERSION = GITHUB_CI_VERSION
 CI_BUILD_NUMBER = GITHUB_BUILD_NUMBER
 CI_BUILD_LINK = GITHUB_BUILD_URL
+
+#include? "OpenSource.xcconfig"
+
+SECRETIVE_BASE_BUNDLE_ID = $(SECRETIVE_BASE_BUNDLE_ID_OSS:default=com.maxgoedjen.Secretive)
+SECRETIVE_DEVELOPMENT_TEAM = $(SECRETIVE_DEVELOPMENT_TEAM_OSS:default=Z72PRUAWF6)

Sources/Packages/Package.swift

@@ -21,13 +21,19 @@ let package = Package(
             targets: ["SmartCardSecretKit"]),
         .library(
             name: "SecretAgentKit",
-            targets: ["SecretAgentKit", "XPCWrappers"]),
+            targets: ["SecretAgentKit"]),
+        .library(
+            name: "Common",
+            targets: ["Common"]),
         .library(
             name: "Brief",
             targets: ["Brief"]),
         .library(
             name: "XPCWrappers",
             targets: ["XPCWrappers"]),
+        .library(
+            name: "SSHProtocolKit",
+            targets: ["SSHProtocolKit"]),
     ],
     dependencies: [
     ],
@@ -40,7 +46,7 @@ let package = Package(
         ),
         .testTarget(
             name: "SecretKitTests",
-            dependencies: ["SecretKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"],
+            dependencies: ["SecretKit", "SecretAgentKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"],
             swiftSettings: swiftSettings,
         ),
         .target(
@@ -57,7 +63,7 @@ let package = Package(
         ),
         .target(
             name: "SecretAgentKit",
-            dependencies: ["SecretKit"],
+            dependencies: ["SecretKit", "SSHProtocolKit", "Common"],
             resources: [localization],
             swiftSettings: swiftSettings,
         ),
@@ -65,9 +71,26 @@ let package = Package(
             name: "SecretAgentKitTests",
             dependencies: ["SecretAgentKit"],
         ),
+        .target(
+            name: "SSHProtocolKit",
+            dependencies: ["SecretKit"],
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
+        .testTarget(
+            name: "SSHProtocolKitTests",
+            dependencies: ["SSHProtocolKit"],
+            swiftSettings: swiftSettings,
+        ),
+        .target(
+            name: "Common",
+            dependencies: ["SSHProtocolKit", "SecretKit"],
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
         .target(
             name: "Brief",
-            dependencies: ["XPCWrappers"],
+            dependencies: ["XPCWrappers", "SSHProtocolKit"],
             resources: [localization],
             swiftSettings: swiftSettings,
         ),

Sources/Packages/Sources/Common/URLs.swift

@@ -0,0 +1,46 @@
+import Foundation
+import SSHProtocolKit
+import SecretKit
+
+extension URL {
+
+    public static var agentHomeURL: URL {
+        URL(fileURLWithPath: URL.homeDirectory.path().replacingOccurrences(of: Bundle.hostBundleID, with: Bundle.agentBundleID))
+    }
+
+    public static var socketPath: String {
+        #if DEBUG
+        URL.agentHomeURL.appendingPathComponent("socket-debug.ssh").path()
+        #else
+        URL.agentHomeURL.appendingPathComponent("socket.ssh").path()
+        #endif
+    }
+
+    public static var publicKeyDirectory: URL {
+        agentHomeURL.appending(component: "PublicKeys")
+    }
+
+    /// The path for a Secret's public key.
+    /// - Parameter secret: The Secret to return the path for.
+    /// - Returns: The path to the Secret's public key.
+    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
+    public static func publicKeyPath<SecretType: Secret>(for secret: SecretType, in directory: URL) -> String {
+        let keyWriter = OpenSSHPublicKeyWriter()
+        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
+        return directory.appending(component: "\(minimalHex).pub").path()
+    }
+
+}
+
+extension String {
+
+    public var normalizedPathAndFolder: (String, String) {
+        // All foundation-based normalization methods replace this with the container directly.
+        let processedPath = replacingOccurrences(of: "~", with: "/Users/\(NSUserName())")
+        let url = URL(filePath: processedPath)
+        let folder = url.deletingLastPathComponent().path()
+        return (processedPath, folder)
+    }
+
+}
+

Sources/Packages/Sources/SSHProtocolKit/Data+Hex.swift

@@ -0,0 +1,37 @@
+import Foundation
+import CryptoKit
+
+public struct HexDataStyle<SequenceType: Sequence>: Hashable, Codable {
+
+    let separator: String
+
+    public init(separator: String) {
+        self.separator = separator
+    }
+
+}
+
+extension HexDataStyle: FormatStyle where SequenceType.Element == UInt8 {
+
+    public func format(_ value: SequenceType) -> String {
+        value
+            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
+            .joined(separator: separator)
+    }
+
+}
+
+extension FormatStyle where Self == HexDataStyle<Data> {
+
+    public static func hex(separator: String = "") -> HexDataStyle<Data> {
+        HexDataStyle(separator: separator)
+    }
+
+}
+extension FormatStyle where Self == HexDataStyle<Insecure.MD5Digest> {
+
+    public static func hex(separator: String = ":") -> HexDataStyle<Insecure.MD5Digest> {
+        HexDataStyle(separator: separator)
+    }
+
+}

Sources/Packages/Sources/SSHProtocolKit/OpenSSHPublicKeyWriter.swift

@@ -1,5 +1,6 @@
 import Foundation
 import CryptoKit
+import SecretKit
 
 /// Generates OpenSSH representations of the public key sof secrets.
 public struct OpenSSHPublicKeyWriter: Sendable {
@@ -49,9 +50,7 @@ public struct OpenSSHPublicKeyWriter: Sendable {
     /// Generates an OpenSSH MD5 fingerprint string.
     /// - Returns: OpenSSH MD5 fingerprint string.
     public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
-        Insecure.MD5.hash(data: data(secret: secret))
-            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
-            .joined(separator: ":")
+        Insecure.MD5.hash(data: data(secret: secret)).formatted(.hex(separator: ":"))
     }
 
     public func comment<SecretType: Secret>(secret: SecretType) -> String {

Sources/Packages/Sources/SSHProtocolKit/OpenSSHReader.swift

@@ -1,42 +1,49 @@
 import Foundation
 
 /// Reads OpenSSH protocol data.
-final class OpenSSHReader {
+public final class OpenSSHReader {
 
     var remaining: Data
+    var done = false
 
     /// Initialize the reader with an OpenSSH data payload.
     /// - Parameter data: The data to read.
-    init(data: Data) {
+    public init(data: Data) {
         remaining = Data(data)
     }
 
     /// Reads the next chunk of data from the playload.
     /// - Returns: The next chunk of data.
-    func readNextChunk(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> Data {
-        let littleEndianLength = try readNextBytes(as: UInt32.self)
-        let length = convertEndianness ? Int(littleEndianLength.bigEndian) : Int(littleEndianLength)
+    public func readNextChunk(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> Data {
+        let length = try readNextBytes(as: UInt32.self, convertEndianness: convertEndianness)
         guard remaining.count >= length else { throw .beyondBounds }
-        let dataRange = 0..<length
+        let dataRange = 0..<Int(length)
         let ret = Data(remaining[dataRange])
         remaining.removeSubrange(dataRange)
+        if remaining.isEmpty {
+            done = true
+        }
         return ret
     }
 
-    func readNextBytes<T>(as: T.Type) throws(OpenSSHReaderError) -> T {
+    public func readNextBytes<T: FixedWidthInteger>(as: T.Type, convertEndianness: Bool = true) throws(OpenSSHReaderError) -> T {
         let size = MemoryLayout<T>.size
         guard remaining.count >= size else { throw .beyondBounds }
         let lengthRange = 0..<size
         let lengthChunk = remaining[lengthRange]
         remaining.removeSubrange(lengthRange)
-        return unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
+        if remaining.isEmpty {
+            done = true
+        }
+        let value = unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
+        return convertEndianness ? T(value.bigEndian) : T(value)
     }
 
-    func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {
+    public func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {
         try String(decoding: readNextChunk(convertEndianness: convertEndianness), as: UTF8.self)
     }
 
-    func readNextChunkAsSubReader(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> OpenSSHReader {
+    public func readNextChunkAsSubReader(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> OpenSSHReader {
         OpenSSHReader(data: try readNextChunk(convertEndianness: convertEndianness))
     }
 

Sources/Packages/Sources/SSHProtocolKit/OpenSSHSignatureWriter.swift

@@ -1,5 +1,6 @@
 import Foundation
 import CryptoKit
+import SecretKit
 
 /// Generates OpenSSH representations of Secrets.
 public struct OpenSSHSignatureWriter: Sendable {
@@ -29,19 +30,28 @@ public struct OpenSSHSignatureWriter: Sendable {
 
 extension OpenSSHSignatureWriter {
 
+    /// Converts a fixed-width big-endian integer (e.g. r/s from CryptoKit rawRepresentation) into an SSH mpint.
+    /// Strips unnecessary leading zeros and prefixes `0x00` if needed to keep the value positive.
+    private func mpint(fromFixedWidthPositiveBytes bytes: Data) -> Data {
+        // mpint zero is encoded as a string with zero bytes of data.
+        guard let firstNonZeroIndex = bytes.firstIndex(where: { $0 != 0x00 }) else {
+            return Data()
+        }
+
+        let trimmed = Data(bytes[firstNonZeroIndex...])
+
+        if let first = trimmed.first, first >= 0x80 {
+            var prefixed = Data([0x00])
+            prefixed.append(trimmed)
+            return prefixed
+        }
+        return trimmed
+    }
+
     func ecdsaSignature(_ rawRepresentation: Data, keyType: KeyType) -> Data {
         let rawLength = rawRepresentation.count/2
-        // Check if we need to pad with 0x00 to prevent certain
-        // ssh servers from thinking r or s is negative
-        let paddingRange: ClosedRange<UInt8> = 0x80...0xFF
-        var r = Data(rawRepresentation[0..<rawLength])
-        if paddingRange ~= r.first! {
-            r.insert(0x00, at: 0)
-        }
-        var s = Data(rawRepresentation[rawLength...])
-        if paddingRange ~= s.first! {
-            s.insert(0x00, at: 0)
-        }
+        let r = mpint(fromFixedWidthPositiveBytes: Data(rawRepresentation[0..<rawLength]))
+        let s = mpint(fromFixedWidthPositiveBytes: Data(rawRepresentation[rawLength...]))
 
         var signatureChunk = Data()
         signatureChunk.append(r.lengthAndData)

Sources/Packages/Sources/SecretAgentKit/Agent.swift

@@ -3,6 +3,7 @@ import CryptoKit
 import OSLog
 import SecretKit
 import AppKit
+import SSHProtocolKit
 
 /// The `Agent` is an implementation of an SSH agent. It manages coordination and access between a socket, traces requests, notifies witnesses and passes requests to stores.
 public final class Agent: Sendable {
@@ -13,6 +14,7 @@ public final class Agent: Sendable {
     private let signatureWriter = OpenSSHSignatureWriter()
     private let certificateHandler = OpenSSHCertificateHandler()
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
+    private let authorizationCoordinator = AuthorizationCoordinator()
 
     /// Initializes an agent with a store list and a witness.
     /// - Parameters:
@@ -47,6 +49,7 @@ extension Agent {
                 logger.debug("Agent returned \(SSHAgent.Response.agentSignResponse.debugDescription)")
             case .unknown(let value):
                 logger.error("Agent received unknown request of type \(value).")
+                throw UnhandledRequestError()
             default:
                 logger.debug("Agent received valid request of type \(request.debugDescription), but not currently supported.")
                 throw UnhandledRequestError()
@@ -100,8 +103,19 @@ extension Agent {
             throw NoMatchingKeyError()
         }
 
+        let decision = try await authorizationCoordinator.waitForAccessIfNeeded(to: secret, provenance: provenance)
+        switch decision {
+        case .proceed:
+            break
+        case .promptForSharedAuth:
+            do {
+                try await store.persistAuthentication(secret: secret, forProvenance: provenance)
+                await authorizationCoordinator.completedPersistence(secret: secret, forProvenance: provenance)
+            } catch {
+                await authorizationCoordinator.didNotCompletePersistence(secret: secret, forProvenance: provenance)
+            }
+        }
         try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
-
         let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance)
         let signedData = signatureWriter.data(secret: secret, signature: rawRepresentation)
 

Sources/Packages/Sources/SecretAgentKit/AuthorizationCoordinator.swift

@@ -0,0 +1,105 @@
+import Foundation
+import SecretKit
+import os
+import LocalAuthentication
+
+struct PendingRequest: Identifiable, Hashable, CustomStringConvertible {
+    let id: UUID = UUID()
+    let secret: AnySecret
+    let provenance: SigningRequestProvenance
+
+    var description: String {
+        "\(id.uuidString) - \(secret.name) \(provenance.origin.displayName)"
+    }
+
+    func batchable(with request: PendingRequest) -> Bool {
+        secret == request.secret &&
+        provenance.isSameProvenance(as: request.provenance)
+    }
+}
+
+enum Decision {
+    case proceed
+    case promptForSharedAuth
+}
+
+actor RequestHolder {
+
+    var pending: [PendingRequest] = []
+    var authorizing: PendingRequest?
+    var preauthorized: PendingRequest?
+
+    func addPending(_ request: PendingRequest) {
+        pending.append(request)
+    }
+
+    func advanceIfIdle() {
+
+    }
+
+    func shouldBlock(_ request: PendingRequest) -> Bool {
+        guard request != authorizing else { return false }
+        if let preauthorized, preauthorized.batchable(with: request) {
+            print("Batching: \(request)")
+            pending.removeAll(where: { $0 == request })
+            return false
+        }
+        return authorizing == nil && authorizing.
+    }
+
+    func clear() {
+        if let preauthorized, allBatchable(with: preauthorized).isEmpty {
+            self.preauthorized = nil
+        }
+    }
+
+    func allBatchable(with request: PendingRequest) -> [PendingRequest] {
+        pending.filter { $0.batchable(with: request) }
+    }
+
+    func completedPersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) {
+        self.preauthorized = PendingRequest(secret: secret, provenance: provenance)
+    }
+
+    func didNotCompletePersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) {
+        self.preauthorized = nil
+    }
+}
+
+final class AuthorizationCoordinator: Sendable {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AuthorizationCoordinator")
+    private let holder = RequestHolder()
+
+    public func waitForAccessIfNeeded(to secret: AnySecret, provenance: SigningRequestProvenance) async throws -> Decision {
+        // Block on unknown, since we don't really have any way to check.
+        if secret.authenticationRequirement == .unknown {
+            logger.warning("\(secret.name) has unknown authentication requirement.")
+        }
+        guard secret.authenticationRequirement != .notRequired else {
+            logger.debug("\(secret.name) does not require authentication, continuing.")
+            return .proceed
+        }
+        logger.debug("\(secret.name) requires authentication.")
+        let pending = PendingRequest(secret: secret, provenance: provenance)
+        await holder.addPending(pending)
+        while await holder.shouldBlock(pending) {
+            logger.debug("\(pending) waiting.")
+            try await Task.sleep(for: .milliseconds(100))
+        }
+        if await holder.preauthorized == nil, await holder.allBatchable(with: pending).count > 0 {
+            logger.debug("\(pending) batch suggestion.")
+            return .promptForSharedAuth
+        }
+        logger.debug("\(pending) continuing")
+        return .proceed
+    }
+
+    func completedPersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async {
+        await holder.completedPersistence(secret: secret, forProvenance: provenance)
+    }
+
+    func didNotCompletePersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async {
+        await holder.didNotCompletePersistence(secret: secret, forProvenance: provenance)
+    }
+}

Sources/Packages/Sources/SecretAgentKit/OpenSSHCertificateHandler.swift

@@ -1,11 +1,12 @@
 import Foundation
 import OSLog
 import SecretKit
+import SSHProtocolKit
 
 /// Manages storage and lookup for OpenSSH certificates.
 public actor OpenSSHCertificateHandler: Sendable {
 
-    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.homeDirectory)
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(directory: URL.publicKeyDirectory)
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "OpenSSHCertificateHandler")
     private let writer = OpenSSHPublicKeyWriter()
     private var keyBlobsAndNames: [AnySecret: (Data, Data)] = [:]

Sources/Packages/Sources/SecretAgentKit/PublicKeyStandinFileController.swift

@@ -1,5 +1,8 @@
 import Foundation
 import OSLog
+import SecretKit
+import SSHProtocolKit
+import Common
 
 /// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
 public final class PublicKeyFileStoreController: Sendable {
@@ -9,8 +12,8 @@ public final class PublicKeyFileStoreController: Sendable {
     private let keyWriter = OpenSSHPublicKeyWriter()
 
     /// Initializes a PublicKeyFileStoreController.
-    public init(homeDirectory: URL) {
-        directory = homeDirectory.appending(component: "PublicKeys")
+    public init(directory: URL) {
+        self.directory = directory
     }
 
     /// Writes out the keys specified to disk.
@@ -19,7 +22,7 @@ public final class PublicKeyFileStoreController: Sendable {
     public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
         logger.log("Writing public keys to disk")
         if clear {
-            let validPaths = Set(secrets.map { publicKeyPath(for: $0) })
+            let validPaths = Set(secrets.map { URL.publicKeyPath(for: $0, in: directory) })
                 .union(Set(secrets.map { sshCertificatePath(for: $0) }))
             let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: directory.path())) ?? []
             let fullPathContents = contentsOfDirectory.map { directory.appending(path: $0).path() }
@@ -33,21 +36,13 @@ public final class PublicKeyFileStoreController: Sendable {
         }
         try? FileManager.default.createDirectory(at: directory, withIntermediateDirectories: false, attributes: nil)
         for secret in secrets {
-            let path = publicKeyPath(for: secret)
+            let path = URL.publicKeyPath(for: secret, in: directory)
             let data = Data(keyWriter.openSSHString(secret: secret).utf8)
             FileManager.default.createFile(atPath: path, contents: data, attributes: nil)
         }
         logger.log("Finished writing public keys")
     }
 
-    /// The path for a Secret's public key.
-    /// - Parameter secret: The Secret to return the path for.
-    /// - Returns: The path to the Secret's public key.
-    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
-    public func publicKeyPath<SecretType: Secret>(for secret: SecretType) -> String {
-        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
-        return directory.appending(component: "\(minimalHex).pub").path()
-    }
 
     /// Short-circuit check to ship enumerating a bunch of paths if there's nothing in the cert directory.
     public var hasAnyCertificates: Bool {

Sources/Packages/Sources/SecretAgentKit/SSHAgentInputParser.swift

@@ -1,11 +1,12 @@
 import Foundation
 import OSLog
 import SecretKit
+import SSHProtocolKit
 
 public protocol SSHAgentInputParserProtocol {
 
     func parse(data: Data) async throws -> SSHAgent.Request
-    
+
 }
 
 public struct SSHAgentInputParser: SSHAgentInputParserProtocol {
@@ -13,7 +14,7 @@ public struct SSHAgentInputParser: SSHAgentInputParserProtocol {
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "InputParser")
 
     public init() {
-        
+
     }
 
     public func parse(data: Data) throws(AgentParsingError) -> SSHAgent.Request {

Sources/Packages/Sources/SecretAgentKit/SigningRequestTracer.swift

@@ -36,7 +36,7 @@ extension SigningRequestTracer {
     /// - Parameter pid: The process ID to look up.
     /// - Returns: A ``SecretKit.SigningRequestProvenance.Process`` describing the process.
     func process(from pid: Int32) -> SigningRequestProvenance.Process {
-        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
+        var pidAndNameInfo = unsafe self.pidAndNameInfo(from: pid)
         let ppid = unsafe pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
         let procName = unsafe withUnsafeMutablePointer(to: &pidAndNameInfo.kp_proc.p_comm.0) { pointer in
             unsafe String(cString: pointer)

Sources/Packages/Sources/SecretAgentKit/SocketController.swift

@@ -36,16 +36,21 @@ public struct SocketController {
         logger.debug("Socket controller path is clear")
         port = SocketPort(path: path)
         fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
-        Task { [fileHandle, sessionsContinuation, logger] in
-            for await notification in NotificationCenter.default.notifications(named: .NSFileHandleConnectionAccepted) {
+        Task { @MainActor [fileHandle, sessionsContinuation, logger] in
+            // Create the sequence before triggering the notification to
+            // ensure it will not be missed.
+            let connectionAcceptedNotifications = NotificationCenter.default.notifications(named: .NSFileHandleConnectionAccepted)
+
+            fileHandle.acceptConnectionInBackgroundAndNotify()
+
+            for await notification in connectionAcceptedNotifications {
                 logger.debug("Socket controller accepted connection")
                 guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { continue }
                 let session = Session(fileHandle: new)
                 sessionsContinuation.yield(session)
-                await fileHandle.acceptConnectionInBackgroundAndNotifyOnMainActor()
+                fileHandle.acceptConnectionInBackgroundAndNotify()
             }
         }
-        fileHandle.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.Mode.common])
         logger.debug("Socket listening at \(path)")
     }
 
@@ -77,8 +82,14 @@ extension SocketController {
             self.fileHandle = fileHandle
             provenance = SigningRequestTracer().provenance(from: fileHandle)
             (messages, messagesContinuation) = AsyncStream.makeStream()
-            Task { [messagesContinuation, logger] in
-                for await _ in NotificationCenter.default.notifications(named: .NSFileHandleDataAvailable, object: fileHandle) {
+            Task { @MainActor [messagesContinuation, logger] in
+                // Create the sequence before triggering the notification to
+                // ensure it will not be missed.
+                let dataAvailableNotifications = NotificationCenter.default.notifications(named: .NSFileHandleDataAvailable, object: fileHandle)
+
+                fileHandle.waitForDataInBackgroundAndNotify()
+
+                for await _ in dataAvailableNotifications {
                     let data = fileHandle.availableData
                     guard !data.isEmpty else {
                         logger.debug("Socket controller received empty data, ending continuation.")
@@ -90,16 +101,13 @@ extension SocketController {
                     logger.debug("Socket controller yielded data.")
                 }
             }
-            Task {
-                await fileHandle.waitForDataInBackgroundAndNotifyOnMainActor()
-            }
         }
         
         /// Writes new data to the socket.
         /// - Parameter data: The data to write.
-        public func write(_ data: Data) async throws {
-            try fileHandle.write(contentsOf: data)
-            await fileHandle.waitForDataInBackgroundAndNotifyOnMainActor()
+        @MainActor public func write(_ data: Data) throws {
+          try fileHandle.write(contentsOf: data)
+          fileHandle.waitForDataInBackgroundAndNotify()
         }
         
         /// Closes the socket and cleans up resources.
@@ -113,22 +121,6 @@ extension SocketController {
 
 }
 
-private extension FileHandle {
-
-    /// Ensures waitForDataInBackgroundAndNotify will be called on the main actor.
-    @MainActor func waitForDataInBackgroundAndNotifyOnMainActor() {
-        waitForDataInBackgroundAndNotify()
-    }
-
-
-    /// Ensures acceptConnectionInBackgroundAndNotify will be called on the main actor.
-    /// - Parameter modes: the runloop modes to use.
-    @MainActor func acceptConnectionInBackgroundAndNotifyOnMainActor(forModes modes: [RunLoop.Mode]? = [RunLoop.Mode.common]) {
-        acceptConnectionInBackgroundAndNotify(forModes: modes)
-    }
-
-}
-
 private extension SocketPort {
 
     convenience init(path: String) {

Sources/Packages/Sources/SecretKit/Convenience/PersistentAuthenticationHandler.swift

@@ -0,0 +1,95 @@
+import LocalAuthentication
+
+/// A context describing a persisted authentication.
+package struct PersistentAuthenticationContext<SecretType: Secret>: PersistedAuthenticationContext {
+
+    /// The Secret to persist authentication for.
+    let secret: SecretType
+    /// The LAContext used to authorize the persistent context.
+    package nonisolated(unsafe) let context: LAContext
+    /// An expiration date for the context.
+    /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
+    let monotonicExpiration: UInt64
+
+    /// Initializes a context.
+    /// - Parameters:
+    ///   - secret: The Secret to persist authentication for.
+    ///   - context: The LAContext used to authorize the persistent context.
+    ///   - duration: The duration of the authorization context, in seconds.
+    init(secret: SecretType, context: LAContext, duration: TimeInterval) {
+        self.secret = secret
+        unsafe self.context = context
+        let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
+        self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
+    }
+
+    /// A boolean describing whether or not the context is still valid.
+    package var valid: Bool {
+        clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
+    }
+
+    package var expiration: Date {
+        let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
+        let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
+        return Date(timeIntervalSinceNow: remainingInSeconds)
+    }
+}
+
+struct ScopedPersistentAuthenticationContext<SecretType: Secret>: Hashable {
+    let provenance: SigningRequestProvenance
+    let secret: SecretType
+}
+
+package actor PersistentAuthenticationHandler<SecretType: Secret>: Sendable {
+
+    private var unscopedPersistedAuthenticationContexts: [SecretType: PersistentAuthenticationContext<SecretType>] = [:]
+    private var scopedPersistedAuthenticationContexts: [ScopedPersistentAuthenticationContext<SecretType>: PersistentAuthenticationContext<SecretType>] = [:]
+
+    package init() {
+    }
+
+    package func existingPersistedAuthenticationContext(secret: SecretType, provenance: SigningRequestProvenance) -> PersistentAuthenticationContext<SecretType>? {
+        if let unscopedPersistence = unscopedPersistedAuthenticationContexts[secret], unscopedPersistence.valid {
+            return unscopedPersistence
+        }
+        if let scopedPersistence = scopedPersistedAuthenticationContexts[.init(provenance: provenance, secret: secret)], scopedPersistence.valid {
+            return scopedPersistence
+        }
+        return nil
+    }
+
+    package func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws {
+        let newContext = LAContext()
+        newContext.touchIDAuthenticationAllowableReuseDuration = duration
+        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+
+        let formatter = DateComponentsFormatter()
+        formatter.unitsStyle = .spellOut
+        formatter.allowedUnits = [.hour, .minute, .day]
+
+
+        let durationString = formatter.string(from: duration)!
+        newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
+        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
+        guard success else { return }
+        let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
+        unscopedPersistedAuthenticationContexts[secret] = context
+    }
+
+    package func persistAuthentication(secret: SecretType, provenance: SigningRequestProvenance) async throws {
+        let newContext = LAContext()
+
+        // FIXME: TEMPORARY
+        let duration: TimeInterval = 10000
+        newContext.touchIDAuthenticationAllowableReuseDuration = duration
+        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+
+        newContext.localizedReason = "Batch requests"
+        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
+        guard success else { return }
+        let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
+        scopedPersistedAuthenticationContexts[.init(provenance: provenance, secret: secret)] = context
+    }
+
+}
+

Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift

@@ -9,8 +9,9 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
     private let _name: @MainActor @Sendable () -> String
     private let _secrets: @MainActor @Sendable () -> [AnySecret]
     private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance) async throws -> Data
-    private let _existingPersistedAuthenticationContext: @Sendable (AnySecret) async -> PersistedAuthenticationContext?
-    private let _persistAuthentication: @Sendable (AnySecret, TimeInterval) async throws -> Void
+    private let _existingPersistedAuthenticationContext: @Sendable (AnySecret, SigningRequestProvenance) async -> PersistedAuthenticationContext?
+    private let _persistAuthenticationForDuration: @Sendable (AnySecret, TimeInterval) async throws -> Void
+    private let _persistAuthenticationForProvenance: @Sendable (AnySecret, SigningRequestProvenance) async throws -> Void
     private let _reloadSecrets: @Sendable () async -> Void
 
     public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
@@ -20,8 +21,9 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
         _id = { secretStore.id }
         _secrets = { secretStore.secrets.map { AnySecret($0) } }
         _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
-        _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
-        _persistAuthentication = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
+        _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType, provenance: $1) }
+        _persistAuthenticationForDuration = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
+        _persistAuthenticationForProvenance = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forProvenance: $1) }
         _reloadSecrets = { await secretStore.reloadSecrets() }
     }
 
@@ -45,12 +47,16 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
         try await _sign(data, secret, provenance)
     }
 
-    public func existingPersistedAuthenticationContext(secret: AnySecret) async -> PersistedAuthenticationContext? {
-        await _existingPersistedAuthenticationContext(secret)
+    public func existingPersistedAuthenticationContext(secret: AnySecret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+        await _existingPersistedAuthenticationContext(secret, provenance)
     }
 
     public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) async throws {
-        try await _persistAuthentication(secret, duration)
+        try await _persistAuthenticationForDuration(secret, duration)
+    }
+
+    public func persistAuthentication(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async throws {
+        try await _persistAuthenticationForProvenance(secret, provenance)
     }
 
     public func reloadSecrets() async {

Sources/Packages/Sources/SecretKit/Types/SecretStore.swift

@@ -26,7 +26,7 @@ public protocol SecretStore<SecretType>: Identifiable, Sendable {
     /// - Parameters:
     ///   - secret: The ``Secret`` to check if there is a persisted authentication for.
     /// - Returns: A persisted authentication context, if a valid one exists.
-    func existingPersistedAuthenticationContext(secret: SecretType) async -> PersistedAuthenticationContext?
+    func existingPersistedAuthenticationContext(secret: SecretType, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext?
 
     /// Persists user authorization for access to a secret.
     /// - Parameters:
@@ -35,6 +35,8 @@ public protocol SecretStore<SecretType>: Identifiable, Sendable {
     ///  - Note: This is used for temporarily unlocking access to a secret which would otherwise require authentication every single use. This is useful for situations where the user anticipates several rapid accesses to a authorization-guarded secret.
     func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws
 
+    func persistAuthentication(secret: SecretType, forProvenance provenance: SigningRequestProvenance) async throws
+
     /// Requests that the store reload secrets from any backing store, if neccessary.
     func reloadSecrets() async
 

Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift

@@ -2,7 +2,7 @@ import Foundation
 import AppKit
 
 /// Describes the chain of applications that requested a signature operation.
-public struct SigningRequestProvenance: Equatable, Sendable {
+public struct SigningRequestProvenance: Equatable, Sendable, Hashable {
 
     /// A list of processes involved in the request.
     /// - Note: A chain will typically consist of many elements even for a simple request. For example, running `git fetch` in Terminal.app would generate a request chain of `ssh` -> `git` -> `zsh` -> `login` -> `Terminal.app`
@@ -25,12 +25,16 @@ extension SigningRequestProvenance {
         chain.allSatisfy { $0.validSignature }
     }
 
+    public func isSameProvenance(as other: SigningRequestProvenance) -> Bool {
+        zip(chain, other.chain).allSatisfy { $0.isSameProcess(as: $1) }
+    }
+
 }
 
 extension SigningRequestProvenance {
 
     /// Describes a process in a `SigningRequestProvenance` chain.
-    public struct Process: Equatable, Sendable {
+    public struct Process: Equatable, Sendable, Hashable {
 
         /// The pid of the process.
         public let pid: Int32
@@ -71,6 +75,15 @@ extension SigningRequestProvenance {
             appName ?? processName
         }
 
+        // Whether the
+        public func isSameProcess(as other: Process) -> Bool {
+            processName == other.processName &&
+            appName == other.appName &&
+            iconURL == other.iconURL &&
+            path == other.path &&
+            validSignature == other.validSignature
+        }
+
     }
 
 }

Sources/Packages/Sources/SecureEnclaveSecretKit/PersistentAuthenticationHandler.swift

@@ -1,70 +0,0 @@
-import LocalAuthentication
-import SecretKit
-
-extension SecureEnclave {
-
-    /// A context describing a persisted authentication.
-    final class PersistentAuthenticationContext: PersistedAuthenticationContext {
-
-        /// The Secret to persist authentication for.
-        let secret: Secret
-        /// The LAContext used to authorize the persistent context.
-        nonisolated(unsafe) let context: LAContext
-        /// An expiration date for the context.
-        /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
-        let monotonicExpiration: UInt64
-
-        /// Initializes a context.
-        /// - Parameters:
-        ///   - secret: The Secret to persist authentication for.
-        ///   - context: The LAContext used to authorize the persistent context.
-        ///   - duration: The duration of the authorization context, in seconds.
-        init(secret: Secret, context: LAContext, duration: TimeInterval) {
-            self.secret = secret
-            unsafe self.context = context
-            let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
-            self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
-        }
-
-        /// A boolean describing whether or not the context is still valid.
-        var valid: Bool {
-            clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
-        }
-
-        var expiration: Date {
-            let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
-            let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
-            return Date(timeIntervalSinceNow: remainingInSeconds)
-        }
-    }
-
-    actor PersistentAuthenticationHandler: Sendable {
-
-        private var persistedAuthenticationContexts: [Secret: PersistentAuthenticationContext] = [:]
-
-        func existingPersistedAuthenticationContext(secret: Secret) -> PersistentAuthenticationContext? {
-            guard let persisted = persistedAuthenticationContexts[secret], persisted.valid else { return nil }
-            return persisted
-        }
-
-        func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
-            let newContext = LAContext()
-            newContext.touchIDAuthenticationAllowableReuseDuration = duration
-            newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
-
-            let formatter = DateComponentsFormatter()
-            formatter.unitsStyle = .spellOut
-            formatter.allowedUnits = [.hour, .minute, .day]
-
-            
-            let durationString = formatter.string(from: duration)!
-            newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
-            let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
-            guard success else { return }
-            let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
-            persistedAuthenticationContexts[secret] = context
-        }
-
-    }
-
-}

Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift

@@ -17,7 +17,7 @@ extension SecureEnclave {
         }
         public let id = UUID()
         public let name = String(localized: .secureEnclave)
-        private let persistentAuthenticationHandler = PersistentAuthenticationHandler()
+        private let persistentAuthenticationHandler = PersistentAuthenticationHandler<Secret>()
 
         /// Initializes a Store.
         @MainActor public init() {
@@ -39,7 +39,7 @@ extension SecureEnclave {
         
         public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
             var context: LAContext
-            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret) {
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) {
                 context = unsafe existing.context
             } else {
                 let newContext = LAContext()
@@ -88,14 +88,18 @@ extension SecureEnclave {
 
         }
 
-        public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? {
-            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret)
+        public func existingPersistedAuthenticationContext(secret: Secret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance)
         }
 
         public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
             try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
         }
 
+        public func persistAuthentication(secret: SecureEnclave.Secret, forProvenance provenance: SigningRequestProvenance) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, provenance: provenance)
+        }
+
         @MainActor public func reloadSecrets() {
             let before = secrets
             secrets.removeAll()

Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift

@@ -34,6 +34,7 @@ extension SmartCard {
         public var secrets: [Secret] {
             state.secrets
         }
+        private let persistentAuthenticationHandler = PersistentAuthenticationHandler<Secret>()
 
         /// Initializes a Store.
         public init() {
@@ -58,9 +59,15 @@ extension SmartCard {
 
         public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
             guard let tokenID = await state.tokenID else { fatalError() }
-            let context = LAContext()
-            context.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
-            context.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+            var context: LAContext
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) {
+                context = unsafe existing.context
+            } else {
+                let newContext = LAContext()
+                newContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
+                newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+                context = newContext
+            }
             let attributes = KeychainDictionary([
                 kSecClass: kSecClassKey,
                 kSecAttrKeyClass: kSecAttrKeyClassPrivate,
@@ -86,11 +93,16 @@ extension SmartCard {
             return signature as Data
         }
         
-        public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? {
-            nil
+        public func existingPersistedAuthenticationContext(secret: Secret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance)
         }
 
-        public func persistAuthentication(secret: Secret, forDuration: TimeInterval) throws {
+        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
+        }
+
+        public func persistAuthentication(secret: Secret, forProvenance provenance: SigningRequestProvenance) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, provenance: provenance)
         }
 
         /// Reloads all secrets from the store.
@@ -163,7 +175,7 @@ extension SmartCard.Store {
             let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!
             let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]
             let publicKey = publicKeyAttributes[kSecValueData] as! Data
-            let attributes = Attributes(keyType: KeyType(secAttr: algorithmSecAttr, size: keySize)!, authentication: .unknown)
+            let attributes = Attributes(keyType: KeyType(secAttr: algorithmSecAttr, size: keySize)!, authentication: .presenceRequired)
             let secret = SmartCard.Secret(id: tokenID, name: name, publicKey: publicKey, attributes: attributes)
             guard signatureAlgorithm(for: secret) != nil else { return nil }
             return secret

Sources/Packages/Sources/XPCWrappers/TeamID.swift

@@ -0,0 +1,26 @@
+import Foundation
+
+extension ProcessInfo {
+    private static let fallbackTeamID = "Z72PRUAWF6"
+
+    private static let teamID: String = {
+        #if DEBUG
+        guard let task = SecTaskCreateFromSelf(nil) else {
+            assertionFailure("SecTaskCreateFromSelf failed")
+            return fallbackTeamID
+        }
+
+        guard let value = SecTaskCopyValueForEntitlement(task, "com.apple.developer.team-identifier" as CFString, nil) as? String else {
+//            assertionFailure("SecTaskCopyValueForEntitlement(com.apple.developer.team-identifier) failed")
+            return fallbackTeamID
+        }
+
+        return value
+        #else
+        /// Always use hardcoded team ID for release builds, just in case.
+        return fallbackTeamID
+        #endif
+    }()
+
+    public var teamID: String { Self.teamID }
+}

Sources/Packages/Sources/XPCWrappers/XPCServiceDelegate.swift

@@ -12,7 +12,7 @@ public final class XPCServiceDelegate: NSObject, NSXPCListenerDelegate {
         newConnection.exportedInterface = NSXPCInterface(with: (any _XPCProtocol).self)
         let exportedObject = exportedObject
         newConnection.exportedObject = exportedObject
-        newConnection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = Z72PRUAWF6")
+        newConnection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"\(ProcessInfo.processInfo.teamID)\"")
         newConnection.resume()
         return true
     }

Sources/Packages/Sources/XPCWrappers/XPCTypedSession.swift

@@ -8,7 +8,7 @@ public struct XPCTypedSession<ResponseType: Codable & Sendable, ErrorType: Error
     public init(serviceName: String, warmup: Bool = false) async throws {
         let connection = NSXPCConnection(serviceName: serviceName)
         connection.remoteObjectInterface = NSXPCInterface(with: (any _XPCProtocol).self)
-        connection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = Z72PRUAWF6")
+        connection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"\(ProcessInfo.processInfo.teamID)\"")
         connection.resume()
         guard let proxy = connection.remoteObjectProxy as? _XPCProtocol else { fatalError() }
         self.connection = connection

Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHPublicKeyWriterTests.swift

@@ -1,8 +1,7 @@
 import Foundation
 import Testing
 @testable import SecretKit
-@testable import SecureEnclaveSecretKit
-@testable import SmartCardSecretKit
+import SSHProtocolKit
 
 @Suite struct OpenSSHPublicKeyWriterTests {
 
@@ -47,8 +46,8 @@ import Testing
 extension OpenSSHPublicKeyWriterTests {
 
     enum Constants {
-        static let ecdsa256Secret =  SmartCard.Secret(id: Data(), name: "Test Key (ECDSA 256)", publicKey: Data(base64Encoded: "BOVEjgAA5PHqRgwykjN5qM21uWCHFSY/Sqo5gkHAkn+e1MMQKHOLga7ucB9b3mif33MBid59GRK9GEPVlMiSQwo=")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 256), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
-        static let ecdsa384Secret = SmartCard.Secret(id: Data(), name: "Test Key (ECDSA 384)", publicKey: Data(base64Encoded: "BG2MNc/C5OTHFE2tBvbZCVcpOGa8vBMquiTLkH4lwkeqOPxhi+PyYUfQZMTRJNPiTyWPoMBqNiCIFRVv60yPN/AHufHaOgbdTP42EgMlMMImkAjYUEv9DESHTVIs2PW1yQ==")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 384), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
+        static let ecdsa256Secret =  TestSecret(id: Data(), name: "Test Key (ECDSA 256)", publicKey: Data(base64Encoded: "BOVEjgAA5PHqRgwykjN5qM21uWCHFSY/Sqo5gkHAkn+e1MMQKHOLga7ucB9b3mif33MBid59GRK9GEPVlMiSQwo=")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 256), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
+        static let ecdsa384Secret = TestSecret(id: Data(), name: "Test Key (ECDSA 384)", publicKey: Data(base64Encoded: "BG2MNc/C5OTHFE2tBvbZCVcpOGa8vBMquiTLkH4lwkeqOPxhi+PyYUfQZMTRJNPiTyWPoMBqNiCIFRVv60yPN/AHufHaOgbdTP42EgMlMMImkAjYUEv9DESHTVIs2PW1yQ==")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 384), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
 
     }
 

Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHReaderTests.swift

@@ -1,8 +1,6 @@
 import Foundation
 import Testing
-@testable import SecretAgentKit
-@testable import SecureEnclaveSecretKit
-@testable import SmartCardSecretKit
+import SSHProtocolKit
 
 @Suite struct OpenSSHReaderTests {
 

Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHSignatureWriterTests.swift

@@ -0,0 +1,83 @@
+import Foundation
+import Testing
+import SSHProtocolKit
+@testable import SecretKit
+
+@Suite struct OpenSSHSignatureWriterTests {
+
+    private let writer = OpenSSHSignatureWriter()
+
+    @Test func ecdsaMpintStripsUnnecessaryLeadingZeros() throws {
+        let secret = Constants.ecdsa256Secret
+
+        // r has a leading 0x00 followed by 0x01 (< 0x80): the mpint must not keep the leading zero.
+        let rBytes: [UInt8] = [0x00] + (1...31).map { UInt8($0) }
+        let r = Data(rBytes)
+        // s has two leading 0x00 bytes followed by 0x7f (< 0x80): the mpint must not keep the leading zeros.
+        let sBytes: [UInt8] = [0x00, 0x00, 0x7f] + Array(repeating: UInt8(0x01), count: 29)
+        let s = Data(sBytes)
+        let rawRepresentation = r + s
+
+        let response = writer.data(secret: secret, signature: rawRepresentation)
+        let (parsedR, parsedS) = try parseEcdsaSignatureMpints(from: response)
+
+        #expect(parsedR == Data((1...31).map { UInt8($0) }))
+        #expect(parsedS == Data([0x7f] + Array(repeating: UInt8(0x01), count: 29)))
+    }
+
+    @Test func ecdsaMpintPrefixesZeroWhenHighBitSet() throws {
+        let secret = Constants.ecdsa256Secret
+
+        // r starts with 0x80 (high bit set): mpint must be prefixed with 0x00.
+        let r = Data([UInt8(0x80)] + Array(repeating: UInt8(0x01), count: 31))
+        let s = Data([UInt8(0x01)] + Array(repeating: UInt8(0x02), count: 31))
+        let rawRepresentation = r + s
+
+        let response = writer.data(secret: secret, signature: rawRepresentation)
+        let (parsedR, parsedS) = try parseEcdsaSignatureMpints(from: response)
+
+        #expect(parsedR == Data([0x00, 0x80] + Array(repeating: UInt8(0x01), count: 31)))
+        #expect(parsedS == Data([0x01] + Array(repeating: UInt8(0x02), count: 31)))
+    }
+
+}
+
+private extension OpenSSHSignatureWriterTests {
+
+    enum Constants {
+        static let ecdsa256Secret = TestSecret(
+            id: Data(),
+            name: "Test Key (ECDSA 256)",
+            publicKey: Data(repeating: 0x01, count: 65),
+            attributes: Attributes(
+                keyType: KeyType(algorithm: .ecdsa, size: 256),
+                authentication: .notRequired,
+                publicKeyAttribution: "test@example.com"
+            )
+        )
+    }
+
+    enum ParseError: Error {
+        case eof
+        case invalidAlgorithm
+    }
+
+    func parseEcdsaSignatureMpints(from openSSHSignedData: Data) throws -> (r: Data, s: Data) {
+        let reader = OpenSSHReader(data: openSSHSignedData)
+
+        // Prefix
+        _ = try reader.readNextBytes(as: UInt32.self)
+
+        let algorithm = try reader.readNextChunkAsString()
+        guard algorithm == "ecdsa-sha2-nistp256" else {
+            throw ParseError.invalidAlgorithm
+        }
+
+        let sigReader = try reader.readNextChunkAsSubReader()
+        let r = try sigReader.readNextChunk()
+        let s = try sigReader.readNextChunk()
+        return (r, s)
+    }
+
+}
+

Sources/Packages/Tests/SSHProtocolKitTests/TestSecret.swift

@@ -0,0 +1,11 @@
+import Foundation
+import SecretKit
+
+public struct TestSecret: SecretKit.Secret {
+    
+    public let id: Data
+    public let name: String
+    public let publicKey: Data
+    public var attributes: Attributes
+    
+}

Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift

@@ -1,6 +1,7 @@
 import Foundation
 import Testing
 import CryptoKit
+@testable import SSHProtocolKit
 @testable import SecretKit
 @testable import SecretAgentKit
 
@@ -44,8 +45,8 @@ import CryptoKit
         let agent = Agent(storeList: list)
         let response = await agent.handle(request: request, provenance: .test)
         let responseReader = OpenSSHReader(data: response)
-        let length = try responseReader.readNextBytes(as: UInt32.self).bigEndian
-        let type = try responseReader.readNextBytes(as: UInt8.self).bigEndian
+        let length = try responseReader.readNextBytes(as: UInt32.self)
+        let type = try responseReader.readNextBytes(as: UInt8.self)
         #expect(length == response.count - MemoryLayout<UInt32>.size)
         #expect(type == SSHAgent.Response.agentSignResponse.rawValue)
         let outer = OpenSSHReader(data: responseReader.remaining)

Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift

@@ -1,6 +1,7 @@
 import Foundation
 import SecretKit
 import CryptoKit
+import SSHProtocolKit
 
 struct Stub {}
 

Sources/SecretAgent/AppDelegate.swift

@@ -6,6 +6,7 @@ import SmartCardSecretKit
 import SecretAgentKit
 import Brief
 import Observation
+import Common
 
 @main
 class AppDelegate: NSObject, NSApplicationDelegate {
@@ -21,12 +22,12 @@ class AppDelegate: NSObject, NSApplicationDelegate {
     }()
     private let updater = Updater(checkOnLaunch: true)
     private let notifier = Notifier()
-    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.homeDirectory)
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(directory: URL.publicKeyDirectory)
     private lazy var agent: Agent = {
         Agent(storeList: storeList, witness: notifier)
     }()
     private lazy var socketController: SocketController = {
-        let path = (NSHomeDirectory() as NSString).appendingPathComponent("socket.ssh") as String
+        let path = URL.socketPath as String
         return SocketController(path: path)
     }()
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AppDelegate")
@@ -34,14 +35,14 @@ class AppDelegate: NSObject, NSApplicationDelegate {
     func applicationDidFinishLaunching(_ aNotification: Notification) {
         logger.debug("SecretAgent finished launching")
         Task {
-            let inputParser = try await XPCAgentInputParser()
             for await session in socketController.sessions {
                 Task {
+                    let inputParser = try await XPCAgentInputParser()
                     do {
                         for await message in session.messages {
                             let request = try await inputParser.parse(data: message)
                             let agentResponse = await agent.handle(request: request, provenance: session.provenance)
-                            try await session.write(agentResponse)
+                            try session.write(agentResponse)
                         }
                     } catch {
                         try session.close()

Sources/SecretAgent/Notifier.swift

@@ -69,7 +69,7 @@ final class Notifier: Sendable {
         notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
         notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
         notificationContent.interruptionLevel = .timeSensitive
-        if await store.existingPersistedAuthenticationContext(secret: secret) == nil && secret.authenticationRequirement.required {
+        if await store.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) == nil && secret.authenticationRequirement.required {
             notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
         }
         if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
@@ -79,6 +79,25 @@ final class Notifier: Sendable {
         try? await notificationCenter.add(request)
     }
 
+    func notify(pendingAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async {
+        await notificationDelegate.state.setPending(secret: secret, store: store)
+        let notificationCenter = UNUserNotificationCenter.current()
+        let notificationContent = UNMutableNotificationContent()
+        notificationContent.title = "pending" //String(localized: .signedNotificationTitle(appName: provenance.origin.displayName))
+        notificationContent.subtitle = "pending" //String(localized: .signedNotificationDescription(secretName: secret.name))
+        notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
+        notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
+        notificationContent.interruptionLevel = .timeSensitive
+        notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
+        notificationContent.threadIdentifier = "\(secret.id)_\(provenance.hashValue)"
+        if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
+            notificationContent.attachments = [attachment]
+        }
+        let request = UNNotificationRequest(identifier: UUID().uuidString, content: notificationContent, trigger: nil)
+        try? await notificationCenter.add(request)
+
+    }
+
     func notify(update: Release, ignore: (@Sendable (Release) async -> Void)?) async {
         await notificationDelegate.state.prepareForNotification(release: update, ignoreAction: ignore)
         let notificationCenter = UNUserNotificationCenter.current()
@@ -103,6 +122,10 @@ extension Notifier: SigningWitness {
     func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
     }
 
+    func witness(pendingAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
+        await notify(pendingAccessTo: secret, from: store, by: provenance)
+    }
+
     func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
         await notify(accessTo: secret, from: store, by: provenance)
     }

Sources/SecretAgent/SecretAgent.entitlements

@@ -12,14 +12,14 @@
 	<true/>
 	<key>com.apple.security.hardened-process.dyld-ro</key>
 	<true/>
-	<key>com.apple.security.hardened-process.enhanced-security-version</key>
-	<integer>1</integer>
+	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
+	<string>1</string>
 	<key>com.apple.security.hardened-process.hardened-heap</key>
 	<true/>
-	<key>com.apple.security.hardened-process.platform-restrictions</key>
-	<integer>2</integer>
 	<key>com.apple.security.smartcard</key>
 	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
+	<string>2</string>
 	<key>keychain-access-groups</key>
 	<array>
 		<string>$(AppIdentifierPrefix)com.maxgoedjen.Secretive</string>

Sources/SecretAgent/XPCInputParser.swift

@@ -3,6 +3,7 @@ import SecretAgentKit
 import Brief
 import XPCWrappers
 import OSLog
+import SSHProtocolKit
 
 /// Delegates all agent input parsing to an XPC service which wraps OpenSSH
 public final class XPCAgentInputParser: SSHAgentInputParserProtocol {

Sources/SecretAgentInputParser/SecretAgentInputParser.entitlements

@@ -12,11 +12,11 @@
 	<true/>
 	<key>com.apple.security.hardened-process.dyld-ro</key>
 	<true/>
-	<key>com.apple.security.hardened-process.enhanced-security-version</key>
-	<integer>1</integer>
 	<key>com.apple.security.hardened-process.hardened-heap</key>
 	<true/>
-	<key>com.apple.security.hardened-process.platform-restrictions</key>
-	<integer>2</integer>
+	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
+	<string>1</string>
+	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
+	<string>2</string>
 </dict>
 </plist>

Sources/SecretAgentInputParser/SecretAgentInputParser.swift

@@ -2,6 +2,7 @@ import Foundation
 import OSLog
 import XPCWrappers
 import SecretAgentKit
+import SSHProtocolKit
 
 final class SecretAgentInputParser: NSObject, XPCProtocol {
 

Sources/Secretive.xcodeproj/project.pbxproj

@@ -9,7 +9,7 @@
 /* Begin PBXBuildFile section */
 		2C4A9D2F2636FFD3008CC8E2 /* EditSecretView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 2C4A9D2E2636FFD3008CC8E2 /* EditSecretView.swift */; };
 		50020BB024064869003D4025 /* AppDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50020BAF24064869003D4025 /* AppDelegate.swift */; };
-		50033AC327813F1700253856 /* BundleIDs.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50033AC227813F1700253856 /* BundleIDs.swift */; };
+		5002C3AB2EEF483300FFAD22 /* XPCWrappers in Frameworks */ = {isa = PBXBuildFile; productRef = 5002C3AA2EEF483300FFAD22 /* XPCWrappers */; };
 		5003EF3B278005E800DF2006 /* SecretKit in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3A278005E800DF2006 /* SecretKit */; };
 		5003EF3D278005F300DF2006 /* Brief in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3C278005F300DF2006 /* Brief */; };
 		5003EF3F278005F300DF2006 /* SecretAgentKit in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3E278005F300DF2006 /* SecretAgentKit */; };
@@ -26,13 +26,11 @@
 		50153E22250DECA300525160 /* SecretListItemView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50153E21250DECA300525160 /* SecretListItemView.swift */; };
 		501578132E6C0479004A37D0 /* XPCInputParser.swift in Sources */ = {isa = PBXBuildFile; fileRef = 501578122E6C0479004A37D0 /* XPCInputParser.swift */; };
 		5018F54F24064786002EB505 /* Notifier.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5018F54E24064786002EB505 /* Notifier.swift */; };
-		504788EC2E680DC800B4556F /* URLs.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504788EB2E680DC400B4556F /* URLs.swift */; };
 		504788F22E681F3A00B4556F /* Instructions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504788F12E681F3A00B4556F /* Instructions.swift */; };
 		504788F42E681F6900B4556F /* ToolConfigurationView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504788F32E681F6900B4556F /* ToolConfigurationView.swift */; };
 		504788F62E68206F00B4556F /* GettingStartedView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504788F52E68206F00B4556F /* GettingStartedView.swift */; };
 		504789232E697DD300B4556F /* BoxBackgroundStyle.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504789222E697DD300B4556F /* BoxBackgroundStyle.swift */; };
 		50571E0324393C2600F76F6C /* JustUpdatedChecker.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50571E0224393C2600F76F6C /* JustUpdatedChecker.swift */; };
-		50571E0524393D1500F76F6C /* LaunchAgentController.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50571E0424393D1500F76F6C /* LaunchAgentController.swift */; };
 		50617D8323FCE48E0099B055 /* App.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50617D8223FCE48E0099B055 /* App.swift */; };
 		50617D8523FCE48E0099B055 /* ContentView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50617D8423FCE48E0099B055 /* ContentView.swift */; };
 		50617D8A23FCE48E0099B055 /* Preview Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 50617D8923FCE48E0099B055 /* Preview Assets.xcassets */; };
@@ -63,6 +61,7 @@
 		50A3B79424026B7600D209EA /* Preview Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 50A3B79324026B7600D209EA /* Preview Assets.xcassets */; };
 		50A3B79724026B7600D209EA /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 50A3B79524026B7600D209EA /* Main.storyboard */; };
 		50AE97002E5C1A420018C710 /* IntegrationsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50AE96FF2E5C1A420018C710 /* IntegrationsView.swift */; };
+		50B832C02F62202A00D2FCB8 /* InternetAccessPolicy.plist in Resources */ = {isa = PBXBuildFile; fileRef = 50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */; };
 		50B8550D24138C4F009958AC /* DeleteSecretView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50B8550C24138C4F009958AC /* DeleteSecretView.swift */; };
 		50BB046B2418AAAE00D6E079 /* EmptyStoreView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50BB046A2418AAAE00D6E079 /* EmptyStoreView.swift */; };
 		50BDCB722E63BAF20072D2E7 /* AgentStatusView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50BDCB712E63BAF20072D2E7 /* AgentStatusView.swift */; };
@@ -70,6 +69,8 @@
 		50BDCB762E6450950072D2E7 /* ConfigurationItemView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50BDCB752E6450950072D2E7 /* ConfigurationItemView.swift */; };
 		50C385A52407A76D00AF2719 /* SecretDetailView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50C385A42407A76D00AF2719 /* SecretDetailView.swift */; };
 		50CF4ABC2E601B0F005588DC /* ActionButtonStyle.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50CF4ABB2E601B0F005588DC /* ActionButtonStyle.swift */; };
+		50E0145C2EDB9CDF00B121F1 /* Common in Frameworks */ = {isa = PBXBuildFile; productRef = 50E0145B2EDB9CDF00B121F1 /* Common */; };
+		50E0145E2EDB9CE400B121F1 /* Common in Frameworks */ = {isa = PBXBuildFile; productRef = 50E0145D2EDB9CE400B121F1 /* Common */; };
 		50E4C4532E73C78C00C73783 /* WindowBackgroundStyle.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50E4C4522E73C78900C73783 /* WindowBackgroundStyle.swift */; };
 		50E4C4C32E7765DF00C73783 /* AboutView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50E4C4C22E7765DF00C73783 /* AboutView.swift */; };
 		50E4C4C82E777E4200C73783 /* AppIcon.icon in Resources */ = {isa = PBXBuildFile; fileRef = 50E4C4C72E777E4200C73783 /* AppIcon.icon */; };
@@ -181,20 +182,19 @@
 /* Begin PBXFileReference section */
 		2C4A9D2E2636FFD3008CC8E2 /* EditSecretView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EditSecretView.swift; sourceTree = "<group>"; };
 		50020BAF24064869003D4025 /* AppDelegate.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppDelegate.swift; sourceTree = "<group>"; };
-		50033AC227813F1700253856 /* BundleIDs.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BundleIDs.swift; sourceTree = "<group>"; };
 		5003EF39278005C800DF2006 /* Packages */ = {isa = PBXFileReference; lastKnownFileType = wrapper; path = Packages; sourceTree = "<group>"; };
+		500666D02F04786900328939 /* SecretiveUpdater.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretiveUpdater.entitlements; sourceTree = "<group>"; };
+		500666D12F04787200328939 /* SecretAgentInputParser.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretAgentInputParser.entitlements; sourceTree = "<group>"; };
 		5008C23D2E525D8200507AC2 /* Localizable.xcstrings */ = {isa = PBXFileReference; lastKnownFileType = text.json.xcstrings; name = Localizable.xcstrings; path = Packages/Resources/Localizable.xcstrings; sourceTree = SOURCE_ROOT; };
 		50153E1F250AFCB200525160 /* UpdateView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UpdateView.swift; sourceTree = "<group>"; };
 		50153E21250DECA300525160 /* SecretListItemView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SecretListItemView.swift; sourceTree = "<group>"; };
 		501578122E6C0479004A37D0 /* XPCInputParser.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = XPCInputParser.swift; sourceTree = "<group>"; };
 		5018F54E24064786002EB505 /* Notifier.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Notifier.swift; sourceTree = "<group>"; };
-		504788EB2E680DC400B4556F /* URLs.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = URLs.swift; sourceTree = "<group>"; };
 		504788F12E681F3A00B4556F /* Instructions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Instructions.swift; sourceTree = "<group>"; };
 		504788F32E681F6900B4556F /* ToolConfigurationView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ToolConfigurationView.swift; sourceTree = "<group>"; };
 		504788F52E68206F00B4556F /* GettingStartedView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GettingStartedView.swift; sourceTree = "<group>"; };
 		504789222E697DD300B4556F /* BoxBackgroundStyle.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BoxBackgroundStyle.swift; sourceTree = "<group>"; };
 		50571E0224393C2600F76F6C /* JustUpdatedChecker.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = JustUpdatedChecker.swift; sourceTree = "<group>"; };
-		50571E0424393D1500F76F6C /* LaunchAgentController.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LaunchAgentController.swift; sourceTree = "<group>"; };
 		5059933F2E7A3B5B0092CFFA /* en */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = en; path = en.lproj/Main.storyboard; sourceTree = "<group>"; };
 		50617D7F23FCE48E0099B055 /* Secretive.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Secretive.app; sourceTree = BUILT_PRODUCTS_DIR; };
 		50617D8223FCE48E0099B055 /* App.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = App.swift; sourceTree = "<group>"; };
@@ -231,8 +231,6 @@
 		50A3B79824026B7600D209EA /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		50A3B79924026B7600D209EA /* SecretAgent.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretAgent.entitlements; sourceTree = "<group>"; };
 		50AE96FF2E5C1A420018C710 /* IntegrationsView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = IntegrationsView.swift; sourceTree = "<group>"; };
-		50B5ACD42E87BCDD0048733E /* SecretAgentInputParser.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretAgentInputParser.entitlements; sourceTree = "<group>"; };
-		50B5ACD52E87BCE40048733E /* SecretiveUpdater.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretiveUpdater.entitlements; sourceTree = "<group>"; };
 		50B8550C24138C4F009958AC /* DeleteSecretView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DeleteSecretView.swift; sourceTree = "<group>"; };
 		50BB046A2418AAAE00D6E079 /* EmptyStoreView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EmptyStoreView.swift; sourceTree = "<group>"; };
 		50BDCB712E63BAF20072D2E7 /* AgentStatusView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AgentStatusView.swift; sourceTree = "<group>"; };
@@ -243,6 +241,7 @@
 		50E4C4522E73C78900C73783 /* WindowBackgroundStyle.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = WindowBackgroundStyle.swift; sourceTree = "<group>"; };
 		50E4C4C22E7765DF00C73783 /* AboutView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AboutView.swift; sourceTree = "<group>"; };
 		50E4C4C72E777E4200C73783 /* AppIcon.icon */ = {isa = PBXFileReference; lastKnownFileType = folder.iconcomposer.icon; path = AppIcon.icon; sourceTree = "<group>"; };
+		F418C9A82F0C57F000E9ADF8 /* OpenSource.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = OpenSource.xcconfig; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -250,6 +249,7 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				50E0145C2EDB9CDF00B121F1 /* Common in Frameworks */,
 				5003EF3B278005E800DF2006 /* SecretKit in Frameworks */,
 				501421622781262300BBAA70 /* Brief in Frameworks */,
 				5003EF5F2780081600DF2006 /* SecureEnclaveSecretKit in Frameworks */,
@@ -270,6 +270,7 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				5002C3AB2EEF483300FFAD22 /* XPCWrappers in Frameworks */,
 				50692E6C2E6FFA510043C7BB /* SecretAgentKit in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -283,20 +284,13 @@
 				5003EF652780081B00DF2006 /* SmartCardSecretKit in Frameworks */,
 				5003EF3F278005F300DF2006 /* SecretAgentKit in Frameworks */,
 				5003EF41278005FA00DF2006 /* SecretKit in Frameworks */,
+				50E0145E2EDB9CE400B121F1 /* Common in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
 /* End PBXFrameworksBuildPhase section */
 
 /* Begin PBXGroup section */
-		50033AC427813F1C00253856 /* Helpers */ = {
-			isa = PBXGroup;
-			children = (
-				50033AC227813F1700253856 /* BundleIDs.swift */,
-			);
-			path = Helpers;
-			sourceTree = "<group>";
-		};
 		504788ED2E681EB200B4556F /* Modifiers */ = {
 			isa = PBXGroup;
 			children = (
@@ -380,7 +374,6 @@
 				50617D8223FCE48E0099B055 /* App.swift */,
 				508A58B0241ED1C40069DC07 /* Views */,
 				508A58B1241ED1EA0069DC07 /* Controllers */,
-				50033AC427813F1C00253856 /* Helpers */,
 				50617D8E23FCE48E0099B055 /* Info.plist */,
 				508BF28D25B4F005009EFB7E /* InternetAccessPolicy.plist */,
 				50E4C4C72E777E4200C73783 /* AppIcon.icon */,
@@ -405,7 +398,7 @@
 		50692D272E6FDB8D0043C7BB /* SecretiveUpdater */ = {
 			isa = PBXGroup;
 			children = (
-				50B5ACD52E87BCE40048733E /* SecretiveUpdater.entitlements */,
+				500666D02F04786900328939 /* SecretiveUpdater.entitlements */,
 				50692D232E6FDB8D0043C7BB /* Info.plist */,
 				50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */,
 				50692D242E6FDB8D0043C7BB /* main.swift */,
@@ -417,7 +410,7 @@
 		50692E662E6FF9E20043C7BB /* SecretAgentInputParser */ = {
 			isa = PBXGroup;
 			children = (
-				50B5ACD42E87BCDD0048733E /* SecretAgentInputParser.entitlements */,
+				500666D12F04787200328939 /* SecretAgentInputParser.entitlements */,
 				50692E622E6FF9E20043C7BB /* Info.plist */,
 				50692E632E6FF9E20043C7BB /* main.swift */,
 				50692E642E6FF9E20043C7BB /* SecretAgentInputParser.swift */,
@@ -430,6 +423,7 @@
 			children = (
 				508A590F241EEF6D0069DC07 /* Secretive.xctestplan */,
 				508A58AB241E121B0069DC07 /* Config.xcconfig */,
+				F418C9A82F0C57F000E9ADF8 /* OpenSource.xcconfig */,
 			);
 			path = Config;
 			sourceTree = "<group>";
@@ -448,11 +442,9 @@
 		508A58B1241ED1EA0069DC07 /* Controllers */ = {
 			isa = PBXGroup;
 			children = (
-				504788EB2E680DC400B4556F /* URLs.swift */,
 				508A58B2241ED2180069DC07 /* AgentStatusChecker.swift */,
 				5091D2BB25183B830049FD9B /* ApplicationDirectoryController.swift */,
 				50571E0224393C2600F76F6C /* JustUpdatedChecker.swift */,
-				50571E0424393D1500F76F6C /* LaunchAgentController.swift */,
 			);
 			path = Controllers;
 			sourceTree = "<group>";
@@ -514,6 +506,7 @@
 				5003EF5E2780081600DF2006 /* SecureEnclaveSecretKit */,
 				5003EF602780081600DF2006 /* SmartCardSecretKit */,
 				501421612781262300BBAA70 /* Brief */,
+				50E0145B2EDB9CDF00B121F1 /* Common */,
 			);
 			productName = Secretive;
 			productReference = 50617D7F23FCE48E0099B055 /* Secretive.app */;
@@ -555,6 +548,7 @@
 			name = SecretAgentInputParser;
 			packageProductDependencies = (
 				50692E6B2E6FFA510043C7BB /* SecretAgentKit */,
+				5002C3AA2EEF483300FFAD22 /* XPCWrappers */,
 			);
 			productName = SecretAgentInputParser;
 			productReference = 50692E502E6FF9D20043C7BB /* SecretAgentInputParser.xpc */;
@@ -584,6 +578,7 @@
 				5003EF40278005FA00DF2006 /* SecretKit */,
 				5003EF622780081B00DF2006 /* SecureEnclaveSecretKit */,
 				5003EF642780081B00DF2006 /* SmartCardSecretKit */,
+				50E0145D2EDB9CE400B121F1 /* Common */,
 			);
 			productName = SecretAgent;
 			productReference = 50A3B78A24026B7500D209EA /* SecretAgent.app */;
@@ -597,7 +592,7 @@
 			attributes = {
 				BuildIndependentTargetsInParallel = YES;
 				LastSwiftUpdateCheck = 2600;
-				LastUpgradeCheck = 2600;
+				LastUpgradeCheck = 2640;
 				ORGANIZATIONNAME = "Max Goedjen";
 				TargetAttributes = {
 					50617D7E23FCE48D0099B055 = {
@@ -659,6 +654,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				50B832C02F62202A00D2FCB8 /* InternetAccessPolicy.plist in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -694,7 +690,6 @@
 				2C4A9D2F2636FFD3008CC8E2 /* EditSecretView.swift in Sources */,
 				50E4C4532E73C78C00C73783 /* WindowBackgroundStyle.swift in Sources */,
 				5091D2BC25183B830049FD9B /* ApplicationDirectoryController.swift in Sources */,
-				504788EC2E680DC800B4556F /* URLs.swift in Sources */,
 				504789232E697DD300B4556F /* BoxBackgroundStyle.swift in Sources */,
 				5066A6C22516F303004B5A36 /* SetupView.swift in Sources */,
 				5065E313295517C500E16645 /* ToolbarButtonStyle.swift in Sources */,
@@ -704,14 +699,12 @@
 				50571E0324393C2600F76F6C /* JustUpdatedChecker.swift in Sources */,
 				5079BA0F250F29BF00EA86F4 /* StoreListView.swift in Sources */,
 				50617DD223FCEFA90099B055 /* PreviewStore.swift in Sources */,
-				50033AC327813F1700253856 /* BundleIDs.swift in Sources */,
 				50BDCB722E63BAF20072D2E7 /* AgentStatusView.swift in Sources */,
 				508A58B3241ED2180069DC07 /* AgentStatusChecker.swift in Sources */,
 				50C385A52407A76D00AF2719 /* SecretDetailView.swift in Sources */,
 				5099A02423FD2AAA0062B6F2 /* CreateSecretView.swift in Sources */,
 				50AE97002E5C1A420018C710 /* IntegrationsView.swift in Sources */,
 				50153E20250AFCB200525160 /* UpdateView.swift in Sources */,
-				50571E0524393D1500F76F6C /* LaunchAgentController.swift in Sources */,
 				5066A6C82516FE6E004B5A36 /* CopyableView.swift in Sources */,
 				50B8550D24138C4F009958AC /* DeleteSecretView.swift in Sources */,
 				50BB046B2418AAAE00D6E079 /* EmptyStoreView.swift in Sources */,
@@ -955,7 +948,7 @@
 				CURRENT_PROJECT_VERSION = 1;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
-				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -978,7 +971,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).Host";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
@@ -995,8 +988,7 @@
 				CURRENT_PROJECT_VERSION = 1;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
-				DEVELOPMENT_TEAM = Z72PRUAWF6;
-				"DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6;
+				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1019,10 +1011,9 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).Host";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "Secretive - Host";
-				"PROVISIONING_PROFILE_SPECIFIER[sdk=macosx*]" = "Secretive - Host";
 			};
 			name = Release;
 		};
@@ -1036,7 +1027,7 @@
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
-				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1059,7 +1050,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretiveUpdater";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
 				SKIP_INSTALL = YES;
@@ -1102,7 +1093,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretiveUpdater";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
 				SKIP_INSTALL = YES;
@@ -1124,7 +1115,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = "";
-				"DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6;
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = "$(SECRETIVE_DEVELOPMENT_TEAM)";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1147,7 +1138,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretiveUpdater";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				REGISTER_APP_GROUPS = YES;
@@ -1169,7 +1160,7 @@
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
-				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1182,7 +1173,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgentInputParser";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
 				SKIP_INSTALL = YES;
@@ -1215,7 +1206,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgentInputParser";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
 				SKIP_INSTALL = YES;
@@ -1237,7 +1228,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = "";
-				"DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6;
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = "$(SECRETIVE_DEVELOPMENT_TEAM)";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1250,7 +1241,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgentInputParser";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				REGISTER_APP_GROUPS = YES;
@@ -1344,13 +1335,11 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = Secretive/Secretive.entitlements;
-				CODE_SIGN_IDENTITY = "Apple Development";
-				CODE_SIGN_STYLE = Automatic;
+				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
-				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = NO;
@@ -1373,9 +1362,8 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).Host";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
 			name = Test;
 		};
@@ -1384,12 +1372,10 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = SecretAgent/SecretAgent.entitlements;
-				CODE_SIGN_IDENTITY = "Apple Development";
-				CODE_SIGN_STYLE = Automatic;
+				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
-				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1412,9 +1398,8 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgent";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
 			name = Test;
 		};
@@ -1427,7 +1412,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
-				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1450,7 +1435,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgent";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
 			name = Debug;
@@ -1465,7 +1450,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
-				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1488,7 +1473,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
+				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgent";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "Secretive - Secret Agent";
 			};
@@ -1550,6 +1535,10 @@
 /* End XCConfigurationList section */
 
 /* Begin XCSwiftPackageProductDependency section */
+		5002C3AA2EEF483300FFAD22 /* XPCWrappers */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = XPCWrappers;
+		};
 		5003EF3A278005E800DF2006 /* SecretKit */ = {
 			isa = XCSwiftPackageProductDependency;
 			productName = SecretKit;
@@ -1598,6 +1587,14 @@
 			isa = XCSwiftPackageProductDependency;
 			productName = SecretAgentKit;
 		};
+		50E0145B2EDB9CDF00B121F1 /* Common */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = Common;
+		};
+		50E0145D2EDB9CE400B121F1 /* Common */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = Common;
+		};
 /* End XCSwiftPackageProductDependency section */
 	};
 	rootObject = 50617D7723FCE48D0099B055 /* Project object */;

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/PackageTests.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2600"
+   LastUpgradeVersion = "2640"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -14,7 +14,8 @@
       shouldUseLaunchSchemeArgsEnv = "YES">
       <TestPlans>
          <TestPlanReference
-            reference = "container:Config/Secretive.xctestplan">
+            reference = "container:Config/Secretive.xctestplan"
+            default = "YES">
          </TestPlanReference>
       </TestPlans>
    </TestAction>

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgent.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2600"
+   LastUpgradeVersion = "2640"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/Secretive.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2600"
+   LastUpgradeVersion = "2640"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"

Sources/Secretive/App.swift

@@ -7,7 +7,7 @@ import Brief
 @main
 struct Secretive: App {
     
-    @Environment(\.agentStatusChecker) var agentStatusChecker
+    @Environment(\.agentLaunchController) var agentLaunchController
     @Environment(\.justUpdatedChecker) var justUpdatedChecker
 
     @SceneBuilder var body: some Scene {
@@ -15,14 +15,16 @@ struct Secretive: App {
             ContentView()
                 .environment(EnvironmentValues._secretStoreList)
                 .onReceive(NotificationCenter.default.publisher(for: NSApplication.didBecomeActiveNotification)) { _ in
-                    @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
-                    guard hasRunSetup else { return }
-                    agentStatusChecker.check()
-                    if agentStatusChecker.running && justUpdatedChecker.justUpdatedBuild {
-                        // Relaunch the agent, since it'll be running from earlier update still
-                        reinstallAgent()
-                    } else if !agentStatusChecker.running && !agentStatusChecker.developmentBuild {
-                        forceLaunchAgent()
+                    Task {
+                        @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
+                        @AppStorage("explicitlyDisabled") var explicitlyDisabled = false
+                        guard hasRunSetup && !explicitlyDisabled else { return }
+                        agentLaunchController.check()
+                        guard !agentLaunchController.developmentBuild else { return }
+                        if justUpdatedChecker.justUpdatedBuild || !agentLaunchController.running {
+                            // Relaunch the agent, since it'll be running from earlier update still
+                            try await agentLaunchController.forceLaunch()
+                        }
                     }
                 }
         }
@@ -79,30 +81,6 @@ extension Secretive {
 
 }
 
-extension Secretive {
-
-    private func reinstallAgent() {
-        Task {
-            _ = await LaunchAgentController().install()
-            try? await Task.sleep(for: .seconds(1))
-            agentStatusChecker.check()
-            if !agentStatusChecker.running {
-                forceLaunchAgent()
-            }
-        }
-    }
-
-    private func forceLaunchAgent() {
-        // We've run setup, we didn't just update, launchd is just not doing it's thing.
-        // Force a launch directly.
-        Task {
-            _ = await LaunchAgentController().forceLaunch()
-            agentStatusChecker.check()
-        }
-    }
-
-}
-
 private enum Constants {
     static let helpURL = URL(string: "https://github.com/maxgoedjen/secretive/blob/main/FAQ.md")!
 }
@@ -121,8 +99,8 @@ extension EnvironmentValues {
         return list
     }()
 
-    private static let _agentStatusChecker = AgentStatusChecker()
-    @Entry var agentStatusChecker: any AgentStatusCheckerProtocol = _agentStatusChecker
+    private static let _agentLaunchController = AgentLaunchController()
+    @Entry var agentLaunchController: any AgentLaunchControllerProtocol = _agentLaunchController
     private static let _updater: any UpdaterProtocol = {
         @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
         return Updater(checkOnLaunch: hasRunSetup)

Sources/Secretive/Controllers/AgentStatusChecker.swift

@@ -2,18 +2,26 @@ import Foundation
 import AppKit
 import SecretKit
 import Observation
+import OSLog
+import ServiceManagement
+import Common
 
-@MainActor protocol AgentStatusCheckerProtocol: Observable, Sendable {
+@MainActor protocol AgentLaunchControllerProtocol: Observable, Sendable {
     var running: Bool { get }
     var developmentBuild: Bool { get }
     var process: NSRunningApplication? { get }
     func check()
+    func install() async throws
+    func uninstall() async throws
+    func forceLaunch() async throws
 }
 
-@Observable @MainActor final class AgentStatusChecker: AgentStatusCheckerProtocol {
+@Observable @MainActor final class AgentLaunchController: AgentLaunchControllerProtocol {
 
     var running: Bool = false
     var process: NSRunningApplication? = nil
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "LaunchAgentController")
+    private let service = SMAppService.loginItem(identifier: Bundle.agentBundleID)
 
     nonisolated init() {
         Task { @MainActor in
@@ -33,7 +41,7 @@ import Observation
 
     // The process corresponding to this instance of Secretive
     var instanceSecretAgentProcess: NSRunningApplication? {
-        // FIXME: CHECK VERSION
+        // TODO: CHECK VERSION
         let agents = allSecretAgentProcesses
         for agent in agents {
             guard let url = agent.bundleURL else { continue }
@@ -49,6 +57,47 @@ import Observation
         Bundle.main.bundleURL.isXcodeURL
     }
 
+    func install() async throws {
+        logger.debug("Installing agent")
+        try? await service.unregister()
+        // This is definitely a bit of a "seems to work better" thing but:
+        // Seems to more reliably hit if these are on separate runloops, otherwise it seems like it sometimes doesn't kill old
+        // and start new?
+        try await Task.sleep(for: .seconds(1))
+        try service.register()
+        try await Task.sleep(for: .seconds(1))
+        check()
+    }
+
+    func uninstall() async throws {
+        logger.debug("Uninstalling agent")
+        try await Task.sleep(for: .seconds(1))
+        try await service.unregister()
+        try await Task.sleep(for: .seconds(1))
+        check()
+    }
+
+    func forceLaunch() async throws {
+        logger.debug("Agent is not running, attempting to force launch by reinstalling")
+        try await install()
+        if running {
+            logger.debug("Agent successfully force launched by reinstalling")
+            return
+        }
+        logger.debug("Agent is not running, attempting to force launch by launching directly")
+        let url = Bundle.main.bundleURL.appendingPathComponent("Contents/Library/LoginItems/SecretAgent.app")
+        let config = NSWorkspace.OpenConfiguration()
+        config.activates = false
+        do {
+            try await NSWorkspace.shared.openApplication(at: url, configuration: config)
+            logger.debug("Agent force launched")
+            try await Task.sleep(for: .seconds(1))
+        } catch {
+            logger.error("Error force launching \(error.localizedDescription)")
+        }
+        check()
+    }
+
 }
 
 extension URL {

Sources/Secretive/Controllers/LaunchAgentController.swift

@@ -1,65 +0,0 @@
-import Foundation
-import ServiceManagement
-import AppKit
-import OSLog
-import SecretKit
-
-struct LaunchAgentController {
-    
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "LaunchAgentController")
-
-    func install() async -> Bool {
-        logger.debug("Installing agent")
-        _ = setEnabled(false)
-        // This is definitely a bit of a "seems to work better" thing but:
-        // Seems to more reliably hit if these are on separate runloops, otherwise it seems like it sometimes doesn't kill old
-        // and start new?
-        try? await Task.sleep(for: .seconds(1))
-        let result = await MainActor.run {
-            setEnabled(true)
-        }
-        try? await Task.sleep(for: .seconds(1))
-        return result
-    }
-
-    func uninstall() async -> Bool {
-        logger.debug("Uninstalling agent")
-        try? await Task.sleep(for: .seconds(1))
-        let result = await MainActor.run {
-            setEnabled(false)
-        }
-        try? await Task.sleep(for: .seconds(1))
-        return result
-    }
-
-    func forceLaunch() async -> Bool {
-        logger.debug("Agent is not running, attempting to force launch")
-        let url = Bundle.main.bundleURL.appendingPathComponent("Contents/Library/LoginItems/SecretAgent.app")
-        let config = NSWorkspace.OpenConfiguration()
-        config.activates = false
-        do {
-            try await NSWorkspace.shared.openApplication(at: url, configuration: config)
-            logger.debug("Agent force launched")
-            try? await Task.sleep(for: .seconds(1))
-            return true
-        } catch {
-            logger.error("Error force launching \(error.localizedDescription)")
-            return false
-        }
-    }
-
-    private func setEnabled(_ enabled: Bool) -> Bool {
-        let service = SMAppService.loginItem(identifier: Bundle.agentBundleID)
-        do {
-            if enabled {
-                try service.register()
-            } else {
-                try service.unregister()
-            }
-            return true
-        } catch {
-            return false
-        }
-    }
-
-}

Sources/Secretive/Controllers/URLs.swift

@@ -1,25 +0,0 @@
-import Foundation
-
-extension URL {
-
-    static var agentHomeURL: URL {
-        URL(fileURLWithPath: URL.homeDirectory.path().replacingOccurrences(of: Bundle.hostBundleID, with: Bundle.agentBundleID))
-    }
-
-    static var socketPath: String {
-        URL.agentHomeURL.appendingPathComponent("socket.ssh").path()
-    }
-
-}
-
-extension String {
-
-    var normalizedPathAndFolder: (String, String) {
-        // All foundation-based normalization methods replace this with the container directly.
-        let processedPath = replacingOccurrences(of: "~", with: "/Users/\(NSUserName())")
-        let url = URL(filePath: processedPath)
-        let folder = url.deletingLastPathComponent().path()
-        return (processedPath, folder)
-    }
-
-}

Sources/Secretive/Preview Content/PreviewAgentStatusChecker.swift

@@ -1,7 +1,7 @@
 import Foundation
 import AppKit
 
-class PreviewAgentStatusChecker: AgentStatusCheckerProtocol {
+class PreviewAgentLaunchController: AgentLaunchControllerProtocol {
 
     let running: Bool
     let process: NSRunningApplication?
@@ -15,4 +15,13 @@ class PreviewAgentStatusChecker: AgentStatusCheckerProtocol {
     func check() {
     }
 
+    func install() async throws {
+    }
+
+    func uninstall() async throws {
+    }
+
+    func forceLaunch() async throws {
+    }
+
 }

Sources/Secretive/Secretive.entitlements

@@ -12,14 +12,14 @@
 	<true/>
 	<key>com.apple.security.hardened-process.dyld-ro</key>
 	<true/>
-	<key>com.apple.security.hardened-process.enhanced-security-version</key>
-	<integer>1</integer>
 	<key>com.apple.security.hardened-process.hardened-heap</key>
 	<true/>
-	<key>com.apple.security.hardened-process.platform-restrictions</key>
-	<integer>2</integer>
+	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
+	<string>1</string>
 	<key>com.apple.security.smartcard</key>
 	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
+	<string>2</string>
 	<key>keychain-access-groups</key>
 	<array>
 		<string>$(AppIdentifierPrefix)com.maxgoedjen.Secretive</string>

Sources/Secretive/Views/Configuration/SetupView.swift

@@ -3,6 +3,7 @@ import SwiftUI
 struct SetupView: View {
 
     @Environment(\.dismiss) private var dismiss
+    @Environment(\.agentLaunchController) private var agentLaunchController
     @Binding var setupComplete: Bool
 
     @State var showingIntegrations = false
@@ -31,7 +32,7 @@ struct SetupView: View {
                     ) {
                         installed = true
                         Task {
-                            await LaunchAgentController().install()
+                            try? await agentLaunchController.install()
                         }
                     }
                 }

Sources/Secretive/Views/Configuration/ToolConfigurationView.swift

@@ -1,5 +1,7 @@
 import SwiftUI
 import SecretKit
+import SSHProtocolKit
+import Common
 
 struct ToolConfigurationView: View {
 
@@ -10,6 +12,7 @@ struct ToolConfigurationView: View {
 
     @State var creating = false
     @State var selectedSecret: AnySecret?
+    @State var email = ""
 
     init(selectedInstruction: ConfigurationFileInstructions) {
         self.selectedInstruction = selectedInstruction
@@ -48,6 +51,12 @@ struct ToolConfigurationView: View {
                                     .tag(secret)
                             }
                         }
+                        TextField(text: $email, prompt: Text(.integrationsConfigureUsingEmailPlaceholder)) {
+                            Text(.integrationsConfigureUsingEmailTitle)
+                            Text(.integrationsConfigureUsingEmailSubtitle)
+                                .font(.subheadline)
+                                .foregroundStyle(.secondary)
+                        }
                     } header: {
                         Text(.integrationsConfigureUsingSecretHeader)
                     }
@@ -60,7 +69,7 @@ struct ToolConfigurationView: View {
                 Section {
                     ConfigurationItemView(title: .integrationsPathTitle, value: stepGroup.path, action: .revealInFinder(stepGroup.path))
                     ForEach(stepGroup.steps, id: \.self.key) { step in
-                        ConfigurationItemView(title: .integrationsAddThisTitle, action: .copy(String(localized: step))) {
+                        ConfigurationItemView(title: .integrationsAddThisTitle, action: .copy(placeholdersReplaced(text: String(localized: step)))) {
                             HStack {
                                 Text(placeholdersReplaced(text: String(localized: step)))
                                     .padding(8)
@@ -102,10 +111,11 @@ struct ToolConfigurationView: View {
     func placeholdersReplaced(text: String) -> String {
         guard let selectedSecret else { return text }
         let writer = OpenSSHPublicKeyWriter()
-        let fileController = PublicKeyFileStoreController(homeDirectory: URL.agentHomeURL)
+        let gitAllowedSignersString = [email.isEmpty ? String(localized: .integrationsConfigureUsingEmailPlaceholder) : email, writer.openSSHString(secret: selectedSecret)]
+            .joined(separator: " ")
         return text
-            .replacingOccurrences(of: Instructions.Constants.publicKeyPlaceholder, with: writer.openSSHString(secret: selectedSecret))
-            .replacingOccurrences(of: Instructions.Constants.publicKeyPathPlaceholder, with: fileController.publicKeyPath(for: selectedSecret))
+            .replacingOccurrences(of: Instructions.Constants.publicKeyPlaceholder, with: gitAllowedSignersString)
+            .replacingOccurrences(of: Instructions.Constants.publicKeyPathPlaceholder, with: URL.publicKeyPath(for: selectedSecret, in: URL.publicKeyDirectory))
     }
 
 }

Sources/Secretive/Views/Secrets/SecretDetailView.swift

@@ -1,12 +1,13 @@
 import SwiftUI
 import SecretKit
+import Common
+import SSHProtocolKit
 
 struct SecretDetailView<SecretType: Secret>: View {
     
     let secret: SecretType
 
     private let keyWriter = OpenSSHPublicKeyWriter()
-    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.agentHomeURL)
 
     var body: some View {
         ScrollView {
@@ -21,7 +22,7 @@ struct SecretDetailView<SecretType: Secret>: View {
                     CopyableView(title: .secretDetailPublicKeyLabel, image: Image(systemName: "key"), text: keyString)
                     Spacer()
                         .frame(height: 20)
-                    CopyableView(title: .secretDetailPublicKeyPathLabel, image: Image(systemName: "lock.doc"), text: publicKeyFileStoreController.publicKeyPath(for: secret), showRevealInFinder: true)
+                    CopyableView(title: .secretDetailPublicKeyPathLabel, image: Image(systemName: "lock.doc"), text: URL.publicKeyPath(for: secret, in: URL.publicKeyDirectory), showRevealInFinder: true)
                     Spacer()
                 }
             }

Sources/Secretive/Views/Secrets/SecretListItemView.swift

@@ -24,6 +24,18 @@ struct SecretListItemView: View {
                 Text(secret.name)
             }
         }
+        .sheet(isPresented: $isRenaming, onDismiss: {
+            renamedSecret(secret)
+        }, content: {
+            if let modifiable = store as? AnySecretStoreModifiable {
+                EditSecretView(store: modifiable, secret: secret)
+            }
+        })
+        .showingDeleteConfirmation(isPresented: $isDeleting, secret, store as? AnySecretStoreModifiable) { deleted in
+            if deleted {
+                deletedSecret(secret)
+            }
+        }
         .contextMenu {
             if store is AnySecretStoreModifiable {
                 Button(action: { isRenaming = true }) {
@@ -36,17 +48,5 @@ struct SecretListItemView: View {
                 }
             }
         }
-        .showingDeleteConfirmation(isPresented: $isDeleting, secret, store as? AnySecretStoreModifiable) { deleted in
-            if deleted {
-                deletedSecret(secret)
-            }
-        }
-        .sheet(isPresented: $isRenaming, onDismiss: {
-            renamedSecret(secret)
-        }, content: {
-            if let modifiable = store as? AnySecretStoreModifiable {
-                EditSecretView(store: modifiable, secret: secret)
-            }
-        })
     }
 }

Sources/Secretive/Views/Views/AgentStatusView.swift

@@ -2,10 +2,10 @@ import SwiftUI
 
 struct AgentStatusView: View {
 
-    @Environment(\.agentStatusChecker) private var agentStatusChecker: any AgentStatusCheckerProtocol
+    @Environment(\.agentLaunchController) private var agentLaunchController: any AgentLaunchControllerProtocol
 
     var body: some View {
-        if agentStatusChecker.running {
+        if agentLaunchController.running {
             AgentRunningView()
         } else {
             AgentNotRunningView()
@@ -14,12 +14,13 @@ struct AgentStatusView: View {
 }
 struct AgentRunningView: View {
 
-    @Environment(\.agentStatusChecker) private var agentStatusChecker: any AgentStatusCheckerProtocol
+    @Environment(\.agentLaunchController) private var agentLaunchController: any AgentLaunchControllerProtocol
+    @AppStorage("explicitlyDisabled") var explicitlyDisabled = false
 
     var body: some View {
         Form {
             Section {
-                if let process = agentStatusChecker.process {
+                if let process = agentLaunchController.process {
                     ConfigurationItemView(
                         title: .agentDetailsLocationTitle,
                         value: process.bundleURL!.path(),
@@ -53,19 +54,14 @@ struct AgentRunningView: View {
                         Menu(.agentDetailsRestartAgentButton) {
                             Button(.agentDetailsDisableAgentButton) {
                                 Task {
-                                    _ = await LaunchAgentController()
+                                    explicitlyDisabled = true
+                                    try? await agentLaunchController
                                         .uninstall()
-                                    agentStatusChecker.check()
                                 }
                             }
                         } primaryAction: {
                             Task {
-                                let controller = LaunchAgentController()
-                                let installed = await controller.install()
-                                if !installed {
-                                    _ = await controller.forceLaunch()
-                                }
-                                agentStatusChecker.check()
+                                try? await agentLaunchController.forceLaunch()
                             }
                         }
                     }
@@ -82,9 +78,10 @@ struct AgentRunningView: View {
 
 struct AgentNotRunningView: View {
 
-    @Environment(\.agentStatusChecker) private var agentStatusChecker: any AgentStatusCheckerProtocol
+    @Environment(\.agentLaunchController) private var agentLaunchController
     @State var triedRestart = false
     @State var loading = false
+    @AppStorage("explicitlyDisabled") var explicitlyDisabled = false
 
     var body: some View {
         Form {
@@ -100,18 +97,14 @@ struct AgentNotRunningView: View {
                         if !triedRestart {
                             Spacer()
                             Button {
+                                explicitlyDisabled = false
                                 guard !loading else { return }
                                 loading = true
                                 Task {
-                                    let controller = LaunchAgentController()
-                                    let installed = await controller.install()
-                                    if !installed {
-                                        _ = await controller.forceLaunch()
-                                    }
-                                    agentStatusChecker.check()
+                                    try await agentLaunchController.forceLaunch()
                                     loading = false
 
-                                    if !agentStatusChecker.running {
+                                    if !agentLaunchController.running {
                                         triedRestart = true
                                     }
                                 }
@@ -145,9 +138,9 @@ struct AgentNotRunningView: View {
 
 //#Preview {
 //    AgentStatusView()
-//        .environment(\.agentStatusChecker, PreviewAgentStatusChecker(running: false))
+//        .environment(\.agentLaunchController, PreviewAgentLaunchController(running: false))
 //}
 //#Preview {
 //    AgentStatusView()
-//        .environment(\.agentStatusChecker, PreviewAgentStatusChecker(running: true, process: .current))
+//        .environment(\.agentLaunchController, PreviewAgentLaunchController(running: true, process: .current))
 //}

Sources/Secretive/Views/Views/ContentView.swift

@@ -14,7 +14,7 @@ struct ContentView: View {
     @Environment(\.openWindow) private var openWindow
     @Environment(\.secretStoreList) private var storeList
     @Environment(\.updater) private var updater
-    @Environment(\.agentStatusChecker) private var agentStatusChecker
+    @Environment(\.agentLaunchController) private var agentLaunchController
 
     @AppStorage("defaultsHasRunSetup") private var hasRunSetup = false
     @State private var showingCreation = false
@@ -127,7 +127,7 @@ extension ContentView {
             showingAgentInfo = true
         }, label: {
             HStack {
-                if agentStatusChecker.running {
+                if agentLaunchController.running {
                     Text(.agentRunningNoticeTitle)
                         .font(.headline)
                         .foregroundColor(colorScheme == .light ? Color(white: 0.3) : .white)
@@ -145,8 +145,8 @@ extension ContentView {
         })
         .buttonStyle(
             ToolbarStatusButtonStyle(
-                lightColor: agentStatusChecker.running ? .black.opacity(0.05) : .red.opacity(0.75),
-                darkColor: agentStatusChecker.running ? .white.opacity(0.05) : .red.opacity(0.5),
+                lightColor: agentLaunchController.running ? .black.opacity(0.05) : .red.opacity(0.75),
+                darkColor: agentLaunchController.running ? .white.opacity(0.05) : .red.opacity(0.5),
             )
         )
         .popover(isPresented: $showingAgentInfo, attachmentAnchor: attachmentAnchor, arrowEdge: .bottom) {

Sources/SecretiveUpdater/SecretiveUpdater.entitlements

@@ -12,11 +12,11 @@
 	<true/>
 	<key>com.apple.security.hardened-process.dyld-ro</key>
 	<true/>
-	<key>com.apple.security.hardened-process.enhanced-security-version</key>
-	<integer>1</integer>
+	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
+	<string>1</string>
 	<key>com.apple.security.hardened-process.hardened-heap</key>
 	<true/>
-	<key>com.apple.security.hardened-process.platform-restrictions</key>
-	<integer>2</integer>
+	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
+	<string>2</string>
 </dict>
 </plist>

configure_team_id.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+TEAM_ID_FILE=Sources/Config/OpenSource.xcconfig
+
+function print_team_ids() {
+  echo ""
+  echo "FYI, here are the team IDs found in your Xcode preferences:"
+  echo ""
+  
+  XCODEPREFS="$HOME/Library/Preferences/com.apple.dt.Xcode.plist"
+  TEAM_KEYS=(`/usr/libexec/PlistBuddy -c "Print :IDEProvisioningTeams" "$XCODEPREFS" | perl -lne 'print $1 if /^    (\S*) =/'`)
+  
+  for KEY in $TEAM_KEYS 
+  do
+      i=0
+      while true ; do
+          NAME=$(/usr/libexec/PlistBuddy -c "Print :IDEProvisioningTeams:$KEY:$i:teamName" "$XCODEPREFS" 2>/dev/null)
+          TEAMID=$(/usr/libexec/PlistBuddy -c "Print :IDEProvisioningTeams:$KEY:$i:teamID" "$XCODEPREFS" 2>/dev/null)
+          
+          if [ $? -ne 0 ]; then
+              break
+          fi
+          
+          echo "$TEAMID - $NAME"
+          
+          i=$(($i + 1))
+      done
+  done
+}
+
+if [ -z "$1" ]; then
+  print_team_ids
+  echo ""
+  echo "> What is your Apple Developer Team ID? (looks like 1A23BDCD)"
+  read TEAM_ID
+else
+  TEAM_ID=$1
+fi
+
+if [ -z "$TEAM_ID" ]; then
+  echo "You must enter a team id"
+  print_team_ids
+  exit 1
+fi
+
+echo "Setting team ID to $TEAM_ID"
+
+echo "// This file was automatically generated, do not edit directly." > $TEAM_ID_FILE
+echo "" >> $TEAM_ID_FILE
+echo "SECRETIVE_BASE_BUNDLE_ID_OSS=${TEAM_ID}.com.example.Secretive" >> $TEAM_ID_FILE
+echo "SECRETIVE_DEVELOPMENT_TEAM_OSS=${TEAM_ID}" >> $TEAM_ID_FILE
+
+echo ""
+echo "Successfully generated configuration at $TEAM_ID_FILE, you may now build the app using the \"Secretive\" target"
+echo "You may need to close and re-open the project in Xcode if it's already open"
+echo ""