Update SecretListItemView.swift

Removed delete confirmation handling from SecretListItemView.
2026-04-10 03:07:22 +02:00 · 2025-12-13 20:10:46 -08:00
53 changed files with 196 additions and 796 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -37,7 +37,7 @@ jobs:
        build-mode: ${{ matrix.build-mode }}
    - if: matrix.build-mode == 'manual'
      name: "Select Xcode"
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
    - if: matrix.build-mode == 'manual'
      name: "Build"
      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -25,7 +25,7 @@ jobs:
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
    - name: Update Build Number
      env:
        RUN_ID: ${{ github.run_id }}
--- a/.github/workflows/oneoff.yml
+++ b/.github/workflows/oneoff.yml
@@ -24,7 +24,7 @@ jobs:
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
    - name: Update Build Number
      env:
        RUN_ID: ${{ github.run_id }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,7 +22,7 @@ jobs:
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
    - name: Test
      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
      # SPM doesn't seem to pick up on the tests currently?
@@ -47,7 +47,7 @@ jobs:
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
    - name: Update Build Number
      env:
        TAG_NAME: ${{ github.ref }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
    steps:
    - uses: actions/checkout@v5
    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
    - name: Test Main Packages
      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
      # SPM doesn't seem to pick up on the tests currently?
--- a/.gitignore
+++ b/.gitignore
@@ -93,7 +93,3 @@ iOSInjectionProject/
 Archive.xcarchive
 .DS_Store
 contents.xcworkspacedata
 # Per-User Configs
 Sources/Config/OpenSource.xcconfig
--- a/Package.swift
+++ b/Package.swift
@@ -22,9 +22,6 @@ let package = Package(
        .library(
            name: "SmartCardSecretKit",
            targets: ["SmartCardSecretKit"]),
        .library(
            name: "SSHProtocolKit",
            targets: ["SSHProtocolKit"]),
    ],
    dependencies: [
    ],
@@ -56,19 +53,6 @@ let package = Package(
            resources: [localization],
            swiftSettings: swiftSettings
        ),
        .target(
            name: "SSHProtocolKit",
            dependencies: ["SecretKit"],
            path: "Sources/Packages/Sources/SSHProtocolKit",
            resources: [localization],
            swiftSettings: swiftSettings,
        ),
        .testTarget(
            name: "SSHProtocolKitTests",
            dependencies: ["SSHProtocolKit"],
            path: "Sources/Packages/Tests/SSHProtocolKitTests",
            swiftSettings: swiftSettings,
        ),
    ]
 )
--- a/Sources/Config/Config.xcconfig
+++ b/Sources/Config/Config.xcconfig
@@ -1,8 +1,3 @@
 CI_VERSION = GITHUB_CI_VERSION
 CI_BUILD_NUMBER = GITHUB_BUILD_NUMBER
 CI_BUILD_LINK = GITHUB_BUILD_URL
 #include? "OpenSource.xcconfig"
 SECRETIVE_BASE_BUNDLE_ID = $(SECRETIVE_BASE_BUNDLE_ID_OSS:default=com.maxgoedjen.Secretive)
 SECRETIVE_DEVELOPMENT_TEAM = $(SECRETIVE_DEVELOPMENT_TEAM_OSS:default=Z72PRUAWF6)
--- a/Sources/Packages/Package.swift
+++ b/Sources/Packages/Package.swift
@@ -21,7 +21,7 @@ let package = Package(
            targets: ["SmartCardSecretKit"]),
        .library(
            name: "SecretAgentKit",
-            targets: ["SecretAgentKit"]),
+            targets: ["SecretAgentKit", "XPCWrappers"]),
        .library(
            name: "Common",
            targets: ["Common"]),
@@ -31,9 +31,6 @@ let package = Package(
        .library(
            name: "XPCWrappers",
            targets: ["XPCWrappers"]),
        .library(
            name: "SSHProtocolKit",
            targets: ["SSHProtocolKit"]),
    ],
    dependencies: [
    ],
@@ -46,7 +43,7 @@ let package = Package(
        ),
        .testTarget(
            name: "SecretKitTests",
-            dependencies: ["SecretKit", "SecretAgentKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"],
+            dependencies: ["SecretKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"],
            swiftSettings: swiftSettings,
        ),
        .target(
@@ -63,7 +60,7 @@ let package = Package(
        ),
        .target(
            name: "SecretAgentKit",
-            dependencies: ["SecretKit", "SSHProtocolKit", "Common"],
+            dependencies: ["SecretKit"],
            resources: [localization],
            swiftSettings: swiftSettings,
        ),
@@ -71,26 +68,15 @@ let package = Package(
            name: "SecretAgentKitTests",
            dependencies: ["SecretAgentKit"],
        ),
        .target(
            name: "SSHProtocolKit",
            dependencies: ["SecretKit"],
            resources: [localization],
            swiftSettings: swiftSettings,
        ),
        .testTarget(
            name: "SSHProtocolKitTests",
            dependencies: ["SSHProtocolKit"],
            swiftSettings: swiftSettings,
        ),
        .target(
            name: "Common",
-            dependencies: ["SSHProtocolKit", "SecretKit"],
+            dependencies: [],
            resources: [localization],
            swiftSettings: swiftSettings,
        ),
        .target(
            name: "Brief",
-            dependencies: ["XPCWrappers", "SSHProtocolKit"],
+            dependencies: ["XPCWrappers"],
            resources: [localization],
            swiftSettings: swiftSettings,
        ),
--- a/Sources/Packages/Sources/Common/URLs.swift
+++ b/Sources/Packages/Sources/Common/URLs.swift
@@ -1,6 +1,4 @@
 import Foundation
 import SSHProtocolKit
 import SecretKit
 extension URL {
@@ -16,20 +14,6 @@ extension URL {
        #endif
    }
    public static var publicKeyDirectory: URL {
        agentHomeURL.appending(component: "PublicKeys")
    }
    /// The path for a Secret's public key.
    /// - Parameter secret: The Secret to return the path for.
    /// - Returns: The path to the Secret's public key.
    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
    public static func publicKeyPath<SecretType: Secret>(for secret: SecretType, in directory: URL) -> String {
        let keyWriter = OpenSSHPublicKeyWriter()
        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
        return directory.appending(component: "\(minimalHex).pub").path()
    }
 }
 extension String {
@@ -43,4 +27,3 @@ extension String {
    }
 }
--- a/Sources/Packages/Sources/SSHProtocolKit/Data+Hex.swift
+++ b/Sources/Packages/Sources/SSHProtocolKit/Data+Hex.swift
@@ -1,37 +0,0 @@
 import Foundation
 import CryptoKit
 public struct HexDataStyle<SequenceType: Sequence>: Hashable, Codable {
    let separator: String
    public init(separator: String) {
        self.separator = separator
    }
 }
 extension HexDataStyle: FormatStyle where SequenceType.Element == UInt8 {
    public func format(_ value: SequenceType) -> String {
        value
            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
            .joined(separator: separator)
    }
 }
 extension FormatStyle where Self == HexDataStyle<Data> {
    public static func hex(separator: String = "") -> HexDataStyle<Data> {
        HexDataStyle(separator: separator)
    }
 }
 extension FormatStyle where Self == HexDataStyle<Insecure.MD5Digest> {
    public static func hex(separator: String = ":") -> HexDataStyle<Insecure.MD5Digest> {
        HexDataStyle(separator: separator)
    }
 }
--- a/Sources/Packages/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
@@ -3,7 +3,6 @@ import CryptoKit
 import OSLog
 import SecretKit
 import AppKit
 import SSHProtocolKit
 /// The `Agent` is an implementation of an SSH agent. It manages coordination and access between a socket, traces requests, notifies witnesses and passes requests to stores.
 public final class Agent: Sendable {
@@ -14,7 +13,6 @@ public final class Agent: Sendable {
    private let signatureWriter = OpenSSHSignatureWriter()
    private let certificateHandler = OpenSSHCertificateHandler()
    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
    private let authorizationCoordinator = AuthorizationCoordinator()
    /// Initializes an agent with a store list and a witness.
    /// - Parameters:
@@ -103,19 +101,8 @@ extension Agent {
            throw NoMatchingKeyError()
        }
        let decision = try await authorizationCoordinator.waitForAccessIfNeeded(to: secret, provenance: provenance)
        switch decision {
        case .proceed:
            break
        case .promptForSharedAuth:
            do {
                try await store.persistAuthentication(secret: secret, forProvenance: provenance)
                await authorizationCoordinator.completedPersistence(secret: secret, forProvenance: provenance)
            } catch {
                await authorizationCoordinator.didNotCompletePersistence(secret: secret, forProvenance: provenance)
            }
        }
        try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
        let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance)
        let signedData = signatureWriter.data(secret: secret, signature: rawRepresentation)
--- a/Sources/Packages/Sources/SecretAgentKit/AuthorizationCoordinator.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/AuthorizationCoordinator.swift
@@ -1,105 +0,0 @@
 import Foundation
 import SecretKit
 import os
 import LocalAuthentication
 struct PendingRequest: Identifiable, Hashable, CustomStringConvertible {
    let id: UUID = UUID()
    let secret: AnySecret
    let provenance: SigningRequestProvenance
    var description: String {
        "\(id.uuidString) - \(secret.name) \(provenance.origin.displayName)"
    }
    func batchable(with request: PendingRequest) -> Bool {
        secret == request.secret &&
        provenance.isSameProvenance(as: request.provenance)
    }
 }
 enum Decision {
    case proceed
    case promptForSharedAuth
 }
 actor RequestHolder {
    var pending: [PendingRequest] = []
    var authorizing: PendingRequest?
    var preauthorized: PendingRequest?
    func addPending(_ request: PendingRequest) {
        pending.append(request)
    }
    func advanceIfIdle() {
    }
    func shouldBlock(_ request: PendingRequest) -> Bool {
        guard request != authorizing else { return false }
        if let preauthorized, preauthorized.batchable(with: request) {
            print("Batching: \(request)")
            pending.removeAll(where: { $0 == request })
            return false
        }
        return authorizing == nil && authorizing.
    }
    func clear() {
        if let preauthorized, allBatchable(with: preauthorized).isEmpty {
            self.preauthorized = nil
        }
    }
    func allBatchable(with request: PendingRequest) -> [PendingRequest] {
        pending.filter { $0.batchable(with: request) }
    }
    func completedPersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) {
        self.preauthorized = PendingRequest(secret: secret, provenance: provenance)
    }
    func didNotCompletePersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) {
        self.preauthorized = nil
    }
 }
 final class AuthorizationCoordinator: Sendable {
    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AuthorizationCoordinator")
    private let holder = RequestHolder()
    public func waitForAccessIfNeeded(to secret: AnySecret, provenance: SigningRequestProvenance) async throws -> Decision {
        // Block on unknown, since we don't really have any way to check.
        if secret.authenticationRequirement == .unknown {
            logger.warning("\(secret.name) has unknown authentication requirement.")
        }
        guard secret.authenticationRequirement != .notRequired else {
            logger.debug("\(secret.name) does not require authentication, continuing.")
            return .proceed
        }
        logger.debug("\(secret.name) requires authentication.")
        let pending = PendingRequest(secret: secret, provenance: provenance)
        await holder.addPending(pending)
        while await holder.shouldBlock(pending) {
            logger.debug("\(pending) waiting.")
            try await Task.sleep(for: .milliseconds(100))
        }
        if await holder.preauthorized == nil, await holder.allBatchable(with: pending).count > 0 {
            logger.debug("\(pending) batch suggestion.")
            return .promptForSharedAuth
        }
        logger.debug("\(pending) continuing")
        return .proceed
    }
    func completedPersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async {
        await holder.completedPersistence(secret: secret, forProvenance: provenance)
    }
    func didNotCompletePersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async {
        await holder.didNotCompletePersistence(secret: secret, forProvenance: provenance)
    }
 }
--- a/Sources/Packages/Sources/SecretAgentKit/OpenSSHCertificateHandler.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/OpenSSHCertificateHandler.swift
@@ -1,12 +1,11 @@
 import Foundation
 import OSLog
 import SecretKit
 import SSHProtocolKit
 /// Manages storage and lookup for OpenSSH certificates.
 public actor OpenSSHCertificateHandler: Sendable {
-    private let publicKeyFileStoreController = PublicKeyFileStoreController(directory: URL.publicKeyDirectory)
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.homeDirectory)
    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "OpenSSHCertificateHandler")
    private let writer = OpenSSHPublicKeyWriter()
    private var keyBlobsAndNames: [AnySecret: (Data, Data)] = [:]
--- a/Sources/Packages/Sources/SecretAgentKit/OpenSSHReader.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/OpenSSHReader.swift
@@ -1,49 +1,42 @@
 import Foundation
 /// Reads OpenSSH protocol data.
-public final class OpenSSHReader {
+final class OpenSSHReader {
    var remaining: Data
    var done = false
    /// Initialize the reader with an OpenSSH data payload.
    /// - Parameter data: The data to read.
-    public init(data: Data) {
+    init(data: Data) {
        remaining = Data(data)
    }
    /// Reads the next chunk of data from the playload.
    /// - Returns: The next chunk of data.
-    public func readNextChunk(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> Data {
+    func readNextChunk(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> Data {
-        let length = try readNextBytes(as: UInt32.self, convertEndianness: convertEndianness)
+        let littleEndianLength = try readNextBytes(as: UInt32.self)
        let length = convertEndianness ? Int(littleEndianLength.bigEndian) : Int(littleEndianLength)
        guard remaining.count >= length else { throw .beyondBounds }
-        let dataRange = 0..<Int(length)
+        let dataRange = 0..<length
        let ret = Data(remaining[dataRange])
        remaining.removeSubrange(dataRange)
        if remaining.isEmpty {
            done = true
        }
        return ret
    }
-    public func readNextBytes<T: FixedWidthInteger>(as: T.Type, convertEndianness: Bool = true) throws(OpenSSHReaderError) -> T {
+    func readNextBytes<T>(as: T.Type) throws(OpenSSHReaderError) -> T {
        let size = MemoryLayout<T>.size
        guard remaining.count >= size else { throw .beyondBounds }
        let lengthRange = 0..<size
        let lengthChunk = remaining[lengthRange]
        remaining.removeSubrange(lengthRange)
-        if remaining.isEmpty {
+        return unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
            done = true
        }
        let value = unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
        return convertEndianness ? T(value.bigEndian) : T(value)
    }
-    public func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {
+    func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {
        try String(decoding: readNextChunk(convertEndianness: convertEndianness), as: UTF8.self)
    }
-    public func readNextChunkAsSubReader(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> OpenSSHReader {
+    func readNextChunkAsSubReader(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> OpenSSHReader {
        OpenSSHReader(data: try readNextChunk(convertEndianness: convertEndianness))
    }
--- a/Sources/Packages/Sources/SecretAgentKit/SSHAgentInputParser.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SSHAgentInputParser.swift
@@ -1,7 +1,6 @@
 import Foundation
 import OSLog
 import SecretKit
 import SSHProtocolKit
 public protocol SSHAgentInputParserProtocol {
--- a/Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift
--- a/Sources/Packages/Sources/SecretKit/Convenience/PersistentAuthenticationHandler.swift
+++ b/Sources/Packages/Sources/SecretKit/Convenience/PersistentAuthenticationHandler.swift
@@ -1,95 +0,0 @@
 import LocalAuthentication
 /// A context describing a persisted authentication.
 package struct PersistentAuthenticationContext<SecretType: Secret>: PersistedAuthenticationContext {
    /// The Secret to persist authentication for.
    let secret: SecretType
    /// The LAContext used to authorize the persistent context.
    package nonisolated(unsafe) let context: LAContext
    /// An expiration date for the context.
    /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
    let monotonicExpiration: UInt64
    /// Initializes a context.
    /// - Parameters:
    ///   - secret: The Secret to persist authentication for.
    ///   - context: The LAContext used to authorize the persistent context.
    ///   - duration: The duration of the authorization context, in seconds.
    init(secret: SecretType, context: LAContext, duration: TimeInterval) {
        self.secret = secret
        unsafe self.context = context
        let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
        self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
    }
    /// A boolean describing whether or not the context is still valid.
    package var valid: Bool {
        clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
    }
    package var expiration: Date {
        let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
        let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
        return Date(timeIntervalSinceNow: remainingInSeconds)
    }
 }
 struct ScopedPersistentAuthenticationContext<SecretType: Secret>: Hashable {
    let provenance: SigningRequestProvenance
    let secret: SecretType
 }
 package actor PersistentAuthenticationHandler<SecretType: Secret>: Sendable {
    private var unscopedPersistedAuthenticationContexts: [SecretType: PersistentAuthenticationContext<SecretType>] = [:]
    private var scopedPersistedAuthenticationContexts: [ScopedPersistentAuthenticationContext<SecretType>: PersistentAuthenticationContext<SecretType>] = [:]
    package init() {
    }
    package func existingPersistedAuthenticationContext(secret: SecretType, provenance: SigningRequestProvenance) -> PersistentAuthenticationContext<SecretType>? {
        if let unscopedPersistence = unscopedPersistedAuthenticationContexts[secret], unscopedPersistence.valid {
            return unscopedPersistence
        }
        if let scopedPersistence = scopedPersistedAuthenticationContexts[.init(provenance: provenance, secret: secret)], scopedPersistence.valid {
            return scopedPersistence
        }
        return nil
    }
    package func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws {
        let newContext = LAContext()
        newContext.touchIDAuthenticationAllowableReuseDuration = duration
        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
        let formatter = DateComponentsFormatter()
        formatter.unitsStyle = .spellOut
        formatter.allowedUnits = [.hour, .minute, .day]
        let durationString = formatter.string(from: duration)!
        newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
        guard success else { return }
        let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
        unscopedPersistedAuthenticationContexts[secret] = context
    }
    package func persistAuthentication(secret: SecretType, provenance: SigningRequestProvenance) async throws {
        let newContext = LAContext()
        // FIXME: TEMPORARY
        let duration: TimeInterval = 10000
        newContext.touchIDAuthenticationAllowableReuseDuration = duration
        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
        newContext.localizedReason = "Batch requests"
        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
        guard success else { return }
        let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
        scopedPersistedAuthenticationContexts[.init(provenance: provenance, secret: secret)] = context
    }
 }
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
@@ -9,9 +9,8 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
    private let _name: @MainActor @Sendable () -> String
    private let _secrets: @MainActor @Sendable () -> [AnySecret]
    private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance) async throws -> Data
-    private let _existingPersistedAuthenticationContext: @Sendable (AnySecret, SigningRequestProvenance) async -> PersistedAuthenticationContext?
+    private let _existingPersistedAuthenticationContext: @Sendable (AnySecret) async -> PersistedAuthenticationContext?
-    private let _persistAuthenticationForDuration: @Sendable (AnySecret, TimeInterval) async throws -> Void
+    private let _persistAuthentication: @Sendable (AnySecret, TimeInterval) async throws -> Void
    private let _persistAuthenticationForProvenance: @Sendable (AnySecret, SigningRequestProvenance) async throws -> Void
    private let _reloadSecrets: @Sendable () async -> Void
    public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
@@ -21,9 +20,8 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
        _id = { secretStore.id }
        _secrets = { secretStore.secrets.map { AnySecret($0) } }
        _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
-        _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType, provenance: $1) }
+        _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
-        _persistAuthenticationForDuration = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
+        _persistAuthentication = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
        _persistAuthenticationForProvenance = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forProvenance: $1) }
        _reloadSecrets = { await secretStore.reloadSecrets() }
    }
@@ -47,16 +45,12 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
        try await _sign(data, secret, provenance)
    }
-    public func existingPersistedAuthenticationContext(secret: AnySecret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+    public func existingPersistedAuthenticationContext(secret: AnySecret) async -> PersistedAuthenticationContext? {
-        await _existingPersistedAuthenticationContext(secret, provenance)
+        await _existingPersistedAuthenticationContext(secret)
    }
    public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) async throws {
-        try await _persistAuthenticationForDuration(secret, duration)
+        try await _persistAuthentication(secret, duration)
    }
    public func persistAuthentication(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async throws {
        try await _persistAuthenticationForProvenance(secret, provenance)
    }
    public func reloadSecrets() async {
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/LengthAndData.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/LengthAndData.swift
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHPublicKeyWriter.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHPublicKeyWriter.swift
@@ -1,6 +1,5 @@
 import Foundation
 import CryptoKit
 import SecretKit
 /// Generates OpenSSH representations of the public key sof secrets.
 public struct OpenSSHPublicKeyWriter: Sendable {
@@ -50,7 +49,9 @@ public struct OpenSSHPublicKeyWriter: Sendable {
    /// Generates an OpenSSH MD5 fingerprint string.
    /// - Returns: OpenSSH MD5 fingerprint string.
    public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
-        Insecure.MD5.hash(data: data(secret: secret)).formatted(.hex(separator: ":"))
+        Insecure.MD5.hash(data: data(secret: secret))
            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
            .joined(separator: ":")
    }
    public func comment<SecretType: Secret>(secret: SecretType) -> String {
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHSignatureWriter.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHSignatureWriter.swift
@@ -1,6 +1,5 @@
 import Foundation
 import CryptoKit
 import SecretKit
 /// Generates OpenSSH representations of Secrets.
 public struct OpenSSHSignatureWriter: Sendable {
@@ -30,28 +29,19 @@ public struct OpenSSHSignatureWriter: Sendable {
 extension OpenSSHSignatureWriter {
    /// Converts a fixed-width big-endian integer (e.g. r/s from CryptoKit rawRepresentation) into an SSH mpint.
    /// Strips unnecessary leading zeros and prefixes `0x00` if needed to keep the value positive.
    private func mpint(fromFixedWidthPositiveBytes bytes: Data) -> Data {
        // mpint zero is encoded as a string with zero bytes of data.
        guard let firstNonZeroIndex = bytes.firstIndex(where: { $0 != 0x00 }) else {
            return Data()
        }
        let trimmed = Data(bytes[firstNonZeroIndex...])
        if let first = trimmed.first, first >= 0x80 {
            var prefixed = Data([0x00])
            prefixed.append(trimmed)
            return prefixed
        }
        return trimmed
    }
    func ecdsaSignature(_ rawRepresentation: Data, keyType: KeyType) -> Data {
        let rawLength = rawRepresentation.count/2
-        let r = mpint(fromFixedWidthPositiveBytes: Data(rawRepresentation[0..<rawLength]))
+        // Check if we need to pad with 0x00 to prevent certain
-        let s = mpint(fromFixedWidthPositiveBytes: Data(rawRepresentation[rawLength...]))
+        // ssh servers from thinking r or s is negative
        let paddingRange: ClosedRange<UInt8> = 0x80...0xFF
        var r = Data(rawRepresentation[0..<rawLength])
        if paddingRange ~= r.first! {
            r.insert(0x00, at: 0)
        }
        var s = Data(rawRepresentation[rawLength...])
        if paddingRange ~= s.first! {
            s.insert(0x00, at: 0)
        }
        var signatureChunk = Data()
        signatureChunk.append(r.lengthAndData)
--- a/Sources/Packages/Sources/SecretAgentKit/PublicKeyStandinFileController.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/PublicKeyStandinFileController.swift
@@ -1,8 +1,5 @@
 import Foundation
 import OSLog
 import SecretKit
 import SSHProtocolKit
 import Common
 /// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
 public final class PublicKeyFileStoreController: Sendable {
@@ -12,8 +9,8 @@ public final class PublicKeyFileStoreController: Sendable {
    private let keyWriter = OpenSSHPublicKeyWriter()
    /// Initializes a PublicKeyFileStoreController.
-    public init(directory: URL) {
+    public init(homeDirectory: URL) {
-        self.directory = directory
+        directory = homeDirectory.appending(component: "PublicKeys")
    }
    /// Writes out the keys specified to disk.
@@ -22,7 +19,7 @@ public final class PublicKeyFileStoreController: Sendable {
    public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
        logger.log("Writing public keys to disk")
        if clear {
-            let validPaths = Set(secrets.map { URL.publicKeyPath(for: $0, in: directory) })
+            let validPaths = Set(secrets.map { publicKeyPath(for: $0) })
                .union(Set(secrets.map { sshCertificatePath(for: $0) }))
            let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: directory.path())) ?? []
            let fullPathContents = contentsOfDirectory.map { directory.appending(path: $0).path() }
@@ -36,13 +33,21 @@ public final class PublicKeyFileStoreController: Sendable {
        }
        try? FileManager.default.createDirectory(at: directory, withIntermediateDirectories: false, attributes: nil)
        for secret in secrets {
-            let path = URL.publicKeyPath(for: secret, in: directory)
+            let path = publicKeyPath(for: secret)
            let data = Data(keyWriter.openSSHString(secret: secret).utf8)
            FileManager.default.createFile(atPath: path, contents: data, attributes: nil)
        }
        logger.log("Finished writing public keys")
    }
    /// The path for a Secret's public key.
    /// - Parameter secret: The Secret to return the path for.
    /// - Returns: The path to the Secret's public key.
    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
    public func publicKeyPath<SecretType: Secret>(for secret: SecretType) -> String {
        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
        return directory.appending(component: "\(minimalHex).pub").path()
    }
    /// Short-circuit check to ship enumerating a bunch of paths if there's nothing in the cert directory.
    public var hasAnyCertificates: Bool {
--- a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
@@ -26,7 +26,7 @@ public protocol SecretStore<SecretType>: Identifiable, Sendable {
    /// - Parameters:
    ///   - secret: The ``Secret`` to check if there is a persisted authentication for.
    /// - Returns: A persisted authentication context, if a valid one exists.
-    func existingPersistedAuthenticationContext(secret: SecretType, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext?
+    func existingPersistedAuthenticationContext(secret: SecretType) async -> PersistedAuthenticationContext?
    /// Persists user authorization for access to a secret.
    /// - Parameters:
@@ -35,8 +35,6 @@ public protocol SecretStore<SecretType>: Identifiable, Sendable {
    ///  - Note: This is used for temporarily unlocking access to a secret which would otherwise require authentication every single use. This is useful for situations where the user anticipates several rapid accesses to a authorization-guarded secret.
    func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws
    func persistAuthentication(secret: SecretType, forProvenance provenance: SigningRequestProvenance) async throws
    /// Requests that the store reload secrets from any backing store, if neccessary.
    func reloadSecrets() async
--- a/Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift
@@ -2,7 +2,7 @@ import Foundation
 import AppKit
 /// Describes the chain of applications that requested a signature operation.
-public struct SigningRequestProvenance: Equatable, Sendable, Hashable {
+public struct SigningRequestProvenance: Equatable, Sendable {
    /// A list of processes involved in the request.
    /// - Note: A chain will typically consist of many elements even for a simple request. For example, running `git fetch` in Terminal.app would generate a request chain of `ssh` -> `git` -> `zsh` -> `login` -> `Terminal.app`
@@ -25,16 +25,12 @@ extension SigningRequestProvenance {
        chain.allSatisfy { $0.validSignature }
    }
    public func isSameProvenance(as other: SigningRequestProvenance) -> Bool {
        zip(chain, other.chain).allSatisfy { $0.isSameProcess(as: $1) }
    }
 }
 extension SigningRequestProvenance {
    /// Describes a process in a `SigningRequestProvenance` chain.
-    public struct Process: Equatable, Sendable, Hashable {
+    public struct Process: Equatable, Sendable {
        /// The pid of the process.
        public let pid: Int32
@@ -75,15 +71,6 @@ extension SigningRequestProvenance {
            appName ?? processName
        }
        // Whether the
        public func isSameProcess(as other: Process) -> Bool {
            processName == other.processName &&
            appName == other.appName &&
            iconURL == other.iconURL &&
            path == other.path &&
            validSignature == other.validSignature
        }
    }
 }
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/PersistentAuthenticationHandler.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/PersistentAuthenticationHandler.swift
@@ -0,0 +1,70 @@
 import LocalAuthentication
 import SecretKit
 extension SecureEnclave {
    /// A context describing a persisted authentication.
    final class PersistentAuthenticationContext: PersistedAuthenticationContext {
        /// The Secret to persist authentication for.
        let secret: Secret
        /// The LAContext used to authorize the persistent context.
        nonisolated(unsafe) let context: LAContext
        /// An expiration date for the context.
        /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
        let monotonicExpiration: UInt64
        /// Initializes a context.
        /// - Parameters:
        ///   - secret: The Secret to persist authentication for.
        ///   - context: The LAContext used to authorize the persistent context.
        ///   - duration: The duration of the authorization context, in seconds.
        init(secret: Secret, context: LAContext, duration: TimeInterval) {
            self.secret = secret
            unsafe self.context = context
            let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
            self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
        }
        /// A boolean describing whether or not the context is still valid.
        var valid: Bool {
            clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
        }
        var expiration: Date {
            let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
            let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
            return Date(timeIntervalSinceNow: remainingInSeconds)
        }
    }
    actor PersistentAuthenticationHandler: Sendable {
        private var persistedAuthenticationContexts: [Secret: PersistentAuthenticationContext] = [:]
        func existingPersistedAuthenticationContext(secret: Secret) -> PersistentAuthenticationContext? {
            guard let persisted = persistedAuthenticationContexts[secret], persisted.valid else { return nil }
            return persisted
        }
        func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
            let newContext = LAContext()
            newContext.touchIDAuthenticationAllowableReuseDuration = duration
            newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
            let formatter = DateComponentsFormatter()
            formatter.unitsStyle = .spellOut
            formatter.allowedUnits = [.hour, .minute, .day]
            let durationString = formatter.string(from: duration)!
            newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
            let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
            guard success else { return }
            let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
            persistedAuthenticationContexts[secret] = context
        }
    }
 }
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
@@ -17,7 +17,7 @@ extension SecureEnclave {
        }
        public let id = UUID()
        public let name = String(localized: .secureEnclave)
-        private let persistentAuthenticationHandler = PersistentAuthenticationHandler<Secret>()
+        private let persistentAuthenticationHandler = PersistentAuthenticationHandler()
        /// Initializes a Store.
        @MainActor public init() {
@@ -39,7 +39,7 @@ extension SecureEnclave {
        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
            var context: LAContext
-            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) {
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret) {
                context = unsafe existing.context
            } else {
                let newContext = LAContext()
@@ -88,18 +88,14 @@ extension SecureEnclave {
        }
-        public func existingPersistedAuthenticationContext(secret: Secret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+        public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? {
-            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance)
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret)
        }
        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
        }
        public func persistAuthentication(secret: SecureEnclave.Secret, forProvenance provenance: SigningRequestProvenance) async throws {
            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, provenance: provenance)
        }
        @MainActor public func reloadSecrets() {
            let before = secrets
            secrets.removeAll()
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@@ -34,7 +34,6 @@ extension SmartCard {
        public var secrets: [Secret] {
            state.secrets
        }
        private let persistentAuthenticationHandler = PersistentAuthenticationHandler<Secret>()
        /// Initializes a Store.
        public init() {
@@ -59,15 +58,9 @@ extension SmartCard {
        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
            guard let tokenID = await state.tokenID else { fatalError() }
-            var context: LAContext
+            let context = LAContext()
-            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) {
+            context.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
-                context = unsafe existing.context
+            context.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
            } else {
                let newContext = LAContext()
                newContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
                newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
                context = newContext
            }
            let attributes = KeychainDictionary([
                kSecClass: kSecClassKey,
                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
@@ -93,16 +86,11 @@ extension SmartCard {
            return signature as Data
        }
-        public func existingPersistedAuthenticationContext(secret: Secret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+        public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? {
-            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance)
+            nil
        }
-        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
+        public func persistAuthentication(secret: Secret, forDuration: TimeInterval) throws {
            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
        }
        public func persistAuthentication(secret: Secret, forProvenance provenance: SigningRequestProvenance) async throws {
            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, provenance: provenance)
        }
        /// Reloads all secrets from the store.
@@ -175,7 +163,7 @@ extension SmartCard.Store {
            let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!
            let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]
            let publicKey = publicKeyAttributes[kSecValueData] as! Data
-            let attributes = Attributes(keyType: KeyType(secAttr: algorithmSecAttr, size: keySize)!, authentication: .presenceRequired)
+            let attributes = Attributes(keyType: KeyType(secAttr: algorithmSecAttr, size: keySize)!, authentication: .unknown)
            let secret = SmartCard.Secret(id: tokenID, name: name, publicKey: publicKey, attributes: attributes)
            guard signatureAlgorithm(for: secret) != nil else { return nil }
            return secret
--- a/Sources/Packages/Sources/XPCWrappers/TeamID.swift
+++ b/Sources/Packages/Sources/XPCWrappers/TeamID.swift
@@ -1,26 +0,0 @@
 import Foundation
 extension ProcessInfo {
    private static let fallbackTeamID = "Z72PRUAWF6"
    private static let teamID: String = {
        #if DEBUG
        guard let task = SecTaskCreateFromSelf(nil) else {
            assertionFailure("SecTaskCreateFromSelf failed")
            return fallbackTeamID
        }
        guard let value = SecTaskCopyValueForEntitlement(task, "com.apple.developer.team-identifier" as CFString, nil) as? String else {
 //            assertionFailure("SecTaskCopyValueForEntitlement(com.apple.developer.team-identifier) failed")
            return fallbackTeamID
        }
        return value
        #else
        /// Always use hardcoded team ID for release builds, just in case.
        return fallbackTeamID
        #endif
    }()
    public var teamID: String { Self.teamID }
 }
--- a/Sources/Packages/Sources/XPCWrappers/XPCServiceDelegate.swift
+++ b/Sources/Packages/Sources/XPCWrappers/XPCServiceDelegate.swift
@@ -12,7 +12,7 @@ public final class XPCServiceDelegate: NSObject, NSXPCListenerDelegate {
        newConnection.exportedInterface = NSXPCInterface(with: (any _XPCProtocol).self)
        let exportedObject = exportedObject
        newConnection.exportedObject = exportedObject
-        newConnection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"\(ProcessInfo.processInfo.teamID)\"")
+        newConnection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = Z72PRUAWF6")
        newConnection.resume()
        return true
    }
--- a/Sources/Packages/Sources/XPCWrappers/XPCTypedSession.swift
+++ b/Sources/Packages/Sources/XPCWrappers/XPCTypedSession.swift
@@ -8,7 +8,7 @@ public struct XPCTypedSession<ResponseType: Codable & Sendable, ErrorType: Error
    public init(serviceName: String, warmup: Bool = false) async throws {
        let connection = NSXPCConnection(serviceName: serviceName)
        connection.remoteObjectInterface = NSXPCInterface(with: (any _XPCProtocol).self)
-        connection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"\(ProcessInfo.processInfo.teamID)\"")
+        connection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = Z72PRUAWF6")
        connection.resume()
        guard let proxy = connection.remoteObjectProxy as? _XPCProtocol else { fatalError() }
        self.connection = connection
--- a/Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHSignatureWriterTests.swift
+++ b/Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHSignatureWriterTests.swift
@@ -1,83 +0,0 @@
 import Foundation
 import Testing
 import SSHProtocolKit
@testable import SecretKit
@Suite struct OpenSSHSignatureWriterTests {
    private let writer = OpenSSHSignatureWriter()
    @Test func ecdsaMpintStripsUnnecessaryLeadingZeros() throws {
        let secret = Constants.ecdsa256Secret
        // r has a leading 0x00 followed by 0x01 (< 0x80): the mpint must not keep the leading zero.
        let rBytes: [UInt8] = [0x00] + (1...31).map { UInt8($0) }
        let r = Data(rBytes)
        // s has two leading 0x00 bytes followed by 0x7f (< 0x80): the mpint must not keep the leading zeros.
        let sBytes: [UInt8] = [0x00, 0x00, 0x7f] + Array(repeating: UInt8(0x01), count: 29)
        let s = Data(sBytes)
        let rawRepresentation = r + s
        let response = writer.data(secret: secret, signature: rawRepresentation)
        let (parsedR, parsedS) = try parseEcdsaSignatureMpints(from: response)
        #expect(parsedR == Data((1...31).map { UInt8($0) }))
        #expect(parsedS == Data([0x7f] + Array(repeating: UInt8(0x01), count: 29)))
    }
    @Test func ecdsaMpintPrefixesZeroWhenHighBitSet() throws {
        let secret = Constants.ecdsa256Secret
        // r starts with 0x80 (high bit set): mpint must be prefixed with 0x00.
        let r = Data([UInt8(0x80)] + Array(repeating: UInt8(0x01), count: 31))
        let s = Data([UInt8(0x01)] + Array(repeating: UInt8(0x02), count: 31))
        let rawRepresentation = r + s
        let response = writer.data(secret: secret, signature: rawRepresentation)
        let (parsedR, parsedS) = try parseEcdsaSignatureMpints(from: response)
        #expect(parsedR == Data([0x00, 0x80] + Array(repeating: UInt8(0x01), count: 31)))
        #expect(parsedS == Data([0x01] + Array(repeating: UInt8(0x02), count: 31)))
    }
 }
 private extension OpenSSHSignatureWriterTests {
    enum Constants {
        static let ecdsa256Secret = TestSecret(
            id: Data(),
            name: "Test Key (ECDSA 256)",
            publicKey: Data(repeating: 0x01, count: 65),
            attributes: Attributes(
                keyType: KeyType(algorithm: .ecdsa, size: 256),
                authentication: .notRequired,
                publicKeyAttribution: "test@example.com"
            )
        )
    }
    enum ParseError: Error {
        case eof
        case invalidAlgorithm
    }
    func parseEcdsaSignatureMpints(from openSSHSignedData: Data) throws -> (r: Data, s: Data) {
        let reader = OpenSSHReader(data: openSSHSignedData)
        // Prefix
        _ = try reader.readNextBytes(as: UInt32.self)
        let algorithm = try reader.readNextChunkAsString()
        guard algorithm == "ecdsa-sha2-nistp256" else {
            throw ParseError.invalidAlgorithm
        }
        let sigReader = try reader.readNextChunkAsSubReader()
        let r = try sigReader.readNextChunk()
        let s = try sigReader.readNextChunk()
        return (r, s)
    }
 }
--- a/Sources/Packages/Tests/SSHProtocolKitTests/TestSecret.swift
+++ b/Sources/Packages/Tests/SSHProtocolKitTests/TestSecret.swift
@@ -1,11 +0,0 @@
 import Foundation
 import SecretKit
 public struct TestSecret: SecretKit.Secret {
    public let id: Data
    public let name: String
    public let publicKey: Data
    public var attributes: Attributes
 }
--- a/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
@@ -1,7 +1,6 @@
 import Foundation
 import Testing
 import CryptoKit
@testable import SSHProtocolKit
@testable import SecretKit
@testable import SecretAgentKit
@@ -45,8 +44,8 @@ import CryptoKit
        let agent = Agent(storeList: list)
        let response = await agent.handle(request: request, provenance: .test)
        let responseReader = OpenSSHReader(data: response)
-        let length = try responseReader.readNextBytes(as: UInt32.self)
+        let length = try responseReader.readNextBytes(as: UInt32.self).bigEndian
-        let type = try responseReader.readNextBytes(as: UInt8.self)
+        let type = try responseReader.readNextBytes(as: UInt8.self).bigEndian
        #expect(length == response.count - MemoryLayout<UInt32>.size)
        #expect(type == SSHAgent.Response.agentSignResponse.rawValue)
        let outer = OpenSSHReader(data: responseReader.remaining)
--- a/Sources/Packages/Tests/SecretAgentKitTests/OpenSSHReaderTests.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/OpenSSHReaderTests.swift
@@ -1,6 +1,8 @@
 import Foundation
 import Testing
-import SSHProtocolKit
+@testable import SecretAgentKit
@testable import SecureEnclaveSecretKit
@testable import SmartCardSecretKit
@Suite struct OpenSSHReaderTests {
--- a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
@@ -1,7 +1,6 @@
 import Foundation
 import SecretKit
 import CryptoKit
 import SSHProtocolKit
 struct Stub {}
--- a/Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHPublicKeyWriterTests.swift
+++ b/Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHPublicKeyWriterTests.swift
@@ -1,7 +1,8 @@
 import Foundation
 import Testing
@testable import SecretKit
-import SSHProtocolKit
+@testable import SecureEnclaveSecretKit
@testable import SmartCardSecretKit
@Suite struct OpenSSHPublicKeyWriterTests {
@@ -46,8 +47,8 @@ import SSHProtocolKit
 extension OpenSSHPublicKeyWriterTests {
    enum Constants {
-        static let ecdsa256Secret =  TestSecret(id: Data(), name: "Test Key (ECDSA 256)", publicKey: Data(base64Encoded: "BOVEjgAA5PHqRgwykjN5qM21uWCHFSY/Sqo5gkHAkn+e1MMQKHOLga7ucB9b3mif33MBid59GRK9GEPVlMiSQwo=")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 256), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
+        static let ecdsa256Secret =  SmartCard.Secret(id: Data(), name: "Test Key (ECDSA 256)", publicKey: Data(base64Encoded: "BOVEjgAA5PHqRgwykjN5qM21uWCHFSY/Sqo5gkHAkn+e1MMQKHOLga7ucB9b3mif33MBid59GRK9GEPVlMiSQwo=")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 256), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
-        static let ecdsa384Secret = TestSecret(id: Data(), name: "Test Key (ECDSA 384)", publicKey: Data(base64Encoded: "BG2MNc/C5OTHFE2tBvbZCVcpOGa8vBMquiTLkH4lwkeqOPxhi+PyYUfQZMTRJNPiTyWPoMBqNiCIFRVv60yPN/AHufHaOgbdTP42EgMlMMImkAjYUEv9DESHTVIs2PW1yQ==")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 384), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
+        static let ecdsa384Secret = SmartCard.Secret(id: Data(), name: "Test Key (ECDSA 384)", publicKey: Data(base64Encoded: "BG2MNc/C5OTHFE2tBvbZCVcpOGa8vBMquiTLkH4lwkeqOPxhi+PyYUfQZMTRJNPiTyWPoMBqNiCIFRVv60yPN/AHufHaOgbdTP42EgMlMMImkAjYUEv9DESHTVIs2PW1yQ==")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 384), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
    }
--- a/Sources/SecretAgent/AppDelegate.swift
+++ b/Sources/SecretAgent/AppDelegate.swift
@@ -22,7 +22,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
    }()
    private let updater = Updater(checkOnLaunch: true)
    private let notifier = Notifier()
-    private let publicKeyFileStoreController = PublicKeyFileStoreController(directory: URL.publicKeyDirectory)
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.homeDirectory)
    private lazy var agent: Agent = {
        Agent(storeList: storeList, witness: notifier)
    }()
@@ -35,9 +35,9 @@ class AppDelegate: NSObject, NSApplicationDelegate {
    func applicationDidFinishLaunching(_ aNotification: Notification) {
        logger.debug("SecretAgent finished launching")
        Task {
            let inputParser = try await XPCAgentInputParser()
            for await session in socketController.sessions {
                Task {
                    let inputParser = try await XPCAgentInputParser()
                    do {
                        for await message in session.messages {
                            let request = try await inputParser.parse(data: message)
--- a/Sources/SecretAgent/Notifier.swift
+++ b/Sources/SecretAgent/Notifier.swift
@@ -69,7 +69,7 @@ final class Notifier: Sendable {
        notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
        notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
        notificationContent.interruptionLevel = .timeSensitive
-        if await store.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) == nil && secret.authenticationRequirement.required {
+        if await store.existingPersistedAuthenticationContext(secret: secret) == nil && secret.authenticationRequirement.required {
            notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
        }
        if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
@@ -79,25 +79,6 @@ final class Notifier: Sendable {
        try? await notificationCenter.add(request)
    }
    func notify(pendingAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async {
        await notificationDelegate.state.setPending(secret: secret, store: store)
        let notificationCenter = UNUserNotificationCenter.current()
        let notificationContent = UNMutableNotificationContent()
        notificationContent.title = "pending" //String(localized: .signedNotificationTitle(appName: provenance.origin.displayName))
        notificationContent.subtitle = "pending" //String(localized: .signedNotificationDescription(secretName: secret.name))
        notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
        notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
        notificationContent.interruptionLevel = .timeSensitive
        notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
        notificationContent.threadIdentifier = "\(secret.id)_\(provenance.hashValue)"
        if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
            notificationContent.attachments = [attachment]
        }
        let request = UNNotificationRequest(identifier: UUID().uuidString, content: notificationContent, trigger: nil)
        try? await notificationCenter.add(request)
    }
    func notify(update: Release, ignore: (@Sendable (Release) async -> Void)?) async {
        await notificationDelegate.state.prepareForNotification(release: update, ignoreAction: ignore)
        let notificationCenter = UNUserNotificationCenter.current()
@@ -122,10 +103,6 @@ extension Notifier: SigningWitness {
    func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
    }
    func witness(pendingAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
        await notify(pendingAccessTo: secret, from: store, by: provenance)
    }
    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
        await notify(accessTo: secret, from: store, by: provenance)
    }
--- a/Sources/SecretAgent/SecretAgent.entitlements
+++ b/Sources/SecretAgent/SecretAgent.entitlements
@@ -2,24 +2,8 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>com.apple.security.hardened-process</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
 	<true/>
 	<key>com.apple.security.hardened-process.dyld-ro</key>
 	<true/>
 	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
 	<string>1</string>
 	<key>com.apple.security.hardened-process.hardened-heap</key>
 	<true/>
 	<key>com.apple.security.smartcard</key>
 	<true/>
 	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
 	<string>2</string>
 	<key>keychain-access-groups</key>
 	<array>
 		<string>$(AppIdentifierPrefix)com.maxgoedjen.Secretive</string>
--- a/Sources/SecretAgent/XPCInputParser.swift
+++ b/Sources/SecretAgent/XPCInputParser.swift
@@ -3,7 +3,6 @@ import SecretAgentKit
 import Brief
 import XPCWrappers
 import OSLog
 import SSHProtocolKit
 /// Delegates all agent input parsing to an XPC service which wraps OpenSSH
 public final class XPCAgentInputParser: SSHAgentInputParserProtocol {
--- a/Sources/SecretAgentInputParser/SecretAgentInputParser.entitlements
+++ b/Sources/SecretAgentInputParser/SecretAgentInputParser.entitlements
@@ -1,22 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>com.apple.security.hardened-process</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
 	<true/>
 	<key>com.apple.security.hardened-process.dyld-ro</key>
 	<true/>
 	<key>com.apple.security.hardened-process.hardened-heap</key>
 	<true/>
 	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
 	<string>1</string>
 	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
 	<string>2</string>
 </dict>
 </plist>
--- a/Sources/SecretAgentInputParser/SecretAgentInputParser.swift
+++ b/Sources/SecretAgentInputParser/SecretAgentInputParser.swift
@@ -2,7 +2,6 @@ import Foundation
 import OSLog
 import XPCWrappers
 import SecretAgentKit
 import SSHProtocolKit
 final class SecretAgentInputParser: NSObject, XPCProtocol {
--- a/Sources/Secretive.xcodeproj/project.pbxproj
+++ b/Sources/Secretive.xcodeproj/project.pbxproj
@@ -9,7 +9,6 @@
 /* Begin PBXBuildFile section */
 		2C4A9D2F2636FFD3008CC8E2 /* EditSecretView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 2C4A9D2E2636FFD3008CC8E2 /* EditSecretView.swift */; };
 		50020BB024064869003D4025 /* AppDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50020BAF24064869003D4025 /* AppDelegate.swift */; };
 		5002C3AB2EEF483300FFAD22 /* XPCWrappers in Frameworks */ = {isa = PBXBuildFile; productRef = 5002C3AA2EEF483300FFAD22 /* XPCWrappers */; };
 		5003EF3B278005E800DF2006 /* SecretKit in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3A278005E800DF2006 /* SecretKit */; };
 		5003EF3D278005F300DF2006 /* Brief in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3C278005F300DF2006 /* Brief */; };
 		5003EF3F278005F300DF2006 /* SecretAgentKit in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3E278005F300DF2006 /* SecretAgentKit */; };
@@ -61,7 +60,6 @@
 		50A3B79424026B7600D209EA /* Preview Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 50A3B79324026B7600D209EA /* Preview Assets.xcassets */; };
 		50A3B79724026B7600D209EA /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 50A3B79524026B7600D209EA /* Main.storyboard */; };
 		50AE97002E5C1A420018C710 /* IntegrationsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50AE96FF2E5C1A420018C710 /* IntegrationsView.swift */; };
 		50B832C02F62202A00D2FCB8 /* InternetAccessPolicy.plist in Resources */ = {isa = PBXBuildFile; fileRef = 50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */; };
 		50B8550D24138C4F009958AC /* DeleteSecretView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50B8550C24138C4F009958AC /* DeleteSecretView.swift */; };
 		50BB046B2418AAAE00D6E079 /* EmptyStoreView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50BB046A2418AAAE00D6E079 /* EmptyStoreView.swift */; };
 		50BDCB722E63BAF20072D2E7 /* AgentStatusView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50BDCB712E63BAF20072D2E7 /* AgentStatusView.swift */; };
@@ -183,8 +181,6 @@
 		2C4A9D2E2636FFD3008CC8E2 /* EditSecretView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EditSecretView.swift; sourceTree = "<group>"; };
 		50020BAF24064869003D4025 /* AppDelegate.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppDelegate.swift; sourceTree = "<group>"; };
 		5003EF39278005C800DF2006 /* Packages */ = {isa = PBXFileReference; lastKnownFileType = wrapper; path = Packages; sourceTree = "<group>"; };
 		500666D02F04786900328939 /* SecretiveUpdater.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretiveUpdater.entitlements; sourceTree = "<group>"; };
 		500666D12F04787200328939 /* SecretAgentInputParser.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretAgentInputParser.entitlements; sourceTree = "<group>"; };
 		5008C23D2E525D8200507AC2 /* Localizable.xcstrings */ = {isa = PBXFileReference; lastKnownFileType = text.json.xcstrings; name = Localizable.xcstrings; path = Packages/Resources/Localizable.xcstrings; sourceTree = SOURCE_ROOT; };
 		50153E1F250AFCB200525160 /* UpdateView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UpdateView.swift; sourceTree = "<group>"; };
 		50153E21250DECA300525160 /* SecretListItemView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SecretListItemView.swift; sourceTree = "<group>"; };
@@ -241,7 +237,6 @@
 		50E4C4522E73C78900C73783 /* WindowBackgroundStyle.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = WindowBackgroundStyle.swift; sourceTree = "<group>"; };
 		50E4C4C22E7765DF00C73783 /* AboutView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AboutView.swift; sourceTree = "<group>"; };
 		50E4C4C72E777E4200C73783 /* AppIcon.icon */ = {isa = PBXFileReference; lastKnownFileType = folder.iconcomposer.icon; path = AppIcon.icon; sourceTree = "<group>"; };
 		F418C9A82F0C57F000E9ADF8 /* OpenSource.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = OpenSource.xcconfig; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 /* Begin PBXFrameworksBuildPhase section */
@@ -270,7 +265,6 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
 				5002C3AB2EEF483300FFAD22 /* XPCWrappers in Frameworks */,
 				50692E6C2E6FFA510043C7BB /* SecretAgentKit in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -398,7 +392,6 @@
 		50692D272E6FDB8D0043C7BB /* SecretiveUpdater */ = {
 			isa = PBXGroup;
 			children = (
 				500666D02F04786900328939 /* SecretiveUpdater.entitlements */,
 				50692D232E6FDB8D0043C7BB /* Info.plist */,
 				50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */,
 				50692D242E6FDB8D0043C7BB /* main.swift */,
@@ -410,7 +403,6 @@
 		50692E662E6FF9E20043C7BB /* SecretAgentInputParser */ = {
 			isa = PBXGroup;
 			children = (
 				500666D12F04787200328939 /* SecretAgentInputParser.entitlements */,
 				50692E622E6FF9E20043C7BB /* Info.plist */,
 				50692E632E6FF9E20043C7BB /* main.swift */,
 				50692E642E6FF9E20043C7BB /* SecretAgentInputParser.swift */,
@@ -423,7 +415,6 @@
 			children = (
 				508A590F241EEF6D0069DC07 /* Secretive.xctestplan */,
 				508A58AB241E121B0069DC07 /* Config.xcconfig */,
 				F418C9A82F0C57F000E9ADF8 /* OpenSource.xcconfig */,
 			);
 			path = Config;
 			sourceTree = "<group>";
@@ -548,7 +539,6 @@
 			name = SecretAgentInputParser;
 			packageProductDependencies = (
 				50692E6B2E6FFA510043C7BB /* SecretAgentKit */,
 				5002C3AA2EEF483300FFAD22 /* XPCWrappers */,
 			);
 			productName = SecretAgentInputParser;
 			productReference = 50692E502E6FF9D20043C7BB /* SecretAgentInputParser.xpc */;
@@ -592,7 +582,7 @@
 			attributes = {
 				BuildIndependentTargetsInParallel = YES;
 				LastSwiftUpdateCheck = 2600;
-				LastUpgradeCheck = 2640;
+				LastUpgradeCheck = 2600;
 				ORGANIZATIONNAME = "Max Goedjen";
 				TargetAttributes = {
 					50617D7E23FCE48D0099B055 = {
@@ -654,7 +644,6 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
 				50B832C02F62202A00D2FCB8 /* InternetAccessPolicy.plist in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -948,7 +937,7 @@
 				CURRENT_PROJECT_VERSION = 1;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
-				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
+				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -971,7 +960,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).Host";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
@@ -988,7 +977,7 @@
 				CURRENT_PROJECT_VERSION = 1;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
-				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
+				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -1011,7 +1000,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).Host";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "Secretive - Host";
 			};
@@ -1021,19 +1010,16 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CODE_SIGN_ENTITLEMENTS = SecretiveUpdater/SecretiveUpdater.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
-				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
+				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
 				ENABLE_RESOURCE_ACCESS_CALENDARS = NO;
@@ -1050,7 +1036,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretiveUpdater";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
 				SKIP_INSTALL = YES;
@@ -1067,16 +1053,13 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CODE_SIGN_ENTITLEMENTS = SecretiveUpdater/SecretiveUpdater.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
 				ENABLE_RESOURCE_ACCESS_CALENDARS = NO;
@@ -1093,7 +1076,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretiveUpdater";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
 				SKIP_INSTALL = YES;
@@ -1109,19 +1092,16 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CODE_SIGN_ENTITLEMENTS = SecretiveUpdater/SecretiveUpdater.entitlements;
 				CODE_SIGN_IDENTITY = "Developer ID Application";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = "";
-				"DEVELOPMENT_TEAM[sdk=macosx*]" = "$(SECRETIVE_DEVELOPMENT_TEAM)";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
 				ENABLE_RESOURCE_ACCESS_CALENDARS = NO;
@@ -1138,7 +1118,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretiveUpdater";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				REGISTER_APP_GROUPS = YES;
@@ -1155,16 +1135,13 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CODE_SIGN_ENTITLEMENTS = SecretAgentInputParser/SecretAgentInputParser.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
-				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
+				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
 				GENERATE_INFOPLIST_FILE = YES;
 				INFOPLIST_FILE = SecretAgentInputParser/Info.plist;
@@ -1173,7 +1150,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgentInputParser";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
 				SKIP_INSTALL = YES;
@@ -1190,14 +1167,11 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CODE_SIGN_ENTITLEMENTS = SecretAgentInputParser/SecretAgentInputParser.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
 				GENERATE_INFOPLIST_FILE = YES;
 				INFOPLIST_FILE = SecretAgentInputParser/Info.plist;
@@ -1206,7 +1180,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgentInputParser";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
 				SKIP_INSTALL = YES;
@@ -1222,17 +1196,14 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CODE_SIGN_ENTITLEMENTS = SecretAgentInputParser/SecretAgentInputParser.entitlements;
 				CODE_SIGN_IDENTITY = "Developer ID Application";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = "";
-				"DEVELOPMENT_TEAM[sdk=macosx*]" = "$(SECRETIVE_DEVELOPMENT_TEAM)";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
 				GENERATE_INFOPLIST_FILE = YES;
 				INFOPLIST_FILE = SecretAgentInputParser/Info.plist;
@@ -1241,7 +1212,7 @@
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgentInputParser";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				REGISTER_APP_GROUPS = YES;
@@ -1362,7 +1333,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).Host";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
 			name = Test;
@@ -1371,17 +1342,14 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = SecretAgent/SecretAgent.entitlements;
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
@@ -1398,7 +1366,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgent";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
 			name = Test;
@@ -1412,13 +1380,11 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
-				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
+				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
@@ -1435,7 +1401,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgent";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
 			name = Debug;
@@ -1450,13 +1416,11 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
-				DEVELOPMENT_TEAM = "$(SECRETIVE_DEVELOPMENT_TEAM)";
+				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO;
 				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
@@ -1473,7 +1437,7 @@
 				);
 				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = "$(SECRETIVE_BASE_BUNDLE_ID).SecretAgent";
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "Secretive - Secret Agent";
 			};
@@ -1535,10 +1499,6 @@
 /* End XCConfigurationList section */
 /* Begin XCSwiftPackageProductDependency section */
 		5002C3AA2EEF483300FFAD22 /* XPCWrappers */ = {
 			isa = XCSwiftPackageProductDependency;
 			productName = XPCWrappers;
 		};
 		5003EF3A278005E800DF2006 /* SecretKit */ = {
 			isa = XCSwiftPackageProductDependency;
 			productName = SecretKit;
--- a/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/PackageTests.xcscheme
+++ b/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/PackageTests.xcscheme
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2640"
+   LastUpgradeVersion = "2600"
   version = "1.7">
   <BuildAction
      parallelizeBuildables = "YES"
@@ -14,8 +14,7 @@
      shouldUseLaunchSchemeArgsEnv = "YES">
      <TestPlans>
         <TestPlanReference
-            reference = "container:Config/Secretive.xctestplan"
+            reference = "container:Config/Secretive.xctestplan">
            default = "YES">
         </TestPlanReference>
      </TestPlans>
   </TestAction>
--- a/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgent.xcscheme
+++ b/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgent.xcscheme
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2640"
+   LastUpgradeVersion = "2600"
   version = "1.7">
   <BuildAction
      parallelizeBuildables = "YES"
--- a/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/Secretive.xcscheme
+++ b/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/Secretive.xcscheme
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2640"
+   LastUpgradeVersion = "2600"
   version = "1.7">
   <BuildAction
      parallelizeBuildables = "YES"
--- a/Sources/Secretive/Secretive.entitlements
+++ b/Sources/Secretive/Secretive.entitlements
@@ -4,22 +4,16 @@
 <dict>
 	<key>com.apple.security.hardened-process</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
 	<true/>
 	<key>com.apple.security.hardened-process.dyld-ro</key>
 	<true/>
 	<key>com.apple.security.hardened-process.enhanced-security-version</key>
 	<integer>1</integer>
 	<key>com.apple.security.hardened-process.hardened-heap</key>
 	<true/>
-	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
+	<key>com.apple.security.hardened-process.platform-restrictions</key>
-	<string>1</string>
+	<integer>2</integer>
 	<key>com.apple.security.smartcard</key>
 	<true/>
 	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
 	<string>2</string>
 	<key>keychain-access-groups</key>
 	<array>
 		<string>$(AppIdentifierPrefix)com.maxgoedjen.Secretive</string>
--- a/Sources/Secretive/Views/Configuration/ToolConfigurationView.swift
+++ b/Sources/Secretive/Views/Configuration/ToolConfigurationView.swift
@@ -1,7 +1,5 @@
 import SwiftUI
 import SecretKit
 import SSHProtocolKit
 import Common
 struct ToolConfigurationView: View {
@@ -113,9 +111,10 @@ struct ToolConfigurationView: View {
        let writer = OpenSSHPublicKeyWriter()
        let gitAllowedSignersString = [email.isEmpty ? String(localized: .integrationsConfigureUsingEmailPlaceholder) : email, writer.openSSHString(secret: selectedSecret)]
            .joined(separator: " ")
        let fileController = PublicKeyFileStoreController(homeDirectory: URL.agentHomeURL)
        return text
            .replacingOccurrences(of: Instructions.Constants.publicKeyPlaceholder, with: gitAllowedSignersString)
-            .replacingOccurrences(of: Instructions.Constants.publicKeyPathPlaceholder, with: URL.publicKeyPath(for: selectedSecret, in: URL.publicKeyDirectory))
+            .replacingOccurrences(of: Instructions.Constants.publicKeyPathPlaceholder, with: fileController.publicKeyPath(for: selectedSecret))
    }
 }
--- a/Sources/Secretive/Views/Secrets/SecretDetailView.swift
+++ b/Sources/Secretive/Views/Secrets/SecretDetailView.swift
@@ -1,13 +1,12 @@
 import SwiftUI
 import SecretKit
 import Common
 import SSHProtocolKit
 struct SecretDetailView<SecretType: Secret>: View {
    let secret: SecretType
    private let keyWriter = OpenSSHPublicKeyWriter()
    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.agentHomeURL)
    var body: some View {
        ScrollView {
@@ -22,7 +21,7 @@ struct SecretDetailView<SecretType: Secret>: View {
                    CopyableView(title: .secretDetailPublicKeyLabel, image: Image(systemName: "key"), text: keyString)
                    Spacer()
                        .frame(height: 20)
-                    CopyableView(title: .secretDetailPublicKeyPathLabel, image: Image(systemName: "lock.doc"), text: URL.publicKeyPath(for: secret, in: URL.publicKeyDirectory), showRevealInFinder: true)
+                    CopyableView(title: .secretDetailPublicKeyPathLabel, image: Image(systemName: "lock.doc"), text: publicKeyFileStoreController.publicKeyPath(for: secret), showRevealInFinder: true)
                    Spacer()
                }
            }
--- a/Sources/Secretive/Views/Secrets/SecretListItemView.swift
+++ b/Sources/Secretive/Views/Secrets/SecretListItemView.swift
@@ -24,18 +24,6 @@ struct SecretListItemView: View {
                Text(secret.name)
            }
        }
        .sheet(isPresented: $isRenaming, onDismiss: {
            renamedSecret(secret)
        }, content: {
            if let modifiable = store as? AnySecretStoreModifiable {
                EditSecretView(store: modifiable, secret: secret)
            }
        })
        .showingDeleteConfirmation(isPresented: $isDeleting, secret, store as? AnySecretStoreModifiable) { deleted in
            if deleted {
                deletedSecret(secret)
            }
        }
        .contextMenu {
            if store is AnySecretStoreModifiable {
                Button(action: { isRenaming = true }) {
@@ -48,5 +36,12 @@ struct SecretListItemView: View {
                }
            }
        }
        .sheet(isPresented: $isRenaming, onDismiss: {
            renamedSecret(secret)
        }, content: {
            if let modifiable = store as? AnySecretStoreModifiable {
                EditSecretView(store: modifiable, secret: secret)
            }
        })
    }
 }
--- a/Sources/SecretiveUpdater/SecretiveUpdater.entitlements
+++ b/Sources/SecretiveUpdater/SecretiveUpdater.entitlements
@@ -1,22 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>com.apple.security.hardened-process</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
 	<true/>
 	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
 	<true/>
 	<key>com.apple.security.hardened-process.dyld-ro</key>
 	<true/>
 	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
 	<string>1</string>
 	<key>com.apple.security.hardened-process.hardened-heap</key>
 	<true/>
 	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
 	<string>2</string>
 </dict>
 </plist>
--- a/configure_team_id.sh
+++ b/configure_team_id.sh
@@ -1,56 +0,0 @@
 #!/bin/bash
 TEAM_ID_FILE=Sources/Config/OpenSource.xcconfig
 function print_team_ids() {
  echo ""
  echo "FYI, here are the team IDs found in your Xcode preferences:"
  echo ""
  XCODEPREFS="$HOME/Library/Preferences/com.apple.dt.Xcode.plist"
  TEAM_KEYS=(`/usr/libexec/PlistBuddy -c "Print :IDEProvisioningTeams" "$XCODEPREFS" | perl -lne 'print $1 if /^    (\S*) =/'`)
  for KEY in $TEAM_KEYS 
  do
      i=0
      while true ; do
          NAME=$(/usr/libexec/PlistBuddy -c "Print :IDEProvisioningTeams:$KEY:$i:teamName" "$XCODEPREFS" 2>/dev/null)
          TEAMID=$(/usr/libexec/PlistBuddy -c "Print :IDEProvisioningTeams:$KEY:$i:teamID" "$XCODEPREFS" 2>/dev/null)
          if [ $? -ne 0 ]; then
              break
          fi
          echo "$TEAMID - $NAME"
          i=$(($i + 1))
      done
  done
 }
 if [ -z "$1" ]; then
  print_team_ids
  echo ""
  echo "> What is your Apple Developer Team ID? (looks like 1A23BDCD)"
  read TEAM_ID
 else
  TEAM_ID=$1
 fi
 if [ -z "$TEAM_ID" ]; then
  echo "You must enter a team id"
  print_team_ids
  exit 1
 fi
 echo "Setting team ID to $TEAM_ID"
 echo "// This file was automatically generated, do not edit directly." > $TEAM_ID_FILE
 echo "" >> $TEAM_ID_FILE
 echo "SECRETIVE_BASE_BUNDLE_ID_OSS=${TEAM_ID}.com.example.Secretive" >> $TEAM_ID_FILE
 echo "SECRETIVE_DEVELOPMENT_TEAM_OSS=${TEAM_ID}" >> $TEAM_ID_FILE
 echo ""
 echo "Successfully generated configuration at $TEAM_ID_FILE, you may now build the app using the \"Secretive\" target"
 echo "You may need to close and re-open the project in Xcode if it's already open"
 echo ""