2025-05-10 13:07:22 +00:00
150 changed files with 3877 additions and 9459 deletions
--- a/.github/readme/app-dark.png
+++ b/.github/readme/app-dark.png
--- a/.github/readme/app-light.png
+++ b/.github/readme/app-light.png
--- a/.github/readme/app.png
+++ b/.github/readme/app.png
--- a/.github/readme/localize_add.png
+++ b/.github/readme/localize_add.png
--- a/.github/readme/localize_sidebar.png
+++ b/.github/readme/localize_sidebar.png
--- a/.github/readme/localize_translate.png
+++ b/.github/readme/localize_translate.png
--- a/.github/readme/notification.png
+++ b/.github/readme/notification.png
--- a/.github/readme/touchid.png
+++ b/.github/readme/touchid.png
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@ -1,16 +0,0 @@
 name: Add bugs to bugs project
 on:
  issues:
    types:
      - opened
 jobs:
  add-to-project:
    name: Add issue to project
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v1.0.1
        with:
          project-url: https://github.com/users/maxgoedjen/projects/1
          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -1,54 +0,0 @@
 name: Nightly
 on: 
  schedule: 
    - cron: "0 8 * * *"
 jobs:
  build:
 #     runs-on: macOS-latest
    runs-on: macos-14
    timeout-minutes: 10
    steps:
    - uses: actions/checkout@v4
    - name: Setup Signing
      env: 
        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
      run: sudo xcrun xcode-select -s /Applications/Xcode_15.4.app
    - name: Update Build Number
      env:
        RUN_ID: ${{ github.run_id }}
      run: |
            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0/g" Sources/Config/Config.xcconfig
            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
    - name: Build
      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
    - name: Create ZIPs
      run: |
            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive ./Archive.zip
    - name: Notarize
      env: 
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
    - name: Document SHAs
      run: |
            echo "sha-512:"
            shasum -a 512 Secretive.zip
            shasum -a 512 Archive.zip
            echo "sha-256:"
            shasum -a 256 Secretive.zip
            shasum -a 256 Archive.zip
    - name: Upload App to Artifacts
      uses: actions/upload-artifact@v4
      with:
        name: Secretive.zip
        path: Secretive.zip
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -6,11 +6,10 @@ on:
      - '*'
 jobs:
  test:
-#     runs-on: macOS-latest
+    runs-on: macos-11.0
    runs-on: macos-14
    timeout-minutes: 10
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v1
    - name: Setup Signing
      env: 
        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
@ -21,18 +20,14 @@ jobs:
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_15.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_12.5.1.app
    - name: Test
-      run: |
+      run: xcrun xcodebuild test -project Secretive.xcodeproj -scheme Secretive
            pushd Sources/Packages
            swift test
            popd
  build:
-#     runs-on: macOS-latest
+    runs-on: macos-11.0
    runs-on: macos-14
    timeout-minutes: 10
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v2
    - name: Setup Signing
      env: 
        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
@ -43,18 +38,18 @@ jobs:
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_15.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_12.5.1.app
    - name: Update Build Number
      env:
        TAG_NAME: ${{ github.ref }}
        RUN_ID: ${{ github.run_id }}
      run: |
            export CLEAN_TAG=$(echo $TAG_NAME | sed -e 's/refs\/tags\/v//')
-            sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Secretive/Credits.rtf
    - name: Build
-      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
+      run: xcrun xcodebuild -project Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
    - name: Create ZIPs
      run: |
            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
@ -63,15 +58,11 @@ jobs:
      env: 
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
-      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+      run: xcrun altool --notarize-app --primary-bundle-id "com.maxgoedjen.secretive.host" --apiKey $APPLE_API_KEY_ID --apiIssuer $APPLE_API_ISSUER --file Secretive.zip
    - name: Document SHAs
      run: |
            echo "sha-512:"
            shasum -a 512 Secretive.zip
            shasum -a 512 Archive.zip
            echo "sha-256:"
            shasum -a 256 Secretive.zip
            shasum -a 256 Archive.zip
    - name: Create Release
      id: create_release
      uses: actions/create-release@v1
@ -97,7 +88,7 @@ jobs:
        draft: true
        prerelease: false
    - name: Upload App to Release
-      id: upload-release-asset-app
+      id: upload-release-asset 
      uses: actions/upload-release-asset@v1.0.1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -106,13 +97,13 @@ jobs:
        asset_path: ./Secretive.zip
        asset_name: Secretive.zip
        asset_content_type: application/zip
-    - name: Upload App to Artifacts
+    - name: Upload Archive to Artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v1
      with:
        name: Archive.zip
        path: Archive.zip
    - name: Upload Archive to Artifacts
      uses: actions/upload-artifact@v1
      with:
        name: Secretive.zip
        path: Secretive.zip
    - name: Upload Archive to Artifacts
      uses: actions/upload-artifact@v4
      with:
        name: Xcode_Archive.zip
        path: Archive.zip
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -3,15 +3,11 @@ name: Test
 on: [push, pull_request]
 jobs:
  test:
-#     runs-on: macOS-latest
+    runs-on: macos-11.0
    runs-on: macos-14
    timeout-minutes: 10
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v2
    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_15.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_12.5.1.app
    - name: Test
-      run: |
+      run: xcrun xcodebuild test -project Secretive.xcodeproj -scheme Secretive
            pushd Sources/Packages
            swift test
            popd
--- a/.gitignore
+++ b/.gitignore
@ -92,4 +92,3 @@ iOSInjectionProject/
 # Build script products
 Archive.xcarchive
 .DS_Store
 contents.xcworkspacedata
--- a/APP_CONFIG.md
+++ b/APP_CONFIG.md
@ -26,91 +26,8 @@ Host *
 	IdentityAgent /Users/$YOUR_USERNAME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
 ```
 ## nushell
 Add this to your `~/.ssh/config` (the path should match the socket path from the setup flow).
 ```
 Host *
 	IdentityAgent /Users/$YOUR_USERNAME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
 ```
 ## Cyberduck
 Add this to `~/Library/LaunchAgents/com.maxgoedjen.Secretive.SecretAgent.plist`
 ```
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
  <key>Label</key>
  <string>link-ssh-auth-sock</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/bin/ln -sf $HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh $SSH_AUTH_SOCK</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
 </dict>
 </plist>
 ```
 Log out and log in again before launching Cyberduck.
 ## Mountain Duck
 Add this to `~/Library/LaunchAgents/com.maxgoedjen.Secretive.SecretAgent.plist`
 ```
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
  <key>Label</key>
  <string>link-ssh-auth-sock</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/bin/ln -sf $HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh $SSH_AUTH_SOCK</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
 </dict>
 </plist>
 ```
 Log out and log in again before launching Mountain Duck.
 ## GitKraken
 Add this to `~/Library/LaunchAgents/com.maxgoedjen.Secretive.SecretAgent.plist`
 ```
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
  <key>Label</key>
  <string>link-ssh-auth-sock</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/bin/ln -sf $HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh $SSH_AUTH_SOCK</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
 </dict>
 </plist>
 ```
 Log out and log in again before launching Gitkraken. Then enable "Use local SSH agent in GitKraken Preferences (Located under Preferences -> SSH)
 # The app I use isn't listed here!
 If you know how to get it set up, please open a PR for this page and add it! Contributions are very welcome.
-If you're not able to get it working, please file a [GitHub issue](https://github.com/maxgoedjen/secretive/issues/new) for it. No guarantees we'll be able to get it working, but chances are someone else in the community might be able to.
+If you're not able to get it working, please file a [GitHub issue](https://github.com/maxgoedjen/secretive/issues/new) for it. No guarantees we'll be able to get it working, but chances are someone else in the community might be able to.
--- a/Brief/Brief.h
+++ b/Brief/Brief.h
@ -0,0 +1,19 @@
 //
 //  Brief.h
 //  Brief
 //
 //  Created by Max Goedjen on 3/21/20.
 //  Copyright © 2020 Max Goedjen. All rights reserved.
 //
 #import <Foundation/Foundation.h>
 //! Project version number for Brief.
 FOUNDATION_EXPORT double BriefVersionNumber;
 //! Project version string for Brief.
 FOUNDATION_EXPORT const unsigned char BriefVersionString[];
 // In this header, you should import all the public headers of your framework using statements like #import <Brief/PublicHeader.h>
--- a/Brief/Info.plist
+++ b/Brief/Info.plist
@ -0,0 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>$(DEVELOPMENT_LANGUAGE)</string>
 	<key>CFBundleExecutable</key>
 	<string>$(EXECUTABLE_NAME)</string>
 	<key>CFBundleIdentifier</key>
 	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>$(PRODUCT_NAME)</string>
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
 	<string>1.0</string>
 	<key>CFBundleVersion</key>
 	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>$(PRODUCT_NAME) is MIT Licensed.</string>
 </dict>
 </plist>
--- a/Brief/Updater.swift
+++ b/Brief/Updater.swift
@ -0,0 +1,177 @@
 import Foundation
 import Combine
 public protocol UpdaterProtocol: ObservableObject {
    var update: Release? { get }
 }
 public class Updater: ObservableObject, UpdaterProtocol {
    @Published public var update: Release?
    private let osVersion: SemVer
    public init(checkOnLaunch: Bool, osVersion: SemVer = SemVer(ProcessInfo.processInfo.operatingSystemVersion)) {
        self.osVersion = osVersion
        if checkOnLaunch {
            // Don't do a launch check if the user hasn't seen the setup prompt explaining updater yet.
            checkForUpdates()
        }
        let timer = Timer.scheduledTimer(withTimeInterval: 60*60*24, repeats: true) { _ in
            self.checkForUpdates()
        }
        timer.tolerance = 60*60
    }
    public func checkForUpdates() {
        URLSession.shared.dataTask(with: Constants.updateURL) { data, _, _ in
            guard let data = data else { return }
            guard let releases = try? JSONDecoder().decode([Release].self, from: data) else { return }
            self.evaluate(releases: releases)
        }.resume()
    }
    public func ignore(release: Release) {
        guard !release.critical else { return }
        defaults.set(true, forKey: release.name)
        DispatchQueue.main.async {
            self.update = nil
        }
    }
 }
 extension Updater {
    func evaluate(releases: [Release]) {
        guard let release = releases
                .sorted()
                .reversed()
                .filter({ !$0.prerelease })
                .first(where: { $0.minimumOSVersion <= osVersion }) else { return }
        guard !userIgnored(release: release) else { return }
        guard !release.prerelease else { return }
        let latestVersion = SemVer(release.name)
        let currentVersion = SemVer(Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "0.0.0")
        if latestVersion > currentVersion {
            DispatchQueue.main.async {
                self.update = release
            }
        }
    }
    func userIgnored(release: Release) -> Bool {
        guard !release.critical else { return false }
        return defaults.bool(forKey: release.name)
    }
    var defaults: UserDefaults {
        UserDefaults(suiteName: "com.maxgoedjen.Secretive.updater.ignorelist")!
    }
 }
 public struct SemVer {
    let versionNumbers: [Int]
    public init(_ version: String) {
        // Betas have the format 1.2.3_beta1
        let strippedBeta = version.split(separator: "_").first!
        var split = strippedBeta.split(separator: ".").compactMap { Int($0) }
        while split.count < 3 {
            split.append(0)
        }
        versionNumbers = split
    }
    public init(_ version: OperatingSystemVersion) {
        versionNumbers = [version.majorVersion, version.minorVersion, version.patchVersion]
    }
 }
 extension SemVer: Comparable {
    public static func < (lhs: SemVer, rhs: SemVer) -> Bool {
        for (latest, current) in zip(lhs.versionNumbers, rhs.versionNumbers) {
            if latest < current {
                return true
            } else if latest > current {
                return false
            }
        }
        return false
    }
 }
 extension Updater {
    enum Constants {
        static let updateURL = URL(string: "https://api.github.com/repos/maxgoedjen/secretive/releases")!
    }
 }
 public struct Release: Codable {
    public let name: String
    public let prerelease: Bool
    public let html_url: URL
    public let body: String
    public init(name: String, prerelease: Bool, html_url: URL, body: String) {
        self.name = name
        self.prerelease = prerelease
        self.html_url = html_url
        self.body = body
    }
 }
 extension Release: Identifiable {
    public var id: String {
        html_url.absoluteString
    }
 }
 extension Release: Comparable {
    public static func < (lhs: Release, rhs: Release) -> Bool {
        lhs.version < rhs.version
    }
 }
 extension Release {
    public var critical: Bool {
        body.contains(Constants.securityContent)
    }
    public var version: SemVer {
        SemVer(name)
    }
    public var minimumOSVersion: SemVer {
        guard let range = body.range(of: "Minimum macOS Version"),
              let numberStart = body.rangeOfCharacter(from: CharacterSet.decimalDigits, options: [], range: range.upperBound..<body.endIndex) else { return SemVer("11.0.0") }
        let numbersEnd = body.rangeOfCharacter(from: CharacterSet.whitespacesAndNewlines, options: [], range: numberStart.upperBound..<body.endIndex)?.lowerBound ?? body.endIndex
        let version = numberStart.lowerBound..<numbersEnd
        return SemVer(String(body[version]))
    }
 }
 extension Release {
    enum Constants {
        static let securityContent = "Critical Security Update"
    }
 }
--- a/Sources/SecretiveTests/Info.plist
+++ b/Sources/SecretiveTests/Info.plist
--- a/Sources/Packages/Tests/BriefTests/ReleaseParsingTests.swift
+++ b/Sources/Packages/Tests/BriefTests/ReleaseParsingTests.swift
@ -51,7 +51,7 @@ class ReleaseParsingTests: XCTestCase {
    func testGreatestSelectedIfOldPatchIsPublishedLater() {
        // If 2.x.x series has been published, and a patch for 1.x.x is issued
        // 2.x.x should still be selected if user can run it.
-        let updater = Updater(checkOnLaunch: false, osVersion: SemVer("2.2.3"), currentVersion: SemVer("1.0.0"))
+        let updater = Updater(checkOnLaunch: false, osVersion: SemVer("2.2.3"))
        let two = Release(name: "2.0.0", prerelease: false, html_url: URL(string: "https://example.com")!, body: "2.0 available! Minimum macOS Version: 2.2.3")
        let releases = [
            Release(name: "1.0.0", prerelease: false, html_url: URL(string: "https://example.com")!, body: "Initial release Minimum macOS Version: 1.2.3"),
@ -72,7 +72,7 @@ class ReleaseParsingTests: XCTestCase {
    func testLatestVersionIsRunnable() {
        // If the 2.x.x series has been published but the user can't run it
        // the last version the user can run should be selected.
-        let updater = Updater(checkOnLaunch: false, osVersion: SemVer("1.2.3"), currentVersion: SemVer("1.0.0"))
+        let updater = Updater(checkOnLaunch: false, osVersion: SemVer("1.2.3"))
        let oneOhTwo = Release(name: "1.0.2", prerelease: false, html_url: URL(string: "https://example.com")!, body: "Emergency patch! Minimum macOS Version: 1.2.3")
        let releases = [
            Release(name: "1.0.0", prerelease: false, html_url: URL(string: "https://example.com")!, body: "Initial release Minimum macOS Version: 1.2.3"),
--- a/Sources/Packages/Tests/BriefTests/SemVerTests.swift
+++ b/Sources/Packages/Tests/BriefTests/SemVerTests.swift
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -14,10 +14,6 @@ Secretive is designed to be easily auditable by people who are considering using
 All contributors must abide by the [Code of Conduct](CODE_OF_CONDUCT.md)
 ## Localization
 If you'd like to contribute a translation, please see [Localizing](LOCALIZING.md) to get started.
 ## Credits
 If you make a material contribution to the app, please add yourself to the end of the [credits](https://github.com/maxgoedjen/secretive/blob/main/Secretive/Credits.rtf).
--- a/Sources/Config/Config.xcconfig
+++ b/Sources/Config/Config.xcconfig
--- a/Config/Secretive.xctestplan
+++ b/Config/Secretive.xctestplan
@ -0,0 +1,50 @@
 {
  "configurations" : [
    {
      "id" : "5896AE5A-6D5A-48D3-837B-668B646A3273",
      "name" : "Configuration 1",
      "options" : {
      }
    }
  ],
  "defaultOptions" : {
  },
  "testTargets" : [
    {
      "parallelizable" : true,
      "target" : {
        "containerPath" : "container:Secretive.xcodeproj",
        "identifier" : "50617DAF23FCE4AB0099B055",
        "name" : "SecretKitTests"
      }
    },
    {
      "parallelizable" : true,
      "target" : {
        "containerPath" : "container:Secretive.xcodeproj",
        "identifier" : "5099A073240242BA0062B6F2",
        "name" : "SecretAgentKitTests"
      }
    },
    {
      "enabled" : false,
      "parallelizable" : true,
      "target" : {
        "containerPath" : "container:Secretive.xcodeproj",
        "identifier" : "50617D9323FCE48E0099B055",
        "name" : "SecretiveTests"
      }
    },
    {
      "parallelizable" : true,
      "target" : {
        "containerPath" : "container:Secretive.xcodeproj",
        "identifier" : "5091D31E2519D56D0049FD9B",
        "name" : "BriefTests"
      }
    }
  ],
  "version" : 1
 }
--- a/DESIGN.md
+++ b/DESIGN.md
@ -1,3 +0,0 @@
 # Design
 The art assets for the App Icon and GitHub image are located on [Sketch Cloud](https://www.sketch.com/s/574333cd-8ceb-40e1-a6d9-189da3f1e5dd).
--- a/FAQ.md
+++ b/FAQ.md
@ -12,10 +12,6 @@ Secretive relies on the `SSH_AUTH_SOCK` environment variable being respected. Th
 Please run `ssh -Tv git@github.com` in your terminal and paste the output in a [new GitHub issue](https://github.com/maxgoedjen/secretive/issues/new) with a description of your issue.
 ### Secretive was working for me, but now it has stopped
 Try running the "Setup Secretive" process by clicking on "Help", then "Setup Secretive." If that doesn't work, follow the process above.
 ### Secretive prompts me to type my password instead of using my Apple Watch
 1) Make sure you have enabled "Use your Apple Watch to unlock apps and your Mac" in System Preferences --> Security & Privacy:
@ -30,15 +26,7 @@ Try running the "Setup Secretive" process by clicking on "Help", then "Setup Sec
 ### How do I tell SSH to use a specific key?
-Beginning with Secretive 2.2, every secret has an automatically generated public key file representation on disk, and the path to it is listed under "Public Key Path" in Secretive. You can specify that you want to use that key in your `~/.ssh/config`.  [This ServerFault answer](https://serverfault.com/a/295771) has more details on setting that up.
+You can create a `mykey.pub` (where `mykey` is the name of your key) in your `~/.ssh/` directory with the contents of your public key, and specify that you want to use that key in your `~/.ssh/config`.  [This ServerFault answer](https://serverfault.com/a/295771) has more details on setting that up
 ### How can I generate an RSA key?
 The Mac's Secure Enclave only supports 256-bit EC keys, so inherently Secretive cannot support generating RSA keys.
 ### Can I use Secretive for SSH Agent Forwarding?
 Yes, you can! Once you've set up Secretive, just add `ForwardAgent yes` to the hosts you want to forward to in your SSH config file. Afterwards, any use of one of your SSH keys on the remote host must be authenticated through Secretive.
 ### Why should I trust you?
@ -50,11 +38,7 @@ Awesome! Just bear in mind that because an app only has access to the keychain i
 ### What's this network request to GitHub?
-Secretive checks in with GitHub's releases API to check if there's a new version of Secretive available. You can audit the source code for this feature [here](https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/Brief/Updater.swift).
+Secretive checks in with GitHub's releases API to check if there's a new version of Secretive available. You can audit the source code for this feature [here](https://github.com/maxgoedjen/secretive/blob/main/Brief/Updater.swift).
 ### How do I uninstall Secretive?
 Drag Secretive.app to the trash and remove `~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent`. `SecretAgent` may continue running until you quit it or reboot.
 ### I have a security issue
--- a/Icon.sketch
+++ b/Icon.sketch
--- a/LOCALIZING.md
+++ b/LOCALIZING.md
@ -1,37 +0,0 @@
 # Localizing Secretive
 If you speak another language, and would like to help translate Secretive to support that language, we'd love your help!
 ## Getting Started
 ### Download Xcode
 Download the latest version of Xcode (at minimum, Xcode 15) from [Apple](http://developer.apple.com/download/applications/).
 ### Clone Secretive
 Clone Secretive using [these instructions from GitHub](https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository).
 ### Open Secretive
 Open [Sources/Secretive.xcodeproj](Sources/Secretive.xcodeproj) in Xcode.
 ### Translate
 Navigate to [Secretive/Localizable](Sources/Secretive/Localizable.xcstrings). 
 <img src="/.github/readme/localize_sidebar.png" alt="Screenshot of Xcode navigating to the Localizable file" width="300">
 If your language already has an in-progress localization, select it from the list. If it isn't there, hit the "+" button and choose your language from the list.
 <img src="/.github/readme/localize_add.png" alt="Screenshot of Xcode adding a new language" width="600">
 Start translating! You'll see a list of english phrases, and a space to add a translation of your language.
 ### Create a Pull Request
 Push your changes and open a pull request. 
 ### Questions
 Please open an issue if you have a question about translating the app. I'm more than happy to clarify any terms that are ambiguous or confusing. Thanks for contributing!
--- a/README.md
+++ b/README.md
@ -3,10 +3,7 @@
 Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the [sekey project](https://github.com/sekey/sekey), but rewritten in Swift with no external dependencies and with a handy native management app.
-<picture>
+<img src="/.github/readme/app.png" alt="Screenshot of Secretive" width="600">
  <source media="(prefers-color-scheme: dark)" srcset="/.github/readme/app-dark.png">
  <img src="/.github/readme/app-light.png" alt="Screenshot of Secretive" width="600">
 </picture>
 ## Why?
@ -17,15 +14,15 @@ The most common setup for SSH keys is just keeping them on disk, guarded by prop
 ### Access Control
-If your Mac has a Secure Enclave, it also has support for strong access controls like Touch ID, or authentication with Apple Watch. You can configure your keys so that they require Touch ID (or Watch) authentication before they're accessed.
+If your Mac has a Secure Enclave, it also has support for strong access controls like Touch ID, or authentication with Apple Watch. You can configure your key so that they require Touch ID (or Watch) authentication before they're accessed.
-<img src="/.github/readme/touchid.png" alt="Screenshot of Secretive authenticating with Touch ID" width="400">
+<img src="/.github/readme/touchid.png" alt="Screenshot of Secretive authenticating with Touch ID">
 ### Notifications
 Secretive also notifies you whenever your keys are accessed, so you're never caught off guard.
-<img src="/.github/readme/notification.png" alt="Screenshot of Secretive notifying the user" width="600">
+<img src="/.github/readme/notification.png" alt="Screenshot of Secretive notifying the user">
 ### Support for Smart Cards Too!
--- a/Sources/SecretAgent/AppDelegate.swift
+++ b/Sources/SecretAgent/AppDelegate.swift
@ -2,8 +2,6 @@ import Cocoa
 import OSLog
 import Combine
 import SecretKit
 import SecureEnclaveSecretKit
 import SmartCardSecretKit
 import SecretAgentKit
 import Brief
@ -18,7 +16,6 @@ class AppDelegate: NSObject, NSApplicationDelegate {
    }()
    private let updater = Updater(checkOnLaunch: false)
    private let notifier = Notifier()
    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: NSHomeDirectory())
    private lazy var agent: Agent = {
        Agent(storeList: storeList, witness: notifier)
    }()
@ -27,17 +24,12 @@ class AppDelegate: NSObject, NSApplicationDelegate {
        return SocketController(path: path)
    }()
    private var updateSink: AnyCancellable?
    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AppDelegate")
    func applicationDidFinishLaunching(_ aNotification: Notification) {
-        logger.debug("SecretAgent finished launching")
+        Logger().debug("SecretAgent finished launching")
        DispatchQueue.main.async {
            self.socketController.handler = self.agent.handle(reader:writer:)
        }
        NotificationCenter.default.addObserver(forName: .secretStoreReloaded, object: nil, queue: .main) { [self] _ in
            try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)
        }
        try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)
        notifier.prompt()
        updateSink = updater.$update.sink { update in
            guard let update = update else { return }
@ -45,5 +37,6 @@ class AppDelegate: NSObject, NSApplicationDelegate {
        }
    }
 }
--- a/Sources/SecretAgent/Assets.xcassets/AppIcon.appiconset/Contents.json
+++ b/Sources/SecretAgent/Assets.xcassets/AppIcon.appiconset/Contents.json
--- a/Sources/SecretAgent/Assets.xcassets/AppIcon.appiconset/Mac
+++ b/Sources/SecretAgent/Assets.xcassets/AppIcon.appiconset/Mac
--- a/Sources/SecretAgent/Assets.xcassets/AppIcon.appiconset/Mac
+++ b/Sources/SecretAgent/Assets.xcassets/AppIcon.appiconset/Mac
--- a/Sources/SecretAgent/Assets.xcassets/Contents.json
+++ b/Sources/SecretAgent/Assets.xcassets/Contents.json
--- a/Sources/SecretAgent/Base.lproj/Main.storyboard
+++ b/Sources/SecretAgent/Base.lproj/Main.storyboard
--- a/Sources/SecretAgent/Info.plist
+++ b/Sources/SecretAgent/Info.plist
--- a/Sources/SecretAgent/InternetAccessPolicy.plist
+++ b/Sources/SecretAgent/InternetAccessPolicy.plist
--- a/SecretAgent/Notifier.swift
+++ b/SecretAgent/Notifier.swift
@ -0,0 +1,105 @@
 import Foundation
 import UserNotifications
 import AppKit
 import SecretKit
 import SecretAgentKit
 import Brief
 class Notifier {
    private let notificationDelegate = NotificationDelegate()
    init() {
        let updateAction = UNNotificationAction(identifier: Constants.updateActionIdentitifier, title: "Update", options: [])
        let ignoreAction = UNNotificationAction(identifier: Constants.ignoreActionIdentitifier, title: "Ignore", options: [])
        let updateCategory = UNNotificationCategory(identifier: Constants.updateCategoryIdentitifier, actions: [updateAction, ignoreAction], intentIdentifiers: [], options: [])
        let criticalUpdateCategory = UNNotificationCategory(identifier: Constants.criticalUpdateCategoryIdentitifier, actions: [updateAction], intentIdentifiers: [], options: [])
        UNUserNotificationCenter.current().setNotificationCategories([updateCategory, criticalUpdateCategory])
        UNUserNotificationCenter.current().delegate = notificationDelegate
    }
    func prompt() {
        let notificationCenter = UNUserNotificationCenter.current()
        notificationCenter.requestAuthorization(options: .alert) { _, _ in }
    }
    func notify(accessTo secret: AnySecret, by provenance: SigningRequestProvenance) {
        let notificationCenter = UNUserNotificationCenter.current()
        let notificationContent = UNMutableNotificationContent()
        notificationContent.title = "Signed Request from \(provenance.origin.displayName)"
        notificationContent.subtitle = "Using secret \"\(secret.name)\""
        if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
            notificationContent.attachments = [attachment]
        }
        let request = UNNotificationRequest(identifier: UUID().uuidString, content: notificationContent, trigger: nil)
        notificationCenter.add(request, withCompletionHandler: nil)
    }
    func notify(update: Release, ignore: ((Release) -> Void)?) {
        notificationDelegate.release = update
        notificationDelegate.ignore = ignore
        let notificationCenter = UNUserNotificationCenter.current()
        let notificationContent = UNMutableNotificationContent()
        if update.critical {
            notificationContent.title = "Critical Security Update - \(update.name)"
        } else {
            notificationContent.title = "Update Available - \(update.name)"
        }
        notificationContent.subtitle = "Click to Update"
        notificationContent.body = update.body
        notificationContent.categoryIdentifier = update.critical ? Constants.criticalUpdateCategoryIdentitifier : Constants.updateCategoryIdentitifier
        let request = UNNotificationRequest(identifier: UUID().uuidString, content: notificationContent, trigger: nil)
        notificationCenter.add(request, withCompletionHandler: nil)
    }
 }
 extension Notifier: SigningWitness {
    func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, by provenance: SigningRequestProvenance) throws {
    }
    func witness(accessTo secret: AnySecret, by provenance: SigningRequestProvenance) throws {
        notify(accessTo: secret, by: provenance)
    }
 }
 extension Notifier {
    enum Constants {
        static let updateCategoryIdentitifier  = "com.maxgoedjen.Secretive.SecretAgent.update"
        static let criticalUpdateCategoryIdentitifier  = "com.maxgoedjen.Secretive.SecretAgent.update.critical"
        static let updateActionIdentitifier  = "com.maxgoedjen.Secretive.SecretAgent.update.updateaction"
        static let ignoreActionIdentitifier  = "com.maxgoedjen.Secretive.SecretAgent.update.ignoreaction"
    }
 }
 class NotificationDelegate: NSObject, UNUserNotificationCenterDelegate {
    fileprivate var release: Release?
    fileprivate var ignore: ((Release) -> Void)?
    func userNotificationCenter(_ center: UNUserNotificationCenter, openSettingsFor notification: UNNotification?) {
    }
    func userNotificationCenter(_ center: UNUserNotificationCenter, didReceive response: UNNotificationResponse, withCompletionHandler completionHandler: @escaping () -> Void) {
        guard let update = release else { return }
        switch response.actionIdentifier {
        case Notifier.Constants.updateActionIdentitifier, UNNotificationDefaultActionIdentifier:
            NSWorkspace.shared.open(update.html_url)
        case Notifier.Constants.ignoreActionIdentitifier:
            ignore?(update)
        default:
            fatalError()
        }
        completionHandler()
    }
    func userNotificationCenter(_ center: UNUserNotificationCenter, willPresent notification: UNNotification, withCompletionHandler completionHandler: @escaping (UNNotificationPresentationOptions) -> Void) {
        completionHandler([.list, .banner])
    }
 }
--- a/Assets.xcassets/Contents.json
+++ b/Assets.xcassets/Contents.json
--- a/Sources/SecretAgent/SecretAgent.entitlements
+++ b/Sources/SecretAgent/SecretAgent.entitlements
--- a/Sources/Packages/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
@ -4,74 +4,57 @@ import OSLog
 import SecretKit
 import AppKit
-/// The `Agent` is an implementation of an SSH agent. It manages coordination and access between a socket, traces requests, notifies witnesses and passes requests to stores.
+public class Agent {
 public final class Agent {
    private let storeList: SecretStoreList
    private let witness: SigningWitness?
    private let writer = OpenSSHKeyWriter()
    private let requestTracer = SigningRequestTracer()
    private let certificateHandler = OpenSSHCertificateHandler()
    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
    /// Initializes an agent with a store list and a witness.
    /// - Parameters:
    ///   - storeList: The `SecretStoreList` to make available.
    ///   - witness: A witness to notify of requests.
    public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
-        logger.debug("Agent is running")
+        Logger().debug("Agent is running")
        self.storeList = storeList
        self.witness = witness
        certificateHandler.reloadCertificates(for: storeList.allSecrets)
    }
 }
 extension Agent {
-    /// Handles an incoming request.
+    public func handle(reader: FileHandleReader, writer: FileHandleWriter) {
-    /// - Parameters:
+        Logger().debug("Agent handling new data")
-    ///   - reader: A ``FileHandleReader`` to read the content of the request.
+        let data = reader.availableData
-    ///   - writer: A ``FileHandleWriter`` to write the response to.
+        guard !data.isEmpty else { return }
    /// - Return value: 
    ///   - Boolean if data could be read
    @discardableResult public func handle(reader: FileHandleReader, writer: FileHandleWriter) async -> Bool {
        logger.debug("Agent handling new data")
        let data = Data(reader.availableData)
        guard data.count > 4 else { return false}
        let requestTypeInt = data[4]
        guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
            writer.write(OpenSSHKeyWriter().lengthAndData(of: SSHAgent.ResponseType.agentFailure.data))
-            logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
+            Logger().debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
-            return true
+            return
        }
-        logger.debug("Agent handling request of type \(requestType.debugDescription)")
+        Logger().debug("Agent handling request of type \(requestType.debugDescription)")
        let subData = Data(data[5...])
-        let response = await handle(requestType: requestType, data: subData, reader: reader)
+        let response = handle(requestType: requestType, data: subData, reader: reader)
        writer.write(response)
        return true
    }
-    func handle(requestType: SSHAgent.RequestType, data: Data, reader: FileHandleReader) async -> Data {
+    func handle(requestType: SSHAgent.RequestType, data: Data, reader: FileHandleReader) -> Data {
        // Depending on the launch context (such as after macOS update), the agent may need to reload secrets before acting
        reloadSecretsIfNeccessary()
        var response = Data()
        do {
            switch requestType {
            case .requestIdentities:
                response.append(SSHAgent.ResponseType.agentIdentitiesAnswer.data)
                response.append(identities())
-                logger.debug("Agent returned \(SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)")
+                Logger().debug("Agent returned \(SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)")
            case .signRequest:
                let provenance = requestTracer.provenance(from: reader)
                response.append(SSHAgent.ResponseType.agentSignResponse.data)
                response.append(try sign(data: data, provenance: provenance))
-                logger.debug("Agent returned \(SSHAgent.ResponseType.agentSignResponse.debugDescription)")
+                Logger().debug("Agent returned \(SSHAgent.ResponseType.agentSignResponse.debugDescription)")
            }
        } catch {
            response.removeAll()
            response.append(SSHAgent.ResponseType.agentFailure.data)
-            logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
+            Logger().debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
        }
        let full = OpenSSHKeyWriter().lengthAndData(of: response)
        return full
@ -81,60 +64,36 @@ extension Agent {
 extension Agent {
    /// Lists the identities available for signing operations
    /// - Returns: An OpenSSH formatted Data payload listing the identities available for signing operations.
    func identities() -> Data {
-        let secrets = storeList.allSecrets
+        let secrets = storeList.stores.flatMap(\.secrets)
-        certificateHandler.reloadCertificates(for: secrets)
+        var count = UInt32(secrets.count).bigEndian
-        var count = secrets.count
+        let countData = Data(bytes: &count, count: UInt32.bitWidth/8)
        var keyData = Data()
-
+        let writer = OpenSSHKeyWriter()
        for secret in secrets {
            let keyBlob = writer.data(secret: secret)
            let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
            keyData.append(writer.lengthAndData(of: keyBlob))
            let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
            keyData.append(writer.lengthAndData(of: curveData))
            if let (certificateData, name) = try? certificateHandler.keyBlobAndName(for: secret) {
                keyData.append(writer.lengthAndData(of: certificateData))
                keyData.append(writer.lengthAndData(of: name))
                count += 1
            }
        }
-        logger.log("Agent enumerated \(count) identities")
+        Logger().debug("Agent enumerated \(secrets.count) identities")
        var countBigEndian = UInt32(count).bigEndian
        let countData = Data(bytes: &countBigEndian, count: UInt32.bitWidth/8)
        return countData + keyData
    }
    /// Notifies witnesses of a pending signature request, and performs the signing operation if none object.
    /// - Parameters:
    ///   - data: The data to sign.
    ///   - provenance: A ``SecretKit.SigningRequestProvenance`` object describing the origin of the request.
    /// - Returns: An OpenSSH formatted Data payload containing the signed data response.
    func sign(data: Data, provenance: SigningRequestProvenance) throws -> Data {
        let reader = OpenSSHReader(data: data)
-        let payloadHash = reader.readNextChunk()
+        let hash = reader.readNextChunk()
        let hash: Data
        // Check if hash is actually an openssh certificate and reconstruct the public key if it is
        if let certificatePublicKey = certificateHandler.publicKeyHash(from: payloadHash) {
            hash = certificatePublicKey
        } else {
            hash = payloadHash
        }
        guard let (store, secret) = secret(matching: hash) else {
-            logger.debug("Agent did not have a key matching \(hash as NSData)")
+            Logger().debug("Agent did not have a key matching \(hash as NSData)")
            throw AgentError.noMatchingKey
        }
        if let witness = witness {
-            try witness.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
+            try witness.speakNowOrForeverHoldYourPeace(forAccessTo: secret, by: provenance)
        }
        let dataToSign = reader.readNextChunk()
-        let signed = try store.sign(data: dataToSign, with: secret, for: provenance)
+        let derSignature = try store.sign(data: dataToSign, with: secret, for: provenance)
        let derSignature = signed
        let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
@ -175,10 +134,10 @@ extension Agent {
        signedData.append(writer.lengthAndData(of: sub))
        if let witness = witness {
-            try witness.witness(accessTo: secret, from: store, by: provenance)
+            try witness.witness(accessTo: secret, by: provenance)
        }
-        logger.debug("Agent signed request")
+        Logger().debug("Agent signed request")
        return signedData
    }
@ -187,19 +146,6 @@ extension Agent {
 extension Agent {
    /// Gives any store with no loaded secrets a chance to reload.
    func reloadSecretsIfNeccessary() {
        for store in storeList.stores {
            if store.secrets.isEmpty {
                logger.debug("Store \(store.name, privacy: .public) has no loaded secrets. Reloading.")
                store.reloadSecrets()
            }
        }
    }
    /// Finds a ``Secret`` matching a specified hash whos signature was requested.
    /// - Parameter hash: The hash to match against.
    /// - Returns: A ``Secret`` and the ``SecretStore`` containing it, if a match is found.
    func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
        storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
            let allMatching = store.secrets.filter { secret in
@ -217,12 +163,10 @@ extension Agent {
 extension Agent {
    /// An error involving agent operations..
    enum AgentError: Error {
        case unhandledType
        case noMatchingKey
        case unsupportedKeyType
        case notOpenSSHCertificate
    }
 }
--- a/Sources/Packages/Sources/SecretAgentKit/FileHandleProtocols.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/FileHandleProtocols.swift
@ -1,21 +1,15 @@
 import Foundation
-/// Protocol abstraction of the reading aspects of FileHandle.
+public protocol FileHandleReader {
 public protocol FileHandleReader: Sendable {
    /// Gets data that is available for reading.
    var availableData: Data { get }
    /// A file descriptor of the handle.
    var fileDescriptor: Int32 { get }
    /// The  process ID of the process coonnected to the other end of the FileHandle.
    var pidOfConnectedProcess: Int32 { get }
 }
-/// Protocol abstraction of the writing aspects of FileHandle.
+public protocol FileHandleWriter {
 public protocol FileHandleWriter: Sendable {
    /// Writes data to the handle.
    func write(_ data: Data)
 }
--- a/SecretAgentKit/Info.plist
+++ b/SecretAgentKit/Info.plist
@ -0,0 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>$(DEVELOPMENT_LANGUAGE)</string>
 	<key>CFBundleExecutable</key>
 	<string>$(EXECUTABLE_NAME)</string>
 	<key>CFBundleIdentifier</key>
 	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>$(PRODUCT_NAME)</string>
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
 	<string>$(CI_VERSION)</string>
 	<key>CFBundleVersion</key>
 	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>$(PRODUCT_NAME) is MIT Licensed.</string>
 </dict>
 </plist>
--- a/Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift
@ -1,13 +1,10 @@
 import Foundation
 /// A namespace for the SSH Agent Protocol, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
 public enum SSHAgent {}
 extension SSHAgent {
    /// The type of the SSH Agent Request, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
    public enum RequestType: UInt8, CustomDebugStringConvertible {
        case requestIdentities = 11
        case signRequest = 13
@ -21,11 +18,8 @@ extension SSHAgent {
        }
    }
    /// The type of the SSH Agent Response, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
    public enum ResponseType: UInt8, CustomDebugStringConvertible {
        case agentFailure = 5
        case agentSuccess = 6
        case agentIdentitiesAnswer = 12
        case agentSignResponse = 14
@ -33,8 +27,6 @@ extension SSHAgent {
            switch self {
            case .agentFailure:
                return "AgentFailure"
            case .agentSuccess:
                return "AgentSuccess"
            case .agentIdentitiesAnswer:
                return "AgentIdentitiesAnswer"
            case .agentSignResponse:
--- a/Sources/Packages/Sources/SecretAgentKitHeaders/include/SecretAgentKit.h
+++ b/Sources/Packages/Sources/SecretAgentKitHeaders/include/SecretAgentKit.h
--- a/Sources/Packages/Sources/SecretAgentKit/SigningRequestTracer.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SigningRequestTracer.swift
@ -2,17 +2,12 @@ import Foundation
 import AppKit
 import Security
 import SecretKit
 import SecretAgentKitHeaders
 /// An object responsible for generating ``SecretKit.SigningRequestProvenance`` objects.
 struct SigningRequestTracer {
 }
 extension SigningRequestTracer {
    /// Generates a ``SecretKit.SigningRequestProvenance`` from a ``FileHandleReader``.
    /// - Parameter fileHandleReader: The reader involved in processing the request.
    /// - Returns: A ``SecretKit.SigningRequestProvenance`` describing the origin of the request.
    func provenance(from fileHandleReader: FileHandleReader) -> SigningRequestProvenance {
        let firstInfo = process(from: fileHandleReader.pidOfConnectedProcess)
@ -23,9 +18,6 @@ extension SigningRequestTracer {
        return provenance
    }
    /// Generates a `kinfo_proc` representation of the provided process ID.
    /// - Parameter pid: The process ID to look up.
    /// - Returns: a `kinfo_proc` struct describing the process ID.
    func pidAndNameInfo(from pid: Int32) -> kinfo_proc {
        var len = MemoryLayout<kinfo_proc>.size
        let infoPointer = UnsafeMutableRawPointer.allocate(byteCount: len, alignment: 1)
@ -34,16 +26,10 @@ extension SigningRequestTracer {
        return infoPointer.load(as: kinfo_proc.self)
    }
    /// Generates a ``SecretKit.SigningRequestProvenance.Process`` from a provided process ID.
    /// - Parameter pid: The process ID to look up.
    /// - Returns: A ``SecretKit.SigningRequestProvenance.Process`` describing the process.
    func process(from pid: Int32) -> SigningRequestProvenance.Process {
        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
        let ppid = pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
-        let procName = withUnsafeMutablePointer(to: &pidAndNameInfo.kp_proc.p_comm.0) { pointer in
+        let procName = String(cString: &pidAndNameInfo.kp_proc.p_comm.0)
            String(cString: pointer)
        }
        let pathPointer = UnsafeMutablePointer<UInt8>.allocate(capacity: Int(MAXPATHLEN))
        _ = proc_pidpath(pid, pathPointer, UInt32(MAXPATHLEN))
        let path = String(cString: pathPointer)
@ -54,16 +40,10 @@ extension SigningRequestTracer {
        return SigningRequestProvenance.Process(pid: pid, processName: procName, appName: appName(for: pid), iconURL: iconURL(for: pid), path: path, validSignature: valid, parentPID: ppid)
    }
    /// Looks up the URL for the icon of a process ID, if it has one.
    /// - Parameter pid: The process ID to look up.
    /// - Returns: A URL to the icon, if the process has one.
    func iconURL(for pid: Int32) -> URL? {
        do {
            if let app = NSRunningApplication(processIdentifier: pid), let icon = app.icon?.tiffRepresentation {
-                let temporaryURL = URL(fileURLWithPath: (NSTemporaryDirectory() as NSString).appendingPathComponent("\(app.bundleIdentifier ?? UUID().uuidString).png"))
+                let temporaryURL = URL(fileURLWithPath: (NSTemporaryDirectory() as NSString).appendingPathComponent("\(UUID().uuidString).png"))
                if FileManager.default.fileExists(atPath: temporaryURL.path) {
                    return temporaryURL
                }
                let bitmap = NSBitmapImageRep(data: icon)
                try bitmap?.representation(using: .png, properties: [:])?.write(to: temporaryURL)
                return temporaryURL
@ -73,9 +53,6 @@ extension SigningRequestTracer {
        return nil
    }
    /// Looks up the application name of a process ID, if it has one.
    /// - Parameter pid: The process ID to look up.
    /// - Returns: The process's display name, if the process has one.
    func appName(for pid: Int32) -> String? {
        NSRunningApplication(processIdentifier: pid)?.localizedName
    }
--- a/SecretAgentKit/SigningWitness.swift
+++ b/SecretAgentKit/SigningWitness.swift
@ -0,0 +1,9 @@
 import Foundation
 import SecretKit
 public protocol SigningWitness {
    func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, by provenance: SigningRequestProvenance) throws
    func witness(accessTo secret: AnySecret, by provenance: SigningRequestProvenance) throws
 }
--- a/SecretAgentKit/SocketController.swift
+++ b/SecretAgentKit/SocketController.swift
@ -0,0 +1,67 @@
 import Foundation
 import OSLog
 public class SocketController {
    private var fileHandle: FileHandle?
    private var port: SocketPort?
    public var handler: ((FileHandleReader, FileHandleWriter) -> Void)?
    public init(path: String) {
        Logger().debug("Socket controller setting up at \(path)")
        if let _ = try? FileManager.default.removeItem(atPath: path) {
            Logger().debug("Socket controller removed existing socket")
        }
        let exists = FileManager.default.fileExists(atPath: path)
        assert(!exists)
        Logger().debug("Socket controller path is clear")
        port = socketPort(at: path)
        configureSocket(at: path)
        Logger().debug("Socket listening at \(path)")
    }
    func configureSocket(at path: String) {
        guard let port = port else { return }
        fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionAccept(notification:)), name: .NSFileHandleConnectionAccepted, object: nil)
        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionDataAvailable(notification:)), name: .NSFileHandleDataAvailable, object: nil)
        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
    }
    func socketPort(at path: String) -> SocketPort {
        var addr = sockaddr_un()
        addr.sun_family = sa_family_t(AF_UNIX)
        var len: Int = 0
        withUnsafeMutablePointer(to: &addr.sun_path.0) { pointer in
            path.withCString { cstring in
                len = strlen(cstring)
                strncpy(pointer, cstring, len)
            }
        }
        addr.sun_len = UInt8(len+2)
        var data: Data!
        withUnsafePointer(to: &addr) { pointer in
            data = Data(bytes: pointer, count: MemoryLayout<sockaddr_un>.size)
        }
        return SocketPort(protocolFamily: AF_UNIX, socketType: SOCK_STREAM, protocol: 0, address: data)!
    }
    @objc func handleConnectionAccept(notification: Notification) {
        Logger().debug("Socket controller accepted connection")
        guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { return }
        handler?(new, new)
        new.waitForDataInBackgroundAndNotify()
        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
    }
    @objc func handleConnectionDataAvailable(notification: Notification) {
        Logger().debug("Socket controller has new data available")
        guard let new = notification.object as? FileHandle else { return }
        Logger().debug("Socket controller received new file handle")
        handler?(new, new)
    }
 }
--- a/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
@ -10,39 +10,39 @@ class AgentTests: XCTestCase {
    // MARK: Identity Listing
-    func testEmptyStores() async {
+    func testEmptyStores() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestIdentities)
        let agent = Agent(storeList: SecretStoreList())
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
        XCTAssertEqual(stubWriter.data, Constants.Responses.requestIdentitiesEmpty)
    }
-    func testIdentitiesList() async {
+    func testIdentitiesList() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestIdentities)
        let list = storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
        let agent = Agent(storeList: list)
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
        XCTAssertEqual(stubWriter.data, Constants.Responses.requestIdentitiesMultiple)
    }
    // MARK: Signatures
-    func testNoMatchingIdentities() async {
+    func testNoMatchingIdentities() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestSignatureWithNoneMatching)
        let list = storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
        let agent = Agent(storeList: list)
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
 //        XCTAssertEqual(stubWriter.data, Constants.Responses.requestFailure)
    }
-    func testSignature() async {
+    func testSignature() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestSignature)
        let requestReader = OpenSSHReader(data: Constants.Requests.requestSignature[5...])
        _ = requestReader.readNextChunk()
        let dataToSign = requestReader.readNextChunk()
        let list = storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
        let agent = Agent(storeList: list)
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
        let outer = OpenSSHReader(data: stubWriter.data[5...])
        let payload = outer.readNextChunk()
        let inner = OpenSSHReader(data: payload)
@ -61,33 +61,24 @@ class AgentTests: XCTestCase {
        var rs = r
        rs.append(s)
        let signature = try! P256.Signing.ECDSASignature(rawRepresentation: rs)
-        let referenceValid = try! P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey).isValidSignature(signature, for: dataToSign)
+        let valid = try! P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey).isValidSignature(signature, for: dataToSign)
-        let store = list.stores.first!
+        XCTAssertTrue(valid)
        let derVerifies = try! store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
        let invalidRandomSignature = try? store.verify(signature: "invalid".data(using: .utf8)!, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
        let invalidRandomData = try? store.verify(signature: signature.derRepresentation, for: "invalid".data(using: .utf8)!, with: AnySecret(Constants.Secrets.ecdsa256Secret))
        let invalidWrongKey = try? store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa384Secret))
        XCTAssertTrue(referenceValid)
        XCTAssertTrue(derVerifies)
        XCTAssert(invalidRandomSignature == false)
        XCTAssert(invalidRandomData == false)
        XCTAssert(invalidWrongKey == false)
    }
    // MARK: Witness protocol
-    func testWitnessObjectionStopsRequest() async {
+    func testWitnessObjectionStopsRequest() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestSignature)
        let list = storeList(with: [Constants.Secrets.ecdsa256Secret])
        let witness = StubWitness(speakNow: { _,_  in
            return true
        }, witness: { _, _ in })
        let agent = Agent(storeList: list, witness: witness)
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
        XCTAssertEqual(stubWriter.data, Constants.Responses.requestFailure)
    }
-    func testWitnessSignature() async {
+    func testWitnessSignature() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestSignature)
        let list = storeList(with: [Constants.Secrets.ecdsa256Secret])
        var witnessed = false
@ -97,11 +88,11 @@ class AgentTests: XCTestCase {
            witnessed = true
        })
        let agent = Agent(storeList: list, witness: witness)
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
        XCTAssertTrue(witnessed)
    }
-    func testRequestTracing() async {
+    func testRequestTracing() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestSignature)
        let list = storeList(with: [Constants.Secrets.ecdsa256Secret])
        var speakNowTrace: SigningRequestProvenance! = nil
@ -113,7 +104,7 @@ class AgentTests: XCTestCase {
            witnessTrace = trace
        })
        let agent = Agent(storeList: list, witness: witness)
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
        XCTAssertEqual(witnessTrace, speakNowTrace)
        XCTAssertEqual(witnessTrace.origin.displayName, "Finder")
        XCTAssertEqual(witnessTrace.origin.validSignature, true)
@ -122,22 +113,22 @@ class AgentTests: XCTestCase {
    // MARK: Exception Handling
-    func testSignatureException() async {
+    func testSignatureException() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestSignature)
        let list = storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
        let store = list.stores.first?.base as! Stub.Store
        store.shouldThrow = true
        let agent = Agent(storeList: list)
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
        XCTAssertEqual(stubWriter.data, Constants.Responses.requestFailure)
    }
    // MARK: Unsupported
-    func testUnhandledAdd() async {
+    func testUnhandledAdd() {
        let stubReader = StubFileHandleReader(availableData: Constants.Requests.addIdentity)
        let agent = Agent(storeList: SecretStoreList())
-        await agent.handle(reader: stubReader, writer: stubWriter)
+        agent.handle(reader: stubReader, writer: stubWriter)
        XCTAssertEqual(stubWriter.data, Constants.Responses.requestFailure)
    }
--- a/SecretAgentKitTests/Info.plist
+++ b/SecretAgentKitTests/Info.plist
@ -0,0 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>$(DEVELOPMENT_LANGUAGE)</string>
 	<key>CFBundleExecutable</key>
 	<string>$(EXECUTABLE_NAME)</string>
 	<key>CFBundleIdentifier</key>
 	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>$(PRODUCT_NAME)</string>
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
 	<string>1.0</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 </dict>
 </plist>
--- a/Sources/Packages/Tests/SecretAgentKitTests/StubFileHandleReader.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/StubFileHandleReader.swift
--- a/Sources/Packages/Tests/SecretAgentKitTests/StubFileHandleWriter.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/StubFileHandleWriter.swift
@ -1,4 +1,3 @@
 import Foundation
 import SecretAgentKit
 class StubFileHandleWriter: FileHandleWriter {
--- a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
@ -1,4 +1,3 @@
 import Foundation
 import SecretKit
 import CryptoKit
@ -6,7 +5,7 @@ struct Stub {}
 extension Stub {
-    public final class Store: SecretStore {
+    public class Store: SecretStore {
        public let isAvailable = true
        public let id = UUID()
@ -27,7 +26,7 @@ extension Stub {
                                                flags,
                                                nil) as Any
-            let attributes = KeychainDictionary([
+            let attributes = [
                kSecAttrLabel: name,
                kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
                kSecAttrKeySizeInBits: size,
@ -35,10 +34,11 @@ extension Stub {
                    kSecAttrIsPermanent: true,
                    kSecAttrAccessControl: access
                ]
-                ])
+                ] as CFDictionary
-            let privateKey = SecKeyCreateRandomKey(attributes, nil)!
+            var privateKey: SecKey! = nil
-            let publicKey = SecKeyCopyPublicKey(privateKey)!
+            var publicKey: SecKey! = nil
            SecKeyGeneratePair(attributes, &publicKey, &privateKey)
            let publicAttributes = SecKeyCopyAttributes(publicKey) as! [CFString: Any]
            let privateAttributes = SecKeyCopyAttributes(privateKey) as! [CFString: Any]
            let publicData = (publicAttributes[kSecValueData] as! Data)
@ -50,48 +50,24 @@ extension Stub {
        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) throws -> Data {
            guard !shouldThrow else {
-                throw NSError(domain: "test", code: 0, userInfo: nil)
+                throw NSError()
            }
-            let privateKey = SecKeyCreateWithData(secret.privateKey as CFData, KeychainDictionary([
+            let privateKey = SecKeyCreateWithData(secret.privateKey as CFData, [
                kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
                kSecAttrKeySizeInBits: secret.keySize,
                kSecAttrKeyClass: kSecAttrKeyClassPrivate
-                ])
+                ] as CFDictionary
                , nil)!
-            return SecKeyCreateSignature(privateKey, signatureAlgorithm(for: secret), data as CFData, nil)! as Data
+            let signatureAlgorithm: SecKeyAlgorithm
-        }
+            switch secret.keySize {
-
+            case 256:
-        public func verify(signature: Data, for data: Data, with secret: Stub.Secret) throws -> Bool {
+                signatureAlgorithm = .ecdsaSignatureMessageX962SHA256
-            let attributes = KeychainDictionary([
+            case 384:
-                kSecAttrKeyType: secret.algorithm.secAttrKeyType,
+                signatureAlgorithm = .ecdsaSignatureMessageX962SHA384
-                kSecAttrKeySizeInBits: secret.keySize,
+            default:
-                kSecAttrKeyClass: kSecAttrKeyClassPublic
+                fatalError()
            ])
            var verifyError: Unmanaged<CFError>?
            let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &verifyError)
            guard let untypedSafe = untyped else {
                throw NSError(domain: "test", code: 0, userInfo: nil)
            }
-            let key = untypedSafe as! SecKey
+            return SecKeyCreateSignature(privateKey, signatureAlgorithm, data as CFData, nil)! as Data
            let verified = SecKeyVerifySignature(key, signatureAlgorithm(for: secret), data as CFData, signature as CFData, &verifyError)
            if let verifyError {
                if verifyError.takeUnretainedValue() ~= .verifyError {
                    return false
                } else {
                    throw NSError(domain: "test", code: 0, userInfo: nil)
                }
            }
            return verified
        }
        public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? {
            nil
        }
        public func persistAuthentication(secret: Stub.Secret, forDuration duration: TimeInterval) throws {
        }
        public func reloadSecrets() {
        }
    }
@ -108,7 +84,6 @@ extension Stub {
        let keySize: Int
        let publicKey: Data
        let requiresAuthentication = false
        let privateKey: Data
        init(keySize: Int, publicKey: Data, privateKey: Data) {
--- a/Sources/Packages/Tests/SecretAgentKitTests/StubWitness.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/StubWitness.swift
@ -10,14 +10,14 @@ struct StubWitness {
 extension StubWitness: SigningWitness {
-func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) throws {
+    func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, by provenance: SigningRequestProvenance) throws {
        let objection = speakNow(secret, provenance)
        if objection {
            throw TheresMyChance()
        }
    }
-func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) throws {
+    func witness(accessTo secret: AnySecret, by provenance: SigningRequestProvenance) throws {
        witness(secret, provenance)
    }
--- a/Sources/Secretive/Helpers/BundleIDs.swift
+++ b/Sources/Secretive/Helpers/BundleIDs.swift
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecret.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecret.swift
@ -1,6 +1,5 @@
 import Foundation
 /// Type eraser for Secret.
 public struct AnySecret: Secret {
    let base: Any
@ -9,7 +8,6 @@ public struct AnySecret: Secret {
    private let _name: () -> String
    private let _algorithm: () -> Algorithm
    private let _keySize: () -> Int
    private let _requiresAuthentication: () -> Bool
    private let _publicKey: () -> Data
    public init<T>(_ secret: T) where T: Secret {
@ -20,7 +18,6 @@ public struct AnySecret: Secret {
            _name = secret._name
            _algorithm = secret._algorithm
            _keySize = secret._keySize
            _requiresAuthentication = secret._requiresAuthentication
            _publicKey = secret._publicKey
        } else {
            base = secret as Any
@ -29,7 +26,6 @@ public struct AnySecret: Secret {
            _name = { secret.name }
            _algorithm = { secret.algorithm }
            _keySize = { secret.keySize }
            _requiresAuthentication = { secret.requiresAuthentication }
            _publicKey = { secret.publicKey }
        }
    }
@ -50,10 +46,6 @@ public struct AnySecret: Secret {
        _keySize()
    }
    public var requiresAuthentication: Bool {
        _requiresAuthentication()
    }
    public var publicKey: Data {
        _publicKey()
    }
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
@ -1,7 +1,6 @@
 import Foundation
 import Combine
 /// Type eraser for SecretStore.
 public class AnySecretStore: SecretStore {
    let base: Any
@ -10,11 +9,6 @@ public class AnySecretStore: SecretStore {
    private let _name: () -> String
    private let _secrets: () -> [AnySecret]
    private let _sign: (Data, AnySecret, SigningRequestProvenance) throws -> Data
    private let _verify: (Data, Data, AnySecret) throws -> Bool
    private let _existingPersistedAuthenticationContext: (AnySecret) -> PersistedAuthenticationContext?
    private let _persistAuthentication: (AnySecret, TimeInterval) throws -> Void
    private let _reloadSecrets: () -> Void
    private var sink: AnyCancellable?
    public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
@ -24,10 +18,6 @@ public class AnySecretStore: SecretStore {
        _id = { secretStore.id }
        _secrets = { secretStore.secrets.map { AnySecret($0) } }
        _sign = { try secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
        _verify = { try secretStore.verify(signature: $0, for: $1, with: $2.base as! SecretStoreType.SecretType) }
        _existingPersistedAuthenticationContext = { secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
        _persistAuthentication = { try secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
        _reloadSecrets = { secretStore.reloadSecrets() }
        sink = secretStore.objectWillChange.sink { _ in
            self.objectWillChange.send()
        }
@ -53,25 +43,9 @@ public class AnySecretStore: SecretStore {
        try _sign(data, secret, provenance)
    }
    public func verify(signature: Data, for data: Data, with secret: AnySecret) throws -> Bool {
        try _verify(signature, data, secret)
    }
    public func existingPersistedAuthenticationContext(secret: AnySecret) -> PersistedAuthenticationContext? {
        _existingPersistedAuthenticationContext(secret)
    }
    public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) throws {
        try _persistAuthentication(secret, duration)
    }
    public func reloadSecrets() {
        _reloadSecrets()
    }
 }
-public final class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiable {
+public class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiable {
    private let _create: (String, Bool) throws -> Void
    private let _delete: (AnySecret) throws -> Void
@ -95,5 +69,4 @@ public final class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiab
    public func update(secret: AnySecret, name: String) throws {
        try _update(secret, name)
    }
 }
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
@ -1,31 +1,24 @@
 import Foundation
 import CryptoKit
-/// Generates OpenSSH representations of Secrets.
+// For the moment, only supports ecdsa-sha2-nistp256 and ecdsa-sha2-nistp386 keys
 public struct OpenSSHKeyWriter {
    /// Initializes the writer.
    public init() {
    }
    /// Generates an OpenSSH data payload identifying the secret.
    /// - Returns: OpenSSH data payload identifying the secret.
    public func data<SecretType: Secret>(secret: SecretType) -> Data {
        lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
            lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
            lengthAndData(of: secret.publicKey)
    }
    /// Generates an OpenSSH string representation of the secret.
    /// - Returns: OpenSSH string representation of the secret.
    public func openSSHString<SecretType: Secret>(secret: SecretType, comment: String? = nil) -> String {
        [curveType(for: secret.algorithm, length: secret.keySize), data(secret: secret).base64EncodedString(), comment]
            .compactMap { $0 }
            .joined(separator: " ")
    }
    /// Generates an OpenSSH SHA256 fingerprint string.
    /// - Returns: OpenSSH SHA256 fingerprint string.
    public func openSSHSHA256Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
        // OpenSSL format seems to strip the padding at the end.
        let base64 = Data(SHA256.hash(data: data(secret: secret))).base64EncodedString()
@ -34,8 +27,6 @@ public struct OpenSSHKeyWriter {
        return "SHA256:\(cleaned)"
    }
    /// Generates an OpenSSH MD5 fingerprint string.
    /// - Returns: OpenSSH MD5 fingerprint string.
    public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
        Insecure.MD5.hash(data: data(secret: secret))
            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
@ -46,44 +37,23 @@ public struct OpenSSHKeyWriter {
 extension OpenSSHKeyWriter {
    /// Creates an OpenSSH protocol style data object, which has a length header, followed by the data payload.
    /// - Parameter data: The data payload.
    /// - Returns: OpenSSH data.
    public func lengthAndData(of data: Data) -> Data {
        let rawLength = UInt32(data.count)
        var endian = rawLength.bigEndian
        return Data(bytes: &endian, count: UInt32.bitWidth/8) + data
    }
-    /// The fully qualified OpenSSH identifier for the algorithm.
+    public func curveIdentifier(for algorithm: Algorithm, length: Int) -> String {
-    /// - Parameters:
+        switch algorithm {
-    ///   - algorithm: The algorithm to identify.
+        case .ellipticCurve:
-    ///   - length: The key length of the algorithm.
+            return "nistp" + String(describing: length)
-    /// - Returns: The OpenSSH identifier for the algorithm.
+        }
    }
    public func curveType(for algorithm: Algorithm, length: Int) -> String {
        switch algorithm {
        case .ellipticCurve:
            return "ecdsa-sha2-nistp" + String(describing: length)
        case .rsa:
            // All RSA keys use the same 512 bit hash function, per
            // https://security.stackexchange.com/questions/255074/why-are-rsa-sha2-512-and-rsa-sha2-256-supported-but-not-reported-by-ssh-q-key
            return "rsa-sha2-512"
        }
    }
    /// The OpenSSH identifier for an algorithm.
    /// - Parameters:
    ///   - algorithm: The algorithm to identify.
    ///   - length: The key length of the algorithm.
    /// - Returns: The OpenSSH identifier for the algorithm.
    private func curveIdentifier(for algorithm: Algorithm, length: Int) -> String {
        switch algorithm {
        case .ellipticCurve:
            return "nistp" + String(describing: length)
        case .rsa:
            // All RSA keys use the same 512 bit hash function
            return "rsa-sha2-512"
        }
    }
 }
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift
@ -1,18 +1,13 @@
 import Foundation
-/// Reads OpenSSH protocol data.
+public class OpenSSHReader {
 public final class OpenSSHReader {
    var remaining: Data
    /// Initialize the reader with an OpenSSH data payload.
    /// - Parameter data: The data to read.
    public init(data: Data) {
        remaining = Data(data)
    }
    /// Reads the next chunk of data from the playload.
    /// - Returns: The next chunk of data.
    public func readNextChunk() -> Data {
        let lengthRange = 0..<(UInt32.bitWidth/8)
        let lengthChunk = remaining[lengthRange]
--- a/Sources/Packages/Sources/SecretKit/SecretStoreList.swift
+++ b/Sources/Packages/Sources/SecretKit/SecretStoreList.swift
@ -1,49 +1,39 @@
 import Foundation
 import Combine
-/// A "Store Store," which holds a list of type-erased stores.
+public class SecretStoreList: ObservableObject {
 public final class SecretStoreList: ObservableObject {
    /// The Stores managed by the SecretStoreList.
    @Published public var stores: [AnySecretStore] = []
    /// A modifiable store, if one is available.
    @Published public var modifiableStore: AnySecretStoreModifiable?
-    private var cancellables: Set<AnyCancellable> = []
+    private var sinks: [AnyCancellable] = []
    /// Initializes a SecretStoreList.
    public init() {
    }
    /// Adds a non-type-erased SecretStore to the list.
    public func add<SecretStoreType: SecretStore>(store: SecretStoreType) {
        addInternal(store: AnySecretStore(store))
    }
    /// Adds a non-type-erased modifiable SecretStore.
    public func add<SecretStoreType: SecretStoreModifiable>(store: SecretStoreType) {
        let modifiable = AnySecretStoreModifiable(modifiable: store)
        modifiableStore = modifiable
        addInternal(store: modifiable)
    }
    /// A boolean describing whether there are any Stores available.
    public var anyAvailable: Bool {
        stores.reduce(false, { $0 || $1.isAvailable })
    }
    public var allSecrets: [AnySecret] {
        stores.flatMap(\.secrets)
    }
 }
 extension SecretStoreList {
    private func addInternal(store: AnySecretStore) {
        stores.append(store)
-        store.objectWillChange.sink {
+        let sink = store.objectWillChange.sink {
            self.objectWillChange.send()
-        }.store(in: &cancellables)
+        }
        sinks.append(sink)
    }
 }
--- a/SecretKit/Common/Types/Secret.swift
+++ b/SecretKit/Common/Types/Secret.swift
@ -0,0 +1,21 @@
 public protocol Secret: Identifiable, Hashable {
    var name: String { get }
    var algorithm: Algorithm { get }
    var keySize: Int { get }
    var publicKey: Data { get }
 }
 public enum Algorithm: Hashable {
    case ellipticCurve
    public init(secAttr: NSNumber) {
        let secAttrString = secAttr.stringValue as CFString
        switch secAttrString {
        case kSecAttrKeyTypeEC:
            self = .ellipticCurve
        default:
            fatalError()
        }
    }
 }
--- a/SecretKit/Common/Types/SecretStore.swift
+++ b/SecretKit/Common/Types/SecretStore.swift
@ -0,0 +1,28 @@
 import Combine
 public protocol SecretStore: ObservableObject, Identifiable {
    associatedtype SecretType: Secret
    var isAvailable: Bool { get }
    var id: UUID { get }
    var name: String { get }
    var secrets: [SecretType] { get }
    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> Data
 }
 public protocol SecretStoreModifiable: SecretStore {
    func create(name: String, requiresAuthentication: Bool) throws
    func delete(secret: SecretType) throws
    func update(secret: SecretType, name: String) throws
 }
 extension NSNotification.Name {
    static let secretStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.updated")
 }
--- a/SecretKit/Common/Types/SigningRequestProvenance.swift
+++ b/SecretKit/Common/Types/SigningRequestProvenance.swift
@ -0,0 +1,53 @@
 import Foundation
 import AppKit
 public struct SigningRequestProvenance: Equatable {
    public var chain: [Process]
    public init(root: Process) {
        self.chain = [root]
    }
 }
 extension SigningRequestProvenance {
    public var origin: Process {
        chain.last!
    }
    public var intact: Bool {
        chain.allSatisfy { $0.validSignature }
    }
 }
 extension SigningRequestProvenance {
    public struct Process: Equatable {
        public let pid: Int32
        public let processName: String
        public let appName: String?
        public let iconURL: URL?
        public let path: String
        public let validSignature: Bool
        public let parentPID: Int32?
        public init(pid: Int32, processName: String, appName: String?, iconURL: URL?, path: String, validSignature: Bool, parentPID: Int32?) {
            self.pid = pid
            self.processName = processName
            self.appName = appName
            self.iconURL = iconURL
            self.path = path
            self.validSignature = validSignature
            self.parentPID = parentPID
        }
        public var displayName: String {
            appName ?? processName
        }
    }
 }
--- a/SecretKit/Info.plist
+++ b/SecretKit/Info.plist
@ -0,0 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>$(DEVELOPMENT_LANGUAGE)</string>
 	<key>CFBundleExecutable</key>
 	<string>$(EXECUTABLE_NAME)</string>
 	<key>CFBundleIdentifier</key>
 	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>$(PRODUCT_NAME)</string>
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
 	<string>$(CI_VERSION)</string>
 	<key>CFBundleVersion</key>
 	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>$(PRODUCT_NAME) is MIT Licensed.</string>
 </dict>
 </plist>
--- a/SecretKit/SecretKit.h
+++ b/SecretKit/SecretKit.h
@ -0,0 +1,11 @@
 #import <Foundation/Foundation.h>
 //! Project version number for SecretKit.
 FOUNDATION_EXPORT double SecretKitVersionNumber;
 //! Project version string for SecretKit.
 FOUNDATION_EXPORT const unsigned char SecretKitVersionString[];
 // In this header, you should import all the public headers of your framework using statements like #import <SecretKit/PublicHeader.h>
--- a/SecretKit/SecureEnclave/SecureEnclave.swift
+++ b/SecretKit/SecureEnclave/SecureEnclave.swift
@ -0,0 +1 @@
 public enum SecureEnclave {}
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveSecret.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveSecret.swift
@ -1,17 +1,14 @@
 import Foundation
 import Combine
 import SecretKit
 extension SecureEnclave {
    /// An implementation of Secret backed by the Secure Enclave.
    public struct Secret: SecretKit.Secret {
        public let id: Data
        public let name: String
        public let algorithm = Algorithm.ellipticCurve
        public let keySize = 256
        public let requiresAuthentication: Bool
        public let publicKey: Data
    }
--- a/SecretKit/SecureEnclave/SecureEnclaveStore.swift
+++ b/SecretKit/SecureEnclave/SecureEnclaveStore.swift
@ -0,0 +1,207 @@
 import Foundation
 import Security
 import CryptoTokenKit
 import LocalAuthentication
 extension SecureEnclave {
    public class Store: SecretStoreModifiable {
        public var isAvailable: Bool {
            // For some reason, as of build time, CryptoKit.SecureEnclave.isAvailable always returns false
            // error msg "Received error sending GET UNIQUE DEVICE command"
            // Verify it with TKTokenWatcher manually.
            TKTokenWatcher().tokenIDs.contains("com.apple.setoken")
        }
        public let id = UUID()
        public let name = NSLocalizedString("Secure Enclave", comment: "Secure Enclave")
        @Published public private(set) var secrets: [Secret] = []
        public init() {
            DistributedNotificationCenter.default().addObserver(forName: .secretStoreUpdated, object: nil, queue: .main) { _ in
                self.reloadSecrets(notify: false)
            }
            loadSecrets()
        }
        // MARK: Public API
        public func create(name: String, requiresAuthentication: Bool) throws {
            var accessError: SecurityError?
            let flags: SecAccessControlCreateFlags
            if requiresAuthentication {
                flags = [.privateKeyUsage, .userPresence]
            } else {
                flags = .privateKeyUsage
            }
            let access =
                SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                                flags,
                                                &accessError) as Any
            if let error = accessError {
                throw error.takeRetainedValue() as Error
            }
            let attributes = [
                kSecAttrLabel: name,
                kSecAttrKeyType: Constants.keyType,
                kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
                kSecAttrApplicationTag: Constants.keyTag,
                kSecPrivateKeyAttrs: [
                    kSecAttrIsPermanent: true,
                    kSecAttrAccessControl: access
                ]
            ] as CFDictionary
            var privateKey: SecKey? = nil
            var publicKey: SecKey? = nil
            let status = SecKeyGeneratePair(attributes, &publicKey, &privateKey)
            guard privateKey != nil, let pk = publicKey else {
                throw KeychainError(statusCode: status)
            }
            try savePublicKey(pk, name: name)
            reloadSecrets()
        }
        public func delete(secret: Secret) throws {
            let deleteAttributes = [
                kSecClass: kSecClassKey,
                kSecAttrApplicationLabel: secret.id as CFData
            ] as CFDictionary
            let status = SecItemDelete(deleteAttributes)
            if status != errSecSuccess {
                throw KeychainError(statusCode: status)
            }
            reloadSecrets()
        }
        public func update(secret: Secret, name: String) throws {
            let updateQuery = [
                kSecClass: kSecClassKey,
                kSecAttrApplicationLabel: secret.id as CFData
            ] as CFDictionary
            let updatedAttributes = [
                kSecAttrLabel: name,
            ] as CFDictionary
            let status = SecItemUpdate(updateQuery, updatedAttributes)
            if status != errSecSuccess {
                throw KeychainError(statusCode: status)
            }
            reloadSecrets()
        }
        public func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> Data {
            let context = LAContext()
            context.localizedReason = "sign a request from \"\(provenance.origin.displayName)\" using secret \"\(secret.name)\""
            context.localizedCancelTitle = "Deny"
            let attributes = [
                kSecClass: kSecClassKey,
                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
                kSecAttrApplicationLabel: secret.id as CFData,
                kSecAttrKeyType: Constants.keyType,
                kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
                kSecAttrApplicationTag: Constants.keyTag,
                kSecUseAuthenticationContext: context,
                kSecReturnRef: true
                ] as CFDictionary
            var untyped: CFTypeRef?
            let status = SecItemCopyMatching(attributes, &untyped)
            if status != errSecSuccess {
                throw KeychainError(statusCode: status)
            }
            guard let untypedSafe = untyped else {
                throw KeychainError(statusCode: errSecSuccess)
            }
            let key = untypedSafe as! SecKey
            var signError: SecurityError?
            guard let signature = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, &signError) else {
                throw SigningError(error: signError)
            }
            return signature as Data
        }
    }
 }
 extension SecureEnclave.Store {
    private func reloadSecrets(notify: Bool = true) {
        secrets.removeAll()
        loadSecrets()
        if notify {
            DistributedNotificationCenter.default().post(name: .secretStoreUpdated, object: nil)
        }
    }
    private func loadSecrets() {
        let attributes = [
            kSecClass: kSecClassKey,
            kSecAttrKeyType: SecureEnclave.Constants.keyType,
            kSecAttrApplicationTag: SecureEnclave.Constants.keyTag,
            kSecAttrKeyClass: kSecAttrKeyClassPublic,
            kSecReturnRef: true,
            kSecMatchLimit: kSecMatchLimitAll,
            kSecReturnAttributes: true
            ] as CFDictionary
        var untyped: CFTypeRef?
        SecItemCopyMatching(attributes, &untyped)
        guard let typed = untyped as? [[CFString: Any]] else { return }
        let wrapped: [SecureEnclave.Secret] = typed.map {
            let name = $0[kSecAttrLabel] as? String ?? "Unnamed"
            let id = $0[kSecAttrApplicationLabel] as! Data
            let publicKeyRef = $0[kSecValueRef] as! SecKey
            let publicKeyAttributes = SecKeyCopyAttributes(publicKeyRef) as! [CFString: Any]
            let publicKey = publicKeyAttributes[kSecValueData] as! Data
            return SecureEnclave.Secret(id: id, name: name, publicKey: publicKey)
        }
        secrets.append(contentsOf: wrapped)
    }
    private func savePublicKey(_ publicKey: SecKey, name: String) throws {
        let attributes = [
            kSecClass: kSecClassKey,
            kSecAttrKeyType: SecureEnclave.Constants.keyType,
            kSecAttrKeyClass: kSecAttrKeyClassPublic,
            kSecAttrApplicationTag: SecureEnclave.Constants.keyTag,
            kSecValueRef: publicKey,
            kSecAttrIsPermanent: true,
            kSecReturnData: true,
            kSecAttrLabel: name
            ] as CFDictionary
        let status = SecItemAdd(attributes, nil)
        if status != errSecSuccess {
            throw SecureEnclave.KeychainError(statusCode: status)
        }
    }
 }
 extension SecureEnclave {
    public struct KeychainError: Error {
        public let statusCode: OSStatus
    }
    public struct SigningError: Error {
        public let error: SecurityError?
    }
 }
 extension SecureEnclave {
    public typealias SecurityError = Unmanaged<CFError>
 }
 extension SecureEnclave {
    enum Constants {
        static let keyTag = "com.maxgoedjen.secretive.secureenclave.key".data(using: .utf8)! as CFData
        static let keyType = kSecAttrKeyTypeECSECPrimeRandom
    }
 }
--- a/SecretKit/SmartCard/SmartCard.swift
+++ b/SecretKit/SmartCard/SmartCard.swift
@ -0,0 +1 @@
 public enum SmartCard {}
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardSecret.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardSecret.swift
@ -1,17 +1,14 @@
 import Foundation
 import Combine
 import SecretKit
 extension SmartCard {
    /// An implementation of Secret backed by a Smart Card.
    public struct Secret: SecretKit.Secret {
        public let id: Data
        public let name: String
        public let algorithm: Algorithm
        public let keySize: Int
        public let requiresAuthentication: Bool = false
        public let publicKey: Data
    }
--- a/SecretKit/SmartCard/SmartCardStore.swift
+++ b/SecretKit/SmartCard/SmartCardStore.swift
@ -0,0 +1,165 @@
 import Foundation
 import Security
 import CryptoTokenKit
 import LocalAuthentication
 // TODO: Might need to split this up into "sub-stores?"
 // ie, each token has its own Store.
 extension SmartCard {
    public class Store: SecretStore {
        // TODO: Read actual smart card name, eg "YubiKey 5c"
        @Published public var isAvailable: Bool = false
        public let id = UUID()
        public private(set) var name = NSLocalizedString("Smart Card", comment: "Smart Card")
        @Published public private(set) var secrets: [Secret] = []
        private let watcher = TKTokenWatcher()
        private var tokenID: String?
        public init() {
            tokenID = watcher.nonSecureEnclaveTokens.first
            watcher.setInsertionHandler { string in
                guard self.tokenID == nil else { return }
                guard !string.contains("setoken") else { return }
                self.tokenID = string
                self.reloadSecrets()
                self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: string)
            }
            if let tokenID = tokenID {
                self.isAvailable = true
                self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: tokenID)
            }
            loadSecrets()
        }
        // MARK: Public API
        public func create(name: String) throws {
            fatalError("Keys must be created on the smart card.")
        }
        public func delete(secret: Secret) throws {
            fatalError("Keys must be deleted on the smart card.")
        }
        public func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> Data {
            guard let tokenID = tokenID else { fatalError() }
            let context = LAContext()
            context.localizedReason = "sign a request from \"\(provenance.origin.displayName)\" using secret \"\(secret.name)\""
            context.localizedCancelTitle = "Deny"
            let attributes = [
                kSecClass: kSecClassKey,
                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
                kSecAttrApplicationLabel: secret.id as CFData,
                kSecAttrTokenID: tokenID,
                kSecUseAuthenticationContext: context,
                kSecReturnRef: true
                ] as CFDictionary
            var untyped: CFTypeRef?
            let status = SecItemCopyMatching(attributes, &untyped)
            if status != errSecSuccess {
                throw KeychainError(statusCode: status)
            }
            guard let untypedSafe = untyped else {
                throw KeychainError(statusCode: errSecSuccess)
            }
            let key = untypedSafe as! SecKey
            var signError: SecurityError?
            let signatureAlgorithm: SecKeyAlgorithm
            switch (secret.algorithm, secret.keySize) {
            case (.ellipticCurve, 256):
                signatureAlgorithm = .ecdsaSignatureMessageX962SHA256
            case (.ellipticCurve, 384):
                signatureAlgorithm = .ecdsaSignatureMessageX962SHA384
            default:
                fatalError()
            }
            guard let signature = SecKeyCreateSignature(key, signatureAlgorithm, data as CFData, &signError) else {
                throw SigningError(error: signError)
            }
            return signature as Data
        }
    }
 }
 extension SmartCard.Store {
    private func smartcardRemoved(for tokenID: String? = nil) {
        self.tokenID = nil
        reloadSecrets()
    }
    private func reloadSecrets() {
        DispatchQueue.main.async {
            self.isAvailable = self.tokenID != nil
            self.secrets.removeAll()
            self.loadSecrets()
        }
    }
    private func loadSecrets() {
        guard let tokenID = tokenID else { return }
        // Hack to read name if there's only one smart card
        let slotNames = TKSmartCardSlotManager().slotNames
        if watcher.nonSecureEnclaveTokens.count == 1 && slotNames.count == 1 {
            name = slotNames.first!
        } else {
            name = NSLocalizedString("Smart Card", comment: "Smart Card")
        }
        let attributes = [
            kSecClass: kSecClassKey,
            kSecAttrTokenID: tokenID,
            kSecAttrKeyType: kSecAttrKeyTypeEC, // Restrict to EC
            kSecReturnRef: true,
            kSecMatchLimit: kSecMatchLimitAll,
            kSecReturnAttributes: true
            ] as CFDictionary
        var untyped: CFTypeRef?
        SecItemCopyMatching(attributes, &untyped)
        guard let typed = untyped as? [[CFString: Any]] else { return }
        let wrapped: [SmartCard.Secret] = typed.map {
            let name = $0[kSecAttrLabel] as? String ?? "Unnamed"
            let tokenID = $0[kSecAttrApplicationLabel] as! Data
            let algorithm = Algorithm(secAttr: $0[kSecAttrKeyType] as! NSNumber)
            let keySize = $0[kSecAttrKeySizeInBits] as! Int
            let publicKeyRef = $0[kSecValueRef] as! SecKey
            let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!
            let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]
            let publicKey = publicKeyAttributes[kSecValueData] as! Data
            return SmartCard.Secret(id: tokenID, name: name, algorithm: algorithm, keySize: keySize, publicKey: publicKey)
        }
        secrets.append(contentsOf: wrapped)
    }
 }
 extension TKTokenWatcher {
    fileprivate var nonSecureEnclaveTokens: [String] {
        tokenIDs.filter { !$0.contains("setoken") }
    }
 }
 extension SmartCard {
    public struct KeychainError: Error {
        public let statusCode: OSStatus
    }
    public struct SigningError: Error {
        public let error: SecurityError?
    }
 }
 extension SmartCard {
    public typealias SecurityError = Unmanaged<CFError>
 }
--- a/Sources/Packages/Tests/SecretKitTests/AnySecretTests.swift
+++ b/Sources/Packages/Tests/SecretKitTests/AnySecretTests.swift
@ -1,8 +1,6 @@
 import Foundation
 import XCTest
@testable import SecretKit
@testable import SecureEnclaveSecretKit
@testable import SmartCardSecretKit
 class AnySecretTests: XCTestCase {
--- a/SecretKitTests/Info.plist
+++ b/SecretKitTests/Info.plist
@ -0,0 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>$(DEVELOPMENT_LANGUAGE)</string>
 	<key>CFBundleExecutable</key>
 	<string>$(EXECUTABLE_NAME)</string>
 	<key>CFBundleIdentifier</key>
 	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>$(PRODUCT_NAME)</string>
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
 	<string>1.0</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 </dict>
 </plist>
--- a/Sources/Packages/Tests/SecretKitTests/OpenSSHReaderTests.swift
+++ b/Sources/Packages/Tests/SecretKitTests/OpenSSHReaderTests.swift
@ -1,8 +1,6 @@
 import Foundation
 import XCTest
@testable import SecretKit
@testable import SecureEnclaveSecretKit
@testable import SmartCardSecretKit
 class OpenSSHReaderTests: XCTestCase {
--- a/Sources/Packages/Tests/SecretKitTests/OpenSSHWriterTests.swift
+++ b/Sources/Packages/Tests/SecretKitTests/OpenSSHWriterTests.swift
@ -1,8 +1,6 @@
 import Foundation
 import XCTest
@testable import SecretKit
@testable import SecureEnclaveSecretKit
@testable import SmartCardSecretKit
 class OpenSSHWriterTests: XCTestCase {
--- a/Secretive.xcodeproj/project.pbxproj
+++ b/Secretive.xcodeproj/project.pbxproj
--- a/Sources/Secretive.xcodeproj/project.xcworkspace/contents.xcworkspacedata
+++ b/Sources/Secretive.xcodeproj/project.xcworkspace/contents.xcworkspacedata
--- a/Sources/Secretive.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
+++ b/Sources/Secretive.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
--- a/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgent.xcscheme
+++ b/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgent.xcscheme
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1320"
+   LastUpgradeVersion = "1140"
   version = "1.7">
   <BuildAction
      parallelizeBuildables = "YES"
--- a/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgentKit.xcscheme
+++ b/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgentKit.xcscheme
@ -0,0 +1,85 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
   LastUpgradeVersion = "1140"
   version = "1.7">
   <BuildAction
      parallelizeBuildables = "YES"
      buildImplicitDependencies = "YES">
      <BuildActionEntries>
         <BuildActionEntry
            buildForTesting = "YES"
            buildForRunning = "YES"
            buildForProfiling = "YES"
            buildForArchiving = "YES"
            buildForAnalyzing = "YES">
            <BuildableReference
               BuildableIdentifier = "primary"
               BlueprintIdentifier = "5099A06B240242BA0062B6F2"
               BuildableName = "SecretAgentKit.framework"
               BlueprintName = "SecretAgentKit"
               ReferencedContainer = "container:Secretive.xcodeproj">
            </BuildableReference>
         </BuildActionEntry>
      </BuildActionEntries>
   </BuildAction>
   <TestAction
      buildConfiguration = "Test"
      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
      shouldUseLaunchSchemeArgsEnv = "YES">
      <TestPlans>
         <TestPlanReference
            reference = "container:Config/Secretive.xctestplan"
            default = "YES">
         </TestPlanReference>
      </TestPlans>
      <Testables>
         <TestableReference
            skipped = "NO"
            parallelizable = "YES"
            testExecutionOrdering = "random">
            <BuildableReference
               BuildableIdentifier = "primary"
               BlueprintIdentifier = "5099A073240242BA0062B6F2"
               BuildableName = "SecretAgentKitTests.xctest"
               BlueprintName = "SecretAgentKitTests"
               ReferencedContainer = "container:Secretive.xcodeproj">
            </BuildableReference>
         </TestableReference>
      </Testables>
   </TestAction>
   <LaunchAction
      buildConfiguration = "Debug"
      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
      launchStyle = "0"
      useCustomWorkingDirectory = "NO"
      ignoresPersistentStateOnLaunch = "NO"
      debugDocumentVersioning = "YES"
      debugServiceExtension = "internal"
      allowLocationSimulation = "YES">
   </LaunchAction>
   <ProfileAction
      buildConfiguration = "Release"
      shouldUseLaunchSchemeArgsEnv = "YES"
      savedToolIdentifier = ""
      useCustomWorkingDirectory = "NO"
      debugDocumentVersioning = "YES">
      <MacroExpansion>
         <BuildableReference
            BuildableIdentifier = "primary"
            BlueprintIdentifier = "5099A06B240242BA0062B6F2"
            BuildableName = "SecretAgentKit.framework"
            BlueprintName = "SecretAgentKit"
            ReferencedContainer = "container:Secretive.xcodeproj">
         </BuildableReference>
      </MacroExpansion>
   </ProfileAction>
   <AnalyzeAction
      buildConfiguration = "Debug">
   </AnalyzeAction>
   <ArchiveAction
      buildConfiguration = "Release"
      revealArchiveInOrganizer = "YES">
   </ArchiveAction>
 </Scheme>
--- a/Secretive.xcodeproj/xcshareddata/xcschemes/SecretKit.xcscheme
+++ b/Secretive.xcodeproj/xcshareddata/xcschemes/SecretKit.xcscheme
@ -0,0 +1,71 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
   LastUpgradeVersion = "1140"
   version = "1.7">
   <BuildAction
      parallelizeBuildables = "YES"
      buildImplicitDependencies = "YES">
      <BuildActionEntries>
         <BuildActionEntry
            buildForTesting = "YES"
            buildForRunning = "YES"
            buildForProfiling = "YES"
            buildForArchiving = "YES"
            buildForAnalyzing = "YES">
            <BuildableReference
               BuildableIdentifier = "primary"
               BlueprintIdentifier = "50617DA723FCE4AB0099B055"
               BuildableName = "SecretKit.framework"
               BlueprintName = "SecretKit"
               ReferencedContainer = "container:Secretive.xcodeproj">
            </BuildableReference>
         </BuildActionEntry>
      </BuildActionEntries>
   </BuildAction>
   <TestAction
      buildConfiguration = "Test"
      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
      shouldUseLaunchSchemeArgsEnv = "YES">
      <TestPlans>
         <TestPlanReference
            reference = "container:Config/Secretive.xctestplan"
            default = "YES">
         </TestPlanReference>
      </TestPlans>
   </TestAction>
   <LaunchAction
      buildConfiguration = "Debug"
      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
      launchStyle = "0"
      useCustomWorkingDirectory = "NO"
      ignoresPersistentStateOnLaunch = "NO"
      debugDocumentVersioning = "YES"
      debugServiceExtension = "internal"
      allowLocationSimulation = "YES">
   </LaunchAction>
   <ProfileAction
      buildConfiguration = "Release"
      shouldUseLaunchSchemeArgsEnv = "YES"
      savedToolIdentifier = ""
      useCustomWorkingDirectory = "NO"
      debugDocumentVersioning = "YES">
      <MacroExpansion>
         <BuildableReference
            BuildableIdentifier = "primary"
            BlueprintIdentifier = "50617DA723FCE4AB0099B055"
            BuildableName = "SecretKit.framework"
            BlueprintName = "SecretKit"
            ReferencedContainer = "container:Secretive.xcodeproj">
         </BuildableReference>
      </MacroExpansion>
   </ProfileAction>
   <AnalyzeAction
      buildConfiguration = "Debug">
   </AnalyzeAction>
   <ArchiveAction
      buildConfiguration = "Release"
      revealArchiveInOrganizer = "YES">
   </ArchiveAction>
 </Scheme>
--- a/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/Secretive.xcscheme
+++ b/Sources/Secretive.xcodeproj/xcshareddata/xcschemes/Secretive.xcscheme
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1320"
+   LastUpgradeVersion = "1140"
   version = "1.7">
   <BuildAction
      parallelizeBuildables = "YES"
@ -75,7 +75,6 @@
      ignoresPersistentStateOnLaunch = "NO"
      debugDocumentVersioning = "YES"
      debugServiceExtension = "internal"
      enableGPUValidationMode = "1"
      allowLocationSimulation = "YES">
      <BuildableProductRunnable
         runnableDebuggingMode = "0">
--- a/Sources/Secretive/App.swift
+++ b/Sources/Secretive/App.swift
@ -1,8 +1,6 @@
 import Cocoa
 import SwiftUI
 import SecretKit
 import SecureEnclaveSecretKit
 import SmartCardSecretKit
 import Brief
@main
@ -38,25 +36,25 @@ struct Secretive: App {
                    if agentStatusChecker.running && justUpdatedChecker.justUpdated {
                        // Relaunch the agent, since it'll be running from earlier update still
                        reinstallAgent()
-                    } else if !agentStatusChecker.running && !agentStatusChecker.developmentBuild {
+                    } else if !agentStatusChecker.running {
                        forceLaunchAgent()
                    }
                }
        }
        .commands {
            CommandGroup(after: CommandGroupPlacement.newItem) {
-                Button("app_menu_new_secret_button") {
+                Button("New Secret") {
                    showingCreation = true
                }
                .keyboardShortcut(KeyboardShortcut(KeyEquivalent("N"), modifiers: [.command, .shift]))
            }
            CommandGroup(replacing: .help) {
-                Button("app_menu_help_button") {
+                Button("Help") {
                    NSWorkspace.shared.open(Constants.helpURL)
                }
            }
            CommandGroup(after: .help) {
-                Button("app_menu_setup_button") {
+                Button("Setup Secretive") {
                    showingSetup = true
                }
            }
--- a/Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Contents.json
+++ b/Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Contents.json
--- a/Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Mac
+++ b/Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Mac
--- a/Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Mac
+++ b/Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Mac
--- a/Sources/Secretive/Assets.xcassets/Contents.json
+++ b/Sources/Secretive/Assets.xcassets/Contents.json
--- a/Sources/Secretive/Controllers/AgentStatusChecker.swift
+++ b/Sources/Secretive/Controllers/AgentStatusChecker.swift
@ -5,7 +5,6 @@ import SecretKit
 protocol AgentStatusCheckerProtocol: ObservableObject {
    var running: Bool { get }
    var developmentBuild: Bool { get }
 }
 class AgentStatusChecker: ObservableObject, AgentStatusCheckerProtocol {
@ -37,12 +36,6 @@ class AgentStatusChecker: ObservableObject, AgentStatusCheckerProtocol {
        return nil
    }
    // Whether Secretive is being run in an Xcode environment.
    var developmentBuild: Bool {
        Bundle.main.bundleURL.absoluteString.contains("/Library/Developer/Xcode")
    }
 }
--- a/Sources/Secretive/Controllers/ApplicationDirectoryController.swift
+++ b/Sources/Secretive/Controllers/ApplicationDirectoryController.swift
--- a/Sources/Secretive/Controllers/JustUpdatedChecker.swift
+++ b/Sources/Secretive/Controllers/JustUpdatedChecker.swift
--- a/Sources/Secretive/Controllers/LaunchAgentController.swift
+++ b/Sources/Secretive/Controllers/LaunchAgentController.swift
@ -6,10 +6,8 @@ import SecretKit
 struct LaunchAgentController {
    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "LaunchAgentController")
    func install(completion: (() -> Void)? = nil) {
-        logger.debug("Installing agent")
+        Logger().debug("Installing agent")
        _ = setEnabled(false)
        // This is definitely a bit of a "seems to work better" thing but:
        // Seems to more reliably hit if these are on separate runloops, otherwise it seems like it sometimes doesn't kill old
@ -22,7 +20,7 @@ struct LaunchAgentController {
    }
    func forceLaunch(completion: ((Bool) -> Void)?) {
-        logger.debug("Agent is not running, attempting to force launch")
+        Logger().debug("Agent is not running, attempting to force launch")
        let url = Bundle.main.bundleURL.appendingPathComponent("Contents/Library/LoginItems/SecretAgent.app")
        let config = NSWorkspace.OpenConfiguration()
        config.activates = false
@ -31,9 +29,9 @@ struct LaunchAgentController {
                completion?(error == nil)
            }
            if let error = error {
-                logger.error("Error force launching \(error.localizedDescription)")
+                Logger().error("Error force launching \(error.localizedDescription)")
            } else {
-                logger.debug("Agent force launched")
+                Logger().debug("Agent force launched")
            }
        }
    }
--- a/Sources/Secretive/Controllers/ShellConfigurationController.swift
+++ b/Sources/Secretive/Controllers/ShellConfigurationController.swift
@ -29,7 +29,7 @@ struct ShellConfigurationController {
    }
-    @MainActor func addToShell(shellInstructions: ShellConfigInstruction) -> Bool {
+    func addToShell(shellInstructions: ShellConfigInstruction) -> Bool {
        let openPanel = NSOpenPanel()
        // This is sync, so no need to strongly retain
        let delegate = Delegate(name: shellInstructions.shellConfigFilename)
--- a/Sources/Secretive/Credits.rtf
+++ b/Sources/Secretive/Credits.rtf
--- a/Sources/Secretive/Info.plist
+++ b/Sources/Secretive/Info.plist
--- a/Sources/Secretive/InternetAccessPolicy.plist
+++ b/Sources/Secretive/InternetAccessPolicy.plist
--- a/Assets.xcassets/Contents.json
+++ b/Assets.xcassets/Contents.json
--- a/Content/PreviewAgentStatusChecker.swift
+++ b/Content/PreviewAgentStatusChecker.swift
@ -4,7 +4,6 @@ import Combine
 class PreviewAgentStatusChecker: AgentStatusCheckerProtocol {
    let running: Bool
    let developmentBuild = false
    init(running: Bool = true) {
        self.running = running
--- a/Content/PreviewStore.swift
+++ b/Content/PreviewStore.swift
@ -11,7 +11,6 @@ extension Preview {
        let name: String
        let algorithm = Algorithm.ellipticCurve
        let keySize = 256
        let requiresAuthentication: Bool = false
        let publicKey = UUID().uuidString.data(using: .utf8)!
    }
@ -40,20 +39,6 @@ extension Preview {
            return data
        }
        func verify(signature data: Data, for signature: Data, with secret: Preview.Secret) throws -> Bool {
            true
        }
        func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? {
            nil
        }
        func persistAuthentication(secret: Preview.Secret, forDuration duration: TimeInterval) throws {
        }
        func reloadSecrets() {
        }
    }
    class StoreModifiable: Store, SecretStoreModifiable {
--- a/Content/PreviewUpdater.swift
+++ b/Content/PreviewUpdater.swift
@ -5,7 +5,6 @@ import Brief
 class PreviewUpdater: UpdaterProtocol {
    let update: Release?
    let testBuild = false
    init(update: Update = .none) {
        switch update {
--- a/Sources/Secretive/Secretive.entitlements
+++ b/Sources/Secretive/Secretive.entitlements
--- a/Secretive/Views/ContentView.swift
+++ b/Secretive/Views/ContentView.swift
@ -0,0 +1,193 @@
 import SwiftUI
 import SecretKit
 import Brief
 struct ContentView<UpdaterType: UpdaterProtocol, AgentStatusCheckerType: AgentStatusCheckerProtocol>: View {
    @Binding var showingCreation: Bool
    @Binding var runningSetup: Bool
    @Binding var hasRunSetup: Bool
    @EnvironmentObject private var storeList: SecretStoreList
    @EnvironmentObject private var updater: UpdaterType
    @EnvironmentObject private var agentStatusChecker: AgentStatusCheckerType
    @State private var selectedUpdate: Release?
    @State private var showingAppPathNotice = false
    var body: some View {
        VStack {
            if storeList.anyAvailable {
                StoreListView(showingCreation: $showingCreation)
            } else {
                NoStoresView()
            }
        }
        .frame(minWidth: 640, minHeight: 320)
        .toolbar {
            updateNotice
            setupNotice
            appPathNotice
            newItem
        }
    }
 }
 extension ContentView {
    var updateNotice: ToolbarItem<Void, AnyView> {
        guard let update = updater.update else {
            return ToolbarItem { AnyView(EmptyView()) }
        }
        let color: Color
        let text: String
        if update.critical {
            text = "Critical Security Update Required"
            color = .red
        } else {
            text = "Update Available"
            color = .orange
        }
        return ToolbarItem {
            AnyView(
                Button(action: {
                    selectedUpdate = update
                }, label: {
                    Text(text)
                        .font(.headline)
                        .foregroundColor(.white)
                })
                .background(color)
                .cornerRadius(5)
                .popover(item: $selectedUpdate, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) { update in
                    UpdateDetailView(update: update)
                }
            )
        }
    }
    var newItem: ToolbarItem<Void, AnyView> {
        guard storeList.modifiableStore?.isAvailable ?? false else {
            return ToolbarItem { AnyView(EmptyView()) }
        }
        return ToolbarItem {
            AnyView(
                Button(action: {
                    showingCreation = true
                }, label: {
                    Image(systemName: "plus")
                })
                .popover(isPresented: $showingCreation, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
                    if let modifiable = storeList.modifiableStore {
                        CreateSecretView(store: modifiable, showing: $showingCreation)
                    }
                }
            )
        }
    }
    var setupNotice: ToolbarItem<Void, AnyView> {
        return ToolbarItem {
            AnyView(
                Group {
                    if runningSetup || !hasRunSetup || !agentStatusChecker.running  {
                        Button(action: {
                            runningSetup = true
                        }, label: {
                            Group {
                                if hasRunSetup && !agentStatusChecker.running {
                                    Text("Secret Agent Is Not Running")
                                } else {
                                    Text("Setup Secretive")
                                }
                            }
                            .font(.headline)
                            .foregroundColor(.white)
                        })
                        .background(Color.orange)
                        .cornerRadius(5)
                    } else {
                        EmptyView()
                    }
                }
                .sheet(isPresented: $runningSetup) {
                    SetupView(visible: $runningSetup, setupComplete: $hasRunSetup)
                }
            )
        }
    }
    var appPathNotice: ToolbarItem<Void, AnyView> {
        let controller = ApplicationDirectoryController()
        guard !controller.isInApplicationsDirectory else {
            return ToolbarItem { AnyView(EmptyView()) }
        }
        return ToolbarItem {
            AnyView(
                Button(action: {
                    showingAppPathNotice = true
                }, label: {
                    Group {
                        Text("Secretive Is Not in Applications Folder")
                    }
                    .font(.headline)
                    .foregroundColor(.white)
                })
                .background(Color.orange)
                .cornerRadius(5)
                .popover(isPresented: $showingAppPathNotice, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
                    VStack {
                        Image(systemName: "exclamationmark.triangle")
                            .resizable()
                            .aspectRatio(contentMode: .fit)
                            .frame(width: 64)
                        Text("Secretive needs to be in your Applications folder to work properly. Please move it and relaunch.")
                            .frame(maxWidth: 300)
                    }
                    .padding()
                }
            )
        }
    }
 }
 #if DEBUG
 struct ContentView_Previews: PreviewProvider {
    private static let storeList: SecretStoreList = {
        let list = SecretStoreList()
        list.add(store: SecureEnclave.Store())
        list.add(store: SmartCard.Store())
        return list
    }()
    private static let agentStatusChecker = AgentStatusChecker()
    private static let justUpdatedChecker = JustUpdatedChecker()
    @State var hasRunSetup = false
    @State private var showingSetup = false
    @State private var showingCreation = false
    static var previews: some View {
        Group {
            // Empty on modifiable and nonmodifiable
            ContentView<PreviewUpdater, AgentStatusChecker>(showingCreation: .constant(false), runningSetup: .constant(false), hasRunSetup: .constant(true))
                .environmentObject(Preview.storeList(stores: [Preview.Store(numberOfRandomSecrets: 0)], modifiableStores: [Preview.StoreModifiable(numberOfRandomSecrets: 0)]))
                .environmentObject(PreviewUpdater())
                .environmentObject(agentStatusChecker)
            // 5 items on modifiable and nonmodifiable
            ContentView<PreviewUpdater, AgentStatusChecker>(showingCreation: .constant(false), runningSetup: .constant(false), hasRunSetup: .constant(true))
                .environmentObject(Preview.storeList(stores: [Preview.Store()], modifiableStores: [Preview.StoreModifiable()]))
                .environmentObject(PreviewUpdater())
                .environmentObject(agentStatusChecker)
        }
        .environmentObject(agentStatusChecker)
    }
 }
 #endif
--- a/Show More
+++ b/Show More
		`@ -1,3 +0,0 @@`
			`# Design`

			`The art assets for the App Icon and GitHub image are located on [Sketch Cloud](https://www.sketch.com/s/574333cd-8ceb-40e1-a6d9-189da3f1e5dd).`