From f2c25da1aa0e447dd474ffcc6d0c825e7e2b5a51 Mon Sep 17 00:00:00 2001
From: "Morgan J." <me@morgan.kr>
Date: Sun, 22 Mar 2026 18:27:43 +0900
Subject: [PATCH] remove SEP backend, requires Xcode provisioning profile

---
 .DS_Store                       | Bin 0 -> 8196 bytes
 Makefile                        |  17 +------
 src/.DS_Store                   | Bin 0 -> 6148 bytes
 src/{sep => }/sep-helper.swift  |   0
 src/sep/sep-helper.entitlements |  10 ----
 src/storage/mod.rs              |  11 +----
 src/storage/sep.rs              |  84 --------------------------------
 7 files changed, 3 insertions(+), 119 deletions(-)
 create mode 100644 .DS_Store
 create mode 100644 src/.DS_Store
 rename src/{sep => }/sep-helper.swift (100%)
 delete mode 100644 src/sep/sep-helper.entitlements
 delete mode 100644 src/storage/sep.rs

diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..1a086cdd57f86ef68d12d928620668fa9491e8e9
GIT binary patch
literal 8196
zcmeHMU2GIp6u#fIlv&Hz+ZMD8E?rqcf+e(#V6prx?V=!H3EQ8gpv&&gKnJEXb!T>4
zXo%HlH24#ZMiXB|jc@+N1SL@-zM&Y6NQ{5+#Rv33AB;wyjOWgsMJV*m7{$5C-0z-y
z&zUpl%y(w?&N9Z(Q#LvnYhjG3bO_}2)Lo{Db#YwMlyIh&5M<B1v4ZUuNIG5^yF@#h
zh%yjmAj&|LfhYq}2L25hpm(-t>J0CFxf=CR2BHl7FEb#X4+%O1rb3*O7(6<t3$_4+
zVha#78gnrqOoW&UaY`bsP=hojl%@!`7?9>Pp9u9*Ax=q@<_zKH1EFVxI}`-o>HLX6
zogpPL>Z1%q8Mrh9qI_zY$4abN7{74;Zd;z;-u^k1n%Y@)v(?#Zy?R$>#2wH0dB5!S
z<V(AR)bF}>p*qeN1}$?u$LIFCj-R(2vlJLuhDj>Bhb+f%$9vqeV|amWMlPr^HJ0No
zlan2t9c_t@uCBvviOJQS?QMxwE4vOKj;ZsKE4p{&4%nlPdqf6+@FBpoX#qX*S2VU)
z>6Kq2YSM)<8O_(#Xku5@&(W^d2L|U1W%c3V{6xPw;b*KvW{x*_6xQaV>ufKX6$)pl
z=-TB`$IJ1?V%{#6?YwVpux+7Ca}8dx<l6Rj*Ry=fb#~@>lQ8NV6OuP*mOR3&f5F)=
z($5ZiZprTrJmfepd*%+499R`IO>VrbMb{xbB~!~}q_Ni;TH=eA+|<7E)^)wNZ|OVB
z8=IQv&eODEN~Ysmdo8mxFm4(C$j-c1G#$fo_6=1m&nnnvzmp#|8_^bvo#jo9&GYpI
zdbV7!?kQXTL6s-f;9Lt^b#1pn&bPUSIGe$bsiaR{lC8SFORV&kOzI6)8r-;4*ZMuW
zMxGB9+m>ru{{gz&+!L<Iw4+ng2kd;ow7C(JW~*+|^r4E(58o0_cF)uFY|$MZrBJ+Z
zZhcDE?-p*i<~_e}%yj6IPKCbHv^MOG<V$AXII%69-9)p&eWZC|w9&A9H&~>ox9Y9>
zPI0;oh7rWj+|<Z*eMd%B`5C$emQ%5a;dIv|(bZ&?Vsop55Rp8&|7b7{600Utsc=PQ
zt!x=v!_q9v_OpB0!|XZsGCR)RXCJcD>?`&i`-%O+{y-h-aWxviF&~SN#9}PL3ar68
ztVar)F@Qk~VGm5~!w4*tFph&bgh@PrBX|^#;c+~R=kWqw#7lSu$M6>3#z}mFPjLpH
z;TxR8_xJ%nE49ijrA}#3<}13gK)FF#tSnKMD&5K&Wur2v<P<|O<+Ur-%Gwpi5`yB;
zAbd_xWrg4QloK;lR(#XuId^P{Z~HG*)|U;kmae(B<$6(ItJn3M=b|KUm9H08K|uYB
z3MQa_K#6IzJxdjLU3{UIs21e(LLH!*F(*_}qI|a0PHKx)su?~@ic7U+Dpd=wlj8FD
z3YF@UD}ktW#&3>M74jM>E{}J`R1PV0YinavkGxij3$+cg7-xYHPseXlsiwI4_mllw
zc8>kXeg%l^&1gX!ZCHu5=*2c<&`<QvVi-jj*h?fA6!%a@1rxXr_Y=(@#6x%jPvR*&
zjc17JM~Uo$>aXH;yn#3I4&KEHyoXcx0H^U0J|^;iAt;aE@cT4M-#Lxag6biqE18mG
zyUsqEsTRP+%2%XRBco~&`~QtIfB(NCV~>K0G7x1zW&pM6OuC20Gd=snUOPd@9y&x5
zdQ%bu6Y7HPIAO3ICp`a$A&nEHDr{0APD!L0YXA6$fHeL1yWB79==~qP{{ub-w7lZG
FKLNDBVom@6

literal 0
HcmV?d00001

diff --git a/Makefile b/Makefile
index 97539bf..7f247af 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,4 @@
 PREFIX ?= $(HOME)/.local/bin
-IDENTITY ?= -
-TEAM_ID ?= NONE
 
 all:
 	cargo build --release
@@ -10,18 +8,8 @@ install: all
 	install -m 755 target/release/bw-agent $(PREFIX)/bw-agent
 	install -m 755 target/release/bw-proxy $(PREFIX)/bw-proxy
 
-sep:
-	@if [ "$(TEAM_ID)" = "NONE" ]; then echo "error: TEAM_ID required (make sep TEAM_ID=... IDENTITY=...)"; exit 1; fi
-	mkdir -p target/release
-	sed 's/TEAM_ID/$(TEAM_ID)/' src/sep/sep-helper.entitlements > target/release/sep-helper.entitlements
-	swiftc -O -o target/release/sep-helper src/sep/sep-helper.swift
-	codesign --force --sign "$(IDENTITY)" --entitlements target/release/sep-helper.entitlements target/release/sep-helper
-
-install-sep: sep
-	install -m 755 target/release/sep-helper $(PREFIX)/sep-helper
-
 uninstall:
-	rm -f $(PREFIX)/bw-agent $(PREFIX)/bw-proxy $(PREFIX)/sep-helper
+	rm -f $(PREFIX)/bw-agent $(PREFIX)/bw-proxy
 
 launchd:
 	mkdir -p $(HOME)/Library/LaunchAgents
@@ -48,6 +36,5 @@ systemd-unload:
 
 clean:
 	cargo clean
-	rm -f target/release/sep-helper
 
-.PHONY: all install sep install-sep uninstall launchd launchd-unload systemd systemd-unload clean
+.PHONY: all install uninstall launchd launchd-unload systemd systemd-unload clean
diff --git a/src/.DS_Store b/src/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..f354ab99ce77b10dadf05594ad67993ab159963c
GIT binary patch
literal 6148
zcmeHKO-sW-5Pe&FsCdcIWBz~!|3N76CL$C)o2IQ+Y#Y)I;w?YjH?vEz#G-hRA~R*?
zP3B`a`xdfY0B+pQu7Cu<h$=WZrTIc6FWQqqj0id%;~8_jqNZ(n)fPBL24wFNY`J4K
zF7SE(E*X8p5)1g+PjA|-mpz^E_s)!G#|jx9u;Grk^yiFbC{Qw2(!1AD8;!15)!>Qo
zH8XegH+W%3#aii_avsmwN@iw^ulX(&$6c!L4^)&KQEDZ>WoM-*E6IMis@u4#Zy7ko
zt+RJB28;n?;MWZB%oZ7)1vG067z4(@jsf{Tq*TE?Vi!<99W;6cAPyN;p)Yp{=}9Bz
z5xaoQP+VvwhE^A^7%sFkp2oU7Viz#9!|BW%C(i8R4aMo~jHg--mj^U!3>X9Z44j0=
zM9%-~!}tIFCVMgljDdf}fEyN*V$3DQv$eN4IcrnuBUMD|x`4YDI(ihdR*vFxstV(&
WIK(_+7myK({Si<a%oqcI%D@N1DMq9K

literal 0
HcmV?d00001

diff --git a/src/sep/sep-helper.swift b/src/sep-helper.swift
similarity index 100%
rename from src/sep/sep-helper.swift
rename to src/sep-helper.swift
diff --git a/src/sep/sep-helper.entitlements b/src/sep/sep-helper.entitlements
deleted file mode 100644
index 016ae8c..0000000
--- a/src/sep/sep-helper.entitlements
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>keychain-access-groups</key>
-    <array>
-        <string>TEAM_ID.com.bitwarden.agent</string>
-    </array>
-</dict>
-</plist>
diff --git a/src/storage/mod.rs b/src/storage/mod.rs
index 04b244a..21aba4a 100644
--- a/src/storage/mod.rs
+++ b/src/storage/mod.rs
@@ -1,5 +1,4 @@
 pub mod pin;
-pub mod sep;
 
 pub trait KeyStore {
     fn name(&self) -> &str;
@@ -13,15 +12,7 @@ pub trait KeyStore {
 
 pub fn get_backend(preferred: Option<&str>) -> Box<dyn KeyStore> {
     match preferred {
-        Some("pin") => Box::new(pin::PinKeyStore::new(None)),
-        Some("sep") => Box::new(sep::SEPKeyStore::new()),
-        None => {
-            let s = sep::SEPKeyStore::new();
-            if s.is_available() {
-                return Box::new(s);
-            }
-            Box::new(pin::PinKeyStore::new(None))
-        }
+        Some("pin") | None => Box::new(pin::PinKeyStore::new(None)),
         Some(other) => crate::log::fatal(&format!("unknown backend: {other}")),
     }
 }
diff --git a/src/storage/sep.rs b/src/storage/sep.rs
deleted file mode 100644
index 529d9d3..0000000
--- a/src/storage/sep.rs
+++ /dev/null
@@ -1,84 +0,0 @@
-use std::path::PathBuf;
-use std::process::Command;
-
-use base64::{engine::general_purpose::STANDARD as B64, Engine};
-
-use super::KeyStore;
-
-fn helper_path() -> PathBuf {
-    let exe = std::env::current_exe().unwrap_or_default();
-    let dir = exe.parent().unwrap_or(std::path::Path::new("."));
-    dir.join("sep-helper")
-}
-
-pub struct SEPKeyStore;
-
-impl SEPKeyStore {
-    pub fn new() -> Self {
-        Self
-    }
-}
-
-impl KeyStore for SEPKeyStore {
-    fn name(&self) -> &str {
-        "sep"
-    }
-
-    fn is_available(&self) -> bool {
-        helper_path().exists()
-    }
-
-    fn has_key(&self, uid: &str) -> bool {
-        Command::new(helper_path())
-            .args(["has", uid])
-            .output()
-            .map(|o| o.status.success())
-            .unwrap_or(false)
-    }
-
-    fn store(&self, uid: &str, data: &[u8], auth: &str) -> Result<(), String> {
-        let b64 = B64.encode(data);
-        let out = Command::new(helper_path())
-            .args(["store", uid, auth])
-            .stdin(std::process::Stdio::piped())
-            .stdout(std::process::Stdio::piped())
-            .stderr(std::process::Stdio::piped())
-            .spawn()
-            .and_then(|mut child| {
-                use std::io::Write;
-                child.stdin.take().unwrap().write_all(b64.as_bytes())?;
-                child.wait_with_output()
-            })
-            .map_err(|e| e.to_string())?;
-
-        if !out.status.success() {
-            return Err(String::from_utf8_lossy(&out.stderr).trim().to_string());
-        }
-        Ok(())
-    }
-
-    fn load(&self, uid: &str, auth: &str) -> Result<Vec<u8>, String> {
-        let out = Command::new(helper_path())
-            .args(["load", uid, auth])
-            .output()
-            .map_err(|e| e.to_string())?;
-
-        if !out.status.success() {
-            return Err(String::from_utf8_lossy(&out.stderr).trim().to_string());
-        }
-
-        let b64 = String::from_utf8_lossy(&out.stdout).trim().to_string();
-        B64.decode(&b64).map_err(|e| e.to_string())
-    }
-
-    fn remove(&self, uid: &str) {
-        Command::new(helper_path())
-            .args(["remove", uid])
-            .output()
-            .ok();
-    }
-
-    fn find_key(&self) -> Option<String> {
-        None
-    }
-}