diff --git a/hbs2-core/lib/HBS2/Net/Auth/GroupKeySymm.hs b/hbs2-core/lib/HBS2/Net/Auth/GroupKeySymm.hs
index c54625cb..e798ca8c 100644
--- a/hbs2-core/lib/HBS2/Net/Auth/GroupKeySymm.hs
+++ b/hbs2-core/lib/HBS2/Net/Auth/GroupKeySymm.hs
@@ -171,9 +171,7 @@ lookupGroupKey :: forall s .  ( ForGroupKeySymm s
 
 lookupGroupKey sk pk gk = runIdentity $ runMaybeT do
   (EncryptedBox bs) <- MaybeT $ pure $ HashMap.lookup pk (recipients gk)
-  -- error  "FOUND SHIT!"
   gkBs <- MaybeT $ pure $ AK.boxSealOpen pk sk bs
-  -- error $ "DECRYPTED SHIT!"
   MaybeT $ pure $ deserialiseOrFail (LBS.fromStrict gkBs) & either (const Nothing) Just
 
 
diff --git a/hbs2-keyman/src/HBS2/KeyMan/Keys/Direct.hs b/hbs2-keyman/src/HBS2/KeyMan/Keys/Direct.hs
index 4690249b..c06d6a1a 100644
--- a/hbs2-keyman/src/HBS2/KeyMan/Keys/Direct.hs
+++ b/hbs2-keyman/src/HBS2/KeyMan/Keys/Direct.hs
@@ -23,6 +23,7 @@ import Control.Monad.Trans.Maybe
 import Data.List qualified as List
 import Data.ByteString qualified as BS
 import Data.Ord
+import Streaming.Prelude qualified as S
 
 data KeyManClientError = KeyManClientSomeError
 
@@ -113,9 +114,11 @@ extractGroupKeySecret :: MonadIO m
                       => GroupKey 'Symm 'HBS2Basic
                       -> KeyManClient m (Maybe GroupSecret)
 extractGroupKeySecret gk = do
-  runMaybeT do
-    s <- forM (HM.toList $ recipients gk) $ \(pk,box) -> do
-      KeyringEntry pk sk _ <- MaybeT $ loadKeyRingEntry pk
-      MaybeT $ pure (Symm.lookupGroupKey sk pk gk)
-    MaybeT $ pure $ headMay s
+    r <- S.toList_ do
+          forM_ (HM.toList $ recipients gk) $ \(pk,box) -> runMaybeT do
+            (KeyringEntry ppk ssk _) <- MaybeT $ lift $ loadKeyRingEntry pk
+            let s = Symm.lookupGroupKey @'HBS2Basic ssk ppk gk
+            for_ s $ lift . S.yield
+
+    pure $ headMay r