diff --git a/pkgs/clan-cli/clan_cli/secrets/groups.py b/pkgs/clan-cli/clan_cli/secrets/groups.py
index 07c9c86..2d13614 100644
--- a/pkgs/clan-cli/clan_cli/secrets/groups.py
+++ b/pkgs/clan-cli/clan_cli/secrets/groups.py
@@ -31,7 +31,7 @@ class Group:
 
 
 def list_groups() -> list[Group]:
-    groups = []
+    groups: list[Group] = []
     folder = sops_groups_folder()
     if not folder.exists():
         return groups
@@ -111,38 +111,56 @@ def remove_member(group_folder: Path, name: str) -> None:
         os.rmdir(group_folder.parent)
 
 
+def add_user(group: str, name: str) -> None:
+    add_member(users_folder(group), sops_users_folder(), name)
+
+
 def add_user_command(args: argparse.Namespace) -> None:
-    add_member(users_folder(args.group), sops_users_folder(), args.user)
+    add_user(args.group, args.user)
+
+
+def remove_user(group: str, name: str) -> None:
+    remove_member(users_folder(group), name)
 
 
 def remove_user_command(args: argparse.Namespace) -> None:
-    remove_member(users_folder(args.group), args.user)
+    remove_user(args.group, args.user)
+
+
+def add_machine(group: str, name: str) -> None:
+    add_member(machines_folder(group), sops_machines_folder(), name)
 
 
 def add_machine_command(args: argparse.Namespace) -> None:
-    add_member(
-        machines_folder(args.group),
-        sops_machines_folder(),
-        args.machine,
-    )
+    add_machine(args.group, args.machine)
+
+
+def remove_machine(group: str, name: str) -> None:
+    remove_member(machines_folder(group), name)
 
 
 def remove_machine_command(args: argparse.Namespace) -> None:
-    remove_member(machines_folder(args.group), args.machine)
+    remove_machine(args.group, args.machine)
 
 
 def add_group_argument(parser: argparse.ArgumentParser) -> None:
     parser.add_argument("group", help="the name of the secret", type=group_name_type)
 
 
+def add_secret(group: str, name: str) -> None:
+    secrets.allow_member(secrets.groups_folder(name), sops_groups_folder(), group)
+
+
 def add_secret_command(args: argparse.Namespace) -> None:
-    secrets.allow_member(
-        secrets.groups_folder(args.secret), sops_groups_folder(), args.group
-    )
+    add_secret(args.group, args.secret)
+
+
+def remove_secret(group: str, name: str) -> None:
+    secrets.disallow_member(secrets.groups_folder(name), group)
 
 
 def remove_secret_command(args: argparse.Namespace) -> None:
-    secrets.disallow_member(secrets.groups_folder(args.secret), args.group)
+    remove_secret(args.group, args.secret)
 
 
 def register_groups_parser(parser: argparse.ArgumentParser) -> None: