With v0.2.9 you can successfully "metadata destroy --protector X" even though the protector is currently in use with a policy, and it then becomes impossible to remove-protector-from-policy because "protector metadata for X not found on filesystem Y".

Arguably, either the destroy should be forbidden OR all uses of the protector should be removed at the same point.

And a small bugette: if you attempt to unlock a directory which is using a policy which is "protected" by such a non-existent protector (in addition to one or more real, existing protectors) then you get a printf output with uninstantiated %placeholders:

The available protectors are:
1 - login protector for someuser
2 - custom protector "newprot"
NOTE: %d of the %d protectors failed to load. You may need to mount a linked filesystem. Run
with --verbose for more information.Enter the number of protector to use:

Other than this... great work! Thanks :)