After shipping v0.1.0 I did what most developers do after a release — I opened my own app and started poking around.

The values were ciphertext. Good. But the keys were sitting right there in plain English. `auth_state`. `cart_items`. `pending_payment`. Anyone who opened DevTools knew exactly what I was keeping track of, even if they couldn't read the contents.

That shouldn't have bothered me as much as it did. But I couldn't let it go. So I kept going.

## Your keys now mean nothing to anyone but you

tessera now runs every key name through HMAC-SHA-256 before it touches storage. What you call `cart_items`, tessera stores as `t_3a9f7c2e`. Close DevTools, reopen it, and all you see is:

```
t_3a9f7c2e → <ciphertext>
t_b2d4f110 → <ciphertext>
t_03e8a5cc → <ciphertext>
```

The mapping only exists in memory, derived from your passcode. Lock the vault — it's gone.

## Some of those entries are fake

Here's the thing I'm most pleased with: not all of those entries are real.…
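
The key-name hashing described earlier in this post, as an added example that is not tessera's own code. It assumes PBKDF2 for deriving the naming key from the passcode, truncation of the HMAC-SHA-256 output to 8 hex characters to match the `t_xxxxxxxx` shape, Node's `crypto` module, and hypothetical helper names (`deriveNamingKey`, `storageName`, `openVault`).

```javascript
// Added example, not tessera's code. Assumed: the PBKDF2 parameters, the salt,
// the helper names, and truncating the HMAC to 8 hex chars (t_xxxxxxxx shape).
const { createHmac, pbkdf2Sync } = require('node:crypto');

// Constructed demo salt. A salt is not secret and can sit in storage in the clear.
const DEMO_SALT = Buffer.from('constructed-demo-salt', 'utf8');

// Stretch the passcode into a 32-byte key used only for naming.
function deriveNamingKey(passcode, salt, iterations = 600000) {
  return pbkdf2Sync(passcode, salt, iterations, 32, 'sha256');
}

// Logical key name -> opaque storage name. Without the key, the stored name
// cannot be confirmed against a guessed list such as "cart_items".
function storageName(namingKey, logicalName) {
  const tag = createHmac('sha256', namingKey).update(logicalName, 'utf8').digest('hex');
  return 't_' + tag.slice(0, 8);
}

// The derived key and the name mapping live only in this closure.
function openVault(passcode, salt) {
  let key = deriveNamingKey(passcode, salt);
  let seen = new Map(); // storage name -> logical name
  return {
    nameFor(logicalName) {
      if (!key) throw new Error('vault is locked');
      const stored = storageName(key, logicalName);
      const prior = seen.get(stored);
      // Only 32 bits survive truncation, so two names can collide.
      // Refuse instead of silently overwriting another entry.
      if (prior !== undefined && prior !== logicalName) {
        throw new Error('storage name collision on ' + stored);
      }
      seen.set(stored, logicalName);
      return stored;
    },
    lock() {
      if (key) key.fill(0); // best-effort wipe of the derived key
      key = null;
      seen = null;
    },
  };
}
```

In a browser the same two primitives are available asynchronously through WebCrypto (`crypto.subtle`), with PBKDF2 for derivation and HMAC for the name tag.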