Using symmetric AES to prevent passive extraction of credentials from local developer tools.
Leaving API keys in plaintext inside `localStorage` exposes them to XSS attacks and physical machine scraping.
Duplex architecture advocates encrypting the `localStorage` payload using the standard Web Crypto API; a hash is one-way and could not return the key for later use, so the operation meant here is the AES envelope. While a determined attacker with physical console access can reverse-engineer obfuscated keys, applying an AES symmetric envelope prevents passive scraper extensions from extracting raw `-sk` formatted tokens.
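A sketch of such an envelope with the Web Crypto API, added here as an example and not taken from Duplex's own code. It assumes the AES-GCM key is derived from a passphrase the user enters each session (so no key is stored beside the ciphertext); `sealToken`, `openToken` and `memoryStorage` are hypothetical names, and `memoryStorage` is a constructed stand-in for `window.localStorage`.

```javascript
// Web Crypto: globalThis.crypto in browsers and Node 19+; require() fallback covers older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Assumption: the key comes from a user passphrase via PBKDF2, never from storage.
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt `token` and store the envelope (salt, IV, ciphertext+tag) under `name`.
async function sealToken(storage, name, token, passphrase) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV for every write
  const key = await deriveKey(passphrase, salt);
  // Binding the slot name as AAD makes an envelope copied to another slot fail to open.
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(name) }, key, enc.encode(token));
  storage.setItem(name, JSON.stringify({ v: 1, salt: b64(salt), iv: b64(iv), ct: b64(ct) }));
}

// Returns the token, or null if the slot is empty, the passphrase is wrong,
// or the envelope was modified or is malformed (GCM tag check fails).
async function openToken(storage, name, passphrase) {
  const raw = storage.getItem(name);
  if (raw === null) return null;
  try {
    const { salt, iv, ct } = JSON.parse(raw);
    const key = await deriveKey(passphrase, unb64(salt));
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: unb64(iv), additionalData: enc.encode(name) }, key, unb64(ct));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => void m.set(k, String(v)) };
}
```

In a browser, pass `window.localStorage` as `storage`. Script running in the page while the token is unlocked can still read the decrypted value, so this narrows exposure to passive reads of stored data, as the text above describes.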