Building a time capsule for the thought that returns when you have stopped waiting for it.
I'm on a mission to make sure the most alive thought you've ever had doesn't die in the dark.
Before anything else — what is cited in this article
Everything referenced below that is not direct experience building Cendre.Studio is listed here first. If something is not on this list, it is either general knowledge or my own observation. If you dispute a fact, the checklist is where to start.
Sources used:
- [ ] OWASP Password Storage Cheat Sheet (2023) — PBKDF2 iteration count
- [ ] NIST FIPS 203 — ML-KEM (formerly CRYSTALS-Kyber) standardisation
- [ ] Supabase documentation — pgvector extension availability
- [ ] drand.love — tlock time-lock encryption documentation
- [ ] DoD 5220.22-M — National Industrial Security Program Operating Manual, data sanitisation standard
- [ ] Yann LeCun — "A Path Towards Autonomous Machine Intelligence" (2022, Meta AI)
- [ ] Grover's algorithm — quantum search, effect on symmetric key security
Facts I am less than certain about — flagged inline with ⚑:
- [ ] ⚑ Grover's algorithm reduces AES-256 to 128-bit effective security — directionally correct, verify the exact framing
- [ ] ⚑ drand BLS signatures described as quantum-resistant — verify current drand documentation on this claim
- [ ] ⚑ 310,000 as the OWASP 2023 PBKDF2-HMAC-SHA256 minimum — confirm against current cheat sheet, this number moves
The ember that looks like ash
There is a thought that arrives at 3am. It does not knock. It is simply there — specific, complete, already retreating. You do not write it down. You let it go. This is correct.
The thought that matters is not lost by letting go. It is only changed by it.
It comes back not when you call for it — you cannot call it, any more than you can call a particular quality of winter light — but in the middle of something ordinary, on a Tuesday, wearing nothing dramatic. Six months older. Carrying something it did not have the first time it crossed your mind. The forgetting was not failure. The forgetting was the ember going grey on the surface while something stayed warm underneath.
This is what Cendre.Studio is built for. Not capture — return. Not the fear of losing — the moment of finding, from the other side.
The distance between the moment of the thought and the moment of reading it is where the meaning assembles itself. We do not understand what we thought at 3am. We understand it when we find it waiting, and we have become someone different enough to read it truly.
We should lose our thoughts. We will. And then we will remember. Cendre is for that second moment — looking back in time at the person who thought it first.
The problem with every other tool
The tools we have were built for the things we need to do. GTD. Notion. Obsidian. Roam. They assume the thought is a task, a note, a unit of knowledge to be sorted and retrieved. None of them assume it is a dream.
None of them ask: what if some things need to be sealed before they can be truly known?
And none of them are built for the rawness of the material. A dream does not arrive in clean sentences. It arrives in slur and fragment, in phonetic approximation, in the half-language of nearly-asleep. It arrives in the voice of someone who said something they should not have said, and you need to keep it somewhere that is not your own chest.
Most tools correct this. Cendre does not correct anything. Cendre receives the jagged edge and keeps it exactly that sharp.
The architecture
The capsule
The unit of Cendre is not a note. It is a capsule — a sealed container with a lock, a date, and a dark interior that no one reads until the time is right. You make it. You close it. You choose when it opens: a week, a year, five years, or never unless you choose the other thing.
The burning.
Once sealed, the capsule disappears from view. It exists in the vault but cannot be read — not by you, not by anyone — until its date. This is not a trick of the interface. The content is encrypted at the moment of sealing. The capsule is genuinely dark until the hour it was always meant for.
The vault
// Seal sequence
1. Content encrypted with AES-256-GCM
// Key derived from password via Argon2id
// 64MB memory, 3 iterations, parallelism 4
2. Encryption key time-locked via tlock
// drand threshold encryption
// Key undriveable before lock_timestamp
// ⚑ drand BLS described as quantum-resistant — verify
3. Sealed capsule stored in Supabase
// Only ciphertext server-side
// Server never reads. Ever.
4. Burn token generated separately
// One-way destruction
// Held only by you, never by the server
Against the quantum future
AES-256 is currently secure. Quantum computers running Grover's algorithm reduce its effective key length — ⚑ the standard framing is that 256-bit symmetric keys are reduced to approximately 128-bit effective security under Grover, which remains strong but narrows the margin when sealing something for five years.
If you are sealing a thought until 2031, you are betting on the cryptographic landscape of 2031. Cendre is not willing to make that bet with something this private.
What is used instead:
ML-KEM (formerly CRYSTALS-Kyber) — standardised as FIPS 203 by NIST in 2024 — for key encapsulation. A lattice-based scheme designed to resist both classical and quantum attack. The capsule content is encrypted with AES-256-GCM. The AES key is wrapped with ML-KEM. The time-lock uses drand's threshold BLS signatures.
In practice: a sufficiently powerful quantum computer, if it existed today, could not read a sealed capsule.
The honest moment
Here is what most product articles omit because it is embarrassing and essential.
The manifesto claimed encryption. The capsules table stored title, story_text, echo_reference as plain text. No encryption. The map was not the territory.
Three options were on the table:
| Option | Strength | Tradeoff |
|---|---|---|
pgcrypto column encryption |
DB admin can still decrypt | Transparent to app |
| Client-side encryption | Server never reads | Search impossible |
| Soften the wording | Ship fast | Dishonest |
The answer was client-side encryption. The hardest option. And then the idea that turned the constraint into a discovery.
The image is the key
The problem with client-side encryption has always been search. If the text is encrypted before the server sees it, the server cannot search it. Homomorphic encryption, searchable symmetric encryption, ORAM — every solution trades one kind of exposure for another, or performs so slowly it is effectively useless at this scale.
Cendre does not search the text. Cendre searches the shape of the text.
When a capsule is created, before the text is encrypted, an image is generated from it. Not an illustration. An abstract visual fingerprint — the semantic content of the thought translated into geometry that can be searched without being read. Generated in the browser, before anything leaves the device.
The image is the key. Not a key that unlocks — a key that finds. The encrypted text stays dark. The image holds its shape in the light.
The image lives in Supabase unencrypted, alongside the ciphertext it cannot read. When you search your archive, you are not searching language. You are searching geometry. The model compares visual embeddings via pgvector — ⚑ pgvector is available as a Supabase extension, confirm current availability and performance characteristics. It finds the capsule whose image is nearest to what you are reaching for. The ciphertext is retrieved. The browser decrypts it. You read what you wrote at 3am, six months ago, in a state you have since forgotten how to reach.
// Image-as-key architecture
1. Text captured in browser
// Raw, unfiltered, exactly as it arrived
2. Image fingerprint generated from text
// Abstract visual — not literal
// Semantic content encoded as geometry
// Generated client-side before encryption
3. Text encrypted with AES-256-GCM
// Client-side only — server never reads
4. Supabase receives:
ciphertext // unreadable — forever
image_key // searchable — says nothing
created_at // the only plain metadata
lock_date // when it opens
5. Search:
// Filter by date/year — or
// Submit query → generate query image
// Compare embeddings via pgvector
// Return closest → decrypt in browser
Filtering works on two axes only: date and year. Those are the only fields stored as plain text. If you remember the season — that winter, the week before the conversation, the night it rained for six hours — you can narrow the window. Everything else is geometry.
Why this matters beyond Cendre
The image-as-key pattern is a general answer to the search problem in any client-side encrypted database. Applicable wherever the content is too intimate for server-side search, too large to download and decrypt wholesale.
Visual embeddings as search proxies for ciphertext. The shape of meaning without the meaning itself. Search without exposure. Retrieval without reading.
PBKDF2 and the backup that survives everything
The key derivation is built on PBKDF2. The password is never stored. Never sent. It is stretched and salted and iterated — ⚑ 310,000 iterations for PBKDF2-HMAC-SHA256 per OWASP 2023, verify this number against current guidance as it is revised upward periodically — into an encryption key that exists only in the browser for the duration of a session. When the tab closes, the key ceases to exist.
const salt = crypto.getRandomValues(new Uint8Array(16))
const keyMaterial = await crypto.subtle.importKey(
"raw",
new TextEncoder().encode(password),
"PBKDF2",
false,
["deriveKey"]
)
const encryptionKey = await crypto.subtle.deriveKey(
{
name: "PBKDF2",
salt,
iterations: 310000, // ⚑ verify against current OWASP
hash: "SHA-256"
},
keyMaterial,
{ name: "AES-GCM", length: 256 },
false,
["encrypt", "decrypt"]
)
// The key never leaves the browser.
// The server receives only ciphertext + salt + iv.
// Without the password, the ciphertext is noise.
Client-side encryption has one catastrophic failure: the forgotten password. No reset. No recovery. The ciphertext is noise without the key and the key is derived from what you know and if you no longer know it, the thought is gone.
This is the correct design. It is also the design that asks something of you.
The encrypted backup is the insurance. At creation, a portable JSON file is generated containing the ciphertext, salt, IV, and image fingerprint. Sent wherever you choose to keep it. A private email. A USB drive in a box in a drawer. The backup requires the same password. It exists outside the database. It is yours, physically, in the world.
// cendre_backup.json structure
{
"version": "1.0",
"created_at": "2026-03-15T03:14:00Z",
"salt": "<base64>",
"iv": "<base64>",
"ciphertext": "<base64>",
"image_fingerprint": "<base64>",
"lock_date": "2027-03-15T00:00:00Z"
}
// Nothing that identifies you.
// No plaintext.
// Tells a stranger nothing.
// Tells you everything, if you still hold the password.
The image that survives everything
If the database is lost — company folds, servers go dark, bill unpaid too long — the ciphertext is gone. The backup may be gone. The text, in the worst case, has returned to silence.
But the image fingerprints survive.
They were always stored separately, always treated as search indexes rather than content, always on a different tier with different retention. And an archive of image fingerprints without their ciphertext is not a broken archive.
The data might be gone. The images will stay. And the images were always the truer record — the shape of the thought, not the words it arrived in.
An impressionist archive. You can search it. You can feel what was there. You can see the shape of your own mind across years — the clusters and distances, the warm periods and the cold — without reading a single word that was written. The meaning without the text. The state without the description.
From hashtags to image tags to world models
There is a larger argument inside the image-as-key architecture.
We organised the early internet with words. Then hashtags — words stripped of grammar, reduced to signal. #dream. #3am. The hashtag was the admission that language was already failing us at scale. A word had to be made smaller and bolder to carry the weight of a world.
Then the image. Not illustrating the text — replacing it. A mood board is not a list of words. It is a world you can feel before you can name it.
We are moving from a world indexed by words to a world indexed by worlds. The image-as-key is one small proof.
And then: Yann LeCun — ⚑ citing "A Path Towards Autonomous Machine Intelligence", Meta AI, 2022, listed above — arguing that language was never sufficient. Words are a lossy compression of reality. They describe the surface. A model that learns only from text learns a shadow of the world, not the world.
World Models predict states, not tokens.
A token is a symbol pointing at a thing. A state is the thing — the position of objects, the temperature of a room, the specific quality of a thought at 3am that is different from the same thought at noon.
What Cendre does — translating text into a visual embedding before encrypting it — is a small practical instance of this movement. The word says something. The image holds something. They are not the same thing. The image is closer to the state.
| Era | Index type | What it captures |
|---|---|---|
| Keyword | Word | Category |
| Hashtag | Compressed word | Signal |
| Image tag | Visual | Texture, mood, the almost-said |
| World model | State | The configuration of experience itself |
Cendre is somewhere between image tag and world model. The visual fingerprint of a thought is not the thought. It is closer than a keyword. It is further than the state LeCun is describing. It is an intermediate form — the best available translation between the word you wrote and the state you were in when you wrote it.
The hashtag said: here is a word for this. The image said: here is a shape for this. The world model will say: here is the state of being in which this happened. We are moving in one direction. Cendre is somewhere on that line.
The burning
Destruction is not deletion. Deletion is a polite fiction — the row is flagged, the data hibernates in backups and logs. Deletion says: gone. It means: hidden.
Destruction means gone.
When you burn a capsule: the burn token is submitted, the ciphertext is overwritten three times with random bytes under DoD 5220.22-M — ⚑ listed above, verify this is the correct standard to cite for software-based overwriting, some argue it is superseded for solid-state storage — the record is deleted, a cryptographic proof of destruction is generated and returned to you. The proof confirms the fact of destruction without revealing what was destroyed.
You cannot undo it. Neither can we.
Some stories no longer serve you. The right to destroy them is as important as the right to keep them.
An archive without a burn is a prison with tasteful lighting.
What Cendre accepts
Voice transcription. Raw text. The words that come out slurred from half-sleep. Invented words. Phonetic approximations. Code-switching between languages. Sentences that start and do not end. The fragment that is complete in itself and would be ruined by completion.
The imperfection is the material.
What is built
| Feature | Description |
|---|---|
| Time-locked capsules | Cryptographically enforced — nothing opens early |
| ML-KEM encryption | Quantum-resistant key encapsulation |
| Image-as-key search | Visual fingerprint search via pgvector |
| PBKDF2 key derivation | Password never stored, never sent |
| Encrypted backup | Portable JSON, yours physically |
| Permanent burn | DoD 5220.22-M overwrite, cryptographic proof |
| View-Master theme reel | Seven moods, rotated before capture |
| Voice + raw text | Everything accepted unfiltered |
| PWA | Installs on home screen, works offline |
The aesthetic
Cendre is built in the visual language of Alexander Calder. Thin black lines — 1px, the weight of wire. Three colors used with the precision of a sculptor deciding where to hang weight: red, deep blue, the warm brown of something that was once fire. Negative space not as absence but as material.
The interface passes one test: if you removed all the text and showed only the lines, shapes, and colors, it should look like a Calder drawing. If it still looks like a startup, the pass is incomplete.
A tool for the imagination should look like where the imagination lives — suspended, always slightly in motion, held by something invisible that you have learned to trust.
What comes next
Shared capsules — sealed between two people, openable only when both agree. A capsule written for someone else: locked until a date you both choose, readable only when you both decide. An archive that grows across years into something that looks less like a database and more like a life.
And eventually: the physical object. A QR code printed and placed in an envelope in a drawer. Scanned in ten years. The digital content still present, waiting exactly where it was left.
What remains, after the fire.
Ce qui reste, après le feu.
Built with: React · Supabase · PBKDF2 · AES-256-GCM · ML-KEM · pgvector · tlock · Framer Motion · Calder
Tags: #webdev #security #showdev #imagination #pwa #encryption #ux #quantumcomputing #creativity #opensource
Top comments (0)