diff --git a/.hadolint.yml b/.hadolint.yml
new file mode 100644
index 0000000..f9f7dc2
--- /dev/null
+++ b/.hadolint.yml
@@ -0,0 +1,8 @@
+ignored:
+  # "Multiple consecutive `RUN` instructions. Consider consolidation."
+  # We've learned to love the layer cache. Considered and disregarded.
+  - DL3059
+
+trustedRegistries:
+  - docker.io
+  - ghcr.io
diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 0000000..e2195b9
--- /dev/null
+++ b/.vscode/launch.json
@@ -0,0 +1,17 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Debug Go running inside Lambda container",
+      "type": "go",
+      "request": "attach",
+      "mode": "remote",
+      "port": 42424,
+      "host": "localhost",
+      "showLog": true
+    }
+  ]
+}
diff --git a/Makefile b/Makefile
index 3d32eac..0f54ef8 100644
--- a/Makefile
+++ b/Makefile
@@ -184,7 +184,7 @@ build: tidy
 ## build-lambda: [build]* Builds the Lambda function with current ARCH for local development.
 build-lambda: tidy
 	@ $(HEADER) "=====> Building Lambda function..."
-	CGO_ENABLED=0 GOOS=linux $(GO) build -a -trimpath -ldflags="-s -w" -tags lambda.norpc -o localdev/var-runtime/bootstrap .
+	CGO_ENABLED=0 GOOS=linux $(GO) build -gcflags="all=-N -l" -tags lambda.norpc -o localdev/var-runtime/bootstrap .
 
 .PHONY: build-lambda-prod
 ## build-lambda-prod: [build]* Builds the Lambda function for deployment.
diff --git a/cmd/http.go b/cmd/http.go
index 238fb74..f910818 100644
--- a/cmd/http.go
+++ b/cmd/http.go
@@ -96,9 +96,9 @@ var httpCmd = &cobra.Command{
 		}
 
 		t := NewTable("HTTP Version", "Supported")
-		t.Row("1.1", displayBool(result.HTTP11))
-		t.Row("2", displayBool(result.HTTP2))
-		t.Row("3", displayBool(result.HTTP3))
+		t.Row("1.1", displayBool(result.HTTP11, fEmoji))
+		t.Row("2", displayBool(result.HTTP2, fEmoji))
+		t.Row("3", displayBool(result.HTTP3, fEmoji))
 
 		fmt.Println(t.Render())
 	},
diff --git a/cmd/root.go b/cmd/root.go
index a1c7864..394a069 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -31,6 +31,7 @@ var (
 
 	fJSON    bool
 	fQuiet   bool
+	fEmoji   bool
 	fVerbose int
 	fTimeout int
 
@@ -63,7 +64,18 @@ var (
 
 func init() {
 	rootCmd.PersistentFlags().BoolVarP(
-		&fJSON, "json", "j", false, "Output as JSON.",
+		&fEmoji,
+		"emoji",
+		"E",
+		parseFlagAsBool("DST_OUTPUT_EMOJI"),
+		"(DST_OUTPUT_EMOJI) Use emoji in tabular output for boolean values.",
+	)
+	rootCmd.PersistentFlags().BoolVarP(
+		&fJSON,
+		"json",
+		"j",
+		parseFlagAsBool("DST_OUTPUT_JSON"),
+		"(DST_OUTPUT_JSON) Output as JSON.",
 	)
 	rootCmd.PersistentFlags().BoolVarP(
 		&fQuiet, "quiet", "q", false, "Disable all logging output.",
diff --git a/cmd/tls.go b/cmd/tls.go
index c655f71..8985e90 100644
--- a/cmd/tls.go
+++ b/cmd/tls.go
@@ -86,7 +86,7 @@ var tlsCmd = &cobra.Command{
 			os.Exit(0)
 		}
 
-		t := NewTable("TLS Version", "Cipher Suites", "Strength")
+		t := NewTable("TLS Version", "Cipher Suites", "Strength", "PFS", "AEAD")
 
 		for i := range result.TLSConnections {
 			tlsConnection := result.TLSConnections[i]
@@ -94,17 +94,35 @@ var tlsCmd = &cobra.Command{
 			for j := range tlsConnection.CipherSuites {
 				cipher := tlsConnection.CipherSuites[j]
 
-				if tlsConnection.Version == "TLS v1.3" {
-					cipher.IANAName = "(Standardized 1.3 suites)"
-				}
+				// if tlsConnection.VersionID == httptls.VersionTLS13 {
+				// 	cipher.IANAName = "(Standardized 1.3 suites)"
+				// }
 
 				if j == 0 && i == 0 {
-					t.Row(tlsConnection.Version, cipher.IANAName, cipher.Strength)
+					t.Row(
+						tlsConnection.Version,
+						cipher.IANAName,
+						cipher.Strength,
+						displayBool(cipher.IsPFS, fEmoji),
+						displayBool(cipher.IsAEAD, fEmoji),
+					)
 				} else if j == 0 {
 					t.Row("", "", "")
-					t.Row(tlsConnection.Version, cipher.IANAName, cipher.Strength)
+					t.Row(
+						tlsConnection.Version,
+						cipher.IANAName,
+						cipher.Strength,
+						displayBool(cipher.IsPFS, fEmoji),
+						displayBool(cipher.IsAEAD, fEmoji),
+					)
 				} else {
-					t.Row("", cipher.IANAName, cipher.Strength)
+					t.Row(
+						"",
+						cipher.IANAName,
+						cipher.Strength,
+						displayBool(cipher.IsPFS, fEmoji),
+						displayBool(cipher.IsAEAD, fEmoji),
+					)
 				}
 			}
 		}
diff --git a/cmd/utils.go b/cmd/utils.go
index f6adac9..cf82933 100644
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -110,10 +110,26 @@ func NewTable(headers ...string) *table.Table {
 		Headers(headers...)
 }
 
-func displayBool(b bool) string {
+func displayBool(b, useEmoji bool) string {
+	yes := "YES"
+	no := "NO"
+
+	if useEmoji {
+		yes = "✅"
+		no = "❌"
+	}
+
 	if b {
-		return "YES"
+		return yes
+	}
+
+	return no
+}
+
+func parseFlagAsBool(env string) bool {
+	if os.Getenv(env) == "true" {
+		return true
 	}
 
-	return "NO"
+	return false
 }
diff --git a/docs/localdev.md b/docs/localdev.md
index a7d5787..73c9a8d 100644
--- a/docs/localdev.md
+++ b/docs/localdev.md
@@ -2,34 +2,62 @@
 
 ## Prerequisites
 
-* [Docker Desktop](https://docker.com/desktop)
+* A *nix environment (e.g., Linux, macOS)
+* [Docker Desktop]
+  * [Recommended settings](https://github.com/northwood-labs/macos-for-development/wiki/Docker-Desktop#recommended-settings)
+* [Bash] 5.x shell
+  * [Recommended settings](https://github.com/skyzyx/bash-mac/blob/master/RECOMMENDED_SETTINGS.md)
+* [Go]
+* [Hugo]
+* [Homebrew] (macOS)
+  * `export HOMEBREW_CASK_OPTS="--no-quarantine"`
 * An HTTP client (Recommendations:)
   * [RapidAPI](https://paw.cloud) (formerly _Paw_)
   * [Insomnia](https://insomnia.rest)
 
+### Platform notes
+
+* **macOS** — Set up your environment with [Homebrew] as documented, which will include the [Xcode CLI Tools].
+* **Linux** — Install your platform's standard developer tools. This is different for different families of Linux distributions.
+* **Windows** — Run Linux via [Windows Subsystem for Linux v2][WSL2] (WSL2).
+
+## Exposed ports
+
+When running as a Lambda function for local development, Docker exposes certain ports on your host machine.
+
+| Port    | Description                                                                                                                 |
+|---------|-----------------------------------------------------------------------------------------------------------------------------|
+| `1313`  | Localhost endpoint for the website ([Hugo]). Returns HTML.                                                                  |
+| `6379`  | [Valkey] cache server. Redis 7.2-compatible.                                                                                |
+| `8080`  | Localhost endpoint for the local Lambda service that works the way real Lambda will work. (Compatible with documented API.) |
+| `9000`  | Direct local Lambda function interface (low-level [RIE] interface for protocol debugging).                                  |
+| `42424` | [Delve] debugging protocol for Go.                                                                                          |
+
 ## Start backend services
 
-First, login to `ghcr.io`.
+1. [Generate a new _Personal Access Token_](https://github.com/settings/tokens/new?description=DevSecTools%20localdev&scopes=read:packages&default_expires_at=90), with `read:packages` scope. Save it to your password manager.
 
-```bash
-echo -n "${GHCR_TOKEN}" | docker login ghcr.io -u "${GHCR_USER}" --password-stdin
-```
+1. Then, login to `ghcr.io`. This token is represented by `GHCR_TOKEN`. Your GitHub username is represented by `GHCR_USER`.
 
-The local versions of backend services run as containers. From the root of the repository:
+    ```bash
+    echo -n "${GHCR_TOKEN}" | docker login ghcr.io -u "${GHCR_USER}" --password-stdin
+    ```
 
-```bash
-make build-lambda
-cd localdev
-docker compose up
-```
+1. The local versions of backend services run as containers. From the root of the repository:
 
-The very first time you run `docker compose up`, the Docker images will need to build. Subsequent runs will leverage the cached completed image.
+    ```bash
+    make build-lambda
+    cd localdev
+    docker compose up
+    ```
 
-When you are done, terminate the containers.
+    The very first time you run `docker compose up`, the Docker images will need to build. Subsequent runs will leverage the cached completed image. Any time the `Dockerfile` or `docker-compose.yml` are changed, it is a good idea to explicitly run `docker compose up --build`.
 
-```bash
-docker compose down
-```
+1. When you are done, terminate the containers.
+
+    ```bash
+    docker compose down
+    ```
 
 Operating Docker Desktop and Docker Compose is outside the scope of these instructions, but you can read the documentation for yourself.
 
@@ -88,11 +116,11 @@ For local testing, the CLI exposes a very simple HTTP/1.1 server at <http://loca
 devsec-tools serve
 ```
 
-Re-read _Lambda server_ (above) to get a better understanding of how this works, but think of it like a reverse-proxy to your Lambda environment.
+Re-read _Lambda server_ (above) to get a better understanding of how this works, but think of it like a reverse-proxy to your Lambda environment. This is the endpoint that you, the developer, make requests to.
 
 ## Endpoints
 
-When launching the local web server, it will tell you which HTTP methods and endpoints are available. It exposes both `GET` and `POST`, as appropriate.
+When launching the local web server, it will tell you which HTTP methods and endpoints are available. It exposes both `GET` and `POST` HTTP methods.
 
 ### GET
 
@@ -115,4 +143,28 @@ Content-Type: application/json; charset=utf-8
 {"url":"https://apple.com"}
 ```
 
+## Start frontend services
+
+All of this exists in the [devsec-ui](https://github.com/northwood-labs/devsec-ui) repository. See that project for further instructions.
+
+## Delve: Go debugger (:42424)
+
+You may find that you need to run your debugger against the compiled Lambda function code running inside of our Docker container. If you followed the instructions above, then it should all be setup and ready to go for you.
+
+* The Lambda function has been compiled with debugging data.
+* The Docker container has been built with a copy of `dlv`.
+* The Docker Compose definition has been configured to expose the port to the host.
+* If you use [VS Code], we have the debugger definitions stored in this repository.
+* There are [Delve integrations for other IDEs](https://github.com/go-delve/delve/blob/master/Documentation/EditorIntegration.md) and tools as well.
+
+[Bash]: https://github.com/skyzyx/bash-mac
+[Delve]: https://github.com/go-delve/delve
+[Docker Desktop]: https://docker.com/desktop
+[Go]: https://go.dev
+[Homebrew]: https://github.com/northwood-labs/macos-for-development/wiki
+[Hugo]: https://gohugo.io
+[RIE]: https://github.com/aws/aws-lambda-runtime-interface-emulator
 [Valkey]: https://valkey.io
+[VS Code]: https://github.com/northwood-labs/macos-for-development/wiki/VS-Code
+[WSL2]: https://learn.microsoft.com/en-us/windows/wsl/install
+[Xcode CLI Tools]: https://github.com/northwood-labs/macos-for-development/wiki/Installing-the-Xcode-CLI-Tools
diff --git a/localdev/Dockerfile-lambda b/localdev/Dockerfile-lambda
index 0024d99..3d06de2 100644
--- a/localdev/Dockerfile-lambda
+++ b/localdev/Dockerfile-lambda
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1
 FROM golang:1-alpine AS go-installer
 
+# Download the AWS Lambda Runtime Interface Emulator
 RUN go install github.com/northwood-labs/download-asset@latest
 RUN --mount=type=secret,id=github_token \
     GITHUB_TOKEN="$(cat /run/secrets/github_token)" \
@@ -15,6 +16,9 @@ RUN --mount=type=secret,id=github_token \
 
 RUN mv /usr/local/bin/aws-lambda-rie* /usr/local/bin/aws-lambda-rie
 
+# Build Delve for debugging
+RUN go install -ldflags "-s -w -extldflags '-static'" github.com/go-delve/delve/cmd/dlv@latest
+
 #-------------------------------------------------------------------------------
 
 # syntax=docker/dockerfile:1
@@ -23,8 +27,11 @@ FROM ghcr.io/northwood-labs/lambda-provided-al2023@sha256:2b947c7c1e18392ce6b1b3
 # docker images --digests ghcr.io/northwood-labs/lambda-provided-al2023 --format '{{ .Digest }}'
 
 COPY --from=go-installer /usr/local/bin/aws-lambda-rie /usr/local/bin/aws-lambda-rie
+COPY --from=go-installer /go/bin/dlv /dlv
 COPY lambda-entrypoint.sh /entrypoint.sh
 
 RUN chmod 0755 /usr/local/bin/aws-lambda-rie /entrypoint.sh
 
+EXPOSE 42424
+
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/localdev/README.md b/localdev/README.md
new file mode 100644
index 0000000..676c98a
--- /dev/null
+++ b/localdev/README.md
@@ -0,0 +1 @@
+See docs/localdev.md for instructions.
diff --git a/localdev/compose.yml b/localdev/compose.yml
index 6865ad2..a94194b 100644
--- a/localdev/compose.yml
+++ b/localdev/compose.yml
@@ -1,68 +1,113 @@
 ---
 services:
   lambda:
+    # Name of the container when it is running.
     container_name: localdev-lambda
+
+    # Instructions which tell BuildKit how to build the image, passing secrets
+    # SECURELY to the Dockerfile.
     build:
       context: .
       dockerfile: Dockerfile-lambda
       secrets:
-        - github_token
+        - github_token # See below for definition
 
     depends_on:
       - cache
 
-    # set shared memory limit when using docker-compose
+    # Set shared memory limit when using `docker compose`.
     shm_size: 128mb
+
+    # Stay running. Restart on failure.
     restart: always
+
+    # Basic Linux-y and permission stuff.
     privileged: false
+    cap_add:
+      - SYS_PTRACE
+    security_opt:
+      - apparmor:unconfined
+      - seccomp:unconfined
     pid: host
     sysctls:
       net.core.somaxconn: 1024
+
+    # Environment variables used by the running Docker environment.
+    # https://github.com/aws/aws-lambda-runtime-interface-emulator
     environment:
-      # https://github.com/aws/aws-lambda-runtime-interface-emulator
       _LAMBDA_SERVER_PORT: 8080
-      AWS_LAMBDA_FUNCTION_TIMEOUT: 30 # Web timeout
-      AWS_LAMBDA_FUNCTION_MEMORY_SIZE: 128
+      AWS_LAMBDA_FUNCTION_TIMEOUT: 30      # Web timeout
+      AWS_LAMBDA_FUNCTION_MEMORY_SIZE: 128 # Lambda function memory limit (logged; not enforced)
       AWS_LAMBDA_FUNCTION_NAME: devsec-tools
-      LOG_LEVEL: DEBUG
+      LOG_LEVEL: DEBUG                     # Logging for the Runtime Interface Emulator
 
       # Configure devsec-tools
       DST_CACHE_HOSTS: "cache:6379"
       DST_LOG_VERBOSE: 2
+
+    # Mount a local directory inside the running Docker container.
     volumes:
       - ./var-runtime:/var/runtime:ro
+
+    # Inside, the container runs on port 8080. But we want to expose it on
+    # port 9000 to our host machine.
     ports:
-      - 9000:8080
+      - 9000:8080   # HTTP interface
+      - 42424:42424 # Delve debugger
+
+    # Enable running containers to communicate with services on the host machine.
+    # Only works in Docker Desktop for local development. Don't do this with
+    # containers you don't trust.
     extra_hosts:
       - host.docker.internal:host-gateway
 
   cache:
+    # Name of the container when it is running.
     container_name: localdev-valkey
+
+    # Instructions which tell BuildKit how to build the image, passing secrets
+    # SECURELY to the Dockerfile.
     build:
       context: .
       dockerfile: Dockerfile-valkey
 
-    # set shared memory limit when using docker-compose
+    # Set shared memory limit when using `docker compose`.
     shm_size: 512mb
+
+    # Stay running. Restart on failure.
     restart: always
+
+    # Basic Linux-y and permission stuff.
     privileged: true
     pid: host
     sysctls:
       net.core.somaxconn: 1024
+
+    # Connect persistent volumes to the container.
     volumes:
       - vkdata:/data
+
+    # Inside, the container runs on port 6379. We want to expose the same port
+    # number on the host.
     ports:
       - 6379:6379
 
+# Create a persistent volume for the cache that will reload on restart, without
+# dumping container files directly into your project directory.
 volumes:
   vkdata:
     driver: local
 
+# Define a secret here to read from the builder's environment variables, and
+# pass them SECURELY into Docker BuildKit so that the Dockerfile can access it.
 secrets:
   github_token:
     name: GITHUB_TOKEN
     environment: GITHUB_TOKEN
 
+
+# Configure a bridge network to connect this (and other containers inside this
+# file) together.
 networks:
   dst-network:
     driver: bridge
diff --git a/localdev/lambda-entrypoint.sh b/localdev/lambda-entrypoint.sh
index 36c4f5f..da4ff84 100644
--- a/localdev/lambda-entrypoint.sh
+++ b/localdev/lambda-entrypoint.sh
@@ -1,6 +1,22 @@
 #!/bin/sh
+
+##
+# Start the Runtime Interface Emulator (RIE), then the Delve debugger, then our
+# Lambda function -- all in a chain.
+##
+
+echo "------------------"
+/dlv version
+echo "------------------"
+
 if [ -z "${AWS_LAMBDA_RUNTIME_API}" ]; then
     exec /usr/local/bin/aws-lambda-rie /var/runtime/bootstrap
 else
     exec /var/runtime/bootstrap
 fi
+
+echo "RIE running as PID ${PID}."
+echo "------------------"
+
+# /dlv --listen=:42424 --headless=true --api-version=2 --accept-multiclient exec
+# dnf -y install htop
diff --git a/pkg/httptls/encryption.go b/pkg/httptls/encryption.go
index 3c9b813..4bd0356 100644
--- a/pkg/httptls/encryption.go
+++ b/pkg/httptls/encryption.go
@@ -95,3 +95,23 @@ var EncryptionAlgoList = map[EncryptionAlgo]string{
 	EncryptSM4CCM:         "SM4-CCM",           // China; 中国
 	EncryptSM4GCM:         "SM4-GCM",           // China; 中国
 }
+
+// AEADList is a map of Authenticated Encryption with Associated Data (AEAD)
+// encryption modes of operation. AEAD offers a much higher degree if security
+// than traditional encryption algorithms. They consist of GCM, CCM, and
+// Poly1305 modes.
+var AEADList = map[EncryptionAlgo]bool{
+	EncryptAES128CCM:      true, // International Standard
+	EncryptAES128CCM8:     true, // International Standard
+	EncryptAES128GCM:      true, // International Standard
+	EncryptAES256CCM:      true, // International Standard
+	EncryptAES256CCM8:     true, // International Standard
+	EncryptAES256GCM:      true, // International Standard
+	EncryptARIA128GCM:     true, // South Korea; 대한민국
+	EncryptARIA256GCM:     true, // South Korea; 대한민국
+	EncryptCamellia128GCM: true, // Japan, 日本
+	EncryptCamellia256GCM: true, // Japan, 日本
+	EncryptChaChaPoly:     true, // International Standard
+	EncryptSM4CCM:         true, // China; 中国
+	EncryptSM4GCM:         true, // China; 中国
+}
diff --git a/pkg/httptls/httptls.go b/pkg/httptls/httptls.go
index fe1cdf7..b009d63 100644
--- a/pkg/httptls/httptls.go
+++ b/pkg/httptls/httptls.go
@@ -414,6 +414,9 @@ func GetSupportedTLSVersions(domain, port string, opts ...Options) (TLSResult, e
 
 			if len(suites) > 0 {
 				var versionStr string
+
+				versionInt := int(version)
+
 				switch version {
 				case VersionSSL20:
 					versionStr = TLSVersion[VersionSSL20]
@@ -429,6 +432,7 @@ func GetSupportedTLSVersions(domain, port string, opts ...Options) (TLSResult, e
 					versionStr = TLSVersion[VersionTLS13]
 				}
 				results <- TLSConnection{
+					VersionID:    versionInt,
 					Version:      versionStr,
 					CipherSuites: suites,
 				}
diff --git a/pkg/httptls/key_exchange.go b/pkg/httptls/key_exchange.go
index c6473db..12573ad 100644
--- a/pkg/httptls/key_exchange.go
+++ b/pkg/httptls/key_exchange.go
@@ -49,3 +49,12 @@ var KeyExchangeList = map[KeyExchange]string{
 	KexSRP:     "Secure Remote Password (SRP)",
 	KexSM2:     "ShangMi-2 (SM2)",
 }
+
+// PFSList is a map of key exchange algorithms which fall under the definition
+// of Perfect Forward Secrecy (PFS). Perfect Forward Secrecy (PFS) is a property
+// of secure communication protocols in which compromise of long-term keys does
+// not compromise past session keys.
+var PFSList = map[KeyExchange]bool{
+	KexDHE:   true,
+	KexECDHE: true,
+}
diff --git a/pkg/httptls/structs.go b/pkg/httptls/structs.go
index ab8972d..3af6e5b 100644
--- a/pkg/httptls/structs.go
+++ b/pkg/httptls/structs.go
@@ -62,6 +62,9 @@ type (
 
 	// TLSConnection represents a single TLS connection, and is part of the TLSResult struct.
 	TLSConnection struct {
+		// VersionID represents the version of TLS as an integer.
+		VersionID int `json:"versionId,omitempty"`
+
 		// Version represents the version of TLS.
 		Version string `json:"version,omitempty"`
 
@@ -81,9 +84,14 @@ func (c *CipherData) Populate() {
 	c.Hash = HashList[c.hash]
 
 	// Apply PFS settings
-	if c.keyExchange == KexDHE || c.keyExchange == KexECDHE {
+	if _, ok := PFSList[c.keyExchange]; ok {
 		c.IsPFS = true
 	}
+
+	// Apply AEAD settings
+	if _, ok := AEADList[c.encryptionAlgo]; ok {
+		c.IsAEAD = true
+	}
 }
 
 func handleOpts(opts []Options) *Options {