diff --git a/README.md b/README.md
index 44ce05b182140e6bf4e6397afa2bc6e23503acc9..ab7a3646d790da563fc0d79a7903c7e16c3df934 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ suggest something!
   [Linux tap device on `std`](embassy/demos/std) running locally.
 
   At present the Pico W build is around 150kB binary size
-  (plus ~200KB [cyw43](https://github.com/embassy-rs/cyw43/) wifi blob),
+  (plus ~200KB [cyw43](https://github.com/embassy-rs/cyw43/) wifi firmware),
   using about 30kB RAM per concurrent SSH session (max stack size not confirmed).
 
 - [`sunset-async`](async/) adds functionality to use Sunset as a normal SSH client or
@@ -78,4 +78,4 @@ will not be cleared.
 Matt Johnston <matt@ucc.asn.au>
 
 It's built on top of lots of other work, particularly Embassy, the rust-crypto crates,
-and Salty.
+Virtue, and Salty.
diff --git a/src/encrypt.rs b/src/encrypt.rs
index d16f16969768002a598aadfa9ea47f571786377a..d45e1144b5739b4aeef941d830242d04e0d5ae16 100644
--- a/src/encrypt.rs
+++ b/src/encrypt.rs
@@ -43,8 +43,8 @@ const MAX_KEY_LEN: usize = 64;
 pub(crate) struct KeyState {
     keys: Keys,
     // Packet sequence numbers. These don't reset with rekeying.
-    seq_encrypt: Wrapping<u32>,
-    seq_decrypt: Wrapping<u32>,
+    pub seq_encrypt: Wrapping<u32>,
+    pub seq_decrypt: Wrapping<u32>,
 }
 
 impl KeyState {
diff --git a/src/kex.rs b/src/kex.rs
index 136fb743f7751c30b1b0f971eb65b3851426417f..540a8b7b2ee1baccf9b26e3f34ecea66f2dc69ab 100644
--- a/src/kex.rs
+++ b/src/kex.rs
@@ -242,6 +242,7 @@ impl Kex {
     }
 
     fn take(&mut self) -> Self {
+        debug_assert!(!matches!(self, Kex::Taken));
         core::mem::replace(self, Kex::Taken)
     }
 
@@ -583,6 +584,8 @@ impl SharedSecret {
     }
 }
 
+// TODO ZeroizeOnDrop. Sha256 doesn't support it yet.
+// https://github.com/RustCrypto/hashes/issues/87
 pub(crate) struct KexOutput {
     /// `H` for this exchange, conn takes the first as sess_id
     h: SessId,
diff --git a/src/traffic.rs b/src/traffic.rs
index 163fef9b91b43338b27941b39ebe7e3101988c86..eee177874ae2b2d1560426374ab1e34a1310e885 100644
--- a/src/traffic.rs
+++ b/src/traffic.rs
@@ -325,7 +325,7 @@ impl<'a> TrafOut<'a> {
 
     /// Serializes and and encrypts a packet to send
     pub(crate) fn send_packet(&mut self, p: packets::Packet, keys: &mut KeyState) -> Result<()> {
-        trace!("send_packet {:?}", p.message_num());
+        trace!("send_packet seq {} {:?}", keys.seq_encrypt, p.message_num());
 
         // Either a fresh buffer or appending to write
         let (idx, len) = match self.state {