Changelog

New Tool

• Chain Extractor — drop any PEM, CRT, or bundled chain file and PRISM splits it into individual files: server certificate, intermediate CA(s), and root CA; save each as a separate .pem with a single click (macOS + Windows)

Themes

• Nothing OS theme — new card aesthetic inspired by Nothing OS: pure black panels, 3×3 dot-matrix brand mark, dashed borders, and clean monospaced typography (macOS)

Bug Fix

• PFX Generator — ClearPass compatibility — PFX files now default to legacy 3DES + SHA-1 MAC encryption, matching what Aruba ClearPass and other network appliances require; previously the modern AES-256 default caused silent import failures (Windows)
• localKeyId attribute — PFX files now correctly embed the key-to-certificate linkage attribute, resolving import failures on ClearPass regardless of certificate or CA used (Windows)

Inventory

• Import External CSR — import a .csr, .pem, or .req file generated outside PRISM into Inventory as a pending entry; vault storage and signed-cert promotion work identically to PRISM-generated CSRs (macOS + Windows)

Vault

• Vault Backup Export/Import — export your entire vault and inventory as an encrypted .prismbackup file (AES-256-GCM ZIP); import on a fresh machine via Replace mode or merge into an existing vault via Merge mode with automatic per-entry key re-wrapping (macOS + Windows)

Licensing

• License key stored in Keychain — activation is now persisted in the macOS Keychain instead of UserDefaults, so it survives app reinstalls and updates without requiring re-activation
• Existing licenses are automatically migrated to the Keychain on first launch — no action required
• Activation now includes a machine-specific identifier so each device is uniquely tracked in the licensing dashboard

Updates

• Done & Close — the final step of the in-app updater now quits the running app when clicked, so the old version isn't holding files open while you drag the new one into Applications

Chain Builder

• Unified Chain Builder — auto-detects cert type on selection: P7B bundle (sorts and validates), public CA (builds via system keychain), or private CA (provide intermediates and root manually). Replaces the separate Private CA Chain tool.
• Append Root & Save — if the root CA is missing after a build, a warning banner and root CA picker appear inline to complete the chain without rebuilding
• Bundle attach sheet now only appears after a fully verified chain — no premature prompts when the root CA is still missing

Vault

• Master password required on every launch — vault keys are never cached between sessions
• Full-screen cover during unlock — inventory content is hidden behind an opaque overlay while entering the master password

Inventory

• CA nesting — Root CA and Intermediate CA entries are displayed nested under their associated server certificate, not as standalone rows
• Root CA detection fixed — self-signed certs now correctly identified via DER byte comparison; previously all appeared as Intermediate CA
• Private root CAs provided in Chain Builder are automatically tracked in Inventory with accurate expiry dates
• Home inventory card shows only server certificate expiry — root and intermediate CAs excluded from the preview
• CA entries with no matching parent server cert remain visible at the top level

Security

• Server-side trial enforcement — trial state is now registered per device via a Cloudflare Worker; clearing local data can no longer reset the trial clock
• Existing active trial users are automatically checked in on first launch of 7.2.1, anchoring their real start date server-side

Certificate Lifecycle Tracking

• CSR Generator creates an Inventory entry automatically — your certificate is tracked from the moment you generate the request, before a signed cert even exists
• Vault integration at CSR generation time — optionally encrypt the private key into a password-protected vault as part of the CSR workflow
• PFX Generator step-by-step workflow — guided flow walks you through the full lifecycle from CSR through signing and PFX creation in sequence
• Inventory now tracks every file created (CSR, private key, signed cert, full chain, PFX) and lets you export any of them directly from the entry detail view

Updates

• In-app update downloader — download the latest DMG directly without leaving PRISM; progress bar shows download status
• Update alerts now appear in the main window instead of buried in Settings, so background checks surface correctly
• What's New screen on first launch after each update — no more wondering what changed

Themes

• New Amber theme — classic 1980s amber phosphor terminal aesthetic

Bug Fixes

• Fixed app bundle identifier not being set correctly in SPM builds — preferences and vault data now stored under the correct tech.cmdlab.prism domain; existing data is migrated automatically on first launch

Vault Security Upgrade

• Upgraded to two-layer envelope encryption: a single app-level Master Key is derived via PBKDF2-SHA256 at 600,000 iterations (up from 310,000); each bundle gets a random 256-bit Vault Key wrapped by the Master Key
• One vault password now unlocks all certificate bundles in a session — no more per-entry prompts
• Password changes are instant (O(1)) — only the wrapped key file is re-encrypted, certificate files are untouched
• Fully backward-compatible: existing V1 bundles continue to work with their original per-entry passwords

Certificate Inventory

• Renewal detection: importing a cert with the same Common Name but a new serial number now prompts to update the existing entry (preserving vault, bundle, notes, and tags) or add it as a separate entry
• Tags moved to detail header: tag chips are now inline next to the certificate title; a tag icon button opens a compact popover for adding new tags
• Bundle picker now shows expiry month/year (e.g. "Expires Mar 2026") for each entry so renewals with the same CN are distinguishable; expired entries highlighted in red

PFX Generator

• Auto-loads FullChain.cer when navigating to the PFX Generator if one is available — no manual click required
• Private key passphrase field is no longer pre-filled — must be re-entered each time for security
• Generated PFX is now offered for attachment to an existing certificate bundle, matching the Full Chain Builder behavior

Legal & Compliance

• Added Legal & Compliance section in Settings with ECCN 5D992.c export classification and scope disclosures
• Added Security & Legal section in Help / Tutorial with the same disclosures and a link to the compliance page
• README updated with a ⚖️ Legal & Export Controls section covering certificate scope, local-only processing, user responsibility, and export classification
• Landing page footer now includes a one-line compliance disclaimer with a link to the Security page

Bug Fixes

• Removed duplicate "Skip" button from the top-right corner of the Bundle Attach sheet

Certificate Bundles

• New Certificate Bundle system groups all lifecycle files (CSR, private key, signed cert, full chain, PFX) under one inventory entry
• Three storage modes: Metadata Only (path references), Master Password Vault (AES-256-GCM + PBKDF2-SHA256 at 310K iterations), and Keychain Vault (private key in macOS Keychain)
• Pending entries: bundle is created at CSR generation time before a signed cert exists; automatically promoted to a full X.509 entry when the signed cert is attached
• Bundle Attach Sheet: after building a Full Chain or generating a PFX, PRISM offers to attach the file to an existing bundle in one click
• Certificate Files section in the inventory detail view shows all attached files with per-file Export buttons
• Session-level vault unlock prompt on launch when any master-password bundles are present; decrypted keys cached in memory only

License & Activation

• Simplified to local-only license validation — no periodic network revalidation required after activation
• License validation fires immediately on activation rather than on next app restart
• Added multi-product license support to the Windows build

Windows

• Added code signing to the Windows build pipeline
• AppInfo.cs is now auto-patched with the correct version at build time via build.bat
• Improved installer and update flow

Website

• Legal pages (Privacy Policy, Terms of Service, License) are now self-hosted; broken footer links fixed
• CMDLAB rebrand applied across all website pages
• Updated landing page hero with brand image, refined icon sizing, and cleaned up glow effects

Bug Fixes

• Fixed license activation not triggering validation immediately on macOS

Windows

• Improved update flow and installer behavior
• Fixed installer packaging issues affecting clean installs

Monetization

• Switched to a new payment and license management provider
• Updated checkout flow and license activation for both macOS and Windows

Website

• Redesigned landing page with simpler layout and OS-aware download buttons
• Downloads now served from a global CDN for improved reliability

Help & Tutorial

• Added Help & Tutorial system on both macOS and Windows with per-tool documentation, keyboard shortcuts, and workflow guides

Major Release

• Complete macOS rebuild as a native Swift/SwiftUI app (replacing prior Python-based version)
• New v7 icon and visual identity
• App Store build variant and direct-distribution DMG build
• Paid licensing via in-app purchase — first paid release

Certificate Inventory

• New persistent certificate library with expiry tracking, tags, notes, CSV export, and search/filter
• Auto-import from CSR Generator
• Expiry status badges (Valid, Expiring Soon, Expired)

Windows

• Complete rewrite of the Windows app using C#/WinUI 3 (.NET 9)
• Feature parity with macOS across CSR generation, Full Chain Builder, PFX Generator, and PFX Extractor