Clarify FIPS 140-2/140-3 targeting and improve docs conversion

Author: crisdosaygo

README.md

@@ -61,7 +61,13 @@ The gate is **fail-closed**:
 
 If the gate cannot be verified, fips-pad refuses to run.
 
-This project references **:contentReference[oaicite:0]{index=0} FIPS 140-3** as the governing cryptographic validation program, but does not claim validation.
+This project targets **FIPS 140-2 and FIPS 140-3 aligned runtime behavior** by requiring OS-backed, approved cryptographic surfaces at startup.
+It does **not** claim that fips-pad itself is a validated module.
+
+In short:
+- **FIPS 140-2/140-3 target:** only use platform cryptography that is part of an OS-certified/approved module boundary.
+- **Product claim:** fail closed if that surface cannot be established.
+- **Non-claim:** no claim that this application is itself CMVP-validated.
 
 ### Windows 10 / 11
 
@@ -137,7 +143,7 @@ If the gate can be bypassed, you are not running the product as shipped.
 
 ## NIST SP 800-53 control selection
 
-This project uses **:contentReference[oaicite:1]{index=1}** as a **control vocabulary**, not a compliance claim.
+This project uses **NIST SP 800-53** as a **control vocabulary**, not a compliance claim.
 
 Controls were selected and tailored based on the actual system boundary:
 - single user
@@ -162,6 +168,15 @@ Controls were selected and tailored based on the actual system boundary:
 - **AU-2 — Event Logging (minimal)**  
   Local-only logging of security-relevant events; no content logging.
 
+### Selected baseline control IDs (working set)
+
+The current selected/tailored working set for this project is:
+- `SC-13` (Cryptographic Protection)
+- `SC-28` (Protection of Information at Rest)
+- `SI-7` (Software, Firmware, and Information Integrity)
+- `CM-7` (Least Functionality)
+- `AU-2` (Event Logging)
+
 ### Controls explicitly out of scope
 
 Controls requiring:

docs/index.html

@@ -2,15 +2,26 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <title>FIPSPad — A Notepad That Refuses to Run Without FIPS</title>
+  <title>FIPSPad - Encrypted Notepad with a Hard FIPS Gate</title>
+  <meta name="description" content="FIPSPad is an offline encrypted notepad that refuses to run unless a platform-appropriate FIPS cryptographic surface is verified.">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <style>
+    :root {
+      --bg: #f6f7f4;
+      --card: #ffffff;
+      --ink: #1f2b23;
+      --muted: #516057;
+      --line: #d8ddd7;
+      --brand: #1f7a4f;
+      --brand-2: #145838;
+      --warn: #fff6df;
+    }
     body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      font-family: Georgia, "Times New Roman", serif;
       margin: 0;
       padding: 0;
-      background: #0b0b0b;
-      color: #eaeaea;
+      background: radial-gradient(circle at 0% 0%, #edf2ea, var(--bg) 40%);
+      color: var(--ink);
       line-height: 1.5;
     }
     main {
@@ -22,21 +33,27 @@
       font-weight: 600;
     }
     h1 {
-      font-size: 2.4rem;
+      font-size: 2.6rem;
       margin-bottom: 0.5rem;
     }
     .subtitle {
-      color: #aaa;
+      color: var(--muted);
       margin-bottom: 2rem;
     }
     section {
       margin-bottom: 3rem;
     }
+    .hero {
+      border: 1px solid var(--line);
+      background: linear-gradient(180deg, #ffffff, #f9fbf8);
+      border-radius: 10px;
+      padding: 1.2rem 1.2rem 0.8rem;
+    }
     .box {
-      border: 1px solid #333;
+      border: 1px solid var(--line);
       padding: 1.25rem;
-      border-radius: 6px;
-      background: #111;
+      border-radius: 10px;
+      background: var(--card);
     }
     .pricing {
       display: grid;
@@ -50,62 +67,92 @@
     a.button {
       display: inline-block;
       padding: 0.6rem 1rem;
-      background: #2d7cff;
+      background: var(--brand);
       color: #fff;
       text-decoration: none;
       border-radius: 4px;
       font-weight: 500;
     }
+    a.button:hover {
+      background: var(--brand-2);
+    }
+    a.button.secondary {
+      background: transparent;
+      color: var(--brand-2);
+      border: 1px solid var(--brand-2);
+    }
     footer {
-      color: #777;
+      color: var(--muted);
       font-size: 0.9rem;
       margin-top: 4rem;
-      border-top: 1px solid #222;
+      border-top: 1px solid var(--line);
       padding-top: 1rem;
     }
     code {
-      background: #1a1a1a;
+      background: #ecf2ed;
       padding: 0.2rem 0.4rem;
       border-radius: 3px;
     }
+    .cta-row {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 0.75rem;
+      margin: 1rem 0 1.2rem;
+    }
+    .highlight {
+      background: var(--warn);
+      border-left: 4px solid #b98b00;
+      padding: 0.75rem 0.9rem;
+      border-radius: 4px;
+    }
   </style>
 </head>
 <body>
 <main>
 
-  <h1>FIPSPad</h1>
-  <div class="subtitle">
-    A deliberately boring notepad that refuses to run unless it can prove it has a FIPS cryptographic surface.
-  </div>
+  <section class="hero">
+    <h1>FIPSPad</h1>
+    <div class="subtitle">
+      The encrypted notepad that fails closed: no verified FIPS surface, no launch.
+    </div>
+    <p>
+      For consultants, security teams, and regulated environments where "best effort crypto" is not acceptable.
+    </p>
+    <div class="cta-row">
+      <a class="button" href="https://github.com/BrowserBox/FIPSPad/releases">Get Signed Binary</a>
+      <a class="button secondary" href="#pricing">See Pricing</a>
+      <a class="button secondary" href="FIPSPad-SPS.pdf">Read Security Posture Statement</a>
+    </div>
+  </section>
 
   <section>
     <p>
-      FIPSPad is a single-user, offline, encrypted notepad.
-      No network. No accounts. No telemetry. No cloud.
+      FIPSPad is single-user, offline, and encrypted at rest.
+      No network. No accounts. No telemetry. No cloud sync.
     </p>
     <p>
-      It exists to explore one question honestly:
-      <strong>what does “FIPS-mode” actually mean for a real, minimal desktop app?</strong>
+      It answers one practical question:
+      <strong>what does a real fail-closed FIPS gate look like in a tiny desktop app?</strong>
     </p>
   </section>
 
   <section class="box">
-    <h2>Security posture</h2>
+    <h2>Why teams buy it</h2>
     <ul>
-      <li>Hard fail-closed gate on startup</li>
+      <li>Hard fail-closed startup gate</li>
       <li>Uses OS-provided cryptography only</li>
       <li>Refuses to run on unsupported platforms</li>
-      <li>Documents a scoped subset of NIST SP 800-53 controls</li>
+      <li>Scoped, explicit security claims you can read in minutes</li>
     </ul>
-    <p>
+    <p class="highlight">
       This is not a certified product. Claims are narrow, explicit, and documented.
     </p>
     <p>
-      <a class="button" href="FIPSPad-SPS.pdf">Read the Security Posture Statement (PDF)</a>
+      <a class="button secondary" href="FIPSPad-SPS.pdf">Open SPS (PDF)</a>
     </p>
   </section>
 
-  <section>
+  <section id="pricing">
     <h2>Pricing</h2>
     <div class="pricing">
       <div class="box">
@@ -116,7 +163,7 @@ <h3>Individual</h3>
           <li>Minor updates</li>
           <li>Personal use</li>
         </ul>
-        <a class="button" href="https://buy.stripe.com/REPLACE_ME">Buy</a>
+        <a class="button" href="https://buy.stripe.com/REPLACE_ME">Buy Individual</a>
       </div>
 
       <div class="box">
@@ -127,7 +174,7 @@ <h3>Professional</h3>
           <li>Client / consulting use</li>
           <li>Priority updates</li>
         </ul>
-        <a class="button" href="https://buy.stripe.com/REPLACE_ME">Buy</a>
+        <a class="button" href="https://buy.stripe.com/REPLACE_ME">Buy Professional</a>
       </div>
 
       <div class="box">
@@ -150,15 +197,14 @@ <h2>Source code</h2>
       Paid binaries cover signing, notarization, and supply-chain hygiene.
     </p>
     <p>
-      <a class="button" href="https://github.com/YOURNAME/FIPSPad">View the repository</a>
+      <a class="button secondary" href="https://github.com/BrowserBox/FIPSPad">View Repository</a>
     </p>
   </section>
 
   <footer>
-    FIPSPad © 2026. No tracking. No analytics. No surprises.
+    FIPSPad © 2026. No tracking. No analytics. No surprises. Security posture over marketing spin.
   </footer>
 
 </main>
 </body>
 </html>
-

scripts/inspect-p12.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Inspect identities inside a base64-encoded .p12 file
+# Usage: ./inspect-p12.sh [base64_string_or_file]
+
+cleanup() {
+    [[ -f "${TMP_P12:-}" ]] && rm -f "$TMP_P12"
+}
+trap cleanup EXIT
+
+# Get base64 input
+if [[ $# -ge 1 ]]; then
+    if [[ -f "$1" ]]; then
+        # It's a file path
+        P12_B64=$(cat "$1")
+    else
+        # It's a base64 string directly
+        P12_B64="$1"
+    fi
+elif [[ -n "${MACOS_CODESIGN_CERT_P12_B64:-}" ]]; then
+    P12_B64="$MACOS_CODESIGN_CERT_P12_B64"
+else
+    echo "Usage: $0 <base64_string_or_file>"
+    echo "   or: export MACOS_CODESIGN_CERT_P12_B64=... && $0"
+    exit 1
+fi
+
+# Prompt for password
+echo -n "Enter .p12 password: "
+read -rs P12_PASS
+echo
+
+# Decode to temp file
+TMP_P12=$(mktemp /tmp/inspect-p12.XXXXXX.p12)
+echo "$P12_B64" | base64 -d > "$TMP_P12"
+
+echo ""
+echo "=== Certificates in .p12 ==="
+echo ""
+
+openssl pkcs12 -in "$TMP_P12" -passin pass:"$P12_PASS" -nokeys -info 2>/dev/null | \
+    grep -E "(subject=|issuer=|friendlyName|localKeyID)" || true
+
+echo ""
+echo "=== Certificate Details ==="
+echo ""
+
+openssl pkcs12 -in "$TMP_P12" -passin pass:"$P12_PASS" -nokeys 2>/dev/null | \
+    openssl x509 -noout -subject -issuer -dates -serial 2>/dev/null || {
+        echo "Could not parse certificate details"
+    }
+
+echo ""
+echo "=== Identity Summary ==="
+echo ""
+
+# Count certificates
+CERT_COUNT=$(openssl pkcs12 -in "$TMP_P12" -passin pass:"$P12_PASS" -nokeys 2>/dev/null | \
+    grep -c "BEGIN CERTIFICATE" || echo "0")
+echo "Certificates found: $CERT_COUNT"
+
+# Check for private key
+if openssl pkcs12 -in "$TMP_P12" -passin pass:"$P12_PASS" -nocerts -nodes 2>/dev/null | \
+    grep -q "BEGIN.*PRIVATE KEY"; then
+    echo "Private key: Yes"
+else
+    echo "Private key: No"
+fi
+
+# Check certificate type (Developer ID, etc.)
+echo ""
+echo "=== Certificate Type Detection ==="
+SUBJECT=$(openssl pkcs12 -in "$TMP_P12" -passin pass:"$P12_PASS" -nokeys 2>/dev/null | \
+    openssl x509 -noout -subject 2>/dev/null || echo "")
+
+if echo "$SUBJECT" | grep -q "Developer ID Application"; then
+    echo "Type: Developer ID Application (for signing apps)"
+elif echo "$SUBJECT" | grep -q "Developer ID Installer"; then
+    echo "Type: Developer ID Installer (for signing .pkg)"
+elif echo "$SUBJECT" | grep -q "Apple Distribution"; then
+    echo "Type: Apple Distribution (App Store)"
+elif echo "$SUBJECT" | grep -q "Apple Development"; then
+    echo "Type: Apple Development (local testing)"
+else
+    echo "Type: Unknown or non-Apple certificate"
+fi
+
+echo ""
+echo "Full subject: $SUBJECT"