Changelog

Track every update, improvement, and fix. We believe in transparent development.

v2.4.28

PATCHLATEST

July 8, 2026

The "Free Up C: Drive Space" repair now reclaims dramatically more space - safely. It was fixed to actually show its results in Run All (it had been reclaiming space but printing nothing), and its safe cleanup was expanded to the same disposable caches Windows Storage Sense clears - browser caches, GPU/shader caches, the Delivery Optimization peer cache, stale Windows Update downloads, and more - typically lifting a cleanup from a few hundred MB to several GB. Personal files are never touched: only cache folders are ever cleared, and your documents, photos, downloads, cookies, passwords and browsing history are structurally off-limits.

Added
  • Much larger safe cleanup for "Free Up C: Drive Space": in addition to temp and error-report files, Run All now clears disposable caches that safely regenerate - web browser caches (Chrome, Edge, Brave, Vivaldi, Firefox), DirectX/OpenGL GPU shader caches (including large NVIDIA/AMD caches), the Windows internet (WinINet) cache, application crash dumps, the Delivery Optimization peer-update cache, stale Windows Update downloads (older than 5 days), and archived servicing logs. On a full drive this commonly frees several GB instead of a few hundred MB.
Security
  • The expanded cleanup keeps the same strict safety model: nothing is deleted unless it resolves inside an approved cache folder. Browser cleanup targets only the Cache / Code Cache / GPUCache / Service Worker cache subfolders - never the browser profile itself - so cookies, saved passwords, history and bookmarks are untouched. Documents, Desktop, Downloads, Pictures, Videos, the user profile, Windows, System32, WinSxS and Program Files remain hard deny-roots, verified by a 29-case path-safety test.
Fixed
  • "Free Up C: Drive Space" (fix_c_drive_full) appeared to do nothing in Run All. It was reclaiming space correctly, but every line of output was routed through an interactive-only status writer and suppressed in the non-interactive batch runner. Output now uses the same plain writer every other cleanup step uses, so Run All shows the audit findings and the amount reclaimed.
  • Enterprise triage collection (collect_enterprise_triage) no longer surfaces a raw "Invalid argument/option - /H" error on Windows builds whose gpresult tool has no HTML report option. It now detects HTML support first and falls back to capturing the text policy (RSoP) summary when HTML is unavailable.
Changed
  • Standard and Free ZIPs rebuilt and re-Authenticode-signed at v2.4.28 per SOP-01/SOP-32/SOP-72; pack manifest + RSA-SHA256 signature regenerated (SOP-54). Repair-engine module payloads are byte-unchanged from v2.4.24; only two repair scripts changed.

v2.4.27

PATCH

July 6, 2026

Reliability, safety, and one new repair. Run All no longer freezes for over a minute on machines with a large Windows Firewall rule set (the security check now reads the firewall profile state directly instead of enumerating every rule). A new one-click "Free Up C: Drive Space" repair safely reclaims disk space with an audit-first pass and a strict path allowlist so personal files are never touched. The desktop app adds a Contact Support link, the BitLocker recovery key is no longer written in plain text, and SFC output parses correctly on non-English Windows.

Added
  • New repair: "Free Up C: Drive Space" (fix_c_drive_full) - audit-first cleanup of temp/cache/update leftovers with a strict path-safety allowlist and a restore point, so personal files and documents are never deleted (SOP-76, SOP-88). Total repairs: 108 -> 109.
  • Desktop app header now has a Contact Support link that opens a pre-addressed support email ([email protected]).
Fixed
  • Run All no longer freezes for ~80+ seconds during the security check on PCs with many Windows Firewall rules: the firewall status is read from the per-profile state directly instead of enumerating every rule (O(rules) -> O(1)). Identical pass/fail result, dramatically faster.
  • SFC (System File Checker) result parsing now works on non-English Windows locales instead of misreading the scan outcome.
Security
  • The BitLocker recovery key is no longer written to disk in plain text: the desktop toolkit now stores recovery metadata only by default, so the key material is not left readable in ProgramData.
Changed
  • Standard and Free ZIPs rebuilt and re-Authenticode-signed at v2.4.27 per SOP-01/SOP-32/SOP-72; pack manifest + RSA-SHA256 signature regenerated (SOP-54). Repair-engine module payloads are byte-unchanged from v2.4.24.

v2.4.26

PATCH

June 21, 2026

Run All is dramatically faster on healthy PCs with identical repair behavior. The DISM/SFC system-file repairs now check image health first and skip the 10-20 minute deep repair when nothing is corrupted (a single repair could previously burn ~20+ minutes on a perfectly healthy machine); a corrupted image still gets the full repair, and running a repair on its own is unchanged. Also fixes the Windows Update reset registry backup, the enterprise Group Policy report export, and the Safe-mode lock badge.

Changed
  • Run All now self-gates the heavy DISM/SFC repairs on a healthy image (fix_startup_issues, repair_windows_system, repair_component_store, repair_system_integrity, fix_boot_issues, run_dism_sfc): the fast DISM CheckHealth runs first and the 10-20 min ScanHealth/RestoreHealth/SFC pass is skipped when no corruption is present. Interactive single-script runs and any non-healthy image still perform the full repair (SOP-76).
Fixed
  • reset_windows_update.ps1: the registry backup before the Windows Update reset now calls reg.exe with the correct hive path (previously failed with "Invalid key name" and skipped the backup).
  • collect_enterprise_triage.ps1: the Group Policy HTML report (gpresult /H) is generated correctly with a clean text fallback, instead of printing a raw usage error.
  • Desktop Safe/Aggressive mode badge now draws a vector padlock icon instead of the literal text "[Locked]".
Changed
  • Release pipeline hardened: the Version Lock contract now verifies every version surface (including src/lib/version.ts and the launcher LicenseClient) so a build with any mismatched version is blocked before shipping. Standard and Free ZIPs rebuilt and re-Authenticode-signed per SOP-01/SOP-32/SOP-72; pack manifest + RSA-SHA256 signature regenerated (SOP-54). Supersedes the unreleased v2.4.25 build.

v2.4.24

PATCH

June 21, 2026

Corrective release that fixes a false "update available" prompt. v2.4.23 desktop apps reported their embedded version as 2.4.22, so the toolkit nagged every customer to update to a build they were already running. The launcher and runner are rebuilt so the embedded version matches, and a permanent release safeguard now blocks any future version-mismatch build from shipping.

Fixed
  • Desktop launcher and runner now embed the correct FileVersion (2.4.24.0), clearing the false "Update available v2.4.23 (current v2.4.22)" prompt that appeared on v2.4.23.
Changed
  • Release pipeline hardened (SOP-34 RULE 10 / Version Lock): the version is bumped before binaries are built, the build aborts if any EXE FileVersion does not match the release version, and the ZIP packer verifies EXE ProductVersion/FileVersion both before zipping and inside the extracted ZIP - a matching checksum alone is no longer accepted as proof.
  • Standard and Free ZIPs rebuilt and re-Authenticode-signed at v2.4.24 per SOP-01/SOP-32/SOP-72; pack manifest + RSA-SHA256 signature regenerated (SOP-54).

v2.4.23

PATCH

June 20, 2026

RUN ALL result honesty and reliability. The Boot Repair tool now reports what bootrec actually did instead of always claiming success; Update All Apps installs each app individually so one stuck installer no longer wastes the whole batch; and the security scan no longer false-flags first-party signed scripts.

Fixed
  • scripts/repair/scripts/fix_boot_issues.ps1: the final summary now reflects real bootrec outcomes - a non-zero bootrec result (expected when run outside the Windows Recovery Environment) is reported as not modified instead of repaired (SOP-86).
  • scripts/repair/scripts/update_all_apps.ps1: RUN ALL now upgrades each winget package individually with a per-package timeout, so a single stalled installer can no longer consume the entire batch budget and leave zero apps updated; it falls back to a bounded upgrade --all if the package list cannot be parsed (SOP-86).
  • scripts/repair/scripts/enhanced_security_check.ps1: trusts the signed-pack 4-gate for first-party scripts and tightens the obfuscation heuristic, eliminating false obfuscated-code warnings on first-party signed scripts (SOP-86).
Changed
  • Standard, Free, and BryanIT Enterprise ZIPs rebuilt and re-Authenticode-signed at v2.4.23 per SOP-01/SOP-32/SOP-72; pack manifest + RSA-SHA256 signature regenerated (SOP-54). Docs: SOP-86 added; SOP-32 records signing-material locations.

v2.4.22

PATCH

June 6, 2026

Desktop visual refresh - the repair toolkit and the elevated Runner terminal both look noticeably cleaner, with identical behavior. Repair tiles now show color-coded category icons, and the Runner console renders crisp UTF-8 graphics instead of garbled characters on some systems.

Changed
  • launcher-csharp (Theme.cs, ModernButton.cs): repair tiles now draw each vector icon in a per-category accent color over a soft rounded chip, with a hover accent bar. Running/success/fail state feedback and locked PRO tiles are unchanged (SOP-48 v3.2).
  • launcher-csharp/MainForm.cs: the header now paints a subtle slate gradient and a 2px emerald-to-blue brand accent rule (SOP-48 section 7.3).
  • runner-csharp/Program.cs: the elevated Runner terminal sets UTF-8 output (only when it owns a real console window) so box-drawing and status glyphs render correctly instead of code-page mojibake, with a redesigned centered banner, aligned gate lines, and a cleaner summary footer (new SOP-81).
Changed
  • Standard, Free, and BryanIT Enterprise ZIPs rebuilt and re-Authenticode-signed at v2.4.22 per SOP-01/SOP-32/SOP-72; pack manifest + RSA-SHA256 signature regenerated (SOP-54). No repair-script or behavioral changes.

v2.4.21

PATCH

June 5, 2026

Desktop GUI repair-tile icon fix plus admin dashboard resilience. The launcher now draws SOP-48 safe vector icons instead of rendering raw manifest emoji/icon strings into WinForms, eliminating the ASCII/mojibake tiles. Ships alongside admin dashboard graceful-degrade and SOP-79 OWNER allowlist hardening.

Fixed
  • launcher-csharpModernButton.cs: repair tiles now render SOP-48 safe vector icons instead of rendering raw manifest emoji/icon strings into WinForms, fixing the ASCII/mojibake tiles seen on some locales and font configurations.
  • srcappadmindashboard: graceful degradation on backing-query failures plus a React hydration (#418) fix so the admin dashboard no longer hard-fails when a backing query is unavailable.
Security
  • SOP-79 OWNER HTTP-allowlist hardening for privileged plan codes.
Changed
  • Standard and Free ZIPs rebuilt and re-Authenticode-signed at v2.4.21 per SOP-01/SOP-32/SOP-72; signer CN=RescuePC Software, thumbprint 1FD31EB508E2C9D2D6D820955EC0E2E5A423BB88; DigiCert timestamped.
  • Pack manifest + RSA-SHA256 signature regenerated at v2.4.21; SOP-54 integrity gate verified (111 files).

v2.4.20

PATCH

May 26, 2026

Runner archive-path hotfix and Run All app-update restoration. This release ships the merged runner fix as a customer-facing version and restores Update All Apps coverage inside Run All with bounded non-interactive winget execution.

Fixed
  • runner-csharp/Program.cs: handles repair files that disappear after extraction or cleanup without surfacing CommandNotFoundException, including Japanese-locale Defender quarantine cases.
  • scripts/repair/scripts/update_all_apps.ps1: Run All no longer exits immediately under -NoPrompt. It skips the interactive pre-list, runs winget upgrade --all with agreement flags and --disable-interactivity, and enforces a hard timeout to prevent batch freezes.
  • launcher-csharp/PackManager.cs: update_all_apps now runs in the Updates phase so the Run All execution order matches SOP-76.
Changed
  • Version surfaces, pack metadata, pack manifest, and pack signature aligned to v2.4.20 through scripts/sync-version.ps1.
  • scripts/sync-version.ps1 now verifies every known version-dependent release surface, not only the smaller critical subset.
  • SOP-42 and SOP-76 updated for full version-surface verification and bounded Run All app-update behavior.
Security
  • No Stripe, licensing, download token, middleware, admin auth, database, SEO, or Vercel configuration surfaces changed in this release batch.

v2.4.19

PATCH

May 14, 2026

Runner first-run trust release. The launcher now preflight-checks SmartScreen approval of RescuePC.Runner.exe before Run All / Fix All / single repair, and surfaces a friendly BlockedRunnerDialog when SmartScreen / AppLocker / UAC denies launch. Closes the confused-customer flow where Runner.exe was unapproved and repairs failed with opaque errors.

Fixed
  • ScriptRunner.cs: two-tier Runner.exe first-run preflight. Tier 1 is a Zone.Identifier advisory check; tier 2 launches Runner.exe --check under UAC with a 5-second bounded timeout. Sentinel exit code -1700 signals preflight-blocked. Cached for the session so only one preflight UAC prompt is needed per Windows session.
  • ScriptRunner.cs: RunBatchAsync Win32Exception parity with RunScriptAsync (UAC denial 1223, AppLocker / SRP / WDAC policy block 1260 / 786, generic Win32). Fix All and Run All now return curated guidance instead of opaque errors when Runner cannot launch.
  • Program.cs: UnblockExtractedFiles now uses fail-soft sanitized logging. Fixed reason-vocabulary writer (unblock_failed_access_denied / _io_locked_or_denied / _dir_missing / _file_missing / _other) writes to logs/unblock-errors.log. Never emits ex.Message — path-free by construction.
  • New UI/BlockedRunnerDialog.cs WinForms modal wired through MainForm at RunSingleScript + FixAllButton_Click + RunAllButton_Click. ScriptRunner stays UI-free. Blocked-runner results are not reported to telemetry as failed repairs (no repair was attempted).
Changed
  • Standard and Free ZIPs rebuilt and re-Authenticode-signed at v2.4.19 per SOP-01/SOP-32/SOP-72. Both EXEs FileVersion 2.4.19.0. Signer CN=RescuePC Software, thumbprint 1FD31EB508E2C9D2D6D820955EC0E2E5A423BB88. DigiCert timestamped.
  • Pack manifest + RSA-SHA256 signature regenerated at v2.4.19. SOP-54 integrity gate verified (111 files, ManifestHash 6d512772735ad0203dd08600833dc20aae6c5e41ab4f689c71b979cee8e7eeda).
  • launcher-csharp.Tests project added (xUnit 2.9.2 + Moq 4.20.72, net8.0-windows). 30 / 30 tests passing. Includes a source-static regression guard preventing ex.Message reappearing in UnblockExtractedFiles.
  • New release-tooling: scripts/ci/verify-live-release.ps1 — hard post-deploy production verifier. Asserts /version.json, R2 reachability + SHA256, /api/health, and the nested wire-format contract on /api/client/integrity (.integrity.runnerSha256, .integrity.launcherSha256, .integrity.modules). Includes anti-regression guards that fail if the API response shape is ever flattened.
  • SOP-26 / SOP-34 / SOP-42 / SOP-60 / SOP-72 updated to lock the canonical dist artifact path and require live post-deploy verification before a release is considered closed.
Security
  • No security, auth, Stripe, licensing, download token, middleware, admin dashboard, SEO, database, or Vercel config surfaces touched in this release; scope limited to desktop trust-flow UX hardening + downstream pack/ZIP re-sign + integrity manifest update + release-tooling additions.

v2.4.18

PATCH

May 11, 2026

Desktop EXE FileVersion drift fixed. Launcher + Runner rebuilt from v2.4.17 source and re-Authenticode-signed so the embedded FileVersion finally matches APP_VERSION. Closes the toolkit "Update available v2.4.17 (current v2.4.16)" false-alarm prompt that customers saw on the v2.4.17 ZIPs.

Fixed
  • Toolkit "Update available v2.4.17 (current v2.4.16)" false-alarm prompt eliminated. Root cause: the v2.4.17 ZIPs shipped with the v2.4.16-built launcher + runner EXEs because the release flow only updated .csproj/.cs source files and did not invoke dotnet publish. The v2.4.18 release rebuilds both EXEs from source so the embedded FileVersion finally matches APP_VERSION.
  • release-gate.ps1 CHECK 7 (EXE FileVersion vs $Version) now passes end-to-end for the first time since the check was added in commit 68ac7a36; this gate will refuse any future release where the compiled FileVersion drifts from the source version.
  • public/version.json downloadUrl + freeDownloadUrl bumped to v2.4.18 R2 URLs; sha256 + freeSha256 carry the actual signed-and-zipped artifact hashes (no PENDING_BUILD placeholders ship to production this release).
Changed
  • Standard, Free, and BryanIT Enterprise ZIPs rebuilt around the freshly signed v2.4.18 EXEs per SOP-01/SOP-32/SOP-72
  • Pack manifest + RSA-SHA256 signature regenerated at v2.4.18; SOP-54 integrity gate verified
  • Launcher + runner Authenticode signatures re-issued with the same code-signing cert (CN=RescuePC Software); timestamp via DigiCert
  • Version surfaces (TypeScript, package.json, package-lock.json, .csproj Version + FileVersion + ProductVersion + AssemblyVersion, LicenseClient.cs appVersion + User-Agent, repairs.manifest packVersion, public/packs/latest.json, changelog) aligned to v2.4.18
  • src/app/api/client/integrity/route.ts INTEGRITY_MANIFEST v2.4.18 entry added with the NEW runner/launcher SHA256s (not carried forward from v2.4.16/v2.4.17 anymore — these are genuinely different binaries)
Security
  • No security, auth, Stripe, licensing, download token, middleware, admin dashboard, SEO, database, or Vercel config surfaces touched in this release; scope limited to desktop EXE FileVersion drift + downstream pack/ZIP re-sign + integrity manifest update.

v2.4.17

PATCH

May 10, 2026

SOP-50 repair-script style compliance: rebuild_windows_services.ps1 admin gate switched from throw to structured exit. Full pack re-sign + Standard/Free/BryanIT Enterprise ZIPs rebuilt.

Fixed
  • rebuild_windows_services.ps1 Ensure-Admin: replaced exception-based admin gate (throw) with SOP-50 structured exit (exit 2). Outer try/catch is preserved; behavior under elevation is unchanged; non-elevated launches now produce a clean exit code 2 with a logged ERROR and a yellow operator hint instead of a propagated exception.
Changed
  • Standard, Free, and BryanIT Enterprise ZIPs rebuilt and re-signed at v2.4.17 per SOP-01/SOP-32/SOP-72
  • Pack manifest + RSA-SHA256 signature regenerated; SOP-54 integrity gate verified
  • Version surfaces, pack metadata, proof bundle, and release-gate audit aligned to v2.4.17
Security
  • No security, auth, Stripe, licensing, download token, middleware, admin dashboard, SEO, database, or Vercel config surfaces touched in this release; scope limited to repair-script style compliance + release re-sign.

v2.4.16

PATCH

April 26, 2026

Repair telemetry contract closed: launcher now uploads single-repair + Fix All results to /api/client/repair-metrics/ingest with PII scrubbing (SOP-FUNNEL-02)

Added
  • LicenseClient.ReportRepairResultAsync(): launcher posts repair result metadata (scriptId, status, durationMs, exitCode, scrubbed errors) to /api/client/repair-metrics/ingest after every single repair AND every Fix All log-parser entry
  • Repair-result upload runs with a 5s timeout and never blocks or fails the user's local repair (fail-open by design — server-side observability only)
Fixed
  • SOP-AUDIT-DURABILITY: desktop launcher repair_run population unblocked. Prior versions ran repairs locally but never sent results to the server, so repair_run stayed at 0 in production
  • EULA copy aligned with actual telemetry behavior — no longer claims "no telemetry / no tracking" since metadata is now transmitted (PII-scrubbed)
Changed
  • Standard, Free, and BryanIT Enterprise ZIPs rebuilt and re-signed at v2.4.16 per SOP-01/SOP-32/SOP-72
  • Pack manifest + RSA-SHA256 signature regenerated for v2.4.16 (111 files); SOP-54 integrity gate verified
  • User-Agent: RescuePCLauncher/2.4.16 (+https://rescuepcrepairs.com); appVersion bumped across LicenseClient + MainForm
Security
  • PII scrubbing (SOP-06/SOP-18) applied to all error strings before transmission via PiiScrubber.Scrub
  • Telemetry endpoint protected by existing Zod strict-mode schema, rate limiting (SOP-08), and timing-safe comparisons
  • No SOP-79 entitlement, planCode, or license privilege logic touched; trust boundary unchanged

v2.4.15

PATCH

April 22, 2026

Fix All freeze eliminated; RUN ALL performance + correctness fixes under SOP-50/SOP-76

Fixed
  • optimize_system.ps1 and update_all_apps.ps1 now self-gate winget upgrade --all under -NoPrompt so Fix All no longer freezes on unbounded package-manager waits (SOP-76)
  • reset_file_permissions.ps1 gates expensive icacls /T recursion under -NoPrompt; previously ran 3501s in a single RUN ALL slot
  • fix_windows_corruption.ps1 short-circuits DISM ScanHealth/RestoreHealth and SFC when the image verifies healthy under -NoPrompt, while still recording batch markers for downstream dedup
  • repair_wmi.ps1 skips the stop/re-register/MOF-recompile cycle when the WMI repository verifies consistent under -NoPrompt (saves ~68s per batch)
  • fix_boot_issues.ps1 SFC now uses Test-BatchAlreadyRan / Set-BatchRanMarker dedup so a single batch never recompiles Windows corruption protection twice
  • fix_disk_health.ps1 dirty-bit detection now excludes "NOT Dirty" / "not dirty" instead of matching any "Dirty" substring
  • fix_bsod_crashes.ps1 Unicode mojibake replaced with plain ASCII Celsius marker in temperature output
  • fix_registry.ps1 excludes PS* pseudo-properties from shell extension count so results are accurate
  • collect_enterprise_triage.ps1 uses gpresult /h /f (force overwrite) so reruns succeed when an existing report is present
  • system_health_scan.ps1 Get-NetAdapter wrapped in try/catch so Invalid class errors in non-standard WMI states no longer abort the scan
  • fix_domain_time_sync.ps1 adds w32tm /register fallback when the time service is missing or cannot be started
Changed
  • Standard, Free, and BryanIT Enterprise ZIPs rebuilt and re-signed per SOP-01/SOP-32/SOP-72
  • Version metadata, launcher version surfaces, pack metadata, and published artifact URLs aligned to v2.4.15
  • Pack manifest regenerated and re-signed (RSA-SHA256, 111 files) for the current release state
Security
  • SOP-68 anti-drift gate: reset_file_permissions.ps1 removed from ALLOW_CAUTION_NO_GATE allowlist; cap tightened 27 -> 26
  • Run All compliance matrix regenerated with reset_file_permissions now self-gates=Y; all 64 Scope D regression tests pass

v2.4.14

PATCH

April 8, 2026

Release rebuild, SOP-76 script-safety cleanup, and SOP-60 integrity-manifest hardening

Fixed
  • rebuild_windows_services.ps1, disk_partition_fix.ps1, and repair_domain_trust.ps1 now self-gate destructive/caution behavior on -NoPrompt so Fix All and unattended flows stay inside SOP-76
  • repair_wsreset.ps1 removed the last forbidden wsreset.exe literal from the shipped script path while preserving the same Windows Store cache-repair behavior
  • Client integrity manifest drift closed: the current release entry is rebuilt from signed artifacts instead of shipping placeholder PENDING_BUILD hashes
Changed
  • Standard, Free, and BryanIT Enterprise ZIPs rebuilt from the current signed binaries and protected script pack
  • Version metadata, launcher version surfaces, pack metadata, and published artifact URLs aligned to v2.4.14
Security
  • Repo audit regression coverage now pins the client integrity manifest to concrete 64-character SHA-256 values for every shipped version entry

v2.4.13

PATCH

April 7, 2026

SOP-08/49/56 hardening: admin growth APIs gated, growth crons get mutual exclusion + canonical auth

Security
  • Admin growth APIs (/api/admin/growth/inbox, leaks, scorecard, pipeline) now enforce session-based requireAdmin + checkAuthRateLimit before any database read (SOP-08, SOP-49)
  • Growth follow-up cron (/api/cron/growth-followup) and growth scorecard cron (/api/cron/growth-scorecard) now route through verifyCronAuth, eliminating the inline fail-open CRON_SECRET check (SOP-08)
  • Both growth crons now acquire Postgres advisory locks (keys 560001 and 560002) using the SOP-56 canonical pg_try_advisory_lock pattern, with finally-block release and graceful skip on contention
  • SOP-56 §R-3 lock-key registry updated with the two new growth cron entries
Changed
  • Release metadata, launcher version surfaces, and pack metadata aligned to v2.4.13
  • Pack manifest regenerated and re-signed (RSA-SHA256, 111 files) for the current release state
Added
  • 36 new repo-audit regression tests pinning the SOP-08, SOP-49, and SOP-56 invariants for admin growth routes, growth crons, and the verifyCronAuth fail-closed contract
  • Governance-drift gate: any future POST/PUT/PATCH added under /api/admin/growth/** must use a zod .strict() schema and import requireAdmin or the regression suite fails

v2.4.12

PATCH

March 29, 2026

Release rebuild, Run All cleanup, integrity and compliance alignment

Changed
  • Run All excludes backup_user_data.ps1 to keep the automated chain focused on active repair operations
  • Release metadata, launcher version surfaces, and pack metadata aligned to v2.4.12
  • Current release integrity manifest now includes concrete hashes for the staged launcher, runner, and shipped modules
Fixed
  • repair_wsreset.ps1 parser failure repaired so the Fix All surface can load cleanly
  • repair_credential_manager.ps1 parser failure repaired so the shipped credential repair runs again
  • Public-facing repair-count claims aligned to the 108-script release state
Security
  • Pack manifest re-generated and re-signed for the current release
  • SOP-50 script audit restored to 0 syntax failures and 0 warnings

v2.4.8

PATCH

March 23, 2026

Full rebuild and re-sign; SOP-76 script safety fixes (Store, certificates, taskbar, Teams, WSUS)

Fixed
  • Windows Store repair: safe cache reset only (no wsreset.exe in Fix All chain)
  • Certificate repair: no CryptSvc stop; safe cache clear and root update
  • Taskbar repair: Explorer restart gated; no forced shell kill
  • Teams client repair: identity/TokenBroker steps gated behind admin + consent
  • Windows Update stack repair: no CryptSvc stop; safe service restart set
Changed
  • Standard and Free ZIPs rebuilt and re-signed for integrity (SHA256 updated in version.json after signing workstation)
  • User-Agent and version surfaces aligned to v2.4.8

v2.4.6

PATCH

March 22, 2026

Telemetry security hardening, browser repair safety, SOP-76 full audit

Security
  • Telemetry ingest now rejects unknown licenses with explicit 403 responses
  • Client telemetry bulk inserts keep nullable JSON payloads inside tagged Prisma.sql
  • All 110 scripts audited against SOP-76 session and credential safety rules
Fixed
  • Browser repair no longer wipes sessions, passwords, or sign-in state (safe cache-only clean)
  • Windows Store repair removed wsreset.exe call for SOP-76 Fix All chain compliance
  • Browser safety repair reclassified safe after full SOP-76 audit
Changed
  • Standard and Free ZIP URLs bumped to v2.4.6 with finalized SHA256 verification
  • Protected user-visible version surfaces remain enforced by release-gate and Vitest coverage

v2.4.5

PATCH

March 20, 2026

Free Edition full catalog UI, Bryan Enterprise Kit rebuild, security patches

Added
  • Free Edition now displays full repair catalog (110 repairs) with locked premium entries
  • Fix All and Run All buttons show real counts (37 / 110) with upgrade prompt in Free Edition
  • Locked repair cards show greyed styling with PRO badge and upgrade-on-click behavior
Changed
  • Free Edition manifest includes all repairs with locked flag (manifest-driven, not hardcoded)
  • Bryan Enterprise Kit rebuilt with latest signed EXEs
Security
  • Updated Next.js 16.1.6 → 16.2.1 (5 CVEs: HTTP smuggling, CSRF bypass, image cache DoS)
  • Updated flatted 3.4.1 → 3.4.2 (prototype pollution via parse())

v2.4.4

PATCH

March 15, 2026

Batch deduplication performance, funnel tracking fix, security patches

Changed
  • Batch dedup — Restore Points run once instead of 7× in batch mode
  • Batch dedup — Winsock Reset runs once instead of 8× in batch mode
  • Batch dedup — TCP/IP Reset runs once instead of 6× in batch mode
  • Batch dedup — Winget Upgrade runs once instead of 2× in batch mode
  • Batch dedup — Chkdsk runs once instead of 2× in batch mode
Fixed
  • Conversion funnel — free_scan_start now tracks on page load instead of form submit
  • Download page — added free trial CTA for visitors without a license key
  • Pricing page structured data changed from Product to SoftwareApplication (fixes GSC validation)
Security
  • Updated undici (10 CVEs: WebSocket crashes, HTTP smuggling, CRLF injection)
  • Updated flatted (1 CVE: recursion DoS in parse)

v2.4.3

PATCH

March 14, 2026

Fix 9 script failures from em-dash encoding corruption in ZIP packaging

Fixed
  • Fixed 9 PowerShell scripts that failed due to em-dash (—) encoding corruption during ZIP packaging
  • build-dist.ps1 now uses UTF-8 with BOM encoding to preserve special characters

v2.4.2

PATCH

March 13, 2026

Batch deduplication for Run All (110 scripts)

Changed
  • Batch deduplication markers added to 17 repair scripts for Run All performance
  • Run All now skips redundant operations (SFC, DISM, Winsock, TCP/IP reset) across scripts

v2.4.1

PATCH

March 13, 2026

Fix Microsoft account disconnect, GDPR validation, security audit

Fixed
  • Prevented Microsoft account disconnect during Run All Scripts batch operation
  • GDPR GET validation gap (F-N1) — DELETE-only endpoint now rejects GET requests
Security
  • Honest audit scorecard adjustments based on 356 security tests
  • 63 new hostile test cases added to security test suite

v2.4.0

MINOR

March 12, 2026

Run All Scripts button, fix_file_associations bug fix, per-repair progress UI

Added
  • Run All Scripts button — runs every manifest script with per-repair progress in the UI
  • Live status bar shows current repair name and progress count (X/N) during batch runs
  • Determinate progress bar for Run All with real completion percentage
  • Script buttons highlight yellow/green/red as each repair completes
Fixed
  • fix_file_associations.ps1 positional parameter bug caused by unescaped quotes
  • Broken summary output block at end of file associations repair
Changed
  • Mutual exclusion between Fix All and Run All buttons prevents concurrent batch runs
  • Pack re-signed with 113 verified scripts

v2.3.9

SECURITY

February 26, 2026

Admin API hardened, security telemetry, dashboard performance

Security
  • Admin API hardened — all unauthenticated responses return identical 404 (no route-existence leak)
  • system-health endpoint redacted — env var names and critical issue details no longer exposed
  • Cloudflare forensic headers (cf-ray, cf-ipcountry, user-agent) added to security telemetry
  • withAuth wrapper returns 404 for admin routes (was 401)
Changed
  • Dashboard LCP optimization for faster admin panel loading
  • Growth automation DB migrations for IP ban system
  • Clean rebuild with fresh signatures
Fixed
  • Admin API route fixes for edge cases
  • Dev environment truthfulness — Prisma logging, localhost rate limits, integrity manifest

v2.3.8

SECURITY

February 22, 2026

Security audit patches (7 fixes), SOP-50 compliance, session hardening

Security
  • IP-bind admin session tokens — stolen tokens cannot be replayed from different IPs
  • Honeypot bypass vulnerability fixed, legacy admin page removed
  • HTTPS enforcement moved before all route redirects
  • Transport security hardened (HSTS, preload)
Changed
  • SOP-50 compliance achieved (0 warnings)
  • Stale-while-revalidate caching for admin dashboard — instant tab switching with background refresh
  • Intl.NumberFormat instances cached at module scope for faster renders
Fixed
  • Admin dashboard LCP reduced from 14.6s to under 2s
  • CLS 0.25 fixed on admin dashboard
  • React hydration mismatch (Error #418) on admin dashboard resolved
  • UTF-8 mojibake in admin dashboard files repaired
  • Infinite data cache replaced with 30s TTL to prevent stale dashboard data
Added
  • Enterprise audit logging wired to 7 admin mutation routes
  • Centralized license audit logging across all creation paths
  • SOP-61 Transport Security documentation

v2.3.7

PATCH

February 17, 2026

Runner console UI polish with branded output

Changed
  • Runner console now shows branded header with version info
  • Gate verification output uses colored indicators (green pass, red fail)
  • Repair separators added between individual repair outputs for clarity
  • Summary footer with pass/fail/skip totals displayed after Fix All
  • [SUCCESS] lines now shown in green in Runner console
Fixed
  • Fix All success detection uses log-parsed results instead of exit code

v2.3.6

PATCH

February 17, 2026

Enterprise launcher UI polish and BITS deduplication

Changed
  • Launcher UI updated with 3-column layout for repair categories
  • SAFE indicator dot added to Fix All safe-chain repairs
  • Hover accent effects on repair buttons
  • Header size reduced for more visible repair area
  • BITS service repair deduplicated across scripts
Added
  • Enterprise license phone-home registration for admin dashboard visibility
  • Automated Pack Integrity Gate added to build-dist.ps1 (SOP-54 v2.0)

v2.3.5

MINOR

February 17, 2026

Telemetry foundation, security events to database, SOP hardening

Added
  • Security event telemetry written to database for audit trail
  • Pipeline run tracking for build and deploy operations
  • Email masking in logs for GDPR/privacy compliance
  • Homepage premium design system — brand palette, hero, CTAs, motion
Changed
  • WCAG AA contrast fixes across all dark-background pages
  • Homepage LCP optimized — h1 as LCP element instead of hero image
  • Critical CSS inlined via critters for faster first paint
  • Client JS bundle reduced by 206KB (Sentry tree-shaking + dedup)
Fixed
  • Homepage LCP reduced from 9s to near-zero with server-rendered hero
  • CLS 0.058 on mobile fixed with fill mode for hero image swap
  • Prisma MODULE_NOT_FOUND in dev resolved
  • Redis IP ban check skipped on static pages for faster loads
Security
  • Pack re-signed with updated script hashes (RSA-SHA256)

v2.3.4

PATCH

February 13, 2026

Security hotfix: Gate 3 hash verification, PII scrubbing, and AppLocker support

Fixed
  • Gate 3 suffix collision — security_check.ps1 no longer matches enhanced_security_check.ps1 hash during pack integrity verification
  • AppLocker/SRP policy blocks now show clear messaging instead of generic errors (error codes 1260/786)
  • build.ps1 .Count strict-mode bug fixed for single-RID builds
Added
  • Repair journal system for detecting incomplete repairs (power cuts, EDR kills)
  • ARM64 dual-publish support (-AllRuntimes switch in build pipeline)
Security
  • PII scrubbed from all server-side failure reports (client + server defense-in-depth)
  • Pack re-signed with updated script hashes (83 files RSA-SHA256)

v2.3.3

PATCH

February 11, 2026

Critical INTERNAL_ERROR fix and server-side hardening

Fixed
  • P0: INTERNAL_ERROR on license verification caused by withAuth tenant cleanup regression
  • Pre-deploy health check now runs automatically before production deploys
  • Runner.exe filters spinner/progress noise from winget, DISM, SFC output
  • update_all_drivers.ps1 no longer flags 186 false-positive devices on healthy systems
Security
  • Rate limit bypass via spoofed IP headers closed (8 files hardened)
  • /api/license-verify now fail-closed when rate limiter errors
  • /api/status and /api/health rate limits tightened (300/min → 60/min)
  • Pack re-signed with updated script hashes (83 files RSA-SHA256)
Changed
  • FTC compliance — homepage testimonial cards reframed as illustrative examples

v2.3.2

PATCH

February 8, 2026

Hash-only license lookup and webhook reliability

Changed
  • License verification switched to hash-only lookup (plaintext keys no longer stored)
  • API endpoints split for cleaner routing and maintainability
Fixed
  • Webhook retry guard prevents duplicate Stripe event processing
Security
  • Pack re-signed with updated script hashes (83 files RSA-SHA256)

v2.3.1

PATCH

February 5, 2026

Security check reliability fix

Fixed
  • Fixed security_check.ps1 failing with exit code 1 during Fix All
  • Wrapped Get-WindowsOptionalFeature, Get-BitLockerVolume, Get-NetFirewallRule, Get-LocalUser, Get-ExecutionPolicy in try/catch blocks
  • Security audit now gracefully handles missing Windows features (e.g., BitLocker on Home editions)

v2.3.0

MINOR

February 2, 2026

Professional logging, 4-Gate verification, and bug fixes

Fixed
  • Fixed -LogPath parameter bug in RunRepair.ps1 (was causing all repairs to fail)
  • Removed "View Log" popup after each repair (status now in status bar)
Added
  • Professional SOP-06 compliant log header with machine info and timestamps
  • 4-Gate verification logging (Pack Signature, Whitelist, Hash, License)
  • Actionable Advice section in HTML batch reports
Changed
  • Professional status messaging ("OPTIMIZATION COMPLETE" instead of "TERMINATED")
  • All scripts and EXEs signed with RescuePC Software certificate

v2.2.3

PATCH

January 26, 2026

Fix All reliability and -NoPrompt parameter support

Fixed
  • Fix All reporting 48 failed repairs when all actually succeeded (exit code parsing bug)
  • Batch report now correctly counts pass/fail/skip totals
Added
  • -NoPrompt parameter for all repair scripts (enables silent enterprise deployment)
  • Fix All safe chain expanded to 37 repairs (diagnostics/overlaps removed for speed)

v2.2.1

PATCH

January 25, 2026

WiFi killer bug fix and display repair safety

Fixed
  • WiFi killer bug in fix_network.ps1 (now detects WiFi and skips dangerous operations)
  • Disk health .Count error when single drive present
Changed
  • fix_display removed from Fix All (GPU disable can cause black screen on laptops)
  • fix_display risk level changed from low to medium

v2.1.6

MINOR

January 21, 2026

Enterprise Gold Master release with EDR rollback protection

Added
  • EDR rollback protection for 9 critical scripts
  • Service restart guarantees with try/finally pattern
  • Audio service dependency chain protection
  • Legacy OS detection (Windows 7/8.1 warnings)
  • S Mode and ARM64 detection
  • BitLocker safety checks before disk operations
  • AppLocker/WDAC detection
  • Long path support (260+ characters)
  • Zone.Identifier auto-unblock for downloaded ZIPs
  • PII scrubber for HIPAA/GDPR compliance
Changed
  • Improved fix_network.ps1 with Dhcp service protection
  • Enhanced fix_disk_health.ps1 with 7 safety checks
  • Better diagnose_performance.ps1 service detection (10 critical services only)
  • Standardized JSON output via RescuePC.ScriptOutput.psm1
Fixed
  • Network brick prevention (Dhcp service always restarts)
  • False positives from vendor services (ASUS, Edge, etc.)
  • Success masking in fix_network.ps1 (now reports step counts)
  • SystemUtils.psm1 module path resolution
Security
  • Manifest-driven execution with repairId validation
  • Path traversal protection in Runner.exe
  • Script whitelisting via repairs.manifest.json

v2.1.5

PATCH

January 15, 2026

Zone.Identifier auto-unblock for downloaded ZIP files

Added
  • Self-healing Zone.Identifier removal at startup
  • Win32 DeleteFile API for ADS removal
  • Unblock logging to logs/unblock.log
Fixed
  • Fix All completing instantly with no repairs (Zone.Identifier blocking scripts)
  • PowerShell execution policy bypass for downloaded files

v2.1.0

MINOR

January 5, 2026

C# launcher with two-process security model

Added
  • RescuePC Repairs.exe - Modern C# WinForms UI
  • RescuePC.Runner.exe - Elevated admin helper
  • Manifest-driven script execution
  • UAC elevation only when needed
  • Self-contained .NET 8 deployment
Changed
  • Migrated from PS2EXE to native C# launcher
  • Improved startup time (no PowerShell host initialization)
  • Reduced false positives from antivirus
Security
  • Repair ID validation against manifest whitelist
  • Path traversal attack prevention
  • Script execution only from approved directory

v1.5.0

MINOR

December 7, 2025

New RescueDriver unified driver management, enhanced security checks

Added
  • RescueDriver - Unified driver management with Windows Update integration
  • SHA-256 hash verification for all downloads
  • Enhanced Security Check with deeper malware scanning
  • Trust Center page with security documentation
  • Comprehensive legal pages (Privacy, EULA, Terms)
Changed
  • Improved GUI layout with better button sizing
  • Updated icons for all repair tools
  • Faster startup time with optimized loading
Fixed
  • Fixed mobile hamburger menu not appearing
  • Fixed header overlap on first row of buttons
  • Resolved UTF-8 encoding issues in GUI
Security
  • Added script whitelisting to prevent unauthorized execution
  • Implemented rate limiting on license API
  • Enhanced input validation across all endpoints

v1.4.0

MINOR

November 28, 2025

License activation system and admin dashboard

Added
  • License activation and verification system
  • Admin dashboard for license management
  • Stripe payment integration
  • Email delivery for license keys via Resend
Changed
  • Redesigned pricing page with tier comparison
  • Improved error messages for failed activations
Fixed
  • Fixed network repair script timeout issues
  • Resolved Windows Update reset edge cases

v1.3.0

MINOR

November 15, 2025

New repair scripts and performance optimizations

Added
  • Disk Partition Fix tool
  • Audio Repair utility
  • Startup Issues fixer
  • Suspicious Files scanner
Changed
  • Optimized System Health Check for faster scans
  • Reduced memory footprint during repairs
Fixed
  • Fixed false positives in bloatware detection
  • Resolved logging issues on Windows 7

v1.2.0

MINOR

October 30, 2025

Windows 11 24H2 support

Added
  • Full Windows 11 24H2 compatibility
  • New Boost Performance tool
  • Cleanup Bloat utility for removing pre-installed apps
Changed
  • Updated all scripts for Windows 11 compatibility
  • Improved detection of Windows version

v1.1.0

MINOR

October 15, 2025

Network repair tools and GUI improvements

Added
  • Fix Network tool with DNS reset
  • Windows Update Reset utility
  • Rebuild Windows Services tool
Changed
  • New modern GUI design
  • Tabbed interface for better organization
Fixed
  • Fixed script execution on non-admin accounts
  • Resolved path issues with spaces in folder names

v1.0.0

MAJOR

October 1, 2025

Initial release of RescuePC Toolkit

Added
  • System Health Check diagnostic tool
  • Advanced System Repair utility
  • Remove Temp Files cleaner
  • Optimize System performance tool
  • Security Check scanner
  • Backup User Data utility
  • Professional Windows Forms GUI
  • Support for Windows 7, 8, 8.1, 10, and 11

All releases are tested on Windows 7, 8, 8.1, 10, and 11 before publication.

SHA-256 checksums are available for all downloads on the download page.