{
  "schemaVersion": 1,
  "name": "MrTrust",
  "purpose": "Add explicit MrSphay trust onboarding and signing support to Windows target projects.",
  "sourceRepository": "https://git.wilkensxl.de/MrSphay/MrTrust",
  "releasePage": "https://git.wilkensxl.de/MrSphay/MrTrust/releases",
  "userFacingReleaseArtifact": {
    "fileName": "MrTrust.exe",
    "releaseZipNamePattern": "MrTrust-<version>.zip",
    "recommendedBundledPath": "MrTrust\\MrTrust.exe",
    "distribution": "Bundle this file directly or link to the MrTrust release ZIP.",
    "launchCommand": ".\\MrTrust\\MrTrust.exe",
    "removeTrustInstruction": "Open MrTrust and choose Remove trust."
  },
  "certificate": {
    "publisher": "MrSphay",
    "publicThumbprint": "A024A89200469F099EC4A172B4F96F6428AFD41B",
    "defaultTrustScope": "CurrentUser",
    "allUsersTrustScope": "LocalMachine",
    "privateMaterialPolicy": "Never commit .pfx files, private keys, passwords, tokens, or signing secrets."
  },
  "signing": {
    "supportedExtensions": [
      ".exe",
      ".msi",
      ".dll",
      ".ps1",
      ".psm1",
      ".psd1",
      ".cat"
    ],
    "ubuntuRunner": {
      "supportedExtensions": [
        ".exe",
        ".msi",
        ".dll",
        ".cat"
      ],
      "requiredTool": "osslsigncode",
      "helperScript": "scripts/Sign-MrTrustProjectLinux.sh",
      "requiredSecrets": [
        "MRTRUST_CODESIGN_PFX_BASE64",
        "MRTRUST_CODESIGN_PFX_PASSWORD"
      ],
      "preferredCommand": "bash ./MrTrust/scripts/Sign-MrTrustProjectLinux.sh <artifact-path>"
    },
    "windowsRunner": {
      "supportedExtensions": [
        ".exe",
        ".msi",
        ".dll",
        ".ps1",
        ".psm1",
        ".psd1",
        ".cat"
      ],
      "preferredCommand": ".\\MrTrust\\MrTrust.exe sign -Path <artifact-path> -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B"
    },
    "preferredCommand": "bash ./MrTrust/scripts/Sign-MrTrustProjectLinux.sh <artifact-path>",
    "ciGuidance": "On ubuntu-latest runners, sign PE/MSI/CAT artifacts with osslsigncode using a PFX stored in Gitea secrets. Use Windows runners only when signing PowerShell scripts or when Windows certificate store signing is required.",
    "unsignedBehavior": "Unsigned builds should remain unsigned. MrTrust only makes correctly signed MrSphay artifacts validate after the user has installed trust."
  },
  "targetProjectAgentContract": {
    "modifyTargetProject": true,
    "requiredOutcomes": [
      "Expose a visible optional Open MrTrust or trust setup path.",
      "Link to or bundle the standalone MrTrust.exe.",
      "Sign Windows release artifacts when the target project produces supported artifact types.",
      "Document how users install and remove MrTrust trust.",
      "Verify no private signing material is present in the target repository or release artifacts."
    ],
    "forbiddenOutcomes": [
      "Do not silently install certificates.",
      "Do not bypass Defender, SmartScreen, UAC, firewall, or Windows security policy.",
      "Do not claim MrTrust makes unsigned software trusted.",
      "Do not commit private signing material."
    ],
    "fallbackWhenNoInstallerExists": [
      "Add release documentation that links to or bundles MrTrust.exe.",
      "Add a release signing step for supported Windows artifacts.",
      "Add verification notes explaining that the app starts normally after the user installs MrTrust and the artifact signature validates."
    ]
  },
  "agentRunbook": "docs/agent-target-integration.md",
  "prompt": "docs/integration-prompt.md"
}