# Agent Instructions For MrTrust

MrTrust manages explicit Windows certificate trust for MrSphay software.

## Security Boundaries

- Do not add Defender, SmartScreen, UAC, firewall, or policy bypasses.
- Do not add silent certificate installation.
- Do not commit `.pfx`, private keys, passwords, tokens, or signing secrets.
- Default to `CurrentUser` certificate stores. Use `LocalMachine` only when the user explicitly chooses all-user trust.
- Keep all user-facing trust actions reversible.

## Repository Layout

- `scripts/` contains the PowerShell implementation.
- `assets/certificates/` contains public certificates only.
- `private/` is ignored and may contain local signing material.
- `docs/integration-prompt.md` is the prompt for adding MrTrust to other projects.
- `docs/security-model.md` documents the intended behavior and limits.
- `MrTrust.exe` is the user-facing standalone trust installer. The PowerShell scripts are source/build internals.

## Verification

Before finishing changes, run:

```powershell
$scripts = Get-ChildItem .\scripts -Filter *.ps1
foreach ($script in $scripts) {
    $tokens = $null
    $errors = $null
    [System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$tokens, [ref]$errors) | Out-Null
    if ($errors) { throw $errors }
}
git diff --check
```
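
The rules above that forbid committing `.pfx` files or private keys and that keep `assets/certificates/` public-only can be checked mechanically. The following is an added example, not part of MrTrust's own scripts; the extension list, the PEM marker pattern, the 1 MB size limit, and running from the repository root are assumptions, and it does not detect passwords or tokens.

```powershell
# Added example: fail if tracked files look like private signing material.
# Assumes the current directory is the repository root.
$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]
$secretExtensions = '.pfx', '.p12', '.key', '.pvk', '.snk'   # assumed list

foreach ($path in (git ls-files)) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $file = Get-Item -LiteralPath $path

    if ($secretExtensions -contains $file.Extension.ToLowerInvariant()) {
        $findings.Add("$path : extension reserved for private key material")
    }

    # PEM-armored private keys hidden in any small tracked file
    if ($file.Length -lt 1MB -and
        (Select-String -LiteralPath $file.FullName -Pattern '-----BEGIN [A-Z ]*PRIVATE KEY-----' -Quiet)) {
        $findings.Add("$path : contains a PEM private key block")
    }
}

# assets/certificates/ must hold certificates only, never PKCS#12 containers,
# whatever the file extension claims.
$certDir = Join-Path $PWD 'assets\certificates'
if (Test-Path -LiteralPath $certDir) {
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $pfx  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    foreach ($file in Get-ChildItem -LiteralPath $certDir -File -Recurse) {
        try {
            $type = $x509::GetCertContentType($file.FullName)
        } catch {
            $findings.Add("$($file.FullName) : not a recognizable certificate file")
            continue
        }
        if ($type -eq $pfx) {
            $findings.Add("$($file.FullName) : PKCS#12 container, may carry a private key")
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw "$($findings.Count) possible secret(s) in tracked files"
}
```

Because it reads `git ls-files`, the check ignores the untracked `private/` directory and reports only what would actually be committed.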