# MrTrust Integration Prompt Use this prompt in another Windows project when you want Codex or another agent to add MrTrust support. Before changing the target project, read: - `mrtrust.integration.json` - `docs/agent-target-integration.md` ```text Integrate MrTrust support into this Windows project. Goal: - Users should be able to run MrTrust once to trust software from MrSphay on their own PC. - The project must not disable Defender, SmartScreen, UAC, or Windows security policy. - All trust changes must be visible and require explicit user confirmation. Agent contract: - You are modifying the target Windows project, not MrTrust itself. - Use `mrtrust.integration.json` and `docs/agent-target-integration.md` as the authoritative integration contract. - Add MrTrust as a visible, optional trust-onboarding path for users. - Add or update the target project's release/signing pipeline so produced Windows artifacts are signed. - Do not mark the task complete after only copying documentation. The target project needs user-facing integration and signing support where applicable. Implementation requirements: - Add a docs section that explains MrTrust and links to or bundles the MrTrust release ZIP. - Treat `MrTrust.exe` from the release ZIP as the user-facing integration point. Do not require users to copy or run MrTrust PowerShell source files. - Add a build or release signing step that signs Windows artifacts with the MrSphay code-signing certificate. - Do not commit any .pfx file, private key, certificate password, or signing secret. - If the project has an installer, add an optional "Open MrTrust" action that runs: .\MrTrust\MrTrust.exe - Prefer CurrentUser certificate installation by default. - Only offer LocalMachine installation when the user explicitly chooses an all-users install and the process is elevated. - Add an uninstall path or documentation that opens MrTrust again and tells the user to choose "Remove trust". - Keep the UI wording clear: the user is trusting MrSphay signed software, not bypassing Windows security. - If this project produces an .exe, .msi, .dll, .ps1, .psm1, .psd1, or .cat release artifact, sign it with: .\MrTrust\MrTrust.exe sign -Path -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B - Treat the certificate thumbprint as public metadata, but never commit private signing material. - If the target project needs automated signing, call MrTrust's signing script from CI or a secure local release machine where the private certificate is already installed or supplied through secrets. Do not put private signing material into the target repository or user-facing release ZIP. Verification: - Confirm the target project's user-facing release contains either a link to the MrTrust release ZIP or a bundled copy of `MrTrust.exe`. - Confirm unsigned builds still show as unsigned. - Confirm signed builds validate after MrTrust installation. - Confirm the MrTrust certificate can be removed again. - Confirm no private signing material is present in the repository or release artifact. ```