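<#
.SYNOPSIS
    Removes the MrTrust root and code-signing certificates from the Windows certificate stores.

.DESCRIPTION
    Loads the public certificate files given by -CertificatePath and -PublisherCertificatePath,
    refuses to proceed unless their subject begins with "CN=MrSphay", lists what will be removed,
    asks for an interactive confirmation, and then deletes every entry in the selected scope's
    Root and TrustedPublisher stores whose thumbprint matches the supplied file.

    Matching is by thumbprint only, so an unrelated store entry is never touched. The subject
    check is a guard against pointing the script at the wrong .cer file, not an authenticity
    check: any certificate can carry that subject.

.PARAMETER CertificatePath
    Path to the public (.cer) MrTrust root certificate. Must exist.

.PARAMETER PublisherCertificatePath
    Path to the public (.cer) MrTrust code-signing certificate. Optional: when the file is
    absent only the root certificate is removed.

.PARAMETER Scope
    Certificate store scope, CurrentUser (default) or LocalMachine. LocalMachine requires an
    elevated session.

.PARAMETER Force
    Skip the interactive "Type REMOVE to continue" confirmation. -WhatIf / -Confirm from
    SupportsShouldProcess still govern the actual Remove-Item calls.

.OUTPUTS
    None. Progress is written to the host. Exit code 1 when the user declines the confirmation.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CertificatePath = ".\assets\certificates\MrSphay-LocalTrust-Root.cer",
    [string]$PublisherCertificatePath = ".\assets\certificates\MrSphay-CodeSigning.cer",
    [ValidateSet("CurrentUser", "LocalMachine")]
    [string]$Scope = "CurrentUser",
    [switch]$Force
)

$ErrorActionPreference = "Stop"

# Subject prefix every MrTrust certificate is expected to carry (see .DESCRIPTION:
# this is a sanity guard for the input file, not an identity check).
$expectedSubjectPrefix = "CN=MrSphay"

# Resolve a relative or PSDrive path to an absolute provider path without requiring it to exist.
function Resolve-FullPath {
    param([Parameter(Mandatory)][string]$Path)
    $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
}

# True when the current Windows identity holds the built-in Administrator role.
function Test-IsAdministrator {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Load a public certificate file and return it, or throw if its subject does not start
# with the MrTrust prefix. $Kind ("root" / "publisher") only labels the error message.
function Import-TrustedCertificateFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Kind
    )
    $certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    if (-not $certificate.Subject.StartsWith($expectedSubjectPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        $subject = $certificate.Subject
        $certificate.Dispose()
        throw "Refusing to remove using an unexpected $Kind certificate subject: $subject"
    }
    $certificate
}

# Fail early with a clear message: LocalMachine stores are not writable from an unelevated session.
if ($Scope -eq "LocalMachine" -and -not (Test-IsAdministrator)) {
    throw "LocalMachine removal requires an elevated PowerShell session. Use -Scope CurrentUser or run as Administrator."
}

$resolvedCertificatePath = Resolve-FullPath $CertificatePath
if (-not (Test-Path -LiteralPath $resolvedCertificatePath)) {
    throw "Certificate file not found: $resolvedCertificatePath. Provide -CertificatePath to the public MrTrust certificate."
}

$rootCertificate = Import-TrustedCertificateFile -Path $resolvedCertificatePath -Kind "root"
$publisherCertificate = $null
try {
    # The publisher certificate is optional: when the file is missing only the root entry is removed.
    $resolvedPublisherCertificatePath = Resolve-FullPath $PublisherCertificatePath
    if (Test-Path -LiteralPath $resolvedPublisherCertificatePath) {
        $publisherCertificate = Import-TrustedCertificateFile -Path $resolvedPublisherCertificatePath -Kind "publisher"
    }

    # One removal target per store; entries are matched by thumbprint only.
    $targets = @(
        [pscustomobject]@{ Store = "Cert:\$Scope\Root"; Thumbprint = $rootCertificate.Thumbprint }
    )
    if ($publisherCertificate) {
        $targets += [pscustomobject]@{ Store = "Cert:\$Scope\TrustedPublisher"; Thumbprint = $publisherCertificate.Thumbprint }
    }

    Write-Host "MrTrust will remove this certificate from scope '$Scope':"
    Write-Host " Root subject: $($rootCertificate.Subject)"
    Write-Host " Root thumbprint: $($rootCertificate.Thumbprint)"
    if ($publisherCertificate) {
        Write-Host " Publisher subject: $($publisherCertificate.Subject)"
        Write-Host " Publisher thumbprint: $($publisherCertificate.Thumbprint)"
    }
    Write-Host ""

    # Interactive confirmation, case-sensitive on purpose. Skipped with -Force, and under
    # -WhatIf because ShouldProcess will decline every removal anyway.
    if (-not $Force -and -not $WhatIfPreference) {
        $answer = Read-Host "Type REMOVE to continue"
        if ($answer -cne "REMOVE") {
            Write-Host "Removal cancelled."
            exit 1
        }
    }

    $matchedCount = 0
    $removedCount = 0
    foreach ($target in $targets) {
        # @() keeps .Count meaningful for zero or one match.
        $matchingCertificates = @(Get-ChildItem -Path $target.Store | Where-Object { $_.Thumbprint -eq $target.Thumbprint })
        $matchedCount += $matchingCertificates.Count
        foreach ($matchingCertificate in $matchingCertificates) {
            # ShouldProcess honours -WhatIf / -Confirm; a declined entry counts as matched, not removed.
            if ($PSCmdlet.ShouldProcess($target.Store, "Remove MrTrust certificate $($matchingCertificate.Thumbprint)")) {
                Remove-Item -LiteralPath $matchingCertificate.PSPath
                $removedCount++
            }
        }
    }

    # Report what actually happened rather than an unconditional success line
    # (the stores may have held no matching entry, or -WhatIf may have declined every removal).
    if ($matchedCount -eq 0) {
        Write-Host "No MrTrust certificate found in scope '$Scope'; nothing was removed."
    }
    else {
        Write-Host "Removed $removedCount of $matchedCount matching MrTrust certificate(s) from scope '$Scope'."
    }
}
finally {
    # X509Certificate2 wraps an unmanaged handle; release both objects whether the script
    # completed normally or threw.
    if ($publisherCertificate) { $publisherCertificate.Dispose() }
    $rootCertificate.Dispose()
}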