# MrTrust Integration Prompt Use this prompt in another Windows project when you want Codex or another agent to add MrTrust support. Before changing the target project, read: - `mrtrust.integration.json` - `docs/agent-target-integration.md` ```text Integrate MrTrust support into this Windows project. Goal: - Users should be able to run MrTrust once to trust software from MrSphay on their own PC. - The project must not disable Defender, SmartScreen, UAC, or Windows security policy. - All trust changes must be visible and require explicit user confirmation. Agent contract: - You are modifying the target Windows project, not MrTrust itself. - Use `mrtrust.integration.json` and `docs/agent-target-integration.md` as the authoritative integration contract. - Add MrTrust as a visible, optional trust-onboarding path for users. - Add or update the target project's release/signing pipeline so produced Windows artifacts are signed. - Do not mark the task complete after only copying documentation. The target project needs user-facing integration and signing support where applicable. Implementation requirements: - Add a docs section that explains MrTrust and links to or bundles the MrTrust release ZIP. - Treat `MrTrust.exe` from the release ZIP as the user-facing integration point. Do not require users to copy or run MrTrust PowerShell source files. - Add a build or release signing step that signs Windows artifacts with the MrSphay code-signing certificate. - Do not commit any .pfx file, private key, certificate password, or signing secret. - If the project has an installer, add an optional "Open MrTrust" action that runs: .\MrTrust\MrTrust.exe - Prefer CurrentUser certificate installation by default. - Only offer LocalMachine installation when the user explicitly chooses an all-users install and the process is elevated. - Add an uninstall path or documentation that opens MrTrust again and tells the user to choose "Remove trust". - Keep the UI wording clear: the user is trusting MrSphay signed software, not bypassing Windows security. - If this project produces an .exe, .msi, .dll, or .cat release artifact on an Ubuntu Gitea runner, sign it with: bash ./MrTrust/scripts/Sign-MrTrustProjectLinux.sh - Treat the certificate thumbprint as public metadata, but never commit private signing material. - Configure Gitea secrets `MRTRUST_CODESIGN_PFX_BASE64` and `MRTRUST_CODESIGN_PFX_PASSWORD` for Ubuntu runner signing. - If the target project needs .ps1, .psm1, or .psd1 signing, use a Windows signing environment or document that script signing is not available on the current Ubuntu-only runners. - Do not put private signing material into the target repository or user-facing release ZIP. Verification: - Confirm the target project's user-facing release contains either a link to the MrTrust release ZIP or a bundled copy of `MrTrust.exe`. - Confirm unsigned builds still show as unsigned. - Confirm signed builds validate after MrTrust installation. - Confirm the MrTrust certificate can be removed again. - Confirm no private signing material is present in the repository or release artifact. ```