MrTrust/docs/integration-prompt.md

MrTrust Integration Prompt

Use this prompt in another Windows project when you want Codex or another agent to add MrTrust support.

Integrate MrTrust support into this Windows project.

Goal:
- Users should be able to run MrTrust once to trust software from MrSphay on their own PC.
- The project must not disable Defender, SmartScreen, UAC, or Windows security policy.
- All trust changes must be visible and require explicit user confirmation.

Implementation requirements:
- Add a docs section that explains MrTrust and links to or bundles the MrTrust release ZIP.
- Add a build or release signing step that signs Windows artifacts with the MrSphay code-signing certificate.
- Do not commit any .pfx file, private key, certificate password, or signing secret.
- If the project has an installer, add an optional "Open MrTrust" action that runs:
  powershell.exe -ExecutionPolicy Bypass -File .\MrTrust\MrTrust.ps1 gui
- Prefer CurrentUser certificate installation by default.
- Only offer LocalMachine installation when the user explicitly chooses an all-users install and the process is elevated.
- Add an uninstall path or documentation that runs:
  powershell.exe -ExecutionPolicy Bypass -File .\MrTrust\MrTrust.ps1 uninstall
- Keep the UI wording clear: the user is trusting MrSphay signed software, not bypassing Windows security.
- If this project produces an .exe, .msi, .dll, .ps1, .psm1, .psd1, or .cat release artifact, sign it with:
  powershell.exe -ExecutionPolicy Bypass -File .\MrTrust\MrTrust.ps1 sign -Path <artifact-path> -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B
- Treat the certificate thumbprint as public metadata, but never commit private signing material.

Verification:
- Confirm unsigned builds still show as unsigned.
- Confirm signed builds validate after MrTrust installation.
- Confirm the MrTrust certificate can be removed again.
- Confirm no private signing material is present in the repository or release artifact.