Control Plane: replace remaining upstream runtime identity leaks with explicit engine provenance #32

@mdheller

Context

The SourceOS control-plane manifests and verifier now enforce BearBrowser product identity for the app bundle, native launcher, Homebrew command surface, doctor path, and macOS shell CI.

The next product-hardening pass is to audit remaining runtime surfaces where upstream engine names such as LibreWolf, Firefox, Mozilla, and Gecko may still appear. These terms are allowed as provenance, source, license, and upstream-mirror metadata. They must not appear as the user-facing product identity.

Scope

Create an explicit engine-provenance boundary for remaining runtime surfaces.

Deliverables

  • Inventory remaining product/runtime surfaces where upstream names can appear.
  • Classify each occurrence as one of:
    • allowed provenance/source/license metadata
    • allowed developer/upstream mirror context
    • forbidden product identity leak
    • intentionally deferred binary/runtime identity that needs a follow-up lane
  • Extend scripts/verify-sourceos-control-plane.py or add a companion verifier to scan product-surface files.
  • Add/adjust fixtures or docs so the allowed/forbidden distinction is machine-checkable.
  • Ensure Homebrew formula tests and bearbrowser-doctor continue to run the verifier.

Acceptance criteria

  • BearBrowser remains the product identity across app, launcher, doctor, Homebrew command surface, and manifest surfaces.
  • Upstream engine names are only accepted in explicit provenance/source/license/upstream-mirror contexts.
  • New verifier output explains any remaining deferred identity surfaces.
  • CI/manual validation command is documented.

Non-goals

  • Rebuilding the full browser binary.
  • Removing legal/license attribution.
  • Hiding upstream provenance from users.

Validation

Run:

python3 scripts/verify-sourceos-control-plane.py
bearbrowser-verify-control-plane
bearbrowser-doctor

Record CI or local validation output before closing.
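
The four-way classification from the deliverables, sketched as a scanner. This is an added example, not the project's verifier or code from the repository: the path prefixes, the manifest keys, the `identity-deferred:` marker and the sample files are all assumptions made for illustration.

```python
import re
from typing import NamedTuple

UPSTREAM = re.compile(r"\b(librewolf|firefox|mozilla|gecko)\b", re.IGNORECASE)
# Assumed policy (not from the project): where upstream names are acceptable.
PROVENANCE_PATHS = ("LICENSE", "NOTICE", "docs/provenance/")
MIRROR_PATHS = ("upstream-mirror/",)
PROVENANCE_KEYS = re.compile(r'^\s*"?(engine_provenance|upstream_source|license)"?\s*[:=]')
DEFERRED = re.compile(r"identity-deferred:\s*(.+)$")  # hypothetical inline marker

class Finding(NamedTuple):
    path: str
    line_no: int
    term: str
    verdict: str  # provenance | mirror | deferred | leak
    note: str     # reason text, only set for deferred surfaces

def classify(path, line):
    if path.startswith(MIRROR_PATHS):
        return "mirror", ""
    if path.startswith(PROVENANCE_PATHS) or PROVENANCE_KEYS.search(line):
        return "provenance", ""
    m = DEFERRED.search(line)
    return ("deferred", m.group(1).strip()) if m else ("leak", "")

def scan(files):
    """files: {relative path: text}. Returns one Finding per upstream-name hit."""
    return [Finding(path, n, hit.group(0), *classify(path, line))
            for path, text in sorted(files.items())
            for n, line in enumerate(text.splitlines(), 1)
            for hit in UPSTREAM.finditer(line)]

def report(findings):
    """Print deferred and leaked surfaces; exit status 1 if any leak remains."""
    for f in findings:
        if f.verdict in ("deferred", "leak"):
            print(f"{f.verdict.upper()} {f.path}:{f.line_no} {f.term!r} {f.note}".rstrip())
    return int(any(f.verdict == "leak" for f in findings))

# Constructed sample files, not taken from the repository.
SAMPLE = {
    "manifest/product.json": '{\n  "product_name": "BearBrowser",\n'
        '  "engine_provenance": "LibreWolf (Gecko)",\n  "window_title": "Mozilla Firefox"\n}',
    "launcher/run.sh": 'exec ./librewolf "$@"  # identity-deferred: binary rename lane\n',
    "LICENSE": "Portions derived from Mozilla Firefox under MPL-2.0.\n",
    "upstream-mirror/README.md": "Mirror of LibreWolf sources.\n",
}

if __name__ == "__main__":
    raise SystemExit(report(scan(SAMPLE)))
```

Anything that is neither in an allowed context nor explicitly marked as deferred is treated as a leak, so a new surface fails the check by default rather than passing silently.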
