webgl: ship only the GPU buckets that pass tampering_ml + decouple render-noise seed

Cut the per-seed WebGL persona to the two renderer buckets that score clean on
FP Pro tampering_ml across seeds (AMD Radeon R9 200 Series and Intel Arc A750),
weighted 70/30, cross-vendor so the fleet isn't one fixed GPU. Every NVIDIA
bucket and the integrated/ancient Intel buckets are penalised, so they're out.

The canvas/WebGL render-image hash turned out to be the dominant tampering_ml
driver, not the attributes, so the render-noise seed (zoom.stealth.fpp.hw_seed)
is now decoupled from the identity seed and drawn from a calibrated clean pool.
Per-seed determinism and per-user diversity are preserved.

Also in this change:
- audio maxChannelCount is stereo-dominant per class (it reflects the output
  device, not the GPU; the old tables over-emitted 5.1/7.1 surround)
- route discrete Intel Arc desktop cards to a discrete-GPU class (not integrated)
- condition the whole sampled profile on the exposed GPU class via the sampler's
  evidence path, so cores/screen/storage stay coherent with the declared GPU
- apply per-named-font width factors on Windows/macOS so canvas measureText
  widths don't collapse to a single value

12/12 seeds clean on tampering_ml (worst 0.29), bot and anti-detect negative,
and the fingerprint stays identical across repeated runs of the same seed.

tests/test_integration.py

@@ -289,8 +289,10 @@ def test_windows_virtual_display_with_socks_proxy(monkeypatch):
     assert prefs["security.sandbox.gpu.level"] == 0  # virtual_display branch
     assert prefs["network.proxy.type"] == 1          # SOCKS branch
     assert prefs["network.proxy.socks"] == "127.0.0.1"
-    # Windows still has the renderer cleared.
-    assert prefs["zoom.stealth.webgl.renderer"] == ""
+    # Windows exposes a validated persona renderer (calibrated clean bucket),
+    # not empty/native — see _webgl_personas.
+    assert prefs["zoom.stealth.webgl.renderer"].startswith("ANGLE (")
+    assert prefs["zoom.stealth.webgl.renderer"].rstrip().endswith(", D3D11)")
 
 
 # ──────────────────────────────────────────────────────────────────────

tests/test_prefs.py

@@ -15,12 +15,18 @@ from invisible_playwright.prefs import (
 
 @pytest.mark.unit
 def test_translate_includes_gpu_renderer_windows(monkeypatch):
-    """On Windows, renderer/vendor are cleared so ANGLE reports native hardware."""
+    """On Windows we falsify the GPU to one of the calibrated CLEAN buckets (FP Pro
+    tampering_ml<=0.5 on every seed; sweep 2026-06-14). Only Radeon R9 200 Series and
+    Intel Arc A750 ship — every NVIDIA/iGPU/945 bucket is penalized. See _webgl_personas."""
     monkeypatch.setattr(sys, "platform", "win32")
+    _CLEAN = {
+        "ANGLE (AMD, AMD Radeon R9 200 Series Direct3D11 vs_5_0 ps_5_0, D3D11)",
+        "ANGLE (Intel, Intel(R) Arc(TM) A750 Graphics Direct3D11 vs_5_0 ps_5_0, D3D11)",
+    }
     p = generate_profile(seed=42)
     prefs = translate_profile_to_prefs(p)
-    assert prefs["zoom.stealth.webgl.renderer"] == ""
-    assert prefs["zoom.stealth.webgl.vendor"] == ""
+    assert prefs["zoom.stealth.webgl.renderer"] in _CLEAN
+    assert prefs["zoom.stealth.webgl.vendor"] in {"Google Inc. (AMD)", "Google Inc. (Intel)"}
 
 
 @pytest.mark.unit
@@ -82,10 +88,15 @@ def test_accept_language_underscore_normalized():
 
 
 @pytest.mark.unit
-def test_font_metrics_windows_returns_empty(monkeypatch):
-    # FM2: Windows never applies width-scale factors.
+def test_font_metrics_windows_applies_named_factors(monkeypatch):
+    # FM2: Windows/mac apply the per-NAMED-font factors (so whitelisted named
+    # families don't collapse to the list-head width on the canvas measureText
+    # path), but WITHOUT the Linux generic-family compensation (generics bypass
+    # the whitelist and render native there).
     monkeypatch.setattr(sys, "platform", "win32")
-    assert _font_metrics_for_platform("Arial|1.0,Verdana|0.9,") == ""
+    out = _font_metrics_for_platform("Arial|1.0,Verdana|0.9,")
+    assert out == "Arial|1.0,Verdana|0.9,"
+    assert "sans-serif|" not in out  # no generic compensation on Windows
 
 
 @pytest.mark.unit
@@ -100,13 +111,14 @@ def test_font_metrics_empty_input_returns_empty():
 
 
 @pytest.mark.unit
-def test_gpu_renderer_empty_on_windows(monkeypatch):
-    # PG2
+def test_gpu_renderer_persona_on_windows(monkeypatch):
+    # PG2: Windows exposes a validated persona renderer (well-formed ANGLE bucket, NOT empty/native).
     monkeypatch.setattr(sys, "platform", "win32")
     p = generate_profile(seed=42)
     prefs = translate_profile_to_prefs(p)
-    assert prefs["zoom.stealth.webgl.renderer"] == ""
-    assert prefs["zoom.stealth.webgl.vendor"] == ""
+    r = prefs["zoom.stealth.webgl.renderer"]
+    assert r and r.startswith("ANGLE (") and r.rstrip().endswith(", D3D11)")
+    assert prefs["zoom.stealth.webgl.vendor"].startswith("Google Inc. (")
 
 
 @pytest.mark.unit
@@ -143,13 +155,16 @@ def test_canvas_noise_mask_windows_uses_intel_path(monkeypatch):
 
 
 @pytest.mark.unit
-def test_webgl_extensions_cleared_on_windows(monkeypatch):
-    # WE2
+def test_webgl_extensions_persona_on_windows(monkeypatch):
+    # WE2: with a persona active on Windows, extensions are FORCED to the persona's native-order
+    # list (host-independent), NOT cleared. Order is load-bearing (must match the persona verbatim).
     monkeypatch.setattr(sys, "platform", "win32")
+    from invisible_playwright._webgl_personas import select_persona
     p = generate_profile(seed=42)
     prefs = translate_profile_to_prefs(p)
-    assert prefs["zoom.stealth.webgl.extensions"] == ""
-    assert prefs["zoom.stealth.webgl2.extensions"] == ""
+    persona = select_persona(42)
+    assert prefs["zoom.stealth.webgl.extensions"] == persona["ext1"]
+    assert prefs["zoom.stealth.webgl2.extensions"] == persona["ext2"]
 
 
 # ──────────────────────────────────────────────────────────────────────

tests/test_sampler.py

@@ -45,13 +45,28 @@ def test_classify_gpu_intel_hd_old_buckets(renderer):
     "ANGLE (Intel, Intel(R) HD Graphics 530 Direct3D11)",
     "ANGLE (Intel, Intel(R) UHD Graphics 630 Direct3D11)",
     "ANGLE (Intel, Intel(R) Iris Xe Graphics Direct3D11)",
-    "ANGLE (Intel, Intel(R) Arc A750 Direct3D11)",
+    # Integrated Arc iGPUs (Core Ultra "Arc 130T/140T/Graphics") stay integrated_modern.
+    "ANGLE (Intel, Intel(R) Arc(TM) 140T GPU Direct3D11)",
 ])
 def test_classify_gpu_intel_modern(renderer):
-    """CG4-CG7 [DT]: modern Intel HD/UHD/Iris/Arc → integrated_modern."""
+    """CG4-CG7 [DT]: modern Intel HD/UHD/Iris + integrated Arc → integrated_modern."""
     assert classify_gpu(_gpu(renderer)) == "integrated_modern"
 
 
+@pytest.mark.unit
+@pytest.mark.parametrize("renderer,expected", [
+    # Discrete Intel Arc DESKTOP cards are NOT integrated: A5xx/A7xx/Bxxx ~ mid-range
+    # discrete (RTX 3060 tier); A3xx are entry discrete → low_end.
+    ("ANGLE (Intel, Intel(R) Arc(TM) A750 Graphics Direct3D11 vs_5_0 ps_5_0)", "mid_range"),
+    ("ANGLE (Intel, Intel(R) Arc(TM) A770 Graphics Direct3D11)", "mid_range"),
+    ("ANGLE (Intel, Intel(R) Arc(TM) B580 Graphics Direct3D11)", "mid_range"),
+    ("ANGLE (Intel, Intel(R) Arc(TM) A380 Graphics Direct3D11)", "low_end"),
+])
+def test_classify_gpu_intel_arc_discrete(renderer, expected):
+    """Discrete Intel Arc desktop SKUs map to a discrete-GPU class, not integrated."""
+    assert classify_gpu(_gpu(renderer)) == expected
+
+
 @pytest.mark.unit
 @pytest.mark.parametrize("renderer", [
     "ANGLE (AMD, AMD Radeon Graphics Direct3D11)",