fix(stealth): address security review findings

1. HIGH — Function.toString Map exfiltration:
   Replaced Map with WeakMap + bound methods. A malicious page could
   monkeypatch Map.prototype.has to capture the override store, then
   use it to cloak malicious functions as [native code]. WeakMap with
   pre-bound has/get methods prevents this side-channel.

2. MEDIUM — Static GPU fingerprint:
   Default GPU renderer now randomly selects from 5 common Apple chip
   variants (M1, M1 Pro, M1 Max, M2, M3) per session. Prevents sites
   from building a static GStack-specific fingerprint signature.

3. Tests updated: 54 total (35 unit + 19 e2e), 0 failures.
   Added tests for WeakMap usage and GPU randomization.
gstack
2026-04-21 03:08:06 +00:00
parent 8df1c003b5
commit 1eae837260
3 changed files with 39 additions and 7 deletions


@@ -65,7 +65,7 @@ describe('stealth e2e — fingerprint verification', () => {
expect(vendor).not.toContain('SwiftShader');
});
test('WebGL renderer is spoofed to Apple M1 Pro', async () => {
test('WebGL renderer is spoofed to an Apple chip', async () => {
const renderer = await page.evaluate(() => {
const canvas = document.createElement('canvas');
const gl = canvas.getContext('webgl');
@@ -75,7 +75,7 @@ describe('stealth e2e — fingerprint verification', () => {
return gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
});
expect(renderer).toBeTruthy();
expect(renderer).toContain('Apple M1 Pro');
expect(renderer).toMatch(/Apple.*M[123]/);
expect(renderer).not.toContain('SwiftShader');
expect(renderer).not.toContain('llvmpipe');
});
@@ -91,7 +91,7 @@ describe('stealth e2e — fingerprint verification', () => {
});
// WebGL2 might not be available in all environments
if (renderer !== null) {
expect(renderer).toContain('Apple M1 Pro');
expect(renderer).toMatch(/Apple.*M[123]/);
}
});
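Review bot: The new assertion `expect(renderer).toMatch(/Apple.*M[123]/)`, used in both the WebGL and WebGL2 tests, is loose enough to pass on values outside the five variants the commit message lists, because `.*` spans any text and `M[123]` has no trailing boundary (a string ending in "M10" would be accepted). The old check expected the literal `Apple M1 Pro`, so a pattern that enumerates the allowed set, such as `expect(renderer).toMatch(/Apple M(?:1(?: Pro| Max)?|2|3)\b/);`, would pin the test to the intended values; confirm it against the exact strings the implementation emits, which this section does not show. Neither test checks that the WebGL and WebGL2 contexts report the same renderer within one session, so a per-call rather than per-session selection would go unnoticed. The `if (renderer !== null)` guard also lets the WebGL2 test pass with zero assertions when the context is unavailable. The enclosing test bodies start and end outside the hunks shown.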