# emoji-os Spike — VALIDATION RESULTS

## Signal hypothesis

Linux headless Chromium (no `fonts-noto-color-emoji` installed) renders emoji as
**Tofu boxes** (monochrome placeholders, very few distinct colors). Real Mac/Windows
browsers have color emoji fonts. Stealth frameworks that claim Mac/Windows UA on a
Linux headless env create a detectable inconsistency: UA says Mac, but emoji render
as Tofu.

## 2-test results (vanilla headless vs CDP-attached headless, Linux)

Both conditions: Chrome 148 on Linux headless, no color emoji fonts installed.
**All checks identical:**

| Check | Vanilla | CDP |
|---|---|---|
| `navPlatform` | Linux x86_64 | Linux x86_64 |
| `uaDataPlatform` | Linux | Linux |
| `claimsApple` | False | False |
| `colorRatio` | **0%** | **0%** |
| `tofuRenders` | 40/40 | 40/40 |
| `appleLie` | False | False |

**The baseline signal is silent on vanilla+CDP** — they're identical because both
are Linux headless. Color emoji fonts are missing in both.

## Stealth simulation (?stealth=1)

Override `navigator.userAgent` AND `navigator.platform` to claim Mac:

| Signal | Normal | Stealth Mac |
|---|---|---|
| `navPlatform` | Linux x86_64 | MacIntel (override) |
| `uaDataPlatform` | Linux | **Linux** (true, untouched) |
| `claimsApple` | False | **True** |
| `colorRatio` | 0% | **0%** (Tofu) |
| `appleLie` | False | **True** |

**Three independent signals fire when stealth framework lies:**

1. `navPlatform = "MacIntel"` ≠ `uaDataPlatform = "Linux"` (modern API doesn't lie)
2. `claimsApple = True` AND `colorRatio < 0.5` (UA says Mac, no emoji fonts)
3. `appleLie` composite = True

## Verdict: ✅ VALIDATED — multiple strong signals

The emoji check has **two complementary uses**:

### Use A: Headless detector (without stealth)
- `colorRatio < 0.5` fires on Linux headless without color emoji fonts
- Already covered by existing `webgpu_lockedapart` and other Phase 1 checks
- Lower priority — don't ship alone

### Use B: Stealth lie detector (with stealth override)
- `uaDataPlatform ≠ navPlatform` — modern API is hard to override
- `claimsApple AND emojiFallback` — UA claim inconsistent with render capability
- **This is a high-value signal**: catches the realistic attack where a fraudster
  uses puppeteer-extra-stealth or playwright-extra to fake Mac/Windows on a Linux
  bot host.

## Recommended Phase 1 finding

- `emoji_no_color_fonts`: `colorRatio < 0.3` → +5 penalty (Phase 1, catches Linux headless)
- `platform_ua_inconsistency`: `claimsApple && colorRatio < 0.5` → +15 penalty (Phase 1, catches stealth)

The first is mostly redundant with existing checks. The second is the high-value one.

## Notes

- Real Linux users on desktop also lack color emoji fonts by default. False positive
  risk on `colorRatio < 0.5` alone is significant. **Always pair with UA check.**
- `navigator.userAgentData` is a Chromium-specific modern API. Stealth frameworks
  that override `navigator.userAgent` often forget this — making the cross-check
  extremely reliable.
- This is **detection-of-stealth** more than detection-of-headless. Standard
  headless Chrome (without stealth) returns 0% color ratio in both vanilla and
  CDP conditions, identical — exactly what we want.

## Files

- `demo.html` — emoji rendering + UA cross-check + stealth query param
- `test.py` — 2-test runner (vanilla vs CDP, no stealth)
