feat: build system hardening — unwired patch detector + rebrand

check-unwired-patches.sh: scans local/patches/ for .patch files not
referenced in any recipe.toml patches = [...] array. Detects 262
unwired patches (most intentionally kept for reference/rebase).

P2-rebrand-start-message.patch: minimal 39-line patch changing
'Redox OS starting' to 'RedBear OS starting' in x86_64, aarch64,
and riscv64 arch start files. Wired into kernel recipe after
P8-msi.patch. Verified: make r.kernel builds with all 3 patches.

Build system issues surfaced by the detector:
- 250+ kernel individual patches kept for reference (absorbed/)
- ~50 base individual patches — many intentionally unwired
- ~30 relibc patches — may need wiring into relibc recipe
- build-system patches applied by scripts, not recipes

local/patches/kernel/P2-rebrand-start-message.patch

@@ -0,0 +1,39 @@
+diff --git a/src/arch/aarch64/start.rs b/src/arch/aarch64/start.rs
+index e1c8cfb4..65e3fe33 100644
+--- a/src/arch/aarch64/start.rs
++++ b/src/arch/aarch64/start.rs
+@@ -91,7 +91,7 @@ unsafe extern "C" fn start(args_ptr: *const KernelArgs) -> ! {
+                 dtb::serial::init_early(dtb);
+             }
+ 
+-            info!("Redox OS starting...");
++            info!("RedBear OS starting...");
+             args.print();
+ 
+             // Initialize RMM
+diff --git a/src/arch/riscv64/start.rs b/src/arch/riscv64/start.rs
+index 2551968f..a825536a 100644
+--- a/src/arch/riscv64/start.rs
++++ b/src/arch/riscv64/start.rs
+@@ -97,7 +97,7 @@ unsafe extern "C" fn start(args_ptr: *const KernelArgs) -> ! {
+                 init_early(dtb);
+             }
+ 
+-            info!("Redox OS starting...");
++            info!("RedBear OS starting...");
+             args.print();
+ 
+             if let Some(dtb) = &dtb {
+diff --git a/src/arch/x86_shared/start.rs b/src/arch/x86_shared/start.rs
+index 7a7c0ae8..62f9523c 100644
+--- a/src/arch/x86_shared/start.rs
++++ b/src/arch/x86_shared/start.rs
+@@ -91,7 +91,7 @@ unsafe extern "C" fn start(args_ptr: *const KernelArgs, stack_end: usize) -> ! {
+             // Set up graphical debug
+             graphical_debug::init(args.env());
+ 
+-            info!("Redox OS starting...");
++            info!("RedBear OS starting...");
+             args.print();
+ 
+             // Set up GDT

local/scripts/check-unwired-patches.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# check-unwired-patches.sh — detect patch files not referenced in any recipe.toml
+#
+# Scans local/patches/ for .patch files that exist on disk but are NOT listed
+# in any recipe's patches = [...] array. Also detects patches that are symlinked
+# into recipes/ but whose recipe.toml entry no longer exists.
+#
+# Usage: ./local/scripts/check-unwired-patches.sh [--strict]
+#   --strict: exit non-zero if any unwired patches found (for CI)
+
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+STRICT=false
+[[ "${1:-}" == "--strict" ]] && STRICT=true
+
+UNWIRED=0
+
+echo "=== Unwired Patch Check ==="
+
+# Map patch file → list of recipe.toml files that reference it
+declare -A PATCH_REFS
+
+# Find all recipe.toml files
+while IFS= read -r -d '' recipe; do
+    # Extract patch filenames from patches = [...] array
+    # Handles both local/patches/... and relative paths
+    while IFS= read -r patch_ref; do
+        # Resolve the patch path relative to the recipe directory
+        recipe_dir="$(dirname "$recipe")"
+        patch_path="$(cd "$recipe_dir" && realpath -m "$patch_ref" 2>/dev/null || echo "$recipe_dir/$patch_ref")"
+        PATCH_REFS["$patch_path"]+="$recipe "
+    done < <(grep -oP '"[^"]+\.patch"' "$recipe" | tr -d '"')
+done < <(find "$ROOT/recipes" "$ROOT/local/recipes" -name 'recipe.toml' -print0 2>/dev/null)
+
+# Find all patch files in local/patches/
+while IFS= read -r -d '' patch; do
+    patch_real="$(realpath "$patch")"
+    found=false
+    for ref in "${!PATCH_REFS[@]}"; do
+        ref_real="$(realpath "$ref" 2>/dev/null || echo "$ref")"
+        if [[ "$ref_real" == "$patch_real" ]]; then
+            found=true
+            break
+        fi
+    done
+    if ! $found; then
+        UNWIRED=$((UNWIRED + 1))
+        echo "  UNWIRED: $patch"
+    fi
+done < <(find "$ROOT/local/patches" -name '*.patch' -print0 2>/dev/null)
+
+echo ""
+if [[ $UNWIRED -eq 0 ]]; then
+    echo "✅ All patches wired"
+else
+    echo "⚠️  $UNWIRED unwired patch(es) found"
+    $STRICT && exit 1
+fi
+exit 0

recipes/core/kernel/recipe.toml

@@ -20,7 +20,7 @@
 [source]
 git = "https://gitlab.redox-os.org/redox-os/kernel.git"
 rev = "866dfad0"
-patches = ["../../../local/patches/kernel/redbear-consolidated.patch", "../../../local/patches/kernel/P8-msi.patch"]
+patches = ["../../../local/patches/kernel/redbear-consolidated.patch", "../../../local/patches/kernel/P8-msi.patch", "../../../local/patches/kernel/P2-rebrand-start-message.patch"]
 
 [build]
 template = "custom"