Update attribution language: manifest author, not package publisher

Manifests in the WinGet community repository are frequently authored
by community contributors rather than the software publisher. The
attribution language throughout the spec now reflects this distinction.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: denelon

doc/specs/#3483 - UserMessages.md

@@ -107,7 +107,7 @@ Pre-action messages are displayed **before** the operation begins and represent
 **Interactive mode (default):**
 
 ```
-The following information has been provided by the package publisher:
+The following information has been provided by the manifest author:
 
   This package requires 2 GB of disk space and will modify your PATH.
 
@@ -121,15 +121,15 @@ The user is prompted to confirm. Entering `N` cancels the operation. Entering `Y
 The pre-action message is displayed (rendered to the output stream) but no prompt is shown and the operation proceeds automatically. This ensures automation pipelines see the message in logs without being blocked.
 
 ```
-The following information has been provided by the package publisher:
+The following information has been provided by the manifest author:
 
   This package requires 2 GB of disk space and will modify your PATH.
 
 Proceeding automatically (non-interactive mode)...
 ```
 
 > [!NOTE]
-> **Design rationale:** Pre-action messages are informational, not contractual agreements. Unlike license terms (which require explicit acceptance via `--accept-package-agreements`), user messages are publisher-authored guidance. The `--disable-interactivity` flag is the appropriate suppressor because it already governs all interactive prompts in WinGet. A new flag is not warranted.
+> **Design rationale:** Pre-action messages are informational, not contractual agreements. Unlike license terms (which require explicit acceptance via `--accept-package-agreements`), user messages are manifest-author-provided guidance. The `--disable-interactivity` flag is the appropriate suppressor because it already governs all interactive prompts in WinGet. A new flag is not warranted.
 
 #### Post-Action Messages (PostInstall, PostUpgrade, PostUninstall)
 
@@ -243,7 +243,7 @@ When running interactively in a PowerShell session, cmdlets follow the same patt
 ```powershell
 PS> Install-WinGetPackage -Id Publisher.ExampleApp
 
-The following information has been provided by the package publisher:
+The following information has been provided by the manifest author:
 
   This package requires 2 GB of disk space and will modify your PATH.
 
@@ -259,7 +259,7 @@ When running non-interactively (e.g., in a script with no host, or when the user
 
 ```powershell
 PS> Install-WinGetPackage -Id Publisher.ExampleApp -Force -Verbose
-VERBOSE: Publisher message (PreInstall): This package requires 2 GB of disk space and will modify your PATH.
+VERBOSE: Manifest author message (PreInstall): This package requires 2 GB of disk space and will modify your PATH.
 ```
 
 Post-action messages are written to the information stream (`Write-Information`) so they appear by default but can be suppressed with `-InformationAction SilentlyContinue`.
@@ -281,7 +281,7 @@ This allows scripts to programmatically inspect messages after an operation:
 ```powershell
 $result = Install-WinGetPackage -Id Publisher.ExampleApp -Force
 if ($result.UserMessages.PostInstall) {
-    Write-Host "Note from publisher: $($result.UserMessages.PostInstall)" -ForegroundColor Yellow
+    Write-Host "Note from manifest author: $($result.UserMessages.PostInstall)" -ForegroundColor Yellow
 }
 ```
 
@@ -397,14 +397,14 @@ Existing manifests are unaffected. `UserMessages` is entirely optional.
 
 ### Pre-Action Message Display
 
-Pre-action messages are displayed in a visually distinct block before the operation begins. The message is attributed to the package publisher to establish trust context.
+Pre-action messages are displayed in a visually distinct block before the operation begins. The message is attributed to the manifest author to establish trust context.
 
 ```
 Found Example App [Publisher.ExampleApp] v2.0.0
 This application is licensed to you by its owner.
 Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
 
-The following information has been provided by the package publisher:
+The following information has been provided by the manifest author:
 
   This package requires 2 GB of disk space and will modify your PATH.
 
@@ -423,7 +423,7 @@ Successfully installed Example App [Publisher.ExampleApp] v2.0.0
 
 ### Message Attribution
 
-All messages include clear attribution language ("provided by the package publisher") to ensure users understand the content originates from the manifest author, not from Microsoft or WinGet. This is critical for trust and security.
+All messages include clear attribution language ("provided by the manifest author") to ensure users understand the content originates from the manifest author, not from Microsoft or WinGet. This distinction is important because in the WinGet community repository, manifests are frequently authored by community contributors rather than the software publisher. This is critical for trust and security.
 
 ### Localization
 
@@ -441,7 +441,7 @@ Messages in locale manifests override those in the defaultLocale manifest on a p
 ### Security
 
 - **Phishing and social engineering:** Pre-action messages create a stronger social-engineering surface than post-action notes because they appear before the user commits to an action. A malicious manifest author could craft a message like "Enter your password at https://evil.example.com to continue." Mitigations:
-  - Clear attribution language ("provided by the package publisher") helps users assess trust.
+  - Clear attribution language ("provided by the manifest author") helps users assess trust.
   - Content validation in the winget-pkgs pipeline strips or rejects ANSI escape sequences and control characters.
   - The winget-pkgs community review process provides human review of manifest content.
   - Future enhancement: automated content moderation for suspicious URLs or social-engineering patterns.