fix(instantid): pass trust_remote_code=True for local custom_pipeline

The img2img run silently produced an identity output because
DiffusionPipeline.from_pretrained refused to load the local custom_pipeline
.py without `trust_remote_code=True` (emits a single-line warning to stderr,
then falls back to a default class). load_ip_adapter_instantid then
AttributeError'd, our outer except logged + skipped, and the saved file
was the un-restored cleaned image (exact byte size match against the
no-restore baseline -- 250988 bytes).

We fetch the file from a pinned raw.githubusercontent URL we control, so
trust_remote_code is safe to opt in here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

src/remove_ai_watermarks/instantid_restore.py

@@ -276,6 +276,13 @@ def _get_pipeline() -> Any:
                 controlnet=controlnet,
                 torch_dtype=dtype,
                 custom_pipeline=str(_fetch_img2img_pipeline_file()),
+                # Custom_pipeline from a local .py file triggers diffusers' remote-code
+                # guard; the file is fetched from a pinned raw.githubusercontent URL
+                # we control, so opt in here. Without this the load silently falls
+                # back to a default pipeline (no img2img + no IP-Adapter cross-attn),
+                # the next call hits an AttributeError on load_ip_adapter_instantid,
+                # and our outer except logs but skips the whole restore.
+                trust_remote_code=True,
             )
             pipe.to(device)
             # IP-Adapter weights that wire the ArcFace embedding into cross-attention.