
fix: harden privacy boundaries and release trust #1

Open
kobepaw wants to merge 3 commits into master from fix/security-trust-hardening

Conversation

@kobepaw (Owner) commented Mar 16, 2026

Summary

This PR hardens goop-face across three trust-critical areas:

  1. Privacy / data-flow truthfulness — align docs and tool descriptions with current behavior so the project does not overstate what stays local vs what is uploaded.
  2. MCP file-boundary safety — replace brittle path handling with explicit input/output root controls, validate image inputs before server-tier upload, and tighten tests around canonicalization/symlink/output-boundary cases.
  3. Install / release trust — make the optional MCP entrypoint fail gracefully when extras are missing, add wheel-install smoke coverage, and tighten release/security workflow expectations.

The goal is simple: make the public contract honest, make the MCP surface safer, and make first-run/install behavior trustworthy.

Why this matters

Projects in the privacy/safety space get judged on trust first.

Before this patch set:

  • docs and docstrings could be read as stronger privacy guarantees than the current server-tier implementation actually provides,
  • MCP path validation relied on brittle blocklist/prefix logic,
  • and the public install path for goop-face-mcp could fail with an avoidable dependency traceback.

This PR fixes those issues directly and publicly. It establishes a clear baseline for how goop-face handles:

  • what leaves the machine,
  • what file paths the MCP server is allowed to touch,
  • and what users should expect from install/release flows.

What changed

1) Privacy/data-flow clarity

  • Updated README privacy model and processing pipeline language to match actual current behavior.
  • Updated MCP server instructions/docstrings to clearly distinguish local vs server-backed behavior.
  • Updated detector docs so they describe local detection/alignment without implying downstream network behavior.
  • Added tests that explicitly verify current client upload behavior.
  • Added SECURITY.md notes documenting the current data flow by mode.

2) MCP boundary hardening

  • Added explicit input_roots / output_roots configuration in MCP config.
  • Replaced brittle string-prefix checks with canonical root-based validation.
  • Validate that server-tier inputs are real image files before any upload path is used.
  • Constrain output paths to approved roots.
  • Expanded MCP tests substantially to cover allowed/disallowed roots, invalid inputs, and safer output handling.

3) Install / release trust

  • Made the public goop-face-mcp entrypoint degrade gracefully when the optional mcp dependency is not installed.
  • Added wheel-install smoke coverage in CI and release workflows.
  • Added a reusable smoke test script for built wheels.
  • Tightened security workflow behavior.
  • Improved README guidance around MCP/runtime expectations and transport/auth trust.

Validation

Targeted validation run on the combined patch set:

  • tests/test_client.py
  • tests/test_mcp/test_server.py
  • tests/test_mcp_entrypoint.py

Result:

  • 69 passed

Notes

This PR intentionally does not claim that server-tier privacy is fully solved. Instead, it does the right first thing:

  • make the current behavior explicit,
  • harden the dangerous edges,
  • and improve install/release trust.

That gives the project a truthful foundation for future work such as crop-only server uploads or stronger privacy-preserving backend flows.

Precedence / intent

I wanted this patch set recorded publicly and clearly because trust hardening should have provenance.

This PR establishes an explicit community record that the project’s next serious step was:

  • correcting privacy claims,
  • hardening MCP boundaries,
  • and fixing install/release trust paths,

before broader promotion.
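The description names two of the MCP boundary checks without showing them: replacing string-prefix path checks with canonical root-based validation, and confirming that a server-tier input is a real image before any upload path is used. The block below is an added example of both, not code from the goop-face project; the function names, the magic-byte table, the `input_roots`/`output_roots` handling and the temp-directory scenario are this example's own assumptions.

```python
"""Added example, not goop-face project code: canonical root-based path
validation (instead of string-prefix checks) plus a magic-byte image check
before anything is handed to an upload path.  Names, the magic table and the
temp-directory scenario are this example's own assumptions."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Callable, Iterable, Union

PathLike = Union[str, os.PathLike]

# Constructed magic-byte table for the formats this example recognises.
_IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


class PathBoundaryError(ValueError):
    """Raised when a path resolves outside every approved root."""


def brittle_prefix_check(candidate: str, root: str) -> bool:
    """The weak 'before' form: a plain string-prefix test.  It accepts
    '/data/images_private/x.png' for root '/data/images' and never follows
    symlinks, so a look-alike sibling or an escaping link passes."""
    return candidate.startswith(root)


def resolve_within_roots(candidate: PathLike, roots: Iterable[PathLike],
                         must_exist: bool = True) -> Path:
    """Canonicalise `candidate` (following symlinks and '..') and require it
    to sit inside one of the canonicalised `roots`.  Output paths may not
    exist yet, so `must_exist=False` still resolves the existing parents and
    rejects a parent symlink or '..' that escapes the root."""
    resolved = Path(candidate).resolve(strict=must_exist)
    for root in roots:
        canonical_root = Path(root).resolve()
        # is_relative_to (3.9+) compares whole path components, so
        # 'images_private' is not inside 'images'.
        if resolved.is_relative_to(canonical_root):
            return resolved
    raise PathBoundaryError(f"{candidate!s} resolves outside approved roots")


def sniff_image_format(path: Path) -> Union[str, None]:
    """Return the format name if the file starts with a known image magic."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    for magic, fmt in _IMAGE_MAGIC.items():
        if header.startswith(magic):
            return fmt
    return None


def validate_upload_input(candidate: PathLike, input_roots: Iterable[PathLike]) -> Path:
    """Boundary check first, then regular-file and magic-byte checks, so a
    non-image or an out-of-root path never reaches an upload path."""
    path = resolve_within_roots(candidate, input_roots, must_exist=True)
    if not path.is_file():
        raise ValueError(f"{path} is not a regular file")
    if sniff_image_format(path) is None:
        raise ValueError(f"{path} does not look like an image")
    return path


def _outcome(check: Callable[[], object]) -> str:
    try:
        check()
        return "accepted"
    except (ValueError, FileNotFoundError):
        return "rejected"


def demo() -> dict:
    """Constructed scenario in a temp dir: an approved root, a look-alike
    sibling directory, a symlink escaping the root, and a '.png' with no
    image header.  Returns each check's verdict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        allowed, lookalike, outside = (Path(tmp) / n for n in ("images", "images_private", "secrets"))
        for d in (allowed, lookalike, outside):
            d.mkdir()
        (allowed / "face.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        (allowed / "notes.png").write_bytes(b"just text, not an image")
        (lookalike / "x.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        (outside / "token.txt").write_bytes(b"secret")
        try:
            os.symlink(outside / "token.txt", allowed / "link.png")
            symlink_made = True
        except (OSError, NotImplementedError):
            symlink_made = False  # platform without symlink support
        roots = [allowed]
        results["prefix_lookalike"] = (
            "accepted" if brittle_prefix_check(str(lookalike / "x.png"), str(allowed)) else "rejected")
        results["canonical_lookalike"] = _outcome(lambda: validate_upload_input(lookalike / "x.png", roots))
        results["real_png"] = _outcome(lambda: validate_upload_input(allowed / "face.png", roots))
        results["fake_png"] = _outcome(lambda: validate_upload_input(allowed / "notes.png", roots))
        results["symlink_escape"] = (
            _outcome(lambda: validate_upload_input(allowed / "link.png", roots)) if symlink_made else "skipped")
        results["output_inside"] = _outcome(
            lambda: resolve_within_roots(allowed / "out" / "result.png", roots, must_exist=False))
        results["output_dotdot"] = _outcome(
            lambda: resolve_within_roots(allowed / ".." / "secrets" / "result.png", roots, must_exist=False))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Running the module prints one verdict per case: the prefix check accepts the `images_private` look-alike while the canonical check rejects it, the escaping symlink and the mislabelled `.png` are rejected before any upload step, and an output path under the root is accepted while one that climbs out via `..` is not. The same `resolve_within_roots` serves both `input_roots` (with `must_exist=True`) and `output_roots` (with `must_exist=False`).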

