security: strip absolute paths leaking dev machine + private monorepo

T.6 post-publish audit caught two leaks in the published artefacts:

1. `conversion_report.json` (4 hits on both HF and GitHub) exposed
   absolute paths from the build machine:
       "safetensors": "/Users/transcrilive/MLX_CONVERTOR/sub-projects/supertonic3-mlx/hf_release/weights/X.safetensors"
       "onnx":        "/tmp/supertonic3/model/onnx/X.onnx"
   This revealed the dev Mac's username (transcrilive) + the private
   monorepo name (MLX_CONVERTOR) + the internal sub-projects layout.

2. `src/supertonic_3_mlx/pipeline.py` docstring (1 hit) had a
   from_pretrained example pointing at /tmp/supertonic3/model.

Fixes:
- conversion_report.json regenerated with basenames only
  ("vector_estimator.onnx" / "weights/vector_estimator.safetensors")
- pipeline.py docstring example updated to use the canonical Hub repo id
- the upstream converter tool (in the dev monorepo) patched so future
  regenerations of the report don't reintroduce the leak

No tokens, credentials, or keys were ever exposed; tokens are kept only
in env vars / keyrings and never enter the published artefacts.

src/supertonic_3_mlx/pipeline.py

@@ -25,7 +25,7 @@ Flow:
 
 Public API:
 
-    pipe = SupertonicMLXPipeline.from_pretrained("/tmp/supertonic3/model")
+    pipe = SupertonicMLXPipeline.from_pretrained("ambassadia/supertonic-3-mlx")
     wav = pipe.generate("Hello world", voice="F1", lang="en")
     import soundfile as sf
     sf.write("out.wav", wav, pipe.sample_rate)