feat: safetensors checkpoint support for Torch backend

[alexandremendoncaalvaro]

Why

CorridorKey.pth loads via pickle, which executes arbitrary code — a real
concern for a model shipped to a wide user base. .safetensors is the safe
standard (no pickle, memory-mapped, zero-copy). The MLX side already uses it
(MLX_EXT = ".safetensors"); this PR brings the Torch side in line while
keeping every existing .pth install working untouched.

Design: prefer safetensors, fall back to .pth

No flag, no env var. The file that's there wins:

1. Discovery in CorridorKeyModule/checkpoints/: .safetensors →
   .pth (legacy) → auto-download.
2. Auto-download: request .safetensors from HF first; only on
   EntryNotFoundError (HF-specific "file absent from repo", not a network
   error) fall back to downloading .pth. Network / disk / auth failures
   propagate as today.
3. _load_model dispatches by extension to safetensors.torch.load_file
   or torch.load. The _orig_mod. strip and pos_embed reinterpolation
   logic is format-blind and unchanged.

Back-compat contract

• Cached CorridorKey.pth → still loads, no action required.
• New install → auto-download fetches .safetensors.
• Both present → .safetensors wins with an INFO log.

Every fallback branch is tagged # DEPRECATED: remove after .pth sunset so
the follow-up cleanup PR is a trivial grep.

Merge ordering

This PR is safe to land before the .safetensors upload to
nikopueringer/CorridorKey_v1.0: until the upload lands, first-run users
fall through to .pth via the EntryNotFoundError path. After the upload,
fresh installs pick up .safetensors automatically. Existing users are
unaffected either way.

---

Validation

Automated

• uv run ruff check → clean.
• uv run pytest -m "not gpu" → 326 passed. 9 pre-existing failures
  (OPENCV_IO_ENABLE_OPENEXR disabled in opencv-python on Windows, see
  opencv#21326) — confirmed
  identical on upstream/main, unrelated to this PR.
• Touched test files in isolation: 106 passed.

New test coverage

• Discovery preference (both present, only-one present, empty dir).
• HF download fallback on EntryNotFoundError downloads .pth.
• HF download non-fallback on any other exception (network / auth /
  disk) surfaces a RuntimeError — a regression guard against a future
  except widening that would silently downgrade users to the less-safe
  format.
• _load_model extension dispatch: .safetensors routes to
  safetensors.torch.load_file, .pth routes to torch.load. Each test
  mocks the other loader with an AssertionError side-effect to prove the
  wrong path isn't taken.
• Converter script (scripts/convert_pth_to_safetensors.py): wrapper
  unwrap, _orig_mod. prefix strip, non-tensor metadata skip, contiguity
  enforcement, round-trip detection of missing keys and shape mismatches,
  end-to-end .pth → .safetensors preserving tensor values bit-identically,
  CLI error paths.
• PBT auto-download properties updated — .safetensors is no longer
  treated as "junk" that should not trigger download.

Manual end-to-end (Windows, NVIDIA CUDA)

Converted the real 400 MB HF .pth via the new script (367 tensors,
round-trip verified) and ran three scenarios against a real 2048×2048 clip
through clip_manager.py --action run_inference --backend torch:

Scenario	Checkpoint loaded	Result
Both files present	.safetensors ✅	Inference succeeds
Only .safetensors	.safetensors ✅	Outputs byte-identical (SHA-256) to previous run
Only .pth (legacy)	.pth ✅	Outputs byte-identical (SHA-256) to the safetensors run

Separately, a deterministic-seed smoke script compared engine outputs
directly: max|diff| = 0.000e+00 on both alpha and fg, confirming
bit-for-bit equivalence at the tensor level.

Follow-up (out of scope)

Sunset .pth: delete from the HF repo and remove every branch tagged
# DEPRECATED: remove after .pth sunset. Trivial once the deprecation
window closes.