This fixes Weixin inbound PDF handling so uploaded documents are either stored as real files or explicitly rejected instead of being surfaced as unusable garbage data.

Before this change, the Weixin runtime only summarized inbound file_item payloads as text and did not persist them at all. After adding persistence, it became clear that the CDN download path could still save encrypted or malformed payloads as .pdf files because the upstream metadata is inconsistent: encrypt_type may be 0 even when an aes_key is present, and the key itself may be encoded in more than one way. In practice that meant users could send a PDF, see a saved path, and still end up with a file whose contents were not actually a PDF.

The fix adds an inbound file pipeline for Weixin that downloads file_item.media, attempts decryption across the key encodings and AES key sizes observed in the payloads, validates the resulting bytes against the expected file signature, and only then writes into the working directory uploads tree. For PDFs specifically, the runtime now requires a valid %PDF- header and tolerates a short prefix before the header if Weixin prepends extra bytes. When validation fails, the runtime records a clear download_failed=... note instead of writing a bad file.

The change also improves observability around this path. We now log whether media metadata exists, whether an AES key was present, the raw key length, candidate decoded key lengths, and the truncated media JSON on failure. That makes further protocol mismatches debuggable without having to inspect the database or saved files manually.

Validation used cargo test weixin -- --nocapture, including new tests that cover successful inbound download-and-save behavior and rejection of invalid PDF payloads.