refactor(ocr): extract _validate_zip_entry to utils.py so ZIP Slip test runs in CI

_validate_zip_entry has no ML-stack dependency; importing it via main.py
pulled in surya/torch and caused the test to be skipped in CI. Moving it
to utils.py (fastapi only) and adding fastapi to the CI lightweight install
lets test_zipslip_still_anchors_under_custom_tmpdir run on every push.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ocr-service/test_tmpdir.py

@@ -6,12 +6,8 @@ import tempfile
 
 import pytest
 
-try:
-    from fastapi import HTTPException
-    from main import _validate_zip_entry
-    HAS_MAIN = True
-except ImportError:
-    HAS_MAIN = False
+from fastapi import HTTPException
+from utils import _validate_zip_entry
 
 _ENTRYPOINT = os.path.join(os.path.dirname(os.path.abspath(__file__)), "entrypoint.sh")
 
@@ -82,7 +78,6 @@ def test_tmpdir_is_inside_persistent_cache_volume():
     )
 
 
-@pytest.mark.skipif(not HAS_MAIN, reason="requires full ML stack (not available in CI)")
 def test_zipslip_still_anchors_under_custom_tmpdir(tmp_path):
     """_validate_zip_entry rejects path-traversal when extract_dir is under a custom TMPDIR.