chore: remove ffmpeg via opencv from nss task image

[mckornfield]

Summary by CodeRabbit

• Bug Fixes
  • Reduced unnecessary bundled media and vision packages from application environments, helping lower image size and avoid conflicts at runtime.
  • Kept the existing cleanup of bundled FFmpeg binaries as a fallback for packages that still include them.

[coderabbitai]

📝 Walkthrough

Walkthrough

The cleanup script now uninstalls OpenCV Python wheel variants from existing virtual environments before continuing the existing ffmpeg binary deletion fallback.

Changes

Virtual environment CVE cleanup

Layer / File(s)	Summary
OpenCV wheel cleanup docker/scripts/cve-cleanup.sh	The script checks /app/.venv and /opt/venv, uninstalls OpenCV package variants with uv pip uninstall when bin/python is executable, and then proceeds to the existing ffmpeg binary deletion logic.

Suggested reviewers

• ironcommit

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: removing OpenCV-bundled ffmpeg from the nss task image.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ffmpeg-remove-again-nss/mck

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/scripts/cve-cleanup.sh`:
- Around line 18-22: The OpenCV cleanup in cve-cleanup.sh only uninstalls the
venv packages via uv pip uninstall, so cached hard-linked OpenCV FFmpeg .so
files can still remain under /root/.cache/uv. Update the cleanup logic around
the uv pip uninstall block to also remove the corresponding OpenCV wheel cache
entries from uv’s cache, using the same package names already listed there, so
the scan no longer finds leftover artifacts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bd2e137b-5a40-47a9-9893-f562625cc051

📥 Commits

Reviewing files that changed from the base of the PR and between 4bcebbb and 00a8256.

📒 Files selected for processing (1)

• docker/scripts/cve-cleanup.sh

[github-actions]

Suite	Lines Covered	Line Rate	Branch Rate
Unit Tests	21322/27924	76.4%	61.4%
Integration Tests	12354/26693	46.3%	19.8%