fix(ocr): fail closed when TRAINING_TOKEN is not configured

_check_training_token previously skipped auth when TRAINING_TOKEN was
empty, allowing unauthenticated requests to reach /train and /segtrain.
Now returns 503 ("Training not configured on this node") when the token
is absent, so missing configuration fails closed rather than open.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ocr-service/main.py

@@ -259,8 +259,10 @@ async def run_ocr_stream(request: OcrRequest):
 
 
 def _check_training_token(x_training_token: str | None) -> None:
-    """Validate training token if TRAINING_TOKEN env var is set."""
-    if TRAINING_TOKEN and x_training_token != TRAINING_TOKEN:
+    """Validate training token — fails closed when TRAINING_TOKEN is not configured."""
+    if not TRAINING_TOKEN:
+        raise HTTPException(status_code=503, detail="Training not configured on this node")
+    if x_training_token != TRAINING_TOKEN:
         raise HTTPException(status_code=403, detail="Invalid or missing X-Training-Token")