bind: MLflow port to 127.0.0.1:5000:5000 in docker-compose.yml

Changes:
- Updated docker-compose.yml MLflow service port binding from 5000:5000 to 127.0.0.1:5000:5000
  to restrict access to localhost only for security
- Marked task 1.7 as complete in tasks.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/changes/code-review-fix/specs/ml-training/spec.md

@@ -0,0 +1,23 @@
+## ADDED Requirements
+
+### Requirement: Training resource limits
+The `POST /training/start` endpoint SHALL enforce resource limits: the training dataset file size SHALL not exceed 500MB, and the training thread SHALL have a configurable timeout (default: 30 minutes). If the timeout is exceeded, the training thread SHALL be marked as failed.
+
+#### Scenario: Dataset too large
+- **WHEN** the training dataset exceeds 500MB
+- **THEN** training fails immediately with `{ "detail": "Dataset too large. Maximum 500MB." }`
+
+#### Scenario: Training timeout
+- **WHEN** a training run exceeds the 30-minute timeout
+- **THEN** the training status is set to "failed" with reason "Training timed out"
+
+### Requirement: run_id validation on training endpoints
+The FastAPI training endpoints (`DELETE /training/runs/{run_id}`, `GET /training/runs/{run_id}`) SHALL validate that `run_id` matches `/^[a-zA-Z0-9_-]+$/` before any database or file operation.
+
+#### Scenario: Valid run_id
+- **WHEN** `DELETE /training/runs/run-2024-01-15_v3` is called
+- **THEN** the request proceeds normally
+
+#### Scenario: Invalid run_id
+- **WHEN** `DELETE /training/runs/../../admin` is called
+- **THEN** the endpoint returns HTTP 400 with `{ "detail": "Invalid run_id format" }`