security: harden production containers

Add cap_drop ALL, no-new-privileges, read_only + tmpfs to all
containers (postgres, redis, backend, celery worker, celery beat).
Matches Phase 3 security hardening standards.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.prod.yml

@@ -14,6 +14,15 @@ services:
       interval: 10s
       timeout: 5s
       retries: 5
+    cap_drop:
+      - ALL
+    cap_add:
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    security_opt:
+      - no-new-privileges:true
     networks:
       - rfiles-internal
 
@@ -29,6 +38,13 @@ services:
       interval: 10s
       timeout: 5s
       retries: 5
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+    security_opt:
+      - no-new-privileges:true
     networks:
       - rfiles-internal
 
@@ -67,6 +83,17 @@ services:
       - "traefik.http.routers.rfiles-direct.tls.certresolver=letsencrypt"
       - "traefik.http.services.rfiles.loadbalancer.server.port=8000"
       - "traefik.docker.network=traefik-public"
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
     networks:
       - rfiles-internal
       - traefik-public
@@ -94,6 +121,13 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
     networks:
       - rfiles-internal
     command: celery -A config worker --loglevel=info --concurrency=2
@@ -112,6 +146,13 @@ services:
       - SECRET_KEY=${SECRET_KEY}
     depends_on:
       - celery-worker
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
     networks:
       - rfiles-internal
     command: celery -A config beat --loglevel=info