fix(deployment): add CHOWN and DAC_OVERRIDE capabilities to Redis for AOF persistence

The Redis container was failing with 'Permission denied' when trying to create
the appendonlydir for AOF (Append-Only File) persistence. The error occurred because:

1. Redis runs as root to read Docker Secrets from /run/secrets/redis_password
2. The /data volume is owned by UID 999 (default redis user)
3. cap_drop: ALL removed the CHOWN capability needed to create subdirectories
4. AOF persistence requires creating appendonlydir in /data with proper ownership

Solution:
- Added CHOWN capability: Allows Redis to create directories with correct ownership
- Added DAC_OVERRIDE capability: Allows writing to volume owned by different user
- Maintains all other security restrictions (no-new-privileges, minimal capabilities)

This fixes the continuous restart loop that persisted through commits:
- 5f7ebd9: Fixed healthcheck variable syntax
- 700fe81: Fixed entrypoint script variables
- bfe6a96: Changed healthcheck to read secret directly

The real issue was not the healthcheck but the permission error that prevented
Redis from starting in the first place.

Refs: Redis container logs showed:
'Can't open or create append-only dir appendonlydir: Permission denied'
2025-11-04 21:29:32 +01:00
parent bfe6a966b5
commit 7246e89448

@@ -169,6 +169,9 @@ services:
# Redis will run as root, but this is acceptable for this use case
cap_drop:
- ALL
cap_add:
- CHOWN # Required for creating appendonlydir with correct permissions
- DAC_OVERRIDE # Required for writing to /data volume owned by redis user
# Use entrypoint script to inject password from Docker Secret into environment
# This makes password available to both Redis startup AND health check
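Review bot: granting `DAC_OVERRIDE` to a process that, per the comment above `cap_drop`, runs as root tells the kernel to skip discretionary permission checks on every file the container can reach, so the `- ALL` drop directly below it no longer limits file access in any meaningful way; the narrower fix for the `appendonlydir` error is to align ownership instead of bypassing it, for example by making the `/data` volume owned by the UID Redis actually runs as, or by running Redis as UID 999 and giving that user read access to the secret file, and leaving `cap_add` empty. Note also that `CHOWN` is only consumed when a process changes file ownership; a root process creating a subdirectory in a directory owned by another UID is blocked by the DAC check, not by the missing `CHOWN`, so if the capabilities are kept the comment on `- CHOWN` should name the concrete chown call it enables, and the comment on `- DAC_OVERRIDE` should record why the volume cannot simply be chowned to the running user, so the exception does not survive unexamined.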