2026-04-06 01:44:58 +03:00

cap_drop: ALL Breaks redis-alpine Startup

Applies when: adding Linux capability restrictions to Docker Compose services, especially Redis or any image that switches users at startup.

  • redis:7-alpine entrypoint calls gosu redis to drop from root to the redis user.
  • gosu requires SETUID and SETGID capabilities to switch users.
  • cap_drop: ALL without cap_add: [SETUID, SETGID] prevents the user switch, causing immediate container exit.
  • The container logs show no error -- it just exits silently with code 1.
  • Decision (2026-03-24): removed all cap_drop/cap_add from both compose files. For a dev-only local stack, the complexity and debugging cost outweigh the security benefit. Revisit for production deployment with proper per-service capability analysis.
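
For the production revisit, a pre-deploy check can catch this misconfiguration before the container exits silently. The sketch below is an added example, not part of the original compose files; it reads the JSON printed by `docker compose config --format json`. The image list, function names and sample service names are assumptions; only redis:7-alpine and the SETUID/SETGID requirement come from the note above.

```python
import json

# Capabilities the note says gosu needs to switch from root to the redis user.
REQUIRED = {"SETUID", "SETGID"}

# Assumption: images whose entrypoint switches users at startup. Only
# redis:7-alpine comes from the note; extend the tuple for your own stack.
USER_SWITCHING_IMAGES = ("redis:7-alpine",)


def _caps(values):
    """Normalize capability names: upper-case, without the optional CAP_ prefix."""
    return {str(v).upper().removeprefix("CAP_") for v in (values or [])}


def find_broken_cap_drops(compose, images=USER_SWITCHING_IMAGES):
    """Return {service: [missing caps]} for services that drop ALL capabilities
    but do not add back what the user switch needs."""
    findings = {}
    for name, svc in (compose.get("services") or {}).items():
        if not str(svc.get("image", "")).startswith(tuple(images)):
            continue  # not an image known to switch users at startup
        dropped, added = _caps(svc.get("cap_drop")), _caps(svc.get("cap_add"))
        # Only cap_drop: ALL is a problem; cap_add: ALL restores every capability.
        if "ALL" not in dropped or "ALL" in added:
            continue
        missing = sorted(REQUIRED - added)
        if missing:
            findings[name] = missing
    return findings


# Constructed sample in the shape printed by `docker compose config --format json`.
SAMPLE = json.loads("""
{"services": {
  "cache-broken":  {"image": "redis:7-alpine", "cap_drop": ["ALL"]},
  "cache-partial": {"image": "redis:7-alpine", "cap_drop": ["ALL"], "cap_add": ["CAP_SETUID"]},
  "cache-fixed":   {"image": "redis:7-alpine", "cap_drop": ["ALL"], "cap_add": ["SETUID", "SETGID"]},
  "cache-default": {"image": "redis:7-alpine"},
  "web":           {"image": "example/web:1", "cap_drop": ["ALL"]}
}}
""")

if __name__ == "__main__":
    for service, missing in find_broken_cap_drops(SAMPLE).items():
        print(f"{service}: cap_drop ALL without cap_add {missing}")
```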