fix: address review — move LOGFILE to tmpfs, add CapDrop check (#706)

LOGFILE=/var/chat/chat.log is unwritable on read-only rootfs; move to
/tmp/chat.log (tmpfs-backed). Add CapDrop=ALL assertion to verify script
so removing cap_drop from compose is caught.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/chat/entrypoint-chat.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 # Exec-replace pattern: this script is the container entrypoint and runs
 # the server directly (no wrapper needed). Logs to stdout for docker logs.
 
-LOGFILE="/var/chat/chat.log"
+LOGFILE="/tmp/chat.log"
 
 log() {
     printf '[%s] %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*" | tee -a "$LOGFILE"