fix: default container caps for rootless podman reliability

All containers now get CHOWN+FOWNER+SETUID+SETGID+DAC_OVERRIDE+NET_BIND_SERVICE
as the default cap set. Rootless podman needs these for:
- CHOWN/FOWNER/DAC_OVERRIDE: file ownership in mapped UID namespace
- SETUID/SETGID: internal user switching (entrypoint scripts)
- NET_BIND_SERVICE: port binding in network namespaces

Tested on .198: Grafana, Vaultwarden, Bitcoin Knots all start successfully.
Previously failed with "Permission denied" or "loopback adapter" errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

core/archipelago/src/api/rpc/package/config.rs

@@ -103,8 +103,14 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec<String> {
             "--cap-add=DAC_OVERRIDE".to_string(),
             "--cap-add=NET_BIND_SERVICE".to_string(),
         ],
-        // Default: NET_BIND_SERVICE for port binding in rootless podman networks
+        // Default: standard capabilities for rootless podman containers
+        // Most apps need file ownership + port binding to function correctly
         _ => vec![
+            "--cap-add=CHOWN".to_string(),
+            "--cap-add=FOWNER".to_string(),
+            "--cap-add=SETUID".to_string(),
+            "--cap-add=SETGID".to_string(),
+            "--cap-add=DAC_OVERRIDE".to_string(),
             "--cap-add=NET_BIND_SERVICE".to_string(),
         ],
     }