fix: add required capabilities to UI container specs for nginx startup

Nginx needs CHOWN, SETUID, SETGID to chown cache directories and drop
privileges on startup. LND UI additionally needs NET_BIND_SERVICE to
bind port 80 inside the container. Without these, cap-drop ALL causes
nginx to crash with "Operation not permitted" on chown or bind.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/container-specs.sh

@@ -494,8 +494,8 @@ load_spec_archy-bitcoin-ui() {
   SPEC_MEMORY="$(mem_limit archy-bitcoin-ui)"
   SPEC_TIER="4"
   SPEC_LOCAL_IMAGE="true"
-  SPEC_CAPS=""
-  SPEC_SECURITY=""
+  SPEC_CAPS="CHOWN SETUID SETGID"
+  SPEC_SECURITY="no-new-privileges:true"
 }
 
 load_spec_archy-lnd-ui() {
@@ -506,8 +506,8 @@ load_spec_archy-lnd-ui() {
   SPEC_MEMORY="$(mem_limit archy-lnd-ui)"
   SPEC_TIER="4"
   SPEC_LOCAL_IMAGE="true"
-  SPEC_CAPS=""
-  SPEC_SECURITY=""
+  SPEC_CAPS="CHOWN SETUID SETGID NET_BIND_SERVICE"
+  SPEC_SECURITY="no-new-privileges:true"
 }
 
 load_spec_archy-electrs-ui() {
@@ -518,8 +518,8 @@ load_spec_archy-electrs-ui() {
   SPEC_MEMORY="$(mem_limit archy-electrs-ui)"
   SPEC_TIER="4"
   SPEC_LOCAL_IMAGE="true"
-  SPEC_CAPS=""
-  SPEC_SECURITY=""
+  SPEC_CAPS="CHOWN SETUID SETGID"
+  SPEC_SECURITY="no-new-privileges:true"
 }
 
 # ── Registry ─────────────────────────────────────────────────────────