CI lint: enforce security_opt + cap_drop on every service in examples/compose.*.yml #24

@CybotTM

Description

PR #21's security audit (#21) caught that the new Bugsink overlay services initially shipped without security_opt: [no-new-privileges:true] and cap_drop: [ALL] — every other service in compose.yml has both, but compose anchors don't survive overlays so it's easy to forget.

The base compose.yml uses an x-logging anchor as a global default; we should treat security_opt + cap_drop the same way and fail CI when an overlay service is missing them.

Implementation sketch:

# .github/workflows/lint.yml (new step)
- name: Hardening check on overlays
  run: |
    rc=0
    for f in examples/compose.*.yml; do
      # Render base + overlay merged, as JSON, and list every service whose
      # effective config lacks either guard (jq instead of yq: `config` can
      # emit JSON directly, and jq's any() avoids the tostring/contains hack).
      bad=$(docker compose -f compose.yml -f "$f" config --format json | jq -r '
        .services | to_entries[]
        | select(
            ((.value.security_opt // []) | any(contains("no-new-privileges")) | not) or
            ((.value.cap_drop     // []) | any(. == "ALL")                    | not)
          )
        | .key')
      if [ -n "$bad" ]; then
        # GitHub annotation: names the overlay file and the offending service(s)
        echo "::error file=$f::unhardened services (need security_opt no-new-privileges:true + cap_drop ALL):" $bad
        rc=1
      fi
    done
    exit $rc

(Sketch — real check needs to handle services with merged-from-base hardening vs. their own.)

Acceptance:

  • A PR that adds a new service to any examples/compose.*.yml without security_opt + cap_drop fails CI with a clear error pointing at the service name + file
  • Existing overlays pass

Background: independently flagged by the security audit on PR #21 ("Bugsink overlay drops the stack's container-hardening posture").
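The rule the issue proposes, as an added stand-alone example (not code from the repository or from the issue author): it takes the JSON that `docker compose -f compose.yml -f <overlay> config --format json` prints and returns the services whose effective config lacks either guard, so the logic can be unit-tested without Docker. It also handles an edge the substring check in the sketch misses, an explicit `no-new-privileges:false`. The sample config and its service names are constructed for illustration; treating `cap_drop: [all]` as equivalent to `ALL` is an assumption.

```python
"""Hardening check over a rendered compose config (added example, not project code).

Input is the JSON form of `docker compose ... config`, so the base+overlay merge has
already happened and each service shows its effective security_opt / cap_drop.
"""
import json
import sys

REQUIRED_CAP_DROP = "ALL"


def has_no_new_privileges(security_opt):
    """True if security_opt enables no-new-privileges.

    Accepts the compose spelling ``no-new-privileges:true`` and the bare
    ``no-new-privileges``; an explicit ``no-new-privileges:false`` does not
    count, although a plain substring match would accept it.
    """
    for opt in security_opt or []:
        key, _, value = str(opt).partition(":")
        if key.strip() == "no-new-privileges" and value.strip().lower() in ("", "true"):
            return True
    return False


def drops_all_caps(cap_drop):
    """True if cap_drop includes ALL.

    Case-insensitive comparison is an assumption made here; compose files in
    the wild normally write ALL.
    """
    return any(str(c).strip().upper() == REQUIRED_CAP_DROP for c in cap_drop or [])


def unhardened_services(config):
    """Return [(service_name, [missing guards...])] for every service lacking a
    guard, sorted by name so CI output is stable."""
    bad = []
    for name, svc in (config.get("services") or {}).items():
        svc = svc or {}
        missing = []
        if not has_no_new_privileges(svc.get("security_opt")):
            missing.append("security_opt no-new-privileges")
        if not drops_all_caps(svc.get("cap_drop")):
            missing.append("cap_drop ALL")
        if missing:
            bad.append((name, missing))
    return sorted(bad)


# Constructed sample standing in for a merged base+overlay render.  "app" is a
# hardened base service, "sidecar" uses the alternate spellings, and the two
# "overlay*" services are the kind of omission the CI step should catch.
SAMPLE_CONFIG = json.loads("""
{
  "services": {
    "app":      {"image": "example/app",     "security_opt": ["no-new-privileges:true"],  "cap_drop": ["ALL"]},
    "sidecar":  {"image": "example/sidecar", "security_opt": ["no-new-privileges"],       "cap_drop": ["all"]},
    "overlay1": {"image": "example/overlay", "cap_drop": ["ALL"]},
    "overlay2": {"image": "example/overlay", "security_opt": ["no-new-privileges:false"], "cap_drop": ["NET_RAW"]}
  }
}
""")


def main(argv):
    """Usage: check.py [rendered-config.json]; exits 1 if any service is unhardened."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            config = json.load(fh)
    else:
        config = SAMPLE_CONFIG
    bad = unhardened_services(config)
    for name, missing in bad:
        print(f"unhardened service {name}: missing {', '.join(missing)}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In CI this would run as `docker compose -f compose.yml -f "$f" config --format json > /tmp/merged.json && python check.py /tmp/merged.json` per overlay; the exit status is what fails the job, and the printed lines carry the service names the acceptance criteria ask for.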

Metadata

Assignees

No one assigned

    Labels

    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests