fix(ssh-capture): hide watcher bash argv and sanitize script header
Two leaks remained after the inotifywait argv fix:
1. The bash running journal-relay showed its argv[1] (the script path)
in /proc/PID/cmdline, producing a line like
'journal-relay /usr/libexec/udev/journal-relay'
Apply argv_zap.so to that bash too.
2. argv_zap previously hardcoded PR_SET_NAME to 'kmsg-watch', which was
wrong for any caller other than inotifywait. The comm name now comes
from ARGV_ZAP_COMM so each caller can pick its own (kmsg-watch for
inotifywait, journal-relay for the watcher bash).
3. The capture.sh header started with 'SSH honeypot file-catcher' —
fatal if an attacker runs 'cat' on it. Rewritten as a plausible
systemd-journal relay helper; stray 'attacker' / 'honeypot' words
in mid-script comments stripped too.
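The mechanism the commit message describes (an LD_PRELOAD library that blanks argv[1..] so /proc/PID/cmdline shows only the cover name, and sets /proc/PID/comm from ARGV_ZAP_COMM), as an added example in C. This is illustrative code, not the project's argv_zap.so: the function names, the build line and the environment scrubbing are assumptions of the example. It goes one step beyond what the commit describes by also wiping its own LD_PRELOAD and ARGV_ZAP_COMM entries from the initial environment block, since /proc/PID/environ otherwise tells a same-uid reader exactly which library was preloaded and which name it was told to fake.

```c
/*
 * argv_zap_example.c: illustrative LD_PRELOAD helper in the spirit of the
 * argv_zap.so described above. Added example code, not the project's library;
 * function names and the env-scrubbing behaviour are assumptions.
 *
 * Build:  gcc -shared -fPIC -O2 -o argv_zap_example.so argv_zap_example.c
 * Try:    ARGV_ZAP_COMM=journal-relay LD_PRELOAD=./argv_zap_example.so sleep 300 &
 *         tr '\0' ' ' < /proc/$!/cmdline; cat /proc/$!/comm
 *         tr '\0' '\n' < /proc/$!/environ | grep -c -e LD_PRELOAD -e ARGV_ZAP
 */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Hide argv[1..argc-1] from /proc/PID/cmdline. The kernel serves cmdline from
 * the process's own stack range (arg_start..arg_end), so the original bytes
 * are zeroed there; main() still needs the values, so each argv[i] pointer is
 * first redirected to a heap copy. argv[0] is left alone: `exec -a` already
 * set it to the cover name. Returns the number of bytes blanked. */
size_t zap_argv(int argc, char **argv)
{
    size_t n = 0;
    for (int i = 1; i < argc && argv[i] != NULL; i++) {
        char *orig = argv[i];
        size_t len = strlen(orig);
        char *copy = strdup(orig);      /* keep the argument usable by main() */
        if (copy == NULL)
            break;                      /* out of memory: leave the rest visible */
        argv[i] = copy;
        memset(orig, 0, len);           /* wipe the stack copy ps would read */
        n += len;
    }
    return n;
}

/* Remove KEY=... from the environment and zero the original bytes.
 * unsetenv() alone only unlinks the pointer from environ[]; the string stays
 * in the stack block that /proc/PID/environ exposes, so it is wiped as well.
 * Pointers are collected before unsetenv() because envp and environ are the
 * same array at constructor time and unsetenv() shifts it. Returns the number
 * of bytes blanked. */
size_t scrub_env_entry(char **envp, const char *key)
{
    size_t klen = strlen(key);
    char *hits[8];                      /* duplicate keys are rare; 8 is plenty */
    int nhits = 0;

    for (char **e = envp; e != NULL && *e != NULL; e++) {
        if (nhits < 8 && strncmp(*e, key, klen) == 0 && (*e)[klen] == '=')
            hits[nhits++] = *e;
    }
    unsetenv(key);                      /* drop it from environ[] ... */
    size_t n = 0;
    for (int i = 0; i < nhits; i++) {   /* ... then wipe the storage */
        size_t len = strlen(hits[i]);
        memset(hits[i], 0, len);
        n += len;
    }
    return n;
}

/* Set the kernel task name (/proc/PID/comm, the COMMAND column of ps -o comm)
 * from ARGV_ZAP_COMM; the kernel truncates it to 15 bytes. Returns 0 on
 * success, -1 if the variable is unset or prctl() fails. */
int set_comm_from_env(void)
{
    const char *name = getenv("ARGV_ZAP_COMM");
    if (name == NULL || *name == '\0')
        return -1;
    return prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0);
}

/* glibc passes argc/argv/envp to ELF constructors, so everything happens
 * before main() of whatever process this library was preloaded into. */
__attribute__((constructor))
static void argv_zap_init(int argc, char **argv, char **envp)
{
    set_comm_from_env();                /* read the name before scrubbing it */
    zap_argv(argc, argv);
    scrub_env_entry(envp, "ARGV_ZAP_COMM");
    scrub_env_entry(envp, "LD_PRELOAD"); /* children no longer inherit it */
}
```

Because this version scrubs LD_PRELOAD from the first process it loads into, it has to be set on the process that actually runs the script rather than on an outer shell that later execs it, for example `ARGV_ZAP_COMM=journal-relay bash -c 'LD_PRELOAD=./argv_zap_example.so exec -a journal-relay bash /path/to/script'`. Even then the preloaded library remains visible in /proc/PID/maps and bash keeps the script open on fd 255, so the cover path itself still has to look innocuous.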
@@ -45,7 +45,12 @@ rsyslogd
# File-catcher: mirror attacker drops into host-mounted quarantine with attribution.
# Script lives at /usr/libexec/udev/journal-relay so `ps aux` shows a
# plausible udev helper. See Dockerfile for the rename rationale.
# LD_PRELOAD + ARGV_ZAP_COMM blank bash's argv[1..] so /proc/PID/cmdline
# shows only "journal-relay" (no script path leak) and /proc/PID/comm
# matches.
CAPTURE_DIR=/var/lib/systemd/coredump \
LD_PRELOAD=/usr/lib/argv_zap.so \
ARGV_ZAP_COMM=journal-relay \
bash -c 'exec -a "journal-relay" bash /usr/libexec/udev/journal-relay' &

# sshd logs via syslog — no -e flag, so auth events flow through rsyslog → pipe → stdout

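Review bot: the `LD_PRELOAD=/usr/lib/argv_zap.so` and `ARGV_ZAP_COMM=journal-relay` prefixes are inherited through the `exec` into the relay bash and from there into every command the script runs, and nothing in this hunk clears them. That leaves /proc/PID/environ naming both the preload library and the cover name for any same-uid reader, which undoes the /proc/PID/cmdline hiding the comment promises, and it also preloads argv_zap.so into the script's children; if the library blanks argv[1..] in every process it loads into, those children see their own arguments wiped. Suggest `unset LD_PRELOAD ARGV_ZAP_COMM` as the first line of the script (or have the library scrub its own variables from the environment block), and softening "(no script path leak)": bash keeps the script open on fd 255, so /proc/PID/fd still resolves to /usr/libexec/udev/journal-relay, and /proc/PID/maps lists /usr/lib/argv_zap.so. Lastly, `# File-catcher: mirror attacker drops into host-mounted quarantine with attribution.` keeps the same giveaway word the commit strips from capture.sh; if this file ships in the image, reword it the same way.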