fix(profiler): extract commands when MSGID=command, not just MSGID=NIL

The Dockerfile PROMPT_COMMAND logger uses --msgid command, so the MSGID
field arrives as 'command' not '-'. The CMD rewrite block was guarded by
event_type == '-' so it never fired, leaving fields['command'] unpopulated
and cmd_text=None for every SSH session command.

Broaden the guard to also match event_type == 'command' with no existing
'command' field, which covers both the intended (MSGID=NIL) and actual
(MSGID=command) wire formats.

decnet/correlation/parser.py

@@ -137,11 +137,12 @@ def parse_line(line: str) -> LogEvent | None:
         msg = tail.group(1).strip() if tail else ""
     attacker_ip = _extract_attacker_ip(fields, msg)
 
-    # Free-form bash PROMPT_COMMAND lines arrive with MSGID=NIL and a body
+    # Free-form bash PROMPT_COMMAND lines arrive with MSGID=NIL or MSGID=command
-    # like `CMD uid=0 user=root src=… pwd=… cmd=<rest of line>`. Without
+    # and a body like `CMD uid=0 user=root src=… pwd=… cmd=<rest of line>`.
-    # this rewrite they're invisible to the behavioral profiler, which
+    # Without this rewrite they're invisible to the behavioral profiler, which
-    # filters on event_type ∈ {command, exec, query, …}.
+    # filters on event_type ∈ {command, exec, query, …}. The Dockerfile logger
-    if event_type == "-" and msg.startswith("CMD "):
+    # invocation uses --msgid command, so we must also handle the non-nil case.
+    if event_type in ("-", "command") and msg.startswith("CMD ") and "command" not in fields:
         event_type = "command"
         head, sep, cmd_rest = msg[4:].partition("cmd=")
         for k, v in re.findall(r'(\w+)=(\S+)', head):