fix(ssh-capture): cloak syslog relay pipe and cat process

Rename the rsyslog→stdout pipe from /var/run/decnet-logs (dead giveaway)
to /run/systemd/journal/syslog-relay, and launch the relay via
exec -a "systemd-journal-fwd" so ps shows a plausible systemd forwarder
instead of a bare cat. Casual ps/ls inspection now shows nothing
with "decnet" in the name.

templates/ssh/Dockerfile

@@ -36,8 +36,8 @@ RUN sed -i \
 RUN printf '%s\n' \
     '# DECNET log bridge — auth + user events → named pipe as RFC 5424' \
     '$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
-    'auth,authpriv.*  |/var/run/decnet-logs;RFC5424fmt' \
-    'user.*           |/var/run/decnet-logs;RFC5424fmt' \
+    'auth,authpriv.*  |/run/systemd/journal/syslog-relay;RFC5424fmt' \
+    'user.*           |/run/systemd/journal/syslog-relay;RFC5424fmt' \
     > /etc/rsyslog.d/99-decnet.conf
 
 # Silence default catch-all rules so we own auth/user routing exclusively

templates/ssh/entrypoint.sh

@@ -31,11 +31,13 @@ ls /var/www/html
 HIST
 fi
 
-# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture
-mkfifo /var/run/decnet-logs
+# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture.
+# Pipe lives under /run/systemd/journal/ and the relay process is cloaked via
+# exec -a so `ps aux` shows "systemd-journal-fwd" instead of a raw `cat`.
+mkdir -p /run/systemd/journal
+mkfifo /run/systemd/journal/syslog-relay
 
-# Relay pipe to stdout so Docker captures all syslog events
-cat /var/run/decnet-logs &
+bash -c 'exec -a "systemd-journal-fwd" cat /run/systemd/journal/syslog-relay' &
 
 # Start rsyslog (reads /etc/rsyslog.d/99-decnet.conf, writes to the pipe above)
 rsyslogd