fix(ssh-capture): cloak syslog relay pipe and cat process

Rename the rsyslog→stdout pipe from /var/run/decnet-logs (dead giveaway)
to /run/systemd/journal/syslog-relay, and launch the relay via
exec -a "systemd-journal-fwd" so ps shows a plausible systemd forwarder
instead of a bare cat. Casual ps/ls inspection now shows nothing
with "decnet" in the name.

templates/ssh/entrypoint.sh

@@ -31,11 +31,13 @@ ls /var/www/html
 HIST
 fi
 
-# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture
-mkfifo /var/run/decnet-logs
+# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture.
+# Pipe lives under /run/systemd/journal/ and the relay process is cloaked via
+# exec -a so `ps aux` shows "systemd-journal-fwd" instead of a raw `cat`.
+mkdir -p /run/systemd/journal
+mkfifo /run/systemd/journal/syslog-relay
 
-# Relay pipe to stdout so Docker captures all syslog events
-cat /var/run/decnet-logs &
+bash -c 'exec -a "systemd-journal-fwd" cat /run/systemd/journal/syslog-relay' &
 
 # Start rsyslog (reads /etc/rsyslog.d/99-decnet.conf, writes to the pipe above)
 rsyslogd