feat: SSH log relay emits proper DECNET syslog for sshd events

New log_relay.py replaces raw 'cat' on the rsyslog pipe. Intercepts
sshd and bash lines and re-emits them as structured RFC 5424 events:
login_success, session_opened, disconnect, connection_closed, command.
Parsers updated to accept non-nil PROCID (sshd uses PID).

templates/ssh/entrypoint.sh

@@ -34,8 +34,8 @@ fi
 # Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture
 mkfifo /var/run/decnet-logs
 
-# Relay pipe to stdout so Docker captures all syslog events
-cat /var/run/decnet-logs &
+# Relay pipe through Python log_relay — normalizes sshd/bash events to DECNET format
+python3 /opt/log_relay.py &
 
 # Start rsyslog (reads /etc/rsyslog.d/99-decnet.conf, writes to the pipe above)
 rsyslogd