refactor: strip DECNET tokens from container-visible surface

Rename the container-side logging module decnet_logging → syslog_bridge
(canonical at templates/syslog_bridge.py, synced into each template by
the deployer). Drop the stale per-template copies; setuptools find was
picking them up anyway. Swap useradd/USER/chown "decnet" for "logrelay"
so no obvious token appears in the rendered container image.

Apply the same cloaking pattern to the telnet template that SSH got:
syslog pipe moves to /run/systemd/journal/syslog-relay and the relay
is cat'd via exec -a "systemd-journal-fwd". rsyslog.d conf rename
99-decnet.conf → 50-journal-forward.conf. SSH capture script:
/var/decnet/captured → /var/lib/systemd/coredump (real systemd path),
logger tag decnet-capture → systemd-journal. Compose volume updated
to match the new in-container quarantine path.

SD element ID shifts decnet@55555 → relay@55555; synced across
collector, parser, sniffer, prober, formatter, tests, and docs so the
host-side pipeline still matches what containers emit.
2026-04-17 22:57:53 -04:00
parent 69510fb880
commit 8dd4c78b33
114 changed files with 220 additions and 2712 deletions
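The host-side pipeline the commit message mentions (collector, parser, sniffer, prober, formatter) only works if it recognises exactly what the containers emit: RFC 5424 lines in the RFC5424fmt layout shown in the Dockerfile hunk on this page, with the SD element ID now `relay@55555`. The parser below is an added example, not code from this repository: the function names, the `web01` host, PIDs, addresses and the `session`/`src`/`cmd` parameter names are all constructed here (the page does not say what parameters the relay@55555 element carries). It decodes the three PARAM-VALUE escapes RFC 5424 allows, tolerates the double space rsyslog's `%msg%` produces for legacy senders, and shows that a collector still pinned to the old decnet@55555 ID keeps nothing but a stale emitter's lines.

```python
"""RFC 5424 parser for the lines rsyslog renders with the RFC5424fmt template
(<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG), plus a
selector for events carrying a given SD-ID. Added example: function names and
sample lines are constructed here, not taken from the repository on this page."""
import re
from typing import Dict, List, Tuple

# HEADER per RFC 5424 section 6.2; STRUCTURED-DATA and MSG follow the final SP.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
SDElements = Dict[str, Dict[str, str]]  # SD-ID -> {PARAM-NAME: PARAM-VALUE}


def parse_structured_data(s: str) -> Tuple[SDElements, str]:
    """Consume STRUCTURED-DATA from the front of s; return (elements, rest).
    Decodes the RFC 5424 PARAM-VALUE escapes \\" \\] and \\\\ ."""
    if s.startswith("-"):
        return {}, s[1:]
    elements: SDElements = {}
    i = 0
    while i < len(s) and s[i] == "[":
        j = i = i + 1
        while j < len(s) and s[j] not in " ]":  # SD-ID ends at SP or ']'
            j += 1
        sd_id, params, i = s[i:j], {}, j
        while i < len(s) and s[i] == " ":  # SP SD-PARAM, zero or more times
            j = s.index("=", i + 1)
            name = s[i + 1:j]
            if j + 1 >= len(s) or s[j + 1] != '"':
                raise ValueError("PARAM-VALUE must be double-quoted")
            i, buf = j + 2, []
            while i < len(s) and s[i] != '"':
                if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '"]\\':
                    i += 1  # keep the escaped character, drop the backslash
                buf.append(s[i])
                i += 1
            if i >= len(s):
                raise ValueError("unterminated PARAM-VALUE")
            i += 1  # past the closing quote
            params[name] = "".join(buf)
        if i >= len(s) or s[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        i += 1
        elements[sd_id] = params
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more SD-ELEMENTs")
    return elements, s[i:]


def parse_rfc5424(line: str) -> dict:
    m = _HEADER.match(line)
    if not m or m.group("ver") != "1":
        raise ValueError(f"not an RFC 5424 version 1 line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    sd, rest = parse_structured_data(line[m.end():])
    # RFC 5424 puts exactly one SP before MSG, but rsyslog's %msg% keeps the
    # leading space legacy senders put after the tag, so the template yields a
    # double space on those lines; strip every leading SP rather than one.
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "hostname": m.group("host"), "app_name": m.group("app"),
            "procid": m.group("procid"), "msgid": m.group("msgid"),
            "sd": sd, "msg": rest.lstrip(" ").rstrip("\n")}


def select_by_sd_id(lines, sd_id: str = "relay@55555") -> List[dict]:
    """Events carrying sd_id; a collector still pinned to decnet@55555 would
    parse every line below and keep only the stale one."""
    return [ev for ev in (parse_rfc5424(l) for l in lines if l.strip())
            if sd_id in ev["sd"]]


# Constructed sample lines in the RFC5424fmt layout, not captured traffic.
SAMPLE_LINES = [
    '<38>1 2026-04-17T22:57:53.123456-04:00 web01 sshd 412 - '
    '[relay@55555 session="a1" src="203.0.113.7" cmd="cat /etc/passwd"] '
    'Accepted password for root from 203.0.113.7 port 51234 ssh2\n',
    # STRUCTURED-DATA is '-' and the legacy msg keeps its leading space
    '<38>1 2026-04-17T22:57:54.000000-04:00 web01 sshd 412 - -  '
    'Failed password for admin from 203.0.113.7 port 51235 ssh2\n',
    # a stale emitter still using the pre-rename SD-ID
    '<14>1 2026-04-17T22:57:55.000000-04:00 web01 systemd-journal-fwd 77 - '
    '[decnet@55555 session="old"] pre-rename element, must not match\n',
    # escaped quote and bracket inside a PARAM-VALUE
    '<38>1 2026-04-17T22:57:56.000000-04:00 web01 in.telnetd 509 - '
    '[relay@55555 session="b2" cmd="echo \\"hi\\" > /tmp/x\\]"] telnet login\n',
]
```

Point the reader of the FIFO at `select_by_sd_id(fifo_lines)` and anything the container emits without the agreed SD-ID is parsed but dropped, which is the failure mode to watch for when the ID changes on one side only: no errors, just an empty capture stream.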


@@ -10,11 +10,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
# rsyslog: forward auth.* and user.* to named pipe in RFC 5424 format
RUN printf '%s\n' \
'# DECNET log bridge — auth + user events → named pipe as RFC 5424' \
'# syslog-relay log bridge — auth + user events → named pipe as RFC 5424' \
'$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
'auth,authpriv.* |/var/run/decnet-logs;RFC5424fmt' \
'user.* |/var/run/decnet-logs;RFC5424fmt' \
> /etc/rsyslog.d/99-decnet.conf
'auth,authpriv.* |/run/systemd/journal/syslog-relay;RFC5424fmt' \
'user.* |/run/systemd/journal/syslog-relay;RFC5424fmt' \
> /etc/rsyslog.d/50-journal-forward.conf
# Disable imklog — containers can't read /proc/kmsg
RUN sed -i 's/^\(module(load="imklog"\)/# \1/' /etc/rsyslog.conf
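Review bot: both rules now write to /run/systemd/journal/syslog-relay, but nothing in this hunk creates that FIFO or its parent directory, and /run/systemd/journal/ only exists where journald is actually running, which it is not in this image; rsyslog's pipe action opens an existing named pipe rather than creating one, so if the mkfifo that used to target /var/run/decnet-logs was not moved along with these two lines (plus a mkdir -p for the new directory), the action fails to open at start and auth/user events never reach the host collector. Please confirm that step changed in the same layer set. Style point on the `$template RFC5424fmt,...` line: the format string is byte-for-byte rsyslog's built-in RSYSLOG_SyslogProtocol23Format, so the two rules could end in `;RSYSLOG_SyslogProtocol23Format` and the $template line can go, leaving one less place where a hand-rolled template can drift from what the host-side parser expects.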