feat(actions): SSH forced-command service-restart channel + host wrapper

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/void-act

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Forced command for the Void's restricted key. Maps a whitelisted action id to a
+# concrete systemctl restart. The id arrives via SSH_ORIGINAL_COMMAND; nothing else
+# is honoured. Edit the case list per host. Keep in sync with config/actions.json.
+#
+# Install on each target host:
+#   install -m 755 void-act /usr/local/bin/void-act
+#   # in voidact's ~/.ssh/authorized_keys, prefix the Void's pubkey with:
+#   command="/usr/local/bin/void-act",no-port-forwarding,no-pty,no-X11-forwarding <pubkey>
+set -euo pipefail
+id="${SSH_ORIGINAL_COMMAND:-}"
+case "$id" in
+  restart-caddy-ct100) exec systemctl restart caddy ;;
+  *) echo "void-act: refused '$id'" >&2; exit 13 ;;
+esac