feat(actions): SSH forced-command service-restart channel + host wrapper

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/actions/ssh.test.js

@@ -0,0 +1,24 @@
+import { describe, it, expect } from 'vitest';
+import { restartService } from '../../lib/actions/channels/ssh.js';
+
+describe('ssh channel', () => {
+  it('spawns ssh with argv (no shell string) sending only the action id', async () => {
+    const calls = [];
+    const spawnMock = (cmd, args) => {
+      calls.push({ cmd, args });
+      return { stdout: { on(ev, cb) { if (ev === 'data') cb('ok\n'); } }, stderr: { on() {} },
+        on(ev, cb) { if (ev === 'close') cb(0); } };
+    };
+    const out = await restartService({ ip: '192.168.1.230', actionId: 'restart-caddy-ct100' },
+      { keyPath: '/k', user: 'voidact', spawnImpl: spawnMock });
+    expect(out.ok).toBe(true);
+    const { cmd, args } = calls[0];
+    expect(cmd).toBe('ssh');
+    expect(args).toEqual(['-i', '/k', '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new',
+      'voidact@192.168.1.230', 'restart-caddy-ct100']);
+  });
+  it('rejects an action id with shell metacharacters', async () => {
+    await expect(restartService({ ip: '1.2.3.4', actionId: 'x; rm -rf /' }, { spawnImpl: () => {} }))
+      .rejects.toThrow(/invalid action id/i);
+  });
+});