feat: remote commands, systemd units, process observability, broker auth split

- Command intake (reboot/shutdown) on infoscreen/{uuid}/commands with ack lifecycle
- MQTT_USER/MQTT_PASSWORD_BROKER split from identity vars; configure_mqtt_security() updated
- infoscreen-simclient.service: Type=notify, WatchdogSec=60, Restart=on-failure
- infoscreen-notify-failure@.service + script: retained MQTT alert when systemd gives up (Gap 3)
- _sd_notify() watchdog keepalive in simclient main loop (Gap 1)
- broker_connection block in health payload: reconnect_count, last_disconnect_at (Gap 2)
- COMMAND_MOCK_REBOOT_IMMEDIATE_COMPLETE canary flag with safety guard
- SERVER_TEAM_ACTIONS.md: server-side integration action items
- Docs: README, CHANGELOG, src/README, copilot-instructions updated
- 43 tests passing

scripts/install-command-helper.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Installs the privileged command helper and sudoers drop-in.
+# Usage: ./scripts/install-command-helper.sh [linux-user]
+
+target_user="${1:-$USER}"
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+helper_src="$script_dir/infoscreen-cmd-helper.sh"
+helper_dst="/usr/local/bin/infoscreen-cmd-helper.sh"
+sudoers_file="/etc/sudoers.d/infoscreen-command-helper"
+
+if [[ ! -f "$helper_src" ]]; then
+  echo "helper source not found: $helper_src" >&2
+  exit 1
+fi
+
+sudo install -m 0755 "$helper_src" "$helper_dst"
+printf '%s\n' "$target_user ALL=(ALL) NOPASSWD: $helper_dst" | sudo tee "$sudoers_file" >/dev/null
+sudo chmod 0440 "$sudoers_file"
+sudo visudo -cf "$sudoers_file" >/dev/null
+
+echo "Installed helper: $helper_dst"
+echo "Installed sudoers: $sudoers_file (user: $target_user)"