fix(iso): pet hardware watchdog via systemd RuntimeWatchdogSec=30s

Without a keepalive the kernel watchdog timer expires and reboots
the host mid-audit. Configuring RuntimeWatchdogSec lets systemd PID 1
reset /dev/watchdog every 30 s — well within the typical 60 s timeout.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/overlay/etc/systemd/system.conf.d/watchdog.conf

@@ -0,0 +1,4 @@
+[Manager]
+# Pet the hardware watchdog every 30s so the host doesn't reboot mid-audit.
+# Kernel watchdog timeout is typically 60s; 30s gives a safe 2× margin.
+RuntimeWatchdogSec=30s