Add cac-litespeed image family (OpenLiteSpeed, native LSAPI)

New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN.
Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache,
all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in.

Files:
- Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb)
- configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl
- scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh

CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only
release with prebuilt images for all 5 PHP versions on Docker Hub).

Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile.litespeed

@@ -0,0 +1,92 @@
+## cac-litespeed — OpenLiteSpeed customer container, LSAPI-native.
+##
+## Built on top of the LiteSpeed-maintained prebuilt image rather than
+## installed-from-RPM on AlmaLinux 10. Rationale:
+##   - The EL10 RPM ships an empty /usr/local/lsws/cgid/ directory (the
+##     lscgid suexec helper is built by the upstream tarball install.sh,
+##     not packaged), which makes LSAPI unusable.
+##   - The prebuilt image is Ubuntu 24.04-based and includes lsphp +
+##     everything WP/WooCommerce needs out of the box (memcached, redis,
+##     imagick, mbstring, mysqlnd, intl, gd, soap, bcmath, gmp, sodium,
+##     opcache, ...) — saves us a dozen explicit installs and avoids the
+##     libonig.so.105 packaging bug entirely.
+##   - LiteSpeed Inc maintains it; OLS upgrades become a base-image bump.
+##
+## Tradeoff vs the rest of the CAC family: this image is Ubuntu-based,
+## not AlmaLinux. The "cac" naming is now slightly misleading (it's no
+## longer Cloud *Apache* Container, it's Cloud LiteSpeed Container) but
+## the panel doesn't care and the customer-facing contract is identical.
+
+## ARG before FROM is special — it can be used in the FROM line, but the
+## value goes out of scope inside the image, so we re-declare ARG PHPVER
+## after FROM for any RUN steps that need it.
+ARG OLS_VERSION=1.8.5
+ARG PHPVER=83
+FROM litespeedtech/openlitespeed:${OLS_VERSION}-lsphp${PHPVER}
+ARG PHPVER=83
+ENV PHPVER=${PHPVER}
+
+## Tooling we layer on top of the base:
+##   - gettext-base: envsubst for runtime template rendering
+##   - sudo: install-lscache-wp.sh runs wp-cli as the customer user
+##   - composer: not in the base image (wp-cli is)
+##   - cron: customer crontab support (mirror cac:phpXX behaviour)
+##   - mariadb-server + memcached: DEV-mode parity with the existing CAC
+##     entrypoints. PROD mode never starts these.
+##   - lsphp83-ldap: not in base image, useful for some WP plugins
+##
+## All apt cache is cleaned in the same layer to keep image size down.
+## lsphp${PHPVER}-ldap is the only extra ext we add (everything else WP needs
+## ships in the prebuilt base). lsphp84 + lsphp85 don't ship imap or pspell
+## from LiteSpeed — customers needing imap should pin to 8.3 or earlier.
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        gettext-base sudo cron \
+        ca-certificates curl wget \
+        mariadb-server memcached \
+        lsphp${PHPVER}-ldap && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
+
+## Composer (matches the wp-cli pattern in the existing CAC Dockerfile —
+## phar download, no `php install` pipe since lsphp's CLI mode is fine).
+RUN curl -fsSL -o /usr/local/bin/composer https://getcomposer.org/download/latest-stable/composer.phar && \
+    chmod +x /usr/local/bin/composer
+
+## Our scripts + config templates layer in last (they change most often,
+## keep them off the slow apt layer).
+COPY ./scripts/entrypoint-litespeed.sh \
+     ./scripts/create-vhost-litespeed.sh \
+     ./scripts/detect-memory-litespeed.sh \
+     ./scripts/install-lscache-wp.sh \
+     ./scripts/log-rotate.sh \
+     /scripts/
+RUN chmod +x /scripts/*
+COPY ./configs/litespeed/ /etc/lsws-templates/
+
+## Apply our production lsphp ini overrides. Ask lsphp for its scan dir
+## directly (varies by PHP minor version: 8.3/8.4/8.5 each have their own
+## /usr/local/lsws/lsphpNN/etc/php/8.M/mods-available/). Dockerfile RUN uses
+## /bin/sh so we explicitly `bash -c` for safer scripting.
+RUN bash -c 'set -e; \
+    SCAN_DIR=$(/usr/local/lsws/lsphp${PHPVER}/bin/lsphp -i 2>/dev/null | awk -F"=> " "/^Scan this dir/ {print \$2; exit}"); \
+    mkdir -p "$SCAN_DIR"; \
+    cp /etc/lsws-templates/lsphp-overrides.ini "$SCAN_DIR/99-prod-overrides.ini"; \
+    echo "wrote overrides to $SCAN_DIR"'
+
+## Disable the OLS WebAdmin port for customer-facing containers. Bind admin
+## listener to loopback so it's unreachable even from the docker network.
+RUN sed -i 's|^[[:space:]]*address[[:space:]]\+\*:|  address               127.0.0.1:|' \
+        /usr/local/lsws/admin/conf/admin_config.conf 2>/dev/null || true
+
+## Cron entry for log rotation (mirrors cac:phpXX).
+RUN echo "15 */12 * * * root /scripts/log-rotate.sh" >> /etc/crontab
+
+EXPOSE 80 443
+
+## Healthcheck: the entrypoint drops a static /healthz into the customer
+## docroot at boot, so this passes even before any customer files exist.
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD curl -fsSk https://127.0.0.1/healthz || exit 1
+
+ENTRYPOINT ["/scripts/entrypoint-litespeed.sh"]