refactor(litespeed): drop setUIDMode for shared lsphp + cut opcache 128→32M

OLS runs as the customer user end-to-end (server-level user/group set by
create-vhost-litespeed.sh), so lsphp inherits that uid without per-request
suEXEC. Eliminates the per-httpd-worker lsphp instance fan-out — one shared
lsphp parent now serves all httpd workers via the shared socket.

Combined with opcache.memory_consumption 128→32M, brain-jar measured shmem
dropped from ~880 MiB → 32 MiB and memory.current from ~1.1 GiB → 67 MiB
at the 1.5 GiB cap. No new oom_kills since the change.

Safe because cac-litespeed is one-customer-per-container — the container
boundary is the privsep boundary.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

configs/litespeed/site-template.tpl

@@ -8,11 +8,16 @@
 allowSymbolLink           1
 enableScript              1
 restrained                1
-## setUIDMode 2 = DocRoot UID — lsphp suexec's to the OWNER of vhRoot.
-## We chown /home/${user} to ${user}:${user} in the entrypoint, so PHP
-## runs as the customer per request. Container is still the privsep
-## boundary; this is the clean "scripts run as user" model.
-setUIDMode                2
+## No setUIDMode — OLS itself runs as ${user} (set at server level by
+## create-vhost-litespeed.sh), so lsphp inherits that uid without needing
+## suEXEC per request. This is the key to single-lsphp-instance topology:
+## with setUIDMode 2, each httpd worker had to lscgid-spawn its own lsphp
+## (= N opcache shmem segments). Without it, ONE persistent lsphp parent
+## serves all httpd workers via the shared socket, and LSAPI children-mode
+## actually works (1 parent + N children = 1 shmem segment).
+##
+## Safe because cac-litespeed is one-customer-per-container — the container
+## boundary IS the privsep boundary.
 vhRoot                    /home/${user}/public_html/
 configFile                $SERVER_ROOT/conf/vhosts/$VH_NAME/vhconf.conf