refactor(litespeed): drop setUIDMode for shared lsphp + cut opcache 128→32M

OLS runs as the customer user end-to-end (server-level user/group set by
create-vhost-litespeed.sh), so lsphp inherits that uid without per-request
suEXEC. Eliminates the per-httpd-worker lsphp instance fan-out — one shared
lsphp parent now serves all httpd workers via the shared socket.

Combined with opcache.memory_consumption 128→32M, brain-jar measured shmem
dropped from ~880 MiB → 32 MiB and memory.current from ~1.1 GiB → 67 MiB
at the 1.5 GiB cap. No new oom_kills since the change.

Safe because cac-litespeed is one-customer-per-container — the container
boundary is the privsep boundary.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/create-vhost-litespeed.sh

@@ -56,6 +56,17 @@ awk '
 ' "$LSWS_CONF/httpd_config.conf" > "$LSWS_CONF/httpd_config.conf.new"
 mv "$LSWS_CONF/httpd_config.conf.new" "$LSWS_CONF/httpd_config.conf"
 
+## Server-level user/group → customer. Without this, OLS runs as nobody and
+## either can't read customer files (no setUIDMode) or has to lscgid-spawn a
+## per-uid lsphp for every httpd worker (the setUIDMode 2 pathway). With OLS
+## itself running as ${user}, a single shared lsphp parent serves all httpd
+## workers, LSAPI children-mode actually engages, and shmem stops fanning out.
+## OLS still starts as root (PID 1 binds 80/443) then drops privs after bind.
+sed -i \
+  -e "s|^user[[:space:]].*|user                             ${user}|" \
+  -e "s|^group[[:space:]].*|group                            ${user}|" \
+  "$LSWS_CONF/httpd_config.conf"
+
 ## --- append our listeners + vhTemplate ---
 SENTINEL="## ---- cac-litespeed append (do not edit below) ----"
 {