fix(cac-lsphp): entrypoint operates on the /mnt/users docroot, not /home/$user

Code-review integration fixes:
- entrypoint-lsphp.sh: the shared-ols tier mounts the docroot at
  /mnt/users/<user>/<domain> (NOT /home/$user). Discover the mount via glob
  (one site per sidecar; wildcard-safe), create public_html + logs/php-fpm under
  it (so OLS docRoot exists), point lsphp error_log there, and chown just those
  dirs. Verified: sidecar creates public_html under the mount, runs as the
  per-site user, OLS serves PHP (SAPI=litespeed) end-to-end.
- shared-ols vhconf.tpl: per-vhost logs -> /usr/local/lsws/logs/<vhname>.* (the
  shared-ols container has no /home/<user>).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

configs/shared-ols/vhconf.tpl

@@ -59,12 +59,14 @@ context / {
 ## cache block here. OLS stores each vhost's cache in its own subdir under the
 ## module storagePath automatically (per-vhost isolation, spec 5.2).
 
-errorlog ~~LOG_DIR~~/error_log {
+## Per-vhost logs in the shared-ols container's OWN writable log dir (NOT
+## /home/<user>, which doesn't exist here, and NOT the read-only /mnt/users mount).
+errorlog /usr/local/lsws/logs/~~VHNAME~~.error_log {
   logLevel                WARN
   rollingSize             50M
   keepDays                7
 }
-accesslog ~~LOG_DIR~~/access_log {
+accesslog /usr/local/lsws/logs/~~VHNAME~~.access_log {
   rollingSize             50M
   keepDays                7
 }

scripts/entrypoint-lsphp.sh

@@ -40,11 +40,30 @@ if [ ! -x "$LSPHP_BIN" ]; then
   exit 1
 fi
 
-## ---- user + directories (mirror entrypoint-litespeed.sh paths) ----
+## ---- user ----
 if ! id -u "$user" >/dev/null 2>&1; then
   useradd -u "$uid" -m -s /bin/bash "$user"
 fi
-mkdir -p "/home/$user/public_html" "/home/$user/logs/php-fpm"
+
+## ---- locate the customer docroot ----
+## Unlike cac-fpm/cac-litespeed (docroot at /home/$user), the shared-ols tier
+## mounts each site at /mnt/users/<user>/<domain> — the SAME absolute path the
+## shared-ols vhost uses as docRoot, because OLS hands lsphp exactly that path as
+## SCRIPT_FILENAME (feedback_ols_lsapi_no_script_filename_remap). The panel
+## mounts exactly ONE site dir here, so glob it (wildcard-safe: the on-disk dir
+## is wildcard.<domain> for wildcard sites, which the glob picks up verbatim).
+SITE_DIR=""
+for d in /mnt/users/"$user"/*/; do
+  [ -d "$d" ] || continue
+  SITE_DIR="${d%/}"
+  break
+done
+if [ -z "$SITE_DIR" ]; then
+  ## No bind mount yet (e.g. hand-run for testing) — fall back to a sane path so
+  ## lsphp still starts; OLS will send the real docRoot at request time.
+  SITE_DIR="/mnt/users/$user/site"
+fi
+mkdir -p "$SITE_DIR/public_html" "$SITE_DIR/logs/php-fpm"
 
 ## ---- detached-lsphp pool sizing ----
 # shellcheck source=/dev/null
@@ -71,7 +90,7 @@ if [ -n "$SCAN_DIR" ]; then
   mkdir -p "$SCAN_DIR"
   cat > "$SCAN_DIR/99-user-error-log.ini" <<EOF
 ; rendered at container start by entrypoint-lsphp.sh
-error_log = /home/${user}/logs/php-fpm/error.log
+error_log = ${SITE_DIR}/logs/php-fpm/error.log
 log_errors = On
 EOF
   ## Per-site opcache override (panel: Advanced Tuning → OpCache size); falls
@@ -87,9 +106,13 @@ EOF
 fi
 
 ## ---- ownership ----
-touch "/home/$user/logs/php-fpm/error.log"
-chown -R "$user:$user" "/home/$user"
-chmod 755 "/home/$user"
+## Own the docroot + logs so lsphp (running as $user) can read code and write
+## logs. Don't recurse the whole tree blindly — just ensure the dirs we created
+## and the log file are customer-owned (customer content may be large; a full
+## recursive chown every boot would be wasteful, and the files are already
+## customer-owned from the host side).
+touch "$SITE_DIR/logs/php-fpm/error.log"
+chown "$uid:$uid" "$SITE_DIR" "$SITE_DIR/public_html" "$SITE_DIR/logs" "$SITE_DIR/logs/php-fpm" "$SITE_DIR/logs/php-fpm/error.log" 2>/dev/null || true
 
 ## ---- exec lsphp -b as the customer user (PID 1) ----
 ## Bind port is unprivileged (9000), so no root port-bind step is needed — start