Add web-shell devcontainer feature

Installs web-shell (persistent browser terminal backed by tmux) from the
SoureCode/web-shell GitHub release tarball via npm, registers a systemd
unit for supervision under Coder + sysbox with a /etc/profile.d fallback
for non-systemd bases, and publishes a Coder workspace app so the
terminal button appears automatically on the workspace page.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chapterjason

README.md

@@ -17,6 +17,7 @@ that hosts the devcontainers these features get installed into — see
 | `claude-code` | `ghcr.io/sourecode/devcontainer-features/claude-code:2` | Installs the Claude Code CLI via the official native installer into `/usr/local/bin`. Declares `~/.claude` and `~/.claude.json` as persistence targets via the `home-persist` manifest. Requires Node.js — automatically pulls in the `nvm` feature via `dependsOn`. |
 | `rtk` | `ghcr.io/sourecode/devcontainer-features/rtk:2` | Installs [rtk](https://github.com/rtk-ai/rtk), an LLM token-reducing CLI proxy, into `/usr/local/bin`. Auto-patches Claude Code via `postCreateCommand` so the hook is written against the live `~/.claude`, not the image. |
 | `context-mode` | `ghcr.io/sourecode/devcontainer-features/context-mode:2` | Installs the [`context-mode`](https://github.com/mksglu/context-mode) Claude Code plugin via `postCreateCommand`, so the plugin lands in `~/.claude/plugins` (which `home-persist` symlinks into the persistence volume when installed). |
+| `web-shell` | `ghcr.io/sourecode/devcontainer-features/web-shell:1` | Installs [web-shell](https://github.com/SoureCode/web-shell) (persistent browser terminal backed by `tmux`) from the GitHub release tarball and registers it as a systemd unit + Coder workspace app. Requires Node.js — automatically pulls in the `nvm` feature via `dependsOn`. |
 | `home-persist` | `ghcr.io/sourecode/devcontainer-features/home-persist:1` | Symlinks declared `$HOME` paths into a per-owner persistence volume at `/mnt/home-persist`. Features and users contribute paths via JSON manifests in `/etc/devcontainer-persist.d/`; an `onCreateCommand` resolver materializes the symlinks on every create. |
 | `nvm` | `ghcr.io/sourecode/devcontainer-features/nvm:2` | Installs [nvm](https://github.com/nvm-sh/nvm) system-wide at `/usr/local/share/nvm` and optionally a Node version (defaults to LTS), with `node`/`npm`/`npx` symlinked into `/usr/local/bin`. No yarn. |
 
@@ -73,6 +74,20 @@ claude-code feature as well. `installsAfter` handles ordering for either
 | `version` | string | `0.40.4` | nvm release tag to install (without the leading `v`). |
 | `node` | string | `lts` | Node version to install via nvm. `lts` uses `nvm install --lts`. `none` skips node install. Anything else is passed as-is to `nvm install`. |
 
+#### `web-shell`
+
+| Option | Type | Default | Purpose |
+|---|---|---|---|
+| `version` | string | `latest` | web-shell release to install. `latest` resolves the newest tag via the GitHub API; otherwise `X.Y.Z` or `vX.Y.Z`. |
+| `port` | string | `4000` | TCP port web-shell binds on. Baked into the systemd unit as `$PORT`. |
+| `host` | string | `127.0.0.1` | Bind address. Baked into the systemd unit as `$HOST`. Use `0.0.0.0` to listen on all interfaces. |
+| `authToken` | string | `""` | Bearer token for incoming connections. Baked into the systemd unit as `$AUTH_TOKEN`. Empty disables auth. |
+
+Declares `dependsOn` for `ghcr.io/sourecode/devcontainer-features/nvm:2`, so
+adding `web-shell` automatically pulls in `nvm` (and Node.js). The Coder app
+registration (`customizations.coder.apps`) makes a **web-shell** button appear
+on the workspace page when running under Coder + sysbox.
+
 #### `home-persist`
 
 | Option | Type | Default | Purpose |
@@ -291,6 +306,10 @@ src/
   rtk/
     devcontainer-feature.json
     install.sh
+  web-shell/
+    devcontainer-feature.json
+    install.sh
+    README.md
 docs/
   migration-guide.md
   persistence.md

src/web-shell/README.md

@@ -0,0 +1,89 @@
+# web-shell devcontainer feature
+
+Installs [web-shell](https://github.com/SoureCode/web-shell) — a persistent
+browser terminal backed by `tmux` — inside a devcontainer and registers it
+as a Coder workspace app.
+
+`web-shell` is a Node.js + xterm.js service. Every session is a `tmux` session
+on the server, so shells survive Node restarts. This feature:
+
+- Installs OS deps (`tmux`, `build-essential`, `python3`, `curl`, `jq`).
+- Downloads the release tarball from `SoureCode/web-shell` and `npm install -g`s
+  it against the Node toolchain provided by the
+  [`nvm`](../nvm) feature (`dependsOn`).
+- Symlinks the binary into `/usr/local/bin/web-shell`.
+- Writes and enables a systemd unit at `/etc/systemd/system/web-shell.service`.
+  Starting is left to container boot — systemd isn't running during image
+  build.
+- Falls back to a `/etc/profile.d/web-shell.sh` login-shell supervisor when
+  PID 1 is not `systemd`.
+
+## OCI reference
+
+```
+ghcr.io/sourecode/devcontainer-features/web-shell:1
+```
+
+## Options
+
+| Option | Type | Default | Purpose |
+|---|---|---|---|
+| `version` | string | `latest` | Release to install. `latest` resolves via the GitHub API; otherwise `X.Y.Z` or `vX.Y.Z`. |
+| `port` | string | `4000` | Port `web-shell` binds on. Baked into the systemd unit as `$PORT`. |
+| `host` | string | `127.0.0.1` | Bind address. Baked into the systemd unit as `$HOST`. Use `0.0.0.0` to listen on all interfaces. |
+| `authToken` | string | `""` | Bearer token required on incoming connections. Baked into the systemd unit as `$AUTH_TOKEN`. Empty disables auth. |
+
+## Usage
+
+```jsonc
+{
+  "image": "debian:trixie-slim",
+  "features": {
+    "ghcr.io/sourecode/devcontainer-features/nvm:2": {},
+    "ghcr.io/sourecode/devcontainer-features/web-shell:1": {}
+  }
+}
+```
+
+`nvm` is pulled in automatically via `dependsOn`, so listing it is optional.
+To expose the service to the workspace's public IP instead of loopback:
+
+```jsonc
+"ghcr.io/sourecode/devcontainer-features/web-shell:1": {
+  "host": "0.0.0.0",
+  "port": "4000",
+  "authToken": "replace-me"
+}
+```
+
+## Coder workspace app
+
+The feature ships a `customizations.coder.apps` entry so that workspaces
+running under Coder's Dev Containers integration (sub-agent) automatically
+render a **web-shell** button on the workspace page. The button opens the
+terminal in the browser — no manual steps.
+
+The app URL uses `${localEnv:PORT:4000}`, so overriding `PORT` in
+`devcontainer.json`'s `containerEnv` (or passing it via the feature option and
+also exposing it as env) is picked up by the Coder button. Set `PORT` in both
+places when customising.
+
+## Supervision
+
+| PID 1 | What runs |
+|---|---|
+| `systemd` (Coder + sysbox, systemd-on-boot bases) | `web-shell.service` — started on container boot, restarted on failure. |
+| Anything else (plain Docker, host-agent runners) | `/etc/profile.d/web-shell.sh` — spawns a background supervisor on first login per user, guarded by `pgrep` so relogins don't duplicate. Logs go to `/tmp/web-shell.log`. |
+
+The systemd unit is always written, even when the fallback is active, so a
+later rebase onto a systemd base just works without reinstalling.
+
+## Checks
+
+After the container is up:
+
+```bash
+which web-shell                              # /usr/local/bin/web-shell
+systemctl is-enabled web-shell.service       # enabled  (on systemd hosts)
+curl -fsS http://127.0.0.1:4000/api/sessions # health endpoint
+```

src/web-shell/devcontainer-feature.json

@@ -0,0 +1,52 @@
+{
+  "id": "web-shell",
+  "version": "1.0.0",
+  "name": "web-shell",
+  "description": "Installs web-shell (persistent browser terminal backed by tmux) from the GitHub release tarball into the global Node install, and registers a systemd unit so the service starts automatically on container boot. Also publishes the service as a Coder workspace app.",
+  "documentationURL": "https://github.com/SoureCode/devcontainer-features/tree/master/src/web-shell",
+  "options": {
+    "version": {
+      "type": "string",
+      "default": "latest",
+      "description": "web-shell release to install. `latest` resolves the newest tag via the GitHub API; otherwise pass a version like `1.2.3` or `v1.2.3`."
+    },
+    "port": {
+      "type": "string",
+      "default": "4000",
+      "description": "TCP port web-shell binds on (baked into the systemd unit as $PORT)."
+    },
+    "host": {
+      "type": "string",
+      "default": "127.0.0.1",
+      "description": "Bind address (baked into the systemd unit as $HOST). Set to `0.0.0.0` to listen on all interfaces."
+    },
+    "authToken": {
+      "type": "string",
+      "default": "",
+      "description": "Bearer token required on incoming connections (baked into the systemd unit as $AUTH_TOKEN). Empty disables auth."
+    }
+  },
+  "dependsOn": {
+    "ghcr.io/sourecode/devcontainer-features/nvm:2": {}
+  },
+  "customizations": {
+    "coder": {
+      "apps": [
+        {
+          "slug": "web-shell",
+          "displayName": "web-shell",
+          "url": "http://localhost:${localEnv:PORT:4000}",
+          "icon": "/icon/terminal.svg",
+          "share": "owner",
+          "subdomain": true,
+          "healthcheck": {
+            "url": "http://localhost:${localEnv:PORT:4000}/api/sessions",
+            "interval": 5,
+            "threshold": 6
+          },
+          "order": 2
+        }
+      ]
+    }
+  }
+}

src/web-shell/install.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+# web-shell feature installer.
+# https://github.com/SoureCode/web-shell
+#
+# Installs the release tarball globally via npm against the Node toolchain
+# provided by the `nvm` feature (required via `dependsOn`). The binary ends up
+# inside the nvm prefix, so we also symlink it into /usr/local/bin for a stable
+# path that systemd, sudo, and non-login shells can resolve without sourcing
+# nvm.
+#
+# Supervision: a real systemd unit if PID 1 is systemd (sysbox workspaces), a
+# /etc/profile.d login-shell fallback otherwise. Starting is never done here —
+# systemd isn't up during image build, and fallback starts happen on user
+# login.
+set -e
+
+WS_VERSION_OPT="${VERSION:-latest}"
+WS_PORT="${PORT:-4000}"
+WS_HOST="${HOST:-127.0.0.1}"
+WS_AUTH_TOKEN="${AUTHTOKEN:-}"
+
+# 1. OS deps: tmux for the terminal multiplexer, build-essential + python3
+# because node-pty compiles native bindings, plus curl/jq for release lookup.
+APT_PKGS=""
+for pkg in tmux build-essential python3 ca-certificates curl jq; do
+  if ! dpkg -s "$pkg" >/dev/null 2>&1; then
+    APT_PKGS="$APT_PKGS $pkg"
+  fi
+done
+if [ -n "$APT_PKGS" ]; then
+  apt-get update
+  # shellcheck disable=SC2086
+  apt-get install -y --no-install-recommends $APT_PKGS
+  rm -rf /var/lib/apt/lists/*
+fi
+
+# 2. Activate nvm so `npm` and `npm config get prefix` resolve against the
+# default Node alias the nvm feature set up.
+export NVM_DIR="${NVM_DIR:-/usr/local/share/nvm}"
+if [ -s "$NVM_DIR/nvm.sh" ]; then
+  # shellcheck disable=SC1091
+  . "$NVM_DIR/nvm.sh"
+  nvm use default >/dev/null
+fi
+
+if ! command -v npm >/dev/null 2>&1; then
+  echo "web-shell feature: npm not on PATH. Add ghcr.io/sourecode/devcontainer-features/nvm:2 to your features." >&2
+  exit 1
+fi
+
+# 3. Resolve target version. `latest` → newest tag via GitHub API. Otherwise
+# normalize `vX.Y.Z` / `X.Y.Z` → `X.Y.Z`.
+if [ "$WS_VERSION_OPT" = "latest" ]; then
+  WS_VERSION="$(curl -fsSL https://api.github.com/repos/SoureCode/web-shell/releases/latest | jq -r .tag_name)"
+else
+  WS_VERSION="$WS_VERSION_OPT"
+fi
+WS_VERSION="${WS_VERSION#v}"
+if [ -z "$WS_VERSION" ] || [ "$WS_VERSION" = "null" ]; then
+  echo "web-shell feature: failed to resolve release version (got '$WS_VERSION_OPT')." >&2
+  exit 1
+fi
+
+# 4. Download + global install.
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT
+TARBALL_URL="https://github.com/SoureCode/web-shell/releases/download/v${WS_VERSION}/web-shell-${WS_VERSION}.tgz"
+curl -fsSL -o "$TMPDIR/web-shell.tgz" "$TARBALL_URL"
+
+npm install -g "$TMPDIR/web-shell.tgz"
+
+# 5. Stable symlink at /usr/local/bin/web-shell — the nvm prefix isn't on the
+# systemd service PATH.
+NPM_PREFIX="$(npm config get prefix)"
+WS_BIN="$NPM_PREFIX/bin/web-shell"
+if [ ! -x "$WS_BIN" ]; then
+  echo "web-shell feature: $WS_BIN missing after npm install." >&2
+  exit 1
+fi
+if [ "$WS_BIN" != "/usr/local/bin/web-shell" ]; then
+  ln -sf "$WS_BIN" /usr/local/bin/web-shell
+fi
+
+# 6. Systemd unit. We always write it — even when systemd isn't PID 1 right
+# now, a later rebase onto a systemd base won't need to reinstall.
+install -d -m 0755 /etc/systemd/system
+cat >/etc/systemd/system/web-shell.service <<EOF
+[Unit]
+Description=web-shell
+After=network.target
+
+[Service]
+Type=simple
+Environment=HOST=${WS_HOST}
+Environment=PORT=${WS_PORT}
+Environment=AUTH_TOKEN=${WS_AUTH_TOKEN}
+ExecStart=/usr/local/bin/web-shell
+Restart=on-failure
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
+EOF
+chmod 0644 /etc/systemd/system/web-shell.service
+
+INIT_COMM="$(ps -p 1 -o comm= 2>/dev/null | tr -d '[:space:]' || true)"
+if [ "$INIT_COMM" = "systemd" ]; then
+  systemctl daemon-reload
+  systemctl enable web-shell.service
+else
+  if command -v systemctl >/dev/null 2>&1; then
+    systemctl enable web-shell.service >/dev/null 2>&1 || true
+  fi
+
+  # Login-shell fallback for non-systemd bases. pgrep guard avoids spawning
+  # duplicate supervisors on repeat logins. The inner while-loop restarts
+  # web-shell if it exits, mirroring `Restart=on-failure`.
+  cat >/etc/profile.d/web-shell.sh <<EOF
+# web-shell feature fallback: systemd wasn't PID 1 at feature install time,
+# so a login-shell supervisor is used instead.
+if ! pgrep -u "\$(id -u)" -f '/usr/local/bin/web-shell' >/dev/null 2>&1; then
+  HOST='${WS_HOST}' PORT='${WS_PORT}' AUTH_TOKEN='${WS_AUTH_TOKEN}' \\
+    nohup sh -c 'while true; do /usr/local/bin/web-shell; sleep 1; done' \\
+    > /tmp/web-shell.log 2>&1 &
+  disown >/dev/null 2>&1 || true
+fi
+EOF
+  chmod 0644 /etc/profile.d/web-shell.sh
+
+  echo "web-shell feature: PID 1 is '${INIT_COMM:-unknown}' (not systemd). Installed /etc/profile.d/web-shell.sh as a login-shell fallback; use a systemd-enabled base (e.g. Coder + sysbox) for proper supervision." >&2
+fi

test/web-shell/test.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Feature tests for web-shell. Run via:
+#   devcontainer features test --features web-shell --base-image debian:trixie-slim .
+set -e
+
+# shellcheck disable=SC1091
+source dev-container-features-test-lib
+
+check "tmux installed"                which tmux
+check "web-shell binary in /usr/local/bin" test -x /usr/local/bin/web-shell
+check "systemd unit present"          test -f /etc/systemd/system/web-shell.service
+check "unit contains PORT env"        grep -q '^Environment=PORT=' /etc/systemd/system/web-shell.service
+check "unit contains HOST env"        grep -q '^Environment=HOST=' /etc/systemd/system/web-shell.service
+check "unit contains ExecStart"       grep -q '^ExecStart=/usr/local/bin/web-shell' /etc/systemd/system/web-shell.service
+# On systemd hosts the unit is enabled; on non-systemd bases a profile.d
+# fallback is installed instead. Accept either.
+check "supervision wired" bash -c "systemctl is-enabled web-shell.service 2>/dev/null || test -f /etc/profile.d/web-shell.sh"
+
+reportResults