Flatten to single-image Coder workspace template

Shift away from the nested "outer workspace runs @devcontainers/cli
inside a devcontainer with its own sub-agent" model toward a flat
one-container-per-workspace design. The workspace container IS the dev
environment: one coder_agent, one HOME, one IDE target. Dev tooling is
baked into stack-specific images at build time instead of installed at
devcontainer-create time.

Also repositions the repo from a devcontainer-features collection to a
Coder workspace template. Renamed on GitHub to SoureCode/coder-workspaces.

## Workspace images

- src/base/Dockerfile — shared foundation: debian:trixie-slim + systemd
  + dockerd (sysbox-runc runtime) + coder user + dev-kit scripts
  (nvm, claude-code, rtk, context-mode, web-shell, home-persist).
- src/node/Dockerfile — FROM :base; named variant, no additions yet.
- src/cpp/Dockerfile — FROM :base + llvm/cmake/sccache + CC/CXX env.
- .github/workflows/publish-workspaces.yml — matrix build publishing
  ghcr.io/sourecode/coder-workspace:{base,node,cpp} (multi-arch).

## Scripts

Moved src/<feature>/ → scripts/<name>/. Dropped devcontainer-feature.json
files (no longer publishing features). Dropped "feature installer" /
"<tool> feature:" wording in comments and error messages. Scripts are now
bind-mounted into each Dockerfile at build via --mount=type=bind so their
source never enters an image layer.

Renamed manifest directory /etc/devcontainer-persist.d → /etc/home-persist.d
across scripts, resolver, docs, main.tf. Dropped the build-time \$PATHS
block from home-persist/install.sh (replaced by the runtime Coder parameter
below).

## main.tf rewrite

- data "coder_parameter" "workspace_image" dropdown (base/node/cpp).
- data "coder_parameter" "home_persist_paths" for per-workspace extra
  persistence paths; lifecycle_init writes /etc/home-persist.d/user.json
  from it before running home-persist-resolve.
- Dropped coder_devcontainer + subagent plumbing; every IDE module
  (code-server, jetbrains, git-clone) attaches to coder_agent.main.id.
- Inlined terraform/web-shell module as a coder_app resource —
  scripts/web-shell/install.sh already installs + supervises via systemd,
  the module was duplicating that work and conflicting at runtime.
- Dropped DEVCONTAINER_* env, rebuild_no_cache parameter + script.
- coder_script.lifecycle_init orchestrates home-persist-resolve +
  context-mode/rtk post-create hooks on start with start_blocks_login=true.
- Git identity (coder_env.git_*) + SSH signing (coder_script) moved from
  the old subagent onto coder_agent.main.

## Removed

- Dockerfile.workspace (Ubuntu noble, nested dockerd, @devcontainers/cli)
  — fully ported into src/base/Dockerfile (Debian trixie, same patterns).
- Dockerfile.devcontainer-base + publish-devcontainer-base.yml.
- publish-features.yml — features no longer published to GHCR.
- docs/migration-guide.md — devcontainer-migration-oriented, obsolete.
- terraform/web-shell/ — duplicated scripts/web-shell/install.sh.
- scripts/web-shell/README.md — feature-marketing doc, content in README.

## Docs

README rewritten as a Coder workspace template with per-stack image
matrix, sysbox host setup, push-to-Coder flow, troubleshooting.
docs/persistence.md updated for the flat model (coder_script-driven
resolver instead of onCreateCommand, new home_persist_paths parameter).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chapterjason

.github/workflows/publish-devcontainer-base.yml

@@ -0,0 +1,111 @@
+name: Publish Workspace Images
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - "src/**"
+      - "scripts/**"
+      - ".github/workflows/publish-workspaces.yml"
+    tags: ["v*"]
+  workflow_dispatch:
+
+jobs:
+  base:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      short_sha: ${{ steps.sha.outputs.short }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Compute short sha
+        id: sha
+        run: echo "short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+
+      - name: Lowercase image name
+        id: img
+        run: echo "name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/coder-workspace" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract tags
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ steps.img.outputs.name }}
+          tags: |
+            type=raw,value=base
+            type=sha,format=short,prefix=base-
+
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: ./src/base/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=workspace-base
+          cache-to: type=gha,mode=max,scope=workspace-base
+
+  stacks:
+    needs: base
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        stack: [node, cpp]
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Lowercase image name
+        id: img
+        run: echo "name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/coder-workspace" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract tags
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ steps.img.outputs.name }}
+          tags: |
+            type=raw,value=${{ matrix.stack }}
+            type=sha,format=short,prefix=${{ matrix.stack }}-
+
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: ./src/${{ matrix.stack }}/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            BASE_IMAGE=${{ steps.img.outputs.name }}:base-${{ needs.base.outputs.short_sha }}
+          cache-from: type=gha,scope=workspace-${{ matrix.stack }}
+          cache-to: type=gha,mode=max,scope=workspace-${{ matrix.stack }}