web-shell: run service as _REMOTE_USER, repair root-owned ~/.cache (1.2.0)

Systemd unit had no User=, so ExecStart ran as root and web-shell created
$HOME/.cache on the remote user's home owned by root. Resolve the user via
_REMOTE_USER (matching the nvm and claude-code features), set User/Group/
WorkingDirectory/HOME on the unit, and chown any pre-existing ~/.cache left
behind by <1.2.0 installs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chapterjason

src/web-shell/devcontainer-feature.json

@@ -1,6 +1,6 @@
 {
   "id": "web-shell",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "name": "web-shell",
   "description": "Installs web-shell (persistent browser terminal backed by dtach) from the GitHub release tarball into the global Node install, and registers a systemd unit so the service starts automatically on container boot. Also publishes the service as a Coder workspace app.",
   "documentationURL": "https://github.com/SoureCode/devcontainer-features/tree/master/src/web-shell",

src/web-shell/install.sh

@@ -19,6 +19,20 @@ WS_PORT="${PORT:-4000}"
 WS_HOST="${HOST:-127.0.0.1}"
 WS_AUTH_TOKEN="${AUTHTOKEN:-}"
 
+# Resolve the container's remote user. The devcontainer spec injects
+# _REMOTE_USER at feature-install time; USERNAME is the older fallback some
+# bases still set. Default to root only when neither is present. Without this,
+# the systemd unit would run ExecStart as root and web-shell would create
+# $HOME/.cache owned by root on the remote user's home.
+USER_NAME="${_REMOTE_USER:-${USERNAME:-root}}"
+if [ "$USER_NAME" = "root" ]; then
+  USER_GROUP="root"
+  USER_HOME="/root"
+else
+  USER_GROUP="$(id -gn "$USER_NAME")"
+  USER_HOME="$(getent passwd "$USER_NAME" | cut -d: -f6)"
+fi
+
 # 1. OS deps: dtach as the detachable session backend, build-essential + python3
 # because node-pty compiles native bindings, plus curl/jq for release lookup.
 APT_PKGS=""
@@ -91,6 +105,10 @@ After=network.target
 
 [Service]
 Type=simple
+User=${USER_NAME}
+Group=${USER_GROUP}
+WorkingDirectory=${USER_HOME}
+Environment=HOME=${USER_HOME}
 Environment=HOST=${WS_HOST}
 Environment=PORT=${WS_PORT}
 Environment=AUTH_TOKEN=${WS_AUTH_TOKEN}
@@ -103,6 +121,12 @@ WantedBy=multi-user.target
 EOF
 chmod 0644 /etc/systemd/system/web-shell.service
 
+# Repair state from earlier feature versions (<1.2.0) that ran the service as
+# root and left $HOME/.cache root-owned. Idempotent; cheap on clean installs.
+if [ "$USER_NAME" != "root" ] && [ -d "$USER_HOME/.cache" ]; then
+  chown -R "$USER_NAME:$USER_GROUP" "$USER_HOME/.cache" || true
+fi
+
 INIT_COMM="$(ps -p 1 -o comm= 2>/dev/null | tr -d '[:space:]' || true)"
 if [ "$INIT_COMM" = "systemd" ]; then
   systemctl daemon-reload