tmux-persist: add single-user restore mode (restore [user])

The web-terminal will get a "Restore sessions" button (common ask after an
OOM kills a user's tmux server without a reboot, which the boot-only restore
service doesn't catch). The button needs to restore ONE user's saved sessions
on demand, so teach `restore` an optional <user> argument: with no arg it
restores every terminal user (unchanged — the boot service path), with a
<user> arg it validates the name against /etc/ttyd-user-map and restores only
that user. Reuses the existing restore loop (single source of restore truth).

The terminal-lobby tmux-api will invoke this as root via a validated
tmux-restore-user sudo wrapper. Verified: bad user exits 2 (won't fall back to
restoring everyone), no-arg path unchanged, shellcheck clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

scripts/tmux-persist.sh

@@ -100,8 +100,16 @@ save() {
 }
 
 restore() {
-  local u f sess cwd uuid cmd
+  local only="${1:-}" u f sess cwd uuid cmd
+  # Optional single-user restore: `tmux-persist restore <user>` limits the
+  # action to one terminal user (the web-UI restore button calls this via the
+  # tmux-restore-user wrapper). No arg => restore every user (the boot service).
+  if [[ -n "$only" ]] && ! users | grep -qxF "$only"; then
+    echo "[tmux-persist] restore: '$only' is not a known terminal user" >&2
+    return 2
+  fi
   for u in $(users); do
+    [[ -z "$only" || "$u" == "$only" ]] || continue
     f="$STATE_DIR/$u.tsv"
     [[ -s "$f" ]] || continue
     while IFS=$'\t' read -r sess cwd uuid; do
@@ -122,6 +130,6 @@ restore() {
 
 case "$MODE" in
   save) save ;;
-  restore) restore ;;
-  *) echo "usage: tmux-persist save|restore" >&2; exit 1 ;;
+  restore) restore "${2:-}" ;;
+  *) echo "usage: tmux-persist save | restore [user]" >&2; exit 1 ;;
 esac