From 2c4bf1a27fd466e9f19ffc29c05868d806634277 Mon Sep 17 00:00:00 2001
From: mwiegand <martin.wiegand@seibert.group>
Date: Fri, 15 May 2026 19:28:45 +0200
Subject: [PATCH] deploy/tests: add visudo syntax test for the sudoers drop-in

Pre-deploy syntax guard; replaces ckn-bw's per-item test_with which
won't apply to a symlink-delivered file (see deployment-responsibility
migration step 3).
---
 deploy/tests/test_sudoers.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 deploy/tests/test_sudoers.py

diff --git a/deploy/tests/test_sudoers.py b/deploy/tests/test_sudoers.py
new file mode 100644
index 0000000..e5b0845
--- /dev/null
+++ b/deploy/tests/test_sudoers.py
@@ -0,0 +1,17 @@
+"""Syntax-check the sudoers drop-in via visudo before it leaves the repo."""
+import shutil
+import subprocess
+from pathlib import Path
+
+import pytest
+
+SUDOERS = Path(__file__).resolve().parents[2] / "deploy/files/etc/sudoers.d/left4me"
+
+
+@pytest.mark.skipif(shutil.which("visudo") is None, reason="visudo not installed")
+def test_sudoers_parses():
+    result = subprocess.run(
+        ["visudo", "-cf", str(SUDOERS)],
+        capture_output=True, text=True,
+    )
+    assert result.returncode == 0, f"visudo -cf failed: {result.stdout}{result.stderr}"