feat(deploy): script-sandbox runs in l4d2-build.slice + OOMScoreAdjust=500

Builds yield CPU/IO to game-server instances under contention via the
slice's weight=10, and are killed first under memory pressure
(servers have OOMScoreAdjust=-200).

deploy/files/usr/local/libexec/left4me/left4me-script-sandbox

@@ -45,6 +45,8 @@ chmod 0755 "$OVERLAY_DIR"
 SCRIPT_RC=0
 systemd-run --quiet --collect --wait --pipe \
     --unit="left4me-script-${OVERLAY_ID}-$$" \
+    --slice=l4d2-build.slice \
+    -p OOMScoreAdjust=500 \
     -p User=l4d2-sandbox -p Group=l4d2-sandbox \
     -p UMask=0022 \
     -p NoNewPrivileges=yes \

deploy/tests/test_deploy_artifacts.py

@@ -144,6 +144,18 @@ def test_sysctl_conf_present_with_perf_settings():
         assert line in text, f"missing {line!r} in 99-left4me.conf"
 
 
+def test_script_sandbox_in_build_slice_with_oom_adjust():
+    text = SCRIPT_SANDBOX_HELPER.read_text()
+
+    # Put the transient unit in the low-weight build slice so it yields to
+    # game-server instances under CPU/IO contention.
+    assert "--slice=l4d2-build.slice" in text
+
+    # Sandbox dies first if the host hits memory pressure; servers
+    # (OOMScoreAdjust=-200) survive.
+    assert "-p OOMScoreAdjust=500" in text
+
+
 def _fake_command(tmp_path, command_name):
     marker = tmp_path / f"{command_name}.args"
     command = tmp_path / command_name