deploy/tests: assert both hardening drop-ins allow x86 syscalls

The web and server hardening drop-ins both fork-exec 32-bit binaries
on critical paths (steamcmd_linux from the install job, srcds_linux
on the game side). When the web drop-in had SystemCallArchitectures=native
and the server had native x86, the asymmetry silently broke the install
flow — bash exit 159 (SIGSYS) — for as long as nobody re-triggered it.

Pin the constraint as a test: both drop-ins must agree on
SystemCallArchitectures, and both must include x86.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/tests/test_example_units.py

@@ -306,3 +306,25 @@ def test_server_hardening_dropin_present_with_directives():
     for line in text.splitlines():
         bare = line.split("#", 1)[0].strip()
         assert bare != "ProcSubset=pid", "ProcSubset=pid must not be active in the server drop-in"
+
+
+def test_hardening_dropins_agree_on_syscall_architectures():
+    # Both units fork-exec a 32-bit binary on critical paths: the web
+    # service runs the install job (steamcmd_linux), the server unit runs
+    # srcds_linux. Either drop-in without `x86` in SystemCallArchitectures
+    # SIGSYS-kills its child on first syscall (bash exit 159). They must
+    # agree, and both must include x86 — caught the hard way on
+    # 2026-05-15 when web had `native` only and the install job died.
+    import re
+
+    pat = re.compile(r"^SystemCallArchitectures=(.+)$", re.MULTILINE)
+    web_arch = pat.search(WEB_HARDENING_DROPIN.read_text()).group(1).strip()
+    srv_arch = pat.search(SERVER_HARDENING_DROPIN.read_text()).group(1).strip()
+    assert web_arch == srv_arch, (
+        f"hardening drop-ins disagree on SystemCallArchitectures: "
+        f"web={web_arch!r} server={srv_arch!r}. Both must include `x86`."
+    )
+    assert "x86" in web_arch.split(), (
+        f"SystemCallArchitectures missing x86: {web_arch!r}. Required for "
+        "steamcmd_linux (install job) and srcds_linux."
+    )