diff --git a/deploy/tests/test_deploy_artifacts.py b/deploy/tests/test_deploy_artifacts.py
index 658b41c..78f733f 100644
--- a/deploy/tests/test_deploy_artifacts.py
+++ b/deploy/tests/test_deploy_artifacts.py
@@ -394,6 +394,28 @@ def test_overlay_helper_is_python_with_strict_validation():
 assert '"unmount"' not in text
 
 
+def test_overlay_helper_idmaps_sandbox_owned_lowerdirs():
+ """Script-built overlay lowerdirs are owned by l4d2-sandbox. Without an
+ idmap bind mount, kernel-overlayfs copy-up preserves that ownership and
+ the gameserver (uid left4me) can't write to copied-up directories like
+ addons/sourcemod/logs/. The helper must inject an idmap bind for each
+ sandbox-owned lowerdir before the overlay mount and tear it down after.
+ """
+ text = OVERLAY_HELPER.read_text()
+ # The bind-mount argv uses --map-users / --map-groups (numeric uids).
+ assert "--map-users=" in text
+ assert "--map-groups=" in text
+ # Idmapped paths live under runtime//idmap/ and are substituted
+ # into the lowerdir= string.
+ assert 'runtime_name_dir / "idmap"' in text
+ # Test-mode uid stubs are namespaced LEFT4ME_TEST_* and gated on
+ # PRINT_ONLY=1 so a misconfigured systemd unit can't inject uids.
+ assert "LEFT4ME_TEST_SANDBOX_UID" in text
+ assert "LEFT4ME_TEST_LEFT4ME_UID" in text
+ # Collision guard: two lowerdirs deriving the same idmap target die loudly.
+ assert "seen_idmap_targets" in text
+
+
 def test_deploy_script_installs_overlay_helper_with_executable_mode():
 script = DEPLOY_SCRIPT.read_text()
 assert "/usr/local/libexec/left4me/left4me-overlay" in script
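Review bot: The last three assertions in `test_overlay_helper_idmaps_sandbox_owned_lowerdirs` only check that the names `LEFT4ME_TEST_SANDBOX_UID`, `LEFT4ME_TEST_LEFT4ME_UID` and `seen_idmap_targets` occur somewhere in the helper's source. The properties the comments describe, uid stubs honoured only under PRINT_ONLY=1 and a colliding idmap target aborting the run, are therefore not tested. A later edit that removes the gate would leave the uid mapping of a presumably privileged mount helper settable from the environment, and this test would still pass. The teardown the docstring requires has no assertion at all. A behavioural case that runs the helper with the stub variables set and print-only mode off, and asserts the supplied uids are not used, would pin the guard; the helper's invocation is not visible in this hunk, so until then mark the limitation with `# NOTE: presence check only; the PRINT_ONLY=1 gate and the collision abort are not exercised here.`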