test(deploy): assert left4me-overlay idmaps sandbox-owned lowerdirs

Guards against silent regression of the idmap bind-mount step in the
privileged kernel-overlayfs helper. Asserts --map-users / --map-groups
argv, the runtime/<name>/idmap/ target path, the LEFT4ME_TEST_* stub-
env-var names, and the collision-detection table.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

deploy/tests/test_deploy_artifacts.py

@@ -394,6 +394,28 @@ def test_overlay_helper_is_python_with_strict_validation():
     assert '"unmount"' not in text
 
 
+def test_overlay_helper_idmaps_sandbox_owned_lowerdirs():
+    """Script-built overlay lowerdirs are owned by l4d2-sandbox.  Without an
+    idmap bind mount, kernel-overlayfs copy-up preserves that ownership and
+    the gameserver (uid left4me) can't write to copied-up directories like
+    addons/sourcemod/logs/.  The helper must inject an idmap bind for each
+    sandbox-owned lowerdir before the overlay mount and tear it down after.
+    """
+    text = OVERLAY_HELPER.read_text()
+    # The bind-mount argv uses --map-users / --map-groups (numeric uids).
+    assert "--map-users=" in text
+    assert "--map-groups=" in text
+    # Idmapped paths live under runtime/<name>/idmap/ and are substituted
+    # into the lowerdir= string.
+    assert 'runtime_name_dir / "idmap"' in text
+    # Test-mode uid stubs are namespaced LEFT4ME_TEST_* and gated on
+    # PRINT_ONLY=1 so a misconfigured systemd unit can't inject uids.
+    assert "LEFT4ME_TEST_SANDBOX_UID" in text
+    assert "LEFT4ME_TEST_LEFT4ME_UID" in text
+    # Collision guard: two lowerdirs deriving the same idmap target die loudly.
+    assert "seen_idmap_targets" in text
+
+
 def test_deploy_script_installs_overlay_helper_with_executable_mode():
     script = DEPLOY_SCRIPT.read_text()
     assert "/usr/local/libexec/left4me/left4me-overlay" in script