Both items were operational verifications (not code changes) against
the deployed test host ovh.left4me (141.95.32.8).
Item 8: orphan idmap binds in PID 1's mount namespace.
`sudo findmnt --task 1 -o TARGET | grep /var/lib/left4me/runtime/.*/idmap/`
returned zero matches with left4me-server@{1,2}.service both active.
Either swept earlier or never appeared on this host; nothing to umount.
Item 9: Optimized Settings (overlay 8) files-overlay sanity.
Dir is left4me:left4me end-to-end; `sudo find /var/lib/left4me/overlays/8
-type f -uid 981` returned empty. The invariant "files-overlays are
populated by the web app as left4me, never through the sandbox helper"
holds.
Remaining live janitorial items: 7 (conditional on the build-overlay-unit
refactor) and 10 (SourceMod 1.13 calendar reminder, ~late 2026).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Janitorial item 6 in 2026-05-15-janitorial-cleanup.md. The v1 sandbox
design (2026-05-08-l4d2-script-overlays-design.md) was approved
2026-05-08 and superseded the same day by the v2 systemd-only design
(2026-05-08-l4d2-script-sandbox-v2-systemd.md). The current
left4me-script-sandbox helper uses systemd-run in service-unit mode;
no bwrap binary is invoked. The v1 spec still described bubblewrap as
the engine.
- v1 spec gets a top-of-file banner pointing at v2 as the supersede.
Body preserved; the rest of the v1 design (overlay-type unification,
resource caps, helper auth) is still valid — only the sandbox engine
changed.
- l4d2web/services/overlay_builders.py: ScriptBuilder docstring
"bubblewrap + systemd-run" → "hardened systemd-run transient
service" (the as-built reality).
- scripts/tests/test_script_sandbox.py: stray "/bwrap" in a comment
cleaned up. Negative regression assertions (`assert "bwrap" not in
text`) intentionally retained as the guard against accidental
re-introduction.
- Plan docs left untouched (historical action snapshots).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds the implementation plan that landed in the preceding commit
(2026-05-15-deploy-dir-rethink.md) under docs/superpowers/plans/, and
marks the two related specs:
- 2026-05-15-deploy-dir-rethink-design.md (the source handoff) gets a
"Resolved by …" banner at the top with a one-paragraph summary of
the decisions taken. Body preserved for archaeology.
- 2026-05-15-janitorial-cleanup.md gets a status banner noting that
items 1, 3, 4, 5 are fully resolved by the deploy-dir-rethink plan
and item 2 is partially resolved with a third option the original
enumeration didn't list: only the truly-dead two static units
(cake.service, nft-mark.service) deleted, the reactor-emitted set
(server@, web, workshop-refresh.{service,timer}, slices) retained
as curated examples. Resolved items left in place but flagged.
Remaining live janitorial items: 6 (bubblewrap doc drift), 7
(conditional on build-overlay-unit refactor), 8 (operational idmap
bind cleanup), 9 (Optimized Settings overlay verification), 10 (SM
1.13 calendar reminder).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two follow-ups bundled into a single commit:
- docs/superpowers/specs/2026-05-15-janitorial-cleanup.md collects
the "do later" small TODOs that surfaced across the recent idmap
+ consolidation work: dead cake-related artifacts, obsolete
static systemd units in deploy/files/, the bubblewrap→systemd-run
doc drift, stale gameserver-side idmap binds on un-checked
instances, calendar reminder for SM 1.13 stable. Each item is
small and self-contained.
- docs/l4d2-server-cvar-reference.md captures the research from
the early-session L4D2 cvar deep-dive: tickrate sweet spots,
nb_update_frequency cheat-protection + sm_cvar workaround,
cvars that don't exist in L4D2 (net_maxcleartime,
z_resolve_zombie_collision_multiplier per RCON probe), recommended
plugins, MetaMod/SourceMod branch tracking, and the empirically-
verified idmap-propagation-through-rebind kernel-6.12 quirk.
Reference material, not a spec — lives at docs/ root.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
