From cf085711f2742eb91715450912a940c39ed0bb7e Mon Sep 17 00:00:00 2001
From: JoshuaVlantis <joshuavlantis@users.noreply.github.com>
Date: Mon, 11 May 2026 07:32:12 +0200
Subject: [PATCH] docs(test): broaden chrome-sandbox suid guard comment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reframe the assert_setuid comment from "guards against the old %post
chmod pattern" to "guards against any regression that strips the suid
bit" — including but not limited to a %post chmod revert.

The assertion itself catches any loss of the setuid bit on
chrome-sandbox, not just the specific %post chmod regression path.
Per review feedback on #595.
---
 tests/test-artifact-rpm.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/test-artifact-rpm.sh b/tests/test-artifact-rpm.sh
index 958cf58..072a7b5 100644
--- a/tests/test-artifact-rpm.sh
+++ b/tests/test-artifact-rpm.sh
@@ -43,8 +43,9 @@ assert_executable "$electron_path"
 
 # chrome-sandbox: setuid bit must be set by the rpm spec's %files
 # %attr(4755, ...) entry, not by a %post chmod (#539). The check
-# guards against regressing the spec to the old %post chmod pattern,
-# which leaves chrome-sandbox unsuid'd if the scriptlet is skipped.
+# guards against any regression that strips the suid bit — including
+# (but not limited to) reverting to a %post chmod, which silently
+# no-ops if the scriptlet is skipped (--noscripts, layered images).
 chrome_sandbox='/usr/lib/claude-desktop/node_modules/electron/dist/chrome-sandbox'
 assert_file_exists "$chrome_sandbox"
 assert_setuid "$chrome_sandbox"