fix: three install-time bugs found during first lab-host bring-up on k-gamingcom

1. pyproject.toml — move pycdlib to main deps (was dev-only; cidata build
   fails on first install because the venv doesn't include dev extras).

2. scripts/install-lab-host.sh — create vm/images/ dir before symlinking
   alpine-baseline.qcow2 and cidata.iso into INSTALL_ROOT. Without the
   mkdir the ln -sf silently fails (|| true), leaving the launchers unable
   to find the images and causing every episode to fail within 15 s.

3. tools/cis490_doctor.py — two fixes:
   a. Insert repo_root into sys.path at doctor startup so the inline
      `from exploits.modules import ...` succeeds when running from /opt/cis490
      (package = false means nothing is installed into site-packages).
   b. Pass cwd=/opt/cis490 to the shipper --ping subprocess so python -m
      shipper resolves the module correctly regardless of the caller's CWD.

Tested on k-gamingcom: install script now builds cidata.iso on first run,
7-slot fleet wave completes with rc=0, doctor shows 13 ok / 4 warn / 2 fail
(remaining failures are mTLS certs + collector.wg DNS — both need Pi-side
action, not code changes).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

pyproject.toml

@@ -7,6 +7,7 @@ dependencies = [
     "starlette>=0.36",
     "uvicorn[standard]>=0.27",
     "msgpack>=1.0",  # MSF RPC wire format for the Tier-3 exploit driver
+    "pycdlib>=1.14",  # build NoCloud cidata ISOs in pure Python
 ]
 
 [dependency-groups]
@@ -17,7 +18,6 @@ dev = [
     "matplotlib>=3.8",
     "tornado>=6",  # required by matplotlib's WebAgg interactive backend
     "paramiko>=3",  # SSH client for in-guest control on images that support it
-    "pycdlib>=1.14",  # build NoCloud cidata ISOs in pure Python
 ]
 
 [tool.uv]

scripts/install-lab-host.sh

@@ -199,6 +199,7 @@ if [[ -f "$ALPINE_IMG" && ! -f "$CIDATA_ISO" ]]; then
         log "WARN: cidata build failed; run tools/build_cidata.py manually"
 fi
 # Symlink the canonical paths the launchers look at, when missing.
+install -d -o "$SERVICE_USER" -g "$SERVICE_USER" -m 0755 "$INSTALL_ROOT/vm/images"
 ln -sf "$ALPINE_IMG" "$INSTALL_ROOT/vm/images/alpine-baseline.qcow2" 2>/dev/null || true
 ln -sf "$CIDATA_ISO" "$INSTALL_ROOT/vm/images/cidata.iso" 2>/dev/null || true
 

tools/cis490_doctor.py

@@ -102,9 +102,9 @@ _JSON_MODE = False
 # ---------------------------------------------------------------------------
 
 
-def _run(cmd: list[str], *, timeout: float = 5.0) -> tuple[int, str, str]:
+def _run(cmd: list[str], *, timeout: float = 5.0, cwd: str | None = None) -> tuple[int, str, str]:
     try:
-        p = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
+        p = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, cwd=cwd)
         return p.returncode, p.stdout.strip(), p.stderr.strip()
     except (FileNotFoundError, subprocess.TimeoutExpired) as e:
         return -1, "", str(e)
@@ -558,7 +558,7 @@ def check_end_to_end(report: Report) -> None:
     rc, out, err = _run([
         "/opt/cis490/.venv/bin/python", "-m", "shipper",
         "--config", cfg, "--ping",
-    ], timeout=15.0)
+    ], timeout=15.0, cwd="/opt/cis490")
     if rc == 0 and '"ok": true' in out:
         report.add(Check("e2e: cis490-shipper --ping", "ok",
                          detail="200 OK"))
@@ -588,6 +588,8 @@ def main(argv: list[str] | None = None) -> int:
     _JSON_MODE = args.json
 
     repo_root = Path(__file__).resolve().parent.parent
+    if str(repo_root) not in sys.path:
+        sys.path.insert(0, str(repo_root))
     if not _JSON_MODE:
         print(f"{_ANSI_BOLD}cis490-doctor{_ANSI_RESET} role={args.role} repo={repo_root}\n")