Compare commits


1 commit

Author SHA1 Message Date
786b8da600 fix: ca_bundle in lab-host.toml.example pointed at client CA, not Caddy root
wg-ca.pem (from the bootstrap tarball) is the CIS490 Lab-Host Client
CA — the receiver's trust anchor for our client cert. The shipper's
ca_bundle is used to verify the *server's* TLS cert on collector.wg,
which is signed by the Caddy Local Authority. Point ca_bundle at
/opt/cis490/etc/caddy-root.crt (the Caddy root bundled in the repo)
so TLS verification succeeds.

Closes spectral/CIS490#12

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 15:34:10 -06:00
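The commit message above draws the distinction between the two trust anchors in play: the Caddy root, which the shipper needs to verify the collector's server certificate, and the wg-pki client CA, which only the receiver needs to verify the shipper's client certificate. The following is an added example, not code from the CIS490 repo or this commit: it rebuilds that situation with two throwaway CAs (named caddy-root and wg-ca purely for illustration, as are collector.wg and lab-host-01) and shows that the server cert chains only to the Caddy root while the client cert chains only to the client CA, which is exactly why the old ca_bundle value failed. Only the openssl CLI is required; everything is written to a temporary directory that is removed on exit.

```shell
#!/usr/bin/env bash
# Added example, not part of the CIS490 repo: two throwaway CAs reproduce
# the trust-anchor mix-up the commit fixes. All names are illustrative.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 = file basename, $2 = CN.
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Leaf signed by CA $2: $1 = file basename, $3 = CN, remaining args are
# X.509 extension lines (written to an extfile for "openssl x509 -req").
issue_leaf() {
  name="$1"; ca="$2"; cn="$3"; shift 3
  printf '%s\n' "$@" > "$WORK/$name.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$cn" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" >/dev/null 2>&1
}

# What the shipper's ca_bundle setting amounts to: chain the server leaf ($2)
# to the bundle ($1) and check the hostname. Returns 0 on success.
verify_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname collector.wg "$2" >/dev/null 2>&1
}

# What the receiver does with its own trust anchor ($1): chain the shipper's
# client leaf ($2). Returns 0 on success.
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# "Caddy Local Authority" signs the collector's server cert; the "Lab-Host
# Client CA" signs this host's client cert. Constructed for the example.
make_ca caddy-root "Caddy Local Authority"
make_ca wg-ca      "CIS490 Lab-Host Client CA"
issue_leaf collector caddy-root collector.wg \
  'subjectAltName=DNS:collector.wg' 'extendedKeyUsage=serverAuth'
issue_leaf lab-host  wg-ca      lab-host-01 \
  'extendedKeyUsage=clientAuth'

# Try both files as ca_bundle against the collector's server cert.
for bundle in caddy-root wg-ca; do
  if verify_server_cert "$WORK/$bundle.pem" "$WORK/collector.pem"; then
    echo "ca_bundle=$bundle.pem: server cert verifies"
  else
    echo "ca_bundle=$bundle.pem: server cert rejected (wrong trust anchor)"
  fi
done
```

Against a live lab-host the equivalent check is `openssl verify -CAfile /opt/cis490/etc/caddy-root.crt` on the certificate the collector actually presents (for example as saved from `openssl s_client -connect collector.wg:443 -showcerts`); if that fails, the shipper's TLS handshake will fail for the same reason regardless of which client cert it holds.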


@ -17,10 +17,12 @@ qcow_image = "/var/lib/cis490/vm/images/metasploitable2.qcow2"
[receiver] [receiver]
# The receiver lives behind Caddy on the WG-side collector host. The # The receiver lives behind Caddy on the WG-side collector host. The
# hostname must resolve over WG (collector.wg in the canonical # hostname must resolve over WG (collector.wg in the canonical
# spectral lab). The wg-pki CA must be on every lab-host so the # spectral lab). ca_bundle pins the Caddy root CA (bundled in the
# Caddy-issued internal cert validates. # repo) so the shipper can verify the server's TLS cert. The wg-pki
# client CA (wg-ca.pem from the bootstrap tarball) is the RECEIVER's
# trust anchor for our client cert — we don't configure it here.
url = "https://collector.wg" url = "https://collector.wg"
ca_bundle = "/etc/cis490/certs/wg-ca.pem" ca_bundle = "/opt/cis490/etc/caddy-root.crt"
# mTLS: leaf cert + private key issued by wg-pki for THIS host_id. # mTLS: leaf cert + private key issued by wg-pki for THIS host_id.
# Comment these out to fall back to bearer-token auth during early # Comment these out to fall back to bearer-token auth during early
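Review bot: the new ca_bundle comment says the Caddy root is "bundled in the repo" but no longer says how it reaches /opt/cis490/etc/caddy-root.crt on each lab-host; the requirement the old text carried ("must be on every lab-host") was dropped rather than restated for the new file, so an operator following this example has no hint that a bootstrap step must install it. The path also departs from the /etc/cis490/certs/ location the previous ca_bundle used in this same file. Suggest either keeping the Caddy root under /etc/cis490/certs/ next to the existing material, or adding one comment line naming the step that installs /opt/cis490/etc/caddy-root.crt, plus a verification hint such as `# check: openssl s_client -connect collector.wg:443 -CAfile /opt/cis490/etc/caddy-root.crt` so the wrong-anchor failure this commit fixes is easy to diagnose.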