fix(vm): harden build-libkrun.sh for x86_64 and resolve PATH-shadowing issues

[vince-brisebois]

Summary

Fix the VM build pipeline (build-libkrun.sh) to work reliably on x86_64 Linux, resolving PATH-shadowing issues where mise shims and venvs override system python3/cargo/libclang, adding a KVM access pre-check with an actionable error message, and hardening supporting scripts (sync-vm-rootfs.sh, compress-vm-runtime.sh) against missing tools.

Related Issue

N/A

Changes

• tasks/scripts/vm/build-libkrun.sh: Replace fragile pip install pyelftools fallback with ensure_python3_with_pyelftools_for_libkrunfw() that detects PATH-shadowed python3 and falls back to /usr/bin/python3. Add ensure_cargo_for_libkrun() to find Cargo >= 1.85 (edition 2024) via mise or ~/.cargo/bin when the distro cargo is too old. Add ensure_libclang_for_libkrun() to robustly locate libclang.so / libclang-*.so across Debian, Fedora, and multiarch layouts. Pin libkrun to v1.17.4 and build with cargo build --release directly instead of make NET=1 BLK=1. Build init/init when present. Remove kernel.c / ABI_VERSION export (no longer needed for cross-platform builds).
• crates/openshell-vm/src/lib.rs: Add VmError::KvmAccess variant and check_kvm_access() pre-check on Linux — libkrun panics with an opaque error when /dev/kvm is inaccessible; this turns it into a clear, actionable error message suggesting usermod -aG kvm.
• tasks/scripts/vm/sync-vm-rootfs.sh: Guard the helm package step behind a command -v helm check so the script doesn't fail on machines without Helm installed.
• tasks/scripts/vm/compress-vm-runtime.sh: Add a fast-path that skips compression when .zst artifacts already exist (e.g. from vm:setup download), decompressing them into the work directory for bundle-vm-runtime.sh instead.
• crates/openshell-vm/runtime/kernel/openshell.kconfig: Enable CONFIG_POSIX_MQUEUE and CONFIG_POSIX_MQUEUE_SYSCTL (required by runc to mount /dev/mqueue in containers).
• deploy/docker/Dockerfile.images: Add openshell-prover and openshell-vm crate stubs to the Docker build skeleton so cargo build succeeds in the container.
• architecture/custom-vm-runtime.md and crates/openshell-vm/runtime/README.md: Update docs to reflect removal of kernel.c cross-compilation flow — each platform now builds its own libkrunfw natively.
• vm-setup-fixes.patch: Snapshot patch file capturing the full set of fixes (for reference/backport).

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

All contributors have signed the DCO ✍️ ✅
_{Posted by the DCO Assistant Lite bot.}

[drew]

Need to sign DCO

also should squash all these commits so the ubuntu user isn't in the commit history and triggering the dco.

[vince-brisebois]

I have read the DCO document and I hereby sign the DCO.