feat(update): add release status check

[titus7490]

Summary

• add gog update status with check alias for read-only release status checks
• report current/latest versions, update availability, platform release asset, checksum URL/SHA256, install method, and whether standalone self-update would be supported
• generate command docs for the new update namespace

Notes

• This intentionally does not write binaries, restart services, or perform self-update.
• The command gives automation and production wrappers a stable JSON primitive they can gate with their own health checks and rollback policy.

Testing

• go test -vet=off ./internal/cmd -run 'TestUpdate'
• node scripts/check-docs-coverage.mjs
• make build
• ./bin/gog --json update status
• go test -vet=off ./...

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 28, 2026, 2:07 PM ET / 18:07 UTC.

Summary
The PR adds a read-only gog update status/check command that fetches GitHub release metadata, reports version, asset, checksum, install-method, and self-update-support fields, registers the command, adds generated docs, and adds unit tests.

Reproducibility: not applicable. This PR adds a new release-status command rather than reporting broken existing behavior. The contributor did provide after-fix terminal output from a fresh build for JSON and plain command modes.

Review metrics: 2 noteworthy metrics.

• Command surface: 1 namespace, 1 subcommand, 1 alias. The PR adds a new user-facing CLI surface whose shape should be accepted intentionally before release.
• Diff scope: 9 files changed, +614/-2. Most of the diff is one new command with generated docs and tests, which is reviewable but not a narrow bug fix.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Get maintainer confirmation that gog update status belongs in core with this command and output contract.

Risk before merge

• [P1] Merging creates a new stable gog update status/check command and JSON/plain output contract that production wrappers may depend on; CI cannot decide whether that surface belongs in core.

Maintainer options:

1. Confirm the command contract before merge (recommended)
   Have a maintainer explicitly accept the gog update status namespace, check alias, and JSON/plain field contract before release.
2. Narrow or move the surface
   If the top-level namespace is too much, revise the PR toward the maintainer-preferred command placement or leave the release check to external automation.
3. Pause or close as unsponsored feature work
   If maintainers do not want this in core, close or pause the PR without treating the implementation quality as the blocker.

Next step before merge

• [P2] The remaining action is maintainer product review for a new top-level command and stable output fields, not an automated repair.

Security
Cleared: The diff adds unauthenticated read-only GitHub release metadata reads and checksum parsing without new dependencies, workflows, credentials, secrets, or binary write paths.

Review details

Best possible solution:

The end state should be either a maintainer-approved core release-status command with preserved generated docs and output contract, or no core command if maintainers prefer release checks to stay in external wrappers.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds a new release-status command rather than reporting broken existing behavior. The contributor did provide after-fix terminal output from a fresh build for JSON and plain command modes.

Is this the best way to solve the issue?

Unclear: the implementation is narrow and tested, but VISION.md says new product/API surfaces and command-structure changes should be discussed first. A maintainer should decide whether this belongs in core as gog update status before release.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 213ddb60d7d1.

Label changes

Label changes:

• add merge-risk: 🚨 other: The main merge risk is product/API-surface commitment: the new command and output fields become stable automation surface once released.

Label justifications:

• P3: This is a low-urgency optional CLI feature with limited blast radius and no confirmed correctness or security defect.
• merge-risk: 🚨 other: The main merge risk is product/API-surface commitment: the new command and output fields become stable automation surface once released.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The contributor posted after-fix terminal output from a fresh build showing ./bin/gog --json update status and plain output on PR head f85ffd26ceea.
• proof: sufficient: Contributor real behavior proof is sufficient. The contributor posted after-fix terminal output from a fresh build showing ./bin/gog --json update status and plain output on PR head f85ffd26ceea.

Evidence reviewed

What I checked:

• Repository policy read: AGENTS.md was read fully and applied: review stayed read-only, used gh pr view/gh pr diff, and checked generated command docs plus parseable output expectations. (AGENTS.md:1, 213ddb60d7d1)
• Vision product-surface guidance: VISION.md says new product/API surfaces, command-structure changes, and unusual features should be discussed first; this PR adds a new top-level command and JSON/plain contract. (VISION.md:20, 213ddb60d7d1)
• Current main lacks the update command: Targeted searches found no UpdateCmd, gog update status, release-status command, or update release URL on current main, and the root command list goes from Time to Gmail without Update. (internal/cmd/root.go:88, 213ddb60d7d1)
• PR registers new command surface: The PR branch adds Update UpdateCmd as a new top-level CLI command and defines status with check alias. (internal/cmd/root.go:89, f85ffd26ceea)
• PR implements release status output: The new command builds current/latest version, platform asset, checksum, install method, executable, self-update support, and warning fields, then emits JSON or TSV-style text. (internal/cmd/update.go:39, f85ffd26ceea)
• Tests cover core behavior: The PR adds httptest-backed JSON output coverage, the check alias, and version comparison cases. (internal/cmd/update_test.go:13, f85ffd26ceea)

Likely related people:

• steipete: Current-main blame for the root command registry, version metadata, and GoReleaser asset naming points to recent release work, and earlier release/version commits are also by this contributor. (role: recent CLI/release area contributor; confidence: high; commits: 608aa46e7b9c, 6af52a406b07, 0af3c331ff05; files: internal/cmd/root.go, internal/cmd/version.go, .goreleaser.yaml)
• Tan Lean Sheng: Authored the embedded VERSION fallback that resolvedVersion uses, which this PR relies on for current-version reporting and User-Agent construction. (role: version metadata contributor; confidence: medium; commits: 51283d56c705; files: internal/cmd/version.go, internal/cmd/VERSION, docs/RELEASING.md)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[titus7490]

Added real behavior proof for the current PR head f85ffd26ceea.

Fresh build:

$ make build
$ ./bin/gog --json update status

Output:

{
  "current_version": "v0.31.1-3-gf85ffd26",
  "current_commit": "f85ffd26ceea",
  "current_date": "2026-06-26T17:29:58Z",
  "latest_version": "v0.31.1",
  "latest_url": "https://github.com/openclaw/gogcli/releases/tag/v0.31.1",
  "update_available": false,
  "platform": "linux/amd64",
  "platform_asset": "gogcli_0.31.1_linux_amd64.tar.gz",
  "platform_asset_url": "https://github.com/openclaw/gogcli/releases/download/v0.31.1/gogcli_0.31.1_linux_amd64.tar.gz",
  "checksum_available": true,
  "checksums_url": "https://github.com/openclaw/gogcli/releases/download/v0.31.1/checksums.txt",
  "platform_asset_sha256": "5f5c35eb8c5603a59ee1eaf31909463f4e8c5f645130d9a4296571966a77aef2",
  "install_method": "standalone",
  "executable": "/root/.openclaw/workspace/upstream/gogcli-update-status/bin/gog",
  "self_update_supported": true
}

Plain output also works:

current_version	v0.31.1-3-gf85ffd26
current_commit	f85ffd26ceea
current_date	2026-06-26T17:29:58Z
latest_version	v0.31.1
update_available	false
platform	linux/amd64
platform_asset	gogcli_0.31.1_linux_amd64.tar.gz
platform_asset_sha256	5f5c35eb8c5603a59ee1eaf31909463f4e8c5f645130d9a4296571966a77aef2
install_method	standalone
self_update_supported	true

The command is read-only: it only reads GitHub release metadata and local executable/build metadata; it does not write binaries, restart services, or modify local state.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.