feat(update): add release status check

[titus7490]

Summary

• add gog update status with check alias for read-only release status checks
• report current/latest versions, update availability, platform release asset, checksum URL/SHA256, install method, and whether standalone self-update would be supported
• generate command docs for the new update namespace

Notes

• This intentionally does not write binaries, restart services, or perform self-update.
• The command gives automation and production wrappers a stable JSON primitive they can gate with their own health checks and rollback policy.

Testing

• go test -vet=off ./internal/cmd -run 'TestUpdate'
• node scripts/check-docs-coverage.mjs
• make build
• ./bin/gog --json update status
• go test -vet=off ./...

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 26, 2026, 5:29 PM ET / 21:29 UTC.

Summary
Adds a read-only gog update status/check command for GitHub release/version/asset/checksum/install metadata, generated command docs, unit tests, and a one-line Gmail watch constant cleanup.

Reproducibility: not applicable. this is a new CLI feature PR, not a bug report. The contributor posted terminal output for ./bin/gog --json update status and plain output on the current PR head.

Review metrics: 2 noteworthy metrics.

• Command surface: 1 namespace, 1 subcommand, 1 alias. This is new user-facing CLI surface, so maintainers should intentionally accept the command shape.
• Diff size: 9 files, +614/-2. Most of the change is a new command plus generated docs and tests, which is reviewable but not a narrow bug fix.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Get maintainer confirmation that gog update status belongs in core as a new top-level command.

Risk before merge

• [P1] If merged, gog update status and its JSON field names become new stable CLI surface; maintainers should accept that command shape before release.

Maintainer options:

1. Decide the mitigation before merge
   Have a maintainer decide whether release status belongs in core as gog update status; if accepted, preserve the JSON/plain contract and generated docs when landing.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P2] The remaining blocker is maintainer product judgment for new CLI surface, not an automated code repair.

Security
Cleared: The diff adds unauthenticated read-only GitHub release metadata reads and checksum parsing without dependency, workflow, credential, or write-path changes.

Review details

Best possible solution:

Have a maintainer decide whether release status belongs in core as gog update status; if accepted, preserve the JSON/plain contract and generated docs when landing.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a new CLI feature PR, not a bug report. The contributor posted terminal output for ./bin/gog --json update status and plain output on the current PR head.

Is this the best way to solve the issue?

Unclear: the implementation is narrow and tested, but VISION.md says new product/API surfaces and command-structure changes should be discussed first.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 213ddb60d7d1.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The contributor posted after-fix terminal output for JSON and plain update status output from PR head f85ffd26ceea.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The contributor posted after-fix terminal output for JSON and plain update status output from PR head f85ffd26ceea.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P3: The PR adds a low-risk optional release-status feature with limited blast radius and no confirmed blocking correctness defect.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The contributor posted after-fix terminal output for JSON and plain update status output from PR head f85ffd26ceea.
• proof: sufficient: Contributor real behavior proof is sufficient. The contributor posted after-fix terminal output for JSON and plain update status output from PR head f85ffd26ceea.

Evidence reviewed

What I checked:

• AGENTS.md policy read: Repository policy was read fully and applied: PR review stayed read-only, generated command docs were treated as generated output, and parseable stdout guidance was checked against the new command behavior. (AGENTS.md:1, 213ddb60d7d1)
• Current main lacks update command: The current main CLI top-level command list has Time followed by Gmail and no Update namespace, so the requested command is not already implemented on main. (internal/cmd/root.go:88, 213ddb60d7d1)
• PR registers new command surface: The PR branch adds Update UpdateCmd as a new top-level CLI command between Time and Gmail. (internal/cmd/root.go:89, f85ffd26ceea)
• PR implements release status report: The new UpdateStatusCmd builds JSON fields for current/latest version, platform asset, checksum URL/SHA256, install method, and self-update support, then writes JSON or TSV-style plain output. (internal/cmd/update.go:31, f85ffd26ceea)
• Release asset lookup matches repository release shape: GoReleaser is configured to publish gogcli_<version>_<os>_<arch> archives and checksums.txt, matching the PR's asset and checksum lookup model. (.goreleaser.yaml:47, 213ddb60d7d1)
• Latest release has expected assets: v0.31.1 is published with checksums.txt and platform archives including gogcli_0.31.1_linux_amd64.tar.gz, so the command has real release metadata to query. (608aa46e7b9c)

Likely related people:

• steipete: Recent history ties Peter Steinberger to the current CLI command registry, release config, release docs, and version fallback behavior that this PR builds on. (role: recent CLI/release area contributor; confidence: high; commits: 608aa46e7b9c, 6af52a406b07, 0af3c331ff05; files: internal/cmd/root.go, internal/cmd/version.go, .goreleaser.yaml)
• Tan Lean Sheng: Authored the embedded VERSION fallback used by resolvedVersion, which the PR uses for current-version reporting and User-Agent construction. (role: version metadata contributor; confidence: medium; commits: 51283d56c705; files: internal/cmd/version.go, docs/RELEASING.md)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[titus7490]

Added real behavior proof for the current PR head f85ffd26ceea.

Fresh build:

$ make build
$ ./bin/gog --json update status

Output:

{
  "current_version": "v0.31.1-3-gf85ffd26",
  "current_commit": "f85ffd26ceea",
  "current_date": "2026-06-26T17:29:58Z",
  "latest_version": "v0.31.1",
  "latest_url": "https://github.com/openclaw/gogcli/releases/tag/v0.31.1",
  "update_available": false,
  "platform": "linux/amd64",
  "platform_asset": "gogcli_0.31.1_linux_amd64.tar.gz",
  "platform_asset_url": "https://github.com/openclaw/gogcli/releases/download/v0.31.1/gogcli_0.31.1_linux_amd64.tar.gz",
  "checksum_available": true,
  "checksums_url": "https://github.com/openclaw/gogcli/releases/download/v0.31.1/checksums.txt",
  "platform_asset_sha256": "5f5c35eb8c5603a59ee1eaf31909463f4e8c5f645130d9a4296571966a77aef2",
  "install_method": "standalone",
  "executable": "/root/.openclaw/workspace/upstream/gogcli-update-status/bin/gog",
  "self_update_supported": true
}

Plain output also works:

current_version	v0.31.1-3-gf85ffd26
current_commit	f85ffd26ceea
current_date	2026-06-26T17:29:58Z
latest_version	v0.31.1
update_available	false
platform	linux/amd64
platform_asset	gogcli_0.31.1_linux_amd64.tar.gz
platform_asset_sha256	5f5c35eb8c5603a59ee1eaf31909463f4e8c5f645130d9a4296571966a77aef2
install_method	standalone
self_update_supported	true

The command is read-only: it only reads GitHub release metadata and local executable/build metadata; it does not write binaries, restart services, or modify local state.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.