[codex] add self update command

[masonjames]

Summary

• add clanker update with release and source-update channels
• default release updates download the matching GitHub release tarball and replace the current executable
• main channel builds the latest commit from the repository default branch and installs it in place
• add clanker config init --update-channel plus README setup docs

Validation

• go test ./internal/updater ./cmd
• go build ./...
• go run . update --dry-run --channel main
• go run . update --dry-run --channel release
• go test ./...

[bgdnvk]

Probably can merge it, sorry for the late review but will catch up on this tomorrow

cc @rafeegnash

[rafeegnash]

Reviewed end-to-end. CI is green across all 5 checks (lint, test 1.23 + 1.24, build amd64 + arm64), code is well-structured, tests cover the meaningful surfaces (channel normalization, asset selection, tarball extraction, default-branch resolution), and the install path uses the right pattern (temp file in same dir + os.Rename, with permission preservation via os.Stat → os.Chmod).

Squashing now. Two items I'm filing as follow-up issues rather than blocking on:

1. No checksum/signature verification on the downloaded binary (`internal/updater/updater.go:450-471`). Since clanker handles cloud creds and applies infra, an unverified self-update is a real risk surface long-term. Recommend cosign-style verification or at minimum a SHA256 checksum check from a separate file in the release.
2. Windows support is partial — `buildMainBinary` adds `.exe` but release-channel asset selection expects `_windows_amd64.tar.gz` (releases more typically ship `.zip`), and `os.Rename` over a running Windows executable usually fails. Project's CI is macOS-only so this isn't blocking, but worth documenting as known gap.

Nice work on this. Thanks for the contribution.