Add thv upgrade check and list --check-upgrades (#5409)

* Add upgrade detection for registry workloads

CLI and API users have no way to discover when a newer version of a
registry-sourced MCP server is available; only Studio implements drift
detection, in its frontend. Introduce a backend package that all clients
can consume.

Add pkg/workloads/upgrade with a Checker that compares a running
workload's image tag against its registry entry (semver-aware, with a
string fallback) and reports environment-variable and configuration
(transport / permission-profile / network-isolation) drift. Comparison
degrades safely to "unknown" for :latest, digest refs, repository
changes, and non-registry-sourced workloads, so only a strictly-newer
tag on the same repository yields "upgrade-available".

This is the read-only detection core (RFC THV-0068, phase A); the apply
path, API endpoints, and CLI follow in later changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review feedback on upgrade detection

- Lowercase an uppercase "V" tag prefix so semver comparison works;
  "V1.2.0" vs "V1.3.0" no longer falls through to undecidable and
  hides a real upgrade.
- Drop the raw provider error from CheckResult.Reason (it is serialized
  into the API response and can leak internal addressing); log it at
  DEBUG and return a fixed string. Same for the CheckAll path.
- Add a defensive default to the comparison switch so an unexpected
  value yields StatusUnknown rather than the least-safe StatusUpToDate.
- Stop reporting network-isolation drift: the registry has no
  network-isolation field, so it fired for every isolated workload
  regardless of the candidate version. Remove the ConfigDrift field
  and the now-unused BoolChange type.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Add upgrade-check REST endpoints for workloads

CLI, Studio, and automation need a single backend source of truth for
upgrade availability instead of each client reimplementing registry
drift detection. Expose the Phase A checker over the existing workloads
API.

Add GET /api/v1beta/workloads/upgrade-check (batch) and
GET /api/v1beta/workloads/{name}/upgrade-check (single). The batch
handler reuses the exact group/all authorization scoping of the list
endpoint and intersects it with the enumerated run configs, so it can
never report a workload outside the caller's scope. Responses carry only
non-sensitive CheckResult metadata; secret env-var defaults are cleared.
Both routes are read-only and skip image pulls, so they use the standard
timeout. Regenerate the OpenAPI spec.

The dedicated apply endpoint (POST .../upgrade) follows once the Applier
lands (RFC THV-0068, phase B).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Return 404 for unknown group in workload listing

FilterByGroup returns an empty slice (nil error) for a group that does
not exist, so a typo'd ?group= silently returned 200 with an empty list
instead of the documented 404. Check group existence explicitly via the
group manager before filtering, in both the upgrade-check and the
listWorkloads handlers, so the advertised 404 is real. Add a bulk
upgrade-check test covering the unknown-group path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Regenerate OpenAPI spec after dropping network-isolation drift

The upgrade detection change removed the ConfigDrift.NetworkIsolation
field and the BoolChange type, so regenerate the committed OpenAPI spec
to drop the stale schema and property. Fixes the Verify Swagger
Documentation CI check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Add thv upgrade check and list --check-upgrades

CLI users had no way to see whether their registry-sourced MCP servers
have newer versions available. Surface the upgrade checker on the
command line.

Add a thv upgrade command group with a check [name] subcommand: with a
name it prints a verbose report (candidate image, new env vars, and
permission/transport/network posture drift); with no name it prints a
table for all workloads. Add an opt-in --check-upgrades flag to thv list
that appends an upgrade column. Both reuse the pkg/workloads/upgrade
checker and only format results; the default list path is unchanged and
performs no registry lookup, so it stays offline-friendly. Bulk output
is sorted by name to match thv list.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review feedback on upgrade CLI

- Reject --check-upgrades together with --format mcpservers: that format
  has no upgrade column, so the combination performed a registry lookup
  per workload and discarded the result. Fail loudly in PreRunE instead.
- Guard the bulk-result loop against nil entries so it stays robust if
  CheckAll's contract ever changes.
- Drop the network-isolation line from the posture-drift report; the
  checker no longer reports it (the registry has no such field).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: JAORMX

cmd/thv/app/commands.go

@@ -76,6 +76,7 @@ func NewRootCmd(enableUpdates bool) *cobra.Command {
 	rootCmd.AddCommand(skillCmd)
 	rootCmd.AddCommand(statusCmd)
 	rootCmd.AddCommand(tuiCmd)
+	rootCmd.AddCommand(upgradeCmd)
 
 	// Silence printing the usage on error
 	rootCmd.SilenceUsage = true

cmd/thv/app/list.go

@@ -4,6 +4,7 @@
 package app
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"log/slog"
@@ -13,7 +14,9 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/stacklok/toolhive/pkg/core"
+	"github.com/stacklok/toolhive/pkg/runner"
 	"github.com/stacklok/toolhive/pkg/workloads"
+	"github.com/stacklok/toolhive/pkg/workloads/upgrade"
 )
 
 var listCmd = &cobra.Command{
@@ -41,24 +44,41 @@ Examples:
 }
 
 var (
-	listAll         bool
-	listFormat      string
-	listLabelFilter []string
-	listGroupFilter string
+	listAll           bool
+	listFormat        string
+	listLabelFilter   []string
+	listGroupFilter   string
+	listCheckUpgrades bool
 )
 
 func init() {
 	AddAllFlag(listCmd, &listAll, true, "Show all workloads (default shows just running)")
 	AddFormatFlag(listCmd, &listFormat, FormatJSON, FormatText, "mcpservers")
 	listCmd.Flags().StringArrayVarP(&listLabelFilter, "label", "l", []string{}, "Filter workloads by labels (format: key=value)")
 	AddGroupFlag(listCmd, &listGroupFilter, false)
+	listCmd.Flags().BoolVar(&listCheckUpgrades, "check-upgrades", false,
+		"Check each workload for available upgrades against its source registry (performs a registry lookup)")
 
 	listCmd.PreRunE = chainPreRunE(
 		validateGroupFlag(),
 		ValidateFormat(&listFormat, FormatJSON, FormatText, "mcpservers"),
+		validateCheckUpgradesFormat(),
 	)
 }
 
+// validateCheckUpgradesFormat rejects --check-upgrades with --format mcpservers.
+// The mcpservers format emits client configuration and has no upgrade column, so
+// the flag combination would perform a registry lookup per workload and then
+// discard the result. Fail loudly rather than do hidden, wasted work.
+func validateCheckUpgradesFormat() func(*cobra.Command, []string) error {
+	return func(_ *cobra.Command, _ []string) error {
+		if listCheckUpgrades && listFormat == "mcpservers" {
+			return fmt.Errorf("--check-upgrades is not supported with --format mcpservers; use --format text or json")
+		}
+		return nil
+	}
+}
+
 func listCmdFunc(cmd *cobra.Command, _ []string) error {
 	ctx := cmd.Context()
 
@@ -81,10 +101,20 @@ func listCmdFunc(cmd *cobra.Command, _ []string) error {
 		}
 	}
 
+	// Optionally compute upgrade status for each workload. This is the only path
+	// that performs a registry lookup; the default list stays offline-friendly.
+	var upgrades map[string]*upgrade.CheckResult
+	if listCheckUpgrades {
+		upgrades, err = checkUpgradesForWorkloads(ctx, workloadList)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Output based on format
 	switch listFormat {
 	case FormatJSON:
-		return printJSONOutput(workloadList)
+		return printJSONOutput(workloadList, upgrades)
 	case "mcpservers":
 		return printMCPServersOutput(workloadList)
 	default:
@@ -97,13 +127,49 @@ func listCmdFunc(cmd *cobra.Command, _ []string) error {
 			}
 			return nil
 		}
-		printTextOutput(workloadList)
+		printTextOutput(workloadList, upgrades)
 		return nil
 	}
 }
 
-// printJSONOutput prints workload information in JSON format
-func printJSONOutput(workloadList []core.Workload) error {
+// checkUpgradesForWorkloads builds a single Checker, loads each workload's saved
+// RunConfig, and returns the upgrade result keyed by workload name. Workloads
+// whose config cannot be loaded are omitted from the map. The comparison logic
+// lives entirely in pkg/workloads/upgrade; this only collects inputs.
+func checkUpgradesForWorkloads(ctx context.Context, workloadList []core.Workload) (map[string]*upgrade.CheckResult, error) {
+	checker, err := newUpgradeChecker()
+	if err != nil {
+		return nil, err
+	}
+
+	configs := make([]*runner.RunConfig, 0, len(workloadList))
+	for _, wl := range workloadList {
+		cfg, err := runner.LoadState(ctx, wl.Name)
+		if err != nil {
+			slog.Debug("skipping upgrade check for workload with unloadable config", "workload", wl.Name, "error", err)
+			continue
+		}
+		configs = append(configs, cfg)
+	}
+
+	results := checker.CheckAll(ctx, configs)
+	byName := make(map[string]*upgrade.CheckResult, len(results))
+	for _, r := range results {
+		byName[r.WorkloadName] = r
+	}
+	return byName, nil
+}
+
+// workloadWithUpgrade augments a workload with its optional upgrade-check
+// result for JSON output when --check-upgrades is set.
+type workloadWithUpgrade struct {
+	core.Workload
+	Upgrade *upgrade.CheckResult `json:"upgrade,omitempty"`
+}
+
+// printJSONOutput prints workload information in JSON format. When upgrades is
+// non-nil, each workload is augmented with its upgrade-check result.
+func printJSONOutput(workloadList []core.Workload, upgrades map[string]*upgrade.CheckResult) error {
 	// Ensure we have a non-nil slice to avoid null in JSON output
 	if workloadList == nil {
 		workloadList = []core.Workload{}
@@ -112,13 +178,26 @@ func printJSONOutput(workloadList []core.Workload) error {
 	// Sort workloads alphabetically by name for deterministic output
 	core.SortWorkloadsByName(workloadList)
 
-	// Marshal to JSON
-	jsonData, err := json.MarshalIndent(workloadList, "", "  ")
+	// Without upgrade data, marshal the workloads directly to preserve the
+	// existing output shape.
+	if upgrades == nil {
+		jsonData, err := json.MarshalIndent(workloadList, "", "  ")
+		if err != nil {
+			return fmt.Errorf("failed to marshal JSON: %w", err)
+		}
+		fmt.Println(string(jsonData))
+		return nil
+	}
+
+	augmented := make([]workloadWithUpgrade, 0, len(workloadList))
+	for _, wl := range workloadList {
+		augmented = append(augmented, workloadWithUpgrade{Workload: wl, Upgrade: upgrades[wl.Name]})
+	}
+
+	jsonData, err := json.MarshalIndent(augmented, "", "  ")
 	if err != nil {
 		return fmt.Errorf("failed to marshal JSON: %w", err)
 	}
-
-	// Print JSON directly to stdout
 	fmt.Println(string(jsonData))
 	return nil
 }
@@ -150,14 +229,19 @@ func printMCPServersOutput(workloadList []core.Workload) error {
 	return nil
 }
 
-// printTextOutput prints workload information in text format
-func printTextOutput(workloadList []core.Workload) {
+// printTextOutput prints workload information in text format. When upgrades is
+// non-nil, an additional UPGRADE column reports each workload's upgrade status.
+func printTextOutput(workloadList []core.Workload, upgrades map[string]*upgrade.CheckResult) {
 	// Sort workloads alphabetically by name for deterministic output
 	core.SortWorkloadsByName(workloadList)
 
 	// Create a tabwriter for pretty output
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 3, ' ', 0)
-	if _, err := fmt.Fprintln(w, "NAME\tPACKAGE\tSTATUS\tURL\tPORT\tGROUP\tCREATED"); err != nil {
+	header := "NAME\tPACKAGE\tSTATUS\tURL\tPORT\tGROUP\tCREATED"
+	if upgrades != nil {
+		header += "\tUPGRADE"
+	}
+	if _, err := fmt.Fprintln(w, header); err != nil {
 		slog.Warn(fmt.Sprintf("Failed to write output header: %v", err))
 		return
 	}
@@ -168,7 +252,7 @@ func printTextOutput(workloadList []core.Workload) {
 		status := workloadStatusIndicator(c.Status)
 
 		// Print workload information
-		if _, err := fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%d\t%s\t%s\n",
+		if _, err := fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%d\t%s\t%s",
 			c.Name,
 			c.Package,
 			status,
@@ -179,6 +263,18 @@ func printTextOutput(workloadList []core.Workload) {
 		); err != nil {
 			slog.Debug(fmt.Sprintf("Failed to write workload information: %v", err))
 		}
+		if upgrades != nil {
+			upgradeStatus := "-"
+			if r, ok := upgrades[c.Name]; ok {
+				upgradeStatus = string(r.Status)
+			}
+			if _, err := fmt.Fprintf(w, "\t%s", upgradeStatus); err != nil {
+				slog.Debug(fmt.Sprintf("Failed to write upgrade status: %v", err))
+			}
+		}
+		if _, err := fmt.Fprintln(w); err != nil {
+			slog.Debug(fmt.Sprintf("Failed to write newline: %v", err))
+		}
 	}
 
 	// Flush the tabwriter