Add workload upgrade detection package

[JAORMX]

Summary

CLI and API users have no way to discover when a registry-sourced MCP server has a newer version available. Today only ToolHive Studio detects image-tag drift, and it does so in its frontend — so CLI users are blind to updates and every new client would have to reimplement the same logic. This is the first slice of RFC THV-0068 (Workload Upgrade), moving detection into the backend where all clients can consume it. Local experience only (Kubernetes is out of scope for this RFC).

• Add a new pkg/workloads/upgrade package with a Checker that compares a running workload's image tag against its current registry entry.
• Tag comparison is semver-aware (via golang.org/x/mod/semver) with a string-equality fallback; it degrades safely to unknown for :latest, digest references, repository changes (host-normalized), and non-registry-sourced workloads, so only a strictly-newer tag on the same repository yields upgrade-available.
• Reports environment-variable drift (new/removed registry-declared vars) and configuration drift (permission profile, transport, network isolation), with secret env-var defaults cleared from results.

Type of change

• New feature

Test plan

• Unit tests (task test) — table-driven coverage of tag comparison (incl. double-digit-minor and prerelease ordering), env/config drift, and status gating; registry provider mocked.
• Linting (task lint-fix)

Changes

File	Change
pkg/workloads/upgrade/doc.go	Package doc, cycle guard, no-rollback note
pkg/workloads/upgrade/types.go	CheckResult, EnvVarDrift, ConfigDrift, UpgradeStatus, ApplyOptions
pkg/workloads/upgrade/version.go	Semver-aware tag comparison helper
pkg/workloads/upgrade/checker.go	Checker + Check/CheckAll
pkg/workloads/upgrade/*_test.go	Unit tests incl. a drift-guard for the env-var boundary type

Does this introduce a user-facing change?

No — this PR adds an internal package only. The thv upgrade commands and REST endpoints that consume it land in later PRs of this stack.

Large PR Justification

This PR is ~1,158 lines, but 627 of those are unit tests (*_test.go) and only 531 are source across one cohesive new package (doc.go + types.go + version.go + checker.go).

• The source cannot be split smaller without leaving code uncompilable or untested. The Checker depends on its result types (types.go) and the tag-comparison helper (version.go); separating them yields a package that does not build. This is one self-contained unit, the smallest reviewable slice of the feature.
• Tests must ship with the code, not separately. Splitting the 627 lines of table-driven tests into a follow-up PR would merge untested detection logic — exactly what review is meant to prevent.
• The feature as a whole was deliberately split into 6 stacked PRs (this is fix(typo): corrects readme #1) to keep each phase focused; this phase is the irreducible detection core.

Special notes for reviewers

This is PR 1 of 6 in a stack implementing RFC THV-0068 (split to stay within the repo's PR-size limit). Each PR is one logical phase; later PRs are based on this branch:

1. Detection package ← this PR
2. Check REST API (GET .../upgrade-check)
3. CLI thv upgrade check + thv list --check-upgrades
4. upgrade.Applier
5. Apply CLI + API (thv upgrade apply, POST .../upgrade)
6. e2e + lifecycle docs

🤖 Generated with Claude Code

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

❌ Patch coverage is 91.89189% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.83%. Comparing base (05ca226) to head (d9f4c8d).

Files with missing lines	Patch %	Lines
pkg/workloads/upgrade/checker.go	90.19%	8 Missing and 2 partials ⚠️
pkg/workloads/upgrade/version.go	95.23%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5407      +/-   ##
==========================================
+ Coverage   68.77%   68.83%   +0.06%     
==========================================
  Files         629      632       +3     
  Lines       63937    64085     +148     
==========================================
+ Hits        43970    44111     +141     
- Misses      16713    16718       +5     
- Partials     3254     3256       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

[jhrozek]

Detection logic looks solid and the tests are thorough. A few comments from a focused review of the comparison/drift logic — one correctness item on semver normalization, plus two defensive/semantic notes. Nothing blocking.