Add upgrade-check REST endpoints for workloads

[JAORMX]

Summary

The upgrade checker (PR #5407) is only useful if clients can reach it. CLI, Studio, and automation should share one backend source of truth for upgrade availability instead of each reimplementing registry drift detection. This exposes the checker over the existing workloads API. Part of RFC THV-0068, local scope.

• Add GET /api/v1beta/workloads/upgrade-check (batch) and GET /api/v1beta/workloads/{name}/upgrade-check (single).
• The batch handler reuses the exact group/all authorization scoping of the list endpoint and intersects it with the enumerated run configs, so it can never report a workload outside the caller's scope.
• Responses carry only non-sensitive CheckResult metadata; secret env-var defaults are cleared. Both routes are read-only and skip image pulls, so they use the standard request timeout.
• Regenerate the OpenAPI spec.

Type of change

• New feature

Test plan

• Unit tests (task test) — single (up-to-date / available / 404 / 400), batch (mixed results, group filter, stale-on-disk config excluded, unloadable config skipped-not-fatal), a no-secret-leak assertion, and a chi route-ordering test (/upgrade-check does not resolve to getWorkload).
• Linting (task lint-fix)

Changes

File	Change
pkg/api/v1/workloads_upgrade.go	Batch + single check handlers, run-config enumeration
pkg/api/v1/workloads.go	Route registration + injected deps
pkg/api/v1/workload_types.go	Response types
docs/server/*	Regenerated OpenAPI

Does this introduce a user-facing change?

Yes — two new read-only REST endpoints for querying upgrade availability. No existing endpoints change.

Large PR Justification

This PR is ~1,434 lines, but only 231 are hand-written source. The rest is mechanically generated or test code that cannot be meaningfully split out:

• 764 lines are auto-generated OpenAPI (docs/server/docs.go, swagger.json, swagger.yaml), produced by task docs from the swag annotations on the two new handlers. These must be regenerated and committed in the same PR (a Verify Swagger Documentation CI check fails otherwise), and they cannot be split.
• 439 lines are integration tests for the new endpoints, which must ship with the handlers they cover.
• The 231 source lines are the two read-only handlers plus their response types — already the smallest coherent API slice (check endpoints only; the apply endpoint is deferred to PR Add upgrade apply for the CLI and API #5411).

Special notes for reviewers

PR 2 of 6 in the RFC THV-0068 stack; based on #5407. The dedicated apply endpoint (POST .../upgrade) lands in PR 5, reusing the response types added here.

🤖 Generated with Claude Code

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

❌ Patch coverage is 45.09804% with 56 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.79%. Comparing base (db82aef) to head (6850600).

Files with missing lines	Patch %	Lines
pkg/api/v1/workloads_upgrade.go	56.79%	23 Missing and 12 partials ⚠️
pkg/api/v1/workloads.go	0.00%	21 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5408      +/-   ##
==========================================
- Coverage   68.82%   68.79%   -0.03%     
==========================================
  Files         632      633       +1     
  Lines       64085    64181      +96     
==========================================
+ Hits        44105    44154      +49     
- Misses      16722    16760      +38     
- Partials     3258     3267       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

The base branch was changed.