update: docs + publish script for the self-update feature

README gets a top-level Updating section; docs/privileges.md gains
a step-by-step trust-model writeup of `banger update`. The new
scripts/publish-banger-release.sh drives the manual release cut:
build, tar, sha256sum, cosign sign-blob, verify against the embedded
public key, jq-merge into manifest.json, rclone upload to the R2
bucket. Refuses outright if the embedded key is still the placeholder
so we can't accidentally publish an unverifiable release. Also folds
in gofmt drift accumulated across the updater package and a few
sibling files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

README.md

@@ -267,6 +267,28 @@ directory are skipped with a warning — they'd otherwise leak files
 from outside the named tree (e.g. a symlink inside `~/.aws` pointing
 to an unrelated credential dir).
 
+## Updating
+
+```bash
+banger update --check        # is a newer release available?
+sudo banger update           # download, verify, swap, restart, run doctor
+sudo banger update --to v0.1.1
+sudo banger update --dry-run
+```
+
+`banger update` pulls the release manifest from
+`https://releases.thaloco.com/banger/manifest.json`, downloads the
+release tarball + `SHA256SUMS` + `SHA256SUMS.sig`, verifies the
+cosign signature against the public key embedded in the running
+binary, hashes the tarball, atomically swaps the three banger
+binaries, restarts both systemd services, and runs `banger doctor`.
+On any failure post-swap, it auto-restores the previous install
+from `.previous` backups before surfacing the original error.
+
+Refuses to start while any banger operation is in flight. No
+background update checks; updates only happen when you ask. See
+[`docs/privileges.md`](docs/privileges.md) for the trust model.
+
 ## Advanced
 
 The common path is `vm run`. Power-user flows (`vm create`, OCI pull