update: docs + publish script for the self-update feature

README gets a top-level Updating section; docs/privileges.md gains
a step-by-step trust-model writeup of `banger update`. The new
scripts/publish-banger-release.sh drives the manual release cut:
build, tar, sha256sum, cosign sign-blob, verify against the embedded
public key, jq-merge into manifest.json, rclone upload to the R2
bucket. Refuses outright if the embedded key is still the placeholder
so we can't accidentally publish an unverifiable release. Also folds
in gofmt drift accumulated across the updater package and a few
sibling files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/daemon/dispatch.go

@@ -50,8 +50,8 @@ func noParamHandler[R any](call func(ctx context.Context, d *Daemon) (R, error))
 // live below the map; they need pre-service validation or raw result
 // encoding that the generic wrapper can't express.
 var rpcHandlers = map[string]handler{
-	"ping":                 pingHandler,
-	"shutdown":             shutdownHandler,
+	"ping":                   pingHandler,
+	"shutdown":               shutdownHandler,
 	"daemon.operations.list": noParamHandler(daemonOperationsListDispatch),
 
 	"vm.create":        paramHandler(vmCreateDispatch),

internal/daemon/doctor_test.go

@@ -468,9 +468,9 @@ func TestFirecrackerInstallHintDispatchesByDistro(t *testing.T) {
 // dispatcher lets us run a real script for one command without
 // rewiring the rest.
 type firecrackerVersionRunner struct {
-	real    system.Runner
-	canned  []byte
-	bin     string
+	real   system.Runner
+	canned []byte
+	bin    string
 }
 
 func (r *firecrackerVersionRunner) Run(ctx context.Context, name string, args ...string) ([]byte, error) {