fix: harden self-update and scope nuke cleanup

[justrach]

Summary

• replace the inline shell updater with a dedicated self-update module that resolves the latest release via GitHub first, verifies checksums.sha256, and no-ops when already current
• centralize the release version string and expose codedb update in CLI help
• scope codedb nuke process termination to the same executable path so uninstalling one install does not kill unrelated codedb sessions
• add targeted tests for update version ordering, checksum parsing, asset naming, help output, and nuke process matching

Verification

• zig build
• zig build test -- --test-filter "issue-150:"
• zig build test -- --test-filter "update:"
• zig build test -- --test-filter "nuke:"
• CODEDB_VERSION=0.2.56 ./zig-out/bin/codedb update
• isolated temp-HOME smoke test for codedb nuke covering snapshot/config/binary removal and a same-install dummy serve process

[github-actions]

Benchmark Regression Report

Threshold: 10.00%

Tool	Base (ns)	Head (ns)	Delta	Status
codedb_bundle	691053	658760	-4.67%	OK
codedb_changes	109617	108266	-1.23%	OK
codedb_deps	29560	30000	+1.49%	OK
codedb_edit	19256	17574	-8.73%	OK
codedb_find	149690	142793	-4.61%	OK
codedb_hot	152402	145156	-4.75%	OK
codedb_outline	423933	452679	+6.78%	OK
codedb_read	143706	144190	+0.34%	OK
codedb_search	285470	287724	+0.79%	OK
codedb_snapshot	4300877	4388583	+2.04%	OK
codedb_status	257497	254208	-1.28%	OK
codedb_symbol	63634	61077	-4.02%	OK
codedb_tree	87592	73733	-15.82%	OK
codedb_word	94247	91318	-3.11%	OK

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ae8b09917c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Strip v prefix from CODEDB_VERSION before release URL use

When CODEDB_VERSION is set to a tag-like value such as v0.2.57, resolveTargetVersion returns it unchanged, but later download URLs are built as .../download/v{s}/..., producing vv0.2.57 and causing update failure for explicit-version updates. This is a real mismatch because compareVersions already accepts prefixed versions, so users can pass validation and still fail during download.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Resolve non-absolute argv0 when matching nuke target process

commandTargetsBinary only treats a process as in-scope when the command token equals the absolute self path (or contains that exact string). For processes launched from PATH (argv0 like codedb serve), this check returns false even when they are the same install, so codedb nuke can leave same-install serve/mcp processes running while uninstalling files.

Useful? React with 👍 / 👎.