feat: add cortex_status and cortex_update tools

cortex_status: git branch/commit/ahead-behind + systemctl state — read-only
cortex_update: git pull + syntax check all .py files + report; does NOT auto-restart.
  If syntax errors are found after pull, warns and blocks restart suggestion.
  Call cortex_restart separately to apply a clean update.

Both are admin-only. cortex_update is confirm-required (modifies files on disk).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cortex/tools/__init__.py

@@ -48,7 +48,12 @@ from tools.scratch import (
     scratch_append as _scratch_append,
     scratch_clear as _scratch_clear,
 )
-from tools.system import cortex_restart as _cortex_restart, cortex_logs as _cortex_logs
+from tools.system import (
+    cortex_restart as _cortex_restart,
+    cortex_logs as _cortex_logs,
+    cortex_status as _cortex_status,
+    cortex_update as _cortex_update,
+)
 from tools.web import http_fetch as _http_fetch
 from tools.files import file_list as _file_list, file_write as _file_write
 from tools.notify import nc_talk_send as _nc_talk_send, email_send as _email_send
@@ -389,6 +394,8 @@ _CALLABLES: dict[str, callable] = {
     "shell_exec": _shell_exec,
     "cortex_restart": _cortex_restart,
     "cortex_logs": _cortex_logs,
+    "cortex_status": _cortex_status,
+    "cortex_update": _cortex_update,
     "http_fetch": _http_fetch,
     "email_send":   _email_send,
     "nc_talk_send": _nc_talk_send,
@@ -793,6 +800,28 @@ _cortex_logs_declaration = types.FunctionDeclaration(
     ),
 )
 
+_cortex_status_declaration = types.FunctionDeclaration(
+    name="cortex_status",
+    description=(
+        "Return Cortex service status: current git branch and commit, how many commits "
+        "ahead/behind the remote, and the systemctl service state. "
+        "Use to check what version is running or whether the service is healthy. "
+        "ADMIN ONLY."
+    ),
+    parameters=types.Schema(type=types.Type.OBJECT, properties={}),
+)
+
+_cortex_update_declaration = types.FunctionDeclaration(
+    name="cortex_update",
+    description=(
+        "Pull the latest code from git, run a syntax check on all Python files, and report "
+        "what changed. Does NOT restart automatically — call cortex_restart separately after "
+        "reviewing the output. Will report syntax errors if the pull introduces broken code. "
+        "ADMIN ONLY. Requires confirmation."
+    ),
+    parameters=types.Schema(type=types.Type.OBJECT, properties={}),
+)
+
 _http_fetch_declaration = types.FunctionDeclaration(
     name="http_fetch",
     description=(
@@ -919,6 +948,8 @@ TOOL_ROLES: dict[str, str] = {
     "claude_allow_dir": "admin",
     "cortex_restart":   "admin",
     "cortex_logs":      "admin",
+    "cortex_status":    "admin",
+    "cortex_update":    "admin",
     "file_read":        "admin",
     "file_list":        "admin",
     "file_write":       "admin",
@@ -932,6 +963,7 @@ TOOL_ROLES: dict[str, str] = {
 # the tool, prompting Claude to ask the user to confirm in a follow-up message.
 CONFIRM_REQUIRED: set[str] = {
     "cortex_restart",
+    "cortex_update",
     "file_write",
     "shell_exec",
     "cron_remove",
@@ -966,6 +998,8 @@ _ALL_DECLARATIONS: list[types.FunctionDeclaration] = [
     _shell_exec_declaration,
     _cortex_restart_declaration,
     _cortex_logs_declaration,
+    _cortex_status_declaration,
+    _cortex_update_declaration,
     _http_fetch_declaration,
     _email_send_declaration,
     _nc_talk_send_declaration,