v2.7→v2.8 parity: package upgrade support (BEAST.base, BEAST.fx, installed packages)

[alexeid]

Part of v2.7→v2.8 parity (raised by Remco). Umbrella: #34. Spin-off: #85 (BEAST core update notifier — out of scope here).

Vocabulary. New CLI/UI in this issue uses "upgrade" as the primary verb (matches apt/brew/dnf). The pre-existing "update" flags (-update, -updatenow) are kept as aliases so existing scripts keep working with no changes required.

Problem

The core upgrade machinery is mostly in place for CBAN .zip packages: PackageManager.updatePackages(...) at PackageManager.java:1687 is CLI-wired as -update / -updatenow (PackageManagerCLI.java:179-187) and handles end-to-end upgrades, including Windows defer-delete + toInstallList resume-after-restart (PackageInstaller.java:62, 202-209, 293-347). The gaps:

1. Maven Central packages don't participate. No version discovery, and they're not surfaced in the unified packageMap that updatePackages walks.
2. No per-package CLI. Upgrades today are all-or-nothing; you can't say "just upgrade Mascot".
3. No BEAUti affordance. JPackageDialog has no "Upgrade?" column, no "Upgrade All" button, and doesn't list Maven-installed packages at all.
4. Rollback bug. PackageInstaller.prepareForInstall (PackageInstaller.java:44) uninstalls the old version before downloading the new one. A network failure mid-upgrade leaves the package gone.
5. Stale comment at PackageInstaller.java:312 referencing "packages could not be upgraded due to Windows preventing the deletion of jar files" — keep behaviour, fix wording.

(Note: BEAST.base / beast.fx are JPMS modules inside the beast3 core jar in v2.8 — not separately installable packages. Upgrading the core is an installer-level concern, tracked separately in #85.)

Plan

Phase 1 — CLI upgrade for CBAN + rollback-safe staging

• Add primary flags -upgrade <name>, -upgradeAll, -upgradeNow, -listUpgrades (apt-style: exit 0 clean / 1 if upgrades available) to PackageManagerCLI.java.
• Keep -update and -updatenow working as aliases routing to the same code paths. No deprecation warnings — old scripts must remain silently functional.
• Make PackageInstaller.prepareForInstall stage downloads (download → unzip into temp dir → atomic rename) so failed upgrades leave the prior install intact.
• Tidy stale comment at PackageInstaller.java:312.
• Tests: UpgradeFlowTest, UpgradeStagingTest, UpdateAliasTest (verifies old flag names still work) under beast-pkgmgmt/src/test/java/test/beast/pkgmgmt/.

Phase 2 — Maven version discovery + Maven upgrade

• MavenPackageResolver.resolveLatestVersion(g, a) and resolveAvailableVersions(g, a) via Aether VersionRangeRequest.
• PackageManager.addInstalledMavenPackages(packageMap) so Maven coords appear alongside CBAN entries.
• -upgradeAll covers both transport types; restart guidance for Maven where JPMS layers prevent hot reload.
• Tests: MavenVersionDiscoveryTest against a fixture Aether repo.

Phase 3 — BEAUti FX dialog parity

• Show Maven packages in the table with a Source column.
• Add "Upgrade?" indicator column driven by Package.newVersionAvailable().
• Add "Upgrade All" button in JPackageDialog.createButtonBox().

Phase 4 — Polish: upgrade checks for Maven

• Extend the startup package.update.status nag to include Maven packages.

Acceptance

• packagemanager -upgrade <name> and packagemanager -upgradeAll work for both CBAN and Maven packages.
• packagemanager -update and -updatenow continue to work as aliases without warning or behavioural change.
• BEAUti Manage Packages shows installed packages from both transports and highlights upgradable ones with an "Upgrade All" action.
• A failed download during upgrade leaves the prior install intact.

Open questions

• Hot reload on Linux/macOS for CBAN — does the current path truly hot-replace jars, or does it always require restart? Affects Phase 2 Maven UX wording.
• For Maven packages, what's the human-readable name in the table? Prefer embedded version.xml/name if present, fall back to artifactId.