chore(release): prepare v0.8.23

- Bump workspace version 0.8.22 → 0.8.23 across Cargo.toml, every per-crate
  path-dependency pin, npm/deepseek-tui/package.json (both `version` and
  `deepseekBinaryVersion`), and Cargo.lock.
- Add a 0.8.23 CHANGELOG entry covering the security hardening stack
  (sanitized child env, plan-mode tool surface, sub-agent approvals,
  symlink walks, runtime API auth, shell safety classification, MCP
  config path traversal), the macOS Keychain prompt fix, the #1244 MCP
  spawn error visibility + env passthrough work, the compact-thinking UX
  change, and a Known issues callout for mid-run MCP stderr.
- Backfill missing CHANGELOG entries for v0.8.21 (community-heavy
  release, contributors credited) and v0.8.22 (fetch_url redirect
  validation). The gap was unintentional, so contributor work is being
  reflected in-repo now.
- Add docs/RELEASE_CHECKLIST.md so future releases gate on the
  CHANGELOG/version/preflight steps explicitly.

CHANGELOG.md

@@ -5,6 +5,189 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.8.23] - 2026-05-08
+
+A security-focused follow-up to v0.8.22. The bulk of the diff is hardening of
+the child-process surface — shells, MCP stdio servers, and other spawned
+subprocesses — plus a related set of MCP, secret-store, and tool-policy
+fixes uncovered during follow-up review.
+
+### Security
+
+- **Sanitized child-process environments** - shells, MCP stdio servers, hooks,
+  and other child processes spawned from the TUI now start from an explicit
+  allowlist of parent environment variables rather than inheriting every
+  parent var. The base allowlist covers `PATH`, `HOME`, `USER`, `LANG`/`LC_*`,
+  `TERM`/`COLORTERM`, `SHELL`, `TMPDIR`/`TMP`/`TEMP`, and the corresponding
+  Windows variables. Stops casual exfiltration of `*_API_KEY`, `AWS_*`,
+  `GITHUB_TOKEN`, and similar through a spawned subprocess.
+- **Tighter shell safety classification** - the `exec_shell` deny-list was
+  reviewed and broadened to cover additional dangerous command patterns.
+- **Plan mode tool surface narrowed** - planning sub-agents see a smaller,
+  read-only tool surface so a plan-mode call can no longer mutate workspace
+  state.
+- **Sub-agent approval boundaries preserved** - sub-agents inherit the
+  parent's approval policy and cannot escalate beyond it.
+- **Symlinked workspace walks no longer followed** - workspace-relative
+  walkers (file-search, project context) now refuse to traverse symlinks
+  pointing outside the workspace root.
+- **Path and output handling tightened** - several tools that build paths
+  from model output now reject `..` segments and absolute paths outside the
+  workspace.
+- **Runtime API requires authentication by default** - `deepseek serve --http`
+  no longer accepts unauthenticated requests in its default configuration.
+- **Security-sensitive dependencies bumped** - routine bump pass for crates
+  with recent advisories.
+- **MCP config paths reject traversal** - `load_config`/`save_config` now
+  refuse paths containing `..` components.
+
+### Fixed
+
+- **macOS Keychain prompt at startup** - the file-backed secret store is now
+  the default. The OS keyring is opt-in via
+  `DEEPSEEK_SECRET_BACKEND=system|keyring`, and the auth status surface
+  refers to "secret store" rather than "keyring" where appropriate.
+- **MCP stdio spawn errors are now visible (#1244)** - when spawning a stdio
+  MCP server fails (e.g., `npx` not on `PATH`), the underlying OS error is
+  now shown ("No such file or directory (os error 2)") instead of the opaque
+  wrapper "MCP stdio spawn failed (...)". The fix applies to the snapshot,
+  the `mcp connect` / `mcp validate` CLI commands, and the in-TUI status
+  events.
+- **MCP servers no longer break under env scrub (#1244)** - MCP stdio launches
+  now inherit a wider env allowlist than arbitrary shell tools, so common
+  `npx ...`, `uvx ...`, `python -m mcp_server_*`, and proxy-bound corporate
+  setups keep working under the new child-env scrub. Pass-through includes
+  `NVM_DIR`, `NODE_OPTIONS`, `NODE_PATH`, `NODE_EXTRA_CA_CERTS`,
+  `NPM_CONFIG_*`, `VOLTA_HOME`, `COREPACK_HOME`, `PYTHONPATH`, `PYTHONHOME`,
+  `VIRTUAL_ENV`, `PIPX_*`, `POETRY_HOME`, `UV_*`, `GEM_*`, `BUNDLE_*`,
+  `JAVA_HOME`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY` / `ALL_PROXY` /
+  `FTP_PROXY` (case-insensitive), `SSL_CERT_FILE`, `SSL_CERT_DIR`,
+  `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`. Secret-bearing parent env stays
+  scrubbed.
+
+### Changed
+
+- **Live thinking is compact by default** - the streaming "thinking" panel
+  collapses by default; expand via the existing details toggle.
+
+### Added
+
+- **`docs/RELEASE_CHECKLIST.md`** - explicit pre-tag checklist (CHANGELOG,
+  versions, preflight, npm wrapper smoke) so the v0.8.21/v0.8.22 CHANGELOG
+  gap does not recur.
+
+### Known issues
+
+- **Mid-run MCP server stderr is still suppressed** - if a stdio MCP server
+  spawns successfully but exits later (e.g., crashes during `initialize`),
+  its stderr is not yet captured. Spawn-time OS errors (the most common
+  case from #1244) are visible. Full mid-run stderr capture is planned for
+  v0.8.24.
+
+## [0.8.22] - 2026-05-08
+
+A focused security release: validate redirected `fetch_url` targets before
+following them so a server-controlled redirect cannot bypass per-domain
+network policy or steer the client at private/link-local IPs.
+
+### Security
+
+- **Validate redirected fetch targets** - the URL the redirect points to is
+  re-evaluated against the network policy and SSRF guards before any second
+  request is issued. Previously the policy decision was made only on the
+  initial URL, so a server response of `Location: http://10.0.0.1/...` could
+  reach a private host even if `fetch_url` would have rejected the same URL
+  if requested directly.
+
+## [0.8.21] - 2026-05-08
+
+A community-heavy release rolling up two weeks of contributor PRs across the
+TUI, runtime, and docs. Big thanks to **Reid (@reidliu41)**,
+**jiaren wang (@JiarenWang)**, **Friende (@pengyou200902)**,
+**ZzzPL (@Oliver-ZPLiu)**, **Sun**, **Liu-Vince**, **kitty**, and
+**Aqil Aziz** for the contributions below.
+
+### Added
+
+- **Distinct user-message body color** (#1168) - user turns now render in a
+  green body color so the conversation flow is easier to scan at a glance.
+
+### Fixed
+
+- **Plan mode enforces read-only tool boundaries** (#1114) - planning calls
+  can no longer reach into write-side tools. Thanks **jiaren wang**.
+- **Composer arrow keys navigate input history** (#1117) - up/down in the
+  composer cycles through prior prompts when the cursor is on the first/last
+  line. Thanks **Reid**.
+- **RLM preserves prompt cache usage** (#1127) - the RLM batch path no longer
+  resets prompt-cache hits between calls. Thanks **Sun**.
+- **`fetch_url` proxy DNS opt-in** (#1103) - the proxy DNS path is now opt-in
+  rather than always forced, fixing breakage in environments where the proxy
+  cannot resolve the target host. Thanks **Sun**.
+- **Undo syncs session context after snapshot restore** (#1150, fixes #1139) -
+  rolling back a turn now correctly resyncs the in-memory session so a
+  follow-up turn doesn't see stale context. Thanks **jiaren wang**.
+- **Stale busy-state watchdog** (#1170) - the TUI now recovers if the busy
+  indicator gets stuck after an aborted turn. Thanks **ZzzPL**.
+- **`gh` discovered across common install paths** - the `gh` tool is found
+  whether installed via Homebrew, apt, the Windows MSI, or the GitHub CLI
+  installer. Thanks **kitty**.
+- **Code block indentation preserved in transcript** - leading whitespace
+  inside fenced code blocks is no longer collapsed during rendering.
+  Thanks **Liu-Vince**.
+- **Stream pacing preserves upstream cadence** - long streaming responses
+  no longer chunk together when the upstream is bursty.
+  Thanks **Sun**.
+- **Task list output gets headers** - the long-form `/tasks` output now has
+  group headers so it scans cleanly. Thanks **Reid**.
+- **macOS option-V details shortcut** - the details toggle now works correctly
+  on US Mac keyboards where Option+V produces `√`.
+- **Uppercase approval shortcuts accepted** - `[A]/[D]/[V]` work in either
+  case in the approval dialog.
+- **Transcript scrollbar inert** - the transcript scrollbar no longer captures
+  clicks intended for content below it.
+- **Hide transcript rail before code blocks** - the rail glyph no longer
+  bleeds onto the line just above a fenced code block.
+- **Pager exit hint prominent** - the "press q to exit" hint is now visible
+  on the pager footer.
+- **Empty tool call names fall back to a placeholder** - a model that returns
+  an empty `function.name` in a tool call no longer hangs the turn.
+- **MCP SSE waits for endpoint before connect returns** (#1225) - the SSE
+  transport no longer reports "connected" before the endpoint event has been
+  received, fixing a race where the first request was lost.
+- **Git branch status item renders** (#1226, fixes #1217) - the
+  `StatusItem::GitBranch` toggle now produces a footer entry instead of a
+  blank slot.
+- **Beta endpoint routes non-beta paths to v1** (#1174) - paths that aren't
+  available on the DeepSeek beta host are transparently redirected to the v1
+  host instead of failing.
+- **Skill packs accept workflow-pack archive layouts** (#1164) - skill
+  archives produced by the workflow pack tool now install correctly.
+- **Interactive sessions stay in alternate screen** (#1158) - returning from
+  a sub-process no longer kicks the TUI back to the primary screen mid-turn.
+- **Slash-menu arrow navigation wraps** (#1152) - up at the top / down at the
+  bottom of the slash menu wraps to the other end.
+- **CLI preserves split prompt words from Windows shims** (#1160) - prompt
+  arguments forwarded by the npm wrapper on Windows are no longer joined into
+  one giant token.
+- **`libc` extended to all Unix targets** (#1173) - improves FreeBSD build
+  compatibility.
+- **Memory truncation marker reports omitted bytes** - the `[…N bytes
+  omitted]` marker now shows an accurate count. Thanks **Friende**.
+
+### Docs
+
+- **Memory skill link** (#1096) - corrected. Thanks **Aqil Aziz**.
+- **Help keybinding reference** (#1095) - corrected. Thanks **Friende**.
+- **Additional environment variables** documented in the config reference.
+  Thanks **Liu-Vince**.
+- **Docker volume guidance** - the install snippet now uses a writable named
+  data volume rather than a bind mount that may be read-only on some hosts.
+- **Competitive analysis reflects LSP diagnostics** (#1171) - the doc now
+  matches the shipping LSP diagnostics implementation.
+- **Dispatcher path for `/run-pr`** (#1227) - the README now points at the
+  dispatcher binary.
+
 ## [0.8.20] - 2026-05-08
 
 ### Fixed

Cargo.lock

@@ -1151,7 +1151,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-agent"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "deepseek-config",
  "serde",
@@ -1159,7 +1159,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-app-server"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "axum",
@@ -1181,7 +1181,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-config"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "deepseek-secrets",
@@ -1193,7 +1193,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-core"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "chrono",
@@ -1211,7 +1211,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-execpolicy"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "deepseek-protocol",
@@ -1220,7 +1220,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-hooks"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -1234,7 +1234,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-mcp"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "serde",
@@ -1243,7 +1243,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-protocol"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "serde",
  "serde_json",
@@ -1251,7 +1251,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-secrets"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "dirs",
  "keyring",
@@ -1264,7 +1264,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-state"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "chrono",
@@ -1276,7 +1276,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-tools"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -1289,7 +1289,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-tui"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "arboard",
@@ -1350,7 +1350,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-tui-cli"
-version = "0.8.22"
+version = "0.8.23"
 dependencies = [
  "anyhow",
  "chrono",
@@ -1374,7 +1374,7 @@ dependencies = [
 
 [[package]]
 name = "deepseek-tui-core"
-version = "0.8.22"
+version = "0.8.23"
 
 [[package]]
 name = "deltae"

Cargo.toml

@@ -19,7 +19,7 @@ default-members = ["crates/cli", "crates/app-server", "crates/tui"]
 resolver = "2"
 
 [workspace.package]
-version = "0.8.22"
+version = "0.8.23"
 edition = "2024"
 # Rust 1.88 stabilized `let_chains` in `if`/`while` conditions, which the
 # codebase relies on extensively. Cargo enforces this so users on older

crates/agent/Cargo.toml

@@ -7,5 +7,5 @@ repository.workspace = true
 description = "Model/provider registry and fallback strategy for DeepSeek workspace architecture"
 
 [dependencies]
-deepseek-config = { path = "../config", version = "0.8.22" }
+deepseek-config = { path = "../config", version = "0.8.23" }
 serde.workspace = true

crates/app-server/Cargo.toml

@@ -10,15 +10,15 @@ description = "Codex-style app-server transport for DeepSeek workspace architect
 anyhow.workspace = true
 axum.workspace = true
 clap.workspace = true
-deepseek-agent = { path = "../agent", version = "0.8.22" }
-deepseek-config = { path = "../config", version = "0.8.22" }
-deepseek-core = { path = "../core", version = "0.8.22" }
-deepseek-execpolicy = { path = "../execpolicy", version = "0.8.22" }
-deepseek-hooks = { path = "../hooks", version = "0.8.22" }
-deepseek-mcp = { path = "../mcp", version = "0.8.22" }
-deepseek-protocol = { path = "../protocol", version = "0.8.22" }
-deepseek-state = { path = "../state", version = "0.8.22" }
-deepseek-tools = { path = "../tools", version = "0.8.22" }
+deepseek-agent = { path = "../agent", version = "0.8.23" }
+deepseek-config = { path = "../config", version = "0.8.23" }
+deepseek-core = { path = "../core", version = "0.8.23" }
+deepseek-execpolicy = { path = "../execpolicy", version = "0.8.23" }
+deepseek-hooks = { path = "../hooks", version = "0.8.23" }
+deepseek-mcp = { path = "../mcp", version = "0.8.23" }
+deepseek-protocol = { path = "../protocol", version = "0.8.23" }
+deepseek-state = { path = "../state", version = "0.8.23" }
+deepseek-tools = { path = "../tools", version = "0.8.23" }
 serde.workspace = true
 serde_json.workspace = true
 tokio.workspace = true

crates/cli/Cargo.toml

@@ -14,13 +14,13 @@ path = "src/main.rs"
 anyhow.workspace = true
 clap.workspace = true
 clap_complete.workspace = true
-deepseek-agent = { path = "../agent", version = "0.8.22" }
-deepseek-app-server = { path = "../app-server", version = "0.8.22" }
-deepseek-config = { path = "../config", version = "0.8.22" }
-deepseek-execpolicy = { path = "../execpolicy", version = "0.8.22" }
-deepseek-mcp = { path = "../mcp", version = "0.8.22" }
-deepseek-secrets = { path = "../secrets", version = "0.8.22" }
-deepseek-state = { path = "../state", version = "0.8.22" }
+deepseek-agent = { path = "../agent", version = "0.8.23" }
+deepseek-app-server = { path = "../app-server", version = "0.8.23" }
+deepseek-config = { path = "../config", version = "0.8.23" }
+deepseek-execpolicy = { path = "../execpolicy", version = "0.8.23" }
+deepseek-mcp = { path = "../mcp", version = "0.8.23" }
+deepseek-secrets = { path = "../secrets", version = "0.8.23" }
+deepseek-state = { path = "../state", version = "0.8.23" }
 chrono.workspace = true
 dirs.workspace = true
 serde.workspace = true

crates/config/Cargo.toml

@@ -8,7 +8,7 @@ description = "Config schema and precedence model for DeepSeek workspace archite
 
 [dependencies]
 anyhow.workspace = true
-deepseek-secrets = { path = "../secrets", version = "0.8.22" }
+deepseek-secrets = { path = "../secrets", version = "0.8.23" }
 dirs.workspace = true
 serde.workspace = true
 toml.workspace = true

crates/core/Cargo.toml

@@ -9,13 +9,13 @@ description = "Core runtime boundaries for DeepSeek workspace architecture"
 [dependencies]
 anyhow.workspace = true
 chrono.workspace = true
-deepseek-agent = { path = "../agent", version = "0.8.22" }
-deepseek-config = { path = "../config", version = "0.8.22" }
-deepseek-execpolicy = { path = "../execpolicy", version = "0.8.22" }
-deepseek-hooks = { path = "../hooks", version = "0.8.22" }
-deepseek-mcp = { path = "../mcp", version = "0.8.22" }
-deepseek-protocol = { path = "../protocol", version = "0.8.22" }
-deepseek-state = { path = "../state", version = "0.8.22" }
-deepseek-tools = { path = "../tools", version = "0.8.22" }
+deepseek-agent = { path = "../agent", version = "0.8.23" }
+deepseek-config = { path = "../config", version = "0.8.23" }
+deepseek-execpolicy = { path = "../execpolicy", version = "0.8.23" }
+deepseek-hooks = { path = "../hooks", version = "0.8.23" }
+deepseek-mcp = { path = "../mcp", version = "0.8.23" }
+deepseek-protocol = { path = "../protocol", version = "0.8.23" }
+deepseek-state = { path = "../state", version = "0.8.23" }
+deepseek-tools = { path = "../tools", version = "0.8.23" }
 serde_json.workspace = true
 uuid.workspace = true

crates/execpolicy/Cargo.toml

@@ -8,5 +8,5 @@ description = "Execution policy and approval model parity for DeepSeek workspace
 
 [dependencies]
 anyhow.workspace = true
-deepseek-protocol = { path = "../protocol", version = "0.8.22" }
+deepseek-protocol = { path = "../protocol", version = "0.8.23" }
 serde.workspace = true

crates/hooks/Cargo.toml

@@ -10,7 +10,7 @@ description = "Hook dispatch and notifications parity for DeepSeek workspace arc
 anyhow.workspace = true
 async-trait.workspace = true
 chrono.workspace = true
-deepseek-protocol = { path = "../protocol", version = "0.8.22" }
+deepseek-protocol = { path = "../protocol", version = "0.8.23" }
 reqwest.workspace = true
 serde.workspace = true
 serde_json.workspace = true

crates/tools/Cargo.toml

@@ -9,7 +9,7 @@ description = "Tool invocation lifecycle, schema validation, and scheduler paral
 [dependencies]
 anyhow.workspace = true
 async-trait.workspace = true
-deepseek-protocol = { path = "../protocol", version = "0.8.22" }
+deepseek-protocol = { path = "../protocol", version = "0.8.23" }
 serde.workspace = true
 serde_json.workspace = true
 tokio.workspace = true

crates/tui/Cargo.toml

@@ -21,8 +21,8 @@ path = "src/main.rs"
 [dependencies]
 anyhow = "1.0.100"
 arboard = "3.4"
-deepseek-secrets = { path = "../secrets", version = "0.8.22" }
-deepseek-tools = { path = "../tools", version = "0.8.22" }
+deepseek-secrets = { path = "../secrets", version = "0.8.23" }
+deepseek-tools = { path = "../tools", version = "0.8.23" }
 schemaui = { version = "0.12.0", default-features = false, optional = true }
 async-stream = "0.3.6"
 async-trait = "0.1"

docs/RELEASE_CHECKLIST.md

@@ -0,0 +1,103 @@
+# Release Checklist
+
+A pre-tag checklist that the v0.8.21/v0.8.22 CHANGELOG gap proved we needed.
+Step through this in order from a clean worktree on the release branch
+(`work/vX.Y.Z-...`). Treat any unchecked box as a release blocker.
+
+For deeper context on the underlying tools (preflight scripts, npm smoke,
+publish-crates), see [`RELEASE_RUNBOOK.md`](RELEASE_RUNBOOK.md).
+
+## 1. CHANGELOG entry exists for the version
+
+- [ ] `CHANGELOG.md` has a `## [X.Y.Z] - YYYY-MM-DD` heading at the top
+- [ ] The entry credits every external contributor whose commit lands in this
+      version. Get the list with:
+      ```
+      git log vPREV..HEAD --no-merges --format="%h %an <%ae> %s" \
+        | grep -v '<your-email@…>'
+      ```
+      For each contributor, link both their display name and (when known)
+      `@github-handle`.
+- [ ] The entry uses the Keep a Changelog headers — `Added`, `Changed`,
+      `Fixed`, `Security`, `Removed`, `Deprecated`. Add `Known issues` only
+      if there is something material the user must work around.
+- [ ] The entry mentions all referenced issue/PR numbers as `#NNNN` so the
+      auto-linker on GitHub picks them up.
+
+## 2. Version pins are in sync
+
+- [ ] `Cargo.toml` workspace `version` is bumped.
+- [ ] All per-crate `crates/*/Cargo.toml` path-dependency `version = "..."`
+      pins match the new workspace version.
+- [ ] `npm/deepseek-tui/package.json` `version` AND `deepseekBinaryVersion`
+      are both bumped.
+- [ ] `Cargo.lock` is refreshed (`cargo update --workspace --offline`).
+- [ ] `./scripts/release/check-versions.sh` reports
+      `Version state OK: workspace=X.Y.Z, npm=X.Y.Z, lockfile in sync.`
+
+## 3. Preflight gates
+
+Run, in order, from the repo root:
+
+- [ ] `cargo fmt --all -- --check`
+- [ ] `cargo check --workspace --all-targets --locked`
+- [ ] `cargo clippy --workspace --all-targets --all-features --locked -- -D warnings`
+- [ ] `cargo test --workspace --all-features --locked`
+      (Re-run any single failure in isolation with
+      `cargo test -p PKG --bin BIN -- TEST_NAME` before declaring it a flake.
+      Tests that mutate process-wide state — `HOME`, `cwd`, `RUST_LOG` —
+      can race in parallel. Document confirmed flakes in `Known issues`.)
+- [ ] `./scripts/release/publish-crates.sh dry-run`
+
+## 4. npm wrapper smoke
+
+- [ ] `cargo build --release --locked -p deepseek-tui-cli -p deepseek-tui`
+- [ ] `node scripts/release/npm-wrapper-smoke.js`
+      (Set `DEEPSEEK_TUI_KEEP_SMOKE_DIR=1` if you need to inspect the temp
+      install afterwards.)
+
+## 5. Branch and PR
+
+- [ ] Branch is pushed: `git push -u origin work/vX.Y.Z-...`
+- [ ] PR opened with `gh pr create --base main --title "chore(release): prepare vX.Y.Z"`
+- [ ] PR body includes:
+  - one-paragraph summary of the release theme
+  - a punch list of the new commits since the last release
+  - explicit call-out of any **Security** items so reviewers see them
+  - the contributor thank-you list
+  - the `Known issues` block from the CHANGELOG, if any
+- [ ] PR title is **neutral** — do not put CVE-style language or specific
+      attack details in the title. Save those for the GitHub release notes
+      after the tag is pushed.
+
+## 6. CI green and review
+
+- [ ] All required CI jobs are green. The `versions` job should mirror the
+      preflight `check-versions.sh` and is your last line of defense.
+- [ ] PR has been reviewed.
+
+## 7. Tag and release (after review)
+
+- [ ] `git tag -s vX.Y.Z -m "vX.Y.Z"`
+- [ ] `git push origin vX.Y.Z`
+- [ ] The `release.yml` workflow has built and uploaded artifacts to the
+      GitHub release for this tag.
+- [ ] `npm view deepseek-tui@X.Y.Z version deepseekBinaryVersion --json`
+      reports the new version on the npm registry.
+- [ ] `crates.io` has the new version (or the `publish-crates.sh` job has
+      pushed it).
+- [ ] `ghcr.io/hmbown/deepseek-tui:vX.Y.Z` and `:latest` are updated.
+
+## 8. Post-tag
+
+- [ ] Edit the GitHub release notes to expand any CVE-style or attack
+      details that were intentionally omitted from the PR title/body.
+- [ ] Note any deferred items in the next release's tracking issue.
+- [ ] Close any issues that this release fixed.
+
+---
+
+If a step fails, **fix the underlying cause** rather than skipping it. Pre-commit
+hooks, signing, and CI are all here to catch real problems. `--no-verify`,
+`--no-gpg-sign`, and force-pushing a release branch over reviewers should
+remain hard-disabled by convention.

npm/deepseek-tui/package.json

@@ -1,7 +1,7 @@
 {
   "name": "deepseek-tui",
-  "version": "0.8.22",
-  "deepseekBinaryVersion": "0.8.22",
+  "version": "0.8.23",
+  "deepseekBinaryVersion": "0.8.23",
   "description": "Install and run deepseek and deepseek-tui binaries from GitHub release artifacts.",
   "author": "Hmbown",
   "license": "MIT",