From 8e9957da5cf36105f3f36005d4df3e655f5e7891 Mon Sep 17 00:00:00 2001 From: Hunter Bown Date: Fri, 8 May 2026 18:17:44 -0500 Subject: [PATCH] chore(release): prepare v0.8.23 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Bump workspace version 0.8.22 → 0.8.23 across Cargo.toml, every per-crate path-dependency pin, npm/deepseek-tui/package.json (both `version` and `deepseekBinaryVersion`), and Cargo.lock. - Add a 0.8.23 CHANGELOG entry covering the security hardening stack (sanitized child env, plan-mode tool surface, sub-agent approvals, symlink walks, runtime API auth, shell safety classification, MCP config path traversal), the macOS Keychain prompt fix, the #1244 MCP spawn error visibility + env passthrough work, the compact-thinking UX change, and a Known issues callout for mid-run MCP stderr. - Backfill missing CHANGELOG entries for v0.8.21 (community-heavy release, contributors credited) and v0.8.22 (fetch_url redirect validation). The gap was unintentional, so contributor work is being reflected in-repo now. - Add docs/RELEASE_CHECKLIST.md so future releases gate on the CHANGELOG/version/preflight steps explicitly. --- CHANGELOG.md | 183 ++++++++++++++++++++++++++++++++++ Cargo.lock | 28 +++--- Cargo.toml | 2 +- crates/agent/Cargo.toml | 2 +- crates/app-server/Cargo.toml | 18 ++-- crates/cli/Cargo.toml | 14 +-- crates/config/Cargo.toml | 2 +- crates/core/Cargo.toml | 16 +-- crates/execpolicy/Cargo.toml | 2 +- crates/hooks/Cargo.toml | 2 +- crates/tools/Cargo.toml | 2 +- crates/tui/Cargo.toml | 4 +- docs/RELEASE_CHECKLIST.md | 103 +++++++++++++++++++ npm/deepseek-tui/package.json | 4 +- 14 files changed, 334 insertions(+), 48 deletions(-) create mode 100644 docs/RELEASE_CHECKLIST.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 96798298..e0ff9ec9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,189 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.8.23] - 2026-05-08 + +A security-focused follow-up to v0.8.22. The bulk of the diff is hardening of +the child-process surface — shells, MCP stdio servers, and other spawned +subprocesses — plus a related set of MCP, secret-store, and tool-policy +fixes uncovered during follow-up review. + +### Security + +- **Sanitized child-process environments** - shells, MCP stdio servers, hooks, + and other child processes spawned from the TUI now start from an explicit + allowlist of parent environment variables rather than inheriting every + parent var. The base allowlist covers `PATH`, `HOME`, `USER`, `LANG`/`LC_*`, + `TERM`/`COLORTERM`, `SHELL`, `TMPDIR`/`TMP`/`TEMP`, and the corresponding + Windows variables. Stops casual exfiltration of `*_API_KEY`, `AWS_*`, + `GITHUB_TOKEN`, and similar through a spawned subprocess. +- **Tighter shell safety classification** - the `exec_shell` deny-list was + reviewed and broadened to cover additional dangerous command patterns. +- **Plan mode tool surface narrowed** - planning sub-agents see a smaller, + read-only tool surface so a plan-mode call can no longer mutate workspace + state. +- **Sub-agent approval boundaries preserved** - sub-agents inherit the + parent's approval policy and cannot escalate beyond it. +- **Symlinked workspace walks no longer followed** - workspace-relative + walkers (file-search, project context) now refuse to traverse symlinks + pointing outside the workspace root. +- **Path and output handling tightened** - several tools that build paths + from model output now reject `..` segments and absolute paths outside the + workspace. 
+- **Runtime API requires authentication by default** - `deepseek serve --http` + no longer accepts unauthenticated requests in its default configuration. +- **Security-sensitive dependencies bumped** - routine bump pass for crates + with recent advisories. +- **MCP config paths reject traversal** - `load_config`/`save_config` now + refuse paths containing `..` components. + +### Fixed + +- **macOS Keychain prompt at startup** - the file-backed secret store is now + the default. The OS keyring is opt-in via + `DEEPSEEK_SECRET_BACKEND=system|keyring`, and the auth status surface + refers to "secret store" rather than "keyring" where appropriate. +- **MCP stdio spawn errors are now visible (#1244)** - when spawning a stdio + MCP server fails (e.g., `npx` not on `PATH`), the underlying OS error is + now shown ("No such file or directory (os error 2)") instead of the opaque + wrapper "MCP stdio spawn failed (...)". The fix applies to the snapshot, + the `mcp connect` / `mcp validate` CLI commands, and the in-TUI status + events. +- **MCP servers no longer break under env scrub (#1244)** - MCP stdio launches + now inherit a wider env allowlist than arbitrary shell tools, so common + `npx ...`, `uvx ...`, `python -m mcp_server_*`, and proxy-bound corporate + setups keep working under the new child-env scrub. Pass-through includes + `NVM_DIR`, `NODE_OPTIONS`, `NODE_PATH`, `NODE_EXTRA_CA_CERTS`, + `NPM_CONFIG_*`, `VOLTA_HOME`, `COREPACK_HOME`, `PYTHONPATH`, `PYTHONHOME`, + `VIRTUAL_ENV`, `PIPX_*`, `POETRY_HOME`, `UV_*`, `GEM_*`, `BUNDLE_*`, + `JAVA_HOME`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY` / `ALL_PROXY` / + `FTP_PROXY` (case-insensitive), `SSL_CERT_FILE`, `SSL_CERT_DIR`, + `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`. Secret-bearing parent env stays + scrubbed. + +### Changed + +- **Live thinking is compact by default** - the streaming "thinking" panel + collapses by default; expand via the existing details toggle. 
+ +### Added + +- **`docs/RELEASE_CHECKLIST.md`** - explicit pre-tag checklist (CHANGELOG, + versions, preflight, npm wrapper smoke) so the v0.8.21/v0.8.22 CHANGELOG + gap does not recur. + +### Known issues + +- **Mid-run MCP server stderr is still suppressed** - if a stdio MCP server + spawns successfully but exits later (e.g., crashes during `initialize`), + its stderr is not yet captured. Spawn-time OS errors (the most common + case from #1244) are visible. Full mid-run stderr capture is planned for + v0.8.24. + +## [0.8.22] - 2026-05-08 + +A focused security release: validate redirected `fetch_url` targets before +following them so a server-controlled redirect cannot bypass per-domain +network policy or steer the client at private/link-local IPs. + +### Security + +- **Validate redirected fetch targets** - the URL the redirect points to is + re-evaluated against the network policy and SSRF guards before any second + request is issued. Previously the policy decision was made only on the + initial URL, so a server response of `Location: http://10.0.0.1/...` could + reach a private host even if `fetch_url` would have rejected the same URL + if requested directly. + +## [0.8.21] - 2026-05-08 + +A community-heavy release rolling up two weeks of contributor PRs across the +TUI, runtime, and docs. Big thanks to **Reid (@reidliu41)**, +**jiaren wang (@JiarenWang)**, **Friende (@pengyou200902)**, +**ZzzPL (@Oliver-ZPLiu)**, **Sun**, **Liu-Vince**, **kitty**, and +**Aqil Aziz** for the contributions below. + +### Added + +- **Distinct user-message body color** (#1168) - user turns now render in a + green body color so the conversation flow is easier to scan at a glance. + +### Fixed + +- **Plan mode enforces read-only tool boundaries** (#1114) - planning calls + can no longer reach into write-side tools. Thanks **jiaren wang**. 
+- **Composer arrow keys navigate input history** (#1117) - up/down in the + composer cycles through prior prompts when the cursor is on the first/last + line. Thanks **Reid**. +- **RLM preserves prompt cache usage** (#1127) - the RLM batch path no longer + resets prompt-cache hits between calls. Thanks **Sun**. +- **`fetch_url` proxy DNS opt-in** (#1103) - the proxy DNS path is now opt-in + rather than always forced, fixing breakage in environments where the proxy + cannot resolve the target host. Thanks **Sun**. +- **Undo syncs session context after snapshot restore** (#1150, fixes #1139) - + rolling back a turn now correctly resyncs the in-memory session so a + follow-up turn doesn't see stale context. Thanks **jiaren wang**. +- **Stale busy-state watchdog** (#1170) - the TUI now recovers if the busy + indicator gets stuck after an aborted turn. Thanks **ZzzPL**. +- **`gh` discovered across common install paths** - the `gh` tool is found + whether installed via Homebrew, apt, the Windows MSI, or the GitHub CLI + installer. Thanks **kitty**. +- **Code block indentation preserved in transcript** - leading whitespace + inside fenced code blocks is no longer collapsed during rendering. + Thanks **Liu-Vince**. +- **Stream pacing preserves upstream cadence** - long streaming responses + no longer chunk together when the upstream is bursty. + Thanks **Sun**. +- **Task list output gets headers** - the long-form `/tasks` output now has + group headers so it scans cleanly. Thanks **Reid**. +- **macOS option-V details shortcut** - the details toggle now works correctly + on US Mac keyboards where Option+V produces `√`. +- **Uppercase approval shortcuts accepted** - `[A]/[D]/[V]` work in either + case in the approval dialog. +- **Transcript scrollbar inert** - the transcript scrollbar no longer captures + clicks intended for content below it. +- **Hide transcript rail before code blocks** - the rail glyph no longer + bleeds onto the line just above a fenced code block. 
+- **Pager exit hint prominent** - the "press q to exit" hint is now visible + on the pager footer. +- **Empty tool call names fall back to a placeholder** - a model that returns + an empty `function.name` in a tool call no longer hangs the turn. +- **MCP SSE waits for endpoint before connect returns** (#1225) - the SSE + transport no longer reports "connected" before the endpoint event has been + received, fixing a race where the first request was lost. +- **Git branch status item renders** (#1226, fixes #1217) - the + `StatusItem::GitBranch` toggle now produces a footer entry instead of a + blank slot. +- **Beta endpoint routes non-beta paths to v1** (#1174) - paths that aren't + available on the DeepSeek beta host are transparently redirected to the v1 + host instead of failing. +- **Skill packs accept workflow-pack archive layouts** (#1164) - skill + archives produced by the workflow pack tool now install correctly. +- **Interactive sessions stay in alternate screen** (#1158) - returning from + a sub-process no longer kicks the TUI back to the primary screen mid-turn. +- **Slash-menu arrow navigation wraps** (#1152) - up at the top / down at the + bottom of the slash menu wraps to the other end. +- **CLI preserves split prompt words from Windows shims** (#1160) - prompt + arguments forwarded by the npm wrapper on Windows are no longer joined into + one giant token. +- **`libc` extended to all Unix targets** (#1173) - improves FreeBSD build + compatibility. +- **Memory truncation marker reports omitted bytes** - the `[…N bytes + omitted]` marker now shows an accurate count. Thanks **Friende**. + +### Docs + +- **Memory skill link** (#1096) - corrected. Thanks **Aqil Aziz**. +- **Help keybinding reference** (#1095) - corrected. Thanks **Friende**. +- **Additional environment variables** documented in the config reference. + Thanks **Liu-Vince**. 
+- **Docker volume guidance** - the install snippet now uses a writable named + data volume rather than a bind mount that may be read-only on some hosts. +- **Competitive analysis reflects LSP diagnostics** (#1171) - the doc now + matches the shipping LSP diagnostics implementation. +- **Dispatcher path for `/run-pr`** (#1227) - the README now points at the + dispatcher binary. + ## [0.8.20] - 2026-05-08 ### Fixed diff --git a/Cargo.lock b/Cargo.lock index 08512b26..6f21fdaa 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1151,7 +1151,7 @@ dependencies = [ [[package]] name = "deepseek-agent" -version = "0.8.22" +version = "0.8.23" dependencies = [ "deepseek-config", "serde", @@ -1159,7 +1159,7 @@ dependencies = [ [[package]] name = "deepseek-app-server" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "axum", @@ -1181,7 +1181,7 @@ dependencies = [ [[package]] name = "deepseek-config" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "deepseek-secrets", @@ -1193,7 +1193,7 @@ dependencies = [ [[package]] name = "deepseek-core" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "chrono", @@ -1211,7 +1211,7 @@ dependencies = [ [[package]] name = "deepseek-execpolicy" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "deepseek-protocol", @@ -1220,7 +1220,7 @@ dependencies = [ [[package]] name = "deepseek-hooks" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "async-trait", @@ -1234,7 +1234,7 @@ dependencies = [ [[package]] name = "deepseek-mcp" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "serde", @@ -1243,7 +1243,7 @@ dependencies = [ [[package]] name = "deepseek-protocol" -version = "0.8.22" +version = "0.8.23" dependencies = [ "serde", "serde_json", @@ -1251,7 +1251,7 @@ dependencies = [ [[package]] name = "deepseek-secrets" -version = "0.8.22" +version = "0.8.23" dependencies = [ "dirs", "keyring", 
@@ -1264,7 +1264,7 @@ dependencies = [ [[package]] name = "deepseek-state" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "chrono", @@ -1276,7 +1276,7 @@ dependencies = [ [[package]] name = "deepseek-tools" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "async-trait", @@ -1289,7 +1289,7 @@ dependencies = [ [[package]] name = "deepseek-tui" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "arboard", @@ -1350,7 +1350,7 @@ dependencies = [ [[package]] name = "deepseek-tui-cli" -version = "0.8.22" +version = "0.8.23" dependencies = [ "anyhow", "chrono", @@ -1374,7 +1374,7 @@ dependencies = [ [[package]] name = "deepseek-tui-core" -version = "0.8.22" +version = "0.8.23" [[package]] name = "deltae" diff --git a/Cargo.toml b/Cargo.toml index 3dc1cb67..5d733864 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,7 +19,7 @@ default-members = ["crates/cli", "crates/app-server", "crates/tui"] resolver = "2" [workspace.package] -version = "0.8.22" +version = "0.8.23" edition = "2024" # Rust 1.88 stabilized `let_chains` in `if`/`while` conditions, which the # codebase relies on extensively. Cargo enforces this so users on older diff --git a/crates/agent/Cargo.toml b/crates/agent/Cargo.toml index 3c2c2726..96e54662 100644 --- a/crates/agent/Cargo.toml +++ b/crates/agent/Cargo.toml @@ -7,5 +7,5 @@ repository.workspace = true description = "Model/provider registry and fallback strategy for DeepSeek workspace architecture" [dependencies] -deepseek-config = { path = "../config", version = "0.8.22" } +deepseek-config = { path = "../config", version = "0.8.23" } serde.workspace = true diff --git a/crates/app-server/Cargo.toml b/crates/app-server/Cargo.toml index 9ae6f7c2..a9eaf2a5 100644 --- a/crates/app-server/Cargo.toml +++ b/crates/app-server/Cargo.toml 
@@ -10,15 +10,15 @@ description = "Codex-style app-server transport for DeepSeek workspace architect anyhow.workspace = true axum.workspace = true clap.workspace = true -deepseek-agent = { path = "../agent", version = "0.8.22" } -deepseek-config = { path = "../config", version = "0.8.22" } -deepseek-core = { path = "../core", version = "0.8.22" } -deepseek-execpolicy = { path = "../execpolicy", version = "0.8.22" } -deepseek-hooks = { path = "../hooks", version = "0.8.22" } -deepseek-mcp = { path = "../mcp", version = "0.8.22" } -deepseek-protocol = { path = "../protocol", version = "0.8.22" } -deepseek-state = { path = "../state", version = "0.8.22" } -deepseek-tools = { path = "../tools", version = "0.8.22" } +deepseek-agent = { path = "../agent", version = "0.8.23" } +deepseek-config = { path = "../config", version = "0.8.23" } +deepseek-core = { path = "../core", version = "0.8.23" } +deepseek-execpolicy = { path = "../execpolicy", version = "0.8.23" } +deepseek-hooks = { path = "../hooks", version = "0.8.23" } +deepseek-mcp = { path = "../mcp", version = "0.8.23" } +deepseek-protocol = { path = "../protocol", version = "0.8.23" } +deepseek-state = { path = "../state", version = "0.8.23" } +deepseek-tools = { path = "../tools", version = "0.8.23" } serde.workspace = true serde_json.workspace = true tokio.workspace = true diff --git a/crates/cli/Cargo.toml b/crates/cli/Cargo.toml index 83be8411..69f841a3 100644 --- a/crates/cli/Cargo.toml +++ b/crates/cli/Cargo.toml 
@@ -14,13 +14,13 @@ path = "src/main.rs" anyhow.workspace = true clap.workspace = true clap_complete.workspace = true -deepseek-agent = { path = "../agent", version = "0.8.22" } -deepseek-app-server = { path = "../app-server", version = "0.8.22" } -deepseek-config = { path = "../config", version = "0.8.22" } -deepseek-execpolicy = { path = "../execpolicy", version = "0.8.22" } -deepseek-mcp = { path = "../mcp", version = "0.8.22" } -deepseek-secrets = { path = "../secrets", version = "0.8.22" } -deepseek-state = { path = "../state", version = "0.8.22" } +deepseek-agent = { path = "../agent", version = "0.8.23" } +deepseek-app-server = { path = "../app-server", version = "0.8.23" } +deepseek-config = { path = "../config", version = "0.8.23" } +deepseek-execpolicy = { path = "../execpolicy", version = "0.8.23" } +deepseek-mcp = { path = "../mcp", version = "0.8.23" } +deepseek-secrets = { path = "../secrets", version = "0.8.23" } +deepseek-state = { path = "../state", version = "0.8.23" } chrono.workspace = true dirs.workspace = true serde.workspace = true diff --git a/crates/config/Cargo.toml b/crates/config/Cargo.toml index 80c772bf..93ece828 100644 --- a/crates/config/Cargo.toml +++ b/crates/config/Cargo.toml @@ -8,7 +8,7 @@ description = "Config schema and precedence model for DeepSeek workspace archite [dependencies] anyhow.workspace = true -deepseek-secrets = { path = "../secrets", version = "0.8.22" } +deepseek-secrets = { path = "../secrets", version = "0.8.23" } dirs.workspace = true serde.workspace = true toml.workspace = true diff --git a/crates/core/Cargo.toml b/crates/core/Cargo.toml index e43688f6..25c69a43 100644 --- a/crates/core/Cargo.toml +++ b/crates/core/Cargo.toml 
@@ -9,13 +9,13 @@ description = "Core runtime boundaries for DeepSeek workspace architecture" [dependencies] anyhow.workspace = true chrono.workspace = true -deepseek-agent = { path = "../agent", version = "0.8.22" } -deepseek-config = { path = "../config", version = "0.8.22" } -deepseek-execpolicy = { path = "../execpolicy", version = "0.8.22" } -deepseek-hooks = { path = "../hooks", version = "0.8.22" } -deepseek-mcp = { path = "../mcp", version = "0.8.22" } -deepseek-protocol = { path = "../protocol", version = "0.8.22" } -deepseek-state = { path = "../state", version = "0.8.22" } -deepseek-tools = { path = "../tools", version = "0.8.22" } +deepseek-agent = { path = "../agent", version = "0.8.23" } +deepseek-config = { path = "../config", version = "0.8.23" } +deepseek-execpolicy = { path = "../execpolicy", version = "0.8.23" } +deepseek-hooks = { path = "../hooks", version = "0.8.23" } +deepseek-mcp = { path = "../mcp", version = "0.8.23" } +deepseek-protocol = { path = "../protocol", version = "0.8.23" } +deepseek-state = { path = "../state", version = "0.8.23" } +deepseek-tools = { path = "../tools", version = "0.8.23" } serde_json.workspace = true uuid.workspace = true diff --git a/crates/execpolicy/Cargo.toml b/crates/execpolicy/Cargo.toml index bd915fb6..fd5bbc5b 100644 --- a/crates/execpolicy/Cargo.toml +++ b/crates/execpolicy/Cargo.toml @@ -8,5 +8,5 @@ description = "Execution policy and approval model parity for DeepSeek workspace [dependencies] anyhow.workspace = true -deepseek-protocol = { path = "../protocol", version = "0.8.22" } +deepseek-protocol = { path = "../protocol", version = "0.8.23" } serde.workspace = true diff --git a/crates/hooks/Cargo.toml b/crates/hooks/Cargo.toml index 927008d0..b7a1915d 100644 --- a/crates/hooks/Cargo.toml +++ b/crates/hooks/Cargo.toml 
@@ -10,7 +10,7 @@ description = "Hook dispatch and notifications parity for DeepSeek workspace arc anyhow.workspace = true async-trait.workspace = true chrono.workspace = true -deepseek-protocol = { path = "../protocol", version = "0.8.22" } +deepseek-protocol = { path = "../protocol", version = "0.8.23" } reqwest.workspace = true serde.workspace = true serde_json.workspace = true diff --git a/crates/tools/Cargo.toml b/crates/tools/Cargo.toml index 508ad6b8..626411d3 100644 --- a/crates/tools/Cargo.toml +++ b/crates/tools/Cargo.toml @@ -9,7 +9,7 @@ description = "Tool invocation lifecycle, schema validation, and scheduler paral [dependencies] anyhow.workspace = true async-trait.workspace = true -deepseek-protocol = { path = "../protocol", version = "0.8.22" } +deepseek-protocol = { path = "../protocol", version = "0.8.23" } serde.workspace = true serde_json.workspace = true tokio.workspace = true diff --git a/crates/tui/Cargo.toml b/crates/tui/Cargo.toml index 177d8390..39bcc186 100644 --- a/crates/tui/Cargo.toml +++ b/crates/tui/Cargo.toml @@ -21,8 +21,8 @@ path = "src/main.rs" [dependencies] anyhow = "1.0.100" arboard = "3.4" -deepseek-secrets = { path = "../secrets", version = "0.8.22" } -deepseek-tools = { path = "../tools", version = "0.8.22" } +deepseek-secrets = { path = "../secrets", version = "0.8.23" } +deepseek-tools = { path = "../tools", version = "0.8.23" } schemaui = { version = "0.12.0", default-features = false, optional = true } async-stream = "0.3.6" async-trait = "0.1" diff --git a/docs/RELEASE_CHECKLIST.md b/docs/RELEASE_CHECKLIST.md new file mode 100644 index 00000000..b4291e44 --- /dev/null +++ b/docs/RELEASE_CHECKLIST.md 
@@ -0,0 +1,103 @@ +# Release Checklist + +A pre-tag checklist that the v0.8.21/v0.8.22 CHANGELOG gap proved we needed. +Step through this in order from a clean worktree on the release branch +(`work/vX.Y.Z-...`). Treat any unchecked box as a release blocker. + +For deeper context on the underlying tools (preflight scripts, npm smoke, +publish-crates), see [`RELEASE_RUNBOOK.md`](RELEASE_RUNBOOK.md). + +## 1. CHANGELOG entry exists for the version + +- [ ] `CHANGELOG.md` has a `## [X.Y.Z] - YYYY-MM-DD` heading at the top +- [ ] The entry credits every external contributor whose commit lands in this + version. Get the list with: + ``` + git log vPREV..HEAD --no-merges --format="%h %an <%ae> %s" \ + | grep -v '' + ``` + For each contributor, link both their display name and (when known) + `@github-handle`. +- [ ] The entry uses the Keep a Changelog headers — `Added`, `Changed`, + `Fixed`, `Security`, `Removed`, `Deprecated`. Add `Known issues` only + if there is something material the user must work around. +- [ ] The entry mentions all referenced issue/PR numbers as `#NNNN` so the + auto-linker on GitHub picks them up. + +## 2. Version pins are in sync + +- [ ] `Cargo.toml` workspace `version` is bumped. +- [ ] All per-crate `crates/*/Cargo.toml` path-dependency `version = "..."` + pins match the new workspace version. +- [ ] `npm/deepseek-tui/package.json` `version` AND `deepseekBinaryVersion` + are both bumped. +- [ ] `Cargo.lock` is refreshed (`cargo update --workspace --offline`). +- [ ] `./scripts/release/check-versions.sh` reports + `Version state OK: workspace=X.Y.Z, npm=X.Y.Z, lockfile in sync.` + +## 3. 
Preflight gates + +Run, in order, from the repo root: + +- [ ] `cargo fmt --all -- --check` +- [ ] `cargo check --workspace --all-targets --locked` +- [ ] `cargo clippy --workspace --all-targets --all-features --locked -- -D warnings` +- [ ] `cargo test --workspace --all-features --locked` + (Re-run any single failure in isolation with + `cargo test -p PKG --bin BIN -- TEST_NAME` before declaring it a flake. + Tests that mutate process-wide state — `HOME`, `cwd`, `RUST_LOG` — + can race in parallel. Document confirmed flakes in `Known issues`.) +- [ ] `./scripts/release/publish-crates.sh dry-run` + +## 4. npm wrapper smoke + +- [ ] `cargo build --release --locked -p deepseek-tui-cli -p deepseek-tui` +- [ ] `node scripts/release/npm-wrapper-smoke.js` + (Set `DEEPSEEK_TUI_KEEP_SMOKE_DIR=1` if you need to inspect the temp + install afterwards.) + +## 5. Branch and PR + +- [ ] Branch is pushed: `git push -u origin work/vX.Y.Z-...` +- [ ] PR opened with `gh pr create --base main --title "chore(release): prepare vX.Y.Z"` +- [ ] PR body includes: + - one-paragraph summary of the release theme + - a punch list of the new commits since the last release + - explicit call-out of any **Security** items so reviewers see them + - the contributor thank-you list + - the `Known issues` block from the CHANGELOG, if any +- [ ] PR title is **neutral** — do not put CVE-style language or specific + attack details in the title. Save those for the GitHub release notes + after the tag is pushed. + +## 6. CI green and review + +- [ ] All required CI jobs are green. The `versions` job should mirror the + preflight `check-versions.sh` and is your last line of defense. +- [ ] PR has been reviewed. + +## 7. Tag and release (after review) + +- [ ] `git tag -s vX.Y.Z -m "vX.Y.Z"` +- [ ] `git push origin vX.Y.Z` +- [ ] The `release.yml` workflow has built and uploaded artifacts to the + GitHub release for this tag. 
+- [ ] `npm view deepseek-tui@X.Y.Z version deepseekBinaryVersion --json` + reports the new version on the npm registry. +- [ ] `crates.io` has the new version (or the `publish-crates.sh` job has + pushed it). +- [ ] `ghcr.io/hmbown/deepseek-tui:vX.Y.Z` and `:latest` are updated. + +## 8. Post-tag + +- [ ] Edit the GitHub release notes to expand any CVE-style or attack + details that were intentionally omitted from the PR title/body. +- [ ] Note any deferred items in the next release's tracking issue. +- [ ] Close any issues that this release fixed. + +--- + +If a step fails, **fix the underlying cause** rather than skipping it. Pre-commit +hooks, signing, and CI are all here to catch real problems. `--no-verify`, +`--no-gpg-sign`, and force-pushing a release branch over reviewers should +remain hard-disabled by convention. diff --git a/npm/deepseek-tui/package.json b/npm/deepseek-tui/package.json index dd387faf..badf9ed2 100644 --- a/npm/deepseek-tui/package.json +++ b/npm/deepseek-tui/package.json @@ -1,7 +1,7 @@ { "name": "deepseek-tui", - "version": "0.8.22", - "deepseekBinaryVersion": "0.8.22", + "version": "0.8.23", + "deepseekBinaryVersion": "0.8.23", "description": "Install and run deepseek and deepseek-tui binaries from GitHub release artifacts.", "author": "Hmbown", "license": "MIT",
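Review bot: In the CHANGELOG.md hunk, the 0.8.23 "MCP servers no longer break under env scrub" bullet ends with "Secret-bearing parent env stays scrubbed", but the pass-through list in that same bullet contains prefix wildcards (`NPM_CONFIG_*`, `UV_*`, `PIPX_*`, `GEM_*`, `BUNDLE_*`) and the proxy variables, and both kinds can carry credentials: uv reads `UV_PUBLISH_TOKEN`, and a proxy URL may embed `user:password@`. Either narrow the wildcards to named variables or reword the claim to state which secret patterns are still dropped after the wider allowlist is applied. Separately, `## [0.8.22]` and `## [0.8.21]` carry the same 2026-05-08 date as 0.8.23 and 0.8.20; since the commit message describes them as backfills, confirm the dates against the actual tags. The 0.8.21 entry also uses a `### Docs` heading, which is not among the headers that the new docs/RELEASE_CHECKLIST.md in this patch lists as allowed.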
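Review bot: In docs/RELEASE_CHECKLIST.md step 1, the contributor command pipes `git log` into `grep -v ''`; an empty pattern matches every line, so `-v` discards all output and the contributor list comes back empty. Put the intended exclusion in the pattern (for example the maintainer's own address) or drop the `grep` stage. In the closing paragraph, "hard-disabled by convention" leaves `--no-verify`, `--no-gpg-sign` and force-pushes to agreement only; if a hard block is intended, name the branch-protection or CI rule that enforces it. Step 7 could also add a `git tag -v vX.Y.Z` check between `git tag -s` and the push so that a tag which failed to sign is caught before it is published.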