chore(release): harden deepseek-tui deprecation path

scripts/release/check-published.sh

@@ -92,14 +92,22 @@ else
   fail=1
 fi
 
-# Legacy `deepseek-tui` deprecation shim package. Best-effort check —
-# absence after the transition release is expected and not fatal.
+# Legacy `deepseek-tui` npm package. It is deprecated and must not be
+# republished under the release version.
 if legacy_version="$(npm view "deepseek-tui@${version}" version 2>/dev/null)"; then
-  echo "npm deepseek-tui@${legacy_version} (deprecation shim) is published."
+  echo "npm deepseek-tui@${legacy_version} exists, but the legacy npm package must not be republished." >&2
+  fail=1
+fi
+if legacy_deprecated="$(npm view deepseek-tui deprecated 2>/dev/null)" && [[ -n "${legacy_deprecated}" ]]; then
+  echo "npm deepseek-tui is deprecated: ${legacy_deprecated}"
+else
+  echo "npm deepseek-tui is not marked deprecated." >&2
+  fail=1
 fi
 
+crates_user_agent="CodeWhale release check (https://github.com/Hmbown/CodeWhale)"
 for crate in "${release_crates[@]}"; do
-  if curl -fsSL "https://crates.io/api/v1/crates/${crate}/${version}" >/dev/null 2>&1; then
+  if curl -fsSL -A "${crates_user_agent}" "https://crates.io/api/v1/crates/${crate}/${version}" >/dev/null 2>&1; then
     echo "crates.io ${crate}@${version} is published."
   else
     echo "crates.io ${crate}@${version} is not published." >&2

scripts/release/check-versions.sh

@@ -7,8 +7,8 @@
 #      crate must inherit `version.workspace = true`.
 #   2. `npm/codewhale/package.json` `version` matches the workspace
 #      `version` in the root `Cargo.toml`. (`npm/deepseek-tui/` still
-#      exists during the transition as a deprecation shim package; its
-#      version is also checked.)
+#      exists only as an unpublished compatibility notice and must stay
+#      private.)
 #   3. Internal `codewhale-*` path dependency pins match the workspace version.
 #   4. The TUI crate's packaged changelog copy matches root `CHANGELOG.md`.
 #   5. The current release has a dated Keep a Changelog entry and compare link.
@@ -37,12 +37,15 @@ if [[ "${workspace_version}" != "${npm_version}" ]]; then
   echo "::error::npm/codewhale/package.json version (${npm_version}) does not match workspace Cargo.toml (${workspace_version})." >&2
   fail=1
 fi
-# Also pin the legacy deprecation shim package to the same workspace version
-# so a stale `deepseek-tui` doesn't ship pointing at a different release.
 if [[ -f npm/deepseek-tui/package.json ]]; then
-  legacy_npm_version="$(node -p "require('./npm/deepseek-tui/package.json').version")"
-  if [[ "${workspace_version}" != "${legacy_npm_version}" ]]; then
-    echo "::error::npm/deepseek-tui/package.json version (${legacy_npm_version}) does not match workspace Cargo.toml (${workspace_version})." >&2
+  legacy_private="$(node -p "Boolean(require('./npm/deepseek-tui/package.json').private)")"
+  legacy_publish_config="$(node -p "Boolean(require('./npm/deepseek-tui/package.json').publishConfig)")"
+  if [[ "${legacy_private}" != "true" ]]; then
+    echo "::error::npm/deepseek-tui/package.json must stay private so the legacy package is not republished." >&2
+    fail=1
+  fi
+  if [[ "${legacy_publish_config}" == "true" ]]; then
+    echo "::error::npm/deepseek-tui/package.json must not define publishConfig; the legacy package is deprecated." >&2
     fail=1
   fi
 fi