deepseek-tui 0.3.28 → 0.3.32

package/README.md

@@ -1,19 +1,24 @@
 # deepseek-tui
 
-This package installs the `deepseek` and `deepseek-tui` binaries from the
-`DeepSeek-TUI` GitHub release artifacts and exposes them as Node-compatible
-console entry points.
+Install and run the `deepseek` and `deepseek-tui` binaries from GitHub release artifacts.
 
 ## Install
 
 ```bash
-npm install deepseek-tui
+npm install -g deepseek-tui
 # or
-pnpm add deepseek-tui
+pnpm add -g deepseek-tui
 ```
 
-This runs `postinstall`, downloads the platform-specific binaries for version
-`0.3.28`, and makes `deepseek` and `deepseek-tui` available on your PATH.
+For project-local usage:
+
+```bash
+npm install deepseek-tui
+npx deepseek-tui --help
+```
+
+`postinstall` downloads platform binaries into `bin/downloads/` and exposes
+`deepseek` and `deepseek-tui` commands.
 
 ## Supported platforms
 
@@ -21,11 +26,21 @@ This runs `postinstall`, downloads the platform-specific binaries for version
 - macOS x64 / arm64
 - Windows x64
 
-## Notes
+Other platform/architecture combinations are not supported and will fail during install.
+
+## Configuration
 
-- Binaries come directly from release assets in
-  `https://github.com/Hmbown/DeepSeek-TUI/releases`.
-- Set `DEEPSEEK_VERSION` to install a different release version (defaults to package version).
-- Set `DEEPSEEK_GITHUB_REPO` to override the repo source (defaults to `Hmbown/DeepSeek-TUI`).
+- Default binary version comes from `deepseekBinaryVersion` in `package.json`.
+- Set `DEEPSEEK_TUI_VERSION` or `DEEPSEEK_VERSION` to override the release version.
+- Set `DEEPSEEK_TUI_GITHUB_REPO` or `DEEPSEEK_GITHUB_REPO` to override the source repo (defaults to `Hmbown/DeepSeek-TUI`).
 - Set `DEEPSEEK_TUI_FORCE_DOWNLOAD=1` to force download even when the cached binary is already present.
 - Set `DEEPSEEK_TUI_DISABLE_INSTALL=1` to skip install-time download.
+
+## Release integrity
+
+- `npm publish` runs a release-asset check to ensure all required binary assets
+  exist for the target GitHub release before publishing.
+- Install-time downloads are verified against the release checksum manifest before
+  the wrapper marks them executable.
+- Set `DEEPSEEK_TUI_RELEASE_BASE_URL` to point the installer at a local or
+  staged release-asset directory for smoke tests.

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "deepseek-tui",
-  "version": "0.3.28",
+  "version": "0.3.32",
+  "deepseekBinaryVersion": "0.3.31",
   "description": "Install and run deepseek and deepseek-tui binaries from GitHub release artifacts.",
   "author": "Hmbown",
   "license": "MIT",
@@ -26,12 +27,17 @@
     "deepseek-tui": "bin/deepseek-tui.js"
   },
   "scripts": {
+    "release:check": "node scripts/verify-release-assets.js",
     "postinstall": "node scripts/install.js",
+    "prepublishOnly": "node scripts/verify-release-assets.js",
     "prepack": "node scripts/install.js"
   },
   "engines": {
     "node": ">=18"
   },
+  "publishConfig": {
+    "access": "public"
+  },
   "preferGlobal": true,
   "files": [
     "bin/*.js",

package/scripts/artifacts.js

@@ -1,19 +1,19 @@
 const path = require("path");
 const os = require("os");
 
+const CHECKSUM_MANIFEST = "deepseek-artifacts-sha256.txt";
+
 const ASSET_MATRIX = {
   linux: {
     x64: ["deepseek-linux-x64", "deepseek-tui-linux-x64"],
-    default: ["deepseek-linux-x64", "deepseek-tui-linux-x64"],
+    // arm64: ["deepseek-linux-arm64", "deepseek-tui-linux-arm64"], // Uncomment when binaries are available
   },
   darwin: {
     x64: ["deepseek-macos-x64", "deepseek-tui-macos-x64"],
     arm64: ["deepseek-macos-arm64", "deepseek-tui-macos-arm64"],
-    default: ["deepseek-macos-x64", "deepseek-tui-macos-x64"],
   },
   win32: {
     x64: ["deepseek-windows-x64.exe", "deepseek-tui-windows-x64.exe"],
-    default: ["deepseek-windows-x64.exe", "deepseek-tui-windows-x64.exe"],
   },
 };
 
@@ -22,9 +22,14 @@ function detectBinaryNames() {
   const arch = os.arch();
   const defaults = ASSET_MATRIX[platform];
   if (!defaults) {
-    throw new Error(`Unsupported platform: ${platform}`);
+    const supported = Object.keys(ASSET_MATRIX).map(p => `'${p}'`).join(', ');
+    throw new Error(`Unsupported platform: ${platform}. Supported platforms: ${supported}`);
+  }
+  const pair = defaults[arch];
+  if (!pair) {
+    const supported = Object.keys(defaults).map(a => `'${a}'`).join(', ');
+    throw new Error(`Unsupported architecture: ${arch} on platform ${platform}. Supported architectures: ${supported}`);
   }
-  const pair = defaults[arch] || defaults.default;
   return {
     platform,
     arch,
@@ -37,17 +42,50 @@ function executableName(base, platform) {
   return platform === "win32" ? `${base}.exe` : base;
 }
 
+function releaseBaseUrl(version, repo = "Hmbown/DeepSeek-TUI") {
+  const override =
+    process.env.DEEPSEEK_TUI_RELEASE_BASE_URL || process.env.DEEPSEEK_RELEASE_BASE_URL;
+  if (override) {
+    const trimmed = String(override).trim();
+    return trimmed.endsWith("/") ? trimmed : `${trimmed}/`;
+  }
+  return `https://github.com/${repo}/releases/download/v${version}/`;
+}
+
 function releaseAssetUrl(baseName, version, repo = "Hmbown/DeepSeek-TUI") {
-  return `https://github.com/${repo}/releases/download/v${version}/${baseName}`;
+  return new URL(baseName, releaseBaseUrl(version, repo)).toString();
+}
+
+function checksumManifestUrl(version, repo = "Hmbown/DeepSeek-TUI") {
+  return releaseAssetUrl(CHECKSUM_MANIFEST, version, repo);
 }
 
 function releaseBinaryDirectory() {
   return path.join(__dirname, "..", "bin", "downloads");
 }
 
+function allAssetNames() {
+  const names = [];
+  for (const platformAssets of Object.values(ASSET_MATRIX)) {
+    for (const pair of Object.values(platformAssets)) {
+      names.push(pair[0], pair[1]);
+    }
+  }
+  return Array.from(new Set(names));
+}
+
+function allReleaseAssetNames() {
+  return [...allAssetNames(), CHECKSUM_MANIFEST];
+}
+
 module.exports = {
+  allAssetNames,
+  allReleaseAssetNames,
+  CHECKSUM_MANIFEST,
+  checksumManifestUrl,
   detectBinaryNames,
   executableName,
   releaseAssetUrl,
+  releaseBaseUrl,
   releaseBinaryDirectory,
 };

package/scripts/install.js

@@ -1,20 +1,27 @@
 const fs = require("fs");
 const https = require("https");
 const http = require("http");
-const { mkdir, chmod, stat, rename, readFile, writeFile } = fs.promises;
+const crypto = require("crypto");
+const { mkdir, chmod, stat, rename, readFile, unlink, writeFile } = fs.promises;
 const { createWriteStream } = fs;
 const { pipeline } = require("stream/promises");
 const path = require("path");
 
 const {
+  checksumManifestUrl,
   detectBinaryNames,
   releaseAssetUrl,
   releaseBinaryDirectory,
 } = require("./artifacts");
+const pkg = require("../package.json");
 
 function resolvePackageVersion() {
-  const pkg = require("../package.json");
-  return process.env.DEEPSEEK_TUI_VERSION || process.env.DEEPSEEK_VERSION || pkg.version;
+  const configuredVersion =
+    process.env.DEEPSEEK_TUI_VERSION ||
+    process.env.DEEPSEEK_VERSION ||
+    pkg.deepseekBinaryVersion ||
+    pkg.version;
+  return String(configuredVersion).trim();
 }
 
 function resolveRepo() {
@@ -64,6 +71,19 @@ async function download(url, destination) {
   await pipeline(resolved.response, createWriteStream(destination));
 }
 
+async function downloadText(url) {
+  const resolved = await httpGet(url);
+  if (resolved.redirect) {
+    return downloadText(resolved.redirect);
+  }
+  const chunks = [];
+  resolved.response.setEncoding("utf8");
+  for await (const chunk of resolved.response) {
+    chunks.push(chunk);
+  }
+  return chunks.join("");
+}
+
 async function readLocalVersion(file) {
   return readFile(file, "utf8").catch(() => "");
 }
@@ -77,7 +97,45 @@ async function fileExists(file) {
   }
 }
 
-async function ensureBinary(targetPath, assetName, version, repo) {
+function parseChecksumManifest(text) {
+  const checksums = new Map();
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+      continue;
+    }
+    const match = trimmed.match(/^([a-fA-F0-9]{64})\s+\*?(.+)$/);
+    if (!match) {
+      throw new Error(`Invalid checksum manifest line: ${trimmed}`);
+    }
+    checksums.set(match[2], match[1].toLowerCase());
+  }
+  return checksums;
+}
+
+async function sha256File(filePath) {
+  const content = await readFile(filePath);
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+
+async function verifyChecksum(filePath, assetName, checksums) {
+  const expected = checksums.get(assetName);
+  if (!expected) {
+    throw new Error(`Checksum manifest is missing ${assetName}`);
+  }
+  const actual = await sha256File(filePath);
+  if (actual !== expected) {
+    throw new Error(
+      `Checksum mismatch for ${assetName}: expected ${expected}, got ${actual}`,
+    );
+  }
+}
+
+async function loadChecksums(version, repo) {
+  return parseChecksumManifest(await downloadText(checksumManifestUrl(version, repo)));
+}
+
+async function ensureBinary(targetPath, assetName, version, repo, checksums) {
   const marker = `${targetPath}.version`;
   const downloadIfNeeded =
     process.env.DEEPSEEK_TUI_FORCE_DOWNLOAD === "1" || process.env.DEEPSEEK_FORCE_DOWNLOAD === "1";
@@ -86,6 +144,7 @@ async function ensureBinary(targetPath, assetName, version, repo) {
     if (existing) {
       const markerVersion = await readLocalVersion(marker);
       if (markerVersion === String(version)) {
+        await verifyChecksum(targetPath, assetName, checksums);
         return targetPath;
       }
     }
@@ -93,6 +152,12 @@ async function ensureBinary(targetPath, assetName, version, repo) {
   const url = releaseAssetUrl(assetName, version, repo);
   const destination = `${targetPath}.download`;
   await download(url, destination);
+  try {
+    await verifyChecksum(destination, assetName, checksums);
+  } catch (error) {
+    await unlink(destination).catch(() => {});
+    throw error;
+  }
   if (process.platform !== "win32") {
     await chmod(destination, 0o755);
   }
@@ -110,10 +175,11 @@ async function run() {
   const paths = binaryPaths();
   const releaseDir = releaseBinaryDirectory();
   await mkdir(releaseDir, { recursive: true });
+  const checksums = await loadChecksums(version, repo);
 
   await Promise.all([
-    ensureBinary(paths.deepseek.target, paths.deepseek.asset, version, repo),
-    ensureBinary(paths.tui.target, paths.tui.asset, version, repo),
+    ensureBinary(paths.deepseek.target, paths.deepseek.asset, version, repo, checksums),
+    ensureBinary(paths.tui.target, paths.tui.asset, version, repo, checksums),
   ]);
 }
 

package/scripts/verify-release-assets.js

@@ -0,0 +1,140 @@
+const https = require("https");
+const http = require("http");
+const {
+  allAssetNames,
+  allReleaseAssetNames,
+  checksumManifestUrl,
+  releaseAssetUrl,
+} = require("./artifacts");
+
+const pkg = require("../package.json");
+
+function resolveBinaryVersion() {
+  const configuredVersion =
+    process.env.DEEPSEEK_TUI_VERSION ||
+    process.env.DEEPSEEK_VERSION ||
+    pkg.deepseekBinaryVersion ||
+    pkg.version;
+  return String(configuredVersion).trim();
+}
+
+function resolveRepo() {
+  return process.env.DEEPSEEK_TUI_GITHUB_REPO || process.env.DEEPSEEK_GITHUB_REPO || "Hmbown/DeepSeek-TUI";
+}
+
+function requestStatus(url, method = "HEAD", redirects = 0) {
+  if (redirects > 10) {
+    throw new Error(`Too many redirects while checking ${url}`);
+  }
+  const client = url.startsWith("https:") ? https : http;
+  return new Promise((resolve, reject) => {
+    const req = client.request(
+      url,
+      {
+        method,
+        headers: {
+          "User-Agent": "deepseek-tui-npm-release-check",
+        },
+      },
+      (res) => {
+        const status = res.statusCode || 0;
+        const location = res.headers.location;
+        res.resume();
+        if (status >= 300 && status < 400 && location) {
+          const next = new URL(location, url).toString();
+          resolve(requestStatus(next, method, redirects + 1));
+          return;
+        }
+        resolve(status);
+      },
+    );
+    req.on("error", reject);
+    req.end();
+  });
+}
+
+async function verifyAsset(url, label) {
+  let status = await requestStatus(url, "HEAD");
+  if (status === 403 || status === 405) {
+    status = await requestStatus(url, "GET");
+  }
+  if (status < 200 || status >= 400) {
+    throw new Error(`${label} returned HTTP ${status} (${url})`);
+  }
+}
+
+async function downloadText(url) {
+  const client = url.startsWith("https:") ? https : http;
+  return new Promise((resolve, reject) => {
+    client
+      .get(
+        url,
+        {
+          headers: {
+            "User-Agent": "deepseek-tui-npm-release-check",
+          },
+        },
+        (res) => {
+          const status = res.statusCode || 0;
+          if (status >= 300 && status < 400 && res.headers.location) {
+            const next = new URL(res.headers.location, url).toString();
+            resolve(downloadText(next));
+            return;
+          }
+          if (status !== 200) {
+            reject(new Error(`Request failed with status ${status}: ${url}`));
+            res.resume();
+            return;
+          }
+          const chunks = [];
+          res.setEncoding("utf8");
+          res.on("data", (chunk) => chunks.push(chunk));
+          res.on("end", () => resolve(chunks.join("")));
+        },
+      )
+      .on("error", reject);
+  });
+}
+
+function parseChecksumManifest(text) {
+  const checksums = new Map();
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+      continue;
+    }
+    const match = trimmed.match(/^([a-fA-F0-9]{64})\s+\*?(.+)$/);
+    if (!match) {
+      throw new Error(`Invalid checksum manifest line: ${trimmed}`);
+    }
+    checksums.set(match[2], match[1].toLowerCase());
+  }
+  return checksums;
+}
+
+async function run() {
+  const version = resolveBinaryVersion();
+  const repo = resolveRepo();
+  const assets = allReleaseAssetNames();
+
+  console.log(`Verifying ${assets.length} release assets for ${repo}@v${version}...`);
+  for (const asset of assets) {
+    const url = releaseAssetUrl(asset, version, repo);
+    await verifyAsset(url, asset);
+    console.log(`  ok ${asset}`);
+  }
+  const checksums = parseChecksumManifest(
+    await downloadText(checksumManifestUrl(version, repo)),
+  );
+  for (const asset of allAssetNames()) {
+    if (!checksums.has(asset)) {
+      throw new Error(`Checksum manifest is missing ${asset}`);
+    }
+  }
+  console.log("Release assets verified.");
+}
+
+run().catch((error) => {
+  console.error("Release asset verification failed:", error.message);
+  process.exit(1);
+});