deepseek-tui 0.3.29 → 0.4.4

package/README.md

@@ -20,6 +20,23 @@ npx deepseek-tui --help
 `postinstall` downloads platform binaries into `bin/downloads/` and exposes
 `deepseek` and `deepseek-tui` commands.
 
+## First run
+
+```bash
+deepseek login --api-key "YOUR_DEEPSEEK_API_KEY"
+deepseek doctor
+deepseek
+```
+
+The `deepseek` facade and `deepseek-tui` binary share `~/.deepseek/config.toml`
+for DeepSeek auth and default model settings. Common TUI commands are available
+directly through the facade, including `deepseek doctor`, `deepseek models`,
+`deepseek sessions`, and `deepseek resume --last`.
+
+The app talks to DeepSeek's documented OpenAI-compatible Chat Completions API.
+Set `DEEPSEEK_BASE_URL` only if you need the China endpoint or DeepSeek beta
+features such as strict tool mode, chat prefix completion, or FIM completion.
+
 ## Supported platforms
 
 - Linux x64
@@ -40,3 +57,7 @@ Other platform/architecture combinations are not supported and will fail during
 
 - `npm publish` runs a release-asset check to ensure all required binary assets
   exist for the target GitHub release before publishing.
+- Install-time downloads are verified against the release checksum manifest before
+  the wrapper marks them executable.
+- Set `DEEPSEEK_TUI_RELEASE_BASE_URL` to point the installer at a local or
+  staged release-asset directory for smoke tests.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "deepseek-tui",
-  "version": "0.3.29",
-  "deepseekBinaryVersion": "0.3.28",
+  "version": "0.4.4",
+  "deepseekBinaryVersion": "0.4.4",
   "description": "Install and run deepseek and deepseek-tui binaries from GitHub release artifacts.",
   "author": "Hmbown",
   "license": "MIT",

package/scripts/artifacts.js

@@ -1,6 +1,8 @@
 const path = require("path");
 const os = require("os");
 
+const CHECKSUM_MANIFEST = "deepseek-artifacts-sha256.txt";
+
 const ASSET_MATRIX = {
   linux: {
     x64: ["deepseek-linux-x64", "deepseek-tui-linux-x64"],
@@ -40,8 +42,22 @@ function executableName(base, platform) {
   return platform === "win32" ? `${base}.exe` : base;
 }
 
+function releaseBaseUrl(version, repo = "Hmbown/DeepSeek-TUI") {
+  const override =
+    process.env.DEEPSEEK_TUI_RELEASE_BASE_URL || process.env.DEEPSEEK_RELEASE_BASE_URL;
+  if (override) {
+    const trimmed = String(override).trim();
+    return trimmed.endsWith("/") ? trimmed : `${trimmed}/`;
+  }
+  return `https://github.com/${repo}/releases/download/v${version}/`;
+}
+
 function releaseAssetUrl(baseName, version, repo = "Hmbown/DeepSeek-TUI") {
-  return `https://github.com/${repo}/releases/download/v${version}/${baseName}`;
+  return new URL(baseName, releaseBaseUrl(version, repo)).toString();
+}
+
+function checksumManifestUrl(version, repo = "Hmbown/DeepSeek-TUI") {
+  return releaseAssetUrl(CHECKSUM_MANIFEST, version, repo);
 }
 
 function releaseBinaryDirectory() {
@@ -58,10 +74,18 @@ function allAssetNames() {
   return Array.from(new Set(names));
 }
 
+function allReleaseAssetNames() {
+  return [...allAssetNames(), CHECKSUM_MANIFEST];
+}
+
 module.exports = {
   allAssetNames,
+  allReleaseAssetNames,
+  CHECKSUM_MANIFEST,
+  checksumManifestUrl,
   detectBinaryNames,
   executableName,
   releaseAssetUrl,
+  releaseBaseUrl,
   releaseBinaryDirectory,
 };

package/scripts/install.js

@@ -1,12 +1,14 @@
 const fs = require("fs");
 const https = require("https");
 const http = require("http");
-const { mkdir, chmod, stat, rename, readFile, writeFile } = fs.promises;
+const crypto = require("crypto");
+const { mkdir, chmod, stat, rename, readFile, unlink, writeFile } = fs.promises;
 const { createWriteStream } = fs;
 const { pipeline } = require("stream/promises");
 const path = require("path");
 
 const {
+  checksumManifestUrl,
   detectBinaryNames,
   releaseAssetUrl,
   releaseBinaryDirectory,
@@ -69,6 +71,19 @@ async function download(url, destination) {
   await pipeline(resolved.response, createWriteStream(destination));
 }
 
+async function downloadText(url) {
+  const resolved = await httpGet(url);
+  if (resolved.redirect) {
+    return downloadText(resolved.redirect);
+  }
+  const chunks = [];
+  resolved.response.setEncoding("utf8");
+  for await (const chunk of resolved.response) {
+    chunks.push(chunk);
+  }
+  return chunks.join("");
+}
+
 async function readLocalVersion(file) {
   return readFile(file, "utf8").catch(() => "");
 }
@@ -82,7 +97,45 @@ async function fileExists(file) {
   }
 }
 
-async function ensureBinary(targetPath, assetName, version, repo) {
+function parseChecksumManifest(text) {
+  const checksums = new Map();
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+      continue;
+    }
+    const match = trimmed.match(/^([a-fA-F0-9]{64})\s+\*?(.+)$/);
+    if (!match) {
+      throw new Error(`Invalid checksum manifest line: ${trimmed}`);
+    }
+    checksums.set(match[2], match[1].toLowerCase());
+  }
+  return checksums;
+}
+
+async function sha256File(filePath) {
+  const content = await readFile(filePath);
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+
+async function verifyChecksum(filePath, assetName, checksums) {
+  const expected = checksums.get(assetName);
+  if (!expected) {
+    throw new Error(`Checksum manifest is missing ${assetName}`);
+  }
+  const actual = await sha256File(filePath);
+  if (actual !== expected) {
+    throw new Error(
+      `Checksum mismatch for ${assetName}: expected ${expected}, got ${actual}`,
+    );
+  }
+}
+
+async function loadChecksums(version, repo) {
+  return parseChecksumManifest(await downloadText(checksumManifestUrl(version, repo)));
+}
+
+async function ensureBinary(targetPath, assetName, version, repo, checksums) {
   const marker = `${targetPath}.version`;
   const downloadIfNeeded =
     process.env.DEEPSEEK_TUI_FORCE_DOWNLOAD === "1" || process.env.DEEPSEEK_FORCE_DOWNLOAD === "1";
@@ -91,13 +144,20 @@ async function ensureBinary(targetPath, assetName, version, repo) {
     if (existing) {
       const markerVersion = await readLocalVersion(marker);
       if (markerVersion === String(version)) {
+        await verifyChecksum(targetPath, assetName, checksums);
         return targetPath;
       }
     }
   }
   const url = releaseAssetUrl(assetName, version, repo);
-  const destination = `${targetPath}.download`;
+  const destination = `${targetPath}.${process.pid}.${Date.now()}.download`;
   await download(url, destination);
+  try {
+    await verifyChecksum(destination, assetName, checksums);
+  } catch (error) {
+    await unlink(destination).catch(() => {});
+    throw error;
+  }
   if (process.platform !== "win32") {
     await chmod(destination, 0o755);
   }
@@ -115,10 +175,11 @@ async function run() {
   const paths = binaryPaths();
   const releaseDir = releaseBinaryDirectory();
   await mkdir(releaseDir, { recursive: true });
+  const checksums = await loadChecksums(version, repo);
 
   await Promise.all([
-    ensureBinary(paths.deepseek.target, paths.deepseek.asset, version, repo),
-    ensureBinary(paths.tui.target, paths.tui.asset, version, repo),
+    ensureBinary(paths.deepseek.target, paths.deepseek.asset, version, repo, checksums),
+    ensureBinary(paths.tui.target, paths.tui.asset, version, repo, checksums),
   ]);
 }
 

package/scripts/verify-release-assets.js

@@ -1,6 +1,11 @@
 const https = require("https");
 const http = require("http");
-const { allAssetNames, releaseAssetUrl } = require("./artifacts");
+const {
+  allAssetNames,
+  allReleaseAssetNames,
+  checksumManifestUrl,
+  releaseAssetUrl,
+} = require("./artifacts");
 
 const pkg = require("../package.json");
 
@@ -58,10 +63,59 @@ async function verifyAsset(url, label) {
   }
 }
 
+async function downloadText(url) {
+  const client = url.startsWith("https:") ? https : http;
+  return new Promise((resolve, reject) => {
+    client
+      .get(
+        url,
+        {
+          headers: {
+            "User-Agent": "deepseek-tui-npm-release-check",
+          },
+        },
+        (res) => {
+          const status = res.statusCode || 0;
+          if (status >= 300 && status < 400 && res.headers.location) {
+            const next = new URL(res.headers.location, url).toString();
+            resolve(downloadText(next));
+            return;
+          }
+          if (status !== 200) {
+            reject(new Error(`Request failed with status ${status}: ${url}`));
+            res.resume();
+            return;
+          }
+          const chunks = [];
+          res.setEncoding("utf8");
+          res.on("data", (chunk) => chunks.push(chunk));
+          res.on("end", () => resolve(chunks.join("")));
+        },
+      )
+      .on("error", reject);
+  });
+}
+
+function parseChecksumManifest(text) {
+  const checksums = new Map();
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+      continue;
+    }
+    const match = trimmed.match(/^([a-fA-F0-9]{64})\s+\*?(.+)$/);
+    if (!match) {
+      throw new Error(`Invalid checksum manifest line: ${trimmed}`);
+    }
+    checksums.set(match[2], match[1].toLowerCase());
+  }
+  return checksums;
+}
+
 async function run() {
   const version = resolveBinaryVersion();
   const repo = resolveRepo();
-  const assets = allAssetNames();
+  const assets = allReleaseAssetNames();
 
   console.log(`Verifying ${assets.length} release assets for ${repo}@v${version}...`);
   for (const asset of assets) {
@@ -69,6 +123,14 @@ async function run() {
     await verifyAsset(url, asset);
     console.log(`  ok ${asset}`);
   }
+  const checksums = parseChecksumManifest(
+    await downloadText(checksumManifestUrl(version, repo)),
+  );
+  for (const asset of allAssetNames()) {
+    if (!checksums.has(asset)) {
+      throw new Error(`Checksum manifest is missing ${asset}`);
+    }
+  }
   console.log("Release assets verified.");
 }