github Hmbown/CodeWhale v0.8.64
CodeWhale v0.8.64
on GitHub

5 hours ago

CodeWhale is the canonical project, command, npm package, and
release-asset name. The legacy npm package deepseek-tui is
deprecated and receives no further releases. Users coming from
v0.8.x legacy deepseek / deepseek-tui names should migrate
with docs/REBRAND.md.

Install

Recommended — npm (one command, both binaries)

npm install -g codewhale

The wrapper downloads both binaries from this Release and places them in the same directory.

Docker / GHCR

docker run --rm -it \
  -e DEEPSEEK_API_KEY="$DEEPSEEK_API_KEY" \
  -v ~/.deepseek:/home/codewhale/.deepseek \
  ghcr.io/hmbown/codewhale:v0.8.64

The image ships the codewhale dispatcher and codewhale-tui runtime. The latest tag is also updated on release.

Cargo (Linux / macOS)

cargo install codewhale-cli codewhale-tui --locked

Both crates are required — codewhale-cli produces the codewhale dispatcher and codewhale-tui produces the interactive runtime that the dispatcher delegates to. Installing only one binary will fail at runtime with a MISSING_COMPANION_BINARY error.

Manual download — platform archives (recommended)

Each archive below contains both the codewhale dispatcher and codewhale-tui runtime, plus an install script:

Platform Archive Install script
Linux x64 codewhale-linux-x64.tar.gz install.sh
Linux ARM64 codewhale-linux-arm64.tar.gz install.sh
Linux RISC-V codewhale-linux-riscv64.tar.gz install.sh
macOS x64 codewhale-macos-x64.tar.gz install.sh
macOS ARM codewhale-macos-arm64.tar.gz install.sh
Windows x64 (installer) CodeWhaleSetup.exe NSIS setup
Windows x64 codewhale-windows-x64.zip install.bat
Windows x64 (portable) codewhale-windows-x64-portable.zip

Unix (Linux / macOS): 

tar xzf codewhale-<platform>.tar.gz
cd codewhale-<platform>
./install.sh

Windows:

  • For the installer path, run CodeWhaleSetup.exe; it installs both binaries under %LOCALAPPDATA%\Programs\CodeWhale\bin and adds that directory to the current-user PATH.
  • Extract codewhale-windows-x64.zip
  • Run install.bat (copies to %USERPROFILE%\bin)
  • Add %USERPROFILE%\bin to your PATH

The portable Windows archive skips the install script — extract and run from any directory. The NSIS installer is currently unsigned and may trigger Windows SmartScreen until a signing certificate is wired into the release pipeline.

Each platform also has bare, unarchived binaries attached below (codewhale-<platform> and codewhale-tui-<platform>) — these are what the npm wrapper and the in-app codewhale update download, whereas the .tar.gz / .zip archives above are the recommended manual download and additionally bundle an install script. The legacy npm package deepseek-tui is deprecated and is not republished. For migration from v0.8.x legacy binary names, see docs/REBRAND.md.

Verify (recommended)

Download the checksum manifests from this Release and verify: 

# Linux — archive bundles
sha256sum -c codewhale-bundles-sha256.txt

# Linux — individual binaries
sha256sum -c codewhale-artifacts-sha256.txt

# macOS
shasum -a 256 -c codewhale-bundles-sha256.txt
shasum -a 256 -c codewhale-artifacts-sha256.txt

What's in v0.8.64

Added

  • Seamless auto-compaction defaults. Known large-context routes now keep
    automatic compaction on by default while carrying summaries forward through
    the stable prompt path, reducing surprise context loss without changing
    explicit opt-out behavior.
  • Runtime web automation readiness. Local app automation gains a
    loopback-only dev-server readiness primitive so agents can wait for TCP and
    optional HTTP health checks before browser verification. Harvested from
    #3376 by @cyq1017.
  • Model and integration polish. /model pro and /model flash shortcuts
    now resolve to the current DeepSeek V4 routes while preserving existing model
    IDs. Harvested from #3350 by @KUK4. The WeCom bridge landed with
    maintainer follow-up hardening for state permissions and chat-facing error
    reporting, from #3370 by @pkeging.

Fixed

  • Security and trust-boundary hardening. Project-local config can no longer
    loosen user-owned shell or instruction-file policy, file edits now require a
    fresh read of the target file, git history inputs reject option-shaped or
    control-character revisions, interactive execution surfaces require approval,
    and local tool paths are narrowed through workspace/root validation.
  • Runtime and diagnostics redaction. Generated runtime/app-server tokens,
    raw session lineage identifiers, provider registry drift values, review
    receipt internals, and webhook URLs are no longer echoed into human-facing
    logs or diagnostics.
  • Network and alert safety. Provider TLS verification bypass requests now
    fail closed, fleet alert webhooks require HTTPS, fetch URL hostnames are
    resolved before requests, and runtime mobile auth no longer relies on
    token-bearing URLs.
  • Path-state hardening. Config sibling files, project MCP cwd values,
    runtime thread store files, sub-agent state, project-local state roots, and
    app-server sidecar config paths now resolve through checked roots before
    reads/writes.
  • Release CI repair. Nightly cross-target builds install Rust targets
    explicitly and retry transient cargo failures; auto-tag runs are serialized
    and treat an already-created remote tag as a no-op. Safe slices harvested
    from #3374 by @donglovejava.
  • Provider wait and sidebar regressions. Provider-wait footers suppress
    noisy countdowns until useful while keeping timeout warnings visible,
    harvested from #3375 by @idling11. The pinned sidebar can render at a
    narrower 64-column boundary, harvested from #3371 by @donglovejava.
  • Delegated server cleanup. Delegated serve / app-server children gain
    OS-level parent-death cleanup on supported platforms, completing the #3259
    follow-up from #3378 and #3317 by @wuisabel-gif.
  • ACP and sandbox correctness. ACP sessions preserve multi-turn
    conversation history across prompt turns, harvested from #3372 by @xulongzhe.
    Worktree Git metadata writes are allowed through sandbox policy without
    broad trust-mode escalation, from #3356 by @cyq1017 and the #3355 report by
    @linletian.

Changed

  • Community and dependency harvests. The release train carries focused
    community-credit slices from #3379 by @greyfreedom, #3348 by @nightt5879,
    #3346 by @hongqitai, #3345/#3333 by @cyq1017, and Dependabot updates for
    windows, toml, tokio, lru, similar, and web tooling security locks.
  • Public release surface cleanup. Benchmark-specific materials were kept
    out of the public release repo; benchmark source fragments belong in the
    separate codewhale-bench lane.

Contributor credits for this release live in the changelog entry above —
thank you to everyone whose reports, PRs, reviews, and reproductions shaped it.

See CHANGELOG.md for full notes and docs/CHANGELOG_ARCHIVE.md for older releases.

Check out latest releases or
releases around Hmbown/CodeWhale v0.8.64

Don't miss a new CodeWhale release

NewReleases is sending notifications on new releases.

Get notifications