fix(installers): 8 critical bugs from gpt-5.5 + glm-5.1 audit (Item 17)

Sub-agents reviewed all 26 installer scripts. Fixed (TDD):

BLOCKERS (install fails on platform):
1. claude/uclaude_uninstall.sh: replace `sed -i` → portable `sedi()` helper
   (BSD sed on macOS requires `-i ''`, GNU uses `-i`). Same fix style as
   codex/ucodex_install.sh:sedi.
2. claude/uclaude_install.ps1: abort if $apiKey null after fetch attempt
   (was silently completing install with broken auth env vars). Guard
   added to all 8 ps1 scripts.
3. qwen/uqwen_install.ps1 + uqwen_update.ps1: build trustedFolders.json
   via [ordered]@{} | ConvertTo-Json (PowerShell single-quoted literal
   was preserving `\"` as backslash+quote, producing INVALID JSON).
4. codex/ucodex_update.ps1: check $LASTEXITCODE after Python patcher call
   (native command non-zero exit doesn't throw under
   ErrorActionPreference='Continue' — patcher failure was silent, no
   PowerShell fallback triggered).

HIGH (wrong behavior / regressions):
5. gemini/ugemini_install.ps1 + update.ps1: read $env:UGEMINI_API_KEY
   FIRST (was only checking $env:UCLAUDE_API_KEY — claude variable).
6. gemini/ugemini_update.ps1: download gemini_config.json from PRIVATE
   unlimitedcoding-config (was downloading from public — would 404 after
   Item 14 sanitization).
7. claude/uclaude_update.ps1: drop ANTHROPIC_API_KEY assignment + dynamic
   models fetch (regression — install.ps1 was fixed earlier but update.ps1
   still set both env vars, re-introducing Auth conflict warning).
8. codex/ucodex_install.sh + update.sh: GitHub API curl needs
   `-H "User-Agent: UnlimitedCoding-Installer"` and `-f` flag (default
   curl/X.Y UA gets 403 from GitHub API + silent fail on 5xx).

Bonus fixes pulled in:
- codex/ucodex_install.ps1: switch codex_config download URL to private
  repo (consistency with update.ps1 + Item 14 sanitization)
- codex/ucodex_install.ps1: add `--all` flag to patcher invocation
  (matched between install + update)

Tests: tests/test_installer_bugs_audit.py — 9 GREEN regression guards.
Total: 186 tests GREEN.

Audit transcripts: gpt-5.5 found 24 issues (claude+gemini), glm-5.1
found 11 issues (codex+qwen). Lower-priority items (heredoc unsafe
quoting, lock files, schema validation) deferred to next iteration.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

codex/ucodex_install.ps1

@@ -206,24 +206,22 @@ if ($pyCmd) {
     $token = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
     $headers = @{ "Authorization" = "token $token" }
 
+    # codex_config.json moved to private repo (Item 14 security fix);
+    # patcher.py stays in public unlimitedcoding/codex/.
+    $cfgUrl = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/codex_config.json"
     try {
         Invoke-WebRequest -Uri "$repoRaw/codex_patcher.py" -OutFile "$patchDir\codex_patcher.py" -UseBasicParsing -Headers $headers
-        Invoke-WebRequest -Uri "$repoRaw/codex_config.json" -OutFile "$patchDir\codex_config.json" -UseBasicParsing -Headers $headers
+        Invoke-WebRequest -Uri $cfgUrl -OutFile "$patchDir\codex_config.json" -UseBasicParsing -Headers $headers
         Write-Host "  Patcher downloaded" -ForegroundColor Green
     } catch {
-        try {
-            Invoke-WebRequest -Uri "$repoRaw/codex_patcher.py" -OutFile "$patchDir\codex_patcher.py" -UseBasicParsing
-            Invoke-WebRequest -Uri "$repoRaw/codex_config.json" -OutFile "$patchDir\codex_config.json" -UseBasicParsing
-            Write-Host "  Patcher downloaded (no auth)" -ForegroundColor Green
-        } catch {
-            Write-Host "  Patcher download failed, using PowerShell fallback" -ForegroundColor Yellow
-            $pyCmd = $null
-        }
+        Write-Host "  Patcher/config download failed: $_" -ForegroundColor Yellow
+        $pyCmd = $null
     }
 
     if ($pyCmd) {
         Write-Host "  Applying patches..." -ForegroundColor Cyan
-        & $pyCmd "$patchDir\codex_patcher.py" --apply --config "$patchDir\codex_config.json"
+        # `--all` flag covers all 6 patch targets (was missing in update.ps1)
+        & $pyCmd "$patchDir\codex_patcher.py" --apply --all --config "$patchDir\codex_config.json"
         if ($LASTEXITCODE -ne 0) {
             Write-Host "  Patcher returned exit code $LASTEXITCODE, using PowerShell fallback" -ForegroundColor Yellow
             $pyCmd = $null

codex/ucodex_install.sh

@@ -109,7 +109,7 @@ else
     esac
 fi
 
-LATEST_VER=$(curl -s "$GITHUB_API" | sed -n 's/.*"tag_name":[[:space:]]*"rust-v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' | head -1)
+LATEST_VER=$(curl -sf -H "User-Agent: UnlimitedCoding-Installer" "$GITHUB_API" | sed -n 's/.*"tag_name":[[:space:]]*"rust-v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' | head -1)
 if [ -z "$LATEST_VER" ]; then
     err "Could not fetch latest version from GitHub"
     exit 1

codex/ucodex_update.ps1

@@ -166,11 +166,21 @@ if ($pyCmd) {
     Write-Host "  Downloading patcher..." -ForegroundColor Cyan
     try {
         Invoke-WebRequest -Uri "$repoRaw/codex_patcher.py" -OutFile "$patchDir\codex_patcher.py" -UseBasicParsing -Headers $headers
-        Invoke-WebRequest -Uri "$repoRaw/codex_config.json" -OutFile "$patchDir\codex_config.json" -UseBasicParsing -Headers $headers
+        # codex_config.json moved to private repo (Item 14 security fix);
+        # download from unlimitedcoding-config with the same token.
+        $cfgUrl = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/codex_config.json"
+        Invoke-WebRequest -Uri $cfgUrl -OutFile "$patchDir\codex_config.json" -UseBasicParsing -Headers $headers
         Write-Host "  Applying patches..." -ForegroundColor Cyan
-        & $pyCmd "$patchDir\codex_patcher.py" --apply --config "$patchDir\codex_config.json"
+        # Add --all to match install script (was missing — patches skipped on update)
+        & $pyCmd "$patchDir\codex_patcher.py" --apply --all --config "$patchDir\codex_config.json"
+        # Native command non-zero exit does NOT throw under
+        # ErrorActionPreference='Continue'. Check $LASTEXITCODE explicitly so
+        # we trigger the PowerShell fallback on patcher failure.
+        if ($LASTEXITCODE -ne 0) {
+            throw "codex_patcher.py exited with code $LASTEXITCODE"
+        }
     } catch {
-        Write-Host "  Patcher failed, using PowerShell fallback" -ForegroundColor Yellow
+        Write-Host "  Patcher failed, using PowerShell fallback: $_" -ForegroundColor Yellow
         $pyCmd = $null
     }
     Remove-Item -Recurse -Force $patchDir -ErrorAction SilentlyContinue

codex/ucodex_update.sh

@@ -74,7 +74,7 @@ fi
 # ---- Get latest version ----
 
 info "Checking latest version..."
-LATEST_VER=$(curl -s "$GITHUB_API" | sed -n 's/.*"tag_name":[[:space:]]*"rust-v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' | head -1)
+LATEST_VER=$(curl -sf -H "User-Agent: UnlimitedCoding-Installer" "$GITHUB_API" | sed -n 's/.*"tag_name":[[:space:]]*"rust-v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' | head -1)
 
 if [ -z "$LATEST_VER" ]; then
     err "Could not fetch latest version from GitHub"