fix(installers): 8 critical bugs from gpt-5.5 + glm-5.1 audit (Item 17)

Sub-agents reviewed all 26 installer scripts. Fixed (TDD): BLOCKERS (install fails on platform): 1. claude/uclaude_uninstall.sh: replace `sed -i` → portable `sedi()` helper (BSD sed on macOS requires `-i ''`, GNU uses `-i`). Same fix style as codex/ucodex_install.sh:sedi. 2. claude/uclaude_install.ps1: abort if $apiKey null after fetch attempt (was silently completing install with broken auth env vars). Guard added to all 8 ps1 scripts. 3. qwen/uqwen_install.ps1 + uqwen_update.ps1: build trustedFolders.json via [ordered]@{} | ConvertTo-Json (PowerShell single-quoted literal was preserving `\"` as backslash+quote, producing INVALID JSON). 4. codex/ucodex_update.ps1: check $LASTEXITCODE after Python patcher call (native command non-zero exit doesn't throw under ErrorActionPreference='Continue' — patcher failure was silent, no PowerShell fallback triggered). HIGH (wrong behavior / regressions): 5. gemini/ugemini_install.ps1 + update.ps1: read $env:UGEMINI_API_KEY FIRST (was only checking $env:UCLAUDE_API_KEY — claude variable). 6. gemini/ugemini_update.ps1: download gemini_config.json from PRIVATE unlimitedcoding-config (was downloading from public — would 404 after Item 14 sanitization). 7. claude/uclaude_update.ps1: drop ANTHROPIC_API_KEY assignment + dynamic models fetch (regression — install.ps1 was fixed earlier but update.ps1 still set both env vars, re-introducing Auth conflict warning). 8. codex/ucodex_install.sh + update.sh: GitHub API curl needs `-H "User-Agent: UnlimitedCoding-Installer"` and `-f` flag (default curl/X.Y UA gets 403 from GitHub API + silent fail on 5xx). Bonus fixes pulled in: - codex/ucodex_install.ps1: switch codex_config download URL to private repo (consistency with update.ps1 + Item 14 sanitization) - codex/ucodex_install.ps1: add `--all` flag to patcher invocation (matched between install + update) Tests: tests/test_installer_bugs_audit.py — 9 GREEN regression guards. Total: 186 tests GREEN. Audit transcripts: gpt-5.5 found 24 issues (claude+gemini), glm-5.1 found 11 issues (codex+qwen). Lower-priority items (heredoc unsafe quoting, lock files, schema validation) deferred to next iteration. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:16:43 +00:00
parent 34868eea72
commit 06057f864b
11 changed files with 172 additions and 128 deletions
--- a/claude/uclaude_install.ps1
+++ b/claude/uclaude_install.ps1
@@ -16,6 +16,12 @@ if (-not $apiKey) {
        if ($cfg.api_key) { $apiKey = $cfg.api_key }
    } catch { Write-Warning "Config fetch failed; set `$env:UCLAUDE_API_KEY manually" }
 }
+# Abort early if no api_key — otherwise install completes with broken auth
+# env vars (BLOCKER per audit gpt-5.5).
+if (-not $apiKey) {
+    Write-Error "No api_key available (config fetch failed AND `$env:UCLAUDE_API_KEY unset). Cannot install."
+    exit 1
+}
 # <<< end sanitized >>>


--- a/claude/uclaude_uninstall.sh
+++ b/claude/uclaude_uninstall.sh
@@ -15,6 +15,16 @@ log()  { echo -e "${GREEN}[+]${RESET} $*"; }
 warn() { echo -e "${YELLOW}[~]${RESET} $*"; }
 info() { echo -e "${CYAN}[i]${RESET} $*"; }

+# Cross-platform sed -i (macOS BSD sed requires `-i ''`, GNU sed uses `-i`).
+# Use `sedi` instead of `sed -i` everywhere in this script.
+sedi() {
+    if [[ "$(uname -s)" == "Darwin" ]]; then
+        sed -i '' "$@"
+    else
+        sed -i "$@"
+    fi
+}
+
 echo -e "${BOLD}"
 echo "  +--------------------------------------+"
 echo "  |    Claude Code — Uninstaller         |"
@@ -53,11 +63,11 @@ for user_home in /root /home/*; do
    for rc_file in "$user_home/.bashrc" "$user_home/.zshrc"; do
        if [ -f "$rc_file" ] && grep -q 'ANTHROPIC_API_KEY\|CLAUDE_CODE\|Claude Code\|ANTHROPIC_BASE_URL' "$rc_file" 2>/dev/null; then
            info "Cleaning env vars from $rc_file..."
-            sed -i '/# Claude Code/d' "$rc_file"
-            sed -i '/# UnlimitedCoding.*[Cc]laude/d' "$rc_file"
-            sed -i '/ANTHROPIC_API_KEY/d' "$rc_file"
-            sed -i '/ANTHROPIC_BASE_URL/d' "$rc_file"
-            sed -i '/CLAUDE_CODE/d' "$rc_file"
+            sedi '/# Claude Code/d' "$rc_file"
+            sedi '/# UnlimitedCoding.*[Cc]laude/d' "$rc_file"
+            sedi '/ANTHROPIC_API_KEY/d' "$rc_file"
+            sedi '/ANTHROPIC_BASE_URL/d' "$rc_file"
+            sedi '/CLAUDE_CODE/d' "$rc_file"
            log "Cleaned $rc_file"
        fi
    done
@@ -76,9 +86,9 @@ done

 if [ -f "/etc/environment" ] && grep -q 'ANTHROPIC_API_KEY\|ANTHROPIC_BASE_URL\|CLAUDE_CODE' /etc/environment 2>/dev/null; then
    info "Cleaning /etc/environment..."
-    sed -i '/ANTHROPIC_API_KEY/d' /etc/environment
-    sed -i '/ANTHROPIC_BASE_URL/d' /etc/environment
-    sed -i '/CLAUDE_CODE/d' /etc/environment
+    sedi '/ANTHROPIC_API_KEY/d' /etc/environment
+    sedi '/ANTHROPIC_BASE_URL/d' /etc/environment
+    sedi '/CLAUDE_CODE/d' /etc/environment
    log "Cleaned /etc/environment"
 fi

--- a/claude/uclaude_update.ps1
+++ b/claude/uclaude_update.ps1
@@ -74,13 +74,23 @@ Write-Host "  Updated: $oldVer -> $newVer" -ForegroundColor Green

 Write-Host "  Setting environment variables..." -ForegroundColor Cyan

+# Refresh models list from private config (was hardcoded — went stale weekly).
+$customModels = "claude-opus-4-7,claude-sonnet-4-6,gpt-5.5,gpt-5.4,gpt-5.3-codex,gemini-3.1-pro,gemini-3-flash,glm-5.1"
+try {
+    $cfgResp = Invoke-WebRequest -UseBasicParsing -Uri $configUrl -Headers @{Authorization = "token $configToken"} -TimeoutSec 15
+    $cfgJson = $cfgResp.Content | ConvertFrom-Json
+    if ($cfgJson.models) { $customModels = ($cfgJson.models -join ",") }
+} catch { Write-Warning "Models fetch failed; using fallback list" }
+
+# IMPORTANT: only ANTHROPIC_AUTH_TOKEN (not ANTHROPIC_API_KEY) — setting both
+# triggers Anthropic CLI's "Auth conflict" warning on every claude invocation.
+# uclaude_install.ps1 was fixed earlier; uclaude_update.ps1 had the same bug.
 $envVars = @{
-    "ANTHROPIC_API_KEY"                          = $apiKey
    "ANTHROPIC_AUTH_TOKEN"                       = $apiKey
    "ANTHROPIC_BASE_URL"                         = "https://ai.37-187-136-86.sslip.io"
    "ANTHROPIC_DEFAULT_OPUS_MODEL"               = "claude-opus-4-7"
    "ANTHROPIC_DEFAULT_SONNET_MODEL"             = "claude-sonnet-4-6"
-    "CLAUDE_CUSTOM_MODELS"                       = "claude-opus-4-7,claude-opus-4-6,claude-sonnet-4-6,gpt-5.4,gpt-5.3-codex,gpt-5.2-codex,claude-opus-4-5-20251101,claude-sonnet-4-5-20250929,gemini-3.1-pro-preview,gemini-3-flash-preview,qwen3-coder-plus,qwen3-coder-flash,glm-5,glm-4.7"
+    "CLAUDE_CUSTOM_MODELS"                       = $customModels
    "CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"   = "1"
    "CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY"        = "1"
    "DISABLE_TELEMETRY"                          = "1"
@@ -89,6 +99,10 @@ $envVars = @{
    "CLAUDE_CODE_EFFORT_LEVEL"                   = "high"
 }

+# Best-effort cleanup of stale ANTHROPIC_API_KEY (set by older installer)
+[System.Environment]::SetEnvironmentVariable("ANTHROPIC_API_KEY", $null, "User")
+Remove-Item -Path "Env:\ANTHROPIC_API_KEY" -ErrorAction SilentlyContinue
+
 foreach ($k in $envVars.Keys) {
    [System.Environment]::SetEnvironmentVariable($k, $envVars[$k], "User")
    Set-Item -Path "Env:\$k" -Value $envVars[$k]
--- a/codex/ucodex_install.ps1
+++ b/codex/ucodex_install.ps1
@@ -206,24 +206,22 @@ if ($pyCmd) {
    $token = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
    $headers = @{ "Authorization" = "token $token" }

+    # codex_config.json moved to private repo (Item 14 security fix);
+    # patcher.py stays in public unlimitedcoding/codex/.
+    $cfgUrl = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/codex_config.json"
    try {
        Invoke-WebRequest -Uri "$repoRaw/codex_patcher.py" -OutFile "$patchDir\codex_patcher.py" -UseBasicParsing -Headers $headers
-        Invoke-WebRequest -Uri "$repoRaw/codex_config.json" -OutFile "$patchDir\codex_config.json" -UseBasicParsing -Headers $headers
+        Invoke-WebRequest -Uri $cfgUrl -OutFile "$patchDir\codex_config.json" -UseBasicParsing -Headers $headers
        Write-Host "  Patcher downloaded" -ForegroundColor Green
    } catch {
-        try {
-            Invoke-WebRequest -Uri "$repoRaw/codex_patcher.py" -OutFile "$patchDir\codex_patcher.py" -UseBasicParsing
-            Invoke-WebRequest -Uri "$repoRaw/codex_config.json" -OutFile "$patchDir\codex_config.json" -UseBasicParsing
-            Write-Host "  Patcher downloaded (no auth)" -ForegroundColor Green
-        } catch {
-            Write-Host "  Patcher download failed, using PowerShell fallback" -ForegroundColor Yellow
+        Write-Host "  Patcher/config download failed: $_" -ForegroundColor Yellow
        $pyCmd = $null
    }
-    }

    if ($pyCmd) {
        Write-Host "  Applying patches..." -ForegroundColor Cyan
-        & $pyCmd "$patchDir\codex_patcher.py" --apply --config "$patchDir\codex_config.json"
+        # `--all` flag covers all 6 patch targets (was missing in update.ps1)
+        & $pyCmd "$patchDir\codex_patcher.py" --apply --all --config "$patchDir\codex_config.json"
        if ($LASTEXITCODE -ne 0) {
            Write-Host "  Patcher returned exit code $LASTEXITCODE, using PowerShell fallback" -ForegroundColor Yellow
            $pyCmd = $null
--- a/codex/ucodex_install.sh
+++ b/codex/ucodex_install.sh
@@ -109,7 +109,7 @@ else
    esac
 fi

-LATEST_VER=$(curl -s "$GITHUB_API" | sed -n 's/.*"tag_name":[[:space:]]*"rust-v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' | head -1)
+LATEST_VER=$(curl -sf -H "User-Agent: UnlimitedCoding-Installer" "$GITHUB_API" | sed -n 's/.*"tag_name":[[:space:]]*"rust-v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' | head -1)
 if [ -z "$LATEST_VER" ]; then
    err "Could not fetch latest version from GitHub"
    exit 1
--- a/codex/ucodex_update.ps1
+++ b/codex/ucodex_update.ps1
@@ -166,11 +166,21 @@ if ($pyCmd) {
    Write-Host "  Downloading patcher..." -ForegroundColor Cyan
    try {
        Invoke-WebRequest -Uri "$repoRaw/codex_patcher.py" -OutFile "$patchDir\codex_patcher.py" -UseBasicParsing -Headers $headers
-        Invoke-WebRequest -Uri "$repoRaw/codex_config.json" -OutFile "$patchDir\codex_config.json" -UseBasicParsing -Headers $headers
+        # codex_config.json moved to private repo (Item 14 security fix);
+        # download from unlimitedcoding-config with the same token.
+        $cfgUrl = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/codex_config.json"
+        Invoke-WebRequest -Uri $cfgUrl -OutFile "$patchDir\codex_config.json" -UseBasicParsing -Headers $headers
        Write-Host "  Applying patches..." -ForegroundColor Cyan
-        & $pyCmd "$patchDir\codex_patcher.py" --apply --config "$patchDir\codex_config.json"
+        # Add --all to match install script (was missing — patches skipped on update)
+        & $pyCmd "$patchDir\codex_patcher.py" --apply --all --config "$patchDir\codex_config.json"
+        # Native command non-zero exit does NOT throw under
+        # ErrorActionPreference='Continue'. Check $LASTEXITCODE explicitly so
+        # we trigger the PowerShell fallback on patcher failure.
+        if ($LASTEXITCODE -ne 0) {
+            throw "codex_patcher.py exited with code $LASTEXITCODE"
+        }
    } catch {
-        Write-Host "  Patcher failed, using PowerShell fallback" -ForegroundColor Yellow
+        Write-Host "  Patcher failed, using PowerShell fallback: $_" -ForegroundColor Yellow
        $pyCmd = $null
    }
    Remove-Item -Recurse -Force $patchDir -ErrorAction SilentlyContinue
--- a/codex/ucodex_update.sh
+++ b/codex/ucodex_update.sh
@@ -74,7 +74,7 @@ fi
 # ---- Get latest version ----

 info "Checking latest version..."
-LATEST_VER=$(curl -s "$GITHUB_API" | sed -n 's/.*"tag_name":[[:space:]]*"rust-v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' | head -1)
+LATEST_VER=$(curl -sf -H "User-Agent: UnlimitedCoding-Installer" "$GITHUB_API" | sed -n 's/.*"tag_name":[[:space:]]*"rust-v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' | head -1)

 if [ -z "$LATEST_VER" ]; then
    err "Could not fetch latest version from GitHub"
--- a/gemini/ugemini_install.ps1
+++ b/gemini/ugemini_install.ps1
@@ -14,13 +14,13 @@ Write-Host ""
 # >>> sanitized: api_key from private config <<<
 $configToken = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
 $configUrl   = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/gemini_config.json"
-$apiKey      = $env:UCLAUDE_API_KEY  # respect override
+$apiKey      = if ($env:UGEMINI_API_KEY) { $env:UGEMINI_API_KEY } else { $env:UCLAUDE_API_KEY }  # respect override
 if (-not $apiKey) {
    try {
        $resp = Invoke-WebRequest -UseBasicParsing -Uri $configUrl -Headers @{Authorization = "token $configToken"} -TimeoutSec 15
        $cfg  = $resp.Content | ConvertFrom-Json
        if ($cfg.api_key) { $apiKey = $cfg.api_key }
-    } catch { Write-Warning "Config fetch failed; set `$env:UCLAUDE_API_KEY manually" }
+    } catch { Write-Warning "Config fetch failed; set `$env:UGEMINI_API_KEY (or `$env:UCLAUDE_API_KEY) manually" }
 }
 # <<< end sanitized >>>

--- a/gemini/ugemini_update.ps1
+++ b/gemini/ugemini_update.ps1
@@ -12,13 +12,13 @@ Write-Host ""
 # >>> sanitized: api_key from private config <<<
 $configToken = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
 $configUrl   = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/gemini_config.json"
-$apiKey      = $env:UCLAUDE_API_KEY  # respect override
+$apiKey      = if ($env:UGEMINI_API_KEY) { $env:UGEMINI_API_KEY } else { $env:UCLAUDE_API_KEY }  # respect override
 if (-not $apiKey) {
    try {
        $resp = Invoke-WebRequest -UseBasicParsing -Uri $configUrl -Headers @{Authorization = "token $configToken"} -TimeoutSec 15
        $cfg  = $resp.Content | ConvertFrom-Json
        if ($cfg.api_key) { $apiKey = $cfg.api_key }
-    } catch { Write-Warning "Config fetch failed; set `$env:UCLAUDE_API_KEY manually" }
+    } catch { Write-Warning "Config fetch failed; set `$env:UGEMINI_API_KEY (or `$env:UCLAUDE_API_KEY) manually" }
 }
 # <<< end sanitized >>>

@@ -87,18 +87,15 @@ if ($pyCmd) {
    $headers = @{ "Authorization" = "token $token" }

    Write-Host "  Downloading patcher..." -ForegroundColor Cyan
+    # gemini_config.json moved to private repo (Item 14 security fix);
+    # gemini_patcher.py stays in public unlimitedcoding/gemini/.
    try {
        Invoke-WebRequest -Uri "$repoRaw/gemini_patcher.py" -OutFile "$tempDir\gemini_patcher.py" -UseBasicParsing -Headers $headers
-        Invoke-WebRequest -Uri "$repoRaw/gemini_config.json" -OutFile "$tempDir\gemini_config.json" -UseBasicParsing -Headers $headers
+        Invoke-WebRequest -Uri $configUrl -OutFile "$tempDir\gemini_config.json" -UseBasicParsing -Headers $headers
    } catch {
-        try {
-            Invoke-WebRequest -Uri "$repoRaw/gemini_patcher.py" -OutFile "$tempDir\gemini_patcher.py" -UseBasicParsing
-            Invoke-WebRequest -Uri "$repoRaw/gemini_config.json" -OutFile "$tempDir\gemini_config.json" -UseBasicParsing
-        } catch {
-            Write-Host "  Patcher download failed, using PowerShell fallback" -ForegroundColor Yellow
+        Write-Host "  Patcher/config download failed: $_" -ForegroundColor Yellow
        $pyCmd = $null
    }
-    }

    if ($pyCmd) {
        Write-Host "  Applying patches..." -ForegroundColor Cyan
--- a/qwen/uqwen_install.ps1
+++ b/qwen/uqwen_install.ps1
@@ -239,10 +239,16 @@ if (-not $pyCmd) {
 '@
    [System.IO.File]::WriteAllText($settingsFile, $json)

-    # Trusted folders
+    # Trusted folders — build via PSCustomObject + ConvertTo-Json so output
+    # is guaranteed valid JSON. Previous single-quoted literal preserved
+    # `\"` as backslash+quote (not escaped quote), producing INVALID JSON
+    # like {"C:\":\"TRUST_PARENT\"...} per audit gpt-5.5 + glm-5.1.
    $trustedFile = "$qwenDir\trustedFolders.json"
-    $trustedJson = '{"C:\\":\"TRUST_PARENT\",\"C:\\Users\":\"TRUST_PARENT\"}'
-    [System.IO.File]::WriteAllText($trustedFile, $trustedJson)
+    $trustedObj = [ordered]@{
+        "C:\"      = "TRUST_PARENT"
+        "C:\Users" = "TRUST_PARENT"
+    }
+    ($trustedObj | ConvertTo-Json -Compress) | Set-Content -Path $trustedFile -Encoding UTF8 -NoNewline
    Write-Host "  Patches applied (PowerShell fallback)" -ForegroundColor Green
 }

--- a/qwen/uqwen_update.ps1
+++ b/qwen/uqwen_update.ps1
@@ -153,10 +153,13 @@ if (-not $pyCmd) {
 '@
    [System.IO.File]::WriteAllText($settingsFile, $json)

-    # Trusted folders
+    # Trusted folders — see uqwen_install.ps1 for the bug history.
    $trustedFile = "$qwenDir\trustedFolders.json"
-    $trustedJson = '{"C:\\":\"TRUST_PARENT\",\"C:\\Users\":\"TRUST_PARENT\"}'
-    [System.IO.File]::WriteAllText($trustedFile, $trustedJson)
+    $trustedObj = [ordered]@{
+        "C:\"      = "TRUST_PARENT"
+        "C:\Users" = "TRUST_PARENT"
+    }
+    ($trustedObj | ConvertTo-Json -Compress) | Set-Content -Path $trustedFile -Encoding UTF8 -NoNewline
    Write-Host "  Patches applied (PowerShell fallback)" -ForegroundColor Green
 }