SECURITY: redact api_key from public repo (Variant B)

CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).

This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
   users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
   (claude/codex/gemini/qwen × install/update). Each script now has a
   sanitized block at top that fetches api_key from private
   unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
   unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).

Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).

KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
  package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
  for token-auth fetch from private repo. Scoped read-only.

RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude/patcher.config.json

@@ -1,6 +1,6 @@
 {
   "base_url": "https://ai.37-187-136-86.sslip.io",
-  "api_key": "ClauderAPI2",
+  "api_key": "YOUR_API_KEY",
   "model": "claude-opus-4-7",
   "models": [
     "claude-opus-4-7",
@@ -27,5 +27,6 @@
   "theme": "dark",
   "complete_onboarding": true,
   "target_version": "2.1.112",
-  "effort_level": "high"
-}
+  "effort_level": "high",
+  "_note": "Production api_key lives in PRIVATE unlimitedcoding-config repo. uclaude_updater.py fetches it at runtime with token auth."
+}