SECURITY: redact api_key from public repo (Variant B)

CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).

This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
   users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
   (claude/codex/gemini/qwen × install/update). Each script now has a
   sanitized block at top that fetches api_key from private
   unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
   unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).

Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).

KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
  package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
  for token-auth fetch from private repo. Scoped read-only.

RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in: delta-cloud-208e
Date: 2026-04-25 16:43:08 +00:00
Parent: ceb39657a1
Commit: 8924b75e91
20 changed files with 170 additions and 93 deletions


@@ -5,6 +5,20 @@
$ErrorActionPreference = "Continue"
# >>> sanitized: api_key from private config <<<
$configToken = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
$configUrl = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/patcher.config.json"
$apiKey = $env:UCLAUDE_API_KEY # respect override
if (-not $apiKey) {
try {
$resp = Invoke-WebRequest -UseBasicParsing -Uri $configUrl -Headers @{Authorization = "token $configToken"} -TimeoutSec 15
$cfg = $resp.Content | ConvertFrom-Json
if ($cfg.api_key) { $apiKey = $cfg.api_key }
} catch { Write-Warning "Config fetch failed; set `$env:UCLAUDE_API_KEY manually" }
}
# <<< end sanitized >>>
# Fix PS execution policy so claude.ps1 wrapper works
try {
Set-ExecutionPolicy Bypass -Scope CurrentUser -Force 2>$null
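Review bot: the literal on `$configToken = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"` is committed into the same public installer this commit is sanitizing, and it authorizes the read of `unlimitedcoding-config/raw/branch/main/patcher.config.json`, which is exactly where the production `api_key` now lives. Anyone who could fetch the old `ClauderAPI2` literal can run the same two requests from this file and recover the key, so the secret has moved one hop rather than been removed. Suggest keeping `$apiKey = $env:UCLAUDE_API_KEY` as the only in-script source and making the private fetch depend on a token the user supplies (for example a `$env:UCLAUDE_CONFIG_TOKEN` variable) instead of one baked into the file, and failing hard when neither is set.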
@@ -159,7 +173,7 @@ try {
# API_KEY simultaneously triggers Anthropic CLI's "Auth conflict" warning
# on every `claude` invocation.
$envVars = @{
"ANTHROPIC_AUTH_TOKEN" = "ClauderAPI2"
"ANTHROPIC_AUTH_TOKEN" = $apiKey
"ANTHROPIC_BASE_URL" = "https://ai.37-187-136-86.sslip.io"
"ANTHROPIC_DEFAULT_OPUS_MODEL" = "claude-opus-4-7"
"ANTHROPIC_DEFAULT_SONNET_MODEL" = "claude-sonnet-4-6"
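Review bot: `"ANTHROPIC_AUTH_TOKEN" = $apiKey` is assigned with no check that `$apiKey` is non-empty. The sanitized block above only emits `Write-Warning` when the config fetch fails, so in that case this line puts an empty value into `$envVars` and the user meets the problem later as an auth error from `claude` rather than at install time. Suggest a guard immediately before building the table, e.g. `if (-not $apiKey) { throw "api_key unavailable; set `$env:UCLAUDE_API_KEY" }`.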
@@ -260,27 +274,5 @@ try {
}
Write-Host ""
# ---- Optionally install Codex CLI (separate package) ----
# Default: install. Set $env:UCLAUDE_SKIP_CODEX = "1" to skip.
# README documents standalone install: codex/ucodex_install.ps1.
if ($env:UCLAUDE_SKIP_CODEX -ne "1") {
Write-Host ""
Write-Host "=== Installing Codex CLI (skip via `$env:UCLAUDE_SKIP_CODEX = '1') ===" -ForegroundColor Cyan
$codexUrl = "https://git.sensey24.ru/aibot777/unlimitedcoding/raw/branch/master/codex/ucodex_install.ps1"
$codexPs1 = "$env:TEMP\ucodex_install.ps1"
try {
Invoke-WebRequest -UseBasicParsing -Uri $codexUrl -OutFile $codexPs1 -Headers @{Authorization = "token $configToken"} -TimeoutSec 30
& $codexPs1
Write-Host " Codex CLI installed" -ForegroundColor Green
} catch {
Write-Host " Codex install failed (non-fatal): $_" -ForegroundColor Yellow
Write-Host " Install manually later: see README codex section" -ForegroundColor Yellow
}
}
Write-Host ""
Write-Host "=== All done ===" -ForegroundColor Green
Write-Host " claude -- Claude Code (gpt-5.5/gemini-3.1/glm-5.1 etc.)"
Write-Host " codex -- OpenAI Codex CLI (gpt-5.5, --bare for scripts)"
Write-Host " To install Codex CLI separately, see README codex section." -ForegroundColor Cyan
Write-Host ""
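Review bot: the hunk header `@@ -260,27 +274,5 @@` says this region shrinks from 27 lines to 5, but the rendered page carries no `+`/`-` markers, so it is not visible whether the Codex block between `if ($env:UCLAUDE_SKIP_CODEX -ne "1") {` and its closing `}` is the side being removed. If it stays: `& $codexPs1` executes a script freshly downloaded from `raw/branch/master/codex/ucodex_install.ps1` with no commit pin or hash check, so anyone who can push to `master` of the public repo gets code execution on every install; pin the URL to a commit (`raw/commit/<sha>/...`) or compare against a known hash before invoking it. Also, the `Authorization = "token $configToken"` header is attached to a request against the public `unlimitedcoding` repo, where no auth is needed; send the token only to the private config URL.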