SECURITY: redact api_key from public repo (Variant B)

CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).

This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
   users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
   (claude/codex/gemini/qwen × install/update). Each script now has a
   sanitized block at top that fetches api_key from private
   unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
   unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).

Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).

KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
  package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
  for token-auth fetch from private repo. Scoped read-only.

RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
delta-cloud-208e
2026-04-25 16:43:08 +00:00
parent ceb39657a1
commit 8924b75e91
20 changed files with 170 additions and 93 deletions


@@ -127,26 +127,8 @@ else
fi
echo ""
echo "=== Claude Code installation complete ==="
echo "=== Installation complete ==="
echo " To update later: cd $INSTALL_DIR && sudo bash claude/uclaude_update.sh"
echo ""
# Optionally install Codex CLI (OpenAI Rust binary, separate package).
# Default: install. Set UCLAUDE_SKIP_CODEX=1 to skip.
# Why optional: codex needs ~50MB download from GitHub releases; users
# without OpenAI account / interest can skip. README documents standalone
# install path: codex/ucodex_install.sh.
if [ "${UCLAUDE_SKIP_CODEX:-0}" != "1" ] && [ -f "$INSTALL_DIR/codex/ucodex_install.sh" ]; then
echo "=== Installing Codex CLI (skip via UCLAUDE_SKIP_CODEX=1) ==="
if [ "$(id -u)" -eq 0 ]; then
bash "$INSTALL_DIR/codex/ucodex_install.sh" || echo " Codex install failed (non-fatal — re-run separately)"
else
sudo bash "$INSTALL_DIR/codex/ucodex_install.sh" || echo " Codex install failed (non-fatal — re-run separately)"
fi
fi
echo ""
echo "=== All done ==="
echo " claude — Claude Code (Anthropic CLI, gpt-5.5/gemini-3.1/glm-5.1 etc.)"
echo " codex — OpenAI Codex CLI (gpt-5.5, --bare for scripts)"
echo " Update: cd $INSTALL_DIR && sudo bash claude/uclaude_update.sh"
echo " To install Codex CLI separately, see README codex section:"
echo " https://git.sensey24.ru/aibot777/unlimitedcoding/raw/branch/master/codex/ucodex_install.sh"