SECURITY: redact api_key from public repo (Variant B)

CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).

This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
   users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
   (claude/codex/gemini/qwen × install/update). Each script now has a
   sanitized block at top that fetches api_key from private
   unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
   unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).

Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).

KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
  package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
  for token-auth fetch from private repo. Scoped read-only.

RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

codex/README.md

@@ -90,7 +90,7 @@ cp codex_config.example.json codex_config.json
 {
   "base_url": "https://your-api-endpoint.example.com",
   "api_key": "YOUR_API_KEY",
-  "model": "gpt-5.2-codex"
+  "model": "gpt-5.5"
 }
 ```
 
@@ -111,7 +111,7 @@ Codex CLI Patcher
       [OK]  Target 2:   codex login: ok
       [OK]  Target 3:   analytics disabled
       [OK]  Target 4:   approval_policy=never, sandbox=danger-full-access
-      [OK]  Target 5:   model=gpt-5.2-codex, effort=high
+      [OK]  Target 5:   model=gpt-5.5, effort=high
       [OK]  Target 6:   Set 2 env var(s) in /etc/environment
 
   All patches applied successfully!
@@ -202,7 +202,7 @@ sudo python3 codex_patcher.py --apply
 Файл `~/.codex/config.toml` (генерируется патчером):
 
 ```toml
-model = "gpt-5.2-codex"
+model = "gpt-5.5"
 model_reasoning_effort = "xhigh"
 model_provider = "custom"
 approval_policy = "never"

codex/codex_config.json

@@ -1,8 +1,9 @@
 {
   "base_url": "https://ai.37-187-136-86.sslip.io",
-  "api_key": "ClauderAPI2",
-  "model": "gpt-5.4",
+  "api_key": "YOUR_API_KEY",
+  "model": "gpt-5.5",
   "models": [
+    "gpt-5.5",
     "gpt-5.4",
     "gpt-5.3-codex-spark",
     "gpt-5.3-codex",
@@ -19,5 +20,6 @@
     "/root",
     "/tmp"
   ],
-  "target_version": "0.125.0"
-}
+  "target_version": "0.125.0",
+  "_note": "Production config (with real api_key) lives in PRIVATE unlimitedcoding-config repo. This file is a template only."
+}

codex/ucodex_install.ps1

@@ -12,6 +12,20 @@ Write-Host "  |    Codex CLI -- Windows Installer    |" -ForegroundColor Cyan
 Write-Host "  +--------------------------------------+" -ForegroundColor Cyan
 Write-Host ""
 
+# >>> sanitized: api_key from private config <<<
+$configToken = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
+$configUrl   = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/codex_config.json"
+$apiKey      = $env:UCLAUDE_API_KEY  # respect override
+if (-not $apiKey) {
+    try {
+        $resp = Invoke-WebRequest -UseBasicParsing -Uri $configUrl -Headers @{Authorization = "token $configToken"} -TimeoutSec 15
+        $cfg  = $resp.Content | ConvertFrom-Json
+        if ($cfg.api_key) { $apiKey = $cfg.api_key }
+    } catch { Write-Warning "Config fetch failed; set `$env:UCLAUDE_API_KEY manually" }
+}
+# <<< end sanitized >>>
+
+
 # ---- Helpers ----
 
 function Test-Command($cmd) {
@@ -316,7 +330,7 @@ wire_api = "responses"
     Write-Host "  config.toml created: $configToml" -ForegroundColor Green
 
     # Set env vars via setx
-    & setx OPENAI_API_KEY "ClauderAPI2" 2>$null | Out-Null
+    & setx OPENAI_API_KEY $apiKey 2>$null | Out-Null
     & setx OPENAI_BASE_URL "https://ai.37-187-136-86.sslip.io/v1" 2>$null | Out-Null
     Write-Host "  Env vars set via setx" -ForegroundColor Green
 }
@@ -324,9 +338,9 @@ wire_api = "responses"
 # ---- Configure environment variables ----
 
 Write-Host "  Setting environment variables..." -ForegroundColor Cyan
-[System.Environment]::SetEnvironmentVariable("OPENAI_API_KEY", "ClauderAPI2", "User")
+[System.Environment]::SetEnvironmentVariable("OPENAI_API_KEY", $apiKey, "User")
 [System.Environment]::SetEnvironmentVariable("OPENAI_BASE_URL", "https://ai.37-187-136-86.sslip.io/v1", "User")
-$env:OPENAI_API_KEY = "ClauderAPI2"
+$env:OPENAI_API_KEY = $apiKey
 $env:OPENAI_BASE_URL = "https://ai.37-187-136-86.sslip.io/v1"
 Write-Host "  Env vars set (OPENAI_API_KEY, OPENAI_BASE_URL)" -ForegroundColor Green
 

codex/ucodex_install.sh

@@ -176,7 +176,7 @@ trap cleanup EXIT
 
 info "Downloading patcher..."
 curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/codex_patcher.py"  -o "$INSTALL_DIR/codex_patcher.py"
-curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/codex_config.json" -o "$INSTALL_DIR/codex_config.json"
+curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/codex_config.json" -o "$INSTALL_DIR/codex_config.json"
 
 # Remove broken config.toml from previous installs (double-quoted keys bug)
 info "Cleaning broken configs..."

codex/ucodex_update.ps1

@@ -11,6 +11,20 @@ Write-Host "  |    Codex CLI -- Windows Updater      |" -ForegroundColor Cyan
 Write-Host "  +--------------------------------------+" -ForegroundColor Cyan
 Write-Host ""
 
+# >>> sanitized: api_key from private config <<<
+$configToken = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
+$configUrl   = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/codex_config.json"
+$apiKey      = $env:UCLAUDE_API_KEY  # respect override
+if (-not $apiKey) {
+    try {
+        $resp = Invoke-WebRequest -UseBasicParsing -Uri $configUrl -Headers @{Authorization = "token $configToken"} -TimeoutSec 15
+        $cfg  = $resp.Content | ConvertFrom-Json
+        if ($cfg.api_key) { $apiKey = $cfg.api_key }
+    } catch { Write-Warning "Config fetch failed; set `$env:UCLAUDE_API_KEY manually" }
+}
+# <<< end sanitized >>>
+
+
 function Refresh-Path {
     $env:Path = [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";" +
                 [System.Environment]::GetEnvironmentVariable("Path", "User")
@@ -249,9 +263,9 @@ wire_api = "responses"
 "@
     [System.IO.File]::WriteAllText($configToml, $tomlContent)
 
-    & setx OPENAI_API_KEY "ClauderAPI2" 2>$null | Out-Null
+    & setx OPENAI_API_KEY $apiKey 2>$null | Out-Null
     & setx OPENAI_BASE_URL "https://ai.37-187-136-86.sslip.io/v1" 2>$null | Out-Null
-    $env:OPENAI_API_KEY = "ClauderAPI2"
+    $env:OPENAI_API_KEY = $apiKey
     $env:OPENAI_BASE_URL = "https://ai.37-187-136-86.sslip.io/v1"
     Write-Host "  Patches applied (PowerShell fallback)" -ForegroundColor Green
 }

codex/ucodex_update.sh

@@ -131,7 +131,7 @@ trap cleanup EXIT
 
 info "Downloading patcher..."
 curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/codex_patcher.py" -o "$PATCH_DIR/codex_patcher.py"
-curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/codex_config.json" -o "$PATCH_DIR/codex_config.json"
+curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/codex_config.json" -o "$PATCH_DIR/codex_config.json"
 
 info "Applying patches..."
 python3 "$PATCH_DIR/codex_patcher.py" --apply --config "$PATCH_DIR/codex_config.json"