SECURITY: redact api_key from public repo (Variant B)

CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone on the internet could read it via curl with no auth (HTTP 200 raw access). This commit: 1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing users to private config repo for production credentials. 2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts (claude/codex/gemini/qwen × install/update). Each script now has a sanitized block at top that fetches api_key from private unlimitedcoding-config repo at runtime via Authorization token. 3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE unlimitedcoding-config base URL for *_config.json downloads. 4. Removes stale .patcher.config.cache.json (will regen on next install). Production configs MOVED to private repo (separate commit e839102 on unlimitedcoding-config/main). KNOWN UNCHANGED: - releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm package distribution; clients need it locally; sensey serves same). - Read-only gitea token (cadffcb0...) remains in installers — needed for token-auth fetch from private repo. Scoped read-only. RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was publicly exposed for an unknown period. Existing client installs would need re-install or env override. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 16:43:08 +00:00
parent ceb39657a1
commit 8924b75e91
20 changed files with 170 additions and 93 deletions
--- a/qwen/qwen_config.json
+++ b/qwen/qwen_config.json
@@ -1,14 +1,15 @@
-{
-  "base_url": "https://ai.37-187-136-86.sslip.io",
-  "api_key": "ClauderAPI2",
-  "default_model": "qwen3.5-plus",
-  "models": [
-    "qwen3.5-plus",
-    "qwen3-coder-plus",
-    "qwen3-coder-flash"
-  ],
-  "target_version": "0.14.5",
-  "telemetry_enabled": false,
-  "npm_package": "@qwen-code/qwen-code",
-  "npm_registry": "https://npm.sensey24.ru"
-}
+{
+  "base_url": "https://ai.37-187-136-86.sslip.io",
+  "api_key": "YOUR_API_KEY",
+  "default_model": "qwen3.5-plus",
+  "models": [
+    "qwen3.5-plus",
+    "qwen3-coder-plus",
+    "qwen3-coder-flash"
+  ],
+  "target_version": "0.14.5",
+  "telemetry_enabled": false,
+  "npm_package": "@qwen-code/qwen-code",
+  "npm_registry": "https://npm.sensey24.ru",
+  "_note": "Production config (with real api_key) lives in PRIVATE unlimitedcoding-config repo. This file is a template only."
+}
--- a/qwen/uqwen_install.ps1
+++ b/qwen/uqwen_install.ps1
@@ -11,6 +11,20 @@ Write-Host "  |    Qwen Code -- Windows Installer    |" -ForegroundColor Cyan
 Write-Host "  +--------------------------------------+" -ForegroundColor Cyan
 Write-Host ""

+# >>> sanitized: api_key from private config <<<
+$configToken = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
+$configUrl   = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/qwen_config.json"
+$apiKey      = $env:UCLAUDE_API_KEY  # respect override
+if (-not $apiKey) {
+    try {
+        $resp = Invoke-WebRequest -UseBasicParsing -Uri $configUrl -Headers @{Authorization = "token $configToken"} -TimeoutSec 15
+        $cfg  = $resp.Content | ConvertFrom-Json
+        if ($cfg.api_key) { $apiKey = $cfg.api_key }
+    } catch { Write-Warning "Config fetch failed; set `$env:UCLAUDE_API_KEY manually" }
+}
+# <<< end sanitized >>>
+
+
 # ---- Helpers ----

 function Test-Command($cmd) {
@@ -235,9 +249,9 @@ if (-not $pyCmd) {
 # ---- Configure environment variables ----

 Write-Host "  Setting environment variables..." -ForegroundColor Cyan
-[System.Environment]::SetEnvironmentVariable("QWEN_API_KEY", "ClauderAPI2", "User")
+[System.Environment]::SetEnvironmentVariable("QWEN_API_KEY", $apiKey, "User")
 [System.Environment]::SetEnvironmentVariable("QWEN_BASE_URL", "https://ai.37-187-136-86.sslip.io", "User")
-$env:QWEN_API_KEY = "ClauderAPI2"
+$env:QWEN_API_KEY = $apiKey
 $env:QWEN_BASE_URL = "https://ai.37-187-136-86.sslip.io"
 Write-Host "  Env vars set (QWEN_API_KEY, QWEN_BASE_URL)" -ForegroundColor Green

--- a/qwen/uqwen_install.sh
+++ b/qwen/uqwen_install.sh
@@ -209,7 +209,7 @@ trap cleanup EXIT

 info "Downloading patcher..."
 curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/qwen_patcher.py"   -o "$INSTALL_DIR/qwen_patcher.py"
-curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/qwen_config.json"  -o "$INSTALL_DIR/qwen_config.json"
+curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/qwen_config.json"  -o "$INSTALL_DIR/qwen_config.json"
 log "Patcher downloaded"

 info "Applying patches (settings + env)..."
--- a/qwen/uqwen_update.ps1
+++ b/qwen/uqwen_update.ps1
@@ -9,6 +9,20 @@ Write-Host "  |    Qwen Code -- Windows Updater      |" -ForegroundColor Cyan
 Write-Host "  +--------------------------------------+" -ForegroundColor Cyan
 Write-Host ""

+# >>> sanitized: api_key from private config <<<
+$configToken = "cadffcb0a6a3be728ac1ff619bb40c86588f6837"
+$configUrl   = "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/qwen_config.json"
+$apiKey      = $env:UCLAUDE_API_KEY  # respect override
+if (-not $apiKey) {
+    try {
+        $resp = Invoke-WebRequest -UseBasicParsing -Uri $configUrl -Headers @{Authorization = "token $configToken"} -TimeoutSec 15
+        $cfg  = $resp.Content | ConvertFrom-Json
+        if ($cfg.api_key) { $apiKey = $cfg.api_key }
+    } catch { Write-Warning "Config fetch failed; set `$env:UCLAUDE_API_KEY manually" }
+}
+# <<< end sanitized >>>
+
+
 function Refresh-Path {
    $env:Path = [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";" +
                [System.Environment]::GetEnvironmentVariable("Path", "User")
@@ -108,9 +122,9 @@ if (-not $pyCmd) {
    Write-Host "  Applying patches (PowerShell)..." -ForegroundColor Cyan

    # Environment variables
-    [System.Environment]::SetEnvironmentVariable("QWEN_API_KEY", "ClauderAPI2", "User")
+    [System.Environment]::SetEnvironmentVariable("QWEN_API_KEY", $apiKey, "User")
    [System.Environment]::SetEnvironmentVariable("QWEN_BASE_URL", "https://ai.37-187-136-86.sslip.io", "User")
-    $env:QWEN_API_KEY = "ClauderAPI2"
+    $env:QWEN_API_KEY = $apiKey
    $env:QWEN_BASE_URL = "https://ai.37-187-136-86.sslip.io"

    # Settings
--- a/qwen/uqwen_update.sh
+++ b/qwen/uqwen_update.sh
@@ -133,7 +133,7 @@ trap cleanup EXIT

 info "Downloading patcher..."
 curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/qwen_patcher.py"   -o "$TEMP_DIR/qwen_patcher.py"
-curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/qwen_config.json"  -o "$TEMP_DIR/qwen_config.json"
+curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "https://git.sensey24.ru/aibot777/unlimitedcoding-config/raw/branch/main/qwen_config.json"  -o "$TEMP_DIR/qwen_config.json"

 info "Applying patches..."
 python3 "$TEMP_DIR/qwen_patcher.py" --settings-only --config "$TEMP_DIR/qwen_config.json"