CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).

This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
   users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
   (claude/codex/gemini/qwen × install/update). Each script now has a
   sanitized block at top that fetches api_key from private
   unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
   unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).

Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).

KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
  package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
  for token-auth fetch from private repo. Scoped read-only.

RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
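
An added example, not code from this repository: a check that could run before each commit to catch what the commit message above describes, a real api_key value in a *_config.json file or a quoted key literal in a .ps1/.sh script. The function names, the regular expression and the sample files are assumptions constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

PLACEHOLDER = "YOUR_API_KEY"  # value the commit writes into the *_config.json files
# Assumed leak shape: quoted literal assigned to api_key/API_KEY; "$var" values are skipped.
SCRIPT_KEY_RE = re.compile(r"""(?i)\bapi[_-]?key\b\s*[:=]\s*["']([^"'$]+)["']""")

def json_key_values(node, name="api_key"):
    """Yield every value stored under `name` at any depth of parsed JSON."""
    if not isinstance(node, (dict, list)):
        return
    pairs = node.items() if isinstance(node, dict) else enumerate(node)
    for key, value in pairs:
        if key == name:
            yield value
        yield from json_key_values(value, name)

def find_committed_keys(root):
    """Return (relative path, line or 0, reason) for each hard-coded key found."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name.endswith("_config.json"):
            try:
                values = list(json_key_values(json.loads(text)))
            except json.JSONDecodeError:
                findings.append((rel, 0, "config is not valid JSON"))
                continue
            findings += [(rel, 0, "non-placeholder api_key") for v in values if v != PLACEHOLDER]
        elif path.suffix in (".ps1", ".sh"):
            for n, line in enumerate(text.splitlines(), 1):
                m = SCRIPT_KEY_RE.search(line)
                if m and m.group(1) != PLACEHOLDER:
                    findings.append((rel, n, "literal api_key in script"))
    return findings

def demo():
    """Scan a constructed tree; every file body below is made up."""
    files = {"claude_config.json": '{"api_key": "YOUR_API_KEY"}',
             "codex_config.json": '{"proxy": {"api_key": "CONSTRUCTED-KEY"}}',
             "install.ps1": '$url = "x"\n$api_key = "CONSTRUCTED-KEY"\n',
             "install.sh": 'API_KEY="${API_KEY:-}"\n'}
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            Path(d, name).write_text(body)
        return find_committed_keys(d)
```

A non-empty result from `find_committed_keys(".")` is the condition on which a pre-commit hook or CI job would fail.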
- Delete config.toml with double-quoted keys bug before regenerating
- Replace pwd.getpwall() with /Users/* scan on macOS (Directory Services unreliable)
- Proper chown via stat of home directory
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- chown -R ~/.codex/ to actual user after patching (sudo creates as root)
- Detect SUDO_USER for the invoking user
- Iterate /Users/*/.codex (macOS) and /home/*/.codex (Linux) to fix all
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Install script now runs patcher with --all to patch every user's ~/.codex/config.toml
- Fix list_users() UID threshold: macOS starts at 500, Linux at 1000
- Fix file ownership: chown config files to the actual user after patching
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
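
An added example, not the project's patcher code: the ownership fix described in the three commit messages above, taking the owner from a stat of each home directory and applying it to everything under .codex. Function names are hypothetical, the sample tree is constructed, and the demo injects a no-op in place of os.lchown so it runs without root.

```python
import os
import tempfile
from pathlib import Path

def invoking_user(environ, euid):
    """Account behind `sudo`, or None when not running as root via sudo."""
    name = environ.get("SUDO_USER")
    return name if euid == 0 and name and name != "root" else None

def home_bases(sysname):
    """Parents of home directories: /Users on macOS, /home on Linux."""
    return ["/Users"] if sysname == "Darwin" else ["/home"]

def fix_codex_ownership(bases, subdir=".codex", chown=os.lchown):
    """Give every entry under <home>/<subdir> the owner of <home>; return the calls made.

    lchown changes a symlink itself and os.walk does not descend into symlinked
    directories, so a symlink already present in the tree is not followed.
    """
    calls = []
    for base in map(Path, bases):
        if not base.is_dir():
            continue
        for home in sorted(base.iterdir()):
            target = home / subdir
            if home.is_symlink() or target.is_symlink() or not target.is_dir():
                continue
            owner = home.stat()  # owner of the home directory, not of the root process
            entries = [str(target)]
            for dirpath, dirs, files in os.walk(target):
                entries += [os.path.join(dirpath, n) for n in sorted(dirs + files)]
            for entry in entries:
                chown(entry, owner.st_uid, owner.st_gid)
                calls.append((entry, owner.st_uid, owner.st_gid))
    return calls

def demo():
    """Dry run over a constructed /home-like tree; returns the relative paths touched."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d, "home")
        codex = base / "alice" / ".codex"
        codex.mkdir(parents=True)
        (codex / "config.toml").write_text('model = "constructed"\n')
        (base / "outside.txt").write_text("belongs to someone else\n")
        os.symlink(base / "outside.txt", codex / "link")
        calls = fix_codex_ownership([base], chown=lambda *args: None)
        return [os.path.relpath(path, base) for path, _, _ in calls]
```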
- Replace grep -oP (Perl regex) with portable sed — fixes "grep: invalid option -- P" on macOS
- Add sedi() wrapper for cross-platform sed -i (BSD vs GNU)
- Detect macOS via uname and use apple-darwin binary suffix instead of linux-musl
- Add is_native_binary() helper: checks both ELF (Linux) and Mach-O (macOS)
- macOS env vars: use launchctl setenv + /etc/codex-env.sh + ~/.zshrc source line
- Linux env vars: keep /etc/environment + /etc/profile.d/ as before
- Wrapper script uses dynamic ENV_FILE path instead of hardcoded /etc/profile.d/
- Fix SUDO_USER handling for correct ~/.zshrc path when run via sudo
- Uninstaller: also remove .codex-bin, /etc/codex-env.sh, launchctl vars, rc file entries
- Uninstaller: scan /Users/* on macOS instead of /home/*
- Fix CRLF line endings in ucodex_uninstall.sh
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Patcher uses `which codex` to find binary. After migrating
codex -> .codex-bin, wrapper must exist before Step 2 (patcher)
or patcher fails with "Codex CLI not found".
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- tomllib fallback: try tomllib (3.11+) -> tomli -> minimal parser
- Works with Python 3.8+ (Ubuntu 20.04, Debian 11, etc.)
- Auto-install python3 if not found (like Gemini/Qwen scripts)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Problem: `sudo bash install.sh` runs in child process, `export` inside it
never reaches the user's current shell. /etc/environment and /etc/profile.d/
only work for NEW sessions. So `codex`/`gemini`/`qwen` fail with
"Missing environment variable" right after install.
Solution: wrapper scripts that auto-source env file before exec'ing binary.
- codex: /usr/local/bin/codex (wrapper) -> /usr/local/bin/.codex-bin (real)
- gemini: /usr/local/bin/gemini (wrapper) -> node .../dist/index.js
- qwen: /usr/local/bin/qwen (wrapper) -> node .../dist/index.js
Works immediately in ANY shell, no manual `source` needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Script no longer depends on local update-codex.sh or SCRIPT_DIR files
- Downloads Codex binary directly from GitHub releases
- Downloads patcher + config from gitea repo
- Sets env vars system-wide (/etc/environment + /etc/profile.d/)
- Proper error handling with set -euo pipefail
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Write OPENAI_API_KEY and OPENAI_BASE_URL to /etc/environment (all users)
- Create /etc/profile.d/codex-env.sh for login shell export (all users)
- Export for current session too
- Removes per-user ~/.bashrc approach — system-wide is more reliable
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Install/update scripts now:
- Export env vars for current session (fixes "Missing OPENAI_API_KEY")
- Write to ~/.bashrc or ~/.zshrc for persistence
- Handle sudo (detect real user via SUDO_USER)
- Remove stale entries before writing
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>