CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).

This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
   users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
   (claude/codex/gemini/qwen × install/update). Each script now has a
   sanitized block at top that fetches api_key from private
   unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
   unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).

Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).

KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
  package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
  for token-auth fetch from private repo. Scoped read-only.

RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

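A regression check for the sanitization described in the commit message above, as an added example that is not part of the commit or the repository. The file names, the sample tree and the literal EXAMPLE-LEAKED-KEY are constructed; only the "YOUR_API_KEY" placeholder and the *_config.json naming come from the message.

```python
import json
import tempfile
from pathlib import Path

PLACEHOLDER = "YOUR_API_KEY"  # placeholder value named in the commit message
SCANNED_SUFFIXES = {".json", ".ps1", ".sh"}


def audit_repo(root, leaked_literals):
    """Return (relative path, reason) for every scanned file that still
    carries a leaked literal or a *_config.json api_key other than the placeholder."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        for literal in leaked_literals:
            if literal in text:
                findings.append((rel, "leaked literal present"))
        if path.name.endswith("_config.json"):
            try:
                key = json.loads(text).get("api_key")
            except (json.JSONDecodeError, AttributeError):
                findings.append((rel, "config is not a JSON object"))
                continue
            if key is not None and key != PLACEHOLDER:
                findings.append((rel, "api_key is not the placeholder"))
    return findings


def build_sample_repo(root):
    """Constructed tree: one sanitized config, one script that was missed,
    one config whose key was changed but not to the placeholder."""
    root = Path(root)
    (root / "claude").mkdir()
    (root / "gemini").mkdir()
    (root / "claude" / "claude_config.json").write_text(
        json.dumps({"api_key": PLACEHOLDER, "_note": "see private config repo"}))
    (root / "claude" / "uclaude_update.ps1").write_text(
        '$apiKey = "EXAMPLE-LEAKED-KEY"\n')
    (root / "gemini" / "gemini_config.json").write_text(
        json.dumps({"api_key": "some-other-real-looking-key"}))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for rel, reason in audit_repo(tmp, ["EXAMPLE-LEAKED-KEY"]):
            print(f"{rel}: {reason}")
```

A clean result covers only the current tree: the literal stays readable in earlier commits of a public repository, which is why the message recommends rotation.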
User reported on Mac/Win:
1. gpt-5.5 not appearing in client model picker after install
2. codex CLI not installed by uclaude_install.{sh,ps1}

Root causes (TDD verified):
1. ps1 hardcoded fallback (when private config fetch fails) had only 5
   models without gpt-5.5; users behind firewall/with stale cache fall
   back to it. Updated fallback to include latest list including gpt-5.5,
   gemini-3.1-pro, gemini-3-flash, glm-5.1.
2. Codex has SEPARATE installer (codex/ucodex_install.{sh,ps1}). Users
   following claude install instructions miss it. README documents both
   but as separate steps. Now uclaude_install.{sh,ps1} optionally chain
   to codex installer at the end (skip via UCLAUDE_SKIP_CODEX=1).

Sh installer: also expanded sparse-checkout to include codex/ directory.

README versions: bumped Codex CLI 0.122.0 → 0.125.0 in all 4 locale files
(README.md, README_ru.md, README_es.md, README_zh.md).

3 new tests in claude_code_patcher/tests/test_installers_completeness.py
verify the fix sticks (ps1 fallback has gpt-5.5, both installers mention
codex chain, README codex version current via GitHub API check).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Auth conflict warning fix: setting both ANTHROPIC_AUTH_TOKEN and
ANTHROPIC_API_KEY simultaneously triggers Anthropic CLI to print
"Auth conflict" on every claude invocation. Drop API_KEY (we never
needed both — AUTH_TOKEN is the canonical for our proxy).

Best-effort cleanup: clear stale ANTHROPIC_API_KEY from User env (set
by previous installer versions).

Models stale fix: hardcoded list (qwen3-coder-plus, gemini-3.1-pro-preview,
glm-5, glm-4.7 etc.) was missing latest gemini-3.1-pro, gemini-3-flash,
glm-5.1. Now fetches CLAUDE_CUSTOM_MODELS from the private config repo
(unlimitedcoding-config/patcher.config.json) at install time, with
fallback to a small known-good list if fetch fails.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

One-liner script that:
- Verifies/installs Node.js >= 18, git, codex CLI
- Adds 'openai-codex' marketplace (github.com/openai/codex-plugin-cc)
- Installs/updates 'codex@openai-codex' plugin
- Verifies result via 'claude plugin list'

Re-runs are safe — auto-detects what is already installed and only fills
gaps or pulls newer plugin versions.

Three platforms covered: Linux (apt/dnf/yum), macOS (brew),
Windows (winget) via .sh and .ps1 wrappers + CMD entry-point.

Plugin commands inside Claude Code:
  /codex:review, /codex:adversarial-review, /codex:rescue,
  /codex:status, /codex:result, /codex:cancel

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- claude-haiku-4-5-20251001: was available in proxy but missing from config
- glm-5.1: new Zhipu model leading SWE-Bench Pro (Apr 2026), now registered
  in proxy registry and reachable via /v1/messages

All previously listed models kept (qwen3.6-coder-* tokens are temporarily
expired but will recover once tokens refresh).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Windows PowerShell 5.1 reads .ps1 files without BOM as Windows-1251 by
default. Em-dashes (-) and other Unicode chars in string literals get
mangled into invalid bytes (e.g. "session - no" becomes garbage that
breaks the parser with "Unexpected token" errors).

Replaced em-dash, en-dash, smart quotes, ellipsis, NBSP and arrows with
their ASCII equivalents across all 12 .ps1 scripts (install/update/
uninstall for claude/gemini/codex/qwen).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

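The decoding failure described in the commit message above, reproduced as an added example that is not part of the commit or the repository. It assumes the Windows-1251 ANSI code page the message names; the sample script is constructed.

```python
import codecs

UTF8_BOM = codecs.BOM_UTF8
# Typographic quotes that PowerShell's tokenizer accepts as string
# delimiters, in addition to the ASCII ' and ".
PS_QUOTE_CHARS = set("\u2018\u2019\u201a\u201b\u201c\u201d\u201e")


def as_ps51_reads(raw, ansi_codepage="cp1251"):
    """Decode script bytes as the commit message describes PowerShell 5.1
    doing it: UTF-8 when a BOM is present, the ANSI code page otherwise."""
    if raw.startswith(UTF8_BOM):
        return raw[len(UTF8_BOM):].decode("utf-8")
    return raw.decode(ansi_codepage, errors="replace")


def risky_lines(raw):
    """For a BOM-less script, return (line number, text as PowerShell 5.1
    would see it, whether decoding introduced a quote character)."""
    if raw.startswith(UTF8_BOM):
        return []  # BOM present: the file is read as UTF-8, nothing to flag
    findings = []
    for number, line in enumerate(raw.splitlines(), start=1):
        if any(byte > 0x7F for byte in line):
            seen = as_ps51_reads(line)
            injects_quote = any(ch in PS_QUOTE_CHARS for ch in seen)
            findings.append((number, seen, injects_quote))
    return findings


# Constructed sample: a script saved as UTF-8 without BOM, with an em-dash
# (U+2014, bytes E2 80 94) inside a double-quoted string.
SAMPLE = 'Write-Host "start"\nWrite-Host "session \u2014 no"\n'.encode("utf-8")

if __name__ == "__main__":
    for number, seen, injects_quote in risky_lines(SAMPLE):
        print(number, repr(seen), "quote injected" if injects_quote else "")
```

Byte 0x94 of the em-dash decodes to U+201D, a right double quotation mark, so the string literal closes early and the rest of the line is parsed as code.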
Previously env vars were only set inside the PowerShell-fallback branch
(when Python was missing). If Python was present, gemini_patcher.py wrote
env vars via setx — which only updates the registry, not the current
PowerShell process. Result: user runs update, then `gemini`, and gets
prompted for API key because process.env.GEMINI_API_KEY is empty.

Fix: always set env vars in BOTH User scope (persistent across sessions)
AND $env: (current session) at the end of the script, regardless of which
branch was taken. Also fix malformed JSON in trustedFolders.json fallback
(escaped quotes were inconsistent).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Qwen patcher had two issues:
1. Only patched dashscope.aliyuncs.com but missed regional endpoints
   (cn-hongkong, dashscope-intl, dashscope-us). Users in those regions
   would still hit Aliyun directly.
2. --validate raised ModuleNotFoundError (referenced removed updater/
   package). Replaced with self-contained inline checker — 13 GREEN
   targets covering cli.js markers, settings.json, env vars.

Also bump Codex version to v0.122.0 across all READMEs (was v0.116.0).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

User feedback: pasting bash heredocs into PowerShell fails. Make the
ugemini_install.ps1/.sh wrapper the one and only command users need —
no need to copy bash/PS code blocks. Wrapper handles Node.js, npm,
env vars, settings.json, trustedFolders.json automatically.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Users were copying bash heredocs (cat << EOF) into PowerShell where they fail.
Split into three explicit sections per shell with warning at top.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- patcher.config.json: opus-4-7 added to models list, set as default opus
- PS1 installers: ANTHROPIC_DEFAULT_OPUS_MODEL=claude-opus-4-7
- CLAUDE_CUSTOM_MODELS includes opus-4-7 first
- v2.1.111 cli.js with patches applied

Opus 4.7 (released 2026-04-16):
- 1M context, 128K output
- New xhigh effort level
- Adaptive thinking (no more budget_tokens)
- High-res vision (2576px), high token efficiency

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>