CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).
This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
(claude/codex/gemini/qwen × install/update). Each script now has a
sanitized block at top that fetches api_key from private
unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).
Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).
KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
for token-auth fetch from private repo. Scoped read-only.
RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
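An added example, not code from this repository: a check that flags any `api_key` committed with a value other than the `YOUR_API_KEY` placeholder the commit above introduces, suitable for a pre-commit hook or CI step. The file names, key values and the assignment syntax matched in scripts are assumptions constructed for the illustration.

```python
import json
import re

PLACEHOLDER = "YOUR_API_KEY"  # placeholder the commit writes into *_config.json
# Assumed script style: api_key / ApiKey / API_KEY assigned a quoted literal.
ASSIGN_RE = re.compile(r"""api[_-]?key["']?\s*[:=]\s*["']([^"'$][^"']*)["']""", re.I)

def _walk_json(node, path=""):
    """Yield (json_path, value) for every string stored under an api_key field."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() == "api_key" and isinstance(value, str):
                yield child, value
            else:
                yield from _walk_json(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk_json(item, f"{path}[{i}]")

def find_hardcoded_keys(files):
    """Return sorted (filename, location) pairs where a non-placeholder key is present."""
    findings = []
    for name, text in files.items():
        if name.endswith(".json"):
            try:
                doc = json.loads(text)
            except json.JSONDecodeError:
                findings.append((name, "unparseable JSON"))  # fail closed
                continue
            findings += [(name, loc) for loc, val in _walk_json(doc)
                         if val and val != PLACEHOLDER]
        else:
            for lineno, line in enumerate(text.splitlines(), 1):
                if (m := ASSIGN_RE.search(line)) and m.group(1) != PLACEHOLDER:
                    findings.append((name, f"line {lineno}"))
    return sorted(findings)

# Constructed sample tree: paths and key values are made up for this example.
SAMPLE = {
    "claude/claude_config.json": '{"api_key": "EXAMPLE-LEAKED-KEY", "models": []}',
    "codex/codex_config.json": '{"api_key": "YOUR_API_KEY", "_note": "see private repo"}',
    "claude/uclaude_install.ps1": '$headers = @{}\n$ApiKey = "EXAMPLE-LEAKED-KEY"\n',
    "claude/uclaude_update.ps1": '$ApiKey = $cfg.api_key\n$k = "$env:UC_API_KEY"\n',
}

if __name__ == "__main__":
    for name, loc in find_hardcoded_keys(SAMPLE):
        print(f"{name}: hardcoded api_key at {loc}")
```

Values read from another variable or from the environment at runtime are not reported; only quoted literals and JSON string values are.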
User reported on Mac/Win:
1. gpt-5.5 not appearing in client model picker after install
2. codex CLI not installed by uclaude_install.{sh,ps1}
Root causes (TDD verified):
1. ps1 hardcoded fallback (when private config fetch fails) had only 5
models without gpt-5.5; users behind firewall/with stale cache fall
back to it. Updated fallback to include latest list including gpt-5.5,
gemini-3.1-pro, gemini-3-flash, glm-5.1.
2. Codex has SEPARATE installer (codex/ucodex_install.{sh,ps1}). Users
following claude install instructions miss it. README documents both
but as separate steps. Now uclaude_install.{sh,ps1} optionally chain
to codex installer at the end (skip via UCLAUDE_SKIP_CODEX=1).
Sh installer: also expanded sparse-checkout to include codex/ directory.
README versions: bumped Codex CLI 0.122.0 → 0.125.0 in all 4 locale files
(README.md, README_ru.md, README_es.md, README_zh.md).
3 new tests in claude_code_patcher/tests/test_installers_completeness.py
verify the fix sticks (ps1 fallback has gpt-5.5, both installers mention
codex chain, README codex version current via GitHub API check).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add NPM_REGISTRY constant and set_npm_registry() function
- Configure npm to use https://npm.sensey24.ru/ for @anthropic-ai scope
- Pass --registry flag to npm install commands
- Configure registry in uclaude_install.sh before running updater
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Changed MIN_NODE_VERSION from (24, 13, 0) to (18, 0, 0) to match Claude Code requirements
- Updated uclaude_install.sh to fetch latest repo before running updater
- Rewrote uclaude_update.ps1 to require v18+ and update repo first
- Added multiple fallback methods for Node.js installation on Windows
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes curl "bad/illegal format" error on some systems when ?token= is in URL.
All 8 READMEs + uclaude_install.sh updated to download-then-run approach.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace old aibot777 token with new scoped token (read:repository)
- Simplify curl commands: use ?token= query param instead of -H header
- Token embedded in uclaude_install.sh for git clone auth
- All repos remain private; token only allows reading
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Embed GITEA_TOKEN in uclaude_install.sh for git clone auth
- Add Authorization header to all curl install commands in docs
- Add token to git clone URLs in Windows/manual install sections
- Token is read:repository scoped (read-only, can be revoked)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Process substitution <(...) fails with sudo and on systems without /dev/fd.
Pipe syntax works universally on all Linux/macOS systems.
Also changed curl -s to curl -fsSL for proper error handling.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Wire ensure_claude_code() into cmd_update() — auto npm install if missing
- uclaude_install.sh: auto-install git, python3, curl via apt/dnf/yum/brew
- uclaude_update.bat: prereq checks with winget install suggestions
- uclaude_update.ps1: auto-install via winget (git, python, node)
- install_node(): macOS support via brew, RHEL/Fedora via rpm.nodesource
- Increased npm install timeout to 300s for slow connections
- All claude files moved to claude/ (uclaude_updater.py, scripts, config)
- claude/README.md with instructions for Claude Code
- Root README is shared across all products (claude, codex, gemini, qwen, antigravity)
- Node.js v24.13+ auto-install via nodesource
- Sparse checkout: the client downloads only the latest version of cli.js
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>