CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).
This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
(claude/codex/gemini/qwen × install/update). Each script now has a
sanitized block at top that fetches api_key from private
unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).
Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).
KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
for token-auth fetch from private repo. Scoped read-only.
RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
User reported on Mac/Win:
1. gpt-5.5 not appearing in client model picker after install
2. codex CLI not installed by uclaude_install.{sh,ps1}
Root causes (TDD verified):
1. ps1 hardcoded fallback (when private config fetch fails) had only 5
models without gpt-5.5; users behind firewall/with stale cache fall
back to it. Updated fallback to include latest list including gpt-5.5,
gemini-3.1-pro, gemini-3-flash, glm-5.1.
2. Codex has SEPARATE installer (codex/ucodex_install.{sh,ps1}). Users
following claude install instructions miss it. README documents both
but as separate steps. Now uclaude_install.{sh,ps1} optionally chain
to codex installer at the end (skip via UCLAUDE_SKIP_CODEX=1).
Sh installer: also expanded sparse-checkout to include codex/ directory.
README versions: bumped Codex CLI 0.122.0 → 0.125.0 in all 4 locale files
(README.md, README_ru.md, README_es.md, README_zh.md).
3 new tests in claude_code_patcher/tests/test_installers_completeness.py
verify the fix sticks (ps1 fallback has gpt-5.5, both installers mention
codex chain, README codex version current via GitHub API check).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Auth conflict warning fix: setting both ANTHROPIC_AUTH_TOKEN and
ANTHROPIC_API_KEY simultaneously triggers Anthropic CLI to print
"Auth conflict" on every claude invocation. Drop API_KEY (we never
needed both — AUTH_TOKEN is the canonical for our proxy).
Best-effort cleanup: clear stale ANTHROPIC_API_KEY from User env (set
by previous installer versions).
Models stale fix: hardcoded list (qwen3-coder-plus, gemini-3.1-pro-preview,
glm-5, glm-4.7 etc.) was missing latest gemini-3.1-pro, gemini-3-flash,
glm-5.1. Now fetches CLAUDE_CUSTOM_MODELS from the private config repo
(unlimitedcoding-config/patcher.config.json) at install time, with
fallback to a small known-good list if fetch fails.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Windows PowerShell 5.1 reads .ps1 files without BOM as Windows-1251 by
default. Em-dashes (-) and other Unicode chars in string literals get
mangled into invalid bytes (e.g. "session - no" becomes garbage that
breaks the parser with "Unexpected token" errors.
Replaced em-dash, en-dash, smart quotes, ellipsis, NBSP and arrows with
their ASCII equivalents across all 12 .ps1 scripts (install/update/
uninstall for claude/gemini/codex/qwen).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- patcher.config.json: opus-4-7 added to models list, set as default opus
- PS1 installers: ANTHROPIC_DEFAULT_OPUS_MODEL=claude-opus-4-7
- CLAUDE_CUSTOM_MODELS includes opus-4-7 first
- v2.1.111 cli.js with patches applied
Opus 4.7 (released 2026-04-16):
- 1M context, 128K output
- New xhigh effort level
- Adaptive thinking (no more budget_tokens)
- High-res vision (2576px), high token efficiency
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Without this env var, CLI defaults to medium effort. Linux updater
already sets it via /etc/environment, but PS1 scripts were missing it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
npm creates claude.ps1 wrapper which gets blocked by default PS
ExecutionPolicy. Fix: set Bypass for CurrentUser and remove the .ps1
wrapper (claude.cmd still works fine).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
PS1 installer/updater only set ANTHROPIC_API_KEY and ANTHROPIC_BASE_URL,
missing CLAUDE_CUSTOM_MODELS (required for model picker), AUTH_TOKEN,
default model vars, and telemetry disable vars.
Also added .claude.json pre-configuration (onboarding skip, dark theme)
and mcp__* permission to settings.json.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
