CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding
repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone
on the internet could read it via curl with no auth (HTTP 200 raw access).
This commit:
1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing
users to private config repo for production credentials.
2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts
(claude/codex/gemini/qwen × install/update). Each script now has a
sanitized block at top that fetches api_key from private
unlimitedcoding-config repo at runtime via Authorization token.
3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE
unlimitedcoding-config base URL for *_config.json downloads.
4. Removes stale .patcher.config.cache.json (will regen on next install).
Production configs MOVED to private repo (separate commit e839102 on
unlimitedcoding-config/main).
KNOWN UNCHANGED:
- releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm
package distribution; clients need it locally; sensey serves same).
- Read-only gitea token (cadffcb0...) remains in installers — needed
for token-auth fetch from private repo. Scoped read-only.
RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was
publicly exposed for an unknown period. Existing client installs would
need re-install or env override.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Windows PowerShell 5.1 reads .ps1 files without BOM as Windows-1251 by
default. Em-dashes (-) and other Unicode chars in string literals get
mangled into invalid bytes (e.g. "session - no" becomes garbage that
breaks the parser with "Unexpected token" errors.
Replaced em-dash, en-dash, smart quotes, ellipsis, NBSP and arrows with
their ASCII equivalents across all 12 .ps1 scripts (install/update/
uninstall for claude/gemini/codex/qwen).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Previous attempt used OpenAI API format (bare array of {id, object}).
Codex expects ModelsResponse format: {"models": [{slug, display_name,
visibility, shell_type, supported_reasoning_levels, ...}]}.
Format reverse-engineered from codex-rs/core/models.json in official repo.
All 4 models (gpt-5.4, gpt-5.3-codex-spark, gpt-5.3-codex, gpt-5.2-codex)
now appear in interactive model picker.
Cleanup logic detects old bare-array format and replaces automatically.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All scripts now detect and fix leftover damage from previous installs:
- Remove model_catalog_json from config.toml (crashes Codex on startup)
- Delete stale model_catalog.json file
- Detect broken TOML with dotted key bug
Both PS1 scripts and Python patcher handle cleanup before patching.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
model_catalog_json expects internal Codex ModelsResponse format with
complex ModelInfo structs (slug, display_name, visibility, shell_type,
supported_reasoning_levels, etc.), not simple OpenAI API format.
Removed from all configs to restore working state.
env_key = "OPENAI_API_KEY" fix is preserved (fixes 401 Unauthorized).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add env_key = "OPENAI_API_KEY" to [model_providers.custom] in PS1 fallback
templates (fixes 401 Unauthorized on machines without Python 3.11+)
- Add model_catalog_json config + model_catalog.json file generation
(fixes empty model picker — all 4 models now visible in interactive mode)
- Both fixes applied in: codex_patcher.py, ucodex_install.ps1, ucodex_update.ps1
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codex CLI reads config from %USERPROFILE%\.codex\config.toml
but PowerShell fallback was writing to %APPDATA%\codex\config.toml.
Old broken config remained in ~/.codex/ causing TOML parse errors.
- Fix config path: $env:APPDATA\codex → $env:USERPROFILE\.codex
- Add cleanup step to remove broken config before patching
- Remove old config before writing new one
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
On Windows Server without winget/Python, the patcher now generates
config.toml directly in PowerShell instead of requiring Python 3.11+.
Python patcher is still used when available.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
powershell -File runs script in child process — PATH changes don't
persist. Changed to Set-ExecutionPolicy + dot-sourcing (. script.ps1)
which runs in current session. Also added PATH restart hint to Codex
install/update scripts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GitHub releases use codex-x86_64-pc-windows-msvc.exe (not .zip).
Fixed both install and update PS1 scripts.
Also added patched settingsSchema.js to gemini releases.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
