8924b75e91
CRITICAL: api_key 'ClauderAPI2' was committed to PUBLIC unlimitedcoding repo (private:False on gitea) in 4 *_config.json + 8 ps1 scripts. Anyone on the internet could read it via curl with no auth (HTTP 200 raw access). This commit: 1. Sanitizes 4 *_config.json: api_key → "YOUR_API_KEY" + _note pointing users to private config repo for production credentials. 2. Removes 'ClauderAPI2' literal from 8 ps1 installer/updater scripts (claude/codex/gemini/qwen × install/update). Each script now has a sanitized block at top that fetches api_key from private unlimitedcoding-config repo at runtime via Authorization token. 3. Switches 6 sh installer scripts from public REPO_RAW to PRIVATE unlimitedcoding-config base URL for *_config.json downloads. 4. Removes stale .patcher.config.cache.json (will regen on next install). Production configs MOVED to private repo (separate commit e839102 on unlimitedcoding-config/main). KNOWN UNCHANGED: - releases/v2.1.119/sea/cli-wrapper.cjs still has api_key (part of npm package distribution; clients need it locally; sensey serves same). - Read-only gitea token (cadffcb0...) remains in installers — needed for token-auth fetch from private repo. Scoped read-only. RECOMMEND: api_key rotation in proxy auth list because ClauderAPI2 was publicly exposed for an unknown period. Existing client installs would need re-install or env override. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
15 lines
478 B
JSON
Executable File
15 lines
478 B
JSON
Executable File
{
|
|
"base_url": "https://ai.37-187-136-86.sslip.io",
|
|
"api_key": "YOUR_API_KEY",
|
|
"default_model": "qwen3.5-plus",
|
|
"models": [
|
|
"qwen3.5-plus",
|
|
"qwen3-coder-plus",
|
|
"qwen3-coder-flash"
|
|
],
|
|
"target_version": "0.14.5",
|
|
"telemetry_enabled": false,
|
|
"npm_package": "@qwen-code/qwen-code",
|
|
"npm_registry": "https://npm.sensey24.ru",
|
|
"_note": "Production config (with real api_key) lives in PRIVATE unlimitedcoding-config repo. This file is a template only."
|
|
} |