What problem it solves

Open-sourcing a private project safely is error-prone: developers forget to strip API keys, leave internal hostnames in configs, skip LICENSE files, or push without a README. This skill automates the entire workflow with a mandatory secret-audit gate before any public push.

Who uses this workflow

Developers who maintain private tools and periodically release them publicly — especially those with secrets embedded in configs, internal domain references, or no existing open-source packaging (setup.sh, CONTRIBUTING, issue templates).

How it works

Three chained agents handle the pipeline:

1. Forker — copies the project to ~/opensource-staging/, strips secrets (API keys, tokens, passwords, connection strings), replaces internal references (hostnames, IPs, paths) with placeholders, generates .env.example
2. Sanitizer — independently audits the fork across 6 categories and 30+ regex patterns; produces a PASS/FAIL verdict; pipeline halts on FAIL until issues are fixed
3. Packager — generates CLAUDE.md, setup.sh (one-command bootstrap), README.md, LICENSE, CONTRIBUTING.md, and GitHub issue templates

The skill requires explicit user approval before creating the GitHub repo or pushing.

Commands

/opensource fork my-project     # Full pipeline
/opensource verify PROJECT       # Sanitizer only
/opensource package PROJECT      # Packager only
/opensource list                 # Show all staged projects

Attribution

Based on the open-source pipeline built for the Hercules platform: https://github.com/herakles-dev/opensource-pipeline