| name | opensource-pipeline |
| description | 开源流水线:fork、sanitize 并 package 私有项目,使其可安全公开发布。串联 3 个智能体(forker、sanitizer、packager)。触发:'/opensource'、'open source this'、'make this public'、'prepare for open source'。 |
| metadata | {"origin":"ECC"} |
Open-Source Pipeline Skill
通过 3 阶段流水线安全开源任何项目:Fork(剥离 secrets)→ Sanitize(验证干净)→ Package(CLAUDE.md + setup.sh + README)。
何时激活
- 用户说 “open source this project” 或 “make this public”
- 用户想为公开发布准备私有 repo
- 用户需要在推到 GitHub 前剥离 secrets
- 用户调用
/opensource fork、/opensource verify 或 /opensource package
命令
| 命令 | 动作 |
|---|
/opensource fork PROJECT | 完整流水线:fork + sanitize + package |
/opensource verify PROJECT | 对现有 repo 运行 sanitizer |
/opensource package PROJECT | 生成 CLAUDE.md + setup.sh + README |
/opensource list | 显示所有 staged projects |
/opensource status PROJECT | 显示某个 staged project 的报告 |
协议
/opensource fork PROJECT
完整流水线——主工作流。
Step 1:收集参数
解析项目路径。如果 PROJECT 包含 /,按路径处理(绝对或相对)。否则依次检查:当前工作目录、$HOME/PROJECT,然后询问用户。
SOURCE_PATH="<resolved absolute path>"
STAGING_PATH="$HOME/opensource-staging/${PROJECT_NAME}"
询问用户:
- “Which project?”(如果找不到)
- “License? (MIT / Apache-2.0 / GPL-3.0 / BSD-3-Clause)”
- “GitHub org or username?”(默认:通过
gh api user -q .login 检测)
- “GitHub repo name?”(默认:项目名)
- “Description for README?”(分析项目给建议)
Step 2:创建 Staging 目录
mkdir -p $HOME/opensource-staging/
Step 3:运行 Forker Agent
启动 opensource-forker 智能体:
Agent(
description="Fork {PROJECT} for open-source",
subagent_type="opensource-forker",
prompt="""
Fork project for open-source release.
Source: {SOURCE_PATH}
Target: {STAGING_PATH}
License: {chosen_license}
Follow the full forking protocol:
1. Copy files (exclude .git, node_modules, __pycache__, .venv)
2. Strip all secrets and credentials
3. Replace internal references with placeholders
4. Generate .env.example
5. Clean git history
6. Generate FORK_REPORT.md in {STAGING_PATH}/FORK_REPORT.md
"""
)
等待完成。读取 {STAGING_PATH}/FORK_REPORT.md。
Step 4:运行 Sanitizer Agent
启动 opensource-sanitizer 智能体:
Agent(
description="Verify {PROJECT} sanitization",
subagent_type="opensource-sanitizer",
prompt="""
Verify sanitization of open-source fork.
Project: {STAGING_PATH}
Source (for reference): {SOURCE_PATH}
Run ALL scan categories:
1. Secrets scan (CRITICAL)
2. PII scan (CRITICAL)
3. Internal references scan (CRITICAL)
4. Dangerous files check (CRITICAL)
5. Configuration completeness (WARNING)
6. Git history audit
Generate SANITIZATION_REPORT.md inside {STAGING_PATH}/ with PASS/FAIL verdict.
"""
)
等待完成。读取 {STAGING_PATH}/SANITIZATION_REPORT.md。
如果 FAIL: 向用户展示 findings。询问:“Fix these and re-scan, or abort?”
- 如果 fix:应用修复,重新运行 sanitizer(最多 3 次重试;3 次 FAIL 后,展示所有 findings 并请用户手动修)
- 如果 abort:清理 staging directory
如果 PASS 或 PASS WITH WARNINGS: 继续 Step 5。
Step 5:运行 Packager Agent
启动 opensource-packager 智能体:
Agent(
description="Package {PROJECT} for open-source",
subagent_type="opensource-packager",
prompt="""
Generate open-source packaging for project.
Project: {STAGING_PATH}
License: {chosen_license}
Project name: {PROJECT_NAME}
Description: {description}
GitHub repo: {github_repo}
Generate:
1. CLAUDE.md (commands, architecture, key files)
2. setup.sh (one-command bootstrap, make executable)
3. README.md (or enhance existing)
4. LICENSE
5. CONTRIBUTING.md
6. .github/ISSUE_TEMPLATE/ (bug_report.md, feature_request.md)
"""
)
Step 6:最终审查
向用户展示:
Open-Source Fork Ready: {PROJECT_NAME}
Location: {STAGING_PATH}
License: {license}
Files generated:
- CLAUDE.md
- setup.sh (executable)
- README.md
- LICENSE
- CONTRIBUTING.md
- .env.example ({N} variables)
Sanitization: {sanitization_verdict}
Next steps:
1. Review: cd {STAGING_PATH}
2. Create repo: gh repo create {github_org}/{github_repo} --public
3. Push: git remote add origin ... && git push -u origin main
Proceed with GitHub creation? (yes/no/review first)
Step 7:GitHub Publish(用户批准后)
cd "{STAGING_PATH}"
gh repo create "{github_org}/{github_repo}" --public --source=. --push --description "{description}"
/opensource verify PROJECT
独立运行 sanitizer。解析路径:如果 PROJECT 包含 /,按路径处理。否则依次检查 $HOME/opensource-staging/PROJECT、$HOME/PROJECT、当前目录。
Agent(
subagent_type="opensource-sanitizer",
prompt="Verify sanitization of: {resolved_path}. Run all 6 scan categories and generate SANITIZATION_REPORT.md."
)
/opensource package PROJECT
独立运行 packager。询问 “License?” 和 “Description?”,然后:
Agent(
subagent_type="opensource-packager",
prompt="Package: {resolved_path} ..."
)
/opensource list
ls -d $HOME/opensource-staging/*/
显示每个项目的 pipeline progress(是否存在 FORK_REPORT.md、SANITIZATION_REPORT.md、CLAUDE.md)。
/opensource status PROJECT
cat $HOME/opensource-staging/${PROJECT}/SANITIZATION_REPORT.md
cat $HOME/opensource-staging/${PROJECT}/FORK_REPORT.md
Staging Layout
$HOME/opensource-staging/
my-project/
FORK_REPORT.md # From forker agent
SANITIZATION_REPORT.md # From sanitizer agent
CLAUDE.md # From packager agent
setup.sh # From packager agent
README.md # From packager agent
.env.example # From forker agent
... # Sanitized project files
反模式
- 绝不在没有用户批准的情况下 push 到 GitHub
- 绝不跳过 sanitizer——它是安全门控
- sanitizer FAIL 后,绝不在未修复所有 critical findings 的情况下继续
- 绝不把
.env、*.pem 或 credentials.json 留在 staging directory
最佳实践
- 新发布始终运行完整流水线(fork → sanitize → package)
- staging directory 会持续存在直到明确清理——用它做 review
- 发布前,在任何手动修复后重新运行 sanitizer
- 参数化 secrets,而不是直接删除它们——保留项目功能
相关技能
参见 security-review,了解 sanitizer 使用的 secret detection patterns。