Open-sourcing a project means ensuring every API key, database password, internal domain, and .env file is stripped before you push to a public repo. Miss one, and it's on GitHub forever.
I built a pipeline of 3 Claude Code agents that automates this:
/opensource fork my-project
The Pipeline
1. Forker — Copies your project and strips secrets using 20 regex patterns (AWS, GitHub, Google OAuth, JWT, private keys, database URLs, Slack webhooks, SendGrid, Mailgun). Replaces internal references (domains, paths, IPs) with placeholders. Generates .env.example.
2. Sanitizer — Independent read-only auditor. Doesn't trust the forker. Re-scans everything across 6 categories: secrets, PII, internal references, dangerous files, config completeness, git history. One critical finding blocks release.
3. Packager — Detects your tech stack and generates CLAUDE.md, setup.sh, README.md, LICENSE, CONTRIBUTING.md, and GitHub issue templates.
Why Zero Trust Between Agents?
The sanitizer can report problems. It cannot fix them. If the same agent that strips secrets also checks for them, it can silently paper over its own mistakes. Separating the transformer (forker) from the verifier (sanitizer) is the core security design.
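The verifier half of that split, as an added Python example (not the pipeline's own code, which is markdown instructions): a read-only audit that only reports findings and blocks release on any hit. The five patterns, the dangerous-file rule and the constructed sample tree are assumptions for illustration, not the project's 20 regexes.

```python
import re
import tempfile
from pathlib import Path

# Illustrative patterns (assumed here; not the pipeline's own 20 regexes).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@/]+@"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
}
DANGEROUS_FILES = re.compile(r"^(?:\.env(?:\..+)?|id_rsa|.*\.pem)$")
ALLOWED_FILES = {".env.example"}  # the template the forker generates


def audit(root):
    """Read-only scan of a forked tree: returns findings, never edits files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if DANGEROUS_FILES.match(path.name) and path.name not in ALLOWED_FILES:
            findings.append((rel, 0, "dangerous_file"))  # line 0 = whole file
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((rel, lineno, name))
    return findings


def release_allowed(findings):
    """Every finding is treated as critical: one hit blocks the release."""
    return not findings


def demo():
    """Constructed fork output in which the transformer missed one secret."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".env.example").write_text("DATABASE_URL=<your-database-url>\n")
        (root / "app.py").write_text("import os\nKEY = os.environ['API_KEY']\n")
        # AWS's documented example key ID, standing in for a leaked one.
        (root / "deploy.sh").write_text("export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
        return audit(root)
```

This scans the working tree only; the git-history category listed for the sanitizer needs a separate pass over past commits.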
The Interesting Part
The entire codebase is 1,506 lines of markdown. No npm, no pip, no Docker. Each agent is a .md file with natural language instructions that Claude Code follows. The "code" is English.
Install (30 seconds)
git clone https://github.com/herakles-dev/opensource-pipeline.git
cd opensource-pipeline
./setup.sh
The setup script copies 4 files into ~/.claude/. Then open Claude Code in any project and say /opensource fork my-project.
Open Source
MIT license. 5 issues tagged "good first issue" — easiest contribution is adding a secret detection pattern.
GitHub: herakles-dev/opensource-pipeline