Summary

Migrate operational content out of the public esolia/.github profile repo into two new private repos, eliminating public exposure of private repo names, CI architecture, and internal tooling.

Problem

The public .github repo currently exposes:

• All consumer repo names (pulse, periodic, nexus, courier, etc.) in sync and audit scripts
• Internal repo structures (packages/hanawa-cms/, /security/assessment/)
• CI/CD pipeline architecture (scanner configs, OPA policies, evidence sink)
• Claude rules/commands revealing internal coding standards
• ASVS assessment tooling showing which security controls we check

Target state

Migration phases

1. Create repos — scaffold devkit and opskit with starter structure
2. Migrate dev content — copy workflows, scripts, rules from .github to devkit
3. Migrate ops content — consolidate scattered PowerShell scripts into opskit
4. Update sync engine — repoint sync.ts to reference devkit instead of .github
5. Update consumers — update all consumer repos to reference devkit workflows
6. Clean up .github — remove operational content, reduce to profile only

Acceptance criteria

• devkit exists with all reusable workflows, scripts, and Claude rules
• opskit exists with PowerShell script scaffolding
• All consumer repos reference devkit workflows (not .github)
• .github contains only profile README and community health files
• grep across .github for private repo names returns nothing
• CI passes in at least one consumer repo after migration

InfoSec: eliminates public exposure of internal repo names, CI architecture, and security tooling configuration