feat: community export workflow — strip script, leak-check hardening, CLA docs

- scripts/strip-commercial.sh: removes agor-pro/, commercial files, SPDX headers
- leak-check.yml: added LICENSE-COMMERCIAL, SPDX header, and feature flag checks
- CONTRIBUTING.md: external contributor guide, commercial content table, sync docs

CONTRIBUTING.md

@@ -18,6 +18,20 @@ periodically.
 All community contributions go to **DexterFromLab/agent-orchestrator**. Do not open
 PRs against this repo for community features.
 
+### How to Contribute
+
+1. Fork the community repo at `DexterFromLab/agent-orchestrator`
+2. Create a feature branch from `main`
+3. Make your changes and commit using conventional commits
+4. Open a pull request against `DexterFromLab/agent-orchestrator` `main`
+5. Sign the CLA when prompted by the bot on your first PR
+6. Address review feedback
+7. Once approved, a maintainer will merge your PR
+
+Do **not** fork or open PRs against `agents-orchestrator/agents-orchestrator` for
+community contributions. That repository contains commercial code and access is
+restricted.
+
 ### Contributor License Agreement (CLA)
 
 Every community contributor must sign the CLA before their first PR is merged.
@@ -25,13 +39,30 @@ CLA signing is automated via [CLA-assistant.io](https://cla-assistant.io/) on
 the community repository. The bot will prompt you on your first PR.
 
 The CLA grants the project maintainers a perpetual, irrevocable license to use
-your contribution in both the community and commercial editions.
+your contribution in both the community and commercial editions. You retain full
+ownership of your code. See [CLA.md](CLA.md) for the full agreement text.
 
 ## Commercial Development
 
 Commercial features are developed only in this repository. Access is restricted
 to authorized team members.
 
+### What Content Is Commercial-Only
+
+The following paths and markers identify commercial-only content:
+
+| Marker | Description |
+|--------|-------------|
+| `agor-pro/` | Commercial feature modules |
+| `src/lib/commercial/` | Commercial frontend components |
+| `tests/commercial/` | Commercial test suites |
+| `LICENSE-COMMERCIAL` | Commercial license file |
+| `LicenseRef-Commercial` SPDX header | Any file with this header |
+| `test:all:commercial` script | Commercial test runner |
+
+This content is automatically stripped during community sync and never appears in
+the community repository.
+
 ### SPDX License Headers
 
 All commercial source files must include the following header as the first line:
@@ -58,12 +89,27 @@ Community-shared code uses the MIT identifier:
 // SPDX-License-Identifier: MIT
 ```
 
-### Commercial Directories
+## Community Sync Workflow
 
-Files under these paths are always commercial-only:
+The community repo is kept in sync with this repo via an automated workflow:
 
-- `agor-pro/`
-- `src/lib/commercial/`
+1. **Trigger**: Manual dispatch or on release tag publication
+2. **Strip**: `scripts/strip-commercial.sh` removes all commercial content
+3. **Verify**: Automated checks ensure no commercial references remain
+4. **Push**: A sync branch is pushed to `DexterFromLab/agent-orchestrator`
+5. **Merge**: A maintainer reviews and merges the sync PR
+
+To preview what would be stripped locally:
+
+```bash
+# Dry run — shows what files would be removed (modifies working tree)
+bash scripts/strip-commercial.sh
+# Reset after preview
+git checkout .
+```
+
+The leak-check CI workflow runs on every push and PR to `main`, verifying that no
+commercial content has been accidentally committed to community-bound code.
 
 ## Branch Model