
feat(build): migrate to tsup for ESM build #42

Open
jbdevprimary wants to merge 42 commits into main from feat/tsup-esm-build

Conversation

@jbdevprimary
Contributor

@jbdevprimary jbdevprimary commented Dec 29, 2025

Summary

  • Add tsup.config.ts to all packages (agentic-control, providers, vitest-agentic-control)
  • Update build scripts to use tsup for faster, more reliable ESM builds
  • Use --no-frozen-lockfile during transition to update lockfile with tsup

Why tsup?

  • Faster builds: esbuild-based bundler
  • Correct ESM output: Proper .js extensions for Node.js ESM compatibility
  • DTS generation: Automatically generates TypeScript declarations
  • Tree-shaking: Removes unused code for smaller bundles
  • Consistent tooling: Matches other ecosystem packages

Test plan

  • CI passes with new build configuration
  • All packages can be imported in Node.js ESM
  • TypeScript types are correctly generated
  • CLI binary works correctly

Note

Introduces tsup-based builds across packages and simplifies CI for faster, consistent ESM outputs.

  • Build system: Replace tsc with tsup in agentic-control, providers, and vitest-agentic-control; add tsup.config.ts per package with explicit entry points, ESM output, DTS generation, and externals
  • Scripts/Deps: Update package scripts (build, dev, build:types) and add tsup to devDependencies; update pnpm-lock.yaml
  • CI: Merge separate jobs into a single ci job running check, build, typecheck, and tests with coverage; add pnpm store caching; use pnpm install --no-frozen-lockfile; upload packages/*/dist artifacts
  • Docker: Keep PR build (no push) with linux/amd64; metadata/tags unchanged

Written by Cursor Bugbot for commit 079acce. This will update automatically on new commits.

…ator, etc.)

- Add roles module with RoleDefinition, RoleConfig, RoleTrigger types
- Add default roles: Sage, Harvester, Curator, Reviewer, Fixer, Delegator
- Add role executor with executeRole, executeSageRole functions
- Add roles CLI commands: list, info, sage, match
- Add RolesConfig to AgenticConfig for agentic.config.json support
- Export roles module from package index

Closes #40

- Add tsup.config.ts to all packages (agentic-control, providers, vitest-agentic-control)
- Update build scripts to use tsup
- Use --no-frozen-lockfile for transition
@gemini-code-assist
Contributor

Summary of Changes

Hello @jbdevprimary, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant upgrade to the project's build infrastructure by migrating all packages from tsc to tsup. This change aims to streamline the development workflow, improve build performance, and ensure robust compatibility with modern JavaScript module standards, particularly ESM. The transition to tsup brings benefits such as faster compilation, accurate ESM output, automatic TypeScript declaration generation, and efficient code tree-shaking, ultimately leading to a more reliable and optimized build process for the entire monorepo.

Highlights

  • Build System Migration: The project's build system has been migrated from tsc to tsup across agentic-control, providers, and vitest-agentic-control packages to enhance build efficiency and correctness.
  • Improved ESM Output: tsup ensures proper .js extensions for Node.js ESM compatibility, addressing common issues with module resolution and making the packages more robust.
  • Automated DTS Generation: TypeScript declaration files (.d.ts) are now automatically generated as part of the tsup build process, simplifying type management and distribution.
  • Performance and Optimization: Leveraging esbuild, tsup provides significantly faster builds and incorporates tree-shaking for smaller, optimized bundles, improving overall development and production efficiency.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/ci.yml

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request migrates the build system for agentic-control, providers, and vitest-agentic-control packages from tsc to tsup. The changes are well-structured and the new tsup.config.ts files are comprehensive. The migration to tsup is a great improvement for build speed and ESM compatibility.

I've found a few issues, mostly related to dependency management (peerDependencies and external configuration) that have been surfaced by this build system change. The most critical one is in vitest-agentic-control which is missing key peer dependencies, which would break the package for external consumers. There are also some inconsistencies in dependency definitions in the providers package. Finally, I've added a couple of suggestions for cleanup and simplification. Addressing these points will improve the robustness and maintainability of the packages.

Comment thread on packages/vitest-agentic-control/tsup.config.ts (outdated)
Comment thread on packages/providers/tsup.config.ts (outdated)
"build": "tsc",
"dev": "tsc --watch",
"build": "tsup",
"build:types": "tsc --emitDeclarationOnly",
Contributor


Severity: medium

The new build:types script appears to be redundant. The build script now uses tsup, which is configured with dts: true in tsup.config.ts to generate declaration files. The typecheck script already handles type checking without emitting files. To keep the scripts clean and avoid confusion, consider removing build:types unless it has a specific purpose not covered by the other scripts.

Comment thread on packages/agentic-control/tsup.config.ts (outdated)
Comment thread on .github/workflows/ci.yml (outdated)
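The dependency problems this review raises (a package that imports a module listed only under devDependencies, or that marks as `external` something its consumers never install) are mechanical enough to check in CI. The following is an added example, not code from this PR or the project: it scans source text for bare-module imports with a regex (a heuristic, not a full parser) and classifies each import against the package's package.json fields and its tsup `external` list. The package name, dependency names and source snippet are constructed for the example.

```typescript
// Added example (not part of the PR or the project): audit a package's imports
// against package.json and the tsup `external` list.

type DependencyFields = 'dependencies' | 'peerDependencies' | 'devDependencies';
type PackageJson = { name: string } & Partial<Record<DependencyFields, Record<string, string>>>;

interface DependencyReport {
  undeclared: string[];           // imported, but absent from every dependency field
  externalUndeclared: string[];   // left as a bare import by tsup (`external`) yet not a dependency/peerDependency
  bundledDevDependency: string[]; // devDependency that is not external: tsup inlines it into dist
}

// Reduce an import specifier to its package name; relative, absolute and node: specifiers yield null.
function packageNameOf(specifier: string): string | null {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Heuristic scan for static imports, re-exports and dynamic import(). Type-only imports are
// skipped because esbuild erases them. A regex, not a parser: good enough for a CI lint.
function importedPackages(source: string): Set<string> {
  const re = /(?:import|export)\s+(type\s+)?[^'"]*?from\s*['"]([^'"]+)['"]|import\s*\(?\s*['"]([^'"]+)['"]/g;
  const found = new Set<string>();
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    if (m[1]) continue; // `import type ...`
    const name = packageNameOf(m[2] ?? m[3] ?? '');
    if (name) found.add(name);
  }
  return found;
}

function auditDependencies(pkg: PackageJson, external: string[], sources: string[]): DependencyReport {
  const runtime = new Set([...Object.keys(pkg.dependencies ?? {}), ...Object.keys(pkg.peerDependencies ?? {})]);
  const dev = new Set(Object.keys(pkg.devDependencies ?? {}));
  const ext = new Set(external);
  const imported = new Set<string>();
  for (const src of sources) importedPackages(src).forEach((name) => imported.add(name));

  const report: DependencyReport = { undeclared: [], externalUndeclared: [], bundledDevDependency: [] };
  for (const name of Array.from(imported).sort()) {
    if (runtime.has(name)) continue; // declared for consumers; tsup externalizes dependencies/peerDependencies by default
    if (!dev.has(name)) report.undeclared.push(name);
    else if (ext.has(name)) report.externalUndeclared.push(name);
    else report.bundledDevDependency.push(name);
  }
  return report;
}

// Constructed sample package: the shape the review describes, with SDK-style modules
// only in devDependencies and one of them marked external anyway.
const samplePackage: PackageJson = {
  name: '@example/providers',
  dependencies: { zod: '^3.23.0' },
  peerDependencies: { ai: '^4.0.0' },
  devDependencies: { ai: '^4.0.0', '@example/triage': '^1.0.0', '@example/mcp': '^0.1.0', tsup: '^8.0.0', vitest: '^2.0.0' },
};
const sampleExternal = ['ai', '@example/mcp'];
const sampleSource = [
  "import { generateText } from 'ai';",
  "import type { Tool } from 'ai';",
  "import { triage } from '@example/triage';",
  "import { z } from 'zod';",
  "import { parse } from 'yaml';",
  "import { readFile } from 'node:fs/promises';",
  "import './local-helper.js';",
  "const mcp = await import('@example/mcp/client');",
].join('\n');

function sampleReport(): DependencyReport {
  return auditDependencies(samplePackage, sampleExternal, [sampleSource]);
}
```

For the constructed sample, `sampleReport()` returns `yaml` as undeclared, `@example/mcp` as external-but-undeclared and `@example/triage` as a bundled devDependency. The middle bucket is the one that breaks consumers silently: tsup keeps `import '@example/mcp'` in dist because it is external, but nobody installing the package gets it, so the failure only shows up at the consumer's runtime; the fix is a peerDependencies entry. A bundled devDependency works, but duplicates code and hides the dependency from audit tooling.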
@jbdevprimary
Contributor Author

🤖 Agent Handoff: @cursor

Enterprise Dashboard: jbcom/control-center#505

Context

This PR migrates @agentic-dev-library/control to tsup for proper ESM support. Part of enterprise-wide ESM standardization.

Your Responsibilities

  1. Handle ALL AI PR feedback - Own Gemini/Copilot suggestions
  2. Review and merge if CI passes
  3. Coordinate with triage#76 - Same migration pattern

Actions Required

git clone https://github.com/agentic-dev-library/control.git
cd control && git checkout <branch>
pnpm install && pnpm run build

Merge Priority

This is Phase 1 of the enterprise merge order. Merge to unblock feature PRs.

Please respond with status after review.

cursoragent and others added 18 commits December 29, 2025 04:41
- Add missing peer dependencies to vitest-agentic-control
- Standardize dependency definitions in providers package
- Move @agentic/triage to devDependencies/peerDependencies in providers
This commit addresses several issues and improvements:

**Dockerfile:**
- Updated `pnpm` to version `9` to align with CI and ensure compatibility.
- Changed `pnpm install` to `pnpm install --no-frozen-lockfile` to prevent potential build hangs caused by lockfile mismatches.
- Added `build-essential` to the Docker image to resolve issues with building packages that require compilation (e.g., git dependencies).
- Modified the Python package installation to install the local package (`./python[crewai]`) instead of relying on a potentially missing remote package.
- Set `PNPM_HOME` and added it to the `PATH` for global pnpm installations, ensuring consistency across different environments.

**CI Workflow (`.github/workflows/ci.yml`):**
- Added a new job `python-tests` to run tests for the Python component of the project.
- This job uses `uv` for Python environment management and dependency installation, ensuring a fast and efficient testing process.

**Repository Metadata (`package.json`):**
- Updated repository URLs and homepage links to reflect the new organization name `agentic-dev-library`.

**Documentation (`memory-bank/activeContext.md`):**
- Added a session entry detailing the changes made in this commit, including the Dockerfile fixes, CI updates, and metadata changes.

These changes aim to improve the build process, ensure test coverage, and maintain accurate project metadata.

Co-authored-by: jon <jon@jonbogaty.com>
@jbdevprimary
Contributor Author

📦 Tracking: #51

@jbdevprimary
Contributor Author

🤖 AI Code Review

Summary of Changes

  • Added a new "Roles" system for configurable AI agent personas (Sage, Harvester, Curator, Reviewer, Fixer, Delegator)
  • Switched from TypeScript compiler to tsup for building packages
  • Updated CI/CD workflow to consolidate jobs, add Docker build, and improve artifact handling
  • Added test coverage reporting to Coveralls
  • Updated .gitignore to exclude build artifacts and local repos

Issues Found

🔴 Critical: The packages/providers package has an empty dependencies array but references @agentic/triage in its code. This will cause runtime errors.

🟠 High: The Docker build job doesn't push the image, making it ineffective for deployment. Consider adding push condition for main branch.

🟠 High: The packages/vitest-agentic-control package has dependencies that should be peerDependencies (ai, @ai-sdk/mcp, @modelcontextprotocol/sdk).

🟡 Medium: The new roles system imports from ./core/providers.js which may cause circular dependencies with the providers package.

Low: Some action versions are pinned to major versions only (e.g., @v4) instead of exact versions.

Suggestions for Improvement

  1. Fix the packages/providers dependency issue by moving @agentic/triage back to dependencies
  2. Add conditional Docker push for releases: if: github.ref == 'refs/heads/main'
  3. Move AI SDK dependencies to peerDependencies in vitest-agentic-control
  4. Consider extracting the roles system to a separate package to avoid circular dependencies
  5. Pin all GitHub Actions to exact versions for better security
  6. Add a job to verify Docker image can be pulled and run after build

Reviewed by Ecosystem Reviewer using glm-4.6:cloud

@jbdevprimary
Contributor Author

🤖 AI Code Review

Summary of Changes

  • Added a new "Roles" feature for configurable AI agent personas (Sage, Harvester, Curator, etc.)
  • Restructured CI workflow to combine build/test jobs and add Python tests
  • Updated Dockerfile to fix build issues (pnpm@9, --no-frozen-lockfile, build-essential)
  • Switched from tsc to tsup for building TypeScript
  • Updated repository URLs in package.json
  • Added coverage reporting and Coveralls integration

Issues Found

🔴 Critical: Docker build uses --no-frozen-lockfile which can cause dependency drift
🟠 High: CI workflow doesn't cache pnpm store properly (key uses hashFiles but restore-keys is generic)
🟠 High: Python tests run without dependency caching
🟡 Medium: Release job downloads artifacts but doesn't verify they exist
🟡 Medium: No timeout specified for Python tests

Suggestions for Improvement

  1. 🔧 Fix Docker build: Use --frozen-lockfile and ensure lockfile is up-to-date
  2. 🔧 Improve CI caching: Add separate cache for Python dependencies with uv
  3. 🔧 Add artifact verification: Check if dist artifacts exist before download in release job
  4. 🔧 Add test timeouts: Set timeout for Python tests (e.g., timeout-minutes: 30)
  5. 🔧 Pin action versions: Use specific SHA versions instead of floating tags (v4, v5)
  6. 🔧 Optimize Docker: Multi-stage build to reduce final image size
  7. 🔧 Add error handling: Wrap critical steps in try/catch blocks
  8. 🔧 Security: Avoid using --no-frozen-lockfile in production builds

Reviewed by Ecosystem Reviewer using glm-4.6:cloud

@jbdevprimary
Contributor Author

🤖 AI Code Review

Summary of Changes

  • Added Docker build and push workflow for multi-arch releases
  • Refactored CI workflow to combine build/test jobs and add Python tests
  • Added new "roles" feature for configurable AI agent personas
  • Updated Dockerfile to fix build issues (pnpm@9, build-essential, local Python package)
  • Updated repository URLs in package.json to match org
  • Added comprehensive role definitions and CLI commands

Issues Found

🔴 Critical: Docker build uses --no-frozen-lockfile which can cause inconsistent builds
🔴 Critical: CI workflow doesn't pin action versions (security risk)
🟠 High: Python tests run without caching (slow CI)
🟠 High: No rate limiting on role execution (potential DoS)
🟡 Medium: Large system prompts in roles may hit token limits
🟡 Medium: No validation for custom role configurations
Low: Some CLI commands lack proper error handling

Suggestions for Improvement

  1. Pin all GitHub Actions to specific SHAs in workflows
  2. Use --frozen-lockfile in Dockerfile for reproducible builds
  3. Add Python dependency caching in CI workflow
  4. Implement rate limiting for role execution
  5. Add configuration validation for custom roles
  6. Break down large system prompts into smaller, focused sections
  7. Add comprehensive error handling for all CLI commands
  8. Consider adding integration tests for the new roles feature

Reviewed by Ecosystem Reviewer using glm-4.6:cloud
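Several of the reviews above flag workflow steps that reference an action by a floating major tag such as `@v4`; a tag can be moved to different code, a full commit SHA cannot. The following is an added example, not part of the PR or the project: a small lint that walks a workflow file's `uses:` lines and reports every third-party action that is not pinned to a 40-character commit SHA. The workflow text and the 40-hex value in it are constructed placeholders, not real commits.

```typescript
// Added example (not part of the PR or the project): flag GitHub Actions steps
// whose `uses:` reference is a mutable tag or branch instead of a full commit SHA.

interface ActionRef {
  line: number;    // 1-based line number in the workflow file
  action: string;  // owner/repo[/path]
  ref: string;     // whatever follows '@', or '' when missing
  pinned: boolean; // true only for a full 40-hex commit SHA
}

const FULL_SHA = /^[0-9a-f]{40}$/i;

function auditActionPins(workflowYaml: string): ActionRef[] {
  const refs: ActionRef[] = [];
  workflowYaml.split('\n').forEach((text, index) => {
    // `uses:` may open a list item ("- uses:") or follow a "name:" line; quotes and trailing comments are tolerated.
    const match = /^\s*-?\s*uses:\s*['"]?([^'"\s#]+)/.exec(text);
    if (!match) return;
    const spec = match[1];
    // Local composite actions and docker:// images are not addressed by git ref; skip them.
    if (spec.startsWith('./') || spec.startsWith('docker://')) return;
    const at = spec.indexOf('@');
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? '' : spec.slice(at + 1);
    refs.push({ line: index + 1, action, ref, pinned: FULL_SHA.test(ref) });
  });
  return refs;
}

// Human-readable list of offenders, e.g. "7: actions/checkout@v4".
function unpinnedActions(workflowYaml: string): string[] {
  return auditActionPins(workflowYaml)
    .filter((r) => !r.pinned)
    .map((r) => `${r.line}: ${r.action}@${r.ref || '<no ref>'}`);
}

// Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
const sampleWorkflow = [
  'name: ci',
  'on: [push, pull_request]',
  'jobs:',
  '  ci:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.x, placeholder SHA',
  '        with:',
  '          node-version: 22',
  '      - uses: pnpm/action-setup@v4',
  '      - uses: ./.github/actions/build',
  '      - name: Release',
  "        uses: 'softprops/action-gh-release@v2'",
].join('\n');
```

`unpinnedActions(sampleWorkflow)` reports lines 7, 11 and 14; the `setup-node` step on line 8 passes because its reference is a full SHA, and the local action on line 12 is skipped. Keeping the human-readable version as a trailing comment next to the SHA, as line 8 does, is what makes pinned workflows reviewable.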

@jbdevprimary
Contributor Author

🤖 AI Code Review

Summary of Changes

  • Added Docker build and push workflow for multi-arch releases
  • Refactored CI workflow to consolidate Node.js build/test steps
  • Added Python test workflow with uv package manager
  • Updated Dockerfile to fix build issues (pnpm@9, build-essential, local Python package)
  • Added new "roles" feature for configurable AI agent personas
  • Updated repository URLs in package.json to match org

Issues Found

🔴 Critical: Docker build uses --no-frozen-lockfile which ignores dependency lock verification
🔴 Critical: CI workflow doesn't verify pnpm lockfile integrity
🟠 High: Dockerfile installs Python package from local source without version pinning
🟠 High: New roles feature exports large amounts of code without proper access controls
🟡 Medium: Test timeout increased to 60s without investigating root cause
🟡 Medium: Docker build context includes entire repo (inefficient)

Suggestions

  1. 🔴 Use --frozen-lockfile in Dockerfile and CI for dependency security
  2. 🔴 Add pnpm lockfile verification step in CI workflow
  3. 🟠 Pin Python package version in Dockerfile or use git hash
  4. 🟠 Consider making roles feature opt-in via config flag
  5. 🟡 Use .dockerignore to reduce build context size
  6. 🟡 Add workflow to automatically update Docker base image
  7. ⚪ Consolidate duplicate Docker metadata extraction logic
  8. ⚪ Add workflow to validate repository URL consistency

Reviewed by Ecosystem Reviewer using glm-4.6:cloud

@jbdevprimary
Contributor Author

🤖 AI Code Review

Summary of Changes

  • Added Docker build and push workflow for multi-arch releases
  • Refactored CI to consolidate build/test jobs and add Python tests
  • Updated Dockerfile to fix build issues (pnpm@9, build-essential, local Python package)
  • Added new "roles" feature for configurable AI agent personas
  • Updated repository URLs in package.json to match org

Issues Found

🔴 Critical: Dockerfile installs Python package from local source but doesn't verify it exists
🔴 Critical: CI workflow uses --no-frozen-lockfile which can cause dependency drift
🟠 High: Docker build runs as root for initial setup before switching to agent user
🟠 High: No rate limiting or concurrency control for Docker pushes
🟡 Medium: Missing health checks in Dockerfile
🟡 Medium: No validation for Docker metadata tags
Low: Some action versions not pinned (e.g., softprops/action-gh-release@v2)

Suggestions for Improvement

  1. Add Python package existence check in Dockerfile before pip install
  2. Use --frozen-lockfile in CI for reproducible builds
  3. Implement multi-stage Docker build to reduce final image size
  4. Add Docker image SBOM generation for security compliance
  5. Configure GitHub Container Registry retention policies
  6. Add Docker image vulnerability scanning step
  7. Implement proper error handling for Docker build failures
  8. Add workflow permissions scoping for security
  9. Consider using Docker BuildKit cache mounts for faster builds
  10. Add integration tests for Docker image functionality

Reviewed by Ecosystem Reviewer using glm-4.6:cloud

@jbdevprimary
Contributor Author

🔧 Jules refactoring session started: https://jules.google.com/session/2991199301875474330

@jbdevprimary
Contributor Author

🤖 AI Code Review

1. Summary of Changes

  • Added Docker build and push workflow for multi-arch releases
  • Restructured CI workflow to include Node.js and Python jobs separately
  • Added new "roles" feature for configurable AI agent personas
  • Updated Dockerfile to fix build issues (pnpm@9, build-essential, local Python package)
  • Updated repository URLs from jbdevprimary to agentic-dev-library
  • Added comprehensive role definitions (Sage, Harvester, Curator, etc.)

2. Issues Found

🔴 Critical: Security Risk in Dockerfile

  • The Dockerfile installs pnpm globally without integrity verification
  • RUN npm install -g pnpm@9 should use checksum verification

🔴 Critical: Permission Bypass

  • The release job has contents: write and packages: write but runs on any push to main
  • Should require explicit release trigger or approval

🟠 High: Missing Input Validation

  • roles sage command accepts arbitrary query without sanitization
  • Could lead to prompt injection attacks

🟠 High: Inconsistent Secret Usage

  • Mixes GITHUB_TOKEN and CI_GITHUB_TOKEN across workflows
  • Standardize on GITHUB_TOKEN

🟡 Medium: Resource Waste

  • Docker build in CI runs full build without caching between jobs
  • Consider using build cache service

🟡 Medium: Missing Error Handling

  • Role executor lacks timeout protection
  • Could hang indefinitely on AI API calls

Low: Redundant Builds

  • Both CI and CD workflows build Docker images
  • Consolidate to single build step

3. Suggestions for Improvement

  1. Add checksum verification for pnpm:

    RUN pnpm_version=9 && \
        checksum="sha512-..." && \
        npm install -g pnpm@${pnpm_version} --checksum="${checksum}"
  2. Implement input sanitization:

    import sanitizeHtml from 'sanitize-html'; // the package's default export is the sanitizer function
    const cleanQuery = sanitizeHtml(query, { allowedTags: [] }); // strip every tag from the user-supplied query
  3. Add timeout protection:

    const timeout = 30000; // 30s
    let timer: ReturnType<typeof setTimeout> | undefined;
    const result = await Promise.race([
        executeRole(context),
        new Promise<never>((_, reject) => {
            timer = setTimeout(() => reject(new Error('Timeout')), timeout);
        }),
    ]).finally(() => clearTimeout(timer)); // clear the timer whichever side wins, or it keeps the process alive
    // A timed-out executeRole keeps running in the background; real cancellation needs an AbortSignal passed into it.
  4. Consolidate Docker builds:

    • Move Docker build to composite action
    • Share cache between CI and CD
  5. Standardize secret names:

    • Replace all CI_GITHUB_TOKEN with GITHUB_TOKEN
    • Update documentation accordingly
  6. Add approval gate:

    release:
      needs: [node-ci, python-ci]
      environment: production
  7. Improve error messages:

    • Add structured error types
    • Include retry logic for transient failures

Reviewed by Ecosystem Reviewer using glm-4.6:cloud

cursor Bot force-pushed the feat/tsup-esm-build branch from 86feab2 to df4c8f3 on December 31, 2025 07:54
@sonarqubecloud

Quality Gate failed

Failed conditions
18 Security Hotspots
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

