Add support for triggering from the backend

Author: ericallam

packages/build/package.json

@@ -31,7 +31,8 @@
       "./extensions/typescript": "./src/extensions/typescript.ts",
       "./extensions/puppeteer": "./src/extensions/puppeteer.ts",
       "./extensions/playwright": "./src/extensions/playwright.ts",
-      "./extensions/lightpanda": "./src/extensions/lightpanda.ts"
+      "./extensions/lightpanda": "./src/extensions/lightpanda.ts",
+      "./extensions/secureExec": "./src/extensions/secureExec.ts"
     },
     "sourceDialects": [
       "@triggerdotdev/source"
@@ -65,6 +66,9 @@
       ],
       "extensions/lightpanda": [
         "dist/commonjs/extensions/lightpanda.d.ts"
+      ],
+      "extensions/secureExec": [
+        "dist/commonjs/extensions/secureExec.d.ts"
       ]
     }
   },
@@ -207,6 +211,17 @@
         "types": "./dist/commonjs/extensions/lightpanda.d.ts",
         "default": "./dist/commonjs/extensions/lightpanda.js"
       }
+    },
+    "./extensions/secureExec": {
+      "import": {
+        "@triggerdotdev/source": "./src/extensions/secureExec.ts",
+        "types": "./dist/esm/extensions/secureExec.d.ts",
+        "default": "./dist/esm/extensions/secureExec.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/extensions/secureExec.d.ts",
+        "default": "./dist/commonjs/extensions/secureExec.js"
+      }
     }
   },
   "main": "./dist/commonjs/index.js",

packages/build/src/extensions/secureExec.ts

@@ -0,0 +1,172 @@
+import { BuildTarget } from "@trigger.dev/core/v3";
+import { BuildManifest } from "@trigger.dev/core/v3/schemas";
+import { BuildContext, BuildExtension } from "@trigger.dev/core/v3/build";
+import { dirname, resolve, join } from "node:path";
+import { readFileSync } from "node:fs";
+import { createRequire } from "node:module";
+import { readPackageJSON } from "pkg-types";
+
+export type SecureExecOptions = {
+  /**
+   * Packages available inside the sandbox at runtime.
+   *
+   * These are `require()`'d inside the V8 isolate at runtime — the bundler
+   * never sees them statically. They are marked external and installed as
+   * deploy dependencies.
+   *
+   * @example
+   * ```ts
+   * secureExec({ packages: ["jszip", "lodash"] })
+   * ```
+   */
+  packages?: string[];
+};
+
+/**
+ * Build extension for [secure-exec](https://secureexec.dev) — run untrusted
+ * JavaScript/TypeScript in V8 isolates with configurable permissions.
+ *
+ * Handles the esbuild workarounds needed for secure-exec's runtime
+ * `require.resolve` calls, native binaries, and module-scope resolution.
+ *
+ * @example
+ * ```ts
+ * import { secureExec } from "@trigger.dev/build/extensions/secureExec";
+ *
+ * export default defineConfig({
+ *   build: {
+ *     extensions: [secureExec()],
+ *   },
+ * });
+ * ```
+ */
+export function secureExec(options?: SecureExecOptions): BuildExtension {
+  return new SecureExecExtension(options ?? {});
+}
+
+class SecureExecExtension implements BuildExtension {
+  public readonly name = "SecureExecExtension";
+
+  private userPackages: string[];
+
+  constructor(options: SecureExecOptions) {
+    this.userPackages = options.packages ?? [];
+  }
+
+  externalsForTarget(_target: BuildTarget) {
+    return [
+      // esbuild must not be bundled — it locates its native binary via a
+      // relative path from its JS API entry point. secure-exec uses esbuild
+      // at runtime to bundle polyfills for sandbox code.
+      "esbuild",
+      // User-specified packages are require()'d inside the V8 sandbox at
+      // runtime — the bundler never sees them statically.
+      ...this.userPackages,
+    ];
+  }
+
+  onBuildStart(context: BuildContext) {
+    context.logger.debug(`Adding ${this.name} esbuild plugins`);
+
+    // Plugin 1: Replace node-stdlib-browser with pre-resolved paths.
+    //
+    // Trigger's ESM shim anchors require.resolve() to the chunk path, so
+    // node-stdlib-browser's runtime require.resolve("./mock/empty.js") breaks.
+    // Fix: load the real node-stdlib-browser at build time (where require.resolve
+    // works), capture the resolved path map, and inline it as a static export.
+    const workingDir = context.workingDir;
+    context.registerPlugin({
+      name: "secure-exec-stdlib-resolver",
+      setup(build) {
+        build.onResolve({ filter: /^node-stdlib-browser$/ }, () => ({
+          path: "node-stdlib-browser",
+          namespace: "secure-exec-nsb-resolved",
+        }));
+        build.onLoad({ filter: /.*/, namespace: "secure-exec-nsb-resolved" }, () => {
+          const buildRequire = createRequire(join(workingDir, "package.json"));
+          const resolved = buildRequire("node-stdlib-browser");
+          return {
+            contents: `export default ${JSON.stringify(resolved)};`,
+            loader: "js",
+          };
+        });
+      },
+    });
+
+    // Plugin 2: Inline bridge.js at build time.
+    //
+    // bridge-loader.js in @secure-exec/node(js) uses __dirname and
+    // require.resolve("@secure-exec/core") at module scope to locate
+    // dist/bridge.js on disk. This fails in Trigger's bundled output.
+    // Fix: read bridge.js content at build time and inline it as a
+    // string literal so no runtime filesystem resolution is needed.
+    //
+    context.registerPlugin({
+      name: "secure-exec-bridge-inline",
+      setup(build) {
+        build.onLoad(
+          { filter: /[\\/]@secure-exec[\\/]node[\\/]dist[\\/]bridge-loader\.js$/ },
+          (args) => {
+            try {
+              const buildRequire = createRequire(args.path);
+              const coreEntry = buildRequire.resolve("@secure-exec/core");
+              const coreRoot = resolve(dirname(coreEntry), "..");
+              const bridgeCode = readFileSync(join(coreRoot, "dist", "bridge.js"), "utf8");
+
+              return {
+                contents: [
+                  `import { getIsolateRuntimeSource } from "@secure-exec/core";`,
+                  `const bridgeCodeCache = ${JSON.stringify(bridgeCode)};`,
+                  `export function getRawBridgeCode() { return bridgeCodeCache; }`,
+                  `export function getBridgeAttachCode() { return getIsolateRuntimeSource("bridgeAttach"); }`,
+                ].join("\n"),
+                loader: "js",
+              };
+            } catch {
+              // If we can't inline the bridge, let the normal loader handle it.
+              return undefined;
+            }
+          }
+        );
+      },
+    });
+  }
+
+  async onBuildComplete(context: BuildContext, _manifest: BuildManifest) {
+    if (context.target === "dev") {
+      return;
+    }
+
+    context.logger.debug(`Adding ${this.name} deploy dependencies`);
+
+    const dependencies: Record<string, string> = {};
+
+    // Resolve versions for user-specified sandbox packages
+    for (const pkg of this.userPackages) {
+      try {
+        const modulePath = await context.resolvePath(pkg);
+        if (!modulePath) {
+          dependencies[pkg] = "latest";
+          continue;
+        }
+
+        const packageJSON = await readPackageJSON(dirname(modulePath));
+        dependencies[pkg] = packageJSON.version ?? "latest";
+      } catch {
+        context.logger.warn(
+          `Could not resolve version for sandbox package ${pkg}, defaulting to latest`
+        );
+        dependencies[pkg] = "latest";
+      }
+    }
+
+    context.addLayer({
+      id: "secureExec",
+      dependencies,
+      image: {
+        // isolated-vm requires native compilation tools
+        pkgs: ["python3", "make", "g++"],
+      },
+    });
+  }
+}

packages/trigger-sdk/src/v3/ai.ts

@@ -43,7 +43,8 @@ import { locals } from "./locals.js";
 import { metadata } from "./metadata.js";
 import type { ResolvedPrompt } from "./prompt.js";
 import { streams } from "./streams.js";
-import { createTask } from "./shared.js";
+import { createTask, trigger as triggerTaskInternal } from "./shared.js";
+import type { TriggerChatTaskParams, TriggerChatTaskResult } from "./chat.js";
 import { tracer } from "./tracer.js";
 
 /** Re-export for typing `ctx` in `chat.task` hooks without importing `@trigger.dev/core`. */
@@ -5125,13 +5126,72 @@ export type InferChatUIMessage<TTask extends AnyTask> = TTask extends Task<
   ? TUIM
   : UIMessage;
 
+/**
+ * Options for {@link createChatTriggerAction}.
+ */
+export type CreateChatTriggerActionOptions = {
+  /** TTL for the run-scoped public access token. @default "1h" */
+  tokenTTL?: string | number | Date;
+};
+
+/**
+ * Creates a function that triggers a chat task and returns a run-scoped session.
+ *
+ * Wrap the returned function in a Next.js server action (or any server-side handler)
+ * to keep task triggering on the server. The function calls `tasks.trigger()` with
+ * the secret key and mints a run-scoped PAT for stream subscription + input stream writes.
+ *
+ * @example
+ * ```ts
+ * // actions.ts
+ * "use server";
+ * import { chat } from "@trigger.dev/sdk/ai";
+ *
+ * export const triggerChat = chat.createTriggerAction("my-chat");
+ * ```
+ *
+ * Then pass it to the transport:
+ * ```tsx
+ * const transport = useTriggerChatTransport({
+ *   task: "my-chat",
+ *   triggerTask: triggerChat,
+ * });
+ * ```
+ */
+function createChatTriggerAction(
+  taskId: string,
+  options?: CreateChatTriggerActionOptions
+): (params: TriggerChatTaskParams) => Promise<TriggerChatTaskResult> {
+  return async (params: TriggerChatTaskParams): Promise<TriggerChatTaskResult> => {
+    const handle = await triggerTaskInternal(taskId, params.payload, {
+      tags: params.options.tags,
+      queue: params.options.queue,
+      maxAttempts: params.options.maxAttempts,
+      machine: params.options.machine as any,
+      priority: params.options.priority,
+    });
+
+    const publicAccessToken = await auth.createPublicToken({
+      scopes: {
+        read: { runs: handle.id },
+        write: { inputStreams: handle.id },
+      },
+      expirationTime: options?.tokenTTL ?? "1h",
+    });
+
+    return { runId: handle.id, publicAccessToken };
+  };
+}
+
 export const chat = {
   /** Create a chat task. See {@link chatTask}. */
   task: chatTask,
   /** Create a chat task with a fixed {@link UIMessage} subtype and optional default stream options. See {@link withUIMessage}. */
   withUIMessage,
   /** Create a chat task with a fixed client data schema. See {@link withClientData}. */
   withClientData,
+  /** Create a server-side trigger action helper. See {@link createChatTriggerAction}. */
+  createTriggerAction: createChatTriggerAction,
   /** Pipe a stream to the chat transport. See {@link pipeChat}. */
   pipe: pipeChat,
   /** Create a per-run typed local. See {@link chatLocal}. */

packages/trigger-sdk/src/v3/chat-react.ts

@@ -86,11 +86,11 @@ export function useTriggerChatTransport<TTask extends AnyTask = AnyTask>(
 ): TriggerChatTransport {
   const ref = useRef<TriggerChatTransport | null>(null);
   if (ref.current === null) {
-    ref.current = new TriggerChatTransport(options);
+    ref.current = new TriggerChatTransport(options as TriggerChatTransportOptions);
   }
 
-  // Keep onSessionChange up to date without recreating the transport
-  const { onSessionChange, renewRunAccessToken } = options;
+  // Keep callbacks up to date without recreating the transport
+  const { onSessionChange, renewRunAccessToken, triggerTask } = options;
   useEffect(() => {
     ref.current?.setOnSessionChange(onSessionChange);
   }, [onSessionChange]);
@@ -99,6 +99,10 @@ export function useTriggerChatTransport<TTask extends AnyTask = AnyTask>(
     ref.current?.setRenewRunAccessToken(renewRunAccessToken);
   }, [renewRunAccessToken]);
 
+  useEffect(() => {
+    ref.current?.setTriggerTask(triggerTask);
+  }, [triggerTask]);
+
   return ref.current;
 }