fix(sdk,core,build): SDK hardening pass

[ericallam]

Summary

Five hardening fixes across @trigger.dev/sdk, @trigger.dev/core, and @trigger.dev/build.

• tasks.triggerAndSubscribe now forwards caller requestOptions (custom API keys, per-request overrides) to the underlying apiClient.triggerTask call instead of silently dropping them.
• SSEStreamSubscription no longer retries permanent client errors forever. The default nonRetryableStatuses widens from [404, 410] to [400, 404, 409, 410, 422], so a malformed session-stream request fails fast instead of busy-looping under bounded backoff.
• Session writer falls back to manually wiring the caller's AbortSignal on Node 18, where AbortSignal.any is unavailable. Caller-driven cancellation now propagates on every supported runtime.
• TriggerChatTransport throws immediately when a chat.handover response is missing X-Trigger-Chat-Access-Token, instead of silently downgrading every subsequent turn back to the handover path. dispose() aborts every active session.out subscription before tearing the coordinator down, so unmount/navigation no longer leaves SSE readers in flight.
• Removed the experimental @trigger.dev/build/extensions/secureExec build extension. It will return alongside the sandbox feature it was built to support.

Test plan

• pnpm run build --filter @trigger.dev/sdk --filter @trigger.dev/core --filter @trigger.dev/build
• pnpm --filter @trigger.dev/sdk test --run (183 tests, including chat / chat-server / sessions / handover)
• pnpm --filter @trigger.dev/core test --run
• Manually trigger a chat.handover whose response strips X-Trigger-Chat-Access-Token, and confirm the transport throws synchronously rather than degrading.
• Unmount a chat UI mid-stream and confirm the active session.out SSE connection closes immediately.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a7675827-1dad-4009-b51b-1635cb6ac307

📥 Commits

Reviewing files that changed from the base of the PR and between 385c284 and 991d1d6.

📒 Files selected for processing (1)

• packages/trigger-sdk/src/v3/sessions.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/trigger-sdk/src/v3/sessions.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 8)
• GitHub Check: internal / 🧪 Unit Tests: Internal (6, 8)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 8)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 8)
• GitHub Check: internal / 🧪 Unit Tests: Internal (4, 8)
• GitHub Check: internal / 🧪 Unit Tests: Internal (1, 8)
• GitHub Check: internal / 🧪 Unit Tests: Internal (7, 8)
• GitHub Check: internal / 🧪 Unit Tests: Internal (2, 8)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 8)
• GitHub Check: internal / 🧪 Unit Tests: Internal (3, 8)
• GitHub Check: packages / 🧪 Unit Tests: Packages (1, 1)
• GitHub Check: typecheck / typecheck

---

Walkthrough

This PR removes the secureExec build extension from package exports and type mappings. It expands default non-retryable HTTP statuses for stream retries to include 400, 404, 409, 410, and 422. Chat handover now fails fast if X-Trigger-Chat-Access-Token is missing, dispose() aborts and clears active session streams, and AbortSignal.any usage in session streaming is replaced with explicit capability detection and a fallback that propagates caller abort reasons. Minor docs and call-argument fixes are included.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description provides comprehensive details about changes, test plan, and objectives, but does not follow the required template structure with checklist items, Testing, Changelog, and Screenshots sections.	Restructure the description to follow the template: include the checklist, organize content under Testing and Changelog sections, and confirm all contributing guide steps were followed.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: a hardening pass addressing security and robustness improvements across three packages (sdk, core, build).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/v45-sdk-hardening

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 991d1d6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.