feat(supervisor): wide events + warm-start trace propagation #9
deepshekhardas wants to merge 4 commits into
| id: release | ||
| uses: softprops/action-gh-release@v1 | ||
| if: github.event_name == 'push' | ||
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 |
4 issues found across 1525 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/e2e-webapp.yml">
<violation number="1" location=".github/workflows/e2e-webapp.yml:67">
P2: Guard DockerHub login on both username and token so optional secrets don't cause a hard failure when only one is provided.</violation>
</file>
<file name=".github/workflows/publish-worker-v4.yml">
<violation number="1" location=".github/workflows/publish-worker-v4.yml:69">
P2: Semver releases no longer publish the additional `v4-beta` image tag, which regresses the previous tagging behavior.</violation>
</file>
<file name=".github/workflows/claude.yml">
<violation number="1" location=".github/workflows/claude.yml:22">
P1: This workflow now grants repository write permissions on `@claude` comment triggers without restricting who can invoke it, which creates an untrusted-to-write privilege escalation path.</violation>
</file>
<file name=".changeset/agent-skills.md">
<violation number="1" location=".changeset/agent-skills.md:1">
P2: Changeset describes 'Agent Skills for chat.agent' but the PR implements supervisor wide events and warm-start trace propagation. This changeset would create an inaccurate changelog entry and trigger patch bumps for packages that may not have corresponding code changes in this PR.</violation>
</file>
Note: This PR contains a large number of files. cubic only reviews up to 100 files per PR, so some files may not have been reviewed. cubic prioritizes the most important files to review.
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| contents: write |
P1: This workflow now grants repository write permissions on @claude comment triggers without restricting who can invoke it, which creates an untrusted-to-write privilege escalation path.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude.yml, line 22:
<comment>This workflow now grants repository write permissions on `@claude` comment triggers without restricting who can invoke it, which creates an untrusted-to-write privilege escalation path.</comment>
<file context>
@@ -19,24 +19,25 @@ jobs:
- contents: read
- pull-requests: read
- issues: read
+ contents: write
+ pull-requests: write
+ issues: write
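Review bot: All three scopes in this permissions block move from `read` to `write` in one step (`contents`, `pull-requests`, `issues`), and nothing in the hunk limits who can reach the job that holds them. Grant only the scope the job actually needs to write, keep the others at `read`, and gate the job with an `if:` on `github.event.comment.author_association` so that only OWNER, MEMBER or COLLABORATOR comments start it. `contents: write` is the one to justify explicitly, since it lets the job token push to the repository.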
</file context>
| # ..to avoid rate limits when pulling images | ||
| - name: 🐳 Login to DockerHub | ||
| if: ${{ env.DOCKERHUB_USERNAME }} |
P2: Guard DockerHub login on both username and token so optional secrets don't cause a hard failure when only one is provided.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/e2e-webapp.yml, line 67:
<comment>Guard DockerHub login on both username and token so optional secrets don't cause a hard failure when only one is provided.</comment>
<file context>
@@ -0,0 +1,97 @@
+
+ # ..to avoid rate limits when pulling images
+ - name: 🐳 Login to DockerHub
+ if: ${{ env.DOCKERHUB_USERNAME }}
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ with:
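Review bot: The `if: ${{ env.DOCKERHUB_USERNAME }}` guard tests only the username, so a run where the username is set and the token is not still reaches the login step with incomplete credentials. Test both values in the condition, for example `if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}`, assuming the token is exposed as an env variable named `DOCKERHUB_TOKEN` the same way the username is. Keep the check on `env`: the `secrets` context is not available in a step-level `if:`. The action reference pinned to a full commit SHA with the version in a trailing comment is the right form and should stay.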
</file context>
| if: ${{ env.DOCKERHUB_USERNAME }} | |
| if: ${{ secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN }} |
| image_tags=$image_tags,$ref_without_tag:v4-beta | ||
| fi | ||
| ref_without_tag=ghcr.io/triggerdotdev/${STEPS_GET_REPOSITORY_OUTPUTS_REPO} | ||
| image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG} |
P2: Semver releases no longer publish the additional v4-beta image tag, which regresses the previous tagging behavior.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish-worker-v4.yml, line 69:
<comment>Semver releases no longer publish the additional `v4-beta` image tag, which regresses the previous tagging behavior.</comment>
<file context>
@@ -62,26 +65,24 @@ jobs:
- image_tags=$image_tags,$ref_without_tag:v4-beta
- fi
+ ref_without_tag=ghcr.io/triggerdotdev/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}
+ image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
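Review bot: With the `v4-beta` append and its closing `fi` removed, `image_tags` holds exactly one tag when it is written to `$GITHUB_OUTPUT`, so the `v4-beta` tag stops moving forward and nothing at publish time reports it. If dropping the tag is intended, say so in the PR description; if not, restore the conditional after the new `image_tags=` line. Reading the repository and tag from shell variables such as `${STEPS_GET_TAG_OUTPUTS_TAG}` keeps those values out of the script text itself, which is worth preserving in any follow-up.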
</file context>
| image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG} | |
| image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG} | |
| # if tag is a semver, also tag it as v4 | |
| if [[ "$STEPS_GET_TAG_OUTPUTS_IS_SEMVER" == true ]]; then | |
| image_tags=$image_tags,$ref_without_tag:v4-beta | |
| fi |
| @@ -0,0 +1,16 @@ | |||
| --- | |||
P2: Changeset describes 'Agent Skills for chat.agent' but the PR implements supervisor wide events and warm-start trace propagation. This changeset would create an inaccurate changelog entry and trigger patch bumps for packages that may not have corresponding code changes in this PR.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .changeset/agent-skills.md:
<comment>Changeset describes 'Agent Skills for chat.agent' but the PR implements supervisor wide events and warm-start trace propagation. This changeset would create an inaccurate changelog entry and trigger patch bumps for packages that may not have corresponding code changes in this PR.</comment>
<file context>
@@ -0,0 +1,16 @@
+---
+"@trigger.dev/sdk": patch
+"@trigger.dev/core": patch
+"@trigger.dev/build": patch
+"trigger.dev": patch
+---
+
+Add Agent Skills for `chat.agent`. Drop a folder with a `SKILL.md` and any helper scripts/references next to your task code, register it with `skills.define({ id, path })`, and the CLI bundles it into the deploy image automatically — no `trigger.config.ts` changes. The agent gets a one-line summary in its system prompt and discovers full instructions on demand via `loadSkill`, with `bash` and `readFile` tools scoped per-skill (path-traversal guards, output caps, abort-signal propagation).
+
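Review bot: This changeset body describes Agent Skills for `chat.agent`, while the PR title is about supervisor wide events and warm-start trace propagation, so four packages (`@trigger.dev/sdk`, `@trigger.dev/core`, `@trigger.dev/build`, `trigger.dev`) would get a patch bump and a changelog entry for a feature this PR does not claim to contain. Drop the file from this branch, or replace it with a changeset that names the supervisor change. The entry also advertises security properties (path-traversal guards and output caps on per-skill `bash` and `readFile` tools); a statement like that belongs in the PR that ships and tests those guards.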
</file context>
Adds wide events system to supervisor for better event propagation across worker restarts.
Changes
Files changed (17)
Test
Closes triggerdotdev#3669
Summary by cubic
Adds wide-event instrumentation to `supervisor` and propagates `traceparent` on warm-start runs so traces stay connected across worker restarts. Improves visibility of workload routes and run socket lifecycle; feature is disabled by default.
`TRIGGER_WIDE_EVENTS_ENABLED` (off by default).
Written for commit 671b137. Summary will update on new commits.