datadog 2.23.0 → 2.25.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a168735b19c403a74cd23f49a301a74006d827ff24f62cc93255a353d0415359
-  data.tar.gz: 7f6df03ec7834bf5709b36d8fa9a8213ad5c5f9bf04e299acb7d3c1e781760e7
+  metadata.gz: b31bd418a350c8999b821462c0699a19af1b02242a7a22f4fee10859cd520d4c
+  data.tar.gz: 4a77d7cb714bfb82312d642b583d23f7b9407435c6577b864f1ca98751826ec6
 SHA512:
-  metadata.gz: a933fb99fd374b1da93fd0a70b7cb33b2396977e8388ebfd5e12d968da7158ef8fc23a73672c308f8a72e433525c99ac1182285adc2df1eb244082efeef374bb
-  data.tar.gz: 224bbcc48cde29a3a85c1eea9d5e1653ed26ad2d195389e599f2e4614158d63284c92fbf155cbd7bf584930195d4b30b7bf5a8a1fd6951ac798c1d3a1b35969b
+  metadata.gz: f51a7d85ab5e057e5a485f7dffe7d329b4aacde56d784239a15dbb8a48508d082ba69dbecb992336d132965b642ccdf39cd4f4e2378d749174cab64496b1fe2f
+  data.tar.gz: 83504124b5fad578d31002d5ab4d19450c14c8a857b7b553925bbff2cb2fdb53ee2dbeb2e7c774128c92203e69b3c484896591435ec4df01740e2028b70ff7fe

data/CHANGELOG.md

@@ -2,6 +2,51 @@
 
 ## [Unreleased]
 
+## [2.25.0] - 2026-01-13
+
+### Added
+
+AI Guard: Add SDK for evaluating the safety of user messages and assistant commands for LLM session ([#5144][])
+
+### Changed
+
+Core: Bump minimum version of `datadog-ruby_core_source` dependency ([#5215][])
+
+### Fixed
+
+AppSec: Fix processing of numeric data for WAF and RASP checks ([#5222][])
+
+## [2.24.0] - 2026-01-08
+
+### Added
+
+* Core: Add support for installing the gem on Ruby 4.0.x stable ([#5157][])
+* Tracing: Add origin detection using extra headers and the `DD_EXTERNAL_ENV` variable. ([#5028][])
+* Dynamic Instrumentation: Add one-click enablement support ([#5150][])
+* SSI: Add support for Bundler deployment mode ([#5053][])
+* SSI: Report UI-oriented injection results ([#5053][])
+* SSI: Guard against Bundler global force_ruby_platform ([#5053][])
+* SSI: Guard against Bundler 4.0 and Bundler 2.7 in 4.0 mode ([#5053][])
+* SSI: Guard against Ruby 3.5+ ([#5053][])
+
+### Changed
+
+* Profiling: Remove profiler warning related to the Ractor issue ([#5194][])
+* Profiling: Disable heap profiling on Ruby 4 due to incompatibility ([#5148][])
+* Dynamic Instrumentation: Stop using customer-provided time provider for method duration calculation ([#5153][])
+* Live Debugger / Dynamic Instrumentation: Improve probe instrumentation ([#5165][])
+* Live Debugger / Dynamic Instrumentation: Improve instrumentation reliability for probes ([#5169][])
+
+### Fixed
+
+* Core: Improve reliability of worker shutdown ([#5176][])
+* Core: Fix RDoc error when installing the `datadog` gem ([#5145][])
+* Tracing: Ensure `Tracing.continue_from!` keeps the active trace for the full block duration. ([#4941][])
+* Profiling: Fix and refine profiler thread state categorization for Ruby 4 ([#5197][])
+* Profiling: Fix profiler error triggering `Bundler::PermissionError` ([#5146][])
+* Live Debugger / Dynamic Instrumentation: Fix Live Debugger and Dynamic Instrumentation UI for forking web servers ([#5159][])
+* Live Debugger / Dynamic Instrumentation: Fix method probe leak when a referenced class loads after the probe reaches the application ([#5168][])
+
 ## [2.23.0] - 2025-12-11
 
 ### Added
@@ -3392,7 +3437,9 @@ Release notes: https://github.com/DataDog/dd-trace-rb/releases/tag/v0.3.1
 Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 
 
-[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.23.0...master
+[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.25.0...master
+[2.25.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.24.0...v2.25.0
+[2.24.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.23.0...v2.24.0
 [2.23.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.22.0...v2.23.0
 [2.22.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.21.0...v2.22.0
 [2.21.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.20.0...v2.21.0
@@ -5010,6 +5057,7 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#4914]: https://github.com/DataDog/dd-trace-rb/issues/4914
 [#4918]: https://github.com/DataDog/dd-trace-rb/issues/4918
 [#4919]: https://github.com/DataDog/dd-trace-rb/issues/4919
+[#4941]: https://github.com/DataDog/dd-trace-rb/issues/4941
 [#4957]: https://github.com/DataDog/dd-trace-rb/issues/4957
 [#4965]: https://github.com/DataDog/dd-trace-rb/issues/4965
 [#4969]: https://github.com/DataDog/dd-trace-rb/issues/4969
@@ -5024,18 +5072,36 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#5021]: https://github.com/DataDog/dd-trace-rb/issues/5021
 [#5024]: https://github.com/DataDog/dd-trace-rb/issues/5024
 [#5025]: https://github.com/DataDog/dd-trace-rb/issues/5025
+[#5028]: https://github.com/DataDog/dd-trace-rb/issues/5028
 [#5031]: https://github.com/DataDog/dd-trace-rb/issues/5031
 [#5033]: https://github.com/DataDog/dd-trace-rb/issues/5033
 [#5042]: https://github.com/DataDog/dd-trace-rb/issues/5042
 [#5044]: https://github.com/DataDog/dd-trace-rb/issues/5044
 [#5045]: https://github.com/DataDog/dd-trace-rb/issues/5045
 [#5049]: https://github.com/DataDog/dd-trace-rb/issues/5049
+[#5053]: https://github.com/DataDog/dd-trace-rb/issues/5053
 [#5054]: https://github.com/DataDog/dd-trace-rb/issues/5054
 [#5058]: https://github.com/DataDog/dd-trace-rb/issues/5058
 [#5073]: https://github.com/DataDog/dd-trace-rb/issues/5073
 [#5086]: https://github.com/DataDog/dd-trace-rb/issues/5086
 [#5091]: https://github.com/DataDog/dd-trace-rb/issues/5091
 [#5122]: https://github.com/DataDog/dd-trace-rb/issues/5122
+[#5144]: https://github.com/DataDog/dd-trace-rb/issues/5144
+[#5145]: https://github.com/DataDog/dd-trace-rb/issues/5145
+[#5146]: https://github.com/DataDog/dd-trace-rb/issues/5146
+[#5148]: https://github.com/DataDog/dd-trace-rb/issues/5148
+[#5150]: https://github.com/DataDog/dd-trace-rb/issues/5150
+[#5153]: https://github.com/DataDog/dd-trace-rb/issues/5153
+[#5157]: https://github.com/DataDog/dd-trace-rb/issues/5157
+[#5159]: https://github.com/DataDog/dd-trace-rb/issues/5159
+[#5165]: https://github.com/DataDog/dd-trace-rb/issues/5165
+[#5168]: https://github.com/DataDog/dd-trace-rb/issues/5168
+[#5169]: https://github.com/DataDog/dd-trace-rb/issues/5169
+[#5176]: https://github.com/DataDog/dd-trace-rb/issues/5176
+[#5194]: https://github.com/DataDog/dd-trace-rb/issues/5194
+[#5197]: https://github.com/DataDog/dd-trace-rb/issues/5197
+[#5215]: https://github.com/DataDog/dd-trace-rb/issues/5215
+[#5222]: https://github.com/DataDog/dd-trace-rb/issues/5222
 [@AdrianLC]: https://github.com/AdrianLC
 [@Azure7111]: https://github.com/Azure7111
 [@BabyGroot]: https://github.com/BabyGroot

data/ext/datadog_profiling_native_extension/collectors_stack.c

@@ -347,8 +347,10 @@ void sample_thread(
         } else if (CHARSLICE_EQUALS("select", name_slice)) { // Expected to be Kernel.select
           state_label->str  = DDOG_CHARSLICE_C("waiting");
         } else if (
-            CHARSLICE_EQUALS("synchronize", name_slice) || // Expected to be Monitor/Mutex#synchronize
-            CHARSLICE_EQUALS("lock", name_slice) ||        // Expected to be Mutex#lock
+            CHARSLICE_EQUALS("synchronize", name_slice) || // Expected to be Monitor/Mutex#synchronize on Ruby 2 & 3, and Monitor#synchronize on 4 (Mutex becomes <internal:thread_sync>)
+            #ifdef NO_PRIMITIVE_MUTEX_AND_CONDITION_VARIABLE // Ruby < 4
+              CHARSLICE_EQUALS("lock", name_slice) ||        // Expected to be Mutex#lock
+            #endif
             CHARSLICE_EQUALS("join", name_slice)           // Expected to be Thread#join
         ) {
           state_label->str  = DDOG_CHARSLICE_C("blocked");
@@ -366,9 +368,19 @@ void sample_thread(
         #endif
       } else {
         #ifndef NO_PRIMITIVE_POP // Ruby >= 3.2
-          // Unlike the above, Ruby actually treats this one specially and gives it a nice file name we can match on!
-          if (CHARSLICE_EQUALS("pop", name_slice) && CHARSLICE_EQUALS("<internal:thread_sync>", filename_slice)) { // Expected to be Queue/SizedQueue#pop
-            state_label->str  = DDOG_CHARSLICE_C("waiting");
+          if (CHARSLICE_EQUALS("<internal:thread_sync>", filename_slice)) {
+            if (CHARSLICE_EQUALS("pop", name_slice)) { // Expected to be Queue/SizedQueue#pop
+              state_label->str  = DDOG_CHARSLICE_C("waiting");
+            }
+            #ifndef NO_PRIMITIVE_MUTEX_AND_CONDITION_VARIABLE // Ruby >= 4
+              else if (CHARSLICE_EQUALS("synchronize", name_slice) || CHARSLICE_EQUALS("lock", name_slice)) { // Expected to be Mutex#lock/synchronize
+                state_label->str  = DDOG_CHARSLICE_C("blocked");
+              } else if (CHARSLICE_EQUALS("sleep", name_slice)) { // Expected to be Mutex#sleep
+                state_label->str  = DDOG_CHARSLICE_C("sleeping");
+              } else if (CHARSLICE_EQUALS("wait", name_slice)) { // Expected to be ConditionVariable#wait
+                state_label->str  = DDOG_CHARSLICE_C("waiting");
+              }
+            #endif
           }
         #endif
       }

data/ext/datadog_profiling_native_extension/crashtracking_runtime_stacks.c

@@ -0,0 +1,239 @@
+// NOTE: This file is a part of the profiling native extension even though the
+// runtime stacks feature is consumed by the crashtracker. The profiling
+// extension already carries all the Ruby VM private header access and build
+// plumbing required to safely poke at internal structures. Sharing that setup
+// avoids duplicating another native extension with the same (fragile) access
+// patterns, and keeps the overall install/build surface area smaller.
+//
+// This also means that this functionality is depend on the profiling native extension
+// being available and built
+#include "extconf.h"
+
+#if defined(__linux__)
+
+#include <datadog/crashtracker.h>
+#include "datadog_ruby_common.h"
+#include "private_vm_api_access.h"
+#include <sys/mman.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+
+static const rb_data_type_t *crashtracker_thread_data_type = NULL;
+
+static void ruby_runtime_stack_callback(
+  void (*emit_frame)(const ddog_crasht_RuntimeStackFrame*)
+);
+
+// Use a fixed, preallocated buffer for crash-time runtime stacks to avoid
+// heap allocation in the signal/crash path.
+#define RUNTIME_STACK_MAX_FRAMES 512
+static frame_info runtime_stack_buffer[RUNTIME_STACK_MAX_FRAMES];
+
+#if defined(__x86_64__)
+#  define SYS_MINCORE 0x1B
+#elif defined(__aarch64__)
+#  define SYS_MINCORE 0xE8
+#endif
+
+long syscall(long number, ...);
+
+// align down to power of two
+static inline uintptr_t align_down(uintptr_t x, uintptr_t align) {
+  return x & ~(align - 1u);
+}
+
+static uintptr_t cached_page_size = 0;
+
+// TODO: This function is not necessarily Ruby specific. This will be moved to
+// `libdatadog` in the future as a shared utility function.
+static inline bool is_pointer_readable(const void *ptr, size_t size) {
+  if (!ptr || size == 0) return false;
+
+  uintptr_t page_size = cached_page_size;
+
+  const uintptr_t start = align_down((uintptr_t)ptr, page_size);
+  const uintptr_t end   = ((uintptr_t)ptr + size - 1u);
+  const uintptr_t last  = align_down(end, page_size);
+
+  // Number of pages spanned
+  size_t pages = 1u + (last != start);
+  if (pages > 2u) pages = 2u;
+
+  unsigned char vec[2];
+
+  int retries = 5;
+  for (;;) {
+      size_t len = pages * (size_t)page_size;
+      long rc = syscall(SYS_MINCORE, (void*)start, len, vec);
+
+      if (rc == 0) {
+          return true;
+      }
+
+      int e = errno;
+      if (e == ENOMEM || e == EFAULT) {
+          return false;
+      }
+
+      if (e == EAGAIN && retries-- > 0) {
+          continue;
+      }
+
+      // Unknown errno, we assume mapped to avoid cascading faults in crash path
+      return true;
+  }
+}
+
+static inline ddog_CharSlice char_slice_from_cstr(const char *cstr) {
+  if (cstr == NULL) {
+    return (ddog_CharSlice){.ptr = NULL, .len = 0};
+  }
+  return (ddog_CharSlice){.ptr = cstr, .len = strlen(cstr)};
+}
+
+static ddog_CharSlice safe_string_value(VALUE str) {
+  if (str == Qnil) return DDOG_CHARSLICE_C("<nil>");
+
+  // Validate object and payload readability in one check
+  if (!is_pointer_readable((const void *)str, sizeof(struct RString))) return DDOG_CHARSLICE_C("<corrupted>");
+  if (!RB_TYPE_P(str, T_STRING)) return DDOG_CHARSLICE_C("<not_string>");
+
+  long len = RSTRING_LEN(str);
+  if (len < 0 || len > 1024) return DDOG_CHARSLICE_C("<length_over_limit>");
+
+  const char *ptr = RSTRING_PTR(str);
+  if (!ptr) return DDOG_CHARSLICE_C("<null>");
+
+  if (!is_pointer_readable(ptr, len > 0 ? len : 1)) return DDOG_CHARSLICE_C("<unreadable>");
+
+  return (ddog_CharSlice){.ptr = ptr, .len = (size_t)len};
+}
+
+static void emit_placeholder_frame(
+  void (*emit_frame)(const ddog_crasht_RuntimeStackFrame*),
+  const char *label
+) {
+  ddog_crasht_RuntimeStackFrame frame = {
+    .type_name = DDOG_CHARSLICE_C(""),
+    .function = char_slice_from_cstr(label),
+    .file = DDOG_CHARSLICE_C("<unknown>"),
+    .line = 0,
+    .column = 0
+  };
+  emit_frame(&frame);
+}
+
+// Collect the crashing thread's frames via ddtrace_rb_profile_frames into a static buffer, then emit
+// them newest-first. If corruption is detected, emit placeholder frames so the crash report still
+// completes. We lean on the Ruby VM helpers we already use for profiling and rely on crashtracker's
+// safety nets so a failure here should not impact customers.
+static void ruby_runtime_stack_callback(
+  void (*emit_frame)(const ddog_crasht_RuntimeStackFrame*)
+) {
+  // Grab the Ruby thread we crashed on; crashtracker only runs once.
+  VALUE current_thread = rb_thread_current();
+  if (current_thread == Qnil) return;
+
+  if (crashtracker_thread_data_type == NULL) return;
+
+  if (!rb_typeddata_is_kind_of(current_thread, crashtracker_thread_data_type)) {
+    emit_placeholder_frame(emit_frame, "<runtime stack not found>");
+    return;
+  }
+
+  // Use the profiling helper to gather frames into our static buffer.
+  int frame_count = ddtrace_rb_profile_frames(
+    current_thread,
+    0,
+    RUNTIME_STACK_MAX_FRAMES,
+    runtime_stack_buffer
+  );
+
+  if (frame_count <= 0) {
+    emit_placeholder_frame(emit_frame, "<runtime stack not found>");
+    return;
+  }
+
+  for (int i = frame_count - 1; i >= 0; i--) {
+    frame_info *info = &runtime_stack_buffer[i];
+
+    if (info->is_ruby_frame) {
+      const void *iseq = (const void *)info->as.ruby_frame.iseq;
+      ddog_CharSlice function_slice = DDOG_CHARSLICE_C("<unknown>");
+      ddog_CharSlice file_slice = DDOG_CHARSLICE_C("<unknown>");
+
+      if (iseq && is_pointer_readable(iseq, sizeof_rb_iseq_t())) {
+        function_slice = safe_string_value(ddtrace_iseq_base_label(iseq));
+        file_slice = safe_string_value(ddtrace_iseq_path(iseq));
+      }
+
+      ddog_crasht_RuntimeStackFrame frame = {
+        .type_name = DDOG_CHARSLICE_C(""),
+        .function = function_slice,
+        .file = file_slice,
+        .line = info->as.ruby_frame.line,
+        .column = 0
+      };
+
+      emit_frame(&frame);
+    } else {
+      ddog_CharSlice function_slice = DDOG_CHARSLICE_C("<C method>");
+      ddog_CharSlice file_slice = DDOG_CHARSLICE_C("<C extension>");
+
+      if (info->as.native_frame.method_id) {
+        const char *method_name = rb_id2name(info->as.native_frame.method_id);
+        if (is_pointer_readable(method_name, 256)) {
+          size_t method_name_len = strnlen(method_name, 256);
+          if (method_name_len > 0 && method_name_len < 256) {
+            function_slice = char_slice_from_cstr(method_name);
+          }
+        }
+      }
+
+      ddog_crasht_RuntimeStackFrame frame = {
+        .type_name = DDOG_CHARSLICE_C(""),
+        .function = function_slice,
+        .file = file_slice,
+        .line = 0,
+        .column = 0
+      };
+
+      emit_frame(&frame);
+    }
+  }
+
+  if (frame_count == RUNTIME_STACK_MAX_FRAMES) {
+    emit_placeholder_frame(emit_frame, "<truncated frames>");
+  }
+}
+
+void crashtracking_runtime_stacks_init(void) {
+  cached_page_size = (uintptr_t)sysconf(_SC_PAGESIZE);
+  if (cached_page_size == 0 || (cached_page_size & (cached_page_size - 1u))) {
+    cached_page_size = 4096;
+  }
+
+  if (crashtracker_thread_data_type == NULL) {
+    VALUE current_thread = rb_thread_current();
+    if (current_thread == Qnil) {
+      rb_raise(rb_eRuntimeError, "crashtracking_runtime_stacks_init: rb_thread_current returned Qnil");
+    }
+
+    const rb_data_type_t *thread_data_type = RTYPEDDATA_TYPE(current_thread);
+    if (!thread_data_type) {
+      rb_raise(rb_eRuntimeError, "crashtracking_runtime_stacks_init: RTYPEDDATA_TYPE returned NULL");
+    }
+
+    crashtracker_thread_data_type = thread_data_type;
+  }
+
+  // Register immediately so Ruby doesn't need to manage this explicitly.
+  ddog_crasht_register_runtime_frame_callback(ruby_runtime_stack_callback);
+}
+
+#else
+// Keep init symbol to satisfy linkage on non linux platforms, but do nothing
+void crashtracking_runtime_stacks_init(void) {}
+#endif
+

data/ext/datadog_profiling_native_extension/extconf.rb

@@ -138,8 +138,11 @@ if have_header("dlfcn.h")
     have_func("dladdr")
 end
 
+# On older Rubies, there was no primitive mutex and condition variable implemented in `thread_sync.rb` (internal)
+$defs << "-DNO_PRIMITIVE_MUTEX_AND_CONDITION_VARIABLE" if RUBY_VERSION < "4"
+
 # On Ruby 4, we can't ask the object_id from IMEMOs (https://github.com/ruby/ruby/pull/13347)
-$defs << "-DNO_IMEMO_OBJECT_ID" unless RUBY_VERSION < "4.0"
+$defs << "-DNO_IMEMO_OBJECT_ID" unless RUBY_VERSION < "4"
 
 # This symbol is exclusively visible on certain Ruby versions: 2.6 to 3.2, as well as 3.4 (but not 4.0+)
 # It's only used to get extra information about an object when a failure happens, so it's a "very nice to have" but not

data/ext/datadog_profiling_native_extension/private_vm_api_access.c

@@ -76,6 +76,18 @@ rb_nativethread_id_t pthread_id_for(VALUE thread) {
   #endif
 }
 
+size_t sizeof_rb_iseq_t(void) {
+  return sizeof(rb_iseq_t);
+}
+
+VALUE ddtrace_iseq_base_label(const void *iseq) {
+  return rb_iseq_base_label((const rb_iseq_t *)iseq);
+}
+
+VALUE ddtrace_iseq_path(const void *iseq) {
+  return rb_iseq_path((const rb_iseq_t *)iseq);
+}
+
 // Queries if the current thread is the owner of the global VM lock.
 //
 // @ivoanjo: Ruby has a similarly-named `ruby_thread_has_gvl_p` but that API is insufficient for our needs because it can

data/ext/datadog_profiling_native_extension/private_vm_api_access.h

@@ -47,6 +47,10 @@ VALUE thread_name_for(VALUE thread);
 
 int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, frame_info *stack_buffer);
 
+size_t sizeof_rb_iseq_t(void);
+VALUE ddtrace_iseq_base_label(const void *iseq);
+VALUE ddtrace_iseq_path(const void *iseq);
+
 // Returns true if the current thread belongs to the main Ractor or if Ruby has no Ractor support
 bool ddtrace_rb_ractor_main_p(void);
 

data/ext/datadog_profiling_native_extension/profiling.c

@@ -23,6 +23,7 @@ void collectors_thread_context_init(VALUE profiling_module);
 void encoded_profile_init(VALUE profiling_module);
 void http_transport_init(VALUE profiling_module);
 void stack_recorder_init(VALUE profiling_module);
+void crashtracking_runtime_stacks_init(void);
 
 static VALUE native_working_p(VALUE self);
 static VALUE _native_grab_gvl_and_raise(DDTRACE_UNUSED VALUE _self, VALUE exception_class, VALUE test_message, VALUE test_message_arg, VALUE release_gvl);
@@ -65,6 +66,7 @@ void DDTRACE_EXPORT Init_datadog_profiling_native_extension(void) {
   encoded_profile_init(profiling_module);
   http_transport_init(profiling_module);
   stack_recorder_init(profiling_module);
+  crashtracking_runtime_stacks_init();
   unsafe_api_calls_check_init();
 
   // Hosts methods used for testing the native code using RSpec

data/lib/datadog/ai_guard/api_client.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require "uri"
+require "net/http"
+require "json"
+
+module Datadog
+  module AIGuard
+    # API Client for AI Guard API.
+    # Uses net/http to perform request. Raises on client and server errors.
+    class APIClient
+      DEFAULT_SITE = "app.datadoghq.com"
+      DEFAULT_PATH = "/api/v2/ai-guard"
+
+      def initialize(endpoint:, api_key:, application_key:, timeout:)
+        @timeout = timeout
+
+        @endpoint_uri = if endpoint
+          URI(endpoint) #: URI::HTTP
+        else
+          URI::HTTPS.build(
+            host: Datadog.configuration.site || DEFAULT_SITE,
+            path: DEFAULT_PATH
+          )
+        end
+
+        @headers = {
+          "DD-API-KEY": api_key.to_s,
+          "DD-APPLICATION-KEY": application_key.to_s,
+          "DD-AI-GUARD-VERSION": Datadog::VERSION::STRING,
+          "DD-AI-GUARD-SOURCE": "SDK",
+          "DD-AI-GUARD-LANGUAGE": "ruby",
+          "content-type": "application/json"
+        }.freeze
+      end
+
+      def post(path, body:)
+        Net::HTTP.start(@endpoint_uri.host.to_s, @endpoint_uri.port, use_ssl: use_ssl?, read_timeout: @timeout) do |http|
+          request = Net::HTTP::Post.new(@endpoint_uri.request_uri + path, @headers)
+          request.body = body.to_json
+
+          response = http.request(request)
+          raise_on_http_error!(response)
+
+          parse_response_body(response.body)
+        end
+      rescue Net::ReadTimeout
+        raise AIGuardClientError, "Request to AI Guard timed out"
+      end
+
+      private
+
+      def raise_on_http_error!(response)
+        case response
+        when Net::HTTPSuccess
+          # do nothing
+        when Net::HTTPRedirection
+          raise AIGuardClientError, "Redirects for AI Guard API are not supported"
+        else
+          error_message = begin
+            parsed_body = JSON.parse(response.body)
+            Array(parsed_body.fetch('errors')).join(', ')
+          rescue JSON::ParserError, KeyError
+            response.body
+          end
+
+          raise AIGuardClientError, error_message
+        end
+      end
+
+      def parse_response_body(body)
+        JSON.parse(body)
+      rescue JSON::ParserError
+        raise AIGuardClientError, "Could not parse response body"
+      end
+
+      def use_ssl?
+        @endpoint_uri.scheme == 'https'
+      end
+    end
+  end
+end

data/lib/datadog/ai_guard/component.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative 'api_client'
+require_relative 'evaluation'
+require_relative 'evaluation/request'
+require_relative 'evaluation/result'
+require_relative 'evaluation/no_op_result'
+require_relative 'evaluation/message'
+require_relative 'evaluation/tool_call'
+require_relative 'ext'
+
+module Datadog
+  module AIGuard
+    # Component for API Guard product
+    class Component
+      attr_reader :api_client, :logger
+
+      def self.build(settings, logger:, telemetry:)
+        return unless settings.respond_to?(:ai_guard) && settings.ai_guard.enabled
+
+        api_client = APIClient.new(
+          endpoint: settings.ai_guard.endpoint,
+          api_key: settings.api_key,
+          application_key: settings.ai_guard.app_key,
+          timeout: settings.ai_guard.timeout_ms / 1_000
+        )
+
+        new(api_client, logger: logger, telemetry: telemetry)
+      end
+
+      def initialize(api_client, logger:, telemetry:)
+        @api_client = api_client
+        @logger = logger
+        @telemetry = telemetry
+      end
+
+      def shutdown!
+        # no-op
+      end
+    end
+  end
+end

data/lib/datadog/ai_guard/configuration/ext.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AIGuard
+    module Configuration
+      # This module contains constants for AI Guard component
+      module Ext
+        ENV_AI_GUARD_ENABLED = "DD_AI_GUARD_ENABLED"
+        ENV_AI_GUARD_ENDPOINT = "DD_AI_GUARD_ENDPOINT"
+        ENV_AI_GUARD_TIMEOUT = "DD_AI_GUARD_TIMEOUT"
+        ENV_AI_GUARD_MAX_CONTENT_SIZE = "DD_AI_GUARD_MAX_CONTENT_SIZE"
+        ENV_AI_GUARD_MAX_MESSAGES_LENGTH = "DD_AI_GUARD_MAX_MESSAGES_LENGTH"
+        ENV_APP_KEY = "DD_APP_KEY"
+      end
+    end
+  end
+end