datadog 2.24.0 → 2.26.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a1e3df0d4845537939ee39a49f98f9645cf0b5f3cd8f62cd9b7c8dd7f7cf112f
-  data.tar.gz: e84c39b5b0d3b464aa5d9c1d050a215374520575832bee48671549bbf9696973
+  metadata.gz: cbf89a9582401ec9fcab36ed1c165ccd447e286085668c768c4df83b5dd27d81
+  data.tar.gz: 0c915a22c6ba56f7d39cd03a278466100e72769ac013bb26e9bd2204b4f280ee
 SHA512:
-  metadata.gz: f00d5556de98278dc5f80d1146374b378e6d21e32c041239e0e6a6237f4169d79061f1e94df1f8221255a2a807ed6a3ff6f80668ff3421030737c6ec7bf35f76
-  data.tar.gz: 94a76fd5432c238ee71c261419cb99e943143e802092ba0ec4aa9391e988f5ed6e9c307295211f0c16951d47e060633b62b40f982c83834aa179b6e66b03af91
+  metadata.gz: 1d2fefe85cab7cff7273196e57638a62da64b6ab0f84b0a350266b0adbc64ae57249d1ab6beb74bfe0d42a233f5b36855a4210ffeb69573fa4cafa2decc12820
+  data.tar.gz: 6b41c594384690eed2a84f1e8046046a72bb29c276e87d6cf048b34df2d24cf54725526f0d6eebed0a523f4334385a1f796cba8a6c1112e46e5d58787410611d

data/CHANGELOG.md

@@ -2,6 +2,32 @@
 
 ## [Unreleased]
 
+## [2.26.0] - 2026-01-16
+
+### Added
+
+* Core: Add process tags to runtime metrics when `DD_EXPERIMENTAL_PROPAGATE_PROCESS_TAGS_ENABLED` is enabled. ([#5210][])
+* SSI: Add experimental dependency injection validation.
+
+### Changed
+
+* Profiling: Improve profiler error reporting. ([#5237][])
+* SSI: Improve injection debug error reporting. ([#5238][])
+
+## [2.25.0] - 2026-01-13
+
+### Added
+
+AI Guard: Add SDK for evaluating the safety of user messages and assistant commands for LLM session ([#5144][])
+
+### Changed
+
+Core: Bump minimum version of `datadog-ruby_core_source` dependency ([#5215][])
+
+### Fixed
+
+AppSec: Fix processing of numeric data for WAF and RASP checks ([#5222][])
+
 ## [2.24.0] - 2026-01-08
 
 ### Added
@@ -9,6 +35,11 @@
 * Core: Add support for installing the gem on Ruby 4.0.x stable ([#5157][])
 * Tracing: Add origin detection using extra headers and the `DD_EXTERNAL_ENV` variable. ([#5028][])
 * Dynamic Instrumentation: Add one-click enablement support ([#5150][])
+* SSI: Add support for Bundler deployment mode ([#5053][])
+* SSI: Report UI-oriented injection results ([#5053][])
+* SSI: Guard against Bundler global force_ruby_platform ([#5053][])
+* SSI: Guard against Bundler 4.0 and Bundler 2.7 in 4.0 mode ([#5053][])
+* SSI: Guard against Ruby 3.5+ ([#5053][])
 
 ### Changed
 
@@ -3418,7 +3449,9 @@ Release notes: https://github.com/DataDog/dd-trace-rb/releases/tag/v0.3.1
 Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 
 
-[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.24.0...master
+[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.26.0...master
+[2.26.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.25.0...v2.26.0
+[2.25.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.24.0...v2.25.0
 [2.24.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.23.0...v2.24.0
 [2.23.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.22.0...v2.23.0
 [2.22.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.21.0...v2.22.0
@@ -5059,12 +5092,14 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#5044]: https://github.com/DataDog/dd-trace-rb/issues/5044
 [#5045]: https://github.com/DataDog/dd-trace-rb/issues/5045
 [#5049]: https://github.com/DataDog/dd-trace-rb/issues/5049
+[#5053]: https://github.com/DataDog/dd-trace-rb/issues/5053
 [#5054]: https://github.com/DataDog/dd-trace-rb/issues/5054
 [#5058]: https://github.com/DataDog/dd-trace-rb/issues/5058
 [#5073]: https://github.com/DataDog/dd-trace-rb/issues/5073
 [#5086]: https://github.com/DataDog/dd-trace-rb/issues/5086
 [#5091]: https://github.com/DataDog/dd-trace-rb/issues/5091
 [#5122]: https://github.com/DataDog/dd-trace-rb/issues/5122
+[#5144]: https://github.com/DataDog/dd-trace-rb/issues/5144
 [#5145]: https://github.com/DataDog/dd-trace-rb/issues/5145
 [#5146]: https://github.com/DataDog/dd-trace-rb/issues/5146
 [#5148]: https://github.com/DataDog/dd-trace-rb/issues/5148
@@ -5078,6 +5113,11 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#5176]: https://github.com/DataDog/dd-trace-rb/issues/5176
 [#5194]: https://github.com/DataDog/dd-trace-rb/issues/5194
 [#5197]: https://github.com/DataDog/dd-trace-rb/issues/5197
+[#5210]: https://github.com/DataDog/dd-trace-rb/issues/5210
+[#5215]: https://github.com/DataDog/dd-trace-rb/issues/5215
+[#5222]: https://github.com/DataDog/dd-trace-rb/issues/5222
+[#5237]: https://github.com/DataDog/dd-trace-rb/issues/5237
+[#5238]: https://github.com/DataDog/dd-trace-rb/issues/5238
 [@AdrianLC]: https://github.com/AdrianLC
 [@Azure7111]: https://github.com/Azure7111
 [@BabyGroot]: https://github.com/BabyGroot

data/ext/datadog_profiling_native_extension/collectors_cpu_and_wall_time_worker.c

@@ -76,8 +76,6 @@
 //
 // ---
 
-#define ERR_CLOCK_FAIL "failed to get clock time"
-
 // Maximum allowed value for an allocation weight. Attempts to use higher values will result in clamping.
 // See https://docs.google.com/document/d/1lWLB714wlLBBq6T4xZyAc4a5wtWhSmr4-hgiPKeErlA/edit#heading=h.ugp0zxcj5iqh
 // (Datadog-only link) for research backing the choice of this value.
@@ -117,6 +115,7 @@ typedef struct {
   // When something goes wrong during sampling, we record the Ruby exception here, so that it can be "re-raised" on
   // the CpuAndWallTimeWorker thread
   VALUE failure_exception;
+  const char *failure_exception_during_operation;
   // Used by `_native_stop` to flag the worker thread to start (see comment on `_native_sampling_loop`)
   VALUE stop_thread;
 
@@ -191,17 +190,17 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
 static void cpu_and_wall_time_worker_typed_data_mark(void *state_ptr);
 static VALUE _native_sampling_loop(VALUE self, VALUE instance);
 static VALUE _native_stop(DDTRACE_UNUSED VALUE _self, VALUE self_instance, VALUE worker_thread);
-static VALUE stop(VALUE self_instance, VALUE optional_exception);
-static void stop_state(cpu_and_wall_time_worker_state *state, VALUE optional_exception);
+static VALUE stop(VALUE self_instance, VALUE optional_exception, const char *optional_exception_during_operation);
+static void stop_state(cpu_and_wall_time_worker_state *state, VALUE optional_exception, const char *optional_operation_name);
 static void handle_sampling_signal(DDTRACE_UNUSED int _signal, DDTRACE_UNUSED siginfo_t *_info, DDTRACE_UNUSED void *_ucontext);
 static void *run_sampling_trigger_loop(void *state_ptr);
 static void interrupt_sampling_trigger_loop(void *state_ptr);
 static void sample_from_postponed_job(DDTRACE_UNUSED void *_unused);
 static VALUE rescued_sample_from_postponed_job(VALUE self_instance);
-static VALUE handle_sampling_failure(VALUE self_instance, VALUE exception);
 static VALUE _native_current_sigprof_signal_handler(DDTRACE_UNUSED VALUE self);
 static VALUE release_gvl_and_run_sampling_trigger_loop(VALUE instance);
 static VALUE _native_is_running(DDTRACE_UNUSED VALUE self, VALUE instance);
+static VALUE _native_failure_exception_during_operation(DDTRACE_UNUSED VALUE self, VALUE instance);
 static void testing_signal_handler(DDTRACE_UNUSED int _signal, DDTRACE_UNUSED siginfo_t *_info, DDTRACE_UNUSED void *_ucontext);
 static VALUE _native_install_testing_signal_handler(DDTRACE_UNUSED VALUE self);
 static VALUE _native_remove_testing_signal_handler(DDTRACE_UNUSED VALUE self);
@@ -209,7 +208,12 @@ static VALUE _native_trigger_sample(DDTRACE_UNUSED VALUE self);
 static VALUE _native_gc_tracepoint(DDTRACE_UNUSED VALUE self, VALUE instance);
 static void on_gc_event(VALUE tracepoint_data, DDTRACE_UNUSED void *unused);
 static void after_gc_from_postponed_job(DDTRACE_UNUSED void *_unused);
-static VALUE safely_call(VALUE (*function_to_call_safely)(VALUE), VALUE function_to_call_safely_arg, VALUE instance);
+static VALUE safely_call(
+  VALUE (*function_to_call_safely)(VALUE),
+  VALUE function_to_call_safely_arg,
+  VALUE instance,
+  VALUE (*handle_sampling_failure)(VALUE, VALUE)
+);
 static VALUE _native_simulate_handle_sampling_signal(DDTRACE_UNUSED VALUE self);
 static VALUE _native_simulate_sample_from_postponed_job(DDTRACE_UNUSED VALUE self);
 static VALUE _native_reset_after_fork(DDTRACE_UNUSED VALUE self, VALUE instance);
@@ -226,6 +230,7 @@ static void disable_tracepoints(cpu_and_wall_time_worker_state *state);
 static VALUE _native_with_blocked_sigprof(DDTRACE_UNUSED VALUE self);
 static VALUE rescued_sample_allocation(VALUE tracepoint_data);
 static void delayed_error(cpu_and_wall_time_worker_state *state, const char *error);
+static void delayed_error_clock_failure(cpu_and_wall_time_worker_state *state);
 static VALUE _native_delayed_error(DDTRACE_UNUSED VALUE self, VALUE instance, VALUE error_msg);
 static VALUE _native_hold_signals(DDTRACE_UNUSED VALUE self);
 static VALUE _native_resume_signals(DDTRACE_UNUSED VALUE self);
@@ -235,6 +240,10 @@ static void after_gvl_running_from_postponed_job(DDTRACE_UNUSED void *_unused);
 #endif
 static VALUE rescued_after_gvl_running_from_postponed_job(VALUE self_instance);
 static VALUE _native_gvl_profiling_hook_active(DDTRACE_UNUSED VALUE self, VALUE instance);
+static VALUE handle_sampling_failure_rescued_sample_from_postponed_job(VALUE self_instance, VALUE exception);
+static VALUE handle_sampling_failure_thread_context_collector_sample_after_gc(VALUE self_instance, VALUE exception);
+static VALUE handle_sampling_failure_rescued_sample_allocation(VALUE self_instance, VALUE exception);
+static VALUE handle_sampling_failure_rescued_after_gvl_running_from_postponed_job(VALUE self_instance, VALUE exception);
 static inline void during_sample_enter(cpu_and_wall_time_worker_state* state);
 static inline void during_sample_exit(cpu_and_wall_time_worker_state* state);
 
@@ -262,6 +271,7 @@ static inline void during_sample_exit(cpu_and_wall_time_worker_state* state);
 // (e.g. signal handler) where it's impossible or just awkward to pass it as an argument.
 static VALUE active_sampler_instance = Qnil;
 static cpu_and_wall_time_worker_state *active_sampler_instance_state = NULL;
+static VALUE clock_failure_exception_class = Qnil;
 
 // See handle_sampling_signal for details on what this does
 #ifdef NO_POSTPONED_TRIGGER
@@ -299,6 +309,8 @@ void collectors_cpu_and_wall_time_worker_init(VALUE profiling_module) {
   VALUE collectors_cpu_and_wall_time_worker_class = rb_define_class_under(collectors_module, "CpuAndWallTimeWorker", rb_cObject);
   // Hosts methods used for testing the native code using RSpec
   VALUE testing_module = rb_define_module_under(collectors_cpu_and_wall_time_worker_class, "Testing");
+  clock_failure_exception_class = rb_define_class_under(collectors_cpu_and_wall_time_worker_class, "ClockFailure", rb_eRuntimeError);
+  rb_gc_register_mark_object(clock_failure_exception_class);
 
   // Instances of the CpuAndWallTimeWorker class are "TypedData" objects.
   // "TypedData" objects are special objects in the Ruby VM that can wrap C structs.
@@ -318,6 +330,7 @@ void collectors_cpu_and_wall_time_worker_init(VALUE profiling_module) {
   rb_define_singleton_method(collectors_cpu_and_wall_time_worker_class, "_native_stats_reset_not_thread_safe", _native_stats_reset_not_thread_safe, 1);
   rb_define_singleton_method(collectors_cpu_and_wall_time_worker_class, "_native_allocation_count", _native_allocation_count, 0);
   rb_define_singleton_method(collectors_cpu_and_wall_time_worker_class, "_native_is_running?", _native_is_running, 1);
+  rb_define_singleton_method(collectors_cpu_and_wall_time_worker_class, "_native_failure_exception_during_operation", _native_failure_exception_during_operation, 1);
   rb_define_singleton_method(testing_module, "_native_current_sigprof_signal_handler", _native_current_sigprof_signal_handler, 0);
   rb_define_singleton_method(collectors_cpu_and_wall_time_worker_class, "_native_hold_signals", _native_hold_signals, 0);
   rb_define_singleton_method(collectors_cpu_and_wall_time_worker_class, "_native_resume_signals", _native_resume_signals, 0);
@@ -370,6 +383,7 @@ static VALUE _native_new(VALUE klass) {
 
   atomic_init(&state->should_run, false);
   state->failure_exception = Qnil;
+  state->failure_exception_during_operation = NULL;
   state->stop_thread = Qnil;
 
   during_sample_exit(state);
@@ -554,22 +568,24 @@ static VALUE _native_stop(DDTRACE_UNUSED VALUE _self, VALUE self_instance, VALUE
 
   state->stop_thread = worker_thread;
 
-  return stop(self_instance, /* optional_exception: */ Qnil);
+  return stop(self_instance, Qnil, NULL);
 }
 
-static void stop_state(cpu_and_wall_time_worker_state *state, VALUE optional_exception) {
+// When providing an `optional_exception`, `optional_exception_during_operation` should be provided as well
+static void stop_state(cpu_and_wall_time_worker_state *state, VALUE optional_exception, const char *optional_exception_during_operation) {
   atomic_store(&state->should_run, false);
   state->failure_exception = optional_exception;
+  state->failure_exception_during_operation = optional_exception_during_operation;
 
   // Disable the tracepoints as soon as possible, so the VM doesn't keep on calling them
   disable_tracepoints(state);
 }
 
-static VALUE stop(VALUE self_instance, VALUE optional_exception) {
+static VALUE stop(VALUE self_instance, VALUE optional_exception, const char *optional_exception_during_operation) {
   cpu_and_wall_time_worker_state *state;
   TypedData_Get_Struct(self_instance, cpu_and_wall_time_worker_state, &cpu_and_wall_time_worker_typed_data, state);
 
-  stop_state(state, optional_exception);
+  stop_state(state, optional_exception, optional_exception_during_operation);
 
   return Qtrue;
 }
@@ -726,7 +742,12 @@ static void sample_from_postponed_job(DDTRACE_UNUSED void *_unused) {
   during_sample_enter(state);
 
   // Rescue against any exceptions that happen during sampling
-  safely_call(rescued_sample_from_postponed_job, state->self_instance, state->self_instance);
+  safely_call(
+    rescued_sample_from_postponed_job,
+    state->self_instance,
+    state->self_instance,
+    handle_sampling_failure_rescued_sample_from_postponed_job
+  );
 
   during_sample_exit(state);
 }
@@ -763,11 +784,6 @@ static VALUE rescued_sample_from_postponed_job(VALUE self_instance) {
   return Qnil;
 }
 
-static VALUE handle_sampling_failure(VALUE self_instance, VALUE exception) {
-  stop(self_instance, exception);
-  return Qnil;
-}
-
 // This method exists only to enable testing Datadog::Profiling::Collectors::CpuAndWallTimeWorker behavior using RSpec.
 // It SHOULD NOT be used for other purposes.
 static VALUE _native_current_sigprof_signal_handler(DDTRACE_UNUSED VALUE self) {
@@ -844,6 +860,15 @@ static VALUE _native_is_running(DDTRACE_UNUSED VALUE self, VALUE instance) {
   return (state != NULL && is_thread_alive(state->owner_thread) && state->self_instance == instance) ? Qtrue : Qfalse;
 }
 
+static VALUE _native_failure_exception_during_operation(DDTRACE_UNUSED VALUE self, VALUE instance) {
+  cpu_and_wall_time_worker_state *state;
+  TypedData_Get_Struct(instance, cpu_and_wall_time_worker_state, &cpu_and_wall_time_worker_typed_data, state);
+
+  if (state->failure_exception_during_operation == NULL) return Qnil;
+
+  return rb_str_new_cstr(state->failure_exception_during_operation);
+}
+
 static void testing_signal_handler(DDTRACE_UNUSED int _signal, DDTRACE_UNUSED siginfo_t *_info, DDTRACE_UNUSED void *_ucontext) {
   /* Does nothing on purpose */
 }
@@ -936,14 +961,24 @@ static void after_gc_from_postponed_job(DDTRACE_UNUSED void *_unused) {
 
   during_sample_enter(state);
 
-  safely_call(thread_context_collector_sample_after_gc, state->thread_context_collector_instance, state->self_instance);
+  safely_call(
+    thread_context_collector_sample_after_gc,
+    state->thread_context_collector_instance,
+    state->self_instance,
+    handle_sampling_failure_thread_context_collector_sample_after_gc
+  );
 
   during_sample_exit(state);
 }
 
 // Equivalent to Ruby begin/rescue call, where we call a C function and jump to the exception handler if an
 // exception gets raised within
-static VALUE safely_call(VALUE (*function_to_call_safely)(VALUE), VALUE function_to_call_safely_arg, VALUE instance) {
+static VALUE safely_call(
+  VALUE (*function_to_call_safely)(VALUE),
+  VALUE function_to_call_safely_arg,
+  VALUE instance,
+  VALUE (*handle_sampling_failure)(VALUE, VALUE)
+) {
   VALUE exception_handler_function_arg = instance;
   return rb_rescue2(
     function_to_call_safely,
@@ -1119,7 +1154,7 @@ static VALUE _native_allocation_count(DDTRACE_UNUSED VALUE self) {
 #define HANDLE_CLOCK_FAILURE(call) ({ \
     long _result = (call); \
     if (_result == 0) { \
-        delayed_error(state, ERR_CLOCK_FAIL); \
+        delayed_error_clock_failure(state); \
         return; \
     } \
     _result; \
@@ -1203,12 +1238,17 @@ static void on_newobj_event(DDTRACE_UNUSED VALUE unused1, DDTRACE_UNUSED void *u
   during_sample_enter(state);
 
   // Rescue against any exceptions that happen during sampling
-  safely_call(rescued_sample_allocation, Qnil, state->self_instance);
+  safely_call(
+    rescued_sample_allocation,
+    Qnil,
+    state->self_instance,
+    handle_sampling_failure_rescued_sample_allocation
+  );
 
   if (state->dynamic_sampling_rate_enabled) {
     long now = monotonic_wall_time_now_ns(DO_NOT_RAISE_ON_FAILURE);
     if (now == 0) {
-      delayed_error(state, ERR_CLOCK_FAIL);
+      delayed_error_clock_failure(state);
       // NOTE: Not short-circuiting here to make sure cleanup happens
     }
     uint64_t sampling_time_ns = discrete_dynamic_sampler_after_sample(&state->allocation_sampler, now);
@@ -1284,7 +1324,12 @@ static VALUE rescued_sample_allocation(DDTRACE_UNUSED VALUE unused) {
 
 static void delayed_error(cpu_and_wall_time_worker_state *state, const char *error) {
   // If we can't raise an immediate exception at the calling site, use the asynchronous flow through the main worker loop.
-  stop_state(state, rb_exc_new_cstr(rb_eRuntimeError, error));
+  stop_state(state, rb_exc_new_cstr(rb_eRuntimeError, error), "delayed_error");
+}
+
+static void delayed_error_clock_failure(cpu_and_wall_time_worker_state *state) {
+  // If we can't raise an immediate exception at the calling site, use the asynchronous flow through the main worker loop.
+  stop_state(state, rb_exc_new_cstr(clock_failure_exception_class, "failed to get clock time"), "delayed_error_clock_failure");
 }
 
 static VALUE _native_delayed_error(DDTRACE_UNUSED VALUE self, VALUE instance, VALUE error_msg) {
@@ -1365,7 +1410,12 @@ static VALUE _native_resume_signals(DDTRACE_UNUSED VALUE self) {
     during_sample_enter(state);
 
     // Rescue against any exceptions that happen during sampling
-    safely_call(rescued_after_gvl_running_from_postponed_job, state->self_instance, state->self_instance);
+    safely_call(
+      rescued_after_gvl_running_from_postponed_job,
+      state->self_instance,
+      state->self_instance,
+      handle_sampling_failure_rescued_after_gvl_running_from_postponed_job
+    );
 
     during_sample_exit(state);
   }
@@ -1404,6 +1454,26 @@ static VALUE _native_resume_signals(DDTRACE_UNUSED VALUE self) {
   }
 #endif
 
+static VALUE handle_sampling_failure_rescued_sample_from_postponed_job(VALUE self_instance, VALUE exception) {
+  stop(self_instance, exception, "rescued_sample_from_postponed_job");
+  return Qnil;
+}
+
+static VALUE handle_sampling_failure_thread_context_collector_sample_after_gc(VALUE self_instance, VALUE exception) {
+  stop(self_instance, exception, "thread_context_collector_sample_after_gc");
+  return Qnil;
+}
+
+static VALUE handle_sampling_failure_rescued_sample_allocation(VALUE self_instance, VALUE exception) {
+  stop(self_instance, exception, "rescued_sample_allocation");
+  return Qnil;
+}
+
+static VALUE handle_sampling_failure_rescued_after_gvl_running_from_postponed_job(VALUE self_instance, VALUE exception) {
+  stop(self_instance, exception, "rescued_after_gvl_running_from_postponed_job");
+  return Qnil;
+}
+
 static inline void during_sample_enter(cpu_and_wall_time_worker_state* state) {
   // Tell the compiler it's not allowed to reorder the `during_sample` flag with anything that happens after.
   //

data/ext/datadog_profiling_native_extension/http_transport.c

@@ -136,6 +136,7 @@ static VALUE perform_export(
     files_to_compress_and_export,
     /* files_to_export_unmodified: */ ddog_prof_Exporter_Slice_File_empty(),
     /* optional_additional_tags: */ NULL,
+    /* optional_process_tags: */ NULL,
     &internal_metadata,
     &info
   );

data/ext/libdatadog_extconf_helpers.rb

@@ -10,7 +10,7 @@ module Datadog
   module LibdatadogExtconfHelpers
     # Used to make sure the correct gem version gets loaded, as extconf.rb does not get run with "bundle exec" and thus
     # may see multiple libdatadog versions. See https://github.com/DataDog/dd-trace-rb/pull/2531 for the horror story.
-    LIBDATADOG_VERSION = '~> 24.0.1.1.0'
+    LIBDATADOG_VERSION = '~> 25.0.0.1.0'
 
     # Used as an workaround for a limitation with how dynamic linking works in environments where the datadog gem and
     # libdatadog are moved after the extension gets compiled.

data/lib/datadog/ai_guard/api_client.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require "uri"
+require "net/http"
+require "json"
+
+module Datadog
+  module AIGuard
+    # API Client for AI Guard API.
+    # Uses net/http to perform request. Raises on client and server errors.
+    class APIClient
+      DEFAULT_SITE = "app.datadoghq.com"
+      DEFAULT_PATH = "/api/v2/ai-guard"
+
+      def initialize(endpoint:, api_key:, application_key:, timeout:)
+        @timeout = timeout
+
+        @endpoint_uri = if endpoint
+          URI(endpoint) #: URI::HTTP
+        else
+          URI::HTTPS.build(
+            host: Datadog.configuration.site || DEFAULT_SITE,
+            path: DEFAULT_PATH
+          )
+        end
+
+        @headers = {
+          "DD-API-KEY": api_key.to_s,
+          "DD-APPLICATION-KEY": application_key.to_s,
+          "DD-AI-GUARD-VERSION": Datadog::VERSION::STRING,
+          "DD-AI-GUARD-SOURCE": "SDK",
+          "DD-AI-GUARD-LANGUAGE": "ruby",
+          "content-type": "application/json"
+        }.freeze
+      end
+
+      def post(path, body:)
+        Net::HTTP.start(@endpoint_uri.host.to_s, @endpoint_uri.port, use_ssl: use_ssl?, read_timeout: @timeout) do |http|
+          request = Net::HTTP::Post.new(@endpoint_uri.request_uri + path, @headers)
+          request.body = body.to_json
+
+          response = http.request(request)
+          raise_on_http_error!(response)
+
+          parse_response_body(response.body)
+        end
+      rescue Net::ReadTimeout
+        raise AIGuardClientError, "Request to AI Guard timed out"
+      end
+
+      private
+
+      def raise_on_http_error!(response)
+        case response
+        when Net::HTTPSuccess
+          # do nothing
+        when Net::HTTPRedirection
+          raise AIGuardClientError, "Redirects for AI Guard API are not supported"
+        else
+          error_message = begin
+            parsed_body = JSON.parse(response.body)
+            Array(parsed_body.fetch('errors')).join(', ')
+          rescue JSON::ParserError, KeyError
+            response.body
+          end
+
+          raise AIGuardClientError, error_message
+        end
+      end
+
+      def parse_response_body(body)
+        JSON.parse(body)
+      rescue JSON::ParserError
+        raise AIGuardClientError, "Could not parse response body"
+      end
+
+      def use_ssl?
+        @endpoint_uri.scheme == 'https'
+      end
+    end
+  end
+end

data/lib/datadog/ai_guard/component.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative 'api_client'
+require_relative 'evaluation'
+require_relative 'evaluation/request'
+require_relative 'evaluation/result'
+require_relative 'evaluation/no_op_result'
+require_relative 'evaluation/message'
+require_relative 'evaluation/tool_call'
+require_relative 'ext'
+
+module Datadog
+  module AIGuard
+    # Component for API Guard product
+    class Component
+      attr_reader :api_client, :logger
+
+      def self.build(settings, logger:, telemetry:)
+        return unless settings.respond_to?(:ai_guard) && settings.ai_guard.enabled
+
+        api_client = APIClient.new(
+          endpoint: settings.ai_guard.endpoint,
+          api_key: settings.api_key,
+          application_key: settings.ai_guard.app_key,
+          timeout: settings.ai_guard.timeout_ms / 1_000
+        )
+
+        new(api_client, logger: logger, telemetry: telemetry)
+      end
+
+      def initialize(api_client, logger:, telemetry:)
+        @api_client = api_client
+        @logger = logger
+        @telemetry = telemetry
+      end
+
+      def shutdown!
+        # no-op
+      end
+    end
+  end
+end

data/lib/datadog/ai_guard/configuration/ext.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AIGuard
+    module Configuration
+      # This module contains constants for AI Guard component
+      module Ext
+        ENV_AI_GUARD_ENABLED = "DD_AI_GUARD_ENABLED"
+        ENV_AI_GUARD_ENDPOINT = "DD_AI_GUARD_ENDPOINT"
+        ENV_AI_GUARD_TIMEOUT = "DD_AI_GUARD_TIMEOUT"
+        ENV_AI_GUARD_MAX_CONTENT_SIZE = "DD_AI_GUARD_MAX_CONTENT_SIZE"
+        ENV_AI_GUARD_MAX_MESSAGES_LENGTH = "DD_AI_GUARD_MAX_MESSAGES_LENGTH"
+        ENV_APP_KEY = "DD_APP_KEY"
+      end
+    end
+  end
+end

data/lib/datadog/ai_guard/configuration/settings.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require 'uri'
+require_relative "ext"
+
+module Datadog
+  module AIGuard
+    module Configuration
+      # AI Guard specific settings
+      module Settings
+        def self.extended(base)
+          base = base.singleton_class unless base.is_a?(Class)
+          add_settings!(base)
+        end
+
+        def self.add_settings!(base)
+          base.class_eval do
+            # AI Guard specific configurations.
+            # @public_api
+            settings :ai_guard do
+              # Enable AI Guard.
+              #
+              # You can use this option to skip calls to AI Guard API without having to remove library as a whole.
+              #
+              # @default `DD_AI_GUARD_ENABLED`, otherwise `false`
+              # @return [Boolean]
+              option :enabled do |o|
+                o.type :bool
+                o.env Ext::ENV_AI_GUARD_ENABLED
+                o.default false
+              end
+
+              # AI Guard API endpoint path.
+              #
+              # @default `DD_AI_GUARD_ENDPOINT`, otherwise `nil`
+              # @return [String, nil]
+              option :endpoint do |o|
+                o.type :string, nilable: true
+                o.env Ext::ENV_AI_GUARD_ENDPOINT
+
+                o.setter do |value|
+                  next unless value
+
+                  uri = URI(value.to_s)
+                  raise ArgumentError, "Please provide an absolute URI that includes a protocol" unless uri.absolute?
+
+                  uri.to_s.delete_suffix("/")
+                end
+              end
+
+              # Datadog Application key.
+              #
+              # @default `DD_APP_KEY` environment variable, otherwise `nil`
+              # @return [String, nil]
+              option :app_key do |o|
+                o.type :string, nilable: true
+                o.env Ext::ENV_APP_KEY
+              end
+
+              # Request timeout in milliseconds.
+              #
+              # @default `DD_AI_GUARD_TIMEOUT`, otherwise 10 000 ms
+              # @return [Integer]
+              option :timeout_ms do |o|
+                o.type :int
+                o.env Ext::ENV_AI_GUARD_TIMEOUT
+                o.default 10_000
+              end
+
+              # Maximum content size in bytes.
+              # Content that exceeds the maximum allowed size is truncated before
+              # being stored in the current span context.
+              #
+              # @default `DD_AI_GUARD_MAX_CONTENT_SIZE`, otherwise 524 228 bytes
+              # @return [Integer]
+              option :max_content_size_bytes do |o|
+                o.type :int
+                o.env Ext::ENV_AI_GUARD_MAX_CONTENT_SIZE
+                o.default 512 * 1024
+              end
+
+              # Maximum number of messages.
+              # Older messages are omitted once the message limit is reached.
+              #
+              # @default `DD_AI_GUARD_MAX_MESSAGES_LENGTH`, otherwise 16 messages
+              # @return [Integer]
+              option :max_messages_length do |o|
+                o.type :int
+                o.env Ext::ENV_AI_GUARD_MAX_MESSAGES_LENGTH
+                o.default 16
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/ai_guard/configuration.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AIGuard
+    # Configuration module for AI Guard
+    module Configuration
+    end
+  end
+end
+
+require_relative "configuration/settings"

data/lib/datadog/ai_guard/evaluation/message.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AIGuard
+    module Evaluation
+      # Message class for AI Guard
+      class Message
+        attr_reader :role, :content, :tool_call, :tool_call_id
+
+        def initialize(role:, content: nil, tool_call: nil, tool_call_id: nil)
+          raise ArgumentError, "Role must be set to a non-empty value" if role.to_s.empty?
+
+          @role = role.to_sym
+          @content = content
+          @tool_call = tool_call
+          @tool_call_id = tool_call_id
+
+          if @tool_call && !@tool_call.is_a?(ToolCall)
+            raise ArgumentError, "Expected an instance of #{ToolCall.name} for :tool_call argument"
+          end
+        end
+      end
+    end
+  end
+end