datadog 2.33.0 → 2.35.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ff1c01535f382bb6e3de5b529bf8ec30a6deda1d1c4aba3450bb21dbd80407bf
-  data.tar.gz: 966a01b956c9df2cd8d451df9175b66e0dbae3b7b3da7732ea998c7adca70442
+  metadata.gz: 4029cb3d97dee5a685f9f34027d3f46c960d452eb82339f8a167227f597881aa
+  data.tar.gz: 3a108d7cb90cb00326d2f9ec563e0370855161ea21c270e31cfe8bbd16b9e154
 SHA512:
-  metadata.gz: c2d4111c1b0526122be94729577ba54d1e85fb08f2cd1ae74495d9de5bd805cb883b39c872187a5a10f2d4f67a3153d6bce2dda8192e75f4b0e808c9ab9b6a79
-  data.tar.gz: 413cb6dc25ca7b8a79e9e85b152bfd4eed649f72ca5275a46203e30c12f893914337cbd8e5136767588b67f81eadefdc839a5a4aafebbdf5cc17e7d089798886
+  metadata.gz: c10991420b5026c39d0ca76529be13c276479236ebf01ab8e5050c110f687266620bfa04127f76cdb55c87b54e84c3cee5ffa39f1de46492f2dd90a58f8ed484
+  data.tar.gz: f7508958b880c20197ab687ff2eb98c29af51aadbc1835f8ae88a88b8858a520518aefb0d73797ae0728018fe871056c4fa4baccc86aa77b9ec0e1d20a8df298

data/CHANGELOG.md

@@ -2,6 +2,73 @@
 
 ## [Unreleased]
 
+## [2.35.0] - 2026-06-03
+
+### Added
+
+* Tracing: Add `dynamic_service` SQL comment propagation mode for Database Monitoring ([#5812][])
+* Tracing: Prevent Datadog-generated traffic from interfering with application metrics ([#5811][])
+
+### Changed
+
+* AppSec: Improve route extraction performance for Rails applications ([#5836][])
+
+### Fixed
+
+* Tracing: Restore `Datadog::Tracing::Contrib::Ext::Metadata::TAG_BASE_SERVICE` constant removed in v2.34.0 ([#5830][])
+
+### Removed
+
+* Profiling: Deprecate the `profiling.advanced.timeline_enabled` setting for removal; it no longer does anything. Please remove it from `Datadog.configure` and do not set `DD_PROFILING_TIMELINE_ENABLED` ([#5750][])
+
+## [2.34.0] - 2026-05-27
+
+### Added
+
+* Dynamic Instrumentation: Enable opt-in Symbol Database upload so Ruby services populate Live Debugger UI autocomplete when creating probes ([#5717][])
+* Open Telemetry: Add OpenTelemetry logs support with OTLP export. Enable using `DD_LOGS_OTEL_ENABLED=true`; supports standard `OTEL_EXPORTER_OTLP_*` settings ([#5446][])
+
+### Fixed
+
+* Core: Fix Remote configuration `TransportError` messages removing wrapper response object memory addresses ([#5762][])
+* Core: Fix `TypeError` from `Process.spawn` when passing an environment Hash ([#5773][], [#5634][])
+* AppSec: Prevent host application crashes when AppSec fails to initialize ([#5768][])
+* Dynamic Instrumentation: Fix off-by-one in `max_capture_depth` so snapshots respect the configured nesting limit exactly ([#5753][])
+* Dynamic Instrumentation: Improve line probes to match `sourceFile` case-insensitively and support Windows-style backslashes for correct installation ([#5754][])
+
+## [2.33.0] - 2026-05-13
+
+### Added
+
+* AI Guard: Ensure client IP is always collected when AI Guard is enabled ([#5677][])
+* AppSec: Add support for AWS Lambda ([#5663][])
+* Tracing: Add inferred proxy spans for services behind AWS Gateway ([#5681][])
+* Open Telemetry: Add support for `DD_HOSTNAME` to set trace hostname and OTel `host.name` when `DD_TRACE_REPORT_HOSTNAME` is enabled ([#5705][])
+
+### Changed
+
+* Core: Collect all threads in crash reports to provide full thread context during crashes ([#5724][])
+* Core: Update `libdatadog` dependency to version 33.0.0 ([#5723][])
+
+## [2.32.0] - 2026-05-08
+
+### Added
+
+* Open Feature: Add flag evaluation metrics (`feature_flag.evaluations`) via OpenTelemetry for OpenFeature provider. ([#5599][])
+* Profiling: Add metric for total time spent waiting for the GVL. ([#5569][])
+* Dynamic Instrumentation: Live Debugger line probes can now target third-party and Ruby standard library code loaded before datadog gem is loaded. ([#5501][])
+
+### Changed
+
+* Profiling: Print failure info when native extension setup fails ([#5657][])
+* Tracing: Add parsing limits to `tracestate` and `traceparent` propagation headers and remove whitespace around list members. ([#5674][])
+* Tracing: Limit extracted [baggage](https://www.w3.org/TR/2024/CR-baggage-20240530/) header parsing to 64 items and 8192 bytes. ([#5672][])
+
+### Fixed
+
+* Tracing: Enforce `x-datadog-tags` propagation header size limits by byte size. ([#5687][])
+* Tracing: Return empty baggage on invalid UTF-8 baggage extraction ([#5689][])
+
 ## [2.31.0] - 2026-04-20
 
 ### Added
@@ -3567,7 +3634,11 @@ Release notes: https://github.com/DataDog/dd-trace-rb/releases/tag/v0.3.1
 Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 
 
-[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.31.0...master
+[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.35.0...master
+[2.35.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.34.0...v2.35.0
+[2.34.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.33.0...v2.34.0
+[2.33.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.32.0...v2.33.0
+[2.32.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.31.0...v2.32.0
 [2.31.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.30.0...v2.31.0
 [2.30.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.29.0...v2.30.0
 [2.29.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.28.0...v2.29.0
@@ -5278,6 +5349,7 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#5434]: https://github.com/DataDog/dd-trace-rb/issues/5434
 [#5435]: https://github.com/DataDog/dd-trace-rb/issues/5435
 [#5436]: https://github.com/DataDog/dd-trace-rb/issues/5436
+[#5446]: https://github.com/DataDog/dd-trace-rb/issues/5446
 [#5448]: https://github.com/DataDog/dd-trace-rb/issues/5448
 [#5449]: https://github.com/DataDog/dd-trace-rb/issues/5449
 [#5461]: https://github.com/DataDog/dd-trace-rb/issues/5461
@@ -5286,15 +5358,41 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#5483]: https://github.com/DataDog/dd-trace-rb/issues/5483
 [#5484]: https://github.com/DataDog/dd-trace-rb/issues/5484
 [#5499]: https://github.com/DataDog/dd-trace-rb/issues/5499
+[#5501]: https://github.com/DataDog/dd-trace-rb/issues/5501
 [#5509]: https://github.com/DataDog/dd-trace-rb/issues/5509
 [#5531]: https://github.com/DataDog/dd-trace-rb/issues/5531
 [#5564]: https://github.com/DataDog/dd-trace-rb/issues/5564
+[#5569]: https://github.com/DataDog/dd-trace-rb/issues/5569
 [#5573]: https://github.com/DataDog/dd-trace-rb/issues/5573
 [#5574]: https://github.com/DataDog/dd-trace-rb/issues/5574
 [#5579]: https://github.com/DataDog/dd-trace-rb/issues/5579
 [#5580]: https://github.com/DataDog/dd-trace-rb/issues/5580
 [#5587]: https://github.com/DataDog/dd-trace-rb/issues/5587
 [#5594]: https://github.com/DataDog/dd-trace-rb/issues/5594
+[#5599]: https://github.com/DataDog/dd-trace-rb/issues/5599
+[#5634]: https://github.com/DataDog/dd-trace-rb/issues/5634
+[#5657]: https://github.com/DataDog/dd-trace-rb/issues/5657
+[#5663]: https://github.com/DataDog/dd-trace-rb/issues/5663
+[#5672]: https://github.com/DataDog/dd-trace-rb/issues/5672
+[#5674]: https://github.com/DataDog/dd-trace-rb/issues/5674
+[#5677]: https://github.com/DataDog/dd-trace-rb/issues/5677
+[#5681]: https://github.com/DataDog/dd-trace-rb/issues/5681
+[#5687]: https://github.com/DataDog/dd-trace-rb/issues/5687
+[#5689]: https://github.com/DataDog/dd-trace-rb/issues/5689
+[#5705]: https://github.com/DataDog/dd-trace-rb/issues/5705
+[#5717]: https://github.com/DataDog/dd-trace-rb/issues/5717
+[#5723]: https://github.com/DataDog/dd-trace-rb/issues/5723
+[#5724]: https://github.com/DataDog/dd-trace-rb/issues/5724
+[#5750]: https://github.com/DataDog/dd-trace-rb/issues/5750
+[#5753]: https://github.com/DataDog/dd-trace-rb/issues/5753
+[#5754]: https://github.com/DataDog/dd-trace-rb/issues/5754
+[#5762]: https://github.com/DataDog/dd-trace-rb/issues/5762
+[#5768]: https://github.com/DataDog/dd-trace-rb/issues/5768
+[#5773]: https://github.com/DataDog/dd-trace-rb/issues/5773
+[#5811]: https://github.com/DataDog/dd-trace-rb/issues/5811
+[#5812]: https://github.com/DataDog/dd-trace-rb/issues/5812
+[#5830]: https://github.com/DataDog/dd-trace-rb/issues/5830
+[#5836]: https://github.com/DataDog/dd-trace-rb/issues/5836
 [@AdrianLC]: https://github.com/AdrianLC
 [@Azure7111]: https://github.com/Azure7111
 [@BabyGroot]: https://github.com/BabyGroot

data/ext/datadog_profiling_native_extension/collectors_cpu_and_wall_time_worker.c

@@ -17,6 +17,10 @@
 #include "setup_signal_handler.h"
 #include "time_helpers.h"
 
+#ifdef __APPLE__
+  #include "macos_sampler_thread.h"
+#endif
+
 // Used to trigger the execution of Collectors::ThreadContext, which implements all of the sampling logic
 // itself; this class only implements the "when to do it" part.
 //
@@ -535,6 +539,14 @@ static VALUE _native_sampling_loop(DDTRACE_UNUSED VALUE _self, VALUE instance) {
 
   block_sigprof_signal_handler_from_running_in_current_thread(); // We want to interrupt the thread with the global VM lock, never this one
 
+  #ifdef __APPLE__
+    // Promote the native thread that will run the sampling loop to a realtime scheduling policy so
+    // its periodic wake-ups are not subject to the default ~1-2ms timeshare wake latency. The matching
+    // demote happens below in this same function, alongside the SIGPROF unblock dance, so both per-thread
+    // policy changes are reverted before Ruby reuses this native thread for an unrelated Ruby thread.
+    promote_sampler_thread_to_realtime(MILLIS_AS_NS(state->cpu_sampling_interval_ms));
+  #endif
+
   // Release GVL, get to the actual work!
   int exception_state;
   rb_protect(release_gvl_and_run_sampling_trigger_loop, instance, &exception_state);
@@ -556,6 +568,14 @@ static VALUE _native_sampling_loop(DDTRACE_UNUSED VALUE _self, VALUE instance) {
   // had SIGPROF delivery blocked. :hide_the_pain_harold:
   unblock_sigprof_signal_handler_from_running_in_current_thread();
 
+  #ifdef __APPLE__
+    // Pairs with promote_sampler_thread_to_realtime above. Same reasoning as the SIGPROF unblock:
+    // Ruby may reuse this native thread for an unrelated Ruby thread that would otherwise inherit
+    // our scheduler policy. Doing it here also covers the exception path, since grab_gvl_and_sample
+    // can raise and unwind out of the sampling loop.
+    demote_sampler_thread_from_realtime();
+  #endif
+
   // Why replace and not use remove the signal handler? We do this because when a process receives a SIGPROF without
   // having an explicit signal handler set up, the process will instantly terminate with a confusing
   // "Profiling timer expired" message left behind. (This message doesn't come from us -- it's the default message for

data/ext/datadog_profiling_native_extension/collectors_thread_context.c

@@ -142,8 +142,6 @@ typedef struct {
   VALUE thread_list_buffer;
   // Used to omit endpoint names (retrieved from tracer) from collected data
   bool endpoint_collection_enabled;
-  // Used to omit timestamps / timeline events from collected data
-  bool timeline_enabled;
   // Used to control context collection
   otel_context_enabled otel_context_enabled;
   // Used to remember where otel context is being stored after we observe it the first time
@@ -458,7 +456,6 @@ static VALUE _native_new(VALUE klass) {
   VALUE thread_list_buffer = rb_ary_new();
   state->thread_list_buffer = thread_list_buffer;
   state->endpoint_collection_enabled = true;
-  state->timeline_enabled = true;
   state->native_filenames_enabled = false;
   state->native_filenames_cache = st_init_numtable();
   state->otel_context_enabled = OTEL_CONTEXT_ENABLED_FALSE;
@@ -492,14 +489,12 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   VALUE max_frames = rb_hash_fetch(options, ID2SYM(rb_intern("max_frames")));
   VALUE tracer_context_key = rb_hash_fetch(options, ID2SYM(rb_intern("tracer_context_key")));
   VALUE endpoint_collection_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("endpoint_collection_enabled")));
-  VALUE timeline_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("timeline_enabled")));
   VALUE waiting_for_gvl_threshold_ns = rb_hash_fetch(options, ID2SYM(rb_intern("waiting_for_gvl_threshold_ns")));
   VALUE otel_context_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("otel_context_enabled")));
   VALUE native_filenames_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("native_filenames_enabled")));
 
   ENFORCE_TYPE(max_frames, T_FIXNUM);
   ENFORCE_BOOLEAN(endpoint_collection_enabled);
-  ENFORCE_BOOLEAN(timeline_enabled);
   ENFORCE_TYPE(waiting_for_gvl_threshold_ns, T_FIXNUM);
   ENFORCE_BOOLEAN(native_filenames_enabled);
 
@@ -512,7 +507,6 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   // hash_map_per_thread_context is already initialized, nothing to do here
   state->recorder_instance = enforce_recorder_instance(recorder_instance);
   state->endpoint_collection_enabled = (endpoint_collection_enabled == Qtrue);
-  state->timeline_enabled = (timeline_enabled == Qtrue);
   state->native_filenames_enabled = (native_filenames_enabled == Qtrue);
   if (otel_context_enabled == Qfalse || otel_context_enabled == Qnil) {
     state->otel_context_enabled = OTEL_CONTEXT_ENABLED_FALSE;
@@ -844,11 +838,7 @@ VALUE thread_context_collector_sample_after_gc(VALUE self_instance) {
   ddog_prof_Slice_Label slice_labels = {.ptr = labels, .len = label_pos};
 
   // The end_timestamp_ns is treated specially by libdatadog and that's why it's not added as a ddog_prof_Label
-  int64_t end_timestamp_ns = 0;
-
-  if (state->timeline_enabled) {
-    end_timestamp_ns = monotonic_to_system_epoch_ns(&state->time_converter_state, state->gc_tracking.wall_time_at_previous_gc_ns);
-  }
+  int64_t end_timestamp_ns = monotonic_to_system_epoch_ns(&state->time_converter_state, state->gc_tracking.wall_time_at_previous_gc_ns);
 
   record_placeholder_stack(
     state->recorder_instance,
@@ -1008,7 +998,7 @@ static void trigger_sample_for_thread(
 
   // The end_timestamp_ns is treated specially by libdatadog and that's why it's not added as a ddog_prof_Label
   int64_t end_timestamp_ns = 0;
-  if (state->timeline_enabled && current_monotonic_wall_time_ns != INVALID_TIME) {
+  if (current_monotonic_wall_time_ns != INVALID_TIME) {
     end_timestamp_ns = monotonic_to_system_epoch_ns(&state->time_converter_state, current_monotonic_wall_time_ns);
   }
 
@@ -1166,7 +1156,6 @@ static VALUE _native_inspect(DDTRACE_UNUSED VALUE _self, VALUE collector_instanc
   rb_str_concat(result, rb_sprintf(" sample_count=%u", state->sample_count));
   rb_str_concat(result, rb_sprintf(" stats=%"PRIsVALUE, stats_as_ruby_hash(state)));
   rb_str_concat(result, rb_sprintf(" endpoint_collection_enabled=%"PRIsVALUE, state->endpoint_collection_enabled ? Qtrue : Qfalse));
-  rb_str_concat(result, rb_sprintf(" timeline_enabled=%"PRIsVALUE, state->timeline_enabled ? Qtrue : Qfalse));
   rb_str_concat(result, rb_sprintf(" native_filenames_enabled=%"PRIsVALUE, state->native_filenames_enabled ? Qtrue : Qfalse));
   // Note: `st_table_size()` is available from Ruby 3.2+ but not before
   rb_str_concat(result, rb_sprintf(" native_filenames_cache_size=%zu", state->native_filenames_cache->num_entries));
@@ -1994,8 +1983,6 @@ static uint64_t otel_span_id_to_uint(VALUE otel_span_id) {
     thread_context_collector_state *state;
     TypedData_Get_Struct(self_instance, thread_context_collector_state, &thread_context_collector_typed_data, state);
 
-    if (!state->timeline_enabled) raise_error(rb_eRuntimeError, "GVL profiling requires timeline to be enabled");
-
     intptr_t gvl_waiting_at = gvl_profiling_state_thread_object_get(current_thread);
 
     if (gvl_waiting_at >= 0) {

data/ext/datadog_profiling_native_extension/macos_sampler_thread.h

@@ -0,0 +1,55 @@
+#pragma once
+
+#include <mach/mach.h>
+#include <mach/mach_time.h>
+#include <mach/thread_policy.h>
+#include <pthread.h>
+#include <stdio.h>
+
+#include "time_helpers.h"
+
+// On macOS the default scheduler wake latency for a timeshare thread is ~1-2ms,
+// so nanosleep regularly overshoots a 10ms request by ~2ms. Marking the worker
+// thread with THREAD_TIME_CONSTRAINT_POLICY tells the scheduler this thread has
+// a periodic deadline; the kernel then wakes it close to the requested time.
+//
+// This only affects the sampler worker thread. We pair it with a demote call
+// before the thread can be reused by Ruby for unrelated Ruby threads (see the
+// SIGPROF unblock dance in _native_sampling_loop).
+static inline void promote_sampler_thread_to_realtime(uint64_t period_ns) {
+  mach_timebase_info_data_t timebase = (mach_timebase_info_data_t) {};
+  mach_timebase_info(&timebase);
+
+  // ns -> mach ticks: each mach tick is (numer/denom) ns, so divide by that.
+  #define NS_TO_MACH_TICKS(ns) ((uint32_t) (((uint64_t)(ns) * (uint64_t) timebase.denom) / (uint64_t) timebase.numer))
+
+  struct thread_time_constraint_policy policy = {
+    .period      = NS_TO_MACH_TICKS(period_ns),
+    .computation = NS_TO_MACH_TICKS(MICROS_AS_NS(200)),  // 200us upper bound on the work we do per period
+    .constraint  = NS_TO_MACH_TICKS(MILLIS_AS_NS(1)),    // wake us within 1ms of the deadline
+    .preemptible = TRUE,
+  };
+
+  #undef NS_TO_MACH_TICKS
+
+  kern_return_t kr = thread_policy_set(
+    pthread_mach_thread_np(pthread_self()),
+    THREAD_TIME_CONSTRAINT_POLICY,
+    (thread_policy_t) &policy,
+    THREAD_TIME_CONSTRAINT_POLICY_COUNT
+  );
+  if (kr != KERN_SUCCESS) {
+    // Non-fatal: we'll fall back to the default scheduler behavior (overshoot ~2ms).
+    fprintf(stderr, "[ddtrace] Failed to set real-time policy on profiler sampler thread (kr=%d); sample cadence may be imprecise\n", kr);
+  }
+}
+
+static inline void demote_sampler_thread_from_realtime(void) {
+  struct thread_standard_policy policy = {.no_data = 0};
+  thread_policy_set(
+    pthread_mach_thread_np(pthread_self()),
+    THREAD_STANDARD_POLICY,
+    (thread_policy_t) &policy,
+    THREAD_STANDARD_POLICY_COUNT
+  );
+}

data/ext/datadog_profiling_native_extension/stack_recorder.c

@@ -420,14 +420,12 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   VALUE heap_samples_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("heap_samples_enabled")));
   VALUE heap_size_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("heap_size_enabled")));
   VALUE heap_sample_every = rb_hash_fetch(options, ID2SYM(rb_intern("heap_sample_every")));
-  VALUE timeline_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("timeline_enabled")));
   VALUE heap_clean_after_gc_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("heap_clean_after_gc_enabled")));
 
   ENFORCE_BOOLEAN(alloc_samples_enabled);
   ENFORCE_BOOLEAN(heap_samples_enabled);
   ENFORCE_BOOLEAN(heap_size_enabled);
   ENFORCE_TYPE(heap_sample_every, T_FIXNUM);
-  ENFORCE_BOOLEAN(timeline_enabled);
   ENFORCE_BOOLEAN(heap_clean_after_gc_enabled);
 
   stack_recorder_state *state;
@@ -440,8 +438,7 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   uint8_t requested_values_count = ALL_VALUE_TYPES_COUNT -
     (alloc_samples_enabled == Qtrue? 0 : 2) -
     (heap_samples_enabled == Qtrue ? 0 : 1) -
-    (heap_size_enabled == Qtrue ? 0 : 1) -
-    (timeline_enabled == Qtrue ? 0 : 1);
+    (heap_size_enabled == Qtrue ? 0 : 1);
 
   if (requested_values_count == ALL_VALUE_TYPES_COUNT) return Qtrue; // Nothing to do, this is the default
 
@@ -467,6 +464,10 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   enabled_sample_types[next_enabled_pos] = DDOG_PROF_SAMPLE_TYPE_CPU_TIME;
   state->position_for[CPU_TIME_VALUE_ID] = next_enabled_pos++;
 
+  // TIMELINE is always enabled
+  enabled_sample_types[next_enabled_pos] = DDOG_PROF_SAMPLE_TYPE_TIMELINE;
+  state->position_for[TIMELINE_VALUE_ID] = next_enabled_pos++;
+
   if (alloc_samples_enabled == Qtrue) {
     enabled_sample_types[next_enabled_pos] = DDOG_PROF_SAMPLE_TYPE_ALLOC_SAMPLES;
     state->position_for[ALLOC_SAMPLES_VALUE_ID] = next_enabled_pos++;
@@ -500,13 +501,6 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
     state->heap_recorder = NULL;
   }
 
-  if (timeline_enabled == Qtrue) {
-    enabled_sample_types[next_enabled_pos] = DDOG_PROF_SAMPLE_TYPE_TIMELINE;
-    state->position_for[TIMELINE_VALUE_ID] = next_enabled_pos++;
-  } else {
-    state->position_for[TIMELINE_VALUE_ID] = next_disabled_pos++;
-  }
-
   ddog_prof_Profile_drop(&state->profile_slot_one.profile);
   ddog_prof_Profile_drop(&state->profile_slot_two.profile);
 
@@ -639,6 +633,7 @@ void record_sample(VALUE recorder_instance, ddog_prof_Slice_Location locations,
       .values = (ddog_Slice_I64) {.ptr = metric_values, .len = state->enabled_values_count},
       .labels = labels.labels
     },
+    /* To disable end_timestamp_ns to get aggregated profiles in pprof, replace the below with `0` */
     labels.end_timestamp_ns
   );
 

data/lib/datadog/ai_guard/configuration.rb

@@ -71,6 +71,7 @@ module Datadog
               option :app_key do |o|
                 o.type :string, nilable: true
                 o.env Ext::ENV_APP_KEY
+                o.skip_telemetry true
               end
 
               # Request timeout in milliseconds.

data/lib/datadog/ai_guard/contrib/rack/request_middleware.rb

@@ -11,71 +11,85 @@ module Datadog
       module Rack
         # AI Guard Rack middleware.
         #
-        # Inserted into the middleware stack right after
-        # Datadog::Tracing::Contrib::Rack::TraceMiddleware (i.e. nested inside
-        # it). This ordering matters: on the way out of the request, AI Guard's
-        # `ensure` block unwinds *before* Tracing's ensure, while Tracing's
-        # request span is still live. We need that, because Tracing's ensure
-        # calls `request_span.finish`, which builds a frozen `Span` snapshot of
-        # the meta hash — any `set_tag` call after that point mutates the
-        # `SpanOperation` but never reaches the exported `Span`.
+        # At request entry the middleware stores some request attributes for
+        # on the active trace under the `_dd.ai_guard.` prefix.
         #
-        # So while the span is still active, we tag `http.client_ip` and
-        # `network.client.ip` on it — but only when an AI Guard span was
-        # actually recorded during the request.
+        # Later when AI Guard evaluation is performed, those attributes are
+        # mirrored on AI Guard span.
         class RequestMiddleware
-          NETWORK_CLIENT_IP_TAG = "network.client.ip"
-
           def initialize(app, opt = {})
             @app = app
           end
 
           def call(env)
+            trace = Datadog::Tracing.active_trace
+            return @app.call(env) unless trace
+
+            store_anomaly_detection_tags!(trace, env)
+
             @app.call(env)
           ensure
-            tag_client_ip(env) if consume_ai_guard_executed_flag
+            # @type var trace: Datadog::Tracing::TraceSegment?
+            # Steep: https://github.com/soutaro/steep/issues/919
+            if trace
+              tag_client_ip_on_request_span!(trace) if ai_guard_executed?(trace)
+
+              clean_up_ai_guard_temp_tags!(trace)
+            end
           end
 
           private
 
-          # AI Guard's evaluation flow sets `ai_guard.executed` on the trace
-          # whenever an AI Guard span is created during the request. We read
-          # it here to know whether to tag client IP, then clear it so the
-          # internal flag does not propagate to the exported trace.
-          #
-          # `Tracing.active_trace` is publicly typed as `TraceSegment?` but at
-          # runtime returns a `TraceOperation`, which exposes `get_tag` and
-          # `clear_tag`. Pre-existing sig mismatch — hence the steep:ignore.
           # steep:ignore:start
-          def consume_ai_guard_executed_flag
-            trace = Datadog::Tracing.active_trace
-            return false unless trace
-            return false unless trace.get_tag(Datadog::AIGuard::Ext::SERVICE_ENTRY_EXECUTED_TAG) == "1"
+          def store_anomaly_detection_tags!(trace, env)
+            remote_ip = env["REMOTE_ADDR"]
+            trace.set_tag(Datadog::AIGuard::Ext::TRACE_NETWORK_CLIENT_IP_TAG, remote_ip) if remote_ip
+
+            headers = Datadog::Tracing::Contrib::Rack::Header::RequestHeaderCollection.new(env)
+            resolved_client_ip = Datadog::Tracing::ClientIp.extract_client_ip(headers, remote_ip)
+            trace.set_tag(Datadog::AIGuard::Ext::TRACE_HTTP_CLIENT_IP_TAG, resolved_client_ip) if resolved_client_ip
+
+            user_agent = env["HTTP_USER_AGENT"]
+            trace.set_tag(Datadog::AIGuard::Ext::TRACE_HTTP_USERAGENT_TAG, user_agent) if user_agent
+          rescue => e
+            Datadog::AIGuard.telemetry&.report(e, description: "AI Guard: failed to get request attributes")
+          end
+          # steep:ignore:end
+
+          # steep:ignore:start
+          def clean_up_ai_guard_temp_tags!(trace)
+            Ext::TRACE_ANOMALY_DETECTION_TAGS.each do |tag|
+              trace.clear_tag(tag)
+            end
 
-            trace.clear_tag(Datadog::AIGuard::Ext::SERVICE_ENTRY_EXECUTED_TAG)
-            true
+            trace.clear_tag(Datadog::AIGuard::Ext::TRACE_EXECUTED_TAG)
           end
           # steep:ignore:end
 
-          def tag_client_ip(env)
+          # AI Guard's evaluation flow sets `_dd.ai_guard.executed` on the
+          # trace whenever an AI Guard span is created during the request.
+          # steep:ignore:start
+          def ai_guard_executed?(trace)
+            trace.get_tag(Datadog::AIGuard::Ext::TRACE_EXECUTED_TAG) == "1"
+          end
+          # steep:ignore:end
+
+          # steep:ignore:start
+          def tag_client_ip_on_request_span!(trace)
             span = Datadog::Tracing.active_span
             return unless span
 
-            if span.get_tag(Datadog::Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP).nil?
-              headers = Datadog::Tracing::Contrib::Rack::Header::RequestHeaderCollection.new(env)
-              Datadog::Tracing::ClientIp.set_client_ip_tag!(
-                span,
-                headers: headers,
-                remote_ip: env["REMOTE_ADDR"]
-              )
+            client_ip = trace.get_tag(Datadog::AIGuard::Ext::TRACE_HTTP_CLIENT_IP_TAG)
+            if client_ip && span.get_tag(Datadog::Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP).nil?
+              span.set_tag(Datadog::Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP, client_ip)
             end
 
-            if env["REMOTE_ADDR"] && span.get_tag(NETWORK_CLIENT_IP_TAG).nil?
-              span.set_tag(NETWORK_CLIENT_IP_TAG, env["REMOTE_ADDR"])
-            end
+            network_client_ip = trace.get_tag(Datadog::AIGuard::Ext::TRACE_NETWORK_CLIENT_IP_TAG)
+            span["network.client.ip"] = network_client_ip if network_client_ip
           rescue => e
             Datadog::AIGuard.telemetry&.report(e, description: "AI Guard: failed to tag client IP on root span")
           end
+          # steep:ignore:end
         end
       end
     end

data/lib/datadog/ai_guard/evaluation.rb

@@ -16,7 +16,12 @@ module Datadog
               Tracing::Sampling::Ext::Decision::AI_GUARD
             )
             trace.set_tag(Ext::EVENT_TAG, true)
-            trace.set_tag(Ext::SERVICE_ENTRY_EXECUTED_TAG, "1")
+            trace.set_tag(Ext::TRACE_EXECUTED_TAG, "1")
+
+            Ext::TRACE_ANOMALY_DETECTION_TAGS.each do |tag|
+              value = trace.get_tag(tag)
+              span.set_tag(tag, value) if value
+            end
 
             if (last_message = messages.last)
               if last_message.tool_call

data/lib/datadog/ai_guard/ext.rb

@@ -11,8 +11,19 @@ module Datadog
       REASON_TAG = "ai_guard.reason"
       BLOCKED_TAG = "ai_guard.blocked"
       EVENT_TAG = "ai_guard.event"
-      SERVICE_ENTRY_EXECUTED_TAG = "_dd.ai_guard.executed"
+
       METASTRUCT_TAG = "ai_guard"
+
+      TRACE_EXECUTED_TAG = "_dd.ai_guard.executed"
+      TRACE_HTTP_USERAGENT_TAG = "_dd.ai_guard.http.useragent"
+      TRACE_HTTP_CLIENT_IP_TAG = "_dd.ai_guard.http.client_ip"
+      TRACE_NETWORK_CLIENT_IP_TAG = "_dd.ai_guard.network.client.ip"
+
+      TRACE_ANOMALY_DETECTION_TAGS = [
+        TRACE_HTTP_USERAGENT_TAG,
+        TRACE_HTTP_CLIENT_IP_TAG,
+        TRACE_NETWORK_CLIENT_IP_TAG
+      ].freeze
     end
   end
 end

data/lib/datadog/appsec/api_security/route_extractor.rb

@@ -15,6 +15,7 @@ module Datadog
         RAILS_ROUTES_KEY = 'action_dispatch.routes'
         RAILS_PATH_PARAMS_KEY = 'action_dispatch.request.path_parameters'
         RAILS_FORMAT_SUFFIX = '(.:format)'
+        DATADOG_RAILS_ROUTE_KEY = 'datadog.action_dispatch.route'
 
         # HACK: We rely on the fact that each contrib will modify `request.env`
         #       and store information sufficient to compute the canonical
@@ -55,6 +56,8 @@ module Datadog
           elsif request.env.key?(SINATRA_ROUTE_KEY)
             pattern = request.env[SINATRA_ROUTE_KEY].split(SINATRA_ROUTE_SEPARATOR, 2)[1]
             "#{request.script_name}#{pattern}"
+          elsif request.env.key?(DATADOG_RAILS_ROUTE_KEY)
+            request.env[DATADOG_RAILS_ROUTE_KEY].path.spec.to_s.delete_suffix(RAILS_FORMAT_SUFFIX)
           elsif request.env.key?(RAILS_ROUTE_KEY)
             request.env[RAILS_ROUTE_KEY].path.spec.to_s.delete_suffix(RAILS_FORMAT_SUFFIX)
           elsif request.env.key?(RAILS_ROUTE_URI_PATTERN_KEY)

data/lib/datadog/appsec/component.rb

@@ -46,7 +46,10 @@ module Datadog
 
           security_engine = SecurityEngine::Engine.new(appsec_settings: settings.appsec, telemetry: telemetry)
           new(security_engine: security_engine)
-        rescue => e
+        # NOTE: At this point we should capture all possible exceptions and
+        #       gracefully fail component initialization, preventing propagation
+        #       into the host application code.
+        rescue Exception => e # standard:disable Lint/RescueException
           Datadog.logger.warn("AppSec is disabled: #{e.class}: #{e.message}; there may be additional logged errors above")
 
           # Not reporting to telemetry here because some of the rescued exceptions

data/lib/datadog/appsec/compressed_json.rb

@@ -4,7 +4,7 @@ require 'json'
 require 'zlib'
 require 'stringio'
 
-require_relative '../core/utils/base64'
+require_relative '../core/utils/base64_codec'
 
 module Datadog
   module AppSec
@@ -27,7 +27,7 @@ module Datadog
       end
 
       private_class_method def self.compress_and_encode(payload)
-        Core::Utils::Base64.strict_encode64(
+        Core::Utils::Base64Codec.strict_encode64(
           Zlib.gzip(payload, level: Zlib::BEST_SPEED, strategy: Zlib::DEFAULT_STRATEGY)
         )
       rescue Zlib::Error, TypeError => e

data/lib/datadog/appsec/contrib/aws_lambda/waf_addresses.rb

@@ -4,7 +4,7 @@ require 'uri'
 
 require_relative '../../utils/http/media_type'
 require_relative '../../utils/http/body'
-require_relative '../../../core/utils/base64'
+require_relative '../../../core/utils/base64_codec'
 require_relative '../../../core/header_collection'
 require_relative '../../../tracing/client_ip'
 
@@ -42,7 +42,7 @@ module Datadog
 
             headers = parse_headers(payload)
             data = {
-              'server.response.status' => payload['statusCode']&.to_s,
+              'server.response.status' => payload['status_code']&.to_s,
               'server.response.headers' => headers,
               'server.response.headers.no_cookies' => headers.dup.tap { |h| h.delete('set-cookie') }
             }
@@ -94,7 +94,7 @@ module Datadog
             body = payload['body']
             return unless body
 
-            body = Core::Utils::Base64.strict_decode64(body) if payload['base64_encoded']
+            body = Core::Utils::Base64Codec.strict_decode64(body) if payload['base64_encoded']
 
             content_type = headers['content-type']
             return unless content_type

data/lib/datadog/appsec/contrib/rack/ext.rb

@@ -13,7 +13,7 @@ module Datadog
             'cloudfront-viewer-ja3-fingerprint',
             'content-type',
             'user-agent',
-            'x-amzn-trace-Id',
+            'x-amzn-trace-id',
             'x-appgw-trace-id',
             'x-cloud-trace-context',
             'x-sigsci-requestid',