datadog 2.34.0 → 2.35.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aa3ddf8f18dda4b503c654911332fb5cdc50356d4fa8223d43a993be204618ac
-  data.tar.gz: d917e203823268d36fc01c086969052160a6afdfb2c3cfdc29a081d8ce23a384
+  metadata.gz: 4029cb3d97dee5a685f9f34027d3f46c960d452eb82339f8a167227f597881aa
+  data.tar.gz: 3a108d7cb90cb00326d2f9ec563e0370855161ea21c270e31cfe8bbd16b9e154
 SHA512:
-  metadata.gz: 4fda14c3e26b82d5b93e3581acfa939d9ac3be695c2ad26ca720b4873127f05e949dc78f0cb1b8922ed87cd114881e9191fa36463cd86f3dcbf5d969da0da932
-  data.tar.gz: ca53286a2a5ad436e460ede12148faed98b9904d0823715954f602cdf292cb03966cde1f96dd2c227581b1ccd814c30fdd0236dfaa1903f59a87ae2873f40dd0
+  metadata.gz: c10991420b5026c39d0ca76529be13c276479236ebf01ab8e5050c110f687266620bfa04127f76cdb55c87b54e84c3cee5ffa39f1de46492f2dd90a58f8ed484
+  data.tar.gz: f7508958b880c20197ab687ff2eb98c29af51aadbc1835f8ae88a88b8858a520518aefb0d73797ae0728018fe871056c4fa4baccc86aa77b9ec0e1d20a8df298

data/CHANGELOG.md

@@ -2,16 +2,31 @@
 
 ## [Unreleased]
 
-## [2.34.0] - 2026-05-27
+## [2.35.0] - 2026-06-03
 
 ### Added
 
-* Dynamic Instrumentation: Enable Symbol Database upload so Ruby services populate Live Debugger UI autocomplete when creating probes ([#5717][])
-* Open Telemetry: Add OpenTelemetry logs support with OTLP export. Enable using `DD_LOGS_OTEL_ENABLED=true`; supports standard `OTEL_EXPORTER_OTLP_*` settings ([#5446][])
+* Tracing: Add `dynamic_service` SQL comment propagation mode for Database Monitoring ([#5812][])
+* Tracing: Prevent Datadog-generated traffic from interfering with application metrics ([#5811][])
 
 ### Changed
 
-* Dynamic Instrumentation: Improve request latency under load by throttling symbol database extraction CPU usage during background processing ([#5776][])
+* AppSec: Improve route extraction performance for Rails applications ([#5836][])
+
+### Fixed
+
+* Tracing: Restore `Datadog::Tracing::Contrib::Ext::Metadata::TAG_BASE_SERVICE` constant removed in v2.34.0 ([#5830][])
+
+### Removed
+
+* Profiling: Deprecate the `profiling.advanced.timeline_enabled` setting for removal; it no longer does anything. Please remove it from `Datadog.configure` and do not set `DD_PROFILING_TIMELINE_ENABLED` ([#5750][])
+
+## [2.34.0] - 2026-05-27
+
+### Added
+
+* Dynamic Instrumentation: Enable opt-in Symbol Database upload so Ruby services populate Live Debugger UI autocomplete when creating probes ([#5717][])
+* Open Telemetry: Add OpenTelemetry logs support with OTLP export. Enable using `DD_LOGS_OTEL_ENABLED=true`; supports standard `OTEL_EXPORTER_OTLP_*` settings ([#5446][])
 
 ### Fixed
 
@@ -21,6 +36,39 @@
 * Dynamic Instrumentation: Fix off-by-one in `max_capture_depth` so snapshots respect the configured nesting limit exactly ([#5753][])
 * Dynamic Instrumentation: Improve line probes to match `sourceFile` case-insensitively and support Windows-style backslashes for correct installation ([#5754][])
 
+## [2.33.0] - 2026-05-13
+
+### Added
+
+* AI Guard: Ensure client IP is always collected when AI Guard is enabled ([#5677][])
+* AppSec: Add support for AWS Lambda ([#5663][])
+* Tracing: Add inferred proxy spans for services behind AWS Gateway ([#5681][])
+* Open Telemetry: Add support for `DD_HOSTNAME` to set trace hostname and OTel `host.name` when `DD_TRACE_REPORT_HOSTNAME` is enabled ([#5705][])
+
+### Changed
+
+* Core: Collect all threads in crash reports to provide full thread context during crashes ([#5724][])
+* Core: Update `libdatadog` dependency to version 33.0.0 ([#5723][])
+
+## [2.32.0] - 2026-05-08
+
+### Added
+
+* Open Feature: Add flag evaluation metrics (`feature_flag.evaluations`) via OpenTelemetry for OpenFeature provider. ([#5599][])
+* Profiling: Add metric for total time spent waiting for the GVL. ([#5569][])
+* Dynamic Instrumentation: Live Debugger line probes can now target third-party and Ruby standard library code loaded before datadog gem is loaded. ([#5501][])
+
+### Changed
+
+* Profiling: Print failure info when native extension setup fails ([#5657][])
+* Tracing: Add parsing limits to `tracestate` and `traceparent` propagation headers and remove whitespace around list members. ([#5674][])
+* Tracing: Limit extracted [baggage](https://www.w3.org/TR/2024/CR-baggage-20240530/) header parsing to 64 items and 8192 bytes. ([#5672][])
+
+### Fixed
+
+* Tracing: Enforce `x-datadog-tags` propagation header size limits by byte size. ([#5687][])
+* Tracing: Return empty baggage on invalid UTF-8 baggage extraction ([#5689][])
+
 ## [2.31.0] - 2026-04-20
 
 ### Added
@@ -3586,8 +3634,11 @@ Release notes: https://github.com/DataDog/dd-trace-rb/releases/tag/v0.3.1
 Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 
 
-[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.34.0...master
+[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.35.0...master
+[2.35.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.34.0...v2.35.0
 [2.34.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.33.0...v2.34.0
+[2.33.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.32.0...v2.33.0
+[2.32.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.31.0...v2.32.0
 [2.31.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.30.0...v2.31.0
 [2.30.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.29.0...v2.30.0
 [2.29.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.28.0...v2.29.0
@@ -5307,23 +5358,41 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#5483]: https://github.com/DataDog/dd-trace-rb/issues/5483
 [#5484]: https://github.com/DataDog/dd-trace-rb/issues/5484
 [#5499]: https://github.com/DataDog/dd-trace-rb/issues/5499
+[#5501]: https://github.com/DataDog/dd-trace-rb/issues/5501
 [#5509]: https://github.com/DataDog/dd-trace-rb/issues/5509
 [#5531]: https://github.com/DataDog/dd-trace-rb/issues/5531
 [#5564]: https://github.com/DataDog/dd-trace-rb/issues/5564
+[#5569]: https://github.com/DataDog/dd-trace-rb/issues/5569
 [#5573]: https://github.com/DataDog/dd-trace-rb/issues/5573
 [#5574]: https://github.com/DataDog/dd-trace-rb/issues/5574
 [#5579]: https://github.com/DataDog/dd-trace-rb/issues/5579
 [#5580]: https://github.com/DataDog/dd-trace-rb/issues/5580
 [#5587]: https://github.com/DataDog/dd-trace-rb/issues/5587
 [#5594]: https://github.com/DataDog/dd-trace-rb/issues/5594
+[#5599]: https://github.com/DataDog/dd-trace-rb/issues/5599
 [#5634]: https://github.com/DataDog/dd-trace-rb/issues/5634
+[#5657]: https://github.com/DataDog/dd-trace-rb/issues/5657
+[#5663]: https://github.com/DataDog/dd-trace-rb/issues/5663
+[#5672]: https://github.com/DataDog/dd-trace-rb/issues/5672
+[#5674]: https://github.com/DataDog/dd-trace-rb/issues/5674
+[#5677]: https://github.com/DataDog/dd-trace-rb/issues/5677
+[#5681]: https://github.com/DataDog/dd-trace-rb/issues/5681
+[#5687]: https://github.com/DataDog/dd-trace-rb/issues/5687
+[#5689]: https://github.com/DataDog/dd-trace-rb/issues/5689
+[#5705]: https://github.com/DataDog/dd-trace-rb/issues/5705
 [#5717]: https://github.com/DataDog/dd-trace-rb/issues/5717
+[#5723]: https://github.com/DataDog/dd-trace-rb/issues/5723
+[#5724]: https://github.com/DataDog/dd-trace-rb/issues/5724
+[#5750]: https://github.com/DataDog/dd-trace-rb/issues/5750
 [#5753]: https://github.com/DataDog/dd-trace-rb/issues/5753
 [#5754]: https://github.com/DataDog/dd-trace-rb/issues/5754
 [#5762]: https://github.com/DataDog/dd-trace-rb/issues/5762
 [#5768]: https://github.com/DataDog/dd-trace-rb/issues/5768
 [#5773]: https://github.com/DataDog/dd-trace-rb/issues/5773
-[#5776]: https://github.com/DataDog/dd-trace-rb/issues/5776
+[#5811]: https://github.com/DataDog/dd-trace-rb/issues/5811
+[#5812]: https://github.com/DataDog/dd-trace-rb/issues/5812
+[#5830]: https://github.com/DataDog/dd-trace-rb/issues/5830
+[#5836]: https://github.com/DataDog/dd-trace-rb/issues/5836
 [@AdrianLC]: https://github.com/AdrianLC
 [@Azure7111]: https://github.com/Azure7111
 [@BabyGroot]: https://github.com/BabyGroot

data/ext/datadog_profiling_native_extension/collectors_thread_context.c

@@ -142,8 +142,6 @@ typedef struct {
   VALUE thread_list_buffer;
   // Used to omit endpoint names (retrieved from tracer) from collected data
   bool endpoint_collection_enabled;
-  // Used to omit timestamps / timeline events from collected data
-  bool timeline_enabled;
   // Used to control context collection
   otel_context_enabled otel_context_enabled;
   // Used to remember where otel context is being stored after we observe it the first time
@@ -458,7 +456,6 @@ static VALUE _native_new(VALUE klass) {
   VALUE thread_list_buffer = rb_ary_new();
   state->thread_list_buffer = thread_list_buffer;
   state->endpoint_collection_enabled = true;
-  state->timeline_enabled = true;
   state->native_filenames_enabled = false;
   state->native_filenames_cache = st_init_numtable();
   state->otel_context_enabled = OTEL_CONTEXT_ENABLED_FALSE;
@@ -492,14 +489,12 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   VALUE max_frames = rb_hash_fetch(options, ID2SYM(rb_intern("max_frames")));
   VALUE tracer_context_key = rb_hash_fetch(options, ID2SYM(rb_intern("tracer_context_key")));
   VALUE endpoint_collection_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("endpoint_collection_enabled")));
-  VALUE timeline_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("timeline_enabled")));
   VALUE waiting_for_gvl_threshold_ns = rb_hash_fetch(options, ID2SYM(rb_intern("waiting_for_gvl_threshold_ns")));
   VALUE otel_context_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("otel_context_enabled")));
   VALUE native_filenames_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("native_filenames_enabled")));
 
   ENFORCE_TYPE(max_frames, T_FIXNUM);
   ENFORCE_BOOLEAN(endpoint_collection_enabled);
-  ENFORCE_BOOLEAN(timeline_enabled);
   ENFORCE_TYPE(waiting_for_gvl_threshold_ns, T_FIXNUM);
   ENFORCE_BOOLEAN(native_filenames_enabled);
 
@@ -512,7 +507,6 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   // hash_map_per_thread_context is already initialized, nothing to do here
   state->recorder_instance = enforce_recorder_instance(recorder_instance);
   state->endpoint_collection_enabled = (endpoint_collection_enabled == Qtrue);
-  state->timeline_enabled = (timeline_enabled == Qtrue);
   state->native_filenames_enabled = (native_filenames_enabled == Qtrue);
   if (otel_context_enabled == Qfalse || otel_context_enabled == Qnil) {
     state->otel_context_enabled = OTEL_CONTEXT_ENABLED_FALSE;
@@ -844,11 +838,7 @@ VALUE thread_context_collector_sample_after_gc(VALUE self_instance) {
   ddog_prof_Slice_Label slice_labels = {.ptr = labels, .len = label_pos};
 
   // The end_timestamp_ns is treated specially by libdatadog and that's why it's not added as a ddog_prof_Label
-  int64_t end_timestamp_ns = 0;
-
-  if (state->timeline_enabled) {
-    end_timestamp_ns = monotonic_to_system_epoch_ns(&state->time_converter_state, state->gc_tracking.wall_time_at_previous_gc_ns);
-  }
+  int64_t end_timestamp_ns = monotonic_to_system_epoch_ns(&state->time_converter_state, state->gc_tracking.wall_time_at_previous_gc_ns);
 
   record_placeholder_stack(
     state->recorder_instance,
@@ -1008,7 +998,7 @@ static void trigger_sample_for_thread(
 
   // The end_timestamp_ns is treated specially by libdatadog and that's why it's not added as a ddog_prof_Label
   int64_t end_timestamp_ns = 0;
-  if (state->timeline_enabled && current_monotonic_wall_time_ns != INVALID_TIME) {
+  if (current_monotonic_wall_time_ns != INVALID_TIME) {
     end_timestamp_ns = monotonic_to_system_epoch_ns(&state->time_converter_state, current_monotonic_wall_time_ns);
   }
 
@@ -1166,7 +1156,6 @@ static VALUE _native_inspect(DDTRACE_UNUSED VALUE _self, VALUE collector_instanc
   rb_str_concat(result, rb_sprintf(" sample_count=%u", state->sample_count));
   rb_str_concat(result, rb_sprintf(" stats=%"PRIsVALUE, stats_as_ruby_hash(state)));
   rb_str_concat(result, rb_sprintf(" endpoint_collection_enabled=%"PRIsVALUE, state->endpoint_collection_enabled ? Qtrue : Qfalse));
-  rb_str_concat(result, rb_sprintf(" timeline_enabled=%"PRIsVALUE, state->timeline_enabled ? Qtrue : Qfalse));
   rb_str_concat(result, rb_sprintf(" native_filenames_enabled=%"PRIsVALUE, state->native_filenames_enabled ? Qtrue : Qfalse));
   // Note: `st_table_size()` is available from Ruby 3.2+ but not before
   rb_str_concat(result, rb_sprintf(" native_filenames_cache_size=%zu", state->native_filenames_cache->num_entries));
@@ -1994,8 +1983,6 @@ static uint64_t otel_span_id_to_uint(VALUE otel_span_id) {
     thread_context_collector_state *state;
     TypedData_Get_Struct(self_instance, thread_context_collector_state, &thread_context_collector_typed_data, state);
 
-    if (!state->timeline_enabled) raise_error(rb_eRuntimeError, "GVL profiling requires timeline to be enabled");
-
     intptr_t gvl_waiting_at = gvl_profiling_state_thread_object_get(current_thread);
 
     if (gvl_waiting_at >= 0) {

data/ext/datadog_profiling_native_extension/stack_recorder.c

@@ -420,14 +420,12 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   VALUE heap_samples_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("heap_samples_enabled")));
   VALUE heap_size_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("heap_size_enabled")));
   VALUE heap_sample_every = rb_hash_fetch(options, ID2SYM(rb_intern("heap_sample_every")));
-  VALUE timeline_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("timeline_enabled")));
   VALUE heap_clean_after_gc_enabled = rb_hash_fetch(options, ID2SYM(rb_intern("heap_clean_after_gc_enabled")));
 
   ENFORCE_BOOLEAN(alloc_samples_enabled);
   ENFORCE_BOOLEAN(heap_samples_enabled);
   ENFORCE_BOOLEAN(heap_size_enabled);
   ENFORCE_TYPE(heap_sample_every, T_FIXNUM);
-  ENFORCE_BOOLEAN(timeline_enabled);
   ENFORCE_BOOLEAN(heap_clean_after_gc_enabled);
 
   stack_recorder_state *state;
@@ -440,8 +438,7 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   uint8_t requested_values_count = ALL_VALUE_TYPES_COUNT -
     (alloc_samples_enabled == Qtrue? 0 : 2) -
     (heap_samples_enabled == Qtrue ? 0 : 1) -
-    (heap_size_enabled == Qtrue ? 0 : 1) -
-    (timeline_enabled == Qtrue ? 0 : 1);
+    (heap_size_enabled == Qtrue ? 0 : 1);
 
   if (requested_values_count == ALL_VALUE_TYPES_COUNT) return Qtrue; // Nothing to do, this is the default
 
@@ -467,6 +464,10 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
   enabled_sample_types[next_enabled_pos] = DDOG_PROF_SAMPLE_TYPE_CPU_TIME;
   state->position_for[CPU_TIME_VALUE_ID] = next_enabled_pos++;
 
+  // TIMELINE is always enabled
+  enabled_sample_types[next_enabled_pos] = DDOG_PROF_SAMPLE_TYPE_TIMELINE;
+  state->position_for[TIMELINE_VALUE_ID] = next_enabled_pos++;
+
   if (alloc_samples_enabled == Qtrue) {
     enabled_sample_types[next_enabled_pos] = DDOG_PROF_SAMPLE_TYPE_ALLOC_SAMPLES;
     state->position_for[ALLOC_SAMPLES_VALUE_ID] = next_enabled_pos++;
@@ -500,13 +501,6 @@ static VALUE _native_initialize(int argc, VALUE *argv, DDTRACE_UNUSED VALUE _sel
     state->heap_recorder = NULL;
   }
 
-  if (timeline_enabled == Qtrue) {
-    enabled_sample_types[next_enabled_pos] = DDOG_PROF_SAMPLE_TYPE_TIMELINE;
-    state->position_for[TIMELINE_VALUE_ID] = next_enabled_pos++;
-  } else {
-    state->position_for[TIMELINE_VALUE_ID] = next_disabled_pos++;
-  }
-
   ddog_prof_Profile_drop(&state->profile_slot_one.profile);
   ddog_prof_Profile_drop(&state->profile_slot_two.profile);
 
@@ -639,6 +633,7 @@ void record_sample(VALUE recorder_instance, ddog_prof_Slice_Location locations,
       .values = (ddog_Slice_I64) {.ptr = metric_values, .len = state->enabled_values_count},
       .labels = labels.labels
     },
+    /* To disable end_timestamp_ns to get aggregated profiles in pprof, replace the below with `0` */
     labels.end_timestamp_ns
   );
 

data/lib/datadog/ai_guard/configuration.rb

@@ -71,6 +71,7 @@ module Datadog
               option :app_key do |o|
                 o.type :string, nilable: true
                 o.env Ext::ENV_APP_KEY
+                o.skip_telemetry true
               end
 
               # Request timeout in milliseconds.

data/lib/datadog/ai_guard/contrib/rack/request_middleware.rb

@@ -11,71 +11,85 @@ module Datadog
       module Rack
         # AI Guard Rack middleware.
         #
-        # Inserted into the middleware stack right after
-        # Datadog::Tracing::Contrib::Rack::TraceMiddleware (i.e. nested inside
-        # it). This ordering matters: on the way out of the request, AI Guard's
-        # `ensure` block unwinds *before* Tracing's ensure, while Tracing's
-        # request span is still live. We need that, because Tracing's ensure
-        # calls `request_span.finish`, which builds a frozen `Span` snapshot of
-        # the meta hash — any `set_tag` call after that point mutates the
-        # `SpanOperation` but never reaches the exported `Span`.
+        # At request entry the middleware stores some request attributes for
+        # on the active trace under the `_dd.ai_guard.` prefix.
         #
-        # So while the span is still active, we tag `http.client_ip` and
-        # `network.client.ip` on it — but only when an AI Guard span was
-        # actually recorded during the request.
+        # Later when AI Guard evaluation is performed, those attributes are
+        # mirrored on AI Guard span.
         class RequestMiddleware
-          NETWORK_CLIENT_IP_TAG = "network.client.ip"
-
           def initialize(app, opt = {})
             @app = app
           end
 
           def call(env)
+            trace = Datadog::Tracing.active_trace
+            return @app.call(env) unless trace
+
+            store_anomaly_detection_tags!(trace, env)
+
             @app.call(env)
           ensure
-            tag_client_ip(env) if consume_ai_guard_executed_flag
+            # @type var trace: Datadog::Tracing::TraceSegment?
+            # Steep: https://github.com/soutaro/steep/issues/919
+            if trace
+              tag_client_ip_on_request_span!(trace) if ai_guard_executed?(trace)
+
+              clean_up_ai_guard_temp_tags!(trace)
+            end
           end
 
           private
 
-          # AI Guard's evaluation flow sets `ai_guard.executed` on the trace
-          # whenever an AI Guard span is created during the request. We read
-          # it here to know whether to tag client IP, then clear it so the
-          # internal flag does not propagate to the exported trace.
-          #
-          # `Tracing.active_trace` is publicly typed as `TraceSegment?` but at
-          # runtime returns a `TraceOperation`, which exposes `get_tag` and
-          # `clear_tag`. Pre-existing sig mismatch — hence the steep:ignore.
           # steep:ignore:start
-          def consume_ai_guard_executed_flag
-            trace = Datadog::Tracing.active_trace
-            return false unless trace
-            return false unless trace.get_tag(Datadog::AIGuard::Ext::SERVICE_ENTRY_EXECUTED_TAG) == "1"
+          def store_anomaly_detection_tags!(trace, env)
+            remote_ip = env["REMOTE_ADDR"]
+            trace.set_tag(Datadog::AIGuard::Ext::TRACE_NETWORK_CLIENT_IP_TAG, remote_ip) if remote_ip
+
+            headers = Datadog::Tracing::Contrib::Rack::Header::RequestHeaderCollection.new(env)
+            resolved_client_ip = Datadog::Tracing::ClientIp.extract_client_ip(headers, remote_ip)
+            trace.set_tag(Datadog::AIGuard::Ext::TRACE_HTTP_CLIENT_IP_TAG, resolved_client_ip) if resolved_client_ip
+
+            user_agent = env["HTTP_USER_AGENT"]
+            trace.set_tag(Datadog::AIGuard::Ext::TRACE_HTTP_USERAGENT_TAG, user_agent) if user_agent
+          rescue => e
+            Datadog::AIGuard.telemetry&.report(e, description: "AI Guard: failed to get request attributes")
+          end
+          # steep:ignore:end
+
+          # steep:ignore:start
+          def clean_up_ai_guard_temp_tags!(trace)
+            Ext::TRACE_ANOMALY_DETECTION_TAGS.each do |tag|
+              trace.clear_tag(tag)
+            end
 
-            trace.clear_tag(Datadog::AIGuard::Ext::SERVICE_ENTRY_EXECUTED_TAG)
-            true
+            trace.clear_tag(Datadog::AIGuard::Ext::TRACE_EXECUTED_TAG)
           end
           # steep:ignore:end
 
-          def tag_client_ip(env)
+          # AI Guard's evaluation flow sets `_dd.ai_guard.executed` on the
+          # trace whenever an AI Guard span is created during the request.
+          # steep:ignore:start
+          def ai_guard_executed?(trace)
+            trace.get_tag(Datadog::AIGuard::Ext::TRACE_EXECUTED_TAG) == "1"
+          end
+          # steep:ignore:end
+
+          # steep:ignore:start
+          def tag_client_ip_on_request_span!(trace)
             span = Datadog::Tracing.active_span
             return unless span
 
-            if span.get_tag(Datadog::Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP).nil?
-              headers = Datadog::Tracing::Contrib::Rack::Header::RequestHeaderCollection.new(env)
-              Datadog::Tracing::ClientIp.set_client_ip_tag!(
-                span,
-                headers: headers,
-                remote_ip: env["REMOTE_ADDR"]
-              )
+            client_ip = trace.get_tag(Datadog::AIGuard::Ext::TRACE_HTTP_CLIENT_IP_TAG)
+            if client_ip && span.get_tag(Datadog::Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP).nil?
+              span.set_tag(Datadog::Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP, client_ip)
             end
 
-            if env["REMOTE_ADDR"] && span.get_tag(NETWORK_CLIENT_IP_TAG).nil?
-              span.set_tag(NETWORK_CLIENT_IP_TAG, env["REMOTE_ADDR"])
-            end
+            network_client_ip = trace.get_tag(Datadog::AIGuard::Ext::TRACE_NETWORK_CLIENT_IP_TAG)
+            span["network.client.ip"] = network_client_ip if network_client_ip
           rescue => e
             Datadog::AIGuard.telemetry&.report(e, description: "AI Guard: failed to tag client IP on root span")
           end
+          # steep:ignore:end
         end
       end
     end

data/lib/datadog/ai_guard/evaluation.rb

@@ -16,7 +16,12 @@ module Datadog
               Tracing::Sampling::Ext::Decision::AI_GUARD
             )
             trace.set_tag(Ext::EVENT_TAG, true)
-            trace.set_tag(Ext::SERVICE_ENTRY_EXECUTED_TAG, "1")
+            trace.set_tag(Ext::TRACE_EXECUTED_TAG, "1")
+
+            Ext::TRACE_ANOMALY_DETECTION_TAGS.each do |tag|
+              value = trace.get_tag(tag)
+              span.set_tag(tag, value) if value
+            end
 
             if (last_message = messages.last)
               if last_message.tool_call

data/lib/datadog/ai_guard/ext.rb

@@ -11,8 +11,19 @@ module Datadog
       REASON_TAG = "ai_guard.reason"
       BLOCKED_TAG = "ai_guard.blocked"
       EVENT_TAG = "ai_guard.event"
-      SERVICE_ENTRY_EXECUTED_TAG = "_dd.ai_guard.executed"
+
       METASTRUCT_TAG = "ai_guard"
+
+      TRACE_EXECUTED_TAG = "_dd.ai_guard.executed"
+      TRACE_HTTP_USERAGENT_TAG = "_dd.ai_guard.http.useragent"
+      TRACE_HTTP_CLIENT_IP_TAG = "_dd.ai_guard.http.client_ip"
+      TRACE_NETWORK_CLIENT_IP_TAG = "_dd.ai_guard.network.client.ip"
+
+      TRACE_ANOMALY_DETECTION_TAGS = [
+        TRACE_HTTP_USERAGENT_TAG,
+        TRACE_HTTP_CLIENT_IP_TAG,
+        TRACE_NETWORK_CLIENT_IP_TAG
+      ].freeze
     end
   end
 end

data/lib/datadog/appsec/api_security/route_extractor.rb

@@ -15,6 +15,7 @@ module Datadog
         RAILS_ROUTES_KEY = 'action_dispatch.routes'
         RAILS_PATH_PARAMS_KEY = 'action_dispatch.request.path_parameters'
         RAILS_FORMAT_SUFFIX = '(.:format)'
+        DATADOG_RAILS_ROUTE_KEY = 'datadog.action_dispatch.route'
 
         # HACK: We rely on the fact that each contrib will modify `request.env`
         #       and store information sufficient to compute the canonical
@@ -55,6 +56,8 @@ module Datadog
           elsif request.env.key?(SINATRA_ROUTE_KEY)
             pattern = request.env[SINATRA_ROUTE_KEY].split(SINATRA_ROUTE_SEPARATOR, 2)[1]
             "#{request.script_name}#{pattern}"
+          elsif request.env.key?(DATADOG_RAILS_ROUTE_KEY)
+            request.env[DATADOG_RAILS_ROUTE_KEY].path.spec.to_s.delete_suffix(RAILS_FORMAT_SUFFIX)
           elsif request.env.key?(RAILS_ROUTE_KEY)
             request.env[RAILS_ROUTE_KEY].path.spec.to_s.delete_suffix(RAILS_FORMAT_SUFFIX)
           elsif request.env.key?(RAILS_ROUTE_URI_PATTERN_KEY)

data/lib/datadog/appsec/contrib/rack/request_middleware.rb

@@ -9,9 +9,11 @@ require_relative 'gateway/response'
 require_relative '../../event'
 require_relative '../../response'
 require_relative '../../api_security'
+require_relative '../../default_header_tags'
 require_relative '../../security_event'
 require_relative '../../instrumentation/gateway'
 
+require_relative '../../../core/header_collection'
 require_relative '../../../tracing/client_ip'
 require_relative '../../../tracing/contrib/rack/header_collection'
 
@@ -19,24 +21,6 @@ module Datadog
   module AppSec
     module Contrib
       module Rack
-        RESPONSE_HEADERS_TAGS = %w[
-          content-length
-          content-type
-          content-encoding
-          content-language
-        ].freeze
-
-        WAF_VENDOR_HEADERS_TAGS = %w[
-          X-Amzn-Trace-Id
-          Cloudfront-Viewer-Ja3-Fingerprint
-          Cf-Ray
-          X-Cloud-Trace-Context
-          X-Appgw-Trace-id
-          X-SigSci-RequestID
-          X-SigSci-Tags
-          Akamai-User-Risk
-        ].map(&:downcase).freeze
-
         # Topmost Rack middleware for AppSec
         # This should be inserted just below Datadog::Tracing::Contrib::Rack::TraceMiddleware
         class RequestMiddleware
@@ -44,7 +28,6 @@ module Datadog
             @app = app
 
             @oneshot_tags_sent = false
-            @rack_headers = {}
           end
 
           # rubocop:disable Metrics/MethodLength
@@ -186,38 +169,28 @@ module Datadog
           end
           # standard:enable Metrics/MethodLength
 
-          # standard:disable Metrics/MethodLength
           def add_request_tags(context, env)
             span = context.span
             return unless span
 
-            # Always add WAF vendors headers
-            WAF_VENDOR_HEADERS_TAGS.each do |lowercase_header|
-              rack_header = to_rack_header(lowercase_header)
-              span.set_tag("http.request.headers.#{lowercase_header}", env[rack_header]) if env[rack_header]
-            end
-
-            if span && span.get_tag(Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP).nil?
-              request_header_collection = Datadog::Tracing::Contrib::Rack::Header::RequestHeaderCollection.new(env)
+            headers = Tracing::Contrib::Rack::Header::RequestHeaderCollection.new(env)
+            AppSec::DefaultHeaderTags.tag_request(span, headers)
 
+            if span.get_tag(Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP).nil?
               # always collect client ip, as this is part of AppSec provided functionality
               Datadog::Tracing::ClientIp.set_client_ip_tag!(
-                span,
-                headers: request_header_collection,
-                remote_ip: env['REMOTE_ADDR']
+                span, headers: headers, remote_ip: env['REMOTE_ADDR']
               )
             end
           end
-          # standard:enable Metrics/MethodLength
 
           def add_response_tags(context, response)
             span = context.span
             return unless span
 
-            RESPONSE_HEADERS_TAGS.each do |name|
-              value = response.headers[name]
-              span.set_tag("http.response.headers.#{name}", value.to_s) if value
-            end
+            AppSec::DefaultHeaderTags.tag_response(
+              span, Datadog::Core::HeaderCollection.from_hash(response.headers)
+            )
 
             unless response.headers.key?('content-length')
               length = ResponseBody.content_length(response.body)
@@ -228,10 +201,6 @@ module Datadog
           def oneshot_tags_sent?
             @oneshot_tags_sent
           end
-
-          def to_rack_header(header)
-            @rack_headers[header] ||= Datadog::Tracing::Contrib::Rack::Header.to_rack_header(header)
-          end
         end
       end
     end

data/lib/datadog/appsec/default_header_tags.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    # Sets the always-on span tags built from a fixed allowlist of request and
+    # response headers.
+    #
+    # NOTE: Unlike {Event#record}, which reports request headers only when
+    #       a security event fires, these are tagged on every request/response
+    #
+    # @api private
+    module DefaultHeaderTags
+      WAF_VENDOR_HEADERS_TAGS = %w[
+        x-amzn-trace-id
+        cloudfront-viewer-ja3-fingerprint
+        cf-ray
+        x-cloud-trace-context
+        x-appgw-trace-id
+        x-sigsci-requestid
+        x-sigsci-tags
+        akamai-user-risk
+      ].freeze
+
+      RESPONSE_HEADERS_TAGS = %w[
+        content-length
+        content-type
+        content-encoding
+        content-language
+      ].freeze
+
+      module_function
+
+      def tag_request(span, headers)
+        WAF_VENDOR_HEADERS_TAGS.each do |name|
+          value = headers.get(name)
+          span.set_tag("http.request.headers.#{name}", value) if value
+        end
+      end
+
+      def tag_response(span, headers)
+        RESPONSE_HEADERS_TAGS.each do |name|
+          value = headers.get(name)
+          span.set_tag("http.response.headers.#{name}", value.to_s) if value
+        end
+      end
+    end
+  end
+end

data/lib/datadog/core/configuration/settings.rb

@@ -107,6 +107,7 @@ module Datadog
         option :api_key do |o|
           o.type :string, nilable: true
           o.env Core::Environment::Ext::ENV_API_KEY
+          o.skip_telemetry true
         end
 
         # Datadog diagnostic settings.
@@ -394,16 +395,19 @@ module Datadog
               o.default false
             end
 
-            # Controls data collection for the timeline feature.
-            #
-            # If you needed to disable this, please tell us why on <https://github.com/DataDog/dd-trace-rb/issues/new>,
-            # so we can fix it!
-            #
-            # @default `DD_PROFILING_TIMELINE_ENABLED` environment variable as a boolean, otherwise `true`
+            # DEV-3.0: Remove `timeline_enabled` option
             option :timeline_enabled do |o|
               o.type :bool
               o.env 'DD_PROFILING_TIMELINE_ENABLED'
               o.default true
+              o.after_set do |_, _, precedence|
+                unless precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
+                  Core.log_deprecation(key: :timeline_enabled) do
+                    'The profiling.advanced.timeline_enabled setting has been deprecated for removal and no longer does anything. ' \
+                      'Please remove it from your Datadog.configure block and do not set DD_PROFILING_TIMELINE_ENABLED.'
+                  end
+                end
+              end
             end
 
             # The profiler gathers data by sending `SIGPROF` unix signals to Ruby application threads.