newrelic_rpm 9.8.0 → 9.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fac159d955f3aaf1b926d68335c05f8bbea9fa3089bed68bee11f9bb50243361
-  data.tar.gz: 783c82413e45080741cbc9fd9fe0488b59cede5b64d359af46cf524d871b7763
+  metadata.gz: d3793bb498826b000ad9e00e7d57de0e95988c4ba213e341a6a8c18f90df772e
+  data.tar.gz: 6cb26b15c2faace4a7e1fd6775a3f69f965beaad10f395e0fb618cb411dbacfe
 SHA512:
-  metadata.gz: ae3deb3425be91f81d30fd76f6af95ec2ff573f2941e17474cbc96cadd70baa7eda534fcb8886ed039b71eba202d81ef9098600e307dcdf27919f84612eea15d
-  data.tar.gz: 4000a2bd73ea4eee6853878630d777226c39af0b46aafa8946bc167495728dc754136731162e660e6fbc895d2df1ca12709e3d2e60be4df8ae5f09035e072cfe
+  metadata.gz: acb8dd0c767f40796fa1afb9cc26c0a57a9bdd83a4cbf550589a094f5cf48da32caf1d4c0f10e154633b754086bd62aa17d393bffa37eee5a0128e72c3bd6160
+  data.tar.gz: 6ce06fe8f1506405b7696089bf366e1aa0ccd60ab0d5034b22db87ac3c4523bd9d8d4dc4a6b568515cd516cd5c64babf853cdfed4af1839fd45cbed0450994f5

data/CHANGELOG.md

@@ -1,5 +1,49 @@
 # New Relic Ruby Agent Release Notes
 
+## v9.10.0
+
+Version 9.10.0 introduces instrumentation for DynamoDB, adds a new feature to automatically apply nonces from the Rails content security policy, fixes a bug that would cause an expected error to negatively impact a transaction's Apdex, and fixes the agent's autostart logic so that by default `rails runner` and `rails db` commands will not cause the agent to start.
+
+- **Feature: Add instrumentation for DynamoDB**
+  
+    The agent has added instrumentation for the aws-sdk-dynamodb gem. The agent will now record datastore spans for DynamoDB client calls made with the aws-sdk-dynamodb gem.  [PR#2642](https://github.com/newrelic/newrelic-ruby-agent/pull/2642)
+
+- **Feature: Automatically apply nonces from the Rails content security policy**
+
+  To auto-inject browser monitoring with the New Relic Ruby agent, you either need to set your content security policy to 'unsafe-inline' or provide a nonce. Previously, the only way to provide a nonce was by using the [`NewRelic::Agent.browser_timing_header`](https://rubydoc.info/gems/newrelic_rpm/NewRelic/Agent#browser_timing_header-instance_method) API. Now, when a Rails application uses [the content security policy configuration to add a nonce](https://guides.rubyonrails.org/security.html#adding-a-nonce), the nonce will be automatically applied to the browser agent. A new configuration option, [`browser_monitoring.content_security_policy_nonce`](https://docs.newrelic.com/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration/#browser_monitoring-content_security_policy_nonce), toggles this feature. It is on by default. Thank you [@baldarn](https://github.com/baldarn) for submitting this feature! [PR#2544](https://github.com/newrelic/newrelic-ruby-agent/pull/2544)
+
+- **Bugfix: Expected errors related to HTTP status code, class, and message won't impact Apdex**
+
+  The agent is supposed to prevent observed application errors from negatively impacting Apdex if the errors are either ignored or expected. There are two ways for the agent to expect an error: via the `notice_error` API receiving an `expected: true` argument or via matches made against user-configured lists for expected HTTP status codes (`:'error_collector.expected_status_codes'`), expected error classes (`:'error_collector.expected_classes'`), or expected error messages (`:'error_collector.expected_messages'`). Previously, only errors expected via the `notice_error` API were correctly prevented from impacting Apdex. Expected errors set by configuration incorrectly impacted Apdex. This behavior has been fixed and now both types of expected errors will correctly not impact Apdex. Thanks very much to [@florianpilz](https://github.com/florianpilz) for bringing this issue to our attention. [PR#2619](https://github.com/newrelic/newrelic-ruby-agent/pull/2619)
+
+- **Bugfix: Do not start the agent automatically when `rails runner` or `rails db` commands are ran**
+
+  [PR#2239](https://github.com/newrelic/newrelic-ruby-agent/pull/2239) taught the agent how to recognize `bin/rails` based contexts that it should not automatically start up in. But `bin/rails runner` and `bin/rails db` commands would still see the agent start automatically. Those 2 contexts will now no longer see the agent start automatically. Thank you to [@jdelStrother](https://github.com/jdelStrother) for both bringing the `bin/rails` context to our attention and for letting us know about the `bin/rails runner` and `bin/rails db` outliers that still needed fixing. [PR#2623](https://github.com/newrelic/newrelic-ruby-agent/pull/2623)
+
+  Older agent versions that are still supported by New Relic can update to the new list of denylisted constants by having the following line added to the `newrelic.yml` configuration file:
+
+  ```yaml
+    autostart.denylisted_constants: "Rails::Command::ConsoleCommand,Rails::Command::CredentialsCommand,Rails::Command::Db::System::ChangeCommand,Rails::Command::DbConsoleCommand,Rails::Command::DestroyCommand,Rails::Command::DevCommand,Rails::Command::EncryptedCommand,Rails::Command::GenerateCommand,Rails::Command::InitializersCommand,Rails::Command::NotesCommand,Rails::Command::RakeCommand,Rails::Command::RoutesCommand,Rails::Command::RunnerCommand,Rails::Command::SecretsCommand,Rails::Console,Rails::DBConsole"
+  ```
+
+## v9.9.0
+
+Version 9.9.0 introduces support for AWS Lambda serverless function observability, adds support for Elasticsearch 8.13.0, and adds the 'request.temperature' attribute to chat completion summaries in ruby-openai instrumentation.
+
+- **Feature: Serverless Mode for AWS Lambda**
+
+  The Ruby agent is now capable of operating in a quick and light serverless mode suitable for observing AWS Lambda function invocations. For serverless use, the agent is delivered by a New Relic Lambda [layer](https://github.com/newrelic/newrelic-lambda-layers) that can be associated with a Lambda function. All reported data will appear in New Relic's dedicated serverless UI views. Only AWS based Lambda functions are supported for now, though support for other cloud hosted serverless offerings may be added in future depending on Ruby customer demand. The serverless functionality is only intended for use with the official New Relic Ruby layers for Lambda. Any existing workflows that involve the manual use of the Ruby agent in an AWS Lambda context without a New Relic layer should not be impacted.
+
+  For more details, see our [getting started guide](https://docs.newrelic.com/docs/serverless-function-monitoring/aws-lambda-monitoring/get-started/monitoring-aws-lambda-serverless-monitoring/).
+
+- **Feature: Add support for Elasticsearch 8.13.0**
+
+  Elasticsearch 8.13.0 increased the number of arguments used in the method the agent instruments, `Elastic::Transport::Client#perform_request`. Now, the agent supports a variable number of arguments for the instrumented method to prevent future `ArgumentError`s.
+
+- **Bugfix: Add 'request.temperature' to ruby-openai chat completion summaries**
+
+  Previously, the agent was not reporting the `request.temperature` attribute on `LlmChatCompletionSummary` events through ruby-openai instrumentation. We are now reporting this attribute.
+
 ## v9.8.0
 
 Version 9.8.0 introduces instrumentation for ruby-openai, adds the option to store tracer state on the thread-level, hardens the browser agent insertion logic to better proactively anticipate errors, and prevents excpetions from being raised in the Active Support Broadcast logger instrumentation.
@@ -15,7 +59,7 @@ Version 9.8.0 introduces instrumentation for ruby-openai, adds the option to sto
   This version introduces two new APIs that allow users to record additional information on LLM events:
   * `NewRelic::Agent.record_llm_feedback_event` - Records user feedback events.
   * `NewRelic::Agent.set_llm_token_count_callback` - Sets a callback proc for calculating `token_count` attributes for embedding and chat completion message events.
-  
+
   Visit [RubyDoc](https://rubydoc.info/github/newrelic/newrelic-ruby-agent/) for more information on each of these APIs.
 
 - **Feature: Store tracer state on thread-level**
@@ -49,7 +93,7 @@ Version 9.7.0 introduces ViewComponent instrumentation, changes the endpoint use
 
 - **Feature: ViewComponent instrumentation**
 
-  [ViewComponent](https://viewcomponent.org/) is a now an instrumented library. [PR#2367](https://github.com/newrelic/newrelic-ruby-agent/pull/2367) 
+  [ViewComponent](https://viewcomponent.org/) is a now an instrumented library. [PR#2367](https://github.com/newrelic/newrelic-ruby-agent/pull/2367)
 
 - **Feature: Use root path to access Elasticsearch cluster name**
 

data/README.md

@@ -23,6 +23,9 @@ can be found on [our docs site](http://docs.newrelic.com/docs/ruby/supported-fra
 You can also monitor non-web applications. Refer to the "Other
 Environments" section below.
 
+We offer an AWS Lambda layer for instrumenting your serverless Ruby functions.
+Details can be found on our [getting started guide](https://docs.newrelic.com/docs/serverless-function-monitoring/aws-lambda-monitoring/get-started/monitoring-aws-lambda-serverless-monitoring/).
+
 ## Installing and Using
 
 The latest released gem for the Ruby agent can be found at [RubyGems.org](https://rubygems.org/gems/newrelic_rpm)

data/Rakefile

@@ -134,5 +134,5 @@ task :console do
   require 'pry' if ENV['ENABLE_PRY']
   require 'newrelic_rpm'
   ARGV.clear
-  Pry.start
+  ENV['ENABLE_PRY'] ? Pry.start : binding.irb # rubocop:disable Lint/Debugger
 end

data/lib/bootstrap.rb

@@ -0,0 +1,105 @@
+# This file is distributed under New Relic's license terms.
+# See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details.
+# frozen_string_literal: true
+
+# This file is designed to bootstrap a `Bundler.require`-based Ruby app (such as
+# a Ruby on Rails app) so the app can be instrumented and observed by the
+# New Relic Ruby agent without the agent being added to the app as a dependency.
+# NOTE: introducing the agent into your application via bootstrap is in beta.
+# Use at your own risk.
+#
+# Given a production-ready Ruby app that optionally has a pre-packaged "frozen"
+# or "deployment"–gem bundle, the New Relic Ruby agent can be introduced
+# to the app without modifying the app and keeping all of the app's content
+# read-only.
+#
+# Prerequisites:
+#   - Ruby (tested v2.4+)
+#   - Bundler (included with Ruby, tested v1.17+)
+#
+# Instructions:
+#   - First, make sure the New Relic Ruby agent exists on disk. For these
+#     instructions, we'll assume the agent exists at `/newrelic`.
+#     - The agent can be downloaded as the "newrelic_rpm" gem from RubyGems.org
+#       and unpacked with "gem unpack"
+#     - The agent can be cloned from the New Relic public GitHub repo:
+#       https://github.com/newrelic/newrelic-ruby-agent
+#   - Next, use the "RUBYOPT" environment variable to require ("-r") this
+#     file (note that the ".rb" extension is dropped):
+#       ```
+#       export RUBYOPT="-r /newrelic/lib/bootstrap"
+#       ```
+#    - Add your New Relic license key as an environment variable.
+#       ```
+#       export NEW_RELIC_LICENSE_KEY=1a2b3c4d5e67f8g9h0i
+#       ```
+#   - Launch an existing Ruby app as usual. For a Ruby on Rails app, this might
+#     involve running `bin/rails server`.
+#   - In the Ruby app's directory, look for and inspect
+#     `log/newrelic_agent.log`. If this file exists and there are no "WARN" or
+#     "ERROR" entries within it, then the agent was successfully introduced to
+#     the Ruby application.
+
+module NRBundlerPatch
+  NR_AGENT_GEM = 'newrelic_rpm'
+
+  def require(*_groups)
+    super
+
+    require_newrelic
+  end
+
+  def require_newrelic
+    lib = File.dirname(__FILE__)
+    $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+    Kernel.require NR_AGENT_GEM
+  end
+end
+
+class NRBundlerPatcher
+  BUNDLER = 'bundler'
+  RUBYOPT = 'RUBYOPT'
+
+  def self.patch
+    check_for_require
+    check_for_rubyopt
+    check_for_bundler
+    Bundler::Runtime.prepend(NRBundlerPatch)
+  end
+
+  private
+
+  def self.check_for_require
+    warn_and_exit "#{__FILE__} is meant to be required, not invoked directly" if $PROGRAM_NAME == __FILE__
+  end
+
+  def self.check_for_rubyopt
+    unless ENV[RUBYOPT].to_s.match?("-r #{__FILE__.rpartition('.').first}")
+      warn_and_exit "#{__FILE__} is meant to be required via the RUBYOPT env var"
+    end
+  end
+
+  def self.check_for_bundler
+    require_bundler
+
+    warn_and_exit 'Required Ruby Bundler class Bundler::Runtime not defined!' unless defined?(Bundler::Runtime)
+
+    unless Bundler::Runtime.method_defined?(:require)
+      warn_and_exit "The active Ruby Bundler instance doesn't offer Bundler::Runtime#require"
+    end
+  end
+
+  def self.require_bundler
+    require BUNDLER
+  rescue LoadError => e
+    warn_and_exit "Required Ruby library '#{BUNDLER}' could not be required - #{e}"
+  end
+
+  def self.warn_and_exit(msg)
+    warn "New Relic entrypoint at #{__FILE__} encountered an issue:\n\t#{msg}"
+
+    exit 1
+  end
+end
+
+NRBundlerPatcher.patch

data/lib/new_relic/agent/agent.rb

@@ -34,6 +34,7 @@ require 'new_relic/agent/utilization_data'
 require 'new_relic/environment_report'
 require 'new_relic/agent/attribute_filter'
 require 'new_relic/agent/adaptive_sampler'
+require 'new_relic/agent/serverless_handler'
 require 'new_relic/agent/connect/request_builder'
 require 'new_relic/agent/connect/response_handler'
 
@@ -96,6 +97,7 @@ module NewRelic
         @monotonic_gc_profiler = VM::MonotonicGCProfiler.new
         @adaptive_sampler = AdaptiveSampler.new(Agent.config[:sampling_target],
           Agent.config[:sampling_target_period_in_seconds])
+        @serverless_handler = ServerlessHandler.new
       end
 
       def init_event_handlers
@@ -172,6 +174,7 @@ module NewRelic
         attr_reader :transaction_event_recorder
         attr_reader :attribute_filter
         attr_reader :adaptive_sampler
+        attr_reader :serverless_handler
 
         def transaction_event_aggregator
           @transaction_event_recorder.transaction_event_aggregator
@@ -307,7 +310,7 @@ module NewRelic
           @stats_engine = StatsEngine.new
         end
 
-        def flush_pipe_data
+        def flush_pipe_data # used only by resque
           if connected? && @service.is_a?(PipeService)
             transmit_data_types
           end

data/lib/new_relic/agent/agent_helpers/connect.rb

@@ -27,9 +27,13 @@ module NewRelic
           @connect_state == :disconnected
         end
 
-        # Don't connect if we're already connected, or if we tried to connect
-        # and were rejected with prejudice because of a license issue, unless
-        # we're forced to by force_reconnect.
+        def serverless?
+          Agent.config[:'serverless_mode.enabled']
+        end
+
+        # Don't connect if we're already connected, if we're in serverless mode,
+        # or if we tried to connect and were rejected with prejudice because of
+        # a license issue, unless we're forced to by force_reconnect.
         def should_connect?(force = false)
           force || (!connected? && !disconnected?)
         end
@@ -62,10 +66,8 @@ module NewRelic
         # no longer try to connect to the server, saving the
         # application and the server load
         def handle_license_error(error)
-          ::NewRelic::Agent.logger.error( \
-            error.message, \
-            'Visit NewRelic.com to obtain a valid license key, or to upgrade your account.'
-          )
+          ::NewRelic::Agent.logger.error(error.message,
+            'Visit newrelic.com to obtain a valid license key, or to upgrade your account.')
           disconnect
         end
 
@@ -94,7 +96,7 @@ module NewRelic
         # connects, then configures the agent using the response from
         # the connect service
         def connect_to_server
-          request_builder = ::NewRelic::Agent::Connect::RequestBuilder.new( \
+          request_builder = ::NewRelic::Agent::Connect::RequestBuilder.new(
             @service,
             Agent.config,
             event_harvest_config,

data/lib/new_relic/agent/agent_helpers/start_worker_thread.rb

@@ -128,7 +128,7 @@ module NewRelic
           catch_errors do
             NewRelic::Agent.disable_all_tracing do
               connect(connection_options)
-              if connected?
+              if NewRelic::Agent.instance.connected?
                 create_and_run_event_loop
                 # never reaches here unless there is a problem or
                 # the agent is exiting

data/lib/new_relic/agent/agent_helpers/startup.rb

@@ -124,6 +124,8 @@ module NewRelic
         # Warn the user if they have configured their agent not to
         # send data, that way we can see this clearly in the log file
         def monitoring?
+          return false if Agent.config[:'serverless_mode.enabled']
+
           if Agent.config[:monitor_mode]
             true
           else
@@ -146,7 +148,6 @@ module NewRelic
           end
         end
 
-        # A correct license key exists and is of the proper length
         def has_correct_license_key?
           has_license_key? && correct_license_length
         end

data/lib/new_relic/agent/agent_logger.rb

@@ -132,7 +132,8 @@ module NewRelic
       end
 
       def wants_stdout?
-        ::NewRelic::Agent.config[:log_file_path].casecmp(NewRelic::STANDARD_OUT) == 0
+        ::NewRelic::Agent.config[:log_file_path].casecmp(NewRelic::STANDARD_OUT) == 0 ||
+          ::NewRelic::Agent.config[:'serverless_mode.enabled']
       end
 
       def find_or_create_file_path(path_setting, root)

data/lib/new_relic/agent/aws.rb

@@ -0,0 +1,56 @@
+# This file is distributed under New Relic's license terms.
+# See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details.
+# frozen_string_literal: true
+
+module NewRelic
+  module Agent
+    module Aws
+      CHARACTERS = %w[A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 2 3 4 5 6 7].freeze
+      HEX_MASK = '7fffffffff80'
+
+      def self.create_arn(service, resource, config)
+        region = config.region
+        account_id = NewRelic::Agent::Aws.convert_access_key_to_account_id(config.credentials.access_key_id)
+
+        "arn:aws:#{service}:#{region}:#{account_id}:#{resource}"
+      rescue => e
+        NewRelic::Agent.logger.warn("Failed to create ARN: #{e}")
+      end
+
+      def self.convert_access_key_to_account_id(access_key)
+        decoded_key = Integer(decode_to_hex(access_key[4..-1]), 16)
+        mask = Integer(HEX_MASK, 16)
+        (decoded_key & mask) >> 7
+      end
+
+      def self.decode_to_hex(access_key)
+        bytes = access_key.delete('=').each_char.map { |c| CHARACTERS.index(c) }
+
+        bytes.each_slice(8).map do |section|
+          convert_section(section)
+        end.flatten[0...6].join
+      end
+
+      def self.convert_section(section)
+        buffer = 0
+        section.each do |chunk|
+          buffer = (buffer << 5) + chunk
+        end
+
+        chunk_count = (section.length * 5.0 / 8.0).floor
+
+        if section.length < 8
+          buffer >>= (5 - (chunk_count * 8)) % 5
+        end
+
+        decoded = []
+        chunk_count.times do |i|
+          shift = 8 * (chunk_count - 1 - i)
+          decoded << ((buffer >> shift) & 255).to_s(16)
+        end
+
+        decoded
+      end
+    end
+  end
+end

data/lib/new_relic/agent/configuration/default_source.rb

@@ -52,9 +52,24 @@ module NewRelic
           result
         end
 
+        def self.default_settings(key)
+          ::NewRelic::Agent::Configuration::DEFAULTS[key]
+        end
+
+        def self.value_from_defaults(key, subkey)
+          default_settings(key)&.send(:[], subkey)
+        end
+
+        def self.allowlist_for(key)
+          value_from_defaults(key, :allowlist)
+        end
+
+        def self.default_for(key)
+          value_from_defaults(key, :default)
+        end
+
         def self.transform_for(key)
-          default_settings = ::NewRelic::Agent::Configuration::DEFAULTS[key]
-          default_settings[:transform] if default_settings
+          value_from_defaults(key, :transform)
         end
 
         def self.config_search_paths # rubocop:disable Metrics/AbcSize
@@ -375,9 +390,11 @@ module NewRelic
           :description => <<~DESCRIPTION
             If `false`, LLM instrumentation (OpenAI only for now) will not capture input and output content on specific LLM events.
 
-            The excluded attributes include:
-              * `content` from LlmChatCompletionMessage events
-              * `input` from LlmEmbedding events
+              The excluded attributes include:
+                * `content` from LlmChatCompletionMessage events
+                * `input` from LlmEmbedding events
+
+              This is an optional security setting to prevent recording sensitive data sent to and received from your LLMs.
           DESCRIPTION
         },
         # this is only set via server side config
@@ -462,12 +479,9 @@ module NewRelic
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => 'Forces the exit handler that sends all cached data to collector ' \
-            'before shutting down to be installed regardless of detecting scenarios where it generally should not be. ' \
-            'Known use-case for this option is where Sinatra is running as an embedded service within another framework ' \
-            'and the agent is detecting the Sinatra app and skipping the `at_exit` handler as a result. Sinatra classically ' \
-            'runs the entire application in an `at_exit` block and would otherwise misbehave if the agent\'s `at_exit` handler ' \
-            'was also installed in those circumstances. Note: `send_data_on_exit` should also be set to `true` in  tandem with this setting.'
+          :description => <<~DESC
+            Forces the exit handler that sends all cached data to collector before shutting down to be installed regardless of detecting scenarios where it generally should not be. Known use-case for this option is where Sinatra is running as an embedded service within another framework and the agent is detecting the Sinatra app and skipping the `at_exit` handler as a result. Sinatra classically runs the entire application in an `at_exit` block and would otherwise misbehave if the Agent's `at_exit` handler was also installed in those circumstances. Note: `send_data_on_exit` should also be set to `true` in  tandem with this setting."
+          DESC
         },
         :high_security => {
           :default => false,
@@ -765,6 +779,15 @@ module NewRelic
           :allowed_from_server => true,
           :description => 'If `true`, enables [auto-injection](/docs/browser/new-relic-browser/installation-configuration/adding-apps-new-relic-browser#select-apm-app) of the JavaScript header for page load timing (sometimes referred to as real user monitoring or RUM).'
         },
+        # CSP nonce
+        :'browser_monitoring.content_security_policy_nonce' => {
+          :default => value_of(:'rum.enabled'),
+          :documentation_default => false,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, enables auto-injection of [Content Security Policy Nonce](https://content-security-policy.com/nonce/) in browser monitoring scripts. For now, auto-injection only works with Rails 5.2+.'
+        },
         # Transaction events
         :'transaction_events.enabled' => {
           :default => true,
@@ -800,6 +823,7 @@ module NewRelic
           :public => true,
           :type => String,
           :allowed_from_server => false,
+          :allowlist => %w[debug info warn error fatal unknown DEBUG INFO WARN ERROR FATAL UNKNOWN],
           :description => <<~DESCRIPTION
             Sets the minimum level a log event must have to be forwarded to New Relic.
 
@@ -1053,7 +1077,9 @@ module NewRelic
             Rails::Command::GenerateCommand
             Rails::Command::InitializersCommand
             Rails::Command::NotesCommand
+            Rails::Command::RakeCommand
             Rails::Command::RoutesCommand
+            Rails::Command::RunnerCommand
             Rails::Command::SecretsCommand
             Rails::Console
             Rails::DBConsole].join(','),
@@ -1424,6 +1450,14 @@ module NewRelic
           :allowed_from_server => false,
           :description => 'Controls auto-instrumentation of bunny at start-up. May be one of: `auto`, `prepend`, `chain`, `disabled`.'
         },
+        :'instrumentation.dynamodb' => {
+          :default => 'auto',
+          :public => true,
+          :type => String,
+          :dynamic_name => true,
+          :allowed_from_server => false,
+          :description => 'Controls auto-instrumentation of the aws-sdk-dynamodb library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.'
+        },
         :'instrumentation.fiber' => {
           :default => 'auto',
           :public => true,
@@ -1472,7 +1506,7 @@ module NewRelic
           :type => String,
           :dynamic_name => true,
           :allowed_from_server => false,
-          :description => 'Controls auto-instrumentation of ethon at start up. May be one of [auto|prepend|chain|disabled]'
+          :description => 'Controls auto-instrumentation of ethon at start up. May be one of `auto`, `prepend`, `chain`, `disabled`'
         },
         :'instrumentation.excon' => {
           :default => 'enabled',
@@ -1542,7 +1576,7 @@ module NewRelic
           :type => String,
           :dynamic_name => true,
           :allowed_from_server => false,
-          :description => 'Controls auto-instrumentation of httpx at start up. May be one of [auto|prepend|chain|disabled]'
+          :description => 'Controls auto-instrumentation of httpx at start up. May be one of `auto`, `prepend`, `chain`, `disabled`'
         },
         :'instrumentation.logger' => {
           :default => instrumentation_value_from_boolean(:'application_logging.enabled'),
@@ -1604,7 +1638,7 @@ module NewRelic
           :type => String,
           :dynamic_name => true,
           :allowed_from_server => false,
-          :description => 'Controls auto-instrumentation of the ruby-openai gem at start-up. May be one of: `auto`, `prepend`, `chain`, `disabled`.'
+          :description => 'Controls auto-instrumentation of the ruby-openai gem at start-up. May be one of: `auto`, `prepend`, `chain`, `disabled`. Defaults to `disabled` in high security mode.'
         },
         :'instrumentation.puma_rack' => {
           :default => value_of(:'instrumentation.rack'),
@@ -1844,6 +1878,17 @@ module NewRelic
           :transform => DefaultSource.method(:convert_to_regexp_list),
           :description => 'Define transactions you want the agent to ignore, by specifying a list of patterns matching the URI you want to ignore. For more detail, see [the docs on ignoring specific transactions](/docs/agents/ruby-agent/api-guides/ignoring-specific-transactions/#config-ignoring).'
         },
+        # Serverless
+        :'serverless_mode.enabled' => {
+          :default => false,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :transform => proc { |bool| NewRelic::Agent::ServerlessHandler.env_var_set? || bool },
+          :description => 'If `true`, the agent will operate in a streamlined mode suitable for use with short-lived ' \
+                          'serverless functions. NOTE: Only AWS Lambda functions are supported currently and this ' \
+                          "option is not intended for use without [New Relic's Ruby Lambda layer](https://docs.newrelic.com/docs/serverless-function-monitoring/aws-lambda-monitoring/get-started/monitoring-aws-lambda-serverless-monitoring/) offering."
+        },
         # Sidekiq
         :'sidekiq.args.include' => {
           default: NewRelic::EMPTY_ARRAY,
@@ -1936,7 +1981,11 @@ module NewRelic
           :public => true,
           :type => Integer,
           :allowed_from_server => true,
-          :description => 'Defines the maximum number of span events reported from a single harvest. Any Integer between `1` and `10000` is valid.'
+          :description => <<~DESC
+            * Defines the maximum number of span events reported from a single harvest. Any Integer between `1` and `10000` is valid.'
+              * When configuring the agent for [AI monitoring](/docs/ai-monitoring/intro-to-ai-monitoring), set to max value `10000`.\
+              This ensures that the agent captures the maximum amount of distributed traces.
+          DESC
         },
         # Strip exception messages
         :'strip_exception_messages.enabled' => {
@@ -2252,6 +2301,7 @@ module NewRelic
           :public => true,
           :type => Symbol,
           :allowed_from_server => false,
+          :allowlist => %i[none low medium high],
           :external => :infinite_tracing,
           :description => <<~DESC
             Configure the compression level for data sent to the trace observer.

data/lib/new_relic/agent/configuration/environment_source.rb

@@ -99,7 +99,7 @@ module NewRelic
             elsif !value.nil?
               self[config_key] = true
             end
-          else
+          elsif !serverless?
             ::NewRelic::Agent.logger.info("#{environment_key} does not have a corresponding configuration setting (#{config_key} does not exist).")
             ::NewRelic::Agent.logger.info('Run `rake newrelic:config:docs` or visit https://docs.newrelic.com/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration to see a list of available configuration settings.')
             self[config_key] = value
@@ -114,6 +114,14 @@ module NewRelic
         def collect_new_relic_environment_variable_keys
           ENV.keys.select { |key| key.match(SUPPORTED_PREFIXES) }
         end
+
+        # we can't rely on the :'serverless_mode.enabled' config parameter being
+        # set yet to signify serverless mode given that we're in the midst of
+        # building the config but we can always rely on the env var being set
+        # by the Lambda layer
+        def serverless?
+          NewRelic::Agent::ServerlessHandler.env_var_set?
+        end
       end
     end
   end

data/lib/new_relic/agent/configuration/manager.rb

@@ -138,7 +138,11 @@ module NewRelic
         end
 
         def evaluate_and_apply_transformations(key, value)
-          apply_transformations(key, evaluate_procs(value))
+          evaluated = evaluate_procs(value)
+          default = enforce_allowlist(key, evaluated)
+          return default if default
+
+          apply_transformations(key, evaluated)
         end
 
         def apply_transformations(key, value)
@@ -146,7 +150,7 @@ module NewRelic
             begin
               transform.call(value)
             rescue => e
-              ::NewRelic::Agent.logger.error("Error applying transformation for #{key}, pre-transform value was: #{value}.", e)
+              NewRelic::Agent.logger.error("Error applying transformation for #{key}, pre-transform value was: #{value}.", e)
               raise e
             end
           else
@@ -154,8 +158,21 @@ module NewRelic
           end
         end
 
+        def enforce_allowlist(key, value)
+          return unless allowlist = default_source.allowlist_for(key)
+          return if allowlist.include?(value)
+
+          default = default_source.default_for(key)
+          NewRelic::Agent.logger.warn "Invalid value '#{value}' for #{key}, applying default value of '#{default}'"
+          default
+        end
+
         def transform_from_default(key)
-          ::NewRelic::Agent::Configuration::DefaultSource.transform_for(key)
+          default_source.transform_for(key)
+        end
+
+        def default_source
+          NewRelic::Agent::Configuration::DefaultSource
         end
 
         def register_callback(key, &proc)
@@ -214,7 +231,7 @@ module NewRelic
               begin
                 thawed_layer[k] = instance_eval(&v) if v.respond_to?(:call)
               rescue => e
-                ::NewRelic::Agent.logger.debug("#{e.class.name} : #{e.message} - when accessing config key #{k}")
+                NewRelic::Agent.logger.debug("#{e.class.name} : #{e.message} - when accessing config key #{k}")
                 thawed_layer[k] = nil
               end
               thawed_layer.delete(:config)
@@ -383,7 +400,7 @@ module NewRelic
           # is expensive enough that we don't want to do it unless we're
           # actually going to be logging the message based on our current log
           # level, so use a `do` block.
-          ::NewRelic::Agent.logger.debug do
+          NewRelic::Agent.logger.debug do
             hash = flattened.delete_if { |k, _h| DEFAULTS.fetch(k, {}).fetch(:exclude_from_reported_settings, false) }
             "Updating config (#{direction}) from #{source.class}. Results: #{hash.inspect}"
           end

data/lib/new_relic/agent/configuration/yaml_source.rb

@@ -53,6 +53,8 @@ module NewRelic
         protected
 
         def validate_config_file_path(path)
+          return if NewRelic::Agent.config[:'serverless_mode.enabled']
+
           expanded_path = File.expand_path(path)
 
           if path.empty? || !File.exist?(expanded_path)

data/lib/new_relic/agent/connect/request_builder.rb

@@ -24,7 +24,7 @@ module NewRelic
             :host => local_host,
             :display_host => Agent.config[:'process_host.display_name'],
             :app_name => Agent.config[:app_name],
-            :language => 'ruby',
+            :language => LANGUAGE,
             :labels => Agent.config.parsed_labels,
             :agent_version => NewRelic::VERSION::STRING,
             :environment => @environment_report,