dd-trace 5.106.0 → 5.107.0

package/packages/dd-trace/src/aiguard/index.js

@@ -44,27 +44,46 @@ function disable () {
 /**
  * Handles channel messages with pre-converted messages.
  *
- * @param {{messages: Array<object>, integration?: string, resolve: Function, reject: Function}} ctx
+ * @param {object} ctx
+ * @param {Array<object>} ctx.messages
+ * @param {string} [ctx.integration]
+ * @param {object} [ctx.parentSpan] - LLM span to parent the `ai_guard` span under.
+ * @param {AbortController} ctx.abortController
+ * @param {Array<Promise<void>>} ctx.pending - Subscribers push only when they evaluate.
  */
 function onEvaluate (ctx) {
+  // Decline to evaluate empty payloads by not pushing to pending.
   if (!ctx.messages?.length) {
-    ctx.resolve()
     return
   }
 
-  const opts = { block, source: SOURCE_AUTO, integration: ctx.integration || INTEGRATION_NONE }
-  aiguard.evaluate(ctx.messages, opts)
-    .then(() => {
-      ctx.resolve()
-    })
-    .catch(err => {
-      if (err.name === 'AIGuardAbortError') {
-        ctx.reject(err)
-      } else {
-        log.error('AIGuard: unexpected error during evaluation: %s', err.message)
-        ctx.resolve()
-      }
-    })
+  const opts = {
+    block,
+    source: SOURCE_AUTO,
+    integration: ctx.integration || INTEGRATION_NONE,
+    childOf: ctx.parentSpan,
+  }
+
+  try {
+    ctx.pending.push(aiguard.evaluate(ctx.messages, opts).catch(handleEvaluationError.bind(null, ctx)))
+  } catch (err) {
+    ctx.pending.push(Promise.resolve().then(() => handleEvaluationError(ctx, err)))
+  }
+}
+
+/**
+ * Handles an AI Guard evaluation failure.
+ *
+ * @param {object} ctx
+ * @param {AbortController} ctx.abortController
+ * @param {Error} err
+ */
+function handleEvaluationError (ctx, err) {
+  if (err.name === 'AIGuardAbortError') {
+    ctx.abortController.abort(err)
+  } else {
+    log.error('AIGuard: unexpected error during evaluation: %s', err.message)
+  }
 }
 
 module.exports = { enable, disable }

package/packages/dd-trace/src/aiguard/sdk.js

@@ -1,7 +1,8 @@
 'use strict'
 
 const rfdc = require('../../../../vendor/dist/rfdc')({ proto: false, circles: false })
-const { HTTP_CLIENT_IP, NETWORK_CLIENT_IP } = require('../../../../ext/tags')
+const { HTTP_CLIENT_IP, NETWORK_CLIENT_IP, HTTP_USERAGENT } = require('../../../../ext/tags')
+const { USER_ID, USER_SESSION_ID } = require('../appsec/addresses')
 const { getActiveRequest } = require('../appsec/store')
 const log = require('../log')
 const { extractIp } = require('../plugins/util/ip_extractor')
@@ -17,6 +18,16 @@ const aiguardMetrics = telemetryMetrics.manager.namespace('ai_guard')
 
 const ALLOW = 'ALLOW'
 
+// Tags from the service entry span that must be mirrored onto every AI Guard span
+// so anomaly detection pipelines can process each span independently.
+const SERVICE_ENTRY_TAG_MAPPINGS = [
+  [HTTP_USERAGENT, TAGS.HTTP_USERAGENT_TAG_KEY],
+  [HTTP_CLIENT_IP, TAGS.HTTP_CLIENT_IP_TAG_KEY],
+  [NETWORK_CLIENT_IP, TAGS.NETWORK_CLIENT_IP_TAG_KEY],
+  [USER_ID, TAGS.USR_ID_TAG_KEY],
+  [USER_SESSION_ID, TAGS.USR_SESSION_ID_TAG_KEY],
+]
+
 /**
  * Reports a telemetry error
  *
@@ -181,13 +192,32 @@ class AIGuard extends NoopAIGuard {
     }
   }
 
+  /**
+   * Copies service entry span tags needed by anomaly detection to the AI Guard span.
+   *
+   * @param {import('../opentracing/span')} guardSpan
+   * @param {import('../opentracing/span')} rootSpan
+   */
+  #copyServiceEntryTagsToGuardSpan (guardSpan, rootSpan) {
+    const rootTags = rootSpan.context().getTags()
+    for (const [sourceTag, destTag] of SERVICE_ENTRY_TAG_MAPPINGS) {
+      const value = rootTags[sourceTag]
+      if (value !== undefined && value !== null) {
+        guardSpan.setTag(destTag, value)
+      }
+    }
+  }
+
   evaluate (messages, opts) {
     if (!this.#initialized) {
       return super.evaluate(messages, opts)
     }
-    const { block = true, source = TAGS.SOURCE_SDK, integration = TAGS.INTEGRATION_NONE } = opts ?? {}
+    const { block = true, source = TAGS.SOURCE_SDK, integration = TAGS.INTEGRATION_NONE, childOf } = opts ?? {}
     const telemetryTags = { source, integration }
-    return this.#tracer.trace(TAGS.RESOURCE, {}, async (span) => {
+    // Only pass `childOf` when truthy so `tracer.trace`'s default (`scope().active()`)
+    // still applies for SDK callers that don't supply an explicit parent.
+    const traceOpts = childOf ? { childOf } : {}
+    return this.#tracer.trace(TAGS.RESOURCE, traceOpts, async (span) => {
       const last = messages[messages.length - 1]
       const target = this.#isToolCall(last) ? 'tool' : 'prompt'
       span.setTag(TAGS.TARGET_TAG_KEY, target)
@@ -206,6 +236,7 @@ class AIGuard extends NoopAIGuard {
       const rootSpan = span.context()?._trace?.started?.[0]
       if (rootSpan) {
         this.#setRootSpanClientIpTags(rootSpan)
+        this.#copyServiceEntryTagsToGuardSpan(span, rootSpan)
         // keepTrace must be called before executeRequest so the sampling decision
         // is propagated correctly to outgoing HTTP client calls.
         keepTrace(rootSpan, AI_GUARD)

package/packages/dd-trace/src/aiguard/tags.js

@@ -10,6 +10,12 @@ module.exports = {
   EVENT_TAG_KEY: 'ai_guard.event',
   META_STRUCT_KEY: 'ai_guard',
 
+  HTTP_USERAGENT_TAG_KEY: 'ai_guard.http.useragent',
+  HTTP_CLIENT_IP_TAG_KEY: 'ai_guard.http.client_ip',
+  NETWORK_CLIENT_IP_TAG_KEY: 'ai_guard.network.client.ip',
+  USR_ID_TAG_KEY: 'ai_guard.usr.id',
+  USR_SESSION_ID_TAG_KEY: 'ai_guard.usr.session_id',
+
   TELEMETRY_REQUESTS: 'requests',
   TELEMETRY_TRUNCATED: 'truncated',
   TELEMETRY_ERROR: 'error',

package/packages/dd-trace/src/ci-visibility/exporters/agentless/index.js

@@ -9,7 +9,7 @@ const CoverageWriter = require('./coverage-writer')
 class AgentlessCiVisibilityExporter extends CiVisibilityExporter {
   constructor (config) {
     super(config)
-    const { tags, site, url, isTestDynamicInstrumentationEnabled } = config
+    const { tags, site, DD_CIVISIBILITY_AGENTLESS_URL: url, isTestDynamicInstrumentationEnabled } = config
     // we don't need to request /info because we are using agentless by configuration
     this._isInitialized = true
     this._resolveCanUseCiVisProtocol(true)

package/packages/dd-trace/src/config/defaults.js

@@ -72,6 +72,12 @@ for (const [name, value] of Object.entries(defaults)) {
 function generateTelemetry (value = null, origin, optionName) {
   const tableEntry = configurationsTable[optionName]
   const { type, canonicalName = optionName } = tableEntry ?? { type: typeof value }
+  // Sensitive configurations are excluded from configuration telemetry: their
+  // entry is never added to `configWithOrigin`, the single source for every
+  // telemetry path (app-started and app-client-configuration-change).
+  if (sensitiveConfigurations.has(canonicalName)) {
+    return
+  }
   // TODO: Should we not send defaults to telemetry to reduce size?
   // TODO: How to handle aliases/actual names in the future? Optional fields? Normalize the name at intake?
   // TODO: Validate that space separated tags are parsed by the backend. Optimizations would be possible with that.
@@ -196,6 +202,11 @@ const fallbackConfigurations = new Map()
 
 const regExps = {}
 
+// Canonical names of configurations whose value is excluded from configuration
+// telemetry. Driven by the `sensitive: true` attribute in
+// `supported-configurations.json` so new entries opt in without code changes.
+const sensitiveConfigurations = new Set()
+
 for (const [canonicalName, entries] of Object.entries(supportedConfigurations)) {
   if (entries.length !== 1) {
     // TODO: Determine if we really want to support multiple entries for a canonical name.
@@ -207,6 +218,9 @@ for (const [canonicalName, entries] of Object.entries(supportedConfigurations))
     )
   }
   for (const entry of entries) {
+    if (entry.sensitive) {
+      sensitiveConfigurations.add(canonicalName)
+    }
     const configurationNames = entry.internalPropertyName ? [entry.internalPropertyName] : entry.configurationNames
     const fullPropertyName = configurationNames?.[0] ?? canonicalName
     const type = entry.type.toUpperCase()

package/packages/dd-trace/src/config/generated-config-types.d.ts

@@ -73,7 +73,7 @@ export interface GeneratedConfig {
   DD_APP_KEY: string | undefined;
   DD_AZURE_RESOURCE_GROUP: string | undefined;
   DD_CIVISIBILITY_AGENTLESS_ENABLED: boolean;
-  DD_CIVISIBILITY_AGENTLESS_URL: string | undefined;
+  DD_CIVISIBILITY_AGENTLESS_URL: URL | undefined;
   DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER: string | undefined;
   DD_CIVISIBILITY_DANGEROUSLY_FORCE_COVERAGE: boolean;
   DD_CIVISIBILITY_DANGEROUSLY_FORCE_TEST_SKIPPING: boolean;

package/packages/dd-trace/src/config/helper.js

@@ -13,6 +13,7 @@
  * @property {string} [transform]
  * @property {string} [allowed]
  * @property {string|boolean} [deprecated]
+ * @property {boolean} [sensitive] Excludes the configuration value from configuration telemetry.
  */
 
 /**

package/packages/dd-trace/src/config/index.js

@@ -2,7 +2,7 @@
 
 const fs = require('node:fs')
 const os = require('node:os')
-const { URL } = require('node:url')
+const { URL, format } = require('node:url')
 
 const rfdc = require('../../../../vendor/dist/rfdc')({ proto: false, circles: false })
 const uuid = require('../../../../vendor/dist/crypto-randomuuid') // we need to keep the old uuid dep because of cypress
@@ -322,18 +322,14 @@ class Config extends ConfigBase {
   #applyCalculated () {
     undo(this, 'calculated')
 
-    if (this.DD_CIVISIBILITY_AGENTLESS_URL ||
-        this.url ||
+    if (this.url ||
         os.type() !== 'Windows_NT' &&
         !trackedConfigOrigins.has('hostname') &&
         !trackedConfigOrigins.has('port') &&
-        !this.DD_CIVISIBILITY_AGENTLESS_ENABLED &&
         fs.existsSync('/var/run/datadog/apm.socket')) {
-      setAndTrack(
-        this,
-        'url',
-        new URL(this.DD_CIVISIBILITY_AGENTLESS_URL || this.url || 'unix:///var/run/datadog/apm.socket')
-      )
+      setAndTrack(this, 'url', new URL(this.url || 'unix:///var/run/datadog/apm.socket'))
+    } else {
+      setAndTrack(this, 'url', new URL(format({ protocol: 'http:', hostname: this.hostname, port: this.port })))
     }
 
     if (this.isCiVisibility) {

package/packages/dd-trace/src/config/parsers.js

@@ -145,6 +145,14 @@ const transformers = {
     }
     return value.replaceAll(/\s*:\s*/g, ':')
   },
+  /**
+   * @param {string} value
+   */
+  toURL (value) {
+    try {
+      return new URL(value)
+    } catch {}
+  },
   validatePropagationStyles (value, optionName) {
     value = transformers.toLowerCase(value)
     for (let index = 0; index < value.length; index++) {

package/packages/dd-trace/src/config/supported-configurations.json

@@ -111,7 +111,8 @@
         "aliases": [
           "DATADOG_API_KEY"
         ],
-        "internalPropertyName": "apiKey"
+        "internalPropertyName": "apiKey",
+        "sensitive": true
       }
     ],
     "DD_API_SECURITY_ENABLED": [
@@ -423,7 +424,8 @@
       {
         "implementation": "A",
         "type": "string",
-        "default": null
+        "default": null,
+        "sensitive": true
       }
     ],
     "DD_AZURE_RESOURCE_GROUP": [
@@ -444,6 +446,7 @@
       {
         "implementation": "A",
         "type": "string",
+        "transform": "toURL",
         "default": null
       }
     ],
@@ -3913,7 +3916,8 @@
       {
         "implementation": "B",
         "type": "map",
-        "default": null
+        "default": null,
+        "sensitive": true
       }
     ],
     "OTEL_EXPORTER_OTLP_TRACES_ENDPOINT": [
@@ -3930,7 +3934,8 @@
         "default": null,
         "aliases": [
           "OTEL_EXPORTER_OTLP_HEADERS"
-        ]
+        ],
+        "sensitive": true
       }
     ],
     "OTEL_EXPORTER_OTLP_TRACES_PROTOCOL": [
@@ -3968,7 +3973,8 @@
         "default": null,
         "aliases": [
           "OTEL_EXPORTER_OTLP_HEADERS"
-        ]
+        ],
+        "sensitive": true
       }
     ],
     "OTEL_EXPORTER_OTLP_LOGS_PROTOCOL": [
@@ -4006,7 +4012,8 @@
         "default": null,
         "aliases": [
           "OTEL_EXPORTER_OTLP_HEADERS"
-        ]
+        ],
+        "sensitive": true
       }
     ],
     "OTEL_EXPORTER_OTLP_METRICS_PROTOCOL": [

package/packages/dd-trace/src/crashtracking/crashtracker.js

@@ -7,7 +7,6 @@ const libdatadog = require('@datadog/libdatadog')
 const binding = libdatadog.load('crashtracker')
 
 const log = require('../log')
-const { getAgentUrl } = require('../agent/url')
 const pkg = require('../../../../package.json')
 const processTags = require('../process-tags')
 
@@ -68,7 +67,7 @@ class Crashtracker {
    * @param {import('../config/config-base')} config - Tracer configuration
    */
   #getConfig (config) {
-    const url = getAgentUrl(config)
+    const url = config.url
 
     // Out-of-process symbolication currently works on
     // Linux only, does not work on Mac.
@@ -78,6 +77,7 @@ class Crashtracker {
 
     return {
       additional_files: [],
+      collect_all_threads: true,
       create_alt_stack: true,
       use_alt_stack: true,
       endpoint: {

package/packages/dd-trace/src/datastreams/writer.js

@@ -5,7 +5,6 @@ const pkg = require('../../../../package.json')
 const log = require('../log')
 const request = require('../exporters/common/request')
 const { encode: encodeMsgpack } = require('../msgpack')
-const { getAgentUrl } = require('../agent/url')
 
 function makeRequest (data, url, cb) {
   const options = {
@@ -29,7 +28,7 @@ function makeRequest (data, url, cb) {
 
 class DataStreamsWriter {
   constructor (config) {
-    this._url = getAgentUrl(config)
+    this._url = config.url
   }
 
   flush (payload) {

package/packages/dd-trace/src/debugger/config.js

@@ -16,7 +16,7 @@ module.exports = function getDebuggerConfig (config, inputPath) {
     repositoryUrl,
     runtimeId: config.tags['runtime-id'],
     service: config.service,
-    url: config.url?.toString(),
+    url: config.url.toString(),
     version: config.version,
     inputPath,
   }

package/packages/dd-trace/src/debugger/devtools_client/config.js

@@ -1,7 +1,6 @@
 'use strict'
 
 const { workerData: { config: parentConfig, parentThreadId, configPort } } = require('node:worker_threads')
-const { getAgentUrl } = require('../../agent/url')
 const processTags = require('../../process-tags')
 const log = require('./log')
 
@@ -21,6 +20,8 @@ configPort.on('messageerror', (err) =>
 )
 
 function updateConfig (updates) {
-  config.url = getAgentUrl(updates)
+  // The worker receives a serialized config (see ../config.js) where `url` is a string, so it is
+  // reconstructed into a URL here rather than read directly off a Config instance.
+  config.url = new URL(updates.url)
   config.dynamicInstrumentation.captureTimeoutNs = BigInt(updates.dynamicInstrumentation.captureTimeoutMs) * 1_000_000n
 }

package/packages/dd-trace/src/debugger/index.js

@@ -6,7 +6,6 @@ const { join } = require('path')
 const { Worker, MessageChannel, threadId: parentThreadId } = require('worker_threads')
 const log = require('../log')
 const { fetchAgentInfo } = require('../agent/info')
-const { getAgentUrl } = require('../agent/url')
 const getDebuggerConfig = require('./config')
 const { DEBUGGER_DIAGNOSTICS_V1, DEBUGGER_INPUT_V2 } = require('./constants')
 
@@ -211,7 +210,7 @@ function cleanup (error) {
 function detectDebuggerEndpoint (config, cb) {
   log.debug('[debugger] Detecting available debugger endpoints...')
 
-  fetchAgentInfo(getAgentUrl(config), (err, agentInfo) => {
+  fetchAgentInfo(config.url, (err, agentInfo) => {
     if (err) {
       log.warn('[debugger] Failed to query agent %s endpoint, falling back to %s',
         DEBUGGER_INPUT_V2,

package/packages/dd-trace/src/dogstatsd.js

@@ -6,7 +6,6 @@ const isIP = require('net').isIP
 const request = require('./exporters/common/request')
 const log = require('./log')
 const Histogram = require('./histogram')
-const { getAgentUrl } = require('./agent/url')
 const { entityId } = require('./exporters/common/docker')
 
 const MAX_BUFFER_SIZE = 1024 // limit from the agent
@@ -191,8 +190,8 @@ class DogStatsDClient {
       lookup: config.lookup,
     }
 
-    if (config.url || config.port) {
-      clientConfig.metricsProxyUrl = getAgentUrl(config)
+    if (config.url) {
+      clientConfig.metricsProxyUrl = config.url
     }
 
     return clientConfig

package/packages/dd-trace/src/encode/0.4.js

@@ -3,7 +3,7 @@
 const getConfig = require('../config')
 const { MsgpackChunk } = require('../msgpack')
 const log = require('../log')
-const { normalizeSpan } = require('./tags-processors')
+const { normalizeSpan, eventTimeNano } = require('./tags-processors')
 
 const SOFT_LIMIT = 8 * 1024 * 1024 // 8MB
 // Values longer than this byte threshold skip the `_stringMap` lookup and
@@ -114,8 +114,10 @@ const ATTR_PAYLOAD_BOOL_FALSE = Buffer.concat([ATTR_PREFIX_BOOL, Buffer.from([0x
 function formatSpanWithLegacyEvents (span) {
   span = normalizeSpan(span)
   if (span.span_events) {
-    // TODO: this is currently a main cost driver. By unifying it with the formatter
-    // it should be possible to improve performance significantly overall.
+    // Reads the raw `_events` array directly (no formatter pre-reshape) and
+    // serializes to the legacy meta.events JSON string. The serialization is
+    // still the main cost on the legacy path; the native span_events slot
+    // (`#encodeSpanEvents`) avoids it entirely.
     span.meta.events = stringifySpanEvents(span.span_events)
     // `= undefined` over `delete` to keep the span's hidden class — `delete`
     // would push every event-bearing span into V8 dictionary mode.
@@ -125,14 +127,15 @@ function formatSpanWithLegacyEvents (span) {
 }
 
 /**
- * Hand-written stringifier for `span.span_events`. The shape is fixed by
- * `extractSpanEvents` (`{ name, time_unix_nano, attributes? }`) and attribute
- * values are pre-sanitized to primitives or arrays of primitives, so we can
- * skip everything `JSON.stringify` does for the generic case (toJSON probing,
- * key iteration over the prototype chain, replacer hooks). Output matches
- * `JSON.stringify(spanEvents)` byte-for-byte for the post-sanitization shape.
+ * Hand-written stringifier for `span.span_events`. Events arrive in their raw
+ * `{ name, startTime, attributes? }` shape; `time_unix_nano` is derived per
+ * event via `eventTimeNano` and empty attribute objects are dropped, matching
+ * what the formatter used to precompute. Attribute values are pre-sanitized to
+ * primitives or arrays of primitives, so we skip everything `JSON.stringify`
+ * does for the generic case (toJSON probing, prototype-chain key iteration,
+ * replacer hooks).
  *
- * @param {Array<{ name: string, time_unix_nano: number, attributes?: object }>} spanEvents
+ * @param {Array<{ name: unknown, startTime: number, attributes?: object }>} spanEvents
  * @returns {string}
  */
 function stringifySpanEvents (spanEvents) {
@@ -140,17 +143,21 @@ function stringifySpanEvents (spanEvents) {
   for (let index = 0; index < spanEvents.length; index++) {
     if (index > 0) result += ','
     const event = spanEvents[index]
+    // `_sanitizeEventAttributes` leaves `attributes` undefined when empty, so a
+    // present value always has entries — no emptiness probe here.
+    const attributes = event.attributes
     // `addEvent` does not type-check `name`; defer the unusual cases to
-    // `JSON.stringify` so non-string names match the prior behaviour
-    // instead of throwing in `escapeJsonString`.
+    // `JSON.stringify` so non-string names match the prior behaviour instead
+    // of throwing in `escapeJsonString`. Build the wire-shaped object so the
+    // emitted key stays `time_unix_nano`, not the raw `startTime`.
     if (typeof event.name !== 'string') {
-      result += JSON.stringify(event)
+      result += JSON.stringify({ name: event.name, time_unix_nano: eventTimeNano(event), attributes })
       continue
     }
     result += '{"name":' + escapeJsonString(event.name) +
-      ',"time_unix_nano":' + jsonNumber(event.time_unix_nano)
-    if (event.attributes) {
-      result += ',"attributes":' + stringifyAttributes(event.attributes)
+      ',"time_unix_nano":' + jsonNumber(eventTimeNano(event))
+    if (attributes) {
+      result += ',"attributes":' + stringifyAttributes(attributes)
     }
     result += '}'
   }
@@ -241,8 +248,8 @@ class AgentEncoder {
     this.#config = getConfig()
     this.#debugEncoding = this.#config.DD_TRACE_ENCODING_DEBUG
     // Pick the per-span formatter once so the hot loop pays no per-span
-    // config check. The native path doesn't need to reshape `span_events`
-    // because `#encodeSpanEvents` works directly on the raw attributes.
+    // config check. The native path keeps the raw `span_events` slot for
+    // `#encodeSpanEvents`; the legacy path serializes it into meta.events.
     this.#formatSpan = this.#config.DD_TRACE_NATIVE_SPAN_EVENTS
       ? normalizeSpan
       : formatSpanWithLegacyEvents
@@ -320,16 +327,18 @@ class AgentEncoder {
       const resourceLen = resourceEntry.length
       const serviceLen = serviceEntry.length
 
-      // Almost every span carries `error: 0` or `error: 1` AND a nanosecond
-      // `start` timestamp ≥ 2³² (so `start` always encodes as a u64). When
-      // both hold, the block fuses error key+value, the start key + 0xCF
-      // type byte + 8-byte timestamp, and the duration key into the per-span
-      // reserve. The fallback path covers synthetic/test inputs with small
-      // starts and rare non-binary error flags by keeping per-field emits so
-      // each integer picks the shortest msgpack encoding.
-      const errorIsFixint = span.error === 0 || span.error === 1
-      const startFitsU64 = span.start >= 0x1_00_00_00_00
-      const fuseTail = errorIsFixint && startFitsU64
+      // `error` is `0` or `1` on nearly every span, and `start` is a
+      // nanosecond timestamp ≥ 2³² (always a msgpack u64). Decide the fused
+      // error key+value up front (`KEY_ERROR_0` / `KEY_ERROR_1`, or `undefined`
+      // for the rare non-binary flag) so the tail fuses without re-deciding the
+      // error shape twice. The fused tail also needs `start` as a u64; when
+      // either misses (synthetic small `start`, non-binary error) the tail
+      // routes each integer through `writeIntOrFloat` for the shortest
+      // encoding.
+      const errorEntry = span.error === 0
+        ? KEY_ERROR_0
+        : span.error === 1 ? KEY_ERROR_1 : undefined
+      const fuseTail = errorEntry !== undefined && span.start >= 0x1_00_00_00_00
 
       let blockSize = 1 +
         KEY_TRACE_ID_PREFIX.length + 8 +
@@ -340,7 +349,7 @@ class AgentEncoder {
         KEY_SERVICE.length + serviceLen
       if (typeEntry) blockSize += KEY_TYPE.length + typeEntry.length
       if (fuseTail) {
-        blockSize += KEY_ERROR_0.length + KEY_START_PREFIX.length + 8 + KEY_DURATION.length
+        blockSize += errorEntry.length + KEY_START_PREFIX.length + 8 + KEY_DURATION.length
       }
 
       const blockOffset = bytes.length
@@ -377,8 +386,8 @@ class AgentEncoder {
       cursor += serviceLen
 
       if (fuseTail) {
-        target.set(span.error === 0 ? KEY_ERROR_0 : KEY_ERROR_1, cursor)
-        cursor += KEY_ERROR_0.length
+        target.set(errorEntry, cursor)
+        cursor += errorEntry.length
 
         target.set(KEY_START_PREFIX, cursor)
         cursor += KEY_START_PREFIX.length
@@ -389,15 +398,14 @@ class AgentEncoder {
         cursor += 8
 
         target.set(KEY_DURATION, cursor)
+      } else if (errorEntry) {
+        bytes.set(errorEntry)
+        bytes.set(KEY_START)
+        bytes.writeIntOrFloat(span.start)
+        bytes.set(KEY_DURATION)
       } else {
-        if (span.error === 0) {
-          bytes.set(KEY_ERROR_0)
-        } else if (span.error === 1) {
-          bytes.set(KEY_ERROR_1)
-        } else {
-          bytes.set(KEY_ERROR)
-          bytes.writeIntOrFloat(span.error)
-        }
+        bytes.set(KEY_ERROR)
+        bytes.writeIntOrFloat(span.error)
         bytes.set(KEY_START)
         bytes.writeIntOrFloat(span.start)
         bytes.set(KEY_DURATION)
@@ -763,7 +771,7 @@ class AgentEncoder {
    * values — no `formatSpanEvents` pre-pass and no recursive generic walk.
    *
    * @param {MsgpackChunk} bytes
-   * @param {Array<{ name: string, time_unix_nano: number, attributes?: object }>} spanEvents
+   * @param {Array<{ name: unknown, startTime: number, attributes?: object }>} spanEvents
    */
   #encodeSpanEvents (bytes, spanEvents) {
     const offset = bytes.length
@@ -784,7 +792,7 @@ class AgentEncoder {
       bytes.set(KEY_NAME)
       this._encodeString(bytes, event.name)
       bytes.set(KEY_EVENT_TIME)
-      bytes.writeFloat(event.time_unix_nano)
+      bytes.writeFloat(eventTimeNano(event))
 
       const attributes = event.attributes
       if (attributes !== null && typeof attributes === 'object') {

package/packages/dd-trace/src/encode/agentless-json.js

@@ -3,6 +3,7 @@
 const log = require('../log')
 const { TOP_LEVEL_KEY } = require('../constants')
 const { normalizeSpan } = require('./tags-processors')
+const { stringifySpanEvents } = require('./0.4')
 
 // Soft limit for estimated payload size. Triggers an early flush to stay under intake request size limits.
 const SOFT_LIMIT = 8 * 1024 * 1024 // 8MB
@@ -20,7 +21,10 @@ function formatSpan (span, isFirstSpan) {
   delete span.meta['_dd.p.tid']
 
   if (span.span_events) {
-    span.meta.events = JSON.stringify(span.span_events)
+    // Events arrive raw (`{ name, startTime, attributes? }`); stringifySpanEvents
+    // derives `time_unix_nano` and drops empty attributes, matching the JSON the
+    // reshaped array used to produce.
+    span.meta.events = stringifySpanEvents(span.span_events)
     delete span.span_events
   }
 

package/packages/dd-trace/src/encode/tags-processors.js

@@ -46,6 +46,19 @@ function truncateSpanTestOpt (span) {
   return span
 }
 
+/**
+ * Convert a raw span event's `startTime` (milliseconds, sub-millisecond
+ * precision) to the wire `time_unix_nano`. Single source of truth for the
+ * formula so the four encoders that consume `span_events` stay in lockstep;
+ * the formatter no longer reshapes events, it hands the raw array through.
+ *
+ * @param {{ startTime: number }} event
+ * @returns {number}
+ */
+function eventTimeNano (event) {
+  return Math.round(event.startTime * 1e6)
+}
+
 function normalizeSpan (span) {
   span.service = span.service || DEFAULT_SERVICE_NAME
   if (span.service.length > MAX_SERVICE_LENGTH) {
@@ -69,6 +82,7 @@ module.exports = {
   truncateSpan,
   truncateSpanTestOpt,
   normalizeSpan,
+  eventTimeNano,
   MAX_META_KEY_LENGTH,
   MAX_META_VALUE_LENGTH,
   MAX_META_VALUE_LENGTH_TEST_OPTIMIZATION,