Add AppSec agentic onboarding runtime telemetry (RFC-1110)#11983
Add AppSec agentic onboarding runtime telemetry (RFC-1110)#11983christophe-papazian wants to merge 2 commits into
Conversation
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 79d7375567
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
🎯 Code Coverage (details) 🔗 Commit SHA: b91b3e2 | Docs | Datadog PR Page | Give us feedback! |
Report a runtime signal that a service was onboarded by the agentic onboarding solution. When the presence-only flag DD_APPSEC_AGENTIC_ONBOARDING is set (via env var, JVM property, or local/fleet stable config), the tracer emits a single boolean configuration entry `appsec.agentic_onboarding` in its app-started instrumentation-telemetry payload, tagged with the flag's origin. The reported boolean reflects whether AppSec fully came up at startup with its WAF module started (new ActiveSubsystems.APPSEC_WAF_STARTED), which matches the Python reference's "native WAF loaded" semantics and is stricter than bare isActive(). The flag's value is never read or transmitted; only its presence triggers reporting. When the flag is unset in all sources, nothing is reported. Reporting runs in a finally in maybeStartAppSec so it also covers the AppSec-disabled and startup-failure cases (reported as false). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
When DD_APPSEC_AGENTIC_ONBOARDING is set via fleet/local stable config, attach the source's config_id to the reported entry so the signal stays attributable to the deployed stable config, matching other stable-config telemetry. No config_id for env/jvm origins. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
79d7375 to
b91b3e2
Compare
🟢 Java Benchmark SLOs — All performance SLOs passed
PR vs. master results
Commit: Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion. |
There was a problem hiding this comment.
More details
Validated across three standalone test programs covering 26 adversarial scenarios (origin precedence/presence-only semantics, key transformations, APPSEC_WAF_STARTED state management in all startup paths, and finally-block behavior). All scenarios pass: the DD_APPSEC_AGENTIC_ONBOARDING env var key is derived consistently across all lookup paths, the flag reports false for every non-WAF-started case (disabled, WAF init failure, exception path), and AgenticOnboarding.report() fires in the finally block under all conditions including AppSec errors.
📊 Validated against 26 scenarios · Open Bits AI session
🤖 Datadog Autotest · Commit b91b3e2 · What is Autotest? · Any feedback? Reach out in #autotest
What Does This Do
Implements RFC-1110 — a runtime telemetry signal that a service was onboarded by the AAP agentic onboarding solution.
When the presence-only flag
DD_APPSEC_AGENTIC_ONBOARDINGis set (via env var, JVM property, or local/fleet stable config), the tracer emits a single boolean configuration entryappsec.agentic_onboardingin itsapp-startedinstrumentation-telemetry payload, tagged with the config source origin.trueonly when AppSec fully came up at startup with its WAF module started, andfalseotherwise (AppSec disabled, remote-config-only, native WAF failed to load, or startup aborted). This mirrors the Python reference's "native WAF loaded" semantics and is stricter than bareisActive().Motivation
Prerequisite for Agentic Onboarding GA (APPSEC-68812): lets the usage→activation funnel be measured in production. Java counterpart of the merged Python implementation (dd-trace-py#19068).
Changes
AppSecConfig— newAPPSEC_AGENTIC_ONBOARDINGconfig key; registeredDD_APPSEC_AGENTIC_ONBOARDINGinmetadata/supported-configurations.json.ActiveSubsystems— new bootstrap-visibleAPPSEC_WAF_STARTEDflag.AppSecSystem— sets it on full startup success (active + WAF module started), cleared per start attempt.Agent.maybeStartAppSec— reports the signal in afinallyso the disabled/failed cases are covered.AgenticOnboarding(new) — presence/origin resolution (never viaConfigProvider, to keep the raw value out of telemetry) + reporting.Testing
New JUnit 5 unit tests (
AgenticOnboardingTest) cover presence-only semantics (incl. empty string), source precedence, the absent case, boolean value/origin, and the system-property end-to-end path. Behavioral coverage across languages is handled by system tests (APPSEC-69171).🤖 Generated with Claude Code