Support DD_APM_TRACING_ENABLED=false for AI Guard traces#11885
Support DD_APM_TRACING_ENABLED=false for AI Guard traces#11885claponcet wants to merge 3 commits into
Conversation
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 42d77deb22
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
|
🎯 Code Coverage (details) 🔗 Commit SHA: 40cce9e | Docs | Datadog PR Page | Give us feedback! |
| rootSpan.spanContext().getPropagationTags().getTraceSource(), | ||
| ProductTraceSource.ASM)) | ||
| ProductTraceSource.ASM) | ||
| && !Boolean.TRUE.equals(rootSpan.getTag(Tags.AI_GUARD_EVENT))) |
There was a problem hiding this comment.
I don't think we should add further product-specific tags to this code.
Have you considered using Tags.PROPAGATED_TRACE_SOURCE to mark the root span as coming from the AI/LLM product like ASM does?
You'd just need to add your product to ProductTraceSource - and maybe introduce a new method that lets you check if one of several products are marked here, rather than calling isProductMarked multiple times.
For example it could then become:
!ProductTraceSource.isProductMarked(
rootSpan.spanContext().getPropagationTags().getTraceSource(),
ProductTraceSource.ASM, ProductTraceSource.LLM)
There was a problem hiding this comment.
I have considered this but I don't think ProductTraceSource is used in other tracers for AI Guard so I opted for consistency. @smola what do you think?
🟢 Java Benchmark SLOs — All performance SLOs passed
PR vs. master results
Commit: Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion. |
What Does This Do
When
DD_APM_TRACING_ENABLED=false, AI Guard traces are now preserved and sentto the backend. The tracer no longer lets the sampler override the
USER_KEEPpriority that AI Guard sets via
ai_guard.keep.Concretely,
TraceCollector.setSamplingPriorityIfNecessarygains a guard: if aspan carries
ai_guard.event=true, the sampler is skipped (whether that sampleris the regular priority sampler or the
AsmStandaloneSamplerrate-limiter usedin ASM standalone mode).
The
ai_guard.eventtag is also promoted from a local string constant inAIGuardInternalto a canonical constant inTags, alongsideai_guard.keep.Root spans for AI Guard evaluations carry:
_sampling_priority_v1:2(USER_KEEP) — set byforceKeep(SamplingMechanism.AI_GUARD)_dd.p.dm:-13(decision maker: AI Guard) — set by the same mechanismai_guard.event:trueMotivation
Part of APPSEC-61460 (AI Guard without APM billing). AI Guard customers should
not require APM host billing. Unlike ASM standalone mode, AI Guard does not need
the "1 trace per minute" allowance — every AI Guard trace must go through.
Additional Notes
The
AsmStandaloneSampler(used when APM is disabled and AppSec is enabled)has a rate limiter that allows only 1 trace/minute for regular APM traces. The
new bypass ensures AI Guard traces are never dropped by this limiter, while
regular traces remain subject to it.
Contributor Checklist
type:and (comp:orinst:) labels in addition to any other useful labelsclose,fix, or any linking keywords when referencing an issueUse
solvesinstead, and assign the PR milestone to the issue/merge. You can also:/merge --commit-message "..."/merge -c/merge -f --reason "reason"; please use this judiciously, as some checks do not run at the PR-level (note: the PR still needs to be mergeable, this will only skip the pre-merge build)Jira ticket: APPSEC-68487