feat!: integrate obfuscation to trace exporter [APMSP-2764]

[Eldolfin]

What does this PR do?

Integrate the work that has been done on obfuscate_span into the trace exporter

Motivation

Let the sdks obfuscate spans before sending them to the agent when possible, reducing the amount of data transfered from the sdks to the agent.

Additional Notes

Anything else we should know when reviewing?

How to test the change?

• manual tests
• system tests
• unit tests

TODO

• retrieve obfuscation config from /info
• add a test for agent obfuscation version > library obfuscation version (it should not obfuscate)
• obfuscate more than just sql and redis not for stats

[github-actions]

📚 Documentation Check Results

⚠️ 2152 documentation warning(s) found

📦 libdd-data-pipeline - 951 warning(s)

📦 libdd-trace-obfuscation - 640 warning(s)

📦 libdd-trace-stats - 561 warning(s)

---

Updated: 2026-03-31 11:15:48 UTC | Commit: 17eb594 | missing-docs job results

[github-actions]

Clippy Allow Annotation Report

Comparing clippy allow annotations between branches:

• Base Branch: origin/main
• PR Branch: origin/oscarld/integrate-obfuscation-to-trace-exporter

Summary by Rule

Rule	Base Branch	PR Branch	Change
unwrap_used	3	3	No change (0%)
Total	3	3	No change (0%)

Annotation Counts by File

File	Base Branch	PR Branch	Change
libdd-data-pipeline/src/stats_exporter.rs	1	1	No change (0%)
libdd-data-pipeline/src/trace_exporter/mod.rs	2	2	No change (0%)

Annotation Stats by Crate

Crate	Base Branch	PR Branch	Change
clippy-annotation-reporter	5	5	No change (0%)
datadog-ffe-ffi	1	1	No change (0%)
datadog-ipc	20	20	No change (0%)
datadog-live-debugger	6	6	No change (0%)
datadog-live-debugger-ffi	10	10	No change (0%)
datadog-profiling-replayer	4	4	No change (0%)
datadog-remote-config	3	3	No change (0%)
datadog-sidecar	55	55	No change (0%)
libdd-common	10	10	No change (0%)
libdd-common-ffi	12	12	No change (0%)
libdd-data-pipeline	5	5	No change (0%)
libdd-ddsketch	2	2	No change (0%)
libdd-dogstatsd-client	1	1	No change (0%)
libdd-profiling	13	13	No change (0%)
libdd-telemetry	19	19	No change (0%)
libdd-tinybytes	4	4	No change (0%)
libdd-trace-normalization	2	2	No change (0%)
libdd-trace-obfuscation	8	8	No change (0%)
libdd-trace-utils	15	15	No change (0%)
Total	195	195	No change (0%)

About This Report

This report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality.

[github-actions]

🔒 Cargo Deny Results

⚠️ 1 issue(s) found, showing only errors (advisories, bans, sources)

📦 libdd-data-pipeline - 1 error(s)

Show output

error[vulnerability]: Denial of Service via Stack Exhaustion
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:283:1
    │
283 │ time 0.3.41 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0009
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009
    ├ ## Impact
      
      When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
      service attack via stack exhaustion is possible. The attack relies on formally deprecated and
      rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
      non-malicious input will never encounter this scenario.
      
      ## Patches
      
      A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
      rather than exhausting the stack.
      
      ## Workarounds
      
      Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
      the stack consumed would be at most a factor of the length of the input.
    ├ Announcement: https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
    ├ Solution: Upgrade to >=0.3.47 (try `cargo update -p time`)
    ├ time v0.3.41
      └── tracing-appender v0.2.3
          └── libdd-log v1.0.0
              └── (dev) libdd-data-pipeline v3.0.1

advisories FAILED, bans ok, sources ok

📦 libdd-trace-obfuscation - ✅ No issues

📦 libdd-trace-stats - ✅ No issues

---

Updated: 2026-03-31 11:18:49 UTC | Commit: 17eb594 | dependency-check job results

[codecov-commenter]

Codecov Report

❌ Patch coverage is 57.83133% with 70 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.41%. Comparing base (bfdbeae) to head (f2621f3).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1819      +/-   ##
==========================================
+ Coverage   71.21%   71.41%   +0.19%     
==========================================
  Files         414      425      +11     
  Lines       65963    67092    +1129     
==========================================
+ Hits        46974    47911     +937     
- Misses      18989    19181     +192     

Components	Coverage Δ
libdd-crashtracker	65.87% <ø> (+0.64%)	⬆️
libdd-crashtracker-ffi	34.47% <ø> (ø)
libdd-alloc	98.77% <ø> (ø)
libdd-data-pipeline	86.24% <42.62%> (-0.77%)	⬇️
libdd-data-pipeline-ffi	74.17% <ø> (+1.48%)	⬆️
libdd-common	80.19% <ø> (+0.40%)	⬆️
libdd-common-ffi	73.87% <ø> (ø)
libdd-telemetry	62.48% <ø> (ø)
libdd-telemetry-ffi	16.75% <ø> (ø)
libdd-dogstatsd-client	82.64% <ø> (ø)
datadog-ipc	70.31% <ø> (-2.25%)	⬇️
libdd-profiling	82.05% <ø> (+0.42%)	⬆️
libdd-profiling-ffi	64.94% <ø> (ø)
datadog-sidecar	30.29% <ø> (-0.50%)	⬇️
datdog-sidecar-ffi	7.04% <ø> (-2.33%)	⬇️
spawn-worker	54.69% <ø> (ø)
libdd-tinybytes	93.16% <ø> (ø)
libdd-trace-normalization	81.71% <ø> (ø)
libdd-trace-obfuscation	87.36% <100.00%> (+0.11%)	⬆️
libdd-trace-protobuf	68.25% <ø> (ø)
libdd-trace-utils	88.72% <ø> (ø)
datadog-tracer-flare	86.88% <ø> (ø)
libdd-log	74.69% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[datadog-datadog-prod-us1-2]

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 02ab474 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[Eldolfin]

@codex review

[dd-octo-sts]

Artifact Size Benchmark Report

aarch64-alpine-linux-musl

Artifact	Baseline	Commit	Change
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.so	8.76 MB	8.76 MB	0% (0 B) 👌
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.a	101.91 MB	101.92 MB	+.01% (+13.14 KB) 🔍

aarch64-unknown-linux-gnu

Artifact	Baseline	Commit	Change
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so	11.36 MB	11.36 MB	+0% (+544 B) 👌
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a	118.86 MB	118.87 MB	+.01% (+15.03 KB) 🔍

libdatadog-x64-windows

Artifact	Baseline	Commit	Change
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll	27.38 MB	27.39 MB	+.01% (+5.00 KB) 🔍
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib	80.69 KB	80.69 KB	0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb	187.11 MB	187.14 MB	+.01% (+32.00 KB) 🔍
/libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib	925.04 MB	925.20 MB	+.01% (+164.25 KB) 🔍
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll	9.06 MB	9.07 MB	+.01% (+1.50 KB) 🔍
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib	80.69 KB	80.69 KB	0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb	26.98 MB	26.98 MB	0% (0 B) 👌
/libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib	61.28 MB	61.29 MB	+.01% (+7.25 KB) 🔍

libdatadog-x86-windows

Artifact	Baseline	Commit	Change
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll	23.19 MB	23.19 MB	+.01% (+4.50 KB) 🔍
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib	81.94 KB	81.94 KB	0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb	191.47 MB	191.49 MB	+.01% (+24.00 KB) 🔍
/libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib	908.71 MB	908.87 MB	+.01% (+165.73 KB) 🔍
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll	6.90 MB	6.90 MB	0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib	81.94 KB	81.94 KB	0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb	29.11 MB	29.12 MB	+.02% (+8.00 KB) 🔍
/libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib	57.68 MB	57.69 MB	+.01% (+6.45 KB) 🔍

x86_64-alpine-linux-musl

Artifact	Baseline	Commit	Change
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.a	88.72 MB	88.73 MB	+.01% (+11.91 KB) 🔍
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.so	10.32 MB	10.32 MB	0% (0 B) 👌

x86_64-unknown-linux-gnu

Artifact	Baseline	Commit	Change
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a	111.55 MB	111.56 MB	+0% (+10.32 KB) 👌
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so	12.08 MB	12.08 MB	+0% (+400 B) 👌

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f2621f3041

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Recreate stats worker when obfuscation mode flips

When /info changes obfuscation support, this branch only updates client_side_stats and leaves the running StatsExporter untouched. The exporter’s obfuscation_active flag is fixed at construction time in create_and_start_stats_worker, so it keeps sending the old datadog-obfuscation-version header state even after process_traces_for_stats switches to the new obfuscation behavior. In the toggle scenario (e.g., agent enables obfuscation after startup), stats payload resources and header version can diverge, which makes the agent interpret stats under the wrong format/version.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

This PR integrates obfuscation support into the trace exporter for client-side stats computation. It enables SDKs to obfuscate spans before sending them to the agent when the agent supports it, reducing data transfer between SDKs and the agent.

Changes:

• Adds obfuscate_resource_for_stats function to obfuscate resource names for SQL, Redis, Cassandra, and Valkey spans
• Implements obfuscation state tracking through the stats computation lifecycle
• Creates an ObfuscatedStatSpan wrapper to provide obfuscated resources to the stats concentrator without modifying original spans
• Adds HTTP header datadog-obfuscation-version: 1 when obfuscation is active
• Adds schema field for agent's obfuscation version support
• Fixes a typo in documentation ("will" → "while")

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
libdd-trace-stats/src/span_concentrator/mod.rs	Exports the stat_span module publicly for use in the stats exporter
libdd-trace-obfuscation/src/obfuscate.rs	Adds obfuscate_resource_for_stats function with comprehensive tests for SQL, Redis, Cassandra, and Valkey obfuscation
libdd-data-pipeline/src/trace_exporter/stats.rs	Implements obfuscation state management and applies obfuscation to spans during stats computation
libdd-data-pipeline/src/trace_exporter/mod.rs	Passes obfuscation state through the stats handler call chain
libdd-data-pipeline/src/stats_exporter.rs	Adds obfuscation header to HTTP requests when obfuscation is active, includes test coverage
libdd-data-pipeline/src/agent_info/schema.rs	Adds obfuscation_version field to capture agent capabilities
libdd-data-pipeline/Cargo.toml	Adds dependency on libdd-trace-obfuscation

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.