From e503b4b18d58052afd53c8f6ca24183b9ef2b497 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 22 May 2026 12:43:33 -0600
Subject: [PATCH 01/42] build: update Rust MSRV to 1.87

---
 .github/workflows/prof_asan.yml               |  6 +--
 .github/workflows/prof_correctness.yml        | 10 ++--
 .gitlab/build-profiler.sh                     | 10 ----
 .gitlab/generate-package.php                  | 12 ++---
 .gitlab/generate-profiler.php                 |  5 +-
 .gitlab/generate-shared.php                   | 10 ++--
 .gitlab/generate-tracer.php                   |  4 +-
 Cargo.toml                                    |  4 +-
 README.md                                     |  2 +-
 .../alpine_compile_extension/base.Dockerfile  |  2 +-
 dockerfiles/ci/bookworm/Dockerfile            | 46 ++++++++++---------
 dockerfiles/ci/centos/7/base.Dockerfile       | 12 ++---
 libdatadog                                    |  2 +-
 profiling/Cargo.toml                          |  2 +-
 profiling/rust-toolchain.toml                 |  2 +-
 tooling/bin/build-debug-artifact              |  4 +-
 16 files changed, 62 insertions(+), 71 deletions(-)

diff --git a/.github/workflows/prof_asan.yml b/.github/workflows/prof_asan.yml
index 80d385a4e6f..feb04143260 100644
--- a/.github/workflows/prof_asan.yml
+++ b/.github/workflows/prof_asan.yml
@@ -16,7 +16,7 @@ jobs:
       CARGO_TARGET_DIR: /tmp/build-cargo
       RUST_TOOLCHAIN: nightly-2025-06-13
     container:
-      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-7
+      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-8
       # https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user
       options: --user root --privileged
 
@@ -49,10 +49,10 @@ jobs:
           set -eux
           switch-php nts-asan
           cd profiling
-          export CC=clang-19
+          export CC=clang-20
           export CFLAGS='-fsanitize=address  -fno-omit-frame-pointer'
           export LDFLAGS='-fsanitize=address -shared-libasan'
-          export RUSTC_LINKER=lld-17
+          export RUSTC_LINKER=lld-20
           triplet=$(uname -m)-unknown-linux-gnu
           RUSTFLAGS='-Zsanitizer=address' cargo +${RUST_TOOLCHAIN} build -Zbuild-std=std,panic_abort --target $triplet --profile profiler-release
           cp -v "$CARGO_TARGET_DIR/$triplet/profiler-release/libdatadog_php_profiling.so" "$(php-config --extension-dir)/datadog-profiling.so"
diff --git a/.github/workflows/prof_correctness.yml b/.github/workflows/prof_correctness.yml
index fd8e449d6da..b11f2fe889f 100644
--- a/.github/workflows/prof_correctness.yml
+++ b/.github/workflows/prof_correctness.yml
@@ -49,12 +49,12 @@ jobs:
         run: |
           codename="$(lsb_release -cs)"
           curl -fsSL https://apt.llvm.org/llvm-snapshot.gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/llvm-archive-keyring.gpg
-          echo "deb [signed-by=/usr/share/keyrings/llvm-archive-keyring.gpg] http://apt.llvm.org/${codename}/ llvm-toolchain-${codename}-19 main" | sudo tee /etc/apt/sources.list.d/llvm.list
+          echo "deb [signed-by=/usr/share/keyrings/llvm-archive-keyring.gpg] http://apt.llvm.org/${codename}/ llvm-toolchain-${codename}-20 main" | sudo tee /etc/apt/sources.list.d/llvm.list
           sudo apt-get update
-          sudo apt-get install -y clang-19 lld-19
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-19 100
-          sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-19 100
-          sudo update-alternatives --install /usr/bin/ld.lld ld.lld /usr/bin/ld.lld-19 100
+          sudo apt-get install -y clang-20 lld-20
+          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-20 100
+          sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-20 100
+          sudo update-alternatives --install /usr/bin/ld.lld ld.lld /usr/bin/ld.lld-20 100
           clang --version
           ld.lld --version
           cd profiling
diff --git a/.gitlab/build-profiler.sh b/.gitlab/build-profiler.sh
index b1b8e6712de..7e5e4d71cf6 100755
--- a/.gitlab/build-profiler.sh
+++ b/.gitlab/build-profiler.sh
@@ -10,16 +10,6 @@ if [ -d '/opt/rh/devtoolset-7' ] ; then
     set -eo pipefail
 fi
 
-# With clang 20, bindgen fails on aarch64:
-#  /usr/lib/llvm20/lib/clang/20/include/arm_vector_types.h:20:9: error: unknown type name '__mfp8'
-#  /usr/lib/llvm20/lib/clang/20/include/arm_vector_types.h:93:24: error: Neon vector size must be 64 or 128 bits
-#  /usr/lib/llvm20/lib/clang/20/include/arm_vector_types.h:94:24: error: Neon vector size must be 64 or 128 bits
-#  /usr/lib/llvm20/lib/clang/20/include/arm_neon.h:6374:25: error: incompatible constant for this __builtin_neon function
-# etc.
-if [ -f /sbin/apk ] && [ $(uname -m) = "aarch64" ]; then
-    ln -sf ../lib/llvm19/bin/clang /usr/bin/clang
-fi
-
 # On CentOS 7 aarch64, clang's resource dir isn't on the default include path,
 # causing bindgen to fail with "stddef.h not found".
 if [ -d '/opt/rh/devtoolset-7' ] && [ "$(uname -m)" = "aarch64" ]; then
diff --git a/.gitlab/generate-package.php b/.gitlab/generate-package.php
index 8c68e9f2765..ac760cdcae1 100644
--- a/.gitlab/generate-package.php
+++ b/.gitlab/generate-package.php
@@ -48,13 +48,13 @@
 $asan_build_platforms = [
     [
         "triplet" => "x86_64-unknown-linux-gnu",
-        "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-7",
+        "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-8",
         "arch" => "amd64",
         "host_os" => "linux-gnu",
     ],
     [
         "triplet" => "aarch64-unknown-linux-gnu",
-        "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-7",
+        "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-8",
         "arch" => "arm64",
         "host_os" => "linux-gnu",
     ]
@@ -321,7 +321,7 @@
 
 "pecl build":
   stage: tracing
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-7"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-8"
   tags: [ "arch:amd64" ]
   needs: [ "prepare code" ]
   script:
@@ -371,7 +371,7 @@
 <?php foreach ($arch_targets as $arch): ?>
 "aggregate tracing extension: [<?= $arch ?>]":
   stage: tracing
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-7"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-8"
   tags: [ "arch:amd64" ]
   script: ls ./
   variables:
@@ -1154,7 +1154,7 @@
 
 "pecl tests":
   stage: verify
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_VERSION}_bookworm-7"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_VERSION}_bookworm-8"
   tags: [ "arch:amd64" ]
   services:
     - !reference [.services, request-replayer]
@@ -1370,7 +1370,7 @@
   variables:
     VALGRIND: false
     ARCH: "<?= $arch ?>"
-    CONTAINER_SUFFIX: bookworm-7
+    CONTAINER_SUFFIX: bookworm-8
   needs:
     - job: "package loader: [<?= $arch ?>]"
       artifacts: true
diff --git a/.gitlab/generate-profiler.php b/.gitlab/generate-profiler.php
index 728ba8621d0..2268cd44c44 100644
--- a/.gitlab/generate-profiler.php
+++ b/.gitlab/generate-profiler.php
@@ -43,7 +43,6 @@
         IMAGE_SUFFIX: _centos-7
   script:
     - if [ -d '/opt/rh/devtoolset-7' ]; then set +eo pipefail; source scl_source enable devtoolset-7; set -eo pipefail; fi
-    - if [ -f /sbin/apk ] && [ $(uname -m) = "aarch64" ]; then ln -sf ../lib/llvm19/bin/clang /usr/bin/clang; fi
     - if [ -d '/opt/rh/devtoolset-7' ] && [ "$(uname -m)" = "aarch64" ]; then export BINDGEN_EXTRA_CLANG_ARGS="-I$(clang --print-resource-dir)/include"; fi
 
     - cd profiling
@@ -84,7 +83,7 @@
 "clippy NTS":
   stage: test
   tags: [ "arch:amd64" ]
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8
   variables:
     KUBERNETES_CPU_REQUEST: 5
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -103,7 +102,7 @@
 "Cargo test":
   stage: test
   tags: [ "arch:amd64" ]
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.5_bookworm-7
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.5_bookworm-8
   variables:
     KUBERNETES_CPU_REQUEST: 5
     KUBERNETES_MEMORY_REQUEST: 3Gi
diff --git a/.gitlab/generate-shared.php b/.gitlab/generate-shared.php
index eb200835a9e..f28ef82fe80 100644
--- a/.gitlab/generate-shared.php
+++ b/.gitlab/generate-shared.php
@@ -21,7 +21,7 @@
       - IMAGE:
         - "datadog/dd-trace-ci:centos-7"
         - "datadog/dd-trace-ci:php-compile-extension-alpine"
-        - "datadog/dd-trace-ci:bookworm-7"
+        - "datadog/dd-trace-ci:bookworm-8"
   script:
     - if [ -f "/opt/libuv/lib/pkgconfig/libuv.pc" ]; then export PKG_CONFIG_PATH="/opt/libuv/lib/pkgconfig:$PKG_CONFIG_PATH"; fi
     - if [ -d "/opt/catch2" ]; then export CMAKE_PREFIX_PATH=/opt/catch2; fi
@@ -45,7 +45,7 @@
 "C components UBSAN":
   tags: [ "arch:amd64" ]
   stage: test
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-7"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8"
   needs: []
   script:
     - if [ -f "/opt/libuv/lib/pkgconfig/libuv.pc" ]; then export PKG_CONFIG_PATH="/opt/libuv/lib/pkgconfig:$PKG_CONFIG_PATH"; fi
@@ -69,7 +69,7 @@
 "Build & Test Tea":
   tags: [ "arch:amd64" ]
   stage: build
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8"
   parallel:
     matrix:
       - PHP_MAJOR_MINOR: *no_asan_minor_major_targets
@@ -98,7 +98,7 @@
 .tea_test:
   tags: [ "arch:amd64" ]
   stage: test
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8"
   interruptible: true
   rules:
     - if: $CI_COMMIT_BRANCH == "master"
@@ -122,7 +122,7 @@
   needs: []
   variables:
     PHP_MAJOR_MINOR: "<?= $all_minor_major_targets[count($all_minor_major_targets) - 1] ?>"
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8"
   script:
     - |
       if ! command -v cc >/dev/null 2>&1 && ! command -v clang >/dev/null 2>&1 && ! command -v gcc >/dev/null 2>&1; then
diff --git a/.gitlab/generate-tracer.php b/.gitlab/generate-tracer.php
index 42510ff8ce5..864e57ab932 100644
--- a/.gitlab/generate-tracer.php
+++ b/.gitlab/generate-tracer.php
@@ -67,7 +67,7 @@ function before_script_steps($with_docker_auth = false) {
 "compile extension: debug":
   stage: compile
   tags: [ "arch:${ARCH}" ]
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8
   parallel:
     matrix:
       - PHP_MAJOR_MINOR: *all_minor_major_targets
@@ -186,7 +186,7 @@ function before_script_steps($with_docker_auth = false) {
 .base_test:
   stage: test
   tags: [ "arch:${ARCH}" ]
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8
   timeout: 60m
   interruptible: true
   rules:
diff --git a/Cargo.toml b/Cargo.toml
index 5fda3a7ac57..bf4ff93f4bb 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,7 +3,7 @@ members = ["components-rs", "components-rs/php_sidecar_mockgen", "profiling"]
 resolver = "2"
 
 [workspace.package]
-rust-version = "1.84.1"
+rust-version = "1.87.0"
 edition = "2021"
 # Irrelevant version and license. These do NOT apply here, they just are here to make cargo build pass.
 version = "0.0.1"
@@ -46,4 +46,4 @@ hyper-util = { version = "0.1.10", features = [
 ] }
 
 [workspace.lints]
-# empty for compat with libdatadog
\ No newline at end of file
+# empty for compat with libdatadog
diff --git a/README.md b/README.md
index 8864bb16a7a..c69807c1548 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ Visit the [PHP tracer documentation](https://docs.datadoghq.com/tracing/language
 
 #### Installation from PECL (datadog_trace) or from source
 
-Compilation of the tracer and the profiler requires cargo to be installed. Ensure that cargo is minimum version 1.84.1, otherwise follow the [official instructions for installing cargo](https://doc.rust-lang.org/cargo/getting-started/installation.html).
+Compilation of the tracer and the profiler requires cargo to be installed. Ensure that cargo is minimum version 1.87.0, otherwise follow the [official instructions for installing cargo](https://doc.rust-lang.org/cargo/getting-started/installation.html).
 
 ### Advanced configuration
 
diff --git a/dockerfiles/ci/alpine_compile_extension/base.Dockerfile b/dockerfiles/ci/alpine_compile_extension/base.Dockerfile
index aff36105b8e..c879e2429b1 100644
--- a/dockerfiles/ci/alpine_compile_extension/base.Dockerfile
+++ b/dockerfiles/ci/alpine_compile_extension/base.Dockerfile
@@ -34,7 +34,7 @@ RUN set -eux; \
 # Minimum: libclang. Nice-to-have: full toolchain including linker to play
 # with cross-language link-time optimization. Needs to match rustc -Vv's llvm
 # version.
-RUN apk add --no-cache llvm19-libs clang19-dev lld llvm19 rust-stdlib rust-src cargo clang git protoc unzip
+RUN apk add --no-cache llvm20-libs clang20-dev lld llvm20 rust-stdlib rust-src cargo clang git protoc unzip
 
 RUN cargo install --force --locked bindgen-cli && mv /root/.cargo/bin/bindgen /usr/local/bin/ && rm -rf /root/.cargo
 
diff --git a/dockerfiles/ci/bookworm/Dockerfile b/dockerfiles/ci/bookworm/Dockerfile
index 53ca77f14ab..ac8ae99acfc 100644
--- a/dockerfiles/ci/bookworm/Dockerfile
+++ b/dockerfiles/ci/bookworm/Dockerfile
@@ -9,10 +9,10 @@ ENV ACCEPT_EULA=Y
 # with cross-language link-time optimization. Needs to match rustc -Vv's llvm
 # version.
 ENV DEVLIBS \
-    libclang-19-dev \
-    libclang-rt-19-dev \
-    llvm-19-dev \
-    lld-19 \
+    libclang-20-dev \
+    libclang-rt-20-dev \
+    llvm-20-dev \
+    lld-20 \
     libbrotli-dev \
     libcurl4-openssl-dev \
     libedit-dev \
@@ -48,8 +48,8 @@ ENV RUNTIME_DEPS \
     apache2 \
     apache2-dev \
     ca-certificates \
-    clang-format-19 \
-    clang-tidy-19 \
+    clang-format-20 \
+    clang-tidy-20 \
     curl \
     debian-goodies \
     git \
@@ -70,7 +70,7 @@ ENV RUNTIME_DEPS \
 ENV PHPIZE_DEPS \
     autoconf \
     bison \
-    clang-19 \
+    clang-20 \
     cmake \
     dpkg-dev \
     file \
@@ -97,12 +97,12 @@ RUN set -eux; \
     echo "deb http://deb.debian.org/debian-debug/ bookworm-debug main" | \
         tee -a /etc/apt/sources.list; \
     \
-# Use LLVM from orig vendor (also LLVM 19 is not shipped with bookworm)
+# Use LLVM from orig vendor (also LLVM 20 is not shipped with bookworm)
     apt-get update; \
     apt-get install -y curl gnupg software-properties-common; \
     curl https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc; \
-    add-apt-repository "deb http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-19 main"; \
-    add-apt-repository "deb-src http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-19 main"; \
+    add-apt-repository "deb http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-20 main"; \
+    add-apt-repository "deb-src http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-20 main"; \
     \
 # prevent Debian's PHP packages from being installed
 # https://github.com/docker-library/php/pull/542
@@ -136,14 +136,14 @@ RUN set -eux; \
     chown -R circleci:circleci /var/log/nginx/ /var/lib/nginx/; \
     \
 # Make clang the default compiler
-    update-alternatives --install /usr/bin/cc cc /usr/bin/clang-19 100; \
-    update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++-19 100; \
-    update-alternatives --install /usr/bin/clang clang /usr/bin/clang-19 100; \
-    update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-19 100; \
-    update-alternatives --install /usr/bin/ld ld /usr/bin/ld.lld-19 100; \
-    echo "-L /usr/lib/llvm-19/lib/clang/19/lib/linux" > /usr/lib/llvm-19/bin/clang.cfg; \
+    update-alternatives --install /usr/bin/cc cc /usr/bin/clang-20 100; \
+    update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++-20 100; \
+    update-alternatives --install /usr/bin/clang clang /usr/bin/clang-20 100; \
+    update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-20 100; \
+    update-alternatives --install /usr/bin/ld ld /usr/bin/ld.lld-20 100; \
+    echo "-L /usr/lib/llvm-20/lib/clang/20/lib/linux" > /usr/lib/llvm-20/bin/clang.cfg; \
 # Include libasan library path
-    echo /usr/lib/llvm-19/lib/clang/19/lib/linux > /etc/ld.so.conf.d/libasan.conf && ldconfig
+    echo /usr/lib/llvm-20/lib/clang/20/lib/linux > /etc/ld.so.conf.d/libasan.conf && ldconfig
 
 ENV CMAKE_VERSION="3.24.4"
 
@@ -189,15 +189,16 @@ RUN set -eux; \
 # Install gdb
 RUN set -eux; \
     apt install -y libmpfr-dev libgmp-dev; \
-    GDB_VERSION="15.2"; \
-    GDB_SHA256="9d16bc2539a2a20dc3ef99b48b8414d51c51305c8577eb7a1da00996f6dea223";\
+    GDB_VERSION="17.2"; \
+    GDB_SHA256="cb891b9a9f554cac972eea5368176b240640ae90b681aae84bf873a9501f0063";\
     cd /tmp && curl -OL https://mirrors.kernel.org/sourceware/gdb/releases/gdb-${GDB_VERSION}.tar.gz; \
     (echo "${GDB_SHA256} gdb-${GDB_VERSION}.tar.gz" | sha256sum -c -); \
     mkdir gdb && cd gdb; \
     tar -xf ../gdb-${GDB_VERSION}.tar.gz --strip 1;\
     ./configure; \
     make -j "$((`nproc`+1))"; \
-    make install
+    make install; \
+    rm -rfv /tmp/*
 
 # Install valgrind
 RUN set -eux; \
@@ -209,7 +210,8 @@ RUN set -eux; \
     tar -xjf ../valgrind-${VALGRIND_VERSION}.tar.bz2 --strip 1;\
     ./configure; \
     make -j "$((`nproc`+1))"; \
-    make install
+    make install; \
+    rm -rfv /tmp/*
 
 # Install SqlServer PHP Driver
 # https://learn.microsoft.com/en-us/sql/connect/odbc/linux-mac/installing-the-microsoft-odbc-driver-for-sql-server
@@ -298,7 +300,7 @@ RUN set -eux; \
     chown -R circleci:circleci /opt;
 
 # rust sha256sum generated locally after verifying it with sha256
-ARG RUST_VERSION="1.84.1"
+ARG RUST_VERSION="1.87.0"
 ARG RUST_NIGHTLY_VERSION="-2025-06-13"
 # Mount a cache into /rust/cargo if you want to pre-fetch packages or something
 ENV CARGO_HOME=/rust/cargo
diff --git a/dockerfiles/ci/centos/7/base.Dockerfile b/dockerfiles/ci/centos/7/base.Dockerfile
index 7c697400776..b32ffcceae1 100644
--- a/dockerfiles/ci/centos/7/base.Dockerfile
+++ b/dockerfiles/ci/centos/7/base.Dockerfile
@@ -134,7 +134,7 @@ RUN set -eux; \
 
 # PHP 8.4+ requires OpenSSL >= 1.1.1
 RUN source scl_source enable devtoolset-7; set -ex; \
-    /root/download-src.sh openssl https://openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz; \
+    /root/download-src.sh openssl https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz; \
     cd "${SRC_DIR}/openssl"; \
     mkdir -v 'build' && cd 'build'; \
     ../config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib; \
@@ -194,7 +194,7 @@ RUN source scl_source enable devtoolset-7; set -ex; \
 ENV PKG_CONFIG_PATH="${PKG_CONFIG_PATH}:/usr/local/lib/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/openssl/lib/pkgconfig:/usr/local/zlib/lib/pkgconfig:/usr/local/curl/lib/pkgconfig:/usr/local/sqlite3/lib/pkgconfig"
 
 # Caution, takes a very long time! Since we have to build one from source,
-# I picked LLVM 19, which matches Rust 1.84.
+# I picked LLVM 20, which matches Rust 1.87.
 # Ordinarily we leave sources, but LLVM is 2GiB just for the sources...
 # Minimum: libclang. Nice-to-have: full toolchain including linker to play
 # with cross-language link-time optimization. Needs to match rustc -Vv's llvm
@@ -211,7 +211,7 @@ RUN yum install -y --nogpgcheck devtoolset-9 \
   && cd - \
   && rm -fr "${SRC_DIR}/ninja" \
   && cd /usr/local/src \
-  && git clone --depth 1 -b release/19.x https://github.com/llvm/llvm-project.git \
+  && git clone --depth 1 -b release/20.x https://github.com/llvm/llvm-project.git \
   && mkdir -vp llvm-project/build \
   && cd llvm-project/build \
   && cmake -G Ninja -DLLVM_ENABLE_PROJECTS="clang;lld" -DLLVM_TARGETS_TO_BUILD=host -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DLLVM_INCLUDE_TESTS=OFF -DLLVM_ENABLE_BINDINGS=OFF -DLLVM_INSTALL_TOOLCHAIN_ONLY=ON ../llvm \
@@ -226,9 +226,9 @@ RUN yum install -y --nogpgcheck devtoolset-9 \
 
 
 # rust sha256sum generated locally after verifying it with sha256
-ARG RUST_VERSION="1.84.1"
-ARG RUST_SHA256_ARM="be89f6ad9b70cc4b25182ae299f94ab047a713a51fddf95284823c8afe4aef85"
-ARG RUST_SHA256_X86="106c89f23ce1c763fcbea8e2714b2ba869bf7af70804813987a4483896398933"
+ARG RUST_VERSION="1.87.0"
+ARG RUST_SHA256_ARM="2c66e31d774a0dcd4422db74584ebc6362ff3ae90c452caff9d2fb912c821e8d"
+ARG RUST_SHA256_X86="1f6f18ce19387c42968a474cf175e67f99280614ded9c752d5d2e37af3204bcd"
 # Mount a cache into /rust/cargo if you want to pre-fetch packages or something
 ENV CARGO_HOME=/rust/cargo
 ENV RUSTUP_HOME=/rust/rustup
diff --git a/libdatadog b/libdatadog
index cea1e44eddd..b84f19e7507 160000
--- a/libdatadog
+++ b/libdatadog
@@ -1 +1 @@
-Subproject commit cea1e44edddd9124f75d5095f31026904a1f58d8
+Subproject commit b84f19e7507b2bff468dda9939da4dc5f820615f
diff --git a/profiling/Cargo.toml b/profiling/Cargo.toml
index 62a2e9ab46f..77a8e25bb50 100644
--- a/profiling/Cargo.toml
+++ b/profiling/Cargo.toml
@@ -3,7 +3,7 @@ name = "datadog-php-profiling"
 version = "0.0.0"
 edition = "2021"
 license = "Apache-2.0"
-rust-version = "1.84.1"
+rust-version = "1.87.0"
 
 [profile.release]
 panic = "abort"
diff --git a/profiling/rust-toolchain.toml b/profiling/rust-toolchain.toml
index fcb78ec564f..b8889a3bb3b 100644
--- a/profiling/rust-toolchain.toml
+++ b/profiling/rust-toolchain.toml
@@ -1,2 +1,2 @@
 [toolchain]
-channel = "1.84.1"
+channel = "1.87.0"
diff --git a/tooling/bin/build-debug-artifact b/tooling/bin/build-debug-artifact
index 135f5392aac..2b8759af0c5 100755
--- a/tooling/bin/build-debug-artifact
+++ b/tooling/bin/build-debug-artifact
@@ -115,7 +115,7 @@ case "$php_version" in
 esac
 
 # ─── Docker image selection ───────────────────────────────────────────────────
-BOOKWORM_VERSION=6
+BOOKWORM_VERSION=8
 if [[ "$libc" == "musl" ]]; then
     DOCKER_IMAGE="datadog/dd-trace-ci:php-compile-extension-alpine-${php_version}"
 else
@@ -244,7 +244,7 @@ cp tmp/build_extension/modules/ddtrace.so /output/ddtrace.so")"
 
 if [[ "$BUILD_PROFILER" == "1" ]]; then
     PROFILER_SCRIPT="$(_preamble "if [ -f /sbin/apk ] && [ \$(uname -m) = 'aarch64' ]; then
-    ln -sf ../lib/llvm19/bin/clang /usr/bin/clang
+    ln -sf ../lib/llvm20/bin/clang /usr/bin/clang
 fi
 (cd profiling && CARGO_TARGET_DIR=${HOME_DIR}/tmp/build_profiler cargo build --profile dev)
 cp ${HOME_DIR}/tmp/build_profiler/debug/libdatadog_php_profiling.so /output/datadog-profiling${EXT_SUFFIX}.so")"

From e7581a2ec2717b2d43dfe2a0f2ec10865b643bf9 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 22 May 2026 15:40:24 -0600
Subject: [PATCH 02/42] ci: add otel exporter for better diagnostics when
 things go wrong

---
 .gitlab/ci-images.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index 1852f6fa5d8..b666220fe44 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -17,6 +17,8 @@ CentOS:
   tags: ["arch:amd64"]
   timeout: 4h
   image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble
+  variables:
+    DDCI_CONFIGURE_OTEL_EXPORTER: "true"
   parallel:
     matrix:
       - PHP_VERSION:
@@ -46,6 +48,8 @@ Alpine:
   tags: ["arch:amd64"]
   timeout: 4h
   image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble
+  variables:
+    DDCI_CONFIGURE_OTEL_EXPORTER: "true"
   parallel:
     matrix:
       - PHP_VERSION:
@@ -75,6 +79,8 @@ Bookworm:
   tags: ["arch:amd64"]
   timeout: 4h
   image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble
+  variables:
+    DDCI_CONFIGURE_OTEL_EXPORTER: "true"
   parallel:
     matrix:
       - PHP_VERSION:

From 5d23d5a06d682294b9cc25a84477206fc733147d Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 22 May 2026 16:58:33 -0600
Subject: [PATCH 03/42] ci: limit build parallelism

---
 .gitlab/ci-images.yml                       |  2 ++
 dockerfiles/ci/bookworm/Dockerfile          |  9 ++++++--
 dockerfiles/ci/bookworm/build-extensions.sh | 23 +++++++++++----------
 dockerfiles/ci/bookworm/build-php.sh        | 10 ++++++---
 dockerfiles/ci/bookworm/docker-compose.yml  |  2 +-
 dockerfiles/ci/bookworm/php-7.0/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-7.1/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-7.2/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-7.3/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-7.4/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-8.0/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-8.1/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-8.2/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-8.3/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-8.4/Dockerfile  |  2 ++
 dockerfiles/ci/bookworm/php-8.5/Dockerfile  |  2 ++
 16 files changed, 51 insertions(+), 17 deletions(-)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index b666220fe44..994d5529c41 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -85,6 +85,7 @@ Bookworm:
     matrix:
       - PHP_VERSION:
         - base
+      - PHP_VERSION:
         - php-8.5
         - php-8.4
         - php-8.3
@@ -98,6 +99,7 @@ Bookworm:
         - php-7.2
         - php-7.1
         - php-7.0
+        MAKE_JOBS: ["2"]
   script:
     - cd dockerfiles/ci/bookworm
     - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
diff --git a/dockerfiles/ci/bookworm/Dockerfile b/dockerfiles/ci/bookworm/Dockerfile
index ac8ae99acfc..41eeb619013 100644
--- a/dockerfiles/ci/bookworm/Dockerfile
+++ b/dockerfiles/ci/bookworm/Dockerfile
@@ -83,6 +83,7 @@ ENV PHPIZE_DEPS \
     re2c
 
 ARG TARGETPLATFORM
+ARG MAKE_JOBS=
 RUN set -eux; \
 # Set timezone to UTC by default
     ln -sf /usr/share/zoneinfo/Etc/UTC /etc/localtime; \
@@ -188,6 +189,8 @@ RUN set -eux; \
 
 # Install gdb
 RUN set -eux; \
+    make_jobs="${MAKE_JOBS:-0}"; \
+    if [ "$make_jobs" = "0" ]; then make_jobs="$(nproc)"; fi; \
     apt install -y libmpfr-dev libgmp-dev; \
     GDB_VERSION="17.2"; \
     GDB_SHA256="cb891b9a9f554cac972eea5368176b240640ae90b681aae84bf873a9501f0063";\
@@ -196,12 +199,14 @@ RUN set -eux; \
     mkdir gdb && cd gdb; \
     tar -xf ../gdb-${GDB_VERSION}.tar.gz --strip 1;\
     ./configure; \
-    make -j "$((`nproc`+1))"; \
+    make -j "$make_jobs"; \
     make install; \
     rm -rfv /tmp/*
 
 # Install valgrind
 RUN set -eux; \
+    make_jobs="${MAKE_JOBS:-0}"; \
+    if [ "$make_jobs" = "0" ]; then make_jobs="$(nproc)"; fi; \
     VALGRIND_VERSION="3.25.1"; \
     VALGRIND_SHA256="61deb8d0727b45c268efdc1b3b6c9e679cd97cbf5ee4b28d1dead7c8b7a271af"; \
     cd /tmp && curl -OL https://mirrors.kernel.org/sourceware/valgrind/valgrind-${VALGRIND_VERSION}.tar.bz2; \
@@ -209,7 +214,7 @@ RUN set -eux; \
     mkdir valgrind && cd valgrind; \
     tar -xjf ../valgrind-${VALGRIND_VERSION}.tar.bz2 --strip 1;\
     ./configure; \
-    make -j "$((`nproc`+1))"; \
+    make -j "$make_jobs"; \
     make install; \
     rm -rfv /tmp/*
 
diff --git a/dockerfiles/ci/bookworm/build-extensions.sh b/dockerfiles/ci/bookworm/build-extensions.sh
index 8a6ebe891bb..a619baaba14 100755
--- a/dockerfiles/ci/bookworm/build-extensions.sh
+++ b/dockerfiles/ci/bookworm/build-extensions.sh
@@ -7,8 +7,9 @@ PHP_VERSION_ID=$(php -r 'echo PHP_MAJOR_VERSION . PHP_MINOR_VERSION;')
 PHP_ZTS=$(php -r 'echo PHP_ZTS;')
 EXTENSION_DIR=$(php-config --extension-dir)
 
-# This make `pecl install` use all available cores
-export MAKEFLAGS="-s -j $(nproc)"
+if [[ -z "${MAKE_JOBS:-}" || "${MAKE_JOBS}" == "0" ]]; then
+  MAKE_JOBS="$(nproc)"
+fi
 
 XDEBUG_VERSIONS=(-3.1.2)
 if [[ $PHP_VERSION_ID -le 70 ]]; then
@@ -89,7 +90,7 @@ if [[ $SHARED_BUILD -ne 0 ]]; then
     tar -xf curl.tar.gz && rm curl.tar.gz
     cd curl-${curlVer}
     ./configure --with-openssl --prefix=/opt/curl/${curlVer}
-    make -j "$((`nproc`+1))"
+    make -j "$MAKE_JOBS"
     make install
   done
 
@@ -100,14 +101,14 @@ if [[ $SHARED_BUILD -ne 0 ]]; then
   cd ${PHP_SRC_DIR}/ext/curl
   phpize
   ./configure
-  make -j "$((`nproc`+1))"
+  make -j "$MAKE_JOBS"
   mv ./modules/*.so $EXTENSION_DIR
   make clean
 
   for curlVer in ${CURL_VERSIONS}; do
     PKG_CONFIG_PATH=/opt/curl/${curlVer}/lib/pkgconfig/
     ./configure
-    make -j "$((`nproc`+1))"
+    make -j "$MAKE_JOBS"
     mv ./modules/curl.so $EXTENSION_DIR/curl-${curlVer}.so
     make clean
   done
@@ -117,7 +118,7 @@ if [[ $SHARED_BUILD -ne 0 ]]; then
   cd ${PHP_SRC_DIR}/ext/pdo
   phpize
   ./configure
-  make -j "$((`nproc`+1))"
+  make -j "$MAKE_JOBS"
   mv ./modules/*.so $(php-config --extension-dir)
   make clean;
   phpize --clean
@@ -149,13 +150,13 @@ else
     # memcached master version
     git clone https://github.com/php-memcached-dev/php-memcached.git
     cd php-memcached
-    phpize && ./configure && make -j"$(nproc)" && make install && echo "extension=memcached.so" >> ${iniDir}/memcached.ini;
+    phpize && ./configure && make -j"$MAKE_JOBS" && make install && echo "extension=memcached.so" >> ${iniDir}/memcached.ini;
     cd ..
 
     # memcache master version
     git clone https://github.com/websupport-sk/pecl-memcache.git
     cd pecl-memcache
-    phpize && ./configure && make -j"$(nproc)" && make install && echo "extension=memcache.so" >> ${iniDir}/memcache.ini;
+    phpize && ./configure && make -j"$MAKE_JOBS" && make install && echo "extension=memcache.so" >> ${iniDir}/memcache.ini;
     cd ..
 
     pecl install mongodb$MONGODB_VERSION; echo "extension=mongodb.so" >> ${iniDir}/mongodb.ini;
@@ -163,7 +164,7 @@ else
     # Xdebug master version (disabled by default)
     git clone https://github.com/xdebug/xdebug.git
     cd xdebug
-    phpize && ./configure && make -j"$(nproc)" && make install;
+    phpize && ./configure && make -j"$MAKE_JOBS" && make install;
     cd ..
   fi
   pecl install rdkafka; echo "extension=rdkafka.so" >> ${iniDir}/rdkafka.ini;
@@ -190,7 +191,7 @@ else
     fi
     phpize
     ./configure --host=$HOST_ARCH-linux-gnu
-    make -j "$((`nproc`+1))"
+    make -j "$MAKE_JOBS"
     make install
     popd
   fi
@@ -222,7 +223,7 @@ else
     if [[ $PHP_VERSION_ID -ge 85 ]]; then
       git clone https://github.com/phpredis/phpredis.git
       cd phpredis
-      phpize && ./configure && make -j"$(nproc)" && make install
+      phpize && ./configure && make -j"$MAKE_JOBS" && make install
     else
       pecl install redis-6.1.0
     fi
diff --git a/dockerfiles/ci/bookworm/build-php.sh b/dockerfiles/ci/bookworm/build-php.sh
index 29e622b447d..83df36900a4 100755
--- a/dockerfiles/ci/bookworm/build-php.sh
+++ b/dockerfiles/ci/bookworm/build-php.sh
@@ -7,6 +7,10 @@ INSTALL_VERSION=$3
 PHP_VERSION=$4
 SHARED_BUILD=${5:-0}
 
+if [[ -z "${MAKE_JOBS:-}" || "${MAKE_JOBS}" == "0" ]]; then
+  MAKE_JOBS="$(nproc)"
+fi
+
 PHP_VERSION_ID=${PHP_VERSION:0:3}
 PHP_VERSION_ID=${PHP_VERSION_ID/./}
 INSTALL_DIR=$BASE_INSTALL_DIR/$INSTALL_VERSION
@@ -91,7 +95,7 @@ ${PHP_SRC_DIR}/configure \
     --with-config-file-path=${INSTALL_DIR} \
     --with-config-file-scan-dir=${INSTALL_DIR}/conf.d
 
-make -s -j "$((`nproc`+1))" || true
+make -s -j "$MAKE_JOBS" || true
 
 if ! [[ -f ext/phar/phar.phar ]] && [[ ${INSTALL_VERSION} == *asan* ]]; then
   # Cross-compilation with asan and qemu will fail with a segfault instead. Handle this.
@@ -99,7 +103,7 @@ if ! [[ -f ext/phar/phar.phar ]] && [[ ${INSTALL_VERSION} == *asan* ]]; then
   mkdir -p ext/phar/
   touch ext/phar/phar.phar
   # ensure compilation finishes, then back up php
-  make -s || true;
+  make -s -j "$MAKE_JOBS" || true;
   exit;
 fi
 
@@ -109,7 +113,7 @@ if [[ ${INSTALL_VERSION} != *asan* ]]; then
   # In two steps, because: You've configured multiple SAPIs to be built. You can build only one SAPI module plus CGI, CLI and FPM binaries at the same time.
   sed -i 's/--enable-embed/--with-apxs2=\/usr\/bin\/apxs2/' config.nice
   ./config.nice
-  make -s -j "$((`nproc`+1))"
+  make -s -j "$MAKE_JOBS"
   cp .libs/libphp*.so ${INSTALL_DIR}/lib/apache2handler-libphp.so
 fi
 
diff --git a/dockerfiles/ci/bookworm/docker-compose.yml b/dockerfiles/ci/bookworm/docker-compose.yml
index b771375e0b3..a8df1f70e22 100644
--- a/dockerfiles/ci/bookworm/docker-compose.yml
+++ b/dockerfiles/ci/bookworm/docker-compose.yml
@@ -12,6 +12,7 @@ services:
           - linux/amd64
       args: &build-base
         BUILD_BASE: datadog/dd-trace-ci:bookworm-$BOOKWORM_NEXT_VERSION
+        MAKE_JOBS: ${MAKE_JOBS:-}
 
   php-8.5:
     image: datadog/dd-trace-ci:php-8.5_bookworm-$BOOKWORM_NEXT_VERSION
@@ -170,4 +171,3 @@ services:
         phpVersion: "7.0"
         phpTarGzUrl: https://www.php.net/distributions/php-7.0.33.tar.gz
         phpSha256Hash: d71a6ecb6b13dc53fed7532a7f8f949c4044806f067502f8fb6f9facbb40452a
-
diff --git a/dockerfiles/ci/bookworm/php-7.0/Dockerfile b/dockerfiles/ci/bookworm/php-7.0/Dockerfile
index e218acf11a3..ce79de67566 100644
--- a/dockerfiles/ci/bookworm/php-7.0/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-7.0/Dockerfile
@@ -30,6 +30,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \
diff --git a/dockerfiles/ci/bookworm/php-7.1/Dockerfile b/dockerfiles/ci/bookworm/php-7.1/Dockerfile
index d21d6962b1d..97926597e55 100644
--- a/dockerfiles/ci/bookworm/php-7.1/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-7.1/Dockerfile
@@ -30,6 +30,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \
diff --git a/dockerfiles/ci/bookworm/php-7.2/Dockerfile b/dockerfiles/ci/bookworm/php-7.2/Dockerfile
index 5bafb197c28..66df6a34a5f 100644
--- a/dockerfiles/ci/bookworm/php-7.2/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-7.2/Dockerfile
@@ -31,6 +31,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \
diff --git a/dockerfiles/ci/bookworm/php-7.3/Dockerfile b/dockerfiles/ci/bookworm/php-7.3/Dockerfile
index 09a21305975..c02b3b144f7 100644
--- a/dockerfiles/ci/bookworm/php-7.3/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-7.3/Dockerfile
@@ -24,6 +24,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \
diff --git a/dockerfiles/ci/bookworm/php-7.4/Dockerfile b/dockerfiles/ci/bookworm/php-7.4/Dockerfile
index 4c9d31edf88..f15f41d7b62 100644
--- a/dockerfiles/ci/bookworm/php-7.4/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-7.4/Dockerfile
@@ -22,6 +22,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 ARG sharedBuild=0
 ENV SHARED_BUILD=${sharedBuild}
 # install cross-compiling packages
diff --git a/dockerfiles/ci/bookworm/php-8.0/Dockerfile b/dockerfiles/ci/bookworm/php-8.0/Dockerfile
index 6ff8fc523a7..add481710c9 100644
--- a/dockerfiles/ci/bookworm/php-8.0/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-8.0/Dockerfile
@@ -28,6 +28,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 ARG sharedBuild=0
 ENV SHARED_BUILD=${sharedBuild}
 # install cross-compiling packages
diff --git a/dockerfiles/ci/bookworm/php-8.1/Dockerfile b/dockerfiles/ci/bookworm/php-8.1/Dockerfile
index 15d7a69d71f..087a0f9f9f9 100644
--- a/dockerfiles/ci/bookworm/php-8.1/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-8.1/Dockerfile
@@ -31,6 +31,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \
diff --git a/dockerfiles/ci/bookworm/php-8.2/Dockerfile b/dockerfiles/ci/bookworm/php-8.2/Dockerfile
index bfb9d871b5a..0401cbfa24c 100644
--- a/dockerfiles/ci/bookworm/php-8.2/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-8.2/Dockerfile
@@ -29,6 +29,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \
diff --git a/dockerfiles/ci/bookworm/php-8.3/Dockerfile b/dockerfiles/ci/bookworm/php-8.3/Dockerfile
index dbf79aff9e0..9df64d84de1 100644
--- a/dockerfiles/ci/bookworm/php-8.3/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-8.3/Dockerfile
@@ -28,6 +28,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \
diff --git a/dockerfiles/ci/bookworm/php-8.4/Dockerfile b/dockerfiles/ci/bookworm/php-8.4/Dockerfile
index 632221b1595..4f3911b0b26 100644
--- a/dockerfiles/ci/bookworm/php-8.4/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-8.4/Dockerfile
@@ -26,6 +26,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \
diff --git a/dockerfiles/ci/bookworm/php-8.5/Dockerfile b/dockerfiles/ci/bookworm/php-8.5/Dockerfile
index 5a98c2832af..0be7910cfd7 100644
--- a/dockerfiles/ci/bookworm/php-8.5/Dockerfile
+++ b/dockerfiles/ci/bookworm/php-8.5/Dockerfile
@@ -28,6 +28,8 @@ ENV PHP_VERSION=${phpVersion}
 ENV PHP_INSTALL_DIR=${PHP_INSTALL_DIR}
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG MAKE_JOBS=
+ENV MAKE_JOBS=${MAKE_JOBS}
 # install cross-compiling packages
 RUN if [ "$BUILDPLATFORM" != "$TARGETPLATFORM" ]; then \
         sudo dpkg --add-architecture ${TARGETPLATFORM#linux/}; \

From 3bcc9c99ae29d2b8d673cf0126a2de35affe1386 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Tue, 26 May 2026 13:27:52 -0600
Subject: [PATCH 04/42] bump PHP versions and reduce image size

---
 .../alpine_compile_extension/docker-compose.yml | 17 ++++++++---------
 dockerfiles/ci/bookworm/Dockerfile              | 10 ++++++----
 dockerfiles/ci/bookworm/docker-compose.yml      | 16 ++++++++--------
 dockerfiles/ci/centos/7/docker-compose.yml      | 16 ++++++++--------
 libdatadog                                      |  2 +-
 5 files changed, 31 insertions(+), 30 deletions(-)

diff --git a/dockerfiles/ci/alpine_compile_extension/docker-compose.yml b/dockerfiles/ci/alpine_compile_extension/docker-compose.yml
index 764b2896c5d..0201dc852bb 100644
--- a/dockerfiles/ci/alpine_compile_extension/docker-compose.yml
+++ b/dockerfiles/ci/alpine_compile_extension/docker-compose.yml
@@ -104,8 +104,8 @@ services:
       context: .
       x-bake: *bake
       args:
-        phpVersion: 8.2.26
-        phpSha256Hash: 04e47b46b347ed6404dcc9e9989486710b075eafc8490500fd271aeeac5d83cb
+        phpVersion: 8.2.31
+        phpSha256Hash: 083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870
         phpApi: 20220829
     volumes:
       - ../../:/app
@@ -116,8 +116,8 @@ services:
       context: .
       x-bake: *bake
       args:
-        phpVersion: 8.3.14
-        phpSha256Hash: e4ee602c31e2f701c9f0209a2902dd4802727431246a9155bf56dda7bcf7fb4a
+        phpVersion: 8.3.31
+        phpSha256Hash: 4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f
         phpApi: 20230831
     volumes:
       - ../../:/app
@@ -128,8 +128,8 @@ services:
       context: .
       x-bake: *bake
       args:
-        phpVersion: 8.4.1
-        phpSha256Hash: c3d1ce4157463ea43004289c01172deb54ce9c5894d8722f4e805461bf9feaec
+        phpVersion: 8.4.21
+        phpSha256Hash: db96ee0a8e5ee7b73a4913a2aeddc162ba2ef16cd34b9347b5b9a6150e1f8e48
         phpApi: 20240924
     volumes:
       - ../../:/app
@@ -140,9 +140,8 @@ services:
       context: .
       x-bake: *bake
       args:
-        phpVersion: 8.5.0
-        phpTarGzUrl: https://downloads.php.net/~daniels/php-8.5.0RC3.tar.gz
-        phpSha256Hash: "937e544d72ee1eb28d2190cadaadf8e5e8d7d8c365b5c1f6a99b4f979a1f3a1b"
+        phpVersion: 8.5.6
+        phpSha256Hash: "169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd"
         phpApi: 20250925
     volumes:
       - ../../:/app
diff --git a/dockerfiles/ci/bookworm/Dockerfile b/dockerfiles/ci/bookworm/Dockerfile
index 41eeb619013..888efd70b5f 100644
--- a/dockerfiles/ci/bookworm/Dockerfile
+++ b/dockerfiles/ci/bookworm/Dockerfile
@@ -132,6 +132,8 @@ RUN set -eux; \
         useradd --uid 3434 --gid circleci --shell /bin/bash --create-home circleci; \
         echo 'circleci ALL=NOPASSWD: ALL' >> /etc/sudoers.d/50-circleci; \
         echo 'Defaults    env_keep += "DEBIAN_FRONTEND"' >> /etc/sudoers.d/env_keep; \
+    mkdir -p /opt; \
+    chown circleci:circleci /opt; \
     \
 # Allow nginx to be run as non-root for tests
     chown -R circleci:circleci /var/log/nginx/ /var/lib/nginx/; \
@@ -302,7 +304,7 @@ RUN set -eux; \
     chown -R circleci:circleci /usr/local/src; \
 # Setup php install directory
     mkdir -p $PHP_INSTALL_DIR; \
-    chown -R circleci:circleci /opt;
+    chown circleci:circleci $PHP_INSTALL_DIR;
 
 # rust sha256sum generated locally after verifying it with sha256
 ARG RUST_VERSION="1.87.0"
@@ -313,10 +315,10 @@ ENV RUSTUP_HOME=/rust/rustup
 RUN mkdir -p -v "${CARGO_HOME}" "${RUSTUP_HOME}" \
     && chmod -R 777 "${CARGO_HOME}" "${RUSTUP_HOME}" \
     && MARCH=$(uname -m) \
-    && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_VERSION -c "rustc,cargo,clippy-preview,rustfmt-preview,rust-std,rust-src" \
+    && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION -c "rustc,cargo,clippy-preview,rustfmt-preview,rust-std,rust-src" \
     && export PATH="/rust/cargo/bin:$PATH" \
-    && rustup install nightly${RUST_NIGHTLY_VERSION} \
-    && rustup component add rust-src --toolchain nightly${RUST_NIGHTLY_VERSION}-$MARCH-unknown-linux-gnu
+    && rustup toolchain install --profile minimal nightly${RUST_NIGHTLY_VERSION} \
+    && rustup component add clippy-preview rustfmt-preview rust-src --toolchain nightly${RUST_NIGHTLY_VERSION}-$MARCH-unknown-linux-gnu
 
 ENV PATH="/rust/cargo/bin:${PATH}"
 
diff --git a/dockerfiles/ci/bookworm/docker-compose.yml b/dockerfiles/ci/bookworm/docker-compose.yml
index a8df1f70e22..08e8d54cff2 100644
--- a/dockerfiles/ci/bookworm/docker-compose.yml
+++ b/dockerfiles/ci/bookworm/docker-compose.yml
@@ -23,8 +23,8 @@ services:
       args:
         <<: *build-base
         phpVersion: "8.5"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.5.4.tar.gz
-        phpSha256Hash: "4fef7f44eff3c18e329504cb0d3eb30b41cf54e2db05cb4ebe8b78fc37d38ce1"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.5.6.tar.gz
+        phpSha256Hash: "169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd"
 
   php-8.4:
     image: datadog/dd-trace-ci:php-8.4_bookworm-$BOOKWORM_NEXT_VERSION
@@ -35,8 +35,8 @@ services:
       args:
         <<: *build-base
         phpVersion: "8.4"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.4.19.tar.gz
-        phpSha256Hash: "9e862435ffb533dc5b0eb486170a74e5f7c8095e8eb8819a2ff5aad430292a18"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.4.21.tar.gz
+        phpSha256Hash: "db96ee0a8e5ee7b73a4913a2aeddc162ba2ef16cd34b9347b5b9a6150e1f8e48"
 
   php-8.3:
     image: datadog/dd-trace-ci:php-8.3_bookworm-$BOOKWORM_NEXT_VERSION
@@ -47,8 +47,8 @@ services:
       args:
         <<: *build-base
         phpVersion: "8.3"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.3.30.tar.gz
-        phpSha256Hash: "e587dc95fb7f62730299fa7b36b6e4f91e6708aaefa2fff68a0098d320c16386"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.3.31.tar.gz
+        phpSha256Hash: "4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f"
 
   php-8.2:
     image: datadog/dd-trace-ci:php-8.2_bookworm-$BOOKWORM_NEXT_VERSION
@@ -59,8 +59,8 @@ services:
       args:
         <<: *build-base
         phpVersion: "8.2"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.2.30.tar.gz
-        phpSha256Hash: "a0fa6673ba4b0c8335fbab08afb7c2e13a3791f2b5a0928c7ad3d7ad872edf26"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.2.31.tar.gz
+        phpSha256Hash: "083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870"
 
   php-8.1:
     image: datadog/dd-trace-ci:php-8.1_bookworm-$BOOKWORM_NEXT_VERSION
diff --git a/dockerfiles/ci/centos/7/docker-compose.yml b/dockerfiles/ci/centos/7/docker-compose.yml
index fd29fa339a0..e1378570db4 100644
--- a/dockerfiles/ci/centos/7/docker-compose.yml
+++ b/dockerfiles/ci/centos/7/docker-compose.yml
@@ -95,8 +95,8 @@ services:
       x-bake: *bake
       args:
         phpVersion: "8.2"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.2.30.tar.gz
-        phpSha256Hash: "a0fa6673ba4b0c8335fbab08afb7c2e13a3791f2b5a0928c7ad3d7ad872edf26"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.2.31.tar.gz
+        phpSha256Hash: "083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870"
     image: 'datadog/dd-trace-ci:php-8.2_centos-7'
 
   php-8.3:
@@ -106,8 +106,8 @@ services:
       x-bake: *bake
       args:
         phpVersion: "8.3"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.3.30.tar.gz
-        phpSha256Hash: "e587dc95fb7f62730299fa7b36b6e4f91e6708aaefa2fff68a0098d320c16386"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.3.31.tar.gz
+        phpSha256Hash: "4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f"
     image: 'datadog/dd-trace-ci:php-8.3_centos-7'
 
   php-8.4:
@@ -117,8 +117,8 @@ services:
       x-bake: *bake
       args:
         phpVersion: "8.4"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.4.19.tar.gz
-        phpSha256Hash: "9e862435ffb533dc5b0eb486170a74e5f7c8095e8eb8819a2ff5aad430292a18"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.4.21.tar.gz
+        phpSha256Hash: "db96ee0a8e5ee7b73a4913a2aeddc162ba2ef16cd34b9347b5b9a6150e1f8e48"
     image: 'datadog/dd-trace-ci:php-8.4_centos-7'
 
   php-8.5:
@@ -128,6 +128,6 @@ services:
       x-bake: *bake
       args:
         phpVersion: "8.5"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.5.4.tar.gz
-        phpSha256Hash: "4fef7f44eff3c18e329504cb0d3eb30b41cf54e2db05cb4ebe8b78fc37d38ce1"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.5.6.tar.gz
+        phpSha256Hash: "169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd"
     image: 'datadog/dd-trace-ci:php-8.5_centos-7'
diff --git a/libdatadog b/libdatadog
index b84f19e7507..dd71a87702a 160000
--- a/libdatadog
+++ b/libdatadog
@@ -1 +1 @@
-Subproject commit b84f19e7507b2bff468dda9939da4dc5f820615f
+Subproject commit dd71a87702aa4ed6c5f09399a72d42eaa98d3cf1

From 0a6fcaf3f6955f77e3b2debb6d46679717d96cfa Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Wed, 27 May 2026 09:42:45 -0600
Subject: [PATCH 05/42] Start using bookworm-8 images in CI

---
 docker-compose.yml           | 26 +++++++++++++-------------
 dockerfiles/ci/bookworm/.env |  2 +-
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 1ae0b5f428b..5d5297b405f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -72,19 +72,19 @@ services:
   # --- Alpine ---
   '8.0-alpine': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0_alpine' }
   # --- Bookworm ---
-  '7.0-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.0_bookworm-7' }
-  '7.1-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.1_bookworm-7' }
-  '7.2-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.2_bookworm-7' }
-  '7.3-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.3_bookworm-7' }
-  '7.4-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.4_bookworm-7' }
-  '7.4-bookworm-shared-ext': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.4-shared-ext-6' }
-  '8.0-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0_bookworm-7' }
-  '8.0-bookworm-shared-ext': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0-shared-ext-6' }
-  '8.1-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.1_bookworm-7' }
-  '8.2-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.2_bookworm-7' }
-  '8.3-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.3_bookworm-7' }
-  '8.4-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.4_bookworm-7' }
-  '8.5-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.5_bookworm-7' }
+  '7.0-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.0_bookworm-8' }
+  '7.1-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.1_bookworm-8' }
+  '7.2-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.2_bookworm-8' }
+  '7.3-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.3_bookworm-8' }
+  '7.4-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.4_bookworm-8' }
+  '7.4-bookworm-shared-ext': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.4-shared-ext-8' }
+  '8.0-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0_bookworm-8' }
+  '8.0-bookworm-shared-ext': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0-shared-ext-8' }
+  '8.1-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.1_bookworm-8' }
+  '8.2-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.2_bookworm-8' }
+  '8.3-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.3_bookworm-8' }
+  '8.4-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.4_bookworm-8' }
+  '8.5-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.5_bookworm-8' }
   'php-master-buster': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-master_buster' }
   # --- CentOS 6 ---
   '7.0-centos7': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.0_centos-7' }
diff --git a/dockerfiles/ci/bookworm/.env b/dockerfiles/ci/bookworm/.env
index c262c5f2817..bdd749c6725 100644
--- a/dockerfiles/ci/bookworm/.env
+++ b/dockerfiles/ci/bookworm/.env
@@ -1,2 +1,2 @@
-BOOKWORM_CURRENT_VERSION=7
+BOOKWORM_CURRENT_VERSION=8
 BOOKWORM_NEXT_VERSION=8

From 807b8f6239c55b66a2d76b7d4b6923d3b709eaf4 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Wed, 27 May 2026 11:26:39 -0600
Subject: [PATCH 06/42] docs: explain minimal rust install

---
 dockerfiles/ci/bookworm/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dockerfiles/ci/bookworm/Dockerfile b/dockerfiles/ci/bookworm/Dockerfile
index 888efd70b5f..8b391bd0b87 100644
--- a/dockerfiles/ci/bookworm/Dockerfile
+++ b/dockerfiles/ci/bookworm/Dockerfile
@@ -312,6 +312,9 @@ ARG RUST_NIGHTLY_VERSION="-2025-06-13"
 # Mount a cache into /rust/cargo if you want to pre-fetch packages or something
 ENV CARGO_HOME=/rust/cargo
 ENV RUSTUP_HOME=/rust/rustup
+
+# Using minimal and adding additional components avoids the HTML docs, which
+# are unnecessary bloat.
 RUN mkdir -p -v "${CARGO_HOME}" "${RUSTUP_HOME}" \
     && chmod -R 777 "${CARGO_HOME}" "${RUSTUP_HOME}" \
     && MARCH=$(uname -m) \

From fcd032040918fbc08b63299e85b3bf63b55181db Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Wed, 27 May 2026 12:41:24 -0600
Subject: [PATCH 07/42] ci(appsec): adopt bookworm-8

This is going to cause breakages with lints
---
 .gitlab/generate-appsec.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php
index 3f3aff72e33..b83fd2e9476 100644
--- a/.gitlab/generate-appsec.php
+++ b/.gitlab/generate-appsec.php
@@ -71,7 +71,7 @@
 "test appsec extension":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-6
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_CPU_LIMIT: 3
@@ -393,7 +393,7 @@
 "appsec code coverage":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-6
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -515,7 +515,7 @@
 "appsec lint":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-6
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 9Gi
@@ -537,7 +537,7 @@
 "test appsec helper asan":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-6
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -563,7 +563,7 @@
 #"fuzz appsec helper":
 #  stage: test
 #  extends: .appsec_test
-#  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-6
+#  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8
 #  variables:
 #    KUBERNETES_CPU_REQUEST: 3
 #    KUBERNETES_MEMORY_REQUEST: 5Gi

From f07940a975431af1c82992609edbec7b6bceff65 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Wed, 27 May 2026 12:54:43 -0600
Subject: [PATCH 08/42] ci: use versioned images for shared-ext too

---
 .gitlab/generate-package.php | 2 +-
 .gitlab/generate-shared.php  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitlab/generate-package.php b/.gitlab/generate-package.php
index ac760cdcae1..8fe2c722839 100644
--- a/.gitlab/generate-package.php
+++ b/.gitlab/generate-package.php
@@ -1187,7 +1187,7 @@
 
 "min install tests":
   stage: verify
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.0-shared-ext
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.0-shared-ext-8
   tags: [ "arch:amd64" ]
   variables:
     MAX_TEST_PARALLELISM: 8
diff --git a/.gitlab/generate-shared.php b/.gitlab/generate-shared.php
index f28ef82fe80..d3f5f0a4f0f 100644
--- a/.gitlab/generate-shared.php
+++ b/.gitlab/generate-shared.php
@@ -185,7 +185,7 @@
 ?>
 "ZAI Shared Tests: [<?= $major_minor ?>]":
   extends: .tea_test
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-<?= $major_minor ?>-shared-ext"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-<?= $major_minor ?>-shared-ext-8"
   needs:
     - job: "Build & Test Tea"
       parallel:

From 8ed72a060f5864eba065c8d18d95ab19c1637038 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Wed, 27 May 2026 13:21:32 -0600
Subject: [PATCH 09/42] ci(appsec): clang 17 to clang 20

---
 .gitlab/generate-appsec.php | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php
index b83fd2e9476..06c65cc1166 100644
--- a/.gitlab/generate-appsec.php
+++ b/.gitlab/generate-appsec.php
@@ -53,7 +53,7 @@
   before_script:
 <?php unset_dd_runner_env_vars() ?>
     - git config --global --add safe.directory "$(pwd)/appsec/third_party/libddwaf"
-    - sudo apt install -y clang-tidy-17 libc++-17-dev libc++abi-17-dev
+    - sudo apt install -y clang-tidy-20 libc++-20-dev libc++abi-20-dev
     - mkdir -p appsec/build boost-cache boost-cache
   cache:
     - key: "appsec boost cache"
@@ -408,7 +408,7 @@
       sudo cp -v vault /usr/local/bin
       cd -
       sudo sed -i 's|http://deb.debian.org/debian|http://archive.debian.org/debian|g; s|http://security.debian.org/debian-security|http://archive.debian.org/debian-security|g' /etc/apt/sources.list
-      sudo apt-get update && sudo apt-get install -y jq gcovr llvm-17 clang-17
+      sudo apt-get update && sudo apt-get install -y jq gcovr llvm-20 clang-20
 
       echo "Installing codecov"
 
@@ -428,7 +428,7 @@
     - |
       cmake .. -DCMAKE_BUILD_TYPE=Debug -DDD_APPSEC_ENABLE_COVERAGE=ON \
         -DDD_APPSEC_TESTING=ON -DCMAKE_CXX_FLAGS="-stdlib=libc++" \
-        -DCMAKE_C_COMPILER=/usr/bin/clang-17 -DCMAKE_CXX_COMPILER=/usr/bin/clang++-17 \
+        -DCMAKE_C_COMPILER=/usr/bin/clang-20 -DCMAKE_CXX_COMPILER=/usr/bin/clang++-20 \
         -DCMAKE_CXX_LINK_FLAGS="-stdlib=libc++" \
         -DBOOST_CACHE_PREFIX="$CI_PROJECT_DIR/boost-cache"
     - |
@@ -442,8 +442,8 @@
         ./appsec/build/tests/helper/ddappsec_helper_test
     - |
       cd /tmp/cov-ext
-      llvm-profdata-17 merge -sparse *.profraw -o default.profdata
-      llvm-cov-17 export "$CI_PROJECT_DIR"/appsec/build/ddappsec.so \
+      llvm-profdata-20 merge -sparse *.profraw -o default.profdata
+      llvm-cov-20 export "$CI_PROJECT_DIR"/appsec/build/ddappsec.so \
         -format=lcov -instr-profile=default.profdata \
         > "$CI_PROJECT_DIR"/appsec/build/coverage-ext.lcov
       echo "Uploading extension coverage to codecov"
@@ -451,8 +451,8 @@
       codecov -t "$CODECOV_TOKEN" -n appsec-extension -v -f appsec/build/coverage-ext.lcov
     - |
       cd /tmp/cov-helper
-      llvm-profdata-17 merge -sparse *.profraw -o default.profdata
-      llvm-cov-17 export "$CI_PROJECT_DIR"/appsec/build/tests/helper/ddappsec_helper_test \
+      llvm-profdata-20 merge -sparse *.profraw -o default.profdata
+      llvm-cov-20 export "$CI_PROJECT_DIR"/appsec/build/tests/helper/ddappsec_helper_test \
         -format=lcov -instr-profile=default.profdata \
         > "$CI_PROJECT_DIR/appsec/build/coverage-helper.lcov"
       echo "Uploading helper coverage to codecov"
@@ -522,15 +522,15 @@
     KUBERNETES_MEMORY_LIMIT: 10Gi
     ARCH: amd64
   script:
-    - sudo apt install -y clang-format-17
+    - sudo apt install -y clang-format-20
     - cd appsec/build
     - |
       cmake .. -DCMAKE_BUILD_TYPE=Debug -DDD_APPSEC_ENABLE_COVERAGE=OFF \
         -DDD_APPSEC_TESTING=OFF -DCMAKE_CXX_FLAGS="-stdlib=libc++" \
         -DCMAKE_CXX_LINK_FLAGS="-stdlib=libc++" \
         -DBOOST_CACHE_PREFIX="$CI_PROJECT_DIR/boost-cache" \
-        -DCLANG_TIDY=/usr/bin/run-clang-tidy-17 \
-        -DCLANG_FORMAT=/usr/bin/clang-format-17
+        -DCLANG_TIDY=/usr/bin/run-clang-tidy-20 \
+        -DCLANG_FORMAT=/usr/bin/clang-format-20
     - make -j 4 extension ddappsec-helper
     - make format tidy
 
@@ -555,7 +555,7 @@
         -DASAN_BUILD" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address -fsanitize=leak" \
         -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address -fsanitize=leak" \
         -DBOOST_CACHE_PREFIX="$CI_PROJECT_DIR/boost-cache" \
-        -DCLANG_TIDY=/usr/bin/run-clang-tidy-17
+        -DCLANG_TIDY=/usr/bin/run-clang-tidy-20
     - make -j 4 ddappsec_helper_test
     - cd ../..; ./appsec/build/tests/helper/ddappsec_helper_test
 
@@ -581,7 +581,7 @@
 #    - cd -
 #
 #    - cd appsec/build
-#    - cmake .. -DCMAKE_BUILD_TYPE=Debug -DDD_APPSEC_BUILD_EXTENSION=OFF -DCMAKE_CXX_FLAGS="-stdlib=libc++" -DCMAKE_CXX_LINK_FLAGS="-stdlib=libc++" -DFUZZER_ARCHIVE_PATH=$fuzzer -DBOOST_CACHE_PREFIX=/boost-cache -DCLANG_TIDY=/usr/bin/run-clang-tidy-17
+#    - cmake .. -DCMAKE_BUILD_TYPE=Debug -DDD_APPSEC_BUILD_EXTENSION=OFF -DCMAKE_CXX_FLAGS="-stdlib=libc++" -DCMAKE_CXX_LINK_FLAGS="-stdlib=libc++" -DFUZZER_ARCHIVE_PATH=$fuzzer -DBOOST_CACHE_PREFIX=/boost-cache -DCLANG_TIDY=/usr/bin/run-clang-tidy-20
 #    - make -j 4 ddappsec_helper_fuzzer corpus_generator
 #    - cd ..
 #    - mkdir -p tests/fuzzer/{corpus,results,logs}
@@ -602,9 +602,9 @@
 #    - LLVM_PROFILE_FILE=body.profraw ./build/tests/fuzzer/ddappsec_helper_fuzzer --log_level=off --fuzz-mode=body -max_total_time=60 -rss_limit_mb=4096 -artifact_prefix=tests/fuzzer/results/ tests/fuzzer/corpus/
 #
 #    - '# Generate coverage'
-#    - llvm-profdata-17 merge -sparse *.profraw -o default.profdata
-#    - llvm-cov-17 show build/tests/fuzzer/ddappsec_helper_fuzzer -instr-profile=default.profdata -ignore-filename-regex="(tests|third_party|build)" -format=html > fuzzer-coverage.html
-#    - llvm-cov-17 report -instr-profile default.profdata build/tests/fuzzer/ddappsec_helper_fuzzer -ignore-filename-regex="(tests|third_party|build)" -show-region-summary=false
+#    - llvm-profdata-20 merge -sparse *.profraw -o default.profdata
+#    - llvm-cov-20 show build/tests/fuzzer/ddappsec_helper_fuzzer -instr-profile=default.profdata -ignore-filename-regex="(tests|third_party|build)" -format=html > fuzzer-coverage.html
+#    - llvm-cov-20 report -instr-profile default.profdata build/tests/fuzzer/ddappsec_helper_fuzzer -ignore-filename-regex="(tests|third_party|build)" -show-region-summary=false
 #  artifacts:
 #    paths:
 #     - appsec/fuzzer-coverage.html

From 434d550e42c376d4e315c9623e4a810f126bd160 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Wed, 27 May 2026 14:00:01 -0600
Subject: [PATCH 10/42] ci(appsec): bump Rust to 1.87

---
 appsec/tests/integration/build.gradle                  | 10 ++--------
 .../integration/src/docker/nginx-fpm-musl/Dockerfile   |  2 +-
 .../integration/src/docker/php/Dockerfile-php-deps     |  3 +--
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/appsec/tests/integration/build.gradle b/appsec/tests/integration/build.gradle
index 6f10f373ef6..d9f23734e4d 100644
--- a/appsec/tests/integration/build.gradle
+++ b/appsec/tests/integration/build.gradle
@@ -1101,14 +1101,8 @@ buildRunInDockerTask(
                     echo 'Found profraw files:'
                     ls -la *.profraw
 
-                    # Detect the architecture-specific toolchain path
-                    ARCH=\$(uname -m)
-                    if [ "\$ARCH" = "aarch64" ]; then
-                        RUST_TARGET="aarch64-unknown-linux-gnu"
-                    else
-                        RUST_TARGET="x86_64-unknown-linux-gnu"
-                    fi
-                    LLVM_TOOLS="/root/.rustup/toolchains/1.84.1-\${RUST_TARGET}/lib/rustlib/\${RUST_TARGET}/bin"
+                    RUST_TARGET_LIBDIR="\$(rustc --print target-libdir)"
+                    LLVM_TOOLS="\${RUST_TARGET_LIBDIR%/lib}/bin"
 
                     \${LLVM_TOOLS}/llvm-profdata merge -sparse *.profraw -o merged.profdata
                     \${LLVM_TOOLS}/llvm-cov export \\
diff --git a/appsec/tests/integration/src/docker/nginx-fpm-musl/Dockerfile b/appsec/tests/integration/src/docker/nginx-fpm-musl/Dockerfile
index b43281b06fb..b82083c3196 100644
--- a/appsec/tests/integration/src/docker/nginx-fpm-musl/Dockerfile
+++ b/appsec/tests/integration/src/docker/nginx-fpm-musl/Dockerfile
@@ -18,7 +18,7 @@ ENV CARGO_HOME=/usr/local/cargo \
     LIBCLANG_PATH=/usr/lib
 
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
-    sh -s -- -y --default-toolchain 1.84.1 --no-modify-path && \
+    sh -s -- -y --default-toolchain 1.87.0 --no-modify-path && \
     chmod -R 777 /usr/local/cargo /usr/local/rustup && \
     ln -sf /usr/local/cargo/bin/{cargo,rustc} /usr/local/bin/ && \
     rustup toolchain install nightly-$(uname -m)-unknown-linux-musl && \
diff --git a/appsec/tests/integration/src/docker/php/Dockerfile-php-deps b/appsec/tests/integration/src/docker/php/Dockerfile-php-deps
index ed62102399a..1c6b8f76869 100644
--- a/appsec/tests/integration/src/docker/php/Dockerfile-php-deps
+++ b/appsec/tests/integration/src/docker/php/Dockerfile-php-deps
@@ -22,8 +22,7 @@ RUN apt-get update && apt-get install -y \
 ADD build_dev_php.sh /build/php/
 RUN USER=root /build/php/build_dev_php.sh deps
 
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain 1.84.1 -y \
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain 1.87.0 -y \
     && /root/.cargo/bin/rustup component add llvm-tools-preview \
     && chmod -R a+rX /root /root/.cargo /root/.rustup
 ENV PATH="/root/.cargo/bin:${PATH}"
-

From 2e7b9d21e2683d34af94014715c6bf22e530bc97 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Wed, 27 May 2026 16:11:40 -0600
Subject: [PATCH 11/42] bump PHP and Rust for Windows too

---
 dockerfiles/ci/windows/basetools.Dockerfile |  2 +-
 dockerfiles/ci/windows/docker-compose.yml   | 36 ++++++++++-----------
 2 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/dockerfiles/ci/windows/basetools.Dockerfile b/dockerfiles/ci/windows/basetools.Dockerfile
index 1d71c6a5c07..94b8854cabb 100644
--- a/dockerfiles/ci/windows/basetools.Dockerfile
+++ b/dockerfiles/ci/windows/basetools.Dockerfile
@@ -6,7 +6,7 @@ RUN powershell.exe "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Ne
 # I really need some sane file editing utilities
 RUN powershell "Invoke-WebRequest https://ftp.nluug.nl/pub/vim/pc/vim90w32.zip -OutFile /tmp/vim90w32.zip; Expand-Archive /tmp/vim90w32.zip /tmp; move C:\tmp\vim\vim90\tee.exe C:\Windows\tee.exe; move C:\tmp\vim\vim90\vim.exe C:\Windows\vim.exe; move C:\tmp\vim\vim90\xxd.exe C:\Windows\xxd.exe; Remove-Item /tmp/vim90w32.zip; Remove-Item -Recurse C:\tmp\vim"
 
-RUN powershell "Invoke-WebRequest https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe -OutFile /tmp/rustup-init.exe; cmd /S /C /tmp/rustup-init.exe --profile minimal -y --default-toolchain=1.84.1; Remove-Item /tmp/rustup-init.exe"
+RUN powershell "Invoke-WebRequest https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe -OutFile /tmp/rustup-init.exe; cmd /S /C /tmp/rustup-init.exe --profile minimal -y --default-toolchain=1.87.0; Remove-Item /tmp/rustup-init.exe"
 
 RUN choco install -y cmake
 RUN choco install -y nasm
diff --git a/dockerfiles/ci/windows/docker-compose.yml b/dockerfiles/ci/windows/docker-compose.yml
index 6548f22c4fb..8324eacf780 100644
--- a/dockerfiles/ci/windows/docker-compose.yml
+++ b/dockerfiles/ci/windows/docker-compose.yml
@@ -85,10 +85,10 @@ services:
         - windows/amd64
       context: .
       args:
-        phpVersion: "8.5.0"
+        phpVersion: "8.5.6"
         vsVersion: "vs17"
-        phpTarGzUrl: https://downloads.php.net/~daniels/php-8.5.0RC3.tar.gz
-        phpSha256Hash: "937e544d72ee1eb28d2190cadaadf8e5e8d7d8c365b5c1f6a99b4f979a1f3a1b"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.5.6.tar.gz
+        phpSha256Hash: "169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd"
 
   php-8.4:
     image: datadog/dd-trace-ci:php-8.4_windows
@@ -97,10 +97,10 @@ services:
         - windows/amd64
       context: .
       args:
-        phpVersion: "8.4.1"
+        phpVersion: "8.4.21"
         vsVersion: "vs17"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.4.1.tar.gz
-        phpSha256Hash: "c3d1ce4157463ea43004289c01172deb54ce9c5894d8722f4e805461bf9feaec"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.4.21.tar.gz
+        phpSha256Hash: "db96ee0a8e5ee7b73a4913a2aeddc162ba2ef16cd34b9347b5b9a6150e1f8e48"
 
   php-8.3:
     image: datadog/dd-trace-ci:php-8.3_windows
@@ -109,10 +109,10 @@ services:
         - windows/amd64
       context: .
       args:
-        phpVersion: "8.3.9"
+        phpVersion: "8.3.31"
         vsVersion: "vs16"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.3.9.tar.gz
-        phpSha256Hash: "f484dec6ee005c83f899af02fc021e1bc3b1d7b3f143ca062ef66b0fcee96566"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.3.31.tar.gz
+        phpSha256Hash: "4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f"
 
   php-8.2:
     image: datadog/dd-trace-ci:php-8.2_windows
@@ -121,10 +121,10 @@ services:
         - windows/amd64
       context: .
       args:
-        phpVersion: "8.2.21"
+        phpVersion: "8.2.31"
         vsVersion: "vs16"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.2.21.tar.gz
-        phpSha256Hash: "0c6323699309a4d2e71057f01bc071b199f240973c349287b667a3ab36a496c6"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.2.31.tar.gz
+        phpSha256Hash: "083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870"
 
   php-8.1:
     image: datadog/dd-trace-ci:php-8.1_windows
@@ -133,10 +133,10 @@ services:
         - windows/amd64
       context: .
       args:
-        phpVersion: "8.1.29"
+        phpVersion: "8.1.32"
         vsVersion: "vs16"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.1.29.tar.gz
-        phpSha256Hash: "8b2609bf1d3173aa38269a9af21532c65f730aadd3051f9aae011eea9e246de5"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.1.32.tar.gz
+        phpSha256Hash: "4846836d1de27dbd28e89180f073531087029a77e98e8e019b7b2eddbdb1baff"
 
   php-8.0:
     image: datadog/dd-trace-ci:php-8.0_windows
@@ -145,10 +145,10 @@ services:
         - windows/amd64
       context: .
       args:
-        phpVersion: "8.0.28"
+        phpVersion: "8.0.30"
         vsVersion: "vs16"
-        phpTarGzUrl: https://www.php.net/distributions/php-8.0.28.tar.gz
-        phpSha256Hash: "7432184eae01e4e8e39f03f80e8ec0ca2c8bfebc56e9a7b983541ca8805df22f"
+        phpTarGzUrl: https://www.php.net/distributions/php-8.0.30.tar.gz
+        phpSha256Hash: "449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80c"
 
   php-7.4:
     image: datadog/dd-trace-ci:php-7.4_windows

From 6db6faaa8307d3c60e66009481747c28fea4d094 Mon Sep 17 00:00:00 2001
From: Florian Engelhardt <florian.engelhardt@datadoghq.com>
Date: Thu, 28 May 2026 10:59:04 +0200
Subject: [PATCH 12/42] fix llvm version mismatch and fix cache key

---
 .github/workflows/prof_correctness.yml | 30 ++++++++++++++++++++------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/prof_correctness.yml b/.github/workflows/prof_correctness.yml
index b11f2fe889f..609f7a03fc5 100644
--- a/.github/workflows/prof_correctness.yml
+++ b/.github/workflows/prof_correctness.yml
@@ -8,6 +8,8 @@ on:
 jobs:
   prof-correctness:
     runs-on: ubuntu-24.04
+    env:
+      LLVM_VERSION: "20"
     strategy:
       fail-fast: false
       matrix:
@@ -43,20 +45,34 @@ jobs:
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
             target/
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ matrix.php-version }}-${{ matrix.phpts }}
+          key: ${{ runner.os }}-cargo-llvm-${{ env.LLVM_VERSION }}-${{ hashFiles('**/Cargo.lock', 'profiling/rust-toolchain.toml') }}-${{ matrix.php-version }}-${{ matrix.phpts }}
 
       - name: Build profiler
         run: |
           codename="$(lsb_release -cs)"
           curl -fsSL https://apt.llvm.org/llvm-snapshot.gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/llvm-archive-keyring.gpg
-          echo "deb [signed-by=/usr/share/keyrings/llvm-archive-keyring.gpg] http://apt.llvm.org/${codename}/ llvm-toolchain-${codename}-20 main" | sudo tee /etc/apt/sources.list.d/llvm.list
+          echo "deb [signed-by=/usr/share/keyrings/llvm-archive-keyring.gpg] http://apt.llvm.org/${codename}/ llvm-toolchain-${codename}-${LLVM_VERSION} main" | sudo tee /etc/apt/sources.list.d/llvm.list
           sudo apt-get update
-          sudo apt-get install -y clang-20 lld-20
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-20 100
-          sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-20 100
-          sudo update-alternatives --install /usr/bin/ld.lld ld.lld /usr/bin/ld.lld-20 100
+          llvm18_packages="$(dpkg-query -W -f='${binary:Package}\n' \
+            '*clang*18*' '*llvm*18*' '*lld*18*' '*libomp*18*' \
+            '*libc++*18*' '*libc++abi*18*' '*mlir*18*' '*flang*18*' \
+            '*bolt*18*' '*polly*18*' 2>/dev/null || true)"
+          if [ -n "$llvm18_packages" ]; then
+            sudo apt-get purge -y $llvm18_packages
+            sudo apt-get autoremove -y
+          fi
+          sudo apt-get install -y clang-${LLVM_VERSION} lld-${LLVM_VERSION} llvm-${LLVM_VERSION}-dev libclang-${LLVM_VERSION}-dev libclang-rt-${LLVM_VERSION}-dev
+          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${LLVM_VERSION} 100
+          sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-${LLVM_VERSION} 100
+          sudo update-alternatives --install /usr/bin/ld.lld ld.lld /usr/bin/ld.lld-${LLVM_VERSION} 100
+          export CC=clang-${LLVM_VERSION}
+          export CXX=clang++-${LLVM_VERSION}
+          export LLVM_CONFIG_PATH=/usr/bin/llvm-config-${LLVM_VERSION}
+          export LIBCLANG_PATH=/usr/lib/llvm-${LLVM_VERSION}/lib
+          export LD_LIBRARY_PATH="${LIBCLANG_PATH}:${LD_LIBRARY_PATH:-}"
           clang --version
           ld.lld --version
+          "$LLVM_CONFIG_PATH" --version
           cd profiling
           version_number=$(awk -F' = ' '$1 == "channel" { gsub(/"/, "", $2); print $2 }' rust-toolchain.toml)
           curl https://sh.rustup.rs -sSf | sh -s -- --profile minimal -y --default-toolchain "$version_number"
@@ -71,7 +87,7 @@ jobs:
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
             target/
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ matrix.php-version }}-${{ matrix.phpts }}
+          key: ${{ runner.os }}-cargo-llvm-${{ env.LLVM_VERSION }}-${{ hashFiles('**/Cargo.lock', 'profiling/rust-toolchain.toml') }}-${{ matrix.php-version }}-${{ matrix.phpts }}
 
       - name: Run no profile test
         run: |

From 3b2f483cc4e4ed02dba86a0b69344d37e672991d Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 08:58:47 -0600
Subject: [PATCH 13/42] ci: attempt to build Windows images in CI

---
 .gitlab/ci-images.yml | 60 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index 994d5529c41..eec0eddf8d8 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -135,3 +135,63 @@ Buster:
     - cd dockerfiles/ci/buster
     - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
     - docker buildx bake --no-cache --pull --push $PHP_VERSION
+
+.windows_image_build:
+  stage: ci-build
+  rules:
+    - when: manual
+      allow_failure: true
+  needs: []
+  tags: ["windows-v2:2019"]
+  timeout: 6h
+  variables:
+    DDCI_CONFIGURE_OTEL_EXPORTER: "true"
+  script: |
+    cd dockerfiles\ci\windows
+    $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$env:CI_REGISTRY"
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+
+    foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) {
+      if ([string]::IsNullOrWhiteSpace($target)) { continue }
+      docker buildx bake --no-cache --pull --push "$target"
+      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    }
+
+Windows Base Images:
+  extends: .windows_image_build
+  parallel:
+    matrix:
+      - WINDOWS_IMAGE_TARGETS:
+        - "vc14-base"
+        - "vc15-base"
+        - "vs16-base"
+        - "vs17-base"
+
+Windows Tool Images:
+  extends: .windows_image_build
+  parallel:
+    matrix:
+      - WINDOWS_IMAGE_TARGETS:
+        - "vc14"
+        - "vc15"
+        - "vs16"
+        - "vs17"
+
+Windows PHP Images:
+  extends: .windows_image_build
+  needs:
+    - job: "Windows Tool Images"
+  parallel:
+    matrix:
+      - WINDOWS_IMAGE_TARGETS:
+        - "php-8.5"
+        - "php-8.4"
+        - "php-8.3"
+        - "php-8.2"
+        - "php-8.1"
+        - "php-8.0"
+        - "php-7.4"
+        - "php-7.3"
+        - "php-7.2"
+        - "php-7.1"
+        - "php-7.0"

From 04ac8aff18d931df6939cf99d7e4862fbefe1bda Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 09:34:11 -0600
Subject: [PATCH 14/42] ci: copy bits of windows_git_setup

---
 .gitlab/ci-images.yml | 45 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index eec0eddf8d8..88c6952991c 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -146,8 +146,53 @@ Buster:
   timeout: 6h
   variables:
     DDCI_CONFIGURE_OTEL_EXPORTER: "true"
+    GIT_STRATEGY: none
   script: |
+    # Kill leftover containers; a previous run may still hold php_ddtrace.dll open.
+    $containers = docker ps -aq 2>$null
+    if ($containers) { docker rm -f $containers 2>$null }
+
+    # Use cmd.exe rd from the parent dir: handles junctions/symlinks that PS5.1 Remove-Item cannot.
+    Write-Host "Performing workspace cleanup..."
+    $workspace = $PWD.Path
+    Push-Location ..
+    cmd /c "rd /s /q ""$workspace"""
+    if (-not (Test-Path $workspace)) {
+        New-Item -ItemType Directory -Path $workspace -Force | Out-Null
+    }
+    Pop-Location
+    $remaining = Get-ChildItem -Path . -Force -ErrorAction SilentlyContinue
+    if ($remaining) { Write-Host "WARNING: could not remove: $($remaining.Name -join ', ')" }
+    Write-Host "Cleanup complete."
+
+    # PS 5.1 ignores $PSNativeCommandUseErrorActionPreference; use $LASTEXITCODE checks instead.
+    $ErrorActionPreference = 'Stop'
+
+    # Manual git clone with proper config.
+    Write-Host "Cloning repository..."
+    git config --global core.longpaths true
+    git config --global core.symlinks true
+    git clone --branch $env:CI_COMMIT_REF_NAME $env:CI_REPOSITORY_URL .
+    if ($LASTEXITCODE -ne 0) {
+        Write-Host "ERROR: git clone failed. Remaining workspace contents:"
+        Get-ChildItem -Force | Select-Object Name
+        exit $LASTEXITCODE
+    }
+    git checkout $env:CI_COMMIT_SHA
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+
+    # Initialize submodules.
+    Write-Host "Initializing submodules..."
+    git submodule update --init --recursive
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    Write-Host "Git setup complete."
+
     cd dockerfiles\ci\windows
+
+    $env:DOCKER_CONFIG = Join-Path $env:CI_PROJECT_DIR ".docker"
+    New-Item -ItemType Directory -Force -Path $env:DOCKER_CONFIG | Out-Null
+    Set-Content -Encoding ascii -Path (Join-Path $env:DOCKER_CONFIG "config.json") -Value '{"auths":{}}'
+
     $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$env:CI_REGISTRY"
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 

From f3e85d608c5955665a1bb326307a7ba5a0725742 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 09:47:01 -0600
Subject: [PATCH 15/42] ci: windows buildx didn't support --no-cache

---
 .gitlab/ci-images.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index 88c6952991c..80793b788bd 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -196,9 +196,28 @@ Buster:
     $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$env:CI_REGISTRY"
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
+    docker version
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    docker buildx version
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+
+    $bakeHelp = docker buildx bake --help 2>&1 | Out-String
+    if ($LASTEXITCODE -ne 0) {
+      Write-Host $bakeHelp
+      exit $LASTEXITCODE
+    }
+    $supportsNoCache = $bakeHelp -match "(^|\s)--no-cache(\s|,)"
+
     foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) {
       if ([string]::IsNullOrWhiteSpace($target)) { continue }
-      docker buildx bake --no-cache --pull --push "$target"
+      $bakeArgs = @("bake", "--pull", "--push")
+      if ($supportsNoCache) {
+        $bakeArgs += "--no-cache"
+      } else {
+        Write-Host "docker buildx bake does not support --no-cache on this runner; building $target with cache."
+      }
+      $bakeArgs += "$target"
+      docker buildx @bakeArgs
       if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
     }
 

From 846c5f04711eefd43b7fb31be3c776a35da5b701 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 10:10:23 -0600
Subject: [PATCH 16/42] ci: windows didn't even have buildx, way to bury the
 lede

---
 .gitlab/ci-images.yml | 40 +++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index 80793b788bd..2b6898a0d54 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -198,26 +198,36 @@ Buster:
 
     docker version
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
-    docker buildx version
-    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
-    $bakeHelp = docker buildx bake --help 2>&1 | Out-String
-    if ($LASTEXITCODE -ne 0) {
-      Write-Host $bakeHelp
-      exit $LASTEXITCODE
+    docker compose version
+    if ($LASTEXITCODE -eq 0) {
+      $compose = @("docker", "compose")
+    } elseif (Get-Command docker-compose -ErrorAction SilentlyContinue) {
+      docker-compose version
+      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+      $compose = @("docker-compose")
+    } else {
+      Write-Host "ERROR: neither docker compose nor docker-compose is available on this runner."
+      exit 1
     }
-    $supportsNoCache = $bakeHelp -match "(^|\s)--no-cache(\s|,)"
 
-    foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) {
-      if ([string]::IsNullOrWhiteSpace($target)) { continue }
-      $bakeArgs = @("bake", "--pull", "--push")
-      if ($supportsNoCache) {
-        $bakeArgs += "--no-cache"
+    function Invoke-Compose {
+      param([string[]]$Arguments)
+      if ($compose.Count -eq 2) {
+        & $compose[0] $compose[1] @Arguments
       } else {
-        Write-Host "docker buildx bake does not support --no-cache on this runner; building $target with cache."
+        & $compose[0] @Arguments
       }
-      $bakeArgs += "$target"
-      docker buildx @bakeArgs
+    }
+
+    foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) {
+      if ([string]::IsNullOrWhiteSpace($target)) { continue }
+      Write-Host "Building Windows CI image target $target..."
+      Invoke-Compose -Arguments @("build", "--pull", "--no-cache", "$target")
+      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+
+      Write-Host "Pushing Windows CI image target $target..."
+      Invoke-Compose -Arguments @("push", "$target")
       if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
     }
 

From 2f1868645152846b8c5a0c588f13e701cfea7d61 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 10:42:09 -0600
Subject: [PATCH 17/42] ci: avoid docker compose for windows

---
 .gitlab/ci-images.yml | 131 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 111 insertions(+), 20 deletions(-)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index 2b6898a0d54..8da9a1321bd 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -199,35 +199,126 @@ Buster:
     docker version
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
-    docker compose version
-    if ($LASTEXITCODE -eq 0) {
-      $compose = @("docker", "compose")
-    } elseif (Get-Command docker-compose -ErrorAction SilentlyContinue) {
-      docker-compose version
-      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
-      $compose = @("docker-compose")
-    } else {
-      Write-Host "ERROR: neither docker compose nor docker-compose is available on this runner."
-      exit 1
-    }
-
-    function Invoke-Compose {
-      param([string[]]$Arguments)
-      if ($compose.Count -eq 2) {
-        & $compose[0] $compose[1] @Arguments
-      } else {
-        & $compose[0] @Arguments
+    $targets = @{
+      "vc14-base" = @{
+        Image = "datadog/dd-trace-ci:windows-base-vc14"
+        Dockerfile = "vc14.Dockerfile"
+        BuildArgs = @()
+      }
+      "vc15-base" = @{
+        Image = "datadog/dd-trace-ci:windows-base-vc15"
+        Dockerfile = "vc15.Dockerfile"
+        BuildArgs = @()
+      }
+      "vs16-base" = @{
+        Image = "datadog/dd-trace-ci:windows-base-vs16"
+        Dockerfile = "vs16.Dockerfile"
+        BuildArgs = @()
+      }
+      "vs17-base" = @{
+        Image = "datadog/dd-trace-ci:windows-base-vs17"
+        Dockerfile = "vs17.Dockerfile"
+        BuildArgs = @()
+      }
+      "vc14" = @{
+        Image = "datadog/dd-trace-ci:windows-vc14"
+        Dockerfile = "basetools.Dockerfile"
+        BuildArgs = @("vsVersion=vc14", "sdkVersion=2.1.10")
+      }
+      "vc15" = @{
+        Image = "datadog/dd-trace-ci:windows-vc15"
+        Dockerfile = "basetools.Dockerfile"
+        BuildArgs = @("vsVersion=vc15", "sdkVersion=2.2.0")
+      }
+      "vs16" = @{
+        Image = "datadog/dd-trace-ci:windows-vs16"
+        Dockerfile = "basetools.Dockerfile"
+        BuildArgs = @("vsVersion=vs16", "sdkVersion=2.2.0")
+      }
+      "vs17" = @{
+        Image = "datadog/dd-trace-ci:windows-vs17"
+        Dockerfile = "basetools.Dockerfile"
+        BuildArgs = @("vsVersion=vs17", "sdkVersion=2.3.0")
+      }
+      "php-8.5" = @{
+        Image = "datadog/dd-trace-ci:php-8.5_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=8.5.6", "vsVersion=vs17", "phpTarGzUrl=https://www.php.net/distributions/php-8.5.6.tar.gz", "phpSha256Hash=169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd")
+      }
+      "php-8.4" = @{
+        Image = "datadog/dd-trace-ci:php-8.4_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=8.4.21", "vsVersion=vs17", "phpTarGzUrl=https://www.php.net/distributions/php-8.4.21.tar.gz", "phpSha256Hash=db96ee0a8e5ee7b73a4913a2aeddc162ba2ef16cd34b9347b5b9a6150e1f8e48")
+      }
+      "php-8.3" = @{
+        Image = "datadog/dd-trace-ci:php-8.3_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=8.3.31", "vsVersion=vs16", "phpTarGzUrl=https://www.php.net/distributions/php-8.3.31.tar.gz", "phpSha256Hash=4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f")
+      }
+      "php-8.2" = @{
+        Image = "datadog/dd-trace-ci:php-8.2_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=8.2.31", "vsVersion=vs16", "phpTarGzUrl=https://www.php.net/distributions/php-8.2.31.tar.gz", "phpSha256Hash=083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870")
+      }
+      "php-8.1" = @{
+        Image = "datadog/dd-trace-ci:php-8.1_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=8.1.32", "vsVersion=vs16", "phpTarGzUrl=https://www.php.net/distributions/php-8.1.32.tar.gz", "phpSha256Hash=4846836d1de27dbd28e89180f073531087029a77e98e8e019b7b2eddbdb1baff")
+      }
+      "php-8.0" = @{
+        Image = "datadog/dd-trace-ci:php-8.0_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=8.0.30", "vsVersion=vs16", "phpTarGzUrl=https://www.php.net/distributions/php-8.0.30.tar.gz", "phpSha256Hash=449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80")
+      }
+      "php-7.4" = @{
+        Image = "datadog/dd-trace-ci:php-7.4_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=7.4.33", "vsVersion=vc15", "phpTarGzUrl=https://www.php.net/distributions/php-7.4.33.tar.gz", "phpSha256Hash=5a2337996f07c8a097e03d46263b5c98d2c8e355227756351421003bea8f463e")
+      }
+      "php-7.3" = @{
+        Image = "datadog/dd-trace-ci:php-7.3_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=7.3.33", "vsVersion=vc15", "phpTarGzUrl=https://www.php.net/distributions/php-7.3.33.tar.gz", "phpSha256Hash=9a369c32c6f52036b0a890f290327f148a1904ee66aa56e2c9a7546da6525ec8")
+      }
+      "php-7.2" = @{
+        Image = "datadog/dd-trace-ci:php-7.2_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=7.2.34", "vsVersion=vc15", "phpTarGzUrl=https://www.php.net/distributions/php-7.2.34.tar.gz", "phpSha256Hash=8b2777c741e83f188d3ca6d8e98ece7264acafee86787298fae57e05d0dddc78")
+      }
+      "php-7.1" = @{
+        Image = "datadog/dd-trace-ci:php-7.1_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=7.1.33", "vsVersion=vc14", "phpTarGzUrl=https://www.php.net/distributions/php-7.1.33.tar.gz", "phpSha256Hash=0055f368ffefe51d5a4483755bd17475e88e74302c08b727952831c5b2682ea2")
+      }
+      "php-7.0" = @{
+        Image = "datadog/dd-trace-ci:php-7.0_windows"
+        Dockerfile = "Dockerfile"
+        BuildArgs = @("phpVersion=7.0.33", "vsVersion=vc14", "phpTarGzUrl=https://www.php.net/distributions/php-7.0.33.tar.gz", "phpSha256Hash=d71a6ecb6b13dc53fed7532a7f8f949c4044806f067502f8fb6f9facbb40452a")
       }
     }
 
     foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) {
       if ([string]::IsNullOrWhiteSpace($target)) { continue }
+      if (-not $targets.ContainsKey($target)) {
+        Write-Host "ERROR: unknown Windows CI image target $target."
+        exit 1
+      }
+
+      $config = $targets[$target]
+      $image = $config["Image"]
+      $dockerfile = $config["Dockerfile"]
+      $buildCommand = @("build", "--pull", "--no-cache", "-t", "$image", "-f", "$dockerfile")
+      foreach ($buildArg in $config["BuildArgs"]) {
+        $buildCommand += @("--build-arg", "$buildArg")
+      }
+      $buildCommand += "."
+
       Write-Host "Building Windows CI image target $target..."
-      Invoke-Compose -Arguments @("build", "--pull", "--no-cache", "$target")
+      docker @buildCommand
       if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
       Write-Host "Pushing Windows CI image target $target..."
-      Invoke-Compose -Arguments @("push", "$target")
+      docker push "$image"
       if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
     }
 

From e06a5664f59db5ce39efe59e5cac444602a78a10 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 10:48:59 -0600
Subject: [PATCH 18/42] appsec: backport fmt lib changes for libddwaf

---
 appsec/third_party/libddwaf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appsec/third_party/libddwaf b/appsec/third_party/libddwaf
index 2f4aa84cd61..3e1cb0f030b 160000
--- a/appsec/third_party/libddwaf
+++ b/appsec/third_party/libddwaf
@@ -1 +1 @@
-Subproject commit 2f4aa84cd61dc13229d1431779c007bf4ebda89c
+Subproject commit 3e1cb0f030b1d9f8c696a06621116d452013133c

From 34e219fdbb659e925470206116647e904222fff7 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 12:04:26 -0600
Subject: [PATCH 19/42] ci: verify the compiler shell after install

---
 dockerfiles/ci/windows/vc14.Dockerfile | 3 ++-
 dockerfiles/ci/windows/vc15.Dockerfile | 1 +
 dockerfiles/ci/windows/vs16.Dockerfile | 1 +
 dockerfiles/ci/windows/vs17.Dockerfile | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dockerfiles/ci/windows/vc14.Dockerfile b/dockerfiles/ci/windows/vc14.Dockerfile
index 1649c444412..fb0ae55f4c3 100644
--- a/dockerfiles/ci/windows/vc14.Dockerfile
+++ b/dockerfiles/ci/windows/vc14.Dockerfile
@@ -2,4 +2,5 @@ FROM mcr.microsoft.com/windows/servercore:1809
 
 # https://aka.ms/vs/14/release/vs_buildtools.exe has been removed
 ADD vs14_buildtools.exe /tmp/vs_buildtools.exe
-RUN /tmp/vs_buildtools.exe --quiet --wait --add Microsoft.VisualStudio.Workload.VCTools --add Microsoft.Net.Component.4.7.SDK --add Microsoft.VisualStudio.Component.VC.Tools.x86.x64 --add Microsoft.VisualStudio.Component.Windows10SDK.17763
+RUN powershell "$ErrorActionPreference = 'Stop'; $p = Start-Process C:\tmp\vs_buildtools.exe -ArgumentList @('/S', '/InstallSelectableItems', 'VisualCppBuildTools_NETFX_SDK') -Wait -PassThru; if (@(0, 3010) -notcontains $p.ExitCode) { exit $p.ExitCode }"
+RUN powershell "$ErrorActionPreference = 'Stop'; $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"
diff --git a/dockerfiles/ci/windows/vc15.Dockerfile b/dockerfiles/ci/windows/vc15.Dockerfile
index 3c1114c01b9..91d06ec881d 100644
--- a/dockerfiles/ci/windows/vc15.Dockerfile
+++ b/dockerfiles/ci/windows/vc15.Dockerfile
@@ -2,3 +2,4 @@ FROM mcr.microsoft.com/windows/servercore:1809
 
 ADD https://aka.ms/vs/15/release/vs_buildtools.exe /tmp/vs_buildtools.exe
 RUN powershell "cmd /S /C /tmp/vs_buildtools.exe --quiet --wait --add Microsoft.VisualStudio.Component.VC.Redist.14.Latest --add Microsoft.VisualStudio.Component.VC.CoreBuildTools --add Microsoft.VisualStudio.Component.VC.Tools.x86.x64 --add Microsoft.VisualStudio.Component.Windows10SDK.17763; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Tools\MSVC\14.16.27023\bin\Hostx86'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Tools\MSVC\14.16.27023\lib\onecore'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Tools\MSVC\14.16.27023\lib\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Redist\MSVC\14.16.27012\onecore'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Redist\MSVC\14.16.27012\debug_nonredist\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.17763.0\ucrt\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.17763.0\ucrt\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.17763.0\ucrt\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.17763.0\um\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.17763.0\um\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.17763.0\um\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Testing'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Include\10.0.17763.0\cppwinrt\'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Include\10.0.17763.0\winrt\'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\References'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Remote\ARM'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Remote\x86'; Remove-Item -Recurse 'C:\Users\ContainerAdministrator\AppData\Local\Temp\*'"
+RUN powershell "$ErrorActionPreference = 'Stop'; $vcvars = 'C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build\vcvarsall.bat'; if (-not (Test-Path $vcvars)) { Write-Error ('vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"
diff --git a/dockerfiles/ci/windows/vs16.Dockerfile b/dockerfiles/ci/windows/vs16.Dockerfile
index 0e7c441c47c..f88f1d341e1 100644
--- a/dockerfiles/ci/windows/vs16.Dockerfile
+++ b/dockerfiles/ci/windows/vs16.Dockerfile
@@ -2,3 +2,4 @@ FROM mcr.microsoft.com/windows/servercore:ltsc2019
 
 ADD https://aka.ms/vs/16/release/vs_buildtools.exe /tmp/vs_buildtools.exe
 RUN powershell "cmd /S /C /tmp/vs_buildtools.exe --quiet --wait --add Microsoft.VisualStudio.Component.VC.Redist.14.Latest --add Microsoft.VisualStudio.Component.VC.CoreBuildTools --add Microsoft.VisualStudio.Component.VC.Tools.x86.x64 --add Microsoft.VisualStudio.Component.Windows10SDK.19041; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Tools\MSVC\14.29.30133\bin\Hostx86'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Tools\MSVC\14.29.30133\lib\onecore'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Tools\MSVC\14.29.30133\lib\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Redist\MSVC\14.29.30133\onecore'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Redist\MSVC\14.29.30133\debug_nonredist\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\ucrt\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\ucrt\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\ucrt\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Testing'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\cppwinrt\'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\winrt\'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\References'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Remote\ARM'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Remote\x86'; Remove-Item -Recurse 'C:\Users\ContainerAdministrator\AppData\Local\Temp\*'"
+RUN powershell "$ErrorActionPreference = 'Stop'; $vcvars = 'C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat'; if (-not (Test-Path $vcvars)) { Write-Error ('vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"
diff --git a/dockerfiles/ci/windows/vs17.Dockerfile b/dockerfiles/ci/windows/vs17.Dockerfile
index d28649f84a7..0764b961bb5 100644
--- a/dockerfiles/ci/windows/vs17.Dockerfile
+++ b/dockerfiles/ci/windows/vs17.Dockerfile
@@ -2,3 +2,4 @@ FROM mcr.microsoft.com/windows/servercore:ltsc2019
 
 ADD https://aka.ms/vs/17/release/vs_buildtools.exe /tmp/vs_buildtools.exe
 RUN powershell "cmd /S /C /tmp/vs_buildtools.exe --quiet --wait --add Microsoft.VisualStudio.Component.VC.Redist.14.Latest --add Microsoft.VisualStudio.Component.VC.CoreBuildTools --add Microsoft.VisualStudio.Component.VC.Tools.x86.x64 --add Microsoft.VisualStudio.Component.Windows10SDK.19041; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.40.33807\bin\Hostx86'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.40.33807\lib\onecore'; Remove-Item -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.40.33807\lib\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\ucrt\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\ucrt\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\ucrt\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\arm'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\arm64'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Lib\10.0.19041.0\um\x86'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Testing'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\cppwinrt\'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\winrt\'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\References'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Remote\ARM'; Remove-Item -Recurse 'C:\Program Files (x86)\Windows Kits\10\Remote\x86'; Remove-Item -Recurse 'C:\Users\ContainerAdministrator\AppData\Local\Temp\*'"
+RUN powershell "$ErrorActionPreference = 'Stop'; $vcvars = 'C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvarsall.bat'; if (-not (Test-Path $vcvars)) { Write-Error ('vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"

From af9852bc32fd9c3a92cd81b6ff3d18d4d7b9c17a Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 13:08:05 -0600
Subject: [PATCH 20/42] ci: windows more verification in tool images

---
 dockerfiles/ci/windows/basetools.Dockerfile | 3 +++
 dockerfiles/ci/windows/check-phpsdk.bat     | 9 +++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 dockerfiles/ci/windows/check-phpsdk.bat

diff --git a/dockerfiles/ci/windows/basetools.Dockerfile b/dockerfiles/ci/windows/basetools.Dockerfile
index 94b8854cabb..ab4ab5bf05c 100644
--- a/dockerfiles/ci/windows/basetools.Dockerfile
+++ b/dockerfiles/ci/windows/basetools.Dockerfile
@@ -20,3 +20,6 @@ ARG sdkVersion
 RUN powershell "cd /tmp; Invoke-WebRequest https://github.com/php/php-sdk-binary-tools/archive/refs/tags/php-sdk-%sdkVersion%.zip -OutFile php-sdk.zip; Expand-Archive php-sdk.zip; move php-sdk\php-sdk-binary-tools-php-sdk-%sdkVersion% /php-sdk; Remove-Item php-sdk; Remove-Item php-sdk.zip"
 
 WORKDIR /php-sdk
+
+ADD check-phpsdk.bat /tmp/check-phpsdk.bat
+RUN phpsdk-%vsVersion%-x64.bat -t /tmp/check-phpsdk.bat
diff --git a/dockerfiles/ci/windows/check-phpsdk.bat b/dockerfiles/ci/windows/check-phpsdk.bat
new file mode 100644
index 00000000000..84479111e59
--- /dev/null
+++ b/dockerfiles/ci/windows/check-phpsdk.bat
@@ -0,0 +1,9 @@
+@echo off
+
+where cl.exe
+if %errorlevel% neq 0 exit /b %errorlevel%
+
+where link.exe
+if %errorlevel% neq 0 exit /b %errorlevel%
+
+exit /b 0

From a24cf8ca46564cf7429a6d3124dbe4ac140fe232 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 13:10:02 -0600
Subject: [PATCH 21/42] ci: rename windows build jobs

---
 .gitlab/ci-images.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index 8da9a1321bd..3f0fde423c1 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -322,7 +322,7 @@ Buster:
       if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
     }
 
-Windows Base Images:
+"Windows 1: Base Images":
   extends: .windows_image_build
   parallel:
     matrix:
@@ -332,7 +332,7 @@ Windows Base Images:
         - "vs16-base"
         - "vs17-base"
 
-Windows Tool Images:
+"Windows 2: Tool Images":
   extends: .windows_image_build
   parallel:
     matrix:
@@ -342,10 +342,8 @@ Windows Tool Images:
         - "vs16"
         - "vs17"
 
-Windows PHP Images:
+"Windows 3: PHP Images":
   extends: .windows_image_build
-  needs:
-    - job: "Windows Tool Images"
   parallel:
     matrix:
       - WINDOWS_IMAGE_TARGETS:

From 20ad98836ca39e3f574638b6a9330fe7381d5d69 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 13:22:55 -0600
Subject: [PATCH 22/42] add missing docker arg

---
 dockerfiles/ci/windows/basetools.Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dockerfiles/ci/windows/basetools.Dockerfile b/dockerfiles/ci/windows/basetools.Dockerfile
index ab4ab5bf05c..1e921f48c8c 100644
--- a/dockerfiles/ci/windows/basetools.Dockerfile
+++ b/dockerfiles/ci/windows/basetools.Dockerfile
@@ -1,5 +1,6 @@
 ARG vsVersion
 FROM datadog/dd-trace-ci:windows-base-$vsVersion
+ARG vsVersion
 
 RUN powershell.exe "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $Env:chocolateyVersion = '0.10.15'; $Env:chocolateyUseWindowsCompression = 'false'; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')); ''"
 

From 21936353f23882e3cbb0071ce45f15a64c3f454b Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 13:54:42 -0600
Subject: [PATCH 23/42] wip windows

---
 dockerfiles/ci/windows/vc14.Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dockerfiles/ci/windows/vc14.Dockerfile b/dockerfiles/ci/windows/vc14.Dockerfile
index fb0ae55f4c3..c1cfa7bf958 100644
--- a/dockerfiles/ci/windows/vc14.Dockerfile
+++ b/dockerfiles/ci/windows/vc14.Dockerfile
@@ -2,5 +2,5 @@ FROM mcr.microsoft.com/windows/servercore:1809
 
 # https://aka.ms/vs/14/release/vs_buildtools.exe has been removed
 ADD vs14_buildtools.exe /tmp/vs_buildtools.exe
-RUN powershell "$ErrorActionPreference = 'Stop'; $p = Start-Process C:\tmp\vs_buildtools.exe -ArgumentList @('/S', '/InstallSelectableItems', 'VisualCppBuildTools_NETFX_SDK') -Wait -PassThru; if (@(0, 3010) -notcontains $p.ExitCode) { exit $p.ExitCode }"
-RUN powershell "$ErrorActionPreference = 'Stop'; $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"
+RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; $items = 'Win81SDK_CppBuildSKUV1;Win10SDK_VisibleV1;VisualCppBuildTools_NETFX_SDK'; $p = Start-Process C:\tmp\vs_buildtools.exe -ArgumentList @('/Passive', '/NoRestart', '/Log', $log, '/InstallSelectableItems', $items) -Wait -PassThru; if (@(0, 3010) -notcontains $p.ExitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $p.ExitCode }"
+RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; try { $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir } catch { if (Test-Path $log) { Get-Content $log -Tail 200 }; throw }; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { if (Test-Path $log) { Get-Content $log -Tail 200 }; Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"

From 080fff25122592ce30056f8b6b13f942b0a1a0e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Andr=C3=A9=20dos=20Santos=20Lopes?=
 <gustavo.lopes@datadoghq.com>
Date: Fri, 29 May 2026 00:12:39 +0100
Subject: [PATCH 24/42] upd appsec tag mappings; work around problem due to
 gradle upgrade

---
 appsec/tests/integration/gradle/images.gradle |  45 ++-
 .../integration/gradle/tag_mappings.gradle    | 274 +++++++++---------
 2 files changed, 181 insertions(+), 138 deletions(-)

diff --git a/appsec/tests/integration/gradle/images.gradle b/appsec/tests/integration/gradle/images.gradle
index b32e23eee34..f285ea546c1 100644
--- a/appsec/tests/integration/gradle/images.gradle
+++ b/appsec/tests/integration/gradle/images.gradle
@@ -307,6 +307,48 @@ tasks.register('pushMultiArch') {
     dependsOn allMultiArchTasks
 }
 
+// Build a JSON-parsing closure backed by a private copy of groovy-json loaded
+// in an isolated, child-first classloader. FastStringUtils' daemon-global
+// static service cache can otherwise be poisoned permanently by a worker
+// thread whose context classloader lacks the groovy-json service.
+def makeIsolatedJsonParser = {
+    URL jsonJar = groovy.json.JsonSlurper.protectionDomain.codeSource.location
+    ClassLoader parent = groovy.json.JsonSlurper.classLoader
+    def isolated = new URLClassLoader([jsonJar] as URL[], parent) {
+        @Override
+        protected Class<?> loadClass(String name, boolean resolve) {
+            // Define groovy-json's own classes locally so they get fresh
+            // static state; delegate everything else (groovy runtime, JDK,
+            // ...) to the parent so types stay mutually compatible.
+            if (name.startsWith('groovy.json.') || name.startsWith('org.apache.groovy.json.')) {
+                synchronized (getClassLoadingLock(name)) {
+                    Class<?> c = findLoadedClass(name) ?: findClass(name)
+                    if (resolve) {
+                        resolveClass(c)
+                    }
+                    return c
+                }
+            }
+            super.loadClass(name, resolve)
+        }
+    }
+    Class<?> slurperClass = isolated.loadClass('groovy.json.JsonSlurper')
+    def ctor = slurperClass.getDeclaredConstructor()
+    def parseText = slurperClass.getMethod('parseText', String)
+    return { String text ->
+        // ServiceLoader (inside the isolated FastStringUtils) uses the thread
+        // context classloader; point it at our loader so the service resolves
+        // regardless of which thread runs the parse.
+        def prev = Thread.currentThread().contextClassLoader
+        Thread.currentThread().contextClassLoader = isolated
+        try {
+            parseText.invoke(ctor.newInstance(), text)
+        } finally {
+            Thread.currentThread().contextClassLoader = prev
+        }
+    }
+}
+
 task generateTagMappings {
     description = "Generate tag_mappings.gradle file with SHA256 hashes for all pushed images"
     def outputFile = file("${project.rootDir}/gradle/tag_mappings.gradle")
@@ -318,6 +360,7 @@ task generateTagMappings {
             pushTask.name - ~/\ApushImage-/
         }
 
+        def parseJson = makeIsolatedJsonParser()
         def tagMappings = new java.util.concurrent.ConcurrentHashMap<String, String>()
         def customThreadPool = new java.util.concurrent.ForkJoinPool(10)
 
@@ -336,7 +379,7 @@ task generateTagMappings {
                             proc.waitForOrKill(10_000)
 
                             if (proc.exitValue() == 0) {
-                                String sha256 = new groovy.json.JsonSlurper().parseText(proc.text)
+                                String sha256 = parseJson(proc.text)
                                 tagMappings[tag] = sha256
                                 println "${imageRef} → ${sha256}"
                                 success = true
diff --git a/appsec/tests/integration/gradle/tag_mappings.gradle b/appsec/tests/integration/gradle/tag_mappings.gradle
index af3f27ce03e..ca2bdd442c4 100644
--- a/appsec/tests/integration/gradle/tag_mappings.gradle
+++ b/appsec/tests/integration/gradle/tag_mappings.gradle
@@ -1,141 +1,141 @@
 // Auto-generated tag mappings with SHA256 hashes
-// Generated on Thu Jun 26 16:49:39 WEST 2025
+// Generated on Fri May 29 00:08:57 WEST 2026
 
 ext.tag_mappings = [
-    'apache2-mod-php-8.0-release-zts': 'sha256:5221a1aa7d1169c47b276c1a3ffd9021f751027814877ea44026fd2d1db3212a',
-    'apache2-mod-php-8.1-release-zts': 'sha256:2d0d0a916e97de14450be9b88eb438074ea64a93b620c60039b8e643feb2226e',
-    'apache2-mod-php-8.0-debug': 'sha256:5c8880c3365d1856c0d554d48b5d8f7800c6292d97e00d46eda638885c4f9cde',
-    'apache2-mod-php-8.2-release-zts': 'sha256:6201a4210d48093c70c0d27f104f644be9f5a76287875a19f1453f44c13a19c8',
-    'apache2-mod-php-7.2-debug': 'sha256:bde590e37918a4fb52fceba4eca20d67b31adc4d0a3f64b94b93e5c951bd375c',
-    'php-8.0-release-zts': 'sha256:b6243199f6aea0792a97583c9036f0b191ad9efb96ea337632fbaca76289a4da',
-    'apache2-fpm-php-7.0-release': 'sha256:c1770decbbcc963bcae3568531f6fff992bf1f522203477d379dd8118d681a21',
-    'nginx-fpm-php-8.1-release-zts': 'sha256:fe2a456acc419a400263be30df53069183f99972a218d729632dfdcf3c370583',
-    'nginx-fpm-php-8.0-release-zts': 'sha256:4a827735d62e4d16788d3f4b8575bcd66e98c40dfa0e15da2e8824d4a07109f7',
-    'nginx-fpm-php-8.2-release': 'sha256:026f0ae916e4d8ea9a5524f13ca7c7878d057e6bba21598c6e769321a4002d5b',
-    'php-8.4-release-zts': 'sha256:8e0ac25a3306b4b9f692c593b8a509cc789c2e001ce52682928065a92c880136',
-    'php-8.0-release': 'sha256:15a9e23372df35fbb9c587ef7d3ec69be4b134be9742e108a70999f081e75e53',
-    'nginx-fpm-php-8.2-release-zts': 'sha256:08b1e29c1ef5208a9ed51805340f913e52d8c7b414840407949e49cdf4dd0b6c',
-    'nginx-fpm-php-8.3-release-zts': 'sha256:db36fddc1afdf5c8d0f1359e3dcfd74667c0e9df0c1d3baf3cb0b9b8bbba146e',
-    'php-8.2-release-zts': 'sha256:cb143d915b394f16a2d78018765705460f3d1b788fdd2a90ef50fad5f8f5918c',
-    'php-8.3-release-zts': 'sha256:e58e25a017f75df82691d408b8cb70453875ff36718e295ee8c6653a0f117331',
-    'apache2-fpm-php-7.4-release': 'sha256:7b702e1d5ecfe1ffd97697bfe27f01a53808cfa27882e443ec75e2b52846b71e',
-    'apache2-mod-php-8.3-debug': 'sha256:a9ac7a80d45ad77df9607d9f12e57f4881f97c0b21621c679df664ce70e73fd1',
-    'php-8.1-release-zts': 'sha256:5b8a269b4228d9191420059daef820b660110be0aca6776557924172fd1ff0c8',
-    'apache2-mod-php-7.4-release': 'sha256:8568f07aaf294f417df0c48209e920582c4f2a4af6a4596ebb9bc78b456f4806',
-    'nginx-fpm-php-8.4-release-zts': 'sha256:8d7fc86b5fc18051a3b1aa34930e9ec69b06d0df1b5df48bf6f3e11318734aa6',
-    'php-8.0-debug': 'sha256:900ceae7487db1e3652de2880c181e572fdf053673bcda8ff47abf664ff74d39',
-    'nginx-fpm-php-8.4-debug': 'sha256:105176db0bd6631895cec72d9299d57debe07e6d858ebf253b2243b505fba36b',
-    'apache2-fpm-php-8.1-debug': 'sha256:331e0d9041c83e63d645464320826794a06f28ba9a61fed398733678f5078713',
-    'apache2-fpm-php-8.4-release': 'sha256:63892415800a28762de027338af3de1b67a5e20068270d5a1c3a255a52e099eb',
-    'apache2-fpm-php-8.0-release': 'sha256:24af820f9381d0461308ae654831ff0de7b162f6ee4953b7731ad7c2b3864857',
-    'apache2-fpm-php-8.4-debug': 'sha256:381cd576bee2c4a1b543b280d57f81e4869e72bd3d5108340744321c6f99d43b',
-    'nginx-fpm-php-7.3-release': 'sha256:864053ec4c79c690bbec7646e958a24b5591eec74ca27a064a810a1dd29a1fdb',
-    'nginx-fpm-php-8.1-debug': 'sha256:ae05a5bb3b0753c5cd684440812a4adebd52b32b6ea3106645fa5c5619847152',
-    'apache2-mod-php-7.0-release': 'sha256:665f96b92febda98fc6290ed033b75fa699f075e87d764401735f9cea4305279',
-    'php-7.1-release': 'sha256:09eeb2ad0350cd965a6cf1323f06a4ae26b3136967f9d6f211fa49ca5cd66fb6',
-    'apache2-mod-php-8.4-release-zts': 'sha256:4ed6065fa3c565ec778fb3c6d3c0ebda7a54666a28f148698b7873f6154577cb',
-    'php-8.4-release': 'sha256:947957777b616b3d0a8615b544521bb5e39456dd490d5fd9edc99f420ff13c4c',
-    'apache2-mod-php-8.3-release-zts': 'sha256:654030bad096cff9c42e55e4d075e7aa594d97532f233e841db1e2e70d2a931a',
-    'php-7.2-debug': 'sha256:4c5f111f8e84fcb7dcc9e3cc13e1277d0702b04cd33286ce33db885485d1f025',
-    'apache2-mod-php-8.3-release': 'sha256:73a1a50b75f375131ee7c014135de2dc0dc7198554e14572f0a638e25ad870b1',
-    'apache2-mod-php-7.1-release': 'sha256:f280f205789672705c27992e8deeaa50b7cab360ca2344193e8c75b8de6503b6',
-    'apache2-fpm-php-7.1-release': 'sha256:e1a0599c9115e90bcdc425492dea2f02899943e634c2a5cfc58670e637130f50',
-    'php-7.2-release': 'sha256:56dfed8eaa569e47452d1d9918889fd619c76ecdaf95e42f6bdefcaac4e9d437',
-    'toolchain': 'sha256:20ddcdfa1da2e8cfa87b94425139b55e67e55910d219f6dedfc8808d142e6eaa',
-    'nginx-fpm-php-8.1-release': 'sha256:1a44076b45fd4b344f1fee89a153c2561a3a5b95f40cb2e21eee45b9ca37317f',
-    'php-8.3-debug': 'sha256:bb6df08160126374d3d9247428928aa19a9c2b2429c98356650199b85ae20212',
-    'nginx-fpm-php-7.3-debug': 'sha256:eaec39c95b95bfbb24e08365622573fe377a8564ad8a06b636089d3c909a27ff',
-    'apache2-mod-php-7.3-debug': 'sha256:14010c4b223a2c05f03acffd213cc26344f772b6364a45ec40e4a04c46809279',
-    'apache2-fpm-php-7.3-debug': 'sha256:d678b10dc0e3d918587adfe0681fa521ee2b49d1f592702e4806d9b7a1c4a141',
-    'apache2-mod-php-8.2-release': 'sha256:ebeaef9bedb7a7945286220129d0641481a7dd4aeb9602729cccd1b1f081a29e',
-    'apache2-mod-php-8.1-debug': 'sha256:380f13cee2c09677a48132050c26015f55ade1c89b9a396eedc7d80d60a83858',
-    'nginx-fpm-php-7.0-release': 'sha256:8c5ed03fe19bf0122aaeabdffb985181893af879d0009db0bef331fcd5db99a3',
-    'php-7.4-debug': 'sha256:b8a9e982179189122d73feb896c1a1e8578a92fc9a023dabc825f45db8299c22',
-    'php-8.3-release': 'sha256:47e8c84898a8129dcec1c93b329e05cc51d5c2ea1dfe0c383a8ecbbbd1555190',
-    'nginx-fpm-php-8.2-debug': 'sha256:d2e922fd8b8d33f30a05dde0362225706e0fb621a8191f2713d7f5774343b757',
-    'apache2-fpm-php-7.4-debug': 'sha256:78dda825ba7c29ed5f3fb8555bc096ad10cfc67a88d765284cdfbc89d0ae6d05',
-    'php-8.2-debug': 'sha256:52ad14560672fc8c5130f5758bbee3fa401bc1d35b412f4a230c6258143291a5',
-    'nginx-fpm-php-7.4-debug': 'sha256:46a0f429f9b91e4a93f382cdadd2ebe3c4797d355e095f769d839061d68e316c',
-    'nginx-fpm-php-7.4-release': 'sha256:f921303421890714e67a9b3586471a9868ad35dd0086980ba5f08eb1e62a54a3',
-    'apache2-fpm-php-8.3-release': 'sha256:fc791e96abc113beafccd411ecec882e5b25fa658f264433f5f511d323fadff8',
-    'apache2-fpm-php-8.2-debug': 'sha256:580f5b205a7dc752e511ed5c448c6cb8abc6f4b55e554d497524d77a8d4d637f',
-    'apache2-fpm-php-8.0-debug': 'sha256:619297f44a95859279672aeeb054c015391b94113e55362632dbee578909417d',
-    'php-8.1-debug': 'sha256:1a1e5b44cf043e59768c65fd7c94aaefdacde5fa96d83102d35db11ad86f24c6',
-    'apache2-fpm-php-7.2-release': 'sha256:b6ff99e6ecb632f9ab914f0366781d9203f814f9fcd994f1cca11c490237229b',
-    'apache2-mod-php-7.2-release': 'sha256:b2d4c60b1290030def79d077a3229f0cb112f2b3f114fb110b0888df072aae73',
-    'php-8.4-debug': 'sha256:15045688f6986f4625b1507a7f4be6104e7bbb88caf877f1611463b929f2bca2',
-    'nginx-fpm-php-8.0-release': 'sha256:be7506249f270259e041e1f4f03386c74c0f71e6b1ddd5c3e4dda09e251a02b5',
-    'apache2-fpm-php-8.3-debug': 'sha256:d4bf1720bfccd503b470ad58b78282d0fea360b6d2010e8fb2256e9f3705b0d2',
-    'apache2-mod-php-7.4-release-zts': 'sha256:1d10765bcbf1d2e48cf14e5b8ac53f5f02ff89d34befe41490277805b16d83c8',
-    'php-7.3-release': 'sha256:90222b164254e71896fdbc7d99e4b35c187f8a063e119d5f992027062ecd4852',
-    'nginx-fpm-php-8.0-debug': 'sha256:5ad63d2c693bb849201e3675cadbe0ac33515808ad0be5052d9425d689af3465',
-    'frankenphp-8.4-release-zts': 'sha256:554c7f7ffdb94fb47ba3388dcf8ea44f225549210f4a7a8bed088fc24cea431d',
-    'nginx-fpm-php-8.4-release': 'sha256:9475ea59ddd091eb91b8cfa2200b883bf4e20a6a432a4655fe5b86b74b999f38',
-    'apache2-mod-php-7.2-release-zts': 'sha256:0a2828f62f68001211195caf39b2111d36f1af8621796276b226e359d84020cf',
-    'nginx-fpm-php-8.3-debug': 'sha256:2ad9efb823472ec780ac3ff2b8145df389712a056b1db286231765ffc0a986c6',
-    'php-7.3-debug': 'sha256:efa81f79783097478a434578226fe9a3b8fe84abda33168034aaea60c197c73b',
-    'apache2-mod-php-7.3-release-zts': 'sha256:1f839e9141ccc9bd9df62ae4b26a466e91e9fe6f51c57035e408cf959db3d898',
-    'apache2-fpm-php-8.2-release': 'sha256:09de5f888a9a6fe435d16804a92a1566bb120a7ef6cb8414583d2ea737b2290b',
-    'nginx-fpm-php-7.4-release-zts': 'sha256:040e014ecaba8c0b5a1f132732161586b7ba76a92a230fc856e99091f05f5077',
-    'apache2-mod-php-7.1-debug': 'sha256:ce4b8cbb0ed829ffb56ab1436d09dbfdf0ef529b9e202f7aefdcef0c7ce21676',
-    'apache2-mod-php-8.1-release': 'sha256:627058ded40e5573110d81a086926a92516867339c3478cd9bf698b5fc5093a1',
-    'nginx-fpm-php-7.2-release-zts': 'sha256:40b1171928cb1a8be69c3f571d6bdd57ab22f8ef6cf88fe34e3c68971fdd4ad9',
-    'nginx-fpm-php-7.1-release-zts': 'sha256:eb5e55128f9e91e93a9d4cd918777eceb163a88343db1d2679b73e0463769ce4',
-    'nginx-fpm-php-7.0-release-zts': 'sha256:e2ae077387dc8af90ea4722df2558cbc90a76f04c01b65ed064151493e56ef81',
-    'php-deps': 'sha256:b9601fa1937c745403f65a0f4919acf3883b812b843c0b7cd8e0ae817f217a52',
-    'nginx-fpm-php-7.1-release': 'sha256:e7e42bb9410aee145bae2827a4d242e17dcd692ec8a4486bc5712788c4b3005c',
-    'nginx-fpm-php-7.2-debug': 'sha256:20e284b3936a45547a60d7090d40aa1e57caea85fbc8ada666a97a959a863a0b',
-    'apache2-mod-php-7.4-debug': 'sha256:2b76e1949737fd52ebea0227099b5a6821ea675008ea9091d8d8274ab8c47873',
-    'php-8.2-release': 'sha256:21c07181c9cfef62c44f7530d79d8dd40650e62e676562f4e9d44f06dfcaa1b0',
-    'apache2-mod-php-8.2-debug': 'sha256:18b0a514c809b1071f2ae1907b483428c479a3648116a73918f3f09b8b7c097c',
-    'apache2-fpm-php-7.2-debug': 'sha256:ef4e471c80b845c89a1096ff442d7564806dd765bdc8b8aa66f4bb42446611e6',
-    'nginx-fpm-php-7.3-release-zts': 'sha256:9f4a4640abcdac91e531c0958b9072319c64d05cf9e856e8f3a7025bf19a757e',
-    'apache2-fpm-php-7.3-release': 'sha256:70711b04c38817b2b18c8365e7931bc4cebb7684dd619a744f5fcf492ea7f789',
-    'php-7.1-debug': 'sha256:500007ad057d9e71b2bb9079a2f8ba3f1ecfbb26d112db69e17d6007b4e857b5',
-    'apache2-mod-php-7.3-release': 'sha256:adba5678c350db9e4526da1ba96cadcc4def69caec64678bf070aabe5a081b85',
-    'apache2-fpm-php-7.0-debug': 'sha256:389aca25e18e63a16c39481d905087b0c091011aebc4729f086adf6a5320035a',
-    'apache2-mod-php-7.0-debug': 'sha256:067f016d0e2ee35f890a613019f84063ce4af1f0b533411dca5a67579d2cf06e',
-    'apache2-fpm-php-8.3-release-zts': 'sha256:c74a06ebc208326840634e26538ad890a2502ece5a936109cbbdf1691f1b812e',
-    'apache2-fpm-php-8.4-release-zts': 'sha256:6b12b3cd013162de5e8aa1d7650c9f8741ccf294b7a1dbfba1b48e375b733940',
-    'apache2-fpm-php-8.2-release-zts': 'sha256:73999668dd180a304808f3ce3bcdc99c8d6adca143dab965576364f7430caacd',
-    'php-7.4-release': 'sha256:8391f2193354f1f6bd63cb8c636139f4a22861b0c341afd940ae6820243ff718',
-    'nginx-fpm-php-7.0-debug': 'sha256:df8842cfa506cbd2c86b38b55cb60ce5fbae5266a117cf9d382be5ac2812bcdd',
-    'apache2-fpm-php-8.0-release-zts': 'sha256:f62d1745dd6756598d99a9f515ea5067bdad213f391826289ca53deee495547f',
-    'apache2-fpm-php-8.1-release-zts': 'sha256:c783107ca73afabd25b57573310fbc817d836e6217efcc54b9a45ca3a3c0575b',
-    'nginx-fpm-php-8.3-release': 'sha256:5a5d1031dcc93ff440677361bdd26fbc845d1b855de195346e742dff4c58ebcb',
-    'apache2-fpm-php-7.1-debug': 'sha256:a127a0229c234f2c814c4e8c8640842124696fb4d54e926ae268e80fbadfd005',
-    'apache2-fpm-php-8.1-release': 'sha256:09ed8c114fdbb9ea60ab249ebcb9827d0c40213e7aa7b1bb9fbc352202413203',
-    'apache2-mod-php-7.1-release-zts': 'sha256:d4d8c0d950330bd3c6a6225857aec8eae6989fe38409bccf96d87c480cd7bedb',
-    'apache2-mod-php-8.0-release': 'sha256:13bfc3bdcf6becf4916e4059faae71e8377cc707d1eda28f2d91025183eff276',
-    'apache2-fpm-php-7.4-release-zts': 'sha256:05bb8279c9d7dde3a23ad24f982e82e4f348b63867e00abac2eef0bc81bc1697',
-    'apache2-fpm-php-7.3-release-zts': 'sha256:26c45f5c73a972993d4ae94d420af274aa07856953da725bea8986a024d97434',
-    'apache2-mod-php-7.0-release-zts': 'sha256:12c06f6d770c046d497cdc823332ad9514b6d7f10232d92c7c64c978d088ee0e',
-    'php-8.1-release': 'sha256:20aa4acfb0d5ef3e16614c39daecf0c2df6068af46a592456e24884be73a59be',
-    'php-7.0-debug': 'sha256:0a9aaeaf79bd4c578eac6dedabf6ac131537266f44562158ce67fdb37c794916',
-    'apache2-fpm-php-7.0-release-zts': 'sha256:3a6d6d8fdadb6347131c0183aaf41a9a09da1632092ec702e555b2ab609ce3d0',
-    'php-7.4-release-zts': 'sha256:6492e3334e722b106352180ec9f0cbee8dd81f008e3537d03f4b8da3522f49e1',
-    'php-7.3-release-zts': 'sha256:c713df299596a9615f88cfe73c29b0a1f9faf32e5e6fa62fa07ee839313cd57e',
-    'apache2-fpm-php-7.1-release-zts': 'sha256:ca2e04104d67272cf819f34525c5692192b7836c786b3dcda072f0c49d5abb59',
-    'nginx-fpm-php-7.2-release': 'sha256:daa158286c8df095c61926441a7c3da75994533fa375882aad6e492c90f89c55',
-    'apache2-fpm-php-7.2-release-zts': 'sha256:cd0f9ba39a4a8e3b3a5e6eef17f8094bddcdb2aae407b6bb15ec0d68645a17fd',
-    'nginx-fpm-php-7.1-debug': 'sha256:26aa364fcd7fc7f9396962eda65058664bd83003e8ee272562baef2362d443f4',
-    'php-7.2-release-zts': 'sha256:634b857d74c3d77b88986ceb088be2dd5bc30151bc08c2b536443984e6659d6e',
-    'apache2-mod-php-8.4-debug': 'sha256:d172da243f1ebec74646fdbea7ab3e7a882e056b31942f7e5ad7560ef8e62359',
-    'php-7.0-release-zts': 'sha256:4bb5fac6fbd3124234d062328c68f6c51027aa95f13e4e8b14afd7c8de518ec6',
-    'apache2-mod-php-8.4-release': 'sha256:79c2d7dd843b18ce2c5f929e6300e9a1f64a5e00a7edbaeb9f75d8a60b2be3d2',
-    'php-7.0-release': 'sha256:627c4f460fa1c11f3f5da44d9361eba5de9f38134189ca05b3bfdb9979011e44',
-    'php-7.1-release-zts': 'sha256:d997b9f99c28967872bd0949f8572b089daaadb6ceaa1e856ccc76e07e2ba6b7',
-    'php-8.5-release': 'sha256:2d3f721958476ac0837ae016d77a1fc796e48e0384e62721a6924c2fab204a82',
-    'php-8.5-release-zts': 'sha256:b2096ab1477c3d90a53e62112774c525324ab2debc1cbfecc2cdd4c0a3599dc3',
-    'php-8.5-debug': 'sha256:61a6a0d0fba6ad51dc39b3c8669e33498f78350e539a1ff7594d6a01e7ebdd0d',
-    'apache2-fpm-php-8.5-release-zts': 'sha256:3434bfc2dee477bbf34c454b8b1fbb92a5dbdac7fc543e5d7a8714907493dea6',
-    'apache2-fpm-php-8.5-release': 'sha256:f9e18353afcad74db9f56b4e46a8ffe9d628ac12f6fd491f525626d0e25429cb',
-    'apache2-fpm-php-8.5-debug': 'sha256:86c7f37cb46200dbc73c6863a2255de7ed88fd01177cbaef69fa206719ba904c',
-    'apache2-mod-php-8.5-release-zts': 'sha256:3b5132226a4f07628161f5a7a784b46426004c799f6a9e03d5397490b479d639',
-    'apache2-mod-php-8.5-release': 'sha256:f6b156aaed21db2870cf1d452de1f0811d221b4ef250c777fecf2e96f6c9a161',
-    'apache2-mod-php-8.5-debug': 'sha256:1ce0570b1e8fba34db0e4ec0f18134fb30c1d50ba795b6f42f0cbe3f19c7a68f',
-    'nginx-fpm-php-8.5-release-zts': 'sha256:527f2ba273685ff7e3f72a74076fd6d99cbc87d51fb3485fef4dc80a0cfddeee',
-    'nginx-fpm-php-8.5-release': 'sha256:fc2eea1ed06dfcf8102bdbfb2596f9a32bbe6493ca83d53370e1438289caa6aa',
-    'nginx-fpm-php-8.5-debug': 'sha256:915d0155897e4f42cf1867b93edbb928afcc1c5b3bd3eccdb2d56ac50510cd82',
-	'nginx-fpm-php-8.5-release-musl': 'sha256:a1ef09c1bf398049b340ab2a1c40839d828420df5a404831bb7b33a09d433755',
+    'apache2-mod-php-8.0-release-zts': 'sha256:c63c903d32f9d4d13333fef94a09272825e97d1b9c0a680785a343803b9146fb',
+    'apache2-mod-php-8.1-release-zts': 'sha256:df59e70404776f49dcc5ccdf120040c7af59715990c3fef6fef216d15d0af1fa',
+    'apache2-mod-php-8.0-debug': 'sha256:d497d82298612b040c5ab9e3f85d1458ca7065d5fdda19e161691e424f3a2356',
+    'apache2-mod-php-8.2-release-zts': 'sha256:94d85b00fa1f367b3ddf52accb8445ecf87cafc88d875d0f7004e07387585420',
+    'apache2-mod-php-7.2-debug': 'sha256:042ec74fec68650fd599a5158320a8a9d09db1efd694010b6ddb239125e46ee8',
+    'php-8.0-release-zts': 'sha256:93a3d95e843dc14a7c27755bd0c44754f668408ab1e7f5a70de7ce0f1542b920',
+    'apache2-fpm-php-7.0-release': 'sha256:d685418801548ff3eadc3fabd55e4380c2297ea0b888f22f8a380ab16d16aec4',
+    'nginx-fpm-php-8.1-release-zts': 'sha256:d334e70e6ff8c8ca891a7c1b5e275b0f5833575105e03512da8a2af4dd4d3c87',
+    'php-8.5-release-zts': 'sha256:6285062325a4f55efaa76c5859d7c44ff75ce252093d3450030d6c598389e19c',
+    'nginx-fpm-php-8.0-release-zts': 'sha256:edbb114900c00df737d6d4947f0d257ea4757d035888f2b211985e1ebb8632d9',
+    'nginx-fpm-php-8.2-release': 'sha256:e1164329e80ed47ccf9e17df972dec569e027bb72da5d9f53dbe341f1ccfa89a',
+    'php-8.4-release-zts': 'sha256:ec4ec4eaa7ce26da8705ba2fcfa2df39704bd8a83fa13173ee5c683b626b3ae9',
+    'nginx-fpm-php-8.2-release-zts': 'sha256:c0c521ad7386913d7e0c39b977adce03006df0cdf6659fe253487239882213f5',
+    'php-8.0-release': 'sha256:f6c7557c63d9da34d081bc681768798bc4f70d8be36c565c526e57cecd6c2249',
+    'nginx-fpm-php-8.3-release-zts': 'sha256:1fbcce3b1a3c10b060141c14f1adf9c208a693d7012b10d44eabbcc69f1372fb',
+    'php-8.2-release-zts': 'sha256:668613168e7d1d3b3895bc655d2871519e590ea5095efde48346c7eb8a305240',
+    'php-8.3-release-zts': 'sha256:0f3717c52618fac31d69058be641a216622560d0f3ffa4d87ba195c112b4f939',
+    'nginx-fpm-php-8.5-release-zts': 'sha256:1c72409eb4cfa7ee2722a6029d1e99570884d7a167f9ac9f835e8d951f5dc657',
+    'php-8.1-release-zts': 'sha256:f6bae994704c0bdabd8906dfc1ef2843ee9a724002a8bbf8475a93591e7c0a56',
+    'apache2-mod-php-8.3-debug': 'sha256:014a173295d6b7ecde224a23a06daae8d9e8b7c729a2f254b427de0f85d33800',
+    'apache2-fpm-php-7.4-release': 'sha256:f95cb84e6f881db48cd8d3a108d5ca39aeac906c515eb44b02bd4f0d7dce4c5c',
+    'apache2-mod-php-7.4-release': 'sha256:492b03fbbeb022e3a0f71a7b9c1c9c31b348d2085d8e7d525ad339f602ec3df1',
+    'nginx-fpm-php-8.4-release-zts': 'sha256:12050bfecaff2934de98bb54b81d2efe2237fe6c7f1601c7dacaa0f34b93497a',
+    'php-8.0-debug': 'sha256:c3ef955a68417284dcb5b08c14b05c2102f3e1273ad88bc6885da0207cf56837',
+    'nginx-fpm-php-8.4-debug': 'sha256:f6766a758828e9779a1456a1f6f5b8a2329cecab8d9132b5d902b0427e0ef131',
+    'apache2-fpm-php-8.1-debug': 'sha256:535dc70e8fbaacd8b65a405aa5046c7d799567a4071122aed6340580ff753050',
+    'apache2-fpm-php-8.4-release': 'sha256:2790e7717c16f4636e8359f1a6dce67517592fdd879374f1f91bb989f7b890b9',
+    'apache2-fpm-php-8.0-release': 'sha256:b4fe65a8ea7701f0f1c550da1cb6bbc0d48084dcc29a85b805521e46c8575365',
+    'apache2-fpm-php-8.4-debug': 'sha256:c9bf37a838480999bdc4d31b624ec10a44ba5a77ff512e877bace0df82b70325',
+    'nginx-fpm-php-7.3-release': 'sha256:6d742d87c59309eb726bc8069292c32ddb2a2a8e3dda09fe9075c49f13f57f4a',
+    'nginx-fpm-php-8.1-debug': 'sha256:a4785f4b92fbd463cb05cadfc9b75e3a462a62f2052d87159f723637ff8b0aed',
+    'apache2-mod-php-7.0-release': 'sha256:3aa3666fe0e1380d7f985e29b889567d653d8ec8f6b1b801665f7c6c68d6f069',
+    'php-7.1-release': 'sha256:d52f126a9101785afe08aeb8af45ebc9393f6007fa9ad20f847fceb4dfe00ef6',
+    'php-8.4-release': 'sha256:8dd60fd881701c66853820ca7bbbfa5554a91a6007c372444d3203f30d7eae4f',
+    'apache2-mod-php-8.4-release-zts': 'sha256:d0974677d0f1e12dc59a217a07045afd9649bdc42e680df7d6f7c718ad07c9ed',
+    'nginx-fpm-php-8.5-release-musl': 'sha256:0ab409dfc415b0c035414b89efdb34218faa1850e99ad3fcf7b52bd5fc042e0c',
+    'apache2-mod-php-8.3-release-zts': 'sha256:0ddb8cdc827b9a3dc271a35712346c66ab5a70aa34ae4f2fdf73e3632d0fd1f0',
+    'apache2-mod-php-8.5-release-zts': 'sha256:33aa76b5ee683d9eb3a1c199b01f3dc998671c0d27ea465ac67943ccda0ad017',
+    'php-7.2-debug': 'sha256:b809a751f79a4a5b8dedaa57b08c1e9ad407805732f67609a015370867691b79',
+    'apache2-mod-php-8.3-release': 'sha256:c53c867125a3e6af9a130d51443c4a0c77b9be2decc0a9344947ca6159e5bd04',
+    'apache2-mod-php-7.1-release': 'sha256:54c3dc2e8401f980dacde153088e1082802fe4cb78575d71b2ddad903a705244',
+    'apache2-fpm-php-7.1-release': 'sha256:0bd711fa4a12f6a650cb12c50dd594bc758b9caf69130c1ebde9f2da078590dd',
+    'php-7.2-release': 'sha256:f99142253171e747c2759e243c6d4301d07d20133c539602e8734ff5ab4bce92',
+    'toolchain': 'sha256:13429a447c9fa042f86a076ece568db7a240a0a1c63020dd34fc557a88040052',
+    'nginx-fpm-php-8.1-release': 'sha256:bec0683f16dd81058bbd12d4ca893e4da8aa39b461a660c1c63386c89c872aab',
+    'php-8.3-debug': 'sha256:421a5f36ee55c1f3b3937feea7083420d5768f47dec40d4561e00a7c7533c6b7',
+    'nginx-fpm-php-7.3-debug': 'sha256:fc54b97cdd31239d28deb7f7b6f9c64e50922688c698335dc13a36831db62919',
+    'apache2-mod-php-7.3-debug': 'sha256:b4951eb923ceac249c9dd41de2276f1c1473cecd7e895800623abfcd03e4ef03',
+    'apache2-fpm-php-7.3-debug': 'sha256:1b19a626c049181d9322e9b62f0b1c6f6cc7038e94513e76d761749483f4c486',
+    'apache2-mod-php-8.2-release': 'sha256:d748644e7978fa1907586c7d245c70a940df15a72e6e210f905e014b214c2026',
+    'apache2-mod-php-8.1-debug': 'sha256:bc6d996b8585812b0b111c3351393e4929b5102de7d534ef8ab7de02edd49561',
+    'nginx-fpm-php-8.5-release': 'sha256:a442e42bd3fc1a65f75124d77e94551d9ff1ce5f04f9e63d0931c7448958a300',
+    'nginx-fpm-php-7.0-release': 'sha256:df1f49bf891042b89714c564e9ace325956c84621f1bb43a1ab4538f951b6017',
+    'php-7.4-debug': 'sha256:70a2498d427dcd36b03eaa00d5ea73e95d67ace3385dcd76432be7a9e023dc2c',
+    'php-8.3-release': 'sha256:2652449cecb073c780a38a11b6bf9a190851f704c5fb5b1058c898cda5cd6c25',
+    'nginx-fpm-php-8.2-debug': 'sha256:02e90d98c06de3c43d139659b26d5cc37b3d7a6ace84f8efc57b03796489fd77',
+    'apache2-fpm-php-7.4-debug': 'sha256:2f9fd1c9db1293a246ea9e2b1936fcb98f262448da96957357241c6b8d9b6895',
+    'php-8.2-debug': 'sha256:61c6f4db9e8aab44a6571095aa363f28578064f5b627a09129aeffe32ab0864c',
+    'nginx-fpm-php-7.4-release': 'sha256:ce1f20e94b691515eb473b69bf423ef012857d54e03e9f6e33cf8266ffcb8d34',
+    'nginx-fpm-php-7.4-debug': 'sha256:9bcfe446e5769361c5106d1259195b0a958069eab1dc9dd9f40fb17efb98b123',
+    'apache2-fpm-php-8.3-release': 'sha256:51a4c2dc5c9435f597cb4a042c67d22219e6517603b7febaeb079c6dd7d31a4f',
+    'apache2-fpm-php-8.2-debug': 'sha256:2a9fc1240d389bf2e43a888a6dd93476ba5dc4dad75c5c3c8c4012ee4ab758d6',
+    'apache2-fpm-php-8.0-debug': 'sha256:285ada20f496d3ac8bc6288254c6d5f3cdeaaa98a51aebbe69736ffe28c101fa',
+    'php-8.1-debug': 'sha256:11bca87c7b9391b26933541c1d3ede5d91eea531e2ae89e7267573c5cba15037',
+    'apache2-fpm-php-7.2-release': 'sha256:4b84d841ea820e2ce06ef2a3ee2bf0cd74ec87786feb54d85dcb81ddc5175015',
+    'apache2-mod-php-7.2-release': 'sha256:def47c631f7f5ce9c1b436445149bfa586b7c9ded9b290f9fc3f4660fadddde4',
+    'php-8.4-debug': 'sha256:c1ff0c7860d0923ea000ec1b4726277fc1bcce6b4942a7f0d636d7e6dfd23d40',
+    'nginx-fpm-php-8.0-release': 'sha256:7c46bc623af1fc631ac5e67f26cd4a100faf39177862c8823b164c63ad9f510b',
+    'apache2-fpm-php-8.3-debug': 'sha256:cecb69dd0cb1011b6295d55142f1eb421c961fe7f4bcfd5a8e0801a18e396b4f',
+    'apache2-mod-php-7.4-release-zts': 'sha256:aa21db9d5eb27ee2fd8e187dd572074105d1f927cdca56d2e253569a5c210e79',
+    'php-7.3-release': 'sha256:5f2b03a07e0272f5bccb9c57bc0bb780e49d9a0daf72499f9b32e4a2bfc2e467',
+    'nginx-fpm-php-8.0-debug': 'sha256:d775c9cc49c04bec246eba8273a5cc1159282dd537468e4148aacae1d3e0fccc',
+    'frankenphp-8.4-release-zts': 'sha256:497b1f786a902141ea35f9297909d3226ab3bd2fccace9af545093e9160e1526',
+    'nginx-fpm-php-8.4-release': 'sha256:dabb50940ee3449d0244d5b6eae5b080d5065dde1ebe58119741d443ac8078bd',
+    'nginx-fpm-php-8.3-debug': 'sha256:f536c26ceadff7759b2feb6433eff971e8959e5f193cc1063d1355cd9fc425de',
+    'apache2-mod-php-7.2-release-zts': 'sha256:61ce4e813383289647249334a4f0bdb880a62d127eeedec9580cd0e4bdee9dae',
+    'php-7.3-debug': 'sha256:43bef965a47a225221a4a2720809c0e589db4de081d9866699ae893ac01f9d09',
+    'apache2-mod-php-7.3-release-zts': 'sha256:624948bcb9ec671fe150281c151ffbd44f7cb19d30a247ce8469f2dfdbf26087',
+    'apache2-fpm-php-8.2-release': 'sha256:577529988acf977e8c64492bfa60c9d80ca5b9fa008164dcfa016d3d75023f79',
+    'nginx-fpm-php-7.4-release-zts': 'sha256:b8b41a5c8d18651ddbd96979b5a350caf00e0bb652d4d5454a4faa55d03724a3',
+    'apache2-mod-php-7.1-debug': 'sha256:de03b3d589570e649d88ee52de920b82ccf4de537a5f792b19c4fa0ab62da989',
+    'nginx-fpm-php-7.2-release-zts': 'sha256:63d2b86e2a8190b1edd7850dcb489a76b9b7ee8b00ec2b4504153b23b0eceaee',
+    'apache2-mod-php-8.1-release': 'sha256:eb7817c04c42baaf17f87641f655b03ac13263e58ca388f6672e932ede4cdc5b',
+    'nginx-fpm-php-7.1-release-zts': 'sha256:c8c6edddf69729437be27d4e94559bcbd6f860e3e398552d628a5e92c8795f6e',
+    'nginx-fpm-php-7.0-release-zts': 'sha256:bab423024b502c85a27995bac9b59420c8d7317f7c7910eee3d1ea7da71e3a14',
+    'apache2-mod-php-8.5-release': 'sha256:60b1d07ec071793a0904a3b7898e45ca6dfddf933f360291bd64cb23929ca3cd',
+    'php-deps': 'sha256:b8fdc9f7d169c15301f63e57d9f3f59e856343a371bd5a1053a9375a4e1ca5df',
+    'nginx-fpm-php-7.1-release': 'sha256:57ed7ee61104d9ec322d92f1d9a0ef49502b303ba1380cc64e145053edcdd8f3',
+    'nginx-fpm-php-7.2-debug': 'sha256:ad8cd02fbbb2ab4e284f03d9d296c3e0081336fa0366afb281a0cb7a5b826dad',
+    'php-8.2-release': 'sha256:0199e251729b25276f97049cbcd39dd1997e98413a07b10a3c7e9e755d505a42',
+    'apache2-mod-php-7.4-debug': 'sha256:e2c52ca16a8ede260ecef564d41d7c312e42fb7c35787de92d89e7d140b1cf67',
+    'apache2-mod-php-8.2-debug': 'sha256:fe5ff47714a06c391a78f3b8429b03372dd5860020934e1beae2906167cff650',
+    'apache2-fpm-php-7.2-debug': 'sha256:cad31d8b57102b81c9588a4f24dc170d2462e2e6f8e47612abd7c509edc6772c',
+    'nginx-fpm-php-7.3-release-zts': 'sha256:db915c42d757ce6348d87da4eaf72ec106f591569be8fee04e0b78c25c9a578e',
+    'apache2-fpm-php-7.3-release': 'sha256:c453dc5052aec33c790c6b9777f6d507e464e6c88786f4fbae2a20f683b24fbf',
+    'php-7.1-debug': 'sha256:2acfe53ccedf9984d25293b3a4788fbbcacdf819915d69c53f1dc6bad40ba864',
+    'apache2-mod-php-7.3-release': 'sha256:daed732e434a02035e223ba423b51d66ec67690513f899ec5c86e40a7b62af51',
+    'apache2-fpm-php-7.0-debug': 'sha256:bf41c2c81931d81dcf1e3bbe762ca81a3331c2b6cc38635639d0519e38a3727f',
+    'nginx-fpm-php-8.5-debug': 'sha256:7dfbeb5ddb62cb1cbcb6d75373eb5662a534da5b7c067b53426201047b6b7d15',
+    'apache2-mod-php-7.0-debug': 'sha256:74049cb549aedc9103ca6832b69afe7bbb9536320fc98245b5ffbabeae02ba96',
+    'apache2-mod-php-8.5-debug': 'sha256:c461996eaff3ce3e296ddbfdbefbc1bddd81439b24d3699b5a7f3344bfad1da1',
+    'apache2-fpm-php-8.5-debug': 'sha256:abe529d92654d0712526b4f60a77964582559a18728604d79726c7a815057d71',
+    'apache2-fpm-php-8.5-release-zts': 'sha256:d6ee244a11431eccce5b20d88849f30ed866ac4f6192c3be41b128c31d447675',
+    'apache2-fpm-php-8.3-release-zts': 'sha256:be50109cefa6468e2d939b22c5a9468b28b570f3470bd502240085a89a2819c7',
+    'apache2-fpm-php-8.2-release-zts': 'sha256:9faba6f49dd5bcac33d81814e5e62131ebe1efed0fd2ca537b6306c02b89cc12',
+    'apache2-fpm-php-8.4-release-zts': 'sha256:fabebf5f234bdac72cda9bf061fe6bb2689cfdba6976c528271f182e99d194e2',
+    'php-7.4-release': 'sha256:6d073fea82095decf37458d238b763a8df26688ffe8ad8017c8f7d8d7e588931',
+    'nginx-fpm-php-7.0-debug': 'sha256:9192d5bd27a9a023cd644c9f7413f35327500232cc1b75cd8ed66efbe3266044',
+    'apache2-fpm-php-8.0-release-zts': 'sha256:bdb859af20f596e53b96b805a3471e2f7883264c75dd432adc3492ed40628959',
+    'nginx-fpm-php-8.3-release': 'sha256:6dc2fae96359b927c8b04ff5e1b31a5fdcc85fbfb7c234e374bdab347e9e3f94',
+    'apache2-fpm-php-8.1-release-zts': 'sha256:a2fd874506abaa5e286ce2ab47124a1bce4e1df76d404256fbb48d024ba5b1b6',
+    'apache2-fpm-php-7.1-debug': 'sha256:e8b1f333504620ebcd3fa9d66d95ba480796644a778686731ad021e364a89b0f',
+    'apache2-fpm-php-8.1-release': 'sha256:7f7849bd0c60b3303dfda144d275b3ed0a0a41528e4eb06bd5990b04d552c205',
+    'apache2-mod-php-8.0-release': 'sha256:2e7442b1e571ac14b41021b751a6f0580eae25067b165feb42e2cdbc12bd964b',
+    'apache2-mod-php-7.1-release-zts': 'sha256:e774faad6c4cb0ace56e4b5e3f6eb1babf1dc810674658722d9dce0d0149815a',
+    'apache2-fpm-php-7.4-release-zts': 'sha256:58e6a775d06e46899c6f3cd76275fa50f0099865acd3474d0b0542753aa0b389',
+    'apache2-fpm-php-7.3-release-zts': 'sha256:95dfd5b007bd025252f7d93d77ecda720738d8f377a85a10dac2026409a29c04',
+    'apache2-fpm-php-8.5-release': 'sha256:52cd6c2a5a7266e74f55c1e3c2f21f30caa02b496618926e2f11a73abad0cded',
+    'apache2-mod-php-7.0-release-zts': 'sha256:ad63a984521e51c587c240728a1d4a6a808911d54900f4b95424d63137090aea',
+    'php-8.1-release': 'sha256:cce133e903895e3eb9223cd15f705cfde50cba62165fe4acc8ea7231883c13b8',
+    'php-7.0-debug': 'sha256:42a2d76a8507208f27c1860c0ad280cb825e61f130ba5af462989ea065fce007',
+    'apache2-fpm-php-7.0-release-zts': 'sha256:b6524092e1d603f73d3ba725b825db1e5e8a9c6dbbf1033a52a6aac762759c1c',
+    'php-7.3-release-zts': 'sha256:ac6923e62f7dc9ba46c1045c3c63acb4ebfb8d2945639e954c3f350aa2fddada',
+    'php-7.4-release-zts': 'sha256:ce0f6f7b6683d64826135bc1c52d1a0a412e506627bf9245d7896ca283247528',
+    'apache2-fpm-php-7.1-release-zts': 'sha256:f94515ad517d90daacde76d133e097f48cf3e6cb386b64e66ed6c85c8e62101b',
+    'nginx-fpm-php-7.2-release': 'sha256:09ecf5f3db71b66c7a1d26d9b865f1de1b79c7166b16f48b992dd8cc2a3ff73a',
+    'apache2-fpm-php-7.2-release-zts': 'sha256:1ed67a099859f464df86246c82e5b38b552b2af059a6519ed723d26153ed9006',
+    'nginx-fpm-php-7.1-debug': 'sha256:914c9314a4de5aafd26f74061716be44753cd466bf143e3cf1e380972bfd9cf2',
+    'php-7.2-release-zts': 'sha256:db53b9c2cc53fb38954eb4260cf1791d129a9f35efa2ea2655593e002300ea26',
+    'apache2-mod-php-8.4-debug': 'sha256:59f59f18032b0a513447a9fcd0ae9982f6f889e6d78a5757baf73d55d2395500',
+    'php-8.5-debug': 'sha256:10a60296e5900e60c0a04478ad5e3c603f3923f02f0a7ce61f207c68704cae26',
+    'php-7.0-release-zts': 'sha256:d1e78bda9eaa59fddb59bf08ceb3a5362f184f2d22074e6913d52bacf563bc9a',
+    'apache2-mod-php-8.4-release': 'sha256:197b5c7d1251fa669831392efa824fd8938f5a7c0acf9f83108e5791c7010932',
+    'php-7.0-release': 'sha256:0262fe65291c8415e0792bf24e6ac6e01eac84de47e62ac6c4cc72342634a895',
+    'php-8.5-release': 'sha256:d5d38441284b053c1667ef282b528802d7c437582a9ba77735a0286ca4951cc3',
+    'php-7.1-release-zts': 'sha256:e3cefd4d4f8dfc7508a4db56e9fba18f9c63c928f79540fa0f2ecbe6ace70a03'
 ]

From 74600d57daa910ba8da09bc8b66e1c579af5aea4 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 17:56:45 -0600
Subject: [PATCH 25/42] wip windows

---
 dockerfiles/ci/windows/basetools.Dockerfile | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/dockerfiles/ci/windows/basetools.Dockerfile b/dockerfiles/ci/windows/basetools.Dockerfile
index 1e921f48c8c..ad491682d5e 100644
--- a/dockerfiles/ci/windows/basetools.Dockerfile
+++ b/dockerfiles/ci/windows/basetools.Dockerfile
@@ -1,6 +1,11 @@
 ARG vsVersion
 FROM datadog/dd-trace-ci:windows-base-$vsVersion
 ARG vsVersion
+ARG sdkVersion
+
+ADD check-phpsdk.bat /tmp/check-phpsdk.bat
+RUN powershell "cd /tmp; Invoke-WebRequest https://github.com/php/php-sdk-binary-tools/archive/refs/tags/php-sdk-%sdkVersion%.zip -OutFile php-sdk.zip; Expand-Archive php-sdk.zip; move php-sdk\php-sdk-binary-tools-php-sdk-%sdkVersion% /php-sdk; Remove-Item php-sdk; Remove-Item php-sdk.zip"
+RUN C:\php-sdk\phpsdk-%vsVersion%-x64.bat -t /tmp/check-phpsdk.bat
 
 RUN powershell.exe "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $Env:chocolateyVersion = '0.10.15'; $Env:chocolateyUseWindowsCompression = 'false'; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')); ''"
 
@@ -15,12 +20,6 @@ RUN choco install -y llvm
 
 RUN powershell "[Environment]::SetEnvironmentVariable('PATH', $env:PATH + ';C:\Program Files\NASM;C:\Program Files\CMake\bin', 'Machine')"
 
-# initial setup
-
-ARG sdkVersion
-RUN powershell "cd /tmp; Invoke-WebRequest https://github.com/php/php-sdk-binary-tools/archive/refs/tags/php-sdk-%sdkVersion%.zip -OutFile php-sdk.zip; Expand-Archive php-sdk.zip; move php-sdk\php-sdk-binary-tools-php-sdk-%sdkVersion% /php-sdk; Remove-Item php-sdk; Remove-Item php-sdk.zip"
-
 WORKDIR /php-sdk
 
-ADD check-phpsdk.bat /tmp/check-phpsdk.bat
 RUN phpsdk-%vsVersion%-x64.bat -t /tmp/check-phpsdk.bat

From 84caf7cc92de56935a74afc5e33f6af1e3090f67 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 18:23:20 -0600
Subject: [PATCH 26/42] try to fix vc14

---
 dockerfiles/ci/windows/vc14.Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dockerfiles/ci/windows/vc14.Dockerfile b/dockerfiles/ci/windows/vc14.Dockerfile
index c1cfa7bf958..007bde9744d 100644
--- a/dockerfiles/ci/windows/vc14.Dockerfile
+++ b/dockerfiles/ci/windows/vc14.Dockerfile
@@ -1,6 +1,6 @@
 FROM mcr.microsoft.com/windows/servercore:1809
 
-# https://aka.ms/vs/14/release/vs_buildtools.exe has been removed
-ADD vs14_buildtools.exe /tmp/vs_buildtools.exe
-RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; $items = 'Win81SDK_CppBuildSKUV1;Win10SDK_VisibleV1;VisualCppBuildTools_NETFX_SDK'; $p = Start-Process C:\tmp\vs_buildtools.exe -ArgumentList @('/Passive', '/NoRestart', '/Log', $log, '/InstallSelectableItems', $items) -Wait -PassThru; if (@(0, 3010) -notcontains $p.ExitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $p.ExitCode }"
+# https://aka.ms/vs/14/release/vs_buildtools.exe has been removed.
+# Use the full Microsoft installer URL from the Visual C++ Build Tools 2015 Chocolatey package.
+RUN powershell "$ErrorActionPreference = 'Stop'; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; $items = 'Win81SDK_CppBuildSKUV1;Win10SDK_VisibleV1;VisualCppBuildTools_NETFX_SDK'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Passive', '/NoRestart', '/Log', $log, '/InstallSelectableItems', $items) -Wait -PassThru; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $p.ExitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $p.ExitCode }"
 RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; try { $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir } catch { if (Test-Path $log) { Get-Content $log -Tail 200 }; throw }; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { if (Test-Path $log) { Get-Content $log -Tail 200 }; Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"

From 0c19dda6eeb626e083930ecd3e8584519d886a41 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 18:41:26 -0600
Subject: [PATCH 27/42] try to fix vc14 tmp folder

---
 dockerfiles/ci/windows/vc14.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dockerfiles/ci/windows/vc14.Dockerfile b/dockerfiles/ci/windows/vc14.Dockerfile
index 007bde9744d..383ee42dfc3 100644
--- a/dockerfiles/ci/windows/vc14.Dockerfile
+++ b/dockerfiles/ci/windows/vc14.Dockerfile
@@ -2,5 +2,5 @@ FROM mcr.microsoft.com/windows/servercore:1809
 
 # https://aka.ms/vs/14/release/vs_buildtools.exe has been removed.
 # Use the full Microsoft installer URL from the Visual C++ Build Tools 2015 Chocolatey package.
-RUN powershell "$ErrorActionPreference = 'Stop'; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; $items = 'Win81SDK_CppBuildSKUV1;Win10SDK_VisibleV1;VisualCppBuildTools_NETFX_SDK'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Passive', '/NoRestart', '/Log', $log, '/InstallSelectableItems', $items) -Wait -PassThru; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $p.ExitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $p.ExitCode }"
+RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; $items = 'Win81SDK_CppBuildSKUV1;Win10SDK_VisibleV1;VisualCppBuildTools_NETFX_SDK'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Passive', '/NoRestart', '/Log', $log, '/InstallSelectableItems', $items) -Wait -PassThru; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $p.ExitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $p.ExitCode }"
 RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; try { $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir } catch { if (Test-Path $log) { Get-Content $log -Tail 200 }; throw }; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { if (Test-Path $log) { Get-Content $log -Tail 200 }; Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"

From 725b1ac368f2145c6f4cc114201b2ee658673f69 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 18:53:45 -0600
Subject: [PATCH 28/42] sleep for a bit before deleting installer to avoid it
 being locked still

---
 dockerfiles/ci/windows/vc14.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dockerfiles/ci/windows/vc14.Dockerfile b/dockerfiles/ci/windows/vc14.Dockerfile
index 383ee42dfc3..5198d232d11 100644
--- a/dockerfiles/ci/windows/vc14.Dockerfile
+++ b/dockerfiles/ci/windows/vc14.Dockerfile
@@ -2,5 +2,5 @@ FROM mcr.microsoft.com/windows/servercore:1809
 
 # https://aka.ms/vs/14/release/vs_buildtools.exe has been removed.
 # Use the full Microsoft installer URL from the Visual C++ Build Tools 2015 Chocolatey package.
-RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; $items = 'Win81SDK_CppBuildSKUV1;Win10SDK_VisibleV1;VisualCppBuildTools_NETFX_SDK'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Passive', '/NoRestart', '/Log', $log, '/InstallSelectableItems', $items) -Wait -PassThru; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $p.ExitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $p.ExitCode }"
+RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; $items = 'Win81SDK_CppBuildSKUV1;Win10SDK_VisibleV1;VisualCppBuildTools_NETFX_SDK'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Passive', '/NoRestart', '/Log', $log, '/InstallSelectableItems', $items) -Wait -PassThru; $exitCode = $p.ExitCode; Start-Sleep -Seconds 10; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $exitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $exitCode }"
 RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; try { $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir } catch { if (Test-Path $log) { Get-Content $log -Tail 200 }; throw }; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { if (Test-Path $log) { Get-Content $log -Tail 200 }; Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"

From e7bdebb0c421df1fcf68076924489978361cd10e Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 19:15:29 -0600
Subject: [PATCH 29/42] simplify vc14 install

---
 dockerfiles/ci/windows/vc14.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dockerfiles/ci/windows/vc14.Dockerfile b/dockerfiles/ci/windows/vc14.Dockerfile
index 5198d232d11..6d552217357 100644
--- a/dockerfiles/ci/windows/vc14.Dockerfile
+++ b/dockerfiles/ci/windows/vc14.Dockerfile
@@ -2,5 +2,5 @@ FROM mcr.microsoft.com/windows/servercore:1809
 
 # https://aka.ms/vs/14/release/vs_buildtools.exe has been removed.
 # Use the full Microsoft installer URL from the Visual C++ Build Tools 2015 Chocolatey package.
-RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; $items = 'Win81SDK_CppBuildSKUV1;Win10SDK_VisibleV1;VisualCppBuildTools_NETFX_SDK'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Passive', '/NoRestart', '/Log', $log, '/InstallSelectableItems', $items) -Wait -PassThru; $exitCode = $p.ExitCode; Start-Sleep -Seconds 10; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $exitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $exitCode }"
+RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Passive', '/NoRestart', '/Log', $log) -Wait -PassThru; $exitCode = $p.ExitCode; Start-Sleep -Seconds 10; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $exitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $exitCode }"
 RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; try { $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir } catch { if (Test-Path $log) { Get-Content $log -Tail 200 }; throw }; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { if (Test-Path $log) { Get-Content $log -Tail 200 }; Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"

From d9552a4863fa562df16481692be0c63158f72d86 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 19:27:41 -0600
Subject: [PATCH 30/42] adjust vc14 configure args

---
 dockerfiles/ci/windows/vc14.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dockerfiles/ci/windows/vc14.Dockerfile b/dockerfiles/ci/windows/vc14.Dockerfile
index 6d552217357..f9fa3b30251 100644
--- a/dockerfiles/ci/windows/vc14.Dockerfile
+++ b/dockerfiles/ci/windows/vc14.Dockerfile
@@ -2,5 +2,5 @@ FROM mcr.microsoft.com/windows/servercore:1809
 
 # https://aka.ms/vs/14/release/vs_buildtools.exe has been removed.
 # Use the full Microsoft installer URL from the Visual C++ Build Tools 2015 Chocolatey package.
-RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Passive', '/NoRestart', '/Log', $log) -Wait -PassThru; $exitCode = $p.ExitCode; Start-Sleep -Seconds 10; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $exitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $exitCode }"
+RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Q', '/L', $log, '/Full') -Wait -PassThru; $exitCode = $p.ExitCode; Start-Sleep -Seconds 10; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $exitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $exitCode }"
 RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; try { $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir } catch { if (Test-Path $log) { Get-Content $log -Tail 200 }; throw }; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { if (Test-Path $log) { Get-Content $log -Tail 200 }; Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"

From 8880905ae1ce81077cadbd1d878730b42090d88f Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 21:19:49 -0600
Subject: [PATCH 31/42] oops, full was too much

---
 dockerfiles/ci/windows/vc14.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dockerfiles/ci/windows/vc14.Dockerfile b/dockerfiles/ci/windows/vc14.Dockerfile
index f9fa3b30251..33ca9e08613 100644
--- a/dockerfiles/ci/windows/vc14.Dockerfile
+++ b/dockerfiles/ci/windows/vc14.Dockerfile
@@ -2,5 +2,5 @@ FROM mcr.microsoft.com/windows/servercore:1809
 
 # https://aka.ms/vs/14/release/vs_buildtools.exe has been removed.
 # Use the full Microsoft installer URL from the Visual C++ Build Tools 2015 Chocolatey package.
-RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Q', '/L', $log, '/Full') -Wait -PassThru; $exitCode = $p.ExitCode; Start-Sleep -Seconds 10; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $exitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $exitCode }"
+RUN powershell "$ErrorActionPreference = 'Stop'; New-Item -ItemType Directory -Force C:\tmp | Out-Null; $installer = 'C:\tmp\visualcppbuildtools_full.exe'; $url = 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; Invoke-WebRequest $url -OutFile $installer; $p = Start-Process $installer -ArgumentList @('/Q', '/L', $log, '/InstallSelectableItems', 'VisualCppBuildTools_Windows_SDK') -Wait -PassThru; $exitCode = $p.ExitCode; Start-Sleep -Seconds 10; Remove-Item $installer -Force; if (@(0, 3010) -notcontains $exitCode) { if (Test-Path $log) { Get-Content $log -Tail 200 }; exit $exitCode }"
 RUN powershell "$ErrorActionPreference = 'Stop'; $log = 'C:\tmp\visual-cpp-build-tools-2015.log'; try { $vc = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC' -Name ProductDir).ProductDir } catch { if (Test-Path $log) { Get-Content $log -Tail 200 }; throw }; $vcvars = Join-Path $vc 'vcvarsall.bat'; if (-not (Test-Path $vcvars)) { if (Test-Path $log) { Get-Content $log -Tail 200 }; Write-Error ('VC14 vcvarsall.bat not found at ' + $vcvars); exit 3 }; $q = [char]34; $cmd = 'call ' + $q + $vcvars + $q + ' amd64 >NUL && where cl.exe && where link.exe'; cmd /S /C $cmd; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"

From 38fb86095e24bf7e3283a7c36b015e9b5ca6bef5 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 22:10:05 -0600
Subject: [PATCH 32/42] revert base images, vc images were replaced

---
 .gitlab/ci-images.yml | 34 ++--------------------------------
 1 file changed, 2 insertions(+), 32 deletions(-)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index 3f0fde423c1..6cdfb40d65f 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -200,26 +200,6 @@ Buster:
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
     $targets = @{
-      "vc14-base" = @{
-        Image = "datadog/dd-trace-ci:windows-base-vc14"
-        Dockerfile = "vc14.Dockerfile"
-        BuildArgs = @()
-      }
-      "vc15-base" = @{
-        Image = "datadog/dd-trace-ci:windows-base-vc15"
-        Dockerfile = "vc15.Dockerfile"
-        BuildArgs = @()
-      }
-      "vs16-base" = @{
-        Image = "datadog/dd-trace-ci:windows-base-vs16"
-        Dockerfile = "vs16.Dockerfile"
-        BuildArgs = @()
-      }
-      "vs17-base" = @{
-        Image = "datadog/dd-trace-ci:windows-base-vs17"
-        Dockerfile = "vs17.Dockerfile"
-        BuildArgs = @()
-      }
       "vc14" = @{
         Image = "datadog/dd-trace-ci:windows-vc14"
         Dockerfile = "basetools.Dockerfile"
@@ -322,17 +302,7 @@ Buster:
       if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
     }
 
-"Windows 1: Base Images":
-  extends: .windows_image_build
-  parallel:
-    matrix:
-      - WINDOWS_IMAGE_TARGETS:
-        - "vc14-base"
-        - "vc15-base"
-        - "vs16-base"
-        - "vs17-base"
-
-"Windows 2: Tool Images":
+"Windows 1: Tool Images":
   extends: .windows_image_build
   parallel:
     matrix:
@@ -342,7 +312,7 @@ Buster:
         - "vs16"
         - "vs17"
 
-"Windows 3: PHP Images":
+"Windows 2: PHP Images":
   extends: .windows_image_build
   parallel:
     matrix:

From 3537e5defc9ccf9ee065847ae31858725678dddf Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Thu, 28 May 2026 22:31:56 -0600
Subject: [PATCH 33/42] revert tool images down to just MSRV bump

---
 dockerfiles/ci/windows/basetools.Dockerfile | 13 +++++--------
 dockerfiles/ci/windows/check-phpsdk.bat     |  9 ---------
 2 files changed, 5 insertions(+), 17 deletions(-)
 delete mode 100644 dockerfiles/ci/windows/check-phpsdk.bat

diff --git a/dockerfiles/ci/windows/basetools.Dockerfile b/dockerfiles/ci/windows/basetools.Dockerfile
index ad491682d5e..94b8854cabb 100644
--- a/dockerfiles/ci/windows/basetools.Dockerfile
+++ b/dockerfiles/ci/windows/basetools.Dockerfile
@@ -1,11 +1,5 @@
 ARG vsVersion
 FROM datadog/dd-trace-ci:windows-base-$vsVersion
-ARG vsVersion
-ARG sdkVersion
-
-ADD check-phpsdk.bat /tmp/check-phpsdk.bat
-RUN powershell "cd /tmp; Invoke-WebRequest https://github.com/php/php-sdk-binary-tools/archive/refs/tags/php-sdk-%sdkVersion%.zip -OutFile php-sdk.zip; Expand-Archive php-sdk.zip; move php-sdk\php-sdk-binary-tools-php-sdk-%sdkVersion% /php-sdk; Remove-Item php-sdk; Remove-Item php-sdk.zip"
-RUN C:\php-sdk\phpsdk-%vsVersion%-x64.bat -t /tmp/check-phpsdk.bat
 
 RUN powershell.exe "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $Env:chocolateyVersion = '0.10.15'; $Env:chocolateyUseWindowsCompression = 'false'; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')); ''"
 
@@ -20,6 +14,9 @@ RUN choco install -y llvm
 
 RUN powershell "[Environment]::SetEnvironmentVariable('PATH', $env:PATH + ';C:\Program Files\NASM;C:\Program Files\CMake\bin', 'Machine')"
 
-WORKDIR /php-sdk
+# initial setup
 
-RUN phpsdk-%vsVersion%-x64.bat -t /tmp/check-phpsdk.bat
+ARG sdkVersion
+RUN powershell "cd /tmp; Invoke-WebRequest https://github.com/php/php-sdk-binary-tools/archive/refs/tags/php-sdk-%sdkVersion%.zip -OutFile php-sdk.zip; Expand-Archive php-sdk.zip; move php-sdk\php-sdk-binary-tools-php-sdk-%sdkVersion% /php-sdk; Remove-Item php-sdk; Remove-Item php-sdk.zip"
+
+WORKDIR /php-sdk
diff --git a/dockerfiles/ci/windows/check-phpsdk.bat b/dockerfiles/ci/windows/check-phpsdk.bat
deleted file mode 100644
index 84479111e59..00000000000
--- a/dockerfiles/ci/windows/check-phpsdk.bat
+++ /dev/null
@@ -1,9 +0,0 @@
-@echo off
-
-where cl.exe
-if %errorlevel% neq 0 exit /b %errorlevel%
-
-where link.exe
-if %errorlevel% neq 0 exit /b %errorlevel%
-
-exit /b 0

From 9e99cc1bc93b6049259765ca5610afe127b2d188 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 09:54:11 -0600
Subject: [PATCH 34/42] patch PHP sdk script

---
 dockerfiles/ci/windows/basetools.Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dockerfiles/ci/windows/basetools.Dockerfile b/dockerfiles/ci/windows/basetools.Dockerfile
index 94b8854cabb..675b24a9fb0 100644
--- a/dockerfiles/ci/windows/basetools.Dockerfile
+++ b/dockerfiles/ci/windows/basetools.Dockerfile
@@ -18,5 +18,7 @@ RUN powershell "[Environment]::SetEnvironmentVariable('PATH', $env:PATH + ';C:\P
 
 ARG sdkVersion
 RUN powershell "cd /tmp; Invoke-WebRequest https://github.com/php/php-sdk-binary-tools/archive/refs/tags/php-sdk-%sdkVersion%.zip -OutFile php-sdk.zip; Expand-Archive php-sdk.zip; move php-sdk\php-sdk-binary-tools-php-sdk-%sdkVersion% /php-sdk; Remove-Item php-sdk; Remove-Item php-sdk.zip"
+# Older PHP SDK tags expect Apache indexes to prefix package links with /.
+RUN powershell "$config = 'C:\php-sdk\lib\php\libsdk\SDK\Config.php'; $text = [IO.File]::ReadAllText($config).Replace(',/packages-', ',>packages-'); if ($text.Contains(',/packages-')) { throw 'Failed to patch PHP SDK dependency series regex' }; [IO.File]::WriteAllText($config, $text, [System.Text.Encoding]::ASCII)"
 
 WORKDIR /php-sdk

From 2644abe60aba99661c4aa4c98a5a918552279e04 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 10:14:52 -0600
Subject: [PATCH 35/42] drop vc14, PHP 7.0/7.1, and fix php-8.0.30.tar.gz hash

---
 .gitlab/ci-images.yml | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml
index 6cdfb40d65f..cbe43845eb8 100644
--- a/.gitlab/ci-images.yml
+++ b/.gitlab/ci-images.yml
@@ -32,8 +32,6 @@ CentOS:
         - php-7.4
         - php-7.3
         - php-7.2
-        - php-7.1
-        - php-7.0
   script:
     - cd dockerfiles/ci/centos/7
     - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
@@ -63,8 +61,6 @@ Alpine:
         - 7.4-alpine
         - 7.3-alpine
         - 7.2-alpine
-        - 7.1-alpine
-        - 7.0-alpine
   script:
     - cd dockerfiles/ci/alpine_compile_extension
     - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
@@ -97,8 +93,6 @@ Bookworm:
         - php-7.4-shared-ext
         - php-7.3
         - php-7.2
-        - php-7.1
-        - php-7.0
         MAKE_JOBS: ["2"]
   script:
     - cd dockerfiles/ci/bookworm
@@ -129,8 +123,6 @@ Buster:
         - php-7.4-shared-ext
         - php-7.3
         - php-7.2
-        - php-7.1
-        - php-7.0
   script:
     - cd dockerfiles/ci/buster
     - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
@@ -248,7 +240,7 @@ Buster:
       "php-8.0" = @{
         Image = "datadog/dd-trace-ci:php-8.0_windows"
         Dockerfile = "Dockerfile"
-        BuildArgs = @("phpVersion=8.0.30", "vsVersion=vs16", "phpTarGzUrl=https://www.php.net/distributions/php-8.0.30.tar.gz", "phpSha256Hash=449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80")
+        BuildArgs = @("phpVersion=8.0.30", "vsVersion=vs16", "phpTarGzUrl=https://www.php.net/distributions/php-8.0.30.tar.gz", "phpSha256Hash=449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80c")
       }
       "php-7.4" = @{
         Image = "datadog/dd-trace-ci:php-7.4_windows"
@@ -307,7 +299,6 @@ Buster:
   parallel:
     matrix:
       - WINDOWS_IMAGE_TARGETS:
-        - "vc14"
         - "vc15"
         - "vs16"
         - "vs17"
@@ -326,5 +317,3 @@ Buster:
         - "php-7.4"
         - "php-7.3"
         - "php-7.2"
-        - "php-7.1"
-        - "php-7.0"

From a447f8f1a34968277e18cd79f04d10a1b3016e85 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 10:52:07 -0600
Subject: [PATCH 36/42] drop the user-agent, it's causing rejections

---
 dockerfiles/ci/windows/basetools.Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dockerfiles/ci/windows/basetools.Dockerfile b/dockerfiles/ci/windows/basetools.Dockerfile
index 675b24a9fb0..001f9f553e9 100644
--- a/dockerfiles/ci/windows/basetools.Dockerfile
+++ b/dockerfiles/ci/windows/basetools.Dockerfile
@@ -20,5 +20,7 @@ ARG sdkVersion
 RUN powershell "cd /tmp; Invoke-WebRequest https://github.com/php/php-sdk-binary-tools/archive/refs/tags/php-sdk-%sdkVersion%.zip -OutFile php-sdk.zip; Expand-Archive php-sdk.zip; move php-sdk\php-sdk-binary-tools-php-sdk-%sdkVersion% /php-sdk; Remove-Item php-sdk; Remove-Item php-sdk.zip"
 # Older PHP SDK tags expect Apache indexes to prefix package links with /.
 RUN powershell "$config = 'C:\php-sdk\lib\php\libsdk\SDK\Config.php'; $text = [IO.File]::ReadAllText($config).Replace(',/packages-', ',>packages-'); if ($text.Contains(',/packages-')) { throw 'Failed to patch PHP SDK dependency series regex' }; [IO.File]::WriteAllText($config, $text, [System.Text.Encoding]::ASCII)"
+# The PHP downloads CDN rejects the SDK's user-agent for some reason.
+RUN powershell "$fileOps = 'C:\php-sdk\lib\php\libsdk\SDK\FileOps.php'; $text = [IO.File]::ReadAllText($fileOps); $text = $text -replace '(?m)^\s*curl_setopt\(\$ch, CURLOPT_USERAGENT, Config::getSdkUserAgentName\(\)\);\r?\n?', ''; if ($text.Contains('CURLOPT_USERAGENT')) { throw 'Failed to remove PHP SDK curl user-agent' }; [IO.File]::WriteAllText($fileOps, $text, [System.Text.Encoding]::ASCII)"
 
 WORKDIR /php-sdk

From de8ffe417e6536586ffa78e2c20b699e011407e1 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 12:18:44 -0600
Subject: [PATCH 37/42] move bookworm next to 9

---
 dockerfiles/ci/bookworm/.env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dockerfiles/ci/bookworm/.env b/dockerfiles/ci/bookworm/.env
index bdd749c6725..def4d3a63e9 100644
--- a/dockerfiles/ci/bookworm/.env
+++ b/dockerfiles/ci/bookworm/.env
@@ -1,2 +1,2 @@
 BOOKWORM_CURRENT_VERSION=8
-BOOKWORM_NEXT_VERSION=8
+BOOKWORM_NEXT_VERSION=9

From 30a0eb83b7f3073a7983f9db6f9b450855efc732 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 12:40:10 -0600
Subject: [PATCH 38/42] appsec: bump spdlog's fmt lib too

---
 appsec/third_party/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appsec/third_party/CMakeLists.txt b/appsec/third_party/CMakeLists.txt
index f09cfab64cf..0500f7d962a 100644
--- a/appsec/third_party/CMakeLists.txt
+++ b/appsec/third_party/CMakeLists.txt
@@ -76,7 +76,7 @@ endif()
 FetchContent_Declare(
     spdlog
     GIT_REPOSITORY https://github.com/gabime/spdlog.git
-    GIT_TAG 5fd32e1a70871e2f6a52734e36bc33cb7ac022a5)
+    GIT_TAG 79524ddd08a4ec981b7fea76afd08ee05f83755d)
 FetchContent_MakeAvailable(spdlog)
 set_target_properties(spdlog PROPERTIES POSITION_INDEPENDENT_CODE 1)
 

From 751af9ee9553e086d95ecfcd5b5171fc5f44e8f4 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 13:00:26 -0600
Subject: [PATCH 39/42] style(appsec): format with clang-format 20

---
 appsec/src/extension/attributes.h             |  46 +++----
 appsec/src/extension/commands/client_init.h   |   6 +-
 appsec/src/extension/commands/config_sync.h   |   2 +-
 appsec/src/extension/commands/request_init.h  |   6 +-
 .../src/extension/commands/request_shutdown.c |   6 +-
 .../src/extension/commands/request_shutdown.h |   6 +-
 appsec/src/extension/commands_ctx.h           |   2 +-
 appsec/src/extension/commands_helpers.c       |   2 +-
 appsec/src/extension/commands_helpers.h       |   2 +-
 appsec/src/extension/compatibility.h          |  11 +-
 appsec/src/extension/ddappsec.c               |   2 +-
 appsec/src/extension/ddappsec_arginfo.h       |  23 ++--
 appsec/src/extension/dddefs.h                 |   6 +-
 appsec/src/extension/ddtrace.h                |   6 +-
 appsec/src/extension/duration_acc.h           |  10 +-
 appsec/src/extension/entity_body.c            |   2 +-
 appsec/src/extension/entity_body.h            |   6 +-
 appsec/src/extension/entity_body_arginfo.h    |  24 ++--
 appsec/src/extension/json_truncated_parser.h  |   3 +-
 appsec/src/extension/logging.h                |   7 +-
 appsec/src/extension/msgpack_helpers.h        |  12 +-
 appsec/src/extension/network.c                |   4 +-
 appsec/src/extension/php_compat.h             |  59 +++++----
 appsec/src/extension/php_helpers.h            |   2 +-
 appsec/src/extension/request_abort.c          |   6 +-
 appsec/src/extension/string_helpers.h         |   8 +-
 appsec/src/extension/tags.c                   |   8 +-
 appsec/src/extension/tags.h                   |   6 +-
 appsec/src/extension/tags_arginfo.h           | 114 ++++++++++++------
 appsec/src/extension/telemetry.h              |  13 +-
 appsec/src/extension/user_tracking.h          |   4 +-
 appsec/src/extension/xml_truncated_parser.h   |   2 +-
 appsec/src/helper/main.cpp                    |   2 +-
 appsec/src/helper/network/acceptor.cpp        |   4 +-
 appsec/src/helper/rate_limit.hpp              |   2 +-
 appsec/src/helper/rcu.h                       |  10 +-
 appsec/src/helper/remote_config/config.cpp    |   2 +-
 appsec/src/helper/remote_config/config.hpp    |   4 +-
 .../listeners/asm_features_listener.hpp       |   2 +-
 appsec/src/helper/runner.cpp                  |   2 +-
 appsec/src/helper/utils.cpp                   |   2 +-
 appsec/tests/helper/engine_test.cpp           |  17 +--
 42 files changed, 257 insertions(+), 206 deletions(-)

diff --git a/appsec/src/extension/attributes.h b/appsec/src/extension/attributes.h
index b25505ebf58..2c6adfac06a 100644
--- a/appsec/src/extension/attributes.h
+++ b/appsec/src/extension/attributes.h
@@ -1,32 +1,32 @@
 // Unless explicitly stated otherwise all files in this repository are
 // dual-licensed under the Apache-2.0 License or BSD-3-Clause License.
 //
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2021 Datadog, Inc.
+// This product includes software developed at Datadog
+// (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #ifndef DD_ATTRIBUTES_H
 #define DD_ATTRIBUTES_H
 
 #ifndef __has_feature
-# define __has_feature(x) 0
+#    define __has_feature(x) 0
 #endif
 
 #if !__has_feature(nullability)
-# ifndef _Nullable
-#  define _Nullable
-# endif
-# ifndef _Nonnull
-#  define _Nonnull
-# endif
-# ifndef _Null_unspecified
-#  define _Null_unspecified
-# endif
+#    ifndef _Nullable
+#        define _Nullable
+#    endif
+#    ifndef _Nonnull
+#        define _Nonnull
+#    endif
+#    ifndef _Null_unspecified
+#        define _Null_unspecified
+#    endif
 #endif
 
 #if defined(__has_attribute) && __has_attribute(format)
-#define ATTR_FORMAT(fmt_idx, first_arg_idx)                                    \
-    __attribute__((format(printf, fmt_idx, first_arg_idx)))
+#    define ATTR_FORMAT(fmt_idx, first_arg_idx)                                \
+        __attribute__((format(printf, fmt_idx, first_arg_idx)))
 #elif
-#define ATTR_FORMAT(fmt_idx, first_arg_idx)
+#    define ATTR_FORMAT(fmt_idx, first_arg_idx)
 #endif
 
 // see also zend_always_inline
@@ -69,9 +69,9 @@
 #endif
 
 #if defined(__GNUC__) && (__GNUC__ > 3 || __GNUC__ == 3 && __GNUC_MINOR__ > 0)
-# define may_alias __attribute((__may_alias__))
+#    define may_alias __attribute((__may_alias__))
 #else
-# define may_alias
+#    define may_alias
 #endif
 
 #define nonnull _Nonnull
@@ -79,13 +79,13 @@
 #define unspecnull _Null_unspecified
 
 #ifdef __cplusplus
-#define EXTERN_C extern "C"
-#define EXTERN_C_BEGIN extern "C" {
-#define EXTERN_C_END }
+#    define EXTERN_C extern "C"
+#    define EXTERN_C_BEGIN extern "C" {
+#    define EXTERN_C_END }
 #else
-#define EXTERN_C
-#define EXTERN_C_BEGIN
-#define EXTERN_C_END
+#    define EXTERN_C
+#    define EXTERN_C_BEGIN
+#    define EXTERN_C_END
 #endif
 
 #define PACKED __attribute__((__packed__))
diff --git a/appsec/src/extension/commands/client_init.h b/appsec/src/extension/commands/client_init.h
index ad4170cf108..9c59963f01f 100644
--- a/appsec/src/extension/commands/client_init.h
+++ b/appsec/src/extension/commands/client_init.h
@@ -1,11 +1,11 @@
 // Unless explicitly stated otherwise all files in this repository are
 // dual-licensed under the Apache-2.0 License or BSD-3-Clause License.
 //
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2021 Datadog, Inc.
+// This product includes software developed at Datadog
+// (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
-#include "../network.h"
 #include "../commands_ctx.h"
+#include "../network.h"
 
 dd_result dd_client_init(dd_conn *nonnull conn, struct req_info *nonnull ctx);
diff --git a/appsec/src/extension/commands/config_sync.h b/appsec/src/extension/commands/config_sync.h
index d921538254c..5676edf9d80 100644
--- a/appsec/src/extension/commands/config_sync.h
+++ b/appsec/src/extension/commands/config_sync.h
@@ -5,8 +5,8 @@
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
-#include "../network.h"
 #include "../ddtrace.h"
+#include "../network.h"
 
 struct config_sync_data {
     char *nullable rem_cfg_path;
diff --git a/appsec/src/extension/commands/request_init.h b/appsec/src/extension/commands/request_init.h
index 17600709068..7c16b9416fa 100644
--- a/appsec/src/extension/commands/request_init.h
+++ b/appsec/src/extension/commands/request_init.h
@@ -1,12 +1,12 @@
 // Unless explicitly stated otherwise all files in this repository are
 // dual-licensed under the Apache-2.0 License or BSD-3-Clause License.
 //
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2021 Datadog, Inc.
+// This product includes software developed at Datadog
+// (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
-#include "../network.h"
 #include "../commands_ctx.h"
+#include "../network.h"
 
 struct req_info_init {
     struct req_info req_info;
diff --git a/appsec/src/extension/commands/request_shutdown.c b/appsec/src/extension/commands/request_shutdown.c
index 722e50dd764..dc845e665c6 100644
--- a/appsec/src/extension/commands/request_shutdown.c
+++ b/appsec/src/extension/commands/request_shutdown.c
@@ -130,7 +130,7 @@ static void _pack_headers_no_cookies_llist(
 
     zend_llist_position pos;
     for (sapi_header_struct *header = zend_llist_get_first_ex(hl, &pos); header;
-         header = zend_llist_get_next_ex(hl, &pos)) {
+        header = zend_llist_get_next_ex(hl, &pos)) {
         const char *pcol = memchr(header->header, ':', header->header_len);
         if (!pcol) {
             continue;
@@ -172,7 +172,7 @@ static void _pack_headers_no_cookies_llist(
         mpack_start_array(w, zend_llist_count(coll));
         zend_llist_position p;
         for (struct _header_val *hv = zend_llist_get_first_ex(coll, &p); hv;
-             hv = zend_llist_get_next_ex(coll, &p)) {
+            hv = zend_llist_get_next_ex(coll, &p)) {
             dd_mpack_write_nullable_str_lim(
                 w, hv->val, hv->len, DD_MPACK_DEF_STRING_LIMIT);
         }
@@ -189,7 +189,7 @@ static const char *nullable _header_content_type_llist(
 {
     zend_llist_position pos;
     for (sapi_header_struct *header = zend_llist_get_first_ex(hl, &pos); header;
-         header = zend_llist_get_next_ex(hl, &pos)) {
+        header = zend_llist_get_next_ex(hl, &pos)) {
         if (header->header_len >= LSTRLEN("content-type") &&
             strncasecmp(header->header, LSTRARG("content-type")) == 0) {
             const char *pcol = memchr(header->header, ':', header->header_len);
diff --git a/appsec/src/extension/commands/request_shutdown.h b/appsec/src/extension/commands/request_shutdown.h
index e421b0a54ec..c67a22a1869 100644
--- a/appsec/src/extension/commands/request_shutdown.h
+++ b/appsec/src/extension/commands/request_shutdown.h
@@ -1,13 +1,13 @@
 // Unless explicitly stated otherwise all files in this repository are
 // dual-licensed under the Apache-2.0 License or BSD-3-Clause License.
 //
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2021 Datadog, Inc.
+// This product includes software developed at Datadog
+// (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
-#include "../network.h"
 #include "../attributes.h"
 #include "../commands_ctx.h"
+#include "../network.h"
 #include <Zend/zend_llist.h>
 
 struct req_shutdown_info {
diff --git a/appsec/src/extension/commands_ctx.h b/appsec/src/extension/commands_ctx.h
index 2aa1754797b..7f7e40df8e9 100644
--- a/appsec/src/extension/commands_ctx.h
+++ b/appsec/src/extension/commands_ctx.h
@@ -1,8 +1,8 @@
 #pragma once
 
-#include <php.h>
 #include "attributes.h"
 #include "request_abort.h"
+#include <php.h>
 
 struct req_info {
     const char *nullable command_name; // for logging
diff --git a/appsec/src/extension/commands_helpers.c b/appsec/src/extension/commands_helpers.c
index f589b94d0b5..8c7cafee00c 100644
--- a/appsec/src/extension/commands_helpers.c
+++ b/appsec/src/extension/commands_helpers.c
@@ -811,7 +811,7 @@ static void _dump_out_msg(dd_log_level_t lvl, zend_llist *iovecs)
     zend_llist_position pos;
     int i = 1;
     for (struct iovec *iov = zend_llist_get_first_ex(iovecs, &pos); iov;
-         iov = zend_llist_get_next_ex(iovecs, &pos), i++) {
+        iov = zend_llist_get_next_ex(iovecs, &pos), i++) {
         zend_string *zstr = php_base64_encode(iov->iov_base, iov->iov_len);
         if (ZSTR_LEN(zstr) > INT_MAX) {
             return;
diff --git a/appsec/src/extension/commands_helpers.h b/appsec/src/extension/commands_helpers.h
index 459fa0ac1d8..45321bb0aa3 100644
--- a/appsec/src/extension/commands_helpers.h
+++ b/appsec/src/extension/commands_helpers.h
@@ -5,8 +5,8 @@
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
-#include "commands_ctx.h"
 #include "attributes.h"
+#include "commands_ctx.h"
 #include "dddefs.h"
 #include "network.h"
 #include <mpack.h>
diff --git a/appsec/src/extension/compatibility.h b/appsec/src/extension/compatibility.h
index b9e9ad79547..1e8d62ffb53 100644
--- a/appsec/src/extension/compatibility.h
+++ b/appsec/src/extension/compatibility.h
@@ -4,8 +4,13 @@
 #include <php.h>
 
 #if PHP_VERSION_ID < 80400
-#undef ZEND_RAW_FENTRY
-#define ZEND_RAW_FENTRY(zend_name, name, arg_info, flags, ...)   { zend_name, name, arg_info, (uint32_t) (sizeof(arg_info)/sizeof(struct _zend_internal_arg_info)-1), flags },
+#    undef ZEND_RAW_FENTRY
+#    define ZEND_RAW_FENTRY(zend_name, name, arg_info, flags, ...)             \
+        {zend_name, name, arg_info,                                            \
+            (uint32_t)(sizeof(arg_info) /                                      \
+                           sizeof(struct _zend_internal_arg_info) -            \
+                       1),                                                     \
+            flags},
 #endif
 
-#endif  // DD_COMPATIBILITY_H
+#endif // DD_COMPATIBILITY_H
diff --git a/appsec/src/extension/ddappsec.c b/appsec/src/extension/ddappsec.c
index e839b60dd95..d8106a82e02 100644
--- a/appsec/src/extension/ddappsec.c
+++ b/appsec/src/extension/ddappsec.c
@@ -131,7 +131,7 @@ static void ddappsec_sort_modules(void *base, size_t count, size_t siz,
 
     // Reorder ddappsec to ensure it's always after ddtrace
     for (Bucket *module = base, *end = module + count, *ddappsec_module = NULL;
-         module < end; ++module) {
+        module < end; ++module) {
         zend_module_entry *m = (zend_module_entry *)Z_PTR(module->val);
         if (m->name == ddappsec_module_entry.name) {
             ddappsec_module = module;
diff --git a/appsec/src/extension/ddappsec_arginfo.h b/appsec/src/extension/ddappsec_arginfo.h
index c642dc2ed3d..ac489c4a3e3 100644
--- a/appsec/src/extension/ddappsec_arginfo.h
+++ b/appsec/src/extension/ddappsec_arginfo.h
@@ -1,20 +1,23 @@
 /* This is a generated file, edit the .stub.php file instead.
  * Stub hash: 12b545740a93f0ea5f4ecfdfc3a95fb144161bd2 */
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_is_enabled, 0, 0, _IS_BOOL, 0)
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_is_enabled, 0, 0, _IS_BOOL, 0)
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_push_addresses, 0, 1, _IS_BOOL, 0)
-	ZEND_ARG_TYPE_INFO(0, addresses, IS_ARRAY, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, rasp_rule, IS_STRING, 0, "\'\'")
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, rule_variant, IS_STRING, 0, "\'\'")
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_push_addresses, 0, 1, _IS_BOOL, 0)
+ZEND_ARG_TYPE_INFO(0, addresses, IS_ARRAY, 0)
+ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, rasp_rule, IS_STRING, 0, "\'\'")
+ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, rule_variant, IS_STRING, 0, "\'\'")
 ZEND_END_ARG_INFO()
 
 ZEND_FUNCTION(datadog_appsec_is_enabled);
 ZEND_FUNCTION(datadog_appsec_push_addresses);
 
-static const zend_function_entry ext_functions[] = {
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "is_enabled"), zif_datadog_appsec_is_enabled, arginfo_datadog_appsec_is_enabled, 0, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "push_addresses"), zif_datadog_appsec_push_addresses, arginfo_datadog_appsec_push_addresses, 0, NULL, NULL)
-	ZEND_FE_END
-};
+static const zend_function_entry ext_functions[] = {ZEND_RAW_FENTRY(
+    ZEND_NS_NAME("datadog\\appsec", "is_enabled"),
+    zif_datadog_appsec_is_enabled, arginfo_datadog_appsec_is_enabled, 0, NULL,
+    NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "push_addresses"),
+    zif_datadog_appsec_push_addresses, arginfo_datadog_appsec_push_addresses, 0,
+    NULL, NULL) ZEND_FE_END};
diff --git a/appsec/src/extension/dddefs.h b/appsec/src/extension/dddefs.h
index da9c57c9ccb..0df47469161 100644
--- a/appsec/src/extension/dddefs.h
+++ b/appsec/src/extension/dddefs.h
@@ -15,9 +15,9 @@ typedef enum {
     dd_should_block, // caller should abort the request
     dd_should_redirect, // caller should redirect the request
     dd_should_record,
-    dd_error,           // misc error
-    dd_try_later,       // non-fatal error, try again
-    dd_helper_error     // helper failed to process message (non-fatal)
+    dd_error,       // misc error
+    dd_try_later,   // non-fatal error, try again
+    dd_helper_error // helper failed to process message (non-fatal)
 } dd_result;
 
 const char *nonnull dd_result_to_string(dd_result result);
diff --git a/appsec/src/extension/ddtrace.h b/appsec/src/extension/ddtrace.h
index 4b845bf0432..2d1bd7154cb 100644
--- a/appsec/src/extension/ddtrace.h
+++ b/appsec/src/extension/ddtrace.h
@@ -5,9 +5,9 @@
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
+#include "attributes.h"
 #include <stdbool.h>
 #include <zend.h>
-#include "attributes.h"
 
 static const int PRIORITY_SAMPLING_AUTO_KEEP = 1;
 static const int PRIORITY_SAMPLING_AUTO_REJECT = 0;
@@ -123,5 +123,5 @@ typedef enum {
 
 extern void (*nullable ddtrace_metric_register_buffer)(
     zend_string *nonnull name, ddtrace_metric_type type, ddtrace_metric_ns ns);
-extern bool (*nullable ddtrace_metric_add_point)(zend_string *nonnull name,
-    double value, zend_string *nonnull tags);
+extern bool (*nullable ddtrace_metric_add_point)(
+    zend_string *nonnull name, double value, zend_string *nonnull tags);
diff --git a/appsec/src/extension/duration_acc.h b/appsec/src/extension/duration_acc.h
index 7301ca39cfe..8fa9b394718 100644
--- a/appsec/src/extension/duration_acc.h
+++ b/appsec/src/extension/duration_acc.h
@@ -1,9 +1,10 @@
 #pragma once
 
-// php_compat.h must precede attributes.h: attributes.h defines `nonnull` as _Nonnull
-// (empty on GCC), which breaks PHP 8.4+'s __has_attribute(nonnull) in zend_portability.h.
-#include "php_compat.h"  // NOLINT(llvm-include-order)
+// php_compat.h must precede attributes.h: attributes.h defines `nonnull` as
+// _Nonnull (empty on GCC), which breaks PHP 8.4+'s __has_attribute(nonnull) in
+// zend_portability.h.
 #include "attributes.h"
+#include "php_compat.h" // NOLINT(llvm-include-order)
 #include <time.h>
 
 static inline struct timespec dd_monotime_start(void)
@@ -16,7 +17,8 @@ static inline struct timespec dd_monotime_start(void)
 void dd_duration_startup(void);
 void dd_duration_shutdown(void);
 void dd_duration_reset_globals(void); // call on rinit/user req begin
-void dd_duration_flush_metrics(zend_object *nonnull span); // call on rshutdown/user req shutdown
+void dd_duration_flush_metrics(
+    zend_object *nonnull span); // call on rshutdown/user req shutdown
 
 // RASP round-trip time
 void dd_duration_rasp_ext_account(const struct timespec *nonnull start);
diff --git a/appsec/src/extension/entity_body.c b/appsec/src/extension/entity_body.c
index 4c27daf809f..df94e3ef455 100644
--- a/appsec/src/extension/entity_body.c
+++ b/appsec/src/extension/entity_body.c
@@ -192,7 +192,7 @@ static bool _assume_utf8(const char *ct, size_t ct_len)
         return true;
     }
     for (const char *end = ct + ct_len, *c = psemi + 1;
-         c < end - LSTRLEN("charset=utf-8") + 1; c++) {
+        c < end - LSTRLEN("charset=utf-8") + 1; c++) {
         if (tolower(*c) == 'c' && tolower(*(c + 1)) == 'h' &&
             tolower(*(c + 2)) == 'a' && tolower(*(c + 3)) == 'r' &&
             tolower(*(c + 4)) == 's' && tolower(*(c + 5)) == 'e' && // NOLINT
diff --git a/appsec/src/extension/entity_body.h b/appsec/src/extension/entity_body.h
index a6eb0454a58..556cd023c7e 100644
--- a/appsec/src/extension/entity_body.h
+++ b/appsec/src/extension/entity_body.h
@@ -1,12 +1,12 @@
 // Unless explicitly stated otherwise all files in this repository are
 // dual-licensed under the Apache-2.0 License or BSD-3-Clause License.
 //
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2021 Datadog, Inc.
+// This product includes software developed at Datadog
+// (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
-#include <php.h>
 #include "attributes.h"
+#include <php.h>
 #include <stdbool.h>
 
 void dd_entity_body_startup(void);
diff --git a/appsec/src/extension/entity_body_arginfo.h b/appsec/src/extension/entity_body_arginfo.h
index 9288eaae281..c7a80db468e 100644
--- a/appsec/src/extension/entity_body_arginfo.h
+++ b/appsec/src/extension/entity_body_arginfo.h
@@ -1,23 +1,23 @@
 /* This is a generated file, edit the .stub.php file instead.
  * Stub hash: dfa1f0081bab0c798625353df5966ae21e7c4b89 */
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_convert_xml, 0, 2, IS_ARRAY, 1)
-	ZEND_ARG_TYPE_INFO(0, xml, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO(0, contentType, IS_STRING, 0)
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_convert_xml, 0, 2, IS_ARRAY, 1)
+ZEND_ARG_TYPE_INFO(0, xml, IS_STRING, 0)
+ZEND_ARG_TYPE_INFO(0, contentType, IS_STRING, 0)
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_convert_json, 0, 1, IS_MIXED, 1)
-	ZEND_ARG_TYPE_INFO(0, json, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, maxDepth, IS_LONG, 0, "30")
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_convert_json, 0, 1, IS_MIXED, 1)
+ZEND_ARG_TYPE_INFO(0, json, IS_STRING, 0)
+ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, maxDepth, IS_LONG, 0, "30")
 ZEND_END_ARG_INFO()
 
-
 ZEND_FUNCTION(datadog_appsec_convert_xml);
 ZEND_FUNCTION(datadog_appsec_convert_json);
 
-
 static const zend_function_entry ext_functions[] = {
-	ZEND_NS_FALIAS("datadog\\appsec", convert_xml, datadog_appsec_convert_xml, arginfo_datadog_appsec_convert_xml)
-	ZEND_NS_FALIAS("datadog\\appsec", convert_json, datadog_appsec_convert_json, arginfo_datadog_appsec_convert_json)
-	ZEND_FE_END
-};
+    ZEND_NS_FALIAS("datadog\\appsec", convert_xml, datadog_appsec_convert_xml,
+        arginfo_datadog_appsec_convert_xml) ZEND_NS_FALIAS("datadog\\appsec",
+        convert_json, datadog_appsec_convert_json,
+        arginfo_datadog_appsec_convert_json) ZEND_FE_END};
diff --git a/appsec/src/extension/json_truncated_parser.h b/appsec/src/extension/json_truncated_parser.h
index 379c8cb98a7..31df9472fb8 100644
--- a/appsec/src/extension/json_truncated_parser.h
+++ b/appsec/src/extension/json_truncated_parser.h
@@ -21,7 +21,8 @@ extern "C" {
  * @param max_depth Maximum recursion depth for nested structures
  * @return zval containing parsed data, or NULL zval on failure
  */
-zval dd_parse_json_truncated(const char* json_data, size_t json_len, int max_depth);
+zval dd_parse_json_truncated(
+    const char *json_data, size_t json_len, int max_depth);
 
 #ifdef __cplusplus
 }
diff --git a/appsec/src/extension/logging.h b/appsec/src/extension/logging.h
index 738722c8589..456619d3a73 100644
--- a/appsec/src/extension/logging.h
+++ b/appsec/src/extension/logging.h
@@ -5,10 +5,10 @@
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
+#include "attributes.h"
 #include "configuration.h"
 #include "php_helpers.h"
 #include <stdbool.h>
-#include "attributes.h"
 
 /* log levels - the first argument to the mlog helper
  * The lower the number, the higher the priority */
@@ -35,8 +35,9 @@ static inline dd_log_level_t dd_log_level(void)
     if (!_dd_log_config_ready) {
         return dd_log_warning;
     }
-    return (dd_log_level_t)(runtime_config_first_init ? get_DD_APPSEC_LOG_LEVEL()
-                                                      : get_global_DD_APPSEC_LOG_LEVEL());
+    return (dd_log_level_t)(runtime_config_first_init
+                                ? get_DD_APPSEC_LOG_LEVEL()
+                                : get_global_DD_APPSEC_LOG_LEVEL());
 }
 
 void dd_log_startup_before_cfg(void);
diff --git a/appsec/src/extension/msgpack_helpers.h b/appsec/src/extension/msgpack_helpers.h
index 9cb227b1756..f14fd6d1a53 100644
--- a/appsec/src/extension/msgpack_helpers.h
+++ b/appsec/src/extension/msgpack_helpers.h
@@ -6,8 +6,8 @@
 #ifndef DD_MSGPACK_HELPERS_H
 #define DD_MSGPACK_HELPERS_H
 
-#include "string_helpers.h"
 #include "attributes.h"
+#include "string_helpers.h"
 #include <mpack.h>
 #include <php.h>
 
@@ -36,7 +36,7 @@ static inline bool dd_mpack_limits_reached(dd_mpack_limits *nonnull limits)
         memcmp(mpack_node_str(node), "" lstr, LSTRLEN(lstr)) == 0)
 
 #define dd_mpack_node_str_eq(node, str, len)                                   \
-    (mpack_node_strlen(node) == (len) &&                                         \
+    (mpack_node_strlen(node) == (len) &&                                       \
         memcmp(mpack_node_str(node), str, len) == 0)
 
 #define dd_mpack_write_lstr(w, str) mpack_write_str(w, str, LSTRLEN(str))
@@ -45,8 +45,8 @@ static inline bool dd_mpack_limits_reached(dd_mpack_limits *nonnull limits)
 
 void dd_mpack_write_nullable_cstr(
     mpack_writer_t *nonnull w, const char *nullable cstr);
-void dd_mpack_write_nullable_cstr_lim(mpack_writer_t *nonnull w,
-    const char *nullable cstr, size_t max_len);
+void dd_mpack_write_nullable_cstr_lim(
+    mpack_writer_t *nonnull w, const char *nullable cstr, size_t max_len);
 void dd_mpack_write_nullable_str(
     mpack_writer_t *nonnull w, const char *nullable str, size_t len);
 void dd_mpack_write_nullable_str_lim(mpack_writer_t *nonnull w,
@@ -54,8 +54,8 @@ void dd_mpack_write_nullable_str_lim(mpack_writer_t *nonnull w,
 
 void dd_mpack_write_zstr(
     mpack_writer_t *nonnull w, const zend_string *nonnull zstr);
-void dd_mpack_write_zstr_lim(mpack_writer_t *nonnull w,
-    const zend_string *nonnull zstr, size_t max_len);
+void dd_mpack_write_zstr_lim(
+    mpack_writer_t *nonnull w, const zend_string *nonnull zstr, size_t max_len);
 void dd_mpack_write_nullable_zstr(
     mpack_writer_t *nonnull w, const zend_string *nullable zstr);
 void dd_mpack_write_nullable_zstr_lim(mpack_writer_t *nonnull w,
diff --git a/appsec/src/extension/network.c b/appsec/src/extension/network.c
index 641853c6c1f..86f7ee58824 100644
--- a/appsec/src/extension/network.c
+++ b/appsec/src/extension/network.c
@@ -187,7 +187,7 @@ static size_t _iovecs_total_size(zend_llist *nonnull iovecs)
     zend_llist_position pos;
     size_t total = 0;
     for (struct iovec *iov = zend_llist_get_first_ex(iovecs, &pos); iov;
-         iov = zend_llist_get_next_ex(iovecs, &pos)) {
+        iov = zend_llist_get_next_ex(iovecs, &pos)) {
         total += iov->iov_len;
     }
     return total;
@@ -212,7 +212,7 @@ dd_result dd_conn_sendv(dd_conn *nonnull conn, zend_llist *nonnull iovecs)
     zend_llist_position pos;
     size_t i = 1;
     for (struct iovec *iov = zend_llist_get_first_ex(iovecs, &pos); iov;
-         iov = zend_llist_get_next_ex(iovecs, &pos), i++) {
+        iov = zend_llist_get_next_ex(iovecs, &pos), i++) {
         iovs[i] = *iov;
     }
 
diff --git a/appsec/src/extension/php_compat.h b/appsec/src/extension/php_compat.h
index 4bbea5d4aab..7da9d496ab2 100644
--- a/appsec/src/extension/php_compat.h
+++ b/appsec/src/extension/php_compat.h
@@ -1,8 +1,8 @@
 // Unless explicitly stated otherwise all files in this repository are
 // dual-licensed under the Apache-2.0 License or BSD-3-Clause License.
 //
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2021 Datadog, Inc.
+// This product includes software developed at Datadog
+// (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
 #include <php.h>
@@ -16,9 +16,9 @@
 #    define HT_IS_PACKED(ht) 0
 #    define HT_IS_WITHOUT_HOLES(ht) 0
 
-#define MAY_BE_NULL 0
-#define MAY_BE_STRING 0
-#define MAY_BE_ARRAY 0
+#    define MAY_BE_NULL 0
+#    define MAY_BE_STRING 0
+#    define MAY_BE_ARRAY 0
 
 #    include <Zend/zend_smart_str.h>
 void zend_print_zval_r_to_buf_compat(smart_str *buf, zval *expr, int indent);
@@ -35,19 +35,24 @@ static inline zend_string *zend_print_zval_r_to_str(zval *expr, int indent)
 #    undef ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX
 #    undef ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO
 
-#    define ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(name, return_reference, required_num_args, type, allow_null) \
-    static const zend_internal_arg_info name[] = { \
-        { (const char*)(zend_uintptr_t)(required_num_args), NULL, type, return_reference, allow_null, 0 },
+#    define ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(                           \
+        name, return_reference, required_num_args, type, allow_null)           \
+        static const zend_internal_arg_info name[] = {                         \
+            {(const char *)(zend_uintptr_t)(required_num_args), NULL, type,    \
+                return_reference, allow_null, 0},
 
-#    define ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO(name, type, allow_null) \
-    ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(name, 0, -1, type, allow_null)
+#    define ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO(name, type, allow_null)       \
+        ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(name, 0, -1, type, allow_null)
 
-#    define ZEND_BEGIN_ARG_WITH_RETURN_OBJ_INFO_EX(name, return_reference, required_num_args, class_name, allow_null) \
-    static const zend_internal_arg_info name[] = { \
-        { (const char*)(zend_uintptr_t)(required_num_args), #class_name, IS_OBJECT, return_reference, allow_null, 0 },
+#    define ZEND_BEGIN_ARG_WITH_RETURN_OBJ_INFO_EX(                            \
+        name, return_reference, required_num_args, class_name, allow_null)     \
+        static const zend_internal_arg_info name[] = {                         \
+            {(const char *)(zend_uintptr_t)(required_num_args), #class_name,   \
+                IS_OBJECT, return_reference, allow_null, 0},
 
-#    define ZEND_BEGIN_ARG_WITH_RETURN_OBJ_INFO(name, class_name, allow_null) \
-    ZEND_BEGIN_ARG_WITH_RETURN_OBJ_INFO_EX(name, 0, -1, class_name, allow_null)
+#    define ZEND_BEGIN_ARG_WITH_RETURN_OBJ_INFO(name, class_name, allow_null)  \
+        ZEND_BEGIN_ARG_WITH_RETURN_OBJ_INFO_EX(                                \
+            name, 0, -1, class_name, allow_null)
 
 // persistent must be true iif we're on the startup phase
 static zend_always_inline zend_string *zend_string_init_interned(
@@ -92,7 +97,8 @@ static zend_always_inline void _gc_try_delref(zend_refcounted_h *_rc)
 zend_bool zend_ini_parse_bool(zend_string *str);
 #    define zend_string_efree zend_string_free
 
-static inline HashTable *zend_new_array(uint32_t nSize) {
+static inline HashTable *zend_new_array(uint32_t nSize)
+{
     HashTable *ht = (HashTable *)emalloc(sizeof(HashTable));
     zend_hash_init(ht, nSize, dummy, ZVAL_PTR_DTOR, 0);
     return ht;
@@ -107,13 +113,16 @@ zend_bool try_convert_to_string(zval *op);
 
 #if PHP_VERSION_ID < 80000
 /* ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE was added in PHP 8.0 */
-#define ZEND_ARG_TYPE_MASK(pass_by_ref, name, type_mask, default_value) ZEND_ARG_INFO_WITH_DEFAULT_VALUE(pass_by_ref, name, default_value)
-#define ZEND_ARG_INFO_WITH_DEFAULT_VALUE(pass_by_ref, name, default_value) ZEND_ARG_INFO(pass_by_ref, name)
-#ifndef ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE
-#    define ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(pass_by_ref, name, type_hint, allow_null, default_value) \
-        ZEND_ARG_TYPE_INFO(pass_by_ref, name, type_hint, allow_null)
-#endif
-#define IS_MIXED 0
+#    define ZEND_ARG_TYPE_MASK(pass_by_ref, name, type_mask, default_value)    \
+        ZEND_ARG_INFO_WITH_DEFAULT_VALUE(pass_by_ref, name, default_value)
+#    define ZEND_ARG_INFO_WITH_DEFAULT_VALUE(pass_by_ref, name, default_value) \
+        ZEND_ARG_INFO(pass_by_ref, name)
+#    ifndef ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE
+#        define ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(                         \
+            pass_by_ref, name, type_hint, allow_null, default_value)           \
+            ZEND_ARG_TYPE_INFO(pass_by_ref, name, type_hint, allow_null)
+#    endif
+#    define IS_MIXED 0
 #endif
 
 #if PHP_VERSION_ID >= 70300 && PHP_VERSION_ID < 80000
@@ -123,7 +132,7 @@ static zend_always_inline void _gc_try_addref(zend_refcounted_h *rc)
         rc->refcount++;
     }
 }
-#define GC_TRY_ADDREF(p) _gc_try_addref(&(p)->gc)
+#    define GC_TRY_ADDREF(p) _gc_try_addref(&(p)->gc)
 #endif
 #if PHP_VERSION_ID >= 70300 && PHP_VERSION_ID < 80100
 static zend_always_inline void _gc_try_delref(zend_refcounted_h *rc)
@@ -132,7 +141,7 @@ static zend_always_inline void _gc_try_delref(zend_refcounted_h *rc)
         rc->refcount--;
     }
 }
-#define GC_TRY_DELREF(p) _gc_try_delref(&(p)->gc)
+#    define GC_TRY_DELREF(p) _gc_try_delref(&(p)->gc)
 #endif
 
 #if PHP_VERSION_ID < 80100
diff --git a/appsec/src/extension/php_helpers.h b/appsec/src/extension/php_helpers.h
index 4489abd9879..d8f8e61ca38 100644
--- a/appsec/src/extension/php_helpers.h
+++ b/appsec/src/extension/php_helpers.h
@@ -5,8 +5,8 @@
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
-#include <php.h>
 #include "attributes.h"
+#include <php.h>
 
 #ifdef ZTS
 #    define THREAD_LOCAL_ON_ZTS __thread
diff --git a/appsec/src/extension/request_abort.c b/appsec/src/extension/request_abort.c
index 3424c89c229..728ab9eaedd 100644
--- a/appsec/src/extension/request_abort.c
+++ b/appsec/src/extension/request_abort.c
@@ -667,9 +667,9 @@ static void _run_rshutdowns(void)
 
     mlog_g(dd_log_debug, "Running remaining extensions' RSHUTDOWN");
     for (zend_hash_internal_pointer_end_ex(&module_registry, &pos);
-         (module = zend_hash_get_current_data_ptr_ex(&module_registry, &pos)) !=
-         NULL;
-         zend_hash_move_backwards_ex(&module_registry, &pos)) {
+        (module = zend_hash_get_current_data_ptr_ex(&module_registry, &pos)) !=
+        NULL;
+        zend_hash_move_backwards_ex(&module_registry, &pos)) {
         if (!found_ddappsec && strcmp("ddappsec", module->name) == 0) {
             found_ddappsec = true;
             continue;
diff --git a/appsec/src/extension/string_helpers.h b/appsec/src/extension/string_helpers.h
index 7cf09f11c0a..5a81edffda9 100644
--- a/appsec/src/extension/string_helpers.h
+++ b/appsec/src/extension/string_helpers.h
@@ -1,8 +1,8 @@
 // Unless explicitly stated otherwise all files in this repository are
 // dual-licensed under the Apache-2.0 License or BSD-3-Clause License.
 //
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2021 Datadog, Inc.
+// This product includes software developed at Datadog
+// (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
 #include "attributes.h"
@@ -12,10 +12,10 @@
 
 #define STR_FOR_FMT(a) ((a) != NULL ? (a) : "(null)")
 
-#define STR_CONS_EQ(str, len, cons) \
+#define STR_CONS_EQ(str, len, cons)                                            \
     (sizeof("" cons) - 1 == len && memcmp(str, cons, len) == 0)
 
-#define STR_STARTS_WITH_CONS(str, len, cons) \
+#define STR_STARTS_WITH_CONS(str, len, cons)                                   \
     (sizeof("" cons) - 1 <= len && memcmp(str, cons, sizeof(cons) - 1) == 0)
 
 #define LSTRLEN(str) (sizeof(str "") - 1)
diff --git a/appsec/src/extension/tags.c b/appsec/src/extension/tags.c
index ed243e5a859..fccc545fe6f 100644
--- a/appsec/src/extension/tags.c
+++ b/appsec/src/extension/tags.c
@@ -477,7 +477,7 @@ static zend_string *_concat_json_fragments(void)
 
     zend_llist_position pos;
     for (zend_string **sp = zend_llist_get_first_ex(&_appsec_json_frags, &pos);
-         sp != NULL; sp = zend_llist_get_next_ex(&_appsec_json_frags, &pos)) {
+        sp != NULL; sp = zend_llist_get_next_ex(&_appsec_json_frags, &pos)) {
         zend_string *s = *sp;
         needed_len += ZSTR_LEN(s);
     }
@@ -489,8 +489,8 @@ static zend_string *_concat_json_fragments(void)
 
     size_t i = 0;
     for (zend_string **sp = zend_llist_get_first_ex(&_appsec_json_frags, &pos);
-         sp != NULL;
-         sp = zend_llist_get_next_ex(&_appsec_json_frags, &pos), i++) {
+        sp != NULL;
+        sp = zend_llist_get_next_ex(&_appsec_json_frags, &pos), i++) {
         if (i != 0) {
             *buf++ = ',';
         }
@@ -804,7 +804,7 @@ static void _dd_response_headers(zend_array *meta_ht)
     zend_llist *l = &SG(sapi_headers).headers;
     zend_llist_position pos;
     for (sapi_header_struct *header = zend_llist_get_first_ex(l, &pos); header;
-         header = zend_llist_get_next_ex(l, &pos)) {
+        header = zend_llist_get_next_ex(l, &pos)) {
         const char *pcol = memchr(header->header, ':', header->header_len);
         if (!pcol) {
             if (header->header_len <= INT_MAX) {
diff --git a/appsec/src/extension/tags.h b/appsec/src/extension/tags.h
index bc50195259e..2c219e55f0e 100644
--- a/appsec/src/extension/tags.h
+++ b/appsec/src/extension/tags.h
@@ -4,12 +4,11 @@
 // This product includes software developed at Datadog
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
-#include "configuration.h"
 #include "attributes.h"
+#include "configuration.h"
 #include <php.h>
 #include <stdbool.h>
 #include <zend.h>
-#include "attributes.h"
 
 #define DD_TAG_DATA_MAX_LEN (1024UL * 1024UL)
 
@@ -17,7 +16,8 @@ void dd_tags_startup(void);
 void dd_tags_shutdown(void);
 void dd_tags_rinit(void);
 void dd_tags_rshutdown(void);
-void dd_tags_add_tags(zend_object *nonnull span, zend_array *nullable superglob_equiv);
+void dd_tags_add_tags(
+    zend_object *nonnull span, zend_array *nullable superglob_equiv);
 void dd_tags_set_user_event_triggered(void);
 
 // Copies (or increases refcount) of zstr
diff --git a/appsec/src/extension/tags_arginfo.h b/appsec/src/extension/tags_arginfo.h
index 5d790d7a996..2cf3247880b 100644
--- a/appsec/src/extension/tags_arginfo.h
+++ b/appsec/src/extension/tags_arginfo.h
@@ -1,46 +1,58 @@
 /* This is a generated file, edit the .stub.php file instead.
  * Stub hash: cf49b514da3ab250e03685f2cabc7ed20575bfa7 */
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_track_user_signup_event, 0, 1, IS_VOID, 0)
-	ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 0, "[]")
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_track_user_signup_event, 0, 1, IS_VOID, 0)
+ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 0)
+ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 0, "[]")
 ZEND_END_ARG_INFO()
 
-#define arginfo_datadog_appsec_track_user_login_success_event arginfo_datadog_appsec_track_user_signup_event
+#define arginfo_datadog_appsec_track_user_login_success_event                  \
+    arginfo_datadog_appsec_track_user_signup_event
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_track_user_login_failure_event, 0, 2, IS_VOID, 0)
-	ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO(0, exists, _IS_BOOL, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 0, "[]")
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_track_user_login_failure_event, 0, 2, IS_VOID, 0)
+ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 0)
+ZEND_ARG_TYPE_INFO(0, exists, _IS_BOOL, 0)
+ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 0, "[]")
 ZEND_END_ARG_INFO()
 
-#define arginfo_datadog_appsec_track_authenticated_user_event arginfo_datadog_appsec_track_user_signup_event
+#define arginfo_datadog_appsec_track_authenticated_user_event                  \
+    arginfo_datadog_appsec_track_user_signup_event
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_track_custom_event, 0, 1, IS_VOID, 0)
-	ZEND_ARG_TYPE_INFO(0, event_name, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 0, "[]")
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_track_custom_event, 0, 1, IS_VOID, 0)
+ZEND_ARG_TYPE_INFO(0, event_name, IS_STRING, 0)
+ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 0, "[]")
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_internal_track_user_signup_event_automated, 0, 3, IS_VOID, 0)
-	ZEND_ARG_TYPE_INFO(0, framework, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO(0, user_login, IS_STRING, 1)
-	ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 1)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 1, "null")
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_internal_track_user_signup_event_automated, 0, 3,
+    IS_VOID, 0)
+ZEND_ARG_TYPE_INFO(0, framework, IS_STRING, 0)
+ZEND_ARG_TYPE_INFO(0, user_login, IS_STRING, 1)
+ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 1)
+ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 1, "null")
 ZEND_END_ARG_INFO()
 
-#define arginfo_datadog_appsec_internal_track_user_login_success_event_automated arginfo_datadog_appsec_internal_track_user_signup_event_automated
+#define arginfo_datadog_appsec_internal_track_user_login_success_event_automated \
+    arginfo_datadog_appsec_internal_track_user_signup_event_automated
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_internal_track_user_login_failure_event_automated, 0, 4, IS_VOID, 0)
-	ZEND_ARG_TYPE_INFO(0, framework, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO(0, user_login, IS_STRING, 1)
-	ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 1)
-	ZEND_ARG_TYPE_INFO(0, exists, _IS_BOOL, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 1, "null")
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_internal_track_user_login_failure_event_automated, 0,
+    4, IS_VOID, 0)
+ZEND_ARG_TYPE_INFO(0, framework, IS_STRING, 0)
+ZEND_ARG_TYPE_INFO(0, user_login, IS_STRING, 1)
+ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 1)
+ZEND_ARG_TYPE_INFO(0, exists, _IS_BOOL, 0)
+ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, metadata, IS_ARRAY, 1, "null")
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_datadog_appsec_internal_track_authenticated_user_event_automated, 0, 2, IS_VOID, 0)
-	ZEND_ARG_TYPE_INFO(0, framework, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 1)
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    arginfo_datadog_appsec_internal_track_authenticated_user_event_automated, 0,
+    2, IS_VOID, 0)
+ZEND_ARG_TYPE_INFO(0, framework, IS_STRING, 0)
+ZEND_ARG_TYPE_INFO(0, user_id, IS_STRING, 1)
 ZEND_END_ARG_INFO()
 
 ZEND_FUNCTION(datadog_appsec_track_user_signup_event);
@@ -53,15 +65,39 @@ ZEND_FUNCTION(datadog_appsec_internal_track_user_login_success_event_automated);
 ZEND_FUNCTION(datadog_appsec_internal_track_user_login_failure_event_automated);
 ZEND_FUNCTION(datadog_appsec_internal_track_authenticated_user_event_automated);
 
-static const zend_function_entry ext_functions[] = {
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "track_user_signup_event"), zif_datadog_appsec_track_user_signup_event, arginfo_datadog_appsec_track_user_signup_event, 0, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "track_user_login_success_event"), zif_datadog_appsec_track_user_login_success_event, arginfo_datadog_appsec_track_user_login_success_event, ZEND_ACC_DEPRECATED, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "track_user_login_failure_event"), zif_datadog_appsec_track_user_login_failure_event, arginfo_datadog_appsec_track_user_login_failure_event, ZEND_ACC_DEPRECATED, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "track_authenticated_user_event"), zif_datadog_appsec_track_authenticated_user_event, arginfo_datadog_appsec_track_authenticated_user_event, 0, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "track_custom_event"), zif_datadog_appsec_track_custom_event, arginfo_datadog_appsec_track_custom_event, 0, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec\\internal", "track_user_signup_event_automated"), zif_datadog_appsec_internal_track_user_signup_event_automated, arginfo_datadog_appsec_internal_track_user_signup_event_automated, 0, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec\\internal", "track_user_login_success_event_automated"), zif_datadog_appsec_internal_track_user_login_success_event_automated, arginfo_datadog_appsec_internal_track_user_login_success_event_automated, 0, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec\\internal", "track_user_login_failure_event_automated"), zif_datadog_appsec_internal_track_user_login_failure_event_automated, arginfo_datadog_appsec_internal_track_user_login_failure_event_automated, 0, NULL, NULL)
-	ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec\\internal", "track_authenticated_user_event_automated"), zif_datadog_appsec_internal_track_authenticated_user_event_automated, arginfo_datadog_appsec_internal_track_authenticated_user_event_automated, 0, NULL, NULL)
-	ZEND_FE_END
-};
+static const zend_function_entry ext_functions[] = {ZEND_RAW_FENTRY(
+    ZEND_NS_NAME("datadog\\appsec", "track_user_signup_event"),
+    zif_datadog_appsec_track_user_signup_event,
+    arginfo_datadog_appsec_track_user_signup_event, 0, NULL,
+    NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec",
+                              "track_user_login_success_event"),
+    zif_datadog_appsec_track_user_login_success_event,
+    arginfo_datadog_appsec_track_user_login_success_event, ZEND_ACC_DEPRECATED,
+    NULL, NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec",
+                                    "track_user_login_failure_event"),
+    zif_datadog_appsec_track_user_login_failure_event,
+    arginfo_datadog_appsec_track_user_login_failure_event, ZEND_ACC_DEPRECATED,
+    NULL, NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec",
+                                    "track_authenticated_user_event"),
+    zif_datadog_appsec_track_authenticated_user_event,
+    arginfo_datadog_appsec_track_authenticated_user_event, 0, NULL,
+    NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec", "track_custom_event"),
+    zif_datadog_appsec_track_custom_event,
+    arginfo_datadog_appsec_track_custom_event, 0, NULL,
+    NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec\\internal",
+                              "track_user_signup_event_automated"),
+    zif_datadog_appsec_internal_track_user_signup_event_automated,
+    arginfo_datadog_appsec_internal_track_user_signup_event_automated, 0, NULL,
+    NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec\\internal",
+                              "track_user_login_success_event_automated"),
+    zif_datadog_appsec_internal_track_user_login_success_event_automated,
+    arginfo_datadog_appsec_internal_track_user_login_success_event_automated, 0,
+    NULL, NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec\\internal",
+                                    "track_user_login_failure_event_automated"),
+    zif_datadog_appsec_internal_track_user_login_failure_event_automated,
+    arginfo_datadog_appsec_internal_track_user_login_failure_event_automated, 0,
+    NULL, NULL) ZEND_RAW_FENTRY(ZEND_NS_NAME("datadog\\appsec\\internal",
+                                    "track_authenticated_user_event_automated"),
+    zif_datadog_appsec_internal_track_authenticated_user_event_automated,
+    arginfo_datadog_appsec_internal_track_authenticated_user_event_automated, 0,
+    NULL, NULL) ZEND_FE_END};
diff --git a/appsec/src/extension/telemetry.h b/appsec/src/extension/telemetry.h
index ff0ba9a5a80..57eed8cc850 100644
--- a/appsec/src/extension/telemetry.h
+++ b/appsec/src/extension/telemetry.h
@@ -14,21 +14,18 @@ void dd_telemetry_add_metric(zend_string *nonnull name_zstr, double value,
 void dd_telemetry_add_sdk_event(
     char *nonnull event_type, size_t event_type_len);
 void dd_telemetry_add_missing_user_login(const char *nonnull event_type,
-    size_t event_type_len, const char *nonnull framework,
-    size_t framework_len);
+    size_t event_type_len, const char *nonnull framework, size_t framework_len);
 void dd_telemetry_add_missing_user_id(const char *nonnull event_type,
-    size_t event_type_len, const char *nonnull framework,
-    size_t framework_len);
+    size_t event_type_len, const char *nonnull framework, size_t framework_len);
 void dd_telemetry_startup(void);
 void dd_telemetry_mshutdown(void);
 
 void dd_telemetry_rinit(void);
-void dd_telemetry_note_helper_string_meta(const char *nonnull key, size_t key_len,
-    const char *nonnull val, size_t val_len);
+void dd_telemetry_note_helper_string_meta(const char *nonnull key,
+    size_t key_len, const char *nonnull val, size_t val_len);
 
 // NOLINTNEXTLINE(bugprone-easily-swappable-parameters)
-void dd_telemetry_submit_duration_ext(
-    double waf_ext_us, double rasp_ext_us);
+void dd_telemetry_submit_duration_ext(double waf_ext_us, double rasp_ext_us);
 
 void dd_telemetry_helper_conn_error(void);
 void dd_telemetry_helper_conn_success(void);
diff --git a/appsec/src/extension/user_tracking.h b/appsec/src/extension/user_tracking.h
index f01aa30b327..31df61ce1bf 100644
--- a/appsec/src/extension/user_tracking.h
+++ b/appsec/src/extension/user_tracking.h
@@ -5,8 +5,8 @@
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #pragma once
 
-#include "zai_string/string.h"
 #include "attributes.h"
+#include "zai_string/string.h"
 #include <zend.h>
 
 typedef enum _user_collection_mode {
@@ -17,7 +17,7 @@ typedef enum _user_collection_mode {
 } user_collection_mode;
 
 typedef enum _user_event {
-    user_event_none  = 0,
+    user_event_none = 0,
     user_event_login_success,
     user_event_login_failure
 } user_event;
diff --git a/appsec/src/extension/xml_truncated_parser.h b/appsec/src/extension/xml_truncated_parser.h
index 3096c9c7711..d5bfe9046d6 100644
--- a/appsec/src/extension/xml_truncated_parser.h
+++ b/appsec/src/extension/xml_truncated_parser.h
@@ -5,10 +5,10 @@
 // (https://www.datadoghq.com/). Copyright 2025 Datadog, Inc.
 #pragma once
 
+#include "attributes.h"
 #include <php.h>
 #include <stdbool.h>
 #include <stddef.h>
-#include "attributes.h"
 
 bool dd_xml_parser_startup(void);
 void dd_xml_parser_shutdown(void);
diff --git a/appsec/src/helper/main.cpp b/appsec/src/helper/main.cpp
index 61b7ce6279e..6785ed4cef9 100644
--- a/appsec/src/helper/main.cpp
+++ b/appsec/src/helper/main.cpp
@@ -104,7 +104,7 @@ bool ensure_unique_abstract_socket(std::string_view socket_path)
         return false;
     }
 
-    struct sockaddr_un addr {};
+    struct sockaddr_un addr{};
     addr.sun_family = AF_UNIX;
     addr.sun_path[0] = '\0';
 
diff --git a/appsec/src/helper/network/acceptor.cpp b/appsec/src/helper/network/acceptor.cpp
index f2b80314886..8c9e43b3ba1 100644
--- a/appsec/src/helper/network/acceptor.cpp
+++ b/appsec/src/helper/network/acceptor.cpp
@@ -28,7 +28,7 @@ acceptor::acceptor(const std::string_view &sv)
         throw std::system_error(errno, std::generic_category());
     }
 
-    struct sockaddr_un addr {};
+    struct sockaddr_un addr{};
     std::size_t addr_size;
     addr.sun_family = AF_UNIX;
     bool const is_abstract = (!sv.empty() && sv[0] == '@');
@@ -111,7 +111,7 @@ void acceptor::set_accept_timeout(std::chrono::seconds timeout)
 
 std::unique_ptr<base_socket> acceptor::accept()
 {
-    struct sockaddr_un addr {};
+    struct sockaddr_un addr{};
     socklen_t len = sizeof(addr);
 
     int s =
diff --git a/appsec/src/helper/rate_limit.hpp b/appsec/src/helper/rate_limit.hpp
index 54a47c43363..c91f57775c2 100644
--- a/appsec/src/helper/rate_limit.hpp
+++ b/appsec/src/helper/rate_limit.hpp
@@ -19,7 +19,7 @@ namespace dds {
 template <typename T> class rate_limiter {
 public:
     explicit rate_limiter(uint32_t max_per_second)
-        : max_per_second_(max_per_second){};
+        : max_per_second_(max_per_second) {};
     bool allow()
     {
         SPDLOG_TRACE("rate_limiter: allow() called");
diff --git a/appsec/src/helper/rcu.h b/appsec/src/helper/rcu.h
index 9f1081cf583..2ca020db24a 100644
--- a/appsec/src/helper/rcu.h
+++ b/appsec/src/helper/rcu.h
@@ -5,8 +5,8 @@
 #include <cassert>
 #include <memory>
 #include <mutex>
-#include <vector>
 #include <spdlog/spdlog.h>
+#include <vector>
 
 /*
  * A simple RCU implementation, using a global generation counter and per-reader
@@ -192,7 +192,8 @@ template <typename T> class rcu_manager {
         : data_ptr{initial_data.release()}
     {}
 
-    ~rcu_manager() {
+    ~rcu_manager()
+    {
         auto *data = data_ptr.exchange(nullptr, std::memory_order_release);
         if (data) {
             delete data;
@@ -225,10 +226,7 @@ template <typename T> class rcu_manager {
     }
 
     // for internal use by rcu_read_guard
-    T *get_data_acq() const
-    {
-        return data_ptr.load(std::memory_order_acquire);
-    }
+    T *get_data_acq() const { return data_ptr.load(std::memory_order_acquire); }
 
     void collect_garbage()
     {
diff --git a/appsec/src/helper/remote_config/config.cpp b/appsec/src/helper/remote_config/config.cpp
index 2a3ec65e779..67118f7a499 100644
--- a/appsec/src/helper/remote_config/config.cpp
+++ b/appsec/src/helper/remote_config/config.cpp
@@ -57,7 +57,7 @@ mapped_memory config::read() const
     auto close_fs = defer{[fd]() { ::close(fd); }};
 
     // check that the uid of the shared memory segment is the same as ours
-    struct ::stat shm_stat {};
+    struct ::stat shm_stat{};
     if (::fstat(fd, &shm_stat) == -1) {
         throw std::runtime_error{
             "Call to fstat on memory segment failed: " + strerror_ts(errno)};
diff --git a/appsec/src/helper/remote_config/config.hpp b/appsec/src/helper/remote_config/config.hpp
index be94906e6d0..586c5dd3832 100644
--- a/appsec/src/helper/remote_config/config.hpp
+++ b/appsec/src/helper/remote_config/config.hpp
@@ -135,9 +135,7 @@ class parsed_config_key {
     std::string key_;
     std::string_view source_;
     std::uint64_t org_id_{};
-    class product product_ {
-        known_products::UNKNOWN
-    };
+    class product product_{known_products::UNKNOWN};
     std::string_view config_id_;
     std::string_view name_;
 };
diff --git a/appsec/src/helper/remote_config/listeners/asm_features_listener.hpp b/appsec/src/helper/remote_config/listeners/asm_features_listener.hpp
index 0e81b07908c..a04fb4e4e4d 100644
--- a/appsec/src/helper/remote_config/listeners/asm_features_listener.hpp
+++ b/appsec/src/helper/remote_config/listeners/asm_features_listener.hpp
@@ -17,7 +17,7 @@ class asm_features_listener : public listener_base {
 public:
     explicit asm_features_listener(
         std::shared_ptr<dds::service_config> service_config)
-        : service_config_(std::move(service_config)){};
+        : service_config_(std::move(service_config)) {};
 
     void init() override;
     void on_update(const config &config) override;
diff --git a/appsec/src/helper/runner.cpp b/appsec/src/helper/runner.cpp
index 32e0ddd60d6..f05dc1e3de4 100644
--- a/appsec/src/helper/runner.cpp
+++ b/appsec/src/helper/runner.cpp
@@ -38,7 +38,7 @@ std::unique_ptr<network::base_acceptor> acceptor_from_config(
     if (sock_path.size() >= 4 && sock_path.substr(0, 3) == "fd:") {
         auto rest{sock_path.substr(3)};
         int const fd = std::stoi(std::string{rest}); // can throw
-        struct stat statbuf {};
+        struct stat statbuf{};
         int const res = fstat(fd, &statbuf);
         if (res == -1 || !S_ISSOCK(statbuf.st_mode)) {
             throw std::invalid_argument{
diff --git a/appsec/src/helper/utils.cpp b/appsec/src/helper/utils.cpp
index 05c44fc0f02..21e5ab5b02c 100644
--- a/appsec/src/helper/utils.cpp
+++ b/appsec/src/helper/utils.cpp
@@ -20,7 +20,7 @@ std::string read_file(std::string_view filename)
         throw std::system_error(errno, std::generic_category());
     }
 
-    struct stat statbuf {};
+    struct stat statbuf{};
     auto rc = stat(std::string{filename}.c_str(), &statbuf);
     auto file_size = rc == 0 ? statbuf.st_size : 0;
     std::string buffer(file_size, '\0');
diff --git a/appsec/tests/helper/engine_test.cpp b/appsec/tests/helper/engine_test.cpp
index 3436374aa87..732e4c67c3d 100644
--- a/appsec/tests/helper/engine_test.cpp
+++ b/appsec/tests/helper/engine_test.cpp
@@ -279,14 +279,15 @@ TEST(EngineTest, WafDefaultActions)
 
     auto listener = std::make_unique<mock::listener>();
     EXPECT_CALL(*listener, call(_, _, _))
-        .WillRepeatedly(Invoke([](dds::parameter_view &data, dds::event &event_,
-                                   const dds::network::request_exec_options
-                                       &options) -> void {
-            event_.actions.push_back({dds::action_type::redirect, {}});
-            event_.actions.push_back({dds::action_type::block, {}});
-            event_.actions.push_back({dds::action_type::stack_trace, {}});
-            event_.actions.push_back({dds::action_type::extract_schema, {}});
-        }));
+        .WillRepeatedly(Invoke(
+            [](dds::parameter_view &data, dds::event &event_,
+                const dds::network::request_exec_options &options) -> void {
+                event_.actions.push_back({dds::action_type::redirect, {}});
+                event_.actions.push_back({dds::action_type::block, {}});
+                event_.actions.push_back({dds::action_type::stack_trace, {}});
+                event_.actions.push_back(
+                    {dds::action_type::extract_schema, {}});
+            }));
 
     auto sub = std::make_unique<mock::subscriber>();
     EXPECT_CALL(*sub, get_listener()).WillOnce(Invoke([&]() {

From f31d128a16d79005b711ef5cf5ce1412af414f3e Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 13:53:23 -0600
Subject: [PATCH 40/42] fix(appsec): include order for nonnull

---
 appsec/src/extension/attributes.h   | 4 ++++
 appsec/src/extension/duration_acc.h | 5 +----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/appsec/src/extension/attributes.h b/appsec/src/extension/attributes.h
index 2c6adfac06a..cb6b086e1d7 100644
--- a/appsec/src/extension/attributes.h
+++ b/appsec/src/extension/attributes.h
@@ -6,6 +6,10 @@
 #ifndef DD_ATTRIBUTES_H
 #define DD_ATTRIBUTES_H
 
+// PHP 8.4+ uses __has_attribute(nonnull) in zend_portability.h. This header
+// defines nonnull below, so Zend must see that check before our shorthand exists.
+#include <zend.h>
+
 #ifndef __has_feature
 #    define __has_feature(x) 0
 #endif
diff --git a/appsec/src/extension/duration_acc.h b/appsec/src/extension/duration_acc.h
index 8fa9b394718..a3621cbee3f 100644
--- a/appsec/src/extension/duration_acc.h
+++ b/appsec/src/extension/duration_acc.h
@@ -1,10 +1,7 @@
 #pragma once
 
-// php_compat.h must precede attributes.h: attributes.h defines `nonnull` as
-// _Nonnull (empty on GCC), which breaks PHP 8.4+'s __has_attribute(nonnull) in
-// zend_portability.h.
 #include "attributes.h"
-#include "php_compat.h" // NOLINT(llvm-include-order)
+#include "php_compat.h"
 #include <time.h>
 
 static inline struct timespec dd_monotime_start(void)

From 0385edbe54f58967abc1a1fb2438d4db5bb7d4e7 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 14:50:59 -0600
Subject: [PATCH 41/42] style(appsec): fix tidy lints, batch 1

---
 appsec/src/extension/commands/request_exec.c  |  2 +-
 appsec/src/extension/commands_helpers.c       | 16 ++++++------
 appsec/src/extension/compatibility.h          |  4 +--
 appsec/src/extension/configuration.c          |  6 ++---
 appsec/src/extension/entity_body.c            |  4 +--
 appsec/src/extension/logging.c                |  7 ++++--
 appsec/src/extension/msgpack_helpers.c        |  2 +-
 appsec/src/extension/network.c                |  8 +++---
 appsec/src/extension/php_objects.c            |  2 +-
 appsec/src/extension/request_abort.c          | 16 +++++++++---
 appsec/src/extension/request_lifecycle.c      |  2 +-
 appsec/src/extension/xml_truncated_parser.c   |  5 ++--
 appsec/src/helper/.clang-tidy                 |  2 +-
 appsec/src/helper/client.cpp                  |  4 ++-
 appsec/src/helper/compression.cpp             |  7 +++---
 appsec/src/helper/engine.cpp                  | 10 +++++---
 appsec/src/helper/engine_settings.cpp         |  4 +--
 appsec/src/helper/json_helper.cpp             | 25 +++++++++++++------
 appsec/src/helper/network/acceptor.cpp        |  4 +--
 appsec/src/helper/network/msgpack_helpers.cpp |  1 +
 appsec/src/helper/parameter.cpp               |  2 ++
 appsec/src/helper/remote_config/config.cpp    |  2 +-
 .../listeners/engine_listener.cpp             |  6 ++---
 appsec/src/helper/runner.cpp                  |  2 +-
 appsec/src/helper/subscriber/waf.cpp          |  7 ++++--
 appsec/src/helper/utils.cpp                   |  5 ++--
 26 files changed, 98 insertions(+), 57 deletions(-)

diff --git a/appsec/src/extension/commands/request_exec.c b/appsec/src/extension/commands/request_exec.c
index 51d72d87cf6..aa781d23158 100644
--- a/appsec/src/extension/commands/request_exec.c
+++ b/appsec/src/extension/commands/request_exec.c
@@ -62,7 +62,7 @@ static dd_result _pack_command(mpack_writer_t *nonnull w, void *nonnull _ctx)
     bool has_rule_variant =
         ctx->rule_variant != NULL && ZSTR_LEN(ctx->rule_variant) > 0;
     size_t num_map_elems = (ctx->rasp_rule != NULL) + has_rule_variant +
-                           (ctx->subctx_id != NULL) * 2;
+                           ((ctx->subctx_id != NULL) * 2);
     mpack_start_map(w, num_map_elems);
 
     if (dd_mpack_limits_reached(&limits)) {
diff --git a/appsec/src/extension/commands_helpers.c b/appsec/src/extension/commands_helpers.c
index 8c7cafee00c..00a3f69cf77 100644
--- a/appsec/src/extension/commands_helpers.c
+++ b/appsec/src/extension/commands_helpers.c
@@ -293,7 +293,7 @@ static inline ATTR_WARN_UNUSED mpack_error_t _imsg_destroy(
 
 static void _imsg_cleanup(dd_imsg *nullable *imsg)
 {
-    dd_imsg **imsg_c = (dd_imsg * nullable * nonnull) imsg;
+    dd_imsg **imsg_c = imsg;
     if (*imsg_c) {
         UNUSED(_imsg_destroy(*imsg_c));
     }
@@ -504,12 +504,14 @@ static void dd_command_process_settings(mpack_node_t root);
  *    4: [metrics: map]
  * )
  */
-#define RESP_INDEX_ACTION_PARAMS 0
-#define RESP_INDEX_APPSEC_SPAN_DATA 1
-#define RESP_INDEX_FORCE_KEEP 2
-#define RESP_INDEX_SETTINGS 3
-#define RESP_INDEX_SPAN_META 4
-#define RESP_INDEX_SPAN_METRICS 5
+enum {
+    RESP_INDEX_ACTION_PARAMS = 0,
+    RESP_INDEX_APPSEC_SPAN_DATA = 1,
+    RESP_INDEX_FORCE_KEEP = 2,
+    RESP_INDEX_SETTINGS = 3,
+    RESP_INDEX_SPAN_META = 4,
+    RESP_INDEX_SPAN_METRICS = 5,
+};
 
 dd_result dd_command_proc_resp_verd_span_data(
     mpack_node_t root, void *unspecnull _ctx)
diff --git a/appsec/src/extension/compatibility.h b/appsec/src/extension/compatibility.h
index 1e8d62ffb53..cb7e0386c2d 100644
--- a/appsec/src/extension/compatibility.h
+++ b/appsec/src/extension/compatibility.h
@@ -7,8 +7,8 @@
 #    undef ZEND_RAW_FENTRY
 #    define ZEND_RAW_FENTRY(zend_name, name, arg_info, flags, ...)             \
         {zend_name, name, arg_info,                                            \
-            (uint32_t)(sizeof(arg_info) /                                      \
-                           sizeof(struct _zend_internal_arg_info) -            \
+            (uint32_t)((sizeof(arg_info) /                                     \
+                           sizeof(struct _zend_internal_arg_info)) -           \
                        1),                                                     \
             flags},
 #endif
diff --git a/appsec/src/extension/configuration.c b/appsec/src/extension/configuration.c
index 4763df33589..74562d7aed5 100644
--- a/appsec/src/extension/configuration.c
+++ b/appsec/src/extension/configuration.c
@@ -175,7 +175,7 @@ static void _register_testing_objects(void);
 bool dd_config_minit(int module_number)
 {
     if (!zai_config_minit(config_entries,
-            (sizeof config_entries / sizeof *config_entries),
+            (sizeof(config_entries) / sizeof(*config_entries)),
             dd_ini_env_to_ini_name, module_number)) {
         mlog(dd_log_fatal, "Unable to load configuration.");
         return false;
@@ -210,7 +210,7 @@ static PHP_FUNCTION(datadog_appsec_testing_zai_config_get_value)
         RETURN_FALSE;
     }
 
-    unsigned entries = sizeof config_entries / sizeof *config_entries;
+    unsigned entries = sizeof(config_entries) / sizeof(*config_entries);
     for (unsigned i = 0; i < entries; i++) {
         if (strcmp(ZSTR_VAL(key), config_entries[i].name.ptr) == 0) {
             RETURN_ZVAL(zai_config_get_value(config_entries[i].id),
@@ -228,7 +228,7 @@ static PHP_FUNCTION(datadog_appsec_testing_zai_config_get_global_value)
         RETURN_FALSE;
     }
 
-    unsigned entries = sizeof config_entries / sizeof *config_entries;
+    unsigned entries = sizeof(config_entries) / sizeof(*config_entries);
     for (unsigned i = 0; i < entries; i++) {
         if (strcmp(ZSTR_VAL(key), config_entries[i].name.ptr) == 0) {
             zval *value = &zai_config_memoized_entries[config_entries[i].id]
diff --git a/appsec/src/extension/entity_body.c b/appsec/src/extension/entity_body.c
index df94e3ef455..19cd2430798 100644
--- a/appsec/src/extension/entity_body.c
+++ b/appsec/src/extension/entity_body.c
@@ -214,7 +214,7 @@ static bool _assume_utf8(const char *ct, size_t ct_len)
     return true;
 }
 
-#define MAX_XML_DEPTH 30
+enum { MAX_XML_DEPTH = 30 };
 static zval _convert_xml(const char *nonnull entity, size_t entity_len,
     const char *nonnull content_type, size_t content_type_len)
 {
@@ -244,7 +244,7 @@ PHP_FUNCTION(datadog_appsec_convert_xml)
 PHP_FUNCTION(datadog_appsec_convert_json)
 {
     zend_string *entity;
-#define MAX_DEPTH_DEFAULT 30
+    enum { MAX_DEPTH_DEFAULT = 30 };
     zend_long max_depth = MAX_DEPTH_DEFAULT;
     ZEND_PARSE_PARAMETERS_START(1, 2) // NOLINT
     Z_PARAM_STR(entity)
diff --git a/appsec/src/extension/logging.c b/appsec/src/extension/logging.c
index 7094cfc3923..9f0327066b3 100644
--- a/appsec/src/extension/logging.c
+++ b/appsec/src/extension/logging.c
@@ -217,7 +217,7 @@ static int _dd_log_level_from_str(const char *nullable log_level)
         goto err;
     }
 
-    size_t len = strlen((const char *)log_level);
+    size_t len = strlen(log_level);
     if (dd_string_equals_lc(log_level, len, ZEND_STRL("off"))) {
         return dd_log_off;
     }
@@ -415,7 +415,10 @@ static void _format_time(
     char *buf, size_t buf_size, struct timespec *time, int precision)
 {
     struct tm tm = {0};
-    gmtime_r(&time->tv_sec, &tm);
+    if (gmtime_r(&time->tv_sec, &tm) == NULL) {
+        *buf = '\0';
+        return;
+    }
     size_t len = strftime(buf, buf_size, "%FT%T", &tm);
     size_t left_size = buf_size - len;
     if (UNEXPECTED(left_size > buf_size)) {
diff --git a/appsec/src/extension/msgpack_helpers.c b/appsec/src/extension/msgpack_helpers.c
index c1a541af4f6..dbc287e6b7a 100644
--- a/appsec/src/extension/msgpack_helpers.c
+++ b/appsec/src/extension/msgpack_helpers.c
@@ -19,7 +19,7 @@
 #endif
 
 static const size_t MAX_DEPTH_READING = 32;
-#define MAX_RECURSION_DEPTH 50 // arbitrary limit to prevent stack overflow
+enum { MAX_RECURSION_DEPTH = 50 }; // arbitrary limit to prevent stack overflow
 
 static THREAD_LOCAL_ON_ZTS bool data_truncated_ = false;
 
diff --git a/appsec/src/extension/network.c b/appsec/src/extension/network.c
index 86f7ee58824..76b157b8624 100644
--- a/appsec/src/extension/network.c
+++ b/appsec/src/extension/network.c
@@ -456,9 +456,11 @@ dd_result dd_conn_set_timeout(
     return dd_success;
 }
 
-#define ONE_E3 1000
-#define ONE_E6 1000000
-#define ONE_E9 1000000000
+enum {
+    ONE_E3 = 1000,
+    ONE_E6 = 1000000,
+    ONE_E9 = 1000000000,
+};
 static void _timespec_add_ms(struct timespec *ts, long num_ms)
 {
     long seconds = num_ms / ONE_E3;
diff --git a/appsec/src/extension/php_objects.c b/appsec/src/extension/php_objects.c
index 60b45070b1f..e4b54a074df 100644
--- a/appsec/src/extension/php_objects.c
+++ b/appsec/src/extension/php_objects.c
@@ -30,7 +30,7 @@ dd_result dd_phpobj_reg_funcs(const zend_function_entry *entries)
     if (res == FAILURE) {
         return dd_error;
     }
-    zend_llist_add_element(&_function_entry_arrays, &entries);
+    zend_llist_add_element(&_function_entry_arrays, (const void *)&entries);
     return dd_success;
 }
 
diff --git a/appsec/src/extension/request_abort.c b/appsec/src/extension/request_abort.c
index 728ab9eaedd..978cc124e54 100644
--- a/appsec/src/extension/request_abort.c
+++ b/appsec/src/extension/request_abort.c
@@ -94,6 +94,15 @@ static void _emit_error(const char *format, ...);
 static zend_string *nonnull _get_json_blocking_template(void);
 static zend_string *nonnull _get_html_blocking_template(void);
 
+static zend_string *nonnull _get_empty_blocking_template(void)
+{
+    if (zend_empty_string != NULL) {
+        return zend_empty_string;
+    }
+
+    return zend_string_init("", 0, 0);
+}
+
 static inline bool _is_valid_redirect_code(int code)
 {
     return code >= 300 && code < 400; // NOLINT
@@ -540,7 +549,8 @@ static void _force_destroy_output_handlers(void)
 
     if (OG(handlers).elements) {
         php_output_handler **handler;
-        while ((handler = zend_stack_top(&OG(handlers)))) {
+        while (
+            (handler = (php_output_handler **)zend_stack_top(&OG(handlers)))) {
             php_output_handler_free(handler);
             zend_stack_del_top(&OG(handlers));
         }
@@ -809,7 +819,7 @@ static zend_string *nonnull _get_json_blocking_template(void)
         // * if the template file is not found, return an empty template
         // * if the template file is empty, return the default
         if (!body_error_json) {
-            return zend_empty_string;
+            return _get_empty_blocking_template();
         }
         if (ZSTR_LEN(body_error_json) == 0) {
             zend_string_release(body_error_json);
@@ -830,7 +840,7 @@ static zend_string *nonnull _get_html_blocking_template(void)
         zend_string *nullable body_error_html =
             _read_file_contents(ZSTR_VAL(html_template_file));
         if (!body_error_html) {
-            return zend_empty_string;
+            return _get_empty_blocking_template();
         }
         if (ZSTR_LEN(body_error_html) == 0) {
             zend_string_release(body_error_html);
diff --git a/appsec/src/extension/request_lifecycle.c b/appsec/src/extension/request_lifecycle.c
index 0e14c3de991..35deaae25a5 100644
--- a/appsec/src/extension/request_lifecycle.c
+++ b/appsec/src/extension/request_lifecycle.c
@@ -52,7 +52,7 @@ static THREAD_LOCAL_ON_ZTS zval _blocking_function;
 static THREAD_LOCAL_ON_ZTS bool _shutdown_done_on_commit;
 static THREAD_LOCAL_ON_ZTS bool _empty_service_or_env;
 static THREAD_LOCAL_ON_ZTS bool _request_blocked;
-#define MAX_LENGTH_OF_REM_CFG_PATH 31
+enum { MAX_LENGTH_OF_REM_CFG_PATH = 31 };
 static THREAD_LOCAL_ON_ZTS char
     _last_rem_cfg_path[MAX_LENGTH_OF_REM_CFG_PATH + 1];
 #define CLIENT_IP_LOOKUP_FAILED ((zend_string *)-1)
diff --git a/appsec/src/extension/xml_truncated_parser.c b/appsec/src/extension/xml_truncated_parser.c
index 8f8aa0a8552..9bf8522f42d 100644
--- a/appsec/src/extension/xml_truncated_parser.c
+++ b/appsec/src/extension/xml_truncated_parser.c
@@ -18,7 +18,7 @@
 #include <zend_API.h>
 // clang-format on
 
-#define STACK_INITIAL_CAPACITY 16
+enum { STACK_INITIAL_CAPACITY = 16 };
 typedef struct {
     zval **items;
     size_t size;
@@ -453,7 +453,8 @@ static void _sax_start_element_ns(void *user_ctx, const xmlChar *localname,
 
         for (int i = 0; i < nb_attributes; i++) {
             // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
-            memcpy(&attr, &attributes[(ptrdiff_t)i * 5], sizeof(attr));
+            memcpy(&attr, (const void *)&attributes[(ptrdiff_t)i * 5],
+                sizeof(attr));
 
             // Build qualified attribute name with @ prefix
             zend_string *prefixed_name =
diff --git a/appsec/src/helper/.clang-tidy b/appsec/src/helper/.clang-tidy
index 56f0b950c90..86ef4b8b1b1 100644
--- a/appsec/src/helper/.clang-tidy
+++ b/appsec/src/helper/.clang-tidy
@@ -1,4 +1,4 @@
-Checks: 'readability-identifier-naming,-bugprone-lambda-function-name'
+Checks: 'readability-identifier-naming,-bugprone-lambda-function-name,-clang-analyzer-optin.cplusplus.UninitializedObject'
 
 CheckOptions:
   - key: readability-identifier-naming.StructCase
diff --git a/appsec/src/helper/client.cpp b/appsec/src/helper/client.cpp
index 5a524c60ee2..5aee831ef6e 100644
--- a/appsec/src/helper/client.cpp
+++ b/appsec/src/helper/client.cpp
@@ -4,6 +4,7 @@
 // This product includes software developed at Datadog
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 
+#include <cassert>
 #include <chrono>
 #include <map>
 #include <spdlog/spdlog.h>
@@ -474,7 +475,8 @@ bool client::handle_command(network::request_shutdown::request &command)
         return false;
     }
 
-    context_->set_input_truncated(command.input_truncated);
+    assert(context_.has_value());
+    context_.value().set_input_truncated(command.input_truncated);
 
     collect_metrics(*response, *service_, context_, sc_settings_);
     service_->drain_logs(sc_settings_);
diff --git a/appsec/src/helper/compression.cpp b/appsec/src/helper/compression.cpp
index 2446ad9b783..aa2c0a2c546 100644
--- a/appsec/src/helper/compression.cpp
+++ b/appsec/src/helper/compression.cpp
@@ -19,7 +19,8 @@ constexpr int max_round_decompression = 100;
 size_t estimate_compressed_size(size_t in_len)
 {
     // NOLINTBEGIN(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
-    return (((size_t)((double)in_len * (double)1.015)) + 10 + 8 + 4 + 1);
+    return static_cast<size_t>(static_cast<double>(in_len) * 1.015) + 10 + 8 +
+           4 + 1;
     // NOLINTEND(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
 }
 } // namespace
@@ -31,7 +32,7 @@ std::optional<std::string> compress(const std::string &text)
     std::string ret_string;
     z_stream strm = {};
 
-    if (text.length() == 0) {
+    if (text.empty()) {
         return std::nullopt;
     }
 
@@ -69,7 +70,7 @@ std::optional<std::string> uncompress(const std::string &compressed)
     size_t capacity;
     z_stream strm = {};
 
-    if (compressed.length() < 1 || Z_OK != inflateInit2(&strm, encoding)) {
+    if (compressed.empty() || Z_OK != inflateInit2(&strm, encoding)) {
         return std::nullopt;
     }
 
diff --git a/appsec/src/helper/engine.cpp b/appsec/src/helper/engine.cpp
index 083839ebdaf..bf20e040cbb 100644
--- a/appsec/src/helper/engine.cpp
+++ b/appsec/src/helper/engine.cpp
@@ -131,11 +131,15 @@ std::optional<engine::result> engine::context::publish(
 
     // no actions, but we have json fragments in triggers. Add a record action
     if (event.actions.empty()) {
-        action record = {dds::action_type::record, {}};
-        event.actions.emplace_back(std::move(record));
+        event.actions.emplace_back(
+            dds::action{.type = dds::action_type::record, .parameters = {}});
     }
 
-    dds::engine::result res{{}, std::move(event.triggers), force_keep};
+    dds::engine::result res{
+        .actions = {},
+        .triggers = std::move(event.triggers),
+        .force_keep = force_keep,
+    };
     for (auto const &action : event.actions) {
         dds::action new_action;
         new_action.type = action.type;
diff --git a/appsec/src/helper/engine_settings.cpp b/appsec/src/helper/engine_settings.cpp
index d8e6e2440f7..fc2f24efb23 100644
--- a/appsec/src/helper/engine_settings.cpp
+++ b/appsec/src/helper/engine_settings.cpp
@@ -53,9 +53,9 @@ namespace dds {
 
 namespace {
 struct def_rules_file {
-    std::atomic<std::string *> stored_file{};
+    std::atomic<std::string *> stored_file;
 
-    def_rules_file() = default;
+    def_rules_file() : stored_file(nullptr) {}
     def_rules_file(const def_rules_file &) = delete;
     def_rules_file(def_rules_file &&) = delete;
     def_rules_file &operator=(const def_rules_file &) = delete;
diff --git a/appsec/src/helper/json_helper.cpp b/appsec/src/helper/json_helper.cpp
index 79ed711c960..d3b4ebaefd2 100644
--- a/appsec/src/helper/json_helper.cpp
+++ b/appsec/src/helper/json_helper.cpp
@@ -9,6 +9,7 @@
 #include "parameter_view.hpp"
 #include "std_logging.hpp"
 #include <base64.h>
+#include <concepts>
 #include <ddwaf.h>
 #include <rapidjson/error/en.h>
 #include <rapidjson/prettywriter.h>
@@ -90,10 +91,12 @@ std::string parameter_to_json(const parameter_view &pv)
     return {};
 }
 
+namespace {
+
 // TODO: we should limit the recursion
-template <typename T, typename = std::enable_if_t<std::disjunction_v<
-                          std::is_same<rapidjson::Document, std::decay_t<T>>,
-                          std::is_same<rapidjson::Value, std::decay_t<T>>>>>
+template <typename T>
+    requires(std::same_as<rapidjson::Document, std::decay_t<T>> ||
+             std::same_as<rapidjson::Value, std::decay_t<T>>)
 // NOLINTNEXTLINE(misc-no-recursion)
 void json_to_object(ddwaf_object *object, T &doc)
 {
@@ -110,7 +113,9 @@ void json_to_object(ddwaf_object *object, T &doc)
             ddwaf_object element;
             json_to_object(&element, kv.value);
 
-            std::string_view const key = kv.name.GetString();
+            std::string_view const key{
+                kv.name.GetString(), kv.name.GetStringLength()};
+            // NOLINTNEXTLINE(bugprone-suspicious-stringview-data-usage)
             ddwaf_object_map_addl(object, key.data(), key.length(), &element);
         }
         break;
@@ -126,7 +131,8 @@ void json_to_object(ddwaf_object *object, T &doc)
         break;
     }
     case rapidjson::kStringType: {
-        std::string_view const str = doc.GetString();
+        std::string_view const str{doc.GetString(), doc.GetStringLength()};
+        // NOLINTNEXTLINE(bugprone-suspicious-stringview-data-usage)
         ddwaf_object_stringl(object, str.data(), str.size());
         break;
     }
@@ -147,6 +153,8 @@ void json_to_object(ddwaf_object *object, T &doc)
     }
 }
 
+} // namespace
+
 dds::parameter json_to_parameter(const rapidjson::Value &value)
 {
     dds::parameter obj;
@@ -157,7 +165,7 @@ dds::parameter json_to_parameter(const rapidjson::Value &value)
 dds::parameter json_to_parameter(std::string_view json)
 {
     rapidjson::Document doc;
-    rapidjson::ParseResult const result = doc.Parse(json.data());
+    rapidjson::ParseResult const result = doc.Parse(json.data(), json.size());
     if (result.IsError()) {
         throw parsing_error("invalid json object: "s +
                             rapidjson::GetParseError_En(result.Code()));
@@ -170,7 +178,7 @@ json_helper::get_field_of_type(const rapidjson::Value &parent_field,
     std::string_view key, rapidjson::Type type)
 {
     rapidjson::Value::ConstMemberIterator const output_itr =
-        parent_field.FindMember(key.data());
+        parent_field.FindMember(rapidjson::StringRef(key.data(), key.size()));
 
     if (output_itr == parent_field.MemberEnd()) {
         SPDLOG_DEBUG("Field {} not found", key);
@@ -206,7 +214,8 @@ json_helper::get_field_of_type(
 bool json_helper::field_exists(
     const rapidjson::Value &parent_field, std::string_view key)
 {
-    return parent_field.FindMember(key.data()) != parent_field.MemberEnd();
+    return parent_field.FindMember(rapidjson::StringRef(
+               key.data(), key.size())) != parent_field.MemberEnd();
 }
 
 bool json_helper::field_exists(
diff --git a/appsec/src/helper/network/acceptor.cpp b/appsec/src/helper/network/acceptor.cpp
index 8c9e43b3ba1..5cd4e5fac03 100644
--- a/appsec/src/helper/network/acceptor.cpp
+++ b/appsec/src/helper/network/acceptor.cpp
@@ -101,7 +101,7 @@ acceptor::acceptor(const std::string_view &sv)
 
 void acceptor::set_accept_timeout(std::chrono::seconds timeout)
 {
-    struct timeval tv = {timeout.count(), 0};
+    struct timeval tv = {.tv_sec = timeout.count(), .tv_usec = 0};
     int const res =
         setsockopt(sock_.get(), SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
     if (res == -1) {
@@ -114,7 +114,7 @@ std::unique_ptr<base_socket> acceptor::accept()
     struct sockaddr_un addr{};
     socklen_t len = sizeof(addr);
 
-    int s =
+    const int s =
         // NOLINTNEXTLINE
         ::accept(sock_.get(), reinterpret_cast<struct sockaddr *>(&addr), &len);
     if (s == -1) {
diff --git a/appsec/src/helper/network/msgpack_helpers.cpp b/appsec/src/helper/network/msgpack_helpers.cpp
index 6effe74db8c..981da3b523b 100644
--- a/appsec/src/helper/network/msgpack_helpers.cpp
+++ b/appsec/src/helper/network/msgpack_helpers.cpp
@@ -70,6 +70,7 @@ msgpack::object const &convert<dds::parameter>::operator()(
     msgpack::object const &o, dds::parameter &v) const
 {
     v = msgpack_to_param(o);
+    // NOLINTNEXTLINE(bugprone-return-const-ref-from-parameter)
     return o;
 }
 
diff --git a/appsec/src/helper/parameter.cpp b/appsec/src/helper/parameter.cpp
index 61b50ff4417..c1ec3bcf1a1 100644
--- a/appsec/src/helper/parameter.cpp
+++ b/appsec/src/helper/parameter.cpp
@@ -84,6 +84,7 @@ parameter parameter::string(std::string_view str) noexcept
     length_type const length =
         str.length() <= max_length ? str.length() : max_length;
     ddwaf_object obj;
+    // NOLINTNEXTLINE(bugprone-suspicious-stringview-data-usage)
     ddwaf_object_stringl(&obj, str.data(), length);
     return parameter{obj};
 }
@@ -124,6 +125,7 @@ bool parameter::add(std::string_view name, parameter &&entry) noexcept
 {
     length_type const length =
         name.length() <= max_length ? name.length() : max_length;
+    // NOLINTNEXTLINE(bugprone-suspicious-stringview-data-usage)
     if (!ddwaf_object_map_addl(this, name.data(), length, entry)) {
         return false;
     }
diff --git a/appsec/src/helper/remote_config/config.cpp b/appsec/src/helper/remote_config/config.cpp
index 67118f7a499..9e06452d06c 100644
--- a/appsec/src/helper/remote_config/config.cpp
+++ b/appsec/src/helper/remote_config/config.cpp
@@ -42,7 +42,7 @@ config config::from_line(std::string_view line)
     // base64 decode rc_path (no padding):
     std::string rc_path = base64_decode(rc_path_encoded);
 
-    return {std::string{shm_path}, std::move(rc_path)};
+    return {.shm_path = std::string{shm_path}, .rc_path = std::move(rc_path)};
 }
 
 mapped_memory config::read() const
diff --git a/appsec/src/helper/remote_config/listeners/engine_listener.cpp b/appsec/src/helper/remote_config/listeners/engine_listener.cpp
index 4e296600c46..1648fa6772e 100644
--- a/appsec/src/helper/remote_config/listeners/engine_listener.cpp
+++ b/appsec/src/helper/remote_config/listeners/engine_listener.cpp
@@ -44,7 +44,7 @@ void engine_listener::on_update(const config &config)
     }
 
     auto &aggregator = it->second;
-    if (to_commit_.find(aggregator.get()) == to_commit_.end()) {
+    if (!to_commit_.contains(aggregator.get())) {
         aggregator->init(&ruleset_.GetAllocator());
         to_commit_.emplace(aggregator.get());
     }
@@ -62,7 +62,7 @@ void engine_listener::on_unapply(const config &config)
     }
 
     auto &aggregator = it->second;
-    if (to_commit_.find(aggregator.get()) == to_commit_.end()) {
+    if (!to_commit_.contains(aggregator.get())) {
         aggregator->init(&ruleset_.GetAllocator());
         to_commit_.emplace(aggregator.get());
     }
@@ -77,7 +77,7 @@ void engine_listener::commit()
     }
 
     for (auto &[product, aggregator] : aggregators_) {
-        if (to_commit_.find(aggregator.get()) != to_commit_.end()) {
+        if (to_commit_.contains(aggregator.get())) {
             aggregator->aggregate(ruleset_);
         }
     }
diff --git a/appsec/src/helper/runner.cpp b/appsec/src/helper/runner.cpp
index f05dc1e3de4..7e1a7fd2b11 100644
--- a/appsec/src/helper/runner.cpp
+++ b/appsec/src/helper/runner.cpp
@@ -35,7 +35,7 @@ std::unique_ptr<network::base_acceptor> acceptor_from_config(
     const config::config &cfg)
 {
     std::string_view const sock_path{cfg.socket_file_path()};
-    if (sock_path.size() >= 4 && sock_path.substr(0, 3) == "fd:") {
+    if (sock_path.size() >= 4 && sock_path.starts_with("fd:")) {
         auto rest{sock_path.substr(3)};
         int const fd = std::stoi(std::string{rest}); // can throw
         struct stat statbuf{};
diff --git a/appsec/src/helper/subscriber/waf.cpp b/appsec/src/helper/subscriber/waf.cpp
index 74b9075f95b..047620955d6 100644
--- a/appsec/src/helper/subscriber/waf.cpp
+++ b/appsec/src/helper/subscriber/waf.cpp
@@ -216,7 +216,9 @@ void format_waf_result(
             const parameter_view actions_pv{*actions};
             for (const auto &action : actions_pv) {
                 dds::action a{
-                    parse_action_type_string(std::string(action.key())), {}};
+                    .type = parse_action_type_string(std::string(action.key())),
+                    .parameters = {},
+                };
                 for (const auto &parameter : action) {
                     std::string value;
                     // As of libddwaf 1.28.0, status_code and grpc_status_code
@@ -689,7 +691,8 @@ void instance::listener::call(dds::parameter_view &data, event &event,
     switch (code) {
     case DDWAF_MATCH:
         rule_triggered_ = true;
-        return format_waf_result(actions, events, event);
+        format_waf_result(actions, events, event);
+        return;
     case DDWAF_ERR_INTERNAL:
         waf_run_error_ = true;
         throw internal_error();
diff --git a/appsec/src/helper/utils.cpp b/appsec/src/helper/utils.cpp
index 21e5ab5b02c..ec32b690d33 100644
--- a/appsec/src/helper/utils.cpp
+++ b/appsec/src/helper/utils.cpp
@@ -15,13 +15,14 @@
 namespace dds {
 std::string read_file(std::string_view filename)
 {
-    std::ifstream file(filename.data(), std::ios::in);
+    const std::string path{filename};
+    std::ifstream file(path, std::ios::in);
     if (!file) {
         throw std::system_error(errno, std::generic_category());
     }
 
     struct stat statbuf{};
-    auto rc = stat(std::string{filename}.c_str(), &statbuf);
+    auto rc = stat(path.c_str(), &statbuf);
     auto file_size = rc == 0 ? statbuf.st_size : 0;
     std::string buffer(file_size, '\0');
     buffer.resize(file_size);

From d83f7018832cae773be1b529b850d16e7ad35ca1 Mon Sep 17 00:00:00 2001
From: Levi Morrison <levi.morrison@datadoghq.com>
Date: Fri, 29 May 2026 14:59:52 -0600
Subject: [PATCH 42/42] style(appsec): fix tidy lints, batch 2

---
 appsec/src/extension/php_objects.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appsec/src/extension/php_objects.c b/appsec/src/extension/php_objects.c
index e4b54a074df..5bc9c90cc35 100644
--- a/appsec/src/extension/php_objects.c
+++ b/appsec/src/extension/php_objects.c
@@ -30,7 +30,7 @@ dd_result dd_phpobj_reg_funcs(const zend_function_entry *entries)
     if (res == FAILURE) {
         return dd_error;
     }
-    zend_llist_add_element(&_function_entry_arrays, (const void *)&entries);
+    zend_llist_add_element(&_function_entry_arrays, (void *)&entries);
     return dd_success;
 }