From d43efc37327e07a7fe6a6d434d3dc229d186da9b Mon Sep 17 00:00:00 2001
From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com>
Date: Wed, 10 Jun 2026 12:52:09 -0400
Subject: [PATCH 1/2] feat(agent-config): make TLS provider opt-in for transitive libdd deps
libdd-trace-obfuscation and libdd-trace-utils default to their "https" feature which pulls hyper-rustls with ring crypto. When a consumer needs FIPS compliance, this default leaks into the dependency graph and defeats consumer-side fips features (cargo unions features additively, so default+fips ends up linking both ring and aws-lc-rs). Switch the libdd deps to default-features = false and expose two new crate features so consumers pick explicitly: https = libdd-trace-{utils,obfuscation}/https # ring-backed HTTPS fips = libdd-trace-{utils,obfuscation}/fips # aws-lc-rs HTTPS The default feature set is empty - the crate itself never needs TLS, only its libdd transitives can. Existing consumers that relied on the implicit "https" pull now opt in by setting `datadog-agent-config = { ..., features = ["https"] }` (or "fips"). Also flips `dogstatsd = { path = "../dogstatsd" }` to default-features = false for the same reason - dogstatsd's default features include HTTP send paths that we don't use from agent-config, and they similarly leak ring/rustls feature flags downstream. Verified: cargo check -p datadog-agent-config # clean cargo test -p datadog-agent-config # 71 passed
---
 crates/datadog-agent-config/Cargo.toml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/crates/datadog-agent-config/Cargo.toml b/crates/datadog-agent-config/Cargo.toml
index 3e061a7..7221fcf 100644
--- a/crates/datadog-agent-config/Cargo.toml
+++ b/crates/datadog-agent-config/Cargo.toml
@@ -6,19 +6,35 @@ license.workspace = true
 
 [dependencies]
 figment = { version = "0.10", default-features = false, features = ["yaml", "env"] }
-libdd-trace-obfuscation = { git = "https://github.com/DataDog/libdatadog", rev = "48da0d82cb32b43d4cdece35b794c9bcbc275a03" }
-libdd-trace-utils = { git = "https://github.com/DataDog/libdatadog", rev = "48da0d82cb32b43d4cdece35b794c9bcbc275a03" }
+libdd-trace-obfuscation = { git = "https://github.com/DataDog/libdatadog", rev = "48da0d82cb32b43d4cdece35b794c9bcbc275a03", default-features = false }
+libdd-trace-utils = { git = "https://github.com/DataDog/libdatadog", rev = "48da0d82cb32b43d4cdece35b794c9bcbc275a03", default-features = false }
 log = { version = "0.4", default-features = false }
 serde = { version = "1.0", default-features = false, features = ["derive"] }
 serde-aux = { version = "4.7", default-features = false }
 serde_json = { version = "1.0", default-features = false, features = ["alloc"] }
 tracing = { version = "0.1", default-features = false }
 datadog-opentelemetry = { git = "https://github.com/DataDog/dd-trace-rs", rev = "f51cefc4ad24bec81b38fb2f36b1ed93f21ae913", default-features = false }
-dogstatsd = { path = "../dogstatsd" }
+dogstatsd = { path = "../dogstatsd", default-features = false }
 tokio = { version = "1.47", default-features = false, features = ["time"] }
 
 [dev-dependencies]
 figment = { version = "0.10", default-features = false, features = ["yaml", "env", "test"] }
 
+[features]
+# Disabled by default. Consumers that need a TLS provider on the transitive
+# libdatadog deps (e.g. for HTTPS proxying) must enable one of these features
+# explicitly; without that, no TLS provider is pulled in and the crate stays
+# crypto-agnostic. The two are mutually exclusive — pick whichever matches
+# your consumer's crypto policy.
+default = []
+https = [
+ "libdd-trace-utils/https",
+ "libdd-trace-obfuscation/https",
+]
+fips = [
+ "libdd-trace-utils/fips",
+ "libdd-trace-obfuscation/fips",
+]
+
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = ['cfg(coverage,coverage_nightly)'] }
From 429578db1c87d7304f368751c216db59dc8fd59a Mon Sep 17 00:00:00 2001
From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com>
Date: Wed, 10 Jun 2026 12:59:07 -0400
Subject: [PATCH 2/2] docs(agent-config): clarify https/fips features aren't Cargo-enforced
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Per copilot review on DataDog/serverless-components#136 — Cargo doesn't enforce mutual exclusivity. Reword the doc comment to spell out that both features can technically be enabled (e.g. via --all-features) but that doing so defeats the purpose by re-adding ring alongside aws-lc-rs in the dep graph.
---
 crates/datadog-agent-config/Cargo.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/crates/datadog-agent-config/Cargo.toml b/crates/datadog-agent-config/Cargo.toml
index 7221fcf..62e7d64 100644
--- a/crates/datadog-agent-config/Cargo.toml
+++ b/crates/datadog-agent-config/Cargo.toml
@@ -24,8 +24,9 @@ figment = { version = "0.10", default-features = false, features = ["yaml", "env
 # Disabled by default. Consumers that need a TLS provider on the transitive
 # libdatadog deps (e.g. for HTTPS proxying) must enable one of these features
 # explicitly; without that, no TLS provider is pulled in and the crate stays
-# crypto-agnostic. The two are mutually exclusive — pick whichever matches
-# your consumer's crypto policy.
+# crypto-agnostic. Pick one — Cargo doesn't enforce this, but enabling both
+# (e.g. via `--all-features`) defeats the purpose since cargo unions
+# features additively, leaving both ring and aws-lc-rs in the dep graph.
 default = []
 https = [
 "libdd-trace-utils/https",
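Review bot: The new `[features]` block accepts `https` and `fips` together with no build-time signal, so a consumer that asks for FIPS but also gets `https` from any path (or from `--all-features`) silently links ring next to aws-lc-rs; the comment states the intent but nothing enforces it. Since the whole point of the empty default is to keep ring out of FIPS builds, a guard in the crate root (outside this diff) would turn that misconfiguration into an error: `#[cfg(all(feature = "https", feature = "fips"))]` followed by `compile_error!("datadog-agent-config: features https and fips are mutually exclusive");` — at the known cost that `cargo build --all-features` then fails, so CI would exercise `--features https` and `--features fips` as separate jobs. The hunk also removes the implicit TLS provider for every existing consumer, and whether a missing opt-in shows up as a compile error or only at runtime when libdd first needs an HTTPS connector is not visible here; the `[features]` comment should say which so downstream crates know what to look for. That the libdd `fips` feature is aws-lc-rs backed is taken from the commit message, not from anything in this manifest.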
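Review bot: The reworded comment covers only the case where this crate's own `https` and `fips` are both on, but under feature unification the more likely way ring re-enters a `fips` build is another crate in the consumer's graph leaving the libdd `https` default enabled, which nothing in this manifest can prevent. Worth adding a line saying this crate controls only its own dependency edge and naming the check, e.g. `# Enabling "fips" here is necessary, not sufficient: any other dependency that keeps the libdd "https" default re-adds ring. Confirm with: cargo tree -i ring`. An empty `cargo tree -i ring` is the property a FIPS consumer actually needs, and it is cheap to assert in CI rather than trust the feature flag.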