Merge branch 'main' into avara1986/APPSEC-60135_iast_potencial_error

Author: avara1986

.claude/skills/releasenote/SKILL.md

@@ -0,0 +1,143 @@
+---
+
+name: releasenote
+description: >
+  Create or update release notes for changes in the current branch using Reno,
+  following dd-trace-py's conventions and the guidelines in docs/releasenotes.rst.
+allowed-tools:
+  - Bash
+  - Read
+  - Grep
+  - Glob
+  - TodoWrite
+
+---
+
+## When to Use This Skill
+
+Use this skill whenever:
+
+* The user asks to create a new release note.
+* The user asks to update or modify an existing release note.
+* The user wants a summary of changes that is intended to be inserted into a release note file.
+
+---
+
+## Key Principles
+
+* Follow strictly the conventions described in `docs/releasenotes.rst` and any Reno-related docs in the repo.
+* ALWAYS use `riot` (not `reno` directly) to generate the new release note skeleton.
+* If the user does not specify the release-note category (`feature`, `bugfix`, `deprecation`, `breaking-change`, `misc`, etc.), ask first.
+* Release notes must:
+  * Be one Reno fragment per change / PR, unless the change explicitly belongs inside an existing release note.
+  * Use a slug that is short, clear, and uses hyphens.
+  * Appear under `releasenotes/notes/` with a `.yaml` suffix.
+* If updating an existing fragment, search for a fragment that matches the topic or ticket before creating a new one.
+* Ensure the wording is:
+  * Clear, concise, and user-facing.
+  * Describes *what changed* and *why users should care*.
+  * Avoids internal-only terminology unless necessary.
+
+## Interaction Rules
+
+* Before creating anything:
+
+  1. Confirm the category.
+  2. Confirm the title-slug if the user hasn't provided one.
+  3. Confirm whether the release note is for a new fragment or an update.
+
+* If the user wants to modify a note:
+  * Search for the matching fragment using `ls releasenotes/notes/` or grep keywords.
+  * Open the file and update only the content the user mentions.
+
+
+## Quick Start
+
+### Create a new release note
+
+```bash
+riot run reno new <title-slug>
+```
+
+After creation, modify the generated YAML fragment to include the content under the correct section:
+
+```yaml
+features:
+  - |
+    <description of the new feature>
+
+# or
+
+fixes:
+  - |
+    <description of the bug fix>
+```
+
+### List existing release notes
+
+```bash
+ls releasenotes/notes/
+```
+
+### Find a release note containing a keyword
+
+```bash
+grep -R "<keyword>" releasenotes/notes/
+```
+
+---
+
+## Best Practices for Note Content
+
+* Start with an action verb: *Add…*, *Fix…*, *Improve…*, *Deprecate…*
+* Reference PR or issue numbers only if relevant (e.g., "(#12345)").
+* If the change requires user action, highlight it clearly.
+* Avoid long paragraphs; prefer concise bullet-style explanations.
+
+---
+
+## Optional Enhancements
+
+If you want, you can add:
+
+### Validation checks
+
+* Ensure the repo is clean (`git status`).
+* Confirm that the working directory is at the repo root.
+* Warn if a release note already exists for the same issue/PR.
+
+### Automation scaffolding
+
+* Automatically propose a slug from the branch name.
+* Suggest the best category based on commit diff keywords.
+
+---
+
+If you'd like, I can also:
+
+✔ generate a stricter version (more guardrails)
+✔ generate a shorter version (minimal skill spec)
+✔ help you convert this to Anthropic’s new "Tool Use Skills" format
+✔ help you create automated tests or examples for this skill
+
+Just tell me!
+
+
+## When to Use This Skill
+
+Use this skill when:
+- You are asked to create a new release note
+- You are asked to update an existing release note
+
+## Key Principles
+
+- Strictly follow what is described in docs/releasenotes.rst
+- ALWAYS use riot to generate the new release note
+- If the user does not specify it, ask whether it is a fix, a feature, etc.
+
+## Quick Start
+
+Create the release note:
+```bash
+riot run reno new <title-slug>
+```

.claude/skills/run-tests/SKILL.md

@@ -84,7 +84,7 @@ When you modify files like:
 #### For Test-Only Changes
 When you modify `tests/` files (but not test infrastructure):
 - Run only the specific test files/functions modified
-- Use pytest args: `-- -k test_name` or direct test file paths
+- Use pytest args: `-- -- -k test_name` or direct test file paths
 
 #### For Test Infrastructure Changes
 When you modify:
@@ -121,7 +121,7 @@ This will:
 
 For re-running specific tests:
 ```bash
-scripts/run-tests --venv <hash> -- -vv -k test_name
+scripts/run-tests --venv <hash> -- -- -vv -k test_name
 ```
 
 ## When Tests Fail
@@ -243,15 +243,15 @@ scripts/run-tests --list tests/contrib/flask/test_views.py
 # Output shows: contrib::flask suite
 
 # Run just the specific test:
-scripts/run-tests --venv flask_py311 -- -vv tests/contrib/flask/test_views.py
+scripts/run-tests --venv flask_py311 -- -- -vv tests/contrib/flask/test_views.py
 ```
 
 ### Example 4: Iterating on a Failing Test
 
 First run shows one test failing:
 
 ```bash
-scripts/run-tests --venv flask_py311 -- -vv -k test_view_called_twice
+scripts/run-tests --venv flask_py311 -- -- -vv -k test_view_called_twice
 # Focused on the specific failing test with verbose output
 ```
 
@@ -330,7 +330,7 @@ The `scripts/run-tests` system:
 - Uses `riot` to manage multiple Python/package combinations as venvs
 - Each venv is a self-contained environment
 - Docker services are managed per suite lifecycle
-- Tests can pass optional pytest arguments with `--`
+- Tests can pass optional pytest arguments with `-- --`
 
 ### Supported Suite Types
 

.github/workflows/system-tests.yml

@@ -45,7 +45,7 @@ jobs:
           persist-credentials: false
           repository: 'DataDog/system-tests'
           # Automatically managed, use scripts/update-system-tests-version to update
-          ref: '31bc180ce87184c996400361ddb17c8743eec18f'
+          ref: '94529f681dcaf74382ed47c3b0c85acdb775b6c9'
 
       - name: Download wheels to binaries directory
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -90,7 +90,7 @@ jobs:
           persist-credentials: false
           repository: 'DataDog/system-tests'
           # Automatically managed, use scripts/update-system-tests-version to update
-          ref: '31bc180ce87184c996400361ddb17c8743eec18f'
+          ref: '94529f681dcaf74382ed47c3b0c85acdb775b6c9'
 
       - name: Build runner
         uses: ./.github/actions/install_runner
@@ -217,6 +217,10 @@ jobs:
         if: always() && steps.docker_load.outcome == 'success' && matrix.scenario == 'appsec-1'
         run: ./run.sh APPSEC_RASP
 
+      - name: Run APPSEC_RASP_NON_BLOCKING
+        if: always() && steps.docker_load.outcome == 'success' && matrix.scenario == 'appsec-1'
+        run: ./run.sh APPSEC_RASP_NON_BLOCKING
+
       - name: Run APPSEC_RASP_WITHOUT_DOWNSTREAM_BODY_ANALYSIS_USING_MAX
         if: always() && steps.docker_load.outcome == 'success' && matrix.scenario == 'appsec-1'
         run: ./run.sh APPSEC_RASP_WITHOUT_DOWNSTREAM_BODY_ANALYSIS_USING_MAX
@@ -283,7 +287,7 @@ jobs:
           persist-credentials: false
           repository: 'DataDog/system-tests'
           # Automatically managed, use scripts/update-system-tests-version to update
-          ref: '31bc180ce87184c996400361ddb17c8743eec18f'
+          ref: '94529f681dcaf74382ed47c3b0c85acdb775b6c9'
       - name: Download wheels to binaries directory
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:

.gitlab-ci.yml

@@ -14,7 +14,7 @@ variables:
   DD_VPA_TEMPLATE: "vpa-template-cpu-p70-10percent-2x-oom-min-cap"
   # CI_DEBUG_SERVICES: "true"
   # Automatically managed, use scripts/update-system-tests-version to update
-  SYSTEM_TESTS_REF: "31bc180ce87184c996400361ddb17c8743eec18f"
+  SYSTEM_TESTS_REF: "94529f681dcaf74382ed47c3b0c85acdb775b6c9"
 
 default:
   interruptible: true

.riot/requirements/1832cc1.txt .riot/requirements/12131e2.txt.riot/requirements/1832cc1.txt renamed to .riot/requirements/12131e2.txt

@@ -2,9 +2,9 @@
 # This file is autogenerated by pip-compile with Python 3.10
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1832cc1.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/12131e2.in
 #
-anyio==4.11.0
+anyio==4.12.0
 asynctest==0.13.0
 attrs==25.4.0
 certifi==2025.11.12
@@ -23,8 +23,10 @@ msgpack==1.1.2
 opentracing==2.4.0
 packaging==25.0
 pluggy==1.6.0
+py-cpuinfo==9.0.0
 pygments==2.19.2
 pytest==9.0.1
+pytest-benchmark==5.2.3
 pytest-cov==7.0.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1

.riot/requirements/1e35505.txt .riot/requirements/13ee570.txt.riot/requirements/1e35505.txt renamed to .riot/requirements/13ee570.txt

@@ -2,9 +2,9 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1e35505.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/13ee570.in
 #
-anyio==4.11.0
+anyio==4.12.0
 asynctest==0.13.0
 attrs==25.4.0
 certifi==2025.11.12
@@ -22,8 +22,10 @@ msgpack==1.1.2
 opentracing==2.4.0
 packaging==25.0
 pluggy==1.6.0
+py-cpuinfo==9.0.0
 pygments==2.19.2
 pytest==8.4.2
+pytest-benchmark==5.2.3
 pytest-cov==7.0.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1

.riot/requirements/1aa84d6.txt .riot/requirements/1700bc6.txt.riot/requirements/1aa84d6.txt renamed to .riot/requirements/1700bc6.txt

@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.14
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1aa84d6.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1700bc6.in
 #
 anyio==4.12.0
 asynctest==0.13.0
@@ -22,7 +22,9 @@ msgpack==1.1.2
 opentracing==2.4.0
 packaging==25.0
 pluggy==1.6.0
+py-cpuinfo==9.0.0
 pytest==7.4.4
+pytest-benchmark==5.0.1
 pytest-cov==7.0.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1

.riot/requirements/d46b12e.txt .riot/requirements/1a4cb4d.txt.riot/requirements/d46b12e.txt renamed to .riot/requirements/1a4cb4d.txt

@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.14
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/d46b12e.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1a4cb4d.in
 #
 anyio==4.12.0
 asynctest==0.13.0
@@ -22,8 +22,10 @@ msgpack==1.1.2
 opentracing==2.4.0
 packaging==25.0
 pluggy==1.6.0
+py-cpuinfo==9.0.0
 pygments==2.19.2
 pytest==9.0.1
+pytest-benchmark==5.2.3
 pytest-cov==7.0.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1

.riot/requirements/bb5bc08.txt .riot/requirements/1c574f2.txt.riot/requirements/bb5bc08.txt renamed to .riot/requirements/1c574f2.txt

@@ -2,9 +2,9 @@
 # This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/bb5bc08.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1c574f2.in
 #
-anyio==4.11.0
+anyio==4.12.0
 attrs==25.4.0
 certifi==2025.11.12
 coverage[toml]==7.10.7
@@ -23,8 +23,10 @@ msgpack==1.1.2
 opentracing==2.4.0
 packaging==25.0
 pluggy==1.6.0
+py-cpuinfo==9.0.0
 pygments==2.19.2
 pytest==8.4.2
+pytest-benchmark==5.2.3
 pytest-cov==7.0.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1

.riot/requirements/195fa4e.txt .riot/requirements/1c92f27.txt.riot/requirements/195fa4e.txt renamed to .riot/requirements/1c92f27.txt

@@ -2,9 +2,9 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/195fa4e.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1c92f27.in
 #
-anyio==4.11.0
+anyio==4.12.0
 asynctest==0.13.0
 attrs==25.4.0
 certifi==2025.11.12
@@ -22,8 +22,10 @@ msgpack==1.1.2
 opentracing==2.4.0
 packaging==25.0
 pluggy==1.6.0
+py-cpuinfo==9.0.0
 pygments==2.19.2
 pytest==8.4.2
+pytest-benchmark==5.2.3
 pytest-cov==7.0.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1