
Implement an Org Propagation Guard mechanism#11289

Open
amarziali wants to merge 6 commits into
masterfrom
andrea.marziali/opg2

Conversation


@amarziali amarziali commented May 6, 2026

What Does This Do

Adds the Org Propagation Guard (OPG): a propagation-layer check that prevents part of the tracing context from leaking across organizational boundaries.

When enabled, every inbound trace is checked against the local Org Propagation Marker (OPM) reported by the Datadog Agent. If the inbound OPM doesn't match (or is absent in strict mode), sampling priority, origin, and _dd.p.* propagation tags are dropped. Parent/trace IDs, W3C baggage, and non-dd vendor tracestate are kept. On the inject side, the local OPM is stamped onto outgoing requests so downstream services can do the same check.

Off by default, with no overhead when disabled. When the agent hasn't reported a local OPM yet, enforcement is skipped entirely and the inbound context passes through unchanged, including any inbound OPM it carries.

Two additional knobs:

  • DD_TRACE_ORG_GUARD_STRICT=true also enforces when the inbound OPM is absent (not just on mismatch)
  • DD_TRACE_ORG_GUARD_TRUSTED_OPMS accepts a comma-separated list of partner OPMs to allow through

Each enforcement emits an org_guard.enforce metric with a reason tag (mismatch or strict_missing).

New configuration

| Env var | Default | Description |
|---|---|---|
| DD_TRACE_ORG_GUARD_ENABLED | false | Master switch |
| DD_TRACE_ORG_GUARD_STRICT | false | Enforce when inbound OPM is absent too |
| DD_TRACE_ORG_GUARD_TRUSTED_OPMS | (empty) | Comma-separated allowlist of trusted inbound OPMs |

Motivation

Additional Notes

System tests: DataDog/system-tests#6872

Contributor Checklist

Jira ticket: [PROJ-IDENT]

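As an added illustration of the extract-side decision and inject-side stamping described above (example code, not code from this PR or from dd-trace-java), using a simplified context; the `Context` shape, the class name and the outgoing header name are assumptions made for the example:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration of the OPG decision described in the PR; not dd-trace-java code.
public final class OrgGuardExample {

  // Simplified extracted context (a hypothetical shape, not the tracer's own types).
  static final class Context {
    String traceId, parentId, origin, baggage, vendorTracestate, inboundOpm;
    Integer samplingPriority;
    final Map<String, String> propagationTags = new HashMap<>();
  }

  // Extract side. Returns the enforcement reason ("mismatch" or "strict_missing")
  // when the sampling decision was dropped, or null when the context passed through.
  // Trace/parent IDs, baggage and vendor tracestate are never touched.
  static String enforce(Context ctx, String localOpm, boolean strict, Set<String> trustedOpms) {
    if (localOpm == null) {
      return null; // agent has not reported a local OPM yet: no enforcement at all
    }
    String reason;
    if (ctx.inboundOpm == null) {
      if (!strict) {
        return null; // an absent inbound OPM only counts in strict mode
      }
      reason = "strict_missing";
    } else if (ctx.inboundOpm.equals(localOpm) || trustedOpms.contains(ctx.inboundOpm)) {
      return null; // same org, or an allowlisted partner org
    } else {
      reason = "mismatch";
    }
    ctx.samplingPriority = null;
    ctx.origin = null;
    ctx.propagationTags.keySet().removeIf(k -> k.startsWith("_dd.p."));
    return reason; // caller emits org_guard.enforce tagged reason:<reason>
  }

  // Inject side: stamp the local OPM so the next hop can run the same check.
  // The header name is an assumption made for this example.
  static void inject(Map<String, String> headers, String localOpm) {
    if (localOpm != null) {
      headers.put("x-example-org-propagation-marker", localOpm);
    }
  }
}
```

With a local OPM of "org-a" and an inbound context carrying "org-b" that is not in the trusted set, `enforce` returns "mismatch" and clears `samplingPriority`, `origin` and every `_dd.p.*` entry while `traceId`, `parentId`, `baggage` and `vendorTracestate` are left intact.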

@amarziali amarziali added type: enhancement Enhancements and improvements comp: context propagation Trace context propagation labels May 6, 2026
@amarziali amarziali force-pushed the andrea.marziali/opg2 branch from 36a2d96 to 58d4e2d Compare May 26, 2026 09:42

datadog-prod-us1-5 Bot commented May 26, 2026

Pipelines

⚠️ Warnings

🚦 10 Pipeline jobs failed

Run system tests | main / End-to-end #5 / spring-boot 5 (GitHub Actions)

1 failed test: AssertionError: Request failed: None

Run system tests | main / End-to-end #1 / uds-spring-boot 1 (GitHub Actions)

Retry job. This looks flaky and may succeed on retry. Error response from daemon: Get "https://registry-1.docker.io/v2/": context deadline exceeded after multiple fetch attempts.

DataDog/apm-reliability/dd-trace-java | java-startup-parallel-check-slo-breaches (GitLab)

This job is unlikely to succeed on retry. Please review your pipeline configuration. Failed to generate Markdown threshold comparison report due to missing scenarios.

View all 10 failed jobs.

Commit SHA: 64ce55d


dd-octo-sts Bot commented May 26, 2026

🟢 Java Benchmark SLOs — All performance SLOs passed

| Suite | Status |
|---|---|
| Startup | 🟢 pass |

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Startup Time

| Scenario | This PR | master | Change |
|---|---|---|---|
| insecure-bank / iast | 13,995 ms | 13,870 ms | +0.9% |
| insecure-bank / tracing | 12,852 ms | 12,951 ms | -0.8% |
| petclinic / appsec | 16,519 ms | 16,478 ms | +0.2% |
| petclinic / iast | 16,598 ms | 16,606 ms | -0.0% |
| petclinic / profiling | 16,356 ms | 16,545 ms | -1.1% |
| petclinic / tracing | 15,892 ms | 15,793 ms | +0.6% |

Commit: 58d4e2d8 · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@amarziali amarziali force-pushed the andrea.marziali/opg2 branch from 58d4e2d to 784f890 Compare June 2, 2026 07:04
@amarziali amarziali marked this pull request as ready for review June 2, 2026 07:29
@amarziali amarziali requested review from a team as code owners June 2, 2026 07:29
@amarziali amarziali requested review from manuel-alvarez-alvarez, mcculls, mtoffl01 and sarahchen6 and removed request for a team June 2, 2026 07:29

@mcculls mcculls left a comment


Looks good - just some small suggestions

amarziali and others added 2 commits June 2, 2026 13:23
…/OrgGuardEnforcer.java

Co-authored-by: Stuart McCulloch <stuart.mcculloch@datadoghq.com>