feat(FeatureFlags): FFE APM feature-flag span enrichment (experimental, gated)

[leoromanovsky]

feat(FeatureFlags): FFE APM feature-flag span enrichment

⚠️ Experimental, opt-in, gated behind DD_EXPERIMENTAL_FLAGGING_PROVIDER_SPAN_ENRICHMENT_ENABLED (off by default).

Summary

Adds Feature Flag Events (FFE) span enrichment to the feature-flag integration. When feature
flags are evaluated, the evaluation metadata is attached to the root APM span so APM customers
can filter traces and errors by active flag variant, and the FFE/Experimentation platform can
correlate spans with experiments. The wire format matches the merged reference implementation
(dd-trace-js#8343) so backend/Trino decode is identical.

How it works

1. A flag is evaluated (via the OpenFeature DataDogProvider or the native DDTrace\FeatureFlags\Client).
2. Each evaluation is accumulated inline against the current root span.
3. At root-span close, the accumulated state is encoded and written as ffe_* tags.

Configuration

Opt-in, off by default:

DD_EXPERIMENTAL_FLAGGING_PROVIDER_SPAN_ENRICHMENT_ENABLED=true

This is distinct from DD_EXPERIMENTAL_FLAGGING_PROVIDER_ENABLED.

Span tags added

Tag	Description	Format
ffe_flags_enc	All evaluated flag serial IDs	base64 delta-varint
ffe_subjects_enc	Subject → flags mapping (when doLog=true)	JSON { sha256(key): encodedIds }
ffe_runtime_defaults	Fallback values for flags not in UFC	JSON { flagKey: value }

Limits: 200 serial IDs, 10 subjects, 20 experiments/subject, 5 runtime defaults, 64 chars/runtime-default value (UTF-8-safe truncation).

Changes

• Gate + config: add DD_EXPERIMENTAL_FLAGGING_PROVIDER_SPAN_ENRICHMENT_ENABLED (ext/configuration.h), off by default; thread the split serial_id Rust → C → PHP mapper (components-rs/ffe.rs, tracer/ffe.c/.h, ResultMapper.php).
• Codec + accumulator: inline span-enrichment accumulation (SpanEnrichmentAccumulator.php) with delta-varint serial IDs + SHA256-hashed subject keys; write ffe_* tags at root-span close (tracer/span.c).
• SpanEnrichmentBinder: binds enrichment to the native DDTrace\FeatureFlags\Client path in addition to the OpenFeature DataDogProvider, so non-OpenFeature consumers are enriched too.
• Tests: accumulator + result-mapper unit tests; .phpt ext tests for native bridge, serial-id passthrough, eval metrics, and remote-config lifecycle.

Decisions

• Inline accumulation (not a finally hook): PHP OpenFeature does not pass ResolutionDetails to finally hooks, so enrichment is accumulated inline.
• No idle per-span overhead when the gate is off — the accumulator is absent and spans carry no ffe_* tags.
• Lifecycle: accumulator reset on the root-span boundary.
• ffe_* are bare tag names on span meta (not _dd.-prefixed); subject keys are SHA256 hashes emitted only when logging is authorized.

Validation

FFE dogfooding app

Validated live against the ffe-dogfooding app via a trace-intake tee-proxy that captures the raw /v0.4/traces payload and decodes the ffe_* tags. Flag ffe-dogfooding-string-flag (serial 2312):

• Gate ON — the root span (web.request, auto-instrumented web SAPI) carried ffe_flags_enc decoding to serial [2312] plus a SHA256-hashed ffe_subjects_enc → [2312].
• Gate OFF — span flushed with zero ffe_* tags.

Local system-tests run

Ran the frozen system-tests parametric suite (tests/parametric/test_ffe/test_span_enrichment.py, unchanged) against this branch's tracer (dd-library-php-1.21.0, C extension built from source for aarch64-linux-gnu, PHP 8.2 NTS):

TEST_LIBRARY=php ./run.sh PARAMETRIC -k span_enrichment
Library: php@1.21.0
============================= 18 passed in 49.99s ==============================

All 18 cases pass — ffe_flags_enc aggregates serial IDs across evaluations and propagates from child spans to the root (ZAgUAg== → [100,108,128,130]); ffe_subjects_enc carries SHA256-hashed targeting keys gated on doLog; ffe_runtime_defaults is added for not-found flags with 64-char truncation; and all frozen limits are enforced. The SpanEnrichmentBinder change above was required so the native DDTrace\FeatureFlags\Client path (used by the parametric server) is enriched. The system-tests enablement (parametric server.php + manifests/php.yml) is a separate draft PR against DataDog/system-tests.

Full dogfooding matrix + fix (2026-06-17)

Re-validated end-to-end through the real OpenFeature provider path behind the trace-intake
tee-proxy, decoding ffe_* with scripts/decode_ffe_span_tags.py (root span web.request,
service ffe-dogfooding-php8-openfeature, extension built from this branch):

Scenario	Result
Gate ON (serial 2312)	ffe_flags_enc → [2312]; ffe_subjects_enc = {sha256(targeting key): ids} only when do_log
Gate OFF	zero ffe_* tags; no binder constructed
Aggregation	multiple flags + 2 subjects on one root → ffe_flags_enc = [829,1442,2311,2312], nothing overwritten (shared SpanEnrichmentRegistry)
Unicode + object runtime defaults	ffe_runtime_defaults raw UTF-8 (héllo-wörld-☃-日本語-Ω, こんにちは, 🎉), valid JSON, values truncated to 64
Codec parity	ZAgUAg== → [100,108,128,130]

Fix found by the matrix (commit fix(ffe): emit ffe_* JSON as raw UTF-8 with unescaped slashes):
the unicode scenario showed ffe_runtime_defaults was \uXXXX-escaped (and object values were
truncated mid-escape-sequence, yielding invalid JSON) because json_encode() was called without
flags. Added JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES at the three json_encode sites in
SpanEnrichmentAccumulator.php so the emitted bytes match the frozen Node JSON.stringify
contract (raw UTF-8, bare /). Existing accumulator unit tests json_decode the tags (normalizing
escapes) so they are unaffected; the dogfooding loop is what surfaced the divergence.

System-tests re-confirmed against a tarball rebuilt from this branch's source: 18 passed
(TEST_LIBRARY=php ./run.sh PARAMETRIC -k span_enrichment, library php@1.21.0).

[datadog-prod-us1-4]

 

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 14 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-php | benchmarks-tracer     

DataDog/apm-reliability/dd-trace-php | test_extension_ci: [7.1]     

DataDog/apm-reliability/dd-trace-php | test_extension_ci: [7.4]     

View all 14 failed jobs.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 54.08% (-0.04%)

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 156726d | Docs | Datadog PR Page | Give us feedback!}

[pr-commenter]

Benchmarks [ tracer ]

Benchmark execution time: 2026-06-17 08:47:40

Comparing candidate commit 3229c80 in PR branch leo.romanovsky/ffe-apm-span-enrichment with baseline commit a65b400 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 194 metrics, 0 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

• 🟩 = significantly better candidate vs. baseline
• 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'