Add AppSec scenarios for restart propagation behavior

[robertomonteromiguel]

Motivation

This PR adds two new end-to-end test scenarios to demonstrate and track a critical issue in dd-trace-java when using DD_TRACE_PROPAGATION_BEHAVIOR_EXTRACT=restart with AppSec enabled.

Problem Description

When DD_TRACE_PROPAGATION_BEHAVIOR_EXTRACT=restart is configured, the Java tracer fails to set AppSec tags on spans, causing:

• ❌ Missing _dd.appsec.enabled metric on root spans
• ❌ Missing appsec.event tag when security events are detected
• ❌ Missing HTTP request/response header collection metadata
• ❌ Incorrect sampling priority (stays at 1 instead of upgrading to 2 for security events)

This behavior is specific to Java - the same scenarios pass successfully for Node.js, Python, and .NET tracers.

Root Cause

The Java tracer resets propagation tags (including _dd.p.ts for AppSec context) to empty when in restart mode, breaking AppSec instrumentation that depends on these tags for proper span tagging and sampling decisions.

See detailed analysis: APPSEC_RESTART_PROPAGATION_ANALYSIS.md

Testing Impact

These scenarios will:

1. Document the issue with reproducible test cases
2. Prevent regressions once fixed in dd-trace-java
3. Verify cross-tracer consistency when the Java fix is implemented
4. Enable automated testing in CI pipelines

Changes

New Scenarios Added

1. APPSEC_WITH_RESTART_PROPAGATION (lines 1154-1160)

   • Enables AppSec with DD_TRACE_PROPAGATION_BEHAVIOR_EXTRACT=restart
   • Tests that AppSec tags are correctly set even when trace context is restarted
   • Status: ✅ Passing for Node.js, Python, .NET | ❌ Failing for Java

2. APPSEC_WITHOUT_RESTART_PROPAGATION (lines 1161-1166)

   • Enables AppSec with default propagation behavior (continue)
   • Serves as baseline comparison to show AppSec works correctly without restart mode
   • Status: ✅ Passing for all languages including Java

Test Coverage

Both scenarios use existing AppSec test cases from tests/appsec/test_traces.py:

• Test_RetainTraces::test_appsec_event_span_tags - Validates appsec.event tag and sampling priority
• Test_AppSecEventSpanTags::test_custom_span_tags - Validates _dd.appsec.enabled metric
• Test_AppSecEventSpanTags::test_header_collection - Validates HTTP header collection
• Test_AppSecEventSpanTags::test_root_span_coherence - Validates AppSec tags on correct span types

Documentation Added

• Analysis Document: APPSEC_RESTART_PROPAGATION_ANALYSIS.md
  • Complete root cause analysis
  • Tracer implementation comparison (Java vs Node.js vs Python)
  • Proposed fixes with code examples
  • Testing strategy and verification steps

Related Issues

• Tracer: dd-trace-java
• https://datadoghq.atlassian.net/browse/APMSP-2496

---

Note: This PR intentionally adds failing tests for Java to document the issue. The tests will pass once the corresponding fix is implemented in dd-trace-java.

1. ⚠️ Create your PR as draft ⚠️
2. Work on you PR until the CI passes
3. Mark it as ready for review
   • Test logic is modified? -> Get a review from RFC owner.
   • Framework is modified, or non obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed and the CI green, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

• Anything but tests/ or manifests/ is modified ? I have the approval from R&P team
• A docker base image is modified?
  • the relevant build-XXX-image label is present
• A scenario is added, removed or renamed?
  • Get a review from R&P team

[github-actions]

CODEOWNERS have been resolved as:

APPSEC_RESTART_PROPAGATION_ANALYSIS.md                                  @DataDog/system-tests-core
tests/appsec/test_traces.py                                             @DataDog/asm-libraries @DataDog/system-tests-core
utils/_context/_scenarios/__init__.py                                   @DataDog/system-tests-core