feat(config): bring dd-config validation checks natively into the agent

[kunalkxxxxxxxxr]

What does this PR do?

Adds new experimental functionality to the Datadog Agent CLI that implements a 6-stage config validation pipeline for datadog.yaml, without requiring a running agent. The entry point is:

agent experimental check-config -c <config-dir> [--no-api]

Validation stages run in order:

1. File permissions — warns if datadog.yaml is world-readable (API key exposure risk); skipped on Windows
2. YAML syntax — detects tab indentation, structural errors, and missing colons; reports the exact line number and content of the offending line with a plain-English fix suggestion; error appears exactly once in [ERR] format
3. API key format — validates 32-char hex format; tolerates empty keys (cloud-based auth) and ENC[] secret backend notation; uses scrubber.HideKeyExceptLastFiveChars for display masking
4. Site / region — validates against known Datadog domain patterns via regexp (forward-compatible with new DCs, avoids hardcoded site list)
5. Live API key validation — verifies the key is accepted by the Datadog API for the configured site; can be skipped for air-gapped or CI environments
6. Product enablement summary — uses cfg.GetBool() to show which products are enabled; when none are configured, clearly states "No products are enabled. Sending only Metrics."

Motivation

agent config currently only supports runtime config inspection (IPC to a running agent). dd-config — a standalone Datadog CLI — has a richer validation pipeline that catches common misconfigurations before the agent starts. This PR ports the most impactful checks into the agent binary itself so users have a single tool.

Schema validation (2200+ keys via santhosh-tekuri/jsonschema/v6) was prototyped but excluded due to the ~2MB binary size increase. The charmbracelet TUI wizard was also prototyped but excluded — it requires bubbletea + lipgloss and is better suited to a standalone tool like dd-config.

Describe how you validated your changes

Unit tests (8 test functions, 25 cases — all passing):

• TestCheckYAMLSyntax — 8 sub-cases: valid YAML, tabs, missing colons, bad indentation
• TestBuildFriendlyYAMLError — 4 sub-cases: line number extraction, human-readable messages
• TestCheckFilePermissions — world-readable warning, no sudo in message; skipped on Windows
• TestValidSiteRe — regexp matches all known Datadog sites, rejects unknown domains
• TestValidateAPIKey — 5 sub-cases: valid key, empty key, ENC[], too short, non-hex
• TestFormatLineNumbers — line number formatting helper
• Command wiring tests for both entry points via fxutil.TestOneShotSubcommand

Manual phase testing using fixture files:

Phase	Bad fixture	Result	Good fixture	Result
1 — YAML syntax	Tab on line 4	[ERR] yaml_syntax: YAML syntax error on line 4: tab character... content: "\tenabled: true"	Valid YAML	All [OK]
2a — API key format	Key too short	[ERR] api_key: format is invalid (got 8 chars...)	Valid 32-hex key	[OK] api_key
2b — Live API	Fake key, live check skipped	Pipeline completes	Same	Same
2c — Site/region	Unknown site	[ERR] site: does not appear to be a valid Datadog site	Valid site	[OK] site
2e — Permissions	Mode 644	[WARN] permissions: world-readable	Mode 640	[OK] permissions
2f — Products	No products + APM disabled	No products are enabled. Sending only Metrics. + [X] for all	Logs+APM+Process	✓ Log collection ✓ APM ✓ Live Process

Additional Notes

• New code is fully isolated from existing runtime config commands (showRuntimeConfiguration, listRuntimeConfigurableValue, setConfigValue, getConfigValue, otelAgentCfg) — zero coupling
• Product summary uses cfg.GetBool() directly per reviewer feedback
• YAML syntax errors are intercepted before Viper loads the config, so the friendly error message always reaches the user regardless of how broken the YAML is; cmd.Root().SetErr(io.Discard) prevents the error from being printed twice by runcmd.displayError
• API key masking uses scrubber.HideKeyExceptLastFiveChars (existing agent utility)
• Site validation uses the same regexp pattern as pkg/config/utils/endpoints.go (ddDomainPattern) for forward-compatibility with future Datadog datacenters
• File permissions check is skipped on Windows (uses ACLs rather than Unix mode bits)

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8c723140c1

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Treat unknown site as a failing config check

When checkSite reports an unknown site, runConfigCheck does not mark the run as failed; siteValid is only used to skip the live API call, so hasErrors can remain false and the command exits 0 even after printing [ERR] site. This means a config whose only problem is an invalid region value can incorrectly pass CI/automation that relies on the exit code.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Resolve writable config path when no file was loaded

runConfigSetup uses cfg.ConfigFileUsed() as the write target, but that value is empty when no datadog.yaml was found (for example on first-time setup or when -c points to a directory without the file). In that case applySetupResult eventually calls os.WriteFile with an empty path and the wizard cannot create a new config file, which breaks the advertised "create or edit" flow.

Useful? React with 👍 / 👎.

[agent-platform-auto-pr]

Go Package Import Differences

Baseline: cc12a65
Comparison: 800b673

binary	os	arch	change
agent	linux	amd64	+2, -0 +github.com/DataDog/datadog-agent/cmd/agent/subcommands/experimental +github.com/DataDog/datadog-agent/pkg/cli/subcommands/experimental
agent	linux	arm64	+2, -0 +github.com/DataDog/datadog-agent/cmd/agent/subcommands/experimental +github.com/DataDog/datadog-agent/pkg/cli/subcommands/experimental
agent	windows	amd64	+2, -0 +github.com/DataDog/datadog-agent/cmd/agent/subcommands/experimental +github.com/DataDog/datadog-agent/pkg/cli/subcommands/experimental
agent	darwin	amd64	+2, -0 +github.com/DataDog/datadog-agent/cmd/agent/subcommands/experimental +github.com/DataDog/datadog-agent/pkg/cli/subcommands/experimental
agent	darwin	arm64	+2, -0 +github.com/DataDog/datadog-agent/cmd/agent/subcommands/experimental +github.com/DataDog/datadog-agent/pkg/cli/subcommands/experimental
heroku-agent	linux	amd64	+2, -0 +github.com/DataDog/datadog-agent/cmd/agent/subcommands/experimental +github.com/DataDog/datadog-agent/pkg/cli/subcommands/experimental

[agent-platform-auto-pr]

Files inventory check summary

File checks results against ancestor cc12a65a:

Results for datadog-agent_7.79.0~devel.git.72.800b673.pipeline.104311618-1_amd64.deb:

No change detected

[rahulkaukuntla]

Hi @kunalkxxxxxxxxr, if you run go mod tidy from the datadog-agent repo, you'll see that this pr imports a lot of new dependencies, the most notable of which is charmbracelet (what is used to render the terminal ui). This will increase the size of the agent binary by a large amount, and I'm guessing that this size increase won't be accepted. The Agent is very size-sensitive, as customers are expected to install the agent in their setup. I'm not sure where it would be better to put this, but I feel like this repository isn't such a place.

[kunalkxxxxxxxxr]

Code isolation check

• check.go and experimental.go are entirely new files with zero coupling to existing runtime config commands (showRuntimeConfiguration, listRuntimeConfigurableValue, setConfigValue, getConfigValue, otelAgentCfg). None of those functions call into the new code and the new code doesn't call into them.
• command.go has one touch: noAPICheck bool added to cliParams struct — inert for all existing subcommands.
• subcommands.go has one new line registering the new command factory.
• The single gate point for a future feature flag is MakeExperimentalCommand() in pkg/cli/subcommands/config/experimental.go.

[kunalkxxxxxxxxr]

I have read the CLA Document and I hereby sign the CLA

[pducolin]

💬 suggestion

Suggested change

// hush-hush: Removed sudo suggestion. Only call this on non-Windows systems;

Looks like a dev comment, should it be removed?

[pducolin]

💬 suggestion
Instead of returning a string, would be more Go-like and readable to return a pair of boolean, error. If the check is ok, it returns true, nil. Otherwise it returns false and give context in the error. This way you can stack errors

Suggested change

	func checkFilePermissions(path string) string {
	info, err := os.Stat(path)
	if err != nil {
	return ""
	}
	if info.Mode()&0o007 != 0 {
	return fmt.Sprintf("config file is world-readable (mode %s) — API key may be exposed. Fix: chmod 640 %s", info.Mode(), path)
	}
	return ""
	}
	func checkFilePermissions(path string) (bool, error) {
	// this should not run on windows, raise an error
	if runtime.GOOS == "windows" {
	return false, errors.New("File permissions check not implemented on Windows")
	}
	info, err := os.Stat(path)
	if err != nil {
	return false, err
	}
	if info.Mode()&0o007 != 0 {
	return false, fmt.Errorf("config file is world-readable (mode %s) — API key may be exposed. Fix: chmod 640 %s", info.Mode(), path)
	}
	return true, nil
	}

[pducolin]

💬 suggestion

Claude and AI agents tend to find the shortest path to validation. In this case, instead of adding an error check as suggested by the linter, it mutes it. Let's implement it.

Suggested change

	fmt.Sscanf(yamlMsg, "yaml: line %d:", &lineNum) //nolint:errcheck
	_, err := fmt.Sscanf(yamlMsg, "yaml: line %d:", &lineNum)
	if err != nil {
	return err
	}

[pducolin]

💬 suggestion
You are not using lineNum until row 73, let's move it there

[pducolin]

💬 suggestion
Better returning a string, rather than an error. You don't stack errors here, and you always return something, never a nil error

[pducolin]

🔨 warning
If the yamlMsg contains more than one of these, you will overwrite them. A better implementation would be to rather loop on possible messages and stack them in an array. Then build the message based on all the errors found.

Also a bit worried about this hardcoded implementation, as it strongly depends on the yaml output. One guess have is that, if the code runs on an OS whom language is set to FR or anything else than EN, this will not work.

[pducolin]

🔨 warning
This string should not go straight to output. It should be returned as output, and handled by the caller printed through logs

[pducolin]

🔨 warning
Same here, you cannot mute these logs, not ideal.

[pducolin]

💬 suggestion
Here too return bool + error

[pducolin]

❓ question
Why onboard and check-config implement the same command runE? Why not just one command?

[pducolin]

❓ question
if descriptions is empty, it means it did not find

	{
		contains:    "found character that cannot start any token",
		description: "tab character used for indentation",
		fix:         "YAML requires spaces for indentation, not tabs — replace all tabs with spaces",
	},

why is this fix suggesting to check indentation anyway?

[kunalkxxxxxxxxr]

The fallback fix message will no longer incorrectly suggest checking indentation — it now says "refer to the YAML error above for details" since the actual cause is unknown.

[pducolin]

💬 suggestion
No need to return err.Error() as string

Suggested change

	return err.Error(), err
	return "", err

[kunalkxxxxxxxxr]

Fixed

[pducolin]

💬 suggestion
For coherence with other checks

Suggested change

	func checkSite(cfg config.Component) (site string, valid bool, message string) {
	func checkSite(cfg config.Component) (valid bool, site string, message string) {

[pducolin]

💬 suggestion
To help interacting with this function, better explicit what the string returns. Would also add a boolean for coherence with other checks

Suggested change

	func validateAPIKey(apiKey string) (string, error) {
	func validateAPIKey(apiKey string) (message string, err error) {

[pducolin]

💬 suggestion
To properly clean up after test, I would remove the file in a defered call

Suggested change

	require.NoError(t, os.WriteFile(path, []byte("api_key: test\n"), 0640))
	require.NoError(t, os.WriteFile(path, []byte("api_key: test\n"), 0640))
	defer require.NoError(t, os.RemoveFile(path))

[kunalkxxxxxxxxr]

Done — added the deferred cleanup. Two small corrections from your suggestion: os.RemoveFile doesn't exist in Go (it's os.Remove), and the closure form is needed so os.Remove runs at defer-time rather than immediately: defer func() { require.NoError(t, os.Remove(path)) }().

[pducolin]

💬 suggestion
This could be an embedded file

[kunalkxxxxxxxxr]

Good call — done. Created testdata/yaml_error_test.yaml (with a literal tab on line 4 for the tab-character test case) and switched to //go:embed + strings.Split(strings.TrimRight(...)) to load it. All four sub-tests still pass.

[pducolin]

❓ question
What happens if a config file has multiple errors?

[kunalkxxxxxxxxr]

Good question. runConfigCheck runs all validation stages and accumulates errors — it does not short-circuit after the first failure.

Stages 3 (API key format) and 4 (site) both set hasErrors = true and continue, so a config with e.g. both a bad API key and a bad site will surface both [ERR] lines before the function returns.

The one exception is a YAML parse failure at stage 2: since later stages depend on a valid, parsed config, we return early there with a clear error message.

I've added TestMultipleErrorsAllReported to cover this — it verifies each check produces an independent error and documents the early-return exception for YAML.

[clarkb7]

File permissions — warns if datadog.yaml is world-readable (API key exposure risk); skipped on Windows

Why are we skipping this on Windows? if you're not sure how to implement then #windows-products can help :)