fix(crypto): gate libdd-common TLS features in obfuscation and capabilities-impl

[duncanista]

What does this PR do?

Follows up on #1816 by gating libdd-common's TLS features behind https/fips feature flags in the three internal crates that were still pulling in libdd-common with default features. Without this, downstream consumers that build with --no-default-features --features fips still get ring in the dependency tree via transitive default feature activation, breaking FIPS compliance checks.

Changes:

• libdd-trace-obfuscation/Cargo.toml: Added default-features = false on both libdd-common and libdd-trace-utils. Added [features] section with default = ["https"], https (forwarding to libdd-common/https and libdd-trace-utils/https), and fips (forwarding to libdd-common/fips and libdd-trace-utils/fips).
• libdd-capabilities-impl/Cargo.toml: Added default-features = false on libdd-common. Added [features] section with default = ["https"], https (forwarding to libdd-common/https), and fips (forwarding to libdd-common/fips).
• libdd-trace-utils/Cargo.toml: Added default-features = false on libdd-capabilities-impl in [target.'cfg(not(target_arch = "wasm32"))'.dependencies]. Updated https and fips features to also forward to libdd-capabilities-impl/https and libdd-capabilities-impl/fips respectively.

Motivation

PR #1816 moved ring behind libdd-common's https feature and introduced a separate fips feature that uses aws-lc-rs without pulling in ring. However, three internal crates (libdd-trace-obfuscation, libdd-capabilities-impl, and libdd-trace-utils via libdd-capabilities-impl) still depended on libdd-common with default features enabled. Since Cargo features are additive, this caused libdd-common/default → https → rustls/ring to be activated regardless of what the downstream consumer configured.

In datadog-lambda-extension, the FIPS build (cargo clippy --no-default-features --features fips) was failing because the build.rs FIPS compliance check detected ring in the dependency tree through these transitive paths:

ring v0.17.14
└── rustls
    └── libdd-common (feature "https", activated by "default")
        ├── libdd-trace-obfuscation (default features)
        ├── libdd-capabilities-impl (default features, via libdd-trace-utils)
        └── libdd-trace-utils (default features, via libdd-trace-obfuscation)

This PR applies the same pattern already used by libdd-trace-utils for its libdd-common dependency (default-features = false + explicit https/fips forwarding) to all internal crates in the dependency chain.

Additional Notes

• libdd-trace-utils already had default-features = false on libdd-common and proper https/fips feature gates. The only change to libdd-trace-utils is adding the same treatment for its libdd-capabilities-impl dependency.
• Default builds are unchanged — the default = ["https"] feature on each crate preserves the existing behavior where ring is used as the crypto backend.
• Downstream consumers that need FIPS must set default-features = false on these crates and activate the fips feature explicitly. For example, in datadog-lambda-extension:

  libdd-common = { ..., default-features = false }
  libdd-trace-utils = { ..., default-features = false, features = ["mini_agent"] }
  libdd-trace-obfuscation = { ..., default-features = false }
  
  [features]
  default = ["libdd-common/default", "libdd-trace-utils/default", "libdd-trace-obfuscation/default", ...]
  fips = ["libdd-common/fips", "libdd-trace-utils/fips", "libdd-trace-obfuscation/fips", ...]

How to test the change?

• Verify default build compiles (ring path unchanged):

  cargo check --workspace
  

• Verify ring is absent from a FIPS feature build of affected crates:

  cargo tree -p libdd-trace-obfuscation --no-default-features --features fips -i ring
  # Expected: "error: package ID specification `ring` did not match any packages"
  

• Verify aws-lc-rs is present in FIPS builds:

  cargo tree -p libdd-trace-obfuscation --no-default-features --features fips -i aws-lc-rs
  # Expected: aws-lc-rs present via hyper-rustls/fips
  

• Verify ring is still present in default builds:

  cargo tree -p libdd-trace-obfuscation -i ring
  # Expected: ring present via libdd-common/https
  

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.78%. Comparing base (d60d0a4) to head (0e0729d).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1872      +/-   ##
==========================================
- Coverage   71.79%   71.78%   -0.02%     
==========================================
  Files         429      429              
  Lines       68082    68082              
==========================================
- Hits        48877    48870       -7     
- Misses      19205    19212       +7     

Components	Coverage Δ
libdd-crashtracker	66.03% <ø> (-0.02%)	⬇️
libdd-crashtracker-ffi	34.47% <ø> (ø)
libdd-alloc	98.77% <ø> (ø)
libdd-data-pipeline	86.08% <ø> (-0.07%)	⬇️
libdd-data-pipeline-ffi	72.16% <ø> (-0.34%)	⬇️
libdd-common	79.16% <ø> (ø)
libdd-common-ffi	73.87% <ø> (ø)
libdd-telemetry	65.98% <ø> (-0.04%)	⬇️
libdd-telemetry-ffi	16.75% <ø> (ø)
libdd-dogstatsd-client	82.64% <ø> (ø)
datadog-ipc	73.10% <ø> (ø)
libdd-profiling	81.62% <ø> (ø)
libdd-profiling-ffi	64.94% <ø> (ø)
datadog-sidecar	30.69% <ø> (+0.15%)	⬆️
datdog-sidecar-ffi	9.52% <ø> (+0.74%)	⬆️
spawn-worker	54.69% <ø> (ø)
libdd-tinybytes	93.16% <ø> (ø)
libdd-trace-normalization	81.71% <ø> (ø)
libdd-trace-obfuscation	87.24% <ø> (ø)
libdd-trace-protobuf	68.25% <ø> (ø)
libdd-trace-utils	89.24% <ø> (ø)
datadog-tracer-flare	86.88% <ø> (ø)
libdd-log	74.69% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[datadog-official]

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 71.78% (-0.01%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0e0729d | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[dd-octo-sts]

Artifact Size Benchmark Report

aarch64-alpine-linux-musl

Artifact	Baseline	Commit	Change
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.so	7.63 MB	7.63 MB	0% (0 B) 👌
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.a	83.25 MB	83.25 MB	-0% (-296 B) 👌

aarch64-unknown-linux-gnu

Artifact	Baseline	Commit	Change
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a	99.29 MB	99.30 MB	+0% (+5.03 KB) 👌
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so	10.10 MB	10.10 MB	+0% (+144 B) 👌

libdatadog-x64-windows

Artifact	Baseline	Commit	Change
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll	25.16 MB	25.16 MB	0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib	78.21 KB	78.21 KB	0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb	184.24 MB	184.19 MB	--.02% (-48.00 KB) 💪
/libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib	917.27 MB	917.26 MB	-0% (-4.49 KB) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll	7.88 MB	7.88 MB	0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib	78.21 KB	78.21 KB	0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb	23.64 MB	23.64 MB	0% (0 B) 👌
/libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib	46.13 MB	46.13 MB	-0% (-130 B) 👌

libdatadog-x86-windows

Artifact	Baseline	Commit	Change
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll	21.63 MB	21.63 MB	-0% (-512 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib	79.42 KB	79.42 KB	0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb	188.34 MB	188.31 MB	--.01% (-32.00 KB) 💪
/libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib	902.28 MB	902.27 MB	-0% (-11.99 KB) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll	6.12 MB	6.12 MB	0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib	79.42 KB	79.42 KB	0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb	25.31 MB	25.31 MB	0% (0 B) 👌
/libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib	43.60 MB	43.60 MB	-0% (-1.31 KB) 👌

x86_64-alpine-linux-musl

Artifact	Baseline	Commit	Change
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.a	74.38 MB	74.38 MB	-0% (-160 B) 👌
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.so	8.51 MB	8.51 MB	0% (0 B) 👌

x86_64-unknown-linux-gnu

Artifact	Baseline	Commit	Change
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a	91.66 MB	91.67 MB	+0% (+2.28 KB) 👌
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so	10.18 MB	10.18 MB	+0% (+96 B) 👌