Expand appsec integrations to Laminas Framework

[estringana]

Add AAP support to Laminas framework

This PR introduces AAP support to the Laminas framework, enabling improved observability and authentication-related event tracking.

Features added

• Provide http.route
  Captures and exposes the resolved route for incoming requests.

• Collect endpoints at startup
  Gathers and registers available endpoints during application bootstrap.

• Login success event
  Emits an event when a user successfully authenticates.

• Login failure event
  Emits an event when authentication fails.

• Authenticated request events
  Tracks requests performed by authenticated users.

• Collect path parameters
  Extracts and includes route path parameters in the collected data.

Limitations / Missing features

• Signup events
  Not implemented because Laminas does not provide a built-in signup mechanism. This functionality is application-specific and must be implemented by developers if needed.

Reviewer checklist

• Test coverage seems ok.
• Appropriate labels assigned.

[datadog-prod-us1-4]

⚠️ Tests

✨ Fix all issues with BitsAI or with Cursor

⚠️ Other Violations

❄️ 2 New flaky tests detected

Endpoints are sent() from com.datadog.appsec.php.integration.Laminas33Tests     (Fix with Cursor)

Assertion failed: 

assert endpoints.size() == 4
       |         |      |
       []        0      false

Assertion failed: 

assert endpoints.size() == 4
       |         |      |
...

path params trigger WAF block and laminas http route template() from com.datadog.appsec.php.integration.Laminas33Tests     (Fix with Cursor)

java.lang.AssertionError: Mismatched trace id gotten after request to http://docker:32772/dynamic-path/someValue: expected 17330552715433315787, but got 14893484583510283577

java.lang.AssertionError: Mismatched trace id gotten after request to http://docker:32772/dynamic-path/someValue: expected 17330552715433315787, but got 14893484583510283577
	at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache(IndyInterface.java:321)
	at com.datadog.appsec.php.docker.AppSecContainer.traceFromRequest(AppSecContainer.groovy:399)
	at com.datadog.appsec.php.docker.AppSecContainer.traceFromRequest(AppSecContainer.groovy)
	at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache(IndyInterface.java:321)
	at com.datadog.appsec.php.integration.Laminas33Tests.path params trigger WAF block and laminas http route template(Laminas33Tests.groovy:166)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
...

ℹ️ Info

No other issues found (see more)

🧪 All tests passed

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 60.68% (-0.01%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 140b8c4 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.74%. Comparing base (78ecdb0) to head (d2866e8).
⚠️ Report is 16 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3716      +/-   ##
==========================================
- Coverage   68.81%   68.74%   -0.08%     
==========================================
  Files         166      166              
  Lines       19030    19030              
  Branches     1797     1797              
==========================================
- Hits        13096    13082      -14     
- Misses       5121     5135      +14     
  Partials      813      813              

Flag	Coverage Δ
helper-rust-integration	78.82% <ø> (-0.03%)	⬇️
helper-rust-unit	49.17% <ø> (-0.20%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 4 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 78ecdb0...d2866e8. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[pr-commenter]

Benchmarks [ tracer ]

Benchmark execution time: 2026-04-14 15:46:16

Comparing candidate commit a35cd52 in PR branch estringana/add-laminas-appsec-integration with baseline commit df43587 in branch master.

Found 0 performance improvements and 6 performance regressions! Performance is the same for 188 metrics, 0 unstable metrics.

scenario:MessagePackSerializationBench/benchMessagePackSerialization-opcache

• 🟥 execution_time [+3.785µs; +5.055µs] or [+3.818%; +5.100%]

scenario:PDOBench/benchPDOOverhead-opcache

• 🟥 execution_time [+8.038µs; +9.869µs] or [+3.365%; +4.131%]

scenario:PDOBench/benchPDOOverheadWithDBM-opcache

• 🟥 execution_time [+7.608µs; +9.649µs] or [+3.175%; +4.027%]

scenario:PHPRedisBench/benchRedisOverhead

• 🟥 execution_time [+33.225µs; +41.437µs] or [+3.496%; +4.360%]

scenario:SamplingRuleMatchingBench/benchRegexMatching1

• 🟥 execution_time [+31.682ns; +109.118ns] or [+2.139%; +7.366%]

scenario:SamplingRuleMatchingBench/benchRegexMatching3

• 🟥 execution_time [+44.495ns; +120.705ns] or [+2.997%; +8.131%]

[github-actions]

Snapshots difference summary

The following differences have been observed in committed snapshots. It is meant to help the reviewer.
The diff is simplistic, so please check some files anyway while we improve it.

If you need to update snapshots, please refer to CONTRIBUTING.md

[cataphract]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 140b8c4617

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Derive login from configured adapter on auth failures

The failure path only inspects $hook->args[0] for the adapter, so applications that use setAdapter($adapter) followed by authenticate() (no argument) emit login-failure events without a user identifier. That drops automated identification data for a common Laminas authentication flow and makes failure telemetry much less useful.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Register endpoints even when route match is null

Endpoint collection is gated on getRouteMatch() !== null, so requests that route to 404/no-match paths skip collection entirely. If early traffic is mostly unmatched (or an app primarily serves unmatched probes), are_endpoints_collected() can remain false and endpoints may never be registered despite the router being available.

Useful? React with 👍 / 👎.