[codex] feat(signal-safe-http-client): add no_std HTTP client

[pawelchcki]

What changed

Adds a new libdd-signal-safe-http-client crate as a no-default-features, no_std facade over reqwless.

The crate keeps alloc, std, and TLS backend integration opt-in. It inherits workspace lints and exposes the embedded I/O traits and reqwless request/response/client types for caller-provided transports and buffers.

This also adds a Linux-only origin + rustix example that builds for x86_64-unknown-linux-none without default features. The example streams a fixed Alpine ISO over HTTP, hashes it with SHA-256, and verifies the result against a hardcoded digest.

DNS/example details

The example resolver is no-alloc and does not call the libc resolver. It checks /etc/hosts, parses /etc/resolv.conf, supports search/domain, options ndots:n, CNAME chasing, UDP A-record lookups through low_dns, and TCP fallback for truncated DNS replies.

Validation

• cargo +nightly-2026-02-08 fmt --all -- --check
• cargo check -p libdd-signal-safe-http-client --no-default-features
• cargo test -p libdd-signal-safe-http-client --no-default-features
• cargo +stable clippy -p libdd-signal-safe-http-client --all-targets --no-default-features --features std,alloc,mbedtls,esp-mbedtls -- -D warnings
• RUSTFLAGS='-C target-feature=+crt-static -C relocation-model=static' cargo +nightly-2026-02-08 build -p libdd-signal-safe-http-client --example http_only_no_std --no-default-features --target x86_64-unknown-linux-none -Zbuild-std=core,compiler_builtins -Zbuild-std-features=compiler-builtins-mem
• RUSTFLAGS='-C target-feature=+crt-static -C relocation-model=static' cargo +nightly-2026-02-08 clippy -p libdd-signal-safe-http-client --example http_only_no_std --no-default-features --target x86_64-unknown-linux-none -Zbuild-std=core,compiler_builtins -Zbuild-std-features=compiler-builtins-mem -- -D warnings
• Debian Docker run of the no_std example, including SHA-256 verification
• Scratch-image Docker run of the no_std example, including SHA-256 verification
• Scratch-image run with DNS disabled and /etc/hosts injected, including SHA-256 verification
• Feature scan found no no-default alloc, std, mbedtls, embedded-tls, or esp-mbedtls on the linux-none path
• Symbol scan found no getaddrinfo, freeaddrinfo, malloc family, mbedtls, or rustls symbols in the linux-none example binary

Notes

LICENSE-3rdparty.csv is intentionally not regenerated here; the commit hook/normal license workflow should handle that.

[datadog-prod-us1-4]

 

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 12 Pipeline jobs failed

Lint | Valid LICENSE-3rdparty.csv     

Lint | clippy #ubuntu-latest msrv     

Lint | clippy #ubuntu-latest nightly     

View all 12 failed jobs.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 1892f2b | Docs | Datadog PR Page | Give us feedback!}

[github-actions]

📚 Documentation Check Results

⚠️ 171 documentation warning(s) found

📦 libdd-signal-safe-http-client - ✅ No warnings

📦 tools - 171 warning(s)

---

Updated: 2026-06-15 11:27:58 UTC | Commit: d7bfa23 | missing-docs job results

[github-actions]

Clippy Allow Annotation Report

Comparing clippy allow annotations between branches:

• Base Branch: origin/main
• PR Branch: origin/tiny_http_client

Summary by Rule

Rule	Base Branch	PR Branch	Change

Annotation Counts by File

File	Base Branch	PR Branch	Change

Annotation Stats by Crate

Crate	Base Branch	PR Branch	Change
clippy-annotation-reporter	5	5	No change (0%)
datadog-ffe-ffi	1	1	No change (0%)
datadog-ipc	21	21	No change (0%)
datadog-live-debugger	4	4	No change (0%)
datadog-live-debugger-ffi	10	10	No change (0%)
datadog-profiling-replayer	4	4	No change (0%)
datadog-sidecar	46	46	No change (0%)
libdd-common	13	13	No change (0%)
libdd-common-ffi	12	12	No change (0%)
libdd-data-pipeline	5	5	No change (0%)
libdd-ddsketch	2	2	No change (0%)
libdd-dogstatsd-client	1	1	No change (0%)
libdd-profiling	13	13	No change (0%)
libdd-remote-config	3	3	No change (0%)
libdd-telemetry	20	20	No change (0%)
libdd-tinybytes	4	4	No change (0%)
libdd-trace-normalization	2	2	No change (0%)
libdd-trace-obfuscation	3	3	No change (0%)
libdd-trace-stats	1	1	No change (0%)
libdd-trace-utils	12	12	No change (0%)
Total	182	182	No change (0%)

About This Report

This report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality.

[github-actions]

🔒 Cargo Deny Results

⚠️ 1 issue(s) found, showing only errors (advisories, bans, sources)

📦 libdd-signal-safe-http-client - ✅ No issues

📦 tools - 1 error(s)

Show output

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:76:1
   │
76 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
   │
   ├ ID: RUSTSEC-2026-0097
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
   ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
     
     - The `log` and `thread_rng` features are enabled
     - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
     - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
     - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
     - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
     
     `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
   ├ Announcement: https://github.com/rust-random/rand/pull/1763
   ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
   ├ rand v0.8.5
     └── (dev) libdd-common v4.2.0
         └── tools v35.0.0

advisories FAILED, bans ok, sources ok

---

Updated: 2026-06-15 11:29:59 UTC | Commit: d7bfa23 | dependency-check job results