[appsec] Integrate SCA instrumentation with agent bootstrap and wire Instrumentation API

  Completes end-to-end integration of SCA hot instrumentation by wiring the
  Java Instrumentation API through the agent initialization chain. The
  Instrumentation instance is now passed from Agent.start() → AppSecSystem.start()
  → AppSecConfigServiceImpl.setInstrumentation(), enabling dynamic bytecode
  transformation when SCA configs arrive via Remote Config.

Author: jandro996

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/Agent.java

@@ -659,7 +659,7 @@ public void execute() {
         resumeRemoteComponents();
       }
 
-      maybeStartAppSec(scoClass, sco);
+      maybeStartAppSec(instrumentation, scoClass, sco);
       maybeStartCiVisibility(instrumentation, scoClass, sco);
       maybeStartLLMObs(instrumentation, scoClass, sco);
       // start debugger before remote config to subscribe to it before starting to poll
@@ -973,7 +973,7 @@ private static void maybeStartAiGuard() {
     }
   }
 
-  private static void maybeStartAppSec(Class<?> scoClass, Object o) {
+  private static void maybeStartAppSec(Instrumentation inst, Class<?> scoClass, Object o) {
 
     try {
       // event tracking SDK must be available for customers even if AppSec is fully disabled
@@ -990,21 +990,22 @@ private static void maybeStartAppSec(Class<?> scoClass, Object o) {
 
     try {
       SubscriptionService ss = AgentTracer.get().getSubscriptionService(RequestContextSlot.APPSEC);
-      startAppSec(ss, scoClass, o);
+      startAppSec(inst, ss, scoClass, o);
     } catch (Exception e) {
       log.error("Error starting AppSec System", e);
     }
 
     StaticEventLogger.end("AppSec");
   }
 
-  private static void startAppSec(SubscriptionService ss, Class<?> scoClass, Object sco) {
+  private static void startAppSec(
+      Instrumentation inst, SubscriptionService ss, Class<?> scoClass, Object sco) {
     try {
       final Class<?> appSecSysClass =
           AGENT_CLASSLOADER.loadClass("com.datadog.appsec.AppSecSystem");
       final Method appSecInstallerMethod =
-          appSecSysClass.getMethod("start", SubscriptionService.class, scoClass);
-      appSecInstallerMethod.invoke(null, ss, sco);
+          appSecSysClass.getMethod("start", Instrumentation.class, SubscriptionService.class, scoClass);
+      appSecInstallerMethod.invoke(null, inst, ss, sco);
     } catch (final Throwable ex) {
       log.warn("Not starting AppSec subsystem: {}", ex.getMessage());
     }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java

@@ -46,9 +46,12 @@ public class AppSecSystem {
   private static final AtomicBoolean API_SECURITY_INITIALIZED = new AtomicBoolean(false);
   private static volatile ApiSecuritySampler API_SECURITY_SAMPLER = new ApiSecuritySampler.NoOp();
 
-  public static void start(SubscriptionService gw, SharedCommunicationObjects sco) {
+  public static void start(
+      java.lang.instrument.Instrumentation inst,
+      SubscriptionService gw,
+      SharedCommunicationObjects sco) {
     try {
-      doStart(gw, sco);
+      doStart(inst, gw, sco);
     } catch (AbortStartupException ase) {
       throw ase;
     } catch (RuntimeException | Error e) {
@@ -58,7 +61,10 @@ public static void start(SubscriptionService gw, SharedCommunicationObjects sco)
     }
   }
 
-  private static void doStart(SubscriptionService gw, SharedCommunicationObjects sco) {
+  private static void doStart(
+      java.lang.instrument.Instrumentation inst,
+      SubscriptionService gw,
+      SharedCommunicationObjects sco) {
     final Config config = Config.get();
     ProductActivation appSecEnabledConfig = config.getAppSecActivation();
     if (appSecEnabledConfig == ProductActivation.FULLY_DISABLED) {
@@ -97,6 +103,9 @@ private static void doStart(SubscriptionService gw, SharedCommunicationObjects s
 
     setActive(appSecEnabledConfig == ProductActivation.FULLY_ENABLED);
 
+    // Initialize SCA instrumentation before subscribing to Remote Config
+    APP_SEC_CONFIG_SERVICE.setInstrumentation(inst);
+
     APP_SEC_CONFIG_SERVICE.maybeSubscribeConfigPolling();
 
     Blocking.setBlockingService(new BlockingServiceImpl(REPLACEABLE_EVENT_PRODUCER));

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/AppSecSystemSpecification.groovy

@@ -33,14 +33,18 @@ import static datadog.trace.api.gateway.Events.EVENTS
 class AppSecSystemSpecification extends DDSpecification {
   SubscriptionService subService = Mock()
   ConfigurationPoller poller = Mock()
+  java.lang.instrument.Instrumentation inst = Mock() {
+    isRetransformClassesSupported() >> true
+    getAllLoadedClasses() >> ([] as Class[])
+  }
 
   def cleanup() {
     AppSecSystem.stop()
   }
 
   void 'registers powerwaf module'() {
     when:
-    AppSecSystem.start(subService, sharedCommunicationObjects())
+    AppSecSystem.start(inst, subService, sharedCommunicationObjects())
 
     then:
     'ddwaf' in AppSecSystem.startedModulesInfo
@@ -51,7 +55,7 @@ class AppSecSystemSpecification extends DDSpecification {
     injectSysConfig('dd.appsec.rules', '/file/that/does/not/exist')
 
     when:
-    AppSecSystem.start(subService, sharedCommunicationObjects())
+    AppSecSystem.start(inst, subService, sharedCommunicationObjects())
 
     then:
     def exception = thrown(AbortStartupException)
@@ -66,7 +70,7 @@ class AppSecSystemSpecification extends DDSpecification {
     rebuildConfig()
 
     when: 'starting the AppSec system'
-    AppSecSystem.start(subService, sharedCommunicationObjects())
+    AppSecSystem.start(inst, subService, sharedCommunicationObjects())
 
     then: 'an AbortStartupException should be thrown'
     def exception = thrown(AbortStartupException)
@@ -88,7 +92,7 @@ class AppSecSystemSpecification extends DDSpecification {
     injectSysConfig('dd.appsec.ipheader', 'foo-bar')
 
     when:
-    AppSecSystem.start(subService, sharedCommunicationObjects())
+    AppSecSystem.start(inst, subService, sharedCommunicationObjects())
     requestEndedCB.apply(requestContext, span)
 
     then:
@@ -110,7 +114,7 @@ class AppSecSystemSpecification extends DDSpecification {
     rebuildConfig()
 
     when:
-    AppSecSystem.start(subService, sharedCommunicationObjects())
+    AppSecSystem.start(inst, subService, sharedCommunicationObjects())
 
     then:
     thrown AbortStartupException
@@ -126,7 +130,7 @@ class AppSecSystemSpecification extends DDSpecification {
     ConfigurationEndListener savedConfEndListener
 
     when:
-    AppSecSystem.start(subService, sharedCommunicationObjects())
+    AppSecSystem.start(inst, subService, sharedCommunicationObjects())
     EventProducerService initialEPS = AppSecSystem.REPLACEABLE_EVENT_PRODUCER.cur
 
     then: