feat(telemetry): implement secure telemetry logging with PII protection

[kakkoyun]

Eliminate PII leakage in telemetry data sent to external services by enforcing
strict security controls on telemetry logging with comprehensive static analysis.

Redesigned telemetry Error API to require constant messages only, implemented
SafeError with automatic stack trace redaction, and created mission-critical
static checker rules with bulletproof scoping.

• Messages: Constant templates only (no dynamic strings/format verbs)
• Stack traces: Customer code frames replaced with "REDACTED" placeholder
• Error details: Only error type exposed, never error messages
• Collections: SafeSlice with explicit type conversions (no %v formatting)
• Static enforcement: Comprehensive ruleguard rules prevent all violations

SafeError extracts error types and redacts customer stack frames using contrib/
directory for frame classification. API breaking change from telemetrylog.Error(err)

to Error("message", SafeError(err)) ensures constant messages with secure error
details.

Signed-off-by: Kemal Akkoyun [email protected]

What does this PR do?

Motivation

Reviewer's Checklist

• Changed code has unit tests for its functionality at or near 100% coverage.
• System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
• There is a benchmark for any new code, or changes to existing code.
• If this interacts with the agent in a new way, a system test has been added.
• New code is free of linting errors. You can check this by running ./scripts/lint.sh locally.
• Add an appropriate team label so this PR gets put in the right place for the release notes.
• Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

[bouwkast]

Wow this looks great thanks a bunch @kakkoyun
I think this will do it, I don't see anything that stands out.

I wasn't actually aware of WithTags being a thing, but they appear fine to me, I would like to follow up on that outside of this PR with the ASM team (I think they implemented it) to just figure out what the expectations are for that.

(don't take this as a go review 😛)

[bouwkast]

I think my understanding is that the WithTags is something that ASM designed / built into the telemetry logs.

I am actually not very familiar with them, but so far I think they are okay, they fall out of the message (I think) so hopefully they don't impact our deduplication logic.

I'll plan on following up on these though to find out more about how they work - it seems that ASM pushed for this and relies on it entirely as some of their logs don't get sent anywhere else.

[bouwkast]

Awesome thanks 👍

One additional element is that constant messages also allows us to better deduplicate log messages to reduce how many of the same log we actually send

[bouwkast]

@quinna-h wondering if we maybe already have this or something like this? 😄

Just wondering, we don't need to act on this here.

[bouwkast]

Wow this is a great addition!

[bouwkast]

and an analyzer very nice 🚀 🎉