feat(secrets): improve error messages for secrets management

[gouri-yerra]

What does this PR do?

Improves error messages for secrets management so they are clearer and more actionable. Changes include:

• Version mismatch: When the script expects payload version 1.0, the error now states that the Agent sends 1.1 and links to the docs.
• Timeout: The error now mentions secret_backend_timeout and how to increase it.
• Permissions: When the script fails with a permission error, the message includes platform-specific guidance (e.g. chmod 700 on Linux).
• Both command + type set: The warning now explains that secret_backend_command takes precedence and how to switch to the native backend.
• Unmarshal error: The error now shows the expected JSON format.
• Empty secret: The message now mentions checking the backend and secret_backend_remove_trailing_line_break.
• Secret not resolved: The message now includes a hint about the expected JSON format.

All secrets-related errors now include a link to the secrets management docs.

Motivation

Customers often see unclear secrets errors, especially around v0→v1 migration, which leads to more support tickets. Clearer, actionable messages should help users self-serve and reduce support load.

Describe how you validated your changes

Updated unit tests in comp/core/secrets/impl/fetch_secret_test.go to match the new messages.
Ran dda inv test --targets=./comp/core/secrets/impl — all 87 tests passed.
Testing doc
Manually tested with a local script:

• Version mismatch → script expects 1.0, Agent sends 1.1
• Timeout → mentions secret_backend_timeout
• Both command + type set → warning with migration guidance
• Empty secret → mentions backend and secret_backend_remove_trailing_line_break
• Invalid JSON → shows expected format
• Missing handle → hint about JSON format

Additional Notes

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2e884f5f9e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Restrict permission branch to real permission-denied errors

This condition matches any cmd.Run() error containing the substring permission, which can come from the command path itself (for example, fork/exec /opt/permission-helper: no such file or directory). In that case we now rewrite unrelated failures as permission denied, hiding the true cause and steering users to the wrong fix. Please match only concrete permission-denied patterns (e.g., permission denied/operation not permitted) instead of the broad permission substring.

Useful? React with 👍 / 👎.

[gouri-yerra]

👍

[agent-platform-auto-pr]

Files inventory check summary

File checks results against ancestor 4fed36d1:

Results for datadog-agent_7.78.0~devel.git.590.3ea3be7.pipeline.102477218-1_amd64.deb:

No change detected

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor b9ff244
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	+16.0 KiB (0.00% increase)	746.938 → 746.954 → 750.720
✅	agent_deb_amd64_fips	+8.0 KiB (0.00% increase)	705.304 → 705.312 → 711.230
✅	agent_rpm_amd64	+16.0 KiB (0.00% increase)	746.922 → 746.938 → 750.690
✅	agent_rpm_amd64_fips	+8.0 KiB (0.00% increase)	705.288 → 705.295 → 711.210
✅	agent_rpm_arm64	+12.0 KiB (0.00% increase)	724.842 → 724.854 → 732.890
✅	agent_rpm_arm64_fips	+16.0 KiB (0.00% increase)	686.154 → 686.169 → 694.440
✅	agent_suse_amd64	+16.0 KiB (0.00% increase)	746.922 → 746.938 → 750.690
✅	agent_suse_amd64_fips	+8.0 KiB (0.00% increase)	705.288 → 705.295 → 711.210
✅	agent_suse_arm64	+12.0 KiB (0.00% increase)	724.842 → 724.854 → 732.890
✅	agent_suse_arm64_fips	+16.0 KiB (0.00% increase)	686.154 → 686.169 → 694.440
✅	docker_agent_amd64	+15.99 KiB (0.00% increase)	807.275 → 807.290 → 813.040
✅	docker_agent_arm64	+12.0 KiB (0.00% increase)	809.996 → 810.007 → 819.570
✅	docker_agent_jmx_amd64	+16.0 KiB (0.00% increase)	998.190 → 998.206 → 1003.920
✅	docker_agent_jmx_arm64	+12.0 KiB (0.00% increase)	989.690 → 989.702 → 999.170
✅	docker_cluster_agent_amd64	+4.01 KiB (0.00% increase)	203.662 → 203.666 → 206.270
✅	docker_dogstatsd_amd64	+8.0 KiB (0.02% increase)	38.619 → 38.627 → 39.380
✅	iot_agent_deb_armhf	+4.0 KiB (0.01% increase)	40.843 → 40.847 → 41.030

13 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_heroku_amd64	311.743 MiB
✅	docker_cluster_agent_arm64	218.164 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_arm64	36.939 MiB
✅	dogstatsd_deb_amd64	29.847 MiB
✅	dogstatsd_deb_arm64	28.000 MiB
✅	dogstatsd_rpm_amd64	29.847 MiB
✅	dogstatsd_suse_amd64	29.847 MiB
✅	iot_agent_deb_amd64	43.048 MiB
✅	iot_agent_deb_arm64	40.111 MiB
✅	iot_agent_rpm_amd64	43.049 MiB
✅	iot_agent_suse_amd64	43.049 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	+64.42 KiB (0.04% increase)	174.449 → 174.512 → 177.700
✅	agent_deb_amd64_fips	+31.83 KiB (0.02% increase)	165.336 → 165.367 → 172.230
✅	agent_heroku_amd64	neutral	75.171 MiB → 79.970
✅	agent_rpm_amd64	neutral	176.424 MiB → 180.780
✅	agent_rpm_amd64_fips	-35.58 KiB (0.02% reduction)	168.093 → 168.059 → 173.370
✅	agent_rpm_arm64	+15.41 KiB (0.01% increase)	159.333 → 159.348 → 161.610
✅	agent_rpm_arm64_fips	+35.46 KiB (0.02% increase)	151.360 → 151.394 → 155.910
✅	agent_suse_amd64	neutral	176.424 MiB → 180.780
✅	agent_suse_amd64_fips	-35.58 KiB (0.02% reduction)	168.093 → 168.059 → 173.370
✅	agent_suse_arm64	+15.41 KiB (0.01% increase)	159.333 → 159.348 → 161.610
✅	agent_suse_arm64_fips	+35.46 KiB (0.02% increase)	151.360 → 151.394 → 155.910
✅	docker_agent_amd64	+14.55 KiB (0.01% increase)	267.109 → 267.123 → 271.240
✅	docker_agent_arm64	+8.81 KiB (0.00% increase)	254.420 → 254.429 → 259.800
✅	docker_agent_jmx_amd64	neutral	335.766 MiB → 339.870
✅	docker_agent_jmx_arm64	+12.16 KiB (0.00% increase)	319.056 → 319.068 → 324.390
✅	docker_cluster_agent_amd64	neutral	71.277 MiB → 72.920
✅	docker_cluster_agent_arm64	+3.47 KiB (0.01% increase)	66.918 → 66.921 → 68.220
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	14.945 MiB → 15.820
✅	docker_dogstatsd_arm64	+11.75 KiB (0.08% increase)	14.274 → 14.285 → 14.830
✅	dogstatsd_deb_amd64	neutral	7.884 MiB → 8.790
✅	dogstatsd_deb_arm64	+2.2 KiB (0.03% increase)	6.770 → 6.772 → 7.710
✅	dogstatsd_rpm_amd64	neutral	7.897 MiB → 8.800
✅	dogstatsd_suse_amd64	neutral	7.897 MiB → 8.800
✅	iot_agent_deb_amd64	neutral	11.348 MiB → 12.040
✅	iot_agent_deb_arm64	+2.44 KiB (0.02% increase)	9.659 → 9.662 → 10.450
✅	iot_agent_deb_armhf	+2.12 KiB (0.02% increase)	9.890 → 9.892 → 10.620
✅	iot_agent_rpm_amd64	neutral	11.368 MiB → 12.060
✅	iot_agent_suse_amd64	neutral	11.368 MiB → 12.060

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: bc91cdf2-b63f-44e1-bd3b-b08c6a15618e

Baseline: b9ff244
Comparison: 3ea3be7
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	-1.41	[-4.42, +1.60]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	file_tree	memory utilization	+0.61	[+0.56, +0.67]	1	Logs
➖	otlp_ingest_metrics	memory utilization	+0.60	[+0.44, +0.75]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.31	[+0.17, +0.45]	1	Logs
➖	ddot_metrics	memory utilization	+0.26	[+0.09, +0.44]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.26	[+0.04, +0.48]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.11	[+0.05, +0.16]	1	Logs
➖	ddot_logs	memory utilization	+0.07	[-0.00, +0.14]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	+0.02	[-0.16, +0.19]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.01	[-0.09, +0.11]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.01	[-0.38, +0.40]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.01	[-0.50, +0.48]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.02	[-0.10, +0.06]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.02	[-0.22, +0.18]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.03	[-0.46, +0.40]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	-0.04	[-0.22, +0.13]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	-0.05	[-0.29, +0.18]	1	Logs bounds checks dashboard
➖	quality_gate_idle	memory utilization	-0.08	[-0.13, -0.02]	1	Logs bounds checks dashboard
➖	quality_gate_idle_all_features	memory utilization	-0.21	[-0.24, -0.17]	1	Logs bounds checks dashboard
➖	otlp_ingest_logs	memory utilization	-0.32	[-0.42, -0.22]	1	Logs
➖	docker_containers_memory	memory utilization	-0.34	[-0.41, -0.26]	1	Logs
➖	quality_gate_logs	% cpu utilization	-1.29	[-2.87, +0.29]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	-1.29	[-1.41, -1.17]	1	Logs
➖	docker_containers_cpu	% cpu utilization	-1.41	[-4.42, +1.60]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	701 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	272.44MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	697 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.24GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.22GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 = 3	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	174.19MiB ≤ 175MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 = 3	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	489.12MiB ≤ 550MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	205.84MiB ≤ 220MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	379.54 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	407.29MiB ≤ 475MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.