feat: add opt-in Dynamic Instrumentation

[srprash]

Description

Adds Dynamic Instrumentation (DI) to the ADOT Python distro — an opt-in feature that periodically polls instrumentation configurations from a control plane, applies runtime breakpoints/probes to a running application, captures runtime snapshots, and exports them as OTLP log records.

DI is disabled by default and only activates when OTEL_AWS_DYNAMIC_INSTRUMENTATION_ENABLED=true. Initialization is wrapped so any failure is a no-op that never affects the host application.

Changes

• New debugger package: configuration poller, instrumentation manager, snapshot capture/serialization, OTLP emitter, and status reporter.
• Two instrumentation engines: bytecode injection (Python 3.9–3.11) and sys.monitoring (Python 3.12+).
• Wired into the distro via a guarded initialize_debugger() call in AwsOpenTelemetryDistro._configure() (default off).
• python-dateutil and bytecode (3.9–3.11 only, via environment marker) added as core dependencies so a plain pip install aws-opentelemetry-distro yields a fully working feature with no extras.
• DI unit tests plus Docker-based contract tests (a di-flask sample app and a mock control-plane API); the mock collector gains an OTLP-logs gRPC/HTTP path so contract tests can assert on captured snapshots.

Testing

• tox -e 3.11-test-aws-opentelemetry-distro and tox -e 3.12-test-aws-opentelemetry-distro pass (full distro suite + coverage gate), exercising both engines.
• DI contract tests: all 24 pass (function-level, line-level, probe, hit-limit, capture-limit, and shared-function coexistence scenarios).
• Lint (black/isort/flake8/pylint), codespell, and a default-off / opt-in smoke check all pass.

Default behavior

No change for existing users: DI is off unless explicitly enabled. When enabled, snapshots are exported to the OTLP logs endpoint (OTEL_AWS_OTLP_LOGS_ENDPOINT).

[github-actions]

Code Review: Dynamic Instrumentation (PR 761) -- BUGS: (1) _data_models.py: datetime.fromtimestamp(expires_at_value) creates a naive local-time datetime, but created_at correctly uses tz=timezone.utc. This causes expiration checks to be off by the UTC offset. Fix: add tz=timezone.utc. (2) instrumentation_manager.py: increment_hit_count performs an O(n) linear scan over all active functions on every breakpoint hit while holding the RLock. (3) instrumentation_manager.py: Dict[str, any] should be Dict[str, Any] (capital A) on apply_configuration return type. -- SECURITY: (4) No sensitive data redaction in captured variables (_function_wrapper.py). Function args, return values, and locals are emitted as OTLP logs with no mechanism to skip passwords/tokens/PII. (5) _failed_configs dict can grow without bound if the control plane sends new broken configs with unique IDs. -- CONCURRENCY: (6) _snapshot_otlp_emitter.py: Double-checked locking reads self._event_logger outside the lock. Safe under CPython GIL but fragile under free-threaded Python (PEP 703). -- CODE QUALITY: (7) _debugger_client.py: _poll_probes_loop and _poll_breakpoints_loop are nearly identical. Extract a shared helper. (8) _variable_serializer.py: Marked DEPRECATED yet introduced as new code. Remove if no external consumers. -- See inline comments for details.

[github-actions]

Bug: datetime.fromtimestamp(expires_at_value) creates a naive datetime in local time. However, the created_at parsing correctly uses tz=timezone.utc. This inconsistency means expiration checks will malfunction on non-UTC servers. Fix: datetime.fromtimestamp(expires_at_value, tz=timezone.utc)

[github-actions]

Performance: increment_hit_count performs an O(n) linear scan over all breakpoints on every probe hit. For hot functions this could become a bottleneck. Consider using a dict keyed by breakpoint_id for O(1) lookup instead of iterating through the list.

[github-actions]

Potential memory leak: _failed_configs dict grows unbounded. Every failed configuration is added but never removed, even after successful retries or when configurations are deleted upstream. Over long-lived processes this could accumulate significant memory. Consider adding eviction logic or a max size cap.

[github-actions]

Typo: Return type annotation uses lowercase 'any' (Dict[str, any]) instead of 'Any' from typing. This won't cause a runtime error but is incorrect from a type-checking perspective.

[github-actions]

Concurrency: The double-checked locking pattern here is fragile. Under PEP 703 (no-GIL Python), the check-then-act outside the lock is a data race. Even with the GIL, if initialization raises an exception, the half-constructed state may be visible to other threads. Consider using threading.Lock with a single check inside, or lazy_object_proxy / functools.cached_property for safer lazy init.

[github-actions]

Security: Captured local variables are serialized and exported without any redaction or filtering. Sensitive data (passwords, tokens, PII) in local variables will be sent to the OTLP endpoint. Consider adding a configurable deny-list of variable names (e.g. password, secret, token, key) or a depth/size limit on captured values to reduce exposure.

[github-actions]

Code duplication: _poll_loop and _poll_loop_degraded are nearly identical methods with the same structure. Consider extracting the shared logic into a single method parameterized by the interval and max-failures threshold, to reduce maintenance burden and risk of the two diverging.

[github-actions]

Confusing: This file is marked DEPRECATED in its docstring but is being introduced as brand-new code in this PR. If it is genuinely deprecated in favor of another serializer, consider not adding it at all, or if it must exist as a fallback, clarify what replaces it and under what conditions the deprecated path is used.

[github-actions]

Code review findings for the Dynamic Instrumentation PR. Multiple issues identified related to security, bugs, and code quality.

[github-actions]

Code Review: Dynamic Instrumentation PR

I reviewed the core implementation files in this PR. Below are findings related to bugs, security concerns, and code quality issues.

[github-actions]

Bug (timezone inconsistency): datetime.fromtimestamp(expires_at_value) creates a naive datetime (no timezone info), while created_at parsing a few lines below correctly uses datetime.fromtimestamp(created_at_value, tz=timezone.utc). This inconsistency means:

1. If expires_at is later compared to a timezone-aware datetime, Python will raise TypeError.
2. On non-UTC servers, the timestamp will be interpreted in local time, causing breakpoints to expire at the wrong time.

Fix: expires_at = datetime.fromtimestamp(expires_at_value, tz=timezone.utc)

[github-actions]

Security concern (SSRF vector): The proxy_url is read from env var OTEL_AWS_DYNAMIC_INSTRUMENTATION_API_URL with no validation, then used directly for HTTP POST requests. While env vars are generally trusted, this URL is concatenated with paths and could potentially be pointed at internal metadata endpoints. Consider validating the URL scheme (only allow http/https) and optionally logging a warning when using a non-default URL.

[github-actions]

Security (sensitive data in logs): This line logs the full raw API config response at DEBUG level. This could include ARNs, service names, and configuration details. In production environments where debug logging might be accidentally enabled, this creates an information disclosure risk. Consider logging only non-sensitive metadata or removing this log.

[github-actions]

Security concern (information disclosure via variable capture): The serializer captures arbitrary object attributes including __dict__. When DI is enabled, this could inadvertently capture and export sensitive data such as passwords, tokens, API keys, or PII stored in local variables or object fields. While the feature is opt-in, there is no built-in redaction/deny-list mechanism for sensitive field names.

Consider adding a configurable deny-list of field name patterns that are never captured, similar to how other APM tools redact sensitive data by default.

[github-actions]

Performance (hot-path linear scan): increment_hit_count is called on every breakpoint hit (the hot path) and iterates over ALL active functions while holding the RLock. With many instrumented functions, this O(n) linear scan under lock on every request will add measurable latency.

Suggestion: Add a direct lookup dict _breakpoint_key_to_state maintained alongside _active_functions for O(1) lookup.

[github-actions]

Bug (potential issue in double-fork): _after_fork_in_child calls initialize_debugger(). Since os.register_at_fork callbacks persist across forks, in a double-fork scenario (master -> worker -> sub-worker), the callback fires again. Consider adding a PID check: if os.getpid() == _initialized_pid: return to prevent redundant re-initialization.

[github-actions]

Code quality (forward compat): The double-checked locking pattern checks self._event_logger outside the lock. In CPython this is safe due to the GIL, but on free-threaded builds (PEP 703, Python 3.13+) this could be a data race. Consider documenting the GIL dependency or using a single check inside the lock.

[github-actions]

Code quality (id stability): id(code) is used as dict key but only guarantees uniqueness during the objects lifetime. After disable_breakpoints_for_function clears state and the code object is GCd, a new code object could reuse the same address. Consider documenting this invariant or holding a reference.

[github-actions]

Bug (overly broad Flask patching): The fallback name-based Flask patching matches ANY endpoint whose view function has the same __name__. If two different modules both define a function named index registered as Flask routes, this could incorrectly patch the wrong endpoint.

Consider also comparing __module__ to avoid false positive matches.

[github-actions]

Bug (sentinel value conflict): The sentinel 0 for _window_start_ns conflicts with a legitimate now_ns=0 argument. If called explicitly with now_ns=0, the lazy init sets _window_start_ns=0, and the next real call will always roll the window. Consider using None as the uninitialized sentinel instead.

[github-actions]

Reviewed core source files for bugs, security issues, and code quality. Inline review comments follow on specific lines.

[github-actions]

Bug: datetime.fromtimestamp(expires_at_value) creates a naive datetime in the server's local timezone. A few lines below, created_at correctly uses datetime.fromtimestamp(created_at_value, tz=timezone.utc). This inconsistency means expires_at will be off by the UTC offset on non-UTC servers, and naive/aware datetime comparisons will raise TypeError.

Fix: expires_at = datetime.fromtimestamp(expires_at_value, tz=timezone.utc)

[github-actions]

Bug (type mismatch): Snapshot.duration is annotated as Optional[int] (see _snapshot_models.py line 7: duration: Optional[int] = None), but this expression uses true division (/), which always returns a float in Python 3. This could cause unexpected behavior in downstream serializers or type-checked code.

Fix: use integer division duration_ms = duration_ns // 1_000_000 if duration_ns else None, or change the Snapshot type annotation to Optional[float] if sub-millisecond precision is desired.

[github-actions]

Performance: This linear scan over all active functions runs on every breakpoint hit (hot path). With many instrumented functions, this becomes O(n) per hit. Consider maintaining a direct Dict[str, BreakpointState] lookup (breakpoint_key -> state) alongside _active_functions for O(1) lookups. The TODO above acknowledges this.

[github-actions]

Security note: This imports arbitrary modules based on names received from the polled API configuration. While this is inherent to the DI feature design, it means the API proxy endpoint is a trust boundary -- a compromised proxy could cause arbitrary module imports. The existing mitigations (opt-in gate, Lambda exclusion) are appropriate, but consider documenting this trust relationship explicitly in the security model.

[github-actions]

Thread safety: This iterates over self._manager._active_functions.values() while only holding self._lock (the reporter's own lock), not the manager's _lock. If a configuration poll thread calls apply_configuration concurrently, it could modify _active_functions (adding/removing entries) while this iteration is in progress, causing a RuntimeError: dictionary changed size during iteration. Consider either: (1) acquiring self._manager._lock here, or (2) snapshotting with list(self._manager._active_functions.values()) to iterate a copy.

[github-actions]

Security (low risk): Logging the entire raw API response at DEBUG level could expose configuration details (e.g., ARNs, location hashes, service names) in log files if DEBUG logging is enabled in production. Consider truncating or summarizing the logged output, or only logging the config count and key identifiers.

[github-actions]

The bytecode dependency has no version pin. Other dependencies in this file use exact pins (e.g., python-dateutil == 2.9.0.post0). An unpinned dependency could introduce breaking changes on a future bytecode release. Consider pinning to a known-good version or at least a compatible-release constraint (e.g., bytecode ~= 0.16).

[github-actions]

Bug (_data_models.py line 225): Naive datetime from fromtimestamp causes timezone-dependent expiration checks

datetime.fromtimestamp(expires_at_value) creates a naive datetime in the system local timezone, while isoparse(...) on line 229 may return a UTC-aware datetime. This inconsistency means expiration comparisons downstream will either raise TypeError (comparing aware vs naive) or silently produce wrong results.

For consistency with created_at parsing on line 240 (which correctly passes tz=timezone.utc), this should be:

expires_at = datetime.fromtimestamp(expires_at_value, tz=timezone.utc)

[github-actions]

Security: Full API response logged at DEBUG level may leak sensitive data

This logs the entire raw API response including LatestConfigurations which may contain breakpoint configurations with location details, ARNs, or other sensitive identifiers. If a user enables DEBUG logging in production (common for troubleshooting), this could expose internal application structure to log aggregation systems.

Consider logging only non-sensitive summary info (e.g., number of configs, Changed flag):

logger.debug("Response: Changed=%s, configs=%d", raw_config.get("Changed"), len(raw_config.get("LatestConfigurations", [])))

[github-actions]

Bug: Race condition — iterating _active_functions without acquiring the manager's lock

This method iterates over self._manager._active_functions.values() and mutates state objects (state.hit_in_last_period = False) while only holding the reporter's own self._lock. The manager's _lock (RLock) is what protects _active_functions — iterating and mutating without it is a race condition with the polling threads that call apply_configuration (which adds/removes entries from the same dict).

This could lead to RuntimeError: dictionary changed size during iteration or inconsistent state reads. The loop should also acquire self._manager._lock.

[github-actions]

Bug/Security: Name-based Flask view_functions patching could patch the wrong endpoint

The fallback from identity-based matching to name-based matching (matching by name) is unsafe. If two different view functions share the same name (e.g., decorated functions, or functions with the same name in different modules registered on the same app), this could incorrectly patch the wrong endpoint.

This could cause DI instrumentation to capture data from an unintended code path. Consider removing the name-based fallback, or at minimum also verifying the module attribute of the matched function.

[liustve]

note:
for visibility, the unpinned bytecode dependency at pyproject.toml#L98 does have a near-term compatibility issue:

• bytecode 0.18.0 https://github.com/MatthieuDartiailh/bytecode/releases/tag/0.18.0 explicitly drops support for Python 3.9 and 3.10 Drop support for Python 3.9 and 3.10 MatthieuDartiailh/bytecode#183
• PyPI's requires_python for bytecode is >=3.11 for 0.18.x and >=3.9 for 0.17.0 / >=3.8 for 0.16.x.

discussed internally going to handle this in a separate follow-up PR rather than rolling it into this one and leaving this comment to flag it here so the broader DI work doesn't merge with the gap unaddressed.

[github-actions]

Code review completed - see inline comments for findings on bugs, security issues, and code quality.

[github-actions]

Security: SSRF via unvalidated API URL

The API URL is taken directly from the environment variable OTEL_AWS_DYNAMIC_INSTRUMENTATION_API_URL without any validation or sanitization. A malicious environment variable could point to an internal service (e.g., http://169.254.169.254/latest/meta-data/ on AWS) causing Server-Side Request Forgery.

Consider:

1. Validating the URL scheme is http or https
2. Optionally restricting to known/expected domains or IP ranges
3. At minimum, logging a warning when a non-default URL is used

[github-actions]

Bug: Server-controlled poll interval has no upper bound

The server response's SyncInterval is applied directly to the client's poll interval with only a > 0 check. A malicious or buggy backend could set this to an extremely low value (e.g., 1 second), causing the client to hammer the API and consume excessive resources, or to an extremely high value, effectively disabling polling.

Consider clamping the value to a reasonable range, e.g.:

MIN_POLL_INTERVAL = 10   # seconds
MAX_POLL_INTERVAL = 3600 # 1 hour
next_sync_interval = max(MIN_POLL_INTERVAL, min(MAX_POLL_INTERVAL, next_sync_interval))

[github-actions]

Security: Sensitive data in debug logs

The full raw API response is logged at DEBUG level. In production environments where debug logging might be enabled for troubleshooting, this could expose sensitive configuration data (e.g., ARNs, internal endpoints, customer-specific instrumentation details) to log aggregation systems.

Consider logging only non-sensitive metadata (e.g., number of configs returned, response status) rather than the full response body.

[github-actions]

Bug: _breakpoint_handler bound as instance method but injected as plain function

On line 157, self._breakpoint_handler is stored into the function's __globals__ dict. Because it's a bound method reference, this works correctly - the self parameter is already captured in the bound method object.

However, there's a subtle lifetime/GC issue: the bound method holds a strong reference to the BytecodeInjectionEngine instance. If the engine is replaced (e.g., after fork and re-initialization), instrumented functions from the old engine will keep the old engine instance alive via this reference. Consider using a weakref or a module-level dispatch function that looks up the current engine.

[github-actions]

Bug: Race condition in double-checked locking pattern

The _ensure_initialized method uses double-checked locking but the outer fast-path check (if self._event_logger is not None: return True) is missing. Looking at emit_snapshot, it always calls _ensure_initialized() which acquires the lock every time.

While the current implementation is technically safe because it always locks, the docstring says 'double-checked locking' suggesting the intent was to have a lock-free fast path. If you later add the fast-path optimization, note that Python's memory model (GIL) makes this safe for CPython, but on free-threaded builds (PEP 703), you'd need _event_logger to be set atomically after all initialization is complete. Currently the assignment order is correct (logger_provider -> event_logger last), but this is fragile.

Consider adding a simple boolean flag set last, or document that this relies on CPython's GIL guarantee.

[github-actions]

Security: No secret/sensitive data redaction in variable capture

The function wrapper captures arguments and return values of instrumented functions without any filtering for sensitive data. When DI is enabled and configured to capture arguments, values like passwords, API keys, tokens, PII, etc., will be serialized and sent via OTLP logs to the configured endpoint.

Consider:

1. Adding a configurable deny-list of parameter names to skip (e.g., password, secret, token, key, auth, credential)
2. Redacting values that match common secret patterns (long base64 strings, JWT tokens, etc.)
3. At minimum, documenting this risk prominently so users understand that enabling DI with argument capture may expose secrets in their observability pipeline

[github-actions]

Bug: Potential unbounded memory growth in _failed_configs

The _failed_configs dict stores location_hash -> error_cause for every failed configuration, and entries are only cleaned up when they disappear from the incoming config list (line ~753). However, if the API keeps sending the same broken configs indefinitely (e.g., a misconfiguration that's never fixed), these entries accumulate forever.

More importantly, _preserved_states (line 59) preserves breakpoint states across configuration updates but _cleanup_orphaned_states only cleans states that aren't in active functions. If a function is repeatedly added and removed (flapping config), preserved states can accumulate.

Consider adding a TTL or max-size bound to _failed_configs, and auditing whether _preserved_states can grow unbounded under pathological config update patterns.

[github-actions]

Code Quality: Dead code - unreachable validation after safe_int

The check if not isinstance(line_number, int) or line_number < 0 on line 371 (diff line ~648) is unreachable because safe_int() (called on line 361/diff ~638) always returns an int (either the parsed value or the default 0). The isinstance check will always be True, and line_number < 0 can never happen because safe_int returns the default (0) on failure rather than a negative value.

This is dead code that gives a false sense of additional validation. Consider removing it or replacing with a comment noting the invariant.

[github-actions]

Bug: increment_hit_count iterates all active functions on every breakpoint hit

The increment_hit_count method (called on the hot path for every breakpoint hit) iterates through ALL active functions and their states to find the matching breakpoint_key. With many instrumented functions, this is O(N*M) where N = number of functions and M = average breakpoints per function. This is especially problematic because this runs inside the manager's RLock, blocking all other configuration operations.

The TODO in the code acknowledges this. Consider maintaining a direct lookup dict breakpoint_key -> (bp_set, state) that is updated when functions are added/removed. This would make the hot path O(1) and reduce lock contention.

[github-actions]

Bug: Recursive re-initialization in post-fork handler

The _after_fork_in_child callback calls initialize_debugger() which calls _register_fork_handler() again. While the idempotency guard (_fork_handler_registered) prevents double-registration, there's a subtlety: _fork_handler_registered is a module-level global that survives fork (it's True in the child). This means the fork handler registration is a no-op in children, which is correct.

However, if the child process itself forks (e.g., a gunicorn worker spawning sub-processes), the handler fires in the grandchild but _fork_handler_registered is still True from the original parent, so no handler gets registered for the grandchild's children. This is likely fine for typical deployments but worth documenting.

[github-actions]

Security: Object serialization via __dict__ may leak internal state

The _serialize_object method accesses value.__dict__ to enumerate fields for serialization. This means if a line-level breakpoint captures a local variable that is (for example) an HTTP request object, database connection, or security context, its internal state including credentials, session tokens, connection strings, etc., will be serialized and exported.

While the depth/field limits help bound the exposure, they don't prevent the most sensitive fields from being in the first N fields captured. The capture_locals filter only controls which variables to capture, not which fields within an object to redact.

Consider adding object-type-level redaction (e.g., skip objects whose type matches known sensitive patterns like *Session*, *Credential*, *Auth*).

[github-actions]

Security & Code Quality Review

I've reviewed this PR for bugs, security issues, and code quality. The feature is well-structured with appropriate opt-in guards and error isolation. Below I've posted inline comments on specific issues found. Here's a summary of the most critical ones:

Security Concerns (High)

1. Arbitrary module import from remote API — _resolve_module() calls importlib.import_module() with a module name sourced from API responses. If the control plane is compromised or traffic is intercepted (default endpoint is HTTP), this enables code execution.
2. Default HTTP endpoint — The default API URL is http://localhost:2000 with no TLS enforcement or validation, making MITM feasible in non-localhost deployments.

Bugs / Race Conditions (Medium)

3. _status_reporter.py iterates manager's _active_functions without holding the manager's lock — can raise RuntimeError: dictionary changed size during iteration.
4. _snapshot_otlp_emitter.py reset() is not thread-safe — sets _event_logger = None without the lock, racing with concurrent emit_snapshot calls.
5. Missing double-checked locking in _ensure_initialized() — always acquires the lock even when already initialized, causing unnecessary contention on the hot path.

DoS / Resource Exhaustion (Medium)

6. Unbounded _reported_configs set — grows without limit as configs rotate over time.
7. _failed_configs dict has no size cap — a malicious API flooding unique failing config IDs can grow this without bound.
8. list(value) materializes entire sets before truncation — should use itertools.islice.
9. No cap on number of active instrumented functions — API can instruct arbitrarily many instrumentations.

Dependency Issue

10. bytecode dependency has no version constraint — a breaking release could silently break the bytecode injection engine.

[github-actions]

Security: Arbitrary module import from remote API (High)

module_name originates from the API response (BreakpointConfiguration.module) and flows here without any validation or allowlisting. importlib.import_module() executes top-level module code on import, so a compromised or MITMed control plane could achieve remote code execution by specifying a malicious module name.

Consider:

1. Restricting to modules already in sys.modules (i.e., only instrument already-loaded code).
2. Validating module names against a pattern allowlist (e.g., no leading underscores, no relative imports).
3. Requiring HTTPS for the API endpoint to prevent MITM injection of malicious configs.

[github-actions]

Bug: Race condition — iterating manager's internal dict without its lock (Medium)

This iterates self._manager._active_functions.values() while only holding self._lock (the reporter's own lock). The manager's _active_functions dict can be concurrently modified by apply_configuration() (which holds the manager's self._lock, a different lock). This can raise RuntimeError: dictionary changed size during iteration.

Fix: Either expose a thread-safe snapshot method on the manager (e.g., get_active_functions_snapshot() that copies under its own lock), or acquire self._manager._lock here before iterating.

[github-actions]

Performance: Missing fast-path check in double-checked locking (Medium)

The docstring says "double-checked locking" but the implementation always acquires the lock. The classic double-checked locking pattern should check if self._event_logger is not None: return True before acquiring the lock to avoid contention on the hot path (every snapshot emission after initialization):

def _ensure_initialized(self):
    if self._event_logger is not None:  # fast path - no lock
        return True
    with self._lock:
        if self._event_logger is not None:  # re-check under lock
            return True
        ...

This also makes the reset() method unsafe — it sets _event_logger = None without holding the lock, which could race with concurrent reads in the fast path. reset() should acquire the lock too.

[github-actions]

Resource leak: Unbounded _reported_configs set (Medium)

This set grows monotonically — entries are added whenever a config transitions to READY or ERROR but are never removed. In a long-running process with config rotation (old configs removed, new ones added), this set will grow without bound, constituting a slow memory leak.

Consider pruning entries that correspond to configs no longer in _active_functions, or switching to an LRU-bounded structure.

[github-actions]

Performance: O(n) iteration on every breakpoint hit (Medium)

increment_hit_count is called on every breakpoint hit (hot path) and iterates through ALL active functions and their breakpoints to find the matching one. With many active instrumentations, this causes O(n) lock-held time on every single hit.

The TODO comment acknowledges this. Consider maintaining a direct Dict[str, BreakpointState] lookup by breakpoint_key for O(1) access, updated when functions are added/removed.

[github-actions]

DoS: Unbounded _failed_configs dict (Medium)

While stale entries are cleaned when their config IDs disappear from the incoming API response, there is no maximum size limit on this dict. If an attacker controls the API and continuously sends new unique config IDs that all fail (different IDs each poll cycle, so stale cleanup doesn't help), this dict grows without bound.

Consider adding a max-size eviction (e.g., drop oldest entries when exceeding a threshold like 1000).

[github-actions]

DoS: Full materialization of sets/frozensets before truncation (Low-Medium)

list(value) materializes the entire collection into memory before the max_collection_size limit is applied. For a set with millions of elements, this creates a full copy before only taking the first N items.

Use itertools.islice to lazily consume only what's needed:

import itertools
items = list(itertools.islice(value, self.max_collection_size))
original_size = len(value)  # len() is O(1) for sets

[github-actions]

Bug: TOCTOU race in initialize_global_manager (Low)

The check-then-assign pattern (if _global_manager_instance is not None ... _global_manager_instance = ...) is not atomic. If two threads call this concurrently during startup, both could pass the None check and create separate instances, with one silently discarded.

This is low severity because it's typically called once during distro _configure(), but the post-fork handler could race with application code that somehow triggers re-initialization. Consider using a module-level lock.

[github-actions]

Security: No response size limit on API responses (Medium)

The response.json() call deserializes the entire response body without any size check. A single page response could contain an arbitrarily large LatestConfigurations array (the max_pages=3 limit doesn't bound per-page size). A compromised or malicious API endpoint could return a multi-GB JSON response, causing OOM.

Consider:

1. Setting stream=True on the request and checking Content-Length before reading.
2. Or using a streaming JSON parser with a byte limit.
3. At minimum, cap the number of configs per page (e.g., reject responses with more than 100 items).

[github-actions]

Dependency: bytecode has no version constraint (Low-Medium)

Unlike python-dateutil which is pinned to a specific version, bytecode has no version bounds. The bytecode injection engine relies on specific internal APIs of this library (e.g., Instr, Bytecode, the tuple format for LOAD_GLOBAL in 3.11). A breaking release could silently produce incorrect bytecode, leading to hard-to-debug crashes in user applications.

Consider pinning to a compatible range, e.g.:

"bytecode >= 0.15, < 1.0; python_version >= '3.9' and python_version < '3.12'",

[github-actions]

Info leak: Logging full error response body (Low)

response.text from a server error may contain internal server details (stack traces, internal paths, debugging info). Logging it at ERROR level means it could end up in production log files accessible to broader audiences.

Consider truncating: response.text[:500] or logging at DEBUG level instead.

[github-actions]

DoS: No upper bound on number of active instrumentations (Medium)

_active_functions has no maximum size limit. A malicious or misconfigured API could return hundreds or thousands of configurations targeting different functions. Each instrumentation allocates wrapper closures, state objects, and (for the bytecode engine) modified code objects. This could exhaust memory or cause severe performance degradation.

Consider adding a configurable cap (e.g., MAX_ACTIVE_INSTRUMENTATIONS = 100) and rejecting configurations beyond that limit with an appropriate error status report.