chore(tracing): add integration guardrails (#13483)

# Description

This PR adds a feature to ensure safe patching of instrumentation
libraries by checking the installed version of the library is compatible
with an explicitly defined support range for the related integration. To
enable the feature, set `DD_TRACE_SAFE_INSTRUMENTATION_ENABLED=true`. It
is disabled by default.

The PR adds integration guardrails by introducing a new function that
returns supported version specs in each integration patch file. This is
used by `ddtrace._monkey.py` during the integration module hook, looking
at the installed module version and comparing against our guardrails
spec for the integration. Guardrails version spec will be based off of
minimum used dependency versions used by customers via Metabase
dependency data.

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Co-authored-by: Brett Langdon <[email protected]>

Author: wconti27

.riot/requirements/113966a.txt

@@ -0,0 +1,44 @@
+#
+# This file is autogenerated by pip-compile with Python 3.9
+# by the following command:
+#
+#    pip-compile --allow-unsafe --no-annotate --resolver=backtracking .riot/requirements/113966a.in
+#
+aiobotocore==1.0.7
+aiohappyeyeballs==2.6.1
+aiohttp==3.12.2
+aioitertools==0.12.0
+aiosignal==1.3.2
+async-generator==1.10
+async-timeout==5.0.1
+attrs==25.3.0
+botocore==1.15.32
+coverage[toml]==7.8.2
+docutils==0.15.2
+exceptiongroup==1.3.0
+frozenlist==1.6.0
+hypothesis==6.45.0
+idna==3.10
+importlib-metadata==8.7.0
+iniconfig==2.1.0
+jmespath==0.10.0
+mock==5.2.0
+multidict==6.4.4
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+propcache==0.3.1
+pytest==8.3.5
+pytest-asyncio==0.21.1
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+pytest-randomly==3.16.0
+python-dateutil==2.9.0.post0
+six==1.17.0
+sortedcontainers==2.4.0
+tomli==2.2.1
+typing-extensions==4.13.2
+urllib3==1.25.11
+wrapt==1.17.2
+yarl==1.20.0
+zipp==3.22.0

.riot/requirements/11c2039.txt

@@ -5,7 +5,7 @@
 #    pip-compile --allow-unsafe --no-annotate .riot/requirements/11c2039.in
 #
 attrs==25.3.0
-coverage[toml]==7.8.0
+coverage[toml]==7.8.2
 gevent==25.5.1
 greenlet==3.2.2
 gunicorn[gevent]==23.0.0
@@ -15,18 +15,19 @@ lz4==4.4.4
 mock==5.2.0
 opentracing==2.4.0
 packaging==25.0
-pluggy==1.5.0
+pluggy==1.6.0
 py-cpuinfo==8.0.0
-pytest==8.3.5
+pygments==2.19.1
+pytest==8.4.0
 pytest-asyncio==0.21.1
 pytest-benchmark==5.1.0
 pytest-cov==6.1.1
-pytest-mock==3.14.0
+pytest-mock==3.14.1
 pytest-randomly==3.16.0
 sortedcontainers==2.4.0
-uwsgi==2.0.29
+uwsgi==2.0.30
 zope-event==5.0
 zope-interface==7.2
 
 # The following packages are considered to be unsafe in a requirements file:
-setuptools==80.4.0
+setuptools==80.9.0

.riot/requirements/150beac.txt

@@ -0,0 +1,38 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/150beac.in
+#
+aiobotocore==1.0.7
+aiohappyeyeballs==2.6.1
+aiohttp==3.12.2
+aioitertools==0.12.0
+aiosignal==1.3.2
+async-generator==1.10
+attrs==25.3.0
+botocore==1.15.32
+coverage[toml]==7.8.2
+docutils==0.15.2
+frozenlist==1.6.0
+hypothesis==6.45.0
+idna==3.10
+iniconfig==2.1.0
+jmespath==0.10.0
+mock==5.2.0
+multidict==6.4.4
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+propcache==0.3.1
+pytest==8.3.5
+pytest-asyncio==0.21.1
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+pytest-randomly==3.16.0
+python-dateutil==2.9.0.post0
+six==1.17.0
+sortedcontainers==2.4.0
+urllib3==1.25.11
+wrapt==1.17.2
+yarl==1.20.0

.riot/requirements/158ac30.txt

@@ -2,10 +2,10 @@
 # This file is autogenerated by pip-compile with Python 3.10
 # by the following command:
 #
-#    pip-compile --no-annotate .riot/requirements/158ac30.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/158ac30.in
 #
 aiohappyeyeballs==2.6.1
-aiohttp==3.12.2
+aiohttp==3.12.7
 aiosignal==1.3.2
 annotated-types==0.7.0
 anyio==4.9.0
@@ -23,11 +23,11 @@ cachetools==5.5.2
 certifi==2025.4.26
 cffi==1.17.1
 charset-normalizer==3.4.2
-chromadb==1.0.10
+chromadb==1.0.12
 click==8.2.1
 coloredlogs==15.0.1
 coverage[toml]==7.8.2
-crewai==0.121.0
+crewai==0.121.1
 cryptography==45.0.3
 decorator==5.2.1
 deprecated==1.2.18
@@ -44,27 +44,27 @@ frozenlist==1.6.0
 fsspec==2025.5.1
 google-auth==2.40.2
 googleapis-common-protos==1.70.0
-grpcio==1.71.0
+grpcio==1.72.1
 h11==0.16.0
 hf-xet==1.1.2
 httpcore==1.0.9
 httptools==0.6.4
 httpx==0.28.1
-huggingface-hub==0.32.2
+huggingface-hub==0.32.4
 humanfriendly==10.0
 hypothesis==6.45.0
 idna==3.10
 importlib-metadata==8.6.1
 importlib-resources==6.5.2
 iniconfig==2.1.0
 instructor==1.8.3
-ipython==8.36.0
+ipython==8.37.0
 jedi==0.19.2
 jinja2==3.1.6
 jiter==0.8.2
 json-repair==0.46.0
 json5==0.12.0
-jsonpickle==4.1.0
+jsonpickle==4.1.1
 jsonref==1.1.0
 jsonschema==4.24.0
 jsonschema-specifications==2025.4.1
@@ -108,7 +108,7 @@ pluggy==1.6.0
 posthog==4.2.0
 prompt-toolkit==3.0.51
 propcache==0.3.1
-protobuf==5.29.4
+protobuf==5.29.5
 ptyprocess==0.7.0
 pure-eval==0.2.3
 pyasn1==0.6.1
@@ -121,7 +121,7 @@ pyjwt==2.10.1
 pypdfium2==4.30.1
 pypika==0.48.9
 pyproject-hooks==1.2.0
-pytest==8.3.5
+pytest==8.4.0
 pytest-asyncio==1.0.0
 pytest-cov==6.1.1
 pytest-mock==3.14.1
@@ -151,11 +151,11 @@ tomli-w==1.2.0
 tqdm==4.67.1
 traitlets==5.14.3
 typer==0.16.0
-typing-extensions==4.13.2
+typing-extensions==4.14.0
 typing-inspection==0.4.1
 urllib3==2.4.0
-uv==0.7.8
-uvicorn[standard]==0.34.2
+uv==0.7.9
+uvicorn[standard]==0.34.3
 uvloop==0.21.0
 vcrpy==7.0.0
 watchfiles==1.0.5

.riot/requirements/16628a6.txt

@@ -2,10 +2,10 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile --no-annotate .riot/requirements/16628a6.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/16628a6.in
 #
 aiohappyeyeballs==2.6.1
-aiohttp==3.12.2
+aiohttp==3.12.7
 aiosignal==1.3.2
 annotated-types==0.7.0
 anyio==4.9.0
@@ -22,11 +22,11 @@ cachetools==5.5.2
 certifi==2025.4.26
 cffi==1.17.1
 charset-normalizer==3.4.2
-chromadb==1.0.10
+chromadb==1.0.12
 click==8.2.1
 coloredlogs==15.0.1
 coverage[toml]==7.8.2
-crewai==0.121.0
+crewai==0.121.1
 cryptography==45.0.3
 decorator==5.2.1
 deprecated==1.2.18
@@ -42,28 +42,28 @@ frozenlist==1.6.0
 fsspec==2025.5.1
 google-auth==2.40.2
 googleapis-common-protos==1.70.0
-grpcio==1.71.0
+grpcio==1.72.1
 h11==0.16.0
 hf-xet==1.1.2
 httpcore==1.0.9
 httptools==0.6.4
 httpx==0.28.1
-huggingface-hub==0.32.2
+huggingface-hub==0.32.4
 humanfriendly==10.0
 hypothesis==6.45.0
 idna==3.10
 importlib-metadata==8.6.1
 importlib-resources==6.5.2
 iniconfig==2.1.0
 instructor==1.8.3
-ipython==9.2.0
+ipython==9.3.0
 ipython-pygments-lexers==1.1.1
 jedi==0.19.2
 jinja2==3.1.6
 jiter==0.8.2
 json-repair==0.46.0
 json5==0.12.0
-jsonpickle==4.1.0
+jsonpickle==4.1.1
 jsonref==1.1.0
 jsonschema==4.24.0
 jsonschema-specifications==2025.4.1
@@ -77,7 +77,7 @@ mmh3==5.1.0
 mock==5.2.0
 mpmath==1.3.0
 multidict==6.4.4
-networkx==3.4.2
+networkx==3.5
 numpy==2.2.6
 oauthlib==3.2.2
 onnxruntime==1.22.0
@@ -107,7 +107,7 @@ pluggy==1.6.0
 posthog==4.2.0
 prompt-toolkit==3.0.51
 propcache==0.3.1
-protobuf==5.29.4
+protobuf==5.29.5
 ptyprocess==0.7.0
 pure-eval==0.2.3
 pyasn1==0.6.1
@@ -120,7 +120,7 @@ pyjwt==2.10.1
 pypdfium2==4.30.1
 pypika==0.48.9
 pyproject-hooks==1.2.0
-pytest==8.3.5
+pytest==8.4.0
 pytest-asyncio==1.0.0
 pytest-cov==6.1.1
 pytest-mock==3.14.1
@@ -150,11 +150,11 @@ tomli-w==1.2.0
 tqdm==4.67.1
 traitlets==5.14.3
 typer==0.16.0
-typing-extensions==4.13.2
+typing-extensions==4.14.0
 typing-inspection==0.4.1
 urllib3==2.4.0
-uv==0.7.8
-uvicorn[standard]==0.34.2
+uv==0.7.9
+uvicorn[standard]==0.34.3
 uvloop==0.21.0
 vcrpy==7.0.0
 watchfiles==1.0.5

.riot/requirements/1671e93.txt

@@ -5,7 +5,7 @@
 #    pip-compile --allow-unsafe --no-annotate .riot/requirements/1671e93.in
 #
 attrs==25.3.0
-coverage[toml]==7.8.0
+coverage[toml]==7.8.2
 exceptiongroup==1.3.0
 gevent==25.5.1
 greenlet==3.2.2
@@ -16,20 +16,21 @@ lz4==4.4.4
 mock==5.2.0
 opentracing==2.4.0
 packaging==25.0
-pluggy==1.5.0
+pluggy==1.6.0
 py-cpuinfo==8.0.0
-pytest==8.3.5
+pygments==2.19.1
+pytest==8.4.0
 pytest-asyncio==0.21.1
 pytest-benchmark==5.1.0
 pytest-cov==6.1.1
-pytest-mock==3.14.0
+pytest-mock==3.14.1
 pytest-randomly==3.16.0
 sortedcontainers==2.4.0
 tomli==2.2.1
-typing-extensions==4.13.2
-uwsgi==2.0.29
+typing-extensions==4.14.0
+uwsgi==2.0.30
 zope-event==5.0
 zope-interface==7.2
 
 # The following packages are considered to be unsafe in a requirements file:
-setuptools==80.4.0
+setuptools==80.9.0

.riot/requirements/175a6ba.txt

@@ -2,20 +2,21 @@
 # This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
-#    pip-compile --no-annotate .riot/requirements/175a6ba.in
+#    pip-compile --allow-unsafe --no-annotate --resolver=backtracking .riot/requirements/175a6ba.in
 #
 attrs==25.3.0
-coverage[toml]==7.8.1
+coverage[toml]==7.8.2
 exceptiongroup==1.3.0
 hypothesis==6.45.0
 iniconfig==2.1.0
 mock==5.2.0
 opentracing==2.4.0
 packaging==25.0
 pluggy==1.6.0
-pytest==8.3.5
+pygments==2.19.1
+pytest==8.4.0
 pytest-cov==6.1.1
-pytest-mock==3.14.0
+pytest-mock==3.14.1
 sortedcontainers==2.4.0
 tomli==2.2.1
-typing-extensions==4.13.2
+typing-extensions==4.14.0