feat(aap): In App WAF support

[CarlesDD]

What does this PR do?

Adds AppSec support to the Lambda layer by extracting HTTP data from Lambda events and publishing it to diagnostic channels consumed by dd-trace-js's AppSec subsystem.

Changes:

• Dockerfile + move script: move_ddtrace_dependency.js now reads @datadog/native-appsec from dd-trace's optionalDependencies and promotes it to a direct dependency so it survives --ignore-optional. The Dockerfile runs the script before rm -rf node_modules and strips unused native prebuilds (non-Linux-glibc platforms)
• Event data extractor (src/appsec/event-data-extractor.ts): Parses API Gateway v1/v2, ALB, and Lambda Function URL events, extracting headers, method, path, query, body, client IP, path params, cookies, and route
• Orchestrator (src/appsec/index.ts): Checks DD_APPSEC_ENABLED and publishes extracted data to datadog:lambda:start-invocation / datadog:lambda:end-invocation diagnostic channels
• TraceListener integration: initAppsec() called in onStartInvocation, processAppSecRequest and processAppSecResponse called in onEndingInvocation

Motivation

Porting the In-App WAF security product to AWS Lambda for the Node.js runtime. The Lambda layer extracts HTTP data and dispatches it to the tracer for WAF execution and reporting.

The layer is intentionally kept thin, only extracting and publishing data. All security logic (WAF, reporting, trace keeping) lives in dd-trace-js.

Testing Guidelines

• Unit tests for the event data extractor cover all 4 HTTP event types (API GW v1/v2, ALB, Lambda Function URL) and non-HTTP events
• Unit tests for the orchestrator verify configuration gating and channel publishing
• Existing listener tests pass unchanged

Additional Notes

• @datadog/native-appsec is NOT added to this repo's package.json. The version is read dynamically from dd-trace's optionalDependencies at build time, so dd-trace-js remains the single owner of the native module version.
• No new environment variables, using the existing DD_APPSEC_ENABLED.
• This is a monitoring-only first iteration. Blocking, Remote Config, and telemetry are out of scope.
• Companion PR in dd-trace-js: feat(aap): In App WAF support for lambda dd-trace-js#7783

Types of Changes

• Bug fix
• New feature
• Breaking change
• Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

• This PR's description is comprehensive
• This PR contains breaking changes that are documented in the description
• This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
• This PR impacts documentation, and it has been updated (or a ticket has been logged)
• This PR's changes are covered by the automated tests
• This PR collects user input/sensitive content into Datadog
• This PR passes the integration tests (ask a Datadog member to run the tests)

APPSEC-60752

[IlyasShabi]

Why not moveDependency('@datadog/native-appsec')?

[CarlesDD]

I've changed the implementation to mimic datadog/pprof package using moveDependency

[IlyasShabi]

The signature of this function is span: any, statusCode?: string, responseHeaders?: Record<string, string> wondering if this correct way to call it

[CarlesDD]

Good catch. Fixed and included a test

[IlyasShabi]

If cookies is undefined returned from parseCookieHeader we should not add it right?

[CarlesDD]

You're right

[IlyasShabi]

The route could be undefined or empty string similar to tracer?

[CarlesDD]

It could be for v2. Fixed!