Apply main forbidden APIs to instrumentation modules

[bric3]

What Does This Do

Restores the intended forbidden-apis signature set for instrumentation modules: main.txt plus instrumentation.txt.

The stricter check surfaced a few existing calls that were previously leaking through:

• String#split(String) in Liberty filename parsing, kept with a narrow @SuppressForbidden because this is the existing one-character split fast-path pattern used elsewhere in the repo.
• String#getBytes() in Spring Core muzzle code, changed to getBytes(UTF_8).
• direct Byte Buddy ElementMatchers usage in Code Origin support, I kept as-is with because the existing matcher expression intentionally differs from the available HierarchyMatchers.

Motivation

Follow-up to #11620. Actually it can be merged before.

Instrumentation forbidden-apis tasks were not properly configured to use main.txt.
This was already true on master, and it surfaced while working on #11620:

1. the forbidden-api task setup configures main.txt,
2. then dd-java-agent/instrumentation/build.gradle mutates each CheckForbiddenApis task with signaturesFiles += instrumentation.txt,

...but it's not working as expected.

With the forbidden-apis Gradle plugin task property/convention wiring, that task-level += did not merge with the extension's "default" in the way it was supposedly (as far as I understand) intended. In practice, that means that forbidden api instrumentation tasks such as :dd-java-agent:instrumentation:liberty:liberty-20.0:forbiddenApisMain only read instrumentation.txt.

This means that APIs covered only by main.txt were not checked in instrumentation modules.

This PR makes the task-level configuration explicit by assigning both files together.

Additional Details

• By using --info to the forbiddenApisMain task, once can see what signature file are used.

• The CodeOriginInstrumentation change is now using tracer's HierarchyMatchers. In particular the change should keep the Fix CodeOrigin for interface endpoints #11017.

  The API is a bit different on the surface, but should behave the same way

  - isDeclaredBy(hasSuperType(isInterface().and(declaresMethod(isAnnotatedWith(matcher)))))
  + isDeclaredBy(implementsInterface(declaresMethod(isAnnotatedWith(matcher))))

Contributor Checklist

• Format the title according to the contribution guidelines
• Assign the type: and (comp: or inst:) labels in addition to any other useful labels
• Avoid using close, fix, or any linking keywords when referencing an issue
  Use solves instead, and assign the PR milestone to the issue
• Update the CODEOWNERS file on source file addition, migration, or deletion
• Update public documentation with any new configuration flags or behaviors
• Add your completed PR to the merge queue by commenting /merge. You can also:
  • Customize the commit message associated with the merge with /merge --commit-message "..."
  • Remove your PR from the merge queue with /merge -c
  • Skip all merge queue checks with /merge -f --reason "reason"; please use this judiciously, as some checks do not run at the PR-level (note: the PR still needs to be mergeable, this will only skip the pre-merge build)
  • Get more information in this doc

Jira ticket: [N/A]

[dd-octo-sts]

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite	Status
Startup	🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Scenario	Candidate	master	Δ (95% CI of mean)
startup:insecure-bank:iast:Agent	13.97 s	13.91 s	[-0.2%; +1.2%] (no difference)
startup:insecure-bank:tracing:Agent	12.94 s	12.97 s	[-1.2%; +0.6%] (no difference)
startup:petclinic:appsec:Agent	16.86 s	16.65 s	[+0.4%; +2.2%] (maybe worse)
startup:petclinic:iast:Agent	16.86 s	16.91 s	[-1.1%; +0.5%] (no difference)
startup:petclinic:profiling:Agent	16.76 s	16.86 s	[-1.7%; +0.5%] (no difference)
startup:petclinic:sca:Agent	16.86 s	16.76 s	[-0.1%; +1.4%] (no difference)
startup:petclinic:tracing:Agent	15.99 s	16.01 s	[-1.3%; +1.1%] (no difference)

Commit: a6e41883 · CI Pipeline · Benchmarking Platform UI

---

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

[PerfectSlayer]

Checked the main.txt is still applying to the instrumentations.

👏 praise: ‏
Thanks for finding the issue and fixing the instrumentations!

[mcculls]

👍 thanks, isDeclaredBy(implementsInterface(...)) is the same as isDeclaredBy(hasSuperType(isInterface().and(...))) but more performant

[PerfectSlayer]

I went back to commet on it following Yesterday’s discussion with @bric3 Glad you caught it @mcculls
Again, I have a tendency to overlook the PR when you push for review in person 😓

[bric3]

No problem, also sorry @PerfectSlayer, I had some questions and our offline discussions confirmed there was something to look again. There was a reason it was a reason why it was made like that (see #11017), but this allowed to improve the situation.

[mcculls]

Good catch

[dd-octo-sts]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-06-12 12:19:29 UTC ℹ️ Start processing command /merge

---

2026-06-12 12:19:40 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).

---

2026-06-12 13:24:42 UTC ℹ️ MergeQueue: This merge request was merged