48 Commits

Author	SHA1	Message	Date
Vikrant Gupta	7844fc1fe1	fix(authn): include base path in SSO callback and error-redirect URLs (#11588) ... * fix(authn): include base path in SSO callback and error-redirect URLs The SAML ACS URL and the OIDC/Google redirect URLs were built from the site URL host plus a hardcoded path (e.g. /api/v1/complete/saml), dropping the base path. When SigNoz is served under a sub-path (global.external_url with a path, e.g. https://example.com/signoz), the API is served at <prefix>/api/v1/complete/<provider>, so the identity provider was told to call back to a path without the prefix and hit a 404. Thread global.Config into the SAML/OIDC/Google callback providers and the session handler, and prepend global.Config.ExternalPath() to the callback paths and the SSO error redirect to /login. Root deployments are unchanged since ExternalPath() returns "" without a configured sub-path. * fix(authn): run callbackauthn suite with base path * refactor(tests): self-contained base-path fixture for callbackauthn Move the base-path setup out of the shared create_signoz factory and into a package-scoped signoz fixture in the callbackauthn suite's own conftest (same pattern as rootuser/conftest.py). When --base-path is set the fixture appends SIGNOZ_GLOBAL_EXTERNAL__URL and the url-config prefix locally; without it it behaves exactly like the global fixture. The shared factory and docker config are left untouched. * test(authn): add base-path SSO integration suite Adds a dedicated `basepath` integration suite that serves SigNoz under a hardcoded /signoz prefix (SIGNOZ_GLOBAL_EXTERNAL__URL) and exercises the SAML and OIDC happy-path logins end-to-end. Every SigNoz API call is issued under the prefix and the IdP callback (ACS / redirect URI) is registered with the prefix, so the flow only passes when the backend builds prefixed callback URLs. The shared TestContainerUrlConfig and create_signoz factory are left untouched. The suite's conftest shadows the same-named auth fixtures (create_user_admin, get_token, get_session_context, apply_license) with base-path-aware variants and reuses the Keycloak/browser fixtures, which are not under the base path. Google SSO is not covered: it requires the real accounts.google.com issuer and a real Google login, so it cannot run against the local Keycloak IdP; it shares the identical path.Join(ExternalPath, redirectPath) callback logic that SAML and OIDC validate. * revert: drop in-place base-path wiring from integration harness Removes the --base-path flag, TestContainerUrlConfig.base_path, the idp.py and 02_saml.py .get() changes, and the callbackauthn base-path conftest fixture. Base-path SSO is now covered by the dedicated `basepath` suite, so the shared harness (TestContainerUrlConfig, create_signoz, callbackauthn) is back to its original root-only form. * refactor(test): remove apply_license fixture * refactor(test): extract base-path-aware auth factories Extract the session-context / token / token-pair / admin-registration logic in fixtures/auth.py into reusable factory functions that take an optional base_path (token_getter, session_context_getter, tokens_getter, register_admin), with the fixtures delegating to them. Default base_path="" is byte-identical for existing callers. The basepath suite's conftest now reuses these factories with the /signoz prefix as thin one-line fixture overrides instead of duplicating the request logic. * refactor(test): give base-path admin registration a distinct cache key register_admin takes an optional cache_key (default "create_user_admin"); the basepath suite passes a distinct key so that under --reuse the admin marker cached against the signoz-base-path container is not restored for (or from) other suites' default signoz instance.	2026-06-08 14:15:04 +00:00
Naman Verma	c68f237a8a	feat: v2 create and get dashboard API (#11125) ... * feat: openapi spec generation * test: script to generate test dashboard data in a sql db * test: fixes in dashboard perf testing data generator * test: perf test script for both sql flavours * test: data column in perf tests should match real data * test: much bigger json for data column * chore: comment clean up * chore: separate file for perses replicas * test: more descriptive test file name * chore: move plugin maps to correct file * chore: comment cleanup * test: add tests for spec wrappers * chore: better file names * chore: better file name * chore: too many comments * fix: js lint errors * fix: dot at the end of a comment * chore: better error messages * fix: strict decode variable spec as well * fix: remove textbox plugin from openapi spec * chore: renames and code rearrangement * chore: better comment to explain what restrictKindToLiteral does * chore: cleaner comment * chore: cleaner comment * chore: cleaner comment * chore: better method name * chore: cleanup testing code * chore: code movement * chore: code movement * chore: code movement * chore: go lint fix (godot) * chore: code movement * chore: cleanup comments * chore: better method name extractKindAndSpec * test: test for drift detection mechanics * feat: define tags module for v2 dashboard creation * feat: enum for entity type that other modules can register * chore: follow proper unmarshal json method structure * feat: v2 create dashboard API * fix: only return name of a tag in dashboard response * fix: use existing tag's casing if new tag is a prefix of an existing tag * fix: go lint fix * fix: more dashboard request validations * chore: separate method for validation * fix: module should also validate postable dashboard * test: integration tests for create API * test: integration test fixes * chore: use existing mapper * fix: remove extra spec from builder query marshalling * fix: merge conflicts * fix: add allowed values in err messages * fix: remove extra (un)marshal cycle * fix: return 500 err if spec is nil for composite kind w/ code comment * fix: no need for copying textboxvariablespec * fix: wrap errors * chore: no v2 subpackage * fix: no v2 package and its consequences * fix: no v2 package and its consequences * fix: query-less panels not allowed * feat: consolidate tag module and tagtypes changes from downstream branches * fix: allow only 1 query in a panel * test: unit test fixes * feat: method to fetch tags for multiple entries at once * test: fix mock interface in test * feat: move tags to key:value pairs model * feat: entity type column in tags * fix: pass entity type in create many * feat: reserved DSL key validation for tags * feat: new module for tags * chore: merge conflicts error fixing pt 1 * fix: lint fix regarding nil, nil return in test file * chore: change where tag module is instantiated * fix: add back api endpoint * chore: generate api spec * fix: extend bun in joinedRow * feat: method to build postable tags from tags * fix: diff error codes for invalid keys and values * fix: correct pk in bun model for tag relations * fix: created and updated by schema * fix: use coretypes.Kind instead of defining entity type * fix: singular table name * chore: remove org ID from tag relation * feat: foreign key on tag id * feat: add SyncTags method that covers creation and linking * fix: remove entity type definition * fix: fix build errors in dashboard module * chore: bump migration number * chore: change entity id to resource id * fix: add org id filter in all list and delete queries * fix: remove user auditable * fix: add ID in tag relation * fix: fix build error * chore: bump migration number * fix: add len check on tags keys and values * fix: add regex for tags * chore: remove methods that shouldn't be exposed * fix: use sync tags in create api * feat: functional unique index in sql schema * fix: only ascii in regex * chore: rename create method to createOrGet * chore: use tagtypestest package for mock store * chore: combine functional unique index with unique index * chore: move tag resolution to module * test: add unit tests for new idx type * chore: comment out tags unique index for now * chore: add a todo comment * chore: comment out unique index test * feat: add created at to tag relations * chore: comment out unique index test * chore: bump migration number * chore: remove uploaded grafana flag from metadata * Merge branch 'main' into nv/v2-dashboard-create * chore: revert idx generation to resolve conflicts * fix: use store.RunInTx instead of taking in sqlstore * fix: use binding package to get request * chore: move NewDashboardV2 to NewDashboardV2WithoutTags * chore: rename module to m * fix: add ctx needed in sqlstore * fix: remove sqlstore passage in ee pkg * chore: change dashboardData to dashboardSpec * feat: follow the metadata+spec key structure * feat: follow the metadata+spec key structure in open api spec * feat: v2 dashboard GET API (#11136) * feat: v2 dashboard GET API * Merge branch 'nv/v2-dashboard-create' into nv/v2-dashboard-get * chore: update api specs * fix: remove soft delete references * chore: embed StorableDashboard into joinedRow in store method * fix: fix build error * chore: revert all frontend changes * fix: remove public dashboard from get v2 call * chore: update frontend schema * chore: generate api specs * fix: add source for v2 dashboards * chore: incorporate source * fix: add some required fields * feat: add immutable name in dashboard v2 * feat: add immutable name in dashboard v2 * feat: add immutable name in dashboard v2 api specs * fix: remove unused param in constructor * fix: improve api descriptions * fix: remove unneeded comment * chore: increase MaxTagsPerDashboard to 10 * fix: set display name in unmarshal json * chore: remove integration test for now (will add along with list api) * feat: add validation on dashboard name * fix: correct convertor method name * test: add unit tests for type conversions * chore: remove enum def of threshold comparison operator * feat: add flag to generate unique name in backend * chore: generate api specs * chore: make tags required in postable * test: fix unit tests referring to > threshold operator * fix: use must new uuid for org id	2026-05-27 11:15:02 +00:00
Abhishek Kumar Singh	804ea2a7f8	feat: alert template processor + integration in notifiers (#10750) ... * chore: custom notifiers in alert manager * chore: lint fixs * chore: fix email linter * chore: added tracing to msteamsv2 notifier * feat: alert manager template to template title and notification body * chore: updated test name + code for timeout errors * chore: added utils for using variables with $ notation * chore: exposed templates for alertmanager types * feat: added preprocessor for alert templater * chore: hooked preProcess function in expandTitle and body, added labels and annotations in alertdata * chore: fix lint issues * chore: added handling for missing variable used in template * feat: converted alerttemplater to interface and updated tests * refactor: added extractCommonKV instead of 2 different functions * test: fix preprocessor test case * feat: added support for and in templating * chore: lint fix * chore: renamed the interface * chore: added test for missing function * refactor: test case and sb related changed * refactor: comments and test improvements * chore: lint fix * chore: updated comments * feat: added basic html markdown templater * chore: updated newline to markdown format * feat: slack blockkit renderer using goldmark * test: added test for html rendering * feat: integrated slack blockit in markdownrenderer package and removed plaintext format * chore: updated br with new line in test and logs added * refactor: alert manager templater * feat: added no-op formatter in markdown rederer * chore: return missing variables as sorted list * feat: alert notification processor * chore: refactor notification processor and send processor in ReceiverIntegrations * chore: return isDefaultTemplated true even in case of blank default template * feat: updated email notifier * feat: update ms team notifier with notification processor * refactor: ms teams notifier * chore: msteams note * feat: added notification processor in opsgenie notifier * feat: added notification processor in slack notifier * feat: added notification processor in pagerduty notifier * chore: added IsCustomTemplated helper function in result struct * feat: added notification processor in webhook notifier * chore: updated alertmanagernotify package with updated notifier signature * feat: slack mrkdwn renderer * feat: added new format in markdown renderer * test: simplify TestRenderSlackMrkdwn * test: add new test cases for Slack MRKDWN rendering * feat: updated slack notifier with slack mrkdwn format * fix: webhook notifier update annotations before preparing data * fix: added handling for labels and annotations with `.` and `-` * fix: handled <no value> in templated response * test: added test in notification procesor for no value * refactor: review comments * refactor: lint fixes * chore: updated licenses for notifiers * chore: updated email notifier from upstream * chore: lint fixes * feat: added no value extension to render <no value> in html * feat: email rendering with custom template in notification processor * chore: integration of custom templating in rule manager * chore: added action links to email and slack notifiers * chore: fix linter and merge conflict issues * feat: added `Literal` for CompareOperator and MatchType and expose from ruleManager * chore: error logging + NoOp type definition * feat: return single templating result from with flag for template type * fix: variables with symbols in template * feat: slack mrkdwn renderer * feat: custom raw html renderer to escape <no value> * chore: integrated slack mrkdwn renderer and added NoOp formatter * fix: email template directory for notification processor * chore: remove static templates from pagerduty notifications * chore: removed notifier test files * fix: concurrent rendering in markdown renderer * refactor: changes as per internal review * chore: lint issue * chore: removed special handling for softline break * refactor: removed logger as markdown renderer dependency * refactor: changed markdown renderer from interface to package-level functions * refactor: changes as per internal review * chore: removed notification processor * chore: updated webhook notifier to send templated title and body in notification * refactor: msteams skip logs and traces as factsset, slack code refactor * chore: remove private annotations from pagerduty notifier * chore: updated email template based on new template struct * chore: update receiver integrations * chore: outdated comment * chore: move to templates/alertmanager * chore: address comments * chore: add example for templates --------- Co-authored-by: Srikanth Chekuri <srikanth.chekuri92@gmail.com>	2026-05-25 17:07:55 +00:00
Vikrant Gupta	d1f143f675	feat(web): add support for generating web settings types (#11445) ... * feat(web): add support for generating settings type * feat(web): add support for generating settings type * feat(web): add support for generating settings type * refactor: rename generate settings to generate config web-settings - Rename cmd/settings.go to cmd/genconfig.go - Restructure command as `generate config web-settings` - Move schema output to docs/config/web-settings.json - Update frontend script to generate:config:web-settings - Update CI checks to match new command names - Strip Web prefix from generated JSON Schema definitions	2026-05-25 12:41:24 +00:00
swapnil-signoz	832930239e	refactor: cloud integration dashboards migration to DB (#11382) ... * chore: added migration setup * feat(sqlmigration): add integration_dashboards table (migration 079) Adds the `integration_dashboards` relations table that stores the integration-specific identity for dashboards provisioned from cloud or builtin integrations. Columns: id, org_id, dashboard_id, provider, slug, created_at, updated_at. Includes a unique index on dashboard_id. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat(sqlmigration): backfill cloud integration dashboards to DB (migration 080) One-time idempotent migration that provisions dashboard rows for all orgs with existing cloud integration services where metrics are enabled. Each dashboard is inserted into the `dashboard` table with source="integration" and locked=true, and a companion row is added to `integration_dashboards` with provider="cloud_integrations" and slug="{provider}-{service}-{dashboard}" (e.g. aws-alb-overview). Idempotency is enforced by checking (org_id, provider, slug) on integration_dashboards before each insert. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore(sqlmigration): clean up stale 079 artifacts, add 079 schema migration Remove the pre-rename 079_migrate_cloud_integration_dashboards.go and 079_cloud_integration_dashboards/ directory that were left behind when the backfill migration was renumbered to 080. Add the missing 079_add_integration_dashboards.go (schema-only migration creating the integration_dashboards table) which provider.go already references. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: adding comment for fk * refactor: renaming table name * refactor: rename and restructure cloud integration dashboard migration types * chore: file rename * refactor: dashboard creation and listing flow change * refactor: removing loose strings * refactor: adding DeleteBySource on dashboard module * refactor: review changes and update service flow change * refactor: simplify comments * ci: lint staticcheck fix * refactor: renaming migration and adding integration tests * ci: py fmt lint fixes * feat: adding ListSharedServices store method * ci: golangci-lint fix * refactor: code cleanup * chore: revert changed due to js lint * refactor: test assertion changes * refactor: using bindparam for sql generation * chore: migrate integration dashboards json to v5 (#11419) --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Srikanth Chekuri <srikanth.chekuri92@gmail.com>	2026-05-23 03:05:06 +00:00
Vikrant Gupta	d2f3659df2	fix(authz): add role CRUD permissions (#11315) ... * fix(authz): add attach detach permissions on metaresource * fix(authz): add role CRUD permissions * feat(authz): add support for supported verbs per metaresource * feat(authz): fix formatting for generated files * feat(authz): fix formatting for generated files * feat(authz): fix formatting for generated files * feat(authz): remove frontend changes * feat(authz): fix jest test	2026-05-15 12:53:48 +00:00
Pandey	db9a348a4e	feat(cmd): add metastore migrate command (#11311) ... * refactor(cmd): extract per-build sqlstore/sqlschema factory helpers Move the build-specific composition of sqlstore and sqlschema provider factories out of community/server.go and enterprise/server.go into sibling metastore.go files. This deduplicates the wiring that will otherwise be repeated in the upcoming metastore command, and keeps each build's postgres opt-in expressed in exactly one place. refs SigNoz/platform-pod#706 * feat(cmd): add metastore migrate sync up command Introduce a 'metastore migrate sync up' cobra command that applies SQL schema migrations as a standalone CLI step. Operators can now run migrations to completion before bringing up the application, instead of having them implicitly run on server startup. The command accepts the same --config flag shape as 'server' so the same YAML configuration files line up across both entrypoints. The build-specific composition of sqlstore and sqlschema provider factories is injected from cmd/{community,enterprise}/metastore.go. refs SigNoz/platform-pod#706 * feat(cmd): register metastore command from both build mains Wire RegisterMetastore into cmd/community/main.go and cmd/enterprise/main.go so the new 'metastore migrate sync up' subcommand is reachable from both binaries. refs SigNoz/platform-pod#706 * feat(sqlmigrator): add Check method to report pending migrations Check reports whether the database has any unapplied migrations without applying them, intended for use by preflight/CI gates. It returns nil when the database is up to date and a typed error (ErrCodePendingSQLMigrations) listing the pending migration names otherwise. refs SigNoz/platform-pod#706 * refactor(cmd): split metastore registration from execution, add sync check Mirror the server.go pattern: registerSync{Up,Check} only build the cobra commands and parse flags; runSync{Up,Check} hold the actual work and share a newSyncMigrator helper so the wiring of sqlstore, sqlschema, telemetrystore and the SQL migrator lives in one place. Adds the new 'metastore migrate sync check' subcommand, which calls sqlmigrator.Check and exits non-zero when migrations are pending — useful as a deployment preflight gate before bringing up the server. refs SigNoz/platform-pod#706 * fix(sqlmigrator): drop Init from Check Check should report state, not create the migration table. If the migration table is missing, that's itself a signal that 'up' has not been run. refs SigNoz/platform-pod#706 * fix(sqlmigrator): use TypeUnexpected for pending migrations error Pending migrations are a state mismatch, not bad caller input. TypeUnexpected ('Generic mismatch of expectations') is the correct category. refs SigNoz/platform-pod#706 * fix(sqlmigrator): switch pending migrations error to TypeInternal Pending migrations describe internal system state (the schema is behind the target version), not bad caller input or a caller-visible state mismatch. None of the existing types maps to a FAILED_PRECONDITION equivalent, so TypeInternal is the closest fit. refs SigNoz/platform-pod#706 * fix(sqlmigrator): use TypeNotFound for pending migrations error refs SigNoz/platform-pod#706	2026-05-14 13:23:03 +00:00
Vikrant Gupta	edb30f29c1	feat(authz): introduce detach relationship (#11298) ... * feat(authz): introduce detach relationship * feat(authz): attach and detach for parent child heirarchy * feat(authz): fix the openapi spec generated schemas * feat(authz): add integration tests * feat(authz): add telemetry metaresource * feat(authz): fix the http response and integration tests * feat(authz): generate frontend openapi schema * feat(authz): remove unwanted tuples	2026-05-14 11:06:17 +00:00
Ashwin Bhatkal	5363dc6b0e	test: new playwright project to seed data (#11271) ... * test: new playwright project to seed data * test: add teardown bits * test: move from fixtures to seeder * test: format file * test: format file + update lockfile	2026-05-14 08:37:40 +00:00
Vinicius Lourenço	c86df3adcb	feat(pnpm): migrate away from yarn (#11158) ... * feat(pnpm): migrate away from yarn * fix(lodash): using uninstall dependency * fix(workflows): use pnpm as package manager * fix(pnpm-lock): keep it updated * fix(test): issue with lodash-es and our pnpm store * fix(jest): more esm conflicts * fix(pipeline-page): update snapshot test * fix(pnpm-lock): out of sync * fix(json-view): issue with typing * chore(pnpm): upgrade pnpm * chore(yarn): remove yarn	2026-05-12 12:25:21 +00:00
Karan Balani	0766ab31c0	feat: meter reporter for new billing infra (#11016) ... * feat: meter reporter for new billing infra * feat(meterreporter): simplify code, add metric meters, dry-run zeus call * feat(meterreporter): add traces meters * chore: update interval validation to allow min 5 mins interval for testing * feat: add telemetry for collect and ship durations & improve comments * feat(meterreporter): sealed-range catch-up and today-partial ticks * chore: intermediate commit * feat: improve retention period queries based on workspace ids for logs only for now * chore: skip meter checkpoint call temporarily * feat(meterreporter): bootstrap from data floor, emit sentinel zero-readings * chore: lower HistoricalBackfillDays * fix(meterreporter): pin retention type * refactor(meterreporter): remove unused retry config * refactor: add retentiontypes * chore: intermediate commit * feat(meterreporter): add metric and trace meters * refactor: cleanup comments * refactor: remove HistoricalBackfillDays * refactor: move few things to ee package * refactor: simplify some sections of tick * refactor: push meters in batch for each day * chore: add tracing and logging * feat: make retention buckets generic * feat(metercollector): add MeterCollector interface and split type packages * feat(metercollector/retention): add narrow retention slice loader and SQL helpers * refactor(meterreporter): wire http collectors * chore(meterreporter): trim comments * test(metercollector): add collector coverage * chore(meterreporter): increase catchup window * fix: ci lint and flag default value * refactor(meters): align retention and zeus * refactor(retention): move ttl types * refactor(meters): rename platform fee collector * refactor(meters): add meter constructor * refactor(meters): add window constructor * refactor(meters): consolidate zeus meter types * refactor(meters): centralize meter metadata * refactor(retention): add getter module * refactor(retention): consolidate ttl types * chore: use int64 instead of float64 as meter value * chore: int64 conversion in clickhouse query too * chore: error log - make failed meter collection louder * chore: start sending data to zeus * chore: add debug statement for logging meter data * chore: simplify meter query only use org id and retention duration * chore: remove unused functions from retention module and move sqlbuilder function too * chore: remove unused code * chore: switch to info context log for testing * refactor(meterreporter): consolidate collectors and push origin into source Replaces six near-duplicate collector packages with two parametrized, factory-shaped ones: telemetrymetercollector for the ClickHouse-backed meters (log size, span size, datapoint count) and staticmetercollector for fixed-value meters (base platform fee). Each meter is now a Config entry in cmd/enterprise/meter.go, materialized by iterating the factory. Pushes the catchup floor concept out of the reporter and into each collector via a new Origin method. Telemetry collectors return per-meter min(unix_milli) FROM signoz_meter.samples; static collectors return todayStart. The reporter now computes per-meter next-day-to-report and only invokes a collector for days at/after its own next, eliminating the over-emit + dropCheckpointed dance. Other tightening: typed Meter.MeterName with JSON marshalers; Meter dimensions built via attribute.Key-based zeustypes.NewDimensions; license flows into Collect from the reporter (collectors stop fetching it themselves); providerSettings plumbed into the meterreporter factory closure for harness-style provider construction. * refactor(meterreporter): per-collector Origin, simpler tick, semconv metrics Pushes the catchup-floor concept out of the reporter and into each collector via MeterCollector.Origin. Telemetry collectors return per- meter min(unix_milli) FROM signoz_meter.samples; static collectors return today. The reporter computes per-meter next-reportable-day, iterates the day-loop globally, and only invokes a collector for days at/after its own next — eliminating the over-emit + dropCheckpointed dance entirely. collectOrg is split into three named helpers: provider.checkpoints (Zeus call + index), provider.nextDays (per-meter origin + checkpoint max), and pure backfillRange (start/end clamped to yesterday + cap). collectOrg itself reads as a five-step recipe. Provider stores collectors as map[MeterName]MeterCollector keyed by name; the slice + sort.Slice scaffolding is gone, validation moves into newProvider. eligibleCollectors and report take the map directly. Start matches the opaquetokenizer pattern: synchronous select+ticker, sharder + per-org loop with license check (skipping orgs with no active license), per-tick span scoped via an IIFE so defer span.End() fires once per tick. goroutinesWg removed. Config drops Timeout. CatchupMaxDaysPerTick renamed to MaxBackfillDays. runPhase renamed to report. telemetryStore injection removed (no longer used after dataFloor moved into the telemetry collector). Metrics rebuilt around OTel semconv: signoz.meterreporter.checkpoints, .reports, .collections, .meters — each bumped on success and failure, with error.type set on failure via a new errors.TypeAttr helper in pkg/errors. collections also carries signoz.meter.name. * refactor(meterreporter): rename base platform fee meter, add metric units Renames signoz.meter.base.platform.fee to signoz.meter.platform.active. The new name matches the per-service template signoz.meter.<service> .active that scales for future per-service billing meters; "active" fits the billing-eligibility semantic (org's platform subscription is active for the period) without conflating with operational liveness conventions like Prometheus's `up`. Adds UCUM annotated-count units to each reporter counter: - signoz.meterreporter.checkpoints -> {checkpoint} - signoz.meterreporter.reports -> {report} - signoz.meterreporter.collections -> {collection} - signoz.meterreporter.meters -> {meter} * chore: stop leaking collectors if flag is false and address comments * fix(meterreporter): correct startup and retention metadata * fix(meterreporter): recover static meter backfill * chore: address review comments * chore: move flag evaluation into reporter * refactor: fix retention origin for staticmeter collectors * fix(meterreporter): gate backfill by license day Replace max_backfill_days with a backfill switch. Clamp sealed-day catch-up to the license creation day. Send retention duration dimensions in seconds. * fix(meterreporter): anchor backfill to license day * chore: address review comments * chore: drop unrelated authz schema diff --------- Co-authored-by: Karan Balani <29383381+balanikaran@users.noreply.github.com> Co-authored-by: grandwizard28 <vibhupandey28@gmail.com>	2026-05-11 17:47:29 +00:00
Pandey	a2b4a685ad	feat(auditor): add file provider (#11252) ... * feat(auditor): add file provider for audit logs * feat(auditor): write payload + newline in a single syscall Combine the JSON payload and trailing newline into one Write call so a concurrent reader can never observe a torn JSON object — they see either the full line or nothing. * style(auditor): drop wrapping at file-provider export and obvious doc comments	2026-05-11 06:23:42 +00:00
Vikrant Gupta	912c6073c5	feat(authz): add resource-level FGA for service accounts (#11065) ... * feat(authz): add resource-level FGA and attach permissions for service accounts - Add CheckAll middleware (AND of OR groups) for multi-resource authz checks - Switch SA role routes (SetRole, DeleteRole) to VerbAttach on ResourceServiceAccount - Add RoleAttachSelectors on SA module for role-level VerbAttach resolution - DeleteRole uses CheckAll (both checks at middleware from URL params) - SetRole uses Check (entity) at middleware + module-level role attach check - Add migration 078 to backfill FGA tuples for existing organizations - Add authz contributing guide (docs/contributing/go/authz.md) - Regenerate OpenAPI spec with scoped security schemes * feat(authz): fix openapi spec * feat(authz): add attach permissions to migration * feat(authz): role details page fixes * fix(openapi): openapi changes for attach * fix(openapi): openapi changes for attach * fix(types): move types to middleware to remove http import from types * test(integration): add integration tests * test(integration): fix test lint and remove contributing guide * feat(authz): revert role details changes * feat(authz): move selectors to handler * feat(authz): better naming for authz service and authz middleware * feat(authz): better naming for authz service and authz middleware	2026-05-08 20:33:02 +00:00
Pandey	3d8cddf84e	refactor: split typeable infrastructure into pkg/types/coretypes (#11105) ... * refactor: move authtypes to coretypes * refactor: migrate downstream consumers to coretypes Kind/Type/Relation Wire all consumers of the typeable infrastructure through coretypes: - Replace authtypes.Name/Type/Relation references with coretypes equivalents - Switch Typeable singletons to constructor calls (authtypes.NewTypeableUser etc.), with the embedded coretypes.Typeable populated so Kind/Type/Prefix/ Scope dispatch correctly through the embed - Update dashboardtypes meta-resource declarations to use authtypes constructors so they expose Tuples (authz callers need it) - Rename Resource.Name field accesses to Resource.Kind to match the field rename in authtypes.Resource - Fix typeable_metaresource.go calling the plural NewTypeableMetaResources helper — should be the singular NewTypeableMetaResource go build ./... and go vet ./... clean (parser-generated unreachable-code warnings are pre-existing). Authz unit tests pass. * refactor(audittypes): unify Action with coretypes.Relation Drop the duplicate Action enum from audittypes — the verbs (create/update/ delete) match coretypes.Relation exactly. Move PastTense onto Relation so audit EventName derivation continues to work without a parallel hierarchy. Also retypes AuditDef.ResourceKind from string to coretypes.Kind so audit declarations get the same regex validation that authz already enforces. * refactor(retentiontypes): extract TTLSetting into its own package TTLSetting is the bun model for ClickHouse TTL settings — has nothing to do with the Organization domain it was previously co-located with in pkg/types/organization.go. Moved to pkg/types/retentiontypes/ alongside the ClickHouse reader that's its sole consumer. No schema change; the bun table tag (table:ttl_setting) is unchanged. * chore(openapi): regenerate spec for coretypes.Relation and Resource.Kind * chore(frontend): regenerate API client and migrate Resource.name → Resource.kind Regenerated TypeScript API types after the AuthtypesResource field rename and the new CoretypesRelation enum. Updated: - frontend/scripts/generate-permissions-type.cjs to read `r.kind` from the /api/v1/authz/resources response and emit `kind:` in the static permissions.type.ts file. - frontend/src/hooks/useAuthZ/{permissions.type,types,utils,useAuthZ}.tsx: Resource.name → Resource.kind throughout. - frontend/src/container/RolesSettings/{utils.tsx,__tests__/utils.test.ts}: same field migration. - frontend/src/components/createGuardedRoute/createGuardedRoute.test.tsx: same. - useAuthZ/utils.ts: cast string relations to CoretypesRelationDTO at the AuthtypesTransactionDTO boundary now that relation is an enum, not a raw string. yarn generate:api passes (orval generation + lint + typecheck). * refactor: migrate downstream consumers to Resource/Verb rename * chore(openapi): regenerate spec for Resource/Verb rename * feat(coretypes): add ListResources accessor with stable sort * feat(cmd): add 'generate authz' subcommand for permissions type * refactor(authz): drop runtime authz/resources endpoint * refactor(frontend): consume static permissions.type.ts directly * chore(frontend): regenerate Orval client without authz/resources * ci: move authz schema check from jsci to goci * refactor(coretypes): move Selector/Object/Transaction from authtypes * feat(coretypes): add managed role names and permission policy * feat(coretypes): add Registry assembling resources, types, and managed-role transactions * refactor(authz): wire *coretypes.Registry; drop RegisterTypeable * refactor(cmd): wire coretypes.NewRegistry into server bootstraps * chore: regenerate openapi spec for authtypes -> coretypes type moves * chore(frontend): regenerate API client for Authtypes -> Coretypes type moves * refactor(coretypes): rename GettableResource to ResourceRef * refactor(authz): collapse Registry around static data; bridge once at construction * refactor(coretypes): tighten Registry, restore anonymous public-dashboard grant Drops passthrough fields from coretypes.Registry; adds an O(1) lookup map for NewResourceFromTypeAndKind; replaces stringly-typed Type compares with Type.Equals; removes the now-redundant getUniqueTypes helper. Restores the signoz-anonymous read grant on metaresource/public-dashboard that was silently dropped, and removes the invalid signoz-admin/VerbCreate/TypeUser entry that panicked at startup. * chore: regenerate openapi spec for coretypes -> authtypes type moves * chore(frontend): regenerate API client for Coretypes -> Authtypes type moves * fix(authz): disambiguate kind→type by relation, preserve multi-part selectors permissions.type.ts now lists the same kind (dashboard, role, public-dashboard) under both metaresource and metaresources, so the prior kind→type map silently overwrote one with the other. Resolve the type using the requesting relation's allowed types, and slice the selector at the first colon so multi-part selectors (e.g. id:version) round-trip correctly. Updates useAuthZ.test.tsx to use the regenerated kind field. * refactor(authtypes): introduce Relation wrapper over coretypes.Verb The authz layer modeled relations as raw coretypes.Verb everywhere, which forced authz-level concepts (action, role-binding) to share a type with schema-level enumerations. Introduce authtypes.Relation as a thin wrapper over coretypes.Verb so the authz APIs (CheckWithTupleCreation, ListObjects, GetObjects, PatchObjects, NewTuples, Transaction.Relation, etc.) can grow authz-specific affordances without leaking back into coretypes. Also reshuffles the static coretypes data into dedicated registry_*.go files (types, kinds, verbs, resources, managed roles) to keep the schema declarations isolated from the value types they configure. * refactor(authtypes): expose Relation.Enum() and regenerate openapi spec Without an Enum() method on Relation the openapi generator emitted an empty AuthtypesRelation schema (no allowed values). Forward the enum from the embedded coretypes.Verb so the wire contract is faithful. * refactor(ee/authz): drop always-nil error returns from managed-role tuple helpers getManagedRoleGrantTuples and getManagedRoleTransactionTuples never returned a non-nil error, which the linter (unparam) had flagged. Drop the unused error return; callers no longer need the err check either. * chore(frontend): regenerate API client for authtypes.Relation * fix(authz): satisfy go-lint — keyed Relation literal, drop redundant Verb selector * refactor(coretypes): sync Kinds slice with full registry_kind declarations * feat(coretypes): register metaresource and metaresources for all new kinds Adds 21 metaresource and 21 metaresources entries (covering notification-channel, route-policy, apdex-setting, auth-domain, session, cloud-integration, cloud-integration-service, ingestion-key, ingestion-limit, pipeline, user-preference, org-preference, quick-filter, ttl-setting, rule, planned-maintenance, saved-view, trace-funnel, factor-password, factor-api-key, license) so the authz schema covers every resource Kind declared in registry_kind. Regenerates the static frontend permissions.type.ts to match. * feat(coretypes): populate ManagedRoleToTransactions from signozapiserver routes Enumerates every (verb, resource) tuple each managed role holds, derived from the AdminAccess/EditAccess/ViewAccess middleware on routes in pkg/apiserver/signozapiserver and the legacy http_handler in pkg/query-service/app. Admin gets 123 transactions, editor 53, viewer 25, anonymous keeps the single public-dashboard read. * feat(coretypes): add integration kind with full CRUD for viewer/editor/admin Install/uninstall/list integration routes (legacy /api/v1/integrations) all sit behind ViewAccess, so every authenticated role gets the full CRUD surface on (metaresource, integration) and (metaresources, integration). Regenerates the static frontend permissions.type.ts to match. * feat(coretypes): add subscription kind alongside license, document LCRUD shape License covers the in-product license resource (Activate/Refresh/GetActive). Subscription is the billing lifecycle (checkout/portal/billing) served by ee/query-service routes. Both are admin-only and modeled with a uniform LCRUD shape; comments call out which verbs actually map to routes versus which are placeholders for shape parity (e.g. cancellation flows through Stripe's portal, not an in-process delete). * feat(coretypes): model telemetryresource for logs, traces, metrics Mirrors the telemetryresource type from ee/authz/openfgaschema/base.fga into coretypes: a read-only Type with three Kinds (logs, traces, metrics) matching telemetrytypes.Signal. Selector is wildcard-only for v1; future work can narrow per-service or per-environment when the use case lands. Every managed role (admin/editor/viewer) gets read on each signal, matching the schema's role#assignee grant. Anonymous stays unchanged. Regenerates the static frontend permissions.type.ts. * feat(coretypes): add audit-logs and meter-metrics kinds under telemetryresource Audit logs (signal=logs, source=audit) and meter metrics (signal=metrics, source=meter) are sensitive source-qualified telemetry streams that don't belong under the broad read-grant every role gets on regular logs/traces/ metrics. Modeled as distinct Kinds so they can be permissioned independently. Admin-only read for now; widen on explicit ask (e.g. an auditor flow that needs viewer access to audit-logs). Regenerates the static frontend permissions.type.ts. * feat(coretypes): add logs-field and traces-field kinds for stored field config GET/POST /logs/fields and /api/v2/traces/fields manage stored, mutable field metadata (indexed/promoted columns) over each signal. They're configuration, not telemetry data, so they sit under metaresource rather than telemetryresource. Viewer reads, editor/admin update; no create/delete since POST overwrites. Plural prefix (logs-field / traces-field) matches the signal naming. * chore(frontend): regenerate permissions.type.ts to match generate authz output * feat(authz): add attach permissions to fga model * fix(tests): use role permissions instead of dashboards * fix(authz): couple of issues with register flow * fix(authz): public dashboard read should be anomymous * fix(tests): integration test for public dashboard access --------- Co-authored-by: vikrantgupta25 <vikrant@signoz.io>	2026-05-05 19:13:09 +05:30
swapnil-signoz	97885babe8	feat: adding cloud integration implementation details for Azure (#11058) ... * refactor: moving types to cloud provider specific namespace/pkg * refactor: separating cloud provider types * refactor: using upper case key for AWS * feat: adding cloud integration azure types * feat: adding azure services * refactor: updating omitempty tags * refactor: updating azure integration config * feat: completing azure types * refactor: lint issues * feat: adding service definitions for azure * refactor: update service names for Azure Blob Storage telemetry * refactor: updating definitions with metrics and strategy * refactor: updating command key * fix: handle optional connection URL in AWS integration * feat: wip * refactor: updating strategy struct * refactor: updating telemetry strategy * refactor: updating connection artifact struct * refactor: updating blob storage service name * refactor: updating azure blob storage service name * refactor: update Azure service identifiers * refactor: updating service defs * fix: update integration account ID and add agent version to Azure CLI and PowerShell commands * refactor: updating deny settings mode * refactor: updating types * refactor: adding missing case for azure service update * feat: implement Azure connection commands and add unit tests * refactor: using template for Azure connection artifact creation and update tests	2026-04-27 11:23:52 +00:00
Vikrant Gupta	afe85c48f9	feat(authz): add support for delete role (#11044) ... * feat(authz): add support for delete role * feat(authz): register config and return error on cleanup failure * feat(authz): take user and serviceaccount DI for assignee checks * feat(authz): add the example yaml * feat(authz): move to callbacks instead of DI	2026-04-23 13:25:19 +00:00
Pandey	c9610df66d	refactor(ruler): move rules and planned maintenance handlers to signozapiserver (#10957) ... * refactor(ruler): define Ruler and Handler interfaces with signozruler implementation Expand the Ruler interface with rule management and planned maintenance methods matching rules.Manager signatures. Add Handler interface for HTTP endpoints. Implement handler in signozruler wrapping ruler.Ruler, and update provider to embed *rules.Manager for interface satisfaction. * refactor(ruler): move eval_delay from query-service constants to ruler config Replace constants.GetEvalDelay() with config.EvalDelay on ruler.Config, defaulting to 2m. This removes the signozruler dependency on pkg/query-service/constants. * refactor(ruler): use time.Duration for eval_delay config Match the convention used by all other configs in the codebase. TextDuration is for preserving human-readable text through JSON round-trips in user-facing rule definitions, not for internal config. * refactor(ruler): add godoc comments and spacing to Ruler interface * refactor(ruler): wire ruler handler through signoz.New and signozapiserver - Add Start/Stop to Ruler interface for lifecycle management - Add rulerCallback to signoz.New() for EE customization - Wire ruler.Handler through Handlers, signozapiserver provider - Register 12 routes in signozapiserver/ruler.go (7 rules, 5 downtime) - Update cmd/community and cmd/enterprise to pass rulerCallback - Move rules.Manager creation from server.go to signoz.New via callback - Change APIHandler.ruleManager type from *rules.Manager to ruler.Ruler - Remove makeRulesManager from both OSS and EE server.go * refactor(ruler): remove old rules and downtime_schedules routes from http_handler Remove 7 rules CRUD routes and 5 downtime_schedules routes plus their handler methods from http_handler.go. These are now served by signozapiserver/ruler.go via handler.New() with OpenAPIDef. The 4 v1 history routes (stats, timeline, top_contributors, overall_status) remain in http_handler.go as they depend on interfaces.Reader and have v2 equivalents already in signozapiserver. * refactor(ruler): use ProviderFactory pattern and register in factory.Registry Replace the rulerCallback with rulerProviderFactories following the standard ProviderFactory pattern (like auditorProviderFactories). The ruler is now created via factory.NewProviderFromNamedMap and registered in factory.Registry for lifecycle management. Start/Stop are no longer called manually in server.go. - Ruler interface embeds factory.Service (Start/Stop return error) - signozruler.NewFactory accepts all deps including EE task funcs - provider uses named field (not embedding) with explicit delegation - cmd/community passes nil task funcs, cmd/enterprise passes EE funcs - Remove NewRulerProviderFactories (replaced by callback from cmd/) - Remove manual Start/Stop from both OSS and EE server.go * fix(ruler): make Start block on stopC per factory.Service contract rules.Manager.Start is non-blocking (run() just closes a channel). Add stopC to provider so Start blocks until Stop closes it, matching the factory.Service contract used by the Registry. * refactor(ruler): remove unused RM() accessor from EE APIHandler * refactor(ruler): remove RuleManager from APIHandlerOpts Use Signoz.Ruler directly instead of passing it through opts. * refactor(ruler): add /api/v1/rules/test and mark /api/v1/testRule as deprecated * refactor(ruler): use binding.JSON.BindBody for downtime schedule decode * refactor(ruler): add TODOs for raw string params on Ruler interface Mark CreateRule, EditRule, PatchRule, TestNotification, and DeleteRule with TODOs to accept typed params instead of raw JSON strings. Requires changing the storage model since the manager stores raw JSON as Data. * refactor(ruler): add TODO on MaintenanceStore to not expose store directly * docs: regenerate OpenAPI spec and frontend API clients with ruler routes * refactor(ruler): rename downtime_schedules tag to downtimeschedules * refactor(ruler): add query params to ListDowntimeSchedules OpenAPIDef Add ListPlannedMaintenanceParams struct with active/recurring fields. Use binding.Query.BindQuery in the handler instead of raw URL parsing. Add RequestQuery to the OpenAPIDef so params appear in the OpenAPI spec and generated frontend client. * refactor(ruler): add GettableTestRule response type to TestRule endpoint Define GettableTestRule struct with AlertCount and Message fields. Use it as the Response in TestRule OpenAPIDef so the generated frontend client has a proper response type instead of string. * refactor(ruler): tighten schema with oneOf unions and required fields Surface the polymorphism in RuleThresholdData and EvaluationEnvelope via JSONSchemaOneOf (the same pattern as QueryEnvelope), so the generated TS types are discriminated unions with typed `spec` instead of unknown. Also mark `alert`, `ruleType`, and `condition` required on PostableRule so the generated TS types are non-optional for callers. * refactor(ruler): add Enum() on EvaluationKind, ScheduleType, ThresholdKind Surface the fixed set of accepted values for these valuer-wrapped kind types so OpenAPI emits proper string-enum schemas and the generated TS types become string-literal unions instead of plain string. * refactor(ruler): mark required fields on nested rule and maintenance types Surface fields already enforced by Validate()/UnmarshalJSON as required in the OpenAPI schema so the generated TS types match runtime behavior. Touches RuleCondition (compositeQuery, op, matchType), RuleThresholdData (kind, spec), BasicRuleThreshold (name, target, op, matchType), RollingWindow (evalWindow, frequency), CumulativeWindow (schedule, frequency, timezone), EvaluationEnvelope (kind, spec), Schedule (timezone), GettablePlannedMaintenance (name, schedule). Does not mark server-populated fields (id, createdAt, updatedAt, status, kind) on GettablePlannedMaintenance required, since the same struct is reused for request bodies in MaintenanceStore.CreatePlannedMaintenance. * refactor(ruler): tighten AlertCompositeQuery, QueryType, PanelType schema Missed in the earlier tightening pass. AlertCompositeQuery.queries, panelType, queryType are all required for a valid composite query; QueryType and PanelType are valuer-wrapped with fixed value sets, so expose them as enums in the OpenAPI schema. * refactor(ruler): wrap sql.ErrNoRows as TypeNotFound in by-ID lookups GetStoredRule and GetPlannedMaintenanceByID previously returned bun's raw Scan error, so a missing ID leaked "sql: no rows in result set" to the HTTP response with a 500 status. WrapNotFoundErrf converts sql.ErrNoRows into TypeNotFound so render.Error emits 404 with a stable `not_found` code, and passes other errors through unchanged. * refactor(ruler): move migrated rules routes to /api/v2/rules The 7 rules routes now live at /api/v2/rules, /api/v2/rules/{id}, and /api/v2/rules/test — served via handler.New with render.Success and render.Error. The legacy /api/v1/rules paths will be restored in the query-service http handler in a follow-up so existing clients keep receiving the SuccessResponse envelope unchanged. Drop the /api/v1/testRule deprecated alias from signozapiserver; the original lives on main's http_handler.go and is restored alongside the other v1 paths. Downtime schedule routes stay at /api/v1/downtime_schedules — single track, no legacy restore planned. * refactor(ruler): restore /api/v1/rules legacy handlers for back-compat Bring the 7 rule CRUD/test handlers and their router.HandleFunc lines back to http_handler.go so /api/v1/rules, /api/v1/rules/{id}, and /api/v1/testRule continue to emit the legacy SuccessResponse envelope. The v2 versions under signozapiserver are the new home for the render envelope used by generated clients. Delegation uses aH.ruleManager (populated from opts.Signoz.Ruler in NewAPIHandler), so a single ruler.Ruler instance serves both paths — no second rules.Manager is instantiated. Downtime schedules stay single-track under signozapiserver; the 5 downtime handlers are not restored. * docs: regenerate OpenAPI spec and frontend clients for /api/v2/rules * refactor(ruler): return 201 Created on POST /api/v2/rules A successful create now responds with 201 Created and the full GettableRule body, matching REST convention for resource creation. Regenerates the OpenAPI spec and frontend clients to reflect the new status code. * refactor(ruler): restore dropped sorter TODO in legacy listRules The legacy listRules handler was copied verbatim from main during the v1 back-compat restore, but an inner blank line and the load-bearing `// todo(amol): need to add sorter` comment were stripped. Put them back so the legacy block round-trips cleanly against main. * refactor(ruler): return 201 Created on POST /api/v1/downtime_schedules Match the REST convention already applied to POST /api/v2/rules: successful creates respond with 201 Created. Response body remains empty (nil); the generated frontend client surface is unchanged since no response type was declared. A richer "return the created resource" response body is a separate follow-up — holding off until the ruletypes naming cleanup lands. * fix(ruler): signal Healthy only after manager.Start closes m.block The ruler provider didn't implement factory.Healthy, so the registry fell back to factory.closedC and marked the service StateRunning the instant its Start goroutine spawned — before rules.Manager.Start had closed m.block. /api/v2/healthz therefore returned 200 while rule evaluation was still gated, and integration tests that POSTed a rule immediately after the readiness check saw their task goroutines stuck on <-m.block until the next frequency tick. Add a healthyC channel and close it inside Start only after manager.Start returns; implement factory.Healthy so the registry and /api/v2/healthz wait on the real readiness signal. * fix: add the withhealthy interface * fix(ruler): alias legacy RULES_EVAL_DELAY env var in backward-compat The eval_delay config was moved from query-service constants (read from RULES_EVAL_DELAY) onto ruler.Config (read via mapstructure from SIGNOZ_RULER_EVAL__DELAY). That silently broke the legacy env var for any existing deployment — notably the alerts integration-test fixture which sets RULES_EVAL_DELAY=0s to let rules evaluate against just- inserted data. The resulting default 2m delay pushed the query window far enough back that the fixture's rate spike fell outside it, causing 8 of 24 parametrize cases in 02_basic_alert_conditions.py to fail with "Expected N alerts to be fired but got 0 alerts". Add RULES_EVAL_DELAY to mergeAndEnsureBackwardCompatibility alongside the ~10 other aliased legacy env vars. Emits the standard deprecation warning and overrides config.Ruler.EvalDelay.	2026-04-18 08:25:16 +00:00
Pandey	ef298af388	feat(apiserver): derive HTTP route prefix from global.external_url (#10943) ... * feat(apiserver): derive HTTP route prefix from global.external_url The path component of global.external_url is now used as the base path for all HTTP routes (API and web frontend), enabling SigNoz to be served behind a reverse proxy at a sub-path (e.g. https://example.com/signoz/). The prefix is applied via http.StripPrefix at the outermost handler level, requiring zero changes to route registration code. Health endpoints (/api/v1/health, /api/v2/healthz, /api/v2/readyz, /api/v2/livez) remain accessible without the prefix for container healthchecks. Removes web.prefix config in favor of the unified global.external_url approach, avoiding the desync bugs seen in projects with separate API/UI prefix configs (ArgoCD, Prometheus). closes SigNoz/platform-pod#1775 * feat(web): template index.html with dynamic base href from global.external_url Read index.html at startup, parse as Go template with [[ ]] delimiters, execute with BasePath derived from global.external_url, and cache the rendered bytes in memory. This injects <base href="/signoz/" /> (or whatever the route prefix is) so the browser resolves relative URLs correctly when SigNoz is served at a sub-path. Inject global.Config into the routerweb provider via the factory closure pattern. Static files (JS, CSS, images) are still served from disk unchanged. * refactor(web): extract index.html templating into web.NewIndex Move the template parsing and execution logic from routerweb provider into pkg/web/template.go. NewIndex logs and returns raw bytes on template failure; NewIndexE returns the error for callers that need it. Rename BasePath to BaseHref to match the HTML attribute it populates. Inject global.Config into routerweb via the factory closure pattern. * refactor(global): rename RoutePrefix to ExternalPath, add ExternalPathTrailing Rename RoutePrefix() to ExternalPath() to accurately reflect what it returns: the path component of the external URL. Add ExternalPathTrailing() which returns the path with a trailing slash, used for HTML base href injection. * refactor(web): make index filename configurable via web.index Move the hardcoded indexFileName const from routerweb/provider.go to web.Config.Index with default "index.html". This allows overriding the SPA entrypoint file via configuration. * refactor(web): collapse testdata_basepath into testdata Use a single testdata directory with a templated index.html for all routerweb tests. Remove the redundant testdata_basepath directory. * test(web): add no-template and invalid-template index test cases Add three distinct index fixtures in testdata: - index.html: correct [[ ]] template with BaseHref - index_no_template.html: plain HTML, no placeholders - index_invalid_template.html: malformed template syntax Tests verify: template substitution works, plain files pass through unchanged, and invalid templates fall back to serving raw bytes. Consolidate test helpers into startServer/get. * refactor(web): rename test fixtures to no_template, valid_template, invalid_template Drop the index_ prefix from test fixtures. Use web instead of w for the variable name in test helpers. * test(web): add SPA fallback paths to no_template and invalid_template tests Test /, /does-not-exist, and /assets in all three template test cases to verify SPA fallback behavior (non-existent paths and directories serve the index) regardless of template type. * test(web): use exact match instead of contains in template tests Match the full expected response body in TestServeTemplatedIndex instead of using assert.Contains. * style(web): use raw string literals for expected test values * refactor(web): rename get test helper to httpGet * refactor(web): use table-driven tests with named path cases Replace for-loop path iteration with explicit table-driven test cases for each path. Each path (root, non-existent, directory) is a named subtest case in all three template tests. * chore: remove redundant comments from added code * style: add blank lines between logical blocks * fix(web): resolve lint errors in provider and template Fix errcheck on rw.Write in serveIndex, use ErrorContext instead of Error in NewIndex for sloglint compliance. Move serveIndex below ServeHTTP to order public methods before private ones. * style: formatting and test cleanup from review Restructure Validate nil check, rename expectErr to fail with early-return, trim trailing newlines in test assertions, remove t.Parallel from subtests, inline short config literals, restore struct field comments in web.Config. * fix: remove unused files * fix: remove unused files * perf(web): cache http.FileServer on provider instead of creating per-request * refactor(web): use html/template for context-aware escaping in index rendering --------- Co-authored-by: SagarRajput-7 <162284829+SagarRajput-7@users.noreply.github.com>	2026-04-18 06:47:17 +00:00
swapnil-signoz	dce496d099	refactor: cloud integration modules implementation (#10718) ... * feat: adding cloud integration type for refactor * refactor: store interfaces to use local types and error * feat: adding sql store implementation * refactor: removing interface check * feat: adding updated types for cloud integration * refactor: using struct for map * refactor: update cloud integration types and module interface * fix: correct GetService signature and remove shadowed Data field * feat: implement cloud integration store * refactor: adding comments and removed wrong code * refactor: streamlining types * refactor: add comments for backward compatibility in PostableAgentCheckInRequest * refactor: update Dashboard struct comments and remove unused fields * refactor: split upsert store method * feat: adding integration test * refactor: clean up types * refactor: renaming service type to service id * refactor: using serviceID type * feat: adding method for service id creation * refactor: updating store methods * refactor: clean up * refactor: clean up * refactor: review comments * refactor: clean up * feat: adding handlers * fix: lint and ci issues * fix: lint issues * fix: update error code for service not found * feat: adding handler skeleton * chore: removing todo comment * feat: adding frontend openapi schema * feat: adding module implementation for create account * fix: returning valid error instead of panic * fix: module test * refactor: simplify ingestion key retrieval logic * feat: adding module implementation for AWS * refactor: ci lint changes * refactor: python formatting change * fix: new storable account func was unsetting provider account id * refactor: python lint changes * refactor: adding validation on update account request * refactor: reverting older tests and adding new tests * chore: lint changes * feat: using service account for API key * refactor: renaming tests and cleanup * refactor: removing dashboard overview images * feat: adding service definition store * chore: adding TODO comments * feat: adding API for getting connection credentials * feat: adding openapi spec for the endpoint * feat: adding tests for credential API * feat: adding cloud integration config * refactor: updating test with new env variable for config * refactor: moving few cloud provider interface methods to types * refactor: review comments resolution * refactor: lint changes * refactor: code clean up * refactor: removing email domain function * refactor: review comments and clean up * refactor: lint fixes * refactor: review changes - Added get connected account module method - Fixed integration tests - Removed cloud integration store as callback function's param * refactor: changing wrong dashboard id for EKS definition	2026-04-13 15:16:26 +00:00
Pandey	621127b7fb	feat(audit): wire auditor into DI graph and service lifecycle (#10891) ... * feat(audit): wire auditor into DI graph and service lifecycle Register the auditor in the factory service registry so it participates in application lifecycle (start/stop/health). Community uses noopauditor, enterprise uses otlphttpauditor with licensing gate. Pass the auditor instance to the audit middleware instead of nil. * feat(audit): use NamedMap provider pattern with config-driven selection Switch from single-factory callback to NamedMap + factory.NewProviderFromNamedMap so the config's Provider field selects the auditor implementation. Add NewAuditorProviderFactories() with noop as the community default. Enterprise extends the map with otlphttpauditor. Add auditor section to conf/example.yaml and set default provider to "noop" in config. * chore: move auditor config to end of example.yaml	2026-04-09 11:44:05 +00:00
Vikrant Gupta	d19592ce7b	chore(authz): bump up openfga version (#10767) ... * chore(authz): bump up openfga version * chore(authz): fix tests * chore(authz): bump up openfga version * chore(authz): remove ee references	2026-03-30 20:44:11 +00:00
Pandey	95ed125bd9	feat(instrumentation): add OTel exception semantic convention log handler (#10665) ... * feat(instrumentation): add OTel exception semantic convention log handler Add a loghandler.Wrapper that enriches error log records with OpenTelemetry exception semantic convention attributes (exception.type, exception.code, exception.message, exception.stacktrace). - Add errors.Attr() helper for standardized error logging under "exception" key - Add exception log handler that replaces raw error attrs with structured group - Wire exception handler into the instrumentation SDK logger chain - Remove LogValue() from errors.base as the handler now owns structuring * refactor: replace "error", err with errors.Attr(err) across codebase Migrate all slog error logging from ad-hoc "error", err key-value pairs to the standardized errors.Attr(err) helper, enabling the exception log handler to enrich these logs with OTel semantic convention attributes. * refactor: enforce attr-only slog style across codebase Change sloglint from kv-only to attr-only, requiring all slog calls to use typed attributes (slog.String, slog.Any, etc.) instead of key-value pairs. Convert all existing kv-style slog calls in non-excluded paths. * refactor: tighten slog.Any to specific types and standardize error attrs - Replace slog.Any with slog.String for string values (action, key, where_clause) - Replace slog.Any with slog.Uint64 for uint64 values (start, end, step, etc.) - Replace slog.Any("err", err) with errors.Attr(err) in dispatcher and segment analytics - Replace slog.Any("error", ctx.Err()) with errors.Attr in factory registry * fix(instrumentation): use Unwrapb message for exception.message Use the explicit error message (m) from Unwrapb instead of foundErr.Error(), which resolves to the inner cause's message for wrapped errors. * feat(errors): capture stacktrace at error creation time Store program counters ([]uintptr) in base errors at creation time using runtime.Callers, inspired by thanos-io/thanos/pkg/errors. The exception log handler reads the stacktrace from the error instead of capturing at log time, showing where the error originated. * fix(instrumentation): apply default log wrappers uniformly in NewLogger Move correlation, filtering, and exception wrappers into NewLogger so all call sites (including CLI loggers in cmd/) get them automatically. * refactor(instrumentation): remove variadic wrappers from NewLogger NewLogger no longer accepts arbitrary wrappers. The core wrappers (correlation, filtering, exception) are hardcoded, preventing callers from accidentally duplicating behavior. * refactor: migrate remaining "error", <var> to errors.Attr across legacy paths Replace all remaining "error", <variable> key-value pairs with errors.Attr(<variable>) in pkg/query-service/ and ee/query-service/ paths that were missed in the initial migration due to non-standard variable names (res.Err, filterErr, apiErrorObj.Err, etc). * refactor(instrumentation): use flat exception.* keys instead of nested group Use flat keys (exception.type, exception.code, exception.message, exception.stacktrace) instead of a nested slog.Group in the exception log handler.	2026-03-22 04:06:31 +00:00
Pandey	cc6f2170a5	refactor: remove DeprecatedFlags CLI flag backward compatibility (#10659) ... Remove the DeprecatedFlags struct and all associated CLI flags (--max-idle-conns, --max-open-conns, --dial-timeout, --flux-interval, --flux-interval-for-trace-detail, --prefer-span-metrics, --cluster, --gateway-url) that were superseded by environment variable-based configuration. Deprecated environment variable handling is retained. Closes #6805	2026-03-19 19:43:37 +00:00
Pandey	4ffab5f580	feat: add --config flag for YAML configuration files (#10649)	2026-03-19 19:09:15 +00:00
Pandey	f8c38df2bf	refactor: replace zap logger with slog across codebase (#10599) ... * refactor: replace zap logger with slog across codebase * refactor: fix lint * refactor: fix lint	2026-03-16 12:09:39 +00:00
Naman Verma	51967c527f	Upgrade prometheus/common and prometheus/prometheus to latest available version (#10467) ... * chore: upgrade prometheus/common to latest available version * chore: upgrade prometheus/prometheus to latest available version * chore: easy changes first * chore: slightly unsure changes * fix: correct imported version of semconv in sdk.go * test: ut fix, just matched expected and actual nothing else * test: ut fix, just matched expected and actual nothing else * test: ut fix, just matched expected and actual nothing else * test: ut fix, just matched expected and actual nothing else * test: ut fix, pass no nil prometheus registry * chore: upgrade go version in dockerfile to 1.25 * chore: no need for our own alert store callback * chore: 1.25 bullseye is still an rc so shifting to bookworm * fix: parallel calls for each query in readmultiple method * chore: remove unused var * Sync PagerDuty frontend defaults with Alertmanager v0.31 Applied via @cursor push command * chore: make ctx the first param --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>	2026-03-10 05:09:05 +00:00
Karan Balani	6f8da2edeb	feat: deprecate user invite table and add user status lifecycle (#10445) ... * feat: deprecate user invite table * fix: handle soft deleted users flow * fix: handle edge cases for authentication and reset password flow * feat: integration tests with fixes for new flow * fix: array for grants * fix: edge cases for reset token and context api * chore: remove all code related to old invite flow * fix: openapi specs * fix: integration tests and minor naming change * fix: integration tests fmtlint * feat: improve invitation email template * fix: role tests * fix: context api * fix: openapi frontend * chore: rename countbyorgid to activecountbyorgid * fix: a deleted user cannot recycled, creating a new one * feat: migrate existing invites to user as pending invite status * fix: error from GetUsersByEmailAndOrgID * feat: add backward compatibility to existing apis using new invite flow * chore: change ordering of apis in server * chore: change ordering of apis in server * fix: filter active users in role and org id check * fix: check deleted user in reset password flow * chore: address some review comments, add back countbyorgid method * chore: move to bulk inserts for migrating existing invites * fix: wrap funcs to transactions, and fix openapi specs * fix: move reset link method to types, also move authz grants outside transation * fix: transaction issues * feat: helper method ErrIfDeleted for user * fix: error code for errifdeleted in user * fix: soft delete store method * fix: password authn tests also add old invite flow test * fix: callbackauthn tests * fix: remove extra oidc tests * fix: callback authn tests oidc * chore: address review comments and optimise bulk invite api * fix: use db ctx in various places * fix: fix duplicate email invite issue and add partial invite * fix: openapi specs * fix: errifpending * fix: user status persistence * fix: edge cases * chore: add tests for partial index too * feat: use composite unique index on users table instead of partial one * chore: move duplicate email check to unmarshaljson and query user again in accept invite * fix: make 068 migratin idempotent * chore: remove unused emails var * chore: add a temp filter to show only active users in frontend until next frontend fix * chore: remove one check from register flow testing until temp code is removed * chore: remove commented code from tests * chore: address frontend review comments * chore: address frontend review comments	2026-03-09 18:16:04 +00:00
Pandey	92b07d15ea	chore: register querier routes in apiserver (#10370)	2026-02-20 07:08:48 +00:00
Vikrant Gupta	4ad0baa2a2	feat(authz): add support for wildcard selector (#10208) ... * feat(authz): remove unnecessary dependency injection for role setter * feat(authz): deprecate role module * feat(authz): deprecate role module * feat(authz): split between server and sql actions * feat(authz): add bootstrap for managed role transactions * feat(authz): update and add integration tests * feat(authz): match names for factory and migration * feat(authz): fix integration tests * feat(authz): reduce calls on organisation creeation	2026-02-09 14:37:44 +05:30
Vikrant Gupta	1c815b130c	feat(authz): scafolding for rbac migration (#10121) ... * feat(authz): initial commit for migrating rbac to openfga * feat(authz): make the role updates idempotant * feat(authz): split role module into role and grant * feat(authz): some naming changes * feat(authz): integrate the grant module * feat(authz): add support for migrating existing user role * feat(authz): add support for migrating existing user role * feat(authz): figure out the * selector * feat(authz): merge main * feat(authz): merge main * feat(authz): address couple of todos * feat(authz): address couple of todos * feat(authz): fix tests and revert public dashboard change * feat(authz): fix tests and revert public dashboard change * feat(authz): add open api spec * feat(authz): add open api spec * feat(authz): add api key changes and missing migration * feat(authz): split role into getter and setter * feat(authz): add integration tests for authz register * feat(authz): add more tests for user invite and delete * feat(authz): update user tests * feat(authz): rename grant to granter * feat(authz): address review comments * feat(authz): address review comments * feat(authz): address review comments * feat(authz): add the migration for existing roles * feat(authz): go mod tidy * feat(authz): fix integration tests * feat(authz): handle community changes * feat(authz): handle community changes * feat(authz): role selectors for open claims * feat(authz): role selectors for open claims * feat(authz): prevent duplicate entries for changelog * feat(authz): scafolding for rbac migration * feat(authz): scafolding for rbac migration * feat(authz): scafolding for rbac migration * feat(authz): scafolding for rbac migration * feat(authz): scafolding for rbac migration	2026-01-27 21:24:36 +05:30
Pandey	3051d442c0	fix: move ee references out of cmd/community (#10063) ... - move ee references out of cmd/community - add check in commitci	2026-01-21 09:22:40 +05:30
Karan Balani	26d3d6b1e4	feat: gateway apis (#10010)	2026-01-20 15:46:46 +00:00
Jatinderjit Singh	c9cbc8d9ad	chore: ignore logs for context.Canceled errors (#9945)	2026-01-08 01:25:41 +05:30
Vikrant Gupta	0b890154b4	feat(dashboard): add public dashboard APIs to open-api spec (#9899) ... * feat(dashboard): add public dashboard APIs to open-api spec * feat(dashboard): split the ee and pkg modules * feat(dashboard): commit open api spec * feat(dashboard): fix signoz module test * feat(dashboard): add license checks * feat(dashboard): merge main * feat(dashboard): add anonymous scheme	2025-12-30 20:58:12 +05:30
Pandey	bb4d6117ac	test: add integration tests for preferences and add --with-web flag (#9821) ... * test: add integration test for preferences * test: add flag --with-web	2025-12-18 00:05:27 +05:30
Pandey	8771919de6	feat(gen): add cobra command for generating openapi spec (#9803) ... add cobra command for auto-generating openapi spec	2025-12-15 17:48:30 +05:30
Vikrant Gupta	7bd3e1c453	feat(authz): publicly shareable dashboards (#9584) ... * feat(authz): base setup for public shareable dashboards * feat(authz): add support for public masking * feat(authz): added public path for gettable public dashboard * feat(authz): checkpoint-1 for widget query to query range conversion * feat(authz): checkpoint-2 for widget query to query range conversion * feat(authz): fix widget index issue * feat(authz): better handling for dashboard json and query * feat(authz): use the default time range if timerange is disabled * feat(authz): use the default time range if timerange is disabled * feat(authz): add authz changes * feat(authz): integrate role with dashboard anonymous access * feat(authz): integrate the new middleware * feat(authz): integrate the new middleware * feat(authz): add back licensing * feat(authz): renaming selector callback * feat(authz): self review * feat(authz): self review * feat(authz): change to promql	2025-11-18 00:21:46 +05:30
swapnil-signoz	bbf987ebd7	fix: removing duplicate creation of user if user does not exist already (#9455) ... * fix: removing duplicate creation of user if user does not exist already * test: adding api test case * fix: updated test cases * fix: remove unnecessary logging and clean up connection params API * feat: add gateway fixture and integrate with signoz for connection parameters * feat: add cloudintegrations to the test job matrix in integrationci.yaml * fix: remove outdated comments from make_http_mocks fixture * fix: remove deprecated ZeusURL from build configurations	2025-11-03 16:45:08 +05:30
Vikrant Gupta	d539ca9bab	feat(sql): swap mattn/sqlite with modernc.org/sqlite (#9343) ... * feat(sql): swap mattn/sqlite with modernc.org/sqlite (#9325) * feat(sql): swap mattn/sqlite with modernc.org/sqlite * feat(sql): revert the dashboard testing changes * feat(sql): enable WAL mode for sqlite * feat(sql): revert enable WAL mode for sqlite * feat(sql): use sensible defaults for busy_timeout * feat(sql): add ldflags * feat(sql): enable WAL mode for sqlite * feat(sql): some fixes * feat(sql): some fixes * feat(sql): fix yarn lock and config defaults * feat(sql): update the defaults in example.conf * feat(sql): remove wal mode from integration tests	2025-10-21 18:45:48 +05:30
Vibhu Pandey	c122bc09b4	feat(tokenizer|sso): add tokenizer for session management and oidc sso support (#9183) ... ## 📄 Summary - Instead of relying on JWT for session management, we are adding another token system: opaque. This gives the benefits of expiration and revocation. - We are now ensuring that emails are regex checked throughout the backend. - Support has been added for OIDC protocol	2025-10-16 18:00:38 +05:30
Vikrant Gupta	bac8f8b211	Revert "feat(sql): swap mattn/sqlite with modernc.org/sqlite (#9325)" (#9338) ... This reverts commit c62d41edf0.	2025-10-14 15:01:51 +00:00
Vikrant Gupta	c62d41edf0	feat(sql): swap mattn/sqlite with modernc.org/sqlite (#9325) ... * feat(sql): swap mattn/sqlite with modernc.org/sqlite * feat(sql): revert the dashboard testing changes * feat(sql): enable WAL mode for sqlite * feat(sql): revert enable WAL mode for sqlite * feat(sql): use sensible defaults for busy_timeout * feat(sql): add ldflags	2025-10-14 15:28:19 +05:30
Vibhu Pandey	c83eaf3d50	chore: enable forbidigo and noerrors in depguard (#9047) ... * chore: enable forbidgo * chore: enable forbidgo	2025-09-09 15:44:27 +05:30
Vibhu Pandey	360e8309c8	feat(password): implement strong controls for password (#8983) ... ## 📄 Summary implement strong controls for password. Now the password requirement is : password must be at least 12 characters long, should contain at least one uppercase letter [A-Z], one lowercase letter [a-z], one number [0-9], and one symbol	2025-09-04 17:22:28 +05:30
Vikrant Gupta	f61e859901	feat(authz): embed openfga server (#8966) ... * feat(access-control): embed openfga in signoz * feat(authz): rename access control to authz * feat(authz): fix codeowners and go mod tidy * feat(authz): fix lint * feat(authz): update go version and move convertor to instrumentation * feat(authz): some more lint issues * feat(authz): some more lint issues * feat(authz): some more lint issues * feat(authz): fix more lint issues * feat(authz): make logger converter interface	2025-09-01 17:10:13 +05:30
Vibhu Pandey	a3c039006f	chore(goreleaser): fix main path (#8654) ... #### Chores - Fix main path in goreleaser	2025-07-29 13:31:08 +00:00
Vibhu Pandey	c17241272f	test(integration): add integration tests for logs (#8619)	2025-07-29 14:44:16 +05:30
Vibhu Pandey	ebb2f1fd63	feat(cmd): add cmd package (#8535)	2025-07-17 10:38:31 +00:00