feat: update message as typehint in JSON Column

* chore: upgrade prometheus/common to latest available version

* chore: upgrade prometheus/prometheus to latest available version

* chore: easy changes first

* chore: slightly unsure changes

* fix: correct imported version of semconv in sdk.go

* test: ut fix, just matched expected and actual nothing else

* test: ut fix, just matched expected and actual nothing else

* test: ut fix, just matched expected and actual nothing else

* test: ut fix, just matched expected and actual nothing else

* test: ut fix, pass no nil prometheus registry

* chore: upgrade go version in dockerfile to 1.25

* chore: no need for our own alert store callback

* chore: 1.25 bullseye is still an rc so shifting to bookworm

* fix: parallel calls for each query in readmultiple method

* chore: remove unused var

* Sync PagerDuty frontend defaults with Alertmanager v0.31

Applied via @cursor push command

* chore: make ctx the first param

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>

.github/workflows/jsci.yaml

@@ -13,23 +13,6 @@ on:
 
 jobs:
   tsc:
-    if: |
-      github.event_name == 'merge_group' ||
-      (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
-      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
-    runs-on: ubuntu-latest
-    steps:
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: setup node
-        uses: actions/setup-node@v5
-        with:
-          node-version: "22"
-      - name: install
-        run: cd frontend && yarn install
-      - name: tsc
-        run: cd frontend && yarn tsc
-  tsc2:
     if: |
       github.event_name == 'merge_group' ||
       (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||

cmd/enterprise/Dockerfile.integration

@@ -1,4 +1,4 @@
-FROM golang:1.24-bullseye
+FROM golang:1.25-bookworm
 
 ARG OS="linux"
 ARG TARGETARCH

cmd/enterprise/Dockerfile.with-web.integration

@@ -1,4 +1,4 @@
-FROM node:18-bullseye AS build
+FROM node:22-bookworm AS build
 
 WORKDIR /opt/
 COPY ./frontend/ ./
@@ -6,7 +6,7 @@ ENV NODE_OPTIONS=--max-old-space-size=8192
 RUN CI=1 yarn install
 RUN CI=1 yarn build
 
-FROM golang:1.24-bullseye
+FROM golang:1.25-bookworm
 
 ARG OS="linux"
 ARG TARGETARCH

docs/api/openapi.yml

@@ -2108,6 +2108,15 @@ components:
         token:
           type: string
       type: object
+    TypesPostableBulkInviteRequest:
+      properties:
+        invites:
+          items:
+            $ref: '#/components/schemas/TypesPostableInvite'
+          type: array
+      required:
+      - invites
+      type: object
     TypesPostableForgotPassword:
       properties:
         email:
@@ -2196,6 +2205,8 @@ components:
           type: string
         role:
           type: string
+        status:
+          type: string
         updatedAt:
           format: date-time
           type: string
@@ -3538,9 +3549,7 @@ paths:
         content:
           application/json:
             schema:
-              items:
-                $ref: '#/components/schemas/TypesPostableInvite'
-              type: array
+              $ref: '#/components/schemas/TypesPostableBulkInviteRequest'
       responses:
         "201":
           description: Created

docs/contributing/query-range.md

@@ -0,0 +1,216 @@
+# Query Range v5 — Design Principles & Architectural Contracts
+
+## Purpose of This Document
+
+This document defines the design principles, invariants, and architectural contracts of the Query Range v5 system. It is intended for the authors working on the querier and querier related parts codebase. Any change to the system must align with the principles described here. If a change would violate a principle, it must be flagged and discussed.
+
+---
+
+## Core Architectural Principle
+
+**The user speaks OpenTelemetry. The storage speaks ClickHouse. The system translates between them. These two worlds must never leak into each other.**
+
+Every design choice in Query Range flows from this separation. The user-facing API surface deals exclusively in `TelemetryFieldKey`: a representation of fields as they exist in the OpenTelemetry data model. The storage layer deals in ClickHouse column expressions, table names, and SQL fragments. The translation between them is mediated by a small set of composable abstractions with strict boundaries.
+
+---
+
+## The Central Type: `TelemetryFieldKey`
+
+`TelemetryFieldKey` is the atomic unit of the entire query system. Every filter, aggregation, group-by, order-by, and select operation is expressed in terms of field keys. Understanding its design contracts is non-negotiable.
+
+### Identity
+
+A field key is identified by three dimensions:
+
+- **Name** — the field name as the user knows it (`service.name`, `http.method`, `trace_id`)
+- **FieldContext** — where the field lives in the OTel model (`resource`, `attribute`, `span`, `log`, `body`, `scope`, `event`, `metric`)
+- **FieldDataType** — the data type (`string`, `bool`, `number`/`float64`/`int64`, array variants)
+
+### Invariant: Same name does not mean same field
+
+`status` as an attribute, `status` as a body JSON key, and `status` as a span-level field are **three different fields**. The context disambiguates. Code that resolves or compares field keys must always consider all three dimensions, never just the name.
+
+### Invariant: Normalization happens once, at the boundary
+
+`TelemetryFieldKey.Normalize()` is called during JSON unmarshaling. After normalization, the text representation `resource.service.name:string` and the programmatic construction `{Name: "service.name", FieldContext: Resource, FieldDataType: String}` are identical.
+
+**Consequence:** Downstream code must never re-parse or re-normalize field keys. If you find yourself splitting on `.` or `:` deep in the pipeline, something is wrong — the normalization should have already happened.
+
+### Invariant: The text format is `context.name:datatype`
+
+Parsing rules (implemented in `GetFieldKeyFromKeyText` and `Normalize`):
+
+1. Data type is extracted from the right, after the last `:`.
+2. Field context is extracted from the left, before the first `.`, if it matches a known context prefix.
+3. Everything remaining is the name.
+
+Special case: `log.body.X` normalizes to `{FieldContext: body, Name: X}` — the `log.body.` prefix collapses because body fields under log are a nested context.
+
+### Invariant: Historical aliases must be preserved
+
+The `fieldContexts` map includes aliases (`tag` -> `attribute`, `spanfield` -> `span`, `logfield` -> `log`). These exist because older database entries use these names. Removing or changing these aliases will break existing saved queries and dashboard configurations.
+
+---
+
+## The Abstraction Stack
+
+The query pipeline is built from four interfaces that compose vertically. Each layer has a single responsibility. Each layer depends only on the layers below it. This layering is intentional and must be preserved.
+
+```
+StatementBuilder          <- Orchestrates everything into executable SQL
+  ├── AggExprRewriter     <- Rewrites aggregation expressions (maps field refs to columns)
+  ├── ConditionBuilder    <- Builds WHERE predicates (field + operator + value -> SQL)
+  └── FieldMapper         <- Maps TelemetryFieldKey -> ClickHouse column expression
+```
+
+### FieldMapper
+
+**Contract:** Given a `TelemetryFieldKey`, return a ClickHouse column expression that yields the value for that field when used in a SELECT.
+
+**Principle:** This is the *only* place where field-to-column translation happens. No other layer should contain knowledge of how fields map to storage. If you need a column expression, go through the FieldMapper.
+
+**Why:** The user says `http.request.method`. ClickHouse might store it as `attributes_string['http.request.method']`, or as a materialized column `` `attribute_string_http$$request$$method` ``, or via a JSON access path in a body column. This variation is entirely contained within the FieldMapper. Everything above it is storage-agnostic.
+
+### ConditionBuilder
+
+**Contract:** Given a field key, an operator, and a value, produce a valid SQL predicate for a WHERE clause.
+
+**Dependency:** Uses FieldMapper for the left-hand side of the condition.
+
+**Principle:** The ConditionBuilder owns all the complexity of operator semantics, i.e type casting, array operators (`hasAny`/`hasAll` vs `=`), existence checks, and negative operator behavior. This complexity must not leak upward into the StatementBuilder.
+
+### AggExprRewriter
+
+**Contract:** Given a user-facing aggregation expression like `sum(duration_nano)`, resolve field references within it and produce valid ClickHouse SQL.
+
+**Dependency:** Uses FieldMapper to resolve field names within expressions.
+
+**Principle:** Aggregation expressions are user-authored strings that contain field references. The rewriter parses them, identifies field references, resolves each through the FieldMapper, and reassembles the expression.
+
+### StatementBuilder
+
+**Contract:** Given a complete `QueryBuilderQuery`, a time range, and a request type, produces an executable SQL statement.
+
+**Dependency:** Uses all three abstractions above.
+
+**Principle:** This is the composition layer. It does not contain field mapping logic, condition building logic, or expression rewriting logic. It orchestrates the other abstractions. If you find storage-specific logic creeping into the StatementBuilder, push it down into the appropriate abstraction.
+
+### Invariant: No layer skipping
+
+The StatementBuilder must not call FieldMapper directly to build conditions, it goes through the ConditionBuilder. The AggExprRewriter must not hardcode column names, it goes through the FieldMapper. Skipping layers creates hidden coupling and makes the system fragile to storage changes.
+
+---
+
+## Design Decisions as Constraints
+
+### Constraint: Formula evaluation happens in Go, not in ClickHouse
+
+Formulas (`A + B`, `A / B`, `sqrt(A*A + B*B)`) are evaluated application-side by `FormulaEvaluator`, not via ClickHouse JOINs.
+
+**Why this is a constraint, not just an implementation choice:** The original JOIN-based approach was abandoned because ClickHouse evaluates joins right-to-left, serializing execution unnecessarily. Running queries independently allows parallelism and caching of intermediate results. Any future optimization must not reintroduce the JOIN pattern without solving the serialization problem.
+
+**Consequence:** Individual query results must be independently cacheable. Formula evaluation must handle label matching, timestamp alignment, and missing values without requiring the queries to coordinate at the SQL level.
+
+### Constraint: Zero-defaulting is aggregation-dependent
+
+Only additive/counting aggregations (`count`, `count_distinct`, `sum`, `rate`) default missing values to zero. Statistical aggregations (`avg`, `min`, `max`, percentiles) must show gaps.
+
+**Why:** Absence of data has different meanings. No error requests in a time bucket means error count = 0. No requests at all means average latency is *unknown*, not 0. Conflating these is a correctness bug, not a display preference.
+
+**Enforcement:** `GetQueriesSupportingZeroDefault` determines which queries can default to zero. The `FormulaEvaluator` consumes this via `canDefaultZero`. Changes to aggregation handling must preserve this distinction.
+
+### Constraint: Existence semantics differ for positive vs negative operators
+
+- **Positive operators** (`=`, `>`, `LIKE`, `IN`, etc.) implicitly assert field existence. `http.method = GET` means "the field exists AND equals GET".
+- **Negative operators** (`!=`, `NOT IN`, `NOT LIKE`, etc.) do **not** add an existence check. `http.method != GET` includes records where the field doesn't exist at all.
+
+**Why:** The user's intent with negative operators is ambiguous. Rather than guess, we take the broader interpretation. Users can add an explicit `EXISTS` filter if they want the narrower one. This is documented in `AddDefaultExistsFilter`.
+
+**Consequence:** Any new operator must declare its existence behavior in `AddDefaultExistsFilter`. Do not add operators without considering this.
+
+### Constraint: Post-processing functions operate on result sets, not in SQL
+
+Functions like `cutOffMin`, `ewma`, `median`, `timeShift`, `fillZero`, `runningDiff`, and `cumulativeSum` are applied in Go on the returned time series, not pushed into ClickHouse SQL.
+
+**Why:** These are sequential time-series transformations that require complete, ordered result sets. Pushing them into SQL would complicate query generation, prevent caching of raw results, and make the functions harder to test. They are applied via `ApplyFunctions` after query execution.
+
+**Consequence:** New time-series transformation functions should follow this pattern i.e implement them as Go functions on `*TimeSeries`, not as SQL modifications.
+
+### Constraint: The API surface rejects unknown fields with suggestions
+
+All request types use custom `UnmarshalJSON` that calls `DisallowUnknownFields`. Unknown fields trigger error messages with Levenshtein-based suggestions ("did you mean: 'groupBy'?").
+
+**Why:** Silent acceptance of unknown fields causes subtle bugs. A misspelled `groupBy` results in ungrouped data with no indication of what went wrong. Failing fast with suggestions turns errors into actionable feedback.
+
+**Consequence:** Any new request type or query spec struct must implement custom unmarshaling with `UnmarshalJSONWithContext`. Do not use default `json.Unmarshal` for user-facing types.
+
+### Constraint: Validation is context-sensitive to request type
+
+What's valid depends on the `RequestType`. For aggregation requests (`time_series`, `scalar`, `distribution`), fields like `groupBy`, `aggregations`, `having`, and aggregation-referenced `orderBy` are validated. For non-aggregation requests (`raw`, `raw_stream`, `trace`), these fields are ignored.
+
+**Why:** A raw log query doesn't have aggregations, so requiring `aggregations` would be wrong. But a time-series query without aggregations is meaningless. The validation rules are request-type-aware to avoid both false positives and false negatives.
+
+**Consequence:** When adding new fields to query specs, consider which request types they apply to and gate validation accordingly.
+
+---
+
+## The Composite Query Model
+
+### Structure
+
+A `QueryRangeRequest` contains a `CompositeQuery` which holds `[]QueryEnvelope`. Each envelope is a discriminated union: a `Type` field determines how `Spec` is decoded.
+
+### Invariant: Query names are unique within a composite query
+
+Builder queries must have unique names. Formulas reference queries by name (`A`, `B`, `A.0`, `A.my_alias`). Duplicate names would make formula evaluation ambiguous.
+
+### Invariant: Multi-aggregation uses indexed or aliased references
+
+A single builder query can have multiple aggregations. They are accessed in formulas via:
+- Index: `A.0`, `A.1` (zero-based)
+- Alias: `A.total`, `A.error_count`
+
+The default (just `A`) resolves to index 0. This is the formula evaluation contract and must be preserved.
+
+### Invariant: Type-specific decoding through signal detection
+
+Builder queries are decoded by first peeking at the `signal` field in the raw JSON, then unmarshaling into the appropriate generic type (`QueryBuilderQuery[TraceAggregation]`, `QueryBuilderQuery[LogAggregation]`, `QueryBuilderQuery[MetricAggregation]`). This two-pass decoding is intentional — it allows each signal to have its own aggregation schema while sharing the query structure.
+
+---
+
+## The Metadata Layer
+
+### MetadataStore
+
+The `MetadataStore` interface provides runtime field discovery and type resolution. It answers questions like "what fields exist for this signal?" and "what are the data types of field X?".
+
+### Principle: Fields can be ambiguous until resolved
+
+The same name can map to multiple `TelemetryFieldKey` variants (different contexts, different types). The metadata store returns *all* variants. Resolution to a single field happens during query building, using the query's signal and any explicit context/type hints from the user.
+
+**Consequence:** Code that calls `GetKey` or `GetKeys` must handle multiple results. Do not assume a name maps to a single field.
+
+### Principle: Materialized fields are a performance optimization, not a semantic distinction
+
+A materialized field and its non-materialized equivalent represent the same logical field. The `Materialized` flag tells the FieldMapper to generate a simpler column expression. The user should never need to know whether a field is materialized.
+
+### Principle: JSON body fields require access plans
+
+Fields inside JSON body columns (`body.response.errors[].code`) need pre-computed `JSONAccessPlan` trees that encode the traversal path, including branching at array boundaries between `Array(JSON)` and `Array(Dynamic)` representations. These plans are computed during metadata resolution, not during query execution.
+
+---
+
+## Summary of Inviolable Rules
+
+1. **User-facing types never contain ClickHouse column names or SQL fragments.**
+2. **Field-to-column translation only happens in FieldMapper.**
+3. **Normalization happens once at the API boundary, never deeper.**
+4. **Historical aliases in fieldContexts and fieldDataTypes must not be removed.**
+5. **Formula evaluation stays in Go — do not push it into ClickHouse JOINs.**
+6. **Zero-defaulting is aggregation-type-dependent — do not universally default to zero.**
+7. **Positive operators imply existence, negative operators do not.**
+8. **Post-processing functions operate on Go result sets, not in SQL.**
+9. **All user-facing types reject unknown JSON fields with suggestions.**
+10. **Validation rules are gated by request type.**
+11. **Query names must be unique within a composite query.**
+12. **The four-layer abstraction stack (FieldMapper -> ConditionBuilder -> AggExprRewriter -> StatementBuilder) must not be bypassed or flattened.**

ee/authz/openfgaauthz/provider.go

@@ -176,6 +176,7 @@ func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource
 		typeables = append(typeables, register.MustGetTypeables()...)
 	}
 
+	typeables = append(typeables, provider.MustGetTypeables()...)
 	resources := make([]*authtypes.Resource, 0)
 	for _, typeable := range typeables {
 		resources = append(resources, &authtypes.Resource{Name: typeable.Name(), Type: typeable.Type()})

ee/query-service/app/api/cloudIntegrations.go

@@ -170,7 +170,7 @@ func (ah *APIHandler) getOrCreateCloudIntegrationUser(
 	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
 	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))
 
-	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId))
+	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId), types.UserStatusActive)
 	if err != nil {
 		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
 	}

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -2525,6 +2525,13 @@ export interface TypesPostableAcceptInviteDTO {
 	token?: string;
 }
 
+export interface TypesPostableBulkInviteRequestDTO {
+	/**
+	 * @type array
+	 */
+	invites: TypesPostableInviteDTO[];
+}
+
 export interface TypesPostableForgotPasswordDTO {
 	/**
 	 * @type string
@@ -2665,6 +2672,10 @@ export interface TypesUserDTO {
 	 * @type string
 	 */
 	role?: string;
+	/**
+	 * @type string
+	 */
+	status?: string;
 	/**
 	 * @type string
 	 * @format date-time

frontend/src/api/generated/services/users/index.ts

@@ -41,6 +41,7 @@ import type {
 	TypesChangePasswordRequestDTO,
 	TypesPostableAcceptInviteDTO,
 	TypesPostableAPIKeyDTO,
+	TypesPostableBulkInviteRequestDTO,
 	TypesPostableForgotPasswordDTO,
 	TypesPostableInviteDTO,
 	TypesPostableResetPasswordDTO,
@@ -671,14 +672,14 @@ export const useAcceptInvite = <
  * @summary Create bulk invite
  */
 export const createBulkInvite = (
-	typesPostableInviteDTO: BodyType<TypesPostableInviteDTO[]>,
+	typesPostableBulkInviteRequestDTO: BodyType<TypesPostableBulkInviteRequestDTO>,
 	signal?: AbortSignal,
 ) => {
 	return GeneratedAPIInstance<void>({
 		url: `/api/v1/invite/bulk`,
 		method: 'POST',
 		headers: { 'Content-Type': 'application/json' },
-		data: typesPostableInviteDTO,
+		data: typesPostableBulkInviteRequestDTO,
 		signal,
 	});
 };
@@ -690,13 +691,13 @@ export const getCreateBulkInviteMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createBulkInvite>>,
 		TError,
-		{ data: BodyType<TypesPostableInviteDTO[]> },
+		{ data: BodyType<TypesPostableBulkInviteRequestDTO> },
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof createBulkInvite>>,
 	TError,
-	{ data: BodyType<TypesPostableInviteDTO[]> },
+	{ data: BodyType<TypesPostableBulkInviteRequestDTO> },
 	TContext
 > => {
 	const mutationKey = ['createBulkInvite'];
@@ -710,7 +711,7 @@ export const getCreateBulkInviteMutationOptions = <
 
 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof createBulkInvite>>,
-		{ data: BodyType<TypesPostableInviteDTO[]> }
+		{ data: BodyType<TypesPostableBulkInviteRequestDTO> }
 	> = (props) => {
 		const { data } = props ?? {};
 
@@ -723,7 +724,7 @@ export const getCreateBulkInviteMutationOptions = <
 export type CreateBulkInviteMutationResult = NonNullable<
 	Awaited<ReturnType<typeof createBulkInvite>>
 >;
-export type CreateBulkInviteMutationBody = BodyType<TypesPostableInviteDTO[]>;
+export type CreateBulkInviteMutationBody = BodyType<TypesPostableBulkInviteRequestDTO>;
 export type CreateBulkInviteMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
@@ -736,13 +737,13 @@ export const useCreateBulkInvite = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createBulkInvite>>,
 		TError,
-		{ data: BodyType<TypesPostableInviteDTO[]> },
+		{ data: BodyType<TypesPostableBulkInviteRequestDTO> },
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof createBulkInvite>>,
 	TError,
-	{ data: BodyType<TypesPostableInviteDTO[]> },
+	{ data: BodyType<TypesPostableBulkInviteRequestDTO> },
 	TContext
 > => {
 	const mutationOptions = getCreateBulkInviteMutationOptions(options);

frontend/src/constants/queryCacheTime.ts

@@ -0,0 +1,3 @@
+export const DASHBOARD_CACHE_TIME = 30_000;
+// keep it low or zero, otherwise, when enabled auto-refresh, this causes OOM due to accumulated queries in cache
+export const DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED = 0;

frontend/src/constants/reactQueryKeys.ts

@@ -96,4 +96,7 @@ export const REACT_QUERY_KEY = {
 
 	// Span Percentiles Query Keys
 	GET_SPAN_PERCENTILES: 'GET_SPAN_PERCENTILES',
+
+	// Dashboard Grid Card Query Keys
+	DASHBOARD_GRID_CARD_QUERY_RANGE: 'DASHBOARD_GRID_CARD_QUERY_RANGE',
 } as const;

frontend/src/container/CreateAlertChannels/defaults.ts

@@ -16,8 +16,8 @@ export const PagerInitialConfig: Partial<PagerChannel> = {
 	client: 'SigNoz Alert Manager',
 	client_url: 'https://enter-signoz-host-n-port-here/alerts',
 	details: JSON.stringify({
-		firing: `{{ template "pagerduty.default.instances" .Alerts.Firing }}`,
-		resolved: `{{ template "pagerduty.default.instances" .Alerts.Resolved }}`,
+		firing: `{{ .Alerts.Firing | toJson }}`,
+		resolved: `{{ .Alerts.Resolved | toJson }}`,
 		num_firing: '{{ .Alerts.Firing | len }}',
 		num_resolved: '{{ .Alerts.Resolved | len }}',
 	}),

frontend/src/container/DashboardContainer/DashboardVariablesSelection/DynamicVariableInput.tsx

@@ -13,6 +13,10 @@ import { FieldValueResponse } from 'types/api/dynamicVariables/getFieldValues';
 import { GlobalReducer } from 'types/reducer/globalTime';
 import { isRetryableError as checkIfRetryableError } from 'utils/errorUtils';
 
+import {
+	DASHBOARD_CACHE_TIME,
+	DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
+} from '../../../constants/queryCacheTime';
 import SelectVariableInput from './SelectVariableInput';
 import { useDashboardVariableSelectHelper } from './useDashboardVariableSelectHelper';
 import {
@@ -101,9 +105,10 @@ function DynamicVariableInput({
 		return dynamicVars || 'no_dynamic_variables';
 	}, [existingVariables]);
 
-	const { maxTime, minTime } = useSelector<AppState, GlobalReducer>(
-		(state) => state.globalTime,
-	);
+	const { maxTime, minTime, isAutoRefreshDisabled } = useSelector<
+		AppState,
+		GlobalReducer
+	>((state) => state.globalTime);
 
 	const {
 		variableFetchCycleId,
@@ -232,6 +237,9 @@ function DynamicVariableInput({
 				!!variableData.dynamicVariablesSource &&
 				!!variableData.dynamicVariablesAttribute &&
 				(isVariableFetching || (isVariableSettled && hasVariableFetchedOnce)),
+			cacheTime: isAutoRefreshDisabled
+				? DASHBOARD_CACHE_TIME
+				: DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
 			queryFn: ({ signal }) =>
 				getFieldValues(
 					variableData.dynamicVariablesSource?.toLowerCase() === 'all telemetry'

frontend/src/container/DashboardContainer/DashboardVariablesSelection/QueryVariableInput.tsx

@@ -11,6 +11,10 @@ import { AppState } from 'store/reducers';
 import { VariableResponseProps } from 'types/api/dashboard/variables/query';
 import { GlobalReducer } from 'types/reducer/globalTime';
 
+import {
+	DASHBOARD_CACHE_TIME,
+	DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
+} from '../../../constants/queryCacheTime';
 import { variablePropsToPayloadVariables } from '../utils';
 import SelectVariableInput from './SelectVariableInput';
 import { useDashboardVariableSelectHelper } from './useDashboardVariableSelectHelper';
@@ -33,9 +37,10 @@ function QueryVariableInput({
 	);
 	const [errorMessage, setErrorMessage] = useState<null | string>(null);
 
-	const { maxTime, minTime } = useSelector<AppState, GlobalReducer>(
-		(state) => state.globalTime,
-	);
+	const { maxTime, minTime, isAutoRefreshDisabled } = useSelector<
+		AppState,
+		GlobalReducer
+	>((state) => state.globalTime);
 
 	const {
 		variableFetchCycleId,
@@ -197,6 +202,9 @@ function QueryVariableInput({
 					signal,
 				),
 			refetchOnWindowFocus: false,
+			cacheTime: isAutoRefreshDisabled
+				? DASHBOARD_CACHE_TIME
+				: DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
 			onSuccess: (response) => {
 				getOptions(response.payload);
 				settleVariableFetch(variableData.name, 'complete');

frontend/src/container/GridCardLayout/GridCard/index.tsx

@@ -25,6 +25,11 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 import { getGraphType } from 'utils/getGraphType';
 import { getSortedSeriesData } from 'utils/getSortedSeriesData';
 
+import {
+	DASHBOARD_CACHE_TIME,
+	DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
+} from '../../../constants/queryCacheTime';
+import { REACT_QUERY_KEY } from '../../../constants/reactQueryKeys';
 import EmptyWidget from '../EmptyWidget';
 import { MenuItemKeys } from '../WidgetHeader/contants';
 import { GridCardGraphProps } from './types';
@@ -68,10 +73,12 @@ function GridCardGraph({
 		setDashboardQueryRangeCalled,
 	} = useDashboard();
 
-	const { minTime, maxTime, selectedTime: globalSelectedInterval } = useSelector<
-		AppState,
-		GlobalReducer
-	>((state) => state.globalTime);
+	const {
+		minTime,
+		maxTime,
+		selectedTime: globalSelectedInterval,
+		isAutoRefreshDisabled,
+	} = useSelector<AppState, GlobalReducer>((state) => state.globalTime);
 
 	const handleBackNavigation = (): void => {
 		const searchParams = new URLSearchParams(window.location.search);
@@ -210,8 +217,10 @@ function GridCardGraph({
 		version || DEFAULT_ENTITY_VERSION,
 		{
 			queryKey: [
+				REACT_QUERY_KEY.DASHBOARD_GRID_CARD_QUERY_RANGE,
 				maxTime,
 				minTime,
+				isAutoRefreshDisabled,
 				globalSelectedInterval,
 				widget?.query,
 				widget?.panelTypes,
@@ -241,6 +250,9 @@ function GridCardGraph({
 				return failureCount < 2;
 			},
 			keepPreviousData: true,
+			cacheTime: isAutoRefreshDisabled
+				? DASHBOARD_CACHE_TIME
+				: DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
 			enabled: queryEnabledCondition,
 			refetchOnMount: false,
 			onError: (error) => {

frontend/src/hooks/useAuthZ/permissions.type.ts

@@ -11,8 +11,17 @@ export default {
 				name: 'dashboards',
 				type: 'metaresources',
 			},
+			{
+				name: 'role',
+				type: 'role',
+			},
+			{
+				name: 'roles',
+				type: 'metaresources',
+			},
 		],
 		relations: {
+			assignee: ['role'],
 			create: ['metaresources'],
 			delete: ['user', 'role', 'organization', 'metaresource'],
 			list: ['metaresources'],

frontend/src/mocks-server/__mockdata__/alerts.ts

@@ -32,8 +32,8 @@ export const editSlackDescriptionDefaultValue = `{{ range .Alerts -}} *Alert:* {
 export const pagerDutyDescriptionDefaultVaule = `{{ if gt (len .Alerts.Firing) 0 -}} Alerts Firing: {{ range .Alerts.Firing }} - Message: {{ .Annotations.description }} Labels: {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }} {{ end }} Annotations: {{ range .Annotations.SortedPairs }} - {{ .Name }} = {{ .Value }} {{ end }} Source: {{ .GeneratorURL }} {{ end }} {{- end }} {{ if gt (len .Alerts.Resolved) 0 -}} Alerts Resolved: {{ range .Alerts.Resolved }} - Message: {{ .Annotations.description }} Labels: {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }} {{ end }} Annotations: {{ range .Annotations.SortedPairs }} - {{ .Name }} = {{ .Value }} {{ end }} Source: {{ .GeneratorURL }} {{ end }} {{- end }}`;
 
 export const pagerDutyAdditionalDetailsDefaultValue = JSON.stringify({
-	firing: `{{ template "pagerduty.default.instances" .Alerts.Firing }}`,
-	resolved: `{{ template "pagerduty.default.instances" .Alerts.Resolved }}`,
+	firing: `{{ .Alerts.Firing | toJson }}`,
+	resolved: `{{ .Alerts.Resolved | toJson }}`,
 	num_firing: '{{ .Alerts.Firing | len }}',
 	num_resolved: '{{ .Alerts.Resolved | len }}',
 });

frontend/src/providers/Dashboard/Dashboard.tsx

@@ -46,6 +46,10 @@ import APIError from 'types/api/error';
 import { GlobalReducer } from 'types/reducer/globalTime';
 import { v4 as generateUUID } from 'uuid';
 
+import {
+	DASHBOARD_CACHE_TIME,
+	DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
+} from '../../constants/queryCacheTime';
 import { useDashboardVariablesSelector } from '../../hooks/dashboard/useDashboardVariables';
 import {
 	setDashboardVariablesStore,
@@ -272,7 +276,12 @@ export function DashboardProvider({
 		return data;
 	};
 	const dashboardResponse = useQuery(
-		[REACT_QUERY_KEY.DASHBOARD_BY_ID, isDashboardPage?.params, dashboardId],
+		[
+			REACT_QUERY_KEY.DASHBOARD_BY_ID,
+			isDashboardPage?.params,
+			dashboardId,
+			globalTime.isAutoRefreshDisabled,
+		],
 		{
 			enabled: (!!isDashboardPage || !!isDashboardWidgetPage) && isLoggedIn,
 			queryFn: async () => {
@@ -289,6 +298,9 @@ export function DashboardProvider({
 				}
 			},
 			refetchOnWindowFocus: false,
+			cacheTime: globalTime.isAutoRefreshDisabled
+				? DASHBOARD_CACHE_TIME
+				: DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
 			onError: (error) => {
 				showErrorModal(error as APIError);
 			},

frontend/src/providers/Dashboard/__tests__/Dashboard.test.tsx

@@ -1,7 +1,10 @@
 import { QueryClient, QueryClientProvider } from 'react-query';
+// eslint-disable-next-line no-restricted-imports
+import { useSelector } from 'react-redux';
 import { MemoryRouter } from 'react-router-dom';
 import { render, screen, waitFor } from '@testing-library/react';
 import getDashboard from 'api/v1/dashboards/id/get';
+import { DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED } from 'constants/queryCacheTime';
 import { REACT_QUERY_KEY } from 'constants/reactQueryKeys';
 import ROUTES from 'constants/routes';
 import { DashboardProvider, useDashboard } from 'providers/Dashboard/Dashboard';
@@ -47,6 +50,7 @@ jest.mock('react-redux', () => ({
 		selectedTime: 'GLOBAL_TIME',
 		minTime: '2023-01-01T00:00:00Z',
 		maxTime: '2023-01-01T01:00:00Z',
+		isAutoRefreshDisabled: true,
 	})),
 	useDispatch: jest.fn(() => jest.fn()),
 }));
@@ -322,13 +326,68 @@ describe('Dashboard Provider - Query Key with Route Params', () => {
 				REACT_QUERY_KEY.DASHBOARD_BY_ID,
 				{ dashboardId: dashboardId1 },
 				dashboardId1,
+				true, // globalTime.isAutoRefreshDisabled
 			]);
 			expect(cacheKeys[1]).toEqual([
 				REACT_QUERY_KEY.DASHBOARD_BY_ID,
 				{ dashboardId: dashboardId2 },
 				dashboardId2,
+				true, // globalTime.isAutoRefreshDisabled
 			]);
 		});
+
+		it('should not store dashboard in cache when autoRefresh is enabled (isAutoRefreshDisabled=false)', async () => {
+			jest.mocked(useSelector).mockImplementation(() => ({
+				selectedTime: 'GLOBAL_TIME',
+				minTime: '2023-01-01T00:00:00Z',
+				maxTime: '2023-01-01T01:00:00Z',
+				isAutoRefreshDisabled: false,
+			}));
+
+			const queryClient = createTestQueryClient();
+			const dashboardId = 'auto-refresh-dashboard';
+
+			mockUseRouteMatch.mockReturnValue({
+				path: ROUTES.DASHBOARD,
+				url: `/dashboard/${dashboardId}`,
+				isExact: true,
+				params: { dashboardId },
+			});
+
+			render(
+				<QueryClientProvider client={queryClient}>
+					<MemoryRouter initialEntries={[`/dashboard/${dashboardId}`]}>
+						<DashboardProvider>
+							<TestComponent />
+						</DashboardProvider>
+					</MemoryRouter>
+				</QueryClientProvider>,
+			);
+
+			await waitFor(() => {
+				expect(mockGetDashboard).toHaveBeenCalledWith({ id: dashboardId });
+			});
+
+			const dashboardQuery = queryClient
+				.getQueryCache()
+				.getAll()
+				.find(
+					(query) =>
+						query.queryKey[0] === REACT_QUERY_KEY.DASHBOARD_BY_ID &&
+						query.queryKey[3] === false,
+				);
+			expect(dashboardQuery).toBeDefined();
+			expect((dashboardQuery as { cacheTime: number }).cacheTime).toBe(
+				DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED,
+			);
+
+			jest.mocked(useSelector).mockImplementation(() => ({
+				selectedTime: 'GLOBAL_TIME',
+				minTime: '2023-01-01T00:00:00Z',
+				maxTime: '2023-01-01T01:00:00Z',
+				isAutoRefreshDisabled: true,
+			}));
+		});
 	});
 });
 

go.mod

@@ -1,51 +1,50 @@
 module github.com/SigNoz/signoz
 
-go 1.24.0
+go 1.25.0
 
 require (
-	dario.cat/mergo v1.0.1
+	dario.cat/mergo v1.0.2
 	github.com/AfterShip/clickhouse-sql-parser v0.4.16
 	github.com/ClickHouse/clickhouse-go/v2 v2.40.1
 	github.com/DATA-DOG/go-sqlmock v1.5.2
 	github.com/SigNoz/govaluate v0.0.0-20240203125216-988004ccc7fd
-	github.com/SigNoz/signoz-otel-collector v0.129.10-rc.9
+	github.com/SigNoz/signoz-otel-collector v0.144.2
 	github.com/antlr4-go/antlr/v4 v4.13.1
 	github.com/antonmedv/expr v1.15.3
-	github.com/bytedance/sonic v1.14.1
 	github.com/cespare/xxhash/v2 v2.3.0
-	github.com/coreos/go-oidc/v3 v3.14.1
+	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/dgraph-io/ristretto/v2 v2.3.0
 	github.com/dustin/go-humanize v1.0.1
 	github.com/gin-gonic/gin v1.11.0
 	github.com/go-co-op/gocron v1.30.1
-	github.com/go-openapi/runtime v0.28.0
-	github.com/go-openapi/strfmt v0.23.0
+	github.com/go-openapi/runtime v0.29.2
+	github.com/go-openapi/strfmt v0.25.0
 	github.com/go-redis/redismock/v9 v9.2.0
-	github.com/go-viper/mapstructure/v2 v2.4.0
+	github.com/go-viper/mapstructure/v2 v2.5.0
 	github.com/gojek/heimdall/v7 v7.0.3
-	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
 	github.com/huandu/go-sqlbuilder v1.35.0
 	github.com/jackc/pgx/v5 v5.7.6
-	github.com/json-iterator/go v1.1.12
+	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12
 	github.com/knadh/koanf v1.5.0
-	github.com/knadh/koanf/v2 v2.2.0
-	github.com/mailru/easyjson v0.7.7
-	github.com/open-telemetry/opamp-go v0.19.0
-	github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza v0.128.0
+	github.com/knadh/koanf/v2 v2.3.2
+	github.com/mailru/easyjson v0.9.0
+	github.com/open-telemetry/opamp-go v0.22.0
+	github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza v0.144.0
 	github.com/openfga/api/proto v0.0.0-20250909172242-b4b2a12f5c67
 	github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20250428093642-7aeebe78bbfe
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/alertmanager v0.28.1
+	github.com/prometheus/alertmanager v0.31.0
 	github.com/prometheus/client_golang v1.23.2
-	github.com/prometheus/common v0.66.1
-	github.com/prometheus/prometheus v0.304.1
+	github.com/prometheus/common v0.67.5
+	github.com/prometheus/prometheus v0.310.0
 	github.com/redis/go-redis/extra/redisotel/v9 v9.15.1
-	github.com/redis/go-redis/v9 v9.15.1
+	github.com/redis/go-redis/v9 v9.17.2
 	github.com/rs/cors v1.11.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
@@ -54,7 +53,7 @@ require (
 	github.com/sethvargo/go-password v0.2.0
 	github.com/smartystreets/goconvey v1.8.1
 	github.com/soheilhy/cmux v0.1.5
-	github.com/spf13/cobra v1.10.1
+	github.com/spf13/cobra v1.10.2
 	github.com/srikanthccv/ClickHouse-go-mock v0.13.0
 	github.com/stretchr/testify v1.11.1
 	github.com/swaggest/jsonschema-go v0.3.78
@@ -64,43 +63,72 @@ require (
 	github.com/uptrace/bun/dialect/pgdialect v1.2.9
 	github.com/uptrace/bun/dialect/sqlitedialect v1.2.9
 	github.com/uptrace/bun/extra/bunotel v1.2.9
-	go.opentelemetry.io/collector/confmap v1.34.0
-	go.opentelemetry.io/collector/otelcol v0.128.0
-	go.opentelemetry.io/collector/pdata v1.34.0
+	go.opentelemetry.io/collector/confmap v1.51.0
+	go.opentelemetry.io/collector/otelcol v0.144.0
+	go.opentelemetry.io/collector/pdata v1.51.0
 	go.opentelemetry.io/contrib/config v0.10.0
 	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.63.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
-	go.opentelemetry.io/otel v1.38.0
-	go.opentelemetry.io/otel/metric v1.38.0
-	go.opentelemetry.io/otel/sdk v1.38.0
-	go.opentelemetry.io/otel/trace v1.38.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
+	go.opentelemetry.io/otel v1.40.0
+	go.opentelemetry.io/otel/metric v1.40.0
+	go.opentelemetry.io/otel/sdk v1.40.0
+	go.opentelemetry.io/otel/trace v1.40.0
 	go.uber.org/multierr v1.11.0
-	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.46.0
-	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
-	golang.org/x/net v0.47.0
-	golang.org/x/oauth2 v0.30.0
+	go.uber.org/zap v1.27.1
+	golang.org/x/crypto v0.47.0
+	golang.org/x/exp v0.0.0-20260112195511-716be5621a96
+	golang.org/x/net v0.49.0
+	golang.org/x/oauth2 v0.34.0
 	golang.org/x/sync v0.19.0
-	golang.org/x/text v0.32.0
-	google.golang.org/protobuf v1.36.9
+	golang.org/x/text v0.33.0
+	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/apimachinery v0.34.0
+	k8s.io/apimachinery v0.35.0
 	modernc.org/sqlite v1.39.1
 )
 
 require (
+	github.com/aws/aws-sdk-go-v2 v1.41.1 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.32.7 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.7 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sns v1.39.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
+	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic v1.14.1 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
+	github.com/go-openapi/swag/conv v0.25.4 // indirect
+	github.com/go-openapi/swag/fileutils v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
+	github.com/go-openapi/swag/loading v0.25.4 // indirect
+	github.com/go-openapi/swag/mangling v0.25.4 // indirect
+	github.com/go-openapi/swag/netutils v0.25.4 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.27.0 // indirect
-	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
+	github.com/hashicorp/go-metrics v0.5.4 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/prometheus/client_golang/exp v0.0.0-20260108101519-fb0838f53562 // indirect
 	github.com/redis/go-redis/extra/rediscmd/v9 v9.15.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/swaggest/refl v1.4.0 // indirect
@@ -108,69 +136,70 @@ require (
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/uptrace/opentelemetry-go-extra/otelsql v0.3.2 // indirect
-	go.opentelemetry.io/collector/config/configretry v1.34.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.opentelemetry.io/collector/client v1.50.0 // indirect
+	go.opentelemetry.io/collector/config/configoptional v1.50.0 // indirect
+	go.opentelemetry.io/collector/config/configretry v1.50.0 // indirect
+	go.opentelemetry.io/collector/exporter/exporterhelper v0.144.0 // indirect
+	go.opentelemetry.io/collector/internal/componentalias v0.145.0 // indirect
+	go.opentelemetry.io/collector/pdata/xpdata v0.144.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/tools/godoc v0.1.0-deprecated // indirect
 	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 )
 
 require (
-	cel.dev/expr v0.24.0 // indirect
-	cloud.google.com/go/auth v0.16.1 // indirect
+	cel.dev/expr v0.25.1 // indirect
+	cloud.google.com/go/auth v0.18.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.8.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/ClickHouse/ch-go v0.67.0 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Yiling-J/theine-go v0.6.2 // indirect
 	github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.55.7 // indirect
 	github.com/beevik/etree v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
-	github.com/coder/quartz v0.1.2 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/coder/quartz v0.3.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dennwc/varint v1.0.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/edsrzf/mmap-go v1.2.0 // indirect
-	github.com/elastic/lunes v0.1.0 // indirect
+	github.com/elastic/lunes v0.2.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
-	github.com/expr-lang/expr v1.17.5
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/expr-lang/expr v1.17.7
 	github.com/facette/natsort v0.0.0-20181210072756-2cd4dd1e2dcb // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-faster/city v1.0.1 // indirect
 	github.com/go-faster/errors v0.7.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-openapi/analysis v0.23.0 // indirect
-	github.com/go-openapi/errors v0.22.0 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
-	github.com/go-openapi/loads v0.22.0 // indirect
-	github.com/go-openapi/spec v0.21.0 // indirect
-	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-openapi/analysis v0.24.2 // indirect
+	github.com/go-openapi/errors v0.22.6 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
+	github.com/go-openapi/jsonreference v0.21.4 // indirect
+	github.com/go-openapi/loads v0.23.2 // indirect
+	github.com/go-openapi/spec v0.22.3 // indirect
+	github.com/go-openapi/swag v0.25.4 // indirect
+	github.com/go-openapi/validate v0.25.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/gojek/valkyrie v0.0.0-20180215180059-6aee720afcdf // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -178,22 +207,22 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/cel-go v0.26.1 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
+	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
 	github.com/gopherjs/gopherjs v1.17.2 // indirect
-	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
+	github.com/grafana/regexp v0.0.0-20250905093917-f7b3be9d1853 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
-	github.com/hashicorp/go-msgpack/v2 v2.1.1 // indirect
+	github.com/hashicorp/go-msgpack/v2 v2.1.5 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
-	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/hashicorp/go-version v1.8.0 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
-	github.com/hashicorp/memberlist v0.5.1 // indirect
+	github.com/hashicorp/memberlist v0.5.4 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
@@ -201,26 +230,25 @@ require (
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jessevdk/go-flags v1.6.1 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/jtolds/gls v4.20.0+incompatible // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.3 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/leodido/go-syslog/v4 v4.2.0 // indirect
+	github.com/leodido/go-syslog/v4 v4.3.0 // indirect
 	github.com/leodido/ragel-machinery v0.0.0-20190525184631-5f46317e436b // indirect
-	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
+	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mdlayher/vsock v1.2.1 // indirect
 	github.com/mfridman/interpolate v0.0.2 // indirect
-	github.com/miekg/dns v1.1.65 // indirect
+	github.com/miekg/dns v1.1.72 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
@@ -229,27 +257,27 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
 	github.com/natefinch/wrap v0.2.0 // indirect
-	github.com/oklog/run v1.1.0 // indirect
+	github.com/oklog/run v1.2.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/oklog/ulid/v2 v2.1.1
 	github.com/open-feature/go-sdk v1.17.0
-	github.com/open-telemetry/opentelemetry-collector-contrib/internal/coreinternal v0.128.0 // indirect
-	github.com/open-telemetry/opentelemetry-collector-contrib/internal/exp/metrics v0.128.0 // indirect
-	github.com/open-telemetry/opentelemetry-collector-contrib/pkg/pdatautil v0.128.0 // indirect
-	github.com/open-telemetry/opentelemetry-collector-contrib/processor/deltatocumulativeprocessor v0.128.0 // indirect
+	github.com/open-telemetry/opentelemetry-collector-contrib/internal/coreinternal v0.144.0 // indirect
+	github.com/open-telemetry/opentelemetry-collector-contrib/internal/exp/metrics v0.145.0 // indirect
+	github.com/open-telemetry/opentelemetry-collector-contrib/pkg/pdatautil v0.145.0 // indirect
+	github.com/open-telemetry/opentelemetry-collector-contrib/processor/deltatocumulativeprocessor v0.145.0 // indirect
 	github.com/openfga/openfga v1.10.1
 	github.com/paulmach/orb v0.11.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pierrec/lz4/v4 v4.1.23 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/pressly/goose/v3 v3.25.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/exporter-toolkit v0.14.0 // indirect
-	github.com/prometheus/otlptranslator v0.0.0-20250320144820-d800c8b0eb07 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
-	github.com/prometheus/sigv4 v0.1.2 // indirect
+	github.com/prometheus/exporter-toolkit v0.15.1 // indirect
+	github.com/prometheus/otlptranslator v1.0.0 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/prometheus/sigv4 v0.4.1 // indirect
 	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/sagikazarmark/locafero v0.9.0 // indirect
@@ -257,7 +285,7 @@ require (
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/segmentio/backo-go v1.0.1 // indirect
 	github.com/sethvargo/go-retry v0.3.0 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.5 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.12 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c // indirect
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
@@ -272,94 +300,92 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/swaggest/openapi-go v0.2.60
 	github.com/tidwall/match v1.1.1 // indirect
-	github.com/tidwall/pretty v1.2.0 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.16 // indirect
+	github.com/tklauser/numcpus v0.11.0 // indirect
 	github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc // indirect
-	github.com/trivago/tgo v1.0.7 // indirect
-	github.com/valyala/fastjson v1.6.4 // indirect
+	github.com/valyala/fastjson v1.6.7 // indirect
 	github.com/vjeantet/grok v1.0.1 // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
-	go.mongodb.org/mongo-driver v1.17.1 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/collector/component v1.34.0 // indirect
-	go.opentelemetry.io/collector/component/componentstatus v0.128.0 // indirect
-	go.opentelemetry.io/collector/component/componenttest v0.128.0 // indirect
-	go.opentelemetry.io/collector/config/configtelemetry v0.128.0 // indirect
-	go.opentelemetry.io/collector/confmap/provider/envprovider v1.34.0 // indirect
-	go.opentelemetry.io/collector/confmap/provider/fileprovider v1.34.0 // indirect
-	go.opentelemetry.io/collector/confmap/xconfmap v0.128.0 // indirect
-	go.opentelemetry.io/collector/connector v0.128.0 // indirect
-	go.opentelemetry.io/collector/connector/connectortest v0.128.0 // indirect
-	go.opentelemetry.io/collector/connector/xconnector v0.128.0 // indirect
-	go.opentelemetry.io/collector/consumer v1.34.0 // indirect
-	go.opentelemetry.io/collector/consumer/consumererror v0.128.0 // indirect
-	go.opentelemetry.io/collector/consumer/consumertest v0.128.0 // indirect
-	go.opentelemetry.io/collector/consumer/xconsumer v0.128.0 // indirect
-	go.opentelemetry.io/collector/exporter v0.128.0 // indirect
-	go.opentelemetry.io/collector/exporter/exportertest v0.128.0 // indirect
-	go.opentelemetry.io/collector/exporter/xexporter v0.128.0 // indirect
-	go.opentelemetry.io/collector/extension v1.34.0 // indirect
-	go.opentelemetry.io/collector/extension/extensioncapabilities v0.128.0 // indirect
-	go.opentelemetry.io/collector/extension/extensiontest v0.128.0 // indirect
-	go.opentelemetry.io/collector/extension/xextension v0.128.0 // indirect
-	go.opentelemetry.io/collector/featuregate v1.34.0 // indirect
-	go.opentelemetry.io/collector/internal/fanoutconsumer v0.128.0 // indirect
-	go.opentelemetry.io/collector/internal/telemetry v0.128.0 // indirect
-	go.opentelemetry.io/collector/pdata/pprofile v0.128.0 // indirect
-	go.opentelemetry.io/collector/pdata/testdata v0.128.0 // indirect
-	go.opentelemetry.io/collector/pipeline v0.128.0 // indirect
-	go.opentelemetry.io/collector/pipeline/xpipeline v0.128.0 // indirect
-	go.opentelemetry.io/collector/processor v1.34.0 // indirect
-	go.opentelemetry.io/collector/processor/processorhelper v0.128.0 // indirect
-	go.opentelemetry.io/collector/processor/processortest v0.128.0 // indirect
-	go.opentelemetry.io/collector/processor/xprocessor v0.128.0 // indirect
-	go.opentelemetry.io/collector/receiver v1.34.0 // indirect
-	go.opentelemetry.io/collector/receiver/receiverhelper v0.128.0 // indirect
-	go.opentelemetry.io/collector/receiver/receivertest v0.128.0 // indirect
-	go.opentelemetry.io/collector/receiver/xreceiver v0.128.0 // indirect
-	go.opentelemetry.io/collector/semconv v0.128.0
-	go.opentelemetry.io/collector/service v0.128.0 // indirect
-	go.opentelemetry.io/collector/service/hostcapabilities v0.128.0 // indirect
-	go.opentelemetry.io/contrib/bridges/otelzap v0.11.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.60.0 // indirect
-	go.opentelemetry.io/contrib/otelconf v0.16.0 // indirect
-	go.opentelemetry.io/contrib/propagators/b3 v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.12.2 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.12.2 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/prometheus v0.58.0
-	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.12.2 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 // indirect
-	go.opentelemetry.io/otel/log v0.12.2 // indirect
-	go.opentelemetry.io/otel/sdk/log v0.12.2 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.38.0
-	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
+	go.mongodb.org/mongo-driver v1.17.6 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/collector/component v1.51.0 // indirect
+	go.opentelemetry.io/collector/component/componentstatus v0.145.0 // indirect
+	go.opentelemetry.io/collector/component/componenttest v0.145.0 // indirect
+	go.opentelemetry.io/collector/config/configtelemetry v0.144.0 // indirect
+	go.opentelemetry.io/collector/confmap/provider/envprovider v1.50.0 // indirect
+	go.opentelemetry.io/collector/confmap/provider/fileprovider v1.50.0 // indirect
+	go.opentelemetry.io/collector/confmap/xconfmap v0.145.0 // indirect
+	go.opentelemetry.io/collector/connector v0.144.0 // indirect
+	go.opentelemetry.io/collector/connector/connectortest v0.144.0 // indirect
+	go.opentelemetry.io/collector/connector/xconnector v0.144.0 // indirect
+	go.opentelemetry.io/collector/consumer v1.51.0 // indirect
+	go.opentelemetry.io/collector/consumer/consumererror v0.144.0 // indirect
+	go.opentelemetry.io/collector/consumer/consumertest v0.145.0 // indirect
+	go.opentelemetry.io/collector/consumer/xconsumer v0.145.0 // indirect
+	go.opentelemetry.io/collector/exporter v1.50.0 // indirect
+	go.opentelemetry.io/collector/exporter/exportertest v0.144.0 // indirect
+	go.opentelemetry.io/collector/exporter/xexporter v0.144.0 // indirect
+	go.opentelemetry.io/collector/extension v1.50.0 // indirect
+	go.opentelemetry.io/collector/extension/extensioncapabilities v0.144.0 // indirect
+	go.opentelemetry.io/collector/extension/extensiontest v0.144.0 // indirect
+	go.opentelemetry.io/collector/extension/xextension v0.144.0 // indirect
+	go.opentelemetry.io/collector/featuregate v1.51.0 // indirect
+	go.opentelemetry.io/collector/internal/fanoutconsumer v0.144.0 // indirect
+	go.opentelemetry.io/collector/internal/telemetry v0.144.0 // indirect
+	go.opentelemetry.io/collector/pdata/pprofile v0.145.0 // indirect
+	go.opentelemetry.io/collector/pdata/testdata v0.145.0 // indirect
+	go.opentelemetry.io/collector/pipeline v1.51.0 // indirect
+	go.opentelemetry.io/collector/pipeline/xpipeline v0.144.0 // indirect
+	go.opentelemetry.io/collector/processor v1.51.0 // indirect
+	go.opentelemetry.io/collector/processor/processorhelper v0.144.0 // indirect
+	go.opentelemetry.io/collector/processor/processortest v0.145.0 // indirect
+	go.opentelemetry.io/collector/processor/xprocessor v0.145.0 // indirect
+	go.opentelemetry.io/collector/receiver v1.50.0 // indirect
+	go.opentelemetry.io/collector/receiver/receiverhelper v0.144.0 // indirect
+	go.opentelemetry.io/collector/receiver/receivertest v0.144.0 // indirect
+	go.opentelemetry.io/collector/receiver/xreceiver v0.144.0 // indirect
+	go.opentelemetry.io/collector/semconv v0.128.1-0.20250610090210-188191247685
+	go.opentelemetry.io/collector/service v0.144.0 // indirect
+	go.opentelemetry.io/collector/service/hostcapabilities v0.144.0 // indirect
+	go.opentelemetry.io/contrib/bridges/otelzap v0.13.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.65.0 // indirect
+	go.opentelemetry.io/contrib/otelconf v0.18.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.39.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.60.0
+	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0 // indirect
+	go.opentelemetry.io/otel/log v0.15.0 // indirect
+	go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.40.0
+	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/mock v0.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/sys v0.39.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.39.0 // indirect
-	gonum.org/v1/gonum v0.16.0 // indirect
-	google.golang.org/api v0.236.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
-	google.golang.org/grpc v1.75.1 // indirect
+	golang.org/x/mod v0.32.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
+	gonum.org/v1/gonum v0.17.0 // indirect
+	google.golang.org/api v0.265.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
+	google.golang.org/grpc v1.78.0 // indirect
 	gopkg.in/telebot.v3 v3.3.8 // indirect
-	k8s.io/client-go v0.34.0 // indirect
+	k8s.io/client-go v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/yaml v1.6.0 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
 )
 
 replace github.com/expr-lang/expr => github.com/SigNoz/expr v1.17.7-beta

pkg/alertmanager/alertmanagerserver/dispatcher.go

@@ -95,7 +95,7 @@ func (d *Dispatcher) Run() {
 	d.ctx, d.cancel = context.WithCancel(context.Background())
 	d.mtx.Unlock()
 
-	d.run(d.alerts.Subscribe())
+	d.run(d.alerts.Subscribe(fmt.Sprintf("dispatcher-%s", d.orgID)))
 	close(d.done)
 }
 
@@ -107,14 +107,15 @@ func (d *Dispatcher) run(it provider.AlertIterator) {
 
 	for {
 		select {
-		case alert, ok := <-it.Next():
-			if !ok {
+		case alertWrapper, ok := <-it.Next():
+			if !ok || alertWrapper == nil {
 				// Iterator exhausted for some reason.
 				if err := it.Err(); err != nil {
 					d.logger.ErrorContext(d.ctx, "Error on alert update", "err", err)
 				}
 				return
 			}
+			alert := alertWrapper.Data
 
 			d.logger.DebugContext(d.ctx, "SigNoz Custom Dispatcher: Received alert", "alert", alert)
 

pkg/alertmanager/alertmanagerserver/distpatcher_test.go

@@ -365,7 +365,7 @@ route:
 	logger := providerSettings.Logger
 	route := dispatch.NewRoute(conf.Route, nil)
 	marker := alertmanagertypes.NewMarker(prometheus.NewRegistry())
-	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, nil, logger, nil)
+	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, 0, nil, logger, prometheus.NewRegistry(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -496,7 +496,7 @@ route:
 		err := nfManager.SetNotificationConfig(orgId, ruleID, &config)
 		require.NoError(t, err)
 	}
-	err = alerts.Put(inputAlerts...)
+	err = alerts.Put(ctx, inputAlerts...)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -638,7 +638,7 @@ route:
 	logger := providerSettings.Logger
 	route := dispatch.NewRoute(conf.Route, nil)
 	marker := alertmanagertypes.NewMarker(prometheus.NewRegistry())
-	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, nil, logger, nil)
+	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, 0, nil, logger, prometheus.NewRegistry(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -798,7 +798,7 @@ route:
 		err := nfManager.SetNotificationConfig(orgId, ruleID, &config)
 		require.NoError(t, err)
 	}
-	err = alerts.Put(inputAlerts...)
+	err = alerts.Put(ctx, inputAlerts...)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -897,7 +897,7 @@ route:
 	logger := providerSettings.Logger
 	route := dispatch.NewRoute(conf.Route, nil)
 	marker := alertmanagertypes.NewMarker(prometheus.NewRegistry())
-	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, nil, logger, nil)
+	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, 0, nil, logger, prometheus.NewRegistry(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1028,7 +1028,7 @@ route:
 		err := nfManager.SetNotificationConfig(orgId, ruleID, &config)
 		require.NoError(t, err)
 	}
-	err = alerts.Put(inputAlerts...)
+	err = alerts.Put(ctx, inputAlerts...)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1159,7 +1159,7 @@ func newAlert(labels model.LabelSet) *alertmanagertypes.Alert {
 func TestDispatcherRace(t *testing.T) {
 	logger := promslog.NewNopLogger()
 	marker := alertmanagertypes.NewMarker(prometheus.NewRegistry())
-	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, nil, logger, nil)
+	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, 0, nil, logger, prometheus.NewRegistry(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1175,6 +1175,7 @@ func TestDispatcherRace(t *testing.T) {
 }
 
 func TestDispatcherRaceOnFirstAlertNotDeliveredWhenGroupWaitIsZero(t *testing.T) {
+	ctx := context.Background()
 	const numAlerts = 5000
 	confData := `receivers:
 - name: 'slack'
@@ -1194,7 +1195,7 @@ route:
 	providerSettings := createTestProviderSettings()
 	logger := providerSettings.Logger
 	marker := alertmanagertypes.NewMarker(prometheus.NewRegistry())
-	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, nil, logger, nil)
+	alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, 0, nil, logger, prometheus.NewRegistry(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1247,7 +1248,7 @@ route:
 	for i := 0; i < numAlerts; i++ {
 		ruleId := fmt.Sprintf("Alert_%d", i)
 		alert := newAlert(model.LabelSet{"ruleId": model.LabelValue(ruleId)})
-		require.NoError(t, alerts.Put(alert))
+		require.NoError(t, alerts.Put(ctx, alert))
 	}
 
 	for deadline := time.Now().Add(5 * time.Second); time.Now().Before(deadline); {
@@ -1265,7 +1266,7 @@ func TestDispatcher_DoMaintenance(t *testing.T) {
 	r := prometheus.NewRegistry()
 	marker := alertmanagertypes.NewMarker(r)
 
-	alerts, err := mem.NewAlerts(context.Background(), marker, time.Minute, nil, promslog.NewNopLogger(), nil)
+	alerts, err := mem.NewAlerts(context.Background(), marker, time.Minute, 0, nil, promslog.NewNopLogger(), prometheus.NewRegistry(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1370,7 +1371,7 @@ route:
 			logger := providerSettings.Logger
 			route := dispatch.NewRoute(conf.Route, nil)
 			marker := alertmanagertypes.NewMarker(prometheus.NewRegistry())
-			alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, nil, logger, nil)
+			alerts, err := mem.NewAlerts(context.Background(), marker, time.Hour, 0, nil, logger, prometheus.NewRegistry(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}

pkg/alertmanager/alertmanagerserver/server.go

@@ -190,7 +190,7 @@ func New(ctx context.Context, logger *slog.Logger, registry prometheus.Registere
 		})
 	}()
 
-	server.alerts, err = mem.NewAlerts(ctx, server.marker, server.srvConfig.Alerts.GCInterval, nil, server.logger, signozRegisterer)
+	server.alerts, err = mem.NewAlerts(ctx, server.marker, server.srvConfig.Alerts.GCInterval, 0, nil, server.logger, signozRegisterer, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -203,15 +203,15 @@ func New(ctx context.Context, logger *slog.Logger, registry prometheus.Registere
 
 func (server *Server) GetAlerts(ctx context.Context, params alertmanagertypes.GettableAlertsParams) (alertmanagertypes.GettableAlerts, error) {
 	return alertmanagertypes.NewGettableAlertsFromAlertProvider(server.alerts, server.alertmanagerConfig, server.marker.Status, func(labels model.LabelSet) {
-		server.inhibitor.Mutes(labels)
-		server.silencer.Mutes(labels)
+		server.inhibitor.Mutes(ctx, labels)
+		server.silencer.Mutes(ctx, labels)
 	}, params)
 }
 
 func (server *Server) PutAlerts(ctx context.Context, postableAlerts alertmanagertypes.PostableAlerts) error {
-	alerts, err := alertmanagertypes.NewAlertsFromPostableAlerts(postableAlerts, time.Duration(server.srvConfig.Global.ResolveTimeout), time.Now())
+	alerts, err := alertmanagertypes.NewAlertsFromPostableAlerts(ctx, postableAlerts, time.Duration(server.srvConfig.Global.ResolveTimeout), time.Now())
 	// Notification sending alert takes precedence over validation errors.
-	if err := server.alerts.Put(alerts...); err != nil {
+	if err := server.alerts.Put(ctx, alerts...); err != nil {
 		return err
 	}
 
@@ -340,6 +340,7 @@ func (server *Server) TestAlert(ctx context.Context, receiversMap map[*alertmana
 	}
 
 	alerts, err := alertmanagertypes.NewAlertsFromPostableAlerts(
+		ctx,
 		postableAlerts,
 		time.Duration(server.srvConfig.Global.ResolveTimeout),
 		time.Now(),

pkg/alertmanager/alertmanagerserver/server_test.go

@@ -70,7 +70,7 @@ func TestServerTestReceiverTypeWebhook(t *testing.T) {
 		WebhookConfigs: []*config.WebhookConfig{
 			{
 				HTTPConfig: &commoncfg.HTTPClientConfig{},
-				URL:        &config.SecretURL{URL: webhookURL},
+				URL:        config.SecretTemplateURL(webhookURL.String()),
 			},
 		},
 	})
@@ -96,7 +96,7 @@ func TestServerPutAlerts(t *testing.T) {
 		WebhookConfigs: []*config.WebhookConfig{
 			{
 				HTTPConfig: &commoncfg.HTTPClientConfig{},
-				URL:        &config.SecretURL{URL: &url.URL{Host: "localhost", Path: "/test-receiver"}},
+				URL:        config.SecretTemplateURL("http://localhost/test-receiver"),
 			},
 		},
 	}))
@@ -176,7 +176,7 @@ func TestServerTestAlert(t *testing.T) {
 		WebhookConfigs: []*config.WebhookConfig{
 			{
 				HTTPConfig: &commoncfg.HTTPClientConfig{},
-				URL:        &config.SecretURL{URL: webhook1URL},
+				URL:        config.SecretTemplateURL(webhook1URL.String()),
 			},
 		},
 	}))
@@ -186,7 +186,7 @@ func TestServerTestAlert(t *testing.T) {
 		WebhookConfigs: []*config.WebhookConfig{
 			{
 				HTTPConfig: &commoncfg.HTTPClientConfig{},
-				URL:        &config.SecretURL{URL: webhook2URL},
+				URL:        config.SecretTemplateURL(webhook2URL.String()),
 			},
 		},
 	}))
@@ -268,7 +268,7 @@ func TestServerTestAlertContinuesOnFailure(t *testing.T) {
 		WebhookConfigs: []*config.WebhookConfig{
 			{
 				HTTPConfig: &commoncfg.HTTPClientConfig{},
-				URL:        &config.SecretURL{URL: webhookURL},
+				URL:        config.SecretTemplateURL(webhookURL.String()),
 			},
 		},
 	}))
@@ -278,7 +278,7 @@ func TestServerTestAlertContinuesOnFailure(t *testing.T) {
 		WebhookConfigs: []*config.WebhookConfig{
 			{
 				HTTPConfig: &commoncfg.HTTPClientConfig{},
-				URL:        &config.SecretURL{URL: &url.URL{Scheme: "http", Host: "localhost:1", Path: "/webhook"}},
+				URL:        config.SecretTemplateURL("http://localhost:1/webhook"),
 			},
 		},
 	}))

pkg/apiserver/signozapiserver/user.go

@@ -32,7 +32,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Tags:               []string{"users"},
 		Summary:            "Create bulk invite",
 		Description:        "This endpoint creates a bulk invite for a user",
-		Request:            make([]*types.PostableInvite, 0),
+		Request:            new(types.PostableBulkInviteRequest),
 		RequestContentType: "application/json",
 		Response:           nil,
 		SuccessStatusCode:  http.StatusCreated,

pkg/authn/authnstore/sqlauthnstore/store.go

@@ -17,7 +17,7 @@ func NewStore(sqlstore sqlstore.SQLStore) authtypes.AuthNStore {
 	return &store{sqlstore: sqlstore}
 }
 
-func (store *store) GetUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error) {
+func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error) {
 	user := new(types.User)
 	factorPassword := new(types.FactorPassword)
 
@@ -28,6 +28,7 @@ func (store *store) GetUserAndFactorPasswordByEmailAndOrgID(ctx context.Context,
 		Model(user).
 		Where("email = ?", email).
 		Where("org_id = ?", orgID).
+		Where("status = ?", types.UserStatusActive.StringValue()).
 		Scan(ctx)
 	if err != nil {
 		return nil, nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with email %s in org %s not found", email, orgID)

pkg/authn/passwordauthn/emailpasswordauthn/authn.go

@@ -21,7 +21,7 @@ func New(store authtypes.AuthNStore) *AuthN {
 }
 
 func (a *AuthN) Authenticate(ctx context.Context, email string, password string, orgID valuer.UUID) (*authtypes.Identity, error) {
-	user, factorPassword, err := a.store.GetUserAndFactorPasswordByEmailAndOrgID(ctx, email, orgID)
+	user, factorPassword, err := a.store.GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		return nil, err
 	}

pkg/instrumentation/sdk.go

@@ -15,7 +15,7 @@ import (
 	sdkmetric "go.opentelemetry.io/otel/metric"
 	sdkmetricnoop "go.opentelemetry.io/otel/metric/noop"
 	sdkresource "go.opentelemetry.io/otel/sdk/resource"
-	semconv "go.opentelemetry.io/otel/semconv/v1.37.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.39.0"
 	sdktrace "go.opentelemetry.io/otel/trace"
 )
 

pkg/modules/promote/implpromote/module.go

@@ -78,7 +78,7 @@ func (m *module) ListPromotedAndIndexedPaths(ctx context.Context) ([]promotetype
 
 	// add the paths that are not promoted but have indexes
 	for path, indexes := range aggr {
-		path := strings.TrimPrefix(path, telemetrylogs.BodyJSONColumnPrefix)
+		path := strings.TrimPrefix(path, telemetrylogs.BodyV2ColumnPrefix)
 		path = telemetrytypes.BodyJSONStringSearchPrefix + path
 		response = append(response, promotetypes.PromotePath{
 			Path:    path,
@@ -163,7 +163,7 @@ func (m *module) PromoteAndIndexPaths(
 			}
 		}
 		if len(it.Indexes) > 0 {
-			parentColumn := telemetrylogs.LogsV2BodyJSONColumn
+			parentColumn := telemetrylogs.LogsV2BodyV2Column
 			// if the path is already promoted or is being promoted, add it to the promoted column
 			if _, promoted := existingPromotedPaths[it.Path]; promoted || it.Promote {
 				parentColumn = telemetrylogs.LogsV2BodyPromotedColumn

pkg/modules/session/implsession/module.go

@@ -65,6 +65,9 @@ func (module *module) GetSessionContext(ctx context.Context, email valuer.Email,
 		return nil, err
 	}
 
+	// filter out deleted users
+	users = slices.DeleteFunc(users, func(user *types.User) bool { return user.ErrIfDeleted() != nil })
+
 	// Since email is a valuer, we can be sure that it is a valid email and we can split it to get the domain name.
 	name := strings.Split(email.String(), "@")[1]
 
@@ -141,7 +144,7 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 	roleMapping := authDomain.AuthDomainConfig().RoleMapping
 	role := roleMapping.NewRoleFromCallbackIdentity(callbackIdentity)
 
-	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID)
+	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID, types.UserStatusActive)
 	if err != nil {
 		return "", err
 	}

pkg/modules/user/impluser/getter.go

@@ -86,6 +86,15 @@ func (module *getter) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int6
 	return count, nil
 }
 
+func (module *getter) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error) {
+	counts, err := module.store.CountByOrgIDAndStatuses(ctx, orgID, statuses)
+	if err != nil {
+		return nil, err
+	}
+
+	return counts, nil
+}
+
 func (module *getter) GetFactorPasswordByUserID(ctx context.Context, userID valuer.UUID) (*types.FactorPassword, error) {
 	factorPassword, err := module.store.GetPasswordByUserID(ctx, userID)
 	if err != nil {

pkg/modules/user/impluser/handler.go

@@ -149,16 +149,11 @@ func (h *handler) DeleteInvite(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	uuid, err := valuer.NewUUID(id)
-	if err != nil {
-		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "orgId is invalid"))
-		return
-	}
-
-	if err := h.module.DeleteInvite(ctx, claims.OrgID, uuid); err != nil {
+	if err := h.module.DeleteUser(ctx, valuer.MustNewUUID(claims.OrgID), id, claims.UserID); err != nil {
 		render.Error(w, err)
 		return
 	}
+
 	render.Success(w, http.StatusNoContent, nil)
 }
 
@@ -218,6 +213,9 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// temp code - show only active users
+	users = slices.DeleteFunc(users, func(user *types.User) bool { return user.Status != types.UserStatusActive })
+
 	render.Success(w, http.StatusOK, users)
 }
 

pkg/modules/user/impluser/module.go

@@ -2,7 +2,6 @@ package impluser
 
 import (
 	"context"
-	"fmt"
 	"slices"
 	"strings"
 	"time"
@@ -52,39 +51,50 @@ func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing em
 }
 
 func (m *Module) AcceptInvite(ctx context.Context, token string, password string) (*types.User, error) {
-	invite, err := m.store.GetInviteByToken(ctx, token)
+	// get the user by reset password token
+	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
 	if err != nil {
 		return nil, err
 	}
 
-	user, err := types.NewUser(invite.Name, invite.Email, invite.Role, invite.OrgID)
+	// update the password and delete the token
+	err = m.UpdatePasswordByResetPasswordToken(ctx, token, password)
 	if err != nil {
 		return nil, err
 	}
 
-	factorPassword, err := types.NewFactorPassword(password, user.ID.StringValue())
+	// query the user again
+	user, err = m.store.GetByOrgIDAndID(ctx, user.OrgID, user.ID)
 	if err != nil {
 		return nil, err
 	}
 
-	err = m.CreateUser(ctx, user, root.WithFactorPassword(factorPassword))
-	if err != nil {
-		return nil, err
-	}
-
-	if err := m.DeleteInvite(ctx, invite.OrgID.String(), invite.ID); err != nil {
-		return nil, err
-	}
-
 	return user, nil
 }
 
 func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Invite, error) {
-	invite, err := m.store.GetInviteByToken(ctx, token)
+	// get the user
+	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
 	if err != nil {
 		return nil, err
 	}
 
+	// create a dummy invite obj for backward compatibility
+	invite := &types.Invite{
+		Identifiable: types.Identifiable{
+			ID: user.ID,
+		},
+		Name:  user.DisplayName,
+		Email: user.Email,
+		Token: token,
+		Role:  user.Role,
+		OrgID: user.OrgID,
+		TimeAuditable: types.TimeAuditable{
+			CreatedAt: user.CreatedAt,
+			UpdatedAt: user.UpdatedAt,
+		},
+	}
+
 	return invite, nil
 }
 
@@ -95,80 +105,158 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 		return nil, err
 	}
 
-	invites := make([]*types.Invite, 0, len(bulkInvites.Invites))
-
-	for _, invite := range bulkInvites.Invites {
-		// check if user exists
-		existingUser, err := m.store.GetUserByEmailAndOrgID(ctx, invite.Email, orgID)
-		if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-			return nil, err
-		}
-
-		if existingUser != nil {
-			if err := existingUser.ErrIfRoot(); err != nil {
-				return nil, errors.WithAdditionalf(err, "cannot send invite to root user")
-			}
-		}
-
-		if existingUser != nil {
-			return nil, errors.New(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with the same email")
-		}
-
-		// Check if an invite already exists
-		existingInvite, err := m.store.GetInviteByEmailAndOrgID(ctx, invite.Email, orgID)
-		if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-			return nil, err
-		}
-		if existingInvite != nil {
-			return nil, errors.New(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email")
-		}
-
-		role, err := types.NewRole(invite.Role.String())
-		if err != nil {
-			return nil, err
-		}
-
-		newInvite, err := types.NewInvite(invite.Name, role, orgID, invite.Email)
-		if err != nil {
-			return nil, err
-		}
-
-		newInvite.InviteLink = fmt.Sprintf("%s/signup?token=%s", invite.FrontendBaseUrl, newInvite.Token)
-		invites = append(invites, newInvite)
+	// validate all emails to be invited
+	emails := make([]string, len(bulkInvites.Invites))
+	for idx, invite := range bulkInvites.Invites {
+		emails[idx] = invite.Email.StringValue()
 	}
-
-	err = m.store.CreateBulkInvite(ctx, invites)
+	users, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err != nil {
 		return nil, err
 	}
 
-	for i := 0; i < len(invites); i++ {
-		m.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{"invitee_email": invites[i].Email, "invitee_role": invites[i].Role})
+	if len(users) > 0 {
+		if err := users[0].ErrIfRoot(); err != nil {
+			return nil, errors.WithAdditionalf(err, "Cannot send invite to root user")
+		}
 
-		// if the frontend base url is not provided, we don't send the email
-		if bulkInvites.Invites[i].FrontendBaseUrl == "" {
-			m.settings.Logger().InfoContext(ctx, "frontend base url is not provided, skipping email", "invitee_email", invites[i].Email)
+		if users[0].Status == types.UserStatusPendingInvite {
+			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", users[0].Email.StringValue())
+		}
+
+		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", users[0].Email.StringValue())
+	}
+
+	type userWithResetToken struct {
+		User               *types.User
+		ResetPasswordToken *types.ResetPasswordToken
+	}
+
+	newUsersWithResetToken := make([]*userWithResetToken, len(bulkInvites.Invites))
+
+	if err := m.store.RunInTx(ctx, func(ctx context.Context) error {
+		for idx, invite := range bulkInvites.Invites {
+			role, err := types.NewRole(invite.Role.String())
+			if err != nil {
+				return err
+			}
+
+			// create a new user with pending invite status
+			newUser, err := types.NewUser(invite.Name, invite.Email, role, orgID, types.UserStatusPendingInvite)
+			if err != nil {
+				return err
+			}
+
+			// store the user and password in db
+			err = m.createUserWithoutGrant(ctx, newUser)
+			if err != nil {
+				return err
+			}
+
+			// generate reset password token
+			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.ID)
+			if err != nil {
+				m.settings.Logger().ErrorContext(ctx, "failed to create reset password token for invited user", "error", err)
+				return err
+			}
+
+			newUsersWithResetToken[idx] = &userWithResetToken{
+				User:               newUser,
+				ResetPasswordToken: resetPasswordToken,
+			}
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	invites := make([]*types.Invite, len(bulkInvites.Invites))
+
+	// send password reset emails to all the invited users
+	for idx, userWithToken := range newUsersWithResetToken {
+		m.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
+			"invitee_email": userWithToken.User.Email,
+			"invitee_role":  userWithToken.User.Role,
+		})
+
+		invite := &types.Invite{
+			Identifiable: types.Identifiable{
+				ID: userWithToken.User.ID,
+			},
+			Name:  userWithToken.User.DisplayName,
+			Email: userWithToken.User.Email,
+			Token: userWithToken.ResetPasswordToken.Token,
+			Role:  userWithToken.User.Role,
+			OrgID: userWithToken.User.OrgID,
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: userWithToken.User.CreatedAt,
+				UpdatedAt: userWithToken.User.UpdatedAt,
+			},
+		}
+
+		invites[idx] = invite
+
+		frontendBaseUrl := bulkInvites.Invites[idx].FrontendBaseUrl
+		if frontendBaseUrl == "" {
+			m.settings.Logger().InfoContext(ctx, "frontend base url is not provided, skipping email", "invitee_email", userWithToken.User.Email)
 			continue
 		}
 
-		if err := m.emailing.SendHTML(ctx, invites[i].Email.String(), "You're Invited to Join SigNoz", emailtypes.TemplateNameInvitationEmail, map[string]any{
-			"inviter_email": creator.Email,
-			"link":          fmt.Sprintf("%s/signup?token=%s", bulkInvites.Invites[i].FrontendBaseUrl, invites[i].Token),
-		}); err != nil {
-			m.settings.Logger().ErrorContext(ctx, "failed to send email", "error", err)
-		}
+		resetLink := userWithToken.ResetPasswordToken.FactorPasswordResetLink(frontendBaseUrl)
 
+		tokenLifetime := m.config.Password.Reset.MaxTokenLifetime
+		humanizedTokenLifetime := strings.TrimSpace(humanize.RelTime(time.Now(), time.Now().Add(tokenLifetime), "", ""))
+
+		if err := m.emailing.SendHTML(ctx, userWithToken.User.Email.String(), "You're Invited to Join SigNoz", emailtypes.TemplateNameInvitationEmail, map[string]any{
+			"inviter_email": creator.Email,
+			"link":          resetLink,
+			"Expiry":        humanizedTokenLifetime,
+		}); err != nil {
+			m.settings.Logger().ErrorContext(ctx, "failed to send invite email", "error", err)
+		}
 	}
 
 	return invites, nil
 }
 
 func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error) {
-	return m.store.ListInvite(ctx, orgID)
-}
+	// find all the users with pending_invite status
+	users, err := m.store.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
+	if err != nil {
+		return nil, err
+	}
 
-func (m *Module) DeleteInvite(ctx context.Context, orgID string, id valuer.UUID) error {
-	return m.store.DeleteInvite(ctx, orgID, id)
+	pendingUsers := slices.DeleteFunc(users, func(user *types.User) bool { return user.Status != types.UserStatusPendingInvite })
+
+	var invites []*types.Invite
+
+	for _, pUser := range pendingUsers {
+		// get the reset password token
+		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		// create a dummy invite obj for backward compatibility
+		invite := &types.Invite{
+			Identifiable: types.Identifiable{
+				ID: pUser.ID,
+			},
+			Name:  pUser.DisplayName,
+			Email: pUser.Email,
+			Token: resetPasswordToken.Token,
+			Role:  pUser.Role,
+			OrgID: pUser.OrgID,
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: pUser.CreatedAt,
+				UpdatedAt: pUser.UpdatedAt, // dummy
+			},
+		}
+
+		invites = append(invites, invite)
+	}
+
+	return invites, nil
 }
 
 func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
@@ -213,6 +301,14 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		return nil, errors.WithAdditionalf(err, "cannot update root user")
 	}
 
+	if err := existingUser.ErrIfDeleted(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update deleted user")
+	}
+
+	if err := existingUser.ErrIfPending(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update pending user")
+	}
+
 	requestor, err := m.store.GetUser(ctx, valuer.MustNewUUID(updatedBy))
 	if err != nil {
 		return nil, err
@@ -224,7 +320,7 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 
 	// Make sure that the request is not demoting the last admin user.
 	if user.Role != "" && user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
-		adminUsers, err := m.store.GetUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+		adminUsers, err := m.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
 		if err != nil {
 			return nil, err
 		}
@@ -280,12 +376,16 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		return errors.WithAdditionalf(err, "cannot delete root user")
 	}
 
+	if err := user.ErrIfDeleted(); err != nil {
+		return errors.WithAdditionalf(err, "cannot delete already deleted user")
+	}
+
 	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(user.Email.String())) {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "integration user cannot be deleted")
 	}
 
 	// don't allow to delete the last admin user
-	adminUsers, err := module.store.GetUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	adminUsers, err := module.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
 	if err != nil {
 		return err
 	}
@@ -300,7 +400,8 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		return err
 	}
 
-	if err := module.store.DeleteUser(ctx, orgID.String(), user.ID.StringValue()); err != nil {
+	// for now we are only soft deleting users
+	if err := module.store.SoftDeleteUser(ctx, orgID.String(), user.ID.StringValue()); err != nil {
 		return err
 	}
 
@@ -321,6 +422,10 @@ func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID
 		return nil, errors.WithAdditionalf(err, "cannot reset password for root user")
 	}
 
+	if err := user.ErrIfDeleted(); err != nil {
+		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "user has been deleted")
+	}
+
 	password, err := module.store.GetPasswordByUserID(ctx, userID)
 	if err != nil {
 		if !errors.Ast(err, errors.TypeNotFound) {
@@ -375,7 +480,7 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 		return errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "Users are not allowed to reset their password themselves, please contact an admin to reset your password.")
 	}
 
-	user, err := module.store.GetUserByEmailAndOrgID(ctx, email, orgID)
+	user, err := module.GetNonDeletedUserByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		if errors.Ast(err, errors.TypeNotFound) {
 			return nil // for security reasons
@@ -393,7 +498,7 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 		return err
 	}
 
-	resetLink := fmt.Sprintf("%s/password-reset?token=%s", frontendBaseURL, token.Token)
+	resetLink := token.FactorPasswordResetLink(frontendBaseURL)
 
 	tokenLifetime := module.config.Password.Reset.MaxTokenLifetime
 	humanizedTokenLifetime := strings.TrimSpace(humanize.RelTime(time.Now(), time.Now().Add(tokenLifetime), "", ""))
@@ -435,6 +540,11 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
+	// handle deleted user
+	if err := user.ErrIfDeleted(); err != nil {
+		return errors.WithAdditionalf(err, "deleted users cannot reset their password")
+	}
+
 	if err := user.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}
@@ -443,7 +553,38 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
-	return module.store.UpdatePassword(ctx, password)
+	// since grant is idempotent, multiple calls won't cause issues in case of retries
+	if user.Status == types.UserStatusPendingInvite {
+		if err = module.authz.Grant(
+			ctx,
+			user.OrgID,
+			[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
+		); err != nil {
+			return err
+		}
+	}
+
+	return module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if user.Status == types.UserStatusPendingInvite {
+			if err := user.UpdateStatus(types.UserStatusActive); err != nil {
+				return err
+			}
+			if err := module.store.UpdateUser(ctx, user.OrgID, user); err != nil {
+				return err
+			}
+		}
+
+		if err := module.store.UpdatePassword(ctx, password); err != nil {
+			return err
+		}
+
+		if err := module.store.DeleteResetPasswordTokenByPasswordID(ctx, password.ID); err != nil {
+			return err
+		}
+
+		return nil
+	})
 }
 
 func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
@@ -452,6 +593,10 @@ func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, ol
 		return err
 	}
 
+	if err := user.ErrIfDeleted(); err != nil {
+		return errors.WithAdditionalf(err, "cannot change password for deleted user")
+	}
+
 	if err := user.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for root user")
 	}
@@ -469,7 +614,17 @@ func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, ol
 		return err
 	}
 
-	if err := module.store.UpdatePassword(ctx, password); err != nil {
+	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if err := module.store.UpdatePassword(ctx, password); err != nil {
+			return err
+		}
+
+		if err := module.store.DeleteResetPasswordTokenByPasswordID(ctx, password.ID); err != nil {
+			return err
+		}
+
+		return nil
+	}); err != nil {
 		return err
 	}
 
@@ -477,7 +632,7 @@ func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, ol
 }
 
 func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opts ...root.CreateUserOption) (*types.User, error) {
-	existingUser, err := module.store.GetUserByEmailAndOrgID(ctx, user.Email, user.OrgID)
+	existingUser, err := module.GetNonDeletedUserByEmailAndOrgID(ctx, user.Email, user.OrgID)
 	if err != nil {
 		if !errors.Ast(err, errors.TypeNotFound) {
 			return nil, err
@@ -485,6 +640,16 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 	}
 
 	if existingUser != nil {
+		// for users logging through SSO flow but are having status as pending_invite
+		if existingUser.Status == types.UserStatusPendingInvite {
+			// respect the role coming from the SSO
+			existingUser.Update("", user.Role)
+			// activate the user
+			if err = module.activatePendingUser(ctx, existingUser); err != nil {
+				return nil, err
+			}
+		}
+
 		return existingUser, nil
 	}
 
@@ -561,12 +726,15 @@ func (module *Module) CreateFirstUser(ctx context.Context, organization *types.O
 
 func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
 	stats := make(map[string]any)
-	count, err := module.store.CountByOrgID(ctx, orgID)
+	counts, err := module.store.CountByOrgIDAndStatuses(ctx, orgID, []string{types.UserStatusActive.StringValue(), types.UserStatusDeleted.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err == nil {
-		stats["user.count"] = count
+		stats["user.count"] = counts[types.UserStatusActive] + counts[types.UserStatusDeleted] + counts[types.UserStatusPendingInvite]
+		stats["user.count.active"] = counts[types.UserStatusActive]
+		stats["user.count.deleted"] = counts[types.UserStatusDeleted]
+		stats["user.count.pending_invite"] = counts[types.UserStatusPendingInvite]
 	}
 
-	count, err = module.store.CountAPIKeyByOrgID(ctx, orgID)
+	count, err := module.store.CountAPIKeyByOrgID(ctx, orgID)
 	if err == nil {
 		stats["factor.api_key.count"] = count
 	}
@@ -574,6 +742,28 @@ func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 	return stats, nil
 }
 
+// this function restricts that only one non-deleted user email can exist for an org ID, if found more, it throws an error
+func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
+	existingUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	// filter out the deleted users
+	existingUsers = slices.DeleteFunc(existingUsers, func(user *types.User) bool { return user.ErrIfDeleted() != nil })
+
+	if len(existingUsers) > 1 {
+		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "Multiple non-deleted users found for email %s in org_id: %s", email.StringValue(), orgID.StringValue())
+	}
+
+	if len(existingUsers) == 1 {
+		return existingUsers[0], nil
+	}
+
+	return nil, errors.Newf(errors.TypeNotFound, errors.CodeNotFound, "No non-deleted user found with email %s in org_id: %s", email.StringValue(), orgID.StringValue())
+
+}
+
 func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
 	createUserOpts := root.NewCreateUserOptions(opts...)
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
@@ -598,3 +788,25 @@ func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.U
 
 	return nil
 }
+
+func (module *Module) activatePendingUser(ctx context.Context, user *types.User) error {
+	err := module.authz.Grant(
+		ctx,
+		user.OrgID,
+		[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+		authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
+	)
+	if err != nil {
+		return err
+	}
+
+	if err := user.UpdateStatus(types.UserStatusActive); err != nil {
+		return err
+	}
+	err = module.store.UpdateUser(ctx, user.OrgID, user)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/modules/user/impluser/service.go

@@ -143,7 +143,7 @@ func (s *service) reconcileRootUser(ctx context.Context, orgID valuer.UUID) erro
 }
 
 func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID) error {
-	existingUser, err := s.store.GetUserByEmailAndOrgID(ctx, s.config.Email, orgID)
+	existingUser, err := s.module.GetNonDeletedUserByEmailAndOrgID(ctx, s.config.Email, orgID)
 	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
 		return err
 	}

pkg/modules/user/impluser/store.go

@@ -25,77 +25,6 @@ func NewStore(sqlstore sqlstore.SQLStore, settings factory.ProviderSettings) typ
 	return &store{sqlstore: sqlstore, settings: settings}
 }
 
-// CreateBulkInvite implements types.InviteStore.
-func (store *store) CreateBulkInvite(ctx context.Context, invites []*types.Invite) error {
-	_, err := store.sqlstore.BunDB().NewInsert().
-		Model(&invites).
-		Exec(ctx)
-
-	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, types.ErrInviteAlreadyExists, "invite with email: %s already exists in org: %s", invites[0].Email, invites[0].OrgID)
-	}
-	return nil
-}
-
-// Delete implements types.InviteStore.
-func (store *store) DeleteInvite(ctx context.Context, orgID string, id valuer.UUID) error {
-	_, err := store.sqlstore.BunDB().NewDelete().
-		Model(&types.Invite{}).
-		Where("org_id = ?", orgID).
-		Where("id = ?", id).
-		Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapNotFoundErrf(err, types.ErrInviteNotFound, "invite with id: %s does not exist in org: %s", id.StringValue(), orgID)
-	}
-	return nil
-}
-
-func (store *store) GetInviteByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.Invite, error) {
-	invite := new(types.Invite)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).NewSelect().
-		Model(invite).
-		Where("email = ?", email).
-		Where("org_id = ?", orgID).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrInviteNotFound, "invite with email %s does not exist in org %s", email, orgID)
-	}
-
-	return invite, nil
-}
-
-func (store *store) GetInviteByToken(ctx context.Context, token string) (*types.GettableInvite, error) {
-	invite := new(types.Invite)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(invite).
-		Where("token = ?", token).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrInviteNotFound, "invite does not exist", token)
-	}
-
-	return invite, nil
-}
-
-func (store *store) ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error) {
-	invites := new([]*types.Invite)
-	err := store.sqlstore.BunDB().NewSelect().
-		Model(invites).
-		Where("org_id = ?", orgID).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrInviteNotFound, "invite with org id: %s does not exist", orgID)
-	}
-	return *invites, nil
-}
-
 func (store *store) CreatePassword(ctx context.Context, password *types.FactorPassword) error {
 	_, err := store.
 		sqlstore.
@@ -175,24 +104,25 @@ func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id v
 	return user, nil
 }
 
-func (store *store) GetUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.User, error) {
+	var users []*types.User
+
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
 		NewSelect().
-		Model(user).
+		Model(&users).
 		Where("org_id = ?", orgID).
 		Where("email = ?", email).
 		Scan(ctx)
 	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with email %s does not exist in org %s", email, orgID)
+		return nil, err
 	}
 
-	return user, nil
+	return users, nil
 }
 
-func (store *store) GetUsersByRoleAndOrgID(ctx context.Context, role types.Role, orgID valuer.UUID) ([]*types.User, error) {
+func (store *store) GetActiveUsersByRoleAndOrgID(ctx context.Context, role types.Role, orgID valuer.UUID) ([]*types.User, error) {
 	var users []*types.User
 
 	err := store.
@@ -202,6 +132,7 @@ func (store *store) GetUsersByRoleAndOrgID(ctx context.Context, role types.Role,
 		Model(&users).
 		Where("org_id = ?", orgID).
 		Where("role = ?", role).
+		Where("status = ?", types.UserStatusActive.StringValue()).
 		Scan(ctx)
 	if err != nil {
 		return nil, err
@@ -221,6 +152,7 @@ func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *typ
 		Column("role").
 		Column("is_root").
 		Column("updated_at").
+		Column("status").
 		Where("org_id = ?", orgID).
 		Where("id = ?", user.ID).
 		Exec(ctx)
@@ -331,10 +263,98 @@ func (store *store) DeleteUser(ctx context.Context, orgID string, id string) err
 	return nil
 }
 
+func (store *store) SoftDeleteUser(ctx context.Context, orgID string, id string) error {
+	tx, err := store.sqlstore.BunDB().BeginTx(ctx, nil)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to start transaction")
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	// get the password id
+
+	var password types.FactorPassword
+	err = tx.NewSelect().
+		Model(&password).
+		Where("user_id = ?", id).
+		Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete password")
+	}
+
+	// delete reset password request
+	_, err = tx.NewDelete().
+		Model(new(types.ResetPasswordToken)).
+		Where("password_id = ?", password.ID.String()).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete reset password request")
+	}
+
+	// delete factor password
+	_, err = tx.NewDelete().
+		Model(new(types.FactorPassword)).
+		Where("user_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete factor password")
+	}
+
+	// delete api keys
+	_, err = tx.NewDelete().
+		Model(&types.StorableAPIKey{}).
+		Where("user_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete API keys")
+	}
+
+	// delete user_preference
+	_, err = tx.NewDelete().
+		Model(new(preferencetypes.StorableUserPreference)).
+		Where("user_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete user preferences")
+	}
+
+	// delete tokens
+	_, err = tx.NewDelete().
+		Model(new(authtypes.StorableToken)).
+		Where("user_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete tokens")
+	}
+
+	// soft delete user
+	now := time.Now()
+	_, err = tx.NewUpdate().
+		Model(new(types.User)).
+		Set("status = ?", types.UserStatusDeleted).
+		Set("deleted_at = ?", now).
+		Set("updated_at = ?", now).
+		Where("org_id = ?", orgID).
+		Where("id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete user")
+	}
+
+	err = tx.Commit()
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to commit transaction")
+	}
+
+	return nil
+}
+
 func (store *store) CreateResetPasswordToken(ctx context.Context, resetPasswordToken *types.ResetPasswordToken) error {
 	_, err := store.
 		sqlstore.
-		BunDB().
+		BunDBCtx(ctx).
 		NewInsert().
 		Model(resetPasswordToken).
 		Exec(ctx)
@@ -367,7 +387,7 @@ func (store *store) GetPasswordByUserID(ctx context.Context, userID valuer.UUID)
 
 	err := store.
 		sqlstore.
-		BunDB().
+		BunDBCtx(ctx).
 		NewSelect().
 		Model(password).
 		Where("user_id = ?", userID).
@@ -383,7 +403,7 @@ func (store *store) GetResetPasswordTokenByPasswordID(ctx context.Context, passw
 
 	err := store.
 		sqlstore.
-		BunDB().
+		BunDBCtx(ctx).
 		NewSelect().
 		Model(resetPasswordToken).
 		Where("password_id = ?", passwordID).
@@ -396,7 +416,7 @@ func (store *store) GetResetPasswordTokenByPasswordID(ctx context.Context, passw
 }
 
 func (store *store) DeleteResetPasswordTokenByPasswordID(ctx context.Context, passwordID valuer.UUID) error {
-	_, err := store.sqlstore.BunDB().NewDelete().
+	_, err := store.sqlstore.BunDBCtx(ctx).NewDelete().
 		Model(&types.ResetPasswordToken{}).
 		Where("password_id = ?", passwordID).
 		Exec(ctx)
@@ -418,23 +438,14 @@ func (store *store) GetResetPasswordToken(ctx context.Context, token string) (*t
 		Where("token = ?", token).
 		Scan(ctx)
 	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrResetPasswordTokenNotFound, "reset password token does not exist", token)
+		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrResetPasswordTokenNotFound, "reset password token does not exist")
 	}
 
 	return resetPasswordRequest, nil
 }
 
 func (store *store) UpdatePassword(ctx context.Context, factorPassword *types.FactorPassword) error {
-	tx, err := store.sqlstore.BunDB().BeginTx(ctx, nil)
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = tx.Rollback()
-	}()
-
-	_, err = tx.
+	_, err := store.sqlstore.BunDBCtx(ctx).
 		NewUpdate().
 		Model(factorPassword).
 		Where("user_id = ?", factorPassword.UserID).
@@ -443,20 +454,6 @@ func (store *store) UpdatePassword(ctx context.Context, factorPassword *types.Fa
 		return store.sqlstore.WrapNotFoundErrf(err, types.ErrPasswordNotFound, "password for user %s does not exist", factorPassword.UserID)
 	}
 
-	_, err = tx.
-		NewDelete().
-		Model(&types.ResetPasswordToken{}).
-		Where("password_id = ?", factorPassword.ID).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	err = tx.Commit()
-	if err != nil {
-		return err
-	}
-
 	return nil
 }
 
@@ -582,6 +579,36 @@ func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64,
 	return int64(count), nil
 }
 
+func (store *store) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error) {
+	user := new(types.User)
+	var results []struct {
+		Status valuer.String `bun:"status"`
+		Count  int64         `bun:"count"`
+	}
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(user).
+		ColumnExpr("status").
+		ColumnExpr("COUNT(*) AS count").
+		Where("org_id = ?", orgID.StringValue()).
+		Where("status IN (?)", bun.In(statuses)).
+		GroupExpr("status").
+		Scan(ctx, &results)
+	if err != nil {
+		return nil, err
+	}
+
+	counts := make(map[valuer.String]int64, len(results))
+	for _, r := range results {
+		counts[r.Status] = r.Count
+	}
+
+	return counts, nil
+}
+
 func (store *store) CountAPIKeyByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
 	apiKey := new(types.StorableAPIKey)
 
@@ -638,3 +665,41 @@ func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.
 
 	return users, nil
 }
+
+func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.User, error) {
+	user := new(types.User)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(user).
+		Join(`JOIN factor_password ON factor_password.user_id = "user".id`).
+		Join("JOIN reset_password_token ON reset_password_token.password_id = factor_password.id").
+		Where("reset_password_token.token = ?", token).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user not found for reset password token")
+	}
+
+	return user, nil
+}
+
+func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.User, error) {
+	users := []*types.User{}
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&users).
+		Where("email IN (?)", bun.In(emails)).
+		Where("org_id = ?", orgID).
+		Where("status in (?)", bun.In(statuses)).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}

pkg/modules/user/user.go

@@ -42,7 +42,6 @@ type Module interface {
 	// invite
 	CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error)
 	ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error)
-	DeleteInvite(ctx context.Context, orgID string, id valuer.UUID) error
 	AcceptInvite(ctx context.Context, token string, password string) (*types.User, error)
 	GetInviteByToken(ctx context.Context, token string) (*types.Invite, error)
 
@@ -53,6 +52,8 @@ type Module interface {
 	RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UUID) error
 	GetAPIKey(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableAPIKeyUser, error)
 
+	GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error)
+
 	statsreporter.StatsCollector
 }
 
@@ -78,6 +79,9 @@ type Getter interface {
 	// Count users by org id.
 	CountByOrgID(context.Context, valuer.UUID) (int64, error)
 
+	// Count of users by org id and grouped by status.
+	CountByOrgIDAndStatuses(context.Context, valuer.UUID, []string) (map[valuer.String]int64, error)
+
 	// Get factor password by user id.
 	GetFactorPasswordByUserID(context.Context, valuer.UUID) (*types.FactorPassword, error)
 }

pkg/prometheus/clickhouseprometheus/client.go

@@ -6,6 +6,7 @@ import (
 	"math"
 	"strconv"
 	"strings"
+	"sync"
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
@@ -90,6 +91,41 @@ func (client *client) Read(ctx context.Context, query *prompb.Query, sortSeries
 	return remote.FromQueryResult(sortSeries, res), nil
 }
 
+func (c *client) ReadMultiple(ctx context.Context, queries []*prompb.Query, sortSeries bool) (storage.SeriesSet, error) {
+	if len(queries) == 0 {
+		return storage.EmptySeriesSet(), nil
+	}
+	if len(queries) == 1 {
+		return c.Read(ctx, queries[0], sortSeries)
+	}
+
+	type result struct {
+		ss  storage.SeriesSet
+		err error
+	}
+
+	results := make([]result, len(queries))
+	var wg sync.WaitGroup
+	wg.Add(len(queries))
+	for i, q := range queries {
+		go func(i int, q *prompb.Query) {
+			defer wg.Done()
+			ss, err := c.Read(ctx, q, sortSeries)
+			results[i] = result{ss, err}
+		}(i, q)
+	}
+	wg.Wait()
+
+	sets := make([]storage.SeriesSet, 0, len(queries))
+	for _, r := range results {
+		if r.err != nil {
+			return nil, r.err
+		}
+		sets = append(sets, r.ss)
+	}
+	return storage.NewMergeSeriesSet(sets, 0, storage.ChainedSeriesMerge), nil
+}
+
 func (client *client) queryToClickhouseQuery(_ context.Context, query *prompb.Query, metricName string, subQuery bool) (string, []any, error) {
 	var clickHouseQuery string
 	var conditions []string

pkg/prometheus/utils.go

@@ -2,6 +2,7 @@ package prometheus
 
 import (
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/prometheus/prometheus/model/labels"
 	"github.com/prometheus/prometheus/promql"
 )
 
@@ -10,35 +11,22 @@ func RemoveExtraLabels(res *promql.Result, labelsToRemove ...string) error {
 		return nil
 	}
 
-	toRemove := make(map[string]struct{}, len(labelsToRemove))
-	for _, l := range labelsToRemove {
-		toRemove[l] = struct{}{}
-	}
-
 	switch res.Value.(type) {
 	case promql.Vector:
 		value := res.Value.(promql.Vector)
 		for i := range value {
-			series := &(value)[i]
-			dst := series.Metric[:0]
-			for _, lbl := range series.Metric {
-				if _, drop := toRemove[lbl.Name]; !drop {
-					dst = append(dst, lbl)
-				}
-			}
-			series.Metric = dst
+			b := labels.NewBuilder(value[i].Metric)
+			b.Del(labelsToRemove...)
+			newLabels := b.Labels()
+			value[i].Metric = newLabels
 		}
 	case promql.Matrix:
 		value := res.Value.(promql.Matrix)
 		for i := range value {
-			series := &(value)[i]
-			dst := series.Metric[:0]
-			for _, lbl := range series.Metric {
-				if _, drop := toRemove[lbl.Name]; !drop {
-					dst = append(dst, lbl)
-				}
-			}
-			series.Metric = dst
+			b := labels.NewBuilder(value[i].Metric)
+			b.Del(labelsToRemove...)
+			newLabels := b.Labels()
+			value[i].Metric = newLabels
 		}
 	case promql.Scalar:
 		return nil

pkg/querier/builder_query.go

@@ -10,13 +10,11 @@ import (
 
 	"github.com/ClickHouse/clickhouse-go/v2"
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/telemetrylogs"
 	"github.com/SigNoz/signoz/pkg/telemetrystore"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	"github.com/SigNoz/signoz/pkg/types/instrumentationtypes"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-	"github.com/bytedance/sonic"
 )
 
 type builderQuery[T any] struct {
@@ -262,40 +260,6 @@ func (q *builderQuery[T]) executeWithContext(ctx context.Context, query string,
 		return nil, err
 	}
 
-	// merge body_json and promoted into body
-	if q.spec.Signal == telemetrytypes.SignalLogs {
-		switch typedPayload := payload.(type) {
-		case *qbtypes.RawData:
-			for _, rr := range typedPayload.Rows {
-				seeder := func() error {
-					body, ok := rr.Data[telemetrylogs.LogsV2BodyJSONColumn].(map[string]any)
-					if !ok {
-						return nil
-					}
-					promoted, ok := rr.Data[telemetrylogs.LogsV2BodyPromotedColumn].(map[string]any)
-					if !ok {
-						return nil
-					}
-					seed(promoted, body)
-					str, err := sonic.MarshalString(body)
-					if err != nil {
-						return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to marshal body")
-					}
-					rr.Data["body"] = str
-					return nil
-				}
-				err := seeder()
-				if err != nil {
-					return nil, err
-				}
-
-				delete(rr.Data, telemetrylogs.LogsV2BodyJSONColumn)
-				delete(rr.Data, telemetrylogs.LogsV2BodyPromotedColumn)
-			}
-			payload = typedPayload
-		}
-	}
-
 	return &qbtypes.Result{
 		Type:  q.kind,
 		Value: payload,
@@ -423,18 +387,3 @@ func decodeCursor(cur string) (int64, error) {
 	}
 	return strconv.ParseInt(string(b), 10, 64)
 }
-
-func seed(promoted map[string]any, body map[string]any) {
-	for key, fromValue := range promoted {
-		if toValue, ok := body[key]; !ok {
-			body[key] = fromValue
-		} else {
-			if fromValue, ok := fromValue.(map[string]any); ok {
-				if toValue, ok := toValue.(map[string]any); ok {
-					seed(fromValue, toValue)
-					body[key] = toValue
-				}
-			}
-		}
-	}
-}

pkg/querier/consume.go

@@ -14,7 +14,6 @@ import (
 	"github.com/ClickHouse/clickhouse-go/v2/lib/driver"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-	"github.com/bytedance/sonic"
 )
 
 var (
@@ -394,17 +393,11 @@ func readAsRaw(rows driver.Rows, queryName string) (*qbtypes.RawData, error) {
 
 			// de-reference the typed pointer to any
 			val := reflect.ValueOf(cellPtr).Elem().Interface()
-
-			// Post-process JSON columns: normalize into structured values
+			// Post-process JSON columns: normalize into String value
 			if strings.HasPrefix(strings.ToUpper(colTypes[i].DatabaseTypeName()), "JSON") {
 				switch x := val.(type) {
 				case []byte:
-					if len(x) > 0 {
-						var v any
-						if err := sonic.Unmarshal(x, &v); err == nil {
-							val = v
-						}
-					}
+					val = string(x)
 				default:
 					// already a structured type (map[string]any, []any, etc.)
 				}

pkg/querier/promql_query.go

@@ -18,6 +18,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/instrumentationtypes"
 	qbv5 "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
+	"github.com/prometheus/prometheus/model/labels"
 	"github.com/prometheus/prometheus/promql"
 	"github.com/prometheus/prometheus/promql/parser"
 )
@@ -254,17 +255,16 @@ func (q *promqlQuery) Execute(ctx context.Context) (*qbv5.Result, error) {
 	var series []*qbv5.TimeSeries
 	for _, v := range matrix {
 		var s qbv5.TimeSeries
-		lbls := make([]*qbv5.Label, 0, len(v.Metric))
-		for name, value := range v.Metric.Copy().Map() {
-			if excludeLabel(name) {
-				continue
+		lbls := make([]*qbv5.Label, 0, v.Metric.Len())
+		v.Metric.Range(func(l labels.Label) {
+			if excludeLabel(l.Name) {
+				return
 			}
 			lbls = append(lbls, &qbv5.Label{
-				Key:   telemetrytypes.TelemetryFieldKey{Name: name},
-				Value: value,
+				Key:   telemetrytypes.TelemetryFieldKey{Name: l.Name},
+				Value: l.Value,
 			})
-		}
-
+		})
 		s.Labels = lbls
 
 		for idx := range v.Floats {

pkg/query-service/rules/prom_rule.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/prometheus"
-	"github.com/SigNoz/signoz/pkg/units"
 	"github.com/SigNoz/signoz/pkg/query-service/interfaces"
 	"github.com/SigNoz/signoz/pkg/query-service/model"
 	v3 "github.com/SigNoz/signoz/pkg/query-service/model/v3"
@@ -18,7 +17,9 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/utils/timestamp"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/ruletypes"
+	"github.com/SigNoz/signoz/pkg/units"
 	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/prometheus/prometheus/model/labels"
 	"github.com/prometheus/prometheus/promql"
 )
 
@@ -461,12 +462,12 @@ func toCommonSeries(series promql.Series) v3.Series {
 		Points:      make([]v3.Point, 0),
 	}
 
-	for _, lbl := range series.Metric {
+	series.Metric.Range(func(lbl labels.Label) {
 		commonSeries.Labels[lbl.Name] = lbl.Value
 		commonSeries.LabelsArray = append(commonSeries.LabelsArray, map[string]string{
 			lbl.Name: lbl.Value,
 		})
-	}
+	})
 
 	for _, f := range series.Floats {
 		commonSeries.Points = append(commonSeries.Points, v3.Point{

pkg/querybuilder/fallback_expr.go

@@ -204,7 +204,10 @@ func DataTypeCollisionHandledFieldName(key *telemetrytypes.TelemetryFieldKey, va
 	// While we expect user not to send the mixed data types, it inevitably happens
 	// So we handle the data type collisions here
 	switch key.FieldDataType {
-	case telemetrytypes.FieldDataTypeString, telemetrytypes.FieldDataTypeArrayString:
+	case telemetrytypes.FieldDataTypeString, telemetrytypes.FieldDataTypeArrayString, telemetrytypes.FieldDataTypeJSON:
+		if key.FieldDataType == telemetrytypes.FieldDataTypeJSON {
+			tblFieldName = fmt.Sprintf("toString(%s)", tblFieldName)
+		}
 		switch v := value.(type) {
 		case float64:
 			// try to convert the string value to to number
@@ -219,7 +222,6 @@ func DataTypeCollisionHandledFieldName(key *telemetrytypes.TelemetryFieldKey, va
 			// we don't have a toBoolOrNull in ClickHouse, so we need to convert the bool to a string
 			value = fmt.Sprintf("%t", v)
 		}
-
 	case telemetrytypes.FieldDataTypeInt64,
 		telemetrytypes.FieldDataTypeArrayInt64,
 		telemetrytypes.FieldDataTypeNumber,

pkg/querybuilder/where_clause_visitor.go

@@ -313,37 +313,30 @@ func (v *filterExpressionVisitor) VisitPrimary(ctx *grammar.PrimaryContext) any
 			return ""
 		}
 		child := ctx.GetChild(0)
+		var searchText string
 		if keyCtx, ok := child.(*grammar.KeyContext); ok {
 			// create a full text search condition on the body field
-
-			keyText := keyCtx.GetText()
-			cond, err := v.conditionBuilder.ConditionFor(context.Background(), v.fullTextColumn, qbtypes.FilterOperatorRegexp, FormatFullTextSearch(keyText), v.builder, v.startNs, v.endNs)
-			if err != nil {
-				v.errors = append(v.errors, fmt.Sprintf("failed to build full text search condition: %s", err.Error()))
-				return ""
-			}
-			return cond
+			searchText = keyCtx.GetText()
 		} else if valCtx, ok := child.(*grammar.ValueContext); ok {
-			var text string
 			if valCtx.QUOTED_TEXT() != nil {
-				text = trimQuotes(valCtx.QUOTED_TEXT().GetText())
+				searchText = trimQuotes(valCtx.QUOTED_TEXT().GetText())
 			} else if valCtx.NUMBER() != nil {
-				text = valCtx.NUMBER().GetText()
+				searchText = valCtx.NUMBER().GetText()
 			} else if valCtx.BOOL() != nil {
-				text = valCtx.BOOL().GetText()
+				searchText = valCtx.BOOL().GetText()
 			} else if valCtx.KEY() != nil {
-				text = valCtx.KEY().GetText()
+				searchText = valCtx.KEY().GetText()
 			} else {
 				v.errors = append(v.errors, fmt.Sprintf("unsupported value type: %s", valCtx.GetText()))
 				return ""
 			}
-			cond, err := v.conditionBuilder.ConditionFor(context.Background(), v.fullTextColumn, qbtypes.FilterOperatorRegexp, FormatFullTextSearch(text), v.builder, v.startNs, v.endNs)
-			if err != nil {
-				v.errors = append(v.errors, fmt.Sprintf("failed to build full text search condition: %s", err.Error()))
-				return ""
-			}
-			return cond
 		}
+		cond, err := v.conditionBuilder.ConditionFor(context.Background(), v.fullTextColumn, qbtypes.FilterOperatorRegexp, FormatFullTextSearch(searchText), v.builder, v.startNs, v.endNs)
+		if err != nil {
+			v.errors = append(v.errors, fmt.Sprintf("failed to build full text search condition: %s", err.Error()))
+			return ""
+		}
+		return cond
 	}
 
 	return "" // Should not happen with valid input
@@ -383,6 +376,7 @@ func (v *filterExpressionVisitor) VisitComparison(ctx *grammar.ComparisonContext
 		for _, key := range keys {
 			condition, err := v.conditionBuilder.ConditionFor(context.Background(), key, op, nil, v.builder, v.startNs, v.endNs)
 			if err != nil {
+				v.errors = append(v.errors, fmt.Sprintf("failed to build condition: %s", err.Error()))
 				return ""
 			}
 			conds = append(conds, condition)
@@ -648,7 +642,6 @@ func (v *filterExpressionVisitor) VisitValueList(ctx *grammar.ValueListContext)
 
 // VisitFullText handles standalone quoted strings for full-text search
 func (v *filterExpressionVisitor) VisitFullText(ctx *grammar.FullTextContext) any {
-
 	if v.skipFullTextFilter {
 		return ""
 	}
@@ -670,6 +663,7 @@ func (v *filterExpressionVisitor) VisitFullText(ctx *grammar.FullTextContext) an
 		v.errors = append(v.errors, fmt.Sprintf("failed to build full text search condition: %s", err.Error()))
 		return ""
 	}
+
 	return cond
 }
 

pkg/signoz/provider.go

@@ -170,6 +170,8 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewAddRootUserFactory(sqlstore, sqlschema),
 		sqlmigration.NewAddUserEmailOrgIDIndexFactory(sqlstore, sqlschema),
 		sqlmigration.NewMigrateRulesV4ToV5Factory(sqlstore, telemetryStore),
+		sqlmigration.NewAddStatusUserFactory(sqlstore, sqlschema),
+		sqlmigration.NewDeprecateUserInviteFactory(sqlstore, sqlschema),
 	)
 }
 

pkg/sqlmigration/067_add_status_user.go

@@ -0,0 +1,109 @@
+package sqlmigration
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addStatusUser struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+func NewAddStatusUserFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(
+		factory.MustNewName("add_status_user"),
+		func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+			return &addStatusUser{
+				sqlstore:  sqlstore,
+				sqlschema: sqlschema,
+			}, nil
+		},
+	)
+}
+
+func (migration *addStatusUser) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addStatusUser) Up(ctx context.Context, db *bun.DB) error {
+	if err := migration.sqlschema.ToggleFKEnforcement(ctx, db, false); err != nil {
+		return err
+	}
+
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	table, uniqueConstraints, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("users"))
+	if err != nil {
+		return err
+	}
+
+	statusColumn := &sqlschema.Column{
+		Name:     sqlschema.ColumnName("status"),
+		DataType: sqlschema.DataTypeText,
+		Nullable: false,
+	}
+
+	sqls := migration.sqlschema.Operator().AddColumn(table, uniqueConstraints, statusColumn, "active")
+
+	// add deleted_at (zero time = not deleted, non-zero = deletion timestamp) to enable the
+	// composite unique index that replaces the partial index approach
+	deletedAtColumn := &sqlschema.Column{
+		Name:     sqlschema.ColumnName("deleted_at"),
+		DataType: sqlschema.DataTypeTimestamp,
+		Nullable: false,
+	}
+
+	sqls = append(sqls, migration.sqlschema.Operator().AddColumn(table, uniqueConstraints, deletedAtColumn, time.Time{})...)
+
+	// we need to drop the unique index on (email, org_id)
+	sqls = append(sqls, migration.sqlschema.Operator().DropIndex(&sqlschema.UniqueIndex{TableName: "users", ColumnNames: []sqlschema.ColumnName{"email", "org_id"}})...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	// add a composite unique index on (org_id, email, deleted_at).
+	// active and pending users have deleted_at=time.Time{} (zero), forming a unique (org_id, email, zero) tuple.
+	// soft-deleted users have deleted_at set to the deletion timestamp, making each deleted row unique
+	// and allowing the same email to be re-invited after deletion without a constraint violation.
+	newIndexSqls := migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "users", ColumnNames: []sqlschema.ColumnName{"org_id", "email", "deleted_at"}})
+	for _, sql := range newIndexSqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	if err := migration.sqlschema.ToggleFKEnforcement(ctx, db, true); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addStatusUser) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}

pkg/sqlmigration/068_deprecate_user_invite.go

@@ -0,0 +1,154 @@
+package sqlmigration
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type deprecateUserInvite struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+type userInviteRow struct {
+	bun.BaseModel `bun:"table:user_invite"`
+
+	ID        string    `bun:"id"`
+	Name      string    `bun:"name"`
+	Email     string    `bun:"email"`
+	Role      string    `bun:"role"`
+	OrgID     string    `bun:"org_id"`
+	Token     string    `bun:"token"`
+	CreatedAt time.Time `bun:"created_at"`
+	UpdatedAt time.Time `bun:"updated_at"`
+}
+
+type pendingInviteUser struct {
+	bun.BaseModel `bun:"table:users"`
+
+	ID          string    `bun:"id"`
+	DisplayName string    `bun:"display_name"`
+	Email       string    `bun:"email"`
+	Role        string    `bun:"role"`
+	OrgID       string    `bun:"org_id"`
+	IsRoot      bool      `bun:"is_root"`
+	Status      string    `bun:"status"`
+	CreatedAt   time.Time `bun:"created_at"`
+	UpdatedAt   time.Time `bun:"updated_at"`
+	DeletedAt   time.Time `bun:"deleted_at"`
+}
+
+func NewDeprecateUserInviteFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(
+		factory.MustNewName("deprecate_user_invite"),
+		func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+			return &deprecateUserInvite{
+				sqlstore:  sqlstore,
+				sqlschema: sqlschema,
+			}, nil
+		},
+	)
+}
+
+func (migration *deprecateUserInvite) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *deprecateUserInvite) Up(ctx context.Context, db *bun.DB) error {
+	table, _, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("user_invite"))
+	if err != nil {
+		if err == sql.ErrNoRows || errors.Ast(err, errors.TypeNotFound) {
+			return nil
+		}
+		return err
+	}
+
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	// existing invites
+	var invites []*userInviteRow
+	err = tx.NewSelect().Model(&invites).Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return err
+	}
+
+	// move all invitations to the users table as a pending_invite user
+	// skipping any invite whose email+org already has a user entry with non-deleted status
+	users := make([]*pendingInviteUser, 0, len(invites))
+
+	for _, invite := range invites {
+		existingCount, err := tx.NewSelect().
+			TableExpr("users").
+			Where("email = ?", invite.Email).
+			Where("org_id = ?", invite.OrgID).
+			Where("status != ?", "deleted").
+			Count(ctx)
+		if err != nil {
+			return err
+		}
+
+		if existingCount > 0 {
+			continue
+		}
+
+		user := &pendingInviteUser{
+			ID:          invite.ID,
+			DisplayName: invite.Name,
+			Email:       invite.Email,
+			Role:        invite.Role,
+			OrgID:       invite.OrgID,
+			IsRoot:      false,
+			Status:      "pending_invite",
+			CreatedAt:   invite.CreatedAt,
+			UpdatedAt:   time.Now(),
+			DeletedAt:   time.Time{},
+		}
+
+		users = append(users, user)
+	}
+
+	if len(users) > 0 {
+		_, err = tx.NewInsert().Model(&users).Exec(ctx)
+		if err != nil {
+			return err
+		}
+	}
+
+	// finally drop the user_invite table
+	dropTableSqls := migration.sqlschema.Operator().DropTable(table)
+
+	for _, sql := range dropTableSqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *deprecateUserInvite) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}

pkg/telemetrylogs/condition_builder.go

@@ -3,14 +3,12 @@ package telemetrylogs
 import (
 	"context"
 	"fmt"
-	"slices"
 
 	schema "github.com/SigNoz/signoz-otel-collector/cmd/signozschemamigrator/schema_migrator"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/querybuilder"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-	"golang.org/x/exp/maps"
 
 	"github.com/huandu/go-sqlbuilder"
 )
@@ -35,7 +33,7 @@ func (c *conditionBuilder) conditionFor(
 		return "", err
 	}
 
-	if column.IsJSONColumn() && querybuilder.BodyJSONQueryEnabled {
+	if column.Type.GetType() == schema.ColumnTypeEnumJSON && querybuilder.BodyJSONQueryEnabled && key.FieldContext != telemetrytypes.FieldContextLog {
 		valueType, value := InferDataType(value, operator, key)
 		cond, err := NewJSONConditionBuilder(key, valueType).buildJSONCondition(operator, value, sb)
 		if err != nil {
@@ -108,7 +106,6 @@ func (c *conditionBuilder) conditionFor(
 		return sb.ILike(tblFieldName, fmt.Sprintf("%%%s%%", value)), nil
 	case qbtypes.FilterOperatorNotContains:
 		return sb.NotILike(tblFieldName, fmt.Sprintf("%%%s%%", value)), nil
-
 	case qbtypes.FilterOperatorRegexp:
 		// Note: Escape $$ to $$$$ to avoid sqlbuilder interpreting materialized $ signs
 		// Only needed because we are using sprintf instead of sb.Match (not implemented in sqlbuilder)
@@ -176,9 +173,16 @@ func (c *conditionBuilder) conditionFor(
 		var value any
 		switch column.Type.GetType() {
 		case schema.ColumnTypeEnumJSON:
-			if operator == qbtypes.FilterOperatorExists {
-				return sb.IsNotNull(tblFieldName), nil
-			} else {
+			switch key.FieldDataType {
+			case telemetrytypes.FieldDataTypeJSON:
+				if operator == qbtypes.FilterOperatorExists {
+					return sb.EQ(fmt.Sprintf("empty(%s)", tblFieldName), false), nil
+				}
+				return sb.EQ(fmt.Sprintf("empty(%s)", tblFieldName), true), nil
+			default:
+				if operator == qbtypes.FilterOperatorExists {
+					return sb.IsNotNull(tblFieldName), nil
+				}
 				return sb.IsNull(tblFieldName), nil
 			}
 		case schema.ColumnTypeEnumLowCardinality:
@@ -247,19 +251,32 @@ func (c *conditionBuilder) ConditionFor(
 		return "", err
 	}
 
-	if !(key.FieldContext == telemetrytypes.FieldContextBody && querybuilder.BodyJSONQueryEnabled) && operator.AddDefaultExistsFilter() {
-		// skip adding exists filter for intrinsic fields
-		// with an exception for body json search
-		field, _ := c.fm.FieldFor(ctx, key)
-		if slices.Contains(maps.Keys(IntrinsicFields), field) && key.FieldContext != telemetrytypes.FieldContextBody {
+	// Skip adding exists filter for intrinsic fields i.e. Table level log context fields
+	buildExistCondition := operator.AddDefaultExistsFilter()
+	switch key.FieldContext {
+	case telemetrytypes.FieldContextLog, telemetrytypes.FieldContextScope:
+		// pass; No need to build exist condition for top level columns
+		// immidiately return
+		return condition, nil
+	case telemetrytypes.FieldContextResource, telemetrytypes.FieldContextAttribute:
+		buildExistCondition = buildExistCondition && true
+	case telemetrytypes.FieldContextBody:
+		// Querying JSON fields already account for Nullability of fields
+		// so additional exists checks are not needed
+		if querybuilder.BodyJSONQueryEnabled {
 			return condition, nil
 		}
 
+		buildExistCondition = buildExistCondition && true
+	}
+
+	if buildExistCondition {
 		existsCondition, err := c.conditionFor(ctx, key, qbtypes.FilterOperatorExists, nil, sb)
 		if err != nil {
 			return "", err
 		}
 		return sb.And(condition, existsCondition), nil
 	}
+
 	return condition, nil
 }

pkg/telemetrylogs/condition_builder_test.go

@@ -127,7 +127,8 @@ func TestConditionFor(t *testing.T) {
 		{
 			name: "Contains operator - body",
 			key: telemetrytypes.TelemetryFieldKey{
-				Name: "body",
+				Name:         "body",
+				FieldContext: telemetrytypes.FieldContextLog,
 			},
 			operator:      qbtypes.FilterOperatorContains,
 			value:         521509198310,

pkg/telemetrylogs/const.go

@@ -1,7 +1,10 @@
 package telemetrylogs
 
 import (
+	"fmt"
+
 	"github.com/SigNoz/signoz-otel-collector/constants"
+	"github.com/SigNoz/signoz/pkg/querybuilder"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 )
@@ -17,7 +20,7 @@ const (
 	LogsV2TimestampColumn         = "timestamp"
 	LogsV2ObservedTimestampColumn = "observed_timestamp"
 	LogsV2BodyColumn              = "body"
-	LogsV2BodyJSONColumn          = constants.BodyJSONColumn
+	LogsV2BodyV2Column            = constants.BodyV2Column
 	LogsV2BodyPromotedColumn      = constants.BodyPromotedColumn
 	LogsV2TraceIDColumn           = "trace_id"
 	LogsV2SpanIDColumn            = "span_id"
@@ -34,11 +37,23 @@ const (
 	LogsV2ResourcesStringColumn  = "resources_string"
 	LogsV2ScopeStringColumn      = "scope_string"
 
-	BodyJSONColumnPrefix     = constants.BodyJSONColumnPrefix
+	BodyV2ColumnPrefix       = constants.BodyV2ColumnPrefix
 	BodyPromotedColumnPrefix = constants.BodyPromotedColumnPrefix
+	MessageSubColumn         = "body_v2.message"
+	bodySearchDefaultWarning = "body searches default to `body.message:string`. Use `body.<key>` to search a different field inside body"
 )
 
 var (
+	// mapping for body logical field to message sub column
+	// Here field context is log since message is a type hint and
+	// in a sense it is a direct column of log table and doesn't need any lambda expressions
+	// TODO(Piyush): Add description for detailed explanation of remapping of body to message
+	BodyLogicalFieldJSONMapping = &telemetrytypes.TelemetryFieldKey{
+		Name:          MessageSubColumn,
+		Signal:        telemetrytypes.SignalLogs,
+		FieldContext:  telemetrytypes.FieldContextLog,
+		FieldDataType: telemetrytypes.FieldDataTypeString,
+	}
 	DefaultFullTextColumn = &telemetrytypes.TelemetryFieldKey{
 		Name:          "body",
 		Signal:        telemetrytypes.SignalLogs,
@@ -118,3 +133,23 @@ var (
 		},
 	}
 )
+
+func bodyAliasExpression() string {
+	if !querybuilder.BodyJSONQueryEnabled {
+		return LogsV2BodyColumn
+	}
+
+	return fmt.Sprintf("%s as body", LogsV2BodyV2Column)
+}
+
+func enrichMapsForJSONBodyEnabled() {
+	if querybuilder.BodyJSONQueryEnabled {
+		DefaultFullTextColumn = BodyLogicalFieldJSONMapping
+		IntrinsicFields["body"] = *BodyLogicalFieldJSONMapping
+		IntrinsicFields[MessageSubColumn] = *BodyLogicalFieldJSONMapping
+	}
+}
+
+func init() {
+	enrichMapsForJSONBodyEnabled()
+}

pkg/telemetrylogs/field_mapper.go

@@ -30,7 +30,7 @@ var (
 		"severity_text":      {Name: "severity_text", Type: schema.LowCardinalityColumnType{ElementType: schema.ColumnTypeString}},
 		"severity_number":    {Name: "severity_number", Type: schema.ColumnTypeUInt8},
 		"body":               {Name: "body", Type: schema.ColumnTypeString},
-		LogsV2BodyJSONColumn: {Name: LogsV2BodyJSONColumn, Type: schema.JSONColumnType{
+		LogsV2BodyV2Column: {Name: LogsV2BodyV2Column, Type: schema.JSONColumnType{
 			MaxDynamicTypes: utils.ToPointer(uint(32)),
 			MaxDynamicPaths: utils.ToPointer(uint(0)),
 		}},
@@ -58,10 +58,11 @@ var (
 			KeyType:   schema.LowCardinalityColumnType{ElementType: schema.ColumnTypeString},
 			ValueType: schema.ColumnTypeString,
 		}},
+		MessageSubColumn: {Name: MessageSubColumn, Type: schema.ColumnTypeString},
 	}
 )
 
-type fieldMapper struct {}
+type fieldMapper struct{}
 
 func NewFieldMapper() qbtypes.FieldMapper {
 	return &fieldMapper{}
@@ -89,9 +90,9 @@ func (m *fieldMapper) getColumn(_ context.Context, key *telemetrytypes.Telemetry
 		}
 	case telemetrytypes.FieldContextBody:
 		// Body context is for JSON body fields
-		// Use body_json if feature flag is enabled
+		// Use body_v2 if feature flag is enabled
 		if querybuilder.BodyJSONQueryEnabled {
-			return logsV2Columns[LogsV2BodyJSONColumn], nil
+			return logsV2Columns[LogsV2BodyV2Column], nil
 		}
 		// Fall back to legacy body column
 		return logsV2Columns["body"], nil
@@ -100,9 +101,9 @@ func (m *fieldMapper) getColumn(_ context.Context, key *telemetrytypes.Telemetry
 		if !ok {
 			// check if the key has body JSON search
 			if strings.HasPrefix(key.Name, telemetrytypes.BodyJSONStringSearchPrefix) {
-				// Use body_json if feature flag is enabled and we have a body condition builder
+				// Use body_v2 if feature flag is enabled and we have a body condition builder
 				if querybuilder.BodyJSONQueryEnabled {
-					return logsV2Columns[LogsV2BodyJSONColumn], nil
+					return logsV2Columns[LogsV2BodyV2Column], nil
 				}
 				// Fall back to legacy body column
 				return logsV2Columns["body"], nil
@@ -147,6 +148,8 @@ func (m *fieldMapper) FieldFor(ctx context.Context, key *telemetrytypes.Telemetr
 			}
 
 			return m.buildFieldForJSON(key)
+		case telemetrytypes.FieldContextLog:
+			return column.Name, nil
 		default:
 			return "", errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "only resource/body context fields are supported for json columns, got %s", key.FieldContext.String)
 		}

pkg/telemetrylogs/json_condition_builder.go

@@ -30,7 +30,7 @@ func NewJSONConditionBuilder(key *telemetrytypes.TelemetryFieldKey, valueType te
 	return &jsonConditionBuilder{key: key, valueType: telemetrytypes.MappingFieldDataTypeToJSONDataType[valueType]}
 }
 
-// BuildCondition builds the full WHERE condition for body_json JSON paths
+// BuildCondition builds the full WHERE condition for body_v2 JSON paths
 func (c *jsonConditionBuilder) buildJSONCondition(operator qbtypes.FilterOperator, value any, sb *sqlbuilder.SelectBuilder) (string, error) {
 	conditions := []string{}
 	for _, node := range c.key.JSONPlan {
@@ -40,6 +40,7 @@ func (c *jsonConditionBuilder) buildJSONCondition(operator qbtypes.FilterOperato
 		}
 		conditions = append(conditions, condition)
 	}
+
 	return sb.Or(conditions...), nil
 }
 
@@ -288,9 +289,9 @@ func (c *jsonConditionBuilder) applyOperator(sb *sqlbuilder.SelectBuilder, field
 		}
 		return sb.NotIn(fieldExpr, values...), nil
 	case qbtypes.FilterOperatorExists:
-		return fmt.Sprintf("%s IS NOT NULL", fieldExpr), nil
+		return sb.IsNotNull(fieldExpr), nil
 	case qbtypes.FilterOperatorNotExists:
-		return fmt.Sprintf("%s IS NULL", fieldExpr), nil
+		return sb.IsNull(fieldExpr), nil
 	// between and not between
 	case qbtypes.FilterOperatorBetween, qbtypes.FilterOperatorNotBetween:
 		values, ok := value.([]any)

pkg/telemetrylogs/statement_builder.go

@@ -65,7 +65,7 @@ func (b *logQueryStatementBuilder) Build(
 	start = querybuilder.ToNanoSecs(start)
 	end = querybuilder.ToNanoSecs(end)
 
-	keySelectors := getKeySelectors(query)
+	keySelectors, warnings := getKeySelectors(query)
 	keys, _, err := b.metadataStore.GetKeysMulti(ctx, keySelectors)
 	if err != nil {
 		return nil, err
@@ -76,20 +76,32 @@ func (b *logQueryStatementBuilder) Build(
 	// Create SQL builder
 	q := sqlbuilder.NewSelectBuilder()
 
+	var stmt *qbtypes.Statement
 	switch requestType {
 	case qbtypes.RequestTypeRaw, qbtypes.RequestTypeRawStream:
-		return b.buildListQuery(ctx, q, query, start, end, keys, variables)
+		stmt, err = b.buildListQuery(ctx, q, query, start, end, keys, variables)
 	case qbtypes.RequestTypeTimeSeries:
-		return b.buildTimeSeriesQuery(ctx, q, query, start, end, keys, variables)
+		stmt, err = b.buildTimeSeriesQuery(ctx, q, query, start, end, keys, variables)
 	case qbtypes.RequestTypeScalar:
-		return b.buildScalarQuery(ctx, q, query, start, end, keys, false, variables)
+		stmt, err = b.buildScalarQuery(ctx, q, query, start, end, keys, false, variables)
+	default:
+		return nil, errors.NewInvalidInputf(errors.CodeInvalidInput, "unsupported request type: %s", requestType)
 	}
 
-	return nil, errors.NewInvalidInputf(errors.CodeInvalidInput, "unsupported request type: %s", requestType)
+	if err != nil {
+		return nil, err
+	}
+
+	if stmt != nil && len(warnings) > 0 {
+		stmt.Warnings = append(stmt.Warnings, warnings...)
+	}
+
+	return stmt, nil
 }
 
-func getKeySelectors(query qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]) []*telemetrytypes.FieldKeySelector {
+func getKeySelectors(query qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]) ([]*telemetrytypes.FieldKeySelector, []string) {
 	var keySelectors []*telemetrytypes.FieldKeySelector
+	var warnings []string
 
 	for idx := range query.Aggregations {
 		aggExpr := query.Aggregations[idx]
@@ -136,7 +148,19 @@ func getKeySelectors(query qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]) []
 		keySelectors[idx].SelectorMatchType = telemetrytypes.FieldSelectorMatchTypeExact
 	}
 
-	return keySelectors
+	// When the new JSON body experience is enabled, warn the user if they use the bare
+	// "body" key in the filter — queries on plain "body" default to body.message:string.
+	// TODO(Piyush): Setup better for coming FTS support.
+	if querybuilder.BodyJSONQueryEnabled {
+		for _, sel := range keySelectors {
+			if sel.Name == LogsV2BodyColumn {
+				warnings = append(warnings, bodySearchDefaultWarning)
+				break
+			}
+		}
+	}
+
+	return keySelectors, warnings
 }
 
 func (b *logQueryStatementBuilder) adjustKeys(ctx context.Context, keys map[string][]*telemetrytypes.TelemetryFieldKey, query qbtypes.QueryBuilderQuery[qbtypes.LogAggregation], requestType qbtypes.RequestType) qbtypes.QueryBuilderQuery[qbtypes.LogAggregation] {
@@ -203,7 +227,6 @@ func (b *logQueryStatementBuilder) adjustKeys(ctx context.Context, keys map[stri
 }
 
 func (b *logQueryStatementBuilder) adjustKey(key *telemetrytypes.TelemetryFieldKey, keys map[string][]*telemetrytypes.TelemetryFieldKey) []string {
-
 	// First check if it matches with any intrinsic fields
 	var intrinsicOrCalculatedField telemetrytypes.TelemetryFieldKey
 	if _, ok := IntrinsicFields[key.Name]; ok {
@@ -212,7 +235,6 @@ func (b *logQueryStatementBuilder) adjustKey(key *telemetrytypes.TelemetryFieldK
 	}
 
 	return querybuilder.AdjustKey(key, keys, nil)
-
 }
 
 // buildListQuery builds a query for list panel type
@@ -249,11 +271,7 @@ func (b *logQueryStatementBuilder) buildListQuery(
 		sb.SelectMore(LogsV2SeverityNumberColumn)
 		sb.SelectMore(LogsV2ScopeNameColumn)
 		sb.SelectMore(LogsV2ScopeVersionColumn)
-		sb.SelectMore(LogsV2BodyColumn)
-		if querybuilder.BodyJSONQueryEnabled {
-			sb.SelectMore(LogsV2BodyJSONColumn)
-			sb.SelectMore(LogsV2BodyPromotedColumn)
-		}
+		sb.SelectMore(bodyAliasExpression())
 		sb.SelectMore(LogsV2AttributesStringColumn)
 		sb.SelectMore(LogsV2AttributesNumberColumn)
 		sb.SelectMore(LogsV2AttributesBoolColumn)

pkg/telemetrylogs/stmt_builder_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/querybuilder"
 	"github.com/SigNoz/signoz/pkg/querybuilder/resourcefilter"
@@ -886,3 +887,154 @@ func TestAdjustKey(t *testing.T) {
 		})
 	}
 }
+
+func TestStmtBuilderBodyField(t *testing.T) {
+	cases := []struct {
+		name                string
+		requestType         qbtypes.RequestType
+		query               qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]
+		enableBodyJSONQuery bool
+		expected            qbtypes.Statement
+		expectedErr         error
+	}{
+		{
+			name:        "body_exists",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body Exists"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: true,
+			expected: qbtypes.Statement{
+				Query:    "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body_v2 as body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND body_v2.message <> ? AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:     []any{uint64(1747945619), uint64(1747983448), "", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+				Warnings: []string{bodySearchDefaultWarning},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_exists_disabled",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body Exists"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: false,
+			expected: qbtypes.Statement{
+				Query: "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND body <> ? AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:  []any{uint64(1747945619), uint64(1747983448), "", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_empty",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body == ''"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: true,
+			expected: qbtypes.Statement{
+				Query:    "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body_v2 as body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND body_v2.message = ? AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:     []any{uint64(1747945619), uint64(1747983448), "", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+				Warnings: []string{bodySearchDefaultWarning},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_empty_disabled",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body == ''"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: false,
+			expected: qbtypes.Statement{
+				Query: "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND body = ? AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:  []any{uint64(1747945619), uint64(1747983448), "", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_contains",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body CONTAINS 'error'"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: true,
+			expected: qbtypes.Statement{
+				Query:    "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body_v2 as body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND LOWER(body_v2.message) LIKE LOWER(?) AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:     []any{uint64(1747945619), uint64(1747983448), "%error%", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+				Warnings: []string{bodySearchDefaultWarning},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_contains_disabled",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body CONTAINS 'error'"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: false,
+			expected: qbtypes.Statement{
+				Query: "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND LOWER(body) LIKE LOWER(?) AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:  []any{uint64(1747945619), uint64(1747983448), "%error%", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+			},
+			expectedErr: nil,
+		},
+	}
+
+	fm := NewFieldMapper()
+	cb := NewConditionBuilder(fm)
+
+	enable, disable := jsonQueryTestUtil(t)
+	defer disable()
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			if c.enableBodyJSONQuery {
+				enable()
+			} else {
+				disable()
+			}
+			// build the key map after enabling/disabling body JSON query
+			mockMetadataStore := telemetrytypestest.NewMockMetadataStore()
+			mockMetadataStore.KeysMap = buildCompleteFieldKeyMap()
+
+			aggExprRewriter := querybuilder.NewAggExprRewriter(instrumentationtest.New().ToProviderSettings(), nil, fm, cb, nil)
+			resourceFilterStmtBuilder := resourceFilterStmtBuilder()
+			statementBuilder := NewLogQueryStatementBuilder(
+				instrumentationtest.New().ToProviderSettings(),
+				mockMetadataStore,
+				fm,
+				cb,
+				resourceFilterStmtBuilder,
+				aggExprRewriter,
+				DefaultFullTextColumn,
+				GetBodyJSONKey,
+			)
+
+			q, err := statementBuilder.Build(context.Background(), 1747947419000, 1747983448000, c.requestType, c.query, nil)
+			if c.expectedErr != nil {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), c.expectedErr.Error())
+			} else {
+				if err != nil {
+					_, _, _, _, _, add := errors.Unwrapb(err)
+					t.Logf("error additionals: %v", add)
+				}
+				require.NoError(t, err)
+				require.Equal(t, c.expected.Query, q.Query)
+				require.Equal(t, c.expected.Args, q.Args)
+				require.Equal(t, c.expected.Warnings, q.Warnings)
+			}
+		})
+	}
+}

pkg/telemetrylogs/test_data.go

@@ -27,13 +27,6 @@ func buildCompleteFieldKeyMap() map[string][]*telemetrytypes.TelemetryFieldKey {
 				FieldDataType: telemetrytypes.FieldDataTypeString,
 			},
 		},
-		"body": {
-			{
-				Name:          "body",
-				FieldContext:  telemetrytypes.FieldContextLog,
-				FieldDataType: telemetrytypes.FieldDataTypeString,
-			},
-		},
 		"http.status_code": {
 			{
 				Name:          "http.status_code",
@@ -945,6 +938,11 @@ func buildCompleteFieldKeyMap() map[string][]*telemetrytypes.TelemetryFieldKey {
 			key.Signal = telemetrytypes.SignalLogs
 		}
 	}
+
+	// add intrinsic fields to the map
+	for fieldName, key := range IntrinsicFields {
+		keysMap[fieldName] = append(keysMap[fieldName], &key)
+	}
 	return keysMap
 }
 

pkg/telemetrymetadata/body_json_metadata.go

@@ -260,7 +260,7 @@ func buildListLogsJSONIndexesQuery(cluster string, filters ...string) (string, [
 	sb.Where(sb.Equal("database", telemetrylogs.DBName))
 	sb.Where(sb.Equal("table", telemetrylogs.LogsV2LocalTableName))
 	sb.Where(sb.Or(
-		sb.ILike("expr", fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyJSONColumnPrefix))),
+		sb.ILike("expr", fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyV2ColumnPrefix))),
 		sb.ILike("expr", fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyPromotedColumnPrefix))),
 	))
 
@@ -319,7 +319,7 @@ func (t *telemetryMetaStore) ListJSONValues(ctx context.Context, path string, li
 	if promoted {
 		path = telemetrylogs.BodyPromotedColumnPrefix + path
 	} else {
-		path = telemetrylogs.BodyJSONColumnPrefix + path
+		path = telemetrylogs.BodyV2ColumnPrefix + path
 	}
 
 	from := fmt.Sprintf("%s.%s", telemetrylogs.DBName, telemetrylogs.LogsV2TableName)
@@ -522,7 +522,7 @@ func (t *telemetryMetaStore) GetPromotedPaths(ctx context.Context, paths ...stri
 // TODO(Piyush): Remove this function
 func CleanPathPrefixes(path string) string {
 	path = strings.TrimPrefix(path, telemetrytypes.BodyJSONStringSearchPrefix)
-	path = strings.TrimPrefix(path, telemetrylogs.BodyJSONColumnPrefix)
+	path = strings.TrimPrefix(path, telemetrylogs.BodyV2ColumnPrefix)
 	path = strings.TrimPrefix(path, telemetrylogs.BodyPromotedColumnPrefix)
 	return path
 }

pkg/telemetrymetadata/body_json_metadata_test.go

@@ -117,7 +117,7 @@ func TestBuildListLogsJSONIndexesQuery(t *testing.T) {
 			expectedArgs: []any{
 				telemetrylogs.DBName,
 				telemetrylogs.LogsV2LocalTableName,
-				fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyJSONColumnPrefix)),
+				fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyV2ColumnPrefix)),
 				fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyPromotedColumnPrefix)),
 			},
 		},
@@ -130,7 +130,7 @@ func TestBuildListLogsJSONIndexesQuery(t *testing.T) {
 			expectedArgs: []any{
 				telemetrylogs.DBName,
 				telemetrylogs.LogsV2LocalTableName,
-				fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyJSONColumnPrefix)),
+				fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyV2ColumnPrefix)),
 				fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains(constants.BodyPromotedColumnPrefix)),
 				fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains("foo")),
 				fmt.Sprintf("%%%s%%", querybuilder.FormatValueForContains("bar")),

pkg/telemetrymetadata/metadata.go

@@ -102,7 +102,7 @@ func NewTelemetryMetaStore(
 		jsonColumnMetadata: map[telemetrytypes.Signal]map[telemetrytypes.FieldContext]telemetrytypes.JSONColumnMetadata{
 			telemetrytypes.SignalLogs: {
 				telemetrytypes.FieldContextBody: telemetrytypes.JSONColumnMetadata{
-					BaseColumn:     telemetrylogs.LogsV2BodyJSONColumn,
+					BaseColumn:     telemetrylogs.LogsV2BodyV2Column,
 					PromotedColumn: telemetrylogs.LogsV2BodyPromotedColumn,
 				},
 			},
@@ -351,7 +351,7 @@ func (t *telemetryMetaStore) logsTblStatementToFieldKeys(ctx context.Context) ([
 }
 
 // getLogsKeys returns the keys from the spans that match the field selection criteria
-func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors []*telemetrytypes.FieldKeySelector) ([]*telemetrytypes.TelemetryFieldKey, bool, error) {
+func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors []*telemetrytypes.FieldKeySelector) (map[string][]*telemetrytypes.TelemetryFieldKey, bool, error) {
 	ctx = ctxtypes.NewContextWithCommentVals(ctx, map[string]string{
 		instrumentationtypes.TelemetrySignal:  telemetrytypes.SignalLogs.StringValue(),
 		instrumentationtypes.CodeNamespace:    "metadata",
@@ -367,9 +367,10 @@ func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors
 	if err != nil {
 		return nil, false, err
 	}
-	mapOfKeys := make(map[string]*telemetrytypes.TelemetryFieldKey)
+	// setOfKeys to reuse the same key object for qualified names
+	setOfKeys := make(map[string]*telemetrytypes.TelemetryFieldKey)
 	for _, key := range matKeys {
-		mapOfKeys[key.Name+";"+key.FieldContext.StringValue()+";"+key.FieldDataType.StringValue()] = key
+		setOfKeys[key.Text()] = key
 	}
 
 	// queries for both attribute and resource keys tables
@@ -470,7 +471,7 @@ func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors
 
 	if len(queries) == 0 {
 		// No matching contexts, return empty result
-		return []*telemetrytypes.TelemetryFieldKey{}, true, nil
+		return nil, true, nil
 	}
 
 	// Combine queries with UNION ALL
@@ -498,7 +499,7 @@ func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors
 	}
 	defer rows.Close()
 
-	keys := []*telemetrytypes.TelemetryFieldKey{}
+	mapOfKeys := make(map[string][]*telemetrytypes.TelemetryFieldKey)
 	rowCount := 0
 	searchTexts := []string{}
 	dataTypes := []telemetrytypes.FieldDataType{}
@@ -526,7 +527,7 @@ func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors
 		if err != nil {
 			return nil, false, errors.Wrap(err, errors.TypeInternal, errors.CodeInternal, ErrFailedToGetLogsKeys.Error())
 		}
-		key, ok := mapOfKeys[name+";"+fieldContext.StringValue()+";"+fieldDataType.StringValue()]
+		key, ok := setOfKeys[name+";"+fieldContext.StringValue()+";"+fieldDataType.StringValue()]
 
 		// if there is no materialised column, create a key with the field context and data type
 		if !ok {
@@ -538,8 +539,8 @@ func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors
 			}
 		}
 
-		keys = append(keys, key)
-		mapOfKeys[name+";"+fieldContext.StringValue()+";"+fieldDataType.StringValue()] = key
+		mapOfKeys[key.Name] = append(mapOfKeys[key.Name], key)
+		setOfKeys[name+";"+fieldContext.StringValue()+";"+fieldDataType.StringValue()] = key
 	}
 
 	if rows.Err() != nil {
@@ -565,17 +566,13 @@ func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors
 
 		if found {
 			if field, exists := telemetrylogs.IntrinsicFields[key]; exists {
-				if _, added := mapOfKeys[field.Name+";"+field.FieldContext.StringValue()+";"+field.FieldDataType.StringValue()]; !added {
-					keys = append(keys, &field)
+				if _, added := setOfKeys[field.Name+";"+field.FieldContext.StringValue()+";"+field.FieldDataType.StringValue()]; !added {
+					mapOfKeys[field.Name] = append(mapOfKeys[field.Name], &field)
+					// intrinsic field can be a logical field mapped to a different physical location
+					mapOfKeys[key] = append(mapOfKeys[key], &field)
 				}
 				continue
 			}
-
-			keys = append(keys, &telemetrytypes.TelemetryFieldKey{
-				Name:         key,
-				FieldContext: telemetrytypes.FieldContextLog,
-				Signal:       telemetrytypes.SignalLogs,
-			})
 		}
 	}
 
@@ -584,10 +581,13 @@ func (t *telemetryMetaStore) getLogsKeys(ctx context.Context, fieldKeySelectors
 		if err != nil {
 			t.logger.ErrorContext(ctx, "failed to extract body JSON paths", "error", err)
 		}
-		keys = append(keys, bodyJSONPaths...)
+		for _, key := range bodyJSONPaths {
+			mapOfKeys[key.Name] = append(mapOfKeys[key.Name], key)
+		}
 		complete = complete && finished
 	}
-	return keys, complete, nil
+
+	return mapOfKeys, complete, nil
 }
 
 func getPriorityForContext(ctx telemetrytypes.FieldContext) int {
@@ -882,12 +882,20 @@ func (t *telemetryMetaStore) GetKeys(ctx context.Context, fieldKeySelector *tele
 	if fieldKeySelector != nil {
 		selectors = []*telemetrytypes.FieldKeySelector{fieldKeySelector}
 	}
+	mapOfKeys := make(map[string][]*telemetrytypes.TelemetryFieldKey)
 
 	switch fieldKeySelector.Signal {
 	case telemetrytypes.SignalTraces:
 		keys, complete, err = t.getTracesKeys(ctx, selectors)
 	case telemetrytypes.SignalLogs:
-		keys, complete, err = t.getLogsKeys(ctx, selectors)
+		mapOfLogKeys, logsComplete, err := t.getLogsKeys(ctx, selectors)
+		if err != nil {
+			return nil, false, err
+		}
+		for keyName, keys := range mapOfLogKeys {
+			mapOfKeys[keyName] = append(mapOfKeys[keyName], keys...)
+		}
+		complete = complete && logsComplete
 	case telemetrytypes.SignalMetrics:
 		if fieldKeySelector.Source == telemetrytypes.SourceMeter {
 			keys, complete, err = t.getMeterSourceMetricKeys(ctx, selectors)
@@ -903,12 +911,13 @@ func (t *telemetryMetaStore) GetKeys(ctx context.Context, fieldKeySelector *tele
 		keys = append(keys, tracesKeys...)
 
 		// get logs keys
-		logsKeys, logsComplete, err := t.getLogsKeys(ctx, selectors)
+		mapOfLogKeys, logsComplete, err := t.getLogsKeys(ctx, selectors)
 		if err != nil {
 			return nil, false, err
 		}
-		keys = append(keys, logsKeys...)
-
+		for keyName, keys := range mapOfLogKeys {
+			mapOfKeys[keyName] = append(mapOfKeys[keyName], keys...)
+		}
 		// get metrics keys
 		metricsKeys, metricsComplete, err := t.getMetricsKeys(ctx, selectors)
 		if err != nil {
@@ -922,7 +931,6 @@ func (t *telemetryMetaStore) GetKeys(ctx context.Context, fieldKeySelector *tele
 		return nil, false, err
 	}
 
-	mapOfKeys := make(map[string][]*telemetrytypes.TelemetryFieldKey)
 	for _, key := range keys {
 		mapOfKeys[key.Name] = append(mapOfKeys[key.Name], key)
 	}
@@ -959,7 +967,7 @@ func (t *telemetryMetaStore) GetKeysMulti(ctx context.Context, fieldKeySelectors
 		}
 	}
 
-	logsKeys, logsComplete, err := t.getLogsKeys(ctx, logsSelectors)
+	mapOfLogKeys, logsComplete, err := t.getLogsKeys(ctx, logsSelectors)
 	if err != nil {
 		return nil, false, err
 	}
@@ -980,8 +988,8 @@ func (t *telemetryMetaStore) GetKeysMulti(ctx context.Context, fieldKeySelectors
 	complete := logsComplete && tracesComplete && metricsComplete
 
 	mapOfKeys := make(map[string][]*telemetrytypes.TelemetryFieldKey)
-	for _, key := range logsKeys {
-		mapOfKeys[key.Name] = append(mapOfKeys[key.Name], key)
+	for keyName, keys := range mapOfLogKeys {
+		mapOfKeys[keyName] = append(mapOfKeys[keyName], keys...)
 	}
 	for _, key := range tracesKeys {
 		mapOfKeys[key.Name] = append(mapOfKeys[key.Name], key)

pkg/types/alertmanagertypes/alert.go

@@ -1,6 +1,7 @@
 package alertmanagertypes
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"regexp"
@@ -90,8 +91,8 @@ func NewDeprecatedGettableAlertsFromGettableAlerts(gettableAlerts GettableAlerts
 }
 
 // Converts a slice of PostableAlert to a slice of Alert.
-func NewAlertsFromPostableAlerts(postableAlerts PostableAlerts, resolveTimeout time.Duration, now time.Time) ([]*types.Alert, []error) {
-	alerts := v2.OpenAPIAlertsToAlerts(postableAlerts)
+func NewAlertsFromPostableAlerts(ctx context.Context, postableAlerts PostableAlerts, resolveTimeout time.Duration, now time.Time) ([]*types.Alert, []error) {
+	alerts := v2.OpenAPIAlertsToAlerts(ctx, postableAlerts)
 
 	for _, alert := range alerts {
 		alert.UpdatedAt = now
@@ -196,8 +197,15 @@ func NewGettableAlertsFromAlertProvider(
 		if err = iterator.Err(); err != nil {
 			break
 		}
+		if a == nil {
+			break
+		}
+		alertData := a.Data
+		if alertData == nil {
+			continue
+		}
 
-		routes := dispatch.NewRoute(cfg.alertmanagerConfig.Route, nil).Match(a.Labels)
+		routes := dispatch.NewRoute(cfg.alertmanagerConfig.Route, nil).Match(alertData.Labels)
 		receivers := make([]string, 0, len(routes))
 		for _, r := range routes {
 			receivers = append(receivers, r.RouteOpts.Receiver)
@@ -207,11 +215,11 @@ func NewGettableAlertsFromAlertProvider(
 			continue
 		}
 
-		if !alertFilter(a, now) {
+		if !alertFilter(alertData, now) {
 			continue
 		}
 
-		alert := v2.AlertToOpenAPIAlert(a, getAlertStatusFunc(a.Fingerprint()), receivers, nil)
+		alert := v2.AlertToOpenAPIAlert(alertData, getAlertStatusFunc(alertData.Fingerprint()), receivers, nil)
 
 		res = append(res, alert)
 	}

pkg/types/alertmanagertypes/channel_test.go

@@ -41,6 +41,7 @@ func TestNewConfigFromChannels(t *testing.T) {
 						"require_tls":   true,
 						"html":          "{{ template \"email.default.html\" . }}",
 						"tls_config":    map[string]any{"insecure_skip_verify": false},
+						"threading":     map[string]any{},
 					}},
 				},
 			},
@@ -62,6 +63,7 @@ func TestNewConfigFromChannels(t *testing.T) {
 					"slack_configs": []any{map[string]any{
 						"send_resolved": true,
 						"api_url":       "https://slack.com/api/test",
+						"app_url":       "https://slack.com/api/chat.postMessage",
 						"channel":       "#alerts",
 						"callback_id":   "{{ template \"slack.default.callbackid\" . }}",
 						"color":         "{{ if eq .Status \"firing\" }}danger{{ else }}good{{ end }}",
@@ -71,6 +73,7 @@ func TestNewConfigFromChannels(t *testing.T) {
 						"icon_url":      "{{ template \"slack.default.iconurl\" . }}",
 						"pretext":       "{{ template \"slack.default.pretext\" . }}",
 						"text":          "{{ template \"slack.default.text\" . }}",
+						"timeout":       float64(0),
 						"title":         "{{ template \"slack.default.title\" . }}",
 						"title_link":    "{{ template \"slack.default.titlelink\" . }}",
 						"username":      "{{ template \"slack.default.username\" . }}",
@@ -106,11 +109,12 @@ func TestNewConfigFromChannels(t *testing.T) {
 						"client_url":    "{{ template \"pagerduty.default.clientURL\" . }}",
 						"description":   "{{ template \"pagerduty.default.description\" .}}",
 						"source":        "{{ template \"pagerduty.default.client\" . }}",
+						"timeout":       float64(0),
 						"details": map[string]any{
-							"firing":       "{{ template \"pagerduty.default.instances\" .Alerts.Firing }}",
+							"firing":       "{{ .Alerts.Firing | toJson }}",
 							"num_firing":   "{{ .Alerts.Firing | len }}",
 							"num_resolved": "{{ .Alerts.Resolved | len }}",
-							"resolved":     "{{ template \"pagerduty.default.instances\" .Alerts.Resolved }}",
+							"resolved":     "{{ .Alerts.Resolved | toJson }}",
 						},
 						"http_config": map[string]any{
 							"tls_config":       map[string]any{"insecure_skip_verify": false},
@@ -149,11 +153,12 @@ func TestNewConfigFromChannels(t *testing.T) {
 						"client_url":    "{{ template \"pagerduty.default.clientURL\" . }}",
 						"description":   "{{ template \"pagerduty.default.description\" .}}",
 						"source":        "{{ template \"pagerduty.default.client\" . }}",
+						"timeout":       float64(0),
 						"details": map[string]any{
-							"firing":       "{{ template \"pagerduty.default.instances\" .Alerts.Firing }}",
+							"firing":       "{{ .Alerts.Firing | toJson }}",
 							"num_firing":   "{{ .Alerts.Firing | len }}",
 							"num_resolved": "{{ .Alerts.Resolved | len }}",
-							"resolved":     "{{ template \"pagerduty.default.instances\" .Alerts.Resolved }}",
+							"resolved":     "{{ .Alerts.Resolved | toJson }}",
 						},
 						"http_config": map[string]any{
 							"tls_config":       map[string]any{"insecure_skip_verify": false},
@@ -168,6 +173,7 @@ func TestNewConfigFromChannels(t *testing.T) {
 					"slack_configs": []any{map[string]any{
 						"send_resolved": true,
 						"api_url":       "https://slack.com/api/test",
+						"app_url":       "https://slack.com/api/chat.postMessage",
 						"channel":       "#alerts",
 						"callback_id":   "{{ template \"slack.default.callbackid\" . }}",
 						"color":         "{{ if eq .Status \"firing\" }}danger{{ else }}good{{ end }}",
@@ -177,6 +183,7 @@ func TestNewConfigFromChannels(t *testing.T) {
 						"icon_url":      "{{ template \"slack.default.iconurl\" . }}",
 						"pretext":       "{{ template \"slack.default.pretext\" . }}",
 						"text":          "{{ template \"slack.default.text\" . }}",
+						"timeout":       float64(0),
 						"title":         "{{ template \"slack.default.title\" . }}",
 						"title_link":    "{{ template \"slack.default.titlelink\" . }}",
 						"username":      "{{ template \"slack.default.username\" . }}",
@@ -270,7 +277,7 @@ func TestNewChannelFromReceiver(t *testing.T) {
 			expected: &Channel{
 				Name: "test-receiver",
 				Type: "slack",
-				Data: `{"name":"test-receiver","slack_configs":[{"send_resolved":true,"api_url":"https://slack.com/api/test","channel":"#alerts"}]}`,
+				Data: `{"name":"test-receiver","slack_configs":[{"send_resolved":true,"api_url":"https://slack.com/api/test","channel":"#alerts","timeout":0}]}`,
 			},
 			pass: true,
 		},

pkg/types/authtypes/authn.go

@@ -125,7 +125,7 @@ func (typ *Identity) ToClaims() Claims {
 
 type AuthNStore interface {
 	// Get user and factor password by email and orgID.
-	GetUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error)
+	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error)
 
 	// Get org domain from id.
 	GetAuthDomainFromID(ctx context.Context, domainID valuer.UUID) (*AuthDomain, error)

pkg/types/authtypes/relation.go

@@ -28,11 +28,12 @@ var TypeableRelations = map[Type][]Relation{
 }
 
 var RelationsTypeable = map[Relation][]Type{
-	RelationCreate: {TypeMetaResources},
-	RelationRead:   {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
-	RelationList:   {TypeMetaResources},
-	RelationUpdate: {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
-	RelationDelete: {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationCreate:   {TypeMetaResources},
+	RelationRead:     {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationList:     {TypeMetaResources},
+	RelationUpdate:   {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationDelete:   {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationAssignee: {TypeRole},
 }
 
 type Relation struct{ valuer.String }

pkg/types/factor_password.go

@@ -2,6 +2,7 @@ package types
 
 import (
 	"encoding/json"
+	"fmt"
 	"slices"
 	"time"
 	"unicode"
@@ -220,3 +221,7 @@ func comparePassword(hashedPassword string, password string) bool {
 func (r *ResetPasswordToken) IsExpired() bool {
 	return r.ExpiresAt.Before(time.Now())
 }
+
+func (r *ResetPasswordToken) FactorPasswordResetLink(frontendBaseUrl string) string {
+	return fmt.Sprintf("%s/password-reset?token=%s", frontendBaseUrl, r.Token)
+}

pkg/types/invite.go

@@ -54,7 +54,29 @@ type PostableInvite struct {
 }
 
 type PostableBulkInviteRequest struct {
-	Invites []PostableInvite `json:"invites"`
+	Invites []PostableInvite `json:"invites" required:"true" nullable:"false"`
+}
+
+func (request *PostableBulkInviteRequest) UnmarshalJSON(data []byte) error {
+	type Alias PostableBulkInviteRequest
+
+	var temp Alias
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	// check for duplicate emails in the same request
+	seen := make(map[string]struct{}, len(temp.Invites))
+	for _, invite := range temp.Invites {
+		email := invite.Email.StringValue()
+		if _, exists := seen[email]; exists {
+			return errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "Duplicate email in request: %s", email)
+		}
+		seen[email] = struct{}{}
+	}
+
+	*request = PostableBulkInviteRequest(temp)
+	return nil
 }
 
 type GettableCreateInviteResponse struct {

pkg/types/promotetypes/types.go

@@ -36,8 +36,8 @@ func (i *PromotePath) ValidateAndSetDefaults() error {
 		return errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "array paths can not be promoted or indexed")
 	}
 
-	if strings.HasPrefix(i.Path, constants.BodyJSONColumnPrefix) || strings.HasPrefix(i.Path, constants.BodyPromotedColumnPrefix) {
-		return errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "`%s`, `%s` don't add these prefixes to the path", constants.BodyJSONColumnPrefix, constants.BodyPromotedColumnPrefix)
+	if strings.HasPrefix(i.Path, constants.BodyV2ColumnPrefix) || strings.HasPrefix(i.Path, constants.BodyPromotedColumnPrefix) {
+		return errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "`%s`, `%s` don't add these prefixes to the path", constants.BodyV2ColumnPrefix, constants.BodyPromotedColumnPrefix)
 	}
 
 	if !strings.HasPrefix(i.Path, telemetrytypes.BodyJSONStringSearchPrefix) {

pkg/types/telemetrytypes/field_datatype.go

@@ -21,6 +21,7 @@ var (
 	// int64 and number are synonyms for float64
 	FieldDataTypeInt64       = FieldDataType{valuer.NewString("int64")}
 	FieldDataTypeNumber      = FieldDataType{valuer.NewString("number")}
+	FieldDataTypeJSON        = FieldDataType{valuer.NewString("json")}
 	FieldDataTypeUnspecified = FieldDataType{valuer.NewString("")}
 
 	FieldDataTypeArrayString  = FieldDataType{valuer.NewString("[]string")}

pkg/types/telemetrytypes/json_access_plan.go

@@ -40,7 +40,7 @@ type JSONAccessNode struct {
 	// Node information
 	Name       string
 	IsTerminal bool
-	isRoot     bool // marked true for only body_json and body_json_promoted
+	isRoot     bool // marked true for only body_v2 and body_promoted
 
 	// Precomputed type information (single source of truth)
 	AvailableTypes []JSONDataType

pkg/types/telemetrytypes/json_access_plan_test.go

@@ -1,12 +1,19 @@
 package telemetrytypes
 
 import (
+	"fmt"
 	"testing"
 
+	otelconstants "github.com/SigNoz/signoz-otel-collector/constants"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/yaml.v3"
 )
 
+const (
+	bodyV2Column       = otelconstants.BodyV2Column
+	bodyPromotedColumn = otelconstants.BodyPromotedColumn
+)
+
 // ============================================================================
 // Helper Functions for Test Data Creation
 // ============================================================================
@@ -109,8 +116,8 @@ func TestNode_Alias(t *testing.T) {
 	}{
 		{
 			name:     "Root node returns name as-is",
-			node:     NewRootJSONAccessNode("body_json", 32, 0),
-			expected: "body_json",
+			node:     NewRootJSONAccessNode(bodyV2Column, 32, 0),
+			expected: bodyV2Column,
 		},
 		{
 			name: "Node without parent returns backticked name",
@@ -124,9 +131,9 @@ func TestNode_Alias(t *testing.T) {
 			name: "Node with root parent uses dot separator",
 			node: &JSONAccessNode{
 				Name:   "age",
-				Parent: NewRootJSONAccessNode("body_json", 32, 0),
+				Parent: NewRootJSONAccessNode(bodyV2Column, 32, 0),
 			},
-			expected: "`" + "body_json" + ".age`",
+			expected: "`" + bodyV2Column + ".age`",
 		},
 		{
 			name: "Node with non-root parent uses array separator",
@@ -134,10 +141,10 @@ func TestNode_Alias(t *testing.T) {
 				Name: "name",
 				Parent: &JSONAccessNode{
 					Name:   "education",
-					Parent: NewRootJSONAccessNode("body_json", 32, 0),
+					Parent: NewRootJSONAccessNode(bodyV2Column, 32, 0),
 				},
 			},
-			expected: "`" + "body_json" + ".education[].name`",
+			expected: "`" + bodyV2Column + ".education[].name`",
 		},
 		{
 			name: "Nested array path with multiple levels",
@@ -147,11 +154,11 @@ func TestNode_Alias(t *testing.T) {
 					Name: "awards",
 					Parent: &JSONAccessNode{
 						Name:   "education",
-						Parent: NewRootJSONAccessNode("body_json", 32, 0),
+						Parent: NewRootJSONAccessNode(bodyV2Column, 32, 0),
 					},
 				},
 			},
-			expected: "`" + "body_json" + ".education[].awards[].type`",
+			expected: "`" + bodyV2Column + ".education[].awards[].type`",
 		},
 	}
 
@@ -173,18 +180,18 @@ func TestNode_FieldPath(t *testing.T) {
 			name: "Simple field path from root",
 			node: &JSONAccessNode{
 				Name:   "user",
-				Parent: NewRootJSONAccessNode("body_json", 32, 0),
+				Parent: NewRootJSONAccessNode(bodyV2Column, 32, 0),
 			},
 			// FieldPath() always wraps the field name in backticks
-			expected: "body_json" + ".`user`",
+			expected: bodyV2Column + ".`user`",
 		},
 		{
 			name: "Field path with backtick-required key",
 			node: &JSONAccessNode{
 				Name:   "user-name", // requires backtick
-				Parent: NewRootJSONAccessNode("body_json", 32, 0),
+				Parent: NewRootJSONAccessNode(bodyV2Column, 32, 0),
 			},
-			expected: "body_json" + ".`user-name`",
+			expected: bodyV2Column + ".`user-name`",
 		},
 		{
 			name: "Nested field path",
@@ -192,11 +199,11 @@ func TestNode_FieldPath(t *testing.T) {
 				Name: "age",
 				Parent: &JSONAccessNode{
 					Name:   "user",
-					Parent: NewRootJSONAccessNode("body_json", 32, 0),
+					Parent: NewRootJSONAccessNode(bodyV2Column, 32, 0),
 				},
 			},
 			// FieldPath() always wraps the field name in backticks
-			expected: "`" + "body_json" + ".user`.`age`",
+			expected: "`" + bodyV2Column + ".user`.`age`",
 		},
 		{
 			name: "Array element field path",
@@ -204,11 +211,11 @@ func TestNode_FieldPath(t *testing.T) {
 				Name: "name",
 				Parent: &JSONAccessNode{
 					Name:   "education",
-					Parent: NewRootJSONAccessNode("body_json", 32, 0),
+					Parent: NewRootJSONAccessNode(bodyV2Column, 32, 0),
 				},
 			},
 			// FieldPath() always wraps the field name in backticks
-			expected: "`" + "body_json" + ".education`.`name`",
+			expected: "`" + bodyV2Column + ".education`.`name`",
 		},
 	}
 
@@ -236,36 +243,36 @@ func TestPlanJSON_BasicStructure(t *testing.T) {
 		{
 			name: "Simple path not promoted",
 			key:  makeKey("user.name", String, false),
-			expectedYAML: `
+			expectedYAML: fmt.Sprintf(`
 - name: user.name
-  column: body_json
+  column: %s
   availableTypes:
     - String
   maxDynamicTypes: 16
   isTerminal: true
   elemType: String
-`,
+`, bodyV2Column),
 		},
 		{
 			name: "Simple path promoted",
 			key:  makeKey("user.name", String, true),
-			expectedYAML: `
+			expectedYAML: fmt.Sprintf(`
 - name: user.name
-  column: body_json
+  column: %s
   availableTypes:
     - String
   maxDynamicTypes: 16
   isTerminal: true
   elemType: String
 - name: user.name
-  column: body_json_promoted
+  column: %s
   availableTypes:
     - String
   maxDynamicTypes: 16
   maxDynamicPaths: 256
   isTerminal: true
   elemType: String
-`,
+`, bodyV2Column, bodyPromotedColumn),
 		},
 		{
 			name:         "Empty path returns error",
@@ -278,8 +285,8 @@ func TestPlanJSON_BasicStructure(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := tt.key.SetJSONAccessPlan(JSONColumnMetadata{
-				BaseColumn:     "body_json",
-				PromotedColumn: "body_json_promoted",
+				BaseColumn:     bodyV2Column,
+				PromotedColumn: bodyPromotedColumn,
 			}, types)
 			if tt.expectErr {
 				require.Error(t, err)
@@ -304,9 +311,9 @@ func TestPlanJSON_ArrayPaths(t *testing.T) {
 		{
 			name: "Single array level - JSON branch only",
 			path: "education[].name",
-			expectedYAML: `
+			expectedYAML: fmt.Sprintf(`
 - name: education
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -318,14 +325,14 @@ func TestPlanJSON_ArrayPaths(t *testing.T) {
       maxDynamicTypes: 8
       isTerminal: true
       elemType: String
-`,
+`, bodyV2Column),
 		},
 		{
 			name: "Single array level - both JSON and Dynamic branches",
 			path: "education[].awards[].type",
-			expectedYAML: `
+			expectedYAML: fmt.Sprintf(`
 - name: education
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -352,14 +359,14 @@ func TestPlanJSON_ArrayPaths(t *testing.T) {
           maxDynamicPaths: 256
           isTerminal: true
           elemType: String
-`,
+`, bodyV2Column),
 		},
 		{
 			name: "Deeply nested array path",
 			path: "interests[].entities[].reviews[].entries[].metadata[].positions[].name",
-			expectedYAML: `
+			expectedYAML: fmt.Sprintf(`
 - name: interests
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -399,14 +406,14 @@ func TestPlanJSON_ArrayPaths(t *testing.T) {
                             - String
                           isTerminal: true
                           elemType: String
-`,
+`, bodyV2Column),
 		},
 		{
 			name: "ArrayAnyIndex replacement [*] to []",
 			path: "education[*].name",
-			expectedYAML: `
+			expectedYAML: fmt.Sprintf(`
 - name: education
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -418,7 +425,7 @@ func TestPlanJSON_ArrayPaths(t *testing.T) {
       maxDynamicTypes: 8
       isTerminal: true
       elemType: String
-`,
+`, bodyV2Column),
 		},
 	}
 
@@ -426,8 +433,8 @@ func TestPlanJSON_ArrayPaths(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			key := makeKey(tt.path, String, false)
 			err := key.SetJSONAccessPlan(JSONColumnMetadata{
-				BaseColumn:     "body_json",
-				PromotedColumn: "body_json_promoted",
+				BaseColumn:     bodyV2Column,
+				PromotedColumn: bodyPromotedColumn,
 			}, types)
 			require.NoError(t, err)
 			require.NotNil(t, key.JSONPlan)
@@ -445,15 +452,15 @@ func TestPlanJSON_PromotedVsNonPromoted(t *testing.T) {
 	t.Run("Non-promoted plan", func(t *testing.T) {
 		key := makeKey(path, String, false)
 		err := key.SetJSONAccessPlan(JSONColumnMetadata{
-			BaseColumn:     "body_json",
-			PromotedColumn: "body_json_promoted",
+			BaseColumn:     bodyV2Column,
+			PromotedColumn: bodyPromotedColumn,
 		}, types)
 		require.NoError(t, err)
 		require.Len(t, key.JSONPlan, 1)
 
-		expectedYAML := `
+		expectedYAML := fmt.Sprintf(`
 - name: education
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -480,7 +487,7 @@ func TestPlanJSON_PromotedVsNonPromoted(t *testing.T) {
           maxDynamicPaths: 256
           isTerminal: true
           elemType: String
-`
+`, bodyV2Column)
 		got := plansToYAML(t, key.JSONPlan)
 		require.YAMLEq(t, expectedYAML, got)
 	})
@@ -488,15 +495,15 @@ func TestPlanJSON_PromotedVsNonPromoted(t *testing.T) {
 	t.Run("Promoted plan", func(t *testing.T) {
 		key := makeKey(path, String, true)
 		err := key.SetJSONAccessPlan(JSONColumnMetadata{
-			BaseColumn:     "body_json",
-			PromotedColumn: "body_json_promoted",
+			BaseColumn:     bodyV2Column,
+			PromotedColumn: bodyPromotedColumn,
 		}, types)
 		require.NoError(t, err)
 		require.Len(t, key.JSONPlan, 2)
 
-		expectedYAML := `
+		expectedYAML := fmt.Sprintf(`
 - name: education
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -524,7 +531,7 @@ func TestPlanJSON_PromotedVsNonPromoted(t *testing.T) {
           isTerminal: true
           elemType: String
 - name: education
-  column: body_json_promoted
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -554,7 +561,7 @@ func TestPlanJSON_PromotedVsNonPromoted(t *testing.T) {
           maxDynamicPaths: 256
           isTerminal: true
           elemType: String
-`
+`, bodyV2Column, bodyPromotedColumn)
 		got := plansToYAML(t, key.JSONPlan)
 		require.YAMLEq(t, expectedYAML, got)
 	})
@@ -575,11 +582,11 @@ func TestPlanJSON_EdgeCases(t *testing.T) {
 			expectErr: true,
 		},
 		{
-			name:  "Very deep nesting - validates progression doesn't go negative",
-			path:  "interests[].entities[].reviews[].entries[].metadata[].positions[].name",
-			expectedYAML: `
+			name: "Very deep nesting - validates progression doesn't go negative",
+			path: "interests[].entities[].reviews[].entries[].metadata[].positions[].name",
+			expectedYAML: fmt.Sprintf(`
 - name: interests
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -619,14 +626,14 @@ func TestPlanJSON_EdgeCases(t *testing.T) {
                             - String
                           isTerminal: true
                           elemType: String
-`,
+`, bodyV2Column),
 		},
 		{
-			name:  "Path with mixed scalar and array types",
-			path:  "education[].type",
-			expectedYAML: `
+			name: "Path with mixed scalar and array types",
+			path: "education[].type",
+			expectedYAML: fmt.Sprintf(`
 - name: education
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -639,20 +646,20 @@ func TestPlanJSON_EdgeCases(t *testing.T) {
       maxDynamicTypes: 8
       isTerminal: true
       elemType: String
-`,
+`, bodyV2Column),
 		},
 		{
-			name:  "Exists with only array types available",
-			path:  "education",
-			expectedYAML: `
+			name: "Exists with only array types available",
+			path: "education",
+			expectedYAML: fmt.Sprintf(`
 - name: education
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
   isTerminal: true
   elemType: Array(JSON)
-`,
+`, bodyV2Column),
 		},
 	}
 
@@ -668,8 +675,8 @@ func TestPlanJSON_EdgeCases(t *testing.T) {
 			}
 			key := makeKey(tt.path, keyType, false)
 			err := key.SetJSONAccessPlan(JSONColumnMetadata{
-				BaseColumn:     "body_json",
-				PromotedColumn: "body_json_promoted",
+				BaseColumn:     bodyV2Column,
+				PromotedColumn: bodyPromotedColumn,
 			}, types)
 			if tt.expectErr {
 				require.Error(t, err)
@@ -687,15 +694,15 @@ func TestPlanJSON_TreeStructure(t *testing.T) {
 	path := "education[].awards[].participated[].team[].branch"
 	key := makeKey(path, String, false)
 	err := key.SetJSONAccessPlan(JSONColumnMetadata{
-		BaseColumn:     "body_json",
-		PromotedColumn: "body_json_promoted",
+		BaseColumn:     bodyV2Column,
+		PromotedColumn: bodyPromotedColumn,
 	}, types)
 	require.NoError(t, err)
 	require.Len(t, key.JSONPlan, 1)
 
-	expectedYAML := `
+	expectedYAML := fmt.Sprintf(`
 - name: education
-  column: body_json
+  column: %s
   availableTypes:
     - Array(JSON)
   maxDynamicTypes: 16
@@ -780,7 +787,7 @@ func TestPlanJSON_TreeStructure(t *testing.T) {
                   maxDynamicPaths: 64
                   isTerminal: true
                   elemType: String
-`
+`, bodyV2Column)
 
 	got := plansToYAML(t, key.JSONPlan)
 	require.YAMLEq(t, expectedYAML, got)

pkg/types/telemetrytypes/telemetrytypestest/metadata_store.go

@@ -2,6 +2,7 @@ package telemetrytypestest
 
 import (
 	"context"
+	"slices"
 	"strings"
 
 	schemamigrator "github.com/SigNoz/signoz-otel-collector/cmd/signozschemamigrator/schema_migrator"
@@ -178,8 +179,9 @@ func matchesKey(selector *telemetrytypes.FieldKeySelector, key *telemetrytypes.T
 		return true
 	}
 
+	matchNameExceptions := []string{"body"}
 	// Check name (already checked in matchesName, but double-check here)
-	if selector.Name != "" && !matchesName(selector, key.Name) {
+	if selector.Name != "" && !matchesName(selector, key.Name) && slices.Contains(matchNameExceptions, key.Name) {
 		return false
 	}
 

pkg/types/user.go

@@ -3,6 +3,7 @@ package types
 import (
 	"context"
 	"encoding/json"
+	"slices"
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
@@ -21,6 +22,15 @@ var (
 	ErrAPIKeyAlreadyExists              = errors.MustNewCode("api_key_already_exists")
 	ErrAPIKeyNotFound                   = errors.MustNewCode("api_key_not_found")
 	ErrCodeRootUserOperationUnsupported = errors.MustNewCode("root_user_operation_unsupported")
+	ErrCodeUserStatusDeleted            = errors.MustNewCode("user_status_deleted")
+	ErrCodeUserStatusPendingInvite      = errors.MustNewCode("user_status_pending_invite")
+)
+
+var (
+	UserStatusPendingInvite = valuer.NewString("pending_invite")
+	UserStatusActive        = valuer.NewString("active")
+	UserStatusDeleted       = valuer.NewString("deleted")
+	ValidUserStatus         = []valuer.String{UserStatusPendingInvite, UserStatusActive, UserStatusDeleted}
 )
 
 type GettableUser = User
@@ -29,11 +39,13 @@ type User struct {
 	bun.BaseModel `bun:"table:users"`
 
 	Identifiable
-	DisplayName string       `bun:"display_name" json:"displayName"`
-	Email       valuer.Email `bun:"email" json:"email"`
-	Role        Role         `bun:"role" json:"role"`
-	OrgID       valuer.UUID  `bun:"org_id" json:"orgId"`
-	IsRoot      bool         `bun:"is_root" json:"isRoot"`
+	DisplayName string        `bun:"display_name" json:"displayName"`
+	Email       valuer.Email  `bun:"email" json:"email"`
+	Role        Role          `bun:"role" json:"role"`
+	OrgID       valuer.UUID   `bun:"org_id" json:"orgId"`
+	IsRoot      bool          `bun:"is_root" json:"isRoot"`
+	Status      valuer.String `bun:"status" json:"status"`
+	DeletedAt   time.Time     `bun:"deleted_at" json:"-"`
 	TimeAuditable
 }
 
@@ -45,7 +57,7 @@ type PostableRegisterOrgAndAdmin struct {
 	OrgName        string       `json:"orgName"`
 }
 
-func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUID) (*User, error) {
+func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUID, status valuer.String) (*User, error) {
 	if email.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
 	}
@@ -58,6 +70,10 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "orgID is required")
 	}
 
+	if !slices.Contains(ValidUserStatus, status) {
+		return nil, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "invalid status: %s, allowed status are: %v", status, ValidUserStatus)
+	}
+
 	return &User{
 		Identifiable: Identifiable{
 			ID: valuer.GenerateUUID(),
@@ -67,6 +83,7 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 		Role:        role,
 		OrgID:       orgID,
 		IsRoot:      false,
+		Status:      status,
 		TimeAuditable: TimeAuditable{
 			CreatedAt: time.Now(),
 			UpdatedAt: time.Now(),
@@ -92,6 +109,7 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*Us
 		Role:        RoleAdmin,
 		OrgID:       orgID,
 		IsRoot:      true,
+		Status:      UserStatusActive,
 		TimeAuditable: TimeAuditable{
 			CreatedAt: time.Now(),
 			UpdatedAt: time.Now(),
@@ -111,6 +129,23 @@ func (u *User) Update(displayName string, role Role) {
 	u.UpdatedAt = time.Now()
 }
 
+func (u *User) UpdateStatus(status valuer.String) error {
+	// no updates allowed if user is in delete state
+	if err := u.ErrIfDeleted(); err != nil {
+		return errors.WithAdditionalf(err, "cannot update status of a deleted user")
+	}
+
+	// not udpates allowed from active to pending state
+	if status == UserStatusPendingInvite && u.Status == UserStatusActive {
+		return errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "cannot move user to pending state from active state")
+	}
+
+	u.Status = status
+	u.UpdatedAt = time.Now()
+
+	return nil
+}
+
 // PromoteToRoot promotes the user to a root user with admin role.
 func (u *User) PromoteToRoot() {
 	u.IsRoot = true
@@ -133,12 +168,31 @@ func (u *User) ErrIfRoot() error {
 	return nil
 }
 
+// ErrIfDeleted returns an error if the user is in deleted state.
+// This error can be enriched with specific operation by the called using errors.WithAdditionalf
+func (u *User) ErrIfDeleted() error {
+	if u.Status == UserStatusDeleted {
+		return errors.New(errors.TypeUnsupported, ErrCodeUserStatusDeleted, "unsupported operation for deleted user")
+	}
+	return nil
+}
+
+// ErrIfPending returns an error if the user is in pending invite state.
+// This error can be enriched with specific operation by the called using errors.WithAdditionalf
+func (u *User) ErrIfPending() error {
+	if u.Status == UserStatusPendingInvite {
+		return errors.New(errors.TypeUnsupported, ErrCodeUserStatusPendingInvite, "unsupported operation for pending user")
+	}
+	return nil
+}
+
 func NewTraitsFromUser(user *User) map[string]any {
 	return map[string]any{
 		"name":         user.DisplayName,
 		"role":         user.Role,
 		"email":        user.Email.String(),
 		"display_name": user.DisplayName,
+		"status":       user.Status,
 		"created_at":   user.CreatedAt,
 	}
 }
@@ -160,17 +214,6 @@ func (request *PostableRegisterOrgAndAdmin) UnmarshalJSON(data []byte) error {
 }
 
 type UserStore interface {
-	// invite
-	CreateBulkInvite(ctx context.Context, invites []*Invite) error
-	ListInvite(ctx context.Context, orgID string) ([]*Invite, error)
-	DeleteInvite(ctx context.Context, orgID string, id valuer.UUID) error
-
-	// Get invite by token.
-	GetInviteByToken(ctx context.Context, token string) (*Invite, error)
-
-	// Get invite by email and org.
-	GetInviteByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*Invite, error)
-
 	// Creates a user.
 	CreateUser(ctx context.Context, user *User) error
 
@@ -181,13 +224,13 @@ type UserStore interface {
 	GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*User, error)
 
 	// Get user by email and orgID.
-	GetUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*User, error)
+	GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*User, error)
 
 	// Get users by email.
 	GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*User, error)
 
 	// Get users by role and org.
-	GetUsersByRoleAndOrgID(ctx context.Context, role Role, orgID valuer.UUID) ([]*User, error)
+	GetActiveUsersByRoleAndOrgID(ctx context.Context, role Role, orgID valuer.UUID) ([]*User, error)
 
 	// List users by org.
 	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*User, error)
@@ -195,8 +238,12 @@ type UserStore interface {
 	// List users by email and org ids.
 	ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*User, error)
 
+	// Get users for an org id using emails and statuses
+	GetUsersByEmailsOrgIDAndStatuses(context.Context, valuer.UUID, []string, []string) ([]*User, error)
+
 	UpdateUser(ctx context.Context, orgID valuer.UUID, user *User) error
 	DeleteUser(ctx context.Context, orgID string, id string) error
+	SoftDeleteUser(ctx context.Context, orgID string, id string) error
 
 	// Creates a password.
 	CreatePassword(ctx context.Context, password *FactorPassword) error
@@ -217,10 +264,14 @@ type UserStore interface {
 	CountAPIKeyByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error)
 
 	CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error)
+	CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error)
 
 	// Get root user by org.
 	GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*User, error)
 
+	// Get user by reset password token
+	GetUserByResetPasswordToken(ctx context.Context, token string) (*User, error)
+
 	// Transaction
 	RunInTx(ctx context.Context, cb func(ctx context.Context) error) error
 }

templates/email/invitation.gotmpl

@@ -5,7 +5,7 @@
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
-  <title>You're Invited to Join SigNoz</title>
+  <title>{{.subject}}</title>
 </head>
 
 <body style="margin:0;padding:0;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;line-height:1.6;color:#333;background:#fff">
@@ -41,13 +41,13 @@
                 </tr>
               </table>
               <p style="margin:0 0 16px;font-size:16px;color:#333;line-height:1.6">
-                Accept the invitation to get started.
+                Click the button below to set your password and activate your account:
               </p>
               <table role="presentation" width="100%" cellspacing="0" cellpadding="0" border="0" style="margin:0 0 16px">
                 <tr>
                   <td align="center">
                     <a href="{{.link}}" target="_blank" style="display:inline-block;padding:16px 48px;font-size:16px;font-weight:600;color:#fff;background:#4E74F8;text-decoration:none;border-radius:4px">
-                      Accept Invitation
+                      Set Password
                     </a>
                   </td>
                 </tr>
@@ -60,6 +60,18 @@
                   {{.link}}
                 </a>
               </p>
+              <table role="presentation" width="100%" cellspacing="0" cellpadding="0" border="0" style="margin:0 0 16px">
+                <tr>
+                  <td style="padding:16px;background:#fff4e6;border-radius:6px;border-left:4px solid #ff9800">
+                    <p style="margin:0;font-size:14px;color:#333;line-height:1.6">
+                      <strong>&#9201; This link will expire in {{.Expiry}}.</strong>
+                    </p>
+                  </td>
+                </tr>
+              </table>
+              <p style="margin:0 0 16px;font-size:16px;color:#333;line-height:1.6">
+                If you didn't expect this invitation, please ignore this email. No account will be activated.
+              </p>
               {{ if .format.Help.Enabled }}
               <p style="margin:0 0 16px;font-size:16px;color:#333;line-height:1.6">
                 Need help? Chat with our team in the SigNoz application or email us at <a href="mailto:{{.format.Help.Email}}" style="color:#4E74F8;text-decoration:none">{{.format.Help.Email}}</a>.

tests/integration/src/callbackauthn/02_saml.py

@@ -4,6 +4,7 @@ from typing import Any, Callable, Dict, List
 
 import requests
 from selenium import webdriver
+from sqlalchemy import sql
 from wiremock.resources.mappings import Mapping
 
 from fixtures.auth import (
@@ -570,3 +571,121 @@ def test_saml_empty_name_fallback(
 
     assert found_user is not None
     assert found_user["role"] == "VIEWER"
+
+
+def test_saml_sso_login_activates_pending_invite_user(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Verify that an invited user (pending_invite) who logs in via SAML SSO is
+    auto-activated with the role from the invite, not the SSO default/group role.
+
+    1. Admin invites user as ADMIN
+    2. User exists in IDP with 'signoz-viewers' group (would normally get VIEWER)
+    3. SSO login activates the user with VIEWER role (SSO Wins)
+    """
+    email = "sso-pending-invite@saml.integration.test"
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    # Invite user as ADMIN
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": email, "role": "ADMIN", "name": "SAML SSO Pending User"},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.CREATED
+
+    # Create IDP user in viewer group — SSO would normally assign VIEWER
+    create_user_idp_with_groups(email, "password", True, ["signoz-viewers"])
+
+    perform_saml_login(
+        signoz, driver, get_session_context, idp_login, email, "password"
+    )
+
+    # User should be active with VIEWER role from SSO
+    found_user = get_user_by_email(signoz, admin_token, email)
+    assert found_user is not None
+    assert found_user["status"] == "active"
+    assert found_user["role"] == "VIEWER"
+
+
+def test_saml_sso_deleted_user_gets_new_user_on_login(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp: Callable[[str, str, bool, str, str], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Verify the full deleted-user SAML SSO lifecycle:
+    1. Invite + activate a user (EDITOR)
+    2. Soft delete the user
+    3. SSO login attempt — user should remain deleted (blocked)
+    5. SSO login — new user should created
+    """
+    email = "sso-deleted-lifecycle@saml.integration.test"
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    # --- Step 1: Invite and activate via password reset ---
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": email, "role": "EDITOR", "name": "SAML SSO Lifecycle User"},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.CREATED
+    user_id = response.json()["data"]["id"]
+    reset_token = response.json()["data"]["token"]
+
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "password123Z$", "token": reset_token},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # --- Step 2: Soft delete via DB using API
+    response = requests.delete(
+        signoz.self.host_configs["8080"].get(f"/api/v1/user/{user_id}"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # --- Step 3: SSO login should be blocked for deleted user ---
+    create_user_idp(email, "password", True, "SAML", "Lifecycle")
+
+    perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    # Verify user is NOT reactivated — check via DB since API may filter deleted users
+    with signoz.sqlstore.conn.connect() as conn:
+        result = conn.execute(
+            sql.text("SELECT status FROM users WHERE id = :user_id"),
+            {"user_id": user_id},
+        )
+        row = result.fetchone()
+        assert row is not None
+        assert row[0] == "deleted"
+
+    # Verify a NEW active user was auto-provisioned via SSO
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    found_user = next(
+        (user for user in response.json()["data"] if user["email"] == email and user["id"] != user_id),
+        None,
+    )
+    assert found_user is not None
+    assert found_user["status"] == "active"
+    assert found_user["role"] == "VIEWER"  # default role from SSO domain config

tests/integration/src/callbackauthn/03_oidc.py

@@ -4,6 +4,7 @@ from urllib.parse import urlparse
 
 import requests
 from selenium import webdriver
+from sqlalchemy import sql
 from wiremock.resources.mappings import Mapping
 
 from fixtures.auth import (
@@ -532,3 +533,54 @@ def test_oidc_empty_name_uses_fallback(
     assert found_user is not None
     assert found_user["role"] == "VIEWER"
     # Note: displayName may be empty - this is a known limitation
+
+
+def test_oidc_sso_login_activates_pending_invite_user(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Verify that an invited user (pending_invite) who logs in via OIDC SSO is
+    auto-activated with the role from the invite, not the SSO default/group role.
+
+    1. Admin invites user as ADMIN
+    2. User exists in IDP with 'signoz-viewers' group (would normally get VIEWER)
+    3. SSO login activates the user with VIEWER role (SSO wins)
+    """
+    email = "sso-pending-invite@oidc.integration.test"
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    # Invite user as ADMIN
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": email, "role": "ADMIN", "name": "OIDC SSO Pending User"},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.CREATED
+
+    # Create IDP user in viewer group — SSO would normally assign VIEWER
+    create_user_idp_with_groups(email, "password123", True, ["signoz-viewers"])
+
+    perform_oidc_login(
+        signoz, idp, driver, get_session_context, idp_login, email, "password123"
+    )
+
+    # User should be active with ADMIN role from invite, not VIEWER from SSO
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    found_user = next(
+        (user for user in response.json()["data"] if user["email"] == email),
+        None,
+    )
+    assert found_user is not None
+    assert found_user["status"] == "active"
+    assert found_user["role"] == "VIEWER"

tests/integration/src/passwordauthn/01_register.py

@@ -104,68 +104,49 @@ def test_register(signoz: types.SigNoz, get_token: Callable[[str, str], str]) ->
 def test_invite_and_register(
     signoz: types.SigNoz, get_token: Callable[[str, str], str]
 ) -> None:
+    admin_token = get_token("admin@integration.test", "password123Z$")
     # Generate an invite token for the editor user
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/invite"),
         json={"email": "editor@integration.test", "role": "EDITOR", "name": "editor"},
         timeout=2,
         headers={
-            "Authorization": f"Bearer {get_token("admin@integration.test", "password123Z$")}"
+            "Authorization": f"Bearer {admin_token}"
         },
     )
 
     assert response.status_code == HTTPStatus.CREATED
 
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/invite"),
-        timeout=2,
-        headers={
-            "Authorization": f"Bearer {get_token("admin@integration.test", "password123Z$")}"
-        },
-    )
+    invited_user = response.json()["data"]
+    assert invited_user["email"] == "editor@integration.test"
+    assert invited_user["role"] == "EDITOR"
 
-    invite_response = response.json()["data"]
-    found_invite = next(
-        (
-            invite
-            for invite in invite_response
-            if invite["email"] == "editor@integration.test"
-        ),
-        None,
-    )
+    reset_token = invited_user["token"]
 
-    # Register the editor user using the invite token
+    # Reset the password to complete the invite flow (activates the user and also grants authz)
     response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={
-            "password": "password123Z$",
-            "displayName": "editor",
-            "token": f"{found_invite['token']}",
-        },
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "password123Z$", "token": reset_token},
         timeout=2,
     )
-    assert response.status_code == HTTPStatus.CREATED
+    assert response.status_code == HTTPStatus.NO_CONTENT
 
-    # Verify that the invite token has been deleted
-    response = requests.get(
-        signoz.self.host_configs["8080"].get(f"/api/v1/invite/{found_invite['token']}"),
-        timeout=2,
-    )
-
-    assert response.status_code in (HTTPStatus.NOT_FOUND, HTTPStatus.BAD_REQUEST)
+    # Verify the user can now log in
+    editor_token = get_token("editor@integration.test", "password123Z$")
+    assert editor_token is not None
 
     # Verify that an admin endpoint cannot be called by the editor user
     response = requests.get(
         signoz.self.host_configs["8080"].get("/api/v1/user"),
         timeout=2,
         headers={
-            "Authorization": f"Bearer {get_token("editor@integration.test", "password123Z$")}"
+            "Authorization": f"Bearer {editor_token}"
         },
     )
 
     assert response.status_code == HTTPStatus.FORBIDDEN
 
-    # Verify that the editor has been created
+    # Verify that the editor user status has been updated to ACTIVE
     response = requests.get(
         signoz.self.host_configs["8080"].get("/api/v1/user"),
         timeout=2,
@@ -186,59 +167,40 @@ def test_invite_and_register(
     assert found_user["role"] == "EDITOR"
     assert found_user["displayName"] == "editor"
     assert found_user["email"] == "editor@integration.test"
+    assert found_user["status"] == "active"
 
 
 def test_revoke_invite_and_register(
     signoz: types.SigNoz, get_token: Callable[[str, str], str]
 ) -> None:
     admin_token = get_token("admin@integration.test", "password123Z$")
-    # Generate an invite token for the viewer user
+
+    # Invite the viewer user
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/invite"),
         json={"email": "viewer@integration.test", "role": "VIEWER"},
         timeout=2,
         headers={"Authorization": f"Bearer {admin_token}"},
     )
-
     assert response.status_code == HTTPStatus.CREATED
+    invited_user = response.json()["data"]
+    reset_token = invited_user["token"]
 
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/invite"),
-        timeout=2,
-        headers={
-            "Authorization": f"Bearer {get_token("admin@integration.test", "password123Z$")}"
-        },
-    )
-
-    invite_response = response.json()["data"]
-    found_invite = next(
-        (
-            invite
-            for invite in invite_response
-            if invite["email"] == "viewer@integration.test"
-        ),
-        None,
-    )
-
+    # Delete the pending invite user (revoke the invite)
     response = requests.delete(
-        signoz.self.host_configs["8080"].get(f"/api/v1/invite/{found_invite['id']}"),
+        signoz.self.host_configs["8080"].get(f"/api/v1/user/{invited_user['id']}"),
         timeout=2,
         headers={"Authorization": f"Bearer {admin_token}"},
     )
-
     assert response.status_code == HTTPStatus.NO_CONTENT
 
-    # Try registering the viewer user with the invite token
+
+    # Try to use the reset token — should fail (user deleted)
     response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={
-            "password": "password123Z$",
-            "displayName": "viewer",
-            "token": f"{found_invite["token"]}",
-        },
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "password123Z$", "token": reset_token},
         timeout=2,
     )
-
     assert response.status_code in (HTTPStatus.BAD_REQUEST, HTTPStatus.NOT_FOUND)
 
 
@@ -269,3 +231,85 @@ def test_self_access(
 
     assert response.status_code == HTTPStatus.OK
     assert response.json()["data"]["role"] == "EDITOR"
+
+
+def test_old_invite_flow(signoz: types.SigNoz, get_token: Callable[[str, str], str]):
+    admin_token = get_token("admin@integration.test", "password123Z$")
+
+    # invite a new user
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": "oldinviteflow@integration.test", "role": "VIEWER", "name": "old invite flow"},
+        timeout=2,
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == HTTPStatus.CREATED
+
+    # get the invite token using get api
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        timeout=2,
+        headers={
+            "Authorization": f"Bearer {admin_token}"
+        },
+    )
+
+    invite_response = response.json()["data"]
+    found_invite = next(
+        (
+            invite
+            for invite in invite_response
+            if invite["email"] == "oldinviteflow@integration.test"
+        ),
+        None,
+    )
+
+    # accept the invite
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
+        json={
+            "password": "password123Z$",
+            "displayName": "old invite flow",
+            "token": f"{found_invite['token']}",
+        },
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.CREATED
+
+    # verify the invite token has been deleted
+    response = requests.get(
+        signoz.self.host_configs["8080"].get(f"/api/v1/invite/{found_invite['token']}"),
+        timeout=2,
+    )
+    assert response.status_code in (HTTPStatus.NOT_FOUND, HTTPStatus.BAD_REQUEST)
+
+    # verify that admin endpoints cannot be called
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        timeout=2,
+        headers={
+            "Authorization": f"Bearer {get_token("oldinviteflow@integration.test", "password123Z$")}"
+        },
+    )
+    assert response.status_code == HTTPStatus.FORBIDDEN
+
+    # verify the user has been created
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        timeout=2,
+        headers={
+            "Authorization": f"Bearer {admin_token}"
+        },
+    )
+    assert response.status_code == HTTPStatus.OK
+
+    user_response = response.json()["data"]
+    found_user = next(
+        (user for user in user_response if user["email"] == "oldinviteflow@integration.test"),
+        None,
+    )
+
+    assert found_user is not None
+    assert found_user["role"] == "VIEWER"
+    assert found_user["displayName"] == "old invite flow"
+    assert found_user["email"] == "oldinviteflow@integration.test"

tests/integration/src/passwordauthn/04_password.py

@@ -22,50 +22,17 @@ def test_change_password(
         timeout=2,
         headers={"Authorization": f"Bearer {admin_token}"},
     )
-
     assert response.status_code == HTTPStatus.CREATED
+    invited_user = response.json()["data"]
+    reset_token = invited_user["token"]
 
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/invite"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    invite_response = response.json()["data"]
-    found_invite = next(
-        (
-            invite
-            for invite in invite_response
-            if invite["email"] == "admin+password@integration.test"
-        ),
-        None,
-    )
-
-    # Accept the invite with a bad password which should fail
+    # Reset password to activate user
     response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={
-            "password": "password",
-            "displayName": "admin password",
-            "token": f"{found_invite['token']}",
-        },
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "password123Z$", "token": reset_token},
         timeout=2,
     )
-
-    assert response.status_code == HTTPStatus.BAD_REQUEST
-
-    # Accept the invite with a good password
-    response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={
-            "password": "password123Z$",
-            "displayName": "admin password",
-            "token": f"{found_invite['token']}",
-        },
-        timeout=2,
-    )
-
-    assert response.status_code == HTTPStatus.CREATED
+    assert response.status_code == HTTPStatus.NO_CONTENT
 
     # Get the user id
     response = requests.get(
@@ -301,33 +268,16 @@ def test_forgot_password_creates_reset_token(
     )
     assert response.status_code == HTTPStatus.CREATED
 
-    # Get the invite token
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/invite"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    invite_response = response.json()["data"]
-    found_invite = next(
-        (
-            invite
-            for invite in invite_response
-            if invite["email"] == "forgot@integration.test"
-        ),
-        None,
-    )
+    invited_user = response.json()["data"]
+    reset_token = invited_user["token"]
 
-    # Accept the invite to create the user
+    # Activate user via reset password
     response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={
-            "password": "originalPassword123Z$",
-            "displayName": "forgotpassword user",
-            "token": f"{found_invite['token']}",
-        },
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "originalPassword123Z$", "token": reset_token},
         timeout=2,
     )
-    assert response.status_code == HTTPStatus.CREATED
+    assert response.status_code == HTTPStatus.NO_CONTENT
 
     # Get org ID
     response = requests.get(

tests/integration/src/passwordauthn/05_role.py

@@ -23,20 +23,16 @@ def test_change_role(
 
     assert response.status_code == HTTPStatus.CREATED
 
-    invite_token = response.json()["data"]["token"]
+    invited_user = response.json()["data"]
+    reset_token = invited_user["token"]
 
-    # Accept the invite of the new user
+    # Activate user via reset password
     response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={
-            "password": "password123Z$",
-            "displayName": "role change user",
-            "token": f"{invite_token}",
-        },
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "password123Z$", "token": reset_token},
         timeout=2,
     )
-
-    assert response.status_code == HTTPStatus.CREATED
+    assert response.status_code == HTTPStatus.NO_CONTENT
 
     # Make some API calls as new user
     new_user_token, new_user_refresh_token = get_tokens(

tests/integration/src/passwordauthn/06_duplicate_invite.py

@@ -20,43 +20,39 @@ def test_duplicate_user_invite_rejected(
     """
     admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
 
-    # Step 1: Invite a new user.
-    initial_invite_response = requests.post(
+    # Invite a new user
+    response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/invite"),
         json={"email": DUPLICATE_USER_EMAIL, "role": "EDITOR"},
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=2,
     )
-    assert initial_invite_response.status_code == HTTPStatus.CREATED
-    initial_invite_token = initial_invite_response.json()["data"]["token"]
+    assert response.status_code == HTTPStatus.CREATED
+    invited_user = response.json()["data"]
+    reset_token = invited_user["token"]
 
-    # Step 2: Accept the invite to create the user.
-    initial_accept_response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={"token": initial_invite_token, "password": "password123Z$"},
-        timeout=2,
-    )
-    assert initial_accept_response.status_code == HTTPStatus.CREATED
-
-    # Step 3: Invite the same email again.
-    duplicate_invite_response = requests.post(
+    # Invite the same email again — should fail
+    response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/invite"),
         json={"email": DUPLICATE_USER_EMAIL, "role": "VIEWER"},
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=2,
     )
+    assert response.status_code == HTTPStatus.CONFLICT
 
-    # The invite creation itself may be rejected if the app checks for existing users.
-    if duplicate_invite_response.status_code != HTTPStatus.CREATED:
-        assert duplicate_invite_response.status_code == HTTPStatus.CONFLICT
-        return
-
-    duplicate_invite_token = duplicate_invite_response.json()["data"]["token"]
-
-    # Step 4: Accept the duplicate invite — should fail due to unique constraint.
-    duplicate_accept_response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={"token": duplicate_invite_token, "password": "password123Z$"},
+    # activate the user
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "password123Z$", "token": reset_token},
         timeout=2,
     )
-    assert duplicate_accept_response.status_code == HTTPStatus.CONFLICT
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # Try to invite the same email again — should fail
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": DUPLICATE_USER_EMAIL, "role": "VIEWER"},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.CONFLICT

tests/integration/src/passwordauthn/07_invite_status.py

@@ -0,0 +1,105 @@
+from http import HTTPStatus
+from typing import Callable
+
+import requests
+
+from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD
+from fixtures.types import SigNoz
+
+from sqlalchemy import sql
+
+
+def test_reinvite_deleted_user(
+    signoz: SigNoz,
+    get_token: Callable[[str, str], str],
+):
+    """
+    Verify that a deleted user if re-inivited creates a new user altogether:
+    1. Invite and activate a user
+    2. Call the delete user api
+    3. Re-invite the same email — should succeed and create a new user with pending_invite status
+    4. Reset password for the new user
+    5. Get User API returns two users now, one deleted and one active
+    """
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    reinvite_user_email = "reinvite@integration.test"
+    reinvite_user_name = "reinvite user"
+    reinvite_user_role = "EDITOR"
+    reinvite_user_password = "password123Z$"
+
+    # invite the user
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": reinvite_user_email, "role": reinvite_user_role, "name": reinvite_user_name},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.CREATED
+    invited_user = response.json()["data"]
+    reset_token = invited_user["token"]
+
+    # reset the password to make it active
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": reinvite_user_password, "token": reset_token},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # call the delete api which now soft deletes the user
+    response = requests.delete(
+        signoz.self.host_configs["8080"].get(f"/api/v1/user/{invited_user['id']}"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # Re-invite the same email — should succeed
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": reinvite_user_email, "role": "VIEWER", "name": "reinvite user v2"},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.CREATED
+    reinvited_user = response.json()["data"]
+    assert reinvited_user["role"] == "VIEWER" 
+    assert reinvited_user["id"] != invited_user["id"] # confirms a new user was created
+
+    reinvited_user_reset_password_token = reinvited_user["token"]
+    
+
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "newPassword123Z$", "token": reinvited_user_reset_password_token},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # Verify user can log in with new password
+    user_token = get_token("reinvite@integration.test", "newPassword123Z$")
+    assert user_token is not None
+
+
+def test_bulk_invite(
+    signoz: SigNoz,
+    get_token: Callable[[str, str], str],
+):
+    """
+    Verify the bulk invite endpoint creates multiple pending_invite users.
+    """
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite/bulk"),
+        json={
+            "invites": [
+                {"email": "bulk1@integration.test", "role": "EDITOR", "name": "bulk user 1"},
+                {"email": "bulk2@integration.test", "role": "VIEWER", "name": "bulk user 2"},
+            ]
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=5,
+    )
+    assert response.status_code == HTTPStatus.CREATED

tests/integration/src/passwordauthn/08_user_unique_index.py

@@ -0,0 +1,176 @@
+import uuid
+from http import HTTPStatus
+from typing import Callable
+
+import pytest
+import requests
+from sqlalchemy import sql
+from sqlalchemy.exc import IntegrityError
+
+from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD
+from fixtures.types import SigNoz
+
+UNIQUE_INDEX_USER_EMAIL = "useruniqueindex@integration.test"
+
+
+def test_unique_index_allows_multiple_deleted_rows(
+    signoz: SigNoz,
+    get_token: Callable[[str, str], str],
+):
+    """
+    Verify that the composite unique index on (org_id, email, deleted_at) allows multiple
+    deleted rows for the same (org_id, email) while still enforcing uniqueness among
+    non-deleted rows.
+
+    Non-deleted users share deleted_at=zero-time, so the unique index prevents duplicates.
+    Soft-deleted users each have a distinct deleted_at timestamp, so the index allows
+    multiple deleted rows for the same (org_id, email).
+
+    Steps:
+    1. Invite and soft-delete a user via the API (first deleted row).
+    2. Re-invite and soft-delete the same email via the API (second deleted row).
+    3. Assert via SQL that exactly two deleted rows exist for the email.
+    4. Assert via SQL that inserting one active row succeeds (no conflict — only
+       deleted rows exist), then inserting a second active row for the same
+       (org_id, email) fails with a unique constraint error (both have deleted_at=zero-time).
+    5. Assert via SQL that inserting a third deleted row for the same (org_id, email)
+       with a unique deleted_at succeeds — confirming the index does not cover deleted rows.
+    6. Assert via SQL that the final count of deleted rows is 3.
+    """
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    # Step 1: invite and delete the first user
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": UNIQUE_INDEX_USER_EMAIL, "role": "EDITOR", "name": "unique index user v1"},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert resp.status_code == HTTPStatus.CREATED
+    first_user_id = resp.json()["data"]["id"]
+
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"/api/v1/user/{first_user_id}"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT
+
+    # Step 2: re-invite and delete the same email (second deleted row)
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": UNIQUE_INDEX_USER_EMAIL, "role": "EDITOR", "name": "unique index user v2"},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert resp.status_code == HTTPStatus.CREATED
+    second_user_id = resp.json()["data"]["id"]
+    assert second_user_id != first_user_id
+
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"/api/v1/user/{second_user_id}"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT
+
+    # Step 3: assert the DB has exactly two deleted rows for this email
+    with signoz.sqlstore.conn.connect() as conn:
+        result = conn.execute(
+            sql.text(
+                "SELECT id, deleted_at FROM users"
+                " WHERE email = :email AND deleted_at != :zero_time"
+            ),
+            {"email": UNIQUE_INDEX_USER_EMAIL, "zero_time": "0001-01-01 00:00:00"},
+        )
+        deleted_rows = result.fetchall()
+
+    assert len(deleted_rows) == 2, (
+        f"expected 2 deleted rows for {UNIQUE_INDEX_USER_EMAIL}, got {len(deleted_rows)}"
+    )
+    deleted_ids = {row[0] for row in deleted_rows}
+    assert first_user_id in deleted_ids
+    assert second_user_id in deleted_ids
+
+    # Retrieve org_id for the direct SQL inserts below
+    with signoz.sqlstore.conn.connect() as conn:
+        result = conn.execute(
+            sql.text("SELECT org_id FROM users WHERE id = :id"),
+            {"id": first_user_id},
+        )
+        org_id = result.fetchone()[0]
+
+    # Step 4: the unique index must still block a duplicate non-deleted row.
+    # Both active rows have deleted_at=zero-time, so they share the same (org_id, email, zero-time)
+    # tuple. First insert must succeed (only deleted rows exist so far).
+    # Second insert for the same (org_id, email) with deleted_at=zero-time must fail.
+    active_id = str(uuid.uuid4())
+    with signoz.sqlstore.conn.connect() as conn:
+        conn.execute(
+            sql.text(
+                "INSERT INTO users"
+                " (id, display_name, email, role, org_id, is_root, status, created_at, updated_at, deleted_at)"
+                " VALUES (:id, :display_name, :email, :role, :org_id,"
+                "         false, 'active', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, :zero_time)"
+            ),
+            {
+                "id": active_id,
+                "display_name": "first active row",
+                "email": UNIQUE_INDEX_USER_EMAIL,
+                "role": "EDITOR",
+                "org_id": org_id,
+                "zero_time": "0001-01-01 00:00:00",
+            },
+        )
+        conn.commit()
+
+    with signoz.sqlstore.conn.connect() as conn:
+        with pytest.raises(IntegrityError):
+            conn.execute(
+                sql.text(
+                    "INSERT INTO users"
+                    " (id, display_name, email, role, org_id, is_root, status, created_at, updated_at, deleted_at)"
+                    " VALUES (:id, :display_name, :email, :role, :org_id,"
+                    "         false, 'active', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, :zero_time)"
+                ),
+                {
+                    "id": str(uuid.uuid4()),
+                    "display_name": "should violate index",
+                    "email": UNIQUE_INDEX_USER_EMAIL,
+                    "role": "EDITOR",
+                    "org_id": org_id,
+                    "zero_time": "0001-01-01 00:00:00",
+                },
+            )
+
+    # Step 5: a third deleted row with a unique deleted_at must be accepted
+    with signoz.sqlstore.conn.connect() as conn:
+        conn.execute(
+            sql.text(
+                "INSERT INTO users"
+                " (id, display_name, email, role, org_id, is_root, status, created_at, updated_at, deleted_at)"
+                " VALUES (:id, :display_name, :email, :role, :org_id,"
+                "         false, 'deleted', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)"
+            ),
+            {
+                "id": str(uuid.uuid4()),
+                "display_name": "third deleted row",
+                "email": UNIQUE_INDEX_USER_EMAIL,
+                "role": "EDITOR",
+                "org_id": org_id,
+            },
+        )
+        conn.commit()
+
+    # Step 6: confirm three deleted rows now exist
+    with signoz.sqlstore.conn.connect() as conn:
+        result = conn.execute(
+            sql.text(
+                "SELECT COUNT(*) FROM users"
+                " WHERE email = :email AND deleted_at != :zero_time"
+            ),
+            {"email": UNIQUE_INDEX_USER_EMAIL, "zero_time": "0001-01-01 00:00:00"},
+        )
+        count = result.fetchone()[0]
+
+    assert count == 3, f"expected 3 deleted rows after direct insert, got {count}"

tests/integration/src/role/02_user.py

@@ -34,19 +34,15 @@ def test_user_invite_accept_role_grant(
         timeout=2,
     )
     assert invite_response.status_code == HTTPStatus.CREATED
-    invite_token = invite_response.json()["data"]["token"]
+    invited_user = invite_response.json()["data"]
+    reset_token = invited_user["token"]
 
-    # accept the invite for editor
-    accept_payload = {
-        "token": invite_token,
-        "password": "password123Z$",
-    }
-    accept_response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json=accept_payload,
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": USER_EDITOR_PASSWORD, "token": reset_token},
         timeout=2,
     )
-    assert accept_response.status_code == HTTPStatus.CREATED
+    assert response.status_code == HTTPStatus.NO_CONTENT
 
     # Login with editor email and password
     editor_token = get_token(USER_EDITOR_EMAIL, USER_EDITOR_PASSWORD)