feat: v2 list, delete, pin, unpin dashboards api (#11219)

* fix: compile error fix

* fix: remove soft delete references

* fix: use new pattern of checking for admin permission

* fix: remove soft delete reference

* test: key value tags in test

* fix: build error in patch module method

* feat: method to build postable tags from tags

* fix: build error in Apply method

* chore: remove newline

* fix: remove soft delete references

* fix: build error fix

* chore: embed StorableDashboard in listedRow

* fix: visitor should follow new tag struct

* fix: diff error codes for invalid keys and values

* fix: correct pk in bun model for tag relations

* fix: created and updated by schema

* fix: use coretypes.Kind instead of defining entity type

* fix: singular table name

* chore: remove org ID from tag relation

* feat: foreign key on tag id

* feat: add SyncTags method that covers creation and linking

* fix: remove entity type definition

* fix: fix build errors in dashboard module

* chore: bump migration number

* chore: change entity id to resource id

* fix: add org id filter in all list and delete queries

* fix: remove user auditable

* fix: add ID in tag relation

* fix: fix build error

* fix: fix build error

* chore: bump migration number

* fix: add len check on tags keys and values

* fix: add regex for tags

* chore: remove methods that shouldn't be exposed

* fix: use sync tags in create api

* feat: functional unique index in sql schema

* fix: only ascii in regex

* fix: use sync tags method in update

* fix: use sync tags method in update

* fix: correct the method name being called

* chore: rename create method to createOrGet

* chore: use tagtypestest package for mock store

* chore: combine functional unique index with unique index

* chore: move tag resolution to module

* test: add unit tests for new idx type

* chore: comment out tags unique index for now

* chore: add a todo comment

* chore: comment out unique index test

* feat: add created at to tag relations

* chore: comment out unique index test

* chore: bump migration number

* chore: remove uploaded grafana flag from metadata

* Merge branch 'main' into nv/v2-dashboard-create

* chore: revert idx generation to resolve conflicts

* fix: use store.RunInTx instead of taking in sqlstore

* fix: use binding package to get request

* chore: move NewDashboardV2 to NewDashboardV2WithoutTags

* chore: rename module to m

* fix: add ctx needed in sqlstore

* fix: remove sqlstore passage in ee pkg

* chore: change dashboardData to dashboardSpec

* feat: follow the metadata+spec key structure

* feat: follow the metadata+spec key structure in open api spec

* feat: v2 dashboard GET API (#11136)

* feat: v2 dashboard GET API

* Merge branch 'nv/v2-dashboard-create' into nv/v2-dashboard-get

* chore: update api specs

* fix: remove soft delete references

* chore: embed StorableDashboard into joinedRow in store method

* fix: fix build error

* chore: revert all frontend changes

* fix: remove public dashboard from get v2 call

* chore: revert all frontend changes

* fix: fix build errors post merge conflict resolution

* feat: lock, unlock, create public, update public v2 dashboard APIs (#11167)

* feat: lock, unlock, create public, update public v2 dashboard APIs

* chore: update api specs

* fix: use new pattern of checking for admin permission

* fix: remove soft delete reference

* chore: revert all frontend changes

* fix: fix build errors and remove v2 create/update public apis

* chore: use v1 methods wherever possible

* fix: use update v2 store method

* chore: update frontend schema

* chore: update frontend schema

* chore: generate api specs

* chore: generate api specs

* feat: patch dashboard api (#11182)

* feat: lock, unlock, create public, update public v2 dashboard APIs

* feat: delete dashboard v2 API and hard delete cron job

* feat: patch dashboard api

* chore: update api specs

* chore: update api specs

* chore: update api specs

* chore: remove delete related work

* fix: add examples of structs for value param in param description

* test: unit test fixes

* fix: use new pattern of checking for admin permission

* fix: remove soft delete reference

* test: key value tags in test

* fix: build error in patch module method

* fix: build error in Apply method

* fix: use sync tags method in update

* fix: fix build errors

* fix: fix all patch application tests

* chore: add more mapper methods

* fix: fix build errors

* chore: generate api specs

* fix: update migration numbering

* fix: add missing request struct in list api

* fix: remove hasMore from list response

* chore: bump migration number

* fix: send total count in response + bug fixes

* fix: add source for v2 dashboards

* chore: incorporate source

* chore: incorporate source in api spec

* chore: incorporate source

* fix: remove system dashboards from list v2 response

* fix: add some required fields

* feat: add immutable name in dashboard v2

* feat: add immutable name in dashboard v2

* feat: add immutable name in dashboard v2 api specs

* fix: remove unused param in constructor

* fix: improve api descriptions

* fix: remove unneeded comment

* chore: increase MaxTagsPerDashboard to 10

* fix: set display name in unmarshal json

* chore: remove integration test for now (will add along with list api)

* feat: add validation on dashboard name

* test: fix build errors and tests based on name related changes

* chore: bump migration number

* chore: generate api specs

* fix: fix tests based on name related changes

* fix: dont include full data in list response

* fix: add quotes around tag relation kind

* chore: bump migration number

* fix: correct convertor method name

* test: add unit tests for type conversions

* chore: remove enum def of threshold comparison operator

* feat: add flag to generate unique name in backend

* chore: generate api specs

* chore: make tags required in postable

* fix: build error fix

* chore: bump migration number

* fix: fix build error in test after merge conflict

* fix: remove unused store method

* fix: remove unused module methods

* fix: use v1 store update method

* fix: change data to spec in api param description

* chore: add back accidentally removed tests

* chore: update api spec

* chore: bump migration number

* feat: delete dashboard v2 API (#11299)

* feat: delete dashboard v2 API

* fix: fix post merge build and spec errors

* fix: address review comments

* chore: generate frontend api spec

* fix: add missing name fetch in listv2 store method

* fix: change title to name in api description

* fix: add all error codes for new apis

* test: change data to spec in unit tests

* fix: remove join to public dashboard table in list call

* fix: use valuer string for list order and sort

* test: integration test and fixes found through it

* chore: use same jsonpatch package as done in zeus

* chore: remove JSONPatchDocument and use patchable everywhere

* fix: make remove idempotent in patch

* chore: separate file for patch types

* chore: better error passage

* fix: remove extra decodePatch calls

* fix: use must new org id

* fix: proper error passage

* chore: rename updateable to updatable

* fix: use must new org id

* feat: include list of all dashboard tags in list api response

* fix: remove wrong api description msg

* fix: use must method for user id as well

* chore: add nolint comment

* fix: add missing image field in list response

* chore: regenerate api specs

* fix: make GettableTag a defined type instead of an alias

* fix: dont allow system dashboards to be deleted

* fix: remove public filter from visitor

* chore: use go sqlbuilder

* fix: use ESCAPE literal in contains and like operators

* fix: use correct perses package in list v2 file

* feat: change pinned dashboard table to user dashboard preference table

* fix: delete preferences on dashboard delete

* test: add integration test for pinning

* fix: wrap naked errors

* fix: integration dashboards should not be deletable either

* fix: remove org column in preferences and add foreign key to users table

* chore: add fk from prefs to dashbaord table

* chore: remove outer parenthesis removal function

* test: add unit test to ensure that all reserved keys have handlers

* fix: proper url for pin apis

* fix: delete preferences on user deletion

* test: address integration test comments

* test: change limit

* fix: revert the check in can delete

* fix: remove unit test from ee package

* fix: move list filter to impl to avoid db impl logic in types

* chore: code movement

* feat: add a pin free list dashboards api

* fix: update api specs

* fix: use request query in api defs for list apis

* chore: explicitly mark request as nil in list apis

---------

Co-authored-by: Srikanth Chekuri <srikanth.chekuri92@gmail.com>

docs/api/openapi.yml

@@ -470,6 +470,25 @@ components:
         role:
           type: string
       type: object
+    AuthtypesAuthDomainConfig:
+      oneOf:
+      - $ref: '#/components/schemas/AuthtypesSamlConfig'
+      - $ref: '#/components/schemas/AuthtypesGoogleConfig'
+      - $ref: '#/components/schemas/AuthtypesOIDCConfig'
+      properties:
+        googleAuthConfig:
+          $ref: '#/components/schemas/AuthtypesGoogleConfig'
+        oidcConfig:
+          $ref: '#/components/schemas/AuthtypesOIDCConfig'
+        roleMapping:
+          $ref: '#/components/schemas/AuthtypesRoleMapping'
+        samlConfig:
+          $ref: '#/components/schemas/AuthtypesSamlConfig'
+        ssoEnabled:
+          type: boolean
+        ssoType:
+          $ref: '#/components/schemas/AuthtypesAuthNProvider'
+      type: object
     AuthtypesAuthNProvider:
       enum:
       - google_auth
@@ -496,48 +515,6 @@ components:
           nullable: true
           type: array
       type: object
-    AuthtypesAuthProviderEnvelope:
-      discriminator:
-        mapping:
-          google_auth: '#/components/schemas/AuthtypesAuthProviderGoogle'
-          oidc: '#/components/schemas/AuthtypesAuthProviderOIDC'
-          saml: '#/components/schemas/AuthtypesAuthProviderSAML'
-        propertyName: type
-      oneOf:
-      - $ref: '#/components/schemas/AuthtypesAuthProviderSAML'
-      - $ref: '#/components/schemas/AuthtypesAuthProviderOIDC'
-      - $ref: '#/components/schemas/AuthtypesAuthProviderGoogle'
-      type: object
-    AuthtypesAuthProviderGoogle:
-      properties:
-        config:
-          $ref: '#/components/schemas/AuthtypesGoogleConfig'
-        type:
-          $ref: '#/components/schemas/AuthtypesAuthNProvider'
-      required:
-      - type
-      - config
-      type: object
-    AuthtypesAuthProviderOIDC:
-      properties:
-        config:
-          $ref: '#/components/schemas/AuthtypesOIDCConfig'
-        type:
-          $ref: '#/components/schemas/AuthtypesAuthNProvider'
-      required:
-      - type
-      - config
-      type: object
-    AuthtypesAuthProviderSAML:
-      properties:
-        config:
-          $ref: '#/components/schemas/AuthtypesSAMLConfig'
-        type:
-          $ref: '#/components/schemas/AuthtypesAuthNProvider'
-      required:
-      - type
-      - config
-      type: object
     AuthtypesCallbackAuthNSupport:
       properties:
         provider:
@@ -549,6 +526,8 @@ components:
       properties:
         authNProviderInfo:
           $ref: '#/components/schemas/AuthtypesAuthNProviderInfo'
+        config:
+          $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
         createdAt:
           format: date-time
           type: string
@@ -558,12 +537,6 @@ components:
           type: string
         orgId:
           type: string
-        provider:
-          $ref: '#/components/schemas/AuthtypesAuthProviderEnvelope'
-        roleMapping:
-          $ref: '#/components/schemas/AuthtypesRoleMapping'
-        ssoEnabled:
-          type: boolean
         updatedAt:
           format: date-time
           type: string
@@ -661,14 +634,10 @@ components:
       type: object
     AuthtypesPostableAuthDomain:
       properties:
+        config:
+          $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
         name:
           type: string
-        provider:
-          $ref: '#/components/schemas/AuthtypesAuthProviderEnvelope'
-        roleMapping:
-          $ref: '#/components/schemas/AuthtypesRoleMapping'
-        ssoEnabled:
-          type: boolean
       type: object
     AuthtypesPostableEmailPasswordSession:
       properties:
@@ -741,7 +710,7 @@ components:
         useRoleAttribute:
           type: boolean
       type: object
-    AuthtypesSAMLConfig:
+    AuthtypesSamlConfig:
       properties:
         attributeMapping:
           $ref: '#/components/schemas/AuthtypesAttributeMapping'
@@ -776,12 +745,8 @@ components:
       type: object
     AuthtypesUpdatableAuthDomain:
       properties:
-        provider:
-          $ref: '#/components/schemas/AuthtypesAuthProviderEnvelope'
-        roleMapping:
-          $ref: '#/components/schemas/AuthtypesRoleMapping'
-        ssoEnabled:
-          type: boolean
+        config:
+          $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
       type: object
     AuthtypesUserRole:
       properties:
@@ -2531,10 +2496,17 @@ components:
           $ref: '#/components/schemas/DashboardtypesTimePreference'
       type: object
     DashboardtypesBuilderQuerySpec:
+      discriminator:
+        mapping:
+          logs: '#/components/schemas/Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5LogAggregation'
+          metrics: '#/components/schemas/Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5MetricAggregation'
+          traces: '#/components/schemas/Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5TraceAggregation'
+        propertyName: signal
       oneOf:
       - $ref: '#/components/schemas/Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5LogAggregation'
       - $ref: '#/components/schemas/Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5MetricAggregation'
       - $ref: '#/components/schemas/Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5TraceAggregation'
+      type: object
     DashboardtypesComparisonOperator:
       enum:
       - above
@@ -2623,8 +2595,13 @@ components:
           type: array
       type: object
     DashboardtypesDatasourcePlugin:
+      discriminator:
+        mapping:
+          signoz/Datasource: '#/components/schemas/DashboardtypesDatasourcePluginVariantStruct'
+        propertyName: kind
       oneOf:
       - $ref: '#/components/schemas/DashboardtypesDatasourcePluginVariantStruct'
+      type: object
     DashboardtypesDatasourcePluginKind:
       enum:
       - signoz/Datasource
@@ -2691,7 +2668,7 @@ components:
           $ref: '#/components/schemas/DashboardtypesDashboardSpec'
         tags:
           items:
-            $ref: '#/components/schemas/TagtypesPostableTag'
+            $ref: '#/components/schemas/TagtypesGettableTag'
           nullable: true
           type: array
         updatedAt:
@@ -2768,8 +2745,13 @@ components:
       - path
       type: object
     DashboardtypesLayout:
+      discriminator:
+        mapping:
+          Grid: '#/components/schemas/DashboardtypesLayoutEnvelopeGithubComPersesSpecGoDashboardGridLayoutSpec'
+        propertyName: kind
       oneOf:
       - $ref: '#/components/schemas/DashboardtypesLayoutEnvelopeGithubComPersesSpecGoDashboardGridLayoutSpec'
+      type: object
     DashboardtypesLayoutEnvelopeGithubComPersesSpecGoDashboardGridLayoutSpec:
       properties:
         kind:
@@ -2809,6 +2791,11 @@ components:
       - solid
       - dashed
       type: string
+    DashboardtypesListOrder:
+      enum:
+      - asc
+      - desc
+      type: string
     DashboardtypesListPanelSpec:
       properties:
         selectFields:
@@ -2816,6 +2803,12 @@ components:
             $ref: '#/components/schemas/TelemetrytypesTelemetryFieldKey'
           type: array
       type: object
+    DashboardtypesListSort:
+      enum:
+      - updated_at
+      - created_at
+      - name
+      type: string
     DashboardtypesListVariableSpec:
       properties:
         allowAllValue:
@@ -2838,6 +2831,134 @@ components:
           nullable: true
           type: string
       type: object
+    DashboardtypesListableDashboardForUserV2:
+      properties:
+        dashboards:
+          items:
+            $ref: '#/components/schemas/DashboardtypesListedDashboardForUserV2'
+          type: array
+        tags:
+          items:
+            $ref: '#/components/schemas/TagtypesGettableTag'
+          type: array
+        total:
+          format: int64
+          type: integer
+      required:
+      - dashboards
+      - total
+      - tags
+      type: object
+    DashboardtypesListableDashboardV2:
+      properties:
+        dashboards:
+          items:
+            $ref: '#/components/schemas/DashboardtypesListedDashboardV2'
+          type: array
+        tags:
+          items:
+            $ref: '#/components/schemas/TagtypesGettableTag'
+          type: array
+        total:
+          format: int64
+          type: integer
+      required:
+      - dashboards
+      - total
+      - tags
+      type: object
+    DashboardtypesListedDashboardForUserV2:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        createdBy:
+          type: string
+        id:
+          type: string
+        image:
+          type: string
+        locked:
+          type: boolean
+        name:
+          type: string
+        orgId:
+          type: string
+        pinned:
+          type: boolean
+        schemaVersion:
+          type: string
+        source:
+          $ref: '#/components/schemas/DashboardtypesSource'
+        spec:
+          $ref: '#/components/schemas/DashboardtypesListedDashboardV2Spec'
+        tags:
+          items:
+            $ref: '#/components/schemas/TagtypesGettableTag'
+          type: array
+        updatedAt:
+          format: date-time
+          type: string
+        updatedBy:
+          type: string
+      required:
+      - id
+      - orgId
+      - locked
+      - source
+      - schemaVersion
+      - name
+      - tags
+      - spec
+      - pinned
+      type: object
+    DashboardtypesListedDashboardV2:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        createdBy:
+          type: string
+        id:
+          type: string
+        image:
+          type: string
+        locked:
+          type: boolean
+        name:
+          type: string
+        orgId:
+          type: string
+        schemaVersion:
+          type: string
+        source:
+          $ref: '#/components/schemas/DashboardtypesSource'
+        spec:
+          $ref: '#/components/schemas/DashboardtypesListedDashboardV2Spec'
+        tags:
+          items:
+            $ref: '#/components/schemas/TagtypesGettableTag'
+          type: array
+        updatedAt:
+          format: date-time
+          type: string
+        updatedBy:
+          type: string
+      required:
+      - id
+      - orgId
+      - locked
+      - source
+      - schemaVersion
+      - name
+      - tags
+      - spec
+      type: object
+    DashboardtypesListedDashboardV2Spec:
+      properties:
+        display:
+          $ref: '#/components/schemas/CommonDisplay'
+      type: object
     DashboardtypesNumberPanelSpec:
       properties:
         formatting:
@@ -2869,6 +2990,16 @@ components:
       - Panel
       type: string
     DashboardtypesPanelPlugin:
+      discriminator:
+        mapping:
+          signoz/BarChartPanel: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesBarChartPanelSpec'
+          signoz/HistogramPanel: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesHistogramPanelSpec'
+          signoz/ListPanel: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesListPanelSpec'
+          signoz/NumberPanel: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesNumberPanelSpec'
+          signoz/PieChartPanel: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesPieChartPanelSpec'
+          signoz/TablePanel: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesTablePanelSpec'
+          signoz/TimeSeriesPanel: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesTimeSeriesPanelSpec'
+        propertyName: kind
       oneOf:
       - $ref: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesTimeSeriesPanelSpec'
       - $ref: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesBarChartPanelSpec'
@@ -2877,6 +3008,7 @@ components:
       - $ref: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesTablePanelSpec'
       - $ref: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesHistogramPanelSpec'
       - $ref: '#/components/schemas/DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesListPanelSpec'
+      type: object
     DashboardtypesPanelPluginKind:
       enum:
       - signoz/TimeSeriesPanel
@@ -3055,6 +3187,15 @@ components:
           $ref: '#/components/schemas/DashboardtypesQuerySpec'
       type: object
     DashboardtypesQueryPlugin:
+      discriminator:
+        mapping:
+          signoz/BuilderQuery: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesBuilderQuerySpec'
+          signoz/ClickHouseSQL: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5ClickHouseQuery'
+          signoz/CompositeQuery: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5CompositeQuery'
+          signoz/Formula: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5QueryBuilderFormula'
+          signoz/PromQLQuery: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5PromQuery'
+          signoz/TraceOperator: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5QueryBuilderTraceOperator'
+        propertyName: kind
       oneOf:
       - $ref: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesBuilderQuerySpec'
       - $ref: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5CompositeQuery'
@@ -3062,6 +3203,7 @@ components:
       - $ref: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5PromQuery'
       - $ref: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5ClickHouseQuery'
       - $ref: '#/components/schemas/DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5QueryBuilderTraceOperator'
+      type: object
     DashboardtypesQueryPluginKind:
       enum:
       - signoz/BuilderQuery
@@ -3316,9 +3458,15 @@ components:
           type: boolean
       type: object
     DashboardtypesVariable:
+      discriminator:
+        mapping:
+          ListVariable: '#/components/schemas/DashboardtypesVariableEnvelopeGithubComSigNozSignozPkgTypesDashboardtypesListVariableSpec'
+          TextVariable: '#/components/schemas/DashboardtypesVariableEnvelopeGithubComPersesSpecGoDashboardTextVariableSpec'
+        propertyName: kind
       oneOf:
       - $ref: '#/components/schemas/DashboardtypesVariableEnvelopeGithubComSigNozSignozPkgTypesDashboardtypesListVariableSpec'
       - $ref: '#/components/schemas/DashboardtypesVariableEnvelopeGithubComPersesSpecGoDashboardTextVariableSpec'
+      type: object
     DashboardtypesVariableEnvelopeGithubComPersesSpecGoDashboardTextVariableSpec:
       properties:
         kind:
@@ -3344,10 +3492,17 @@ components:
       - spec
       type: object
     DashboardtypesVariablePlugin:
+      discriminator:
+        mapping:
+          signoz/CustomVariable: '#/components/schemas/DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesCustomVariableSpec'
+          signoz/DynamicVariable: '#/components/schemas/DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesDynamicVariableSpec'
+          signoz/QueryVariable: '#/components/schemas/DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesQueryVariableSpec'
+        propertyName: kind
       oneOf:
       - $ref: '#/components/schemas/DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesDynamicVariableSpec'
       - $ref: '#/components/schemas/DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesQueryVariableSpec'
       - $ref: '#/components/schemas/DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesCustomVariableSpec'
+      type: object
     DashboardtypesVariablePluginKind:
       enum:
       - signoz/DynamicVariable
@@ -5550,11 +5705,15 @@ components:
             $ref: '#/components/schemas/TelemetrytypesTelemetryFieldKey'
           type: array
         signal:
-          $ref: '#/components/schemas/TelemetrytypesSignal'
+          enum:
+          - logs
+          type: string
         source:
           $ref: '#/components/schemas/TelemetrytypesSource'
         stepInterval:
           $ref: '#/components/schemas/Querybuildertypesv5Step'
+      required:
+      - signal
       type: object
     Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5MetricAggregation:
       properties:
@@ -5601,11 +5760,15 @@ components:
             $ref: '#/components/schemas/TelemetrytypesTelemetryFieldKey'
           type: array
         signal:
-          $ref: '#/components/schemas/TelemetrytypesSignal'
+          enum:
+          - metrics
+          type: string
         source:
           $ref: '#/components/schemas/TelemetrytypesSource'
         stepInterval:
           $ref: '#/components/schemas/Querybuildertypesv5Step'
+      required:
+      - signal
       type: object
     Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5TraceAggregation:
       properties:
@@ -5652,11 +5815,15 @@ components:
             $ref: '#/components/schemas/TelemetrytypesTelemetryFieldKey'
           type: array
         signal:
-          $ref: '#/components/schemas/TelemetrytypesSignal'
+          enum:
+          - traces
+          type: string
         source:
           $ref: '#/components/schemas/TelemetrytypesSource'
         stepInterval:
           $ref: '#/components/schemas/Querybuildertypesv5Step'
+      required:
+      - signal
       type: object
     Querybuildertypesv5QueryBuilderTraceOperator:
       properties:
@@ -7097,6 +7264,16 @@ components:
       required:
       - references
       type: object
+    TagtypesGettableTag:
+      properties:
+        key:
+          type: string
+        value:
+          type: string
+      required:
+      - key
+      - value
+      type: object
     TagtypesPostableTag:
       properties:
         key:
@@ -13132,6 +13309,82 @@ paths:
       tags:
       - preferences
   /api/v2/dashboards:
+    get:
+      deprecated: false
+      description: Returns a page of v2-shape dashboards for the org. This is the
+        pure, user-independent list — it carries no pin state. Use ListDashboardsForUserV2
+        for the personalized, pin-aware list. Supports a filter DSL (`query`), sort
+        (`updated_at`/`created_at`/`name`), order (`asc`/`desc`), and offset-based
+        pagination (`limit`/`offset`).
+      operationId: ListDashboardsV2
+      parameters:
+      - in: query
+        name: query
+        schema:
+          type: string
+      - in: query
+        name: sort
+        schema:
+          $ref: '#/components/schemas/DashboardtypesListSort'
+      - in: query
+        name: order
+        schema:
+          $ref: '#/components/schemas/DashboardtypesListOrder'
+      - in: query
+        name: limit
+        schema:
+          type: integer
+      - in: query
+        name: offset
+        schema:
+          type: integer
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/DashboardtypesListableDashboardV2'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - VIEWER
+      - tokenizer:
+        - VIEWER
+      summary: List dashboards (v2)
+      tags:
+      - dashboard
     post:
       deprecated: false
       description: This endpoint creates a dashboard in the v2 format that follows
@@ -13190,6 +13443,62 @@ paths:
       tags:
       - dashboard
   /api/v2/dashboards/{id}:
+    delete:
+      deprecated: false
+      description: This endpoint deletes a v2-shape dashboard along with its tag relations.
+        Locked dashboards are rejected.
+      operationId: DeleteDashboardV2
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - EDITOR
+      - tokenizer:
+        - EDITOR
+      summary: Delete dashboard (v2)
+      tags:
+      - dashboard
     get:
       deprecated: false
       description: This endpoint returns a v2-shape dashboard.
@@ -20412,6 +20721,196 @@ paths:
       summary: Update my user v2
       tags:
       - users
+  /api/v2/users/me/dashboards:
+    get:
+      deprecated: false
+      description: 'Same as ListDashboardsV2 but personalized for the calling user:
+        each dashboard carries the caller''s `pinned` state, and pinned dashboards
+        float to the top of the requested ordering. Supports the same filter DSL,
+        sort, order, and pagination.'
+      operationId: ListDashboardsForUserV2
+      parameters:
+      - in: query
+        name: query
+        schema:
+          type: string
+      - in: query
+        name: sort
+        schema:
+          $ref: '#/components/schemas/DashboardtypesListSort'
+      - in: query
+        name: order
+        schema:
+          $ref: '#/components/schemas/DashboardtypesListOrder'
+      - in: query
+        name: limit
+        schema:
+          type: integer
+      - in: query
+        name: offset
+        schema:
+          type: integer
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/DashboardtypesListableDashboardForUserV2'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - VIEWER
+      - tokenizer:
+        - VIEWER
+      summary: List dashboards for the current user (v2)
+      tags:
+      - dashboard
+  /api/v2/users/me/dashboards/{id}/pins:
+    delete:
+      deprecated: false
+      description: Removes the pin for the calling user. Idempotent — unpinning a
+        dashboard that wasn't pinned still returns 204.
+      operationId: UnpinDashboardV2
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - VIEWER
+      - tokenizer:
+        - VIEWER
+      summary: Unpin a dashboard for the current user (v2)
+      tags:
+      - dashboard
+    put:
+      deprecated: false
+      description: Pins the dashboard for the calling user. A user can pin at most
+        10 dashboards; pinning when at the limit returns 409. Re-pinning an already-pinned
+        dashboard is a no-op success.
+      operationId: PinDashboardV2
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "409":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Conflict
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - VIEWER
+      - tokenizer:
+        - VIEWER
+      summary: Pin a dashboard for the current user (v2)
+      tags:
+      - dashboard
   /api/v2/users/me/factor_password:
     put:
       deprecated: false

docs/contributing/go/handler.md

@@ -333,6 +333,50 @@ func (Step) JSONSchema() (jsonschema.Schema, error) {
 }
 ```
 
+### `oneOf` with a discriminator
+
+For a sum type whose variants are keyed by a property (e.g. `kind`), expose the variants via `JSONSchemaOneOf()` and add a discriminator. Without it, code generators intersect the variants (`A & B & C`) instead of producing a clean discriminated union (`A | B | C`).
+
+The parent keeps its `JSONSchemaOneOf()` (the `oneOf` itself) and *additionally* tags it via `PrepareJSONSchema` with the `x-signoz-discriminator` extension; `signoz.attachDiscriminators` then promotes that marker to a real OpenAPI 3 `discriminator` (and strips the duplicate parent properties) after reflection.
+
+```go
+// On the parent: expose the oneOf variants...
+func (Plugin) JSONSchemaOneOf() []any {
+    return []any{FooVariant{}}
+}
+
+// ...and tag that same oneOf with the discriminator marker.
+func (Plugin) PrepareJSONSchema(s *jsonschema.Schema) error {
+    if s.ExtraProperties == nil {
+        s.ExtraProperties = map[string]any{}
+    }
+    s.ExtraProperties["x-signoz-discriminator"] = map[string]any{
+        "propertyName": "kind",
+        "mapping": map[string]string{
+            "signoz/Foo": "#/components/schemas/FooVariant",
+        },
+    }
+    return nil
+}
+```
+
+Each variant must declare the discriminator property (`kind`) and mark it `required`. 
+
+This produces the following in the generated OpenAPI spec:
+
+```yaml
+Plugin:
+  discriminator:
+    propertyName: kind
+    mapping:
+      signoz/Foo: '#/components/schemas/FooVariant'
+  oneOf:
+  - $ref: '#/components/schemas/FooVariant'
+  type: object
+```
+
+Note the discriminator property lives in the variants, not on the parent — the parent is only the union.
+
 
 ## What should I remember?
 

ee/authn/callbackauthn/oidccallbackauthn/authn.go

@@ -53,7 +53,7 @@ func New(store authtypes.AuthNStore, licensing licensing.Licensing, providerSett
 }
 
 func (a *AuthN) LoginURL(ctx context.Context, siteURL *url.URL, authDomain *authtypes.AuthDomain) (string, error) {
-	if authDomain.AuthDomainConfig().Provider.Type != authtypes.AuthNProviderOIDC {
+	if authDomain.AuthDomainConfig().AuthNProvider != authtypes.AuthNProviderOIDC {
 		return "", errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthDomainMismatch, "domain type is not oidc")
 	}
 
@@ -106,14 +106,14 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, err
 	}
 
-	if claims == nil && authDomain.AuthDomainConfig().Oidc().GetUserInfo {
+	if claims == nil && authDomain.AuthDomainConfig().OIDC.GetUserInfo {
 		claims, err = a.claimsFromUserInfo(ctx, oidcProvider, token)
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	emailClaim, ok := claims[authDomain.AuthDomainConfig().Oidc().ClaimMapping.Email].(string)
+	emailClaim, ok := claims[authDomain.AuthDomainConfig().OIDC.ClaimMapping.Email].(string)
 	if !ok {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "oidc: missing email in claims")
 	}
@@ -123,7 +123,7 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "oidc: failed to parse email").WithAdditional(err.Error())
 	}
 
-	if !authDomain.AuthDomainConfig().Oidc().InsecureSkipEmailVerified {
+	if !authDomain.AuthDomainConfig().OIDC.InsecureSkipEmailVerified {
 		emailVerifiedClaim, ok := claims["email_verified"].(bool)
 		if !ok {
 			return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "oidc: missing email_verified in claims")
@@ -135,14 +135,14 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 	}
 
 	name := ""
-	if nameClaim := authDomain.AuthDomainConfig().Oidc().ClaimMapping.Name; nameClaim != "" {
+	if nameClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Name; nameClaim != "" {
 		if n, ok := claims[nameClaim].(string); ok {
 			name = n
 		}
 	}
 
 	var groups []string
-	if groupsClaim := authDomain.AuthDomainConfig().Oidc().ClaimMapping.Groups; groupsClaim != "" {
+	if groupsClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Groups; groupsClaim != "" {
 		if claimValue, exists := claims[groupsClaim]; exists {
 			switch g := claimValue.(type) {
 			case []any:
@@ -161,7 +161,7 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 	}
 
 	role := ""
-	if roleClaim := authDomain.AuthDomainConfig().Oidc().ClaimMapping.Role; roleClaim != "" {
+	if roleClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Role; roleClaim != "" {
 		if r, ok := claims[roleClaim].(string); ok {
 			role = r
 		}
@@ -177,11 +177,11 @@ func (a *AuthN) ProviderInfo(ctx context.Context, authDomain *authtypes.AuthDoma
 }
 
 func (a *AuthN) oidcProviderAndoauth2Config(ctx context.Context, siteURL *url.URL, authDomain *authtypes.AuthDomain) (*oidc.Provider, *oauth2.Config, error) {
-	if authDomain.AuthDomainConfig().Oidc().IssuerAlias != "" {
-		ctx = oidc.InsecureIssuerURLContext(ctx, authDomain.AuthDomainConfig().Oidc().IssuerAlias)
+	if authDomain.AuthDomainConfig().OIDC.IssuerAlias != "" {
+		ctx = oidc.InsecureIssuerURLContext(ctx, authDomain.AuthDomainConfig().OIDC.IssuerAlias)
 	}
 
-	oidcProvider, err := oidc.NewProvider(ctx, authDomain.AuthDomainConfig().Oidc().Issuer)
+	oidcProvider, err := oidc.NewProvider(ctx, authDomain.AuthDomainConfig().OIDC.Issuer)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -194,8 +194,8 @@ func (a *AuthN) oidcProviderAndoauth2Config(ctx context.Context, siteURL *url.UR
 	}
 
 	return oidcProvider, &oauth2.Config{
-		ClientID:     authDomain.AuthDomainConfig().Oidc().ClientID,
-		ClientSecret: authDomain.AuthDomainConfig().Oidc().ClientSecret,
+		ClientID:     authDomain.AuthDomainConfig().OIDC.ClientID,
+		ClientSecret: authDomain.AuthDomainConfig().OIDC.ClientSecret,
 		Endpoint:     oidcProvider.Endpoint(),
 		Scopes:       scopes,
 		RedirectURL: (&url.URL{
@@ -212,7 +212,7 @@ func (a *AuthN) claimsFromIDToken(ctx context.Context, authDomain *authtypes.Aut
 		return nil, errors.New(errors.TypeNotFound, errors.CodeNotFound, "oidc: no id_token in token response")
 	}
 
-	verifier := provider.Verifier(&oidc.Config{ClientID: authDomain.AuthDomainConfig().Oidc().ClientID})
+	verifier := provider.Verifier(&oidc.Config{ClientID: authDomain.AuthDomainConfig().OIDC.ClientID})
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
 		return nil, errors.Newf(errors.TypeForbidden, errors.CodeForbidden, "oidc: failed to verify token").WithAdditional(err.Error())

ee/authn/callbackauthn/samlcallbackauthn/authn.go

@@ -40,7 +40,7 @@ func New(ctx context.Context, store authtypes.AuthNStore, licensing licensing.Li
 }
 
 func (a *AuthN) LoginURL(ctx context.Context, siteURL *url.URL, authDomain *authtypes.AuthDomain) (string, error) {
-	if authDomain.AuthDomainConfig().Provider.Type != authtypes.AuthNProviderSAML {
+	if authDomain.AuthDomainConfig().AuthNProvider != authtypes.AuthNProviderSAML {
 		return "", errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthDomainMismatch, "saml: domain type is not saml")
 	}
 
@@ -101,19 +101,19 @@ func (a *AuthN) HandleCallback(ctx context.Context, formValues url.Values) (*aut
 	}
 
 	name := ""
-	if nameAttribute := authDomain.AuthDomainConfig().Saml().AttributeMapping.Name; nameAttribute != "" {
+	if nameAttribute := authDomain.AuthDomainConfig().SAML.AttributeMapping.Name; nameAttribute != "" {
 		if val := assertionInfo.Values.Get(nameAttribute); val != "" {
 			name = val
 		}
 	}
 
 	var groups []string
-	if groupAttribute := authDomain.AuthDomainConfig().Saml().AttributeMapping.Groups; groupAttribute != "" {
+	if groupAttribute := authDomain.AuthDomainConfig().SAML.AttributeMapping.Groups; groupAttribute != "" {
 		groups = assertionInfo.Values.GetAll(groupAttribute)
 	}
 
 	role := ""
-	if roleAttribute := authDomain.AuthDomainConfig().Saml().AttributeMapping.Role; roleAttribute != "" {
+	if roleAttribute := authDomain.AuthDomainConfig().SAML.AttributeMapping.Role; roleAttribute != "" {
 		if val := assertionInfo.Values.Get(roleAttribute); val != "" {
 			role = val
 		}
@@ -142,11 +142,11 @@ func (a *AuthN) serviceProvider(siteURL *url.URL, authDomain *authtypes.AuthDoma
 	// The ServiceProviderIssuer is the client id in case of keycloak. Since we set it to the host here, we need to set the client id == host in keycloak.
 	// For AWSSSO, this is the value of Application SAML audience.
 	return &saml2.SAMLServiceProvider{
-		IdentityProviderSSOURL:      authDomain.AuthDomainConfig().Saml().SamlIdp,
-		IdentityProviderIssuer:      authDomain.AuthDomainConfig().Saml().SamlEntity,
+		IdentityProviderSSOURL:      authDomain.AuthDomainConfig().SAML.SamlIdp,
+		IdentityProviderIssuer:      authDomain.AuthDomainConfig().SAML.SamlEntity,
 		ServiceProviderIssuer:       siteURL.Host,
 		AssertionConsumerServiceURL: acsURL.String(),
-		SignAuthnRequests:           !authDomain.AuthDomainConfig().Saml().InsecureSkipAuthNRequestsSigned,
+		SignAuthnRequests:           !authDomain.AuthDomainConfig().SAML.InsecureSkipAuthNRequestsSigned,
 		AllowMissingAttributes:      true,
 		IDPCertificateStore:         certStore,
 		SPKeyStore:                  dsig.RandomKeyStoreForTest(),
@@ -159,15 +159,15 @@ func (a *AuthN) getCertificateStore(authDomain *authtypes.AuthDomain) (dsig.X509
 	}
 
 	var certBytes []byte
-	if strings.Contains(authDomain.AuthDomainConfig().Saml().SamlCert, "-----BEGIN CERTIFICATE-----") {
-		block, _ := pem.Decode([]byte(authDomain.AuthDomainConfig().Saml().SamlCert))
+	if strings.Contains(authDomain.AuthDomainConfig().SAML.SamlCert, "-----BEGIN CERTIFICATE-----") {
+		block, _ := pem.Decode([]byte(authDomain.AuthDomainConfig().SAML.SamlCert))
 		if block == nil {
 			return certStore, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "no valid pem cert found")
 		}
 
 		certBytes = block.Bytes
 	} else {
-		certData, err := base64.StdEncoding.DecodeString(authDomain.AuthDomainConfig().Saml().SamlCert)
+		certData, err := base64.StdEncoding.DecodeString(authDomain.AuthDomainConfig().SAML.SamlCert)
 		if err != nil {
 			return certStore, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "failed to read certificate: %s", err.Error())
 		}

ee/modules/dashboard/impldashboard/module.go

@@ -229,10 +229,39 @@ func (module *module) PatchV2(ctx context.Context, orgID valuer.UUID, id valuer.
 	return module.pkgDashboardModule.PatchV2(ctx, orgID, id, updatedBy, patch)
 }
 
+func (module *module) DeleteV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
+	return module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if err := module.store.DeletePublic(ctx, id.String()); err != nil && !errors.Ast(err, errors.TypeNotFound) {
+			return err
+		}
+		return module.pkgDashboardModule.DeleteV2(ctx, orgID, id)
+	})
+}
+
 func (module *module) LockUnlockV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, isAdmin bool, lock bool) error {
 	return module.pkgDashboardModule.LockUnlockV2(ctx, orgID, id, updatedBy, isAdmin, lock)
 }
 
+func (module *module) ListV2(ctx context.Context, orgID valuer.UUID, params *dashboardtypes.ListDashboardsV2Params) (*dashboardtypes.ListableDashboardV2, error) {
+	return module.pkgDashboardModule.ListV2(ctx, orgID, params)
+}
+
+func (module *module) ListForUserV2(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, params *dashboardtypes.ListDashboardsV2Params) (*dashboardtypes.ListableDashboardForUserV2, error) {
+	return module.pkgDashboardModule.ListForUserV2(ctx, orgID, userID, params)
+}
+
+func (module *module) PinV2(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, id valuer.UUID) error {
+	return module.pkgDashboardModule.PinV2(ctx, orgID, userID, id)
+}
+
+func (module *module) UnpinV2(ctx context.Context, userID valuer.UUID, id valuer.UUID) error {
+	return module.pkgDashboardModule.UnpinV2(ctx, userID, id)
+}
+
+func (module *module) DeletePreferencesForUser(ctx context.Context, userID valuer.UUID) error {
+	return module.pkgDashboardModule.DeletePreferencesForUser(ctx, userID)
+}
+
 func (module *module) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*dashboardtypes.Dashboard, error) {
 	return module.pkgDashboardModule.Get(ctx, orgID, id)
 }

ee/sqlstore/postgressqlstore/formatter.go

@@ -16,10 +16,11 @@ func newFormatter(dialect schema.Dialect) sqlstore.SQLFormatter {
 }
 
 func (f *formatter) JSONExtractString(column, path string) []byte {
-	var sql []byte
-	sql = f.bunf.AppendIdent(sql, column)
-	sql = append(sql, f.convertJSONPathToPostgres(path)...)
-	return sql
+	ops := f.convertJSONPathToPostgres(path)
+	if len(ops) == 0 {
+		return f.bunf.AppendIdent(nil, column)
+	}
+	return append(f.TextToJsonColumn(column), ops...)
 }
 
 func (f *formatter) JSONType(column, path string) []byte {

ee/sqlstore/postgressqlstore/formatter_test.go

@@ -18,19 +18,19 @@ func TestJSONExtractString(t *testing.T) {
 			name:     "simple path",
 			column:   "data",
 			path:     "$.field",
-			expected: `"data"->>'field'`,
+			expected: `"data"::jsonb->>'field'`,
 		},
 		{
 			name:     "nested path",
 			column:   "metadata",
 			path:     "$.user.name",
-			expected: `"metadata"->'user'->>'name'`,
+			expected: `"metadata"::jsonb->'user'->>'name'`,
 		},
 		{
 			name:     "deeply nested path",
 			column:   "json_col",
 			path:     "$.level1.level2.level3",
-			expected: `"json_col"->'level1'->'level2'->>'level3'`,
+			expected: `"json_col"::jsonb->'level1'->'level2'->>'level3'`,
 		},
 		{
 			name:     "root path",

frontend/src/api/generated/services/dashboard/index.ts

@@ -26,6 +26,7 @@ import type {
 	DashboardtypesPostablePublicDashboardDTO,
 	DashboardtypesUpdatableDashboardV2DTO,
 	DashboardtypesUpdatablePublicDashboardDTO,
+	DeleteDashboardV2PathParameters,
 	DeletePublicDashboardPathParameters,
 	GetDashboardV2200,
 	GetDashboardV2PathParameters,
@@ -35,11 +36,17 @@ import type {
 	GetPublicDashboardPathParameters,
 	GetPublicDashboardWidgetQueryRange200,
 	GetPublicDashboardWidgetQueryRangePathParameters,
+	ListDashboardsForUserV2200,
+	ListDashboardsForUserV2Params,
+	ListDashboardsV2200,
+	ListDashboardsV2Params,
 	LockDashboardV2PathParameters,
 	PatchDashboardV2200,
 	PatchDashboardV2PathParameters,
+	PinDashboardV2PathParameters,
 	RenderErrorResponseDTO,
 	UnlockDashboardV2PathParameters,
+	UnpinDashboardV2PathParameters,
 	UpdateDashboardV2200,
 	UpdateDashboardV2PathParameters,
 	UpdatePublicDashboardPathParameters,
@@ -641,6 +648,103 @@ export const invalidateGetPublicDashboardWidgetQueryRange = async (
 	return queryClient;
 };
 
+/**
+ * Returns a page of v2-shape dashboards for the org. This is the pure, user-independent list — it carries no pin state. Use ListDashboardsForUserV2 for the personalized, pin-aware list. Supports a filter DSL (`query`), sort (`updated_at`/`created_at`/`name`), order (`asc`/`desc`), and offset-based pagination (`limit`/`offset`).
+ * @summary List dashboards (v2)
+ */
+export const listDashboardsV2 = (
+	params?: ListDashboardsV2Params,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<ListDashboardsV2200>({
+		url: `/api/v2/dashboards`,
+		method: 'GET',
+		params,
+		signal,
+	});
+};
+
+export const getListDashboardsV2QueryKey = (
+	params?: ListDashboardsV2Params,
+) => {
+	return [`/api/v2/dashboards`, ...(params ? [params] : [])] as const;
+};
+
+export const getListDashboardsV2QueryOptions = <
+	TData = Awaited<ReturnType<typeof listDashboardsV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>,
+>(
+	params?: ListDashboardsV2Params,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof listDashboardsV2>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getListDashboardsV2QueryKey(params);
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof listDashboardsV2>>> = ({
+		signal,
+	}) => listDashboardsV2(params, signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof listDashboardsV2>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type ListDashboardsV2QueryResult = NonNullable<
+	Awaited<ReturnType<typeof listDashboardsV2>>
+>;
+export type ListDashboardsV2QueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary List dashboards (v2)
+ */
+
+export function useListDashboardsV2<
+	TData = Awaited<ReturnType<typeof listDashboardsV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>,
+>(
+	params?: ListDashboardsV2Params,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof listDashboardsV2>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getListDashboardsV2QueryOptions(params, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	return { ...query, queryKey: queryOptions.queryKey };
+}
+
+/**
+ * @summary List dashboards (v2)
+ */
+export const invalidateListDashboardsV2 = async (
+	queryClient: QueryClient,
+	params?: ListDashboardsV2Params,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getListDashboardsV2QueryKey(params) },
+		options,
+	);
+
+	return queryClient;
+};
+
 /**
  * This endpoint creates a dashboard in the v2 format that follows Perses spec.
  * @summary Create dashboard (v2)
@@ -724,6 +828,85 @@ export const useCreateDashboardV2 = <
 > => {
 	return useMutation(getCreateDashboardV2MutationOptions(options));
 };
+/**
+ * This endpoint deletes a v2-shape dashboard along with its tag relations. Locked dashboards are rejected.
+ * @summary Delete dashboard (v2)
+ */
+export const deleteDashboardV2 = (
+	{ id }: DeleteDashboardV2PathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v2/dashboards/${id}`,
+		method: 'DELETE',
+		signal,
+	});
+};
+
+export const getDeleteDashboardV2MutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof deleteDashboardV2>>,
+		TError,
+		{ pathParams: DeleteDashboardV2PathParameters },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof deleteDashboardV2>>,
+	TError,
+	{ pathParams: DeleteDashboardV2PathParameters },
+	TContext
+> => {
+	const mutationKey = ['deleteDashboardV2'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+			'mutationKey' in options.mutation &&
+			options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof deleteDashboardV2>>,
+		{ pathParams: DeleteDashboardV2PathParameters }
+	> = (props) => {
+		const { pathParams } = props ?? {};
+
+		return deleteDashboardV2(pathParams);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type DeleteDashboardV2MutationResult = NonNullable<
+	Awaited<ReturnType<typeof deleteDashboardV2>>
+>;
+
+export type DeleteDashboardV2MutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Delete dashboard (v2)
+ */
+export const useDeleteDashboardV2 = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof deleteDashboardV2>>,
+		TError,
+		{ pathParams: DeleteDashboardV2PathParameters },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof deleteDashboardV2>>,
+	TError,
+	{ pathParams: DeleteDashboardV2PathParameters },
+	TContext
+> => {
+	return useMutation(getDeleteDashboardV2MutationOptions(options));
+};
 /**
  * This endpoint returns a v2-shape dashboard.
  * @summary Get dashboard (v2)
@@ -1181,3 +1364,260 @@ export const useLockDashboardV2 = <
 > => {
 	return useMutation(getLockDashboardV2MutationOptions(options));
 };
+/**
+ * Same as ListDashboardsV2 but personalized for the calling user: each dashboard carries the caller's `pinned` state, and pinned dashboards float to the top of the requested ordering. Supports the same filter DSL, sort, order, and pagination.
+ * @summary List dashboards for the current user (v2)
+ */
+export const listDashboardsForUserV2 = (
+	params?: ListDashboardsForUserV2Params,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<ListDashboardsForUserV2200>({
+		url: `/api/v2/users/me/dashboards`,
+		method: 'GET',
+		params,
+		signal,
+	});
+};
+
+export const getListDashboardsForUserV2QueryKey = (
+	params?: ListDashboardsForUserV2Params,
+) => {
+	return [`/api/v2/users/me/dashboards`, ...(params ? [params] : [])] as const;
+};
+
+export const getListDashboardsForUserV2QueryOptions = <
+	TData = Awaited<ReturnType<typeof listDashboardsForUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>,
+>(
+	params?: ListDashboardsForUserV2Params,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof listDashboardsForUserV2>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey =
+		queryOptions?.queryKey ?? getListDashboardsForUserV2QueryKey(params);
+
+	const queryFn: QueryFunction<
+		Awaited<ReturnType<typeof listDashboardsForUserV2>>
+	> = ({ signal }) => listDashboardsForUserV2(params, signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof listDashboardsForUserV2>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type ListDashboardsForUserV2QueryResult = NonNullable<
+	Awaited<ReturnType<typeof listDashboardsForUserV2>>
+>;
+export type ListDashboardsForUserV2QueryError =
+	ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary List dashboards for the current user (v2)
+ */
+
+export function useListDashboardsForUserV2<
+	TData = Awaited<ReturnType<typeof listDashboardsForUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>,
+>(
+	params?: ListDashboardsForUserV2Params,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof listDashboardsForUserV2>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getListDashboardsForUserV2QueryOptions(params, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	return { ...query, queryKey: queryOptions.queryKey };
+}
+
+/**
+ * @summary List dashboards for the current user (v2)
+ */
+export const invalidateListDashboardsForUserV2 = async (
+	queryClient: QueryClient,
+	params?: ListDashboardsForUserV2Params,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getListDashboardsForUserV2QueryKey(params) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * Removes the pin for the calling user. Idempotent — unpinning a dashboard that wasn't pinned still returns 204.
+ * @summary Unpin a dashboard for the current user (v2)
+ */
+export const unpinDashboardV2 = (
+	{ id }: UnpinDashboardV2PathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v2/users/me/dashboards/${id}/pins`,
+		method: 'DELETE',
+		signal,
+	});
+};
+
+export const getUnpinDashboardV2MutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof unpinDashboardV2>>,
+		TError,
+		{ pathParams: UnpinDashboardV2PathParameters },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof unpinDashboardV2>>,
+	TError,
+	{ pathParams: UnpinDashboardV2PathParameters },
+	TContext
+> => {
+	const mutationKey = ['unpinDashboardV2'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+			'mutationKey' in options.mutation &&
+			options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof unpinDashboardV2>>,
+		{ pathParams: UnpinDashboardV2PathParameters }
+	> = (props) => {
+		const { pathParams } = props ?? {};
+
+		return unpinDashboardV2(pathParams);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UnpinDashboardV2MutationResult = NonNullable<
+	Awaited<ReturnType<typeof unpinDashboardV2>>
+>;
+
+export type UnpinDashboardV2MutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Unpin a dashboard for the current user (v2)
+ */
+export const useUnpinDashboardV2 = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof unpinDashboardV2>>,
+		TError,
+		{ pathParams: UnpinDashboardV2PathParameters },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof unpinDashboardV2>>,
+	TError,
+	{ pathParams: UnpinDashboardV2PathParameters },
+	TContext
+> => {
+	return useMutation(getUnpinDashboardV2MutationOptions(options));
+};
+/**
+ * Pins the dashboard for the calling user. A user can pin at most 10 dashboards; pinning when at the limit returns 409. Re-pinning an already-pinned dashboard is a no-op success.
+ * @summary Pin a dashboard for the current user (v2)
+ */
+export const pinDashboardV2 = (
+	{ id }: PinDashboardV2PathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v2/users/me/dashboards/${id}/pins`,
+		method: 'PUT',
+		signal,
+	});
+};
+
+export const getPinDashboardV2MutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof pinDashboardV2>>,
+		TError,
+		{ pathParams: PinDashboardV2PathParameters },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof pinDashboardV2>>,
+	TError,
+	{ pathParams: PinDashboardV2PathParameters },
+	TContext
+> => {
+	const mutationKey = ['pinDashboardV2'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+			'mutationKey' in options.mutation &&
+			options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof pinDashboardV2>>,
+		{ pathParams: PinDashboardV2PathParameters }
+	> = (props) => {
+		const { pathParams } = props ?? {};
+
+		return pinDashboardV2(pathParams);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type PinDashboardV2MutationResult = NonNullable<
+	Awaited<ReturnType<typeof pinDashboardV2>>
+>;
+
+export type PinDashboardV2MutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Pin a dashboard for the current user (v2)
+ */
+export const usePinDashboardV2 = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof pinDashboardV2>>,
+		TError,
+		{ pathParams: PinDashboardV2PathParameters },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof pinDashboardV2>>,
+	TError,
+	{ pathParams: PinDashboardV2PathParameters },
+	TContext
+> => {
+	return useMutation(getPinDashboardV2MutationOptions(options));
+};

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -3495,6 +3495,9 @@ export interface TelemetrytypesTelemetryFieldKeyDTO {
 	unit?: string;
 }
 
+export enum Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5LogAggregationDTOSignal {
+	logs = 'logs',
+}
 export enum TelemetrytypesSourceDTO {
 	meter = 'meter',
 }
@@ -3550,7 +3553,11 @@ export interface Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTyp
 	 * @type array
 	 */
 	selectFields?: TelemetrytypesTelemetryFieldKeyDTO[];
-	signal?: TelemetrytypesSignalDTO;
+	/**
+	 * @enum logs
+	 * @type string
+	 */
+	signal: Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5LogAggregationDTOSignal;
 	source?: TelemetrytypesSourceDTO;
 	stepInterval?: Querybuildertypesv5StepDTO;
 }
@@ -3616,6 +3623,9 @@ export interface Querybuildertypesv5MetricAggregationDTO {
 	timeAggregation?: MetrictypesTimeAggregationDTO;
 }
 
+export enum Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5MetricAggregationDTOSignal {
+	metrics = 'metrics',
+}
 export interface Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5MetricAggregationDTO {
 	/**
 	 * @type array
@@ -3668,7 +3678,11 @@ export interface Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTyp
 	 * @type array
 	 */
 	selectFields?: TelemetrytypesTelemetryFieldKeyDTO[];
-	signal?: TelemetrytypesSignalDTO;
+	/**
+	 * @enum metrics
+	 * @type string
+	 */
+	signal: Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5MetricAggregationDTOSignal;
 	source?: TelemetrytypesSourceDTO;
 	stepInterval?: Querybuildertypesv5StepDTO;
 }
@@ -3684,6 +3698,9 @@ export interface Querybuildertypesv5TraceAggregationDTO {
 	expression?: string;
 }
 
+export enum Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5TraceAggregationDTOSignal {
+	traces = 'traces',
+}
 export interface Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5TraceAggregationDTO {
 	/**
 	 * @type array
@@ -3736,7 +3753,11 @@ export interface Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTyp
 	 * @type array
 	 */
 	selectFields?: TelemetrytypesTelemetryFieldKeyDTO[];
-	signal?: TelemetrytypesSignalDTO;
+	/**
+	 * @enum traces
+	 * @type string
+	 */
+	signal: Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5TraceAggregationDTOSignal;
 	source?: TelemetrytypesSourceDTO;
 	stepInterval?: Querybuildertypesv5StepDTO;
 }
@@ -4623,7 +4644,7 @@ export interface DashboardtypesDashboardSpecDTO {
 export enum DashboardtypesDatasourcePluginKindDTO {
 	'signoz/Datasource' = 'signoz/Datasource',
 }
-export interface TagtypesPostableTagDTO {
+export interface TagtypesGettableTagDTO {
 	/**
 	 * @type string
 	 */
@@ -4673,7 +4694,7 @@ export interface DashboardtypesGettableDashboardV2DTO {
 	/**
 	 * @type array,null
 	 */
-	tags: TagtypesPostableTagDTO[] | null;
+	tags: TagtypesGettableTagDTO[] | null;
 	/**
 	 * @type string
 	 * @format date-time
@@ -4731,6 +4752,157 @@ export interface DashboardtypesJSONPatchOperationDTO {
 	value?: unknown;
 }
 
+export enum DashboardtypesListOrderDTO {
+	asc = 'asc',
+	desc = 'desc',
+}
+export enum DashboardtypesListSortDTO {
+	updated_at = 'updated_at',
+	created_at = 'created_at',
+	name = 'name',
+}
+export interface DashboardtypesListedDashboardV2SpecDTO {
+	display?: CommonDisplayDTO;
+}
+
+export interface DashboardtypesListedDashboardForUserV2DTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: string;
+	/**
+	 * @type string
+	 */
+	createdBy?: string;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type string
+	 */
+	image?: string;
+	/**
+	 * @type boolean
+	 */
+	locked: boolean;
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type string
+	 */
+	orgId: string;
+	/**
+	 * @type boolean
+	 */
+	pinned: boolean;
+	/**
+	 * @type string
+	 */
+	schemaVersion: string;
+	source: DashboardtypesSourceDTO;
+	spec: DashboardtypesListedDashboardV2SpecDTO;
+	/**
+	 * @type array
+	 */
+	tags: TagtypesGettableTagDTO[];
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: string;
+	/**
+	 * @type string
+	 */
+	updatedBy?: string;
+}
+
+export interface DashboardtypesListableDashboardForUserV2DTO {
+	/**
+	 * @type array
+	 */
+	dashboards: DashboardtypesListedDashboardForUserV2DTO[];
+	/**
+	 * @type array
+	 */
+	tags: TagtypesGettableTagDTO[];
+	/**
+	 * @type integer
+	 * @format int64
+	 */
+	total: number;
+}
+
+export interface DashboardtypesListedDashboardV2DTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: string;
+	/**
+	 * @type string
+	 */
+	createdBy?: string;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type string
+	 */
+	image?: string;
+	/**
+	 * @type boolean
+	 */
+	locked: boolean;
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type string
+	 */
+	orgId: string;
+	/**
+	 * @type string
+	 */
+	schemaVersion: string;
+	source: DashboardtypesSourceDTO;
+	spec: DashboardtypesListedDashboardV2SpecDTO;
+	/**
+	 * @type array
+	 */
+	tags: TagtypesGettableTagDTO[];
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: string;
+	/**
+	 * @type string
+	 */
+	updatedBy?: string;
+}
+
+export interface DashboardtypesListableDashboardV2DTO {
+	/**
+	 * @type array
+	 */
+	dashboards: DashboardtypesListedDashboardV2DTO[];
+	/**
+	 * @type array
+	 */
+	tags: TagtypesGettableTagDTO[];
+	/**
+	 * @type integer
+	 * @format int64
+	 */
+	total: number;
+}
+
 export enum DashboardtypesPanelPluginKindDTO {
 	'signoz/TimeSeriesPanel' = 'signoz/TimeSeriesPanel',
 	'signoz/BarChartPanel' = 'signoz/BarChartPanel',
@@ -4747,6 +4919,17 @@ export type DashboardtypesPatchableDashboardV2DTO =
 	| DashboardtypesJSONPatchOperationDTO[]
 	| null;
 
+export interface TagtypesPostableTagDTO {
+	/**
+	 * @type string
+	 */
+	key: string;
+	/**
+	 * @type string
+	 */
+	value: string;
+}
+
 export interface DashboardtypesPostableDashboardV2DTO {
 	/**
 	 * @type boolean
@@ -9649,6 +9832,40 @@ export type GetUserPreference200 = {
 export type UpdateUserPreferencePathParameters = {
 	name: string;
 };
+export type ListDashboardsV2Params = {
+	/**
+	 * @type string
+	 * @description undefined
+	 */
+	query?: string;
+	/**
+	 * @description undefined
+	 */
+	sort?: DashboardtypesListSortDTO;
+	/**
+	 * @description undefined
+	 */
+	order?: DashboardtypesListOrderDTO;
+	/**
+	 * @type integer
+	 * @description undefined
+	 */
+	limit?: number;
+	/**
+	 * @type integer
+	 * @description undefined
+	 */
+	offset?: number;
+};
+
+export type ListDashboardsV2200 = {
+	data: DashboardtypesListableDashboardV2DTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type CreateDashboardV2201 = {
 	data: DashboardtypesGettableDashboardV2DTO;
 	/**
@@ -9657,6 +9874,9 @@ export type CreateDashboardV2201 = {
 	status: string;
 };
 
+export type DeleteDashboardV2PathParameters = {
+	id: string;
+};
 export type GetDashboardV2PathParameters = {
 	id: string;
 };
@@ -10489,6 +10709,46 @@ export type GetMyUser200 = {
 	status: string;
 };
 
+export type ListDashboardsForUserV2Params = {
+	/**
+	 * @type string
+	 * @description undefined
+	 */
+	query?: string;
+	/**
+	 * @description undefined
+	 */
+	sort?: DashboardtypesListSortDTO;
+	/**
+	 * @description undefined
+	 */
+	order?: DashboardtypesListOrderDTO;
+	/**
+	 * @type integer
+	 * @description undefined
+	 */
+	limit?: number;
+	/**
+	 * @type integer
+	 * @description undefined
+	 */
+	offset?: number;
+};
+
+export type ListDashboardsForUserV2200 = {
+	data: DashboardtypesListableDashboardForUserV2DTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type UnpinDashboardV2PathParameters = {
+	id: string;
+};
+export type PinDashboardV2PathParameters = {
+	id: string;
+};
 export type GetHosts200 = {
 	data: ZeustypesGettableHostDTO;
 	/**

pkg/apiserver/signozapiserver/dashboard.go

@@ -14,6 +14,42 @@ import (
 )
 
 func (provider *provider) addDashboardRoutes(router *mux.Router) error {
+	if err := router.Handle("/api/v2/dashboards", handler.New(provider.authzMiddleware.ViewAccess(provider.dashboardHandler.ListV2), handler.OpenAPIDef{
+		ID:                  "ListDashboardsV2",
+		Tags:                []string{"dashboard"},
+		Summary:             "List dashboards (v2)",
+		Description:         "Returns a page of v2-shape dashboards for the org. This is the pure, user-independent list — it carries no pin state. Use ListDashboardsForUserV2 for the personalized, pin-aware list. Supports a filter DSL (`query`), sort (`updated_at`/`created_at`/`name`), order (`asc`/`desc`), and offset-based pagination (`limit`/`offset`).",
+		Request:             nil,
+		RequestQuery:        new(dashboardtypes.ListDashboardsV2Params),
+		RequestContentType:  "",
+		Response:            new(dashboardtypes.ListableDashboardV2),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusBadRequest},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v2/users/me/dashboards", handler.New(provider.authzMiddleware.ViewAccess(provider.dashboardHandler.ListForUserV2), handler.OpenAPIDef{
+		ID:                  "ListDashboardsForUserV2",
+		Tags:                []string{"dashboard"},
+		Summary:             "List dashboards for the current user (v2)",
+		Description:         "Same as ListDashboardsV2 but personalized for the calling user: each dashboard carries the caller's `pinned` state, and pinned dashboards float to the top of the requested ordering. Supports the same filter DSL, sort, order, and pagination.",
+		Request:             nil,
+		RequestQuery:        new(dashboardtypes.ListDashboardsV2Params),
+		RequestContentType:  "",
+		Response:            new(dashboardtypes.ListableDashboardForUserV2),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusBadRequest},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v2/dashboards", handler.New(provider.authzMiddleware.EditAccess(provider.dashboardHandler.CreateV2), handler.OpenAPIDef{
 		ID:                  "CreateDashboardV2",
 		Tags:                []string{"dashboard"},
@@ -89,6 +125,23 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v2/dashboards/{id}", handler.New(provider.authzMiddleware.EditAccess(provider.dashboardHandler.DeleteV2), handler.OpenAPIDef{
+		ID:                  "DeleteDashboardV2",
+		Tags:                []string{"dashboard"},
+		Summary:             "Delete dashboard (v2)",
+		Description:         "This endpoint deletes a v2-shape dashboard along with its tag relations. Locked dashboards are rejected.",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
+	})).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v2/dashboards/{id}/lock", handler.New(provider.authzMiddleware.EditAccess(provider.dashboardHandler.LockV2), handler.OpenAPIDef{
 		ID:                  "LockDashboardV2",
 		Tags:                []string{"dashboard"},
@@ -123,6 +176,42 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 		return err
 	}
 
+	// ViewAccess: pinning only mutates the calling user's pin list, not the
+	// dashboard itself — anyone who can view a dashboard can bookmark it.
+	if err := router.Handle("/api/v2/users/me/dashboards/{id}/pins", handler.New(provider.authzMiddleware.ViewAccess(provider.dashboardHandler.PinV2), handler.OpenAPIDef{
+		ID:                  "PinDashboardV2",
+		Tags:                []string{"dashboard"},
+		Summary:             "Pin a dashboard for the current user (v2)",
+		Description:         "Pins the dashboard for the calling user. A user can pin at most 10 dashboards; pinning when at the limit returns 409. Re-pinning an already-pinned dashboard is a no-op success.",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound, http.StatusConflict},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v2/users/me/dashboards/{id}/pins", handler.New(provider.authzMiddleware.ViewAccess(provider.dashboardHandler.UnpinV2), handler.OpenAPIDef{
+		ID:                  "UnpinDashboardV2",
+		Tags:                []string{"dashboard"},
+		Summary:             "Unpin a dashboard for the current user (v2)",
+		Description:         "Removes the pin for the calling user. Idempotent — unpinning a dashboard that wasn't pinned still returns 204.",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusBadRequest},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
+	})).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/dashboards/{id}/public", handler.New(provider.authzMiddleware.AdminAccess(provider.dashboardHandler.CreatePublic), handler.OpenAPIDef{
 		ID:                  "CreatePublicDashboard",
 		Tags:                []string{"dashboard"},

pkg/authn/callbackauthn/googlecallbackauthn/authn.go

@@ -59,7 +59,7 @@ func (a *AuthN) LoginURL(ctx context.Context, siteURL *url.URL, authDomain *auth
 		return "", err
 	}
 
-	if authDomain.AuthDomainConfig().Provider.Type != authtypes.AuthNProviderGoogleAuth {
+	if authDomain.AuthDomainConfig().AuthNProvider != authtypes.AuthNProviderGoogleAuth {
 		return "", errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthDomainMismatch, "domain type is not google")
 	}
 
@@ -111,7 +111,7 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "google: no id_token in token response")
 	}
 
-	verifier := oidcProvider.Verifier(&oidc.Config{ClientID: authDomain.AuthDomainConfig().Google().ClientID})
+	verifier := oidcProvider.Verifier(&oidc.Config{ClientID: authDomain.AuthDomainConfig().Google.ClientID})
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
 		a.settings.Logger().ErrorContext(ctx, "google: failed to verify token", errors.Attr(err))
@@ -135,7 +135,7 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, errors.Newf(errors.TypeForbidden, errors.CodeForbidden, "google: unexpected hd claim")
 	}
 
-	if !authDomain.AuthDomainConfig().Google().InsecureSkipEmailVerified {
+	if !authDomain.AuthDomainConfig().Google.InsecureSkipEmailVerified {
 		if !claims.EmailVerified {
 			a.settings.Logger().ErrorContext(ctx, "google: email is not verified", slog.String("email", claims.Email))
 			return nil, errors.Newf(errors.TypeForbidden, errors.CodeForbidden, "google: email is not verified")
@@ -148,14 +148,14 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 	}
 
 	var groups []string
-	if authDomain.AuthDomainConfig().Google().FetchGroups {
-		groups, err = a.fetchGoogleWorkspaceGroups(ctx, claims.Email, authDomain.AuthDomainConfig().Google())
+	if authDomain.AuthDomainConfig().Google.FetchGroups {
+		groups, err = a.fetchGoogleWorkspaceGroups(ctx, claims.Email, authDomain.AuthDomainConfig().Google)
 		if err != nil {
 			a.settings.Logger().ErrorContext(ctx, "google: could not fetch groups", errors.Attr(err))
 			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "google: could not fetch groups").WithAdditional(err.Error())
 		}
 
-		allowedGroups := authDomain.AuthDomainConfig().Google().AllowedGroups
+		allowedGroups := authDomain.AuthDomainConfig().Google.AllowedGroups
 		if len(allowedGroups) > 0 {
 			groups = filterGroups(groups, allowedGroups)
 			if len(groups) == 0 {
@@ -175,8 +175,8 @@ func (a *AuthN) ProviderInfo(ctx context.Context, authDomain *authtypes.AuthDoma
 
 func (a *AuthN) oauth2Config(siteURL *url.URL, authDomain *authtypes.AuthDomain, provider *oidc.Provider) *oauth2.Config {
 	return &oauth2.Config{
-		ClientID:     authDomain.AuthDomainConfig().Google().ClientID,
-		ClientSecret: authDomain.AuthDomainConfig().Google().ClientSecret,
+		ClientID:     authDomain.AuthDomainConfig().Google.ClientID,
+		ClientSecret: authDomain.AuthDomainConfig().Google.ClientSecret,
 		Endpoint:     provider.Endpoint(),
 		Scopes:       scopes,
 		RedirectURL: (&url.URL{

pkg/modules/authdomain/implauthdomain/handler.go

@@ -38,7 +38,7 @@ func (handler *handler) Create(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	authDomain, err := authtypes.NewAuthDomainFromConfig(body.Name, &body.AuthDomainConfig, valuer.MustNewUUID(claims.OrgID))
+	authDomain, err := authtypes.NewAuthDomainFromConfig(body.Name, &body.Config, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -154,7 +154,7 @@ func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = authDomain.Update(&body.AuthDomainConfig)
+	err = authDomain.Update(&body.Config)
 	if err != nil {
 		render.Error(rw, err)
 		return

pkg/modules/authdomain/implauthdomain/module.go

@@ -27,7 +27,7 @@ func (module *module) Get(ctx context.Context, id valuer.UUID) (*authtypes.AuthD
 }
 
 func (module *module) GetAuthNProviderInfo(ctx context.Context, domain *authtypes.AuthDomain) *authtypes.AuthNProviderInfo {
-	if callbackAuthN, ok := module.authNs[domain.AuthDomainConfig().Provider.Type].(authn.CallbackAuthN); ok {
+	if callbackAuthN, ok := module.authNs[domain.AuthDomainConfig().AuthNProvider].(authn.CallbackAuthN); ok {
 		return callbackAuthN.ProviderInfo(ctx, domain)
 	}
 	return &authtypes.AuthNProviderInfo{}
@@ -62,7 +62,7 @@ func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 	stats := make(map[string]any)
 
 	for _, domain := range domains {
-		key := "authdomain." + domain.AuthDomainConfig().Provider.Type.StringValue() + ".count"
+		key := "authdomain." + domain.AuthDomainConfig().AuthNProvider.StringValue() + ".count"
 		if value, ok := stats[key]; ok {
 			stats[key] = value.(int64) + 1
 		} else {

pkg/modules/dashboard/dashboard.go

@@ -61,11 +61,23 @@ type Module interface {
 
 	GetV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*dashboardtypes.DashboardV2, error)
 
+	ListV2(ctx context.Context, orgID valuer.UUID, params *dashboardtypes.ListDashboardsV2Params) (*dashboardtypes.ListableDashboardV2, error)
+
+	ListForUserV2(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, params *dashboardtypes.ListDashboardsV2Params) (*dashboardtypes.ListableDashboardForUserV2, error)
+
 	UpdateV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, updatable dashboardtypes.UpdatableDashboardV2) (*dashboardtypes.DashboardV2, error)
 
 	LockUnlockV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, isAdmin bool, lock bool) error
 
 	PatchV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, patch dashboardtypes.PatchableDashboardV2) (*dashboardtypes.DashboardV2, error)
+
+	PinV2(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, id valuer.UUID) error
+
+	UnpinV2(ctx context.Context, userID valuer.UUID, id valuer.UUID) error
+
+	DeleteV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error
+
+	DeletePreferencesForUser(ctx context.Context, userID valuer.UUID) error
 }
 
 type Handler interface {
@@ -96,6 +108,10 @@ type Handler interface {
 
 	GetV2(http.ResponseWriter, *http.Request)
 
+	ListV2(http.ResponseWriter, *http.Request)
+
+	ListForUserV2(http.ResponseWriter, *http.Request)
+
 	UpdateV2(http.ResponseWriter, *http.Request)
 
 	LockV2(http.ResponseWriter, *http.Request)
@@ -103,4 +119,10 @@ type Handler interface {
 	UnlockV2(http.ResponseWriter, *http.Request)
 
 	PatchV2(http.ResponseWriter, *http.Request)
+
+	PinV2(http.ResponseWriter, *http.Request)
+
+	UnpinV2(http.ResponseWriter, *http.Request)
+
+	DeleteV2(http.ResponseWriter, *http.Request)
 }

pkg/modules/dashboard/impldashboard/listfilter.go

@@ -0,0 +1,40 @@
+package impldashboard
+
+import (
+	"strings"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
+)
+
+type Compiled struct {
+	SQL  string
+	Args []any
+}
+
+func Compile(query string, formatter sqlstore.SQLFormatter) (*Compiled, error) {
+	if len(query) == 0 {
+		return nil, nil //nolint:nilnil
+	}
+
+	queryVisitor := newVisitor(formatter)
+	sql, args, syntaxErrs := queryVisitor.compile(query)
+
+	if len(syntaxErrs) > 0 {
+		return nil, errors.NewInvalidInputf(dashboardtypes.ErrCodeDashboardListFilterInvalid,
+			"invalid filter query: %s", strings.Join(syntaxErrs, "; "))
+	}
+	if len(queryVisitor.errors) > 0 {
+		return nil, errors.NewInvalidInputf(dashboardtypes.ErrCodeDashboardListFilterInvalid,
+			"invalid filter query: %s", strings.Join(queryVisitor.errors, "; "))
+	}
+	if sql == "" {
+		return nil, nil //nolint:nilnil
+	}
+
+	return &Compiled{
+		SQL:  sql,
+		Args: args,
+	}, nil
+}

pkg/modules/dashboard/impldashboard/listfilter_test.go

@@ -0,0 +1,526 @@
+package impldashboard
+
+import (
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/sqlstore/sqlstoretest"
+	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
+)
+
+type compileCase struct {
+	subtestName              string
+	dslQueryToCompile        string
+	nilExpected              bool
+	expectedSQL              string
+	expectedArgs             []any
+	expectedErrShouldContain string
+}
+
+// kindArg is the tag_relation.kind value bound into every tag EXISTS subquery
+// (stored double-encoded, hence the embedded quotes). It leads each tag
+// predicate's args, ahead of the tag key.
+const kindArg = `"dashboard"`
+
+func runCompileCases(t *testing.T, cases []compileCase) {
+	t.Helper()
+	for _, c := range cases {
+		t.Run(c.subtestName, func(t *testing.T) {
+			out, err := Compile(c.dslQueryToCompile, formatter(t))
+
+			if c.expectedErrShouldContain != "" {
+				require.Error(t, err)
+				assert.Contains(t, strings.ToLower(err.Error()), strings.ToLower(c.expectedErrShouldContain))
+				return
+			}
+
+			require.NoError(t, err)
+			if c.nilExpected {
+				assert.Nil(t, out)
+				return
+			}
+			require.NotNil(t, out)
+
+			if c.expectedSQL != "" {
+				assert.Equal(t, normalizeSQL(c.expectedSQL), normalizeSQL(out.SQL))
+			}
+			if c.expectedArgs != nil {
+				require.Len(t, out.Args, len(c.expectedArgs))
+				for i, want := range c.expectedArgs {
+					// time.Time values can carry semantically-equal instants
+					// in different *Location representations (UTC vs Local vs
+					// FixedZone). Compare via .Equal() instead of DeepEqual.
+					if wantT, ok := want.(time.Time); ok {
+						gotT, ok := out.Args[i].(time.Time)
+						require.True(t, ok, "arg[%d]: want time.Time, got %T", i, out.Args[i])
+						assert.True(t, wantT.Equal(gotT), "arg[%d]: want %s, got %s", i, wantT, gotT)
+						continue
+					}
+					assert.Equal(t, want, out.Args[i], "arg[%d]", i)
+				}
+			}
+		})
+	}
+}
+
+func TestCompile_Empty(t *testing.T) {
+	runCompileCases(t, []compileCase{
+		{subtestName: "empty query yields nil", dslQueryToCompile: "", nilExpected: true},
+	})
+}
+
+func TestCompile_Name(t *testing.T) {
+	runCompileCases(t, []compileCase{
+		{
+			subtestName:       "name =",
+			dslQueryToCompile: `name = 'overview'`,
+			expectedSQL:       `json_extract("dashboard"."data", '$.spec.display.name') = ?`,
+			expectedArgs:      []any{"overview"},
+		},
+		{
+			// QUOTED_TEXT in the grammar covers both '…' and "…" — visitor
+			// strips whichever quote pair surrounds the value.
+			subtestName:       "name = with double-quoted value",
+			dslQueryToCompile: `name = "something"`,
+			expectedSQL:       `json_extract("dashboard"."data", '$.spec.display.name') = ?`,
+			expectedArgs:      []any{"something"},
+		},
+		{
+			subtestName:       "name CONTAINS",
+			dslQueryToCompile: `name CONTAINS 'overview'`,
+			expectedSQL:       `json_extract("dashboard"."data", '$.spec.display.name') LIKE ? ESCAPE '\'`,
+			expectedArgs:      []any{"%overview%"},
+		},
+		{
+			subtestName:       "name ILIKE — emitted as LOWER(col) LIKE LOWER(?) for dialect parity",
+			dslQueryToCompile: `name ILIKE 'Prod%'`,
+			expectedSQL:       `lower(json_extract("dashboard"."data", '$.spec.display.name')) LIKE LOWER(?) ESCAPE '\'`,
+			expectedArgs:      []any{"Prod%"},
+		},
+		{
+			subtestName:       "CONTAINS escapes % in user input",
+			dslQueryToCompile: `name CONTAINS '50%'`,
+			expectedSQL:       `json_extract("dashboard"."data", '$.spec.display.name') LIKE ? ESCAPE '\'`,
+			expectedArgs:      []any{`%50\%%`},
+		},
+	})
+}
+
+func TestCompile_CreatedByLocked(t *testing.T) {
+	runCompileCases(t, []compileCase{
+		{
+			subtestName:       "created_by LIKE",
+			dslQueryToCompile: `created_by LIKE '%@signoz.io'`,
+			expectedSQL:       `dashboard.created_by LIKE ? ESCAPE '\'`,
+			expectedArgs:      []any{"%@signoz.io"},
+		},
+		{
+			subtestName:       "locked = true",
+			dslQueryToCompile: `locked = true`,
+			expectedSQL:       `dashboard.locked = ?`,
+			expectedArgs:      []any{true},
+		},
+	})
+}
+
+func TestCompile_Timestamps(t *testing.T) {
+	ist := time.FixedZone("+05:30", 5*60*60+30*60)
+	runCompileCases(t, []compileCase{
+		{
+			subtestName:       "created_at >= RFC3339",
+			dslQueryToCompile: `created_at >= '2026-03-10T00:00:00Z'`,
+			expectedSQL:       `dashboard.created_at >= ?`,
+			expectedArgs:      []any{time.Date(2026, 3, 10, 0, 0, 0, 0, time.UTC)},
+		},
+		{
+			subtestName:       "updated_at BETWEEN",
+			dslQueryToCompile: `updated_at BETWEEN '2026-03-10T00:00:00Z' AND '2026-03-20T00:00:00Z'`,
+			expectedSQL:       `dashboard.updated_at BETWEEN ? AND ?`,
+			expectedArgs: []any{
+				time.Date(2026, 3, 10, 0, 0, 0, 0, time.UTC),
+				time.Date(2026, 3, 20, 0, 0, 0, 0, time.UTC),
+			},
+		},
+		{
+			subtestName:       "created_at >= IST timestamp",
+			dslQueryToCompile: `created_at >= '2026-03-10T05:30:00+05:30'`,
+			expectedSQL:       `dashboard.created_at >= ?`,
+			expectedArgs:      []any{time.Date(2026, 3, 10, 5, 30, 0, 0, ist)},
+		},
+	})
+}
+
+// Tag operators wrap each predicate in EXISTS / NOT EXISTS. Any non-reserved
+// key is a tag key — `team = 'pulse'` matches a tag with key=team value=pulse,
+// `tag = 'prod'` matches a tag with key=tag value=prod, and so on.
+func TestCompile_Tag(t *testing.T) {
+	runCompileCases(t, []compileCase{
+		{
+			subtestName:       "team = wraps in EXISTS",
+			dslQueryToCompile: `team = 'pulse'`,
+			expectedSQL: `
+				EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value = ?
+				)`,
+			expectedArgs: []any{kindArg, "team", "pulse"},
+		},
+		{
+			subtestName:       "tag = is just a regular tag-key filter",
+			dslQueryToCompile: `tag = 'database'`,
+			expectedSQL: `
+				EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value = ?
+				)`,
+			expectedArgs: []any{kindArg, "tag", "database"},
+		},
+		{
+			subtestName:       "team != wraps in NOT EXISTS with positive inner",
+			dslQueryToCompile: `team != 'pulse'`,
+			expectedSQL: `
+				NOT EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value = ?
+				)`,
+			expectedArgs: []any{kindArg, "team", "pulse"},
+		},
+		{
+			subtestName:       "team IN — inner is single placeholder list on t.value",
+			dslQueryToCompile: `team IN ['pulse', 'events']`,
+			expectedSQL: `
+				EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value IN (?, ?)
+				)`,
+			expectedArgs: []any{kindArg, "team", "pulse", "events"},
+		},
+		{
+			subtestName:       "team NOT IN",
+			dslQueryToCompile: `team NOT IN ['pulse', 'events']`,
+			expectedSQL: `
+				NOT EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value IN (?, ?)
+				)`,
+			expectedArgs: []any{kindArg, "team", "pulse", "events"},
+		},
+		{
+			subtestName:       "team LIKE — wildcard on value",
+			dslQueryToCompile: `team LIKE 'pulse%'`,
+			expectedSQL: `
+				EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value LIKE ? ESCAPE '\'
+				)`,
+			expectedArgs: []any{kindArg, "team", "pulse%"},
+		},
+		{
+			subtestName:       "team NOT LIKE",
+			dslQueryToCompile: `team NOT LIKE 'staging%'`,
+			expectedSQL: `
+				NOT EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value LIKE ? ESCAPE '\'
+				)`,
+			expectedArgs: []any{kindArg, "team", "staging%"},
+		},
+		{
+			subtestName:       "database EXISTS — asserts a tag with key=database is present",
+			dslQueryToCompile: `database EXISTS`,
+			expectedSQL: `
+				EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+				)`,
+			expectedArgs: []any{kindArg, "database"},
+		},
+		{
+			subtestName:       "database NOT EXISTS",
+			dslQueryToCompile: `database NOT EXISTS`,
+			expectedSQL: `
+				NOT EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+				)`,
+			expectedArgs: []any{kindArg, "database"},
+		},
+		{
+			subtestName:       "tag-key matching is case-insensitive — TEAM lowercased",
+			dslQueryToCompile: `TEAM = 'pulse'`,
+			expectedSQL: `
+				EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value = ?
+				)`,
+			expectedArgs: []any{kindArg, "team", "pulse"},
+		},
+	})
+}
+
+func TestCompile_BooleanComposition(t *testing.T) {
+	runCompileCases(t, []compileCase{
+		{
+			subtestName:       "AND chain — flat arg list",
+			dslQueryToCompile: `locked = true AND created_by = 'a@b.com'`,
+			expectedSQL:       `(dashboard.locked = ? AND dashboard.created_by = ?)`,
+			expectedArgs:      []any{true, "a@b.com"},
+		},
+		{
+			subtestName:       "OR chain",
+			dslQueryToCompile: `locked = true OR created_by = 'a@b.com'`,
+			expectedSQL:       `(dashboard.locked = ? OR dashboard.created_by = ?)`,
+			expectedArgs:      []any{true, "a@b.com"},
+		},
+		{
+			subtestName:       "parens preserve precedence",
+			dslQueryToCompile: `(locked = true OR locked = false) AND created_by = 'a@b.com'`,
+			expectedSQL:       `((dashboard.locked = ? OR dashboard.locked = ?) AND dashboard.created_by = ?)`,
+			expectedArgs:      []any{true, false, "a@b.com"},
+		},
+	})
+}
+
+// Distinct from operator-suffix negation (NOT IN / NOT LIKE / NOT EXISTS).
+// Driven by the unaryExpression rule (`NOT? primary`), so NOT binds to
+// exactly one primary and only widens via parens.
+func TestCompile_NOT(t *testing.T) {
+	runCompileCases(t, []compileCase{
+		{
+			subtestName:       "NOT on a single comparison",
+			dslQueryToCompile: `NOT name = 'foo'`,
+			expectedSQL:       `NOT (json_extract("dashboard"."data", '$.spec.display.name') = ?)`,
+			expectedArgs:      []any{"foo"},
+		},
+		{
+			subtestName:       "NOT binds tightly to its primary in an AND chain",
+			dslQueryToCompile: `NOT name = 'foo' AND created_by = 'alice'`,
+			expectedSQL:       `(NOT (json_extract("dashboard"."data", '$.spec.display.name') = ?) AND dashboard.created_by = ?)`,
+			expectedArgs:      []any{"foo", "alice"},
+		},
+		{
+			subtestName:       "NOT applied to the second term in an AND chain",
+			dslQueryToCompile: `locked = true AND NOT name = 'foo'`,
+			expectedSQL:       `(dashboard.locked = ? AND NOT (json_extract("dashboard"."data", '$.spec.display.name') = ?))`,
+			expectedArgs:      []any{true, "foo"},
+		},
+		{
+			subtestName:       "NOT around a parenthesized OR",
+			dslQueryToCompile: `NOT (locked = true OR created_by = 'a@b.com')`,
+			expectedSQL:       `NOT ((dashboard.locked = ? OR dashboard.created_by = ?))`,
+			expectedArgs:      []any{true, "a@b.com"},
+		},
+		{
+			subtestName:       "double NOT via parens",
+			dslQueryToCompile: `NOT (NOT name = 'foo')`,
+			expectedSQL:       `NOT (NOT (json_extract("dashboard"."data", '$.spec.display.name') = ?))`,
+			expectedArgs:      []any{"foo"},
+		},
+		{
+			subtestName:       "NOT on a tag equality",
+			dslQueryToCompile: `NOT team = 'pulse'`,
+			expectedSQL: `
+				NOT (
+					EXISTS (
+						SELECT 1 FROM tag_relation tr
+						JOIN tag t ON t.id = tr.tag_id
+						WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+						AND LOWER(t.key) = LOWER(?)
+						AND t.value = ?
+					)
+				)`,
+			expectedArgs: []any{kindArg, "team", "pulse"},
+		},
+		{
+			subtestName:       "NOT team = ... AND name = ...",
+			dslQueryToCompile: `NOT team = 'pulse' AND name = 'overview'`,
+			expectedSQL: `
+				(
+				NOT (
+					EXISTS (
+						SELECT 1 FROM tag_relation tr
+						JOIN tag t ON t.id = tr.tag_id
+						WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+						AND LOWER(t.key) = LOWER(?)
+						AND t.value = ?
+					)
+				)
+				AND json_extract("dashboard"."data", '$.spec.display.name') = ?)`,
+			expectedArgs: []any{kindArg, "team", "pulse", "overview"},
+		},
+	})
+}
+
+func TestCompile_ComplexExamples(t *testing.T) {
+	runCompileCases(t, []compileCase{
+		{
+			subtestName:       "name CONTAINS + tag LIKE + created_by + database =",
+			dslQueryToCompile: `name CONTAINS 'overview' AND tag LIKE 'prod%' AND created_by = 'naman.verma@signoz.io' AND database = 'mongo'`,
+			expectedSQL: `
+				(
+				json_extract("dashboard"."data", '$.spec.display.name') LIKE ? ESCAPE '\'
+				AND EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value LIKE ? ESCAPE '\'
+				)
+				AND dashboard.created_by = ?
+				AND EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value = ?
+				))`,
+			expectedArgs: []any{"%overview%", kindArg, "tag", "prod%", "naman.verma@signoz.io", kindArg, "database", "mongo"},
+		},
+		{
+			subtestName:       "team IN AND database EXISTS",
+			dslQueryToCompile: `team IN ['pulse', 'events'] AND database EXISTS`,
+			expectedSQL: `
+				(
+				EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+					AND t.value IN (?, ?)
+				)
+				AND EXISTS (
+					SELECT 1 FROM tag_relation tr
+					JOIN tag t ON t.id = tr.tag_id
+					WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+					AND LOWER(t.key) = LOWER(?)
+				))`,
+			expectedArgs: []any{kindArg, "team", "pulse", "events", kindArg, "database"},
+		},
+		{
+			subtestName:       "nested OR / AND with parens",
+			dslQueryToCompile: `(database IN ['sql', 'redis', 'mongo'] OR name LIKE '%database%') AND (team = 'pulse' OR name LIKE '%pulse%')`,
+			expectedSQL: `
+				(
+				(
+					EXISTS (
+						SELECT 1 FROM tag_relation tr
+						JOIN tag t ON t.id = tr.tag_id
+						WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+						AND LOWER(t.key) = LOWER(?)
+						AND t.value IN (?, ?, ?)
+					)
+					OR json_extract("dashboard"."data", '$.spec.display.name') LIKE ? ESCAPE '\'
+				)
+				AND (
+					EXISTS (
+						SELECT 1 FROM tag_relation tr
+						JOIN tag t ON t.id = tr.tag_id
+						WHERE tr.kind = ? AND tr.resource_id = dashboard.id
+						AND LOWER(t.key) = LOWER(?)
+						AND t.value = ?
+					)
+					OR json_extract("dashboard"."data", '$.spec.display.name') LIKE ? ESCAPE '\'
+				))`,
+			expectedArgs: []any{kindArg, "database", "sql", "redis", "mongo", "%database%", kindArg, "team", "pulse", "%pulse%"},
+		},
+	})
+}
+
+func TestCompile_Rejections(t *testing.T) {
+	runCompileCases(t, []compileCase{
+		{
+			subtestName:              "rejects op outside per-reserved-key allowlist",
+			dslQueryToCompile:        `name BETWEEN 'a' AND 'z'`,
+			expectedErrShouldContain: "operator",
+		},
+		{
+			subtestName:              "rejects BETWEEN on a tag key",
+			dslQueryToCompile:        `team BETWEEN 'a' AND 'z'`,
+			expectedErrShouldContain: "operator",
+		},
+		{
+			subtestName:              "rejects non-bool on locked",
+			dslQueryToCompile:        `locked = 'yes'`,
+			expectedErrShouldContain: "boolean",
+		},
+		{
+			subtestName:              "rejects non-RFC3339 timestamp",
+			dslQueryToCompile:        `created_at >= 'not-a-date'`,
+			expectedErrShouldContain: "RFC3339",
+		},
+		{
+			subtestName:              "rejects REGEXP — not yet supported",
+			dslQueryToCompile:        `name REGEXP '.*'`,
+			expectedErrShouldContain: "REGEXP",
+		},
+		{
+			subtestName:              "rejects syntax error from grammar",
+			dslQueryToCompile:        `name = `,
+			expectedErrShouldContain: "syntax",
+		},
+	})
+}
+
+// Every key in dashboardtypes.ReservedOps must have a matching case in
+// visitComparisonForReservedKeys; a key that's reserved but unhandled falls
+// through to the "no handler for reserved key" error. Equal is accepted by all
+// reserved keys, so `key = 'x'` always reaches the dispatch switch — a missing
+// handler surfaces as that error regardless of whether the value type-checks.
+func TestCompileReservedKeysAllHandled(t *testing.T) {
+	for key := range dashboardtypes.ReservedOps {
+		t.Run(string(key), func(t *testing.T) {
+			_, err := Compile(string(key)+` = 'x'`, formatter(t))
+			if err != nil {
+				assert.NotContains(t, err.Error(), "no handler for reserved key",
+					"reserved key %q has no handler in visitComparisonForReservedKeys", key)
+			}
+		})
+	}
+}
+
+func formatter(t *testing.T) sqlstore.SQLFormatter {
+	t.Helper()
+	p := sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual)
+	return p.Formatter()
+}
+
+func normalizeSQL(s string) string {
+	s = strings.Join(strings.Fields(s), " ")
+	s = strings.ReplaceAll(s, "( ", "(")
+	s = strings.ReplaceAll(s, " )", ")")
+	return s
+}

pkg/modules/dashboard/impldashboard/listfilter_visitor.go

@@ -0,0 +1,581 @@
+package impldashboard
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/parser/filterquery"
+	grammar "github.com/SigNoz/signoz/pkg/parser/filterquery/grammar"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
+	qbtypesv5 "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
+	"github.com/antlr4-go/antlr/v4"
+	sqlbuilder "github.com/huandu/go-sqlbuilder"
+)
+
+// bunPlaceholderFlavor is any flavor that renders `?` placeholders, which bun
+// re-binds to the actual backend (e.g. `$1` for Postgres) at query time.
+const bunPlaceholderFlavor = sqlbuilder.SQLite
+
+type visitor struct {
+	grammar.BaseFilterQueryVisitor
+	selectBuilder *sqlbuilder.SelectBuilder
+	formatter     sqlstore.SQLFormatter
+	errors        []string
+}
+
+func newVisitor(formatter sqlstore.SQLFormatter) *visitor {
+	return &visitor{
+		selectBuilder: sqlbuilder.NewSelectBuilder(),
+		formatter:     formatter,
+	}
+}
+
+// compile turns the parse tree into `?`-placeholder WHERE SQL + arguments for bun.
+func (v *visitor) compile(query string) (string, []any, []string) {
+	tree, _, collector := filterquery.Parse(query)
+	if len(collector.Errors) > 0 {
+		return "", nil, collector.Errors
+	}
+	condition, _ := v.visit(tree).(string)
+	if condition == "" {
+		return "", nil, nil
+	}
+	sql, arguments := v.selectBuilder.Args.CompileWithFlavor(condition, bunPlaceholderFlavor)
+	return sql, arguments, nil
+}
+
+func (v *visitor) visit(tree antlr.ParseTree) any {
+	if tree == nil {
+		return nil
+	}
+	return tree.Accept(v)
+}
+
+// ════════════════════════════════════════════════════════════════════════
+// methods from grammar.BaseFilterQueryVisitor that are overridden
+// ════════════════════════════════════════════════════════════════════════
+
+func (v *visitor) VisitQuery(ctx *grammar.QueryContext) any {
+	return v.visit(ctx.Expression())
+}
+
+func (v *visitor) VisitExpression(ctx *grammar.ExpressionContext) any {
+	return v.visit(ctx.OrExpression())
+}
+
+func (v *visitor) VisitOrExpression(ctx *grammar.OrExpressionContext) any {
+	parts := ctx.AllAndExpression()
+	conditions := make([]string, 0, len(parts))
+	for _, part := range parts {
+		if condition, ok := v.visit(part).(string); ok && condition != "" {
+			conditions = append(conditions, condition)
+		}
+	}
+	switch len(conditions) {
+	case 0:
+		return ""
+	case 1:
+		return conditions[0]
+	default:
+		return v.selectBuilder.Or(conditions...)
+	}
+}
+
+func (v *visitor) VisitAndExpression(ctx *grammar.AndExpressionContext) any {
+	parts := ctx.AllUnaryExpression()
+	conditions := make([]string, 0, len(parts))
+	for _, part := range parts {
+		if condition, ok := v.visit(part).(string); ok && condition != "" {
+			conditions = append(conditions, condition)
+		}
+	}
+	switch len(conditions) {
+	case 0:
+		return ""
+	case 1:
+		return conditions[0]
+	default:
+		return v.selectBuilder.And(conditions...)
+	}
+}
+
+func (v *visitor) VisitUnaryExpression(ctx *grammar.UnaryExpressionContext) any {
+	condition, _ := v.visit(ctx.Primary()).(string)
+	if condition == "" {
+		return ""
+	}
+	if ctx.NOT() != nil {
+		return fmt.Sprintf("NOT (%s)", condition)
+	}
+	return condition
+}
+
+func (v *visitor) VisitPrimary(ctx *grammar.PrimaryContext) any {
+	if ctx.OrExpression() != nil {
+		return v.visit(ctx.OrExpression())
+	}
+	if ctx.Comparison() != nil {
+		return v.visit(ctx.Comparison())
+	}
+	// Bare keys, values, full text, and function calls are not part of the
+	// dashboard list DSL.
+	v.addError("unsupported expression %q — every term must be of the form `key OP value`", ctx.GetText())
+	return ""
+}
+
+// VisitComparison dispatches a single `key OP value` term. A key that matches
+// a reserved DSL key (name, description, etc.) becomes a column-level
+// predicate; any other identifier is treated as a tag key — the operator
+// applies to the tag's value, with a case-insensitive match on the tag's key.
+func (v *visitor) VisitComparison(ctx *grammar.ComparisonContext) any {
+	key := strings.ToLower(strings.TrimSpace(ctx.Key().GetText()))
+
+	operation, ok := v.extractOperation(ctx)
+	if !ok {
+		return ""
+	}
+
+	if allowedOperations, isReserved := dashboardtypes.ReservedOps[dashboardtypes.DSLKey(key)]; isReserved {
+		return v.visitComparisonForReservedKeys(ctx, operation, dashboardtypes.DSLKey(key), allowedOperations)
+	}
+	return v.visitComparisonForTags(ctx, operation, key)
+}
+
+func (v *visitor) visitComparisonForReservedKeys(ctx *grammar.ComparisonContext, operation qbtypesv5.FilterOperator, key dashboardtypes.DSLKey, allowedOperations map[qbtypesv5.FilterOperator]struct{}) string {
+	if _, allowed := allowedOperations[operation]; !allowed {
+		v.addError("operator %s is not allowed for key %q", operationName(operation), key)
+		return ""
+	}
+	switch key {
+	case dashboardtypes.DSLKeyName:
+		return v.buildJSONStringComparison(ctx, operation, dashboardtypes.DSLKeyName, "$.spec.display.name")
+	case dashboardtypes.DSLKeyDescription:
+		return v.buildJSONStringComparison(ctx, operation, dashboardtypes.DSLKeyDescription, "$.spec.display.description")
+	case dashboardtypes.DSLKeyCreatedAt:
+		return v.buildTimestampComparison(ctx, operation, "dashboard.created_at")
+	case dashboardtypes.DSLKeyUpdatedAt:
+		return v.buildTimestampComparison(ctx, operation, "dashboard.updated_at")
+	case dashboardtypes.DSLKeyCreatedBy:
+		return v.buildStringComparison(ctx, operation, dashboardtypes.DSLKeyCreatedBy, "dashboard.created_by")
+	case dashboardtypes.DSLKeyLocked:
+		return v.buildBoolComparison(ctx, operation, "dashboard.locked")
+	}
+	// Unreachable for real input: every dashboardtypes.ReservedOps key has a case above, and
+	// TestCompileReservedKeysAllHandled guards that the two stay in sync.
+	v.addError("no handler for reserved key %q", key)
+	return ""
+}
+
+func (v *visitor) visitComparisonForTags(ctx *grammar.ComparisonContext, operation qbtypesv5.FilterOperator, tagKey string) string {
+	if _, allowed := dashboardtypes.TagKeyOps[operation]; !allowed {
+		v.addError("operator %s is not allowed on a tag-key filter", operationName(operation))
+		return ""
+	}
+	return v.buildTagComparison(ctx, operation, tagKey)
+}
+
+func (v *visitor) extractOperation(ctx *grammar.ComparisonContext) (qbtypesv5.FilterOperator, bool) {
+	// For operators that take an optional leading NOT, Inverse() maps each to
+	// its Not<X> counterpart.
+	maybeNot := func(operation qbtypesv5.FilterOperator) qbtypesv5.FilterOperator {
+		if ctx.NOT() != nil {
+			return operation.Inverse()
+		}
+		return operation
+	}
+	switch {
+	case ctx.EQUALS() != nil:
+		return qbtypesv5.FilterOperatorEqual, true
+	case ctx.NOT_EQUALS() != nil, ctx.NEQ() != nil:
+		return qbtypesv5.FilterOperatorNotEqual, true
+	case ctx.LT() != nil:
+		return qbtypesv5.FilterOperatorLessThan, true
+	case ctx.LE() != nil:
+		return qbtypesv5.FilterOperatorLessThanOrEq, true
+	case ctx.GT() != nil:
+		return qbtypesv5.FilterOperatorGreaterThan, true
+	case ctx.GE() != nil:
+		return qbtypesv5.FilterOperatorGreaterThanOrEq, true
+	case ctx.BETWEEN() != nil:
+		return maybeNot(qbtypesv5.FilterOperatorBetween), true
+	case ctx.LIKE() != nil:
+		return maybeNot(qbtypesv5.FilterOperatorLike), true
+	case ctx.ILIKE() != nil:
+		return maybeNot(qbtypesv5.FilterOperatorILike), true
+	case ctx.CONTAINS() != nil:
+		return maybeNot(qbtypesv5.FilterOperatorContains), true
+	case ctx.REGEXP() != nil:
+		return maybeNot(qbtypesv5.FilterOperatorRegexp), true
+	case ctx.InClause() != nil:
+		return qbtypesv5.FilterOperatorIn, true
+	case ctx.NotInClause() != nil:
+		return qbtypesv5.FilterOperatorNotIn, true
+	case ctx.EXISTS() != nil:
+		return maybeNot(qbtypesv5.FilterOperatorExists), true
+	}
+	v.addError("could not determine operator in expression %q", ctx.GetText())
+	return qbtypesv5.FilterOperatorUnknown, false
+}
+
+// ─── per-key emitters ────────────────────────────────────────────────────────
+
+func (v *visitor) buildJSONStringComparison(ctx *grammar.ComparisonContext, operation qbtypesv5.FilterOperator, key dashboardtypes.DSLKey, jsonPath string) string {
+	columnExpression := string(v.formatter.JSONExtractString("dashboard.data", jsonPath))
+	return v.buildStringOperation(v.selectBuilder, ctx, operation, columnExpression, string(key))
+}
+
+func (v *visitor) buildStringComparison(ctx *grammar.ComparisonContext, operation qbtypesv5.FilterOperator, key dashboardtypes.DSLKey, columnExpression string) string {
+	return v.buildStringOperation(v.selectBuilder, ctx, operation, columnExpression, string(key))
+}
+
+// buildStringOperation covers all the operators the spec allows on text-shaped keys
+// (name, description, created_by, and a tag's value). Placeholders are interned
+// into builder — the outer builder for column predicates, the subquery builder for
+// tag-value predicates — so nested EXISTS arguments thread correctly.
+func (v *visitor) buildStringOperation(builder *sqlbuilder.SelectBuilder, ctx *grammar.ComparisonContext, operation qbtypesv5.FilterOperator, columnExpression, keyForError string) string {
+	switch operation {
+	case qbtypesv5.FilterOperatorEqual:
+		val, ok := v.extractSingleStringValue(ctx, keyForError)
+		if !ok {
+			return ""
+		}
+		return builder.Equal(columnExpression, val)
+	case qbtypesv5.FilterOperatorNotEqual:
+		val, ok := v.extractSingleStringValue(ctx, keyForError)
+		if !ok {
+			return ""
+		}
+		return builder.NotEqual(columnExpression, val)
+	case qbtypesv5.FilterOperatorLike, qbtypesv5.FilterOperatorNotLike:
+		val, ok := v.extractSingleStringValue(ctx, keyForError)
+		if !ok {
+			return ""
+		}
+		like := "LIKE"
+		if operation == qbtypesv5.FilterOperatorNotLike {
+			like = "NOT LIKE"
+		}
+		// The user's % and _ stay as wildcards; ESCAPE pins backslash as the escape
+		// char so a literal `\` in the pattern is read the same on both dialects —
+		// Postgres defaults to `\`, SQLite has no default escape.
+		return fmt.Sprintf("%s %s %s ESCAPE '\\'", columnExpression, like, builder.Var(val))
+	case qbtypesv5.FilterOperatorILike, qbtypesv5.FilterOperatorNotILike:
+		val, ok := v.extractSingleStringValue(ctx, keyForError)
+		if !ok {
+			return ""
+		}
+		// SQLite has no ILIKE keyword and Postgres LIKE is case-sensitive — emit
+		// LOWER(col) LIKE LOWER(?) so behavior is identical on both dialects. ESCAPE
+		// pins backslash as the escape char (Postgres default; SQLite has none).
+		lowerColumn := string(v.formatter.LowerExpression(columnExpression))
+		like := "LIKE"
+		if operation == qbtypesv5.FilterOperatorNotILike {
+			like = "NOT LIKE"
+		}
+		return fmt.Sprintf("%s %s LOWER(%s) ESCAPE '\\'", lowerColumn, like, builder.Var(val))
+	case qbtypesv5.FilterOperatorContains, qbtypesv5.FilterOperatorNotContains:
+		val, ok := v.extractSingleStringValue(ctx, keyForError)
+		if !ok {
+			return ""
+		}
+		like := "LIKE"
+		if operation == qbtypesv5.FilterOperatorNotContains {
+			like = "NOT LIKE"
+		}
+		// Escape the user's % and _ so they match literally, then wrap in wildcards.
+		// ESCAPE declares the backslash we just injected as the escape char — needed
+		// on SQLite (no default) and a harmless restatement of the Postgres default.
+		escaped := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(val)
+		return fmt.Sprintf("%s %s %s ESCAPE '\\'", columnExpression, like, builder.Var("%"+escaped+"%"))
+	case qbtypesv5.FilterOperatorRegexp, qbtypesv5.FilterOperatorNotRegexp:
+		v.addError("REGEXP filtering on %q is not yet supported", keyForError)
+		return ""
+	case qbtypesv5.FilterOperatorIn, qbtypesv5.FilterOperatorNotIn:
+		values, ok := v.extractStringValueList(ctx, keyForError)
+		if !ok {
+			return ""
+		}
+		arguments := make([]any, len(values))
+		for i, s := range values {
+			arguments[i] = s
+		}
+		if operation == qbtypesv5.FilterOperatorNotIn {
+			return builder.NotIn(columnExpression, arguments...)
+		}
+		return builder.In(columnExpression, arguments...)
+	}
+	v.addError("operator %s on %q is not implemented", operationName(operation), keyForError)
+	return ""
+}
+
+func (v *visitor) buildTimestampComparison(ctx *grammar.ComparisonContext, operation qbtypesv5.FilterOperator, columnExpression string) string {
+	switch operation {
+	case qbtypesv5.FilterOperatorEqual, qbtypesv5.FilterOperatorNotEqual,
+		qbtypesv5.FilterOperatorLessThan, qbtypesv5.FilterOperatorLessThanOrEq,
+		qbtypesv5.FilterOperatorGreaterThan, qbtypesv5.FilterOperatorGreaterThanOrEq:
+		t, ok := v.extractSingleTimestampValue(ctx)
+		if !ok {
+			return ""
+		}
+		switch operation {
+		case qbtypesv5.FilterOperatorEqual:
+			return v.selectBuilder.Equal(columnExpression, t)
+		case qbtypesv5.FilterOperatorNotEqual:
+			return v.selectBuilder.NotEqual(columnExpression, t)
+		case qbtypesv5.FilterOperatorLessThan:
+			return v.selectBuilder.LessThan(columnExpression, t)
+		case qbtypesv5.FilterOperatorLessThanOrEq:
+			return v.selectBuilder.LessEqualThan(columnExpression, t)
+		case qbtypesv5.FilterOperatorGreaterThan:
+			return v.selectBuilder.GreaterThan(columnExpression, t)
+		case qbtypesv5.FilterOperatorGreaterThanOrEq:
+			return v.selectBuilder.GreaterEqualThan(columnExpression, t)
+		}
+	case qbtypesv5.FilterOperatorBetween, qbtypesv5.FilterOperatorNotBetween:
+		timestamps, ok := v.extractTwoTimestampValues(ctx)
+		if !ok {
+			return ""
+		}
+		if operation == qbtypesv5.FilterOperatorNotBetween {
+			return v.selectBuilder.NotBetween(columnExpression, timestamps[0], timestamps[1])
+		}
+		return v.selectBuilder.Between(columnExpression, timestamps[0], timestamps[1])
+	}
+	v.addError("operator %s on timestamp is not implemented", operationName(operation))
+	return ""
+}
+
+func (v *visitor) buildBoolComparison(ctx *grammar.ComparisonContext, operation qbtypesv5.FilterOperator, columnExpression string) string {
+	b, ok := v.extractSingleBoolValue(ctx)
+	if !ok {
+		return ""
+	}
+	if operation == qbtypesv5.FilterOperatorNotEqual {
+		return v.selectBuilder.NotEqual(columnExpression, b)
+	}
+	return v.selectBuilder.Equal(columnExpression, b)
+}
+
+func (v *visitor) buildTagComparison(ctx *grammar.ComparisonContext, operation qbtypesv5.FilterOperator, tagKey string) string {
+	subqueryBuilder := sqlbuilder.NewSelectBuilder()
+
+	if operation == qbtypesv5.FilterOperatorExists || operation == qbtypesv5.FilterOperatorNotExists {
+		buildSubqueryForTagKey(subqueryBuilder, tagKey)
+	} else {
+		// All other tag operators take the positive form of the value predicate
+		// and toggle the EXISTS wrapper for negation. Inverse() flips Not<X> → <X>.
+		positiveOperation := operation
+		if operation.IsNegativeOperator() {
+			positiveOperation = operation.Inverse()
+		}
+		valuePredicate := v.buildStringOperation(subqueryBuilder, ctx, positiveOperation, "t.value", tagKey)
+		if valuePredicate == "" {
+			return ""
+		}
+		buildSubqueryForTagKeyAndValue(subqueryBuilder, tagKey, valuePredicate)
+	}
+
+	if operation.IsNegativeOperator() {
+		return v.selectBuilder.NotExists(subqueryBuilder)
+	}
+	return v.selectBuilder.Exists(subqueryBuilder)
+}
+
+func buildSubqueryForTagKey(subqueryBuilder *sqlbuilder.SelectBuilder, tagKey string) *sqlbuilder.SelectBuilder {
+	const dashboardTagKind = `"dashboard"`
+
+	return subqueryBuilder.
+		Select("1").
+		From("tag_relation tr").
+		Join("tag t", "t.id = tr.tag_id").
+		Where(
+			subqueryBuilder.Equal("tr.kind", dashboardTagKind),
+			"tr.resource_id = dashboard.id",
+			"LOWER(t.key) = LOWER("+subqueryBuilder.Var(tagKey)+")",
+		)
+}
+
+func buildSubqueryForTagKeyAndValue(subqueryBuilder *sqlbuilder.SelectBuilder, tagKey, valuePredicate string) *sqlbuilder.SelectBuilder {
+	return buildSubqueryForTagKey(subqueryBuilder, tagKey).Where(valuePredicate)
+}
+
+// ─── value extraction helpers ───────────────────────────────────────────────
+
+func (v *visitor) addError(format string, arguments ...any) {
+	v.errors = append(v.errors, fmt.Sprintf(format, arguments...))
+}
+
+func (v *visitor) extractSingleStringValue(ctx *grammar.ComparisonContext, keyForError string) (string, bool) {
+	values := ctx.AllValue()
+	if len(values) != 1 {
+		v.addError("expected exactly one value for %q", keyForError)
+		return "", false
+	}
+	return v.extractStringValue(values[0], keyForError)
+}
+
+func (v *visitor) extractSingleBoolValue(ctx *grammar.ComparisonContext) (bool, bool) {
+	values := ctx.AllValue()
+	if len(values) != 1 {
+		v.addError("expected a single boolean (true/false)")
+		return false, false
+	}
+	return v.extractBoolValue(values[0])
+}
+
+func (v *visitor) extractSingleTimestampValue(ctx *grammar.ComparisonContext) (time.Time, bool) {
+	values := ctx.AllValue()
+	if len(values) != 1 {
+		v.addError("expected a single RFC3339 timestamp")
+		return time.Time{}, false
+	}
+	return v.extractTimestampValue(values[0])
+}
+
+func (v *visitor) extractTwoTimestampValues(ctx *grammar.ComparisonContext) ([2]time.Time, bool) {
+	values := ctx.AllValue()
+	if len(values) != 2 {
+		v.addError("BETWEEN expects two RFC3339 timestamps")
+		return [2]time.Time{}, false
+	}
+	a, ok1 := v.extractTimestampValue(values[0])
+	b, ok2 := v.extractTimestampValue(values[1])
+	if !ok1 || !ok2 {
+		return [2]time.Time{}, false
+	}
+	return [2]time.Time{a, b}, true
+}
+
+func (v *visitor) extractStringValueList(ctx *grammar.ComparisonContext, keyForError string) ([]string, bool) {
+	var valuesCtx []grammar.IValueContext
+	switch {
+	case ctx.InClause() != nil:
+		inClause := ctx.InClause()
+		if inClause.ValueList() != nil {
+			valuesCtx = inClause.ValueList().AllValue()
+		} else {
+			valuesCtx = []grammar.IValueContext{inClause.Value()}
+		}
+	case ctx.NotInClause() != nil:
+		notInClause := ctx.NotInClause()
+		if notInClause.ValueList() != nil {
+			valuesCtx = notInClause.ValueList().AllValue()
+		} else {
+			valuesCtx = []grammar.IValueContext{notInClause.Value()}
+		}
+	default:
+		v.addError("IN clause is missing for %q", keyForError)
+		return nil, false
+	}
+	if len(valuesCtx) == 0 {
+		v.addError("IN list for %q is empty", keyForError)
+		return nil, false
+	}
+	out := make([]string, 0, len(valuesCtx))
+	for _, valueContext := range valuesCtx {
+		s, ok := v.extractStringValue(valueContext, keyForError)
+		if !ok {
+			return nil, false
+		}
+		out = append(out, s)
+	}
+	return out, true
+}
+
+func (v *visitor) extractStringValue(ctx grammar.IValueContext, keyForError string) (string, bool) {
+	if ctx.QUOTED_TEXT() != nil {
+		return trimQuotes(ctx.QUOTED_TEXT().GetText()), true
+	}
+	if ctx.KEY() != nil {
+		// Bare tokens are accepted as strings, mirroring the FilterQuery lexer's
+		// treatment of unquoted identifiers on the value side.
+		return ctx.KEY().GetText(), true
+	}
+	v.addError("expected a string value for %q, got %q", keyForError, ctx.GetText())
+	return "", false
+}
+
+func (v *visitor) extractBoolValue(ctx grammar.IValueContext) (bool, bool) {
+	if ctx.BOOL() == nil {
+		v.addError("expected a boolean (true/false), got %q", ctx.GetText())
+		return false, false
+	}
+	return strings.EqualFold(ctx.BOOL().GetText(), "true"), true
+}
+
+func (v *visitor) extractTimestampValue(ctx grammar.IValueContext) (time.Time, bool) {
+	if ctx.QUOTED_TEXT() == nil {
+		v.addError("expected an RFC3339 timestamp string, got %q", ctx.GetText())
+		return time.Time{}, false
+	}
+	raw := trimQuotes(ctx.QUOTED_TEXT().GetText())
+	t, err := time.Parse(time.RFC3339, raw)
+	if err != nil {
+		v.addError("invalid RFC3339 timestamp %q: %s", raw, err.Error())
+		return time.Time{}, false
+	}
+	return t, true
+}
+
+// ─── operator spelling ───────────────────────────────────────────────────────
+
+// operationName returns the user-facing spelling of a FilterOperator, used only in
+// error messages — go-sqlbuilder's Cond helpers emit the SQL keywords.
+func operationName(operation qbtypesv5.FilterOperator) string {
+	switch operation {
+	case qbtypesv5.FilterOperatorEqual:
+		return "="
+	case qbtypesv5.FilterOperatorNotEqual:
+		return "!="
+	case qbtypesv5.FilterOperatorLessThan:
+		return "<"
+	case qbtypesv5.FilterOperatorLessThanOrEq:
+		return "<="
+	case qbtypesv5.FilterOperatorGreaterThan:
+		return ">"
+	case qbtypesv5.FilterOperatorGreaterThanOrEq:
+		return ">="
+	case qbtypesv5.FilterOperatorBetween:
+		return "BETWEEN"
+	case qbtypesv5.FilterOperatorNotBetween:
+		return "NOT BETWEEN"
+	case qbtypesv5.FilterOperatorLike:
+		return "LIKE"
+	case qbtypesv5.FilterOperatorNotLike:
+		return "NOT LIKE"
+	case qbtypesv5.FilterOperatorILike:
+		return "ILIKE"
+	case qbtypesv5.FilterOperatorNotILike:
+		return "NOT ILIKE"
+	case qbtypesv5.FilterOperatorContains:
+		return "CONTAINS"
+	case qbtypesv5.FilterOperatorNotContains:
+		return "NOT CONTAINS"
+	case qbtypesv5.FilterOperatorRegexp:
+		return "REGEXP"
+	case qbtypesv5.FilterOperatorNotRegexp:
+		return "NOT REGEXP"
+	case qbtypesv5.FilterOperatorIn:
+		return "IN"
+	case qbtypesv5.FilterOperatorNotIn:
+		return "NOT IN"
+	case qbtypesv5.FilterOperatorExists:
+		return "EXISTS"
+	case qbtypesv5.FilterOperatorNotExists:
+		return "NOT EXISTS"
+	}
+	return "?"
+}
+
+func trimQuotes(s string) string {
+	if len(s) >= 2 {
+		if (s[0] == '"' && s[len(s)-1] == '"') || (s[0] == '\'' && s[len(s)-1] == '\'') {
+			s = s[1 : len(s)-1]
+		}
+	}
+	s = strings.ReplaceAll(s, `\\`, `\`)
+	s = strings.ReplaceAll(s, `\'`, `'`)
+	return s
+}

pkg/modules/dashboard/impldashboard/store.go

@@ -2,6 +2,7 @@ package impldashboard
 
 import (
 	"context"
+	"strings"
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
@@ -63,6 +64,155 @@ func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID)
 	return storableDashboard, nil
 }
 
+// ListForUser emits the joined dashboard ⨝ user_dashboard_preference query the
+// spec calls for. Aliases:
+//
+//	dashboard                  — the visitor expects this
+//	user_dashboard_preference  AS preference  — only used inside this query
+//
+// Sort is "is_pinned DESC, <sort> <order>" so pinned dashboards float to the
+// top inside the requested ordering. Name-sort goes through the same
+// JSONExtractString path the visitor uses for name/description filtering.
+func (store *store) ListForUser(
+	ctx context.Context,
+	orgID valuer.UUID,
+	userID valuer.UUID,
+	params *dashboardtypes.ListDashboardsV2Params,
+) ([]*dashboardtypes.StorableDashboardWithPinInfo, int64, error) {
+	compiled, err := Compile(params.Query, store.sqlstore.Formatter())
+	if err != nil {
+		return nil, 0, err
+	}
+	type listedRow struct {
+		*dashboardtypes.StorableDashboard `bun:",extend"`
+
+		IsPinned bool  `bun:"is_pinned"`
+		Total    int64 `bun:"total"`
+	}
+
+	rows := make([]*listedRow, 0)
+
+	q := store.sqlstore.
+		BunDB().
+		NewSelect().
+		Model(&rows).
+		ColumnExpr("dashboard.id, dashboard.org_id, dashboard.name, dashboard.data, dashboard.locked, dashboard.source, dashboard.created_at, dashboard.created_by, dashboard.updated_at, dashboard.updated_by").
+		ColumnExpr("CASE WHEN preference.is_pinned THEN 1 ELSE 0 END AS is_pinned").
+		ColumnExpr("COUNT(*) OVER () AS total").
+		Join("LEFT JOIN user_dashboard_preference AS preference ON preference.user_id = ? AND preference.dashboard_id = dashboard.id", userID).
+		Where("dashboard.org_id = ?", orgID).
+		Where("dashboard.source != ?", dashboardtypes.SourceSystem)
+
+	if compiled != nil {
+		q = q.Where(compiled.SQL, compiled.Args...)
+	}
+
+	sortExpr, err := store.sortExprForListV2(params.Sort)
+	if err != nil {
+		return nil, 0, err
+	}
+	q = q.
+		OrderExpr("is_pinned DESC").
+		OrderExpr(sortExpr + " " + strings.ToUpper(params.Order.StringValue())).
+		Limit(params.Limit).
+		Offset(params.Offset)
+
+	if err := q.Scan(ctx); err != nil {
+		return nil, 0, errors.WrapInternalf(err, errors.CodeInternal, "couldn't list dashboards")
+	}
+
+	// COUNT(*) OVER () is computed pre-LIMIT, so any returned row carries the
+	// full filter total. Empty result page => zero matches.
+	var total int64
+	if len(rows) > 0 {
+		total = rows[0].Total
+	}
+
+	out := make([]*dashboardtypes.StorableDashboardWithPinInfo, len(rows))
+	for i, r := range rows {
+		out[i] = &dashboardtypes.StorableDashboardWithPinInfo{
+			Dashboard: r.StorableDashboard,
+			Pinned:    r.IsPinned,
+		}
+	}
+	return out, total, nil
+}
+
+// ListV2 is the pure (user-independent) list: the same filter/sort/pagination as
+// ListForUser, but without the per-user pin join or pin-first ordering.
+func (store *store) ListV2(
+	ctx context.Context,
+	orgID valuer.UUID,
+	params *dashboardtypes.ListDashboardsV2Params,
+) ([]*dashboardtypes.StorableDashboard, int64, error) {
+	compiled, err := Compile(params.Query, store.sqlstore.Formatter())
+	if err != nil {
+		return nil, 0, err
+	}
+	type listedRow struct {
+		*dashboardtypes.StorableDashboard `bun:",extend"`
+
+		Total int64 `bun:"total"`
+	}
+
+	rows := make([]*listedRow, 0)
+
+	q := store.sqlstore.
+		BunDB().
+		NewSelect().
+		Model(&rows).
+		ColumnExpr("dashboard.id, dashboard.org_id, dashboard.name, dashboard.data, dashboard.locked, dashboard.source, dashboard.created_at, dashboard.created_by, dashboard.updated_at, dashboard.updated_by").
+		ColumnExpr("COUNT(*) OVER () AS total").
+		Where("dashboard.org_id = ?", orgID).
+		Where("dashboard.source != ?", dashboardtypes.SourceSystem)
+
+	if compiled != nil {
+		q = q.Where(compiled.SQL, compiled.Args...)
+	}
+
+	sortExpr, err := store.sortExprForListV2(params.Sort)
+	if err != nil {
+		return nil, 0, err
+	}
+	q = q.
+		OrderExpr(sortExpr + " " + strings.ToUpper(params.Order.StringValue())).
+		Limit(params.Limit).
+		Offset(params.Offset)
+
+	if err := q.Scan(ctx); err != nil {
+		return nil, 0, errors.WrapInternalf(err, errors.CodeInternal, "couldn't list dashboards")
+	}
+
+	// COUNT(*) OVER () is computed pre-LIMIT, so any returned row carries the
+	// full filter total. Empty result page => zero matches.
+	var total int64
+	if len(rows) > 0 {
+		total = rows[0].Total
+	}
+
+	out := make([]*dashboardtypes.StorableDashboard, len(rows))
+	for i, r := range rows {
+		out[i] = r.StorableDashboard
+	}
+	return out, total, nil
+}
+
+// sortExprForListV2 maps a sort enum to the SQL expression to plug into
+// ORDER BY. Title-sort routes through the SQLFormatter so it stays
+// dialect-aware (matches what the filter visitor does for the name filter).
+func (store *store) sortExprForListV2(sort dashboardtypes.ListSort) (string, error) {
+	switch sort {
+	case dashboardtypes.ListSortUpdatedAt:
+		return "dashboard.updated_at", nil
+	case dashboardtypes.ListSortCreatedAt:
+		return "dashboard.created_at", nil
+	case dashboardtypes.ListSortName:
+		return string(store.sqlstore.Formatter().JSONExtractString("dashboard.data", "$.spec.display.name")), nil
+	}
+	return "", errors.Newf(errors.TypeInvalidInput, dashboardtypes.ErrCodeDashboardListInvalid,
+		"unsupported sort field %q", sort)
+}
+
 func (store *store) GetPublic(ctx context.Context, dashboardID string) (*dashboardtypes.StorablePublicDashboard, error) {
 	storable := new(dashboardtypes.StorablePublicDashboard)
 	err := store.
@@ -217,3 +367,82 @@ func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) er
 		return cb(ctx)
 	})
 }
+
+// PinForUser combines the count check, the existence check, and the upsert in
+// a single statement so the limit gate and the insert can't drift between two
+// round-trips. The count and existence checks gate on is_pinned = true so they
+// stay correct once the row carries preferences other than the pin.
+//
+//	pin exists? | pinned count < 10? | WHERE passes?           | effect                              | rows
+//	------------|--------------------|-------------------------|-------------------------------------|-----
+//	no          | yes                | yes (count branch)      | INSERT new pinned row               | 1
+//	no          | no                 | no                      | nothing (limit hit)                 | 0
+//	yes         | yes                | yes (count branch)      | INSERT → conflict → UPDATE is_pinned| 1
+//	yes         | no                 | yes (EXISTS OR branch)  | INSERT → conflict → UPDATE is_pinned| 1
+//
+// rows = 0 is the only signal of a real limit hit.
+func (store *store) PinForUser(ctx context.Context, preference *dashboardtypes.UserDashboardPreference) error {
+	res, err := store.sqlstore.BunDBCtx(ctx).NewRaw(`
+		INSERT INTO user_dashboard_preference (user_id, dashboard_id, is_pinned)
+		SELECT ?, ?, true
+		WHERE (SELECT COUNT(*) FROM user_dashboard_preference WHERE user_id = ? AND is_pinned = true) < ?
+		   OR EXISTS (SELECT 1 FROM user_dashboard_preference WHERE user_id = ? AND dashboard_id = ? AND is_pinned = true)
+		ON CONFLICT (user_id, dashboard_id) DO UPDATE SET is_pinned = true
+	`,
+		preference.UserID, preference.DashboardID,
+		preference.UserID, dashboardtypes.MaxPinnedDashboardsPerUser,
+		preference.UserID, preference.DashboardID,
+	).Exec(ctx)
+	if err != nil {
+		return errors.WrapInternalf(err, errors.CodeInternal, "couldn't pin dashboard for user")
+	}
+	rows, err := res.RowsAffected()
+	if err != nil {
+		return errors.WrapInternalf(err, errors.CodeInternal, "couldn't read pin result")
+	}
+	if rows == 0 {
+		return errors.Newf(errors.TypeAlreadyExists, dashboardtypes.ErrCodePinnedDashboardLimitHit,
+			"cannot pin more than %d dashboards", dashboardtypes.MaxPinnedDashboardsPerUser)
+	}
+	return nil
+}
+
+// UnpinForUser deletes the user's preference row. This is fine while is_pinned
+// is the only preference stored; once the row carries other preferences this
+// must become an UPDATE that clears is_pinned instead of dropping the row.
+func (store *store) UnpinForUser(ctx context.Context, userID valuer.UUID, dashboardID valuer.UUID) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).
+		NewDelete().
+		Model((*dashboardtypes.UserDashboardPreference)(nil)).
+		Where("user_id = ?", userID).
+		Where("dashboard_id = ?", dashboardID).
+		Exec(ctx)
+	if err != nil {
+		return errors.WrapInternalf(err, errors.CodeInternal, "couldn't unpin dashboard for user")
+	}
+	return nil
+}
+
+func (store *store) DeletePreferencesForDashboard(ctx context.Context, dashboardID valuer.UUID) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).
+		NewDelete().
+		Model((*dashboardtypes.UserDashboardPreference)(nil)).
+		Where("dashboard_id = ?", dashboardID).
+		Exec(ctx)
+	if err != nil {
+		return errors.WrapInternalf(err, errors.CodeInternal, "couldn't delete dashboard preferences")
+	}
+	return nil
+}
+
+func (store *store) DeletePreferencesForUser(ctx context.Context, userID valuer.UUID) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).
+		NewDelete().
+		Model((*dashboardtypes.UserDashboardPreference)(nil)).
+		Where("user_id = ?", userID).
+		Exec(ctx)
+	if err != nil {
+		return errors.WrapInternalf(err, errors.CodeInternal, "couldn't delete dashboard preferences")
+	}
+	return nil
+}

pkg/modules/dashboard/impldashboard/v2_handler.go

@@ -42,6 +42,69 @@ func (handler *handler) CreateV2(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusCreated, dashboard.ToGettableDashboardV2())
 }
 
+func (handler *handler) ListV2(rw http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+
+	params := new(dashboardtypes.ListDashboardsV2Params)
+	if err := binding.Query.BindQuery(r.URL.Query(), params); err != nil {
+		render.Error(rw, err)
+		return
+	}
+	if err := params.Validate(); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	out, err := handler.module.ListV2(ctx, orgID, params)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, out)
+}
+
+func (handler *handler) ListForUserV2(rw http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+	userID := valuer.MustNewUUID(claims.IdentityID())
+
+	params := new(dashboardtypes.ListDashboardsV2Params)
+	if err := binding.Query.BindQuery(r.URL.Query(), params); err != nil {
+		render.Error(rw, err)
+		return
+	}
+	if err := params.Validate(); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	out, err := handler.module.ListForUserV2(ctx, orgID, userID, params)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, out)
+}
+
 func (handler *handler) GetV2(rw http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -205,3 +268,79 @@ func (handler *handler) PatchV2(rw http.ResponseWriter, r *http.Request) {
 
 	render.Success(rw, http.StatusOK, dashboard.ToGettableDashboardV2())
 }
+
+func (handler *handler) PinV2(rw http.ResponseWriter, r *http.Request) {
+	handler.pinUnpinV2(rw, r, true)
+}
+
+func (handler *handler) UnpinV2(rw http.ResponseWriter, r *http.Request) {
+	handler.pinUnpinV2(rw, r, false)
+}
+
+func (handler *handler) pinUnpinV2(rw http.ResponseWriter, r *http.Request, pin bool) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+	userID := valuer.MustNewUUID(claims.IdentityID())
+
+	id := mux.Vars(r)["id"]
+	if id == "" {
+		render.Error(rw, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "id is missing in the path"))
+		return
+	}
+	dashboardID, err := valuer.NewUUID(id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	if pin {
+		err = handler.module.PinV2(ctx, orgID, userID, dashboardID)
+	} else {
+		err = handler.module.UnpinV2(ctx, userID, dashboardID)
+	}
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusNoContent, nil)
+}
+
+func (handler *handler) DeleteV2(rw http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+
+	id := mux.Vars(r)["id"]
+	if id == "" {
+		render.Error(rw, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "id is missing in the path"))
+		return
+	}
+	dashboardID, err := valuer.NewUUID(id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	if err := handler.module.DeleteV2(ctx, orgID, dashboardID); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusNoContent, nil)
+}

pkg/modules/dashboard/impldashboard/v2_module.go

@@ -6,6 +6,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
+	"github.com/SigNoz/signoz/pkg/types/tagtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
@@ -42,6 +43,58 @@ func (m *module) CreateV2(ctx context.Context, orgID valuer.UUID, createdBy stri
 	return dashboard, nil
 }
 
+func (module *module) ListV2(ctx context.Context, orgID valuer.UUID, params *dashboardtypes.ListDashboardsV2Params) (*dashboardtypes.ListableDashboardV2, error) {
+	dashboards, total, err := module.store.ListV2(ctx, orgID, params)
+	if err != nil {
+		return nil, err
+	}
+
+	dashboardIDs := make([]valuer.UUID, len(dashboards))
+	for i, d := range dashboards {
+		dashboardIDs[i] = d.ID
+	}
+
+	tagsByDashboard, allTags, err := module.fetchDashboardTags(ctx, orgID, dashboardIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	return dashboardtypes.NewListableDashboardV2(dashboards, total, tagsByDashboard, allTags)
+}
+
+func (module *module) ListForUserV2(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, params *dashboardtypes.ListDashboardsV2Params) (*dashboardtypes.ListableDashboardForUserV2, error) {
+	rows, total, err := module.store.ListForUser(ctx, orgID, userID, params)
+	if err != nil {
+		return nil, err
+	}
+
+	dashboardIDs := make([]valuer.UUID, len(rows))
+	for i, r := range rows {
+		dashboardIDs[i] = r.Dashboard.ID
+	}
+
+	tagsByDashboard, allTags, err := module.fetchDashboardTags(ctx, orgID, dashboardIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	return dashboardtypes.NewListableDashboardForUserV2(rows, total, tagsByDashboard, allTags)
+}
+
+func (module *module) fetchDashboardTags(ctx context.Context, orgID valuer.UUID, dashboardIDs []valuer.UUID) (map[valuer.UUID][]*tagtypes.Tag, []*tagtypes.Tag, error) {
+	tagsByDashboard, err := module.tagModule.ListForResources(ctx, orgID, coretypes.KindDashboard, dashboardIDs)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	allTags, err := module.tagModule.List(ctx, orgID, coretypes.KindDashboard)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return tagsByDashboard, allTags, nil
+}
+
 func (module *module) GetV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*dashboardtypes.DashboardV2, error) {
 	storable, err := module.store.Get(ctx, orgID, id)
 	if err != nil {
@@ -135,6 +188,27 @@ func (module *module) PatchV2(ctx context.Context, orgID valuer.UUID, id valuer.
 	return existing, nil
 }
 
+func (module *module) DeleteV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
+	existing, err := module.GetV2(ctx, orgID, id)
+	if err != nil {
+		return err
+	}
+	if err := existing.CanDelete(); err != nil {
+		return err
+	}
+
+	return module.store.RunInTx(ctx, func(ctx context.Context) error {
+		// Syncing to an empty tag set drops every tag link for the dashboard.
+		if _, err := module.tagModule.SyncTags(ctx, orgID, coretypes.KindDashboard, id, nil); err != nil {
+			return err
+		}
+		if err := module.store.DeletePreferencesForDashboard(ctx, id); err != nil {
+			return err
+		}
+		return module.store.Delete(ctx, orgID, id)
+	})
+}
+
 func (module *module) LockUnlockV2(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, isAdmin bool, lock bool) error {
 	existing, err := module.GetV2(ctx, orgID, id)
 	if err != nil {
@@ -149,3 +223,18 @@ func (module *module) LockUnlockV2(ctx context.Context, orgID valuer.UUID, id va
 	}
 	return module.store.Update(ctx, orgID, storable)
 }
+
+func (module *module) PinV2(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, id valuer.UUID) error {
+	if _, err := module.GetV2(ctx, orgID, id); err != nil {
+		return err
+	}
+	return module.store.PinForUser(ctx, dashboardtypes.NewUserDashboardPreference(userID, id))
+}
+
+func (module *module) UnpinV2(ctx context.Context, userID valuer.UUID, id valuer.UUID) error {
+	return module.store.UnpinForUser(ctx, userID, id)
+}
+
+func (module *module) DeletePreferencesForUser(ctx context.Context, userID valuer.UUID) error {
+	return module.store.DeletePreferencesForUser(ctx, userID)
+}

pkg/modules/session/implsession/module.go

@@ -201,7 +201,7 @@ func (module *module) getOrgSessionContext(ctx context.Context, org *types.Organ
 		return authtypes.NewOrgSessionContext(org.ID, org.Name).AddPasswordAuthNSupport(authtypes.AuthNProviderEmailPassword), nil
 	}
 
-	provider, err := getProvider[authn.CallbackAuthN](authDomain.AuthDomainConfig().Provider.Type, module.authNs)
+	provider, err := getProvider[authn.CallbackAuthN](authDomain.AuthDomainConfig().AuthNProvider, module.authNs)
 	if err != nil {
 		return nil, err
 	}
@@ -211,7 +211,7 @@ func (module *module) getOrgSessionContext(ctx context.Context, org *types.Organ
 		return nil, err
 	}
 
-	return authtypes.NewOrgSessionContext(org.ID, org.Name).AddCallbackAuthNSupport(authDomain.AuthDomainConfig().Provider.Type, loginURL), nil
+	return authtypes.NewOrgSessionContext(org.ID, org.Name).AddCallbackAuthNSupport(authDomain.AuthDomainConfig().AuthNProvider, loginURL), nil
 }
 
 func getProvider[T authn.AuthN](authNProvider authtypes.AuthNProvider, authNs map[authtypes.AuthNProvider]authn.AuthN) (T, error) {

pkg/modules/tag/impltag/module.go

@@ -67,6 +67,10 @@ func (m *module) syncLinksForResource(ctx context.Context, orgID valuer.UUID, ki
 	})
 }
 
+func (m *module) List(ctx context.Context, orgID valuer.UUID, kind coretypes.Kind) ([]*tagtypes.Tag, error) {
+	return m.store.List(ctx, orgID, kind)
+}
+
 func (m *module) ListForResource(ctx context.Context, orgID valuer.UUID, kind coretypes.Kind, resourceID valuer.UUID) ([]*tagtypes.Tag, error) {
 	return m.store.ListByResource(ctx, orgID, kind, resourceID)
 }

pkg/modules/tag/tag.go

@@ -13,6 +13,9 @@ type Module interface {
 	// and reconciles the resource's links to exactly that set, all in one transaction.
 	SyncTags(ctx context.Context, orgID valuer.UUID, kind coretypes.Kind, resourceID valuer.UUID, postable []tagtypes.PostableTag) ([]*tagtypes.Tag, error)
 
+	// List returns every tag of the given kind in the org.
+	List(ctx context.Context, orgID valuer.UUID, kind coretypes.Kind) ([]*tagtypes.Tag, error)
+
 	ListForResource(ctx context.Context, orgID valuer.UUID, kind coretypes.Kind, resourceID valuer.UUID) ([]*tagtypes.Tag, error)
 
 	// Resources with no tags are absent from the returned map.

pkg/modules/user/impluser/setter.go

@@ -13,6 +13,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
@@ -34,10 +35,11 @@ type setter struct {
 	analytics     analytics.Analytics
 	config        root.Config
 	getter        root.Getter
+	dashboard     dashboard.Module
 }
 
 // This module is a WIP, don't take inspiration from this.
-func NewSetter(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config root.Config, userRoleStore authtypes.UserRoleStore, getter root.Getter) root.Setter {
+func NewSetter(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config root.Config, userRoleStore authtypes.UserRoleStore, getter root.Getter, dashboard dashboard.Module) root.Setter {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/user/impluser")
 	return &setter{
 		store:         store,
@@ -50,6 +52,7 @@ func NewSetter(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing em
 		authz:         authz,
 		config:        config,
 		getter:        getter,
+		dashboard:     dashboard,
 	}
 }
 
@@ -406,6 +409,10 @@ func (module *setter) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		return err
 	}
 
+	if err := module.dashboard.DeletePreferencesForUser(ctx, user.ID); err != nil {
+		return err
+	}
+
 	traitsOrProperties := types.NewTraitsFromUser(user)
 	module.analytics.IdentifyUser(ctx, user.OrgID.String(), user.ID.String(), traitsOrProperties)
 	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Deleted", map[string]any{

pkg/parser/filterquery/parse.go

@@ -0,0 +1,33 @@
+package filterquery
+
+import (
+	"fmt"
+
+	grammar "github.com/SigNoz/signoz/pkg/parser/filterquery/grammar"
+	"github.com/antlr4-go/antlr/v4"
+)
+
+func Parse(query string) (antlr.ParseTree, *antlr.CommonTokenStream, *ErrorCollector) {
+	collector := NewErrorCollector()
+	lexer := grammar.NewFilterQueryLexer(antlr.NewInputStream(query))
+	lexer.RemoveErrorListeners()
+	lexer.AddErrorListener(collector)
+	tokens := antlr.NewCommonTokenStream(lexer, 0)
+	parser := grammar.NewFilterQueryParser(tokens)
+	parser.RemoveErrorListeners()
+	parser.AddErrorListener(collector)
+	return parser.Query(), tokens, collector
+}
+
+type ErrorCollector struct {
+	*antlr.DefaultErrorListener
+	Errors []string
+}
+
+func NewErrorCollector() *ErrorCollector {
+	return &ErrorCollector{}
+}
+
+func (c *ErrorCollector) SyntaxError(_ antlr.Recognizer, _ any, line, column int, msg string, _ antlr.RecognitionException) {
+	c.Errors = append(c.Errors, fmt.Sprintf("syntax error at %d:%d — %s", line, column, msg))
+}

pkg/querier/querier.go

@@ -361,6 +361,10 @@ func (q *querier) resolveMetricMetadata(ctx context.Context, queries []qbtypes.Q
 				missingMetrics = append(missingMetrics, spec.Aggregations[i].MetricName)
 				continue
 			}
+			// Type is resolved now; validate aggregation compatibility against it.
+			if err := spec.Aggregations[i].ValidateForType(); err != nil {
+				return nil, "", err
+			}
 			presentAggregations = append(presentAggregations, spec.Aggregations[i])
 		}
 		if len(presentAggregations) == 0 {

pkg/signoz/module.go

@@ -122,7 +122,7 @@ func NewModules(
 ) Modules {
 	quickfilter := implquickfilter.NewModule(implquickfilter.NewStore(sqlstore))
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
-	userSetter := impluser.NewSetter(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User, userRoleStore, userGetter)
+	userSetter := impluser.NewSetter(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User, userRoleStore, userGetter, dashboard)
 	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)
 
 	return Modules{

pkg/signoz/provider.go

@@ -211,7 +211,7 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewAddDashboardNameFactory(sqlstore, sqlschema),
 		sqlmigration.NewFixChangelogOperationTypeFactory(sqlstore, sqlschema),
 		sqlmigration.NewCloudIntegrationRemoveCascadeDeleteFactory(sqlschema),
-		sqlmigration.NewMigrateAuthDomainPayloadFactory(),
+		sqlmigration.NewAddUserDashboardPreferenceFactory(sqlstore, sqlschema),
 	)
 }
 

pkg/sqlmigration/092_add_user_dashboard_preference.go

@@ -0,0 +1,71 @@
+package sqlmigration
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addUserDashboardPreference struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+func NewAddUserDashboardPreferenceFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_user_dashboard_preference"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addUserDashboardPreference{
+			sqlstore:  sqlstore,
+			sqlschema: sqlschema,
+		}, nil
+	})
+}
+
+func (migration *addUserDashboardPreference) Register(migrations *migrate.Migrations) error {
+	return migrations.Register(migration.Up, migration.Down)
+}
+
+func (migration *addUserDashboardPreference) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	sqls := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "user_dashboard_preference",
+		Columns: []*sqlschema.Column{
+			{Name: "user_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "dashboard_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "is_pinned", DataType: sqlschema.DataTypeBoolean, Nullable: false, Default: "false"},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{ColumnNames: []sqlschema.ColumnName{"user_id", "dashboard_id"}},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("user_id"),
+				ReferencedTableName:   sqlschema.TableName("users"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+			{
+				ReferencingColumnName: sqlschema.ColumnName("dashboard_id"),
+				ReferencedTableName:   sqlschema.TableName("dashboard"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	return tx.Commit()
+}
+
+func (migration *addUserDashboardPreference) Down(_ context.Context, _ *bun.DB) error {
+	return nil
+}

pkg/sqlmigration/092_migrate_auth_domain_payload.go

@@ -1,118 +0,0 @@
-package sqlmigration
-
-import (
-	"context"
-	"encoding/json"
-
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/uptrace/bun"
-	"github.com/uptrace/bun/migrate"
-)
-
-type migrateAuthDomainPayload struct{}
-
-type authDomainPayloadRaw struct {
-	bun.BaseModel `bun:"table:auth_domain"`
-
-	ID   string `bun:"id"`
-	Data string `bun:"data"`
-}
-
-// auth config type -> old sso type.
-var legacyConfigKeyByType = map[string]string{
-	"saml":        "samlConfig",
-	"oidc":        "oidcConfig",
-	"google_auth": "googleAuthConfig",
-}
-
-func NewMigrateAuthDomainPayloadFactory() factory.ProviderFactory[SQLMigration, Config] {
-	return factory.NewProviderFactory(
-		factory.MustNewName("migrate_auth_domain_payload"),
-		func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
-			return &migrateAuthDomainPayload{}, nil
-		},
-	)
-}
-
-func (migration *migrateAuthDomainPayload) Register(migrations *migrate.Migrations) error {
-	return migrations.Register(migration.Up, migration.Down)
-}
-
-func (migration *migrateAuthDomainPayload) Up(ctx context.Context, db *bun.DB) error {
-	tx, err := db.BeginTx(ctx, nil)
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = tx.Rollback()
-	}()
-
-	var rows []*authDomainPayloadRaw
-	if err := tx.NewSelect().Model(&rows).Scan(ctx); err != nil {
-		return err
-	}
-
-	for _, row := range rows {
-		var oldData map[string]json.RawMessage
-		if err := json.Unmarshal([]byte(row.Data), &oldData); err != nil {
-			return err
-		}
-
-		// idempotency - we skip the ones which already migrated.
-		if _, hasProvider := oldData["provider"]; hasProvider {
-			continue
-		}
-		if _, hasSSOType := oldData["ssoType"]; !hasSSOType {
-			continue
-		}
-
-		var ssoType string
-		if err := json.Unmarshal(oldData["ssoType"], &ssoType); err != nil {
-			return err
-		}
-
-		provider := map[string]json.RawMessage{
-			"type": oldData["ssoType"],
-		}
-
-		// get from old data and set config in provider.
-		if configKey, ok := legacyConfigKeyByType[ssoType]; ok {
-			if cfg, ok := oldData[configKey]; ok {
-				provider["config"] = cfg
-			}
-		}
-
-		providerRaw, err := json.Marshal(provider)
-		if err != nil {
-			return err
-		}
-
-		updatedData := map[string]json.RawMessage{
-			"provider": providerRaw,
-		}
-		if v, ok := oldData["ssoEnabled"]; ok {
-			updatedData["ssoEnabled"] = v
-		}
-		if v, ok := oldData["roleMapping"]; ok {
-			updatedData["roleMapping"] = v
-		}
-
-		updatedDataRaw, err := json.Marshal(updatedData)
-		if err != nil {
-			return err
-		}
-
-		row.Data = string(updatedDataRaw)
-
-		if _, err := tx.NewUpdate().Model(row).Column("data").Where("id = ?", row.ID).Exec(ctx); err != nil {
-			return err
-		}
-	}
-
-	return tx.Commit()
-}
-
-func (migration *migrateAuthDomainPayload) Down(ctx context.Context, db *bun.DB) error {
-	return nil
-}

pkg/types/authtypes/domain.go

@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/swaggest/jsonschema-go"
 	"github.com/uptrace/bun"
 )
 
@@ -31,7 +30,7 @@ var (
 
 type GettableAuthDomain struct {
 	StorableAuthDomain
-	AuthDomainConfig
+	Config            AuthDomainConfig   `json:"config"`
 	AuthNProviderInfo *AuthNProviderInfo `json:"authNProviderInfo"`
 }
 
@@ -40,12 +39,12 @@ type AuthNProviderInfo struct {
 }
 
 type PostableAuthDomain struct {
-	Name string `json:"name"`
-	AuthDomainConfig
+	Config AuthDomainConfig `json:"config"`
+	Name   string           `json:"name"`
 }
 
 type UpdatableAuthDomain struct {
-	AuthDomainConfig
+	Config AuthDomainConfig `json:"config"`
 }
 
 type StorableAuthDomain struct {
@@ -58,114 +57,22 @@ type StorableAuthDomain struct {
 	types.TimeAuditable
 }
 
+// TODO: the oneOf emitted by JSONSchemaOneOf is not the shape OpenAPI wants
+// for a discriminated union. OpenAPI's discriminator requires every oneOf
+// branch to be a $ref to a named component and a sibling property whose value
+// selects the variant. ssoType is already discriminator-shaped, but the
+// variant payload lives in a sibling field (samlConfig / googleAuthConfig /
+// oidcConfig) instead of being the payload itself, so no discriminator can
+// be attached. Refactor AuthDomainConfig into an envelope (see
+// ruletypes.RuleThresholdData for the pattern) where the chosen config is
+// the payload and ssoType is the discriminator.
 type AuthDomainConfig struct {
-	SSOEnabled  bool                 `json:"ssoEnabled"`
-	RoleMapping *RoleMapping         `json:"roleMapping,omitempty"`
-	Provider    AuthProviderEnvelope `json:"provider"`
-}
-
-func (config AuthDomainConfig) Saml() *SAMLConfig {
-	cfg, _ := config.Provider.Config.(*SAMLConfig)
-	return cfg
-}
-
-func (config AuthDomainConfig) Google() *GoogleConfig {
-	cfg, _ := config.Provider.Config.(*GoogleConfig)
-	return cfg
-}
-
-func (config AuthDomainConfig) Oidc() *OIDCConfig {
-	cfg, _ := config.Provider.Config.(*OIDCConfig)
-	return cfg
-}
-
-type AuthProviderEnvelope struct {
-	Type   AuthNProvider `json:"type" required:"true"`
-	Config any           `json:"config" required:"true"` // this can be either of SamlConfig, OIDCConfig and GoogleConfig
-}
-
-// internal - drives the oneOf thing in open api spec.
-type authProviderSAML struct {
-	Type   AuthNProvider `json:"type" required:"true"`
-	Config SAMLConfig    `json:"config" required:"true"`
-}
-
-type authProviderOIDC struct {
-	Type   AuthNProvider `json:"type" required:"true"`
-	Config OIDCConfig    `json:"config" required:"true"`
-}
-
-type authProviderGoogle struct {
-	Type   AuthNProvider `json:"type" required:"true"`
-	Config GoogleConfig  `json:"config" required:"true"`
-}
-
-var (
-	_ jsonschema.OneOfExposer = AuthProviderEnvelope{}
-	_ jsonschema.Preparer     = AuthProviderEnvelope{}
-)
-
-func (AuthProviderEnvelope) JSONSchemaOneOf() []any {
-	return []any{
-		authProviderSAML{},
-		authProviderOIDC{},
-		authProviderGoogle{},
-	}
-}
-
-func (AuthProviderEnvelope) PrepareJSONSchema(schema *jsonschema.Schema) error {
-	if schema.ExtraProperties == nil {
-		schema.ExtraProperties = map[string]any{}
-	}
-
-	schema.ExtraProperties["x-signoz-discriminator"] = map[string]any{
-		"propertyName": "type",
-		"mapping": map[string]string{
-			"saml":        "#/components/schemas/AuthtypesAuthProviderSAML",
-			"oidc":        "#/components/schemas/AuthtypesAuthProviderOIDC",
-			"google_auth": "#/components/schemas/AuthtypesAuthProviderGoogle",
-		},
-	}
-
-	return nil
-}
-
-func (envelop *AuthProviderEnvelope) UnmarshalJSON(data []byte) error {
-	var raw struct {
-		Type   AuthNProvider   `json:"type"`
-		Config json.RawMessage `json:"config"`
-	}
-
-	if err := json.Unmarshal(data, &raw); err != nil {
-		return errors.NewInvalidInputf(errors.CodeInvalidInput, "failed to unmarshal auth provider: %v", err)
-	}
-
-	envelop.Type = raw.Type
-
-	switch raw.Type {
-	case AuthNProviderSAML:
-		cfg := new(SAMLConfig)
-		if err := json.Unmarshal(raw.Config, cfg); err != nil {
-			return err
-		}
-		envelop.Config = cfg
-	case AuthNProviderOIDC:
-		cfg := new(OIDCConfig)
-		if err := json.Unmarshal(raw.Config, cfg); err != nil {
-			return err
-		}
-		envelop.Config = cfg
-	case AuthNProviderGoogleAuth:
-		cfg := new(GoogleConfig)
-		if err := json.Unmarshal(raw.Config, cfg); err != nil {
-			return err
-		}
-		envelop.Config = cfg
-	default:
-		return errors.NewInvalidInputf(errors.CodeInvalidInput, "unknown auth provider type: %s", raw.Type.StringValue())
-	}
-
-	return nil
+	SSOEnabled    bool          `json:"ssoEnabled"`
+	AuthNProvider AuthNProvider `json:"ssoType"`
+	SAML          *SamlConfig   `json:"samlConfig"`
+	Google        *GoogleConfig `json:"googleAuthConfig"`
+	OIDC          *OIDCConfig   `json:"oidcConfig"`
+	RoleMapping   *RoleMapping  `json:"roleMapping"`
 }
 
 type AuthDomain struct {
@@ -214,7 +121,7 @@ func NewAuthDomainFromStorableAuthDomain(storableAuthDomain *StorableAuthDomain)
 func NewGettableAuthDomainFromAuthDomain(authDomain *AuthDomain, authNProviderInfo *AuthNProviderInfo) *GettableAuthDomain {
 	return &GettableAuthDomain{
 		StorableAuthDomain: *authDomain.StorableAuthDomain(),
-		AuthDomainConfig:   *authDomain.AuthDomainConfig(),
+		Config:             *authDomain.AuthDomainConfig(),
 		AuthNProviderInfo:  authNProviderInfo,
 	}
 }
@@ -251,14 +158,51 @@ func (typ *PostableAuthDomain) UnmarshalJSON(data []byte) error {
 		return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidName, "invalid domain name %s", temp.Name)
 	}
 
-	if temp.Provider.Config == nil {
-		return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "provider config is required")
-	}
-
 	*typ = PostableAuthDomain(temp)
 	return nil
 }
 
+func (typ *AuthDomainConfig) UnmarshalJSON(data []byte) error {
+	type Alias AuthDomainConfig
+
+	var temp Alias
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	switch temp.AuthNProvider {
+	case AuthNProviderGoogleAuth:
+		if temp.Google == nil {
+			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "google auth config is required")
+		}
+
+	case AuthNProviderSAML:
+		if temp.SAML == nil {
+			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "saml config is required")
+		}
+
+	case AuthNProviderOIDC:
+		if temp.OIDC == nil {
+			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "oidc config is required")
+		}
+
+	default:
+		return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "invalid authn provider %q", temp.AuthNProvider.StringValue())
+	}
+
+	*typ = AuthDomainConfig(temp)
+	return nil
+
+}
+
+func (AuthDomainConfig) JSONSchemaOneOf() []any {
+	return []any{
+		SamlConfig{},
+		GoogleConfig{},
+		OIDCConfig{},
+	}
+}
+
 type AuthDomainStore interface {
 	// Get by id.
 	Get(context.Context, valuer.UUID) (*AuthDomain, error)

pkg/types/authtypes/domain_test.go

@@ -1,154 +0,0 @@
-package authtypes
-
-import (
-	"encoding/json"
-	"testing"
-
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/stretchr/testify/require"
-)
-
-// Verifies the new flat wire shape: ssoType/provider configs collapse into a
-// single discriminated `provider:{type,config}`, and the typed payload survives
-// a marshal -> unmarshal round-trip. This fails if UnmarshalJSON forgets to
-// assign envelop.Config (the decoded config would be lost).
-func TestAuthDomainConfigWireRoundTrip(t *testing.T) {
-	tests := []struct {
-		name         string
-		provider     AuthNProvider
-		config       any
-		wantType     string
-		assertConfig func(t *testing.T, c AuthDomainConfig)
-	}{
-		{
-			name:     "saml",
-			provider: AuthNProviderSAML,
-			config: &SAMLConfig{
-				SamlEntity: "https://idp.example.com",
-				SamlIdp:    "https://idp.example.com/sso",
-				SamlCert:   "cert-bytes",
-			},
-			wantType: "saml",
-			assertConfig: func(t *testing.T, c AuthDomainConfig) {
-				require.NotNil(t, c.Saml())
-				require.Equal(t, "https://idp.example.com", c.Saml().SamlEntity)
-			},
-		},
-		{
-			name:     "google",
-			provider: AuthNProviderGoogleAuth,
-			config:   &GoogleConfig{ClientID: "cid", ClientSecret: "secret"},
-			wantType: "google_auth",
-			assertConfig: func(t *testing.T, c AuthDomainConfig) {
-				require.NotNil(t, c.Google())
-				require.Equal(t, "cid", c.Google().ClientID)
-			},
-		},
-		{
-			name:     "oidc",
-			provider: AuthNProviderOIDC,
-			config:   &OIDCConfig{Issuer: "https://issuer", ClientID: "cid", ClientSecret: "secret"},
-			wantType: "oidc",
-			assertConfig: func(t *testing.T, c AuthDomainConfig) {
-				require.NotNil(t, c.Oidc())
-				require.Equal(t, "https://issuer", c.Oidc().Issuer)
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			in := AuthDomainConfig{
-				SSOEnabled: true,
-				Provider:   AuthProviderEnvelope{Type: tt.provider, Config: tt.config},
-			}
-
-			raw, err := json.Marshal(in)
-			require.NoError(t, err)
-
-			js := string(raw)
-			require.Contains(t, js, `"provider"`)
-			require.Contains(t, js, `"type":"`+tt.wantType+`"`)
-			// legacy keys must be gone
-			require.NotContains(t, js, "ssoType")
-			require.NotContains(t, js, "samlConfig")
-			require.NotContains(t, js, "googleAuthConfig")
-			require.NotContains(t, js, "oidcConfig")
-
-			var out AuthDomainConfig
-			require.NoError(t, json.Unmarshal(raw, &out))
-			require.True(t, out.SSOEnabled)
-			require.Equal(t, tt.provider, out.Provider.Type)
-			tt.assertConfig(t, out)
-		})
-	}
-}
-
-// Unknown discriminator values are rejected, and the nested provider config's
-// own validators still run through the envelope.
-func TestAuthDomainConfigUnmarshalRejects(t *testing.T) {
-	tests := []struct {
-		name string
-		json string
-	}{
-		{
-			name: "unknown provider type",
-			json: `{"ssoEnabled":true,"provider":{"type":"ldap","config":{}}}`,
-		},
-		{
-			name: "oidc config missing clientId",
-			json: `{"ssoEnabled":true,"provider":{"type":"oidc","config":{"issuer":"https://issuer","clientSecret":"secret"}}}`,
-		},
-		{
-			name: "saml config missing samlEntity",
-			json: `{"ssoEnabled":true,"provider":{"type":"saml","config":{"samlIdp":"https://idp/sso","samlCert":"abc"}}}`,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var c AuthDomainConfig
-			require.Error(t, json.Unmarshal([]byte(tt.json), &c))
-		})
-	}
-}
-
-// The config is marshaled into the `data` column and unmarshaled back when the
-// domain is loaded, so the typed provider config must survive that round-trip.
-func TestAuthDomainStorageRoundTrip(t *testing.T) {
-	cfg := AuthDomainConfig{
-		SSOEnabled: true,
-		Provider: AuthProviderEnvelope{
-			Type:   AuthNProviderSAML,
-			Config: &SAMLConfig{SamlEntity: "https://idp", SamlIdp: "https://idp/sso", SamlCert: "abc"},
-		},
-	}
-
-	domain, err := NewAuthDomainFromConfig("example.com", &cfg, valuer.GenerateUUID())
-	require.NoError(t, err)
-
-	got := domain.AuthDomainConfig()
-	require.Equal(t, AuthNProviderSAML, got.Provider.Type)
-	require.NotNil(t, got.Saml())
-	require.Equal(t, "https://idp", got.Saml().SamlEntity)
-}
-
-// Postable keeps name-regex validation and still decodes the embedded provider.
-func TestPostableAuthDomainUnmarshal(t *testing.T) {
-	valid := `{
-		"name":"example.com",
-		"ssoEnabled":true,
-		"provider":{"type":"saml","config":{"samlEntity":"https://idp","samlIdp":"https://idp/sso","samlCert":"abc"}}
-	}`
-
-	var p PostableAuthDomain
-	require.NoError(t, json.Unmarshal([]byte(valid), &p))
-	require.Equal(t, "example.com", p.Name)
-	require.True(t, p.SSOEnabled)
-	require.NotNil(t, p.Saml())
-	require.Equal(t, "https://idp", p.Saml().SamlEntity)
-
-	invalid := `{"name":"not a domain!","provider":{"type":"saml","config":{"samlEntity":"https://idp","samlIdp":"https://idp/sso","samlCert":"abc"}}}`
-	var bad PostableAuthDomain
-	require.Error(t, json.Unmarshal([]byte(invalid), &bad))
-}

pkg/types/authtypes/saml.go

@@ -6,7 +6,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 )
 
-type SAMLConfig struct {
+type SamlConfig struct {
 	// The entityID of the SAML identity provider. It can typically be found in the EntityID attribute of the EntityDescriptor element in the SAML metadata of the identity provider. Example: <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{samlEntity}">
 	SamlEntity string `json:"samlEntity"`
 
@@ -25,8 +25,8 @@ type SAMLConfig struct {
 	AttributeMapping AttributeMapping `json:"attributeMapping"`
 }
 
-func (config *SAMLConfig) UnmarshalJSON(data []byte) error {
-	type Alias SAMLConfig
+func (config *SamlConfig) UnmarshalJSON(data []byte) error {
+	type Alias SamlConfig
 
 	var temp Alias
 	if err := json.Unmarshal(data, &temp); err != nil {
@@ -51,6 +51,6 @@ func (config *SAMLConfig) UnmarshalJSON(data []byte) error {
 		}
 	}
 
-	*config = SAMLConfig(temp)
+	*config = SamlConfig(temp)
 	return nil
 }

pkg/types/dashboardtypes/list_filter.go

@@ -0,0 +1,59 @@
+package dashboardtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/errors"
+	qbtypesv5 "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
+)
+
+var ErrCodeDashboardListFilterInvalid = errors.MustNewCode("dashboard_list_filter_invalid")
+
+// ReservedOps lists the operators each reserved (column-level) DSL key accepts.
+// Any non-reserved key is treated as a tag key and uses TagKeyOps.
+var ReservedOps = map[DSLKey]map[qbtypesv5.FilterOperator]struct{}{
+	DSLKeyName:        stringSearchOps(),
+	DSLKeyDescription: stringSearchOps(),
+	DSLKeyCreatedAt:   numericRangeOps(),
+	DSLKeyUpdatedAt:   numericRangeOps(),
+	DSLKeyCreatedBy:   stringSearchOps(),
+	DSLKeyLocked:      opsSet(qbtypesv5.FilterOperatorEqual, qbtypesv5.FilterOperatorNotEqual),
+}
+
+// TagKeyOps applies to every non-reserved DSL key — the operator targets the
+// tag's value with an implicit case-insensitive match on the tag's key.
+var TagKeyOps = opsSet(
+	qbtypesv5.FilterOperatorEqual, qbtypesv5.FilterOperatorNotEqual,
+	qbtypesv5.FilterOperatorLike, qbtypesv5.FilterOperatorNotLike,
+	qbtypesv5.FilterOperatorILike, qbtypesv5.FilterOperatorNotILike,
+	qbtypesv5.FilterOperatorContains, qbtypesv5.FilterOperatorNotContains,
+	qbtypesv5.FilterOperatorRegexp, qbtypesv5.FilterOperatorNotRegexp,
+	qbtypesv5.FilterOperatorIn, qbtypesv5.FilterOperatorNotIn,
+	qbtypesv5.FilterOperatorExists, qbtypesv5.FilterOperatorNotExists,
+)
+
+func stringSearchOps() map[qbtypesv5.FilterOperator]struct{} {
+	return opsSet(
+		qbtypesv5.FilterOperatorEqual, qbtypesv5.FilterOperatorNotEqual,
+		qbtypesv5.FilterOperatorLike, qbtypesv5.FilterOperatorNotLike,
+		qbtypesv5.FilterOperatorILike, qbtypesv5.FilterOperatorNotILike,
+		qbtypesv5.FilterOperatorContains, qbtypesv5.FilterOperatorNotContains,
+		qbtypesv5.FilterOperatorRegexp, qbtypesv5.FilterOperatorNotRegexp,
+		qbtypesv5.FilterOperatorIn, qbtypesv5.FilterOperatorNotIn,
+	)
+}
+
+func numericRangeOps() map[qbtypesv5.FilterOperator]struct{} {
+	return opsSet(
+		qbtypesv5.FilterOperatorEqual, qbtypesv5.FilterOperatorNotEqual,
+		qbtypesv5.FilterOperatorLessThan, qbtypesv5.FilterOperatorLessThanOrEq,
+		qbtypesv5.FilterOperatorGreaterThan, qbtypesv5.FilterOperatorGreaterThanOrEq,
+		qbtypesv5.FilterOperatorBetween, qbtypesv5.FilterOperatorNotBetween,
+	)
+}
+
+func opsSet(ops ...qbtypesv5.FilterOperator) map[qbtypesv5.FilterOperator]struct{} {
+	m := make(map[qbtypesv5.FilterOperator]struct{}, len(ops))
+	for _, op := range ops {
+		m[op] = struct{}{}
+	}
+	return m
+}

pkg/types/dashboardtypes/list_v2.go

@@ -0,0 +1,192 @@
+package dashboardtypes
+
+import (
+	"slices"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/tagtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/perses/spec/go/common"
+)
+
+const (
+	DefaultListLimit = 20
+	MaxListLimit     = 200
+)
+
+// ListSort is the sort field for the dashboard list endpoint. The value is a
+// stable enum so callers can't ask for arbitrary columns.
+type ListSort struct{ valuer.String }
+
+var (
+	ListSortUpdatedAt = ListSort{valuer.NewString("updated_at")}
+	ListSortCreatedAt = ListSort{valuer.NewString("created_at")}
+	ListSortName      = ListSort{valuer.NewString("name")}
+)
+
+func (ListSort) Enum() []any {
+	return []any{ListSortUpdatedAt, ListSortCreatedAt, ListSortName}
+}
+
+func (s ListSort) IsValid() bool {
+	return slices.ContainsFunc(s.Enum(), func(v any) bool { return v == s })
+}
+
+type ListOrder struct{ valuer.String }
+
+var (
+	ListOrderAsc  = ListOrder{valuer.NewString("asc")}
+	ListOrderDesc = ListOrder{valuer.NewString("desc")}
+)
+
+func (ListOrder) Enum() []any {
+	return []any{ListOrderAsc, ListOrderDesc}
+}
+
+func (o ListOrder) IsValid() bool {
+	return slices.ContainsFunc(o.Enum(), func(v any) bool { return v == o })
+}
+
+var ErrCodeDashboardListInvalid = errors.MustNewCode("dashboard_list_invalid")
+
+type ListDashboardsV2Params struct {
+	Query  string    `query:"query"`
+	Sort   ListSort  `query:"sort"`
+	Order  ListOrder `query:"order"`
+	Limit  int       `query:"limit"`
+	Offset int       `query:"offset"`
+}
+
+// Validate fills in defaults (sort=updated_at, order=desc, limit=20) and
+// rejects out-of-allowlist sort/order values and bad limit/offset. Limit is
+// clamped to MaxListLimit on the high side. Sort/order are case-insensitive —
+// valuer.String lowercases them at bind time.
+func (p *ListDashboardsV2Params) Validate() error {
+	if p.Sort.IsZero() {
+		p.Sort = ListSortUpdatedAt
+	} else if !p.Sort.IsValid() {
+		return errors.NewInvalidInputf(ErrCodeDashboardListInvalid,
+			"invalid sort %q — expected one of: `updated_at`, `created_at`, `name`", p.Sort)
+	}
+
+	if p.Order.IsZero() {
+		p.Order = ListOrderDesc
+	} else if !p.Order.IsValid() {
+		return errors.NewInvalidInputf(ErrCodeDashboardListInvalid,
+			"invalid order %q — expected `asc` or `desc`", p.Order)
+	}
+
+	if p.Limit == 0 {
+		p.Limit = DefaultListLimit
+	} else if p.Limit < 0 {
+		return errors.NewInvalidInputf(ErrCodeDashboardListInvalid,
+			"invalid limit %d — must be a positive integer", p.Limit)
+	} else if p.Limit > MaxListLimit {
+		p.Limit = MaxListLimit
+	}
+
+	if p.Offset < 0 {
+		return errors.NewInvalidInputf(ErrCodeDashboardListInvalid,
+			"invalid offset %d — must be a non-negative integer", p.Offset)
+	}
+
+	return nil
+}
+
+type listedDashboardV2 struct {
+	types.Identifiable
+	types.TimeAuditable
+	types.UserAuditable
+
+	OrgID         valuer.UUID             `json:"orgId" required:"true"`
+	Locked        bool                    `json:"locked" required:"true"`
+	Source        Source                  `json:"source" required:"true"`
+	SchemaVersion string                  `json:"schemaVersion" required:"true"`
+	Name          string                  `json:"name" required:"true"`
+	Image         string                  `json:"image,omitempty"`
+	Tags          []*tagtypes.GettableTag `json:"tags" required:"true" nullable:"false"`
+	Spec          listedDashboardV2Spec   `json:"spec" required:"true"`
+}
+
+type listedDashboardV2Spec struct {
+	Display *common.Display `json:"display,omitempty"`
+}
+
+func newListedDashboardV2(v2 *DashboardV2) *listedDashboardV2 {
+	return &listedDashboardV2{
+		Identifiable:  v2.Identifiable,
+		TimeAuditable: v2.TimeAuditable,
+		UserAuditable: v2.UserAuditable,
+		OrgID:         v2.OrgID,
+		Locked:        v2.Locked,
+		Source:        v2.Source,
+		SchemaVersion: v2.SchemaVersion,
+		Name:          v2.Name,
+		Image:         v2.Image,
+		Tags:          tagtypes.NewGettableTagsFromTags(v2.Tags),
+		Spec:          listedDashboardV2Spec{Display: v2.Spec.Display},
+	}
+}
+
+type ListableDashboardV2 struct {
+	Dashboards []*listedDashboardV2    `json:"dashboards" required:"true" nullable:"false"`
+	Total      int64                   `json:"total" required:"true"`
+	Tags       []*tagtypes.GettableTag `json:"tags" required:"true" nullable:"false"`
+}
+
+func NewListableDashboardV2(dashboards []*StorableDashboard, total int64, tagsByEntity map[valuer.UUID][]*tagtypes.Tag, allTags []*tagtypes.Tag) (*ListableDashboardV2, error) {
+	items := make([]*listedDashboardV2, len(dashboards))
+	for i, d := range dashboards {
+		v2, err := d.ToDashboardV2(tagsByEntity[d.ID])
+		if err != nil {
+			return nil, err
+		}
+		items[i] = newListedDashboardV2(v2)
+	}
+	return &ListableDashboardV2{
+		Dashboards: items,
+		Total:      total,
+		Tags:       tagtypes.NewGettableTagsFromTags(allTags),
+	}, nil
+}
+
+// listedDashboardForUserV2 is a listed dashboard plus the calling user's pin
+// state. Only the per-user list endpoint emits this; the pure list omits pins.
+type listedDashboardForUserV2 struct {
+	listedDashboardV2
+	Pinned bool `json:"pinned" required:"true"`
+}
+
+type ListableDashboardForUserV2 struct {
+	Dashboards []*listedDashboardForUserV2 `json:"dashboards" required:"true" nullable:"false"`
+	Total      int64                       `json:"total" required:"true"`
+	Tags       []*tagtypes.GettableTag     `json:"tags" required:"true" nullable:"false"`
+}
+
+// StorableDashboardWithPinInfo is the per-row shape Store.ListForUser returns: the dashboard
+// joined with the calling user's pin state, so the module layer can attach tags
+// and assemble the gettable view.
+type StorableDashboardWithPinInfo struct {
+	Dashboard *StorableDashboard
+	Pinned    bool
+}
+
+func NewListableDashboardForUserV2(rows []*StorableDashboardWithPinInfo, total int64, tagsByEntity map[valuer.UUID][]*tagtypes.Tag, allTags []*tagtypes.Tag) (*ListableDashboardForUserV2, error) {
+	items := make([]*listedDashboardForUserV2, len(rows))
+	for i, r := range rows {
+		v2, err := r.Dashboard.ToDashboardV2(tagsByEntity[r.Dashboard.ID])
+		if err != nil {
+			return nil, err
+		}
+		items[i] = &listedDashboardForUserV2{
+			listedDashboardV2: *newListedDashboardV2(v2),
+			Pinned:            r.Pinned,
+		}
+	}
+	return &ListableDashboardForUserV2{
+		Dashboards: items,
+		Total:      total,
+		Tags:       tagtypes.NewGettableTagsFromTags(allTags),
+	}, nil
+}

pkg/types/dashboardtypes/perses_dashboard.go

@@ -31,7 +31,7 @@ const (
 	DSLKeyUpdatedAt   DSLKey = "updated_at"
 	DSLKeyCreatedBy   DSLKey = "created_by"
 	DSLKeyLocked      DSLKey = "locked"
-	DSLKeyPublic      DSLKey = "public"
+	DSLKeySource      DSLKey = "source"
 )
 
 // reservedDSLKeys are dashboard column-level filter names in the list-query DSL.
@@ -44,7 +44,7 @@ var reservedDSLKeys = map[DSLKey]struct{}{
 	DSLKeyUpdatedAt:   {},
 	DSLKeyCreatedBy:   {},
 	DSLKeyLocked:      {},
-	DSLKeyPublic:      {},
+	DSLKeySource:      {},
 }
 
 type DashboardV2 struct {
@@ -110,6 +110,16 @@ func (d *DashboardV2) LockUnlock(lock bool, isAdmin bool, updatedBy string) erro
 	return nil
 }
 
+func (d *DashboardV2) CanDelete() error {
+	if d.Locked {
+		return errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "cannot delete a locked dashboard, please unlock the dashboard to delete")
+	}
+	if !d.Source.isUserDeletable() {
+		return errors.Newf(errors.TypeInvalidInput, ErrCodeDashboardImmutable, "%s dashboards cannot be deleted", d.Source)
+	}
+	return nil
+}
+
 type DashboardV2MetadataBase struct {
 	SchemaVersion string `json:"schemaVersion" required:"true"`
 	Image         string `json:"image,omitempty"`

pkg/types/dashboardtypes/perses_plugin_wrappers.go

@@ -22,10 +22,19 @@ type PanelPlugin struct {
 	Spec any             `json:"spec"`
 }
 
-// PrepareJSONSchema drops the reflected struct shape (type: object, properties)
-// from the envelope so that only the JSONSchemaOneOf result binds.
+// PrepareJSONSchema marks the envelope with x-signoz-discriminator;
+// signoz.attachDiscriminators promotes it to a real OpenAPI 3 discriminator
+// (and strips the duplicate parent properties) after reflection.
 func (PanelPlugin) PrepareJSONSchema(s *jsonschema.Schema) error {
-	return clearOneOfParentShape(s)
+	return markDiscriminator(s, "kind", map[string]string{
+		string(PanelKindTimeSeries): schemaRef("DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesTimeSeriesPanelSpec"),
+		string(PanelKindBarChart):   schemaRef("DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesBarChartPanelSpec"),
+		string(PanelKindNumber):     schemaRef("DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesNumberPanelSpec"),
+		string(PanelKindPieChart):   schemaRef("DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesPieChartPanelSpec"),
+		string(PanelKindTable):      schemaRef("DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesTablePanelSpec"),
+		string(PanelKindHistogram):  schemaRef("DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesHistogramPanelSpec"),
+		string(PanelKindList):       schemaRef("DashboardtypesPanelPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesListPanelSpec"),
+	})
 }
 
 func (p *PanelPlugin) UnmarshalJSON(data []byte) error {
@@ -77,7 +86,14 @@ type QueryPlugin struct {
 }
 
 func (QueryPlugin) PrepareJSONSchema(s *jsonschema.Schema) error {
-	return clearOneOfParentShape(s)
+	return markDiscriminator(s, "kind", map[string]string{
+		string(QueryKindBuilder):       schemaRef("DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesDashboardtypesBuilderQuerySpec"),
+		string(QueryKindComposite):     schemaRef("DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5CompositeQuery"),
+		string(QueryKindFormula):       schemaRef("DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5QueryBuilderFormula"),
+		string(QueryKindPromQL):        schemaRef("DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5PromQuery"),
+		string(QueryKindClickHouseSQL): schemaRef("DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5ClickHouseQuery"),
+		string(QueryKindTraceOperator): schemaRef("DashboardtypesQueryPluginVariantGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5QueryBuilderTraceOperator"),
+	})
 }
 
 func (p *QueryPlugin) UnmarshalJSON(data []byte) error {
@@ -128,7 +144,11 @@ type VariablePlugin struct {
 }
 
 func (VariablePlugin) PrepareJSONSchema(s *jsonschema.Schema) error {
-	return clearOneOfParentShape(s)
+	return markDiscriminator(s, "kind", map[string]string{
+		string(VariableKindDynamic): schemaRef("DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesDynamicVariableSpec"),
+		string(VariableKindQuery):   schemaRef("DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesQueryVariableSpec"),
+		string(VariableKindCustom):  schemaRef("DashboardtypesVariablePluginVariantGithubComSigNozSignozPkgTypesDashboardtypesCustomVariableSpec"),
+	})
 }
 
 func (p *VariablePlugin) UnmarshalJSON(data []byte) error {
@@ -176,7 +196,9 @@ type DatasourcePlugin struct {
 }
 
 func (DatasourcePlugin) PrepareJSONSchema(s *jsonschema.Schema) error {
-	return clearOneOfParentShape(s)
+	return markDiscriminator(s, "kind", map[string]string{
+		string(DatasourceKindSigNoz): schemaRef("DashboardtypesDatasourcePluginVariantStruct"),
+	})
 }
 
 func (p *DatasourcePlugin) UnmarshalJSON(data []byte) error {
@@ -291,10 +313,28 @@ func decodeSpec(specJSON []byte, target any, kind string) (any, error) {
 	return target, nil
 }
 
-// clearOneOfParentShape drops Type and Properties on a schema that also has a JSONSchemaOneOf.
-func clearOneOfParentShape(s *jsonschema.Schema) error {
-	s.Type = nil
-	s.Properties = nil
+// signozDiscriminatorKey is the extension key that signoz.attachDiscriminators
+// promotes into a native OpenAPI 3 discriminator after reflection.
+const signozDiscriminatorKey = "x-signoz-discriminator"
+
+// schemaRef builds a local component schema reference for a discriminator mapping.
+func schemaRef(name string) string {
+	return "#/components/schemas/" + name
+}
+
+// markDiscriminator tags a oneOf envelope schema with x-signoz-discriminator so
+// signoz.attachDiscriminators promotes it to a real OpenAPI 3 discriminator,
+// keyed on propertyName, with the given value -> schema-ref mapping. This turns
+// the union into a discriminated DTO (instead of an intersection) for generated
+// clients.
+func markDiscriminator(s *jsonschema.Schema, propertyName string, mapping map[string]string) error {
+	if s.ExtraProperties == nil {
+		s.ExtraProperties = map[string]any{}
+	}
+	s.ExtraProperties[signozDiscriminatorKey] = map[string]any{
+		"propertyName": propertyName,
+		"mapping":      mapping,
+	}
 	return nil
 }
 

pkg/types/dashboardtypes/perses_replicas.go

@@ -87,7 +87,10 @@ type Variable struct {
 }
 
 func (Variable) PrepareJSONSchema(s *jsonschema.Schema) error {
-	return clearOneOfParentShape(s)
+	return markDiscriminator(s, "kind", map[string]string{
+		string(variable.KindList): schemaRef("DashboardtypesVariableEnvelopeGithubComSigNozSignozPkgTypesDashboardtypesListVariableSpec"),
+		string(variable.KindText): schemaRef("DashboardtypesVariableEnvelopeGithubComPersesSpecGoDashboardTextVariableSpec"),
+	})
 }
 
 func (v *Variable) UnmarshalJSON(data []byte) error {
@@ -167,7 +170,9 @@ var layoutSpecs = map[dashboard.LayoutKind]func() any{
 }
 
 func (Layout) PrepareJSONSchema(s *jsonschema.Schema) error {
-	return clearOneOfParentShape(s)
+	return markDiscriminator(s, "kind", map[string]string{
+		string(dashboard.KindGridLayout): schemaRef("DashboardtypesLayoutEnvelopeGithubComPersesSpecGoDashboardGridLayoutSpec"),
+	})
 }
 
 func (l *Layout) UnmarshalJSON(data []byte) error {

pkg/types/dashboardtypes/perses_signoz_plugins.go

@@ -93,14 +93,21 @@ func (b BuilderQuerySpec) MarshalJSON() ([]byte, error) {
 	return json.Marshal(b.Spec)
 }
 
-// PrepareJSONSchema drops the reflected struct shape so only the
-// JSONSchemaOneOf result binds.
+// PrepareJSONSchema marks the envelope with x-signoz-discriminator keyed on
+// `signal`. Each QueryBuilderQuery[T] variant pins `signal` to its one value
+// (via its own PrepareJSONSchema in the qb package), so the union resolves
+// cleanly even though it doesn't carry a `kind`.
 func (BuilderQuerySpec) PrepareJSONSchema(s *jsonschema.Schema) error {
-	return clearOneOfParentShape(s)
+	return markDiscriminator(s, "signal", map[string]string{
+		telemetrytypes.SignalLogs.StringValue():    schemaRef("Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5LogAggregation"),
+		telemetrytypes.SignalMetrics.StringValue(): schemaRef("Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5MetricAggregation"),
+		telemetrytypes.SignalTraces.StringValue():  schemaRef("Querybuildertypesv5QueryBuilderQueryGithubComSigNozSignozPkgTypesQuerybuildertypesQuerybuildertypesv5TraceAggregation"),
+	})
 }
 
 // JSONSchemaOneOf exposes the three signal-dispatched shapes a builder query
-// can take. Mirrors qb.UnmarshalBuilderQueryBySignal's runtime dispatch.
+// can take. Mirrors qb.UnmarshalBuilderQueryBySignal's runtime dispatch. Each
+// QueryBuilderQuery[T] pins its own `signal` enum (see its PrepareJSONSchema).
 func (BuilderQuerySpec) JSONSchemaOneOf() []any {
 	return []any{
 		qb.QueryBuilderQuery[qb.LogAggregation]{},

pkg/types/dashboardtypes/source.go

@@ -51,6 +51,10 @@ func (s *Source) UnmarshalJSON(data []byte) error {
 	return s.s.UnmarshalJSON(data)
 }
 
+func (s Source) isUserDeletable() bool {
+	return s == SourceUser
+}
+
 func NewSource(source string) (Source, error) {
 	candidate := Source{s: valuer.NewString(source)}
 	if !candidate.IsValid() {

pkg/types/dashboardtypes/store.go

@@ -32,4 +32,23 @@ type Store interface {
 	DeletePublic(context.Context, string) error
 
 	RunInTx(context.Context, func(context.Context) error) error
+
+	// ════════════════════════════════════════════════════════════════════════
+	// v2 dashboard methods
+	// ════════════════════════════════════════════════════════════════════════
+
+	// int64 return is the total row count for the filter (pre-limit/offset).
+	// ListV2 is the pure list; ListForUser additionally joins the caller's pins.
+	ListV2(ctx context.Context, orgID valuer.UUID, params *ListDashboardsV2Params) ([]*StorableDashboard, int64, error)
+
+	ListForUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, params *ListDashboardsV2Params) ([]*StorableDashboardWithPinInfo, int64, error)
+
+	// Returns ErrCodePinnedDashboardLimitHit when the user is at MaxPinnedDashboardsPerUser.
+	PinForUser(ctx context.Context, preference *UserDashboardPreference) error
+
+	UnpinForUser(ctx context.Context, userID valuer.UUID, dashboardID valuer.UUID) error
+
+	DeletePreferencesForDashboard(ctx context.Context, dashboardID valuer.UUID) error
+
+	DeletePreferencesForUser(ctx context.Context, userID valuer.UUID) error
 }

pkg/types/dashboardtypes/user_dashboard_preference.go

@@ -0,0 +1,28 @@
+package dashboardtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+const MaxPinnedDashboardsPerUser = 10
+
+var ErrCodePinnedDashboardLimitHit = errors.MustNewCode("pinned_dashboard_limit_hit")
+
+// Only the pin is tracked for now; more preferences can be added later.
+type UserDashboardPreference struct {
+	bun.BaseModel `bun:"table:user_dashboard_preference,alias:user_dashboard_preference"`
+
+	UserID      valuer.UUID `bun:"user_id,pk,type:text"`
+	DashboardID valuer.UUID `bun:"dashboard_id,pk,type:text"`
+	IsPinned    bool        `bun:"is_pinned,notnull,default:false"`
+}
+
+func NewUserDashboardPreference(userID, dashboardID valuer.UUID) *UserDashboardPreference {
+	return &UserDashboardPreference{
+		UserID:      userID,
+		DashboardID: dashboardID,
+		IsPinned:    true,
+	}
+}

pkg/types/metrictypes/metrictypes.go

@@ -137,7 +137,7 @@ func (t *Type) Scan(src interface{}) error {
 }
 
 func (t Type) IsPercentileSpaceAggregationAllowed() bool {
-	return t == HistogramType || t == ExpHistogramType || t == SummaryType
+	return t == HistogramType || t == ExpHistogramType
 }
 
 var (

pkg/types/querybuildertypes/querybuildertypesv5/builder_query.go

@@ -2,9 +2,11 @@ package querybuildertypesv5
 
 import (
 	"fmt"
+	"slices"
 
 	"github.com/SigNoz/signoz/pkg/types/metrictypes"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
+	"github.com/swaggest/jsonschema-go"
 )
 
 type QueryBuilderQuery[T any] struct {
@@ -69,6 +71,32 @@ type QueryBuilderQuery[T any] struct {
 	ShiftBy int64 `json:"-"`
 }
 
+// PrepareJSONSchema pins `signal` to the single value implied by the aggregation
+// type T, as an inline single-value enum, and marks it required. This lets a
+// oneOf over the QueryBuilderQuery[T] instantiations be discriminated by signal.
+func (QueryBuilderQuery[T]) PrepareJSONSchema(s *jsonschema.Schema) error {
+	var signal telemetrytypes.Signal
+	switch any(*new(T)).(type) {
+	case LogAggregation:
+		signal = telemetrytypes.SignalLogs
+	case MetricAggregation:
+		signal = telemetrytypes.SignalMetrics
+	case TraceAggregation:
+		signal = telemetrytypes.SignalTraces
+	default:
+		return nil
+	}
+	if _, ok := s.Properties["signal"]; !ok {
+		return nil
+	}
+	prop := (&jsonschema.Schema{}).WithType(jsonschema.String.Type()).WithEnum(signal.StringValue())
+	s.Properties["signal"] = prop.ToSchemaOrBool()
+	if !slices.Contains(s.Required, "signal") {
+		s.Required = append(s.Required, "signal")
+	}
+	return nil
+}
+
 // Copy creates a deep copy of the QueryBuilderQuery.
 func (q QueryBuilderQuery[T]) Copy() QueryBuilderQuery[T] {
 	// start with a shallow copy

pkg/types/querybuildertypes/querybuildertypesv5/validation.go

@@ -317,6 +317,19 @@ func (q *QueryBuilderQuery[T]) validateAggregations(cfg validationConfig) error
 	return nil
 }
 
+func (m MetricAggregation) ValidateForType() error {
+	if m.SpaceAggregation.IsPercentile() && !m.Type.IsPercentileSpaceAggregationAllowed() {
+		return errors.Newf(
+			errors.TypeInvalidInput,
+			errors.CodeInvalidInput,
+			"invalid space aggregation `%s` for metric type `%s`, percentile space aggregations are only supported for `histogram`, `exponentialhistogram` metric types",
+			m.SpaceAggregation.StringValue(),
+			m.Type.StringValue(),
+		)
+	}
+	return nil
+}
+
 func (q *QueryBuilderQuery[T]) validateLimitAndPagination(cfg validationConfig) error {
 	if cfg.skipLimitOffsetValidation {
 		return nil

pkg/types/querybuildertypes/querybuildertypesv5/validation_test.go

@@ -1421,3 +1421,62 @@ func TestNonAggregationFieldsSkipped(t *testing.T) {
 		}
 	})
 }
+
+func TestMetricAggregationValidateForType(t *testing.T) {
+	cases := []struct {
+		name             string
+		metricType       metrictypes.Type
+		spaceAggregation metrictypes.SpaceAggregation
+		comparisonParam  *metrictypes.ComparisonSpaceAggregationParam
+		wantErr          bool
+	}{
+		{
+			name:             "percentile on histogram is allowed",
+			metricType:       metrictypes.HistogramType,
+			spaceAggregation: metrictypes.SpaceAggregationPercentile95,
+			wantErr:          false,
+		},
+		{
+			name:             "percentile on exponential histogram is allowed",
+			metricType:       metrictypes.ExpHistogramType,
+			spaceAggregation: metrictypes.SpaceAggregationPercentile99,
+			wantErr:          false,
+		},
+		{
+			name:             "percentile on summary is not allowed",
+			metricType:       metrictypes.SummaryType,
+			spaceAggregation: metrictypes.SpaceAggregationPercentile95,
+			wantErr:          true,
+		},
+		{
+			name:             "percentile on sum is not allowed",
+			metricType:       metrictypes.SumType,
+			spaceAggregation: metrictypes.SpaceAggregationPercentile95,
+			wantErr:          true,
+		},
+		{
+			name:             "non-percentile space aggregation on sum is allowed",
+			metricType:       metrictypes.SumType,
+			spaceAggregation: metrictypes.SpaceAggregationSum,
+			wantErr:          false,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			agg := MetricAggregation{
+				MetricName:                      "test_metric",
+				Type:                            tc.metricType,
+				SpaceAggregation:                tc.spaceAggregation,
+				ComparisonSpaceAggregationParam: tc.comparisonParam,
+			}
+			err := agg.ValidateForType()
+			if tc.wantErr && err == nil {
+				t.Errorf("expected error, got nil")
+			}
+			if !tc.wantErr && err != nil {
+				t.Errorf("expected no error, got: %v", err)
+			}
+		})
+	}
+}

pkg/types/tagtypes/tag.go

@@ -43,7 +43,7 @@ type PostableTag struct {
 	Value string `json:"value" required:"true"`
 }
 
-type GettableTag = PostableTag
+type GettableTag PostableTag
 
 func NewGettableTagFromTag(tag *Tag) *GettableTag {
 	return &GettableTag{Key: tag.Key, Value: tag.Value}

tests/fixtures/idp.py

@@ -371,11 +371,10 @@ def idp_login(driver: webdriver.Chrome) -> Callable[[str, str], None]:
 
         # Click the login button
         login_button = wait.until(EC.element_to_be_clickable((By.ID, "kc-login")))
-        current_url = driver.current_url
         login_button.click()
 
-        # Wait till the page redirects away from the login form. We poll the URL.
-        wait.until(EC.url_changes(current_url))
+        # Wait till kc-login element has vanished from the page, which means that a redirection is taking place.
+        wait.until(EC.invisibility_of_element((By.ID, "kc-login")))
 
     return _idp_login
 

tests/integration/tests/basepath/01_oidc.py

@@ -53,10 +53,10 @@ def test_create_auth_domain(
         signoz.self.host_configs["8080"].get("/signoz/api/v1/domains"),
         json={
             "name": "oidc.basepath.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "oidc",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "oidc",
+                "oidcConfig": {
                     "clientId": settings["client_id"],
                     "clientSecret": settings["client_secret"],
                     # Change the hostname of the issuer to the internal resolvable hostname of the idp

tests/integration/tests/basepath/02_saml.py

@@ -51,10 +51,10 @@ def test_create_auth_domain(
         signoz.self.host_configs["8080"].get("/signoz/api/v1/domains"),
         json={
             "name": "saml.basepath.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": settings["entityID"],
                     "samlIdp": settings["singleSignOnServiceLocation"],
                     "samlCert": settings["certificate"],

tests/integration/tests/callbackauthn/01_domain.py

@@ -31,10 +31,10 @@ def test_create_and_get_domain(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "domain-google.integration.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "google_auth",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "google_auth",
+                "googleAuthConfig": {
                     "clientId": "client-id",
                     "clientSecret": "client-secret",
                     "redirectURI": "redirect-uri",
@@ -52,10 +52,10 @@ def test_create_and_get_domain(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "domain-saml.integration.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
@@ -86,7 +86,7 @@ def test_create_and_get_domain(
             "domain-google.integration.test",
             "domain-saml.integration.test",
         ]
-        assert domain["provider"]["type"] in ["google_auth", "saml"]
+        assert domain["config"]["ssoType"] in ["google_auth", "saml"]
 
 
 def test_create_invalid(
@@ -96,16 +96,15 @@ def test_create_invalid(
 ):
     admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
 
-    # Create a domain with type saml but an oidc-shaped config; this should fail
-    # because the config is decoded as SAML and fails SAML validation.
+    # Create a domain with type saml and body for oidc, this should fail because oidcConfig is not allowed for saml
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "domain.integration.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "oidcConfig": {
                     "clientId": "client-id",
                     "clientSecret": "client-secret",
                     "issuer": "issuer",
@@ -123,10 +122,10 @@ def test_create_invalid(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "$%^invalid",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
@@ -143,15 +142,15 @@ def test_create_invalid(
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
                 },
-            },
+            }
         },
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=2,
@@ -159,7 +158,7 @@ def test_create_invalid(
 
     assert response.status_code == HTTPStatus.BAD_REQUEST
 
-    # Create a domain with no provider
+    # Create a domain with no config
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
@@ -185,17 +184,17 @@ def test_create_invalid_role_mapping(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "invalid-role-test.integration.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
                 },
-            },
-            "roleMapping": {
-                "defaultRole": "SUPERADMIN",  # Invalid role
+                "roleMapping": {
+                    "defaultRole": "SUPERADMIN",  # Invalid role
+                },
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},
@@ -209,19 +208,19 @@ def test_create_invalid_role_mapping(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "invalid-group-role.integration.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
                 },
-            },
-            "roleMapping": {
-                "defaultRole": "VIEWER",
-                "groupMappings": {
-                    "admins": "SUPERUSER",  # Invalid role
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "admins": "SUPERUSER",  # Invalid role
+                    },
                 },
             },
         },
@@ -236,20 +235,20 @@ def test_create_invalid_role_mapping(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "valid-role-mapping.integration.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
                 },
-            },
-            "roleMapping": {
-                "defaultRole": "VIEWER",
-                "groupMappings": {
-                    "signoz-admins": "ADMIN",
-                    "signoz-editors": "EDITOR",
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                    },
                 },
             },
         },

tests/integration/tests/callbackauthn/02_saml.py

@@ -53,10 +53,10 @@ def test_create_auth_domain(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "saml.integration.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": settings["entityID"],
                     "samlIdp": settings["singleSignOnServiceLocation"],
                     "samlCert": settings["certificate"],
@@ -176,10 +176,10 @@ def test_saml_update_domain_with_group_mappings(
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
         json={
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": settings["entityID"],
                     "samlIdp": settings["singleSignOnServiceLocation"],
                     "samlCert": settings["certificate"],
@@ -189,15 +189,15 @@ def test_saml_update_domain_with_group_mappings(
                         "role": "signoz_role",
                     },
                 },
-            },
-            "roleMapping": {
-                "defaultRole": "VIEWER",
-                "groupMappings": {
-                    "signoz-admins": "ADMIN",
-                    "signoz-editors": "EDITOR",
-                    "signoz-viewers": "VIEWER",
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                        "signoz-viewers": "VIEWER",
+                    },
+                    "useRoleAttribute": False,
                 },
-                "useRoleAttribute": False,
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},
@@ -340,10 +340,10 @@ def test_saml_update_domain_with_use_role_claim(
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
         json={
-            "ssoEnabled": True,
-            "provider": {
-                "type": "saml",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
                     "samlEntity": settings["entityID"],
                     "samlIdp": settings["singleSignOnServiceLocation"],
                     "samlCert": settings["certificate"],
@@ -353,14 +353,14 @@ def test_saml_update_domain_with_use_role_claim(
                         "role": "signoz_role",
                     },
                 },
-            },
-            "roleMapping": {
-                "defaultRole": "VIEWER",
-                "groupMappings": {
-                    "signoz-admins": "ADMIN",
-                    "signoz-editors": "EDITOR",
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                    },
+                    "useRoleAttribute": True,
                 },
-                "useRoleAttribute": True,
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},

tests/integration/tests/callbackauthn/03_oidc.py

@@ -57,10 +57,10 @@ def test_create_auth_domain(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "oidc.integration.test",
-            "ssoEnabled": True,
-            "provider": {
-                "type": "oidc",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "oidc",
+                "oidcConfig": {
                     "clientId": settings["client_id"],
                     "clientSecret": settings["client_secret"],
                     # Change the hostname of the issuer to the internal resolvable hostname of the idp
@@ -132,10 +132,10 @@ def test_oidc_update_domain_with_group_mappings(
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
         json={
-            "ssoEnabled": True,
-            "provider": {
-                "type": "oidc",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "oidc",
+                "oidcConfig": {
                     "clientId": settings["client_id"],
                     "clientSecret": settings["client_secret"],
                     "issuer": f"{idp.container.container_configs['6060'].get(urlparse(settings['issuer']).path)}",
@@ -148,15 +148,15 @@ def test_oidc_update_domain_with_group_mappings(
                         "role": "signoz_role",
                     },
                 },
-            },
-            "roleMapping": {
-                "defaultRole": "VIEWER",
-                "groupMappings": {
-                    "signoz-admins": "ADMIN",
-                    "signoz-editors": "EDITOR",
-                    "signoz-viewers": "VIEWER",
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                        "signoz-viewers": "VIEWER",
+                    },
+                    "useRoleAttribute": False,
                 },
-                "useRoleAttribute": False,
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},
@@ -301,10 +301,10 @@ def test_oidc_update_domain_with_use_role_claim(
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
         json={
-            "ssoEnabled": True,
-            "provider": {
-                "type": "oidc",
-                "config": {
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "oidc",
+                "oidcConfig": {
                     "clientId": settings["client_id"],
                     "clientSecret": settings["client_secret"],
                     "issuer": f"{idp.container.container_configs['6060'].get(urlparse(settings['issuer']).path)}",
@@ -317,14 +317,14 @@ def test_oidc_update_domain_with_use_role_claim(
                         "role": "signoz_role",
                     },
                 },
-            },
-            "roleMapping": {
-                "defaultRole": "VIEWER",
-                "groupMappings": {
-                    "signoz-admins": "ADMIN",
-                    "signoz-editors": "EDITOR",
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                    },
+                    "useRoleAttribute": True,
                 },
-                "useRoleAttribute": True,
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},

tests/integration/tests/dashboard/03_v2_dashboard.py

@@ -0,0 +1,695 @@
+import uuid
+from collections.abc import Callable, Iterator
+from http import HTTPStatus
+
+import pytest
+import requests
+
+from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD
+from fixtures.types import Operation, SigNoz
+
+# The v2 dashboard API. Request shape (current):
+#   {"schemaVersion": "v6", "name": "<dns-1123-label>",
+#    "spec": {"display": {"name": "<human name>"}},
+#    "tags": [{"key": "...", "value": "..."}]}
+# `name` is a DNS-1123 label identifier and is immutable after create;
+# `spec.display.name` is the human-facing title used for name-sort/name-filter.
+
+_BASE = "/api/v2/dashboards"
+_TIMEOUT = 5
+
+# This file's tests tag their dashboards with a `suite` marker so list queries
+# can be scoped server-side. Each test gets its own unique marker (the
+# suite_marker fixture) so tests stay isolated from each other and from leftovers
+# in the reused session DB.
+_SUITE_PREFIX = "dashboardv2"
+
+
+def _headers(token: str) -> dict:
+    return {"Authorization": f"Bearer {token}"}
+
+
+def _url(signoz: SigNoz, path: str = "") -> str:
+    return signoz.self.host_configs["8080"].get(f"{_BASE}{path}")
+
+
+def _create(signoz: SigNoz, token: str, body: dict) -> requests.Response:
+    return requests.post(_url(signoz), json=body, headers=_headers(token), timeout=_TIMEOUT)
+
+
+def _get(signoz: SigNoz, token: str, dashboard_id: str) -> requests.Response:
+    return requests.get(_url(signoz, f"/{dashboard_id}"), headers=_headers(token), timeout=_TIMEOUT)
+
+
+# The tests exercise the per-user list (carries pin state); the pure list lives
+# at GET /api/v2/dashboards.
+def _list(signoz: SigNoz, token: str, **params: object) -> requests.Response:
+    url = signoz.self.host_configs["8080"].get("/api/v2/users/me/dashboards")
+    return requests.get(
+        url,
+        params={k: v for k, v in params.items() if v is not None},
+        headers=_headers(token),
+        timeout=_TIMEOUT,
+    )
+
+
+# The pure, user-independent list — no pin join, no pinned field.
+def _list_pure(signoz: SigNoz, token: str, **params: object) -> requests.Response:
+    return requests.get(
+        _url(signoz),
+        params={k: v for k, v in params.items() if v is not None},
+        headers=_headers(token),
+        timeout=_TIMEOUT,
+    )
+
+
+def _update(signoz: SigNoz, token: str, dashboard_id: str, body: dict) -> requests.Response:
+    return requests.put(
+        _url(signoz, f"/{dashboard_id}"),
+        json=body,
+        headers=_headers(token),
+        timeout=_TIMEOUT,
+    )
+
+
+def _delete(signoz: SigNoz, token: str, dashboard_id: str) -> requests.Response:
+    return requests.delete(_url(signoz, f"/{dashboard_id}"), headers=_headers(token), timeout=_TIMEOUT)
+
+
+def _lock(signoz: SigNoz, token: str, dashboard_id: str, lock: bool) -> requests.Response:
+    method = requests.put if lock else requests.delete
+    return method(
+        _url(signoz, f"/{dashboard_id}/lock"),
+        headers=_headers(token),
+        timeout=_TIMEOUT,
+    )
+
+
+def _pin(signoz: SigNoz, token: str, dashboard_id: str, pin: bool) -> requests.Response:
+    method = requests.put if pin else requests.delete
+    url = signoz.self.host_configs["8080"].get(f"/api/v2/users/me/dashboards/{dashboard_id}/pins")
+    return method(url, headers=_headers(token), timeout=_TIMEOUT)
+
+
+def _minimal_body(name: str, display: str, tags: list[dict] | None = None) -> dict:
+    return {
+        "schemaVersion": "v6",
+        "name": name,
+        "spec": {"display": {"name": display}},
+        "tags": tags or [],
+    }
+
+
+# ─── failure cases (create no dashboards) ────────────────────────────────────
+
+
+def test_create_rejects_wrong_schema_version(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = _create(signoz, token, {})
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    body = response.json()
+    assert body["status"] == "error"
+    assert body["error"]["code"] == "dashboard_invalid_input"
+    assert body["error"]["message"] == 'schemaVersion must be "v6", got ""'
+
+
+def test_create_rejects_missing_name(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = _create(signoz, token, {"schemaVersion": "v6"})
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    body = response.json()
+    assert body["error"]["code"] == "dashboard_invalid_input"
+    assert body["error"]["message"] == "name is required"
+
+
+def test_create_rejects_non_dns_name(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = _create(signoz, token, _minimal_body(name="Not A Label", display="Not A Label"))
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    assert response.json()["error"]["code"] == "dashboard_invalid_input"
+
+
+def test_create_rejects_unknown_field(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    body = _minimal_body("rejects-unknown", "Rejects Unknown")
+    body["unknownfield"] = "boom"
+    response = _create(signoz, token, body)
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    assert response.json()["error"]["code"] == "dashboard_invalid_input"
+    assert "unknown field" in response.json()["error"]["message"]
+
+
+def test_create_rejects_reserved_tag_key(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    body = _minimal_body("rejects-reserved", "Rejects Reserved", [{"key": "source", "value": "x"}])
+    response = _create(signoz, token, body)
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    assert response.json()["error"]["code"] == "dashboard_invalid_input"
+
+
+def test_create_rejects_too_many_tags(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    tags = [{"key": f"k{i}", "value": "v"} for i in range(11)]
+    response = _create(signoz, token, _minimal_body("too-many-tags", "Too Many", tags))
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    assert response.json()["error"]["code"] == "dashboard_invalid_input"
+
+
+@pytest.mark.parametrize(
+    "params",
+    [
+        {"sort": "bogus"},
+        {"order": "bogus"},
+        {"limit": -1},
+        {"offset": -1},
+    ],
+)
+def test_list_rejects_invalid_params(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+    params: dict,
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = _list(signoz, token, **params)
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    assert response.json()["error"]["code"] == "dashboard_list_invalid"
+
+
+def test_get_rejects_malformed_id(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = _get(signoz, token, "not-a-uuid")
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+
+
+def test_get_missing_dashboard_returns_not_found(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = _get(signoz, token, str(uuid.uuid4()))
+
+    assert response.status_code == HTTPStatus.NOT_FOUND
+
+
+def test_delete_missing_dashboard_returns_not_found(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = _delete(signoz, token, str(uuid.uuid4()))
+
+    assert response.status_code == HTTPStatus.NOT_FOUND
+
+
+def test_pin_missing_dashboard_returns_not_found(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    response = _pin(signoz, token, str(uuid.uuid4()), pin=True)
+
+    assert response.status_code == HTTPStatus.NOT_FOUND
+
+
+# ─── lifecycle ───────────────────────────────────────────────────────────────
+# A single end-to-end flow through create → get → list/filter/sort → pin →
+# update → lock → delete. Every fixture dashboard carries the shared suite marker
+# tag so list queries can be scoped server-side, isolating this test from any
+# other dashboards sharing the session DB.
+
+
+def _display_names(body: dict) -> list[str]:
+    return [d["spec"]["display"]["name"] for d in body["data"]["dashboards"]]
+
+
+def _delete_suite(signoz: SigNoz, token: str, suite_filter: str) -> None:
+    response = _list(signoz, token, query=suite_filter, limit=200)
+    if response.status_code != HTTPStatus.OK:
+        return
+    for dashboard in response.json()["data"]["dashboards"]:
+        _delete(signoz, token, dashboard["id"])
+
+
+@pytest.fixture(name="suite_marker")
+def _suite_marker(
+    signoz: SigNoz,
+    get_token: Callable[[str, str], str],
+) -> Iterator[tuple[dict, str]]:
+    """Yields a per-test unique suite (tag, filter) and deletes its dashboards on teardown.
+    Unique per test so the tests stay isolated from each other and from reused-DB leftovers."""
+    value = f"{_SUITE_PREFIX}-{uuid.uuid4().hex[:8]}"
+    suite_tag = {"key": "suite", "value": value}
+    suite_filter = f"suite = '{value}'"
+    yield suite_tag, suite_filter
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    _delete_suite(signoz, token, suite_filter)
+
+
+def test_dashboard_v2_lifecycle(  # pylint: disable=too-many-locals,too-many-statements
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+    suite_marker: tuple[dict, str],
+):
+    suite_tag, suite_filter = suite_marker
+
+    def _scoped(query: str) -> str:
+        return f"({query}) AND {suite_filter}"
+
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    dashboard_requests = [
+        (
+            "lc-alpha",
+            "Alpha Overview",
+            [{"key": "team", "value": "pulse"}, {"key": "env", "value": "prod"}],
+        ),
+        (
+            "lc-beta",
+            "Beta Overview",
+            [{"key": "team", "value": "pulse"}, {"key": "env", "value": "dev"}],
+        ),
+        (
+            "lc-gamma",
+            "Gamma Storage",
+            [{"key": "team", "value": "storage"}, {"key": "env", "value": "prod"}],
+        ),
+        (
+            "lc-delta",
+            "Delta Storage",
+            [
+                {"key": "team", "value": "storage"},
+                {"key": "env", "value": "dev"},
+                {"key": "tier", "value": "critical"},
+            ],
+        ),
+        (
+            "lc-epsilon",
+            "Epsilon Metrics",
+            [
+                {"key": "team", "value": "metrics"},
+                {"key": "env", "value": "staging"},
+                {"key": "tier", "value": "critical"},
+            ],
+        ),
+        (
+            "lc-zeta",
+            "Zeta Overview",
+            [{"key": "team", "value": "pulse"}, {"key": "env", "value": "staging"}],
+        ),
+    ]
+
+    # ── stage 1: create ──────────────────────────────────────────────────────
+    ids: dict[str, str] = {}
+    for name, display, tags in dashboard_requests:
+        response = _create(signoz, token, _minimal_body(name, display, [suite_tag, *tags]))
+        assert response.status_code == HTTPStatus.CREATED, response.text
+        ids[name] = response.json()["data"]["id"]
+
+    # TODO: re-enable once the dashboard name unique index lands — creating a
+    # second dashboard with an existing name should conflict (409). Until the
+    # index exists, duplicate names are silently allowed.
+    # response = _create(signoz, token, _minimal_body("lc-alpha", "Alpha Dupe"))
+    # assert response.status_code == HTTPStatus.CONFLICT, response.text
+
+    # ── stage 2: get one and verify the round-tripped shape ──────────────────
+    response = _get(signoz, token, ids["lc-alpha"])
+    assert response.status_code == HTTPStatus.OK, response.text
+    alpha = response.json()["data"]
+    assert alpha["id"] == ids["lc-alpha"]
+    assert alpha["name"] == "lc-alpha"
+    assert alpha["spec"]["display"]["name"] == "Alpha Overview"
+    assert alpha["schemaVersion"] == "v6"
+    assert alpha["source"] == "user"
+    assert alpha["locked"] is False
+    assert {"key": "team", "value": "pulse"} in alpha["tags"]
+
+    # ── stage 3: list everything in the suite ────────────────────────────────
+    response = _list(signoz, token, query=suite_filter, limit=200)
+    assert response.status_code == HTTPStatus.OK, response.text
+    body = response.json()
+    assert body["data"]["total"] == 6
+    assert set(_display_names(body)) == {
+        "Alpha Overview",
+        "Beta Overview",
+        "Gamma Storage",
+        "Delta Storage",
+        "Epsilon Metrics",
+        "Zeta Overview",
+    }
+
+    # ── stage 4: filter DSL ──────────────────────────────────────────────────
+    cases = [
+        (
+            "team = 'pulse'",
+            {"Alpha Overview", "Beta Overview", "Zeta Overview"},
+        ),
+        (
+            "env = 'prod'",
+            {"Alpha Overview", "Gamma Storage"},
+        ),
+        (
+            "name CONTAINS 'Overview'",
+            {"Alpha Overview", "Beta Overview", "Zeta Overview"},
+        ),
+        (
+            "env IN ['dev', 'test']",
+            {"Beta Overview", "Delta Storage"},
+        ),
+        (
+            "name LIKE 'Delta%'",
+            {"Delta Storage"},
+        ),
+        (
+            "team LIKE 'stor%'",
+            {"Gamma Storage", "Delta Storage"},
+        ),
+        (
+            "name ILIKE '%storage'",
+            {"Gamma Storage", "Delta Storage"},
+        ),
+        (
+            "name NOT CONTAINS 'Overview'",
+            {"Gamma Storage", "Delta Storage", "Epsilon Metrics"},
+        ),
+        (
+            "name NOT LIKE '%Storage'",
+            {
+                "Alpha Overview",
+                "Beta Overview",
+                "Epsilon Metrics",
+                "Zeta Overview",
+            },
+        ),
+        (
+            "name NOT ILIKE 'alpha%'",
+            {
+                "Beta Overview",
+                "Gamma Storage",
+                "Delta Storage",
+                "Epsilon Metrics",
+                "Zeta Overview",
+            },
+        ),
+        (
+            "team = 'pulse' AND env = 'prod'",
+            {"Alpha Overview"},
+        ),
+        (
+            "team = 'storage' OR env = 'staging'",
+            {
+                "Gamma Storage",
+                "Delta Storage",
+                "Epsilon Metrics",
+                "Zeta Overview",
+            },
+        ),
+        (
+            "tier EXISTS",
+            {"Delta Storage", "Epsilon Metrics"},
+        ),
+        (
+            "tier NOT EXISTS",
+            {
+                "Alpha Overview",
+                "Beta Overview",
+                "Gamma Storage",
+                "Zeta Overview",
+            },
+        ),
+        (
+            "NOT team = 'pulse'",
+            {"Gamma Storage", "Delta Storage", "Epsilon Metrics"},
+        ),
+        (
+            "(team = 'pulse' OR team = 'storage') AND env = 'prod'",
+            {"Alpha Overview", "Gamma Storage"},
+        ),
+        (
+            "NOT (team = 'storage' OR env = 'staging')",
+            {"Alpha Overview", "Beta Overview"},
+        ),
+        (
+            "team IN ['pulse', 'metrics'] AND tier EXISTS",
+            {"Epsilon Metrics"},
+        ),
+        (
+            "name CONTAINS 'Storage' AND env = 'dev'",
+            {"Delta Storage"},
+        ),
+    ]
+    for query, expected in cases:
+        response = _list(signoz, token, query=_scoped(query), limit=200)
+        assert response.status_code == HTTPStatus.OK, response.text
+        assert set(_display_names(response.json())) == expected, query
+
+    # ── stage 5: name sort honours order ─────────────────────────────────────
+    response = _list(signoz, token, query=suite_filter, sort="name", order="asc", limit=200)
+    assert _display_names(response.json()) == [
+        "Alpha Overview",
+        "Beta Overview",
+        "Delta Storage",
+        "Epsilon Metrics",
+        "Gamma Storage",
+        "Zeta Overview",
+    ]
+    response = _list(signoz, token, query=suite_filter, sort="name", order="desc", limit=200)
+    assert _display_names(response.json()) == [
+        "Zeta Overview",
+        "Gamma Storage",
+        "Epsilon Metrics",
+        "Delta Storage",
+        "Beta Overview",
+        "Alpha Overview",
+    ]
+
+    # ── stage 6: pinning floats a dashboard to the top of any ordering ───────
+    assert _pin(signoz, token, ids["lc-gamma"], pin=True).status_code == HTTPStatus.NO_CONTENT
+    response = _list(signoz, token, query=suite_filter, sort="name", order="asc", limit=200)
+    dashboards = response.json()["data"]["dashboards"]
+    assert dashboards[0]["name"] == "lc-gamma"
+    assert dashboards[0]["pinned"] is True
+    assert all(d["pinned"] is False for d in dashboards[1:])
+
+    # the pure list is user-independent: the same pin neither reorders it (gamma
+    # stays in natural name order, not floated to the top) nor adds a pinned field.
+    response = _list_pure(signoz, token, query=suite_filter, sort="name", order="asc", limit=200)
+    assert _display_names(response.json()) == [
+        "Alpha Overview",
+        "Beta Overview",
+        "Delta Storage",
+        "Epsilon Metrics",
+        "Gamma Storage",
+        "Zeta Overview",
+    ]
+    assert all("pinned" not in d for d in response.json()["data"]["dashboards"])
+
+    # ── stage 7: unpinning restores the natural ordering ─────────────────────
+    assert _pin(signoz, token, ids["lc-gamma"], pin=False).status_code == HTTPStatus.NO_CONTENT
+    response = _list(signoz, token, query=suite_filter, sort="name", order="asc", limit=200)
+    assert _display_names(response.json()) == [
+        "Alpha Overview",
+        "Beta Overview",
+        "Delta Storage",
+        "Epsilon Metrics",
+        "Gamma Storage",
+        "Zeta Overview",
+    ]
+
+    # ── stage 8: update mutates the spec but keeps the immutable name ────────
+    update_body = _minimal_body(
+        "lc-alpha",
+        "Alpha Overview",
+        [
+            suite_tag,
+            {"key": "team", "value": "pulse"},
+            {"key": "env", "value": "prod"},
+        ],
+    )
+    update_body["spec"]["display"]["description"] = "now with a description"
+    response = _update(signoz, token, ids["lc-alpha"], update_body)
+    assert response.status_code == HTTPStatus.OK, response.text
+    response = _get(signoz, token, ids["lc-alpha"])
+    assert response.json()["data"]["spec"]["display"]["description"] == "now with a description"
+
+    # ── stage 9: a locked dashboard rejects updates until unlocked ───────────
+    assert _lock(signoz, token, ids["lc-beta"], lock=True).status_code == HTTPStatus.NO_CONTENT
+    beta_body = _minimal_body(
+        "lc-beta",
+        "Beta Overview",
+        [suite_tag, {"key": "team", "value": "pulse"}, {"key": "env", "value": "dev"}],
+    )
+    response = _update(signoz, token, ids["lc-beta"], beta_body)
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    assert _lock(signoz, token, ids["lc-beta"], lock=False).status_code == HTTPStatus.NO_CONTENT
+    assert _update(signoz, token, ids["lc-beta"], beta_body).status_code == HTTPStatus.OK
+
+    # ── stage 10: delete removes the dashboard from get and list ─────────────
+    assert _delete(signoz, token, ids["lc-gamma"]).status_code == HTTPStatus.NO_CONTENT
+    assert _get(signoz, token, ids["lc-gamma"]).status_code == HTTPStatus.NOT_FOUND
+    response = _list(signoz, token, query=suite_filter, limit=200)
+    assert response.json()["data"]["total"] == 5
+    assert set(_display_names(response.json())) == {
+        "Alpha Overview",
+        "Beta Overview",
+        "Delta Storage",
+        "Epsilon Metrics",
+        "Zeta Overview",
+    }
+
+
+def test_dashboard_v2_pin_limit(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+    suite_marker: tuple[dict, str],
+):
+    suite_tag, _ = suite_marker
+    max_pinned = 10
+
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    ids: list[str] = []
+    for i in range(max_pinned + 1):
+        response = _create(signoz, token, _minimal_body(f"pl-{i}", f"Pin Limit {i}", [suite_tag]))
+        assert response.status_code == HTTPStatus.CREATED, response.text
+        ids.append(response.json()["data"]["id"])
+
+    # pinning up to the limit succeeds
+    for dashboard_id in ids[:max_pinned]:
+        assert _pin(signoz, token, dashboard_id, pin=True).status_code == HTTPStatus.NO_CONTENT
+
+    # re-pinning an already-pinned dashboard is an idempotent no-op, even at the limit
+    assert _pin(signoz, token, ids[0], pin=True).status_code == HTTPStatus.NO_CONTENT
+
+    # the 11th distinct pin is rejected with the typed limit error
+    response = _pin(signoz, token, ids[max_pinned], pin=True)
+    assert response.status_code == HTTPStatus.CONFLICT, response.text
+    assert response.json()["error"]["code"] == "pinned_dashboard_limit_hit"
+
+    # unpinning frees a slot, so the previously-rejected dashboard can now be pinned
+    assert _pin(signoz, token, ids[0], pin=False).status_code == HTTPStatus.NO_CONTENT
+    assert _pin(signoz, token, ids[max_pinned], pin=True).status_code == HTTPStatus.NO_CONTENT
+
+
+# ─── LIKE escaping ───────────────────────────────────────────────────────────
+# Backslash is the LIKE escape character, declared explicitly via ESCAPE '\' on
+# every emitted LIKE/ILIKE. Postgres defaults to backslash; sqlite has no default
+# escape, so without the clause the two dialects disagree on any pattern carrying
+# a backslash. Two ways a backslash shows up: CONTAINS injects its own to escape
+# the user's % and _ (so `50%` matches literally), and LIKE/ILIKE pass through a
+# user-supplied `\%` / `\_`. These cases assert literal-match semantics so a
+# dialect that drops the escape fails here. Backslash-bearing queries use raw
+# python strings so the backslash reaches the DSL verbatim.
+
+
+def test_dashboard_v2_like_escaping(
+    signoz: SigNoz,
+    create_user_admin: Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+    suite_marker: tuple[dict, str],
+):
+    suite_tag, suite_filter = suite_marker
+
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    dashboard_requests = [
+        ("esc-pct", "Cost 50% Report"),
+        ("esc-pct-plain", "Cost 5000 Report"),
+        ("esc-underscore", "user_id panel"),
+        ("esc-underscore-wild", "userXid panel"),
+    ]
+    for name, display in dashboard_requests:
+        response = _create(signoz, token, _minimal_body(name, display, [suite_tag]))
+        assert response.status_code == HTTPStatus.CREATED, response.text
+
+    cases = [
+        (
+            "name CONTAINS '50%'",
+            {"Cost 50% Report"},
+        ),
+        (
+            "name CONTAINS 'user_id'",
+            {"user_id panel"},
+        ),
+        (
+            "name NOT CONTAINS '50%'",
+            {"Cost 5000 Report", "user_id panel", "userXid panel"},
+        ),
+        (
+            r"name LIKE 'Cost 50\% Report'",
+            {"Cost 50% Report"},
+        ),
+        (
+            r"name ILIKE 'cost 50\% report'",
+            {"Cost 50% Report"},
+        ),
+        (
+            r"name LIKE 'user\_id panel'",
+            {"user_id panel"},
+        ),
+        (
+            r"name NOT LIKE 'user\_id panel'",
+            {"Cost 50% Report", "Cost 5000 Report", "userXid panel"},
+        ),
+    ]
+    for query, expected in cases:
+        response = _list(
+            signoz,
+            token,
+            query=f"({query}) AND {suite_filter}",
+            limit=200,
+        )
+        assert response.status_code == HTTPStatus.OK, response.text
+        assert set(_display_names(response.json())) == expected, query