Merge branch 'feat/flamegraph-v3' of github.com:SigNoz/signoz into feat/flamegraph-v3

Since it's changed in api response

ee/query-service/app/server.go

@@ -185,6 +185,7 @@ func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*h
 		s.config.APIServer.Timeout.Default,
 		s.config.APIServer.Timeout.Max,
 	).Wrap)
+	r.Use(middleware.NewResource(s.signoz.Instrumentation.Logger()).Wrap)
 	r.Use(middleware.NewAudit(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes, s.signoz.Auditor).Wrap)
 	r.Use(middleware.NewComment().Wrap)
 

frontend/src/AppRoutes/pageComponents.ts

@@ -323,10 +323,3 @@ export const AIAssistantPage = Loadable(
 			/* webpackChunkName: "AI Assistant Page" */ 'pages/AIAssistantPage/AIAssistantPage'
 		),
 );
-
-export const LLMObservabilityModelPricingPage = Loadable(
-	() =>
-		import(
-			/* webpackChunkName: "LLM Observability Model Pricing Page" */ 'pages/LLMObservabilityModelPricing'
-		),
-);

frontend/src/AppRoutes/routes.ts

@@ -22,7 +22,6 @@ import {
 	IntegrationsDetailsPage,
 	LicensePage,
 	ListAllALertsPage,
-	LLMObservabilityModelPricingPage,
 	LiveLogs,
 	Login,
 	Logs,
@@ -508,13 +507,6 @@ const routes: AppRoutes[] = [
 		key: 'AI_ASSISTANT',
 		isPrivate: true,
 	},
-	{
-		path: ROUTES.LLM_OBSERVABILITY_MODEL_PRICING,
-		exact: true,
-		component: LLMObservabilityModelPricingPage,
-		key: 'LLM_OBSERVABILITY_MODEL_PRICING',
-		isPrivate: true,
-	},
 ];
 
 export const SUPPORT_ROUTE: AppRoutes = {

frontend/src/constants/reactQueryKeys.ts

@@ -36,6 +36,7 @@ export const REACT_QUERY_KEY = {
 	GET_TRACE_V4_WATERFALL: 'GET_TRACE_V4_WATERFALL',
 	GET_TRACE_AGGREGATIONS: 'GET_TRACE_AGGREGATIONS',
 	GET_TRACE_V2_FLAMEGRAPH: 'GET_TRACE_V2_FLAMEGRAPH',
+	GET_TRACE_V3_FLAMEGRAPH: 'GET_TRACE_V3_FLAMEGRAPH',
 	GET_POD_LIST: 'GET_POD_LIST',
 	GET_NODE_LIST: 'GET_NODE_LIST',
 	GET_DEPLOYMENT_LIST: 'GET_DEPLOYMENT_LIST',

frontend/src/constants/routes.ts

@@ -91,7 +91,6 @@ const ROUTES = {
 	AI_ASSISTANT_BASE: '/ai-assistant',
 	AI_ASSISTANT_ICON_PREVIEW: '/ai-assistant-icon-preview',
 	MCP_SERVER: '/settings/mcp-server',
-	LLM_OBSERVABILITY_MODEL_PRICING: '/llm-observability/model-pricing',
 } as const;
 
 export default ROUTES;

frontend/src/container/AIAssistant/hooks/useSpeechRecognition.ts

@@ -40,13 +40,31 @@ type SpeechRecognitionConstructor = new () => ISpeechRecognition;
 
 // ── Vendor-prefix shim for Safari / older browsers ────────────────────────────
 
-const SpeechRecognitionAPI: SpeechRecognitionConstructor | null =
-	typeof window !== 'undefined'
-		? // eslint-disable-next-line @typescript-eslint/no-explicit-any
-			((window as any).SpeechRecognition ??
+// Some hardened/enterprise browsers install a getter
+// on window.SpeechRecognition that THROWS on access ("Web Speech API is disabled
+// due to your security policy") instead of leaving the property undefined.
+// Because this resolves at module-evaluation time, an uncaught throw here aborts
+// the entire bundle and the app renders a blank page. Read defensively so a
+// throwing getter degrades to "unsupported" rather than crashing the app.
+function resolveSpeechRecognitionAPI(): SpeechRecognitionConstructor | null {
+	if (typeof window === 'undefined') {
+		return null;
+	}
+	try {
+		return (
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+			(window as any).SpeechRecognition ??
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
 			(window as any).webkitSpeechRecognition ??
-			null)
-		: null;
+			null
+		);
+	} catch {
+		return null;
+	}
+}
+
+const SpeechRecognitionAPI: SpeechRecognitionConstructor | null =
+	resolveSpeechRecognitionAPI();
 
 export type SpeechRecognitionError =
 	| 'not-supported'

frontend/src/container/LLMObservabilityModelPricing/LLMObservabilityModelPricing.styles.scss

@@ -1,140 +0,0 @@
-.llm-observability-model-pricing {
-	display: flex;
-	flex-direction: column;
-	gap: 16px;
-	padding: 24px 32px;
-
-	.page-header {
-		display: flex;
-		align-items: flex-start;
-		justify-content: space-between;
-		gap: 16px;
-
-		&__title {
-			h1 {
-				margin: 0;
-				font-size: 22px;
-				font-weight: 600;
-			}
-
-			p {
-				margin: 4px 0 0;
-				color: var(--bg-vanilla-400);
-				font-size: 13px;
-			}
-		}
-
-		&__actions {
-			display: flex;
-			gap: 8px;
-		}
-	}
-
-	.page-tabs {
-		.ant-tabs-nav {
-			margin-bottom: 0;
-		}
-	}
-
-	.filters-bar {
-		display: flex;
-		gap: 12px;
-		align-items: center;
-
-		&__search {
-			flex: 1;
-			max-width: 360px;
-		}
-
-		&__source,
-		&__currency {
-			min-width: 160px;
-		}
-
-		&__add {
-			margin-left: auto;
-		}
-	}
-
-	.page-error {
-		padding: 12px 16px;
-		border-radius: 4px;
-		background: rgba(255, 90, 90, 0.08);
-		color: var(--bg-cherry-400);
-		font-size: 13px;
-	}
-
-	.page-footer {
-		color: var(--bg-vanilla-400);
-		font-size: 12px;
-	}
-}
-
-.model-costs-table {
-	.model-cell {
-		display: flex;
-		flex-direction: column;
-		gap: 2px;
-
-		&__name {
-			font-weight: 600;
-		}
-
-		&__canonical-id {
-			color: var(--bg-vanilla-400);
-			font-family: var(--code-font-family, monospace);
-			font-size: 12px;
-		}
-	}
-
-	.price-cell {
-		font-family: var(--code-font-family, monospace);
-	}
-
-	.extra-buckets {
-		display: flex;
-		flex-wrap: wrap;
-		gap: 6px;
-
-		&__chip {
-			display: inline-flex;
-			align-items: center;
-			gap: 6px;
-			margin: 0;
-		}
-
-		&__key {
-			font-family: var(--code-font-family, monospace);
-			font-size: 12px;
-		}
-
-		&__price {
-			font-family: var(--code-font-family, monospace);
-			font-weight: 600;
-		}
-	}
-
-	.muted {
-		color: var(--bg-vanilla-400);
-	}
-
-	.source-badge {
-		margin: 0;
-
-		&--auto {
-			background: rgba(78, 116, 248, 0.12);
-			color: var(--bg-robin-400);
-			border-color: rgba(78, 116, 248, 0.24);
-		}
-
-		&--override {
-			background: rgba(245, 175, 25, 0.12);
-			color: var(--bg-amber-400);
-			border-color: rgba(245, 175, 25, 0.24);
-		}
-	}
-
-	&__row--selected {
-		background: rgba(78, 116, 248, 0.06);
-	}
-}

frontend/src/container/LLMObservabilityModelPricing/LLMObservabilityModelPricing.tsx

@@ -1,140 +0,0 @@
-import { useMemo, useState } from 'react';
-import { Button, Input, Select, Tabs } from 'antd';
-import { Plus, Search } from '@signozhq/icons';
-import { useListLLMPricingRules } from 'api/generated/services/llmpricingrules';
-
-import ModelCostDrawer from './ModelCostDrawer';
-import ModelCostsTable from './ModelCostsTable';
-import { useModelCostDrawer } from './useModelCostDrawer';
-import { filterRules, type PricingRule, type SourceFilter } from './utils';
-
-import './LLMObservabilityModelPricing.styles.scss';
-
-const SOURCE_OPTIONS: { value: SourceFilter; label: string }[] = [
-	{ value: 'all', label: 'Source: All' },
-	{ value: 'auto', label: 'Auto-populated' },
-	{ value: 'override', label: 'User override' },
-];
-
-const CURRENCY_OPTIONS = [
-	{ value: 'USD', label: 'USD' },
-	{ value: 'EUR', label: 'EUR', disabled: true },
-	{ value: 'INR', label: 'INR', disabled: true },
-];
-
-const PAGE_SIZE = 100;
-
-function LLMObservabilityModelPricing(): JSX.Element {
-	const [search, setSearch] = useState<string>('');
-	const [source, setSource] = useState<SourceFilter>('all');
-	const [currency, setCurrency] = useState<string>('USD');
-
-	const { data, isLoading, isError } = useListLLMPricingRules({
-		offset: 0,
-		limit: PAGE_SIZE,
-	});
-
-	const rules: PricingRule[] = useMemo(() => data?.data?.items || [], [data]);
-
-	const filteredRules = useMemo(
-		() => filterRules(rules, search, source),
-		[rules, search, source],
-	);
-
-	const drawer = useModelCostDrawer();
-
-	return (
-		<div
-			className="llm-observability-model-pricing"
-			data-testid="llm-observability-model-pricing-page"
-		>
-			<header className="page-header">
-				<div className="page-header__title">
-					<h1>Configuration</h1>
-					<p>Model pricing and cost estimation settings</p>
-				</div>
-			</header>
-
-			<Tabs
-				className="page-tabs"
-				defaultActiveKey="model-costs"
-				items={[
-					{ key: 'model-costs', label: 'Model costs' },
-					{
-						key: 'unpriced-models',
-						label: 'Unpriced models',
-						disabled: true,
-					},
-				]}
-			/>
-
-			<div className="filters-bar">
-				<Input
-					className="filters-bar__search"
-					placeholder="Search by model or provider…"
-					prefix={<Search size={14} />}
-					value={search}
-					onChange={(event): void => setSearch(event.target.value)}
-					data-testid="search-input"
-					allowClear
-				/>
-				<Select<SourceFilter>
-					className="filters-bar__source"
-					value={source}
-					onChange={(value): void => setSource(value)}
-					options={SOURCE_OPTIONS}
-					data-testid="source-select"
-				/>
-				<Select<string>
-					className="filters-bar__currency"
-					value={currency}
-					onChange={(value): void => setCurrency(value)}
-					options={CURRENCY_OPTIONS}
-					data-testid="currency-select"
-				/>
-				<Button
-					type="primary"
-					className="filters-bar__add"
-					icon={<Plus size={14} />}
-					onClick={(): void => drawer.openForAdd()}
-					data-testid="add-model-cost-btn"
-				>
-					Add model cost
-				</Button>
-			</div>
-
-			{isError && (
-				<div className="page-error" role="alert">
-					Failed to load pricing rules. Please try again.
-				</div>
-			)}
-
-			<ModelCostsTable
-				rules={filteredRules}
-				isLoading={isLoading}
-				selectedRuleId={drawer.selectedRuleId}
-				onEdit={drawer.openForEdit}
-			/>
-
-			<footer className="page-footer">
-				Showing {filteredRules.length} model{filteredRules.length === 1 ? '' : 's'}
-				{' · '}All prices per 1M tokens (USD)
-			</footer>
-
-			<ModelCostDrawer
-				isOpen={drawer.isOpen}
-				mode={drawer.mode}
-				draft={drawer.draft}
-				setDraft={drawer.setDraft}
-				onClose={drawer.close}
-				onSave={drawer.save}
-				onDelete={drawer.deleteRule}
-				isSaving={drawer.isSaving}
-				isDeleting={drawer.isDeleting}
-				saveError={drawer.saveError}
-			/>
-		</div>
-	);
-}
-
-export default LLMObservabilityModelPricing;

frontend/src/container/LLMObservabilityModelPricing/ModelCostDrawer.styles.scss

@@ -1,256 +0,0 @@
-.model-cost-drawer {
-	.ant-drawer-body {
-		padding: 20px 24px;
-		display: flex;
-		flex-direction: column;
-		gap: 18px;
-	}
-
-	&__title {
-		h3 {
-			margin: 0;
-			font-size: 16px;
-			font-weight: 600;
-		}
-
-		p {
-			margin: 4px 0 0;
-			color: var(--bg-vanilla-400);
-			font-size: 12px;
-		}
-	}
-
-	&__footer {
-		display: flex;
-		align-items: center;
-		justify-content: space-between;
-		padding: 12px 16px;
-		border-top: 1px solid var(--bg-slate-300);
-
-		&-right {
-			display: flex;
-			gap: 8px;
-			margin-left: auto;
-		}
-	}
-
-	.drawer-section {
-		display: flex;
-		flex-direction: column;
-		gap: 6px;
-
-		label,
-		.field-label {
-			font-size: 12px;
-			font-weight: 600;
-			color: var(--bg-vanilla-200);
-		}
-
-		.help {
-			margin: 0;
-			font-size: 11px;
-		}
-	}
-
-	.muted {
-		color: var(--bg-vanilla-400);
-	}
-
-	.required {
-		color: var(--bg-cherry-400);
-	}
-
-	.full-width {
-		width: 100%;
-	}
-
-	.drawer-surface {
-		padding: 14px;
-		border-radius: 6px;
-		background: rgba(255, 255, 255, 0.02);
-		border: 1px solid var(--bg-slate-300);
-
-		&__head {
-			display: flex;
-			align-items: center;
-			justify-content: space-between;
-			margin-bottom: 10px;
-
-			h4 {
-				margin: 0;
-				font-size: 13px;
-				font-weight: 600;
-				text-transform: uppercase;
-				letter-spacing: 0.04em;
-				color: var(--bg-vanilla-300);
-			}
-		}
-	}
-
-	.managed-label {
-		display: inline-flex;
-		align-items: center;
-		gap: 4px;
-		font-size: 11px;
-		color: var(--bg-vanilla-400);
-	}
-
-	.pattern-chips {
-		display: flex;
-		flex-wrap: wrap;
-		gap: 6px;
-		min-height: 28px;
-	}
-
-	.pattern-chip {
-		display: inline-flex;
-		align-items: center;
-		gap: 4px;
-
-		&__remove {
-			background: transparent;
-			border: none;
-			padding: 0;
-			margin-left: 2px;
-			cursor: pointer;
-			color: inherit;
-			display: inline-flex;
-			align-items: center;
-
-			&:hover {
-				color: var(--bg-cherry-400);
-			}
-		}
-	}
-
-	.pattern-add {
-		display: flex;
-		gap: 6px;
-	}
-
-	.pattern-test {
-		display: flex;
-		gap: 10px;
-		align-items: center;
-		flex-wrap: wrap;
-		margin-top: 6px;
-
-		&__result {
-			font-size: 12px;
-
-			&--match {
-				color: var(--bg-forest-400);
-			}
-
-			&--no-match {
-				color: var(--bg-cherry-400);
-			}
-		}
-	}
-
-	.source-radio-group {
-		display: flex;
-		flex-direction: column;
-		gap: 8px;
-		width: 100%;
-	}
-
-	.source-radio {
-		display: flex;
-		align-items: flex-start;
-		gap: 8px;
-		padding: 10px 12px;
-		border-radius: 4px;
-		border: 1px solid transparent;
-		background: rgba(255, 255, 255, 0.02);
-		margin: 0;
-		width: 100%;
-
-		&__title {
-			font-weight: 600;
-			font-size: 13px;
-		}
-
-		&__desc {
-			font-size: 12px;
-			color: var(--bg-vanilla-400);
-		}
-
-		&.ant-radio-wrapper-checked.source-radio--auto {
-			background: rgba(78, 116, 248, 0.1);
-			border-color: rgba(78, 116, 248, 0.3);
-		}
-
-		&.ant-radio-wrapper-checked.source-radio--override {
-			background: rgba(245, 175, 25, 0.1);
-			border-color: rgba(245, 175, 25, 0.3);
-		}
-	}
-
-	.reset-confirm {
-		margin-top: 12px;
-		padding: 12px;
-		border-radius: 4px;
-		background: rgba(78, 116, 248, 0.06);
-		border: 1px solid rgba(78, 116, 248, 0.2);
-
-		p {
-			margin: 0 0 10px;
-			font-size: 12px;
-		}
-
-		&__actions {
-			display: flex;
-			gap: 8px;
-			justify-content: flex-end;
-		}
-	}
-
-	.pricing-grid {
-		display: grid;
-		grid-template-columns: 1fr 1fr;
-		gap: 12px;
-	}
-
-	.pricing-field {
-		display: flex;
-		flex-direction: column;
-		gap: 4px;
-
-		.ant-input-number {
-			width: 100%;
-		}
-	}
-
-	.cache-mode-field {
-		margin-top: 10px;
-	}
-
-	.extras-divider {
-		margin-top: 14px;
-		margin-bottom: 6px;
-		font-size: 11px;
-		text-transform: uppercase;
-		letter-spacing: 0.04em;
-		color: var(--bg-vanilla-400);
-	}
-
-	.cost-preview {
-		&__line {
-			font-family: var(--code-font-family, monospace);
-			font-size: 12px;
-
-			strong {
-				margin-left: 4px;
-			}
-		}
-	}
-
-	.drawer-error {
-		padding: 10px 12px;
-		border-radius: 4px;
-		background: rgba(255, 90, 90, 0.08);
-		color: var(--bg-cherry-400);
-		font-size: 12px;
-	}
-}

frontend/src/container/LLMObservabilityModelPricing/ModelCostDrawer.tsx

@@ -1,413 +0,0 @@
-import { useMemo, useState } from 'react';
-import { Button, Drawer, Input, InputNumber, Select, Tooltip } from 'antd';
-import { Badge } from '@signozhq/ui/badge';
-import { RadioGroup, RadioGroupItem } from '@signozhq/ui/radio-group';
-import { Lock, Trash2, X } from '@signozhq/icons';
-import { LlmpricingruletypesLLMPricingRuleCacheModeDTO as CacheModeDTO } from 'api/generated/services/sigNoz.schemas';
-
-import {
-	CACHE_MODE_OPTIONS,
-	computeCostPreview,
-	matchesAnyPattern,
-	PROVIDER_OPTIONS,
-	validateDraft,
-	type DrawerDraft,
-	type DrawerMode,
-} from './drawerUtils';
-import './ModelCostDrawer.styles.scss';
-
-interface ModelCostDrawerProps {
-	isOpen: boolean;
-	mode: DrawerMode;
-	draft: DrawerDraft;
-	setDraft: (next: DrawerDraft) => void;
-	onClose: () => void;
-	onSave: () => void;
-	onDelete: () => void;
-	isSaving: boolean;
-	isDeleting: boolean;
-	saveError: string | null;
-}
-
-function ModelCostDrawer({
-	isOpen,
-	mode,
-	draft,
-	setDraft,
-	onClose,
-	onSave,
-	onDelete,
-	isSaving,
-	isDeleting,
-	saveError,
-}: ModelCostDrawerProps): JSX.Element {
-	const [patternInput, setPatternInput] = useState<string>('');
-	const [testInput, setTestInput] = useState<string>('');
-	const [showResetConfirm, setShowResetConfirm] = useState<boolean>(false);
-	const isReadOnly = !draft.isOverride;
-
-	const validation = validateDraft(draft, mode);
-	const preview = useMemo(() => computeCostPreview(draft), [draft]);
-	const testMatch = useMemo(
-		() => (testInput ? matchesAnyPattern(testInput, draft.patterns) : null),
-		[testInput, draft.patterns],
-	);
-
-	const update = (patch: Partial<DrawerDraft>): void => {
-		setDraft({ ...draft, ...patch });
-	};
-
-	const updatePricing = (patch: Partial<DrawerDraft['pricing']>): void => {
-		setDraft({ ...draft, pricing: { ...draft.pricing, ...patch } });
-	};
-
-	const addPattern = (): void => {
-		const next = patternInput.trim();
-		if (!next || draft.patterns.includes(next)) {
-			setPatternInput('');
-			return;
-		}
-		update({ patterns: [...draft.patterns, next] });
-		setPatternInput('');
-	};
-
-	const removePattern = (pattern: string): void => {
-		update({ patterns: draft.patterns.filter((p) => p !== pattern) });
-	};
-
-	const handleSourceChange = (value: 'auto' | 'override'): void => {
-		if (value === 'auto' && draft.isOverride) {
-			setShowResetConfirm(true);
-			return;
-		}
-		if (value === 'override' && !draft.isOverride) {
-			update({ isOverride: true });
-		}
-	};
-
-	const confirmReset = (): void => {
-		update({ isOverride: false });
-		setShowResetConfirm(false);
-	};
-
-	const hasCacheBucket =
-		draft.pricing.cacheRead !== null || draft.pricing.cacheWrite !== null;
-
-	return (
-		<Drawer
-			width={520}
-			open={isOpen}
-			onClose={onClose}
-			placement="right"
-			className="model-cost-drawer"
-			destroyOnClose
-			closeIcon={<X size={16} />}
-			title={
-				<div className="model-cost-drawer__title">
-					<h3>{mode === 'edit' ? 'Edit model cost' : 'Add model cost'}</h3>
-					<p>Pricing computes gen_ai.estimated_total_cost at ingest.</p>
-				</div>
-			}
-			footer={
-				<div className="model-cost-drawer__footer">
-					{mode === 'edit' && (
-						<Button
-							danger
-							type="text"
-							icon={<Trash2 size={14} />}
-							onClick={onDelete}
-							loading={isDeleting}
-							data-testid="drawer-delete-btn"
-						>
-							Delete
-						</Button>
-					)}
-					<div className="model-cost-drawer__footer-right">
-						<Button onClick={onClose} data-testid="drawer-cancel-btn">
-							Cancel
-						</Button>
-						<Tooltip title={validation.ok ? '' : validation.message}>
-							<Button
-								type="primary"
-								onClick={onSave}
-								loading={isSaving}
-								disabled={!validation.ok}
-								data-testid="drawer-save-btn"
-							>
-								Save
-							</Button>
-						</Tooltip>
-					</div>
-				</div>
-			}
-		>
-			<div className="drawer-section">
-				<label htmlFor="billing-model-id">Billing model ID</label>
-				<Input
-					id="billing-model-id"
-					placeholder="e.g. openai:gpt-4o"
-					value={draft.modelName}
-					disabled={mode === 'edit'}
-					onChange={(e): void => update({ modelName: e.target.value })}
-					data-testid="drawer-model-id-input"
-				/>
-			</div>
-
-			<div className="drawer-section">
-				<label htmlFor="provider-select">Provider</label>
-				<Select
-					id="provider-select"
-					value={draft.provider}
-					onChange={(value): void => update({ provider: value })}
-					options={PROVIDER_OPTIONS}
-					disabled={isReadOnly}
-					className="full-width"
-					data-testid="drawer-provider-select"
-				/>
-			</div>
-
-			<div className="drawer-section">
-				<span className="field-label">
-					Model name patterns <span className="muted">(prefix match)</span>
-				</span>
-				<div className="pattern-chips">
-					{draft.patterns.map((pattern) => (
-						<Badge
-							key={pattern}
-							color="forest"
-							variant="outline"
-							className="pattern-chip"
-						>
-							{pattern}*
-							{!isReadOnly && (
-								<button
-									type="button"
-									aria-label={`Remove pattern ${pattern}`}
-									className="pattern-chip__remove"
-									onClick={(): void => removePattern(pattern)}
-								>
-									<X size={10} />
-								</button>
-							)}
-						</Badge>
-					))}
-				</div>
-				{!isReadOnly && (
-					<div className="pattern-add">
-						<Input
-							placeholder="Add pattern…"
-							value={patternInput}
-							onChange={(e): void => setPatternInput(e.target.value)}
-							onPressEnter={addPattern}
-							data-testid="drawer-pattern-input"
-						/>
-						<Button onClick={addPattern} data-testid="drawer-pattern-add-btn">
-							+ Add
-						</Button>
-					</div>
-				)}
-				<p className="muted help">
-					Each pattern uses prefix matching against gen_ai.request.model.
-				</p>
-				{!isReadOnly && (
-					<div className="pattern-test">
-						<Input
-							placeholder="Test: type a model name…"
-							value={testInput}
-							onChange={(e): void => setTestInput(e.target.value)}
-							data-testid="drawer-pattern-test-input"
-						/>
-						{testInput && (
-							<span
-								className={`pattern-test__result ${
-									testMatch
-										? 'pattern-test__result--match'
-										: 'pattern-test__result--no-match'
-								}`}
-								data-testid="drawer-pattern-test-result"
-							>
-								{testMatch ? `Matched: ${testMatch}*` : 'No matching pattern'}
-							</span>
-						)}
-					</div>
-				)}
-			</div>
-
-			<div className="drawer-section drawer-surface">
-				<div className="drawer-surface__head">
-					<h4>Source</h4>
-					{isReadOnly && (
-						<span className="managed-label">
-							<Lock size={12} />
-							Managed by SigNoz
-						</span>
-					)}
-				</div>
-				<RadioGroup
-					value={draft.isOverride ? 'override' : 'auto'}
-					onChange={(value): void =>
-						handleSourceChange(value as 'auto' | 'override')
-					}
-					className="source-radio-group"
-				>
-					<RadioGroupItem
-						value="auto"
-						className="source-radio source-radio--auto"
-						testId="drawer-source-auto"
-					>
-						<div className="source-radio__title">Auto-populated</div>
-						<div className="source-radio__desc">
-							Default pricing from SigNoz. Updated automatically.
-						</div>
-					</RadioGroupItem>
-					<RadioGroupItem
-						value="override"
-						className="source-radio source-radio--override"
-						testId="drawer-source-override"
-					>
-						<div className="source-radio__title">User override</div>
-						<div className="source-radio__desc">
-							Custom pricing. Takes precedence.
-						</div>
-					</RadioGroupItem>
-				</RadioGroup>
-				{showResetConfirm && (
-					<div
-						className="reset-confirm"
-						role="dialog"
-						aria-label="Reset to default pricing"
-					>
-						<p>Reset to default pricing? Custom values will be discarded.</p>
-						<div className="reset-confirm__actions">
-							<Button
-								onClick={(): void => setShowResetConfirm(false)}
-								data-testid="drawer-reset-keep-btn"
-							>
-								Keep
-							</Button>
-							<Button
-								type="primary"
-								onClick={confirmReset}
-								data-testid="drawer-reset-confirm-btn"
-							>
-								Reset
-							</Button>
-						</div>
-					</div>
-				)}
-			</div>
-
-			<div className="drawer-section drawer-surface">
-				<div className="drawer-surface__head">
-					<h4>Pricing (per 1M tokens, USD)</h4>
-					{isReadOnly && (
-						<span className="managed-label">
-							<Lock size={12} />
-							Read-only
-						</span>
-					)}
-				</div>
-				<div className="pricing-grid">
-					<div className="pricing-field">
-						<label htmlFor="input-cost">
-							Input cost <span className="required">*</span>
-						</label>
-						<InputNumber
-							id="input-cost"
-							min={0}
-							step={0.01}
-							value={draft.pricing.input}
-							onChange={(v): void => updatePricing({ input: Number(v) || 0 })}
-							disabled={isReadOnly}
-							data-testid="drawer-input-cost"
-						/>
-					</div>
-					<div className="pricing-field">
-						<label htmlFor="output-cost">
-							Output cost <span className="required">*</span>
-						</label>
-						<InputNumber
-							id="output-cost"
-							min={0}
-							step={0.01}
-							value={draft.pricing.output}
-							onChange={(v): void => updatePricing({ output: Number(v) || 0 })}
-							disabled={isReadOnly}
-							data-testid="drawer-output-cost"
-						/>
-					</div>
-				</div>
-
-				<div className="extras-divider">Extra pricing buckets</div>
-				<div className="pricing-grid">
-					<div className="pricing-field">
-						<label htmlFor="cache-read">cache_read</label>
-						<InputNumber
-							id="cache-read"
-							min={0}
-							step={0.01}
-							value={draft.pricing.cacheRead ?? undefined}
-							placeholder="—"
-							onChange={(v): void =>
-								updatePricing({ cacheRead: v === null ? null : Number(v) })
-							}
-							disabled={isReadOnly}
-							data-testid="drawer-cache-read-cost"
-						/>
-					</div>
-					<div className="pricing-field">
-						<label htmlFor="cache-write">cache_write</label>
-						<InputNumber
-							id="cache-write"
-							min={0}
-							step={0.01}
-							value={draft.pricing.cacheWrite ?? undefined}
-							placeholder="—"
-							onChange={(v): void =>
-								updatePricing({ cacheWrite: v === null ? null : Number(v) })
-							}
-							disabled={isReadOnly}
-							data-testid="drawer-cache-write-cost"
-						/>
-					</div>
-				</div>
-				{hasCacheBucket && (
-					<div className="pricing-field cache-mode-field">
-						<label htmlFor="cache-mode">Cache mode</label>
-						<Select
-							id="cache-mode"
-							value={draft.pricing.cacheMode}
-							options={CACHE_MODE_OPTIONS}
-							onChange={(v): void => updatePricing({ cacheMode: v as CacheModeDTO })}
-							disabled={isReadOnly}
-							className="full-width"
-							data-testid="drawer-cache-mode"
-						/>
-					</div>
-				)}
-				<p className="muted help">Image tokens may be priced differently (v2).</p>
-			</div>
-
-			<div className="drawer-section drawer-surface cost-preview">
-				<div className="drawer-surface__head">
-					<h4>Cost preview</h4>
-				</div>
-				<div className="cost-preview__line">
-					{preview.breakdown.map((part) => part.label).join(' + ')} ={' '}
-					<strong>≈ ${preview.total.toFixed(4)}</strong>
-				</div>
-				<p className="muted help">
-					Write-time attribution. Changes only affect new spans.
-				</p>
-			</div>
-
-			{saveError && (
-				<div className="drawer-error" role="alert">
-					{saveError}
-				</div>
-			)}
-		</Drawer>
-	);
-}
-
-export default ModelCostDrawer;

frontend/src/container/LLMObservabilityModelPricing/ModelCostsTable.tsx

@@ -1,146 +0,0 @@
-import { Button, Table, type TableColumnsType } from 'antd';
-import { Badge } from '@signozhq/ui/badge';
-import { ChevronDown } from '@signozhq/icons';
-
-import {
-	formatPricePerMillion,
-	getCanonicalId,
-	getExtraBuckets,
-	getRelativeLastSeen,
-	getSourceLabel,
-	type PricingRule,
-} from './utils';
-
-interface ModelCostsTableProps {
-	rules: PricingRule[];
-	isLoading: boolean;
-	selectedRuleId: string | null;
-	onEdit: (rule: PricingRule) => void;
-}
-
-function ModelCostsTable({
-	rules,
-	isLoading,
-	selectedRuleId,
-	onEdit,
-}: ModelCostsTableProps): JSX.Element {
-	const columns: TableColumnsType<PricingRule> = [
-		{
-			title: 'Model',
-			dataIndex: 'modelName',
-			key: 'model',
-			render: (_value, rule): JSX.Element => (
-				<div className="model-cell">
-					<div className="model-cell__name">{rule.modelName}</div>
-					<div className="model-cell__canonical-id">{getCanonicalId(rule)}</div>
-				</div>
-			),
-		},
-		{
-			title: 'Provider',
-			dataIndex: 'provider',
-			key: 'provider',
-		},
-		{
-			title: 'Input / 1M',
-			key: 'input',
-			render: (_value, rule): JSX.Element => (
-				<span className="price-cell">
-					{formatPricePerMillion(rule.pricing?.input)}
-				</span>
-			),
-		},
-		{
-			title: 'Output / 1M',
-			key: 'output',
-			render: (_value, rule): JSX.Element => (
-				<span className="price-cell">
-					{formatPricePerMillion(rule.pricing?.output)}
-				</span>
-			),
-		},
-		{
-			title: 'Extra buckets',
-			key: 'extra-buckets',
-			render: (_value, rule): JSX.Element => {
-				const buckets = getExtraBuckets(rule);
-				if (buckets.length === 0) {
-					return <span className="muted">—</span>;
-				}
-				return (
-					<div className="extra-buckets">
-						{buckets.map((bucket) => (
-							<Badge
-								key={bucket.key}
-								color="vanilla"
-								variant="outline"
-								className="extra-buckets__chip"
-							>
-								<span className="extra-buckets__key">{bucket.key}</span>
-								<span className="extra-buckets__price">
-									{formatPricePerMillion(bucket.pricePerMillion)}
-								</span>
-							</Badge>
-						))}
-					</div>
-				);
-			},
-		},
-		{
-			title: 'Source',
-			dataIndex: 'isOverride',
-			key: 'source',
-			render: (_value, rule): JSX.Element => {
-				const label = getSourceLabel(rule);
-				return (
-					<Badge
-						color={rule.isOverride ? 'amber' : 'robin'}
-						variant="outline"
-						className="source-badge"
-						data-testid={`source-badge-${rule.id}`}
-					>
-						{label}
-					</Badge>
-				);
-			},
-		},
-		{
-			title: 'Last seen',
-			key: 'last-seen',
-			render: (_value, rule): string => getRelativeLastSeen(rule),
-		},
-		{
-			title: '',
-			key: 'actions',
-			width: 80,
-			render: (_value, rule): JSX.Element => (
-				<Button
-					type="text"
-					size="small"
-					data-testid={`edit-rule-${rule.id}`}
-					onClick={(): void => onEdit(rule)}
-				>
-					Edit
-					<ChevronDown size={14} />
-				</Button>
-			),
-		},
-	];
-
-	return (
-		<Table<PricingRule>
-			className="model-costs-table"
-			rowKey="id"
-			columns={columns}
-			dataSource={rules}
-			loading={isLoading}
-			pagination={false}
-			rowClassName={(row): string =>
-				row.id === selectedRuleId ? 'model-costs-table__row--selected' : ''
-			}
-			data-testid="model-costs-table"
-		/>
-	);
-}
-
-export default ModelCostsTable;

frontend/src/container/LLMObservabilityModelPricing/__tests__/LLMObservabilityModelPricing.test.tsx

@@ -1,108 +0,0 @@
-import {
-	LlmpricingruletypesLLMPricingRuleUnitDTO as UnitDTO,
-	type LlmpricingruletypesLLMPricingRuleDTO,
-} from 'api/generated/services/sigNoz.schemas';
-import { rest, server } from 'mocks-server/server';
-import { fireEvent, render, screen } from 'tests/test-utils';
-
-import LLMObservabilityModelPricing from '../LLMObservabilityModelPricing';
-
-const ENDPOINT = '*/api/v1/llm_pricing_rules';
-
-const mockRules: LlmpricingruletypesLLMPricingRuleDTO[] = [
-	{
-		id: 'rule-gpt4o',
-		orgId: 'org-1',
-		modelName: 'gpt-4o',
-		provider: 'OpenAI',
-		modelPattern: ['gpt-4o'],
-		isOverride: false,
-		enabled: true,
-		unit: UnitDTO.per_million_tokens,
-		pricing: { input: 15, output: 60 },
-	},
-	{
-		id: 'rule-llama',
-		orgId: 'org-1',
-		modelName: 'llama-3.1-70b',
-		provider: 'Self-hosted',
-		modelPattern: ['llama-3.1'],
-		isOverride: true,
-		enabled: true,
-		unit: UnitDTO.per_million_tokens,
-		pricing: { input: 0, output: 0 },
-	},
-];
-
-describe('LLMObservabilityModelPricing', () => {
-	beforeEach(() => {
-		server.use(
-			rest.get(ENDPOINT, (_, res, ctx) =>
-				res(
-					ctx.status(200),
-					ctx.json({
-						status: 'success',
-						data: {
-							items: mockRules,
-							limit: 100,
-							offset: 0,
-							total: mockRules.length,
-						},
-					}),
-				),
-			),
-		);
-	});
-
-	afterEach(() => {
-		server.resetHandlers();
-	});
-
-	it('renders the page header and both rules', async () => {
-		render(<LLMObservabilityModelPricing />);
-
-		await screen.findByText('gpt-4o');
-		expect(screen.getByText('Configuration')).toBeInTheDocument();
-		expect(screen.getByText('llama-3.1-70b')).toBeInTheDocument();
-		expect(screen.getByText('openai:gpt-4o')).toBeInTheDocument();
-	});
-
-	it('filters rules by the search input', async () => {
-		render(<LLMObservabilityModelPricing />);
-
-		await screen.findByText('gpt-4o');
-
-		fireEvent.change(screen.getByTestId('search-input'), {
-			target: { value: 'llama' },
-		});
-
-		expect(screen.queryByText('gpt-4o')).not.toBeInTheDocument();
-		expect(screen.getByText('llama-3.1-70b')).toBeInTheDocument();
-	});
-
-	it('opens the drawer in Add mode when the Add button is clicked', async () => {
-		render(<LLMObservabilityModelPricing />);
-
-		await screen.findByText('gpt-4o');
-		fireEvent.click(screen.getByTestId('add-model-cost-btn'));
-
-		const input = (await screen.findByTestId(
-			'drawer-model-id-input',
-		)) as HTMLInputElement;
-		expect(input).toBeInTheDocument();
-		expect(input.value).toBe('');
-	});
-
-	it('opens the drawer in Edit mode with prefilled values when a row Edit is clicked', async () => {
-		render(<LLMObservabilityModelPricing />);
-
-		await screen.findByText('gpt-4o');
-		fireEvent.click(screen.getByTestId('edit-rule-rule-gpt4o'));
-
-		const input = (await screen.findByTestId(
-			'drawer-model-id-input',
-		)) as HTMLInputElement;
-		expect(input).toBeInTheDocument();
-		expect(input.value).toBe('gpt-4o');
-	});
-});

frontend/src/container/LLMObservabilityModelPricing/__tests__/ModelCostDrawer.test.tsx

@@ -1,141 +0,0 @@
-import { useState } from 'react';
-import userEvent from '@testing-library/user-event';
-import { fireEvent, render, screen } from 'tests/test-utils';
-
-import { EMPTY_DRAFT, type DrawerDraft } from '../drawerUtils';
-import ModelCostDrawer from '../ModelCostDrawer';
-
-interface HarnessProps {
-	initialDraft?: DrawerDraft;
-	mode?: 'add' | 'edit';
-	onSave?: () => void;
-	onDelete?: () => void;
-}
-
-function Harness({
-	initialDraft = { ...EMPTY_DRAFT, modelName: 'gpt-4o' },
-	mode = 'add',
-	onSave = jest.fn(),
-	onDelete = jest.fn(),
-}: HarnessProps): JSX.Element {
-	const [draft, setDraft] = useState<DrawerDraft>(initialDraft);
-	return (
-		<ModelCostDrawer
-			isOpen
-			mode={mode}
-			draft={draft}
-			setDraft={setDraft}
-			onClose={jest.fn()}
-			onSave={onSave}
-			onDelete={onDelete}
-			isSaving={false}
-			isDeleting={false}
-			saveError={null}
-		/>
-	);
-}
-
-describe('ModelCostDrawer', () => {
-	it('adds a pattern chip when the user types and presses Enter', () => {
-		render(<Harness />);
-
-		fireEvent.change(screen.getByTestId('drawer-pattern-input'), {
-			target: { value: 'gpt-4o-mini' },
-		});
-		fireEvent.keyDown(screen.getByTestId('drawer-pattern-input'), {
-			key: 'Enter',
-			code: 'Enter',
-		});
-
-		expect(screen.getByText('gpt-4o-mini*')).toBeInTheDocument();
-	});
-
-	it('shows a match result when the test input matches an existing pattern', () => {
-		render(
-			<Harness
-				initialDraft={{
-					...EMPTY_DRAFT,
-					modelName: 'gpt-4o',
-					patterns: ['gpt-4o'],
-					isOverride: true,
-				}}
-			/>,
-		);
-
-		fireEvent.change(screen.getByTestId('drawer-pattern-test-input'), {
-			target: { value: 'gpt-4o-2024-08-06' },
-		});
-
-		expect(screen.getByTestId('drawer-pattern-test-result')).toHaveTextContent(
-			/matched: gpt-4o\*/i,
-		);
-	});
-
-	it('shows a no-match result when nothing matches', () => {
-		render(
-			<Harness
-				initialDraft={{
-					...EMPTY_DRAFT,
-					modelName: 'gpt-4o',
-					patterns: ['gpt-4o'],
-					isOverride: true,
-				}}
-			/>,
-		);
-
-		fireEvent.change(screen.getByTestId('drawer-pattern-test-input'), {
-			target: { value: 'claude' },
-		});
-
-		expect(screen.getByTestId('drawer-pattern-test-result')).toHaveTextContent(
-			/no matching pattern/i,
-		);
-	});
-
-	it('shows a reset confirmation when switching from Override to Auto', async () => {
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-		render(
-			<Harness
-				initialDraft={{
-					...EMPTY_DRAFT,
-					modelName: 'gpt-4o',
-					isOverride: true,
-				}}
-			/>,
-		);
-
-		await user.click(screen.getByTestId('drawer-source-auto'));
-
-		expect(screen.getByTestId('drawer-reset-confirm-btn')).toBeInTheDocument();
-		expect(screen.getByTestId('drawer-reset-keep-btn')).toBeInTheDocument();
-	});
-
-	it('hides the Delete action in Add mode', () => {
-		render(<Harness mode="add" />);
-		expect(screen.queryByTestId('drawer-delete-btn')).not.toBeInTheDocument();
-	});
-
-	it('shows the Delete action in Edit mode', () => {
-		render(
-			<Harness
-				mode="edit"
-				initialDraft={{
-					...EMPTY_DRAFT,
-					id: 'rule-1',
-					modelName: 'gpt-4o',
-					isOverride: true,
-				}}
-			/>,
-		);
-		expect(screen.getByTestId('drawer-delete-btn')).toBeInTheDocument();
-	});
-
-	it('calls onSave when the Save button is clicked', async () => {
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-		const onSave = jest.fn();
-		render(<Harness onSave={onSave} />);
-
-		await user.click(screen.getByTestId('drawer-save-btn'));
-		expect(onSave).toHaveBeenCalledTimes(1);
-	});
-});

frontend/src/container/LLMObservabilityModelPricing/__tests__/drawerUtils.test.ts

@@ -1,160 +0,0 @@
-import {
-	LlmpricingruletypesLLMPricingRuleCacheModeDTO as CacheModeDTO,
-	LlmpricingruletypesLLMPricingRuleUnitDTO as UnitDTO,
-} from 'api/generated/services/sigNoz.schemas';
-
-import {
-	buildPricingPayload,
-	buildRulePayload,
-	computeCostPreview,
-	draftFromRule,
-	EMPTY_DRAFT,
-	matchesAnyPattern,
-	validateDraft,
-	type DrawerDraft,
-} from '../drawerUtils';
-import type { PricingRule } from '../utils';
-
-const makeRule = (overrides: Partial<PricingRule> = {}): PricingRule => ({
-	id: 'rule-1',
-	orgId: 'org-1',
-	modelName: 'gpt-4o',
-	provider: 'OpenAI',
-	modelPattern: ['gpt-4o'],
-	isOverride: false,
-	enabled: true,
-	unit: UnitDTO.per_million_tokens,
-	pricing: { input: 15, output: 60 },
-	...overrides,
-});
-
-describe('drawerUtils', () => {
-	describe('draftFromRule', () => {
-		it('maps a rule to a draft with cache values when present', () => {
-			const rule = makeRule({
-				pricing: {
-					input: 3,
-					output: 15,
-					cache: {
-						mode: CacheModeDTO.additive,
-						read: 0.3,
-						write: 3.75,
-					},
-				},
-			});
-			const draft = draftFromRule(rule);
-			expect(draft.modelName).toBe('gpt-4o');
-			expect(draft.pricing.input).toBe(3);
-			expect(draft.pricing.cacheRead).toBe(0.3);
-			expect(draft.pricing.cacheWrite).toBe(3.75);
-			expect(draft.pricing.cacheMode).toBe(CacheModeDTO.additive);
-		});
-
-		it('falls back to defaults when cache is missing', () => {
-			const draft = draftFromRule(makeRule());
-			expect(draft.pricing.cacheRead).toBeNull();
-			expect(draft.pricing.cacheWrite).toBeNull();
-			expect(draft.pricing.cacheMode).toBe(CacheModeDTO.unknown);
-		});
-	});
-
-	describe('buildPricingPayload', () => {
-		it('omits the cache block when no cache values are set', () => {
-			const payload = buildPricingPayload(EMPTY_DRAFT);
-			expect(payload.cache).toBeUndefined();
-		});
-
-		it('includes only the cache values that are > 0', () => {
-			const draft: DrawerDraft = {
-				...EMPTY_DRAFT,
-				pricing: {
-					...EMPTY_DRAFT.pricing,
-					cacheRead: 1.5,
-					cacheWrite: 0,
-					cacheMode: CacheModeDTO.subtract,
-				},
-			};
-			const payload = buildPricingPayload(draft);
-			expect(payload.cache?.read).toBe(1.5);
-			expect(payload.cache?.write).toBeUndefined();
-			expect(payload.cache?.mode).toBe(CacheModeDTO.subtract);
-		});
-	});
-
-	describe('buildRulePayload', () => {
-		it('uses the modelName as a default pattern when no patterns are supplied', () => {
-			const draft: DrawerDraft = {
-				...EMPTY_DRAFT,
-				modelName: 'gpt-4o',
-				patterns: [],
-				provider: 'OpenAI',
-			};
-			const payload = buildRulePayload(draft);
-			expect(payload.modelPattern).toStrictEqual(['gpt-4o']);
-			expect(payload.unit).toBe(UnitDTO.per_million_tokens);
-			expect(payload.enabled).toBe(true);
-		});
-
-		it('omits id and sourceId for an Add draft', () => {
-			const payload = buildRulePayload(EMPTY_DRAFT);
-			expect(payload.id).toBeUndefined();
-			expect(payload.sourceId).toBeUndefined();
-		});
-	});
-
-	describe('validateDraft', () => {
-		it('requires a model name in Add mode', () => {
-			const result = validateDraft(EMPTY_DRAFT, 'add');
-			expect(result.ok).toBe(false);
-			expect(result.message).toMatch(/billing model id/i);
-		});
-
-		it('rejects negative pricing', () => {
-			const draft: DrawerDraft = {
-				...EMPTY_DRAFT,
-				modelName: 'gpt-4o',
-				pricing: { ...EMPTY_DRAFT.pricing, input: -1 },
-			};
-			expect(validateDraft(draft, 'add').ok).toBe(false);
-		});
-
-		it('accepts a valid Add draft', () => {
-			const draft: DrawerDraft = {
-				...EMPTY_DRAFT,
-				modelName: 'gpt-4o',
-				pricing: { ...EMPTY_DRAFT.pricing, input: 1, output: 2 },
-			};
-			expect(validateDraft(draft, 'add').ok).toBe(true);
-		});
-	});
-
-	describe('matchesAnyPattern', () => {
-		it('returns the matching prefix pattern, case-insensitive', () => {
-			expect(matchesAnyPattern('GPT-4o-2024', ['gpt-4o'])).toBe('gpt-4o');
-		});
-
-		it('returns null when nothing matches', () => {
-			expect(matchesAnyPattern('claude', ['gpt-4o'])).toBeNull();
-		});
-	});
-
-	describe('computeCostPreview', () => {
-		it('adds cache buckets when they are set', () => {
-			const draft: DrawerDraft = {
-				...EMPTY_DRAFT,
-				pricing: {
-					...EMPTY_DRAFT.pricing,
-					input: 10,
-					output: 30,
-					cacheRead: 5,
-				},
-			};
-			const preview = computeCostPreview(draft);
-			const labels = preview.breakdown.map((part) => part.label);
-			expect(labels).toContain('2000 input');
-			expect(labels).toContain('500 output');
-			expect(labels).toContain('1000 cache_read');
-			expect(preview.total).toBeGreaterThan(0);
-		});
-	});
-});

frontend/src/container/LLMObservabilityModelPricing/__tests__/utils.test.ts

@@ -1,119 +0,0 @@
-import {
-	LlmpricingruletypesLLMPricingRuleCacheModeDTO as CacheModeDTO,
-	LlmpricingruletypesLLMPricingRuleUnitDTO as UnitDTO,
-} from 'api/generated/services/sigNoz.schemas';
-
-import {
-	filterRules,
-	formatPricePerMillion,
-	getCanonicalId,
-	getExtraBuckets,
-	getRelativeLastSeen,
-	getSourceLabel,
-	type PricingRule,
-} from '../utils';
-
-const makeRule = (overrides: Partial<PricingRule> = {}): PricingRule => ({
-	id: 'rule-1',
-	orgId: 'org-1',
-	modelName: 'gpt-4o',
-	provider: 'OpenAI',
-	modelPattern: ['gpt-4o'],
-	isOverride: false,
-	enabled: true,
-	unit: UnitDTO.per_million_tokens,
-	pricing: { input: 15, output: 60 },
-	...overrides,
-});
-
-describe('utils', () => {
-	describe('formatPricePerMillion', () => {
-		it('formats numbers with 2 decimals and dollar prefix', () => {
-			expect(formatPricePerMillion(15)).toBe('$15.00');
-			expect(formatPricePerMillion(0.15)).toBe('$0.15');
-		});
-
-		it('returns em-dash for nullish or NaN', () => {
-			expect(formatPricePerMillion(undefined)).toBe('—');
-			expect(formatPricePerMillion(Number.NaN)).toBe('—');
-		});
-	});
-
-	describe('getExtraBuckets', () => {
-		it('returns an empty array when there is no cache pricing', () => {
-			expect(getExtraBuckets(makeRule())).toStrictEqual([]);
-		});
-
-		it('returns only buckets with values > 0', () => {
-			const rule = makeRule({
-				pricing: {
-					input: 3,
-					output: 15,
-					cache: {
-						mode: CacheModeDTO.additive,
-						read: 0.3,
-						write: 0,
-					},
-				},
-			});
-			const buckets = getExtraBuckets(rule);
-			expect(buckets).toStrictEqual([{ key: 'cache_read', pricePerMillion: 0.3 }]);
-		});
-	});
-
-	describe('getSourceLabel', () => {
-		it('returns "Auto" for non-override and "User override" otherwise', () => {
-			expect(getSourceLabel(makeRule({ isOverride: false }))).toBe('Auto');
-			expect(getSourceLabel(makeRule({ isOverride: true }))).toBe('User override');
-		});
-	});
-
-	describe('getCanonicalId', () => {
-		it('lowercases the provider and joins with the model name', () => {
-			expect(getCanonicalId(makeRule({ provider: 'OpenAI' }))).toBe(
-				'openai:gpt-4o',
-			);
-		});
-	});
-
-	describe('getRelativeLastSeen', () => {
-		it('returns em-dash when no timestamp is present', () => {
-			expect(getRelativeLastSeen(makeRule())).toBe('—');
-		});
-
-		it('formats minutes-old timestamps', () => {
-			const recent = new Date(Date.now() - 5 * 60 * 1000).toISOString();
-			expect(getRelativeLastSeen(makeRule({ updatedAt: recent }))).toMatch(
-				/min ago/,
-			);
-		});
-	});
-
-	describe('filterRules', () => {
-		const auto = makeRule({ id: 'r1', modelName: 'gpt-4o', isOverride: false });
-		const override = makeRule({
-			id: 'r2',
-			modelName: 'llama-3',
-			provider: 'Self-hosted',
-			modelPattern: ['llama-3'],
-			isOverride: true,
-		});
-
-		it('returns everything when no filters are applied', () => {
-			expect(filterRules([auto, override], '', 'all')).toHaveLength(2);
-		});
-
-		it('narrows by source = override', () => {
-			expect(filterRules([auto, override], '', 'override')).toStrictEqual([
-				override,
-			]);
-		});
-
-		it('narrows by free-text search across model and provider', () => {
-			expect(filterRules([auto, override], 'self', 'all')).toStrictEqual([
-				override,
-			]);
-			expect(filterRules([auto, override], 'gpt-4', 'all')).toStrictEqual([auto]);
-		});
-	});
-});

frontend/src/container/LLMObservabilityModelPricing/drawerUtils.ts

@@ -1,191 +0,0 @@
-import {
-	LlmpricingruletypesLLMPricingRuleCacheModeDTO as CacheModeDTO,
-	LlmpricingruletypesLLMPricingRuleUnitDTO as UnitDTO,
-	type LlmpricingruletypesLLMPricingCacheCostsDTO,
-	type LlmpricingruletypesLLMRulePricingDTO,
-	type LlmpricingruletypesUpdatableLLMPricingRuleDTO,
-} from 'api/generated/services/sigNoz.schemas';
-
-import type { PricingRule } from './utils';
-
-export const PROVIDER_OPTIONS = [
-	{ value: 'OpenAI', label: 'OpenAI' },
-	{ value: 'Anthropic', label: 'Anthropic' },
-	{ value: 'Azure OpenAI', label: 'Azure OpenAI' },
-	{ value: 'Google', label: 'Google' },
-	{ value: 'Self-hosted', label: 'Self-hosted' },
-	{ value: 'Other', label: 'Other' },
-];
-
-export const CACHE_MODE_OPTIONS = [
-	{
-		value: CacheModeDTO.subtract,
-		label: 'Subtract (OpenAI style)',
-	},
-	{
-		value: CacheModeDTO.additive,
-		label: 'Additive (Anthropic style)',
-	},
-	{
-		value: CacheModeDTO.unknown,
-		label: 'Unknown',
-	},
-];
-
-export type DrawerMode = 'add' | 'edit';
-
-export interface DrawerDraft {
-	id: string | null;
-	sourceId: string | null;
-	modelName: string;
-	provider: string;
-	patterns: string[];
-	isOverride: boolean;
-	pricing: {
-		input: number;
-		output: number;
-		cacheMode: CacheModeDTO;
-		cacheRead: number | null;
-		cacheWrite: number | null;
-	};
-}
-
-export const EMPTY_DRAFT: DrawerDraft = {
-	id: null,
-	sourceId: null,
-	modelName: '',
-	provider: 'OpenAI',
-	patterns: [],
-	isOverride: true,
-	pricing: {
-		input: 0,
-		output: 0,
-		cacheMode: CacheModeDTO.unknown,
-		cacheRead: null,
-		cacheWrite: null,
-	},
-};
-
-export const draftFromRule = (rule: PricingRule): DrawerDraft => ({
-	id: rule.id,
-	sourceId: rule.sourceId ?? null,
-	modelName: rule.modelName,
-	provider: rule.provider || 'OpenAI',
-	patterns: rule.modelPattern || [],
-	isOverride: !!rule.isOverride,
-	pricing: {
-		input: rule.pricing?.input ?? 0,
-		output: rule.pricing?.output ?? 0,
-		cacheMode: rule.pricing?.cache?.mode ?? CacheModeDTO.unknown,
-		cacheRead: rule.pricing?.cache?.read ?? null,
-		cacheWrite: rule.pricing?.cache?.write ?? null,
-	},
-});
-
-const hasCacheValue = (value: number | null): boolean =>
-	typeof value === 'number' && value > 0;
-
-export const buildPricingPayload = (
-	draft: DrawerDraft,
-): LlmpricingruletypesLLMRulePricingDTO => {
-	const pricing: LlmpricingruletypesLLMRulePricingDTO = {
-		input: draft.pricing.input,
-		output: draft.pricing.output,
-	};
-	if (
-		hasCacheValue(draft.pricing.cacheRead) ||
-		hasCacheValue(draft.pricing.cacheWrite)
-	) {
-		const cache: LlmpricingruletypesLLMPricingCacheCostsDTO = {
-			mode: draft.pricing.cacheMode,
-		};
-		if (hasCacheValue(draft.pricing.cacheRead)) {
-			cache.read = draft.pricing.cacheRead as number;
-		}
-		if (hasCacheValue(draft.pricing.cacheWrite)) {
-			cache.write = draft.pricing.cacheWrite as number;
-		}
-		pricing.cache = cache;
-	}
-	return pricing;
-};
-
-export const buildRulePayload = (
-	draft: DrawerDraft,
-): LlmpricingruletypesUpdatableLLMPricingRuleDTO => ({
-	id: draft.id || undefined,
-	sourceId: draft.sourceId || undefined,
-	modelName: draft.modelName.trim(),
-	provider: draft.provider.trim(),
-	modelPattern:
-		draft.patterns.length > 0 ? draft.patterns : [draft.modelName.trim()],
-	isOverride: draft.isOverride,
-	enabled: true,
-	unit: UnitDTO.per_million_tokens,
-	pricing: buildPricingPayload(draft),
-});
-
-export interface ValidationResult {
-	ok: boolean;
-	message?: string;
-}
-
-export const validateDraft = (
-	draft: DrawerDraft,
-	mode: DrawerMode,
-): ValidationResult => {
-	if (mode === 'add' && !draft.modelName.trim()) {
-		return { ok: false, message: 'Billing model ID is required.' };
-	}
-	if (!draft.provider.trim()) {
-		return { ok: false, message: 'Provider is required.' };
-	}
-	if (draft.pricing.input < 0 || draft.pricing.output < 0) {
-		return { ok: false, message: 'Pricing values must be non-negative.' };
-	}
-	return { ok: true };
-};
-
-export const matchesAnyPattern = (
-	candidate: string,
-	patterns: string[],
-): string | null => {
-	const lowered = candidate.toLowerCase();
-	const match = patterns.find((pattern) =>
-		lowered.startsWith(pattern.toLowerCase()),
-	);
-	return match || null;
-};
-
-const EXAMPLE_INPUT_TOKENS = 2000;
-const EXAMPLE_OUTPUT_TOKENS = 500;
-const EXAMPLE_CACHE_TOKENS = 1000;
-const PER_MILLION = 1_000_000;
-
-export interface CostPreviewParts {
-	total: number;
-	breakdown: { label: string; cost: number }[];
-}
-
-export const computeCostPreview = (draft: DrawerDraft): CostPreviewParts => {
-	const breakdown: { label: string; cost: number }[] = [];
-	const inputCost = (EXAMPLE_INPUT_TOKENS / PER_MILLION) * draft.pricing.input;
-	const outputCost =
-		(EXAMPLE_OUTPUT_TOKENS / PER_MILLION) * draft.pricing.output;
-	breakdown.push({ label: `${EXAMPLE_INPUT_TOKENS} input`, cost: inputCost });
-	breakdown.push({ label: `${EXAMPLE_OUTPUT_TOKENS} output`, cost: outputCost });
-	let total = inputCost + outputCost;
-	if (hasCacheValue(draft.pricing.cacheRead)) {
-		const cost =
-			(EXAMPLE_CACHE_TOKENS / PER_MILLION) * (draft.pricing.cacheRead as number);
-		breakdown.push({ label: `${EXAMPLE_CACHE_TOKENS} cache_read`, cost });
-		total += cost;
-	}
-	if (hasCacheValue(draft.pricing.cacheWrite)) {
-		const cost =
-			(EXAMPLE_CACHE_TOKENS / PER_MILLION) * (draft.pricing.cacheWrite as number);
-		breakdown.push({ label: `${EXAMPLE_CACHE_TOKENS} cache_write`, cost });
-		total += cost;
-	}
-	return { total, breakdown };
-};

frontend/src/container/LLMObservabilityModelPricing/useModelCostDrawer.ts

@@ -1,125 +0,0 @@
-import { useCallback, useState } from 'react';
-import { useQueryClient } from 'react-query';
-import {
-	getListLLMPricingRulesQueryKey,
-	useCreateOrUpdateLLMPricingRules,
-	useDeleteLLMPricingRule,
-} from 'api/generated/services/llmpricingrules';
-
-import {
-	buildRulePayload,
-	draftFromRule,
-	EMPTY_DRAFT,
-	type DrawerDraft,
-	type DrawerMode,
-} from './drawerUtils';
-import type { PricingRule } from './utils';
-
-interface UseModelCostDrawerResult {
-	isOpen: boolean;
-	mode: DrawerMode;
-	draft: DrawerDraft;
-	setDraft: (next: DrawerDraft) => void;
-	openForAdd: (prefillModelName?: string) => void;
-	openForEdit: (rule: PricingRule) => void;
-	close: () => void;
-	save: () => Promise<void>;
-	deleteRule: () => Promise<void>;
-	isSaving: boolean;
-	isDeleting: boolean;
-	saveError: string | null;
-	selectedRuleId: string | null;
-}
-
-export function useModelCostDrawer(): UseModelCostDrawerResult {
-	const queryClient = useQueryClient();
-	const [isOpen, setIsOpen] = useState<boolean>(false);
-	const [mode, setMode] = useState<DrawerMode>('add');
-	const [draft, setDraft] = useState<DrawerDraft>(EMPTY_DRAFT);
-	const [selectedRuleId, setSelectedRuleId] = useState<string | null>(null);
-	const [saveError, setSaveError] = useState<string | null>(null);
-
-	const { mutateAsync: createOrUpdate, isLoading: isSaving } =
-		useCreateOrUpdateLLMPricingRules();
-	const { mutateAsync: deleteRuleApi, isLoading: isDeleting } =
-		useDeleteLLMPricingRule();
-
-	const invalidateList = useCallback(async (): Promise<void> => {
-		await queryClient.invalidateQueries({
-			queryKey: getListLLMPricingRulesQueryKey(),
-		});
-	}, [queryClient]);
-
-	const openForAdd = useCallback((prefillModelName?: string): void => {
-		setMode('add');
-		setDraft({
-			...EMPTY_DRAFT,
-			modelName: prefillModelName || '',
-			patterns: prefillModelName ? [prefillModelName] : [],
-		});
-		setSelectedRuleId(null);
-		setSaveError(null);
-		setIsOpen(true);
-	}, []);
-
-	const openForEdit = useCallback((rule: PricingRule): void => {
-		setMode('edit');
-		setDraft(draftFromRule(rule));
-		setSelectedRuleId(rule.id);
-		setSaveError(null);
-		setIsOpen(true);
-	}, []);
-
-	const close = useCallback((): void => {
-		setIsOpen(false);
-		setSelectedRuleId(null);
-		setSaveError(null);
-	}, []);
-
-	const save = useCallback(async (): Promise<void> => {
-		setSaveError(null);
-		try {
-			await createOrUpdate({
-				data: { rules: [buildRulePayload(draft)] },
-			});
-			await invalidateList();
-			setIsOpen(false);
-			setSelectedRuleId(null);
-		} catch (error) {
-			const message = error instanceof Error ? error.message : 'Save failed';
-			setSaveError(message);
-		}
-	}, [createOrUpdate, draft, invalidateList]);
-
-	const deleteRule = useCallback(async (): Promise<void> => {
-		if (!draft.id) {
-			return;
-		}
-		setSaveError(null);
-		try {
-			await deleteRuleApi({ pathParams: { id: draft.id } });
-			await invalidateList();
-			setIsOpen(false);
-			setSelectedRuleId(null);
-		} catch (error) {
-			const message = error instanceof Error ? error.message : 'Delete failed';
-			setSaveError(message);
-		}
-	}, [deleteRuleApi, draft.id, invalidateList]);
-
-	return {
-		isOpen,
-		mode,
-		draft,
-		setDraft,
-		openForAdd,
-		openForEdit,
-		close,
-		save,
-		deleteRule,
-		isSaving,
-		isDeleting,
-		saveError,
-		selectedRuleId,
-	};
-}

frontend/src/container/LLMObservabilityModelPricing/utils.ts

@@ -1,101 +0,0 @@
-import type { LlmpricingruletypesLLMPricingRuleDTO } from 'api/generated/services/sigNoz.schemas';
-
-export type PricingRule = LlmpricingruletypesLLMPricingRuleDTO;
-
-export type SourceFilter = 'all' | 'auto' | 'override';
-
-export interface ExtraBucket {
-	key: string;
-	pricePerMillion: number;
-}
-
-export const formatPricePerMillion = (value: number | undefined): string => {
-	if (value === undefined || value === null || Number.isNaN(value)) {
-		return '—';
-	}
-	return `$${value.toFixed(2)}`;
-};
-
-export const getExtraBuckets = (rule: PricingRule): ExtraBucket[] => {
-	const cache = rule.pricing?.cache;
-	if (!cache) {
-		return [];
-	}
-	const buckets: ExtraBucket[] = [];
-	if (typeof cache.read === 'number' && cache.read > 0) {
-		buckets.push({ key: 'cache_read', pricePerMillion: cache.read });
-	}
-	if (typeof cache.write === 'number' && cache.write > 0) {
-		buckets.push({ key: 'cache_write', pricePerMillion: cache.write });
-	}
-	return buckets;
-};
-
-export const getSourceLabel = (rule: PricingRule): 'Auto' | 'User override' =>
-	rule.isOverride ? 'User override' : 'Auto';
-
-const MINUTE = 60;
-const HOUR = 60 * MINUTE;
-const DAY = 24 * HOUR;
-const MONTH = 30 * DAY;
-const YEAR = 365 * DAY;
-
-export const getRelativeLastSeen = (rule: PricingRule): string => {
-	const ts = rule.updatedAt || rule.syncedAt || rule.createdAt;
-	if (!ts) {
-		return '—';
-	}
-	const now = Date.now();
-	const target = new Date(ts).getTime();
-	if (Number.isNaN(target)) {
-		return '—';
-	}
-	const seconds = Math.max(0, Math.round((now - target) / 1000));
-	if (seconds < MINUTE) {
-		return 'just now';
-	}
-	if (seconds < HOUR) {
-		return `${Math.floor(seconds / MINUTE)} min ago`;
-	}
-	if (seconds < DAY) {
-		return `${Math.floor(seconds / HOUR)} hr ago`;
-	}
-	if (seconds < MONTH) {
-		return `${Math.floor(seconds / DAY)} days ago`;
-	}
-	if (seconds < YEAR) {
-		return `${Math.floor(seconds / MONTH)} mo ago`;
-	}
-	return `${Math.floor(seconds / YEAR)} yr ago`;
-};
-
-const lc = (value: string): string => value.toLowerCase();
-
-export const filterRules = (
-	rules: PricingRule[],
-	search: string,
-	source: SourceFilter,
-): PricingRule[] => {
-	const normalized = lc(search.trim());
-	return rules.filter((rule) => {
-		if (source === 'auto' && rule.isOverride) {
-			return false;
-		}
-		if (source === 'override' && !rule.isOverride) {
-			return false;
-		}
-		if (!normalized) {
-			return true;
-		}
-		return (
-			lc(rule.modelName).includes(normalized) ||
-			lc(rule.provider).includes(normalized) ||
-			(rule.modelPattern || []).some((pattern) => lc(pattern).includes(normalized))
-		);
-	});
-};
-
-export const getCanonicalId = (rule: PricingRule): string => {
-	const provider = rule.provider?.trim() || 'unknown';
-	return `${lc(provider)}:${rule.modelName}`;
-};

frontend/src/container/ResetPassword/ResetPassword.styles.scss

@@ -142,6 +142,15 @@
 		}
 	}
 
+	.reset-password-back-action {
+		margin-top: var(--spacing-12);
+		width: 100%;
+
+		button {
+			width: 100%;
+		}
+	}
+
 	@media (max-width: 768px) {
 		width: 100%;
 		padding: 0 16px;

frontend/src/container/ResetPassword/TokenError.tsx

@@ -1,7 +1,10 @@
-import { CircleAlert } from '@signozhq/icons';
+import { ArrowLeft, CircleAlert } from '@signozhq/icons';
+import { Button } from '@signozhq/ui/button';
 import { Typography } from '@signozhq/ui/typography';
 import AuthError from 'components/AuthError/AuthError';
 import AuthPageContainer from 'components/AuthPageContainer';
+import ROUTES from 'constants/routes';
+import history from 'lib/history';
 import APIError from 'types/api/error';
 
 import './ResetPassword.styles.scss';
@@ -59,6 +62,16 @@ function TokenError({ error }: TokenErrorProps): JSX.Element {
 					</Typography.Text>
 				</div>
 				{error && <AuthError error={error} />}
+				<div className="reset-password-back-action">
+					<Button
+						variant="solid"
+						data-testid="back-to-login"
+						prefix={<ArrowLeft size={12} />}
+						onClick={(): void => history.push(ROUTES.LOGIN)}
+					>
+						Back to login
+					</Button>
+				</div>
 			</div>
 		</AuthPageContainer>
 	);

frontend/src/container/SideNav/SideNav.styles.scss

@@ -119,6 +119,10 @@
 
 				border-radius: 0px 4px 4px 0px;
 				background: var(--l3-background);
+
+				&.version-container-standalone {
+					border-radius: 4px;
+				}
 			}
 
 			.version {

frontend/src/container/SideNav/SideNav.tsx

@@ -1010,7 +1010,7 @@ function SideNav({ isPinned }: { isPinned: boolean }): JSX.Element {
 								<img src={signozBrandLogoUrl} alt="SigNoz" />
 							</div>
 
-							{licenseTag && (
+							{(licenseTag || currentVersion) && (
 								<div
 									className={cx(
 										'brand-title-section',
@@ -1021,7 +1021,7 @@ function SideNav({ isPinned }: { isPinned: boolean }): JSX.Element {
 											'version-update-notification',
 									)}
 								>
-									<span className="license-type"> {licenseTag} </span>
+									{licenseTag && <span className="license-type"> {licenseTag} </span>}
 
 									{currentVersion && (
 										<Tooltip
@@ -1043,7 +1043,12 @@ function SideNav({ isPinned }: { isPinned: boolean }): JSX.Element {
 												)
 											}
 										>
-											<div className="version-container">
+											<div
+												className={cx(
+													'version-container',
+													!licenseTag && 'version-container-standalone',
+												)}
+											>
 												<span
 													className={cx('version', changelog && 'version-clickable')}
 													onClick={onClickVersionHandler}

frontend/src/container/SideNav/menuItems.tsx

@@ -11,7 +11,6 @@ import {
 	Building2,
 	ChartArea,
 	Cloudy,
-	Coins,
 	DraftingCompass,
 	FileKey2,
 	Github,
@@ -366,13 +365,6 @@ export const settingsNavSections: SettingsNavSection[] = [
 				isEnabled: false,
 				itemKey: 'mcp-server',
 			},
-			{
-				key: ROUTES.LLM_OBSERVABILITY_MODEL_PRICING,
-				label: 'Model Pricing',
-				icon: <Coins size={16} />,
-				isEnabled: true,
-				itemKey: 'llm-observability-model-pricing',
-			},
 		],
 	},
 

frontend/src/hooks/trace/useGetTraceFlamegraphV3.tsx

@@ -0,0 +1,42 @@
+import { getFlamegraph } from 'api/generated/services/tracedetail';
+import {
+	SpantypesGettableFlamegraphTraceDTO,
+	TelemetrytypesTelemetryFieldKeyDTO,
+} from 'api/generated/services/sigNoz.schemas';
+import { REACT_QUERY_KEY } from 'constants/reactQueryKeys';
+import { useQuery, UseQueryResult } from 'react-query';
+import { TelemetryFieldKey } from 'types/api/v5/queryRange';
+
+export interface GetTraceFlamegraphV3Props {
+	traceId: string;
+	selectedSpanId?: string;
+	selectFields?: TelemetryFieldKey[];
+	enabled?: boolean;
+}
+
+const useGetTraceFlamegraphV3 = (
+	props: GetTraceFlamegraphV3Props,
+): UseQueryResult<SpantypesGettableFlamegraphTraceDTO, unknown> =>
+	useQuery({
+		queryFn: () =>
+			getFlamegraph(
+				{ traceID: props.traceId },
+				{
+					selectedSpanId: props.selectedSpanId,
+					// v5 TelemetryFieldKey and the generated DTO are runtime-identical; only
+					// the literal-union vs enum nominal types differ
+					selectFields: props.selectFields as TelemetrytypesTelemetryFieldKeyDTO[],
+				},
+			).then((res) => res.data),
+		queryKey: [
+			REACT_QUERY_KEY.GET_TRACE_V3_FLAMEGRAPH,
+			props.traceId,
+			props.selectedSpanId,
+			props.selectFields,
+		],
+		enabled: props.enabled,
+		keepPreviousData: true,
+		refetchOnWindowFocus: false,
+	});
+
+export default useGetTraceFlamegraphV3;

frontend/src/pages/DashboardPage/DashboardPage.tsx

@@ -0,0 +1,53 @@
+import { useEffect } from 'react';
+import { useParams } from 'react-router-dom';
+import { Modal } from 'antd';
+import { Typography } from '@signozhq/ui/typography';
+import { AxiosError } from 'axios';
+import NotFound from 'components/NotFound';
+import Spinner from 'components/Spinner';
+import DashboardContainer from 'container/DashboardContainer';
+import { useDashboardBootstrap } from 'hooks/dashboard/useDashboardBootstrap';
+import { useDashboardStore } from 'providers/Dashboard/store/useDashboardStore';
+import { ErrorType } from 'types/common';
+
+function DashboardPage(): JSX.Element {
+	const { dashboardId } = useParams<{ dashboardId: string }>();
+
+	const [onModal, Content] = Modal.useModal();
+
+	const { isLoading, isError, isFetching, error } = useDashboardBootstrap(
+		dashboardId,
+		{ confirm: onModal.confirm },
+	);
+
+	const dashboardTitle = useDashboardStore((s) => s.dashboardData?.data.title);
+
+	useEffect(() => {
+		document.title = dashboardTitle || document.title;
+	}, [dashboardTitle]);
+
+	const errorMessage = isError
+		? (error as AxiosError<{ errorType: string }>)?.response?.data?.errorType
+		: 'Something went wrong';
+
+	if (isError && !isFetching && errorMessage === ErrorType.NotFound) {
+		return <NotFound />;
+	}
+
+	if (isError && errorMessage) {
+		return <Typography>{errorMessage}</Typography>;
+	}
+
+	if (isLoading) {
+		return <Spinner tip="Loading.." />;
+	}
+
+	return (
+		<>
+			{Content}
+			<DashboardContainer />
+		</>
+	);
+}
+
+export default DashboardPage;

frontend/src/pages/DashboardPage/index.tsx

@@ -1,53 +1,15 @@
-import { useEffect } from 'react';
-import { useParams } from 'react-router-dom';
-import { Modal } from 'antd';
-import { Typography } from '@signozhq/ui/typography';
-import { AxiosError } from 'axios';
-import NotFound from 'components/NotFound';
-import Spinner from 'components/Spinner';
-import DashboardContainer from 'container/DashboardContainer';
-import { useDashboardBootstrap } from 'hooks/dashboard/useDashboardBootstrap';
-import { useDashboardStore } from 'providers/Dashboard/store/useDashboardStore';
-import { ErrorType } from 'types/common';
+import { useIsDashboardV2 } from 'hooks/useIsDashboardV2';
+import DashboardPageV2 from 'pages/DashboardPageV2';
 
-function DashboardPage(): JSX.Element {
-	const { dashboardId } = useParams<{ dashboardId: string }>();
+import DashboardPage from './DashboardPage';
 
-	const [onModal, Content] = Modal.useModal();
+// Serves the V2 dashboard detail page when the `use_dashboard_v2` flag is active;
+// otherwise the existing V1 page. Lets V2 dark-ship behind the flag without
+// changing route definitions.
+function DashboardPageEntry(): JSX.Element {
+	const isDashboardV2 = useIsDashboardV2();
 
-	const { isLoading, isError, isFetching, error } = useDashboardBootstrap(
-		dashboardId,
-		{ confirm: onModal.confirm },
-	);
-
-	const dashboardTitle = useDashboardStore((s) => s.dashboardData?.data.title);
-
-	useEffect(() => {
-		document.title = dashboardTitle || document.title;
-	}, [dashboardTitle]);
-
-	const errorMessage = isError
-		? (error as AxiosError<{ errorType: string }>)?.response?.data?.errorType
-		: 'Something went wrong';
-
-	if (isError && !isFetching && errorMessage === ErrorType.NotFound) {
-		return <NotFound />;
-	}
-
-	if (isError && errorMessage) {
-		return <Typography>{errorMessage}</Typography>;
-	}
-
-	if (isLoading) {
-		return <Spinner tip="Loading.." />;
-	}
-
-	return (
-		<>
-			{Content}
-			<DashboardContainer />
-		</>
-	);
+	return isDashboardV2 ? <DashboardPageV2 /> : <DashboardPage />;
 }
 
-export default DashboardPage;
+export default DashboardPageEntry;

frontend/src/pages/DashboardPageV2/DashboardContainer/patchOps.ts

@@ -4,7 +4,7 @@ import type {
 	DashboardtypesLayoutDTO,
 	DashboardtypesPanelDTO,
 } from 'api/generated/services/sigNoz.schemas';
-import { DashboardtypesJSONPatchOperationDTOOp } from 'api/generated/services/sigNoz.schemas';
+import { DashboardtypesPatchOpDTO } from 'api/generated/services/sigNoz.schemas';
 
 import type { GridItem } from './utils';
 
@@ -16,7 +16,7 @@ import type { GridItem } from './utils';
  * patches in DashboardSettings/General and DashboardDescription).
  */
 
-const { add, replace, remove } = DashboardtypesJSONPatchOperationDTOOp;
+const { add, replace, remove } = DashboardtypesPatchOpDTO;
 
 const PANEL_REF_PREFIX = '#/spec/panels/';
 

frontend/src/pages/DashboardsListPage/index.tsx

@@ -1,3 +1,15 @@
+import { useIsDashboardV2 } from 'hooks/useIsDashboardV2';
+import DashboardsListPageV2 from 'pages/DashboardsListPageV2';
+
 import DashboardsListPage from './DashboardsListPage';
 
-export default DashboardsListPage;
+// Serves the V2 dashboards list when the `use_dashboard_v2` flag is active;
+// otherwise the existing V1 list. Lets V2 dark-ship behind the flag without
+// changing route definitions.
+function DashboardsListPageEntry(): JSX.Element {
+	const isDashboardV2 = useIsDashboardV2();
+
+	return isDashboardV2 ? <DashboardsListPageV2 /> : <DashboardsListPage />;
+}
+
+export default DashboardsListPageEntry;

frontend/src/pages/DashboardsListPageV2/components/DashboardsList/DashboardsList.tsx

@@ -8,6 +8,10 @@ import {
 	createDashboardV2,
 	useListDashboardsV2,
 } from 'api/generated/services/dashboard';
+import {
+	DashboardtypesListOrderDTO,
+	DashboardtypesListSortDTO,
+} from 'api/generated/services/sigNoz.schemas';
 import ROUTES from 'constants/routes';
 import { RequestDashboardBtn } from 'container/ListOfDashboard/RequestDashboardBtn';
 import useComponentPermission from 'hooks/useComponentPermission';
@@ -24,8 +28,6 @@ import {
 	useSearch,
 	useSortColumn,
 	useSortOrder,
-	type SortColumn,
-	type SortOrder,
 } from '../../hooks/useDashboardsListQueryParams';
 import type { DashboardListItem } from '../../utils';
 import ConfigureMetadataModal from '../ConfigureMetadataModal/ConfigureMetadataModal';
@@ -150,7 +152,7 @@ function DashboardsList(): JSX.Element {
 	}, []);
 
 	const onSortChange = useCallback(
-		(column: SortColumn): void => {
+		(column: DashboardtypesListSortDTO): void => {
 			void setSortColumn(column);
 			void setPage(1);
 		},
@@ -158,7 +160,7 @@ function DashboardsList(): JSX.Element {
 	);
 
 	const onOrderChange = useCallback(
-		(order: SortOrder): void => {
+		(order: DashboardtypesListOrderDTO): void => {
 			void setSortOrder(order);
 			void setPage(1);
 		},

frontend/src/pages/DashboardsListPageV2/components/ListHeader/ListHeader.tsx

@@ -7,18 +7,18 @@ import {
 	HdmiPort,
 } from '@signozhq/icons';
 
-import type {
-	SortColumn,
-	SortOrder,
-} from '../../hooks/useDashboardsListQueryParams';
+import {
+	DashboardtypesListOrderDTO,
+	DashboardtypesListSortDTO,
+} from 'api/generated/services/sigNoz.schemas';
 
 import styles from './ListHeader.module.scss';
 
 interface Props {
-	sortColumn: SortColumn;
-	onSortChange: (column: SortColumn) => void;
-	sortOrder: SortOrder;
-	onOrderChange: (order: SortOrder) => void;
+	sortColumn: DashboardtypesListSortDTO;
+	onSortChange: (column: DashboardtypesListSortDTO) => void;
+	sortOrder: DashboardtypesListOrderDTO;
+	onOrderChange: (order: DashboardtypesListOrderDTO) => void;
 	onConfigureMetadata: () => void;
 }
 
@@ -44,49 +44,57 @@ function ListHeader({
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onSortChange('name')}
+									onClick={(): void => onSortChange(DashboardtypesListSortDTO.name)}
 									data-testid="sort-by-name"
 								>
 									Name
-									{sortColumn === 'name' && <Check size={14} />}
+									{sortColumn === DashboardtypesListSortDTO.name && <Check size={14} />}
 								</Button>
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onSortChange('created_at')}
+									onClick={(): void =>
+										onSortChange(DashboardtypesListSortDTO.created_at)
+									}
 									data-testid="sort-by-last-created"
 								>
 									Last created
-									{sortColumn === 'created_at' && <Check size={14} />}
+									{sortColumn === DashboardtypesListSortDTO.created_at && (
+										<Check size={14} />
+									)}
 								</Button>
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onSortChange('updated_at')}
+									onClick={(): void =>
+										onSortChange(DashboardtypesListSortDTO.updated_at)
+									}
 									data-testid="sort-by-last-updated"
 								>
 									Last updated
-									{sortColumn === 'updated_at' && <Check size={14} />}
+									{sortColumn === DashboardtypesListSortDTO.updated_at && (
+										<Check size={14} />
+									)}
 								</Button>
 								<div className={styles.sortDivider} />
 								<Typography.Text className={styles.sortHeading}>Order</Typography.Text>
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onOrderChange('asc')}
+									onClick={(): void => onOrderChange(DashboardtypesListOrderDTO.asc)}
 									data-testid="sort-order-asc"
 								>
 									Ascending
-									{sortOrder === 'asc' && <Check size={14} />}
+									{sortOrder === DashboardtypesListOrderDTO.asc && <Check size={14} />}
 								</Button>
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onOrderChange('desc')}
+									onClick={(): void => onOrderChange(DashboardtypesListOrderDTO.desc)}
 									data-testid="sort-order-desc"
 								>
 									Descending
-									{sortOrder === 'desc' && <Check size={14} />}
+									{sortOrder === DashboardtypesListOrderDTO.desc && <Check size={14} />}
 								</Button>
 							</div>
 						}

frontend/src/pages/DashboardsListPageV2/components/states/states.module.scss

@@ -1,5 +1,5 @@
-// Shared building blocks for the dashboards-list view states.
-// Composed via CSS-modules `composes:` from each state's own SCSS.
+/* Shared building blocks for the dashboards-list view states. */
+/* Composed via CSS-modules `composes:` from each state's own SCSS. */
 
 .cardWrapper {
 	display: flex;

frontend/src/pages/DashboardsListPageV2/hooks/useDashboardsListQueryParams.ts

@@ -1,3 +1,7 @@
+import {
+	DashboardtypesListOrderDTO,
+	DashboardtypesListSortDTO,
+} from 'api/generated/services/sigNoz.schemas';
 import {
 	parseAsInteger,
 	parseAsString,
@@ -7,26 +11,31 @@ import {
 	type UseQueryStateReturn,
 } from 'nuqs';
 
-export const SORT_COLUMNS = ['updated_at', 'created_at', 'name'] as const;
-export type SortColumn = (typeof SORT_COLUMNS)[number];
-
-export const SORT_ORDERS = ['asc', 'desc'] as const;
-export type SortOrder = (typeof SORT_ORDERS)[number];
+export const SORT_COLUMNS = Object.values(DashboardtypesListSortDTO);
+export const SORT_ORDERS = Object.values(DashboardtypesListOrderDTO);
 
 const opts: Options = { history: 'push' };
 
-export const useSortColumn = (): UseQueryStateReturn<SortColumn, SortColumn> =>
+export const useSortColumn = (): UseQueryStateReturn<
+	DashboardtypesListSortDTO,
+	DashboardtypesListSortDTO
+> =>
 	useQueryState(
 		'sort',
 		parseAsStringLiteral(SORT_COLUMNS)
-			.withDefault('updated_at')
+			.withDefault(DashboardtypesListSortDTO.updated_at)
 			.withOptions(opts),
 	);
 
-export const useSortOrder = (): UseQueryStateReturn<SortOrder, SortOrder> =>
+export const useSortOrder = (): UseQueryStateReturn<
+	DashboardtypesListOrderDTO,
+	DashboardtypesListOrderDTO
+> =>
 	useQueryState(
 		'order',
-		parseAsStringLiteral(SORT_ORDERS).withDefault('desc').withOptions(opts),
+		parseAsStringLiteral(SORT_ORDERS)
+			.withDefault(DashboardtypesListOrderDTO.desc)
+			.withOptions(opts),
 	);
 
 export const usePage = (): UseQueryStateReturn<number, number> =>

frontend/src/pages/DashboardsListPageV2/utils.ts

@@ -1,8 +1,8 @@
 import dayjs from 'dayjs';
 import { isEmpty } from 'lodash-es';
-import type { DashboardtypesGettableDashboardWithPinDTO } from 'api/generated/services/sigNoz.schemas';
+import type { DashboardtypesListedDashboardV2DTO } from 'api/generated/services/sigNoz.schemas';
 
-export type DashboardListItem = DashboardtypesGettableDashboardWithPinDTO;
+export type DashboardListItem = DashboardtypesListedDashboardV2DTO;
 
 export const tagsToStrings = (
 	tags: { key: string; value: string }[] | null | undefined,

frontend/src/pages/LLMObservabilityModelPricing/index.tsx

@@ -1,7 +0,0 @@
-import LLMObservabilityModelPricing from 'container/LLMObservabilityModelPricing/LLMObservabilityModelPricing';
-
-function LLMObservabilityModelPricingPage(): JSX.Element {
-	return <LLMObservabilityModelPricing />;
-}
-
-export default LLMObservabilityModelPricingPage;

frontend/src/pages/ResetPassword/__tests__/ResetPasswordPage.test.tsx

@@ -2,7 +2,7 @@ import { Logout } from 'api/utils';
 import ROUTES from 'constants/routes';
 import history from 'lib/history';
 import { createErrorResponse, rest, server } from 'mocks-server/server';
-import { render, screen, waitFor } from 'tests/test-utils';
+import { render, screen, waitFor, fireEvent } from 'tests/test-utils';
 
 import ResetPassword from '../index';
 
@@ -103,6 +103,7 @@ describe('ResetPassword Page', () => {
 			expect(
 				screen.getByText(/reset password token does not exist/i),
 			).toBeInTheDocument();
+			expect(screen.getByTestId('back-to-login')).toBeInTheDocument();
 		});
 
 		it('shows "token is expired" when token is expired (401) without redirecting to login', async () => {
@@ -137,6 +138,32 @@ describe('ResetPassword Page', () => {
 			// 401 from this endpoint must NOT trigger logout/redirect
 			expect(mockHistoryPush).not.toHaveBeenCalledWith(ROUTES.LOGIN);
 			expect(Logout).not.toHaveBeenCalled();
+			expect(screen.getByTestId('back-to-login')).toBeInTheDocument();
+		});
+
+		it('navigates to login when "Back to login" is clicked on error screen', async () => {
+			server.use(
+				rest.post(
+					VERIFY_TOKEN_ENDPOINT,
+					createErrorResponse(
+						404,
+						'reset_password_token_not_found',
+						'reset password token does not exist',
+					),
+				),
+			);
+
+			window.history.pushState({}, '', '/password-reset?token=invalid-token');
+			render(<ResetPassword />, undefined, {
+				initialRoute: '/password-reset?token=invalid-token',
+			});
+
+			await waitFor(() => {
+				expect(screen.getByTestId('back-to-login')).toBeInTheDocument();
+			});
+
+			fireEvent.click(screen.getByTestId('back-to-login'));
+			expect(mockHistoryPush).toHaveBeenCalledWith(ROUTES.LOGIN);
 		});
 
 		it('redirects to login when no token is in the URL', async () => {

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/TraceFlamegraph.tsx

@@ -1,7 +1,7 @@
 import { useCallback, useEffect, useMemo, useState } from 'react';
 import { useHistory, useLocation, useParams } from 'react-router-dom';
 import { Skeleton } from 'antd';
-import useGetTraceFlamegraph from 'hooks/trace/useGetTraceFlamegraph';
+import useGetTraceFlamegraphV3 from 'hooks/trace/useGetTraceFlamegraphV3';
 import useUrlQuery from 'hooks/useUrlQuery';
 import { TraceDetailFlamegraphURLProps } from 'types/api/trace/getTraceFlamegraph';
 import { SpanV3 } from 'types/api/trace/getTraceV3';
@@ -53,6 +53,9 @@ function TraceFlamegraph({
 	);
 
 	const previewFields = useTraceStore((s) => s.previewFields);
+	// Gate the fetch until prefs load, else selectFields (in the query key)
+	// repopulates and triggers a second fetch.
+	const userPrefsReady = useTraceStore((s) => s.userPreferences !== null);
 
 	// Color-by fields baseline + user-picked preview fields. De-duped by `name`,
 	// color-by entries first so their canonical metadata wins on collision.
@@ -70,17 +73,14 @@ function TraceFlamegraph({
 		data,
 		isFetching,
 		error: fetchError,
-	} = useGetTraceFlamegraph({
+	} = useGetTraceFlamegraphV3({
 		traceId,
 		selectedSpanId: selectedSpanIdForFetch,
-		limit: FLAMEGRAPH_SPAN_LIMIT,
 		selectFields: flamegraphSelectFields,
+		enabled: !!traceId && userPrefsReady,
 	});
 
-	const spans = useMemo(
-		() => data?.payload?.spans || [],
-		[data?.payload?.spans],
-	);
+	const spans = useMemo(() => data?.spans || [], [data?.spans]);
 
 	const {
 		layout,
@@ -99,8 +99,8 @@ function TraceFlamegraph({
 						setFirstSpanAtFetchLevel={setFirstSpanAtFetchLevel}
 						onSpanClick={handleSpanClick}
 						traceMetadata={{
-							startTime: data?.payload?.startTimestampMillis || 0,
-							endTime: data?.payload?.endTimestampMillis || 0,
+							startTime: data?.startTimestampMillis || 0,
+							endTime: data?.endTimestampMillis || 0,
 						}}
 						filteredSpanIds={filteredSpanIds}
 						isFilterActive={isFilterActive}
@@ -124,7 +124,7 @@ function TraceFlamegraph({
 		if (fetchError || workerError) {
 			return <Error error={(fetchError || workerError) as any} />;
 		}
-		if (data?.payload?.spans && data.payload.spans.length === 0) {
+		if (data?.spans && data.spans.length === 0) {
 			return <div>No data found for trace {traceId}</div>;
 		}
 		return (
@@ -134,17 +134,17 @@ function TraceFlamegraph({
 				setFirstSpanAtFetchLevel={setFirstSpanAtFetchLevel}
 				onSpanClick={handleSpanClick}
 				traceMetadata={{
-					startTime: data?.payload?.startTimestampMillis || 0,
-					endTime: data?.payload?.endTimestampMillis || 0,
+					startTime: data?.startTimestampMillis || 0,
+					endTime: data?.endTimestampMillis || 0,
 				}}
 				filteredSpanIds={filteredSpanIds}
 				isFilterActive={isFilterActive}
 			/>
 		);
 	}, [
-		data?.payload?.endTimestampMillis,
-		data?.payload?.startTimestampMillis,
-		data?.payload?.spans,
+		data?.endTimestampMillis,
+		data?.startTimestampMillis,
+		data?.spans,
 		fetchError,
 		filteredSpanIds,
 		firstSpanAtFetchLevel,

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/__tests__/TraceFlamegraph.test.tsx

@@ -1,12 +1,12 @@
 import { render } from '@testing-library/react';
-import useGetTraceFlamegraph from 'hooks/trace/useGetTraceFlamegraph';
+import useGetTraceFlamegraphV3 from 'hooks/trace/useGetTraceFlamegraphV3';
 import { AllTheProviders } from 'tests/test-utils';
 import { SpanV3 } from 'types/api/trace/getTraceV3';
 
 import { FLAMEGRAPH_SPAN_LIMIT } from '../constants';
 import TraceFlamegraph from '../TraceFlamegraph';
 
-jest.mock('hooks/trace/useGetTraceFlamegraph');
+jest.mock('hooks/trace/useGetTraceFlamegraphV3');
 
 // Short-circuit the worker so the test doesn't depend on layout computation.
 jest.mock('../hooks/useVisualLayoutWorker', () => ({
@@ -17,9 +17,8 @@ jest.mock('../hooks/useVisualLayoutWorker', () => ({
 	}),
 }));
 
-const mockUseGetTraceFlamegraph = useGetTraceFlamegraph as jest.MockedFunction<
-	typeof useGetTraceFlamegraph
->;
+const mockUseGetTraceFlamegraph =
+	useGetTraceFlamegraphV3 as jest.MockedFunction<typeof useGetTraceFlamegraphV3>;
 
 function renderFlamegraph(props: {
 	selectedSpan: SpanV3 | undefined;
@@ -45,7 +44,7 @@ describe('TraceFlamegraph - selectedSpanId pass-through', () => {
 	beforeEach(() => {
 		mockUseGetTraceFlamegraph.mockReset();
 		mockUseGetTraceFlamegraph.mockReturnValue({
-			data: { payload: { spans: [] } },
+			data: { spans: [] },
 			isFetching: false,
 			error: null,
 		} as never);

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/__tests__/computeVisualLayout.test.ts

@@ -1,4 +1,4 @@
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 
 import {
 	computeVisualLayout,
@@ -14,12 +14,12 @@ function makeSpan(
 ): FlamegraphSpan {
 	return {
 		parentSpanId: '',
-		traceId: 'trace-1',
 		hasError: false,
-		serviceName: 'svc',
 		name: 'op',
 		level: 0,
 		event: [],
+		resource: {},
+		attributes: {},
 		...overrides,
 	};
 }

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/__tests__/testUtils.ts

@@ -1,4 +1,4 @@
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 
 /** Minimal FlamegraphSpan for unit tests */
 export const MOCK_SPAN: FlamegraphSpan = {
@@ -6,12 +6,12 @@ export const MOCK_SPAN: FlamegraphSpan = {
 	durationNano: 50_000_000, // 50ms
 	spanId: 'span-1',
 	parentSpanId: '',
-	traceId: 'trace-1',
 	hasError: false,
-	serviceName: 'test-service',
 	name: 'test-span',
 	level: 0,
 	event: [],
+	resource: {},
+	attributes: {},
 };
 
 /** Nested spans structure for findSpanById tests */

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/__tests__/utils.presentation.test.ts

@@ -65,37 +65,25 @@ describe('Presentation / Styling Utils', () => {
 	describe('getFlamegraphSpanGroupValue', () => {
 		it('returns resource[field.name] when present', () => {
 			const value = getFlamegraphSpanGroupValue(
-				{
-					serviceName: 'legacy',
-					resource: { 'service.name': 'svc-from-resource' },
-				},
+				{ resource: { 'service.name': 'svc-from-resource' } },
 				SERVICE_FIELD,
 			);
 			expect(value).toBe('svc-from-resource');
 		});
 
-		it('falls back to top-level serviceName for service.name when resource is empty', () => {
-			const value = getFlamegraphSpanGroupValue(
-				{ serviceName: 'svc-legacy', resource: {} },
-				SERVICE_FIELD,
-			);
-			expect(value).toBe('svc-legacy');
+		it('returns "unknown" for service.name when resource is empty', () => {
+			const value = getFlamegraphSpanGroupValue({ resource: {} }, SERVICE_FIELD);
+			expect(value).toBe('unknown');
 		});
 
 		it('returns "unknown" for non-service fields when resource is missing', () => {
-			const value = getFlamegraphSpanGroupValue(
-				{ serviceName: 'svc', resource: {} },
-				HOST_FIELD,
-			);
+			const value = getFlamegraphSpanGroupValue({ resource: {} }, HOST_FIELD);
 			expect(value).toBe('unknown');
 		});
 
 		it('reads host.name from resource when present', () => {
 			const value = getFlamegraphSpanGroupValue(
-				{
-					serviceName: 'svc',
-					resource: { 'host.name': 'host-1' },
-				},
+				{ resource: { 'host.name': 'host-1' } },
 				HOST_FIELD,
 			);
 			expect(value).toBe('host-1');

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/computeVisualLayout.ts

@@ -1,11 +1,10 @@
 /* eslint-disable sonarjs/cognitive-complexity */
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 
 export interface ConnectorLine {
 	parentRow: number;
 	childRow: number;
 	timestampMs: number;
-	serviceName: string;
 	// Snapshot of the child span's resource so draw-time can resolve the
 	// `colorByField` group value without crossing the worker boundary.
 	resource?: Record<string, string>;
@@ -159,24 +158,8 @@ export function computeVisualLayout(spans: FlamegraphSpan[][]): VisualLayout {
 		}
 	}
 
-	// Extract parentSpanId — the field may be missing at runtime when the API
-	// returns `references` instead.  Fall back to the first CHILD_OF reference.
 	function getParentId(span: FlamegraphSpan): string {
-		if (span.parentSpanId) {
-			return span.parentSpanId;
-		}
-		// eslint-disable-next-line @typescript-eslint/no-explicit-any
-		const refs = (span as any).references as
-			| Array<{ spanId?: string; refType?: string }>
-			| undefined;
-		if (refs) {
-			for (const ref of refs) {
-				if (ref.refType === 'CHILD_OF' && ref.spanId) {
-					return ref.spanId;
-				}
-			}
-		}
-		return '';
+		return span.parentSpanId || '';
 	}
 
 	// Build children map and identify roots
@@ -480,7 +463,6 @@ export function computeVisualLayout(spans: FlamegraphSpan[][]): VisualLayout {
 				parentRow,
 				childRow,
 				timestampMs: child.timestamp,
-				serviceName: child.serviceName,
 				resource: child.resource,
 			});
 		}

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/hooks/useFlamegraphDraw.ts

@@ -1,7 +1,7 @@
 import React, { RefObject, useCallback, useMemo, useRef } from 'react';
 import { generateColorPair } from 'pages/TraceDetailsV3/utils/generateColorPair';
 import { useTraceStore } from 'pages/TraceDetailsV3/stores/traceStore';
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 import { TelemetryFieldKey } from 'types/api/v5/queryRange';
 
 import { ConnectorLine } from '../computeVisualLayout';
@@ -200,7 +200,7 @@ function drawConnectorLines(args: DrawConnectorLinesArgs): void {
 		}
 
 		const groupValue = getFlamegraphSpanGroupValue(
-			{ serviceName: conn.serviceName, resource: conn.resource },
+			{ resource: conn.resource },
 			colorByField,
 		);
 		const pair = generateColorPair(groupValue);

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/hooks/useFlamegraphHover.ts

@@ -11,10 +11,9 @@ import {
 import { useTraceStore } from 'pages/TraceDetailsV3/stores/traceStore';
 import { RESERVED_PREVIEW_KEYS } from 'pages/TraceDetailsV3/SpanHoverCard/SpanHoverCard';
 import { getSpanAttribute } from 'pages/TraceDetailsV3/utils';
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 
-import { EventRect, SpanRect } from '../types';
-import { ITraceMetadata } from '../types';
+import { EventRect, ITraceMetadata, SpanRect } from '../types';
 import {
 	getFlamegraphServiceName,
 	getFlamegraphSpanGroupValue,
@@ -200,7 +199,7 @@ export function useFlamegraphHover(
 
 			if (eventRect) {
 				const { event, span } = eventRect;
-				const eventTimeMs = event.timeUnixNano / 1e6;
+				const eventTimeMs = (event.timeUnixNano ?? 0) / 1e6;
 				setHoveredEventKey(`${span.spanId}-${event.name}-${event.timeUnixNano}`);
 				setHoveredSpanId(span.spanId);
 				setTooltipContent({
@@ -220,10 +219,10 @@ export function useFlamegraphHover(
 						return isDarkMode ? pair.color : pair.colorDark;
 					})(),
 					event: {
-						name: event.name,
+						name: event.name ?? '',
 						timeOffsetMs: eventTimeMs - span.timestamp,
-						isError: event.isError,
-						attributeMap: event.attributeMap || {},
+						isError: event.isError ?? false,
+						attributeMap: (event.attributeMap as Record<string, string>) ?? {},
 					},
 				});
 				updateCursor(canvas, eventRect.span);

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/hooks/useScrollToSpan.ts

@@ -5,7 +5,7 @@ import {
 	SetStateAction,
 	useEffect,
 } from 'react';
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 
 import { MIN_VISIBLE_SPAN_MS } from '../constants';
 import { ITraceMetadata } from '../types';

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/hooks/useVisualLayoutWorker.ts

@@ -1,5 +1,5 @@
 import { useEffect, useRef, useState } from 'react';
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 
 import { computeVisualLayout, VisualLayout } from '../computeVisualLayout';
 import { LayoutWorkerResponse } from '../visualLayoutWorkerTypes';

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/types.ts

@@ -1,5 +1,8 @@
+import {
+	SpantypesEventDTO as FlamegraphEvent,
+	SpantypesFlamegraphSpanDTO as FlamegraphSpan,
+} from 'api/generated/services/sigNoz.schemas';
 import { Dispatch, SetStateAction } from 'react';
-import { Event, FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
 
 import { VisualLayout } from './computeVisualLayout';
 
@@ -28,7 +31,7 @@ export interface SpanRect {
 }
 
 export interface EventRect {
-	event: Event;
+	event: FlamegraphEvent;
 	span: FlamegraphSpan;
 	cx: number;
 	cy: number;

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/utils.ts

@@ -7,7 +7,7 @@ import {
 	generateColorPair,
 	RESERVED_ERROR,
 } from 'pages/TraceDetailsV3/utils/generateColorPair';
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 import { TelemetryFieldKey } from 'types/api/v5/queryRange';
 
 import {
@@ -74,34 +74,25 @@ export function getFlamegraphRowMetrics(
 
 /**
  * Resolve the displayed service.name for a flamegraph span. Used by tooltips
- * (service identity, independent of the active colour-by field). Prefers
- * `resource['service.name']` with legacy top-level `serviceName` fallback.
+ * (service identity, independent of the active colour-by field). Reads
+ * `resource['service.name']`.
  */
 export function getFlamegraphServiceName(
-	span: Pick<FlamegraphSpan, 'serviceName' | 'resource' | 'attributes'>,
+	span: Partial<Pick<FlamegraphSpan, 'resource' | 'attributes'>>,
 ): string {
-	return getSpanAttribute(span, 'service.name') || span.serviceName || '';
+	return getSpanAttribute(span, 'service.name') || '';
 }
 
 /**
  * Resolve the value used to bucket a flamegraph span by colour for the given
- * field. Prefers `resource[field.name]` (new contract from `selectFields`).
- * For `service.name`, falls back to the legacy top-level `serviceName` when
- * resource is empty (backward-compat with backends that haven't shipped
- * `selectFields` yet). For other fields, falls back to `'unknown'`.
+ * field. Prefers `resource[field.name]` (contract from `selectFields`), falling
+ * back to `'unknown'`.
  */
 export function getFlamegraphSpanGroupValue(
-	span: Pick<FlamegraphSpan, 'serviceName' | 'resource' | 'attributes'>,
+	span: Partial<Pick<FlamegraphSpan, 'resource' | 'attributes'>>,
 	field: TelemetryFieldKey,
 ): string {
-	const fromAttribute = getSpanAttribute(span, field.name);
-	if (fromAttribute) {
-		return fromAttribute;
-	}
-	if (field.name === 'service.name') {
-		return span.serviceName || 'unknown';
-	}
-	return 'unknown';
+	return getSpanAttribute(span, field.name) || 'unknown';
 }
 
 interface GetSpanColorArgs {
@@ -296,7 +287,7 @@ export function drawSpanBar(args: DrawSpanBarArgs): void {
 			return;
 		}
 
-		const eventTimeMs = event.timeUnixNano / 1e6;
+		const eventTimeMs = (event.timeUnixNano ?? 0) / 1e6;
 		const eventOffsetPercent =
 			((eventTimeMs - span.timestamp) / spanDurationMs) * 100;
 		const clampedOffset = clamp(eventOffsetPercent, 1, 99);
@@ -306,7 +297,11 @@ export function drawSpanBar(args: DrawSpanBarArgs): void {
 		// Event dots derive from the effective bar color so they track the
 		// light/dark variant the bar is rendered with.
 		const parentBarColor = isDarkMode ? color : colorDark;
-		const dotColor = getEventDotColor(parentBarColor, event.isError, isDarkMode);
+		const dotColor = getEventDotColor(
+			parentBarColor,
+			event.isError ?? false,
+			isDarkMode,
+		);
 		const eventKey = `${span.spanId}-${event.name}-${event.timeUnixNano}`;
 		const isEventHovered = hoveredEventKey === eventKey;
 		const dotSize = isEventHovered

frontend/src/pages/TraceDetailsV3/TraceFlamegraph/visualLayoutWorkerTypes.ts

@@ -1,4 +1,4 @@
-import { FlamegraphSpan } from 'types/api/trace/getTraceFlamegraph';
+import { SpantypesFlamegraphSpanDTO as FlamegraphSpan } from 'api/generated/services/sigNoz.schemas';
 
 import { VisualLayout } from './computeVisualLayout';
 

frontend/src/utils/permission/index.ts

@@ -136,5 +136,4 @@ export const routePermission: Record<keyof typeof ROUTES, ROLES[]> = {
 	AI_ASSISTANT_ICON_PREVIEW: ['ADMIN', 'EDITOR', 'VIEWER'],
 	MCP_SERVER: ['ADMIN', 'EDITOR', 'VIEWER'],
 	AI_ASSISTANT_BASE: ['ADMIN', 'EDITOR', 'VIEWER'],
-	LLM_OBSERVABILITY_MODEL_PRICING: ['ADMIN', 'EDITOR', 'VIEWER'],
 };

frontend/tsconfig.json

@@ -48,9 +48,7 @@
 		"node_modules",
 		"src/parser/*.ts",
 		"src/parser/TraceOperatorParser/*.ts",
-		"orval.config.ts",
-		"src/pages/DashboardsListPageV2/**/*",
-		"src/pages/DashboardPageV2/**/*"
+		"orval.config.ts"
 	],
 	"include": [
 		"./src",

pkg/apiserver/signozapiserver/registry.go

@@ -50,8 +50,8 @@ func (handler *healthOpenAPIHandler) ServeOpenAPI(opCtx openapi.OperationContext
 	)
 }
 
-func (handler *healthOpenAPIHandler) AuditDef() *pkghandler.AuditDef {
-	// Health endpoints are not audited since they don't represent user actions and are called frequently by monitoring systems, which would create noise in the audit logs.
+func (handler *healthOpenAPIHandler) ResourceDefs() []pkghandler.ResourceDef {
+	// Health endpoints don't act on resources.
 	return nil
 }
 

pkg/apiserver/signozapiserver/role.go

@@ -7,166 +7,197 @@ import (
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/coretypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
 
 func (provider *provider) addRoleRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/roles", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Create, authtypes.Relation{Verb: coretypes.VerbCreate}, coretypes.ResourceRole, roleCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "CreateRole",
-		Tags:                []string{"role"},
-		Summary:             "Create role",
-		Description:         "This endpoint creates a role",
-		Request:             new(authtypes.PostableRole),
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbCreate)}),
-	})).Methods(http.MethodPost).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Create, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "CreateRole",
+			Tags:                []string{"role"},
+			Summary:             "Create role",
+			Description:         "This endpoint creates a role",
+			Request:             new(authtypes.PostableRole),
+			RequestContentType:  "",
+			Response:            new(types.Identifiable),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusCreated,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbCreate)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbCreate,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.ResponseJSONPath("data.id"),
+			Selector: coretypes.WildcardSelector,
+		}),
+	)).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles", handler.New(provider.authzMiddleware.Check(provider.authzHandler.List, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceRole, roleCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "ListRoles",
-		Tags:                []string{"role"},
-		Summary:             "List roles",
-		Description:         "This endpoint lists all roles",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*authtypes.Role, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbList)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.List, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "ListRoles",
+			Tags:                []string{"role"},
+			Summary:             "List roles",
+			Description:         "This endpoint lists all roles",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            make([]*authtypes.Role, 0),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbList)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbList,
+			Category: coretypes.ActionCategoryAccessControl,
+			Selector: coretypes.WildcardSelector,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Get, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "GetRole",
-		Tags:                []string{"role"},
-		Summary:             "Get role",
-		Description:         "This endpoint gets a role",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(authtypes.Role),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Get, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "GetRole",
+			Tags:                []string{"role"},
+			Summary:             "Get role",
+			Description:         "This endpoint gets a role",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new(authtypes.Role),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbRead,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(provider.authzMiddleware.Check(provider.authzHandler.GetObjects, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "GetObjects",
-		Tags:                []string{"role"},
-		Summary:             "Get objects for a role by relation",
-		Description:         "Gets all objects connected to the specified role via a given relation type",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*coretypes.ObjectGroup, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.GetObjects, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "GetObjects",
+			Tags:                []string{"role"},
+			Summary:             "Get objects for a role by relation",
+			Description:         "Gets all objects connected to the specified role via a given relation type",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            make([]*coretypes.ObjectGroup, 0),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbRead,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Patch, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "PatchRole",
-		Tags:                []string{"role"},
-		Summary:             "Patch role",
-		Description:         "This endpoint patches a role",
-		Request:             new(authtypes.PatchableRole),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
-	})).Methods(http.MethodPatch).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Patch, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "PatchRole",
+			Tags:                []string{"role"},
+			Summary:             "Patch role",
+			Description:         "This endpoint patches a role",
+			Request:             new(authtypes.PatchableRole),
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbUpdate,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodPatch).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(provider.authzMiddleware.Check(provider.authzHandler.PatchObjects, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "PatchObjects",
-		Tags:                []string{"role"},
-		Summary:             "Patch objects for a role by relation",
-		Description:         "Patches the objects connected to the specified role via a given relation type",
-		Request:             new(coretypes.PatchableObjects),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
-	})).Methods(http.MethodPatch).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.PatchObjects, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "PatchObjects",
+			Tags:                []string{"role"},
+			Summary:             "Patch objects for a role by relation",
+			Description:         "Patches the objects connected to the specified role via a given relation type",
+			Request:             new(coretypes.PatchableObjects),
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbUpdate,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodPatch).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Delete, authtypes.Relation{Verb: coretypes.VerbDelete}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "DeleteRole",
-		Tags:                []string{"role"},
-		Summary:             "Delete role",
-		Description:         "This endpoint deletes a role",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Delete, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "DeleteRole",
+			Tags:                []string{"role"},
+			Summary:             "Delete role",
+			Description:         "This endpoint deletes a role",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbDelete,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
 	return nil
 }
-
-func roleCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	return []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func (provider *provider) roleInstanceSelectorCallback(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {
-	roleID, err := valuer.NewUUID(mux.Vars(req)["id"])
-	if err != nil {
-		return nil, err
-	}
-
-	role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), roleID)
-	if err != nil {
-		return nil, err
-	}
-
-	return []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(role.Name),
-		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}

pkg/apiserver/signozapiserver/serviceaccount.go

@@ -1,13 +1,10 @@
 package signozapiserver
 
 import (
-	"bytes"
-	"encoding/json"
-	"io"
+	"context"
 	"net/http"
 
 	"github.com/SigNoz/signoz/pkg/http/handler"
-	"github.com/SigNoz/signoz/pkg/http/middleware"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/coretypes"
@@ -17,41 +14,56 @@ import (
 )
 
 func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Create, authtypes.Relation{Verb: coretypes.VerbCreate}, coretypes.ResourceServiceAccount, serviceAccountCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create service account",
-		Description:         "This endpoint creates a service account",
-		Request:             new(serviceaccounttypes.PostableServiceAccount),
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbCreate)}),
-	})).Methods(http.MethodPost).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Create, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "CreateServiceAccount",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Create service account",
+			Description:         "This endpoint creates a service account",
+			Request:             new(serviceaccounttypes.PostableServiceAccount),
+			RequestContentType:  "",
+			Response:            new(types.Identifiable),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusCreated,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbCreate)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbCreate,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.ResponseJSONPath("data.id"),
+			Selector: coretypes.WildcardSelector,
+		}),
+	)).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.List, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceServiceAccount, serviceAccountCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "ListServiceAccounts",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "List service accounts",
-		Description:         "This endpoint lists the service accounts for an organisation",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*serviceaccounttypes.ServiceAccount, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbList)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.List, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "ListServiceAccounts",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "List service accounts",
+			Description:         "This endpoint lists the service accounts for an organisation",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            make([]*serviceaccounttypes.ServiceAccount, 0),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbList)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbList,
+			Category: coretypes.ActionCategoryAccessControl,
+			Selector: coretypes.WildcardSelector,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
@@ -72,89 +84,117 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Get, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "GetServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Gets a service account",
-		Description:         "This endpoint gets an existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(serviceaccounttypes.ServiceAccountWithRoles),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Get, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "GetServiceAccount",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Gets a service account",
+			Description:         "This endpoint gets an existing service account",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new(serviceaccounttypes.ServiceAccountWithRoles),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbRead,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: coretypes.IDSelector,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.GetRoles, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "GetServiceAccountRoles",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Gets service account roles",
-		Description:         "This endpoint gets all the roles for the existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new([]*authtypes.Role),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.GetRoles, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "GetServiceAccountRoles",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Gets service account roles",
+			Description:         "This endpoint gets all the roles for the existing service account",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new([]*authtypes.Role),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbRead,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: coretypes.IDSelector,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.SetRole, []middleware.AuthZCheckGroup{
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceRole, SelectorCallback: provider.roleAttachSelectorFromBody, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-	}), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccountRole",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create service account role",
-		Description:         "This endpoint assigns a role to a service account",
-		Request:             new(serviceaccounttypes.PostableServiceAccountRole),
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach), coretypes.ResourceRole.Scope(coretypes.VerbAttach)}),
-	})).Methods(http.MethodPost).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.SetRole, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "CreateServiceAccountRole",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Create service account role",
+			Description:         "This endpoint assigns a role to a service account",
+			Request:             new(serviceaccounttypes.PostableServiceAccountRole),
+			RequestContentType:  "",
+			Response:            new(types.Identifiable),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusCreated,
+			ErrorStatusCodes:    []int{http.StatusBadRequest},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach), coretypes.ResourceRole.Scope(coretypes.VerbAttach)}),
+		},
+		handler.WithResourceDefs(handler.AttachDetachSiblingResourceDef{
+			Verb:           coretypes.VerbAttach,
+			Category:       coretypes.ActionCategoryAccessControl,
+			SourceResource: coretypes.ResourceServiceAccount,
+			SourceIDs:      coretypes.OneID(coretypes.PathParam("id")),
+			SourceSelector: coretypes.IDSelector,
+			TargetResource: coretypes.ResourceRole,
+			TargetIDs:      coretypes.OneID(coretypes.BodyJSONPath("id")),
+			TargetSelector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.DeleteRole, []middleware.AuthZCheckGroup{
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceRole, SelectorCallback: provider.roleDetachSelectorFromPath, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-	}), handler.OpenAPIDef{
-		ID:                  "DeleteServiceAccountRole",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Delete service account role",
-		Description:         "This endpoint revokes a role from service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach), coretypes.ResourceRole.Scope(coretypes.VerbDetach)}),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.DeleteRole, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "DeleteServiceAccountRole",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Delete service account role",
+			Description:         "This endpoint revokes a role from service account",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach), coretypes.ResourceRole.Scope(coretypes.VerbDetach)}),
+		},
+		handler.WithResourceDefs(handler.AttachDetachSiblingResourceDef{
+			Verb:           coretypes.VerbDetach,
+			Category:       coretypes.ActionCategoryAccessControl,
+			SourceResource: coretypes.ResourceServiceAccount,
+			SourceIDs:      coretypes.OneID(coretypes.PathParam("id")),
+			SourceSelector: coretypes.IDSelector,
+			TargetResource: coretypes.ResourceRole,
+			TargetIDs:      coretypes.OneID(coretypes.PathParam("rid")),
+			TargetSelector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
@@ -175,208 +215,209 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Update, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "UpdateServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Updates a service account",
-		Description:         "This endpoint updates an existing service account",
-		Request:             new(serviceaccounttypes.UpdatableServiceAccount),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),
-	})).Methods(http.MethodPut).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Update, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "UpdateServiceAccount",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Updates a service account",
+			Description:         "This endpoint updates an existing service account",
+			Request:             new(serviceaccounttypes.UpdatableServiceAccount),
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbUpdate,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: coretypes.IDSelector,
+		}),
+	)).Methods(http.MethodPut).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Delete, authtypes.Relation{Verb: coretypes.VerbDelete}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "DeleteServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Deletes a service account",
-		Description:         "This endpoint deletes an existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDelete)}),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Delete, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "DeleteServiceAccount",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Deletes a service account",
+			Description:         "This endpoint deletes an existing service account",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDelete)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbDelete,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: coretypes.IDSelector,
+		}),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.CreateFactorAPIKey, []middleware.AuthZCheckGroup{
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbCreate}, Resource: coretypes.ResourceMetaResourceFactorAPIKey, SelectorCallback: factorAPIKeyCollectionSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-	}), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create a service account key",
-		Description:         "This endpoint creates a service account key",
-		Request:             new(serviceaccounttypes.PostableFactorAPIKey),
-		RequestContentType:  "",
-		Response:            new(serviceaccounttypes.GettableFactorAPIKeyWithKey),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbCreate), coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach)}),
-	})).Methods(http.MethodPost).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.CreateFactorAPIKey, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "CreateServiceAccountKey",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Create a service account key",
+			Description:         "This endpoint creates a service account key",
+			Request:             new(serviceaccounttypes.PostableFactorAPIKey),
+			RequestContentType:  "",
+			Response:            new(serviceaccounttypes.GettableFactorAPIKeyWithKey),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusCreated,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbCreate), coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach)}),
+		},
+		handler.WithResourceDefs(
+			handler.BasicResourceDef{
+				Resource: coretypes.ResourceMetaResourceFactorAPIKey,
+				Verb:     coretypes.VerbCreate,
+				Category: coretypes.ActionCategoryAccessControl,
+				ID:       coretypes.ResponseJSONPath("data.id"),
+				Selector: coretypes.WildcardSelector,
+			},
+			handler.AttachDetachParentChildResourceDef{
+				Verb:           coretypes.VerbAttach,
+				Category:       coretypes.ActionCategoryAccessControl,
+				ParentResource: coretypes.ResourceServiceAccount,
+				ParentID:       coretypes.PathParam("id"),
+				ParentSelector: coretypes.IDSelector,
+				ChildResource:  coretypes.ResourceMetaResourceFactorAPIKey,
+				ChildIDs:       coretypes.OneID(coretypes.ResponseJSONPath("data.id")),
+			},
+		),
+	)).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.ListFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceMetaResourceFactorAPIKey, factorAPIKeyCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "ListServiceAccountKeys",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "List service account keys",
-		Description:         "This endpoint lists the service account keys",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*serviceaccounttypes.GettableFactorAPIKey, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbList)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.ListFactorAPIKey, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "ListServiceAccountKeys",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "List service account keys",
+			Description:         "This endpoint lists the service account keys",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            make([]*serviceaccounttypes.GettableFactorAPIKey, 0),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbList)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceMetaResourceFactorAPIKey,
+			Verb:     coretypes.VerbList,
+			Category: coretypes.ActionCategoryAccessControl,
+			Selector: coretypes.WildcardSelector,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.UpdateFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceMetaResourceFactorAPIKey, factorAPIKeyInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "UpdateServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Updates a service account key",
-		Description:         "This endpoint updates an existing service account key",
-		Request:             new(serviceaccounttypes.UpdatableFactorAPIKey),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbUpdate)}),
-	})).Methods(http.MethodPut).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.UpdateFactorAPIKey, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "UpdateServiceAccountKey",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Updates a service account key",
+			Description:         "This endpoint updates an existing service account key",
+			Request:             new(serviceaccounttypes.UpdatableFactorAPIKey),
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbUpdate)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceMetaResourceFactorAPIKey,
+			Verb:     coretypes.VerbUpdate,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("fid"),
+			Selector: coretypes.IDSelector,
+		}),
+	)).Methods(http.MethodPut).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.RevokeFactorAPIKey, []middleware.AuthZCheckGroup{
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbDelete}, Resource: coretypes.ResourceMetaResourceFactorAPIKey, SelectorCallback: factorAPIKeyInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-	}), handler.OpenAPIDef{
-		ID:                  "RevokeServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Revoke a service account key",
-		Description:         "This endpoint revokes an existing service account key",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbDelete), coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach)}),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.RevokeFactorAPIKey, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "RevokeServiceAccountKey",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Revoke a service account key",
+			Description:         "This endpoint revokes an existing service account key",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbDelete), coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach)}),
+		},
+		handler.WithResourceDefs(
+			handler.BasicResourceDef{
+				Resource: coretypes.ResourceMetaResourceFactorAPIKey,
+				Verb:     coretypes.VerbDelete,
+				Category: coretypes.ActionCategoryAccessControl,
+				ID:       coretypes.PathParam("fid"),
+				Selector: coretypes.IDSelector,
+			},
+			handler.AttachDetachParentChildResourceDef{
+				Verb:           coretypes.VerbDetach,
+				Category:       coretypes.ActionCategoryAccessControl,
+				ParentResource: coretypes.ResourceServiceAccount,
+				ParentID:       coretypes.PathParam("id"),
+				ParentSelector: coretypes.IDSelector,
+				ChildResource:  coretypes.ResourceMetaResourceFactorAPIKey,
+				ChildIDs:       coretypes.OneID(coretypes.PathParam("fid")),
+			},
+		),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
 	return nil
 }
 
-func (provider *provider) roleDetachSelectorFromPath(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {
-	roleID, err := valuer.NewUUID(mux.Vars(req)["rid"])
+// roleSelector resolves the FGA selectors for a role from its UUID. The id is
+// already extracted by the ResourceDef (path or body); this only does the
+// UUID -> name lookup the FGA object string requires. Shared by service account
+// and role routes.
+func (provider *provider) roleSelector(ctx context.Context, resource coretypes.Resource, id string, orgID valuer.UUID) ([]coretypes.Selector, error) {
+	roleID, err := valuer.NewUUID(id)
 	if err != nil {
 		return nil, err
 	}
 
-	role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), roleID)
+	role, err := provider.authzService.Get(ctx, orgID, roleID)
 	if err != nil {
 		return nil, err
 	}
 
 	return []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(role.Name),
-		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-
-}
-
-func (provider *provider) roleAttachSelectorFromBody(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {
-	body, err := io.ReadAll(req.Body)
-	if err != nil {
-		return nil, err
-	}
-	req.Body = io.NopCloser(bytes.NewReader(body))
-
-	postableRole := new(serviceaccounttypes.PostableServiceAccountRole)
-	if err := json.Unmarshal(body, postableRole); err != nil {
-		return nil, err
-	}
-
-	role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), postableRole.ID)
-	if err != nil {
-		return nil, err
-	}
-
-	return []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(role.Name),
-		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func factorAPIKeyCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	return []coretypes.Selector{
-		coretypes.TypeMetaResource.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func factorAPIKeyInstanceSelectorCallback(req *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	fid := mux.Vars(req)["fid"]
-	fidSelector, err := coretypes.TypeMetaResource.Selector(fid)
-	if err != nil {
-		return nil, err
-	}
-
-	return []coretypes.Selector{
-		fidSelector,
-		coretypes.TypeMetaResource.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func serviceAccountCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	return []coretypes.Selector{
-		coretypes.TypeServiceAccount.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func serviceAccountInstanceSelectorCallback(req *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	id := mux.Vars(req)["id"]
-	idSelector, err := coretypes.TypeServiceAccount.Selector(id)
-	if err != nil {
-		return nil, err
-	}
-
-	return []coretypes.Selector{
-		idSelector,
-		coretypes.TypeServiceAccount.MustSelector(coretypes.WildCardSelectorString),
+		resource.Type().MustSelector(role.Name),
+		resource.Type().MustSelector(coretypes.WildCardSelectorString),
 	}, nil
 }

pkg/auditor/auditorserver/server_test.go

@@ -20,16 +20,16 @@ func newTestSettings() factory.ScopedProviderSettings {
 	return factory.NewScopedProviderSettings(instrumentationtest.New().ToProviderSettings(), "auditorserver_test")
 }
 
-func newTestEvent(resource string, action coretypes.Verb) audittypes.AuditEvent {
+func newTestEvent(resource coretypes.Resource, action coretypes.Verb) audittypes.AuditEvent {
 	return audittypes.AuditEvent{
 		Timestamp: time.Now(),
-		EventName: audittypes.NewEventName(coretypes.MustNewKind(resource), action),
+		EventName: audittypes.NewEventName(resource.Kind(), action),
 		AuditAttributes: audittypes.AuditAttributes{
 			Action:  action,
 			Outcome: audittypes.OutcomeSuccess,
 		},
 		ResourceAttributes: audittypes.ResourceAttributes{
-			ResourceKind: coretypes.MustNewKind(resource),
+			Resource: resource,
 		},
 	}
 }
@@ -84,7 +84,7 @@ func TestAdd_FlushesOnBatchSize(t *testing.T) {
 	go func() { _ = server.Start(ctx) }()
 
 	for i := 0; i < 3; i++ {
-		server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
+		server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))
 	}
 
 	assert.Eventually(t, func() bool {
@@ -113,7 +113,7 @@ func TestAdd_FlushesOnInterval(t *testing.T) {
 
 	go func() { _ = server.Start(ctx) }()
 
-	server.Add(ctx, newTestEvent("user", coretypes.VerbUpdate))
+	server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbUpdate))
 
 	assert.Eventually(t, func() bool {
 		return exported.Load() == 1
@@ -131,9 +131,9 @@ func TestAdd_DropsWhenBufferFull(t *testing.T) {
 
 	ctx := context.Background()
 
-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbUpdate))
-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbDelete))
+	server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))
+	server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbUpdate))
+	server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbDelete))
 
 	assert.Equal(t, 2, server.queueLen())
 }
@@ -156,7 +156,7 @@ func TestStop_DrainsRemainingEvents(t *testing.T) {
 	go func() { _ = server.Start(ctx) }()
 
 	for i := 0; i < 5; i++ {
-		server.Add(ctx, newTestEvent("alert-rule", coretypes.VerbCreate))
+		server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceRule, coretypes.VerbCreate))
 	}
 
 	require.NoError(t, server.Stop(ctx))
@@ -181,8 +181,8 @@ func TestAdd_ContinuesAfterExportFailure(t *testing.T) {
 
 	go func() { _ = server.Start(ctx) }()
 
-	server.Add(ctx, newTestEvent("user", coretypes.VerbDelete))
-	server.Add(ctx, newTestEvent("user", coretypes.VerbDelete))
+	server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbDelete))
+	server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbDelete))
 
 	assert.Eventually(t, func() bool {
 		return calls.Load() >= 1
@@ -213,7 +213,7 @@ func TestAdd_ConcurrentSafety(t *testing.T) {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
+			server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))
 		}()
 	}
 	wg.Wait()

pkg/http/handler/handler.go

@@ -15,13 +15,13 @@ type ServeOpenAPIFunc func(openapi.OperationContext)
 type Handler interface {
 	http.Handler
 	ServeOpenAPI(openapi.OperationContext)
-	AuditDef() *AuditDef
+	ResourceDefs() []ResourceDef
 }
 
 type handler struct {
-	handlerFunc http.HandlerFunc
-	openAPIDef  OpenAPIDef
-	auditDef    *AuditDef
+	handlerFunc  http.HandlerFunc
+	openAPIDef   OpenAPIDef
+	resourceDefs []ResourceDef
 }
 
 func New(handlerFunc http.HandlerFunc, openAPIDef OpenAPIDef, opts ...Option) Handler {
@@ -130,6 +130,6 @@ func (handler *handler) ServeOpenAPI(opCtx openapi.OperationContext) {
 	}
 }
 
-func (handler *handler) AuditDef() *AuditDef {
-	return handler.auditDef
+func (handler *handler) ResourceDefs() []ResourceDef {
+	return handler.resourceDefs
 }

pkg/http/handler/option.go

@@ -1,25 +1,9 @@
 package handler
 
-import (
-	"github.com/SigNoz/signoz/pkg/types/audittypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
-)
-
-// Option configures optional behaviour on a handler created by New.
 type Option func(*handler)
 
-type AuditDef struct {
-	ResourceKind    coretypes.Kind            //  Typeable.Kind() value, e.g. "dashboard", "user".
-	Action          coretypes.Verb            // create, update, delete, etc.
-	Category        audittypes.ActionCategory // access_control, configuration_change, etc.
-	ResourceIDParam string                    // Gorilla mux path param name for the resource ID.
-}
-
-// WithAudit attaches an AuditDef to the handler. The actual audit event
-// emission is handled by the middleware layer, which reads the AuditDef
-// from the matched route's handler.
-func WithAuditDef(def AuditDef) Option {
+func WithResourceDefs(defs ...ResourceDef) Option {
 	return func(h *handler) {
-		h.auditDef = &def
+		h.resourceDefs = append(h.resourceDefs, defs...)
 	}
 }

pkg/http/handler/resourcedef.go

@@ -0,0 +1,99 @@
+package handler
+
+import "github.com/SigNoz/signoz/pkg/types/coretypes"
+
+type ResourceDef interface {
+	// resolveRequest is unexported to seal the interface. It returns a slice so a
+	// single def can fan out (e.g. a telemetry query touching multiple signals).
+	resolveRequest(ec coretypes.ExtractorContext) []coretypes.ResolvedResource
+}
+
+func ResolveRequest(defs []ResourceDef, ec coretypes.ExtractorContext) []coretypes.ResolvedResource {
+	resolved := make([]coretypes.ResolvedResource, 0, len(defs))
+	for _, def := range defs {
+		resolved = append(resolved, def.resolveRequest(ec)...)
+	}
+
+	return resolved
+}
+
+// BasicResourceDef checks a single resource for one verb.
+type BasicResourceDef struct {
+	Resource coretypes.Resource
+	Verb     coretypes.Verb
+	Category coretypes.ActionCategory
+	ID       coretypes.ResourceIDExtractor
+	Selector coretypes.SelectorFunc
+}
+
+func (def BasicResourceDef) resolveRequest(ec coretypes.ExtractorContext) []coretypes.ResolvedResource {
+	return []coretypes.ResolvedResource{
+		coretypes.NewResolvedResource(
+			def.Verb,
+			def.Category,
+			def.Resource,
+			def.ID,
+			def.Selector,
+			ec,
+		),
+	}
+}
+
+// AttachDetachSiblingResourceDef checks an attach/detach between peer resources;
+// both source and target are authz-checked.
+type AttachDetachSiblingResourceDef struct {
+	Verb           coretypes.Verb
+	Category       coretypes.ActionCategory
+	SourceResource coretypes.Resource
+	SourceIDs      coretypes.ResourceIDsExtractor
+	SourceSelector coretypes.SelectorFunc
+	TargetResource coretypes.Resource
+	TargetIDs      coretypes.ResourceIDsExtractor
+	TargetSelector coretypes.SelectorFunc
+}
+
+func (def AttachDetachSiblingResourceDef) resolveRequest(ec coretypes.ExtractorContext) []coretypes.ResolvedResource {
+	return []coretypes.ResolvedResource{
+		coretypes.NewResolvedResourceWithTarget(
+			def.Verb,
+			def.Category,
+			def.SourceResource,
+			def.SourceIDs,
+			def.SourceSelector,
+			def.TargetResource,
+			def.TargetIDs,
+			def.TargetSelector,
+			false,
+			ec,
+		),
+	}
+}
+
+// AttachDetachParentChildResourceDef authz-checks only the parent; the child
+// rides along for audit context.
+type AttachDetachParentChildResourceDef struct {
+	Verb           coretypes.Verb
+	Category       coretypes.ActionCategory
+	ParentResource coretypes.Resource
+	ParentID       coretypes.ResourceIDExtractor
+	ParentSelector coretypes.SelectorFunc
+	ChildResource  coretypes.Resource
+	ChildIDs       coretypes.ResourceIDsExtractor
+}
+
+func (def AttachDetachParentChildResourceDef) resolveRequest(ec coretypes.ExtractorContext) []coretypes.ResolvedResource {
+	return []coretypes.ResolvedResource{
+		coretypes.NewResolvedResourceWithTarget(
+			def.Verb,
+			def.Category,
+			def.ParentResource,
+			coretypes.OneID(def.ParentID),
+			def.ParentSelector,
+			def.ChildResource,
+			def.ChildIDs,
+			nil,
+			true,
+			ec,
+		),
+	}
+}

pkg/http/middleware/audit.go

@@ -12,10 +12,10 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/auditor"
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/types/audittypes"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/coretypes"
 )
 
 const (
@@ -61,6 +61,12 @@ func (middleware *Audit) Wrap(next http.Handler) http.Handler {
 
 		responseBuffer := &byteBuffer{}
 		writer := newResponseCapture(rw, responseBuffer)
+
+		// Capture the body only when a resolved resource derives an id from it (e.g. a create).
+		if coretypes.ShouldCaptureResponseBody(req.Context()) {
+			writer.EnableBodyCapture()
+		}
+
 		next.ServeHTTP(writer, req)
 
 		statusCode, writeErr := writer.StatusCode(), writer.WriteError()
@@ -80,7 +86,7 @@ func (middleware *Audit) Wrap(next http.Handler) http.Handler {
 			fields = append(fields, errors.Attr(writeErr))
 			middleware.logger.ErrorContext(req.Context(), logMessage, fields...)
 		} else {
-			if responseBuffer.Len() != 0 {
+			if statusCode >= 400 && responseBuffer.Len() != 0 {
 				fields = append(fields, "response.body", responseBuffer.String())
 			}
 
@@ -94,76 +100,85 @@ func (middleware *Audit) emitAuditEvent(req *http.Request, writer responseCaptur
 		return
 	}
 
-	def := auditDefFromRequest(req)
-	if def == nil {
+	resolved, err := coretypes.ResolvedResourcesFromContext(req.Context())
+	if err != nil || len(resolved) == 0 {
 		return
 	}
 
-	// extract claims
 	claims, _ := authtypes.ClaimsFromContext(req.Context())
-
-	// extract status code
 	statusCode := writer.StatusCode()
-
-	// extract traces.
 	span := trace.SpanFromContext(req.Context())
 
-	// extract error details.
 	var errorType, errorCode string
 	if statusCode >= 400 {
 		errorType = render.ErrorTypeFromStatusCode(statusCode)
 		errorCode = render.ErrorCodeFromBody(writer.BodyBytes())
 	}
 
-	event := audittypes.NewAuditEventFromHTTPRequest(
-		req,
-		routeTemplate,
-		statusCode,
-		span.SpanContext().TraceID(),
-		span.SpanContext().SpanID(),
-		def.Action,
-		def.Category,
-		claims,
-		resourceIDFromRequest(req, def.ResourceIDParam),
-		def.ResourceKind,
-		errorType,
-		errorCode,
-	)
+	extractorCtx := coretypes.ExtractorContext{Request: req, ResponseBody: writer.BodyBytes()}
 
-	middleware.auditor.Audit(req.Context(), event)
-}
-
-func auditDefFromRequest(req *http.Request) *handler.AuditDef {
-	route := mux.CurrentRoute(req)
-	if route == nil {
-		return nil
-	}
-
-	actualHandler := route.GetHandler()
-	if actualHandler == nil {
-		return nil
-	}
-
-	// The type assertion is necessary because route.GetHandler() returns
-	// http.Handler, and not every http.Handler on the mux is a handler.Handler
-	// (e.g. middleware wrappers, raw http.HandlerFunc registrations).
-	provider, ok := actualHandler.(handler.Handler)
-	if !ok {
-		return nil
-	}
-
-	return provider.AuditDef()
-}
-
-func resourceIDFromRequest(req *http.Request, param string) string {
-	if param == "" {
-		return ""
-	}
-
-	vars := mux.Vars(req)
-	if vars == nil {
-		return ""
-	}
-
-	return vars[param]
+	for _, resource := range resolved {
+		resource.ResolveResponse(extractorCtx)
+		verb, category := resource.Verb(), resource.Category()
+
+		switch typed := resource.(type) {
+		case coretypes.ResolvedResourceWithTargetResource:
+			for _, sourceID := range typed.SourceIDs() {
+				for _, targetID := range typed.TargetIDs() {
+					attributesList := []audittypes.ResourceAttributes{
+						audittypes.NewRelatedResourceAttributes(
+							typed.SourceResource(),
+							sourceID,
+							typed.TargetResource(),
+							targetID,
+						),
+					}
+
+					// Sibling peers are symmetric, so mirror the event from the target's side too.
+					if !typed.IsParentChild() {
+						attributesList = append(attributesList, audittypes.NewRelatedResourceAttributes(
+							typed.TargetResource(),
+							targetID,
+							typed.SourceResource(),
+							sourceID,
+						))
+					}
+
+					for _, attributes := range attributesList {
+						middleware.auditor.Audit(req.Context(), audittypes.NewAuditEventFromHTTPRequest(
+							req,
+							routeTemplate,
+							statusCode,
+							span.SpanContext().TraceID(),
+							span.SpanContext().SpanID(),
+							verb,
+							category,
+							claims,
+							attributes,
+							errorType,
+							errorCode,
+						))
+					}
+				}
+			}
+		default:
+			for _, id := range resource.SourceIDs() {
+				attributes := audittypes.NewResourceAttributes(resource.SourceResource(), id)
+
+				middleware.auditor.Audit(req.Context(), audittypes.NewAuditEventFromHTTPRequest(
+					req,
+					routeTemplate,
+					statusCode,
+					span.SpanContext().TraceID(),
+					span.SpanContext().SpanID(),
+					verb,
+					category,
+					claims,
+					attributes,
+					errorType,
+					errorCode,
+				))
+			}
+		}
+	}
 }

pkg/http/middleware/authz.go

@@ -1,6 +1,8 @@
 package middleware
 
 import (
+	"context"
+	"fmt"
 	"log/slog"
 	"net/http"
 
@@ -19,18 +21,6 @@ const (
 	authzDeniedMessage string = "::AUTHZ-DENIED::"
 )
 
-type AuthZCheckDef struct {
-	Relation         authtypes.Relation
-	Resource         coretypes.Resource
-	SelectorCallback selectorCallbackWithClaimsFn
-	Roles            []string
-}
-
-// AuthZCheckGroup is a set of checks OR'd together.
-// At least one check in the group must pass for the group to pass.
-type AuthZCheckGroup []AuthZCheckDef
-
-type selectorCallbackWithClaimsFn func(*http.Request, authtypes.Claims) ([]coretypes.Selector, error)
 type selectorCallbackWithoutClaimsFn func(*http.Request, []*types.Organization) ([]coretypes.Selector, valuer.UUID, error)
 
 type AuthZ struct {
@@ -201,7 +191,9 @@ func (middleware *AuthZ) OpenAccess(next http.HandlerFunc) http.HandlerFunc {
 	})
 }
 
-func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb selectorCallbackWithClaimsFn, roles []string) http.HandlerFunc {
+// CheckResources authorizes every resolved resource for the route. roles are the
+// allowed role names (the OSS role-gate); the resource selectors drive the EE check.
+func (middleware *AuthZ) CheckResources(next http.HandlerFunc, roles ...string) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		claims, err := authtypes.ClaimsFromContext(ctx)
@@ -210,40 +202,7 @@ func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relatio
 			return
 		}
 
-		selectors, err := cb(req, claims)
-		if err != nil {
-			render.Error(rw, err)
-			return
-		}
-
-		roleSelectors := []coretypes.Selector{}
-		for _, role := range roles {
-			roleSelectors = append(roleSelectors, coretypes.TypeRole.MustSelector(role))
-		}
-
-		err = middleware.authzService.CheckWithTupleCreation(ctx, claims, valuer.MustNewUUID(claims.OrgID), relation, typeable, selectors, roleSelectors)
-		if err != nil {
-			render.Error(rw, err)
-			return
-		}
-
-		next(rw, req)
-	})
-}
-
-// CheckAll verifies groups of permission checks.
-// Within each group, checks are OR'd (any check passing = group passes).
-// Across groups, results are AND'd (all groups must pass).
-//
-// This model expresses any combination:
-//   - Single check:          []AuthZCheckGroup{{checkA}}
-//   - Pure AND:              []AuthZCheckGroup{{checkA}, {checkB}}
-//   - Cross-resource OR:     []AuthZCheckGroup{{checkA, checkB}}
-//   - Mixed (A OR B) AND C:  []AuthZCheckGroup{{checkA, checkB}, {checkC}}
-func (middleware *AuthZ) CheckAll(next http.HandlerFunc, groups []AuthZCheckGroup) http.HandlerFunc {
-	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		ctx := req.Context()
-		claims, err := authtypes.ClaimsFromContext(ctx)
+		resolved, err := coretypes.ResolvedResourcesFromContext(ctx)
 		if err != nil {
 			render.Error(rw, err)
 			return
@@ -251,33 +210,23 @@ func (middleware *AuthZ) CheckAll(next http.HandlerFunc, groups []AuthZCheckGrou
 
 		orgID := valuer.MustNewUUID(claims.OrgID)
 
-		for _, group := range groups {
-			groupPassed := false
-			var lastErr error
+		roleSelectors := make([]coretypes.Selector, len(roles))
+		for idx, role := range roles {
+			roleSelectors[idx] = coretypes.TypeRole.MustSelector(role)
+		}
 
-			for _, check := range group {
-				selectors, err := check.SelectorCallback(req, claims)
-				if err != nil {
+		for _, resource := range resolved {
+			if err := middleware.checkResource(ctx, claims, orgID, resource.Verb(), resource.SourceResource(), resource.SourceIDs(), resource.SourceSelector(), roleSelectors); err != nil {
+				render.Error(rw, err)
+				return
+			}
+
+			target, ok := resource.(coretypes.ResolvedResourceWithTargetResource)
+			if ok && !target.IsParentChild() {
+				if err := middleware.checkResource(ctx, claims, orgID, target.Verb(), target.TargetResource(), target.TargetIDs(), target.TargetSelector(), roleSelectors); err != nil {
 					render.Error(rw, err)
 					return
 				}
-
-				roleSelectors := make([]coretypes.Selector, len(check.Roles))
-				for idx, role := range check.Roles {
-					roleSelectors[idx] = coretypes.TypeRole.MustSelector(role)
-				}
-
-				err = middleware.authzService.CheckWithTupleCreation(ctx, claims, orgID, check.Relation, check.Resource, selectors, roleSelectors)
-				if err == nil {
-					groupPassed = true
-					break
-				}
-				lastErr = err
-			}
-
-			if !groupPassed {
-				render.Error(rw, lastErr)
-				return
 			}
 		}
 
@@ -285,6 +234,68 @@ func (middleware *AuthZ) CheckAll(next http.HandlerFunc, groups []AuthZCheckGrou
 	})
 }
 
+func (middleware *AuthZ) checkResource(
+	ctx context.Context,
+	claims authtypes.Claims,
+	orgID valuer.UUID,
+	verb coretypes.Verb,
+	resource coretypes.Resource,
+	ids []string,
+	selector coretypes.SelectorFunc,
+	roleSelectors []coretypes.Selector,
+) error {
+	if selector == nil {
+		return errors.New(errors.TypeInternal, errors.CodeInternal, "resolved resource is missing a selector")
+	}
+
+	for _, id := range ids {
+		selectors, err := selector(ctx, resource, id, orgID)
+		if err != nil {
+			return err
+		}
+
+		err = middleware.authzService.CheckWithTupleCreation(
+			ctx,
+			claims,
+			orgID,
+			authtypes.Relation{Verb: verb},
+			resource,
+			selectors,
+			roleSelectors,
+		)
+		if err == nil {
+			continue
+		}
+
+		if !errors.Asc(err, authtypes.ErrCodeAuthZForbidden) {
+			return err
+		}
+
+		middleware.logger.WarnContext(ctx, authzDeniedMessage, slog.Any("claims", claims))
+		principal := fmt.Sprintf("%s/%s", claims.Principal.StringValue(), claims.IdentityID())
+		if id != "" {
+			return errors.Newf(
+				errors.TypeForbidden,
+				authtypes.ErrCodeAuthZForbidden,
+				"%s is not authorized to perform %s on resource %q",
+				principal,
+				resource.Scope(verb),
+				id,
+			)
+		}
+
+		return errors.Newf(
+			errors.TypeForbidden,
+			authtypes.ErrCodeAuthZForbidden,
+			"%s is not authorized to perform %s",
+			principal,
+			resource.Scope(verb),
+		)
+	}
+
+	return nil
+}
+
 func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb selectorCallbackWithoutClaimsFn, roles []string) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()

pkg/http/middleware/resource.go

@@ -0,0 +1,67 @@
+package middleware
+
+import (
+	"bytes"
+	"io"
+	"log/slog"
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/types/coretypes"
+	"github.com/gorilla/mux"
+)
+
+// Resource resolves a route's declared ResourceDefs and stashes the result in
+// the request context for authz and audit to read.
+type Resource struct {
+	logger *slog.Logger
+}
+
+func NewResource(logger *slog.Logger) *Resource {
+	return &Resource{logger: logger.With(slog.String("pkg", pkgname))}
+}
+
+func (middleware *Resource) Wrap(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		defs := resourceDefsFromRequest(req)
+		if len(defs) == 0 {
+			next.ServeHTTP(rw, req)
+			return
+		}
+
+		// Buffer the body once so extractors can read it and the handler still sees a fresh reader.
+		var body []byte
+		if req.Body != nil {
+			body, _ = io.ReadAll(req.Body)
+			req.Body = io.NopCloser(bytes.NewReader(body))
+		}
+
+		extractorCtx := coretypes.ExtractorContext{
+			Request:     req,
+			RequestBody: body,
+		}
+		resolved := handler.ResolveRequest(defs, extractorCtx)
+
+		ctx := coretypes.NewContextWithResolvedResources(req.Context(), resolved)
+		next.ServeHTTP(rw, req.WithContext(ctx))
+	})
+}
+
+func resourceDefsFromRequest(req *http.Request) []handler.ResourceDef {
+	route := mux.CurrentRoute(req)
+	if route == nil {
+		return nil
+	}
+
+	actualHandler := route.GetHandler()
+	if actualHandler == nil {
+		return nil
+	}
+
+	provider, ok := actualHandler.(handler.Handler)
+	if !ok {
+		return nil
+	}
+
+	return provider.ResourceDefs()
+}

pkg/http/middleware/response.go

@@ -23,9 +23,14 @@ type responseCapture interface {
 	// WriteError returns the error (if any) from the downstream Write call.
 	WriteError() error
 
-	// BodyBytes returns the captured response body bytes. Only populated
-	// for error responses (status >= 400).
+	// BodyBytes returns the captured response body bytes. Populated for error
+	// responses (status >= 400), or for any response once EnableBodyCapture is called.
 	BodyBytes() []byte
+
+	// EnableBodyCapture forces capture of the response body regardless of status
+	// code (still bounded by maxResponseBodyCapture). Must be called before the
+	// handler writes the response.
+	EnableBodyCapture()
 }
 
 func newResponseCapture(rw http.ResponseWriter, buffer *byteBuffer) responseCapture {
@@ -72,12 +77,13 @@ func (b *byteBuffer) String() string {
 }
 
 type nonFlushingResponseCapture struct {
-	rw            http.ResponseWriter
-	buffer        *byteBuffer
-	captureBody   bool
-	bodyBytesLeft int
-	statusCode    int
-	writeError    error
+	rw               http.ResponseWriter
+	buffer           *byteBuffer
+	captureBody      bool
+	forceCaptureBody bool
+	bodyBytesLeft    int
+	statusCode       int
+	writeError       error
 }
 
 type flushingResponseCapture struct {
@@ -98,13 +104,17 @@ func (writer *nonFlushingResponseCapture) Header() http.Header {
 // WriteHeader writes the HTTP response header.
 func (writer *nonFlushingResponseCapture) WriteHeader(statusCode int) {
 	writer.statusCode = statusCode
-	if statusCode >= 400 {
+	if statusCode >= 400 || writer.forceCaptureBody {
 		writer.captureBody = true
 	}
 
 	writer.rw.WriteHeader(statusCode)
 }
 
+func (writer *nonFlushingResponseCapture) EnableBodyCapture() {
+	writer.forceCaptureBody = true
+}
+
 // Write writes HTTP response data.
 func (writer *nonFlushingResponseCapture) Write(data []byte) (int, error) {
 	if writer.statusCode == 0 {

pkg/modules/tracedetail/impltracedetail/module.go

@@ -182,7 +182,7 @@ func (m *module) getFullFlamegraph(ctx context.Context, traceID string, summary
 		return nil, spantypes.ErrTraceNotFound
 	}
 	flamegraphTrace := spantypes.NewFlamegraphTraceFromStorable(fullSpans, selectFields)
-	return spantypes.NewGettableFlamegraphTrace(flamegraphTrace.GetAllLevels(), summary.Start.UnixMilli(), summary.End.UnixMilli(), false), nil
+	return spantypes.NewGettableFlamegraphTrace(flamegraphTrace.GetAllLevels(), summary.Start, summary.End, false), nil
 }
 
 // getWindowedFlamegraph returns a window of a max levels and max sampled spans per level around the selected span.
@@ -209,10 +209,6 @@ func (m *module) getWindowedFlamegraph(ctx context.Context, traceID, selectedSpa
 		return nil, err
 	}
 
-	return spantypes.NewGettableFlamegraphTrace(
-		flamegraphTrace.EnrichSelectedSpans(selectedSpans, fullSpans, selectFields),
-		summary.Start.UnixMilli(),
-		summary.End.UnixMilli(),
-		true,
-	), nil
+	enrichedSpans := flamegraphTrace.EnrichSelectedSpans(selectedSpans, fullSpans, selectFields)
+	return spantypes.NewGettableFlamegraphTrace(enrichedSpans, summary.Start, summary.End, true), nil
 }

pkg/query-service/app/server.go

@@ -168,6 +168,7 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,
 		s.config.APIServer.Timeout.Default,
 		s.config.APIServer.Timeout.Max,
 	).Wrap)
+	r.Use(middleware.NewResource(s.signoz.Instrumentation.Logger()).Wrap)
 	r.Use(middleware.NewAudit(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes, s.signoz.Auditor).Wrap)
 	r.Use(middleware.NewComment().Wrap)
 

pkg/types/audittypes/attributes.go

@@ -13,13 +13,13 @@ import (
 
 // Audit attributes — Action (What).
 type AuditAttributes struct {
-	Action         coretypes.Verb // guaranteed to be present
-	ActionCategory ActionCategory // guaranteed to be present
-	Outcome        Outcome        // guaranteed to be present
+	Action         coretypes.Verb           // guaranteed to be present
+	ActionCategory coretypes.ActionCategory // guaranteed to be present
+	Outcome        Outcome                  // guaranteed to be present
 	IdentNProvider authtypes.IdentNProvider
 }
 
-func NewAuditAttributesFromHTTP(statusCode int, action coretypes.Verb, category ActionCategory, claims authtypes.Claims) AuditAttributes {
+func NewAuditAttributesFromHTTP(statusCode int, action coretypes.Verb, category coretypes.ActionCategory, claims authtypes.Claims) AuditAttributes {
 	outcome := OutcomeFailure
 	if statusCode >= 200 && statusCode < 400 {
 		outcome = OutcomeSuccess
@@ -71,23 +71,50 @@ func (attributes PrincipalAttributes) Put(dest pcommon.Map) {
 // Audit attributes — Resource (On What).
 // These are OTel resource attributes (placed on the Resource, not event attributes).
 type ResourceAttributes struct {
-	ResourceID   string
-	ResourceKind coretypes.Kind // guaranteed to be present
+	Resource   coretypes.Resource // guaranteed to be present
+	ResourceID string
+
+	// TargetResource names the counterpart of an attach/detach event (audit
+	// context only). nil when there is no relationship.
+	TargetResource   coretypes.Resource
+	TargetResourceID string
 }
 
-func NewResourceAttributes(resourceID string, resourceKind coretypes.Kind) ResourceAttributes {
+func NewResourceAttributes(resource coretypes.Resource, resourceID string) ResourceAttributes {
 	return ResourceAttributes{
-		ResourceID:   resourceID,
-		ResourceKind: resourceKind,
+		Resource:   resource,
+		ResourceID: resourceID,
+	}
+}
+
+// NewAttachResourceAttributes builds resource attributes that additionally name
+// the target counterpart (used for attach/detach audit events).
+func NewRelatedResourceAttributes(resource coretypes.Resource, resourceID string, targetResource coretypes.Resource, targetResourceID string) ResourceAttributes {
+	return ResourceAttributes{
+		Resource:         resource,
+		ResourceID:       resourceID,
+		TargetResource:   targetResource,
+		TargetResourceID: targetResourceID,
 	}
 }
 
 // PutResource writes the resource attributes to an OTel Resource's attribute map.
 // These are resource-level attributes (stored in the resource JSON column),
 // not event-level attributes (stored in attributes_string).
-func (attributes ResourceAttributes) PutResource(dest pcommon.Map) {
-	putStrIfNotEmpty(dest, "signoz.audit.resource.kind", attributes.ResourceKind.String())
+func (attributes ResourceAttributes) PutResource(orgID valuer.UUID, dest pcommon.Map) {
+	putStrIfNotEmpty(dest, "signoz.audit.resource.kind", attributes.Resource.Kind().String())
 	putStrIfNotEmpty(dest, "signoz.audit.resource.id", attributes.ResourceID)
+	if attributes.ResourceID != "" {
+		putStrIfNotEmpty(dest, "signoz.audit.resource.object", attributes.Resource.Object(orgID, attributes.ResourceID))
+	}
+
+	if attributes.TargetResource != nil {
+		putStrIfNotEmpty(dest, "signoz.audit.resource.target.kind", attributes.TargetResource.Kind().String())
+		putStrIfNotEmpty(dest, "signoz.audit.resource.target.id", attributes.TargetResourceID)
+		if attributes.TargetResourceID != "" {
+			putStrIfNotEmpty(dest, "signoz.audit.resource.target.object", attributes.TargetResource.Object(orgID, attributes.TargetResourceID))
+		}
+	}
 }
 
 // Audit attributes — Error (When outcome is failure)
@@ -193,13 +220,24 @@ func newBody(auditAttributes AuditAttributes, principalAttributes PrincipalAttri
 
 	// Resource: " kind (id)" or " kind".
 	b.WriteString(" ")
-	b.WriteString(resourceAttributes.ResourceKind.String())
+	b.WriteString(resourceAttributes.Resource.Kind().String())
 	if resourceAttributes.ResourceID != "" {
 		b.WriteString(" (")
 		b.WriteString(resourceAttributes.ResourceID)
 		b.WriteString(")")
 	}
 
+	// Target (attach/detach context): " · target kind (id)" or " · target kind".
+	if resourceAttributes.TargetResource != nil {
+		b.WriteString(" to ")
+		b.WriteString(resourceAttributes.TargetResource.Kind().String())
+		if resourceAttributes.TargetResourceID != "" {
+			b.WriteString(" (")
+			b.WriteString(resourceAttributes.TargetResourceID)
+			b.WriteString(")")
+		}
+	}
+
 	// Error suffix (failure only): ": type (code)" or ": type" or ": (code)" or omitted.
 	if auditAttributes.Outcome == OutcomeFailure {
 		errorType := errorAttributes.ErrorType

pkg/types/audittypes/attributes_test.go

@@ -36,7 +36,7 @@ func TestNewAuditAttributesFromHTTP_OutcomeBoundary(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			attrs := NewAuditAttributesFromHTTP(testCase.statusCode, coretypes.VerbUpdate, ActionCategoryConfigurationChange, claims)
+			attrs := NewAuditAttributesFromHTTP(testCase.statusCode, coretypes.VerbUpdate, coretypes.ActionCategoryConfigurationChange, claims)
 			assert.Equal(t, testCase.expectedOutcome, attrs.Outcome)
 		})
 	}
@@ -55,7 +55,7 @@ func TestNewBody(t *testing.T) {
 			name: "Success_EmptyResourceID",
 			auditAttributes: AuditAttributes{
 				Action:         coretypes.VerbDelete,
-				ActionCategory: ActionCategoryConfigurationChange,
+				ActionCategory: coretypes.ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
 			principalAttributes: PrincipalAttributes{
@@ -63,8 +63,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("test@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "test@acme.com (019a1234-abcd-7000-8000-567800000001) deleted dashboard",
@@ -73,7 +73,7 @@ func TestNewBody(t *testing.T) {
 			name: "Success_EmptyPrincipalEmail",
 			auditAttributes: AuditAttributes{
 				Action:         coretypes.VerbDelete,
-				ActionCategory: ActionCategoryConfigurationChange,
+				ActionCategory: coretypes.ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
 			principalAttributes: PrincipalAttributes{
@@ -81,8 +81,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.Email{},
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "abd",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "abd",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "019a1234-abcd-7000-8000-567800000001 deleted dashboard (abd)",
@@ -91,7 +91,7 @@ func TestNewBody(t *testing.T) {
 			name: "Success_EmptyPrincipalIDandEmail",
 			auditAttributes: AuditAttributes{
 				Action:         coretypes.VerbDelete,
-				ActionCategory: ActionCategoryConfigurationChange,
+				ActionCategory: coretypes.ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
 			principalAttributes: PrincipalAttributes{
@@ -99,8 +99,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.Email{},
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "abd",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "abd",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "deleted dashboard (abd)",
@@ -109,7 +109,7 @@ func TestNewBody(t *testing.T) {
 			name: "Success_AllPresent",
 			auditAttributes: AuditAttributes{
 				Action:         coretypes.VerbCreate,
-				ActionCategory: ActionCategoryConfigurationChange,
+				ActionCategory: coretypes.ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
 			principalAttributes: PrincipalAttributes{
@@ -117,8 +117,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("alice@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "019b-5678",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "alice@acme.com (019a1234-abcd-7000-8000-567800000001) created dashboard (019b-5678)",
@@ -127,21 +127,21 @@ func TestNewBody(t *testing.T) {
 			name: "Success_EmptyEverythingOptional",
 			auditAttributes: AuditAttributes{
 				Action:         coretypes.VerbUpdate,
-				ActionCategory: ActionCategoryConfigurationChange,
+				ActionCategory: coretypes.ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
 			principalAttributes: PrincipalAttributes{},
 			resourceAttributes: ResourceAttributes{
-				ResourceKind: coretypes.MustNewKind("alert-rule"),
+				Resource: coretypes.ResourceMetaResourceRule,
 			},
 			errorAttributes: ErrorAttributes{},
-			expectedBody:    "updated alert-rule",
+			expectedBody:    "updated rule",
 		},
 		{
 			name: "Failure_AllPresent",
 			auditAttributes: AuditAttributes{
 				Action:         coretypes.VerbUpdate,
-				ActionCategory: ActionCategoryConfigurationChange,
+				ActionCategory: coretypes.ActionCategoryConfigurationChange,
 				Outcome:        OutcomeFailure,
 			},
 			principalAttributes: PrincipalAttributes{
@@ -149,8 +149,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("viewer@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "019b-5678",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{
 				ErrorType: "forbidden",
@@ -169,7 +169,7 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("test@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceKind: coretypes.MustNewKind("user"),
+				Resource: coretypes.ResourceUser,
 			},
 			errorAttributes: ErrorAttributes{
 				ErrorType: "not-found",
@@ -187,8 +187,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("test@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "019b-5678",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "test@acme.com (019a1234-abcd-7000-8000-567800000001) failed to create dashboard (019b-5678)",

pkg/types/audittypes/event.go

@@ -44,6 +44,8 @@ type AuditEvent struct {
 	TransportAttributes TransportAttributes
 }
 
+// NewAuditEvent builds an audit event from pre-built resource attributes (which
+// may carry attach/target context).
 func NewAuditEventFromHTTPRequest(
 	req *http.Request,
 	route string,
@@ -51,16 +53,14 @@ func NewAuditEventFromHTTPRequest(
 	traceID oteltrace.TraceID,
 	spanID oteltrace.SpanID,
 	action coretypes.Verb,
-	actionCategory ActionCategory,
+	actionCategory coretypes.ActionCategory,
 	claims authtypes.Claims,
-	resourceID string,
-	resourceKind coretypes.Kind,
+	resourceAttributes ResourceAttributes,
 	errorType string,
 	errorCode string,
 ) AuditEvent {
 	auditAttributes := NewAuditAttributesFromHTTP(statusCode, action, actionCategory, claims)
 	principalAttributes := NewPrincipalAttributesFromClaims(claims)
-	resourceAttributes := NewResourceAttributes(resourceID, resourceKind)
 	errorAttributes := NewErrorAttributes(errorType, errorCode)
 	transportAttributes := NewTransportAttributesFromHTTP(req, route, statusCode)
 
@@ -69,7 +69,7 @@ func NewAuditEventFromHTTPRequest(
 		TraceID:             traceID,
 		SpanID:              spanID,
 		Body:                newBody(auditAttributes, principalAttributes, resourceAttributes, errorAttributes),
-		EventName:           NewEventName(resourceAttributes.ResourceKind, auditAttributes.Action),
+		EventName:           NewEventName(resourceAttributes.Resource.Kind(), auditAttributes.Action),
 		AuditAttributes:     auditAttributes,
 		PrincipalAttributes: principalAttributes,
 		ResourceAttributes:  resourceAttributes,
@@ -89,7 +89,7 @@ func NewPLogsFromAuditEvents(events []AuditEvent, name string, version string, s
 	groups := make(map[resourceKey][]int)
 	order := make([]resourceKey, 0)
 	for i, event := range events {
-		key := resourceKey{kind: event.ResourceAttributes.ResourceKind.String(), id: event.ResourceAttributes.ResourceID}
+		key := resourceKey{kind: event.ResourceAttributes.Resource.Kind().String(), id: event.ResourceAttributes.ResourceID}
 		if _, exists := groups[key]; !exists {
 			order = append(order, key)
 		}
@@ -101,7 +101,8 @@ func NewPLogsFromAuditEvents(events []AuditEvent, name string, version string, s
 		resourceAttrs := resourceLogs.Resource().Attributes()
 		resourceAttrs.PutStr(string(semconv.ServiceNameKey), name)
 		resourceAttrs.PutStr(string(semconv.ServiceVersionKey), version)
-		events[groups[key][0]].ResourceAttributes.PutResource(resourceAttrs)
+		head := events[groups[key][0]]
+		head.ResourceAttributes.PutResource(head.PrincipalAttributes.PrincipalOrgID, resourceAttrs)
 
 		scopeLogs := resourceLogs.ScopeLogs().AppendEmpty()
 		scopeLogs.Scope().SetName(scope)

pkg/types/audittypes/event_test.go

@@ -12,10 +12,10 @@ import (
 )
 
 var (
-	testDashboardKind = coretypes.MustNewKind("dashboard")
+	testDashboardResource = coretypes.ResourceMetaResourceDashboard
 )
 
-func TestNewAuditEventFromHTTPRequest(t *testing.T) {
+func TestNewAuditEvent(t *testing.T) {
 	traceID := oteltrace.TraceID{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
 	spanID := oteltrace.SpanID{1, 2, 3, 4, 5, 6, 7, 8}
 
@@ -26,10 +26,10 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 		route           string
 		statusCode      int
 		action          coretypes.Verb
-		category        ActionCategory
+		category        coretypes.ActionCategory
 		claims          authtypes.Claims
+		resource        coretypes.Resource
 		resourceID      string
-		resourceKind    coretypes.Kind
 		errorType       string
 		errorCode       string
 		expectedOutcome Outcome
@@ -42,10 +42,10 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 			route:           "/api/v1/dashboards",
 			statusCode:      http.StatusOK,
 			action:          coretypes.VerbCreate,
-			category:        ActionCategoryConfigurationChange,
+			category:        coretypes.ActionCategoryConfigurationChange,
 			claims:          authtypes.Claims{UserID: "019a1234-abcd-7000-8000-567800000001", Email: "alice@acme.com", OrgID: "019a-0000-0000-0001", IdentNProvider: authtypes.IdentNProviderTokenizer},
+			resource:        testDashboardResource,
 			resourceID:      "019b-5678-efgh-9012",
-			resourceKind:    testDashboardKind,
 			expectedOutcome: OutcomeSuccess,
 			expectedBody:    "alice@acme.com (019a1234-abcd-7000-8000-567800000001) created dashboard (019b-5678-efgh-9012)",
 		},
@@ -56,10 +56,10 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 			route:           "/api/v1/dashboards/{id}",
 			statusCode:      http.StatusForbidden,
 			action:          coretypes.VerbUpdate,
-			category:        ActionCategoryConfigurationChange,
+			category:        coretypes.ActionCategoryConfigurationChange,
 			claims:          authtypes.Claims{UserID: "019aaaaa-bbbb-7000-8000-cccc00000002", Email: "viewer@acme.com", OrgID: "019a-0000-0000-0001", IdentNProvider: authtypes.IdentNProviderTokenizer},
+			resource:        testDashboardResource,
 			resourceID:      "019b-5678-efgh-9012",
-			resourceKind:    testDashboardKind,
 			errorType:       "forbidden",
 			errorCode:       "authz_forbidden",
 			expectedOutcome: OutcomeFailure,
@@ -80,15 +80,14 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 				testCase.action,
 				testCase.category,
 				testCase.claims,
-				testCase.resourceID,
-				testCase.resourceKind,
+				NewResourceAttributes(testCase.resource, testCase.resourceID),
 				testCase.errorType,
 				testCase.errorCode,
 			)
 
 			assert.Equal(t, testCase.expectedOutcome, event.AuditAttributes.Outcome)
 			assert.Equal(t, testCase.expectedBody, event.Body)
-			assert.Equal(t, testCase.resourceKind, event.ResourceAttributes.ResourceKind)
+			assert.Equal(t, testCase.resource.Kind(), event.ResourceAttributes.Resource.Kind())
 			assert.Equal(t, testCase.resourceID, event.ResourceAttributes.ResourceID)
 			assert.Equal(t, testCase.action, event.AuditAttributes.Action)
 			assert.Equal(t, testCase.category, event.AuditAttributes.ActionCategory)
@@ -103,18 +102,18 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 	}
 }
 
-func newTestEvent(resourceKind coretypes.Kind, resourceID string, action coretypes.Verb) AuditEvent {
+func newTestEvent(resource coretypes.Resource, resourceID string, action coretypes.Verb) AuditEvent {
 	return AuditEvent{
-		Body:      resourceKind.String() + "." + action.PastTense(),
-		EventName: NewEventName(resourceKind, action),
+		Body:      resource.Kind().String() + "." + action.PastTense(),
+		EventName: NewEventName(resource.Kind(), action),
 		AuditAttributes: AuditAttributes{
 			Action:         action,
-			ActionCategory: ActionCategoryConfigurationChange,
+			ActionCategory: coretypes.ActionCategoryConfigurationChange,
 			Outcome:        OutcomeSuccess,
 		},
 		ResourceAttributes: ResourceAttributes{
-			ResourceKind: resourceKind,
-			ResourceID:   resourceID,
+			Resource:   resource,
+			ResourceID: resourceID,
 		},
 	}
 }
@@ -136,7 +135,7 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "SingleEvent",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),
 			},
 			expectedResourceLogs:    1,
 			expectedResourceKinds:   []string{"dashboard"},
@@ -146,9 +145,9 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "SameResource_MultipleEvents",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbDelete),
 			},
 			expectedResourceLogs:    1,
 			expectedResourceKinds:   []string{"dashboard"},
@@ -158,8 +157,8 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "DifferentResources_SeparateGroups",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),
-				newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),
+				newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbDelete),
 			},
 			expectedResourceLogs:    2,
 			expectedResourceKinds:   []string{"dashboard", "user"},
@@ -169,8 +168,8 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "SameKind_DifferentIDs_SeparateGroups",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),
-				newTestEvent(testDashboardKind, "d-002", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),
+				newTestEvent(testDashboardResource, "d-002", coretypes.VerbDelete),
 			},
 			expectedResourceLogs:    2,
 			expectedResourceKinds:   []string{"dashboard", "dashboard"},
@@ -180,11 +179,11 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "InterleavedResources_GroupedCorrectly",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),
-				newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbUpdate),
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),
-				newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbDelete),
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),
+				newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbUpdate),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),
+				newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbDelete),
 			},
 			expectedResourceLogs:    2,
 			expectedResourceKinds:   []string{"dashboard", "user"},
@@ -203,7 +202,6 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 				resourceLogs := logs.ResourceLogs().At(i)
 				resourceAttrs := resourceLogs.Resource().Attributes()
 
-				// Verify service resource attributes
 				serviceName, exists := resourceAttrs.Get("service.name")
 				assert.True(t, exists)
 				assert.Equal(t, "signoz", serviceName.Str())
@@ -212,7 +210,6 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 				assert.True(t, exists)
 				assert.Equal(t, "0.90.0", serviceVersion.Str())
 
-				// Verify audit resource attributes on Resource (not event attributes)
 				kind, exists := resourceAttrs.Get("signoz.audit.resource.kind")
 				assert.True(t, exists)
 				assert.Equal(t, testCase.expectedResourceKinds[i], kind.Str())
@@ -221,14 +218,11 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 				assert.True(t, exists)
 				assert.Equal(t, testCase.expectedResourceIDs[i], id.Str())
 
-				// Verify scope
 				assert.Equal(t, 1, resourceLogs.ScopeLogs().Len())
 				assert.Equal(t, "signoz.audit", resourceLogs.ScopeLogs().At(0).Scope().Name())
 
-				// Verify log record count per group
 				assert.Equal(t, testCase.expectedLogRecordCounts[i], resourceLogs.ScopeLogs().At(0).LogRecords().Len())
 
-				// Verify resource attrs are NOT in log record event attributes
 				for j := 0; j < resourceLogs.ScopeLogs().At(0).LogRecords().Len(); j++ {
 					recordAttrs := resourceLogs.ScopeLogs().At(0).LogRecords().At(j).Attributes()
 					_, hasKind := recordAttrs.Get("signoz.audit.resource.kind")

pkg/types/coretypes/action_category.go

@@ -1,11 +1,7 @@
-package audittypes
+package coretypes
 
 import "github.com/SigNoz/signoz/pkg/valuer"
 
-// ActionCategory classifies the audit event per IEC 62443.
-// See https://www.iec.ch/blog/understanding-iec-62443 for the standard reference.
-type ActionCategory struct{ valuer.String }
-
 var (
 	ActionCategoryAccessControl       = ActionCategory{valuer.NewString("access_control")}
 	ActionCategoryConfigurationChange = ActionCategory{valuer.NewString("configuration_change")}
@@ -13,6 +9,10 @@ var (
 	ActionCategorySystemEvent         = ActionCategory{valuer.NewString("system_event")}
 )
 
+// ActionCategory classifies an audited action per IEC 62443.
+// See https://www.iec.ch/blog/understanding-iec-62443 for the standard reference.
+type ActionCategory struct{ valuer.String }
+
 func (ActionCategory) Enum() []any {
 	return []any{
 		ActionCategoryAccessControl,

pkg/types/coretypes/extractor.go

@@ -0,0 +1,99 @@
+package coretypes
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+	"github.com/tidwall/gjson"
+)
+
+const (
+	PhaseRequest ExtractPhase = iota
+	PhaseResponse
+)
+
+type ExtractPhase int
+
+// ExtractorContext carries everything an extractor may read: Request + RequestBody
+// are filled pre-handler, ResponseBody post-handler.
+type ExtractorContext struct {
+	Request      *http.Request
+	RequestBody  []byte
+	ResponseBody []byte
+}
+
+type ResourceIDExtractor struct {
+	Phase ExtractPhase
+	Fn    func(ExtractorContext) (string, error)
+}
+
+type ResourceIDsExtractor struct {
+	Phase ExtractPhase
+	Fn    func(ExtractorContext) ([]string, error)
+}
+
+func (extractor ResourceIDExtractor) IsPhase(phase ExtractPhase) bool {
+	return extractor.Fn != nil && extractor.Phase == phase
+}
+
+func (extractor ResourceIDExtractor) RunFor(phase ExtractPhase, ec ExtractorContext) (string, bool) {
+	if !extractor.IsPhase(phase) {
+		return "", false
+	}
+
+	id, _ := extractor.Fn(ec)
+	return id, true
+}
+
+func (extractor ResourceIDsExtractor) IsPhase(phase ExtractPhase) bool {
+	return extractor.Fn != nil && extractor.Phase == phase
+}
+
+// OneID lifts a single-id extractor into a one-element ids extractor.
+func OneID(extractor ResourceIDExtractor) ResourceIDsExtractor {
+	return ResourceIDsExtractor{Phase: extractor.Phase, Fn: func(ec ExtractorContext) ([]string, error) {
+		id, err := extractor.Fn(ec)
+		if err != nil || id == "" {
+			return nil, err
+		}
+		return []string{id}, nil
+	}}
+}
+
+func PathParam(name string) ResourceIDExtractor {
+	return ResourceIDExtractor{Phase: PhaseRequest, Fn: func(ec ExtractorContext) (string, error) {
+		if ec.Request == nil {
+			return "", nil
+		}
+		return mux.Vars(ec.Request)[name], nil
+	}}
+}
+
+func BodyJSONPath(path string) ResourceIDExtractor {
+	return ResourceIDExtractor{Phase: PhaseRequest, Fn: func(ec ExtractorContext) (string, error) {
+		return gjson.GetBytes(ec.RequestBody, path).String(), nil
+	}}
+}
+
+func BodyJSONArray(path string) ResourceIDsExtractor {
+	return ResourceIDsExtractor{Phase: PhaseRequest, Fn: func(ec ExtractorContext) ([]string, error) {
+		result := gjson.GetBytes(ec.RequestBody, path)
+		if !result.Exists() {
+			return nil, nil
+		}
+
+		array := result.Array()
+		ids := make([]string, 0, len(array))
+		for _, r := range array {
+			ids = append(ids, r.String())
+		}
+
+		return ids, nil
+	}}
+}
+
+func ResponseJSONPath(path string) ResourceIDExtractor {
+	return ResourceIDExtractor{Phase: PhaseResponse, Fn: func(ec ExtractorContext) (string, error) {
+		return gjson.GetBytes(ec.ResponseBody, path).String(), nil
+	}}
+}

pkg/types/coretypes/resolved.go

@@ -0,0 +1,64 @@
+package coretypes
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+)
+
+var errCodeResolvedResourcesNotFound = errors.MustNewCode("resolved_resources_not_found")
+
+type resolvedKey struct{}
+
+// ResolvedResource is the resolved form of a resource def, produced by the
+// resource middleware and read by authz and audit.
+type ResolvedResource interface {
+	Verb() Verb
+	Category() ActionCategory
+	SourceResource() Resource
+	SourceIDs() []string
+	SourceSelector() SelectorFunc
+	ResolveResponse(ec ExtractorContext)
+	// hasResponsePhase reports whether an id is resolved from the response body.
+	hasResponsePhase() bool
+}
+
+type ResolvedResourceWithTargetResource interface {
+	ResolvedResource
+	TargetResource() Resource
+	TargetIDs() []string
+	TargetSelector() SelectorFunc
+	// IsParentChild true: the target is a child audited along but not authz-checked
+	// (only the source is); false: a sibling peer that is also authz-checked.
+	IsParentChild() bool
+}
+
+func NewContextWithResolvedResources(ctx context.Context, resolved []ResolvedResource) context.Context {
+	return context.WithValue(ctx, resolvedKey{}, resolved)
+}
+
+func ResolvedResourcesFromContext(ctx context.Context) ([]ResolvedResource, error) {
+	resolved, ok := ctx.Value(resolvedKey{}).([]ResolvedResource)
+	if !ok {
+		return nil, errors.New(errors.TypeInternal, errCodeResolvedResourcesNotFound, "resolved resources not found in context")
+	}
+
+	return resolved, nil
+}
+
+// ShouldCaptureResponseBody reports whether any resolved resource in ctx derives
+// an id from the response body.
+func ShouldCaptureResponseBody(ctx context.Context) bool {
+	resolved, err := ResolvedResourcesFromContext(ctx)
+	if err != nil {
+		return false
+	}
+
+	for _, resource := range resolved {
+		if resource.hasResponsePhase() {
+			return true
+		}
+	}
+
+	return false
+}

pkg/types/coretypes/resolved_resource.go

@@ -0,0 +1,69 @@
+package coretypes
+
+type resolvedResource struct {
+	verb        Verb
+	category    ActionCategory
+	resource    Resource
+	selector    SelectorFunc
+	idExtractor ResourceIDExtractor
+	ids         []string
+}
+
+func NewResolvedResource(
+	verb Verb,
+	category ActionCategory,
+	resource Resource,
+	idExtractor ResourceIDExtractor,
+	selector SelectorFunc,
+	ec ExtractorContext,
+) ResolvedResource {
+	resolved := &resolvedResource{
+		verb:        verb,
+		category:    category,
+		resource:    resource,
+		selector:    selector,
+		idExtractor: idExtractor,
+	}
+	resolved.fill(PhaseRequest, ec)
+
+	return resolved
+}
+
+func (resolved *resolvedResource) fill(phase ExtractPhase, ec ExtractorContext) {
+	if id, ok := resolved.idExtractor.RunFor(phase, ec); ok && id != "" {
+		resolved.ids = []string{id}
+	}
+}
+
+func (resolved *resolvedResource) Verb() Verb {
+	return resolved.verb
+}
+
+func (resolved *resolvedResource) Category() ActionCategory {
+	return resolved.category
+}
+
+func (resolved *resolvedResource) SourceResource() Resource {
+	return resolved.resource
+}
+
+// An empty id (when none resolved) means collection-level access.
+func (resolved *resolvedResource) SourceIDs() []string {
+	if len(resolved.ids) == 0 {
+		return []string{""}
+	}
+
+	return resolved.ids
+}
+
+func (resolved *resolvedResource) SourceSelector() SelectorFunc {
+	return resolved.selector
+}
+
+func (resolved *resolvedResource) ResolveResponse(ec ExtractorContext) {
+	resolved.fill(PhaseResponse, ec)
+}
+
+func (resolved *resolvedResource) hasResponsePhase() bool {
+	return resolved.idExtractor.IsPhase(PhaseResponse)
+}

pkg/types/coretypes/resolved_resource_with_target.go

@@ -0,0 +1,108 @@
+package coretypes
+
+type resolvedResourceWithTarget struct {
+	verb            Verb
+	category        ActionCategory
+	sourceResource  Resource
+	sourceSelector  SelectorFunc
+	sourceExtractor ResourceIDsExtractor
+	sourceIDs       []string
+	targetResource  Resource
+	targetSelector  SelectorFunc
+	targetExtractor ResourceIDsExtractor
+	targetIDs       []string
+	parentChild     bool
+}
+
+func NewResolvedResourceWithTarget(
+	verb Verb,
+	category ActionCategory,
+	sourceResource Resource,
+	sourceExtractor ResourceIDsExtractor,
+	sourceSelector SelectorFunc,
+	targetResource Resource,
+	targetExtractor ResourceIDsExtractor,
+	targetSelector SelectorFunc,
+	parentChild bool,
+	ec ExtractorContext,
+) ResolvedResourceWithTargetResource {
+	resolved := &resolvedResourceWithTarget{
+		verb:            verb,
+		category:        category,
+		sourceResource:  sourceResource,
+		sourceSelector:  sourceSelector,
+		sourceExtractor: sourceExtractor,
+		targetResource:  targetResource,
+		targetSelector:  targetSelector,
+		targetExtractor: targetExtractor,
+		parentChild:     parentChild,
+	}
+	resolved.fill(PhaseRequest, ec)
+
+	return resolved
+}
+
+func (resolved *resolvedResourceWithTarget) fill(phase ExtractPhase, ec ExtractorContext) {
+	if resolved.sourceExtractor.IsPhase(phase) {
+		if ids, _ := resolved.sourceExtractor.Fn(ec); len(ids) > 0 {
+			resolved.sourceIDs = ids
+		}
+	}
+	if resolved.targetExtractor.IsPhase(phase) {
+		if ids, _ := resolved.targetExtractor.Fn(ec); len(ids) > 0 {
+			resolved.targetIDs = ids
+		}
+	}
+}
+
+func (resolved *resolvedResourceWithTarget) Verb() Verb {
+	return resolved.verb
+}
+
+func (resolved *resolvedResourceWithTarget) Category() ActionCategory {
+	return resolved.category
+}
+
+func (resolved *resolvedResourceWithTarget) SourceResource() Resource {
+	return resolved.sourceResource
+}
+
+// An empty id (when none resolved) means collection-level access.
+func (resolved *resolvedResourceWithTarget) SourceIDs() []string {
+	if len(resolved.sourceIDs) == 0 {
+		return []string{""}
+	}
+
+	return resolved.sourceIDs
+}
+
+func (resolved *resolvedResourceWithTarget) SourceSelector() SelectorFunc {
+	return resolved.sourceSelector
+}
+
+func (resolved *resolvedResourceWithTarget) TargetResource() Resource {
+	return resolved.targetResource
+}
+
+func (resolved *resolvedResourceWithTarget) TargetIDs() []string {
+	if len(resolved.targetIDs) == 0 {
+		return []string{""}
+	}
+
+	return resolved.targetIDs
+}
+func (resolved *resolvedResourceWithTarget) TargetSelector() SelectorFunc {
+	return resolved.targetSelector
+}
+
+func (resolved *resolvedResourceWithTarget) IsParentChild() bool {
+	return resolved.parentChild
+}
+
+func (resolved *resolvedResourceWithTarget) ResolveResponse(ec ExtractorContext) {
+	resolved.fill(PhaseResponse, ec)
+}
+
+func (resolved *resolvedResourceWithTarget) hasResponsePhase() bool {
+	return resolved.sourceExtractor.IsPhase(PhaseResponse) || resolved.targetExtractor.IsPhase(PhaseResponse)
+}

pkg/types/coretypes/selector.go

@@ -1,15 +1,48 @@
 package coretypes
 
-import "encoding/json"
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
 
 const (
 	WildCardSelectorString string = "*"
 )
 
+var errCodeInvalidResourceID = errors.MustNewCode("invalid_resource_id")
+
+var WildcardSelector SelectorFunc = func(_ context.Context, resource Resource, _ string, _ valuer.UUID) ([]Selector, error) {
+	return []Selector{resource.Type().MustSelector(WildCardSelectorString)}, nil
+}
+
+var IDSelector SelectorFunc = func(_ context.Context, resource Resource, id string, _ valuer.UUID) ([]Selector, error) {
+	if id == "" {
+		return nil, errors.Newf(
+			errors.TypeInvalidInput,
+			errCodeInvalidResourceID,
+			"resource id is required for %s",
+			resource.Kind().String(),
+		)
+	}
+
+	selector, err := resource.Type().Selector(id)
+	if err != nil {
+		return nil, err
+	}
+
+	return []Selector{selector, resource.Type().MustSelector(WildCardSelectorString)}, nil
+}
+
 type Selector struct {
 	val string
 }
 
+// SelectorFunc maps a resolved id (+ its resource) to authz FGA selectors.
+type SelectorFunc func(ctx context.Context, resource Resource, id string, orgID valuer.UUID) ([]Selector, error)
+
 func (selector *Selector) MarshalJSON() ([]byte, error) {
 	return json.Marshal(selector.val)
 }

pkg/types/spantypes/flamegraph_span.go

@@ -1,6 +1,8 @@
 package spantypes
 
 import (
+	"time"
+
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 )
 
@@ -37,11 +39,17 @@ type GettableFlamegraphTrace struct {
 	HasMore              bool                `json:"hasMore" required:"true"`
 }
 
-func NewGettableFlamegraphTrace(spans [][]*FlamegraphSpan, startMs, endMs int64, hasMore bool) *GettableFlamegraphTrace {
+func NewGettableFlamegraphTrace(spans [][]*FlamegraphSpan, start, end time.Time, hasMore bool) *GettableFlamegraphTrace {
+	// convert timestamp to millisecond since client expect that
+	for _, level := range spans {
+		for _, span := range level {
+			span.Timestamp /= 1_000_000
+		}
+	}
 	return &GettableFlamegraphTrace{
 		Spans:                spans,
-		StartTimestampMillis: startMs,
-		EndTimestampMillis:   endMs,
+		StartTimestampMillis: start.UnixMilli(),
+		EndTimestampMillis:   end.UnixMilli(),
 		HasMore:              hasMore,
 	}
 }