fix(authz): single line returns

* feat(authz): add support for delete role

* feat(authz): register config and return error on cleanup failure

* feat(authz): take user and serviceaccount DI for assignee checks

* feat(authz): add the example yaml

* feat(authz): move to callbacks instead of DI

.github/workflows/e2eci.yaml

@@ -9,6 +9,27 @@ on:
       - labeled
 
 jobs:
+  fmtlint:
+    if: |
+      ((github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
+      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))) && contains(github.event.pull_request.labels.*.name, 'safe-to-e2e')
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: node
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+      - name: install
+        run: |
+          cd tests/e2e && yarn install --frozen-lockfile
+      - name: fmt
+        run: |
+          cd tests/e2e && yarn fmt:check
+      - name: lint
+        run: |
+          cd tests/e2e && yarn lint
   test:
     strategy:
       fail-fast: false

Makefile

@@ -201,14 +201,12 @@ docker-buildx-enterprise: go-build-enterprise js-build
 # python commands
 ##############################################################
 .PHONY: py-fmt
-py-fmt: ## Run black across the shared tests project
-	@cd tests && uv run black .
+py-fmt: ## Run ruff format across the shared tests project
+	@cd tests && uv run ruff format .
 
 .PHONY: py-lint
-py-lint: ## Run lint across the shared tests project
-	@cd tests && uv run isort .
-	@cd tests && uv run autoflake .
-	@cd tests && uv run pylint .
+py-lint: ## Run ruff check across the shared tests project
+	@cd tests && uv run ruff check --fix .
 
 .PHONY: py-test-setup
 py-test-setup: ## Bring up the shared SigNoz backend used by integration and e2e tests

cmd/community/server.go

@@ -92,7 +92,7 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 		func(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error) {
 			return signoz.NewAuthNs(ctx, providerSettings, store, licensing)
 		},
-		func(ctx context.Context, sqlstore sqlstore.SQLStore, _ licensing.Licensing, _ dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {
+		func(ctx context.Context, sqlstore sqlstore.SQLStore, _ licensing.Licensing, _ []authz.OnBeforeRoleDelete, _ dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {
 			openfgaDataStore, err := openfgaserver.NewSQLStore(sqlstore)
 			if err != nil {
 				return nil, err

cmd/enterprise/server.go

@@ -137,12 +137,12 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 
 			return authNs, nil
 		},
-		func(ctx context.Context, sqlstore sqlstore.SQLStore, licensing licensing.Licensing, dashboardModule dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {
+		func(ctx context.Context, sqlstore sqlstore.SQLStore, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete, dashboardModule dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {
 			openfgaDataStore, err := openfgaserver.NewSQLStore(sqlstore)
 			if err != nil {
 				return nil, err
 			}
-			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx), openfgaDataStore, licensing, dashboardModule), nil
+			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx), openfgaDataStore, licensing, onBeforeRoleDelete, dashboardModule), nil
 		},
 		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing) dashboard.Module {
 			return impldashboard.NewModule(pkgimpldashboard.NewStore(store), settings, analytics, orgGetter, queryParser, querier, licensing)

conf/example.yaml

@@ -407,3 +407,11 @@ cloudintegration:
   agent:
     # The version of the cloud integration agent.
     version: v0.0.8
+
+##################### Authz #################################
+authz:
+  # Specifies the authz provider to use.
+  provider: openfga
+  openfga:
+    # maximum tuples allowed per openfga write operation.
+    max_tuples_per_write: 100

docs/api/openapi.yml

@@ -2406,155 +2406,6 @@ components:
       - list
       - grouped_list
       type: string
-    LlmpricingruletypesGettablePricingRules:
-      properties:
-        items:
-          items:
-            $ref: '#/components/schemas/LlmpricingruletypesLLMPricingRule'
-          nullable: true
-          type: array
-        limit:
-          type: integer
-        offset:
-          type: integer
-        total:
-          type: integer
-      required:
-      - items
-      - total
-      - offset
-      - limit
-      type: object
-    LlmpricingruletypesLLMPricingRule:
-      properties:
-        cacheMode:
-          $ref: '#/components/schemas/LlmpricingruletypesLLMPricingRuleCacheMode'
-        costCacheRead:
-          format: double
-          type: number
-        costCacheWrite:
-          format: double
-          type: number
-        costInput:
-          format: double
-          type: number
-        costOutput:
-          format: double
-          type: number
-        createdAt:
-          format: date-time
-          type: string
-        createdBy:
-          type: string
-        enabled:
-          type: boolean
-        id:
-          type: string
-        isOverride:
-          type: boolean
-        modelName:
-          type: string
-        modelPattern:
-          items:
-            type: string
-          nullable: true
-          type: array
-        orgId:
-          type: string
-        sourceId:
-          type: string
-        syncedAt:
-          format: date-time
-          nullable: true
-          type: string
-        unit:
-          $ref: '#/components/schemas/LlmpricingruletypesLLMPricingRuleUnit'
-        updatedAt:
-          format: date-time
-          type: string
-        updatedBy:
-          type: string
-      required:
-      - id
-      - orgId
-      - modelName
-      - modelPattern
-      - unit
-      - cacheMode
-      - costInput
-      - costOutput
-      - costCacheRead
-      - costCacheWrite
-      - isOverride
-      - enabled
-      type: object
-    LlmpricingruletypesLLMPricingRuleCacheMode:
-      enum:
-      - subtract
-      - additive
-      - unknown
-      type: string
-    LlmpricingruletypesLLMPricingRuleUnit:
-      enum:
-      - per_million_tokens
-      type: string
-    LlmpricingruletypesUpdatableLLMPricingRule:
-      properties:
-        cacheMode:
-          $ref: '#/components/schemas/LlmpricingruletypesLLMPricingRuleCacheMode'
-        costCacheRead:
-          format: double
-          type: number
-        costCacheWrite:
-          format: double
-          type: number
-        costInput:
-          format: double
-          type: number
-        costOutput:
-          format: double
-          type: number
-        enabled:
-          type: boolean
-        id:
-          nullable: true
-          type: string
-        isOverride:
-          nullable: true
-          type: boolean
-        modelName:
-          type: string
-        modelPattern:
-          items:
-            type: string
-          nullable: true
-          type: array
-        sourceId:
-          nullable: true
-          type: string
-        unit:
-          $ref: '#/components/schemas/LlmpricingruletypesLLMPricingRuleUnit'
-      required:
-      - modelName
-      - modelPattern
-      - unit
-      - cacheMode
-      - costInput
-      - costOutput
-      - costCacheRead
-      - costCacheWrite
-      - enabled
-      type: object
-    LlmpricingruletypesUpdatableLLMPricingRules:
-      properties:
-        rules:
-          items:
-            $ref: '#/components/schemas/LlmpricingruletypesUpdatableLLMPricingRule'
-          nullable: true
-          type: array
-      required:
-      - rules
-      type: object
     MetricsexplorertypesInspectMetricsRequest:
       properties:
         end:
@@ -7245,218 +7096,6 @@ paths:
       summary: Create bulk invite
       tags:
       - users
-  /api/v1/llm_pricing_rules:
-    get:
-      deprecated: false
-      description: Returns all LLM pricing rules for the authenticated org, with pagination.
-      operationId: ListLLMPricingRules
-      parameters:
-      - in: query
-        name: offset
-        schema:
-          type: integer
-      - in: query
-        name: limit
-        schema:
-          type: integer
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/LlmpricingruletypesGettablePricingRules'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - VIEWER
-      - tokenizer:
-        - VIEWER
-      summary: List pricing rules
-      tags:
-      - llmpricingrules
-    put:
-      deprecated: false
-      description: Single write endpoint used by both the user and the Zeus sync job.
-        Per-rule match is by id, then sourceId, then insert. Override rows (is_override=true)
-        are fully preserved when the request does not provide isOverride; only synced_at
-        is stamped.
-      operationId: UpdateLLMPricingRules
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/LlmpricingruletypesUpdatableLLMPricingRules'
-      responses:
-        "204":
-          description: No Content
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Bulk update pricing rules
-      tags:
-      - llmpricingrules
-  /api/v1/llm_pricing_rules/{id}:
-    delete:
-      deprecated: false
-      description: Hard-deletes a pricing rule. If auto-synced, it will be recreated
-        on the next sync cycle.
-      operationId: DeleteLLMPricingRule
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "204":
-          description: No Content
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Delete a pricing rule
-      tags:
-      - llmpricingrules
-    get:
-      deprecated: false
-      description: Returns a single LLM pricing rule by ID.
-      operationId: GetLLMPricingRule
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/LlmpricingruletypesLLMPricingRule'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - VIEWER
-      - tokenizer:
-        - VIEWER
-      summary: Get a pricing rule
-      tags:
-      - llmpricingrules
   /api/v1/logs/promote_paths:
     get:
       deprecated: false
@@ -8168,7 +7807,7 @@ paths:
       summary: Patch role
       tags:
       - role
-  /api/v1/roles/{id}/relation/{relation}/objects:
+  /api/v1/roles/{id}/relations/{relation}/objects:
     get:
       deprecated: false
       description: Gets all objects connected to the specified role via a given relation

ee/authz/openfgaauthz/provider.go

@@ -20,20 +20,23 @@ import (
 )
 
 type provider struct {
-	pkgAuthzService authz.AuthZ
-	openfgaServer   *openfgaserver.Server
-	licensing       licensing.Licensing
-	store           authtypes.RoleStore
-	registry        []authz.RegisterTypeable
+	config             authz.Config
+	pkgAuthzService    authz.AuthZ
+	openfgaServer      *openfgaserver.Server
+	licensing          licensing.Licensing
+	store              authtypes.RoleStore
+	registry           []authz.RegisterTypeable
+	settings           factory.ScopedProviderSettings
+	onBeforeRoleDelete []authz.OnBeforeRoleDelete
 }
 
-func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, licensing licensing.Licensing, registry ...authz.RegisterTypeable) factory.ProviderFactory[authz.AuthZ, authz.Config] {
+func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete, registry ...authz.RegisterTypeable) factory.ProviderFactory[authz.AuthZ, authz.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("openfga"), func(ctx context.Context, ps factory.ProviderSettings, config authz.Config) (authz.AuthZ, error) {
-		return newOpenfgaProvider(ctx, ps, config, sqlstore, openfgaSchema, openfgaDataStore, licensing, registry)
+		return newOpenfgaProvider(ctx, ps, config, sqlstore, openfgaSchema, openfgaDataStore, licensing, onBeforeRoleDelete, registry)
 	})
 }
 
-func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, licensing licensing.Licensing, registry []authz.RegisterTypeable) (authz.AuthZ, error) {
+func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete, registry []authz.RegisterTypeable) (authz.AuthZ, error) {
 	pkgOpenfgaAuthzProvider := pkgopenfgaauthz.NewProviderFactory(sqlstore, openfgaSchema, openfgaDataStore)
 	pkgAuthzService, err := pkgOpenfgaAuthzProvider.New(ctx, settings, config)
 	if err != nil {
@@ -45,12 +48,17 @@ func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings,
 		return nil, err
 	}
 
+	scopedSettings := factory.NewScopedProviderSettings(settings, "github.com/SigNoz/signoz/ee/authz/openfgaauthz")
+
 	return &provider{
-		pkgAuthzService: pkgAuthzService,
-		openfgaServer:   openfgaServer,
-		licensing:       licensing,
-		store:           sqlauthzstore.NewSqlAuthzStore(sqlstore),
-		registry:        registry,
+		config:             config,
+		pkgAuthzService:    pkgAuthzService,
+		openfgaServer:      openfgaServer,
+		licensing:          licensing,
+		store:              sqlauthzstore.NewSqlAuthzStore(sqlstore),
+		registry:           registry,
+		settings:           scopedSettings,
+		onBeforeRoleDelete: onBeforeRoleDelete,
 	}, nil
 }
 
@@ -78,14 +86,40 @@ func (provider *provider) BatchCheck(ctx context.Context, tupleReq map[string]*o
 	return provider.openfgaServer.BatchCheck(ctx, tupleReq)
 }
 
-func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {
-	return provider.openfgaServer.ListObjects(ctx, subject, relation, typeable)
+func (provider *provider) CheckTransactions(ctx context.Context, subject string, orgID valuer.UUID, transactions []*authtypes.Transaction) ([]*authtypes.TransactionWithAuthorization, error) {
+	tuples, err := authtypes.NewTuplesFromTransactions(transactions, subject, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	batchResults, err := provider.openfgaServer.BatchCheck(ctx, tuples)
+	if err != nil {
+		return nil, err
+	}
+
+	results := make([]*authtypes.TransactionWithAuthorization, len(transactions))
+	for i, txn := range transactions {
+		result := batchResults[txn.ID.StringValue()]
+		results[i] = &authtypes.TransactionWithAuthorization{
+			Transaction: txn,
+			Authorized:  result.Authorized,
+		}
+	}
+	return results, nil
+}
+
+func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType authtypes.Type) ([]*authtypes.Object, error) {
+	return provider.openfgaServer.ListObjects(ctx, subject, relation, objectType)
 }
 
 func (provider *provider) Write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {
 	return provider.openfgaServer.Write(ctx, additions, deletions)
 }
 
+func (provider *provider) ReadTuples(ctx context.Context, tupleKey *openfgav1.ReadRequestTupleKey) ([]*openfgav1.TupleKey, error) {
+	return provider.openfgaServer.ReadTuples(ctx, tupleKey)
+}
+
 func (provider *provider) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.Role, error) {
 	return provider.pkgAuthzService.Get(ctx, orgID, id)
 }
@@ -146,7 +180,7 @@ func (provider *provider) Create(ctx context.Context, orgID valuer.UUID, role *a
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
 	}
 
-	return provider.store.Create(ctx, authtypes.NewStorableRoleFromRole(role))
+	return provider.store.Create(ctx, role)
 }
 
 func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) (*authtypes.Role, error) {
@@ -163,10 +197,10 @@ func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, ro
 	}
 
 	if existingRole != nil {
-		return authtypes.NewRoleFromStorableRole(existingRole), nil
+		return existingRole, nil
 	}
 
-	err = provider.store.Create(ctx, authtypes.NewStorableRoleFromRole(role))
+	err = provider.store.Create(ctx, role)
 	if err != nil {
 		return nil, err
 	}
@@ -175,14 +209,13 @@ func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, ro
 }
 
 func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource {
-	typeables := make([]authtypes.Typeable, 0)
-	for _, register := range provider.registry {
-		typeables = append(typeables, register.MustGetTypeables()...)
-	}
-
-	typeables = append(typeables, provider.MustGetTypeables()...)
 	resources := make([]*authtypes.Resource, 0)
-	for _, typeable := range typeables {
+	for _, register := range provider.registry {
+		for _, typeable := range register.MustGetTypeables() {
+			resources = append(resources, &authtypes.Resource{Name: typeable.Name(), Type: typeable.Type()})
+		}
+	}
+	for _, typeable := range provider.MustGetTypeables() {
 		resources = append(resources, &authtypes.Resource{Name: typeable.Name(), Type: typeable.Type()})
 	}
 
@@ -201,21 +234,23 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 	}
 
 	objects := make([]*authtypes.Object, 0)
-	for _, resource := range provider.GetResources(ctx) {
-		if slices.Contains(authtypes.TypeableRelations[resource.Type], relation) {
-			resourceObjects, err := provider.
-				ListObjects(
-					ctx,
-					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.Name, orgID, &authtypes.RelationAssignee),
-					relation,
-					authtypes.MustNewTypeableFromType(resource.Type, resource.Name),
-				)
-			if err != nil {
-				return nil, err
-			}
-
-			objects = append(objects, resourceObjects...)
+	for _, objectType := range provider.getUniqueTypes() {
+		if !slices.Contains(authtypes.TypeableRelations[objectType], relation) {
+			continue
 		}
+
+		resourceObjects, err := provider.
+			ListObjects(
+				ctx,
+				authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.Name, orgID, &authtypes.RelationAssignee),
+				relation,
+				objectType,
+			)
+		if err != nil {
+			return nil, err
+		}
+
+		objects = append(objects, resourceObjects...)
 	}
 
 	return objects, nil
@@ -227,7 +262,7 @@ func (provider *provider) Patch(ctx context.Context, orgID valuer.UUID, role *au
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
 	}
 
-	return provider.store.Update(ctx, orgID, authtypes.NewStorableRoleFromRole(role))
+	return provider.store.Update(ctx, orgID, role)
 }
 
 func (provider *provider) PatchObjects(ctx context.Context, orgID valuer.UUID, name string, relation authtypes.Relation, additions, deletions []*authtypes.Object) error {
@@ -260,17 +295,26 @@ func (provider *provider) Delete(ctx context.Context, orgID valuer.UUID, id valu
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
 	}
 
-	storableRole, err := provider.store.Get(ctx, orgID, id)
+	role, err := provider.store.Get(ctx, orgID, id)
 	if err != nil {
 		return err
 	}
 
-	role := authtypes.NewRoleFromStorableRole(storableRole)
 	err = role.ErrIfManaged()
 	if err != nil {
 		return err
 	}
 
+	for _, cb := range provider.onBeforeRoleDelete {
+		if err := cb(ctx, orgID, id); err != nil {
+			return err
+		}
+	}
+
+	if err := provider.deleteTuples(ctx, role.Name, orgID); err != nil {
+		return errors.WithAdditionalf(err, "failed to delete tuples for the role: %s", role.Name)
+	}
+
 	return provider.store.Delete(ctx, orgID, id)
 }
 
@@ -346,3 +390,62 @@ func (provider *provider) getManagedRoleTransactionTuples(orgID valuer.UUID) ([]
 
 	return tuples, nil
 }
+
+func (provider *provider) deleteTuples(ctx context.Context, roleName string, orgID valuer.UUID) error {
+	subject := authtypes.MustNewSubject(authtypes.TypeableRole, roleName, orgID, &authtypes.RelationAssignee)
+
+	tuples := make([]*openfgav1.TupleKey, 0)
+	for _, objectType := range provider.getUniqueTypes() {
+		typeTuples, err := provider.ReadTuples(ctx, &openfgav1.ReadRequestTupleKey{
+			User:   subject,
+			Object: objectType.StringValue() + ":",
+		})
+		if err != nil {
+			return err
+		}
+		tuples = append(tuples, typeTuples...)
+	}
+
+	if len(tuples) == 0 {
+		return nil
+	}
+
+	for idx := 0; idx < len(tuples); idx += provider.config.OpenFGA.MaxTuplesPerWrite {
+		end := idx + provider.config.OpenFGA.MaxTuplesPerWrite
+		if end > len(tuples) {
+			end = len(tuples)
+		}
+
+		err := provider.Write(ctx, nil, tuples[idx:end])
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (provider *provider) getUniqueTypes() []authtypes.Type {
+	seen := make(map[string]struct{})
+	uniqueTypes := make([]authtypes.Type, 0)
+	for _, register := range provider.registry {
+		for _, typeable := range register.MustGetTypeables() {
+			typeKey := typeable.Type().StringValue()
+			if _, ok := seen[typeKey]; ok {
+				continue
+			}
+			seen[typeKey] = struct{}{}
+			uniqueTypes = append(uniqueTypes, typeable.Type())
+		}
+	}
+	for _, typeable := range provider.MustGetTypeables() {
+		typeKey := typeable.Type().StringValue()
+		if _, ok := seen[typeKey]; ok {
+			continue
+		}
+		seen[typeKey] = struct{}{}
+		uniqueTypes = append(uniqueTypes, typeable.Type())
+	}
+
+	return uniqueTypes
+}

ee/authz/openfgaserver/server.go

@@ -110,10 +110,14 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openf
 	return server.pkgAuthzService.BatchCheck(ctx, tupleReq)
 }
 
-func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {
-	return server.pkgAuthzService.ListObjects(ctx, subject, relation, typeable)
+func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType authtypes.Type) ([]*authtypes.Object, error) {
+	return server.pkgAuthzService.ListObjects(ctx, subject, relation, objectType)
 }
 
 func (server *Server) Write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {
 	return server.pkgAuthzService.Write(ctx, additions, deletions)
 }
+
+func (server *Server) ReadTuples(ctx context.Context, tupleKey *openfgav1.ReadRequestTupleKey) ([]*openfgav1.TupleKey, error) {
+	return server.pkgAuthzService.ReadTuples(ctx, tupleKey)
+}

ee/query-service/app/server.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/cache/memorycache"
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule/impllmpricingrule"
 
 	"github.com/gorilla/handlers"
 
@@ -112,11 +111,9 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {
 	}
 
 	// initiate agent config handler
-	llmCostFeature := impllmpricingrule.NewLLMCostFeature(signoz.Modules.LLMPricingRule)
-
 	agentConfMgr, err := agentConf.Initiate(&agentConf.ManagerOptions{
 		Store:         signoz.SQLStore,
-		AgentFeatures: []agentConf.AgentFeature{logParsingPipelineController, llmCostFeature},
+		AgentFeatures: []agentConf.AgentFeature{logParsingPipelineController},
 	})
 	if err != nil {
 		return nil, err

frontend/e2e/test-plan/README.md

@@ -1,29 +0,0 @@
-# SigNoz E2E Test Plan
-
-This directory contains the structured test plan for the SigNoz application. Each subfolder corresponds to a main module or feature area, and contains scenario files for all user journeys, edge cases, and cross-module flows. These documents serve as the basis for generating Playwright MCP-driven E2E tests.
-
-## Structure
-
-- Each main module (e.g., logs, traces, dashboards, alerts, settings, etc.) has its own folder or markdown file.
-- Each file contains detailed scenario templates, including preconditions, step-by-step actions, and expected outcomes.
-- Use these documents to write, review, and update test cases as the application evolves.
-
-## Folders & Files
-
-- `logs/` — Logs module scenarios
-- `traces/` — Traces module scenarios
-- `metrics/` — Metrics module scenarios
-- `dashboards/` — Dashboards module scenarios
-- `alerts/` — Alerts module scenarios
-- `services/` — Services module scenarios
-- `settings/` — Settings and all sub-settings scenarios
-- `onboarding/` — Onboarding and signup flows
-- `navigation/` — Navigation, sidebar, and cross-module flows
-- `exceptions/` — Exception and error handling scenarios
-- `external-apis/` — External API monitoring scenarios
-- `messaging-queues/` — Messaging queue scenarios
-- `infrastructure/` — Infrastructure monitoring scenarios
-- `help-support/` — Help & support scenarios
-- `user-preferences/` — User preferences and personalization scenarios
-- `service-map/` — Service map scenarios
-- `saved-views/` — Saved views scenarios

frontend/e2e/test-plan/settings/README.md

@@ -1,16 +0,0 @@
-# Settings Module Test Plan
-
-This folder contains E2E test scenarios for the Settings module and all sub-settings.
-
-## Scenario Categories
-
-- General settings (org/workspace, branding, version info)
-- Billing settings
-- Members & SSO
-- Custom domain
-- Integrations
-- Notification channels
-- API keys
-- Ingestion
-- Account settings (profile, password, preferences)
-- Keyboard shortcuts

frontend/e2e/test-plan/settings/account-settings.md

@@ -1,43 +0,0 @@
-# Account Settings E2E Scenarios (Updated)
-
-## 1. Update Name
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Click 'Update name' button
-  2. Edit name field in the modal/dialog
-  3. Save changes
-- **Expected:** Name is updated in the UI
-
-## 2. Update Email
-
-- **Note:** The email field is not editable in the current UI.
-
-## 3. Reset Password
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Click 'Reset password' button
-  2. Complete reset flow (modal/dialog or external flow)
-- **Expected:** Password is reset
-
-## 4. Toggle 'Adapt to my timezone'
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Toggle 'Adapt to my timezone' switch
-- **Expected:** Timezone adapts accordingly (UI feedback/confirmation should be checked)
-
-## 5. Toggle Theme (Dark/Light)
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Toggle theme radio buttons ('Dark', 'Light Beta')
-- **Expected:** Theme changes
-
-## 6. Toggle Sidebar Always Open
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Toggle 'Keep the primary sidebar always open' switch
-- **Expected:** Sidebar remains open/closed as per toggle

frontend/e2e/test-plan/settings/api-keys.md

@@ -1,26 +0,0 @@
-# API Keys E2E Scenarios (Updated)
-
-## 1. Create a New API Key
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Click 'New Key' button
-  2. Enter details in the modal/dialog
-  3. Click 'Save'
-- **Expected:** API key is created and listed in the table
-
-## 2. Revoke an API Key
-
-- **Precondition:** API key exists
-- **Steps:**
-  1. In the table, locate the API key row
-  2. Click the revoke/delete button (icon button in the Action column)
-  3. Confirm if prompted
-- **Expected:** API key is revoked/removed from the table
-
-## 3. View API Key Usage
-
-- **Precondition:** API key exists
-- **Steps:**
-  1. View the 'Last used' and 'Expired' columns in the table
-- **Expected:** Usage data is displayed for each API key

frontend/e2e/test-plan/settings/billing.md

@@ -1,17 +0,0 @@
-# Billing Settings E2E Scenarios (Updated)
-
-## 1. View Billing Information
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Navigate to Billing Settings
-  2. Wait for the billing chart/data to finish loading
-- **Expected:**
-  - Billing heading and subheading are displayed
-  - Usage/cost table is visible with columns: Unit, Data Ingested, Price per Unit, Cost (Billing period to date)
-  - "Download CSV" and "Manage Billing" buttons are present and enabled after loading
-  - Test clicking "Download CSV" and "Manage Billing" for expected behavior (e.g., file download, navigation, or modal)
-
-> Note: If these features are expected to trigger specific flows, document the observed behavior for each button.
-
-

frontend/e2e/test-plan/settings/custom-domain.md

@@ -1,18 +0,0 @@
-# Custom Domain E2E Scenarios (Updated)
-
-## 1. Add or Update Custom Domain
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Click 'Customize team’s URL' button
-  2. In the 'Customize your team’s URL' dialog, enter the preferred subdomain
-  3. Click 'Apply Changes'
-- **Expected:** Domain is set/updated for the team (UI feedback/confirmation should be checked)
-
-## 2. Verify Domain Ownership
-
-- **Note:** No explicit 'Verify' button or flow is present in the current UI. If verification is required, it may be handled automatically or via support.
-
-## 3. Remove a Custom Domain
-
-- **Note:** No explicit 'Remove' button or flow is present in the current UI. The only available action is to update the subdomain.

frontend/e2e/test-plan/settings/general.md

@@ -1,31 +0,0 @@
-# General Settings E2E Scenarios
-
-## 1. View General Settings
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Navigate to General Settings
-- **Expected:** General settings are displayed
-
-## 2. Update Organization/Workspace Name
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Edit organization/workspace name
-  2. Save changes
-- **Expected:** Name is updated and visible
-
-## 3. Update Logo or Branding
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Upload new logo/branding
-  2. Save changes
-- **Expected:** Branding is updated
-
-## 4. View Version/Build Info
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. View version/build info section
-- **Expected:** Version/build info is displayed

frontend/e2e/test-plan/settings/ingestion.md

@@ -1,20 +0,0 @@
-# Ingestion E2E Scenarios (Updated)
-
-## 1. View Ingestion Sources
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Navigate to the Integrations page
-- **Expected:** List of available data sources/integrations is displayed
-
-## 2. Configure Ingestion Sources
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Click 'Configure' for a data source/integration
-  2. Complete the configuration flow (modal or page, as available)
-- **Expected:** Source is configured (UI feedback/confirmation should be checked)
-
-## 3. Disable/Enable Ingestion
-
-- **Note:** No visible enable/disable toggle for ingestion sources in the current UI. Ingestion is managed via the Integrations configuration flows.

frontend/e2e/test-plan/settings/integrations.md

@@ -1,51 +0,0 @@
-# Integrations E2E Scenarios (Updated)
-
-## 1. View List of Available Integrations
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Navigate to Integrations
-- **Expected:** List of integrations is displayed, each with a name, description, and 'Configure' button
-
-## 2. Search Integrations by Name/Type
-
-- **Precondition:** Integrations exist
-- **Steps:**
-  1. Enter search/filter criteria in the 'Search for an integration...' box
-- **Expected:** Only matching integrations are shown
-
-## 3. Connect a New Integration
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Click 'Configure' for an integration
-  2. Complete the configuration flow (modal or page, as available)
-- **Expected:** Integration is connected/configured (UI feedback/confirmation should be checked)
-
-## 4. Disconnect an Integration
-
-- **Note:** No visible 'Disconnect' button in the main list. This may be available in the configuration flow for a connected integration.
-
-## 5. Configure Integration Settings
-
-- **Note:** Configuration is handled in the flow after clicking 'Configure' for an integration.
-
-## 6. Test Integration Connection
-
-- **Note:** No visible 'Test Connection' button in the main list. This may be available in the configuration flow.
-
-## 7. View Integration Status/Logs
-
-- **Note:** No visible status/logs section in the main list. This may be available in the configuration flow.
-
-## 8. Filter Integrations by Category
-
-- **Note:** No explicit category filter in the current UI, only a search box.
-
-## 9. View Integration Documentation/Help
-
-- **Note:** No visible 'Help/Docs' button in the main list. This may be available in the configuration flow.
-
-## 10. Update Integration Configuration
-
-- **Note:** Configuration is handled in the flow after clicking 'Configure' for an integration.

frontend/e2e/test-plan/settings/keyboard-shortcuts.md

@@ -1,19 +0,0 @@
-# Keyboard Shortcuts E2E Scenarios (Updated)
-
-## 1. View Keyboard Shortcuts
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Navigate to Keyboard Shortcuts
-- **Expected:** Shortcuts are displayed in categorized tables (Global, Logs Explorer, Query Builder, Dashboard)
-
-## 2. Customize Keyboard Shortcuts (if supported)
-
-- **Note:** Customization is not available in the current UI. Shortcuts are view-only.
-
-## 3. Use Keyboard Shortcuts for Navigation/Actions
-
-- **Precondition:** User is logged in
-- **Steps:**
-  1. Use shortcut for navigation/action (e.g., shift+s for Services, cmd+enter for running query)
-- **Expected:** Navigation/action is performed as per shortcut

frontend/e2e/test-plan/settings/members-sso.md

@@ -1,49 +0,0 @@
-# Members & SSO E2E Scenarios (Updated)
-
-## 1. Invite a New Member
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Click 'Invite Members' button
-  2. In the 'Invite team members' dialog, enter email address, name (optional), and select role
-  3. (Optional) Click 'Add another team member' to invite more
-  4. Click 'Invite team members' to send invite(s)
-- **Expected:** Pending invite appears in the 'Pending Invites' table
-
-## 2. Remove a Member
-
-- **Precondition:** User is admin, member exists
-- **Steps:**
-  1. In the 'Members' table, locate the member row
-  2. Click 'Delete' in the Action column
-  3. Confirm removal if prompted
-- **Expected:** Member is removed from the table
-
-## 3. Update Member Roles
-
-- **Precondition:** User is admin, member exists
-- **Steps:**
-  1. In the 'Members' table, locate the member row
-  2. Click 'Edit' in the Action column
-  3. Change role in the edit dialog/modal
-  4. Save changes
-- **Expected:** Member role is updated in the table
-
-## 4. Configure SSO
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. In the 'Authenticated Domains' section, locate the domain row
-  2. Click 'Configure SSO' or 'Edit Google Auth' as available
-  3. Complete SSO provider configuration in the modal/dialog
-  4. Save settings
-- **Expected:** SSO is configured for the domain
-
-## 5. Login via SSO
-
-- **Precondition:** SSO is configured
-- **Steps:**
-  1. Log out from the app
-  2. On the login page, click 'Login with SSO'
-  3. Complete SSO login flow
-- **Expected:** User is logged in via SSO

frontend/e2e/test-plan/settings/notification-channels.md

@@ -1,39 +0,0 @@
-# Notification Channels E2E Scenarios (Updated)
-
-## 1. Add a New Notification Channel
-
-- **Precondition:** User is admin
-- **Steps:**
-  1. Click 'New Alert Channel' button
-  2. In the 'New Notification Channel' form, fill in required fields (Name, Type, Webhook URL, etc.)
-  3. (Optional) Toggle 'Send resolved alerts'
-  4. (Optional) Click 'Test' to send a test notification
-  5. Click 'Save' to add the channel
-- **Expected:** Channel is added and listed in the table
-
-## 2. Test Notification Channel
-
-- **Precondition:** Channel is being created or edited
-- **Steps:**
-  1. In the 'New Notification Channel' or 'Edit Notification Channel' form, click 'Test'
-- **Expected:** Test notification is sent (UI feedback/confirmation should be checked)
-
-## 3. Remove a Notification Channel
-
-- **Precondition:** Channel is added
-- **Steps:**
-  1. In the table, locate the channel row
-  2. Click 'Delete' in the Action column
-  3. Confirm removal if prompted
-- **Expected:** Channel is removed from the table
-
-## 4. Update Notification Channel Settings
-
-- **Precondition:** Channel is added
-- **Steps:**
-  1. In the table, locate the channel row
-  2. Click 'Edit' in the Action column
-  3. In the 'Edit Notification Channel' form, update fields as needed
-  4. (Optional) Click 'Test' to send a test notification
-  5. Click 'Save' to update the channel
-- **Expected:** Settings are updated

frontend/e2e/test-plan/validation-report.md

@@ -1,199 +0,0 @@
-# SigNoz Test Plan Validation Report
-
-This report documents the validation of the E2E test plan against the current live application using Playwright MCP. Each module is reviewed for coverage, gaps, and required updates.
-
----
-
-## Home Module
-
-- **Coverage:**
-  - Widgets for logs, traces, metrics, dashboards, alerts, services, saved views, onboarding checklist
-  - Quick access buttons: Explore Logs, Create dashboard, Create an alert
-- **Gaps/Updates:**
-  - Add scenarios for checklist interactions (e.g., “I’ll do this later”, progress tracking)
-  - Add scenarios for Saved Views and cross-module links
-  - Add scenario for onboarding checklist completion
-
----
-
-## Logs Module
-
-- **Coverage:**
-  - Explorer, Pipelines, Views tabs
-  - Filtering by service, environment, severity, host, k8s, etc.
-  - Search, save view, create alert, add to dashboard, export, view mode switching
-- **Gaps/Updates:**
-  - Add scenario for quick filter customization
-  - Add scenario for “Old Explorer” button
-  - Add scenario for frequency chart toggle
-  - Add scenario for “Stage & Run Query” workflow
-
----
-
-## Traces Module
-
-- **Coverage:**
-  - Tabs: Explorer, Funnels, Views
-  - Filtering by name, error status, duration, environment, function, service, RPC, status code, HTTP, trace ID, etc.
-  - Search, save view, create alert, add to dashboard, export, view mode switching (List, Traces, Time Series, Table)
-  - Pagination, quick filter customization, group by, aggregation
-- **Gaps/Updates:**
-  - Add scenario for quick filter customization
-  - Add scenario for “Stage & Run Query” workflow
-  - Add scenario for all view modes (List, Traces, Time Series, Table)
-  - Add scenario for group by/aggregation
-  - Add scenario for trace detail navigation (clicking on trace row)
-  - Add scenario for Funnels tab (create/edit/delete funnel)
-  - Add scenario for Views tab (manage saved views)
-
----
-
-## Metrics Module
-
-- **Coverage:**
-  - Tabs: Summary, Explorer, Views
-  - Filtering by metric, type, unit, etc.
-  - Search, save view, add to dashboard, export, view mode switching (chart, table, proportion view)
-  - Pagination, group by, aggregation, custom queries
-- **Gaps/Updates:**
-  - Add scenario for Proportion View in Summary
-  - Add scenario for all view modes (chart, table, proportion)
-  - Add scenario for group by/aggregation
-  - Add scenario for custom queries in Explorer
-  - Add scenario for Views tab (manage saved views)
-
----
-
-## Dashboards Module
-
-- **Coverage:**
-  - List, search, and filter dashboards
-  - Create new dashboard (button and template link)
-  - Edit, delete, and view dashboard details
-  - Add/edit/delete widgets (implied by dashboard detail)
-  - Pagination through dashboards
-- **Gaps/Updates:**
-  - Add scenario for browsing dashboard templates (external link)
-  - Add scenario for requesting new template
-  - Add scenario for dashboard owner and creation info
-  - Add scenario for dashboard tags and filtering by tags
-  - Add scenario for dashboard sharing (if available)
-  - Add scenario for dashboard image/preview
-
----
-
-## Messaging Queues Module
-
-- **Coverage:**
-  - Overview tab: queue metrics, filters (Service Name, Span Name, Msg System, Destination, Kind)
-  - Search across all columns
-  - Pagination of queue data
-  - Sync and Share buttons
-  - Tabs for Kafka and Celery
-- **Gaps/Updates:**
-  - Add scenario for Kafka tab (detailed metrics, actions)
-  - Add scenario for Celery tab (detailed metrics, actions)
-  - Add scenario for filter combinations and edge cases
-  - Add scenario for sharing queue data
-  - Add scenario for time range selection
-
----
-
-## External APIs Module
-
-- **Coverage:**
-  - Accessed via side navigation under MORE
-  - Explorer tab: domain, endpoints, last used, rate, error %, avg. latency
-  - Filters: Deployment Environment, Service Name, Rpc Method, Show IP addresses
-  - Table pagination
-  - Share and Stage & Run Query buttons
-- **Gaps/Updates:**
-  - Add scenario for customizing quick filters
-  - Add scenario for running and staging queries
-  - Add scenario for sharing API data
-  - Add scenario for edge cases in filters and table data
-
----
-
-## Alerts Module
-
-- **Coverage:**
-  - Alert Rules tab: list, search, create (New Alert), edit, delete, enable/disable, severity, labels, actions
-  - Triggered Alerts tab (visible in tablist)
-  - Configuration tab (visible in tablist)
-  - Table pagination
-- **Gaps/Updates:**
-  - Add scenario for triggered alerts (view, acknowledge, resolve)
-  - Add scenario for alert configuration (settings, integrations)
-  - Add scenario for edge cases in alert creation and management
-  - Add scenario for searching and filtering alerts
-
----
-
-## Integrations Module
-
-- **Coverage:**
-  - Integrations tab: list, search, configure (e.g., AWS), request new integration
-  - One-click setup for AWS monitoring
-  - Request more integrations (form)
-- **Gaps/Updates:**
-  - Add scenario for configuring integrations (step-by-step)
-  - Add scenario for searching and filtering integrations
-  - Add scenario for requesting new integrations
-  - Add scenario for edge cases (e.g., failed configuration)
-
----
-
-## Exceptions Module
-
-- **Coverage:**
-  - All Exceptions: list, search, filter (Deployment Environment, Service Name, Host Name, K8s Cluster/Deployment/Namespace, Net Peer Name)
-  - Table: Exception Type, Error Message, Count, Last Seen, First Seen, Application
-  - Pagination
-  - Exception detail links
-  - Share and Stage & Run Query buttons
-- **Gaps/Updates:**
-  - Add scenario for exception detail view
-  - Add scenario for advanced filtering and edge cases
-  - Add scenario for sharing and running queries
-  - Add scenario for error grouping and navigation
-
----
-
-## Service Map Module
-
-- **Coverage:**
-  - Service Map visualization (main graph)
-  - Filters: environment, resource attributes
-  - Time range selection
-  - Sync and Share buttons
-- **Gaps/Updates:**
-  - Add scenario for interacting with the map (zoom, pan, select service)
-  - Add scenario for filtering and edge cases
-  - Add scenario for sharing the map
-  - Add scenario for time range and environment combinations
-
----
-
-## Billing Module
-
-- **Coverage:**
-  - Billing overview: cost monitoring, invoices, CSV download (disabled), manage billing (disabled)
-  - Teams Cloud section
-  - Billing table: Unit, Data Ingested, Price per Unit, Cost (Billing period to date)
-- **Gaps/Updates:**
-  - Add scenario for invoice download and management (when enabled)
-  - Add scenario for cost monitoring and edge cases
-  - Add scenario for billing table data validation
-  - Add scenario for permissions and access control
-
----
-
-## Usage Explorer Module
-
-- **Status:**
-  - Not accessible in the current environment. Removing from test plan flows.
-
----
-
-## [Next modules will be filled as validation proceeds]

frontend/e2e/tests/settings/account-settings/account-settings-settings.spec.ts

@@ -1,42 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-test('Account Settings - View and Assert Static Controls', async ({ page }) => {
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Assert General section and controls (confirmed by DOM)
-	await expect(
-		page.getByLabel('My Settings').getByText('General'),
-	).toBeVisible();
-	await expect(page.getByText('Manage your account settings.')).toBeVisible();
-	await expect(page.getByRole('button', { name: 'Update name' })).toBeVisible();
-	await expect(
-		page.getByRole('button', { name: 'Reset password' }),
-	).toBeVisible();
-
-	// Assert User Preferences section and controls (confirmed by DOM)
-	await expect(page.getByText('User Preferences')).toBeVisible();
-	await expect(
-		page.getByText('Tailor the SigNoz console to work according to your needs.'),
-	).toBeVisible();
-	await expect(page.getByText('Select your theme')).toBeVisible();
-
-	const themeSelector = page.getByTestId('theme-selector');
-
-	await expect(themeSelector.getByText('Dark')).toBeVisible();
-	await expect(themeSelector.getByText('Light')).toBeVisible();
-	await expect(themeSelector.getByText('System')).toBeVisible();
-
-	await expect(page.getByTestId('timezone-adaptation-switch')).toBeVisible();
-	await expect(page.getByTestId('side-nav-pinned-switch')).toBeVisible();
-});

frontend/e2e/tests/settings/api-keys/api-keys-settings.spec.ts

@@ -1,42 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-test('API Keys Settings - View and Interact', async ({ page }) => {
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Focus on the settings page sidenav
-	await page.getByTestId('settings-page-sidenav').focus();
-
-	// Click API Keys tab in the settings sidebar (by data-testid)
-	await page.getByTestId('api-keys').click();
-
-	// Assert heading and subheading
-	await expect(page.getByRole('heading', { name: 'API Keys' })).toBeVisible();
-	await expect(
-		page.getByText('Create and manage API keys for the SigNoz API'),
-	).toBeVisible();
-
-	// Assert presence of New Key button
-	const newKeyBtn = page.getByRole('button', { name: 'New Key' });
-	await expect(newKeyBtn).toBeVisible();
-
-	// Assert table columns
-	await expect(page.getByText('Last used').first()).toBeVisible();
-	await expect(page.getByText('Expired').first()).toBeVisible();
-
-	// Assert at least one API key row with action buttons
-	// Select the first action cell's first button (icon button)
-	const firstActionCell = page.locator('table tr').nth(1).locator('td').last();
-	const deleteBtn = firstActionCell.locator('button').first();
-	await expect(deleteBtn).toBeVisible();
-});

frontend/e2e/tests/settings/billing/billing-settings.spec.ts

@@ -1,71 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-// E2E: Billing Settings - View Billing Information and Button Actions
-
-test('View Billing Information and Button Actions', async ({
-	page,
-	context,
-}) => {
-	// Ensure user is logged in
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Focus on the settings page sidenav
-	await page.getByTestId('settings-page-sidenav').focus();
-
-	// Click Billing tab in the settings sidebar (by data-testid)
-	await page.getByTestId('billing').click();
-
-	// Wait for billing chart/data to finish loading
-	await page.getByText('loading').first().waitFor({ state: 'hidden' });
-
-	// Assert visibility of subheading (unique)
-	await expect(
-		page.getByText(
-			'Manage your billing information, invoices, and monitor costs.',
-		),
-	).toBeVisible();
-	// Assert visibility of Teams Cloud heading
-	await expect(page.getByRole('heading', { name: 'Teams Cloud' })).toBeVisible();
-
-	// Assert presence of summary and detailed tables
-	await expect(page.getByText('TOTAL SPENT')).toBeVisible();
-	await expect(page.getByText('Data Ingested')).toBeVisible();
-	await expect(page.getByText('Price per Unit')).toBeVisible();
-	await expect(page.getByText('Cost (Billing period to date)')).toBeVisible();
-
-	// Assert presence of alert and note
-	await expect(
-		page.getByText('Your current billing period is from', { exact: false }),
-	).toBeVisible();
-	await expect(
-		page.getByText('Billing metrics are updated once every 24 hours.'),
-	).toBeVisible();
-
-	// Test Download CSV button
-	const [download] = await Promise.all([
-		page.waitForEvent('download'),
-		page.getByRole('button', { name: 'cloud-download Download CSV' }).click(),
-	]);
-	// Optionally, check download file name
-	expect(download.suggestedFilename()).toContain('billing_usage');
-
-	// Test Manage Billing button (opens Stripe in new tab)
-	const [newPage] = await Promise.all([
-		context.waitForEvent('page'),
-		page.getByTestId('header-billing-button').click(),
-	]);
-	await newPage.waitForLoadState();
-	expect(newPage.url()).toContain('stripe.com');
-	await newPage.close();
-});

frontend/e2e/tests/settings/custom-domain/custom-domain-settings.spec.ts

@@ -1,52 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-test('Custom Domain Settings - View and Interact', async ({ page }) => {
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Focus on the settings page sidenav
-	await page.getByTestId('settings-page-sidenav').focus();
-
-	// Click Custom Domain tab in the settings sidebar (by data-testid)
-	await page.getByTestId('custom-domain').click();
-
-	// Wait for custom domain chart/data to finish loading
-	await page.getByText('loading').first().waitFor({ state: 'hidden' });
-
-	// Assert heading and subheading
-	await expect(
-		page.getByRole('heading', { name: 'Custom Domain Settings' }),
-	).toBeVisible();
-	await expect(
-		page.getByText('Personalize your workspace domain effortlessly.'),
-	).toBeVisible();
-
-	// Assert presence of Customize team’s URL button
-	const customizeBtn = page.getByRole('button', {
-		name: 'Customize team’s URL',
-	});
-	await expect(customizeBtn).toBeVisible();
-	await customizeBtn.click();
-
-	// Assert modal/dialog fields and buttons
-	await expect(
-		page.getByRole('dialog', { name: 'Customize your team’s URL' }),
-	).toBeVisible();
-	await expect(page.getByLabel('Team’s URL subdomain')).toBeVisible();
-	await expect(
-		page.getByRole('button', { name: 'Apply Changes' }),
-	).toBeVisible();
-	await expect(page.getByRole('button', { name: 'Close' })).toBeVisible();
-	// Close the modal
-	await page.getByRole('button', { name: 'Close' }).click();
-});

frontend/e2e/tests/settings/general/general-settings.spec.ts

@@ -1,32 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-test('View General Settings', async ({ page }) => {
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Focus on the settings page sidenav
-	await page.getByTestId('settings-page-sidenav').focus();
-
-	// Click General tab in the settings sidebar (by data-testid)
-	await page.getByTestId('general').click();
-
-	// Wait for General tab to be visible
-	await page.getByRole('tabpanel', { name: 'General' }).waitFor();
-
-	// Assert visibility of definitive/static elements
-	await expect(page.getByRole('heading', { name: 'Metrics' })).toBeVisible();
-	await expect(page.getByRole('heading', { name: 'Traces' })).toBeVisible();
-	await expect(page.getByRole('heading', { name: 'Logs' })).toBeVisible();
-	await expect(page.getByText('Please')).toBeVisible();
-	await expect(page.getByRole('link', { name: 'email us' })).toBeVisible();
-});

frontend/e2e/tests/settings/ingestion/ingestion-settings.spec.ts

@@ -1,48 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-test('Ingestion Settings - View and Interact', async ({ page }) => {
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Focus on the settings page sidenav
-	await page.getByTestId('settings-page-sidenav').focus();
-
-	// Click Ingestion tab in the settings sidebar (by data-testid)
-	await page.getByTestId('ingestion').click();
-
-	// Assert heading and subheading (Integrations page)
-	await expect(
-		page.getByRole('heading', { name: 'Integrations' }),
-	).toBeVisible();
-	await expect(
-		page.getByText('Manage Integrations for this workspace'),
-	).toBeVisible();
-
-	// Assert presence of search box
-	await expect(
-		page.getByPlaceholder('Search for an integration...'),
-	).toBeVisible();
-
-	// Assert at least one data source with Configure button
-	const configureBtn = page.getByRole('button', { name: 'Configure' }).first();
-	await expect(configureBtn).toBeVisible();
-
-	// Assert Request more integrations section
-	await expect(
-		page.getByText(
-			"Can't find what you’re looking for? Request more integrations",
-		),
-	).toBeVisible();
-	await expect(page.getByPlaceholder('Enter integration name...')).toBeVisible();
-	await expect(page.getByRole('button', { name: 'Submit' })).toBeVisible();
-});

frontend/e2e/tests/settings/integrations/integrations-settings.spec.ts

@@ -1,48 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-test('Integrations Settings - View and Interact', async ({ page }) => {
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Focus on the settings page sidenav
-	await page.getByTestId('settings-page-sidenav').focus();
-
-	// Click Integrations tab in the settings sidebar (by data-testid)
-	await page.getByTestId('integrations').click();
-
-	// Assert heading and subheading
-	await expect(
-		page.getByRole('heading', { name: 'Integrations' }),
-	).toBeVisible();
-	await expect(
-		page.getByText('Manage Integrations for this workspace'),
-	).toBeVisible();
-
-	// Assert presence of search box
-	await expect(
-		page.getByPlaceholder('Search for an integration...'),
-	).toBeVisible();
-
-	// Assert at least one integration with Configure button
-	const configureBtn = page.getByRole('button', { name: 'Configure' }).first();
-	await expect(configureBtn).toBeVisible();
-
-	// Assert Request more integrations section
-	await expect(
-		page.getByText(
-			"Can't find what you’re looking for? Request more integrations",
-		),
-	).toBeVisible();
-	await expect(page.getByPlaceholder('Enter integration name...')).toBeVisible();
-	await expect(page.getByRole('button', { name: 'Submit' })).toBeVisible();
-});

frontend/e2e/tests/settings/members-sso/members-sso-settings.spec.ts

@@ -1,56 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-test('Members & SSO Settings - View and Interact', async ({ page }) => {
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Focus on the settings page sidenav
-	await page.getByTestId('settings-page-sidenav').focus();
-
-	// Click Members & SSO tab in the settings sidebar (by data-testid)
-	await page.getByTestId('members-sso').click();
-
-	// Assert headings and tables
-	await expect(
-		page.getByRole('heading', { name: /Members \(\d+\)/ }),
-	).toBeVisible();
-	await expect(
-		page.getByRole('heading', { name: /Pending Invites \(\d+\)/ }),
-	).toBeVisible();
-	await expect(
-		page.getByRole('heading', { name: 'Authenticated Domains' }),
-	).toBeVisible();
-
-	// Assert Invite Members button is visible and clickable
-	const inviteBtn = page.getByRole('button', { name: /Invite Members/ });
-	await expect(inviteBtn).toBeVisible();
-	await inviteBtn.click();
-	// Assert Invite Members modal/dialog appears (modal title is unique)
-	await expect(page.getByText('Invite team members').first()).toBeVisible();
-	// Close the modal (use unique 'Close' button)
-	await page.getByRole('button', { name: 'Close' }).click();
-
-	// Assert Edit and Delete buttons are present for at least one member
-	const editBtn = page.getByRole('button', { name: /Edit/ }).first();
-	const deleteBtn = page.getByRole('button', { name: /Delete/ }).first();
-	await expect(editBtn).toBeVisible();
-	await expect(deleteBtn).toBeVisible();
-
-	// Assert Add Domains button is visible
-	await expect(page.getByRole('button', { name: /Add Domains/ })).toBeVisible();
-	// Assert Configure SSO or Edit Google Auth button is visible for at least one domain
-	const ssoBtn = page
-		.getByRole('button', { name: /Configure SSO|Edit Google Auth/ })
-		.first();
-	await expect(ssoBtn).toBeVisible();
-});

frontend/e2e/tests/settings/notification-channels/notification-channels-settings.spec.ts

@@ -1,57 +0,0 @@
-import { expect, test } from '@playwright/test';
-
-import { ensureLoggedIn } from '../../../utils/login.util';
-
-test('Notification Channels Settings - View and Interact', async ({ page }) => {
-	await ensureLoggedIn(page);
-
-	// 1. Open the sidebar settings menu using data-testid
-	await page.getByTestId('settings-nav-item').click();
-
-	// 2. Click Account Settings in the dropdown (by role/name or data-testid if available)
-	await page.getByRole('menuitem', { name: 'Account Settings' }).click();
-
-	// Assert the main tabpanel/heading (confirmed by DOM)
-	await expect(page.getByTestId('settings-page-title')).toBeVisible();
-
-	// Focus on the settings page sidenav
-	await page.getByTestId('settings-page-sidenav').focus();
-
-	// Click Notification Channels tab in the settings sidebar (by data-testid)
-	await page.getByTestId('notification-channels').click();
-
-	// Wait for loading to finish
-	await page.getByText('loading').first().waitFor({ state: 'hidden' });
-
-	// Assert presence of New Alert Channel button
-	const newChannelBtn = page.getByRole('button', { name: /New Alert Channel/ });
-	await expect(newChannelBtn).toBeVisible();
-
-	// Assert table columns
-	await expect(page.getByText('Name')).toBeVisible();
-	await expect(page.getByText('Type')).toBeVisible();
-	await expect(page.getByText('Action')).toBeVisible();
-
-	// Click New Alert Channel and assert modal fields/buttons
-	await newChannelBtn.click();
-	await expect(
-		page.getByRole('heading', { name: 'New Notification Channel' }),
-	).toBeVisible();
-	await expect(page.getByLabel('Name')).toBeVisible();
-	await expect(page.getByLabel('Type')).toBeVisible();
-	await expect(page.getByLabel('Webhook URL')).toBeVisible();
-	await expect(
-		page.getByRole('switch', { name: 'Send resolved alerts' }),
-	).toBeVisible();
-	await expect(page.getByRole('button', { name: 'Save' })).toBeVisible();
-	await expect(page.getByRole('button', { name: 'Test' })).toBeVisible();
-	await expect(page.getByRole('button', { name: 'Back' })).toBeVisible();
-	// Close modal
-	await page.getByRole('button', { name: 'Back' }).click();
-
-	// Assert Edit and Delete buttons for at least one channel
-	const editBtn = page.getByRole('button', { name: 'Edit' }).first();
-	const deleteBtn = page.getByRole('button', { name: 'Delete' }).first();
-	await expect(editBtn).toBeVisible();
-	await expect(deleteBtn).toBeVisible();
-});

frontend/e2e/utils/login.util.ts

@@ -1,35 +0,0 @@
-import { Page } from '@playwright/test';
-
-// Read credentials from environment variables
-const username = process.env.LOGIN_USERNAME;
-const password = process.env.LOGIN_PASSWORD;
-const baseURL = process.env.BASE_URL;
-
-/**
- * Ensures the user is logged in. If not, performs the login steps.
- * Follows the MCP process step-by-step.
- */
-export async function ensureLoggedIn(page: Page): Promise<void> {
-	// if already in home page, return
-	if (await page.url().includes('/home')) {
-		return;
-	}
-
-	if (!username || !password) {
-		throw new Error(
-			'E2E_EMAIL and E2E_PASSWORD environment variables must be set.',
-		);
-	}
-
-	await page.goto(`${baseURL}/login`);
-	await page.getByTestId('email').click();
-	await page.getByTestId('email').fill(username);
-	await page.getByTestId('initiate_login').click();
-	await page.getByTestId('password').click();
-	await page.getByTestId('password').fill(password);
-	await page.getByRole('button', { name: 'Login' }).click();
-
-	await page
-		.getByText('Hello there, Welcome to your')
-		.waitFor({ state: 'visible' });
-}

frontend/package.json

@@ -44,7 +44,6 @@
     "@mdx-js/loader": "2.3.0",
     "@mdx-js/react": "2.3.0",
     "@monaco-editor/react": "^4.3.1",
-    "@playwright/test": "1.55.1",
     "@radix-ui/react-tabs": "1.0.4",
     "@radix-ui/react-tooltip": "1.0.7",
     "@sentry/react": "8.41.0",

frontend/playwright.config.ts

@@ -1,95 +0,0 @@
-import { defineConfig, devices } from '@playwright/test';
-import dotenv from 'dotenv';
-import path from 'path';
-
-// Read from ".env" file.
-dotenv.config({ path: path.resolve(__dirname, '.env') });
-
-/**
- * Read environment variables from file.
- * https://github.com/motdotla/dotenv
- */
-// import dotenv from 'dotenv';
-// import path from 'path';
-// dotenv.config({ path: path.resolve(__dirname, '.env') });
-
-/**
- * See https://playwright.dev/docs/test-configuration.
- */
-export default defineConfig({
-	testDir: './e2e/tests',
-	/* Run tests in files in parallel */
-	fullyParallel: true,
-	/* Fail the build on CI if you accidentally left test.only in the source code. */
-	forbidOnly: !!process.env.CI,
-	/* Retry on CI only */
-	retries: process.env.CI ? 2 : 0,
-	/* Run tests in parallel even in CI - optimized for GitHub Actions free tier */
-	workers: process.env.CI ? 2 : undefined,
-	/* Reporter to use. See https://playwright.dev/docs/test-reporters */
-	reporter: 'html',
-	/* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
-	use: {
-		/* Base URL to use in actions like `await page.goto('/')`. */
-		baseURL:
-			process.env.SIGNOZ_E2E_BASE_URL || 'https://app.us.staging.signoz.cloud',
-
-		/* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
-		trace: 'on-first-retry',
-		colorScheme: 'dark',
-		locale: 'en-US',
-		viewport: { width: 1280, height: 720 },
-	},
-
-	/* Configure projects for major browsers */
-	projects: [
-		{
-			name: 'chromium',
-			use: {
-				launchOptions: { args: ['--start-maximized'] },
-				viewport: null,
-				colorScheme: 'dark',
-				locale: 'en-US',
-				baseURL: 'https://app.us.staging.signoz.cloud',
-				trace: 'on-first-retry',
-			},
-		},
-
-		{
-			name: 'firefox',
-			use: { ...devices['Desktop Firefox'] },
-		},
-
-		{
-			name: 'webkit',
-			use: { ...devices['Desktop Safari'] },
-		},
-
-		/* Test against mobile viewports. */
-		// {
-		//   name: 'Mobile Chrome',
-		//   use: { ...devices['Pixel 5'] },
-		// },
-		// {
-		//   name: 'Mobile Safari',
-		//   use: { ...devices['iPhone 12'] },
-		// },
-
-		/* Test against branded browsers. */
-		// {
-		//   name: 'Microsoft Edge',
-		//   use: { ...devices['Desktop Edge'], channel: 'msedge' },
-		// },
-		// {
-		//   name: 'Google Chrome',
-		//   use: { ...devices['Desktop Chrome'], channel: 'chrome' },
-		// },
-	],
-
-	/* Run your local dev server before starting the tests */
-	// webServer: {
-	//   command: 'npm run start',
-	//   url: 'http://localhost:3000',
-	//   reuseExistingServer: !process.env.CI,
-	// },
-});

frontend/prompts/generate-e2e-test.md

@@ -1,16 +0,0 @@
-RULE: All test code for this repo must be generated by following the step-by-step Playwright MCP process as described below.
-
-- You are a playwright test generator.
-- You are given a scenario and you need to generate a playwright test for it.
-- Use login util if not logged in.
-- DO NOT generate test code based on the scenario alone.
-- DO run steps one by one using the tools provided by the Playwright MCP.
-- Only after all steps are completed, emit a Playwright TypeScript test that uses @playwright/test based on message history
-- Gather correct selectors before writing the test
-- DO NOT valiate for dynamic content in the tests, only validate for the correctness with meta data
-- Always inspect the DOM at each navigation or interaction step to determine the correct selector for the next action. Do not assume selectors, confirm via inspection before proceeding.
-- Assert visibility of definitive/static elements in the UI (such as labels, headings, or section titles) rather than dynamic values or content that may change between runs.
-- Save generated test file in the tests directory
-- Execute the test file and iterate until the test passes
-
-

frontend/src/api/generated/services/llmpricingrules/index.ts

@@ -1,398 +0,0 @@
-/**
- * ! Do not edit manually
- * * The file has been auto-generated using Orval for SigNoz
- * * regenerate with 'yarn generate:api'
- * SigNoz
- */
-import { useMutation, useQuery } from 'react-query';
-import type {
-	InvalidateOptions,
-	MutationFunction,
-	QueryClient,
-	QueryFunction,
-	QueryKey,
-	UseMutationOptions,
-	UseMutationResult,
-	UseQueryOptions,
-	UseQueryResult,
-} from 'react-query';
-
-import type {
-	DeleteLLMPricingRulePathParameters,
-	GetLLMPricingRule200,
-	GetLLMPricingRulePathParameters,
-	ListLLMPricingRules200,
-	ListLLMPricingRulesParams,
-	LlmpricingruletypesUpdatableLLMPricingRulesDTO,
-	RenderErrorResponseDTO,
-} from '../sigNoz.schemas';
-
-import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
-import type { ErrorType, BodyType } from '../../../generatedAPIInstance';
-
-/**
- * Returns all LLM pricing rules for the authenticated org, with pagination.
- * @summary List pricing rules
- */
-export const listLLMPricingRules = (
-	params?: ListLLMPricingRulesParams,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<ListLLMPricingRules200>({
-		url: `/api/v1/llm_pricing_rules`,
-		method: 'GET',
-		params,
-		signal,
-	});
-};
-
-export const getListLLMPricingRulesQueryKey = (
-	params?: ListLLMPricingRulesParams,
-) => {
-	return [`/api/v1/llm_pricing_rules`, ...(params ? [params] : [])] as const;
-};
-
-export const getListLLMPricingRulesQueryOptions = <
-	TData = Awaited<ReturnType<typeof listLLMPricingRules>>,
-	TError = ErrorType<RenderErrorResponseDTO>,
->(
-	params?: ListLLMPricingRulesParams,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof listLLMPricingRules>>,
-			TError,
-			TData
-		>;
-	},
-) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey =
-		queryOptions?.queryKey ?? getListLLMPricingRulesQueryKey(params);
-
-	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof listLLMPricingRules>>
-	> = ({ signal }) => listLLMPricingRules(params, signal);
-
-	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
-		Awaited<ReturnType<typeof listLLMPricingRules>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type ListLLMPricingRulesQueryResult = NonNullable<
-	Awaited<ReturnType<typeof listLLMPricingRules>>
->;
-export type ListLLMPricingRulesQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary List pricing rules
- */
-
-export function useListLLMPricingRules<
-	TData = Awaited<ReturnType<typeof listLLMPricingRules>>,
-	TError = ErrorType<RenderErrorResponseDTO>,
->(
-	params?: ListLLMPricingRulesParams,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof listLLMPricingRules>>,
-			TError,
-			TData
-		>;
-	},
-): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getListLLMPricingRulesQueryOptions(params, options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary List pricing rules
- */
-export const invalidateListLLMPricingRules = async (
-	queryClient: QueryClient,
-	params?: ListLLMPricingRulesParams,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getListLLMPricingRulesQueryKey(params) },
-		options,
-	);
-
-	return queryClient;
-};
-
-/**
- * Single write endpoint used by both the user and the Zeus sync job. Per-rule match is by id, then sourceId, then insert. Override rows (is_override=true) are fully preserved when the request does not provide isOverride; only synced_at is stamped.
- * @summary Bulk update pricing rules
- */
-export const updateLLMPricingRules = (
-	llmpricingruletypesUpdatableLLMPricingRulesDTO: BodyType<LlmpricingruletypesUpdatableLLMPricingRulesDTO>,
-) => {
-	return GeneratedAPIInstance<void>({
-		url: `/api/v1/llm_pricing_rules`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: llmpricingruletypesUpdatableLLMPricingRulesDTO,
-	});
-};
-
-export const getUpdateLLMPricingRulesMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateLLMPricingRules>>,
-		TError,
-		{ data: BodyType<LlmpricingruletypesUpdatableLLMPricingRulesDTO> },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateLLMPricingRules>>,
-	TError,
-	{ data: BodyType<LlmpricingruletypesUpdatableLLMPricingRulesDTO> },
-	TContext
-> => {
-	const mutationKey = ['updateLLMPricingRules'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-			'mutationKey' in options.mutation &&
-			options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateLLMPricingRules>>,
-		{ data: BodyType<LlmpricingruletypesUpdatableLLMPricingRulesDTO> }
-	> = (props) => {
-		const { data } = props ?? {};
-
-		return updateLLMPricingRules(data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateLLMPricingRulesMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateLLMPricingRules>>
->;
-export type UpdateLLMPricingRulesMutationBody =
-	BodyType<LlmpricingruletypesUpdatableLLMPricingRulesDTO>;
-export type UpdateLLMPricingRulesMutationError =
-	ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Bulk update pricing rules
- */
-export const useUpdateLLMPricingRules = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateLLMPricingRules>>,
-		TError,
-		{ data: BodyType<LlmpricingruletypesUpdatableLLMPricingRulesDTO> },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateLLMPricingRules>>,
-	TError,
-	{ data: BodyType<LlmpricingruletypesUpdatableLLMPricingRulesDTO> },
-	TContext
-> => {
-	const mutationOptions = getUpdateLLMPricingRulesMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * Hard-deletes a pricing rule. If auto-synced, it will be recreated on the next sync cycle.
- * @summary Delete a pricing rule
- */
-export const deleteLLMPricingRule = ({
-	id,
-}: DeleteLLMPricingRulePathParameters) => {
-	return GeneratedAPIInstance<void>({
-		url: `/api/v1/llm_pricing_rules/${id}`,
-		method: 'DELETE',
-	});
-};
-
-export const getDeleteLLMPricingRuleMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof deleteLLMPricingRule>>,
-		TError,
-		{ pathParams: DeleteLLMPricingRulePathParameters },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof deleteLLMPricingRule>>,
-	TError,
-	{ pathParams: DeleteLLMPricingRulePathParameters },
-	TContext
-> => {
-	const mutationKey = ['deleteLLMPricingRule'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-			'mutationKey' in options.mutation &&
-			options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof deleteLLMPricingRule>>,
-		{ pathParams: DeleteLLMPricingRulePathParameters }
-	> = (props) => {
-		const { pathParams } = props ?? {};
-
-		return deleteLLMPricingRule(pathParams);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type DeleteLLMPricingRuleMutationResult = NonNullable<
-	Awaited<ReturnType<typeof deleteLLMPricingRule>>
->;
-
-export type DeleteLLMPricingRuleMutationError =
-	ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Delete a pricing rule
- */
-export const useDeleteLLMPricingRule = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof deleteLLMPricingRule>>,
-		TError,
-		{ pathParams: DeleteLLMPricingRulePathParameters },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof deleteLLMPricingRule>>,
-	TError,
-	{ pathParams: DeleteLLMPricingRulePathParameters },
-	TContext
-> => {
-	const mutationOptions = getDeleteLLMPricingRuleMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * Returns a single LLM pricing rule by ID.
- * @summary Get a pricing rule
- */
-export const getLLMPricingRule = (
-	{ id }: GetLLMPricingRulePathParameters,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<GetLLMPricingRule200>({
-		url: `/api/v1/llm_pricing_rules/${id}`,
-		method: 'GET',
-		signal,
-	});
-};
-
-export const getGetLLMPricingRuleQueryKey = ({
-	id,
-}: GetLLMPricingRulePathParameters) => {
-	return [`/api/v1/llm_pricing_rules/${id}`] as const;
-};
-
-export const getGetLLMPricingRuleQueryOptions = <
-	TData = Awaited<ReturnType<typeof getLLMPricingRule>>,
-	TError = ErrorType<RenderErrorResponseDTO>,
->(
-	{ id }: GetLLMPricingRulePathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getLLMPricingRule>>,
-			TError,
-			TData
-		>;
-	},
-) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey =
-		queryOptions?.queryKey ?? getGetLLMPricingRuleQueryKey({ id });
-
-	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof getLLMPricingRule>>
-	> = ({ signal }) => getLLMPricingRule({ id }, signal);
-
-	return {
-		queryKey,
-		queryFn,
-		enabled: !!id,
-		...queryOptions,
-	} as UseQueryOptions<
-		Awaited<ReturnType<typeof getLLMPricingRule>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type GetLLMPricingRuleQueryResult = NonNullable<
-	Awaited<ReturnType<typeof getLLMPricingRule>>
->;
-export type GetLLMPricingRuleQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Get a pricing rule
- */
-
-export function useGetLLMPricingRule<
-	TData = Awaited<ReturnType<typeof getLLMPricingRule>>,
-	TError = ErrorType<RenderErrorResponseDTO>,
->(
-	{ id }: GetLLMPricingRulePathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getLLMPricingRule>>,
-			TError,
-			TData
-		>;
-	},
-): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getGetLLMPricingRuleQueryOptions({ id }, options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary Get a pricing rule
- */
-export const invalidateGetLLMPricingRule = async (
-	queryClient: QueryClient,
-	{ id }: GetLLMPricingRulePathParameters,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getGetLLMPricingRuleQueryKey({ id }) },
-		options,
-	);
-
-	return queryClient;
-};

frontend/src/api/generated/services/role/index.ts

@@ -471,7 +471,7 @@ export const getObjects = (
 	signal?: AbortSignal,
 ) => {
 	return GeneratedAPIInstance<GetObjects200>({
-		url: `/api/v1/roles/${id}/relation/${relation}/objects`,
+		url: `/api/v1/roles/${id}/relations/${relation}/objects`,
 		method: 'GET',
 		signal,
 	});
@@ -481,7 +481,7 @@ export const getGetObjectsQueryKey = ({
 	id,
 	relation,
 }: GetObjectsPathParameters) => {
-	return [`/api/v1/roles/${id}/relation/${relation}/objects`] as const;
+	return [`/api/v1/roles/${id}/relations/${relation}/objects`] as const;
 };
 
 export const getGetObjectsQueryOptions = <
@@ -574,7 +574,7 @@ export const patchObjects = (
 	authtypesPatchableObjectsDTO: BodyType<AuthtypesPatchableObjectsDTO>,
 ) => {
 	return GeneratedAPIInstance<string>({
-		url: `/api/v1/roles/${id}/relation/${relation}/objects`,
+		url: `/api/v1/roles/${id}/relations/${relation}/objects`,
 		method: 'PATCH',
 		headers: { 'Content-Type': 'application/json' },
 		data: authtypesPatchableObjectsDTO,

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -3178,173 +3178,6 @@ export enum InframonitoringtypesResponseTypeDTO {
 	list = 'list',
 	grouped_list = 'grouped_list',
 }
-export interface LlmpricingruletypesGettablePricingRulesDTO {
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	items: LlmpricingruletypesLLMPricingRuleDTO[] | null;
-	/**
-	 * @type integer
-	 */
-	limit: number;
-	/**
-	 * @type integer
-	 */
-	offset: number;
-	/**
-	 * @type integer
-	 */
-	total: number;
-}
-
-export interface LlmpricingruletypesLLMPricingRuleDTO {
-	cacheMode: LlmpricingruletypesLLMPricingRuleCacheModeDTO;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	costCacheRead: number;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	costCacheWrite: number;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	costInput: number;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	costOutput: number;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: Date;
-	/**
-	 * @type string
-	 */
-	createdBy?: string;
-	/**
-	 * @type boolean
-	 */
-	enabled: boolean;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type boolean
-	 */
-	isOverride: boolean;
-	/**
-	 * @type string
-	 */
-	modelName: string;
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	modelPattern: string[] | null;
-	/**
-	 * @type string
-	 */
-	orgId: string;
-	/**
-	 * @type string
-	 */
-	sourceId?: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 * @nullable true
-	 */
-	syncedAt?: Date | null;
-	unit: LlmpricingruletypesLLMPricingRuleUnitDTO;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: Date;
-	/**
-	 * @type string
-	 */
-	updatedBy?: string;
-}
-
-export enum LlmpricingruletypesLLMPricingRuleCacheModeDTO {
-	subtract = 'subtract',
-	additive = 'additive',
-	unknown = 'unknown',
-}
-export enum LlmpricingruletypesLLMPricingRuleUnitDTO {
-	per_million_tokens = 'per_million_tokens',
-}
-export interface LlmpricingruletypesUpdatableLLMPricingRuleDTO {
-	cacheMode: LlmpricingruletypesLLMPricingRuleCacheModeDTO;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	costCacheRead: number;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	costCacheWrite: number;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	costInput: number;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	costOutput: number;
-	/**
-	 * @type boolean
-	 */
-	enabled: boolean;
-	/**
-	 * @type string
-	 * @nullable true
-	 */
-	id?: string | null;
-	/**
-	 * @type boolean
-	 * @nullable true
-	 */
-	isOverride?: boolean | null;
-	/**
-	 * @type string
-	 */
-	modelName: string;
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	modelPattern: string[] | null;
-	/**
-	 * @type string
-	 * @nullable true
-	 */
-	sourceId?: string | null;
-	unit: LlmpricingruletypesLLMPricingRuleUnitDTO;
-}
-
-export interface LlmpricingruletypesUpdatableLLMPricingRulesDTO {
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	rules: LlmpricingruletypesUpdatableLLMPricingRuleDTO[] | null;
-}
-
 export interface MetricsexplorertypesInspectMetricsRequestDTO {
 	/**
 	 * @type integer
@@ -6490,41 +6323,6 @@ export type CreateInvite201 = {
 	status: string;
 };
 
-export type ListLLMPricingRulesParams = {
-	/**
-	 * @type integer
-	 * @description undefined
-	 */
-	offset?: number;
-	/**
-	 * @type integer
-	 * @description undefined
-	 */
-	limit?: number;
-};
-
-export type ListLLMPricingRules200 = {
-	data: LlmpricingruletypesGettablePricingRulesDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type DeleteLLMPricingRulePathParameters = {
-	id: string;
-};
-export type GetLLMPricingRulePathParameters = {
-	id: string;
-};
-export type GetLLMPricingRule200 = {
-	data: LlmpricingruletypesLLMPricingRuleDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
 export type ListPromotedAndIndexedPaths200 = {
 	/**
 	 * @type array

frontend/tsconfig.json

@@ -66,8 +66,6 @@
 		"./vite.config.ts",
 		"./jest.setup.ts",
 		"./tests/**.ts",
-		"./**/*.d.ts",
-		"./playwright.config.ts",
-		"./e2e/**/*.ts"
+		"./**/*.d.ts"
 	]
 }

frontend/yarn.lock

@@ -4540,13 +4540,6 @@
   resolved "https://registry.yarnpkg.com/@pkgr/core/-/core-0.2.9.tgz#d229a7b7f9dac167a156992ef23c7f023653f53b"
   integrity sha512-QNqXyfVS2wm9hweSYD2O7F0G06uurj9kZ96TRQE5Y9hU7+tgdZwIkbAKc5Ocy1HxEY2kuDQa6cQ1WRs/O5LFKA==
 
-"@playwright/test@1.55.1":
-  version "1.55.1"
-  resolved "https://registry.yarnpkg.com/@playwright/test/-/test-1.55.1.tgz#80f775d5f948cd3ef550fcc45ef99986d3ffb36c"
-  integrity sha512-IVAh/nOJaw6W9g+RJVlIQJ6gSiER+ae6mKQ5CX1bERzQgbC1VSeBlwdvczT7pxb0GWiyrxH4TGKbMfDb4Sq/ig==
-  dependencies:
-    playwright "1.55.1"
-
 "@posthog/core@1.6.0":
   version "1.6.0"
   resolved "https://registry.yarnpkg.com/@posthog/core/-/core-1.6.0.tgz#a5b63a30950a8dfe87d4bf335ab24005c7ce1278"
@@ -10568,7 +10561,7 @@ fscreen@^1.0.2:
   resolved "https://registry.yarnpkg.com/fscreen/-/fscreen-1.2.0.tgz#1a8c88e06bc16a07b473ad96196fb06d6657f59e"
   integrity sha512-hlq4+BU0hlPmwsFjwGGzZ+OZ9N/wq9Ljg/sq3pX+2CD7hrJsX9tJgWWK/wiNTFM212CLHWhicOoqwXyZGGetJg==
 
-fsevents@2.3.2, fsevents@^2.3.2, fsevents@~2.3.2:
+fsevents@^2.3.2, fsevents@~2.3.2:
   version "2.3.2"
   resolved "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz"
   integrity sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==
@@ -15468,20 +15461,6 @@ pkg-dir@^7.0.0:
   dependencies:
     find-up "^6.3.0"
 
-playwright-core@1.55.1:
-  version "1.55.1"
-  resolved "https://registry.yarnpkg.com/playwright-core/-/playwright-core-1.55.1.tgz#5d3bb1846bc4289d364ea1a9dcb33f14545802e9"
-  integrity sha512-Z6Mh9mkwX+zxSlHqdr5AOcJnfp+xUWLCt9uKV18fhzA8eyxUd8NUWzAjxUh55RZKSYwDGX0cfaySdhZJGMoJ+w==
-
-playwright@1.55.1:
-  version "1.55.1"
-  resolved "https://registry.yarnpkg.com/playwright/-/playwright-1.55.1.tgz#8a9954e9e61ed1ab479212af9be336888f8b3f0e"
-  integrity sha512-cJW4Xd/G3v5ovXtJJ52MAOclqeac9S/aGGgRzLabuF8TnIb6xHvMzKIa6JmrRzUkeXJgfL1MhukP0NK6l39h3A==
-  dependencies:
-    playwright-core "1.55.1"
-  optionalDependencies:
-    fsevents "2.3.2"
-
 pony-cause@^1.1.1:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/pony-cause/-/pony-cause-1.1.1.tgz#f795524f83bebbf1878bd3587b45f69143cbf3f9"

pkg/apiserver/signozapiserver/llmpricingrule.go

@@ -1,93 +0,0 @@
-package signozapiserver
-
-import (
-	"net/http"
-
-	"github.com/SigNoz/signoz/pkg/http/handler"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/llmpricingruletypes"
-	"github.com/gorilla/mux"
-)
-
-func (provider *provider) addLLMPricingRuleRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/llm_pricing_rules", handler.New(
-		provider.authZ.ViewAccess(provider.llmPricingRuleHandler.List),
-		handler.OpenAPIDef{
-			ID:                  "ListLLMPricingRules",
-			Tags:                []string{"llmpricingrules"},
-			Summary:             "List pricing rules",
-			Description:         "Returns all LLM pricing rules for the authenticated org, with pagination.",
-			Request:             nil,
-			RequestContentType:  "",
-			RequestQuery:        new(llmpricingruletypes.ListPricingRulesQuery),
-			Response:            new(llmpricingruletypes.GettablePricingRules),
-			ResponseContentType: "application/json",
-			SuccessStatusCode:   http.StatusOK,
-			ErrorStatusCodes:    []int{http.StatusBadRequest},
-			Deprecated:          false,
-			SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
-		},
-	)).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/llm_pricing_rules", handler.New(
-		provider.authZ.AdminAccess(provider.llmPricingRuleHandler.Update),
-		handler.OpenAPIDef{
-			ID:                 "UpdateLLMPricingRules",
-			Tags:               []string{"llmpricingrules"},
-			Summary:            "Bulk update pricing rules",
-			Description:        "Single write endpoint used by both the user and the Zeus sync job. Per-rule match is by id, then sourceId, then insert. Override rows (is_override=true) are fully preserved when the request does not provide isOverride; only synced_at is stamped.",
-			Request:            new(llmpricingruletypes.UpdatableLLMPricingRules),
-			RequestContentType: "application/json",
-			SuccessStatusCode:  http.StatusNoContent,
-			ErrorStatusCodes:   []int{http.StatusBadRequest},
-			Deprecated:         false,
-			SecuritySchemes:    newSecuritySchemes(types.RoleAdmin),
-		},
-	)).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/llm_pricing_rules/{id}", handler.New(
-		provider.authZ.ViewAccess(provider.llmPricingRuleHandler.Get),
-		handler.OpenAPIDef{
-			ID:                  "GetLLMPricingRule",
-			Tags:                []string{"llmpricingrules"},
-			Summary:             "Get a pricing rule",
-			Description:         "Returns a single LLM pricing rule by ID.",
-			Request:             nil,
-			RequestContentType:  "",
-			Response:            new(llmpricingruletypes.GettableLLMPricingRule),
-			ResponseContentType: "application/json",
-			SuccessStatusCode:   http.StatusOK,
-			ErrorStatusCodes:    []int{http.StatusNotFound},
-			Deprecated:          false,
-			SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
-		},
-	)).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/llm_pricing_rules/{id}", handler.New(
-		provider.authZ.AdminAccess(provider.llmPricingRuleHandler.Delete),
-		handler.OpenAPIDef{
-			ID:                  "DeleteLLMPricingRule",
-			Tags:                []string{"llmpricingrules"},
-			Summary:             "Delete a pricing rule",
-			Description:         "Hard-deletes a pricing rule. If auto-synced, it will be recreated on the next sync cycle.",
-			Request:             nil,
-			RequestContentType:  "",
-			Response:            nil,
-			ResponseContentType: "",
-			SuccessStatusCode:   http.StatusNoContent,
-			ErrorStatusCodes:    []int{http.StatusNotFound},
-			Deprecated:          false,
-			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-		},
-	)).Methods(http.MethodDelete).GetError(); err != nil {
-		return err
-	}
-
-	return nil
-}

pkg/apiserver/signozapiserver/provider.go

@@ -16,9 +16,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/cloudintegration"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/fields"
-	"github.com/SigNoz/signoz/pkg/modules/inframonitoring"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer"
+	"github.com/SigNoz/signoz/pkg/modules/inframonitoring"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/preference"
 	"github.com/SigNoz/signoz/pkg/modules/promote"
@@ -64,7 +63,6 @@ type provider struct {
 	ruleStateHistoryHandler rulestatehistory.Handler
 	alertmanagerHandler     alertmanager.Handler
 	rulerHandler            ruler.Handler
-	llmPricingRuleHandler   llmpricingrule.Handler
 }
 
 func NewFactory(
@@ -93,7 +91,6 @@ func NewFactory(
 	cloudIntegrationHandler cloudintegration.Handler,
 	ruleStateHistoryHandler rulestatehistory.Handler,
 	alertmanagerHandler alertmanager.Handler,
-	llmPricingRuleHandler llmpricingrule.Handler,
 	rulerHandler ruler.Handler,
 ) factory.ProviderFactory[apiserver.APIServer, apiserver.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config apiserver.Config) (apiserver.APIServer, error) {
@@ -126,7 +123,6 @@ func NewFactory(
 			cloudIntegrationHandler,
 			ruleStateHistoryHandler,
 			alertmanagerHandler,
-			llmPricingRuleHandler,
 			rulerHandler,
 		)
 	})
@@ -161,8 +157,6 @@ func newProvider(
 	cloudIntegrationHandler cloudintegration.Handler,
 	ruleStateHistoryHandler rulestatehistory.Handler,
 	alertmanagerHandler alertmanager.Handler,
-	llmPricingRuleHandler llmpricingrule.Handler,
-
 	rulerHandler ruler.Handler,
 ) (apiserver.APIServer, error) {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/apiserver/signozapiserver")
@@ -196,7 +190,6 @@ func newProvider(
 		ruleStateHistoryHandler: ruleStateHistoryHandler,
 		alertmanagerHandler:     alertmanagerHandler,
 		rulerHandler:            rulerHandler,
-		llmPricingRuleHandler:   llmPricingRuleHandler,
 	}
 
 	provider.authZ = middleware.NewAuthZ(settings.Logger(), orgGetter, authz)
@@ -305,10 +298,6 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
-	if err := provider.addLLMPricingRuleRoutes(router); err != nil {
-		return err
-	}
-
 	if err := provider.addRulerRoutes(router); err != nil {
 		return err
 	}

pkg/apiserver/signozapiserver/role.go

@@ -61,7 +61,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}/relation/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.GetObjects), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.GetObjects), handler.OpenAPIDef{
 		ID:                  "GetObjects",
 		Tags:                []string{"role"},
 		Summary:             "Get objects for a role by relation",
@@ -95,7 +95,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}/relation/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.PatchObjects), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.PatchObjects), handler.OpenAPIDef{
 		ID:                  "PatchObjects",
 		Tags:                []string{"role"},
 		Summary:             "Patch objects for a role by relation",

pkg/authz/authz.go

@@ -22,11 +22,15 @@ type AuthZ interface {
 	// BatchCheck accepts a map of ID → tuple and returns a map of ID → authorization result.
 	BatchCheck(context.Context, map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error)
 
+	// CheckTransactions checks whether the given subject is authorized for the given transactions.
+	// Returns results in the same order as the input transactions.
+	CheckTransactions(ctx context.Context, subject string, orgID valuer.UUID, transactions []*authtypes.Transaction) ([]*authtypes.TransactionWithAuthorization, error)
+
 	// Write accepts the insertion tuples and the deletion tuples.
 	Write(context.Context, []*openfgav1.TupleKey, []*openfgav1.TupleKey) error
 
 	// Lists the selectors for objects assigned to subject (s) with relation (r) on resource (s)
-	ListObjects(context.Context, string, authtypes.Relation, authtypes.Typeable) ([]*authtypes.Object, error)
+	ListObjects(context.Context, string, authtypes.Relation, authtypes.Type) ([]*authtypes.Object, error)
 
 	// Creates the role.
 	Create(context.Context, valuer.UUID, *authtypes.Role) error
@@ -78,8 +82,14 @@ type AuthZ interface {
 
 	// Bootstrap managed roles transactions and user assignments
 	CreateManagedUserRoleTransactions(context.Context, valuer.UUID, valuer.UUID) error
+
+	// ReadTuples reads tuples from the authorization server matching the given tuple key filter.
+	ReadTuples(context.Context, *openfgav1.ReadRequestTupleKey) ([]*openfgav1.TupleKey, error)
 }
 
+// OnBeforeRoleDelete is a callback invoked before a role is deleted.
+type OnBeforeRoleDelete func(context.Context, valuer.UUID, valuer.UUID) error
+
 type RegisterTypeable interface {
 	MustGetTypeables() []authtypes.Typeable
 

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -18,7 +18,7 @@ func NewSqlAuthzStore(sqlstore sqlstore.SQLStore) authtypes.RoleStore {
 	return &store{sqlstore: sqlstore}
 }
 
-func (store *store) Create(ctx context.Context, role *authtypes.StorableRole) error {
+func (store *store) Create(ctx context.Context, role *authtypes.Role) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -32,8 +32,8 @@ func (store *store) Create(ctx context.Context, role *authtypes.StorableRole) er
 	return nil
 }
 
-func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.StorableRole, error) {
-	role := new(authtypes.StorableRole)
+func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.Role, error) {
+	role := new(authtypes.Role)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -49,8 +49,8 @@ func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID)
 	return role, nil
 }
 
-func (store *store) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*authtypes.StorableRole, error) {
-	role := new(authtypes.StorableRole)
+func (store *store) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*authtypes.Role, error) {
+	role := new(authtypes.Role)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -66,8 +66,8 @@ func (store *store) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, na
 	return role, nil
 }
 
-func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*authtypes.StorableRole, error) {
-	roles := make([]*authtypes.StorableRole, 0)
+func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*authtypes.Role, error) {
+	roles := make([]*authtypes.Role, 0)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -82,8 +82,8 @@ func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*authtypes.S
 	return roles, nil
 }
 
-func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*authtypes.StorableRole, error) {
-	roles := make([]*authtypes.StorableRole, 0)
+func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*authtypes.Role, error) {
+	roles := make([]*authtypes.Role, 0)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -103,8 +103,8 @@ func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID,
 	return roles, nil
 }
 
-func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*authtypes.StorableRole, error) {
-	roles := make([]*authtypes.StorableRole, 0)
+func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*authtypes.Role, error) {
+	roles := make([]*authtypes.Role, 0)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -124,7 +124,7 @@ func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, id
 	return roles, nil
 }
 
-func (store *store) Update(ctx context.Context, orgID valuer.UUID, role *authtypes.StorableRole) error {
+func (store *store) Update(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -145,7 +145,7 @@ func (store *store) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUI
 		sqlstore.
 		BunDBCtx(ctx).
 		NewDelete().
-		Model(new(authtypes.StorableRole)).
+		Model(new(authtypes.Role)).
 		Where("org_id = ?", orgID).
 		Where("id = ?", id).
 		Exec(ctx)

pkg/authz/config.go

@@ -4,14 +4,30 @@ import (
 	"github.com/SigNoz/signoz/pkg/factory"
 )
 
-type Config struct{}
+type Config struct {
+	// Provider is the name of the authorization provider to use.
+	Provider string `mapstructure:"provider"`
+
+	// OpenFGA is the configuration specific to the OpenFGA authorization provider.
+	OpenFGA OpenFGAConfig `mapstructure:"openfga"`
+}
+
+type OpenFGAConfig struct {
+	// MaxTuplesPerWrite is the maximum number of tuples to include in a single write call.
+	MaxTuplesPerWrite int `mapstructure:"max_tuples_per_write"`
+}
 
 func NewConfigFactory() factory.ConfigFactory {
 	return factory.NewConfigFactory(factory.MustNewName("authz"), newConfig)
 }
 
 func newConfig() factory.Config {
-	return Config{}
+	return &Config{
+		Provider: "openfga",
+		OpenFGA: OpenFGAConfig{
+			MaxTuplesPerWrite: 100,
+		},
+	}
 }
 
 func (c Config) Validate() error {

pkg/authz/openfgaauthz/provider.go

@@ -18,25 +18,31 @@ import (
 )
 
 type provider struct {
-	server *openfgaserver.Server
-	store  authtypes.RoleStore
+	server                    *openfgaserver.Server
+	store                     authtypes.RoleStore
+	registry                  []authz.RegisterTypeable
+	managedRolesByTransaction map[string][]string
 }
 
-func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore) factory.ProviderFactory[authz.AuthZ, authz.Config] {
+func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, registry ...authz.RegisterTypeable) factory.ProviderFactory[authz.AuthZ, authz.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("openfga"), func(ctx context.Context, ps factory.ProviderSettings, config authz.Config) (authz.AuthZ, error) {
-		return newOpenfgaProvider(ctx, ps, config, sqlstore, openfgaSchema, openfgaDataStore)
+		return newOpenfgaProvider(ctx, ps, config, sqlstore, openfgaSchema, openfgaDataStore, registry)
 	})
 }
 
-func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore) (authz.AuthZ, error) {
+func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, registry []authz.RegisterTypeable) (authz.AuthZ, error) {
 	server, err := openfgaserver.NewOpenfgaServer(ctx, settings, config, sqlstore, openfgaSchema, openfgaDataStore)
 	if err != nil {
 		return nil, err
 	}
 
+	managedRolesByTransaction := buildManagedRolesByTransaction(registry)
+
 	return &provider{
-		server: server,
-		store:  sqlauthzstore.NewSqlAuthzStore(sqlstore),
+		server:                    server,
+		store:                     sqlauthzstore.NewSqlAuthzStore(sqlstore),
+		registry:                  registry,
+		managedRolesByTransaction: managedRolesByTransaction,
 	}, nil
 }
 
@@ -68,68 +74,32 @@ func (provider *provider) Write(ctx context.Context, additions []*openfgav1.Tupl
 	return provider.server.Write(ctx, additions, deletions)
 }
 
-func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {
-	return provider.server.ListObjects(ctx, subject, relation, typeable)
+func (provider *provider) ReadTuples(ctx context.Context, tupleKey *openfgav1.ReadRequestTupleKey) ([]*openfgav1.TupleKey, error) {
+	return provider.server.ReadTuples(ctx, tupleKey)
+}
+
+func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType authtypes.Type) ([]*authtypes.Object, error) {
+	return provider.server.ListObjects(ctx, subject, relation, objectType)
 }
 
 func (provider *provider) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.Role, error) {
-	storableRole, err := provider.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return authtypes.NewRoleFromStorableRole(storableRole), nil
+	return provider.store.Get(ctx, orgID, id)
 }
 
 func (provider *provider) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*authtypes.Role, error) {
-	storableRole, err := provider.store.GetByOrgIDAndName(ctx, orgID, name)
-	if err != nil {
-		return nil, err
-	}
-
-	return authtypes.NewRoleFromStorableRole(storableRole), nil
+	return provider.store.GetByOrgIDAndName(ctx, orgID, name)
 }
 
 func (provider *provider) List(ctx context.Context, orgID valuer.UUID) ([]*authtypes.Role, error) {
-	storableRoles, err := provider.store.List(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	roles := make([]*authtypes.Role, len(storableRoles))
-	for idx, storableRole := range storableRoles {
-		roles[idx] = authtypes.NewRoleFromStorableRole(storableRole)
-	}
-
-	return roles, nil
+	return provider.store.List(ctx, orgID)
 }
 
 func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*authtypes.Role, error) {
-	storableRoles, err := provider.store.ListByOrgIDAndNames(ctx, orgID, names)
-	if err != nil {
-		return nil, err
-	}
-
-	roles := make([]*authtypes.Role, len(storableRoles))
-	for idx, storable := range storableRoles {
-		roles[idx] = authtypes.NewRoleFromStorableRole(storable)
-	}
-
-	return roles, nil
+	return provider.store.ListByOrgIDAndNames(ctx, orgID, names)
 }
 
 func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*authtypes.Role, error) {
-	storableRoles, err := provider.store.ListByOrgIDAndIDs(ctx, orgID, ids)
-	if err != nil {
-		return nil, err
-	}
-
-	roles := make([]*authtypes.Role, len(storableRoles))
-	for idx, storable := range storableRoles {
-		roles[idx] = authtypes.NewRoleFromStorableRole(storable)
-	}
-
-	return roles, nil
+	return provider.store.ListByOrgIDAndIDs(ctx, orgID, ids)
 }
 
 func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
@@ -197,7 +167,7 @@ func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names [
 func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID, managedRoles []*authtypes.Role) error {
 	err := provider.store.RunInTx(ctx, func(ctx context.Context) error {
 		for _, role := range managedRoles {
-			err := provider.store.Create(ctx, authtypes.NewStorableRoleFromRole(role))
+			err := provider.store.Create(ctx, role)
 			if err != nil {
 				return err
 			}
@@ -245,6 +215,42 @@ func (provider *provider) Delete(_ context.Context, _ valuer.UUID, _ valuer.UUID
 	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 
+func (provider *provider) CheckTransactions(ctx context.Context, subject string, orgID valuer.UUID, transactions []*authtypes.Transaction) ([]*authtypes.TransactionWithAuthorization, error) {
+	if len(transactions) == 0 {
+		return make([]*authtypes.TransactionWithAuthorization, 0), nil
+	}
+
+	tuples, preResolved, roleCorrelations, err := authtypes.NewTuplesFromTransactionsWithManagedRoles(transactions, subject, orgID, provider.managedRolesByTransaction)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(tuples) == 0 {
+		return authtypes.NewTransactionWithAuthorizationFromBatchResults(transactions, nil, preResolved, roleCorrelations), nil
+	}
+
+	batchResults, err := provider.server.BatchCheck(ctx, tuples)
+	if err != nil {
+		return nil, err
+	}
+
+	return authtypes.NewTransactionWithAuthorizationFromBatchResults(transactions, batchResults, preResolved, roleCorrelations), nil
+}
+
+func buildManagedRolesByTransaction(registry []authz.RegisterTypeable) map[string][]string {
+	managedRolesByTransaction := make(map[string][]string)
+	for _, register := range registry {
+		for roleName, transactions := range register.MustGetManagedRoleTransactions() {
+			for _, txn := range transactions {
+				key := txn.TransactionKey()
+				managedRolesByTransaction[key] = append(managedRolesByTransaction[key], roleName)
+			}
+		}
+	}
+
+	return managedRolesByTransaction
+}
+
 func (provider *provider) MustGetTypeables() []authtypes.Typeable {
 	return nil
 }

pkg/authz/openfgaserver/server.go

@@ -265,17 +265,45 @@ func (server *Server) Write(ctx context.Context, additions []*openfgav1.TupleKey
 	return nil
 }
 
-func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {
+func (server *Server) ReadTuples(ctx context.Context, tupleKey *openfgav1.ReadRequestTupleKey) ([]*openfgav1.TupleKey, error) {
+	storeID, _ := server.getStoreIDandModelID()
+	var tuples []*openfgav1.TupleKey
+	continuationToken := ""
+
+	for {
+		response, err := server.openfgaServer.Read(ctx, &openfgav1.ReadRequest{
+			StoreId:           storeID,
+			TupleKey:          tupleKey,
+			ContinuationToken: continuationToken,
+		})
+		if err != nil {
+			return nil, errors.Wrapf(err, errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "failed to read tuples from authorization server")
+		}
+
+		for _, tuple := range response.Tuples {
+			tuples = append(tuples, tuple.Key)
+		}
+
+		if response.ContinuationToken == "" {
+			break
+		}
+		continuationToken = response.ContinuationToken
+	}
+
+	return tuples, nil
+}
+
+func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType authtypes.Type) ([]*authtypes.Object, error) {
 	storeID, modelID := server.getStoreIDandModelID()
 	response, err := server.openfgaServer.ListObjects(ctx, &openfgav1.ListObjectsRequest{
 		StoreId:              storeID,
 		AuthorizationModelId: modelID,
 		User:                 subject,
 		Relation:             relation.StringValue(),
-		Type:                 typeable.Type().StringValue(),
+		Type:                 objectType.StringValue(),
 	})
 	if err != nil {
-		return nil, errors.Wrapf(err, errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "cannot list objects for subject %s with relation %s for type %s", subject, relation.StringValue(), typeable.Type().StringValue())
+		return nil, errors.Wrapf(err, errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "cannot list objects for subject %s with relation %s for type %s", subject, relation.StringValue(), objectType.StringValue())
 	}
 
 	return authtypes.MustNewObjectsFromStringSlice(response.Objects), nil

pkg/authz/signozauthzapi/handler.go

@@ -272,17 +272,11 @@ func (handler *handler) Check(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	tuples, err := authtypes.NewTuplesFromTransactions(transactions, subject, orgID)
+	results, err := handler.authz.CheckTransactions(ctx, subject, orgID, transactions)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	results, err := handler.authz.BatchCheck(ctx, tuples)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, authtypes.NewGettableTransaction(transactions, results))
+	render.Success(rw, http.StatusOK, authtypes.NewGettableTransaction(results))
 }

pkg/modules/llmpricingrule/impllmpricingrule/agent_feature.go

@@ -1,74 +0,0 @@
-package impllmpricingrule
-
-import (
-	"context"
-	"encoding/json"
-
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule"
-	"github.com/SigNoz/signoz/pkg/query-service/agentConf"
-	"github.com/SigNoz/signoz/pkg/types/llmpricingruletypes"
-	"github.com/SigNoz/signoz/pkg/types/opamptypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-const LLMCostFeatureType agentConf.AgentFeatureType = "llm_pricing"
-
-// LLMCostFeature implements agentConf.AgentFeature. It reads pricing rules
-// from the module and generates the signozllmpricing processor config for
-// deployment to OTel collectors via OpAMP.
-type LLMCostFeature struct {
-	module llmpricingrule.Module
-}
-
-func NewLLMCostFeature(module llmpricingrule.Module) *LLMCostFeature {
-	return &LLMCostFeature{module: module}
-}
-
-func (f *LLMCostFeature) AgentFeatureType() agentConf.AgentFeatureType {
-	return LLMCostFeatureType
-}
-
-func (f *LLMCostFeature) RecommendAgentConfig(
-	orgId valuer.UUID,
-	currentConfYaml []byte,
-	configVersion *opamptypes.AgentConfigVersion,
-) ([]byte, string, error) {
-	ctx := context.Background()
-
-	rules, err := f.getEnabledRules(ctx, orgId)
-	if err != nil {
-		return nil, "", err
-	}
-
-	updatedConf, err := generateCollectorConfigWithLLMCost(currentConfYaml, rules)
-	if err != nil {
-		return nil, "", err
-	}
-
-	serialized, err := json.Marshal(rules)
-	if err != nil {
-		return nil, "", err
-	}
-
-	return updatedConf, string(serialized), nil
-}
-
-// getEnabledRules fetches all enabled pricing rules for the given org.
-func (f *LLMCostFeature) getEnabledRules(ctx context.Context, orgId valuer.UUID) ([]*llmpricingruletypes.LLMPricingRule, error) {
-	if f.module == nil {
-		return nil, nil
-	}
-
-	rules, _, err := f.module.List(ctx, orgId, 0, 10000)
-	if err != nil {
-		return nil, err
-	}
-
-	enabled := make([]*llmpricingruletypes.LLMPricingRule, 0, len(rules))
-	for _, r := range rules {
-		if r.Enabled {
-			enabled = append(enabled, r)
-		}
-	}
-	return enabled, nil
-}

pkg/modules/llmpricingrule/impllmpricingrule/collector_config.go

@@ -1,94 +0,0 @@
-package impllmpricingrule
-
-import (
-	"bytes"
-	"fmt"
-
-	"github.com/SigNoz/signoz/pkg/types/llmpricingruletypes"
-	"gopkg.in/yaml.v3"
-)
-
-const processorName = "signozllmpricing"
-
-// buildProcessorConfig converts pricing rules into the signozllmpricing processor config.
-func buildProcessorConfig(rules []*llmpricingruletypes.LLMPricingRule) *llmpricingruletypes.LLMPricingRuleProcessorConfig {
-	pricingRules := make([]llmpricingruletypes.LLMPricingRuleProcessor, 0, len(rules))
-	for _, r := range rules {
-		pricingRules = append(pricingRules, llmpricingruletypes.LLMPricingRuleProcessor{
-			Name:    r.Model,
-			Pattern: r.ModelPattern,
-			Cache: llmpricingruletypes.LLMPricingRuleProcessorCache{
-				Mode:  r.CacheMode.StringValue(),
-				Read:  r.CostCacheRead,
-				Write: r.CostCacheWrite,
-			},
-			In:  r.CostInput,
-			Out: r.CostOutput,
-		})
-	}
-
-	return &llmpricingruletypes.LLMPricingRuleProcessorConfig{
-		Attrs: llmpricingruletypes.LLMPricingRuleProcessorAttrs{
-			Model:      "gen_ai.request.model",
-			In:         "gen_ai.usage.input_tokens",
-			Out:        "gen_ai.usage.output_tokens",
-			CacheRead:  "gen_ai.usage.input_token_details.cached",
-			CacheWrite: "gen_ai.usage.input_token_details.cache_creation",
-		},
-		DefaultPricing: llmpricingruletypes.LLMPricingRuleProcessorDefaultPricing{
-			Unit:  "per_million_tokens",
-			Rules: pricingRules,
-		},
-		OutputAttrs: llmpricingruletypes.LLMPricingRuleProcessorOutputAttrs{
-			In:         "_signoz.gen_ai.cost_input",
-			Out:        "_signoz.gen_ai.cost_output",
-			CacheRead:  "_signoz.gen_ai.cost_cache_read",
-			CacheWrite: "_signoz.gen_ai.cost_cache_write",
-			Total:      "_signoz.gen_ai.total_cost",
-		},
-	}
-}
-
-// generateCollectorConfigWithLLMCost injects (or replaces) the signozllmpricing
-// processor block in the collector YAML with one built from the given rules.
-// Pipeline wiring is handled by the collector's baseline config, not here.
-func generateCollectorConfigWithLLMCost(
-	currentConfYaml []byte,
-	rules []*llmpricingruletypes.LLMPricingRule,
-) ([]byte, error) {
-	// Empty input: nothing to inject into. Pass through unchanged so we don't
-	// turn it into "null\n" or fail on yaml.v3's EOF.
-	if len(bytes.TrimSpace(currentConfYaml)) == 0 {
-		return currentConfYaml, nil
-	}
-
-	var collectorConf map[string]any
-	if err := yaml.Unmarshal(currentConfYaml, &collectorConf); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal collector config: %w", err)
-	}
-	if collectorConf == nil {
-		collectorConf = map[string]any{}
-	}
-
-	processors := map[string]any{}
-	if collectorConf["processors"] != nil {
-		if p, ok := collectorConf["processors"].(map[string]any); ok {
-			processors = p
-		}
-	}
-
-	procConfig := buildProcessorConfig(rules)
-	configBytes, err := yaml.Marshal(procConfig)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal llm cost processor config: %w", err)
-	}
-	var configMap any
-	if err := yaml.Unmarshal(configBytes, &configMap); err != nil {
-		return nil, fmt.Errorf("failed to re-unmarshal llm cost processor config: %w", err)
-	}
-
-	processors[processorName] = configMap
-	collectorConf["processors"] = processors
-
-	return yaml.Marshal(collectorConf)
-}

pkg/modules/llmpricingrule/impllmpricingrule/collector_config_test.go

@@ -1,169 +0,0 @@
-package impllmpricingrule
-
-import (
-	"testing"
-
-	"github.com/SigNoz/signoz/pkg/types/llmpricingruletypes"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v3"
-)
-
-func makePricingRule(model string, patterns []string, cacheMode llmpricingruletypes.LLMPricingRuleCacheMode, costIn, costOut, cacheRead, cacheWrite float64) *llmpricingruletypes.LLMPricingRule {
-	return &llmpricingruletypes.LLMPricingRule{
-		Model:          model,
-		ModelPattern:   patterns,
-		Unit:           llmpricingruletypes.UnitPerMillionTokens,
-		CacheMode:      cacheMode,
-		CostInput:      costIn,
-		CostOutput:     costOut,
-		CostCacheRead:  cacheRead,
-		CostCacheWrite: cacheWrite,
-		Enabled:        true,
-	}
-}
-
-func TestBuildProcessorConfig_EmptyRules(t *testing.T) {
-	cfg := buildProcessorConfig(nil)
-
-	require.NotNil(t, cfg)
-	assert.Empty(t, cfg.DefaultPricing.Rules)
-	assert.Equal(t, "per_million_tokens", cfg.DefaultPricing.Unit)
-
-	assert.Equal(t, "gen_ai.request.model", cfg.Attrs.Model)
-	assert.Equal(t, "gen_ai.usage.input_tokens", cfg.Attrs.In)
-	assert.Equal(t, "gen_ai.usage.output_tokens", cfg.Attrs.Out)
-	assert.Equal(t, "gen_ai.usage.input_token_details.cached", cfg.Attrs.CacheRead)
-	assert.Equal(t, "gen_ai.usage.input_token_details.cache_creation", cfg.Attrs.CacheWrite)
-
-	assert.Equal(t, "_signoz.gen_ai.cost_input", cfg.OutputAttrs.In)
-	assert.Equal(t, "_signoz.gen_ai.cost_output", cfg.OutputAttrs.Out)
-	assert.Equal(t, "_signoz.gen_ai.cost_cache_read", cfg.OutputAttrs.CacheRead)
-	assert.Equal(t, "_signoz.gen_ai.cost_cache_write", cfg.OutputAttrs.CacheWrite)
-	assert.Equal(t, "_signoz.gen_ai.total_cost", cfg.OutputAttrs.Total)
-}
-
-func TestBuildProcessorConfig_SingleRule(t *testing.T) {
-	rules := []*llmpricingruletypes.LLMPricingRule{
-		makePricingRule("gpt-4o", []string{"gpt-4o*"}, llmpricingruletypes.LLMPricingRuleCacheModeSubtract, 5.0, 15.0, 2.5, 0),
-	}
-
-	cfg := buildProcessorConfig(rules)
-
-	require.Len(t, cfg.DefaultPricing.Rules, 1)
-	r := cfg.DefaultPricing.Rules[0]
-	assert.Equal(t, "gpt-4o", r.Name)
-	assert.Equal(t, []string{"gpt-4o*"}, r.Pattern)
-	assert.Equal(t, 5.0, r.In)
-	assert.Equal(t, 15.0, r.Out)
-	assert.Equal(t, "subtract", r.Cache.Mode)
-	assert.Equal(t, 2.5, r.Cache.Read)
-	assert.Equal(t, 0.0, r.Cache.Write)
-}
-
-func TestBuildProcessorConfig_MultipleRules_PreservesOrder(t *testing.T) {
-	rules := []*llmpricingruletypes.LLMPricingRule{
-		makePricingRule("gpt-4o", []string{"gpt-4o*"}, llmpricingruletypes.LLMPricingRuleCacheModeSubtract, 5.0, 15.0, 2.5, 0),
-		makePricingRule("claude-sonnet", []string{"claude-sonnet-*", "claude-3-5-*"}, llmpricingruletypes.LLMPricingRuleCacheModeAdditive, 3.0, 15.0, 0.30, 3.75),
-		makePricingRule("gemini", []string{"gemini-*"}, llmpricingruletypes.LLMPricingRuleCacheModeUnknown, 1.25, 5.0, 0, 0),
-	}
-
-	cfg := buildProcessorConfig(rules)
-	require.Len(t, cfg.DefaultPricing.Rules, 3)
-
-	assert.Equal(t, "gpt-4o", cfg.DefaultPricing.Rules[0].Name)
-	assert.Equal(t, []string{"gpt-4o*"}, cfg.DefaultPricing.Rules[0].Pattern)
-	assert.Equal(t, "subtract", cfg.DefaultPricing.Rules[0].Cache.Mode)
-
-	assert.Equal(t, "claude-sonnet", cfg.DefaultPricing.Rules[1].Name)
-	assert.Equal(t, []string{"claude-sonnet-*", "claude-3-5-*"}, cfg.DefaultPricing.Rules[1].Pattern)
-	assert.Equal(t, "additive", cfg.DefaultPricing.Rules[1].Cache.Mode)
-	assert.Equal(t, 0.30, cfg.DefaultPricing.Rules[1].Cache.Read)
-	assert.Equal(t, 3.75, cfg.DefaultPricing.Rules[1].Cache.Write)
-
-	assert.Equal(t, "gemini", cfg.DefaultPricing.Rules[2].Name)
-	assert.Equal(t, []string{"gemini-*"}, cfg.DefaultPricing.Rules[2].Pattern)
-	assert.Equal(t, "unknown", cfg.DefaultPricing.Rules[2].Cache.Mode)
-	assert.Equal(t, 1.25, cfg.DefaultPricing.Rules[2].In)
-	assert.Equal(t, 5.0, cfg.DefaultPricing.Rules[2].Out)
-}
-
-func TestBuildProcessorConfig_NilPattern(t *testing.T) {
-	rules := []*llmpricingruletypes.LLMPricingRule{
-		makePricingRule("gpt-4o", nil, llmpricingruletypes.LLMPricingRuleCacheModeSubtract, 5.0, 15.0, 2.5, 0),
-	}
-
-	cfg := buildProcessorConfig(rules)
-	require.Len(t, cfg.DefaultPricing.Rules, 1)
-	assert.Nil(t, cfg.DefaultPricing.Rules[0].Pattern)
-}
-
-func TestGenerateCollectorConfig_NoRulesStillInjectsProcessor(t *testing.T) {
-	// We deploy the processor even with zero rules so rules can be added
-	// later (by a user or by Zeus) without any config-shape change.
-	// Pipeline wiring is handled by the collector's baseline config.
-	in := []byte(`
-receivers:
-  otlp:
-    protocols:
-      grpc:
-processors:
-  batch: {}
-exporters:
-  otlp:
-    endpoint: localhost:4317
-service:
-  pipelines:
-    traces:
-      receivers: [otlp]
-      processors: [batch, signozllmpricing]
-      exporters: [otlp]
-`)
-
-	out, err := generateCollectorConfigWithLLMCost(in, nil)
-	require.NoError(t, err)
-
-	var conf map[string]any
-	require.NoError(t, yaml.Unmarshal(out, &conf))
-
-	processors := conf["processors"].(map[string]any)
-	require.Contains(t, processors, processorName, "processor must be present even with zero rules")
-
-	procCfg := processors[processorName].(map[string]any)
-	pricing := procCfg["default_pricing"].(map[string]any)
-	if rules, ok := pricing["rules"].([]any); ok {
-		assert.Empty(t, rules, "rules list must be empty when no pricing rules configured")
-	}
-}
-
-func TestGenerateCollectorConfig_EmptyInput(t *testing.T) {
-	// yaml.v3 returns an EOF error on empty/whitespace input; ensure the
-	// generator passes it through unchanged instead.
-	rules := []*llmpricingruletypes.LLMPricingRule{
-		makePricingRule("gpt-4o", []string{"gpt-4o*"}, llmpricingruletypes.LLMPricingRuleCacheModeSubtract, 5.0, 15.0, 2.5, 0),
-	}
-
-	for _, in := range [][]byte{nil, {}, []byte("   \n"), []byte("\t\t")} {
-		out, err := generateCollectorConfigWithLLMCost(in, rules)
-		require.NoError(t, err)
-		assert.Equal(t, in, out)
-
-		out, err = generateCollectorConfigWithLLMCost(in, nil)
-		require.NoError(t, err)
-		assert.Equal(t, in, out)
-	}
-}
-
-func TestBuildProcessorConfig_ZeroCosts(t *testing.T) {
-	rules := []*llmpricingruletypes.LLMPricingRule{
-		makePricingRule("free-model", []string{"free-*"}, llmpricingruletypes.LLMPricingRuleCacheModeSubtract, 0, 0, 0, 0),
-	}
-
-	cfg := buildProcessorConfig(rules)
-	require.Len(t, cfg.DefaultPricing.Rules, 1)
-	r := cfg.DefaultPricing.Rules[0]
-	assert.Equal(t, 0.0, r.In)
-	assert.Equal(t, 0.0, r.Out)
-	assert.Equal(t, 0.0, r.Cache.Read)
-	assert.Equal(t, 0.0, r.Cache.Write)
-}

pkg/modules/llmpricingrule/impllmpricingrule/handler.go

@@ -1,158 +0,0 @@
-package impllmpricingrule
-
-import (
-	"context"
-	"net/http"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/http/binding"
-	"github.com/SigNoz/signoz/pkg/http/render"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/llmpricingruletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/gorilla/mux"
-)
-
-const maxLimit = 100
-
-type handler struct {
-	module           llmpricingrule.Module
-	providerSettings factory.ProviderSettings
-}
-
-func NewHandler(module llmpricingrule.Module, providerSettings factory.ProviderSettings) llmpricingrule.Handler {
-	return &handler{module: module, providerSettings: providerSettings}
-}
-
-// List handles GET /api/v1/llm_pricing_rules.
-func (h *handler) List(rw http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	orgID := valuer.MustNewUUID(claims.OrgID)
-
-	var q llmpricingruletypes.ListPricingRulesQuery
-	if err := binding.Query.BindQuery(r.URL.Query(), &q); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	if q.Limit <= 0 {
-		q.Limit = 20
-	} else if q.Limit > maxLimit {
-		q.Limit = maxLimit
-	}
-	if q.Offset < 0 {
-		render.Error(rw, errors.Newf(errors.TypeInvalidInput, llmpricingruletypes.ErrCodePricingRuleInvalidInput, "offset must be a non-negative integer"))
-		return
-	}
-
-	rules, total, err := h.module.List(ctx, orgID, q.Offset, q.Limit)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, llmpricingruletypes.NewGettableLLMPricingRulesFromLLMPricingRules(rules, total, q.Offset, q.Limit))
-}
-
-// Get handles GET /api/v1/llm_pricing_rules/{id}.
-func (h *handler) Get(rw http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	orgID := valuer.MustNewUUID(claims.OrgID)
-
-	id, err := ruleIDFromPath(r)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	rule, err := h.module.Get(ctx, orgID, id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, rule)
-}
-
-func (h *handler) Update(rw http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
-	defer cancel()
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	orgID := valuer.MustNewUUID(claims.OrgID)
-
-	req := new(llmpricingruletypes.UpdatableLLMPricingRules)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = h.module.Update(ctx, orgID, claims.Email, req.Rules)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-// Delete handles DELETE /api/v1/llm_pricing_rules/{id}.
-func (h *handler) Delete(rw http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	orgID := valuer.MustNewUUID(claims.OrgID)
-
-	id, err := ruleIDFromPath(r)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	if err := h.module.Delete(ctx, orgID, id); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-// ruleIDFromPath extracts and validates the {id} path variable.
-func ruleIDFromPath(r *http.Request) (valuer.UUID, error) {
-	raw := mux.Vars(r)["id"]
-	id, err := valuer.NewUUID(raw)
-	if err != nil {
-		return valuer.UUID{}, errors.Wrapf(err, errors.TypeInvalidInput, llmpricingruletypes.ErrCodePricingRuleInvalidInput, "id is not a valid uuid")
-	}
-	return id, nil
-}

pkg/modules/llmpricingrule/impllmpricingrule/module.go

@@ -1,127 +0,0 @@
-package impllmpricingrule
-
-import (
-	"context"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule"
-	"github.com/SigNoz/signoz/pkg/query-service/agentConf"
-	"github.com/SigNoz/signoz/pkg/types/llmpricingruletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type module struct {
-	store llmpricingruletypes.Store
-}
-
-func NewModule(store llmpricingruletypes.Store) llmpricingrule.Module {
-	return &module{store: store}
-}
-
-func (m *module) List(ctx context.Context, orgID valuer.UUID, offset, limit int) ([]*llmpricingruletypes.LLMPricingRule, int, error) {
-	storables, total, err := m.store.List(ctx, orgID, offset, limit)
-	if err != nil {
-		return nil, 0, err
-	}
-	rules := make([]*llmpricingruletypes.LLMPricingRule, len(storables))
-	for i, s := range storables {
-		rules[i] = llmpricingruletypes.NewLLMPricingRuleFromStorable(s)
-	}
-	return rules, total, nil
-}
-
-func (m *module) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*llmpricingruletypes.LLMPricingRule, error) {
-	s, err := m.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-	return llmpricingruletypes.NewLLMPricingRuleFromStorable(s), nil
-}
-
-// Update applies a batch of pricing rule changes:
-//   - ID set       → match by id, overwrite fields.
-//   - SourceID set → match by source_id; if found overwrite, else insert.
-//   - neither set  → insert a new user-created row (is_override = true).
-//
-// When UpdatableLLMPricingRule.IsOverride is nil AND the matched row has
-// is_override = true, the row is fully preserved — only synced_at is stamped.
-func (m *module) Update(ctx context.Context, orgID valuer.UUID, userEmail string, rules []llmpricingruletypes.UpdatableLLMPricingRule) error {
-	now := time.Now()
-
-	for _, r := range rules {
-		existing, err := m.findExisting(ctx, orgID, r)
-		if err != nil {
-			return err
-		}
-
-		if existing == nil {
-			if err := m.store.Create(ctx, llmpricingruletypes.NewStorablePricingRuleFromUpdatable(orgID, userEmail, now, r)); err != nil {
-				return err
-			}
-			continue
-		}
-
-		if r.IsOverride == nil && existing.IsOverride {
-			existing.SyncedAt = &now
-			if err := m.store.Update(ctx, existing); err != nil {
-				return err
-			}
-			continue
-		}
-
-		applyUpdate(existing, userEmail, now, r)
-		if err := m.store.Update(ctx, existing); err != nil {
-			return err
-		}
-	}
-
-	agentConf.NotifyConfigUpdate(ctx)
-	return nil
-}
-
-func (m *module) Delete(ctx context.Context, orgID, id valuer.UUID) error {
-	if err := m.store.Delete(ctx, orgID, id); err != nil {
-		return err
-	}
-
-	agentConf.NotifyConfigUpdate(ctx)
-
-	return nil
-}
-
-func (m *module) findExisting(ctx context.Context, orgID valuer.UUID, r llmpricingruletypes.UpdatableLLMPricingRule) (*llmpricingruletypes.StorableLLMPricingRule, error) {
-	switch {
-	case r.ID != nil:
-		return m.store.Get(ctx, orgID, *r.ID)
-	case r.SourceID != nil:
-		s, err := m.store.GetBySourceID(ctx, orgID, *r.SourceID)
-		if err != nil {
-			if errors.Ast(err, errors.TypeNotFound) {
-				return nil, nil
-			}
-			return nil, err
-		}
-		return s, nil
-	default:
-		return nil, nil
-	}
-}
-
-func applyUpdate(existing *llmpricingruletypes.StorableLLMPricingRule, userEmail string, now time.Time, r llmpricingruletypes.UpdatableLLMPricingRule) {
-	existing.Model = r.Model
-	existing.ModelPattern = r.ModelPattern
-	existing.Unit = r.Unit
-	existing.CacheMode = r.CacheMode
-	existing.CostInput = r.CostInput
-	existing.CostOutput = r.CostOutput
-	existing.CostCacheRead = r.CostCacheRead
-	existing.CostCacheWrite = r.CostCacheWrite
-	if r.IsOverride != nil {
-		existing.IsOverride = *r.IsOverride
-	}
-	existing.Enabled = r.Enabled
-	existing.SyncedAt = &now
-	existing.UpdatedAt = now
-	existing.UpdatedBy = userEmail
-}

pkg/modules/llmpricingrule/impllmpricingrule/store.go

@@ -1,137 +0,0 @@
-package impllmpricingrule
-
-import (
-	"context"
-	"database/sql"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types/llmpricingruletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type store struct {
-	sqlstore sqlstore.SQLStore
-}
-
-func NewStore(sqlstore sqlstore.SQLStore) llmpricingruletypes.Store {
-	return &store{sqlstore: sqlstore}
-}
-
-func (s *store) List(ctx context.Context, orgID valuer.UUID, offset, limit int) ([]*llmpricingruletypes.StorableLLMPricingRule, int, error) {
-	rules := make([]*llmpricingruletypes.StorableLLMPricingRule, 0)
-
-	count, err := s.sqlstore.
-		BunDB().
-		NewSelect().
-		Model(&rules).
-		Where("org_id = ?", orgID).
-		Order("created_at DESC").
-		Offset(offset).
-		Limit(limit).
-		ScanAndCount(ctx)
-	if err != nil {
-		return nil, 0, err
-	}
-
-	return rules, count, nil
-}
-
-func (s *store) Get(ctx context.Context, orgID, id valuer.UUID) (*llmpricingruletypes.StorableLLMPricingRule, error) {
-	rule := new(llmpricingruletypes.StorableLLMPricingRule)
-
-	err := s.sqlstore.
-		BunDB().
-		NewSelect().
-		Model(rule).
-		Where("org_id = ?", orgID).
-		Where("id = ?", id).
-		Scan(ctx)
-	if err != nil {
-		if err == sql.ErrNoRows {
-			return nil, s.sqlstore.WrapNotFoundErrf(err, llmpricingruletypes.ErrCodePricingRuleNotFound, "pricing rule %s not found", id)
-		}
-		return nil, err
-	}
-
-	return rule, nil
-}
-
-func (s *store) GetBySourceID(ctx context.Context, orgID, sourceID valuer.UUID) (*llmpricingruletypes.StorableLLMPricingRule, error) {
-	rule := new(llmpricingruletypes.StorableLLMPricingRule)
-
-	err := s.sqlstore.
-		BunDB().
-		NewSelect().
-		Model(rule).
-		Where("org_id = ?", orgID).
-		Where("source_id = ?", sourceID).
-		Scan(ctx)
-	if err != nil {
-		if err == sql.ErrNoRows {
-			return nil, s.sqlstore.WrapNotFoundErrf(err, llmpricingruletypes.ErrCodePricingRuleNotFound, "pricing rule with source_id %s not found", sourceID)
-		}
-		return nil, err
-	}
-
-	return rule, nil
-}
-
-func (s *store) Create(ctx context.Context, rule *llmpricingruletypes.StorableLLMPricingRule) error {
-	_, err := s.sqlstore.
-		BunDBCtx(ctx).
-		NewInsert().
-		Model(rule).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *store) Update(ctx context.Context, rule *llmpricingruletypes.StorableLLMPricingRule) error {
-	res, err := s.sqlstore.
-		BunDBCtx(ctx).
-		NewUpdate().
-		Model(rule).
-		Where("org_id = ?", rule.OrgID).
-		Where("id = ?", rule.ID).
-		ExcludeColumn("id", "org_id", "created_at", "created_by").
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	rowsAffected, err := res.RowsAffected()
-	if err != nil {
-		return err
-	}
-	if rowsAffected == 0 {
-		return errors.Newf(errors.TypeNotFound, llmpricingruletypes.ErrCodePricingRuleNotFound, "pricing rule %s not found", rule.ID)
-	}
-
-	return nil
-}
-
-func (s *store) Delete(ctx context.Context, orgID, id valuer.UUID) error {
-	res, err := s.sqlstore.
-		BunDBCtx(ctx).
-		NewDelete().
-		Model((*llmpricingruletypes.StorableLLMPricingRule)(nil)).
-		Where("org_id = ?", orgID).
-		Where("id = ?", id).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	rowsAffected, err := res.RowsAffected()
-	if err != nil {
-		return err
-	}
-	if rowsAffected == 0 {
-		return errors.Newf(errors.TypeNotFound, llmpricingruletypes.ErrCodePricingRuleNotFound, "pricing rule %s not found", id)
-	}
-
-	return nil
-}

pkg/modules/llmpricingrule/llmpricingrule.go

@@ -1,24 +0,0 @@
-package llmpricingrule
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/SigNoz/signoz/pkg/types/llmpricingruletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type Module interface {
-	List(ctx context.Context, orgID valuer.UUID, offset, limit int) ([]*llmpricingruletypes.LLMPricingRule, int, error)
-	Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*llmpricingruletypes.LLMPricingRule, error)
-	Update(ctx context.Context, orgID valuer.UUID, userEmail string, rules []llmpricingruletypes.UpdatableLLMPricingRule) (err error)
-	Delete(ctx context.Context, orgID, id valuer.UUID) error
-}
-
-// Handler defines the HTTP handler interface for pricing rule endpoints.
-type Handler interface {
-	List(rw http.ResponseWriter, r *http.Request)
-	Get(rw http.ResponseWriter, r *http.Request)
-	Update(rw http.ResponseWriter, r *http.Request)
-	Delete(rw http.ResponseWriter, r *http.Request)
-}

pkg/modules/serviceaccount/implserviceaccount/getter.go

@@ -0,0 +1,30 @@
+package implserviceaccount
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type getter struct {
+	store serviceaccounttypes.Store
+}
+
+func NewGetter(store serviceaccounttypes.Store) serviceaccount.Getter {
+	return &getter{store: store}
+}
+
+func (getter *getter) OnBeforeRoleDelete(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) error {
+	serviceAccounts, err := getter.store.GetServiceAccountsByOrgIDAndRoleID(ctx, orgID, roleID)
+	if err != nil {
+		return err
+	}
+	if len(serviceAccounts) > 0 {
+		return errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleHasServiceAccountAssignees, "role has active service account assignments, remove them before deleting")
+	}
+	return nil
+}

pkg/modules/serviceaccount/implserviceaccount/store.go

@@ -123,6 +123,25 @@ func (store *store) GetByIDAndStatus(ctx context.Context, id valuer.UUID, status
 	return storable, nil
 }
 
+func (store *store) GetServiceAccountsByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error) {
+	serviceAccounts := make([]*serviceaccounttypes.ServiceAccount, 0)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&serviceAccounts).
+		Join(`JOIN service_account_role ON service_account_role.service_account_id = service_account.id`).
+		Where(`service_account.org_id = ?`, orgID).
+		Where("service_account_role.role_id = ?", roleID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return serviceAccounts, nil
+}
+
 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
 	storable := new(serviceaccounttypes.ServiceAccount)
 

pkg/modules/serviceaccount/serviceaccount.go

@@ -11,6 +11,11 @@ import (
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
+type Getter interface {
+	// OnBeforeRoleDelete checks if any service accounts are assigned to the role and rejects deletion if so.
+	OnBeforeRoleDelete(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) error
+}
+
 type Module interface {
 	// Creates a new service account for an organization.
 	Create(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error

pkg/modules/user/impluser/getter.go

@@ -225,3 +225,14 @@ func (module *getter) GetResetPasswordTokenByOrgIDAndUserID(ctx context.Context,
 func (module *getter) GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error) {
 	return module.store.GetUsersByOrgIDAndRoleID(ctx, orgID, roleID)
 }
+
+func (module *getter) OnBeforeRoleDelete(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) error {
+	users, err := module.GetUsersByOrgIDAndRoleID(ctx, orgID, roleID)
+	if err != nil {
+		return err
+	}
+	if len(users) > 0 {
+		return errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleHasUserAssignees, "role has active user assignments, remove them before deleting")
+	}
+	return nil
+}

pkg/modules/user/user.go

@@ -91,6 +91,9 @@ type Getter interface {
 
 	// Gets all the user with role using role id in an org id
 	GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error)
+
+	// OnBeforeRoleDelete checks if any users are assigned to the role and rejects deletion if so.
+	OnBeforeRoleDelete(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) error
 }
 
 type Handler interface {

pkg/query-service/app/server.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/cache/memorycache"
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule/impllmpricingrule"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 
 	"github.com/gorilla/handlers"
@@ -130,14 +129,11 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {
 
 	opAmpModel.Init(signoz.SQLStore, signoz.Instrumentation.Logger(), signoz.Modules.OrgGetter)
 
-	llmCostFeature := impllmpricingrule.NewLLMCostFeature(signoz.Modules.LLMPricingRule)
-
 	agentConfMgr, err := agentConf.Initiate(
 		&agentConf.ManagerOptions{
 			Store: signoz.SQLStore,
 			AgentFeatures: []agentConf.AgentFeature{
 				logParsingPipelineController,
-				llmCostFeature,
 			},
 		},
 	)

pkg/signoz/config.go

@@ -12,6 +12,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/analytics"
 	"github.com/SigNoz/signoz/pkg/apiserver"
 	"github.com/SigNoz/signoz/pkg/auditor"
+	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/config"
 	"github.com/SigNoz/signoz/pkg/emailing"
@@ -135,6 +136,9 @@ type Config struct {
 
 	// CloudIntegration config
 	CloudIntegration cloudintegration.Config `mapstructure:"cloudintegration"`
+
+	// Authz config
+	Authz authz.Config `mapstructure:"authz"`
 }
 
 func NewConfig(ctx context.Context, logger *slog.Logger, resolverConfig config.ResolverConfig) (Config, error) {
@@ -168,6 +172,7 @@ func NewConfig(ctx context.Context, logger *slog.Logger, resolverConfig config.R
 		serviceaccount.NewConfigFactory(),
 		auditor.NewConfigFactory(),
 		cloudintegration.NewConfigFactory(),
+		authz.NewConfigFactory(),
 	}
 
 	conf, err := config.New(ctx, resolverConfig, configFactories)

pkg/signoz/handler.go

@@ -3,6 +3,8 @@ package signoz
 import (
 	"github.com/SigNoz/signoz/pkg/alertmanager"
 	"github.com/SigNoz/signoz/pkg/alertmanager/signozalertmanager"
+	"github.com/SigNoz/signoz/pkg/ruler"
+	"github.com/SigNoz/signoz/pkg/ruler/signozruler"
 	"github.com/SigNoz/signoz/pkg/analytics"
 	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/authz/signozauthzapi"
@@ -22,8 +24,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/fields/implfields"
 	"github.com/SigNoz/signoz/pkg/modules/inframonitoring"
 	"github.com/SigNoz/signoz/pkg/modules/inframonitoring/implinframonitoring"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule/impllmpricingrule"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer/implmetricsexplorer"
 	"github.com/SigNoz/signoz/pkg/modules/quickfilter"
@@ -43,8 +43,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/tracefunnel"
 	"github.com/SigNoz/signoz/pkg/modules/tracefunnel/impltracefunnel"
 	"github.com/SigNoz/signoz/pkg/querier"
-	"github.com/SigNoz/signoz/pkg/ruler"
-	"github.com/SigNoz/signoz/pkg/ruler/signozruler"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 	"github.com/SigNoz/signoz/pkg/zeus"
 )
@@ -73,7 +71,6 @@ type Handlers struct {
 	RuleStateHistory        rulestatehistory.Handler
 	AlertmanagerHandler     alertmanager.Handler
 	RulerHandler            ruler.Handler
-	LLMPricingRuleHandler   llmpricingrule.Handler
 }
 
 func NewHandlers(
@@ -116,6 +113,5 @@ func NewHandlers(
 		CloudIntegrationHandler: implcloudintegration.NewHandler(modules.CloudIntegration),
 		AlertmanagerHandler:     signozalertmanager.NewHandler(alertmanagerService),
 		RulerHandler:            signozruler.NewHandler(rulerService),
-		LLMPricingRuleHandler:   impllmpricingrule.NewHandler(modules.LLMPricingRule, providerSettings),
 	}
 }

pkg/signoz/module.go

@@ -16,8 +16,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/inframonitoring"
 	"github.com/SigNoz/signoz/pkg/modules/inframonitoring/implinframonitoring"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule/impllmpricingrule"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer/implmetricsexplorer"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
@@ -78,7 +76,6 @@ type Modules struct {
 	ServiceAccount   serviceaccount.Module
 	CloudIntegration cloudintegration.Module
 	RuleStateHistory rulestatehistory.Module
-	LLMPricingRule   llmpricingrule.Module
 }
 
 func NewModules(
@@ -130,6 +127,5 @@ func NewModules(
 		ServiceAccount:   serviceAccount,
 		RuleStateHistory: implrulestatehistory.NewModule(implrulestatehistory.NewStore(telemetryStore, telemetryMetadataStore, providerSettings.Logger)),
 		CloudIntegration: cloudIntegrationModule,
-		LLMPricingRule:   impllmpricingrule.NewModule(impllmpricingrule.NewStore(sqlstore)),
 	}
 }

pkg/signoz/openapi.go

@@ -17,7 +17,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/instrumentation"
-	"github.com/SigNoz/signoz/pkg/modules/llmpricingrule"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
 	"github.com/SigNoz/signoz/pkg/modules/cloudintegration"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
@@ -75,7 +74,6 @@ func NewOpenAPI(ctx context.Context, instrumentation instrumentation.Instrumenta
 		struct{ cloudintegration.Handler }{},
 		struct{ rulestatehistory.Handler }{},
 		struct{ alertmanager.Handler }{},
-		struct{ llmpricingrule.Handler }{},
 		struct{ ruler.Handler }{},
 	).New(ctx, instrumentation.ToProviderSettings(), apiserver.Config{})
 	if err != nil {

pkg/signoz/provider.go

@@ -3,6 +3,8 @@ package signoz
 import (
 	"github.com/SigNoz/signoz/pkg/alertmanager"
 	"github.com/SigNoz/signoz/pkg/alertmanager/nfmanager"
+	"github.com/SigNoz/signoz/pkg/auditor"
+	"github.com/SigNoz/signoz/pkg/auditor/noopauditor"
 	"github.com/SigNoz/signoz/pkg/alertmanager/nfmanager/rulebasednotification"
 	"github.com/SigNoz/signoz/pkg/alertmanager/signozalertmanager"
 	"github.com/SigNoz/signoz/pkg/analytics"
@@ -10,8 +12,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/analytics/segmentanalytics"
 	"github.com/SigNoz/signoz/pkg/apiserver"
 	"github.com/SigNoz/signoz/pkg/apiserver/signozapiserver"
-	"github.com/SigNoz/signoz/pkg/auditor"
-	"github.com/SigNoz/signoz/pkg/auditor/noopauditor"
 	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/cache/memorycache"
@@ -195,7 +195,6 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewServiceAccountAuthzactory(sqlstore),
 		sqlmigration.NewDropUserDeletedAtFactory(sqlstore, sqlschema),
 		sqlmigration.NewMigrateAWSAllRegionsFactory(sqlstore),
-		sqlmigration.NewAddLLMPricingRulesFactory(sqlstore, sqlschema),
 	)
 }
 
@@ -228,6 +227,8 @@ func NewAlertmanagerProviderFactories(sqlstore sqlstore.SQLStore, orgGetter orga
 	)
 }
 
+
+
 func NewEmailingProviderFactories() factory.NamedMap[factory.ProviderFactory[emailing.Emailing, emailing.Config]] {
 	return factory.MustNewNamedMap(
 		noopemailing.NewFactory(),
@@ -283,7 +284,6 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			handlers.CloudIntegrationHandler,
 			handlers.RuleStateHistory,
 			handlers.AlertmanagerHandler,
-			handlers.LLMPricingRuleHandler,
 			handlers.RulerHandler,
 		),
 	)

pkg/signoz/signoz.go

@@ -100,7 +100,7 @@ func New(
 	sqlstoreProviderFactories factory.NamedMap[factory.ProviderFactory[sqlstore.SQLStore, sqlstore.Config]],
 	telemetrystoreProviderFactories factory.NamedMap[factory.ProviderFactory[telemetrystore.TelemetryStore, telemetrystore.Config]],
 	authNsCallback func(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error),
-	authzCallback func(context.Context, sqlstore.SQLStore, licensing.Licensing, dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error),
+	authzCallback func(context.Context, sqlstore.SQLStore, licensing.Licensing, []authz.OnBeforeRoleDelete, dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error),
 	dashboardModuleCallback func(sqlstore.SQLStore, factory.ProviderSettings, analytics.Analytics, organization.Getter, queryparser.QueryParser, querier.Querier, licensing.Licensing) dashboard.Module,
 	gatewayProviderFactory func(licensing.Licensing) factory.ProviderFactory[gateway.Gateway, gateway.Config],
 	auditorProviderFactories func(licensing.Licensing) factory.NamedMap[factory.ProviderFactory[auditor.Auditor, auditor.Config]],
@@ -328,19 +328,28 @@ func New(
 	// Initialize dashboard module (needed for authz registry)
 	dashboard := dashboardModuleCallback(sqlstore, providerSettings, analytics, orgGetter, queryParser, querier, licensing)
 
-	// Initialize authz
-	authzProviderFactory, err := authzCallback(ctx, sqlstore, licensing, dashboard)
-	if err != nil {
-		return nil, err
-	}
-	authz, err := authzProviderFactory.New(ctx, providerSettings, authz.Config{})
-	if err != nil {
-		return nil, err
-	}
-
 	// Initialize user getter
 	userGetter := impluser.NewGetter(userStore, userRoleStore, flagger)
 
+	// Initialize service account getter
+	serviceAccountGetter := implserviceaccount.NewGetter(implserviceaccount.NewStore(sqlstore))
+
+	// Build pre-delete callbacks from modules
+	onBeforeRoleDelete := []authz.OnBeforeRoleDelete{
+		userGetter.OnBeforeRoleDelete,
+		serviceAccountGetter.OnBeforeRoleDelete,
+	}
+
+	// Initialize authz
+	authzProviderFactory, err := authzCallback(ctx, sqlstore, licensing, onBeforeRoleDelete, dashboard)
+	if err != nil {
+		return nil, err
+	}
+	authz, err := authzProviderFactory.New(ctx, providerSettings, config.Authz)
+	if err != nil {
+		return nil, err
+	}
+
 	// Initialize notification manager from the available notification manager provider factories
 	nfManager, err := factory.NewProviderFromNamedMap(
 		ctx,

pkg/sqlmigration/059_add_managed_roles.go

@@ -54,7 +54,7 @@ func (migration *addManagedRoles) Up(ctx context.Context, db *bun.DB) error {
 		return err
 	}
 
-	managedRoles := []*authtypes.StorableRole{}
+	managedRoles := []*authtypes.Role{}
 	for _, orgIDStr := range orgIDs {
 		orgID, err := valuer.NewUUID(orgIDStr)
 		if err != nil {
@@ -63,19 +63,19 @@ func (migration *addManagedRoles) Up(ctx context.Context, db *bun.DB) error {
 
 		// signoz admin
 		signozAdminRole := authtypes.NewRole(authtypes.SigNozAdminRoleName, authtypes.SigNozAdminRoleDescription, authtypes.RoleTypeManaged, orgID)
-		managedRoles = append(managedRoles, authtypes.NewStorableRoleFromRole(signozAdminRole))
+		managedRoles = append(managedRoles, signozAdminRole)
 
 		// signoz editor
 		signozEditorRole := authtypes.NewRole(authtypes.SigNozEditorRoleName, authtypes.SigNozEditorRoleDescription, authtypes.RoleTypeManaged, orgID)
-		managedRoles = append(managedRoles, authtypes.NewStorableRoleFromRole(signozEditorRole))
+		managedRoles = append(managedRoles, signozEditorRole)
 
 		// signoz viewer
 		signozViewerRole := authtypes.NewRole(authtypes.SigNozViewerRoleName, authtypes.SigNozViewerRoleDescription, authtypes.RoleTypeManaged, orgID)
-		managedRoles = append(managedRoles, authtypes.NewStorableRoleFromRole(signozViewerRole))
+		managedRoles = append(managedRoles, signozViewerRole)
 
 		// signoz anonymous
 		signozAnonymousRole := authtypes.NewRole(authtypes.SigNozAnonymousRoleName, authtypes.SigNozAnonymousRoleDescription, authtypes.RoleTypeManaged, orgID)
-		managedRoles = append(managedRoles, authtypes.NewStorableRoleFromRole(signozAnonymousRole))
+		managedRoles = append(managedRoles, signozAnonymousRole)
 	}
 
 	if len(managedRoles) > 0 {

pkg/sqlmigration/078_add_llm_pricing_rules.go

@@ -1,99 +0,0 @@
-package sqlmigration
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/sqlschema"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/uptrace/bun"
-	"github.com/uptrace/bun/migrate"
-)
-
-type addLLMPricingRules struct {
-	sqlschema sqlschema.SQLSchema
-	sqlstore  sqlstore.SQLStore
-}
-
-func NewAddLLMPricingRulesFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
-	return factory.NewProviderFactory(factory.MustNewName("add_llm_pricing_rule"), func(_ context.Context, _ factory.ProviderSettings, _ Config) (SQLMigration, error) {
-		return &addLLMPricingRules{
-			sqlschema: sqlschema,
-			sqlstore:  sqlstore,
-		}, nil
-	})
-}
-
-func (migration *addLLMPricingRules) Register(migrations *migrate.Migrations) error {
-	if err := migrations.Register(migration.Up, migration.Down); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (migration *addLLMPricingRules) Up(ctx context.Context, db *bun.DB) error {
-	tx, err := db.BeginTx(ctx, nil)
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = tx.Rollback()
-	}()
-
-	sqls := [][]byte{}
-
-	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
-		Name: "llm_pricing_rule",
-		Columns: []*sqlschema.Column{
-			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "created_by", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "updated_by", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "org_id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "source_id", DataType: sqlschema.DataTypeText, Nullable: true},
-			{Name: "model", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "model_pattern", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "unit", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "cache_mode", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "cost_input", DataType: sqlschema.DataTypeNumeric, Nullable: false},
-			{Name: "cost_output", DataType: sqlschema.DataTypeNumeric, Nullable: false},
-			{Name: "cost_cache_read", DataType: sqlschema.DataTypeNumeric, Nullable: false},
-			{Name: "cost_cache_write", DataType: sqlschema.DataTypeNumeric, Nullable: false},
-			{Name: "is_override", DataType: sqlschema.DataTypeBoolean, Nullable: false, Default: "false"},
-			{Name: "synced_at", DataType: sqlschema.DataTypeTimestamp, Nullable: true},
-			{Name: "enabled", DataType: sqlschema.DataTypeBoolean, Nullable: false, Default: "true"},
-		},
-		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
-			ColumnNames: []sqlschema.ColumnName{"id"},
-		},
-		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
-			{
-				ReferencingColumnName: sqlschema.ColumnName("org_id"),
-				ReferencedTableName:   sqlschema.TableName("organizations"),
-				ReferencedColumnName:  sqlschema.ColumnName("id"),
-			},
-		},
-	})
-	sqls = append(sqls, tableSQLs...)
-
-	indexSQLs := migration.sqlschema.Operator().CreateIndex(
-		&sqlschema.UniqueIndex{
-			TableName:   "llm_pricing_rule",
-			ColumnNames: []sqlschema.ColumnName{"org_id", "source_id"},
-		})
-	sqls = append(sqls, indexSQLs...)
-
-	for _, sql := range sqls {
-		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
-			return err
-		}
-	}
-
-	return tx.Commit()
-}
-
-func (migration *addLLMPricingRules) Down(context.Context, *bun.DB) error {
-	return nil
-}

pkg/types/authtypes/role.go

@@ -20,6 +20,8 @@ var (
 	ErrCodeRoleNotFound                     = errors.MustNewCode("role_not_found")
 	ErrCodeRoleFailedTransactionsFromString = errors.MustNewCode("role_failed_transactions_from_string")
 	ErrCodeRoleUnsupported                  = errors.MustNewCode("role_unsupported")
+	ErrCodeRoleHasUserAssignees             = errors.MustNewCode("role_has_user_assignees")
+	ErrCodeRoleHasServiceAccountAssignees   = errors.MustNewCode("role_has_service_account_assignees")
 )
 
 var (
@@ -60,17 +62,6 @@ var (
 	TypeableResourcesRoles = MustNewTypeableMetaResources(MustNewName("roles"))
 )
 
-type StorableRole struct {
-	bun.BaseModel `bun:"table:role"`
-
-	types.Identifiable
-	types.TimeAuditable
-	Name        string `bun:"name,type:string" json:"name"`
-	Description string `bun:"description,type:string" json:"description"`
-	Type        string `bun:"type,type:string" json:"type"`
-	OrgID       string `bun:"org_id,type:string" json:"orgId"`
-}
-
 type Role struct {
 	bun.BaseModel `bun:"table:role"`
 
@@ -91,28 +82,6 @@ type PatchableRole struct {
 	Description string `json:"description" required:"true"`
 }
 
-func NewStorableRoleFromRole(role *Role) *StorableRole {
-	return &StorableRole{
-		Identifiable:  role.Identifiable,
-		TimeAuditable: role.TimeAuditable,
-		Name:          role.Name,
-		Description:   role.Description,
-		Type:          role.Type.String(),
-		OrgID:         role.OrgID.StringValue(),
-	}
-}
-
-func NewRoleFromStorableRole(storableRole *StorableRole) *Role {
-	return &Role{
-		Identifiable:  storableRole.Identifiable,
-		TimeAuditable: storableRole.TimeAuditable,
-		Name:          storableRole.Name,
-		Description:   storableRole.Description,
-		Type:          valuer.NewString(storableRole.Type),
-		OrgID:         valuer.MustNewUUID(storableRole.OrgID),
-	}
-}
-
 func NewRole(name, description string, roleType valuer.String, orgID valuer.UUID) *Role {
 	return &Role{
 		Identifiable: types.Identifiable{
@@ -264,13 +233,13 @@ func MustGetSigNozManagedRoleFromExistingRole(role types.Role) string {
 }
 
 type RoleStore interface {
-	Create(context.Context, *StorableRole) error
-	Get(context.Context, valuer.UUID, valuer.UUID) (*StorableRole, error)
-	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*StorableRole, error)
-	List(context.Context, valuer.UUID) ([]*StorableRole, error)
-	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*StorableRole, error)
-	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*StorableRole, error)
-	Update(context.Context, valuer.UUID, *StorableRole) error
+	Create(context.Context, *Role) error
+	Get(context.Context, valuer.UUID, valuer.UUID) (*Role, error)
+	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*Role, error)
+	List(context.Context, valuer.UUID) ([]*Role, error)
+	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*Role, error)
+	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*Role, error)
+	Update(context.Context, valuer.UUID, *Role) error
 	Delete(context.Context, valuer.UUID, valuer.UUID) error
 	RunInTx(context.Context, func(ctx context.Context) error) error
 }

pkg/types/authtypes/transaction.go

@@ -20,6 +20,11 @@ type GettableTransaction struct {
 	Authorized bool     `json:"authorized" required:"true"`
 }
 
+type TransactionWithAuthorization struct {
+	Transaction *Transaction
+	Authorized  bool
+}
+
 func NewTransaction(relation Relation, object Object) (*Transaction, error) {
 	if !slices.Contains(TypeableRelations[object.Resource.Type], relation) {
 		return nil, errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidRelation, "invalid relation %s for type %s", relation.StringValue(), object.Resource.Type.StringValue())
@@ -28,13 +33,12 @@ func NewTransaction(relation Relation, object Object) (*Transaction, error) {
 	return &Transaction{ID: valuer.GenerateUUID(), Relation: relation, Object: object}, nil
 }
 
-func NewGettableTransaction(transactions []*Transaction, results map[string]*TupleKeyAuthorization) []*GettableTransaction {
-	gettableTransactions := make([]*GettableTransaction, len(transactions))
-	for i, txn := range transactions {
-		result := results[txn.ID.StringValue()]
+func NewGettableTransaction(results []*TransactionWithAuthorization) []*GettableTransaction {
+	gettableTransactions := make([]*GettableTransaction, len(results))
+	for i, result := range results {
 		gettableTransactions[i] = &GettableTransaction{
-			Relation:   txn.Relation,
-			Object:     txn.Object,
+			Relation:   result.Transaction.Relation,
+			Object:     result.Transaction.Object,
 			Authorized: result.Authorized,
 		}
 	}
@@ -42,6 +46,54 @@ func NewGettableTransaction(transactions []*Transaction, results map[string]*Tup
 	return gettableTransactions
 }
 
+// NewTransactionWithAuthorizationFromBatchResults merges batch check results into an ordered
+// slice of TransactionWithAuthorization matching the input transactions order.
+// preResolved contains txn IDs whose authorization was determined without BatchCheck.
+// roleCorrelations maps txn IDs to correlation IDs used for managed role checks.
+func NewTransactionWithAuthorizationFromBatchResults(
+	transactions []*Transaction,
+	batchResults map[string]*TupleKeyAuthorization,
+	preResolved map[string]bool,
+	roleCorrelations map[string][]string,
+) []*TransactionWithAuthorization {
+	output := make([]*TransactionWithAuthorization, len(transactions))
+	for i, txn := range transactions {
+		txnID := txn.ID.StringValue()
+
+		if authorized, ok := preResolved[txnID]; ok {
+			output[i] = &TransactionWithAuthorization{
+				Transaction: txn,
+				Authorized:  authorized,
+			}
+			continue
+		}
+
+		if txn.Object.Resource.Type == TypeRole && txn.Relation == RelationAssignee {
+			output[i] = &TransactionWithAuthorization{
+				Transaction: txn,
+				Authorized:  batchResults[txnID].Authorized,
+			}
+			continue
+		}
+
+		correlationIDs := roleCorrelations[txnID]
+		authorized := false
+		for _, correlationID := range correlationIDs {
+			if result, exists := batchResults[correlationID]; exists && result.Authorized {
+				authorized = true
+				break
+			}
+		}
+
+		output[i] = &TransactionWithAuthorization{
+			Transaction: txn,
+			Authorized:  authorized,
+		}
+	}
+
+	return output
+}
+
 func (transaction *Transaction) UnmarshalJSON(data []byte) error {
 	var shadow = struct {
 		Relation Relation

pkg/types/authtypes/tuple.go

@@ -10,6 +10,11 @@ type TupleKeyAuthorization struct {
 	Authorized bool
 }
 
+// TransactionKey returns a composite key for matching transactions to managed roles.
+func (transaction *Transaction) TransactionKey() string {
+	return transaction.Relation.StringValue() + ":" + transaction.Object.Resource.Type.StringValue() + ":" + transaction.Object.Resource.Name.String()
+}
+
 func NewTuplesFromTransactions(transactions []*Transaction, subject string, orgID valuer.UUID) (map[string]*openfgav1.TupleKey, error) {
 	tuples := make(map[string]*openfgav1.TupleKey, len(transactions))
 	for _, txn := range transactions {
@@ -29,3 +34,57 @@ func NewTuplesFromTransactions(transactions []*Transaction, subject string, orgI
 
 	return tuples, nil
 }
+
+// NewTuplesFromTransactionsWithManagedRoles converts transactions to tuples for BatchCheck.
+// Direct role-assignment transactions (TypeRole + RelationAssignee) produce one tuple keyed by txn ID.
+// Other transactions are expanded via managedRolesByTransaction into role-assignee checks, keyed by "txnID:roleName".
+// Transactions with no managed role mapping are marked as pre-resolved (false) in the returned map.
+func NewTuplesFromTransactionsWithManagedRoles(
+	transactions []*Transaction,
+	subject string,
+	orgID valuer.UUID,
+	managedRolesByTransaction map[string][]string,
+) (tuples map[string]*openfgav1.TupleKey, preResolved map[string]bool, roleCorrelations map[string][]string, err error) {
+	tuples = make(map[string]*openfgav1.TupleKey)
+	preResolved = make(map[string]bool)
+	roleCorrelations = make(map[string][]string)
+
+	for _, txn := range transactions {
+		txnID := txn.ID.StringValue()
+
+		if txn.Object.Resource.Type == TypeRole && txn.Relation == RelationAssignee {
+			typeable, err := NewTypeableFromType(txn.Object.Resource.Type, txn.Object.Resource.Name)
+			if err != nil {
+				return nil, nil, nil, err
+			}
+
+			txnTuples, err := typeable.Tuples(subject, txn.Relation, []Selector{txn.Object.Selector}, orgID)
+			if err != nil {
+				return nil, nil, nil, err
+			}
+
+			tuples[txnID] = txnTuples[0]
+			continue
+		}
+
+		roleNames, found := managedRolesByTransaction[txn.TransactionKey()]
+		if !found || len(roleNames) == 0 {
+			preResolved[txnID] = false
+			continue
+		}
+
+		for _, roleName := range roleNames {
+			roleSelector := MustNewSelector(TypeRole, roleName)
+			roleTuples, err := TypeableRole.Tuples(subject, RelationAssignee, []Selector{roleSelector}, orgID)
+			if err != nil {
+				return nil, nil, nil, err
+			}
+
+			correlationID := valuer.GenerateUUID().StringValue()
+			tuples[correlationID] = roleTuples[0]
+			roleCorrelations[txnID] = append(roleCorrelations[txnID], correlationID)
+		}
+	}
+
+	return tuples, preResolved, roleCorrelations, nil
+}

pkg/types/llmpricingruletypes/pricing.go

@@ -1,144 +0,0 @@
-package llmpricingruletypes
-
-import (
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-var (
-	ErrCodePricingRuleNotFound     = errors.MustNewCode("pricing_rule_not_found")
-	ErrCodePricingRuleInvalidInput = errors.MustNewCode("pricing_rule_invalid_input")
-)
-
-type LLMPricingRuleUnit struct {
-	valuer.String
-}
-
-var (
-	UnitPerMillionTokens = LLMPricingRuleUnit{valuer.NewString("per_million_tokens")}
-)
-
-type LLMPricingRuleCacheMode struct {
-	valuer.String
-}
-
-var (
-	// LLMPricingRuleCacheModeSubtract: cached tokens are inside input_tokens (OpenAI-style).
-	LLMPricingRuleCacheModeSubtract = LLMPricingRuleCacheMode{valuer.NewString("subtract")}
-	// LLMPricingRuleCacheModeAdditive: cached tokens are reported separately (Anthropic-style).
-	LLMPricingRuleCacheModeAdditive = LLMPricingRuleCacheMode{valuer.NewString("additive")}
-	// LLMPricingRuleCacheModeUnknown: provider behaviour is unknown; falls back to subtract.
-	LLMPricingRuleCacheModeUnknown = LLMPricingRuleCacheMode{valuer.NewString("unknown")}
-)
-
-// LLMPricingRule is the domain model for an LLM pricing rule.
-// It also doubles as the HTTP response shape; see GettablePricingRule.
-type LLMPricingRule struct {
-	types.TimeAuditable
-	types.UserAuditable
-
-	ID             valuer.UUID             `json:"id" required:"true"`
-	OrgID          valuer.UUID             `json:"orgId" required:"true"`
-	SourceID       *valuer.UUID            `json:"sourceId,omitempty"`
-	Model          string                  `json:"modelName" required:"true"`
-	ModelPattern   []string                `json:"modelPattern" required:"true"`
-	Unit           LLMPricingRuleUnit      `json:"unit" required:"true"`
-	CacheMode      LLMPricingRuleCacheMode `json:"cacheMode" required:"true"`
-	CostInput      float64                 `json:"costInput" required:"true"`
-	CostOutput     float64                 `json:"costOutput" required:"true"`
-	CostCacheRead  float64                 `json:"costCacheRead" required:"true"`
-	CostCacheWrite float64                 `json:"costCacheWrite" required:"true"`
-	IsOverride     bool                    `json:"isOverride" required:"true"`
-	SyncedAt       *time.Time              `json:"syncedAt,omitempty"`
-	Enabled        bool                    `json:"enabled" required:"true"`
-}
-
-// GettablePricingRule is a type alias for PricingRule — the response shape is
-// identical to the core type, so per pkg/types conventions we do not mint a
-// separate flavor.
-type GettableLLMPricingRule = LLMPricingRule
-
-// UpdatablePricingRule is one entry in the bulk upsert batch.
-//
-// Identification:
-//   - ID set       → match by id (user editing a known row).
-//   - SourceID set → match by source_id (Zeus sync, or user editing a Zeus-synced row).
-//   - neither set  → insert a new row with source_id = NULL (user-created custom rule).
-//
-// IsOverride is a pointer so the caller can distinguish "not sent" from "set to false".
-// When IsOverride is nil AND the matched row has is_override = true, the row is fully
-// preserved — only synced_at is stamped.
-type UpdatableLLMPricingRule struct {
-	ID             *valuer.UUID            `json:"id,omitempty"`
-	SourceID       *valuer.UUID            `json:"sourceId,omitempty"`
-	Model          string                  `json:"modelName" required:"true"`
-	ModelPattern   []string                `json:"modelPattern" required:"true"`
-	Unit           LLMPricingRuleUnit      `json:"unit" required:"true"`
-	CacheMode      LLMPricingRuleCacheMode `json:"cacheMode" required:"true"`
-	CostInput      float64                 `json:"costInput" required:"true"`
-	CostOutput     float64                 `json:"costOutput" required:"true"`
-	CostCacheRead  float64                 `json:"costCacheRead" required:"true"`
-	CostCacheWrite float64                 `json:"costCacheWrite" required:"true"`
-	IsOverride     *bool                   `json:"isOverride,omitempty"`
-	Enabled        bool                    `json:"enabled" required:"true"`
-}
-
-type UpdatableLLMPricingRules struct {
-	Rules []UpdatableLLMPricingRule `json:"rules" required:"true"`
-}
-
-type ListPricingRulesQuery struct {
-	Offset int `query:"offset" json:"offset"`
-	Limit  int `query:"limit"  json:"limit"`
-}
-
-type GettablePricingRules struct {
-	Items  []*GettableLLMPricingRule `json:"items"  required:"true"`
-	Total  int                       `json:"total"  required:"true"`
-	Offset int                       `json:"offset" required:"true"`
-	Limit  int                       `json:"limit"  required:"true"`
-}
-
-func (LLMPricingRuleUnit) Enum() []any {
-	return []any{UnitPerMillionTokens}
-}
-
-func (LLMPricingRuleCacheMode) Enum() []any {
-	return []any{LLMPricingRuleCacheModeSubtract, LLMPricingRuleCacheModeAdditive, LLMPricingRuleCacheModeUnknown}
-}
-
-func NewLLMPricingRuleFromStorable(s *StorableLLMPricingRule) *LLMPricingRule {
-	pattern := make([]string, len(s.ModelPattern))
-	copy(pattern, s.ModelPattern)
-
-	return &LLMPricingRule{
-		TimeAuditable:  s.TimeAuditable,
-		UserAuditable:  s.UserAuditable,
-		ID:             s.ID,
-		OrgID:          s.OrgID,
-		SourceID:       s.SourceID,
-		Model:          s.Model,
-		ModelPattern:   pattern,
-		Unit:           s.Unit,
-		CacheMode:      s.CacheMode,
-		CostInput:      s.CostInput,
-		CostOutput:     s.CostOutput,
-		CostCacheRead:  s.CostCacheRead,
-		CostCacheWrite: s.CostCacheWrite,
-		IsOverride:     s.IsOverride,
-		SyncedAt:       s.SyncedAt,
-		Enabled:        s.Enabled,
-	}
-}
-
-func NewGettableLLMPricingRulesFromLLMPricingRules(items []*LLMPricingRule, total, offset, limit int) *GettablePricingRules {
-	return &GettablePricingRules{
-		Items:  items,
-		Total:  total,
-		Offset: offset,
-		Limit:  limit,
-	}
-}

pkg/types/llmpricingruletypes/processor_config.go

@@ -1,49 +0,0 @@
-package llmpricingruletypes
-
-// LLMPricingRuleProcessorConfig is the top-level config for the signozllmpricing
-// OTel processor that gets deployed to collectors via OpAMP.
-type LLMPricingRuleProcessorConfig struct {
-	Attrs          LLMPricingRuleProcessorAttrs          `yaml:"attrs" json:"attrs"`
-	DefaultPricing LLMPricingRuleProcessorDefaultPricing `yaml:"default_pricing" json:"default_pricing"`
-	OutputAttrs    LLMPricingRuleProcessorOutputAttrs    `yaml:"output_attrs" json:"output_attrs"`
-}
-
-// LLMCostAttrs maps span attribute names to the processor's input fields.
-type LLMPricingRuleProcessorAttrs struct {
-	Model      string `yaml:"model" json:"model"`
-	In         string `yaml:"in" json:"in"`
-	Out        string `yaml:"out" json:"out"`
-	CacheRead  string `yaml:"cache_read" json:"cache_read"`
-	CacheWrite string `yaml:"cache_write" json:"cache_write"`
-}
-
-// LLMPricingRuleDefaultPricing holds the pricing unit and the list of model-specific rules.
-type LLMPricingRuleProcessorDefaultPricing struct {
-	Unit  string                    `yaml:"unit" json:"unit"`
-	Rules []LLMPricingRuleProcessor `yaml:"rules" json:"rules"`
-}
-
-// LLMPricingRuleRule is a single pricing rule inside the processor config.
-type LLMPricingRuleProcessor struct {
-	Name    string                       `yaml:"name" json:"name"`
-	Pattern []string                     `yaml:"pattern" json:"pattern"`
-	Cache   LLMPricingRuleProcessorCache `yaml:"cache" json:"cache"`
-	In      float64                      `yaml:"in" json:"in"`
-	Out     float64                      `yaml:"out" json:"out"`
-}
-
-// LLMPricingRuleCache describes how cached tokens are accounted for.
-type LLMPricingRuleProcessorCache struct {
-	Mode  string  `yaml:"mode" json:"mode"`
-	Read  float64 `yaml:"read" json:"read"`
-	Write float64 `yaml:"write" json:"write"`
-}
-
-// LLMPricingRuleOutputAttrs maps the processor's computed cost fields to span attribute names.
-type LLMPricingRuleProcessorOutputAttrs struct {
-	In         string `yaml:"in" json:"in"`
-	Out        string `yaml:"out" json:"out"`
-	CacheRead  string `yaml:"cache_read" json:"cache_read"`
-	CacheWrite string `yaml:"cache_write" json:"cache_write"`
-	Total      string `yaml:"total" json:"total"`
-}

pkg/types/llmpricingruletypes/storable.go

@@ -1,95 +0,0 @@
-package llmpricingruletypes
-
-import (
-	"database/sql/driver"
-	"encoding/json"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/uptrace/bun"
-)
-
-// StringSlice is a []string that is stored as a JSON text column.
-// It is compatible with both SQLite and PostgreSQL.
-type StringSlice []string
-
-// StorableLLMPricingRule is the bun/DB representation of an LLM pricing rule.
-type StorableLLMPricingRule struct {
-	bun.BaseModel `bun:"table:llm_pricing_rule,alias:llm_pricing_rule"`
-
-	types.Identifiable
-	types.TimeAuditable
-	types.UserAuditable
-
-	OrgID          valuer.UUID             `bun:"org_id,type:text,notnull"`
-	SourceID       *valuer.UUID            `bun:"source_id,type:text"`
-	Model          string                  `bun:"model,type:text,notnull"`
-	ModelPattern   StringSlice             `bun:"model_pattern,type:text,notnull"`
-	Unit           LLMPricingRuleUnit      `bun:"unit,type:text,notnull"`
-	CacheMode      LLMPricingRuleCacheMode `bun:"cache_mode,type:text,notnull"`
-	CostInput      float64                 `bun:"cost_input,notnull"`
-	CostOutput     float64                 `bun:"cost_output,notnull"`
-	CostCacheRead  float64                 `bun:"cost_cache_read,notnull"`
-	CostCacheWrite float64                 `bun:"cost_cache_write,notnull"`
-	// IsOverride marks the row as user-pinned. When true, Zeus skips it entirely.
-	IsOverride bool       `bun:"is_override,notnull,default:false"`
-	SyncedAt   *time.Time `bun:"synced_at"`
-	Enabled    bool       `bun:"enabled,notnull,default:true"`
-}
-
-func (s StringSlice) Value() (driver.Value, error) {
-	if s == nil {
-		return "[]", nil
-	}
-	b, err := json.Marshal(s)
-	if err != nil {
-		return nil, err
-	}
-	return string(b), nil
-}
-
-func (s *StringSlice) Scan(src any) error {
-	var raw []byte
-	switch v := src.(type) {
-	case string:
-		raw = []byte(v)
-	case []byte:
-		raw = v
-	case nil:
-		*s = nil
-		return nil
-	default:
-		return errors.NewInternalf(errors.CodeInternal, "llmpricingruletypes: cannot scan %T into StringSlice", src)
-	}
-	return json.Unmarshal(raw, s)
-}
-
-func NewStorablePricingRuleFromUpdatable(orgID valuer.UUID, userEmail string, now time.Time, r UpdatableLLMPricingRule) *StorableLLMPricingRule {
-	isOverride := true
-	if r.IsOverride != nil {
-		isOverride = *r.IsOverride
-	} else if r.SourceID != nil {
-		isOverride = false
-	}
-
-	return &StorableLLMPricingRule{
-		Identifiable:   types.Identifiable{ID: valuer.GenerateUUID()},
-		TimeAuditable:  types.TimeAuditable{CreatedAt: now, UpdatedAt: now},
-		UserAuditable:  types.UserAuditable{CreatedBy: userEmail, UpdatedBy: userEmail},
-		OrgID:          orgID,
-		SourceID:       r.SourceID,
-		Model:          r.Model,
-		ModelPattern:   r.ModelPattern,
-		Unit:           r.Unit,
-		CacheMode:      r.CacheMode,
-		CostInput:      r.CostInput,
-		CostOutput:     r.CostOutput,
-		CostCacheRead:  r.CostCacheRead,
-		CostCacheWrite: r.CostCacheWrite,
-		IsOverride:     isOverride,
-		SyncedAt:       &now,
-		Enabled:        r.Enabled,
-	}
-}

pkg/types/llmpricingruletypes/store.go

@@ -1,16 +0,0 @@
-package llmpricingruletypes
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type Store interface {
-	List(ctx context.Context, orgID valuer.UUID, offset, limit int) ([]*StorableLLMPricingRule, int, error)
-	Get(ctx context.Context, orgID, id valuer.UUID) (*StorableLLMPricingRule, error)
-	GetBySourceID(ctx context.Context, orgID, sourceID valuer.UUID) (*StorableLLMPricingRule, error)
-	Create(ctx context.Context, rule *StorableLLMPricingRule) error
-	Update(ctx context.Context, rule *StorableLLMPricingRule) error
-	Delete(ctx context.Context, orgID, id valuer.UUID) error
-}

pkg/types/serviceaccounttypes/service_acccount.go

@@ -17,13 +17,12 @@ import (
 )
 
 var (
-	ErrCodeServiceAccountInvalidConfig        = errors.MustNewCode("service_account_invalid_config")
-	ErrCodeServiceAccountInvalidInput         = errors.MustNewCode("service_account_invalid_input")
-	ErrCodeServiceAccountAlreadyExists        = errors.MustNewCode("service_account_already_exists")
-	ErrCodeServiceAccountNotFound             = errors.MustNewCode("service_account_not_found")
-	ErrCodeServiceAccountRoleAlreadyExists    = errors.MustNewCode("service_account_role_already_exists")
-	ErrCodeServiceAccountOperationUnsupported = errors.MustNewCode("service_account_operation_unsupported")
-	errInvalidServiceAccountName              = errors.New(errors.TypeInvalidInput, ErrCodeServiceAccountInvalidInput, "name must start with a lowercase letter (a-z), contain only lowercase letters, numbers (0-9), and hyphens (-), and be at most 50 characters long")
+	ErrCodeServiceAccountInvalidConfig     = errors.MustNewCode("service_account_invalid_config")
+	ErrCodeServiceAccountInvalidInput      = errors.MustNewCode("service_account_invalid_input")
+	ErrCodeServiceAccountAlreadyExists     = errors.MustNewCode("service_account_already_exists")
+	ErrCodeServiceAccountNotFound          = errors.MustNewCode("service_account_not_found")
+	ErrCodeServiceAccountRoleAlreadyExists = errors.MustNewCode("service_account_role_already_exists")
+	errInvalidServiceAccountName           = errors.New(errors.TypeInvalidInput, ErrCodeServiceAccountInvalidInput, "name must start with a lowercase letter (a-z), contain only lowercase letters, numbers (0-9), and hyphens (-), and be at most 50 characters long")
 )
 
 var (
@@ -120,7 +119,7 @@ func (serviceAccount *ServiceAccount) UpdateStatus(status ServiceAccountStatus)
 
 func (serviceAccount *ServiceAccount) ErrIfDeleted() error {
 	if serviceAccount.Status == ServiceAccountStatusDeleted {
-		return errors.New(errors.TypeUnsupported, ErrCodeServiceAccountOperationUnsupported, "this operation is not supported for disabled service account")
+		return errors.Newf(errors.TypeNotFound, ErrCodeServiceAccountNotFound, "an active service account with id: %s does not exist", serviceAccount.ID)
 	}
 
 	return nil
@@ -239,6 +238,7 @@ type Store interface {
 	GetActiveByOrgIDAndName(context.Context, valuer.UUID, string) (*ServiceAccount, error)
 	GetByID(context.Context, valuer.UUID) (*ServiceAccount, error)
 	GetByIDAndStatus(context.Context, valuer.UUID, ServiceAccountStatus) (*ServiceAccount, error)
+	GetServiceAccountsByOrgIDAndRoleID(context.Context, valuer.UUID, valuer.UUID) ([]*ServiceAccount, error)
 	CountByOrgID(context.Context, valuer.UUID) (int64, error)
 	List(context.Context, valuer.UUID) ([]*ServiceAccount, error)
 	Update(context.Context, valuer.UUID, *ServiceAccount) error

tests/e2e/.eslintignore

@@ -1,38 +0,0 @@
-# Dependencies
-node_modules/
-
-# Build outputs
-dist/
-build/
-
-# Test results
-test-results/
-playwright-report/
-coverage/
-
-# Environment files
-.env
-.env.local
-.env.production
-
-# Editor files
-.vscode/
-.idea/
-*.swp
-*.swo
-
-# OS files
-.DS_Store
-Thumbs.db
-
-# Logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock

tests/e2e/.eslintrc.js

@@ -1,68 +0,0 @@
-module.exports = {
-  parser: '@typescript-eslint/parser',
-  parserOptions: {
-    ecmaVersion: 2022,
-    sourceType: 'module',
-  },
-  extends: [
-    'eslint:recommended',
-    'plugin:@typescript-eslint/recommended',
-    'plugin:playwright/recommended',
-  ],
-  env: {
-    node: true,
-    es2022: true,
-  },
-  rules: {
-    // Code Quality
-    '@typescript-eslint/no-unused-vars': 'error',
-    '@typescript-eslint/no-explicit-any': 'warn',
-    'prefer-const': 'error',
-    'no-var': 'error',
-
-    // Formatting Rules (ESLint handles formatting)
-    'semi': ['error', 'always'],
-    'quotes': ['error', 'single', { avoidEscape: true }],
-    'comma-dangle': ['error', 'always-multiline'],
-    'indent': ['error', 2, { SwitchCase: 1 }],
-    'object-curly-spacing': ['error', 'always'],
-    'array-bracket-spacing': ['error', 'never'],
-    'space-before-function-paren': ['error', {
-      anonymous: 'always',
-      named: 'never',
-      asyncArrow: 'always',
-    }],
-    'keyword-spacing': 'error',
-    'space-infix-ops': 'error',
-    'eol-last': 'error',
-    'no-trailing-spaces': 'error',
-    'no-multiple-empty-lines': ['error', { max: 2, maxEOF: 1 }],
-
-    // Playwright-specific (enhanced)
-    'playwright/expect-expect': 'error',
-    'playwright/no-conditional-in-test': 'error',
-    'playwright/no-page-pause': 'error',
-    'playwright/no-wait-for-timeout': 'warn',
-    'playwright/prefer-web-first-assertions': 'error',
-
-    // Console usage
-    'no-console': ['warn', { allow: ['warn', 'error'] }],
-  },
-  overrides: [
-    {
-      // Config files can use console and have relaxed formatting
-      files: ['*.config.{js,ts}', 'playwright.config.ts'],
-      rules: {
-        'no-console': 'off',
-        '@typescript-eslint/no-explicit-any': 'off',
-      },
-    },
-    {
-      // Test files specific rules
-      files: ['**/*.spec.ts', '**/*.test.ts'],
-      rules: {
-        '@typescript-eslint/no-explicit-any': 'off', // Page objects often need any
-      },
-    },
-  ],
-};

tests/e2e/.oxfmtrc.json

@@ -0,0 +1,26 @@
+{
+	"$schema": "./node_modules/oxfmt/configuration_schema.json",
+	"trailingComma": "all",
+	"useTabs": true,
+	"tabWidth": 1,
+	"singleQuote": true,
+	"jsxSingleQuote": false,
+	"semi": true,
+	"printWidth": 80,
+	"bracketSpacing": true,
+	"jsxBracketSameLine": false,
+	"arrowParens": "always",
+	"endOfLine": "lf",
+	"quoteProps": "as-needed",
+	"proseWrap": "preserve",
+	"htmlWhitespaceSensitivity": "css",
+	"embeddedLanguageFormatting": "auto",
+	"sortPackageJson": false,
+	"ignorePatterns": [
+		"artifacts",
+		"node_modules",
+		"playwright-report",
+		"**/*.md",
+		"**/*.json"
+	]
+}

tests/e2e/.oxlintrc.json

@@ -0,0 +1,45 @@
+{
+	"$schema": "./node_modules/oxlint/configuration_schema.json",
+	"jsPlugins": ["eslint-plugin-playwright"],
+	"plugins": ["eslint", "typescript", "unicorn", "import", "promise"],
+	"categories": {
+		"correctness": "warn"
+	},
+	"env": {
+		"builtin": true,
+		"es2022": true,
+		"node": true
+	},
+	"options": {
+		"typeAware": true,
+		"typeCheck": false
+	},
+	"rules": {
+		"prefer-const": "error",
+		"no-var": "error",
+		"no-console": ["warn", { "allow": ["warn", "error"] }],
+		"typescript/no-unused-vars": "error",
+		"typescript/no-explicit-any": "warn",
+		"playwright/expect-expect": "error",
+		"playwright/no-conditional-in-test": "error",
+		"playwright/no-page-pause": "error",
+		"playwright/no-wait-for-timeout": "warn",
+		"playwright/prefer-web-first-assertions": "error"
+	},
+	"overrides": [
+		{
+			"files": ["*.config.{js,ts}", "playwright.config.ts"],
+			"rules": {
+				"no-console": "off",
+				"typescript/no-explicit-any": "off"
+			}
+		},
+		{
+			"files": ["**/*.spec.ts", "**/*.test.ts"],
+			"rules": {
+				"typescript/no-explicit-any": "off"
+			}
+		}
+	],
+	"ignorePatterns": ["node_modules", "artifacts", "playwright-report"]
+}

tests/e2e/.prettierignore

@@ -1,30 +0,0 @@
-# Dependencies
-node_modules/
-
-# Generated test outputs
-artifacts/
-playwright/.cache/
-
-# Build outputs
-dist/
-
-# Environment files
-.env
-.env.local
-.env*.local
-
-# Lock files
-yarn.lock
-package-lock.json
-pnpm-lock.yaml
-
-# Logs
-*.log
-yarn-error.log
-
-# IDE
-.vscode/
-.idea/
-
-# Other
-.DS_Store

tests/e2e/.prettierrc.json

@@ -1,6 +0,0 @@
-{
-  "useTabs": false,
-  "tabWidth": 2,
-  "singleQuote": true,
-  "trailingComma": "all"
-}

tests/e2e/bootstrap/setup.py

@@ -26,13 +26,12 @@ def test_setup(
     seeder_cfg = seeder.host_configs["8080"]
     out = _env_file(pytestconfig)
     out.parent.mkdir(parents=True, exist_ok=True)
-    out.write_text(
-        "# Generated by tests/e2e/bootstrap/setup.py — do not edit.\n"
-        f"SIGNOZ_E2E_BASE_URL={host_cfg.base()}\n"
-        f"SIGNOZ_E2E_USERNAME={USER_ADMIN_EMAIL}\n"
-        f"SIGNOZ_E2E_PASSWORD={USER_ADMIN_PASSWORD}\n"
-        f"SIGNOZ_E2E_SEEDER_URL={seeder_cfg.base()}\n"
-    )
+    with out.open("w") as f:
+        f.write("# Generated by tests/e2e/bootstrap/setup.py — do not edit.\n")
+        f.write(f"SIGNOZ_E2E_BASE_URL={host_cfg.base()}\n")
+        f.write(f"SIGNOZ_E2E_USERNAME={USER_ADMIN_EMAIL}\n")
+        f.write(f"SIGNOZ_E2E_PASSWORD={USER_ADMIN_PASSWORD}\n")
+        f.write(f"SIGNOZ_E2E_SEEDER_URL={seeder_cfg.base()}\n")
 
 
 def test_teardown(

tests/e2e/fixtures/auth.ts

@@ -1,17 +1,17 @@
 import {
-  test as base,
-  expect,
-  type Browser,
-  type BrowserContext,
-  type Page,
+	test as base,
+	expect,
+	type Browser,
+	type BrowserContext,
+	type Page,
 } from '@playwright/test';
 
 export type User = { email: string; password: string };
 
 // Default user — admin from the pytest bootstrap (.env.local) or staging .env.
 export const ADMIN: User = {
-  email: process.env.SIGNOZ_E2E_USERNAME!,
-  password: process.env.SIGNOZ_E2E_PASSWORD!,
+	email: process.env.SIGNOZ_E2E_USERNAME!,
+	password: process.env.SIGNOZ_E2E_PASSWORD!,
 };
 
 // Per-worker storageState cache. One login per unique user per worker.
@@ -21,65 +21,65 @@ type StorageState = Awaited<ReturnType<BrowserContext['storageState']>>;
 const storageByUser = new Map<string, Promise<StorageState>>();
 
 async function storageFor(browser: Browser, user: User): Promise<StorageState> {
-  const cached = storageByUser.get(user.email);
-  if (cached) return cached;
+	const cached = storageByUser.get(user.email);
+	if (cached) return cached;
 
-  const task = (async () => {
-    const ctx = await browser.newContext();
-    const page = await ctx.newPage();
-    await login(page, user);
-    const state = await ctx.storageState();
-    await ctx.close();
-    return state;
-  })();
+	const task = (async () => {
+		const ctx = await browser.newContext();
+		const page = await ctx.newPage();
+		await login(page, user);
+		const state = await ctx.storageState();
+		await ctx.close();
+		return state;
+	})();
 
-  storageByUser.set(user.email, task);
-  return task;
+	storageByUser.set(user.email, task);
+	return task;
 }
 
 async function login(page: Page, user: User): Promise<void> {
-  if (!user.email || !user.password) {
-    throw new Error(
-      'User credentials missing. Set SIGNOZ_E2E_USERNAME / SIGNOZ_E2E_PASSWORD ' +
-        '(pytest bootstrap writes them to .env.local), or pass a User via test.use({ user: ... }).',
-    );
-  }
-  await page.goto('/login?password=Y');
-  await page.getByTestId('email').fill(user.email);
-  await page.getByTestId('initiate_login').click();
-  await page.getByTestId('password').fill(user.password);
-  await page.getByRole('button', { name: 'Sign in with Password' }).click();
-  // Post-login lands somewhere different depending on whether the org is
-  // licensed (onboarding flow on ENTERPRISE) or not (legacy "Hello there"
-  // welcome). Wait for URL to move off /login — whichever page follows
-  // is fine, each spec navigates to the feature under test anyway.
-  await page.waitForURL((url) => !url.pathname.startsWith('/login'));
+	if (!user.email || !user.password) {
+		throw new Error(
+			'User credentials missing. Set SIGNOZ_E2E_USERNAME / SIGNOZ_E2E_PASSWORD ' +
+				'(pytest bootstrap writes them to .env.local), or pass a User via test.use({ user: ... }).',
+		);
+	}
+	await page.goto('/login?password=Y');
+	await page.getByTestId('email').fill(user.email);
+	await page.getByTestId('initiate_login').click();
+	await page.getByTestId('password').fill(user.password);
+	await page.getByRole('button', { name: 'Sign in with Password' }).click();
+	// Post-login lands somewhere different depending on whether the org is
+	// licensed (onboarding flow on ENTERPRISE) or not (legacy "Hello there"
+	// welcome). Wait for URL to move off /login — whichever page follows
+	// is fine, each spec navigates to the feature under test anyway.
+	await page.waitForURL((url) => !url.pathname.startsWith('/login'));
 }
 
 export const test = base.extend<{
-  /**
-   * User identity for this test. Override with `test.use({ user: ... })` at
-   * the describe or test level to run the suite as a different user.
-   * Defaults to ADMIN (the pytest-bootstrap-seeded admin).
-   */
-  user: User;
+	/**
+	 * User identity for this test. Override with `test.use({ user: ... })` at
+	 * the describe or test level to run the suite as a different user.
+	 * Defaults to ADMIN (the pytest-bootstrap-seeded admin).
+	 */
+	user: User;
 
-  /**
-   * A Page whose context is already authenticated as `user`. First request
-   * for a given user triggers one login per worker; the resulting
-   * storageState is held in memory and reused for all later requests.
-   */
-  authedPage: Page;
+	/**
+	 * A Page whose context is already authenticated as `user`. First request
+	 * for a given user triggers one login per worker; the resulting
+	 * storageState is held in memory and reused for all later requests.
+	 */
+	authedPage: Page;
 }>({
-  user: [ADMIN, { option: true }],
+	user: [ADMIN, { option: true }],
 
-  authedPage: async ({ browser, user }, use) => {
-    const storageState = await storageFor(browser, user);
-    const ctx = await browser.newContext({ storageState });
-    const page = await ctx.newPage();
-    await use(page);
-    await ctx.close();
-  },
+	authedPage: async ({ browser, user }, use) => {
+		const storageState = await storageFor(browser, user);
+		const ctx = await browser.newContext({ storageState });
+		const page = await ctx.newPage();
+		await use(page);
+		await ctx.close();
+	},
 });
 
 export { expect };

tests/e2e/package.json

@@ -16,8 +16,10 @@
     "codegen": "playwright codegen",
     "install:browsers": "playwright install",
     "install:cli": "npm install -g @playwright/cli@latest && playwright-cli install --skills",
-    "lint": "eslint . --ext .ts,.js",
-    "lint:fix": "eslint . --ext .ts,.js --fix",
+    "fmt": "oxfmt .",
+    "fmt:check": "oxfmt --check .",
+    "lint": "oxlint .",
+    "lint:fix": "oxlint . --fix",
     "typecheck": "tsc --noEmit"
   },
   "keywords": [
@@ -31,11 +33,11 @@
   "devDependencies": {
     "@playwright/test": "^1.57.0-alpha-2025-10-09",
     "@types/node": "^20.0.0",
-    "@typescript-eslint/eslint-plugin": "^6.0.0",
-    "@typescript-eslint/parser": "^6.0.0",
     "dotenv": "^16.0.0",
-    "eslint": "^9.26.0",
-    "eslint-plugin-playwright": "^0.16.0",
+    "eslint-plugin-playwright": "^2.10.2",
+    "oxfmt": "^0.41.0",
+    "oxlint": "^1.59.0",
+    "oxlint-tsgolint": "^0.20.0",
     "typescript": "^5.0.0"
   },
   "engines": {

tests/e2e/playwright.config.ts

@@ -12,50 +12,50 @@ dotenv.config({ path: path.resolve(__dirname, '.env') });
 dotenv.config({ path: path.resolve(__dirname, '.env.local'), override: true });
 
 export default defineConfig({
-  testDir: './tests',
+	testDir: './tests',
 
-  // All Playwright output lands under artifacts/. One subdir per reporter
-  // plus results/ for per-test artifacts (traces/screenshots/videos).
-  // CI can archive the whole dir with `tar czf artifacts.tgz tests/e2e/artifacts`.
-  outputDir: 'artifacts/results',
+	// All Playwright output lands under artifacts/. One subdir per reporter
+	// plus results/ for per-test artifacts (traces/screenshots/videos).
+	// CI can archive the whole dir with `tar czf artifacts.tgz tests/e2e/artifacts`.
+	outputDir: 'artifacts/results',
 
-  // Run tests in parallel
-  fullyParallel: true,
+	// Run tests in parallel
+	fullyParallel: true,
 
-  // Fail the build on CI if you accidentally left test.only
-  forbidOnly: !!process.env.CI,
+	// Fail the build on CI if you accidentally left test.only
+	forbidOnly: !!process.env.CI,
 
-  // Retry on CI only
-  retries: process.env.CI ? 2 : 0,
+	// Retry on CI only
+	retries: process.env.CI ? 2 : 0,
 
-  // Workers
-  workers: process.env.CI ? 2 : undefined,
+	// Workers
+	workers: process.env.CI ? 2 : undefined,
 
-  // Reporter
-  reporter: [
-    ['html', { outputFolder: 'artifacts/html', open: 'never' }],
-    ['json', { outputFile: 'artifacts/json/results.json' }],
-    ['list'],
-  ],
+	// Reporter
+	reporter: [
+		['html', { outputFolder: 'artifacts/html', open: 'never' }],
+		['json', { outputFile: 'artifacts/json/results.json' }],
+		['list'],
+	],
 
-  // Shared settings
-  use: {
-    baseURL:
-      process.env.SIGNOZ_E2E_BASE_URL || 'https://app.us.staging.signoz.cloud',
-    trace: 'on-first-retry',
-    screenshot: 'only-on-failure',
-    video: 'retain-on-failure',
-    colorScheme: 'dark',
-    locale: 'en-US',
-    viewport: { width: 1280, height: 720 },
-  },
+	// Shared settings
+	use: {
+		baseURL:
+			process.env.SIGNOZ_E2E_BASE_URL || 'https://app.us.staging.signoz.cloud',
+		trace: 'on-first-retry',
+		screenshot: 'only-on-failure',
+		video: 'retain-on-failure',
+		colorScheme: 'dark',
+		locale: 'en-US',
+		viewport: { width: 1280, height: 720 },
+	},
 
-  // Browser projects. No project-level auth — specs opt in via the
-  // authedPage fixture in tests/e2e/fixtures/auth.ts, which logs a user
-  // in on first use and caches the resulting storageState per worker.
-  projects: [
-    { name: 'chromium', use: devices['Desktop Chrome'] },
-    { name: 'firefox', use: devices['Desktop Firefox'] },
-    { name: 'webkit', use: devices['Desktop Safari'] },
-  ],
+	// Browser projects. No project-level auth — specs opt in via the
+	// authedPage fixture in tests/e2e/fixtures/auth.ts, which logs a user
+	// in on first use and caches the resulting storageState per worker.
+	projects: [
+		{ name: 'chromium', use: devices['Desktop Chrome'] },
+		{ name: 'firefox', use: devices['Desktop Firefox'] },
+		{ name: 'webkit', use: devices['Desktop Safari'] },
+	],
 });

tests/e2e/tests/alerts/alerts.spec.ts

@@ -1,7 +1,7 @@
 import { test, expect } from '../../fixtures/auth';
 
 test('TC-01 alerts page — tabs render', async ({ authedPage: page }) => {
-  await page.goto('/alerts');
-  await expect(page.getByRole('tab', { name: /alert rules/i })).toBeVisible();
-  await expect(page.getByRole('tab', { name: /configuration/i })).toBeVisible();
+	await page.goto('/alerts');
+	await expect(page.getByRole('tab', { name: /alert rules/i })).toBeVisible();
+	await expect(page.getByRole('tab', { name: /configuration/i })).toBeVisible();
 });

tests/fixtures/alerts.py

@@ -1,9 +1,9 @@
 import base64
 import json
 import time
-from datetime import datetime, timedelta, timezone
+from collections.abc import Callable
+from datetime import UTC, datetime, timedelta
 from http import HTTPStatus
-from typing import Callable, List
 
 import pytest
 import requests
@@ -20,9 +20,7 @@ logger = setup_logger(__name__)
 
 
 @pytest.fixture(name="create_alert_rule", scope="function")
-def create_alert_rule(
-    signoz: types.SigNoz, get_token: Callable[[str, str], str]
-) -> Callable[[dict], str]:
+def create_alert_rule(signoz: types.SigNoz, get_token: Callable[[str, str], str]) -> Callable[[dict], str]:
     admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
 
     rule_ids = []
@@ -34,9 +32,7 @@ def create_alert_rule(
             headers={"Authorization": f"Bearer {admin_token}"},
             timeout=5,
         )
-        assert (
-            response.status_code == HTTPStatus.OK
-        ), f"Failed to create rule, api returned {response.status_code} with response: {response.text}"
+        assert response.status_code == HTTPStatus.OK, f"Failed to create rule, api returned {response.status_code} with response: {response.text}"
         rule_id = response.json()["data"]["id"]
         rule_ids.append(rule_id)
         return rule_id
@@ -64,23 +60,21 @@ def create_alert_rule(
 
 @pytest.fixture(name="insert_alert_data", scope="function")
 def insert_alert_data(
-    insert_metrics: Callable[[List[Metrics]], None],
-    insert_traces: Callable[[List[Traces]], None],
-    insert_logs: Callable[[List[Logs]], None],
-) -> Callable[[List[types.AlertData]], None]:
+    insert_metrics: Callable[[list[Metrics]], None],
+    insert_traces: Callable[[list[Traces]], None],
+    insert_logs: Callable[[list[Logs]], None],
+) -> Callable[[list[types.AlertData]], None]:
 
     def _insert_alert_data(
-        alert_data_items: List[types.AlertData],
+        alert_data_items: list[types.AlertData],
         base_time: datetime = None,
     ) -> None:
 
-        metrics: List[Metrics] = []
-        traces: List[Traces] = []
-        logs: List[Logs] = []
+        metrics: list[Metrics] = []
+        traces: list[Traces] = []
+        logs: list[Logs] = []
 
-        now = base_time or datetime.now(tz=timezone.utc).replace(
-            second=0, microsecond=0
-        )
+        now = base_time or datetime.now(tz=UTC).replace(second=0, microsecond=0)
 
         for data_item in alert_data_items:
             if data_item.type == "metrics":
@@ -113,9 +107,7 @@ def insert_alert_data(
     yield _insert_alert_data
 
 
-def collect_webhook_firing_alerts(
-    webhook_test_container: types.TestContainerDocker, notification_channel_name: str
-) -> List[types.FiringAlert]:
+def collect_webhook_firing_alerts(webhook_test_container: types.TestContainerDocker, notification_channel_name: str) -> list[types.FiringAlert]:
     # Prepare the endpoint path for the channel name, for alerts tests we have
     # used different paths for receiving alerts from each channel so that
     # multiple rules can be tested in isolation.
@@ -127,10 +119,7 @@ def collect_webhook_firing_alerts(
         "url": rule_webhook_endpoint,
     }
     res = requests.post(url, json=req, timeout=5)
-    assert res.status_code == HTTPStatus.OK, (
-        f"Failed to collect firing alerts for notification channel {notification_channel_name}, "
-        f"status code: {res.status_code}, response: {res.text}"
-    )
+    assert res.status_code == HTTPStatus.OK, f"Failed to collect firing alerts for notification channel {notification_channel_name}, status code: {res.status_code}, response: {res.text}"
     response = res.json()
     alerts = []
     for req in response["requests"]:
@@ -144,9 +133,7 @@ def collect_webhook_firing_alerts(
     return alerts
 
 
-def _verify_alerts_labels(
-    firing_alerts: list[dict[str, str]], expected_alerts: list[dict[str, str]]
-) -> tuple[int, list[dict[str, str]]]:
+def _verify_alerts_labels(firing_alerts: list[dict[str, str]], expected_alerts: list[dict[str, str]]) -> tuple[int, list[dict[str, str]]]:
     """
     Checks how many of the expected alerts have been fired.
     Returns the count of expected alerts that have been fired.
@@ -159,10 +146,7 @@ def _verify_alerts_labels(
 
         for fired_alert in firing_alerts:
             # Check if current expected alert is present in the fired alerts
-            if all(
-                key in fired_alert and fired_alert[key] == value
-                for key, value in alert.items()
-            ):
+            if all(key in fired_alert and fired_alert[key] == value for key, value in alert.items()):
                 is_alert_fired = True
                 break
 
@@ -181,35 +165,24 @@ def verify_webhook_alert_expectation(
 ) -> bool:
 
     # time to wait till the expected alerts are fired
-    time_to_wait = datetime.now() + timedelta(
-        seconds=alert_expectations.wait_time_seconds
-    )
-    expected_alerts_labels = [
-        alert.labels for alert in alert_expectations.expected_alerts
-    ]
+    time_to_wait = datetime.now() + timedelta(seconds=alert_expectations.wait_time_seconds)
+    expected_alerts_labels = [alert.labels for alert in alert_expectations.expected_alerts]
 
     while datetime.now() < time_to_wait:
-        firing_alerts = collect_webhook_firing_alerts(
-            test_alert_container, notification_channel_name
-        )
+        firing_alerts = collect_webhook_firing_alerts(test_alert_container, notification_channel_name)
         firing_alert_labels = [alert.labels for alert in firing_alerts]
 
         if alert_expectations.should_alert:
             # verify the number of alerts fired, currently we're only verifying the labels of the alerts
             # but there could be verification of annotations and other fields in the FiringAlert
-            (verified_count, missing_alerts) = _verify_alerts_labels(
-                firing_alert_labels, expected_alerts_labels
-            )
+            (verified_count, missing_alerts) = _verify_alerts_labels(firing_alert_labels, expected_alerts_labels)
 
             if verified_count == len(alert_expectations.expected_alerts):
-                logger.info(
-                    "Got expected number of alerts: %s", {"count": verified_count}
-                )
+                logger.info("Got expected number of alerts: %s", {"count": verified_count})
                 return True
-        else:
-            # No alert is supposed to be fired if should_alert is False
-            if len(firing_alerts) > 0:
-                break
+        # No alert is supposed to be fired if should_alert is False
+        elif len(firing_alerts) > 0:
+            break
 
         # wait for some time before checking again
         time.sleep(1)
@@ -220,7 +193,7 @@ def verify_webhook_alert_expectation(
     if not alert_expectations.should_alert:
         assert len(firing_alerts) == 0, (
             "Expected no alerts to be fired, ",
-            f"got {len(firing_alerts)} alerts, " f"firing alerts: {firing_alerts}",
+            f"got {len(firing_alerts)} alerts, firing alerts: {firing_alerts}",
         )
         logger.info("No alerts fired, as expected")
         return True

tests/fixtures/audit.py

@@ -1,7 +1,8 @@
 import datetime
 import json
 from abc import ABC
-from typing import Any, Callable, Generator, List, Optional
+from collections.abc import Callable, Generator
+from typing import Any
 
 import numpy as np
 import pytest
@@ -54,8 +55,8 @@ class AuditTagAttributes(ABC):
     tag_type: str
     tag_data_type: str
     string_value: str
-    int64_value: Optional[np.int64]
-    float64_value: Optional[np.float64]
+    int64_value: np.int64 | None
+    float64_value: np.float64 | None
 
     def __init__(
         self,
@@ -63,9 +64,9 @@ class AuditTagAttributes(ABC):
         tag_key: str,
         tag_type: str,
         tag_data_type: str,
-        string_value: Optional[str],
-        int64_value: Optional[np.int64],
-        float64_value: Optional[np.float64],
+        string_value: str | None,
+        int64_value: np.int64 | None,
+        float64_value: np.float64 | None,
     ) -> None:
         self.unix_milli = np.int64(int(timestamp.timestamp() * 1e3))
         self.tag_key = tag_key
@@ -121,14 +122,14 @@ class AuditLog(ABC):
     resource_json: dict[str, str]
     event_name: str
 
-    resource: List[AuditResource]
-    tag_attributes: List[AuditTagAttributes]
-    resource_keys: List[AuditResourceOrAttributeKeys]
-    attribute_keys: List[AuditResourceOrAttributeKeys]
+    resource: list[AuditResource]
+    tag_attributes: list[AuditTagAttributes]
+    resource_keys: list[AuditResourceOrAttributeKeys]
+    attribute_keys: list[AuditResourceOrAttributeKeys]
 
     def __init__(
         self,
-        timestamp: Optional[datetime.datetime] = None,
+        timestamp: datetime.datetime | None = None,
         resources: dict[str, Any] = {},
         attributes: dict[str, Any] = {},
         body: str = "",
@@ -180,13 +181,9 @@ class AuditLog(ABC):
                     float64_value=None,
                 )
             )
-            self.resource_keys.append(
-                AuditResourceOrAttributeKeys(name=k, datatype="string")
-            )
+            self.resource_keys.append(AuditResourceOrAttributeKeys(name=k, datatype="string"))
 
-        self.resource_fingerprint = LogsOrTracesFingerprint(
-            self.resource_json
-        ).calculate()
+        self.resource_fingerprint = LogsOrTracesFingerprint(self.resource_json).calculate()
 
         # Process attributes by type
         self.attributes_string = {}
@@ -207,9 +204,7 @@ class AuditLog(ABC):
                         float64_value=None,
                     )
                 )
-                self.attribute_keys.append(
-                    AuditResourceOrAttributeKeys(name=k, datatype="bool")
-                )
+                self.attribute_keys.append(AuditResourceOrAttributeKeys(name=k, datatype="bool"))
             elif isinstance(v, int):
                 self.attributes_number[k] = np.float64(v)
                 self.tag_attributes.append(
@@ -223,9 +218,7 @@ class AuditLog(ABC):
                         float64_value=None,
                     )
                 )
-                self.attribute_keys.append(
-                    AuditResourceOrAttributeKeys(name=k, datatype="int64")
-                )
+                self.attribute_keys.append(AuditResourceOrAttributeKeys(name=k, datatype="int64"))
             elif isinstance(v, float):
                 self.attributes_number[k] = np.float64(v)
                 self.tag_attributes.append(
@@ -239,9 +232,7 @@ class AuditLog(ABC):
                         float64_value=np.float64(v),
                     )
                 )
-                self.attribute_keys.append(
-                    AuditResourceOrAttributeKeys(name=k, datatype="float64")
-                )
+                self.attribute_keys.append(AuditResourceOrAttributeKeys(name=k, datatype="float64"))
             else:
                 self.attributes_string[k] = str(v)
                 self.tag_attributes.append(
@@ -255,9 +246,7 @@ class AuditLog(ABC):
                         float64_value=None,
                     )
                 )
-                self.attribute_keys.append(
-                    AuditResourceOrAttributeKeys(name=k, datatype="string")
-                )
+                self.attribute_keys.append(AuditResourceOrAttributeKeys(name=k, datatype="string"))
 
         self.scope_name = scope_name
         self.scope_version = scope_version
@@ -300,9 +289,9 @@ class AuditLog(ABC):
 @pytest.fixture(name="insert_audit_logs", scope="function")
 def insert_audit_logs(
     clickhouse: types.TestContainerClickhouse,
-) -> Generator[Callable[[List[AuditLog]], None], Any, None]:
-    def _insert_audit_logs(logs: List[AuditLog]) -> None:
-        resources: List[AuditResource] = []
+) -> Generator[Callable[[list[AuditLog]], None], Any]:
+    def _insert_audit_logs(logs: list[AuditLog]) -> None:
+        resources: list[AuditResource] = []
         for log in logs:
             resources.extend(log.resource)
 
@@ -318,7 +307,7 @@ def insert_audit_logs(
                 ],
             )
 
-        tag_attributes: List[AuditTagAttributes] = []
+        tag_attributes: list[AuditTagAttributes] = []
         for log in logs:
             tag_attributes.extend(log.tag_attributes)
 
@@ -338,7 +327,7 @@ def insert_audit_logs(
                 ],
             )
 
-        attribute_keys: List[AuditResourceOrAttributeKeys] = []
+        attribute_keys: list[AuditResourceOrAttributeKeys] = []
         for log in logs:
             attribute_keys.extend(log.attribute_keys)
 
@@ -350,7 +339,7 @@ def insert_audit_logs(
                 column_names=["name", "datatype"],
             )
 
-        resource_keys: List[AuditResourceOrAttributeKeys] = []
+        resource_keys: list[AuditResourceOrAttributeKeys] = []
         for log in logs:
             resource_keys.extend(log.resource_keys)
 
@@ -399,6 +388,4 @@ def insert_audit_logs(
         "logs_attribute_keys",
         "logs_resource_keys",
     ]:
-        clickhouse.conn.query(
-            f"TRUNCATE TABLE signoz_audit.{table} ON CLUSTER '{cluster}' SYNC"
-        )
+        clickhouse.conn.query(f"TRUNCATE TABLE signoz_audit.{table} ON CLUSTER '{cluster}' SYNC")

tests/fixtures/auth.py

@@ -1,6 +1,6 @@
 import time
+from collections.abc import Callable
 from http import HTTPStatus
-from typing import Callable, Dict, List, Tuple
 
 import pytest
 import requests
@@ -57,9 +57,7 @@ def _login(signoz: types.SigNoz, email: str, password: str) -> str:
 
 
 @pytest.fixture(name="create_user_admin", scope="package")
-def create_user_admin(
-    signoz: types.SigNoz, request: pytest.FixtureRequest, pytestconfig: pytest.Config
-) -> types.Operation:
+def create_user_admin(signoz: types.SigNoz, request: pytest.FixtureRequest, pytestconfig: pytest.Config) -> types.Operation:
     def create() -> None:
         response = requests.post(
             signoz.self.host_configs["8080"].get("/api/v1/register"),
@@ -143,7 +141,7 @@ def get_token(signoz: types.SigNoz) -> Callable[[str, str], str]:
 
 
 @pytest.fixture(name="get_tokens", scope="function")
-def get_tokens(signoz: types.SigNoz) -> Callable[[str, str], Tuple[str, str]]:
+def get_tokens(signoz: types.SigNoz) -> Callable[[str, str], tuple[str, str]]:
     def _get_tokens(email: str, password: str) -> str:
         response = requests.get(
             signoz.self.host_configs["8080"].get("/api/v2/sessions/context"),
@@ -193,11 +191,7 @@ def apply_license(
                 request=MappingRequest(
                     method=HttpMethods.GET,
                     url="/v2/licenses/me",
-                    headers={
-                        "X-Signoz-Cloud-Api-Key": {
-                            WireMockMatchers.EQUAL_TO: "secret-key"
-                        }
-                    },
+                    headers={"X-Signoz-Cloud-Api-Key": {WireMockMatchers.EQUAL_TO: "secret-key"}},
                 ),
                 response=MappingResponse(
                     status=200,
@@ -245,9 +239,7 @@ def apply_license(
         # redirects first-time admins to a questionnaire. Mark the preference
         # complete so specs can navigate directly to the feature under test.
         pref_resp = requests.put(
-            signoz.self.host_configs["8080"].get(
-                "/api/v1/org/preferences/org_onboarding"
-            ),
+            signoz.self.host_configs["8080"].get("/api/v1/org/preferences/org_onboarding"),
             json={"value": True},
             headers=auth_header,
             timeout=5,
@@ -276,7 +268,7 @@ def apply_license(
 # This is also idempotent in nature.
 def add_license(
     signoz: types.SigNoz,
-    make_http_mocks: Callable[[types.TestContainerDocker, List[Mapping]], None],
+    make_http_mocks: Callable[[types.TestContainerDocker, list[Mapping]], None],
     get_token: Callable[[str, str], str],  # pylint: disable=redefined-outer-name
 ) -> None:
     make_http_mocks(
@@ -286,11 +278,7 @@ def add_license(
                 request=MappingRequest(
                     method=HttpMethods.GET,
                     url="/v2/licenses/me",
-                    headers={
-                        "X-Signoz-Cloud-Api-Key": {
-                            WireMockMatchers.EQUAL_TO: "secret-key"
-                        }
-                    },
+                    headers={"X-Signoz-Cloud-Api-Key": {WireMockMatchers.EQUAL_TO: "secret-key"}},
                 ),
                 response=MappingResponse(
                     status=200,
@@ -368,7 +356,7 @@ def create_active_user(
     return invited_user["id"]
 
 
-def find_user_by_email(signoz: types.SigNoz, token: str, email: str) -> Dict:
+def find_user_by_email(signoz: types.SigNoz, token: str, email: str) -> dict:
     """Find a user by email from the user list. Raises AssertionError if not found."""
     response = requests.get(
         signoz.self.host_configs["8080"].get(USERS_BASE),
@@ -381,7 +369,7 @@ def find_user_by_email(signoz: types.SigNoz, token: str, email: str) -> Dict:
     return user
 
 
-def find_user_with_roles_by_email(signoz: types.SigNoz, token: str, email: str) -> Dict:
+def find_user_with_roles_by_email(signoz: types.SigNoz, token: str, email: str) -> dict:
     """Find a user by email and return UserWithRoles (user fields + userRoles).
 
     Raises AssertionError if the user is not found.
@@ -396,7 +384,7 @@ def find_user_with_roles_by_email(signoz: types.SigNoz, token: str, email: str)
     return response.json()["data"]
 
 
-def assert_user_has_role(data: Dict, role_name: str) -> None:
+def assert_user_has_role(data: dict, role_name: str) -> None:
     """Assert that a UserWithRoles response contains the expected managed role."""
     role_names = {ur["role"]["name"] for ur in data.get("userRoles", [])}
     assert role_name in role_names, f"Expected role '{role_name}' in {role_names}"
@@ -427,9 +415,7 @@ def change_user_role(
 
     # Remove old role
     response = requests.delete(
-        signoz.self.host_configs["8080"].get(
-            f"{USERS_BASE}/{user_id}/roles/{old_role_entry['id']}"
-        ),
+        signoz.self.host_configs["8080"].get(f"{USERS_BASE}/{user_id}/roles/{old_role_entry['id']}"),
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=5,
     )

tests/fixtures/clickhouse.py

@@ -1,5 +1,6 @@
 import os
-from typing import Any, Generator
+from collections.abc import Generator
+from typing import Any
 
 import clickhouse_connect
 import clickhouse_connect.driver
@@ -18,7 +19,7 @@ logger = setup_logger(__name__)
 
 @pytest.fixture(name="clickhouse", scope="package")
 def clickhouse(
-    tmpfs: Generator[types.LegacyPath, Any, None],
+    tmpfs: Generator[types.LegacyPath, Any],
     network: Network,
     zookeeper: types.TestContainerDocker,
     request: pytest.FixtureRequest,
@@ -153,9 +154,7 @@ def clickhouse(
         with open(custom_function_file_path, "w", encoding="utf-8") as f:
             f.write(custom_function_config)
 
-        container.with_volume_mapping(
-            cluster_config_file_path, "/etc/clickhouse-server/config.d/cluster.xml"
-        )
+        container.with_volume_mapping(cluster_config_file_path, "/etc/clickhouse-server/config.d/cluster.xml")
         container.with_volume_mapping(
             custom_function_file_path,
             "/etc/clickhouse-server/custom-function.xml",
@@ -183,9 +182,7 @@ def clickhouse(
             ],
         )
         if exit_code != 0:
-            raise RuntimeError(
-                f"Failed to install histogramQuantile binary: {output.decode()}"
-            )
+            raise RuntimeError(f"Failed to install histogramQuantile binary: {output.decode()}")
 
         connection = clickhouse_connect.get_client(
             user=container.username,
@@ -210,12 +207,8 @@ def clickhouse(
                     ),
                 },
                 container_configs={
-                    "9000": types.TestContainerUrlConfig(
-                        "tcp", container.get_wrapped_container().name, 9000
-                    ),
-                    "8123": types.TestContainerUrlConfig(
-                        "tcp", container.get_wrapped_container().name, 8123
-                    ),
+                    "9000": types.TestContainerUrlConfig("tcp", container.get_wrapped_container().name, 9000),
+                    "8123": types.TestContainerUrlConfig("tcp", container.get_wrapped_container().name, 8123),
                 },
             ),
             conn=connection,
@@ -261,9 +254,7 @@ def clickhouse(
         pytestconfig,
         "clickhouse",
         empty=lambda: types.TestContainerSQL(
-            container=types.TestContainerDocker(
-                id="", host_configs={}, container_configs={}
-            ),
+            container=types.TestContainerDocker(id="", host_configs={}, container_configs={}),
             conn=None,
             env={},
         ),

tests/fixtures/cloudintegrations.py

@@ -1,7 +1,7 @@
 """Fixtures for cloud integration tests."""
 
+from collections.abc import Callable
 from http import HTTPStatus
-from typing import Callable
 
 import pytest
 import requests
@@ -52,9 +52,7 @@ def deprecated_create_cloud_integration_account(
             timeout=10,
         )
 
-        assert (
-            response.status_code == HTTPStatus.OK
-        ), f"Failed to create test account: {response.status_code}"
+        assert response.status_code == HTTPStatus.OK, f"Failed to create test account: {response.status_code}"
 
         data = response.json().get("data", response.json())
         created_accounts.append((data.get("account_id"), cloud_provider))
@@ -127,9 +125,7 @@ def create_cloud_integration_account(
             timeout=10,
         )
 
-        assert (
-            response.status_code == HTTPStatus.CREATED
-        ), f"Failed to create test account: {response.status_code}: {response.text}"
+        assert response.status_code == HTTPStatus.CREATED, f"Failed to create test account: {response.status_code}: {response.text}"
 
         data = response.json()["data"]
         created_accounts.append((data["id"], cloud_provider))
@@ -143,9 +139,7 @@ def create_cloud_integration_account(
         try:
             admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
             for account_id, cloud_provider in created_accounts:
-                delete_endpoint = (
-                    f"/api/v1/cloud_integrations/{cloud_provider}/accounts/{account_id}"
-                )
+                delete_endpoint = f"/api/v1/cloud_integrations/{cloud_provider}/accounts/{account_id}"
                 r = requests.delete(
                     signoz.self.host_configs["8080"].get(delete_endpoint),
                     headers={"Authorization": f"Bearer {admin_token}"},
@@ -206,11 +200,7 @@ def setup_create_account_mocks(
                 request=MappingRequest(
                     method=HttpMethods.GET,
                     url="/v2/deployments/me",
-                    headers={
-                        "X-Signoz-Cloud-Api-Key": {
-                            WireMockMatchers.EQUAL_TO: "secret-key"
-                        }
-                    },
+                    headers={"X-Signoz-Cloud-Api-Key": {WireMockMatchers.EQUAL_TO: "secret-key"}},
                 ),
                 response=MappingResponse(
                     status=200,

tests/fixtures/fs.py

@@ -1,5 +1,6 @@
 import os
-from typing import Any, Generator
+from collections.abc import Generator
+from typing import Any
 
 import pytest
 
@@ -9,7 +10,7 @@ from fixtures import types
 @pytest.fixture(scope="package")
 def tmpfs(
     tmp_path_factory: pytest.TempPathFactory,
-) -> Generator[types.LegacyPath, Any, None]:
+) -> Generator[types.LegacyPath, Any]:
     def _tmp(basename: str):
         return tmp_path_factory.mktemp(basename)
 
@@ -19,7 +20,5 @@ def tmpfs(
 def get_testdata_file_path(file: str) -> str:
     # Integration testdata lives at tests/integration/testdata/. This helper
     # resolves from tests/fixtures/fs.py, so walk up to tests/ and across.
-    testdata_dir = os.path.join(
-        os.path.dirname(__file__), "..", "integration", "testdata"
-    )
+    testdata_dir = os.path.join(os.path.dirname(__file__), "..", "integration", "testdata")
     return os.path.join(testdata_dir, file)

tests/fixtures/gateway.py

@@ -1,5 +1,4 @@
 import json
-from typing import Optional
 
 import requests
 from wiremock.client import WireMockMatchers
@@ -14,9 +13,7 @@ def common_gateway_headers():
     """Common headers expected on requests forwarded to the gateway."""
     return {
         "X-Signoz-Cloud-Api-Key": {WireMockMatchers.EQUAL_TO: "secret-key"},
-        "X-Consumer-Username": {
-            WireMockMatchers.EQUAL_TO: "lid:00000000-0000-0000-0000-000000000000"
-        },
+        "X-Consumer-Username": {WireMockMatchers.EQUAL_TO: "lid:00000000-0000-0000-0000-000000000000"},
         "X-Consumer-Groups": {WireMockMatchers.EQUAL_TO: "ns:default"},
     }
 
@@ -34,9 +31,7 @@ def get_gateway_requests(signoz: types.SigNoz, method: str, url: str) -> list:
     return response.json().get("requests", [])
 
 
-def get_latest_gateway_request_body(
-    signoz: types.SigNoz, method: str, url: str
-) -> Optional[dict]:
+def get_latest_gateway_request_body(signoz: types.SigNoz, method: str, url: str) -> dict | None:
     """Return the parsed JSON body of the most recent matching gateway request.
 
     WireMock returns requests in reverse chronological order, so ``matched[0]``

tests/fixtures/http.py

@@ -1,4 +1,4 @@
-from typing import Callable, List
+from collections.abc import Callable
 
 import docker
 import docker.errors
@@ -42,11 +42,7 @@ def zeus(
                     container.get_exposed_port(8080),
                 )
             },
-            container_configs={
-                "8080": types.TestContainerUrlConfig(
-                    "http", container.get_wrapped_container().name, 8080
-                )
-            },
+            container_configs={"8080": types.TestContainerUrlConfig("http", container.get_wrapped_container().name, 8080)},
         )
 
     def delete(container: types.TestContainerDocker):
@@ -99,11 +95,7 @@ def gateway(
                     container.get_exposed_port(8080),
                 )
             },
-            container_configs={
-                "8080": types.TestContainerUrlConfig(
-                    "http", container.get_wrapped_container().name, 8080
-                )
-            },
+            container_configs={"8080": types.TestContainerUrlConfig("http", container.get_wrapped_container().name, 8080)},
         )
 
     def delete(container: types.TestContainerDocker):
@@ -132,10 +124,8 @@ def gateway(
 
 
 @pytest.fixture(name="make_http_mocks", scope="function")
-def make_http_mocks() -> Callable[[types.TestContainerDocker, List[Mapping]], None]:
-    def _make_http_mocks(
-        container: types.TestContainerDocker, mappings: List[Mapping]
-    ) -> None:
+def make_http_mocks() -> Callable[[types.TestContainerDocker, list[Mapping]], None]:
+    def _make_http_mocks(container: types.TestContainerDocker, mappings: list[Mapping]) -> None:
         Config.base_url = container.host_configs["8080"].get("/__admin")
 
         for mapping in mappings:

tests/fixtures/idp.py

@@ -1,4 +1,5 @@
-from typing import Any, Callable, Dict, List
+from collections.abc import Callable
+from typing import Any
 from urllib.parse import urljoin, urlparse
 from xml.etree import ElementTree
 
@@ -15,9 +16,7 @@ from fixtures.keycloak import IDP_ROOT_PASSWORD, IDP_ROOT_USERNAME
 
 
 @pytest.fixture(name="create_saml_client", scope="function")
-def create_saml_client(
-    idp: types.TestContainerIDP, signoz: types.SigNoz
-) -> Callable[[str, str], None]:
+def create_saml_client(idp: types.TestContainerIDP, signoz: types.SigNoz) -> Callable[[str, str], None]:
     def _create_saml_client(client_id: str, callback_path: str) -> None:
         client = KeycloakAdmin(
             server_url=idp.container.host_configs["6060"].base(),
@@ -34,9 +33,7 @@ def create_saml_client(
                 "description": f"client for {client_id}",
                 "rootUrl": "",
                 "adminUrl": "",
-                "baseUrl": urljoin(
-                    f"{signoz.self.host_configs['8080'].base()}", callback_path
-                ),
+                "baseUrl": urljoin(f"{signoz.self.host_configs['8080'].base()}", callback_path),
                 "surrogateAuthRequired": False,
                 "enabled": True,
                 "alwaysDisplayInConsole": False,
@@ -71,9 +68,7 @@ def create_saml_client(
                     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
                     "saml.onetimeuse.condition": "false",
                     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE",
-                    "saml_assertion_consumer_url_post": urljoin(
-                        f"{signoz.self.host_configs['8080'].base()}", callback_path
-                    ),
+                    "saml_assertion_consumer_url_post": urljoin(f"{signoz.self.host_configs['8080'].base()}", callback_path),
                 },
                 "authenticationFlowBindingOverrides": {},
                 "fullScopeAllowed": True,
@@ -164,10 +159,8 @@ def create_saml_client(
 @pytest.fixture(name="update_saml_client_attributes", scope="function")
 def update_saml_client_attributes(
     idp: types.TestContainerIDP,
-) -> Callable[[str, Dict[str, Any]], None]:
-    def _update_saml_client_attributes(
-        client_id: str, attributes: Dict[str, Any]
-    ) -> None:
+) -> Callable[[str, dict[str, Any]], None]:
+    def _update_saml_client_attributes(client_id: str, attributes: dict[str, Any]) -> None:
         client = KeycloakAdmin(
             server_url=idp.container.host_configs["6060"].base(),
             username=IDP_ROOT_USERNAME,
@@ -189,9 +182,7 @@ def update_saml_client_attributes(
 
 
 @pytest.fixture(name="create_oidc_client", scope="function")
-def create_oidc_client(
-    idp: types.TestContainerIDP, signoz: types.SigNoz
-) -> Callable[[str, str], None]:
+def create_oidc_client(idp: types.TestContainerIDP, signoz: types.SigNoz) -> Callable[[str, str], None]:
     def _create_oidc_client(client_id: str, callback_path: str) -> None:
         client = KeycloakAdmin(
             server_url=idp.container.host_configs["6060"].base(),
@@ -215,9 +206,7 @@ def create_oidc_client(
                 "enabled": True,
                 "alwaysDisplayInConsole": False,
                 "clientAuthenticatorType": "client-secret",
-                "redirectUris": [
-                    f"{urljoin(signoz.self.host_configs['8080'].base(), callback_path)}"
-                ],
+                "redirectUris": [f"{urljoin(signoz.self.host_configs['8080'].base(), callback_path)}"],
                 "webOrigins": ["/*"],
                 "notBefore": 0,
                 "bearerOnly": False,
@@ -287,9 +276,7 @@ def get_saml_settings(idp: types.TestContainerIDP) -> dict:
         return {
             "entityID": entity_id,
             "certificate": certificate_el.text if certificate_el is not None else None,
-            "singleSignOnServiceLocation": (
-                sso_post_el.get("Location") if sso_post_el is not None else None
-            ),
+            "singleSignOnServiceLocation": (sso_post_el.get("Location") if sso_post_el is not None else None),
         }
 
     return _get_saml_settings
@@ -422,7 +409,7 @@ def create_group_idp(idp: types.TestContainerIDP) -> Callable[[str], str]:
 def create_user_idp_with_groups(
     idp: types.TestContainerIDP,
     create_group_idp: Callable[[str], str],  # pylint: disable=redefined-outer-name
-) -> Callable[[str, str, bool, List[str]], None]:
+) -> Callable[[str, str, bool, list[str]], None]:
     """Creates a user in Keycloak IDP with specified groups."""
     client = KeycloakAdmin(
         server_url=idp.container.host_configs["6060"].base(),
@@ -433,9 +420,7 @@ def create_user_idp_with_groups(
 
     created_users = []
 
-    def _create_user_idp_with_groups(
-        email: str, password: str, verified: bool, groups: List[str]
-    ) -> None:
+    def _create_user_idp_with_groups(email: str, password: str, verified: bool, groups: list[str]) -> None:
         # Create groups first
         group_ids = []
         for group_name in groups:
@@ -493,7 +478,7 @@ def add_user_to_group(
 def create_user_idp_with_role(
     idp: types.TestContainerIDP,
     create_group_idp: Callable[[str], str],  # pylint: disable=redefined-outer-name
-) -> Callable[[str, str, bool, str, List[str]], None]:
+) -> Callable[[str, str, bool, str, list[str]], None]:
     """Creates a user in Keycloak IDP with a custom role attribute and optional groups."""
     client = KeycloakAdmin(
         server_url=idp.container.host_configs["6060"].base(),
@@ -504,9 +489,7 @@ def create_user_idp_with_role(
 
     created_users = []
 
-    def _create_user_idp_with_role(
-        email: str, password: str, verified: bool, role: str, groups: List[str]
-    ) -> None:
+    def _create_user_idp_with_role(email: str, password: str, verified: bool, role: str, groups: list[str]) -> None:
         # Create groups first
         group_ids = []
         for group_name in groups:
@@ -559,9 +542,7 @@ def setup_user_profile(idp: types.TestContainerIDP) -> Callable[[], None]:
 
         # Check if signoz_role attribute already exists
         attributes = profile.get("attributes", [])
-        signoz_role_exists = any(
-            attr.get("name") == "signoz_role" for attr in attributes
-        )
+        signoz_role_exists = any(attr.get("name") == "signoz_role" for attr in attributes)
 
         if not signoz_role_exists:
             # Add signoz_role attribute to user profile
@@ -645,11 +626,7 @@ def get_oidc_domain(signoz: types.SigNoz, admin_token: str) -> dict:
         timeout=2,
     )
     return next(
-        (
-            domain
-            for domain in response.json()["data"]
-            if domain["name"] == "oidc.integration.test"
-        ),
+        (domain for domain in response.json()["data"] if domain["name"] == "oidc.integration.test"),
         None,
     )
 
@@ -680,9 +657,7 @@ def perform_oidc_login(
     session_context = get_session_context(email)
     url = session_context["orgs"][0]["authNSupport"]["callback"][0]["url"]
     parsed_url = urlparse(url)
-    actual_url = (
-        f"{idp.container.host_configs['6060'].get(parsed_url.path)}?{parsed_url.query}"
-    )
+    actual_url = f"{idp.container.host_configs['6060'].get(parsed_url.path)}?{parsed_url.query}"
     driver.get(actual_url)
     idp_login(email, password)
 
@@ -694,11 +669,7 @@ def get_saml_domain(signoz: types.SigNoz, admin_token: str) -> dict:
         timeout=2,
     )
     return next(
-        (
-            domain
-            for domain in response.json()["data"]
-            if domain["name"] == "saml.integration.test"
-        ),
+        (domain for domain in response.json()["data"] if domain["name"] == "saml.integration.test"),
         None,
     )
 

tests/fixtures/keycloak.py

@@ -52,12 +52,8 @@ def idp(
                     ),
                 },
                 container_configs={
-                    "6060": types.TestContainerUrlConfig(
-                        "http", container.get_wrapped_container().name, 6060
-                    ),
-                    "6061": types.TestContainerUrlConfig(
-                        "http", container.get_wrapped_container().name, 6061
-                    ),
+                    "6060": types.TestContainerUrlConfig("http", container.get_wrapped_container().name, 6060),
+                    "6061": types.TestContainerUrlConfig("http", container.get_wrapped_container().name, 6061),
                 },
             ),
         )
@@ -84,11 +80,7 @@ def idp(
         request,
         pytestconfig,
         "idp",
-        lambda: types.TestContainerIDP(
-            container=types.TestContainerDocker(
-                id="", host_configs={}, container_configs={}
-            )
-        ),
+        lambda: types.TestContainerIDP(container=types.TestContainerDocker(id="", host_configs={}, container_configs={})),
         create,
         delete,
         restore,