chore: more cleanup

chore: use a struct instead
fix(querier): pad clamped time range for trace_id-filtered logs
2026-06-23 00:30:30 +01:00 · 2026-06-22 17:22:32 +05:30 · 2026-06-22 17:11:09 +05:30 · 2026-06-21 11:19:42 +05:30
39 changed files with 251 additions and 1197 deletions
--- a/conf/example.yaml
+++ b/conf/example.yaml
@@ -141,6 +141,10 @@ querier:
  flux_interval: 5m
  # The maximum number of concurrent queries for missing ranges.
  max_concurrent_queries: 4
+  # When filtering logs by trace_id, clamp the query window to the trace time
+  # range with padding to include slightly delayed log exports. Logs only; set
+  # to 0 to disable.
+  log_trace_id_window_padding: 5m

 ##################### TelemetryStore #####################
 telemetrystore:
--- a/docs/api/openapi.yml
+++ b/docs/api/openapi.yml
@@ -647,12 +647,8 @@ components:
          type: string
        name:
          type: string
-        transactionGroups:
-          $ref: '#/components/schemas/AuthtypesTransactionGroups'
      required:
      - name
-      - description
-      - transactionGroups
      type: object
    AuthtypesPostableRotateToken:
      properties:
@@ -707,34 +703,6 @@ components:
        useRoleAttribute:
          type: boolean
      type: object
-    AuthtypesRoleWithTransactionGroups:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        description:
-          type: string
-        id:
-          type: string
-        name:
-          type: string
-        orgId:
-          type: string
-        transactionGroups:
-          $ref: '#/components/schemas/AuthtypesTransactionGroups'
-        type:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-      required:
-      - id
-      - name
-      - description
-      - type
-      - orgId
-      - transactionGroups
-      type: object
    AuthtypesSamlConfig:
      properties:
        attributeMapping:
@@ -768,35 +736,11 @@ components:
      - relation
      - object
      type: object
-    AuthtypesTransactionGroup:
-      properties:
-        objectGroup:
-          $ref: '#/components/schemas/CoretypesObjectGroup'
-        relation:
-          $ref: '#/components/schemas/AuthtypesRelation'
-      required:
-      - relation
-      - objectGroup
-      type: object
-    AuthtypesTransactionGroups:
-      items:
-        $ref: '#/components/schemas/AuthtypesTransactionGroup'
-      type: array
    AuthtypesUpdatableAuthDomain:
      properties:
        config:
          $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
      type: object
-    AuthtypesUpdatableRole:
-      properties:
-        description:
-          type: string
-        transactionGroups:
-          $ref: '#/components/schemas/AuthtypesTransactionGroups'
-      required:
-      - description
-      - transactionGroups
-      type: object
    AuthtypesUserRole:
      properties:
        createdAt:
@@ -10309,15 +10253,6 @@ paths:
        name: limit
        schema:
          type: integer
-      - in: query
-        name: q
-        schema:
-          type: string
-      - in: query
-        name: isOverride
-        schema:
-          nullable: true
-          type: boolean
      responses:
        "200":
          content:
@@ -11123,7 +11058,7 @@ paths:
              schema:
                properties:
                  data:
-                    $ref: '#/components/schemas/AuthtypesRoleWithTransactionGroups'
+                    $ref: '#/components/schemas/AuthtypesRole'
                  status:
                    type: string
                required:
@@ -11158,7 +11093,7 @@ paths:
      tags:
      - role
    patch:
-      deprecated: true
+      deprecated: false
      description: This endpoint patches a role
      operationId: PatchRole
      parameters:
@@ -11219,68 +11154,6 @@ paths:
      summary: Patch role
      tags:
      - role
-    put:
-      deprecated: false
-      description: This endpoint updates a role
-      operationId: UpdateRole
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/AuthtypesUpdatableRole'
-      responses:
-        "204":
-          description: No Content
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "451":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unavailable For Legal Reasons
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-        "501":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Implemented
-      security:
-      - api_key:
-        - role:update
-      - tokenizer:
-        - role:update
-      summary: Update role
-      tags:
-      - role
  /api/v1/roles/{id}/relations/{relation}/objects:
    get:
      deprecated: false
@@ -11360,7 +11233,7 @@ paths:
      tags:
      - role
    patch:
-      deprecated: true
+      deprecated: false
      description: Patches the objects connected to the specified role via a given
        relation type
      operationId: PatchObjects
--- a/ee/authz/openfgaauthz/provider.go
+++ b/ee/authz/openfgaauthz/provider.go
@@ -179,36 +179,13 @@ func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context,
 	return provider.Write(ctx, tuples, nil)
 }

-func (provider *provider) Create(ctx context.Context, orgID valuer.UUID, role *authtypes.RoleWithTransactionGroups) error {
+func (provider *provider) Create(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) error {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
 	}

-	existingRole, err := provider.GetByOrgIDAndName(ctx, orgID, role.Name)
-	if err != nil && !errors.Asc(err, authtypes.ErrCodeRoleNotFound) {
-		return err
-	}
-
-	if existingRole != nil {
-		return errors.Newf(errors.TypeAlreadyExists, authtypes.ErrCodeRoleAlreadyExists, "role with name: %s already exists", existingRole.Name)
-	}
-
-	tuples, err := authtypes.NewTuplesFromTransactionGroups(role.Name, orgID, role.TransactionGroups)
-	if err != nil {
-		return err
-	}
-
-	err = provider.Write(ctx, tuples, nil)
-	if err != nil {
-		return err
-	}
-
-	if err := provider.store.Create(ctx, role.Role); err != nil {
-		return err
-	}
-
-	return nil
+	return provider.store.Create(ctx, role)
 }

 func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) (*authtypes.Role, error) {
@@ -236,26 +213,6 @@ func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, ro
 	return role, nil
 }

-func (provider *provider) GetWithTransactionGroups(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.RoleWithTransactionGroups, error) {
-	_, err := provider.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return nil, errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	role, err := provider.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	tuples, err := provider.readAllTuplesForRole(ctx, role.Name, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	transactionGroups := authtypes.MustNewTransactionGroupsFromTuples(tuples)
-	return authtypes.MakeRoleWithTransactionGroups(role, transactionGroups), nil
-}
-
 func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*coretypes.Object, error) {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
@@ -290,36 +247,6 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 	return objects, nil
 }

-func (provider *provider) Update(ctx context.Context, orgID valuer.UUID, updatedRole *authtypes.RoleWithTransactionGroups) error {
-	_, err := provider.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	existingRole, err := provider.GetWithTransactionGroups(ctx, orgID, updatedRole.ID)
-	if err != nil {
-		return err
-	}
-
-	additions, deletions := existingRole.TransactionGroups.Diff(updatedRole.TransactionGroups)
-	additionTuples, err := authtypes.NewTuplesFromTransactionGroups(existingRole.Name, orgID, additions)
-	if err != nil {
-		return err
-	}
-
-	deletionTuples, err := authtypes.NewTuplesFromTransactionGroups(existingRole.Name, orgID, deletions)
-	if err != nil {
-		return err
-	}
-
-	err = provider.Write(ctx, additionTuples, deletionTuples)
-	if err != nil {
-		return err
-	}
-
-	return provider.store.Update(ctx, orgID, updatedRole.Role)
-}
-
 func (provider *provider) Patch(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) error {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
@@ -359,7 +286,7 @@ func (provider *provider) Delete(ctx context.Context, orgID valuer.UUID, id valu
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
 	}

-	role, err := provider.GetWithTransactionGroups(ctx, orgID, id)
+	role, err := provider.store.Get(ctx, orgID, id)
 	if err != nil {
 		return err
 	}
@@ -375,12 +302,7 @@ func (provider *provider) Delete(ctx context.Context, orgID valuer.UUID, id valu
 		}
 	}

-	tuples, err := authtypes.NewTuplesFromTransactionGroups(role.Name, orgID, role.TransactionGroups)
-	if err != nil {
-		return err
-	}
-
-	if err := provider.Write(ctx, nil, tuples); err != nil {
+	if err := provider.deleteTuples(ctx, role.Name, orgID); err != nil {
 		return errors.WithAdditionalf(err, "failed to delete tuples for the role: %s", role.Name)
 	}

@@ -439,7 +361,7 @@ func (provider *provider) getManagedRoleTransactionTuples(orgID valuer.UUID) []*
 	return tuples
 }

-func (provider *provider) readAllTuplesForRole(ctx context.Context, roleName string, orgID valuer.UUID) ([]*openfgav1.TupleKey, error) {
+func (provider *provider) deleteTuples(ctx context.Context, roleName string, orgID valuer.UUID) error {
 	subject := authtypes.MustNewSubject(coretypes.NewResourceRole(), roleName, orgID, &coretypes.VerbAssignee)

 	tuples := make([]*openfgav1.TupleKey, 0)
@@ -449,10 +371,26 @@ func (provider *provider) readAllTuplesForRole(ctx context.Context, roleName str
 			Object: objectType.StringValue() + ":",
 		})
 		if err != nil {
-			return nil, err
+			return err
 		}
 		tuples = append(tuples, typeTuples...)
 	}

-	return tuples, nil
+	if len(tuples) == 0 {
+		return nil
+	}
+
+	for idx := 0; idx < len(tuples); idx += provider.config.OpenFGA.MaxTuplesPerWrite {
+		end := idx + provider.config.OpenFGA.MaxTuplesPerWrite
+		if end > len(tuples) {
+			end = len(tuples)
+		}
+
+		err := provider.Write(ctx, nil, tuples[idx:end])
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
--- a/ee/query-service/app/api/featureFlags.go
+++ b/ee/query-service/app/api/featureFlags.go
@@ -98,15 +98,6 @@ func (ah *APIHandler) getFeatureFlags(w http.ResponseWriter, r *http.Request) {
 		Route:      "",
 	})

-	aiObservability := ah.Signoz.Flagger.BooleanOrEmpty(ctx, flagger.FeatureEnableAIObservability, evalCtx)
-	featureSet = append(featureSet, &licensetypes.Feature{
-		Name:       valuer.NewString(flagger.FeatureEnableAIObservability.String()),
-		Active:     aiObservability,
-		Usage:      0,
-		UsageLimit: -1,
-		Route:      "",
-	})
-
 	if constants.IsDotMetricsEnabled {
 		for idx, feature := range featureSet {
 			if feature.Name == licensetypes.DotMetricsEnabled {
--- a/frontend/src/api/generated/services/role/index.ts
+++ b/frontend/src/api/generated/services/role/index.ts
@@ -20,7 +20,6 @@ import type {
 import type {
 	AuthtypesPatchableRoleDTO,
 	AuthtypesPostableRoleDTO,
-	AuthtypesUpdatableRoleDTO,
 	CoretypesPatchableObjectsDTO,
 	CreateRole201,
 	DeleteRolePathParameters,
@@ -32,7 +31,6 @@ import type {
 	PatchObjectsPathParameters,
 	PatchRolePathParameters,
 	RenderErrorResponseDTO,
-	UpdateRolePathParameters,
 } from '../sigNoz.schemas';

 import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
@@ -367,7 +365,6 @@ export const invalidateGetRole = async (

 /**
 * This endpoint patches a role
- * @deprecated
 * @summary Patch role
 */
 export const patchRole = (
@@ -439,7 +436,6 @@ export type PatchRoleMutationBody =
 export type PatchRoleMutationError = ErrorType<RenderErrorResponseDTO>;

 /**
- * @deprecated
 * @summary Patch role
 */
 export const usePatchRole = <
@@ -466,105 +462,6 @@ export const usePatchRole = <
 > => {
 	return useMutation(getPatchRoleMutationOptions(options));
 };
-/**
- * This endpoint updates a role
- * @summary Update role
- */
-export const updateRole = (
-	{ id }: UpdateRolePathParameters,
-	authtypesUpdatableRoleDTO?: BodyType<AuthtypesUpdatableRoleDTO>,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<void>({
-		url: `/api/v1/roles/${id}`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: authtypesUpdatableRoleDTO,
-		signal,
-	});
-};
-
-export const getUpdateRoleMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateRole>>,
-		TError,
-		{
-			pathParams: UpdateRolePathParameters;
-			data?: BodyType<AuthtypesUpdatableRoleDTO>;
-		},
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateRole>>,
-	TError,
-	{
-		pathParams: UpdateRolePathParameters;
-		data?: BodyType<AuthtypesUpdatableRoleDTO>;
-	},
-	TContext
-> => {
-	const mutationKey = ['updateRole'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-			'mutationKey' in options.mutation &&
-			options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateRole>>,
-		{
-			pathParams: UpdateRolePathParameters;
-			data?: BodyType<AuthtypesUpdatableRoleDTO>;
-		}
-	> = (props) => {
-		const { pathParams, data } = props ?? {};
-
-		return updateRole(pathParams, data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateRoleMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateRole>>
->;
-export type UpdateRoleMutationBody =
-	| BodyType<AuthtypesUpdatableRoleDTO>
-	| undefined;
-export type UpdateRoleMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Update role
- */
-export const useUpdateRole = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateRole>>,
-		TError,
-		{
-			pathParams: UpdateRolePathParameters;
-			data?: BodyType<AuthtypesUpdatableRoleDTO>;
-		},
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateRole>>,
-	TError,
-	{
-		pathParams: UpdateRolePathParameters;
-		data?: BodyType<AuthtypesUpdatableRoleDTO>;
-	},
-	TContext
-> => {
-	return useMutation(getUpdateRoleMutationOptions(options));
-};
 /**
 * Gets all objects connected to the specified role via a given relation type
 * @summary Get objects for a role by relation
@@ -668,7 +565,6 @@ export const invalidateGetObjects = async (

 /**
 * Patches the objects connected to the specified role via a given relation type
- * @deprecated
 * @summary Patch objects for a role by relation
 */
 export const patchObjects = (
@@ -740,7 +636,6 @@ export type PatchObjectsMutationBody =
 export type PatchObjectsMutationError = ErrorType<RenderErrorResponseDTO>;

 /**
- * @deprecated
 * @summary Patch objects for a role by relation
 */
 export const usePatchObjects = <
--- a/frontend/src/api/generated/services/sigNoz.schemas.ts
+++ b/frontend/src/api/generated/services/sigNoz.schemas.ts
@@ -2224,31 +2224,15 @@ export interface AuthtypesPostableEmailPasswordSessionDTO {
 	password?: string;
 }

-export interface CoretypesObjectGroupDTO {
-	resource: CoretypesResourceRefDTO;
-	/**
-	 * @type array
-	 */
-	selectors: string[];
-}
-
-export interface AuthtypesTransactionGroupDTO {
-	objectGroup: CoretypesObjectGroupDTO;
-	relation: AuthtypesRelationDTO;
-}
-
-export type AuthtypesTransactionGroupsDTO = AuthtypesTransactionGroupDTO[];
-
 export interface AuthtypesPostableRoleDTO {
 	/**
 	 * @type string
 	 */
-	description: string;
+	description?: string;
 	/**
 	 * @type string
 	 */
 	name: string;
-	transactionGroups: AuthtypesTransactionGroupsDTO;
 }

 export interface AuthtypesPostableRotateTokenDTO {
@@ -2291,40 +2275,6 @@ export interface AuthtypesRoleDTO {
 	updatedAt?: string;
 }

-export interface AuthtypesRoleWithTransactionGroupsDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: string;
-	/**
-	 * @type string
-	 */
-	description: string;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type string
-	 */
-	name: string;
-	/**
-	 * @type string
-	 */
-	orgId: string;
-	transactionGroups: AuthtypesTransactionGroupsDTO;
-	/**
-	 * @type string
-	 */
-	type: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: string;
-}
-
 export interface AuthtypesSessionContextDTO {
 	/**
 	 * @type boolean
@@ -2345,14 +2295,6 @@ export interface AuthtypesUpdatableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 }

-export interface AuthtypesUpdatableRoleDTO {
-	/**
-	 * @type string
-	 */
-	description: string;
-	transactionGroups: AuthtypesTransactionGroupsDTO;
-}
-
 export interface AuthtypesUserRoleDTO {
 	/**
 	 * @type string
@@ -3123,6 +3065,14 @@ export interface CommonJSONRefDTO {
 	$ref?: string;
 }

+export interface CoretypesObjectGroupDTO {
+	resource: CoretypesResourceRefDTO;
+	/**
+	 * @type array
+	 */
+	selectors: string[];
+}
+
 export interface CoretypesPatchableObjectsDTO {
 	/**
 	 * @type array,null
@@ -9500,16 +9450,6 @@ export type ListLLMPricingRulesParams = {
 	 * @description undefined
 	 */
 	limit?: number;
-	/**
-	 * @type string
-	 * @description undefined
-	 */
-	q?: string;
-	/**
-	 * @type boolean,null
-	 * @description undefined
-	 */
-	isOverride?: boolean | null;
 };

 export type ListLLMPricingRules200 = {
@@ -9619,7 +9559,7 @@ export type GetRolePathParameters = {
 	id: string;
 };
 export type GetRole200 = {
-	data: AuthtypesRoleWithTransactionGroupsDTO;
+	data: AuthtypesRoleDTO;
 	/**
 	 * @type string
 	 */
@@ -9629,9 +9569,6 @@ export type GetRole200 = {
 export type PatchRolePathParameters = {
 	id: string;
 };
-export type UpdateRolePathParameters = {
-	id: string;
-};
 export type GetObjectsPathParameters = {
 	id: string;
 	relation: string;
--- a/frontend/src/api/v5/queryRange/convertV5Response.test.ts
+++ b/frontend/src/api/v5/queryRange/convertV5Response.test.ts
@@ -274,110 +274,4 @@ describe('convertV5ResponseToLegacy', () => {
 			},
 		});
 	});
-
-	it('clickhouse_sql scalar keeps each value column distinct (regression: all-"A" collapse)', () => {
-		const scalar: ScalarData = {
-			columns: [
-				{
-					name: 'service.name',
-					queryName: 'A',
-					aggregationIndex: 0,
-					columnType: 'group',
-				} as unknown as ScalarData['columns'][number],
-				{
-					name: 'current_availability',
-					queryName: 'A',
-					aggregationIndex: 0,
-					columnType: 'aggregation',
-				} as unknown as ScalarData['columns'][number],
-				{
-					name: 'error_budget_remaining',
-					queryName: 'A',
-					aggregationIndex: 1,
-					columnType: 'aggregation',
-				} as unknown as ScalarData['columns'][number],
-				{
-					name: 'budget_status',
-					queryName: 'A',
-					aggregationIndex: 2,
-					columnType: 'group',
-				} as unknown as ScalarData['columns'][number],
-				{
-					name: 'total_requests',
-					queryName: 'A',
-					aggregationIndex: 4,
-					columnType: 'aggregation',
-				} as unknown as ScalarData['columns'][number],
-			],
-			data: [['kuja-api_gateway-service', 99.985, 0.985, 'Healthy ✅', 2181216]],
-		};
-
-		const v5Data: QueryRangeResponseV5 = {
-			type: 'scalar',
-			data: { results: [scalar] },
-			meta: { rowsScanned: 0, bytesScanned: 0, durationMs: 0, stepIntervals: {} },
-		};
-
-		// A clickhouse_sql envelope contributes no aggregation metadata.
-		const params = makeBaseParams('scalar', [
-			{
-				type: 'clickhouse_sql',
-				spec: {
-					name: 'A',
-					query: 'SELECT ...',
-					disabled: false,
-				},
-			} as unknown as QueryRangeRequestV5['compositeQuery']['queries'][number],
-		]);
-
-		const input: SuccessResponse<MetricRangePayloadV5, QueryRangeRequestV5> =
-			makeBaseSuccess({ data: v5Data }, params);
-		// formatForWeb=true is the table-panel path.
-		const result = convertV5ResponseToLegacy(input, { A: '' }, true);
-
-		const [tableEntry] = result.payload.data.result;
-		// Headers keep their real names instead of collapsing to "A".
-		expect(tableEntry.table?.columns).toStrictEqual([
-			{
-				name: 'service.name',
-				queryName: 'A',
-				isValueColumn: false,
-				id: 'service.name',
-			},
-			{
-				name: 'current_availability',
-				queryName: 'A',
-				isValueColumn: true,
-				id: 'current_availability',
-			},
-			{
-				name: 'error_budget_remaining',
-				queryName: 'A',
-				isValueColumn: true,
-				id: 'error_budget_remaining',
-			},
-			{
-				name: 'budget_status',
-				queryName: 'A',
-				isValueColumn: false,
-				id: 'budget_status',
-			},
-			{
-				name: 'total_requests',
-				queryName: 'A',
-				isValueColumn: true,
-				id: 'total_requests',
-			},
-		]);
-		// Ids are unique, so value columns don't overwrite each other in the row.
-		expect(tableEntry.table?.rows?.[0]).toStrictEqual({
-			data: {
-				'service.name': 'kuja-api_gateway-service',
-				current_availability: 99.985,
-				error_budget_remaining: 0.985,
-				budget_status: 'Healthy ✅',
-				total_requests: 2181216,
-			},
-		});
-	});
 });
--- a/frontend/src/api/v5/queryRange/convertV5Response.ts
+++ b/frontend/src/api/v5/queryRange/convertV5Response.ts
@@ -15,7 +15,6 @@ function getColName(
 	col: ScalarData['columns'][number],
 	legendMap: Record<string, string>,
 	aggregationPerQuery: Record<string, any>,
-	clickhouseQueryNames: Set<string>,
 ): string {
 	if (col.columnType === 'group') {
 		return col.name;
@@ -40,32 +39,16 @@ function getColName(
 		return alias || expression || col.queryName;
 	}

-	// clickhouse_sql value columns carry their real SQL alias in col.name — use
-	// it so each value column keeps its own header instead of collapsing onto
-	// the query name. Formulas/promql use placeholder names, so they fall back
-	// to legend || queryName.
-	if (clickhouseQueryNames.has(col.queryName)) {
-		return col.name;
-	}
 	return legend || col.queryName;
 }

 function getColId(
 	col: ScalarData['columns'][number],
 	aggregationPerQuery: Record<string, any>,
-	clickhouseQueryNames: Set<string>,
 ): string {
 	if (col.columnType === 'group') {
 		return col.name;
 	}
-
-	// clickhouse_sql value columns are keyed by their real SQL alias so multiple
-	// value columns stay unique instead of all collapsing onto the query name
-	// (which would overwrite every cell in the row with the last column's value).
-	if (clickhouseQueryNames.has(col.queryName)) {
-		return col.name;
-	}
-
 	const aggregation =
 		aggregationPerQuery?.[col.queryName]?.[col.aggregationIndex];
 	const expression = aggregation?.expression || '';
@@ -158,7 +141,6 @@ function convertScalarDataArrayToTable(
 	scalarDataArray: ScalarData[],
 	legendMap: Record<string, string>,
 	aggregationPerQuery: Record<string, any>,
-	clickhouseQueryNames: Set<string>,
 ): QueryDataV3[] {
 	// If no scalar data, return empty structure

@@ -184,10 +166,10 @@ function convertScalarDataArrayToTable(

 		// Collect columns for this specific query
 		const columns = scalarData?.columns?.map((col) => ({
-			name: getColName(col, legendMap, aggregationPerQuery, clickhouseQueryNames),
+			name: getColName(col, legendMap, aggregationPerQuery),
 			queryName: col.queryName,
 			isValueColumn: col.columnType === 'aggregation',
-			id: getColId(col, aggregationPerQuery, clickhouseQueryNames),
+			id: getColId(col, aggregationPerQuery),
 		}));

 		// Process rows for this specific query
@@ -195,13 +177,8 @@ function convertScalarDataArrayToTable(
 			const rowData: Record<string, any> = {};

 			scalarData?.columns?.forEach((col, colIndex) => {
-				const columnName = getColName(
-					col,
-					legendMap,
-					aggregationPerQuery,
-					clickhouseQueryNames,
-				);
-				const columnId = getColId(col, aggregationPerQuery, clickhouseQueryNames);
+				const columnName = getColName(col, legendMap, aggregationPerQuery);
+				const columnId = getColId(col, aggregationPerQuery);
 				rowData[columnId || columnName] = dataRow[colIndex];
 			});

@@ -225,7 +202,6 @@ function convertScalarWithFormatForWeb(
 	scalarDataArray: ScalarData[],
 	legendMap: Record<string, string>,
 	aggregationPerQuery: Record<string, any>,
-	clickhouseQueryNames: Set<string>,
 ): QueryDataV3[] {
 	if (!scalarDataArray || scalarDataArray.length === 0) {
 		return [];
@@ -234,18 +210,13 @@ function convertScalarWithFormatForWeb(
 	return scalarDataArray.map((scalarData) => {
 		const columns =
 			scalarData.columns?.map((col) => {
-				const colName = getColName(
-					col,
-					legendMap,
-					aggregationPerQuery,
-					clickhouseQueryNames,
-				);
+				const colName = getColName(col, legendMap, aggregationPerQuery);

 				return {
 					name: colName,
 					queryName: col.queryName,
 					isValueColumn: col.columnType === 'aggregation',
-					id: getColId(col, aggregationPerQuery, clickhouseQueryNames),
+					id: getColId(col, aggregationPerQuery),
 				};
 			}) || [];

@@ -318,7 +289,6 @@ function convertV5DataByType(
 	v5Data: any,
 	legendMap: Record<string, string>,
 	aggregationPerQuery: Record<string, any>,
-	clickhouseQueryNames: Set<string>,
 ): MetricRangePayloadV3['data'] {
 	switch (v5Data?.type) {
 		case 'time_series': {
@@ -337,7 +307,6 @@ function convertV5DataByType(
 				scalarData,
 				legendMap,
 				aggregationPerQuery,
-				clickhouseQueryNames,
 			);
 			return {
 				resultType: 'scalar',
@@ -404,15 +373,6 @@ export function convertV5ResponseToLegacy(
 				{} as Record<string, any>,
 			) || {};

-	// clickhouse_sql queries have no aggregation metadata; their value columns
-	// are named/keyed by the real SQL alias the response carries (see getColId).
-	const clickhouseQueryNames = new Set<string>(
-		(params?.compositeQuery?.queries ?? [])
-			.filter((query) => query.type === 'clickhouse_sql')
-			.map((query) => (query.spec as { name?: string })?.name)
-			.filter((name): name is string => !!name),
-	);
-
 	// If formatForWeb is true, return as-is (like existing logic)
 	if (formatForWeb && v5Data?.type === 'scalar') {
 		const scalarData = v5Data.data.results as ScalarData[];
@@ -420,7 +380,6 @@ export function convertV5ResponseToLegacy(
 			scalarData,
 			legendMap,
 			aggregationPerQuery,
-			clickhouseQueryNames,
 		);

 		return {
@@ -443,7 +402,6 @@ export function convertV5ResponseToLegacy(
 		v5Data,
 		legendMap,
 		aggregationPerQuery,
-		clickhouseQueryNames,
 	);

 	// Create legacy-compatible response structure
--- a/frontend/src/constants/features.ts
+++ b/frontend/src/constants/features.ts
@@ -12,5 +12,4 @@ export enum FeatureKeys {
 	USE_JSON_BODY = 'use_json_body',
 	USE_FINE_GRAINED_AUTHZ = 'use_fine_grained_authz',
 	USE_DASHBOARD_V2 = 'use_dashboard_v2',
-	EMABLE_AI_OBSERVABILITY = 'enable_ai_observability',
 }
--- a/frontend/src/container/RolesSettings/RolesComponents/CreateRoleModal.tsx
+++ b/frontend/src/container/RolesSettings/RolesComponents/CreateRoleModal.tsx
@@ -116,8 +116,7 @@ function CreateRoleModal({
 			} else {
 				const data: AuthtypesPostableRoleDTO = {
 					name: values.name,
-					description: values.description || '',
-					transactionGroups: [],
+					...(values.description ? { description: values.description } : {}),
 				};
 				createRole({ data });
 			}
--- a/frontend/src/pages/DashboardPageV2/DashboardContainer/queryV5/tests/prepareScalarTables.test.ts
+++ b/frontend/src/pages/DashboardPageV2/DashboardContainer/queryV5/tests/prepareScalarTables.test.ts
@@ -5,7 +5,6 @@ import type {

 import {
 	extractAggregationsPerQuery,
-	extractClickhouseQueryNames,
 	prepareScalarTables,
 } from '../prepareScalarTables';

@@ -57,24 +56,6 @@ describe('extractAggregationsPerQuery', () => {
 	});
 });

-describe('extractClickhouseQueryNames', () => {
-	it('collects names of clickhouse_sql queries, ignoring other envelope types', () => {
-		const request = requestWith([
-			{ type: 'clickhouse_sql', spec: { name: 'A', query: 'SELECT 1' } },
-			{
-				type: 'builder_query',
-				spec: { name: 'B', aggregations: [{ expression: 'count()' }] },
-			},
-			{ type: 'promql', spec: { name: 'P', query: 'up' } },
-		]);
-		expect(extractClickhouseQueryNames(request)).toStrictEqual(new Set(['A']));
-	});
-
-	it('returns an empty set for an undefined payload', () => {
-		expect(extractClickhouseQueryNames(undefined)).toStrictEqual(new Set());
-	});
-});
-
 describe('prepareScalarTables', () => {
 	it('builds keyed rows with group + aggregation columns (V1 getColName/getColId parity)', () => {
 		const [table] = prepareScalarTables({
@@ -213,115 +194,18 @@ describe('prepareScalarTables', () => {
 		expect(tables.map((t) => t.queryName)).toStrictEqual(['A', 'B']);
 	});

-	it('clickhouse_sql single value column uses the SQL alias over the legend', () => {
+	it('queries without aggregation metadata fall back to legend || queryName', () => {
 		const [table] = prepareScalarTables({
 			results: [
-				scalarResult(
-					[
-						{
-							name: 'current_availability',
-							queryName: 'A',
-							columnType: 'aggregation',
-						},
-					],
-					[],
-				),
-			],
-			legendMap: { A: 'Legend' },
-			requestPayload: requestWith([
-				{ type: 'clickhouse_sql', spec: { name: 'A', query: 'SELECT ...' } },
-			]),
-		});
-		// The query is clickhouse_sql, so the response column's real SQL alias is
-		// used for both header and key (a single legend can't be the column name).
-		expect(table.columns[0].name).toBe('current_availability');
-		expect(table.columns[0].id).toBe('current_availability');
-	});
-
-	it('non-clickhouse query without aggregation metadata falls back to legend || queryName', () => {
-		const [table] = prepareScalarTables({
-			results: [
-				// Formulas/promql carry placeholder names and are not clickhouse_sql,
-				// so they must not adopt the response column name.
 				scalarResult(
 					[{ name: '__result_0', queryName: 'A', columnType: 'aggregation' }],
 					[],
 				),
 			],
 			legendMap: { A: 'Legend' },
-			requestPayload: requestWith([
-				{ type: 'promql', spec: { name: 'A', query: 'up' } },
-			]),
+			requestPayload: requestWith([]),
 		});
 		expect(table.columns[0].name).toBe('Legend');
 		expect(table.columns[0].id).toBe('A');
 	});
-
-	it('clickhouse_sql query keeps each value column distinct (regression: all-"A" collapse)', () => {
-		const [table] = prepareScalarTables({
-			results: [
-				scalarResult(
-					[
-						{ name: 'service.name', queryName: 'A', columnType: 'group' },
-						{
-							name: 'current_availability',
-							queryName: 'A',
-							columnType: 'aggregation',
-							aggregationIndex: 0,
-						},
-						{
-							name: 'error_budget_remaining',
-							queryName: 'A',
-							columnType: 'aggregation',
-							aggregationIndex: 1,
-						},
-						{ name: 'budget_status', queryName: 'A', columnType: 'group' },
-						{
-							name: 'total_requests',
-							queryName: 'A',
-							columnType: 'aggregation',
-							aggregationIndex: 4,
-						},
-					],
-					[['kuja-api_gateway-service', 99.985, 0.985, 'Healthy ✅', 2181216]],
-				),
-			],
-			legendMap: { A: '' },
-			// A clickhouse_sql envelope contributes no aggregation metadata.
-			requestPayload: requestWith([
-				{
-					type: 'clickhouse_sql',
-					spec: { name: 'A', query: 'SELECT ...' },
-				},
-			]),
-		});
-
-		// Headers keep their real names instead of collapsing to "A".
-		expect(table.columns.map((col) => col.name)).toStrictEqual([
-			'service.name',
-			'current_availability',
-			'error_budget_remaining',
-			'budget_status',
-			'total_requests',
-		]);
-		// Ids are unique, so value columns don't overwrite each other in the row.
-		expect(table.columns.map((col) => col.id)).toStrictEqual([
-			'service.name',
-			'current_availability',
-			'error_budget_remaining',
-			'budget_status',
-			'total_requests',
-		]);
-		expect(table.rows).toStrictEqual([
-			{
-				data: {
-					'service.name': 'kuja-api_gateway-service',
-					current_availability: 99.985,
-					error_budget_remaining: 0.985,
-					budget_status: 'Healthy ✅',
-					total_requests: 2181216,
-				},
-			},
-		]);
-	});
 });
--- a/frontend/src/pages/DashboardPageV2/DashboardContainer/queryV5/prepareScalarTables.ts
+++ b/frontend/src/pages/DashboardPageV2/DashboardContainer/queryV5/prepareScalarTables.ts
@@ -1,6 +1,5 @@
 import type {
 	Querybuildertypesv5ColumnDescriptorDTO,
-	Querybuildertypesv5QueryEnvelopeClickHouseSQLDTO,
 	Querybuildertypesv5QueryRangeRequestDTO,
 	Querybuildertypesv5ScalarDataDTO,
 } from 'api/generated/services/sigNoz.schemas';
@@ -45,43 +44,16 @@ export function extractAggregationsPerQuery(
 	return perQuery;
 }

-/**
- * Names of the request's clickhouse_sql queries. These have no aggregation
- * metadata, but their value columns carry the user's real SQL alias in the
- * response `col.name` — so columns of these queries are named/keyed by that
- * alias rather than collapsing onto the query name. Builder/formula/promql use
- * placeholder names (`__result`/`__result_N`) and are excluded here.
- */
-export function extractClickhouseQueryNames(
-	requestPayload: Querybuildertypesv5QueryRangeRequestDTO | undefined,
-): Set<string> {
-	const names = new Set<string>();
-	(requestPayload?.compositeQuery?.queries ?? []).forEach((envelope) => {
-		if (envelope.type !== Querybuildertypesv5QueryTypeDTO.clickhouse_sql) {
-			return;
-		}
-		const spec = (envelope as Querybuildertypesv5QueryEnvelopeClickHouseSQLDTO)
-			.spec;
-		if (spec?.name) {
-			names.add(spec.name);
-		}
-	});
-	return names;
-}
-
 /**
 * Column display name. Group columns keep their field name; aggregation
 * columns resolve alias > legend > expression > queryName — with the legend
 * skipped when the query has multiple aggregations, because one legend can't
- * label several value columns. clickhouse_sql columns have no aggregation
- * metadata, so their value columns are named by the real SQL alias the
- * response carries in `col.name`. (Port of V1 `getColName`.)
+ * label several value columns. (Port of V1 `getColName`.)
 */
 function getColName(
 	col: Querybuildertypesv5ColumnDescriptorDTO,
 	legendMap: Record<string, string>,
 	aggregationsPerQuery: AggregationsPerQuery,
-	clickhouseQueryNames: Set<string>,
 ): string {
 	if (col.columnType === 'group') {
 		return col.name;
@@ -102,13 +74,6 @@ function getColName(
 		return alias || expression || queryName;
 	}

-	// clickhouse_sql value columns carry their real SQL alias in col.name — use
-	// it so each value column keeps its own header instead of collapsing onto
-	// the query name. Formulas/promql use placeholder names, so they fall back
-	// to legend || queryName.
-	if (clickhouseQueryNames.has(queryName)) {
-		return col.name;
-	}
 	return legend || queryName;
 }

@@ -120,23 +85,15 @@ function getColName(
 function getColId(
 	col: Querybuildertypesv5ColumnDescriptorDTO,
 	aggregationsPerQuery: AggregationsPerQuery,
-	clickhouseQueryNames: Set<string>,
 ): string {
 	if (col.columnType === 'group') {
 		return col.name;
 	}

 	const queryName = col.queryName ?? '';
-
-	// clickhouse_sql value columns are keyed by their real SQL alias so multiple
-	// value columns stay unique instead of all collapsing onto the query name
-	// (which would overwrite every cell in the row with the last column's value).
-	if (clickhouseQueryNames.has(queryName)) {
-		return col.name;
-	}
-
 	const aggregations = aggregationsPerQuery[queryName];
 	const expression = aggregations?.[col.aggregationIndex ?? 0]?.expression || '';
+
 	if ((aggregations?.length || 0) > 1 && expression) {
 		return `${queryName}.${expression}`;
 	}
@@ -162,7 +119,6 @@ export function prepareScalarTables({
 	requestPayload,
 }: PrepareScalarTablesArgs): PanelTable[] {
 	const aggregationsPerQuery = extractAggregationsPerQuery(requestPayload);
-	const clickhouseQueryNames = extractClickhouseQueryNames(requestPayload);

 	return results.map((scalarData) => {
 		if (!scalarData) {
@@ -176,10 +132,10 @@ export function prepareScalarTables({
 		const queryName = scalarData.columns?.[0]?.queryName ?? '';

 		const columns: PanelTableColumn[] = (scalarData.columns ?? []).map((col) => ({
-			name: getColName(col, legendMap, aggregationsPerQuery, clickhouseQueryNames),
+			name: getColName(col, legendMap, aggregationsPerQuery),
 			queryName: col.queryName ?? '',
 			isValueColumn: col.columnType === 'aggregation',
-			id: getColId(col, aggregationsPerQuery, clickhouseQueryNames),
+			id: getColId(col, aggregationsPerQuery),
 		}));

 		const rows = (scalarData.data ?? []).map((dataRow) => {
--- a/pkg/apiserver/signozapiserver/role.go
+++ b/pkg/apiserver/signozapiserver/role.go
@@ -73,7 +73,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 			Description:         "This endpoint gets a role",
 			Request:             nil,
 			RequestContentType:  "",
-			Response:            new(authtypes.RoleWithTransactionGroups),
+			Response:            new(authtypes.Role),
 			ResponseContentType: "application/json",
 			SuccessStatusCode:   http.StatusOK,
 			ErrorStatusCodes:    []int{},
@@ -91,60 +91,6 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}

-	if err := router.Handle("/api/v1/roles/{id}", handler.New(
-		provider.authzMiddleware.CheckResources(provider.authzHandler.Update, authtypes.SigNozAdminRoleName),
-		handler.OpenAPIDef{
-			ID:                  "UpdateRole",
-			Tags:                []string{"role"},
-			Summary:             "Update role",
-			Description:         "This endpoint updates a role",
-			Request:             new(authtypes.UpdatableRole),
-			RequestContentType:  "",
-			Response:            nil,
-			ResponseContentType: "application/json",
-			SuccessStatusCode:   http.StatusNoContent,
-			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-			Deprecated:          false,
-			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
-		},
-		handler.WithResourceDefs(handler.BasicResourceDef{
-			Resource: coretypes.ResourceRole,
-			Verb:     coretypes.VerbUpdate,
-			Category: coretypes.ActionCategoryAccessControl,
-			ID:       coretypes.PathParam("id"),
-			Selector: provider.roleSelector,
-		}),
-	)).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(
-		provider.authzMiddleware.CheckResources(provider.authzHandler.Delete, authtypes.SigNozAdminRoleName),
-		handler.OpenAPIDef{
-			ID:                  "DeleteRole",
-			Tags:                []string{"role"},
-			Summary:             "Delete role",
-			Description:         "This endpoint deletes a role",
-			Request:             nil,
-			RequestContentType:  "",
-			Response:            nil,
-			ResponseContentType: "application/json",
-			SuccessStatusCode:   http.StatusNoContent,
-			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-			Deprecated:          false,
-			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),
-		},
-		handler.WithResourceDefs(handler.BasicResourceDef{
-			Resource: coretypes.ResourceRole,
-			Verb:     coretypes.VerbDelete,
-			Category: coretypes.ActionCategoryAccessControl,
-			ID:       coretypes.PathParam("id"),
-			Selector: provider.roleSelector,
-		}),
-	)).Methods(http.MethodDelete).GetError(); err != nil {
-		return err
-	}
-
 	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(
 		provider.authzMiddleware.CheckResources(provider.authzHandler.GetObjects, authtypes.SigNozAdminRoleName),
 		handler.OpenAPIDef{
@@ -185,7 +131,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 			ResponseContentType: "application/json",
 			SuccessStatusCode:   http.StatusNoContent,
 			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-			Deprecated:          true,
+			Deprecated:          false,
 			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
 		},
 		handler.WithResourceDefs(handler.BasicResourceDef{
@@ -212,7 +158,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 			ResponseContentType: "application/json",
 			SuccessStatusCode:   http.StatusNoContent,
 			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-			Deprecated:          true,
+			Deprecated:          false,
 			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
 		},
 		handler.WithResourceDefs(handler.BasicResourceDef{
@@ -226,5 +172,32 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}

+	if err := router.Handle("/api/v1/roles/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Delete, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "DeleteRole",
+			Tags:                []string{"role"},
+			Summary:             "Delete role",
+			Description:         "This endpoint deletes a role",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbDelete,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
 	return nil
 }
--- a/pkg/authz/authz.go
+++ b/pkg/authz/authz.go
@@ -33,8 +33,8 @@ type AuthZ interface {
 	// Lists the selectors for objects assigned to subject (s) with relation (r) on resource (s)
 	ListObjects(context.Context, string, authtypes.Relation, coretypes.Type) ([]*coretypes.Object, error)

-	// Creates the role with its transaction groups.
-	Create(context.Context, valuer.UUID, *authtypes.RoleWithTransactionGroups) error
+	// Creates the role.
+	Create(context.Context, valuer.UUID, *authtypes.Role) error

 	// Gets the role if it exists or creates one.
 	GetOrCreate(context.Context, valuer.UUID, *authtypes.Role) (*authtypes.Role, error)
@@ -48,18 +48,12 @@ type AuthZ interface {
 	// Patches the objects in authorization server associated with the given role and relation
 	PatchObjects(context.Context, valuer.UUID, string, authtypes.Relation, []*coretypes.Object, []*coretypes.Object) error

-	// Updates the role's metadata and reconciles its transaction groups.
-	Update(context.Context, valuer.UUID, *authtypes.RoleWithTransactionGroups) error
-
 	// Deletes the role and tuples in authorization server.
 	Delete(context.Context, valuer.UUID, valuer.UUID) error

 	// Gets the role
 	Get(context.Context, valuer.UUID, valuer.UUID) (*authtypes.Role, error)

-	// Gets the role with transaction groups
-	GetWithTransactionGroups(context.Context, valuer.UUID, valuer.UUID) (*authtypes.RoleWithTransactionGroups, error)
-
 	// Gets the role by org_id and name
 	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*authtypes.Role, error)

@@ -107,8 +101,6 @@ type Handler interface {

 	PatchObjects(http.ResponseWriter, *http.Request)

-	Update(http.ResponseWriter, *http.Request)
-
 	Check(http.ResponseWriter, *http.Request)

 	Delete(http.ResponseWriter, *http.Request)
--- a/pkg/authz/openfgaauthz/provider.go
+++ b/pkg/authz/openfgaauthz/provider.go
@@ -83,10 +83,6 @@ func (provider *provider) Get(ctx context.Context, orgID valuer.UUID, id valuer.
 	return provider.store.Get(ctx, orgID, id)
 }

-func (provider *provider) GetWithTransactionGroups(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.RoleWithTransactionGroups, error) {
-	return nil, errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
 func (provider *provider) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*authtypes.Role, error) {
 	return provider.store.GetByOrgIDAndName(ctx, orgID, name)
 }
@@ -172,7 +168,7 @@ func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context,
 	return provider.Grant(ctx, orgID, []string{authtypes.SigNozAdminRoleName}, authtypes.MustNewSubject(coretypes.NewResourceUser(), userID.String(), orgID, nil))
 }

-func (setter *provider) Create(_ context.Context, _ valuer.UUID, _ *authtypes.RoleWithTransactionGroups) error {
+func (setter *provider) Create(_ context.Context, _ valuer.UUID, _ *authtypes.Role) error {
 	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }

@@ -184,10 +180,6 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 	return nil, errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }

-func (provider *provider) Update(_ context.Context, _ valuer.UUID, _ *authtypes.RoleWithTransactionGroups) error {
-	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
 func (provider *provider) Patch(_ context.Context, _ valuer.UUID, _ *authtypes.Role) error {
 	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
--- a/pkg/authz/openfgaserver/server.go
+++ b/pkg/authz/openfgaserver/server.go
@@ -212,30 +212,6 @@ func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, o
 }

 func (server *Server) Write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {
-	maxTuplesPerWrite := server.config.OpenFGA.MaxTuplesPerWrite
-
-	if len(additions)+len(deletions) <= maxTuplesPerWrite {
-		return server.write(ctx, additions, deletions)
-	}
-
-	for idx := 0; idx < len(additions); idx += maxTuplesPerWrite {
-		end := min(idx+maxTuplesPerWrite, len(additions))
-		if err := server.write(ctx, additions[idx:end], nil); err != nil {
-			return err
-		}
-	}
-
-	for idx := 0; idx < len(deletions); idx += maxTuplesPerWrite {
-		end := min(idx+maxTuplesPerWrite, len(deletions))
-		if err := server.write(ctx, nil, deletions[idx:end]); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (server *Server) write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {
 	if len(additions) == 0 && len(deletions) == 0 {
 		return nil
 	}
--- a/pkg/authz/signozauthzapi/handler.go
+++ b/pkg/authz/signozauthzapi/handler.go
@@ -36,14 +36,14 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	roleWithTransactionGroups := authtypes.NewRoleWithTransactionGroups(req.Name, req.Description, authtypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID), req.TransactionGroups)
-	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), roleWithTransactionGroups)
+	role := authtypes.NewRole(req.Name, req.Description, authtypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID))
+	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), role)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}

-	render.Success(rw, http.StatusCreated, types.Identifiable{ID: roleWithTransactionGroups.ID})
+	render.Success(rw, http.StatusCreated, types.Identifiable{ID: role.ID})
 }

 func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
@@ -65,13 +65,13 @@ func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	roleWithTransactionGroups, err := handler.authz.GetWithTransactionGroups(ctx, valuer.MustNewUUID(claims.OrgID), roleID)
+	role, err := handler.authz.Get(ctx, valuer.MustNewUUID(claims.OrgID), roleID)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}

-	render.Success(rw, http.StatusOK, roleWithTransactionGroups)
+	render.Success(rw, http.StatusOK, role)
 }

 func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
@@ -224,48 +224,6 @@ func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusNoContent, nil)
 }

-func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(authtypes.UpdatableRole)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	role, err := handler.authz.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	roleWithTransactionGroups := authtypes.MakeRoleWithTransactionGroups(role, nil)
-	err = roleWithTransactionGroups.Update(req.Description, req.TransactionGroups)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.authz.Update(ctx, valuer.MustNewUUID(claims.OrgID), roleWithTransactionGroups)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
 func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	claims, err := authtypes.ClaimsFromContext(ctx)
--- a/pkg/flagger/registry.go
+++ b/pkg/flagger/registry.go
@@ -3,16 +3,15 @@ package flagger
 import "github.com/SigNoz/signoz/pkg/types/featuretypes"

 var (
-	FeatureUseSpanMetrics        = featuretypes.MustNewName("use_span_metrics")
-	FeatureKafkaSpanEval         = featuretypes.MustNewName("kafka_span_eval")
-	FeatureHideRootUser          = featuretypes.MustNewName("hide_root_user")
-	FeatureGetMetersFromZeus     = featuretypes.MustNewName("get_meters_from_zeus")
-	FeaturePutMetersInZeus       = featuretypes.MustNewName("put_meters_in_zeus")
-	FeatureUseMeterReporter      = featuretypes.MustNewName("use_meter_reporter")
-	FeatureUseJSONBody           = featuretypes.MustNewName("use_json_body")
-	FeatureUseFineGrainedAuthz   = featuretypes.MustNewName("use_fine_grained_authz")
-	FeatureUseDashboardV2        = featuretypes.MustNewName("use_dashboard_v2")
-	FeatureEnableAIObservability = featuretypes.MustNewName("enable_ai_observability")
+	FeatureUseSpanMetrics      = featuretypes.MustNewName("use_span_metrics")
+	FeatureKafkaSpanEval       = featuretypes.MustNewName("kafka_span_eval")
+	FeatureHideRootUser        = featuretypes.MustNewName("hide_root_user")
+	FeatureGetMetersFromZeus   = featuretypes.MustNewName("get_meters_from_zeus")
+	FeaturePutMetersInZeus     = featuretypes.MustNewName("put_meters_in_zeus")
+	FeatureUseMeterReporter    = featuretypes.MustNewName("use_meter_reporter")
+	FeatureUseJSONBody         = featuretypes.MustNewName("use_json_body")
+	FeatureUseFineGrainedAuthz = featuretypes.MustNewName("use_fine_grained_authz")
+	FeatureUseDashboardV2      = featuretypes.MustNewName("use_dashboard_v2")
 )

 func MustNewRegistry() featuretypes.Registry {
@@ -89,14 +88,6 @@ func MustNewRegistry() featuretypes.Registry {
 			DefaultVariant: featuretypes.MustNewName("disabled"),
 			Variants:       featuretypes.NewBooleanVariants(),
 		},
-		&featuretypes.Feature{
-			Name:           FeatureEnableAIObservability,
-			Kind:           featuretypes.KindBoolean,
-			Stage:          featuretypes.StageExperimental,
-			Description:    "Controls whether ai observability is enabled",
-			DefaultVariant: featuretypes.MustNewName("disabled"),
-			Variants:       featuretypes.NewBooleanVariants(),
-		},
 	)
 	if err != nil {
 		panic(err)
--- a/pkg/modules/llmpricingrule/impllmpricingrule/handler.go
+++ b/pkg/modules/llmpricingrule/impllmpricingrule/handler.go
@@ -54,7 +54,7 @@ func (h *handler) List(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	rules, total, err := h.module.List(ctx, orgID, q.Offset, q.Limit, q.Search, q.IsOverride)
+	rules, total, err := h.module.List(ctx, orgID, q.Offset, q.Limit)
 	if err != nil {
 		render.Error(rw, err)
 		return
--- a/pkg/modules/llmpricingrule/impllmpricingrule/module.go
+++ b/pkg/modules/llmpricingrule/impllmpricingrule/module.go
@@ -21,8 +21,8 @@ func NewModule(store llmpricingruletypes.Store) llmpricingrule.Module {
 	return &module{store: store}
 }

-func (module *module) List(ctx context.Context, orgID valuer.UUID, offset, limit int, search string, isOverride *bool) ([]*llmpricingruletypes.LLMPricingRule, int, error) {
-	return module.store.List(ctx, orgID, offset, limit, search, isOverride)
+func (module *module) List(ctx context.Context, orgID valuer.UUID, offset, limit int) ([]*llmpricingruletypes.LLMPricingRule, int, error) {
+	return module.store.List(ctx, orgID, offset, limit)
 }

 func (module *module) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*llmpricingruletypes.LLMPricingRule, error) {
@@ -108,7 +108,7 @@ func (module *module) RecommendAgentConfig(orgID valuer.UUID, currentConfYaml []
 }

 func (module *module) getEnabledRules(ctx context.Context, orgID valuer.UUID) ([]*llmpricingruletypes.LLMPricingRule, error) {
-	rules, _, err := module.List(ctx, orgID, 0, 10000, "", nil)
+	rules, _, err := module.List(ctx, orgID, 0, 10000)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/modules/llmpricingrule/impllmpricingrule/store.go
+++ b/pkg/modules/llmpricingrule/impllmpricingrule/store.go
@@ -17,25 +17,14 @@ func NewStore(sqlstore sqlstore.SQLStore) llmpricingruletypes.Store {
 	return &store{sqlstore: sqlstore}
 }

-func (store *store) List(ctx context.Context, orgID valuer.UUID, offset, limit int, search string, isOverride *bool) ([]*llmpricingruletypes.LLMPricingRule, int, error) {
+func (store *store) List(ctx context.Context, orgID valuer.UUID, offset, limit int) ([]*llmpricingruletypes.LLMPricingRule, int, error) {
 	rules := make([]*llmpricingruletypes.LLMPricingRule, 0)

-	query := store.sqlstore.
+	count, err := store.sqlstore.
 		BunDBCtx(ctx).
 		NewSelect().
 		Model(&rules).
-		Where("org_id = ?", orgID)
-
-	if search != "" {
-		like := "%" + search + "%"
-		query = query.Where("(LOWER(model) LIKE LOWER(?) OR LOWER(provider) LIKE LOWER(?))", like, like)
-	}
-
-	if isOverride != nil {
-		query = query.Where("is_override = ?", *isOverride)
-	}
-
-	count, err := query.
+		Where("org_id = ?", orgID).
 		Order("created_at DESC").
 		Offset(offset).
 		Limit(limit).
--- a/pkg/modules/llmpricingrule/llmpricingrule.go
+++ b/pkg/modules/llmpricingrule/llmpricingrule.go
@@ -13,7 +13,7 @@ type Module interface {
 	// Since this module interacts with OpAMP, it must implement the AgentFeature interface.
 	agentConf.AgentFeature

-	List(ctx context.Context, orgID valuer.UUID, offset, limit int, search string, isOverride *bool) ([]*llmpricingruletypes.LLMPricingRule, int, error)
+	List(ctx context.Context, orgID valuer.UUID, offset, limit int) ([]*llmpricingruletypes.LLMPricingRule, int, error)
 	Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*llmpricingruletypes.LLMPricingRule, error)
 	CreateOrUpdate(ctx context.Context, orgID valuer.UUID, userEmail string, rules []*llmpricingruletypes.UpdatableLLMPricingRule) (err error)
 	Delete(ctx context.Context, orgID, id valuer.UUID) error
--- a/pkg/querier/builder_query.go
+++ b/pkg/querier/builder_query.go
@@ -31,10 +31,16 @@ type builderQuery[T any] struct {
 	fromMS uint64
 	toMS   uint64
 	kind   qbtypes.RequestType
+
+	builderConfig builderConfig
 }

 var _ qbtypes.Query = (*builderQuery[any])(nil)

+type builderConfig struct {
+	logTraceIDWindowPaddingMS uint64
+}
+
 func newBuilderQuery[T any](
 	logger *slog.Logger,
 	telemetryStore telemetrystore.TelemetryStore,
@@ -43,6 +49,7 @@ func newBuilderQuery[T any](
 	tr qbtypes.TimeRange,
 	kind qbtypes.RequestType,
 	variables map[string]qbtypes.VariableItem,
+	cfg builderConfig,
 ) *builderQuery[T] {
 	return &builderQuery[T]{
 		logger:         logger,
@@ -53,6 +60,7 @@ func newBuilderQuery[T any](
 		fromMS:         tr.From,
 		toMS:           tr.To,
 		kind:           kind,
+		builderConfig:  cfg,
 	}
 }

@@ -277,9 +285,20 @@ func (q *builderQuery[T]) narrowWindowByTraceID(ctx context.Context, fromMS, toM
 		return fromMS, toMS, true, ""
 	}

+	// Logs can be flushed slightly after the span ends. The trace
+	// time range comes from the spans table, so for logs we widen it by the
+	// configured padding before clamping. Keep the actual recorded bounds for
+	// the user-facing warning so it reports where the trace truly lies, not the
+	// padded range.
+	actualStartMS, actualEndMS := traceStartMS, traceEndMS
+	if q.spec.Signal == telemetrytypes.SignalLogs {
+		traceStartMS -= q.builderConfig.logTraceIDWindowPaddingMS
+		traceEndMS += q.builderConfig.logTraceIDWindowPaddingMS
+	}
+
 	if traceStartMS > toMS || traceEndMS < fromMS {
-		traceStartUTC := time.UnixMilli(int64(traceStartMS)).UTC().Format(time.RFC3339)
-		traceEndUTC := time.UnixMilli(int64(traceEndMS)).UTC().Format(time.RFC3339)
+		traceStartUTC := time.UnixMilli(int64(actualStartMS)).UTC().Format(time.RFC3339)
+		traceEndUTC := time.UnixMilli(int64(actualEndMS)).UTC().Format(time.RFC3339)
 		return fromMS, toMS, false, fmt.Sprintf(traceOutsideRangeWarn, q.spec.Name, traceStartUTC, traceEndUTC)
 	}
 	if traceStartMS > fromMS {
--- a/pkg/querier/config.go
+++ b/pkg/querier/config.go
@@ -23,6 +23,8 @@ type Config struct {
 	MaxConcurrentQueries int `yaml:"max_concurrent_queries" mapstructure:"max_concurrent_queries"`
 	// SkipResourceFingerprint configures when the resource fingerprint subquery is skipped in favor of main-table filtering.
 	SkipResourceFingerprint SkipResourceFingerprint `yaml:"skip_resource_fingerprint" mapstructure:"skip_resource_fingerprint"`
+	// LogTraceIDWindowPadding is the padding added to narrowed down timerange from trace summary to logs with trace_id filter.
+	LogTraceIDWindowPadding time.Duration `yaml:"log_trace_id_window_padding" mapstructure:"log_trace_id_window_padding"`
 }

 // NewConfigFactory creates a new config factory for querier.
@@ -40,6 +42,7 @@ func newConfig() factory.Config {
 			Enabled:   false,
 			Threshold: 100000,
 		},
+		LogTraceIDWindowPadding: 5 * time.Minute,
 	}
 }

@@ -57,6 +60,9 @@ func (c Config) Validate() error {
 	if c.SkipResourceFingerprint.Enabled && c.SkipResourceFingerprint.Threshold == 0 {
 		return errors.NewInvalidInputf(errors.CodeInvalidInput, "skip_resource_fingerprint.threshold must be > 0 when enabled")
 	}
+	if c.LogTraceIDWindowPadding < 0 {
+		return errors.NewInvalidInputf(errors.CodeInvalidInput, "log_trace_id_window_padding must not be negative, got %v", c.LogTraceIDWindowPadding)
+	}
 	return nil
 }

--- a/pkg/querier/querier.go
+++ b/pkg/querier/querier.go
@@ -35,19 +35,20 @@ var (
 )

 type querier struct {
-	logger                   *slog.Logger
-	fl                       flagger.Flagger
-	telemetryStore           telemetrystore.TelemetryStore
-	metadataStore            telemetrytypes.MetadataStore
-	promEngine               prometheus.Prometheus
-	traceStmtBuilder         qbtypes.StatementBuilder[qbtypes.TraceAggregation]
-	logStmtBuilder           qbtypes.StatementBuilder[qbtypes.LogAggregation]
-	auditStmtBuilder         qbtypes.StatementBuilder[qbtypes.LogAggregation]
-	metricStmtBuilder        qbtypes.StatementBuilder[qbtypes.MetricAggregation]
-	meterStmtBuilder         qbtypes.StatementBuilder[qbtypes.MetricAggregation]
-	traceOperatorStmtBuilder qbtypes.TraceOperatorStatementBuilder
-	bucketCache              BucketCache
-	liveDataRefresh          time.Duration
+	logger                    *slog.Logger
+	fl                        flagger.Flagger
+	telemetryStore            telemetrystore.TelemetryStore
+	metadataStore             telemetrytypes.MetadataStore
+	promEngine                prometheus.Prometheus
+	traceStmtBuilder          qbtypes.StatementBuilder[qbtypes.TraceAggregation]
+	logStmtBuilder            qbtypes.StatementBuilder[qbtypes.LogAggregation]
+	auditStmtBuilder          qbtypes.StatementBuilder[qbtypes.LogAggregation]
+	metricStmtBuilder         qbtypes.StatementBuilder[qbtypes.MetricAggregation]
+	meterStmtBuilder          qbtypes.StatementBuilder[qbtypes.MetricAggregation]
+	traceOperatorStmtBuilder  qbtypes.TraceOperatorStatementBuilder
+	bucketCache               BucketCache
+	liveDataRefresh           time.Duration
+	builderConfig             builderConfig
 }

 var _ Querier = (*querier)(nil)
@@ -65,22 +66,26 @@ func New(
 	traceOperatorStmtBuilder qbtypes.TraceOperatorStatementBuilder,
 	bucketCache BucketCache,
 	flagger flagger.Flagger,
+	logTraceIDWindowPadding time.Duration,
 ) *querier {
 	querierSettings := factory.NewScopedProviderSettings(settings, "github.com/SigNoz/signoz/pkg/querier")
 	return &querier{
-		logger:                   querierSettings.Logger(),
-		fl:                       flagger,
-		telemetryStore:           telemetryStore,
-		metadataStore:            metadataStore,
-		promEngine:               promEngine,
-		traceStmtBuilder:         traceStmtBuilder,
-		logStmtBuilder:           logStmtBuilder,
-		auditStmtBuilder:         auditStmtBuilder,
-		metricStmtBuilder:        metricStmtBuilder,
-		meterStmtBuilder:         meterStmtBuilder,
-		traceOperatorStmtBuilder: traceOperatorStmtBuilder,
-		bucketCache:              bucketCache,
-		liveDataRefresh:          5 * time.Second,
+		logger:                    querierSettings.Logger(),
+		fl:                        flagger,
+		telemetryStore:            telemetryStore,
+		metadataStore:             metadataStore,
+		promEngine:                promEngine,
+		traceStmtBuilder:          traceStmtBuilder,
+		logStmtBuilder:            logStmtBuilder,
+		auditStmtBuilder:          auditStmtBuilder,
+		metricStmtBuilder:         metricStmtBuilder,
+		meterStmtBuilder:          meterStmtBuilder,
+		traceOperatorStmtBuilder:  traceOperatorStmtBuilder,
+		bucketCache:               bucketCache,
+		liveDataRefresh:           5 * time.Second,
+		builderConfig: builderConfig{
+			logTraceIDWindowPaddingMS: uint64(logTraceIDWindowPadding.Milliseconds()),
+		},
 	}
 }

@@ -173,7 +178,7 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 			case qbtypes.QueryBuilderQuery[qbtypes.TraceAggregation]:
 				spec.ShiftBy = extractShiftFromBuilderQuery(spec)
 				timeRange := adjustTimeRangeForShift(spec, qbtypes.TimeRange{From: req.Start, To: req.End}, req.RequestType)
-				bq := newBuilderQuery(q.logger, q.telemetryStore, q.traceStmtBuilder, spec, timeRange, req.RequestType, tmplVars)
+				bq := newBuilderQuery(q.logger, q.telemetryStore, q.traceStmtBuilder, spec, timeRange, req.RequestType, tmplVars, builderConfig{})
 				queries[spec.Name] = bq
 				steps[spec.Name] = spec.StepInterval
 			case qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]:
@@ -183,7 +188,7 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 				if spec.Source == telemetrytypes.SourceAudit {
 					stmtBuilder = q.auditStmtBuilder
 				}
-				bq := newBuilderQuery(q.logger, q.telemetryStore, stmtBuilder, spec, timeRange, req.RequestType, tmplVars)
+				bq := newBuilderQuery(q.logger, q.telemetryStore, stmtBuilder, spec, timeRange, req.RequestType, tmplVars, q.builderConfig)
 				queries[spec.Name] = bq
 				steps[spec.Name] = spec.StepInterval
 			case qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation]:
@@ -200,9 +205,9 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype

 				if spec.Source == telemetrytypes.SourceMeter {
 					event.Source = telemetrytypes.SourceMeter.StringValue()
-					bq = newBuilderQuery(q.logger, q.telemetryStore, q.meterStmtBuilder, spec, timeRange, req.RequestType, tmplVars)
+					bq = newBuilderQuery(q.logger, q.telemetryStore, q.meterStmtBuilder, spec, timeRange, req.RequestType, tmplVars, builderConfig{})
 				} else {
-					bq = newBuilderQuery(q.logger, q.telemetryStore, q.metricStmtBuilder, spec, timeRange, req.RequestType, tmplVars)
+					bq = newBuilderQuery(q.logger, q.telemetryStore, q.metricStmtBuilder, spec, timeRange, req.RequestType, tmplVars, builderConfig{})
 				}

 				queries[spec.Name] = bq
@@ -508,7 +513,7 @@ func (q *querier) QueryRawStream(ctx context.Context, orgID valuer.UUID, req *qb
 				"id": {
 					Value: updatedLogID,
 				},
-			})
+			}, q.builderConfig)
 			queries[spec.Name] = bq

 			qbResp, qbErr := q.run(ctx, orgID, queries, req, nil, event, nil)
@@ -804,7 +809,7 @@ func (q *querier) createRangedQuery(originalQuery qbtypes.Query, timeRange qbtyp
 		specCopy := qt.spec.Copy()
 		specCopy.ShiftBy = extractShiftFromBuilderQuery(specCopy)
 		adjustedTimeRange := adjustTimeRangeForShift(specCopy, timeRange, qt.kind)
-		return newBuilderQuery(q.logger, q.telemetryStore, q.traceStmtBuilder, specCopy, adjustedTimeRange, qt.kind, qt.variables)
+		return newBuilderQuery(q.logger, q.telemetryStore, q.traceStmtBuilder, specCopy, adjustedTimeRange, qt.kind, qt.variables, builderConfig{})

 	case *builderQuery[qbtypes.LogAggregation]:
 		specCopy := qt.spec.Copy()
@@ -814,16 +819,16 @@ func (q *querier) createRangedQuery(originalQuery qbtypes.Query, timeRange qbtyp
 		if qt.spec.Source == telemetrytypes.SourceAudit {
 			shiftStmtBuilder = q.auditStmtBuilder
 		}
-		return newBuilderQuery(q.logger, q.telemetryStore, shiftStmtBuilder, specCopy, adjustedTimeRange, qt.kind, qt.variables)
+		return newBuilderQuery(q.logger, q.telemetryStore, shiftStmtBuilder, specCopy, adjustedTimeRange, qt.kind, qt.variables, q.builderConfig)

 	case *builderQuery[qbtypes.MetricAggregation]:
 		specCopy := qt.spec.Copy()
 		specCopy.ShiftBy = extractShiftFromBuilderQuery(specCopy)
 		adjustedTimeRange := adjustTimeRangeForShift(specCopy, timeRange, qt.kind)
 		if qt.spec.Source == telemetrytypes.SourceMeter {
-			return newBuilderQuery(q.logger, q.telemetryStore, q.meterStmtBuilder, specCopy, adjustedTimeRange, qt.kind, qt.variables)
+			return newBuilderQuery(q.logger, q.telemetryStore, q.meterStmtBuilder, specCopy, adjustedTimeRange, qt.kind, qt.variables, builderConfig{})
 		}
-		return newBuilderQuery(q.logger, q.telemetryStore, q.metricStmtBuilder, specCopy, adjustedTimeRange, qt.kind, qt.variables)
+		return newBuilderQuery(q.logger, q.telemetryStore, q.metricStmtBuilder, specCopy, adjustedTimeRange, qt.kind, qt.variables, builderConfig{})
 	case *traceOperatorQuery:
 		specCopy := qt.spec.Copy()
 		return &traceOperatorQuery{
--- a/pkg/querier/querier_test.go
+++ b/pkg/querier/querier_test.go
@@ -54,6 +54,7 @@ func TestQueryRange_MetricTypeMissing(t *testing.T) {
 		nil,                // traceOperatorStmtBuilder
 		nil,                // bucketCache
 		flaggertest.New(t), // flagger
+		0,
 	)

 	req := &qbtypes.QueryRangeRequest{
@@ -124,6 +125,7 @@ func TestQueryRange_MetricTypeFromStore(t *testing.T) {
 		nil,                      // traceOperatorStmtBuilder
 		nil,                      // bucketCache
 		flaggertest.New(t),       // flagger
+		0,
 	)

 	req := &qbtypes.QueryRangeRequest{
--- a/pkg/querier/signozquerier/provider.go
+++ b/pkg/querier/signozquerier/provider.go
@@ -192,5 +192,6 @@ func newProvider(
 		traceOperatorStmtBuilder,
 		bucketCache,
 		flagger,
+		cfg.LogTraceIDWindowPadding,
 	), nil
 }
--- a/pkg/query-service/app/http_handler.go
+++ b/pkg/query-service/app/http_handler.go
@@ -1678,15 +1678,6 @@ func (aH *APIHandler) getFeatureFlags(w http.ResponseWriter, r *http.Request) {
 		Route:      "",
 	})

-	aiObservability := aH.Signoz.Flagger.BooleanOrEmpty(r.Context(), flagger.FeatureEnableAIObservability, evalCtx)
-	featureSet = append(featureSet, &licensetypes.Feature{
-		Name:       valuer.NewString(flagger.FeatureEnableAIObservability.String()),
-		Active:     aiObservability,
-		Usage:      0,
-		UsageLimit: -1,
-		Route:      "",
-	})
-
 	if constants.IsDotMetricsEnabled {
 		for idx, feature := range featureSet {
 			if feature.Name == licensetypes.DotMetricsEnabled {
--- a/pkg/query-service/rules/setups_test.go
+++ b/pkg/query-service/rules/setups_test.go
@@ -3,6 +3,7 @@ package rules
 import (
 	"context"
 	"testing"
+	"time"

 	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
@@ -54,6 +55,7 @@ func prepareQuerierForMetrics(t *testing.T, telemetryStore telemetrystore.Teleme
 		nil, // traceOperatorStmtBuilder
 		nil, // bucketCache
 		flagger,
+		0,
 	), metadataStore
 }

@@ -107,6 +109,7 @@ func prepareQuerierForLogs(t *testing.T, telemetryStore telemetrystore.Telemetry
 		nil,            // traceOperatorStmtBuilder
 		nil,            // bucketCache
 		fl,
+		5*time.Minute, // logTraceIDWindowPadding
 	)
 }

@@ -154,5 +157,6 @@ func prepareQuerierForTraces(t *testing.T, telemetryStore telemetrystore.Telemet
 		nil,              // traceOperatorStmtBuilder
 		nil,              // bucketCache
 		fl,
+		0,
 	)
 }
--- a/pkg/types/authtypes/role.go
+++ b/pkg/types/authtypes/role.go
@@ -20,7 +20,6 @@ var (
 	ErrCodeRoleEmptyPatch                   = errors.MustNewCode("role_empty_patch")
 	ErrCodeInvalidTypeRelation              = errors.MustNewCode("role_invalid_type_relation")
 	ErrCodeRoleNotFound                     = errors.MustNewCode("role_not_found")
-	ErrCodeRoleAlreadyExists                = errors.MustNewCode("role_already_exists")
 	ErrCodeRoleFailedTransactionsFromString = errors.MustNewCode("role_failed_transactions_from_string")
 	ErrCodeRoleUnsupported                  = errors.MustNewCode("role_unsupported")
 	ErrCodeRoleHasUserAssignees             = errors.MustNewCode("role_has_user_assignees")
@@ -73,20 +72,9 @@ type Role struct {
 	OrgID       valuer.UUID   `bun:"org_id,type:string" json:"orgId" required:"true"`
 }

-type RoleWithTransactionGroups struct {
-	*Role
-	TransactionGroups TransactionGroups `json:"transactionGroups" required:"true" nullable:"false"`
-}
-
 type PostableRole struct {
-	Name              string            `json:"name" required:"true"`
-	Description       string            `json:"description" required:"true"`
-	TransactionGroups TransactionGroups `json:"transactionGroups" required:"true" nullable:"false"`
-}
-
-type UpdatableRole struct {
-	Description       string            `json:"description" required:"true"`
-	TransactionGroups TransactionGroups `json:"transactionGroups" required:"true" nullable:"false"`
+	Name        string `json:"name" required:"true"`
+	Description string `json:"description"`
 }

 type PatchableRole struct {
@@ -109,22 +97,6 @@ func NewRole(name, description string, roleType valuer.String, orgID valuer.UUID
 	}
 }

-func NewRoleWithTransactionGroups(name, description string, roleType valuer.String, orgID valuer.UUID, transactionGroups TransactionGroups) *RoleWithTransactionGroups {
-	role := NewRole(name, description, roleType, orgID)
-
-	return &RoleWithTransactionGroups{
-		Role:              role,
-		TransactionGroups: transactionGroups,
-	}
-}
-
-func MakeRoleWithTransactionGroups(role *Role, transactionGroups TransactionGroups) *RoleWithTransactionGroups {
-	return &RoleWithTransactionGroups{
-		Role:              role,
-		TransactionGroups: transactionGroups,
-	}
-}
-
 func NewManagedRoles(orgID valuer.UUID) []*Role {
 	return []*Role{
 		NewRole(SigNozAdminRoleName, SigNozAdminRoleDescription, RoleTypeManaged, orgID),
@@ -146,18 +118,6 @@ func (role *Role) PatchMetadata(description string) error {
 	return nil
 }

-func (role *RoleWithTransactionGroups) Update(description string, transactionGroups TransactionGroups) error {
-	err := role.ErrIfManaged()
-	if err != nil {
-		return err
-	}
-
-	role.Description = description
-	role.TransactionGroups = transactionGroups
-	role.UpdatedAt = time.Now()
-	return nil
-}
-
 func (role *Role) ErrIfManaged() error {
 	if role.Type == RoleTypeManaged {
 		return errors.Newf(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "cannot edit/delete managed role: %s", role.Name)
@@ -167,58 +127,31 @@ func (role *Role) ErrIfManaged() error {
 }

 func (role *PostableRole) UnmarshalJSON(data []byte) error {
-	type Alias PostableRole
-	var temp Alias
+	type shadowPostableRole struct {
+		Name        string `json:"name"`
+		Description string `json:"description"`
+	}

-	if err := json.Unmarshal(data, &temp); err != nil {
+	var shadowRole shadowPostableRole
+	if err := json.Unmarshal(data, &shadowRole); err != nil {
 		return err
 	}

-	if temp.Name == "" {
+	if shadowRole.Name == "" {
 		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "name is missing from the request")
 	}

-	if match := roleNameRegex.MatchString(temp.Name); !match {
+	if match := roleNameRegex.MatchString(shadowRole.Name); !match {
 		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "name must contain only lowercase letters (a-z) and hyphens (-), and be at most 50 characters long.")
 	}

-	if strings.HasPrefix(temp.Name, managedRolePrefix) {
+	if strings.HasPrefix(shadowRole.Name, managedRolePrefix) {
 		return errors.Newf(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "role name cannot start with %q as it is reserved for SigNoz managed roles.", managedRolePrefix)
 	}

-	if temp.TransactionGroups == nil {
-		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "transactionGroups is required").WithAdditional("send an empty array to create a role with no transaction groups")
-	}
+	role.Name = shadowRole.Name
+	role.Description = shadowRole.Description

-	role.Name = temp.Name
-	role.Description = temp.Description
-	role.TransactionGroups = temp.TransactionGroups
-	return nil
-}
-
-func (role *UpdatableRole) UnmarshalJSON(data []byte) error {
-	shadow := struct {
-		Description       *string           `json:"description"`
-		TransactionGroups TransactionGroups `json:"transactionGroups"`
-	}{}
-
-	if err := json.Unmarshal(data, &shadow); err != nil {
-		return err
-	}
-
-	// A pointer distinguishes an omitted/null description from an explicit empty string: the field
-	// must be sent (update reconciles to exactly what is given), but an empty string is allowed so a
-	// caller can deliberately clear the description.
-	if shadow.Description == nil {
-		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "description is required").WithAdditional("send an empty string to clear the description")
-	}
-
-	if shadow.TransactionGroups == nil {
-		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "transactionGroups is required").WithAdditional("send an empty array to clear the role's transaction groups")
-	}
-
-	role.Description = *shadow.Description
-	role.TransactionGroups = shadow.TransactionGroups
 	return nil
 }

--- a/pkg/types/authtypes/transaction.go
+++ b/pkg/types/authtypes/transaction.go
@@ -13,13 +13,6 @@ type Transaction struct {
 	Object   coretypes.Object `json:"object" required:"true"`
 }

-type TransactionGroup struct {
-	Relation    Relation              `json:"relation" required:"true"`
-	ObjectGroup coretypes.ObjectGroup `json:"objectGroup" required:"true"`
-}
-
-type TransactionGroups []*TransactionGroup
-
 type GettableTransaction struct {
 	Relation   Relation         `json:"relation" required:"true"`
 	Object     coretypes.Object `json:"object" required:"true"`
@@ -39,18 +32,6 @@ func NewTransaction(relation Relation, object coretypes.Object) (*Transaction, e
 	return &Transaction{ID: valuer.GenerateUUID(), Relation: relation, Object: object}, nil
 }

-func NewTransactionGroup(relation Relation, objectGroup coretypes.ObjectGroup) (*TransactionGroup, error) {
-	if err := coretypes.ErrIfVerbNotValidForResource(relation.Verb, objectGroup.Resource); err != nil {
-		return nil, err
-	}
-
-	if _, err := coretypes.NewObjectsFromObjectGroup(objectGroup); err != nil {
-		return nil, err
-	}
-
-	return &TransactionGroup{Relation: relation, ObjectGroup: objectGroup}, nil
-}
-
 func NewGettableTransaction(results []*TransactionWithAuthorization) []*GettableTransaction {
 	gettableTransactions := make([]*GettableTransaction, len(results))
 	for i, result := range results {
@@ -64,10 +45,6 @@ func NewGettableTransaction(results []*TransactionWithAuthorization) []*Gettable
 	return gettableTransactions
 }

-func (groups TransactionGroups) Diff(desired TransactionGroups) (additions, deletions TransactionGroups) {
-	return desired.subtract(groups), groups.subtract(desired)
-}
-
 func (transaction *Transaction) UnmarshalJSON(data []byte) error {
 	var shadow = struct {
 		Relation Relation
@@ -88,71 +65,6 @@ func (transaction *Transaction) UnmarshalJSON(data []byte) error {
 	return nil
 }

-func (transactionGroup *TransactionGroup) UnmarshalJSON(data []byte) error {
-	var shadow = struct {
-		Relation    Relation
-		ObjectGroup coretypes.ObjectGroup
-	}{}
-
-	err := json.Unmarshal(data, &shadow)
-	if err != nil {
-		return err
-	}
-
-	group, err := NewTransactionGroup(shadow.Relation, shadow.ObjectGroup)
-	if err != nil {
-		return err
-	}
-
-	*transactionGroup = *group
-	return nil
-}
-
 func (transaction *Transaction) TransactionKey() string {
 	return transaction.Relation.StringValue() + ":" + transaction.Object.Resource.Type.StringValue() + ":" + transaction.Object.Resource.Kind.String()
 }
-
-func (groups TransactionGroups) subtract(other TransactionGroups) TransactionGroups {
-	otherSelectors := other.selectorSet()
-
-	order := make([]string, 0)
-	grouped := make(map[string]*TransactionGroup)
-	for _, group := range groups {
-		for _, selector := range group.ObjectGroup.Selectors {
-			if _, ok := otherSelectors[group.selectorKey(selector)]; ok {
-				continue
-			}
-
-			groupKey := group.Relation.StringValue() + "|" + group.ObjectGroup.Resource.String()
-			out, ok := grouped[groupKey]
-			if !ok {
-				out = &TransactionGroup{Relation: group.Relation, ObjectGroup: coretypes.ObjectGroup{Resource: group.ObjectGroup.Resource, Selectors: make([]coretypes.Selector, 0)}}
-				grouped[groupKey] = out
-				order = append(order, groupKey)
-			}
-			out.ObjectGroup.Selectors = append(out.ObjectGroup.Selectors, selector)
-		}
-	}
-
-	result := make(TransactionGroups, 0, len(order))
-	for _, key := range order {
-		result = append(result, grouped[key])
-	}
-
-	return result
-}
-
-func (groups TransactionGroups) selectorSet() map[string]struct{} {
-	set := make(map[string]struct{})
-	for _, group := range groups {
-		for _, selector := range group.ObjectGroup.Selectors {
-			set[group.selectorKey(selector)] = struct{}{}
-		}
-	}
-
-	return set
-}
-
-func (group *TransactionGroup) selectorKey(selector coretypes.Selector) string {
-	return group.Relation.StringValue() + "|" + group.ObjectGroup.Resource.String() + "|" + selector.String()
-}
--- a/pkg/types/authtypes/tuple.go
+++ b/pkg/types/authtypes/tuple.go
@@ -47,58 +47,14 @@ func NewTuplesFromTransactions(transactions []*Transaction, subject string, orgI
 	return tuples, nil
 }

-func NewTuplesFromTransactionGroups(name string, orgID valuer.UUID, transactionGroups []*TransactionGroup) ([]*openfgav1.TupleKey, error) {
-	tuples := make([]*openfgav1.TupleKey, 0)
-	subject := MustNewSubject(coretypes.NewResourceRole(), name, orgID, &coretypes.VerbAssignee)
-
-	for _, transactionGroup := range transactionGroups {
-		if err := coretypes.ErrIfVerbNotValidForResource(transactionGroup.Relation.Verb, transactionGroup.ObjectGroup.Resource); err != nil {
-			return nil, err
-		}
-
-		resource, err := coretypes.NewResourceFromTypeAndKind(transactionGroup.ObjectGroup.Resource.Type, transactionGroup.ObjectGroup.Resource.Kind)
-		if err != nil {
-			return nil, err
-		}
-
-		objectGroupTuples := NewTuples(resource, subject, transactionGroup.Relation, transactionGroup.ObjectGroup.Selectors, orgID)
-		tuples = append(tuples, objectGroupTuples...)
-	}
-
-	return tuples, nil
-}
-
-func MustNewTransactionGroupsFromTuples(tuples []*openfgav1.TupleKey) []*TransactionGroup {
-	objectsByRelation := make(map[string][]*coretypes.Object)
-
-	for _, tuple := range tuples {
-		verb, err := coretypes.NewVerb(tuple.GetRelation())
-		if err != nil {
-			panic(err)
-		}
-
-		object := coretypes.MustNewObjectFromString(tuple.GetObject())
-		objectsByRelation[verb.StringValue()] = append(objectsByRelation[verb.StringValue()], object)
-	}
-
-	transactionGroups := make([]*TransactionGroup, 0)
-	for _, verb := range coretypes.Verbs {
-		objects := objectsByRelation[verb.StringValue()]
-		if len(objects) == 0 {
-			continue
-		}
-
-		for _, objectGroup := range coretypes.NewObjectGroupsFromObjects(objects) {
-			transactionGroups = append(transactionGroups, &TransactionGroup{
-				Relation:    Relation{Verb: verb},
-				ObjectGroup: *objectGroup,
-			})
-		}
-	}
-
-	return transactionGroups
-}
-
+// NewTuplesFromTransactionsWithCorrelations converts transactions to tuples for BatchCheck,
+// and for each transaction whose selector is not already a wildcard, generates an additional
+// tuple with the wildcard selector. This ensures that permissions granted via wildcard
+// selectors (e.g., dashboard:*) are checked alongside exact selectors (e.g., dashboard:abc-123).
+//
+// Returns:
+//   - tuples: all tuples to check (exact + correlated), keyed by transaction ID or generated correlation ID
+//   - correlations: maps transaction ID to a slice of correlation IDs for the additional tuples
 func NewTuplesFromTransactionsWithCorrelations(transactions []*Transaction, subject string, orgID valuer.UUID) (tuples map[string]*openfgav1.TupleKey, correlations map[string][]string, err error) {
 	tuples = make(map[string]*openfgav1.TupleKey)
 	correlations = make(map[string][]string)
@@ -127,6 +83,10 @@ func NewTuplesFromTransactionsWithCorrelations(transactions []*Transaction, subj
 	return tuples, correlations, nil
 }

+// NewTuplesFromTransactionsWithManagedRoles converts transactions to tuples for BatchCheck.
+// Direct role-assignment transactions (TypeRole + VerbAssignee) produce one tuple keyed by txn ID.
+// Other transactions are expanded via managedRolesByTransaction into role-assignee checks, keyed by "txnID:roleName".
+// Transactions with no managed role mapping are marked as pre-resolved (false) in the returned map.
 func NewTuplesFromTransactionsWithManagedRoles(
 	transactions []*Transaction,
 	subject string,
@@ -171,6 +131,10 @@ func NewTuplesFromTransactionsWithManagedRoles(
 	return tuples, preResolved, roleCorrelations, nil
 }

+// NewTransactionWithAuthorizationFromBatchResults merges batch check results into an ordered
+// slice of TransactionWithAuthorization matching the input transactions order.
+// preResolved contains txn IDs whose authorization was determined without BatchCheck.
+// roleCorrelations maps txn IDs to correlation IDs used for managed role checks.
 func NewTransactionWithAuthorizationFromBatchResults(
 	transactions []*Transaction,
 	batchResults map[string]*TupleKeyAuthorization,
--- a/pkg/types/coretypes/object.go
+++ b/pkg/types/coretypes/object.go
@@ -9,7 +9,6 @@ import (

 var (
 	ErrCodeInvalidPatchObject = errors.MustNewCode("authz_invalid_patch_objects")
-	ErrCodeInvalidObject      = errors.MustNewCode("authz_invalid_object")
 )

 type Object struct {
--- a/pkg/types/llmpricingruletypes/pricing.go
+++ b/pkg/types/llmpricingruletypes/pricing.go
@@ -125,10 +125,8 @@ type UpdatableLLMPricingRules struct {
 }

 type ListPricingRulesQuery struct {
-	Offset     int    `query:"offset" json:"offset"`
-	Limit      int    `query:"limit"  json:"limit"`
-	Search     string `query:"q" json:"q"`
-	IsOverride *bool  `query:"isOverride" json:"isOverride"`
+	Offset int `query:"offset" json:"offset"`
+	Limit  int `query:"limit"  json:"limit"`
 }

 type GettablePricingRules struct {
--- a/pkg/types/llmpricingruletypes/store.go
+++ b/pkg/types/llmpricingruletypes/store.go
@@ -7,7 +7,7 @@ import (
 )

 type Store interface {
-	List(ctx context.Context, orgID valuer.UUID, offset, limit int, search string, isOverride *bool) ([]*LLMPricingRule, int, error)
+	List(ctx context.Context, orgID valuer.UUID, offset, limit int) ([]*LLMPricingRule, int, error)
 	Get(ctx context.Context, orgID, id valuer.UUID) (*LLMPricingRule, error)
 	GetBySourceID(ctx context.Context, orgID, sourceID valuer.UUID) (*LLMPricingRule, error)
 	Create(ctx context.Context, rule *LLMPricingRule) error
--- a/tests/fixtures/role.py
+++ b/tests/fixtures/role.py
@@ -26,10 +26,10 @@ def find_role_by_name(signoz: types.SigNoz, token: str, name: str) -> str:


 def create_custom_role(signoz: types.SigNoz, token: str, name: str) -> str:
-    """Create a custom role and return its ID. transactionGroups is required (send [] for none)."""
+    """Create a custom role and return its ID."""
    resp = requests.post(
        signoz.self.host_configs["8080"].get(ROLES_BASE),
-        json={"name": name, "transactionGroups": []},
+        json={"name": name},
        headers={"Authorization": f"Bearer {token}"},
        timeout=5,
    )
--- a/tests/integration/tests/querier/01_logs.py
+++ b/tests/integration/tests/querier/01_logs.py
@@ -2306,9 +2306,11 @@ def test_logs_list_filter_by_trace_id(
    """
    Tests that filtering logs by trace_id uses the trace_summary lookup to
    narrow the query window before scanning the logs table:
-    1. Returns the matching log (narrow window, single bucket).
+    1. Returns the matching logs (narrow window, single bucket), including a log
+       flushed shortly after the span ends — kept by the configured padding.
    2. Does not return duplicate logs when the query window should span multiple
-       exponential buckets (>1 h). But is clamped to the timerange of trace.
+       exponential buckets (>1 h). The window is clamped to the trace's recorded
+       range widened by the padding, so the post-span log survives the clamp.
    3. Returns no results when the query window does not contain the trace.
    4. Logs carrying a trace_id whose trace is NOT in trace_summary (e.g.
       traces disabled) are still returned — the lookup miss must not
@@ -2366,6 +2368,9 @@ def test_logs_list_filter_by_trace_id(
    # Insert logs:
    # - one with the target trace_id, at a timestamp within the trace's
    #   recorded window (now-10s..now-5s, padded ±1s).
+    # - one with the target trace_id flushed ~3s AFTER the span's recorded end
+    #   (now-2s). This is outside the ±1s base pad but inside the multi-minute
+    #   log_trace_id_window_padding, so it must still be returned.
    # - one with an orphan trace_id whose trace was never ingested — used to
    #   verify the lookup miss does NOT short-circuit logs queries.
    insert_logs(
@@ -2379,6 +2384,15 @@ def test_logs_list_filter_by_trace_id(
                trace_id=target_trace_id,
                span_id=target_root_span_id,
            ),
+            Logs(
+                timestamp=now - timedelta(seconds=2),
+                resources=common_resources,
+                attributes={"http.method": "POST"},
+                body="log flushed after the span ends, within padding window",
+                severity_text="INFO",
+                trace_id=target_trace_id,
+                span_id=target_root_span_id,
+            ),
            Logs(
                timestamp=now - timedelta(seconds=2),
                resources=common_resources,
@@ -2429,23 +2443,31 @@ def test_logs_list_filter_by_trace_id(

    now_ms = int(now.timestamp() * 1000)

+    inside_window_body = "log inside the target trace window"
+    post_span_body = "log flushed after the span ends, within padding window"
+
    # --- Test 1: narrow window (single bucket, <1 h) ---
    narrow_start_ms = int((now - timedelta(minutes=5)).timestamp() * 1000)
    narrow_rows, narrow_warnings = _query(narrow_start_ms, now_ms, target_trace_id)

-    assert len(narrow_rows) == 1, f"Expected 1 log for trace_id filter (narrow window), got {len(narrow_rows)}"
-    assert narrow_rows[0]["data"]["trace_id"] == target_trace_id
-    assert narrow_rows[0]["data"]["span_id"] == target_root_span_id
+    assert len(narrow_rows) == 2, f"Expected 2 logs for trace_id filter (narrow window), got {len(narrow_rows)}"
+    assert {r["data"]["trace_id"] for r in narrow_rows} == {target_trace_id}
+    narrow_bodies = {r["data"]["body"] for r in narrow_rows}
+    assert inside_window_body in narrow_bodies
+    assert post_span_body in narrow_bodies, "post-span log should be returned within the padding window"
    assert not any(outside_range_msg in m for m in narrow_warnings), f"Did not expect outside-range warning, got {narrow_warnings}"

-    # --- Test 2: wide window (>1 h, clamp to the timerange from trace_summary) ---
-    # Should still return exactly one log — no duplicates from multi-bucket scan.
+    # --- Test 2: wide window (>1 h, clamp to the padded timerange from trace_summary) ---
+    # Should return exactly the two target logs — no duplicates from multi-bucket
+    # scan, and the post-span log survives the clamp only because of the padding.
    wide_start_ms = int((now - timedelta(hours=12)).timestamp() * 1000)
    wide_rows, wide_warnings = _query(wide_start_ms, now_ms, target_trace_id)

-    assert len(wide_rows) == 1, f"Expected 1 log for trace_id filter (wide window, multi-bucket), got {len(wide_rows)} — possible duplicate-log regression"
-    assert wide_rows[0]["data"]["trace_id"] == target_trace_id
-    assert wide_rows[0]["data"]["span_id"] == target_root_span_id
+    assert len(wide_rows) == 2, f"Expected 2 logs for trace_id filter (wide window, multi-bucket), got {len(wide_rows)} — possible duplicate-log regression or padding not applied"
+    assert {r["data"]["trace_id"] for r in wide_rows} == {target_trace_id}
+    wide_bodies = {r["data"]["body"] for r in wide_rows}
+    assert inside_window_body in wide_bodies
+    assert post_span_body in wide_bodies, "post-span log should survive the clamp because of the padding"
    assert not any(outside_range_msg in m for m in wide_warnings), f"Did not expect outside-range warning, got {wide_warnings}"

    # --- Test 3: window that does not contain the trace returns no results + warning ---
--- a/tests/integration/tests/querier/03_metrics.py
+++ b/tests/integration/tests/querier/03_metrics.py
@@ -15,7 +15,6 @@ from fixtures.querier import (
    build_builder_query,
    find_named_result,
    get_all_warnings,
-    get_error_message,
    index_series_by_label,
    make_query_request,
 )
--- a/tests/integration/tests/role/03_fga.py
+++ b/tests/integration/tests/role/03_fga.py
@@ -63,7 +63,7 @@ def test_create_role_with_signoz_prefix_rejected(
    for name in ("signoz-custom", "signozcustom"):
        resp = requests.post(
            signoz.self.host_configs["8080"].get(ROLES_BASE),
-            json={"name": name, "transactionGroups": []},
+            json={"name": name},
            headers={"Authorization": f"Bearer {admin_token}"},
            timeout=5,
        )
@@ -175,7 +175,7 @@ def test_role_readonly_forbidden_operations(
    # Create role — forbidden.
    resp = requests.post(
        signoz.self.host_configs["8080"].get(ROLES_BASE),
-        json={"name": "role-fga-should-fail", "transactionGroups": []},
+        json={"name": "role-fga-should-fail"},
        headers={"Authorization": f"Bearer {token}"},
        timeout=5,
    )
@@ -238,7 +238,7 @@ def test_role_grant_write_permissions(
    # Create role — now allowed.
    resp = requests.post(
        signoz.self.host_configs["8080"].get(ROLES_BASE),
-        json={"name": "role-fga-write-test", "transactionGroups": []},
+        json={"name": "role-fga-write-test"},
        headers={"Authorization": f"Bearer {custom_token}"},
        timeout=5,
    )
Author	SHA1	Message	Date
nityanandagohain	c926034f14	chore: more cleanup	2026-06-22 17:22:32 +05:30
nityanandagohain	ecd6e04518	chore: use a struct instead	2026-06-22 17:11:09 +05:30
nityanandagohain	4744f83cfe	fix(querier): pad clamped time range for trace_id-filtered logs	2026-06-21 11:19:42 +05:30