feat: control visibility of root user in list user api using flagger

## Summary

- Remove the legacy `/api/gateway` reverse proxy from `ee/query-service/integrations/gateway/` — it has been superseded by the new provider-pattern-based `pkg/gateway/` package (serving
  `/api/v2/gateway/ingestion_keys`)
- Delete dead frontend code: manual IngestionKeys API clients and hooks that targeted the old gateway routes
- Clean up `GatewayApiV1`/`GatewayApiV2` axios instances and route constants from the frontend API layer

## What's retained

- `--gateway-url` flag and `GatewayUrl` field in `APIHandlerOptions` (still used by `cloudIntegrations.go`)
- `pkg/gateway/` package (the new gateway provider)
- `frontend/src/api/generated/services/gateway/` (generated client for the new endpoints)

ee/query-service/app/api/api.go

@@ -2,11 +2,9 @@ package api
 
 import (
 	"net/http"
-	"net/http/httputil"
 	"time"
 
 	"github.com/SigNoz/signoz/ee/licensing/httplicensing"
-	"github.com/SigNoz/signoz/ee/query-service/integrations/gateway"
 	"github.com/SigNoz/signoz/ee/query-service/usage"
 	"github.com/SigNoz/signoz/pkg/alertmanager"
 	"github.com/SigNoz/signoz/pkg/global"
@@ -31,7 +29,6 @@ type APIHandlerOptions struct {
 	IntegrationsController        *integrations.Controller
 	CloudIntegrationsController   *cloudintegrations.Controller
 	LogsParsingPipelineController *logparsingpipeline.LogParsingPipelineController
-	Gateway                       *httputil.ReverseProxy
 	GatewayUrl                    string
 	// Querier Influx Interval
 	FluxInterval time.Duration
@@ -77,10 +74,6 @@ func (ah *APIHandler) UM() *usage.Manager {
 	return ah.opts.UsageManager
 }
 
-func (ah *APIHandler) Gateway() *httputil.ReverseProxy {
-	return ah.opts.Gateway
-}
-
 // RegisterRoutes registers routes for this handler on the given router
 func (ah *APIHandler) RegisterRoutes(router *mux.Router, am *middleware.AuthZ) {
 	// note: add ee override methods first
@@ -103,9 +96,6 @@ func (ah *APIHandler) RegisterRoutes(router *mux.Router, am *middleware.AuthZ) {
 	// v4
 	router.HandleFunc("/api/v4/query_range", am.ViewAccess(ah.queryRangeV4)).Methods(http.MethodPost)
 
-	// Gateway
-	router.PathPrefix(gateway.RoutePrefix).HandlerFunc(am.EditAccess(ah.ServeGatewayHTTP))
-
 	ah.APIHandler.RegisterRoutes(router, am)
 
 }

ee/query-service/app/api/gateway.go

@@ -1,58 +0,0 @@
-package api
-
-import (
-	"net/http"
-	"strings"
-
-	"github.com/SigNoz/signoz/ee/query-service/integrations/gateway"
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/http/render"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-func (ah *APIHandler) ServeGatewayHTTP(rw http.ResponseWriter, req *http.Request) {
-	ctx := req.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	orgID, err := valuer.NewUUID(claims.OrgID)
-	if err != nil {
-		render.Error(rw, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "orgId is invalid"))
-		return
-	}
-
-	validPath := false
-	for _, allowedPrefix := range gateway.AllowedPrefix {
-		if strings.HasPrefix(req.URL.Path, gateway.RoutePrefix+allowedPrefix) {
-			validPath = true
-			break
-		}
-	}
-
-	if !validPath {
-		rw.WriteHeader(http.StatusNotFound)
-		return
-	}
-
-	license, err := ah.Signoz.Licensing.GetActive(ctx, orgID)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	//Create headers
-	var licenseKey string
-	if license != nil {
-		licenseKey = license.Key
-	}
-
-	req.Header.Set("X-Signoz-Cloud-Api-Key", licenseKey)
-	req.Header.Set("X-Consumer-Username", "lid:00000000-0000-0000-0000-000000000000")
-	req.Header.Set("X-Consumer-Groups", "ns:default")
-
-	ah.Gateway().ServeHTTP(rw, req)
-}

ee/query-service/app/server.go

@@ -19,7 +19,6 @@ import (
 	"github.com/gorilla/handlers"
 
 	"github.com/SigNoz/signoz/ee/query-service/app/api"
-	"github.com/SigNoz/signoz/ee/query-service/integrations/gateway"
 	"github.com/SigNoz/signoz/ee/query-service/rules"
 	"github.com/SigNoz/signoz/ee/query-service/usage"
 	"github.com/SigNoz/signoz/pkg/alertmanager"
@@ -72,11 +71,6 @@ type Server struct {
 
 // NewServer creates and initializes Server
 func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {
-	gatewayProxy, err := gateway.NewProxy(config.Gateway.URL.String(), gateway.RoutePrefix)
-	if err != nil {
-		return nil, err
-	}
-
 	cacheForTraceDetail, err := memorycache.New(context.TODO(), signoz.Instrumentation.ToProviderSettings(), cache.Config{
 		Provider: "memory",
 		Memory: cache.Memory{
@@ -170,7 +164,6 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {
 		CloudIntegrationsController:   cloudIntegrationsController,
 		LogsParsingPipelineController: logParsingPipelineController,
 		FluxInterval:                  config.Querier.FluxInterval,
-		Gateway:                       gatewayProxy,
 		GatewayUrl:                    config.Gateway.URL.String(),
 		GlobalConfig:                  config.Global,
 	}

ee/query-service/integrations/gateway/noop.go

@@ -1,9 +0,0 @@
-package gateway
-
-import (
-	"net/http/httputil"
-)
-
-func NewNoopProxy() (*httputil.ReverseProxy, error) {
-	return &httputil.ReverseProxy{}, nil
-}

ee/query-service/integrations/gateway/proxy.go

@@ -1,66 +0,0 @@
-package gateway
-
-import (
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"path"
-	"strings"
-)
-
-var (
-	RoutePrefix   string   = "/api/gateway"
-	AllowedPrefix []string = []string{"/v1/workspaces/me", "/v2/profiles/me", "/v2/deployments/me"}
-)
-
-type proxy struct {
-	url       *url.URL
-	stripPath string
-}
-
-func NewProxy(u string, stripPath string) (*httputil.ReverseProxy, error) {
-	url, err := url.Parse(u)
-	if err != nil {
-		return nil, err
-	}
-
-	proxy := &proxy{url: url, stripPath: stripPath}
-
-	return &httputil.ReverseProxy{
-		Rewrite:        proxy.rewrite,
-		ModifyResponse: proxy.modifyResponse,
-		ErrorHandler:   proxy.errorHandler,
-	}, nil
-}
-
-func (p *proxy) rewrite(pr *httputil.ProxyRequest) {
-	pr.SetURL(p.url)
-	pr.SetXForwarded()
-	pr.Out.URL.Path = cleanPath(strings.ReplaceAll(pr.Out.URL.Path, p.stripPath, ""))
-}
-
-func (p *proxy) modifyResponse(res *http.Response) error {
-	return nil
-}
-
-func (p *proxy) errorHandler(rw http.ResponseWriter, req *http.Request, err error) {
-	rw.WriteHeader(http.StatusBadGateway)
-}
-
-func cleanPath(p string) string {
-	if p == "" {
-		return "/"
-	}
-	if p[0] != '/' {
-		p = "/" + p
-	}
-	np := path.Clean(p)
-	if p[len(p)-1] == '/' && np != "/" {
-		if len(p) == len(np)+1 && strings.HasPrefix(p, np) {
-			np = p
-		} else {
-			np += "/"
-		}
-	}
-	return np
-}

ee/query-service/integrations/gateway/proxy_test.go

@@ -1,61 +0,0 @@
-package gateway
-
-import (
-	"context"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestProxyRewrite(t *testing.T) {
-	testCases := []struct {
-		name      string
-		url       *url.URL
-		stripPath string
-		in        *url.URL
-		expected  *url.URL
-	}{
-		{
-			name:      "SamePathAdded",
-			url:       &url.URL{Scheme: "http", Host: "backend", Path: "/path1"},
-			stripPath: "/strip",
-			in:        &url.URL{Scheme: "http", Host: "localhost", Path: "/strip/path1"},
-			expected:  &url.URL{Scheme: "http", Host: "backend", Path: "/path1/path1"},
-		},
-		{
-			name:      "NoStripPathInput",
-			url:       &url.URL{Scheme: "http", Host: "backend"},
-			stripPath: "",
-			in:        &url.URL{Scheme: "http", Host: "localhost", Path: "/strip/path1"},
-			expected:  &url.URL{Scheme: "http", Host: "backend", Path: "/strip/path1"},
-		},
-		{
-			name:      "NoStripPathPresentInReq",
-			url:       &url.URL{Scheme: "http", Host: "backend"},
-			stripPath: "/not-found",
-			in:        &url.URL{Scheme: "http", Host: "localhost", Path: "/strip/path1"},
-			expected:  &url.URL{Scheme: "http", Host: "backend", Path: "/strip/path1"},
-		},
-	}
-
-	for _, tc := range testCases {
-		proxy, err := NewProxy(tc.url.String(), tc.stripPath)
-		require.NoError(t, err)
-		inReq, err := http.NewRequest(http.MethodGet, tc.in.String(), nil)
-		require.NoError(t, err)
-		proxyReq := &httputil.ProxyRequest{
-			In:  inReq,
-			Out: inReq.Clone(context.Background()),
-		}
-		proxy.Rewrite(proxyReq)
-
-		assert.Equal(t, tc.expected.Host, proxyReq.Out.URL.Host)
-		assert.Equal(t, tc.expected.Scheme, proxyReq.Out.URL.Scheme)
-		assert.Equal(t, tc.expected.Path, proxyReq.Out.URL.Path)
-		assert.Equal(t, tc.expected.Query(), proxyReq.Out.URL.Query())
-	}
-}

frontend/src/api/IngestionKeys/createIngestionKey.ts

@@ -1,29 +0,0 @@
-import { GatewayApiV1Instance } from 'api';
-import { ErrorResponseHandler } from 'api/ErrorResponseHandler';
-import { AxiosError } from 'axios';
-import { ErrorResponse, SuccessResponse } from 'types/api';
-import {
-	CreateIngestionKeyProps,
-	IngestionKeyProps,
-} from 'types/api/ingestionKeys/types';
-
-const createIngestionKey = async (
-	props: CreateIngestionKeyProps,
-): Promise<SuccessResponse<IngestionKeyProps> | ErrorResponse> => {
-	try {
-		const response = await GatewayApiV1Instance.post('/workspaces/me/keys', {
-			...props,
-		});
-
-		return {
-			statusCode: 200,
-			error: null,
-			message: response.data.status,
-			payload: response.data.data,
-		};
-	} catch (error) {
-		return ErrorResponseHandler(error as AxiosError);
-	}
-};
-
-export default createIngestionKey;

frontend/src/api/IngestionKeys/deleteIngestionKey.ts

@@ -1,26 +0,0 @@
-import { GatewayApiV1Instance } from 'api';
-import { ErrorResponseHandler } from 'api/ErrorResponseHandler';
-import { AxiosError } from 'axios';
-import { ErrorResponse, SuccessResponse } from 'types/api';
-import { AllIngestionKeyProps } from 'types/api/ingestionKeys/types';
-
-const deleteIngestionKey = async (
-	id: string,
-): Promise<SuccessResponse<AllIngestionKeyProps> | ErrorResponse> => {
-	try {
-		const response = await GatewayApiV1Instance.delete(
-			`/workspaces/me/keys/${id}`,
-		);
-
-		return {
-			statusCode: 200,
-			error: null,
-			message: response.data.status,
-			payload: response.data.data,
-		};
-	} catch (error) {
-		return ErrorResponseHandler(error as AxiosError);
-	}
-};
-
-export default deleteIngestionKey;

frontend/src/api/IngestionKeys/getAllIngestionKeys.ts

@@ -1,21 +0,0 @@
-import { GatewayApiV1Instance } from 'api';
-import { AxiosResponse } from 'axios';
-import {
-	AllIngestionKeyProps,
-	GetIngestionKeyProps,
-} from 'types/api/ingestionKeys/types';
-
-export const getAllIngestionKeys = (
-	props: GetIngestionKeyProps,
-): Promise<AxiosResponse<AllIngestionKeyProps>> => {
-	// eslint-disable-next-line @typescript-eslint/naming-convention
-	const { search, per_page, page } = props;
-
-	const BASE_URL = '/workspaces/me/keys';
-	const URL_QUERY_PARAMS =
-		search && search.length > 0
-			? `/search?name=${search}&page=1&per_page=100`
-			: `?page=${page}&per_page=${per_page}`;
-
-	return GatewayApiV1Instance.get(`${BASE_URL}${URL_QUERY_PARAMS}`);
-};

frontend/src/api/IngestionKeys/limits/createLimitsForKey.ts

@@ -1,65 +0,0 @@
-/* eslint-disable @typescript-eslint/no-throw-literal */
-import { GatewayApiV1Instance } from 'api';
-import axios from 'axios';
-import {
-	AddLimitProps,
-	LimitSuccessProps,
-} from 'types/api/ingestionKeys/limits/types';
-
-interface SuccessResponse<T> {
-	statusCode: number;
-	error: null;
-	message: string;
-	payload: T;
-}
-
-interface ErrorResponse {
-	statusCode: number;
-	error: string;
-	message: string;
-	payload: null;
-}
-
-const createLimitForIngestionKey = async (
-	props: AddLimitProps,
-): Promise<SuccessResponse<LimitSuccessProps> | ErrorResponse> => {
-	try {
-		const response = await GatewayApiV1Instance.post(
-			`/workspaces/me/keys/${props.keyID}/limits`,
-			{
-				...props,
-			},
-		);
-
-		return {
-			statusCode: 200,
-			error: null,
-			message: response.data.status,
-			payload: response.data.data,
-		};
-	} catch (error) {
-		if (axios.isAxiosError(error)) {
-			// Axios error
-			const errResponse: ErrorResponse = {
-				statusCode: error.response?.status || 500,
-				error: error.response?.data?.error,
-				message: error.response?.data?.status || 'An error occurred',
-				payload: null,
-			};
-
-			throw errResponse;
-		} else {
-			// Non-Axios error
-			const errResponse: ErrorResponse = {
-				statusCode: 500,
-				error: 'Unknown error',
-				message: 'An unknown error occurred',
-				payload: null,
-			};
-
-			throw errResponse;
-		}
-	}
-};
-
-export default createLimitForIngestionKey;

frontend/src/api/IngestionKeys/limits/deleteLimitsForIngestionKey.ts

@@ -1,26 +0,0 @@
-import { GatewayApiV1Instance } from 'api';
-import { ErrorResponseHandler } from 'api/ErrorResponseHandler';
-import { AxiosError } from 'axios';
-import { ErrorResponse, SuccessResponse } from 'types/api';
-import { AllIngestionKeyProps } from 'types/api/ingestionKeys/types';
-
-const deleteLimitsForIngestionKey = async (
-	id: string,
-): Promise<SuccessResponse<AllIngestionKeyProps> | ErrorResponse> => {
-	try {
-		const response = await GatewayApiV1Instance.delete(
-			`/workspaces/me/limits/${id}`,
-		);
-
-		return {
-			statusCode: 200,
-			error: null,
-			message: response.data.status,
-			payload: response.data.data,
-		};
-	} catch (error) {
-		return ErrorResponseHandler(error as AxiosError);
-	}
-};
-
-export default deleteLimitsForIngestionKey;

frontend/src/api/IngestionKeys/limits/updateLimitsForIngestionKey.ts

@@ -1,65 +0,0 @@
-/* eslint-disable @typescript-eslint/no-throw-literal */
-import { GatewayApiV1Instance } from 'api';
-import axios from 'axios';
-import {
-	LimitSuccessProps,
-	UpdateLimitProps,
-} from 'types/api/ingestionKeys/limits/types';
-
-interface SuccessResponse<T> {
-	statusCode: number;
-	error: null;
-	message: string;
-	payload: T;
-}
-
-interface ErrorResponse {
-	statusCode: number;
-	error: string;
-	message: string;
-	payload: null;
-}
-
-const updateLimitForIngestionKey = async (
-	props: UpdateLimitProps,
-): Promise<SuccessResponse<LimitSuccessProps> | ErrorResponse> => {
-	try {
-		const response = await GatewayApiV1Instance.patch(
-			`/workspaces/me/limits/${props.limitID}`,
-			{
-				config: props.config,
-			},
-		);
-
-		return {
-			statusCode: 200,
-			error: null,
-			message: response.data.status,
-			payload: response.data.data,
-		};
-	} catch (error) {
-		if (axios.isAxiosError(error)) {
-			// Axios error
-			const errResponse: ErrorResponse = {
-				statusCode: error.response?.status || 500,
-				error: error.response?.data?.error,
-				message: error.response?.data?.status || 'An error occurred',
-				payload: null,
-			};
-
-			throw errResponse;
-		} else {
-			// Non-Axios error
-			const errResponse: ErrorResponse = {
-				statusCode: 500,
-				error: 'Unknown error',
-				message: 'An unknown error occurred',
-				payload: null,
-			};
-
-			throw errResponse;
-		}
-	}
-};
-
-export default updateLimitForIngestionKey;

frontend/src/api/IngestionKeys/updateIngestionKey.ts

@@ -1,32 +0,0 @@
-import { GatewayApiV1Instance } from 'api';
-import { ErrorResponseHandler } from 'api/ErrorResponseHandler';
-import { AxiosError } from 'axios';
-import { ErrorResponse, SuccessResponse } from 'types/api';
-import {
-	IngestionKeysPayloadProps,
-	UpdateIngestionKeyProps,
-} from 'types/api/ingestionKeys/types';
-
-const updateIngestionKey = async (
-	props: UpdateIngestionKeyProps,
-): Promise<SuccessResponse<IngestionKeysPayloadProps> | ErrorResponse> => {
-	try {
-		const response = await GatewayApiV1Instance.patch(
-			`/workspaces/me/keys/${props.id}`,
-			{
-				...props.data,
-			},
-		);
-
-		return {
-			statusCode: 200,
-			error: null,
-			message: response.data.status,
-			payload: response.data.data,
-		};
-	} catch (error) {
-		return ErrorResponseHandler(error as AxiosError);
-	}
-};
-
-export default updateIngestionKey;

frontend/src/api/apiV1.ts

@@ -4,8 +4,6 @@ export const apiV2 = '/api/v2/';
 export const apiV3 = '/api/v3/';
 export const apiV4 = '/api/v4/';
 export const apiV5 = '/api/v5/';
-export const gatewayApiV1 = '/api/gateway/v1/';
-export const gatewayApiV2 = '/api/gateway/v2/';
 export const apiAlertManager = '/api/alertmanager/';
 
 export default apiV1;

frontend/src/api/index.ts

@@ -15,15 +15,7 @@ import { Events } from 'constants/events';
 import { LOCALSTORAGE } from 'constants/localStorage';
 import { eventEmitter } from 'utils/getEventEmitter';
 
-import apiV1, {
-	apiAlertManager,
-	apiV2,
-	apiV3,
-	apiV4,
-	apiV5,
-	gatewayApiV1,
-	gatewayApiV2,
-} from './apiV1';
+import apiV1, { apiAlertManager, apiV2, apiV3, apiV4, apiV5 } from './apiV1';
 import { Logout } from './utils';
 
 const RESPONSE_TIMEOUT_THRESHOLD = 5000; // 5 seconds
@@ -211,24 +203,6 @@ LogEventAxiosInstance.interceptors.response.use(
 LogEventAxiosInstance.interceptors.request.use(interceptorsRequestResponse);
 //
 
-// gateway Api V1
-export const GatewayApiV1Instance = axios.create({
-	baseURL: `${ENVIRONMENT.baseURL}${gatewayApiV1}`,
-});
-
-GatewayApiV1Instance.interceptors.response.use(
-	interceptorsResponse,
-	interceptorRejected,
-);
-
-GatewayApiV1Instance.interceptors.request.use(interceptorsRequestResponse);
-//
-
-// gateway Api V2
-export const GatewayApiV2Instance = axios.create({
-	baseURL: `${ENVIRONMENT.baseURL}${gatewayApiV2}`,
-});
-
 // generated API Instance
 export const GeneratedAPIInstance = axios.create({
 	baseURL: ENVIRONMENT.baseURL,
@@ -240,14 +214,6 @@ GeneratedAPIInstance.interceptors.response.use(
 	interceptorRejected,
 );
 
-GatewayApiV2Instance.interceptors.response.use(
-	interceptorsResponse,
-	interceptorRejected,
-);
-
-GatewayApiV2Instance.interceptors.request.use(interceptorsRequestResponse);
-//
-
 AxiosAlertManagerInstance.interceptors.response.use(
 	interceptorsResponse,
 	interceptorRejected,

frontend/src/hooks/IngestionKeys/useGetAllIngestionKeys.ts

@@ -1,15 +0,0 @@
-import { useQuery, UseQueryResult } from 'react-query';
-import { getAllIngestionKeys } from 'api/IngestionKeys/getAllIngestionKeys';
-import { AxiosError, AxiosResponse } from 'axios';
-import {
-	AllIngestionKeyProps,
-	GetIngestionKeyProps,
-} from 'types/api/ingestionKeys/types';
-
-export const useGetAllIngestionsKeys = (
-	props: GetIngestionKeyProps,
-): UseQueryResult<AxiosResponse<AllIngestionKeyProps>, AxiosError> =>
-	useQuery<AxiosResponse<AllIngestionKeyProps>, AxiosError>({
-		queryKey: [`IngestionKeys-${props.page}-${props.search}`],
-		queryFn: () => getAllIngestionKeys(props),
-	});

pkg/flagger/registry.go

@@ -3,8 +3,9 @@ package flagger
 import "github.com/SigNoz/signoz/pkg/types/featuretypes"
 
 var (
-	FeatureUseSpanMetrics = featuretypes.MustNewName("use_span_metrics")
-	FeatureKafkaSpanEval  = featuretypes.MustNewName("kafka_span_eval")
+	FeatureUseSpanMetrics       = featuretypes.MustNewName("use_span_metrics")
+	FeatureKafkaSpanEval        = featuretypes.MustNewName("kafka_span_eval")
+	FeatureListUsersIncludeRoot = featuretypes.MustNewName("list_users_include_root")
 )
 
 func MustNewRegistry() featuretypes.Registry {
@@ -25,6 +26,14 @@ func MustNewRegistry() featuretypes.Registry {
 			DefaultVariant: featuretypes.MustNewName("disabled"),
 			Variants:       featuretypes.NewBooleanVariants(),
 		},
+		&featuretypes.Feature{
+			Name:           FeatureListUsersIncludeRoot,
+			Kind:           featuretypes.KindBoolean,
+			Stage:          featuretypes.StageStable,
+			Description:    "Controls whether root admin users are shown in the list users API",
+			DefaultVariant: featuretypes.MustNewName("enabled"),
+			Variants:       featuretypes.NewBooleanVariants(),
+		},
 	)
 	if err != nil {
 		panic(err)

pkg/modules/user/impluser/handler.go

@@ -8,22 +8,25 @@ import (
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/http/binding"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
 
 type handler struct {
-	module root.Module
-	getter root.Getter
+	module  root.Module
+	getter  root.Getter
+	flagger flagger.Flagger
 }
 
-func NewHandler(module root.Module, getter root.Getter) root.Handler {
-	return &handler{module: module, getter: getter}
+func NewHandler(module root.Module, getter root.Getter, flagger flagger.Flagger) root.Handler {
+	return &handler{module: module, getter: getter, flagger: flagger}
 }
 
 func (h *handler) AcceptInvite(w http.ResponseWriter, r *http.Request) {
@@ -211,12 +214,29 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	users, err := h.getter.ListByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
+	orgId := valuer.MustNewUUID(claims.OrgID)
+	users, err := h.getter.ListByOrgID(ctx, orgId)
 	if err != nil {
 		render.Error(w, err)
 		return
 	}
 
+	// filter root users if feature flag `list_users_include_root` is disabled
+	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgId)
+	listUsersIncludeRoot := h.flagger.BooleanOrEmpty(r.Context(), flagger.FeatureListUsersIncludeRoot, evalCtx)
+
+	if !listUsersIncludeRoot {
+		filteredUsers := users[:0]
+		for _, u := range users {
+			if !u.IsRoot {
+				filteredUsers = append(filteredUsers, u)
+			}
+		}
+
+		render.Success(w, http.StatusOK, filteredUsers)
+		return
+	}
+
 	render.Success(w, http.StatusOK, users)
 }
 

pkg/query-service/app/clickhouseReader/reader.go

@@ -1913,7 +1913,7 @@ func (r *ClickHouseReader) GetCustomRetentionTTL(ctx context.Context, orgID stri
 			// No V2 configuration found, return defaults
 			response.DefaultTTLDays = 15
 			response.TTLConditions = []model.CustomRetentionRule{}
-			response.Status = constants.StatusFailed
+			response.Status = constants.StatusSuccess
 			response.ColdStorageTTLDays = -1
 			return response, nil
 		}

pkg/signoz/handler_test.go

@@ -11,6 +11,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/alertmanager/signozalertmanager"
 	"github.com/SigNoz/signoz/pkg/emailing/emailingtest"
 	"github.com/SigNoz/signoz/pkg/factory/factorytest"
+	"github.com/SigNoz/signoz/pkg/flagger"
+	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/querier"
@@ -41,7 +43,13 @@ func TestNewHandlers(t *testing.T) {
 	queryParser := queryparser.New(providerSettings)
 	require.NoError(t, err)
 	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule)
+
+	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
+	if err != nil {
+		t.Fatalf("failed to create flagger: %v", err)
+	}
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, flagger)
 
 	querierHandler := querier.NewHandler(providerSettings, nil, nil)
 	handlers := NewHandlers(modules, providerSettings, nil, querierHandler, nil, nil, nil, nil, nil, nil, nil)

pkg/signoz/module.go

@@ -8,6 +8,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/apdex"
 	"github.com/SigNoz/signoz/pkg/modules/apdex/implapdex"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -66,6 +67,7 @@ type Modules struct {
 	SpanPercentile  spanpercentile.Module
 	MetricsExplorer metricsexplorer.Module
 	Promote         promote.Module
+	Flagger         flagger.Flagger
 }
 
 func NewModules(
@@ -85,6 +87,7 @@ func NewModules(
 	queryParser queryparser.QueryParser,
 	config Config,
 	dashboard dashboard.Module,
+	flagger flagger.Flagger,
 ) Modules {
 	quickfilter := implquickfilter.NewModule(implquickfilter.NewStore(sqlstore))
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
@@ -110,5 +113,6 @@ func NewModules(
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
 		Promote:         implpromote.NewModule(telemetryMetadataStore, telemetryStore),
+		Flagger:         flagger,
 	}
 }

pkg/signoz/module_test.go

@@ -11,6 +11,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/alertmanager/signozalertmanager"
 	"github.com/SigNoz/signoz/pkg/emailing/emailingtest"
 	"github.com/SigNoz/signoz/pkg/factory/factorytest"
+	"github.com/SigNoz/signoz/pkg/flagger"
+	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/queryparser"
@@ -40,7 +42,13 @@ func TestNewModules(t *testing.T) {
 	queryParser := queryparser.New(providerSettings)
 	require.NoError(t, err)
 	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule)
+
+	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
+	if err != nil {
+		t.Fatalf("failed to create flagger: %v", err)
+	}
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, flagger)
 
 	reflectVal := reflect.ValueOf(modules)
 	for i := 0; i < reflectVal.NumField(); i++ {

pkg/signoz/provider.go

@@ -239,7 +239,7 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			orgGetter,
 			authz,
 			implorganization.NewHandler(modules.OrgGetter, modules.OrgSetter),
-			impluser.NewHandler(modules.User, modules.UserGetter),
+			impluser.NewHandler(modules.User, modules.UserGetter, modules.Flagger),
 			implsession.NewHandler(modules.Session),
 			implauthdomain.NewHandler(modules.AuthDomain),
 			implpreference.NewHandler(modules.Preference),

pkg/signoz/signoz.go

@@ -388,7 +388,7 @@ func New(
 	}
 
 	// Initialize all modules
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, flagger)
 
 	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.User, orgGetter, authz, config.User.Root)