Merge branch 'main' into platform-pod/issues/2266

Break the ~320-line resourcedef.go into cohesive files within the handler
package (pure relocation, no behavior or API change):

- extractor.go        — extraction: ExtractorContext, phases, extractors + constructors
- resourcedef.go      — declaration: ResourceDef/ResourcesDef/RelatedResource/
                         ResourceSpec + their functions (resolveRequest, ResolveRequest)
                         and the selectors
- resolved_resource.go — resolved types + their functions (resolve,
                         newResolvedRelated, FinalizeResponseIDs, HasResponseIDs)
- resolved_context.go — context plumbing (resolvedKey + accessors)

Each file's imports narrow to its concern; mux/gjson are now confined to
extractor.go.

conf/example.yaml

@@ -440,6 +440,17 @@ traces:
     max_depth_to_auto_expand: 5
     # Threshold below which all spans are returned without windowing.
     max_limit_to_select_all_spans: 10000
+  flamegraph:
+    # Maximum number of BFS depth levels included in a windowed response.
+    max_selected_levels: 50
+    # Maximum spans per level before sampling is applied.
+    max_spans_per_level: 100
+    # Number of highest-latency spans always included when sampling a level.
+    sampling_top_latency_count: 5
+    # Number of timestamp buckets used for uniform sampling within a level.
+    sampling_bucket_count: 50
+    # Threshold below which all spans are returned without windowing or sampling.
+    select_all_spans_limit: 100000
 
 ##################### Authz #################################
 authz:

docs/api/openapi.yml

@@ -6638,6 +6638,70 @@ components:
       - attribute
       - resource
       type: string
+    SpantypesFlamegraphSpan:
+      properties:
+        attributes:
+          additionalProperties: {}
+          type: object
+        durationNano:
+          minimum: 0
+          type: integer
+        event:
+          items:
+            $ref: '#/components/schemas/SpantypesEvent'
+          type: array
+        hasError:
+          type: boolean
+        level:
+          format: int64
+          type: integer
+        name:
+          type: string
+        parentSpanId:
+          type: string
+        resource:
+          additionalProperties:
+            type: string
+          type: object
+        spanId:
+          type: string
+        timestamp:
+          minimum: 0
+          type: integer
+      required:
+      - spanId
+      - parentSpanId
+      - timestamp
+      - durationNano
+      - hasError
+      - name
+      - level
+      - event
+      - attributes
+      - resource
+      type: object
+    SpantypesGettableFlamegraphTrace:
+      properties:
+        endTimestampMillis:
+          format: int64
+          type: integer
+        hasMore:
+          type: boolean
+        spans:
+          items:
+            items:
+              $ref: '#/components/schemas/SpantypesFlamegraphSpan'
+            type: array
+          type: array
+        startTimestampMillis:
+          format: int64
+          type: integer
+      required:
+      - spans
+      - startTimestampMillis
+      - endTimestampMillis
+      - hasMore
+      type: object
     SpantypesGettableSpanMapperGroups:
       properties:
         items:
@@ -6703,6 +6767,15 @@ components:
         traceId:
           type: string
       type: object
+    SpantypesPostableFlamegraph:
+      properties:
+        selectFields:
+          items:
+            $ref: '#/components/schemas/TelemetrytypesTelemetryFieldKey'
+          type: array
+        selectedSpanId:
+          type: string
+      type: object
     SpantypesPostableSpanMapper:
       properties:
         config:
@@ -20535,6 +20608,75 @@ paths:
       summary: Put profile in Zeus for a deployment.
       tags:
       - zeus
+  /api/v3/traces/{traceID}/flamegraph:
+    post:
+      deprecated: false
+      description: Returns the flamegraph view of spans for a given trace ID.
+      operationId: GetFlamegraph
+      parameters:
+      - in: path
+        name: traceID
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SpantypesPostableFlamegraph'
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/SpantypesGettableFlamegraphTrace'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - VIEWER
+      - tokenizer:
+        - VIEWER
+      summary: Get flamegraph view for a trace
+      tags:
+      - tracedetail
   /api/v3/traces/{traceID}/waterfall:
     post:
       deprecated: false

ee/query-service/app/server.go

@@ -185,6 +185,7 @@ func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*h
 		s.config.APIServer.Timeout.Default,
 		s.config.APIServer.Timeout.Max,
 	).Wrap)
+	r.Use(middleware.NewResource(s.signoz.Instrumentation.Logger()).Wrap)
 	r.Use(middleware.NewAudit(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes, s.signoz.Auditor).Wrap)
 	r.Use(middleware.NewComment().Wrap)
 

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -7769,6 +7769,77 @@ export enum SpantypesFieldContextDTO {
 	attribute = 'attribute',
 	resource = 'resource',
 }
+export type SpantypesFlamegraphSpanDTOAttributes = { [key: string]: unknown };
+
+export type SpantypesFlamegraphSpanDTOResource = { [key: string]: string };
+
+export interface SpantypesFlamegraphSpanDTO {
+	/**
+	 * @type object
+	 */
+	attributes: SpantypesFlamegraphSpanDTOAttributes;
+	/**
+	 * @type integer
+	 * @minimum 0
+	 */
+	durationNano: number;
+	/**
+	 * @type array
+	 */
+	event: SpantypesEventDTO[];
+	/**
+	 * @type boolean
+	 */
+	hasError: boolean;
+	/**
+	 * @type integer
+	 * @format int64
+	 */
+	level: number;
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type string
+	 */
+	parentSpanId: string;
+	/**
+	 * @type object
+	 */
+	resource: SpantypesFlamegraphSpanDTOResource;
+	/**
+	 * @type string
+	 */
+	spanId: string;
+	/**
+	 * @type integer
+	 * @minimum 0
+	 */
+	timestamp: number;
+}
+
+export interface SpantypesGettableFlamegraphTraceDTO {
+	/**
+	 * @type integer
+	 * @format int64
+	 */
+	endTimestampMillis: number;
+	/**
+	 * @type boolean
+	 */
+	hasMore: boolean;
+	/**
+	 * @type array
+	 */
+	spans: SpantypesFlamegraphSpanDTO[][];
+	/**
+	 * @type integer
+	 * @format int64
+	 */
+	startTimestampMillis: number;
+}
+
 export type SpantypesSpanMapperGroupConditionDTOAnyOf = {
 	/**
 	 * @type array,null
@@ -8070,6 +8141,17 @@ export interface SpantypesGettableWaterfallTraceDTO {
 	uncollapsedSpans?: string[] | null;
 }
 
+export interface SpantypesPostableFlamegraphDTO {
+	/**
+	 * @type array
+	 */
+	selectFields?: TelemetrytypesTelemetryFieldKeyDTO[];
+	/**
+	 * @type string
+	 */
+	selectedSpanId?: string;
+}
+
 export enum SpantypesSpanMapperOperationDTO {
 	move = 'move',
 	copy = 'copy',
@@ -10424,6 +10506,17 @@ export type GetHosts200 = {
 	status: string;
 };
 
+export type GetFlamegraphPathParameters = {
+	traceID: string;
+};
+export type GetFlamegraph200 = {
+	data: SpantypesGettableFlamegraphTraceDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type GetWaterfallPathParameters = {
 	traceID: string;
 };

frontend/src/api/generated/services/tracedetail/index.ts

@@ -12,6 +12,8 @@ import type {
 } from 'react-query';
 
 import type {
+	GetFlamegraph200,
+	GetFlamegraphPathParameters,
 	GetTraceAggregations200,
 	GetTraceAggregationsPathParameters,
 	GetWaterfall200,
@@ -19,6 +21,7 @@ import type {
 	GetWaterfallV4200,
 	GetWaterfallV4PathParameters,
 	RenderErrorResponseDTO,
+	SpantypesPostableFlamegraphDTO,
 	SpantypesPostableTraceAggregationsDTO,
 	SpantypesPostableWaterfallDTO,
 } from '../sigNoz.schemas';
@@ -126,6 +129,105 @@ export const useGetTraceAggregations = <
 > => {
 	return useMutation(getGetTraceAggregationsMutationOptions(options));
 };
+/**
+ * Returns the flamegraph view of spans for a given trace ID.
+ * @summary Get flamegraph view for a trace
+ */
+export const getFlamegraph = (
+	{ traceID }: GetFlamegraphPathParameters,
+	spantypesPostableFlamegraphDTO?: BodyType<SpantypesPostableFlamegraphDTO>,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetFlamegraph200>({
+		url: `/api/v3/traces/${traceID}/flamegraph`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: spantypesPostableFlamegraphDTO,
+		signal,
+	});
+};
+
+export const getGetFlamegraphMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof getFlamegraph>>,
+		TError,
+		{
+			pathParams: GetFlamegraphPathParameters;
+			data?: BodyType<SpantypesPostableFlamegraphDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof getFlamegraph>>,
+	TError,
+	{
+		pathParams: GetFlamegraphPathParameters;
+		data?: BodyType<SpantypesPostableFlamegraphDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['getFlamegraph'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+			'mutationKey' in options.mutation &&
+			options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof getFlamegraph>>,
+		{
+			pathParams: GetFlamegraphPathParameters;
+			data?: BodyType<SpantypesPostableFlamegraphDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return getFlamegraph(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type GetFlamegraphMutationResult = NonNullable<
+	Awaited<ReturnType<typeof getFlamegraph>>
+>;
+export type GetFlamegraphMutationBody =
+	| BodyType<SpantypesPostableFlamegraphDTO>
+	| undefined;
+export type GetFlamegraphMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get flamegraph view for a trace
+ */
+export const useGetFlamegraph = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof getFlamegraph>>,
+		TError,
+		{
+			pathParams: GetFlamegraphPathParameters;
+			data?: BodyType<SpantypesPostableFlamegraphDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof getFlamegraph>>,
+	TError,
+	{
+		pathParams: GetFlamegraphPathParameters;
+		data?: BodyType<SpantypesPostableFlamegraphDTO>;
+	},
+	TContext
+> => {
+	return useMutation(getGetFlamegraphMutationOptions(options));
+};
 /**
  * Returns the waterfall view of spans for a given trace ID with tree structure, metadata, and windowed pagination
  * @summary Get waterfall view for a trace

pkg/apiserver/signozapiserver/registry.go

@@ -55,6 +55,11 @@ func (handler *healthOpenAPIHandler) AuditDef() *pkghandler.AuditDef {
 	return nil
 }
 
+func (handler *healthOpenAPIHandler) ResourceDefs() []pkghandler.ResourceSpec {
+	// Health endpoints don't act on resources.
+	return nil
+}
+
 func (provider *provider) addRegistryRoutes(router *mux.Router) error {
 	if err := router.Handle("/api/v2/healthz", newHealthOpenAPIHandler(
 		provider.authzMiddleware.OpenAccess(provider.factoryHandler.Healthz),

pkg/apiserver/signozapiserver/role.go

@@ -5,168 +5,200 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/audittypes"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/coretypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
 
 func (provider *provider) addRoleRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/roles", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Create, authtypes.Relation{Verb: coretypes.VerbCreate}, coretypes.ResourceRole, roleCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "CreateRole",
-		Tags:                []string{"role"},
-		Summary:             "Create role",
-		Description:         "This endpoint creates a role",
-		Request:             new(authtypes.PostableRole),
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbCreate)}),
-	})).Methods(http.MethodPost).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Create, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "CreateRole",
+			Tags:                []string{"role"},
+			Summary:             "Create role",
+			Description:         "This endpoint creates a role",
+			Request:             new(authtypes.PostableRole),
+			RequestContentType:  "",
+			Response:            new(types.Identifiable),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusCreated,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbCreate)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbCreate,
+			ID:       handler.ResponseJSONPath("data.id"),
+			Selector: handler.WildcardSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles", handler.New(provider.authzMiddleware.Check(provider.authzHandler.List, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceRole, roleCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "ListRoles",
-		Tags:                []string{"role"},
-		Summary:             "List roles",
-		Description:         "This endpoint lists all roles",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*authtypes.Role, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbList)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.List, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "ListRoles",
+			Tags:                []string{"role"},
+			Summary:             "List roles",
+			Description:         "This endpoint lists all roles",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            make([]*authtypes.Role, 0),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbList)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbList,
+			Selector: handler.WildcardSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Get, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "GetRole",
-		Tags:                []string{"role"},
-		Summary:             "Get role",
-		Description:         "This endpoint gets a role",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(authtypes.Role),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Get, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "GetRole",
+			Tags:                []string{"role"},
+			Summary:             "Get role",
+			Description:         "This endpoint gets a role",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new(authtypes.Role),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbRead,
+			ID:       handler.PathParam("id"),
+			Selector: provider.roleSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(provider.authzMiddleware.Check(provider.authzHandler.GetObjects, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "GetObjects",
-		Tags:                []string{"role"},
-		Summary:             "Get objects for a role by relation",
-		Description:         "Gets all objects connected to the specified role via a given relation type",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*coretypes.ObjectGroup, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.GetObjects, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "GetObjects",
+			Tags:                []string{"role"},
+			Summary:             "Get objects for a role by relation",
+			Description:         "Gets all objects connected to the specified role via a given relation type",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            make([]*coretypes.ObjectGroup, 0),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbRead,
+			ID:       handler.PathParam("id"),
+			Selector: provider.roleSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Patch, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "PatchRole",
-		Tags:                []string{"role"},
-		Summary:             "Patch role",
-		Description:         "This endpoint patches a role",
-		Request:             new(authtypes.PatchableRole),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
-	})).Methods(http.MethodPatch).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Patch, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "PatchRole",
+			Tags:                []string{"role"},
+			Summary:             "Patch role",
+			Description:         "This endpoint patches a role",
+			Request:             new(authtypes.PatchableRole),
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbUpdate,
+			ID:       handler.PathParam("id"),
+			Selector: provider.roleSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodPatch).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(provider.authzMiddleware.Check(provider.authzHandler.PatchObjects, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "PatchObjects",
-		Tags:                []string{"role"},
-		Summary:             "Patch objects for a role by relation",
-		Description:         "Patches the objects connected to the specified role via a given relation type",
-		Request:             new(coretypes.PatchableObjects),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
-	})).Methods(http.MethodPatch).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.PatchObjects, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "PatchObjects",
+			Tags:                []string{"role"},
+			Summary:             "Patch objects for a role by relation",
+			Description:         "Patches the objects connected to the specified role via a given relation type",
+			Request:             new(coretypes.PatchableObjects),
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbUpdate,
+			ID:       handler.PathParam("id"),
+			Selector: provider.roleSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodPatch).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Delete, authtypes.Relation{Verb: coretypes.VerbDelete}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "DeleteRole",
-		Tags:                []string{"role"},
-		Summary:             "Delete role",
-		Description:         "This endpoint deletes a role",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
+	if err := router.Handle("/api/v1/roles/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Delete, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "DeleteRole",
+			Tags:                []string{"role"},
+			Summary:             "Delete role",
+			Description:         "This endpoint deletes a role",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbDelete,
+			ID:       handler.PathParam("id"),
+			Selector: provider.roleSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
 	return nil
 }
-
-func roleCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	return []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func (provider *provider) roleInstanceSelectorCallback(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {
-	roleID, err := valuer.NewUUID(mux.Vars(req)["id"])
-	if err != nil {
-		return nil, err
-	}
-
-	role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), roleID)
-	if err != nil {
-		return nil, err
-	}
-
-	return []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(role.Name),
-		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}

pkg/apiserver/signozapiserver/serviceaccount.go

@@ -1,14 +1,12 @@
 package signozapiserver
 
 import (
-	"bytes"
-	"encoding/json"
-	"io"
+	"context"
 	"net/http"
 
 	"github.com/SigNoz/signoz/pkg/http/handler"
-	"github.com/SigNoz/signoz/pkg/http/middleware"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/audittypes"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
@@ -17,41 +15,56 @@ import (
 )
 
 func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Create, authtypes.Relation{Verb: coretypes.VerbCreate}, coretypes.ResourceServiceAccount, serviceAccountCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create service account",
-		Description:         "This endpoint creates a service account",
-		Request:             new(serviceaccounttypes.PostableServiceAccount),
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbCreate)}),
-	})).Methods(http.MethodPost).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Create, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "CreateServiceAccount",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Create service account",
+			Description:         "This endpoint creates a service account",
+			Request:             new(serviceaccounttypes.PostableServiceAccount),
+			RequestContentType:  "",
+			Response:            new(types.Identifiable),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusCreated,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbCreate)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbCreate,
+			ID:       handler.ResponseJSONPath("data.id"),
+			Selector: handler.WildcardSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.List, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceServiceAccount, serviceAccountCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "ListServiceAccounts",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "List service accounts",
-		Description:         "This endpoint lists the service accounts for an organisation",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*serviceaccounttypes.ServiceAccount, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbList)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.List, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "ListServiceAccounts",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "List service accounts",
+			Description:         "This endpoint lists the service accounts for an organisation",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            make([]*serviceaccounttypes.ServiceAccount, 0),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbList)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbList,
+			Selector: handler.WildcardSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
@@ -72,89 +85,133 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Get, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "GetServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Gets a service account",
-		Description:         "This endpoint gets an existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(serviceaccounttypes.ServiceAccountWithRoles),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Get, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "GetServiceAccount",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Gets a service account",
+			Description:         "This endpoint gets an existing service account",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new(serviceaccounttypes.ServiceAccountWithRoles),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbRead,
+			ID:       handler.PathParam("id"),
+			Selector: handler.IDSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.GetRoles, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "GetServiceAccountRoles",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Gets service account roles",
-		Description:         "This endpoint gets all the roles for the existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new([]*authtypes.Role),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.GetRoles, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "GetServiceAccountRoles",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Gets service account roles",
+			Description:         "This endpoint gets all the roles for the existing service account",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new([]*authtypes.Role),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbRead,
+			ID:       handler.PathParam("id"),
+			Selector: handler.IDSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.SetRole, []middleware.AuthZCheckGroup{
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceRole, SelectorCallback: provider.roleAttachSelectorFromBody, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-	}), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccountRole",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create service account role",
-		Description:         "This endpoint assigns a role to a service account",
-		Request:             new(serviceaccounttypes.PostableServiceAccountRole),
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach), coretypes.ResourceRole.Scope(coretypes.VerbAttach)}),
-	})).Methods(http.MethodPost).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.SetRole, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "CreateServiceAccountRole",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Create service account role",
+			Description:         "This endpoint assigns a role to a service account",
+			Request:             new(serviceaccounttypes.PostableServiceAccountRole),
+			RequestContentType:  "",
+			Response:            new(types.Identifiable),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusCreated,
+			ErrorStatusCodes:    []int{http.StatusBadRequest},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach), coretypes.ResourceRole.Scope(coretypes.VerbAttach)}),
+		},
+		handler.WithResourceDefs(
+			handler.ResourceDef{
+				Resource: coretypes.ResourceServiceAccount,
+				Verb:     coretypes.VerbAttach,
+				ID:       handler.PathParam("id"),
+				Selector: handler.IDSelector,
+				Category: audittypes.ActionCategoryAccessControl,
+				Related:  &handler.RelatedResource{Resource: coretypes.ResourceRole, ID: handler.BodyJSONPath("id")},
+			},
+			handler.ResourceDef{
+				Resource: coretypes.ResourceRole,
+				Verb:     coretypes.VerbAttach,
+				ID:       handler.BodyJSONPath("id"),
+				Selector: provider.roleSelector,
+				Category: audittypes.ActionCategoryAccessControl,
+				Related:  &handler.RelatedResource{Resource: coretypes.ResourceServiceAccount, ID: handler.PathParam("id")},
+			},
+		),
+	)).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.DeleteRole, []middleware.AuthZCheckGroup{
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceRole, SelectorCallback: provider.roleDetachSelectorFromPath, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-	}), handler.OpenAPIDef{
-		ID:                  "DeleteServiceAccountRole",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Delete service account role",
-		Description:         "This endpoint revokes a role from service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach), coretypes.ResourceRole.Scope(coretypes.VerbDetach)}),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.DeleteRole, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "DeleteServiceAccountRole",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Delete service account role",
+			Description:         "This endpoint revokes a role from service account",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach), coretypes.ResourceRole.Scope(coretypes.VerbDetach)}),
+		},
+		handler.WithResourceDefs(
+			handler.ResourceDef{
+				Resource: coretypes.ResourceServiceAccount,
+				Verb:     coretypes.VerbDetach,
+				ID:       handler.PathParam("id"),
+				Selector: handler.IDSelector,
+				Category: audittypes.ActionCategoryAccessControl,
+				Related:  &handler.RelatedResource{Resource: coretypes.ResourceRole, ID: handler.PathParam("rid")},
+			},
+			handler.ResourceDef{
+				Resource: coretypes.ResourceRole,
+				Verb:     coretypes.VerbDetach,
+				ID:       handler.PathParam("rid"),
+				Selector: provider.roleSelector,
+				Category: audittypes.ActionCategoryAccessControl,
+				Related:  &handler.RelatedResource{Resource: coretypes.ResourceServiceAccount, ID: handler.PathParam("id")},
+			},
+		),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
@@ -175,208 +232,207 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Update, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "UpdateServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Updates a service account",
-		Description:         "This endpoint updates an existing service account",
-		Request:             new(serviceaccounttypes.UpdatableServiceAccount),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),
-	})).Methods(http.MethodPut).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Update, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "UpdateServiceAccount",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Updates a service account",
+			Description:         "This endpoint updates an existing service account",
+			Request:             new(serviceaccounttypes.UpdatableServiceAccount),
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbUpdate,
+			ID:       handler.PathParam("id"),
+			Selector: handler.IDSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodPut).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Delete, authtypes.Relation{Verb: coretypes.VerbDelete}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "DeleteServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Deletes a service account",
-		Description:         "This endpoint deletes an existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDelete)}),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Delete, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "DeleteServiceAccount",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Deletes a service account",
+			Description:         "This endpoint deletes an existing service account",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDelete)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceServiceAccount,
+			Verb:     coretypes.VerbDelete,
+			ID:       handler.PathParam("id"),
+			Selector: handler.IDSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.CreateFactorAPIKey, []middleware.AuthZCheckGroup{
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbCreate}, Resource: coretypes.ResourceMetaResourceFactorAPIKey, SelectorCallback: factorAPIKeyCollectionSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-	}), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create a service account key",
-		Description:         "This endpoint creates a service account key",
-		Request:             new(serviceaccounttypes.PostableFactorAPIKey),
-		RequestContentType:  "",
-		Response:            new(serviceaccounttypes.GettableFactorAPIKeyWithKey),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbCreate), coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach)}),
-	})).Methods(http.MethodPost).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.CreateFactorAPIKey, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "CreateServiceAccountKey",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Create a service account key",
+			Description:         "This endpoint creates a service account key",
+			Request:             new(serviceaccounttypes.PostableFactorAPIKey),
+			RequestContentType:  "",
+			Response:            new(serviceaccounttypes.GettableFactorAPIKeyWithKey),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusCreated,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbCreate), coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach)}),
+		},
+		handler.WithResourceDefs(
+			handler.ResourceDef{
+				Resource: coretypes.ResourceMetaResourceFactorAPIKey,
+				Verb:     coretypes.VerbCreate,
+				ID:       handler.ResponseJSONPath("data.id"),
+				Selector: handler.WildcardSelector,
+				Category: audittypes.ActionCategoryAccessControl,
+			},
+			handler.ResourceDef{
+				Resource: coretypes.ResourceServiceAccount,
+				Verb:     coretypes.VerbAttach,
+				ID:       handler.PathParam("id"),
+				Selector: handler.IDSelector,
+				Category: audittypes.ActionCategoryAccessControl,
+				Related:  &handler.RelatedResource{Resource: coretypes.ResourceMetaResourceFactorAPIKey, ID: handler.ResponseJSONPath("data.id")},
+			},
+		),
+	)).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.ListFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceMetaResourceFactorAPIKey, factorAPIKeyCollectionSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "ListServiceAccountKeys",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "List service account keys",
-		Description:         "This endpoint lists the service account keys",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*serviceaccounttypes.GettableFactorAPIKey, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbList)}),
-	})).Methods(http.MethodGet).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.ListFactorAPIKey, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "ListServiceAccountKeys",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "List service account keys",
+			Description:         "This endpoint lists the service account keys",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            make([]*serviceaccounttypes.GettableFactorAPIKey, 0),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbList)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceMetaResourceFactorAPIKey,
+			Verb:     coretypes.VerbList,
+			Selector: handler.WildcardSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.UpdateFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceMetaResourceFactorAPIKey, factorAPIKeyInstanceSelectorCallback, []string{
-		authtypes.SigNozAdminRoleName,
-	}), handler.OpenAPIDef{
-		ID:                  "UpdateServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Updates a service account key",
-		Description:         "This endpoint updates an existing service account key",
-		Request:             new(serviceaccounttypes.UpdatableFactorAPIKey),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbUpdate)}),
-	})).Methods(http.MethodPut).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.UpdateFactorAPIKey, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "UpdateServiceAccountKey",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Updates a service account key",
+			Description:         "This endpoint updates an existing service account key",
+			Request:             new(serviceaccounttypes.UpdatableFactorAPIKey),
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbUpdate)}),
+		},
+		handler.WithResourceDefs(handler.ResourceDef{
+			Resource: coretypes.ResourceMetaResourceFactorAPIKey,
+			Verb:     coretypes.VerbUpdate,
+			ID:       handler.PathParam("fid"),
+			Selector: handler.IDSelector,
+			Category: audittypes.ActionCategoryAccessControl,
+		}),
+	)).Methods(http.MethodPut).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.RevokeFactorAPIKey, []middleware.AuthZCheckGroup{
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbDelete}, Resource: coretypes.ResourceMetaResourceFactorAPIKey, SelectorCallback: factorAPIKeyInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-		{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
-			authtypes.SigNozAdminRoleName,
-		}}},
-	}), handler.OpenAPIDef{
-		ID:                  "RevokeServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Revoke a service account key",
-		Description:         "This endpoint revokes an existing service account key",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbDelete), coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach)}),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.RevokeFactorAPIKey, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "RevokeServiceAccountKey",
+			Tags:                []string{"serviceaccount"},
+			Summary:             "Revoke a service account key",
+			Description:         "This endpoint revokes an existing service account key",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbDelete), coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach)}),
+		},
+		handler.WithResourceDefs(
+			handler.ResourceDef{
+				Resource: coretypes.ResourceMetaResourceFactorAPIKey,
+				Verb:     coretypes.VerbDelete,
+				ID:       handler.PathParam("fid"),
+				Selector: handler.IDSelector,
+				Category: audittypes.ActionCategoryAccessControl,
+			},
+			handler.ResourceDef{
+				Resource: coretypes.ResourceServiceAccount,
+				Verb:     coretypes.VerbDetach,
+				ID:       handler.PathParam("id"),
+				Selector: handler.IDSelector,
+				Category: audittypes.ActionCategoryAccessControl,
+				Related:  &handler.RelatedResource{Resource: coretypes.ResourceMetaResourceFactorAPIKey, ID: handler.PathParam("fid")},
+			},
+		),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
 	return nil
 }
 
-func (provider *provider) roleDetachSelectorFromPath(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {
-	roleID, err := valuer.NewUUID(mux.Vars(req)["rid"])
+// roleSelector resolves the FGA selectors for a role from its UUID. The id is
+// already extracted by the ResourceDef (path or body); this only does the
+// UUID -> name lookup the FGA object string requires. Shared by service account
+// and role routes.
+func (provider *provider) roleSelector(ctx context.Context, resource coretypes.Resource, id string, claims authtypes.Claims) ([]coretypes.Selector, error) {
+	roleID, err := valuer.NewUUID(id)
 	if err != nil {
 		return nil, err
 	}
 
-	role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), roleID)
+	role, err := provider.authzService.Get(ctx, valuer.MustNewUUID(claims.OrgID), roleID)
 	if err != nil {
 		return nil, err
 	}
 
 	return []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(role.Name),
-		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-
-}
-
-func (provider *provider) roleAttachSelectorFromBody(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {
-	body, err := io.ReadAll(req.Body)
-	if err != nil {
-		return nil, err
-	}
-	req.Body = io.NopCloser(bytes.NewReader(body))
-
-	postableRole := new(serviceaccounttypes.PostableServiceAccountRole)
-	if err := json.Unmarshal(body, postableRole); err != nil {
-		return nil, err
-	}
-
-	role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), postableRole.ID)
-	if err != nil {
-		return nil, err
-	}
-
-	return []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(role.Name),
-		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func factorAPIKeyCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	return []coretypes.Selector{
-		coretypes.TypeMetaResource.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func factorAPIKeyInstanceSelectorCallback(req *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	fid := mux.Vars(req)["fid"]
-	fidSelector, err := coretypes.TypeMetaResource.Selector(fid)
-	if err != nil {
-		return nil, err
-	}
-
-	return []coretypes.Selector{
-		fidSelector,
-		coretypes.TypeMetaResource.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func serviceAccountCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	return []coretypes.Selector{
-		coretypes.TypeServiceAccount.MustSelector(coretypes.WildCardSelectorString),
-	}, nil
-}
-
-func serviceAccountInstanceSelectorCallback(req *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
-	id := mux.Vars(req)["id"]
-	idSelector, err := coretypes.TypeServiceAccount.Selector(id)
-	if err != nil {
-		return nil, err
-	}
-
-	return []coretypes.Selector{
-		idSelector,
-		coretypes.TypeServiceAccount.MustSelector(coretypes.WildCardSelectorString),
+		resource.Type().MustSelector(role.Name),
+		resource.Type().MustSelector(coretypes.WildCardSelectorString),
 	}, nil
 }

pkg/apiserver/signozapiserver/tracedetail.go

@@ -67,5 +67,24 @@ func (provider *provider) addTraceDetailRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v3/traces/{traceID}/flamegraph", handler.New(
+		provider.authzMiddleware.ViewAccess(provider.traceDetailHandler.GetFlamegraph),
+		handler.OpenAPIDef{
+			ID:                  "GetFlamegraph",
+			Tags:                []string{"tracedetail"},
+			Summary:             "Get flamegraph view for a trace",
+			Description:         "Returns the flamegraph view of spans for a given trace ID.",
+			Request:             new(spantypes.PostableFlamegraph),
+			RequestContentType:  "application/json",
+			Response:            new(spantypes.GettableFlamegraphTrace),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+			SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
+		},
+	)).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
 	return nil
 }

pkg/auditor/auditorserver/server_test.go

@@ -20,16 +20,16 @@ func newTestSettings() factory.ScopedProviderSettings {
 	return factory.NewScopedProviderSettings(instrumentationtest.New().ToProviderSettings(), "auditorserver_test")
 }
 
-func newTestEvent(resource string, action coretypes.Verb) audittypes.AuditEvent {
+func newTestEvent(resource coretypes.Resource, action coretypes.Verb) audittypes.AuditEvent {
 	return audittypes.AuditEvent{
 		Timestamp: time.Now(),
-		EventName: audittypes.NewEventName(coretypes.MustNewKind(resource), action),
+		EventName: audittypes.NewEventName(resource.Kind(), action),
 		AuditAttributes: audittypes.AuditAttributes{
 			Action:  action,
 			Outcome: audittypes.OutcomeSuccess,
 		},
 		ResourceAttributes: audittypes.ResourceAttributes{
-			ResourceKind: coretypes.MustNewKind(resource),
+			Resource: resource,
 		},
 	}
 }
@@ -84,7 +84,7 @@ func TestAdd_FlushesOnBatchSize(t *testing.T) {
 	go func() { _ = server.Start(ctx) }()
 
 	for i := 0; i < 3; i++ {
-		server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
+		server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))
 	}
 
 	assert.Eventually(t, func() bool {
@@ -113,7 +113,7 @@ func TestAdd_FlushesOnInterval(t *testing.T) {
 
 	go func() { _ = server.Start(ctx) }()
 
-	server.Add(ctx, newTestEvent("user", coretypes.VerbUpdate))
+	server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbUpdate))
 
 	assert.Eventually(t, func() bool {
 		return exported.Load() == 1
@@ -131,9 +131,9 @@ func TestAdd_DropsWhenBufferFull(t *testing.T) {
 
 	ctx := context.Background()
 
-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbUpdate))
-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbDelete))
+	server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))
+	server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbUpdate))
+	server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbDelete))
 
 	assert.Equal(t, 2, server.queueLen())
 }
@@ -156,7 +156,7 @@ func TestStop_DrainsRemainingEvents(t *testing.T) {
 	go func() { _ = server.Start(ctx) }()
 
 	for i := 0; i < 5; i++ {
-		server.Add(ctx, newTestEvent("alert-rule", coretypes.VerbCreate))
+		server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceRule, coretypes.VerbCreate))
 	}
 
 	require.NoError(t, server.Stop(ctx))
@@ -181,8 +181,8 @@ func TestAdd_ContinuesAfterExportFailure(t *testing.T) {
 
 	go func() { _ = server.Start(ctx) }()
 
-	server.Add(ctx, newTestEvent("user", coretypes.VerbDelete))
-	server.Add(ctx, newTestEvent("user", coretypes.VerbDelete))
+	server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbDelete))
+	server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbDelete))
 
 	assert.Eventually(t, func() bool {
 		return calls.Load() >= 1
@@ -213,7 +213,7 @@ func TestAdd_ConcurrentSafety(t *testing.T) {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
+			server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))
 		}()
 	}
 	wg.Wait()

pkg/http/handler/extractor.go

@@ -0,0 +1,103 @@
+// Resource id extraction from the request/response.
+package handler
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+	"github.com/tidwall/gjson"
+)
+
+// ExtractorContext carries everything an extractor may read. The resource
+// middleware fills Request + RequestBody pre-handler; the audit middleware adds
+// ResponseBody post-handler. Each extractor is run exactly once, in the phase
+// whose data it needs.
+type ExtractorContext struct {
+	Request      *http.Request
+	RequestBody  []byte
+	ResponseBody []byte
+}
+
+// extractPhase marks whether an extractor reads request-side data (resolved
+// pre-handler by the resource middleware) or response-side data (resolved
+// post-handler by the audit middleware).
+type extractPhase int
+
+const (
+	phaseRequest extractPhase = iota
+	phaseResponse
+)
+
+// ResourceIDExtractor resolves a single resource id. Phase-tagged so the
+// resolver runs it exactly once in the right phase. The declaration API exposes
+// only the constructors below, so the phase is an internal detail.
+type ResourceIDExtractor struct {
+	phase extractPhase
+	fn    func(ExtractorContext) (string, error)
+}
+
+// isPhase reports whether this extractor is runnable in the given phase.
+func (extractor ResourceIDExtractor) isPhase(phase extractPhase) bool {
+	return extractor.fn != nil && extractor.phase == phase
+}
+
+// runFor runs the extractor against ec when it belongs to phase, reporting
+// whether it ran.
+func (extractor ResourceIDExtractor) runFor(phase extractPhase, ec ExtractorContext) (string, bool) {
+	if !extractor.isPhase(phase) {
+		return "", false
+	}
+
+	id, _ := extractor.fn(ec)
+	return id, true
+}
+
+// ResourceIDsExtractor resolves multiple resource ids (fan-out). Always
+// request-phase — arrays come from the request body.
+type ResourceIDsExtractor struct {
+	phase extractPhase
+	fn    func(ExtractorContext) ([]string, error)
+}
+
+// PathParam reads a gorilla/mux path variable. Request-phase.
+func PathParam(name string) ResourceIDExtractor {
+	return ResourceIDExtractor{phase: phaseRequest, fn: func(ec ExtractorContext) (string, error) {
+		if ec.Request == nil {
+			return "", nil
+		}
+		return mux.Vars(ec.Request)[name], nil
+	}}
+}
+
+// BodyJSONPath reads a gjson path from the request body. Request-phase.
+func BodyJSONPath(path string) ResourceIDExtractor {
+	return ResourceIDExtractor{phase: phaseRequest, fn: func(ec ExtractorContext) (string, error) {
+		return gjson.GetBytes(ec.RequestBody, path).String(), nil
+	}}
+}
+
+// BodyJSONArray reads a JSON array of strings from the request body. Request-phase.
+func BodyJSONArray(path string) ResourceIDsExtractor {
+	return ResourceIDsExtractor{phase: phaseRequest, fn: func(ec ExtractorContext) ([]string, error) {
+		result := gjson.GetBytes(ec.RequestBody, path)
+		if !result.Exists() {
+			return nil, nil
+		}
+
+		array := result.Array()
+		ids := make([]string, 0, len(array))
+		for _, r := range array {
+			ids = append(ids, r.String())
+		}
+
+		return ids, nil
+	}}
+}
+
+// ResponseJSONPath reads a gjson path from the response body. Response-phase —
+// yields "" pre-handler and the real value post-handler.
+func ResponseJSONPath(path string) ResourceIDExtractor {
+	return ResourceIDExtractor{phase: phaseResponse, fn: func(ec ExtractorContext) (string, error) {
+		return gjson.GetBytes(ec.ResponseBody, path).String(), nil
+	}}
+}

pkg/http/handler/handler.go

@@ -16,12 +16,14 @@ type Handler interface {
 	http.Handler
 	ServeOpenAPI(openapi.OperationContext)
 	AuditDef() *AuditDef
+	ResourceDefs() []ResourceSpec
 }
 
 type handler struct {
-	handlerFunc http.HandlerFunc
-	openAPIDef  OpenAPIDef
-	auditDef    *AuditDef
+	handlerFunc  http.HandlerFunc
+	openAPIDef   OpenAPIDef
+	auditDef     *AuditDef
+	resourceDefs []ResourceSpec
 }
 
 func New(handlerFunc http.HandlerFunc, openAPIDef OpenAPIDef, opts ...Option) Handler {
@@ -133,3 +135,7 @@ func (handler *handler) ServeOpenAPI(opCtx openapi.OperationContext) {
 func (handler *handler) AuditDef() *AuditDef {
 	return handler.auditDef
 }
+
+func (handler *handler) ResourceDefs() []ResourceSpec {
+	return handler.resourceDefs
+}

pkg/http/handler/option.go

@@ -23,3 +23,12 @@ func WithAuditDef(def AuditDef) Option {
 		h.auditDef = &def
 	}
 }
+
+// WithResourceDefs attaches one or more resource specs (ResourceDef /
+// ResourcesDef) to the handler. The resource middleware resolves them and the
+// authz + audit middlewares read the result.
+func WithResourceDefs(defs ...ResourceSpec) Option {
+	return func(h *handler) {
+		h.resourceDefs = append(h.resourceDefs, defs...)
+	}
+}

pkg/http/handler/resolved_context.go

@@ -0,0 +1,33 @@
+// Storing and retrieving the resolved resource list on the request context.
+package handler
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+)
+
+var errCodeResolvedResourcesNotFound = errors.MustNewCode("resolved_resources_not_found")
+
+// resolvedKey is the context key under which the resolved resource list is stored.
+type resolvedKey struct{}
+
+// NewContextWithResolvedResources stores the resolved resource list in the
+// context. Entries are pointers so the audit middleware can finalize
+// response-phase ids in place after the handler runs.
+func NewContextWithResolvedResources(ctx context.Context, resolved []*ResolvedResource) context.Context {
+	return context.WithValue(ctx, resolvedKey{}, resolved)
+}
+
+// ResolvedResourcesFromContext returns the resolved resource list placed by the
+// Resource middleware, or an error if no list is present (the route declared no
+// ResourceDefs or the Resource middleware is not wired). Entries are pointers so
+// the audit middleware can finalize response-phase ids in place.
+func ResolvedResourcesFromContext(ctx context.Context) ([]*ResolvedResource, error) {
+	resolved, ok := ctx.Value(resolvedKey{}).([]*ResolvedResource)
+	if !ok {
+		return nil, errors.New(errors.TypeInternal, errCodeResolvedResourcesNotFound, "resolved resources not found in context")
+	}
+
+	return resolved, nil
+}

pkg/http/handler/resolved_resource.go

@@ -0,0 +1,79 @@
+// The resolved output of a resource def, consumed by authz and audit.
+package handler
+
+import (
+	"github.com/SigNoz/signoz/pkg/types/audittypes"
+	"github.com/SigNoz/signoz/pkg/types/coretypes"
+)
+
+// ResolvedResource is the uniform output of resolution (after fan-out). ID is a
+// resolved string: request-phase ids are filled by the resource middleware;
+// response-phase ids stay "" until FinalizeResponseIDs runs in the audit
+// middleware. idExtractor is retained so resolve can run it in its phase.
+type ResolvedResource struct {
+	Resource    coretypes.Resource
+	Verb        coretypes.Verb
+	ID          string
+	Selector    SelectorFunc
+	Category    audittypes.ActionCategory
+	Related     *ResolvedRelated
+	idExtractor ResourceIDExtractor
+}
+
+// ResolvedRelated is the resolved counterpart for audit context.
+type ResolvedRelated struct {
+	Resource    coretypes.Resource
+	ID          string
+	idExtractor ResourceIDExtractor
+}
+
+// newResolvedRelated wires a related counterpart's structure. Its id is resolved
+// later by ResolvedResource.resolve, in the extractor's declared phase.
+func newResolvedRelated(related *RelatedResource) *ResolvedRelated {
+	if related == nil {
+		return nil
+	}
+
+	return &ResolvedRelated{Resource: related.Resource, idExtractor: related.ID}
+}
+
+// resolve fills this entry's ids whose extractor belongs to phase. Called once
+// per phase: phaseRequest by the resource middleware, phaseResponse by the audit
+// middleware. An extractor from a different phase is left untouched.
+func (resolved *ResolvedResource) resolve(phase extractPhase, ec ExtractorContext) {
+	if id, ok := resolved.idExtractor.runFor(phase, ec); ok {
+		resolved.ID = id
+	}
+
+	if resolved.Related != nil {
+		if id, ok := resolved.Related.idExtractor.runFor(phase, ec); ok {
+			resolved.Related.ID = id
+		}
+	}
+}
+
+// FinalizeResponseIDs runs the carried response-phase extractors against ec to
+// fill the ids that were unknown pre-handler. Called by the audit middleware
+// post-handler. Mutates the entries in place.
+func FinalizeResponseIDs(resolved []*ResolvedResource, ec ExtractorContext) {
+	for _, entry := range resolved {
+		entry.resolve(phaseResponse, ec)
+	}
+}
+
+// HasResponseIDs reports whether any resolved entry needs the response body to
+// finalize its id. The audit middleware uses this to decide whether to capture
+// the success response body.
+func HasResponseIDs(resolved []*ResolvedResource) bool {
+	for _, entry := range resolved {
+		if entry.idExtractor.isPhase(phaseResponse) {
+			return true
+		}
+
+		if entry.Related != nil && entry.Related.idExtractor.isPhase(phaseResponse) {
+			return true
+		}
+	}
+
+	return false
+}

pkg/http/handler/resourcedef.go

@@ -0,0 +1,129 @@
+// Declaration API a route author writes: the resource defs and the selectors
+// that map a resolved id to authz selectors.
+package handler
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types/audittypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/coretypes"
+)
+
+var errCodeInvalidResourceDef = errors.MustNewCode("invalid_resource_def")
+
+// SelectorFunc maps a resolved id (+ its resource) to authz FGA selectors. It is
+// the sole source of selectors — there is no default fallback to wildcard. Given
+// a missing id it decides for itself whether to return a wildcard or an error. It
+// never reads the request/body; ctx + claims are only for an optional DB lookup
+// (e.g. role UUID -> name).
+type SelectorFunc func(ctx context.Context, resource coretypes.Resource, id string, claims authtypes.Claims) ([]coretypes.Selector, error)
+
+// WildcardSelector ignores the id and returns the resource's wildcard selector.
+// Use for create / list / collection routes.
+var WildcardSelector SelectorFunc = func(_ context.Context, resource coretypes.Resource, _ string, _ authtypes.Claims) ([]coretypes.Selector, error) {
+	return []coretypes.Selector{resource.Type().MustSelector(coretypes.WildCardSelectorString)}, nil
+}
+
+// IDSelector returns [exact, wildcard] for a present id and errors when the id is
+// missing. Use for instance routes whose id is in the path/body.
+var IDSelector SelectorFunc = func(_ context.Context, resource coretypes.Resource, id string, _ authtypes.Claims) ([]coretypes.Selector, error) {
+	if id == "" {
+		return nil, errors.Newf(errors.TypeInvalidInput, errCodeInvalidResourceDef, "resource id is required for %s", resource.Kind().String())
+	}
+
+	selector, err := resource.Type().Selector(id)
+	if err != nil {
+		return nil, err
+	}
+
+	return []coretypes.Selector{selector, resource.Type().MustSelector(coretypes.WildCardSelectorString)}, nil
+}
+
+// ResourceSpec is the sealed interface implemented by ResourceDef and
+// ResourcesDef. Only these two satisfy WithResourceDefs.
+type ResourceSpec interface {
+	sealResourceSpec()
+	resolveRequest(ec ExtractorContext) []*ResolvedResource
+}
+
+// ResourceDef declares one resource an operation acts on. For attach/detach,
+// Related names the counterpart for audit clarity only — it is never authz-checked.
+type ResourceDef struct {
+	Resource coretypes.Resource
+	Verb     coretypes.Verb
+	ID       ResourceIDExtractor
+	Selector SelectorFunc
+	Category audittypes.ActionCategory
+	Related  *RelatedResource
+}
+
+// ResourcesDef declares many resources of one kind (fan-out). One resolved
+// entry is produced per id.
+type ResourcesDef struct {
+	Resource coretypes.Resource
+	Verb     coretypes.Verb
+	IDs      ResourceIDsExtractor
+	Selector SelectorFunc
+	Category audittypes.ActionCategory
+	Related  *RelatedResource
+}
+
+// RelatedResource is a counterpart named purely for audit clarity. It carries no
+// verb and no selector and is not authz-checked.
+type RelatedResource struct {
+	Resource coretypes.Resource
+	ID       ResourceIDExtractor
+}
+
+func (ResourceDef) sealResourceSpec()  {}
+func (ResourcesDef) sealResourceSpec() {}
+
+func (d ResourceDef) resolveRequest(ec ExtractorContext) []*ResolvedResource {
+	resolved := &ResolvedResource{
+		Resource:    d.Resource,
+		Verb:        d.Verb,
+		Selector:    d.Selector,
+		Category:    d.Category,
+		idExtractor: d.ID,
+		Related:     newResolvedRelated(d.Related),
+	}
+	resolved.resolve(phaseRequest, ec)
+
+	return []*ResolvedResource{resolved}
+}
+
+func (d ResourcesDef) resolveRequest(ec ExtractorContext) []*ResolvedResource {
+	var ids []string
+	if d.IDs.fn != nil {
+		ids, _ = d.IDs.fn(ec)
+	}
+
+	resolved := make([]*ResolvedResource, 0, len(ids))
+	for _, id := range ids {
+		entry := &ResolvedResource{
+			Resource: d.Resource,
+			Verb:     d.Verb,
+			ID:       id,
+			Selector: d.Selector,
+			Category: d.Category,
+			Related:  newResolvedRelated(d.Related),
+		}
+		entry.resolve(phaseRequest, ec)
+		resolved = append(resolved, entry)
+	}
+
+	return resolved
+}
+
+// ResolveRequest resolves the request-phase ids for all specs (fan-out included)
+// against ec. Called by the resource middleware pre-handler.
+func ResolveRequest(defs []ResourceSpec, ec ExtractorContext) []*ResolvedResource {
+	var resolved []*ResolvedResource
+	for _, def := range defs {
+		resolved = append(resolved, def.resolveRequest(ec)...)
+	}
+
+	return resolved
+}

pkg/http/handler/resourcedef_test.go

@@ -0,0 +1,86 @@
+package handler
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/coretypes"
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestStandardSelectors(t *testing.T) {
+	ctx := context.Background()
+	claims := authtypes.Claims{}
+
+	wildcard, err := WildcardSelector(ctx, coretypes.ResourceServiceAccount, "ignored", claims)
+	require.NoError(t, err)
+	require.Len(t, wildcard, 1)
+	assert.Equal(t, coretypes.WildCardSelectorString, wildcard[0].String())
+
+	// IDSelector errors on a missing id — no silent wildcard fallback.
+	_, err = IDSelector(ctx, coretypes.ResourceServiceAccount, "", claims)
+	require.Error(t, err)
+
+	id := "0199c47d-f61b-7833-bc5f-c0730f12f046"
+	selectors, err := IDSelector(ctx, coretypes.ResourceServiceAccount, id, claims)
+	require.NoError(t, err)
+	require.Len(t, selectors, 2)
+	assert.Equal(t, id, selectors[0].String())
+	assert.Equal(t, coretypes.WildCardSelectorString, selectors[1].String())
+}
+
+func TestResolveRequestAndFinalize(t *testing.T) {
+	req := httptest.NewRequest(http.MethodPost, "/x", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "sa-1"})
+	body := []byte(`{"id":"role-1","channels":["c1","c2"]}`)
+
+	defs := []ResourceSpec{
+		ResourceDef{
+			Resource: coretypes.ResourceServiceAccount, Verb: coretypes.VerbAttach,
+			ID: PathParam("id"), Selector: IDSelector,
+			Related: &RelatedResource{Resource: coretypes.ResourceRole, ID: BodyJSONPath("id")},
+		},
+		ResourceDef{
+			Resource: coretypes.ResourceMetaResourceFactorAPIKey, Verb: coretypes.VerbCreate,
+			ID: ResponseJSONPath("data.id"), Selector: WildcardSelector,
+		},
+		ResourcesDef{
+			Resource: coretypes.ResourceMetaResourceNotificationChannel, Verb: coretypes.VerbAttach,
+			IDs: BodyJSONArray("channels"), Selector: IDSelector,
+		},
+	}
+
+	resolved := ResolveRequest(defs, ExtractorContext{Request: req, RequestBody: body})
+
+	// 1 service account + 1 create + 2 channels (fan-out).
+	require.Len(t, resolved, 4)
+	assert.Equal(t, "sa-1", resolved[0].ID)
+	require.NotNil(t, resolved[0].Related)
+	assert.Equal(t, "role-1", resolved[0].Related.ID)
+	assert.Equal(t, "", resolved[1].ID, "response-phase id is empty pre-handler")
+	assert.Equal(t, "c1", resolved[2].ID)
+	assert.Equal(t, "c2", resolved[3].ID)
+
+	assert.True(t, HasResponseIDs(resolved))
+
+	// Audit finalizes the response-phase id once the response body is present.
+	FinalizeResponseIDs(resolved, ExtractorContext{ResponseBody: []byte(`{"data":{"id":"key-9"}}`)})
+	assert.Equal(t, "key-9", resolved[1].ID)
+}
+
+func TestExtractorPhases(t *testing.T) {
+	assert.Equal(t, phaseRequest, PathParam("id").phase)
+	assert.Equal(t, phaseRequest, BodyJSONPath("id").phase)
+	assert.Equal(t, phaseRequest, BodyJSONArray("ids").phase)
+	assert.Equal(t, phaseResponse, ResponseJSONPath("data.id").phase)
+
+	// ResponseJSONPath yields "" when the response body is absent (pre-handler).
+	id, err := ResponseJSONPath("data.id").fn(ExtractorContext{})
+	require.NoError(t, err)
+	assert.Equal(t, "", id)
+}

pkg/http/middleware/audit.go

@@ -61,6 +61,13 @@ func (middleware *Audit) Wrap(next http.Handler) http.Handler {
 
 		responseBuffer := &byteBuffer{}
 		writer := newResponseCapture(rw, responseBuffer)
+
+		// If any resolved resource derives its id from the response, capture the
+		// success body (bounded) so the audit event can read it post-handler.
+		if resolved, err := handler.ResolvedResourcesFromContext(req.Context()); err == nil && handler.HasResponseIDs(resolved) {
+			writer.EnableBodyCapture()
+		}
+
 		next.ServeHTTP(writer, req)
 
 		statusCode, writeErr := writer.StatusCode(), writer.WriteError()
@@ -80,7 +87,9 @@ func (middleware *Audit) Wrap(next http.Handler) http.Handler {
 			fields = append(fields, errors.Attr(writeErr))
 			middleware.logger.ErrorContext(req.Context(), logMessage, fields...)
 		} else {
-			if responseBuffer.Len() != 0 {
+			// Only log error bodies (status >= 400); a force-captured success
+			// body is for audit id extraction, not for logging.
+			if statusCode >= 400 && responseBuffer.Len() != 0 {
 				fields = append(fields, "response.body", responseBuffer.String())
 			}
 
@@ -94,76 +103,54 @@ func (middleware *Audit) emitAuditEvent(req *http.Request, writer responseCaptur
 		return
 	}
 
-	def := auditDefFromRequest(req)
-	if def == nil {
-		return
-	}
-
-	// extract claims
 	claims, _ := authtypes.ClaimsFromContext(req.Context())
-
-	// extract status code
 	statusCode := writer.StatusCode()
-
-	// extract traces.
 	span := trace.SpanFromContext(req.Context())
 
-	// extract error details.
 	var errorType, errorCode string
 	if statusCode >= 400 {
 		errorType = render.ErrorTypeFromStatusCode(statusCode)
 		errorCode = render.ErrorCodeFromBody(writer.BodyBytes())
 	}
 
-	event := audittypes.NewAuditEventFromHTTPRequest(
-		req,
-		routeTemplate,
-		statusCode,
-		span.SpanContext().TraceID(),
-		span.SpanContext().SpanID(),
-		def.Action,
-		def.Category,
-		claims,
-		resourceIDFromRequest(req, def.ResourceIDParam),
-		def.ResourceKind,
-		errorType,
-		errorCode,
-	)
+	// Resources resolved by the Resource middleware — emit one event per entry.
+	resolved, err := handler.ResolvedResourcesFromContext(req.Context())
+	if err != nil || len(resolved) == 0 {
+		return
+	}
 
-	middleware.auditor.Audit(req.Context(), event)
-}
-
-func auditDefFromRequest(req *http.Request) *handler.AuditDef {
-	route := mux.CurrentRoute(req)
-	if route == nil {
-		return nil
-	}
-
-	actualHandler := route.GetHandler()
-	if actualHandler == nil {
-		return nil
-	}
-
-	// The type assertion is necessary because route.GetHandler() returns
-	// http.Handler, and not every http.Handler on the mux is a handler.Handler
-	// (e.g. middleware wrappers, raw http.HandlerFunc registrations).
-	provider, ok := actualHandler.(handler.Handler)
-	if !ok {
-		return nil
-	}
-
-	return provider.AuditDef()
-}
-
-func resourceIDFromRequest(req *http.Request, param string) string {
-	if param == "" {
-		return ""
-	}
-
-	vars := mux.Vars(req)
-	if vars == nil {
-		return ""
-	}
-
-	return vars[param]
+	extractorCtx := handler.ExtractorContext{
+		Request:      req,
+		ResponseBody: writer.BodyBytes(),
+	}
+	handler.FinalizeResponseIDs(resolved, extractorCtx)
+
+	for _, entry := range resolved {
+		// Audit records state changes only — skip read/list verbs (they still
+		// exist on the def for authz).
+		if !entry.Verb.IsMutation() {
+			continue
+		}
+
+		resourceAttributes := audittypes.NewResourceAttributes(entry.Resource, entry.ID)
+		if entry.Related != nil {
+			resourceAttributes = audittypes.NewRelatedResourceAttributes(entry.Resource, entry.ID, entry.Related.Resource, entry.Related.ID)
+		}
+
+		event := audittypes.NewAuditEventFromHTTPRequest(
+			req,
+			routeTemplate,
+			statusCode,
+			span.SpanContext().TraceID(),
+			span.SpanContext().SpanID(),
+			entry.Verb,
+			entry.Category,
+			claims,
+			resourceAttributes,
+			errorType,
+			errorCode,
+		)
+
+		middleware.auditor.Audit(req.Context(), event)
+	}
 }

pkg/http/middleware/authz.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -19,18 +20,6 @@ const (
 	authzDeniedMessage string = "::AUTHZ-DENIED::"
 )
 
-type AuthZCheckDef struct {
-	Relation         authtypes.Relation
-	Resource         coretypes.Resource
-	SelectorCallback selectorCallbackWithClaimsFn
-	Roles            []string
-}
-
-// AuthZCheckGroup is a set of checks OR'd together.
-// At least one check in the group must pass for the group to pass.
-type AuthZCheckGroup []AuthZCheckDef
-
-type selectorCallbackWithClaimsFn func(*http.Request, authtypes.Claims) ([]coretypes.Selector, error)
 type selectorCallbackWithoutClaimsFn func(*http.Request, []*types.Organization) ([]coretypes.Selector, valuer.UUID, error)
 
 type AuthZ struct {
@@ -201,7 +190,12 @@ func (middleware *AuthZ) OpenAccess(next http.HandlerFunc) http.HandlerFunc {
 	})
 }
 
-func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb selectorCallbackWithClaimsFn, roles []string) http.HandlerFunc {
+// CheckResources authorizes every resolved ResourceDef for the route (AND across
+// defs). It reads the list placed by the Resource middleware. Each def's Selector
+// is the sole source of its FGA selectors; roles are the role names allowed
+// (consumed by the OSS role-gate, while the resource selectors drive the EE
+// resource check).
+func (middleware *AuthZ) CheckResources(next http.HandlerFunc, roles ...string) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		claims, err := authtypes.ClaimsFromContext(ctx)
@@ -210,40 +204,7 @@ func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relatio
 			return
 		}
 
-		selectors, err := cb(req, claims)
-		if err != nil {
-			render.Error(rw, err)
-			return
-		}
-
-		roleSelectors := []coretypes.Selector{}
-		for _, role := range roles {
-			roleSelectors = append(roleSelectors, coretypes.TypeRole.MustSelector(role))
-		}
-
-		err = middleware.authzService.CheckWithTupleCreation(ctx, claims, valuer.MustNewUUID(claims.OrgID), relation, typeable, selectors, roleSelectors)
-		if err != nil {
-			render.Error(rw, err)
-			return
-		}
-
-		next(rw, req)
-	})
-}
-
-// CheckAll verifies groups of permission checks.
-// Within each group, checks are OR'd (any check passing = group passes).
-// Across groups, results are AND'd (all groups must pass).
-//
-// This model expresses any combination:
-//   - Single check:          []AuthZCheckGroup{{checkA}}
-//   - Pure AND:              []AuthZCheckGroup{{checkA}, {checkB}}
-//   - Cross-resource OR:     []AuthZCheckGroup{{checkA, checkB}}
-//   - Mixed (A OR B) AND C:  []AuthZCheckGroup{{checkA, checkB}, {checkC}}
-func (middleware *AuthZ) CheckAll(next http.HandlerFunc, groups []AuthZCheckGroup) http.HandlerFunc {
-	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		ctx := req.Context()
-		claims, err := authtypes.ClaimsFromContext(ctx)
+		resolved, err := handler.ResolvedResourcesFromContext(ctx)
 		if err != nil {
 			render.Error(rw, err)
 			return
@@ -251,32 +212,37 @@ func (middleware *AuthZ) CheckAll(next http.HandlerFunc, groups []AuthZCheckGrou
 
 		orgID := valuer.MustNewUUID(claims.OrgID)
 
-		for _, group := range groups {
-			groupPassed := false
-			var lastErr error
+		roleSelectors := make([]coretypes.Selector, len(roles))
+		for idx, role := range roles {
+			roleSelectors[idx] = coretypes.TypeRole.MustSelector(role)
+		}
 
-			for _, check := range group {
-				selectors, err := check.SelectorCallback(req, claims)
-				if err != nil {
-					render.Error(rw, err)
+		for _, def := range resolved {
+			if def.Selector == nil {
+				render.Error(rw, errors.New(errors.TypeInternal, errors.CodeInternal, "resource def used with CheckResources must declare a Selector"))
+				return
+			}
+
+			selectors, err := def.Selector(ctx, def.Resource, def.ID, claims)
+			if err != nil {
+				render.Error(rw, err)
+				return
+			}
+
+			err = middleware.authzService.CheckWithTupleCreation(ctx, claims, orgID, authtypes.Relation{Verb: def.Verb}, def.Resource, selectors, roleSelectors)
+			if err != nil {
+				if errors.Asc(err, authtypes.ErrCodeAuthZForbidden) {
+					middleware.logger.WarnContext(ctx, authzDeniedMessage, slog.Any("claims", claims))
+					if def.ID != "" {
+						render.Error(rw, errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "you don't have %s access to %s %s", def.Verb.StringValue(), def.Resource.Kind().String(), def.ID))
+						return
+					}
+
+					render.Error(rw, errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "you don't have %s access to %s", def.Verb.StringValue(), def.Resource.Kind().String()))
 					return
 				}
 
-				roleSelectors := make([]coretypes.Selector, len(check.Roles))
-				for idx, role := range check.Roles {
-					roleSelectors[idx] = coretypes.TypeRole.MustSelector(role)
-				}
-
-				err = middleware.authzService.CheckWithTupleCreation(ctx, claims, orgID, check.Relation, check.Resource, selectors, roleSelectors)
-				if err == nil {
-					groupPassed = true
-					break
-				}
-				lastErr = err
-			}
-
-			if !groupPassed {
-				render.Error(rw, lastErr)
+				render.Error(rw, err)
 				return
 			}
 		}

pkg/http/middleware/resource.go

@@ -0,0 +1,69 @@
+package middleware
+
+import (
+	"bytes"
+	"io"
+	"log/slog"
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/gorilla/mux"
+)
+
+// Resource resolves a route's declared ResourceDefs (request-side) and stashes
+// the result in the request context. It is the OUTER of the resource-aware
+// middlewares (placed before Audit) and the single point that buffers the
+// request body. AuthZ (in the handler) and Audit (inner) read the resolved list.
+type Resource struct {
+	logger *slog.Logger
+}
+
+func NewResource(logger *slog.Logger) *Resource {
+	return &Resource{logger: logger.With(slog.String("pkg", pkgname))}
+}
+
+func (middleware *Resource) Wrap(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		defs := resourceDefsFromRequest(req)
+		if len(defs) == 0 {
+			next.ServeHTTP(rw, req)
+			return
+		}
+
+		// Buffer the request body once so request-side extractors can read it and
+		// the handler still sees a fresh reader. Single buffering point.
+		var body []byte
+		if req.Body != nil {
+			body, _ = io.ReadAll(req.Body)
+			req.Body = io.NopCloser(bytes.NewReader(body))
+		}
+
+		extractorCtx := handler.ExtractorContext{
+			Request:     req,
+			RequestBody: body,
+		}
+		resolved := handler.ResolveRequest(defs, extractorCtx)
+
+		ctx := handler.NewContextWithResolvedResources(req.Context(), resolved)
+		next.ServeHTTP(rw, req.WithContext(ctx))
+	})
+}
+
+func resourceDefsFromRequest(req *http.Request) []handler.ResourceSpec {
+	route := mux.CurrentRoute(req)
+	if route == nil {
+		return nil
+	}
+
+	actualHandler := route.GetHandler()
+	if actualHandler == nil {
+		return nil
+	}
+
+	provider, ok := actualHandler.(handler.Handler)
+	if !ok {
+		return nil
+	}
+
+	return provider.ResourceDefs()
+}

pkg/http/middleware/response.go

@@ -23,9 +23,14 @@ type responseCapture interface {
 	// WriteError returns the error (if any) from the downstream Write call.
 	WriteError() error
 
-	// BodyBytes returns the captured response body bytes. Only populated
-	// for error responses (status >= 400).
+	// BodyBytes returns the captured response body bytes. Populated for error
+	// responses (status >= 400), or for any response once EnableBodyCapture is called.
 	BodyBytes() []byte
+
+	// EnableBodyCapture forces capture of the response body regardless of status
+	// code (still bounded by maxResponseBodyCapture). Must be called before the
+	// handler writes the response.
+	EnableBodyCapture()
 }
 
 func newResponseCapture(rw http.ResponseWriter, buffer *byteBuffer) responseCapture {
@@ -72,12 +77,13 @@ func (b *byteBuffer) String() string {
 }
 
 type nonFlushingResponseCapture struct {
-	rw            http.ResponseWriter
-	buffer        *byteBuffer
-	captureBody   bool
-	bodyBytesLeft int
-	statusCode    int
-	writeError    error
+	rw               http.ResponseWriter
+	buffer           *byteBuffer
+	captureBody      bool
+	forceCaptureBody bool
+	bodyBytesLeft    int
+	statusCode       int
+	writeError       error
 }
 
 type flushingResponseCapture struct {
@@ -98,13 +104,17 @@ func (writer *nonFlushingResponseCapture) Header() http.Header {
 // WriteHeader writes the HTTP response header.
 func (writer *nonFlushingResponseCapture) WriteHeader(statusCode int) {
 	writer.statusCode = statusCode
-	if statusCode >= 400 {
+	if statusCode >= 400 || writer.forceCaptureBody {
 		writer.captureBody = true
 	}
 
 	writer.rw.WriteHeader(statusCode)
 }
 
+func (writer *nonFlushingResponseCapture) EnableBodyCapture() {
+	writer.forceCaptureBody = true
+}
+
 // Write writes HTTP response data.
 func (writer *nonFlushingResponseCapture) Write(data []byte) (int, error) {
 	if writer.statusCode == 0 {

pkg/modules/tracedetail/config.go

@@ -6,7 +6,16 @@ import (
 )
 
 type Config struct {
-	Waterfall WaterfallConfig `mapstructure:"waterfall"`
+	Waterfall  WaterfallConfig  `mapstructure:"waterfall"`
+	Flamegraph FlamegraphConfig `mapstructure:"flamegraph"`
+}
+
+type FlamegraphConfig struct {
+	MaxSelectedLevels            int  `mapstructure:"max_selected_levels"`
+	MaxSpansPerLevel             int  `mapstructure:"max_spans_per_level"`
+	SamplingTopLatencySpansCount int  `mapstructure:"sampling_top_latency_count"`
+	SamplingBucketCount          int  `mapstructure:"sampling_bucket_count"`
+	SelectAllSpansLimit          uint `mapstructure:"select_all_spans_limit"`
 }
 
 type WaterfallConfig struct {
@@ -29,6 +38,13 @@ func newConfig() factory.Config {
 			MaxDepthToAutoExpand:     5,
 			MaxLimitToSelectAllSpans: 10_000,
 		},
+		Flamegraph: FlamegraphConfig{
+			MaxSelectedLevels:            50,
+			MaxSpansPerLevel:             100,
+			SamplingTopLatencySpansCount: 5,
+			SamplingBucketCount:          50,
+			SelectAllSpansLimit:          100_000,
+		},
 	}
 }
 
@@ -42,5 +58,20 @@ func (c Config) Validate() error {
 	if c.Waterfall.MaxLimitToSelectAllSpans == 0 {
 		return errors.NewInvalidInputf(errors.CodeInvalidInput, "traces.waterfall.max_limit_to_select_all_spans must be positive")
 	}
+	if c.Flamegraph.MaxSelectedLevels <= 0 {
+		return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.level_limit must be positive, got %d", c.Flamegraph.MaxSelectedLevels)
+	}
+	if c.Flamegraph.MaxSpansPerLevel <= 0 {
+		return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.spans_per_level must be positive, got %d", c.Flamegraph.MaxSpansPerLevel)
+	}
+	if c.Flamegraph.SamplingTopLatencySpansCount < 0 {
+		return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.top_latency_count cannot be negative, got %d", c.Flamegraph.SamplingTopLatencySpansCount)
+	}
+	if c.Flamegraph.SamplingBucketCount <= 0 {
+		return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.bucket_count must be positive, got %d", c.Flamegraph.SamplingBucketCount)
+	}
+	if c.Flamegraph.SelectAllSpansLimit == 0 {
+		return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.max_limit_to_select_all_spans must be positive")
+	}
 	return nil
 }

pkg/modules/tracedetail/impltracedetail/handler.go

@@ -80,3 +80,19 @@ func (h *handler) GetTraceAggregations(rw http.ResponseWriter, r *http.Request)
 
 	render.Success(rw, http.StatusOK, result)
 }
+
+func (h *handler) GetFlamegraph(rw http.ResponseWriter, r *http.Request) {
+	req := new(spantypes.PostableFlamegraph)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	result, err := h.module.GetFlamegraph(r.Context(), mux.Vars(r)["traceID"], req.SelectedSpanID, req.SelectFields)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, result)
+}

pkg/modules/tracedetail/impltracedetail/module.go

@@ -7,6 +7,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/tracedetail"
 	"github.com/SigNoz/signoz/pkg/types/spantypes"
+	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 	"go.opentelemetry.io/otel/metric"
 )
 
@@ -164,6 +165,17 @@ func (m *module) GetTraceAggregations(ctx context.Context, traceID string, req *
 	return &spantypes.GettableTraceAggregations{Aggregations: results}, nil
 }
 
+func (m *module) GetFlamegraph(ctx context.Context, traceID string, selectedSpanID string, selectFields []telemetrytypes.TelemetryFieldKey) (*spantypes.GettableFlamegraphTrace, error) {
+	summary, err := m.store.GetTraceSummary(ctx, traceID)
+	if err != nil {
+		return nil, err
+	}
+	if summary.NumSpans <= uint64(m.config.Flamegraph.SelectAllSpansLimit) {
+		return m.getFullFlamegraph(ctx, traceID, summary, selectFields)
+	}
+	return m.getWindowedFlamegraph(ctx, traceID, selectedSpanID, summary, selectFields)
+}
+
 // getWindowedWaterfall builds the waterfall tree with minimal data and then returns only a window of full spans.
 func (m *module) getWindowedWaterfall(ctx context.Context, traceID, selectedSpanID string, uncollapsedSpans []string, start, end time.Time) (*spantypes.GettableWaterfallTrace, error) {
 	// Step 1: minimal fetch → build full tree → select visible window
@@ -204,3 +216,47 @@ func (m *module) getWindowedWaterfall(ctx context.Context, traceID, selectedSpan
 		waterfallTrace, selectedSpans, uncollapsedSpans, false, nil,
 	), nil
 }
+
+func (m *module) getFullFlamegraph(ctx context.Context, traceID string, summary *spantypes.TraceSummary, selectFields []telemetrytypes.TelemetryFieldKey) (*spantypes.GettableFlamegraphTrace, error) {
+	fullSpans, err := m.store.GetFlamegraphSpans(ctx, traceID, summary.Start, summary.End, nil)
+	if err != nil {
+		return nil, err
+	}
+	if len(fullSpans) == 0 {
+		return nil, spantypes.ErrTraceNotFound
+	}
+	flamegraphTrace := spantypes.NewFlamegraphTraceFromStorable(fullSpans, selectFields)
+	return spantypes.NewGettableFlamegraphTrace(flamegraphTrace.GetAllLevels(), summary.Start.UnixMilli(), summary.End.UnixMilli(), false), nil
+}
+
+// getWindowedFlamegraph returns a window of a max levels and max sampled spans per level around the selected span.
+func (m *module) getWindowedFlamegraph(ctx context.Context, traceID, selectedSpanID string, summary *spantypes.TraceSummary, selectFields []telemetrytypes.TelemetryFieldKey) (*spantypes.GettableFlamegraphTrace, error) {
+	minimalSpans, err := m.store.GetMinimalSpans(ctx, traceID, summary.Start, summary.End)
+	if err != nil {
+		return nil, err
+	}
+	if len(minimalSpans) == 0 {
+		return nil, spantypes.ErrTraceNotFound
+	}
+
+	flamegraphTrace := spantypes.NewFlamegraphTraceFromMinimal(minimalSpans)
+	minimalSpans = nil //nolint:ineffassign,wastedassign // release backing array before further db calls
+
+	cfg := m.config.Flamegraph
+	selectedSpans := flamegraphTrace.GetSelectedLevels(selectedSpanID, cfg.MaxSelectedLevels, cfg.MaxSpansPerLevel, cfg.SamplingTopLatencySpansCount, cfg.SamplingBucketCount)
+	if len(selectedSpans) == 0 {
+		return nil, spantypes.ErrTraceNotFound
+	}
+
+	fullSpans, err := m.store.GetFlamegraphSpans(ctx, traceID, summary.Start, summary.End, spantypes.FlamegraphWindowSpanIDs(selectedSpans))
+	if err != nil {
+		return nil, err
+	}
+
+	return spantypes.NewGettableFlamegraphTrace(
+		flamegraphTrace.EnrichSelectedSpans(selectedSpans, fullSpans, selectFields),
+		summary.Start.UnixMilli(),
+		summary.End.UnixMilli(),
+		true,
+	), nil
+}

pkg/modules/tracedetail/impltracedetail/store.go

@@ -154,6 +154,47 @@ func (s *traceStore) GetTraceSpansByIDs(ctx context.Context, traceID string, sta
 	return spans, nil
 }
 
+func (s *traceStore) GetFlamegraphSpans(ctx context.Context, traceID string, start, end time.Time, spanIDs []string) ([]spantypes.StorableSpan, error) {
+	sb := sqlbuilder.NewSelectBuilder()
+	sb.Select(
+		"span_id",
+		"any(parent_span_id) AS parent_span_id",
+		"any(timestamp) AS timestamp",
+		"any(duration_nano) AS duration_nano",
+		"any(has_error) AS has_error",
+		"any(name) AS name",
+		"any(events) AS events",
+		"any(attributes_string) AS attributes_string",
+		"any(attributes_number) AS attributes_number",
+		"any(attributes_bool) AS attributes_bool",
+		"any(resources_string) AS resources_string",
+	)
+	sb.From(fmt.Sprintf("%s.%s", spantypes.TraceDB, spantypes.TraceTable))
+	conditions := []string{
+		sb.E("trace_id", traceID),
+		sb.GE("ts_bucket_start", start.Unix()-1800),
+		sb.LE("ts_bucket_start", end.Unix()),
+	}
+	if len(spanIDs) > 0 {
+		ids := make([]any, len(spanIDs))
+		for i, id := range spanIDs {
+			ids[i] = id
+		}
+		conditions = append(conditions, sb.In("span_id", ids...))
+	}
+	sb.Where(conditions...)
+	sb.GroupBy("span_id")
+	sb.OrderByAsc("timestamp")
+	sb.OrderByAsc("name")
+	query, args := sb.BuildWithFlavor(sqlbuilder.ClickHouse)
+
+	var spans []spantypes.StorableSpan
+	if err := s.telemetryStore.ClickhouseDB().Select(ctx, &spans, query, args...); err != nil {
+		return nil, errors.WrapInternalf(err, errors.CodeInternal, "error querying flamegraph spans")
+	}
+	return spans, nil
+}
+
 func (s *traceStore) GetSpanCountByField(ctx context.Context, traceID string, summary *spantypes.TraceSummary, fieldKey telemetrytypes.TelemetryFieldKey) (map[string]uint64, error) {
 	fieldExpr, err := buildFieldExpr(fieldKey)
 	if err != nil {

pkg/modules/tracedetail/impltracedetail/store_test.go

@@ -91,6 +91,30 @@ func TestGetSpanCountByField(t *testing.T) {
 	}
 }
 
+func TestGetFlamegraphSpans(t *testing.T) {
+	baseSQL := "SELECT span_id, any(parent_span_id) AS parent_span_id, any(timestamp) AS timestamp, any(duration_nano) AS duration_nano, any(has_error) AS has_error, any(name) AS name, any(events) AS events, any(attributes_string) AS attributes_string, any(attributes_number) AS attributes_number, any(attributes_bool) AS attributes_bool, any(resources_string) AS resources_string FROM signoz_traces.distributed_signoz_index_v3 WHERE trace_id = ? AND ts_bucket_start >= ? AND ts_bucket_start <= ? GROUP BY span_id ORDER BY timestamp ASC, name ASC"
+	withSpanIDsSQL := "SELECT span_id, any(parent_span_id) AS parent_span_id, any(timestamp) AS timestamp, any(duration_nano) AS duration_nano, any(has_error) AS has_error, any(name) AS name, any(events) AS events, any(attributes_string) AS attributes_string, any(attributes_number) AS attributes_number, any(attributes_bool) AS attributes_bool, any(resources_string) AS resources_string FROM signoz_traces.distributed_signoz_index_v3 WHERE trace_id = ? AND ts_bucket_start >= ? AND ts_bucket_start <= ? AND span_id IN (?, ?) GROUP BY span_id ORDER BY timestamp ASC, name ASC"
+
+	tests := []struct {
+		name    string
+		spanIDs []string
+		sql     string
+	}{
+		{name: "NoSpanIDs_GeneratesBaseSQL", spanIDs: nil, sql: baseSQL},
+		{name: "WithSpanIDs_GeneratesInClauseSQL", spanIDs: []string{"span-1", "span-2"}, sql: withSpanIDsSQL},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			s := newTestStore(sqlmock.QueryMatcherRegexp)
+			s.Mock().ExpectSelect(regexp.QuoteMeta(tc.sql)).
+				WillReturnRows(cmock.NewRows(nil, nil))
+			_, _ = s.Store().GetFlamegraphSpans(context.Background(), testTraceID, testStart, testEnd, tc.spanIDs)
+			assert.NoError(t, s.Mock().ExpectationsWereMet())
+		})
+	}
+}
+
 func TestGetSpanDurationByField(t *testing.T) {
 
 	expectedSQL := "WITH all_spans AS (SELECT DISTINCT ON (span_id) resource.`service.name`::String AS field_value, toUnixTimestamp64Nano(timestamp) AS start_ns, start_ns + duration_nano AS end_ns FROM signoz_traces.distributed_signoz_index_v3 WHERE trace_id = ? AND ts_bucket_start >= ? AND ts_bucket_start <= ? AND notEmpty(field_value) ORDER BY timestamp ASC, name ASC), effective_start AS (SELECT field_value, end_ns, greatest(start_ns, ifNull(max(end_ns) OVER (PARTITION BY field_value ORDER BY start_ns ROWS BETWEEN UNBOUNDED PRECEDING AND 1 PRECEDING), toUInt64(0))) AS effective_start_ns FROM all_spans) SELECT field_value, sum(toUInt64(greatest(end_ns - effective_start_ns, 0))) AS total_ns FROM effective_start GROUP BY field_value"

pkg/modules/tracedetail/tracedetail.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/SigNoz/signoz/pkg/types/spantypes"
+	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 )
 
 // Handler exposes HTTP handlers for trace detail APIs.
@@ -12,6 +13,7 @@ type Handler interface {
 	GetWaterfall(http.ResponseWriter, *http.Request)
 	GetWaterfallV4(http.ResponseWriter, *http.Request)
 	GetTraceAggregations(http.ResponseWriter, *http.Request)
+	GetFlamegraph(http.ResponseWriter, *http.Request)
 }
 
 // Module defines the business logic for trace detail operations.
@@ -19,4 +21,5 @@ type Module interface {
 	GetWaterfall(ctx context.Context, traceID string, req *spantypes.PostableWaterfall) (*spantypes.GettableWaterfallTrace, error)
 	GetWaterfallV4(ctx context.Context, traceID string, selectedSpanID string, uncollapsedSpans []string, selectAllLimit uint) (*spantypes.GettableWaterfallTrace, error)
 	GetTraceAggregations(ctx context.Context, traceID string, req *spantypes.PostableTraceAggregations) (*spantypes.GettableTraceAggregations, error)
+	GetFlamegraph(ctx context.Context, traceID string, selectedSpanID string, selectFields []telemetrytypes.TelemetryFieldKey) (*spantypes.GettableFlamegraphTrace, error)
 }

pkg/query-service/app/server.go

@@ -168,6 +168,7 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,
 		s.config.APIServer.Timeout.Default,
 		s.config.APIServer.Timeout.Max,
 	).Wrap)
+	r.Use(middleware.NewResource(s.signoz.Instrumentation.Logger()).Wrap)
 	r.Use(middleware.NewAudit(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes, s.signoz.Auditor).Wrap)
 	r.Use(middleware.NewComment().Wrap)
 

pkg/types/audittypes/attributes.go

@@ -71,23 +71,50 @@ func (attributes PrincipalAttributes) Put(dest pcommon.Map) {
 // Audit attributes — Resource (On What).
 // These are OTel resource attributes (placed on the Resource, not event attributes).
 type ResourceAttributes struct {
-	ResourceID   string
-	ResourceKind coretypes.Kind // guaranteed to be present
+	Resource   coretypes.Resource // guaranteed to be present
+	ResourceID string
+
+	// TargetResource names the counterpart of an attach/detach event (audit
+	// context only). nil when there is no relationship.
+	TargetResource   coretypes.Resource
+	TargetResourceID string
 }
 
-func NewResourceAttributes(resourceID string, resourceKind coretypes.Kind) ResourceAttributes {
+func NewResourceAttributes(resource coretypes.Resource, resourceID string) ResourceAttributes {
 	return ResourceAttributes{
-		ResourceID:   resourceID,
-		ResourceKind: resourceKind,
+		Resource:   resource,
+		ResourceID: resourceID,
+	}
+}
+
+// NewAttachResourceAttributes builds resource attributes that additionally name
+// the target counterpart (used for attach/detach audit events).
+func NewRelatedResourceAttributes(resource coretypes.Resource, resourceID string, targetResource coretypes.Resource, targetResourceID string) ResourceAttributes {
+	return ResourceAttributes{
+		Resource:         resource,
+		ResourceID:       resourceID,
+		TargetResource:   targetResource,
+		TargetResourceID: targetResourceID,
 	}
 }
 
 // PutResource writes the resource attributes to an OTel Resource's attribute map.
 // These are resource-level attributes (stored in the resource JSON column),
 // not event-level attributes (stored in attributes_string).
-func (attributes ResourceAttributes) PutResource(dest pcommon.Map) {
-	putStrIfNotEmpty(dest, "signoz.audit.resource.kind", attributes.ResourceKind.String())
+func (attributes ResourceAttributes) PutResource(orgID valuer.UUID, dest pcommon.Map) {
+	putStrIfNotEmpty(dest, "signoz.audit.resource.kind", attributes.Resource.Kind().String())
 	putStrIfNotEmpty(dest, "signoz.audit.resource.id", attributes.ResourceID)
+	if attributes.ResourceID != "" {
+		putStrIfNotEmpty(dest, "signoz.audit.resource.object", attributes.Resource.Object(orgID, attributes.ResourceID))
+	}
+
+	if attributes.TargetResource != nil {
+		putStrIfNotEmpty(dest, "signoz.audit.resource.target.kind", attributes.TargetResource.Kind().String())
+		putStrIfNotEmpty(dest, "signoz.audit.resource.target.id", attributes.TargetResourceID)
+		if attributes.TargetResourceID != "" {
+			putStrIfNotEmpty(dest, "signoz.audit.resource.target.object", attributes.TargetResource.Object(orgID, attributes.TargetResourceID))
+		}
+	}
 }
 
 // Audit attributes — Error (When outcome is failure)
@@ -193,13 +220,24 @@ func newBody(auditAttributes AuditAttributes, principalAttributes PrincipalAttri
 
 	// Resource: " kind (id)" or " kind".
 	b.WriteString(" ")
-	b.WriteString(resourceAttributes.ResourceKind.String())
+	b.WriteString(resourceAttributes.Resource.Kind().String())
 	if resourceAttributes.ResourceID != "" {
 		b.WriteString(" (")
 		b.WriteString(resourceAttributes.ResourceID)
 		b.WriteString(")")
 	}
 
+	// Target (attach/detach context): " · target kind (id)" or " · target kind".
+	if resourceAttributes.TargetResource != nil {
+		b.WriteString(" to ")
+		b.WriteString(resourceAttributes.TargetResource.Kind().String())
+		if resourceAttributes.TargetResourceID != "" {
+			b.WriteString(" (")
+			b.WriteString(resourceAttributes.TargetResourceID)
+			b.WriteString(")")
+		}
+	}
+
 	// Error suffix (failure only): ": type (code)" or ": type" or ": (code)" or omitted.
 	if auditAttributes.Outcome == OutcomeFailure {
 		errorType := errorAttributes.ErrorType

pkg/types/audittypes/attributes_test.go

@@ -63,8 +63,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("test@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "test@acme.com (019a1234-abcd-7000-8000-567800000001) deleted dashboard",
@@ -81,8 +81,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.Email{},
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "abd",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "abd",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "019a1234-abcd-7000-8000-567800000001 deleted dashboard (abd)",
@@ -99,8 +99,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.Email{},
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "abd",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "abd",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "deleted dashboard (abd)",
@@ -117,8 +117,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("alice@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "019b-5678",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "alice@acme.com (019a1234-abcd-7000-8000-567800000001) created dashboard (019b-5678)",
@@ -132,10 +132,10 @@ func TestNewBody(t *testing.T) {
 			},
 			principalAttributes: PrincipalAttributes{},
 			resourceAttributes: ResourceAttributes{
-				ResourceKind: coretypes.MustNewKind("alert-rule"),
+				Resource: coretypes.ResourceMetaResourceRule,
 			},
 			errorAttributes: ErrorAttributes{},
-			expectedBody:    "updated alert-rule",
+			expectedBody:    "updated rule",
 		},
 		{
 			name: "Failure_AllPresent",
@@ -149,8 +149,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("viewer@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "019b-5678",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{
 				ErrorType: "forbidden",
@@ -169,7 +169,7 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("test@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceKind: coretypes.MustNewKind("user"),
+				Resource: coretypes.ResourceUser,
 			},
 			errorAttributes: ErrorAttributes{
 				ErrorType: "not-found",
@@ -187,8 +187,8 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("test@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceID: "019b-5678",
+				Resource:   coretypes.ResourceMetaResourceDashboard,
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "test@acme.com (019a1234-abcd-7000-8000-567800000001) failed to create dashboard (019b-5678)",

pkg/types/audittypes/event.go

@@ -44,6 +44,8 @@ type AuditEvent struct {
 	TransportAttributes TransportAttributes
 }
 
+// NewAuditEvent builds an audit event from pre-built resource attributes (which
+// may carry attach/target context).
 func NewAuditEventFromHTTPRequest(
 	req *http.Request,
 	route string,
@@ -53,14 +55,12 @@ func NewAuditEventFromHTTPRequest(
 	action coretypes.Verb,
 	actionCategory ActionCategory,
 	claims authtypes.Claims,
-	resourceID string,
-	resourceKind coretypes.Kind,
+	resourceAttributes ResourceAttributes,
 	errorType string,
 	errorCode string,
 ) AuditEvent {
 	auditAttributes := NewAuditAttributesFromHTTP(statusCode, action, actionCategory, claims)
 	principalAttributes := NewPrincipalAttributesFromClaims(claims)
-	resourceAttributes := NewResourceAttributes(resourceID, resourceKind)
 	errorAttributes := NewErrorAttributes(errorType, errorCode)
 	transportAttributes := NewTransportAttributesFromHTTP(req, route, statusCode)
 
@@ -69,7 +69,7 @@ func NewAuditEventFromHTTPRequest(
 		TraceID:             traceID,
 		SpanID:              spanID,
 		Body:                newBody(auditAttributes, principalAttributes, resourceAttributes, errorAttributes),
-		EventName:           NewEventName(resourceAttributes.ResourceKind, auditAttributes.Action),
+		EventName:           NewEventName(resourceAttributes.Resource.Kind(), auditAttributes.Action),
 		AuditAttributes:     auditAttributes,
 		PrincipalAttributes: principalAttributes,
 		ResourceAttributes:  resourceAttributes,
@@ -89,7 +89,7 @@ func NewPLogsFromAuditEvents(events []AuditEvent, name string, version string, s
 	groups := make(map[resourceKey][]int)
 	order := make([]resourceKey, 0)
 	for i, event := range events {
-		key := resourceKey{kind: event.ResourceAttributes.ResourceKind.String(), id: event.ResourceAttributes.ResourceID}
+		key := resourceKey{kind: event.ResourceAttributes.Resource.Kind().String(), id: event.ResourceAttributes.ResourceID}
 		if _, exists := groups[key]; !exists {
 			order = append(order, key)
 		}
@@ -101,7 +101,8 @@ func NewPLogsFromAuditEvents(events []AuditEvent, name string, version string, s
 		resourceAttrs := resourceLogs.Resource().Attributes()
 		resourceAttrs.PutStr(string(semconv.ServiceNameKey), name)
 		resourceAttrs.PutStr(string(semconv.ServiceVersionKey), version)
-		events[groups[key][0]].ResourceAttributes.PutResource(resourceAttrs)
+		head := events[groups[key][0]]
+		head.ResourceAttributes.PutResource(head.PrincipalAttributes.PrincipalOrgID, resourceAttrs)
 
 		scopeLogs := resourceLogs.ScopeLogs().AppendEmpty()
 		scopeLogs.Scope().SetName(scope)

pkg/types/audittypes/event_test.go

@@ -12,10 +12,10 @@ import (
 )
 
 var (
-	testDashboardKind = coretypes.MustNewKind("dashboard")
+	testDashboardResource = coretypes.ResourceMetaResourceDashboard
 )
 
-func TestNewAuditEventFromHTTPRequest(t *testing.T) {
+func TestNewAuditEvent(t *testing.T) {
 	traceID := oteltrace.TraceID{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
 	spanID := oteltrace.SpanID{1, 2, 3, 4, 5, 6, 7, 8}
 
@@ -28,8 +28,8 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 		action          coretypes.Verb
 		category        ActionCategory
 		claims          authtypes.Claims
+		resource        coretypes.Resource
 		resourceID      string
-		resourceKind    coretypes.Kind
 		errorType       string
 		errorCode       string
 		expectedOutcome Outcome
@@ -44,8 +44,8 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 			action:          coretypes.VerbCreate,
 			category:        ActionCategoryConfigurationChange,
 			claims:          authtypes.Claims{UserID: "019a1234-abcd-7000-8000-567800000001", Email: "alice@acme.com", OrgID: "019a-0000-0000-0001", IdentNProvider: authtypes.IdentNProviderTokenizer},
+			resource:        testDashboardResource,
 			resourceID:      "019b-5678-efgh-9012",
-			resourceKind:    testDashboardKind,
 			expectedOutcome: OutcomeSuccess,
 			expectedBody:    "alice@acme.com (019a1234-abcd-7000-8000-567800000001) created dashboard (019b-5678-efgh-9012)",
 		},
@@ -58,8 +58,8 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 			action:          coretypes.VerbUpdate,
 			category:        ActionCategoryConfigurationChange,
 			claims:          authtypes.Claims{UserID: "019aaaaa-bbbb-7000-8000-cccc00000002", Email: "viewer@acme.com", OrgID: "019a-0000-0000-0001", IdentNProvider: authtypes.IdentNProviderTokenizer},
+			resource:        testDashboardResource,
 			resourceID:      "019b-5678-efgh-9012",
-			resourceKind:    testDashboardKind,
 			errorType:       "forbidden",
 			errorCode:       "authz_forbidden",
 			expectedOutcome: OutcomeFailure,
@@ -80,15 +80,14 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 				testCase.action,
 				testCase.category,
 				testCase.claims,
-				testCase.resourceID,
-				testCase.resourceKind,
+				NewResourceAttributes(testCase.resource, testCase.resourceID),
 				testCase.errorType,
 				testCase.errorCode,
 			)
 
 			assert.Equal(t, testCase.expectedOutcome, event.AuditAttributes.Outcome)
 			assert.Equal(t, testCase.expectedBody, event.Body)
-			assert.Equal(t, testCase.resourceKind, event.ResourceAttributes.ResourceKind)
+			assert.Equal(t, testCase.resource.Kind(), event.ResourceAttributes.Resource.Kind())
 			assert.Equal(t, testCase.resourceID, event.ResourceAttributes.ResourceID)
 			assert.Equal(t, testCase.action, event.AuditAttributes.Action)
 			assert.Equal(t, testCase.category, event.AuditAttributes.ActionCategory)
@@ -103,18 +102,18 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {
 	}
 }
 
-func newTestEvent(resourceKind coretypes.Kind, resourceID string, action coretypes.Verb) AuditEvent {
+func newTestEvent(resource coretypes.Resource, resourceID string, action coretypes.Verb) AuditEvent {
 	return AuditEvent{
-		Body:      resourceKind.String() + "." + action.PastTense(),
-		EventName: NewEventName(resourceKind, action),
+		Body:      resource.Kind().String() + "." + action.PastTense(),
+		EventName: NewEventName(resource.Kind(), action),
 		AuditAttributes: AuditAttributes{
 			Action:         action,
 			ActionCategory: ActionCategoryConfigurationChange,
 			Outcome:        OutcomeSuccess,
 		},
 		ResourceAttributes: ResourceAttributes{
-			ResourceKind: resourceKind,
-			ResourceID:   resourceID,
+			Resource:   resource,
+			ResourceID: resourceID,
 		},
 	}
 }
@@ -136,7 +135,7 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "SingleEvent",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),
 			},
 			expectedResourceLogs:    1,
 			expectedResourceKinds:   []string{"dashboard"},
@@ -146,9 +145,9 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "SameResource_MultipleEvents",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbDelete),
 			},
 			expectedResourceLogs:    1,
 			expectedResourceKinds:   []string{"dashboard"},
@@ -158,8 +157,8 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "DifferentResources_SeparateGroups",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),
-				newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),
+				newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbDelete),
 			},
 			expectedResourceLogs:    2,
 			expectedResourceKinds:   []string{"dashboard", "user"},
@@ -169,8 +168,8 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "SameKind_DifferentIDs_SeparateGroups",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),
-				newTestEvent(testDashboardKind, "d-002", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),
+				newTestEvent(testDashboardResource, "d-002", coretypes.VerbDelete),
 			},
 			expectedResourceLogs:    2,
 			expectedResourceKinds:   []string{"dashboard", "dashboard"},
@@ -180,11 +179,11 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 		{
 			name: "InterleavedResources_GroupedCorrectly",
 			events: []AuditEvent{
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),
-				newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbUpdate),
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),
-				newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbDelete),
-				newTestEvent(testDashboardKind, "d-001", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),
+				newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbUpdate),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),
+				newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbDelete),
+				newTestEvent(testDashboardResource, "d-001", coretypes.VerbDelete),
 			},
 			expectedResourceLogs:    2,
 			expectedResourceKinds:   []string{"dashboard", "user"},
@@ -203,7 +202,6 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 				resourceLogs := logs.ResourceLogs().At(i)
 				resourceAttrs := resourceLogs.Resource().Attributes()
 
-				// Verify service resource attributes
 				serviceName, exists := resourceAttrs.Get("service.name")
 				assert.True(t, exists)
 				assert.Equal(t, "signoz", serviceName.Str())
@@ -212,7 +210,6 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 				assert.True(t, exists)
 				assert.Equal(t, "0.90.0", serviceVersion.Str())
 
-				// Verify audit resource attributes on Resource (not event attributes)
 				kind, exists := resourceAttrs.Get("signoz.audit.resource.kind")
 				assert.True(t, exists)
 				assert.Equal(t, testCase.expectedResourceKinds[i], kind.Str())
@@ -221,14 +218,11 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {
 				assert.True(t, exists)
 				assert.Equal(t, testCase.expectedResourceIDs[i], id.Str())
 
-				// Verify scope
 				assert.Equal(t, 1, resourceLogs.ScopeLogs().Len())
 				assert.Equal(t, "signoz.audit", resourceLogs.ScopeLogs().At(0).Scope().Name())
 
-				// Verify log record count per group
 				assert.Equal(t, testCase.expectedLogRecordCounts[i], resourceLogs.ScopeLogs().At(0).LogRecords().Len())
 
-				// Verify resource attrs are NOT in log record event attributes
 				for j := 0; j < resourceLogs.ScopeLogs().At(0).LogRecords().Len(); j++ {
 					recordAttrs := resourceLogs.ScopeLogs().At(0).LogRecords().At(j).Attributes()
 					_, hasKind := recordAttrs.Get("signoz.audit.resource.kind")

pkg/types/coretypes/verb.go

@@ -53,3 +53,14 @@ func (Verb) Enum() []any {
 func (verb Verb) PastTense() string {
 	return verb.pastTense
 }
+
+// IsMutation reports whether the verb changes state (create/update/delete/
+// attach/detach) as opposed to a read (read/list/assignee).
+func (verb Verb) IsMutation() bool {
+	switch verb {
+	case VerbCreate, VerbUpdate, VerbDelete, VerbAttach, VerbDetach:
+		return true
+	default:
+		return false
+	}
+}

pkg/types/spantypes/flamegraph_span.go

@@ -0,0 +1,102 @@
+package spantypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
+)
+
+type FlamegraphSpan struct {
+	SpanID       string            `json:"spanId" required:"true"`
+	ParentSpanID string            `json:"parentSpanId" required:"true"`
+	Timestamp    uint64            `json:"timestamp" required:"true"`
+	DurationNano uint64            `json:"durationNano" required:"true"`
+	HasError     bool              `json:"hasError" required:"true"`
+	Name         string            `json:"name" required:"true"`
+	Level        int64             `json:"level" required:"true"`
+	Events       []Event           `json:"event" required:"true" nullable:"false"`
+	Attributes   map[string]any    `json:"attributes" required:"true" nullable:"false"`
+	Resource     map[string]string `json:"resource" required:"true" nullable:"false"`
+	Children     []*FlamegraphSpan `json:"-"` // internal tree use only
+}
+
+// FlamegraphLevel groups span IDs at a single level within the selected window.
+type FlamegraphLevel struct {
+	Level   int64
+	SpanIDs []string
+}
+
+type PostableFlamegraph struct {
+	SelectedSpanID string                             `json:"selectedSpanId"`
+	SelectFields   []telemetrytypes.TelemetryFieldKey `json:"selectFields,omitempty"`
+}
+
+// GettableFlamegraphTrace is the response for the v3 flamegraph API.
+type GettableFlamegraphTrace struct {
+	Spans                [][]*FlamegraphSpan `json:"spans" required:"true" nullable:"false"`
+	StartTimestampMillis int64               `json:"startTimestampMillis" required:"true"`
+	EndTimestampMillis   int64               `json:"endTimestampMillis" required:"true"`
+	HasMore              bool                `json:"hasMore" required:"true"`
+}
+
+func NewGettableFlamegraphTrace(spans [][]*FlamegraphSpan, startMs, endMs int64, hasMore bool) *GettableFlamegraphTrace {
+	return &GettableFlamegraphTrace{
+		Spans:                spans,
+		StartTimestampMillis: startMs,
+		EndTimestampMillis:   endMs,
+		HasMore:              hasMore,
+	}
+}
+
+func NewFlamegraphSpanFromStorable(s *StorableSpan, level int64, selectFields []telemetrytypes.TelemetryFieldKey) *FlamegraphSpan {
+	span := &FlamegraphSpan{
+		SpanID:       s.SpanID,
+		ParentSpanID: s.ParentSpanID,
+		Timestamp:    uint64(s.StartTime.UnixNano()),
+		DurationNano: s.DurationNano,
+		HasError:     s.HasError,
+		Name:         s.Name,
+		Level:        level,
+		Events:       s.UnmarshalledEvents(),
+		Attributes:   make(map[string]any),
+		Resource:     make(map[string]string),
+	}
+	if len(selectFields) == 0 {
+		return span
+	}
+	for _, field := range selectFields {
+		switch field.FieldContext {
+		case telemetrytypes.FieldContextResource:
+			if v, ok := s.ResourcesString[field.Name]; ok && v != "" {
+				span.Resource[field.Name] = v
+			}
+		case telemetrytypes.FieldContextAttribute:
+			if v := s.AttributeValue(field.Name); v != nil {
+				span.Attributes[field.Name] = v
+			}
+		}
+	}
+	return span
+}
+
+func NewMissingParentFlamegraphSpan(node *FlamegraphSpan) *FlamegraphSpan {
+	return &FlamegraphSpan{
+		SpanID:       node.ParentSpanID,
+		Name:         "Missing Span",
+		Timestamp:    node.Timestamp,
+		DurationNano: node.DurationNano,
+		Events:       []Event{},
+		Children:     []*FlamegraphSpan{node},
+	}
+}
+
+// FlamegraphWindowSpanIDs collects all span IDs from a level window into a flat slice.
+func FlamegraphWindowSpanIDs(window []FlamegraphLevel) []string {
+	total := 0
+	for _, lvl := range window {
+		total += len(lvl.SpanIDs)
+	}
+	ids := make([]string, 0, total)
+	for _, lvl := range window {
+		ids = append(ids, lvl.SpanIDs...)
+	}
+	return ids
+}

pkg/types/spantypes/flamegraph_trace.go

@@ -0,0 +1,111 @@
+package spantypes
+
+import (
+	"sort"
+
+	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
+)
+
+// FlamegraphTrace holds the level wise tree built from minimal spans.
+type FlamegraphTrace struct {
+	roots     []*FlamegraphSpan
+	nodeByID  map[string]*FlamegraphSpan
+	startTime uint64
+	endTime   uint64
+}
+
+func NewFlamegraphTraceFromMinimal(spans []MinimalSpan) *FlamegraphTrace {
+	t := &FlamegraphTrace{
+		nodeByID: make(map[string]*FlamegraphSpan, len(spans)),
+	}
+	for i := range spans {
+		node := spans[i].ToFlamegraphSpan()
+		t.updateTimeRange(node.Timestamp, node.DurationNano)
+		t.nodeByID[node.SpanID] = node
+	}
+	t.buildSpanTree()
+	return t
+}
+
+func NewFlamegraphTraceFromStorable(spans []StorableSpan, selectFields []telemetrytypes.TelemetryFieldKey) *FlamegraphTrace {
+	t := &FlamegraphTrace{
+		nodeByID: make(map[string]*FlamegraphSpan, len(spans)),
+	}
+	for i := range spans {
+		node := NewFlamegraphSpanFromStorable(&spans[i], 0, selectFields) // level is set later by BFS
+		t.updateTimeRange(node.Timestamp, node.DurationNano)
+		t.nodeByID[node.SpanID] = node
+	}
+	t.buildSpanTree()
+	return t
+}
+
+func (t *FlamegraphTrace) GetAllLevels() [][]*FlamegraphSpan {
+	return nil
+}
+
+// GetSelectedLevels returns the window of levels around selectedSpanID with sampling applied to dense levels.
+func (t *FlamegraphTrace) GetSelectedLevels(selectedSpanID string, levelLimit, spansPerLevel, topLatencyCount, bucketCount int) []FlamegraphLevel {
+	return nil
+}
+
+func (t *FlamegraphTrace) EnrichSelectedSpans(selectedSpans []FlamegraphLevel, fullSpans []StorableSpan, selectFields []telemetrytypes.TelemetryFieldKey) [][]*FlamegraphSpan {
+	fullByID := make(map[string]*StorableSpan, len(fullSpans))
+	for i := range fullSpans {
+		fullByID[fullSpans[i].SpanID] = &fullSpans[i]
+	}
+
+	result := make([][]*FlamegraphSpan, len(selectedSpans))
+	for i, lvl := range selectedSpans {
+		result[i] = make([]*FlamegraphSpan, 0, len(lvl.SpanIDs))
+		for _, spanID := range lvl.SpanIDs {
+			if full, ok := fullByID[spanID]; ok {
+				result[i] = append(result[i], NewFlamegraphSpanFromStorable(full, lvl.Level, selectFields))
+			} else if lean, ok := t.nodeByID[spanID]; ok {
+				result[i] = append(result[i], lean)
+			}
+		}
+	}
+	return result
+}
+
+func (t *FlamegraphTrace) updateTimeRange(timestamp, durationNano uint64) {
+	if t.startTime == 0 || timestamp < t.startTime {
+		t.startTime = timestamp
+	}
+	if end := timestamp + durationNano; end > t.endTime {
+		t.endTime = end
+	}
+}
+
+func (t *FlamegraphTrace) buildSpanTree() {
+	for _, node := range t.nodeByID {
+		if node.ParentSpanID != "" {
+			if parent, ok := t.nodeByID[node.ParentSpanID]; ok {
+				parent.Children = append(parent.Children, node)
+			} else {
+				missing := NewMissingParentFlamegraphSpan(node)
+				t.nodeByID[missing.SpanID] = missing
+				t.roots = append(t.roots, missing)
+			}
+		} else if flamegraphSpanIndex(t.roots, node.SpanID) == -1 {
+			t.roots = append(t.roots, node)
+		}
+	}
+
+	sort.Slice(t.roots, func(i, j int) bool {
+		if t.roots[i].Timestamp == t.roots[j].Timestamp {
+			return t.roots[i].SpanID < t.roots[j].SpanID
+		}
+		return t.roots[i].Timestamp < t.roots[j].Timestamp
+	})
+}
+
+func flamegraphSpanIndex(spans []*FlamegraphSpan, spanID string) int {
+	for i, s := range spans {
+		if s.SpanID == spanID {
+			return i
+		}
+	}
+	return -1
+}

pkg/types/spantypes/store.go

@@ -30,6 +30,7 @@ type TraceStore interface {
 	GetTraceSpans(ctx context.Context, traceID string, summary *TraceSummary) ([]StorableSpan, error)
 	GetMinimalSpans(ctx context.Context, traceID string, start, end time.Time) ([]MinimalSpan, error)
 	GetTraceSpansByIDs(ctx context.Context, traceID string, start, end time.Time, spanIDs []string) ([]StorableSpan, error)
+	GetFlamegraphSpans(ctx context.Context, traceID string, start, end time.Time, spanIDs []string) ([]StorableSpan, error)
 
 	GetSpanCountByField(ctx context.Context, traceID string, summary *TraceSummary, fieldKey telemetrytypes.TelemetryFieldKey) (map[string]uint64, error)
 	GetSpanDurationByField(ctx context.Context, traceID string, summary *TraceSummary, fieldKey telemetrytypes.TelemetryFieldKey) (map[string]uint64, error)

pkg/types/spantypes/waterfall_span.go

@@ -164,6 +164,17 @@ func (item *MinimalSpan) ToWaterfallSpan(traceID string) *WaterfallSpan {
 	}
 }
 
+func (item *MinimalSpan) ToFlamegraphSpan() *FlamegraphSpan {
+	return &FlamegraphSpan{
+		SpanID:       item.SpanID,
+		ParentSpanID: item.ParentSpanID,
+		Timestamp:    uint64(item.StartTime.UnixNano()),
+		DurationNano: item.DurationNano,
+		HasError:     item.HasError,
+		Children:     make([]*FlamegraphSpan, 0),
+	}
+}
+
 // NewMissingWaterfallSpan creates a synthetic placeholder span for a parent that has no recorded data.
 func NewMissingWaterfallSpan(spanID, traceID string, timeUnixNano, durationNano uint64) *WaterfallSpan {
 	return &WaterfallSpan{
@@ -267,6 +278,19 @@ func (ws *WaterfallSpan) getPathToSelectedSpanID(selectedSpanID string) ([]strin
 	return nil, false
 }
 
+func (item *StorableSpan) AttributeValue(name string) any {
+	if v, ok := item.AttributesString[name]; ok {
+		return v
+	}
+	if v, ok := item.AttributesNumber[name]; ok {
+		return v
+	}
+	if v, ok := item.AttributesBool[name]; ok {
+		return v
+	}
+	return nil
+}
+
 func (item *StorableSpan) Attributes() map[string]any {
 	attributes := make(map[string]any, len(item.AttributesString)+len(item.AttributesNumber)+len(item.AttributesBool))
 	for k, v := range item.AttributesString {
@@ -296,7 +320,7 @@ func (item *StorableSpan) UnmarshalledEvents() []Event {
 func (item *StorableSpan) UnmarshalledRefs() []OtelSpanRef {
 	refs := []OtelSpanRef{}
 	if err := json.Unmarshal([]byte(item.References), &refs); err != nil {
-		return nil // skip malformed values
+		return []OtelSpanRef{} // skip malformed values
 	}
 	return refs
 }