prettier

alerting docs: update docs for slack
Custom Routes: use existing server's mux container instead of gorilla.Mux (#115605 )
2026-01-09 14:12:31 -06:00 · 2026-01-08 15:32:19 -06:00 · 2026-01-07 12:46:27 -08:00 · 2026-01-07 15:46:02 -05:00 · 2026-01-07 14:29:59 -06:00 · 2026-01-07 19:35:33 +00:00
186 changed files with 3836 additions and 1212 deletions
@@ -129,7 +129,7 @@ DashboardLink: {
 	placement?: DashboardLinkPlacement
 }

-// Dashboard Link placement. Defines where the link should be displayed. 
+// Dashboard Link placement. Defines where the link should be displayed.
 // - "inControlsMenu" renders the link in bottom part of the dashboard controls dropdown menu
 DashboardLinkPlacement: "inControlsMenu"

@@ -932,6 +932,7 @@ CustomVariableSpec: {
 	skipUrlSync:  bool | *false
 	description?: string
 	allowCustomValue: bool | *true
+	valuesFormat?: "csv" | "json"
 }

 // Custom variable kind
@@ -935,6 +935,7 @@ CustomVariableSpec: {
 	skipUrlSync:  bool | *false
 	description?: string
 	allowCustomValue: bool | *true
+	valuesFormat?: "csv" | "json"
 }

 // Custom variable kind
@@ -222,8 +222,10 @@ lineage: schemas: [{
 			// Optional field, if you want to extract part of a series name or metric node segment.
 			// Named capture groups can be used to separate the display text and value.
 			regex?: string
-      // Determine whether regex applies to variable value or display text
-      regexApplyTo?: #VariableRegexApplyTo
+			// Optional, indicates whether a custom type variable uses CSV or JSON to define its values
+			valuesFormat?: "csv" | "json" | *"csv"
+			// Determine whether regex applies to variable value or display text
+			regexApplyTo?: #VariableRegexApplyTo
 			// Additional static options for query variable
 			staticOptions?: [...#VariableOption]
 			// Ordering of static options in relation to options returned from data source for query variable
@@ -222,8 +222,10 @@ lineage: schemas: [{
 			// Optional field, if you want to extract part of a series name or metric node segment.
 			// Named capture groups can be used to separate the display text and value.
 			regex?: string
-      // Determine whether regex applies to variable value or display text
-      regexApplyTo?: #VariableRegexApplyTo
+			// Optional, indicates whether a custom type variable uses CSV or JSON to define its values
+			valuesFormat?: "csv" | "json" | *"csv"
+			// Determine whether regex applies to variable value or display text
+			regexApplyTo?: #VariableRegexApplyTo
 			// Additional static options for query variable
 			staticOptions?: [...#VariableOption]
 			// Ordering of static options in relation to options returned from data source for query variable
@@ -133,7 +133,7 @@ DashboardLink: {
 	placement?: DashboardLinkPlacement
 }

-// Dashboard Link placement. Defines where the link should be displayed. 
+// Dashboard Link placement. Defines where the link should be displayed.
 // - "inControlsMenu" renders the link in bottom part of the dashboard controls dropdown menu
 DashboardLinkPlacement: "inControlsMenu"

@@ -936,6 +936,7 @@ CustomVariableSpec: {
 	skipUrlSync:  bool | *false
 	description?: string
 	allowCustomValue: bool | *true
+	valuesFormat?: "csv" | "json"
 }

 // Custom variable kind
@@ -1703,18 +1703,19 @@ func NewDashboardCustomVariableKind() *DashboardCustomVariableKind {
 // Custom variable specification
 // +k8s:openapi-gen=true
 type DashboardCustomVariableSpec struct {
-	Name             string                    `json:"name"`
-	Query            string                    `json:"query"`
-	Current          DashboardVariableOption   `json:"current"`
-	Options          []DashboardVariableOption `json:"options"`
-	Multi            bool                      `json:"multi"`
-	IncludeAll       bool                      `json:"includeAll"`
-	AllValue         *string                   `json:"allValue,omitempty"`
-	Label            *string                   `json:"label,omitempty"`
-	Hide             DashboardVariableHide     `json:"hide"`
-	SkipUrlSync      bool                      `json:"skipUrlSync"`
-	Description      *string                   `json:"description,omitempty"`
-	AllowCustomValue bool                      `json:"allowCustomValue"`
+	Name             string                                   `json:"name"`
+	Query            string                                   `json:"query"`
+	Current          DashboardVariableOption                  `json:"current"`
+	Options          []DashboardVariableOption                `json:"options"`
+	Multi            bool                                     `json:"multi"`
+	IncludeAll       bool                                     `json:"includeAll"`
+	AllValue         *string                                  `json:"allValue,omitempty"`
+	Label            *string                                  `json:"label,omitempty"`
+	Hide             DashboardVariableHide                    `json:"hide"`
+	SkipUrlSync      bool                                     `json:"skipUrlSync"`
+	Description      *string                                  `json:"description,omitempty"`
+	AllowCustomValue bool                                     `json:"allowCustomValue"`
+	ValuesFormat     *DashboardCustomVariableSpecValuesFormat `json:"valuesFormat,omitempty"`
 }

 // NewDashboardCustomVariableSpec creates a new DashboardCustomVariableSpec object.
@@ -2098,6 +2099,14 @@ const (
 	DashboardQueryVariableSpecStaticOptionsOrderSorted DashboardQueryVariableSpecStaticOptionsOrder = "sorted"
 )

+// +k8s:openapi-gen=true
+type DashboardCustomVariableSpecValuesFormat string
+
+const (
+	DashboardCustomVariableSpecValuesFormatCsv  DashboardCustomVariableSpecValuesFormat = "csv"
+	DashboardCustomVariableSpecValuesFormatJson DashboardCustomVariableSpecValuesFormat = "json"
+)
+
 // +k8s:openapi-gen=true
 type DashboardPanelKindOrLibraryPanelKind struct {
 	PanelKind        *DashboardPanelKind        `json:"PanelKind,omitempty"`
@@ -1548,6 +1548,12 @@ func schema_pkg_apis_dashboard_v2alpha1_DashboardCustomVariableSpec(ref common.R
 							Format:  "",
 						},
 					},
+					"valuesFormat": {
+						SchemaProps: spec.SchemaProps{
+							Type:   []string{"string"},
+							Format: "",
+						},
+					},
 				},
 				Required: []string{"name", "query", "current", "options", "multi", "includeAll", "hide", "skipUrlSync", "allowCustomValue"},
 			},
@@ -939,6 +939,7 @@ CustomVariableSpec: {
 	skipUrlSync:  bool | *false
 	description?: string
 	allowCustomValue: bool | *true
+	valuesFormat?: "csv" | "json"
 }

 // Custom variable kind
@@ -1707,18 +1707,19 @@ func NewDashboardCustomVariableKind() *DashboardCustomVariableKind {
 // Custom variable specification
 // +k8s:openapi-gen=true
 type DashboardCustomVariableSpec struct {
-	Name             string                    `json:"name"`
-	Query            string                    `json:"query"`
-	Current          DashboardVariableOption   `json:"current"`
-	Options          []DashboardVariableOption `json:"options"`
-	Multi            bool                      `json:"multi"`
-	IncludeAll       bool                      `json:"includeAll"`
-	AllValue         *string                   `json:"allValue,omitempty"`
-	Label            *string                   `json:"label,omitempty"`
-	Hide             DashboardVariableHide     `json:"hide"`
-	SkipUrlSync      bool                      `json:"skipUrlSync"`
-	Description      *string                   `json:"description,omitempty"`
-	AllowCustomValue bool                      `json:"allowCustomValue"`
+	Name             string                                   `json:"name"`
+	Query            string                                   `json:"query"`
+	Current          DashboardVariableOption                  `json:"current"`
+	Options          []DashboardVariableOption                `json:"options"`
+	Multi            bool                                     `json:"multi"`
+	IncludeAll       bool                                     `json:"includeAll"`
+	AllValue         *string                                  `json:"allValue,omitempty"`
+	Label            *string                                  `json:"label,omitempty"`
+	Hide             DashboardVariableHide                    `json:"hide"`
+	SkipUrlSync      bool                                     `json:"skipUrlSync"`
+	Description      *string                                  `json:"description,omitempty"`
+	AllowCustomValue bool                                     `json:"allowCustomValue"`
+	ValuesFormat     *DashboardCustomVariableSpecValuesFormat `json:"valuesFormat,omitempty"`
 }

 // NewDashboardCustomVariableSpec creates a new DashboardCustomVariableSpec object.
@@ -2133,6 +2134,14 @@ const (
 	DashboardQueryVariableSpecStaticOptionsOrderSorted DashboardQueryVariableSpecStaticOptionsOrder = "sorted"
 )

+// +k8s:openapi-gen=true
+type DashboardCustomVariableSpecValuesFormat string
+
+const (
+	DashboardCustomVariableSpecValuesFormatCsv  DashboardCustomVariableSpecValuesFormat = "csv"
+	DashboardCustomVariableSpecValuesFormatJson DashboardCustomVariableSpecValuesFormat = "json"
+)
+
 // +k8s:openapi-gen=true
 type DashboardPanelKindOrLibraryPanelKind struct {
 	PanelKind        *DashboardPanelKind        `json:"PanelKind,omitempty"`
@@ -1560,6 +1560,12 @@ func schema_pkg_apis_dashboard_v2beta1_DashboardCustomVariableSpec(ref common.Re
 							Format:  "",
 						},
 					},
+					"valuesFormat": {
+						SchemaProps: spec.SchemaProps{
+							Type:   []string{"string"},
+							Format: "",
+						},
+					},
 				},
 				Required: []string{"name", "query", "current", "options", "multi", "includeAll", "hide", "skipUrlSync", "allowCustomValue"},
 			},
@@ -1336,6 +1336,17 @@ func buildCustomVariable(varMap map[string]interface{}, commonProps CommonVariab
 		customVar.Spec.AllValue = &allValue
 	}

+	if valuesFormat := schemaversion.GetStringValue(varMap, "valuesFormat"); valuesFormat != "" {
+		switch valuesFormat {
+		case string(dashv2alpha1.DashboardCustomVariableSpecValuesFormatJson):
+			format := dashv2alpha1.DashboardCustomVariableSpecValuesFormatJson
+			customVar.Spec.ValuesFormat = &format
+		case string(dashv2alpha1.DashboardCustomVariableSpecValuesFormatCsv):
+			format := dashv2alpha1.DashboardCustomVariableSpecValuesFormatCsv
+			customVar.Spec.ValuesFormat = &format
+		}
+	}
+
 	return dashv2alpha1.DashboardVariableKind{
 		CustomVariableKind: customVar,
 	}, nil
@@ -685,6 +685,7 @@ func convertVariable_V2alpha1_to_V2beta1(in *dashv2alpha1.DashboardVariableKind,
 				SkipUrlSync:      in.CustomVariableKind.Spec.SkipUrlSync,
 				Description:      in.CustomVariableKind.Spec.Description,
 				AllowCustomValue: in.CustomVariableKind.Spec.AllowCustomValue,
+				ValuesFormat:     convertCustomValuesFormat_V2alpha1_to_V2beta1(in.CustomVariableKind.Spec.ValuesFormat),
 			},
 		}
 	}
@@ -758,6 +759,23 @@ func convertVariable_V2alpha1_to_V2beta1(in *dashv2alpha1.DashboardVariableKind,
 	return nil
 }

+func convertCustomValuesFormat_V2alpha1_to_V2beta1(in *dashv2alpha1.DashboardCustomVariableSpecValuesFormat) *dashv2beta1.DashboardCustomVariableSpecValuesFormat {
+	if in == nil {
+		return nil
+	}
+
+	switch *in {
+	case dashv2alpha1.DashboardCustomVariableSpecValuesFormatJson:
+		v := dashv2beta1.DashboardCustomVariableSpecValuesFormatJson
+		return &v
+	case dashv2alpha1.DashboardCustomVariableSpecValuesFormatCsv:
+		v := dashv2beta1.DashboardCustomVariableSpecValuesFormatCsv
+		return &v
+	default:
+		return nil
+	}
+}
+
 func convertQueryVariableSpec_V2alpha1_to_V2beta1(in *dashv2alpha1.DashboardQueryVariableSpec, out *dashv2beta1.DashboardQueryVariableSpec, scope conversion.Scope) error {
 	out.Name = in.Name
 	out.Current = convertVariableOption_V2alpha1_to_V2beta1(in.Current)
@@ -82,8 +82,8 @@ cloud.google.com/go/storage v1.55.0 h1:NESjdAToN9u1tmhVqhXCaCwYBuvEhZLLv0gBr+2zn
 cloud.google.com/go/storage v1.55.0/go.mod h1:ztSmTTwzsdXe5syLVS0YsbFxXuvEmEyZj7v7zChEmuY=
 cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4=
 cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI=
-connectrpc.com/connect v1.18.1 h1:PAg7CjSAGvscaf6YZKUefjoih5Z/qYkyaTrBW8xvYPw=
-connectrpc.com/connect v1.18.1/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8=
+connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
+connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819 h1:Zh+Ur3OsoWpvALHPLT45nOekHkgOt+IOfutBbPqM17I=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819/go.mod h1:WjmQxb+W6nVNCgj8nXrF24lIz95AHwnSl36tpjDZSU8=
 cuelang.org/go v0.11.1 h1:pV+49MX1mmvDm8Qh3Za3M786cty8VKPWzQ1Ho4gZRP0=
@@ -749,6 +749,8 @@ github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ=
 github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
 github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
+github.com/google/gnostic v0.7.1 h1:t5Kc7j/8kYr8t2u11rykRrPPovlEMG4+xdc/SpekATs=
+github.com/google/gnostic v0.7.1/go.mod h1:KSw6sxnxEBFM8jLPfJd46xZP+yQcfE8XkiqfZx5zR28=
 github.com/google/gnostic-models v0.7.1 h1:SisTfuFKJSKM5CPZkffwi6coztzzeYUhc3v4yxLWH8c=
 github.com/google/gnostic-models v0.7.1/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -887,8 +889,8 @@ github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604
 github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604/go.mod h1:O/QP1BCm0HHIzbKvgMzqb5sSyH88rzkFk84F4TfJjBU=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasnuOY813tbMN8i/a3Og=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
-github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae h1:35W3Wjp9KWnSoV/DuymmyIj5aHE0CYlDQ5m2KeXUPAc=
-github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae/go.mod h1:6CJ1uXmLZ13ufpO9xE4pST+DyaBt0uszzrV0YnoaVLQ=
+github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f h1:fTlIj5n4x5dU63XHItug7GLjtnaeJdPqBlqg4zlABq0=
+github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f/go.mod h1:VBNcIhunCZsJ3/mcYx+j7uFf0P/108eiWa+8+Z9ll3o=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
 github.com/grafana/sqlds/v5 v5.0.3 h1:+yUMUxfa0WANQsmS9xtTFSRX1Q55Iv1B9EjlrW4VlBU=
@@ -217,6 +217,13 @@ metaV0Alpha1: {
 		title:        string
 		description?: string
 	}]
+	// +listType=atomic
+	addedFunctions?: [...{
+		// +listType=set
+		targets: [...string]
+		title:        string
+		description?: string
+	}]
 	// +listType=set
 	// +listMapKey=id
 	exposedComponents?: [...{
@@ -193,6 +193,8 @@ type MetaExtensions struct {
 	AddedComponents []MetaV0alpha1ExtensionsAddedComponents `json:"addedComponents,omitempty"`
 	// +listType=atomic
 	AddedLinks []MetaV0alpha1ExtensionsAddedLinks `json:"addedLinks,omitempty"`
+	// +listType=atomic
+	AddedFunctions []MetaV0alpha1ExtensionsAddedFunctions `json:"addedFunctions,omitempty"`
 	// +listType=set
 	// +listMapKey=id
 	ExposedComponents []MetaV0alpha1ExtensionsExposedComponents `json:"exposedComponents,omitempty"`
@@ -396,6 +398,21 @@ func NewMetaV0alpha1ExtensionsAddedLinks() *MetaV0alpha1ExtensionsAddedLinks {
 	}
 }

+// +k8s:openapi-gen=true
+type MetaV0alpha1ExtensionsAddedFunctions struct {
+	// +listType=set
+	Targets     []string `json:"targets"`
+	Title       string   `json:"title"`
+	Description *string  `json:"description,omitempty"`
+}
+
+// NewMetaV0alpha1ExtensionsAddedFunctions creates a new MetaV0alpha1ExtensionsAddedFunctions object.
+func NewMetaV0alpha1ExtensionsAddedFunctions() *MetaV0alpha1ExtensionsAddedFunctions {
+	return &MetaV0alpha1ExtensionsAddedFunctions{
+		Targets: []string{},
+	}
+}
+
 // +k8s:openapi-gen=true
 type MetaV0alpha1ExtensionsExposedComponents struct {
 	Id          string  `json:"id"`
@@ -367,7 +367,8 @@ func jsonDataToMetaJSONData(jsonData plugins.JSONData) pluginsv0alpha1.MetaJSOND

 	// Map Extensions
 	if len(jsonData.Extensions.AddedLinks) > 0 || len(jsonData.Extensions.AddedComponents) > 0 ||
-		len(jsonData.Extensions.ExposedComponents) > 0 || len(jsonData.Extensions.ExtensionPoints) > 0 {
+		len(jsonData.Extensions.ExposedComponents) > 0 || len(jsonData.Extensions.ExtensionPoints) > 0 ||
+		len(jsonData.Extensions.AddedFunctions) > 0 {
 		extensions := &pluginsv0alpha1.MetaExtensions{}

 		if len(jsonData.Extensions.AddedLinks) > 0 {
@@ -398,6 +399,20 @@ func jsonDataToMetaJSONData(jsonData plugins.JSONData) pluginsv0alpha1.MetaJSOND
 			}
 		}

+		if len(jsonData.Extensions.AddedFunctions) > 0 {
+			extensions.AddedFunctions = make([]pluginsv0alpha1.MetaV0alpha1ExtensionsAddedFunctions, 0, len(jsonData.Extensions.AddedFunctions))
+			for _, comp := range jsonData.Extensions.AddedFunctions {
+				v0Comp := pluginsv0alpha1.MetaV0alpha1ExtensionsAddedFunctions{
+					Targets: comp.Targets,
+					Title:   comp.Title,
+				}
+				if comp.Description != "" {
+					v0Comp.Description = &comp.Description
+				}
+				extensions.AddedFunctions = append(extensions.AddedFunctions, v0Comp)
+			}
+		}
+
 		if len(jsonData.Extensions.ExposedComponents) > 0 {
 			extensions.ExposedComponents = make([]pluginsv0alpha1.MetaV0alpha1ExtensionsExposedComponents, 0, len(jsonData.Extensions.ExposedComponents))
 			for _, comp := range jsonData.Extensions.ExposedComponents {
@@ -48,6 +48,14 @@ Recording rules can be helpful in various scenarios, such as:

 The evaluation group of the recording rule determines how often the metric is pre-computed.

+## Recommendations
+
+- **Use frequent evaluation intervals**. Set frequent evaluation intervals for recording rules. Long intervals, such as an hour, can cause the recorded metric to be stale and lead to misaligned alert rule evaluations, especially when combined with a long pending period.
+- **Align alert evaluation with recording frequency**. The evaluation interval of an alert rule that depends on a recorded metric should be aligned with the recording rule's interval. If a recording rule runs every 3 minutes, the alert rule should also be evaluated at a similar frequency to ensure it acts on fresh data.
+- **Use `_over_time` functions for instant queries**. Since all alert rules are ultimately executed as an instant query, you can use functions like `max_over_time(my_metric[5m])` as an instant query. This allows you to get an aggregated value over a period without using a range query and a reduce expression.
+
+## Types of recording rules
+
 Similar to alert rules, Grafana supports two types of recording rules:

 1. [Grafana-managed recording rules](ref:grafana-managed-recording-rules), which can query any Grafana data source supported by alerting. It's the recommended option.
@@ -1,57 +0,0 @@
---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/
-description: This section provides a set of guides for useful alerting practices and recommendations
-keywords:
-  - grafana
-labels:
-  products:
-    - cloud
-    - enterprise
-    - oss
-menuTitle: Best practices
-title: Grafana Alerting best practices
-weight: 170
---
-
-# Grafana Alerting best practices
-
-This section provides a set of guides and examples of best practices for Grafana Alerting. Here you can learn more about how to handle common alert management problems and you can see examples of more advanced usage of Grafana Alerting.
-
-{{< section >}}
-
-Designing and configuring an alert management set up that works takes time. Here are some additional tips on how to create an effective alert management set up:
-
-{{< shared id="alert-planning-fundamentals" >}}
-
-**Which are the key metrics for your business that you want to monitor and alert on?**
-
- Find events that are important to know about and not so trivial or frequent that recipients ignore them.
- Alerts should only be created for big events that require immediate attention or intervention.
- Consider quality over quantity.
-
-**How do you want to organize your alerts and notifications?**
-
- Be selective about who you set to receive alerts. Consider sending them to the right teams, whoever is on call, and the specific channels.
- Think carefully about priority and severity levels.
- Automate as far as possible provisioning Alerting resources with the API or Terraform.
-
-**Which information should you include in notifications?**
-
- Consider who the alert receivers and responders are.
- Share information that helps responders identify and address potential issues.
- Link alerts to dashboards to guide responders on which data to investigate.
-
-**How can you reduce alert fatigue?**
-
- Avoid noisy, unnecessary alerts by using silences, mute timings, or pausing alert rule evaluation.
- Continually tune your alert rules to review effectiveness. Remove alert rules to avoid duplication or ineffective alerts.
- Continually review your thresholds and evaluation rules.
-
-**How should you configure recording rules?**
-
- Use frequent evaluation intervals. It is recommended to set a frequent evaluation interval for recording rules. Long intervals, such as an hour, can cause the recorded metric to be stale and lead to misaligned alert rule evaluations, especially when combined with a long pending period.
- Understand query types. Grafana Alerting uses both **Instant** and **Range** queries. Instant queries fetch a single data point, while Range queries fetch a series of data points over time. When using a Range query in an alert condition, you must use a Reduce expression to aggregate the series into a single value.
- Align alert evaluation with recording frequency. The evaluation interval of an alert rule that depends on a recorded metric should be aligned with the recording rule's interval. If a recording rule runs every 3 minutes, the alert rule should also be evaluated at a similar frequency to ensure it acts on fresh data.
- Use `_over_time` functions for instant queries. Since all alert rules are ultimately executed as an instant query, you can use functions like `max_over_time(my_metric[1h])` as an instant query. This allows you to get an aggregated value over a period without using a range query and a reduce expression.
-
-{{< /shared >}}
@@ -43,7 +43,7 @@ There are two ways of integrating Slack into Grafana Alerting.

 Note that you can only setup one Slack channel per contact point.

-You can customize the `title` and `body` of the Slack message using [notification templates](ref:notification-templates); however, you cannot modify its visual appearance with custom blocks.
+You can customize the `title` and `body` of the Slack message using [notification templates](ref:notification-templates); however, you cannot modify its visual appearance with custom blocks. Additional optional settings are available to customize bot appearance, mentions, and message formatting. Refer to the [Optional settings](#optional-settings) section for more details.

 ## Before you begin

@@ -83,6 +83,47 @@ To create your Slack integration in Grafana Alerting, complete the following ste

 1. Click **Save contact point**.

+## Optional settings
+
+You can configure additional settings to customize your Slack notifications beyond the required fields.
+
+### Customize bot appearance
+
+You can customize how the bot appears in Slack channels:
+
+- **Username**: Override the default bot username that appears in Slack. Set the `username` field to customize the display name.
+- **Icon emoji**: Provide an emoji to use as the icon for the message. Set the `icon_emoji` field (for example, `:rocket:`). This overrides the icon URL.
+- **Icon URL**: Provide a URL to an image to use as the icon for the message. Set the `icon_url` field with the image URL.
+
+### Configure mentions
+
+You can automatically mention users, groups, or the entire channel when notifications are sent:
+
+- **Mention users**: Mention one or more specific users in the notification. Set the `mentionUsers` field with a comma-separated list of user IDs (for example, `U024BE7LH,U024BE7LJ`). To find a user's ID, refer to [Slack's documentation on finding member IDs](https://api.slack.com/methods/users.list).
+
+- **Mention groups**: Mention one or more user groups in the notification. Set the `mentionGroups` field with a comma-separated list of group IDs. You can copy group IDs from the group's Slack profile URL.
+
+- **Mention channel**: Mention the entire channel or active members. Set the `mentionChannel` field to one of the following:
+  - Empty or omit the field to disable channel mentions
+  - `here` to mention every active channel member
+  - `channel` to mention every channel member
+
+### Customize message content
+
+You can customize the notification message using [notification templates](ref:notification-templates):
+
+- **Title**: Set a custom title for the Slack message. Use the `title` field with template variables (for example, `{{ template "slack.default.title" . }}`).
+
+- **Text body**: Set a custom body text for the Slack message. Use the `text` field with template variables (for example, `{{ template "slack.default.text" . }}`).
+
+- **Color**: Set the color of the vertical bar on the left side of the message attachment. Use the `color` field with either:
+
+### Advanced configuration
+
+For specialized environments, you can override the default Slack API endpoint:
+
+- **Endpoint URL**: Specify a custom Slack API endpoint for non-webhook requests. Set the `endpointUrl` field to your custom endpoint. The default is `https://slack.com/api/chat.postMessage`.
+
 ## Next steps

 The Slack contact point is ready to receive alert notifications.
@@ -0,0 +1,22 @@
+---
+canonical: https://grafana.com/docs/grafana/latest/alerting/examples/
+description: This section provides a set of guides for useful alerting practices and recommendations
+keywords:
+  - grafana
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Examples
+title: Examples
+weight: 180
+---
+
+# Examples
+
+This section provides practical examples that show how to work with different types of alerting data, apply alert design patterns, reuse alert logic, and take advantage of specific Grafana Alerting features.
+
+This section includes:
+
+{{< section >}}
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/dynamic-labels
+aliases:
+  - ../best-practices/dynamic-labels/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/dynamic-labels/
+canonical: https://grafana.com/docs/grafana/latest/alerting/examples/dynamic-labels
 description: This example shows how to define dynamic labels based on query values, along with important behavior to keep in mind when using them.
 keywords:
  - grafana
@@ -10,7 +12,7 @@ labels:
    - cloud
    - enterprise
    - oss
-menuTitle: Examples of dynamic labels
+menuTitle: Dynamic labels
 title: Example of dynamic labels in alert instances
 weight: 1104
 refs:
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/dynamic-thresholds
+aliases:
+  - ../best-practices/dynamic-thresholds/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/dynamic-thresholds/
+canonical: https://grafana.com/docs/grafana/latest/alerting/examples/dynamic-thresholds
 description: This example shows how to use a distinct threshold value per dimension using multi-dimensional alerts and a Math expression.
 keywords:
  - grafana
@@ -10,7 +12,7 @@ labels:
    - cloud
    - enterprise
    - oss
-menuTitle: Examples of dynamic thresholds
+menuTitle: Dynamic thresholds
 title: Example of dynamic thresholds per dimension
 weight: 1105
 refs:
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/high-cardinality-alerts/
+aliases:
+  - ../best-practices/high-cardinality-alerts/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/high-cardinality-alerts/
+canonical: https://grafana.com/docs/grafana/latest/alerting/examples/high-cardinality-alerts/
 description: Learn how to detect and alert on high-cardinality metrics that can overload your metrics backend and increase observability costs.
 keywords:
  - grafana
@@ -8,7 +10,7 @@ labels:
    - cloud
    - enterprise
    - oss
-menuTitle: Examples of high-cardinality alerts
+menuTitle: High-cardinality alerts
 title: Examples of high-cardinality alerts
 weight: 1105
 refs:
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/multi-dimensional-alerts/
+aliases:
+  - ../best-practices/multi-dimensional-alerts/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/multi-dimensional-alerts/
+canonical: https://grafana.com/docs/grafana/latest/alerting/examples/multi-dimensional-alerts/
 description: This example shows how a single alert rule can generate multiple alert instances using time series data.
 keywords:
  - grafana
@@ -8,7 +10,7 @@ labels:
    - cloud
    - enterprise
    - oss
-menuTitle: Examples of multi-dimensional alerts
+menuTitle: Multi-dimensional alerts
 title: Example of multi-dimensional alerts on time series data
 weight: 1101
 refs:
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/table-data
+aliases:
+  - ../best-practices/table-data/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/table-data/
+canonical: https://grafana.com/docs/grafana/latest/alerting/examples/table-data
 description: This example shows how to create an alert rule using table data.
 keywords:
  - grafana
@@ -8,7 +10,7 @@ labels:
    - cloud
    - enterprise
    - oss
-menuTitle: Examples of table data
+menuTitle: Table data
 title: Example of alerting on tabular data
 weight: 1102
 refs:
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/trace-based-alerts/
+aliases:
+  - ../best-practices/trace-based-alerts/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/trace-based-alerts/
+canonical: https://grafana.com/docs/grafana/latest/alerting/examples/trace-based-alerts/
 description: This guide provides introductory examples and distinct approaches for setting up trace-based alerts in Grafana.
 keywords:
  - grafana
@@ -8,7 +10,7 @@ labels:
    - cloud
    - enterprise
    - oss
-title: Examples of trace-based alerts
+title: Trace-based alerts
 weight: 1103
 refs:
  testdata-data-source:
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/tutorials/
+aliases:
+  - ../best-practices/tutorials/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/tutorials/
+canonical: https://grafana.com/docs/grafana/latest/alerting/examples/tutorials/
 description: This section provides a set of step-by-step tutorials guides to get started with Grafana Aletings.
 keywords:
  - grafana
@@ -0,0 +1,35 @@
+---
+canonical: https://grafana.com/docs/grafana/latest/alerting/guides/
+description: This section provides a set of guides for useful alerting practices and recommendations
+keywords:
+  - grafana
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Guides
+title: Guides
+weight: 170
+refs:
+  examples:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/examples/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/examples/
+  tutorials:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/examples/tutorials/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/examples/tutorials/
+---
+
+# Guides
+
+Guides in the Grafana Alerting documentation provide best practices and practical recommendations to help you move from a basic alerting setup to real-world use cases.
+
+These guides cover topics such as:
+
+{{< section >}}
+
+For more hands-on examples, refer to [Examples](ref:examples) and [Tutorials](ref:tutorials).
@@ -0,0 +1,201 @@
+---
+aliases:
+  - ../best-practices/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/
+canonical: https://grafana.com/docs/grafana/latest/alerting/guides/best-practices/
+description: Designing and configuring an effective alerting system takes time. This guide focuses on building alerting systems that scale with real-world operations.
+keywords:
+  - grafana
+  - alerting
+  - guide
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Best practices
+title: Best practices
+weight: 1010
+refs:
+  recovery-threshold:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rules/queries-conditions/#recovery-threshold
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/fundamentals/alert-rules/queries-conditions/#recovery-threshold
+  keep-firing-for:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rule-evaluation/#keep-firing-for
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/fundamentals/alert-rule-evaluation/#keep-firing-for
+  pending-period:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rule-evaluation/#pending-period
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/fundamentals/alert-rule-evaluation/#pending-period
+  silences:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/configure-notifications/create-silence/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/configure-notifications/create-silence/
+  timing-options:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/notifications/group-alert-notifications/#timing-options
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/fundamentals/notifications/group-alert-notifications/#timing-options
+  group-alert-notifications:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/notifications/group-alert-notifications/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/fundamentals/notifications/group-alert-notifications/
+  notification-policies:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/notifications/notification-policies/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/fundamentals/notifications/notification-policies/
+  annotations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rules/annotation-label/#annotations
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/fundamentals/alert-rules/annotation-label/#annotations
+  multi-dimensional-alerts:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/examples/multi-dimensional-alerts/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/examples/multi-dimensional-alerts/
+---
+
+# Alerting best practices
+
+Designing and configuring an effective alerting system takes time. This guide focuses on building alerting systems that scale with real-world operations.
+
+The practices described here are intentionally high-level and apply regardless of tooling. Whether you use Prometheus, Grafana Alerting, or another stack, the same constraints apply: complex systems, imperfect signals, and humans on call.
+
+Alerting is never finished. It evolves with incidents, organizational changes, and the systems it’s meant to protect.
+
+{{< shared id="alert-planning-fundamentals" >}}
+
+## Prioritize symptoms, but don’t ignore infrastructure signals
+
+Alerts should primarily detect user-facing failures, not internal component behavior. Users don't care that a pod restarted; they care when the application is slow or failing. Symptom-based alerts tie directly to user impact.
+
+Reliability metrics that impact users—latency, errors, availability—are better paging signals than infrastructure events or internal errors.
+
+That said, infrastructure signals still matter. They can act as early warning indicators and are often useful when alerting maturity is low. A sustained spike in CPU or memory usage might not justify a page, but it can help explain or anticipate symptom-based failures.
+
+Infrastructure alerts tend to be noisy and are often ignored when treated like paging signals. They are usually better suited for lower-severity channels such as dashboards, alert lists, or non-paging destinations like a dedicated Slack channel, where they can be monitored without interrupting on-call.
+
+The key is balance as your alerting matures. Use infrastructure alerts to support diagnosis and prevention, not as a replacement for symptom-based alerts.
+
+## Escalate priority based on confidence
+
+Alert priority is often tied to user impact and the urgency to respond, but confidence should determine when escalation is necessary.
+
+In this context, escalation defines how responders are notified as confidence grows. This can include increasing alert priority, widening notification, paging additional responders, or opening an incident once intervention is clearly required.
+
+Early signals are often ambiguous, and confidence in a non-transient failure is usually low. Paging too early creates noise; paging too late means users are impacted for longer before anyone acts. A small or sudden increase in latency may not justify immediate action, but it can indicate a failure in progress.
+
+Confidence increases as signals become stronger or begin to correlate.
+
+Escalation is justified when issues are sustained or reinforced by multiple signals. For example, high latency combined with a rising error rate, or the same event firing over a sustained period. These patterns reduce the chance of transient noise and increase the likelihood of real impact.
+
+Use confidence in user impact to drive escalation and avoid unnecessary pages.
+
+## Scope alerts for scalability and actionability
+
+In distributed systems, avoid creating separate alert rules for every host, service, or endpoint. Instead, define alert rules that scale automatically using [multi-dimensional alert rules](ref:multi-dimensional-alerts). This reduces rule duplication and allows alerting to scale as the system grows.
+
+Start simple. Default to a single dimension such as `service` or `endpoint` to keep alerts manageable. Add dimensions only when they improve actionability. For example, when missing a dimension like `region` hides failures or doesn't provide enough information to act quickly.
+
+Additional dimensions like `region` or `instance` can help identify the root cause, but more isn't always better.
+
+## Design alerts for first responders and clear actions
+
+Alerts should be designed for the first responder, not the person who created the alert. Anyone on call should be able to understand what's wrong and what to do next without deep knowledge of the system or alert configuration.
+
+Avoid vague alerts that force responders to spend time figuring out context. Every alert should clearly explain why it exists, what triggered it, and how to investigate. Use [annotations](ref:annotations) to link to relevant dashboards and runbooks, which are essential for faster resolution.
+
+Alerts should indicate a real problem and be actionable, even if the impact is low. Informational alerts add noise without improving reliability.
+
+If no action is possible, it shouldn't be an alert—consider using a dashboard instead. Over time, alerts behave like technical debt: easy to create, costly to maintain, and hard to remove.
+
+Review alerts often and remove those that don’t lead to action.
+
+## Alerts should have an owner and system scope
+
+Alerts without ownership are often ignored. Every alert must have an owner: a team responsible for maintaining the alert and responding when it fires.
+
+Alerts must also define a system scope, such as a service or infrastructure component. Scope provides organizational context and connects alerts with ownership. Defining clear scopes is easier when services are treated as first-class entities, and organizations are built around service ownership.
+
+> [Service Center in Grafana Cloud](/docs/grafana-cloud/alerting-and-irm/service-center/) can help operate a service-oriented view of your system and align alert scope with ownership.
+
+After scope, ownership, and alert priority are defined, routing determines where alerts go and how they escalate. **Notification routing is as important as the alerts**.
+
+Alerts should be delivered to the right team and channel based on priority, ownership, and team workflows. Use [notification policies](ref:notification-policies) to define a routing tree that matches the context of your service or scope:
+
+- Define a parent policy for default routing within the scope.
+- Define nested policies for specific cases or higher-priority issues.
+
+## Prevent notification overload with alert grouping
+
+Without alert grouping, responders can receive many notifications for the same underlying problem.
+
+For example, a database failure can trigger several alerts at the same time like increased latency, higher error rates, and internal errors. Paging separately for each symptom quickly turns into notification spam, even though there is a single root cause.
+
+[Notification grouping](ref:group-alert-notifications) consolidates related alerts into a single notification. Instead of receiving multiple pages for the same issue, responders get one alert that represents the incident and includes all related firing alerts.
+
+Grouping should follow operational boundaries such as service or owner, as defined by notification policies. Downstream or cascading failures should be grouped together so they surface as one issue rather than many.
+
+## Mitigate flapping alerts
+
+Short-lived failure spikes often trigger alerts that auto-resolve quickly. Alerting on transient failures creates noise and leads responders to ignore them.
+
+Require issues to persist before alerting. Set a [pending period](ref:pending-period) to define how long a condition must remain true before firing. For example, instead of alerting immediately on high error rate, require it to stay above the threshold for some minutes.
+
+Also, stabilize alerts by tuning query ranges and aggregations. Using raw data makes alerts sensitive to noise. Instead, evaluate over a time window and aggregate the data to smooth short spikes.
+
+```promql
+# Reacts to transient spikes. Avoid this.
+cpu_usage > 90
+
+# Smooth fluctuations.
+avg_over_time(cpu_usage[5m]) > 90
+```
+
+For latency and error-based alerts, percentiles are often more useful than averages:
+
+```promql
+quantile_over_time(0.95, http_duration_seconds[5m]) > 3
+```
+
+Finally, avoid rapid resolve-and-fire notifications by using [`keep_firing_for`](ref:keep-firing-for) or [recovery thresholds](ref:recovery-threshold) to keep alerts active briefly during recovery. Both options reduce flapping and unnecessary notifications.
+
+## Graduate symptom-based alerts into SLOs
+
+When a symptom-based alert fires frequently, it usually indicates a reliability concern that should be measured and managed more deliberately. This is often a sign that the alert could evolve into an [SLO](/docs/grafana-cloud/alerting-and-irm/slo/).
+
+Traditional alerts create pressure to react immediately, while error budgets introduce a buffer of time to act, changing how urgency is handled. Alerts can then be defined in terms of error budget burn rate rather than reacting to every minor deviation.
+
+SLOs also align distinct teams around common reliability goals by providing a shared definition of what "good" looks like. They help consolidate multiple symptom alerts into a single user-facing objective.
+
+For example, instead of several teams alerting on high latency, a single SLO can be used across teams to capture overall API performance.
+
+## Integrate alerting into incident post-mortems
+
+Every incident is an opportunity to improve alerting. After each incident, evaluate whether alerts helped responders act quickly or added unnecessary noise.
+
+Assess which alerts fired, and how they influenced incident response. Review whether alerts triggered too late, too early, or without enough context, and adjust thresholds, priority, or escalation based on what actually happened.
+
+Use [silences](ref:silences) during active incidents to reduce repeated notifications, but scope them carefully to avoid silencing unrelated alerts.
+
+Post-mortems should evaluate alerts with root causes and lessons learned. If responders lacked key information during the incident, enrich alerts with additional context, dashboards, or better guidance.
+
+## Alerts should be continuously improved
+
+Alerting is an iterative process. Alerts that aren’t reviewed and refined lose effectiveness as systems and traffic patterns change.
+
+Schedule regular reviews of existing alerts. Remove alerts that don’t lead to action, and tune alerts or thresholds that fire too often without providing useful signal. Reduce false positives to combat alert fatigue.
+
+Prioritize clarity and simplicity in alert design. Simpler alerts are easier to understand, maintain, and trust under pressure. Favor fewer high-quality, actionable alerts over a large number of low-value ones.
+
+Use dashboards and observability tools for investigation, not alerts.
+
+{{< /shared >}}
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/connectivity-errors/
+aliases:
+  - ../best-practices/connectivity-errors/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/connectivity-errors/
+canonical: https://grafana.com/docs/grafana/latest/alerting/guides/connectivity-errors/
 description: Learn how to detect and handle connectivity issues in alerts using Prometheus, Grafana Alerting, or both.
 keywords:
  - grafana
@@ -14,7 +16,7 @@ labels:
    - oss
 menuTitle: Handle connectivity errors
 title: Handle connectivity errors in alerts
-weight: 1010
+weight: 1020
 refs:
  pending-period:
    - pattern: /docs/grafana/
@@ -1,5 +1,7 @@
 ---
-canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/missing-data/
+aliases:
+  - ../best-practices/missing-data/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/missing-data/
+canonical: https://grafana.com/docs/grafana/latest/alerting/guides/missing-data/
 description: Learn how to detect missing metrics and design alerts that handle gaps in data in Prometheus and Grafana Alerting.
 keywords:
  - grafana
@@ -14,7 +16,7 @@ labels:
    - oss
 menuTitle: Handle missing data
 title: Handle missing data in Grafana Alerting
-weight: 1020
+weight: 1030
 refs:
  connectivity-errors-guide:
    - pattern: /docs/grafana/
@@ -41,9 +41,13 @@ Select a group to expand it and view the list of alert rules within that group.

 The list view includes a number of filters to simplify managing large volumes of alerts.

+## Filter and save searches
+
 Click the **Filter** button to open the filter popup. You can filter by name, label, folder/namespace, evaluation group, data source, contact point, rule source, rule state, rule type, and the health of the alert rule from the popup menu. Click **Apply** at the bottom of the filter popup to enact the filters as you search.

-{{< figure src="/media/docs/alerting/alerting-list-view-filter.png" max-width="750px" alt="Alert rule filter options" >}}
+Click the **Saved searches** button to open the list of previously saved searches, or click **+ Save current search** to add your current search to the saved searches list. You can also rename a saved search or set it as a default search. When you set a saved search as the default search, the Alert rules page opens with the search applied.
+
+{{< figure src="/media/docs/alerting/alerting-saved-searches.png" max-width="750px" alt="Alert rule filter options" >}}

 ## Change alert rules list view

@@ -135,9 +135,12 @@ You can use the **Span Limit** field in **Options** section of the TraceQL query
 This field sets the maximum number of spans to return for each span set.
 By default, the maximum value that you can set for the **Span Limit** value (or the spss query) is 100.
 In Tempo configuration, this value is controlled by the `max_spans_per_span_set` parameter and can be modified by your Tempo administrator.
-Grafana Cloud users can contact Grafana Support to request a change.
 Entering a value higher than the default results in an error.

+{{< admonition type="note" >}}
+Changing the value of `max_spans_per_span_set` isn't supported in Grafana Cloud.
+{{< /admonition >}}
+
 ### Focus on traces or spans

 Under **Options**, you can choose to display the table as **Traces** or **Spans** focused.
@@ -23,6 +23,8 @@ killercoda:

 This tutorial is a continuation of the [Get started with Grafana Alerting - Route alerts using dynamic labels](http://www.grafana.com/tutorials/alerting-get-started-pt5/) tutorial.

+{{< youtube id="mqj_hN24zLU" >}}
+
 <!-- USE CASE -->

 In this tutorial you will learn how to:
@@ -1,6 +1,6 @@
 import { test, expect } from '@grafana/plugin-e2e';

-import { flows, type Variable } from './utils';
+import { flows, saveDashboard, type Variable } from './utils';

 test.use({
  featureToggles: {
@@ -64,20 +64,7 @@ test.describe(
        label: 'VariableUnderTest',
      };

-      // common steps to add a new variable
-      await flows.newEditPaneVariableClick(dashboardPage, selectors);
-      await flows.newEditPanelCommonVariableInputs(dashboardPage, selectors, variable);
-
-      // set the textbox variable value
-      const type = 'variable-type Value';
-      const fieldLabel = dashboardPage.getByGrafanaSelector(
-        selectors.components.PanelEditor.OptionsPane.fieldLabel(type)
-      );
-      await expect(fieldLabel).toBeVisible();
-      const inputField = fieldLabel.locator('input');
-      await expect(inputField).toBeVisible();
-      await inputField.fill(variable.value);
-      await inputField.blur();
+      await flows.addNewTextBoxVariable(dashboardPage, variable);

      // select the variable in the dashboard and confirm the variable value is set
      await dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItem).click();
@@ -140,5 +127,94 @@ test.describe(
      await expect(panelContent).toBeVisible();
      await expect(markdownContent).toContainText('VariableUnderTest: 10m');
    });
+    test('can hide a variable', async ({ dashboardPage, selectors, page }) => {
+      const variable: Variable = {
+        type: 'textbox',
+        name: 'VariableUnderTest',
+        value: 'foo',
+        label: 'VariableUnderTest',
+      };
+
+      await saveDashboard(dashboardPage, page, selectors, 'can hide a variable');
+      await flows.addNewTextBoxVariable(dashboardPage, variable);
+
+      // check the variable is visible in the dashboard
+      const variableLabel = dashboardPage.getByGrafanaSelector(
+        selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label)
+      );
+      await expect(variableLabel).toBeVisible();
+      // hide the variable
+      await dashboardPage
+        .getByGrafanaSelector(selectors.pages.Dashboard.Settings.Variables.Edit.General.generalDisplaySelect)
+        .click();
+      await page.getByText('Hidden', { exact: true }).click();
+
+      // check that the variable is still visible
+      await expect(
+        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
+      ).toBeVisible();
+
+      // save dashboard and exit edit mode and check variable is not visible
+      await saveDashboard(dashboardPage, page, selectors);
+      await dashboardPage.getByGrafanaSelector(selectors.components.NavToolbar.editDashboard.editButton).click();
+      await expect(
+        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
+      ).toBeHidden();
+      // refresh and check that variable isn't visible
+      await page.reload();
+      await expect(
+        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
+      ).toBeHidden();
+      // check that the variable is visible in edit mode
+      await dashboardPage.getByGrafanaSelector(selectors.components.NavToolbar.editDashboard.editButton).click();
+      await expect(
+        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
+      ).toBeVisible();
+    });
+
+    test('can hide variable under the controls menu', async ({ dashboardPage, selectors, page }) => {
+      const variable: Variable = {
+        type: 'textbox',
+        name: 'VariableUnderTest',
+        value: 'foo',
+        label: 'VariableUnderTest',
+      };
+      await saveDashboard(dashboardPage, page, selectors, 'can hide a variable in controls menu');
+
+      await flows.addNewTextBoxVariable(dashboardPage, variable);
+
+      // check the variable is visible in the dashboard
+      const variableLabel = dashboardPage.getByGrafanaSelector(
+        selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label)
+      );
+      await expect(variableLabel).toBeVisible();
+      // hide the variable
+      await dashboardPage
+        .getByGrafanaSelector(selectors.pages.Dashboard.Settings.Variables.Edit.General.generalDisplaySelect)
+        .click();
+      await page.getByText('Controls menu', { exact: true }).click();
+
+      // check that the variable is hidden under the controls menu
+      await expect(
+        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
+      ).toBeHidden();
+      await dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.ControlsButton).click();
+      await expect(
+        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
+      ).toBeVisible();
+
+      // save dashboard and refresh
+      await saveDashboard(dashboardPage, page, selectors);
+      await page.reload();
+
+      //check that the variable is hidden under the controls menu
+      await expect(
+        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
+      ).toBeHidden();
+      await dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.ControlsButton).click();
+      await expect(
+        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
+      ).toBeVisible();
+    });
  }
 );
@@ -79,6 +79,20 @@ export const flows = {
      await variableLabelInput.blur();
    }
  },
+  async addNewTextBoxVariable(dashboardPage: DashboardPage, variable: Variable) {
+    await flows.newEditPaneVariableClick(dashboardPage, selectors);
+    await flows.newEditPanelCommonVariableInputs(dashboardPage, selectors, variable);
+    // set the textbox variable value
+    const type = 'variable-type Value';
+    const fieldLabel = dashboardPage.getByGrafanaSelector(
+      selectors.components.PanelEditor.OptionsPane.fieldLabel(type)
+    );
+    await expect(fieldLabel).toBeVisible();
+    const inputField = fieldLabel.locator('input');
+    await expect(inputField).toBeVisible();
+    await inputField.fill(variable.value);
+    await inputField.blur();
+  },
 };

 export type Variable = {
@@ -89,8 +103,16 @@ export type Variable = {
  value: string;
 };

-export async function saveDashboard(dashboardPage: DashboardPage, page: Page, selectors: E2ESelectorGroups) {
+export async function saveDashboard(
+  dashboardPage: DashboardPage,
+  page: Page,
+  selectors: E2ESelectorGroups,
+  title?: string
+) {
  await dashboardPage.getByGrafanaSelector(selectors.components.NavToolbar.editDashboard.saveButton).click();
+  if (title) {
+    await page.getByTestId(selectors.components.Drawer.DashboardSaveDrawer.saveAsTitleInput).fill(title);
+  }
  await dashboardPage.getByGrafanaSelector(selectors.components.Drawer.DashboardSaveDrawer.saveButton).click();
  await expect(page.getByText('Dashboard saved')).toBeVisible();
 }
@@ -7,7 +7,7 @@ require (
 	buf.build/gen/go/parca-dev/parca/protocolbuffers/go v1.36.2-20250703125925-3f0fcf4bff96.1 // @grafana/observability-traces-and-profiling
 	cloud.google.com/go/kms v1.22.0 // @grafana/grafana-backend-group
 	cloud.google.com/go/storage v1.55.0 // @grafana/grafana-backend-group
-	connectrpc.com/connect v1.18.1 // @grafana/observability-traces-and-profiling
+	connectrpc.com/connect v1.19.1 // @grafana/observability-traces-and-profiling
 	cuelang.org/go v0.11.1 // @grafana/grafana-as-code
 	dario.cat/mergo v1.0.2 // @grafana/grafana-app-platform-squad
 	filippo.io/age v1.2.1 // @grafana/identity-access-team
@@ -33,12 +33,14 @@ require (
 	github.com/armon/go-radix v1.0.0 // @grafana/grafana-app-platform-squad
 	github.com/aws/aws-sdk-go v1.55.7 // @grafana/aws-datasources
 	github.com/aws/aws-sdk-go-v2 v1.40.0 // @grafana/aws-datasources
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.21 // @grafana/grafana-operator-experience-squad
 	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.45.3 // @grafana/aws-datasources
 	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.51.0 // @grafana/aws-datasources
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.225.2 // @grafana/aws-datasources
 	github.com/aws/aws-sdk-go-v2/service/oam v1.18.3 // @grafana/aws-datasources
 	github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.6 // @grafana/aws-datasources
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.40.1 // @grafana/grafana-operator-experience-squad
+	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // @grafana/grafana-operator-experience-squad
 	github.com/aws/smithy-go v1.23.2 // @grafana/aws-datasources
 	github.com/beevik/etree v1.4.1 // @grafana/grafana-backend-group
 	github.com/benbjohnson/clock v1.3.5 // @grafana/alerting-backend
@@ -111,7 +113,7 @@ require (
 	github.com/grafana/nanogit v0.3.0 // indirect; @grafana/grafana-git-ui-sync-team
 	github.com/grafana/otel-profiling-go v0.5.1 // @grafana/grafana-backend-group
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // @grafana/observability-traces-and-profiling
-	github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae // @grafana/observability-traces-and-profiling
+	github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f // @grafana/observability-traces-and-profiling
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // @grafana/grafana-search-and-storage
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // @grafana/plugins-platform-backend
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // @grafana/grafana-backend-group
@@ -343,7 +345,6 @@ require (
 	github.com/at-wat/mqtt-go v0.19.6 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.31.17 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.21 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
@@ -358,7 +359,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
 	github.com/axiomhq/hyperloglog v0.0.0-20240507144631-af9851f82b27 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/barkimedes/go-deepcopy v0.0.0-20220514131651-17c30cfc62df // indirect
@@ -681,6 +681,7 @@ require (
 	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
 	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
 	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
+	github.com/google/gnostic v0.7.1 // indirect
 	github.com/gophercloud/gophercloud/v2 v2.9.0 // indirect
 	github.com/grafana/sqlds/v5 v5.0.3 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
@@ -627,8 +627,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
 cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
 cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
-connectrpc.com/connect v1.18.1 h1:PAg7CjSAGvscaf6YZKUefjoih5Z/qYkyaTrBW8xvYPw=
-connectrpc.com/connect v1.18.1/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8=
+connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
+connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 contrib.go.opencensus.io/exporter/ocagent v0.6.0/go.mod h1:zmKjrJcdo0aYcVS7bmEeSEBLPA9YJp5bjrofdU3pIXs=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819 h1:Zh+Ur3OsoWpvALHPLT45nOekHkgOt+IOfutBbPqM17I=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819/go.mod h1:WjmQxb+W6nVNCgj8nXrF24lIz95AHwnSl36tpjDZSU8=
@@ -1503,6 +1503,8 @@ github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PU
 github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
 github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
+github.com/google/gnostic v0.7.1 h1:t5Kc7j/8kYr8t2u11rykRrPPovlEMG4+xdc/SpekATs=
+github.com/google/gnostic v0.7.1/go.mod h1:KSw6sxnxEBFM8jLPfJd46xZP+yQcfE8XkiqfZx5zR28=
 github.com/google/gnostic-models v0.7.1 h1:SisTfuFKJSKM5CPZkffwi6coztzzeYUhc3v4yxLWH8c=
 github.com/google/gnostic-models v0.7.1/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -1685,8 +1687,8 @@ github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604
 github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604/go.mod h1:O/QP1BCm0HHIzbKvgMzqb5sSyH88rzkFk84F4TfJjBU=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasnuOY813tbMN8i/a3Og=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
-github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae h1:35W3Wjp9KWnSoV/DuymmyIj5aHE0CYlDQ5m2KeXUPAc=
-github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae/go.mod h1:6CJ1uXmLZ13ufpO9xE4pST+DyaBt0uszzrV0YnoaVLQ=
+github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f h1:fTlIj5n4x5dU63XHItug7GLjtnaeJdPqBlqg4zlABq0=
+github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f/go.mod h1:VBNcIhunCZsJ3/mcYx+j7uFf0P/108eiWa+8+Z9ll3o=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
 github.com/grafana/saml v0.4.15-0.20240917091248-ae3bbdad8a56 h1:SDGrP81Vcd102L3UJEryRd1eestRw73wt+b8vnVEFe0=
@@ -755,6 +755,8 @@ github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZP
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/flosch/pongo2/v4 v4.0.2 h1:gv+5Pe3vaSVmiJvh/BZa82b7/00YUGm0PIyVVLop0Hw=
 github.com/flosch/pongo2/v4 v4.0.2/go.mod h1:B5ObFANs/36VwxxlgKpdchIJHMvHB562PW+BWPhwZD8=
+github.com/flowstack/go-jsonschema v0.1.1 h1:dCrjGJRXIlbDsLAgTJZTjhwUJnnxVWl1OgNyYh5nyDc=
+github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0=
 github.com/fluent/fluent-bit-go v0.0.0-20230731091245-a7a013e2473c h1:yKN46XJHYC/gvgH2UsisJ31+n4K3S7QYZSfU2uAWjuI=
 github.com/fluent/fluent-bit-go v0.0.0-20230731091245-a7a013e2473c/go.mod h1:L92h+dgwElEyUuShEwjbiHjseW410WIcNz+Bjutc8YQ=
 github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
@@ -218,8 +218,10 @@ lineage: schemas: [{
 			// Optional field, if you want to extract part of a series name or metric node segment.
 			// Named capture groups can be used to separate the display text and value.
 			regex?: string
-      // Determine whether regex applies to variable value or display text
-      regexApplyTo?: #VariableRegexApplyTo
+			// Optional, indicates whether a custom type variable uses CSV or JSON to define its values
+			valuesFormat?: "csv" | "json" | *"csv"
+			// Determine whether regex applies to variable value or display text
+			regexApplyTo?: #VariableRegexApplyTo
 			// Additional static options for query variable
 			staticOptions?: [...#VariableOption]
 			// Ordering of static options in relation to options returned from data source for query variable
@@ -295,8 +295,8 @@
    "@grafana/plugin-ui": "^0.11.1",
    "@grafana/prometheus": "workspace:*",
    "@grafana/runtime": "workspace:*",
-    "@grafana/scenes": "6.52.0",
-    "@grafana/scenes-react": "6.52.0",
+    "@grafana/scenes": "v6.52.1",
+    "@grafana/scenes-react": "v6.52.1",
    "@grafana/schema": "workspace:*",
    "@grafana/sql": "workspace:*",
    "@grafana/ui": "workspace:*",
@@ -165,9 +165,17 @@ describe('DateMath', () => {
      expect(date!.valueOf()).toEqual(dateTime([2014, 1, 3]).valueOf());
    });

-    it('should handle multiple math expressions', () => {
-      const date = dateMath.parseDateMath('-2d-6h', dateTime([2014, 1, 5]));
-      expect(date!.valueOf()).toEqual(dateTime([2014, 1, 2, 18]).valueOf());
+    it.each([
+      ['-2d-6h', [2014, 1, 5], [2014, 1, 2, 18]],
+      ['-30m-2d', [2014, 1, 5], [2014, 1, 2, 23, 30]],
+      ['-2d-1d', [2014, 1, 5], [2014, 1, 2]],
+      ['-1h-30m', [2014, 1, 5, 12, 0], [2014, 1, 5, 10, 30]],
+      ['-1d-1h-30m', [2014, 1, 5, 12, 0], [2014, 1, 4, 10, 30]],
+      ['+1d-6h', [2014, 1, 5], [2014, 1, 5, 18]],
+      ['-1w-1d', [2014, 1, 14], [2014, 1, 6]],
+    ])('should handle multiple math expressions: %s', (expression, inputDate, expectedDate) => {
+      const date = dateMath.parseDateMath(expression, dateTime(inputDate));
+      expect(date!.valueOf()).toEqual(dateTime(expectedDate).valueOf());
    });

    it('should return false when invalid expression', () => {
@@ -400,10 +400,6 @@ export interface FeatureToggles {
  */
  tableSharedCrosshair?: boolean;
  /**
-  * Use the kubernetes API for feature toggle management in the frontend
-  */
-  kubernetesFeatureToggles?: boolean;
-  /**
  * Enabled grafana cloud specific RBAC roles
  */
  cloudRBACRoles?: boolean;
@@ -699,6 +695,10 @@ export interface FeatureToggles {
  */
  playlistsReconciler?: boolean;
  /**
+  * Enable passwordless login via magic link authentication
+  */
+  passwordlessMagicLinkAuthentication?: boolean;
+  /**
  * Display Related Logs in Grafana Metrics Drilldown
  */
  exploreMetricsRelatedLogs?: boolean;
@@ -1259,4 +1259,8 @@ export interface FeatureToggles {
  * Enables the creation of keepers that manage secrets stored on AWS secrets manager
  */
  secretsManagementAppPlatformAwsKeeper?: boolean;
+  /**
+  * Enables profiles exemplars support in profiles drilldown
+  */
+  profilesExemplars?: boolean;
 }
@@ -103,6 +103,7 @@ export interface IntervalVariableModel extends VariableWithOptions {

 export interface CustomVariableModel extends VariableWithMultiSupport {
  type: 'custom';
+  valuesFormat?: 'csv' | 'json';
 }

 export interface DataSourceVariableModel extends VariableWithMultiSupport {
@@ -266,6 +266,9 @@ export const versionedPages = {
    Controls: {
      '11.1.0': 'data-testid dashboard controls',
    },
+    ControlsButton: {
+      '12.3.0': 'data-testid dashboard controls button',
+    },
    SubMenu: {
      submenu: {
        [MIN_GRAFANA_VERSION]: 'Dashboard submenu',
@@ -25,6 +25,10 @@ export interface GrafanaPyroscopeDataQuery extends common.DataQuery {
   * Allows to group the results.
   */
  groupBy: Array<string>;
+  /**
+   * If set to true, exemplars will be requested
+   */
+  includeExemplars: boolean;
  /**
   * Specifies the query label selectors.
   */
@@ -49,6 +53,7 @@ export interface GrafanaPyroscopeDataQuery extends common.DataQuery {

 export const defaultGrafanaPyroscopeDataQuery: Partial<GrafanaPyroscopeDataQuery> = {
  groupBy: [],
+  includeExemplars: false,
  labelSelector: '{}',
  spanSelector: [],
 };
@@ -211,6 +211,10 @@ export interface VariableModel {
   * Type of variable
   */
  type: VariableType;
+  /**
+   * Optional, indicates whether a custom type variable uses CSV or JSON to define its values
+   */
+  valuesFormat?: ('csv' | 'json');
 }

 export const defaultVariableModel: Partial<VariableModel> = {
@@ -220,6 +224,7 @@ export const defaultVariableModel: Partial<VariableModel> = {
  options: [],
  skipUrlSync: false,
  staticOptions: [],
+  valuesFormat: 'csv',
 };

 /**
@@ -317,6 +317,7 @@ export const handyTestingSchema: Spec = {
        query: 'option1, option2',
        skipUrlSync: false,
        allowCustomValue: true,
+        valuesFormat: 'csv',
      },
    },
    {
@@ -300,7 +300,7 @@ export interface FieldConfig {
 	description?: string;
 	// An explicit path to the field in the datasource.  When the frame meta includes a path,
 	// This will default to `${frame.meta.path}/${field.name}
-	// 
+	//
 	// When defined, this value can be used as an identifier within the datasource scope, and
 	// may be used to update the results
 	path?: string;
@@ -1353,6 +1353,7 @@ export interface CustomVariableSpec {
 	skipUrlSync: boolean;
 	description?: string;
 	allowCustomValue: boolean;
+  valuesFormat?: "csv" | "json";
 }

 export const defaultCustomVariableSpec = (): CustomVariableSpec => ({
@@ -1365,6 +1366,7 @@ export const defaultCustomVariableSpec = (): CustomVariableSpec => ({
 	hide: "dontHide",
 	skipUrlSync: false,
 	allowCustomValue: true,
+  valuesFormat: undefined,
 });

 // Group variable kind
@@ -1549,4 +1551,3 @@ export const defaultSpec = (): Spec => ({
 	title: "",
 	variables: [],
 });
-
@@ -1359,6 +1359,7 @@ export interface CustomVariableSpec {
 	skipUrlSync: boolean;
 	description?: string;
 	allowCustomValue: boolean;
+	valuesFormat?: "csv" | "json";
 }

 export const defaultCustomVariableSpec = (): CustomVariableSpec => ({
@@ -226,7 +226,8 @@ func (hs *HTTPServer) registerRoutes() {
 		r.Post("/api/user/email/start-verify", reqSignedInNoAnonymous, routing.Wrap(hs.StartEmailVerificaton))
 	}

-	if hs.Cfg.PasswordlessMagicLinkAuth.Enabled {
+	//nolint:staticcheck // not yet migrated to OpenFeature
+	if hs.Cfg.PasswordlessMagicLinkAuth.Enabled && hs.Features.IsEnabledGlobally(featuremgmt.FlagPasswordlessMagicLinkAuthentication) {
 		r.Post("/api/login/passwordless/start", requestmeta.SetOwner(requestmeta.TeamAuth), quota(string(auth.QuotaTargetSrv)), hs.StartPasswordless)
 		r.Post("/api/login/passwordless/authenticate", requestmeta.SetOwner(requestmeta.TeamAuth), quota(string(auth.QuotaTargetSrv)), routing.Wrap(hs.LoginPasswordless))
 	}
@@ -204,7 +204,7 @@ func (hs *HTTPServer) DeleteDataSourceById(c *contextmodel.ReqContext) response.
 func (hs *HTTPServer) GetDataSourceByUID(c *contextmodel.ReqContext) response.Response {
 	start := time.Now()
 	defer func() {
-		metricutil.ObserveWithExemplar(c.Req.Context(), hs.dsConfigHandlerRequestsDuration.WithLabelValues("legacy", "GetDataSourceByUID"), time.Since(start).Seconds())
+		metricutil.ObserveWithExemplar(c.Req.Context(), hs.dsConfigHandlerRequestsDuration.WithLabelValues("GetDataSourceByUID"), time.Since(start).Seconds())
 	}()

 	ds, err := hs.getRawDataSourceByUID(c.Req.Context(), web.Params(c.Req)[":uid"], c.GetOrgID())
@@ -240,7 +240,7 @@ func (hs *HTTPServer) GetDataSourceByUID(c *contextmodel.ReqContext) response.Re
 func (hs *HTTPServer) DeleteDataSourceByUID(c *contextmodel.ReqContext) response.Response {
 	start := time.Now()
 	defer func() {
-		metricutil.ObserveWithExemplar(c.Req.Context(), hs.dsConfigHandlerRequestsDuration.WithLabelValues("legacy", "DeleteDataSourceByUID"), time.Since(start).Seconds())
+		metricutil.ObserveWithExemplar(c.Req.Context(), hs.dsConfigHandlerRequestsDuration.WithLabelValues("DeleteDataSourceByUID"), time.Since(start).Seconds())
 	}()

 	uid := web.Params(c.Req)[":uid"]
@@ -375,7 +375,7 @@ func validateJSONData(jsonData *simplejson.Json, cfg *setting.Cfg) error {
 func (hs *HTTPServer) AddDataSource(c *contextmodel.ReqContext) response.Response {
 	start := time.Now()
 	defer func() {
-		metricutil.ObserveWithExemplar(c.Req.Context(), hs.dsConfigHandlerRequestsDuration.WithLabelValues("legacy", "AddDataSource"), time.Since(start).Seconds())
+		metricutil.ObserveWithExemplar(c.Req.Context(), hs.dsConfigHandlerRequestsDuration.WithLabelValues("AddDataSource"), time.Since(start).Seconds())
 	}()

 	cmd := datasources.AddDataSourceCommand{}
@@ -497,7 +497,7 @@ func (hs *HTTPServer) UpdateDataSourceByID(c *contextmodel.ReqContext) response.
 func (hs *HTTPServer) UpdateDataSourceByUID(c *contextmodel.ReqContext) response.Response {
 	start := time.Now()
 	defer func() {
-		metricutil.ObserveWithExemplar(c.Req.Context(), hs.dsConfigHandlerRequestsDuration.WithLabelValues("legacy", "UpdateDataSourceByUID"), time.Since(start).Seconds())
+		metricutil.ObserveWithExemplar(c.Req.Context(), hs.dsConfigHandlerRequestsDuration.WithLabelValues("UpdateDataSourceByUID"), time.Since(start).Seconds())
 	}()
 	cmd := datasources.UpdateDataSourceCommand{}
 	if err := web.Bind(c.Req, &cmd); err != nil {
@@ -91,7 +91,7 @@ func setupDsConfigHandlerMetrics() (prometheus.Registerer, *prometheus.Histogram
 		Namespace: "grafana",
 		Name:      "ds_config_handler_requests_duration_seconds",
 		Help:      "Duration of requests handled by datasource configuration handlers",
-	}, []string{"code_path", "handler"})
+	}, []string{"handler"})
 	promRegister.MustRegister(dsConfigHandlerRequestsDuration)
 	return promRegister, dsConfigHandlerRequestsDuration
 }
@@ -410,7 +410,8 @@ func (hs *HTTPServer) getFrontendSettings(c *contextmodel.ReqContext) (*dtos.Fro
 		DisableSignoutMenu:            hs.Cfg.DisableSignoutMenu,
 	}

-	if hs.Cfg.PasswordlessMagicLinkAuth.Enabled {
+	//nolint:staticcheck // not yet migrated to OpenFeature
+	if hs.Cfg.PasswordlessMagicLinkAuth.Enabled && hs.Features.IsEnabled(c.Req.Context(), featuremgmt.FlagPasswordlessMagicLinkAuthentication) {
 		hasEnabledProviders := hs.samlEnabled() || hs.authnService.IsClientEnabled(authn.ClientLDAP)

 		if !hasEnabledProviders {
@@ -387,7 +387,7 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
 			Namespace: "grafana",
 			Name:      "ds_config_handler_requests_duration_seconds",
 			Help:      "Duration of requests handled by datasource configuration handlers",
-		}, []string{"code_path", "handler"}),
+		}, []string{"handler"}),
 	}

 	promRegister.MustRegister(hs.htmlHandlerRequestsDuration)
@@ -20,7 +20,6 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
 	"github.com/grafana/grafana/pkg/plugins/manager/pluginfakes"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/caching"
@@ -28,6 +27,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/oauthtoken/oauthtokentest"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration"
+	"github.com/grafana/grafana/pkg/services/pluginsintegration/coreplugin"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginconfig"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/plugincontext"
@@ -928,9 +928,10 @@ func getDatasourceProxiedRequest(t *testing.T, ctx *contextmodel.ReqContext, cfg
 	secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 	features := featuremgmt.WithFeatures()
 	quotaService := quotatest.New(false, nil)
+	dsRetriever := datasourceservice.ProvideDataSourceRetriever(sqlStore, features)
 	dsService, err := datasourceservice.ProvideService(nil, secretsService, secretsStore, cfg, features, acimpl.ProvideAccessControl(features),
 		&actest.FakePermissionsService{}, quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{},
-		plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()))
+		plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
 	require.NoError(t, err)
 	proxy, err := NewDataSourceProxy(ds, routes, ctx, "", cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService, tracer, features)
 	require.NoError(t, err)
@@ -1050,9 +1051,11 @@ func runDatasourceAuthTest(t *testing.T, secretsService secrets.Service, secrets
 	var routes []*plugins.Route
 	features := featuremgmt.WithFeatures()
 	quotaService := quotatest.New(false, nil)
-	dsService, err := datasourceservice.ProvideService(nil, secretsService, secretsStore, cfg, features, acimpl.ProvideAccessControl(features),
+	var sqlStore db.DB = nil
+	dsRetriever := datasourceservice.ProvideDataSourceRetriever(sqlStore, features)
+	dsService, err := datasourceservice.ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acimpl.ProvideAccessControl(features),
 		&actest.FakePermissionsService{}, quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{},
-		plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()))
+		plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
 	require.NoError(t, err)
 	proxy, err := NewDataSourceProxy(test.datasource, routes, ctx, "", &setting.Cfg{}, httpclient.NewProvider(), &oauthtoken.Service{}, dsService, tracer, features)
 	require.NoError(t, err)
@@ -1106,9 +1109,11 @@ func setupDSProxyTest(t *testing.T, ctx *contextmodel.ReqContext, ds *datasource
 	secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 	secretsStore := secretskvs.NewSQLSecretsKVStore(dbtest.NewFakeDB(), secretsService, log.NewNopLogger())
 	features := featuremgmt.WithFeatures()
-	dsService, err := datasourceservice.ProvideService(nil, secretsService, secretsStore, cfg, features, acimpl.ProvideAccessControl(features),
+	var sqlStore db.DB = nil
+	dsRetriever := datasourceservice.ProvideDataSourceRetriever(sqlStore, features)
+	dsService, err := datasourceservice.ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acimpl.ProvideAccessControl(features),
 		&actest.FakePermissionsService{}, quotatest.New(false, nil), &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{},
-		plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()))
+		plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
 	require.NoError(t, err)

 	tracer := tracing.InitializeTracerForTest()
@@ -11,6 +11,9 @@ import (
 	_ "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
 	_ "github.com/Azure/go-autorest/autorest"
 	_ "github.com/Azure/go-autorest/autorest/adal"
+	_ "github.com/aws/aws-sdk-go-v2/credentials"
+	_ "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	_ "github.com/aws/aws-sdk-go-v2/service/sts"
 	_ "github.com/beevik/etree"
 	_ "github.com/blugelabs/bluge"
 	_ "github.com/blugelabs/bluge_segment_api"
@@ -46,7 +49,6 @@ import (
 	_ "sigs.k8s.io/randfill"
 	_ "xorm.io/builder"

-	_ "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	_ "github.com/grafana/authlib/authn"
 	_ "github.com/grafana/authlib/authz"
 	_ "github.com/grafana/authlib/cache"
@@ -209,7 +209,7 @@ func (ots *TracingService) initSampler() (tracesdk.Sampler, error) {
 	case "rateLimiting":
 		return newRateLimiter(ots.cfg.SamplerParam), nil
 	case "remote":
-		return jaegerremote.New("grafana",
+		return jaegerremote.New(ots.cfg.ServiceName,
 			jaegerremote.WithSamplingServerURL(ots.cfg.SamplerRemoteURL),
 			jaegerremote.WithInitialSampler(tracesdk.TraceIDRatioBased(ots.cfg.SamplerParam)),
 		), nil
@@ -837,6 +837,8 @@ type VariableModel struct {
 	// Optional field, if you want to extract part of a series name or metric node segment.
 	// Named capture groups can be used to separate the display text and value.
 	Regex *string `json:"regex,omitempty"`
+	// Optional, indicates whether a custom type variable uses CSV or JSON to define its values
+	ValuesFormat *VariableModelValuesFormat `json:"valuesFormat,omitempty"`
 	// Determine whether regex applies to variable value or display text
 	RegexApplyTo *VariableRegexApplyTo `json:"regexApplyTo,omitempty"`
 	// Additional static options for query variable
@@ -852,6 +854,7 @@ func NewVariableModel() *VariableModel {
 		Multi:            (func(input bool) *bool { return &input })(false),
 		AllowCustomValue: (func(input bool) *bool { return &input })(true),
 		IncludeAll:       (func(input bool) *bool { return &input })(false),
+		ValuesFormat:     (func(input VariableModelValuesFormat) *VariableModelValuesFormat { return &input })(VariableModelValuesFormatCsv),
 	}
 }

@@ -1191,6 +1194,13 @@ const (
 	DataTransformerConfigTopicAlertStates DataTransformerConfigTopic = "alertStates"
 )

+type VariableModelValuesFormat string
+
+const (
+	VariableModelValuesFormatCsv  VariableModelValuesFormat = "csv"
+	VariableModelValuesFormatJson VariableModelValuesFormat = "json"
+)
+
 type VariableModelStaticOptionsOrder string

 const (
@@ -5,7 +5,6 @@ import (

 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/grpcplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
 	"github.com/grafana/grafana/pkg/plugins/log"
@@ -27,10 +26,6 @@ func New(providers ...PluginBackendProvider) *Service {
 	}
 }

-func ProvideService(coreRegistry *coreplugin.Registry) *Service {
-	return New(coreRegistry.BackendFactoryProvider(), DefaultProvider)
-}
-
 func (s *Service) BackendFactory(ctx context.Context, p *plugins.Plugin) backendplugin.PluginFactoryFunc {
 	for _, provider := range s.providerChain {
 		if factory := provider(ctx, p); factory != nil {
@@ -57,6 +57,12 @@ func (s *legacyStorage) ConvertToTable(ctx context.Context, object runtime.Objec
 }

 func (s *legacyStorage) List(ctx context.Context, options *internalversion.ListOptions) (runtime.Object, error) {
+	if s.dsConfigHandlerRequestsDuration != nil {
+		start := time.Now()
+		defer func() {
+			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("legacyStorage.List"), time.Since(start).Seconds())
+		}()
+	}
 	return s.datasources.ListDataSources(ctx)
 }

@@ -64,7 +70,7 @@ func (s *legacyStorage) Get(ctx context.Context, name string, options *metav1.Ge
 	if s.dsConfigHandlerRequestsDuration != nil {
 		start := time.Now()
 		defer func() {
-			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("new", "Get"), time.Since(start).Seconds())
+			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("legacyStorage.Get"), time.Since(start).Seconds())
 		}()
 	}

@@ -76,7 +82,7 @@ func (s *legacyStorage) Create(ctx context.Context, obj runtime.Object, createVa
 	if s.dsConfigHandlerRequestsDuration != nil {
 		start := time.Now()
 		defer func() {
-			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("new", "Create"), time.Since(start).Seconds())
+			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("legacyStorage.Create"), time.Since(start).Seconds())
 		}()
 	}

@@ -92,7 +98,7 @@ func (s *legacyStorage) Update(ctx context.Context, name string, objInfo rest.Up
 	if s.dsConfigHandlerRequestsDuration != nil {
 		start := time.Now()
 		defer func() {
-			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("new", "Create"), time.Since(start).Seconds())
+			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("legacyStorage.Update"), time.Since(start).Seconds())
 		}()
 	}

@@ -135,7 +141,7 @@ func (s *legacyStorage) Delete(ctx context.Context, name string, deleteValidatio
 	if s.dsConfigHandlerRequestsDuration != nil {
 		start := time.Now()
 		defer func() {
-			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("new", "Create"), time.Since(start).Seconds())
+			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("legacyStorage.Delete"), time.Since(start).Seconds())
 		}()
 	}

@@ -145,6 +151,13 @@ func (s *legacyStorage) Delete(ctx context.Context, name string, deleteValidatio

 // DeleteCollection implements rest.CollectionDeleter.
 func (s *legacyStorage) DeleteCollection(ctx context.Context, deleteValidation rest.ValidateObjectFunc, options *metav1.DeleteOptions, listOptions *internalversion.ListOptions) (runtime.Object, error) {
+	if s.dsConfigHandlerRequestsDuration != nil {
+		start := time.Now()
+		defer func() {
+			metricutil.ObserveWithExemplar(ctx, s.dsConfigHandlerRequestsDuration.WithLabelValues("legacyStorage.DeleteCollection"), time.Since(start).Seconds())
+		}()
+	}
+
 	dss, err := s.datasources.ListDataSources(ctx)
 	if err != nil {
 		return nil, err
@@ -21,6 +21,7 @@ import (
 	datasourceV0 "github.com/grafana/grafana/pkg/apis/datasource/v0alpha1"
 	queryV0 "github.com/grafana/grafana/pkg/apis/query/v0alpha1"
 	grafanaregistry "github.com/grafana/grafana/pkg/apiserver/registry/generic"
+	"github.com/grafana/grafana/pkg/infra/metrics"
 	"github.com/grafana/grafana/pkg/infra/metrics/metricutil"
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/manager/sources"
@@ -69,10 +70,10 @@ func RegisterAPIService(

 	dataSourceCRUDMetric := metricutil.NewHistogramVec(prometheus.HistogramOpts{
 		Namespace: "grafana",
-		Name:      "ds_config_handler_requests_duration_seconds",
-		Help:      "Duration of requests handled by datasource configuration handlers",
-	}, []string{"code_path", "handler"})
-	regErr := reg.Register(dataSourceCRUDMetric)
+		Name:      "ds_config_handler_apis_requests_duration_seconds",
+		Help:      "Duration of requests handled by new k8s style APIs datasource configuration handlers",
+	}, []string{"handler"})
+	regErr := metrics.ProvideRegisterer().Register(dataSourceCRUDMetric)
 	if regErr != nil && !errors.As(regErr, &prometheus.AlreadyRegisteredError{}) {
 		return nil, regErr
 	}
@@ -276,7 +276,7 @@ func (b *APIBuilder) oneFlagHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if b.providerType == setting.GOFFProviderType || b.providerType == setting.OFREPProviderType {
+	if b.providerType == setting.FeaturesServiceProviderType || b.providerType == setting.OFREPProviderType {
 		b.proxyFlagReq(ctx, flagKey, isAuthedReq, w, r)
 		return
 	}
@@ -304,7 +304,7 @@ func (b *APIBuilder) allFlagsHandler(w http.ResponseWriter, r *http.Request) {
 	isAuthedReq := b.isAuthenticatedRequest(r)
 	span.SetAttributes(attribute.Bool("authenticated", isAuthedReq))

-	if b.providerType == setting.GOFFProviderType || b.providerType == setting.OFREPProviderType {
+	if b.providerType == setting.FeaturesServiceProviderType || b.providerType == setting.OFREPProviderType {
 		b.proxyAllFlagReq(ctx, isAuthedReq, w, r)
 		return
 	}
@@ -13,6 +13,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/apiserver"
 	"github.com/grafana/grafana/pkg/services/apiserver/appinstaller"
 	grafanaauthorizer "github.com/grafana/grafana/pkg/services/apiserver/auth/authorizer"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginassets"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginstore"
 )
@@ -36,9 +37,13 @@ func ProvideAppInstaller(
 	pluginStore pluginstore.Store,
 	pluginAssetsService *pluginassets.Service,
 	accessControlService accesscontrol.Service, accessClient authlib.AccessClient,
+	features featuremgmt.FeatureToggles,
 ) (*AppInstaller, error) {
-	if err := registerAccessControlRoles(accessControlService); err != nil {
-		return nil, fmt.Errorf("registering access control roles: %w", err)
+	//nolint:staticcheck // not yet migrated to OpenFeature
+	if features.IsEnabledGlobally(featuremgmt.FlagPluginStoreServiceLoading) {
+		if err := registerAccessControlRoles(accessControlService); err != nil {
+			return nil, fmt.Errorf("registering access control roles: %w", err)
+		}
 	}

 	localProvider := meta.NewLocalProvider(pluginStore, pluginAssetsService)
@@ -330,6 +330,7 @@ var wireBasicSet = wire.NewSet(
 	dashsnapstore.ProvideStore,
 	wire.Bind(new(dashboardsnapshots.Service), new(*dashsnapsvc.ServiceImpl)),
 	dashsnapsvc.ProvideService,
+	datasourceservice.ProvideDataSourceRetriever,
 	datasourceservice.ProvideService,
 	wire.Bind(new(datasources.DataSourceService), new(*datasourceservice.Service)),
 	datasourceservice.ProvideLegacyDataSourceLookup,
@@ -3,11 +3,13 @@ package dualwrite
 import (
 	"context"
 	"fmt"
+	"strings"

 	openfgav1 "github.com/openfga/api/proto/openfga/v1"

 	claims "github.com/grafana/authlib/types"

+	dashboardV1 "github.com/grafana/grafana/apps/dashboard/pkg/apis/dashboard/v1beta1"
 	authzextv1 "github.com/grafana/grafana/pkg/services/authz/proto/v1"
 	"github.com/grafana/grafana/pkg/services/authz/zanzana"
 )
@@ -19,14 +21,30 @@ type legacyTupleCollector func(ctx context.Context, orgID int64) (map[string]map
 type zanzanaTupleCollector func(ctx context.Context, client zanzana.Client, object string, namespace string) (map[string]*openfgav1.TupleKey, error)

 type resourceReconciler struct {
-	name    string
-	legacy  legacyTupleCollector
-	zanzana zanzanaTupleCollector
-	client  zanzana.Client
+	name               string
+	legacy             legacyTupleCollector
+	zanzana            zanzanaTupleCollector
+	client             zanzana.Client
+	orphanObjectPrefix string
+	orphanRelations    []string
 }

-func newResourceReconciler(name string, legacy legacyTupleCollector, zanzana zanzanaTupleCollector, client zanzana.Client) resourceReconciler {
-	return resourceReconciler{name, legacy, zanzana, client}
+func newResourceReconciler(name string, legacy legacyTupleCollector, zanzanaCollector zanzanaTupleCollector, client zanzana.Client) resourceReconciler {
+	r := resourceReconciler{name: name, legacy: legacy, zanzana: zanzanaCollector, client: client}
+
+	// we only need to worry about orphaned tuples for reconcilers that use the managed permissions collector (i.e. dashboards & folders)
+	switch name {
+	case "managed folder permissions":
+		// prefix for folders is `folder:`
+		r.orphanObjectPrefix = zanzana.NewObjectEntry(zanzana.TypeFolder, "", "", "", "")
+		r.orphanRelations = append([]string{}, zanzana.RelationsFolder...)
+	case "managed dashboard permissions":
+		// prefix for dashboards will be `resource:dashboard.grafana.app/dashboards/`
+		r.orphanObjectPrefix = fmt.Sprintf("%s/", zanzana.NewObjectEntry(zanzana.TypeResource, dashboardV1.APIGroup, dashboardV1.DASHBOARD_RESOURCE, "", ""))
+		r.orphanRelations = append([]string{}, zanzana.RelationsResouce...)
+	}
+
+	return r
 }

 func (r resourceReconciler) reconcile(ctx context.Context, namespace string) error {
@@ -35,6 +53,15 @@ func (r resourceReconciler) reconcile(ctx context.Context, namespace string) err
 		return err
 	}

+	// 0. Fetch all tuples currently stored in Zanzana. This will be used later on
+	// to cleanup orphaned tuples.
+	// This order needs to be kept (fetching from Zanzana first) to avoid accidentally
+	// cleaning up new tuples that were added after the legacy tuples were fetched.
+	allTuplesInZanzana, err := r.readAllTuples(ctx, namespace)
+	if err != nil {
+		return fmt.Errorf("failed to read all tuples from zanzana for %s: %w", r.name, err)
+	}
+
 	// 1. Fetch grafana resources stored in grafana db.
 	res, err := r.legacy(ctx, info.OrgID)
 	if err != nil {
@@ -87,6 +114,14 @@ func (r resourceReconciler) reconcile(ctx context.Context, namespace string) err
 		}
 	}

+	// when the last managed permission for a resource is removed, the legacy results will no
+	// longer contain any tuples for that resource. this process cleans it up when applicable.
+	orphans, err := r.collectOrphanDeletes(ctx, namespace, allTuplesInZanzana, res)
+	if err != nil {
+		return fmt.Errorf("failed to collect orphan deletes (%s): %w", r.name, err)
+	}
+	deletes = append(deletes, orphans...)
+
 	if len(writes) == 0 && len(deletes) == 0 {
 		return nil
 	}
@@ -119,3 +154,79 @@ func (r resourceReconciler) reconcile(ctx context.Context, namespace string) err

 	return nil
 }
+
+// collectOrphanDeletes collects tuples that are no longer present in the legacy results
+// but still are present in zanzana. when that is the case, we need to delete the tuple from
+// zanzana. this will happen when the last managed permission for a resource is removed.
+// this is only used for dashboards and folders, as those are the only resources that use the managed permissions collector.
+func (r resourceReconciler) collectOrphanDeletes(
+	ctx context.Context,
+	namespace string,
+	allTuplesInZanzana []*authzextv1.Tuple,
+	legacyReturnedTuples map[string]map[string]*openfgav1.TupleKey,
+) ([]*openfgav1.TupleKeyWithoutCondition, error) {
+	if r.orphanObjectPrefix == "" || len(r.orphanRelations) == 0 {
+		return []*openfgav1.TupleKeyWithoutCondition{}, nil
+	}
+
+	seen := map[string]struct{}{}
+	out := []*openfgav1.TupleKeyWithoutCondition{}
+
+	// what relation types we are interested in cleaning up
+	relationsToCleanup := map[string]struct{}{}
+	for _, rel := range r.orphanRelations {
+		relationsToCleanup[rel] = struct{}{}
+	}
+
+	for _, tuple := range allTuplesInZanzana {
+		if tuple == nil || tuple.Key == nil {
+			continue
+		}
+		// only cleanup the particular relation types we are interested in
+		if _, ok := relationsToCleanup[tuple.Key.Relation]; !ok {
+			continue
+		}
+		// only cleanup the particular object types we are interested in (either dashboards or folders)
+		if !strings.HasPrefix(tuple.Key.Object, r.orphanObjectPrefix) {
+			continue
+		}
+		// if legacy returned this object, it's not orphaned
+		if _, ok := legacyReturnedTuples[tuple.Key.Object]; ok {
+			continue
+		}
+		// keep track of the tuples we have already seen and marked for deletion
+		key := fmt.Sprintf("%s|%s|%s", tuple.Key.User, tuple.Key.Relation, tuple.Key.Object)
+		if _, ok := seen[key]; ok {
+			continue
+		}
+		seen[key] = struct{}{}
+		out = append(out, &openfgav1.TupleKeyWithoutCondition{
+			User:     tuple.Key.User,
+			Relation: tuple.Key.Relation,
+			Object:   tuple.Key.Object,
+		})
+	}
+
+	return out, nil
+}
+
+func (r resourceReconciler) readAllTuples(ctx context.Context, namespace string) ([]*authzextv1.Tuple, error) {
+	var (
+		out           []*authzextv1.Tuple
+		continueToken string
+	)
+	for {
+		res, err := r.client.Read(ctx, &authzextv1.ReadRequest{
+			Namespace:         namespace,
+			ContinuationToken: continueToken,
+		})
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, res.Tuples...)
+		continueToken = res.ContinuationToken
+		if continueToken == "" {
+			return out, nil
+		}
+	}
+}
@@ -0,0 +1,110 @@
+package dualwrite
+
+import (
+	"context"
+	"testing"
+
+	authlib "github.com/grafana/authlib/types"
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
+	"github.com/stretchr/testify/require"
+
+	authzextv1 "github.com/grafana/grafana/pkg/services/authz/proto/v1"
+	"github.com/grafana/grafana/pkg/services/authz/zanzana"
+)
+
+type fakeZanzanaClient struct {
+	readTuples []*authzextv1.Tuple
+	writeReqs  []*authzextv1.WriteRequest
+}
+
+func (f *fakeZanzanaClient) Read(ctx context.Context, req *authzextv1.ReadRequest) (*authzextv1.ReadResponse, error) {
+	return &authzextv1.ReadResponse{
+		Tuples:            f.readTuples,
+		ContinuationToken: "",
+	}, nil
+}
+
+func (f *fakeZanzanaClient) Write(ctx context.Context, req *authzextv1.WriteRequest) error {
+	f.writeReqs = append(f.writeReqs, req)
+	return nil
+}
+
+func (f *fakeZanzanaClient) BatchCheck(ctx context.Context, req *authzextv1.BatchCheckRequest) (*authzextv1.BatchCheckResponse, error) {
+	return &authzextv1.BatchCheckResponse{}, nil
+}
+
+func (f *fakeZanzanaClient) Mutate(ctx context.Context, req *authzextv1.MutateRequest) error {
+	return nil
+}
+
+func (f *fakeZanzanaClient) Query(ctx context.Context, req *authzextv1.QueryRequest) (*authzextv1.QueryResponse, error) {
+	return &authzextv1.QueryResponse{}, nil
+}
+
+func (f *fakeZanzanaClient) Check(ctx context.Context, info authlib.AuthInfo, req authlib.CheckRequest, folder string) (authlib.CheckResponse, error) {
+	return authlib.CheckResponse{Allowed: true}, nil
+}
+
+func (f *fakeZanzanaClient) Compile(ctx context.Context, info authlib.AuthInfo, req authlib.ListRequest) (authlib.ItemChecker, authlib.Zookie, error) {
+	return func(name, folder string) bool { return true }, authlib.NoopZookie{}, nil
+}
+
+func TestResourceReconciler_OrphanedManagedDashboardTuplesAreDeleted(t *testing.T) {
+	legacy := func(ctx context.Context, orgID int64) (map[string]map[string]*openfgav1.TupleKey, error) {
+		return map[string]map[string]*openfgav1.TupleKey{}, nil
+	}
+	zCollector := func(ctx context.Context, client zanzana.Client, object string, namespace string) (map[string]*openfgav1.TupleKey, error) {
+		return map[string]*openfgav1.TupleKey{}, nil
+	}
+
+	fake := &fakeZanzanaClient{}
+	r := newResourceReconciler("managed dashboard permissions", legacy, zCollector, fake)
+
+	require.NotEmpty(t, r.orphanObjectPrefix)
+	require.NotEmpty(t, r.orphanRelations)
+
+	relAllowed := r.orphanRelations[0]
+	objAllowed := r.orphanObjectPrefix + "dash-uid-1"
+
+	fake.readTuples = []*authzextv1.Tuple{
+		// should be removed
+		{
+			Key: &authzextv1.TupleKey{
+				User:     "user:1",
+				Relation: relAllowed,
+				Object:   objAllowed,
+			},
+		},
+
+		// same relation but different object type/prefix - should stay
+		{
+			Key: &authzextv1.TupleKey{
+				User:     "user:1",
+				Relation: relAllowed,
+				Object:   "folder:some-folder",
+			},
+		},
+		// same prefix but different relation - should stay
+		{
+			Key: &authzextv1.TupleKey{
+				User:     "user:1",
+				Relation: zanzana.RelationParent,
+				Object:   objAllowed,
+			},
+		},
+	}
+
+	err := r.reconcile(context.Background(), authlib.OrgNamespaceFormatter(1))
+	require.NoError(t, err)
+
+	require.Len(t, fake.writeReqs, 1)
+	wr := fake.writeReqs[0]
+	require.NotNil(t, wr.Deletes)
+	require.Nil(t, wr.Writes)
+
+	require.Len(t, wr.Deletes.TupleKeys, 1)
+	del := wr.Deletes.TupleKeys[0]
+	require.Equal(t, "user:1", del.User)
+	require.Equal(t, relAllowed, del.Relation)
+	require.Equal(t, objAllowed, del.Object)
+}
@@ -3,7 +3,6 @@ package authorizer
 import (
 	"context"

-	"github.com/grafana/grafana/pkg/setting"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	k8suser "k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
@@ -29,9 +28,9 @@ type GrafanaAuthorizer struct {
 //  4. We check authorizer that is configured speficially for an api.
 //  5. As a last fallback we check Role, this will only happen if an api have not configured
 //     an authorizer or return authorizer.DecisionNoOpinion
-func NewGrafanaBuiltInSTAuthorizer(cfg *setting.Cfg) *GrafanaAuthorizer {
+func NewGrafanaBuiltInSTAuthorizer() *GrafanaAuthorizer {
 	authorizers := []authorizer.Authorizer{
-		newImpersonationAuthorizer(),
+		NewImpersonationAuthorizer(),
 		authorizerfactory.NewPrivilegedGroups(k8suser.SystemPrivilegedGroup),
 		newNamespaceAuthorizer(),
 	}
@@ -8,7 +8,7 @@ import (

 var _ authorizer.Authorizer = (*impersonationAuthorizer)(nil)

-func newImpersonationAuthorizer() *impersonationAuthorizer {
+func NewImpersonationAuthorizer() *impersonationAuthorizer {
 	return &impersonationAuthorizer{}
 }

@@ -76,19 +76,7 @@ var PathRewriters = []filters.PathRewriter{

 func GetDefaultBuildHandlerChainFunc(builders []APIGroupBuilder, reg prometheus.Registerer) BuildHandlerChainFunc {
 	return func(delegateHandler http.Handler, c *genericapiserver.Config) http.Handler {
-		requestHandler, err := GetCustomRoutesHandler(
-			delegateHandler,
-			c.LoopbackClientConfig,
-			builders,
-			reg,
-			c.MergedResourceConfig,
-		)
-		if err != nil {
-			panic(fmt.Sprintf("could not build the request handler for specified API builders: %s", err.Error()))
-		}
-
-		// Needs to run last in request chain to function as expected, hence we register it first.
-		handler := filters.WithTracingHTTPLoggingAttributes(requestHandler)
+		handler := filters.WithTracingHTTPLoggingAttributes(delegateHandler)

 		// filters.WithRequester needs to be after the K8s chain because it depends on the K8s user in context
 		handler = filters.WithRequester(handler)
@@ -3,146 +3,306 @@ package builder
 import (
 	"fmt"
 	"net/http"
+	"strings"

+	"github.com/emicklei/go-restful/v3"
 	"github.com/gorilla/mux"
 	"github.com/prometheus/client_golang/prometheus"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
-	restclient "k8s.io/client-go/rest"
 	klog "k8s.io/klog/v2"
 	"k8s.io/kube-openapi/pkg/spec3"
 )

-type requestHandler struct {
-	router *mux.Router
+// convertHandlerToRouteFunction converts an http.HandlerFunc to a restful.RouteFunction
+// It extracts path parameters from restful.Request and populates them in the request context
+// so that mux.Vars can read them (for backward compatibility with handlers that use mux.Vars)
+func convertHandlerToRouteFunction(handler http.HandlerFunc) restful.RouteFunction {
+	return func(req *restful.Request, resp *restful.Response) {
+		// Extract path parameters from restful.Request and populate mux.Vars
+		// This is needed for backward compatibility with handlers that use mux.Vars(r)
+		vars := make(map[string]string)
+
+		// Get all path parameters from the restful.Request
+		// The restful.Request has PathParameters() method that returns a map
+		pathParams := req.PathParameters()
+		for key, value := range pathParams {
+			vars[key] = value
+		}
+
+		// Set the vars in the request context using mux.SetURLVars
+		// This makes mux.Vars(r) work correctly
+		if len(vars) > 0 {
+			req.Request = mux.SetURLVars(req.Request, vars)
+		}
+
+		handler(resp.ResponseWriter, req.Request)
+	}
 }

-func GetCustomRoutesHandler(delegateHandler http.Handler, restConfig *restclient.Config, builders []APIGroupBuilder, metricsRegistry prometheus.Registerer, apiResourceConfig *serverstorage.ResourceConfig) (http.Handler, error) {
-	useful := false // only true if any routes exist anywhere
-	router := mux.NewRouter()
+// AugmentWebServicesWithCustomRoutes adds custom routes from builders to existing WebServices
+// in the container.
+func AugmentWebServicesWithCustomRoutes(
+	container *restful.Container,
+	builders []APIGroupBuilder,
+	metricsRegistry prometheus.Registerer,
+	apiResourceConfig *serverstorage.ResourceConfig,
+) error {
+	if container == nil {
+		return fmt.Errorf("container cannot be nil")
+	}

 	metrics := NewCustomRouteMetrics(metricsRegistry)

-	for _, builder := range builders {
-		provider, ok := builder.(APIGroupRouteProvider)
+	// Build a map of existing WebServices by root path
+	existingWebServices := make(map[string]*restful.WebService)
+	for _, ws := range container.RegisteredWebServices() {
+		existingWebServices[ws.RootPath()] = ws
+	}
+
+	for _, b := range builders {
+		provider, ok := b.(APIGroupRouteProvider)
 		if !ok || provider == nil {
 			continue
 		}

-		for _, gv := range GetGroupVersions(builder) {
-			// filter out api groups that are disabled in APIEnablementOptions
+		for _, gv := range GetGroupVersions(b) {
+			// Filter out disabled API groups
 			gvr := gv.WithResource("")
 			if apiResourceConfig != nil && !apiResourceConfig.ResourceEnabled(gvr) {
-				klog.InfoS("Skipping custom route handler for disabled group version", "gv", gv.String())
+				klog.InfoS("Skipping custom routes for disabled group version", "gv", gv.String())
 				continue
 			}
+
 			routes := provider.GetAPIRoutes(gv)
 			if routes == nil {
 				continue
 			}

-			prefix := "/apis/" + gv.String()
-
-			// Root handlers
-			var sub *mux.Router
-			for _, route := range routes.Root {
-				if sub == nil {
-					sub = router.PathPrefix(prefix).Subrouter()
-					sub.MethodNotAllowedHandler = &methodNotAllowedHandler{}
-				}
-
-				useful = true
-				methods, err := methodsFromSpec(route.Path, route.Spec)
-				if err != nil {
-					return nil, err
-				}
-
-				instrumentedHandler := metrics.InstrumentHandler(
-					gv.Group,
-					gv.Version,
-					route.Path, // Use path as resource identifier
-					route.Handler,
-				)
-
-				sub.HandleFunc("/"+route.Path, instrumentedHandler).
-					Methods(methods...)
+			// Find or create WebService for this group version
+			rootPath := "/apis/" + gv.String()
+			ws, exists := existingWebServices[rootPath]
+			if !exists {
+				// Create a new WebService if one doesn't exist
+				ws = new(restful.WebService)
+				ws.Path(rootPath)
+				container.Add(ws)
+				existingWebServices[rootPath] = ws
 			}

-			// Namespace handlers
-			sub = nil
-			prefix += "/namespaces/{namespace}"
-			for _, route := range routes.Namespace {
-				if sub == nil {
-					sub = router.PathPrefix(prefix).Subrouter()
-					sub.MethodNotAllowedHandler = &methodNotAllowedHandler{}
-				}
-
-				useful = true
-				methods, err := methodsFromSpec(route.Path, route.Spec)
-				if err != nil {
-					return nil, err
-				}
-
+			// Add root handlers using OpenAPI specs
+			for _, route := range routes.Root {
 				instrumentedHandler := metrics.InstrumentHandler(
 					gv.Group,
 					gv.Version,
-					route.Path, // Use path as resource identifier
+					route.Path,
 					route.Handler,
 				)
+				routeFunction := convertHandlerToRouteFunction(instrumentedHandler)

-				sub.HandleFunc("/"+route.Path, instrumentedHandler).
-					Methods(methods...)
+				// Use OpenAPI spec to configure routes properly
+				if err := addRouteFromSpec(ws, route.Path, route.Spec, routeFunction, false); err != nil {
+					return fmt.Errorf("failed to add root route %s: %w", route.Path, err)
+				}
+			}
+
+			// Add namespace handlers using OpenAPI specs
+			for _, route := range routes.Namespace {
+				instrumentedHandler := metrics.InstrumentHandler(
+					gv.Group,
+					gv.Version,
+					route.Path,
+					route.Handler,
+				)
+				routeFunction := convertHandlerToRouteFunction(instrumentedHandler)
+
+				// Use OpenAPI spec to configure routes properly
+				if err := addRouteFromSpec(ws, route.Path, route.Spec, routeFunction, true); err != nil {
+					return fmt.Errorf("failed to add namespace route %s: %w", route.Path, err)
+				}
 			}
 		}
 	}

-	if !useful {
-		return delegateHandler, nil
-	}
-
-	// Per Gorilla Mux issue here: https://github.com/gorilla/mux/issues/616#issuecomment-798807509
-	// default handler must come last
-	router.PathPrefix("/").Handler(delegateHandler)
-
-	return &requestHandler{
-		router: router,
-	}, nil
+	return nil
 }

-func (h *requestHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	h.router.ServeHTTP(w, req)
+// addRouteFromSpec adds routes to a WebService using OpenAPI specs
+func addRouteFromSpec(ws *restful.WebService, routePath string, pathProps *spec3.PathProps, handler restful.RouteFunction, isNamespaced bool) error {
+	if pathProps == nil {
+		return fmt.Errorf("pathProps cannot be nil for route %s", routePath)
+	}
+
+	// Build the full path (relative to WebService root)
+	var fullPath string
+	if isNamespaced {
+		fullPath = "/namespaces/{namespace}/" + routePath
+	} else {
+		fullPath = "/" + routePath
+	}
+
+	// Add routes for each HTTP method defined in the OpenAPI spec
+	operations := map[string]*spec3.Operation{
+		"GET":    pathProps.Get,
+		"POST":   pathProps.Post,
+		"PUT":    pathProps.Put,
+		"PATCH":  pathProps.Patch,
+		"DELETE": pathProps.Delete,
+	}
+
+	for method, operation := range operations {
+		if operation == nil {
+			continue
+		}
+
+		// Create route builder for this method
+		var routeBuilder *restful.RouteBuilder
+		switch method {
+		case "GET":
+			routeBuilder = ws.GET(fullPath)
+		case "POST":
+			routeBuilder = ws.POST(fullPath)
+		case "PUT":
+			routeBuilder = ws.PUT(fullPath)
+		case "PATCH":
+			routeBuilder = ws.PATCH(fullPath)
+		case "DELETE":
+			routeBuilder = ws.DELETE(fullPath)
+		}
+
+		// Set operation ID from OpenAPI spec (with K8s verb prefix if needed)
+		operationID := operation.OperationId
+		if operationID == "" {
+			// Generate from path if not specified
+			operationID = generateOperationNameFromPath(routePath)
+		}
+		operationID = prefixRouteIDWithK8sVerbIfNotPresent(operationID, method)
+		routeBuilder = routeBuilder.Operation(operationID)
+
+		// Add description from OpenAPI spec
+		if operation.Description != "" {
+			routeBuilder = routeBuilder.Doc(operation.Description)
+		}
+
+		// Check if namespace parameter is already in the OpenAPI spec
+		hasNamespaceParam := false
+		if operation.Parameters != nil {
+			for _, param := range operation.Parameters {
+				if param.Name == "namespace" && param.In == "path" {
+					hasNamespaceParam = true
+					break
+				}
+			}
+		}
+
+		// Add namespace parameter for namespaced routes if not already in spec
+		if isNamespaced && !hasNamespaceParam {
+			routeBuilder = routeBuilder.Param(restful.PathParameter("namespace", "object name and auth scope, such as for teams and projects"))
+		}
+
+		// Add parameters from OpenAPI spec
+		if operation.Parameters != nil {
+			for _, param := range operation.Parameters {
+				switch param.In {
+				case "path":
+					routeBuilder = routeBuilder.Param(restful.PathParameter(param.Name, param.Description))
+				case "query":
+					routeBuilder = routeBuilder.Param(restful.QueryParameter(param.Name, param.Description))
+				case "header":
+					routeBuilder = routeBuilder.Param(restful.HeaderParameter(param.Name, param.Description))
+				}
+			}
+		}
+
+		// Note: Request/response schemas are already defined in the OpenAPI spec from builders
+		// and will be added to the OpenAPI document via addBuilderRoutes in openapi.go.
+		// We don't duplicate that information here since restful uses the route metadata
+		// for OpenAPI generation, which is handled separately in this codebase.
+
+		// Register the route with handler
+		ws.Route(routeBuilder.To(handler))
+	}
+
+	return nil
 }

-func methodsFromSpec(slug string, props *spec3.PathProps) ([]string, error) {
-	if props == nil {
-		return []string{"GET", "POST", "PUT", "PATCH", "DELETE"}, nil
+func prefixRouteIDWithK8sVerbIfNotPresent(operationID string, method string) string {
+	for _, verb := range allowedK8sVerbs {
+		if len(operationID) > len(verb) && operationID[:len(verb)] == verb {
+			return operationID
+		}
 	}
-
-	methods := make([]string, 0)
-	if props.Get != nil {
-		methods = append(methods, "GET")
-	}
-	if props.Post != nil {
-		methods = append(methods, "POST")
-	}
-	if props.Put != nil {
-		methods = append(methods, "PUT")
-	}
-	if props.Patch != nil {
-		methods = append(methods, "PATCH")
-	}
-	if props.Delete != nil {
-		methods = append(methods, "DELETE")
-	}
-
-	if len(methods) == 0 {
-		return nil, fmt.Errorf("invalid OpenAPI Spec for slug=%s without any methods in PathProps", slug)
-	}
-
-	return methods, nil
+	return fmt.Sprintf("%s%s", httpMethodToK8sVerb[strings.ToUpper(method)], operationID)
 }

-type methodNotAllowedHandler struct{}
-
-func (h *methodNotAllowedHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	w.WriteHeader(405) // method not allowed
+var allowedK8sVerbs = []string{
+	"get", "log", "read", "replace", "patch", "delete", "deletecollection", "watch", "connect", "proxy", "list", "create", "patch",
+}
+
+var httpMethodToK8sVerb = map[string]string{
+	http.MethodGet:     "get",
+	http.MethodPost:    "create",
+	http.MethodPut:     "replace",
+	http.MethodPatch:   "patch",
+	http.MethodDelete:  "delete",
+	http.MethodConnect: "connect",
+	http.MethodOptions: "connect", // No real equivalent to options and head
+	http.MethodHead:    "connect",
+}
+
+// generateOperationNameFromPath creates an operation name from a route path.
+// The operation name is used by the OpenAPI generator and should be descriptive.
+// It uses meaningful path segments to create readable yet unique operation names.
+// Examples:
+//   - "/search" -> "Search"
+//   - "/snapshots/create" -> "SnapshotsCreate"
+//   - "ofrep/v1/evaluate/flags" -> "OfrepEvaluateFlags"
+//   - "ofrep/v1/evaluate/flags/{flagKey}" -> "OfrepEvaluateFlagsFlagKey"
+func generateOperationNameFromPath(routePath string) string {
+	// Remove leading slash and split by path segments
+	parts := strings.Split(strings.TrimPrefix(routePath, "/"), "/")
+
+	// Filter to keep meaningful segments and path parameters
+	var nameParts []string
+	skipPrefixes := map[string]bool{
+		"namespaces": true,
+		"apis":       true,
+	}
+
+	for _, part := range parts {
+		if part == "" {
+			continue
+		}
+
+		// Extract parameter name from {paramName} format
+		if strings.HasPrefix(part, "{") && strings.HasSuffix(part, "}") {
+			paramName := part[1 : len(part)-1]
+			// Skip generic parameters like {namespace}, but keep specific ones like {flagKey}
+			if paramName != "namespace" && paramName != "name" {
+				nameParts = append(nameParts, strings.ToUpper(paramName[:1])+paramName[1:])
+			}
+			continue
+		}
+
+		// Skip common prefixes
+		if skipPrefixes[strings.ToLower(part)] {
+			continue
+		}
+
+		// Skip version segments like v1, v0alpha1, v2beta1, etc.
+		if strings.HasPrefix(strings.ToLower(part), "v") &&
+			(len(part) <= 3 || strings.Contains(strings.ToLower(part), "alpha") || strings.Contains(strings.ToLower(part), "beta")) {
+			continue
+		}
+
+		// Capitalize first letter and add to parts
+		if len(part) > 0 {
+			nameParts = append(nameParts, strings.ToUpper(part[:1])+part[1:])
+		}
+	}
+
+	if len(nameParts) == 0 {
+		return "Route"
+	}
+
+	return strings.Join(nameParts, "")
 }
@@ -5,7 +5,6 @@ import (
 	"net"
 	"path/filepath"
 	"strconv"
-	"strings"

 	"github.com/grafana/grafana/pkg/services/apiserver/options"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
@@ -41,15 +40,6 @@ func applyGrafanaConfig(cfg *setting.Cfg, features featuremgmt.FeatureToggles, o
 	apiserverCfg := cfg.SectionWithEnvOverrides("grafana-apiserver")

 	runtimeConfig := apiserverCfg.Key("runtime_config").String()
-	runtimeConfigSplit := strings.Split(runtimeConfig, ",")
-
-	// TODO: temporary fix to allow disabling local features service and still being able to use its authz handler
-	if !cfg.OpenFeature.APIEnabled {
-		runtimeConfigSplit = append(runtimeConfigSplit, "features.grafana.app/v0alpha1=false")
-	}
-
-	runtimeConfig = strings.Join(runtimeConfigSplit, ",")
-
 	if runtimeConfig != "" {
 		if err := o.APIEnablementOptions.RuntimeConfig.Set(runtimeConfig); err != nil {
 			return fmt.Errorf("failed to set runtime config: %w", err)
@@ -155,7 +155,7 @@ func ProvideService(
 		features:                          features,
 		rr:                                rr,
 		builders:                          []builder.APIGroupBuilder{},
-		authorizer:                        authorizer.NewGrafanaBuiltInSTAuthorizer(cfg),
+		authorizer:                        authorizer.NewGrafanaBuiltInSTAuthorizer(),
 		tracing:                           tracing,
 		db:                                db, // For Unified storage
 		metrics:                           reg,
@@ -443,6 +443,19 @@ func (s *service) start(ctx context.Context) error {
 		return err
 	}

+	// Augment existing WebServices with custom routes from builders
+	// This directly adds routes to existing WebServices using the OpenAPI specs from builders
+	if server.Handler != nil && server.Handler.GoRestfulContainer != nil {
+		if err := builder.AugmentWebServicesWithCustomRoutes(
+			server.Handler.GoRestfulContainer,
+			builders,
+			s.metrics,
+			serverConfig.MergedResourceConfig,
+		); err != nil {
+			return fmt.Errorf("failed to augment web services with custom routes: %w", err)
+		}
+	}
+
 	// stash the options for later use
 	s.options = o

@@ -1,6 +1,8 @@
 package authnimpl

 import (
+	"context"
+
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/remotecache"
 	"github.com/grafana/grafana/pkg/infra/tracing"
@@ -81,7 +83,8 @@ func ProvideRegistration(
 		}
 	}

-	if cfg.PasswordlessMagicLinkAuth.Enabled {
+	//nolint:staticcheck // not yet migrated to OpenFeature
+	if cfg.PasswordlessMagicLinkAuth.Enabled && features.IsEnabled(context.Background(), featuremgmt.FlagPasswordlessMagicLinkAuthentication) {
 		hasEnabledProviders := authnSvc.IsClientEnabled(authn.ClientSAML) || authnSvc.IsClientEnabled(authn.ClientLDAP)
 		if !hasEnabledProviders {
 			oauthInfos := socialService.GetOAuthInfoProviders()
@@ -32,6 +32,8 @@ func NewOpenFGAServer(cfg setting.ZanzanaServerSettings, store storage.OpenFGADa
 	opts := []server.OpenFGAServiceV1Option{
 		server.WithDatastore(store),
 		server.WithLogger(zlogger.New(logger)),
+
+		// Cache settings
 		server.WithCheckCacheLimit(cfg.CacheSettings.CheckCacheLimit),
 		server.WithCacheControllerEnabled(cfg.CacheSettings.CacheControllerEnabled),
 		server.WithCacheControllerTTL(cfg.CacheSettings.CacheControllerTTL),
@@ -40,16 +42,25 @@ func NewOpenFGAServer(cfg setting.ZanzanaServerSettings, store storage.OpenFGADa
 		server.WithCheckIteratorCacheEnabled(cfg.CacheSettings.CheckIteratorCacheEnabled),
 		server.WithCheckIteratorCacheMaxResults(cfg.CacheSettings.CheckIteratorCacheMaxResults),
 		server.WithCheckIteratorCacheTTL(cfg.CacheSettings.CheckIteratorCacheTTL),
+
+		// ListObjects settings
 		server.WithListObjectsMaxResults(cfg.ListObjectsMaxResults),
 		server.WithListObjectsIteratorCacheEnabled(cfg.CacheSettings.ListObjectsIteratorCacheEnabled),
 		server.WithListObjectsIteratorCacheMaxResults(cfg.CacheSettings.ListObjectsIteratorCacheMaxResults),
 		server.WithListObjectsIteratorCacheTTL(cfg.CacheSettings.ListObjectsIteratorCacheTTL),
+		server.WithListObjectsDeadline(cfg.ListObjectsDeadline),
+
+		// Shared iterator settings
 		server.WithSharedIteratorEnabled(cfg.CacheSettings.SharedIteratorEnabled),
 		server.WithSharedIteratorLimit(cfg.CacheSettings.SharedIteratorLimit),
 		server.WithSharedIteratorTTL(cfg.CacheSettings.SharedIteratorTTL),
-		server.WithListObjectsDeadline(cfg.ListObjectsDeadline),
+
+		server.WithContextPropagationToDatastore(true),
 	}

+	openfgaOpts := withOpenFGAOptions(cfg)
+	opts = append(opts, openfgaOpts...)
+
 	srv, err := server.NewServerWithOpts(opts...)
 	if err != nil {
 		return nil, err
@@ -58,6 +69,129 @@ func NewOpenFGAServer(cfg setting.ZanzanaServerSettings, store storage.OpenFGADa
 	return srv, nil
 }

+func withOpenFGAOptions(cfg setting.ZanzanaServerSettings) []server.OpenFGAServiceV1Option {
+	opts := make([]server.OpenFGAServiceV1Option, 0)
+
+	listOpts := withListOptions(cfg)
+	opts = append(opts, listOpts...)
+
+	// Check settings
+	if cfg.OpenFgaServerSettings.MaxConcurrentReadsForCheck != 0 {
+		opts = append(opts, server.WithMaxConcurrentReadsForCheck(cfg.OpenFgaServerSettings.MaxConcurrentReadsForCheck))
+	}
+	if cfg.OpenFgaServerSettings.CheckDatabaseThrottleThreshold != 0 || cfg.OpenFgaServerSettings.CheckDatabaseThrottleDuration != 0 {
+		opts = append(opts, server.WithCheckDatabaseThrottle(cfg.OpenFgaServerSettings.CheckDatabaseThrottleThreshold, cfg.OpenFgaServerSettings.CheckDatabaseThrottleDuration))
+	}
+
+	// Batch check settings
+	if cfg.OpenFgaServerSettings.MaxConcurrentChecksPerBatchCheck != 0 {
+		opts = append(opts, server.WithMaxConcurrentChecksPerBatchCheck(cfg.OpenFgaServerSettings.MaxConcurrentChecksPerBatchCheck))
+	}
+	if cfg.OpenFgaServerSettings.MaxChecksPerBatchCheck != 0 {
+		opts = append(opts, server.WithMaxChecksPerBatchCheck(cfg.OpenFgaServerSettings.MaxChecksPerBatchCheck))
+	}
+
+	// Resolve node settings
+	if cfg.OpenFgaServerSettings.ResolveNodeLimit != 0 {
+		opts = append(opts, server.WithResolveNodeLimit(cfg.OpenFgaServerSettings.ResolveNodeLimit))
+	}
+	if cfg.OpenFgaServerSettings.ResolveNodeBreadthLimit != 0 {
+		opts = append(opts, server.WithResolveNodeBreadthLimit(cfg.OpenFgaServerSettings.ResolveNodeBreadthLimit))
+	}
+
+	// Dispatch throttling settings
+	if cfg.OpenFgaServerSettings.DispatchThrottlingCheckResolverEnabled {
+		opts = append(opts, server.WithDispatchThrottlingCheckResolverEnabled(cfg.OpenFgaServerSettings.DispatchThrottlingCheckResolverEnabled))
+	}
+	if cfg.OpenFgaServerSettings.DispatchThrottlingCheckResolverFrequency != 0 {
+		opts = append(opts, server.WithDispatchThrottlingCheckResolverFrequency(cfg.OpenFgaServerSettings.DispatchThrottlingCheckResolverFrequency))
+	}
+	if cfg.OpenFgaServerSettings.DispatchThrottlingCheckResolverThreshold != 0 {
+		opts = append(opts, server.WithDispatchThrottlingCheckResolverThreshold(cfg.OpenFgaServerSettings.DispatchThrottlingCheckResolverThreshold))
+	}
+	if cfg.OpenFgaServerSettings.DispatchThrottlingCheckResolverMaxThreshold != 0 {
+		opts = append(opts, server.WithDispatchThrottlingCheckResolverMaxThreshold(cfg.OpenFgaServerSettings.DispatchThrottlingCheckResolverMaxThreshold))
+	}
+
+	// Shadow check/query settings
+	if cfg.OpenFgaServerSettings.ShadowCheckResolverTimeout != 0 {
+		opts = append(opts, server.WithShadowCheckResolverTimeout(cfg.OpenFgaServerSettings.ShadowCheckResolverTimeout))
+	}
+	if cfg.OpenFgaServerSettings.ShadowListObjectsQueryTimeout != 0 {
+		opts = append(opts, server.WithShadowListObjectsQueryTimeout(cfg.OpenFgaServerSettings.ShadowListObjectsQueryTimeout))
+	}
+	if cfg.OpenFgaServerSettings.ShadowListObjectsQueryMaxDeltaItems != 0 {
+		opts = append(opts, server.WithShadowListObjectsQueryMaxDeltaItems(cfg.OpenFgaServerSettings.ShadowListObjectsQueryMaxDeltaItems))
+	}
+
+	if cfg.OpenFgaServerSettings.RequestTimeout != 0 {
+		opts = append(opts, server.WithRequestTimeout(cfg.OpenFgaServerSettings.RequestTimeout))
+	}
+	if cfg.OpenFgaServerSettings.MaxAuthorizationModelSizeInBytes != 0 {
+		opts = append(opts, server.WithMaxAuthorizationModelSizeInBytes(cfg.OpenFgaServerSettings.MaxAuthorizationModelSizeInBytes))
+	}
+	if cfg.OpenFgaServerSettings.AuthorizationModelCacheSize != 0 {
+		opts = append(opts, server.WithAuthorizationModelCacheSize(cfg.OpenFgaServerSettings.AuthorizationModelCacheSize))
+	}
+	if cfg.OpenFgaServerSettings.ChangelogHorizonOffset != 0 {
+		opts = append(opts, server.WithChangelogHorizonOffset(cfg.OpenFgaServerSettings.ChangelogHorizonOffset))
+	}
+
+	return opts
+}
+
+func withListOptions(cfg setting.ZanzanaServerSettings) []server.OpenFGAServiceV1Option {
+	opts := make([]server.OpenFGAServiceV1Option, 0)
+
+	// ListObjects settings
+	if cfg.OpenFgaServerSettings.MaxConcurrentReadsForListObjects != 0 {
+		opts = append(opts, server.WithMaxConcurrentReadsForListObjects(cfg.OpenFgaServerSettings.MaxConcurrentReadsForListObjects))
+	}
+	if cfg.OpenFgaServerSettings.ListObjectsDispatchThrottlingEnabled {
+		opts = append(opts, server.WithListObjectsDispatchThrottlingEnabled(cfg.OpenFgaServerSettings.ListObjectsDispatchThrottlingEnabled))
+	}
+	if cfg.OpenFgaServerSettings.ListObjectsDispatchThrottlingFrequency != 0 {
+		opts = append(opts, server.WithListObjectsDispatchThrottlingFrequency(cfg.OpenFgaServerSettings.ListObjectsDispatchThrottlingFrequency))
+	}
+	if cfg.OpenFgaServerSettings.ListObjectsDispatchThrottlingThreshold != 0 {
+		opts = append(opts, server.WithListObjectsDispatchThrottlingThreshold(cfg.OpenFgaServerSettings.ListObjectsDispatchThrottlingThreshold))
+	}
+	if cfg.OpenFgaServerSettings.ListObjectsDispatchThrottlingMaxThreshold != 0 {
+		opts = append(opts, server.WithListObjectsDispatchThrottlingMaxThreshold(cfg.OpenFgaServerSettings.ListObjectsDispatchThrottlingMaxThreshold))
+	}
+	if cfg.OpenFgaServerSettings.ListObjectsDatabaseThrottleThreshold != 0 || cfg.OpenFgaServerSettings.ListObjectsDatabaseThrottleDuration != 0 {
+		opts = append(opts, server.WithListObjectsDatabaseThrottle(cfg.OpenFgaServerSettings.ListObjectsDatabaseThrottleThreshold, cfg.OpenFgaServerSettings.ListObjectsDatabaseThrottleDuration))
+	}
+
+	// ListUsers settings
+	if cfg.OpenFgaServerSettings.ListUsersDeadline != 0 {
+		opts = append(opts, server.WithListUsersDeadline(cfg.OpenFgaServerSettings.ListUsersDeadline))
+	}
+	if cfg.OpenFgaServerSettings.ListUsersMaxResults != 0 {
+		opts = append(opts, server.WithListUsersMaxResults(cfg.OpenFgaServerSettings.ListUsersMaxResults))
+	}
+	if cfg.OpenFgaServerSettings.MaxConcurrentReadsForListUsers != 0 {
+		opts = append(opts, server.WithMaxConcurrentReadsForListUsers(cfg.OpenFgaServerSettings.MaxConcurrentReadsForListUsers))
+	}
+	if cfg.OpenFgaServerSettings.ListUsersDispatchThrottlingEnabled {
+		opts = append(opts, server.WithListUsersDispatchThrottlingEnabled(cfg.OpenFgaServerSettings.ListUsersDispatchThrottlingEnabled))
+	}
+	if cfg.OpenFgaServerSettings.ListUsersDispatchThrottlingFrequency != 0 {
+		opts = append(opts, server.WithListUsersDispatchThrottlingFrequency(cfg.OpenFgaServerSettings.ListUsersDispatchThrottlingFrequency))
+	}
+	if cfg.OpenFgaServerSettings.ListUsersDispatchThrottlingThreshold != 0 {
+		opts = append(opts, server.WithListUsersDispatchThrottlingThreshold(cfg.OpenFgaServerSettings.ListUsersDispatchThrottlingThreshold))
+	}
+	if cfg.OpenFgaServerSettings.ListUsersDispatchThrottlingMaxThreshold != 0 {
+		opts = append(opts, server.WithListUsersDispatchThrottlingMaxThreshold(cfg.OpenFgaServerSettings.ListUsersDispatchThrottlingMaxThreshold))
+	}
+	if cfg.OpenFgaServerSettings.ListUsersDatabaseThrottleThreshold != 0 || cfg.OpenFgaServerSettings.ListUsersDatabaseThrottleDuration != 0 {
+		opts = append(opts, server.WithListUsersDatabaseThrottle(cfg.OpenFgaServerSettings.ListUsersDatabaseThrottleThreshold, cfg.OpenFgaServerSettings.ListUsersDatabaseThrottleDuration))
+	}
+
+	return opts
+}
+
 func NewOpenFGAHttpServer(cfg setting.ZanzanaServerSettings, srv grpcserver.Provider) (*http.Server, error) {
 	dialOpts := []grpc.DialOption{
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
@@ -51,6 +51,7 @@ type Service struct {
 	pluginStore               pluginstore.Store
 	pluginClient              plugins.Client
 	basePluginContextProvider plugincontext.BasePluginContextProvider
+	retriever                 DataSourceRetriever

 	ptc proxyTransportCache
 }
@@ -70,6 +71,7 @@ func ProvideService(
 	features featuremgmt.FeatureToggles, ac accesscontrol.AccessControl, datasourcePermissionsService accesscontrol.DatasourcePermissionsService,
 	quotaService quota.Service, pluginStore pluginstore.Store, pluginClient plugins.Client,
 	basePluginContextProvider plugincontext.BasePluginContextProvider,
+	retriever DataSourceRetriever,
 ) (*Service, error) {
 	dslogger := log.New("datasources")
 	store := &SqlStore{db: db, logger: dslogger, features: features}
@@ -89,6 +91,7 @@ func ProvideService(
 		pluginStore:               pluginStore,
 		pluginClient:              pluginClient,
 		basePluginContextProvider: basePluginContextProvider,
+		retriever:                 retriever,
 	}

 	ac.RegisterScopeAttributeResolver(NewNameScopeResolver(store))
@@ -175,11 +178,11 @@ func NewIDScopeResolver(db DataSourceRetriever) (string, accesscontrol.ScopeAttr
 }

 func (s *Service) GetDataSource(ctx context.Context, query *datasources.GetDataSourceQuery) (*datasources.DataSource, error) {
-	return s.SQLStore.GetDataSource(ctx, query)
+	return s.retriever.GetDataSource(ctx, query)
 }

 func (s *Service) GetDataSourceInNamespace(ctx context.Context, namespace, name, group string) (*datasources.DataSource, error) {
-	return s.SQLStore.GetDataSourceInNamespace(ctx, namespace, name, group)
+	return s.retriever.GetDataSourceInNamespace(ctx, namespace, name, group)
 }

 func (s *Service) GetDataSources(ctx context.Context, query *datasources.GetDataSourcesQuery) ([]*datasources.DataSource, error) {
@@ -832,8 +832,9 @@ func TestIntegrationService_DeleteDataSource(t *testing.T) {
 		quotaService := quotatest.New(false, nil)
 		permissionSvc := acmock.NewMockedPermissionsService()
 		permissionSvc.On("DeleteResourcePermissions", mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
-
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, &setting.Cfg{}, featuremgmt.WithFeatures(), acmock.New(), permissionSvc, quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, &setting.Cfg{}, features, acmock.New(), permissionSvc, quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		cmd := &datasources.DeleteDataSourceCommand{
@@ -857,7 +858,9 @@ func TestIntegrationService_DeleteDataSource(t *testing.T) {
 		permissionSvc.On("DeleteResourcePermissions", mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
 		cfg := &setting.Cfg{}
 		enableRBACManagedPermissions(t, cfg)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), permissionSvc, quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), permissionSvc, quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		// First add the datasource
@@ -1124,7 +1127,9 @@ func TestIntegrationService_GetHttpTransport(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		rt1, err := dsService.GetHTTPTransport(context.Background(), &ds, provider)
@@ -1161,7 +1166,9 @@ func TestIntegrationService_GetHttpTransport(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		ds := datasources.DataSource{
@@ -1212,7 +1219,9 @@ func TestIntegrationService_GetHttpTransport(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		ds := datasources.DataSource{
@@ -1260,7 +1269,9 @@ func TestIntegrationService_GetHttpTransport(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		ds := datasources.DataSource{
@@ -1316,7 +1327,9 @@ func TestIntegrationService_GetHttpTransport(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		ds := datasources.DataSource{
@@ -1351,7 +1364,9 @@ func TestIntegrationService_GetHttpTransport(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		ds := datasources.DataSource{
@@ -1420,7 +1435,9 @@ func TestIntegrationService_GetHttpTransport(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		ds := datasources.DataSource{
@@ -1499,7 +1516,9 @@ func TestIntegrationService_GetHttpTransport(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		ds := datasources.DataSource{
@@ -1522,7 +1541,9 @@ func TestIntegrationService_getProxySettings(t *testing.T) {
 	secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 	secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 	quotaService := quotatest.New(false, nil)
-	dsService, err := ProvideService(sqlStore, secretsService, secretsStore, &setting.Cfg{}, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+	features := featuremgmt.WithFeatures()
+	dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+	dsService, err := ProvideService(sqlStore, secretsService, secretsStore, &setting.Cfg{}, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 	require.NoError(t, err)

 	t.Run("Should default to disabled", func(t *testing.T) {
@@ -1620,7 +1641,9 @@ func TestIntegrationService_getTimeout(t *testing.T) {
 	secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 	secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 	quotaService := quotatest.New(false, nil)
-	dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+	features := featuremgmt.WithFeatures()
+	dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+	dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 	require.NoError(t, err)

 	for _, tc := range testCases {
@@ -1645,7 +1668,9 @@ func TestIntegrationService_GetDecryptedValues(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, nil, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, nil, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		jsonData := map[string]string{
@@ -1673,7 +1698,9 @@ func TestIntegrationService_GetDecryptedValues(t *testing.T) {
 		secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 		secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 		quotaService := quotatest.New(false, nil)
-		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, nil, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+		features := featuremgmt.WithFeatures()
+		dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+		dsService, err := ProvideService(sqlStore, secretsService, secretsStore, nil, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 		require.NoError(t, err)

 		jsonData := map[string]string{
@@ -1699,7 +1726,9 @@ func TestIntegrationDataSource_CustomHeaders(t *testing.T) {
 	secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 	secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
 	quotaService := quotatest.New(false, nil)
-	dsService, err := ProvideService(sqlStore, secretsService, secretsStore, nil, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil)
+	features := featuremgmt.WithFeatures()
+	dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+	dsService, err := ProvideService(sqlStore, secretsService, secretsStore, nil, features, acmock.New(), acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, nil, dsRetriever)
 	require.NoError(t, err)

 	dsService.cfg = setting.NewCfg()
@@ -1788,7 +1817,9 @@ func initDSService(t *testing.T) *Service {
 	quotaService := quotatest.New(false, nil)
 	mockPermission := acmock.NewMockedPermissionsService()
 	mockPermission.On("SetPermissions", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return([]accesscontrol.ResourcePermission{}, nil)
-	dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), actest.FakeAccessControl{}, mockPermission, quotaService, &pluginstore.FakePluginStore{
+	features := featuremgmt.WithFeatures()
+	dsRetriever := ProvideDataSourceRetriever(sqlStore, features)
+	dsService, err := ProvideService(sqlStore, secretsService, secretsStore, cfg, features, actest.FakeAccessControl{}, mockPermission, quotaService, &pluginstore.FakePluginStore{
 		PluginList: []pluginstore.Plugin{{
 			JSONData: plugins.JSONData{
 				ID:   "test",
@@ -1808,7 +1839,7 @@ func initDSService(t *testing.T) *Service {
 				ObjectBytes: req.ObjectBytes,
 			}, nil
 		},
-	}, plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()))
+	}, plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
 	require.NoError(t, err)

 	return dsService
@@ -0,0 +1,34 @@
+package service
+
+import (
+	"context"
+
+	"github.com/grafana/grafana/pkg/infra/db"
+	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/services/datasources"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
+)
+
+// DataSourceRetrieverImpl implements DataSourceRetriever by delegating to a Store.
+type DataSourceRetrieverImpl struct {
+	store Store
+}
+
+var _ DataSourceRetriever = (*DataSourceRetrieverImpl)(nil)
+
+// ProvideDataSourceRetriever creates a DataSourceRetriever for wire injection.
+func ProvideDataSourceRetriever(db db.DB, features featuremgmt.FeatureToggles) DataSourceRetriever {
+	dslogger := log.New("datasources-retriever")
+	store := &SqlStore{db: db, logger: dslogger, features: features}
+	return &DataSourceRetrieverImpl{store: store}
+}
+
+// GetDataSource gets a datasource.
+func (r *DataSourceRetrieverImpl) GetDataSource(ctx context.Context, query *datasources.GetDataSourceQuery) (*datasources.DataSource, error) {
+	return r.store.GetDataSource(ctx, query)
+}
+
+// GetDataSourceInNamespace gets a datasource by namespace, name (datasource uid), and group (datasource type).
+func (r *DataSourceRetrieverImpl) GetDataSourceInNamespace(ctx context.Context, namespace, name, group string) (*datasources.DataSource, error) {
+	return r.store.GetDataSourceInNamespace(ctx, namespace, name, group)
+}
@@ -7,7 +7,7 @@ import (
 	"github.com/open-feature/go-sdk/openfeature"
 )

-func newGOFFProvider(url string, client *http.Client) (openfeature.FeatureProvider, error) {
+func newFeaturesServiceProvider(url string, client *http.Client) (openfeature.FeatureProvider, error) {
 	options := gofeatureflag.ProviderOptions{
 		Endpoint: url,
 		// consider using github.com/grafana/grafana/pkg/infra/httpclient/provider.go
@@ -19,11 +19,11 @@ const (

 // OpenFeatureConfig holds configuration for initializing OpenFeature
 type OpenFeatureConfig struct {
-	// ProviderType is either "static", "goff", or "ofrep"
+	// ProviderType is either "static", "features-service", or "ofrep"
 	ProviderType string
-	// URL is the GOFF or OFREP service URL (required for GOFF + OFREP providers)
+	// URL is the remote provider's URL (required for features-service + OFREP providers)
 	URL *url.URL
-	// HTTPClient is a pre-configured HTTP client (optional, used for GOFF + OFREP providers)
+	// HTTPClient is a pre-configured HTTP client (optional, used by features-service + OFREP providers)
 	HTTPClient *http.Client
 	// StaticFlags are the feature flags to use with static provider
 	StaticFlags map[string]bool
@@ -35,9 +35,9 @@ type OpenFeatureConfig struct {

 // InitOpenFeature initializes OpenFeature with the provided configuration
 func InitOpenFeature(config OpenFeatureConfig) error {
-	// For GOFF + OFREP providers, ensure we have a URL
-	if (config.ProviderType == setting.GOFFProviderType || config.ProviderType == setting.OFREPProviderType) && (config.URL == nil || config.URL.String() == "") {
-		return fmt.Errorf("URL is required for GOFF + OFREP providers")
+	// For remote providers, ensure we have a URL
+	if (config.ProviderType == setting.FeaturesServiceProviderType || config.ProviderType == setting.OFREPProviderType) && (config.URL == nil || config.URL.String() == "") {
+		return fmt.Errorf("URL is required for remote providers")
 	}

 	p, err := createProvider(config.ProviderType, config.URL, config.StaticFlags, config.HTTPClient)
@@ -66,10 +66,10 @@ func InitOpenFeatureWithCfg(cfg *setting.Cfg) error {
 	}

 	var httpcli *http.Client
-	if cfg.OpenFeature.ProviderType == setting.GOFFProviderType || cfg.OpenFeature.ProviderType == setting.OFREPProviderType {
+	if cfg.OpenFeature.ProviderType == setting.FeaturesServiceProviderType || cfg.OpenFeature.ProviderType == setting.OFREPProviderType {
 		var m *clientauthmiddleware.TokenExchangeMiddleware

-		if cfg.OpenFeature.ProviderType == setting.GOFFProviderType {
+		if cfg.OpenFeature.ProviderType == setting.FeaturesServiceProviderType {
 			m, err = clientauthmiddleware.NewTokenExchangeMiddleware(cfg)
 			if err != nil {
 				return fmt.Errorf("failed to create token exchange middleware: %w", err)
@@ -103,13 +103,13 @@ func createProvider(
 	staticFlags map[string]bool,
 	httpClient *http.Client,
 ) (openfeature.FeatureProvider, error) {
-	if providerType == setting.GOFFProviderType || providerType == setting.OFREPProviderType {
+	if providerType == setting.FeaturesServiceProviderType || providerType == setting.OFREPProviderType {
 		if u == nil || u.String() == "" {
-			return nil, fmt.Errorf("feature provider url is required for GOFFProviderType + OFREPProviderType")
+			return nil, fmt.Errorf("feature provider url is required for FeaturesServiceProviderType + OFREPProviderType")
 		}

-		if providerType == setting.GOFFProviderType {
-			return newGOFFProvider(u.String(), httpClient)
+		if providerType == setting.FeaturesServiceProviderType {
+			return newFeaturesServiceProvider(u.String(), httpClient)
 		}

 		if providerType == setting.OFREPProviderType {
@@ -35,9 +35,9 @@ func TestCreateProvider(t *testing.T) {
 			expectedProvider: setting.StaticProviderType,
 		},
 		{
-			name: "goff provider",
+			name: "features-service provider",
 			cfg: setting.OpenFeatureSettings{
-				ProviderType: setting.GOFFProviderType,
+				ProviderType: setting.FeaturesServiceProviderType,
 				URL:          u,
 				TargetingKey: "grafana",
 			},
@@ -45,12 +45,12 @@ func TestCreateProvider(t *testing.T) {
 				Namespace: "*",
 				Audiences: []string{"features.grafana.app"},
 			},
-			expectedProvider: setting.GOFFProviderType,
+			expectedProvider: setting.FeaturesServiceProviderType,
 		},
 		{
-			name: "goff provider with failing token exchange",
+			name: "features-service provider with failing token exchange",
 			cfg: setting.OpenFeatureSettings{
-				ProviderType: setting.GOFFProviderType,
+				ProviderType: setting.FeaturesServiceProviderType,
 				URL:          u,
 				TargetingKey: "grafana",
 			},
@@ -58,7 +58,7 @@ func TestCreateProvider(t *testing.T) {
 				Namespace: "*",
 				Audiences: []string{"features.grafana.app"},
 			},
-			expectedProvider: setting.GOFFProviderType,
+			expectedProvider: setting.FeaturesServiceProviderType,
 			failSigning:      true,
 		},
 		{
@@ -107,7 +107,7 @@ func TestCreateProvider(t *testing.T) {

 			tokenExchangeMiddleware := middleware.TestingTokenExchangeMiddleware(tokenExchangeClient)
 			httpClient, err := createHTTPClient(tokenExchangeMiddleware)
-			require.NoError(t, err, "failed to create goff http client")
+			require.NoError(t, err, "failed to create features-service http client")
 			provider, err := createProvider(tc.cfg.ProviderType, tc.cfg.URL, nil, httpClient)
 			require.NoError(t, err)

@@ -115,7 +115,7 @@ func TestCreateProvider(t *testing.T) {
 			require.NoError(t, err, "failed to set provider")

 			switch tc.expectedProvider {
-			case setting.GOFFProviderType:
+			case setting.FeaturesServiceProviderType:
 				_, ok := provider.(*gofeatureflag.Provider)
 				assert.True(t, ok, "expected provider to be of type goff.Provider")

@@ -141,10 +141,10 @@ func testGoFFProvider(t *testing.T, failSigning bool) {
 	_, err := openfeature.NewDefaultClient().BooleanValueDetails(ctx, "test", false, openfeature.NewEvaluationContext("test", map[string]interface{}{"test": "test"}))

 	// Error related to the token exchange should be returned if signing fails
-	// otherwise, it should return a connection refused error since the goff URL is not set
+	// otherwise, it should return a connection refused error since the features-service URL is not set
 	if failSigning {
 		assert.ErrorContains(t, err, "failed to exchange token: error signing token", "should return an error when signing fails")
 	} else {
-		assert.ErrorContains(t, err, "connect: connection refused", "should return an error when goff url is not set")
+		assert.ErrorContains(t, err, "connect: connection refused", "should return an error when features-service url is not set")
 	}
 }
@@ -650,13 +650,6 @@ var (
 			Stage:        FeatureStageExperimental,
 			Owner:        grafanaDatavizSquad,
 		},
-		{
-			Name:         "kubernetesFeatureToggles",
-			Description:  "Use the kubernetes API for feature toggle management in the frontend",
-			Stage:        FeatureStageExperimental,
-			FrontendOnly: true,
-			Owner:        grafanaOperatorExperienceSquad,
-		},
 		{
 			Name:            "cloudRBACRoles",
 			Description:     "Enabled grafana cloud specific RBAC roles",
@@ -1155,7 +1148,14 @@ var (
 			Owner:           grafanaAppPlatformSquad,
 			RequiresRestart: true,
 		},
-			{
+		{
+			Name:         "passwordlessMagicLinkAuthentication",
+			Description:  "Enable passwordless login via magic link authentication",
+			Stage:        FeatureStageExperimental,
+			Owner:        identityAccessTeam,
+			HideFromDocs: true,
+		},
+		{
 			Name:         "exploreMetricsRelatedLogs",
 			Description:  "Display Related Logs in Grafana Metrics Drilldown",
 			Stage:        FeatureStageExperimental,
@@ -2083,6 +2083,13 @@ var (
 			FrontendOnly: false,
 			Owner:        grafanaOperatorExperienceSquad,
 		},
+		{
+			Name:         "profilesExemplars",
+			Description:  "Enables profiles exemplars support in profiles drilldown",
+			Stage:        FeatureStageExperimental,
+			Owner:        grafanaObservabilityTracesAndProfilingSquad,
+			FrontendOnly: false,
+		},
 	}
 )

@@ -90,7 +90,6 @@ pdfTables,preview,@grafana/grafana-operator-experience-squad,false,false,false
 canvasPanelPanZoom,preview,@grafana/dataviz-squad,false,false,true
 timeComparison,experimental,@grafana/dataviz-squad,false,false,true
 tableSharedCrosshair,experimental,@grafana/dataviz-squad,false,false,true
-kubernetesFeatureToggles,experimental,@grafana/grafana-operator-experience-squad,false,false,true
 cloudRBACRoles,preview,@grafana/identity-access-team,false,true,false
 alertingQueryOptimization,GA,@grafana/alerting-squad,false,false,false
 jitterAlertRulesWithinGroups,preview,@grafana/alerting-squad,false,true,false
@@ -160,6 +159,7 @@ timeRangePan,experimental,@grafana/dataviz-squad,false,false,true
 newTimeRangeZoomShortcuts,experimental,@grafana/dataviz-squad,false,false,true
 azureMonitorDisableLogLimit,GA,@grafana/partner-datasources,false,false,false
 playlistsReconciler,experimental,@grafana/grafana-app-platform-squad,false,true,false
+passwordlessMagicLinkAuthentication,experimental,@grafana/identity-access-team,false,false,false
 exploreMetricsRelatedLogs,experimental,@grafana/observability-metrics,false,false,true
 prometheusSpecialCharsInLabelValues,experimental,@grafana/oss-big-tent,false,false,true
 enableExtensionsAdminPage,experimental,@grafana/plugins-platform-backend,false,true,false
@@ -282,3 +282,4 @@ useMTPlugins,experimental,@grafana/plugins-platform-backend,false,false,true
 multiPropsVariables,experimental,@grafana/dashboards-squad,false,false,true
 smoothingTransformation,experimental,@grafana/datapro,false,false,true
 secretsManagementAppPlatformAwsKeeper,experimental,@grafana/grafana-operator-experience-squad,false,false,false
+profilesExemplars,experimental,@grafana/observability-traces-and-profiling,false,false,false
@@ -483,6 +483,10 @@ const (
 	// Enables experimental reconciler for playlists
 	FlagPlaylistsReconciler = "playlistsReconciler"

+	// FlagPasswordlessMagicLinkAuthentication
+	// Enable passwordless login via magic link authentication
+	FlagPasswordlessMagicLinkAuthentication = "passwordlessMagicLinkAuthentication"
+
 	// FlagEnableExtensionsAdminPage
 	// Enables the extension admin page regardless of development mode
 	FlagEnableExtensionsAdminPage = "enableExtensionsAdminPage"
@@ -781,4 +785,8 @@ const (
 	// FlagSecretsManagementAppPlatformAwsKeeper
 	// Enables the creation of keepers that manage secrets stored on AWS secrets manager
 	FlagSecretsManagementAppPlatformAwsKeeper = "secretsManagementAppPlatformAwsKeeper"
+
+	// FlagProfilesExemplars
+	// Enables profiles exemplars support in profiles drilldown
+	FlagProfilesExemplars = "profilesExemplars"
 )
@@ -2044,7 +2044,8 @@
      "metadata": {
        "name": "kubernetesFeatureToggles",
        "resourceVersion": "1764664939750",
-        "creationTimestamp": "2024-01-18T05:32:44Z"
+        "creationTimestamp": "2024-01-18T05:32:44Z",
+        "deletionTimestamp": "2026-01-07T12:02:51Z"
      },
      "spec": {
        "description": "Use the kubernetes API for feature toggle management in the frontend",
@@ -2661,8 +2662,7 @@
      "metadata": {
        "name": "passwordlessMagicLinkAuthentication",
        "resourceVersion": "1764664939750",
-        "creationTimestamp": "2024-11-14T13:50:55Z",
-        "deletionTimestamp": "2026-01-08T15:33:29Z"
+        "creationTimestamp": "2024-11-14T13:50:55Z"
      },
      "spec": {
        "description": "Enable passwordless login via magic link authentication",
@@ -2867,6 +2867,18 @@
        "expression": "true"
      }
    },
+    {
+      "metadata": {
+        "name": "profilesExemplars",
+        "resourceVersion": "1767777507980",
+        "creationTimestamp": "2026-01-07T09:18:27Z"
+      },
+      "spec": {
+        "description": "Enables profiles exemplars support in profiles drilldown",
+        "stage": "experimental",
+        "codeowner": "@grafana/observability-traces-and-profiling"
+      }
+    },
    {
      "metadata": {
        "name": "prometheusAzureOverrideAudience",
@@ -14,6 +14,8 @@ import (

 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/provider"
 	"github.com/grafana/grafana/pkg/plugins/log"
 	"github.com/grafana/grafana/pkg/tsdb/azuremonitor"
 	cloudmonitoring "github.com/grafana/grafana/pkg/tsdb/cloud-monitoring"
@@ -92,6 +94,10 @@ func NewRegistry(store map[string]backendplugin.PluginFactoryFunc) *Registry {
 	}
 }

+func ProvideCoreProvider(coreRegistry *Registry) plugins.BackendFactoryProvider {
+	return provider.New(coreRegistry.BackendFactoryProvider(), provider.DefaultProvider)
+}
+
 func ProvideCoreRegistry(tracer trace.Tracer, am *azuremonitor.Service, cw *cloudwatch.Service, cm *cloudmonitoring.Service,
 	es *elasticsearch.Service, grap *graphite.Service, idb *influxdb.Service, lk *loki.Service, otsdb *opentsdb.Service,
 	pr *prometheus.Service, t *tempo.Service, td *testdatasource.Service, pg *postgres.Service, my *mysql.Service,
@@ -156,7 +162,7 @@ func asBackendPlugin(svc any) backendplugin.PluginFactoryFunc {

 	if opts.QueryDataHandler != nil || opts.CallResourceHandler != nil ||
 		opts.CheckHealthHandler != nil || opts.StreamHandler != nil {
-		return New(opts)
+		return coreplugin.New(opts)
 	}

 	return nil
@@ -6,7 +6,6 @@ import (
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/auth"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
 	"github.com/grafana/grafana/pkg/plugins/config"
 	"github.com/grafana/grafana/pkg/plugins/envvars"
 	"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
@@ -19,6 +18,7 @@ import (
 	"github.com/grafana/grafana/pkg/plugins/manager/registry"
 	"github.com/grafana/grafana/pkg/plugins/manager/signature"
 	"github.com/grafana/grafana/pkg/plugins/pluginassets"
+	"github.com/grafana/grafana/pkg/services/pluginsintegration/coreplugin"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/provisionedplugins"
 )
@@ -10,8 +10,6 @@ import (
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/auth"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/provider"
 	"github.com/grafana/grafana/pkg/plugins/envvars"
 	"github.com/grafana/grafana/pkg/plugins/log"
 	"github.com/grafana/grafana/pkg/plugins/manager/client"
@@ -39,6 +37,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/angularinspector"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/angularpatternsstore"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/clientmiddleware"
+	"github.com/grafana/grafana/pkg/services/pluginsintegration/coreplugin"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/installsync"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/keyretriever"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/keyretriever/dynamic"
@@ -146,8 +145,7 @@ var WireSet = wire.NewSet(
 // WireExtensionSet provides a wire.ProviderSet of plugin providers that can be
 // extended.
 var WireExtensionSet = wire.NewSet(
-	provider.ProvideService,
-	wire.Bind(new(plugins.BackendFactoryProvider), new(*provider.Service)),
+	coreplugin.ProvideCoreProvider,
 	signature.ProvideOSSAuthorizer,
 	wire.Bind(new(plugins.PluginLoaderAuthorizer), new(*signature.UnsignedPluginAuthorizer)),
 	ProvideClientWithMiddlewares,
@@ -19,10 +19,10 @@ import (
 	"github.com/grafana/grafana/pkg/infra/fs"
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration"
+	"github.com/grafana/grafana/pkg/services/pluginsintegration/coreplugin"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginstore"
 	"github.com/grafana/grafana/pkg/services/searchV2"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
@@ -8,8 +8,6 @@ import (
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/provider"
 	pluginsCfg "github.com/grafana/grafana/pkg/plugins/config"
 	"github.com/grafana/grafana/pkg/plugins/manager/client"
 	"github.com/grafana/grafana/pkg/plugins/manager/loader"
@@ -27,6 +25,7 @@ import (
 	"github.com/grafana/grafana/pkg/plugins/pluginassets"
 	"github.com/grafana/grafana/pkg/plugins/pluginerrs"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
+	"github.com/grafana/grafana/pkg/services/pluginsintegration/coreplugin"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pipeline"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginconfig"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginsources"
@@ -52,7 +51,7 @@ func CreateIntegrationTestCtx(t *testing.T, cfg *setting.Cfg, coreRegistry *core
 	disc := pipeline.ProvideDiscoveryStage(pCfg, reg)
 	boot := pipeline.ProvideBootstrapStage(pCfg, signature.ProvideService(pCfg, statickey.New()), pluginassets.NewLocalProvider())
 	valid := pipeline.ProvideValidationStage(pCfg, signature.NewValidator(signature.NewUnsignedAuthorizer(pCfg)), angularInspector)
-	init := pipeline.ProvideInitializationStage(pCfg, reg, provider.ProvideService(coreRegistry), proc, &pluginfakes.FakeAuthService{}, pluginfakes.NewFakeRoleRegistry(), pluginfakes.NewFakeActionSetRegistry(), nil, tracing.InitializeTracerForTest(), provisionedplugins.NewNoop())
+	init := pipeline.ProvideInitializationStage(pCfg, reg, coreplugin.ProvideCoreProvider(coreRegistry), proc, &pluginfakes.FakeAuthService{}, pluginfakes.NewFakeRoleRegistry(), pluginfakes.NewFakeActionSetRegistry(), nil, tracing.InitializeTracerForTest(), provisionedplugins.NewNoop())
 	term, err := pipeline.ProvideTerminationStage(pCfg, reg, proc)
 	require.NoError(t, err)

@@ -98,7 +97,7 @@ func CreateTestLoader(t *testing.T, cfg *pluginsCfg.PluginManagementCfg, opts Lo
 	if opts.Initializer == nil {
 		reg := registry.ProvideService()
 		coreRegistry := coreplugin.NewRegistry(make(map[string]backendplugin.PluginFactoryFunc))
-		opts.Initializer = pipeline.ProvideInitializationStage(cfg, reg, provider.ProvideService(coreRegistry), process.ProvideService(), &pluginfakes.FakeAuthService{}, pluginfakes.NewFakeRoleRegistry(), pluginfakes.NewFakeActionSetRegistry(), nil, tracing.InitializeTracerForTest(), provisionedplugins.NewNoop())
+		opts.Initializer = pipeline.ProvideInitializationStage(cfg, reg, coreplugin.ProvideCoreProvider(coreRegistry), process.ProvideService(), &pluginfakes.FakeAuthService{}, pluginfakes.NewFakeRoleRegistry(), pluginfakes.NewFakeActionSetRegistry(), nil, tracing.InitializeTracerForTest(), provisionedplugins.NewNoop())
 	}

 	if opts.Terminator == nil {
@@ -542,9 +542,10 @@ func setupEnv(t *testing.T, sqlStore db.DB, cfg *setting.Cfg, b bus.Bus, quotaSe
 	dashService.RegisterDashboardPermissions(acmock.NewMockedPermissionsService())
 	secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 	secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
+	dsRetriever := dsservice.ProvideDataSourceRetriever(sqlStore, featuremgmt.WithFeatures())
 	_, err = dsservice.ProvideService(sqlStore, secretsService, secretsStore, cfg, featuremgmt.WithFeatures(), acmock.New(), acmock.NewMockedPermissionsService(),
 		quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{}, plugincontext.
-			ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()))
+			ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
 	require.NoError(t, err)
 	m := metrics.NewNGAlert(prometheus.NewRegistry())

@@ -37,9 +37,10 @@ func SetupTestDataSourceSecretMigrationService(t *testing.T, sqlStore db.DB, kvS
 	features := featuremgmt.WithFeatures()
 	secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
 	quotaService := quotatest.New(false, nil)
+	dsRetriever := dsservice.ProvideDataSourceRetriever(sqlStore, features)
 	dsService, err := dsservice.ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acmock.New(),
 		acmock.NewMockedPermissionsService(), quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{},
-		plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()))
+		plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
 	require.NoError(t, err)
 	migService := ProvideDataSourceMigrationService(dsService, kvStore, features)
 	return migService
@@ -6,9 +6,9 @@ import (
 )

 const (
-	StaticProviderType = "static"
-	GOFFProviderType   = "goff"
-	OFREPProviderType  = "ofrep"
+	StaticProviderType          = "static"
+	FeaturesServiceProviderType = "features-service"
+	OFREPProviderType           = "ofrep"
 )

 type OpenFeatureSettings struct {
@@ -34,7 +34,7 @@ func (cfg *Cfg) readOpenFeatureSettings() error {

 	cfg.OpenFeature.TargetingKey = config.Key("targetingKey").MustString(defaultTargetingKey)

-	if strURL != "" && (cfg.OpenFeature.ProviderType == GOFFProviderType || cfg.OpenFeature.ProviderType == OFREPProviderType) {
+	if strURL != "" && (cfg.OpenFeature.ProviderType == FeaturesServiceProviderType || cfg.OpenFeature.ProviderType == OFREPProviderType) {
 		u, err := url.Parse(strURL)
 		if err != nil {
 			return fmt.Errorf("invalid feature provider url: %w", err)
@@ -37,6 +37,8 @@ type ZanzanaServerSettings struct {
 	OpenFGAHttpAddr string
 	// Cache settings
 	CacheSettings OpenFgaCacheSettings
+	// OpenFGA server settings
+	OpenFgaServerSettings OpenFgaServerSettings
 	// Max number of results returned by ListObjects() query. Default is 1000.
 	ListObjectsMaxResults uint32
 	// Deadline for the ListObjects() query. Default is 3 seconds.
@@ -50,6 +52,92 @@ type ZanzanaServerSettings struct {
 	AllowInsecure bool
 }

+type OpenFgaServerSettings struct {
+	// ListObjects settings
+	// Max number of concurrent datastore reads for ListObjects queries
+	MaxConcurrentReadsForListObjects uint32
+	// Enable dispatch throttling for ListObjects queries
+	ListObjectsDispatchThrottlingEnabled bool
+	// Frequency for dispatch throttling in ListObjects queries
+	ListObjectsDispatchThrottlingFrequency time.Duration
+	// Threshold for dispatch throttling in ListObjects queries
+	ListObjectsDispatchThrottlingThreshold uint32
+	// Max threshold for dispatch throttling in ListObjects queries
+	ListObjectsDispatchThrottlingMaxThreshold uint32
+	// Database throttle threshold for ListObjects queries
+	ListObjectsDatabaseThrottleThreshold int
+	// Database throttle duration for ListObjects queries
+	ListObjectsDatabaseThrottleDuration time.Duration
+
+	// ListUsers settings
+	// Deadline for ListUsers queries
+	ListUsersDeadline time.Duration
+	// Max number of results returned by ListUsers queries
+	ListUsersMaxResults uint32
+	// Max number of concurrent datastore reads for ListUsers queries
+	MaxConcurrentReadsForListUsers uint32
+	// Enable dispatch throttling for ListUsers queries
+	ListUsersDispatchThrottlingEnabled bool
+	// Frequency for dispatch throttling in ListUsers queries
+	ListUsersDispatchThrottlingFrequency time.Duration
+	// Threshold for dispatch throttling in ListUsers queries
+	ListUsersDispatchThrottlingThreshold uint32
+	// Max threshold for dispatch throttling in ListUsers queries
+	ListUsersDispatchThrottlingMaxThreshold uint32
+	// Database throttle threshold for ListUsers queries
+	ListUsersDatabaseThrottleThreshold int
+	// Database throttle duration for ListUsers queries
+	ListUsersDatabaseThrottleDuration time.Duration
+
+	// Check settings
+	// Max number of concurrent datastore reads for Check queries
+	MaxConcurrentReadsForCheck uint32
+	// Database throttle threshold for Check queries
+	CheckDatabaseThrottleThreshold int
+	// Database throttle duration for Check queries
+	CheckDatabaseThrottleDuration time.Duration
+
+	// Batch check settings
+	// Max number of concurrent checks per batch check request
+	MaxConcurrentChecksPerBatchCheck uint32
+	// Max number of checks per batch check request
+	MaxChecksPerBatchCheck uint32
+
+	// Resolve node settings
+	// Max number of nodes that can be resolved in a single query
+	ResolveNodeLimit uint32
+	// Max breadth of nodes that can be resolved in a single query
+	ResolveNodeBreadthLimit uint32
+
+	// Dispatch throttling settings for Check resolver
+	// Enable dispatch throttling for Check resolver
+	DispatchThrottlingCheckResolverEnabled bool
+	// Frequency for dispatch throttling in Check resolver
+	DispatchThrottlingCheckResolverFrequency time.Duration
+	// Threshold for dispatch throttling in Check resolver
+	DispatchThrottlingCheckResolverThreshold uint32
+	// Max threshold for dispatch throttling in Check resolver
+	DispatchThrottlingCheckResolverMaxThreshold uint32
+
+	// Shadow check/query settings
+	// Timeout for shadow check resolver
+	ShadowCheckResolverTimeout time.Duration
+	// Timeout for shadow ListObjects query
+	ShadowListObjectsQueryTimeout time.Duration
+	// Max delta items for shadow ListObjects query
+	ShadowListObjectsQueryMaxDeltaItems int
+
+	// Request settings
+	// Global request timeout
+	RequestTimeout time.Duration
+	// Max size in bytes for authorization model
+	MaxAuthorizationModelSizeInBytes int
+	// Size of the authorization model cache
+	AuthorizationModelCacheSize int
+	// Offset for changelog horizon
+	ChangelogHorizonOffset int
+}
+
 // Parameters to configure OpenFGA cache.
 type OpenFgaCacheSettings struct {
 	// Number of items that will be kept in the in-memory cache used to resolve Check queries.
@@ -156,5 +244,56 @@ func (cfg *Cfg) readZanzanaSettings() {
 	zs.CacheSettings.SharedIteratorLimit = uint32(serverSec.Key("shared_iterator_limit").MustUint(1000))
 	zs.CacheSettings.SharedIteratorTTL = serverSec.Key("shared_iterator_ttl").MustDuration(10 * time.Second)

+	openfgaSec := cfg.SectionWithEnvOverrides("openfga")
+
+	// ListObjects settings
+	zs.OpenFgaServerSettings.MaxConcurrentReadsForListObjects = uint32(openfgaSec.Key("max_concurrent_reads_for_list_objects").MustUint(0))
+	zs.OpenFgaServerSettings.ListObjectsDispatchThrottlingEnabled = openfgaSec.Key("list_objects_dispatch_throttling_enabled").MustBool(false)
+	zs.OpenFgaServerSettings.ListObjectsDispatchThrottlingFrequency = openfgaSec.Key("list_objects_dispatch_throttling_frequency").MustDuration(0)
+	zs.OpenFgaServerSettings.ListObjectsDispatchThrottlingThreshold = uint32(openfgaSec.Key("list_objects_dispatch_throttling_threshold").MustUint(0))
+	zs.OpenFgaServerSettings.ListObjectsDispatchThrottlingMaxThreshold = uint32(openfgaSec.Key("list_objects_dispatch_throttling_max_threshold").MustUint(0))
+	zs.OpenFgaServerSettings.ListObjectsDatabaseThrottleThreshold = openfgaSec.Key("list_objects_database_throttle_threshold").MustInt(0)
+	zs.OpenFgaServerSettings.ListObjectsDatabaseThrottleDuration = openfgaSec.Key("list_objects_database_throttle_duration").MustDuration(0)
+
+	// ListUsers settings
+	zs.OpenFgaServerSettings.ListUsersDeadline = openfgaSec.Key("list_users_deadline").MustDuration(0)
+	zs.OpenFgaServerSettings.ListUsersMaxResults = uint32(openfgaSec.Key("list_users_max_results").MustUint(0))
+	zs.OpenFgaServerSettings.MaxConcurrentReadsForListUsers = uint32(openfgaSec.Key("max_concurrent_reads_for_list_users").MustUint(0))
+	zs.OpenFgaServerSettings.ListUsersDispatchThrottlingEnabled = openfgaSec.Key("list_users_dispatch_throttling_enabled").MustBool(false)
+	zs.OpenFgaServerSettings.ListUsersDispatchThrottlingFrequency = openfgaSec.Key("list_users_dispatch_throttling_frequency").MustDuration(0)
+	zs.OpenFgaServerSettings.ListUsersDispatchThrottlingThreshold = uint32(openfgaSec.Key("list_users_dispatch_throttling_threshold").MustUint(0))
+	zs.OpenFgaServerSettings.ListUsersDispatchThrottlingMaxThreshold = uint32(openfgaSec.Key("list_users_dispatch_throttling_max_threshold").MustUint(0))
+	zs.OpenFgaServerSettings.ListUsersDatabaseThrottleThreshold = openfgaSec.Key("list_users_database_throttle_threshold").MustInt(0)
+	zs.OpenFgaServerSettings.ListUsersDatabaseThrottleDuration = openfgaSec.Key("list_users_database_throttle_duration").MustDuration(0)
+
+	// Check settings
+	zs.OpenFgaServerSettings.MaxConcurrentReadsForCheck = uint32(openfgaSec.Key("max_concurrent_reads_for_check").MustUint(0))
+	zs.OpenFgaServerSettings.CheckDatabaseThrottleThreshold = openfgaSec.Key("check_database_throttle_threshold").MustInt(0)
+	zs.OpenFgaServerSettings.CheckDatabaseThrottleDuration = openfgaSec.Key("check_database_throttle_duration").MustDuration(0)
+
+	// Batch check settings
+	zs.OpenFgaServerSettings.MaxConcurrentChecksPerBatchCheck = uint32(openfgaSec.Key("max_concurrent_checks_per_batch_check").MustUint(0))
+	zs.OpenFgaServerSettings.MaxChecksPerBatchCheck = uint32(openfgaSec.Key("max_checks_per_batch_check").MustUint(0))
+
+	// Resolve node settings
+	zs.OpenFgaServerSettings.ResolveNodeLimit = uint32(openfgaSec.Key("resolve_node_limit").MustUint(0))
+	zs.OpenFgaServerSettings.ResolveNodeBreadthLimit = uint32(openfgaSec.Key("resolve_node_breadth_limit").MustUint(0))
+
+	// Dispatch throttling settings for Check resolver
+	zs.OpenFgaServerSettings.DispatchThrottlingCheckResolverEnabled = openfgaSec.Key("dispatch_throttling_check_resolver_enabled").MustBool(false)
+	zs.OpenFgaServerSettings.DispatchThrottlingCheckResolverFrequency = openfgaSec.Key("dispatch_throttling_check_resolver_frequency").MustDuration(0)
+	zs.OpenFgaServerSettings.DispatchThrottlingCheckResolverThreshold = uint32(openfgaSec.Key("dispatch_throttling_check_resolver_threshold").MustUint(0))
+	zs.OpenFgaServerSettings.DispatchThrottlingCheckResolverMaxThreshold = uint32(openfgaSec.Key("dispatch_throttling_check_resolver_max_threshold").MustUint(0))
+
+	// Shadow check/query settings
+	zs.OpenFgaServerSettings.ShadowCheckResolverTimeout = openfgaSec.Key("shadow_check_resolver_timeout").MustDuration(0)
+	zs.OpenFgaServerSettings.ShadowListObjectsQueryTimeout = openfgaSec.Key("shadow_list_objects_query_timeout").MustDuration(0)
+	zs.OpenFgaServerSettings.ShadowListObjectsQueryMaxDeltaItems = openfgaSec.Key("shadow_list_objects_query_max_delta_items").MustInt(0)
+
+	zs.OpenFgaServerSettings.RequestTimeout = openfgaSec.Key("request_timeout").MustDuration(0)
+	zs.OpenFgaServerSettings.MaxAuthorizationModelSizeInBytes = openfgaSec.Key("max_authorization_model_size_in_bytes").MustInt(0)
+	zs.OpenFgaServerSettings.AuthorizationModelCacheSize = openfgaSec.Key("authorization_model_cache_size").MustInt(0)
+	zs.OpenFgaServerSettings.ChangelogHorizonOffset = openfgaSec.Key("changelog_horizon_offset").MustInt(0)
+
 	cfg.ZanzanaServer = zs
 }
@@ -293,15 +293,15 @@ overrides_path = overrides.yaml
 overrides_reload_period = 5s
 ```

-To overrides the default quota for a tenant, add the following to the overrides.yaml file:
+To override the default quota for a tenant, add the following to the `overrides.yaml` file:
 ```yaml
 overrides:
  <NAMESPACE>:
    quotas:
-      <GROUP>.<RESOURCE>:
+      <GROUP>/<RESOURCE>:
        limit: 10
 ```
-Unless otherwise set, the NAMESPACE when running locally is `default`.
+Unless otherwise set, the `NAMESPACE` when running locally is `default`.

 To access quotas, use the following API endpoint:
 ```
@@ -806,8 +806,10 @@ flowchart TD

 #### Setting Dual Writer Mode
 ```ini
-[unified_storage.{resource}.{kind}.{group}]
-dualWriterMode = {0-5}
+; [unified_storage.{resource}.{group}]
+[unified_storage.dashboards.dashboard.grafana.app]
+; modes {0-5}
+dualWriterMode = 0
 ```

 #### Background Sync Configuration
@@ -1376,4 +1378,3 @@ disable_data_migrations = false
 ### Documentation

 For detailed information about migration architecture, validators, and troubleshooting, refer to [migrations/README.md](./migrations/README.md).
- 
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Johnny K.	b8e7d3b91a	prettier	2026-01-09 14:12:31 -06:00
Johnny K.	9bd5cfe0c1	alerting docs: update docs for slack	2026-01-08 15:32:19 -06:00
Charandas	b96a1ae722	Custom Routes: use existing server's mux container instead of gorilla.Mux (#115605 )	2026-01-07 12:46:27 -08:00
Kim Nylander	a53875e621	[DOC] Changed so max_spans_per_span_set can't be changed in Cloud Traces (#115914 ) Changed so max_spans_per_span_set can't be changed in Cloud Traces	2026-01-07 15:46:02 -05:00
Cory Forseth	9598ae6434	Datasources: extract data source read methods from service (#115834 ) * extra data source read methods * update tests * more tests * fix more tests; actually initialize retriever instead of sending nil * moving GetAllDataSources isn't strictly required, so keep to minimal changes * better name for retriever logger Co-authored-by: Dafydd <72009875+dafydd-t@users.noreply.github.com> * add compile-time check for DS retriever impl --------- Co-authored-by: Dafydd <72009875+dafydd-t@users.noreply.github.com> Co-authored-by: Stephanie Hingtgen <stephanie.hingtgen@grafana.com>	2026-01-07 14:29:59 -06:00
owensmallwood	ab0b05550f	Unified Storag: Fix readme (#115957 ) * fix readme * spelling	2026-01-07 19:35:33 +00:00
beejeebus	4518add556	Use a different metric name for new config CRUD APIs Also, make sure to register the metrics with the same prometheus registerer as the http server, so that metrics will show up.	2026-01-07 14:28:31 -05:00
Kristina Demeshchik	00b89b0d29	Dashboards: Fix liveNow not working for panels with time shift (#115902 ) * relative time for timeshifts * remove extra assertion * absolute time range	2026-01-07 14:24:20 -05:00
Todd Treece	a3eedfeb73	Plugins: Move fixed role registration behind toggle (#115940 )	2026-01-07 13:52:01 -05:00
Renato Costa	1e8f1f74ea	unified-storage: apply backwards compatibility changes outside sqlkv (#115954 )	2026-01-07 13:51:15 -05:00
owensmallwood	66b05914e2	Tracing: Use service name from config (#115955 ) use service name from config	2026-01-07 12:50:11 -06:00
Yunwen Zheng	0c60d356d1	RecentlyViewedDashboards: Hide entire section when there is no recently view item (#115905 ) * RecentlyViewedDashboards: Hide entire section when there is no recently view item	2026-01-07 13:31:48 -05:00
Ezequiel Victorero	41d7213d7e	Docs: Update dualwrite ini config (#115934 )	2026-01-07 17:58:58 +01:00
Todd Treece	efad6c7be0	Chore: Update enterprise imports (#115947 )	2026-01-07 16:55:59 +00:00
Paulo Dias	e116254f32	Alerting: Update createdBy field when silence is being Recreated (#115543 )	2026-01-07 16:05:53 +00:00
Matheus Macabu	2efcc88e62	FeatureToggles: Remove unused kubernetesFeatureToggles (#115933 )	2026-01-07 15:53:58 +01:00
Galen Kistler	6fea614106	LogsTable: Inspect button fix (#115912 ) * fix: inspect button * chore: memoize component	2026-01-07 14:31:04 +00:00
antonio	c0c05a65fd	docs/alerting: add video to tutorial (#115675 )	2026-01-07 15:11:41 +01:00
Alexander Akhmetov	41ed2aeb23	Alerting: Display change message next to the rule version when exists (#115664 ) * Alerting: Display change message next to the rule version when exists * Alerting: Update version history tests for message field Updates test mocks and assertions to include message fields in version history data. Adds three message examples to the mock handler and updates test expectations to verify the Notes column displays correctly when messages are present or absent. --------- Co-authored-by: Konrad Lalik <konradlalik@gmail.com>	2026-01-07 15:06:41 +01:00
Johnny Kartheiser	9e9233051e	alerting docs: saved searches (#115524 ) * alerting docs: saved searches adds paragraph about saved searches functionality * typo and explainer details on default search option * image update	2026-01-07 08:03:38 -06:00
Ricardo Galeno	a5faedbe68	Explore: escape character of break-line in Traceql in Search tab fixing an issue when filtering by a multi line span tag value (#114672 ) * Explore: escape character of break-line in Traceql in Search tab * Explore: fix test for escape character of break-line in Traceql in Search tab	2026-01-07 13:31:29 +01:00
Alberto	6fee200327	Pyroscope: Exemplar support for series queries (#113926 ) * feat(pyroscope): Exemplar support for series queries use enum flag, add exemplar flag to explore disable exemplars on explore as well tests feature toggle fixing tests * resolve conflicts * lint	2026-01-07 13:25:42 +01:00
Alexander Zobnin	0b9046be15	Zanzana: Add more openfga settings for fine tuning (#115928 ) * Zanzana: Add more openfga settings for fine tuning * neat * refactor	2026-01-07 13:07:13 +01:00
Hugo Häggmark	20eeff3e7b	Plugins: add missing addedFunctions property in extensions (#115926 )	2026-01-07 13:05:38 +01:00
Will Browne	ec55871b9b	Plugins: Remove `pkg/tsdb/` as dependency (#115886 ) remove deps * singular * add rest * make update-workspace * undo go.mod changes	2026-01-07 11:28:25 +00:00
Pepe Cano	0bfcc55411	docs(alerting): new best practices guide (#115687 ) * Split best practices section * Write Examples and Guides docs * Move recording rule recommendations * docs(alerting): new best practices guide * fix vale errors * Detail meaning of alert `escalation` * Include the recovery threshold option * Include lower severity channels for infrastructure alerts * Remove timing options * minor intro edits * Rename heading to avoid gerunds	2026-01-07 12:05:58 +01:00
Tania	016301c304	OpenFeature: Rename provider from `goff` to `features-service` (#115895 ) * OpenFeature: Rename provider * Update other references to goff * Update pkg/services/featuremgmt/openfeature.go Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update pkg/services/featuremgmt/openfeature.go Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update pkg/services/featuremgmt/openfeature.go Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update pkg/services/featuremgmt/openfeature.go Co-authored-by: Dave Henderson <dave.henderson@grafana.com> --------- Co-authored-by: Dave Henderson <dave.henderson@grafana.com>	2026-01-07 12:04:30 +01:00
grafana-pr-automation[bot]	5e05289bc8	I18n: Download translations from Crowdin (#115913 ) New Crowdin translations by GitHub Action Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2026-01-07 10:32:13 +00:00
Marc M.	be734e970e	CustomVariable: support values with multiple properties (json values format) (#113844 ) * update Scenes libraries --------- Co-authored-by: idastambuk <ida.stambuk@grafana.com>	2026-01-07 11:01:03 +01:00
Ida Štambuk	05681efee3	Dynamic Dashboards: Show hidden variables greyed out (#115723 )	2026-01-07 09:48:50 +01:00
Stephanie Hingtgen	844a7332b9	Zanzana: Add orphan cleanup to reconciler (#115775 )	2026-01-06 23:19:25 +00:00