Refactor Watch method to implement batch event processing and authorization

- Integrated batch authorization checks using the authz package in List functions for IAM and SecureValue services, improving efficiency in permission validation.
- Updated List functions to handle pagination and authorization in a more streamlined manner, reducing redundant checks.
- Enhanced the server's List method to support batch authorization for resource listing, ensuring proper access control.
- Refactored related test cases to validate the new batch authorization logic and ensure comprehensive coverage of various scenarios.

apps/advisor/go.mod

@@ -69,12 +69,12 @@ require (
 	github.com/at-wat/mqtt-go v0.19.6 // indirect
 	github.com/aws/aws-sdk-go v1.55.7 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.40.0 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.21 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 // indirect
 	github.com/aws/smithy-go v1.23.2 // indirect
 	github.com/barkimedes/go-deepcopy v0.0.0-20220514131651-17c30cfc62df // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
@@ -162,14 +162,14 @@ require (
 	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 // indirect
-	github.com/grafana/grafana-aws-sdk v1.4.2 // indirect
+	github.com/grafana/grafana-aws-sdk v1.3.0 // indirect
 	github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1 // indirect
 	github.com/grafana/grafana/apps/provisioning v0.0.0 // indirect
 	github.com/grafana/grafana/pkg/apiserver v0.0.0 // indirect
 	github.com/grafana/grafana/pkg/semconv v0.0.0-20250804150913-990f1c69ecc2 // indirect
 	github.com/grafana/otel-profiling-go v0.5.1 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // indirect
-	github.com/grafana/sqlds/v5 v5.0.3 // indirect
+	github.com/grafana/sqlds/v4 v4.2.7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20191002090509-6af20e3a5340 // indirect

apps/advisor/go.sum

@@ -177,38 +177,38 @@ github.com/aws/aws-sdk-go-v2 v1.40.0 h1:/WMUA0kjhZExjOQN2z3oLALDREea1A7TobfuiBrK
 github.com/aws/aws-sdk-go-v2 v1.40.0/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 h1:12SpdwU8Djs+YGklkinSSlcrPyj3H4VifVsKf78KbwA=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11/go.mod h1:dd+Lkp6YmMryke+qxW/VnKyhMBDTYP41Q2Bb+6gNZgY=
-github.com/aws/aws-sdk-go-v2/config v1.31.17 h1:QFl8lL6RgakNK86vusim14P2k8BFSxjvUkcWLDjgz9Y=
-github.com/aws/aws-sdk-go-v2/config v1.31.17/go.mod h1:V8P7ILjp/Uef/aX8TjGk6OHZN6IKPM5YW6S78QnRD5c=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.21 h1:56HGpsgnmD+2/KpG0ikvvR8+3v3COCwaF4r+oWwOeNA=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.21/go.mod h1:3YELwedmQbw7cXNaII2Wywd+YY58AmLPwX4LzARgmmA=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk=
+github.com/aws/aws-sdk-go-v2/config v1.31.10 h1:7LllDZAegXU3yk41mwM6KcPu0wmjKGQB1bg99bNdQm4=
+github.com/aws/aws-sdk-go-v2/config v1.31.10/go.mod h1:Ge6gzXPjqu4v0oHvgAwvGzYcK921GU0hQM25WF/Kl+8=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.14 h1:TxkI7QI+sFkTItN/6cJuMZEIVMFXeu2dI1ZffkXngKI=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.14/go.mod h1:12x4Uw/vijC11XkctTjy92TNCQ+UnNJkT7fzX0Yd93E=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8 h1:gLD09eaJUdiszm7vd1btiQUYE0Hj+0I2b8AS+75z9AY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8/go.mod h1:4RW3oMPt1POR74qVOC4SbubxAwdP4pCT0nSw3jycOU4=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84 h1:cTXRdLkpBanlDwISl+5chq5ui1d1YWg4PWMR9c3kXyw=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84/go.mod h1:kwSy5X7tfIHN39uucmjQVs2LvDdXEjQucgQQEqCggEo=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 h1:PZHqQACxYb8mYgms4RZbhZG0a7dPW06xOjmaH0EJC/I=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14/go.mod h1:VymhrMJUWs69D8u0/lZ7jSB6WgaG/NqHi3gX0aYf6U0=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 h1:bOS19y6zlJwagBfHxs0ESzr1XCOU2KXJCWcq3E2vfjY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14/go.mod h1:1ipeGBMAxZ0xcTm6y6paC2C/J6f6OO7LBODV9afuAyM=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 h1:GMYy2EOWfzdP3wfVAGXBNKY5vK4K8vMET4sYOYltmqs=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36/go.mod h1:gDhdAV6wL3PmPqBhiPbnlS447GoWs8HTTOYef9/9Inw=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 h1:nAP2GYbfh8dd2zGZqFRSMlq+/F6cMPBUuCsGAMkN074=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4/go.mod h1:LT10DsiGjLWh4GbjInf9LQejkYEhBgBCjLG5+lvk4EE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 h1:M6JI2aGFEzYxsF6CXIuRBnkge9Wf9a2xU39rNeXgu10=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8/go.mod h1:Fw+MyTwlwjFsSTE31mH211Np+CUslml8mzc0AFEG09s=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 h1:qcLWgdhq45sDM9na4cvXax9dyLitn8EYBRl8Ak4XtG4=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17/go.mod h1:M+jkjBFZ2J6DJrjMv2+vkBbuht6kxJYtJiwoVgX4p4U=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0 h1:0reDqfEN+tB+sozj2r92Bep8MEwBZgtAXTND1Kk9OXg=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0/go.mod h1:kUklwasNoCn5YpyAqC/97r6dzTA1SRKJfKq16SXeoDU=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 h1:0JPwLz1J+5lEOfy/g0SURC9cxhbQ1lIMHMa+AHZSzz0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.1/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 h1:OWs0/j2UYR5LOGi88sD5/lhN6TDLG6SfA7CqsQO9zF0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 h1:mLlUgHn02ue8whiR4BmxxGJLR2gwU6s6ZzJ5wDamBUs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.39.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.4 h1:FTdEN9dtWPB0EOURNtDPmwGp6GGvMqRJCAihkSl/1No=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.4/go.mod h1:mYubxV9Ff42fZH4kexj43gFPhgc/LyC7KqvUKt1watc=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0 h1:I7ghctfGXrscr7r1Ga/mDqSJKm7Fkpl5Mwq79Z+rZqU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0/go.mod h1:Zo9id81XP6jbayIFWNuDpA6lMBWhsVy+3ou2jLa4JnA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 h1:+LVB0xBqEgjQoqr9bGZbRzvg212B0f17JdflleJRNR4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.5/go.mod h1:xoaxeqnnUaZjPjaICgIy5B+MHCSb/ZSOn4MvkFNOUA0=
 github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
 github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
@@ -637,8 +637,8 @@ github.com/grafana/grafana-app-sdk v0.48.7 h1:9mF7nqkqP0QUYYDlznoOt+GIyjzj45wGfU
 github.com/grafana/grafana-app-sdk v0.48.7/go.mod h1:DWsaaH39ZMHwSOSoUBaeW8paMrRaYsjRYlLwCJYd78k=
 github.com/grafana/grafana-app-sdk/logging v0.48.7 h1:Oa5qg473gka5+W/WQk61Xbw4YdAv+wV2Z4bJtzeCaQw=
 github.com/grafana/grafana-app-sdk/logging v0.48.7/go.mod h1:5u3KalezoBAAo2Y3ytDYDAIIPvEqFLLDSxeiK99QxDU=
-github.com/grafana/grafana-aws-sdk v1.4.2 h1:GrUEoLbs46r8rG/GZL4L2b63Bo+rkIYKdtCT7kT5KkM=
-github.com/grafana/grafana-aws-sdk v1.4.2/go.mod h1:1qnZdYs6gQzxxF0dDodaE7Rn9fiMzuhwvtaAZ7ySnhY=
+github.com/grafana/grafana-aws-sdk v1.3.0 h1:/bfJzP93rCel1GbWoRSq0oUo424MZXt8jAp2BK9w8tM=
+github.com/grafana/grafana-aws-sdk v1.3.0/go.mod h1:VGycF0JkCGKND2O5je1ucOqPJ0ZNhZYzV3c2bNBAaGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1 h1:FFcEA01tW+SmuJIuDbHOdgUBL+d7DPrZ2N4zwzPhfGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1/go.mod h1:Oi4anANlCuTCc66jCyqIzfVbgLXFll8Wja+Y4vfANlc=
 github.com/grafana/grafana-plugin-sdk-go v0.284.0 h1:1bK7eWsnPBLUWDcWJWe218Ik5ad0a5JpEL4mH9ry7Ws=
@@ -655,8 +655,8 @@ github.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasn
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
-github.com/grafana/sqlds/v5 v5.0.3 h1:+yUMUxfa0WANQsmS9xtTFSRX1Q55Iv1B9EjlrW4VlBU=
-github.com/grafana/sqlds/v5 v5.0.3/go.mod h1:GKeTTiC+GeR1X0z3f0Iee+hZnNgN62uQpj5XVMx5Uew=
+github.com/grafana/sqlds/v4 v4.2.7 h1:sFQhsS7DBakNMdxa++yOfJ9BVvkZwFJ0B95o57K0/XA=
+github.com/grafana/sqlds/v4 v4.2.7/go.mod h1:BQRjUG8rOqrBI4NAaeoWrIMuoNgfi8bdhCJ+5cgEfLU=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
 github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 h1:QGLs/O40yoNK9vmy4rhUGBVyMf1lISBGtXRpsu/Qu/o=

apps/dashboard/kinds/v2alpha1/dashboard_spec.cue

@@ -129,7 +129,7 @@ DashboardLink: {
 	placement?: DashboardLinkPlacement
 }
 
-// Dashboard Link placement. Defines where the link should be displayed.
+// Dashboard Link placement. Defines where the link should be displayed. 
 // - "inControlsMenu" renders the link in bottom part of the dashboard controls dropdown menu
 DashboardLinkPlacement: "inControlsMenu"
 
@@ -932,7 +932,6 @@ CustomVariableSpec: {
 	skipUrlSync:  bool | *false
 	description?: string
 	allowCustomValue: bool | *true
-	valuesFormat?: "csv" | "json"
 }
 
 // Custom variable kind

apps/dashboard/kinds/v2beta1/dashboard_spec.cue

@@ -935,7 +935,6 @@ CustomVariableSpec: {
 	skipUrlSync:  bool | *false
 	description?: string
 	allowCustomValue: bool | *true
-	valuesFormat?: "csv" | "json"
 }
 
 // Custom variable kind

apps/dashboard/pkg/apis/dashboard/v0alpha1/dashboard_kind.cue

@@ -222,10 +222,8 @@ lineage: schemas: [{
 			// Optional field, if you want to extract part of a series name or metric node segment.
 			// Named capture groups can be used to separate the display text and value.
 			regex?: string
-			// Optional, indicates whether a custom type variable uses CSV or JSON to define its values
-			valuesFormat?: "csv" | "json" | *"csv"
-			// Determine whether regex applies to variable value or display text
-			regexApplyTo?: #VariableRegexApplyTo
+      // Determine whether regex applies to variable value or display text
+      regexApplyTo?: #VariableRegexApplyTo
 			// Additional static options for query variable
 			staticOptions?: [...#VariableOption]
 			// Ordering of static options in relation to options returned from data source for query variable

apps/dashboard/pkg/apis/dashboard/v1beta1/dashboard_kind.cue

@@ -222,10 +222,8 @@ lineage: schemas: [{
 			// Optional field, if you want to extract part of a series name or metric node segment.
 			// Named capture groups can be used to separate the display text and value.
 			regex?: string
-			// Optional, indicates whether a custom type variable uses CSV or JSON to define its values
-			valuesFormat?: "csv" | "json" | *"csv"
-			// Determine whether regex applies to variable value or display text
-			regexApplyTo?: #VariableRegexApplyTo
+      // Determine whether regex applies to variable value or display text
+      regexApplyTo?: #VariableRegexApplyTo
 			// Additional static options for query variable
 			staticOptions?: [...#VariableOption]
 			// Ordering of static options in relation to options returned from data source for query variable

apps/dashboard/pkg/apis/dashboard/v2alpha1/dashboard_spec.cue

@@ -133,7 +133,7 @@ DashboardLink: {
 	placement?: DashboardLinkPlacement
 }
 
-// Dashboard Link placement. Defines where the link should be displayed.
+// Dashboard Link placement. Defines where the link should be displayed. 
 // - "inControlsMenu" renders the link in bottom part of the dashboard controls dropdown menu
 DashboardLinkPlacement: "inControlsMenu"
 
@@ -936,7 +936,6 @@ CustomVariableSpec: {
 	skipUrlSync:  bool | *false
 	description?: string
 	allowCustomValue: bool | *true
-	valuesFormat?: "csv" | "json"
 }
 
 // Custom variable kind

apps/dashboard/pkg/apis/dashboard/v2alpha1/dashboard_spec_gen.go

@@ -1703,19 +1703,18 @@ func NewDashboardCustomVariableKind() *DashboardCustomVariableKind {
 // Custom variable specification
 // +k8s:openapi-gen=true
 type DashboardCustomVariableSpec struct {
-	Name             string                                   `json:"name"`
-	Query            string                                   `json:"query"`
-	Current          DashboardVariableOption                  `json:"current"`
-	Options          []DashboardVariableOption                `json:"options"`
-	Multi            bool                                     `json:"multi"`
-	IncludeAll       bool                                     `json:"includeAll"`
-	AllValue         *string                                  `json:"allValue,omitempty"`
-	Label            *string                                  `json:"label,omitempty"`
-	Hide             DashboardVariableHide                    `json:"hide"`
-	SkipUrlSync      bool                                     `json:"skipUrlSync"`
-	Description      *string                                  `json:"description,omitempty"`
-	AllowCustomValue bool                                     `json:"allowCustomValue"`
-	ValuesFormat     *DashboardCustomVariableSpecValuesFormat `json:"valuesFormat,omitempty"`
+	Name             string                    `json:"name"`
+	Query            string                    `json:"query"`
+	Current          DashboardVariableOption   `json:"current"`
+	Options          []DashboardVariableOption `json:"options"`
+	Multi            bool                      `json:"multi"`
+	IncludeAll       bool                      `json:"includeAll"`
+	AllValue         *string                   `json:"allValue,omitempty"`
+	Label            *string                   `json:"label,omitempty"`
+	Hide             DashboardVariableHide     `json:"hide"`
+	SkipUrlSync      bool                      `json:"skipUrlSync"`
+	Description      *string                   `json:"description,omitempty"`
+	AllowCustomValue bool                      `json:"allowCustomValue"`
 }
 
 // NewDashboardCustomVariableSpec creates a new DashboardCustomVariableSpec object.
@@ -2099,14 +2098,6 @@ const (
 	DashboardQueryVariableSpecStaticOptionsOrderSorted DashboardQueryVariableSpecStaticOptionsOrder = "sorted"
 )
 
-// +k8s:openapi-gen=true
-type DashboardCustomVariableSpecValuesFormat string
-
-const (
-	DashboardCustomVariableSpecValuesFormatCsv  DashboardCustomVariableSpecValuesFormat = "csv"
-	DashboardCustomVariableSpecValuesFormatJson DashboardCustomVariableSpecValuesFormat = "json"
-)
-
 // +k8s:openapi-gen=true
 type DashboardPanelKindOrLibraryPanelKind struct {
 	PanelKind        *DashboardPanelKind        `json:"PanelKind,omitempty"`

apps/dashboard/pkg/apis/dashboard/v2alpha1/zz_generated.openapi.go

@@ -1548,12 +1548,6 @@ func schema_pkg_apis_dashboard_v2alpha1_DashboardCustomVariableSpec(ref common.R
 							Format:  "",
 						},
 					},
-					"valuesFormat": {
-						SchemaProps: spec.SchemaProps{
-							Type:   []string{"string"},
-							Format: "",
-						},
-					},
 				},
 				Required: []string{"name", "query", "current", "options", "multi", "includeAll", "hide", "skipUrlSync", "allowCustomValue"},
 			},

apps/dashboard/pkg/apis/dashboard/v2beta1/dashboard_spec.cue

@@ -939,7 +939,6 @@ CustomVariableSpec: {
 	skipUrlSync:  bool | *false
 	description?: string
 	allowCustomValue: bool | *true
-	valuesFormat?: "csv" | "json"
 }
 
 // Custom variable kind

apps/dashboard/pkg/apis/dashboard/v2beta1/dashboard_spec_gen.go

@@ -1707,19 +1707,18 @@ func NewDashboardCustomVariableKind() *DashboardCustomVariableKind {
 // Custom variable specification
 // +k8s:openapi-gen=true
 type DashboardCustomVariableSpec struct {
-	Name             string                                   `json:"name"`
-	Query            string                                   `json:"query"`
-	Current          DashboardVariableOption                  `json:"current"`
-	Options          []DashboardVariableOption                `json:"options"`
-	Multi            bool                                     `json:"multi"`
-	IncludeAll       bool                                     `json:"includeAll"`
-	AllValue         *string                                  `json:"allValue,omitempty"`
-	Label            *string                                  `json:"label,omitempty"`
-	Hide             DashboardVariableHide                    `json:"hide"`
-	SkipUrlSync      bool                                     `json:"skipUrlSync"`
-	Description      *string                                  `json:"description,omitempty"`
-	AllowCustomValue bool                                     `json:"allowCustomValue"`
-	ValuesFormat     *DashboardCustomVariableSpecValuesFormat `json:"valuesFormat,omitempty"`
+	Name             string                    `json:"name"`
+	Query            string                    `json:"query"`
+	Current          DashboardVariableOption   `json:"current"`
+	Options          []DashboardVariableOption `json:"options"`
+	Multi            bool                      `json:"multi"`
+	IncludeAll       bool                      `json:"includeAll"`
+	AllValue         *string                   `json:"allValue,omitempty"`
+	Label            *string                   `json:"label,omitempty"`
+	Hide             DashboardVariableHide     `json:"hide"`
+	SkipUrlSync      bool                      `json:"skipUrlSync"`
+	Description      *string                   `json:"description,omitempty"`
+	AllowCustomValue bool                      `json:"allowCustomValue"`
 }
 
 // NewDashboardCustomVariableSpec creates a new DashboardCustomVariableSpec object.
@@ -2134,14 +2133,6 @@ const (
 	DashboardQueryVariableSpecStaticOptionsOrderSorted DashboardQueryVariableSpecStaticOptionsOrder = "sorted"
 )
 
-// +k8s:openapi-gen=true
-type DashboardCustomVariableSpecValuesFormat string
-
-const (
-	DashboardCustomVariableSpecValuesFormatCsv  DashboardCustomVariableSpecValuesFormat = "csv"
-	DashboardCustomVariableSpecValuesFormatJson DashboardCustomVariableSpecValuesFormat = "json"
-)
-
 // +k8s:openapi-gen=true
 type DashboardPanelKindOrLibraryPanelKind struct {
 	PanelKind        *DashboardPanelKind        `json:"PanelKind,omitempty"`

apps/dashboard/pkg/apis/dashboard/v2beta1/zz_generated.openapi.go

@@ -1560,12 +1560,6 @@ func schema_pkg_apis_dashboard_v2beta1_DashboardCustomVariableSpec(ref common.Re
 							Format:  "",
 						},
 					},
-					"valuesFormat": {
-						SchemaProps: spec.SchemaProps{
-							Type:   []string{"string"},
-							Format: "",
-						},
-					},
 				},
 				Required: []string{"name", "query", "current", "options", "multi", "includeAll", "hide", "skipUrlSync", "allowCustomValue"},
 			},

apps/dashboard/pkg/migration/conversion/v1beta1_to_v2alpha1.go

@@ -1336,17 +1336,6 @@ func buildCustomVariable(varMap map[string]interface{}, commonProps CommonVariab
 		customVar.Spec.AllValue = &allValue
 	}
 
-	if valuesFormat := schemaversion.GetStringValue(varMap, "valuesFormat"); valuesFormat != "" {
-		switch valuesFormat {
-		case string(dashv2alpha1.DashboardCustomVariableSpecValuesFormatJson):
-			format := dashv2alpha1.DashboardCustomVariableSpecValuesFormatJson
-			customVar.Spec.ValuesFormat = &format
-		case string(dashv2alpha1.DashboardCustomVariableSpecValuesFormatCsv):
-			format := dashv2alpha1.DashboardCustomVariableSpecValuesFormatCsv
-			customVar.Spec.ValuesFormat = &format
-		}
-	}
-
 	return dashv2alpha1.DashboardVariableKind{
 		CustomVariableKind: customVar,
 	}, nil

apps/dashboard/pkg/migration/conversion/v2alpha1_to_v2beta1.go

@@ -685,7 +685,6 @@ func convertVariable_V2alpha1_to_V2beta1(in *dashv2alpha1.DashboardVariableKind,
 				SkipUrlSync:      in.CustomVariableKind.Spec.SkipUrlSync,
 				Description:      in.CustomVariableKind.Spec.Description,
 				AllowCustomValue: in.CustomVariableKind.Spec.AllowCustomValue,
-				ValuesFormat:     convertCustomValuesFormat_V2alpha1_to_V2beta1(in.CustomVariableKind.Spec.ValuesFormat),
 			},
 		}
 	}
@@ -759,23 +758,6 @@ func convertVariable_V2alpha1_to_V2beta1(in *dashv2alpha1.DashboardVariableKind,
 	return nil
 }
 
-func convertCustomValuesFormat_V2alpha1_to_V2beta1(in *dashv2alpha1.DashboardCustomVariableSpecValuesFormat) *dashv2beta1.DashboardCustomVariableSpecValuesFormat {
-	if in == nil {
-		return nil
-	}
-
-	switch *in {
-	case dashv2alpha1.DashboardCustomVariableSpecValuesFormatJson:
-		v := dashv2beta1.DashboardCustomVariableSpecValuesFormatJson
-		return &v
-	case dashv2alpha1.DashboardCustomVariableSpecValuesFormatCsv:
-		v := dashv2beta1.DashboardCustomVariableSpecValuesFormatCsv
-		return &v
-	default:
-		return nil
-	}
-}
-
 func convertQueryVariableSpec_V2alpha1_to_V2beta1(in *dashv2alpha1.DashboardQueryVariableSpec, out *dashv2beta1.DashboardQueryVariableSpec, scope conversion.Scope) error {
 	out.Name = in.Name
 	out.Current = convertVariableOption_V2alpha1_to_V2beta1(in.Current)

apps/iam/go.mod

@@ -108,22 +108,22 @@ require (
 	github.com/aws/aws-sdk-go v1.55.7 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.40.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.31.17 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.21 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.31.10 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.14 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 // indirect
 	github.com/aws/smithy-go v1.23.2 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/barkimedes/go-deepcopy v0.0.0-20220514131651-17c30cfc62df // indirect
@@ -229,7 +229,7 @@ require (
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 // indirect
-	github.com/grafana/grafana-aws-sdk v1.4.2 // indirect
+	github.com/grafana/grafana-aws-sdk v1.3.0 // indirect
 	github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1 // indirect
 	github.com/grafana/grafana-plugin-sdk-go v0.284.0 // indirect
 	github.com/grafana/grafana/apps/dashboard v0.0.0 // indirect
@@ -242,7 +242,7 @@ require (
 	github.com/grafana/otel-profiling-go v0.5.1 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // indirect
 	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
-	github.com/grafana/sqlds/v5 v5.0.3 // indirect
+	github.com/grafana/sqlds/v4 v4.2.7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect

apps/iam/go.sum

@@ -82,8 +82,8 @@ cloud.google.com/go/storage v1.55.0 h1:NESjdAToN9u1tmhVqhXCaCwYBuvEhZLLv0gBr+2zn
 cloud.google.com/go/storage v1.55.0/go.mod h1:ztSmTTwzsdXe5syLVS0YsbFxXuvEmEyZj7v7zChEmuY=
 cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4=
 cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI=
-connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
-connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
+connectrpc.com/connect v1.18.1 h1:PAg7CjSAGvscaf6YZKUefjoih5Z/qYkyaTrBW8xvYPw=
+connectrpc.com/connect v1.18.1/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819 h1:Zh+Ur3OsoWpvALHPLT45nOekHkgOt+IOfutBbPqM17I=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819/go.mod h1:WjmQxb+W6nVNCgj8nXrF24lIz95AHwnSl36tpjDZSU8=
 cuelang.org/go v0.11.1 h1:pV+49MX1mmvDm8Qh3Za3M786cty8VKPWzQ1Ho4gZRP0=
@@ -242,20 +242,20 @@ github.com/aws/aws-sdk-go-v2 v1.40.0 h1:/WMUA0kjhZExjOQN2z3oLALDREea1A7TobfuiBrK
 github.com/aws/aws-sdk-go-v2 v1.40.0/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 h1:12SpdwU8Djs+YGklkinSSlcrPyj3H4VifVsKf78KbwA=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11/go.mod h1:dd+Lkp6YmMryke+qxW/VnKyhMBDTYP41Q2Bb+6gNZgY=
-github.com/aws/aws-sdk-go-v2/config v1.31.17 h1:QFl8lL6RgakNK86vusim14P2k8BFSxjvUkcWLDjgz9Y=
-github.com/aws/aws-sdk-go-v2/config v1.31.17/go.mod h1:V8P7ILjp/Uef/aX8TjGk6OHZN6IKPM5YW6S78QnRD5c=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.21 h1:56HGpsgnmD+2/KpG0ikvvR8+3v3COCwaF4r+oWwOeNA=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.21/go.mod h1:3YELwedmQbw7cXNaII2Wywd+YY58AmLPwX4LzARgmmA=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk=
+github.com/aws/aws-sdk-go-v2/config v1.31.10 h1:7LllDZAegXU3yk41mwM6KcPu0wmjKGQB1bg99bNdQm4=
+github.com/aws/aws-sdk-go-v2/config v1.31.10/go.mod h1:Ge6gzXPjqu4v0oHvgAwvGzYcK921GU0hQM25WF/Kl+8=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.14 h1:TxkI7QI+sFkTItN/6cJuMZEIVMFXeu2dI1ZffkXngKI=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.14/go.mod h1:12x4Uw/vijC11XkctTjy92TNCQ+UnNJkT7fzX0Yd93E=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8 h1:gLD09eaJUdiszm7vd1btiQUYE0Hj+0I2b8AS+75z9AY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8/go.mod h1:4RW3oMPt1POR74qVOC4SbubxAwdP4pCT0nSw3jycOU4=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84 h1:cTXRdLkpBanlDwISl+5chq5ui1d1YWg4PWMR9c3kXyw=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84/go.mod h1:kwSy5X7tfIHN39uucmjQVs2LvDdXEjQucgQQEqCggEo=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 h1:PZHqQACxYb8mYgms4RZbhZG0a7dPW06xOjmaH0EJC/I=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14/go.mod h1:VymhrMJUWs69D8u0/lZ7jSB6WgaG/NqHi3gX0aYf6U0=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 h1:bOS19y6zlJwagBfHxs0ESzr1XCOU2KXJCWcq3E2vfjY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14/go.mod h1:1ipeGBMAxZ0xcTm6y6paC2C/J6f6OO7LBODV9afuAyM=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 h1:GMYy2EOWfzdP3wfVAGXBNKY5vK4K8vMET4sYOYltmqs=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36/go.mod h1:gDhdAV6wL3PmPqBhiPbnlS447GoWs8HTTOYef9/9Inw=
 github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.45.3 h1:Nn3qce+OHZuMj/edx4its32uxedAmquCDxtZkrdeiD4=
@@ -264,12 +264,12 @@ github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.51.0 h1:e5cbPZYTIY2nUEFie
 github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.51.0/go.mod h1:UseIHRfrm7PqeZo6fcTb6FUCXzCnh1KJbQbmOfxArGM=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.225.2 h1:IfMb3Ar8xEaWjgH/zeVHYD8izwJdQgRP5mKCTDt4GNk=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.225.2/go.mod h1:35jGWx7ECvCwTsApqicFYzZ7JFEnBc6oHUuOQ3xIS54=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 h1:nAP2GYbfh8dd2zGZqFRSMlq+/F6cMPBUuCsGAMkN074=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4/go.mod h1:LT10DsiGjLWh4GbjInf9LQejkYEhBgBCjLG5+lvk4EE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 h1:M6JI2aGFEzYxsF6CXIuRBnkge9Wf9a2xU39rNeXgu10=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8/go.mod h1:Fw+MyTwlwjFsSTE31mH211Np+CUslml8mzc0AFEG09s=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 h1:qcLWgdhq45sDM9na4cvXax9dyLitn8EYBRl8Ak4XtG4=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17/go.mod h1:M+jkjBFZ2J6DJrjMv2+vkBbuht6kxJYtJiwoVgX4p4U=
 github.com/aws/aws-sdk-go-v2/service/kms v1.41.2 h1:zJeUxFP7+XP52u23vrp4zMcVhShTWbNO8dHV6xCSvFo=
@@ -282,12 +282,12 @@ github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0 h1:0reDqfEN+tB+sozj2r92Bep8MEwBZ
 github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0/go.mod h1:kUklwasNoCn5YpyAqC/97r6dzTA1SRKJfKq16SXeoDU=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.40.1 h1:w6a0H79HrHf3lr+zrw+pSzR5B+caiQFAKiNHlrUcnoc=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.40.1/go.mod h1:c6Vg0BRiU7v0MVhHupw90RyL120QBwAMLbDCzptGeMk=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 h1:0JPwLz1J+5lEOfy/g0SURC9cxhbQ1lIMHMa+AHZSzz0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.1/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 h1:OWs0/j2UYR5LOGi88sD5/lhN6TDLG6SfA7CqsQO9zF0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 h1:mLlUgHn02ue8whiR4BmxxGJLR2gwU6s6ZzJ5wDamBUs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.39.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.4 h1:FTdEN9dtWPB0EOURNtDPmwGp6GGvMqRJCAihkSl/1No=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.4/go.mod h1:mYubxV9Ff42fZH4kexj43gFPhgc/LyC7KqvUKt1watc=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0 h1:I7ghctfGXrscr7r1Ga/mDqSJKm7Fkpl5Mwq79Z+rZqU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0/go.mod h1:Zo9id81XP6jbayIFWNuDpA6lMBWhsVy+3ou2jLa4JnA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 h1:+LVB0xBqEgjQoqr9bGZbRzvg212B0f17JdflleJRNR4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.5/go.mod h1:xoaxeqnnUaZjPjaICgIy5B+MHCSb/ZSOn4MvkFNOUA0=
 github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
 github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/axiomhq/hyperloglog v0.0.0-20240507144631-af9851f82b27 h1:60m4tnanN1ctzIu4V3bfCNJ39BiOPSm1gHFlFjTkRE0=
@@ -749,8 +749,6 @@ github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ=
 github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
 github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
-github.com/google/gnostic v0.7.1 h1:t5Kc7j/8kYr8t2u11rykRrPPovlEMG4+xdc/SpekATs=
-github.com/google/gnostic v0.7.1/go.mod h1:KSw6sxnxEBFM8jLPfJd46xZP+yQcfE8XkiqfZx5zR28=
 github.com/google/gnostic-models v0.7.1 h1:SisTfuFKJSKM5CPZkffwi6coztzzeYUhc3v4yxLWH8c=
 github.com/google/gnostic-models v0.7.1/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -855,8 +853,8 @@ github.com/grafana/grafana-app-sdk v0.48.7 h1:9mF7nqkqP0QUYYDlznoOt+GIyjzj45wGfU
 github.com/grafana/grafana-app-sdk v0.48.7/go.mod h1:DWsaaH39ZMHwSOSoUBaeW8paMrRaYsjRYlLwCJYd78k=
 github.com/grafana/grafana-app-sdk/logging v0.48.7 h1:Oa5qg473gka5+W/WQk61Xbw4YdAv+wV2Z4bJtzeCaQw=
 github.com/grafana/grafana-app-sdk/logging v0.48.7/go.mod h1:5u3KalezoBAAo2Y3ytDYDAIIPvEqFLLDSxeiK99QxDU=
-github.com/grafana/grafana-aws-sdk v1.4.2 h1:GrUEoLbs46r8rG/GZL4L2b63Bo+rkIYKdtCT7kT5KkM=
-github.com/grafana/grafana-aws-sdk v1.4.2/go.mod h1:1qnZdYs6gQzxxF0dDodaE7Rn9fiMzuhwvtaAZ7ySnhY=
+github.com/grafana/grafana-aws-sdk v1.3.0 h1:/bfJzP93rCel1GbWoRSq0oUo424MZXt8jAp2BK9w8tM=
+github.com/grafana/grafana-aws-sdk v1.3.0/go.mod h1:VGycF0JkCGKND2O5je1ucOqPJ0ZNhZYzV3c2bNBAaGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1 h1:FFcEA01tW+SmuJIuDbHOdgUBL+d7DPrZ2N4zwzPhfGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1/go.mod h1:Oi4anANlCuTCc66jCyqIzfVbgLXFll8Wja+Y4vfANlc=
 github.com/grafana/grafana-cloud-migration-snapshot v1.9.0 h1:JOzchPgptwJdruYoed7x28lFDwhzs7kssResYsnC0iI=
@@ -889,12 +887,12 @@ github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604
 github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604/go.mod h1:O/QP1BCm0HHIzbKvgMzqb5sSyH88rzkFk84F4TfJjBU=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasnuOY813tbMN8i/a3Og=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
-github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f h1:fTlIj5n4x5dU63XHItug7GLjtnaeJdPqBlqg4zlABq0=
-github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f/go.mod h1:VBNcIhunCZsJ3/mcYx+j7uFf0P/108eiWa+8+Z9ll3o=
+github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae h1:35W3Wjp9KWnSoV/DuymmyIj5aHE0CYlDQ5m2KeXUPAc=
+github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae/go.mod h1:6CJ1uXmLZ13ufpO9xE4pST+DyaBt0uszzrV0YnoaVLQ=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
-github.com/grafana/sqlds/v5 v5.0.3 h1:+yUMUxfa0WANQsmS9xtTFSRX1Q55Iv1B9EjlrW4VlBU=
-github.com/grafana/sqlds/v5 v5.0.3/go.mod h1:GKeTTiC+GeR1X0z3f0Iee+hZnNgN62uQpj5XVMx5Uew=
+github.com/grafana/sqlds/v4 v4.2.7 h1:sFQhsS7DBakNMdxa++yOfJ9BVvkZwFJ0B95o57K0/XA=
+github.com/grafana/sqlds/v4 v4.2.7/go.mod h1:BQRjUG8rOqrBI4NAaeoWrIMuoNgfi8bdhCJ+5cgEfLU=
 github.com/grafana/tempo v1.5.1-0.20250529124718-87c2dc380cec h1:wnzJov9RhSHGaTYGzTygL4qq986fLen8xSqnQgaMd28=
 github.com/grafana/tempo v1.5.1-0.20250529124718-87c2dc380cec/go.mod h1:j1IY7J2rUz7TcTjFVVx6HCpyTlYOJPtXuGRZ7sI+vSo=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=

apps/plugins/go.mod

@@ -31,12 +31,12 @@ require (
 	github.com/apache/arrow-go/v18 v18.4.1 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.40.0 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.21 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 // indirect
 	github.com/aws/smithy-go v1.23.2 // indirect
 	github.com/barkimedes/go-deepcopy v0.0.0-20220514131651-17c30cfc62df // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -97,14 +97,14 @@ require (
 	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // indirect
 	github.com/grafana/dataplane/sdata v0.0.9 // indirect
 	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 // indirect
-	github.com/grafana/grafana-aws-sdk v1.4.2 // indirect
+	github.com/grafana/grafana-aws-sdk v1.3.0 // indirect
 	github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1 // indirect
 	github.com/grafana/grafana-plugin-sdk-go v0.284.0 // indirect
 	github.com/grafana/grafana/pkg/apiserver v0.0.0 // indirect
 	github.com/grafana/grafana/pkg/semconv v0.0.0-20250804150913-990f1c69ecc2 // indirect
 	github.com/grafana/otel-profiling-go v0.5.1 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // indirect
-	github.com/grafana/sqlds/v5 v5.0.3 // indirect
+	github.com/grafana/sqlds/v4 v4.2.7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20191002090509-6af20e3a5340 // indirect

apps/plugins/go.sum

@@ -30,18 +30,18 @@ github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJ
 github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4=
 github.com/aws/aws-sdk-go-v2 v1.40.0 h1:/WMUA0kjhZExjOQN2z3oLALDREea1A7TobfuiBrKlwc=
 github.com/aws/aws-sdk-go-v2 v1.40.0/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.21 h1:56HGpsgnmD+2/KpG0ikvvR8+3v3COCwaF4r+oWwOeNA=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.21/go.mod h1:3YELwedmQbw7cXNaII2Wywd+YY58AmLPwX4LzARgmmA=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.14 h1:TxkI7QI+sFkTItN/6cJuMZEIVMFXeu2dI1ZffkXngKI=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.14/go.mod h1:12x4Uw/vijC11XkctTjy92TNCQ+UnNJkT7fzX0Yd93E=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 h1:PZHqQACxYb8mYgms4RZbhZG0a7dPW06xOjmaH0EJC/I=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14/go.mod h1:VymhrMJUWs69D8u0/lZ7jSB6WgaG/NqHi3gX0aYf6U0=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 h1:bOS19y6zlJwagBfHxs0ESzr1XCOU2KXJCWcq3E2vfjY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14/go.mod h1:1ipeGBMAxZ0xcTm6y6paC2C/J6f6OO7LBODV9afuAyM=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 h1:mLlUgHn02ue8whiR4BmxxGJLR2gwU6s6ZzJ5wDamBUs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.39.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 h1:M6JI2aGFEzYxsF6CXIuRBnkge9Wf9a2xU39rNeXgu10=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8/go.mod h1:Fw+MyTwlwjFsSTE31mH211Np+CUslml8mzc0AFEG09s=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 h1:+LVB0xBqEgjQoqr9bGZbRzvg212B0f17JdflleJRNR4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.5/go.mod h1:xoaxeqnnUaZjPjaICgIy5B+MHCSb/ZSOn4MvkFNOUA0=
 github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
 github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/barkimedes/go-deepcopy v0.0.0-20220514131651-17c30cfc62df h1:GSoSVRLoBaFpOOds6QyY1L8AX7uoY+Ln3BHc22W40X0=
@@ -229,8 +229,8 @@ github.com/grafana/grafana-app-sdk v0.48.7 h1:9mF7nqkqP0QUYYDlznoOt+GIyjzj45wGfU
 github.com/grafana/grafana-app-sdk v0.48.7/go.mod h1:DWsaaH39ZMHwSOSoUBaeW8paMrRaYsjRYlLwCJYd78k=
 github.com/grafana/grafana-app-sdk/logging v0.48.7 h1:Oa5qg473gka5+W/WQk61Xbw4YdAv+wV2Z4bJtzeCaQw=
 github.com/grafana/grafana-app-sdk/logging v0.48.7/go.mod h1:5u3KalezoBAAo2Y3ytDYDAIIPvEqFLLDSxeiK99QxDU=
-github.com/grafana/grafana-aws-sdk v1.4.2 h1:GrUEoLbs46r8rG/GZL4L2b63Bo+rkIYKdtCT7kT5KkM=
-github.com/grafana/grafana-aws-sdk v1.4.2/go.mod h1:1qnZdYs6gQzxxF0dDodaE7Rn9fiMzuhwvtaAZ7ySnhY=
+github.com/grafana/grafana-aws-sdk v1.3.0 h1:/bfJzP93rCel1GbWoRSq0oUo424MZXt8jAp2BK9w8tM=
+github.com/grafana/grafana-aws-sdk v1.3.0/go.mod h1:VGycF0JkCGKND2O5je1ucOqPJ0ZNhZYzV3c2bNBAaGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1 h1:FFcEA01tW+SmuJIuDbHOdgUBL+d7DPrZ2N4zwzPhfGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1/go.mod h1:Oi4anANlCuTCc66jCyqIzfVbgLXFll8Wja+Y4vfANlc=
 github.com/grafana/grafana-plugin-sdk-go v0.284.0 h1:1bK7eWsnPBLUWDcWJWe218Ik5ad0a5JpEL4mH9ry7Ws=
@@ -243,8 +243,8 @@ github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604
 github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604/go.mod h1:O/QP1BCm0HHIzbKvgMzqb5sSyH88rzkFk84F4TfJjBU=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasnuOY813tbMN8i/a3Og=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
-github.com/grafana/sqlds/v5 v5.0.3 h1:+yUMUxfa0WANQsmS9xtTFSRX1Q55Iv1B9EjlrW4VlBU=
-github.com/grafana/sqlds/v5 v5.0.3/go.mod h1:GKeTTiC+GeR1X0z3f0Iee+hZnNgN62uQpj5XVMx5Uew=
+github.com/grafana/sqlds/v4 v4.2.7 h1:sFQhsS7DBakNMdxa++yOfJ9BVvkZwFJ0B95o57K0/XA=
+github.com/grafana/sqlds/v4 v4.2.7/go.mod h1:BQRjUG8rOqrBI4NAaeoWrIMuoNgfi8bdhCJ+5cgEfLU=
 github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 h1:QGLs/O40yoNK9vmy4rhUGBVyMf1lISBGtXRpsu/Qu/o=
 github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0/go.mod h1:hM2alZsMUni80N33RBe6J0e423LB+odMj7d3EMP9l20=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 h1:B+8ClL/kCQkRiU82d9xajRPKYMrB7E0MbtzWVi1K4ns=

apps/plugins/kinds/meta.cue

@@ -217,13 +217,6 @@ metaV0Alpha1: {
 		title:        string
 		description?: string
 	}]
-	// +listType=atomic
-	addedFunctions?: [...{
-		// +listType=set
-		targets: [...string]
-		title:        string
-		description?: string
-	}]
 	// +listType=set
 	// +listMapKey=id
 	exposedComponents?: [...{

apps/plugins/pkg/apis/plugins/v0alpha1/meta_spec_gen.go

@@ -193,8 +193,6 @@ type MetaExtensions struct {
 	AddedComponents []MetaV0alpha1ExtensionsAddedComponents `json:"addedComponents,omitempty"`
 	// +listType=atomic
 	AddedLinks []MetaV0alpha1ExtensionsAddedLinks `json:"addedLinks,omitempty"`
-	// +listType=atomic
-	AddedFunctions []MetaV0alpha1ExtensionsAddedFunctions `json:"addedFunctions,omitempty"`
 	// +listType=set
 	// +listMapKey=id
 	ExposedComponents []MetaV0alpha1ExtensionsExposedComponents `json:"exposedComponents,omitempty"`
@@ -398,21 +396,6 @@ func NewMetaV0alpha1ExtensionsAddedLinks() *MetaV0alpha1ExtensionsAddedLinks {
 	}
 }
 
-// +k8s:openapi-gen=true
-type MetaV0alpha1ExtensionsAddedFunctions struct {
-	// +listType=set
-	Targets     []string `json:"targets"`
-	Title       string   `json:"title"`
-	Description *string  `json:"description,omitempty"`
-}
-
-// NewMetaV0alpha1ExtensionsAddedFunctions creates a new MetaV0alpha1ExtensionsAddedFunctions object.
-func NewMetaV0alpha1ExtensionsAddedFunctions() *MetaV0alpha1ExtensionsAddedFunctions {
-	return &MetaV0alpha1ExtensionsAddedFunctions{
-		Targets: []string{},
-	}
-}
-
 // +k8s:openapi-gen=true
 type MetaV0alpha1ExtensionsExposedComponents struct {
 	Id          string  `json:"id"`

apps/plugins/pkg/app/meta/converter.go

@@ -367,8 +367,7 @@ func jsonDataToMetaJSONData(jsonData plugins.JSONData) pluginsv0alpha1.MetaJSOND
 
 	// Map Extensions
 	if len(jsonData.Extensions.AddedLinks) > 0 || len(jsonData.Extensions.AddedComponents) > 0 ||
-		len(jsonData.Extensions.ExposedComponents) > 0 || len(jsonData.Extensions.ExtensionPoints) > 0 ||
-		len(jsonData.Extensions.AddedFunctions) > 0 {
+		len(jsonData.Extensions.ExposedComponents) > 0 || len(jsonData.Extensions.ExtensionPoints) > 0 {
 		extensions := &pluginsv0alpha1.MetaExtensions{}
 
 		if len(jsonData.Extensions.AddedLinks) > 0 {
@@ -399,20 +398,6 @@ func jsonDataToMetaJSONData(jsonData plugins.JSONData) pluginsv0alpha1.MetaJSOND
 			}
 		}
 
-		if len(jsonData.Extensions.AddedFunctions) > 0 {
-			extensions.AddedFunctions = make([]pluginsv0alpha1.MetaV0alpha1ExtensionsAddedFunctions, 0, len(jsonData.Extensions.AddedFunctions))
-			for _, comp := range jsonData.Extensions.AddedFunctions {
-				v0Comp := pluginsv0alpha1.MetaV0alpha1ExtensionsAddedFunctions{
-					Targets: comp.Targets,
-					Title:   comp.Title,
-				}
-				if comp.Description != "" {
-					v0Comp.Description = &comp.Description
-				}
-				extensions.AddedFunctions = append(extensions.AddedFunctions, v0Comp)
-			}
-		}
-
 		if len(jsonData.Extensions.ExposedComponents) > 0 {
 			extensions.ExposedComponents = make([]pluginsv0alpha1.MetaV0alpha1ExtensionsExposedComponents, 0, len(jsonData.Extensions.ExposedComponents))
 			for _, comp := range jsonData.Extensions.ExposedComponents {

docs/sources/administration/provisioning/index.md

@@ -428,25 +428,12 @@ Or using a Kubernetes format, for example `kubernetes-dashboard.json`:
 
 You _must_ use the Kubernetes resource format to provision dashboards v2 / dynamic dashboards.
 
+It later polls that path every `updateIntervalSeconds` for updates to the dashboard files and updates its database.
+
 {{< admonition type="note" >}}
 Grafana installs dashboards at the root level if you don't set the `folder` field.
 {{< /admonition >}}
 
-#### Detect updates to provisioned dashboards files
-
-After Grafana provisions your dashboards, it checks the filesystem for changes and updates dashboards as needed.
-
-The mechanism Grafana uses to do this depends on your `updateIntervalSeconds` value:
-
-- **More than 10 seconds**: Grafana polls the path at that interval.
-- **10 seconds or less**: Grafana watches the filesystem for changes and updates dashboards when it detects them.
-
-{{< admonition type="note" >}}
-When `updateIntervalSeconds` is 10 or less, Grafana relies on filesystem watch events to detect changes.
-Depending on your filesystem and how you mount or sync dashboard files (for example, Docker bind mounts or some network filesystems), those events might not reach Grafana.
-To work around this, set `updateIntervalSeconds` to more than 10 to force polling, or update your setup so filesystem watch events are propagated.
-{{< /admonition >}}
-
 #### Make changes to a provisioned dashboard
 
 You can make changes to a provisioned dashboard in the Grafana UI but its not possible to automatically save the changes back to the provisioning source.

docs/sources/alerting/alerting-rules/create-recording-rules/_index.md

@@ -48,14 +48,6 @@ Recording rules can be helpful in various scenarios, such as:
 
 The evaluation group of the recording rule determines how often the metric is pre-computed.
 
-## Recommendations
-
-- **Use frequent evaluation intervals**. Set frequent evaluation intervals for recording rules. Long intervals, such as an hour, can cause the recorded metric to be stale and lead to misaligned alert rule evaluations, especially when combined with a long pending period.
-- **Align alert evaluation with recording frequency**. The evaluation interval of an alert rule that depends on a recorded metric should be aligned with the recording rule's interval. If a recording rule runs every 3 minutes, the alert rule should also be evaluated at a similar frequency to ensure it acts on fresh data.
-- **Use `_over_time` functions for instant queries**. Since all alert rules are ultimately executed as an instant query, you can use functions like `max_over_time(my_metric[5m])` as an instant query. This allows you to get an aggregated value over a period without using a range query and a reduce expression.
-
-## Types of recording rules
-
 Similar to alert rules, Grafana supports two types of recording rules:
 
 1. [Grafana-managed recording rules](ref:grafana-managed-recording-rules), which can query any Grafana data source supported by alerting. It's the recommended option.

docs/sources/alerting/best-practices/_index.md

@@ -0,0 +1,57 @@
+---
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/
+description: This section provides a set of guides for useful alerting practices and recommendations
+keywords:
+  - grafana
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Best practices
+title: Grafana Alerting best practices
+weight: 170
+---
+
+# Grafana Alerting best practices
+
+This section provides a set of guides and examples of best practices for Grafana Alerting. Here you can learn more about how to handle common alert management problems and you can see examples of more advanced usage of Grafana Alerting.
+
+{{< section >}}
+
+Designing and configuring an alert management set up that works takes time. Here are some additional tips on how to create an effective alert management set up:
+
+{{< shared id="alert-planning-fundamentals" >}}
+
+**Which are the key metrics for your business that you want to monitor and alert on?**
+
+- Find events that are important to know about and not so trivial or frequent that recipients ignore them.
+- Alerts should only be created for big events that require immediate attention or intervention.
+- Consider quality over quantity.
+
+**How do you want to organize your alerts and notifications?**
+
+- Be selective about who you set to receive alerts. Consider sending them to the right teams, whoever is on call, and the specific channels.
+- Think carefully about priority and severity levels.
+- Automate as far as possible provisioning Alerting resources with the API or Terraform.
+
+**Which information should you include in notifications?**
+
+- Consider who the alert receivers and responders are.
+- Share information that helps responders identify and address potential issues.
+- Link alerts to dashboards to guide responders on which data to investigate.
+
+**How can you reduce alert fatigue?**
+
+- Avoid noisy, unnecessary alerts by using silences, mute timings, or pausing alert rule evaluation.
+- Continually tune your alert rules to review effectiveness. Remove alert rules to avoid duplication or ineffective alerts.
+- Continually review your thresholds and evaluation rules.
+
+**How should you configure recording rules?**
+
+- Use frequent evaluation intervals. It is recommended to set a frequent evaluation interval for recording rules. Long intervals, such as an hour, can cause the recorded metric to be stale and lead to misaligned alert rule evaluations, especially when combined with a long pending period.
+- Understand query types. Grafana Alerting uses both **Instant** and **Range** queries. Instant queries fetch a single data point, while Range queries fetch a series of data points over time. When using a Range query in an alert condition, you must use a Reduce expression to aggregate the series into a single value.
+- Align alert evaluation with recording frequency. The evaluation interval of an alert rule that depends on a recorded metric should be aligned with the recording rule's interval. If a recording rule runs every 3 minutes, the alert rule should also be evaluated at a similar frequency to ensure it acts on fresh data.
+- Use `_over_time` functions for instant queries. Since all alert rules are ultimately executed as an instant query, you can use functions like `max_over_time(my_metric[1h])` as an instant query. This allows you to get an aggregated value over a period without using a range query and a reduce expression.
+
+{{< /shared >}}

docs/sources/alerting/best-practices/connectivity-errors.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/connectivity-errors/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/connectivity-errors/
-canonical: https://grafana.com/docs/grafana/latest/alerting/guides/connectivity-errors/
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/connectivity-errors/
 description: Learn how to detect and handle connectivity issues in alerts using Prometheus, Grafana Alerting, or both.
 keywords:
   - grafana
@@ -16,7 +14,7 @@ labels:
     - oss
 menuTitle: Handle connectivity errors
 title: Handle connectivity errors in alerts
-weight: 1020
+weight: 1010
 refs:
   pending-period:
     - pattern: /docs/grafana/

docs/sources/alerting/best-practices/dynamic-labels.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/dynamic-labels/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/dynamic-labels/
-canonical: https://grafana.com/docs/grafana/latest/alerting/examples/dynamic-labels
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/dynamic-labels
 description: This example shows how to define dynamic labels based on query values, along with important behavior to keep in mind when using them.
 keywords:
   - grafana
@@ -12,7 +10,7 @@ labels:
     - cloud
     - enterprise
     - oss
-menuTitle: Dynamic labels
+menuTitle: Examples of dynamic labels
 title: Example of dynamic labels in alert instances
 weight: 1104
 refs:

docs/sources/alerting/best-practices/dynamic-thresholds.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/dynamic-thresholds/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/dynamic-thresholds/
-canonical: https://grafana.com/docs/grafana/latest/alerting/examples/dynamic-thresholds
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/dynamic-thresholds
 description: This example shows how to use a distinct threshold value per dimension using multi-dimensional alerts and a Math expression.
 keywords:
   - grafana
@@ -12,7 +10,7 @@ labels:
     - cloud
     - enterprise
     - oss
-menuTitle: Dynamic thresholds
+menuTitle: Examples of dynamic thresholds
 title: Example of dynamic thresholds per dimension
 weight: 1105
 refs:

docs/sources/alerting/best-practices/high-cardinality-alerts.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/high-cardinality-alerts/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/high-cardinality-alerts/
-canonical: https://grafana.com/docs/grafana/latest/alerting/examples/high-cardinality-alerts/
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/high-cardinality-alerts/
 description: Learn how to detect and alert on high-cardinality metrics that can overload your metrics backend and increase observability costs.
 keywords:
   - grafana
@@ -10,7 +8,7 @@ labels:
     - cloud
     - enterprise
     - oss
-menuTitle: High-cardinality alerts
+menuTitle: Examples of high-cardinality alerts
 title: Examples of high-cardinality alerts
 weight: 1105
 refs:

docs/sources/alerting/best-practices/missing-data.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/missing-data/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/missing-data/
-canonical: https://grafana.com/docs/grafana/latest/alerting/guides/missing-data/
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/missing-data/
 description: Learn how to detect missing metrics and design alerts that handle gaps in data in Prometheus and Grafana Alerting.
 keywords:
   - grafana
@@ -16,7 +14,7 @@ labels:
     - oss
 menuTitle: Handle missing data
 title: Handle missing data in Grafana Alerting
-weight: 1030
+weight: 1020
 refs:
   connectivity-errors-guide:
     - pattern: /docs/grafana/

docs/sources/alerting/best-practices/multi-dimensional-alerts.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/multi-dimensional-alerts/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/multi-dimensional-alerts/
-canonical: https://grafana.com/docs/grafana/latest/alerting/examples/multi-dimensional-alerts/
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/multi-dimensional-alerts/
 description: This example shows how a single alert rule can generate multiple alert instances using time series data.
 keywords:
   - grafana
@@ -10,7 +8,7 @@ labels:
     - cloud
     - enterprise
     - oss
-menuTitle: Multi-dimensional alerts
+menuTitle: Examples of multi-dimensional alerts
 title: Example of multi-dimensional alerts on time series data
 weight: 1101
 refs:

docs/sources/alerting/best-practices/table-data.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/table-data/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/table-data/
-canonical: https://grafana.com/docs/grafana/latest/alerting/examples/table-data
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/table-data
 description: This example shows how to create an alert rule using table data.
 keywords:
   - grafana
@@ -10,7 +8,7 @@ labels:
     - cloud
     - enterprise
     - oss
-menuTitle: Table data
+menuTitle: Examples of table data
 title: Example of alerting on tabular data
 weight: 1102
 refs:

docs/sources/alerting/best-practices/trace-based-alerts.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/trace-based-alerts/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/trace-based-alerts/
-canonical: https://grafana.com/docs/grafana/latest/alerting/examples/trace-based-alerts/
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/trace-based-alerts/
 description: This guide provides introductory examples and distinct approaches for setting up trace-based alerts in Grafana.
 keywords:
   - grafana
@@ -10,7 +8,7 @@ labels:
     - cloud
     - enterprise
     - oss
-title: Trace-based alerts
+title: Examples of trace-based alerts
 weight: 1103
 refs:
   testdata-data-source:

docs/sources/alerting/best-practices/tutorials.md

@@ -1,7 +1,5 @@
 ---
-aliases:
-  - ../best-practices/tutorials/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/tutorials/
-canonical: https://grafana.com/docs/grafana/latest/alerting/examples/tutorials/
+canonical: https://grafana.com/docs/grafana/latest/alerting/best-practices/tutorials/
 description: This section provides a set of step-by-step tutorials guides to get started with Grafana Aletings.
 keywords:
   - grafana

docs/sources/alerting/examples/_index.md

@@ -1,22 +0,0 @@
----
-canonical: https://grafana.com/docs/grafana/latest/alerting/examples/
-description: This section provides a set of guides for useful alerting practices and recommendations
-keywords:
-  - grafana
-labels:
-  products:
-    - cloud
-    - enterprise
-    - oss
-menuTitle: Examples
-title: Examples
-weight: 180
----
-
-# Examples
-
-This section provides practical examples that show how to work with different types of alerting data, apply alert design patterns, reuse alert logic, and take advantage of specific Grafana Alerting features.
-
-This section includes:
-
-{{< section >}}

docs/sources/alerting/guides/_index.md

@@ -1,35 +0,0 @@
----
-canonical: https://grafana.com/docs/grafana/latest/alerting/guides/
-description: This section provides a set of guides for useful alerting practices and recommendations
-keywords:
-  - grafana
-labels:
-  products:
-    - cloud
-    - enterprise
-    - oss
-menuTitle: Guides
-title: Guides
-weight: 170
-refs:
-  examples:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/examples/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/examples/
-  tutorials:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/examples/tutorials/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/examples/tutorials/
----
-
-# Guides
-
-Guides in the Grafana Alerting documentation provide best practices and practical recommendations to help you move from a basic alerting setup to real-world use cases.
-
-These guides cover topics such as:
-
-{{< section >}}
-
-For more hands-on examples, refer to [Examples](ref:examples) and [Tutorials](ref:tutorials).

docs/sources/alerting/guides/best-practices.md

@@ -1,201 +0,0 @@
----
-aliases:
-  - ../best-practices/ # /docs/grafana/<GRAFANA_VERSION>/alerting/best-practices/
-canonical: https://grafana.com/docs/grafana/latest/alerting/guides/best-practices/
-description: Designing and configuring an effective alerting system takes time. This guide focuses on building alerting systems that scale with real-world operations.
-keywords:
-  - grafana
-  - alerting
-  - guide
-labels:
-  products:
-    - cloud
-    - enterprise
-    - oss
-menuTitle: Best practices
-title: Best practices
-weight: 1010
-refs:
-  recovery-threshold:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rules/queries-conditions/#recovery-threshold
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/fundamentals/alert-rules/queries-conditions/#recovery-threshold
-  keep-firing-for:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rule-evaluation/#keep-firing-for
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/fundamentals/alert-rule-evaluation/#keep-firing-for
-  pending-period:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rule-evaluation/#pending-period
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/fundamentals/alert-rule-evaluation/#pending-period
-  silences:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/configure-notifications/create-silence/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/configure-notifications/create-silence/
-  timing-options:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/notifications/group-alert-notifications/#timing-options
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/fundamentals/notifications/group-alert-notifications/#timing-options
-  group-alert-notifications:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/notifications/group-alert-notifications/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/fundamentals/notifications/group-alert-notifications/
-  notification-policies:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/notifications/notification-policies/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/fundamentals/notifications/notification-policies/
-  annotations:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rules/annotation-label/#annotations
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/fundamentals/alert-rules/annotation-label/#annotations
-  multi-dimensional-alerts:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/examples/multi-dimensional-alerts/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/examples/multi-dimensional-alerts/
----
-
-# Alerting best practices
-
-Designing and configuring an effective alerting system takes time. This guide focuses on building alerting systems that scale with real-world operations.
-
-The practices described here are intentionally high-level and apply regardless of tooling. Whether you use Prometheus, Grafana Alerting, or another stack, the same constraints apply: complex systems, imperfect signals, and humans on call.
-
-Alerting is never finished. It evolves with incidents, organizational changes, and the systems it’s meant to protect.
-
-{{< shared id="alert-planning-fundamentals" >}}
-
-## Prioritize symptoms, but don’t ignore infrastructure signals
-
-Alerts should primarily detect user-facing failures, not internal component behavior. Users don't care that a pod restarted; they care when the application is slow or failing. Symptom-based alerts tie directly to user impact.
-
-Reliability metrics that impact users—latency, errors, availability—are better paging signals than infrastructure events or internal errors.
-
-That said, infrastructure signals still matter. They can act as early warning indicators and are often useful when alerting maturity is low. A sustained spike in CPU or memory usage might not justify a page, but it can help explain or anticipate symptom-based failures.
-
-Infrastructure alerts tend to be noisy and are often ignored when treated like paging signals. They are usually better suited for lower-severity channels such as dashboards, alert lists, or non-paging destinations like a dedicated Slack channel, where they can be monitored without interrupting on-call.
-
-The key is balance as your alerting matures. Use infrastructure alerts to support diagnosis and prevention, not as a replacement for symptom-based alerts.
-
-## Escalate priority based on confidence
-
-Alert priority is often tied to user impact and the urgency to respond, but confidence should determine when escalation is necessary.
-
-In this context, escalation defines how responders are notified as confidence grows. This can include increasing alert priority, widening notification, paging additional responders, or opening an incident once intervention is clearly required.
-
-Early signals are often ambiguous, and confidence in a non-transient failure is usually low. Paging too early creates noise; paging too late means users are impacted for longer before anyone acts. A small or sudden increase in latency may not justify immediate action, but it can indicate a failure in progress.
-
-Confidence increases as signals become stronger or begin to correlate.
-
-Escalation is justified when issues are sustained or reinforced by multiple signals. For example, high latency combined with a rising error rate, or the same event firing over a sustained period. These patterns reduce the chance of transient noise and increase the likelihood of real impact.
-
-Use confidence in user impact to drive escalation and avoid unnecessary pages.
-
-## Scope alerts for scalability and actionability
-
-In distributed systems, avoid creating separate alert rules for every host, service, or endpoint. Instead, define alert rules that scale automatically using [multi-dimensional alert rules](ref:multi-dimensional-alerts). This reduces rule duplication and allows alerting to scale as the system grows.
-
-Start simple. Default to a single dimension such as `service` or `endpoint` to keep alerts manageable. Add dimensions only when they improve actionability. For example, when missing a dimension like `region` hides failures or doesn't provide enough information to act quickly.
-
-Additional dimensions like `region` or `instance` can help identify the root cause, but more isn't always better.
-
-## Design alerts for first responders and clear actions
-
-Alerts should be designed for the first responder, not the person who created the alert. Anyone on call should be able to understand what's wrong and what to do next without deep knowledge of the system or alert configuration.
-
-Avoid vague alerts that force responders to spend time figuring out context. Every alert should clearly explain why it exists, what triggered it, and how to investigate. Use [annotations](ref:annotations) to link to relevant dashboards and runbooks, which are essential for faster resolution.
-
-Alerts should indicate a real problem and be actionable, even if the impact is low. Informational alerts add noise without improving reliability.
-
-If no action is possible, it shouldn't be an alert—consider using a dashboard instead. Over time, alerts behave like technical debt: easy to create, costly to maintain, and hard to remove.
-
-Review alerts often and remove those that don’t lead to action.
-
-## Alerts should have an owner and system scope
-
-Alerts without ownership are often ignored. Every alert must have an owner: a team responsible for maintaining the alert and responding when it fires.
-
-Alerts must also define a system scope, such as a service or infrastructure component. Scope provides organizational context and connects alerts with ownership. Defining clear scopes is easier when services are treated as first-class entities, and organizations are built around service ownership.
-
-> [Service Center in Grafana Cloud](/docs/grafana-cloud/alerting-and-irm/service-center/) can help operate a service-oriented view of your system and align alert scope with ownership.
-
-After scope, ownership, and alert priority are defined, routing determines where alerts go and how they escalate. **Notification routing is as important as the alerts**.
-
-Alerts should be delivered to the right team and channel based on priority, ownership, and team workflows. Use [notification policies](ref:notification-policies) to define a routing tree that matches the context of your service or scope:
-
-- Define a parent policy for default routing within the scope.
-- Define nested policies for specific cases or higher-priority issues.
-
-## Prevent notification overload with alert grouping
-
-Without alert grouping, responders can receive many notifications for the same underlying problem.
-
-For example, a database failure can trigger several alerts at the same time like increased latency, higher error rates, and internal errors. Paging separately for each symptom quickly turns into notification spam, even though there is a single root cause.
-
-[Notification grouping](ref:group-alert-notifications) consolidates related alerts into a single notification. Instead of receiving multiple pages for the same issue, responders get one alert that represents the incident and includes all related firing alerts.
-
-Grouping should follow operational boundaries such as service or owner, as defined by notification policies. Downstream or cascading failures should be grouped together so they surface as one issue rather than many.
-
-## Mitigate flapping alerts
-
-Short-lived failure spikes often trigger alerts that auto-resolve quickly. Alerting on transient failures creates noise and leads responders to ignore them.
-
-Require issues to persist before alerting. Set a [pending period](ref:pending-period) to define how long a condition must remain true before firing. For example, instead of alerting immediately on high error rate, require it to stay above the threshold for some minutes.
-
-Also, stabilize alerts by tuning query ranges and aggregations. Using raw data makes alerts sensitive to noise. Instead, evaluate over a time window and aggregate the data to smooth short spikes.
-
-```promql
-# Reacts to transient spikes. Avoid this.
-cpu_usage > 90
-
-# Smooth fluctuations.
-avg_over_time(cpu_usage[5m]) > 90
-```
-
-For latency and error-based alerts, percentiles are often more useful than averages:
-
-```promql
-quantile_over_time(0.95, http_duration_seconds[5m]) > 3
-```
-
-Finally, avoid rapid resolve-and-fire notifications by using [`keep_firing_for`](ref:keep-firing-for) or [recovery thresholds](ref:recovery-threshold) to keep alerts active briefly during recovery. Both options reduce flapping and unnecessary notifications.
-
-## Graduate symptom-based alerts into SLOs
-
-When a symptom-based alert fires frequently, it usually indicates a reliability concern that should be measured and managed more deliberately. This is often a sign that the alert could evolve into an [SLO](/docs/grafana-cloud/alerting-and-irm/slo/).
-
-Traditional alerts create pressure to react immediately, while error budgets introduce a buffer of time to act, changing how urgency is handled. Alerts can then be defined in terms of error budget burn rate rather than reacting to every minor deviation.
-
-SLOs also align distinct teams around common reliability goals by providing a shared definition of what "good" looks like. They help consolidate multiple symptom alerts into a single user-facing objective.
-
-For example, instead of several teams alerting on high latency, a single SLO can be used across teams to capture overall API performance.
-
-## Integrate alerting into incident post-mortems
-
-Every incident is an opportunity to improve alerting. After each incident, evaluate whether alerts helped responders act quickly or added unnecessary noise.
-
-Assess which alerts fired, and how they influenced incident response. Review whether alerts triggered too late, too early, or without enough context, and adjust thresholds, priority, or escalation based on what actually happened.
-
-Use [silences](ref:silences) during active incidents to reduce repeated notifications, but scope them carefully to avoid silencing unrelated alerts.
-
-Post-mortems should evaluate alerts with root causes and lessons learned. If responders lacked key information during the incident, enrich alerts with additional context, dashboards, or better guidance.
-
-## Alerts should be continuously improved
-
-Alerting is an iterative process. Alerts that aren’t reviewed and refined lose effectiveness as systems and traffic patterns change.
-
-Schedule regular reviews of existing alerts. Remove alerts that don’t lead to action, and tune alerts or thresholds that fire too often without providing useful signal. Reduce false positives to combat alert fatigue.
-
-Prioritize clarity and simplicity in alert design. Simpler alerts are easier to understand, maintain, and trust under pressure. Favor fewer high-quality, actionable alerts over a large number of low-value ones.
-
-Use dashboards and observability tools for investigation, not alerts.
-
-{{< /shared >}}

e2e-playwright/dashboard-new-layouts/dashboards-edit-variables.spec.ts

@@ -1,6 +1,6 @@
 import { test, expect } from '@grafana/plugin-e2e';
 
-import { flows, saveDashboard, type Variable } from './utils';
+import { flows, type Variable } from './utils';
 
 test.use({
   featureToggles: {
@@ -64,7 +64,20 @@ test.describe(
         label: 'VariableUnderTest',
       };
 
-      await flows.addNewTextBoxVariable(dashboardPage, variable);
+      // common steps to add a new variable
+      await flows.newEditPaneVariableClick(dashboardPage, selectors);
+      await flows.newEditPanelCommonVariableInputs(dashboardPage, selectors, variable);
+
+      // set the textbox variable value
+      const type = 'variable-type Value';
+      const fieldLabel = dashboardPage.getByGrafanaSelector(
+        selectors.components.PanelEditor.OptionsPane.fieldLabel(type)
+      );
+      await expect(fieldLabel).toBeVisible();
+      const inputField = fieldLabel.locator('input');
+      await expect(inputField).toBeVisible();
+      await inputField.fill(variable.value);
+      await inputField.blur();
 
       // select the variable in the dashboard and confirm the variable value is set
       await dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItem).click();
@@ -127,94 +140,5 @@ test.describe(
       await expect(panelContent).toBeVisible();
       await expect(markdownContent).toContainText('VariableUnderTest: 10m');
     });
-    test('can hide a variable', async ({ dashboardPage, selectors, page }) => {
-      const variable: Variable = {
-        type: 'textbox',
-        name: 'VariableUnderTest',
-        value: 'foo',
-        label: 'VariableUnderTest',
-      };
-
-      await saveDashboard(dashboardPage, page, selectors, 'can hide a variable');
-      await flows.addNewTextBoxVariable(dashboardPage, variable);
-
-      // check the variable is visible in the dashboard
-      const variableLabel = dashboardPage.getByGrafanaSelector(
-        selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label)
-      );
-      await expect(variableLabel).toBeVisible();
-      // hide the variable
-      await dashboardPage
-        .getByGrafanaSelector(selectors.pages.Dashboard.Settings.Variables.Edit.General.generalDisplaySelect)
-        .click();
-      await page.getByText('Hidden', { exact: true }).click();
-
-      // check that the variable is still visible
-      await expect(
-        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
-      ).toBeVisible();
-
-      // save dashboard and exit edit mode and check variable is not visible
-      await saveDashboard(dashboardPage, page, selectors);
-      await dashboardPage.getByGrafanaSelector(selectors.components.NavToolbar.editDashboard.editButton).click();
-      await expect(
-        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
-      ).toBeHidden();
-      // refresh and check that variable isn't visible
-      await page.reload();
-      await expect(
-        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
-      ).toBeHidden();
-      // check that the variable is visible in edit mode
-      await dashboardPage.getByGrafanaSelector(selectors.components.NavToolbar.editDashboard.editButton).click();
-      await expect(
-        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
-      ).toBeVisible();
-    });
-
-    test('can hide variable under the controls menu', async ({ dashboardPage, selectors, page }) => {
-      const variable: Variable = {
-        type: 'textbox',
-        name: 'VariableUnderTest',
-        value: 'foo',
-        label: 'VariableUnderTest',
-      };
-      await saveDashboard(dashboardPage, page, selectors, 'can hide a variable in controls menu');
-
-      await flows.addNewTextBoxVariable(dashboardPage, variable);
-
-      // check the variable is visible in the dashboard
-      const variableLabel = dashboardPage.getByGrafanaSelector(
-        selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label)
-      );
-      await expect(variableLabel).toBeVisible();
-      // hide the variable
-      await dashboardPage
-        .getByGrafanaSelector(selectors.pages.Dashboard.Settings.Variables.Edit.General.generalDisplaySelect)
-        .click();
-      await page.getByText('Controls menu', { exact: true }).click();
-
-      // check that the variable is hidden under the controls menu
-      await expect(
-        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
-      ).toBeHidden();
-      await dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.ControlsButton).click();
-      await expect(
-        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
-      ).toBeVisible();
-
-      // save dashboard and refresh
-      await saveDashboard(dashboardPage, page, selectors);
-      await page.reload();
-
-      //check that the variable is hidden under the controls menu
-      await expect(
-        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
-      ).toBeHidden();
-      await dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.ControlsButton).click();
-      await expect(
-        dashboardPage.getByGrafanaSelector(selectors.pages.Dashboard.SubMenu.submenuItemLabels(variable.label!))
-      ).toBeVisible();
-    });
   }
 );

e2e-playwright/dashboard-new-layouts/utils.ts

@@ -79,20 +79,6 @@ export const flows = {
       await variableLabelInput.blur();
     }
   },
-  async addNewTextBoxVariable(dashboardPage: DashboardPage, variable: Variable) {
-    await flows.newEditPaneVariableClick(dashboardPage, selectors);
-    await flows.newEditPanelCommonVariableInputs(dashboardPage, selectors, variable);
-    // set the textbox variable value
-    const type = 'variable-type Value';
-    const fieldLabel = dashboardPage.getByGrafanaSelector(
-      selectors.components.PanelEditor.OptionsPane.fieldLabel(type)
-    );
-    await expect(fieldLabel).toBeVisible();
-    const inputField = fieldLabel.locator('input');
-    await expect(inputField).toBeVisible();
-    await inputField.fill(variable.value);
-    await inputField.blur();
-  },
 };
 
 export type Variable = {
@@ -103,16 +89,8 @@ export type Variable = {
   value: string;
 };
 
-export async function saveDashboard(
-  dashboardPage: DashboardPage,
-  page: Page,
-  selectors: E2ESelectorGroups,
-  title?: string
-) {
+export async function saveDashboard(dashboardPage: DashboardPage, page: Page, selectors: E2ESelectorGroups) {
   await dashboardPage.getByGrafanaSelector(selectors.components.NavToolbar.editDashboard.saveButton).click();
-  if (title) {
-    await page.getByTestId(selectors.components.Drawer.DashboardSaveDrawer.saveAsTitleInput).fill(title);
-  }
   await dashboardPage.getByGrafanaSelector(selectors.components.Drawer.DashboardSaveDrawer.saveButton).click();
   await expect(page.getByText('Dashboard saved')).toBeVisible();
 }

go.mod

@@ -7,7 +7,7 @@ require (
 	buf.build/gen/go/parca-dev/parca/protocolbuffers/go v1.36.2-20250703125925-3f0fcf4bff96.1 // @grafana/observability-traces-and-profiling
 	cloud.google.com/go/kms v1.22.0 // @grafana/grafana-backend-group
 	cloud.google.com/go/storage v1.55.0 // @grafana/grafana-backend-group
-	connectrpc.com/connect v1.19.1 // @grafana/observability-traces-and-profiling
+	connectrpc.com/connect v1.18.1 // @grafana/observability-traces-and-profiling
 	cuelang.org/go v0.11.1 // @grafana/grafana-as-code
 	dario.cat/mergo v1.0.2 // @grafana/grafana-app-platform-squad
 	filippo.io/age v1.2.1 // @grafana/identity-access-team
@@ -89,18 +89,18 @@ require (
 	github.com/gorilla/mux v1.8.1 // @grafana/grafana-backend-group
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // @grafana/grafana-app-platform-squad
 	github.com/grafana/alerting v0.0.0-20251231150637-b7821017d69f // @grafana/alerting-backend
-	github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f // @grafana/identity-access-team
-	github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 // @grafana/identity-access-team
+	github.com/grafana/authlib v0.0.0-20260106131612-bb61e476969f // @grafana/identity-access-team
+	github.com/grafana/authlib/types v0.0.0-20260106131612-bb61e476969f // @grafana/identity-access-team
 	github.com/grafana/dataplane/examples v0.0.1 // @grafana/observability-metrics
 	github.com/grafana/dataplane/sdata v0.0.9 // @grafana/observability-metrics
-	github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 // @grafana/grafana-backend-group
+	github.com/grafana/dskit v0.0.0-20251204003651-27988664e6ff // @grafana/grafana-backend-group
 	github.com/grafana/e2e v0.1.1 // @grafana-app-platform-squad
 	github.com/grafana/gofpdf v0.0.0-20250307124105-3b9c5d35577f // @grafana/sharing-squad
-	github.com/grafana/gomemcache v0.0.0-20250318131618-74242eea118d // @grafana/grafana-operator-experience-squad
+	github.com/grafana/gomemcache v0.0.0-20251127154401-74f93547077b // @grafana/grafana-operator-experience-squad
 	github.com/grafana/grafana-api-golang-client v0.27.0 // @grafana/alerting-backend
 	github.com/grafana/grafana-app-sdk v0.48.7 // @grafana/grafana-app-platform-squad
 	github.com/grafana/grafana-app-sdk/logging v0.48.7 // @grafana/grafana-app-platform-squad
-	github.com/grafana/grafana-aws-sdk v1.4.2 // @grafana/aws-datasources
+	github.com/grafana/grafana-aws-sdk v1.3.0 // @grafana/aws-datasources
 	github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1 // @grafana/partner-datasources
 	github.com/grafana/grafana-cloud-migration-snapshot v1.9.0 // @grafana/grafana-operator-experience-squad
 	github.com/grafana/grafana-google-sdk-go v0.4.2 // @grafana/partner-datasources
@@ -111,7 +111,7 @@ require (
 	github.com/grafana/nanogit v0.3.0 // indirect; @grafana/grafana-git-ui-sync-team
 	github.com/grafana/otel-profiling-go v0.5.1 // @grafana/grafana-backend-group
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // @grafana/observability-traces-and-profiling
-	github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f // @grafana/observability-traces-and-profiling
+	github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae // @grafana/observability-traces-and-profiling
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // @grafana/grafana-search-and-storage
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // @grafana/plugins-platform-backend
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // @grafana/grafana-backend-group
@@ -151,7 +151,7 @@ require (
 	github.com/openfga/api/proto v0.0.0-20250909172242-b4b2a12f5c67 // @grafana/identity-access-team
 	github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20251027165255-0f8f255e5f6c // @grafana/identity-access-team
 	github.com/openfga/openfga v1.11.1 // @grafana/identity-access-team
-	github.com/opentracing-contrib/go-grpc v0.1.1 // @grafana/grafana-search-and-storage
+	github.com/opentracing-contrib/go-grpc v0.1.2 // @grafana/grafana-search-and-storage
 	github.com/opentracing/opentracing-go v1.2.0 // @grafana/grafana-search-and-storage
 	github.com/openzipkin/zipkin-go v0.4.3 // @grafana/oss-big-tent
 	github.com/patrickmn/go-cache v2.1.0+incompatible // @grafana/alerting-backend
@@ -342,23 +342,23 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/at-wat/mqtt-go v0.19.6 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.31.17 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.21 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.31.10 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.14 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kms v1.41.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 // indirect
 	github.com/axiomhq/hyperloglog v0.0.0-20240507144631-af9851f82b27 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/barkimedes/go-deepcopy v0.0.0-20220514131651-17c30cfc62df // indirect
@@ -456,6 +456,7 @@ require (
 	github.com/gopherjs/gopherjs v1.17.2 // indirect
 	github.com/grafana/jsonparser v0.0.0-20240425183733-ea80629e1a32 // indirect
 	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
+	github.com/grafana/sqlds/v4 v4.2.7 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20191002090509-6af20e3a5340 // indirect
 	github.com/hashicorp/consul/api v1.31.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -471,7 +472,7 @@ require (
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
-	github.com/hashicorp/memberlist v0.5.2 // indirect
+	github.com/hashicorp/memberlist v0.5.3 // indirect
 	github.com/hashicorp/serf v0.10.2 // indirect
 	github.com/hashicorp/vault/api v1.20.0 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
@@ -516,7 +517,7 @@ require (
 	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/mdlayher/vsock v1.2.1 // indirect
 	github.com/mfridman/interpolate v0.0.2 // indirect
-	github.com/miekg/dns v1.1.63 // indirect
+	github.com/miekg/dns v1.1.68 // indirect
 	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
 	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
@@ -549,17 +550,17 @@ require (
 	github.com/open-telemetry/opentelemetry-collector-contrib/pkg/translator/jaeger v0.124.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opentracing-contrib/go-stdlib v1.0.0 // indirect
+	github.com/opentracing-contrib/go-stdlib v1.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
-	github.com/pires/go-proxyproto v0.7.0 // indirect
+	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/common/sigv4 v0.1.0 // indirect
-	github.com/prometheus/exporter-toolkit v0.14.0 // indirect
+	github.com/prometheus/exporter-toolkit v0.15.0 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/protocolbuffers/txtpbfmt v0.0.0-20251124094003-fcb97cc64c7b // indirect
 	github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect
@@ -573,7 +574,7 @@ require (
 	github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/segmentio/encoding v0.5.3 // indirect
-	github.com/sercand/kuberesolver/v6 v6.0.0 // indirect
+	github.com/sercand/kuberesolver/v6 v6.0.1 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/sethvargo/go-retry v0.3.0 // indirect
 	github.com/shadowspore/fossil-delta v0.0.0-20241213113458-1d797d70cbe3 // indirect
@@ -681,9 +682,7 @@ require (
 	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
 	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
 	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
-	github.com/google/gnostic v0.7.1 // indirect
 	github.com/gophercloud/gophercloud/v2 v2.9.0 // indirect
-	github.com/grafana/sqlds/v5 v5.0.3 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/moby/go-archive v0.1.0 // indirect

go.sum

@@ -627,8 +627,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
 cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
 cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
-connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
-connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
+connectrpc.com/connect v1.18.1 h1:PAg7CjSAGvscaf6YZKUefjoih5Z/qYkyaTrBW8xvYPw=
+connectrpc.com/connect v1.18.1/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8=
 contrib.go.opencensus.io/exporter/ocagent v0.6.0/go.mod h1:zmKjrJcdo0aYcVS7bmEeSEBLPA9YJp5bjrofdU3pIXs=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819 h1:Zh+Ur3OsoWpvALHPLT45nOekHkgOt+IOfutBbPqM17I=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819/go.mod h1:WjmQxb+W6nVNCgj8nXrF24lIz95AHwnSl36tpjDZSU8=
@@ -854,20 +854,20 @@ github.com/aws/aws-sdk-go-v2 v1.40.0 h1:/WMUA0kjhZExjOQN2z3oLALDREea1A7TobfuiBrK
 github.com/aws/aws-sdk-go-v2 v1.40.0/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 h1:12SpdwU8Djs+YGklkinSSlcrPyj3H4VifVsKf78KbwA=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11/go.mod h1:dd+Lkp6YmMryke+qxW/VnKyhMBDTYP41Q2Bb+6gNZgY=
-github.com/aws/aws-sdk-go-v2/config v1.31.17 h1:QFl8lL6RgakNK86vusim14P2k8BFSxjvUkcWLDjgz9Y=
-github.com/aws/aws-sdk-go-v2/config v1.31.17/go.mod h1:V8P7ILjp/Uef/aX8TjGk6OHZN6IKPM5YW6S78QnRD5c=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.21 h1:56HGpsgnmD+2/KpG0ikvvR8+3v3COCwaF4r+oWwOeNA=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.21/go.mod h1:3YELwedmQbw7cXNaII2Wywd+YY58AmLPwX4LzARgmmA=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk=
+github.com/aws/aws-sdk-go-v2/config v1.31.10 h1:7LllDZAegXU3yk41mwM6KcPu0wmjKGQB1bg99bNdQm4=
+github.com/aws/aws-sdk-go-v2/config v1.31.10/go.mod h1:Ge6gzXPjqu4v0oHvgAwvGzYcK921GU0hQM25WF/Kl+8=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.14 h1:TxkI7QI+sFkTItN/6cJuMZEIVMFXeu2dI1ZffkXngKI=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.14/go.mod h1:12x4Uw/vijC11XkctTjy92TNCQ+UnNJkT7fzX0Yd93E=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8 h1:gLD09eaJUdiszm7vd1btiQUYE0Hj+0I2b8AS+75z9AY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8/go.mod h1:4RW3oMPt1POR74qVOC4SbubxAwdP4pCT0nSw3jycOU4=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84 h1:cTXRdLkpBanlDwISl+5chq5ui1d1YWg4PWMR9c3kXyw=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.84/go.mod h1:kwSy5X7tfIHN39uucmjQVs2LvDdXEjQucgQQEqCggEo=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 h1:PZHqQACxYb8mYgms4RZbhZG0a7dPW06xOjmaH0EJC/I=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14/go.mod h1:VymhrMJUWs69D8u0/lZ7jSB6WgaG/NqHi3gX0aYf6U0=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 h1:bOS19y6zlJwagBfHxs0ESzr1XCOU2KXJCWcq3E2vfjY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14/go.mod h1:1ipeGBMAxZ0xcTm6y6paC2C/J6f6OO7LBODV9afuAyM=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 h1:GMYy2EOWfzdP3wfVAGXBNKY5vK4K8vMET4sYOYltmqs=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36/go.mod h1:gDhdAV6wL3PmPqBhiPbnlS447GoWs8HTTOYef9/9Inw=
 github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.45.3 h1:Nn3qce+OHZuMj/edx4its32uxedAmquCDxtZkrdeiD4=
@@ -876,12 +876,12 @@ github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.51.0 h1:e5cbPZYTIY2nUEFie
 github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.51.0/go.mod h1:UseIHRfrm7PqeZo6fcTb6FUCXzCnh1KJbQbmOfxArGM=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.225.2 h1:IfMb3Ar8xEaWjgH/zeVHYD8izwJdQgRP5mKCTDt4GNk=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.225.2/go.mod h1:35jGWx7ECvCwTsApqicFYzZ7JFEnBc6oHUuOQ3xIS54=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 h1:nAP2GYbfh8dd2zGZqFRSMlq+/F6cMPBUuCsGAMkN074=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4/go.mod h1:LT10DsiGjLWh4GbjInf9LQejkYEhBgBCjLG5+lvk4EE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 h1:M6JI2aGFEzYxsF6CXIuRBnkge9Wf9a2xU39rNeXgu10=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8/go.mod h1:Fw+MyTwlwjFsSTE31mH211Np+CUslml8mzc0AFEG09s=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 h1:qcLWgdhq45sDM9na4cvXax9dyLitn8EYBRl8Ak4XtG4=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17/go.mod h1:M+jkjBFZ2J6DJrjMv2+vkBbuht6kxJYtJiwoVgX4p4U=
 github.com/aws/aws-sdk-go-v2/service/kms v1.41.2 h1:zJeUxFP7+XP52u23vrp4zMcVhShTWbNO8dHV6xCSvFo=
@@ -894,12 +894,12 @@ github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0 h1:0reDqfEN+tB+sozj2r92Bep8MEwBZ
 github.com/aws/aws-sdk-go-v2/service/s3 v1.84.0/go.mod h1:kUklwasNoCn5YpyAqC/97r6dzTA1SRKJfKq16SXeoDU=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.40.1 h1:w6a0H79HrHf3lr+zrw+pSzR5B+caiQFAKiNHlrUcnoc=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.40.1/go.mod h1:c6Vg0BRiU7v0MVhHupw90RyL120QBwAMLbDCzptGeMk=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 h1:0JPwLz1J+5lEOfy/g0SURC9cxhbQ1lIMHMa+AHZSzz0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.1/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 h1:OWs0/j2UYR5LOGi88sD5/lhN6TDLG6SfA7CqsQO9zF0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 h1:mLlUgHn02ue8whiR4BmxxGJLR2gwU6s6ZzJ5wDamBUs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.39.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.4 h1:FTdEN9dtWPB0EOURNtDPmwGp6GGvMqRJCAihkSl/1No=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.4/go.mod h1:mYubxV9Ff42fZH4kexj43gFPhgc/LyC7KqvUKt1watc=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0 h1:I7ghctfGXrscr7r1Ga/mDqSJKm7Fkpl5Mwq79Z+rZqU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0/go.mod h1:Zo9id81XP6jbayIFWNuDpA6lMBWhsVy+3ou2jLa4JnA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 h1:+LVB0xBqEgjQoqr9bGZbRzvg212B0f17JdflleJRNR4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.5/go.mod h1:xoaxeqnnUaZjPjaICgIy5B+MHCSb/ZSOn4MvkFNOUA0=
 github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
 github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/axiomhq/hyperloglog v0.0.0-20191112132149-a4c4c47bc57f/go.mod h1:2stgcRjl6QmW+gU2h5E7BQXg4HU0gzxKWDuT5HviN9s=
@@ -1503,8 +1503,6 @@ github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PU
 github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
 github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
-github.com/google/gnostic v0.7.1 h1:t5Kc7j/8kYr8t2u11rykRrPPovlEMG4+xdc/SpekATs=
-github.com/google/gnostic v0.7.1/go.mod h1:KSw6sxnxEBFM8jLPfJd46xZP+yQcfE8XkiqfZx5zR28=
 github.com/google/gnostic-models v0.7.1 h1:SisTfuFKJSKM5CPZkffwi6coztzzeYUhc3v4yxLWH8c=
 github.com/google/gnostic-models v0.7.1/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -1631,14 +1629,20 @@ github.com/grafana/alerting v0.0.0-20251231150637-b7821017d69f h1:Br4SaUL3dnVopK
 github.com/grafana/alerting v0.0.0-20251231150637-b7821017d69f/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f h1:Cbm6OKkOcJ+7CSZsGsEJzktC/SIa5bxVeYKQLuYK86o=
 github.com/grafana/authlib v0.0.0-20250930082137-a40e2c2b094f/go.mod h1:axY0cdOg3q0TZHwpHnIz5x16xZ8ZBxJHShsSHHXcHQg=
+github.com/grafana/authlib v0.0.0-20260106131612-bb61e476969f h1:OfVtnO3+Ficm7W69dFD5IaZWlMvOLIWBBnppE99dVkU=
+github.com/grafana/authlib v0.0.0-20260106131612-bb61e476969f/go.mod h1:KUNx2Qz7mgh2tm2/TJXx0+uq5SkCrquCFI+dHln2Q50=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4 h1:Muoy+FMGrHj3GdFbvsMzUT7eusgii9PKf9L1ZaXDDbY=
 github.com/grafana/authlib/types v0.0.0-20251119142549-be091cf2f4d4/go.mod h1:qeWYbnWzaYGl88JlL9+DsP1GT2Cudm58rLtx13fKZdw=
+github.com/grafana/authlib/types v0.0.0-20251203163023-dd5a97c606e3/go.mod h1:CZ5McGzO/q6lnRb8xvTODCC2bJniQoQ+gho0AVZC/zY=
+github.com/grafana/authlib/types v0.0.0-20260106131612-bb61e476969f h1:5ZI6e22sGdg36MAIMJkH6PUHtZU/QuwAScNfgWNlK0I=
+github.com/grafana/authlib/types v0.0.0-20260106131612-bb61e476969f/go.mod h1:j+YTXmAcD4zCNyl4QSNqYSEe/q9KgrH1btodnhK29hI=
 github.com/grafana/dataplane/examples v0.0.1 h1:K9M5glueWyLoL4//H+EtTQq16lXuHLmOhb6DjSCahzA=
 github.com/grafana/dataplane/examples v0.0.1/go.mod h1:h5YwY8s407/17XF5/dS8XrUtsTVV2RnuW8+m1Mp46mg=
 github.com/grafana/dataplane/sdata v0.0.9 h1:AGL1LZnCUG4MnQtnWpBPbQ8ZpptaZs14w6kE/MWfg7s=
 github.com/grafana/dataplane/sdata v0.0.9/go.mod h1:Jvs5ddpGmn6vcxT7tCTWAZ1mgi4sbcdFt9utQx5uMAU=
 github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4 h1:jSojuc7njleS3UOz223WDlXOinmuLAIPI0z2vtq8EgI=
 github.com/grafana/dskit v0.0.0-20250908063411-6b6da59b5cc4/go.mod h1:VahT+GtfQIM+o8ht2StR6J9g+Ef+C2Vokh5uuSmOD/4=
+github.com/grafana/dskit v0.0.0-20251204003651-27988664e6ff/go.mod h1:/pHIcyeZJBZbtboXOjRtPaMl5KK+2VRdNJbCHDkpDYs=
 github.com/grafana/e2e v0.1.1 h1:/b6xcv5BtoBnx8cZnCiey9DbjEc8z7gXHO5edoeRYxc=
 github.com/grafana/e2e v0.1.1/go.mod h1:RpNLgae5VT+BUHvPE+/zSypmOXKwEu4t+tnEMS1ATaE=
 github.com/grafana/go-mysql-server v0.20.1-grafana1 h1:yA4Mzt+tTdIlQutBUaiPnepULPQ7CS4hMu2GOpHqT6s=
@@ -1647,14 +1651,15 @@ github.com/grafana/gofpdf v0.0.0-20250307124105-3b9c5d35577f h1:5xkjl5Y/j2QefJKO
 github.com/grafana/gofpdf v0.0.0-20250307124105-3b9c5d35577f/go.mod h1:+O5QxOwwgP10jedZHapzXY+IPKTnzHBtIs5UUb9G+kI=
 github.com/grafana/gomemcache v0.0.0-20250318131618-74242eea118d h1:oXRJlb9UjVsl6LhqBdbyAQ9YFhExwsj4bjh5vwMNRZY=
 github.com/grafana/gomemcache v0.0.0-20250318131618-74242eea118d/go.mod h1:j/s0jkda4UXTemDs7Pgw/vMT06alWc42CHisvYac0qw=
+github.com/grafana/gomemcache v0.0.0-20251127154401-74f93547077b/go.mod h1:j/s0jkda4UXTemDs7Pgw/vMT06alWc42CHisvYac0qw=
 github.com/grafana/grafana-api-golang-client v0.27.0 h1:zIwMXcbCB4n588i3O2N6HfNcQogCNTd/vPkEXTr7zX8=
 github.com/grafana/grafana-api-golang-client v0.27.0/go.mod h1:uNLZEmgKtTjHBtCQMwNn3qsx2mpMb8zU+7T4Xv3NR9Y=
 github.com/grafana/grafana-app-sdk v0.48.7 h1:9mF7nqkqP0QUYYDlznoOt+GIyjzj45wGfUHB32u2ZMo=
 github.com/grafana/grafana-app-sdk v0.48.7/go.mod h1:DWsaaH39ZMHwSOSoUBaeW8paMrRaYsjRYlLwCJYd78k=
 github.com/grafana/grafana-app-sdk/logging v0.48.7 h1:Oa5qg473gka5+W/WQk61Xbw4YdAv+wV2Z4bJtzeCaQw=
 github.com/grafana/grafana-app-sdk/logging v0.48.7/go.mod h1:5u3KalezoBAAo2Y3ytDYDAIIPvEqFLLDSxeiK99QxDU=
-github.com/grafana/grafana-aws-sdk v1.4.2 h1:GrUEoLbs46r8rG/GZL4L2b63Bo+rkIYKdtCT7kT5KkM=
-github.com/grafana/grafana-aws-sdk v1.4.2/go.mod h1:1qnZdYs6gQzxxF0dDodaE7Rn9fiMzuhwvtaAZ7ySnhY=
+github.com/grafana/grafana-aws-sdk v1.3.0 h1:/bfJzP93rCel1GbWoRSq0oUo424MZXt8jAp2BK9w8tM=
+github.com/grafana/grafana-aws-sdk v1.3.0/go.mod h1:VGycF0JkCGKND2O5je1ucOqPJ0ZNhZYzV3c2bNBAaGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1 h1:FFcEA01tW+SmuJIuDbHOdgUBL+d7DPrZ2N4zwzPhfGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.3.1/go.mod h1:Oi4anANlCuTCc66jCyqIzfVbgLXFll8Wja+Y4vfANlc=
 github.com/grafana/grafana-cloud-migration-snapshot v1.9.0 h1:JOzchPgptwJdruYoed7x28lFDwhzs7kssResYsnC0iI=
@@ -1687,14 +1692,14 @@ github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604
 github.com/grafana/prometheus-alertmanager v0.25.1-0.20250911094103-5456b6e45604/go.mod h1:O/QP1BCm0HHIzbKvgMzqb5sSyH88rzkFk84F4TfJjBU=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasnuOY813tbMN8i/a3Og=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
-github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f h1:fTlIj5n4x5dU63XHItug7GLjtnaeJdPqBlqg4zlABq0=
-github.com/grafana/pyroscope/api v1.2.1-0.20251118081820-ace37f973a0f/go.mod h1:VBNcIhunCZsJ3/mcYx+j7uFf0P/108eiWa+8+Z9ll3o=
+github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae h1:35W3Wjp9KWnSoV/DuymmyIj5aHE0CYlDQ5m2KeXUPAc=
+github.com/grafana/pyroscope/api v1.2.1-0.20250415190842-3ff7247547ae/go.mod h1:6CJ1uXmLZ13ufpO9xE4pST+DyaBt0uszzrV0YnoaVLQ=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
 github.com/grafana/saml v0.4.15-0.20240917091248-ae3bbdad8a56 h1:SDGrP81Vcd102L3UJEryRd1eestRw73wt+b8vnVEFe0=
 github.com/grafana/saml v0.4.15-0.20240917091248-ae3bbdad8a56/go.mod h1:S4+611dxnKt8z/ulbvaJzcgSHsuhjVc1QHNTcr1R7Fw=
-github.com/grafana/sqlds/v5 v5.0.3 h1:+yUMUxfa0WANQsmS9xtTFSRX1Q55Iv1B9EjlrW4VlBU=
-github.com/grafana/sqlds/v5 v5.0.3/go.mod h1:GKeTTiC+GeR1X0z3f0Iee+hZnNgN62uQpj5XVMx5Uew=
+github.com/grafana/sqlds/v4 v4.2.7 h1:sFQhsS7DBakNMdxa++yOfJ9BVvkZwFJ0B95o57K0/XA=
+github.com/grafana/sqlds/v4 v4.2.7/go.mod h1:BQRjUG8rOqrBI4NAaeoWrIMuoNgfi8bdhCJ+5cgEfLU=
 github.com/grafana/tempo v1.5.1-0.20250529124718-87c2dc380cec h1:wnzJov9RhSHGaTYGzTygL4qq986fLen8xSqnQgaMd28=
 github.com/grafana/tempo v1.5.1-0.20250529124718-87c2dc380cec/go.mod h1:j1IY7J2rUz7TcTjFVVx6HCpyTlYOJPtXuGRZ7sI+vSo=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
@@ -1799,6 +1804,7 @@ github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOn
 github.com/hashicorp/memberlist v0.5.0/go.mod h1:yvyXLpo0QaGE59Y7hDTsTzDD25JYBZ4mHgHUZ8lrOI0=
 github.com/hashicorp/memberlist v0.5.2 h1:rJoNPWZ0juJBgqn48gjy59K5H4rNgvUoM1kUD7bXiuI=
 github.com/hashicorp/memberlist v0.5.2/go.mod h1:Ri9p/tRShbjYnpNf4FFPXG7wxEGY4Nrcn6E7jrVa//4=
+github.com/hashicorp/memberlist v0.5.3/go.mod h1:h60o12SZn/ua/j0B6iKAZezA4eDaGsIuPO70eOaJ6WE=
 github.com/hashicorp/nomad/api v0.0.0-20241218080744-e3ac00f30eec h1:+YBzb977VrmffaCX/OBm17dEVJUcWn5dW+eqs3aIJ/A=
 github.com/hashicorp/nomad/api v0.0.0-20241218080744-e3ac00f30eec/go.mod h1:svtxn6QnrQ69P23VvIWMR34tg3vmwLz4UdUzm1dSCgE=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
@@ -2053,6 +2059,7 @@ github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKju
 github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
 github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
+github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps=
 github.com/migueleliasweb/go-github-mock v1.1.0 h1:GKaOBPsrPGkAKgtfuWY8MclS1xR6MInkx1SexJucMwE=
 github.com/migueleliasweb/go-github-mock v1.1.0/go.mod h1:pYe/XlGs4BGMfRY4vmeixVsODHnVDDhJ9zoi0qzSMHc=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs=
@@ -2207,9 +2214,11 @@ github.com/openfga/openfga v1.11.1 h1:+cJBPi/J+RWPRg+cXOjwWEwjauiW8rdE3kEzcFy1ME
 github.com/openfga/openfga v1.11.1/go.mod h1:MuTGr/ghY7t2sEGwS/59pq9SkqO0QY1kQLIe8Upt+G8=
 github.com/opentracing-contrib/go-grpc v0.1.1 h1:Ws7IN1zyiL1DFqKQPhRXuKe5pLYzMfdxnC1qtajE2PE=
 github.com/opentracing-contrib/go-grpc v0.1.1/go.mod h1:Nu6sz+4zzgxXu8rvKfnwjBEmHsuhTigxRwV2RhELrS8=
+github.com/opentracing-contrib/go-grpc v0.1.2/go.mod h1:glU6rl1Fhfp9aXUHkE36K2mR4ht8vih0ekOVlWKEUHM=
 github.com/opentracing-contrib/go-stdlib v0.0.0-20190519235532-cf7a6c988dc9/go.mod h1:PLldrQSroqzH70Xl+1DQcGnefIbqsKR7UDaiux3zV+w=
 github.com/opentracing-contrib/go-stdlib v1.0.0 h1:TBS7YuVotp8myLon4Pv7BtCBzOTo1DeZCld0Z63mW2w=
 github.com/opentracing-contrib/go-stdlib v1.0.0/go.mod h1:qtI1ogk+2JhVPIXVc6q+NHziSmy2W5GbdQZFUHADCBU=
+github.com/opentracing-contrib/go-stdlib v1.1.0/go.mod h1:S0p+X9p6dcBkoMTL+Qq2VOvxKs9ys5PpYWXWqlCS0bQ=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
@@ -2243,6 +2252,7 @@ github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU
 github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
 github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -2321,6 +2331,7 @@ github.com/prometheus/common/sigv4 v0.1.0/go.mod h1:2Jkxxk9yYvCkE5G1sQT7GuEXm57J
 github.com/prometheus/exporter-toolkit v0.11.0/go.mod h1:BVnENhnNecpwoTLiABx7mrPB/OLRIgN74qlQbV+FK1Q=
 github.com/prometheus/exporter-toolkit v0.14.0 h1:NMlswfibpcZZ+H0sZBiTjrA3/aBFHkNZqE+iCj5EmRg=
 github.com/prometheus/exporter-toolkit v0.14.0/go.mod h1:Gu5LnVvt7Nr/oqTBUC23WILZepW0nffNo10XdhQcwWA=
+github.com/prometheus/exporter-toolkit v0.15.0/go.mod h1:OyRWd2iTo6Xge9Kedvv0IhCrJSBu36JCfJ2yVniRIYk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
@@ -2405,6 +2416,7 @@ github.com/segmentio/encoding v0.5.3 h1:OjMgICtcSFuNvQCdwqMCv9Tg7lEOXGwm1J5RPQcc
 github.com/segmentio/encoding v0.5.3/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0=
 github.com/sercand/kuberesolver/v6 v6.0.0 h1:ScvS2Ga9snVkpOahln/BCLySr3/iBAHJf25u66DweZ0=
 github.com/sercand/kuberesolver/v6 v6.0.0/go.mod h1:Dxkqms3OJadP5zirIBPLi9FV8Qpys3T3w40XPEcVsu0=
+github.com/sercand/kuberesolver/v6 v6.0.1/go.mod h1:C0tsTuRMONSY+Xf7pv7RMW1/JlewY1+wS8SZE+1lf1s=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sethvargo/go-retry v0.3.0 h1:EEt31A35QhrcRZtrYFDTBg91cqZVnFL2navjDrah2SE=

go.work.sum

@@ -317,6 +317,7 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace v1.29.
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0/go.mod h1:otE2jQekW/PqXk1Awf5lmfokJx4uwuqcj1ab5SpGeW0=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/propagator v0.53.0 h1:RAHqDHJmNMLe6JvDoRIlXmb72w+62Ue/k5p/qP9yfAg=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/propagator v0.53.0/go.mod h1:dtCRwgvytbGKWdlrjMOg9geBoRwRpCYWIOM/JhVsDIc=
+github.com/HdrHistogram/hdrhistogram-go v1.2.0/go.mod h1:CiIeGiHSd06zjX+FypuEJ5EQ07KKtxZ+8J6hszwVQig=
 github.com/IBM/go-sdk-core/v5 v5.17.4 h1:VGb9+mRrnS2HpHZFM5hy4J6ppIWnwNrw0G+tLSgcJLc=
 github.com/IBM/go-sdk-core/v5 v5.17.4/go.mod h1:KsAAI7eStAWwQa4F96MLy+whYSh39JzNjklZRbN/8ns=
 github.com/IBM/ibm-cos-sdk-go v1.11.0 h1:Jp55NLN3OvBwucMGpP5wNybyjncsmTZ9+GPHai/1cE8=
@@ -424,30 +425,23 @@ github.com/aws/aws-msk-iam-sasl-signer-go v1.0.1/go.mod h1:MVYeeOhILFFemC/XlYTCl
 github.com/aws/aws-sdk-go-v2 v1.36.5/go.mod h1:EYrzvCCN9CMUTa5+6lf6MM4tq3Zjp8UhSGR/cBsjai0=
 github.com/aws/aws-sdk-go-v2 v1.38.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
 github.com/aws/aws-sdk-go-v2 v1.39.1/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
-github.com/aws/aws-sdk-go-v2 v1.39.6/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
 github.com/aws/aws-sdk-go-v2/config v1.29.17/go.mod h1:9P4wwACpbeXs9Pm9w1QTh6BwWwJjwYvJ1iCt5QbCXh8=
 github.com/aws/aws-sdk-go-v2/config v1.31.2/go.mod h1:17ft42Yb2lF6OigqSYiDAiUcX4RIkEMY6XxEMJsrAes=
-github.com/aws/aws-sdk-go-v2/config v1.31.10/go.mod h1:Ge6gzXPjqu4v0oHvgAwvGzYcK921GU0hQM25WF/Kl+8=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.70/go.mod h1:M+lWhhmomVGgtuPOhO85u4pEa3SmssPTdcYpP/5J/xc=
 github.com/aws/aws-sdk-go-v2/credentials v1.18.6/go.mod h1:/jdQkh1iVPa01xndfECInp1v1Wnp70v3K4MvtlLGVEc=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.14/go.mod h1:12x4Uw/vijC11XkctTjy92TNCQ+UnNJkT7fzX0Yd93E=
 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.19.5 h1:oUEqVqonG3xuarrsze1KVJ30KagNYDemikTbdu8KlN8=
 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.19.5/go.mod h1:VNM08cHlOsIbSHRqb6D/M2L4kKXfJv3A2/f0GNbOQSc=
 github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression v1.7.87 h1:oDPArGgCrG/4aTi86ij3S2PB59XXkTSKYVNQlmqRHXQ=
 github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression v1.7.87/go.mod h1:ZeQC4gVarhdcWeM1c90DyBLaBCNhEeAbKUXwVI/byvw=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32/go.mod h1:h4Sg6FQdexC1yYG9RDnOvLbW1a/P986++/Y/a+GyEM8=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4/go.mod h1:9xzb8/SV62W6gHQGC/8rrvgNXU6ZoYM3sAIJCIrXJxY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8/go.mod h1:4RW3oMPt1POR74qVOC4SbubxAwdP4pCT0nSw3jycOU4=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.69/go.mod h1:GJj8mmO6YT6EqgduWocwhMoxTLFitkhIrK+owzrYL2I=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36/go.mod h1:Q1lnJArKRXkenyog6+Y+zr7WDpk4e6XlR6gs20bbeNo=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4/go.mod h1:l4bdfCD7XyyZA9BolKBo1eLqgaJxl0/x91PL4Yqe0ao=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.8/go.mod h1:KcGkXFVU8U28qS4KvLEcPxytPZPBcRawaH2Pf/0jptE=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13/go.mod h1:oGnKwIYZ4XttyU2JWxFrwvhF6YKiK/9/wmE3v3Iu9K8=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36/go.mod h1:UdyGa7Q91id/sdyHPwth+043HhmP6yP9MBHgbZM0xo8=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4/go.mod h1:yDmJgqOiH4EA8Hndnv4KwAo8jCGTSnM5ASG1nBI+toA=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.8/go.mod h1:JnA+hPWeYAVbDssp83tv+ysAG8lTfLVXvSsyKg/7xNA=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13/go.mod h1:YE94ZoDArI7awZqJzBAZ3PDD2zSfuP7w6P2knOzIn8M=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34/go.mod h1:zf7Vcd1ViW7cPqYWEHLHJkS50X0JS2IKz9Cgaj6ugrs=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.44.0 h1:A99gjqZDbdhjtjJVZrmVzVKO2+p3MSg35bDWtbMQVxw=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.44.0/go.mod h1:mWB0GE1bqcVSvpW7OtFA0sKuHk52+IqtnsYU2jUfYAs=
@@ -455,13 +449,11 @@ github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.26.0 h1:0wOCTKrmwkyC8Bk7
 github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.26.0/go.mod h1:He/RikglWUczbkV+fkdpcV/3GdL/rTRNVy7VaUiezMo=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0/go.mod h1:iu6FSzgt+M2/x3Dk8zhycdIcHjEFb36IS8HVUVFoMg0=
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.17 h1:x187MqiHwBGjMGAed8Y8K1VGuCtFvQvXb24r+bwmSdo=
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.17/go.mod h1:mC9qMbA6e1pwEq6X3zDGtZRXMG2YaElJkbJlMVHLs5I=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17/go.mod h1:ygpklyoaypuyDvOM5ujWGrYWpAK3h7ugnmKCU/76Ys4=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4/go.mod h1:nLEfLnVMmLvyIG58/6gsSA03F1voKGaCfHV7+lR8S7s=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8/go.mod h1:Fw+MyTwlwjFsSTE31mH211Np+CUslml8mzc0AFEG09s=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.33.0 h1:JPXkrQk5OS/+Q81fKH97Ll/Vmmy0p9vwHhxw+V+tVjg=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.33.0/go.mod h1:dJngkoVMrq0K7QvRkdRZYM4NUp6cdWa2GBdpm8zoY8U=
@@ -495,13 +487,10 @@ github.com/aws/aws-sdk-go-v2/service/ssm v1.60.1 h1:OwMzNDe5VVTXD4kGmeK/FtqAITiV
 github.com/aws/aws-sdk-go-v2/service/ssm v1.60.1/go.mod h1:IyVabkWrs8SNdOEZLyFFcW9bUltV4G6OQS0s6H20PHg=
 github.com/aws/aws-sdk-go-v2/service/sso v1.25.5/go.mod h1:b7SiVprpU+iGazDUqvRSLf5XmCdn+JtT1on7uNL6Ipc=
 github.com/aws/aws-sdk-go-v2/service/sso v1.28.2/go.mod h1:n9bTZFZcBa9hGGqVz3i/a6+NG0zmZgtkB9qVVFDqPA8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.4/go.mod h1:mYubxV9Ff42fZH4kexj43gFPhgc/LyC7KqvUKt1watc=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3/go.mod h1:vq/GQR1gOFLquZMSrxUK/cpvKCNVYibNyJ1m7JrU88E=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.2/go.mod h1:eknndR9rU8UpE/OmFpqU78V1EcXPKFTTm5l/buZYgvM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0/go.mod h1:Zo9id81XP6jbayIFWNuDpA6lMBWhsVy+3ou2jLa4JnA=
 github.com/aws/aws-sdk-go-v2/service/sts v1.34.0/go.mod h1:7ph2tGpfQvwzgistp2+zga9f+bCjlQJPkPUmMgDSD7w=
 github.com/aws/aws-sdk-go-v2/service/sts v1.38.0/go.mod h1:bEPcjW7IbolPfK67G1nilqWyoxYMSPrDiIQ3RdIdKgo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.5/go.mod h1:xoaxeqnnUaZjPjaICgIy5B+MHCSb/ZSOn4MvkFNOUA0=
 github.com/aws/smithy-go v1.22.4/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
 github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
@@ -755,8 +744,6 @@ github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZP
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/flosch/pongo2/v4 v4.0.2 h1:gv+5Pe3vaSVmiJvh/BZa82b7/00YUGm0PIyVVLop0Hw=
 github.com/flosch/pongo2/v4 v4.0.2/go.mod h1:B5ObFANs/36VwxxlgKpdchIJHMvHB562PW+BWPhwZD8=
-github.com/flowstack/go-jsonschema v0.1.1 h1:dCrjGJRXIlbDsLAgTJZTjhwUJnnxVWl1OgNyYh5nyDc=
-github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0=
 github.com/fluent/fluent-bit-go v0.0.0-20230731091245-a7a013e2473c h1:yKN46XJHYC/gvgH2UsisJ31+n4K3S7QYZSfU2uAWjuI=
 github.com/fluent/fluent-bit-go v0.0.0-20230731091245-a7a013e2473c/go.mod h1:L92h+dgwElEyUuShEwjbiHjseW410WIcNz+Bjutc8YQ=
 github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
@@ -893,7 +880,6 @@ github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQ
 github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
 github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
-github.com/gophercloud/gophercloud v1.13.0 h1:8iY9d1DAbzMW6Vok1AxbbK5ZaUjzMp0tdyt4fX9IeJ0=
 github.com/gophercloud/gophercloud v1.13.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
 github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
@@ -904,19 +890,23 @@ github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB7
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grafana/alerting v0.0.0-20250729175202-b4b881b7b263/go.mod h1:VKxaR93Gff0ZlO2sPcdPVob1a/UzArFEW5zx3Bpyhls=
 github.com/grafana/alerting v0.0.0-20251009192429-9427c24835ae/go.mod h1:VGjS5gDwWEADPP6pF/drqLxEImgeuHlEW5u8E5EfIrM=
+github.com/grafana/alerting v0.0.0-20251223160021-926c74910196/go.mod h1:l7v67cgP7x72ajB9UPZlumdrHqNztpKoqQ52cU8T3LU=
 github.com/grafana/authlib v0.0.0-20250710201142-9542f2f28d43/go.mod h1:1fWkOiL+m32NBgRHZtlZGz2ji868tPZACYbqP3nBRJI=
 github.com/grafana/authlib/types v0.0.0-20250710201142-9542f2f28d43/go.mod h1:qeWYbnWzaYGl88JlL9+DsP1GT2Cudm58rLtx13fKZdw=
 github.com/grafana/authlib/types v0.0.0-20250926065801-df98203cff37/go.mod h1:qeWYbnWzaYGl88JlL9+DsP1GT2Cudm58rLtx13fKZdw=
+github.com/grafana/authlib/types v0.0.0-20251203163023-dd5a97c606e3 h1:T4AMrL8ZB1U25m/+FOmkqWPnz0X7u/Oqj1ISg4OrS2c=
 github.com/grafana/cloudflare-go v0.0.0-20230110200409-c627cf6792f2 h1:qhugDMdQ4Vp68H0tp/0iN17DM2ehRo1rLEdOFe/gB8I=
 github.com/grafana/cloudflare-go v0.0.0-20230110200409-c627cf6792f2/go.mod h1:w/aiO1POVIeXUQyl0VQSZjl5OAGDTL5aX+4v0RA1tcw=
 github.com/grafana/codejen v0.0.4-0.20230321061741-77f656893a3d/go.mod h1:zmwwM/DRyQB7pfuBjTWII3CWtxcXh8LTwAYGfDfpR6s=
 github.com/grafana/cog v0.0.43/go.mod h1:TDunc7TYF7EfzjwFOlC5AkMe3To/U2KqyyG3QVvrF38=
 github.com/grafana/dskit v0.0.0-20250611075409-46f51e1ce914/go.mod h1:OiN4P4aC6LwLzLbEupH3Ue83VfQoNMfG48rsna8jI/E=
 github.com/grafana/dskit v0.0.0-20250818234656-8ff9c6532e85/go.mod h1:kImsvJ1xnmeT9Z6StK+RdEKLzlpzBsKwJbEQfmBJdFs=
+github.com/grafana/dskit v0.0.0-20251204003651-27988664e6ff h1:eDbrQsfY1Y3vMfuy5suGI2DRNC1DFBcZMFMlNbPrdiE=
 github.com/grafana/go-gelf/v2 v2.0.1 h1:BOChP0h/jLeD+7F9mL7tq10xVkDG15he3T1zHuQaWak=
 github.com/grafana/go-gelf/v2 v2.0.1/go.mod h1:lexHie0xzYGwCgiRGcvZ723bSNyNI8ZRD4s0CLobh90=
 github.com/grafana/go-mysql-server v0.20.1-0.20251027172658-317a8d46ffa4/go.mod h1:EeYR0apo+8j2Dyxmn2ghkPlirO2S5mT1xHBrA+Efys8=
 github.com/grafana/gomemcache v0.0.0-20250228145437-da7b95fd2ac1/go.mod h1:j/s0jkda4UXTemDs7Pgw/vMT06alWc42CHisvYac0qw=
+github.com/grafana/gomemcache v0.0.0-20251127154401-74f93547077b h1:5qp8/5YPt/Z2RW5QHsxvwE05+LWQYIXydP2MwOkMfb8=
 github.com/grafana/grafana-app-sdk v0.40.1/go.mod h1:4P8h7VB6KcDjX9bAoBQc6IP8iNylxe6bSXLR9gA39gM=
 github.com/grafana/grafana-app-sdk v0.40.2/go.mod h1:BbNXPNki3mtbkWxYqJsyA1Cj9AShSyaY33z8WkyfVv0=
 github.com/grafana/grafana-app-sdk v0.41.0 h1:SYHN3U7B1myRKY3UZZDkFsue9TDmAOap0UrQVTqtYBU=
@@ -948,7 +938,6 @@ github.com/grafana/grafana-aws-sdk v1.0.2 h1:98eBuHYFmgvH0xO9kKf4RBsEsgQRp8EOA/9
 github.com/grafana/grafana-aws-sdk v1.0.2/go.mod h1:hO7q7yWV+t6dmiyJjMa3IbuYnYkBua+G/IAlOPVIYKE=
 github.com/grafana/grafana-aws-sdk v1.1.0/go.mod h1:7e+47EdHynteYWGoT5Ere9KeOXQObsk8F0vkOLQ1tz8=
 github.com/grafana/grafana-aws-sdk v1.2.0/go.mod h1:bBo7qOmM3f61vO+2JxTolNUph1l2TmtzmWcU9/Im+8A=
-github.com/grafana/grafana-aws-sdk v1.3.0/go.mod h1:VGycF0JkCGKND2O5je1ucOqPJ0ZNhZYzV3c2bNBAaGk=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.1.6/go.mod h1:V7y2BmsWxS3A9Ohebwn4OiSfJJqi//4JQydQ8fHTduo=
 github.com/grafana/grafana-azure-sdk-go/v2 v2.2.0/go.mod h1:H9sVh9A4yg5egMGZeh0mifxT1Q/uqwKe1LBjBJU6pN8=
 github.com/grafana/grafana-plugin-sdk-go v0.263.0/go.mod h1:U43Cnrj/9DNYyvFcNdeUWNjMXTKNB0jcTcQGpWKd2gw=
@@ -996,7 +985,6 @@ github.com/grafana/prometheus-alertmanager v0.25.1-0.20250604130045-92c8f6389b36
 github.com/grafana/prometheus-alertmanager v0.25.1-0.20250604130045-92c8f6389b36/go.mod h1:O/QP1BCm0HHIzbKvgMzqb5sSyH88rzkFk84F4TfJjBU=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.8/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/grafana/sqlds/v4 v4.2.4/go.mod h1:BQRjUG8rOqrBI4NAaeoWrIMuoNgfi8bdhCJ+5cgEfLU=
-github.com/grafana/sqlds/v4 v4.2.7/go.mod h1:BQRjUG8rOqrBI4NAaeoWrIMuoNgfi8bdhCJ+5cgEfLU=
 github.com/grafana/tail v0.0.0-20230510142333-77b18831edf0 h1:bjh0PVYSVVFxzINqPFYJmAmJNrWPgnVjuSdYJGHmtFU=
 github.com/grafana/tail v0.0.0-20230510142333-77b18831edf0/go.mod h1:7t5XR+2IA8P2qggOAHTj/GCZfoLBle3OvNSYh1VkRBU=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
@@ -1040,6 +1028,7 @@ github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI
 github.com/hashicorp/mdns v1.0.5 h1:1M5hW1cunYeoXOqHwEb/GBDDHAFo0Yqb/uz/beC6LbE=
 github.com/hashicorp/mdns v1.0.5/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
 github.com/hashicorp/memberlist v0.3.1/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
+github.com/hashicorp/memberlist v0.5.3 h1:tQ1jOCypD0WvMemw/ZhhtH+PWpzcftQvgCorLu0hndk=
 github.com/hashicorp/raft v1.7.0 h1:4u24Qn6lQ6uwziM++UgsyiT64Q8GyRn43CV41qPiz1o=
 github.com/hashicorp/raft v1.7.0/go.mod h1:N1sKh6Vn47mrWvEArQgILTyng8GoDRNYlgKyK7PMjs0=
 github.com/hashicorp/raft-wal v0.4.1 h1:aU8XZ6x8R9BAIB/83Z1dTDtXvDVmv9YVYeXxd/1QBSA=
@@ -1200,6 +1189,7 @@ github.com/mfridman/xflag v0.1.0/go.mod h1:/483ywM5ZO5SuMVjrIGquYNE5CzLrj5Ux/LxW
 github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
 github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
 github.com/miekg/dns v1.1.56/go.mod h1:cRm6Oo2C8TY9ZS/TqsSrseAcncm74lfK5G+ikN2SWWY=
+github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA=
 github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/minio/minio-go/v7 v7.0.75/go.mod h1:qydcVzV8Hqtj1VtEocfxbmVFa2siu6HGa+LDEPogjD8=
 github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKUJU=
@@ -1359,6 +1349,8 @@ github.com/openfga/api/proto v0.0.0-20250127102726-f9709139a369/go.mod h1:m74TNg
 github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20250428093642-7aeebe78bbfe/go.mod h1:5Z0pbTT7Jz/oQFLfadb+C5t5NwHrduAO7j7L07Ec1GM=
 github.com/openfga/openfga v1.10.0/go.mod h1:6/m4GTwQsqECsGYQVD3t5sCX97rh3smnmxbMa3YAtJk=
 github.com/opentracing-contrib/go-grpc v0.0.0-20210225150812-73cb765af46e/go.mod h1:DYR5Eij8rJl8h7gblRrOZ8g0kW1umSpKqYIBTgeDtLo=
+github.com/opentracing-contrib/go-grpc v0.1.2 h1:MP16Ozc59kqqwn1v18aQxpeGZhsBanJ2iurZYaQSZ+g=
+github.com/opentracing-contrib/go-stdlib v1.1.0 h1:cZBWc4pA4e65tqTJddbflK435S0tDImj6c9BMvkdUH0=
 github.com/oschwald/geoip2-golang v1.11.0 h1:hNENhCn1Uyzhf9PTmquXENiWS6AlxAEnBII6r8krA3w=
 github.com/oschwald/geoip2-golang v1.11.0/go.mod h1:P9zG+54KPEFOliZ29i7SeYZ/GM6tfEL+rgSn03hYuUo=
 github.com/oschwald/maxminddb-golang v1.13.0 h1:R8xBorY71s84yO06NgTmQvqvTvlS/bnYZrrWX1MElnU=
@@ -1381,6 +1373,7 @@ github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2
 github.com/phpdave11/gofpdf v1.4.2 h1:KPKiIbfwbvC/wOncwhrpRdXVj2CZTCFlw4wnoyjtHfQ=
 github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
 github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
 github.com/pkg/sftp v1.13.1 h1:I2qBYMChEhIjOgazfJmV3/mZM256btk6wkCDRmW7JYs=
@@ -1405,6 +1398,7 @@ github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8N
 github.com/prometheus/common v0.67.2/go.mod h1:63W3KZb1JOKgcjlIr64WW/LvFGAqKPj0atm+knVGEko=
 github.com/prometheus/common/assets v0.2.0 h1:0P5OrzoHrYBOSM1OigWL3mY8ZvV2N4zIE/5AahrSrfM=
 github.com/prometheus/exporter-toolkit v0.10.1-0.20230714054209-2f4150c63f97/go.mod h1:LoBCZeRh+5hX+fSULNyFnagYlQG/gBsyA/deNzROkq8=
+github.com/prometheus/exporter-toolkit v0.15.0 h1:Pcle5sSViwR1x0gdPd0wtYrPQENBieQAM7TmT0qtb2U=
 github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/statsd_exporter v0.21.0/go.mod h1:rbT83sZq2V+p73lHhPZfMc3MLCHmSHelCh9hSGYNLTQ=
 github.com/prometheus/statsd_exporter v0.26.1 h1:ucbIAdPmwAUcA+dU+Opok8Qt81Aw8HanlO+2N/Wjv7w=
@@ -1466,6 +1460,7 @@ github.com/sercand/kuberesolver v2.4.0+incompatible h1:WE2OlRf6wjLxHwNkkFLQGaZcV
 github.com/sercand/kuberesolver v2.4.0+incompatible/go.mod h1:lWF3GL0xptCB/vCiJPl/ZshwPsX/n4Y7u0CW9E7aQIQ=
 github.com/sercand/kuberesolver/v5 v5.1.1 h1:CYH+d67G0sGBj7q5wLK61yzqJJ8gLLC8aeprPTHb6yY=
 github.com/sercand/kuberesolver/v5 v5.1.1/go.mod h1:Fs1KbKhVRnB2aDWN12NjKCB+RgYMWZJ294T3BtmVCpQ=
+github.com/sercand/kuberesolver/v6 v6.0.1 h1:XZUTA0gy/lgDYp/UhEwv7Js24F1j8NJ833QrWv0Xux4=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI=
 github.com/shirou/gopsutil/v3 v3.23.12 h1:z90NtUkp3bMtmICZKpC4+WaknU1eXtp5vtbQ11DgpE4=
@@ -1856,7 +1851,6 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.4
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0/go.mod h1:ru6KHrNtNHxM4nD/vd6QrLVWgKhxPYgblq4VAtNawTQ=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
 go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.60.0/go.mod h1:CosX/aS4eHnG9D7nESYpV753l4j9q5j3SL/PUYd2lR8=
 go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.61.0/go.mod h1:HfvuU0kW9HewH14VCOLImqKvUgONodURG7Alj/IrnGI=
 go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.62.0/go.mod h1:WfEApdZDMlLUAev/0QQpr8EJ/z0VWDKYZ5tF5RH5T1U=
@@ -1965,6 +1959,7 @@ golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sU
 golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
 golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
@@ -1977,7 +1972,7 @@ golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5N
 golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/exp v0.0.0-20250811191247-51f88131bc50/go.mod h1:rT6SFzZ7oxADUDx58pcaKFTcZ+inxAa9fTrYx/uVYwg=
-golang.org/x/exp v0.0.0-20251002181428-27f1f14c8bb9/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=
+golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
 golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e h1:qyrTQ++p1afMkO4DPEeLGq/3oTsdlvdH4vqZUBWzUKM=
 golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.25.0 h1:Y6uW6rH1y5y/LK1J8BPWZtr6yZ7hrsy6hFrXjgsc2fQ=
@@ -2071,7 +2066,6 @@ golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
 golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
@@ -2150,6 +2144,7 @@ google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.
 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
 google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4/go.mod h1:NnuHhy+bxcg30o7FnVAZbXsPHUDQ9qKWAQKCD7VxFtk=
 google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:G5IanEx8/PgI9w6CFcYQf7jMtHQhZruvfM1i3qOqk5U=
+google.golang.org/genproto/googleapis/api v0.0.0-20251124214823-79d6a2a48846/go.mod h1:Fk4kyraUvqD7i5H6S43sj2W98fbZa75lpZz/eUyhfO0=
 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20250603155806-513f23925822 h1:zWFRixYR5QlotL+Uv3YfsPRENIrQFXiGs+iwqel6fOQ=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20250603155806-513f23925822/go.mod h1:h6yxum/C2qRb4txaZRLDHK8RyS0H/o2oEDeKY4onY/Y=

kinds/dashboard/dashboard_kind.cue

@@ -218,10 +218,8 @@ lineage: schemas: [{
 			// Optional field, if you want to extract part of a series name or metric node segment.
 			// Named capture groups can be used to separate the display text and value.
 			regex?: string
-			// Optional, indicates whether a custom type variable uses CSV or JSON to define its values
-			valuesFormat?: "csv" | "json" | *"csv"
-			// Determine whether regex applies to variable value or display text
-			regexApplyTo?: #VariableRegexApplyTo
+      // Determine whether regex applies to variable value or display text
+      regexApplyTo?: #VariableRegexApplyTo
 			// Additional static options for query variable
 			staticOptions?: [...#VariableOption]
 			// Ordering of static options in relation to options returned from data source for query variable

package.json

@@ -295,8 +295,8 @@
     "@grafana/plugin-ui": "^0.11.1",
     "@grafana/prometheus": "workspace:*",
     "@grafana/runtime": "workspace:*",
-    "@grafana/scenes": "v6.52.1",
-    "@grafana/scenes-react": "v6.52.1",
+    "@grafana/scenes": "6.52.0",
+    "@grafana/scenes-react": "6.52.0",
     "@grafana/schema": "workspace:*",
     "@grafana/sql": "workspace:*",
     "@grafana/ui": "workspace:*",

packages/grafana-data/src/types/featureToggles.gen.ts

@@ -1263,8 +1263,4 @@ export interface FeatureToggles {
   * Enables the creation of keepers that manage secrets stored on AWS secrets manager
   */
   secretsManagementAppPlatformAwsKeeper?: boolean;
-  /**
-  * Enables profiles exemplars support in profiles drilldown
-  */
-  profilesExemplars?: boolean;
 }

packages/grafana-data/src/types/templateVars.ts

@@ -103,7 +103,6 @@ export interface IntervalVariableModel extends VariableWithOptions {
 
 export interface CustomVariableModel extends VariableWithMultiSupport {
   type: 'custom';
-  valuesFormat?: 'csv' | 'json';
 }
 
 export interface DataSourceVariableModel extends VariableWithMultiSupport {

packages/grafana-e2e-selectors/src/selectors/pages.ts

@@ -266,9 +266,6 @@ export const versionedPages = {
     Controls: {
       '11.1.0': 'data-testid dashboard controls',
     },
-    ControlsButton: {
-      '12.3.0': 'data-testid dashboard controls button',
-    },
     SubMenu: {
       submenu: {
         [MIN_GRAFANA_VERSION]: 'Dashboard submenu',

packages/grafana-schema/src/raw/composable/grafanapyroscope/dataquery/x/GrafanaPyroscopeDataQuery_types.gen.ts

@@ -25,10 +25,6 @@ export interface GrafanaPyroscopeDataQuery extends common.DataQuery {
    * Allows to group the results.
    */
   groupBy: Array<string>;
-  /**
-   * If set to true, exemplars will be requested
-   */
-  includeExemplars: boolean;
   /**
    * Specifies the query label selectors.
    */
@@ -53,7 +49,6 @@ export interface GrafanaPyroscopeDataQuery extends common.DataQuery {
 
 export const defaultGrafanaPyroscopeDataQuery: Partial<GrafanaPyroscopeDataQuery> = {
   groupBy: [],
-  includeExemplars: false,
   labelSelector: '{}',
   spanSelector: [],
 };

packages/grafana-schema/src/raw/dashboard/x/dashboard_types.gen.ts

@@ -211,10 +211,6 @@ export interface VariableModel {
    * Type of variable
    */
   type: VariableType;
-  /**
-   * Optional, indicates whether a custom type variable uses CSV or JSON to define its values
-   */
-  valuesFormat?: ('csv' | 'json');
 }
 
 export const defaultVariableModel: Partial<VariableModel> = {
@@ -224,7 +220,6 @@ export const defaultVariableModel: Partial<VariableModel> = {
   options: [],
   skipUrlSync: false,
   staticOptions: [],
-  valuesFormat: 'csv',
 };
 
 /**

packages/grafana-schema/src/schema/dashboard/v2_examples.ts

@@ -317,7 +317,6 @@ export const handyTestingSchema: Spec = {
         query: 'option1, option2',
         skipUrlSync: false,
         allowCustomValue: true,
-        valuesFormat: 'csv',
       },
     },
     {

packages/grafana-schema/src/schema/dashboard/v2alpha1/types.spec.gen.ts

@@ -300,7 +300,7 @@ export interface FieldConfig {
 	description?: string;
 	// An explicit path to the field in the datasource.  When the frame meta includes a path,
 	// This will default to `${frame.meta.path}/${field.name}
-	//
+	// 
 	// When defined, this value can be used as an identifier within the datasource scope, and
 	// may be used to update the results
 	path?: string;
@@ -1353,7 +1353,6 @@ export interface CustomVariableSpec {
 	skipUrlSync: boolean;
 	description?: string;
 	allowCustomValue: boolean;
-  valuesFormat?: "csv" | "json";
 }
 
 export const defaultCustomVariableSpec = (): CustomVariableSpec => ({
@@ -1366,7 +1365,6 @@ export const defaultCustomVariableSpec = (): CustomVariableSpec => ({
 	hide: "dontHide",
 	skipUrlSync: false,
 	allowCustomValue: true,
-  valuesFormat: undefined,
 });
 
 // Group variable kind
@@ -1551,3 +1549,4 @@ export const defaultSpec = (): Spec => ({
 	title: "",
 	variables: [],
 });
+

packages/grafana-schema/src/schema/dashboard/v2beta1/types.spec.gen.ts

@@ -1359,7 +1359,6 @@ export interface CustomVariableSpec {
 	skipUrlSync: boolean;
 	description?: string;
 	allowCustomValue: boolean;
-	valuesFormat?: "csv" | "json";
 }
 
 export const defaultCustomVariableSpec = (): CustomVariableSpec => ({

packages/grafana-ui/src/components/RadialGauge/RadialArcPath.tsx

@@ -1,4 +1,4 @@
-import { useId, memo, HTMLAttributes, ReactNode, SVGProps } from 'react';
+import { useId, memo, HTMLAttributes, ReactNode } from 'react';
 
 import { FieldDisplay } from '@grafana/data';
 
@@ -50,13 +50,14 @@ export const RadialArcPath = memo(
   }: RadialArcPathProps) => {
     const id = useId();
 
-    const isGradient = 'gradient' in rest;
+    const bgDivStyle: HTMLAttributes<HTMLDivElement>['style'] = { width: '100%', height: '100%' };
+    if ('color' in rest) {
+      bgDivStyle.backgroundColor = rest.color;
+    } else {
+      bgDivStyle.backgroundImage = getGradientCss(rest.gradient, shape);
+    }
 
-    const { vizWidth, vizHeight, radius, centerX, centerY, barWidth } = dimensions;
-    const pad = Math.ceil(Math.max(2, barWidth / 2)); // pad to cover stroke caps and glow in Safari
-    const boxX = Math.round(centerX - radius - barWidth - pad);
-    const boxY = Math.round(centerY - radius - barWidth - pad);
-    const boxSize = Math.round((radius + barWidth) * 2 + pad * 2);
+    const { radius, centerX, centerY, barWidth } = dimensions;
 
     const path = drawRadialArcPath(angle, arcLengthDeg, dimensions, roundedBars);
 
@@ -71,14 +72,9 @@ export const RadialArcPath = memo(
     const dotRadius =
       endpointMarker === 'point' ? Math.min((barWidth / 2) * DOT_RADIUS_FACTOR, MAX_DOT_RADIUS) : barWidth / 2;
 
-    const bgDivStyle: HTMLAttributes<HTMLDivElement>['style'] = { width: boxSize, height: vizHeight, marginLeft: boxX };
-
-    const pathProps: SVGProps<SVGPathElement> = {};
     let barEndcapColors: [string, string] | undefined;
     let endpointMarks: ReactNode = null;
-    if (isGradient) {
-      bgDivStyle.backgroundImage = getGradientCss(rest.gradient, shape);
-
+    if ('gradient' in rest) {
       if (endpointMarker && (rest.gradient?.length ?? 0) > 0) {
         switch (endpointMarker) {
           case 'point':
@@ -119,39 +115,25 @@ export const RadialArcPath = memo(
       if (barEndcaps) {
         barEndcapColors = getBarEndcapColors(rest.gradient, fieldDisplay.display.percent);
       }
-
-      pathProps.fill = 'none';
-      pathProps.stroke = 'white';
-    } else {
-      bgDivStyle.backgroundColor = rest.color;
-
-      pathProps.fill = 'none';
-      pathProps.stroke = rest.color;
     }
 
-    const pathEl = (
-      <path d={path} strokeWidth={barWidth} strokeLinecap={roundedBars ? 'round' : 'butt'} {...pathProps} />
-    );
-
     return (
       <>
-        {isGradient && (
-          <defs>
-            <mask id={id} maskUnits="userSpaceOnUse" maskContentUnits="userSpaceOnUse">
-              <rect x={boxX} y={boxY} width={boxSize} height={boxSize} fill="black" />
-              {pathEl}
-            </mask>
-          </defs>
-        )}
+        {/* FIXME: optimize this by only using clippath + foreign obj for gradients */}
+        <clipPath id={id}>
+          <path d={path} />
+        </clipPath>
 
         <g filter={glowFilter}>
-          {isGradient ? (
-            <foreignObject x={0} y={0} width={vizWidth} height={vizHeight} mask={`url(#${id})`}>
-              <div style={bgDivStyle} />
-            </foreignObject>
-          ) : (
-            pathEl
-          )}
+          <foreignObject
+            x={centerX - radius - barWidth}
+            y={centerY - radius - barWidth}
+            width={(radius + barWidth) * 2}
+            height={(radius + barWidth) * 2}
+            clipPath={`url(#${id})`}
+          >
+            <div style={bgDivStyle} />
+          </foreignObject>
           {barEndcapColors?.[0] && <circle cx={xStart} cy={yStart} r={barWidth / 2} fill={barEndcapColors[0]} />}
           {barEndcapColors?.[1] && (
             <circle cx={xEnd} cy={yEnd} r={barWidth / 2} fill={barEndcapColors[1]} opacity={0.5} />

packages/grafana-ui/src/components/RadialGauge/RadialGauge.tsx

@@ -1,5 +1,5 @@
 import { css, cx } from '@emotion/css';
-import { useId, ReactNode } from 'react';
+import { useId } from 'react';
 
 import { DisplayValueAlignmentFactors, FALLBACK_COLOR, FieldDisplay, GrafanaTheme2, TimeRange } from '@grafana/data';
 import { selectors } from '@grafana/e2e-selectors';
@@ -107,14 +107,14 @@ export function RadialGauge(props: RadialGaugeProps) {
   const startAngle = shape === 'gauge' ? 250 : 0;
   const endAngle = shape === 'gauge' ? 110 : 360;
 
-  const defs: ReactNode[] = [];
-  const graphics: ReactNode[] = [];
-  let sparklineElement: ReactNode | null = null;
+  const defs: React.ReactNode[] = [];
+  const graphics: React.ReactNode[] = [];
+  let sparklineElement: React.ReactNode | null = null;
 
   for (let barIndex = 0; barIndex < values.length; barIndex++) {
     const displayValue = values[barIndex];
     const { angle, angleRange } = getValueAngleForValue(displayValue, startAngle, endAngle);
-    const gradientStops = gradient ? buildGradientColors(theme, displayValue) : undefined;
+    const gradientStops = buildGradientColors(gradient, theme, displayValue);
     const color = displayValue.display.color ?? FALLBACK_COLOR;
     const dimensions = calculateDimensions(
       width,
@@ -131,9 +131,7 @@ export function RadialGauge(props: RadialGaugeProps) {
     // FIXME: I want to move the ids for these filters into a context which the children
     // can reference via a hook, rather than passing them down as props
     const spotlightGradientId = `spotlight-${barIndex}-${gaugeId}`;
-    const spotlightGradientRef = endpointMarker === 'glow' ? `url(#${spotlightGradientId})` : undefined;
     const glowFilterId = `glow-${gaugeId}`;
-    const glowFilterRef = glowBar ? `url(#${glowFilterId})` : undefined;
 
     if (endpointMarker === 'glow') {
       defs.push(
@@ -156,7 +154,7 @@ export function RadialGauge(props: RadialGaugeProps) {
           fieldDisplay={displayValue}
           angleRange={angleRange}
           startAngle={startAngle}
-          glowFilter={glowFilterRef}
+          glowFilter={`url(#${glowFilterId})`}
           segmentCount={segmentCount}
           segmentSpacing={segmentSpacing}
           shape={shape}
@@ -172,8 +170,8 @@ export function RadialGauge(props: RadialGaugeProps) {
           angleRange={angleRange}
           startAngle={startAngle}
           roundedBars={roundedBars}
-          glowFilter={glowFilterRef}
-          endpointMarkerGlowFilter={spotlightGradientRef}
+          glowFilter={`url(#${glowFilterId})`}
+          endpointMarkerGlowFilter={`url(#${spotlightGradientId})`}
           shape={shape}
           gradient={gradientStops}
           fieldDisplay={displayValue}
@@ -185,7 +183,7 @@ export function RadialGauge(props: RadialGaugeProps) {
     // These elements are only added for first value / bar
     if (barIndex === 0) {
       if (glowBar) {
-        defs.push(<GlowGradient key={glowFilterId} id={glowFilterId} barWidth={dimensions.barWidth} />);
+        defs.push(<GlowGradient key="glow-filter" id={glowFilterId} barWidth={dimensions.barWidth} />);
       }
 
       if (glowCenter) {
@@ -236,7 +234,7 @@ export function RadialGauge(props: RadialGaugeProps) {
               endAngle={endAngle}
               angleRange={angleRange}
               roundedBars={roundedBars}
-              glowFilter={glowFilterRef}
+              glowFilter={`url(#${glowFilterId})`}
               shape={shape}
               gradient={gradientStops}
             />
@@ -262,7 +260,7 @@ export function RadialGauge(props: RadialGaugeProps) {
   const body = (
     <>
       <svg width={width} height={height} role="img" aria-label={t('gauge.category-gauge', 'Gauge')}>
-        {defs.length > 0 && <defs>{defs}</defs>}
+        <defs>{defs}</defs>
         {graphics}
       </svg>
       {sparklineElement}

packages/grafana-ui/src/components/RadialGauge/RadialText.tsx

@@ -1,3 +1,4 @@
+import { css } from '@emotion/css';
 import { memo } from 'react';
 
 import {
@@ -8,6 +9,7 @@ import {
   GrafanaTheme2,
 } from '@grafana/data';
 
+import { useStyles2 } from '../../themes/ThemeContext';
 import { calculateFontSize } from '../../utils/measureText';
 
 import { RadialShape, RadialTextMode, RadialGaugeDimensions } from './types';
@@ -48,6 +50,7 @@ export const RadialText = memo(
     valueManualFontSize,
     nameManualFontSize,
   }: RadialTextProps) => {
+    const styles = useStyles2(getStyles);
     const { centerX, centerY, radius, barWidth } = dimensions;
 
     if (textMode === 'none') {
@@ -103,9 +106,10 @@ export const RadialText = memo(
     const valueY = showName ? centerY - nameHeight * (1 - VALUE_SPACE_PERCENTAGE) : centerY;
     const nameY = showValue ? valueY + valueHeight * VALUE_SPACE_PERCENTAGE : centerY;
     const nameColor = showValue ? theme.colors.text.secondary : theme.colors.text.primary;
+    const suffixShift = (valueFontSize - unitFontSize * LINE_HEIGHT_FACTOR) / 2;
 
     // adjust the text up on gauges and when sparklines are present
-    let yOffset = valueFontSize / 4;
+    let yOffset = 0;
     if (shape === 'gauge') {
       // we render from the center of the gauge, so move up by half of half of the total height
       yOffset -= (valueHeight + nameHeight) / 4;
@@ -122,12 +126,15 @@ export const RadialText = memo(
             y={valueY}
             fontSize={valueFontSize}
             fill={theme.colors.text.primary}
+            className={styles.text}
             textAnchor="middle"
-            dominantBaseline="text-bottom"
+            dominantBaseline="middle"
           >
             <tspan fontSize={unitFontSize}>{displayValue.prefix ?? ''}</tspan>
             <tspan>{displayValue.text}</tspan>
-            <tspan fontSize={unitFontSize}>{displayValue.suffix ?? ''}</tspan>
+            <tspan className={styles.text} fontSize={unitFontSize} dy={suffixShift}>
+              {displayValue.suffix ?? ''}
+            </tspan>
           </text>
         )}
         {showName && (
@@ -136,7 +143,7 @@ export const RadialText = memo(
             x={centerX}
             y={nameY}
             textAnchor="middle"
-            dominantBaseline="text-bottom"
+            dominantBaseline="middle"
             fill={nameColor}
           >
             {displayValue.title}
@@ -148,3 +155,9 @@ export const RadialText = memo(
 );
 
 RadialText.displayName = 'RadialText';
+
+const getStyles = (_theme: GrafanaTheme2) => ({
+  text: css({
+    verticalAlign: 'bottom',
+  }),
+});

packages/grafana-ui/src/components/RadialGauge/__snapshots__/utils.test.ts.snap

@@ -1,17 +1,17 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`RadialGauge utils drawRadialArcPath should draw correct path for center x and y 1`] = `"M 150 120 A 80 80 0 1 1 149.98603736605492 120.00000121846968"`;
+exports[`RadialGauge utils drawRadialArcPath should draw correct path for center x and y 1`] = `"M 150 110 A 90 90 0 1 1 149.98429203681178 110.00000137077838 A 10 10 0 0 1 149.98778269529805 130.00000106616096 A 70 70 0 1 0 150 130 A 10 10 0 0 1 150 110 Z"`;
 
-exports[`RadialGauge utils drawRadialArcPath should draw correct path for half arc 1`] = `"M 100 20 A 80 80 0 0 1 100 180"`;
+exports[`RadialGauge utils drawRadialArcPath should draw correct path for half arc 1`] = `"M 100 10 A 90 90 0 0 1 100 190 L 100 170 A 70 70 0 0 0 100 30 L 100 10 Z"`;
 
-exports[`RadialGauge utils drawRadialArcPath should draw correct path for narrow bar width 1`] = `"M 100 20 A 80 80 0 0 1 100 180"`;
+exports[`RadialGauge utils drawRadialArcPath should draw correct path for narrow bar width 1`] = `"M 100 17.5 A 82.5 82.5 0 0 1 100 182.5 L 100 177.5 A 77.5 77.5 0 0 0 100 22.5 L 100 17.5 Z"`;
 
-exports[`RadialGauge utils drawRadialArcPath should draw correct path for narrow radius 1`] = `"M 100 50 A 50 50 0 0 1 100 150"`;
+exports[`RadialGauge utils drawRadialArcPath should draw correct path for narrow radius 1`] = `"M 100 40 A 60 60 0 0 1 100 160 L 100 140 A 40 40 0 0 0 100 60 L 100 40 Z"`;
 
-exports[`RadialGauge utils drawRadialArcPath should draw correct path for quarter arc 1`] = `"M 100 20 A 80 80 0 0 1 180 100"`;
+exports[`RadialGauge utils drawRadialArcPath should draw correct path for quarter arc 1`] = `"M 100 10 A 90 90 0 0 1 190 100 L 170 100 A 70 70 0 0 0 100 30 L 100 10 Z"`;
 
-exports[`RadialGauge utils drawRadialArcPath should draw correct path for rounded bars 1`] = `"M 100 20 A 80 80 0 1 1 20 100.00000000000001"`;
+exports[`RadialGauge utils drawRadialArcPath should draw correct path for rounded bars 1`] = `"M 100 10 A 90 90 0 1 1 10 100.00000000000001 A 10 10 0 0 1 30 100.00000000000001 A 70 70 0 1 0 100 30 A 10 10 0 0 1 100 10 Z"`;
 
-exports[`RadialGauge utils drawRadialArcPath should draw correct path for three quarter arc 1`] = `"M 100 20 A 80 80 0 1 1 20 100.00000000000001"`;
+exports[`RadialGauge utils drawRadialArcPath should draw correct path for three quarter arc 1`] = `"M 100 10 A 90 90 0 1 1 10 100.00000000000001 L 30 100.00000000000001 A 70 70 0 1 0 100 30 L 100 10 Z"`;
 
-exports[`RadialGauge utils drawRadialArcPath should draw correct path for wide bar width 1`] = `"M 100 20 A 80 80 0 0 1 100 180"`;
+exports[`RadialGauge utils drawRadialArcPath should draw correct path for wide bar width 1`] = `"M 100 -5 A 105 105 0 0 1 100 205 L 100 155 A 55 55 0 0 0 100 45 L 100 -5 Z"`;

packages/grafana-ui/src/components/RadialGauge/colors.test.ts

@@ -1,6 +1,6 @@
 import { defaultsDeep } from 'lodash';
 
-import { createTheme, Field, FieldDisplay, FieldType, ThresholdsMode } from '@grafana/data';
+import { createTheme, FALLBACK_COLOR, Field, FieldDisplay, FieldType, ThresholdsMode } from '@grafana/data';
 import { FieldColorModeId } from '@grafana/schema';
 
 import {
@@ -50,9 +50,35 @@ describe('RadialGauge color utils', () => {
         },
       });
 
+    it('should return the baseColor if gradient is false-y', () => {
+      expect(
+        buildGradientColors(false, createTheme(), buildFieldDisplay(createField(FieldColorModeId.Fixed)), '#FF0000')
+      ).toEqual([
+        { color: '#FF0000', percent: 0 },
+        { color: '#FF0000', percent: 1 },
+      ]);
+
+      expect(
+        buildGradientColors(undefined, createTheme(), buildFieldDisplay(createField(FieldColorModeId.Fixed)), '#FF0000')
+      ).toEqual([
+        { color: '#FF0000', percent: 0 },
+        { color: '#FF0000', percent: 1 },
+      ]);
+    });
+
+    it('uses the fallback color if no baseColor is set', () => {
+      expect(buildGradientColors(false, createTheme(), buildFieldDisplay(createField(FieldColorModeId.Fixed)))).toEqual(
+        [
+          { color: FALLBACK_COLOR, percent: 0 },
+          { color: FALLBACK_COLOR, percent: 1 },
+        ]
+      );
+    });
+
     it('should map threshold colors correctly (with baseColor if displayProcessor does not return colors)', () => {
       expect(
         buildGradientColors(
+          true,
           createTheme(),
           buildFieldDisplay(createField(FieldColorModeId.Thresholds), {
             view: { getFieldDisplayProcessor: jest.fn(() => jest.fn(() => ({ color: '#444444' }))) },
@@ -63,13 +89,14 @@ describe('RadialGauge color utils', () => {
 
     it('should map threshold colors correctly (with baseColor if displayProcessor does not return colors)', () => {
       expect(
-        buildGradientColors(createTheme(), buildFieldDisplay(createField(FieldColorModeId.Thresholds)), '#FF0000')
+        buildGradientColors(true, createTheme(), buildFieldDisplay(createField(FieldColorModeId.Thresholds)), '#FF0000')
       ).toMatchSnapshot();
     });
 
     it('should return gradient colors for continuous color modes', () => {
       expect(
         buildGradientColors(
+          true,
           createTheme(),
           buildFieldDisplay(createField(FieldColorModeId.ContinuousCividis)),
           '#00FF00'
@@ -80,6 +107,7 @@ describe('RadialGauge color utils', () => {
     it.each(['dark', 'light'] as const)('should return gradient colors for by-value color mode in %s theme', (mode) => {
       expect(
         buildGradientColors(
+          true,
           createTheme({ colors: { mode } }),
           buildFieldDisplay(createField(FieldColorModeId.ContinuousBlues))
         )
@@ -89,6 +117,7 @@ describe('RadialGauge color utils', () => {
     it.each(['dark', 'light'] as const)('should return gradient colors for fixed color mode in %s theme', (mode) => {
       expect(
         buildGradientColors(
+          true,
           createTheme({ colors: { mode } }),
           buildFieldDisplay(createField(FieldColorModeId.Fixed)),
           '#442299'

packages/grafana-ui/src/components/RadialGauge/colors.ts

@@ -7,10 +7,18 @@ import { GradientStop, RadialShape } from './types';
 import { getFieldConfigMinMax, getFieldDisplayProcessor, getValuePercentageForValue } from './utils';
 
 export function buildGradientColors(
+  gradient = false,
   theme: GrafanaTheme2,
   fieldDisplay: FieldDisplay,
   baseColor = fieldDisplay.display.color ?? FALLBACK_COLOR
 ): GradientStop[] {
+  if (!gradient) {
+    return [
+      { color: baseColor, percent: 0 },
+      { color: baseColor, percent: 1 },
+    ];
+  }
+
   const colorMode = getFieldColorMode(fieldDisplay.field.color?.mode);
 
   // thresholds get special handling

packages/grafana-ui/src/components/RadialGauge/effects.tsx

@@ -2,20 +2,14 @@ import { colorManipulator, GrafanaTheme2 } from '@grafana/data';
 
 import { RadialGaugeDimensions } from './types';
 
-// some utility transparent white colors for gradients
-const TRANSPARENT_WHITE = '#ffffff00';
-const MOSTLY_TRANSPARENT_WHITE = '#ffffff88';
-const MOSTLY_OPAQUE_WHITE = '#ffffffbb';
-const OPAQUE_WHITE = '#ffffff';
-
-const MIN_GLOW_SIZE = 0.75;
-const GLOW_FACTOR = 0.08;
-
 export interface GlowGradientProps {
   id: string;
   barWidth: number;
 }
 
+const MIN_GLOW_SIZE = 0.75;
+const GLOW_FACTOR = 0.08;
+
 export function GlowGradient({ id, barWidth }: GlowGradientProps) {
   // 0.75 is the minimum glow size, and it scales with bar width
   const glowSize = MIN_GLOW_SIZE + barWidth * GLOW_FACTOR;
@@ -33,6 +27,16 @@ export function GlowGradient({ id, barWidth }: GlowGradientProps) {
 
 const CENTER_GLOW_OPACITY = 0.25;
 
+export function CenterGlowGradient({ gaugeId, color }: { gaugeId: string; color: string }) {
+  const transparentColor = colorManipulator.alpha(color, CENTER_GLOW_OPACITY);
+  return (
+    <radialGradient id={`circle-glow-${gaugeId}`} r="50%" fr="0%">
+      <stop offset="0%" stopColor={transparentColor} />
+      <stop offset="90%" stopColor={'#ffffff00'} />
+    </radialGradient>
+  );
+}
+
 export interface CenterGlowProps {
   dimensions: RadialGaugeDimensions;
   gaugeId: string;
@@ -48,7 +52,7 @@ export function MiddleCircleGlow({ dimensions, gaugeId, color }: CenterGlowProps
       <defs>
         <radialGradient id={gradientId} r="50%" fr="0%">
           <stop offset="0%" stopColor={transparentColor} />
-          <stop offset="90%" stopColor={TRANSPARENT_WHITE} />
+          <stop offset="90%" stopColor="#ffffff00" />
         </radialGradient>
       </defs>
       <g>
@@ -58,15 +62,19 @@ export function MiddleCircleGlow({ dimensions, gaugeId, color }: CenterGlowProps
   );
 }
 
-interface SpotlightGradientProps {
+export function SpotlightGradient({
+  id,
+  dimensions,
+  roundedBars,
+  angle,
+  theme,
+}: {
   id: string;
   dimensions: RadialGaugeDimensions;
   angle: number;
   roundedBars: boolean;
   theme: GrafanaTheme2;
-}
-
-export function SpotlightGradient({ id, dimensions, roundedBars, angle, theme }: SpotlightGradientProps) {
+}) {
   if (theme.isLight) {
     return null;
   }
@@ -80,9 +88,9 @@ export function SpotlightGradient({ id, dimensions, roundedBars, angle, theme }:
 
   return (
     <linearGradient x1={x1} y1={y1} x2={x2} y2={y2} id={id} gradientUnits="userSpaceOnUse">
-      <stop offset="0%" stopColor={TRANSPARENT_WHITE} />
-      <stop offset="95%" stopColor={MOSTLY_TRANSPARENT_WHITE} />
-      {roundedBars && <stop offset="100%" stopColor={roundedBars ? MOSTLY_OPAQUE_WHITE : OPAQUE_WHITE} />}
+      <stop offset="0%" stopColor="#ffffff00" />
+      <stop offset="95%" stopColor="#ffffff88" />
+      {roundedBars && <stop offset="100%" stopColor={roundedBars ? '#ffffffbb' : 'white'} />}
     </linearGradient>
   );
 }

packages/grafana-ui/src/components/RadialGauge/types.ts

@@ -2,8 +2,6 @@ export type RadialTextMode = 'auto' | 'value_and_name' | 'value' | 'name' | 'non
 export type RadialShape = 'circle' | 'gauge';
 
 export interface RadialGaugeDimensions {
-  vizHeight: number;
-  vizWidth: number;
   margin: number;
   radius: number;
   centerX: number;

packages/grafana-ui/src/components/RadialGauge/utils.test.ts

@@ -283,9 +283,7 @@ describe('RadialGauge utils', () => {
   });
 
   describe('drawRadialArcPath', () => {
-    const defaultDims = Object.freeze({
-      vizHeight: 220,
-      vizWidth: 220,
+    const defaultDims: RadialGaugeDimensions = Object.freeze({
       centerX: 100,
       centerY: 100,
       radius: 80,
@@ -299,7 +297,7 @@ describe('RadialGauge utils', () => {
       scaleLabelsSpacing: 0,
       scaleLabelsRadius: 0,
       gaugeBottomY: 0,
-    }) satisfies RadialGaugeDimensions;
+    });
 
     it.each([
       { description: 'quarter arc', startAngle: 0, endAngle: 90 },
@@ -326,6 +324,11 @@ describe('RadialGauge utils', () => {
         expect(drawRadialArcPath(0, 360, defaultDims)).toEqual(drawRadialArcPath(0, 359.99, defaultDims));
         expect(drawRadialArcPath(0, 380, defaultDims)).toEqual(drawRadialArcPath(0, 380, defaultDims));
       });
+
+      it('should return empty string if inner radius collapses to zero or below', () => {
+        const smallRadiusDims = { ...defaultDims, radius: 5, barWidth: 20 };
+        expect(drawRadialArcPath(0, 180, smallRadiusDims)).toBe('');
+      });
     });
   });
 
@@ -338,9 +341,7 @@ describe('RadialGauge utils', () => {
 
   describe('getOptimalSegmentCount', () => {
     it('should adjust segment count based on dimensions and spacing', () => {
-      const dimensions = {
-        vizHeight: 220,
-        vizWidth: 220,
+      const dimensions: RadialGaugeDimensions = {
         centerX: 100,
         centerY: 100,
         radius: 80,
@@ -354,7 +355,7 @@ describe('RadialGauge utils', () => {
         scaleLabelsSpacing: 0,
         scaleLabelsRadius: 0,
         gaugeBottomY: 0,
-      } satisfies RadialGaugeDimensions;
+      };
 
       expect(getOptimalSegmentCount(dimensions, 2, 10, 360)).toBe(8);
       expect(getOptimalSegmentCount(dimensions, 1, 5, 360)).toBe(5);

packages/grafana-ui/src/components/RadialGauge/utils.ts

@@ -155,8 +155,6 @@ export function calculateDimensions(
   }
 
   return {
-    vizWidth: width,
-    vizHeight: height,
     margin,
     gaugeBottomY: centerY + belowCenterY,
     radius: innerRadius,
@@ -187,7 +185,7 @@ export function drawRadialArcPath(
   dimensions: RadialGaugeDimensions,
   roundedBars?: boolean
 ): string {
-  const { radius, centerX, centerY } = dimensions;
+  const { radius, centerX, centerY, barWidth } = dimensions;
 
   // For some reason a 100% full arc cannot be rendered
   if (endAngle >= 360) {
@@ -199,12 +197,66 @@ export function drawRadialArcPath(
 
   const largeArc = endAngle > 180 ? 1 : 0;
 
-  let x1 = centerX + radius * Math.cos(startRadians);
-  let y1 = centerY + radius * Math.sin(startRadians);
-  let x2 = centerX + radius * Math.cos(endRadians);
-  let y2 = centerY + radius * Math.sin(endRadians);
+  const outerR = radius + barWidth / 2;
+  const innerR = Math.max(0, radius - barWidth / 2);
+  if (innerR <= 0) {
+    return ''; // cannot draw arc with 0 inner radius
+  }
 
-  return ['M', x1, y1, 'A', radius, radius, 0, largeArc, 1, x2, y2].join(' ');
+  // get points for both an inner and outer arc. we draw
+  // the arc entirely with a path's fill instead of using stroke
+  // so that it can be used as a clip-path.
+  const ox1 = centerX + outerR * Math.cos(startRadians);
+  const oy1 = centerY + outerR * Math.sin(startRadians);
+  const ox2 = centerX + outerR * Math.cos(endRadians);
+  const oy2 = centerY + outerR * Math.sin(endRadians);
+
+  const ix1 = centerX + innerR * Math.cos(startRadians);
+  const iy1 = centerY + innerR * Math.sin(startRadians);
+  const ix2 = centerX + innerR * Math.cos(endRadians);
+  const iy2 = centerY + innerR * Math.sin(endRadians);
+
+  // calculate the cap width in case we're drawing rounded bars
+  const capR = barWidth / 2;
+
+  const pathParts = [
+    // start at outer start
+    'M',
+    ox1,
+    oy1,
+    // outer arc from start to end (clockwise)
+    'A',
+    outerR,
+    outerR,
+    0,
+    largeArc,
+    1,
+    ox2,
+    oy2,
+  ];
+
+  if (roundedBars) {
+    // rounded end cap: small arc connecting outer end to inner end
+    pathParts.push('A', capR, capR, 0, 0, 1, ix2, iy2);
+  } else {
+    // straight line to inner end (square butt)
+    pathParts.push('L', ix2, iy2);
+  }
+
+  // inner arc from end back to start (counter-clockwise)
+  pathParts.push('A', innerR, innerR, 0, largeArc, 0, ix1, iy1);
+
+  if (roundedBars) {
+    // rounded start cap: small arc connecting inner start back to outer start
+    pathParts.push('A', capR, capR, 0, 0, 1, ox1, oy1);
+  } else {
+    // straight line back to outer start (square butt)
+    pathParts.push('L', ox1, oy1);
+  }
+
+  pathParts.push('Z');
+
+  return pathParts.join(' ');
 }
 
 export function getAngleBetweenSegments(segmentSpacing: number, segmentCount: number, range: number) {

packages/grafana-ui/src/components/Table/TableNG/utils.ts

@@ -1108,18 +1108,12 @@ export function parseStyleJson(rawValue: unknown): CSSProperties | void {
   }
 }
 
-// Safari 26.0 introduced rendering bugs which require us to disable several features of the table.
-// The bugs were later fixed in Safari 26.2.
+// Safari 26 introduced rendering bugs which require us to disable several features of the table.
 export const IS_SAFARI_26 = (() => {
   if (navigator == null) {
     return false;
   }
   const userAgent = navigator.userAgent;
-  const safariVersionMatch = userAgent.match(/Version\/(\d+)\.(\d+)/);
-  if (!safariVersionMatch) {
-    return false;
-  }
-  const majorVersion = +safariVersionMatch[1];
-  const minorVersion = +safariVersionMatch[2];
-  return majorVersion === 26 && minorVersion <= 1;
+  const safariVersionMatch = userAgent.match(/Version\/(\d+)\./);
+  return safariVersionMatch && parseInt(safariVersionMatch[1], 10) === 26;
 })();

packages/grafana-ui/src/components/UsersIndicator/UserIcon.mdx

@@ -66,6 +66,6 @@ export interface UserView {
     avatarUrl?: string;
   };
   /** Datetime string when the user was last active */
-  lastActiveAt?: DateTimeInput;
+  lastActiveAt: DateTimeInput;
 }
 ```

packages/grafana-ui/src/components/UsersIndicator/UserIcon.tsx

@@ -10,7 +10,7 @@ import { Tooltip } from '../Tooltip/Tooltip';
 import { UserView } from './types';
 
 export interface UserIconProps {
-  /** An object that contains the user's details and an optional 'lastActiveAt' status */
+  /** An object that contains the user's details and 'lastActiveAt' status */
   userView: UserView;
   /** A boolean value that determines whether the tooltip should be shown or not */
   showTooltip?: boolean;
@@ -64,8 +64,7 @@ export const UserIcon = ({
   showTooltip = true,
 }: PropsWithChildren<UserIconProps>) => {
   const { user, lastActiveAt } = userView;
-  const hasActive = lastActiveAt !== undefined && lastActiveAt !== null;
-  const isActive = hasActive && dateTime(lastActiveAt).diff(dateTime(), 'minutes', true) >= -15;
+  const isActive = dateTime(lastActiveAt).diff(dateTime(), 'minutes', true) >= -15;
   const theme = useTheme2();
   const styles = useMemo(() => getStyles(theme, isActive), [theme, isActive]);
   const content = (
@@ -89,20 +88,18 @@ export const UserIcon = ({
     const tooltip = (
       <div className={styles.tooltipContainer}>
         <div className={styles.tooltipName}>{user.name}</div>
-        {hasActive && (
-          <div className={styles.tooltipDate}>
-            {isActive ? (
-              <div className={styles.dotContainer}>
-                <span>
-                  <Trans i18nKey="grafana-ui.user-icon.active-text">Active last 15m</Trans>
-                </span>
-                <span className={styles.dot}></span>
-              </div>
-            ) : (
-              formatViewed(lastActiveAt)
-            )}
-          </div>
-        )}
+        <div className={styles.tooltipDate}>
+          {isActive ? (
+            <div className={styles.dotContainer}>
+              <span>
+                <Trans i18nKey="grafana-ui.user-icon.active-text">Active last 15m</Trans>
+              </span>
+              <span className={styles.dot}></span>
+            </div>
+          ) : (
+            formatViewed(lastActiveAt)
+          )}
+        </div>
       </div>
     );
 

packages/grafana-ui/src/components/UsersIndicator/UsersIndicator.mdx

@@ -60,6 +60,6 @@ export interface UserView {
     avatarUrl?: string;
   };
   /** Datetime string when the user was last active */
-  lastActiveAt?: DateTimeInput;
+  lastActiveAt: DateTimeInput;
 }
 ```

packages/grafana-ui/src/components/UsersIndicator/UsersIndicator.tsx

@@ -9,7 +9,7 @@ import { UserIcon } from './UserIcon';
 import { UserView } from './types';
 
 export interface UsersIndicatorProps {
-  /** An object that contains the user's details and an optional 'lastActiveAt' status */
+  /** An object that contains the user's details and 'lastActiveAt' status */
   users: UserView[];
   /** A limit of how many user icons to show before collapsing them and showing a number of users instead */
   limit?: number;
@@ -40,7 +40,7 @@ export const UsersIndicator = ({ users, onClick, limit = 4 }: UsersIndicatorProp
       aria-label={t('grafana-ui.users-indicator.container-label', 'Users indicator container')}
     >
       {limitReached && (
-        <UserIcon onClick={onClick} userView={{ user: { name: 'Extra users' } }} showTooltip={false}>
+        <UserIcon onClick={onClick} userView={{ user: { name: 'Extra users' }, lastActiveAt: '' }} showTooltip={false}>
           {tooManyUsers
             ? // eslint-disable-next-line @grafana/i18n/no-untranslated-strings
               '...'

packages/grafana-ui/src/components/UsersIndicator/types.ts

@@ -8,5 +8,5 @@ export interface UserView {
     avatarUrl?: string;
   };
   /** Datetime string when the user was last active */
-  lastActiveAt?: DateTimeInput;
+  lastActiveAt: DateTimeInput;
 }

packages/grafana-ui/src/components/VizLegend/VizLegendTable.test.tsx

@@ -0,0 +1,78 @@
+import { render, screen } from '@testing-library/react';
+
+import { VizLegendTable } from './VizLegendTable';
+import { VizLegendItem } from './types';
+
+describe('VizLegendTable', () => {
+  const mockItems: VizLegendItem[] = [
+    { label: 'Series 1', color: 'red', yAxis: 1 },
+    { label: 'Series 2', color: 'blue', yAxis: 1 },
+    { label: 'Series 3', color: 'green', yAxis: 1 },
+  ];
+
+  it('renders without crashing', () => {
+    const { container } = render(<VizLegendTable items={mockItems} placement="bottom" />);
+    expect(container.querySelector('table')).toBeInTheDocument();
+  });
+
+  it('renders all items', () => {
+    render(<VizLegendTable items={mockItems} placement="bottom" />);
+    expect(screen.getByText('Series 1')).toBeInTheDocument();
+    expect(screen.getByText('Series 2')).toBeInTheDocument();
+    expect(screen.getByText('Series 3')).toBeInTheDocument();
+  });
+
+  it('renders table headers when items have display values', () => {
+    const itemsWithStats: VizLegendItem[] = [
+      {
+        label: 'Series 1',
+        color: 'red',
+        yAxis: 1,
+        getDisplayValues: () => [
+          { numeric: 100, text: '100', title: 'Max' },
+          { numeric: 50, text: '50', title: 'Min' },
+        ],
+      },
+    ];
+    render(<VizLegendTable items={itemsWithStats} placement="bottom" />);
+    expect(screen.getByText('Max')).toBeInTheDocument();
+    expect(screen.getByText('Min')).toBeInTheDocument();
+  });
+
+  it('renders sort icon when sorted', () => {
+    const { container } = render(
+      <VizLegendTable items={mockItems} placement="bottom" sortBy="Name" sortDesc={false} />
+    );
+    expect(container.querySelector('svg')).toBeInTheDocument();
+  });
+
+  it('calls onToggleSort when header is clicked', () => {
+    const onToggleSort = jest.fn();
+    render(<VizLegendTable items={mockItems} placement="bottom" onToggleSort={onToggleSort} isSortable={true} />);
+    const header = screen.getByText('Name');
+    header.click();
+    expect(onToggleSort).toHaveBeenCalledWith('Name');
+  });
+
+  it('does not call onToggleSort when not sortable', () => {
+    const onToggleSort = jest.fn();
+    render(<VizLegendTable items={mockItems} placement="bottom" onToggleSort={onToggleSort} isSortable={false} />);
+    const header = screen.getByText('Name');
+    header.click();
+    expect(onToggleSort).not.toHaveBeenCalled();
+  });
+
+  it('renders with long labels', () => {
+    const itemsWithLongLabels: VizLegendItem[] = [
+      {
+        label: 'This is a very long series name that should be scrollable within its table cell',
+        color: 'red',
+        yAxis: 1,
+      },
+    ];
+    render(<VizLegendTable items={itemsWithLongLabels} placement="bottom" />);
+    expect(
+      screen.getByText('This is a very long series name that should be scrollable within its table cell')
+    ).toBeInTheDocument();
+  });
+});

packages/grafana-ui/src/components/VizLegend/VizLegendTable.tsx

@@ -119,7 +119,6 @@ const getStyles = (theme: GrafanaTheme2) => ({
   table: css({
     width: '100%',
     'th:first-child': {
-      width: '100%',
       borderBottom: `1px solid ${theme.colors.border.weak}`,
     },
   }),

packages/grafana-ui/src/components/VizLegend/VizLegendTableItem.test.tsx

@@ -0,0 +1,112 @@
+import { render, screen } from '@testing-library/react';
+
+import { LegendTableItem } from './VizLegendTableItem';
+import { VizLegendItem } from './types';
+
+describe('LegendTableItem', () => {
+  const mockItem: VizLegendItem = {
+    label: 'Series 1',
+    color: 'red',
+    yAxis: 1,
+  };
+
+  it('renders without crashing', () => {
+    const { container } = render(
+      <table>
+        <tbody>
+          <LegendTableItem item={mockItem} />
+        </tbody>
+      </table>
+    );
+    expect(container.querySelector('tr')).toBeInTheDocument();
+  });
+
+  it('renders label text', () => {
+    render(
+      <table>
+        <tbody>
+          <LegendTableItem item={mockItem} />
+        </tbody>
+      </table>
+    );
+    expect(screen.getByText('Series 1')).toBeInTheDocument();
+  });
+
+  it('renders with long label text', () => {
+    const longLabelItem: VizLegendItem = {
+      ...mockItem,
+      label: 'This is a very long series name that should be scrollable in the table cell',
+    };
+    render(
+      <table>
+        <tbody>
+          <LegendTableItem item={longLabelItem} />
+        </tbody>
+      </table>
+    );
+    expect(
+      screen.getByText('This is a very long series name that should be scrollable in the table cell')
+    ).toBeInTheDocument();
+  });
+
+  it('renders stat values when provided', () => {
+    const itemWithStats: VizLegendItem = {
+      ...mockItem,
+      getDisplayValues: () => [
+        { numeric: 100, text: '100', title: 'Max' },
+        { numeric: 50, text: '50', title: 'Min' },
+      ],
+    };
+    render(
+      <table>
+        <tbody>
+          <LegendTableItem item={itemWithStats} />
+        </tbody>
+      </table>
+    );
+    expect(screen.getByText('100')).toBeInTheDocument();
+    expect(screen.getByText('50')).toBeInTheDocument();
+  });
+
+  it('renders right y-axis indicator when yAxis is 2', () => {
+    const rightAxisItem: VizLegendItem = {
+      ...mockItem,
+      yAxis: 2,
+    };
+    render(
+      <table>
+        <tbody>
+          <LegendTableItem item={rightAxisItem} />
+        </tbody>
+      </table>
+    );
+    expect(screen.getByText('(right y-axis)')).toBeInTheDocument();
+  });
+
+  it('calls onLabelClick when label is clicked', () => {
+    const onLabelClick = jest.fn();
+    render(
+      <table>
+        <tbody>
+          <LegendTableItem item={mockItem} onLabelClick={onLabelClick} />
+        </tbody>
+      </table>
+    );
+    const button = screen.getByRole('button');
+    button.click();
+    expect(onLabelClick).toHaveBeenCalledWith(mockItem, expect.any(Object));
+  });
+
+  it('does not call onClick when readonly', () => {
+    const onLabelClick = jest.fn();
+    render(
+      <table>
+        <tbody>
+          <LegendTableItem item={mockItem} onLabelClick={onLabelClick} readonly={true} />
+        </tbody>
+      </table>
+    );
+    const button = screen.getByRole('button');
+    expect(button).toBeDisabled();
+  });
+});

packages/grafana-ui/src/components/VizLegend/VizLegendTableItem.tsx

@@ -69,7 +69,7 @@ export const LegendTableItem = ({
 
   return (
     <tr className={cx(styles.row, className)}>
-      <td>
+      <td className={styles.labelCell}>
         <span className={styles.itemWrapper}>
           <VizLegendSeriesIcon
             color={item.color}
@@ -77,24 +77,26 @@ export const LegendTableItem = ({
             readonly={readonly}
             lineStyle={item.lineStyle}
           />
-          <button
-            disabled={readonly}
-            type="button"
-            title={item.label}
-            onBlur={onMouseOut}
-            onFocus={onMouseOver}
-            onMouseOver={onMouseOver}
-            onMouseOut={onMouseOut}
-            onClick={!readonly ? onClick : undefined}
-            className={cx(styles.label, item.disabled && styles.labelDisabled)}
-          >
-            {item.label}{' '}
-            {item.yAxis === 2 && (
-              <span className={styles.yAxisLabel}>
-                <Trans i18nKey="grafana-ui.viz-legend.right-axis-indicator">(right y-axis)</Trans>
-              </span>
-            )}
-          </button>
+          <div className={styles.labelCellInner}>
+            <button
+              disabled={readonly}
+              type="button"
+              title={item.label}
+              onBlur={onMouseOut}
+              onFocus={onMouseOver}
+              onMouseOver={onMouseOver}
+              onMouseOut={onMouseOut}
+              onClick={!readonly ? onClick : undefined}
+              className={cx(styles.label, item.disabled && styles.labelDisabled)}
+            >
+              {item.label}{' '}
+              {item.yAxis === 2 && (
+                <span className={styles.yAxisLabel}>
+                  <Trans i18nKey="grafana-ui.viz-legend.right-axis-indicator">(right y-axis)</Trans>
+                </span>
+              )}
+            </button>
+          </div>
         </span>
       </td>
       {item.getDisplayValues &&
@@ -128,6 +130,27 @@ const getStyles = (theme: GrafanaTheme2) => {
         background: rowHoverBg,
       },
     }),
+    labelCell: css({
+      label: 'LegendLabelCell',
+      maxWidth: 0,
+      width: '100%',
+    }),
+    labelCellInner: css({
+      label: 'LegendLabelCellInner',
+      display: 'block',
+      flex: 1,
+      minWidth: 0,
+      overflowX: 'auto',
+      overflowY: 'hidden',
+      paddingRight: theme.spacing(3),
+      scrollbarWidth: 'none',
+      msOverflowStyle: 'none',
+      maskImage: `linear-gradient(to right, black calc(100% - ${theme.spacing(3)}), transparent 100%)`,
+      WebkitMaskImage: `linear-gradient(to right, black calc(100% - ${theme.spacing(3)}), transparent 100%)`,
+      '&::-webkit-scrollbar': {
+        display: 'none',
+      },
+    }),
     label: css({
       label: 'LegendLabel',
       whiteSpace: 'nowrap',
@@ -135,9 +158,6 @@ const getStyles = (theme: GrafanaTheme2) => {
       border: 'none',
       fontSize: 'inherit',
       padding: 0,
-      maxWidth: '600px',
-      textOverflow: 'ellipsis',
-      overflow: 'hidden',
       userSelect: 'text',
     }),
     labelDisabled: css({

pkg/api/plugin_resource_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
 	"github.com/grafana/grafana/pkg/plugins/manager/pluginfakes"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/caching"
@@ -27,7 +28,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/oauthtoken/oauthtokentest"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration"
-	"github.com/grafana/grafana/pkg/services/pluginsintegration/coreplugin"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginconfig"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/plugincontext"

pkg/kinds/dashboard/dashboard_spec_gen.go

@@ -837,8 +837,6 @@ type VariableModel struct {
 	// Optional field, if you want to extract part of a series name or metric node segment.
 	// Named capture groups can be used to separate the display text and value.
 	Regex *string `json:"regex,omitempty"`
-	// Optional, indicates whether a custom type variable uses CSV or JSON to define its values
-	ValuesFormat *VariableModelValuesFormat `json:"valuesFormat,omitempty"`
 	// Determine whether regex applies to variable value or display text
 	RegexApplyTo *VariableRegexApplyTo `json:"regexApplyTo,omitempty"`
 	// Additional static options for query variable
@@ -854,7 +852,6 @@ func NewVariableModel() *VariableModel {
 		Multi:            (func(input bool) *bool { return &input })(false),
 		AllowCustomValue: (func(input bool) *bool { return &input })(true),
 		IncludeAll:       (func(input bool) *bool { return &input })(false),
-		ValuesFormat:     (func(input VariableModelValuesFormat) *VariableModelValuesFormat { return &input })(VariableModelValuesFormatCsv),
 	}
 }
 
@@ -1194,13 +1191,6 @@ const (
 	DataTransformerConfigTopicAlertStates DataTransformerConfigTopic = "alertStates"
 )
 
-type VariableModelValuesFormat string
-
-const (
-	VariableModelValuesFormatCsv  VariableModelValuesFormat = "csv"
-	VariableModelValuesFormatJson VariableModelValuesFormat = "json"
-)
-
 type VariableModelStaticOptionsOrder string
 
 const (

pkg/plugins/backendplugin/coreplugin/registry.go

@@ -14,8 +14,6 @@ import (
 
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
-	"github.com/grafana/grafana/pkg/plugins/backendplugin/provider"
 	"github.com/grafana/grafana/pkg/plugins/log"
 	"github.com/grafana/grafana/pkg/tsdb/azuremonitor"
 	cloudmonitoring "github.com/grafana/grafana/pkg/tsdb/cloud-monitoring"
@@ -94,10 +92,6 @@ func NewRegistry(store map[string]backendplugin.PluginFactoryFunc) *Registry {
 	}
 }
 
-func ProvideCoreProvider(coreRegistry *Registry) plugins.BackendFactoryProvider {
-	return provider.New(coreRegistry.BackendFactoryProvider(), provider.DefaultProvider)
-}
-
 func ProvideCoreRegistry(tracer trace.Tracer, am *azuremonitor.Service, cw *cloudwatch.Service, cm *cloudmonitoring.Service,
 	es *elasticsearch.Service, grap *graphite.Service, idb *influxdb.Service, lk *loki.Service, otsdb *opentsdb.Service,
 	pr *prometheus.Service, t *tempo.Service, td *testdatasource.Service, pg *postgres.Service, my *mysql.Service,
@@ -162,7 +156,7 @@ func asBackendPlugin(svc any) backendplugin.PluginFactoryFunc {
 
 	if opts.QueryDataHandler != nil || opts.CallResourceHandler != nil ||
 		opts.CheckHealthHandler != nil || opts.StreamHandler != nil {
-		return coreplugin.New(opts)
+		return New(opts)
 	}
 
 	return nil

pkg/plugins/backendplugin/provider/provider.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/grpcplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
 	"github.com/grafana/grafana/pkg/plugins/log"
@@ -26,6 +27,10 @@ func New(providers ...PluginBackendProvider) *Service {
 	}
 }
 
+func ProvideService(coreRegistry *coreplugin.Registry) *Service {
+	return New(coreRegistry.BackendFactoryProvider(), DefaultProvider)
+}
+
 func (s *Service) BackendFactory(ctx context.Context, p *plugins.Plugin) backendplugin.PluginFactoryFunc {
 	for _, provider := range s.providerChain {
 		if factory := provider(ctx, p); factory != nil {

pkg/registry/apis/iam/common/common.go

@@ -4,10 +4,10 @@ import (
 	"context"
 	"strconv"
 
+	"github.com/grafana/authlib/authz"
 	authlib "github.com/grafana/authlib/types"
 
 	iamv0alpha1 "github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1"
-	"github.com/grafana/grafana/pkg/apimachinery/identity"
 	"github.com/grafana/grafana/pkg/apimachinery/utils"
 	legacyiamv0 "github.com/grafana/grafana/pkg/apis/iam/v0alpha1"
 	"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
@@ -54,10 +54,10 @@ type ListResponse[T Resource] struct {
 type ListFunc[T Resource] func(ctx context.Context, ns authlib.NamespaceInfo, p Pagination) (*ListResponse[T], error)
 
 // List is a helper function that will perform access check on resources if
-// prvovided with a authlib.AccessClient.
+// provided with a authlib.AccessClient.
 func List[T Resource](
 	ctx context.Context,
-	resource utils.ResourceInfo,
+	resourceInfo utils.ResourceInfo,
 	ac authlib.AccessClient,
 	p Pagination,
 	fn ListFunc[T],
@@ -67,63 +67,86 @@ func List[T Resource](
 		return nil, err
 	}
 
-	ident, err := identity.GetRequester(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	check := func(_, _ string) bool { return true }
-	if ac != nil {
-		var err error
-		check, _, err = ac.Compile(ctx, ident, authlib.ListRequest{
-			Resource:  resource.GroupResource().Resource,
-			Group:     resource.GroupResource().Group,
-			Verb:      "list",
-			Namespace: ns.Value,
-		})
-
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	res := &ListResponse[T]{Items: make([]T, 0, p.Limit)}
 
 	first, err := fn(ctx, ns, p)
 	if err != nil {
 		return nil, err
 	}
-
-	for _, item := range first.Items {
-		if !check(item.AuthID(), "") {
-			continue
-		}
-		res.Items = append(res.Items, item)
-	}
 	res.Continue = first.Continue
 	res.RV = first.RV
 
+	// If no access client, skip authorization
+	if ac == nil {
+		res.Items = append(res.Items, first.Items...)
+
+		for len(res.Items) < int(p.Limit) && res.Continue != 0 {
+			r, err := fn(ctx, ns, Pagination{Limit: p.Limit - int64(len(res.Items)), Continue: res.Continue})
+			if err != nil {
+				return nil, err
+			}
+			res.Items = append(res.Items, r.Items...)
+			res.Continue = r.Continue
+		}
+		return res, nil
+	}
+
+	// Use FilterAuthorized to batch authorize items
+	extractFn := func(item T) authz.BatchCheckItem {
+		return authz.BatchCheckItem{
+			Name:      item.AuthID(),
+			Folder:    "",
+			Verb:      "list",
+			Group:     resourceInfo.GroupResource().Group,
+			Resource:  resourceInfo.GroupResource().Resource,
+			Namespace: ns.Value,
+		}
+	}
+
+	// Convert first batch to iter.Seq and filter
+	firstCandidates := func(yield func(T) bool) {
+		for _, item := range first.Items {
+			if !yield(item) {
+				return
+			}
+		}
+	}
+
+	for item, err := range authz.FilterAuthorized(ctx, ac, firstCandidates, extractFn).Items {
+		if err != nil {
+			return nil, err
+		}
+		res.Items = append(res.Items, item)
+	}
+
 outer:
 	for len(res.Items) < int(p.Limit) && res.Continue != 0 {
-		// FIXME: it is not optimal to reduce the amout we look for here but it is the easiest way to
+		// FIXME: it is not optimal to reduce the amount we look for here but it is the easiest way to
 		// correctly handle pagination and continue tokens
 		r, err := fn(ctx, ns, Pagination{Limit: p.Limit - int64(len(res.Items)), Continue: res.Continue})
 		if err != nil {
 			return nil, err
 		}
 
-		for _, item := range r.Items {
-			if len(res.Items) == int(p.Limit) {
+		candidates := func(yield func(T) bool) {
+			for _, item := range r.Items {
+				if !yield(item) {
+					return
+				}
+			}
+		}
+
+		for item, authErr := range authz.FilterAuthorized(ctx, ac, candidates, extractFn).Items {
+			if authErr != nil {
+				return nil, authErr
+			}
+			if len(res.Items) >= int(p.Limit) {
 				res.Continue = r.Continue
 				break outer
 			}
-
-			if !check(item.AuthID(), "") {
-				continue
-			}
-
 			res.Items = append(res.Items, item)
 		}
+		res.Continue = r.Continue
 	}
 
 	return res, nil

pkg/registry/apis/ofrep/register.go

@@ -276,7 +276,7 @@ func (b *APIBuilder) oneFlagHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if b.providerType == setting.FeaturesServiceProviderType || b.providerType == setting.OFREPProviderType {
+	if b.providerType == setting.GOFFProviderType || b.providerType == setting.OFREPProviderType {
 		b.proxyFlagReq(ctx, flagKey, isAuthedReq, w, r)
 		return
 	}
@@ -304,7 +304,7 @@ func (b *APIBuilder) allFlagsHandler(w http.ResponseWriter, r *http.Request) {
 	isAuthedReq := b.isAuthenticatedRequest(r)
 	span.SetAttributes(attribute.Bool("authenticated", isAuthedReq))
 
-	if b.providerType == setting.FeaturesServiceProviderType || b.providerType == setting.OFREPProviderType {
+	if b.providerType == setting.GOFFProviderType || b.providerType == setting.OFREPProviderType {
 		b.proxyAllFlagReq(ctx, isAuthedReq, w, r)
 		return
 	}

pkg/registry/apis/secret/service/secure_value.go

@@ -6,6 +6,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/grafana/authlib/authz"
 	claims "github.com/grafana/authlib/types"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
@@ -297,35 +298,38 @@ func (s *SecureValueService) List(ctx context.Context, namespace xkube.Namespace
 		s.metrics.SecureValueListDuration.WithLabelValues(strconv.FormatBool(success)).Observe(time.Since(start).Seconds())
 	}()
 
-	user, ok := claims.AuthInfoFrom(ctx)
-	if !ok {
-		return nil, fmt.Errorf("missing auth info in context")
-	}
-
-	hasPermissionFor, _, err := s.accessClient.Compile(ctx, user, claims.ListRequest{
-		Group:     secretv1beta1.APIGroup,
-		Resource:  secretv1beta1.SecureValuesResourceInfo.GetName(),
-		Namespace: namespace.String(),
-		Verb:      utils.VerbGet, // Why not VerbList?
-	})
-	if err != nil {
-		return nil, fmt.Errorf("failed to compile checker: %w", err)
-	}
-
 	secureValuesMetadata, err := s.secureValueMetadataStorage.List(ctx, namespace)
 	if err != nil {
 		return nil, fmt.Errorf("fetching secure values from storage: %+w", err)
 	}
 
+	// Convert slice to iter.Seq
+	candidates := func(yield func(secretv1beta1.SecureValue) bool) {
+		for _, m := range secureValuesMetadata {
+			if !yield(m) {
+				return
+			}
+		}
+	}
+
+	extractFn := func(sv secretv1beta1.SecureValue) authz.BatchCheckItem {
+		return authz.BatchCheckItem{
+			Name:      sv.Name,
+			Folder:    "",
+			Verb:      utils.VerbGet, // Why not VerbList?
+			Group:     secretv1beta1.APIGroup,
+			Resource:  secretv1beta1.SecureValuesResourceInfo.GetName(),
+			Namespace: namespace.String(),
+		}
+	}
+
 	out := make([]secretv1beta1.SecureValue, 0)
 
-	for _, metadata := range secureValuesMetadata {
-		// Check whether the user has permission to access this specific SecureValue in the namespace.
-		if !hasPermissionFor(metadata.Name, "") {
-			continue
+	for item, err := range authz.FilterAuthorized(ctx, s.accessClient, candidates, extractFn).Items {
+		if err != nil {
+			return nil, fmt.Errorf("failed to check authorization: %w", err)
 		}
-
-		out = append(out, metadata)
+		out = append(out, item)
 	}
 
 	return &secretv1beta1.SecureValueList{

pkg/server/wire_gen.go

@@ -37,6 +37,8 @@ import (
 	"github.com/grafana/grafana/pkg/login/social/socialimpl"
 	"github.com/grafana/grafana/pkg/middleware/csrf"
 	"github.com/grafana/grafana/pkg/middleware/loggermw"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
+	provider2 "github.com/grafana/grafana/pkg/plugins/backendplugin/provider"
 	manager4 "github.com/grafana/grafana/pkg/plugins/manager"
 	"github.com/grafana/grafana/pkg/plugins/manager/filestore"
 	"github.com/grafana/grafana/pkg/plugins/manager/process"
@@ -176,7 +178,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/angulardetectorsprovider"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/angularinspector"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/angularpatternsstore"
-	"github.com/grafana/grafana/pkg/services/pluginsintegration/coreplugin"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/dashboards"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/installsync"
 	"github.com/grafana/grafana/pkg/services/pluginsintegration/keyretriever"
@@ -556,7 +557,7 @@ func Initialize(ctx context.Context, cfg *setting.Cfg, opts Options, apiOpts api
 	zipkinService := zipkin.ProvideService(httpclientProvider)
 	jaegerService := jaeger.ProvideService(httpclientProvider)
 	corepluginRegistry := coreplugin.ProvideCoreRegistry(tracer, azuremonitorService, cloudwatchService, cloudmonitoringService, elasticsearchService, graphiteService, influxdbService, lokiService, opentsdbService, prometheusService, tempoService, testdatasourceService, postgresService, mysqlService, mssqlService, grafanadsService, pyroscopeService, parcaService, zipkinService, jaegerService)
-	backendFactoryProvider := coreplugin.ProvideCoreProvider(corepluginRegistry)
+	providerService := provider2.ProvideService(corepluginRegistry)
 	processService := process.ProvideService()
 	retrieverService := retriever.ProvideService(sqlStore, apikeyService, kvStore, userService, orgService)
 	serviceAccountPermissionsService, err := ossaccesscontrol.ProvideServiceAccountPermissions(cfg, featureToggles, routeRegisterImpl, sqlStore, accessControl, ossLicensingService, retrieverService, acimplService, teamService, userService, actionSetService)
@@ -572,7 +573,7 @@ func Initialize(ctx context.Context, cfg *setting.Cfg, opts Options, apiOpts api
 	service13 := service6.ProvideService(sqlStore, secretsService)
 	serviceregistrationService := serviceregistration.ProvideService(cfg, featureToggles, registryRegistry, service13)
 	noop := provisionedplugins.NewNoop()
-	initialize := pipeline.ProvideInitializationStage(pluginManagementCfg, inMemory, backendFactoryProvider, processService, serviceregistrationService, acimplService, actionSetService, envVarsProvider, tracingService, noop)
+	initialize := pipeline.ProvideInitializationStage(pluginManagementCfg, inMemory, providerService, processService, serviceregistrationService, acimplService, actionSetService, envVarsProvider, tracingService, noop)
 	terminate, err := pipeline.ProvideTerminationStage(pluginManagementCfg, inMemory, processService)
 	if err != nil {
 		return nil, err
@@ -1216,7 +1217,7 @@ func InitializeForTest(ctx context.Context, t sqlutil.ITestDB, testingT interfac
 	zipkinService := zipkin.ProvideService(httpclientProvider)
 	jaegerService := jaeger.ProvideService(httpclientProvider)
 	corepluginRegistry := coreplugin.ProvideCoreRegistry(tracer, azuremonitorService, cloudwatchService, cloudmonitoringService, elasticsearchService, graphiteService, influxdbService, lokiService, opentsdbService, prometheusService, tempoService, testdatasourceService, postgresService, mysqlService, mssqlService, grafanadsService, pyroscopeService, parcaService, zipkinService, jaegerService)
-	backendFactoryProvider := coreplugin.ProvideCoreProvider(corepluginRegistry)
+	providerService := provider2.ProvideService(corepluginRegistry)
 	processService := process.ProvideService()
 	retrieverService := retriever.ProvideService(sqlStore, apikeyService, kvStore, userService, orgService)
 	serviceAccountPermissionsService, err := ossaccesscontrol.ProvideServiceAccountPermissions(cfg, featureToggles, routeRegisterImpl, sqlStore, accessControl, ossLicensingService, retrieverService, acimplService, teamService, userService, actionSetService)
@@ -1232,7 +1233,7 @@ func InitializeForTest(ctx context.Context, t sqlutil.ITestDB, testingT interfac
 	service13 := service6.ProvideService(sqlStore, secretsService)
 	serviceregistrationService := serviceregistration.ProvideService(cfg, featureToggles, registryRegistry, service13)
 	noop := provisionedplugins.NewNoop()
-	initialize := pipeline.ProvideInitializationStage(pluginManagementCfg, inMemory, backendFactoryProvider, processService, serviceregistrationService, acimplService, actionSetService, envVarsProvider, tracingService, noop)
+	initialize := pipeline.ProvideInitializationStage(pluginManagementCfg, inMemory, providerService, processService, serviceregistrationService, acimplService, actionSetService, envVarsProvider, tracingService, noop)
 	terminate, err := pipeline.ProvideTerminationStage(pluginManagementCfg, inMemory, processService)
 	if err != nil {
 		return nil, err

pkg/services/accesscontrol/acimpl/basic_role_db_seed.go

@@ -1,44 +0,0 @@
-package acimpl
-
-import (
-	"context"
-	"time"
-
-	"github.com/grafana/grafana/pkg/services/accesscontrol"
-)
-
-const (
-	ossBasicRoleSeedLockName = "oss-ac-basic-role-seeder"
-	ossBasicRoleSeedTimeout  = 2 * time.Minute
-)
-
-// refreshBasicRolePermissionsInDB ensures basic role permissions are fully derived from in-memory registrations
-func (s *Service) refreshBasicRolePermissionsInDB(ctx context.Context, rolesSnapshot map[string][]accesscontrol.Permission) error {
-	if s.sql == nil || s.seeder == nil {
-		return nil
-	}
-
-	run := func(ctx context.Context) error {
-		desired := map[accesscontrol.SeedPermission]struct{}{}
-		for role, permissions := range rolesSnapshot {
-			for _, permission := range permissions {
-				desired[accesscontrol.SeedPermission{BuiltInRole: role, Action: permission.Action, Scope: permission.Scope}] = struct{}{}
-			}
-		}
-		s.seeder.SetDesiredPermissions(desired)
-		return s.seeder.Seed(ctx)
-	}
-
-	if s.serverLock == nil {
-		return run(ctx)
-	}
-
-	var err error
-	errLock := s.serverLock.LockExecuteAndRelease(ctx, ossBasicRoleSeedLockName, ossBasicRoleSeedTimeout, func(ctx context.Context) {
-		err = run(ctx)
-	})
-	if errLock != nil {
-		return errLock
-	}
-	return err
-}

pkg/services/accesscontrol/acimpl/basic_role_db_seed_test.go

@@ -1,128 +0,0 @@
-package acimpl
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/grafana/grafana/pkg/infra/db"
-	"github.com/grafana/grafana/pkg/infra/localcache"
-	"github.com/grafana/grafana/pkg/infra/tracing"
-	"github.com/grafana/grafana/pkg/services/accesscontrol"
-	"github.com/grafana/grafana/pkg/services/accesscontrol/database"
-	"github.com/grafana/grafana/pkg/services/accesscontrol/permreg"
-	"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
-	"github.com/grafana/grafana/pkg/services/featuremgmt"
-	"github.com/grafana/grafana/pkg/services/org"
-	"github.com/grafana/grafana/pkg/setting"
-	"github.com/grafana/grafana/pkg/util/testutil"
-)
-
-func TestIntegration_OSSBasicRolePermissions_PersistAndRefreshOnRegisterFixedRoles(t *testing.T) {
-	testutil.SkipIntegrationTestInShortMode(t)
-
-	ctx := context.Background()
-	sql := db.InitTestDB(t)
-	store := database.ProvideService(sql)
-
-	svc := ProvideOSSService(
-		setting.NewCfg(),
-		store,
-		&resourcepermissions.FakeActionSetSvc{},
-		localcache.ProvideService(),
-		featuremgmt.WithFeatures(),
-		tracing.InitializeTracerForTest(),
-		sql,
-		permreg.ProvidePermissionRegistry(),
-		nil,
-	)
-
-	require.NoError(t, svc.DeclareFixedRoles(accesscontrol.RoleRegistration{
-		Role: accesscontrol.RoleDTO{
-			Name: "fixed:test:role",
-			Permissions: []accesscontrol.Permission{
-				{Action: "test:read", Scope: ""},
-			},
-		},
-		Grants: []string{string(org.RoleViewer)},
-	}))
-
-	require.NoError(t, svc.RegisterFixedRoles(ctx))
-
-	// verify permission is persisted to DB for basic:viewer
-	require.NoError(t, sql.WithDbSession(ctx, func(sess *db.Session) error {
-		var role accesscontrol.Role
-		ok, err := sess.Table("role").Where("uid = ?", accesscontrol.BasicRoleUIDPrefix+"viewer").Get(&role)
-		require.NoError(t, err)
-		require.True(t, ok)
-
-		var count int64
-		count, err = sess.Table("permission").Where("role_id = ? AND action = ? AND scope = ?", role.ID, "test:read", "").Count()
-		require.NoError(t, err)
-		require.Equal(t, int64(1), count)
-		return nil
-	}))
-
-	// ensure RegisterFixedRoles refreshes it back to defaults
-	require.NoError(t, sql.WithDbSession(ctx, func(sess *db.Session) error {
-		ts := time.Now()
-		var role accesscontrol.Role
-		ok, err := sess.Table("role").Where("uid = ?", accesscontrol.BasicRoleUIDPrefix+"viewer").Get(&role)
-		require.NoError(t, err)
-		require.True(t, ok)
-
-		_, err = sess.Exec("DELETE FROM permission WHERE role_id = ?", role.ID)
-		require.NoError(t, err)
-		p := accesscontrol.Permission{
-			RoleID:  role.ID,
-			Action:  "custom:keep",
-			Scope:   "",
-			Created: ts,
-			Updated: ts,
-		}
-		p.Kind, p.Attribute, p.Identifier = accesscontrol.SplitScope(p.Scope)
-		_, err = sess.Table("permission").Insert(&p)
-		return err
-	}))
-
-	svc2 := ProvideOSSService(
-		setting.NewCfg(),
-		store,
-		&resourcepermissions.FakeActionSetSvc{},
-		localcache.ProvideService(),
-		featuremgmt.WithFeatures(),
-		tracing.InitializeTracerForTest(),
-		sql,
-		permreg.ProvidePermissionRegistry(),
-		nil,
-	)
-	require.NoError(t, svc2.DeclareFixedRoles(accesscontrol.RoleRegistration{
-		Role: accesscontrol.RoleDTO{
-			Name: "fixed:test:role",
-			Permissions: []accesscontrol.Permission{
-				{Action: "test:read", Scope: ""},
-			},
-		},
-		Grants: []string{string(org.RoleViewer)},
-	}))
-	require.NoError(t, svc2.RegisterFixedRoles(ctx))
-
-	require.NoError(t, sql.WithDbSession(ctx, func(sess *db.Session) error {
-		var role accesscontrol.Role
-		ok, err := sess.Table("role").Where("uid = ?", accesscontrol.BasicRoleUIDPrefix+"viewer").Get(&role)
-		require.NoError(t, err)
-		require.True(t, ok)
-
-		var count int64
-		count, err = sess.Table("permission").Where("role_id = ? AND action = ? AND scope = ?", role.ID, "test:read", "").Count()
-		require.NoError(t, err)
-		require.Equal(t, int64(1), count)
-
-		count, err = sess.Table("permission").Where("role_id = ? AND action = ?", role.ID, "custom:keep").Count()
-		require.NoError(t, err)
-		require.Equal(t, int64(0), count)
-		return nil
-	}))
-}

pkg/services/accesscontrol/acimpl/service.go

@@ -30,7 +30,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/accesscontrol/migrator"
 	"github.com/grafana/grafana/pkg/services/accesscontrol/permreg"
 	"github.com/grafana/grafana/pkg/services/accesscontrol/pluginutils"
-	"github.com/grafana/grafana/pkg/services/accesscontrol/seeding"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/folder"
@@ -97,12 +96,6 @@ func ProvideOSSService(
 		roles:          accesscontrol.BuildBasicRoleDefinitions(),
 		store:          store,
 		permRegistry:   permRegistry,
-		sql:            db,
-		serverLock:     lock,
-	}
-
-	if backend, ok := store.(*database.AccessControlStore); ok {
-		s.seeder = seeding.New(log.New("accesscontrol.seeder"), backend, backend)
 	}
 
 	return s
@@ -119,11 +112,8 @@ type Service struct {
 	rolesMu        sync.RWMutex
 	roles          map[string]*accesscontrol.RoleDTO
 	store          accesscontrol.Store
-	seeder         *seeding.Seeder
 	permRegistry   permreg.PermissionRegistry
 	isInitialized  bool
-	sql            db.DB
-	serverLock     *serverlock.ServerLockService
 }
 
 func (s *Service) GetUsageStats(_ context.Context) map[string]any {
@@ -441,54 +431,17 @@ func (s *Service) RegisterFixedRoles(ctx context.Context) error {
 	defer span.End()
 
 	s.rolesMu.Lock()
-	registrations := s.registrations.Slice()
+	defer s.rolesMu.Unlock()
+
 	s.registrations.Range(func(registration accesscontrol.RoleRegistration) bool {
 		s.registerRolesLocked(registration)
 		return true
 	})
 
 	s.isInitialized = true
-
-	rolesSnapshot := s.getBasicRolePermissionsLocked()
-	s.rolesMu.Unlock()
-
-	if s.seeder != nil {
-		if err := s.seeder.SeedRoles(ctx, registrations); err != nil {
-			return err
-		}
-		if err := s.seeder.RemoveAbsentRoles(ctx); err != nil {
-			return err
-		}
-	}
-
-	if err := s.refreshBasicRolePermissionsInDB(ctx, rolesSnapshot); err != nil {
-		return err
-	}
-
 	return nil
 }
 
-// getBasicRolePermissionsSnapshotFromRegistrationsLocked computes the desired basic role permissions from the
-// current registration list, using the shared seeding registration logic.
-//
-// it has to be called while holding the roles lock
-func (s *Service) getBasicRolePermissionsLocked() map[string][]accesscontrol.Permission {
-	desired := map[accesscontrol.SeedPermission]struct{}{}
-	s.registrations.Range(func(registration accesscontrol.RoleRegistration) bool {
-		seeding.AppendDesiredPermissions(desired, s.log, &registration.Role, registration.Grants, registration.Exclude)
-		return true
-	})
-
-	out := make(map[string][]accesscontrol.Permission)
-	for sp := range desired {
-		out[sp.BuiltInRole] = append(out[sp.BuiltInRole], accesscontrol.Permission{
-			Action: sp.Action,
-			Scope:  sp.Scope,
-		})
-	}
-	return out
-}
-
 // registerRolesLocked processes a single role registration and adds permissions to basic roles.
 // Must be called with s.rolesMu locked.
 func (s *Service) registerRolesLocked(registration accesscontrol.RoleRegistration) {
@@ -521,7 +474,6 @@ func (s *Service) DeclarePluginRoles(ctx context.Context, ID, name string, regs
 	defer span.End()
 
 	acRegs := pluginutils.ToRegistrations(ID, name, regs)
-	updatedBasicRoles := false
 	for _, r := range acRegs {
 		if err := pluginutils.ValidatePluginRole(ID, r.Role); err != nil {
 			return err
@@ -548,23 +500,11 @@ func (s *Service) DeclarePluginRoles(ctx context.Context, ID, name string, regs
 		if initialized {
 			s.rolesMu.Lock()
 			s.registerRolesLocked(r)
-			updatedBasicRoles = true
 			s.rolesMu.Unlock()
 			s.cache.Flush()
 		}
 	}
 
-	if updatedBasicRoles {
-		s.rolesMu.RLock()
-		rolesSnapshot := s.getBasicRolePermissionsLocked()
-		s.rolesMu.RUnlock()
-
-		// plugin roles can be declared after startup - keep DB in sync
-		if err := s.refreshBasicRolePermissionsInDB(ctx, rolesSnapshot); err != nil {
-			return err
-		}
-	}
-
 	return nil
 }
 

pkg/services/accesscontrol/authorizer.go

@@ -167,3 +167,99 @@ func (c *LegacyAccessClient) Compile(ctx context.Context, id claims.AuthInfo, re
 		return check(fmt.Sprintf("%s:%s:%s", opts.Resource, opts.Attr, name))
 	}, claims.NoopZookie{}, nil
 }
+
+func (c *LegacyAccessClient) BatchCheck(ctx context.Context, id claims.AuthInfo, req claims.BatchCheckRequest) (claims.BatchCheckResponse, error) {
+	ident, ok := id.(identity.Requester)
+	if !ok {
+		return claims.BatchCheckResponse{}, errors.New("expected identity.Requester for legacy access control")
+	}
+
+	results := make(map[string]claims.BatchCheckResult, len(req.Checks))
+
+	// Cache checkers by action to avoid recreating them for each check
+	checkerCache := make(map[string]func(scopes ...string) bool)
+
+	for _, check := range req.Checks {
+		opts, ok := c.opts[check.Resource]
+		if !ok {
+			// For now w  fallback to grafana admin if no options are found for resource.
+			if ident.GetIsGrafanaAdmin() {
+				results[check.CorrelationID] = claims.BatchCheckResult{Allowed: true}
+			} else {
+				results[check.CorrelationID] = claims.BatchCheckResult{Allowed: false}
+			}
+			continue
+		}
+
+		// Check if verb should be skipped
+		if opts.Unchecked[check.Verb] {
+			results[check.CorrelationID] = claims.BatchCheckResult{Allowed: true}
+			continue
+		}
+
+		action, ok := opts.Mapping[check.Verb]
+		if !ok {
+			results[check.CorrelationID] = claims.BatchCheckResult{
+				Allowed: false,
+				Error:   fmt.Errorf("missing action for %s %s", check.Verb, check.Resource),
+			}
+			continue
+		}
+
+		// Get or create cached checker for this action
+		checker, ok := checkerCache[action]
+		if !ok {
+			checker = Checker(ident, action)
+			checkerCache[action] = checker
+		}
+
+		// Handle list and create verbs (no specific name)
+		// TODO: Should we allow list/create without name in a BatchCheck request?
+		if check.Name == "" {
+			if check.Verb == utils.VerbList || check.Verb == utils.VerbCreate {
+				// For list/create without name, check if user has the action at all
+				// TODO: Is this correct for Create?
+				results[check.CorrelationID] = claims.BatchCheckResult{
+					Allowed: len(ident.GetPermissions()[action]) > 0,
+				}
+			} else {
+				results[check.CorrelationID] = claims.BatchCheckResult{
+					Allowed: false,
+					Error:   fmt.Errorf("unhandled authorization: %s %s", check.Group, check.Verb),
+				}
+			}
+			continue
+		}
+
+		// Check with resolver or direct scope
+		var allowed bool
+		if opts.Resolver != nil {
+			ns, err := claims.ParseNamespace(check.Namespace)
+			if err != nil {
+				results[check.CorrelationID] = claims.BatchCheckResult{
+					Allowed: false,
+					Error:   err,
+				}
+				continue
+			}
+			scopes, err := opts.Resolver.Resolve(ctx, ns, check.Name)
+			if err != nil {
+				results[check.CorrelationID] = claims.BatchCheckResult{
+					Allowed: false,
+					Error:   err,
+				}
+				continue
+			}
+			allowed = checker(scopes...)
+		} else {
+			allowed = checker(fmt.Sprintf("%s:%s:%s", opts.Resource, opts.Attr, check.Name))
+		}
+
+		results[check.CorrelationID] = claims.BatchCheckResult{Allowed: allowed}
+	}
+
+	return claims.BatchCheckResponse{
+		Results: results,
+		Zookie:  claims.NoopZookie{},
+	}, nil
+}

pkg/services/accesscontrol/authorizer_test.go

@@ -136,6 +136,220 @@ func TestLegacyAccessClient_Check(t *testing.T) {
 	})
 }
 
+func TestLegacyAccessClient_BatchCheck(t *testing.T) {
+	ac := acimpl.ProvideAccessControl(featuremgmt.WithFeatures())
+
+	t.Run("should return empty results for empty checks", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac)
+
+		res, err := a.BatchCheck(context.Background(), &identity.StaticRequester{}, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{},
+		})
+
+		assert.NoError(t, err)
+		assert.Empty(t, res.Results)
+	})
+
+	t.Run("should reject unknown resource for non-admin", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac)
+
+		res, err := a.BatchCheck(context.Background(), &identity.StaticRequester{}, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "get", Resource: "unknown", Name: "1"},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.False(t, res.Results["check-1"].Allowed)
+	})
+
+	t.Run("should allow unknown resource for grafana admin", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac)
+
+		res, err := a.BatchCheck(context.Background(), &identity.StaticRequester{IsGrafanaAdmin: true}, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "get", Resource: "unknown", Name: "1"},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.True(t, res.Results["check-1"].Allowed)
+	})
+
+	t.Run("should allow unchecked verbs", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
+			Resource:  "dashboards",
+			Attr:      "uid",
+			Unchecked: map[string]bool{"get": true},
+		})
+
+		res, err := a.BatchCheck(context.Background(), &identity.StaticRequester{}, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "get", Resource: "dashboards", Name: "1"},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.True(t, res.Results["check-1"].Allowed)
+	})
+
+	t.Run("should return error for missing action mapping", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
+			Resource: "dashboards",
+			Attr:     "uid",
+			Mapping:  map[string]string{}, // Empty mapping
+		})
+
+		res, err := a.BatchCheck(context.Background(), &identity.StaticRequester{}, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "get", Resource: "dashboards", Name: "1"},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.False(t, res.Results["check-1"].Allowed)
+		assert.Error(t, res.Results["check-1"].Error)
+	})
+
+	t.Run("should allow when user has correct scope", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
+			Resource: "dashboards",
+			Attr:     "uid",
+			Mapping:  map[string]string{"get": "dashboards:read"},
+		})
+
+		ident := newIdent(accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:1"})
+
+		res, err := a.BatchCheck(context.Background(), ident, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "get", Resource: "dashboards", Name: "1"},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.True(t, res.Results["check-1"].Allowed)
+	})
+
+	t.Run("should reject when user has wrong scope", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
+			Resource: "dashboards",
+			Attr:     "uid",
+			Mapping:  map[string]string{"get": "dashboards:read"},
+		})
+
+		ident := newIdent(accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:2"})
+
+		res, err := a.BatchCheck(context.Background(), ident, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "get", Resource: "dashboards", Name: "1"},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.False(t, res.Results["check-1"].Allowed)
+	})
+
+	t.Run("should handle list without name", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
+			Resource: "dashboards",
+			Attr:     "uid",
+			Mapping:  map[string]string{"list": "dashboards:read"},
+		})
+
+		ident := newIdent(accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:*"})
+
+		res, err := a.BatchCheck(context.Background(), ident, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "list", Resource: "dashboards", Name: ""},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.True(t, res.Results["check-1"].Allowed)
+	})
+
+	t.Run("should handle multiple checks with mixed results", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
+			Resource: "dashboards",
+			Attr:     "uid",
+			Mapping:  map[string]string{"get": "dashboards:read"},
+		})
+
+		ident := newIdent(
+			accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:1"},
+			accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:3"},
+		)
+
+		res, err := a.BatchCheck(context.Background(), ident, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "get", Resource: "dashboards", Name: "1"},
+				{CorrelationID: "check-2", Verb: "get", Resource: "dashboards", Name: "2"},
+				{CorrelationID: "check-3", Verb: "get", Resource: "dashboards", Name: "3"},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.True(t, res.Results["check-1"].Allowed)
+		assert.False(t, res.Results["check-2"].Allowed)
+		assert.True(t, res.Results["check-3"].Allowed)
+	})
+
+	t.Run("should use resolver when provided", func(t *testing.T) {
+		resolver := accesscontrol.ResourceResolverFunc(func(ctx context.Context, ns authlib.NamespaceInfo, name string) ([]string, error) {
+			// Resolve dashboard name to folder scope
+			return []string{"folders:uid:folder-a"}, nil
+		})
+
+		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
+			Resource: "dashboards",
+			Attr:     "uid",
+			Mapping:  map[string]string{"get": "dashboards:read"},
+			Resolver: resolver,
+		})
+
+		ident := newIdent(accesscontrol.Permission{Action: "dashboards:read", Scope: "folders:uid:folder-a"})
+
+		res, err := a.BatchCheck(context.Background(), ident, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "check-1", Verb: "get", Resource: "dashboards", Name: "1", Namespace: "default"},
+			},
+		})
+
+		assert.NoError(t, err)
+		assert.True(t, res.Results["check-1"].Allowed)
+	})
+
+	t.Run("should cache checker by action", func(t *testing.T) {
+		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
+			Resource: "dashboards",
+			Attr:     "uid",
+			Mapping:  map[string]string{"get": "dashboards:read", "update": "dashboards:write"},
+		})
+
+		ident := newIdent(
+			accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:*"},
+			accesscontrol.Permission{Action: "dashboards:write", Scope: "dashboards:uid:1"},
+		)
+
+		res, err := a.BatchCheck(context.Background(), ident, authlib.BatchCheckRequest{
+			Checks: []authlib.BatchCheckItem{
+				{CorrelationID: "read-1", Verb: "get", Resource: "dashboards", Name: "1"},
+				{CorrelationID: "read-2", Verb: "get", Resource: "dashboards", Name: "2"},
+				{CorrelationID: "write-1", Verb: "update", Resource: "dashboards", Name: "1"},
+				{CorrelationID: "write-2", Verb: "update", Resource: "dashboards", Name: "2"},
+			},
+		})
+
+		assert.NoError(t, err)
+		// Read with wildcard scope should allow all
+		assert.True(t, res.Results["read-1"].Allowed)
+		assert.True(t, res.Results["read-2"].Allowed)
+		// Write only has scope for uid:1
+		assert.True(t, res.Results["write-1"].Allowed)
+		assert.False(t, res.Results["write-2"].Allowed)
+	})
+}
+
 func newIdent(permissions ...accesscontrol.Permission) *identity.StaticRequester {
 	pmap := map[string][]string{}
 	for _, p := range permissions {

pkg/services/accesscontrol/database/seeder.go

@@ -1,623 +0,0 @@
-package database
-
-import (
-	"context"
-	"strings"
-	"time"
-
-	"github.com/grafana/grafana/pkg/infra/db"
-	"github.com/grafana/grafana/pkg/services/accesscontrol"
-	"github.com/grafana/grafana/pkg/services/accesscontrol/seeding"
-	"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
-	"github.com/grafana/grafana/pkg/util/xorm/core"
-)
-
-const basicRolePermBatchSize = 500
-
-// LoadRoles returns all fixed and plugin roles (global org) with permissions, indexed by role name.
-func (s *AccessControlStore) LoadRoles(ctx context.Context) (map[string]*accesscontrol.RoleDTO, error) {
-	out := map[string]*accesscontrol.RoleDTO{}
-
-	err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
-		type roleRow struct {
-			ID          int64     `xorm:"id"`
-			OrgID       int64     `xorm:"org_id"`
-			Version     int64     `xorm:"version"`
-			UID         string    `xorm:"uid"`
-			Name        string    `xorm:"name"`
-			DisplayName string    `xorm:"display_name"`
-			Description string    `xorm:"description"`
-			Group       string    `xorm:"group_name"`
-			Hidden      bool      `xorm:"hidden"`
-			Updated     time.Time `xorm:"updated"`
-			Created     time.Time `xorm:"created"`
-		}
-
-		roles := []roleRow{}
-		if err := sess.Table("role").
-			Where("org_id = ?", accesscontrol.GlobalOrgID).
-			Where("(name LIKE ? OR name LIKE ?)", accesscontrol.FixedRolePrefix+"%", accesscontrol.PluginRolePrefix+"%").
-			Find(&roles); err != nil {
-			return err
-		}
-
-		if len(roles) == 0 {
-			return nil
-		}
-
-		roleIDs := make([]any, 0, len(roles))
-		roleByID := make(map[int64]*accesscontrol.RoleDTO, len(roles))
-		for _, r := range roles {
-			dto := &accesscontrol.RoleDTO{
-				ID:          r.ID,
-				OrgID:       r.OrgID,
-				Version:     r.Version,
-				UID:         r.UID,
-				Name:        r.Name,
-				DisplayName: r.DisplayName,
-				Description: r.Description,
-				Group:       r.Group,
-				Hidden:      r.Hidden,
-				Updated:     r.Updated,
-				Created:     r.Created,
-			}
-			out[dto.Name] = dto
-			roleByID[dto.ID] = dto
-			roleIDs = append(roleIDs, dto.ID)
-		}
-
-		type permRow struct {
-			RoleID int64  `xorm:"role_id"`
-			Action string `xorm:"action"`
-			Scope  string `xorm:"scope"`
-		}
-		perms := []permRow{}
-		if err := sess.Table("permission").In("role_id", roleIDs...).Find(&perms); err != nil {
-			return err
-		}
-
-		for _, p := range perms {
-			dto := roleByID[p.RoleID]
-			if dto == nil {
-				continue
-			}
-			dto.Permissions = append(dto.Permissions, accesscontrol.Permission{
-				RoleID: p.RoleID,
-				Action: p.Action,
-				Scope:  p.Scope,
-			})
-		}
-
-		return nil
-	})
-
-	return out, err
-}
-
-func (s *AccessControlStore) SetRole(ctx context.Context, existingRole *accesscontrol.RoleDTO, wantedRole accesscontrol.RoleDTO) error {
-	if existingRole == nil {
-		return nil
-	}
-
-	return s.sql.WithDbSession(ctx, func(sess *db.Session) error {
-		_, err := sess.Table("role").
-			Where("id = ? AND org_id = ?", existingRole.ID, accesscontrol.GlobalOrgID).
-			Update(map[string]any{
-				"display_name": wantedRole.DisplayName,
-				"description":  wantedRole.Description,
-				"group_name":   wantedRole.Group,
-				"hidden":       wantedRole.Hidden,
-				"updated":      time.Now(),
-			})
-		return err
-	})
-}
-
-func (s *AccessControlStore) SetPermissions(ctx context.Context, existingRole *accesscontrol.RoleDTO, wantedRole accesscontrol.RoleDTO) error {
-	if existingRole == nil {
-		return nil
-	}
-
-	type key struct{ Action, Scope string }
-	existing := map[key]struct{}{}
-	for _, p := range existingRole.Permissions {
-		existing[key{p.Action, p.Scope}] = struct{}{}
-	}
-	desired := map[key]struct{}{}
-	for _, p := range wantedRole.Permissions {
-		desired[key{p.Action, p.Scope}] = struct{}{}
-	}
-
-	toAdd := make([]accesscontrol.Permission, 0)
-	toRemove := make([]accesscontrol.SeedPermission, 0)
-
-	now := time.Now()
-	for k := range desired {
-		if _, ok := existing[k]; ok {
-			continue
-		}
-		perm := accesscontrol.Permission{
-			RoleID:  existingRole.ID,
-			Action:  k.Action,
-			Scope:   k.Scope,
-			Created: now,
-			Updated: now,
-		}
-		perm.Kind, perm.Attribute, perm.Identifier = accesscontrol.SplitScope(perm.Scope)
-		toAdd = append(toAdd, perm)
-	}
-
-	for k := range existing {
-		if _, ok := desired[k]; ok {
-			continue
-		}
-		toRemove = append(toRemove, accesscontrol.SeedPermission{Action: k.Action, Scope: k.Scope})
-	}
-
-	if len(toAdd) == 0 && len(toRemove) == 0 {
-		return nil
-	}
-
-	return s.sql.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
-		if len(toRemove) > 0 {
-			if err := DeleteRolePermissionTuples(sess, s.sql.GetDBType(), existingRole.ID, toRemove); err != nil {
-				return err
-			}
-		}
-
-		if len(toAdd) > 0 {
-			_, err := sess.InsertMulti(toAdd)
-			return err
-		}
-
-		return nil
-	})
-}
-
-func (s *AccessControlStore) CreateRole(ctx context.Context, role accesscontrol.RoleDTO) error {
-	now := time.Now()
-	uid := role.UID
-	if uid == "" && (strings.HasPrefix(role.Name, accesscontrol.FixedRolePrefix) || strings.HasPrefix(role.Name, accesscontrol.PluginRolePrefix)) {
-		uid = accesscontrol.PrefixedRoleUID(role.Name)
-	}
-	r := accesscontrol.Role{
-		OrgID:       accesscontrol.GlobalOrgID,
-		Version:     role.Version,
-		UID:         uid,
-		Name:        role.Name,
-		DisplayName: role.DisplayName,
-		Description: role.Description,
-		Group:       role.Group,
-		Hidden:      role.Hidden,
-		Created:     now,
-		Updated:     now,
-	}
-	if r.Version == 0 {
-		r.Version = 1
-	}
-
-	return s.sql.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
-		if _, err := sess.Insert(&r); err != nil {
-			return err
-		}
-
-		if len(role.Permissions) == 0 {
-			return nil
-		}
-
-		// De-duplicate permissions on (action, scope) to avoid unique constraint violations.
-		// Some role definitions may accidentally include duplicates.
-		type permKey struct{ Action, Scope string }
-		seen := make(map[permKey]struct{}, len(role.Permissions))
-
-		perms := make([]accesscontrol.Permission, 0, len(role.Permissions))
-		for _, p := range role.Permissions {
-			k := permKey{Action: p.Action, Scope: p.Scope}
-			if _, ok := seen[k]; ok {
-				continue
-			}
-			seen[k] = struct{}{}
-
-			perm := accesscontrol.Permission{
-				RoleID:  r.ID,
-				Action:  p.Action,
-				Scope:   p.Scope,
-				Created: now,
-				Updated: now,
-			}
-			perm.Kind, perm.Attribute, perm.Identifier = accesscontrol.SplitScope(perm.Scope)
-			perms = append(perms, perm)
-		}
-		_, err := sess.InsertMulti(perms)
-		return err
-	})
-}
-
-func (s *AccessControlStore) DeleteRoles(ctx context.Context, roleUIDs []string) error {
-	if len(roleUIDs) == 0 {
-		return nil
-	}
-
-	uids := make([]any, 0, len(roleUIDs))
-	for _, uid := range roleUIDs {
-		uids = append(uids, uid)
-	}
-
-	return s.sql.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
-		type row struct {
-			ID  int64  `xorm:"id"`
-			UID string `xorm:"uid"`
-		}
-		rows := []row{}
-		if err := sess.Table("role").
-			Where("org_id = ?", accesscontrol.GlobalOrgID).
-			In("uid", uids...).
-			Find(&rows); err != nil {
-			return err
-		}
-		if len(rows) == 0 {
-			return nil
-		}
-
-		roleIDs := make([]any, 0, len(rows))
-		for _, r := range rows {
-			roleIDs = append(roleIDs, r.ID)
-		}
-
-		// Remove permissions and assignments first to avoid FK issues (if enabled).
-		{
-			args := append([]any{"DELETE FROM permission WHERE role_id IN (?" + strings.Repeat(",?", len(roleIDs)-1) + ")"}, roleIDs...)
-			if _, err := sess.Exec(args...); err != nil {
-				return err
-			}
-		}
-		{
-			args := append([]any{"DELETE FROM user_role WHERE role_id IN (?" + strings.Repeat(",?", len(roleIDs)-1) + ")"}, roleIDs...)
-			if _, err := sess.Exec(args...); err != nil {
-				return err
-			}
-		}
-		{
-			args := append([]any{"DELETE FROM team_role WHERE role_id IN (?" + strings.Repeat(",?", len(roleIDs)-1) + ")"}, roleIDs...)
-			if _, err := sess.Exec(args...); err != nil {
-				return err
-			}
-		}
-		{
-			args := append([]any{"DELETE FROM builtin_role WHERE role_id IN (?" + strings.Repeat(",?", len(roleIDs)-1) + ")"}, roleIDs...)
-			if _, err := sess.Exec(args...); err != nil {
-				return err
-			}
-		}
-
-		args := append([]any{"DELETE FROM role WHERE org_id = ? AND uid IN (?" + strings.Repeat(",?", len(uids)-1) + ")", accesscontrol.GlobalOrgID}, uids...)
-		_, err := sess.Exec(args...)
-		return err
-	})
-}
-
-// OSS basic-role permission refresh uses seeding.Seeder.Seed() with a desired set computed in memory.
-// These methods implement the permission seeding part of seeding.SeedingBackend against the current permission table.
-func (s *AccessControlStore) LoadPrevious(ctx context.Context) (map[accesscontrol.SeedPermission]struct{}, error) {
-	var out map[accesscontrol.SeedPermission]struct{}
-	err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
-		rows, err := LoadBasicRoleSeedPermissions(sess)
-		if err != nil {
-			return err
-		}
-
-		out = make(map[accesscontrol.SeedPermission]struct{}, len(rows))
-		for _, r := range rows {
-			r.Origin = ""
-			out[r] = struct{}{}
-		}
-		return nil
-	})
-	return out, err
-}
-
-func (s *AccessControlStore) Apply(ctx context.Context, added, removed []accesscontrol.SeedPermission, updated map[accesscontrol.SeedPermission]accesscontrol.SeedPermission) error {
-	rolesToUpgrade := seeding.RolesToUpgrade(added, removed)
-
-	// Run the same OSS apply logic as ossBasicRoleSeedBackend.Apply inside a single transaction.
-	return s.sql.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
-		defs := accesscontrol.BuildBasicRoleDefinitions()
-		builtinToRoleID, err := EnsureBasicRolesExist(sess, defs)
-		if err != nil {
-			return err
-		}
-
-		backend := &ossBasicRoleSeedBackend{
-			sess:            sess,
-			now:             time.Now(),
-			builtinToRoleID: builtinToRoleID,
-			desired:         nil,
-			dbType:          s.sql.GetDBType(),
-		}
-		if err := backend.Apply(ctx, added, removed, updated); err != nil {
-			return err
-		}
-
-		return BumpBasicRoleVersions(sess, rolesToUpgrade)
-	})
-}
-
-// EnsureBasicRolesExist ensures the built-in basic roles exist in the role table and are bound in builtin_role.
-// It returns a mapping from builtin role name (for example "Admin") to role ID.
-func EnsureBasicRolesExist(sess *db.Session, defs map[string]*accesscontrol.RoleDTO) (map[string]int64, error) {
-	uidToBuiltin := make(map[string]string, len(defs))
-	uids := make([]any, 0, len(defs))
-	for builtin, def := range defs {
-		uidToBuiltin[def.UID] = builtin
-		uids = append(uids, def.UID)
-	}
-
-	type roleRow struct {
-		ID  int64  `xorm:"id"`
-		UID string `xorm:"uid"`
-	}
-
-	rows := []roleRow{}
-	if err := sess.Table("role").
-		Where("org_id = ?", accesscontrol.GlobalOrgID).
-		In("uid", uids...).
-		Find(&rows); err != nil {
-		return nil, err
-	}
-
-	ts := time.Now()
-
-	builtinToRoleID := make(map[string]int64, len(defs))
-	for _, r := range rows {
-		br, ok := uidToBuiltin[r.UID]
-		if !ok {
-			continue
-		}
-		builtinToRoleID[br] = r.ID
-	}
-
-	for builtin, def := range defs {
-		roleID, ok := builtinToRoleID[builtin]
-		if !ok {
-			role := accesscontrol.Role{
-				OrgID:       def.OrgID,
-				Version:     def.Version,
-				UID:         def.UID,
-				Name:        def.Name,
-				DisplayName: def.DisplayName,
-				Description: def.Description,
-				Group:       def.Group,
-				Hidden:      def.Hidden,
-				Created:     ts,
-				Updated:     ts,
-			}
-			if _, err := sess.Insert(&role); err != nil {
-				return nil, err
-			}
-			roleID = role.ID
-			builtinToRoleID[builtin] = roleID
-		}
-
-		has, err := sess.Table("builtin_role").
-			Where("role_id = ? AND role = ? AND org_id = ?", roleID, builtin, accesscontrol.GlobalOrgID).
-			Exist()
-		if err != nil {
-			return nil, err
-		}
-		if !has {
-			br := accesscontrol.BuiltinRole{
-				RoleID:  roleID,
-				OrgID:   accesscontrol.GlobalOrgID,
-				Role:    builtin,
-				Created: ts,
-				Updated: ts,
-			}
-			if _, err := sess.Table("builtin_role").Insert(&br); err != nil {
-				return nil, err
-			}
-		}
-	}
-
-	return builtinToRoleID, nil
-}
-
-// DeleteRolePermissionTuples deletes permissions for a single role by (action, scope) pairs.
-//
-// It uses a row-constructor IN clause where supported (MySQL, Postgres, SQLite) and falls back
-// to a WHERE ... OR ... form for MSSQL.
-func DeleteRolePermissionTuples(sess *db.Session, dbType core.DbType, roleID int64, perms []accesscontrol.SeedPermission) error {
-	if len(perms) == 0 {
-		return nil
-	}
-
-	if dbType == migrator.MSSQL {
-		// MSSQL doesn't support (action, scope) IN ((?,?),(?,?)) row constructors.
-		where := make([]string, 0, len(perms))
-		args := make([]any, 0, 1+len(perms)*2)
-		args = append(args, roleID)
-		for _, p := range perms {
-			where = append(where, "(action = ? AND scope = ?)")
-			args = append(args, p.Action, p.Scope)
-		}
-		_, err := sess.Exec(
-			append([]any{
-				"DELETE FROM permission WHERE role_id = ? AND (" + strings.Join(where, " OR ") + ")",
-			}, args...)...,
-		)
-		return err
-	}
-
-	args := make([]any, 0, 1+len(perms)*2)
-	args = append(args, roleID)
-	for _, p := range perms {
-		args = append(args, p.Action, p.Scope)
-	}
-	sql := "DELETE FROM permission WHERE role_id = ? AND (action, scope) IN (" +
-		strings.Repeat("(?, ?),", len(perms)-1) + "(?, ?))"
-	_, err := sess.Exec(append([]any{sql}, args...)...)
-	return err
-}
-
-type ossBasicRoleSeedBackend struct {
-	sess            *db.Session
-	now             time.Time
-	builtinToRoleID map[string]int64
-	desired         map[accesscontrol.SeedPermission]struct{}
-	dbType          core.DbType
-}
-
-func (b *ossBasicRoleSeedBackend) LoadPrevious(_ context.Context) (map[accesscontrol.SeedPermission]struct{}, error) {
-	rows, err := LoadBasicRoleSeedPermissions(b.sess)
-	if err != nil {
-		return nil, err
-	}
-
-	out := make(map[accesscontrol.SeedPermission]struct{}, len(rows))
-	for _, r := range rows {
-		// Ensure the key matches what OSS seeding uses (Origin is always empty for basic role refresh).
-		r.Origin = ""
-		out[r] = struct{}{}
-	}
-	return out, nil
-}
-
-func (b *ossBasicRoleSeedBackend) LoadDesired(_ context.Context) (map[accesscontrol.SeedPermission]struct{}, error) {
-	return b.desired, nil
-}
-
-func (b *ossBasicRoleSeedBackend) Apply(_ context.Context, added, removed []accesscontrol.SeedPermission, updated map[accesscontrol.SeedPermission]accesscontrol.SeedPermission) error {
-	// Delete removed permissions (this includes user-defined permissions that aren't in desired).
-	if len(removed) > 0 {
-		permsByRoleID := map[int64][]accesscontrol.SeedPermission{}
-		for _, p := range removed {
-			roleID, ok := b.builtinToRoleID[p.BuiltInRole]
-			if !ok {
-				continue
-			}
-			permsByRoleID[roleID] = append(permsByRoleID[roleID], p)
-		}
-
-		for roleID, perms := range permsByRoleID {
-			// Chunk to keep statement sizes and parameter counts bounded.
-			if err := batch(len(perms), basicRolePermBatchSize, func(start, end int) error {
-				return DeleteRolePermissionTuples(b.sess, b.dbType, roleID, perms[start:end])
-			}); err != nil {
-				return err
-			}
-		}
-	}
-
-	// Insert added permissions and updated-target permissions.
-	toInsertSeed := make([]accesscontrol.SeedPermission, 0, len(added)+len(updated))
-	toInsertSeed = append(toInsertSeed, added...)
-	for _, v := range updated {
-		toInsertSeed = append(toInsertSeed, v)
-	}
-	if len(toInsertSeed) == 0 {
-		return nil
-	}
-
-	// De-duplicate on (role_id, action, scope). This avoids unique constraint violations when:
-	// - the same permission appears in both added and updated
-	// - multiple plugin origins grant the same permission (Origin is not persisted in permission table)
-	type permKey struct {
-		RoleID int64
-		Action string
-		Scope  string
-	}
-	seen := make(map[permKey]struct{}, len(toInsertSeed))
-
-	toInsert := make([]accesscontrol.Permission, 0, len(toInsertSeed))
-	for _, p := range toInsertSeed {
-		roleID, ok := b.builtinToRoleID[p.BuiltInRole]
-		if !ok {
-			continue
-		}
-		k := permKey{RoleID: roleID, Action: p.Action, Scope: p.Scope}
-		if _, ok := seen[k]; ok {
-			continue
-		}
-		seen[k] = struct{}{}
-
-		perm := accesscontrol.Permission{
-			RoleID:  roleID,
-			Action:  p.Action,
-			Scope:   p.Scope,
-			Created: b.now,
-			Updated: b.now,
-		}
-		perm.Kind, perm.Attribute, perm.Identifier = accesscontrol.SplitScope(perm.Scope)
-		toInsert = append(toInsert, perm)
-	}
-
-	return batch(len(toInsert), basicRolePermBatchSize, func(start, end int) error {
-		// MySQL: ignore conflicts to make seeding idempotent under retries/concurrency.
-		// Conflicts can happen if the same permission already exists (unique on role_id, action, scope).
-		if b.dbType == migrator.MySQL {
-			args := make([]any, 0, (end-start)*8)
-			for i := start; i < end; i++ {
-				p := toInsert[i]
-				args = append(args, p.RoleID, p.Action, p.Scope, p.Kind, p.Attribute, p.Identifier, p.Updated, p.Created)
-			}
-			sql := append([]any{`INSERT IGNORE INTO permission (role_id, action, scope, kind, attribute, identifier, updated, created) VALUES ` +
-				strings.Repeat("(?, ?, ?, ?, ?, ?, ?, ?),", end-start-1) + "(?, ?, ?, ?, ?, ?, ?, ?)"}, args...)
-			_, err := b.sess.Exec(sql...)
-			return err
-		}
-
-		_, err := b.sess.InsertMulti(toInsert[start:end])
-		return err
-	})
-}
-
-func batch(count, size int, eachFn func(start, end int) error) error {
-	for i := 0; i < count; {
-		end := i + size
-		if end > count {
-			end = count
-		}
-		if err := eachFn(i, end); err != nil {
-			return err
-		}
-		i = end
-	}
-	return nil
-}
-
-// BumpBasicRoleVersions increments the role version for the given builtin basic roles (Viewer/Editor/Admin/Grafana Admin).
-// Unknown role names are ignored.
-func BumpBasicRoleVersions(sess *db.Session, basicRoles []string) error {
-	if len(basicRoles) == 0 {
-		return nil
-	}
-
-	defs := accesscontrol.BuildBasicRoleDefinitions()
-	uids := make([]any, 0, len(basicRoles))
-	for _, br := range basicRoles {
-		def, ok := defs[br]
-		if !ok {
-			continue
-		}
-		uids = append(uids, def.UID)
-	}
-	if len(uids) == 0 {
-		return nil
-	}
-
-	sql := "UPDATE role SET version = version + 1 WHERE org_id = ? AND uid IN (?" + strings.Repeat(",?", len(uids)-1) + ")"
-	_, err := sess.Exec(append([]any{sql, accesscontrol.GlobalOrgID}, uids...)...)
-	return err
-}
-
-// LoadBasicRoleSeedPermissions returns the current (builtin_role, action, scope) permissions granted to basic roles.
-// It sets Origin to empty.
-func LoadBasicRoleSeedPermissions(sess *db.Session) ([]accesscontrol.SeedPermission, error) {
-	rows := []accesscontrol.SeedPermission{}
-	err := sess.SQL(
-		`SELECT role.display_name AS builtin_role, p.action, p.scope, '' AS origin
-		 FROM role INNER JOIN permission AS p ON p.role_id = role.id
-		 WHERE role.org_id = ? AND role.name LIKE 'basic:%'`,
-		accesscontrol.GlobalOrgID,
-	).Find(&rows)
-	return rows, err
-}

pkg/services/accesscontrol/dualwrite/reconciler.go

@@ -15,7 +15,6 @@ import (
 	"github.com/grafana/grafana/pkg/infra/db"
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/serverlock"
-	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/authz/zanzana"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/folder"
@@ -131,9 +130,6 @@ func (r *ZanzanaReconciler) Run(ctx context.Context) error {
 // Reconcile schedules as job that will run and reconcile resources between
 // legacy access control and zanzana.
 func (r *ZanzanaReconciler) Reconcile(ctx context.Context) error {
-	// Ensure we don't reconcile an empty/partial RBAC state before OSS has seeded basic role permissions.
-	// This matters most during startup where fixed-role loading + basic-role permission refresh runs as another background service.
-	r.waitForBasicRolesSeeded(ctx)
 	r.reconcile(ctx)
 
 	// FIXME:
@@ -149,57 +145,6 @@ func (r *ZanzanaReconciler) Reconcile(ctx context.Context) error {
 	}
 }
 
-func (r *ZanzanaReconciler) hasBasicRolePermissions(ctx context.Context) bool {
-	var count int64
-	// Basic role permissions are stored on "basic:%" roles in the global org (0).
-	// In a fresh DB, this will be empty until fixed roles are registered and the basic role permission refresh runs.
-	type row struct {
-		Count int64 `xorm:"count"`
-	}
-	_ = r.store.WithDbSession(ctx, func(sess *db.Session) error {
-		var rr row
-		_, err := sess.SQL(
-			`SELECT COUNT(*) AS count
-			 FROM role INNER JOIN permission AS p ON p.role_id = role.id
-			 WHERE role.org_id = ? AND role.name LIKE ?`,
-			accesscontrol.GlobalOrgID,
-			accesscontrol.BasicRolePrefix+"%",
-		).Get(&rr)
-		if err != nil {
-			return err
-		}
-		count = rr.Count
-		return nil
-	})
-	return count > 0
-}
-
-func (r *ZanzanaReconciler) waitForBasicRolesSeeded(ctx context.Context) {
-	// Best-effort: don't block forever. If we can't observe basic roles, proceed anyway.
-	const (
-		maxWait  = 15 * time.Second
-		interval = 1 * time.Second
-	)
-
-	deadline := time.NewTimer(maxWait)
-	defer deadline.Stop()
-	ticker := time.NewTicker(interval)
-	defer ticker.Stop()
-
-	for {
-		if r.hasBasicRolePermissions(ctx) {
-			return
-		}
-		select {
-		case <-ctx.Done():
-			return
-		case <-deadline.C:
-			return
-		case <-ticker.C:
-		}
-	}
-}
-
 func (r *ZanzanaReconciler) reconcile(ctx context.Context) {
 	run := func(ctx context.Context, namespace string) (ok bool) {
 		now := time.Now()

pkg/services/accesscontrol/dualwrite/reconciler_test.go

@@ -1,67 +0,0 @@
-package dualwrite
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/grafana/grafana/pkg/infra/db"
-	"github.com/grafana/grafana/pkg/services/accesscontrol"
-)
-
-func TestZanzanaReconciler_hasBasicRolePermissions(t *testing.T) {
-	env := setupTestEnv(t)
-
-	r := &ZanzanaReconciler{
-		store: env.db,
-	}
-
-	ctx := context.Background()
-	require.False(t, r.hasBasicRolePermissions(ctx))
-
-	err := env.db.WithDbSession(ctx, func(sess *db.Session) error {
-		now := time.Now()
-
-		_, err := sess.Exec(
-			`INSERT INTO role (org_id, uid, name, display_name, group_name, description, hidden, version, created, updated)
-			 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-			accesscontrol.GlobalOrgID,
-			"basic_viewer_uid_test",
-			accesscontrol.BasicRolePrefix+"viewer",
-			"Viewer",
-			"Basic",
-			"Viewer role",
-			false,
-			1,
-			now,
-			now,
-		)
-		if err != nil {
-			return err
-		}
-
-		var roleID int64
-		if _, err := sess.SQL(`SELECT id FROM role WHERE org_id = ? AND uid = ?`, accesscontrol.GlobalOrgID, "basic_viewer_uid_test").Get(&roleID); err != nil {
-			return err
-		}
-
-		_, err = sess.Exec(
-			`INSERT INTO permission (role_id, action, scope, kind, attribute, identifier, created, updated)
-			 VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
-			roleID,
-			"dashboards:read",
-			"dashboards:*",
-			"",
-			"",
-			"",
-			now,
-			now,
-		)
-		return err
-	})
-	require.NoError(t, err)
-
-	require.True(t, r.hasBasicRolePermissions(ctx))
-}

pkg/services/accesscontrol/dualwrite/resource_reconciler.go

@@ -3,13 +3,11 @@ package dualwrite
 import (
 	"context"
 	"fmt"
-	"strings"
 
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 
 	claims "github.com/grafana/authlib/types"
 
-	dashboardV1 "github.com/grafana/grafana/apps/dashboard/pkg/apis/dashboard/v1beta1"
 	authzextv1 "github.com/grafana/grafana/pkg/services/authz/proto/v1"
 	"github.com/grafana/grafana/pkg/services/authz/zanzana"
 )
@@ -21,30 +19,14 @@ type legacyTupleCollector func(ctx context.Context, orgID int64) (map[string]map
 type zanzanaTupleCollector func(ctx context.Context, client zanzana.Client, object string, namespace string) (map[string]*openfgav1.TupleKey, error)
 
 type resourceReconciler struct {
-	name               string
-	legacy             legacyTupleCollector
-	zanzana            zanzanaTupleCollector
-	client             zanzana.Client
-	orphanObjectPrefix string
-	orphanRelations    []string
+	name    string
+	legacy  legacyTupleCollector
+	zanzana zanzanaTupleCollector
+	client  zanzana.Client
 }
 
-func newResourceReconciler(name string, legacy legacyTupleCollector, zanzanaCollector zanzanaTupleCollector, client zanzana.Client) resourceReconciler {
-	r := resourceReconciler{name: name, legacy: legacy, zanzana: zanzanaCollector, client: client}
-
-	// we only need to worry about orphaned tuples for reconcilers that use the managed permissions collector (i.e. dashboards & folders)
-	switch name {
-	case "managed folder permissions":
-		// prefix for folders is `folder:`
-		r.orphanObjectPrefix = zanzana.NewObjectEntry(zanzana.TypeFolder, "", "", "", "")
-		r.orphanRelations = append([]string{}, zanzana.RelationsFolder...)
-	case "managed dashboard permissions":
-		// prefix for dashboards will be `resource:dashboard.grafana.app/dashboards/`
-		r.orphanObjectPrefix = fmt.Sprintf("%s/", zanzana.NewObjectEntry(zanzana.TypeResource, dashboardV1.APIGroup, dashboardV1.DASHBOARD_RESOURCE, "", ""))
-		r.orphanRelations = append([]string{}, zanzana.RelationsResouce...)
-	}
-
-	return r
+func newResourceReconciler(name string, legacy legacyTupleCollector, zanzana zanzanaTupleCollector, client zanzana.Client) resourceReconciler {
+	return resourceReconciler{name, legacy, zanzana, client}
 }
 
 func (r resourceReconciler) reconcile(ctx context.Context, namespace string) error {
@@ -53,15 +35,6 @@ func (r resourceReconciler) reconcile(ctx context.Context, namespace string) err
 		return err
 	}
 
-	// 0. Fetch all tuples currently stored in Zanzana. This will be used later on
-	// to cleanup orphaned tuples.
-	// This order needs to be kept (fetching from Zanzana first) to avoid accidentally
-	// cleaning up new tuples that were added after the legacy tuples were fetched.
-	allTuplesInZanzana, err := r.readAllTuples(ctx, namespace)
-	if err != nil {
-		return fmt.Errorf("failed to read all tuples from zanzana for %s: %w", r.name, err)
-	}
-
 	// 1. Fetch grafana resources stored in grafana db.
 	res, err := r.legacy(ctx, info.OrgID)
 	if err != nil {
@@ -114,14 +87,6 @@ func (r resourceReconciler) reconcile(ctx context.Context, namespace string) err
 		}
 	}
 
-	// when the last managed permission for a resource is removed, the legacy results will no
-	// longer contain any tuples for that resource. this process cleans it up when applicable.
-	orphans, err := r.collectOrphanDeletes(ctx, namespace, allTuplesInZanzana, res)
-	if err != nil {
-		return fmt.Errorf("failed to collect orphan deletes (%s): %w", r.name, err)
-	}
-	deletes = append(deletes, orphans...)
-
 	if len(writes) == 0 && len(deletes) == 0 {
 		return nil
 	}
@@ -154,79 +119,3 @@ func (r resourceReconciler) reconcile(ctx context.Context, namespace string) err
 
 	return nil
 }
-
-// collectOrphanDeletes collects tuples that are no longer present in the legacy results
-// but still are present in zanzana. when that is the case, we need to delete the tuple from
-// zanzana. this will happen when the last managed permission for a resource is removed.
-// this is only used for dashboards and folders, as those are the only resources that use the managed permissions collector.
-func (r resourceReconciler) collectOrphanDeletes(
-	ctx context.Context,
-	namespace string,
-	allTuplesInZanzana []*authzextv1.Tuple,
-	legacyReturnedTuples map[string]map[string]*openfgav1.TupleKey,
-) ([]*openfgav1.TupleKeyWithoutCondition, error) {
-	if r.orphanObjectPrefix == "" || len(r.orphanRelations) == 0 {
-		return []*openfgav1.TupleKeyWithoutCondition{}, nil
-	}
-
-	seen := map[string]struct{}{}
-	out := []*openfgav1.TupleKeyWithoutCondition{}
-
-	// what relation types we are interested in cleaning up
-	relationsToCleanup := map[string]struct{}{}
-	for _, rel := range r.orphanRelations {
-		relationsToCleanup[rel] = struct{}{}
-	}
-
-	for _, tuple := range allTuplesInZanzana {
-		if tuple == nil || tuple.Key == nil {
-			continue
-		}
-		// only cleanup the particular relation types we are interested in
-		if _, ok := relationsToCleanup[tuple.Key.Relation]; !ok {
-			continue
-		}
-		// only cleanup the particular object types we are interested in (either dashboards or folders)
-		if !strings.HasPrefix(tuple.Key.Object, r.orphanObjectPrefix) {
-			continue
-		}
-		// if legacy returned this object, it's not orphaned
-		if _, ok := legacyReturnedTuples[tuple.Key.Object]; ok {
-			continue
-		}
-		// keep track of the tuples we have already seen and marked for deletion
-		key := fmt.Sprintf("%s|%s|%s", tuple.Key.User, tuple.Key.Relation, tuple.Key.Object)
-		if _, ok := seen[key]; ok {
-			continue
-		}
-		seen[key] = struct{}{}
-		out = append(out, &openfgav1.TupleKeyWithoutCondition{
-			User:     tuple.Key.User,
-			Relation: tuple.Key.Relation,
-			Object:   tuple.Key.Object,
-		})
-	}
-
-	return out, nil
-}
-
-func (r resourceReconciler) readAllTuples(ctx context.Context, namespace string) ([]*authzextv1.Tuple, error) {
-	var (
-		out           []*authzextv1.Tuple
-		continueToken string
-	)
-	for {
-		res, err := r.client.Read(ctx, &authzextv1.ReadRequest{
-			Namespace:         namespace,
-			ContinuationToken: continueToken,
-		})
-		if err != nil {
-			return nil, err
-		}
-		out = append(out, res.Tuples...)
-		continueToken = res.ContinuationToken
-		if continueToken == "" {
-			return out, nil
-		}
-	}
-}

pkg/services/accesscontrol/dualwrite/resource_reconciler_orphan_test.go

@@ -1,110 +0,0 @@
-package dualwrite
-
-import (
-	"context"
-	"testing"
-
-	authlib "github.com/grafana/authlib/types"
-	openfgav1 "github.com/openfga/api/proto/openfga/v1"
-	"github.com/stretchr/testify/require"
-
-	authzextv1 "github.com/grafana/grafana/pkg/services/authz/proto/v1"
-	"github.com/grafana/grafana/pkg/services/authz/zanzana"
-)
-
-type fakeZanzanaClient struct {
-	readTuples []*authzextv1.Tuple
-	writeReqs  []*authzextv1.WriteRequest
-}
-
-func (f *fakeZanzanaClient) Read(ctx context.Context, req *authzextv1.ReadRequest) (*authzextv1.ReadResponse, error) {
-	return &authzextv1.ReadResponse{
-		Tuples:            f.readTuples,
-		ContinuationToken: "",
-	}, nil
-}
-
-func (f *fakeZanzanaClient) Write(ctx context.Context, req *authzextv1.WriteRequest) error {
-	f.writeReqs = append(f.writeReqs, req)
-	return nil
-}
-
-func (f *fakeZanzanaClient) BatchCheck(ctx context.Context, req *authzextv1.BatchCheckRequest) (*authzextv1.BatchCheckResponse, error) {
-	return &authzextv1.BatchCheckResponse{}, nil
-}
-
-func (f *fakeZanzanaClient) Mutate(ctx context.Context, req *authzextv1.MutateRequest) error {
-	return nil
-}
-
-func (f *fakeZanzanaClient) Query(ctx context.Context, req *authzextv1.QueryRequest) (*authzextv1.QueryResponse, error) {
-	return &authzextv1.QueryResponse{}, nil
-}
-
-func (f *fakeZanzanaClient) Check(ctx context.Context, info authlib.AuthInfo, req authlib.CheckRequest, folder string) (authlib.CheckResponse, error) {
-	return authlib.CheckResponse{Allowed: true}, nil
-}
-
-func (f *fakeZanzanaClient) Compile(ctx context.Context, info authlib.AuthInfo, req authlib.ListRequest) (authlib.ItemChecker, authlib.Zookie, error) {
-	return func(name, folder string) bool { return true }, authlib.NoopZookie{}, nil
-}
-
-func TestResourceReconciler_OrphanedManagedDashboardTuplesAreDeleted(t *testing.T) {
-	legacy := func(ctx context.Context, orgID int64) (map[string]map[string]*openfgav1.TupleKey, error) {
-		return map[string]map[string]*openfgav1.TupleKey{}, nil
-	}
-	zCollector := func(ctx context.Context, client zanzana.Client, object string, namespace string) (map[string]*openfgav1.TupleKey, error) {
-		return map[string]*openfgav1.TupleKey{}, nil
-	}
-
-	fake := &fakeZanzanaClient{}
-	r := newResourceReconciler("managed dashboard permissions", legacy, zCollector, fake)
-
-	require.NotEmpty(t, r.orphanObjectPrefix)
-	require.NotEmpty(t, r.orphanRelations)
-
-	relAllowed := r.orphanRelations[0]
-	objAllowed := r.orphanObjectPrefix + "dash-uid-1"
-
-	fake.readTuples = []*authzextv1.Tuple{
-		// should be removed
-		{
-			Key: &authzextv1.TupleKey{
-				User:     "user:1",
-				Relation: relAllowed,
-				Object:   objAllowed,
-			},
-		},
-
-		// same relation but different object type/prefix - should stay
-		{
-			Key: &authzextv1.TupleKey{
-				User:     "user:1",
-				Relation: relAllowed,
-				Object:   "folder:some-folder",
-			},
-		},
-		// same prefix but different relation - should stay
-		{
-			Key: &authzextv1.TupleKey{
-				User:     "user:1",
-				Relation: zanzana.RelationParent,
-				Object:   objAllowed,
-			},
-		},
-	}
-
-	err := r.reconcile(context.Background(), authlib.OrgNamespaceFormatter(1))
-	require.NoError(t, err)
-
-	require.Len(t, fake.writeReqs, 1)
-	wr := fake.writeReqs[0]
-	require.NotNil(t, wr.Deletes)
-	require.Nil(t, wr.Writes)
-
-	require.Len(t, wr.Deletes.TupleKeys, 1)
-	del := wr.Deletes.TupleKeys[0]
-	require.Equal(t, "user:1", del.User)
-	require.Equal(t, relAllowed, del.Relation)
-	require.Equal(t, objAllowed, del.Object)
-}

pkg/services/accesscontrol/models.go

@@ -1,7 +1,6 @@
 package accesscontrol
 
 import (
-	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -595,18 +594,3 @@ type QueryWithOrg struct {
 	OrgId  *int64 `json:"orgId"`
 	Global bool   `json:"global"`
 }
-
-type SeedPermission struct {
-	BuiltInRole string `xorm:"builtin_role"`
-	Action      string `xorm:"action"`
-	Scope       string `xorm:"scope"`
-	Origin      string `xorm:"origin"`
-}
-
-type RoleStore interface {
-	LoadRoles(ctx context.Context) (map[string]*RoleDTO, error)
-	SetRole(ctx context.Context, existingRole *RoleDTO, wantedRole RoleDTO) error
-	SetPermissions(ctx context.Context, existingRole *RoleDTO, wantedRole RoleDTO) error
-	CreateRole(ctx context.Context, role RoleDTO) error
-	DeleteRoles(ctx context.Context, roleUIDs []string) error
-}

pkg/services/accesscontrol/seeding/seeder.go

@@ -1,452 +0,0 @@
-package seeding
-
-import (
-	"context"
-	"fmt"
-	"regexp"
-	"slices"
-	"strings"
-
-	"github.com/grafana/grafana/pkg/infra/log"
-	"github.com/grafana/grafana/pkg/services/accesscontrol"
-	"github.com/grafana/grafana/pkg/services/accesscontrol/pluginutils"
-	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
-)
-
-type Seeder struct {
-	log                 log.Logger
-	roleStore           accesscontrol.RoleStore
-	backend             SeedingBackend
-	builtinsPermissions map[accesscontrol.SeedPermission]struct{}
-	seededFixedRoles    map[string]bool
-	seededPluginRoles   map[string]bool
-	seededPlugins       map[string]bool
-	hasSeededAlready    bool
-}
-
-// SeedingBackend provides the seed-set specific operations needed to seed.
-type SeedingBackend interface {
-	// LoadPrevious returns the currently stored permissions for previously seeded roles.
-	LoadPrevious(ctx context.Context) (map[accesscontrol.SeedPermission]struct{}, error)
-
-	// Apply updates the database to match the desired permissions.
-	Apply(ctx context.Context,
-		added, removed []accesscontrol.SeedPermission,
-		updated map[accesscontrol.SeedPermission]accesscontrol.SeedPermission,
-	) error
-}
-
-func New(log log.Logger, roleStore accesscontrol.RoleStore, backend SeedingBackend) *Seeder {
-	return &Seeder{
-		log:                 log,
-		roleStore:           roleStore,
-		backend:             backend,
-		builtinsPermissions: map[accesscontrol.SeedPermission]struct{}{},
-		seededFixedRoles:    map[string]bool{},
-		seededPluginRoles:   map[string]bool{},
-		seededPlugins:       map[string]bool{},
-		hasSeededAlready:    false,
-	}
-}
-
-// SetDesiredPermissions replaces the in-memory desired permission set used by Seed().
-func (s *Seeder) SetDesiredPermissions(desired map[accesscontrol.SeedPermission]struct{}) {
-	if desired == nil {
-		s.builtinsPermissions = map[accesscontrol.SeedPermission]struct{}{}
-		return
-	}
-	s.builtinsPermissions = desired
-}
-
-// Seed loads current and desired permissions, diffs them (including scope updates), applies changes, and bumps versions.
-func (s *Seeder) Seed(ctx context.Context) error {
-	previous, err := s.backend.LoadPrevious(ctx)
-	if err != nil {
-		return err
-	}
-
-	// - Do not remove plugin permissions when the plugin didn't register this run (Origin set but not in seededPlugins).
-	// - Preserve legacy plugin app access permissions in the persisted seed set (these are granted by default).
-	if len(previous) > 0 {
-		filtered := make(map[accesscontrol.SeedPermission]struct{}, len(previous))
-		for p := range previous {
-			// Legacy plugin app access permissions (Origin set) are granted by default and managed outside seeding.
-			// Keep them out of the diff so seeding doesn't try to remove or "re-add" them on every run.
-			if p.Action == pluginaccesscontrol.ActionAppAccess && p.Origin != "" {
-				continue
-			}
-			if p.Origin != "" && !s.seededPlugins[p.Origin] {
-				continue
-			}
-			filtered[p] = struct{}{}
-		}
-		previous = filtered
-	}
-
-	added, removed, updated := s.permissionDiff(previous, s.builtinsPermissions)
-
-	if err := s.backend.Apply(ctx, added, removed, updated); err != nil {
-		return err
-	}
-	return nil
-}
-
-// SeedRoles populates the database with the roles and their assignments
-// It will create roles that do not exist and update roles that have changed
-// Do not use for provisioning. Validation is not enforced.
-func (s *Seeder) SeedRoles(ctx context.Context, registrationList []accesscontrol.RoleRegistration) error {
-	roleMap, err := s.roleStore.LoadRoles(ctx)
-	if err != nil {
-		return err
-	}
-
-	missingRoles := make([]accesscontrol.RoleRegistration, 0, len(registrationList))
-
-	// Diff existing roles with the ones we want to seed.
-	// If a role is missing, we add it to the missingRoles list
-	for _, registration := range registrationList {
-		registration := registration
-		role, ok := roleMap[registration.Role.Name]
-		switch {
-		case registration.Role.IsFixed():
-			s.seededFixedRoles[registration.Role.Name] = true
-		case registration.Role.IsPlugin():
-			s.seededPluginRoles[registration.Role.Name] = true
-			// To be resilient to failed plugin loadings, we remember the plugins that have registered,
-			// later we'll ignore permissions and roles of other plugins
-			s.seededPlugins[pluginutils.PluginIDFromName(registration.Role.Name)] = true
-		}
-
-		s.rememberPermissionAssignments(&registration.Role, registration.Grants, registration.Exclude)
-
-		if !ok {
-			missingRoles = append(missingRoles, registration)
-			continue
-		}
-
-		if needsRoleUpdate(role, registration.Role) {
-			if err := s.roleStore.SetRole(ctx, role, registration.Role); err != nil {
-				return err
-			}
-		}
-
-		if needsPermissionsUpdate(role, registration.Role) {
-			if err := s.roleStore.SetPermissions(ctx, role, registration.Role); err != nil {
-				return err
-			}
-		}
-	}
-
-	for _, registration := range missingRoles {
-		if err := s.roleStore.CreateRole(ctx, registration.Role); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func needsPermissionsUpdate(existingRole *accesscontrol.RoleDTO, wantedRole accesscontrol.RoleDTO) bool {
-	if existingRole == nil {
-		return true
-	}
-
-	if len(existingRole.Permissions) != len(wantedRole.Permissions) {
-		return true
-	}
-
-	for _, p := range wantedRole.Permissions {
-		found := false
-		for _, ep := range existingRole.Permissions {
-			if ep.Action == p.Action && ep.Scope == p.Scope {
-				found = true
-				break
-			}
-		}
-		if !found {
-			return true
-		}
-	}
-
-	return false
-}
-
-func needsRoleUpdate(existingRole *accesscontrol.RoleDTO, wantedRole accesscontrol.RoleDTO) bool {
-	if existingRole == nil {
-		return true
-	}
-
-	if existingRole.Name != wantedRole.Name {
-		return false
-	}
-
-	if existingRole.DisplayName != wantedRole.DisplayName {
-		return true
-	}
-
-	if existingRole.Description != wantedRole.Description {
-		return true
-	}
-
-	if existingRole.Group != wantedRole.Group {
-		return true
-	}
-
-	if existingRole.Hidden != wantedRole.Hidden {
-		return true
-	}
-
-	return false
-}
-
-// Deprecated: SeedRole is deprecated and should not be used.
-// SeedRoles only does boot up seeding and should not be used for runtime seeding.
-func (s *Seeder) SeedRole(ctx context.Context, role accesscontrol.RoleDTO, builtInRoles []string) error {
-	addedPermissions := make(map[string]struct{}, len(role.Permissions))
-	permissions := make([]accesscontrol.Permission, 0, len(role.Permissions))
-	for _, p := range role.Permissions {
-		key := fmt.Sprintf("%s:%s", p.Action, p.Scope)
-		if _, ok := addedPermissions[key]; !ok {
-			addedPermissions[key] = struct{}{}
-			permissions = append(permissions, accesscontrol.Permission{Action: p.Action, Scope: p.Scope})
-		}
-	}
-
-	wantedRole := accesscontrol.RoleDTO{
-		OrgID:       accesscontrol.GlobalOrgID,
-		Version:     role.Version,
-		UID:         role.UID,
-		Name:        role.Name,
-		DisplayName: role.DisplayName,
-		Description: role.Description,
-		Group:       role.Group,
-		Permissions: permissions,
-		Hidden:      role.Hidden,
-	}
-	roleMap, err := s.roleStore.LoadRoles(ctx)
-	if err != nil {
-		return err
-	}
-
-	existingRole := roleMap[wantedRole.Name]
-	if existingRole == nil {
-		if err := s.roleStore.CreateRole(ctx, wantedRole); err != nil {
-			return err
-		}
-	} else {
-		if needsRoleUpdate(existingRole, wantedRole) {
-			if err := s.roleStore.SetRole(ctx, existingRole, wantedRole); err != nil {
-				return err
-			}
-		}
-		if needsPermissionsUpdate(existingRole, wantedRole) {
-			if err := s.roleStore.SetPermissions(ctx, existingRole, wantedRole); err != nil {
-				return err
-			}
-		}
-	}
-
-	// Remember seeded roles
-	if wantedRole.IsFixed() {
-		s.seededFixedRoles[wantedRole.Name] = true
-	}
-	isPluginRole := wantedRole.IsPlugin()
-	if isPluginRole {
-		s.seededPluginRoles[wantedRole.Name] = true
-
-		// To be resilient to failed plugin loadings, we remember the plugins that have registered,
-		// later we'll ignore permissions and roles of other plugins
-		s.seededPlugins[pluginutils.PluginIDFromName(role.Name)] = true
-	}
-
-	s.rememberPermissionAssignments(&wantedRole, builtInRoles, []string{})
-	return nil
-}
-
-func (s *Seeder) rememberPermissionAssignments(role *accesscontrol.RoleDTO, builtInRoles []string, excludedRoles []string) {
-	AppendDesiredPermissions(s.builtinsPermissions, s.log, role, builtInRoles, excludedRoles)
-}
-
-// AppendDesiredPermissions accumulates permissions from a role registration onto basic roles (Viewer/Editor/Admin/Grafana Admin).
-// - It expands parents via accesscontrol.BuiltInRolesWithParents.
-// - It can optionally ignore plugin app access permissions (which are granted by default).
-func AppendDesiredPermissions(
-	out map[accesscontrol.SeedPermission]struct{},
-	logger log.Logger,
-	role *accesscontrol.RoleDTO,
-	builtInRoles []string,
-	excludedRoles []string,
-) {
-	if out == nil || role == nil {
-		return
-	}
-
-	for builtInRole := range accesscontrol.BuiltInRolesWithParents(builtInRoles) {
-		// Skip excluded grants
-		if slices.Contains(excludedRoles, builtInRole) {
-			continue
-		}
-
-		for _, perm := range role.Permissions {
-			if role.IsPlugin() && perm.Action == pluginaccesscontrol.ActionAppAccess {
-				logger.Debug("Role is attempting to grant access permission, but this permission is already granted by default and will be ignored",
-					"role", role.Name, "permission", perm.Action, "scope", perm.Scope)
-				continue
-			}
-
-			sp := accesscontrol.SeedPermission{
-				BuiltInRole: builtInRole,
-				Action:      perm.Action,
-				Scope:       perm.Scope,
-			}
-
-			if role.IsPlugin() {
-				sp.Origin = pluginutils.PluginIDFromName(role.Name)
-			}
-
-			out[sp] = struct{}{}
-		}
-	}
-}
-
-// permissionDiff returns:
-// - added: present in desired permissions, not in previous permissions
-// - removed: present in previous permissions, not in desired permissions
-// - updated: same role + action, but scope changed
-func (s *Seeder) permissionDiff(previous, desired map[accesscontrol.SeedPermission]struct{}) (added, removed []accesscontrol.SeedPermission, updated map[accesscontrol.SeedPermission]accesscontrol.SeedPermission) {
-	addedSet := make(map[accesscontrol.SeedPermission]struct{}, 0)
-	for n := range desired {
-		if _, already := previous[n]; !already {
-			addedSet[n] = struct{}{}
-		} else {
-			delete(previous, n)
-		}
-	}
-
-	// Check if any of the new permissions is actually an old permission with an updated scope
-	updated = make(map[accesscontrol.SeedPermission]accesscontrol.SeedPermission, 0)
-	for n := range addedSet {
-		for p := range previous {
-			if n.BuiltInRole == p.BuiltInRole && n.Action == p.Action {
-				updated[p] = n
-				delete(addedSet, n)
-			}
-		}
-	}
-
-	for p := range addedSet {
-		added = append(added, p)
-	}
-
-	for p := range previous {
-		if p.Action == pluginaccesscontrol.ActionAppAccess &&
-			p.Scope != pluginaccesscontrol.ScopeProvider.GetResourceAllScope() {
-			// Allows backward compatibility with plugins that have been seeded before the grant ignore rule was added
-			s.log.Info("This permission already existed so it will not be removed",
-				"role", p.BuiltInRole, "permission", p.Action, "scope", p.Scope)
-			continue
-		}
-
-		removed = append(removed, p)
-	}
-
-	return added, removed, updated
-}
-
-func (s *Seeder) ClearBasicRolesPluginPermissions(ID string) {
-	removable := []accesscontrol.SeedPermission{}
-
-	for key := range s.builtinsPermissions {
-		if matchPermissionByPluginID(key, ID) {
-			removable = append(removable, key)
-		}
-	}
-
-	for _, perm := range removable {
-		delete(s.builtinsPermissions, perm)
-	}
-}
-
-func matchPermissionByPluginID(perm accesscontrol.SeedPermission, pluginID string) bool {
-	if perm.Origin != pluginID {
-		return false
-	}
-	actionTemplate := regexp.MustCompile(fmt.Sprintf("%s[.:]", pluginID))
-	scopeTemplate := fmt.Sprintf(":%s", pluginID)
-	return actionTemplate.MatchString(perm.Action) || strings.HasSuffix(perm.Scope, scopeTemplate)
-}
-
-// RolesToUpgrade returns the unique basic roles that should have their version incremented.
-func RolesToUpgrade(added, removed []accesscontrol.SeedPermission) []string {
-	set := map[string]struct{}{}
-	for _, p := range added {
-		set[p.BuiltInRole] = struct{}{}
-	}
-	for _, p := range removed {
-		set[p.BuiltInRole] = struct{}{}
-	}
-	out := make([]string, 0, len(set))
-	for r := range set {
-		out = append(out, r)
-	}
-	return out
-}
-
-func (s *Seeder) ClearPluginRoles(ID string) {
-	expectedPrefix := fmt.Sprintf("%s%s:", accesscontrol.PluginRolePrefix, ID)
-
-	for roleName := range s.seededPluginRoles {
-		if strings.HasPrefix(roleName, expectedPrefix) {
-			delete(s.seededPluginRoles, roleName)
-		}
-	}
-}
-
-func (s *Seeder) MarkSeededAlready() {
-	s.hasSeededAlready = true
-}
-
-func (s *Seeder) HasSeededAlready() bool {
-	return s.hasSeededAlready
-}
-
-func (s *Seeder) RemoveAbsentRoles(ctx context.Context) error {
-	roleMap, errGet := s.roleStore.LoadRoles(ctx)
-	if errGet != nil {
-		s.log.Error("failed to get fixed roles from store", "err", errGet)
-		return errGet
-	}
-
-	toRemove := []string{}
-	for _, r := range roleMap {
-		if r == nil {
-			continue
-		}
-		if r.IsFixed() {
-			if !s.seededFixedRoles[r.Name] {
-				s.log.Info("role is not seeded anymore, mark it for deletion", "role", r.Name)
-				toRemove = append(toRemove, r.UID)
-			}
-			continue
-		}
-
-		if r.IsPlugin() {
-			if !s.seededPlugins[pluginutils.PluginIDFromName(r.Name)] {
-				// To be resilient to failed plugin loadings
-				// ignore stored roles related to plugins that have not registered this time
-				s.log.Debug("plugin role has not been registered on this run skipping its removal", "role", r.Name)
-				continue
-			}
-			if !s.seededPluginRoles[r.Name] {
-				s.log.Info("role is not seeded anymore, mark it for deletion", "role", r.Name)
-				toRemove = append(toRemove, r.UID)
-			}
-		}
-	}
-
-	if errDelete := s.roleStore.DeleteRoles(ctx, toRemove); errDelete != nil {
-		s.log.Error("failed to delete absent fixed and plugin roles", "err", errDelete)
-		return errDelete
-	}
-	return nil
-}

pkg/services/authz/proto/v1/extention.proto

@@ -9,8 +9,6 @@ import "google/protobuf/timestamp.proto";
 import "google/protobuf/wrappers.proto";
 
 service AuthzExtentionService {
-  rpc BatchCheck(BatchCheckRequest) returns (BatchCheckResponse);
-
   rpc Read(ReadRequest) returns (ReadResponse);
   rpc Write(WriteRequest) returns (WriteResponse);
 
@@ -231,29 +229,6 @@ message WriteRequest {
 
 message WriteResponse {}
 
-message BatchCheckRequest {
-  string subject = 1;
-  string namespace = 2;
-  repeated BatchCheckItem items = 3;
-}
-
-message BatchCheckItem {
-  string verb = 1;
-  string group = 2;
-  string resource = 3;
-  string name = 4;
-  string subresource = 5;
-  string folder = 6;
-}
-
-message BatchCheckResponse {
-  map<string, BatchCheckGroupResource> groups = 1;
-}
-
-message BatchCheckGroupResource {
-  map<string, bool> items = 1;
-}
-
 message QueryRequest {
   string namespace = 1;
   QueryOperation operation = 2;

pkg/services/authz/proto/v1/extention_grpc.pb.go

@@ -19,18 +19,16 @@ import (
 const _ = grpc.SupportPackageIsVersion8
 
 const (
-	AuthzExtentionService_BatchCheck_FullMethodName = "/authz.extention.v1.AuthzExtentionService/BatchCheck"
-	AuthzExtentionService_Read_FullMethodName       = "/authz.extention.v1.AuthzExtentionService/Read"
-	AuthzExtentionService_Write_FullMethodName      = "/authz.extention.v1.AuthzExtentionService/Write"
-	AuthzExtentionService_Mutate_FullMethodName     = "/authz.extention.v1.AuthzExtentionService/Mutate"
-	AuthzExtentionService_Query_FullMethodName      = "/authz.extention.v1.AuthzExtentionService/Query"
+	AuthzExtentionService_Read_FullMethodName   = "/authz.extention.v1.AuthzExtentionService/Read"
+	AuthzExtentionService_Write_FullMethodName  = "/authz.extention.v1.AuthzExtentionService/Write"
+	AuthzExtentionService_Mutate_FullMethodName = "/authz.extention.v1.AuthzExtentionService/Mutate"
+	AuthzExtentionService_Query_FullMethodName  = "/authz.extention.v1.AuthzExtentionService/Query"
 )
 
 // AuthzExtentionServiceClient is the client API for AuthzExtentionService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type AuthzExtentionServiceClient interface {
-	BatchCheck(ctx context.Context, in *BatchCheckRequest, opts ...grpc.CallOption) (*BatchCheckResponse, error)
 	Read(ctx context.Context, in *ReadRequest, opts ...grpc.CallOption) (*ReadResponse, error)
 	Write(ctx context.Context, in *WriteRequest, opts ...grpc.CallOption) (*WriteResponse, error)
 	Mutate(ctx context.Context, in *MutateRequest, opts ...grpc.CallOption) (*MutateResponse, error)
@@ -45,16 +43,6 @@ func NewAuthzExtentionServiceClient(cc grpc.ClientConnInterface) AuthzExtentionS
 	return &authzExtentionServiceClient{cc}
 }
 
-func (c *authzExtentionServiceClient) BatchCheck(ctx context.Context, in *BatchCheckRequest, opts ...grpc.CallOption) (*BatchCheckResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(BatchCheckResponse)
-	err := c.cc.Invoke(ctx, AuthzExtentionService_BatchCheck_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *authzExtentionServiceClient) Read(ctx context.Context, in *ReadRequest, opts ...grpc.CallOption) (*ReadResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ReadResponse)
@@ -99,7 +87,6 @@ func (c *authzExtentionServiceClient) Query(ctx context.Context, in *QueryReques
 // All implementations should embed UnimplementedAuthzExtentionServiceServer
 // for forward compatibility
 type AuthzExtentionServiceServer interface {
-	BatchCheck(context.Context, *BatchCheckRequest) (*BatchCheckResponse, error)
 	Read(context.Context, *ReadRequest) (*ReadResponse, error)
 	Write(context.Context, *WriteRequest) (*WriteResponse, error)
 	Mutate(context.Context, *MutateRequest) (*MutateResponse, error)
@@ -110,9 +97,6 @@ type AuthzExtentionServiceServer interface {
 type UnimplementedAuthzExtentionServiceServer struct {
 }
 
-func (UnimplementedAuthzExtentionServiceServer) BatchCheck(context.Context, *BatchCheckRequest) (*BatchCheckResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method BatchCheck not implemented")
-}
 func (UnimplementedAuthzExtentionServiceServer) Read(context.Context, *ReadRequest) (*ReadResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Read not implemented")
 }
@@ -137,24 +121,6 @@ func RegisterAuthzExtentionServiceServer(s grpc.ServiceRegistrar, srv AuthzExten
 	s.RegisterService(&AuthzExtentionService_ServiceDesc, srv)
 }
 
-func _AuthzExtentionService_BatchCheck_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(BatchCheckRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(AuthzExtentionServiceServer).BatchCheck(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: AuthzExtentionService_BatchCheck_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(AuthzExtentionServiceServer).BatchCheck(ctx, req.(*BatchCheckRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _AuthzExtentionService_Read_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(ReadRequest)
 	if err := dec(in); err != nil {
@@ -234,10 +200,6 @@ var AuthzExtentionService_ServiceDesc = grpc.ServiceDesc{
 	ServiceName: "authz.extention.v1.AuthzExtentionService",
 	HandlerType: (*AuthzExtentionServiceServer)(nil),
 	Methods: []grpc.MethodDesc{
-		{
-			MethodName: "BatchCheck",
-			Handler:    _AuthzExtentionService_BatchCheck_Handler,
-		},
 		{
 			MethodName: "Read",
 			Handler:    _AuthzExtentionService_Read_Handler,

pkg/services/authz/rbac/service.go

@@ -186,6 +186,150 @@ func (s *Service) Check(ctx context.Context, req *authzv1.CheckRequest) (*authzv
 	return &authzv1.CheckResponse{Allowed: allowed}, nil
 }
 
+// BatchCheck implements authzv1.AuthzServiceServer.BatchCheck
+// This performs multiple access checks in a single request with optimized batching.
+// 1. Validates the subject once
+// 2. Groups checks by (namespace, action) to load permissions once per group
+// 3. Reuses the folder tree across checks
+func (s *Service) BatchCheck(ctx context.Context, req *authzv1.BatchCheckRequest) (*authzv1.BatchCheckResponse, error) {
+	ctx, span := s.tracer.Start(ctx, "authz_direct_db.service.BatchCheck")
+	defer span.End()
+
+	checks := req.GetChecks()
+	span.SetAttributes(attribute.Int("check_count", len(checks)))
+
+	ctxLogger := s.logger.FromContext(ctx).New(
+		"subject", req.GetSubject(),
+		"check_count", len(checks),
+	)
+	defer func(start time.Time) {
+		ctxLogger.Debug("BatchCheck execution time", "duration", time.Since(start).Milliseconds())
+	}(time.Now())
+
+	// Early check for auth info - required for namespace validation
+	if _, has := types.AuthInfoFrom(ctx); !has {
+		return nil, status.Error(codes.Internal, "could not get auth info from context")
+	}
+
+	if len(checks) == 0 {
+		return &authzv1.BatchCheckResponse{
+			Results: make(map[string]*authzv1.BatchCheckResult),
+			Zookie:  &authzv1.Zookie{Timestamp: time.Now().UnixMilli()},
+		}, nil
+	}
+
+	// Validate subject once for all checks
+	userUID, idType, err := s.validateSubject(ctx, req.GetSubject())
+	if err != nil {
+		ctxLogger.Error("invalid subject", "error", err)
+		// Return all checks as denied with the same error
+		results := make(map[string]*authzv1.BatchCheckResult, len(checks))
+		for _, item := range checks {
+			results[item.GetCorrelationId()] = &authzv1.BatchCheckResult{
+				Allowed: false,
+				Error:   err.Error(),
+			}
+		}
+		return &authzv1.BatchCheckResponse{Results: results, Zookie: &authzv1.Zookie{Timestamp: time.Now().UnixMilli()}}, nil
+	}
+
+	results := make(map[string]*authzv1.BatchCheckResult, len(checks))
+
+	// Group checks by (namespace, action) to batch permission lookups
+	type checkGroup struct {
+		namespace  types.NamespaceInfo
+		action     string
+		actionSets []string
+		items      []*authzv1.BatchCheckItem
+		checkReqs  []*checkRequest
+	}
+	groups := make(map[string]*checkGroup)
+
+	// First pass: validate and group checks
+	for _, item := range checks {
+		ns, err := validateNamespace(ctx, item.GetNamespace())
+		if err != nil {
+			results[item.GetCorrelationId()] = &authzv1.BatchCheckResult{Allowed: false, Error: err.Error()}
+			continue
+		}
+
+		action, actionSets, err := s.validateAction(ctx, item.GetGroup(), item.GetResource(), item.GetVerb())
+		if err != nil {
+			results[item.GetCorrelationId()] = &authzv1.BatchCheckResult{Allowed: false, Error: err.Error()}
+			continue
+		}
+
+		// Create the internal check request
+		checkReq := &checkRequest{
+			Namespace:    ns,
+			UserUID:      userUID,
+			IdentityType: idType,
+			Action:       action,
+			ActionSets:   actionSets,
+			Group:        item.GetGroup(),
+			Resource:     item.GetResource(),
+			Verb:         item.GetVerb(),
+			Name:         item.GetName(),
+			ParentFolder: item.GetFolder(),
+		}
+
+		// Group by namespace + action
+		groupKey := ns.Value + ":" + action
+		if g, ok := groups[groupKey]; ok {
+			g.items = append(g.items, item)
+			g.checkReqs = append(g.checkReqs, checkReq)
+		} else {
+			groups[groupKey] = &checkGroup{
+				namespace:  ns,
+				action:     action,
+				actionSets: actionSets,
+				items:      []*authzv1.BatchCheckItem{item},
+				checkReqs:  []*checkRequest{checkReq},
+			}
+		}
+	}
+
+	// Second pass: process each group with shared permissions
+	for _, group := range groups {
+		// Set namespace in context for this group (required by store methods)
+		groupCtx := request.WithNamespace(ctx, group.namespace.Value)
+
+		// Try to get cached permissions first, then fall back to store
+		permissions, err := s.getCachedIdentityPermissions(groupCtx, group.namespace, idType, userUID, group.action)
+		if err != nil {
+			// Cache miss - fetch from store
+			permissions, err = s.getIdentityPermissions(groupCtx, group.namespace, idType, userUID, group.action, group.actionSets)
+			if err != nil {
+				ctxLogger.Error("could not get permissions", "namespace", group.namespace.Value, "action", group.action, "error", err)
+				for _, item := range group.items {
+					results[item.GetCorrelationId()] = &authzv1.BatchCheckResult{Allowed: false, Error: err.Error()}
+				}
+				continue
+			}
+		}
+
+		// Check each item in the group using the shared permissions
+		for i, item := range group.items {
+			checkReq := group.checkReqs[i]
+
+			allowed, err := s.checkPermission(groupCtx, permissions, checkReq)
+			if err != nil {
+				results[item.GetCorrelationId()] = &authzv1.BatchCheckResult{Allowed: false, Error: err.Error()}
+				continue
+			}
+
+			results[item.GetCorrelationId()] = &authzv1.BatchCheckResult{Allowed: allowed}
+		}
+	}
+
+	span.SetAttributes(attribute.Int("groups_processed", len(groups)))
+
+	return &authzv1.BatchCheckResponse{
+		Results: results,
+		Zookie:  &authzv1.Zookie{Timestamp: time.Now().UnixMilli()},
+	}, nil
+}
+
 func (s *Service) List(ctx context.Context, req *authzv1.ListRequest) (*authzv1.ListResponse, error) {
 	ctx, span := s.tracer.Start(ctx, "authz_direct_db.service.List")
 	defer span.End()

pkg/services/authz/rbac/service_test.go

@@ -1829,6 +1829,613 @@ func TestService_CacheList(t *testing.T) {
 	})
 }
 
+func TestService_BatchCheck(t *testing.T) {
+	callingService := authn.NewAccessTokenAuthInfo(authn.Claims[authn.AccessTokenClaims]{
+		Claims: jwt.Claims{
+			Subject:  types.NewTypeID(types.TypeAccessPolicy, "some-service"),
+			Audience: []string{"authzservice"},
+		},
+		Rest: authn.AccessTokenClaims{Namespace: "org-12"},
+	})
+
+	t.Run("Require auth info", func(t *testing.T) {
+		s := setupService()
+		ctx := context.Background()
+		_, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+			Subject: "user:test-uid",
+			Checks: []*authzv1.BatchCheckItem{
+				{
+					Namespace:     "org-12",
+					Group:         "dashboard.grafana.app",
+					Resource:      "dashboards",
+					Verb:          "get",
+					Name:          "dash1",
+					CorrelationId: "check1",
+				},
+			},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "could not get auth info")
+	})
+
+	t.Run("Empty checks returns empty results", func(t *testing.T) {
+		s := setupService()
+		ctx := types.WithAuthInfo(context.Background(), callingService)
+
+		resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+			Subject: "user:test-uid",
+			Checks:  []*authzv1.BatchCheckItem{},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.Empty(t, resp.Results)
+	})
+
+	type batchCheckTestCase struct {
+		name              string
+		checks            []*authzv1.BatchCheckItem
+		permissions       []accesscontrol.Permission
+		folders           []store.Folder
+		expectedResults   map[string]bool
+		expectedErrors    map[string]bool // true if error expected for this correlation ID
+		expectGlobalError bool
+	}
+
+	t.Run("Request validation", func(t *testing.T) {
+		testCases := []batchCheckTestCase{
+			{
+				name: "should return error for invalid namespace",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+				expectedResults: map[string]bool{"check1": false},
+				expectedErrors:  map[string]bool{"check1": true},
+			},
+			{
+				name: "should return error for namespace mismatch",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-13",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+				expectedResults: map[string]bool{"check1": false},
+				expectedErrors:  map[string]bool{"check1": true},
+			},
+			{
+				name: "should return error for unknown group",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "unknown.grafana.app",
+						Resource:      "unknown",
+						Verb:          "get",
+						Name:          "u1",
+						CorrelationId: "check1",
+					},
+				},
+				expectedResults: map[string]bool{"check1": false},
+				expectedErrors:  map[string]bool{"check1": true},
+			},
+			{
+				name: "should return error for unknown verb",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "unknown",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+				expectedResults: map[string]bool{"check1": false},
+				expectedErrors:  map[string]bool{"check1": true},
+			},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				s := setupService()
+				ctx := types.WithAuthInfo(context.Background(), callingService)
+				userID := &store.UserIdentifiers{UID: "test-uid", ID: 1}
+				store := &fakeStore{
+					userID:          userID,
+					userPermissions: tc.permissions,
+				}
+				s.store = store
+				s.permissionStore = store
+				s.identityStore = &fakeIdentityStore{}
+
+				resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+					Subject: "user:test-uid",
+					Checks:  tc.checks,
+				})
+				require.NoError(t, err)
+				require.NotNil(t, resp)
+				for corrID, expectedAllowed := range tc.expectedResults {
+					result, ok := resp.Results[corrID]
+					require.True(t, ok, "result for %s not found", corrID)
+					require.Equal(t, expectedAllowed, result.Allowed, "unexpected allowed for %s", corrID)
+					if tc.expectedErrors[corrID] {
+						require.NotEmpty(t, result.Error, "expected error for %s", corrID)
+					}
+				}
+			})
+		}
+	})
+
+	t.Run("User permission checks", func(t *testing.T) {
+		testCases := []batchCheckTestCase{
+			{
+				name: "should allow user with permission on single resource",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+				permissions:     []accesscontrol.Permission{{Action: "dashboards:read", Scope: "dashboards:uid:dash1"}},
+				expectedResults: map[string]bool{"check1": true},
+			},
+			{
+				name: "should deny user without permission",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+				permissions:     []accesscontrol.Permission{{Action: "dashboards:read", Scope: "dashboards:uid:dash2"}},
+				expectedResults: map[string]bool{"check1": false},
+			},
+			{
+				name: "should handle multiple checks with mixed results",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash2",
+						CorrelationId: "check2",
+					},
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash3",
+						CorrelationId: "check3",
+					},
+				},
+				permissions: []accesscontrol.Permission{
+					{Action: "dashboards:read", Scope: "dashboards:uid:dash1"},
+					{Action: "dashboards:read", Scope: "dashboards:uid:dash3"},
+				},
+				expectedResults: map[string]bool{
+					"check1": true,
+					"check2": false,
+					"check3": true,
+				},
+			},
+			{
+				name: "should handle wildcard permission",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash2",
+						CorrelationId: "check2",
+					},
+				},
+				permissions:     []accesscontrol.Permission{{Action: "dashboards:read", Scope: "*", Kind: "*"}},
+				expectedResults: map[string]bool{"check1": true, "check2": true},
+			},
+			{
+				name: "should handle folder inheritance",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						Folder:        "child",
+						CorrelationId: "check1",
+					},
+				},
+				permissions: []accesscontrol.Permission{
+					{Action: "dashboards:read", Scope: "folders:uid:parent", Kind: "folders", Attribute: "uid", Identifier: "parent"},
+				},
+				folders: []store.Folder{
+					{UID: "parent"},
+					{UID: "child", ParentUID: strPtr("parent")},
+				},
+				expectedResults: map[string]bool{"check1": true},
+			},
+			{
+				name: "should handle action sets",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+				permissions:     []accesscontrol.Permission{{Action: "dashboards:admin", Scope: "dashboards:uid:dash1"}},
+				expectedResults: map[string]bool{"check1": true},
+			},
+			{
+				name: "should handle checks across different resources",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+					{
+						Namespace:     "org-12",
+						Group:         "folder.grafana.app",
+						Resource:      "folders",
+						Verb:          "get",
+						Name:          "fold1",
+						CorrelationId: "check2",
+					},
+				},
+				permissions: []accesscontrol.Permission{
+					{Action: "dashboards:read", Scope: "dashboards:uid:dash1"},
+					{Action: "folders:read", Scope: "folders:uid:fold1"},
+				},
+				expectedResults: map[string]bool{"check1": true, "check2": true},
+			},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				s := setupService()
+				ctx := types.WithAuthInfo(context.Background(), callingService)
+				userID := &store.UserIdentifiers{UID: "test-uid", ID: 1}
+				store := &fakeStore{
+					userID:          userID,
+					userPermissions: tc.permissions,
+					folders:         tc.folders,
+				}
+				s.store = store
+				s.permissionStore = store
+				s.folderStore = store
+				s.identityStore = &fakeIdentityStore{}
+
+				if tc.folders != nil {
+					s.folderCache.Set(ctx, folderCacheKey("org-12"), newFolderTree(tc.folders))
+				}
+
+				resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+					Subject: "user:test-uid",
+					Checks:  tc.checks,
+				})
+				require.NoError(t, err)
+				require.NotNil(t, resp)
+				require.Len(t, resp.Results, len(tc.expectedResults))
+				for corrID, expectedAllowed := range tc.expectedResults {
+					result, ok := resp.Results[corrID]
+					require.True(t, ok, "result for %s not found", corrID)
+					require.Equal(t, expectedAllowed, result.Allowed, "unexpected allowed for %s", corrID)
+				}
+			})
+		}
+	})
+
+	t.Run("Anonymous permission checks", func(t *testing.T) {
+		testCases := []batchCheckTestCase{
+			{
+				name: "should allow anonymous with permission",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+				permissions:     []accesscontrol.Permission{{Action: "dashboards:read", Scope: "dashboards:uid:dash1"}},
+				expectedResults: map[string]bool{"check1": true},
+			},
+			{
+				name: "should deny anonymous without permission",
+				checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+				permissions:     []accesscontrol.Permission{{Action: "dashboards:read", Scope: "dashboards:uid:dash2"}},
+				expectedResults: map[string]bool{"check1": false},
+			},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				s := setupService()
+				ctx := types.WithAuthInfo(context.Background(), callingService)
+				store := &fakeStore{userPermissions: tc.permissions}
+				s.store = store
+				s.permissionStore = store
+				s.identityStore = &fakeIdentityStore{}
+
+				resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+					Subject: "anonymous:0",
+					Checks:  tc.checks,
+				})
+				require.NoError(t, err)
+				require.NotNil(t, resp)
+				for corrID, expectedAllowed := range tc.expectedResults {
+					result, ok := resp.Results[corrID]
+					require.True(t, ok, "result for %s not found", corrID)
+					require.Equal(t, expectedAllowed, result.Allowed, "unexpected allowed for %s", corrID)
+				}
+			})
+		}
+	})
+
+	t.Run("Rendering permission checks", func(t *testing.T) {
+		t.Run("should allow rendering with permission", func(t *testing.T) {
+			s := setupService()
+			ctx := types.WithAuthInfo(context.Background(), callingService)
+
+			resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+				Subject: "render:0",
+				Checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+			})
+			require.NoError(t, err)
+			require.NotNil(t, resp)
+			require.True(t, resp.Results["check1"].Allowed)
+		})
+
+		t.Run("should deny rendering access to another app resources", func(t *testing.T) {
+			s := setupService()
+			ctx := types.WithAuthInfo(context.Background(), callingService)
+
+			resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+				Subject: "render:0",
+				Checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "another.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+				},
+			})
+			require.NoError(t, err)
+			require.NotNil(t, resp)
+			require.False(t, resp.Results["check1"].Allowed)
+			require.NotEmpty(t, resp.Results["check1"].Error)
+		})
+	})
+
+	t.Run("Invalid subject returns errors for all checks", func(t *testing.T) {
+		s := setupService()
+		ctx := types.WithAuthInfo(context.Background(), callingService)
+		store := &fakeStore{}
+		s.store = store
+		s.permissionStore = store
+		s.identityStore = &fakeIdentityStore{}
+
+		resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+			Subject: "invalid:12",
+			Checks: []*authzv1.BatchCheckItem{
+				{
+					Namespace:     "org-12",
+					Group:         "dashboard.grafana.app",
+					Resource:      "dashboards",
+					Verb:          "get",
+					Name:          "dash1",
+					CorrelationId: "check1",
+				},
+				{
+					Namespace:     "org-12",
+					Group:         "dashboard.grafana.app",
+					Resource:      "dashboards",
+					Verb:          "get",
+					Name:          "dash2",
+					CorrelationId: "check2",
+				},
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.Len(t, resp.Results, 2)
+		for _, result := range resp.Results {
+			require.False(t, result.Allowed)
+			require.NotEmpty(t, result.Error)
+		}
+	})
+
+	t.Run("Grouping optimization", func(t *testing.T) {
+		t.Run("should batch permission lookups for same action", func(t *testing.T) {
+			s := setupService()
+			ctx := types.WithAuthInfo(context.Background(), callingService)
+			userID := &store.UserIdentifiers{UID: "test-uid", ID: 1}
+			fStore := &fakeStore{
+				userID: userID,
+				userPermissions: []accesscontrol.Permission{
+					{Action: "dashboards:read", Scope: "dashboards:uid:dash1"},
+					{Action: "dashboards:read", Scope: "dashboards:uid:dash2"},
+				},
+			}
+			s.store = fStore
+			s.permissionStore = fStore
+			s.identityStore = &fakeIdentityStore{}
+
+			resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+				Subject: "user:test-uid",
+				Checks: []*authzv1.BatchCheckItem{
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash1",
+						CorrelationId: "check1",
+					},
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash2",
+						CorrelationId: "check2",
+					},
+					{
+						Namespace:     "org-12",
+						Group:         "dashboard.grafana.app",
+						Resource:      "dashboards",
+						Verb:          "get",
+						Name:          "dash3",
+						CorrelationId: "check3",
+					},
+				},
+			})
+			require.NoError(t, err)
+			require.NotNil(t, resp)
+			require.True(t, resp.Results["check1"].Allowed)
+			require.True(t, resp.Results["check2"].Allowed)
+			require.False(t, resp.Results["check3"].Allowed)
+
+			// Verify permissions were fetched only once (1 call for userID + 1 call for basicRole + 1 call for permissions)
+			require.Equal(t, 3, fStore.calls)
+		})
+	})
+}
+
+func TestService_CacheBatchCheck(t *testing.T) {
+	callingService := authn.NewAccessTokenAuthInfo(authn.Claims[authn.AccessTokenClaims]{
+		Claims: jwt.Claims{
+			Subject:  types.NewTypeID(types.TypeAccessPolicy, "some-service"),
+			Audience: []string{"authzservice"},
+		},
+		Rest: authn.AccessTokenClaims{Namespace: "org-12"},
+	})
+
+	ctx := types.WithAuthInfo(context.Background(), callingService)
+	userID := &store.UserIdentifiers{UID: "test-uid", ID: 1}
+
+	t.Run("Allow based on cached permissions", func(t *testing.T) {
+		s := setupService()
+
+		s.idCache.Set(ctx, userIdentifierCacheKey("org-12", "test-uid"), *userID)
+		s.permCache.Set(ctx, userPermCacheKey("org-12", "test-uid", "dashboards:read"), map[string]bool{"dashboards:uid:dash1": true})
+
+		resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+			Subject: "user:test-uid",
+			Checks: []*authzv1.BatchCheckItem{
+				{
+					Namespace:     "org-12",
+					Group:         "dashboard.grafana.app",
+					Resource:      "dashboards",
+					Verb:          "get",
+					Name:          "dash1",
+					CorrelationId: "check1",
+				},
+			},
+		})
+		require.NoError(t, err)
+		require.True(t, resp.Results["check1"].Allowed)
+	})
+
+	t.Run("Fallback to database on cache miss", func(t *testing.T) {
+		s := setupService()
+
+		// Populate database but not cache
+		fStore := &fakeStore{
+			userID:          userID,
+			userPermissions: []accesscontrol.Permission{{Action: "dashboards:read", Scope: "dashboards:uid:dash2"}},
+		}
+		s.store = fStore
+		s.permissionStore = fStore
+		s.identityStore = &fakeIdentityStore{}
+
+		s.idCache.Set(ctx, userIdentifierCacheKey("org-12", "test-uid"), *userID)
+
+		resp, err := s.BatchCheck(ctx, &authzv1.BatchCheckRequest{
+			Subject: "user:test-uid",
+			Checks: []*authzv1.BatchCheckItem{
+				{
+					Namespace:     "org-12",
+					Group:         "dashboard.grafana.app",
+					Resource:      "dashboards",
+					Verb:          "get",
+					Name:          "dash2",
+					CorrelationId: "check1",
+				},
+			},
+		})
+		require.NoError(t, err)
+		require.True(t, resp.Results["check1"].Allowed)
+	})
+}
+
 func setupService() *Service {
 	cache := cache.NewLocalCache(cache.Config{Expiry: 5 * time.Minute, CleanupInterval: 5 * time.Minute})
 	logger := log.New("authz-rbac-service")

pkg/services/authz/zanzana/client.go

@@ -13,7 +13,6 @@ type Client interface {
 	authlib.AccessClient
 	Read(ctx context.Context, req *authzextv1.ReadRequest) (*authzextv1.ReadResponse, error)
 	Write(ctx context.Context, req *authzextv1.WriteRequest) error
-	BatchCheck(ctx context.Context, req *authzextv1.BatchCheckRequest) (*authzextv1.BatchCheckResponse, error)
 
 	Mutate(ctx context.Context, req *authzextv1.MutateRequest) error
 	Query(ctx context.Context, req *authzextv1.QueryRequest) (*authzextv1.QueryResponse, error)