[alerting_v2] Register rules as SML type and attachment in Agent Builder (elastic#265363)

## Summary
Resolves elastic#265349 

Registers Alerting V2 rules as an SML type and attachment in the Agent
Builder platform, enabling an end-to-end flow where the agent can
propose, create, and manage rules through conversation.



https://github.com/user-attachments/assets/aaa8f900-825f-4820-bc6e-a0604572bdee



### Flow

1. **Discovery** — Rules are registered as an SML type. The agent can
search for existing rules and attach them to a conversation.
2. **Proposal** — The agent uses the `manage_rule` tool to propose a
rule definition. This creates an inline attachment visible in the
conversation.
3. **Preview** — The user clicks "Preview" to open the canvas flyout,
which renders the full `RuleSidebar` (Conditions + Runbook tabs) and
`RuleHeaderDescription` (description + tags) from the rule details page
— the same components used in the standalone rules app.
4. **Save / Update** — The canvas header exposes:
- **Save as Rule** (unsaved): persists the agent's proposal to the
server.
- **Update Rule** (saved): pushes agent-revised data back to the server.
   - **View in Rules** (overflow): navigates to the rule details page.

### Implementation

- **Server**: SML rule type for discovery, rule attachment type with
create/update/delete/enable/disable operations, `manage_rule` tool, and
a `rule-management` skill.
- **UI**: Inline attachment card (name, status badge, kind badge,
schedule, description, tags) and canvas flyout embedding `RuleSidebar` +
`RuleHeaderDescription` inside the alerting_v2 DI container context.
- **DI fix**: The canvas flyout renders in the Agent Builder React tree
(no alerting_v2 DI container). `RuleCanvasContent` wraps its subtree
with `<Context.Provider value={container}>` so `useService` calls inside
`RuleSidebar` resolve correctly.

### Screenshot

<img width="1928" height="910" alt="image"
src="https://github.com/user-attachments/assets/de56dfab-19be-460d-a43f-d8ce08b5c888"
/>

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
\`release_note:breaking\` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct \`release_note:*\` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable \`backport:*\` labels.

### Identify risks

- The `data as unknown as RuleApiResponse` cast in `RuleCanvasContent`
bridges the gap between optional attachment data fields and required API
response fields. If the agent omits a required field, `RuleSidebar` may
render incomplete data — acceptable for a preview-only PR.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Dominique Belcher <dominique.clarke@elastic.co>
Co-authored-by: Dominique Clarke <doclarke71@gmail.com>

Author: 4 people

packages/kbn-optimizer/limits.yml

@@ -7,7 +7,7 @@ pageLoadAssetSize:
   aiAssistantManagementSelection: 11569
   aiops: 15227
   alerting: 22371
-  alertingVTwo: 47881
+  alertingVTwo: 76778
   apm: 27979
   apmSourcesAccess: 2278
   automaticImport: 18629

x-pack/platform/packages/shared/agent-builder/agent-builder-common/base/namespaces.ts

@@ -11,6 +11,7 @@
  */
 export const internalNamespaces = {
   platformCore: 'platform.core',
+  platformAlerting: 'platform.alerting',
   platformDashboard: 'platform.dashboard',
   platformStreams: 'platform.streams',
   filestore: 'filestore',
@@ -27,6 +28,7 @@ export const internalNamespaces = {
  */
 export const protectedNamespaces: string[] = [
   internalNamespaces.platformCore,
+  internalNamespaces.platformAlerting,
   internalNamespaces.attachments,
   internalNamespaces.filestore,
   internalNamespaces.observability,

x-pack/platform/packages/shared/agent-builder/agent-builder-server/allow_lists.ts

@@ -18,6 +18,9 @@ export const AGENT_BUILDER_BUILTIN_TOOLS = [
   // Streams / Significant Events
   ...Object.values(platformStreamsSigEventsTools),
 
+  // Alerting
+  `${internalNamespaces.platformAlerting}.manage_rule`,
+
   // Observability
   `${internalNamespaces.observability}.get_anomaly_detection_jobs`,
   `${internalNamespaces.observability}.run_log_rate_analysis`,
@@ -102,6 +105,9 @@ export const AGENT_BUILDER_BUILTIN_SKILLS = [
   'visualization-creation',
   'graph-creation',
 
+  // Platform – Alerting
+  'rule-management',
+
   // Platform – Dashboard
   'dashboard-management',
 

x-pack/platform/packages/shared/agent-builder/agent-builder-server/skills/type_definition.ts

@@ -26,6 +26,7 @@ import type {
 export type SkillsDirectoryStructure = Directory<{
   skills: Directory<{
     platform: FileDirectory<{
+      alerting: FileDirectory;
       dashboard: FileDirectory;
       discover: FileDirectory;
       streams: FileDirectory;

x-pack/platform/packages/shared/response-ops/alerting-v2-schemas/src/index.ts

@@ -6,7 +6,9 @@
  */
 
 export * from './rule_data_schema';
+export * from './rule_attachment_schema';
 export * from './constants';
+export { durationSchema } from './common';
 export {
   validateDuration,
   validateMaxDuration,

x-pack/platform/packages/shared/response-ops/alerting-v2-schemas/src/rule_attachment_schema.ts

@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { z } from '@kbn/zod/v4';
+import { ruleResponseSchema } from './rule_data_schema';
+
+export const RULE_ATTACHMENT_TYPE = 'rule' as const;
+export const RULE_SML_TYPE = 'alerting_v2_rule' as const;
+
+/**
+ * Data stored inside a rule attachment.
+ *
+ * Server-generated fields (id, enabled, createdBy, createdAt, updatedBy, updatedAt)
+ * are optional so that the same schema covers both:
+ *   - proposed rules (by-value, not yet saved — no id or audit fields)
+ *   - saved rules    (by-reference, linked via attachment.origin = rule saved object id)
+ */
+export const ruleAttachmentDataSchema = ruleResponseSchema.extend({
+  id: z.string().optional(),
+  enabled: z.boolean().optional(),
+  createdBy: z.string().nullable().optional(),
+  createdAt: z.string().optional(),
+  updatedBy: z.string().nullable().optional(),
+  updatedAt: z.string().optional(),
+});
+
+export type RuleAttachmentData = z.infer<typeof ruleAttachmentDataSchema>;

x-pack/platform/packages/shared/response-ops/alerting-v2-schemas/src/rule_data_schema.ts

@@ -18,7 +18,7 @@ import { MAX_CONSECUTIVE_BREACHES, MIN_SCHEDULE_INTERVAL } from './constants';
 
 /** Primitives */
 
-const esqlQuerySchema = z
+export const esqlQuerySchema = z
   .string()
   .min(1)
   .max(10000)
@@ -31,54 +31,61 @@ const esqlQuerySchema = z
 
 /** Kind */
 
-export const ruleKindSchema = z.enum(['alert', 'signal']).describe('The kind of rule.');
+export const ruleKindSchema = z
+  .enum(['alert', 'signal'])
+  .describe(
+    'Rule kind: "alert" for stateful alerting with transitions, "signal" for stateless detection.'
+  );
 
 export type RuleKind = z.infer<typeof ruleKindSchema>;
 
 /** Metadata (required) */
 
-const metadataSchema = z
+export const metadataSchema = z
   .object({
-    name: z.string().min(1).max(256).describe('Unique rule name/identifier.'),
+    name: z.string().min(1).max(256).describe('Rule name (must be unique within the space).'),
     description: z
       .string()
       .max(1024)
       .optional()
-      .describe('Optional human-readable description of the rule.'),
+      .describe('Human-readable description of the rule.'),
     owner: z.string().max(256).optional().describe('Owner of the rule.'),
     tags: z
       .array(z.string().max(MAX_TAG_LENGTH))
       .max(100)
       .optional()
-      .describe('Tags for categorization.'),
+      .describe('Tags for categorization, e.g. ["production", "infra"].'),
   })
   .strict()
   .describe('Rule metadata.');
 
 /** Schedule (required) */
 
-const scheduleEverySchema = durationSchema.superRefine((value, ctx) => {
+/** Duration with an additional minimum-interval guard for schedule frequency. */
+export const scheduleEverySchema = durationSchema.superRefine((value, ctx) => {
   const error = validateMinDuration(value, MIN_SCHEDULE_INTERVAL);
   if (error) {
     ctx.addIssue({ code: z.ZodIssueCode.custom, message: error });
   }
 });
 
-const scheduleSchema = z
+export const scheduleSchema = z
   .object({
-    every: scheduleEverySchema.describe('Execution interval, e.g. 1m, 5m.'),
+    every: scheduleEverySchema.describe('Execution interval, e.g. 1m, 5m, 1h.'),
     lookback: durationSchema
       .optional()
-      .describe('Lookback window for the query (can also be expressed in ES|QL).'),
+      .describe('Lookback window for the query, e.g. 5m, 1h. Can also be expressed in ES|QL.'),
   })
   .strict()
   .describe('Execution schedule configuration.');
 
 /** Evaluation (required) */
 
-const evaluationQuerySchema = z
+export const evaluationQuerySchema = z
   .object({
-    base: esqlQuerySchema.describe('Base ES|QL query.'),
+    base: esqlQuerySchema.describe(
+      'Base ES|QL query. Time filters are applied automatically via the lookback window.'
+    ),
   })
   .strict();
 
@@ -95,25 +102,27 @@ export const recoveryPolicyTypeSchema = z.enum(['query', 'no_breach']);
 export const recoveryPolicyType = recoveryPolicyTypeSchema.enum;
 export type RecoveryPolicyType = z.infer<typeof recoveryPolicyTypeSchema>;
 
-const recoveryPolicySchema = z
+export const recoveryPolicySchema = z
   .object({
-    type: recoveryPolicyTypeSchema.describe('Recovery detection type.'),
+    type: recoveryPolicyTypeSchema.describe('Recovery detection type: "query" or "no_breach".'),
     query: z
       .object({
-        base: esqlQuerySchema.optional().describe('Base ES|QL query for recovery.'),
+        base: esqlQuerySchema
+          .optional()
+          .describe('Recovery ES|QL query. Required when type is "query".'),
       })
       .strict()
       .optional()
-      .describe('Recovery query when type is query.'),
+      .describe('Recovery query configuration; required when type is "query".'),
   })
   .strict()
   .describe('Recovery detection configuration.');
 
 /** State transition (optional, alert-only) */
 
-const stateTransitionOperatorSchema = z.enum(['AND', 'OR']);
+export const stateTransitionOperatorSchema = z.enum(['AND', 'OR']);
 
-const stateTransitionSchema = z
+export const stateTransitionSchema = z
   .object({
     pending_operator: stateTransitionOperatorSchema
       .optional()
@@ -124,8 +133,10 @@ const stateTransitionSchema = z
       .min(0)
       .max(MAX_CONSECUTIVE_BREACHES)
       .optional()
-      .describe('Consecutive breaches before active.'),
-    pending_timeframe: durationSchema.optional().describe('Time window for pending evaluation.'),
+      .describe('Consecutive breaches before transitioning to active.'),
+    pending_timeframe: durationSchema
+      .optional()
+      .describe('Time window for pending evaluation, e.g. 5m, 15m.'),
     recovering_operator: stateTransitionOperatorSchema
       .optional()
       .describe('How to combine count and timeframe for recovering.'),
@@ -135,10 +146,10 @@ const stateTransitionSchema = z
       .min(0)
       .max(MAX_CONSECUTIVE_BREACHES)
       .optional()
-      .describe('Consecutive recoveries before inactive.'),
+      .describe('Consecutive recoveries before transitioning to inactive.'),
     recovering_timeframe: durationSchema
       .optional()
-      .describe('Time window for recovering evaluation.'),
+      .describe('Time window for recovering evaluation, e.g. 5m, 15m.'),
   })
   .strict()
   .describe('Episode state transition thresholds (alert-only).')
@@ -147,12 +158,14 @@ const stateTransitionSchema = z
 
 /** Grouping (optional) */
 
-const groupingSchema = z
+export const groupingSchema = z
   .object({
     fields: z
       .array(z.string().max(256))
       .max(16)
-      .describe('Fields to group by (convention: use ES|QL GROUP BY fields).'),
+      .describe(
+        'Fields to group alerts by, e.g. ["host.name", "service.name"]. Should match ES|QL GROUP BY fields.'
+      ),
   })
   .strict()
   .describe('Grouping configuration.');
@@ -165,7 +178,9 @@ const noDataSchema = z
       .enum(['no_data', 'last_status', 'recover'])
       .optional()
       .describe('Behavior when no data is detected.'),
-    timeframe: durationSchema.optional().describe('Time window after which no data is detected.'),
+    timeframe: durationSchema
+      .optional()
+      .describe('Time window after which no data is detected, e.g. 10m, 1h.'),
   })
   .strict()
   .describe('No data handling configuration.');
@@ -217,28 +232,28 @@ const createRuleDataBaseSchema = z
   })
   .strip();
 
-/**
- * The `.refine` method adds a custom validation to the schema.
- * In this case, it enforces that the `state_transition` property is only allowed when `kind` is "alert".
- * The predicate `data.kind === 'alert' || data.state_transition == null` means:
- * - If the rule kind is "alert", `state_transition` may be present (or absent).
- * - For any other `kind`, `state_transition` must be `null` or `undefined`.
- * If validation fails, the specified error message will be associated with the `state_transition` field.
- */
+/** Cross-field validation predicates — shared between the CRUD API and the manage_rule tool. */
+
+export const isStateTransitionAllowed = (data: {
+  kind?: string;
+  state_transition?: unknown;
+}): boolean => data.kind === 'alert' || data.state_transition == null;
+
+export const isRecoveryPolicyQueryProvided = (data: {
+  recovery_policy?: { type?: string; query?: { base?: string } };
+}): boolean =>
+  data.recovery_policy?.type !== 'query' ||
+  (data.recovery_policy.query?.base != null && data.recovery_policy.query.base.length > 0);
+
 export const createRuleDataSchema = createRuleDataBaseSchema
-  .refine((data) => data.kind === 'alert' || data.state_transition == null, {
+  .refine(isStateTransitionAllowed, {
     message: 'state_transition is only allowed when kind is "alert".',
     path: ['state_transition'],
   })
-  .refine(
-    (data) =>
-      data.recovery_policy?.type !== 'query' ||
-      (data.recovery_policy.query?.base != null && data.recovery_policy.query.base.length > 0),
-    {
-      message: 'recovery_policy.query.base is required when recovery_policy.type is "query".',
-      path: ['recovery_policy', 'query', 'base'],
-    }
-  );
+  .refine(isRecoveryPolicyQueryProvided, {
+    message: 'recovery_policy.query.base is required when recovery_policy.type is "query".',
+    path: ['recovery_policy', 'query', 'base'],
+  });
 
 export type CreateRuleData = z.infer<typeof createRuleDataSchema>;
 

x-pack/platform/plugins/shared/alerting_v2/kibana.jsonc

@@ -31,7 +31,7 @@
       "eventLog",
       "unifiedDocViewer"
     ],
-    "optionalPlugins": ["usageCollection"],
+    "optionalPlugins": ["usageCollection", "agentBuilder", "agentContextLayer"],
     "requiredBundles": ["alerting", "kibanaReact"],
     "extraPublicDirs": []
   }

x-pack/platform/plugins/shared/alerting_v2/moon.yml

@@ -103,6 +103,13 @@ dependsOn:
   - '@kbn/unified-doc-viewer-plugin'
   - '@kbn/core-user-profile-browser'
   - '@kbn/user-profile-components'
+  - '@kbn/agent-builder-plugin'
+  - '@kbn/agent-builder-server'
+  - '@kbn/agent-builder-common'
+  - '@kbn/agent-builder-browser'
+  - '@kbn/agent-context-layer-plugin'
+  - '@kbn/core-saved-objects-api-server'
+  - '@kbn/core-elasticsearch-server'
 tags:
   - plugin
   - prod