Merge branch 'main' into copilot/fix-custom-instructions-field-title

Author: bhavyarm

.buildkite/ftr-manifests/ftr_platform_stateful_configs.yml

@@ -256,7 +256,6 @@ enabled:
   - x-pack/platform/test/functional/apps/cross_cluster_replication/config.ts
   - x-pack/platform/test/functional/apps/dashboard/group1/config.ts
   - x-pack/platform/test/functional/apps/dashboard/group3/config.ts
-  - x-pack/platform/test/functional/apps/data_views/config.ts
   - x-pack/platform/test/functional/apps/discover/group1/config.ts
   - x-pack/platform/test/functional/apps/discover/group2/config.ts
   - x-pack/platform/test/functional/apps/discover/group3/config.ts
@@ -321,14 +320,6 @@ enabled:
   - x-pack/platform/test/functional/apps/reporting_management/config.ts
   - x-pack/platform/test/functional/apps/rollup_job/config.ts
   - x-pack/platform/test/functional/apps/saved_objects_management/config.ts
-  - x-pack/platform/test/functional/apps/saved_query_management/config.discover.ts
-  - x-pack/platform/test/functional/apps/saved_query_management/config.dashboard.ts
-  - x-pack/platform/test/functional/apps/saved_query_management/config.maps.ts
-  - x-pack/platform/test/functional/apps/saved_query_management/config.visualize.ts
-  - x-pack/platform/test/functional/apps/saved_query_management/config.v2.discover.ts
-  - x-pack/platform/test/functional/apps/saved_query_management/config.v2.dashboard.ts
-  - x-pack/platform/test/functional/apps/saved_query_management/config.v2.maps.ts
-  - x-pack/platform/test/functional/apps/saved_query_management/config.v2.visualize.ts
   - x-pack/platform/test/functional/apps/security/config.ts
   - x-pack/platform/test/functional/apps/snapshot_restore/config.ts
   - x-pack/platform/test/functional/apps/spaces/config.ts

.buildkite/pipelines/evals/evals.suites.json

@@ -162,6 +162,20 @@
         "evals:attack-discovery"
       ]
     },
+    {
+      "id": "lead-generation",
+      "name": "Lead Generation",
+      "configPath": "x-pack/solutions/security/packages/kbn-evals-suite-lead-generation/playwright.config.ts",
+      "tags": [
+        "security",
+        "lead-generation",
+        "entity-analytics"
+      ],
+      "ciLabels": [
+        "evals:lead-generation"
+      ],
+      "serverConfigSet": "evals_lead_generation"
+    },
     {
       "id": "workflows",
       "name": "Workflows Authoring",

.buildkite/pipelines/flaky_tests/pipeline.ts

@@ -34,11 +34,8 @@ if (Number.isNaN(concurrency)) {
 
 const BASE_JOBS = 1;
 const MAX_JOBS = 500;
-// Each scoutConfig now fans out to one Buildkite step per (arch, domain) mode,
-// so a single entry can multiply into many jobs. Cap per-entry runs to keep the
-// total job budget under control and to give users a clear, fast failure when
-// they request too many repetitions for a single config.
-const MAX_SCOUT_COUNT_PER_CONFIG = 50;
+// 50 runs is enough to confirm a test is no longer flaky;
+const MAX_COUNT_PER_CONFIG = 50;
 
 // Scout discovery target for the flaky-setup step. We read the branch name
 // from `package.json` (set when forking a release branch).
@@ -88,6 +85,13 @@ function getTestSuitesFromJson(json: string) {
         fail(`testSuite.ftrConfig must be a string`);
       }
 
+      if (count > MAX_COUNT_PER_CONFIG) {
+        fail(
+          `testSuite.count for ftrConfig '${ftrConfig}' is ${count}; ` +
+            `max allowed is ${MAX_COUNT_PER_CONFIG}. Lower the count or split the run.`
+        );
+      }
+
       testSuites.push({
         type: 'ftrConfig',
         ftrConfig,
@@ -102,10 +106,10 @@ function getTestSuitesFromJson(json: string) {
         fail(`testSuite.scoutConfig must be a string`);
       }
 
-      if (count > MAX_SCOUT_COUNT_PER_CONFIG) {
+      if (count > MAX_COUNT_PER_CONFIG) {
         fail(
           `testSuite.count for scoutConfig '${scoutConfig}' is ${count}; ` +
-            `max allowed is ${MAX_SCOUT_COUNT_PER_CONFIG}. ` +
+            `max allowed is ${MAX_COUNT_PER_CONFIG}. ` +
             `Each Scout request fans out to one job per (arch x domain) mode, ` +
             `so high counts multiply quickly. Lower the count or split the run.`
         );
@@ -123,6 +127,14 @@ function getTestSuitesFromJson(json: string) {
     if (typeof key !== 'string') {
       fail(`testSuite.key must be a string`);
     }
+
+    if (count > MAX_COUNT_PER_CONFIG) {
+      fail(
+        `testSuite.count for group '${key}' is ${count}; ` +
+          `max allowed is ${MAX_COUNT_PER_CONFIG}. Lower the count or split the run.`
+      );
+    }
+
     testSuites.push({
       type: 'group',
       key,

.buildkite/pipelines/orchestrate_vm_builds.yml

@@ -14,7 +14,15 @@ steps:
         required: true
 
   - name: 'Upload trigger steps'
-    checkout: none
+    plugins:
+      - sparse-checkout#v1.6.0:
+          paths:
+            - .buildkite
+            - .node-version
+            - package.json
+            - tsconfig.base.json
+            - versions.json
+          cleanup_sparse_state: true
     command: |
       VM_IMAGES_BRANCH="$$(buildkite-agent meta-data get "VM_IMAGES_BRANCH")"
       KIBANA_BRANCH="$$(buildkite-agent meta-data get "KIBANA_BRANCH")"

.buildkite/scout_ci_config.yml

@@ -16,6 +16,7 @@ plugins:
     - dashboard_markdown
     - data
     - data_views
+    - data_view_management
     - dev_tools
     - discover
     - discover_enhanced
@@ -63,6 +64,7 @@ plugins:
     - task_manager
     - transform
     - triggers_actions_ui
+    - unified_search
     - upgrade_assistant
     - uptime
     - ux

.github/CODEOWNERS

@@ -472,6 +472,7 @@ src/platform/packages/shared/content-management/table_list_view @elastic/appex-s
 src/platform/packages/shared/content-management/table_list_view_common @elastic/appex-sharedux
 src/platform/packages/shared/content-management/table_list_view_table @elastic/appex-sharedux
 src/platform/packages/shared/content-management/user_profiles @elastic/appex-sharedux
+src/platform/packages/shared/context-switcher-components @elastic/appex-sharedux
 src/platform/packages/shared/controls/control-group-renderer @elastic/kibana-presentation
 src/platform/packages/shared/controls/controls-constants @elastic/kibana-presentation
 src/platform/packages/shared/controls/controls-schemas @elastic/kibana-presentation
@@ -1328,6 +1329,7 @@ x-pack/solutions/security/packages/kbn-evals-suite-alerts-rag @elastic/security-
 x-pack/solutions/security/packages/kbn-evals-suite-attack-discovery @elastic/security-threat-hunting
 x-pack/solutions/security/packages/kbn-evals-suite-endpoint @elastic/security-defend-workflows
 x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics @elastic/security-entity-analytics
+x-pack/solutions/security/packages/kbn-evals-suite-lead-generation @elastic/security-entity-analytics
 x-pack/solutions/security/packages/kbn-evals-suite-pci-compliance @elastic/security-defend-workflows
 x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules @elastic/security-detection-engine
 x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations @elastic/security-threat-hunting
@@ -1465,7 +1467,6 @@ x-pack/platform/test/serverless/api_integration/test_suites/platform_security @e
 /x-pack/platform/test/api_integration/apis/management/rollup/index_patterns_extensions.js @elastic/kibana-data-discovery
 /x-pack/platform/test/api_integration/apis/search @elastic/kibana-data-discovery
 /x-pack/platform/test/examples/search_examples @elastic/kibana-data-discovery
-/x-pack/platform/test/functional/apps/data_views @elastic/kibana-data-discovery
 /x-pack/platform/test/functional/apps/discover @elastic/kibana-data-discovery
 /x-pack/platform/test/functional/apps/saved_query_management @elastic/kibana-data-discovery
 /x-pack/platform/test/functional_with_es_ssl/apps/discover_ml/discover @elastic/kibana-data-discovery
@@ -2859,6 +2860,9 @@ x-pack/solutions/security/test/security_solution_api_integration/test_suites/sou
 /x-pack/solutions/security/plugins/security_solution/.agents/skills/flaky-test-doctor @elastic/security-engineering-productivity
 /x-pack/solutions/security/plugins/security_solution/.agents/skills/scout-best-practices-reviewer @elastic/security-engineering-productivity
 /x-pack/solutions/security/plugins/security_solution/.agents/skills/test-plan-generator @elastic/security-engineering-productivity
+/x-pack/solutions/security/plugins/security_solution/.agents/skills/bug-fixer @elastic/security-engineering-productivity
+/x-pack/solutions/security/plugins/security_solution/.agents/skills/bug-reproduce @elastic/security-engineering-productivity
+/x-pack/solutions/security/plugins/security_solution/.agents/skills/bug-fix @elastic/security-engineering-productivity
 /x-pack/solutions/security/test/security_solution_cypress/* @elastic/security-engineering-productivity
 /x-pack/solutions/security/test/security_solution_cypress/cypress/* @elastic/security-engineering-productivity
 /x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/login.ts @elastic/security-engineering-productivity

.github/codeql/custom-queries/dos/KibanaDoSExclusions.qll

@@ -0,0 +1,73 @@
+/**
+ * Shared predicates for excluding non-request-payload schema usages from
+ * Kibana DoS queries (unbounded strings, unbounded arrays, etc.).
+ *
+ * CONSERVATIVE POLICY: Only exclude file paths that NEVER contain HTTP request
+ * payload schemas. When in doubt, keep the finding — a false positive is far
+ * less costly than missing a real vulnerability.
+ *
+ * For one-off false positives in mixed-purpose files, use inline suppression:
+ *   // codeql[js/kibana/unbounded-string-in-schema] reason
+ *   // codeql[js/kibana/unbounded-array-in-schema] reason
+ *
+ * If a new file category consistently produces false positives, add a path
+ * pattern here rather than scattering per-line suppressions.
+ */
+
+import javascript
+
+/**
+ * Holds when `e` resides in a file whose schemas are known to never validate
+ * HTTP request payloads. These fall into structural/data-at-rest categories:
+ * plugin configuration, saved-object attributes, UI settings, content
+ * management layer schemas, sample-data registration, AI/LLM output schemas,
+ * and tooling config.
+ */
+predicate shouldExcludeFileFromDoSRules(Expr e) {
+  exists(string path | path = e.getFile().getRelativePath() |
+    // Plugin configuration (kibana.yml settings)
+    e.getFile().getBaseName() = "config.ts"
+    or
+    // Plugin server entry points (re-exports only)
+    (e.getFile().getBaseName() = "index.ts" and
+     path.regexpMatch(".*/plugins/[^/]+(/[^/]+)?/server/index\\.ts"))
+    or
+    // Saved-object attribute schemas (versioned shapes, never route payloads)
+    path.regexpMatch(".*/saved_objects/schemas/.*")
+    or
+    // Saved-object model-version migration schemas
+    path.regexpMatch(".*/saved_objects/model_versions/.*")
+    or
+    // Saved-object type sub-schemas (e.g. cases/server/saved_object_types/*/schemas/*)
+    path.regexpMatch(".*/saved_object_types/.*/schemas/.*")
+    or
+    // Dashboard saved-object attribute schemas
+    path.regexpMatch(".*/dashboard_saved_object/schema/.*")
+    or
+    // Content-management layer schemas (maps, lens, links CM CRUD)
+    path.regexpMatch(".*/content_management/schema/.*")
+    or
+    // UI-settings definitions (Advanced Settings value schemas)
+    e.getFile().getBaseName() = "ui_settings.ts"
+    or
+    path.regexpMatch(".*/ui_settings/.*")
+    or
+    // Sample-data registration schema (internal registration, not HTTP input)
+    path.regexpMatch(".*/sample_data/lib/sample_dataset_schema\\.ts")
+    or
+    // Connector-schema type-only files (no route handlers)
+    path.regexpMatch(".*/kbn-connector-schemas/.*/types/.*")
+    or
+    // LLM/AI structured-output schemas
+    path.regexpMatch(".*/compaction_schema\\.ts")
+    or
+    // Agent-builder tool parameter schemas (AI tool arguments, not HTTP routes)
+    path.regexpMatch(".*/agent_builder/tools/.*")
+    or
+    // Benchmark tooling config schemas
+    path.regexpMatch(".*/kbn-bench/.*")
+    or
+    // Scout test-environment config schemas
+    path.regexpMatch(".*/kbn-scout/.*/schema/.*")
+  )
+}

.github/codeql/custom-queries/dos/UnboundedArrayInRoute.md

@@ -11,7 +11,7 @@ An attacker could exploit unbounded array validation by sending extremely large
 - Application crashes due to out-of-memory conditions
 - Degraded performance affecting all users of the system
 
-The query specifically targets `schema.arrayOf()` calls that are missing the `maxSize` option in the second argument. It excludes configuration files (`config.ts`) and plugin entry points (`server/index.ts`) as these typically handle trusted internal configuration rather than external user input.
+The query specifically targets `schema.arrayOf()` calls that are missing the `maxSize` option in the second argument. It uses a shared exclusion list (defined in `KibanaDoSExclusions.qll`) to skip files whose schemas are known to never validate HTTP request payloads, such as saved-object attribute schemas, plugin configuration, UI settings definitions, content-management layer schemas, and similar structural/data-at-rest categories. See that file for the full set of excluded path patterns.
 
 ## Recommendation
 
@@ -119,6 +119,19 @@ router.post({
 }, handler);
 ```
 
+## False positives and suppression
+
+This query intentionally casts a wide net — it flags all unbounded `schema.arrayOf()` calls except those in file paths that are clearly non-payload contexts. Some findings will be in schemas that validate route **responses**, saved-object attributes in shared files, or other non-request-payload contexts. These are expected false positives.
+
+To suppress a legitimate false positive, add a `codeql[...]` comment on the line above the flagged call:
+
+```javascript
+// codeql[js/kibana/unbounded-array-in-schema] internal registration — not route input
+schema.arrayOf(schema.string())
+```
+
+The exclusion list in `KibanaDoSExclusions.qll` is maintained conservatively and may be updated as new non-payload schema patterns are identified. If you encounter a false positive that affects an entire file category (not a one-off), consider proposing an addition to the shared exclusion library rather than adding per-line suppressions.
+
 ## References
 
 - [OWASP: Denial of Service Attacks](https://owasp.org/www-community/attacks/Denial_of_Service)

.github/codeql/custom-queries/dos/UnboundedArrayInRoute.qhelp

@@ -19,10 +19,19 @@ requests. This can cause:
 <li>Degraded performance affecting all users of the system</li>
 </ul>
 <p>
-The query specifically targets <code>schema.arrayOf()</code> calls that are missing the 
-<code>maxSize</code> option in the second argument. It excludes configuration files 
-(<code>config.ts</code>) and plugin entry points (<code>server/index.ts</code>) as these 
-typically handle trusted internal configuration rather than external user input.
+The query specifically targets <code>schema.arrayOf()</code> calls that are missing the
+<code>maxSize</code> option in the second argument. It uses a shared exclusion list (defined
+in <code>KibanaDoSExclusions.qll</code>) to skip files whose schemas are known to never validate
+HTTP request payloads, such as saved-object attribute schemas, plugin configuration, UI settings
+definitions, content-management layer schemas, and similar structural/data-at-rest categories.
+See that file for the full set of excluded path patterns.
+</p>
+<p>
+Some findings will be in schemas that validate route <b>responses</b> or other non-request-payload
+contexts. These are expected false positives. To suppress a legitimate false positive, add a
+<code>codeql[js/kibana/unbounded-array-in-schema]</code> comment on the line above the flagged
+call. If a false positive affects an entire file category, consider proposing an addition to
+<code>KibanaDoSExclusions.qll</code> rather than adding per-line suppressions.
 </p>
 </overview>
 

.github/codeql/custom-queries/dos/UnboundedArrayInRoute.ql

@@ -14,6 +14,7 @@
  */
 
 import javascript
+import dos.KibanaDoSExclusions
 
 /**
  * Gets the local variable bound to 'schema' imported from '@kbn/config-schema'
@@ -22,7 +23,11 @@ LocalVariable schemaVariable() {
   exists(ImportDeclaration decl, ImportSpecifier spec |
     decl.getImportedPathExpr().getStringValue() = "@kbn/config-schema" and
     spec = decl.getASpecifier() and
-    spec.getImportedName() = "schema" and
+    (
+      spec.getImportedName() = "schema"
+      or
+      spec instanceof ImportNamespaceSpecifier
+    ) and
     result = spec.getLocal().getVariable()
   )
 }
@@ -54,25 +59,10 @@ class SchemaArrayOfCall extends CallExpr {
   }
 }
 
-/**
- * Identifies files that should be excluded from analysis:
- * - config.ts files (plugin configuration, not request validation)
- * - index.ts files at plugin server root (typically re-exports)
- */
-predicate isInExcludedFile(Expr e) {
-  e.getFile().getBaseName() = "config.ts"
-  or
-  // Exclude index.ts at plugin server root: plugins/*/server/index.ts or plugins/*/*/server/index.ts
-  (
-    e.getFile().getBaseName() = "index.ts" and
-    e.getFile().getRelativePath().regexpMatch(".*/plugins/[^/]+(/[^/]+)?/server/index\\.ts")
-  )
-}
-
 from SchemaArrayOfCall arrayCall
 where
   not arrayCall.hasMaxSize() and
-  not isInExcludedFile(arrayCall)
+  not shouldExcludeFileFromDoSRules(arrayCall)
 select arrayCall,
   "This schema.arrayOf() call does not specify a maxSize. Unbounded input can cause Denial of Service (DoS) vulnerabilities. Consider adding { maxSize: N } as the second argument."