[Osquery] Display scheduled actions in Osquery live queries view

[tomsonpl]

Summary

Scheduled osquery packs and saved queries currently only produce result documents — no action or response documents are created. This makes them invisible in the Live Queries History page. This PR bridges that gap by:

• Generating per-query action_id (UUIDv4) and start_date on pack create/update, persisted in the pack SO queries array and injected into the agent policy config for osquerybeat to correlate responses
• Creating idempotent tracking action documents in .logs-osquery_manager.actions-{spaceId} with input_type: 'osquery_scheduled', enabling scheduled packs to appear in history alongside live queries
• Deriving schedule_id (from SO id) and start_date (from created_at) in pack and saved query API responses — no new stored SO fields, no model version bump required
• Lazy backfilling existing packs: queries without action_id receive one on next update
• Updating the history list query to include osquery_scheduled actions, with a "Scheduled" badge and hidden re-run button
• Providing a minimal detail view for scheduled actions (total responses/rows, no per-agent breakdown or live polling)

How it works

Pack create/update
  ├─ Generate per-query action_id + start_date → stored in SO queries array
  ├─ convertSOQueriesToPackConfig() → injects action_id + start_date into policy config
  ├─ Fleet packagePolicy update → agents receive config with action_id + start_date
  ├─ createScheduledActionDocument() → writes tracking doc to actions index (idempotent, non-blocking)
  │
  ▼ osquerybeat (elastic/beats#48767)
  Reads action_id + start_date from config → creates response documents
  │
  ▼ Live Queries History
  Shows scheduled pack alongside live queries → minimal detail view

Key design decisions

• No Fleet action dispatch: Action documents go only to the osquery actions index, not .fleet-actions. Scheduled queries already run via policy config — Fleet actions would cause duplicate execution
• Idempotent action documents: Created once per pack, never updated or deleted. Subsequent pack updates skip creation if document exists
• Space-aware: Action documents written to .logs-osquery_manager.actions-{spaceId} matching pack space isolation
• No user_id on scheduled action documents — these are system-driven recurring executions
• Non-blocking: Action document creation failures are logged but don't fail pack CRUD operations

UI

Test plan

• Create a pack with policies → verify action document appears in .logs-osquery_manager.actions-{spaceId}
• Verify per-query action_id and start_date in agent policy config via Fleet API
• Update an existing pack without per-query action_id → verify backfill creates action_ids and action document
• Update the same pack again → verify action document is NOT recreated (idempotency)
• Live Queries History shows scheduled pack with "Scheduled" badge
• Scheduled action detail shows minimal view (total responses, total rows, no per-agent, no polling)
• Live query action detail is unchanged (per-agent status, expiration, 5s polling)
• Pack in non-default space → action document written to correct space-specific index

[elasticmachine]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!
• Click to trigger kibana-deploy-cloud-from-pr for this PR!
• Click to trigger kibana-entity-store-performance-from-pr for this PR!
• Click to trigger kibana-storybooks-from-pr for this PR!