[scout] migrate FTR Core api tests (elastic#263211)

## Summary

This PR migrates FTR Core API tests to Scout


Scout spec | FTR source(s) | Tests | Tags | Auth | Role | Notable
changes
-- | -- | -- | -- | -- | -- | --
compression.spec.ts | /core/compression.ts | 2 | deploymentAgnostic |
API key | viewer | Combined two near-identical FTR files (serverless +
DA) into one spec
translations.spec.ts | /core/translations.ts | 2 | deploymentAgnostic |
API key | viewer | cache-control/etag assertions gated
behind process.env.CI (only valid for distributable builds)
capabilities.spec.ts | /core/capabilities.ts | 1 | deploymentAgnostic |
API key | viewer | Combined serverless + stateful FTR sources
blocked_saved_objects_api.spec.ts | /core/saved_objects.ts | 10 |
serverless (search, oblt, security, workplaceai) | API key | viewer |
Uses COMMON_HEADERS (no x-elastic-internal-origin) to trigger
route-blocking middleware
ui_settings_validate.spec.ts | /core/ui_settings.ts (validate section) |
4 | serverless (search, oblt, security, workplaceai) | Cookie (samlAuth)
| viewer | Split from nested FTR ui_settings.ts into flat spec
ui_settings_crud.spec.ts | /core/ui_settings.ts (CRUD section) | 6 |
serverless (search, oblt, security, workplaceai) | Cookie (samlAuth) |
admin | Split from nested FTR ui_settings.ts; added afterAll cleanup
missing in FTR

<img width="1414" height="314" alt="Screenshot 2026-04-16 at 08 20 39"
src="https://github.com/user-attachments/assets/7c222285-8b30-48ee-9590-974ba46e48d3"
/>

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Author: dmlemeshko

.buildkite/scout_ci_config.yml

@@ -54,6 +54,7 @@ plugins:
 
 packages:
   enabled:
+    - core
     - kbn-scout
     - kbn-streamlang-tests
   disabled:

src/core/moon.yml

@@ -180,6 +180,7 @@ dependsOn:
   - '@kbn/migrator-test-kit'
   - '@kbn/core-user-activity-server-mocks'
   - '@kbn/core-user-activity-server-internal'
+  - '@kbn/scout'
 tags:
   - core
   - package
@@ -192,6 +193,7 @@ fileGroups:
     - server/**/*
     - types/**/*
     - test_helpers/**/*
+    - test/scout/**/*
     - utils/**/*
     - index.ts
     - '!target/**/*'

…/test/api_integration/apis/core/index.ts …ore/test/scout/api/fixtures/constants.tssrc/platform/test/api_integration/apis/core/index.ts renamed to src/core/test/scout/api/fixtures/constants.ts src/platform/test/api_integration/apis/core/index.ts renamed to src/core/test/scout/api/fixtures/constants.ts

@@ -7,11 +7,11 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import type { FtrProviderContext } from '../../ftr_provider_context';
+export const COMMON_HEADERS = {
+  'kbn-xsrf': 'some-xsrf-token',
+} as const;
 
-export default function ({ loadTestFile }: FtrProviderContext) {
-  describe('core', () => {
-    loadTestFile(require.resolve('./translations'));
-    loadTestFile(require.resolve('./capabilities'));
-  });
-}
+export const INTERNAL_HEADERS = {
+  ...COMMON_HEADERS,
+  'x-elastic-internal-origin': 'kibana',
+} as const;

src/core/test/scout/api/fixtures/index.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+export { COMMON_HEADERS, INTERNAL_HEADERS } from './constants';

src/core/test/scout/api/playwright.config.ts

@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { createPlaywrightConfig } from '@kbn/scout';
+
+export default createPlaywrightConfig({
+  testDir: './tests',
+});

src/core/test/scout/api/tests/blocked_saved_objects_api.spec.ts

@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { expect } from '@kbn/scout/api';
+import { apiTest, tags } from '@kbn/scout';
+import type { RoleApiCredentials } from '@kbn/scout';
+import { COMMON_HEADERS } from '../fixtures';
+
+const SERVERLESS_TAGS = [
+  ...tags.serverless.search,
+  ...tags.serverless.observability.complete,
+  ...tags.serverless.security.complete,
+  ...tags.serverless.workplaceai,
+];
+
+const BLOCKED_APIS: Array<{ path: string; method: 'get' | 'post' | 'put' | 'delete' }> = [
+  { path: '/api/saved_objects/_bulk_create', method: 'post' },
+  { path: '/api/saved_objects/_bulk_delete', method: 'post' },
+  { path: '/api/saved_objects/_bulk_get', method: 'post' },
+  { path: '/api/saved_objects/_bulk_resolve', method: 'post' },
+  { path: '/api/saved_objects/_bulk_update', method: 'post' },
+  { path: '/api/saved_objects/test/id', method: 'get' },
+  { path: '/api/saved_objects/test/id', method: 'post' },
+  { path: '/api/saved_objects/test/id', method: 'delete' },
+  { path: '/api/saved_objects/_find', method: 'get' },
+  { path: '/api/saved_objects/test/id', method: 'put' },
+];
+
+apiTest.describe('blocked internal saved objects API', { tag: SERVERLESS_TAGS }, () => {
+  let credentials: RoleApiCredentials;
+
+  apiTest.beforeAll(async ({ requestAuth }) => {
+    credentials = await requestAuth.getApiKey('viewer');
+  });
+
+  for (const { path, method } of BLOCKED_APIS) {
+    apiTest(`${method} ${path} returns 400`, async ({ apiClient }) => {
+      const response = await apiClient[method](path, {
+        headers: {
+          ...COMMON_HEADERS,
+          ...credentials.apiKeyHeader,
+        },
+      });
+
+      expect(response).toHaveStatusCode(400);
+      expect(response.body).toStrictEqual({
+        statusCode: 400,
+        error: 'Bad Request',
+        message: `uri [${path}] with method [${method}] exists but is not available with the current configuration`,
+      });
+    });
+  }
+});

src/core/test/scout/api/tests/capabilities.spec.ts

@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { expect } from '@kbn/scout/api';
+import { apiTest, tags } from '@kbn/scout';
+import type { RoleApiCredentials } from '@kbn/scout';
+import { INTERNAL_HEADERS } from '../fixtures';
+
+apiTest.describe('capabilities', { tag: tags.deploymentAgnostic }, () => {
+  let credentials: RoleApiCredentials;
+
+  apiTest.beforeAll(async ({ requestAuth }) => {
+    credentials = await requestAuth.getApiKey('viewer');
+  });
+
+  apiTest('returns a 400 when an invalid app id is provided', async ({ apiClient }) => {
+    const response = await apiClient.post('/api/core/capabilities', {
+      headers: {
+        ...INTERNAL_HEADERS,
+        ...credentials.apiKeyHeader,
+      },
+      body: {
+        applications: ['dashboard', 'discover', 'bad%app'],
+      },
+    });
+
+    expect(response).toHaveStatusCode(400);
+    expect(response.body).toStrictEqual({
+      statusCode: 400,
+      error: 'Bad Request',
+      message: '[request body.applications.2]: Invalid application id: bad%app',
+    });
+  });
+});

src/core/test/scout/api/tests/compression.spec.ts

@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { expect } from '@kbn/scout/api';
+import { apiTest, tags } from '@kbn/scout';
+import type { RoleApiCredentials } from '@kbn/scout';
+
+apiTest.describe('compression', { tag: tags.deploymentAgnostic }, () => {
+  let credentials: RoleApiCredentials;
+
+  apiTest.beforeAll(async ({ requestAuth }) => {
+    credentials = await requestAuth.getApiKey('viewer');
+  });
+
+  apiTest('uses compression when there is no referer', async ({ apiClient }) => {
+    const response = await apiClient.get('/app/kibana', {
+      headers: {
+        'accept-encoding': 'gzip',
+        ...credentials.apiKeyHeader,
+      },
+    });
+
+    expect(response).toHaveHeaders({ 'content-encoding': 'gzip' });
+  });
+
+  apiTest('uses compression when there is a whitelisted referer', async ({ apiClient }) => {
+    const response = await apiClient.get('/app/kibana', {
+      headers: {
+        'accept-encoding': 'gzip',
+        referer: 'https://some-host.com',
+        ...credentials.apiKeyHeader,
+      },
+    });
+
+    expect(response).toHaveHeaders({ 'content-encoding': 'gzip' });
+  });
+});

src/core/test/scout/api/tests/translations.spec.ts

@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { expect } from '@kbn/scout/api';
+import { apiTest, tags } from '@kbn/scout';
+import type { RoleApiCredentials } from '@kbn/scout';
+import { INTERNAL_HEADERS } from '../fixtures';
+
+apiTest.describe('translations', { tag: tags.deploymentAgnostic }, () => {
+  let credentials: RoleApiCredentials;
+
+  apiTest.beforeAll(async ({ requestAuth }) => {
+    credentials = await requestAuth.getApiKey('viewer');
+  });
+
+  apiTest('returns the translations with the correct headers', async ({ apiClient }) => {
+    const response = await apiClient.get('/translations/en.json', {
+      headers: {
+        ...INTERNAL_HEADERS,
+        ...credentials.apiKeyHeader,
+      },
+    });
+
+    expect(response).toHaveStatusCode(200);
+    expect(response.body.locale).toBe('en');
+    expect(response).toHaveHeaders({ 'content-type': 'application/json; charset=utf-8' });
+
+    // Distributable builds serve pre-built translations with immutable caching and no etag.
+    // Local dev servers return `must-revalidate` + etag instead, so we gate on CI.
+    // TODO: Replace `process.env.CI` with a Scout config flag (e.g. isDistributable) when available.
+    if (process.env.CI) {
+      expect(response).toHaveHeaders({
+        'cache-control': 'public, max-age=31536000, immutable',
+      });
+      expect(response.headers.etag).toBeUndefined();
+    }
+  });
+
+  apiTest('returns a 404 when not using the correct locale', async ({ apiClient }) => {
+    const response = await apiClient.get('/translations/foo.json', {
+      headers: {
+        ...INTERNAL_HEADERS,
+        ...credentials.apiKeyHeader,
+      },
+    });
+
+    expect(response).toHaveStatusCode(404);
+  });
+});