[Alerting] Preserve rule type payload across delayed-to-active graduation (elastic#266012)

## Summary

Resolves elastic#259886. Architectural alternative to elastic#265588.

When a delayed alert is reactivated by `delayRecoveredFlappingAlerts`
(flap-hold) and crosses `alertDelay` on a run where the executor does
**not** report it, the alert builder used to dispatch to `buildNewAlert`
with an empty payload — producing an active AAD doc with blank rule type
fields (e.g. `kibana.alert.reason`).

Rather than skip the graduation in that case, this PR makes the
framework own the `delayed -> active` transition explicitly so the
resulting active doc is always complete.

### Fix (code)

- **`buildDelayedAlert`** now stores the full executor payload on the
delayed AAD doc. Previously the delayed doc only carried framework
fields. Persisting the rule type payload turns each delayed doc into a
usable predecessor.
- **`buildGraduatedAlert`** is a new builder dedicated to `delayed ->
active` transitions. It deep-merges the predecessor delayed doc with the
current run's payload (per-field precedence: current wins, predecessor
fills gaps), sets `event.action: 'open'` and `kibana.alert.status:
active`, and treats the alert as user-visible for the first time
(`severity_improving: false`, no `previous_action_group`).
- **`AlertBuilder.buildActiveAlerts`** now branches on `trackedActive`
vs `trackedDelayed` to dispatch to ongoing / graduated / new
respectively, instead of the previous status check on a single tracked
alert.

The per-field merge means:

| Run shape on graduation | `cleanedPayload[K]` | Resulting field |
| --- | --- | --- |
| Executor reports `K` | present | fresh value (predecessor shadowed) |
| Flap-hold reactivation, no executor report | absent | predecessor's
value preserved |
| Partial report (some `K` reported) | present for some | executor where
present, predecessor where absent |

This matches the long-standing semantics of `buildOngoingAlert`, just
sourced from the delayed predecessor instead of an active one.

How to reproduce the issue (on the 6th execution we see an alert without
context):

Run | pattern | flappingHistory | active | recovered | activeCount |
pending recovered | flapping | AAD status
-- | -- | -- | -- | -- | -- | -- | -- | --
1 | a | T | x |   | 1 | 0 | FALSE | delayed
2 | a | T,F | x |   | 2 | 0 | FALSE | active
3 | - | T,F,T |   | x | 0 | - | FALSE | recovered
4 | - | T,F,T,F |   | x | 0 | - | FALSE | recovered
5 | a | T,F,T,F,T | x |   | 1 | 0 | FALSE | delayed
6 | - | T,F,T,F,T,T | x |   | 2 | 1 | TRUE | active

Author: ersin-erdal

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/alert_builder/alert_builder.ts

@@ -27,6 +27,7 @@ import type { IIndexPatternString } from '../../../alerts_service/resource_insta
 import type { TrackedAADAlerts } from '../../types';
 import { buildOngoingAlert } from './build_ongoing_alert';
 import { buildNewAlert } from './build_new_alert';
+import { buildGraduatedAlert } from './build_graduated_alert';
 import { buildRecoveredAlert } from './build_recovered_alert';
 import { buildUpdatedRecoveredAlert } from './build_updated_recovered_alert';
 import { buildDelayedAlert } from './build_delayed_alert';
@@ -184,18 +185,21 @@ export class AlertBuilder<
         continue;
       }
       if (activeAlert) {
-        const trackedAlert = this.trackedAlerts.get(activeAlert.getUuid());
-        if (!!trackedAlert && get(trackedAlert, ALERT_STATUS) === ALERT_STATUS_ACTIVE) {
+        const uuid = activeAlert.getUuid();
+        const trackedActive = this.trackedAlerts.active[uuid];
+        const trackedDelayed = this.trackedAlerts.delayed[uuid];
+
+        if (trackedActive) {
           const isImproving = isAlertImproving<
             AlertData,
             State,
             Context,
             ActionGroupIds,
             RecoveryActionGroupId
-          >(trackedAlert, activeAlert, this.ruleType.actionGroups);
+          >(trackedActive, activeAlert, this.ruleType.actionGroups);
           activeAlertsToIndex.push(
             buildOngoingAlert<AlertData, State, Context, ActionGroupIds, RecoveryActionGroupId>({
-              alert: trackedAlert,
+              alert: trackedActive,
               legacyAlert: activeAlert,
               rule: this.rule,
               ruleData: this.alertRuleData,
@@ -207,6 +211,26 @@ export class AlertBuilder<
               dangerouslyCreateAlertsInAllSpaces: this.createAlertsInAllSpaces,
             })
           );
+        } else if (trackedDelayed) {
+          // The alert is graduating from `delayed` to `active`. The delayed
+          // predecessor doc carries the rule type fields reported during the
+          // delayed runs, which the graduated builder merges in. This keeps
+          // the resulting active doc complete even when the executor does
+          // not report a fresh payload on the run that triggers graduation
+          // (e.g. flap-hold reactivation).
+          activeAlertsToIndex.push(
+            buildGraduatedAlert<AlertData, State, Context, ActionGroupIds, RecoveryActionGroupId>({
+              alert: trackedDelayed,
+              legacyAlert: activeAlert,
+              rule: this.rule,
+              ruleData: this.alertRuleData,
+              runTimestamp: this.runTimestampString,
+              timestamp: this.currentTime,
+              payload: this.reportedAlerts[id],
+              kibanaVersion: this.kibanaVersion,
+              dangerouslyCreateAlertsInAllSpaces: this.createAlertsInAllSpaces,
+            })
+          );
         } else {
           activeAlertsToIndex.push(
             buildNewAlert<AlertData, State, Context, ActionGroupIds, RecoveryActionGroupId>({
@@ -277,8 +301,13 @@ export class AlertBuilder<
       delayedAlertsToIndex.push(
         buildDelayedAlert<AlertData, State, Context, ActionGroupIds, RecoveryActionGroupId>({
           legacyAlert: delayedAlert,
-          timestamp: this.currentTime,
           rule: this.rule,
+          ruleData: this.alertRuleData,
+          payload: this.reportedAlerts[delayedAlert.getId()],
+          runTimestamp: this.runTimestampString,
+          timestamp: this.currentTime,
+          kibanaVersion: this.kibanaVersion,
+          dangerouslyCreateAlertsInAllSpaces: this.createAlertsInAllSpaces,
         })
       );
     }

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/alert_builder/build_delayed_alert.test.ts

@@ -7,21 +7,36 @@
 import { Alert as LegacyAlert } from '../../../alert/alert';
 import {
   ALERT_ACTION_GROUP,
+  ALERT_CONSECUTIVE_MATCHES,
+  ALERT_DURATION,
+  ALERT_FLAPPING,
+  ALERT_FLAPPING_HISTORY,
   ALERT_INSTANCE_ID,
+  ALERT_MAINTENANCE_WINDOW_IDS,
+  ALERT_MAINTENANCE_WINDOW_NAMES,
+  ALERT_MUTED,
+  ALERT_PENDING_RECOVERED_COUNT,
+  ALERT_RULE_EXECUTION_TIMESTAMP,
+  ALERT_RULE_EXECUTION_UUID,
+  ALERT_RULE_UUID,
+  ALERT_START,
   ALERT_STATUS,
+  ALERT_STATUS_DELAYED,
+  ALERT_TIME_RANGE,
   ALERT_UUID,
+  ALERT_WORKFLOW_STATUS,
+  EVENT_KIND,
+  SPACE_IDS,
+  TAGS,
   TIMESTAMP,
-  ALERT_CONSECUTIVE_MATCHES,
-  ALERT_RULE_UUID,
-  ALERT_RULE_EXECUTION_UUID,
-  ALERT_STATUS_DELAYED,
+  VERSION,
 } from '@kbn/rule-data-utils';
 import { alertRule } from '../test_fixtures';
 import { buildDelayedAlert } from './build_delayed_alert';
 import { get } from 'lodash';
 
 describe('buildDelayedAlert', () => {
-  test('should build alert document with info from legacy alert', () => {
+  test('should build alert document with framework fields from legacy alert', () => {
     const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A');
     legacyAlert.scheduleActions('default');
 
@@ -31,18 +46,124 @@ describe('buildDelayedAlert', () => {
     expect(
       buildDelayedAlert<{}, {}, {}, 'default', 'recovered'>({
         legacyAlert,
-        timestamp,
         rule: alertRule,
+        timestamp,
+        kibanaVersion: '8.9.0',
       })
     ).toEqual({
-      [ALERT_UUID]: legacyAlert.getUuid(),
+      ...alertRule,
+      [TIMESTAMP]: timestamp,
+      [EVENT_KIND]: 'signal',
+      [ALERT_RULE_EXECUTION_TIMESTAMP]: timestamp,
       [ALERT_RULE_UUID]: get(alertRule, ALERT_RULE_UUID),
       [ALERT_RULE_EXECUTION_UUID]: get(alertRule, ALERT_RULE_EXECUTION_UUID),
-      [TIMESTAMP]: timestamp,
       [ALERT_ACTION_GROUP]: legacyAlert.getScheduledActionOptions()?.actionGroup,
+      [ALERT_FLAPPING]: false,
+      [ALERT_FLAPPING_HISTORY]: [],
       [ALERT_INSTANCE_ID]: alertInstanceId,
-      [ALERT_CONSECUTIVE_MATCHES]: legacyAlert.getActiveCount(),
+      [ALERT_MAINTENANCE_WINDOW_IDS]: [],
+      [ALERT_MAINTENANCE_WINDOW_NAMES]: [],
+      [ALERT_CONSECUTIVE_MATCHES]: 0,
+      [ALERT_PENDING_RECOVERED_COUNT]: 0,
+      [ALERT_MUTED]: false,
+      [ALERT_STATUS]: ALERT_STATUS_DELAYED,
+      [ALERT_UUID]: legacyAlert.getUuid(),
+      [ALERT_WORKFLOW_STATUS]: 'open',
+      [SPACE_IDS]: ['default'],
+      [VERSION]: '8.9.0',
+      [TAGS]: ['rule-', '-tags'],
+    });
+  });
+
+  test('should include start, duration and time range when set', () => {
+    const now = Date.now();
+    const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A');
+    legacyAlert.scheduleActions('default').replaceState({ start: now, duration: '0' });
+
+    const built = buildDelayedAlert<{}, {}, {}, 'default', 'recovered'>({
+      legacyAlert,
+      rule: alertRule,
+      timestamp: '2023-03-28T12:27:28.159Z',
+      kibanaVersion: '8.9.0',
+    });
+
+    expect(built).toMatchObject({
+      [ALERT_DURATION]: 0,
+      [ALERT_START]: now,
+      [ALERT_TIME_RANGE]: { gte: now },
+      [ALERT_STATUS]: ALERT_STATUS_DELAYED,
+    });
+  });
+
+  test('should include rule type payload fields so the doc is a complete predecessor', () => {
+    const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A');
+    legacyAlert.scheduleActions('default');
+
+    const built = buildDelayedAlert<
+      { count: number; url: string; 'kibana.alert.nested_field': number },
+      {},
+      {},
+      'default',
+      'recovered'
+    >({
+      legacyAlert,
+      rule: alertRule,
+      payload: { count: 1, url: `https://url1`, 'kibana.alert.nested_field': 2 },
+      timestamp: '2023-03-28T12:27:28.159Z',
+      kibanaVersion: '8.9.0',
+    });
+
+    expect(built).toMatchObject({
+      count: 1,
+      url: `https://url1`,
+      'kibana.alert.nested_field': 2,
       [ALERT_STATUS]: ALERT_STATUS_DELAYED,
     });
   });
+
+  test('should set ALERT_WORKFLOW_STATUS from payload if specified', () => {
+    const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A');
+    legacyAlert.scheduleActions('default');
+
+    const built = buildDelayedAlert<{}, {}, {}, 'default', 'recovered'>({
+      legacyAlert,
+      rule: alertRule,
+      payload: { [ALERT_WORKFLOW_STATUS]: 'custom_workflow' },
+      timestamp: '2023-03-28T12:27:28.159Z',
+      kibanaVersion: '8.9.0',
+    });
+
+    expect(built[ALERT_WORKFLOW_STATUS]).toBe('custom_workflow');
+  });
+
+  test(`should set kibana.space_ids to '*' if dangerouslyCreateAlertsInAllSpaces=true`, () => {
+    const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A');
+    legacyAlert.scheduleActions('default');
+
+    const built = buildDelayedAlert<{}, {}, {}, 'default', 'recovered'>({
+      legacyAlert,
+      rule: alertRule,
+      timestamp: '2023-03-28T12:27:28.159Z',
+      kibanaVersion: '8.9.0',
+      dangerouslyCreateAlertsInAllSpaces: true,
+    });
+
+    expect(built[SPACE_IDS]).toEqual(['*']);
+  });
+
+  test('should merge tags from payload, rule, and de-duplicate', () => {
+    const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A');
+    legacyAlert.scheduleActions('default');
+
+    const built = buildDelayedAlert<{}, {}, {}, 'default', 'recovered'>({
+      legacyAlert,
+      rule: alertRule,
+      payload: { tags: ['payload-tag', 'rule-'] },
+      timestamp: '2023-03-28T12:27:28.159Z',
+      kibanaVersion: '8.9.0',
+    });
+
+    expect(built[TAGS]).toEqual(expect.arrayContaining(['payload-tag', 'rule-', '-tags']));
+    expect(built[TAGS]?.length).toBe(3);
+  });
 });