feat(cases): migrate endpoint attachment to unified v2 framework (elastic#260544)

## Summary

- Migrates the endpoint case attachment from the legacy
`ExternalReferenceAttachmentType` to the new unified
`UnifiedReferenceAttachmentType` on both client and server.
- New endpoint response-action attachments are written as `{ type:
'security.endpoint', attachmentId, metadata }`
(`UnifiedReferenceAttachmentPayload`) instead of the legacy
`externalReference` shape.
- Adds server-side `io-ts` schema validation for endpoint attachment
metadata (`command`, `comment`, `targets[]` with a closed union on
`agentType`, unknown keys rejected, non-empty `targets` required).
- Adds a generic `externalReference` ↔ unified transformer in the Cases
plugin so pre-existing legacy endpoint attachments render as unified on
read and unified writes fall back to legacy storage when the new SO type
is disabled — no data migration required.

## Details

Part of the [Cases Attachments v2
migration](elastic/security-team#15569). The
endpoint attachment (historically `externalReferenceAttachmentTypeId:
'endpoint'`) is now registered as the unified type
`SECURITY_ENDPOINT_ATTACHMENT_TYPE = 'security.endpoint'`, re-exported
from `@kbn/cases-plugin/common`.

### What changed

| Layer | Before | After |
|-------|--------|-------|
| Client registration (`security_solution/public/plugin.tsx`) |
`registerExternalReference(getExternalReferenceAttachmentEndpointRegular())`
| `registerUnified(getEndpointUnifiedAttachment())` |
| Server registration (`security_solution/server/plugin.ts`) |
`registerExternalReference({ id: CASE_ATTACHMENT_ENDPOINT_TYPE_ID })` |
`registerUnified({ id: SECURITY_ENDPOINT_ATTACHMENT_TYPE,
schemaValidator: validateEndpointAttachmentMetadata })` |
| Attachment creation (`base_response_actions_client.ts`) | `{ type:
'externalReference', externalReferenceId, externalReferenceStorage,
externalReferenceAttachmentTypeId: 'endpoint', externalReferenceMetadata
}` | `{ type: 'security.endpoint', attachmentId, metadata, owner }` |
| Metadata validation | none | `io-ts` validator run on the unified
write path |
| Client-side renderers | `external_reference.tsx` + 2 lazy wrappers |
`unified_attachment.tsx` + updated `endpoint_event.tsx` /
`endpoint_children.tsx` |
| Constant `CASE_ATTACHMENT_ENDPOINT_TYPE_ID` | defined in Security
Solution | removed; import `SECURITY_ENDPOINT_ATTACHMENT_TYPE` from
`@kbn/cases-plugin/common` |

### Backward compatibility (no data migration needed)

The legacy `registerExternalReference` calls are removed — BWC is
delivered instead by a generic transformer in the Cases plugin:

- **Read path** — the Kibana Cases UI reads cases via the internal
`resolve` endpoint with `mode: 'unified'`. The new
`externalReferenceAttachmentTransformer` in
`x-pack/platform/plugins/shared/cases/server/common/attachments/external_reference.ts`
converts any pre-existing legacy `externalReference` endpoint
attachments stored in `cases-comments` into the unified
`security.endpoint` shape on read, driven by
`EXTERNAL_REFERENCE_TYPE_MAP`. Existing cases render identically
post-deploy without any backfill.
- **Write path** — when `xpack.cases.attachments.enabled` is `false`
(default), the Cases plugin translates the unified payload back to the
legacy `externalReference` shape via `toLegacySchema` and persists it to
`cases-comments` — byte-for-byte equivalent to today's storage. When the
flag is `true`, the unified payload is stored as-is in the new
`cases-attachments` SO. Either way, the on-disk format stays consistent
with whatever the deployment is already using.

This also gives follow-up subtypes (e.g. `osquery`, other
response-action types) a clean seam: add an entry to
`EXTERNAL_REFERENCE_TYPE_MAP` / `UNIFIED_TO_EXTERNAL_REFERENCE_TYPE_MAP`
and they get the same round-trip behaviour for free.

### Public case APIs

`GET /api/cases/:id` (`totalComment`) and `GET
/api/cases/:id/comments/_find` continue to be scoped to user-generated
comments and do not surface endpoint attachments — this is pre-existing,
intended behaviour and is unchanged by this PR. The Kibana UI uses the
internal `resolve` endpoint which returns all attachment types and
renders endpoint attachments via the new unified registry.

## Incremental fixes after first review

A second pass addressed three review items from @szwarckonrad on the
upgrade-path walkthrough, plus one CI-driven snapshot follow-up. None of
them change the design described above; they harden the same migration
against edge cases the first pass missed.

1. **Back-compat for legacy-shape API writes**
(`security_solution/server/cases/attachments/register.ts` + `plugin.ts`)
— the legacy `endpoint` external-reference id is registered alongside
the new unified `security.endpoint` so existing API clients that still
POST `{ type: 'externalReference', externalReferenceAttachmentTypeId:
'endpoint', ... }` are not rejected with `400 "Attachment type endpoint
is not registered."`. The cases server's external-reference transformer
already converts these legacy SOs to the unified shape on read; this
restores the same behaviour for legacy-shape *writes*. Covered by a
focused unit test (`register.test.ts`) that explicitly asserts the BWC
registration so it can't be silently dropped in a future refactor.

2. **400 instead of 500 from the metadata validator**
(`endpoint_metadata_schema.ts`) — `validateEndpointAttachmentMetadata`
now throws `Boom.badRequest` on invalid metadata. Errors thrown from a
registered cases-plugin `schemaValidator` callback are surfaced to the
HTTP client as-is — a plain `Error` would have bubbled up as `500
Internal Server Error` with a stack trace in the server log for what is
really a caller mistake. Covered by new tests asserting `Boom.isBoom`
and `statusCode: 400` for
null/non-object/missing-fields/empty-targets/unknown-keys inputs.

3. **Byte-clean legacy storage**
(`cases/server/services/attachments/index.ts`) — when a unified payload
(`{ type: 'security.endpoint', attachmentId, metadata }`) is POSTed but
`xpack.cases.attachments.enabled` is OFF, the request attributes still
carry those keys after `io-ts` decoding and could leak into `_source`
(the `cases-comments` mapping is `dynamic: false`, so they would be
stored but not indexed). The new `stripUnifiedOnlyFields` helper
guarantees byte-for-byte equivalence with pre-migration legacy writes
for `create`/`bulkCreate`/`update`/`bulkUpdate`. Covered by two
regression tests in `services/attachments/index.test.ts`.

4. **Snapshot follow-up for #1**
(`cases_api_integration/.../external_references.ts`) — the
registry-snapshot assertion that guards the externalReference registry
now expects `endpoint: 'e13fe41b5c330dd923da91992ed0cedb7e30960f'`
again, with an inline comment explaining the BWC intent. **This file is
owned by Response Ops via CODEOWNERS** — the snapshot's purpose is
exactly to surface this kind of change for their review.

CI on the latest push: green (build #437809, 428/428 jobs).

## Test plan

- [x] Unit tests for the generic `externalReference` ↔ unified
transformer, storage-type resolver, and type-routing helper
(`x-pack/platform/plugins/shared/cases/server/common/attachments/*.test.ts`).
- [x] Unit tests for `validateEndpointAttachmentMetadata` covering:
valid metadata, each missing required field, empty `targets`, invalid
`agentType`, unknown top-level keys, and non-object input.
- [x] Updated `endpoint_actions_client` and
`base_response_actions_client` unit tests assert the new unified payload
shape (`type: 'security.endpoint'`, `attachmentId`, `metadata`).
- [x] Updated unit tests for `endpoint_event.tsx` /
`endpoint_children.tsx` against the unified props shape.
- [x] Integration-test registry expectations updated:
`security.endpoint` appears in `registered_unified_{basic,trial}.ts`.
`endpoint` is **kept** in `external_references.ts` with a comment
explaining the back-compat re-registration (see "Incremental fixes after
first review" below).
- [x] Type check and lint pass.
- [x] Manual end-to-end validation against **Microsoft Defender for
Endpoint** — unisolate action from Kibana correctly produces a
`cases-attachments` SO of `type: 'security.endpoint'` with
`microsoft_defender_endpoint` metadata, rendered by the UI via the
unified registry.
- [x] Manual end-to-end validation against **CrowdStrike Falcon** —
unisolate action from Kibana correctly produces a `cases-attachments` SO
of `type: 'security.endpoint'` with `crowdstrike` metadata, rendered by
the UI via the unified registry.
- [x] Manual verification: isolate a host via response actions and
confirm the case attachment renders correctly.

<img width="1798" height="1064" alt="CleanShot 2026-04-20 at 14 53
16@2x"
src="https://github.com/user-attachments/assets/8c216722-a2a4-42ac-b5ae-dc8962cb2d0d"
/>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Author: 3 people

x-pack/platform/plugins/shared/cases/common/constants/attachments.ts

@@ -4,11 +4,16 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
+// NOTE: Do not import from '../types/domain' here to avoid circular dependencies
+// (types/domain -> constants/index -> constants/attachments -> types/domain).
+// Use string literals for legacy type names instead.
+
 import { SECURITY_SOLUTION_OWNER, OBSERVABILITY_OWNER, GENERAL_CASES_OWNER } from './owners';
 
 // ----------------Unified attachment types-------------------------
 export const COMMENT_ATTACHMENT_TYPE = 'comment';
 export const SECURITY_EVENT_ATTACHMENT_TYPE = 'security.event';
+export const SECURITY_ENDPOINT_ATTACHMENT_TYPE = 'security.endpoint';
 export const LENS_ATTACHMENT_TYPE = 'lens';
 
 export const ML_ANOMALY_SWIMLANE_ATTACHMENT_TYPE = 'ml.anomaly_swimlane';
@@ -34,6 +39,14 @@ export const LEGACY_AIOPS_CHANGE_POINT_CHART_ATTACHMENT_TYPE = 'aiopsChangePoint
 export const LEGACY_AIOPS_PATTERN_ANALYSIS_ATTACHMENT_TYPE = 'aiopsPatternAnalysisEmbeddable';
 export const LEGACY_AIOPS_LOG_RATE_ANALYSIS_ATTACHMENT_TYPE = 'aiopsLogRateAnalysisEmbeddable';
 
+/**
+ * Mapping from legacy externalReferenceAttachmentTypeId to unified type name.
+ * Used by the generic externalReference transformer to resolve the unified type.
+ */
+export const EXTERNAL_REFERENCE_TYPE_MAP: Record<string, string> = {
+  endpoint: SECURITY_ENDPOINT_ATTACHMENT_TYPE,
+} as const;
+
 export const LEGACY_ATTACHMENT_TYPES = new Set([
   LEGACY_ACTIONS_TYPE,
   LEGACY_ALERT_TYPE,
@@ -46,6 +59,7 @@ export const LEGACY_ATTACHMENT_TYPES = new Set([
 export const UNIFIED_ATTACHMENT_TYPES = new Set([
   COMMENT_ATTACHMENT_TYPE,
   SECURITY_EVENT_ATTACHMENT_TYPE,
+  SECURITY_ENDPOINT_ATTACHMENT_TYPE,
 ]);
 
 export const PERSISTABLE_STATE_LEGACY_TO_UNIFIED_MAP: Record<string, string> = {
@@ -84,6 +98,14 @@ export const LEGACY_TO_UNIFIED_MAP: Record<string, string> = {
 export const UNIFIED_TO_LEGACY_MAP: Record<string, string> = {
   [COMMENT_ATTACHMENT_TYPE]: LEGACY_USER_TYPE,
   [SECURITY_EVENT_ATTACHMENT_TYPE]: LEGACY_EVENT_TYPE,
+  [SECURITY_ENDPOINT_ATTACHMENT_TYPE]: LEGACY_EXTERNAL_REFERENCE_TYPE,
+} as const;
+
+/**
+ * Reverse mapping from unified type name back to externalReferenceAttachmentTypeId.
+ */
+export const UNIFIED_TO_EXTERNAL_REFERENCE_TYPE_MAP: Record<string, string> = {
+  [SECURITY_ENDPOINT_ATTACHMENT_TYPE]: 'endpoint',
 } as const;
 
 /**
@@ -92,6 +114,7 @@ export const UNIFIED_TO_LEGACY_MAP: Record<string, string> = {
 export const MIGRATED_ATTACHMENT_TYPES = new Set<string>([
   COMMENT_ATTACHMENT_TYPE,
   SECURITY_EVENT_ATTACHMENT_TYPE,
+  SECURITY_ENDPOINT_ATTACHMENT_TYPE,
   ...PERSISTABLE_ATTACHMENT_TYPES,
 ]);
 

x-pack/platform/plugins/shared/cases/common/index.ts

@@ -59,6 +59,7 @@ export {
   CASES_REOPEN_CAPABILITY,
   ASSIGN_CASE_CAPABILITY,
   SECURITY_EVENT_ATTACHMENT_TYPE,
+  SECURITY_ENDPOINT_ATTACHMENT_TYPE,
   MANAGE_TEMPLATES_CAPABILITY,
   ML_ANOMALY_SWIMLANE_ATTACHMENT_TYPE,
   ML_ANOMALY_CHARTS_ATTACHMENT_TYPE,

x-pack/platform/plugins/shared/cases/server/common/attachments/external_reference.test.ts

@@ -0,0 +1,218 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { AttachmentType, ExternalReferenceStorageType } from '../../../common/types/domain';
+import { externalReferenceAttachmentTransformer } from './external_reference';
+
+const baseLegacyAttributes = {
+  created_at: '2024-01-01T00:00:00.000Z',
+  created_by: {
+    username: 'elastic',
+    full_name: null,
+    email: null,
+    profile_uid: undefined,
+  },
+  pushed_at: null,
+  pushed_by: null,
+  updated_at: null,
+  updated_by: null,
+};
+
+const legacyEndpointAttributes = {
+  ...baseLegacyAttributes,
+  type: AttachmentType.externalReference as const,
+  externalReferenceId: 'action-123',
+  externalReferenceStorage: {
+    type: ExternalReferenceStorageType.elasticSearchDoc as const,
+  },
+  externalReferenceAttachmentTypeId: 'endpoint',
+  externalReferenceMetadata: {
+    command: 'isolate',
+    comment: 'Test comment',
+    targets: [{ endpointId: 'ep-1', hostname: 'host-1', agentType: 'endpoint' }],
+  },
+  owner: 'securitySolution',
+};
+
+const unifiedEndpointAttributes = {
+  ...baseLegacyAttributes,
+  type: 'security.endpoint',
+  attachmentId: 'action-123',
+  metadata: {
+    command: 'isolate',
+    comment: 'Test comment',
+    targets: [{ endpointId: 'ep-1', hostname: 'host-1', agentType: 'endpoint' }],
+  },
+  owner: 'securitySolution',
+};
+
+describe('externalReferenceAttachmentTransformer', () => {
+  describe('toUnifiedSchema', () => {
+    it('converts legacy external reference to unified format', () => {
+      const result =
+        externalReferenceAttachmentTransformer.toUnifiedSchema(legacyEndpointAttributes);
+      expect(result).toEqual(
+        expect.objectContaining({
+          type: 'security.endpoint',
+          attachmentId: 'action-123',
+          metadata: legacyEndpointAttributes.externalReferenceMetadata,
+          owner: 'securitySolution',
+        })
+      );
+    });
+
+    it('passes through already-unified attributes', () => {
+      const result =
+        externalReferenceAttachmentTransformer.toUnifiedSchema(unifiedEndpointAttributes);
+      expect(result).toEqual(unifiedEndpointAttributes);
+    });
+  });
+
+  describe('toLegacySchema', () => {
+    it('converts unified format to legacy external reference', () => {
+      const result =
+        externalReferenceAttachmentTransformer.toLegacySchema(unifiedEndpointAttributes);
+      expect(result).toEqual(
+        expect.objectContaining({
+          type: AttachmentType.externalReference,
+          externalReferenceId: 'action-123',
+          externalReferenceStorage: {
+            type: ExternalReferenceStorageType.elasticSearchDoc,
+          },
+          externalReferenceAttachmentTypeId: 'endpoint',
+          externalReferenceMetadata: unifiedEndpointAttributes.metadata,
+          owner: 'securitySolution',
+        })
+      );
+    });
+
+    it('passes through already-legacy attributes', () => {
+      const result =
+        externalReferenceAttachmentTransformer.toLegacySchema(legacyEndpointAttributes);
+      expect(result).toEqual(legacyEndpointAttributes);
+    });
+  });
+
+  describe('type guards', () => {
+    it('isType detects both legacy and unified', () => {
+      expect(externalReferenceAttachmentTransformer.isType(legacyEndpointAttributes as never)).toBe(
+        true
+      );
+      expect(
+        externalReferenceAttachmentTransformer.isType(unifiedEndpointAttributes as never)
+      ).toBe(true);
+      expect(
+        externalReferenceAttachmentTransformer.isType({ type: AttachmentType.alert } as never)
+      ).toBe(false);
+    });
+
+    it('does not match unmigrated external reference subtypes', () => {
+      const unmigrated = {
+        ...legacyEndpointAttributes,
+        externalReferenceAttachmentTypeId: 'some-unknown-type',
+      };
+      expect(externalReferenceAttachmentTransformer.isType(unmigrated as never)).toBe(false);
+    });
+
+    it('isUnifiedType detects only unified', () => {
+      expect(externalReferenceAttachmentTransformer.isUnifiedType(unifiedEndpointAttributes)).toBe(
+        true
+      );
+      expect(externalReferenceAttachmentTransformer.isUnifiedType(legacyEndpointAttributes)).toBe(
+        false
+      );
+    });
+
+    it('isLegacyType detects only legacy', () => {
+      expect(externalReferenceAttachmentTransformer.isLegacyType(legacyEndpointAttributes)).toBe(
+        true
+      );
+      expect(externalReferenceAttachmentTransformer.isLegacyType(unifiedEndpointAttributes)).toBe(
+        false
+      );
+    });
+
+    it('isUnifiedType rejects payloads where attachmentId is not a single id string', () => {
+      // External-reference unified attachments require `attachmentId: string`. The
+      // shared `AttachmentAttributesV2` union allows `string | string[]` for alert/event
+      // attachments, so the guard explicitly narrows to reject arrays coming via API.
+      expect(
+        externalReferenceAttachmentTransformer.isUnifiedType({
+          ...unifiedEndpointAttributes,
+          attachmentId: ['a', 'b'],
+        })
+      ).toBe(false);
+
+      expect(
+        externalReferenceAttachmentTransformer.isUnifiedType({
+          ...unifiedEndpointAttributes,
+          attachmentId: undefined,
+        })
+      ).toBe(false);
+    });
+  });
+
+  describe('payload transforms', () => {
+    const legacyPayload = {
+      type: AttachmentType.externalReference as const,
+      externalReferenceId: 'action-456',
+      externalReferenceStorage: {
+        type: ExternalReferenceStorageType.elasticSearchDoc as const,
+      },
+      externalReferenceAttachmentTypeId: 'endpoint',
+      externalReferenceMetadata: {
+        command: 'unisolate',
+        comment: '',
+        targets: [{ endpointId: 'ep-2', hostname: 'host-2', agentType: 'endpoint' }],
+      },
+      owner: 'securitySolution',
+    };
+
+    const unifiedPayload = {
+      type: 'security.endpoint',
+      attachmentId: 'action-456',
+      metadata: {
+        command: 'unisolate',
+        comment: '',
+        targets: [{ endpointId: 'ep-2', hostname: 'host-2', agentType: 'endpoint' }],
+      },
+      owner: 'securitySolution',
+    };
+
+    it('toUnifiedPayload converts legacy payload', () => {
+      const result = externalReferenceAttachmentTransformer.toUnifiedPayload(legacyPayload);
+      expect(result).toEqual(unifiedPayload);
+    });
+
+    it('toUnifiedPayload throws for non-legacy payload', () => {
+      expect(() => externalReferenceAttachmentTransformer.toUnifiedPayload(unifiedPayload)).toThrow(
+        'Expected legacy external reference attachment payload'
+      );
+    });
+
+    it('toLegacyPayload converts unified payload', () => {
+      const result = externalReferenceAttachmentTransformer.toLegacyPayload(unifiedPayload);
+      expect(result).toEqual(legacyPayload);
+    });
+
+    it('toLegacyPayload throws for non-unified payload', () => {
+      expect(() => externalReferenceAttachmentTransformer.toLegacyPayload(legacyPayload)).toThrow(
+        'Expected unified external reference attachment payload'
+      );
+    });
+
+    it('isLegacyPayload detects legacy payloads', () => {
+      expect(externalReferenceAttachmentTransformer.isLegacyPayload(legacyPayload)).toBe(true);
+      expect(externalReferenceAttachmentTransformer.isLegacyPayload(unifiedPayload)).toBe(false);
+    });
+
+    it('isUnifiedPayload detects unified payloads', () => {
+      expect(externalReferenceAttachmentTransformer.isUnifiedPayload(unifiedPayload)).toBe(true);
+      expect(externalReferenceAttachmentTransformer.isUnifiedPayload(legacyPayload)).toBe(false);
+    });
+  });
+});