[EARS] Make EARS feature-flag gate functionality per-provider (elastic#270426)

## Summary

Closes elastic/search-team#14522

Adds per-provider EARS feature flagging via a two-tier system:
- **Stable providers** (Microsoft, Slack): enabled whenever
`xpack.actions.auth.ears.enabled: true`
- **Experimental providers** (Google): only enabled when *both*
`ears.enabled: true` **and** `ears.enableExperimental: true`

This allows us to ship EARS for verified OAuth providers while keeping
unverified ones (Google, pending app verification) available only for
internal dogfooding.

### How it works

- Each connector spec's EARS auth type entry can declare `experimental:
true` (Google Calendar, Gmail, Google Drive do this)
- A new `xpack.actions.auth.ears.enableExperimental` boolean config
controls whether experimental EARS providers are available
- The filtering happens at schema generation time
(`generateSecretsSchemaFromSpec`), so both the UI and API are gated
- Existing EARS connectors for experimental providers show as disabled
in the connectors table when `enableExperimental` is off

### Promotion flow

When Google's OAuth app verification completes:
1. Remove `experimental: true` from the 3 Google specs (one-line diff
each)
2. **No deployment config changes needed** — Google EARS "just works"
for everyone

### Config

```yaml
# kibana.yml
xpack.actions.auth.ears:
  enabled: true                # global EARS gate (existing)
  enableExperimental: true     # opt-in for unverified providers (new)
```

### Changes

| Area | What |
|------|------|
| `kbn-connector-specs` | `AuthTypeDef.experimental` flag, filtering in
`generateSecretsSchemaFromSpec`, `isEarsExperimentalConnector` helper |
| `actions` plugin | `ears.enableExperimental` config,
`isEarsExperimentalEnabled()` utility, exposed to browser |
| `stack_connectors` | Thread `isEarsExperimentalEnabled` through
client-side schema generation |
| `agent_builder` | Per-provider disabled check in connectors table |
| `triggers_actions_ui` | Per-provider disabled check in connectors list
|
| Google specs | `experimental: true` on EARS auth type
(google_calendar, gmail, google_drive) |

## Test plan

- [ ] With `ears.enabled: true` and no `enableExperimental`:
Microsoft/Slack connectors show EARS option, Google connectors do not
- [ ] With `ears.enabled: true` and `enableExperimental: true`: all
connectors show EARS option
- [ ] With `ears.enabled: false`: no connectors show EARS option
regardless of `enableExperimental`
- [ ] Creating a Google EARS connector via API fails when
`enableExperimental` is off
- [ ] Previously created Google EARS connectors show as disabled when
`enableExperimental` is turned off
- [ ] Unit tests pass: `node scripts/jest
src/platform/packages/shared/kbn-connector-specs/`
- [ ] Unit tests pass: `node scripts/jest
x-pack/platform/plugins/shared/actions/server/`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Author: 3 people

.github/CODEOWNERS

@@ -2533,6 +2533,10 @@ x-pack/platform/plugins/shared/actions/server/lib/ears @elastic/workchat-eng
 x-pack/platform/plugins/shared/actions/server/lib/axios_auth_strategies/ears_strategy.ts @elastic/workchat-eng @elastic/response-ops
 x-pack/platform/plugins/shared/actions/server/lib/axios_auth_strategies/ears_strategy.test.ts @elastic/workchat-eng @elastic/response-ops
 src/platform/packages/shared/kbn-connector-specs/src/auth_types/ears.ts @elastic/workchat-eng
+src/platform/packages/shared/kbn-connector-specs/src/lib/ears_experimental_utils.ts @elastic/workchat-eng
+src/platform/packages/shared/kbn-connector-specs/src/lib/ears_experimental_utils.test.ts @elastic/workchat-eng
+src/platform/packages/shared/kbn-connector-specs/src/lib/generate_secrets_schema_from_spec.ts @elastic/workchat-eng @elastic/response-ops
+src/platform/packages/shared/kbn-connector-specs/src/lib/generate_secrets_schema_from_spec.test.ts @elastic/workchat-eng @elastic/response-ops
 
 
 # Connector Specs

src/platform/packages/shared/kbn-connector-specs/index.ts

@@ -34,6 +34,7 @@ export {
   ESTIMATED_JSON_OUTPUT_OVERHEAD_BYTES,
 } from './src/connector_utils';
 export { normalizeAuthorizationHeaderValue } from './src/auth_types/oauth_authz_code_and_ears_helpers';
+export { isEarsExperimentalConnector } from './src/lib/ears_experimental_utils';
 
 export { ConnectorAuthorizationError, isConnectorAuthorizationError } from './src/errors';
 export type { ConnectorAuthorizationReason } from './src/errors';

src/platform/packages/shared/kbn-connector-specs/src/connector_spec.ts

@@ -267,6 +267,7 @@ export interface ConnectorTest {
 
 export interface AuthTypeDef {
   type: string;
+  isExperimental?: boolean;
   defaults: Record<string, unknown>;
   overrides?: {
     meta?: Record<string, Record<string, unknown>>;

src/platform/packages/shared/kbn-connector-specs/src/lib/ears_experimental_utils.test.ts

@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { isEarsExperimentalConnector } from './ears_experimental_utils';
+
+describe('isEarsExperimentalConnector', () => {
+  test('returns true for connector types whose EARS auth is marked experimental', () => {
+    // Google connectors have experimental: true on their EARS auth type
+    expect(isEarsExperimentalConnector('.google_calendar')).toBe(true);
+    expect(isEarsExperimentalConnector('.gmail')).toBe(true);
+    expect(isEarsExperimentalConnector('.google_drive')).toBe(true);
+  });
+
+  test('returns false for connector types whose EARS auth is stable', () => {
+    // Microsoft and Slack connectors have EARS without experimental flag
+    expect(isEarsExperimentalConnector('.microsoft_teams')).toBe(false);
+    expect(isEarsExperimentalConnector('.slack')).toBe(false);
+    expect(isEarsExperimentalConnector('.sharepoint_online')).toBe(false);
+  });
+
+  test('returns false for connector types with no EARS auth', () => {
+    expect(isEarsExperimentalConnector('.alienvault-otx')).toBe(false);
+  });
+
+  test('returns false for unknown connector types', () => {
+    expect(isEarsExperimentalConnector('.nonexistent')).toBe(false);
+  });
+});

src/platform/packages/shared/kbn-connector-specs/src/lib/ears_experimental_utils.ts

@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { isString } from 'lodash';
+import * as allSpecs from '../all_specs';
+import { EARS_AUTH_ID } from '../auth_types/ears';
+import type { AuthTypeDef } from '../connector_spec';
+
+export const isEarsExperimentalAuthType = (
+  authType: string | AuthTypeDef
+): authType is AuthTypeDef =>
+  !isString(authType) && authType.type === EARS_AUTH_ID && authType.isExperimental === true;
+
+const experimentalEarsConnectorIds = new Set(
+  Object.values(allSpecs)
+    .filter((spec) => spec.auth?.types.some(isEarsExperimentalAuthType))
+    .map((spec) => spec.metadata.id)
+);
+
+export const isEarsExperimentalConnector = (connectorTypeId: string): boolean =>
+  experimentalEarsConnectorIds.has(connectorTypeId);

src/platform/packages/shared/kbn-connector-specs/src/lib/generate_secrets_schema_from_spec.test.ts

@@ -126,6 +126,97 @@ describe('generateSecretsSchemaFromSpec', () => {
     expect(authTypes).toContain('oauth_authorization_code');
   });
 
+  describe('experimental EARS filtering', () => {
+    const authSpecWithExperimentalEars = {
+      types: [
+        'bearer',
+        {
+          type: 'ears',
+          isExperimental: true,
+          defaults: { provider: 'google', scope: 'https://www.googleapis.com/auth/calendar' },
+        },
+      ],
+    };
+
+    const authSpecWithStableEars = {
+      types: [
+        'bearer',
+        {
+          type: 'ears',
+          defaults: { provider: 'slack', scope: 'channels:read' },
+        },
+      ],
+    };
+
+    test('excludes experimental EARS when isEarsEnabled but isEarsExperimentalEnabled is false', () => {
+      const schema = generateSecretsSchemaFromSpec(authSpecWithExperimentalEars, {
+        isEarsEnabled: true,
+        isEarsExperimentalEnabled: false,
+      });
+      const jsonSchema = z.toJSONSchema(schema) as {
+        oneOf?: Array<{ properties?: { authType?: { const?: string } } }>;
+      };
+      const oneOfOptions = jsonSchema.oneOf || [];
+      const authTypes = oneOfOptions
+        .map((opt) => opt.properties?.authType?.const)
+        .filter(Boolean) as string[];
+
+      expect(authTypes).toContain('bearer');
+      expect(authTypes).not.toContain('ears');
+    });
+
+    test('includes experimental EARS when both isEarsEnabled and isEarsExperimentalEnabled are true', () => {
+      const schema = generateSecretsSchemaFromSpec(authSpecWithExperimentalEars, {
+        isEarsEnabled: true,
+        isEarsExperimentalEnabled: true,
+      });
+      const jsonSchema = z.toJSONSchema(schema) as {
+        oneOf?: Array<{ properties?: { authType?: { const?: string } } }>;
+      };
+      const oneOfOptions = jsonSchema.oneOf || [];
+      const authTypes = oneOfOptions
+        .map((opt) => opt.properties?.authType?.const)
+        .filter(Boolean) as string[];
+
+      expect(authTypes).toContain('bearer');
+      expect(authTypes).toContain('ears');
+    });
+
+    test('includes stable EARS when isEarsEnabled is true regardless of isEarsExperimentalEnabled', () => {
+      const schema = generateSecretsSchemaFromSpec(authSpecWithStableEars, {
+        isEarsEnabled: true,
+        isEarsExperimentalEnabled: false,
+      });
+      const jsonSchema = z.toJSONSchema(schema) as {
+        oneOf?: Array<{ properties?: { authType?: { const?: string } } }>;
+      };
+      const oneOfOptions = jsonSchema.oneOf || [];
+      const authTypes = oneOfOptions
+        .map((opt) => opt.properties?.authType?.const)
+        .filter(Boolean) as string[];
+
+      expect(authTypes).toContain('bearer');
+      expect(authTypes).toContain('ears');
+    });
+
+    test('excludes all EARS when isEarsEnabled is false even if isEarsExperimentalEnabled is true', () => {
+      const schema = generateSecretsSchemaFromSpec(authSpecWithExperimentalEars, {
+        isEarsEnabled: false,
+        isEarsExperimentalEnabled: true,
+      });
+      const jsonSchema = z.toJSONSchema(schema) as {
+        oneOf?: Array<{ properties?: { authType?: { const?: string } } }>;
+      };
+      const oneOfOptions = jsonSchema.oneOf || [];
+      const authTypes = oneOfOptions
+        .map((opt) => opt.properties?.authType?.const)
+        .filter(Boolean) as string[];
+
+      expect(authTypes).toContain('bearer');
+      expect(authTypes).not.toContain('ears');
+    });
+  });
+
   describe('runtime parse behavior', () => {
     test('parses valid secrets for none auth type', () => {
       const schema = generateSecretsSchemaFromSpec({ types: ['none'] });

src/platform/packages/shared/kbn-connector-specs/src/lib/generate_secrets_schema_from_spec.ts

@@ -11,18 +11,21 @@ import { z } from '@kbn/zod/v4';
 import type { AuthMode, ConnectorSpec } from '../connector_spec';
 import * as authTypeSpecs from '../all_auth_types';
 import { getSchemaForAuthType } from '.';
+import { isEarsExperimentalAuthType } from './ears_experimental_utils';
 
 interface GenerateOptions {
   isPfxEnabled?: boolean;
   isEarsEnabled?: boolean;
+  isEarsExperimentalEnabled?: boolean;
   authMode?: AuthMode | '';
 }
 
 export const generateSecretsSchemaFromSpec = (
   authSpec: ConnectorSpec['auth'],
-  { isPfxEnabled, isEarsEnabled, authMode }: GenerateOptions = {
+  { isPfxEnabled, isEarsEnabled, isEarsExperimentalEnabled, authMode }: GenerateOptions = {
     isPfxEnabled: true,
     isEarsEnabled: false,
+    isEarsExperimentalEnabled: false,
   }
 ) => {
   const secretSchemas: z.core.$ZodTypeDiscriminable[] = [];
@@ -31,8 +34,13 @@ export const generateSecretsSchemaFromSpec = (
     if (schema.id === 'pfx_certificate' && !isPfxEnabled) {
       continue;
     }
-    if (schema.id === 'ears' && !isEarsEnabled) {
-      continue;
+    if (schema.id === 'ears') {
+      if (!isEarsEnabled) {
+        continue;
+      }
+      if (isEarsExperimentalAuthType(authType) && !isEarsExperimentalEnabled) {
+        continue;
+      }
     }
 
     const authTypeSpec = Object.values(authTypeSpecs).find((spec) => spec.id === schema.id);

src/platform/packages/shared/kbn-connector-specs/src/lib/serialize_connector_spec.test.ts

@@ -267,11 +267,16 @@ describe('serializeConnectorSpec', () => {
 
       const spy = jest.spyOn(generateSecretsModule, 'generateSecretsSchemaFromSpec');
 
-      serializeConnectorSpec(spec, { isPfxEnabled: false, isEarsEnabled: false });
+      serializeConnectorSpec(spec, {
+        isPfxEnabled: false,
+        isEarsEnabled: false,
+        isEarsExperimentalEnabled: false,
+      });
 
       expect(spy).toHaveBeenCalledWith(spec.auth, {
         isPfxEnabled: false,
         isEarsEnabled: false,
+        isEarsExperimentalEnabled: false,
       });
 
       spy.mockRestore();
@@ -298,7 +303,11 @@ describe('serializeConnectorSpec', () => {
       };
 
       const defaultEars = serializeConnectorSpec(spec);
-      const earsOn = serializeConnectorSpec(spec, { isPfxEnabled: true, isEarsEnabled: true });
+      const earsOn = serializeConnectorSpec(spec, {
+        isPfxEnabled: true,
+        isEarsEnabled: true,
+        isEarsExperimentalEnabled: false,
+      });
       interface SecretBranch {
         properties?: { authType?: { const?: string } };
       }
@@ -392,4 +401,53 @@ describe('serializeConnectorSpec', () => {
       }
     });
   });
+
+  describe('experimental EARS filtering', () => {
+    test('excludes experimental EARS auth when isEarsExperimentalEnabled is false', () => {
+      const testSpec = {
+        metadata: {
+          id: '.test-experimental-ears',
+          displayName: 'Test',
+          description: 'Test connector',
+          minimumLicense: 'basic' as const,
+          supportedFeatureIds: ['alerting' as const],
+        },
+        auth: {
+          types: [
+            'bearer',
+            {
+              type: 'ears',
+              isExperimental: true,
+              defaults: { provider: 'google', scope: 'test-scope' },
+            },
+          ],
+        },
+        actions: {
+          test: {
+            input: z.object({}),
+            handler: async () => ({ success: true }),
+          },
+        },
+      };
+
+      const result = serializeConnectorSpec(testSpec, {
+        isPfxEnabled: true,
+        isEarsEnabled: true,
+        isEarsExperimentalEnabled: false,
+      });
+
+      const schemaJson = result.schema as {
+        properties?: {
+          secrets?: { oneOf?: Array<{ properties?: { authType?: { const?: string } } }> };
+        };
+      };
+      const secretsOneOf = schemaJson.properties?.secrets?.oneOf || [];
+      const authTypes = secretsOneOf
+        .map((opt) => opt.properties?.authType?.const)
+        .filter(Boolean) as string[];
+
+      expect(authTypes).toContain('bearer');
+      expect(authTypes).not.toContain('ears');
+    });
+  });
 });

src/platform/packages/shared/kbn-connector-specs/src/lib/serialize_connector_spec.ts

@@ -14,6 +14,7 @@ import { generateSecretsSchemaFromSpec } from './generate_secrets_schema_from_sp
 export interface SerializeConnectorSpecOptions {
   isPfxEnabled: boolean;
   isEarsEnabled: boolean;
+  isEarsExperimentalEnabled: boolean;
 }
 
 export function serializeConnectorSpec(

src/platform/packages/shared/kbn-connector-specs/src/specs/gmail/gmail.ts

@@ -58,6 +58,7 @@ export const GmailConnector: ConnectorSpec = {
       },
       {
         type: 'ears',
+        isExperimental: true,
         overrides: {
           meta: { scope: { disabled: true } },
         },