elastic
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 15 additions & 12 deletions b/‎.github/CODEOWNERS‎
Lines changed: 15 additions & 12 deletions
diff --git a/‎.github/instructions/security.instructions.md‎
Lines changed: 186 additions & 0 deletions b/‎.github/instructions/security.instructions.md‎
Lines changed: 186 additions & 0 deletions
diff --git a/‎api_docs/actions.mdx‎
Lines changed: 1 addition & 1 deletion b/‎api_docs/actions.mdx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api_docs/advanced_settings.mdx‎
Lines changed: 1 addition & 1 deletion b/‎api_docs/advanced_settings.mdx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api_docs/agent_builder_platform.mdx‎
Lines changed: 1 addition & 1 deletion b/‎api_docs/agent_builder_platform.mdx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api_docs/ai_assistant_management_selection.mdx‎
Lines changed: 1 addition & 1 deletion b/‎api_docs/ai_assistant_management_selection.mdx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api_docs/aiops.mdx‎
Lines changed: 1 addition & 1 deletion b/‎api_docs/aiops.mdx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api_docs/alerting.devdocs.json‎
Lines changed: 1 addition & 1 deletion b/‎api_docs/alerting.devdocs.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api_docs/alerting.mdx‎
Lines changed: 1 addition & 1 deletion b/‎api_docs/alerting.mdx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api_docs/apm.devdocs.json‎
Lines changed: 1 addition & 1 deletion b/‎api_docs/apm.devdocs.json‎
Lines changed: 1 addition & 1 deletion
@@ -1084,6 +1084,7 @@ x-pack/platform/plugins/shared/screenshotting @elastic/kibana-reporting-services
 x-pack/platform/plugins/shared/searchprofiler @elastic/kibana-management
 x-pack/platform/plugins/shared/security @elastic/kibana-security
 x-pack/platform/plugins/shared/serverless @elastic/appex-sharedux
+x-pack/platform/plugins/shared/slo_shared @elastic/actionable-obs-team
 x-pack/platform/plugins/shared/spaces @elastic/kibana-security
 x-pack/platform/plugins/shared/stack_alerts @elastic/response-ops
 x-pack/platform/plugins/shared/stack_connectors @elastic/response-ops
@@ -2215,6 +2216,7 @@ x-pack/platform/plugins/private/cloud_integrations/cloud_full_story/server/confi
 /.github/workflows/codeql.yml @elastic/kibana-security
 /.github/workflows/codeql-pr.yml @elastic/kibana-security
 /.github/workflows/codeql-stats.yml @elastic/kibana-security
+/.github/instructions/security.instructions.md @elastic/kibana-security
 /.github/workflows/evaluate-dependency-health.yml @elastic/kibana-security
 /src/dev/eslint/security_eslint_rule_tests.ts @elastic/kibana-security
 /src/core/server/integration_tests/config/check_dynamic_config.test.ts @elastic/kibana-security
@@ -2727,21 +2729,22 @@ x-pack/solutions/security/test/security_solution_api_integration/test_suites/inv
 
 ## Generative AI owner connectors
 # OpenAI
-/x-pack/platform/plugins/shared/stack_connectors/public/connector_types/openai @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/x-pack/platform/plugins/shared/stack_connectors/server/connector_types/openai @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/x-pack/platform/plugins/shared/stack_connectors/common/openai @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/src/platform/packages/shared/kbn-connector-schemas/openai @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
+/x-pack/platform/plugins/shared/stack_connectors/public/connector_types/openai @elastic/security-generative-ai
+/x-pack/platform/plugins/shared/stack_connectors/server/connector_types/openai @elastic/security-generative-ai
+/x-pack/platform/plugins/shared/stack_connectors/common/openai @elastic/security-generative-ai
+/src/platform/packages/shared/kbn-connector-schemas/openai @elastic/security-generative-ai
+
 # Bedrock
-/x-pack/platform/plugins/shared/stack_connectors/public/connector_types/bedrock @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/x-pack/platform/plugins/shared/stack_connectors/server/connector_types/bedrock @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/x-pack/platform/plugins/shared/stack_connectors/common/bedrock @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/src/platform/packages/shared/kbn-connector-schemas/bedrock @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
+/x-pack/platform/plugins/shared/stack_connectors/public/connector_types/bedrock @elastic/security-generative-ai
+/x-pack/platform/plugins/shared/stack_connectors/server/connector_types/bedrock @elastic/security-generative-ai
+/x-pack/platform/plugins/shared/stack_connectors/common/bedrock @elastic/security-generative-ai
+/src/platform/packages/shared/kbn-connector-schemas/bedrock @elastic/security-generative-ai
 
 # Gemini
-/x-pack/platform/plugins/shared/stack_connectors/public/connector_types/gemini @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/x-pack/platform/plugins/shared/stack_connectors/server/connector_types/gemini @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/x-pack/platform/plugins/shared/stack_connectors/common/gemini @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
-/src/platform/packages/shared/kbn-connector-schemas/gemini @elastic/security-generative-ai @elastic/obs-ai-team @elastic/appex-ai-infra
+/x-pack/platform/plugins/shared/stack_connectors/public/connector_types/gemini @elastic/security-generative-ai
+/x-pack/platform/plugins/shared/stack_connectors/server/connector_types/gemini @elastic/security-generative-ai
+/x-pack/platform/plugins/shared/stack_connectors/common/gemini @elastic/security-generative-ai
+/src/platform/packages/shared/kbn-connector-schemas/gemini @elastic/security-generative-ai
 
 # Inference API
 /x-pack/platform/plugins/shared/stack_connectors/public/connector_types/inference @elastic/appex-ai-infra @elastic/security-generative-ai @elastic/obs-ai-team
 
@@ -0,0 +1,186 @@
+---
+applyTo: "{**/plugins/**/*.ts,**/packages/**/*.ts}"
+excludeAgent: "coding-agent"
+---
+
+# Security & Authorization Review Guidelines
+
+> **Critical Security Requirement:** All API routes in Kibana must have proper authorization checks. Authorization is not optional, even for `internal` routes.
+
+## Review Style
+- Be specific and actionable in feedback
+- Explain the "why" behind recommendations
+- Acknowledge good patterns when you see them
+- Ask clarifying questions when code intent is unclear
+
+## Authorization Configuration
+
+Routes use the `security` configuration in `KibanaRouteOptions`:
+
+```ts
+router.get({
+  path: '/api/path',
+  security: {
+    authz: {
+      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
+    },
+  },
+  ...
+}, handler);
+```
+
+## Critical Review Checklist
+
+Focus on these three key areas when reviewing API authorization:
+
+###  1. Branching Logic with AuthzResult
+
+**REQUIRED:** If a route handler branches its logic based on user privileges (e.g., returns different data or features), it MUST use `request.authzResult` to check which privileges were granted. Do NOT use `capabilities.resolveCapabilities()` or other authorization checks for branching—`authzResult` is the single source of truth.
+
+**Patterns to search for:**
+- Routes with `anyRequired` or complex privilege configurations (OR logic)
+- Handlers that return different data or behavior based on user privileges
+- Handlers that conditionally expose features or data based on permissions
+- Handlers that check `capabilities.resolveCapabilities()` or similar methods for authorization decisions
+- Functions that check permissions/privileges and return boolean values used for branching
+
+** Correct Implementation:**
+```ts
+router.get({
+  path: '/api/path',
+  security: {
+    authz: {
+      requiredPrivileges: ['privilege_3', { anyRequired: ['privilege_1', 'privilege_2'] }],
+    },
+  },
+  ...
+}, (context, request, response) => {
+  //  CORRECT: Use request.authzResult to check which privileges were granted
+  const authzResult = request.authzResult;
+  // {
+  //   "<privilege_3>": true,
+  //   "<privilege_1>": true,
+  //   "<privilege_2>": false
+  // }
+
+  // Branch logic based on specific privileges
+  if (authzResult.privilege_1) {
+    // User has privilege_1, return enhanced data
+    return response.ok({ body: ...  });
+  } else if (authzResult.privilege_2) {
+    // User has privilege_2, return basic data
+    return response.ok({ body: ...  });
+  }
+
+  // Fallback (should not reach here if security config is correct)
+  return response.ok({ body: { data: ... } });
+});
+```
+
+**Flag using Capabilities Instead of AuthzResult:**
+```ts
+  // WRONG: Using capabilities.resolveCapabilities() for authorization branching
+  const canReadDecryptedParams = async (routeContext: RouteContext) => {
+    const { request, server } = routeContext;
+    
+    const capabilities = await server.coreStart.capabilities.resolveCapabilities(request, {
+      capabilityPath: 'my_capability.*',
+    });
+    
+    return capabilities.my_capability?.canReadParams ?? false;
+  };
+  
+  // In handler:
+  if (await canReadDecryptedParams(routeContext)) {
+    return getDecryptedParams(routeContext, paramId);
+  } else {
+    return getBasicParams(routeContext, paramId);
+  }
+  
+  // CORRECT: Use authzResult instead
+  router.get({
+    path: '/api/params',
+    security: {
+      authz: {
+        requiredPrivileges: [{ anyRequired: ['read_params_decrypted', 'read_params'] }],
+      },
+    },
+  }, (context, request, response) => {
+    if (request.authzResult.read_params_decrypted) {
+      return getDecryptedParams(routeContext, paramId);
+    } else {
+      return getBasicParams(routeContext, paramId);
+    }
+  });
+```
+
+###  2. Opt-Out Authorization Reason
+
+**When reviewing:** Check all routes with `authz: { enabled: false }` or `AuthzDisabled.*` usage. Verify they use predefined reasons when applicable, or provide specific context.
+
+**If a route opts out of authorization, use predefined `AuthzOptOutReason` enum or `AuthzDisabled` helpers:**
+
+```ts
+import { AuthzDisabled, AuthzOptOutReason } from '@kbn/core-security-server';
+
+//  CORRECT: Use predefined reason for Saved Objects client
+router.get({
+  path: '/api/path',
+  security: {
+    authz: AuthzDisabled.delegateToSOClient,
+  },
+  ...
+}, handler);
+
+//  CORRECT: Use predefined reason enum
+router.get({
+  path: '/api/path',
+  security: {
+    authz: {
+      enabled: false,
+      reason: AuthzOptOutReason.DelegateToSOClient,
+    },
+  },
+  ...
+}, handler);
+
+//  CORRECT: Custom string when no predefined reason applies
+router.get({
+  path: '/api/health',
+  security: {
+    authz: {
+      enabled: false,
+      reason: 'This route is a health check endpoint that returns no sensitive information',
+    },
+  },
+  ...
+}, handler);
+```
+
+**Flag if:** `reason` is:
+  -`"Opt out from authorization"` (too generic, no context)
+  - `"This route does not need authorization"` (no explanation why)
+  - `"Authorization not required"` (no context provided)
+  - `Authorization is delegated to SO Client` (semantically equivalent to the already predefined reason `AuthzOptOutReason.DelegateToSOClient`)
+
+## Summary
+
+**Key Points for Reviewers:**
+
+1. **Privilege names must follow `<operation>_<subject>` convention**
+   - Incorrect privilege names:
+     - `read-entity-a`: Uses `-` instead of `_`
+     - `delete_entity-a`: Mixes `_` and `-`
+     - `entity_manage`: Places the subject name before the operation
+   - Correct privilege names:
+     - `read_entity_a`
+     - `delete_entity_a`
+     - `manage_entity`
+2. **Routes with privilege-based branching MUST use `request.authzResult`**
+3. **Opt-out routes must have clear, specific reasons with context (not just "Opt out from authorization")*
+
+## References
+
+- [Kibana API Authorization Documentation](dev_docs/key_concepts/api_authorization.mdx)
+- [Kibana HTTP API Design Guidelines](dev_docs/contributing/kibana_http_api_design_guidelines.mdx)
+
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/actions
 title: "actions"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the actions plugin
-date: 2025-12-18
+date: 2025-12-19
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'actions']
 ---
 import actionsObj from './actions.devdocs.json';
 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/advancedSettings
 title: "advancedSettings"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the advancedSettings plugin
-date: 2025-12-18
+date: 2025-12-19
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'advancedSettings']
 ---
 import advancedSettingsObj from './advanced_settings.devdocs.json';
 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/agentBuilderPlatform
 title: "agentBuilderPlatform"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the agentBuilderPlatform plugin
-date: 2025-12-18
+date: 2025-12-19
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'agentBuilderPlatform']
 ---
 import agentBuilderPlatformObj from './agent_builder_platform.devdocs.json';
 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/aiAssistantManagementSelection
 title: "aiAssistantManagementSelection"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the aiAssistantManagementSelection plugin
-date: 2025-12-18
+date: 2025-12-19
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'aiAssistantManagementSelection']
 ---
 import aiAssistantManagementSelectionObj from './ai_assistant_management_selection.devdocs.json';
 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/aiops
 title: "aiops"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the aiops plugin
-date: 2025-12-18
+date: 2025-12-19
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'aiops']
 ---
 import aiopsObj from './aiops.devdocs.json';
 
@@ -5179,7 +5179,7 @@
           "BulkFillGapsByRuleIdsOptions",
           ") => Promise<",
           "BulkFillGapsByRuleIdsResult",
-          ">; getRuleIdsWithGaps: (params: Readonly<{ start?: string | undefined; end?: string | undefined; sortOrder?: \"asc\" | \"desc\" | undefined; statuses?: (\"unfilled\" | \"filled\" | \"partially_filled\")[] | undefined; hasUnfilledIntervals?: boolean | undefined; hasInProgressIntervals?: boolean | undefined; hasFilledIntervals?: boolean | undefined; highestPriorityGapFillStatuses?: (\"unfilled\" | \"filled\" | \"in_progress\")[] | undefined; ruleTypes?: Readonly<{} & { type: string; consumer: string; }>[] | undefined; maxRulesToFetch?: number | undefined; } & {}>) => Promise<Readonly<{ latestGapTimestamp?: number | undefined; } & { ruleIds: string[]; total: number; }>>; getGapsSummaryByRuleIds: (params: Readonly<{} & { start: string; end: string; ruleIds: string[]; }>) => Promise<Readonly<{} & { data: Readonly<{ gapFillStatus?: string | undefined; } & { ruleId: string; totalUnfilledDurationMs: number; totalInProgressDurationMs: number; totalFilledDurationMs: number; }>[]; }>>; getRuleTypesByQuery: (params: Readonly<{ filter?: string | undefined; ids?: string[] | undefined; } & {}>) => Promise<Readonly<{} & { ruleTypes: string[]; }>>; createGapAutoFillScheduler: (params: ",
+          ">; getRuleIdsWithGaps: (params: Readonly<{ start?: string | undefined; end?: string | undefined; sortOrder?: \"asc\" | \"desc\" | undefined; ruleIds?: string[] | undefined; statuses?: (\"unfilled\" | \"filled\" | \"partially_filled\")[] | undefined; hasUnfilledIntervals?: boolean | undefined; hasInProgressIntervals?: boolean | undefined; hasFilledIntervals?: boolean | undefined; highestPriorityGapFillStatuses?: (\"unfilled\" | \"filled\" | \"in_progress\")[] | undefined; ruleTypes?: Readonly<{} & { type: string; consumer: string; }>[] | undefined; maxRulesToFetch?: number | undefined; } & {}>) => Promise<Readonly<{ latestGapTimestamp?: number | undefined; } & { ruleIds: string[]; total: number; }>>; getGapsSummaryByRuleIds: (params: Readonly<{} & { start: string; end: string; ruleIds: string[]; }>) => Promise<Readonly<{} & { data: Readonly<{ gapFillStatus?: string | undefined; } & { ruleId: string; totalUnfilledDurationMs: number; totalInProgressDurationMs: number; totalFilledDurationMs: number; }>[]; }>>; getRuleTypesByQuery: (params: Readonly<{ filter?: string | undefined; ids?: string[] | undefined; } & {}>) => Promise<Readonly<{} & { ruleTypes: string[]; }>>; createGapAutoFillScheduler: (params: ",
           "CreateGapAutoFillSchedulerParams",
           ") => Promise<",
           "GapAutoFillSchedulerResponse",
 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/alerting
 title: "alerting"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the alerting plugin
-date: 2025-12-18
+date: 2025-12-19
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'alerting']
 ---
 import alertingObj from './alerting.devdocs.json';
 
@@ -6491,7 +6491,7 @@
             "section": "def-common.Error",
             "text": "Error"
           },
-          "[]; }, ",
+          "[]; agentMarks: Record<string, number>; }, ",
           "APMRouteCreateOptions",
           ">; \"GET /internal/apm/traces/{traceId}\": ",
           {
Original file line number	Diff line number	Diff line change
`@@ -6491,7 +6491,7 @@`
`6491`	`6491`	`"section": "def-common.Error",`
`6492`	`6492`	`"text": "Error"`
`6493`	`6493`	`},`
`6494`		`- "[]; }, ",`
	`6494`	`+ "[]; agentMarks: Record<string, number>; }, ",`
`6495`	`6495`	`"APMRouteCreateOptions",`
`6496`	`6496`	`">; \"GET /internal/apm/traces/{traceId}\": ",`
`6497`	`6497`	`{`