elastic
diff --git a/‎.buildkite/pipelines/artifacts.yml‎
Lines changed: 1 addition & 0 deletions b/‎.buildkite/pipelines/artifacts.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.buildkite/scripts/steps/checks/api_contracts.sh‎
Lines changed: 12 additions & 0 deletions b/‎.buildkite/scripts/steps/checks/api_contracts.sh‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎.buildkite/scripts/steps/checks/notify_api_contract_owners.test.ts‎
Lines changed: 89 additions & 0 deletions b/‎.buildkite/scripts/steps/checks/notify_api_contract_owners.test.ts‎
Lines changed: 89 additions & 0 deletions
diff --git a/‎.buildkite/scripts/steps/checks/notify_api_contract_owners.ts‎
Lines changed: 109 additions & 0 deletions b/‎.buildkite/scripts/steps/checks/notify_api_contract_owners.ts‎
Lines changed: 109 additions & 0 deletions
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions
@@ -157,4 +157,5 @@ steps:
       imageProject: elastic-images-prod
       provider: gcp
       machineType: n2-standard-2
+      diskSizeGb: 180
     timeout_in_minutes: 30
@@ -16,11 +16,17 @@ if [[ -n "${GITHUB_PR_MERGE_BASE:-}" ]]; then
   MERGE_BASE_ARGS=(--mergeBase "$GITHUB_PR_MERGE_BASE")
 fi
 
+REPORT_DIR="packages/kbn-api-contracts/target/reports"
+STACK_REPORT="$REPORT_DIR/stack-impact.json"
+SERVERLESS_REPORT="$REPORT_DIR/serverless-impact.json"
+rm -f "$STACK_REPORT" "$SERVERLESS_REPORT"
+
 echo "Checking stack API contracts..."
 node scripts/check_api_contracts.js \
   --distribution stack \
   --specPath oas_docs/output/kibana.yaml \
   --baseBranch "$BASE_BRANCH" \
+  --reportPath "$STACK_REPORT" \
   "${MERGE_BASE_ARGS[@]+"${MERGE_BASE_ARGS[@]}"}" &
 STACK_PID=$!
 
@@ -29,6 +35,7 @@ node scripts/check_api_contracts.js \
   --distribution serverless \
   --specPath oas_docs/output/kibana.serverless.yaml \
   --baseBranch "$BASE_BRANCH" \
+  --reportPath "$SERVERLESS_REPORT" \
   "${MERGE_BASE_ARGS[@]+"${MERGE_BASE_ARGS[@]}"}" &
 SERVERLESS_PID=$!
 
@@ -38,5 +45,10 @@ wait $STACK_PID || STACK_EXIT=$?
 wait $SERVERLESS_PID || SERVERLESS_EXIT=$?
 
 if [ $STACK_EXIT -ne 0 ] || [ $SERVERLESS_EXIT -ne 0 ]; then
+  echo --- Notify API owners
+  if [[ "${BUILDKITE_PULL_REQUEST:-false}" != "false" ]]; then
+    ts-node .buildkite/scripts/steps/checks/notify_api_contract_owners.ts \
+      "$STACK_REPORT" "$SERVERLESS_REPORT" || echo "Warning: failed to post PR notification"
+  fi
   exit 1
 fi
@@ -0,0 +1,89 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+jest.mock('#pipeline-utils', () => ({
+  upsertComment: jest.fn(),
+}));
+
+import { buildCommentBody, type ImpactEntry } from './notify_api_contract_owners';
+
+const entry = (overrides: Partial<ImpactEntry> = {}): ImpactEntry => ({
+  path: '/api/spaces/space',
+  method: 'GET',
+  reason: 'Endpoint removed',
+  terraformResource: 'elasticstack_kibana_space',
+  owners: ['@elastic/kibana-security'],
+  ...overrides,
+});
+
+describe('buildCommentBody', () => {
+  it('renders a markdown table with one entry', () => {
+    const body = buildCommentBody([entry()]);
+
+    expect(body).toContain('## API Contract Breaking Changes');
+    expect(body).toContain('| `/api/spaces/space` `GET`');
+    expect(body).toContain('elasticstack_kibana_space');
+    expect(body).toContain('@elastic/kibana-security');
+  });
+
+  it('deduplicates owners in the cc line', () => {
+    const entries = [
+      entry({ owners: ['@elastic/kibana-security'] }),
+      entry({ path: '/api/spaces/space/{id}', owners: ['@elastic/kibana-security'] }),
+    ];
+    const body = buildCommentBody(entries);
+
+    const ccLine = body.split('\n').find((l) => l.startsWith('cc '))!;
+    const mentions = ccLine.replace('cc ', '').trim().split(' ');
+    expect(mentions).toEqual(['@elastic/kibana-security']);
+  });
+
+  it('aggregates multiple distinct owners', () => {
+    const entries = [
+      entry({ owners: ['@elastic/kibana-security'] }),
+      entry({
+        path: '/api/fleet/agent_policies',
+        method: 'POST',
+        terraformResource: 'elasticstack_fleet_agent_policy',
+        owners: ['@elastic/fleet'],
+      }),
+    ];
+    const body = buildCommentBody(entries);
+
+    expect(body).toContain('@elastic/kibana-security');
+    expect(body).toContain('@elastic/fleet');
+  });
+
+  it('shows _unknown_ when no owners exist', () => {
+    const body = buildCommentBody([entry({ owners: [] })]);
+
+    expect(body).toContain('cc _unknown_');
+  });
+
+  it('escapes pipe characters in the reason field', () => {
+    const body = buildCommentBody([entry({ reason: 'field|was|removed' })]);
+
+    expect(body).toContain('field\\|was\\|removed');
+    expect(body).not.toContain('field|was|removed');
+  });
+
+  it('escapes newlines in the reason field', () => {
+    const body = buildCommentBody([entry({ reason: 'line1\nline2' })]);
+
+    expect(body).toContain('line1 line2');
+    expect(body).not.toContain('line1\nline2');
+  });
+
+  it('omits method badge when method is undefined', () => {
+    const body = buildCommentBody([entry({ method: undefined })]);
+
+    expect(body).toContain('| `/api/spaces/space` |');
+    expect(body).not.toMatch(/`GET`|`POST`|`PUT`|`DELETE`/);
+  });
+});
@@ -0,0 +1,109 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { readFileSync, existsSync } from 'fs';
+import { upsertComment } from '#pipeline-utils';
+
+export interface ImpactEntry {
+  path: string;
+  method?: string;
+  reason: string;
+  terraformResource: string;
+  owners: string[];
+}
+
+interface ImpactReport {
+  impactedChanges: ImpactEntry[];
+}
+
+const COMMENT_CONTEXT = 'api-contracts-tf-breaking';
+
+const ALLOWLIST_PATH = 'packages/kbn-api-contracts/allowlist.json';
+const README_PATH = 'packages/kbn-api-contracts/README.md';
+
+export const buildCommentBody = (entries: ImpactEntry[]): string => {
+  const allOwners = [...new Set(entries.flatMap((e) => e.owners || []))];
+  const ownerMentions = allOwners.length > 0 ? allOwners.join(' ') : '_unknown_';
+
+  const escapeCell = (text: string): string => text.replace(/\|/g, '\\|').replace(/\n/g, ' ');
+
+  const rows = entries
+    .map((e) => {
+      const method = e.method ? ` \`${e.method.toUpperCase()}\`` : '';
+      return `| \`${e.path}\`${method} | ${escapeCell(e.terraformResource)} | ${escapeCell(
+        e.reason
+      )} | ${(e.owners || []).join(', ')} |`;
+    })
+    .join('\n');
+
+  return `## API Contract Breaking Changes — Terraform Provider Impact
+
+cc ${ownerMentions}
+
+The following breaking change(s) affect APIs consumed by the [Elastic Terraform Provider](https://github.com/elastic/terraform-provider-elasticstack).
+
+| Endpoint | Terraform Resource | Reason | Owners |
+|----------|--------------------|--------|--------|
+${rows}
+
+### What to do
+
+1. **Fix the breaking change** if it was unintentional.
+2. **If intentional**, add an approved entry to [\`${ALLOWLIST_PATH}\`](https://github.com/elastic/kibana/blob/main/${ALLOWLIST_PATH}) and coordinate with \`@elastic/terraform-provider\`.
+
+See the [\`@kbn/api-contracts\` README](https://github.com/elastic/kibana/blob/main/${README_PATH}) for details on the allowlist schema and workflow.`;
+};
+
+async function main() {
+  const reportPaths = process.argv.slice(2);
+
+  const allEntries: ImpactEntry[] = [];
+  for (const reportPath of reportPaths) {
+    if (!existsSync(reportPath)) {
+      continue;
+    }
+    try {
+      const report: ImpactReport = JSON.parse(readFileSync(reportPath, 'utf-8'));
+      if (!Array.isArray(report.impactedChanges)) {
+        console.error(`Report at ${reportPath} has no impactedChanges array, skipping`);
+        continue;
+      }
+      allEntries.push(...report.impactedChanges);
+    } catch {
+      console.error(`Failed to parse report at ${reportPath}, skipping`);
+    }
+  }
+
+  if (allEntries.length === 0) {
+    console.log('No TF-impacting breaking changes to report');
+    return;
+  }
+
+  const deduped = Array.from(
+    new Map(allEntries.map((e) => [`${e.path}::${e.method ?? ''}`, e])).values()
+  );
+
+  const body = buildCommentBody(deduped);
+  console.log('Posting PR comment notifying API owners...');
+
+  await upsertComment({
+    commentBody: body,
+    commentContext: COMMENT_CONTEXT,
+    clearPrevious: true,
+  });
+
+  console.log('PR comment posted successfully');
+}
+
+if (require.main === module) {
+  main().catch((error) => {
+    console.error('Failed to post API contract notification:', error);
+    process.exit(1);
+  });
+}
@@ -2715,6 +2715,7 @@ x-pack/solutions/security/test/security_solution_api_integration/test_suites/sie
 
 /x-pack/solutions/security/test/serverless/functional/test_suites/ftr/discover @elastic/security-threat-hunting
 x-pack/solutions/security/test/serverless/functional/configs/config.context_awareness.ts @elastic/security-threat-hunting
+/x-pack/solutions/security/plugins/security_solution/common/endpoint/schema/resolver.ts @elastic/security-threat-hunting
 
 ## Security Solution Threat Hunting areas - Threat Hunting Investigations