Fix observability UIAM config and add CPS observability variant

[flash1293]

Summary

• Adds observability_complete serverless config variant for cps_local
• Fixes uiam_local/observability_complete to import from the observability base config instead of security
• Adds cloud.id override for UIAM API key conversion in observability UIAM config
• Fixes UIAM token project_type mismatch by normalizing CLI aliases (oblt→observability, es→search) in @kbn/mock-idp-utils

Test plan

• Run node scripts/scout start-server --arch serverless --domain observability_complete --serverConfigSet cps_local and verify SAML auth succeeds
• Run node scripts/scout start-server --arch serverless --domain security_complete --serverConfigSet cps_local and verify it still works

🤖 Generated with Claude Code

[flash1293]

@copilot Actually, it's way simpler, revert all the changes here and just add an observability variant of src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/cps_local/serverless/security_complete.serverless.config.ts to src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/cps_local/serverless

[azasypkin]

👋 We're likely going to run into conflicts with #260546. Is this change time-critical for you, or can you wait until we enable UIAM for everyone by default in #260546 (1-2-3 days, if things go well)?

At that point, you likely won't need a custom Scout config at all.

[flash1293]

Would that replace the full PR? I still need a config to start observability with local loopback csp right?

[dmlemeshko]

nit: we are doing the same conversion in mock-id-plugin:

kibana/packages/kbn-mock-idp-plugin/server/plugin.ts

Lines 42 to 48 in 56c9003

	// BOOKMARK - List of Kibana project types
	const projectToAlias = new Map<string, string>([
	['observability', 'oblt'],
	['security', 'security'],
	['search', 'es'],
	['workplaceai', 'workplaceai'],
	]);

maybe we should import it in plugin from utils?

[azasypkin]

I still need a config to start observability with local loopback csp right?

Oh, this change won't be covered by my PR, as loopback CPS requires a custom configuration.

By the way, we added support for loopback CPS just to make quick local smoke testing easier, but I believe using this for anything serious, like automated tests or quality gates, is highly discouraged. It might break at any point without warning. @n1v0lg can keep me honest here.

Is there any reason you cannot rely on a proper CPS testing setup that @dmlemeshko has built recently? If that isn't possible yet, can we improve it so you can leverage it instead?

---

es → search

Learned the hard way that it should be es → elasticsearch to work with UIAM 🙂

[flash1293]

The use case is local smoke testing here. @dmlemeshko suggested this is how it should be done - the first version of this PR was just a small bash script that did the same thing.

I really just want a handy oneliner to start a CPS setup for local testing, please let me merge a version 😁

[azasypkin]

I really just want a handy oneliner to start a CPS setup for local testing, please let me merge a version 😁

Haha, okay, but you've been warned (though please change ['es', 'search'] to ['es', 'elasticsearch'] before merging) 🙂 If you decide to use this config for any automated CPS tests, please let me know.

[n1v0lg]

By the way, we added support for loopback CPS just to make quick local smoke testing easier, but I believe using this for anything serious, like automated tests or quality gates, is highly discouraged. It might break at any point without warning. @n1v0lg can keep me honest here.

Yes, loopback definitely to be avoided 🙏

[dmlemeshko]

kbn/scout updates lgtm

[flash1293]

Addressed review feedback:

• @dmlemeshko: Consolidated the projectToAlias map — it's now defined once in kbn-mock-idp-utils as projectTypeToAlias and exported. The plugin imports it instead of maintaining its own copy.
• @azasypkin: Fixed the UIAM normalization to map 'es' → 'elasticsearch' instead of 'search'. The projectTypeToAlias map still uses 'search' → 'es' since that's the Kibana solution name from the cloud plugin used for role file lookups.

@azasypkin could you take another look when you get a chance? Thanks!

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 96feb4e

Failed CI Steps

• Jest Tests #4

Test Failures

• [job] [logs] Jest Tests #4 / should call onSelectionChange on user selection

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/mock-idp-utils	60	61	+1

Unknown metric groups

API count

id	before	after	diff
@kbn/mock-idp-utils	68	69	+1

History

• 💛 Build #420212 was flaky 9f490b6
• 💔 Build #419916 failed 2fa3121
• 💚 Build #419739 succeeded 9e5fd91

[azasypkin]

LGTM 👍