
[OAS] Security roles: Add meta:{id} to plugin schemas for named OAS components #262305

Closed
Copilot wants to merge 2 commits into main from copilot/add-meta-id-to-plugin-schemas


Copilot AI commented Apr 9, 2026

Without meta:{id} on kbn-config-schema objects, the OAS generator emits anonymous inline schemas at every endpoint instead of reusable named $ref components — making the spec harder for downstream tools (e.g. Terraform provider codegen) to consume.

Changes

Route schemas (server/routes/authorization/roles/)

Added meta:{id} to all inline schema.object() calls across route files:

| File | Schema ID(s) |
| --- | --- |
| get.ts | security_get_role_params, security_get_role_query |
| get_all.ts | security_get_all_roles_query |
| put.ts | security_put_role_params, security_put_role_query |
| delete.ts | security_delete_role_params |
| query.ts | security_query_roles_request |

Model schemas (model/)

  • put_payload.ts → security_role_put_payload
  • bulk_create_or_update_payload.ts → security_bulk_create_or_update_roles_request

Sub-schemas (@kbn/security-plugin-types-server)

Named the reusable building blocks in role_schema.ts:

  • elasticsearchRoleSchema → security_role_elasticsearch_privileges
  • Indices entry → security_role_index_privilege
  • Remote indices entry → security_role_remote_index_privilege
  • Remote cluster entry → security_role_remote_cluster_privilege
  • Kibana privileges entry → security_role_kibana_privileges_entry

Example — before vs. after for the PUT body:

```ts
// Before: anonymous inline object at every endpoint
return schema.object({ description, metadata, elasticsearch, kibana });

// After: emits $ref: '#/components/schemas/security_role_put_payload'
return schema.object(
  { description, metadata, elasticsearch, kibana },
  { meta: { id: 'security_role_put_payload' } }
);
```

OAS breaking change allowlist

Added entries in packages/kbn-api-contracts/allowlist.json for all 6 affected endpoints. The data shape is identical — only the OAS representation changes from inline to $ref.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • ci-stats.kibana.dev
  • clients3.google.com
  • detectportal.firefox.com
  • google.com
  • googlechromelabs.github.io
  • iojs.org

If you need me to access, download, or install something from one of these locations, you can either:


Adds `meta:{id}` to all schema objects in the security role authorization
routes so the OAS generator produces named $ref components instead of
anonymous inline objects. This makes the generated OpenAPI spec easier to
consume for downstream tools like the Terraform provider.

Schemas named:
- security_role_put_payload (put_payload.ts)
- security_bulk_create_or_update_roles_request (bulk_create_or_update_payload.ts)
- security_query_roles_request (query.ts)
- security_get_role_params / security_get_role_query (get.ts)
- security_get_all_roles_query (get_all.ts)
- security_put_role_params / security_put_role_query (put.ts)
- security_delete_role_params (delete.ts)
- security_role_elasticsearch_privileges (role_schema.ts)
- security_role_index_privilege / security_role_remote_index_privilege
- security_role_remote_cluster_privilege (role_schema.ts)
- security_role_kibana_privileges_entry (role_schema.ts)

Also adds allowlist entries for the OAS breaking changes these introduce.

Agent-Logs-Url: https://github.com/elastic/kibana/sessions/47d3f542-a577-47ed-ac07-9d4f361615a1

Co-authored-by: kc13greiner <21210601+kc13greiner@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add meta:id to plugin schemas for named OAS components" to "[OAS] Security roles: Add meta:{id} to plugin schemas for named OAS components" on Apr 9, 2026
Copilot AI requested a review from kc13greiner April 9, 2026 15:35
@elasticmachine

⏳ Build in-progress, with failures

Failed CI Steps

cc @kc13greiner @Copilot
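
The PR description states that the allowlisted change leaves the data shape identical and only moves the schema from inline to a $ref. As an added example (not code from the PR or from Kibana), this TypeScript check dereferences the request body of one operation in two spec versions and compares the results, so a real shape change cannot pass as a representation-only one. The spec fragments, the path constant and all function names are constructed for illustration.

```typescript
// Added example. The spec fragments below are constructed, not copied from Kibana's OAS.
type Json = any;
const PREFIX = '#/components/schemas/';
const ROLE_PATH = '/api/security/role/{name}'; // assumed path, for illustration only

// Resolve a local component pointer; a dangling or external $ref is an error.
function resolveRef(doc: Json, ref: string): Json {
  if (ref.indexOf(PREFIX) !== 0) throw new Error('unsupported $ref: ' + ref);
  const schemas: Json = (doc.components && doc.components.schemas) || {};
  const target: Json = schemas[ref.slice(PREFIX.length)];
  if (target === undefined) throw new Error('dangling $ref: ' + ref);
  return target;
}

// Inline every $ref and sort object keys, so representation differences vanish.
function dereference(doc: Json, node: Json, seen: string[] = []): Json {
  if (Array.isArray(node)) return node.map((n: Json) => dereference(doc, n, seen));
  if (node === null || typeof node !== 'object') return node;
  if (typeof node.$ref === 'string') {
    if (seen.indexOf(node.$ref) !== -1) throw new Error('cyclic $ref: ' + node.$ref);
    return dereference(doc, resolveRef(doc, node.$ref), seen.concat(node.$ref));
  }
  const out: Json = {};
  for (const key of Object.keys(node).sort()) out[key] = dereference(doc, node[key], seen);
  return out;
}

// True when the JSON request body of one operation has the same shape in both specs.
function sameRequestShape(before: Json, after: Json, path: string, method: string): boolean {
  const body = (d: Json): Json =>
    dereference(d, d.paths[path][method].requestBody.content['application/json'].schema);
  return JSON.stringify(body(before)) === JSON.stringify(body(after));
}

// Constructed role payload shape (a small subset, for the demonstration).
const roleShape: Json = {
  type: 'object',
  properties: { description: { type: 'string' }, kibana: { type: 'array' } },
};
const specWith = (schema: Json, components: Json): Json => ({
  paths: { [ROLE_PATH]: { put: { requestBody: { content: { 'application/json': { schema } } } } } },
  components,
});
const named = { $ref: PREFIX + 'security_role_put_payload' };
const BEFORE: Json = specWith(roleShape, {});
const AFTER: Json = specWith(named, { schemas: { security_role_put_payload: roleShape } });
// Same $ref, but a property type drifted: not a representation-only change.
const DRIFTED: Json = specWith(named, {
  schemas: { security_role_put_payload: { type: 'object', properties: { description: { type: 'number' } } } },
});
```

Array order (for example in `required`) is compared as written, so a reordered list is reported as a difference and needs a manual look.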
