[EA] Add Chat-First experience to Entity Analytics#264985
Merged
opauloh merged 78 commits intoelastic:mainfrom Apr 24, 2026
Merged
[EA] Add Chat-First experience to Entity Analytics#264985opauloh merged 78 commits intoelastic:mainfrom
opauloh merged 78 commits intoelastic:mainfrom
Conversation
Introduces a rich visual renderer for `security.entity` attachments in Agent Builder, gated behind the `entityAttachmentRichRenderer` experimental flag. Key changes: - Supports both single-entity (card) and multi-entity (table) payload shapes in the UI and server-side validation. - Updates the `security.get_entity` tool to automatically persist a `security.entity` attachment as a side effect when a single entity is resolved. - Implements a "composer injection" mechanism in the conversation context, allowing attachment renderers to prefill the chat input with type-aware "Continue the conversation" prompts. - Adds module-scoped query caching for entity details to ensure performance across multiple cards/tables in a single conversation.
…tions Enhances the `security.entity` attachment renderer to match the layout of the user/host details flyout. Adds new lightweight "mini" components for the summary grid, risk contributions, and resolution groups, decoupled from Redux to work within Agent Builder. Introduces a row-action popover in the table view and follow-up chips in the card view that prefill the composer with type-aware prompts for risk analysis, asset criticality, and graph exploration.
…y search Enhances the `security.search_entities` tool to support filtering by integration keys (e.g., `crowdstrike`) and automatically generates aggregate table attachments for multi-entity results. Key changes: - Updates the AI agent instructions to render inline `` tags for entity lists. - Implements deterministic attachment IDs for search results to ensure consistent versioning within a conversation. - Adds a `sources` parameter to the search tool using ESQL `MV_CONTAINS` filtering. - Introduces UI utilities to format raw integration keys into title-cased labels for the entity table.
Enhances the `security.get_entity` tool to support exact name matches (entity.name and user.full_name) and improves the reliability of rich entity attachment creation. Key changes: - Introduces an exact name match step to resolve entities by their display name or full name. - Updates attachment logic to allow high-confidence matches from ID RLIKE fallbacks (e.g., when a prefix is missing but the ID matches). - Prevents ambiguous attachments by suppressing rich cards when multiple entities share the same display name. - Updates tool instructions to guide the agent on supported identifier formats.
… Builder Implements several workarounds for upstream markdown and tag parsing limitations to improve the reliability of rich entity attachments. Key changes: - Hashes entity attachment IDs to prevent special characters (like `@` or `.`) from triggering autolinks, which previously broke XML tag recognition in the markdown pipeline. - Updates skill instructions to require a blank line after `` tags, preventing trailing prose from being dropped by the parser. - Uses a global CSS `:has()` selector to inject missing spacing between the attachment panel and subsequent content. - Updates tools and tests to support deterministic, hash-based attachment IDs.
…istics Enhances the `security.get_entity` tool to fetch and embed full risk score breakdowns directly into the attachment payload, allowing the chat card to render detailed contribution tables without additional client-side round-trips. Key changes: - Server-side tool now queries the risk time-series index for both primary and resolution-group risk documents during attachment creation. - Implements a stripping utility to prune heavy fields (like `inputs` and `related_entities`) from risk records before persistence. - Updates the entity card to prefer attachment-supplied risk stats over the limited scores available in the entity store. - Introduces structural validation for embedded risk data to maintain backward compatibility with older attachments.
Prevents the entity table from becoming unreadable in narrow chat panels by enforcing a minimum width and enabling horizontal overflow instead of aggressive text wrapping. Key changes: - Wraps the entity table in a scrollable container with a 800px minimum width. - Assigns fixed widths to the Name and Sources columns to ensure content remains legible. - Disables default EUI table responsiveness to maintain the multi-column layout within the scrollable area.
…olution Improves the accuracy of rich entity cards by persisting the canonical `entity.id` from the entity store, ensuring that local users and other entities with composite names can be correctly rehydrated in the UI. Key changes: - Adds an optional `entityStoreId` field to the entity attachment schema and Zod validation. - Updates the client-side `useEntityForAttachment` hook to prioritize filtering by `entity.id` over name-based fallbacks. - Modifies `get_entity` and `search_entities` tools to extract and embed the raw `entity.id` into attachment payloads. - Maintains backward compatibility for legacy attachments by falling back to per-type identity fields (e.g., `user.name`, `host.name`).
Switches the "Last seen" column to use the top-level `@timestamp` field from the entity store record instead of `entity.lifecycle.last_activity`. This ensures that a date is always displayed even when an entity has not yet been observed in logs. Key changes: - Adds a `timestamp` field to the entity attachment schema mapping to the record's `@timestamp`. - Updates the entity table column and tooltips to use this more reliable timestamp.
Consolidate entity analytics behavior in chat: - Single entity: renders the entity card (from ea/chat-first-exp-combined) - Multiple entities: renders the entity table (from ea/chat-first-exp-combined) - Dashboard requests: renders the Entity Analytics dashboard Canvas preview (from entity-analytics-in-chat) The unified `security.entity` rich renderer handles both card/table via `security.get_entity` and `security.search_entities`. The `security.entity_analytics_dashboard` attachment handles the dashboard experience. Deprecated `security.entity_card` and `security.entity_list` attachment types (from entity-analytics-in-chat) are removed. Made-with: Cursor
Updates the skill instructions to explicitly forbid the assistant from duplicating data in prose that is already displayed in rich UI attachments (cards and tables). This streamlines responses by focusing the assistant's narrative on interpretation, trends, and recommendations rather than re-emitting field-by-field markdown blocks.
Updates the agent instructions to ensure the Entity Analytics dashboard attachment is correctly prioritized when specific "dashboard" or "overview" phrasing is used. This prevents the agent from incorrectly defaulting to a simple entities table when a full dashboard experience is requested, and mandates rendering both attachments when they are complementary.
Contributor
|
Cloud deployments require a Github label, please add |
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
…ntities Registers a rich UI definition for `security.entity` attachments in Agent Builder. This adds a Canvas (Preview) view that mounts the full Security flyout overview for hosts, users, and services, powered by a lazy-loaded Redux context. It also enhances the inline entity table with per-row navigation icons for deep-linking into the Security Solution app.
…panel Adds an EuiResizeObserver to the risk level breakdown section to stack the table and donut chart vertically when the container width is less than 500px. This ensures the dashboard remains readable when rendered in narrow contexts, such as the Canvas flyout.
Contributor
|
when i request for a ton of risk users i got this reasoning and this output Screen.Recording.2026-04-24.at.12.33.07.movlooks like there is a loop in the request using the tool Reasoning: |
Contributor
|
I am in the process of fixing a couple of failing tests and a bug I found where opening the entity flyout from the agent chat breaks the entity analytics home page |
Contributor
|
It's related to my previous comment, i think there is an issue with the recursion. Screen.Recording.2026-04-24.at.13.29.04.movAsk the agent builder:
after that ask something like this:
you will receive a recursion error: |
… ISO strings Mock values for useGlobalTime were using moment.now().valueOf() (a number) but datemath.parse() expects a string, causing TypeError: text.substring is not a function. Made-with: Cursor
Guard entity analytics home table pagination state by defaulting missing/invalid pageIndex values to 0, preventing bucket_sort from receiving a null from offset when opening deep links that only set flyout params. Made-with: Cursor
…chat Keep existing Entity Analytics home query params when navigating from Agent Builder and append the flyout param instead of replacing the full query string, so pagination/grouping/watchlist URL state is retained. Made-with: Cursor
ymao1
reviewed
Apr 24, 2026
Rebase conflict in df35c46 caused this flag to be reverted to false; restoring to true as set by elastic#263560. Made-with: Cursor
Contributor
Contributor
⏳ Build in-progress
History
|
Contributor
|
Noticed that updating entities are not reflected in the card inside the chat (screenshot after I added a new entity to the resolution group). On one hand it makes sense that the card is the snapshot at the time of the question, but it looks almost exactly like the flyout content and then it can be confusing if the states diverge too much 
|
Contributor
|
nit UX thing - user icon in the chat table is a link, while data grids use other icons to open entity flyout. probably worth being consistent 
|
Contributor
Doesn't happen with Sonnet 4.6 😅 . Easily reproducible in 4.5. FWIW, I asked the AgentBuilder team about this earlier for an unrelated issue where I was seeing similar behavior and got this reply: "Claude is clauding" |
maxcold
approved these changes
Apr 24, 2026
Contributor
maxcold
left a comment
maxcold
left a comment
There was a problem hiding this comment.
Desk tested main flows, works as expected. Added a couple of comments about UX, but they are not blocking
ymao1
approved these changes
Apr 24, 2026
Contributor
ymao1
left a comment
ymao1
left a comment
There was a problem hiding this comment.
Looks great! Some navigation related issues where the current conversation is lost but can be addressed in followups.
Contributor
|
Starting backport for target branches: 9.4 https://github.com/elastic/kibana/actions/runs/24897126332 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
smith
pushed a commit
to smith/kibana
that referenced
this pull request
Apr 24, 2026
Note: This is a combined work of elastic#264849 and elastic#264939 ## Summary Introduces a rich visual renderer for `security.entity` attachments in Agent Builder, gated behind the `entityAttachmentRichRenderer` experimental flag. Key changes: - Supports both single-entity (card) and multi-entity (table) payload shapes in the UI and server-side validation. - Updates the `security.get_entity` tool to automatically persist a `security.entity` attachment as a side effect when a single entity is resolved. ## Screenshots ### Entity Analytics Table Attachment <img width="601" height="665" alt="image" src="https://github.com/user-attachments/assets/08502c67-fb5a-4143-96d1-03a445b5fc7d" /> ### Entity Analytics Card Attachment <img width="668" height="699" alt="image" src="https://github.com/user-attachments/assets/f83fb6ab-138b-493e-9f19-9facbd533138" /> ### Entity Analytics Dashboard Attachment <img width="1221" height="826" alt="image" src="https://github.com/user-attachments/assets/dd300123-e72d-4979-8b49-ee855fb5bfbc" /> --------- Co-authored-by: YulNaumenko <jo.naumenko@gmail.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: jaredburgettelastic <jared.burgett@elastic.co>
hop-dev
added a commit
that referenced
this pull request
Apr 24, 2026
…265572) # Backport This will backport the following commits from `main` to `9.4`: - [[EA] Add Chat-First experience to Entity Analytics (#264985)](#264985) <!--- Backport version: 11.0.2 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Paulo Silva","email":"paulo.henrique@elastic.co"},"sourceCommit":{"committedDate":"2026-04-24T15:18:34Z","message":"[EA] Add Chat-First experience to Entity Analytics (#264985)\n\nNote: This is a combined work of\nhttps://github.com//pull/264849 and\nhttps://github.com//pull/264939\n\n## Summary\n\nIntroduces a rich visual renderer for `security.entity` attachments in\nAgent Builder, gated behind the `entityAttachmentRichRenderer`\nexperimental flag.\n\nKey changes:\n- Supports both single-entity (card) and multi-entity (table) payload\nshapes in the UI and server-side validation.\n- Updates the `security.get_entity` tool to automatically persist a\n`security.entity` attachment as a side effect when a single entity is\nresolved.\n\n## Screenshots\n\n### Entity Analytics Table Attachment\n\n<img width=\"601\" height=\"665\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/08502c67-fb5a-4143-96d1-03a445b5fc7d\"\n/>\n\n### Entity Analytics Card Attachment\n\n<img width=\"668\" height=\"699\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/f83fb6ab-138b-493e-9f19-9facbd533138\"\n/>\n\n### Entity Analytics Dashboard Attachment\n\n<img width=\"1221\" height=\"826\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/dd300123-e72d-4979-8b49-ee855fb5bfbc\"\n/>\n\n---------\n\nCo-authored-by: YulNaumenko <jo.naumenko@gmail.com>\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: jaredburgettelastic <jared.burgett@elastic.co>","sha":"bd98c9f51c3094a6f70c18ccfd069e344f11d15b","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:feature","Team:Cloud Security","ci:build-cloud-image","ci:cloud-deploy","Team:Entity Analytics","backport:version","v9.4.0","evals:entity-analytics","v9.5.0"],"title":"[EA] Add Chat-First experience to Entity Analytics","number":264985,"url":"https://github.com/elastic/kibana/pull/264985","mergeCommit":{"message":"[EA] Add Chat-First experience to Entity Analytics (#264985)\n\nNote: This is a combined work of\nhttps://github.com//pull/264849 and\nhttps://github.com//pull/264939\n\n## Summary\n\nIntroduces a rich visual renderer for `security.entity` attachments in\nAgent Builder, gated behind the `entityAttachmentRichRenderer`\nexperimental flag.\n\nKey changes:\n- Supports both single-entity (card) and multi-entity (table) payload\nshapes in the UI and server-side validation.\n- Updates the `security.get_entity` tool to automatically persist a\n`security.entity` attachment as a side effect when a single entity is\nresolved.\n\n## Screenshots\n\n### Entity Analytics Table Attachment\n\n<img width=\"601\" height=\"665\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/08502c67-fb5a-4143-96d1-03a445b5fc7d\"\n/>\n\n### Entity Analytics Card Attachment\n\n<img width=\"668\" height=\"699\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/f83fb6ab-138b-493e-9f19-9facbd533138\"\n/>\n\n### Entity Analytics Dashboard Attachment\n\n<img width=\"1221\" height=\"826\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/dd300123-e72d-4979-8b49-ee855fb5bfbc\"\n/>\n\n---------\n\nCo-authored-by: YulNaumenko <jo.naumenko@gmail.com>\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: jaredburgettelastic <jared.burgett@elastic.co>","sha":"bd98c9f51c3094a6f70c18ccfd069e344f11d15b"}},"sourceBranch":"main","suggestedTargetBranches":["9.4"],"targetPullRequestStates":[{"branch":"9.4","label":"v9.4.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/264985","number":264985,"mergeCommit":{"message":"[EA] Add Chat-First experience to Entity Analytics (#264985)\n\nNote: This is a combined work of\nhttps://github.com//pull/264849 and\nhttps://github.com//pull/264939\n\n## Summary\n\nIntroduces a rich visual renderer for `security.entity` attachments in\nAgent Builder, gated behind the `entityAttachmentRichRenderer`\nexperimental flag.\n\nKey changes:\n- Supports both single-entity (card) and multi-entity (table) payload\nshapes in the UI and server-side validation.\n- Updates the `security.get_entity` tool to automatically persist a\n`security.entity` attachment as a side effect when a single entity is\nresolved.\n\n## Screenshots\n\n### Entity Analytics Table Attachment\n\n<img width=\"601\" height=\"665\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/08502c67-fb5a-4143-96d1-03a445b5fc7d\"\n/>\n\n### Entity Analytics Card Attachment\n\n<img width=\"668\" height=\"699\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/f83fb6ab-138b-493e-9f19-9facbd533138\"\n/>\n\n### Entity Analytics Dashboard Attachment\n\n<img width=\"1221\" height=\"826\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/dd300123-e72d-4979-8b49-ee855fb5bfbc\"\n/>\n\n---------\n\nCo-authored-by: YulNaumenko <jo.naumenko@gmail.com>\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: jaredburgettelastic <jared.burgett@elastic.co>","sha":"bd98c9f51c3094a6f70c18ccfd069e344f11d15b"}}]}] BACKPORT--> --------- Co-authored-by: Paulo Silva <paulo.henrique@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
rbrtj
pushed a commit
to walterra/kibana
that referenced
this pull request
Apr 27, 2026
Note: This is a combined work of elastic#264849 and elastic#264939 ## Summary Introduces a rich visual renderer for `security.entity` attachments in Agent Builder, gated behind the `entityAttachmentRichRenderer` experimental flag. Key changes: - Supports both single-entity (card) and multi-entity (table) payload shapes in the UI and server-side validation. - Updates the `security.get_entity` tool to automatically persist a `security.entity` attachment as a side effect when a single entity is resolved. ## Screenshots ### Entity Analytics Table Attachment <img width="601" height="665" alt="image" src="https://github.com/user-attachments/assets/08502c67-fb5a-4143-96d1-03a445b5fc7d" /> ### Entity Analytics Card Attachment <img width="668" height="699" alt="image" src="https://github.com/user-attachments/assets/f83fb6ab-138b-493e-9f19-9facbd533138" /> ### Entity Analytics Dashboard Attachment <img width="1221" height="826" alt="image" src="https://github.com/user-attachments/assets/dd300123-e72d-4979-8b49-ee855fb5bfbc" /> --------- Co-authored-by: YulNaumenko <jo.naumenko@gmail.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: jaredburgettelastic <jared.burgett@elastic.co>
SoniaSanzV
pushed a commit
to SoniaSanzV/kibana
that referenced
this pull request
Apr 27, 2026
Note: This is a combined work of elastic#264849 and elastic#264939 ## Summary Introduces a rich visual renderer for `security.entity` attachments in Agent Builder, gated behind the `entityAttachmentRichRenderer` experimental flag. Key changes: - Supports both single-entity (card) and multi-entity (table) payload shapes in the UI and server-side validation. - Updates the `security.get_entity` tool to automatically persist a `security.entity` attachment as a side effect when a single entity is resolved. ## Screenshots ### Entity Analytics Table Attachment <img width="601" height="665" alt="image" src="https://github.com/user-attachments/assets/08502c67-fb5a-4143-96d1-03a445b5fc7d" /> ### Entity Analytics Card Attachment <img width="668" height="699" alt="image" src="https://github.com/user-attachments/assets/f83fb6ab-138b-493e-9f19-9facbd533138" /> ### Entity Analytics Dashboard Attachment <img width="1221" height="826" alt="image" src="https://github.com/user-attachments/assets/dd300123-e72d-4979-8b49-ee855fb5bfbc" /> --------- Co-authored-by: YulNaumenko <jo.naumenko@gmail.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: jaredburgettelastic <jared.burgett@elastic.co>
enriquesanchez-elastic
added a commit
that referenced
this pull request
May 4, 2026
## Summary Companion eval coverage for #264985 (merged). Adds coverage that the `security.entity` conversation attachment is persisted as a side effect of `security.get_entity` (single card) and `security.search_entities` (table), and that no attachment is persisted when an entity cannot be resolved. ### Eval harness changes - `chat_client`: fetches `/api/agent_builder/conversations/{id}/attachments` after each `converse` and surfaces them on the task output. - `evaluate_dataset`: adds `AttachmentAssertion` schema (`type`/`shape`/`entityId`/`entityType`/`minEntities`/`count`/`criteria`) and an `Attachments` evaluator alongside `Criteria` and `ToolCalls`. Deterministic match for type/shape/identifier/count; LLM judge for free-form `criteria` over the matched payload. ### New spec `evals/v2/entity_attachment_side_effect.spec.ts`: - Bulk-indexes two seeded user entities (`attach-alice`, `attach-bob`) directly into the V2 latest alias (fast path — follows `highlights_v2.ts`), so the attachment codepath activates without running the full extractor + maintainer pipeline (`beforeAll` runs in ~5s vs several minutes). - Asserts single-card (`count.min: 1`, `shape: single`), table (`shape: table`, `minEntities: 2`), and negative (`count.exact: 0`) cases. ### Config - Enables `entityAttachmentRichRenderer` in the `evals_entity_analytics_v2` Scout configSet so tool-side attachment creation is active. - Adds `@kbn/entity-store` to `tsconfig.json` `kbn_references`. - README coverage matrix and assertion docs updated. ## Test plan - [ ] Start Scout server: `node scripts/scout start-server --arch stateful --domain classic --serverConfigSet evals_entity_analytics_v2` - [ ] Run the new spec: `node scripts/playwright test --config x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/playwright.v2.config.ts x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/evals/v2/entity_attachment_side_effect.spec.ts --project="<connector>"` - [ ] Attachments column reports `mean: 1, std: 0` across all 3 examples (single, table, negative). - [ ] Confirm existing v2 specs (`entity_store_v2_{get_entity,search_entities,multi_skill}.spec.ts`) still pass — they have no `attachments` assertions, so the new evaluator must auto-pass with `score: 1`. - [ ] Verify `afterAll` teardown cleans up entity engines. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
seanrathier
pushed a commit
to seanrathier/kibana
that referenced
this pull request
May 4, 2026
…5465) ## Summary Companion eval coverage for elastic#264985 (merged). Adds coverage that the `security.entity` conversation attachment is persisted as a side effect of `security.get_entity` (single card) and `security.search_entities` (table), and that no attachment is persisted when an entity cannot be resolved. ### Eval harness changes - `chat_client`: fetches `/api/agent_builder/conversations/{id}/attachments` after each `converse` and surfaces them on the task output. - `evaluate_dataset`: adds `AttachmentAssertion` schema (`type`/`shape`/`entityId`/`entityType`/`minEntities`/`count`/`criteria`) and an `Attachments` evaluator alongside `Criteria` and `ToolCalls`. Deterministic match for type/shape/identifier/count; LLM judge for free-form `criteria` over the matched payload. ### New spec `evals/v2/entity_attachment_side_effect.spec.ts`: - Bulk-indexes two seeded user entities (`attach-alice`, `attach-bob`) directly into the V2 latest alias (fast path — follows `highlights_v2.ts`), so the attachment codepath activates without running the full extractor + maintainer pipeline (`beforeAll` runs in ~5s vs several minutes). - Asserts single-card (`count.min: 1`, `shape: single`), table (`shape: table`, `minEntities: 2`), and negative (`count.exact: 0`) cases. ### Config - Enables `entityAttachmentRichRenderer` in the `evals_entity_analytics_v2` Scout configSet so tool-side attachment creation is active. - Adds `@kbn/entity-store` to `tsconfig.json` `kbn_references`. - README coverage matrix and assertion docs updated. ## Test plan - [ ] Start Scout server: `node scripts/scout start-server --arch stateful --domain classic --serverConfigSet evals_entity_analytics_v2` - [ ] Run the new spec: `node scripts/playwright test --config x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/playwright.v2.config.ts x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/evals/v2/entity_attachment_side_effect.spec.ts --project="<connector>"` - [ ] Attachments column reports `mean: 1, std: 0` across all 3 examples (single, table, negative). - [ ] Confirm existing v2 specs (`entity_store_v2_{get_entity,search_entities,multi_skill}.spec.ts`) still pass — they have no `attachments` assertions, so the new evaluator must auto-pass with `score: 1`. - [ ] Verify `afterAll` teardown cleans up entity engines. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note: This is a combined work of #264849 and #264939
Summary
Introduces a rich visual renderer for
security.entityattachments in Agent Builder, gated behind theentityAttachmentRichRendererexperimental flag.Key changes:
security.get_entitytool to automatically persist asecurity.entityattachment as a side effect when a single entity is resolved.Screenshots
Entity Analytics Table Attachment
Entity Analytics Card Attachment
Entity Analytics Dashboard Attachment