feat: streamline Elastic authentication to use only API key and update docs

[WashingtonKK]

Fixes #3785

This fixes the elastic integration by making the following adjustments:

• Restricts auth to API key and removes basic auth
• Updates documentation to be concise and straightforward
• Fixed the validation bug where an Elastic integration could appear ready even if the API key could not create Kibana connectors.

Screencast.from.2026-03-30.12-16-41.webm

---

Note

Medium Risk
Moderate risk because it changes Elastic integration configuration (removing basic auth) and rewires trigger provisioning/cleanup logic for Kibana connectors and case-status polling, which could impact existing installations and alert routing.

Overview
Elastic integration auth is now API-key only. The authType/basic-auth configuration fields and logic are removed, apiKey is required, and docs/instructions are updated accordingly.

Kibana validation is hardened. ValidateKibana now verifies connector create + delete permissions by creating a temporary validation connector and deleting it, preventing integrations from showing as ready when connector management is forbidden.

Trigger provisioning behavior is updated. When Alert Fires now schedules an internal action to locate the shared webhook connector by URL, attach/update it on the selected rule (and detach from any previous rule), and cleans up by detaching on trigger removal; EnsureKibanaRuleHasConnector now updates mismatched action params instead of no-op. When Case Status Changes shifts from provisioning a Kibana query rule to periodic polling of the cases API and emitting elastic.case.status.changed on detected status transitions. On Document Indexed now finds the shared connector by webhook URL (not by connector name) before creating its Kibana rule.

Webhook handler responsibilities are narrowed. The Elastic webhook handler now only manages shared connector creation/reuse and secret sync, no longer attaching/detaching connectors to specific Kibana rules. Tests are updated/added to cover the new flows and legacy tag payload parsing (comma-separated tags).

^{Reviewed by Cursor Bugbot for commit 8bdaa53. Bugbot is set up for automated code reviews on this repo. Configure here.}

[superplanehq-integration]

👋 Commands for maintainers:

• /sp start - Start an ephemeral machine (takes ~30s)
• /sp stop - Stop a running machine (auto-executed on pr close)

[WashingtonKK]

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}