[Response Ops] Fix single file connector auth type on edit (#244635)

## Summary

Closes #244390

## QA

0. Create a single file connector with multiple auth types.

<details>
  <summary>Webhook.patch</summary>
<pre>
diff --git
a/src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts
b/src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts
index fefd2a6..534be6c8c3f5 100644
--- a/src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts
+++ b/src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts
@@ -13,3 +13,4 @@ export * from './specs/greynoise';
 export * from './specs/shodan';
 export * from './specs/urlvoid';
 export * from './specs/virustotal';
+export * from './specs/webhook';
diff --git
a/src/platform/packages/shared/kbn-connector-specs/src/specs/webhook.ts
b/src/platform/packages/shared/kbn-connector-specs/src/specs/webhook.ts
new file mode 100644
index 000000000000..b5f1e6375ae2
--- /dev/null
+++
b/src/platform/packages/shared/kbn-connector-specs/src/specs/webhook.ts
@@ -0,0 +1,80 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V.
under one
+ * or more contributor license agreements. Licensed under the "Elastic
License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the
"Server Side
+ * Public License v 1"; you may not use this file except in compliance
with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General
Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { z } from '@kbn/zod/v4';
+import type { ConnectorSpec } from '../connector_spec';
+
+export const SingleFileWebhookConnector: ConnectorSpec = {
+  metadata: {
+    id: '.sf-webhook',
+    displayName: 'Single File Webhook',
+    description: 'demo',
+    minimumLicense: 'gold',
+    supportedFeatureIds: ['workflows'],
+  },
+
+  schema: z.object({
+    method: z
+      .enum(['GET', 'POST', 'PUT', 'PATCH', 'DELETE'])
+      .meta({
+        label: 'Method',
+      })
+      .default('POST'),
+    url: z.url().meta({ label: 'URL', placeholder: 'https://...' }),
+  }),
+
+  authTypes: ['none', 'basic', 'bearer'],
+
+  actions: {
+    submit: {
+      isTool: true,
+      input: z.object({
+        body: z.string(),
+      }),
+      handler: async (ctx, input) => {
+        try {
+          ctx.client.request({
+            method,
+            url,
+            data: input.body,
+          });
+
+          return {
+            ok: true,
+            message: 'Successfully connected to Single File Webhook',
+          };
+        } catch (error) {
+          return {
+            ok: false,
+            message: `Failed to connect: ${error}`,
+          };
+        }
+      },
+    },
+  },
+
+  test: {
+    handler: async (ctx) => {
+      try {
+        await ctx.client.get('');
+        return {
+          ok: true,
+          message: 'Successfully connected to Single File Webhook',
+        };
+      } catch (error) {
+        return {
+          ok: false,
+          message: `Failed to connect: ${error}`,
+        };
+      }
+    },
+    description: 'Verifies webhook connection alive',
+  },
+};
</pre>
</details>

1. Create a connector with an auth type that isn't the default one 
2. Open the connector to edit
3. Check that it's selecting the the auth type the connector was created
with

---------

Co-authored-by: kibanamachine <[email protected]>

Author: jcger

src/platform/packages/shared/kbn-connector-specs/src/lib/__snapshots__/generate_secrets_schema_from_spec.test.ts.snap

@@ -21,5 +21,5 @@ export const generateSecretsSchemaFromSpec = (authTypes: ConnectorSpec['authType
       z
         .discriminatedUnion('authType', [secretSchemas[0], ...secretSchemas.slice(1)])
         .meta({ label: 'Authentication' })
-    : z.object({}).default({});
+    : z.object({});
 };

src/platform/packages/shared/kbn-connector-specs/src/lib/generate_secrets_schema_from_spec.ts

@@ -0,0 +1,153 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import React from 'react';
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { z } from '@kbn/zod/v4';
+import { Form, useForm } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib';
+import { addMeta } from '../../../schema_connector_metadata';
+import { MultiOptionUnionWidget } from './multi_option_union_widget';
+
+describe('MultiOptionUnionWidget - Serializer/Deserializer Integration', () => {
+  // Simulates a connector schema with secrets discriminated union
+  const createSchema = () => {
+    const noneOption = z.object({ authType: z.literal('none') });
+    addMeta(noneOption, { label: 'None' });
+
+    const basicOption = z.object({
+      authType: z.literal('basic'),
+      username: z.string(),
+      password: z.string(),
+    });
+    addMeta(basicOption, { label: 'Basic Auth' });
+
+    const bearerOption = z.object({
+      authType: z.literal('bearer'),
+      token: z.string(),
+    });
+    addMeta(bearerOption, { label: 'Bearer Token' });
+
+    return z.object({
+      config: z.object({
+        url: z.string(),
+        authType: z.string().optional(),
+      }),
+      secrets: z.discriminatedUnion('authType', [noneOption, basicOption, bearerOption]),
+    });
+  };
+
+  // Simulates the deserializer that reconstructs secrets from config
+  const deserializer = (apiData: any) => {
+    if (!apiData?.config?.authType || apiData.secrets?.authType) {
+      return apiData;
+    }
+
+    // Reconstruct secrets from config.authType
+    return {
+      ...apiData,
+      secrets: { authType: apiData.config.authType },
+    };
+  };
+
+  // Simulates the serializer that copies authType to config
+  const serializer = (formData: any) => {
+    if (!formData?.secrets?.authType) {
+      return formData;
+    }
+
+    return {
+      ...formData,
+      config: {
+        ...formData.config,
+        authType: formData.secrets.authType,
+      },
+    };
+  };
+
+  const TestComponent = ({ initialData }: { initialData: any }) => {
+    const schema = createSchema();
+    const { form } = useForm({
+      defaultValue: initialData,
+      serializer,
+      deserializer,
+    });
+
+    return (
+      <Form form={form}>
+        <MultiOptionUnionWidget
+          path="secrets"
+          options={schema.shape.secrets.options}
+          discriminatorKey="authType"
+          schema={schema.shape.secrets}
+          fieldConfig={{
+            defaultValue: undefined,
+            validations: [{ validator: () => undefined }],
+          }}
+          fieldProps={{ label: 'Authentication', euiFieldProps: {} }}
+          formConfig={{}}
+        />
+        <button
+          type="button"
+          onClick={async () => {
+            const { data } = await form.submit();
+            // Expose serialized data for testing
+            (window as any).serializedData = data;
+          }}
+        >
+          Submit
+        </button>
+      </Form>
+    );
+  };
+
+  beforeEach(() => {
+    (window as any).serializedData = undefined;
+  });
+
+  it('should initialize from async form data (deserializer)', async () => {
+    const apiData = {
+      config: { url: 'https://example.com', authType: 'basic' },
+      secrets: {}, // Secrets are stripped by API
+    };
+
+    render(<TestComponent initialData={apiData} />);
+
+    await waitFor(() => {
+      const basicCard = screen.getByLabelText('Basic Auth');
+      expect(basicCard).toBeChecked();
+    });
+  });
+
+  it('should not overwrite user selection when form re-renders (ref flag pattern)', async () => {
+    const apiData = {
+      config: { url: 'https://example.com', authType: 'basic' },
+      secrets: {},
+    };
+
+    const { rerender } = render(<TestComponent initialData={apiData} />);
+
+    await waitFor(() => {
+      expect(screen.getByLabelText('Basic Auth')).toBeChecked();
+    });
+
+    await userEvent.click(screen.getByLabelText('Bearer Token'));
+
+    await waitFor(() => {
+      expect(screen.getByLabelText('Bearer Token')).toBeChecked();
+    });
+
+    // simulating parent re-render
+    rerender(<TestComponent initialData={apiData} />);
+
+    await waitFor(() => {
+      expect(screen.getByLabelText('Bearer Token')).toBeChecked();
+    });
+  });
+});

src/platform/packages/shared/response-ops/form-generator/src/widgets/components/discriminated_union_widget/multi_option_union_widget.serializer.test.tsx

@@ -7,8 +7,9 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import React, { useState } from 'react';
+import React, { useState, useEffect, useRef } from 'react';
 import { EuiCheckableCard, EuiFormFieldset, EuiSpacer, EuiTitle } from '@elastic/eui';
+import { useFormData, useFormContext } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib';
 import { addMeta, getMeta } from '../../../schema_connector_metadata';
 import {
   getDiscriminatorFieldValue,
@@ -81,10 +82,31 @@ export const MultiOptionUnionWidget: React.FC<DiscriminatedUnionWidgetProps> = (
   fieldProps,
   formConfig,
 }) => {
-  const defaultOption = getDefaultOption(options, discriminatorKey, fieldConfig);
-  const [selectedOption, setSelectedOption] = useState(() =>
-    getDiscriminatorFieldValue(defaultOption, discriminatorKey)
-  );
+  const [selectedOption, setSelectedOption] = useState(() => {
+    const defaultOption = getDefaultOption(options, discriminatorKey, fieldConfig);
+    return getDiscriminatorFieldValue(defaultOption, discriminatorKey);
+  });
+
+  const [formData] = useFormData();
+  const { setFieldValue } = useFormContext();
+
+  const hasInitializedFromFormData = useRef(false);
+  const discriminatorValueFromForm = formData[rootPath]?.[discriminatorKey] as string | undefined;
+  const discriminatorFieldPath = `${rootPath}.${discriminatorKey}`;
+
+  useEffect(() => {
+    if (discriminatorValueFromForm && !hasInitializedFromFormData.current) {
+      setSelectedOption(discriminatorValueFromForm);
+      hasInitializedFromFormData.current = true;
+      return;
+    }
+
+    // After initialization: Sync selectedOption changes back to form data
+    // This happens when user clicks a different option
+    if (hasInitializedFromFormData.current && discriminatorValueFromForm !== selectedOption) {
+      setFieldValue(discriminatorFieldPath, selectedOption);
+    }
+  }, [discriminatorFieldPath, discriminatorValueFromForm, selectedOption, setFieldValue]);
 
   const isFieldsetDisabled = formConfig.disabled || getMeta(schema).disabled;
 

src/platform/packages/shared/response-ops/form-generator/src/widgets/components/discriminated_union_widget/multi_option_union_widget.tsx

@@ -6,10 +6,14 @@
  */
 
 import type { ConnectorSpec } from '@kbn/connector-specs';
-import { z as z4 } from '@kbn/zod/v4';
+import { z } from '@kbn/zod/v4';
 
 import type { ActionTypeConfig, ValidatorType } from '../../types';
 
 export const generateConfigSchema = (
   schema: ConnectorSpec['schema']
-): ValidatorType<ActionTypeConfig> => ({ schema: schema ?? z4.object({}) });
+): ValidatorType<ActionTypeConfig> => {
+  const authType = z.string().optional();
+  const configSchema = schema ? schema.extend({ authType }) : z.object({ authType });
+  return { schema: configSchema };
+};

x-pack/platform/plugins/shared/actions/server/lib/single_file_connectors/generate_config_schema.ts

@@ -0,0 +1,157 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { z } from '@kbn/zod/v4';
+import {
+  createConnectorFormSerializer,
+  createConnectorFormDeserializer,
+} from './connector_form_serializers';
+
+describe('createConnectorFormSerializer', () => {
+  it('should copy authType from secrets to config', () => {
+    const serializer = createConnectorFormSerializer();
+    const formData = {
+      config: { url: 'https://example.com' },
+      secrets: { authType: 'basic', username: 'user', password: 'pass' },
+    };
+
+    const result = serializer(formData);
+
+    expect(result.config.authType).toBe('basic');
+    expect(result.secrets.authType).toBe('basic');
+  });
+
+  it('should return data unchanged when secrets.authType is missing', () => {
+    const serializer = createConnectorFormSerializer();
+    const formData = {
+      config: { url: 'https://example.com' },
+      secrets: {},
+    };
+
+    const result = serializer(formData);
+
+    expect(result).toEqual(formData);
+    expect(result.config.authType).toBeUndefined();
+  });
+
+  it('should overwrite existing config.authType if secrets.authType exists', () => {
+    const serializer = createConnectorFormSerializer();
+    const formData = {
+      config: { url: 'https://example.com', authType: 'old' },
+      secrets: { authType: 'bearer', token: 'xyz' },
+    };
+
+    const result = serializer(formData);
+
+    expect(result.config.authType).toBe('bearer');
+  });
+
+  it('should handle undefined formData', () => {
+    const serializer = createConnectorFormSerializer();
+
+    const result = serializer(undefined);
+
+    expect(result).toBeUndefined();
+  });
+});
+
+describe('createConnectorFormDeserializer', () => {
+  const commonApiData = {
+    actionTypeId: 'test-connector',
+    isDeprecated: false,
+  };
+
+  const createTestSchema = () => {
+    return z.object({
+      config: z.object({
+        url: z.string(),
+        authType: z.string().optional(),
+      }),
+      secrets: z.discriminatedUnion('authType', [
+        z.object({ authType: z.literal('none') }),
+        z.object({ authType: z.literal('basic'), username: z.string(), password: z.string() }),
+        z.object({ authType: z.literal('bearer'), token: z.string() }),
+      ]),
+    });
+  };
+
+  it('should copy authType from config to secrets when editing', () => {
+    const schema = createTestSchema();
+    const deserializer = createConnectorFormDeserializer(schema);
+    const apiData = {
+      ...commonApiData,
+      config: { url: 'https://example.com', authType: 'basic' },
+      secrets: {},
+    };
+
+    const result = deserializer(apiData);
+
+    expect(result.secrets.authType).toBe('basic');
+    expect(result.config.authType).toBe('basic');
+  });
+
+  it('should return data unchanged when config.authType is missing', () => {
+    const schema = createTestSchema();
+    const deserializer = createConnectorFormDeserializer(schema);
+    const apiData = {
+      ...commonApiData,
+      config: { url: 'https://example.com' },
+      secrets: {},
+    };
+
+    const result = deserializer(apiData);
+
+    expect(result).toEqual(apiData);
+    expect(result.secrets.authType).toBeUndefined();
+  });
+
+  it('should return data unchanged when secrets.authType already exists', () => {
+    const schema = createTestSchema();
+    const deserializer = createConnectorFormDeserializer(schema);
+    const apiData = {
+      ...commonApiData,
+      config: { url: 'https://example.com', authType: 'basic' },
+      secrets: { authType: 'bearer', token: 'xyz' },
+    };
+
+    const result = deserializer(apiData);
+
+    expect(result).toEqual(apiData);
+    expect(result.secrets.authType).toBe('bearer');
+  });
+
+  it('should handle schema without discriminated union gracefully', () => {
+    const schema = z.object({
+      config: z.object({ url: z.string() }),
+      secrets: z.object({ token: z.string() }),
+    });
+    const deserializer = createConnectorFormDeserializer(schema);
+    const apiData = {
+      ...commonApiData,
+      config: { url: 'https://example.com', authType: 'basic' },
+      secrets: {},
+    };
+
+    const result = deserializer(apiData);
+
+    expect(result).toEqual(apiData);
+  });
+
+  it('should handle errors', () => {
+    const invalidSchema = {} as z.ZodObject<z.ZodRawShape>;
+    const deserializer = createConnectorFormDeserializer(invalidSchema);
+    const apiData = {
+      ...commonApiData,
+      config: { url: 'https://example.com', authType: 'basic' },
+      secrets: {},
+    };
+
+    const result = deserializer(apiData);
+
+    expect(result).toEqual(apiData);
+  });
+});