[CPS][Exceptions] - Exceptions should consider scope #258674
Description
Summary
On the exceptions flow in Security Solution, the chrome-level CPS (cross-project search) picker is not aligned with how field suggestions are resolved. When CPS is enabled and the user’s effective scope includes linked projects, fields that exist only on those linked indices do not appear in the suggestion list when building an exception.
Users can still enter the field name manually and save the exception, so workflows are not blocked, but the experience is misleading and harder to use because the UI implies a narrower field catalog than the data the user can actually target under CPS.
Requirements
- CPS picker on exceptions page and rule details
- The exceptions experience should surface the chrome-level CPS picker in a read-only state so users can see the same CPS context that applies when suggesting or validating fields.
- Field suggestions respect CPS scope
- Field autocomplete / suggestions for exceptions should reflect the effective CPS scope (including linked projects when that scope is active), so fields from indices visible only via linked projects appear alongside fields from the origin project where applicable.
- Non-blocking behavior preserved
- Manual entry of field names must continue to work as today; this issue is about parity of suggestions and clarity of context, not new validation rules.
Acceptance criteria (product-level)
- Exceptions UI shows the CPS picker in read-only form.
- With CPS enabled and linked projects in scope, field suggestions for exceptions include fields from linked-project indices that match the effective scope.
- Users who rely on manual field entry are unaffected.