[Anthropic] remap audit.updates to flattened type, update documentation

[vinit-chauhan]

Proposed commit message

anthropic: remap audit.updates to flattened type

The `anthropic.audit.updates` field was mapped as `keyword`, but the
Compliance API actually returns an array of setting-change objects,
each containing `type`, `previous_value`, and `current_value`. Indexing
this nested structure into a `keyword` field caused mapping conflicts
and dropped the per-setting before/after values.

Remap the field to `flattened` so the array-of-objects payload is
indexed intact and remains queryable. Update the pipeline test fixtures
and expected output to reflect the real object shape.

Also refresh the manifest and README descriptions to reference Claude's
Compliance API and document the agentless deployment option.

Bump the package version to 0.3.0.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• Confirm flattened is the desired type for anthropic.audit.updates (vs. a typed nested/object mapping) given expected query patterns.
• Replace the placeholder changelog link (https://github.com/elastic/integrations/pull/1) with the real PR number.
• Verify the README/manifest wording referencing "Claude's Compliance API" matches current product branding.

How to test this PR locally

cd packages/anthropic

# Validate the package builds and field mappings are consistent
elastic-package build
elastic-package check

# Run the audit pipeline tests against the updated fixtures
elastic-package test pipeline --data-streams audit

Confirm the admin_api_key_updated and claude_user_settings_updated test events now index anthropic.audit.updates as an array of objects (type/previous_value/current_value) with no mapping errors.

Related issues

• Closes [Anthropic] Branding, copy, agentless deployment, and field mapping fixes #19378

Screenshots

[infra-vault-gh-plugin-prod]

Pinging @elastic/integration-experience (Team:Integration-Experience)

[github-actions]

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

[elastic-vault-github-plugin-prod]

✅ All changelog entries have the correct PR link.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 28f7d9c

[qcorporation]

@jamiehynds do you want the version to be bumped to 1.0.0 ?

[vera-review-bot]

👀 I have started reviewing the PR

[vera-review-bot]

Vera Review Bot

For the current commit state, I did not find any issues.

---

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

[mergify]

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

• Queue this pull request