feat: adaptive anomaly detection engine — per-session cost spikes, frequency alerts, configurable multipliers (closes #301) #353

Open
vivekchand wants to merge 1 commit into main from fix/gh-clawmetry-301-anomaly-detection-engine
@vivekchand
Owner

Closes #301

What

Upgrades the anomaly detection engine from a single daily-cost check to a full adaptive multi-signal detection system that fires alerts (Telegram + webhook + dashboard banner) when agent behavior deviates from rolling baselines.

New detection signals

| Signal | Default threshold | Alert destination |
|---|---|---|
| Daily cost spike | >2x 7-day average | banner + Telegram + webhook |
| Per-session cost spike | >2x rolling 7-day session avg | banner + Telegram + webhook |
| Session frequency spike | >5x typical daily session count | banner + Telegram + webhook |

Configurable thresholds

All multipliers are now user-configurable in the Alert Rules → Webhook Config UI:

  • Daily cost spike multiplier (default: 2.0x)
  • Per-session cost spike multiplier (default: 2.0x)
  • Session frequency spike multiplier (default: 5.0x)
  • Toggle alerts per signal type independently

Alert routing

All anomaly signals route through the existing _dispatch_configured_webhooks() and _fire_alert() pipeline — so they reach Slack, Discord, generic webhooks, and Telegram automatically based on existing config.

How

  • _detect_per_session_cost_spikes(): Reuses _compute_session_cost_anomalies() output, fires _fire_alert + webhook for sessions in the last 2h that exceed N×rolling avg
  • _detect_session_frequency_anomaly(): Counts sessions per day from transcript analytics, alerts when today exceeds N×7-day avg
  • Both called from _budget_monitor_loop() (runs every 60s, with cooldown deduplication via rule_id)
  • _default_alerts_webhook_config(): Extended with 5 new keys; all persisted via existing config file
  • API /api/alerts/webhook: allowed-keys allowlist updated to include new multiplier fields
  • UI: Alert Rules tab gets new checkboxes + multiplier inputs for session/frequency anomaly detection
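
Added example, not code from this pull request or the project: a sketch of the per-session cost check and the session-frequency check against rolling 7-day baselines, with `rule_id` cooldown de-duplication as outlined in the description above. The function names, the one-hour cooldown, the minimum-history guard, the choice to exclude the recent 2h window from the baseline, and the sample data are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

class CooldownGate:
    """Drops repeat alerts for one rule_id inside the cooldown window."""
    def __init__(self, cooldown_s=3600):  # cooldown length is an assumption
        self.cooldown, self.last = timedelta(seconds=cooldown_s), {}

    def allow(self, rule_id, now):
        seen = self.last.get(rule_id)
        if seen is not None and now - seen < self.cooldown:
            return False
        self.last[rule_id] = now
        return True

def session_cost_spikes(sessions, now, mult=2.0, recent_h=2, base_days=7, min_n=5):
    """sessions: (session_id, ended_at, cost). Returns rule_ids of recent spikes."""
    recent = now - timedelta(hours=recent_h)
    oldest = now - timedelta(days=base_days)
    # Baseline excludes the recent window so a spike cannot raise its own threshold.
    base = [c for _, t, c in sessions if oldest <= t < recent]
    if len(base) < min_n or mean(base) <= 0:
        return []  # too little history: no baseline, no alert
    limit = mult * mean(base)
    return [f"session_cost:{sid}" for sid, t, c in sessions if t >= recent and c > limit]

def frequency_spike(daily, today, mult=5.0, base_days=7):
    """daily: {date: session_count}. Returns a rule_id or None."""
    prior = [daily.get(today - timedelta(days=d), 0) for d in range(1, base_days + 1)]
    avg = mean(prior)
    if avg > 0 and daily.get(today, 0) > mult * avg:
        return f"session_frequency:{today.isoformat()}"
    return None

def monitor_tick(sessions, daily, now, gate):
    """One pass of the periodic loop: detect, then de-duplicate by rule_id."""
    found = session_cost_spikes(sessions, now)
    freq = frequency_spike(daily, now.date())
    if freq:
        found.append(freq)
    return [rid for rid in found if gate.allow(rid, now)]

# Constructed sample data: 7 days of ordinary sessions, then one expensive one.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SESSIONS = [(f"s{d}", NOW - timedelta(days=d), 0.10) for d in range(1, 8)]
SESSIONS += [("s-ok", NOW - timedelta(minutes=50), 0.15),
             ("s-hot", NOW - timedelta(minutes=30), 0.50)]
DAILY = {NOW.date() - timedelta(days=d): 4 for d in range(1, 8)}
DAILY[NOW.date()] = 25
```

With a 60s loop, the gate is what keeps the same spiking session from re-alerting on every tick until it ages out of the 2h window.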


Development

Successfully merging this pull request may close these issues.

feat: Anomaly detection engine — alert when cost/token usage deviates from baseline
