
Anomaly detection: unusual stream creation burst and abnormally high settle rates per tenant #132

@greatest0fallt1me

Rule-based and metric thresholds for anomalous stream and settlement activity

## Description

Add lightweight, first-party anomaly rules: for example, more than N new streams per hour per tenant, or a sudden spike in settle or escrow-unlock attempts. This is not full machine learning; it is a set of guardrails that limits the blast radius of early fraud, abuse, or bugs. Output alerts and an optional hold flag for manual review.

## Requirements and context

- Metrics in Prometheus/Datadog; rolling windows (1h, 24h).
- Rules live in the repo as code and are tunable per environment.
- False-positive playbook: how to snooze or allowlist a tenant during an incident.
- Privacy: rules operate on aggregates; keep PII out of the alert body where avoidable.
- Tests for rule evaluation on synthetic time series.

## Suggested execution

1. `git checkout -b feature/anomaly-stream-spike`
2. Add a worker or scheduled query; start with 2–3 high-signal rules.
3. PR with an example PromQL expression and alert.
4. Security review: the rules must not be used to freeze user funds unilaterally without a documented policy.
5. Optional: reference a follow-up issue for ML-based detection.
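To make the rule semantics concrete (rolling 1h/24h windows per tenant, `>N` thresholds, a hold flag, a snooze for incident handling, and evaluation over a synthetic time series), here is an added, self-contained example of a rule evaluator. It is illustrative code written for this issue, not StreamPay's implementation; the rule names, thresholds, event kinds and tenant names are assumptions, and the event stream is constructed sample data, not real traffic.

```python
"""Lightweight per-tenant anomaly rules over a rolling window (hypothetical example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Rule:
    name: str            # rule id, e.g. "stream_create_burst_1h" (assumed name)
    event: str           # event kind counted, e.g. "stream.create" (assumed name)
    window: timedelta    # rolling window; the issue mentions 1h and 24h
    threshold: int       # fire when the windowed count exceeds this (> N)
    hold: bool = False   # also flag the tenant for manual review, never an automatic freeze


@dataclass(frozen=True)
class Alert:
    rule: str
    tenant: str
    count: int           # aggregate only: no user, stream or payment identifiers
    at: datetime
    hold: bool


class TenantAnomalyDetector:
    """Counts events per (rule, tenant) in a sliding window; events must arrive in time order."""

    def __init__(self, rules, snoozed=None):
        self.rules = list(rules)
        self.snoozed = dict(snoozed or {})      # tenant -> snooze expiry (the false-positive play)
        self._windows = defaultdict(deque)      # (rule name, tenant) -> timestamps inside window
        self._breached = set()                  # (rule name, tenant) above threshold; fire once per breach

    def snooze(self, tenant, until):
        self.snoozed[tenant] = until

    def _is_snoozed(self, tenant, now):
        until = self.snoozed.get(tenant)
        return until is not None and now < until

    def observe(self, tenant, event, ts):
        """Record one event and return the alerts it triggers (usually none)."""
        alerts = []
        for rule in self.rules:
            if rule.event != event:
                continue
            key = (rule.name, tenant)
            win = self._windows[key]
            win.append(ts)
            cutoff = ts - rule.window
            while win and win[0] <= cutoff:     # drop events that fell out of the window
                win.popleft()
            count = len(win)
            if count <= rule.threshold:
                self._breached.discard(key)     # re-arm the rule once activity drops
                continue
            if key in self._breached or self._is_snoozed(tenant, ts):
                continue
            self._breached.add(key)
            alerts.append(Alert(rule.name, tenant, count, ts, rule.hold))
        return alerts


# Assumed starter rules; thresholds would be tuned per environment in practice.
RULES = [
    Rule("stream_create_burst_1h", "stream.create", timedelta(hours=1), 20),
    Rule("settle_spike_1h", "settle", timedelta(hours=1), 50, hold=True),
    Rule("escrow_unlock_24h", "escrow.unlock", timedelta(hours=24), 10, hold=True),
]

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def synthetic_events():
    """Constructed sample series: a steady baseline for two tenants for 24h, then a
    stream-creation burst from "acme", a settle spike from "beta", and a few
    escrow unlocks from "gamma" that stay under threshold."""
    events = []
    for minute in range(0, 24 * 60, 10):                      # 6 streams/hour per tenant
        for tenant in ("acme", "beta"):
            events.append((tenant, "stream.create", T0 + timedelta(minutes=minute)))
    burst = T0 + timedelta(hours=24)
    for i in range(30):                                       # acme: 30 streams in 15 minutes
        events.append(("acme", "stream.create", burst + timedelta(seconds=30 * i)))
    for i in range(60):                                       # beta: 60 settles in 10 minutes
        events.append(("beta", "settle", burst + timedelta(seconds=10 * i)))
    for i in range(5):                                        # gamma: 5 unlocks, below the 24h limit
        events.append(("gamma", "escrow.unlock", burst + timedelta(minutes=i)))
    return sorted(events, key=lambda e: e[2])


def run(events, snoozed=None):
    """Replay a time-ordered event list through the detector and collect alerts."""
    det = TenantAnomalyDetector(RULES, snoozed)
    alerts = []
    for tenant, event, ts in events:
        alerts.extend(det.observe(tenant, event, ts))
    return alerts


if __name__ == "__main__":
    for a in run(synthetic_events()):
        print(f"{a.rule} tenant={a.tenant} count={a.count} hold={a.hold} at={a.at.isoformat()}")
```

Replaying the constructed series fires exactly two alerts: the acme stream burst (count 21, no hold) and the beta settle spike (count 51, hold set), while the baseline traffic and gamma's unlocks stay silent; snoozing beta for the incident suppresses its alert without touching acme's. The same window/threshold logic maps directly onto a `increase(...[1h]) > N` style PromQL expression when the rules are implemented as a scheduled query instead of an in-process worker.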

## Test and commit

- Run the full test suite; add or update tests until the agreed coverage bar is met.
- Cover the edge cases listed in this issue; document any intentional exclusions with a brief rationale in the PR.
- Include relevant test output (e.g. the test runner summary) or a link to a passing CI run in the pull request.
- Add security notes for auth, keys, PII, chain settlement, or money movement (assumptions verified, out-of-scope items).

Example commit message

feat(security): add anomaly rules for stream and settlement spikes per tenant

Guidelines

- Target: at least 95% coverage on new or meaningfully changed code (per the repo's standard tooling).
- Documentation: update contributor-facing or API documentation where a reviewer would be blocked without it.
- Timeframe: 96 hours to ready-for-review (surface blockers early).

Metadata

Assignees: No one assigned
Labels: area-operations, domain-fraud, priority-p3, type-observability
Type: Task
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests