Anomaly rules

Anomaly detects a deviation of the current value from a baseline (mean + σ stddev) over a window with an offset.

Fields

metric — a bare metric name (PromQL expressions are not supported — a buffer against operator-precedence surprises)
baseline_window — the window for mean/stddev (1h..7d)
baseline_offset — how far back to look at the baseline (5m..30d). 7d = "the same time a week ago".
sigma — how many σ to trigger (3 conservative, 2 jumpy, 5 "only when it's on fire")
direction — above / below / either

PromQL is synthesized as:

(metric - avg_over_time(metric[W] offset O)) > sigma * stddev_over_time(metric[W] offset O)

The store filters server-side, and the Go side receives only the anomalous samples.