feat(alerts): configurable email templates with HTML sanitization

[pescn]

Background

The current alert email dispatcher (alertDispatcher.ts) uses a hardcoded HTML template with manual escapeHtml() for output encoding. This works for the current plain-text-into-template approach but limits customization.

From PR #67 review feedback (@koitococo):

• Consider using a template engine like EJS
• Consider using DOMPurify for HTML sanitization
• Make email templates a configurable item

Requirements

Template Engine

• Integrate a template engine (EJS, Handlebars, or similar) for email rendering
• Store email templates in the settings table (JSONB) with sensible defaults
• Provide template variables: ruleName, ruleType, message, currentValue, threshold, details

HTML Sanitization

• If templates allow user-authored HTML, use DOMPurify (with jsdom for server-side) to sanitize rendered output
• Current escapeHtml() is correct for plain-text insertion; DOMPurify is needed when users can write arbitrary HTML in templates

Admin UI

• Add a template editor in Settings > Alerts or Settings > Grafana
• Preview rendered template with sample data
• Reset to default template option

Considerations

• Template validation before save (must compile without errors)
• Avoid breaking existing email delivery if template is malformed (fall back to default)
• Consider separate templates per alert rule type (budget, error_rate, latency, quota)

References

• PR feat: add Grafana integration and alert system #67 review: koitococo's comments on alertDispatcher.ts
• Current implementation: backend/src/services/alertDispatcher.ts (dispatchEmail)