#6616: Control UI: daily activity dashboard

Adds an **Activity** tab to the Control UI with: - **Date range**: 7 / 14 / 30 day presets and refresh - **Token usage**: input, output, total tokens and estimated cost (`usage.cost`) - **Incoming channels**: activity grouped by channel from sessions - **Memory**: session count and metadata (`sessions.list`) - **Security findings**: shallow audit results via new `security.audit` gateway RPC (config + channel security only; no filesystem or deep probe) **Changes:** - New Activity tab in navigation and app state - `ui/controllers/activity.ts`: loads usage.cost, sessions.list, security.audit - `ui/views/activity.ts`: dashboard UI with date selector and sections - `src/gateway/server-methods/security.ts`: `security.audit` RPC for dashboard - `app.loadActivity(days?)` wired in app.ts; `refreshActiveTab` loads activity when tab is Activity Tools-used section is a placeholder for follow-up. Made with [Cursor](https://cursor.com) <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This PR adds an **Activity** tab to the Control UI and wires it into navigation and tab refresh. The new UI view renders a date-range selector (7/14/30 days), token/cost usage from the existing `usage.cost` RPC, session-derived channel breakdown and recent session metadata from `sessions.list`, and a new shallow security audit section. On the gateway side, it introduces a new `security.audit` RPC (`src/gateway/server-methods/security.ts`) and registers it in the gateway method list and handler dispatch (`src/gateway/server-methods-list.ts`, `src/gateway/server-methods.ts`). The audit is explicitly shallow (`deep: false`, `includeFilesystem: false`) to support the dashboard. Main issues found are around Activity tab state/load concurrency (rapid preset clicks can lead to UI/data mismatch) and the date range not actually applying to the sessions/channel sections, plus a couple of small correctness/robustness items (duplicate branch in USD formatting, uncached potentially expensive security audit endpoint). <h3>Confidence Score: 3/5</h3> - This PR is reasonably safe to merge, but has a couple of user-visible correctness issues in the Activity tab behavior. - The gateway method registration and UI wiring are straightforward, but the Activity tab’s load concurrency guard combined with immediate state mutation can produce UI/data mismatches on rapid date changes, and the sessions/channel sections don’t respect the selected date range. These are likely to be noticed and should be addressed before merge for dashboard correctness. - ui/src/ui/app-render.ts, ui/src/ui/controllers/activity.ts, ui/src/ui/views/activity.ts, src/gateway/server-methods/security.ts <!-- greptile_other_comments_section --> _{(3/5) Reply to the agent's comments like "Can you suggest a fix for this @greptileai?" or ask follow-up questions!} <!-- /greptile_comment -->