Handle policy_rejected status (Anthropic April 4 billing change)

- anthropic-teams.js: detect HTTP 400 extra-usage policy blocks, return
  status='policy_rejected' with quota headers still readable
- report.js: display policy_rejected as CRITICAL with 'POLICY BLOCKED' label
- getSeverity: treat policy_rejected as critical

Currently the direct API (used by monitor) returns 200; pi's OAuth path
returns 400. This fix future-proofs against the block extending to direct
API calls, and correctly classifies the status if it does.

Refs: trentuna/commons#17, trentuna/token-monitor#4

report.js

@@ -10,6 +10,7 @@
 export function getSeverity(provider) {
   if (provider.type === 'teams-direct') {
     if (provider.status === 'rejected') return 'critical';
+    if (provider.status === 'policy_rejected') return 'critical';
     if (provider.utilization_7d > 0.85) return 'warning';
     if (provider.utilization_5h > 0.7) return 'warning';
     return 'ok';
@@ -99,6 +100,8 @@ export function generateReport(result) {
     if (p.type === 'teams-direct') {
       if (p.status === 'invalid_key') {
         detail = 'Invalid API key (401)';
+      } else if (p.status === 'policy_rejected') {
+        detail = `POLICY BLOCKED — 7d: ${pct(p.utilization_7d)} | extra-usage billing required`;
       } else if (p.status === 'rejected') {
         const resetIn = formatDuration(p.reset_in_seconds);
         detail = `MAXED — 7d: ${pct(p.utilization_7d)} | resets in ${resetIn}`;