keyviz: clamp HistoryColumns to MaxHistoryColumns upper bound

Round-1 review fix for PR #651 (Gemini medium):

newRingBuffer pre-allocates a slice of capacity HistoryColumns at
construction. A misconfiguration like --keyvizHistoryColumns=100000000
(operator typo) would reserve gigabytes upfront and likely OOM the
node before the heatmap returned its first column.

Add MaxHistoryColumns = 100_000 (~70 days at 60s Step) and clamp
opts.HistoryColumns in NewMemSampler so excessive values silently
land at the cap instead of being trusted as-is. The cap lives in the
keyviz package (next to the existing Default* constants) because the
risk is a property of the data structure, not the caller.

Operators wanting longer retention should use the Phase 3 persistence
path (per-Raft-group `!admin|keyviz|*` namespace) — not a giant
in-memory ring.

Test TestHistoryColumnsClampedAboveMax confirms both above-cap input
clamps to MaxHistoryColumns and exactly-at-cap input is preserved.

Author: bootjp

keyviz/sampler.go

@@ -82,6 +82,15 @@ const (
 	DefaultMaxMemberRoutesPerSlot = 256
 )
 
+// MaxHistoryColumns is the upper bound on opts.HistoryColumns. The
+// ring buffer pre-allocates a slice of capacity HistoryColumns at
+// construction; misconfiguration (e.g. an operator typo of
+// 100_000_000) would otherwise reserve gigabytes up front. 100 000
+// columns at the default 60s Step is ~70 days of history — longer
+// retention is the Phase 3 persistence path's job, not the in-memory
+// ring's.
+const MaxHistoryColumns = 100_000
+
 // MemSamplerOptions configures NewMemSampler. Zero values fall back to
 // the Default* constants above; passing a struct literal with only the
 // fields you care about is the expected call style.
@@ -303,6 +312,9 @@ func NewMemSampler(opts MemSamplerOptions) *MemSampler {
 	if opts.HistoryColumns <= 0 {
 		opts.HistoryColumns = DefaultHistoryColumns
 	}
+	if opts.HistoryColumns > MaxHistoryColumns {
+		opts.HistoryColumns = MaxHistoryColumns
+	}
 	if opts.MaxTrackedRoutes <= 0 {
 		opts.MaxTrackedRoutes = DefaultMaxTrackedRoutes
 	}

keyviz/sampler_test.go

@@ -869,6 +869,31 @@ func TestNonPositiveOptionsFallBackToDefaults(t *testing.T) {
 	}
 }
 
+// TestHistoryColumnsClampedAboveMax pins the upper bound on
+// HistoryColumns. The ring buffer pre-allocates a slice of capacity
+// HistoryColumns at construction; an operator typo (e.g.
+// 100_000_000) would otherwise reserve gigabytes up front. Confirm
+// that values above MaxHistoryColumns are silently clamped to
+// MaxHistoryColumns instead of trusted as-is.
+func TestHistoryColumnsClampedAboveMax(t *testing.T) {
+	t.Parallel()
+	s, _ := newTestSampler(t, MemSamplerOptions{
+		Step:           time.Second,
+		HistoryColumns: MaxHistoryColumns * 10,
+	})
+	if s.opts.HistoryColumns != MaxHistoryColumns {
+		t.Fatalf("HistoryColumns clamp = %d, want %d", s.opts.HistoryColumns, MaxHistoryColumns)
+	}
+	// At the cap exactly: preserved.
+	s2, _ := newTestSampler(t, MemSamplerOptions{
+		Step:           time.Second,
+		HistoryColumns: MaxHistoryColumns,
+	})
+	if s2.opts.HistoryColumns != MaxHistoryColumns {
+		t.Fatalf("HistoryColumns at cap = %d, want %d", s2.opts.HistoryColumns, MaxHistoryColumns)
+	}
+}
+
 // TestStepAccessor pins the Step() accessor contract: returns the
 // configured Step (after defaulting) for a constructed sampler, and
 // returns DefaultStep for a typed nil so callers wiring RunFlusher