feat: add bounded memory protection for session store

## Summary

The in-memory session store (`internal/session/store.go`) has no limits on the number of sessions or messages per session. A misbehaving client could exhaust server memory.

## What to add

- **Max sessions**: configurable limit (e.g., 1000), reject new sessions with an error when exceeded or evict LRU
- **Max messages per session**: configurable limit (e.g., 200 messages), trigger compaction or truncation when exceeded
- **Session ID validation**: currently truncated to 64 chars; consider restricting to alphanumeric + hyphens

## Related

- Deferred from PR #51 (Kimi review finding #2)
- Part of #5 (Memory and context persistence)
- Max messages limit is a prerequisite for context compaction (#5 Phase 3)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add bounded memory protection for session store #52

Summary

What to add

Related

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

feat: add bounded memory protection for session store #52

Description

Summary

What to add

Related

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions