bugfix: apply exemplars hint end-to-end and fix safety cap bypass

[zhxiaogg]

What this PR does:

Two bugs in exemplars hint handling (with(exemplars=true|false|N)):

1. Safety cap bypass: hint value in CompileMetricsQueryRange was not checked against maxExemplars, allowing users to exceed the max limit.

2. Hint only affected per-shard collection: the frontend combiner always used the config-level MaxExemplars, so the hint never bounded the total exemplars in the final result.

Fix by moving hint resolution into normalizeRequestExemplars at the frontend handler, where req.Exemplars is set once and flows through the sharder, combiner, and backend uniformly.

Which issue(s) this PR fixes:
Fixes CVE-2026-27878

Checklist

• Tests updated
• Documentation added
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

[oleg-kozlyuk-grafana]

Worth testing the exception cases, as per annotations

[tempo-ci-app]

The backport to release-v2.10 failed:

error cherry-picking: error running git cherry-pick: error running command 'git cherry-pick -x b13f74291d489672601a10297f8fbcbf7dd19192'
error: exit status 1
stdout: Auto-merging CHANGELOG.md
CONFLICT (content): Merge conflict in CHANGELOG.md
Auto-merging modules/frontend/metrics_query_range_handler.go
CONFLICT (content): Merge conflict in modules/frontend/metrics_query_range_handler.go
Auto-merging modules/frontend/metrics_query_range_handler_test.go
CONFLICT (content): Merge conflict in modules/frontend/metrics_query_range_handler_test.go
Auto-merging pkg/traceql/engine_metrics.go
CONFLICT (content): Merge conflict in pkg/traceql/engine_metrics.go
Auto-merging pkg/traceql/engine_metrics_test.go
CONFLICT (content): Merge conflict in pkg/traceql/engine_metrics_test.go

stderr: error: could not apply b13f74291... bugfix: apply exemplars hint end-to-end and fix safety cap bypass (#6559)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

To backport manually, run these commands in your terminal:

git fetch
git switch --create backport-6559-to-release-v2.10 origin/release-v2.10
git cherry-pick -x b13f74291d489672601a10297f8fbcbf7dd19192

Resolve the conflicts, then add the changes and run git cherry-pick --continue:

git add . && git cherry-pick --continue

If you have the GitHub CLI installed:

git push --set-upstream origin backport-6559-to-release-v2.10
PR_BODY=$(gh pr view 6559 --json body --template 'Backport b13f74291d489672601a10297f8fbcbf7dd19192 from #6559{{ "\n\n---\n\n" }}{{ index . "body" }}')
echo "${PR_BODY}" | gh pr create --title '[release-v2.10] bugfix: apply exemplars hint end-to-end and fix safety cap bypass' --body-file - --label 'backport' --label '' --base release-v2.10 --web

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

git push --set-upstream origin backport-6559-to-release-v2.10

And open a pull request where the base branch is release-v2.10 and the compare/head branch is backport-6559-to-release-v2.10