Phase 2 of the 150-200 component robustness work. Adds a per-tenant
series budget so a noisy tenant cannot exhaust the global TSDB
cardinality pool and starve siblings of fresh series.

Behavior is opt-in to preserve back-compat:
  - METRIC_MAX_CARDINALITY (existing, default 10000) — global series cap.
  - METRIC_MAX_CARDINALITY_PER_TENANT (new, default 0=unlimited) — when
    set, each tenant gets its own series budget.
  - Per-tenant cap is checked FIRST; global cap is the backstop.
  - Per-tenant overflow buckets are tenant-scoped (key suffix |<tenant>)
    so each tenant's overflow stats stay separate.

Telemetry surface change:
  - TSDBCardinalityOverflow (Counter) — kept for back-compat dashboards.
  - TSDBCardinalityOverflowByTenant (CounterVec, label tenant_id) — new.
    Sentinel "__global__" when the global cap (not per-tenant) triggered.
    Lets operators identify noisy tenants:
        sum by (tenant_id) (
          rate(otelcontext_tsdb_cardinality_overflow_by_tenant_total[5m])
        )

Aggregator API:
  - SetCardinalityLimit signature changed to (global, perTenant int,
    onOverflow func(tenantID string)). Sole external caller (main.go) is
    updated. Old single-arg callback shape is gone.
  - flush() resets seriesPerTenant alongside the buckets map so each
    new window starts every tenant with a fresh budget.

Tests cover: zero-config baseline, global-only legacy behavior, per-tenant
fairness (tenant A exhausts budget, tenant B unaffected), per-tenant
overflow buckets stay separate (no merge regression), flush resets
counts, both caps coexist with correct precedence, default behavior
unchanged when only global is set, overflow bucket stat accumulation.
8 tests, all pass under -race; full suite (13 packages) green.

Docs updated in CLAUDE.md (env-var section) and docs/OPERATIONS.md
(defaults section + new alert query under Observability).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>