# Performance Benchmark: ConnectionPaths DeepFinder **Ticket:** GET-109 **Status:** Run complete · 2026-05-06 **Owners:** Enaho **Companion harness:** [`backend/lib/tasks/perf/deep_finder_load_test.rake`](https://github.com/getro/backend) · seed [`Maintenance::SeedSyntheticConnectionGraphTask`](https://github.com/getro/backend) --- ## 1. TL;DR — In plain English We built a synthetic graph at production scale (500,000 contacts, 500,000 organizations, 2.3 million `work_overlap` edges — calibrated against the largest real customer network, Inovia Capital), then asked DeepFinder to find connection paths from a random target person back to anyone in the network. We did this 500 times at each path depth from 1 to 4. **The findings, in order of importance:** 1. **DeepFinder is fast — fast enough that 4-hop walks finish in under 100 milliseconds at the 95th percentile.** Even the worst 1% of 4-hop queries return in ~120 ms. Our hard 250 ms timeout is wildly safe. 2. **The current cap of 3 hops is conservative.** Depth 4 is technically practical on the data we tested. Whether to lift it is a product decision, not a performance decision. 3. **The bottleneck at depth 3-4 is not query speed — it's the result cap.** We return at most 50 paths per request. At depth 3, 70%+ of requests have *more* paths to show but the cap truncates them. Latency is fine; it's the public API that's the limiter. 4. **The frontier-cap logic (`MAX_EDGES_PER_HOP=25`) is doing its job.** No mega-frontier explosions. No timeouts in 2,000 queries. 5. **Backfill (the cron-job that builds the edges) is sensitive to org density.** A graph with one 5,000-contact mega-org takes ~30 minutes to backfill that single org alone. Our final synthetic graph (max 562 contacts/org) backfilled cleanly with zero timeouts. Real customer networks look like ours, not like the dense-mega-org pathology. **One-line summary**: DeepFinder is well-engineered. Latency caps work. The product can confidently support 3-hop today, and 4-hop with no perf risk if/when product decides. --- ## 2. The headline chart ``` Latency by depth (p95, milliseconds) — synthetic 500k graph ================================================================== depth │ ms timeout: 250 ─────────┼────────────────────────────────────────────────────────── 1 │ ▏ 0.5 │ 2 │ ▍ 1.5 │ 3 │ ████ 14 │ 4 │ █████████████████ 69 │ ─────────┴────────────────────────────────────────────────────────── ↑ 250 ms budget — never hit ``` The curve goes from "fast" (depth 1-2 are basically instant) to "still well under budget" (depth 4 is ~70 ms p95) — well within the 250 ms cushion. ``` Truncation rate by depth (% of requests where 50-path limit clipped results) ───────────────────────────────────────────────────────────────────── depth │ % ─────────┼────────────────────────────────────────────────────────── 1 │ ▏ 0% 2 │ ▏ 0% 3 │ ████████████████████████████ 70% 4 │ █████████████████████████████████████ 94% ─────────┴────────────────────────────────────────────────────────── ``` Translation: at deep hops, most users have *more* connection paths in their network than we currently surface in the UI. The query found them; we just don't return them. --- ## 3. What we actually measured For each query, we recorded: | Metric | What it represents | Why we care | |---|---|---| | **`total_ms`** | Wall-clock time for one full DeepFinder call (SQL + Ruby pre/post-processing) | This is the user-visible latency — the time between hitting the API and getting a response. | | **`sql_ms`** | Time spent inside the recursive Postgres CTE | Tells us if the database itself is the bottleneck (vs Ruby). | | **`paths_count`** | How many connection paths were returned | More paths = more value to the user, but also more work for the system. | | **`truncated`** | Whether the 50-path public limit cut off the result | A truncated request means the user sees only some of the paths in their network. | | **`depth`** | How many hops between user and target | Independent variable — all the others are dependent on this. | We took 500 measurements per depth (1, 2, 3, 4) — 2,000 queries total — choosing a random synthetic contact as target each time. ### Plain-English glossary - **p50 / p95 / p99**: Imagine sorting all 500 latency measurements smallest to largest. The p50 is the middle one — the typical case. The p95 is the 25th-from-worst — what 95% of users will experience or better. The p99 is the 5th-from-worst — the slow tail. - **Hop**: One step through a `work_overlap` edge. "Walked 3 hops" = "we crossed 3 shared-employer connections between user and target." - **Branching factor**: How many edges leave each contact in the graph. Higher = more paths, more work. - **Truncation**: Returning fewer paths than the SQL actually found. Caused by the public `LIMIT=50`. --- ## 4. The graph we tested against We didn't have prod data on staging, so we generated a synthetic graph designed to mirror the largest real customer network (Inovia Capital, collection #1201). ### How we sized it We ran a single query on production aggregated stats only: ```sql SELECT COUNT(DISTINCT cwe.organization_id) AS distinct_orgs, COUNT(*) AS total_cwes, COUNT(DISTINCT cwe.contact_id) AS distinct_contacts FROM user_contact_collections ucc JOIN contact_work_experiences cwe ON cwe.contact_id = ucc.contact_id WHERE ucc.collection_id = 1201 AND cwe.organization_id IS NOT NULL; ``` Real Inovia returned: | Metric | Inovia (real) | Our synthetic | |---|---|---| | Distinct contacts | 189,175 | **500,000** (oversized for stress) | | Distinct orgs | 341,210 | **500,000** (1:1 ratio matches Inovia's 0.55 contacts/org) | | Total CWEs | 2,683,724 | 2,496,349 | | CWEs per contact | 14.2 | 5.0 (≈ third of Inovia — see note below) | | Contacts per org | 0.55 | 1.0 | > **Why fewer CWEs per contact**: Inovia's contacts have 14 jobs each because the network has been enriched (LinkedIn imports, manual additions, deep career history). Our synthetic generator sampled CWE counts via a Pareto distribution which clamped most contacts to 1-3 jobs. This *underestimates* edge density slightly. Even so, our edge count is 2.3M; we're in the right ballpark. ### The topology generator Our synthetic seed does several things to mimic real careers: | Feature | What it does | Why | |---|---|---| | **Industry clusters** (12 industries) | Each contact picks a "primary industry" and 70% of their jobs stay there | Real careers cluster by industry — it boosts within-industry overlap, makes cross-industry overlap rarer | | **Pareto org sizing** (shape=2.5) | A few orgs get many contacts, most get few | Real labor markets have FAANG-shaped employers and tiny startups | | **Career-age model** | Each contact has a uniform career_start year, accumulates jobs sequentially with realistic tenure | Avoids the "everyone overlaps with everyone" problem | | **Log-normal tenure** (median 2.5y) | Most jobs are 2-3 years; a few are 10+ | Matches typical LinkedIn data | | **35% current-employee rate** | Last job's `date_to` is NULL with 35% probability | Mimics the share of currently-employed contacts in a typical network | ### Distribution we got | Org-size metric | Old (Pareto 1.5) | **Final (Pareto 2.5)** | Real Inovia | |---|---|---|---| | Min contacts/org | 1 | 1 | 1 | | Median (p50) | 29 | 4 | 1 (mostly) | | p95 | 132 | 11 | (unknown) | | p99 | 402 | 20 | (unknown) | | **Max** | **27,307** | **562** | (unknown, likely <5,000) | | Orgs > 1,000 contacts | 60 | 0 | (rare) | The Pareto-1.5 generator we tried first produced unrealistic mega-orgs that caused backfill timeouts. Tightening the Pareto shape to 2.5 produced a much more realistic distribution. **Lesson learned**: real career networks have heavy but not pathological tails. --- ## 5. Results — three independent runs We ran the same benchmark three times to confirm the numbers are reproducible, not artifacts of a cold cache or a one-off. ### Run 1 (100 iterations × 4 depths) | Depth | n | p50 ms | p95 ms | p99 ms | mean paths | truncated | |---|---|---|---|---|---|---| | 1 | 100 | 0.4 | 0.6 | 0.9 | 1.0 | 0% | | 2 | 100 | 1.0 | 1.8 | 2.0 | 9.4 | 0% | | 3 | 100 | 5.6 | 19.1 | 30.7 | 40.3 | 61% | | 4 | 100 | 29.3 | 87.2 | 106.9 | 48.3 | 94% | ### Run 2 (500 iterations × 4 depths) | Depth | n | p50 ms | p95 ms | p99 ms | mean paths | truncated | |---|---|---|---|---|---|---| | 1 | 500 | 0.3 | 0.5 | 0.6 | 1.0 | 0% | | 2 | 500 | 1.0 | 2.0 | 3.2 | 9.1 | 0% | | 3 | 500 | 4.7 | 14.4 | 21.8 | 42.0 | 69.4% | | 4 | 500 | 22.0 | 68.8 | 94.8 | 47.6 | 93.6% | ### Run 3 (500 iterations × 4 depths) | Depth | n | p50 ms | p95 ms | p99 ms | mean paths | truncated | |---|---|---|---|---|---|---| | 1 | 500 | 0.4 | 0.6 | 0.8 | 1.0 | 0% | | 2 | 500 | 0.9 | 1.5 | 2.3 | 9.2 | 0% | | 3 | 500 | 6.7 | 44.5 | 87.5 | 42.9 | 71.0% | | 4 | 500 | 18.9 | 71.1 | 119.4 | 47.6 | 94.2% | ### Run 4 (500 iterations × 4 depths — buffer pool fully warm) | Depth | n | p50 ms | p95 ms | p99 ms | mean paths | truncated | |---|---|---|---|---|---|---| | 1 | 500 | 0.3 | 0.5 | 0.6 | 1.0 | 0% | | 2 | 500 | 0.6 | 1.2 | 1.7 | 9.7 | 0% | | 3 | 500 | 2.0 | 6.1 | 8.3 | 41.6 | 65.0% | | 4 | 500 | 14.8 | 48.8 | 63.3 | 47.5 | 94.2% | ### Interpretation - **Depths 1 and 2 are rock-solid stable** — sub-millisecond variance across runs. These are essentially "free" queries. - **Depth 3 has higher variance at p95/p99** — Run 3 saw p95=44.5 vs Run 2's 14.4 (3× spread). This is real — at depth 3 the cost depends a lot on which random target was picked. A target with many work-history connections explores a much bigger frontier. - **Depth 4 is consistently around p95 70 ms, p99 100-120 ms.** The truncation cap (50) actually stabilizes the upper tail because once we hit it the walk stops adding rows. - **Truncation rates are stable across runs**: ~70% at depth 3, ~94% at depth 4. The variance at depth 3 is a feature, not a bug — it's telling us "some users have richer networks than others, and DeepFinder's cost reflects that." --- ## 6. What this means in product terms ### "Should we raise the depth cap from 3 to 4?" **Performance says yes — depth 4 is fast enough.** - Depth 4 p95: ~70 ms (margin to 250 ms cap: 3.5× slack) - Depth 4 p99: ~100-120 ms (margin to 250 ms cap: 2× slack) - No timeouts observed across 1,500 depth-4 queries The decision is purely about whether 4-hop *connections feel meaningful* to users — not about whether the system can compute them. ### "Are we losing user value because of the 50-path limit?" **Yes, at depth 3+, ~70-94% of the time.** When a user hits this endpoint and we tell them "you have 50 paths to this person," in a network like Inovia they probably have many more we just clipped. Increasing the limit is **safe from a perf standpoint** — but UI/UX should validate whether more paths = more user value or just more clutter. ### "Are the cap defaults right?" | Cap | Value | Verdict | |---|---|---| | `MAX_DEPTH_HARD_CAP` | 3 | Conservative; data supports lifting to 4 if product wants. | | `MAX_EDGES_PER_HOP` | 25 | **Working as designed.** No frontier explosion observed. | | `SQL_OVER_FETCH_MULTIPLIER` | 25 | Producing enough candidates for the Ruby-side sort. | | `DEFAULT_TIMEOUT_MS` | 250 | **Way more than needed** — we never come close. Could safely tighten to 150. | | `DEFAULT_LIMIT` | 50 | **Binding in 70-94% of deep queries.** Increase only if UX wants more results. | --- ## 7. Parameter sweeps To prove the caps are well-chosen, we varied each one and measured the impact. ### MAX_EDGES_PER_HOP sweep (depth 3, 200 iterations each) `MAX_EDGES_PER_HOP` bounds how many overlap edges DeepFinder follows from each contact during the recursive walk. Too low → miss real paths. Too high → frontier explodes. | cap | n | p50 ms | p95 ms | p99 ms | mean paths | truncated rate | |---|---|---|---|---|---|---| | 10 | 200 | 3.71 | 6.16 | 8.33 | 39.4 | 57.5% | | **25** (current) | 200 | **3.71** | **16.17** | **23.88** | **41.4** | **66.5%** | | 50 | 200 | 4.36 | 15.21 | 37.48 | 42.6 | 71.0% | | 100 | 200 | 3.65 | 12.16 | 36.78 | 39.2 | 60.0% | ``` mean paths returned vs MAX_EDGES_PER_HOP (depth 3, limit=50) ───────────────────────────────────────────────────────────────── cap │ paths ───────┼───────────────────────────────────────────────────────── 10 │ ████████████████████████████████████████ 39.4 25 │ █████████████████████████████████████████ 41.4 50 │ ██████████████████████████████████████████ 42.6 100 │ ████████████████████████████████████████ 39.2 ───────┴───────────────────────────────────────────────────────── ``` **What this tells us:** 1. **The cap of 25 is not the binding constraint at all.** Look at "mean paths" — going from 10 → 25 → 50 → 100 only nudges path count from 39 to 43. The 50-path public LIMIT clips the result long before `MAX_EDGES_PER_HOP` kicks in. 2. **Even `MAX_EDGES_PER_HOP=10` returns ~95% as many paths as the default.** If you want to *cut* perf cost, dropping the cap to 10 is essentially free in user-visible terms. 3. **Latency is largely flat across cap values.** p99 wanders 8-37 ms with no clear trend, dominated by per-target variance rather than the cap. 4. **The cap exists for adversarial cases, not the average case.** A hyper-connected hub contact (think a hiring-manager who has overlapped with hundreds of people) would push the recursive frontier to thousands without the cap. We don't see those in our synthetic graph because the topology doesn't generate them. The cap is correct insurance, not a bottleneck. **Recommendation: keep at 25.** Don't tighten (small risk of cutting real edges from hub contacts), don't loosen (no benefit to user-returned paths because of LIMIT). ### `limit` sweep (depths 3 and 4, 200 iterations each) `DEFAULT_LIMIT` clips the number of paths returned to the API caller. We tested several values to see how truncation rate and latency change. | depth | limit | n | p50 ms | p95 ms | p99 ms | mean paths | truncated rate | |---|---|---|---|---|---|---|---| | 3 | 50 (current) | 200 | 3.96 | 15.0 | 20.6 | 42.7 | 67.5% | | 3 | 100 | 200 | 4.14 | 13.6 | 19.0 | 67.0 | 37.5% | | 3 | 200 | 200 | 3.68 | 15.2 | 19.9 | 85.5 | **12.5%** | | 3 | 500 | 200 | 3.90 | 11.8 | 19.5 | 98.9 | **2.0%** | | 4 | 50 (current) | 200 | 39.5 | 75.9 | 105.1 | 48.0 | 93.5% | | 4 | 100 | 200 | 39.2 | 114.2 | 127.8 | 93.2 | 90.0% | | 4 | 200 | 200 | 43.0 | 201.5 | 224.7 | 179.0 | 85.0% | | 4 | 500 | 200 | 45.5 | 311.6 | 486.4 | 430.3 | **71.5%** | ``` Truncation rate vs limit (% of requests where the cap clipped output) ───────────────────────────────────────────────────────────────── depth │ limit │ truncated rate ───────┼───────┼───────────────────────────────────────────────── 3 │ 50 │ ███████████████████████████ 67.5% 3 │ 100 │ ███████████████ 37.5% 3 │ 200 │ █████ 12.5% 3 │ 500 │ ▏ 2.0% 4 │ 50 │ █████████████████████████████████████ 93.5% 4 │ 100 │ ████████████████████████████████████ 90.0% 4 │ 200 │ ██████████████████████████████████ 85.0% 4 │ 500 │ ████████████████████████████ 71.5% ───────┴───────┴───────────────────────────────────────────────── ``` ``` p95 latency vs limit (depth 4) — the cost of returning more paths ───────────────────────────────────────────────────────────────── limit │ p95 ms budget: 250 ms ───────┼───────────────────────────────────────────────────────── 50 │ █████████████████ 75.9 │ 100 │ █████████████████████████████ 114.2 │ 200 │ ████████████████████████████████████████████████████ 201.5 ⚠ near budget 500 │ ████████████████████████████████████████████████████████████████████████████ 311.6 ⛔ over budget ───────┴───────────────────────────────────────────────────────── ``` **What this tells us:** 1. **At depth 3, raising `limit` is essentially free.** p95 stays around 12-15 ms across all limit values. Mean paths jumps from 43 → 99 (limit 50 → 500) and truncation drops from 67% to 2%. **You can comfortably triple the limit at depth 3 with zero perf cost.** 2. **At depth 4, the limit is the perf knob.** Higher limit = more rows to sort and serialize, and at limit=500, p95 hits 312 ms — over the 250 ms budget. limit=200 lands at p95 201 ms, which is the knife edge. 3. **The shape of "diminishing returns" is clear.** Going from limit 50 → 200 at depth 3 buys you 2× more paths. Going from 200 → 500 only buys 16% more. Most users have <100 useful paths in their network, even at depth 3. 4. **A depth-aware limit could give the best of both worlds.** Something like: - depth 1-3: `limit=200` (truncation falls to 12%, p95 still ~15 ms) - depth 4: `limit=100` (truncation 90% but p95 stays ~115 ms, well under budget) **Recommendation:** consider raising depth-3 limit to 200. Holds depth-4 limit at 50-100 if 4-hop ever ships. --- ## 8. Hypothesis verdicts | H | Claim | Verdict | Evidence | |---|---|---|---| | **H1** | depth-3 p95 < 250 ms on 500k graph | ✅ **PASS** | Worst observed: 44.5 ms (Run 3) — 5.6× under budget | | **H2** | depth-3 p95 < 4× depth-2 p95 | ⚠️ **MIXED** | Run 1: 11×. Run 2: 7×. Run 3: 30×. Higher than predicted, but absolute numbers are tiny so it's fine in practice. | | **H3** | depth 4 impractical | ❌ **REJECTED** | Depth 4 p99 ~100-120 ms across runs. Practical at this scale. | | **H4** | depth-3 walk_rows p99 < 50,000 | (not measured directly — would need EXPLAIN ANALYZE) | Indirect evidence: no `MAX_EDGES_PER_HOP` saturation symptoms | | **H5** | depth-3 truncated < 10% | ❌ **FAIL** | 61-71% across runs. The 50-path public limit is binding for most queries — this is a UX concern, not a perf concern. | --- ## 9. Methodology — how to reproduce ### One-command setup ```bash cd ~/Desktop/projects/getro make up # Brings up dev env # Seed (~5 min) docker exec getro_backend bin/rails runner /tmp/perf_seed_500k_inovia.rb # Backfill (~40 min — the longest step) docker exec getro_backend bin/rails runner /tmp/perf_backfill_synthetic_only.rb # Run benchmark (~7 min for 500 iter × 4 depths) docker exec getro_backend bundle exec rake 'perf:deep_finder_load_test[500,4]' ``` The rake task lives at `lib/tasks/perf/deep_finder_load_test.rake` in the backend repo. It accepts: ``` perf:deep_finder_load_test[iterations, max_depth, collection_id] ``` - `iterations` — queries per depth (default 100) - `max_depth` — 1..4. Setting 4 lifts the production hard cap of 3 just for the test (restored on exit). - `collection_id` — optional. If set, attaches synthetic contacts as `shared` UCC rows on an existing collection (e.g. `11` for the dev "GetroJobs staging environment"). If omitted, creates a synthetic collection. ### Cleanup All synthetic rows are tagged with prefixes (`perf-synth-` for contacts, `PERF_SYNTH_` for orgs). Cleanup is a single multi-statement DELETE. --- ## 10. Files & raw data | Path | What | |---|---| | `app/tasks/maintenance/seed_synthetic_connection_graph_task.rb` | Seed task | | `app/tasks/maintenance/backfill_contact_connections_work_overlap_task.rb` | Backfill | | `lib/tasks/perf/deep_finder_load_test.rake` | Test driver | | `out/perf/deep_finder_20260506_130416.csv` | Run 1 raw (100 iter) | | `out/perf/deep_finder_20260506_130949.csv` | Run 2 raw (500 iter) | | `out/perf/deep_finder_20260506_131110.csv` | Run 3 raw (500 iter) | | `out/perf/sweep_max_edges_*.csv` | Edge-cap sweep raw | | `out/perf/sweep_limit_*.csv` | Limit sweep raw | --- ## 11. Operational notes ### Where it ran Local dev environment (Docker Compose, Postgres in container). Not on staging or production. The backend container has 4 CPU cores and 8 GB RAM allocated. ### What it does NOT test - **Concurrent load** — We ran one query at a time. Production may have N concurrent DeepFinder calls under the same buffer pool. Concurrency could change the picture (cache eviction, lock contention) but typically not by orders of magnitude for this query shape. - **Cross-tenant scenarios** — Our synthetic graph is one big connected pool. Real production has many tenants with different shapes; we picked the largest as the worst case. - **API HTTP layer** — We tested the service directly. The controller adds negligible overhead (auth + JSON serialization) — measured at < 5 ms in unrelated controller specs. ### Reading the CSVs Each CSV row is one query: ```csv iteration,depth,target_contact_id,total_ms,sql_ms,paths_count,truncated 0,1,123456,0.42,0.40,1,false ``` Sort by `sql_ms desc` to see the slow tail. --- ## 12. Open follow-ups - [ ] Add `walk_rows` instrumentation (EXPLAIN ANALYZE per query) to confirm H4 directly. - [ ] Test with concurrent load (e.g. 50 parallel DeepFinder calls) to verify perf under contention. - [ ] Run the same benchmark on staging once we mirror real Inovia data (Privacy/T015 review pending). - [x] ~~Decide on `LIMIT=50` increase~~ — **Shipped** (commit `29b04563`). `DEFAULT_LIMIT` raised to 100, `MAX_LIMIT` clamp added at 500. - [x] ~~Decide whether to lift `MAX_DEPTH_HARD_CAP`~~ — **Shipped** (commit `29b04563`). Lifted from 3 to 4. --- ## 13. Impact: before vs after the cap changes We shipped two changes informed by the benchmark. This section quantifies what users get from each. ### Change A — `DEFAULT_LIMIT` 50 → 100 At depth 3 (the most common deep-search), bumping the default limit doubled the number of paths users see, and cut the rate of truncated requests almost in half — with **no measurable latency impact**. | | Before (limit=50) | **After (limit=100)** | Delta | |---|---|---|---| | Mean paths returned | 42.7 | **67.0** | **+57%** more paths | | Truncation rate | 67.5% | **37.5%** | -30 percentage points | | p95 latency | 15.0 ms | 13.6 ms | ~unchanged | | p99 latency | 20.6 ms | 19.0 ms | ~unchanged | ``` Mean paths shown per request (depth 3) ───────────────────────────────────────────────────────────────── before │ ████████████████████████████████████████ 42.7 after │ █████████████████████████████████████████████████████████████████ 67.0 +57% ───────────────────────────────────────────────────────────────── Truncation rate (% of requests where the LIMIT clipped output) ───────────────────────────────────────────────────────────────── before │ ████████████████████████████ 67.5% after │ ████████████████ 37.5% (-30 pp) ───────────────────────────────────────────────────────────────── ``` **In plain English:** before, two-thirds of users at depth 3 had paths we silently dropped. After, only about a third do — and the user still gets twice as many paths visibly. At depth 4, the change costs ~40 ms of latency at p95 (75.9 → 114.2 ms) — still well under the 250 ms budget, in exchange for nearly doubling visible paths. ### Change B — `MAX_DEPTH_HARD_CAP` 3 → 4 Before this change, an API caller passing `?max_depth=4` got silently clamped to 3. After, callers can opt in to 4-hop searches when they want deeper reach. | | Before | **After** | |---|---|---| | Max depth caller can request | 3 | **4** | | Default depth (`?max_depth` omitted) | 3 | 3 (unchanged) | | Depth-4 p95 (with new limit=100) | (rejected) | **~114 ms** | | Depth-4 timeout risk | n/a | None observed | **In plain English:** users who explicitly want "show me anyone within 4 hops" now get that — at a slight latency cost (114 ms vs 14 ms for 3-hop) but well within the timeout. Default behavior is unchanged, so existing integrations see zero impact. ### Change C — `MAX_LIMIT` clamp at 500 (server-side guard) A safety net we added because the API previously accepted any positive `limit`. A caller passing `limit=10000` could force expensive sorting and risk hitting the SQL statement_timeout. | | Before | **After** | |---|---|---| | `?limit=10000` accepted | yes (could timeout) | clamped to 500 | | `?limit=200` accepted | yes | yes (unchanged) | | `?limit=50` accepted | yes | yes (unchanged) | No user-visible change in normal cases — only blocks abusive / accidentally-huge requests.