From 8071edf50f6611c8374e68a7ff3c6bb70052906a Mon Sep 17 00:00:00 2001
From: Bruno Carvalho <bruno.cs.soares@gmail.com>
Date: Sun, 21 Jun 2026 23:40:02 -0300
Subject: [PATCH] fix: harden trace context propagation and collector ingest

---
 addons/observability/observability.go    |  19 +-
 docs/engineering/architecture.md         |  12 +-
 docs/product/requirements.md             |   4 +-
 docs/product/roadmap.md                  |  13 +-
 docs/reference/observability.md          |  33 ++-
 docs/reference/realtime.md               |   4 +
 docs/reference/tracing.md                |  45 +++-
 runtime/trace/collector.go               | 238 ++++++++++++++++---
 runtime/trace/collector_internal_test.go |  43 ++++
 runtime/trace/span.go                    |   3 +-
 runtime/trace/trace_test.go              | 276 ++++++++++++++++++++++-
 runtime/trace/tracer.go                  |   5 +-
 runtime/trace/types.go                   | 161 ++++++++++++-
 13 files changed, 787 insertions(+), 69 deletions(-)
 create mode 100644 runtime/trace/collector_internal_test.go

diff --git a/addons/observability/observability.go b/addons/observability/observability.go
index aebc27a8..75362842 100644
--- a/addons/observability/observability.go
+++ b/addons/observability/observability.go
@@ -3,6 +3,8 @@
 package observability
 
 import (
+	"time"
+
 	"github.com/cssbruno/gowdk"
 	gowdktrace "github.com/cssbruno/gowdk/runtime/trace"
 )
@@ -21,9 +23,22 @@ func Addon() gowdk.Addon {
 	return gowdk.NewAddon("observability", gowdk.FeatureObservability)
 }
 
+// CollectorOption configures a Collector.
+type CollectorOption = gowdktrace.CollectorOption
+
 // NewCollector creates a bounded in-memory trace collector.
-func NewCollector(limit int) *Collector {
-	return gowdktrace.NewCollector(limit)
+func NewCollector(limit int, options ...CollectorOption) *Collector {
+	return gowdktrace.NewCollector(limit, options...)
+}
+
+// WithCollectorSSELimit configures the collector's concurrent SSE stream cap.
+func WithCollectorSSELimit(limit int) CollectorOption {
+	return gowdktrace.WithCollectorSSELimit(limit)
+}
+
+// WithCollectorIngestRate configures the collector's per-client POST rate.
+func WithCollectorIngestRate(limit int, window time.Duration) CollectorOption {
+	return gowdktrace.WithCollectorIngestRate(limit, window)
 }
 
 // NewTracer creates a dependency-free tracer.
diff --git a/docs/engineering/architecture.md b/docs/engineering/architecture.md
index 75e43ff4..9e25a34c 100644
--- a/docs/engineering/architecture.md
+++ b/docs/engineering/architecture.md
@@ -65,13 +65,13 @@ nacked-batch backoff options while adapters retain durable retry and
 dead-letter policy ownership.
 
 `runtime/trace` provides the first dependency-free GOWDK Trace core. It owns
-W3C-compatible trace/span IDs, `traceparent` propagation, context spans,
+W3C-compatible trace/span IDs, bounded `traceparent`/`tracestate` propagation, context spans,
 GOWDK surface/lane/source metadata, attributes, events, status, sampling,
 console/JSONL/ring/multi/exporter sinks, and a bounded in-process JSON/SSE
-collector. Generated app auto-instrumentation, durable storage, a browser trace
-viewer, and concrete OTLP transport are later integration work. Debug-gated
-generated instrumentation now covers backend, SSR/load, contract, browser, and
-island lanes through `addons/observability`.
+collector with hardened browser ingest. Durable storage and concrete production
+telemetry backends are app-owned integration work. Debug-gated generated
+instrumentation now covers backend, SSR/load, contract, browser, and island
+lanes through `addons/observability`.
 
 Still partial: broad local client-side reactivity, richer hybrid streaming and
 data refresh, non-HTTP revalidation, generated worker/cron binary scaffolding,
@@ -209,7 +209,7 @@ manifest report (`internal/lang/testdata/manifest_golden`).
 | `runtime/security` | Runtime-safe security text helpers. | Runtime | Provides conservative secret-like text redaction for generated app panic/error logging without importing compiler-private `internal/` packages. |
 | `runtime/testkit` | Generated audit test helpers. | Runtime | Provides small `httptest` helpers used by generated `gowdk_audit_test.go` files and `gowdk audit --run` to verify route status, method rejection, and configured response headers in-process against generated app handlers. |
 | `runtime/contracts` | Typed contract registry and in-process dispatch. | Runtime | Implemented for queries, commands, backend-owned domain and integration events, presentation events, jobs, metadata, stable observation names and labels for logs/metrics/traces, local command-buffered event dispatch, event-envelope capture/replay with stable IDs, dependency-free outbox/broker/presentation-fanout/event-source/seen-store interfaces, command event sinks, an event worker loop with ack/nack, context cancellation, optional post-ack deduplication windows, explicit nacked-batch backoff options, a dependency-free file outbox adapter, dependency-free in-memory broker/EventSource adapter, dependency-free in-memory and file-backed seen stores, and dependency-free SSE presentation fanout adapter with retry hints and drop-on-full per-client buffers. Concrete Redis Streams, Redis TTL seen-store, NATS, and WebSocket adapters are nested optional modules. Separate worker/cron binary generators and deployment recipes are platform tooling, not runtime core. |
-| `runtime/trace` | Dependency-free runtime tracing core. | Runtime | Provides W3C-compatible trace/span IDs, `traceparent` inject/extract helpers, context spans, GOWDK surface/lane/source metadata, attributes, events, status, always-on/off and ratio sampling, console/JSONL/ring/multi/exporter sinks, OTLP-shaped snapshots without an OpenTelemetry dependency, and a bounded JSON/SSE collector. Generated backend, SSR/load, guard, contract, browser, and island instrumentation is opt-in and debug-gated through `addons/observability`; durable trace storage and production sampling/access policy remain app-owned. |
+| `runtime/trace` | Dependency-free runtime tracing core. | Runtime | Provides W3C-compatible trace/span IDs, bounded `traceparent`/`tracestate` inject/extract helpers, context spans, GOWDK surface/lane/source metadata, attributes, events, status, always-on/off and ratio sampling, console/JSONL/ring/multi/exporter sinks, OTLP-shaped snapshots without an OpenTelemetry dependency, and a bounded JSON/SSE collector with hardened browser ingest. Generated backend, SSR/load, guard, contract, browser, and island instrumentation is opt-in and debug-gated through `addons/observability`; durable trace storage and production sampling/access policy remain app-owned. |
 | `runtime/actions` | Request-time action helpers. | Runtime | Owns CSRF token validation/generation, generated action registries, form decoding, and required-field validation helpers. |
 | `runtime/api` | Request-time API helpers. | Runtime | Owns strict JSON request decoding, query helpers, and JSON/error/no-content response helpers. |
 | `runtime/partial` | Request-time partial update helpers. | Runtime | Owns fragment responses, swap helpers, and partial client hook constants. |
diff --git a/docs/product/requirements.md b/docs/product/requirements.md
index 1ccf811b..51e613fd 100644
--- a/docs/product/requirements.md
+++ b/docs/product/requirements.md
@@ -55,7 +55,7 @@ language references, compiler docs, and examples.
 | PRD-027 | Provide opt-in browser presentation-event fanout without adding WebSocket dependencies to the root module. | Medium | Implemented | `FeatureRealtime` and `addons/realtime` provide config and `gowdk add realtime` wiring for presentation-event fanout. Dependency-free SSE fanout remains in the root module through `runtime/contracts/sse` and `realtime.NewSSE`; WebSocket fanout remains isolated in the nested `runtime/contracts/websocketfanout` module. Docs cover SSE versus WebSocket setup, deployment caveats, and the M14 boundary for live DOM reactivity. |
 | PRD-028 | Provide compiler-validated realtime UI subscription metadata. | Medium | Partial | ADR 0012 defines `g:subscribe` on query-owned elements. The compiler parses the directive, lowers it to `Program.RealtimeSubscriptions`, requires `realtime.Addon()`, validates referenced Go contracts as presentation events available to the web role, emits exact-span diagnostics, renders `data-gowdk-subscribe` and validated `data-gowdk-subscribe-type` markers, records build-report metadata, generated apps mount subscription-filtered SSE fanout at `/_gowdk/realtime/events` for bound subscriptions, generated stream handlers run inherited guards before opening SSE responses, the SSE adapter declares browser retry timing and drops events for full per-client buffers instead of blocking command execution, generated `gowdk.js` applies explicit `replaceHTML` realtime patches to subscribed query regions, and `examples/contracts` demonstrates the live flow. The compiler also scans explicit Go `RegisterInvalidation[event, query]` edges, lowers validated bound edges to `Program.QueryInvalidations`, rejects unknown queries/events or events no scanned command emits, records `query_invalidation` build-report events, prints `invalidates` graph edges, renders `data-gowdk-query-type` markers, emits generated `gowdk.query.invalidate` presentation events after command event dispatch, and refetches the current document to replace matching non-subscribed query regions. Custom retry/backoff/replay, active session-change stream revocation, richer patch shapes, fragment/API-specific query execution, and route-specific refresh endpoints remain planned hardening work. |
 | PRD-029 | Provide optional SEO build output for sitemap and robots files without making crawler policy core. | Medium | Partial | `addons/seo` registers `FeatureSEO` and `gowdk.SEOProvider`; `gowdk build` emits `sitemap.xml` and `robots.txt` only when the addon supplies a valid `BaseURL`. The sitemap includes public static and `paths {}`-expanded SPA routes plus configured extra URLs, while request-time and guardless default-denied pages are excluded and listed in `gowdk-build-report.json`. JSON-LD and request-time sitemap serving remain planned/out of scope for this slice. |
-| PRD-030 | Provide dependency-free runtime trace primitives and opt-in generated app instrumentation. | Medium | Partial | ADR 0013 defines `runtime/trace` as the root-module observability core. It provides W3C-compatible trace/span IDs, `traceparent` propagation, context spans, GOWDK surface/lane/source metadata, attributes/events/status, always-on/off and ratio sampling, console/JSONL/ring/multi/exporter sinks, a bounded JSON/SSE collector, browser span ingest, and a self-contained local viewer. `addons/observability` gates debug-only generated route/guard/handler/SSR-load/browser/island tracing, `runtime/contracts` propagates trace context through events/jobs/workers/outbox records, and the nested `runtime/trace/otel` module provides optional OTLP HTTP export without root OpenTelemetry dependencies. Durable production storage, hosted analysis, and production sampling/access policy remain app-owned. |
+| PRD-030 | Provide dependency-free runtime trace primitives and opt-in generated app instrumentation. | Medium | Partial | ADR 0013 defines `runtime/trace` as the root-module observability core. It provides W3C-compatible trace/span IDs, `traceparent`/`tracestate` propagation with bounded header parsing, context spans, GOWDK surface/lane/source metadata, attributes/events/status, always-on/off and ratio sampling, console/JSONL/ring/multi/exporter sinks, a bounded JSON/SSE collector, hardened browser span ingest, and a self-contained local viewer with dropped/rejected counters. `addons/observability` gates debug-only generated route/guard/handler/SSR-load/browser/island tracing, `runtime/contracts` propagates trace context through events/jobs/workers/outbox records, and the nested `runtime/trace/otel` module provides optional OTLP HTTP export without root OpenTelemetry dependencies. Durable production storage, hosted analysis, and production sampling/access policy remain app-owned. |
 | PRD-031 | Provide a config-owned localization contract for generated page routes and typed message catalogs. | Medium | Partial | `Config.I18N` declares locale codes, optional path prefixes, default locale, and default-prefix omission. Build-time SPA routes, dynamic `paths {}` output, request-time SSR/hybrid page routes, route metadata, site-map JSON, route manifests, and SEO sitemap output expand per locale. Build helpers receive `gowdk.BuildParams.Locale`, generated HTML receives `lang`, SSR handlers attach `runtime/app.Locale(ctx)`, and `runtime/i18n` provides typed Go catalog/bundle helpers. Message extraction, ICU/plural/date formatting, translated diagnostics, and per-endpoint locale policies remain planned or app-owned. |
 
 ## P0/P1/P2 Decision Backlog
@@ -82,7 +82,7 @@ implemented.
 | Forms | Keep progressive-enhancement-first form behavior; full POST and enhanced POST share action result semantics; domain validation stays in user Go. | Partial | Generated enhanced forms preserve no-JavaScript POST behavior, send partial request headers, swap server fragments, expose failed enhanced response status/body/detail events, and use escaped live-region validation fragments. Domain validation stays in user Go. |
 | APIs | Broaden APIs through public request/response helpers and typed body/query helpers, not framework-specific adapters. | Partial — `addons/api` provides strict JSON body decoding, typed query helpers, JSON/error/no-content response helpers for current `func(context.Context, *http.Request) (response.Response, error)` handlers, and config-level CORS policy for generated API/command/query routes. Generated typed handler signatures, per-route result contracts, per-endpoint CORS syntax, and richer examples remain planned. |
 | Contract runtime | Add typed Go queries, commands, backend-owned domain/integration events, presentation events, and jobs after endpoint/adapter IR is stable. Frontend UI events trigger commands or queries, commands have one owner, domain events are emitted after backend state changes succeed, local in-process dispatch is default, and broker/outbox/worker roles are optional. Runtime registry, role filtering, event capture/replay, outbox/broker/fanout/EventSource/seen-store interfaces, worker ack/nack/backoff, file/in-memory/Redis/NATS adapters, SSE/WebSocket fanout, generated command event sinks, generated registries, generated worker replay helpers, Go AST scanning, `go/types` diagnostics, duplicate-owner and emitted-event diagnostics, contract/list/graph/trace CLI, `g:command`/`g:query` metadata, query-bounded `g:subscribe`, explicit `RegisterInvalidation[event, query]` metadata, import-path-aware reference/subscription/invalidation linking, `g:event` rejection, IR binding status, app adapter IR, generated web command/query adapters, page-route query JSON negotiation, stable JSON success/error response shape, formatted generated adapter source, page-guard propagation, rate-limit/guard/CSRF ordering, report metadata, enforced scan diagnostics, generated subscription-filtered guarded SSE fanout, generated client `replaceHTML` patches, generated `gowdk.query.invalidate` events, and current-document refresh for matching non-subscribed invalidated query regions are implemented. Separate worker/cron binary generators, fragment/API-specific query execution, remaining exact diagnostic spans, richer realtime patch shapes, durable retry operations, and editor-first visualizations remain planned outside the milestone-14 runtime contract. | Implemented |
-| Observability | Keep root tracing dependency-free while making generated instrumentation opt-in and debug-gated. | Partial — `runtime/trace` provides W3C-compatible IDs, `traceparent` propagation, context spans, GOWDK surface/lane/source metadata, span attributes/events/status, always-on/off and ratio sampling, console/JSONL/ring/multi/exporter sinks, OTLP-shaped snapshots, bounded JSON/SSE local collection, browser ingest, and a self-contained viewer. `addons/observability` enables debug-only generated backend, SSR/load, frontend, and island tracing; contracts/outbox records carry optional trace context; `runtime/trace/otel` isolates OTLP HTTP export in a nested module. Durable storage, hosted analysis, and production sampling/access policy remain app-owned. |
+| Observability | Keep root tracing dependency-free while making generated instrumentation opt-in and debug-gated. | Partial — `runtime/trace` provides W3C-compatible IDs, bounded `traceparent`/`tracestate` propagation, context spans, GOWDK surface/lane/source metadata, span attributes/events/status, always-on/off and ratio sampling, console/JSONL/ring/multi/exporter sinks, OTLP-shaped snapshots, bounded JSON/SSE local collection, hardened browser ingest, and a self-contained viewer. `addons/observability` enables debug-only generated backend, SSR/load, frontend, and island tracing; contracts/outbox records carry optional trace context; `runtime/trace/otel` isolates OTLP HTTP export in a nested module. Durable storage, hosted analysis, full metrics/log correlation, and production sampling/access policy remain app-owned or future work. |
 | Cache | Keep `cache` and `revalidate` as HTTP cache policy; keep action-driven data refresh explicit through redirects, fragments, JSON, or reload responses. | Partial — route reports include route/endpoint cache metadata, build reports summarize generated cache policies, generated binaries apply immutable asset cache, SPA `no-cache`, request-time `no-store`, and page `cache`/`revalidate` for successful SPA/SSR HTML. |
 | Guards | Extend guards with safe local redirects and response helpers before richer request-local state. | Partial — guards keep the `func(runtime/guard.Context) error` signature. Ordinary errors fail closed with 403, while `runtime/guard.RedirectTo`, `runtime/guard.Redirect`, and `runtime/guard.Respond` intentionally write no-store redirects or custom responses. Richer request-local state is still deferred. |
 | Component CSS | Make component CSS explicit, compiler-scoped, and documented; Tailwind and processors remain optional. | Partial |
diff --git a/docs/product/roadmap.md b/docs/product/roadmap.md
index d66423ab..9801958e 100644
--- a/docs/product/roadmap.md
+++ b/docs/product/roadmap.md
@@ -151,11 +151,12 @@ level, the current baseline already includes:
   command/query contract web endpoints, and frontend audit surfaces, with
   declared `*.audit.gwdk` policies, generated runtime audit tests,
   registry-backed findings, and CI-friendly JSON output.
-- dependency-free `runtime/trace` primitives for W3C trace IDs,
-  `traceparent` propagation, context spans, sinks, sampling, local JSON/SSE
-  trace collection, browser span ingest, a self-contained viewer, debug-gated
-  generated app instrumentation through `addons/observability`, contract/event
-  propagation, and nested-module OTLP export.
+- dependency-free `runtime/trace` primitives for W3C trace IDs, bounded
+  `traceparent`/`tracestate` propagation, context spans, sinks, sampling, local
+  JSON/SSE trace collection, hardened browser span ingest, a self-contained
+  viewer, debug-gated generated app instrumentation through
+  `addons/observability`, contract/event propagation, and nested-module OTLP
+  export.
 
 Do not roadmap those completed slices as future work. Future work should
 stabilize their contracts, remove generation debt, and fill the missing
@@ -195,7 +196,7 @@ are stable.
 | 18 | CSS, assets, and packaging | External addon loading is hardened, richer page-aware CSS processor contracts are stable, and Tailwind/CSS deployment docs stay explicit that external tooling is user-installed. Implemented CSS asset hashing, component CSS scope/hash metadata, component non-CSS asset emission, and binary cache policy remain stable. Module selection remains artifact packaging, not runtime module orchestration. |
 | 19 | Framework adapters | GOWDK Runtime remains `net/http` first. Optional Chi, Echo, Gin, and Fiber adapters wrap the same generated `http.Handler`; Chi/Echo/Gin can mount routes from generated OpenAPI metadata, and generated code stays framework-neutral by default. |
 | 20 | Dev and tooling | `gowdk dev` can run generated app/runtime flows for backend routes and SSR, skip unchanged rebuilds, cache watched input state, show SPA/static and generated-app rebuild failures with diagnostic codes, source ranges, last-good build time, and changed files, show generic generated-app runtime 5xx failures without request details through the dev-only proxy bridge, and hot-swap changed JS island component roots when the current page has matching island boundaries. Generated app runtime mode now uses the proxy for browser overlay delivery and live reload after generated-app restarts. State-preserving/broader component HMR, richer LSP completions, and editor navigation remain tracked in [#424](https://github.com/cssbruno/GoWDK/issues/424). |
-| 21 | Observability | Partial. Generated apps can opt into GOWDK trace spans across route, guard, handler, SSR, action, API, fragment, contract, job, island, nav, and user lanes while keeping the root runtime dependency-free. `runtime/trace`, `addons/observability`, a local viewer, contract/event propagation, browser propagation, WASM island bridge reuse, and nested-module OTLP HTTP export are implemented. Durable trace storage, hosted analysis, and production sampling/access policy remain app-owned hardening work. |
+| 21 | Observability | Partial. Generated apps can opt into GOWDK trace spans across route, guard, handler, SSR, action, API, fragment, contract, job, island, nav, and user lanes while keeping the root runtime dependency-free. `runtime/trace`, `addons/observability`, a hardened local viewer/collector, contract/event propagation, browser propagation, WASM island bridge reuse, and nested-module OTLP HTTP export are implemented. Durable trace storage, hosted analysis, full metrics/log correlation, and production sampling/access policy remain app-owned or future work. |
 | 22 | Documentation sync | README, requirements, architecture, deployment, roadmap, and examples stay synchronized with implemented behavior and commands. |
 
 ## Candidate Release Order
diff --git a/docs/reference/observability.md b/docs/reference/observability.md
index de13691a..e97d885a 100644
--- a/docs/reference/observability.md
+++ b/docs/reference/observability.md
@@ -1,8 +1,12 @@
 # Observability
 
 `addons/observability` enables generated GOWDK Trace wiring for debug builds.
-It registers `FeatureObservability`; `runtime/trace` remains the dependency-free
-root runtime, and optional OTLP export lives in the nested
+The addon name stays `observability`, but the current implemented surface is
+GOWDK Trace plus local inspection primitives. It is not a hosted metrics, logs,
+or trace-analysis backend.
+
+It registers `FeatureObservability`; `runtime/trace` remains the
+dependency-free root runtime, and optional OTLP export lives in the nested
 `runtime/trace/otel` module.
 
 Enable it:
@@ -26,7 +30,8 @@ supplies an explicit `TraceAccess` function.
 
 Current generated instrumentation:
 
-- Backend request route spans extract incoming `traceparent`.
+- Backend request route spans extract incoming `traceparent` and valid
+  `tracestate`.
 - Generated SSR route and `server {}` spans record route IDs, render lane,
   source refs, response status, and load errors without storing raw request
   bodies or headers.
@@ -37,14 +42,26 @@ Current generated instrumentation:
 - `runtime/contracts.EventEnvelope` and file outbox records carry an optional
   `traceparent`; old records without it remain readable.
 - Generated browser runtime spans partial submits and SPA navigation, injects
-  `traceparent`, and posts frontend spans to the local collector.
+  trace context, and posts frontend spans to the local collector.
 - JS islands, WASM island loaders, and page-level client Go WASM loaders reuse
   `window.__gowdkTrace`.
 
 The generated local collector keeps a bounded in-memory ring of 1024 completed
-spans. Generated code records stable route/endpoint IDs and source metadata, and
-uses runtime redaction helpers for query strings, error messages, and app-owned
-trace events.
+spans. It requires JSON POST ingest, rejects cross-origin browser ingest, caps
+request/body/span/event/attribute/string sizes, limits POST ingest rate and SSE
+subscriber count, and exposes `dropped` plus `rejected` health counters in the
+JSON/viewer surface. Generated code records stable route/endpoint IDs and source
+metadata, and uses runtime redaction helpers for query strings, error messages,
+and app-owned trace events.
+
+## Mode Matrix
+
+| Mode | Generated spans | Local collector/viewer | Intended access |
+| --- | --- | --- | --- |
+| `gowdk dev` / local debug | Enabled when the addon is present and debug assets are on. | Mounted at `/_gowdk/traces`. | Localhost only by default. |
+| Preview/debug app builds | Enabled when `Build.DebugAssets()` is true. | Mounted only when the addon is present. | Keep behind `LocalTraceAccess` or an app-owned gate. |
+| Production builds | Disabled by default because debug assets are off. | Not mounted by generated code. | Use app-owned telemetry export and access policy. |
+| Direct `runtime/trace` use | App-controlled. | App-controlled. | The app must wrap public routes with auth, TLS, proxy, and rate-limit policy. |
 
 For app-owned Go handlers, record a user event on the active span:
 
@@ -67,3 +84,5 @@ tracer := trace.NewTracer(trace.WithSink(sink))
 Do not treat the local collector or viewer as a production observability
 backend. Production deployments should set sampling deliberately, keep viewer
 access gated or disabled, and send spans to app-owned telemetry infrastructure.
+Full slog correlation, expanded route metrics, durable storage, hosted analysis,
+and production access policy remain future observability work.
diff --git a/docs/reference/realtime.md b/docs/reference/realtime.md
index f42da2bf..72734827 100644
--- a/docs/reference/realtime.md
+++ b/docs/reference/realtime.md
@@ -277,6 +277,10 @@ Each presentation event is written as one text JSON `contracts.EventEnvelope`.
 - In-process SSE and WebSocket hubs only know about clients connected to the
   same process. Multi-instance deployments should pair fanout with a broker,
   outbox, or external pub/sub path when all clients must see the same event.
+- Generated realtime streams are guard-checked and subscription/type filtered,
+  but the current presentation fanout is not scoped by user, session, tenant, or
+  audience. Do not put user-specific payloads on the shared fanout unless the
+  application owns an additional filtering layer.
 - SSE responses set `X-Accel-Buffering: no`; reverse proxies may still need
   explicit buffering and timeout settings for long-lived streams.
 - WebSocket deployments should set origin checks and proxy upgrade headers.
diff --git a/docs/reference/tracing.md b/docs/reference/tracing.md
index 05a31bd4..578f0449 100644
--- a/docs/reference/tracing.md
+++ b/docs/reference/tracing.md
@@ -52,12 +52,19 @@ gowdktrace.Inject(ctx, headers)
 ctx = gowdktrace.Extract(context.Background(), headers)
 ```
 
-The wire format is W3C `traceparent`:
+The wire format is W3C `traceparent`, with valid `tracestate` preserved when
+present:
 
 ```text
 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01
 ```
 
+`Extract` rejects malformed `traceparent` values and ignores malformed
+`tracestate` values while preserving the trace identity. Header limits are
+fixed: `traceparent` is capped at 256 bytes and `tracestate` at 512 bytes. The
+remote sampled flag is input context only; the local sampler still decides
+whether a new span is recorded.
+
 ## Sinks
 
 Current sinks:
@@ -68,8 +75,8 @@ Current sinks:
   overflow.
 - `MultiSink(...)`: sends spans to multiple sinks in order.
 - `ExporterSink(exporter)`: adapts an OTLP-like exporter interface.
-- `NewCollector(limit)`: sink plus local JSON/SSE HTTP handler and browser span
-  ingest.
+- `NewCollector(limit, options...)`: sink plus local JSON/SSE HTTP handler and
+  browser span ingest.
 
 ## Collector
 
@@ -85,7 +92,8 @@ http.Handle("/_gowdk/traces", collector.Handler())
 ```json
 {
   "spans": [],
-  "dropped": 0
+  "dropped": 0,
+  "rejected": 0
 }
 ```
 
@@ -94,6 +102,33 @@ streams `event: gowdk-trace` messages for existing and future spans. The viewer
 handler adds `GET /` for the self-contained UI and `POST /browser` for generated
 browser spans.
 
+POST ingest is treated as untrusted input:
+
+- requests must use `Content-Type: application/json` or `application/*+json`;
+- browser-originated requests must be same-origin when an `Origin` header is
+  present;
+- request bodies are capped at 1 MiB and batches at 128 spans;
+- span names, attributes, events, strings, and encoded snapshot size are
+  bounded before storage;
+- POST ingest is rate-limited per remote address by default;
+- SSE subscribers are capped by default and slow subscribers are dropped instead
+  of blocking span recording.
+
+Tune local collector limits when mounting it directly:
+
+```go
+collector := gowdktrace.NewCollector(
+	256,
+	gowdktrace.WithCollectorSSELimit(16),
+	gowdktrace.WithCollectorIngestRate(60, time.Minute),
+)
+```
+
+Generated apps mount the viewer behind `runtime/app.LocalTraceAccess`. If an
+application mounts `Collector.Handler()` or `ViewerHandler()` itself on an
+internet-facing route, the application must still provide normal authentication,
+authorization, TLS, reverse-proxy, and production rate-limit policy.
+
 ## Sampling
 
 - `AlwaysOn()`
@@ -109,3 +144,5 @@ The disabled `AlwaysOff` path with no start options is allocation-free.
   debug builds.
 - Concrete OTLP export lives in the nested `runtime/trace/otel` module so the
   root module does not depend on OpenTelemetry.
+- Durable storage, hosted trace analysis, production sampling policy, and
+  production access policy stay app-owned.
diff --git a/runtime/trace/collector.go b/runtime/trace/collector.go
index 3db50527..2aba5615 100644
--- a/runtime/trace/collector.go
+++ b/runtime/trace/collector.go
@@ -8,16 +8,26 @@ import (
 	"fmt"
 	"html/template"
 	"io"
+	"mime"
+	"net"
 	"net/http"
+	"net/url"
 	"strings"
 	"sync"
+	"sync/atomic"
+	"time"
 )
 
 const (
-	maxCollectorBodyBytes  = 1 << 20
-	maxCollectorBatchSpans = 128
+	maxCollectorBodyBytes     = 1 << 20
+	maxCollectorBatchSpans    = 128
+	defaultCollectorSSELimit  = 32
+	defaultCollectorRateLimit = 120
+	maxCollectorRateClients   = 1024
 )
 
+const defaultCollectorRateWindow = time.Minute
+
 var errTracePayloadTooLarge = errors.New("trace payload exceeds byte limit")
 
 var viewerTemplate = template.Must(template.New("gowdk-trace-viewer").Parse(`<!doctype html>
@@ -38,7 +48,7 @@ main{display:grid;grid-template-columns:minmax(260px,360px) 1fr;min-height:calc(
 </style>
 </head>
 <body>
-<header><h1>GOWDK Trace</h1><div class="meta"><span id="count">0</span> spans · <span id="dropped">0</span> dropped</div></header>
+<header><h1>GOWDK Trace</h1><div class="meta"><span id="count">0</span> spans · <span id="dropped">0</span> dropped · <span id="rejected">0</span> rejected</div></header>
 <main><section id="list"><div class="empty">Waiting for spans...</div></section><section id="detail"><pre id="json">{}</pre></section></main>
 <script>
 (() => {
@@ -47,6 +57,7 @@ main{display:grid;grid-template-columns:minmax(260px,360px) 1fr;min-height:calc(
   const detail = document.getElementById("json");
   const count = document.getElementById("count");
   const dropped = document.getElementById("dropped");
+  const rejected = document.getElementById("rejected");
   const mount = window.location.pathname.endsWith("/") ? window.location.pathname : window.location.pathname + "/";
   function render() {
     count.textContent = String(spans.length);
@@ -77,6 +88,7 @@ main{display:grid;grid-template-columns:minmax(260px,360px) 1fr;min-height:calc(
   }
   fetch(mount + "data").then((response) => response.json()).then((payload) => {
     dropped.textContent = String(payload.dropped || 0);
+    rejected.textContent = String(payload.rejected || 0);
     (payload.spans || []).forEach((span) => spans.push(span));
     render();
   }).catch(() => {});
@@ -93,17 +105,57 @@ main{display:grid;grid-template-columns:minmax(260px,360px) 1fr;min-height:calc(
 // Collector combines an in-memory ring sink with a small HTTP JSON/SSE
 // handler for local inspection.
 type Collector struct {
-	ring        *RingSink
-	mu          sync.Mutex
-	subscribers map[chan Snapshot]struct{}
+	ring             *RingSink
+	mu               sync.Mutex
+	subscribers      map[chan Snapshot]struct{}
+	sseLimit         int
+	ingestRateLimit  int
+	ingestRateWindow time.Duration
+	rateMu           sync.Mutex
+	rateWindows      map[string]collectorRateWindow
+	dropped          atomic.Uint64
+	rejected         atomic.Uint64
+}
+
+type collectorRateWindow struct {
+	reset time.Time
+	count int
+}
+
+// CollectorOption configures a Collector.
+type CollectorOption func(*Collector)
+
+// WithCollectorSSELimit sets the maximum number of concurrent SSE subscribers.
+// A non-positive limit disables the cap.
+func WithCollectorSSELimit(limit int) CollectorOption {
+	return func(collector *Collector) {
+		collector.sseLimit = limit
+	}
+}
+
+// WithCollectorIngestRate sets a fixed-window POST ingest rate per remote
+// address. A non-positive limit or window disables rate limiting.
+func WithCollectorIngestRate(limit int, window time.Duration) CollectorOption {
+	return func(collector *Collector) {
+		collector.ingestRateLimit = limit
+		collector.ingestRateWindow = window
+	}
 }
 
 // NewCollector creates a collector backed by a RingSink.
-func NewCollector(limit int) *Collector {
-	return &Collector{
-		ring:        NewRingSink(limit),
-		subscribers: map[chan Snapshot]struct{}{},
+func NewCollector(limit int, options ...CollectorOption) *Collector {
+	collector := &Collector{
+		ring:             NewRingSink(limit),
+		subscribers:      map[chan Snapshot]struct{}{},
+		sseLimit:         defaultCollectorSSELimit,
+		ingestRateLimit:  defaultCollectorRateLimit,
+		ingestRateWindow: defaultCollectorRateWindow,
+		rateWindows:      map[string]collectorRateWindow{},
+	}
+	for _, option := range options {
+		option(collector)
 	}
+	return collector
 }
 
 // RecordSpan implements Sink.
@@ -124,6 +176,7 @@ func (collector *Collector) RecordSpan(ctx context.Context, span Snapshot) error
 		select {
 		case subscriber <- span:
 		default:
+			collector.dropped.Add(1)
 		}
 	}
 	collector.mu.Unlock()
@@ -138,12 +191,20 @@ func (collector *Collector) Spans() []Snapshot {
 	return collector.ring.Spans()
 }
 
-// Dropped returns the ring overflow count.
+// Dropped returns the ring overflow and slow-subscriber drop count.
 func (collector *Collector) Dropped() uint64 {
 	if collector == nil {
 		return 0
 	}
-	return collector.ring.Dropped()
+	return collector.ring.Dropped() + collector.dropped.Load()
+}
+
+// Rejected returns the number of rejected ingest or stream requests.
+func (collector *Collector) Rejected() uint64 {
+	if collector == nil {
+		return 0
+	}
+	return collector.rejected.Load()
 }
 
 // Handler serves recent spans as JSON. Requests to /events or requests with an
@@ -157,20 +218,31 @@ func (collector *Collector) Handler() http.Handler {
 	}
 	return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
 		if request.Method == http.MethodPost {
+			if !requestHasJSONContentType(request) {
+				collector.rejectHTTP(response, "unsupported media type", http.StatusUnsupportedMediaType)
+				return
+			}
+			if !sameOriginRequest(request) {
+				collector.rejectHTTP(response, "forbidden", http.StatusForbidden)
+				return
+			}
+			if !collector.allowIngest(request) {
+				collector.rejectHTTP(response, http.StatusText(http.StatusTooManyRequests), http.StatusTooManyRequests)
+				return
+			}
 			if err := collector.recordJSON(request.Context(), request); err != nil {
 				if errors.Is(err, errTracePayloadTooLarge) {
-					http.Error(response, http.StatusText(http.StatusRequestEntityTooLarge), http.StatusRequestEntityTooLarge)
+					collector.rejectHTTP(response, http.StatusText(http.StatusRequestEntityTooLarge), http.StatusRequestEntityTooLarge)
 					return
 				}
-				http.Error(response, err.Error(), http.StatusBadRequest)
+				collector.rejectHTTP(response, err.Error(), http.StatusBadRequest)
 				return
 			}
 			response.WriteHeader(http.StatusNoContent)
 			return
 		}
 		if request.Method != http.MethodGet {
-			response.Header().Set("Allow", http.MethodGet+", "+http.MethodPost)
-			http.Error(response, "method not allowed", http.StatusMethodNotAllowed)
+			collector.methodNotAllowed(response, http.MethodGet+", "+http.MethodPost)
 			return
 		}
 		if request.URL.Path == "/events" || strings.Contains(request.Header.Get("Accept"), "text/event-stream") {
@@ -179,15 +251,16 @@ func (collector *Collector) Handler() http.Handler {
 		}
 		response.Header().Set("Content-Type", "application/json")
 		_ = json.NewEncoder(response).Encode(struct {
-			Spans   []Snapshot `json:"spans"`
-			Dropped uint64     `json:"dropped"`
-		}{Spans: collector.Spans(), Dropped: collector.Dropped()})
+			Spans    []Snapshot `json:"spans"`
+			Dropped  uint64     `json:"dropped"`
+			Rejected uint64     `json:"rejected"`
+		}{Spans: collector.Spans(), Dropped: collector.Dropped(), Rejected: collector.Rejected()})
 	})
 }
 
 // ViewerHandler serves a self-contained local trace viewer plus JSON and SSE
-// endpoints. It is intentionally unprotected; generated apps must mount it
-// behind an access gate when enabling it outside dev.
+// endpoints. Generated apps mount it behind an access gate when enabling it
+// outside dev; raw callers should do the same for internet-facing handlers.
 func (collector *Collector) ViewerHandler() http.Handler {
 	if collector == nil {
 		collector = NewCollector(defaultRingLimit)
@@ -197,21 +270,32 @@ func (collector *Collector) ViewerHandler() http.Handler {
 		switch strings.Trim(request.URL.Path, "/") {
 		case "":
 			if request.Method != http.MethodGet {
-				response.Header().Set("Allow", http.MethodGet)
-				http.Error(response, "method not allowed", http.StatusMethodNotAllowed)
+				collector.methodNotAllowed(response, http.MethodGet)
 				return
 			}
 			response.Header().Set("Content-Type", "text/html; charset=utf-8")
 			_ = viewerTemplate.Execute(response, nil)
 		case "data":
+			if request.Method != http.MethodGet {
+				collector.methodNotAllowed(response, http.MethodGet)
+				return
+			}
 			cloned := request.Clone(request.Context())
 			cloned.URL.Path = "/"
 			api.ServeHTTP(response, cloned)
 		case "events":
+			if request.Method != http.MethodGet {
+				collector.methodNotAllowed(response, http.MethodGet)
+				return
+			}
 			cloned := request.Clone(request.Context())
 			cloned.URL.Path = "/events"
 			api.ServeHTTP(response, cloned)
 		case "browser":
+			if request.Method != http.MethodPost {
+				collector.methodNotAllowed(response, http.MethodPost)
+				return
+			}
 			cloned := request.Clone(request.Context())
 			cloned.URL.Path = "/"
 			api.ServeHTTP(response, cloned)
@@ -221,6 +305,103 @@ func (collector *Collector) ViewerHandler() http.Handler {
 	})
 }
 
+func (collector *Collector) methodNotAllowed(response http.ResponseWriter, allow string) {
+	response.Header().Set("Allow", allow)
+	collector.rejectHTTP(response, "method not allowed", http.StatusMethodNotAllowed)
+}
+
+func (collector *Collector) rejectHTTP(response http.ResponseWriter, message string, status int) {
+	collector.rejected.Add(1)
+	http.Error(response, message, status)
+}
+
+func requestHasJSONContentType(request *http.Request) bool {
+	contentType := request.Header.Get("Content-Type")
+	if contentType == "" {
+		return false
+	}
+	mediaType, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		return false
+	}
+	mediaType = strings.ToLower(mediaType)
+	return mediaType == "application/json" || strings.HasSuffix(mediaType, "+json")
+}
+
+func sameOriginRequest(request *http.Request) bool {
+	origin := strings.TrimSpace(request.Header.Get("Origin"))
+	if origin == "" {
+		return true
+	}
+	parsed, err := url.Parse(origin)
+	if err != nil || parsed.Scheme == "" || parsed.Host == "" {
+		return false
+	}
+	return strings.EqualFold(parsed.Scheme, requestScheme(request)) && strings.EqualFold(parsed.Host, request.Host)
+}
+
+func requestScheme(request *http.Request) string {
+	if request.URL != nil && request.URL.Scheme != "" {
+		return request.URL.Scheme
+	}
+	if request.TLS != nil {
+		return "https"
+	}
+	return "http"
+}
+
+func (collector *Collector) allowIngest(request *http.Request) bool {
+	if collector.ingestRateLimit <= 0 || collector.ingestRateWindow <= 0 {
+		return true
+	}
+	key := collectorRateKey(request)
+	now := time.Now()
+	collector.rateMu.Lock()
+	defer collector.rateMu.Unlock()
+	if collector.rateWindows == nil {
+		collector.rateWindows = map[string]collectorRateWindow{}
+	}
+	window, ok := collector.rateWindows[key]
+	if !ok && len(collector.rateWindows) >= maxCollectorRateClients {
+		collector.pruneExpiredRateWindowsLocked(now)
+		if len(collector.rateWindows) >= maxCollectorRateClients {
+			return false
+		}
+	}
+	if !ok || !now.Before(window.reset) {
+		collector.rateWindows[key] = collectorRateWindow{reset: now.Add(collector.ingestRateWindow), count: 1}
+		return true
+	}
+	if window.count >= collector.ingestRateLimit {
+		return false
+	}
+	window.count++
+	collector.rateWindows[key] = window
+	return true
+}
+
+func (collector *Collector) pruneExpiredRateWindowsLocked(now time.Time) {
+	for key, window := range collector.rateWindows {
+		if !now.Before(window.reset) {
+			delete(collector.rateWindows, key)
+		}
+	}
+}
+
+func collectorRateKey(request *http.Request) string {
+	if request == nil {
+		return "unknown"
+	}
+	host, _, err := net.SplitHostPort(request.RemoteAddr)
+	if err == nil && host != "" {
+		return host
+	}
+	if request.RemoteAddr != "" {
+		return request.RemoteAddr
+	}
+	return "unknown"
+}
+
 func (collector *Collector) recordJSON(ctx context.Context, request *http.Request) error {
 	defer request.Body.Close()
 	payload, err := io.ReadAll(io.LimitReader(request.Body, maxCollectorBodyBytes+1))
@@ -283,13 +464,18 @@ func (collector *Collector) serveSSE(response http.ResponseWriter, request *http
 		http.Error(response, "streaming unsupported", http.StatusInternalServerError)
 		return
 	}
-	response.Header().Set("Content-Type", "text/event-stream")
-	response.Header().Set("Cache-Control", "no-cache")
-	response.Header().Set("Connection", "keep-alive")
 	events := make(chan Snapshot, 16)
 	collector.mu.Lock()
+	if collector.sseLimit > 0 && len(collector.subscribers) >= collector.sseLimit {
+		collector.mu.Unlock()
+		collector.rejectHTTP(response, http.StatusText(http.StatusTooManyRequests), http.StatusTooManyRequests)
+		return
+	}
 	collector.subscribers[events] = struct{}{}
 	collector.mu.Unlock()
+	response.Header().Set("Content-Type", "text/event-stream")
+	response.Header().Set("Cache-Control", "no-cache")
+	response.Header().Set("Connection", "keep-alive")
 	defer func() {
 		collector.mu.Lock()
 		delete(collector.subscribers, events)
diff --git a/runtime/trace/collector_internal_test.go b/runtime/trace/collector_internal_test.go
new file mode 100644
index 00000000..aa7a7e94
--- /dev/null
+++ b/runtime/trace/collector_internal_test.go
@@ -0,0 +1,43 @@
+package trace
+
+import (
+	"context"
+	"testing"
+	"time"
+)
+
+func TestCollectorDropsFullSubscriberWithoutBlocking(t *testing.T) {
+	collector := NewCollector(4)
+	events := make(chan Snapshot, 1)
+	events <- Snapshot{Name: "queued"}
+	collector.mu.Lock()
+	collector.subscribers[events] = struct{}{}
+	collector.mu.Unlock()
+	t.Cleanup(func() {
+		collector.mu.Lock()
+		delete(collector.subscribers, events)
+		collector.mu.Unlock()
+		close(events)
+	})
+
+	done := make(chan error, 1)
+	go func() {
+		done <- collector.RecordSpan(context.Background(), Snapshot{
+			TraceID: NewTraceID(),
+			SpanID:  NewSpanID(),
+			Name:    "nonblocking",
+		})
+	}()
+
+	select {
+	case err := <-done:
+		if err != nil {
+			t.Fatal(err)
+		}
+	case <-time.After(100 * time.Millisecond):
+		t.Fatal("RecordSpan blocked on a full subscriber")
+	}
+	if collector.Dropped() == 0 {
+		t.Fatal("full subscriber send was not counted as dropped")
+	}
+}
diff --git a/runtime/trace/span.go b/runtime/trace/span.go
index 5b0fcf25..46a092c6 100644
--- a/runtime/trace/span.go
+++ b/runtime/trace/span.go
@@ -28,6 +28,7 @@ type Span struct {
 	traceID      TraceID
 	spanID       SpanID
 	parentSpanID SpanID
+	traceState   string
 	name         string
 	surface      Surface
 	lane         Lane
@@ -173,7 +174,7 @@ func (span *Span) TraceContext() TraceContext {
 	}
 	span.mu.Lock()
 	defer span.mu.Unlock()
-	return TraceContext{TraceID: span.traceID, SpanID: span.spanID, Sampled: true}
+	return TraceContext{TraceID: span.traceID, SpanID: span.spanID, Sampled: true, TraceState: span.traceState}
 }
 
 func (span *Span) tracerRef() *Tracer {
diff --git a/runtime/trace/trace_test.go b/runtime/trace/trace_test.go
index c684a94f..926f4a26 100644
--- a/runtime/trace/trace_test.go
+++ b/runtime/trace/trace_test.go
@@ -58,23 +58,117 @@ func TestStartRecordsSpanToSink(t *testing.T) {
 func TestTraceparentInjectExtractRoundTrip(t *testing.T) {
 	traceID := trace.TraceID("4bf92f3577b34da6a3ce929d0e0e4736")
 	spanID := trace.SpanID("00f067aa0ba902b7")
-	ctx := trace.ContextWithTraceContext(context.Background(), trace.TraceContext{TraceID: traceID, SpanID: spanID, Sampled: true})
+	ctx := trace.ContextWithTraceContext(context.Background(), trace.TraceContext{
+		TraceID:    traceID,
+		SpanID:     spanID,
+		Sampled:    true,
+		TraceState: "rojo=00f067aa0ba902b7,congo=t61rcWkgMzE",
+	})
 	header := http.Header{}
 	trace.Inject(ctx, header)
 	if got := header.Get("traceparent"); got != "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01" {
 		t.Fatalf("unexpected traceparent: %q", got)
 	}
+	if got := header.Get("tracestate"); got != "rojo=00f067aa0ba902b7,congo=t61rcWkgMzE" {
+		t.Fatalf("unexpected tracestate: %q", got)
+	}
 
 	extracted := trace.Extract(context.Background(), header)
 	traceContext, ok := trace.TraceContextFromContext(extracted)
 	if !ok {
 		t.Fatal("expected extracted trace context")
 	}
-	if traceContext.TraceID != traceID || traceContext.SpanID != spanID || !traceContext.Sampled || !traceContext.Remote {
+	if traceContext.TraceID != traceID || traceContext.SpanID != spanID || !traceContext.Sampled || !traceContext.Remote || traceContext.TraceState != "rojo=00f067aa0ba902b7,congo=t61rcWkgMzE" {
 		t.Fatalf("unexpected extracted context: %#v", traceContext)
 	}
 }
 
+func TestTraceContextRejectsMalformedTraceparent(t *testing.T) {
+	validTraceID := "4bf92f3577b34da6a3ce929d0e0e4736"
+	validSpanID := "00f067aa0ba902b7"
+	tests := []struct {
+		name        string
+		traceparent string
+	}{
+		{name: "malformed", traceparent: "not-a-traceparent"},
+		{name: "zero trace id", traceparent: "00-00000000000000000000000000000000-" + validSpanID + "-01"},
+		{name: "zero span id", traceparent: "00-" + validTraceID + "-0000000000000000-01"},
+		{name: "uppercase trace id", traceparent: "00-4BF92F3577B34DA6A3CE929D0E0E4736-" + validSpanID + "-01"},
+		{name: "uppercase flags", traceparent: "00-" + validTraceID + "-" + validSpanID + "-0A"},
+		{name: "unsupported version", traceparent: "fe-" + validTraceID + "-" + validSpanID + "-01"},
+		{name: "oversized", traceparent: strings.Repeat("0", trace.MaxTraceparentHeaderBytes+1)},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if _, err := trace.ParseTraceparent(tt.traceparent); err == nil {
+				t.Fatal("expected ParseTraceparent to reject invalid input")
+			}
+			header := http.Header{"Traceparent": []string{tt.traceparent}}
+			if _, ok := trace.TraceContextFromContext(trace.Extract(context.Background(), header)); ok {
+				t.Fatal("invalid traceparent should not enter context")
+			}
+		})
+	}
+}
+
+func TestTraceContextDropsInvalidTracestate(t *testing.T) {
+	header := http.Header{}
+	header.Set("traceparent", "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01")
+	header.Set("tracestate", "bad key=value")
+
+	ctx := trace.Extract(context.Background(), header)
+	traceContext, ok := trace.TraceContextFromContext(ctx)
+	if !ok {
+		t.Fatal("valid traceparent should still be extracted")
+	}
+	if traceContext.TraceState != "" {
+		t.Fatalf("invalid tracestate should be dropped, got %q", traceContext.TraceState)
+	}
+
+	header.Set("tracestate", strings.Repeat("a", trace.MaxTracestateHeaderBytes+1))
+	ctx = trace.Extract(context.Background(), header)
+	traceContext, ok = trace.TraceContextFromContext(ctx)
+	if !ok {
+		t.Fatal("valid traceparent should survive oversized tracestate")
+	}
+	if traceContext.TraceState != "" {
+		t.Fatalf("oversized tracestate should be dropped, got %q", traceContext.TraceState)
+	}
+}
+
+func TestTracestatePropagatesThroughChildSpan(t *testing.T) {
+	header := http.Header{}
+	header.Set("traceparent", "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01")
+	header.Set("tracestate", "rojo=00f067aa0ba902b7")
+	ctx := trace.Extract(context.Background(), header)
+
+	tracer := trace.NewTracer()
+	ctx, span := tracer.Start(ctx, "child")
+	if span == nil {
+		t.Fatal("expected sampled child span")
+	}
+	out := http.Header{}
+	trace.Inject(ctx, out)
+	if got := out.Get("tracestate"); got != "rojo=00f067aa0ba902b7" {
+		t.Fatalf("child span lost tracestate: %q", got)
+	}
+}
+
+func TestRemoteSampledFlagDoesNotOverrideLocalSampler(t *testing.T) {
+	header := http.Header{}
+	header.Set("traceparent", "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01")
+	ctx := trace.Extract(context.Background(), header)
+
+	tracer := trace.NewTracer(trace.WithSampler(trace.AlwaysOff()))
+	next, span := tracer.Start(ctx, "sampled-remote")
+	if span != nil {
+		t.Fatal("remote sampled flag should not override local sampler")
+	}
+	if next != ctx {
+		t.Fatal("sampled-out start should return the extracted context unchanged")
+	}
+}
+
 func TestRingSinkDropsOldest(t *testing.T) {
 	ring := trace.NewRingSink(2)
 	for _, name := range []string{"one", "two", "three"} {
@@ -269,7 +363,7 @@ func TestCollectorAcceptsValidSingleAndBatchPayloads(t *testing.T) {
 		t.Fatal(err)
 	}
 	response := httptest.NewRecorder()
-	handler.ServeHTTP(response, httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(singlePayload)))
+	handler.ServeHTTP(response, jsonPostRequest(http.MethodPost, "/", singlePayload))
 	if response.Code != http.StatusNoContent {
 		t.Fatalf("single POST status = %d body=%q, want 204", response.Code, response.Body.String())
 	}
@@ -279,7 +373,7 @@ func TestCollectorAcceptsValidSingleAndBatchPayloads(t *testing.T) {
 		t.Fatal(err)
 	}
 	response = httptest.NewRecorder()
-	handler.ServeHTTP(response, httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(batchPayload)))
+	handler.ServeHTTP(response, jsonPostRequest(http.MethodPost, "/", batchPayload))
 	if response.Code != http.StatusNoContent {
 		t.Fatalf("batch POST status = %d body=%q, want 204", response.Code, response.Body.String())
 	}
@@ -305,7 +399,7 @@ func TestCollectorRejectsInvalidBatchWithoutPartialRecord(t *testing.T) {
 				t.Fatal(err)
 			}
 			response := httptest.NewRecorder()
-			collector.Handler().ServeHTTP(response, httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(payload)))
+			collector.Handler().ServeHTTP(response, jsonPostRequest(http.MethodPost, "/", payload))
 			if response.Code != http.StatusBadRequest {
 				t.Fatalf("POST status = %d body=%q, want 400", response.Code, response.Body.String())
 			}
@@ -331,7 +425,7 @@ func TestCollectorRejectsAmbiguousOrOversizedPayloads(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			collector := trace.NewCollector(4)
 			response := httptest.NewRecorder()
-			collector.Handler().ServeHTTP(response, httptest.NewRequest(http.MethodPost, "/", strings.NewReader(tt.body)))
+			collector.Handler().ServeHTTP(response, jsonPostRequest(http.MethodPost, "/", []byte(tt.body)))
 			if response.Code != tt.status {
 				t.Fatalf("POST status = %d body=%q, want %d", response.Code, response.Body.String(), tt.status)
 			}
@@ -342,6 +436,170 @@ func TestCollectorRejectsAmbiguousOrOversizedPayloads(t *testing.T) {
 	}
 }
 
+func TestCollectorRejectsMissingOrNonJSONContentType(t *testing.T) {
+	payload := []byte(snapshotJSON(t, validSnapshot("single")))
+	tests := []struct {
+		name        string
+		contentType string
+	}{
+		{name: "missing"},
+		{name: "plain text", contentType: "text/plain"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			collector := trace.NewCollector(4)
+			request := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(payload))
+			if tt.contentType != "" {
+				request.Header.Set("Content-Type", tt.contentType)
+			}
+			response := httptest.NewRecorder()
+
+			collector.Handler().ServeHTTP(response, request)
+
+			if response.Code != http.StatusUnsupportedMediaType {
+				t.Fatalf("POST status = %d body=%q, want 415", response.Code, response.Body.String())
+			}
+			if collector.Rejected() != 1 {
+				t.Fatalf("collector rejected count = %d, want 1", collector.Rejected())
+			}
+		})
+	}
+}
+
+func TestCollectorRejectsUnsupportedMethods(t *testing.T) {
+	collector := trace.NewCollector(4)
+	response := httptest.NewRecorder()
+
+	collector.Handler().ServeHTTP(response, httptest.NewRequest(http.MethodPut, "/", nil))
+
+	if response.Code != http.StatusMethodNotAllowed {
+		t.Fatalf("method status = %d body=%q, want 405", response.Code, response.Body.String())
+	}
+	if allow := response.Header().Get("Allow"); allow != "GET, POST" {
+		t.Fatalf("Allow = %q, want GET, POST", allow)
+	}
+	if collector.Rejected() != 1 {
+		t.Fatalf("collector rejected count = %d, want 1", collector.Rejected())
+	}
+}
+
+func TestCollectorRejectsCrossOriginBrowserIngest(t *testing.T) {
+	collector := trace.NewCollector(4)
+	payload := []byte(snapshotJSON(t, validSnapshot("browser")))
+	request := jsonPostRequest(http.MethodPost, "http://trace.local/browser", payload)
+	request.Header.Set("Origin", "http://evil.local")
+	response := httptest.NewRecorder()
+
+	collector.ViewerHandler().ServeHTTP(response, request)
+
+	if response.Code != http.StatusForbidden {
+		t.Fatalf("browser ingest status = %d body=%q, want 403", response.Code, response.Body.String())
+	}
+	if len(collector.Spans()) != 0 {
+		t.Fatalf("cross-origin request recorded spans: %#v", collector.Spans())
+	}
+}
+
+func TestCollectorAcceptsSameOriginAndMissingOriginBrowserIngest(t *testing.T) {
+	for _, tt := range []struct {
+		name   string
+		origin string
+	}{
+		{name: "same origin", origin: "http://trace.local"},
+		{name: "missing origin"},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			collector := trace.NewCollector(4)
+			payload := []byte(snapshotJSON(t, validSnapshot("browser")))
+			request := jsonPostRequest(http.MethodPost, "http://trace.local/browser", payload)
+			if tt.origin != "" {
+				request.Header.Set("Origin", tt.origin)
+			}
+			response := httptest.NewRecorder()
+
+			collector.ViewerHandler().ServeHTTP(response, request)
+
+			if response.Code != http.StatusNoContent {
+				t.Fatalf("browser ingest status = %d body=%q, want 204", response.Code, response.Body.String())
+			}
+			if got := collector.Spans(); len(got) != 1 || got[0].Name != "browser" {
+				t.Fatalf("browser ingest stored unexpected spans: %#v", got)
+			}
+		})
+	}
+}
+
+func TestCollectorRateLimitsIngest(t *testing.T) {
+	collector := trace.NewCollector(4, trace.WithCollectorIngestRate(1, time.Minute))
+	handler := collector.Handler()
+	payload := []byte(snapshotJSON(t, validSnapshot("limited")))
+
+	response := httptest.NewRecorder()
+	handler.ServeHTTP(response, jsonPostRequest(http.MethodPost, "/", payload))
+	if response.Code != http.StatusNoContent {
+		t.Fatalf("first POST status = %d body=%q, want 204", response.Code, response.Body.String())
+	}
+
+	response = httptest.NewRecorder()
+	handler.ServeHTTP(response, jsonPostRequest(http.MethodPost, "/", payload))
+	if response.Code != http.StatusTooManyRequests {
+		t.Fatalf("second POST status = %d body=%q, want 429", response.Code, response.Body.String())
+	}
+	if collector.Rejected() != 1 {
+		t.Fatalf("collector rejected count = %d, want 1", collector.Rejected())
+	}
+}
+
+func TestCollectorSSELimit(t *testing.T) {
+	collector := trace.NewCollector(4, trace.WithCollectorSSELimit(1))
+	if err := collector.RecordSpan(context.Background(), validSnapshot("existing")); err != nil {
+		t.Fatal(err)
+	}
+	server := httptest.NewServer(collector.Handler())
+	defer server.Close()
+
+	first, err := server.Client().Get(server.URL + "/events")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer first.Body.Close()
+	if first.StatusCode != http.StatusOK {
+		t.Fatalf("first SSE status = %d, want 200", first.StatusCode)
+	}
+
+	second, err := server.Client().Get(server.URL + "/events")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer second.Body.Close()
+	if second.StatusCode != http.StatusTooManyRequests {
+		t.Fatalf("second SSE status = %d, want 429", second.StatusCode)
+	}
+	if collector.Rejected() != 1 {
+		t.Fatalf("collector rejected count = %d, want 1", collector.Rejected())
+	}
+}
+
+func TestCollectorRejectedCounterIsExposedInJSON(t *testing.T) {
+	collector := trace.NewCollector(4)
+	collector.Handler().ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodPost, "/", strings.NewReader(`{}`)))
+
+	response := httptest.NewRecorder()
+	collector.Handler().ServeHTTP(response, httptest.NewRequest(http.MethodGet, "/", nil))
+	if response.Code != http.StatusOK {
+		t.Fatalf("json status = %d body=%q, want 200", response.Code, response.Body.String())
+	}
+	var payload struct {
+		Rejected uint64 `json:"rejected"`
+	}
+	if err := json.Unmarshal(response.Body.Bytes(), &payload); err != nil {
+		t.Fatal(err)
+	}
+	if payload.Rejected != 1 {
+		t.Fatalf("json rejected = %d, want 1", payload.Rejected)
+	}
+}
+
 func TestSpanSnapshotsAndRingResultsDeepCopyAttributes(t *testing.T) {
 	ring := trace.NewRingSink(2)
 	tracer := trace.NewTracer(trace.WithSink(ring))
@@ -480,6 +738,12 @@ func snapshotJSON(t *testing.T, span trace.Snapshot) string {
 	return string(payload)
 }
 
+func jsonPostRequest(method string, target string, payload []byte) *http.Request {
+	request := httptest.NewRequest(method, target, bytes.NewReader(payload))
+	request.Header.Set("Content-Type", "application/json")
+	return request
+}
+
 func stringAttributeSlice(t *testing.T, attrs []trace.Attribute, key string) []string {
 	t.Helper()
 	for _, attr := range attrs {
diff --git a/runtime/trace/tracer.go b/runtime/trace/tracer.go
index 0c75f3d0..aeda4510 100644
--- a/runtime/trace/tracer.go
+++ b/runtime/trace/tracer.go
@@ -88,8 +88,10 @@ func (tracer *Tracer) Start(ctx context.Context, name string, options ...StartOp
 		generator = defaultIDGenerator
 	}
 	traceID := parent.TraceID
+	traceState := parent.TraceState
 	if !traceID.Valid() {
 		traceID = generator.NewTraceID()
+		traceState = ""
 	}
 	spanID := generator.NewSpanID()
 	if !traceID.Valid() || !spanID.Valid() {
@@ -114,6 +116,7 @@ func (tracer *Tracer) Start(ctx context.Context, name string, options ...StartOp
 		tracer:     cfg.tracer,
 		traceID:    traceID,
 		spanID:     spanID,
+		traceState: traceState,
 		name:       name,
 		surface:    cfg.surface,
 		lane:       cfg.lane,
@@ -126,7 +129,7 @@ func (tracer *Tracer) Start(ctx context.Context, name string, options ...StartOp
 		span.parentSpanID = parent.SpanID
 	}
 	ctx = context.WithValue(ctx, spanContextKey{}, span)
-	ctx = ContextWithTraceContext(ctx, TraceContext{TraceID: traceID, SpanID: spanID, Sampled: true})
+	ctx = ContextWithTraceContext(ctx, TraceContext{TraceID: traceID, SpanID: spanID, Sampled: true, TraceState: traceState})
 	return ctx, span
 }
 
diff --git a/runtime/trace/types.go b/runtime/trace/types.go
index bb7d1455..8e2dd5f2 100644
--- a/runtime/trace/types.go
+++ b/runtime/trace/types.go
@@ -106,14 +106,25 @@ type Snapshot struct {
 }
 
 // TraceContext is the trace identity stored in context.Context and encoded in
-// W3C traceparent headers.
+// W3C traceparent/tracestate headers.
 type TraceContext struct {
-	TraceID TraceID
-	SpanID  SpanID
-	Sampled bool
-	Remote  bool
+	TraceID    TraceID
+	SpanID     SpanID
+	Sampled    bool
+	Remote     bool
+	TraceState string
 }
 
+const (
+	// MaxTraceparentHeaderBytes is the maximum traceparent header size accepted
+	// by Extract and ParseTraceparent.
+	MaxTraceparentHeaderBytes = 256
+	// MaxTracestateHeaderBytes is the W3C tracestate list-member byte budget.
+	MaxTracestateHeaderBytes = 512
+)
+
+const maxTracestateMembers = 32
+
 type contextKey struct{}
 type tracerContextKey struct{}
 
@@ -182,6 +193,14 @@ func ContextWithTraceContext(ctx context.Context, traceContext TraceContext) con
 	if !traceContext.TraceID.Valid() || !traceContext.SpanID.Valid() {
 		return ctx
 	}
+	if traceContext.TraceState != "" {
+		traceState, err := parseTracestate(traceContext.TraceState)
+		if err != nil {
+			traceContext.TraceState = ""
+		} else {
+			traceContext.TraceState = traceState
+		}
+	}
 	return context.WithValue(ctx, contextKey{}, traceContext)
 }
 
@@ -214,10 +233,35 @@ func TracerFromContext(ctx context.Context) (*Tracer, bool) {
 
 // ParseTraceparent parses a W3C traceparent header.
 func ParseTraceparent(value string) (TraceContext, error) {
+	return ParseTraceContext(value, "")
+}
+
+// ParseTraceContext parses W3C traceparent and tracestate headers. Invalid
+// traceparent input rejects the context. Invalid tracestate input is dropped so
+// a usable trace identity is still preserved without propagating ambiguous
+// vendor state.
+func ParseTraceContext(traceparent string, tracestate string) (TraceContext, error) {
+	traceContext, err := parseTraceparent(traceparent)
+	if err != nil {
+		return TraceContext{}, err
+	}
+	if traceState, err := parseTracestate(tracestate); err == nil {
+		traceContext.TraceState = traceState
+	}
+	return traceContext, nil
+}
+
+func parseTraceparent(value string) (TraceContext, error) {
+	if len(value) > MaxTraceparentHeaderBytes {
+		return TraceContext{}, errors.New("traceparent exceeds byte limit")
+	}
 	parts := strings.Split(strings.TrimSpace(value), "-")
 	if len(parts) != 4 {
 		return TraceContext{}, errors.New("traceparent must have four dash-separated fields")
 	}
+	if !validLowerHex(parts[0], 2) {
+		return TraceContext{}, errors.New("traceparent version is invalid")
+	}
 	if parts[0] != "00" {
 		return TraceContext{}, fmt.Errorf("unsupported traceparent version %q", parts[0])
 	}
@@ -229,13 +273,111 @@ func ParseTraceparent(value string) (TraceContext, error) {
 	if !spanID.Valid() {
 		return TraceContext{}, errors.New("traceparent span id is invalid")
 	}
+	if !validLowerHex(parts[3], 2) {
+		return TraceContext{}, errors.New("traceparent flags are invalid")
+	}
 	flags, err := strconv.ParseUint(parts[3], 16, 8)
-	if err != nil || len(parts[3]) != 2 {
+	if err != nil {
 		return TraceContext{}, errors.New("traceparent flags are invalid")
 	}
 	return TraceContext{TraceID: traceID, SpanID: spanID, Sampled: flags&1 == 1, Remote: true}, nil
 }
 
+func parseTracestate(value string) (string, error) {
+	if value == "" {
+		return "", nil
+	}
+	if len(value) > MaxTracestateHeaderBytes {
+		return "", errors.New("tracestate exceeds byte limit")
+	}
+	value = strings.TrimSpace(value)
+	if value == "" {
+		return "", nil
+	}
+	members := strings.Split(value, ",")
+	if len(members) > maxTracestateMembers {
+		return "", errors.New("tracestate has too many members")
+	}
+	seen := map[string]struct{}{}
+	normalized := make([]string, 0, len(members))
+	for _, raw := range members {
+		member := strings.TrimSpace(raw)
+		if member == "" {
+			return "", errors.New("tracestate member is empty")
+		}
+		key, memberValue, ok := strings.Cut(member, "=")
+		if !ok || key == "" {
+			return "", errors.New("tracestate member is invalid")
+		}
+		if key != strings.TrimSpace(key) || memberValue != strings.TrimSpace(memberValue) {
+			return "", errors.New("tracestate member whitespace is invalid")
+		}
+		if !validTracestateKey(key) || !validTracestateValue(memberValue) {
+			return "", errors.New("tracestate member is invalid")
+		}
+		if _, ok := seen[key]; ok {
+			return "", errors.New("tracestate member is duplicated")
+		}
+		seen[key] = struct{}{}
+		normalized = append(normalized, key+"="+memberValue)
+	}
+	return strings.Join(normalized, ","), nil
+}
+
+func validTracestateKey(key string) bool {
+	if len(key) > 256 {
+		return false
+	}
+	left, right, hasTenant := strings.Cut(key, "@")
+	if hasTenant {
+		return validTracestateKeyPart(left, false, 241) && validTracestateKeyPart(right, true, 14)
+	}
+	return validTracestateKeyPart(left, true, 256)
+}
+
+func validTracestateKeyPart(value string, requireLetterStart bool, maxLength int) bool {
+	if value == "" || len(value) > maxLength {
+		return false
+	}
+	for index, r := range value {
+		switch {
+		case r >= 'a' && r <= 'z':
+		case r >= '0' && r <= '9' && (!requireLetterStart || index > 0):
+		case index > 0 && (r == '_' || r == '-' || r == '*' || r == '/'):
+		default:
+			return false
+		}
+	}
+	return true
+}
+
+func validTracestateValue(value string) bool {
+	if len(value) > 256 {
+		return false
+	}
+	if strings.HasPrefix(value, " ") || strings.HasSuffix(value, " ") {
+		return false
+	}
+	for _, r := range value {
+		if r < 0x20 || r > 0x7e || r == ',' || r == '=' {
+			return false
+		}
+	}
+	return true
+}
+
+func validLowerHex(value string, length int) bool {
+	if len(value) != length {
+		return false
+	}
+	for _, r := range value {
+		if (r < '0' || r > '9') && (r < 'a' || r > 'f') {
+			return false
+		}
+	}
+	return true
+}
+
 // Traceparent encodes traceContext as a W3C traceparent header.
 func Traceparent(traceContext TraceContext) string {
 	if !traceContext.TraceID.Valid() || !traceContext.SpanID.Valid() {
@@ -255,12 +397,12 @@ type Carrier interface {
 	Set(string, string)
 }
 
-// Extract reads a W3C traceparent header from carrier into ctx.
+// Extract reads W3C traceparent/tracestate headers from carrier into ctx.
 func Extract(ctx context.Context, carrier Carrier) context.Context {
 	if carrier == nil {
 		return ctx
 	}
-	traceContext, err := ParseTraceparent(carrier.Get("traceparent"))
+	traceContext, err := ParseTraceContext(carrier.Get("traceparent"), carrier.Get("tracestate"))
 	if err != nil {
 		return ctx
 	}
@@ -279,4 +421,7 @@ func Inject(ctx context.Context, carrier Carrier) {
 	if value := Traceparent(traceContext); value != "" {
 		carrier.Set("traceparent", value)
 	}
+	if traceState, err := parseTracestate(traceContext.TraceState); err == nil && traceState != "" {
+		carrier.Set("tracestate", traceState)
+	}
 }