Fix access to a nullable field in HistoryEntry (#1193)

* Fix access to a nullable field in HistoryEntry

.gcloudignore

@@ -1,4 +1,5 @@
 python/
+node_modules/
 **/build/
 **/out/
 .*/

.gitignore

@@ -4,6 +4,7 @@
 ######################################################################
 # Java Ignores
 
+gjf.out
 *.class
 
 # Mobile Tools for Java (J2ME)

build.gradle

@@ -24,7 +24,7 @@ buildscript {
   }
 
   dependencies {
-    classpath 'com.google.cloud.tools:appengine-gradle-plugin:2.0.1'
+    classpath 'com.google.cloud.tools:appengine-gradle-plugin:2.4.1'
     classpath 'net.ltgt.gradle:gradle-errorprone-plugin:0.6.1'
     classpath 'org.sonatype.aether:aether-api:1.13.1'
     classpath 'org.sonatype.aether:aether-impl:1.13.1'
@@ -318,7 +318,7 @@ subprojects {
   // expose to users.
   if (project.name != 'docs') {
     javadocSource << project.sourceSets.main.allJava
-    javadocClasspath << project.sourceSets.main.compileClasspath
+    javadocClasspath << project.sourceSets.main.runtimeClasspath
     javadocClasspath << "${buildDir}/generated/sources/annotationProcessor/java/main"
     javadocDependentTasks << project.tasks.compileJava
   }
@@ -457,6 +457,8 @@ task javaIncrementalFormatApply {
 task javadoc(type: Javadoc) {
   source javadocSource
   classpath = files(javadocClasspath)
+  // Exclude the misbehaving generated-by-Soy Java files
+  exclude "**/*SoyInfo.java"
   destinationDir = file("${buildDir}/docs/javadoc")
   options.encoding = "UTF-8"
   // In a lot of places we don't write @return so suppress warnings about that.

buildSrc/build.gradle

@@ -72,6 +72,7 @@ dependencies {
   compile deps['com.google.auth:google-auth-library-credentials']
   compile deps['com.google.auth:google-auth-library-oauth2-http']
   compile deps['com.google.auto.value:auto-value-annotations']
+  compile deps['com.google.common.html.types:types']
   compile deps['com.google.cloud:google-cloud-core']
   compile deps['com.google.cloud:google-cloud-storage']
   compile deps['com.google.guava:guava']

buildSrc/gradle/dependency-locks/compile.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.ibm.icu:icu4j:57.1
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
@@ -47,7 +48,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.httpcomponents:httpclient:4.5.13
@@ -55,9 +55,9 @@ org.apache.httpcomponents:httpcore:4.4.14
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:3.5.0
 org.json:json:20160212
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.threeten:threetenbp:1.5.0

buildSrc/gradle/dependency-locks/compileClasspath.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.ibm.icu:icu4j:57.1
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
@@ -47,7 +48,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.httpcomponents:httpclient:4.5.13
@@ -55,9 +55,9 @@ org.apache.httpcomponents:httpcore:4.4.14
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:3.5.0
 org.json:json:20160212
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.threeten:threetenbp:1.5.0

buildSrc/gradle/dependency-locks/deploy_jar.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.ibm.icu:icu4j:57.1
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
@@ -47,7 +48,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.httpcomponents:httpclient:4.5.13
@@ -55,9 +55,9 @@ org.apache.httpcomponents:httpcore:4.4.14
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:3.5.0
 org.json:json:20160212
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.threeten:threetenbp:1.5.0

buildSrc/gradle/dependency-locks/runtime.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.ibm.icu:icu4j:57.1
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
@@ -47,7 +48,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.httpcomponents:httpclient:4.5.13
@@ -55,9 +55,9 @@ org.apache.httpcomponents:httpcore:4.4.14
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:3.5.0
 org.json:json:20160212
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.threeten:threetenbp:1.5.0

buildSrc/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.ibm.icu:icu4j:57.1
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
@@ -47,7 +48,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 org.apache.commons:commons-lang3:3.8.1
 org.apache.commons:commons-text:1.6
 org.apache.httpcomponents:httpclient:4.5.13
@@ -55,9 +55,9 @@ org.apache.httpcomponents:httpcore:4.4.14
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:3.5.0
 org.json:json:20160212
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0
 org.threeten:threetenbp:1.5.0

buildSrc/gradle/dependency-locks/testCompile.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.google.truth.extensions:truth-java8-extension:1.1.2
 com.google.truth:truth:1.1.2
 com.ibm.icu:icu4j:57.1
@@ -49,7 +50,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 junit:junit:4.13.1
 net.bytebuddy:byte-buddy-agent:1.10.19
 net.bytebuddy:byte-buddy:1.10.19
@@ -70,9 +70,9 @@ org.junit:junit-bom:5.6.2
 org.mockito:mockito-core:3.7.7
 org.objenesis:objenesis:3.1
 org.opentest4j:opentest4j:1.2.0
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
 org.ow2.asm:asm:9.0
 org.threeten:threetenbp:1.5.0

buildSrc/gradle/dependency-locks/testCompileClasspath.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.google.truth.extensions:truth-java8-extension:1.1.2
 com.google.truth:truth:1.1.2
 com.ibm.icu:icu4j:57.1
@@ -49,7 +50,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 junit:junit:4.13.1
 net.bytebuddy:byte-buddy-agent:1.10.19
 net.bytebuddy:byte-buddy:1.10.19
@@ -70,9 +70,9 @@ org.junit:junit-bom:5.6.2
 org.mockito:mockito-core:3.7.7
 org.objenesis:objenesis:3.1
 org.opentest4j:opentest4j:1.2.0
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
 org.ow2.asm:asm:9.0
 org.threeten:threetenbp:1.5.0

buildSrc/gradle/dependency-locks/testRuntime.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.google.truth.extensions:truth-java8-extension:1.1.2
 com.google.truth:truth:1.1.2
 com.ibm.icu:icu4j:57.1
@@ -49,7 +50,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 junit:junit:4.13.1
 net.bytebuddy:byte-buddy-agent:1.10.19
 net.bytebuddy:byte-buddy:1.10.19
@@ -70,9 +70,9 @@ org.junit:junit-bom:5.6.2
 org.mockito:mockito-core:3.7.7
 org.objenesis:objenesis:3.1
 org.opentest4j:opentest4j:1.2.0
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
 org.ow2.asm:asm:9.0
 org.threeten:threetenbp:1.5.0

buildSrc/gradle/dependency-locks/testRuntimeClasspath.lockfile

@@ -20,12 +20,12 @@ com.google.cloud:google-cloud-core:1.94.3
 com.google.cloud:google-cloud-storage:1.113.12
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.http-client:google-http-client-apache-v2:1.39.0
 com.google.http-client:google-http-client-appengine:1.39.0
 com.google.http-client:google-http-client-gson:1.39.0
@@ -34,10 +34,11 @@ com.google.http-client:google-http-client:1.39.0
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:4.1.0
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.3
 com.google.protobuf:protobuf-java:3.15.3
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.google.truth.extensions:truth-java8-extension:1.1.2
 com.google.truth:truth:1.1.2
 com.ibm.icu:icu4j:57.1
@@ -49,7 +50,6 @@ io.opencensus:opencensus-contrib-http-util:0.28.0
 javax.annotation:javax.annotation-api:1.3.2
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 junit:junit:4.13.1
 net.bytebuddy:byte-buddy-agent:1.10.19
 net.bytebuddy:byte-buddy:1.10.19
@@ -70,9 +70,9 @@ org.junit:junit-bom:5.6.2
 org.mockito:mockito-core:3.7.7
 org.objenesis:objenesis:3.1
 org.opentest4j:opentest4j:1.2.0
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
 org.ow2.asm:asm:9.0
 org.threeten:threetenbp:1.5.0

buildSrc/src/main/java/google/registry/gradle/plugin/CoverPageGenerator.java

@@ -23,6 +23,7 @@ import static google.registry.gradle.plugin.GcsPluginUtils.toByteArraySupplier;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSetMultimap;
+import com.google.common.html.types.TrustedResourceUrls;
 import com.google.template.soy.SoyFileSet;
 import com.google.template.soy.tofu.SoyTofu;
 import google.registry.gradle.plugin.ProjectData.TaskData;
@@ -118,7 +119,7 @@ final class CoverPageGenerator {
 
     builder.put("projectState", state.toString());
     builder.put("title", title);
-    builder.put("cssFiles", ImmutableSet.of("css/style.css"));
+    builder.put("cssFiles", ImmutableSet.of(TrustedResourceUrls.fromConstant("css/style.css")));
     builder.put("invocation", getInvocation());
     builder.put("tasksByState", getTasksByStateSoyData());
     return builder.build();

buildSrc/src/main/java/google/registry/gradle/plugin/ProjectData.java

@@ -91,7 +91,7 @@ abstract class ProjectData {
       /** The task was actually run and has finished successfully. */
       SUCCESS,
       /** The task was up-to-date and successful, and hence didn't need to run again. */
-      UP_TO_DATE;
+      UP_TO_DATE
     }
 
     abstract String uniqueName();

buildSrc/src/main/resources/google/registry/gradle/plugin/soy/coverpage.soy

@@ -16,7 +16,7 @@
 
 {template .coverPage}
   {@param title: string}
-  {@param cssFiles: list<string>}
+  {@param cssFiles: list<trusted_resource_uri>}
   {@param projectState: string}
   {@param invocation: string}
   {@param tasksByState: map<string, list<[uniqueName: string, description: string, log: string, reports: map<string, string>]>>}

common/src/testing/java/google/registry/testing/FakeClock.java

@@ -22,6 +22,7 @@ import google.registry.util.Clock;
 import java.util.concurrent.atomic.AtomicLong;
 import javax.annotation.concurrent.ThreadSafe;
 import org.joda.time.DateTime;
+import org.joda.time.Duration;
 import org.joda.time.ReadableDuration;
 import org.joda.time.ReadableInstant;
 
@@ -35,6 +36,8 @@ public final class FakeClock implements Clock {
   // threads should see a consistent flow.
   private final AtomicLong currentTimeMillis = new AtomicLong();
 
+  private volatile long autoIncrementStepMs;
+
   /** Creates a FakeClock that starts at START_OF_TIME. */
   public FakeClock() {
     this(START_OF_TIME);
@@ -48,7 +51,21 @@ public final class FakeClock implements Clock {
   /** Returns the current time. */
   @Override
   public DateTime nowUtc() {
-    return new DateTime(currentTimeMillis.get(), UTC);
+    return new DateTime(currentTimeMillis.addAndGet(autoIncrementStepMs), UTC);
+  }
+
+  /**
+   * Sets the increment applied to the clock whenever it is queried. The increment is zero by
+   * default: the clock is left unchanged when queried.
+   *
+   * <p>Passing a duration of zero to this method effectively unsets the auto increment mode.
+   *
+   * @param autoIncrementStep the new auto increment duration
+   * @return this
+   */
+  public FakeClock setAutoIncrementStep(ReadableDuration autoIncrementStep) {
+    this.autoIncrementStepMs = autoIncrementStep.getMillis();
+    return this;
   }
 
   /** Advances clock by one millisecond. */
@@ -65,4 +82,14 @@ public final class FakeClock implements Clock {
   public void setTo(ReadableInstant time) {
     currentTimeMillis.set(time.getMillis());
   }
+
+  /** Invokes {@link #setAutoIncrementStep} with one millisecond-step. */
+  public FakeClock setAutoIncrementByOneMilli() {
+    return setAutoIncrementStep(Duration.millis(1));
+  }
+
+  /** Disables the auto-increment mode. */
+  public FakeClock disableAutoIncrement() {
+    return setAutoIncrementStep(Duration.ZERO);
+  }
 }

config/nom_build.py

@@ -256,6 +256,7 @@ GRADLE_FLAGS = [
                'Specify a task to be excluded from execution.',
                True),
 ]
+
 def generate_gradle_properties() -> str:
     """Returns the expected contents of gradle.properties."""
     out = io.StringIO()
@@ -270,7 +271,7 @@ def generate_gradle_properties() -> str:
 def get_root() -> str:
     """Returns the root of the nomulus build tree."""
     cur_dir = os.getcwd()
-    if not os.path.exists(os.path.join(cur_dir, '.git')) or \
+    if not os.path.exists(os.path.join(cur_dir, 'buildSrc')) or \
        not os.path.exists(os.path.join(cur_dir, 'core')) or \
        not os.path.exists(os.path.join(cur_dir, 'gradle.properties')):
         raise Exception('You must run this script from the root directory')

config/presubmits.py

@@ -81,7 +81,7 @@ PRESUBMITS = {
             ".git", "/build/", "/generated/", "/generated_tests/",
             "node_modules/", "JUnitBackports.java", "registrar_bin.",
             "registrar_dbg.", "google-java-format-diff.py",
-            "nomulus.golden.sql", "soyutils_usegoog.js"
+            "nomulus.golden.sql", "soyutils_usegoog.js", "javascript/checks.js"
         }, REQUIRED):
         "File did not include the license header.",
 
@@ -213,6 +213,7 @@ PRESUBMITS = {
          "RdapDomainSearchAction.java",
          "RdapNameserverSearchAction.java",
          "RdapSearchActionBase.java",
+         "RegistryQuery",
          },
     ):
         "The first String parameter to EntityManager.create(Native)Query "

core/build.gradle

@@ -317,6 +317,7 @@ dependencies {
   testCompile deps['com.google.monitoring-client:contrib']
   testCompile deps['com.google.truth:truth']
   testCompile deps['com.google.truth.extensions:truth-java8-extension']
+  testCompile deps['org.checkerframework:checker-qual']
   testCompile deps['org.hamcrest:hamcrest']
   testCompile deps['org.hamcrest:hamcrest-core']
   testCompile deps['org.hamcrest:hamcrest-library']
@@ -423,7 +424,7 @@ task jaxbToJava {
       }
     }
     execInBash(
-        'find . -name *.java -exec sed -i /\\*\\ \\<p\\>\\$/d {} +',
+        "find . -name *.java -exec sed -i -e '/" + /\* <p>$/ + "/d' {} +",
         generatedDir)
   }
 }
@@ -432,12 +433,9 @@ task soyToJava {
   // Relative paths of soy directories.
   def spec11SoyDir = "google/registry/reporting/spec11/soy"
   def toolsSoyDir = "google/registry/tools/soy"
-  def uiSoyDir = "google/registry/ui/soy"
   def registrarSoyDir = "google/registry/ui/soy/registrar"
 
-  def soyRelativeDirs = [
-          spec11SoyDir, toolsSoyDir, uiSoyDir, registrarSoyDir,
-  ]
+  def soyRelativeDirs = [spec11SoyDir, toolsSoyDir, registrarSoyDir]
   soyRelativeDirs.each {
     inputs.dir "${resourcesSourceDir}/${it}"
     outputs.dir "${generatedDir}/${it}"
@@ -451,7 +449,8 @@ task soyToJava {
               "--outputDirectory", "${outputDirectory}",
               "--javaClassNameSource", "filename",
               "--allowExternalCalls", "true",
-              "--srcs", "${soyFiles.join(',')}"
+              "--srcs", "${soyFiles.join(',')}",
+              "--compileTimeGlobalsFile", "${resourcesSourceDir}/google/registry/ui/globals.txt"
     }
   }
 
@@ -468,14 +467,6 @@ task soyToJava {
                     dir: "${resourcesSourceDir}/${registrarSoyDir}",
                     include: ['**/*.soy']))
 
-    soyToJava('google.registry.ui.soy',
-            "${generatedDir}/${uiSoyDir}",
-            files {
-              file("${resourcesSourceDir}/${uiSoyDir}").listFiles()
-            }.filter {
-              it.name.endsWith(".soy")
-            })
-
     soyToJava('google.registry.reporting.spec11.soy',
             "${generatedDir}/${spec11SoyDir}",
             fileTree(
@@ -484,42 +475,24 @@ task soyToJava {
   }
 }
 
-task soyToJS {
-  def rootSoyDirectory = "${resourcesSourceDir}/google/registry/ui/soy"
-  def outputSoyDirectory = "${generatedDir}/google/registry/ui/soy"
+task soyToJS(type: JavaExec) {
+  def rootSoyDirectory = "${resourcesSourceDir}/google/registry/ui/soy/registrar"
+  def outputSoyDirectory = "${generatedDir}/google/registry/ui/soy/registrar"
   inputs.dir rootSoyDirectory
   outputs.dir outputSoyDirectory
 
-  ext.soyToJS = { outputDirectory, soyFiles , deps->
-    javaexec {
-      main = "com.google.template.soy.SoyToJsSrcCompiler"
-      classpath configurations.soy
+  def inputSoyFiles = files {
+    file("${rootSoyDirectory}").listFiles()
+  }.filter {
+    it.name.endsWith(".soy")
+  }
 
-      args "--outputPathFormat", "${outputDirectory}/{INPUT_FILE_NAME}.js",
+  classpath configurations.soy
+  main = "com.google.template.soy.SoyToJsSrcCompiler"
+  args "--outputPathFormat", "${outputSoyDirectory}/{INPUT_FILE_NAME}.js",
           "--allowExternalCalls", "false",
-          "--srcs", "${soyFiles.join(',')}",
-          "--shouldProvideRequireSoyNamespaces", "true",
+          "--srcs", "${inputSoyFiles.join(',')}",
           "--compileTimeGlobalsFile", "${resourcesSourceDir}/google/registry/ui/globals.txt"
-      if (deps != "") {
-        args "--deps", "${deps.join(',')}"
-      }
-    }
-  }
-
-  doLast {
-    def rootSoyFiles =
-      fileTree(
-        dir: "${rootSoyDirectory}",
-        include: ['*.soy'])
-
-    soyToJS("${outputSoyDirectory}", rootSoyFiles, "")
-    soyToJS("${outputSoyDirectory}/registrar",
-      files {
-        file("${rootSoyDirectory}/registrar").listFiles()
-      }.filter {
-        it.name.endsWith(".soy")
-      }, rootSoyFiles)
-  }
 }
 
 task stylesheetsToJavascript {
@@ -602,8 +575,8 @@ task compileProdJS(type: JavaExec) {
   closureArgs << "--generate_exports"
 
   // manually include all the required js files
-  closureArgs << "--js=${nodeModulesDir}/google-closure-library/**.js"
-  closureArgs << "--js=${jsDir}/soyutils_usegoog.js"
+  closureArgs << "--js=${nodeModulesDir}/google-closure-library/**/*.js"
+  closureArgs << "--js=${jsDir}/*.js"
   closureArgs << "--js=${cssSourceDir}/registrar_bin.css.js"
   closureArgs << "--js=${jsSourceDir}/**.js"
   closureArgs << "--js=${externsDir}/json.js"
@@ -630,15 +603,6 @@ compileProdJS.dependsOn processResources
 compileProdJS.dependsOn processTestResources
 compileProdJS.dependsOn soyToJS
 
-task karmaTest(type: Exec) {
-  dependsOn ':npmInstall'
-  workingDir rootProject.projectDir
-  executable 'node_modules/karma/bin/karma'
-  args('start', "${project.projectDir}/karma.conf.js")
-}
-
-test.dependsOn karmaTest
-
 // Make testing artifacts available to be depended up on by other projects.
 // TODO: factor out google.registry.testing to be a separate project.
 task testJar(type: Jar) {
@@ -805,6 +769,14 @@ if (environment in ['alpha', 'crash']) {
           mainClass: 'google.registry.beam.datastore.BulkDeleteDatastorePipeline',
           metaData: 'google/registry/beam/bulk_delete_datastore_pipeline_metadata.json'
       ],
+      [
+          mainClass: 'google.registry.beam.spec11.Spec11Pipeline',
+          metaData: 'google/registry/beam/spec11_pipeline_metadata.json'
+      ],
+      [
+          mainClass: 'google.registry.beam.invoicing.InvoicingPipeline',
+          metaData: 'google/registry/beam/invoicing_pipeline_metadata.json'
+      ],
   ]
   project.tasks.create("stage_beam_pipelines") {
     doLast {

core/gradle/dependency-locks/closureCompiler.lockfile

@@ -1,15 +1,4 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-args4j:args4j:2.0.26
-com.google.code.findbugs:jsr305:3.0.2
-com.google.code.gson:gson:2.7
-com.google.errorprone:error_prone_annotations:2.3.1
-com.google.guava:guava:25.1-jre
-com.google.j2objc:j2objc-annotations:1.1
-com.google.javascript:closure-compiler-externs:v20190301
-com.google.javascript:closure-compiler:v20190301
-com.google.jsinterop:jsinterop-annotations:1.0.0
-com.google.protobuf:protobuf-java:3.0.2
-org.checkerframework:checker-qual:2.0.0
-org.codehaus.mojo:animal-sniffer-annotations:1.14
+com.google.javascript:closure-compiler:v20210505

core/gradle/dependency-locks/compile.lockfile

@@ -105,9 +105,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -135,7 +136,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -253,10 +254,10 @@ org.postgresql:postgresql:42.2.18
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/compileClasspath.lockfile

@@ -104,9 +104,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
 com.google.guava:failureaccess:1.0.1
@@ -133,7 +134,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.14.0
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -246,10 +247,10 @@ org.postgresql:postgresql:42.2.18
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/default.lockfile

@@ -110,9 +110,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -140,7 +141,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -267,10 +268,10 @@ org.slf4j:jcl-over-slf4j:1.7.30
 org.slf4j:jul-to-slf4j:1.7.30
 org.slf4j:slf4j-api:1.7.30
 org.slf4j:slf4j-jdk14:1.7.28
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/deploy_jar.lockfile

@@ -110,9 +110,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -140,7 +141,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -266,10 +267,10 @@ org.slf4j:jcl-over-slf4j:1.7.30
 org.slf4j:jul-to-slf4j:1.7.30
 org.slf4j:slf4j-api:1.7.30
 org.slf4j:slf4j-jdk14:1.7.28
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/nonprodCompile.lockfile

@@ -105,9 +105,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -135,7 +136,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -253,10 +254,10 @@ org.postgresql:postgresql:42.2.18
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/nonprodCompileClasspath.lockfile

@@ -104,9 +104,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
 com.google.guava:failureaccess:1.0.1
@@ -133,7 +134,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.14.0
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -247,10 +248,10 @@ org.postgresql:postgresql:42.2.18
 org.rnorth.duct-tape:duct-tape:1.0.8
 org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/nonprodRuntime.lockfile

@@ -109,9 +109,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -139,7 +140,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -265,10 +266,10 @@ org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.slf4j:jcl-over-slf4j:1.7.30
 org.slf4j:jul-to-slf4j:1.7.30
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/nonprodRuntimeClasspath.lockfile

@@ -109,9 +109,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -139,7 +140,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -265,10 +266,10 @@ org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.slf4j:jcl-over-slf4j:1.7.30
 org.slf4j:jul-to-slf4j:1.7.30
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/runtime.lockfile

@@ -109,9 +109,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -139,7 +140,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -265,10 +266,10 @@ org.rnorth.visible-assertions:visible-assertions:2.1.2
 org.slf4j:jcl-over-slf4j:1.7.30
 org.slf4j:jul-to-slf4j:1.7.30
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -110,9 +110,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -140,7 +141,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.googlecode.charts4j:charts4j:1.3
 com.googlecode.json-simple:json-simple:1.1.1
 com.ibm.icu:icu4j:68.2
@@ -266,10 +267,10 @@ org.slf4j:jcl-over-slf4j:1.7.30
 org.slf4j:jul-to-slf4j:1.7.30
 org.slf4j:slf4j-api:1.7.30
 org.slf4j:slf4j-jdk14:1.7.28
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/soy.lockfile

@@ -5,25 +5,25 @@ aopalliance:aopalliance:1.0
 args4j:args4j:2.0.23
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.7
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.errorprone:error_prone_annotations:2.3.4
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:30.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.gwt:gwt-user:2.8.0-beta1
 com.google.inject.extensions:guice-multibindings:4.1.0
 com.google.inject:guice:5.0.1
 com.google.j2objc:j2objc-annotations:1.3
+com.google.jsinterop:jsinterop-annotations:1.0.1
 com.google.protobuf:protobuf-java:3.13.0
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.ibm.icu:icu4j:57.1
 javax.annotation:jsr250-api:1.0
 javax.inject:javax.inject:1
-javax.validation:validation-api:1.0.0.GA
 org.checkerframework:checker-qual:3.5.0
 org.json:json:20160212
-org.ow2.asm:asm-analysis:6.0
-org.ow2.asm:asm-commons:6.0
-org.ow2.asm:asm-tree:6.0
-org.ow2.asm:asm-util:6.0
-org.ow2.asm:asm:6.0
+org.ow2.asm:asm-analysis:7.0
+org.ow2.asm:asm-commons:7.0
+org.ow2.asm:asm-tree:7.0
+org.ow2.asm:asm-util:7.0
+org.ow2.asm:asm:7.0

core/gradle/dependency-locks/testCompile.lockfile

@@ -106,9 +106,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -138,7 +139,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.google.truth.extensions:truth-java8-extension:1.1.2
 com.google.truth:truth:1.1.2
 com.googlecode.charts4j:charts4j:1.3
@@ -300,12 +301,12 @@ org.seleniumhq.selenium:selenium-remote-driver:3.141.59
 org.seleniumhq.selenium:selenium-safari-driver:3.141.59
 org.seleniumhq.selenium:selenium-support:3.141.59
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:junit-jupiter:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:selenium:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:junit-jupiter:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:selenium:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/testCompileClasspath.lockfile

@@ -105,9 +105,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
 com.google.guava:failureaccess:1.0.1
@@ -136,7 +137,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.14.0
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.google.truth.extensions:truth-java8-extension:1.1.2
 com.google.truth:truth:1.1.2
 com.googlecode.charts4j:charts4j:1.3
@@ -294,12 +295,12 @@ org.seleniumhq.selenium:selenium-remote-driver:3.141.59
 org.seleniumhq.selenium:selenium-safari-driver:3.141.59
 org.seleniumhq.selenium:selenium-support:3.141.59
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:junit-jupiter:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:selenium:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:junit-jupiter:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:selenium:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/testRuntime.lockfile

@@ -111,9 +111,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -143,7 +144,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.google.truth.extensions:truth-java8-extension:1.1.2
 com.google.truth:truth:1.1.2
 com.googlecode.charts4j:charts4j:1.3
@@ -313,12 +314,12 @@ org.seleniumhq.selenium:selenium-support:3.141.59
 org.slf4j:jcl-over-slf4j:1.7.30
 org.slf4j:jul-to-slf4j:1.7.30
 org.slf4j:slf4j-api:1.7.30
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:junit-jupiter:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:selenium:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:junit-jupiter:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:selenium:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/gradle/dependency-locks/testRuntimeClasspath.lockfile

@@ -111,9 +111,10 @@ com.google.cloud:google-cloud-secretmanager:1.4.0
 com.google.cloud:google-cloud-spanner:2.0.2
 com.google.code.findbugs:jsr305:3.0.2
 com.google.code.gson:gson:2.8.6
-com.google.common.html.types:types:1.0.4
+com.google.common.html.types:types:1.0.6
 com.google.dagger:dagger:2.33
 com.google.errorprone:error_prone_annotations:2.5.1
+com.google.escapevelocity:escapevelocity:0.9.1
 com.google.flogger:flogger-system-backend:0.5.1
 com.google.flogger:flogger:0.5.1
 com.google.flogger:google-extensions:0.5.1
@@ -143,7 +144,7 @@ com.google.oauth-client:google-oauth-client:1.31.4
 com.google.protobuf:protobuf-java-util:3.15.2
 com.google.protobuf:protobuf-java:3.15.2
 com.google.re2j:re2j:1.6
-com.google.template:soy:2018-03-14
+com.google.template:soy:2021-02-01
 com.google.truth.extensions:truth-java8-extension:1.1.2
 com.google.truth:truth:1.1.2
 com.googlecode.charts4j:charts4j:1.3
@@ -314,12 +315,12 @@ org.slf4j:jcl-over-slf4j:1.7.30
 org.slf4j:jul-to-slf4j:1.7.30
 org.slf4j:slf4j-api:1.7.30
 org.slf4j:slf4j-jdk14:1.7.28
-org.testcontainers:database-commons:1.15.1
-org.testcontainers:jdbc:1.15.1
-org.testcontainers:junit-jupiter:1.15.1
-org.testcontainers:postgresql:1.15.1
-org.testcontainers:selenium:1.15.1
-org.testcontainers:testcontainers:1.15.1
+org.testcontainers:database-commons:1.15.2
+org.testcontainers:jdbc:1.15.2
+org.testcontainers:junit-jupiter:1.15.2
+org.testcontainers:postgresql:1.15.2
+org.testcontainers:selenium:1.15.2
+org.testcontainers:testcontainers:1.15.2
 org.threeten:threetenbp:1.5.0
 org.tukaani:xz:1.5
 org.w3c.css:sac:1.3

core/karma.conf.js

@@ -1,75 +0,0 @@
-// Copyright 2019 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-process.env.CHROME_BIN = require('puppeteer').executablePath()
-
-module.exports = function(config) {
-  config.set({
-    basePath: '..',
-    browsers: ['ChromeHeadlessNoSandbox'],
-    customLaunchers: {
-      ChromeHeadlessNoSandbox: {
-        base: 'ChromeHeadless',
-        flags: ['--no-sandbox']
-      }
-    },
-    frameworks: ['jasmine', 'closure'],
-    singleRun: true,
-    autoWatch: false,
-    files: [
-      'node_modules/google-closure-library/closure/goog/base.js',
-      'core/src/test/javascript/**/*_test.js',
-      {
-        pattern: 'core/src/test/javascript/**/!(*_test).js',
-        included: false
-      },
-      {
-        pattern: 'core/src/main/javascript/**/*.js',
-        included: false
-      },
-      {
-        pattern: 'core/build/generated/sources/custom/java/main/**/*.soy.js',
-        included: false
-      },
-      {
-        pattern: 'node_modules/google-closure-library/closure/goog/deps.js',
-        included: false,
-        served: false
-      },
-      {
-        pattern: 'node_modules/google-closure-library/closure/goog/**/*.js',
-        included: false
-      },
-      {
-        pattern: 'core/build/resources/main/google/registry/ui/assets/images/*.png',
-        included: false
-      },
-      {
-        pattern: 'core/build/resources/main/google/registry/ui/assets/images/icons/svg/*.svg',
-        included: false
-      }
-    ],
-    preprocessors: {
-      'node_modules/google-closure-library/closure/goog/deps.js': ['closure', 'closure-deps'],
-      'node_modules/google-closure-library/closure/goog/base.js': ['closure'],
-      'node_modules/google-closure-library/closure/**/*.js': ['closure'],
-      'core/src/*/javascript/**/*.js': ['closure'],
-      'core/build/generated/sources/custom/java/main/**/*.soy.js': ['closure'],
-    },
-    proxies: {
-      "/assets/": "/base/core/build/resources/main/google/registry/ui/assets/"
-    }
-  });
-};
-

core/src/main/java/google/registry/backup/BackupUtils.java

@@ -14,7 +14,7 @@
 
 package google.registry.backup;
 
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 
 import com.google.appengine.api.datastore.EntityTranslator;
 import com.google.common.collect.AbstractIterator;
@@ -45,7 +45,7 @@ public class BackupUtils {
    * {@link OutputStream} in delimited protocol buffer format.
    */
   static void serializeEntity(ImmutableObject entity, OutputStream stream) throws IOException {
-    EntityTranslator.convertToPb(ofy().save().toEntity(entity)).writeDelimitedTo(stream);
+    EntityTranslator.convertToPb(auditedOfy().save().toEntity(entity)).writeDelimitedTo(stream);
   }
 
   /**
@@ -61,11 +61,12 @@ public class BackupUtils {
       @Override
       protected ImmutableObject computeNext() {
         EntityProto proto = new EntityProto();
-        if (proto.parseDelimitedFrom(input)) {  // False means end of stream; other errors throw.
-          return ofy().load().fromEntity(EntityTranslator.createFromPb(proto));
+        if (proto.parseDelimitedFrom(input)) { // False means end of stream; other errors throw.
+          return auditedOfy().load().fromEntity(EntityTranslator.createFromPb(proto));
         }
         return endOfData();
-      }};
+      }
+    };
   }
 
   public static ImmutableList<ImmutableObject> deserializeEntities(byte[] bytes) {

core/src/main/java/google/registry/backup/CommitLogCheckpointAction.java

@@ -18,7 +18,7 @@ import static com.google.appengine.api.taskqueue.QueueFactory.getQueue;
 import static com.google.appengine.api.taskqueue.TaskOptions.Builder.withUrl;
 import static google.registry.backup.ExportCommitLogDiffAction.LOWER_CHECKPOINT_TIME_PARAM;
 import static google.registry.backup.ExportCommitLogDiffAction.UPPER_CHECKPOINT_TIME_PARAM;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.isBeforeOrAt;
 
@@ -64,8 +64,7 @@ public final class CommitLogCheckpointAction implements Runnable {
     final CommitLogCheckpoint checkpoint = strategy.computeCheckpoint();
     logger.atInfo().log(
         "Generated candidate checkpoint for time: %s", checkpoint.getCheckpointTime());
-    tm()
-        .transact(
+    tm().transact(
             () -> {
               DateTime lastWrittenTime = CommitLogCheckpointRoot.loadRoot().getLastWrittenTime();
               if (isBeforeOrAt(checkpoint.getCheckpointTime(), lastWrittenTime)) {
@@ -73,7 +72,7 @@ public final class CommitLogCheckpointAction implements Runnable {
                     "Newer checkpoint already written at time: %s", lastWrittenTime);
                 return;
               }
-              ofy()
+              auditedOfy()
                   .saveWithoutBackup()
                   .entities(
                       checkpoint, CommitLogCheckpointRoot.create(checkpoint.getCheckpointTime()));

core/src/main/java/google/registry/backup/DeleteOldCommitLogsAction.java

@@ -17,7 +17,7 @@ package google.registry.backup;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 import static google.registry.mapreduce.MapreduceRunner.PARAM_DRY_RUN;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static java.lang.Boolean.FALSE;
 import static java.lang.Boolean.TRUE;
@@ -75,9 +75,17 @@ public final class DeleteOldCommitLogsAction implements Runnable {
   @Inject MapreduceRunner mrRunner;
   @Inject Response response;
   @Inject Clock clock;
-  @Inject @Config("commitLogDatastoreRetention") Duration maxAge;
-  @Inject @Parameter(PARAM_DRY_RUN) boolean isDryRun;
-  @Inject DeleteOldCommitLogsAction() {}
+
+  @Inject
+  @Config("commitLogDatastoreRetention")
+  Duration maxAge;
+
+  @Inject
+  @Parameter(PARAM_DRY_RUN)
+  boolean isDryRun;
+
+  @Inject
+  DeleteOldCommitLogsAction() {}
 
   @Override
   public void run() {
@@ -138,12 +146,12 @@ public final class DeleteOldCommitLogsAction implements Runnable {
       // If it isn't a Key<CommitLogManifest> then it should be an EppResource, which we need to
       // load to emit the revisions.
       //
-      Object object = ofy().load().key(key).now();
+      Object object = auditedOfy().load().key(key).now();
       checkNotNull(object, "Received a key to a missing object. key: %s", key);
       checkState(
           object instanceof EppResource,
           "Received a key to an object that isn't EppResource nor CommitLogManifest."
-          + " Key: %s object type: %s",
+              + " Key: %s object type: %s",
           key,
           object.getClass().getName());
 
@@ -224,8 +232,7 @@ public final class DeleteOldCommitLogsAction implements Runnable {
    * OK to delete this manifestKey. If even one source returns "false" (meaning "it's not OK to
    * delete this manifest") then it won't be deleted.
    */
-  static class DeleteOldCommitLogsReducer
-      extends Reducer<Key<CommitLogManifest>, Boolean, Void> {
+  static class DeleteOldCommitLogsReducer extends Reducer<Key<CommitLogManifest>, Boolean, Void> {
 
     private static final long serialVersionUID = -4918760187627937268L;
 
@@ -241,12 +248,12 @@ public final class DeleteOldCommitLogsAction implements Runnable {
       }
 
       public abstract Status status();
+
       public abstract int numDeleted();
 
       static DeletionResult create(Status status, int numDeleted) {
-        return
-            new AutoValue_DeleteOldCommitLogsAction_DeleteOldCommitLogsReducer_DeletionResult(
-                status, numDeleted);
+        return new AutoValue_DeleteOldCommitLogsAction_DeleteOldCommitLogsReducer_DeletionResult(
+            status, numDeleted);
       }
     }
 
@@ -257,8 +264,7 @@ public final class DeleteOldCommitLogsAction implements Runnable {
 
     @Override
     public void reduce(
-        final Key<CommitLogManifest> manifestKey,
-        ReducerInput<Boolean> canDeleteVerdicts) {
+        final Key<CommitLogManifest> manifestKey, ReducerInput<Boolean> canDeleteVerdicts) {
       ImmutableMultiset<Boolean> canDeleteMultiset = ImmutableMultiset.copyOf(canDeleteVerdicts);
       if (canDeleteMultiset.count(TRUE) > 1) {
         getContext().incrementCounter("commit log manifests incorrectly mapped multiple times");
@@ -267,47 +273,54 @@ public final class DeleteOldCommitLogsAction implements Runnable {
         getContext().incrementCounter("commit log manifests referenced multiple times");
       }
       if (canDeleteMultiset.contains(FALSE)) {
-        getContext().incrementCounter(
-            canDeleteMultiset.contains(TRUE)
-            ? "old commit log manifests still referenced"
-            : "new (or nonexistent) commit log manifests referenced");
-        getContext().incrementCounter(
-            "EPP resource revisions handled",
-            canDeleteMultiset.count(FALSE));
+        getContext()
+            .incrementCounter(
+                canDeleteMultiset.contains(TRUE)
+                    ? "old commit log manifests still referenced"
+                    : "new (or nonexistent) commit log manifests referenced");
+        getContext()
+            .incrementCounter("EPP resource revisions handled", canDeleteMultiset.count(FALSE));
         return;
       }
 
-      DeletionResult deletionResult = tm().transactNew(() -> {
-        CommitLogManifest manifest = ofy().load().key(manifestKey).now();
-        // It is possible that the same manifestKey was run twice, if a shard had to be restarted
-        // or some weird failure. If this happens, we want to exit immediately.
-        // Note that this can never happen in dryRun.
-        if (manifest == null) {
-          return DeletionResult.create(DeletionResult.Status.ALREADY_DELETED, 0);
-        }
-        // Doing a sanity check on the date. This is the only place we use the CommitLogManifest,
-        // so maybe removing this test will improve performance. However, unless it's proven that
-        // the performance boost is significant (and we've tested this enough to be sure it never
-        // happens)- the safty of "let's not delete stuff we need from prod" is more important.
-        if (manifest.getCommitTime().isAfter(deletionThreshold)) {
-          return DeletionResult.create(DeletionResult.Status.AFTER_THRESHOLD, 0);
-        }
-        Iterable<Key<CommitLogMutation>> commitLogMutationKeys = ofy().load()
-            .type(CommitLogMutation.class)
-            .ancestor(manifestKey)
-            .keys()
-            .iterable();
-        ImmutableList<Key<?>> keysToDelete = ImmutableList.<Key<?>>builder()
-            .addAll(commitLogMutationKeys)
-            .add(manifestKey)
-            .build();
-        // Normally in a dry run we would log the entities that would be deleted, but those can
-        // number in the millions so we skip the logging.
-        if (!isDryRun) {
-          ofy().deleteWithoutBackup().keys(keysToDelete);
-        }
-        return DeletionResult.create(DeletionResult.Status.SUCCESS, keysToDelete.size());
-      });
+      DeletionResult deletionResult =
+          tm().transactNew(
+                  () -> {
+                    CommitLogManifest manifest = auditedOfy().load().key(manifestKey).now();
+                    // It is possible that the same manifestKey was run twice, if a shard had to be
+                    // restarted or some weird failure. If this happens, we want to exit
+                    // immediately. Note that this can never happen in dryRun.
+                    if (manifest == null) {
+                      return DeletionResult.create(DeletionResult.Status.ALREADY_DELETED, 0);
+                    }
+                    // Doing a sanity check on the date. This is the only place we use the
+                    // CommitLogManifest, so maybe removing this test will improve performance.
+                    // However, unless it's proven that the performance boost is significant (and
+                    // we've tested this enough to be sure it never happens)- the safety of "let's
+                    // not delete stuff we need from prod" is more important.
+                    if (manifest.getCommitTime().isAfter(deletionThreshold)) {
+                      return DeletionResult.create(DeletionResult.Status.AFTER_THRESHOLD, 0);
+                    }
+                    Iterable<Key<CommitLogMutation>> commitLogMutationKeys =
+                        auditedOfy()
+                            .load()
+                            .type(CommitLogMutation.class)
+                            .ancestor(manifestKey)
+                            .keys()
+                            .iterable();
+                    ImmutableList<Key<?>> keysToDelete =
+                        ImmutableList.<Key<?>>builder()
+                            .addAll(commitLogMutationKeys)
+                            .add(manifestKey)
+                            .build();
+                    // Normally in a dry run we would log the entities that would be deleted, but
+                    // those can number in the millions so we skip the logging.
+                    if (!isDryRun) {
+                      auditedOfy().deleteWithoutBackup().keys(keysToDelete);
+                    }
+                    return DeletionResult.create(
+                        DeletionResult.Status.SUCCESS, keysToDelete.size());
+                  });
 
       switch (deletionResult.status()) {
         case SUCCESS:

core/src/main/java/google/registry/backup/ExportCommitLogDiffAction.java

@@ -25,7 +25,7 @@ import static google.registry.backup.BackupUtils.GcsMetadataKeys.NUM_TRANSACTION
 import static google.registry.backup.BackupUtils.GcsMetadataKeys.UPPER_BOUND_CHECKPOINT;
 import static google.registry.backup.BackupUtils.serializeEntity;
 import static google.registry.model.ofy.CommitLogBucket.getBucketKey;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static google.registry.util.DateTimeUtils.isAtOrAfter;
 import static java.nio.channels.Channels.newOutputStream;
@@ -89,11 +89,14 @@ public final class ExportCommitLogDiffAction implements Runnable {
     checkArgument(lowerCheckpointTime.isBefore(upperCheckpointTime));
     // Load the boundary checkpoints - lower is exclusive and may not exist (on the first export,
     // when lowerCheckpointTime is START_OF_TIME), whereas the upper is inclusive and must exist.
-    CommitLogCheckpoint lowerCheckpoint = lowerCheckpointTime.isAfter(START_OF_TIME)
-        ? verifyNotNull(ofy().load().key(CommitLogCheckpoint.createKey(lowerCheckpointTime)).now())
-        : null;
+    CommitLogCheckpoint lowerCheckpoint =
+        lowerCheckpointTime.isAfter(START_OF_TIME)
+            ? verifyNotNull(
+                auditedOfy().load().key(CommitLogCheckpoint.createKey(lowerCheckpointTime)).now())
+            : null;
     CommitLogCheckpoint upperCheckpoint =
-        verifyNotNull(ofy().load().key(CommitLogCheckpoint.createKey(upperCheckpointTime)).now());
+        verifyNotNull(
+            auditedOfy().load().key(CommitLogCheckpoint.createKey(upperCheckpointTime)).now());
 
     // Load the keys of all the manifests to include in this diff.
     List<Key<CommitLogManifest>> sortedKeys = loadAllDiffKeys(lowerCheckpoint, upperCheckpoint);
@@ -117,7 +120,7 @@ public final class ExportCommitLogDiffAction implements Runnable {
       // asynchronously load the entities for the next one.
       List<List<Key<CommitLogManifest>>> keyChunks = partition(sortedKeys, batchSize);
       // Objectify's map return type is asynchronous. Calling .values() will block until it loads.
-      Map<?, CommitLogManifest> nextChunkToExport = ofy().load().keys(keyChunks.get(0));
+      Map<?, CommitLogManifest> nextChunkToExport = auditedOfy().load().keys(keyChunks.get(0));
       for (int i = 0; i < keyChunks.size(); i++) {
         // Force the async load to finish.
         Collection<CommitLogManifest> chunkValues = nextChunkToExport.values();
@@ -125,10 +128,10 @@ public final class ExportCommitLogDiffAction implements Runnable {
         // Since there is no hard bound on how much data this might be, take care not to let the
         // Objectify session cache fill up and potentially run out of memory. This is the only safe
         // point to do this since at this point there is no async load in progress.
-        ofy().clearSessionCache();
+        auditedOfy().clearSessionCache();
         // Kick off the next async load, which can happen in parallel to the current GCS export.
         if (i + 1 < keyChunks.size()) {
-          nextChunkToExport = ofy().load().keys(keyChunks.get(i + 1));
+          nextChunkToExport = auditedOfy().load().keys(keyChunks.get(i + 1));
         }
         exportChunk(gcsStream, chunkValues);
         logger.atInfo().log("Exported %d manifests", chunkValues.size());
@@ -192,7 +195,8 @@ public final class ExportCommitLogDiffAction implements Runnable {
       return ImmutableSet.of();
     }
     Key<CommitLogBucket> bucketKey = getBucketKey(bucketNum);
-    return ofy().load()
+    return auditedOfy()
+        .load()
         .type(CommitLogManifest.class)
         .ancestor(bucketKey)
         .filterKey(">=", CommitLogManifest.createKey(bucketKey, lowerBound))
@@ -208,7 +212,7 @@ public final class ExportCommitLogDiffAction implements Runnable {
         new ImmutableList.Builder<>();
     for (CommitLogManifest manifest : chunk) {
       entities.add(ImmutableList.of(manifest));
-      entities.add(ofy().load().type(CommitLogMutation.class).ancestor(manifest));
+      entities.add(auditedOfy().load().type(CommitLogMutation.class).ancestor(manifest));
     }
     for (ImmutableObject entity : concat(entities.build())) {
       serializeEntity(entity, gcsStream);

core/src/main/java/google/registry/backup/ReplayCommitLogsToSqlAction.java

@@ -16,7 +16,7 @@ package google.registry.backup;
 
 import static google.registry.backup.ExportCommitLogDiffAction.DIFF_FILE_PREFIX;
 import static google.registry.model.ofy.EntityWritePriorities.getEntityPriority;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
 import static org.joda.time.Duration.standardHours;
@@ -27,7 +27,9 @@ import com.google.appengine.tools.cloudstorage.GcsFileMetadata;
 import com.google.appengine.tools.cloudstorage.GcsService;
 import com.google.common.collect.ImmutableList;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryConfig;
+import google.registry.model.common.DatabaseMigrationStateSchedule;
+import google.registry.model.common.DatabaseMigrationStateSchedule.MigrationState;
+import google.registry.model.common.DatabaseMigrationStateSchedule.ReplayDirection;
 import google.registry.model.server.Lock;
 import google.registry.model.translators.VKeyTranslatorFactory;
 import google.registry.persistence.VKey;
@@ -39,6 +41,7 @@ import google.registry.schema.replay.DatastoreOnlyEntity;
 import google.registry.schema.replay.NonReplicatedEntity;
 import google.registry.schema.replay.ReplaySpecializer;
 import google.registry.schema.replay.SqlReplayCheckpoint;
+import google.registry.util.Clock;
 import google.registry.util.RequestStatusChecker;
 import java.io.IOException;
 import java.io.InputStream;
@@ -69,15 +72,19 @@ public class ReplayCommitLogsToSqlAction implements Runnable {
   @Inject Response response;
   @Inject RequestStatusChecker requestStatusChecker;
   @Inject GcsDiffFileLister diffLister;
+  @Inject Clock clock;
 
   @Inject
   ReplayCommitLogsToSqlAction() {}
 
   @Override
   public void run() {
-    if (!RegistryConfig.getCloudSqlReplayCommitLogs()) {
-      String message = "ReplayCommitLogsToSqlAction was called but disabled in the config.";
-      logger.atWarning().log(message);
+    MigrationState state = DatabaseMigrationStateSchedule.getValueAtTime(clock.nowUtc());
+    if (!state.getReplayDirection().equals(ReplayDirection.DATASTORE_TO_SQL)) {
+      String message =
+          String.format(
+              "Skipping ReplayCommitLogsToSqlAction because we are in migration phase %s.", state);
+      logger.atInfo().log(message);
       // App Engine will retry on any non-2xx status code, which we don't want in this case.
       response.setStatus(SC_NO_CONTENT);
       response.setPayload(message);
@@ -151,10 +158,16 @@ public class ReplayCommitLogsToSqlAction implements Runnable {
   }
 
   private void handleEntityPut(Entity entity) {
-    Object ofyPojo = ofy().toPojo(entity);
+    Object ofyPojo = auditedOfy().toPojo(entity);
     if (ofyPojo instanceof DatastoreEntity) {
       DatastoreEntity datastoreEntity = (DatastoreEntity) ofyPojo;
-      datastoreEntity.toSqlEntity().ifPresent(jpaTm()::put);
+      datastoreEntity
+          .toSqlEntity()
+          .ifPresent(
+              sqlEntity -> {
+                ReplaySpecializer.beforeSqlSave(sqlEntity);
+                jpaTm().put(sqlEntity);
+              });
     } else {
       // this should never happen, but we shouldn't fail on it
       logger.atSevere().log(

core/src/main/java/google/registry/backup/RestoreCommitLogsAction.java

@@ -18,7 +18,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.Iterators.peekingIterator;
 import static google.registry.backup.BackupUtils.createDeserializingIterator;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 
 import com.google.appengine.api.datastore.DatastoreService;
 import com.google.appengine.api.datastore.Entity;
@@ -146,10 +146,10 @@ public class RestoreCommitLogsAction implements Runnable {
   private CommitLogManifest restoreOneTransaction(PeekingIterator<ImmutableObject> commitLogs) {
     final CommitLogManifest manifest = (CommitLogManifest) commitLogs.next();
     Result<?> deleteResult = deleteAsync(manifest.getDeletions());
-    List<Entity> entitiesToSave = Lists.newArrayList(ofy().save().toEntity(manifest));
+    List<Entity> entitiesToSave = Lists.newArrayList(auditedOfy().save().toEntity(manifest));
     while (commitLogs.hasNext() && commitLogs.peek() instanceof CommitLogMutation) {
       CommitLogMutation mutation = (CommitLogMutation) commitLogs.next();
-      entitiesToSave.add(ofy().save().toEntity(mutation));
+      entitiesToSave.add(auditedOfy().save().toEntity(mutation));
       entitiesToSave.add(EntityTranslator.createFromPbBytes(mutation.getEntityProtoBytes()));
     }
     saveRaw(entitiesToSave);
@@ -176,7 +176,8 @@ public class RestoreCommitLogsAction implements Runnable {
       return;
     }
     retrier.callWithRetry(
-        () -> ofy().saveWithoutBackup().entities(objectsToSave).now(), RuntimeException.class);
+        () -> auditedOfy().saveWithoutBackup().entities(objectsToSave).now(),
+        RuntimeException.class);
   }
 
   private Result<?> deleteAsync(Set<Key<?>> keysToDelete) {
@@ -185,7 +186,7 @@ public class RestoreCommitLogsAction implements Runnable {
     }
     return dryRun || keysToDelete.isEmpty()
         ? new ResultNow<Void>(null)
-        : ofy().deleteWithoutBackup().keys(keysToDelete);
+        : auditedOfy().deleteWithoutBackup().keys(keysToDelete);
   }
 
 }

core/src/main/java/google/registry/backup/VersionedEntity.java

@@ -47,7 +47,7 @@ import javax.annotation.Nullable;
  *
  * <ul>
  *   <li>Convert an Objectify entity to a Datastore {@link Entity}: {@code
- *       ofy().save().toEntity(..)}
+ *       auditedOfy().save().toEntity(..)}
  *   <li>Entity is serializable, but the more efficient approach is to convert an Entity to a
  *       ProtocolBuffer ({@link com.google.storage.onestore.v3.OnestoreEntity.EntityProto}) and then
  *       to raw bytes.

core/src/main/java/google/registry/batch/AsyncTaskEnqueuer.java

@@ -57,8 +57,6 @@ public final class AsyncTaskEnqueuer {
   public static final String QUEUE_ASYNC_DELETE = "async-delete-pull";
   public static final String QUEUE_ASYNC_HOST_RENAME = "async-host-rename-pull";
 
-  public static final String PATH_RESAVE_ENTITY = "/_dr/task/resaveEntity";
-
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
   private static final Duration MAX_ASYNC_ETA = Duration.standardDays(30);
 
@@ -112,7 +110,7 @@ public final class AsyncTaskEnqueuer {
     logger.atInfo().log("Enqueuing async re-save of %s to run at %s.", entityKey, whenToResave);
     String backendHostname = appEngineServiceUtils.getServiceHostname("backend");
     TaskOptions task =
-        TaskOptions.Builder.withUrl(PATH_RESAVE_ENTITY)
+        TaskOptions.Builder.withUrl(ResaveEntityAction.PATH)
             .method(Method.POST)
             .header("Host", backendHostname)
             .countdownMillis(etaDuration.getMillis())

core/src/main/java/google/registry/batch/DeleteContactsAndHostsAction.java

@@ -34,7 +34,7 @@ import static google.registry.model.ResourceTransferUtils.denyPendingTransfer;
 import static google.registry.model.ResourceTransferUtils.handlePendingTransferOnDelete;
 import static google.registry.model.ResourceTransferUtils.updateForeignKeyIndexDeletionTime;
 import static google.registry.model.eppcommon.StatusValue.PENDING_DELETE;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.model.reporting.HistoryEntry.Type.CONTACT_DELETE;
 import static google.registry.model.reporting.HistoryEntry.Type.CONTACT_DELETE_FAILURE;
 import static google.registry.model.reporting.HistoryEntry.Type.HOST_DELETE;
@@ -109,6 +109,7 @@ import org.joda.time.Duration;
  * A mapreduce that processes batch asynchronous deletions of contact and host resources by mapping
  * over all domains and checking for any references to the contacts/hosts in pending deletion.
  */
+@Deprecated
 @Action(
     service = Action.Service.BACKEND,
     path = "/_dr/task/deleteContactsAndHosts",
@@ -335,7 +336,7 @@ public class DeleteContactsAndHostsAction implements Runnable {
         DeletionRequest deletionRequest, boolean hasNoActiveReferences) {
       DateTime now = tm().getTransactionTime();
       EppResource resource =
-          ofy().load().key(deletionRequest.key()).now().cloneProjectedAtTime(now);
+          auditedOfy().load().key(deletionRequest.key()).now().cloneProjectedAtTime(now);
       // Double-check transactionally that the resource is still active and in PENDING_DELETE.
       if (!doesResourceStateAllowDeletion(resource, now)) {
         return DeletionResult.create(Type.ERRORED, "");
@@ -369,11 +370,10 @@ public class DeleteContactsAndHostsAction implements Runnable {
                       : "it was transferred prior to deletion");
 
       HistoryEntry historyEntry =
-          new HistoryEntry.Builder()
+          HistoryEntry.createBuilderForResource(resource)
               .setClientId(deletionRequest.requestingClientId())
               .setModificationTime(now)
               .setType(getHistoryEntryType(resource, deleteAllowed))
-              .setParent(deletionRequest.key())
               .build();
 
       PollMessage.OneTime pollMessage =
@@ -408,7 +408,9 @@ public class DeleteContactsAndHostsAction implements Runnable {
       } else {
         resourceToSave = resource.asBuilder().removeStatusValue(PENDING_DELETE).build();
       }
-      ofy().save().<ImmutableObject>entities(resourceToSave, historyEntry, pollMessage);
+      auditedOfy()
+          .save()
+          .<ImmutableObject>entities(resourceToSave, historyEntry.asHistoryEntry(), pollMessage);
       return DeletionResult.create(
           deleteAllowed ? Type.DELETED : Type.NOT_DELETED, pollMessageText);
     }
@@ -525,7 +527,8 @@ public class DeleteContactsAndHostsAction implements Runnable {
           Key.create(
               checkNotNull(params.get(PARAM_RESOURCE_KEY), "Resource to delete not specified"));
       EppResource resource =
-          checkNotNull(ofy().load().key(resourceKey).now(), "Resource to delete doesn't exist");
+          checkNotNull(
+              auditedOfy().load().key(resourceKey).now(), "Resource to delete doesn't exist");
       checkState(
           resource instanceof ContactResource || resource instanceof HostResource,
           "Cannot delete a %s via this action",

core/src/main/java/google/registry/batch/DeleteExpiredDomainsAction.java

@@ -17,8 +17,8 @@ package google.registry.batch;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
 import static google.registry.flows.FlowUtils.marshalWithLenientRetry;
-import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.persistence.transaction.TransactionManagerUtil.transactIfJpaTm;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import static google.registry.util.ResourceUtils.readResourceUtf8;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -36,6 +36,7 @@ import google.registry.flows.StatelessRequestSessionMetadata;
 import google.registry.model.domain.DomainBase;
 import google.registry.model.eppcommon.ProtocolDefinition;
 import google.registry.model.eppoutput.EppOutput;
+import google.registry.persistence.transaction.QueryComposer.Comparator;
 import google.registry.request.Action;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
@@ -128,12 +129,15 @@ public class DeleteExpiredDomainsAction implements Runnable {
     logger.atInfo().log(
         "Deleting non-renewing domains with autorenew end times up through %s.", runTime);
 
-    // Note: This query is (and must be) non-transactional, and thus, is only eventually consistent.
+    // Note: in Datastore, this query is (and must be) non-transactional, and thus, is only
+    // eventually consistent.
     ImmutableList<DomainBase> domainsToDelete =
-        ofy().load().type(DomainBase.class).filter("autorenewEndTime <=", runTime).list().stream()
-            // Datastore can't do two inequalities in one query, so the second happens in-memory.
-            .filter(d -> d.getDeletionTime().isEqual(END_OF_TIME))
-            .collect(toImmutableList());
+        transactIfJpaTm(
+            () ->
+                tm().createQueryComposer(DomainBase.class)
+                    .where("autorenewEndTime", Comparator.LTE, runTime)
+                    .where("deletionTime", Comparator.EQ, END_OF_TIME)
+                    .list());
     if (domainsToDelete.isEmpty()) {
       logger.atInfo().log("Found 0 domains to delete.");
       response.setPayload("Found 0 domains to delete.");

core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java

@@ -18,7 +18,7 @@ import static com.google.common.base.Preconditions.checkState;
 import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.mapreduce.MapreduceRunner.PARAM_DRY_RUN;
 import static google.registry.mapreduce.inputs.EppResourceInputs.createEntityInput;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 
@@ -125,12 +125,11 @@ public class DeleteLoadTestDataAction implements Runnable {
           Key.create(EppResourceIndex.create(Key.create(resource)));
       final Key<? extends ForeignKeyIndex<?>> fki = ForeignKeyIndex.createKey(resource);
       int numEntitiesDeleted =
-          tm()
-              .transact(
+          tm().transact(
                   () -> {
                     // This ancestor query selects all descendant entities.
                     List<Key<Object>> resourceAndDependentKeys =
-                        ofy().load().ancestor(resource).keys().list();
+                        auditedOfy().load().ancestor(resource).keys().list();
                     ImmutableSet<Key<?>> allKeys =
                         new ImmutableSet.Builder<Key<?>>()
                             .add(fki)
@@ -140,7 +139,7 @@ public class DeleteLoadTestDataAction implements Runnable {
                     if (isDryRun) {
                       logger.atInfo().log("Would hard-delete the following entities: %s", allKeys);
                     } else {
-                      ofy().deleteWithoutBackup().keys(allKeys);
+                      auditedOfy().deleteWithoutBackup().keys(allKeys);
                     }
                     return allKeys.size();
                   });

core/src/main/java/google/registry/batch/DeleteProberDataAction.java

@@ -20,7 +20,7 @@ import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.mapreduce.MapreduceRunner.PARAM_DRY_RUN;
 import static google.registry.model.ResourceTransferUtils.updateForeignKeyIndexDeletionTime;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.model.registry.Registries.getTldsOfType;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_DELETE;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
@@ -44,11 +44,11 @@ import google.registry.mapreduce.MapreduceRunner;
 import google.registry.mapreduce.inputs.EppResourceInputs;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.DomainBase;
+import google.registry.model.domain.DomainHistory;
 import google.registry.model.index.EppResourceIndex;
 import google.registry.model.index.ForeignKeyIndex;
 import google.registry.model.registry.Registry;
 import google.registry.model.registry.Registry.TldType;
-import google.registry.model.reporting.HistoryEntry;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
@@ -166,7 +166,7 @@ public class DeleteProberDataAction implements Runnable {
     }
 
     private void deleteDomain(final Key<DomainBase> domainKey) {
-      final DomainBase domain = ofy().load().key(domainKey).now();
+      final DomainBase domain = auditedOfy().load().key(domainKey).now();
 
       DateTime now = DateTime.now(UTC);
 
@@ -220,14 +220,13 @@ public class DeleteProberDataAction implements Runnable {
       final Key<? extends ForeignKeyIndex<?>> fki = ForeignKeyIndex.createKey(domain);
 
       int entitiesDeleted =
-          tm()
-              .transact(
+          tm().transact(
                   () -> {
                     // This ancestor query selects all descendant HistoryEntries, BillingEvents,
                     // PollMessages,
                     // and TLD-specific entities, as well as the domain itself.
                     List<Key<Object>> domainAndDependentKeys =
-                        ofy().load().ancestor(domainKey).keys().list();
+                        auditedOfy().load().ancestor(domainKey).keys().list();
                     ImmutableSet<Key<?>> allKeys =
                         new ImmutableSet.Builder<Key<?>>()
                             .add(fki)
@@ -237,7 +236,7 @@ public class DeleteProberDataAction implements Runnable {
                     if (isDryRun) {
                       logger.atInfo().log("Would hard-delete the following entities: %s", allKeys);
                     } else {
-                      ofy().deleteWithoutBackup().keys(allKeys);
+                      auditedOfy().deleteWithoutBackup().keys(allKeys);
                     }
                     return allKeys.size();
                   });
@@ -254,9 +253,9 @@ public class DeleteProberDataAction implements Runnable {
                         .setDeletionTime(tm().getTransactionTime())
                         .setStatusValues(null)
                         .build();
-                HistoryEntry historyEntry =
-                    new HistoryEntry.Builder()
-                        .setParent(domain)
+                DomainHistory historyEntry =
+                    new DomainHistory.Builder()
+                        .setDomain(domain)
                         .setType(DOMAIN_DELETE)
                         .setModificationTime(tm().getTransactionTime())
                         .setBySuperuser(true)
@@ -264,11 +263,9 @@ public class DeleteProberDataAction implements Runnable {
                         .setClientId(registryAdminClientId)
                         .build();
                 // Note that we don't bother handling grace periods, billing events, pending
-                // transfers,
-                // poll messages, or auto-renews because these will all be hard-deleted the next
-                // time the
-                // mapreduce runs anyway.
-                ofy().save().entities(deletedDomain, historyEntry);
+                // transfers, poll messages, or auto-renews because these will all be hard-deleted
+                // the next time the mapreduce runs anyway.
+                tm().putAll(deletedDomain, historyEntry);
                 updateForeignKeyIndexDeletionTime(deletedDomain);
                 dnsQueue.addDomainRefreshTask(deletedDomain.getDomainName());
               });

core/src/main/java/google/registry/batch/ExpandRecurringBillingEventsAction.java

@@ -21,9 +21,12 @@ import static google.registry.mapreduce.MapreduceRunner.PARAM_DRY_RUN;
 import static google.registry.mapreduce.inputs.EppResourceInputs.createChildEntityInput;
 import static google.registry.model.common.Cursor.CursorType.RECURRING_BILLING;
 import static google.registry.model.domain.Period.Unit.YEARS;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_AUTORENEW;
+import static google.registry.persistence.transaction.QueryComposer.Comparator.EQ;
+import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.persistence.transaction.TransactionManagerUtil.transactIfJpaTm;
 import static google.registry.pricing.PricingEngineProxy.getDomainRenewCost;
 import static google.registry.util.CollectionUtils.union;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
@@ -38,10 +41,8 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Range;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
-import com.googlecode.objectify.Key;
 import google.registry.mapreduce.MapreduceRunner;
 import google.registry.mapreduce.inputs.NullInput;
-import google.registry.model.EppResource;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingEvent.Flag;
@@ -49,11 +50,12 @@ import google.registry.model.billing.BillingEvent.OneTime;
 import google.registry.model.billing.BillingEvent.Recurring;
 import google.registry.model.common.Cursor;
 import google.registry.model.domain.DomainBase;
+import google.registry.model.domain.DomainHistory;
 import google.registry.model.domain.Period;
 import google.registry.model.registry.Registry;
 import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
-import google.registry.model.reporting.HistoryEntry;
+import google.registry.persistence.VKey;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
@@ -91,30 +93,87 @@ public class ExpandRecurringBillingEventsAction implements Runnable {
 
   @Override
   public void run() {
-    Cursor cursor = ofy().load().key(Cursor.createGlobalKey(RECURRING_BILLING)).now();
     DateTime executeTime = clock.nowUtc();
-    DateTime persistedCursorTime = (cursor == null ? START_OF_TIME : cursor.getCursorTime());
+    DateTime persistedCursorTime =
+        transactIfJpaTm(
+            () ->
+                tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
+                    .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
+                    .getCursorTime());
     DateTime cursorTime = cursorTimeParam.orElse(persistedCursorTime);
     checkArgument(
-        cursorTime.isBefore(executeTime),
-        "Cursor time must be earlier than execution time.");
+        cursorTime.isBefore(executeTime), "Cursor time must be earlier than execution time.");
     logger.atInfo().log(
         "Running Recurring billing event expansion for billing time range [%s, %s).",
         cursorTime, executeTime);
-    mrRunner
-        .setJobName("Expand Recurring billing events into synthetic OneTime events.")
-        .setModuleName("backend")
-        .runMapreduce(
-            new ExpandRecurringBillingEventsMapper(isDryRun, cursorTime, clock.nowUtc()),
-            new ExpandRecurringBillingEventsReducer(isDryRun, persistedCursorTime),
-            // Add an extra shard that maps over a null recurring event (see the mapper for why).
-            ImmutableList.of(
-                new NullInput<>(),
-                createChildEntityInput(
-                    ImmutableSet.of(DomainBase.class), ImmutableSet.of(Recurring.class))))
-        .sendLinkToMapreduceConsole(response);
-  }
+    if (tm().isOfy()) {
+      mrRunner
+          .setJobName("Expand Recurring billing events into synthetic OneTime events.")
+          .setModuleName("backend")
+          .runMapreduce(
+              new ExpandRecurringBillingEventsMapper(isDryRun, cursorTime, clock.nowUtc()),
+              new ExpandRecurringBillingEventsReducer(isDryRun, persistedCursorTime),
+              // Add an extra shard that maps over a null recurring event (see the mapper for why).
+              ImmutableList.of(
+                  new NullInput<>(),
+                  createChildEntityInput(
+                      ImmutableSet.of(DomainBase.class), ImmutableSet.of(Recurring.class))))
+          .sendLinkToMapreduceConsole(response);
+    } else {
+      int numBillingEventsSaved =
+          jpaTm()
+              .transact(
+                  () ->
+                      jpaTm()
+                          .query(
+                              "FROM BillingRecurrence "
+                                  + "WHERE event_time <= :executeTime "
+                                  + "AND event_time < recurrence_end_time",
+                              Recurring.class)
+                          .setParameter("executeTime", executeTime.toDate())
+                          // Need to get a list from the transaction and then convert it to a stream
+                          // for further processing. If we get a stream directly, each elements gets
+                          // processed downstream eagerly but Hibernate returns a
+                          // ScrollableResultsIterator that cannot be advanced outside the
+                          // transaction, resulting in an exception.
+                          .getResultList())
+              .stream()
+              .map(
+                  recurring ->
+                      jpaTm()
+                          .transact(
+                              () ->
+                                  expandBillingEvent(recurring, executeTime, cursorTime, isDryRun)))
+              .reduce(0, Integer::sum);
 
+      if (!isDryRun) {
+        logger.atInfo().log("Saved OneTime billing events", numBillingEventsSaved);
+      } else {
+        logger.atInfo().log("Generated OneTime billing events (dry run)", numBillingEventsSaved);
+      }
+      logger.atInfo().log(
+          "Recurring event expansion %s complete for billing event range [%s, %s).",
+          isDryRun ? "(dry run) " : "", cursorTime, executeTime);
+      tm().transact(
+              () -> {
+                // Check for the unlikely scenario where the cursor has been altered during the
+                // expansion.
+                DateTime currentCursorTime =
+                    tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
+                        .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
+                        .getCursorTime();
+                if (!currentCursorTime.equals(persistedCursorTime)) {
+                  throw new IllegalStateException(
+                      String.format(
+                          "Current cursor position %s does not match persisted cursor position %s.",
+                          currentCursorTime, persistedCursorTime));
+                }
+                if (!isDryRun) {
+                  tm().put(Cursor.createGlobal(RECURRING_BILLING, executeTime));
+                }
+              });
+    }
+  }
   /** Mapper to expand {@link Recurring} billing events into synthetic {@link OneTime} events. */
   public static class ExpandRecurringBillingEventsMapper
       extends Mapper<Recurring, DateTime, DateTime> {
@@ -153,98 +212,7 @@ public class ExpandRecurringBillingEventsAction implements Runnable {
       try {
         numBillingEventsSaved =
             tm().transactNew(
-                    () -> {
-                      ImmutableSet.Builder<OneTime> syntheticOneTimesBuilder =
-                          new ImmutableSet.Builder<>();
-                      final Registry tld =
-                          Registry.get(getTldFromDomainName(recurring.getTargetId()));
-
-                      // Determine the complete set of times at which this recurring event should
-                      // occur (up to and including the runtime of the mapreduce).
-                      Iterable<DateTime> eventTimes =
-                          recurring
-                              .getRecurrenceTimeOfYear()
-                              .getInstancesInRange(
-                                  Range.closed(
-                                      recurring.getEventTime(),
-                                      earliestOf(recurring.getRecurrenceEndTime(), executeTime)));
-
-                      // Convert these event times to billing times
-                      final ImmutableSet<DateTime> billingTimes =
-                          getBillingTimesInScope(eventTimes, cursorTime, executeTime, tld);
-
-                      Key<? extends EppResource> domainKey = recurring.getParentKey().getParent();
-                      Iterable<OneTime> oneTimesForDomain =
-                          ofy().load().type(OneTime.class).ancestor(domainKey);
-
-                      // Determine the billing times that already have OneTime events persisted.
-                      ImmutableSet<DateTime> existingBillingTimes =
-                          getExistingBillingTimes(oneTimesForDomain, recurring);
-
-                      ImmutableSet.Builder<HistoryEntry> historyEntriesBuilder =
-                          new ImmutableSet.Builder<>();
-                      // Create synthetic OneTime events for all billing times that do not yet have
-                      // an event persisted.
-                      for (DateTime billingTime : difference(billingTimes, existingBillingTimes)) {
-                        // Construct a new HistoryEntry that parents over the OneTime
-                        HistoryEntry historyEntry =
-                            new HistoryEntry.Builder()
-                                .setBySuperuser(false)
-                                .setClientId(recurring.getClientId())
-                                .setModificationTime(tm().getTransactionTime())
-                                .setParent(domainKey)
-                                .setPeriod(Period.create(1, YEARS))
-                                .setReason(
-                                    "Domain autorenewal by ExpandRecurringBillingEventsAction")
-                                .setRequestedByRegistrar(false)
-                                .setType(DOMAIN_AUTORENEW)
-                                // Don't write a domain transaction record if the recurrence was
-                                // ended prior to the billing time (i.e. a domain was deleted
-                                // during the autorenew grace period).
-                                .setDomainTransactionRecords(
-                                    recurring.getRecurrenceEndTime().isBefore(billingTime)
-                                        ? ImmutableSet.of()
-                                        : ImmutableSet.of(
-                                            DomainTransactionRecord.create(
-                                                tld.getTldStr(),
-                                                // We report this when the autorenew grace period
-                                                // ends
-                                                billingTime,
-                                                TransactionReportField.netRenewsFieldFromYears(1),
-                                                1)))
-                                .build();
-                        historyEntriesBuilder.add(historyEntry);
-
-                        DateTime eventTime = billingTime.minus(tld.getAutoRenewGracePeriodLength());
-                        // Determine the cost for a one-year renewal.
-                        Money renewCost = getDomainRenewCost(recurring.getTargetId(), eventTime, 1);
-                        syntheticOneTimesBuilder.add(
-                            new OneTime.Builder()
-                                .setBillingTime(billingTime)
-                                .setClientId(recurring.getClientId())
-                                .setCost(renewCost)
-                                .setEventTime(eventTime)
-                                .setFlags(union(recurring.getFlags(), Flag.SYNTHETIC))
-                                .setParent(historyEntry)
-                                .setPeriodYears(1)
-                                .setReason(recurring.getReason())
-                                .setSyntheticCreationTime(executeTime)
-                                .setCancellationMatchingBillingEvent(recurring.createVKey())
-                                .setTargetId(recurring.getTargetId())
-                                .build());
-                      }
-                      Set<HistoryEntry> historyEntries = historyEntriesBuilder.build();
-                      Set<OneTime> syntheticOneTimes = syntheticOneTimesBuilder.build();
-                      if (!isDryRun) {
-                        ImmutableSet<ImmutableObject> entitiesToSave =
-                            new ImmutableSet.Builder<ImmutableObject>()
-                                .addAll(historyEntries)
-                                .addAll(syntheticOneTimes)
-                                .build();
-                        ofy().save().entities(entitiesToSave).now();
-                      }
-                      return syntheticOneTimes.size();
-                    });
+                    () -> expandBillingEvent(recurring, executeTime, cursorTime, isDryRun));
       } catch (Throwable t) {
         getContext().incrementCounter("error: " + t.getClass().getSimpleName());
         getContext().incrementCounter(ERROR_COUNTER);
@@ -256,45 +224,12 @@ public class ExpandRecurringBillingEventsAction implements Runnable {
       if (!isDryRun) {
         getContext().incrementCounter("Saved OneTime billing events", numBillingEventsSaved);
       } else {
-        getContext().incrementCounter(
-            "Generated OneTime billing events (dry run)", numBillingEventsSaved);
+        getContext()
+            .incrementCounter("Generated OneTime billing events (dry run)", numBillingEventsSaved);
       }
     }
-
-    /**
-     * Filters a set of {@link DateTime}s down to event times that are in scope for a particular
-     * mapreduce run, given the cursor time and the mapreduce execution time.
-     */
-    private ImmutableSet<DateTime> getBillingTimesInScope(
-        Iterable<DateTime> eventTimes,
-        DateTime cursorTime,
-        DateTime executeTime,
-        final Registry tld) {
-      return Streams.stream(eventTimes)
-          .map(eventTime -> eventTime.plus(tld.getAutoRenewGracePeriodLength()))
-          .filter(Range.closedOpen(cursorTime, executeTime))
-          .collect(toImmutableSet());
-    }
-
-    /**
-     * Determines an {@link ImmutableSet} of {@link DateTime}s that have already been persisted
-     * for a given recurring billing event.
-     */
-    private ImmutableSet<DateTime> getExistingBillingTimes(
-        Iterable<BillingEvent.OneTime> oneTimesForDomain,
-        final BillingEvent.Recurring recurringEvent) {
-      return Streams.stream(oneTimesForDomain)
-          .filter(
-              billingEvent ->
-                  recurringEvent
-                      .createVKey()
-                      .equals(billingEvent.getCancellationMatchingBillingEvent()))
-          .map(OneTime::getBillingTime)
-          .collect(toImmutableSet());
-    }
   }
 
-
   /**
    * "Reducer" to advance the cursor after all map jobs have been completed. The NullInput into the
    * mapper will cause the mapper to emit one timestamp pair (current cursor and execution time),
@@ -327,7 +262,8 @@ public class ExpandRecurringBillingEventsAction implements Runnable {
           isDryRun ? "(dry run) " : "", cursorTime, executionTime);
       tm().transact(
               () -> {
-                Cursor cursor = ofy().load().key(Cursor.createGlobalKey(RECURRING_BILLING)).now();
+                Cursor cursor =
+                    auditedOfy().load().key(Cursor.createGlobalKey(RECURRING_BILLING)).now();
                 DateTime currentCursorTime =
                     (cursor == null ? START_OF_TIME : cursor.getCursorTime());
                 if (!currentCursorTime.equals(expectedPersistedCursorTime)) {
@@ -342,4 +278,135 @@ public class ExpandRecurringBillingEventsAction implements Runnable {
               });
     }
   }
+
+  private static int expandBillingEvent(
+      Recurring recurring, DateTime executeTime, DateTime cursorTime, boolean isDryRun) {
+    ImmutableSet.Builder<OneTime> syntheticOneTimesBuilder = new ImmutableSet.Builder<>();
+    final Registry tld = Registry.get(getTldFromDomainName(recurring.getTargetId()));
+
+    // Determine the complete set of times at which this recurring event should
+    // occur (up to and including the runtime of the mapreduce).
+    Iterable<DateTime> eventTimes =
+        recurring
+            .getRecurrenceTimeOfYear()
+            .getInstancesInRange(
+                Range.closed(
+                    recurring.getEventTime(),
+                    earliestOf(recurring.getRecurrenceEndTime(), executeTime)));
+
+    // Convert these event times to billing times
+    final ImmutableSet<DateTime> billingTimes =
+        getBillingTimesInScope(eventTimes, cursorTime, executeTime, tld);
+
+    VKey<DomainBase> domainKey =
+        VKey.create(
+            DomainBase.class, recurring.getDomainRepoId(), recurring.getParentKey().getParent());
+    Iterable<OneTime> oneTimesForDomain;
+    if (tm().isOfy()) {
+      oneTimesForDomain = auditedOfy().load().type(OneTime.class).ancestor(domainKey.getOfyKey());
+    } else {
+      oneTimesForDomain =
+          tm().createQueryComposer(OneTime.class)
+              .where("domainRepoId", EQ, recurring.getDomainRepoId())
+              .list();
+    }
+
+    // Determine the billing times that already have OneTime events persisted.
+    ImmutableSet<DateTime> existingBillingTimes =
+        getExistingBillingTimes(oneTimesForDomain, recurring);
+
+    ImmutableSet.Builder<DomainHistory> historyEntriesBuilder = new ImmutableSet.Builder<>();
+    // Create synthetic OneTime events for all billing times that do not yet have
+    // an event persisted.
+    for (DateTime billingTime : difference(billingTimes, existingBillingTimes)) {
+      // Construct a new HistoryEntry that parents over the OneTime
+      DomainHistory historyEntry =
+          new DomainHistory.Builder()
+              .setBySuperuser(false)
+              .setClientId(recurring.getClientId())
+              .setModificationTime(tm().getTransactionTime())
+              .setDomain(tm().loadByKey(domainKey))
+              .setPeriod(Period.create(1, YEARS))
+              .setReason("Domain autorenewal by ExpandRecurringBillingEventsAction")
+              .setRequestedByRegistrar(false)
+              .setType(DOMAIN_AUTORENEW)
+              // Don't write a domain transaction record if the recurrence was
+              // ended prior to the billing time (i.e. a domain was deleted
+              // during the autorenew grace period).
+              .setDomainTransactionRecords(
+                  recurring.getRecurrenceEndTime().isBefore(billingTime)
+                      ? ImmutableSet.of()
+                      : ImmutableSet.of(
+                          DomainTransactionRecord.create(
+                              tld.getTldStr(),
+                              // We report this when the autorenew grace period
+                              // ends
+                              billingTime,
+                              TransactionReportField.netRenewsFieldFromYears(1),
+                              1)))
+              .build();
+      historyEntriesBuilder.add(historyEntry);
+
+      DateTime eventTime = billingTime.minus(tld.getAutoRenewGracePeriodLength());
+      // Determine the cost for a one-year renewal.
+      Money renewCost = getDomainRenewCost(recurring.getTargetId(), eventTime, 1);
+      syntheticOneTimesBuilder.add(
+          new OneTime.Builder()
+              .setBillingTime(billingTime)
+              .setClientId(recurring.getClientId())
+              .setCost(renewCost)
+              .setEventTime(eventTime)
+              .setFlags(union(recurring.getFlags(), Flag.SYNTHETIC))
+              .setParent(historyEntry)
+              .setPeriodYears(1)
+              .setReason(recurring.getReason())
+              .setSyntheticCreationTime(executeTime)
+              .setCancellationMatchingBillingEvent(recurring.createVKey())
+              .setTargetId(recurring.getTargetId())
+              .build());
+    }
+    Set<DomainHistory> historyEntries = historyEntriesBuilder.build();
+    Set<OneTime> syntheticOneTimes = syntheticOneTimesBuilder.build();
+    if (!isDryRun) {
+      ImmutableSet<ImmutableObject> entitiesToSave =
+          new ImmutableSet.Builder<ImmutableObject>()
+              .addAll(historyEntries)
+              .addAll(syntheticOneTimes)
+              .build();
+      tm().putAll(entitiesToSave);
+    }
+    return syntheticOneTimes.size();
+  }
+
+  /**
+   * Filters a set of {@link DateTime}s down to event times that are in scope for a particular
+   * mapreduce run, given the cursor time and the mapreduce execution time.
+   */
+  protected static ImmutableSet<DateTime> getBillingTimesInScope(
+      Iterable<DateTime> eventTimes,
+      DateTime cursorTime,
+      DateTime executeTime,
+      final Registry tld) {
+    return Streams.stream(eventTimes)
+        .map(eventTime -> eventTime.plus(tld.getAutoRenewGracePeriodLength()))
+        .filter(Range.closedOpen(cursorTime, executeTime))
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Determines an {@link ImmutableSet} of {@link DateTime}s that have already been persisted for a
+   * given recurring billing event.
+   */
+  private static ImmutableSet<DateTime> getExistingBillingTimes(
+      Iterable<BillingEvent.OneTime> oneTimesForDomain,
+      final BillingEvent.Recurring recurringEvent) {
+    return Streams.stream(oneTimesForDomain)
+        .filter(
+            billingEvent ->
+                recurringEvent
+                    .createVKey()
+                    .equals(billingEvent.getCancellationMatchingBillingEvent()))
+        .map(OneTime::getBillingTime)
+        .collect(toImmutableSet());
+  }
 }

core/src/main/java/google/registry/batch/RefreshDnsOnHostRenameAction.java

@@ -25,7 +25,7 @@ import static google.registry.batch.AsyncTaskMetrics.OperationType.DNS_REFRESH;
 import static google.registry.mapreduce.inputs.EppResourceInputs.createEntityInput;
 import static google.registry.model.EppResourceUtils.isActive;
 import static google.registry.model.EppResourceUtils.isDeleted;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.latestOf;
 import static java.util.concurrent.TimeUnit.DAYS;
 import static java.util.concurrent.TimeUnit.SECONDS;
@@ -44,7 +44,6 @@ import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
-import com.googlecode.objectify.Key;
 import google.registry.batch.AsyncTaskMetrics.OperationResult;
 import google.registry.dns.DnsQueue;
 import google.registry.mapreduce.MapreduceRunner;
@@ -64,6 +63,7 @@ import google.registry.util.SystemClock;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.NoSuchElementException;
 import java.util.Optional;
 import java.util.logging.Level;
 import javax.annotation.Nullable;
@@ -123,7 +123,7 @@ public class RefreshDnsOnHostRenameAction implements Runnable {
     }
 
     ImmutableList.Builder<DnsRefreshRequest> requestsBuilder = new ImmutableList.Builder<>();
-    ImmutableList.Builder<Key<HostResource>> hostKeys = new ImmutableList.Builder<>();
+    ImmutableList.Builder<VKey<HostResource>> hostKeys = new ImmutableList.Builder<>();
     final List<DnsRefreshRequest> requestsToDelete = new ArrayList<>();
 
     for (TaskHandle task : tasks) {
@@ -204,10 +204,10 @@ public class RefreshDnsOnHostRenameAction implements Runnable {
         emit(true, true);
         return;
       }
-      Key<HostResource> referencingHostKey = null;
+      VKey<HostResource> referencingHostKey = null;
       for (DnsRefreshRequest request : refreshRequests) {
         if (isActive(domain, request.lastUpdateTime())
-            && domain.getNameservers().contains(VKey.from(request.hostKey()))) {
+            && domain.getNameservers().contains(request.hostKey())) {
           referencingHostKey = request.hostKey();
           break;
         }
@@ -293,7 +293,8 @@ public class RefreshDnsOnHostRenameAction implements Runnable {
 
     private static final long serialVersionUID = 1772812852271288622L;
 
-    abstract Key<HostResource> hostKey();
+    abstract VKey<HostResource> hostKey();
+
     abstract DateTime lastUpdateTime();
     abstract DateTime requestedTime();
     abstract boolean isRefreshNeeded();
@@ -301,7 +302,8 @@ public class RefreshDnsOnHostRenameAction implements Runnable {
 
     @AutoValue.Builder
     abstract static class Builder {
-      abstract Builder setHostKey(Key<HostResource> hostKey);
+      abstract Builder setHostKey(VKey<HostResource> hostKey);
+
       abstract Builder setLastUpdateTime(DateTime lastUpdateTime);
       abstract Builder setRequestedTime(DateTime requestedTime);
       abstract Builder setIsRefreshNeeded(boolean isRefreshNeeded);
@@ -314,10 +316,12 @@ public class RefreshDnsOnHostRenameAction implements Runnable {
      */
     static DnsRefreshRequest createFromTask(TaskHandle task, DateTime now) throws Exception {
       ImmutableMap<String, String> params = ImmutableMap.copyOf(task.extractParams());
-      Key<HostResource> hostKey =
-          Key.create(checkNotNull(params.get(PARAM_HOST_KEY), "Host to refresh not specified"));
+      VKey<HostResource> hostKey =
+          VKey.fromWebsafeKey(
+              checkNotNull(params.get(PARAM_HOST_KEY), "Host to refresh not specified"));
       HostResource host =
-          checkNotNull(ofy().load().key(hostKey).now(), "Host to refresh doesn't exist");
+          tm().transact(() -> tm().loadByKeyIfPresent(hostKey))
+              .orElseThrow(() -> new NoSuchElementException("Host to refresh doesn't exist"));
       boolean isHostDeleted =
           isDeleted(host, latestOf(now, host.getUpdateTimestamp().getTimestamp()));
       if (isHostDeleted) {

core/src/main/java/google/registry/batch/RelockDomainAction.java

@@ -16,7 +16,6 @@ package google.registry.batch;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
@@ -33,6 +32,7 @@ import google.registry.model.eppcommon.StatusValue;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarContact;
 import google.registry.model.registry.RegistryLockDao;
+import google.registry.persistence.VKey;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
@@ -125,6 +125,7 @@ public class RelockDomainAction implements Runnable {
     response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
 
     // nb: DomainLockUtils relies on the JPA transaction being the outermost transaction
+    // if we have Datastore as the primary DB (if SQL is the primary DB, it's irrelevant)
     jpaTm().transact(() -> tm().transact(this::relockDomain));
   }
 
@@ -139,12 +140,8 @@ public class RelockDomainAction implements Runnable {
                       new IllegalArgumentException(
                           String.format("Unknown revision ID %d", oldUnlockRevisionId)));
       domain =
-          ofy()
-              .load()
-              .type(DomainBase.class)
-              .id(oldLock.getRepoId())
-              .now()
-              .cloneProjectedAtTime(jpaTm().getTransactionTime());
+          tm().loadByKey(VKey.create(DomainBase.class, oldLock.getRepoId()))
+              .cloneProjectedAtTime(tm().getTransactionTime());
     } catch (Throwable t) {
       handleTransientFailure(Optional.ofNullable(oldLock), t);
       return;

core/src/main/java/google/registry/batch/ResaveAllEppResourcesAction.java

@@ -15,7 +15,7 @@
 package google.registry.batch;
 
 import static google.registry.mapreduce.MapreduceRunner.PARAM_FAST;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.appengine.tools.mapreduce.Mapper;
@@ -104,13 +104,13 @@ public class ResaveAllEppResourcesAction implements Runnable {
       boolean resaved =
           tm().transact(
                   () -> {
-                    EppResource originalResource = ofy().load().key(resourceKey).now();
+                    EppResource originalResource = auditedOfy().load().key(resourceKey).now();
                     EppResource projectedResource =
                         originalResource.cloneProjectedAtTime(tm().getTransactionTime());
                     if (isFast && originalResource.equals(projectedResource)) {
                       return false;
                     } else {
-                      ofy().save().entity(projectedResource).now();
+                      auditedOfy().save().entity(projectedResource).now();
                       return true;
                     }
                   });

core/src/main/java/google/registry/batch/ResaveEntityAction.java

@@ -17,7 +17,6 @@ package google.registry.batch;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_REQUESTED_TIME;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESAVE_TIMES;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESOURCE_KEY;
-import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.common.collect.ImmutableSet;
@@ -26,6 +25,7 @@ import com.google.common.flogger.FluentLogger;
 import com.googlecode.objectify.Key;
 import google.registry.model.EppResource;
 import google.registry.model.ImmutableObject;
+import google.registry.persistence.VKey;
 import google.registry.request.Action;
 import google.registry.request.Action.Method;
 import google.registry.request.Parameter;
@@ -74,16 +74,17 @@ public class ResaveEntityAction implements Runnable {
   public void run() {
     logger.atInfo().log(
         "Re-saving entity %s which was enqueued at %s.", resourceKey, requestedTime);
-    tm().transact(() -> {
-      ImmutableObject entity = ofy().load().key(resourceKey).now();
-      ofy().save().entity(
-          (entity instanceof EppResource)
-              ? ((EppResource) entity).cloneProjectedAtTime(tm().getTransactionTime()) : entity
-      );
-      if (!resaveTimes.isEmpty()) {
-        asyncTaskEnqueuer.enqueueAsyncResave(entity, requestedTime, resaveTimes);
-      }
-    });
+    tm().transact(
+            () -> {
+              ImmutableObject entity = tm().loadByKey(VKey.from(resourceKey));
+              tm().put(
+                      (entity instanceof EppResource)
+                          ? ((EppResource) entity).cloneProjectedAtTime(tm().getTransactionTime())
+                          : entity);
+              if (!resaveTimes.isEmpty()) {
+                asyncTaskEnqueuer.enqueueAsyncResave(entity, requestedTime, resaveTimes);
+              }
+            });
     response.setPayload("Entity re-saved.");
   }
 }

core/src/main/java/google/registry/batch/WipeOutCloudSqlAction.java

@@ -19,6 +19,7 @@ import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
@@ -28,10 +29,11 @@ import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Retrier;
 import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.function.Supplier;
 import javax.inject.Inject;
-import org.flywaydb.core.api.FlywayException;
 
 /**
  * Wipes out all Cloud SQL data in a Nomulus GCP environment.
@@ -80,13 +82,13 @@ public class WipeOutCloudSqlAction implements Runnable {
     try {
       retrier.callWithRetry(
           () -> {
-            try (Connection conn = connectionSupplier.get();
-                Statement statement = conn.createStatement()) {
-              statement.execute("drop owned by schema_deployer;");
+            try (Connection conn = connectionSupplier.get()) {
+              dropAllTables(conn, listTables(conn));
+              dropAllSequences(conn, listSequences(conn));
             }
             return null;
           },
-          e -> !(e instanceof FlywayException));
+          e -> !(e instanceof SQLException));
       response.setStatus(SC_OK);
       response.setPayload("Wiped out Cloud SQL in " + projectId);
     } catch (RuntimeException e) {
@@ -95,4 +97,69 @@ public class WipeOutCloudSqlAction implements Runnable {
       response.setPayload("Failed to wipe out Cloud SQL in " + projectId);
     }
   }
+
+  /** Returns a list of all tables in the public schema of a Postgresql database. */
+  static ImmutableList<String> listTables(Connection connection) throws SQLException {
+    try (ResultSet resultSet =
+        connection.getMetaData().getTables(null, null, null, new String[] {"TABLE"})) {
+      ImmutableList.Builder<String> tables = new ImmutableList.Builder<>();
+      while (resultSet.next()) {
+        String schema = resultSet.getString("TABLE_SCHEM");
+        if (schema == null || !schema.equalsIgnoreCase("public")) {
+          continue;
+        }
+        String tableName = resultSet.getString("TABLE_NAME");
+        tables.add("public.\"" + tableName + "\"");
+      }
+      return tables.build();
+    }
+  }
+
+  static void dropAllTables(Connection conn, ImmutableList<String> tables) throws SQLException {
+    if (tables.isEmpty()) {
+      return;
+    }
+
+    try (Statement statement = conn.createStatement()) {
+      for (String table : tables) {
+        statement.addBatch(String.format("DROP TABLE IF EXISTS %s CASCADE;", table));
+      }
+      for (int code : statement.executeBatch()) {
+        if (code == Statement.EXECUTE_FAILED) {
+          throw new RuntimeException("Failed to drop some tables. Please check.");
+        }
+      }
+    }
+  }
+
+  /** Returns a list of all sequences in a Postgresql database. */
+  static ImmutableList<String> listSequences(Connection conn) throws SQLException {
+    try (Statement statement = conn.createStatement();
+        ResultSet resultSet =
+            statement.executeQuery("SELECT c.relname FROM pg_class c WHERE c.relkind = 'S';")) {
+      ImmutableList.Builder<String> sequences = new ImmutableList.Builder<>();
+      while (resultSet.next()) {
+        sequences.add('\"' + resultSet.getString(1) + '\"');
+      }
+      return sequences.build();
+    }
+  }
+
+  static void dropAllSequences(Connection conn, ImmutableList<String> sequences)
+      throws SQLException {
+    if (sequences.isEmpty()) {
+      return;
+    }
+
+    try (Statement statement = conn.createStatement()) {
+      for (String sequence : sequences) {
+        statement.addBatch(String.format("DROP SEQUENCE IF EXISTS %s CASCADE;", sequence));
+      }
+      for (int code : statement.executeBatch()) {
+        if (code == Statement.EXECUTE_FAILED) {
+          throw new RuntimeException("Failed to drop some sequences. Please check.");
+        }
+      }
+    }
+  }
 }

core/src/main/java/google/registry/batch/WipeoutDatastoreAction.java

@@ -0,0 +1,115 @@
+// Copyright 2021 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.batch;
+
+import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
+import static google.registry.beam.BeamUtils.createJobName;
+import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.api.services.dataflow.Dataflow;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateParameter;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateRequest;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateResponse;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.flogger.FluentLogger;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.request.Action;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.util.Clock;
+import javax.inject.Inject;
+
+/**
+ * Wipes out all Cloud Datastore data in a Nomulus GCP environment.
+ *
+ * <p>This class is created for the QA environment, where migration testing with production data
+ * will happen. A regularly scheduled wipeout is a prerequisite to using production data there.
+ */
+@Action(
+    service = Action.Service.BACKEND,
+    path = "/_dr/task/wipeOutDatastore",
+    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+public class WipeoutDatastoreAction implements Runnable {
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  private static final String PIPELINE_NAME = "bulk_delete_datastore_pipeline";
+
+  // As a short-lived class, hardcode allowed projects here instead of using config files.
+  private static final ImmutableSet<String> ALLOWED_PROJECTS =
+      ImmutableSet.of("domain-registry-qa");
+
+  private final String projectId;
+  private final String jobRegion;
+  private final Response response;
+  private final Dataflow dataflow;
+  private final String stagingBucketUrl;
+  private final Clock clock;
+
+  @Inject
+  WipeoutDatastoreAction(
+      @Config("projectId") String projectId,
+      @Config("defaultJobRegion") String jobRegion,
+      @Config("beamStagingBucketUrl") String stagingBucketUrl,
+      Clock clock,
+      Response response,
+      Dataflow dataflow) {
+    this.projectId = projectId;
+    this.jobRegion = jobRegion;
+    this.stagingBucketUrl = stagingBucketUrl;
+    this.clock = clock;
+    this.response = response;
+    this.dataflow = dataflow;
+  }
+
+  @Override
+  public void run() {
+    response.setContentType(PLAIN_TEXT_UTF_8);
+
+    if (!ALLOWED_PROJECTS.contains(projectId)) {
+      response.setStatus(SC_FORBIDDEN);
+      response.setPayload("Wipeout is not allowed in " + projectId);
+      return;
+    }
+
+    try {
+      LaunchFlexTemplateParameter parameters =
+          new LaunchFlexTemplateParameter()
+              .setJobName(createJobName("bulk-delete-datastore-", clock))
+              .setContainerSpecGcsPath(
+                  String.format("%s/%s_metadata.json", stagingBucketUrl, PIPELINE_NAME))
+              .setParameters(ImmutableMap.of("kindsToDelete", "*"));
+      LaunchFlexTemplateResponse launchResponse =
+          dataflow
+              .projects()
+              .locations()
+              .flexTemplates()
+              .launch(
+                  projectId,
+                  jobRegion,
+                  new LaunchFlexTemplateRequest().setLaunchParameter(parameters))
+              .execute();
+      response.setStatus(SC_OK);
+      response.setPayload("Launched " + launchResponse.getJob().getName());
+    } catch (Exception e) {
+      String msg = String.format("Failed to launch %s.", PIPELINE_NAME);
+      logger.atSevere().withCause(e).log(msg);
+      response.setStatus(SC_INTERNAL_SERVER_ERROR);
+      response.setPayload(msg);
+    }
+  }
+}

core/src/main/java/google/registry/beam/BeamUtils.java

@@ -14,10 +14,14 @@
 
 package google.registry.beam;
 
+import static com.google.common.base.Preconditions.checkArgument;
+
 import com.google.common.base.Joiner;
 import com.google.common.collect.ImmutableList;
 import com.google.common.io.Resources;
+import google.registry.util.Clock;
 import google.registry.util.ResourceUtils;
+import java.util.regex.Pattern;
 import org.apache.avro.generic.GenericRecord;
 import org.apache.beam.sdk.io.gcp.bigquery.SchemaAndRecord;
 
@@ -41,8 +45,7 @@ public class BeamUtils {
       ImmutableList<String> fieldNames, SchemaAndRecord schemaAndRecord) {
     GenericRecord record = schemaAndRecord.getRecord();
     ImmutableList<String> nullFields =
-        fieldNames
-            .stream()
+        fieldNames.stream()
             .filter(fieldName -> record.get(fieldName) == null)
             .collect(ImmutableList.toImmutableList());
     String missingFieldList = Joiner.on(", ").join(nullFields);
@@ -61,4 +64,19 @@ public class BeamUtils {
   public static String getQueryFromFile(Class<?> clazz, String filename) {
     return ResourceUtils.readResourceUtf8(Resources.getResource(clazz, "sql/" + filename));
   }
+
+  /** Creates a beam job name and validates that it conforms to the requirements. */
+  public static String createJobName(String prefix, Clock clock) {
+    // Flex template job name must be unique and consists of only characters [-a-z0-9], starting
+    // with a letter and ending with a letter or number. So we replace the "T" and "Z" in ISO 8601
+    // with lowercase letters.
+    String jobName =
+        String.format("%s-%s", prefix, clock.nowUtc().toString("yyyy-MM-dd't'HH-mm-ss'z'"));
+    checkArgument(
+        Pattern.compile("^[a-z][-a-z0-9]*[a-z0-9]*").matcher(jobName).matches(),
+        "The job name %s is illegal, it consists of only characters [-a-z0-9], "
+            + "starting with a letter and ending with a letter or number,",
+        jobName);
+    return jobName;
+  }
 }

core/src/main/java/google/registry/beam/common/RegistryJpaIO.java

@@ -21,21 +21,30 @@ import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Streams;
 import google.registry.backup.AppEngineEnvironment;
+import google.registry.beam.common.RegistryQuery.QueryComposerFactory;
+import google.registry.beam.common.RegistryQuery.RegistryQueryFactory;
 import google.registry.model.ofy.ObjectifyService;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.TransactionManagerFactory;
+import java.io.Serializable;
 import java.util.Objects;
 import java.util.concurrent.ThreadLocalRandom;
+import javax.persistence.criteria.CriteriaQuery;
+import org.apache.beam.sdk.coders.Coder;
+import org.apache.beam.sdk.coders.SerializableCoder;
 import org.apache.beam.sdk.metrics.Counter;
 import org.apache.beam.sdk.metrics.Metrics;
+import org.apache.beam.sdk.transforms.Create;
 import org.apache.beam.sdk.transforms.DoFn;
 import org.apache.beam.sdk.transforms.GroupIntoBatches;
 import org.apache.beam.sdk.transforms.PTransform;
 import org.apache.beam.sdk.transforms.ParDo;
+import org.apache.beam.sdk.transforms.Reshuffle;
 import org.apache.beam.sdk.transforms.SerializableFunction;
 import org.apache.beam.sdk.transforms.WithKeys;
 import org.apache.beam.sdk.util.ShardedKey;
 import org.apache.beam.sdk.values.KV;
+import org.apache.beam.sdk.values.PBegin;
 import org.apache.beam.sdk.values.PCollection;
 
 /**
@@ -51,10 +60,127 @@ public final class RegistryJpaIO {
 
   private RegistryJpaIO() {}
 
+  public static <R> Read<R, R> read(QueryComposerFactory<R> queryFactory) {
+    return Read.<R, R>builder().queryFactory(queryFactory).build();
+  }
+
+  public static <R, T> Read<R, T> read(
+      QueryComposerFactory<R> queryFactory, SerializableFunction<R, T> resultMapper) {
+    return Read.<R, T>builder().queryFactory(queryFactory).resultMapper(resultMapper).build();
+  }
+
+  /**
+   * Returns a {@link Read} connector based on the given {@code jpql} query string.
+   *
+   * <p>User should take care to prevent sql-injection attacks.
+   */
+  public static <R, T> Read<R, T> read(String jpql, SerializableFunction<R, T> resultMapper) {
+    return Read.<R, T>builder().jpqlQueryFactory(jpql).resultMapper(resultMapper).build();
+  }
+
   public static <T> Write<T> write() {
     return Write.<T>builder().build();
   }
 
+  /**
+   * A {@link PTransform transform} that transactionally executes a JPA {@link CriteriaQuery} and
+   * adds the results to the BEAM pipeline. Users have the option to transform the results before
+   * sending them to the next stages.
+   */
+  @AutoValue
+  public abstract static class Read<R, T> extends PTransform<PBegin, PCollection<T>> {
+
+    public static final String DEFAULT_NAME = "RegistryJpaIO.Read";
+
+    abstract String name();
+
+    abstract RegistryQueryFactory<R> queryFactory();
+
+    abstract SerializableFunction<R, T> resultMapper();
+
+    abstract Coder<T> coder();
+
+    abstract Builder<R, T> toBuilder();
+
+    @Override
+    @SuppressWarnings("deprecation") // Reshuffle still recommended by GCP.
+    public PCollection<T> expand(PBegin input) {
+      return input
+          .apply("Starting " + name(), Create.of((Void) null))
+          .apply(
+              "Run query for " + name(),
+              ParDo.of(new QueryRunner<>(queryFactory(), resultMapper())))
+          .setCoder(coder())
+          .apply("Reshuffle", Reshuffle.viaRandomKey());
+    }
+
+    public Read<R, T> withName(String name) {
+      return toBuilder().name(name).build();
+    }
+
+    public Read<R, T> withResultMapper(SerializableFunction<R, T> mapper) {
+      return toBuilder().resultMapper(mapper).build();
+    }
+
+    public Read<R, T> withCoder(Coder<T> coder) {
+      return toBuilder().coder(coder).build();
+    }
+
+    static <R, T> Builder<R, T> builder() {
+      return new AutoValue_RegistryJpaIO_Read.Builder()
+          .name(DEFAULT_NAME)
+          .resultMapper(x -> x)
+          .coder(SerializableCoder.of(Serializable.class));
+    }
+
+    @AutoValue.Builder
+    public abstract static class Builder<R, T> {
+
+      abstract Builder<R, T> name(String name);
+
+      abstract Builder<R, T> queryFactory(RegistryQueryFactory<R> queryFactory);
+
+      abstract Builder<R, T> resultMapper(SerializableFunction<R, T> mapper);
+
+      abstract Builder<R, T> coder(Coder coder);
+
+      abstract Read<R, T> build();
+
+      Builder<R, T> queryFactory(QueryComposerFactory<R> queryFactory) {
+        return queryFactory(RegistryQuery.createQueryFactory(queryFactory));
+      }
+
+      Builder<R, T> jpqlQueryFactory(String jpql) {
+        return queryFactory(RegistryQuery.createQueryFactory(jpql));
+      }
+    }
+
+    static class QueryRunner<R, T> extends DoFn<Void, T> {
+      private final RegistryQueryFactory<R> queryFactory;
+      private final SerializableFunction<R, T> resultMapper;
+
+      QueryRunner(RegistryQueryFactory<R> queryFactory, SerializableFunction<R, T> resultMapper) {
+        this.queryFactory = queryFactory;
+        this.resultMapper = resultMapper;
+      }
+
+      @ProcessElement
+      public void processElement(OutputReceiver<T> outputReceiver) {
+        // AppEngineEnvironment is need for handling VKeys, which involve Ofy keys. Unlike
+        // SqlBatchWriter, it is unnecessary to initialize ObjectifyService in this class.
+        try (AppEngineEnvironment env = new AppEngineEnvironment()) {
+          // TODO(b/187210388): JpaTransactionManager should support non-transactional query.
+          jpaTm()
+              .transactNoRetry(
+                  () ->
+                      queryFactory.apply(jpaTm()).stream()
+                          .map(resultMapper::apply)
+                          .forEach(outputReceiver::output));
+        }
+      }
+    }
+  }
+
   /**
    * A {@link PTransform transform} that writes a PCollection of entities to the SQL database using
    * the {@link JpaTransactionManager}.
@@ -182,8 +308,9 @@ public final class RegistryJpaIO {
 
     @Setup
     public void setup() {
-      // Below is needed as long as Objectify keys are still involved in the handling of SQL
-      // entities (e.g., in VKeys).
+      // AppEngineEnvironment is needed as long as Objectify keys are still involved in the handling
+      // of SQL entities (e.g., in VKeys). ObjectifyService needs to be initialized when conversion
+      // between Ofy entity and Datastore entity is needed.
       try (AppEngineEnvironment env = new AppEngineEnvironment()) {
         ObjectifyService.initOfy();
       }

core/src/main/java/google/registry/beam/common/RegistryQuery.java

@@ -0,0 +1,89 @@
+// Copyright 2021 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.common;
+
+import google.registry.persistence.transaction.JpaTransactionManager;
+import google.registry.persistence.transaction.QueryComposer;
+import java.util.stream.Stream;
+import javax.persistence.EntityManager;
+import javax.persistence.Query;
+import org.apache.beam.sdk.transforms.SerializableFunction;
+
+/** Interface for query instances used by {@link RegistryJpaIO.Read}. */
+public interface RegistryQuery<T> {
+  Stream<T> stream();
+
+  /** Factory for {@link RegistryQuery}. */
+  interface RegistryQueryFactory<T>
+      extends SerializableFunction<JpaTransactionManager, RegistryQuery<T>> {}
+
+  // TODO(mmuller): Consider detached JpaQueryComposer that works with any JpaTransactionManager
+  // instance, i.e., change composer.buildQuery() to composer.buildQuery(JpaTransactionManager).
+  // This way QueryComposer becomes reusable and serializable (at least with Hibernate), and this
+  // interface would no longer be necessary.
+  interface QueryComposerFactory<T>
+      extends SerializableFunction<JpaTransactionManager, QueryComposer<T>> {}
+
+  /**
+   * Returns a {@link RegistryQueryFactory} that creates a JPQL query from constant text.
+   *
+   * @param <T> Type of each row in the result set, {@link Object} in single-select queries, and
+   *     {@code Object[]} in multi-select queries.
+   */
+  @SuppressWarnings("unchecked") // query.getResultStream: jpa api uses raw type
+  static <T> RegistryQueryFactory<T> createQueryFactory(String jpql) {
+    return (JpaTransactionManager jpa) ->
+        () -> {
+          EntityManager entityManager = jpa.getEntityManager();
+          Query query = entityManager.createQuery(jpql);
+          return query.getResultStream().map(e -> detach(entityManager, e));
+        };
+  }
+
+  static <T> RegistryQueryFactory<T> createQueryFactory(
+      QueryComposerFactory<T> queryComposerFactory) {
+    return (JpaTransactionManager jpa) ->
+        () -> queryComposerFactory.apply(jpa).withAutoDetachOnLoad(true).stream();
+  }
+
+  /**
+   * Removes an object from the JPA session cache if applicable.
+   *
+   * @param object An object that represents a row in the result set. It may be a JPA entity, a
+   *     non-entity object, or an array that holds JPA entities and/or non-entities.
+   */
+  static <T> T detach(EntityManager entityManager, T object) {
+    if (object.getClass().isArray()) {
+      for (Object arrayElement : (Object[]) object) {
+        detachObject(entityManager, arrayElement);
+      }
+    } else {
+      detachObject(entityManager, object);
+    }
+    return object;
+  }
+
+  static void detachObject(EntityManager entityManager, Object object) {
+    Class<?> objectClass = object.getClass();
+    if (objectClass.isPrimitive() || objectClass == String.class) {
+      return;
+    }
+    try {
+      entityManager.detach(object);
+    } catch (IllegalArgumentException e) {
+      // Not an entity. Do nothing.
+    }
+  }
+}

core/src/main/java/google/registry/beam/datastore/BulkDeleteDatastorePipeline.java

@@ -87,20 +87,18 @@ public class BulkDeleteDatastorePipeline {
 
   private final BulkDeletePipelineOptions options;
 
-  private final Pipeline pipeline;
-
   BulkDeleteDatastorePipeline(BulkDeletePipelineOptions options) {
     this.options = options;
-    pipeline = Pipeline.create(options);
   }
 
   public void run() {
-    setupPipeline();
+    Pipeline pipeline = Pipeline.create(options);
+    setupPipeline(pipeline);
     pipeline.run();
   }
 
   @SuppressWarnings("deprecation") // org.apache.beam.sdk.transforms.Reshuffle
-  private void setupPipeline() {
+  private void setupPipeline(Pipeline pipeline) {
     checkState(
         !FORBIDDEN_PROJECTS.contains(options.getProject()),
         "Bulk delete is forbidden in %s",

core/src/main/java/google/registry/beam/datastore/DatastoreV1.java

@@ -505,7 +505,7 @@ public class DatastoreV1 {
       }
 
       @StartBundle
-      public void startBundle(StartBundleContext c) throws Exception {
+      public void startBundle(StartBundleContext c) {
         datastore =
             datastoreFactory.getDatastore(
                 c.getPipelineOptions(), v1Options.getProjectId(), v1Options.getLocalhost());
@@ -548,7 +548,7 @@ public class DatastoreV1 {
       }
 
       @StartBundle
-      public void startBundle(StartBundleContext c) throws Exception {
+      public void startBundle(StartBundleContext c) {
         datastore =
             datastoreFactory.getDatastore(
                 c.getPipelineOptions(), options.getProjectId(), options.getLocalhost());
@@ -556,7 +556,7 @@ public class DatastoreV1 {
       }
 
       @ProcessElement
-      public void processElement(ProcessContext c) throws Exception {
+      public void processElement(ProcessContext c) {
         Query query = c.element();
 
         // If query has a user set limit, then do not split.
@@ -626,7 +626,7 @@ public class DatastoreV1 {
       }
 
       @StartBundle
-      public void startBundle(StartBundleContext c) throws Exception {
+      public void startBundle(StartBundleContext c) {
         datastore =
             datastoreFactory.getDatastore(
                 c.getPipelineOptions(), options.getProjectId(), options.getLocalhost());

core/src/main/java/google/registry/beam/initsql/BackupPaths.java

@@ -93,7 +93,7 @@ public final class BackupPaths {
     checkArgument(!isNullOrEmpty(exportDir), "Null or empty exportDir.");
     checkArgument(!isNullOrEmpty(kind), "Null or empty kind.");
     checkArgument(shard >= 0, "Negative shard %s not allowed.", shard);
-    return String.format(EXPORT_PATTERN_TEMPLATE, exportDir, kind, Integer.toString(shard));
+    return String.format(EXPORT_PATTERN_TEMPLATE, exportDir, kind, shard);
   }
 
   /** Returns an {@link ImmutableList} of regex patterns that match all CommitLog files. */

core/src/main/java/google/registry/beam/initsql/BeamJpaModule.java

@@ -1,201 +0,0 @@
-// Copyright 2020 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.beam.initsql;
-
-import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.base.Preconditions.checkState;
-import static com.google.common.base.Strings.isNullOrEmpty;
-
-import com.google.common.base.Splitter;
-import dagger.Component;
-import dagger.Lazy;
-import dagger.Module;
-import dagger.Provides;
-import google.registry.config.CredentialModule;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryConfig.ConfigModule;
-import google.registry.keyring.kms.KmsModule;
-import google.registry.persistence.PersistenceModule;
-import google.registry.persistence.PersistenceModule.JdbcJpaTm;
-import google.registry.persistence.PersistenceModule.SocketFactoryJpaTm;
-import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
-import google.registry.persistence.transaction.JpaTransactionManager;
-import google.registry.privileges.secretmanager.SecretManagerModule;
-import google.registry.util.UtilsModule;
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.nio.channels.Channels;
-import java.nio.charset.StandardCharsets;
-import java.util.List;
-import javax.annotation.Nullable;
-import javax.inject.Singleton;
-import org.apache.beam.sdk.io.FileSystems;
-import org.apache.beam.sdk.io.fs.ResourceId;
-
-/**
- * Provides bindings for {@link JpaTransactionManager} to Cloud SQL.
- *
- * <p>This module is intended for use in BEAM pipelines, and uses a BEAM utility to access GCS like
- * a regular file system.
- */
-@Module
-public class BeamJpaModule {
-
-  private static final String GCS_SCHEME = "gs://";
-
-  @Nullable private final String sqlAccessInfoFile;
-  @Nullable private final String cloudKmsProjectId;
-  @Nullable private final TransactionIsolationLevel isolationOverride;
-
-  /**
-   * Constructs a new instance of {@link BeamJpaModule}.
-   *
-   * <p>Note: it is an unfortunately necessary antipattern to check for the validity of
-   * sqlAccessInfoFile in {@link #provideCloudSqlAccessInfo} rather than in the constructor.
-   * Unfortunately, this is a restriction imposed upon us by Dagger. Specifically, because we use
-   * this in at least one 1 {@link google.registry.tools.RegistryTool} command(s), it must be
-   * instantiated in {@code google.registry.tools.RegistryToolComponent} for all possible commands;
-   * Dagger doesn't permit it to ever be null. For the vast majority of commands, it will never be
-   * used (so a null credential file path is fine in those cases).
-   *
-   * @param sqlAccessInfoFile the path to a Cloud SQL credential file. This must refer to either a
-   *     real encrypted file on GCS as returned by {@link
-   *     BackupPaths#getCloudSQLCredentialFilePatterns} or an unencrypted file on local filesystem
-   *     with credentials to a test database.
-   * @param cloudKmsProjectId the GCP project where the credential decryption key can be found
-   * @param isolationOverride the desired Transaction Isolation level for all JDBC connections
-   */
-  public BeamJpaModule(
-      @Nullable String sqlAccessInfoFile,
-      @Nullable String cloudKmsProjectId,
-      @Nullable TransactionIsolationLevel isolationOverride) {
-    this.sqlAccessInfoFile = sqlAccessInfoFile;
-    this.cloudKmsProjectId = cloudKmsProjectId;
-    this.isolationOverride = isolationOverride;
-  }
-
-  public BeamJpaModule(@Nullable String sqlAccessInfoFile, @Nullable String cloudKmsProjectId) {
-    this(sqlAccessInfoFile, cloudKmsProjectId, null);
-  }
-
-  /** Returns true if the credential file is on GCS (and therefore expected to be encrypted). */
-  private boolean isCloudSqlCredential() {
-    return sqlAccessInfoFile.startsWith(GCS_SCHEME);
-  }
-
-  @Provides
-  @Singleton
-  SqlAccessInfo provideCloudSqlAccessInfo(Lazy<CloudSqlCredentialDecryptor> lazyDecryptor) {
-    checkArgument(!isNullOrEmpty(sqlAccessInfoFile), "Null or empty credentialFilePath");
-    String line = readOnlyLineFromCredentialFile();
-    if (isCloudSqlCredential()) {
-      line = lazyDecryptor.get().decrypt(line);
-    }
-    // See ./BackupPaths.java for explanation of the line format.
-    List<String> parts = Splitter.on(' ').splitToList(line.trim());
-    checkState(parts.size() == 3, "Expecting three phrases in %s", line);
-    if (isCloudSqlCredential()) {
-      return SqlAccessInfo.createCloudSqlAccessInfo(parts.get(0), parts.get(1), parts.get(2));
-    } else {
-      return SqlAccessInfo.createLocalSqlAccessInfo(parts.get(0), parts.get(1), parts.get(2));
-    }
-  }
-
-  String readOnlyLineFromCredentialFile() {
-    try {
-      ResourceId resourceId = FileSystems.matchSingleFileSpec(sqlAccessInfoFile).resourceId();
-      try (BufferedReader reader =
-          new BufferedReader(
-              new InputStreamReader(
-                  Channels.newInputStream(FileSystems.open(resourceId)), StandardCharsets.UTF_8))) {
-        return reader.readLine();
-      }
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
-  }
-
-  @Provides
-  @Config("beamCloudSqlJdbcUrl")
-  String provideJdbcUrl(SqlAccessInfo sqlAccessInfo) {
-    return sqlAccessInfo.jdbcUrl();
-  }
-
-  @Provides
-  @Config("beamCloudSqlInstanceConnectionName")
-  String provideSqlInstanceName(SqlAccessInfo sqlAccessInfo) {
-    return sqlAccessInfo
-        .cloudSqlInstanceName()
-        .orElseThrow(() -> new IllegalStateException("Cloud SQL not provisioned."));
-  }
-
-  @Provides
-  @Config("beamCloudSqlUsername")
-  String provideSqlUsername(SqlAccessInfo sqlAccessInfo) {
-    return sqlAccessInfo.user();
-  }
-
-  @Provides
-  @Config("beamCloudSqlPassword")
-  String provideSqlPassword(SqlAccessInfo sqlAccessInfo) {
-    return sqlAccessInfo.password();
-  }
-
-  @Provides
-  @Config("beamCloudKmsProjectId")
-  String kmsProjectId() {
-    return cloudKmsProjectId;
-  }
-
-  @Provides
-  @Config("beamCloudKmsKeyRing")
-  static String keyRingName() {
-    return "nomulus-tool-keyring";
-  }
-
-  @Provides
-  @Config("beamIsolationOverride")
-  @Nullable
-  TransactionIsolationLevel providesIsolationOverride() {
-    return isolationOverride;
-  }
-
-  @Provides
-  @Config("beamHibernateHikariMaximumPoolSize")
-  static int getBeamHibernateHikariMaximumPoolSize() {
-    // TODO(weiminyu): make this configurable. Should be equal to number of cores.
-    return 4;
-  }
-
-  @Singleton
-  @Component(
-      modules = {
-        ConfigModule.class,
-        CredentialModule.class,
-        BeamJpaModule.class,
-        KmsModule.class,
-        PersistenceModule.class,
-        SecretManagerModule.class,
-        UtilsModule.class
-      })
-  public interface JpaTransactionManagerComponent {
-    @SocketFactoryJpaTm
-    JpaTransactionManager cloudSqlJpaTransactionManager();
-
-    @JdbcJpaTm
-    JpaTransactionManager localDbJpaTransactionManager();
-  }
-}

core/src/main/java/google/registry/beam/initsql/InitSqlPipeline.java

@@ -120,26 +120,22 @@ public class InitSqlPipeline implements Serializable {
 
   private final InitSqlPipelineOptions options;
 
-  private final Pipeline pipeline;
-
   InitSqlPipeline(InitSqlPipelineOptions options) {
     this.options = options;
-    pipeline = Pipeline.create(options);
+  }
+
+  PipelineResult run() {
+    return run(Pipeline.create(options));
   }
 
   @VisibleForTesting
-  InitSqlPipeline(InitSqlPipelineOptions options, Pipeline pipeline) {
-    this.options = options;
-    this.pipeline = pipeline;
-  }
-
-  public PipelineResult run() {
-    setupPipeline();
+  PipelineResult run(Pipeline pipeline) {
+    setupPipeline(pipeline);
     return pipeline.run();
   }
 
   @VisibleForTesting
-  void setupPipeline() {
+  void setupPipeline(Pipeline pipeline) {
     options.setIsolationOverride(TransactionIsolationLevel.TRANSACTION_READ_UNCOMMITTED);
     PCollectionTuple datastoreSnapshot =
         pipeline.apply(

core/src/main/java/google/registry/beam/initsql/JpaSupplierFactory.java

@@ -1,60 +0,0 @@
-// Copyright 2020 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.beam.initsql;
-
-import google.registry.beam.initsql.BeamJpaModule.JpaTransactionManagerComponent;
-import google.registry.beam.initsql.Transforms.SerializableSupplier;
-import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
-import google.registry.persistence.transaction.JpaTransactionManager;
-import javax.annotation.Nullable;
-import org.apache.beam.sdk.transforms.SerializableFunction;
-
-public class JpaSupplierFactory implements SerializableSupplier<JpaTransactionManager> {
-
-  private static final long serialVersionUID = 1L;
-
-  private final String credentialFileUrl;
-  @Nullable private final String cloudKmsProjectId;
-  private final SerializableFunction<JpaTransactionManagerComponent, JpaTransactionManager>
-      jpaGetter;
-  @Nullable private final TransactionIsolationLevel isolationLevelOverride;
-
-  public JpaSupplierFactory(
-      String credentialFileUrl,
-      @Nullable String cloudKmsProjectId,
-      SerializableFunction<JpaTransactionManagerComponent, JpaTransactionManager> jpaGetter) {
-    this(credentialFileUrl, cloudKmsProjectId, jpaGetter, null);
-  }
-
-  public JpaSupplierFactory(
-      String credentialFileUrl,
-      @Nullable String cloudKmsProjectId,
-      SerializableFunction<JpaTransactionManagerComponent, JpaTransactionManager> jpaGetter,
-      @Nullable TransactionIsolationLevel isolationLevelOverride) {
-    this.credentialFileUrl = credentialFileUrl;
-    this.cloudKmsProjectId = cloudKmsProjectId;
-    this.jpaGetter = jpaGetter;
-    this.isolationLevelOverride = isolationLevelOverride;
-  }
-
-  @Override
-  public JpaTransactionManager get() {
-    return jpaGetter.apply(
-        DaggerBeamJpaModule_JpaTransactionManagerComponent.builder()
-            .beamJpaModule(
-                new BeamJpaModule(credentialFileUrl, cloudKmsProjectId, isolationLevelOverride))
-            .build());
-  }
-}

core/src/main/java/google/registry/beam/initsql/Transforms.java

@@ -19,13 +19,10 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 import static google.registry.beam.initsql.BackupPaths.getCommitLogTimestamp;
 import static google.registry.beam.initsql.BackupPaths.getExportFilePatterns;
-import static google.registry.model.ofy.ObjectifyService.ofy;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
-import static google.registry.persistence.transaction.TransactionManagerFactory.setJpaTm;
+import static google.registry.model.ofy.ObjectifyService.auditedOfy;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static google.registry.util.DateTimeUtils.isBeforeOrAt;
 import static java.util.Comparator.comparing;
-import static org.apache.beam.sdk.values.TypeDescriptors.integers;
 import static org.apache.beam.sdk.values.TypeDescriptors.kvs;
 import static org.apache.beam.sdk.values.TypeDescriptors.strings;
 
@@ -35,15 +32,14 @@ import com.google.appengine.api.datastore.EntityTranslator;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
-import com.googlecode.objectify.Key;
-import google.registry.backup.AppEngineEnvironment;
 import google.registry.backup.CommitLogImports;
 import google.registry.backup.VersionedEntity;
+import google.registry.model.billing.BillingEvent.Flag;
+import google.registry.model.billing.BillingEvent.Reason;
 import google.registry.model.domain.DomainBase;
-import google.registry.model.ofy.ObjectifyService;
 import google.registry.model.reporting.HistoryEntry;
-import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.schema.replay.DatastoreAndSqlEntity;
 import google.registry.schema.replay.SqlEntity;
 import google.registry.tools.LevelDbLogReader;
@@ -53,7 +49,6 @@ import java.util.Iterator;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
-import java.util.concurrent.ThreadLocalRandom;
 import java.util.function.Supplier;
 import javax.annotation.Nullable;
 import org.apache.beam.sdk.coders.StringUtf8Coder;
@@ -62,18 +57,14 @@ import org.apache.beam.sdk.io.FileIO;
 import org.apache.beam.sdk.io.FileIO.ReadableFile;
 import org.apache.beam.sdk.io.fs.EmptyMatchTreatment;
 import org.apache.beam.sdk.io.fs.MatchResult.Metadata;
-import org.apache.beam.sdk.metrics.Counter;
-import org.apache.beam.sdk.metrics.Metrics;
 import org.apache.beam.sdk.transforms.Create;
 import org.apache.beam.sdk.transforms.DoFn;
 import org.apache.beam.sdk.transforms.Flatten;
 import org.apache.beam.sdk.transforms.GroupByKey;
-import org.apache.beam.sdk.transforms.GroupIntoBatches;
 import org.apache.beam.sdk.transforms.MapElements;
 import org.apache.beam.sdk.transforms.PTransform;
 import org.apache.beam.sdk.transforms.ParDo;
 import org.apache.beam.sdk.transforms.ProcessFunction;
-import org.apache.beam.sdk.transforms.SerializableFunction;
 import org.apache.beam.sdk.values.KV;
 import org.apache.beam.sdk.values.PBegin;
 import org.apache.beam.sdk.values.PCollection;
@@ -268,81 +259,58 @@ public final class Transforms {
                     .iterator()));
   }
 
-  /**
-   * Returns a {@link PTransform} that writes a {@link PCollection} of {@link VersionedEntity}s to a
-   * SQL database. and outputs an empty {@code PCollection<Void>}. This allows other operations to
-   * {@link org.apache.beam.sdk.transforms.Wait wait} for the completion of this transform.
-   *
-   * <p>Errors are handled according to the pipeline runner's default policy. As part of a one-time
-   * job, we will not add features unless proven necessary.
-   *
-   * @param transformId a unique ID for an instance of the returned transform
-   * @param maxWriters the max number of concurrent writes to SQL, which also determines the max
-   *     number of connection pools created
-   * @param batchSize the number of entities to write in each operation
-   * @param jpaSupplier supplier of a {@link JpaTransactionManager}
-   */
-  public static PTransform<PCollection<VersionedEntity>, PCollection<Void>> writeToSql(
-      String transformId,
-      int maxWriters,
-      int batchSize,
-      SerializableSupplier<JpaTransactionManager> jpaSupplier) {
-    return writeToSql(
-        transformId,
-        maxWriters,
-        batchSize,
-        jpaSupplier,
-        Transforms::convertVersionedEntityToSqlEntity,
-        TypeDescriptor.of(VersionedEntity.class));
-  }
+  // Production data repair configs go below. See b/185954992.
 
-  /**
-   * Returns a {@link PTransform} that writes a {@link PCollection} of entities to a SQL database.
-   * and outputs an empty {@code PCollection<Void>}. This allows other operations to {@link
-   * org.apache.beam.sdk.transforms.Wait wait} for the completion of this transform.
-   *
-   * <p>The converter and type descriptor are generics so that we can convert any type of entity to
-   * an object to be placed in SQL.
-   *
-   * <p>Errors are handled according to the pipeline runner's default policy. As part of a one-time
-   * job, we will not add features unless proven necessary.
-   *
-   * @param transformId a unique ID for an instance of the returned transform
-   * @param maxWriters the max number of concurrent writes to SQL, which also determines the max
-   *     number of connection pools created
-   * @param batchSize the number of entities to write in each operation
-   * @param jpaSupplier supplier of a {@link JpaTransactionManager}
-   * @param jpaConverter the function that converts the input object to a JPA entity
-   * @param objectDescriptor the type descriptor of the input object
-   */
-  public static <T> PTransform<PCollection<T>, PCollection<Void>> writeToSql(
-      String transformId,
-      int maxWriters,
-      int batchSize,
-      SerializableSupplier<JpaTransactionManager> jpaSupplier,
-      SerializableFunction<T, Object> jpaConverter,
-      TypeDescriptor<T> objectDescriptor) {
-    return new PTransform<PCollection<T>, PCollection<Void>>() {
-      @Override
-      public PCollection<Void> expand(PCollection<T> input) {
-        return input
-            .apply(
-                "Shard data for " + transformId,
-                MapElements.into(kvs(integers(), objectDescriptor))
-                    .via(ve -> KV.of(ThreadLocalRandom.current().nextInt(maxWriters), ve)))
-            .apply("Batch output by shard " + transformId, GroupIntoBatches.ofSize(batchSize))
-            .apply(
-                "Write in batch for " + transformId,
-                ParDo.of(new SqlBatchWriter<T>(transformId, jpaSupplier, jpaConverter)));
-      }
-    };
-  }
+  // Prober domains in bad state, without associated contacts, hosts, billings, and history.
+  // They can be safely ignored.
+  private static final ImmutableSet<String> IGNORED_DOMAINS =
+      ImmutableSet.of("6AF6D2-IQCANT", "2-IQANYT");
 
-  private static Key toOfyKey(Object ofyEntity) {
-    return Key.create(ofyEntity);
-  }
+  // Prober hosts referencing phantom registrars. They and their associated history entries can be
+  // safely ignored.
+  private static final ImmutableSet<String> IGNORED_HOSTS =
+      ImmutableSet.of(
+          "4E21_WJ0TEST-GOOGLE",
+          "4E21_WJ1TEST-GOOGLE",
+          "4E21_WJ2TEST-GOOGLE",
+          "4E21_WJ3TEST-GOOGLE");
+
+  // Prober contacts referencing phantom registrars. They and their associated history entries can
+  // be safely ignored.
+  private static final ImmutableSet IGNORED_CONTACTS =
+      ImmutableSet.of(
+          "1_WJ0TEST-GOOGLE", "1_WJ1TEST-GOOGLE", "1_WJ2TEST-GOOGLE", "1_WJ3TEST-GOOGLE");
 
   private static boolean isMigratable(Entity entity) {
+    // Checks specific to production data. See b/185954992 for details.
+    // The names of these bad entities in production do not conflict with other environments. For
+    // simplicities sake we apply them regardless of the source of the data.
+    if (entity.getKind().equals("DomainBase")
+        && IGNORED_DOMAINS.contains(entity.getKey().getName())) {
+      return false;
+    }
+    if (entity.getKind().equals("ContactResource")) {
+      String roid = entity.getKey().getName();
+      return !IGNORED_CONTACTS.contains(roid);
+    }
+    if (entity.getKind().equals("HostResource")) {
+      String roid = entity.getKey().getName();
+      return !IGNORED_HOSTS.contains(roid);
+    }
+    if (entity.getKind().equals("HistoryEntry")) {
+      // Remove production bad data: History of the contacts to be ignored:
+      com.google.appengine.api.datastore.Key parentKey = entity.getKey().getParent();
+      if (parentKey.getKind().equals("ContactResource")) {
+        String contactRoid = parentKey.getName();
+        return !IGNORED_CONTACTS.contains(contactRoid);
+      }
+      if (parentKey.getKind().equals("HostResource")) {
+        String hostRoid = parentKey.getName();
+        return !IGNORED_HOSTS.contains(hostRoid);
+      }
+    }
+    // End of production-specific checks.
+
     if (entity.getKind().equals("HistoryEntry")) {
       // DOMAIN_APPLICATION_CREATE is deprecated type and should not be migrated.
       // The Enum name DOMAIN_APPLICATION_CREATE no longer exists in Java and cannot
@@ -352,6 +320,18 @@ public final class Transforms {
     return true;
   }
 
+  private static Entity repairBadData(Entity entity) {
+    if (entity.getKind().equals("Cancellation")
+        && Objects.equals(entity.getProperty("reason"), "AUTO_RENEW")) {
+      // AUTO_RENEW has been moved from 'reason' to flags. Change reason to RENEW and add the
+      // AUTO_RENEW flag. Note: all affected entities have empty flags so we can simply assign
+      // instead of append. See b/185954992.
+      entity.setUnindexedProperty("reason", Reason.RENEW.name());
+      entity.setUnindexedProperty("flags", ImmutableList.of(Flag.AUTO_RENEW.name()));
+    }
+    return entity;
+  }
+
   private static SqlEntity toSqlEntity(Object ofyEntity) {
     if (ofyEntity instanceof HistoryEntry) {
       HistoryEntry ofyHistory = (HistoryEntry) ofyEntity;
@@ -372,7 +352,8 @@ public final class Transforms {
     return dsEntity
         .getEntity()
         .filter(Transforms::isMigratable)
-        .map(e -> ofy().toPojo(e))
+        .map(Transforms::repairBadData)
+        .map(e -> auditedOfy().toPojo(e))
         .map(Transforms::toSqlEntity)
         .orElse(null);
   }
@@ -458,93 +439,6 @@ public final class Transforms {
     }
   }
 
-  /**
-   * Writes a batch of entities to a SQL database.
-   *
-   * <p>Note that an arbitrary number of instances of this class may be created and freed in
-   * arbitrary order in a single JVM. Due to the tech debt that forced us to use a static variable
-   * to hold the {@code JpaTransactionManager} instance, we must ensure that JpaTransactionManager
-   * is not changed or torn down while being used by some instance.
-   */
-  private static class SqlBatchWriter<T> extends DoFn<KV<Integer, Iterable<T>>, Void> {
-
-    private static int instanceCount = 0;
-    private static JpaTransactionManager originalJpa;
-
-    private Counter counter;
-
-    private final SerializableSupplier<JpaTransactionManager> jpaSupplier;
-    private final SerializableFunction<T, Object> jpaConverter;
-
-    SqlBatchWriter(
-        String type,
-        SerializableSupplier<JpaTransactionManager> jpaSupplier,
-        SerializableFunction<T, Object> jpaConverter) {
-      counter = Metrics.counter("SQL_WRITE", type);
-      this.jpaSupplier = jpaSupplier;
-      this.jpaConverter = jpaConverter;
-    }
-
-    @Setup
-    public void setup() {
-      try (AppEngineEnvironment env = new AppEngineEnvironment()) {
-        ObjectifyService.initOfy();
-      }
-
-      synchronized (SqlBatchWriter.class) {
-        if (instanceCount == 0) {
-          originalJpa = jpaTm();
-          setJpaTm(jpaSupplier);
-        }
-        instanceCount++;
-      }
-    }
-
-    @Teardown
-    public void teardown() {
-      synchronized (SqlBatchWriter.class) {
-        instanceCount--;
-        if (instanceCount == 0) {
-          jpaTm().teardown();
-          setJpaTm(() -> originalJpa);
-        }
-      }
-    }
-
-    @ProcessElement
-    public void processElement(@Element KV<Integer, Iterable<T>> kv) {
-      try (AppEngineEnvironment env = new AppEngineEnvironment()) {
-        ImmutableList<Object> ofyEntities =
-            Streams.stream(kv.getValue())
-                .map(this.jpaConverter::apply)
-                // TODO(b/177340730): post migration delete the line below.
-                .filter(Objects::nonNull)
-                .collect(ImmutableList.toImmutableList());
-        try {
-          jpaTm().transact(() -> jpaTm().putAll(ofyEntities));
-          counter.inc(ofyEntities.size());
-        } catch (RuntimeException e) {
-          processSingly(ofyEntities);
-        }
-      }
-    }
-
-    /**
-     * Writes entities in a failed batch one by one to identify the first bad entity and throws a
-     * {@link RuntimeException} on it.
-     */
-    private void processSingly(ImmutableList<Object> ofyEntities) {
-      for (Object ofyEntity : ofyEntities) {
-        try {
-          jpaTm().transact(() -> jpaTm().put(ofyEntity));
-          counter.inc();
-        } catch (RuntimeException e) {
-          throw new RuntimeException(toOfyKey(ofyEntity).toString(), e);
-        }
-      }
-    }
-  }
-
   /**
    * Removes BillingEvents, {@link google.registry.model.poll.PollMessage PollMessages} and {@link
    * google.registry.model.host.HostResource} from a {@link DomainBase}. These are circular foreign

core/src/main/java/google/registry/beam/invoicing/BillingEvent.java

@@ -251,7 +251,14 @@ public abstract class BillingEvent implements Serializable {
   InvoiceGroupingKey getInvoiceGroupingKey() {
     return new AutoValue_BillingEvent_InvoiceGroupingKey(
         billingTime().toLocalDate().withDayOfMonth(1).toString(),
-        billingTime().toLocalDate().withDayOfMonth(1).plusYears(years()).minusDays(1).toString(),
+        years() == 0
+            ? ""
+            : billingTime()
+                .toLocalDate()
+                .withDayOfMonth(1)
+                .plusYears(years())
+                .minusDays(1)
+                .toString(),
         billingId(),
         String.format("%s - %s", registrarId(), tld()),
         String.format("%s | TLD: %s | TERM: %d-year", action(), tld(), years()),
@@ -260,6 +267,11 @@ public abstract class BillingEvent implements Serializable {
         poNumber());
   }
 
+  /** Returns the grouping key for this {@code BillingEvent}, to generate the detailed report. */
+  String getDetailedReportGroupingKey() {
+    return String.format("%s_%s", registrarId(), tld());
+  }
+
   /** Key for each {@code BillingEvent}, when aggregating for the overall invoice. */
   @AutoValue
   abstract static class InvoiceGroupingKey implements Serializable {

core/src/main/java/google/registry/beam/invoicing/InvoicingPipeline.java

@@ -14,28 +14,27 @@
 
 package google.registry.beam.invoicing;
 
-import com.google.auth.oauth2.GoogleCredentials;
+import static google.registry.beam.BeamUtils.getQueryFromFile;
+import static org.apache.beam.sdk.values.TypeDescriptors.strings;
+
 import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey;
 import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey.InvoiceGroupingKeyCoder;
-import google.registry.config.CredentialModule.LocalCredential;
-import google.registry.config.RegistryConfig.Config;
 import google.registry.reporting.billing.BillingModule;
-import google.registry.reporting.billing.GenerateInvoicesAction;
-import google.registry.util.GoogleCredentialsBundle;
+import google.registry.util.SqlTemplate;
 import java.io.Serializable;
-import javax.inject.Inject;
-import org.apache.beam.runners.dataflow.DataflowRunner;
-import org.apache.beam.runners.dataflow.options.DataflowPipelineOptions;
+import java.time.LocalDateTime;
+import java.time.LocalTime;
+import java.time.YearMonth;
+import java.time.format.DateTimeFormatter;
 import org.apache.beam.sdk.Pipeline;
+import org.apache.beam.sdk.PipelineResult;
 import org.apache.beam.sdk.coders.SerializableCoder;
-import org.apache.beam.sdk.io.DefaultFilenamePolicy.Params;
-import org.apache.beam.sdk.io.FileBasedSink;
+import org.apache.beam.sdk.coders.StringUtf8Coder;
+import org.apache.beam.sdk.io.FileIO;
 import org.apache.beam.sdk.io.TextIO;
 import org.apache.beam.sdk.io.gcp.bigquery.BigQueryIO;
-import org.apache.beam.sdk.options.Description;
 import org.apache.beam.sdk.options.PipelineOptionsFactory;
-import org.apache.beam.sdk.options.ValueProvider;
-import org.apache.beam.sdk.options.ValueProvider.NestedValueProvider;
+import org.apache.beam.sdk.transforms.Contextful;
 import org.apache.beam.sdk.transforms.Count;
 import org.apache.beam.sdk.transforms.Filter;
 import org.apache.beam.sdk.transforms.MapElements;
@@ -43,107 +42,48 @@ import org.apache.beam.sdk.transforms.PTransform;
 import org.apache.beam.sdk.values.KV;
 import org.apache.beam.sdk.values.PCollection;
 import org.apache.beam.sdk.values.TypeDescriptor;
-import org.apache.beam.sdk.values.TypeDescriptors;
 
 /**
- * Definition of a Dataflow pipeline template, which generates a given month's invoices.
+ * Definition of a Dataflow Flex pipeline template, which generates a given month's invoices.
  *
- * <p>To stage this template on GCS, run the {@link
- * google.registry.tools.DeployInvoicingPipelineCommand} Nomulus command.
+ * <p>To stage this template locally, run the {@code stage_beam_pipeline.sh} shell script.
  *
  * <p>Then, you can run the staged template via the API client library, gCloud or a raw REST call.
- * For an example using the API client library, see {@link GenerateInvoicesAction}.
  *
- * @see <a href="https://cloud.google.com/dataflow/docs/templates/overview">Dataflow Templates</a>
+ * @see <a href="https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates">Using
+ *     Flex Templates</a>
  */
 public class InvoicingPipeline implements Serializable {
 
-  private final String projectId;
-  private final String beamJobRegion;
-  private final String beamBucketUrl;
-  private final String invoiceTemplateUrl;
-  private final String beamStagingUrl;
-  private final String billingBucketUrl;
-  private final String invoiceFilePrefix;
-  private final GoogleCredentials googleCredentials;
+  private static final DateTimeFormatter TIMESTAMP_FORMATTER =
+      DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss.SSSSSS");
 
-  @Inject
-  public InvoicingPipeline(
-      @Config("projectId") String projectId,
-      @Config("defaultJobRegion") String beamJobRegion,
-      @Config("apacheBeamBucketUrl") String beamBucketUrl,
-      @Config("invoiceTemplateUrl") String invoiceTemplateUrl,
-      @Config("beamStagingUrl") String beamStagingUrl,
-      @Config("billingBucketUrl") String billingBucketUrl,
-      @Config("invoiceFilePrefix") String invoiceFilePrefix,
-      @LocalCredential GoogleCredentialsBundle googleCredentialsBundle) {
-    this.projectId = projectId;
-    this.beamJobRegion = beamJobRegion;
-    this.beamBucketUrl = beamBucketUrl;
-    this.invoiceTemplateUrl = invoiceTemplateUrl;
-    this.beamStagingUrl = beamStagingUrl;
-    this.billingBucketUrl = billingBucketUrl;
-    this.invoiceFilePrefix = invoiceFilePrefix;
-    this.googleCredentials = googleCredentialsBundle.getGoogleCredentials();
+  private final InvoicingPipelineOptions options;
+
+  InvoicingPipeline(InvoicingPipelineOptions options) {
+    this.options = options;
   }
 
-  /** Custom options for running the invoicing pipeline. */
-  public interface InvoicingPipelineOptions extends DataflowPipelineOptions {
-    /** Returns the yearMonth we're generating invoices for, in yyyy-MM format. */
-    @Description("The yearMonth we generate invoices for, in yyyy-MM format.")
-    ValueProvider<String> getYearMonth();
-    /**
-     * Sets the yearMonth we generate invoices for.
-     *
-     * <p>This is implicitly set when executing the Dataflow template, by specifying the 'yearMonth
-     * parameter.
-     */
-    void setYearMonth(ValueProvider<String> value);
+  PipelineResult run() {
+    Pipeline pipeline = Pipeline.create(options);
+    setupPipeline(pipeline);
+    return pipeline.run();
   }
 
-  /** Deploys the invoicing pipeline as a template on GCS, for a given projectID and GCS bucket. */
-  public void deploy() {
-    // We can't store options as a member variable due to serialization concerns.
-    InvoicingPipelineOptions options = PipelineOptionsFactory.as(InvoicingPipelineOptions.class);
-    options.setProject(projectId);
-    options.setRegion(beamJobRegion);
-    options.setRunner(DataflowRunner.class);
-    // This causes p.run() to stage the pipeline as a template on GCS, as opposed to running it.
-    options.setTemplateLocation(invoiceTemplateUrl);
-    options.setStagingLocation(beamStagingUrl);
-    // This credential is used when Dataflow deploys the template to GCS in target GCP project.
-    // So, make sure the credential has write permission to GCS in that project.
-    options.setGcpCredential(googleCredentials);
-
-    Pipeline p = Pipeline.create(options);
-
+  void setupPipeline(Pipeline pipeline) {
     PCollection<BillingEvent> billingEvents =
-        p.apply(
+        pipeline.apply(
             "Read BillingEvents from Bigquery",
             BigQueryIO.read(BillingEvent::parseFromRecord)
-                .fromQuery(InvoicingUtils.makeQueryProvider(options.getYearMonth(), projectId))
+                .fromQuery(makeQuery(options.getYearMonth(), options.getProject()))
                 .withCoder(SerializableCoder.of(BillingEvent.class))
                 .usingStandardSql()
                 .withoutValidation()
                 .withTemplateCompatibility());
-    applyTerminalTransforms(billingEvents, options.getYearMonth());
-    p.run();
-  }
 
-  /**
-   * Applies output transforms to the {@code BillingEvent} source collection.
-   *
-   * <p>This is factored out purely to facilitate testing.
-   */
-  void applyTerminalTransforms(
-      PCollection<BillingEvent> billingEvents, ValueProvider<String> yearMonthProvider) {
-    billingEvents
-        .apply("Generate overall invoice rows", new GenerateInvoiceRows())
-        .apply("Write overall invoice to CSV", writeInvoice(yearMonthProvider));
+    saveInvoiceCsv(billingEvents, options);
 
-    billingEvents.apply(
-        "Write detail reports to separate CSVs keyed by registrarId_tld pair",
-        writeDetailReports(yearMonthProvider));
+    saveDetailedCsv(billingEvents, options);
   }
 
   /** Transform that converts a {@code BillingEvent} into an invoice CSV row. */
@@ -156,49 +96,85 @@ public class InvoicingPipeline implements Serializable {
               "Map to invoicing key",
               MapElements.into(TypeDescriptor.of(InvoiceGroupingKey.class))
                   .via(BillingEvent::getInvoiceGroupingKey))
-          .apply(Filter.by((InvoiceGroupingKey key) -> key.unitPrice() != 0))
+          .apply(
+              "Filter out free events", Filter.by((InvoiceGroupingKey key) -> key.unitPrice() != 0))
           .setCoder(new InvoiceGroupingKeyCoder())
           .apply("Count occurrences", Count.perElement())
           .apply(
               "Format as CSVs",
-              MapElements.into(TypeDescriptors.strings())
+              MapElements.into(strings())
                   .via((KV<InvoiceGroupingKey, Long> kv) -> kv.getKey().toCsv(kv.getValue())));
     }
   }
 
-  /** Returns an IO transform that writes the overall invoice to a single CSV file. */
-  private TextIO.Write writeInvoice(ValueProvider<String> yearMonthProvider) {
-    return TextIO.write()
-        .to(
-            NestedValueProvider.of(
-                yearMonthProvider,
-                yearMonth ->
+  /** Saves the billing events to a single overall invoice CSV file. */
+  static void saveInvoiceCsv(
+      PCollection<BillingEvent> billingEvents, InvoicingPipelineOptions options) {
+    billingEvents
+        .apply("Generate overall invoice rows", new GenerateInvoiceRows())
+        .apply(
+            "Write overall invoice to CSV",
+            TextIO.write()
+                .to(
                     String.format(
                         "%s/%s/%s/%s-%s",
-                        billingBucketUrl,
+                        options.getBillingBucketUrl(),
                         BillingModule.INVOICES_DIRECTORY,
-                        yearMonth,
-                        invoiceFilePrefix,
-                        yearMonth)))
-        .withHeader(InvoiceGroupingKey.invoiceHeader())
-        .withoutSharding()
-        .withSuffix(".csv");
+                        options.getYearMonth(),
+                        options.getInvoiceFilePrefix(),
+                        options.getYearMonth()))
+                .withHeader(InvoiceGroupingKey.invoiceHeader())
+                .withoutSharding()
+                .withSuffix(".csv"));
   }
 
-  /** Returns an IO transform that writes detail reports to registrar-tld keyed CSV files. */
-  private TextIO.TypedWrite<BillingEvent, Params> writeDetailReports(
-      ValueProvider<String> yearMonthProvider) {
-    return TextIO.<BillingEvent>writeCustomType()
-        .to(
-            InvoicingUtils.makeDestinationFunction(
-                String.format("%s/%s", billingBucketUrl, BillingModule.INVOICES_DIRECTORY),
-                yearMonthProvider),
-            InvoicingUtils.makeEmptyDestinationParams(billingBucketUrl + "/errors"))
-        .withFormatFunction(BillingEvent::toCsv)
-        .withoutSharding()
-        .withTempDirectory(
-            FileBasedSink.convertToFileResourceIfPossible(beamBucketUrl + "/temporary"))
-        .withHeader(BillingEvent.getHeader())
-        .withSuffix(".csv");
+  /** Saves the billing events to detailed report CSV files keyed by registrar-tld pairs. */
+  static void saveDetailedCsv(
+      PCollection<BillingEvent> billingEvents, InvoicingPipelineOptions options) {
+    String yearMonth = options.getYearMonth();
+    billingEvents.apply(
+        "Write detailed report for each registrar-tld pair",
+        FileIO.<String, BillingEvent>writeDynamic()
+            .to(
+                String.format(
+                    "%s/%s/%s",
+                    options.getBillingBucketUrl(), BillingModule.INVOICES_DIRECTORY, yearMonth))
+            .by(BillingEvent::getDetailedReportGroupingKey)
+            .withNumShards(1)
+            .withDestinationCoder(StringUtf8Coder.of())
+            .withNaming(
+                key ->
+                    (window, pane, numShards, shardIndex, compression) ->
+                        String.format(
+                            "%s_%s_%s.csv", BillingModule.DETAIL_REPORT_PREFIX, yearMonth, key))
+            .via(
+                Contextful.fn(BillingEvent::toCsv),
+                TextIO.sink().withHeader(BillingEvent.getHeader())));
+  }
+
+  /** Create the Bigquery query for a given project and yearMonth at runtime. */
+  static String makeQuery(String yearMonth, String projectId) {
+    // Get the timestamp endpoints capturing the entire month with microsecond precision
+    YearMonth reportingMonth = YearMonth.parse(yearMonth);
+    LocalDateTime firstMoment = reportingMonth.atDay(1).atTime(LocalTime.MIDNIGHT);
+    LocalDateTime lastMoment = reportingMonth.atEndOfMonth().atTime(LocalTime.MAX);
+    // Construct the month's query by filling in the billing_events.sql template
+    return SqlTemplate.create(getQueryFromFile(InvoicingPipeline.class, "billing_events.sql"))
+        .put("FIRST_TIMESTAMP_OF_MONTH", firstMoment.format(TIMESTAMP_FORMATTER))
+        .put("LAST_TIMESTAMP_OF_MONTH", lastMoment.format(TIMESTAMP_FORMATTER))
+        .put("PROJECT_ID", projectId)
+        .put("DATASTORE_EXPORT_DATA_SET", "latest_datastore_export")
+        .put("ONETIME_TABLE", "OneTime")
+        .put("REGISTRY_TABLE", "Registry")
+        .put("REGISTRAR_TABLE", "Registrar")
+        .put("CANCELLATION_TABLE", "Cancellation")
+        .build();
+  }
+
+  public static void main(String[] args) {
+    PipelineOptionsFactory.register(InvoicingPipelineOptions.class);
+    InvoicingPipelineOptions options =
+        PipelineOptionsFactory.fromArgs(args).withValidation().as(InvoicingPipelineOptions.class);
+    new InvoicingPipeline(options).run();
   }
 }

core/src/main/java/google/registry/beam/invoicing/InvoicingPipelineOptions.java

@@ -0,0 +1,37 @@
+// Copyright 2021 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.invoicing;
+
+import google.registry.beam.common.RegistryPipelineOptions;
+import org.apache.beam.sdk.options.Description;
+
+/** Custom options for running the invoicing pipeline. */
+public interface InvoicingPipelineOptions extends RegistryPipelineOptions {
+
+  @Description("The year and month we generate invoices for, in yyyy-MM format.")
+  String getYearMonth();
+
+  void setYearMonth(String value);
+
+  @Description("Filename prefix for the invoice CSV file.")
+  String getInvoiceFilePrefix();
+
+  void setInvoiceFilePrefix(String value);
+
+  @Description("The GCS bucket URL for invoices and detailed  reports to be uploaded.")
+  String getBillingBucketUrl();
+
+  void setBillingBucketUrl(String value);
+}

core/src/main/java/google/registry/beam/invoicing/InvoicingUtils.java

@@ -1,106 +0,0 @@
-// Copyright 2018 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.beam.invoicing;
-
-import static google.registry.beam.BeamUtils.getQueryFromFile;
-
-import google.registry.util.SqlTemplate;
-import java.time.LocalDateTime;
-import java.time.LocalTime;
-import java.time.YearMonth;
-import java.time.format.DateTimeFormatter;
-import org.apache.beam.sdk.io.DefaultFilenamePolicy.Params;
-import org.apache.beam.sdk.io.FileBasedSink;
-import org.apache.beam.sdk.options.ValueProvider;
-import org.apache.beam.sdk.options.ValueProvider.NestedValueProvider;
-import org.apache.beam.sdk.transforms.SerializableFunction;
-
-/** Pipeline helper functions used to generate invoices from instances of {@link BillingEvent}. */
-public class InvoicingUtils {
-
-  private InvoicingUtils() {}
-
-  private static final DateTimeFormatter TIMESTAMP_FORMATTER =
-      DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss.SSSSSS");
-
-  /**
-   * Returns a function mapping from {@code BillingEvent} to filename {@code Params}.
-   *
-   * <p>Beam uses this to determine which file a given {@code BillingEvent} should get placed into.
-   *
-   * @param outputBucket the GCS bucket we're outputting reports to
-   * @param yearMonthProvider a runtime provider for the yyyy-MM we're generating the invoice for
-   */
-  static SerializableFunction<BillingEvent, Params> makeDestinationFunction(
-      String outputBucket, ValueProvider<String> yearMonthProvider) {
-    return billingEvent ->
-        new Params()
-            .withShardTemplate("")
-            .withSuffix(".csv")
-            .withBaseFilename(
-                NestedValueProvider.of(
-                    yearMonthProvider,
-                    yearMonth ->
-                        FileBasedSink.convertToFileResourceIfPossible(
-                            String.format(
-                                "%s/%s/%s",
-                                outputBucket, yearMonth, billingEvent.toFilename(yearMonth)))));
-  }
-
-  /**
-   * Returns the default filename parameters for an unmappable {@code BillingEvent}.
-   *
-   * <p>The "failed" file should only be populated when an error occurs, which warrants further
-   * investigation.
-   */
-  static Params makeEmptyDestinationParams(String outputBucket) {
-    return new Params()
-        .withBaseFilename(
-            FileBasedSink.convertToFileResourceIfPossible(
-                String.format("%s/%s", outputBucket, "FAILURES")));
-  }
-
-  /**
-   * Returns a provider that creates a Bigquery query for a given project and yearMonth at runtime.
-   *
-   * <p>We only know yearMonth at runtime, so this provider fills in the {@code
-   * sql/billing_events.sql} template at runtime.
-   *
-   * @param yearMonthProvider a runtime provider that returns which month we're invoicing for.
-   * @param projectId the projectId we're generating invoicing for.
-   */
-  static ValueProvider<String> makeQueryProvider(
-      ValueProvider<String> yearMonthProvider, String projectId) {
-    return NestedValueProvider.of(
-        yearMonthProvider,
-        (yearMonth) -> {
-          // Get the timestamp endpoints capturing the entire month with microsecond precision
-          YearMonth reportingMonth = YearMonth.parse(yearMonth);
-          LocalDateTime firstMoment = reportingMonth.atDay(1).atTime(LocalTime.MIDNIGHT);
-          LocalDateTime lastMoment = reportingMonth.atEndOfMonth().atTime(LocalTime.MAX);
-          // Construct the month's query by filling in the billing_events.sql template
-          return SqlTemplate.create(getQueryFromFile(InvoicingPipeline.class, "billing_events.sql"))
-              .put("FIRST_TIMESTAMP_OF_MONTH", firstMoment.format(TIMESTAMP_FORMATTER))
-              .put("LAST_TIMESTAMP_OF_MONTH", lastMoment.format(TIMESTAMP_FORMATTER))
-              .put("PROJECT_ID", projectId)
-              .put("DATASTORE_EXPORT_DATA_SET", "latest_datastore_export")
-              .put("ONETIME_TABLE", "OneTime")
-              .put("REGISTRY_TABLE", "Registry")
-              .put("REGISTRAR_TABLE", "Registrar")
-              .put("CANCELLATION_TABLE", "Cancellation")
-              .build();
-        });
-  }
-}

core/src/main/java/google/registry/beam/spec11/SafeBrowsingTransforms.java

@@ -14,7 +14,6 @@
 
 package google.registry.beam.spec11;
 
-
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.http.HttpStatus.SC_OK;
 
@@ -30,7 +29,6 @@ import java.net.URISyntaxException;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.function.Supplier;
-import org.apache.beam.sdk.options.ValueProvider;
 import org.apache.beam.sdk.transforms.DoFn;
 import org.apache.beam.sdk.transforms.windowing.GlobalWindow;
 import org.apache.beam.sdk.values.KV;
@@ -73,7 +71,7 @@ public class SafeBrowsingTransforms {
     private static final int BATCH_SIZE = 490;
 
     /** Provides the SafeBrowsing API key at runtime. */
-    private final ValueProvider<String> apiKeyProvider;
+    private final String apiKey;
 
     /**
      * Maps a subdomain's {@code fullyQualifiedDomainName} to its corresponding {@link Subdomain} to
@@ -93,20 +91,18 @@ public class SafeBrowsingTransforms {
     private final Retrier retrier;
 
     /**
-     * Constructs a {@link EvaluateSafeBrowsingFn} that gets its API key from the given provider.
+     * Constructs a {@link EvaluateSafeBrowsingFn} with a given API key.
      *
      * <p>We need to dual-cast the closeableHttpClientSupplier lambda because all {@code DoFn}
      * member variables need to be serializable. The (Supplier & Serializable) dual cast is safe
      * because class methods are generally serializable, especially a static function such as {@link
      * HttpClients#createDefault()}.
-     *
-     * @param apiKeyProvider provides the SafeBrowsing API key from {@code KMS} at runtime
      */
     @SuppressWarnings("unchecked")
-    EvaluateSafeBrowsingFn(ValueProvider<String> apiKeyProvider, Retrier retrier) {
-      this.apiKeyProvider = apiKeyProvider;
+    EvaluateSafeBrowsingFn(String apiKey, Retrier retrier) {
+      this.apiKey = apiKey;
       this.retrier = retrier;
-      this.closeableHttpClientSupplier = (Supplier & Serializable) HttpClients::createDefault;
+      closeableHttpClientSupplier = (Supplier & Serializable) HttpClients::createDefault;
     }
 
     /**
@@ -117,12 +113,10 @@ public class SafeBrowsingTransforms {
      */
     @VisibleForTesting
     EvaluateSafeBrowsingFn(
-        ValueProvider<String> apiKeyProvider,
-        Retrier retrier,
-        Supplier<CloseableHttpClient> clientSupplier) {
-      this.apiKeyProvider = apiKeyProvider;
+        String apiKey, Retrier retrier, Supplier<CloseableHttpClient> clientSupplier) {
+      this.apiKey = apiKey;
       this.retrier = retrier;
-      this.closeableHttpClientSupplier = clientSupplier;
+      closeableHttpClientSupplier = clientSupplier;
     }
 
     /** Evaluates any buffered {@link Subdomain} objects upon completing the bundle. */
@@ -159,7 +153,7 @@ public class SafeBrowsingTransforms {
       try {
         URIBuilder uriBuilder = new URIBuilder(SAFE_BROWSING_URL);
         // Add the API key param
-        uriBuilder.addParameter("key", apiKeyProvider.get());
+        uriBuilder.addParameter("key", apiKey);
 
         HttpPost httpPost = new HttpPost(uriBuilder.build());
         httpPost.addHeader(HTTP.CONTENT_TYPE, ContentType.APPLICATION_JSON.toString());
@@ -175,7 +169,7 @@ public class SafeBrowsingTransforms {
               }
             },
             IOException.class);
-      } catch (URISyntaxException | JSONException  e) {
+      } catch (URISyntaxException | JSONException e) {
         // Fail the pipeline on a parsing exception- this indicates the API likely changed.
         throw new RuntimeException("Caught parsing exception, failing pipeline.", e);
       } finally {
@@ -239,7 +233,9 @@ public class SafeBrowsingTransforms {
             String url = match.getJSONObject("threat").getString("url");
             Subdomain subdomain = subdomainBuffer.get(url);
             resultBuilder.add(
-                KV.of(subdomain, ThreatMatch.create(match, subdomain.domainName())));
+                KV.of(
+                    subdomain,
+                    ThreatMatch.create(match.getString("threatType"), subdomain.domainName())));
           }
         }
       }

core/src/main/java/google/registry/beam/spec11/Spec11Pipeline.java

@@ -17,32 +17,27 @@ package google.registry.beam.spec11;
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.beam.BeamUtils.getQueryFromFile;
 
-import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableSet;
-import google.registry.beam.initsql.Transforms;
-import google.registry.beam.initsql.Transforms.SerializableSupplier;
+import dagger.Component;
+import dagger.Module;
+import dagger.Provides;
+import google.registry.beam.common.RegistryJpaIO;
 import google.registry.beam.spec11.SafeBrowsingTransforms.EvaluateSafeBrowsingFn;
-import google.registry.config.CredentialModule.LocalCredential;
-import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.model.reporting.Spec11ThreatMatch;
 import google.registry.model.reporting.Spec11ThreatMatch.ThreatType;
-import google.registry.persistence.transaction.JpaTransactionManager;
-import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.Retrier;
 import google.registry.util.SqlTemplate;
+import google.registry.util.UtilsModule;
 import java.io.Serializable;
-import javax.inject.Inject;
-import org.apache.beam.runners.dataflow.DataflowRunner;
-import org.apache.beam.runners.dataflow.options.DataflowPipelineOptions;
+import javax.inject.Singleton;
 import org.apache.beam.sdk.Pipeline;
+import org.apache.beam.sdk.PipelineResult;
 import org.apache.beam.sdk.coders.SerializableCoder;
 import org.apache.beam.sdk.io.TextIO;
 import org.apache.beam.sdk.io.gcp.bigquery.BigQueryIO;
-import org.apache.beam.sdk.options.Description;
 import org.apache.beam.sdk.options.PipelineOptionsFactory;
-import org.apache.beam.sdk.options.ValueProvider;
-import org.apache.beam.sdk.options.ValueProvider.NestedValueProvider;
 import org.apache.beam.sdk.transforms.GroupByKey;
 import org.apache.beam.sdk.transforms.MapElements;
 import org.apache.beam.sdk.transforms.ParDo;
@@ -58,21 +53,20 @@ import org.json.JSONException;
 import org.json.JSONObject;
 
 /**
- * Definition of a Dataflow pipeline template, which generates a given month's spec11 report.
+ * Definition of a Dataflow Flex template, which generates a given month's spec11 report.
  *
- * <p>To stage this template on GCS, run the {@link
- * google.registry.tools.DeploySpec11PipelineCommand} Nomulus command.
+ * <p>To stage this template locally, run the {@code stage_beam_pipeline.sh} shell script.
  *
  * <p>Then, you can run the staged template via the API client library, gCloud or a raw REST call.
  *
- * @see <a href="https://cloud.google.com/dataflow/docs/templates/overview">Dataflow Templates</a>
+ * @see <a href="https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates">Using
+ *     Flex Templates</a>
  */
 public class Spec11Pipeline implements Serializable {
 
   /**
    * Returns the subdirectory spec11 reports reside in for a given local date in yyyy-MM-dd format.
    *
-   * @see google.registry.beam.spec11.Spec11Pipeline
    * @see google.registry.reporting.spec11.Spec11EmailUtils
    */
   public static String getSpec11ReportFilePath(LocalDate localDate) {
@@ -87,84 +81,28 @@ public class Spec11Pipeline implements Serializable {
   /** The JSON object field into which we put the threat match array for Spec11 reports. */
   public static final String THREAT_MATCHES_FIELD = "threatMatches";
 
-  private final String projectId;
-  private final String beamJobRegion;
-  private final String beamStagingUrl;
-  private final String spec11TemplateUrl;
-  private final String reportingBucketUrl;
-  private final GoogleCredentials googleCredentials;
-  private final Retrier retrier;
-  private final SerializableSupplier<JpaTransactionManager> jpaSupplierFactory;
+  private final Spec11PipelineOptions options;
+  private final EvaluateSafeBrowsingFn safeBrowsingFn;
 
-  @Inject
-  public Spec11Pipeline(
-      @Config("projectId") String projectId,
-      @Config("defaultJobRegion") String beamJobRegion,
-      @Config("beamStagingUrl") String beamStagingUrl,
-      @Config("spec11TemplateUrl") String spec11TemplateUrl,
-      @Config("reportingBucketUrl") String reportingBucketUrl,
-      SerializableSupplier<JpaTransactionManager> jpaSupplierFactory,
-      @LocalCredential GoogleCredentialsBundle googleCredentialsBundle,
-      Retrier retrier) {
-    this.projectId = projectId;
-    this.beamJobRegion = beamJobRegion;
-    this.beamStagingUrl = beamStagingUrl;
-    this.spec11TemplateUrl = spec11TemplateUrl;
-    this.reportingBucketUrl = reportingBucketUrl;
-    this.jpaSupplierFactory = jpaSupplierFactory;
-    this.googleCredentials = googleCredentialsBundle.getGoogleCredentials();
-    this.retrier = retrier;
+  Spec11Pipeline(Spec11PipelineOptions options, EvaluateSafeBrowsingFn safeBrowsingFn) {
+    this.options = options;
+    this.safeBrowsingFn = safeBrowsingFn;
   }
 
-  /** Custom options for running the spec11 pipeline. */
-  public interface Spec11PipelineOptions extends DataflowPipelineOptions {
-    /** Returns the local date we're generating the report for, in yyyy-MM-dd format. */
-    @Description("The local date we generate the report for, in yyyy-MM-dd format.")
-    ValueProvider<String> getDate();
-
-    /**
-     * Sets the local date we generate invoices for.
-     *
-     * <p>This is implicitly set when executing the Dataflow template, by specifying the "date"
-     * parameter.
-     */
-    void setDate(ValueProvider<String> value);
-
-    /** Returns the SafeBrowsing API key we use to evaluate subdomain health. */
-    @Description("The API key we use to access the SafeBrowsing API.")
-    ValueProvider<String> getSafeBrowsingApiKey();
-
-    /**
-     * Sets the SafeBrowsing API key we use.
-     *
-     * <p>This is implicitly set when executing the Dataflow template, by specifying the
-     * "safeBrowsingApiKey" parameter.
-     */
-    void setSafeBrowsingApiKey(ValueProvider<String> value);
+  PipelineResult run() {
+    Pipeline pipeline = Pipeline.create(options);
+    setupPipeline(pipeline);
+    return pipeline.run();
   }
 
-  /** Deploys the spec11 pipeline as a template on GCS. */
-  public void deploy() {
-    // We can't store options as a member variable due to serialization concerns.
-    Spec11PipelineOptions options = PipelineOptionsFactory.as(Spec11PipelineOptions.class);
-    options.setProject(projectId);
-    options.setRegion(beamJobRegion);
-    options.setRunner(DataflowRunner.class);
-    // This causes p.run() to stage the pipeline as a template on GCS, as opposed to running it.
-    options.setTemplateLocation(spec11TemplateUrl);
-    options.setStagingLocation(beamStagingUrl);
-    // This credential is used when Dataflow deploys the template to GCS in target GCP project.
-    // So, make sure the credential has write permission to GCS in that project.
-    options.setGcpCredential(googleCredentials);
-
-    Pipeline p = Pipeline.create(options);
+  void setupPipeline(Pipeline pipeline) {
     PCollection<Subdomain> domains =
-        p.apply(
+        pipeline.apply(
             "Read active domains from BigQuery",
             BigQueryIO.read(Subdomain::parseFromRecord)
                 .fromQuery(
                     SqlTemplate.create(getQueryFromFile(Spec11Pipeline.class, "subdomains.sql"))
-                        .put("PROJECT_ID", projectId)
+                        .put("PROJECT_ID", options.getProject())
                         .put("DATASTORE_EXPORT_DATASET", "latest_datastore_export")
                         .put("REGISTRAR_TABLE", "Registrar")
                         .put("DOMAIN_BASE_TABLE", "DomainBase")
@@ -174,48 +112,40 @@ public class Spec11Pipeline implements Serializable {
                 .withoutValidation()
                 .withTemplateCompatibility());
 
-    evaluateUrlHealth(
-        domains,
-        new EvaluateSafeBrowsingFn(options.getSafeBrowsingApiKey(), retrier),
-        options.getDate());
-    p.run();
+    PCollection<KV<Subdomain, ThreatMatch>> threatMatches =
+        domains.apply("Run through SafeBrowsing API", ParDo.of(safeBrowsingFn));
+
+    saveToSql(threatMatches, options);
+    saveToGcs(threatMatches, options);
   }
 
-  /**
-   * Evaluate each {@link Subdomain} URL via the SafeBrowsing API.
-   *
-   * <p>This is factored out to facilitate testing.
-   */
-  void evaluateUrlHealth(
-      PCollection<Subdomain> domains,
-      EvaluateSafeBrowsingFn evaluateSafeBrowsingFn,
-      ValueProvider<String> dateProvider) {
-    PCollection<KV<Subdomain, ThreatMatch>> subdomainsSql =
-        domains.apply("Run through SafeBrowsing API", ParDo.of(evaluateSafeBrowsingFn));
-    TypeDescriptor<KV<Subdomain, ThreatMatch>> descriptor =
-        new TypeDescriptor<KV<Subdomain, ThreatMatch>>() {};
-    subdomainsSql.apply(
-        Transforms.writeToSql(
-            "Spec11ThreatMatch",
-            4,
-            4,
-            jpaSupplierFactory,
-            (kv) -> {
-              Subdomain subdomain = kv.getKey();
-              return new Spec11ThreatMatch.Builder()
-                  .setThreatTypes(ImmutableSet.of(ThreatType.valueOf(kv.getValue().threatType())))
-                  .setCheckDate(LocalDate.parse(dateProvider.get(), ISODateTimeFormat.date()))
-                  .setDomainName(subdomain.domainName())
-                  .setDomainRepoId(subdomain.domainRepoId())
-                  .setRegistrarId(subdomain.registrarId())
-                  .build();
-            },
-            descriptor));
+  static void saveToSql(
+      PCollection<KV<Subdomain, ThreatMatch>> threatMatches, Spec11PipelineOptions options) {
+    String transformId = "Spec11 Threat Matches";
+    LocalDate date = LocalDate.parse(options.getDate(), ISODateTimeFormat.date());
+    threatMatches.apply(
+        "Write to Sql: " + transformId,
+        RegistryJpaIO.<KV<Subdomain, ThreatMatch>>write()
+            .withName(transformId)
+            .withBatchSize(options.getSqlWriteBatchSize())
+            .withShards(options.getSqlWriteShards())
+            .withJpaConverter(
+                (kv) -> {
+                  Subdomain subdomain = kv.getKey();
+                  return new Spec11ThreatMatch.Builder()
+                      .setThreatTypes(
+                          ImmutableSet.of(ThreatType.valueOf(kv.getValue().threatType())))
+                      .setCheckDate(date)
+                      .setDomainName(subdomain.domainName())
+                      .setDomainRepoId(subdomain.domainRepoId())
+                      .setRegistrarId(subdomain.registrarId())
+                      .build();
+                }));
+  }
 
-    /* Store ThreatMatch objects in JSON. */
-    PCollection<KV<Subdomain, ThreatMatch>> subdomainsJson =
-        domains.apply("Run through SafeBrowsingAPI", ParDo.of(evaluateSafeBrowsingFn));
-    subdomainsJson
+  static void saveToGcs(
+      PCollection<KV<Subdomain, ThreatMatch>> threatMatches, Spec11PipelineOptions options) {
+    threatMatches
         .apply(
             "Map registrar ID to email/ThreatMatch pair",
             MapElements.into(
@@ -260,17 +190,54 @@ public class Spec11Pipeline implements Serializable {
             "Output to text file",
             TextIO.write()
                 .to(
-                    NestedValueProvider.of(
-                        dateProvider,
-                        date ->
-                            String.format(
-                                "%s/%s",
-                                reportingBucketUrl,
-                                getSpec11ReportFilePath(LocalDate.parse(date)))))
+                    String.format(
+                        "%s/%s",
+                        options.getReportingBucketUrl(),
+                        getSpec11ReportFilePath(LocalDate.parse(options.getDate()))))
                 .withoutSharding()
                 .withHeader("Map from registrar email / name to detected subdomain threats:"));
   }
 
+  public static void main(String[] args) {
+    PipelineOptionsFactory.register(Spec11PipelineOptions.class);
+    DaggerSpec11Pipeline_Spec11PipelineComponent.builder()
+        .spec11PipelineModule(new Spec11PipelineModule(args))
+        .build()
+        .spec11Pipeline()
+        .run();
+  }
+
+  @Module
+  static class Spec11PipelineModule {
+    private final String[] args;
+
+    Spec11PipelineModule(String[] args) {
+      this.args = args;
+    }
+
+    @Provides
+    Spec11PipelineOptions provideOptions() {
+      return PipelineOptionsFactory.fromArgs(args).withValidation().as(Spec11PipelineOptions.class);
+    }
+
+    @Provides
+    EvaluateSafeBrowsingFn provideSafeBrowsingFn(Spec11PipelineOptions options, Retrier retrier) {
+      return new EvaluateSafeBrowsingFn(options.getSafeBrowsingApiKey(), retrier);
+    }
+
+    @Provides
+    Spec11Pipeline providePipeline(
+        Spec11PipelineOptions options, EvaluateSafeBrowsingFn safeBrowsingFn) {
+      return new Spec11Pipeline(options, safeBrowsingFn);
+    }
+  }
+
+  @Component(modules = {Spec11PipelineModule.class, UtilsModule.class, ConfigModule.class})
+  @Singleton
+  interface Spec11PipelineComponent {
+    Spec11Pipeline spec11Pipeline();
+  }
+
   @AutoValue
   abstract static class EmailAndThreatMatch implements Serializable {
 

core/src/main/java/google/registry/beam/spec11/Spec11PipelineOptions.java

@@ -0,0 +1,37 @@
+// Copyright 2021 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.spec11;
+
+import google.registry.beam.common.RegistryPipelineOptions;
+import org.apache.beam.sdk.options.Description;
+
+/** Custom options for running the spec11 pipeline. */
+public interface Spec11PipelineOptions extends RegistryPipelineOptions {
+
+  @Description("The local date we generate the report for, in yyyy-MM-dd format.")
+  String getDate();
+
+  void setDate(String value);
+
+  @Description("The API key we use to access the SafeBrowsing API.")
+  String getSafeBrowsingApiKey();
+
+  void setSafeBrowsingApiKey(String value);
+
+  @Description("The GCS bucket URL for Spec11 reports to be uploaded.")
+  String getReportingBucketUrl();
+
+  void setReportingBucketUrl(String value);
+}

core/src/main/java/google/registry/beam/spec11/ThreatMatch.java

@@ -15,6 +15,7 @@
 package google.registry.beam.spec11;
 
 import com.google.auto.value.AutoValue;
+import com.google.common.annotations.VisibleForTesting;
 import java.io.Serializable;
 import org.json.JSONException;
 import org.json.JSONObject;
@@ -31,16 +32,9 @@ public abstract class ThreatMatch implements Serializable {
   /** Returns the fully qualified domain name [SLD].[TLD] of the matched threat. */
   public abstract String fullyQualifiedDomainName();
 
-  /**
-   * Constructs a {@link ThreatMatch} by parsing a {@code SafeBrowsing API} response {@link
-   * JSONObject}.
-   *
-   * @throws JSONException when encountering parse errors in the response format
-   */
-  static ThreatMatch create(JSONObject threatMatchJSON, String fullyQualifiedDomainName)
-      throws JSONException {
-    return new AutoValue_ThreatMatch(
-        threatMatchJSON.getString(THREAT_TYPE_FIELD), fullyQualifiedDomainName);
+  @VisibleForTesting
+  static ThreatMatch create(String threatType, String fullyQualifiedDomainName) {
+    return new AutoValue_ThreatMatch(threatType, fullyQualifiedDomainName);
   }
 
   /** Returns a {@link JSONObject} representing a subset of this object's data. */

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -203,7 +203,7 @@ public final class RegistryConfig {
      * Configuration for analytics services installed in the web console.
      *
      * @see google.registry.ui.server.registrar.ConsoleUiAction
-     * @see google.registry.ui.soy.AnalyticsSoyInfo
+     * @see google.registry.ui.soy.registrar.AnalyticsSoyInfo
      */
     @Provides
     @Config("analyticsConfig")
@@ -384,31 +384,12 @@ public final class RegistryConfig {
       return Duration.standardHours(1);
     }
 
-    /**
-     * Number of sharded entity group roots used for performing strongly consistent scans.
-     *
-     * <p><b>Warning:</b> This number may increase but never decrease.
-     *
-     * @see google.registry.model.index.EppResourceIndex
-     */
-    @Provides
-    @Config("eppResourceIndexBucketCount")
-    public static int provideEppResourceIndexBucketCount(RegistryConfigSettings config) {
-      return config.datastore.eppResourceIndexBucketsNum;
-    }
-
     @Provides
     @Config("cloudSqlJdbcUrl")
     public static String providesCloudSqlJdbcUrl(RegistryConfigSettings config) {
       return config.cloudSql.jdbcUrl;
     }
 
-    @Provides
-    @Config("cloudSqlUsername")
-    public static String providesCloudSqlUsername(RegistryConfigSettings config) {
-      return config.cloudSql.username;
-    }
-
     @Provides
     @Config("cloudSqlInstanceConnectionName")
     public static String providesCloudSqlInstanceConnectionName(RegistryConfigSettings config) {
@@ -570,53 +551,6 @@ public final class RegistryConfig {
       return config.gSuite.outgoingEmailDisplayName;
     }
 
-    /**
-     * Returns the name of the GCS bucket for storing Beam templates and results.
-     *
-     * @see google.registry.reporting.billing.GenerateInvoicesAction
-     */
-    @Provides
-    @Config("apacheBeamBucket")
-    public static String provideApacheBeamBucket(@Config("projectId") String projectId) {
-      return projectId + "-beam";
-    }
-
-    /**
-     * Returns the URL of the GCS location for storing Apache Beam related objects.
-     *
-     * @see google.registry.reporting.billing.GenerateInvoicesAction
-     */
-    @Provides
-    @Config("apacheBeamBucketUrl")
-    public static String provideApacheBeamBucketUrl(@Config("apacheBeamBucket") String beamBucket) {
-      return "gs://" + beamBucket;
-    }
-
-    /**
-     * Returns the URL of the GCS location for storing the monthly invoicing Beam template.
-     *
-     * @see google.registry.reporting.billing.GenerateInvoicesAction
-     * @see google.registry.beam.invoicing.InvoicingPipeline
-     */
-    @Provides
-    @Config("invoiceTemplateUrl")
-    public static String provideInvoiceTemplateUrl(
-        @Config("apacheBeamBucketUrl") String beamBucketUrl) {
-      return beamBucketUrl + "/templates/invoicing";
-    }
-
-    /**
-     * Returns the URL of the GCS location for storing the monthly spec11 Beam template.
-     *
-     * @see google.registry.beam.spec11.Spec11Pipeline
-     */
-    @Provides
-    @Config("spec11TemplateUrl")
-    public static String provideSpec11TemplateUrl(
-        @Config("apacheBeamBucketUrl") String beamBucketUrl) {
-      return beamBucketUrl + "/templates/spec11";
-    }
-
     /**
      * Returns whether an SSL certificate hash is required to log in via EPP and run flows.
      *
@@ -640,18 +574,6 @@ public final class RegistryConfig {
       return config.beam.defaultJobRegion;
     }
 
-    /**
-     * Returns the default job zone to run Apache Beam (Cloud Dataflow) jobs in.
-     *
-     * @see google.registry.reporting.billing.GenerateInvoicesAction
-     * @see google.registry.reporting.spec11.GenerateSpec11ReportAction
-     */
-    @Provides
-    @Config("defaultJobZone")
-    public static String provideDefaultJobZone(RegistryConfigSettings config) {
-      return config.beam.defaultJobZone;
-    }
-
     /** Returns the GCS bucket URL with all staged BEAM flex templates. */
     @Provides
     @Config("beamStagingBucketUrl")
@@ -659,19 +581,6 @@ public final class RegistryConfig {
       return config.beam.stagingBucketUrl;
     }
 
-    /**
-     * Returns the URL of the GCS location we store jar dependencies for beam pipelines.
-     *
-     * @see google.registry.beam.invoicing.InvoicingPipeline
-     * @see google.registry.beam.spec11.Spec11Pipeline
-     */
-    @Provides
-    @Config("beamStagingUrl")
-    public static String provideInvoiceStagingUrl(
-        @Config("apacheBeamBucketUrl") String beamBucketUrl) {
-      return beamBucketUrl + "/staging";
-    }
-
     /**
      * Returns the Google Cloud Storage bucket for Spec11 and ICANN transaction and activity reports
      * to be uploaded.
@@ -1233,14 +1142,6 @@ public final class RegistryConfig {
       return formatComments(config.registryPolicy.reservedTermsExportDisclaimer);
     }
 
-    /** Returns the clientId of the registrar used by the {@code CheckApiServlet}. */
-    // TODO(b/80417678): remove this once CheckApiAction no longer uses this id.
-    @Provides
-    @Config("checkApiServletRegistrarClientId")
-    public static String provideCheckApiServletRegistrarClientId(RegistryConfigSettings config) {
-      return config.registryPolicy.checkApiServletClientId;
-    }
-
     /**
      * Returns the clientId of the registrar that admins are automatically logged in as if they
      * aren't otherwise associated with one.
@@ -1342,12 +1243,6 @@ public final class RegistryConfig {
       return config.registryTool.clientSecret;
     }
 
-    @Provides
-    @Config("toolsCloudSqlUsername")
-    public static String providesToolsCloudSqlUsername(RegistryConfigSettings config) {
-      return config.registryTool.username;
-    }
-
     @Provides
     @Config("rdapTos")
     public static ImmutableList<String> provideRdapTos(RegistryConfigSettings config) {
@@ -1607,22 +1502,6 @@ public final class RegistryConfig {
     CONFIG_SETTINGS.get().cloudSql.replicateTransactions = replicateTransactions;
   }
 
-  /**
-   * Returns whether or not to replay commit logs to the SQL database after export to GCS.
-   *
-   * <p>If true, we will trigger the {@link google.registry.backup.ReplayCommitLogsToSqlAction}
-   * after the {@link google.registry.backup.ExportCommitLogDiffAction} to load the commit logs and
-   * replay them to SQL.
-   */
-  public static boolean getCloudSqlReplayCommitLogs() {
-    return CONFIG_SETTINGS.get().cloudSql.replayCommitLogs;
-  }
-
-  @VisibleForTesting
-  public static void overrideCloudSqlReplayCommitLogs(boolean replayCommitLogs) {
-    CONFIG_SETTINGS.get().cloudSql.replayCommitLogs = replayCommitLogs;
-  }
-
   /** Returns the roid suffix to be used for the roids of all contacts and hosts. */
   public static String getContactAndHostRoidSuffix() {
     return CONFIG_SETTINGS.get().registryPolicy.contactAndHostRoidSuffix;

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -123,16 +123,15 @@ public class RegistryConfigSettings {
   /** Configuration for Cloud SQL. */
   public static class CloudSql {
     public String jdbcUrl;
+    // TODO(05012021): remove username field after it is removed from all yaml files.
     public String username;
     public String instanceConnectionName;
     public boolean replicateTransactions;
-    public boolean replayCommitLogs;
   }
 
   /** Configuration for Apache Beam (Cloud Dataflow). */
   public static class Beam {
     public String defaultJobRegion;
-    public String defaultJobZone;
     public String stagingBucketUrl;
   }
 
@@ -221,6 +220,7 @@ public class RegistryConfigSettings {
   public static class RegistryTool {
     public String clientId;
     public String clientSecret;
+    // TODO(05012021): remove username field after it is removed from all yaml files.
     public String username;
   }
 

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -225,15 +225,11 @@ cloudSql:
   # If jdbcUrl in this file is moved elsewhere, be sure to move this notice
   # with it until the change is applied.
   jdbcUrl: jdbc:postgresql://localhost
-  # Username for the database user.
-  username: username
   # This name is used by Cloud SQL when connecting to the database.
   instanceConnectionName: project-id:region:instance-id
   # Set this to true to replicate cloud SQL transactions to datastore in the
   # background.
   replicateTransactions: false
-  # Set this to true to enable replay of commit logs to SQL
-  replayCommitLogs: false
 
 cloudDns:
   # Set both properties to null in Production.
@@ -422,9 +418,6 @@ misc:
 beam:
   # The default region to run Apache Beam (Cloud Dataflow) jobs in.
   defaultJobRegion: us-east1
-  # The default zone to run Apache Beam (Cloud Dataflow) jobs in.
-  # TODO(weiminyu): consider dropping zone config. No obvious needs for this.
-  defaultJobZone: us-east1-c
   stagingBucketUrl: gcs-bucket-with-staged-templates
 
 keyring:
@@ -447,7 +440,6 @@ registryTool:
   clientId: YOUR_CLIENT_ID
   # OAuth client secret used by the tool.
   clientSecret: YOUR_CLIENT_SECRET
-  username: toolusername
 
 # Configuration options for checking SSL certificates.
 sslCertificateValidation:

core/src/main/java/google/registry/config/files/premium/example.txt

@@ -1,5 +1,5 @@
-# Example of a reserved list file.  This is simply a CSV file with two
-# columns: sub-domain name and price (specified as currency type and value).
+# Example of a premium list file.  This is simply a CSV file with two
+# columns: sub-domain name, and price (specified as currency type and value).
 #
 # These are manipulated using the "nomulus" tool
 # {create,update,delete,list}_premium_list commands.

core/src/main/java/google/registry/env/common/backend/WEB-INF/web.xml

@@ -385,6 +385,18 @@
     <url-pattern>/_dr/task/wipeOutCloudSql</url-pattern>
   </servlet-mapping>
 
+  <!-- Action to wipeout Cloud Datastore data -->
+  <servlet-mapping>
+    <servlet-name>backend-servlet</servlet-name>
+    <url-pattern>/_dr/task/wipeOutDatastore</url-pattern>
+  </servlet-mapping>
+
+  <!-- Action to create synthetic history entries during async replication to SQL -->
+  <servlet-mapping>
+    <servlet-name>backend-servlet</servlet-name>
+    <url-pattern>/_dr/task/createSyntheticHistoryEntries</url-pattern>
+  </servlet-mapping>
+
   <!-- Security config -->
   <security-constraint>
     <web-resource-collection>

core/src/main/java/google/registry/env/common/default/WEB-INF/datastore-indexes.xml

@@ -41,6 +41,11 @@
     <property name="nsHosts" direction="asc"/>
     <property name="deletionTime" direction="asc"/>
   </datastore-index>
+  <!-- For deleting expired not-previously-deleted domains. -->
+  <datastore-index kind="DomainBase" ancestor="false" source="manual">
+    <property name="deletionTime" direction="asc"/>
+    <property name="autorenewEndTime" direction="asc"/>
+  </datastore-index>
   <!-- For RDAP searches by linked nameserver. -->
   <datastore-index kind="DomainBase" ancestor="false" source="manual">
     <property name="nsHosts" direction="asc"/>

core/src/main/java/google/registry/env/qa/default/WEB-INF/cron.xml

@@ -91,4 +91,13 @@
     <target>backend</target>
   </cron>
 
+  <cron>
+    <url><![CDATA[/_dr/task/wipeOutDatastore]]></url>
+    <description>
+      This job runs an action that deletes all data in Cloud Datastore.
+    </description>
+    <schedule>every saturday 03:07</schedule>
+    <target>backend</target>
+  </cron>
+
 </cronentries>

core/src/main/java/google/registry/export/ExportPremiumTermsAction.java

@@ -32,12 +32,12 @@ import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.registry.Registry;
 import google.registry.model.registry.label.PremiumList.PremiumListEntry;
-import google.registry.model.registry.label.PremiumListDualDao;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.RequestParameters;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
+import google.registry.schema.tld.PremiumListDao;
 import google.registry.storage.drive.DriveConnection;
 import java.io.IOException;
 import java.util.Optional;
@@ -113,7 +113,7 @@ public class ExportPremiumTermsAction implements Runnable {
           "Skipping premium terms export for TLD %s because Drive folder isn't specified", tld);
       return Optional.of("Skipping export because no Drive folder is associated with this TLD");
     }
-    if (registry.getPremiumList() == null) {
+    if (!registry.getPremiumList().isPresent()) {
       logger.atInfo().log("No premium terms to export for TLD %s", tld);
       return Optional.of("No premium lists configured");
     }
@@ -137,11 +137,13 @@ public class ExportPremiumTermsAction implements Runnable {
   }
 
   private String getFormattedPremiumTerms(Registry registry) {
-    String premiumListName = registry.getPremiumList().getName();
+    checkState(registry.getPremiumList().isPresent(), "%s does not have a premium list", tld);
+    String premiumListName = registry.getPremiumList().get().getName();
     checkState(
-        PremiumListDualDao.exists(premiumListName), "Could not load premium list for " + tld);
+        PremiumListDao.getLatestRevision(premiumListName).isPresent(),
+        "Could not load premium list for " + tld);
     SortedSet<String> premiumTerms =
-        Streams.stream(PremiumListDualDao.loadAllPremiumListEntries(premiumListName))
+        Streams.stream(PremiumListDao.loadAllPremiumListEntries(premiumListName))
             .map(PremiumListEntry::toString)
             .collect(ImmutableSortedSet.toImmutableSortedSet(String::compareTo));
 

core/src/main/java/google/registry/export/SyncGroupMembersAction.java

@@ -16,7 +16,6 @@ package google.registry.export;
 
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.util.CollectionUtils.nullToEmpty;
@@ -164,7 +163,7 @@ public final class SyncGroupMembersAction implements Runnable {
         registrarsToSave.add(result.getKey().asBuilder().setContactsRequireSyncing(false).build());
       }
     }
-    tm().transactNew(() -> ofy().save().entities(registrarsToSave.build()));
+    tm().transactNew(() -> tm().updateAll(registrarsToSave.build()));
     return errors;
   }
 

core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheet.java

@@ -17,7 +17,6 @@ package google.registry.export.sheet;
 import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static google.registry.model.common.Cursor.CursorType.SYNC_REGISTRAR_SHEET;
-import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.registrar.RegistrarContact.Type.ABUSE;
 import static google.registry.model.registrar.RegistrarContact.Type.ADMIN;
 import static google.registry.model.registrar.RegistrarContact.Type.BILLING;
@@ -26,6 +25,7 @@ import static google.registry.model.registrar.RegistrarContact.Type.MARKETING;
 import static google.registry.model.registrar.RegistrarContact.Type.TECH;
 import static google.registry.model.registrar.RegistrarContact.Type.WHOIS;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.persistence.transaction.TransactionManagerUtil.transactIfJpaTm;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 
 import com.google.common.base.Joiner;
@@ -40,6 +40,7 @@ import google.registry.model.registrar.RegistrarContact;
 import google.registry.util.Clock;
 import google.registry.util.DateTimeUtils;
 import java.io.IOException;
+import java.util.Optional;
 import java.util.function.Predicate;
 import javax.annotation.Nullable;
 import javax.inject.Inject;
@@ -61,8 +62,10 @@ class SyncRegistrarsSheet {
    * successfully completed, as measured by a cursor.
    */
   boolean wereRegistrarsModified() {
-    Cursor cursor = ofy().load().key(Cursor.createGlobalKey(SYNC_REGISTRAR_SHEET)).now();
-    DateTime lastUpdateTime = (cursor == null) ? START_OF_TIME : cursor.getCursorTime();
+    Optional<Cursor> cursor =
+        transactIfJpaTm(
+            () -> tm().loadByKeyIfPresent(Cursor.createGlobalVKey(SYNC_REGISTRAR_SHEET)));
+    DateTime lastUpdateTime = !cursor.isPresent() ? START_OF_TIME : cursor.get().getCursorTime();
     for (Registrar registrar : Registrar.loadAllCached()) {
       if (DateTimeUtils.isAtOrAfter(registrar.getLastUpdateTime(), lastUpdateTime)) {
         return true;

core/src/main/java/google/registry/flows/FlowModule.java

@@ -20,6 +20,8 @@ import com.google.common.base.Strings;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.flows.picker.FlowPicker;
+import google.registry.model.contact.ContactHistory;
+import google.registry.model.domain.DomainHistory;
 import google.registry.model.domain.metadata.MetadataExtension;
 import google.registry.model.eppcommon.AuthInfo;
 import google.registry.model.eppcommon.Trid;
@@ -30,6 +32,7 @@ import google.registry.model.eppinput.ResourceCommand;
 import google.registry.model.eppinput.ResourceCommand.SingleResourceCommand;
 import google.registry.model.eppoutput.EppResponse;
 import google.registry.model.eppoutput.Result;
+import google.registry.model.host.HostHistory;
 import google.registry.model.reporting.HistoryEntry;
 import java.lang.annotation.Documented;
 import java.util.Optional;
@@ -210,33 +213,78 @@ public class FlowModule {
     return Strings.nullToEmpty(((Poll) eppInput.getCommandWrapper().getCommand()).getMessageId());
   }
 
+  private static <B extends HistoryEntry.Builder<? extends HistoryEntry, ?>>
+      B makeHistoryEntryBuilder(
+          B builder,
+          Trid trid,
+          byte[] inputXmlBytes,
+          boolean isSuperuser,
+          String clientId,
+          EppInput eppInput) {
+    builder
+        .setTrid(trid)
+        .setXmlBytes(inputXmlBytes)
+        .setBySuperuser(isSuperuser)
+        .setClientId(clientId);
+    Optional<MetadataExtension> metadataExtension =
+        eppInput.getSingleExtension(MetadataExtension.class);
+    metadataExtension.ifPresent(
+        extension ->
+            builder
+                .setReason(extension.getReason())
+                .setRequestedByRegistrar(extension.getRequestedByRegistrar()));
+    return builder;
+  }
+
   /**
-   * Provides a partially filled in {@link HistoryEntry} builder.
+   * Provides a partially filled in {@link ContactHistory.Builder}
    *
    * <p>This is not marked with {@link FlowScope} so that each retry gets a fresh one. Otherwise,
    * the fact that the builder is one-use would cause NPEs.
    */
   @Provides
-  static HistoryEntry.Builder provideHistoryEntryBuilder(
+  static ContactHistory.Builder provideContactHistoryBuilder(
       Trid trid,
       @InputXml byte[] inputXmlBytes,
       @Superuser boolean isSuperuser,
       @ClientId String clientId,
       EppInput eppInput) {
-    HistoryEntry.Builder historyBuilder =
-        new HistoryEntry.Builder()
-            .setTrid(trid)
-            .setXmlBytes(inputXmlBytes)
-            .setBySuperuser(isSuperuser)
-            .setClientId(clientId);
-    Optional<MetadataExtension> metadataExtension =
-        eppInput.getSingleExtension(MetadataExtension.class);
-    if (metadataExtension.isPresent()) {
-      historyBuilder
-          .setReason(metadataExtension.get().getReason())
-          .setRequestedByRegistrar(metadataExtension.get().getRequestedByRegistrar());
-    }
-    return historyBuilder;
+    return makeHistoryEntryBuilder(
+        new ContactHistory.Builder(), trid, inputXmlBytes, isSuperuser, clientId, eppInput);
+  }
+
+  /**
+   * Provides a partially filled in {@link HostHistory.Builder}
+   *
+   * <p>This is not marked with {@link FlowScope} so that each retry gets a fresh one. Otherwise,
+   * the fact that the builder is one-use would cause NPEs.
+   */
+  @Provides
+  static HostHistory.Builder provideHostHistoryBuilder(
+      Trid trid,
+      @InputXml byte[] inputXmlBytes,
+      @Superuser boolean isSuperuser,
+      @ClientId String clientId,
+      EppInput eppInput) {
+    return makeHistoryEntryBuilder(
+        new HostHistory.Builder(), trid, inputXmlBytes, isSuperuser, clientId, eppInput);
+  }
+
+  /**
+   * Provides a partially filled in {@link DomainHistory.Builder}
+   *
+   * <p>This is not marked with {@link FlowScope} so that each retry gets a fresh one. Otherwise,
+   * the fact that the builder is one-use would cause NPEs.
+   */
+  @Provides
+  static DomainHistory.Builder provideDomainHistoryBuilder(
+      Trid trid,
+      @InputXml byte[] inputXmlBytes,
+      @Superuser boolean isSuperuser,
+      @ClientId String clientId,
+      EppInput eppInput) {
+    return makeHistoryEntryBuilder(
+        new DomainHistory.Builder(), trid, inputXmlBytes, isSuperuser, clientId, eppInput);
   }
 
   /**
@@ -249,7 +297,7 @@ public class FlowModule {
   static EppResponse.Builder provideEppResponseBuilder(Trid trid) {
     return new EppResponse.Builder()
         .setTrid(trid)
-        .setResultFromCode(Result.Code.SUCCESS);  // Default to success.
+        .setResultFromCode(Result.Code.SUCCESS); // Default to success.
   }
 
   @Provides

core/src/main/java/google/registry/flows/FlowUtils.java

@@ -15,22 +15,26 @@
 package google.registry.flows;
 
 import static com.google.common.base.Preconditions.checkState;
-import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.xml.ValidationMode.LENIENT;
 import static google.registry.xml.ValidationMode.STRICT;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 import com.google.common.base.Throwables;
 import com.google.common.flogger.FluentLogger;
+import com.googlecode.objectify.Key;
 import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.EppException.ParameterValueRangeErrorException;
 import google.registry.flows.EppException.SyntaxErrorException;
 import google.registry.flows.EppException.UnimplementedProtocolVersionException;
 import google.registry.flows.custom.EntityChanges;
+import google.registry.model.EppResource;
 import google.registry.model.eppcommon.EppXmlTransformer;
 import google.registry.model.eppinput.EppInput.WrongProtocolVersionException;
 import google.registry.model.eppoutput.EppOutput;
 import google.registry.model.host.InetAddressAdapter.IpVersionMismatchException;
+import google.registry.model.ofy.ObjectifyService;
+import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.translators.CurrencyUnitAdapter.UnknownCurrencyException;
 import google.registry.xml.XmlException;
 import java.util.List;
@@ -51,8 +55,8 @@ public final class FlowUtils {
 
   /** Persists the saves and deletes in an {@link EntityChanges} to Datastore. */
   public static void persistEntityChanges(EntityChanges entityChanges) {
-    ofy().save().entities(entityChanges.getSaves());
-    ofy().delete().keys(entityChanges.getDeletes());
+    tm().putAll(entityChanges.getSaves());
+    tm().delete(entityChanges.getDeletes());
   }
 
   /**
@@ -99,6 +103,11 @@ public final class FlowUtils {
     }
   }
 
+  public static <H extends HistoryEntry> Key<H> createHistoryKey(
+      EppResource parent, Class<H> clazz) {
+    return Key.create(Key.create(parent), clazz, ObjectifyService.allocateId());
+  }
+
   /** Registrar is not logged in. */
   public static class NotLoggedInException extends CommandUseErrorException {
     public NotLoggedInException() {

core/src/main/java/google/registry/flows/ResourceFlowUtils.java

@@ -16,6 +16,7 @@ package google.registry.flows;
 
 import static com.google.common.collect.Sets.intersection;
 import static google.registry.model.EppResourceUtils.getLinkedDomainKeys;
+import static google.registry.model.EppResourceUtils.isLinked;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
 import static google.registry.model.index.ForeignKeyIndex.loadAndGetKey;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
@@ -62,7 +63,10 @@ public final class ResourceFlowUtils {
 
   private ResourceFlowUtils() {}
 
-  /** In {@link #failfastForAsyncDelete}, check this (arbitrary) number of query results. */
+  /**
+   * In {@link #checkLinkedDomains(String, DateTime, Class, Function)}, check this (arbitrary)
+   * number of query results.
+   */
   private static final int FAILFAST_CHECK_COUNT = 5;
 
   /** Check that the given clientId corresponds to the owner of given resource. */
@@ -73,36 +77,54 @@ public final class ResourceFlowUtils {
     }
   }
 
-  /** Check whether an asynchronous delete would obviously fail, and throw an exception if so. */
-  public static <R extends EppResource> void failfastForAsyncDelete(
+  /**
+   * Check whether if there are domains linked to the resource to be deleted. Throws an exception if
+   * so.
+   *
+   * <p>Note that in datastore this is a smoke test as the query for linked domains is eventually
+   * consistent, so we only check a few domains to fail fast.
+   */
+  public static <R extends EppResource> void checkLinkedDomains(
       final String targetId,
       final DateTime now,
       final Class<R> resourceClass,
-      final Function<DomainBase, ImmutableSet<?>> getPotentialReferences) throws EppException {
-    // Enter a transactionless context briefly.
+      final Function<DomainBase, ImmutableSet<?>> getPotentialReferences)
+      throws EppException {
     EppException failfastException =
-        tm().doTransactionless(
-                () -> {
-                  final ForeignKeyIndex<R> fki = ForeignKeyIndex.load(resourceClass, targetId, now);
-                  if (fki == null) {
-                    return new ResourceDoesNotExistException(resourceClass, targetId);
-                  }
-                  /* Query for the first few linked domains, and if found, actually load them. The
-                   * query is eventually consistent and so might be very stale, but the direct
-                   * load will not be stale, just non-transactional. If we find at least one
-                   * actual reference then we can reliably fail. If we don't find any, we can't
-                   * trust the query and need to do the full mapreduce.
-                   */
-                  Iterable<VKey<DomainBase>> keys =
-                      getLinkedDomainKeys(fki.getResourceKey(), now, FAILFAST_CHECK_COUNT);
+        tm().isOfy()
+            ? tm().doTransactionless(
+                    () -> {
+                      final ForeignKeyIndex<R> fki =
+                          ForeignKeyIndex.load(resourceClass, targetId, now);
+                      if (fki == null) {
+                        return new ResourceDoesNotExistException(resourceClass, targetId);
+                      }
+                      // Query for the first few linked domains, and if found, actually load them.
+                      // The query is eventually consistent and so might be very stale, but the
+                      // direct load will not be stale, just non-transactional. If we find at least
+                      // one  actual reference then we can reliably fail. If we don't find any,
+                      // we can't  trust the query and need to do the full mapreduce.
+                      Iterable<VKey<DomainBase>> keys =
+                          getLinkedDomainKeys(fki.getResourceKey(), now, FAILFAST_CHECK_COUNT);
 
-                  VKey<R> resourceVKey = fki.getResourceKey();
-                  Predicate<DomainBase> predicate =
-                      domain -> getPotentialReferences.apply(domain).contains(resourceVKey);
-                  return tm().loadByKeys(keys).values().stream().anyMatch(predicate)
-                      ? new ResourceToDeleteIsReferencedException()
-                      : null;
-                });
+                      VKey<R> resourceVKey = fki.getResourceKey();
+                      Predicate<DomainBase> predicate =
+                          domain -> getPotentialReferences.apply(domain).contains(resourceVKey);
+                      return tm().loadByKeys(keys).values().stream().anyMatch(predicate)
+                          ? new ResourceToDeleteIsReferencedException()
+                          : null;
+                    })
+            : tm().transact(
+                    () -> {
+                      final ForeignKeyIndex<R> fki =
+                          ForeignKeyIndex.load(resourceClass, targetId, now);
+                      if (fki == null) {
+                        return new ResourceDoesNotExistException(resourceClass, targetId);
+                      }
+                      return isLinked(fki.getResourceKey(), now)
+                          ? new ResourceToDeleteIsReferencedException()
+                          : null;
+                    });
     if (failfastException != null) {
       throw failfastException;
     }
@@ -123,8 +145,7 @@ public final class ResourceFlowUtils {
   }
 
   public static <R extends EppResource & ForeignKeyedEppResource> R loadAndVerifyExistence(
-      Class<R> clazz, String targetId, DateTime now)
-          throws ResourceDoesNotExistException {
+      Class<R> clazz, String targetId, DateTime now) throws ResourceDoesNotExistException {
     return verifyExistence(clazz, targetId, loadByForeignKey(clazz, targetId, now));
   }
 
@@ -156,16 +177,16 @@ public final class ResourceFlowUtils {
   }
 
   /** Check that the given AuthInfo is either missing or else is valid for the given resource. */
-  public static void verifyOptionalAuthInfo(
-      Optional<AuthInfo> authInfo, ContactResource contact) throws EppException {
+  public static void verifyOptionalAuthInfo(Optional<AuthInfo> authInfo, ContactResource contact)
+      throws EppException {
     if (authInfo.isPresent()) {
       verifyAuthInfo(authInfo.get(), contact);
     }
   }
 
   /** Check that the given AuthInfo is either missing or else is valid for the given resource. */
-  public static void verifyOptionalAuthInfo(
-      Optional<AuthInfo> authInfo, DomainBase domain) throws EppException {
+  public static void verifyOptionalAuthInfo(Optional<AuthInfo> authInfo, DomainBase domain)
+      throws EppException {
     if (authInfo.isPresent()) {
       verifyAuthInfo(authInfo.get(), domain);
     }
@@ -229,7 +250,7 @@ public final class ResourceFlowUtils {
   /** Check that the same values aren't being added and removed in an update command. */
   public static void checkSameValuesNotAddedAndRemoved(
       ImmutableSet<?> fieldsToAdd, ImmutableSet<?> fieldsToRemove)
-          throws AddRemoveSameValueException {
+      throws AddRemoveSameValueException {
     if (!intersection(fieldsToAdd, fieldsToRemove).isEmpty()) {
       throw new AddRemoveSameValueException();
     }

core/src/main/java/google/registry/flows/TlsCredentials.java

@@ -16,7 +16,6 @@ package google.registry.flows;
 
 import static com.google.common.base.MoreObjects.toStringHelper;
 import static google.registry.request.RequestParameters.extractOptionalHeader;
-import static google.registry.util.X509Utils.loadCertificate;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableList;
@@ -26,24 +25,17 @@ import com.google.common.net.InetAddresses;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryEnvironment;
 import google.registry.flows.EppException.AuthenticationErrorException;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Header;
 import google.registry.util.CidrAddressBlock;
-import google.registry.util.Clock;
 import google.registry.util.ProxyHttpHeaders;
-import java.io.ByteArrayInputStream;
 import java.net.InetAddress;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Base64;
 import java.util.Optional;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
-import org.joda.time.DateTime;
 
 /**
  * Container and validation for TLS certificate and IP-allow-listing.
@@ -54,10 +46,6 @@ import org.joda.time.DateTime;
  *   <dt>X-SSL-Certificate
  *   <dd>This field should contain a base64 encoded digest of the client's TLS certificate. It is
  *       used only if the validation of the full certificate fails.
- *   <dt>X-SSL-Full-Certificate
- *   <dd>This field should contain a base64 encoding of the client's TLS certificate. It is
- *       validated during an EPP login command against a known good value that is transmitted out of
- *       band.
  *   <dt>X-Forwarded-For
  *   <dd>This field should contain the host and port of the connecting client. It is validated
  *       during an EPP login command against an IP allow list that is transmitted out of band.
@@ -66,30 +54,22 @@ import org.joda.time.DateTime;
 public class TlsCredentials implements TransportCredentials {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-  private static final DateTime CERT_ENFORCEMENT_START_TIME =
-      DateTime.parse("2021-03-01T16:00:00Z");
 
   private final boolean requireSslCertificates;
   private final Optional<String> clientCertificateHash;
-  private final Optional<String> clientCertificate;
   private final Optional<InetAddress> clientInetAddr;
   private final CertificateChecker certificateChecker;
-  private final Clock clock;
 
   @Inject
   public TlsCredentials(
       @Config("requireSslCertificates") boolean requireSslCertificates,
       @Header(ProxyHttpHeaders.CERTIFICATE_HASH) Optional<String> clientCertificateHash,
-      @Header(ProxyHttpHeaders.FULL_CERTIFICATE) Optional<String> clientCertificate,
       @Header(ProxyHttpHeaders.IP_ADDRESS) Optional<String> clientAddress,
-      CertificateChecker certificateChecker,
-      Clock clock) {
+      CertificateChecker certificateChecker) {
     this.requireSslCertificates = requireSslCertificates;
     this.clientCertificateHash = clientCertificateHash;
-    this.clientCertificate = clientCertificate;
     this.clientInetAddr = clientAddress.map(TlsCredentials::parseInetAddress);
     this.certificateChecker = certificateChecker;
-    this.clock = clock;
   }
 
   static InetAddress parseInetAddress(String asciiAddr) {
@@ -103,7 +83,7 @@ public class TlsCredentials implements TransportCredentials {
   @Override
   public void validate(Registrar registrar, String password) throws AuthenticationErrorException {
     validateIp(registrar);
-    validateCertificate(registrar);
+    validateCertificateHash(registrar);
     validatePassword(registrar, password);
   }
 
@@ -137,89 +117,8 @@ public class TlsCredentials implements TransportCredentials {
     throw new BadRegistrarIpAddressException();
   }
 
-  /**
-   * Verifies client SSL certificate is permitted to issue commands as {@code registrar}.
-   *
-   * @throws MissingRegistrarCertificateException if frontend didn't send certificate header
-   * @throws BadRegistrarCertificateException if registrar requires certificate and it didn't match
-   */
   @VisibleForTesting
-  void validateCertificate(Registrar registrar) throws AuthenticationErrorException {
-    // Check that certificate is present in registrar object
-    if (!registrar.getClientCertificate().isPresent()
-        && !registrar.getFailoverClientCertificate().isPresent()) {
-      // Log an error and validate using certificate hash instead
-      // TODO(sarahbot): throw a RegistrarCertificateNotConfiguredException once hash is no longer
-      // used as failover
-      logger.atWarning().log(
-          "There is no certificate configured for registrar %s.", registrar.getClientId());
-    } else if (!clientCertificate.isPresent()) {
-      // Check that the request included the full certificate
-      // Log an error and validate using certificate hash instead
-      // TODO(sarahbot): throw a MissingRegistrarCertificateException once hash is no longer used as
-      // failover
-      logger.atWarning().log(
-          "Request from registrar %s did not include X-SSL-Full-Certificate.",
-          registrar.getClientId());
-    } else {
-      X509Certificate passedCert;
-      Optional<X509Certificate> storedCert;
-      Optional<X509Certificate> storedFailoverCert;
-
-      try {
-        storedCert = deserializePemCert(registrar.getClientCertificate());
-        storedFailoverCert = deserializePemCert(registrar.getFailoverClientCertificate());
-        passedCert = decodeCertString(clientCertificate.get());
-      } catch (Exception e) {
-        // TODO(Sarahbot@): remove this catch once we know it's working
-        logger.atWarning().log(
-            "Error converting certificate string to certificate for %s: %s",
-            registrar.getClientId(), e);
-        validateCertificateHash(registrar);
-        return;
-      }
-
-      // Check if the certificate is equal to the one on file for the registrar.
-      if (passedCert.equals(storedCert.orElse(null))
-          || passedCert.equals(storedFailoverCert.orElse(null))) {
-        // Check certificate for any requirement violations
-        // TODO(Sarahbot@): Throw exceptions instead of just logging once requirement enforcement
-        // begins
-        try {
-          certificateChecker.validateCertificate(passedCert);
-        } catch (InsecureCertificateException e) {
-          // TODO(Sarahbot@): Remove this if statement after March 1. After March 1, exception
-          // should be thrown in all environments.
-          // throw exception in unit tests and Sandbox
-          if (RegistryEnvironment.get().equals(RegistryEnvironment.UNITTEST)
-              || RegistryEnvironment.get().equals(RegistryEnvironment.SANDBOX)
-              || clock.nowUtc().isAfter(CERT_ENFORCEMENT_START_TIME)) {
-            throw new CertificateContainsSecurityViolationsException(e);
-          }
-          logger.atWarning().log(
-              "Registrar certificate used for %s does not meet certificate requirements: %s",
-              registrar.getClientId(), e.getMessage());
-        } catch (Exception e) {
-          logger.atWarning().log(
-              "Error validating certificate for %s: %s", registrar.getClientId(), e);
-        }
-        // successfully validated, return here since hash validation is not necessary
-        return;
-      }
-      // Log an error and validate using certificate hash instead
-      // TODO(sarahbot): throw a BadRegistrarCertificateException once hash is no longer used as
-      // failover
-      logger.atWarning().log("Non-matching certificate for registrar %s.", registrar.getClientId());
-    }
-    validateCertificateHash(registrar);
-  }
-
-  private void validateCertificateHash(Registrar registrar) throws AuthenticationErrorException {
-    logger.atWarning().log(
-        "Error validating certificate for %s, attempting to validate using certificate hash.",
-        registrar.getClientId());
-    // Check the certificate hash as a failover
-    // TODO(sarahbot): Remove hash checks once certificate checks are working.
+  void validateCertificateHash(Registrar registrar) throws AuthenticationErrorException {
     if (!registrar.getClientCertificateHash().isPresent()
         && !registrar.getFailoverClientCertificateHash().isPresent()) {
       if (requireSslCertificates) {
@@ -247,6 +146,20 @@ public class TlsCredentials implements TransportCredentials {
           registrar.getFailoverClientCertificateHash());
       throw new BadRegistrarCertificateException();
     }
+    if (requireSslCertificates) {
+      String passedCert =
+          clientCertificateHash.equals(registrar.getClientCertificateHash())
+              ? registrar.getClientCertificate().get()
+              : registrar.getFailoverClientCertificate().get();
+      try {
+        certificateChecker.validateCertificate(passedCert);
+      } catch (InsecureCertificateException e) {
+        logger.atWarning().log(
+            "Registrar certificate used for %s does not meet certificate requirements: %s",
+            registrar.getClientId(), e.getMessage());
+        throw new CertificateContainsSecurityViolationsException(e);
+      }
+    }
   }
 
   private void validatePassword(Registrar registrar, String password)
@@ -256,26 +169,9 @@ public class TlsCredentials implements TransportCredentials {
     }
   }
 
-  // Converts a PEM formatted certificate string into an X509Certificate
-  private Optional<X509Certificate> deserializePemCert(Optional<String> certificateString)
-      throws CertificateException {
-    if (certificateString.isPresent()) {
-      return Optional.of(loadCertificate(certificateString.get()));
-    }
-    return Optional.empty();
-  }
-
-  // Decodes the string representation of an encoded certificate back into an X509Certificate
-  private X509Certificate decodeCertString(String encodedCertString) throws CertificateException {
-    byte decodedCert[] = Base64.getDecoder().decode(encodedCertString);
-    ByteArrayInputStream inputStream = new ByteArrayInputStream(decodedCert);
-    return loadCertificate(inputStream);
-  }
-
   @Override
   public String toString() {
     return toStringHelper(getClass())
-        .add("clientCertificate", clientCertificate.orElse(null))
         .add("clientCertificateHash", clientCertificateHash.orElse(null))
         .add("clientAddress", clientInetAddr.orElse(null))
         .toString();
@@ -336,14 +232,6 @@ public class TlsCredentials implements TransportCredentials {
       return extractOptionalHeader(req, ProxyHttpHeaders.CERTIFICATE_HASH);
     }
 
-    @Provides
-    @Header(ProxyHttpHeaders.FULL_CERTIFICATE)
-    static Optional<String> provideClientCertificate(HttpServletRequest req) {
-      // Note: This header is actually required, we just want to handle its absence explicitly
-      // by throwing an EPP exception rather than a generic Bad Request exception.
-      return extractOptionalHeader(req, ProxyHttpHeaders.FULL_CERTIFICATE);
-    }
-
     @Provides
     @Header(ProxyHttpHeaders.IP_ADDRESS)
     static Optional<String> provideIpAddress(HttpServletRequest req) {

core/src/main/java/google/registry/flows/contact/ContactCreateFlow.java

@@ -33,6 +33,7 @@ import google.registry.flows.annotations.ReportingSpec;
 import google.registry.flows.exceptions.ResourceAlreadyExistsForThisClientException;
 import google.registry.flows.exceptions.ResourceCreateContentionException;
 import google.registry.model.contact.ContactCommand.Create;
+import google.registry.model.contact.ContactHistory;
 import google.registry.model.contact.ContactResource;
 import google.registry.model.domain.metadata.MetadataExtension;
 import google.registry.model.eppinput.ResourceCommand;
@@ -61,7 +62,7 @@ public final class ContactCreateFlow implements TransactionalFlow {
   @Inject ExtensionManager extensionManager;
   @Inject @ClientId String clientId;
   @Inject @TargetId String targetId;
-  @Inject HistoryEntry.Builder historyBuilder;
+  @Inject ContactHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
   @Inject @Config("contactAndHostRoidSuffix") String roidSuffix;
   @Inject ContactCreateFlow() {}
@@ -93,12 +94,12 @@ public final class ContactCreateFlow implements TransactionalFlow {
     historyBuilder
         .setType(HistoryEntry.Type.CONTACT_CREATE)
         .setModificationTime(now)
-        .setXmlBytes(null)  // We don't want to store contact details in the history entry.
-        .setParent(Key.create(newContact));
+        .setXmlBytes(null) // We don't want to store contact details in the history entry.
+        .setContact(newContact);
     tm().insertAll(
             ImmutableSet.of(
                 newContact,
-                historyBuilder.build().toChildHistoryEntity(),
+                historyBuilder.build(),
                 ForeignKeyIndex.create(newContact, newContact.getDeletionTime()),
                 EppResourceIndex.create(Key.create(newContact))));
     return responseBuilder

core/src/main/java/google/registry/flows/contact/ContactDeleteFlow.java

@@ -15,16 +15,19 @@
 package google.registry.flows.contact;
 
 import static google.registry.flows.FlowUtils.validateClientIsLoggedIn;
-import static google.registry.flows.ResourceFlowUtils.failfastForAsyncDelete;
+import static google.registry.flows.ResourceFlowUtils.checkLinkedDomains;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
 import static google.registry.flows.ResourceFlowUtils.verifyNoDisallowedStatuses;
 import static google.registry.flows.ResourceFlowUtils.verifyOptionalAuthInfo;
 import static google.registry.flows.ResourceFlowUtils.verifyResourceOwnership;
+import static google.registry.model.ResourceTransferUtils.denyPendingTransfer;
+import static google.registry.model.ResourceTransferUtils.handlePendingTransferOnDelete;
+import static google.registry.model.eppoutput.Result.Code.SUCCESS;
 import static google.registry.model.eppoutput.Result.Code.SUCCESS_WITH_ACTION_PENDING;
+import static google.registry.model.transfer.TransferStatus.SERVER_CANCELLED;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.common.collect.ImmutableSet;
-import com.googlecode.objectify.Key;
 import google.registry.batch.AsyncTaskEnqueuer;
 import google.registry.flows.EppException;
 import google.registry.flows.ExtensionManager;
@@ -33,6 +36,7 @@ import google.registry.flows.FlowModule.Superuser;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.TransactionalFlow;
 import google.registry.flows.annotations.ReportingSpec;
+import google.registry.model.contact.ContactHistory;
 import google.registry.model.contact.ContactResource;
 import google.registry.model.domain.DomainBase;
 import google.registry.model.domain.metadata.MetadataExtension;
@@ -40,7 +44,8 @@ import google.registry.model.eppcommon.AuthInfo;
 import google.registry.model.eppcommon.StatusValue;
 import google.registry.model.eppcommon.Trid;
 import google.registry.model.eppoutput.EppResponse;
-import google.registry.model.reporting.HistoryEntry;
+import google.registry.model.eppoutput.Result.Code;
+import google.registry.model.reporting.HistoryEntry.Type;
 import google.registry.model.reporting.IcannReportingTypes.ActivityReportField;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -63,10 +68,11 @@ import org.joda.time.DateTime;
 @ReportingSpec(ActivityReportField.CONTACT_DELETE)
 public final class ContactDeleteFlow implements TransactionalFlow {
 
-  private static final ImmutableSet<StatusValue> DISALLOWED_STATUSES = ImmutableSet.of(
-      StatusValue.CLIENT_DELETE_PROHIBITED,
-      StatusValue.PENDING_DELETE,
-      StatusValue.SERVER_DELETE_PROHIBITED);
+  private static final ImmutableSet<StatusValue> DISALLOWED_STATUSES =
+      ImmutableSet.of(
+          StatusValue.CLIENT_DELETE_PROHIBITED,
+          StatusValue.PENDING_DELETE,
+          StatusValue.SERVER_DELETE_PROHIBITED);
 
   @Inject ExtensionManager extensionManager;
   @Inject @ClientId String clientId;
@@ -74,10 +80,12 @@ public final class ContactDeleteFlow implements TransactionalFlow {
   @Inject Trid trid;
   @Inject @Superuser boolean isSuperuser;
   @Inject Optional<AuthInfo> authInfo;
-  @Inject HistoryEntry.Builder historyBuilder;
+  @Inject ContactHistory.Builder historyBuilder;
   @Inject AsyncTaskEnqueuer asyncTaskEnqueuer;
   @Inject EppResponse.Builder responseBuilder;
-  @Inject ContactDeleteFlow() {}
+
+  @Inject
+  ContactDeleteFlow() {}
 
   @Override
   public final EppResponse run() throws EppException {
@@ -85,23 +93,45 @@ public final class ContactDeleteFlow implements TransactionalFlow {
     extensionManager.validate();
     validateClientIsLoggedIn(clientId);
     DateTime now = tm().getTransactionTime();
-    failfastForAsyncDelete(targetId, now, ContactResource.class, DomainBase::getReferencedContacts);
+    checkLinkedDomains(targetId, now, ContactResource.class, DomainBase::getReferencedContacts);
     ContactResource existingContact = loadAndVerifyExistence(ContactResource.class, targetId, now);
     verifyNoDisallowedStatuses(existingContact, DISALLOWED_STATUSES);
     verifyOptionalAuthInfo(authInfo, existingContact);
     if (!isSuperuser) {
       verifyResourceOwnership(clientId, existingContact);
     }
-    asyncTaskEnqueuer.enqueueAsyncDelete(
-        existingContact, tm().getTransactionTime(), clientId, trid, isSuperuser);
-    ContactResource newContact =
-        existingContact.asBuilder().addStatusValue(StatusValue.PENDING_DELETE).build();
-    historyBuilder
-        .setType(HistoryEntry.Type.CONTACT_PENDING_DELETE)
-        .setModificationTime(now)
-        .setParent(Key.create(existingContact));
-    tm().insert(historyBuilder.build().toChildHistoryEntity());
+    Type historyEntryType;
+    Code resultCode;
+    ContactResource newContact;
+    if (tm().isOfy()) {
+      asyncTaskEnqueuer.enqueueAsyncDelete(
+          existingContact, tm().getTransactionTime(), clientId, trid, isSuperuser);
+      newContact = existingContact.asBuilder().addStatusValue(StatusValue.PENDING_DELETE).build();
+      historyEntryType = Type.CONTACT_PENDING_DELETE;
+      resultCode = SUCCESS_WITH_ACTION_PENDING;
+    } else {
+      // Handle pending transfers on contact deletion.
+      newContact =
+          existingContact.getStatusValues().contains(StatusValue.PENDING_TRANSFER)
+              ? denyPendingTransfer(existingContact, SERVER_CANCELLED, now, clientId)
+              : existingContact;
+      // Wipe out PII on contact deletion.
+      newContact =
+          newContact.asBuilder().wipeOut().setStatusValues(null).setDeletionTime(now).build();
+      historyEntryType = Type.CONTACT_DELETE;
+      resultCode = SUCCESS;
+    }
+    ContactHistory contactHistory =
+        historyBuilder
+            .setType(historyEntryType)
+            .setModificationTime(now)
+            .setContact(newContact)
+            .build();
+    if (!tm().isOfy()) {
+      handlePendingTransferOnDelete(existingContact, newContact, now, contactHistory);
+    }
+    tm().insert(contactHistory);
     tm().update(newContact);
-    return responseBuilder.setResultFromCode(SUCCESS_WITH_ACTION_PENDING).build();
+    return responseBuilder.setResultFromCode(resultCode).build();
   }
 }

core/src/main/java/google/registry/flows/contact/ContactFlowUtils.java

@@ -20,19 +20,21 @@ import com.google.common.base.CharMatcher;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Sets;
+import com.googlecode.objectify.Key;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.ParameterValuePolicyErrorException;
 import google.registry.flows.EppException.ParameterValueSyntaxErrorException;
 import google.registry.model.contact.ContactAddress;
+import google.registry.model.contact.ContactHistory;
 import google.registry.model.contact.ContactResource;
 import google.registry.model.contact.PostalInfo;
 import google.registry.model.poll.PendingActionNotificationResponse.ContactPendingActionNotificationResponse;
 import google.registry.model.poll.PollMessage;
-import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.transfer.TransferData;
 import google.registry.model.transfer.TransferResponse.ContactTransferResponse;
 import java.util.Set;
 import javax.annotation.Nullable;
+import org.joda.time.DateTime;
 
 /** Static utility functions for contact flows. */
 public class ContactFlowUtils {
@@ -66,31 +68,35 @@ public class ContactFlowUtils {
 
   /** Create a poll message for the gaining client in a transfer. */
   static PollMessage createGainingTransferPollMessage(
-      String targetId, TransferData transferData, HistoryEntry historyEntry) {
+      String targetId,
+      TransferData transferData,
+      DateTime now,
+      Key<ContactHistory> contactHistoryKey) {
     return new PollMessage.OneTime.Builder()
         .setClientId(transferData.getGainingClientId())
         .setEventTime(transferData.getPendingTransferExpirationTime())
         .setMsg(transferData.getTransferStatus().getMessage())
-        .setResponseData(ImmutableList.of(
-            createTransferResponse(targetId, transferData),
-            ContactPendingActionNotificationResponse.create(
-                  targetId,
-                  transferData.getTransferStatus().isApproved(),
-                  transferData.getTransferRequestTrid(),
-                  historyEntry.getModificationTime())))
-        .setParent(historyEntry)
+        .setResponseData(
+            ImmutableList.of(
+                createTransferResponse(targetId, transferData),
+                ContactPendingActionNotificationResponse.create(
+                    targetId,
+                    transferData.getTransferStatus().isApproved(),
+                    transferData.getTransferRequestTrid(),
+                    now)))
+        .setParentKey(contactHistoryKey)
         .build();
   }
 
   /** Create a poll message for the losing client in a transfer. */
   static PollMessage createLosingTransferPollMessage(
-      String targetId, TransferData transferData, HistoryEntry historyEntry) {
+      String targetId, TransferData transferData, Key<ContactHistory> contactHistoryKey) {
     return new PollMessage.OneTime.Builder()
         .setClientId(transferData.getLosingClientId())
         .setEventTime(transferData.getPendingTransferExpirationTime())
         .setMsg(transferData.getTransferStatus().getMessage())
         .setResponseData(ImmutableList.of(createTransferResponse(targetId, transferData)))
-        .setParent(historyEntry)
+        .setParentKey(contactHistoryKey)
         .build();
   }
 

core/src/main/java/google/registry/flows/contact/ContactTransferApproveFlow.java

@@ -32,6 +32,7 @@ import google.registry.flows.FlowModule.ClientId;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.TransactionalFlow;
 import google.registry.flows.annotations.ReportingSpec;
+import google.registry.model.contact.ContactHistory;
 import google.registry.model.contact.ContactResource;
 import google.registry.model.domain.metadata.MetadataExtension;
 import google.registry.model.eppcommon.AuthInfo;
@@ -66,7 +67,7 @@ public final class ContactTransferApproveFlow implements TransactionalFlow {
   @Inject @ClientId String clientId;
   @Inject @TargetId String targetId;
   @Inject Optional<AuthInfo> authInfo;
-  @Inject HistoryEntry.Builder historyBuilder;
+  @Inject ContactHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
   @Inject ContactTransferApproveFlow() {}
 
@@ -86,15 +87,17 @@ public final class ContactTransferApproveFlow implements TransactionalFlow {
     verifyResourceOwnership(clientId, existingContact);
     ContactResource newContact =
         approvePendingTransfer(existingContact, TransferStatus.CLIENT_APPROVED, now);
-    HistoryEntry historyEntry = historyBuilder
-        .setType(HistoryEntry.Type.CONTACT_TRANSFER_APPROVE)
-        .setModificationTime(now)
-        .setParent(Key.create(existingContact))
-        .build();
+    ContactHistory contactHistory =
+        historyBuilder
+            .setType(HistoryEntry.Type.CONTACT_TRANSFER_APPROVE)
+            .setModificationTime(now)
+            .setContact(newContact)
+            .build();
     // Create a poll message for the gaining client.
     PollMessage gainingPollMessage =
-        createGainingTransferPollMessage(targetId, newContact.getTransferData(), historyEntry);
-    tm().insertAll(ImmutableSet.of(historyEntry.toChildHistoryEntity(), gainingPollMessage));
+        createGainingTransferPollMessage(
+            targetId, newContact.getTransferData(), now, Key.create(contactHistory));
+    tm().insertAll(ImmutableSet.of(contactHistory, gainingPollMessage));
     tm().update(newContact);
     // Delete the billing event and poll messages that were written in case the transfer would have
     // been implicitly server approved.

core/src/main/java/google/registry/flows/contact/ContactTransferCancelFlow.java

@@ -32,6 +32,7 @@ import google.registry.flows.FlowModule.ClientId;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.TransactionalFlow;
 import google.registry.flows.annotations.ReportingSpec;
+import google.registry.model.contact.ContactHistory;
 import google.registry.model.contact.ContactResource;
 import google.registry.model.domain.metadata.MetadataExtension;
 import google.registry.model.eppcommon.AuthInfo;
@@ -66,7 +67,7 @@ public final class ContactTransferCancelFlow implements TransactionalFlow {
   @Inject Optional<AuthInfo> authInfo;
   @Inject @ClientId String clientId;
   @Inject @TargetId String targetId;
-  @Inject HistoryEntry.Builder historyBuilder;
+  @Inject ContactHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
   @Inject ContactTransferCancelFlow() {}
 
@@ -82,15 +83,17 @@ public final class ContactTransferCancelFlow implements TransactionalFlow {
     verifyTransferInitiator(clientId, existingContact);
     ContactResource newContact =
         denyPendingTransfer(existingContact, TransferStatus.CLIENT_CANCELLED, now, clientId);
-    HistoryEntry historyEntry = historyBuilder
-        .setType(HistoryEntry.Type.CONTACT_TRANSFER_CANCEL)
-        .setModificationTime(now)
-        .setParent(Key.create(existingContact))
-        .build();
+    ContactHistory contactHistory =
+        historyBuilder
+            .setType(HistoryEntry.Type.CONTACT_TRANSFER_CANCEL)
+            .setModificationTime(now)
+            .setContact(newContact)
+            .build();
     // Create a poll message for the losing client.
     PollMessage losingPollMessage =
-        createLosingTransferPollMessage(targetId, newContact.getTransferData(), historyEntry);
-    tm().insertAll(ImmutableSet.of(historyEntry.toChildHistoryEntity(), losingPollMessage));
+        createLosingTransferPollMessage(
+            targetId, newContact.getTransferData(), Key.create(contactHistory));
+    tm().insertAll(ImmutableSet.of(contactHistory, losingPollMessage));
     tm().update(newContact);
     // Delete the billing event and poll messages that were written in case the transfer would have
     // been implicitly server approved.

core/src/main/java/google/registry/flows/contact/ContactTransferRejectFlow.java

@@ -32,6 +32,7 @@ import google.registry.flows.FlowModule.ClientId;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.TransactionalFlow;
 import google.registry.flows.annotations.ReportingSpec;
+import google.registry.model.contact.ContactHistory;
 import google.registry.model.contact.ContactResource;
 import google.registry.model.domain.metadata.MetadataExtension;
 import google.registry.model.eppcommon.AuthInfo;
@@ -64,7 +65,7 @@ public final class ContactTransferRejectFlow implements TransactionalFlow {
   @Inject Optional<AuthInfo> authInfo;
   @Inject @ClientId String clientId;
   @Inject @TargetId String targetId;
-  @Inject HistoryEntry.Builder historyBuilder;
+  @Inject ContactHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
   @Inject ContactTransferRejectFlow() {}
 
@@ -80,14 +81,16 @@ public final class ContactTransferRejectFlow implements TransactionalFlow {
     verifyResourceOwnership(clientId, existingContact);
     ContactResource newContact =
         denyPendingTransfer(existingContact, TransferStatus.CLIENT_REJECTED, now, clientId);
-    HistoryEntry historyEntry = historyBuilder
-        .setType(HistoryEntry.Type.CONTACT_TRANSFER_REJECT)
-        .setModificationTime(now)
-        .setParent(Key.create(existingContact))
-        .build();
+    ContactHistory contactHistory =
+        historyBuilder
+            .setType(HistoryEntry.Type.CONTACT_TRANSFER_REJECT)
+            .setModificationTime(now)
+            .setContact(newContact)
+            .build();
     PollMessage gainingPollMessage =
-        createGainingTransferPollMessage(targetId, newContact.getTransferData(), historyEntry);
-    tm().insertAll(ImmutableSet.of(historyEntry.toChildHistoryEntity(), gainingPollMessage));
+        createGainingTransferPollMessage(
+            targetId, newContact.getTransferData(), now, Key.create(contactHistory));
+    tm().insertAll(ImmutableSet.of(contactHistory, gainingPollMessage));
     tm().update(newContact);
     // Delete the billing event and poll messages that were written in case the transfer would have
     // been implicitly server approved.

core/src/main/java/google/registry/flows/contact/ContactTransferRequestFlow.java

@@ -14,6 +14,7 @@
 
 package google.registry.flows.contact;
 
+import static google.registry.flows.FlowUtils.createHistoryKey;
 import static google.registry.flows.FlowUtils.validateClientIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
 import static google.registry.flows.ResourceFlowUtils.verifyAuthInfo;
@@ -36,6 +37,7 @@ import google.registry.flows.TransactionalFlow;
 import google.registry.flows.annotations.ReportingSpec;
 import google.registry.flows.exceptions.AlreadyPendingTransferException;
 import google.registry.flows.exceptions.ObjectAlreadySponsoredException;
+import google.registry.model.contact.ContactHistory;
 import google.registry.model.contact.ContactResource;
 import google.registry.model.domain.metadata.MetadataExtension;
 import google.registry.model.eppcommon.AuthInfo;
@@ -81,7 +83,8 @@ public final class ContactTransferRequestFlow implements TransactionalFlow {
   @Inject @ClientId String gainingClientId;
   @Inject @TargetId String targetId;
   @Inject @Config("contactAutomaticTransferLength") Duration automaticTransferLength;
-  @Inject HistoryEntry.Builder historyBuilder;
+
+  @Inject ContactHistory.Builder historyBuilder;
   @Inject Trid trid;
   @Inject EppResponse.Builder responseBuilder;
   @Inject ContactTransferRequestFlow() {}
@@ -105,11 +108,7 @@ public final class ContactTransferRequestFlow implements TransactionalFlow {
       throw new ObjectAlreadySponsoredException();
     }
     verifyNoDisallowedStatuses(existingContact, DISALLOWED_STATUSES);
-    HistoryEntry historyEntry = historyBuilder
-        .setType(HistoryEntry.Type.CONTACT_TRANSFER_REQUEST)
-        .setModificationTime(now)
-        .setParent(Key.create(existingContact))
-        .build();
+
     DateTime transferExpirationTime = now.plus(automaticTransferLength);
     ContactTransferData serverApproveTransferData =
         new ContactTransferData.Builder()
@@ -120,12 +119,18 @@ public final class ContactTransferRequestFlow implements TransactionalFlow {
             .setPendingTransferExpirationTime(transferExpirationTime)
             .setTransferStatus(TransferStatus.SERVER_APPROVED)
             .build();
+    Key<ContactHistory> contactHistoryKey = createHistoryKey(existingContact, ContactHistory.class);
+    historyBuilder
+        .setId(contactHistoryKey.getId())
+        .setType(HistoryEntry.Type.CONTACT_TRANSFER_REQUEST)
+        .setModificationTime(now);
     // If the transfer is server approved, this message will be sent to the losing registrar. */
     PollMessage serverApproveLosingPollMessage =
-        createLosingTransferPollMessage(targetId, serverApproveTransferData, historyEntry);
+        createLosingTransferPollMessage(targetId, serverApproveTransferData, contactHistoryKey);
     // If the transfer is server approved, this message will be sent to the gaining registrar. */
     PollMessage serverApproveGainingPollMessage =
-        createGainingTransferPollMessage(targetId, serverApproveTransferData, historyEntry);
+        createGainingTransferPollMessage(
+            targetId, serverApproveTransferData, now, contactHistoryKey);
     ContactTransferData pendingTransferData =
         serverApproveTransferData
             .asBuilder()
@@ -137,8 +142,9 @@ public final class ContactTransferRequestFlow implements TransactionalFlow {
             .build();
     // When a transfer is requested, a poll message is created to notify the losing registrar.
     PollMessage requestPollMessage =
-        createLosingTransferPollMessage(targetId, pendingTransferData, historyEntry).asBuilder()
-            .setEventTime(now)  // Unlike the serverApprove messages, this applies immediately.
+        createLosingTransferPollMessage(targetId, pendingTransferData, contactHistoryKey)
+            .asBuilder()
+            .setEventTime(now) // Unlike the serverApprove messages, this applies immediately.
             .build();
     ContactResource newContact = existingContact.asBuilder()
         .setTransferData(pendingTransferData)
@@ -147,7 +153,7 @@ public final class ContactTransferRequestFlow implements TransactionalFlow {
     tm().update(newContact);
     tm().insertAll(
             ImmutableSet.of(
-                historyEntry.toChildHistoryEntity(),
+                historyBuilder.setContact(newContact).build(),
                 requestPollMessage,
                 serverApproveGainingPollMessage,
                 serverApproveLosingPollMessage));

core/src/main/java/google/registry/flows/contact/ContactUpdateFlow.java

@@ -27,7 +27,6 @@ import static google.registry.flows.contact.ContactFlowUtils.validateContactAgai
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.common.collect.ImmutableSet;
-import com.googlecode.objectify.Key;
 import google.registry.flows.EppException;
 import google.registry.flows.ExtensionManager;
 import google.registry.flows.FlowModule.ClientId;
@@ -38,6 +37,7 @@ import google.registry.flows.annotations.ReportingSpec;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
 import google.registry.model.contact.ContactCommand.Update;
 import google.registry.model.contact.ContactCommand.Update.Change;
+import google.registry.model.contact.ContactHistory;
 import google.registry.model.contact.ContactResource;
 import google.registry.model.contact.PostalInfo;
 import google.registry.model.domain.metadata.MetadataExtension;
@@ -82,7 +82,7 @@ public final class ContactUpdateFlow implements TransactionalFlow {
   @Inject @ClientId String clientId;
   @Inject @TargetId String targetId;
   @Inject @Superuser boolean isSuperuser;
-  @Inject HistoryEntry.Builder historyBuilder;
+  @Inject ContactHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
   @Inject ContactUpdateFlow() {}
 
@@ -102,11 +102,6 @@ public final class ContactUpdateFlow implements TransactionalFlow {
       verifyAllStatusesAreClientSettable(union(statusesToAdd, statusToRemove));
     }
     verifyNoDisallowedStatuses(existingContact, DISALLOWED_STATUSES);
-    historyBuilder
-        .setType(HistoryEntry.Type.CONTACT_UPDATE)
-        .setModificationTime(now)
-        .setXmlBytes(null)  // We don't want to store contact details in the history entry.
-        .setParent(Key.create(existingContact));
     checkSameValuesNotAddedAndRemoved(statusesToAdd, statusToRemove);
     ContactResource.Builder builder = existingContact.asBuilder();
     Change change = command.getInnerChange();
@@ -150,7 +145,12 @@ public final class ContactUpdateFlow implements TransactionalFlow {
     }
     validateAsciiPostalInfo(newContact.getInternationalizedPostalInfo());
     validateContactAgainstPolicy(newContact);
-    tm().insert(historyBuilder.build().toChildHistoryEntity());
+    historyBuilder
+        .setType(HistoryEntry.Type.CONTACT_UPDATE)
+        .setModificationTime(now)
+        .setXmlBytes(null) // We don't want to store contact details in the history entry.
+        .setContact(newContact);
+    tm().insert(historyBuilder.build());
     tm().update(newContact);
     return responseBuilder.build();
   }

core/src/main/java/google/registry/flows/custom/EntityChanges.java

@@ -16,8 +16,8 @@ package google.registry.flows.custom;
 
 import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableSet;
-import com.googlecode.objectify.Key;
 import google.registry.model.ImmutableObject;
+import google.registry.persistence.VKey;
 
 /** A wrapper class that encapsulates Datastore entities to both save and delete. */
 @AutoValue
@@ -25,7 +25,7 @@ public abstract class EntityChanges {
 
   public abstract ImmutableSet<ImmutableObject> getSaves();
 
-  public abstract ImmutableSet<Key<ImmutableObject>> getDeletes();
+  public abstract ImmutableSet<VKey<ImmutableObject>> getDeletes();
 
   public static Builder newBuilder() {
     // Default both entities to save and entities to delete to empty sets, so that the build()
@@ -48,11 +48,11 @@ public abstract class EntityChanges {
       return this;
     }
 
-    public abstract Builder setDeletes(ImmutableSet<Key<ImmutableObject>> entitiesToDelete);
+    public abstract Builder setDeletes(ImmutableSet<VKey<ImmutableObject>> entitiesToDelete);
 
-    public abstract ImmutableSet.Builder<Key<ImmutableObject>> deletesBuilder();
+    public abstract ImmutableSet.Builder<VKey<ImmutableObject>> deletesBuilder();
 
-    public Builder addDelete(Key<ImmutableObject> entityToDelete) {
+    public Builder addDelete(VKey<ImmutableObject> entityToDelete) {
       deletesBuilder().add(entityToDelete);
       return this;
     }

core/src/main/java/google/registry/flows/domain/DomainClaimsCheckFlow.java

@@ -45,7 +45,7 @@ import google.registry.model.eppinput.ResourceCommand;
 import google.registry.model.eppoutput.EppResponse;
 import google.registry.model.registry.Registry;
 import google.registry.model.reporting.IcannReportingTypes.ActivityReportField;
-import google.registry.model.tmch.ClaimsListDualDatabaseDao;
+import google.registry.model.tmch.ClaimsListDao;
 import google.registry.util.Clock;
 import java.util.HashSet;
 import java.util.Optional;
@@ -104,8 +104,7 @@ public final class DomainClaimsCheckFlow implements Flow {
           verifyClaimsPeriodNotEnded(registry, now);
         }
       }
-      Optional<String> claimKey =
-          ClaimsListDualDatabaseDao.get().getClaimKey(parsedDomain.parts().get(0));
+      Optional<String> claimKey = ClaimsListDao.get().getClaimKey(parsedDomain.parts().get(0));
       launchChecksBuilder.add(
           LaunchCheck.create(
               LaunchCheckName.create(claimKey.isPresent(), domainName), claimKey.orElse(null)));

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -80,6 +80,7 @@ import google.registry.model.billing.BillingEvent.Recurring;
 import google.registry.model.domain.DomainBase;
 import google.registry.model.domain.DomainCommand;
 import google.registry.model.domain.DomainCommand.Create;
+import google.registry.model.domain.DomainHistory;
 import google.registry.model.domain.GracePeriod;
 import google.registry.model.domain.Period;
 import google.registry.model.domain.fee.FeeCreateCommandExtension;
@@ -96,7 +97,6 @@ import google.registry.model.eppinput.EppInput;
 import google.registry.model.eppinput.ResourceCommand;
 import google.registry.model.eppoutput.CreateData.DomainCreateData;
 import google.registry.model.eppoutput.EppResponse;
-import google.registry.model.host.HostResource;
 import google.registry.model.index.EppResourceIndex;
 import google.registry.model.index.ForeignKeyIndex;
 import google.registry.model.ofy.ObjectifyService;
@@ -106,11 +106,11 @@ import google.registry.model.poll.PollMessage.Autorenew;
 import google.registry.model.registry.Registry;
 import google.registry.model.registry.Registry.TldState;
 import google.registry.model.registry.Registry.TldType;
+import google.registry.model.registry.label.ReservationType;
 import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.reporting.IcannReportingTypes.ActivityReportField;
-import google.registry.persistence.VKey;
 import google.registry.tmch.LordnTaskUtils;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -206,7 +206,7 @@ public class DomainCreateFlow implements TransactionalFlow {
   @Inject @ClientId String clientId;
   @Inject @TargetId String targetId;
   @Inject @Superuser boolean isSuperuser;
-  @Inject HistoryEntry.Builder historyBuilder;
+  @Inject DomainHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
   @Inject AllocationTokenFlowUtils allocationTokenFlowUtils;
   @Inject DomainCreateFlowCustomLogic flowCustomLogic;
@@ -301,10 +301,14 @@ public class DomainCreateFlow implements TransactionalFlow {
     validateFeeChallenge(targetId, now, feeCreate, feesAndCredits);
     Optional<SecDnsCreateExtension> secDnsCreate =
         validateSecDnsExtension(eppInput.getSingleExtension(SecDnsCreateExtension.class));
-    String repoId = createDomainRepoId(ObjectifyService.allocateId(), registry.getTldStr());
     DateTime registrationExpirationTime = leapSafeAddYears(now, years);
-    HistoryEntry historyEntry = buildHistoryEntry(
-        repoId, registry, now, period, registry.getAddGracePeriodLength());
+    String repoId = createDomainRepoId(ObjectifyService.allocateId(), registry.getTldStr());
+    Key<DomainHistory> domainHistoryKey =
+        Key.create(
+            Key.create(DomainBase.class, repoId),
+            DomainHistory.class,
+            ObjectifyService.allocateId());
+    historyBuilder.setId(domainHistoryKey.getId());
     // Bill for the create.
     BillingEvent.OneTime createBillingEvent =
         createOneTimeBillingEvent(
@@ -314,33 +318,27 @@ public class DomainCreateFlow implements TransactionalFlow {
             isReserved(domainName, isSunriseCreate),
             years,
             feesAndCredits,
-            historyEntry,
+            domainHistoryKey,
             allocationToken,
             now);
     // Create a new autorenew billing event and poll message starting at the expiration time.
     BillingEvent.Recurring autorenewBillingEvent =
-        createAutorenewBillingEvent(historyEntry, registrationExpirationTime);
+        createAutorenewBillingEvent(domainHistoryKey, registrationExpirationTime);
     PollMessage.Autorenew autorenewPollMessage =
-        createAutorenewPollMessage(historyEntry, registrationExpirationTime);
+        createAutorenewPollMessage(domainHistoryKey, registrationExpirationTime);
     ImmutableSet.Builder<ImmutableObject> entitiesToSave = new ImmutableSet.Builder<>();
-    entitiesToSave.add(
-        historyEntry,
-        createBillingEvent,
-        autorenewBillingEvent,
-        autorenewPollMessage);
+    entitiesToSave.add(createBillingEvent, autorenewBillingEvent, autorenewPollMessage);
     // Bill for EAP cost, if any.
     if (!feesAndCredits.getEapCost().isZero()) {
       entitiesToSave.add(createEapBillingEvent(feesAndCredits, createBillingEvent));
     }
 
-    ImmutableSet.Builder<StatusValue> statuses = new ImmutableSet.Builder<>();
-    if (getReservationTypes(domainName).contains(NAME_COLLISION)) {
-      statuses.add(SERVER_HOLD);
-      entitiesToSave.add(
-          createNameCollisionOneTimePollMessage(targetId, historyEntry, clientId, now));
-    }
-
-    DomainBase newDomain =
+    ImmutableSet<ReservationType> reservationTypes = getReservationTypes(domainName);
+    ImmutableSet<StatusValue> statuses =
+        reservationTypes.contains(NAME_COLLISION)
+            ? ImmutableSet.of(SERVER_HOLD)
+            : ImmutableSet.of();
+    DomainBase domain =
         new DomainBase.Builder()
             .setCreationClientId(clientId)
             .setPersistedCurrentSponsorClientId(clientId)
@@ -351,35 +349,39 @@ public class DomainCreateFlow implements TransactionalFlow {
             .setAutorenewPollMessage(autorenewPollMessage.createVKey())
             .setLaunchNotice(hasClaimsNotice ? launchCreate.get().getNotice() : null)
             .setSmdId(signedMarkId)
-            .setDsData(secDnsCreate.isPresent() ? secDnsCreate.get().getDsData() : null)
+            .setDsData(secDnsCreate.map(SecDnsCreateExtension::getDsData).orElse(null))
             .setRegistrant(command.getRegistrant())
             .setAuthInfo(command.getAuthInfo())
             .setDomainName(targetId)
-            .setNameservers(
-                (ImmutableSet<VKey<HostResource>>)
-                    command.getNameservers().stream().collect(toImmutableSet()))
-            .setStatusValues(statuses.build())
+            .setNameservers(command.getNameservers().stream().collect(toImmutableSet()))
+            .setStatusValues(statuses)
             .setContacts(command.getContacts())
             .addGracePeriod(
                 GracePeriod.forBillingEvent(GracePeriodStatus.ADD, repoId, createBillingEvent))
             .build();
+    DomainHistory domainHistory =
+        buildDomainHistory(domain, registry, now, period, registry.getAddGracePeriodLength());
+    if (reservationTypes.contains(NAME_COLLISION)) {
+      entitiesToSave.add(
+          createNameCollisionOneTimePollMessage(targetId, domainHistory, clientId, now));
+    }
     entitiesToSave.add(
-        newDomain,
-        ForeignKeyIndex.create(newDomain, newDomain.getDeletionTime()),
-        EppResourceIndex.create(Key.create(newDomain)));
+        domain,
+        domainHistory,
+        ForeignKeyIndex.create(domain, domain.getDeletionTime()),
+        EppResourceIndex.create(Key.create(domain)));
     if (allocationToken.isPresent()
         && TokenType.SINGLE_USE.equals(allocationToken.get().getTokenType())) {
       entitiesToSave.add(
-          allocationTokenFlowUtils.redeemToken(
-              allocationToken.get(), HistoryEntry.createVKey(Key.create(historyEntry))));
+          allocationTokenFlowUtils.redeemToken(allocationToken.get(), domainHistory.createVKey()));
     }
-    enqueueTasks(newDomain, hasSignedMarks, hasClaimsNotice);
+    enqueueTasks(domain, hasSignedMarks, hasClaimsNotice);
 
     EntityChanges entityChanges =
         flowCustomLogic.beforeSave(
             DomainCreateFlowCustomLogic.BeforeSaveParameters.newBuilder()
-                .setNewDomain(newDomain)
-                .setHistoryEntry(historyEntry)
+                .setNewDomain(domain)
+                .setHistoryEntry(domainHistory)
                 .setEntityChanges(
                     EntityChanges.newBuilder().setSaves(entitiesToSave.build()).build())
                 .setYears(years)
@@ -483,8 +485,8 @@ public class DomainCreateFlow implements TransactionalFlow {
             : null);
   }
 
-  private HistoryEntry buildHistoryEntry(
-      String repoId, Registry registry, DateTime now, Period period, Duration addGracePeriod) {
+  private DomainHistory buildDomainHistory(
+      DomainBase domain, Registry registry, DateTime now, Period period, Duration addGracePeriod) {
     // We ignore prober transactions
     if (registry.getTldType() == TldType.REAL) {
       historyBuilder
@@ -500,7 +502,7 @@ public class DomainCreateFlow implements TransactionalFlow {
         .setType(HistoryEntry.Type.DOMAIN_CREATE)
         .setPeriod(period)
         .setModificationTime(now)
-        .setParent(Key.create(DomainBase.class, repoId))
+        .setDomain(domain)
         .build();
   }
 
@@ -511,7 +513,7 @@ public class DomainCreateFlow implements TransactionalFlow {
       boolean isReserved,
       int years,
       FeesAndCredits feesAndCredits,
-      HistoryEntry historyEntry,
+      Key<DomainHistory> domainHistoryKey,
       Optional<AllocationToken> allocationToken,
       DateTime now) {
     ImmutableSet.Builder<Flag> flagsBuilder = new ImmutableSet.Builder<>();
@@ -540,12 +542,12 @@ public class DomainCreateFlow implements TransactionalFlow {
                     ? registry.getAnchorTenantAddGracePeriodLength()
                     : registry.getAddGracePeriodLength()))
         .setFlags(flagsBuilder.build())
-        .setParent(historyEntry)
+        .setParent(domainHistoryKey)
         .build();
   }
 
   private Recurring createAutorenewBillingEvent(
-      HistoryEntry historyEntry, DateTime registrationExpirationTime) {
+      Key<DomainHistory> domainHistoryKey, DateTime registrationExpirationTime) {
     return new BillingEvent.Recurring.Builder()
         .setReason(Reason.RENEW)
         .setFlags(ImmutableSet.of(Flag.AUTO_RENEW))
@@ -553,18 +555,18 @@ public class DomainCreateFlow implements TransactionalFlow {
         .setClientId(clientId)
         .setEventTime(registrationExpirationTime)
         .setRecurrenceEndTime(END_OF_TIME)
-        .setParent(historyEntry)
+        .setParent(domainHistoryKey)
         .build();
   }
 
   private Autorenew createAutorenewPollMessage(
-      HistoryEntry historyEntry, DateTime registrationExpirationTime) {
+      Key<DomainHistory> domainHistoryKey, DateTime registrationExpirationTime) {
     return new PollMessage.Autorenew.Builder()
         .setTargetId(targetId)
         .setClientId(clientId)
         .setEventTime(registrationExpirationTime)
         .setMsg("Domain was auto-renewed.")
-        .setParent(historyEntry)
+        .setParentKey(domainHistoryKey)
         .build();
   }
 

core/src/main/java/google/registry/flows/domain/DomainDeleteFlow.java

@@ -16,6 +16,7 @@ package google.registry.flows.domain;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Strings.isNullOrEmpty;
+import static google.registry.flows.FlowUtils.createHistoryKey;
 import static google.registry.flows.FlowUtils.persistEntityChanges;
 import static google.registry.flows.FlowUtils.validateClientIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
@@ -63,6 +64,7 @@ import google.registry.flows.custom.EntityChanges;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.domain.DomainBase;
+import google.registry.model.domain.DomainHistory;
 import google.registry.model.domain.GracePeriod;
 import google.registry.model.domain.fee.BaseFee.FeeType;
 import google.registry.model.domain.fee.Credit;
@@ -125,7 +127,7 @@ public final class DomainDeleteFlow implements TransactionalFlow {
   @Inject @ClientId String clientId;
   @Inject @TargetId String targetId;
   @Inject @Superuser boolean isSuperuser;
-  @Inject HistoryEntry.Builder historyBuilder;
+  @Inject DomainHistory.Builder historyBuilder;
   @Inject DnsQueue dnsQueue;
   @Inject Trid trid;
   @Inject AsyncTaskEnqueuer asyncTaskEnqueuer;
@@ -177,8 +179,8 @@ public final class DomainDeleteFlow implements TransactionalFlow {
             ? Duration.ZERO
             // By default, this should be 30 days of grace, and 5 days of pending delete.
             : redemptionGracePeriodLength.plus(pendingDeleteLength);
-    HistoryEntry historyEntry =
-        buildHistoryEntry(existingDomain, registry, now, durationUntilDelete, inAddGracePeriod);
+    Key<DomainHistory> domainHistoryKey = createHistoryKey(existingDomain, DomainHistory.class);
+    historyBuilder.setId(domainHistoryKey.getId());
     DateTime deletionTime = now.plus(durationUntilDelete);
     if (durationUntilDelete.equals(Duration.ZERO)) {
       builder.setDeletionTime(now).setStatusValues(null);
@@ -208,20 +210,28 @@ public final class DomainDeleteFlow implements TransactionalFlow {
     // Enqueue the deletion poll message if the delete is asynchronous or if requested by a
     // superuser (i.e. the registrar didn't request this delete and thus should be notified even if
     // it is synchronous).
-    if (!durationUntilDelete.equals(Duration.ZERO) || isSuperuser) {
+    if (durationUntilDelete.isLongerThan(Duration.ZERO) || isSuperuser) {
       PollMessage.OneTime deletePollMessage =
-          createDeletePollMessage(existingDomain, historyEntry, deletionTime);
+          createDeletePollMessage(existingDomain, domainHistoryKey, deletionTime);
       entitiesToSave.add(deletePollMessage);
       builder.setDeletePollMessage(deletePollMessage.createVKey());
     }
 
+    // Send a second poll message immediately if the domain is being deleted asynchronously by a
+    // registrar other than the sponsoring registrar (which will necessarily be a superuser).
+    if (durationUntilDelete.isLongerThan(Duration.ZERO)
+        && !clientId.equals(existingDomain.getPersistedCurrentSponsorClientId())) {
+      entitiesToSave.add(
+          createImmediateDeletePollMessage(existingDomain, domainHistoryKey, now, deletionTime));
+    }
+
     // Cancel any grace periods that were still active, and set the expiration time accordingly.
     DateTime newExpirationTime = existingDomain.getRegistrationExpirationTime();
     for (GracePeriod gracePeriod : existingDomain.getGracePeriods()) {
       // No cancellation is written if the grace period was not for a billable event.
       if (gracePeriod.hasBillingEvent()) {
         entitiesToSave.add(
-            BillingEvent.Cancellation.forGracePeriod(gracePeriod, historyEntry, targetId));
+            BillingEvent.Cancellation.forGracePeriod(gracePeriod, now, domainHistoryKey, targetId));
         if (gracePeriod.getOneTimeBillingEvent() != null) {
           // Take the amount of amount of registration time being refunded off the expiration time.
           // This can be either add grace periods or renew grace periods.
@@ -237,24 +247,29 @@ public final class DomainDeleteFlow implements TransactionalFlow {
     builder.setRegistrationExpirationTime(newExpirationTime);
 
     DomainBase newDomain = builder.build();
+    DomainHistory domainHistory =
+        buildDomainHistory(newDomain, registry, now, durationUntilDelete, inAddGracePeriod);
     updateForeignKeyIndexDeletionTime(newDomain);
-    handlePendingTransferOnDelete(existingDomain, newDomain, now, historyEntry);
-    // Close the autorenew billing event and poll message. This may delete the poll message.
-    updateAutorenewRecurrenceEndTime(existingDomain, now);
+    handlePendingTransferOnDelete(existingDomain, newDomain, now, domainHistory);
+    // Close the autorenew billing event and poll message. This may delete the poll message.  Store
+    // the updated recurring billing event, we'll need it later and can't reload it.
+    BillingEvent.Recurring recurringBillingEvent =
+        updateAutorenewRecurrenceEndTime(existingDomain, now);
     // If there's a pending transfer, the gaining client's autorenew billing
     // event and poll message will already have been deleted in
     // ResourceDeleteFlow since it's listed in serverApproveEntities.
     dnsQueue.addDomainRefreshTask(existingDomain.getDomainName());
 
-    entitiesToSave.add(newDomain, historyEntry);
-    EntityChanges entityChanges = flowCustomLogic.beforeSave(
-        BeforeSaveParameters.newBuilder()
-            .setExistingDomain(existingDomain)
-            .setNewDomain(newDomain)
-            .setHistoryEntry(historyEntry)
-            .setEntityChanges(EntityChanges.newBuilder().setSaves(entitiesToSave.build()).build())
-            .build());
-    persistEntityChanges(entityChanges);
+    entitiesToSave.add(newDomain, domainHistory);
+    EntityChanges entityChanges =
+        flowCustomLogic.beforeSave(
+            BeforeSaveParameters.newBuilder()
+                .setExistingDomain(existingDomain)
+                .setNewDomain(newDomain)
+                .setHistoryEntry(domainHistory)
+                .setEntityChanges(
+                    EntityChanges.newBuilder().setSaves(entitiesToSave.build()).build())
+                .build());
     BeforeResponseReturnData responseData =
         flowCustomLogic.beforeResponse(
             BeforeResponseParameters.newBuilder()
@@ -262,8 +277,10 @@ public final class DomainDeleteFlow implements TransactionalFlow {
                     newDomain.getDeletionTime().isAfter(now)
                         ? SUCCESS_WITH_ACTION_PENDING
                         : SUCCESS)
-                .setResponseExtensions(getResponseExtensions(existingDomain, now))
+                .setResponseExtensions(
+                    getResponseExtensions(recurringBillingEvent, existingDomain, now))
                 .build());
+    persistEntityChanges(entityChanges);
     return responseBuilder
         .setResultFromCode(responseData.resultCode())
         .setExtensions(responseData.responseExtensions())
@@ -284,8 +301,8 @@ public final class DomainDeleteFlow implements TransactionalFlow {
     }
   }
 
-  private HistoryEntry buildHistoryEntry(
-      DomainBase existingResource,
+  private DomainHistory buildDomainHistory(
+      DomainBase domain,
       Registry registry,
       DateTime now,
       Duration durationUntilDelete,
@@ -299,31 +316,30 @@ public final class DomainDeleteFlow implements TransactionalFlow {
               registry.getRenewGracePeriodLength()));
       ImmutableSet<DomainTransactionRecord> cancelledRecords =
           createCancelingRecords(
-              existingResource,
+              domain,
               now,
               maxGracePeriod,
               Sets.immutableEnumSet(Sets.union(ADD_FIELDS, RENEW_FIELDS)));
-      historyBuilder
-          .setDomainTransactionRecords(
-              union(
-                  cancelledRecords,
-                  DomainTransactionRecord.create(
-                      existingResource.getTld(),
-                      now.plus(durationUntilDelete),
-                      inAddGracePeriod
-                          ? TransactionReportField.DELETED_DOMAINS_GRACE
-                          : TransactionReportField.DELETED_DOMAINS_NOGRACE,
-                      1)));
+      historyBuilder.setDomainTransactionRecords(
+          union(
+              cancelledRecords,
+              DomainTransactionRecord.create(
+                  domain.getTld(),
+                  now.plus(durationUntilDelete),
+                  inAddGracePeriod
+                      ? TransactionReportField.DELETED_DOMAINS_GRACE
+                      : TransactionReportField.DELETED_DOMAINS_NOGRACE,
+                  1)));
     }
     return historyBuilder
         .setType(HistoryEntry.Type.DOMAIN_DELETE)
         .setModificationTime(now)
-        .setParent(Key.create(existingResource))
+        .setDomain(domain)
         .build();
   }
 
   private PollMessage.OneTime createDeletePollMessage(
-      DomainBase existingDomain, HistoryEntry historyEntry, DateTime deletionTime) {
+      DomainBase existingDomain, Key<DomainHistory> domainHistoryKey, DateTime deletionTime) {
     Optional<MetadataExtension> metadataExtension =
         eppInput.getSingleExtension(MetadataExtension.class);
     boolean hasMetadataMessage =
@@ -342,13 +358,29 @@ public final class DomainDeleteFlow implements TransactionalFlow {
             ImmutableList.of(
                 DomainPendingActionNotificationResponse.create(
                     existingDomain.getDomainName(), true, trid, deletionTime)))
-        .setParent(historyEntry)
+        .setParentKey(domainHistoryKey)
+        .build();
+  }
+
+  private PollMessage.OneTime createImmediateDeletePollMessage(
+      DomainBase existingDomain,
+      Key<DomainHistory> domainHistoryKey,
+      DateTime now,
+      DateTime deletionTime) {
+    return new PollMessage.OneTime.Builder()
+        .setClientId(existingDomain.getPersistedCurrentSponsorClientId())
+        .setEventTime(now)
+        .setParentKey(domainHistoryKey)
+        .setMsg(
+            String.format(
+                "Domain %s was deleted by registry administrator with final deletion effective: %s",
+                existingDomain.getDomainName(), deletionTime))
         .build();
   }
 
   @Nullable
   private ImmutableList<FeeTransformResponseExtension> getResponseExtensions(
-      DomainBase existingDomain, DateTime now) {
+      BillingEvent.Recurring recurringBillingEvent, DomainBase existingDomain, DateTime now) {
     FeeTransformResponseExtension.Builder feeResponseBuilder = getDeleteResponseBuilder();
     if (feeResponseBuilder == null) {
       return ImmutableList.of();
@@ -356,7 +388,7 @@ public final class DomainDeleteFlow implements TransactionalFlow {
     ImmutableList.Builder<Credit> creditsBuilder = new ImmutableList.Builder<>();
     for (GracePeriod gracePeriod : existingDomain.getGracePeriods()) {
       if (gracePeriod.hasBillingEvent()) {
-        Money cost = getGracePeriodCost(gracePeriod, now);
+        Money cost = getGracePeriodCost(recurringBillingEvent, gracePeriod, now);
         creditsBuilder.add(Credit.create(
             cost.negated().getAmount(), FeeType.CREDIT, gracePeriod.getType().getXmlName()));
         feeResponseBuilder.setCurrency(checkNotNull(cost.getCurrencyUnit()));
@@ -369,12 +401,12 @@ public final class DomainDeleteFlow implements TransactionalFlow {
     return ImmutableList.of(feeResponseBuilder.setCredits(credits).build());
   }
 
-  private Money getGracePeriodCost(GracePeriod gracePeriod, DateTime now) {
+  private Money getGracePeriodCost(
+      BillingEvent.Recurring recurringBillingEvent, GracePeriod gracePeriod, DateTime now) {
     if (gracePeriod.getType() == GracePeriodStatus.AUTO_RENEW) {
+      // If we updated the autorenew billing event, reuse it.
       DateTime autoRenewTime =
-          tm().loadByKey(checkNotNull(gracePeriod.getRecurringBillingEvent()))
-              .getRecurrenceTimeOfYear()
-              .getLastInstanceBeforeOrAt(now);
+          recurringBillingEvent.getRecurrenceTimeOfYear().getLastInstanceBeforeOrAt(now);
       return getDomainRenewCost(targetId, autoRenewTime, 1);
     }
     return tm().loadByKey(checkNotNull(gracePeriod.getOneTimeBillingEvent())).getCost();