Prepare switch of credential annotation (#2014)

* Prepare switch of credential annotation

Prepare the switch from DefaultCredential to ApplicationCredential.

In nomulus tools, start using the new annotation. This is tested by
successfully using the nomulus curl command, which actually needs a
valid credential to work.

For remaining use cases of the old annotation in Nomulus server, add
some code that relies on the new credential to work. Once these code
are tested in sandbox and production, we will switch the annotations.

.gcloudignore

@@ -6,5 +6,4 @@ node_modules/
 repos/**
 **/.idea/
 *.jar
-!third_party/**/*.jar
 !/gradle/wrapper/**/*.jar

.github/workflows/codeql.yml

@@ -0,0 +1,63 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ 'master' ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ 'master' ]
+  schedule:
+    - cron: '24 4 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java', 'javascript', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.gitignore

@@ -14,7 +14,6 @@ gjf.out
 *.jar
 *.war
 *.ear
-!/third_party/**/*.jar
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*

.lgtm.yml

@@ -1,6 +0,0 @@
-extraction:
-  java:
-    prepare:
-      packages: "npm"
-    index:
-      java_version: "11"

README.md

@@ -1,8 +1,8 @@
 # Nomulus
 
-| Internal Build | FOSS Build | LGTM | License | Code Search |
-|:--------------:|:----------:|:----:|:-------:|:-----------:|
-|[![Build Status for Google Registry internal build](https://storage.googleapis.com/domain-registry-kokoro/internal/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/internal/index.html)|[![Build Status for the open source build](https://storage.googleapis.com/domain-registry-kokoro/foss/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/foss/index.html)|[![Total alerts](https://img.shields.io/lgtm/alerts/g/google/nomulus.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/google/nomulus/alerts/)|[![License for this repo](https://img.shields.io/github/license/google/nomulus.svg)](https://github.com/google/nomulus/blob/master/LICENSE)|[![Link to Code Search](https://www.gstatic.com/devopsconsole/images/oss/favicons/oss-32x32.png)](https://cs.opensource.google/nomulus/nomulus)|
+| Internal Build | FOSS Build | License | Code Search |
+|:--------------:|:----------:|:-------:|:-----------:|
+|[![Build Status for Google Registry internal build](https://storage.googleapis.com/domain-registry-kokoro/internal/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/internal/index.html)|[![Build Status for the open source build](https://storage.googleapis.com/domain-registry-kokoro/foss/build.svg)](https://storage.googleapis.com/domain-registry-kokoro/foss/index.html)|[![License for this repo](https://img.shields.io/github/license/google/nomulus.svg)](https://github.com/google/nomulus/blob/master/LICENSE)|[![Link to Code Search](https://www.gstatic.com/devopsconsole/images/oss/favicons/oss-32x32.png)](https://cs.opensource.google/nomulus/nomulus)|
 
 ![Nomulus logo](./nomulus-logo.png)
 

appengine_war.gradle

@@ -47,6 +47,10 @@ war {
 
 if (project.path == ":services:default") {
     war {
+        from("${rootDir}/console-webapp/dist/console-webapp") {
+            include "**/*"
+            into("console")
+        }
         from("${coreResourcesDir}/google/registry/ui") {
             include "registrar_bin.js"
             if (environment != "production") {
@@ -99,8 +103,10 @@ explodeWar.doLast {
     file("${it.explodedAppDirectory}/WEB-INF/lib/tools.jar").setWritable(true)
 }
 
+appengineDeployAll.finalizedBy ':cloudSchedulerDeployer'
 rootProject.deploy.dependsOn appengineDeployAll
 rootProject.stage.dependsOn appengineStage
+tasks['war'].dependsOn ':console-webapp:buildConsoleWebappProd'
 tasks['war'].dependsOn ':core:compileProdJS'
 tasks['war'].dependsOn ':core:processResources'
 tasks['war'].dependsOn ':core:jar'

build.gradle

@@ -355,8 +355,6 @@ subprojects {
     }
   }
 
-  if (project.name == 'third_party') return
-
   project.tasks.test.dependsOn runPresubmits
 
   def commonlyExcludedResources = ['**/*.java', '**/BUILD']
@@ -528,6 +526,10 @@ task javaIncrementalFormatApply {
 
 task javadoc(type: Javadoc) {
   source javadocSource
+  // Java 11.0.17 has the following bug that affects annotation handling on
+  // package-info.java:
+  // https://bugs.openjdk.org/browse/JDK-8222091
+  exclude "**/package-info.java"
   classpath = files(javadocClasspath)
   destinationDir = file("${buildDir}/docs/javadoc")
   options.encoding = "UTF-8"
@@ -549,12 +551,28 @@ task coreDev {
   dependsOn 'javadoc'
   dependsOn 'checkDependenciesDotGradle'
   dependsOn 'checkLicense'
+  dependsOn ':console-webapp:runConsoleWebappUnitTests'
   dependsOn ':core:check'
   dependsOn 'assemble'
 }
 
 javadocDependentTasks.each { tasks.javadoc.dependsOn(it) }
 
+// Runs the script, which deploys cloud scheduler tasks based on the config
+task cloudSchedulerDeployer {
+  doLast {
+    def env = environment
+    if (!prodOrSandboxEnv) {
+      exec {
+        commandLine 'go', 'run',
+                "${rootDir}/release/builder/cloudSchedulerDeployer.go",
+                "${rootDir}/core/src/main/java/google/registry/env/${env}/default/WEB-INF/cloud-scheduler-tasks.xml",
+                "domain-registry-${env}"
+      }
+    }
+  }
+}
+
 // disable javadoc in subprojects, these will break because they don't have
 // the correct classpath (see above).
 gradle.taskGraph.whenReady { graph ->

buildSrc/gradle.lockfile

@@ -4,31 +4,37 @@
 antlr:antlr:2.7.7=checkstyle
 aopalliance:aopalliance:1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 args4j:args4j:2.0.23=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-core:2.13.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson:jackson-bom:2.13.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.14.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson:jackson-bom:2.14.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.ben-manes.caffeine:caffeine:2.7.0=annotationProcessor,testAnnotationProcessor
 com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,testAnnotationProcessor
-com.google.api-client:google-api-client:1.35.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.9.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.4.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:api-common:2.2.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:0.103.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax:2.18.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-storage:v1-rev20220705-1.32.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-credentials:1.7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-oauth2-http:1.7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.value:auto-value-annotations:1.9=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.value:auto-value:1.9=annotationProcessor
+com.google.android:annotations:4.1.1.4=testRuntimeClasspath
+com.google.api-client:google-api-client:2.1.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.13.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.8.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:api-common:2.5.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.22.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-httpjson:0.107.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.22.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-storage:v1-rev20220705-2.0.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-credentials:1.14.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-oauth2-http:1.14.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.value:auto-value-annotations:1.10.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.value:auto-value:1.10.1=annotationProcessor,compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto:auto-common:0.10=annotationProcessor,testAnnotationProcessor
-com.google.cloud:google-cloud-core-http:2.8.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.8.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.10.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.17.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,testAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
-com.google.code.gson:gson:2.9.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.code.gson:gson:2.10.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.common.html.types:types:1.0.6=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.errorprone:error_prone_annotation:2.3.4=annotationProcessor,testAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.11.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.errorprone:error_prone_annotations:2.3.4=annotationProcessor,checkstyle,testAnnotationProcessor
 com.google.errorprone:error_prone_check_api:2.3.4=annotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_core:2.3.4=annotationProcessor,testAnnotationProcessor
@@ -39,20 +45,21 @@ com.google.guava:guava:27.0.1-jre=annotationProcessor,testAnnotationProcessor
 com.google.guava:guava:29.0-jre=checkstyle
 com.google.guava:guava:31.1-jre=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-apache-v2:1.42.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-appengine:1.42.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-gson:1.42.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-jackson2:1.42.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client:1.42.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-apache-v2:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-appengine:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-gson:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-jackson2:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject.extensions:guice-multibindings:4.1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:4.1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.j2objc:j2objc-annotations:1.1=annotationProcessor,testAnnotationProcessor
 com.google.j2objc:j2objc-annotations:1.3=checkstyle,compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.jsinterop:jsinterop-annotations:1.0.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.oauth-client:google-oauth-client:1.34.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.protobuf:protobuf-java-util:3.21.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.protobuf:protobuf-java:3.21.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java-util:3.21.12=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java:3.21.12=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.protobuf:protobuf-java:3.4.0=annotationProcessor,testAnnotationProcessor
+com.google.re2j:re2j:1.6=testRuntimeClasspath
 com.google.template:soy:2021-02-01=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.truth.extensions:truth-java8-extension:1.1.3=testCompileClasspath,testRuntimeClasspath
 com.google.truth:truth:1.1.3=testCompileClasspath,testRuntimeClasspath
@@ -60,61 +67,76 @@ com.googlecode.java-diff-utils:diffutils:1.3.0=annotationProcessor,testAnnotatio
 com.ibm.icu:icu4j:57.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.puppycrawl.tools:checkstyle:8.37=checkstyle
 commons-beanutils:commons-beanutils:1.9.4=checkstyle
-commons-codec:commons-codec:1.11=compileClasspath,testCompileClasspath,testRuntimeClasspath
+commons-codec:commons-codec:1.15=compileClasspath,testCompileClasspath,testRuntimeClasspath
 commons-collections:commons-collections:3.2.2=checkstyle
 commons-logging:commons-logging:1.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 info.picocli:picocli:4.5.2=checkstyle
-io.grpc:grpc-context:1.47.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-alts:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.52.1=testRuntimeClasspath
+io.grpc:grpc-googleapis:1.52.1=testRuntimeClasspath
+io.grpc:grpc-grpclb:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.52.1=testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-services:1.52.1=testRuntimeClasspath
+io.grpc:grpc-stub:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-xds:1.52.1=testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-http-util:0.31.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.opencensus:opencensus-proto:0.2.0=testRuntimeClasspath
+io.perfmark:perfmark-api:0.26.0=testRuntimeClasspath
 javax.annotation:javax.annotation-api:1.3.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 javax.annotation:jsr250-api:1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 javax.inject:javax.inject:1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.12.10=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy:1.12.10=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.12.22=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.12.22=testCompileClasspath,testRuntimeClasspath
 net.sf.saxon:Saxon-HE:10.3=checkstyle
 org.antlr:antlr4-runtime:4.8-1=checkstyle
-org.apache.commons:commons-lang3:3.11=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-text:1.9=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-lang3:3.12.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-text:1.10.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.13=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore:4.4.15=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
 org.checkerframework:checker-qual:2.11.1=checkstyle
 org.checkerframework:checker-qual:3.0.0=annotationProcessor,testAnnotationProcessor
-org.checkerframework:checker-qual:3.22.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.29.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.checkerframework:dataflow:3.0.0=annotationProcessor,testAnnotationProcessor
 org.checkerframework:javacutil:3.0.0=annotationProcessor,testAnnotationProcessor
 org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,testAnnotationProcessor
+org.codehaus.mojo:animal-sniffer-annotations:1.22=testRuntimeClasspath
+org.conscrypt:conscrypt-openjdk-uber:2.5.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.hamcrest:hamcrest-core:1.3=testCompileClasspath,testRuntimeClasspath
-org.jacoco:org.jacoco.agent:0.8.6=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.6=jacocoAnt
+org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
 org.json:json:20160212=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-api:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-core:4.6.1=testCompileClasspath,testRuntimeClasspath
-org.objenesis:objenesis:3.2=testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.0.0=testCompileClasspath,testRuntimeClasspath
+org.objenesis:objenesis:3.3=testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-analysis:8.0.1=jacocoAnt
+org.ow2.asm:asm-analysis:9.1=jacocoAnt
 org.ow2.asm:asm-commons:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-commons:8.0.1=jacocoAnt
+org.ow2.asm:asm-commons:9.1=jacocoAnt
 org.ow2.asm:asm-tree:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-tree:8.0.1=jacocoAnt
+org.ow2.asm:asm-tree:9.1=jacocoAnt
 org.ow2.asm:asm-util:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm:7.0=compileClasspath
-org.ow2.asm:asm:8.0.1=jacocoAnt
-org.ow2.asm:asm:9.1=testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm:9.1=jacocoAnt,testCompileClasspath,testRuntimeClasspath
 org.pcollections:pcollections:2.1.2=annotationProcessor,testAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,testAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,testAnnotationProcessor
 org.plumelib:require-javadoc:0.1.0=annotationProcessor,testAnnotationProcessor
 org.reflections:reflections:0.9.12=checkstyle
-org.threeten:threetenbp:1.6.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.threeten:threetenbp:1.6.5=compileClasspath,testCompileClasspath,testRuntimeClasspath
 empty=

buildSrc/src/main/java/google/registry/gradle/plugin/ProjectData.java

@@ -17,7 +17,6 @@ package google.registry.gradle.plugin;
 import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
-import google.registry.gradle.plugin.ProjectData.TaskData;
 import java.util.Map;
 import java.util.Optional;
 import java.util.function.Supplier;

common/build.gradle

@@ -38,6 +38,7 @@ configurations {
 
   // All testing util classes. Other projects may declare dependency as:
   // testImplementation project(path: 'common', configuration: 'testing')
+  create("testing")
   testing.extendsFrom testingCompileOnly
 }
 

common/gradle.lockfile

@@ -32,7 +32,7 @@ commons-collections:commons-collections:3.2.2=checkstyle
 info.picocli:picocli:4.5.2=checkstyle
 io.github.java-diff-utils:java-diff-utils:4.12=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 javax.inject:javax.inject:1=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-joda-time:joda-time:2.10.14=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+joda-time:joda-time:2.12.2=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 junit:junit:4.13.2=default,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 net.sf.saxon:Saxon-HE:10.3=checkstyle
 org.antlr:antlr4-runtime:4.8-1=checkstyle
@@ -45,22 +45,21 @@ org.checkerframework:dataflow:3.0.0=annotationProcessor,errorprone,testAnnotatio
 org.checkerframework:javacutil:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.hamcrest:hamcrest-core:1.3=default,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-org.jacoco:org.jacoco.agent:0.8.6=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.6=jacocoAnt
+org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
-org.junit.jupiter:junit-jupiter-api:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.9.0=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-analysis:8.0.1=jacocoAnt
-org.ow2.asm:asm-commons:8.0.1=jacocoAnt
-org.ow2.asm:asm-tree:8.0.1=jacocoAnt
-org.ow2.asm:asm:8.0.1=jacocoAnt
-org.ow2.asm:asm:9.1=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+org.ow2.asm:asm-analysis:9.1=jacocoAnt
+org.ow2.asm:asm-commons:9.1=jacocoAnt
+org.ow2.asm:asm-tree:9.1=jacocoAnt
+org.ow2.asm:asm:9.1=compileClasspath,default,deploy_jar,jacocoAnt,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 org.pcollections:pcollections:2.1.2=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor

common/src/main/java/google/registry/util/DateTimeUtils.java

@@ -35,7 +35,7 @@ public abstract class DateTimeUtils {
    *
    * <p>This value is (2^63-1)/1000 rounded down. AppEngine stores dates as 64 bit microseconds, but
    * Java uses milliseconds, so this is the largest representable date that will survive a
-   * round-trip through Datastore.
+   * round-trip through the database.
    */
   public static final DateTime END_OF_TIME = new DateTime(Long.MAX_VALUE / 1000, DateTimeZone.UTC);
 

config/checkstyle/checkstyle.xml

@@ -43,12 +43,6 @@ by Joshua Bloch in his book Effective Java -->
     <property name="message" value='Your Javadocs appear to use invalid &lt;a&gt; tag syntax in @see tags. Please use the correct syntax: @see &lt;a href="http(s)://your_url"&gt;url_description&lt;/a&gt;'/>
   </module>
 
-  <!-- Checks that our Ofy wrapper is used instead of the "real" ofy(). -->
-  <module name="RegexpSingleline">
-    <property name="format" value="com\.googlecode\.objectify\.ObjectifyService\.ofy"/>
-    <property name="message" value="Use google.registry.model.ofy.ObjectifyService.ofy(). Do not use com.googlecode.objectify.v4.ObjectifyService.ofy()."/>
-  </module>
-
   <!-- Checks that java.util.Optional is used instead of Guava's Optional. -->
   <module name="RegexpSingleline">
     <property name="format" value="com\.google\.common\.base\.Optional"/>
@@ -58,7 +52,7 @@ by Joshua Bloch in his book Effective Java -->
   <!-- Checks that the deprecated ExpectedException is not used. -->
   <module name="RegexpSingleline">
     <property name="format" value="org\.junit\.rules\.ExpectedException"/>
-    <property name="message" value="Use assertThrows and expectThrows from JUnitBackports instead of the deprecated methods on ExpectedException."/>
+    <property name="message" value="Use assertThrows and expectThrows instead of the deprecated methods on ExpectedException."/>
   </module>
 
   <module name="LineLength">

config/checkstyle/suppressions.xml

@@ -9,6 +9,4 @@
   <suppress files="[/\\].*[/\\]generated.*[/\\]" checks="."/>
   <!-- Ignore Javadoc checks in test files -->
   <suppress files="[/\\].*[/\\]src/test/java/.*[/\\]" checks="JavadocType"/>
-  <!-- ofy() regex check doesn't apply to these files -->
-  <suppress files="AugmentedDeleter.java|AugmentedSaver.java|Ofy.java" checks="RegexpSingleline"/>
 </suppressions>

config/dependency-license/allowed_licenses.json

@@ -207,6 +207,9 @@
     {
       "moduleLicense": "GNU Library General Public License v2.1 or later"
     },
+    {
+      "moduleLicense": "GNU Lesser General Public License v3.0"
+    },
     // This is just 3-clause BSD.
     {
       "moduleLicense": "Go License"
@@ -267,6 +270,10 @@
       "moduleLicense": "Public Domain",
       "moduleName": "org.tukaani:xz"
     },
+    {
+      "moduleLicense": "Public Domain",
+      "moduleName": "org.json:json"
+    },
     {
       // "Apache License, Version 2.0".
       "moduleLicense": null,

config/presubmits.py

@@ -25,7 +25,7 @@ import textwrap
 import re
 
 # We should never analyze any generated files
-UNIVERSALLY_SKIPPED_PATTERNS = {"/build/", "cloudbuild-caches", "/out/", ".git/", ".gradle/"}
+UNIVERSALLY_SKIPPED_PATTERNS = {"/build/", "cloudbuild-caches", "/out/", ".git/", ".gradle/", "/dist/", "karma.conf.js", "polyfills.ts", "test.ts"}
 # We can't rely on CI to have the Enum package installed so we do this instead.
 FORBIDDEN = 1
 REQUIRED = 2
@@ -86,7 +86,7 @@ PRESUBMITS = {
     # License check
     PresubmitCheck(
         r".*Copyright 20\d{2} The Nomulus Authors\. All Rights Reserved\.",
-        ("java", "js", "soy", "sql", "py", "sh", "gradle"), {
+        ("java", "js", "soy", "sql", "py", "sh", "gradle", "ts"), {
             ".git", "/build/", "/generated/", "/generated_tests/",
             "node_modules/", "LoggerConfig.java", "registrar_bin.",
             "registrar_dbg.", "google-java-format-diff.py",
@@ -95,7 +95,7 @@ PRESUBMITS = {
         "File did not include the license header.",
 
     # Files must end in a newline
-    PresubmitCheck(r".*\n$", ("java", "js", "soy", "sql", "py", "sh", "gradle"),
+    PresubmitCheck(r".*\n$", ("java", "js", "soy", "sql", "py", "sh", "gradle", "ts"),
                    {"node_modules/"}, REQUIRED):
         "Source files must end in a newline.",
 
@@ -109,15 +109,6 @@ PRESUBMITS = {
         "System.(out|err).println is only allowed in tools/ packages. Please "
         "use a logger instead.",
 
-    # ObjectifyService.register is restricted to main/ or AppEngineExtension.
-    PresubmitCheck(
-        r".*\bObjectifyService\.register", "java", {
-            "/build/", "/generated/", "node_modules/", "src/main/",
-            "AppEngineExtension.java"
-        }):
-      "ObjectifyService.register(...) is not allowed in tests. Please use "
-      "AppEngineExtension.register(...) instead.",
-
     # PostgreSQLContainer instantiation must specify docker tag
     # TODO(b/204572437): Fix the pattern to pass DatabaseSnapshotTest.java
     PresubmitCheck(

console-webapp/.editorconfig

@@ -0,0 +1,16 @@
+# Editor configuration, see https://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.ts]
+quote_type = single
+
+[*.md]
+max_line_length = off
+trim_trailing_whitespace = false

console-webapp/.gitignore

@@ -0,0 +1,42 @@
+# See http://help.github.com/ignore-files/ for more about ignoring files.
+
+# Compiled output
+/dist
+/tmp
+/out-tsc
+/bazel-out
+
+# Node
+/node_modules
+npm-debug.log
+yarn-error.log
+
+# IDEs and editors
+.idea/
+.project
+.classpath
+.c9/
+*.launch
+.settings/
+*.sublime-workspace
+
+# Visual Studio Code
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+.history/*
+
+# Miscellaneous
+/.angular/cache
+.sass-cache/
+/connect.lock
+/coverage
+/libpeerconnection.log
+testem.log
+/typings
+
+# System files
+.DS_Store
+Thumbs.db

console-webapp/README.md

@@ -0,0 +1,52 @@
+# ConsoleWebapp
+
+A web application for managing [Nomulus](https://github.com/google/nomulus).
+
+## Status
+
+Console webapp is currently under active development and some parts of it are
+expected to change.
+
+## Deployment
+
+Webapp is deployed with the nomulus default service war to Google App Engine.
+During nomulus default service war build task, gradle script triggers the
+following:
+
+1) Console webapp build script `buildConsoleWebappProd`, which installs
+   dependencies, assembles a compiled ts -> js, minified, optimized static
+   artifact (html, css, js)
+2) Artifact assembled in step 1 then gets copied to core project web artifact
+   location, so that it can be deployed with the rest of the core webapp
+
+## Development server
+
+Run `npm run start:dev` to start both webapp dev server and API server instance.
+Navigate to `http://localhost:4200/`. The application will automatically reload
+if you change any of the source files.
+
+## Code scaffolding
+
+Run `ng generate component component-name` to generate a new component. You can
+also use `ng generate directive|pipe|service|class|guard|interface|enum|module`.
+
+## Build
+
+Run `ng build` to build the project. The build artifacts will be stored in
+the `dist/` directory.
+
+## Running unit tests
+
+Run `ng test` to execute the unit tests
+via [Karma](https://karma-runner.github.io).
+
+## Running end-to-end tests
+
+Run `ng e2e` to execute the end-to-end tests via a platform of your choice. To
+use this command, you need to first add a package that implements end-to-end
+testing capabilities.
+
+## Further help
+
+To get more help on the Angular CLI use `ng help` or go check out
+the [Angular CLI Overview and Command Reference](https://angular.io/cli) page.

console-webapp/angular.json

@@ -0,0 +1,109 @@
+{
+  "$schema": "./node_modules/@angular/cli/lib/config/schema.json",
+  "version": 1,
+  "newProjectRoot": "projects",
+  "projects": {
+    "console-webapp": {
+      "projectType": "application",
+      "schematics": {
+        "@schematics/angular:component": {
+          "style": "less"
+        }
+      },
+      "root": "",
+      "sourceRoot": "src",
+      "prefix": "app",
+      "architect": {
+        "build": {
+          "builder": "@angular-devkit/build-angular:browser",
+          "options": {
+            "outputPath": "dist/console-webapp",
+            "index": "src/index.html",
+            "main": "src/main.ts",
+            "polyfills": "src/polyfills.ts",
+            "tsConfig": "tsconfig.app.json",
+            "inlineStyleLanguage": "less",
+            "assets": [
+              "src/favicon.ico",
+              "src/assets"
+            ],
+            "styles": [
+              "./node_modules/@angular/material/prebuilt-themes/indigo-pink.css",
+              "src/styles.less"
+            ],
+            "scripts": []
+          },
+          "configurations": {
+            "production": {
+              "budgets": [
+                {
+                  "type": "initial",
+                  "maximumWarning": "500kb",
+                  "maximumError": "1mb"
+                },
+                {
+                  "type": "anyComponentStyle",
+                  "maximumWarning": "2kb",
+                  "maximumError": "4kb"
+                }
+              ],
+              "fileReplacements": [
+                {
+                  "replace": "src/environments/environment.ts",
+                  "with": "src/environments/environment.prod.ts"
+                }
+              ],
+              "outputHashing": "all"
+            },
+            "development": {
+              "buildOptimizer": false,
+              "optimization": false,
+              "vendorChunk": true,
+              "extractLicenses": false,
+              "sourceMap": true,
+              "namedChunks": true
+            }
+          },
+          "defaultConfiguration": "production"
+        },
+        "serve": {
+          "builder": "@angular-devkit/build-angular:dev-server",
+          "configurations": {
+            "production": {
+              "browserTarget": "console-webapp:build:production"
+            },
+            "development": {
+              "browserTarget": "console-webapp:build:development"
+            }
+          },
+          "defaultConfiguration": "development"
+        },
+        "extract-i18n": {
+          "builder": "@angular-devkit/build-angular:extract-i18n",
+          "options": {
+            "browserTarget": "console-webapp:build"
+          }
+        },
+        "test": {
+          "builder": "@angular-devkit/build-angular:karma",
+          "options": {
+            "main": "src/test.ts",
+            "polyfills": "src/polyfills.ts",
+            "tsConfig": "tsconfig.spec.json",
+            "karmaConfig": "karma.conf.js",
+            "inlineStyleLanguage": "less",
+            "assets": [
+              "src/favicon.ico",
+              "src/assets"
+            ],
+            "styles": [
+              "./node_modules/@angular/material/prebuilt-themes/indigo-pink.css",
+              "src/styles.less"
+            ],
+            "scripts": []
+          }
+        }
+      }
+    }
+  }
+}

console-webapp/build.gradle

@@ -0,0 +1,54 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+def consoleDir = "${rootDir}/console-webapp"
+
+clean {
+  delete "${consoleDir}/node_modules"
+  delete "${consoleDir}/dist"
+}
+
+task npmInstallDeps(type: Exec) {
+  workingDir "${consoleDir}/"
+  executable 'npm'
+  args 'i', '--no-audit', '--no-fund', '--loglevel=error'
+}
+
+task runConsoleWebappLocally(type: Exec) {
+  workingDir "${consoleDir}/"
+  executable 'npm'
+  args 'run', 'start:dev'
+}
+
+task runConsoleWebappUnitTests(type: Exec) {
+  workingDir "${consoleDir}/"
+  executable 'npm'
+  args 'run', 'test'
+}
+
+task buildConsoleWebappNonProd(type: Exec) {
+  workingDir "${consoleDir}/"
+  executable 'npm'
+  args 'run', 'build'
+}
+
+// Keeping the same as non prod for now before we figure out optimization we want to include
+task buildConsoleWebappProd(type: Exec) {
+  workingDir "${consoleDir}/"
+  executable 'npm'
+  args 'run', 'build'
+}
+
+tasks.runConsoleWebappUnitTests.dependsOn(tasks.npmInstallDeps)
+tasks.buildConsoleWebappProd.dependsOn(tasks.npmInstallDeps)

console-webapp/buildscript-gradle.lockfile

@@ -0,0 +1,4 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+empty=classpath

console-webapp/dev-proxy.config.json

@@ -0,0 +1,7 @@
+{
+  "/registrar":
+  {
+    "target": "http://localhost:8080/registrar",
+    "secure": false
+  }
+}

console-webapp/gradle.lockfile

@@ -0,0 +1,48 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+antlr:antlr:2.7.7=checkstyle
+com.github.ben-manes.caffeine:caffeine:2.7.0=annotationProcessor,errorprone,testAnnotationProcessor
+com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.auto:auto-common:0.10=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor
+com.google.errorprone:error_prone_annotation:2.3.4=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.errorprone:error_prone_annotations:2.3.4=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor
+com.google.errorprone:error_prone_check_api:2.3.4=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.errorprone:error_prone_core:2.3.4=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.errorprone:error_prone_type_annotations:2.3.4=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.guava:failureaccess:1.0.1=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor
+com.google.guava:guava:27.0.1-jre=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.guava:guava:29.0-jre=checkstyle
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor
+com.google.j2objc:j2objc-annotations:1.1=annotationProcessor,errorprone,testAnnotationProcessor
+com.google.j2objc:j2objc-annotations:1.3=checkstyle
+com.google.protobuf:protobuf-java:3.4.0=annotationProcessor,errorprone,testAnnotationProcessor
+com.googlecode.java-diff-utils:diffutils:1.3.0=annotationProcessor,errorprone,testAnnotationProcessor
+com.puppycrawl.tools:checkstyle:8.37=checkstyle
+commons-beanutils:commons-beanutils:1.9.4=checkstyle
+commons-collections:commons-collections:3.2.2=checkstyle
+info.picocli:picocli:4.5.2=checkstyle
+net.sf.saxon:Saxon-HE:10.3=checkstyle
+org.antlr:antlr4-runtime:4.8-1=checkstyle
+org.checkerframework:checker-qual:2.11.1=checkstyle
+org.checkerframework:checker-qual:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor
+org.checkerframework:dataflow:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor
+org.checkerframework:javacutil:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor
+org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,errorprone,testAnnotationProcessor
+org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
+org.javassist:javassist:3.26.0-GA=checkstyle
+org.ow2.asm:asm-analysis:9.1=jacocoAnt
+org.ow2.asm:asm-commons:9.1=jacocoAnt
+org.ow2.asm:asm-tree:9.1=jacocoAnt
+org.ow2.asm:asm:9.1=jacocoAnt
+org.pcollections:pcollections:2.1.2=annotationProcessor,errorprone,testAnnotationProcessor
+org.plumelib:plume-util:1.0.6=annotationProcessor,errorprone,testAnnotationProcessor
+org.plumelib:reflection-util:0.0.2=annotationProcessor,errorprone,testAnnotationProcessor
+org.plumelib:require-javadoc:0.1.0=annotationProcessor,errorprone,testAnnotationProcessor
+org.reflections:reflections:0.9.12=checkstyle
+empty=archives,compileClasspath,default,deploy_jar,errorproneJavac,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

console-webapp/karma.conf.js

@@ -0,0 +1,44 @@
+// Karma configuration file, see link for more information
+// https://karma-runner.github.io/1.0/config/configuration-file.html
+
+module.exports = function (config) {
+  config.set({
+    basePath: '',
+    frameworks: ['jasmine', '@angular-devkit/build-angular'],
+    plugins: [
+      require('karma-jasmine'),
+      require('karma-chrome-launcher'),
+      require('karma-jasmine-html-reporter'),
+      require('karma-coverage'),
+      require('@angular-devkit/build-angular/plugins/karma')
+    ],
+    client: {
+      jasmine: {
+        // you can add configuration options for Jasmine here
+        // the possible options are listed at https://jasmine.github.io/api/edge/Configuration.html
+        // for example, you can disable the random execution with `random: false`
+        // or set a specific seed with `seed: 4321`
+      },
+      clearContext: false // leave Jasmine Spec Runner output visible in browser
+    },
+    jasmineHtmlReporter: {
+      suppressAll: true // removes the duplicated traces
+    },
+    coverageReporter: {
+      dir: require('path').join(__dirname, './coverage/console-webapp'),
+      subdir: '.',
+      reporters: [
+        { type: 'html' },
+        { type: 'text-summary' }
+      ]
+    },
+    reporters: ['progress', 'kjhtml'],
+    port: 9876,
+    colors: true,
+    logLevel: config.LOG_INFO,
+    autoWatch: true,
+    browsers: ['Chrome'],
+    singleRun: false,
+    restartOnFileChange: true
+  });
+};

console-webapp/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "console-webapp",
+  "version": "0.0.0",
+  "scripts": {
+    "ng": "ng",
+    "start": "ng serve",
+    "build": "ng build --base-href=/console/",
+    "build:local": "ng build --base-href=/default/console/",
+    "watch": "ng build --watch --configuration development",
+    "test": "ng test --browsers=ChromeHeadless --watch=false",
+    "run:dev": "",
+    "start:dev": "concurrently \"./../gradlew :core:runTestServer\" \"ng serve --proxy-config dev-proxy.config.json\""
+  },
+  "private": true,
+  "dependencies": {
+    "@angular/animations": "^15.2.2",
+    "@angular/cdk": "^15.2.2",
+    "@angular/common": "^15.2.2",
+    "@angular/compiler": "^15.2.2",
+    "@angular/core": "^15.2.2",
+    "@angular/forms": "^15.2.2",
+    "@angular/material": "^15.2.2",
+    "@angular/platform-browser": "^15.2.2",
+    "@angular/platform-browser-dynamic": "^15.2.2",
+    "@angular/router": "^15.2.2",
+    "rxjs": "~7.5.0",
+    "tslib": "^2.3.0",
+    "zone.js": "~0.11.4"
+  },
+  "devDependencies": {
+    "@angular-devkit/build-angular": "^15.2.4",
+    "@angular/cli": "~15.2.4",
+    "@angular/compiler-cli": "^15.2.2",
+    "@types/jasmine": "~4.0.0",
+    "@types/node": "^18.11.18",
+    "concurrently": "^7.6.0",
+    "jasmine-core": "~4.3.0",
+    "karma": "~6.4.0",
+    "karma-chrome-launcher": "~3.1.0",
+    "karma-coverage": "~2.2.0",
+    "karma-jasmine": "~5.1.0",
+    "karma-jasmine-html-reporter": "~2.0.0",
+    "typescript": "~4.9.4"
+  }
+}

console-webapp/src/app/app-routing.module.ts

@@ -0,0 +1,29 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { NgModule } from '@angular/core';
+import { RouterModule, Routes } from '@angular/router';
+import {TldsComponent} from './tlds/tlds.component';
+import {HomeComponent} from './home/home.component';
+
+const routes: Routes = [
+  { path: 'home', component: HomeComponent },
+  { path: 'tlds', component: TldsComponent },
+];
+
+@NgModule({
+  imports: [RouterModule.forRoot(routes)],
+  exports: [RouterModule]
+})
+export class AppRoutingModule { }

console-webapp/src/app/app.component.html

@@ -0,0 +1,14 @@
+<div class="toolbar" role="banner">
+  Nomulus Console
+</div>
+
+<div class="content" role="main">
+  <nav>
+    <ul>
+      <li><a routerLink="/home" routerLinkActive="active" ariaCurrentWhenActive="page">Home page</a></li>
+      <li><a routerLink="/tlds" routerLinkActive="active" ariaCurrentWhenActive="page">TLDs</a></li>
+    </ul>
+  </nav>
+</div>
+
+<router-outlet></router-outlet>

console-webapp/src/app/app.component.less

@@ -0,0 +1,35 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+:host {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
+  font-size: 14px;
+  color: #333;
+  box-sizing: border-box;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+h1,
+h2,
+h3,
+h4,
+h5,
+h6 {
+  margin: 8px 0;
+}
+
+p {
+  margin: 0;
+}

console-webapp/src/app/app.component.spec.ts

@@ -0,0 +1,37 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { TestBed } from '@angular/core/testing';
+import { RouterTestingModule } from '@angular/router/testing';
+import { AppComponent } from './app.component';
+
+describe('AppComponent', () => {
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      imports: [
+        RouterTestingModule
+      ],
+      declarations: [
+        AppComponent
+      ],
+    }).compileComponents();
+  });
+
+  it('should create the app', () => {
+    const fixture = TestBed.createComponent(AppComponent);
+    const app = fixture.componentInstance;
+    expect(app).toBeTruthy();
+  });
+
+});

console-webapp/src/app/app.component.ts

@@ -1,4 +1,4 @@
-// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,12 +12,13 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.tools;
+import { Component } from '@angular/core';
 
-/**
- * Marker interface for commands that use the remote api.
- *
- * <p>Just implementing this is sufficient to use the remote api; {@link RegistryTool} will install
- * it as needed.
- */
-public interface CommandWithRemoteApi extends Command {}
+@Component({
+  selector: 'app-root',
+  templateUrl: './app.component.html',
+  styleUrls: ['./app.component.less']
+})
+export class AppComponent {
+
+}

console-webapp/src/app/app.module.ts

@@ -0,0 +1,41 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { NgModule } from '@angular/core';
+import { BrowserModule } from '@angular/platform-browser';
+
+import { AppRoutingModule } from './app-routing.module';
+import { AppComponent } from './app.component';
+import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
+import {MaterialModule} from './material.module';
+
+import { HomeComponent } from './home/home.component';
+import { TldsComponent } from './tlds/tlds.component';
+
+@NgModule({
+  declarations: [
+    AppComponent,
+    HomeComponent,
+    TldsComponent,
+  ],
+  imports: [
+    MaterialModule,
+    BrowserModule,
+    AppRoutingModule,
+    BrowserAnimationsModule
+  ],
+  providers: [],
+  bootstrap: [AppComponent]
+})
+export class AppModule { }

console-webapp/src/app/home/home.component.html

@@ -0,0 +1,14 @@
+<h3>Recent Activity</h3>
+<table mat-table [dataSource]="dataSource" class="mat-elevation-z8 console-home__activity">
+  <ng-container *ngFor="let column of columns" [matColumnDef]="column.columnDef">
+    <th mat-header-cell *matHeaderCellDef>
+      {{column.header}}
+    </th>
+    <td mat-cell *matCellDef="let row">
+      {{column.cell(row)}}
+    </td>
+  </ng-container>
+
+  <tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
+  <tr mat-row *matRowDef="let row; columns: displayedColumns;"></tr>
+</table>

console-webapp/src/app/home/home.component.less

@@ -0,0 +1,14 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+

console-webapp/src/app/home/home.component.spec.ts

@@ -0,0 +1,39 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { HomeComponent } from './home.component';
+import {MaterialModule} from '../material.module';
+
+describe('HomeComponent', () => {
+  let component: HomeComponent;
+  let fixture: ComponentFixture<HomeComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      imports: [MaterialModule],
+      declarations: [ HomeComponent ]
+    })
+    .compileComponents();
+
+    fixture = TestBed.createComponent(HomeComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});

console-webapp/src/app/home/home.component.ts

@@ -0,0 +1,94 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+
+export interface ActivityRecord {
+  eventType: string;
+  userName: string;
+  registrarName: string;
+  timestamp: string;
+  details: string
+}
+
+const MOCK_DATA: ActivityRecord[] = [
+  {eventType: "Export DUMS", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Update Contact", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Delete Domain", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Export DUMS", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Update Contact", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Delete Domain", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Export DUMS", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Update Contact", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Delete Domain", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Export DUMS", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Update Contact", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Delete Domain", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Export DUMS", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Update Contact", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Delete Domain", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Export DUMS", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Update Contact", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Delete Domain", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Export DUMS", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Update Contact", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Delete Domain", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Export DUMS", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Update Contact", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+  {eventType: "Delete Domain", userName:"user3", registrarName: "registrar1", timestamp: "2022-03-15T19:46:39.007", details: "All Domains under management exported as .csv file" },
+];
+
+
+@Component({
+  selector: 'app-home',
+  templateUrl: './home.component.html',
+  styleUrls: ['./home.component.less']
+})
+export class HomeComponent {
+
+  columns = [
+    {
+      columnDef: 'eventType',
+      header: 'Event Type',
+      cell:(record: ActivityRecord) => `${record.eventType}`,
+    },
+    {
+      columnDef: 'userName',
+      header: 'User',
+      cell: (record: ActivityRecord)  => `${record.userName}`,
+    },
+    {
+      columnDef: 'registrarName',
+      header: 'Registrar',
+      cell: (record: ActivityRecord)  => `${record.registrarName}`,
+    },
+    {
+      columnDef: 'timestamp',
+      header: 'Timestamp',
+      cell: (record: ActivityRecord)  => `${record.timestamp}`,
+    },
+    {
+      columnDef: 'details',
+      header: 'Details',
+      cell: (record: ActivityRecord)  => `${record.details}`,
+    },
+  ];
+  dataSource = MOCK_DATA;
+  displayedColumns = this.columns.map(c => c.columnDef);
+
+  constructor() {
+
+
+  }
+}

console-webapp/src/app/material.module.ts

@@ -0,0 +1,26 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import {NgModule} from '@angular/core';
+import {MatCardModule} from '@angular/material/card';
+import {MatTableModule} from '@angular/material/table';
+
+const MATERIAL_MODULES = [
+  MatCardModule,
+  MatTableModule,
+];
+
+@NgModule({imports: MATERIAL_MODULES, exports: MATERIAL_MODULES})
+export class MaterialModule {
+}

console-webapp/src/app/tlds/tlds.component.html

@@ -0,0 +1,24 @@
+
+<div class="console-tlds__cards">
+  <mat-card class="console-tlds__card">
+    <mat-card-title>.how</mat-card-title>
+    <mat-card-subtitle>A place for thinkers, tinkerers, and knowledge seekers</mat-card-subtitle>
+    <mat-card-actions class="console-tlds__card-links">
+      <a title="Onboarding Now" href="#" target="_blank" rel="noopener">Onboarding Now</a>
+      <a title="Marketing Materials" href="#" target="_blank" rel="noopener">Marketing Materials</a>
+      <a title="Visit get.how for more information" href="#" target="_blank" rel="noopener">Visit get.how for more information</a>
+    </mat-card-actions>
+  </mat-card>
+</div>
+
+<div class="console-tlds__cards">
+  <mat-card class="console-tlds__card">
+    <mat-card-title>.soy</mat-card-title>
+    <mat-card-subtitle>A place for thinkers, tinkerers, and knowledge seekers</mat-card-subtitle>
+    <mat-card-actions class="console-tlds__card-links">
+      <a title="Onboarding Now" href="#" target="_blank" rel="noopener">Onboarding Now</a>
+      <a title="Marketing Materials" href="#" target="_blank" rel="noopener">Marketing Materials</a>
+      <a title="Visit get.how for more information" href="#" target="_blank" rel="noopener">Visit iam.soy for more information</a>
+    </mat-card-actions>
+  </mat-card>
+</div>

console-webapp/src/app/tlds/tlds.component.less

@@ -0,0 +1,28 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+.console-tlds {
+  &__cards {
+    display: flex;
+    border-top: 1px solid #ddd;
+    padding: 1rem;
+  }
+  &__card {
+    max-width: 300px;
+  }
+  &__card-links {
+    display: flex;
+    flex-direction: column;
+  }
+}

console-webapp/src/app/tlds/tlds.component.spec.ts

@@ -0,0 +1,39 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { TldsComponent } from './tlds.component';
+import {MaterialModule} from '../material.module';
+
+describe('TldsComponent', () => {
+  let component: TldsComponent;
+  let fixture: ComponentFixture<TldsComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      imports: [MaterialModule],
+      declarations: [ TldsComponent ]
+    })
+    .compileComponents();
+
+    fixture = TestBed.createComponent(TldsComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});

console-webapp/src/app/tlds/tlds.component.ts

@@ -1,4 +1,4 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,16 +12,18 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.util;
+import { Component, OnInit } from '@angular/core';
 
-import com.google.appengine.api.datastore.Key;
-import java.util.Optional;
+@Component({
+  selector: 'app-tlds',
+  templateUrl: './tlds.component.html',
+  styleUrls: ['./tlds.component.less']
+})
+export class TldsComponent implements OnInit {
 
-/** Utility methods for working with the App Engine Datastore service. */
-public class DatastoreServiceUtils {
+  constructor() { }
 
-  /** Returns the name or id of a key, which may be a string or a long. */
-  public static Object getNameOrId(Key key) {
-    return Optional.<Object>ofNullable(key.getName()).orElse(key.getId());
+  ngOnInit(): void {
   }
+
 }

console-webapp/src/environments/environment.prod.ts

@@ -0,0 +1,17 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+export const environment = {
+  production: true
+};

console-webapp/src/environments/environment.ts

@@ -0,0 +1,30 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file can be replaced during build by using the `fileReplacements` array.
+// `ng build` replaces `environment.ts` with `environment.prod.ts`.
+// The list of file replacements can be found in `angular.json`.
+
+export const environment = {
+  production: false
+};
+
+/*
+ * For easier debugging in development mode, you can import the following file
+ * to ignore zone related error stack frames such as `zone.run`, `zoneDelegate.invokeTask`.
+ *
+ * This import should be commented out in production mode because it will have a negative impact
+ * on performance if an error is thrown.
+ */
+// import 'zone.js/plugins/zone-error';  // Included with Angular CLI.

console-webapp/src/index.html

@@ -0,0 +1,16 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>Nomulus Console</title>
+  <base href="/">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="icon" type="image/x-icon" href="favicon.ico">
+  <link rel="preconnect" href="https://fonts.gstatic.com">
+  <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500&display=swap" rel="stylesheet">
+  <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
+</head>
+<body class="mat-typography">
+  <app-root></app-root>
+</body>
+</html>

console-webapp/src/main.ts

@@ -1,4 +1,4 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,23 +12,15 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.util;
+import { enableProdMode } from '@angular/core';
+import { platformBrowserDynamic } from '@angular/platform-browser-dynamic';
 
-import java.io.Serializable;
+import { AppModule } from './app/app.module';
+import { environment } from './environments/environment';
 
-/** Used to query whether requests are still running. */
-public interface RequestStatusChecker extends Serializable {
-
-  /**
-   * Returns the unique log identifier of the current request.
-   *
-   * <p>Multiple calls must return the same value during the same Request.
-   */
-  String getLogId();
-
-  /**
-   * Returns true if the given request is currently running.
-   */
-  boolean isRunning(String requestLogId);
+if (environment.production) {
+  enableProdMode();
 }
 
+platformBrowserDynamic().bootstrapModule(AppModule)
+  .catch(err => console.error(err));

console-webapp/src/polyfills.ts

@@ -0,0 +1,53 @@
+/**
+ * This file includes polyfills needed by Angular and is loaded before the app.
+ * You can add your own extra polyfills to this file.
+ *
+ * This file is divided into 2 sections:
+ *   1. Browser polyfills. These are applied before loading ZoneJS and are sorted by browsers.
+ *   2. Application imports. Files imported after ZoneJS that should be loaded before your main
+ *      file.
+ *
+ * The current setup is for so-called "evergreen" browsers; the last versions of browsers that
+ * automatically update themselves. This includes recent versions of Safari, Chrome (including
+ * Opera), Edge on the desktop, and iOS and Chrome on mobile.
+ *
+ * Learn more in https://angular.io/guide/browser-support
+ */
+
+/***************************************************************************************************
+ * BROWSER POLYFILLS
+ */
+
+/**
+ * By default, zone.js will patch all possible macroTask and DomEvents
+ * user can disable parts of macroTask/DomEvents patch by setting following flags
+ * because those flags need to be set before `zone.js` being loaded, and webpack
+ * will put import in the top of bundle, so user need to create a separate file
+ * in this directory (for example: zone-flags.ts), and put the following flags
+ * into that file, and then add the following code before importing zone.js.
+ * import './zone-flags';
+ *
+ * The flags allowed in zone-flags.ts are listed here.
+ *
+ * The following flags will work for all browsers.
+ *
+ * (window as any).__Zone_disable_requestAnimationFrame = true; // disable patch requestAnimationFrame
+ * (window as any).__Zone_disable_on_property = true; // disable patch onProperty such as onclick
+ * (window as any).__zone_symbol__UNPATCHED_EVENTS = ['scroll', 'mousemove']; // disable patch specified eventNames
+ *
+ *  in IE/Edge developer tools, the addEventListener will also be wrapped by zone.js
+ *  with the following flag, it will bypass `zone.js` patch for IE/Edge
+ *
+ *  (window as any).__Zone_enable_cross_context_check = true;
+ *
+ */
+
+/***************************************************************************************************
+ * Zone JS is required by default for Angular itself.
+ */
+import 'zone.js';  // Included with Angular CLI.
+
+
+/***************************************************************************************************
+ * APPLICATION IMPORTS
+ */

console-webapp/src/styles.less

@@ -0,0 +1,18 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+
+html, body { height: 100%; }
+body { margin: 0; font-family: Roboto, "Helvetica Neue", sans-serif; }

console-webapp/src/test.ts

@@ -0,0 +1,14 @@
+// This file is required by karma.conf.js and loads recursively all the .spec and framework files
+
+import 'zone.js/testing';
+import { getTestBed } from '@angular/core/testing';
+import {
+  BrowserDynamicTestingModule,
+  platformBrowserDynamicTesting
+} from '@angular/platform-browser-dynamic/testing';
+
+// First, initialize the Angular testing environment.
+getTestBed().initTestEnvironment(
+  BrowserDynamicTestingModule,
+  platformBrowserDynamicTesting(),
+);

console-webapp/tsconfig.app.json

@@ -0,0 +1,15 @@
+/* To learn more about this file see: https://angular.io/config/tsconfig. */
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./out-tsc/app",
+    "types": []
+  },
+  "files": [
+    "src/main.ts",
+    "src/polyfills.ts"
+  ],
+  "include": [
+    "src/**/*.d.ts"
+  ]
+}

console-webapp/tsconfig.json

@@ -0,0 +1,33 @@
+/* To learn more about this file see: https://angular.io/config/tsconfig. */
+{
+  "compileOnSave": false,
+  "compilerOptions": {
+    "baseUrl": "./",
+    "outDir": "./dist/out-tsc",
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "noImplicitOverride": true,
+    "noPropertyAccessFromIndexSignature": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "sourceMap": true,
+    "declaration": false,
+    "downlevelIteration": true,
+    "experimentalDecorators": true,
+    "moduleResolution": "node",
+    "importHelpers": true,
+    "target": "ES2022",
+    "module": "es2020",
+    "lib": [
+      "es2020",
+      "dom"
+    ],
+    "useDefineForClassFields": false
+  },
+  "angularCompilerOptions": {
+    "enableI18nLegacyMessageIdFormat": false,
+    "strictInjectionParameters": true,
+    "strictInputAccessModifiers": true,
+    "strictTemplates": true
+  }
+}

console-webapp/tsconfig.spec.json

@@ -0,0 +1,18 @@
+/* To learn more about this file see: https://angular.io/config/tsconfig. */
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./out-tsc/spec",
+    "types": [
+      "jasmine"
+    ]
+  },
+  "files": [
+    "src/test.ts",
+    "src/polyfills.ts"
+  ],
+  "include": [
+    "src/**/*.spec.ts",
+    "src/**/*.d.ts"
+  ]
+}

core/build.gradle

@@ -68,8 +68,6 @@ def dockerIncompatibleTestPatterns = [
 // Nomulus classes, e.g., threads and objects retained by frameworks.
 // TODO(weiminyu): identify cause and fix offending tests.
 def fragileTestPatterns = [
-    // Test Datastore inexplicably aborts transaction.
-    "google/registry/model/tmch/ClaimsListShardTest.*",
     // Changes cache timeouts and for some reason appears to have contention
     // with other tests.
     "google/registry/whois/WhoisCommandFactoryTest.*",
@@ -163,17 +161,11 @@ configurations {
 dependencies {
   def deps = rootProject.dependencyMap
 
-  // Custom-built objectify jar at commit ecd5165, included in Nomulus
-  // release.
-  implementation files(
-      "${rootDir}/third_party/objectify/v4_1/objectify-4.1.3.jar")
-
   testRuntimeOnly files(sourceSets.test.resources.srcDirs)
 
   implementation deps['com.beust:jcommander']
   implementation deps['com.github.ben-manes.caffeine:caffeine']
   implementation deps['com.google.api:gax']
-  implementation deps['com.google.api.grpc:proto-google-cloud-datastore-v1']
   implementation deps['com.google.api.grpc:proto-google-common-protos']
   implementation deps['com.google.api.grpc:proto-google-cloud-secretmanager-v1']
   implementation deps['com.google.api-client:google-api-client']
@@ -186,7 +178,6 @@ dependencies {
   implementation deps['com.google.apis:google-api-services-admin-directory']
   implementation deps['com.google.apis:google-api-services-appengine']
   implementation deps['com.google.apis:google-api-services-bigquery']
-  implementation deps['com.google.apis:google-api-services-cloudkms']
   implementation deps['com.google.apis:google-api-services-dataflow']
   implementation deps['com.google.apis:google-api-services-dns']
   implementation deps['com.google.apis:google-api-services-drive']
@@ -195,13 +186,9 @@ dependencies {
   implementation deps['com.google.apis:google-api-services-sheets']
   implementation deps['com.google.apis:google-api-services-storage']
   testImplementation deps['com.google.appengine:appengine-api-stubs']
-  implementation deps['com.google.appengine.tools:appengine-gcs-client']
-  implementation deps['com.google.appengine.tools:appengine-pipeline']
-  implementation deps['com.google.appengine:appengine-remote-api']
   implementation deps['com.google.auth:google-auth-library-credentials']
   implementation deps['com.google.auth:google-auth-library-oauth2-http']
   implementation deps['com.google.cloud.bigdataoss:util']
-  implementation deps['com.google.cloud.datastore:datastore-v1-proto-client']
   implementation deps['com.google.cloud.sql:jdbc-socket-factory-core']
   runtimeOnly deps['com.google.cloud.sql:postgres-socket-factory']
   implementation deps['com.google.cloud:google-cloud-secretmanager']
@@ -268,7 +255,7 @@ dependencies {
   testImplementation deps['org.apache.sshd:sshd-sftp']
   testImplementation deps['org.apache.tomcat:tomcat-annotations-api']
   implementation deps['org.bouncycastle:bcpg-jdk15on']
-  testImplementation deps['org.bouncycastle:bcpkix-jdk15on']
+  implementation deps['org.bouncycastle:bcpkix-jdk15on']
   implementation deps['org.bouncycastle:bcprov-jdk15on']
   testImplementation deps['com.fasterxml.jackson.core:jackson-databind']
   runtime deps['org.glassfish.jaxb:jaxb-runtime']
@@ -279,6 +266,8 @@ dependencies {
   implementation deps['org.jsoup:jsoup']
   testImplementation deps['org.mortbay.jetty:jetty']
   implementation deps['org.postgresql:postgresql']
+  implementation "org.eclipse.jetty:jetty-server:9.4.49.v20220914"
+  implementation "org.eclipse.jetty:jetty-servlet:9.4.49.v20220914"
   testImplementation deps['org.seleniumhq.selenium:selenium-api']
   testImplementation deps['org.seleniumhq.selenium:selenium-chrome-driver']
   testImplementation deps['org.seleniumhq.selenium:selenium-java']
@@ -704,9 +693,6 @@ createToolTask(
     'google.registry.tools.DevTool',
     sourceSets.nonprod)
 
-createToolTask(
-    'jpaDemoPipeline', 'google.registry.beam.common.JpaDemoPipeline')
-
 project.tasks.create('generateSqlSchema', JavaExec) {
   classpath = sourceSets.nonprod.runtimeClasspath
   main = 'google.registry.tools.DevTool'
@@ -758,9 +744,14 @@ if (environment == 'alpha') {
           ],
       invoicing          :
           [
-              mainClass: 'google.registry.beam.invoicing.InvoicingPipeline',
+              mainClass: 'google.registry.beam.billing.InvoicingPipeline',
               metaData : 'google/registry/beam/invoicing_pipeline_metadata.json'
           ],
+      expandBilling      :
+          [
+              mainClass: 'google.registry.beam.billing.ExpandBillingRecurrencesPipeline',
+              metaData : 'google/registry/beam/expand_billing_recurrences_pipeline_metadata.json'
+          ],
       rde                :
           [
               mainClass: 'google.registry.beam.rde.RdePipeline',
@@ -771,6 +762,11 @@ if (environment == 'alpha') {
               mainClass: 'google.registry.beam.resave.ResaveAllEppResourcesPipeline',
               metaData: 'google/registry/beam/resave_all_epp_resources_pipeline_metadata.json'
           ],
+      wipeOutContactHistoryPii:
+              [
+                      mainClass: 'google.registry.beam.wipeout.WipeOutContactHistoryPiiPipeline',
+                      metaData: 'google/registry/beam/wipe_out_contact_history_pii_pipeline_metadata.json'
+              ],
   ]
   project.tasks.create("stageBeamPipelines") {
     doLast {
@@ -1033,6 +1029,7 @@ test {
   // TODO(weiminyu): Remove dependency on sqlIntegrationTest
 }.dependsOn(fragileTest, outcastTest, standardTest, registryToolIntegrationTest, sqlIntegrationTest)
 
+
 // When we override tests, we also break the cleanTest command.
 cleanTest.dependsOn(cleanFragileTest, cleanOutcastTest, cleanStandardTest,
                     cleanRegistryToolIntegrationTest, cleanSqlIntegrationTest)

core/gradle.lockfile

@@ -8,26 +8,27 @@ args4j:args4j:2.0.26=css
 cglib:cglib-nodep:2.2=css
 com.101tec:zkclient:0.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.beust:jcommander:1.60=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-annotations:2.13.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-core:2.13.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-databind:2.13.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.datatype:jackson-datatype-joda:2.13.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson:jackson-bom:2.13.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-annotations:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-databind:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.dataformat:jackson-dataformat-toml:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.datatype:jackson-datatype-joda:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson:jackson-bom:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.fasterxml:classmate:1.5.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.ben-manes.caffeine:caffeine:2.7.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.github.ben-manes.caffeine:caffeine:2.9.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.docker-java:docker-java-api:3.2.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.docker-java:docker-java-transport-zerodep:3.2.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.docker-java:docker-java-transport:3.2.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.jnr:jffi:1.3.9=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.jnr:jffi:1.3.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.jnr:jnr-a64asm:1.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.jnr:jnr-constants:0.10.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.jnr:jnr-enxio:0.32.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.jnr:jnr-ffi:2.2.11=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.jnr:jnr-posix:3.1.15=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.jnr:jnr-unixsocket:0.38.17=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.jnr:jnr-constants:0.10.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.jnr:jnr-enxio:0.32.14=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.jnr:jnr-ffi:2.2.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.jnr:jnr-posix:3.1.16=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.jnr:jnr-unixsocket:0.38.19=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.jnr:jnr-x86asm:1.0.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.android:annotations:4.1.1.4=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
@@ -36,72 +37,71 @@ com.google.api-client:google-api-client-jackson2:1.32.2=compileClasspath,default
 com.google.api-client:google-api-client-java6:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client-servlet:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:2.12.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.136.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.136.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:1.27.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.6.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.98.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.5.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.23.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.23.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-v1:6.23.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.2.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-common-protos:2.8.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:2.12.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.136.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.136.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.6.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-v2:2.6.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-datastore-v1:0.93.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-firestore-v1:3.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-monitoring-v3:1.64.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsub-v1:1.98.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.5.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.3.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.3.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.23.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.23.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-v1:6.23.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.2.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.93.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.93.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.4.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:api-common:2.2.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-grpc:2.18.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:0.103.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax:2.18.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.103.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-common-protos:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-datastore-v1:0.103.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-firestore-v1:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-monitoring-v3:1.64.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api.grpc:proto-google-cloud-monitoring-v3:3.6.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsub-v1:1.103.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.99.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.99.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.13.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:api-common:2.5.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-httpjson:0.107.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-admin-directory:directory_v1-rev118-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-appengine:v1-rev20220612-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-bigquery:v2-rev20211129-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-clouddebugger:v2-rev20210813-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-cloudkms:v1-rev20220701-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-cloudresourcemanager:v1-rev20211017-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-dataflow:v1b3-rev20210818-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-appengine:v1-rev20230109-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-bigquery:v2-rev20220924-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-clouddebugger:v2-rev20220318-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-cloudresourcemanager:v1-rev20220828-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-dataflow:v1b3-rev20220920-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-dns:v2beta1-rev99-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-drive:v2-rev393-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-groupssettings:v1-rev20210624-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-healthcare:v1-rev20211016-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-groupssettings:v1-rev20210624-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-healthcare:v1-rev20220818-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-iamcredentials:v1-rev20210326-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-monitoring:v3-rev20220715-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-pubsub:v1-rev20211130-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-sheets:v4-rev20220620-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-sqladmin:v1beta4-rev20220623-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-storage:v1-rev20220705-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine.tools:appengine-gcs-client:0.8.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine.tools:appengine-pipeline:0.2.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.5=testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-monitoring:v3-rev20230123-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-sheets:v4-rev20221216-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-sqladmin:v1beta4-rev20230111-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-storage:v1-rev20220705-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.appengine:appengine-api-1.0-sdk:1.9.86=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+com.google.appengine:appengine-api-1.0-sdk:2.0.10=testCompileClasspath,testRuntimeClasspath
+com.google.appengine:appengine-api-stubs:2.0.10=testCompileClasspath,testRuntimeClasspath
 com.google.appengine:appengine-testing:1.9.86=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-credentials:1.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-oauth2-http:1.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-credentials:1.14.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-oauth2-http:1.14.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service:1.0.1=annotationProcessor
-com.google.auto.value:auto-value-annotations:1.9=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.value:auto-value:1.9=annotationProcessor,default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testRuntimeClasspath
+com.google.auto.value:auto-value-annotations:1.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.value:auto-value:1.10.1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.auto:auto-common:0.10=errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.auto:auto-common:1.2=annotationProcessor
 com.google.closure-stylesheets:closure-stylesheets:1.5.0=css
@@ -109,38 +109,40 @@ com.google.cloud.bigdataoss:gcsio:2.2.6=compileClasspath,default,deploy_jar,nonp
 com.google.cloud.bigdataoss:util:2.2.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.bigtable:bigtable-client-core:1.26.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.bigtable:bigtable-metrics-api:1.26.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.datastore:datastore-v1-proto-client:2.2.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:jdbc-socket-factory-core:1.6.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:postgres-socket-factory:1.6.2=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigquerystorage:2.12.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigtable:2.6.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-grpc:2.6.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-http:2.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-firestore:3.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-monitoring:1.82.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-nio:0.124.10=testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsub:1.116.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsublite:1.5.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-secretmanager:2.3.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-spanner:6.23.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-tasks:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:grpc-gcp:1.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.datastore:datastore-v1-proto-client:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:jdbc-socket-factory-core:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:postgres-socket-factory:1.9.0=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigquerystorage:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable-stats:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-firestore:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-monitoring:1.82.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.cloud:google-cloud-monitoring:3.6.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-nio:0.126.3=testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsub:1.121.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsublite:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-secretmanager:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-spanner:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.17.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-tasks:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:grpc-gcp:1.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.1=css
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntime,nonprodRuntimeClasspath,runtime,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.code.gson:gson:2.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.gson:gson:2.7=css,soy
-com.google.code.gson:gson:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.common.html.types:types:1.0.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
-com.google.dagger:dagger-compiler:2.43=annotationProcessor,testAnnotationProcessor
-com.google.dagger:dagger-producers:2.43=annotationProcessor,testAnnotationProcessor
-com.google.dagger:dagger-spi:2.43=annotationProcessor,testAnnotationProcessor
-com.google.dagger:dagger:2.43=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.dagger:dagger-compiler:2.44.2=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger-producers:2.44.2=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger-spi:2.44.2=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger:2.44.2=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.devtools.ksp:symbol-processing-api:1.7.0-1.0.6=annotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_annotation:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.14.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.errorprone:error_prone_annotations:2.3.4=checkstyle,errorprone,nonprodAnnotationProcessor,soy
 com.google.errorprone:error_prone_annotations:2.7.1=annotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_check_api:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
@@ -163,12 +165,12 @@ com.google.guava:guava:31.0.1-jre=annotationProcessor,testAnnotationProcessor
 com.google.guava:guava:31.1-jre=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.gwt:gwt-user:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-apache-v2:1.42.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-appengine:1.42.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-gson:1.42.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-jackson2:1.42.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-protobuf:1.41.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client:1.42.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-apache-v2:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-appengine:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-gson:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-jackson2:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-protobuf:1.41.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject.extensions:guice-multibindings:4.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:4.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:5.1.0=soy
@@ -187,31 +189,32 @@ com.google.oauth-client:google-oauth-client-java6:1.34.1=compileClasspath,defaul
 com.google.oauth-client:google-oauth-client-jetty:1.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.oauth-client:google-oauth-client-servlet:1.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.oauth-client:google-oauth-client:1.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.protobuf:protobuf-java-util:3.21.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java-util:3.21.12=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.protobuf:protobuf-java:2.5.0=css
-com.google.protobuf:protobuf-java:3.21.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java:3.21.12=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.protobuf:protobuf-java:3.4.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.protobuf:protobuf-java:4.0.0-rc-2=soy
-com.google.re2j:re2j:1.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.re2j:re2j:1.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.template:soy:2021-02-01=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
 com.google.truth.extensions:truth-java8-extension:1.1.3=testCompileClasspath,testRuntimeClasspath
 com.google.truth:truth:1.1.3=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.googlecode.java-diff-utils:diffutils:1.3.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.googlecode.json-simple:json-simple:1.1.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.ibm.icu:icu4j:57.1=compileClasspath,nonprodCompileClasspath,soy,testCompileClasspath
-com.ibm.icu:icu4j:71.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.ibm.icu:icu4j:72.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 com.jcraft:jsch:0.1.55=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.lmax:disruptor:3.4.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.puppycrawl.tools:checkstyle:8.37=checkstyle
 com.squareup.okhttp3:okhttp:3.11.0=testCompileClasspath,testRuntimeClasspath
 com.squareup.okio:okio:1.14.0=testCompileClasspath,testRuntimeClasspath
 com.squareup:javapoet:1.13.0=annotationProcessor,testAnnotationProcessor
+com.squareup:kotlinpoet:1.11.0=annotationProcessor,testAnnotationProcessor
 com.sun.activation:jakarta.activation:1.2.2=jaxb
 com.sun.activation:javax.activation:1.2.0=jaxb
 com.sun.istack:istack-commons-runtime:3.0.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.sun.istack:istack-commons-runtime:4.1.1=nonprodRuntime,runtime
 com.sun.xml.bind:jaxb-impl:2.3.3=jaxb
-com.sun.xml.bind:jaxb-osgi:4.0.0=jaxb
+com.sun.xml.bind:jaxb-osgi:4.0.1=jaxb
 com.sun.xml.bind:jaxb-xjc:2.3.3=jaxb
 com.sun.xml.fastinfoset:FastInfoset:1.2.15=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.thoughtworks.paranamer:paranamer:2.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -221,7 +224,7 @@ commons-beanutils:commons-beanutils:1.9.4=checkstyle
 commons-codec:commons-codec:1.15=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-collections:commons-collections:3.2.2=checkstyle
 commons-logging:commons-logging:1.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-dnsjava:dnsjava:3.5.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+dnsjava:dnsjava:3.5.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 guru.nidi.com.eclipsesource.j2v8:j2v8_linux_x86_64:4.6.0=nonprodRuntime,runtime,testRuntimeClasspath
 guru.nidi.com.eclipsesource.j2v8:j2v8_macosx_x86_64:4.6.0=nonprodRuntime,runtime,testRuntimeClasspath
 guru.nidi.com.eclipsesource.j2v8:j2v8_win32_x86:4.6.0=nonprodRuntime,runtime,testRuntimeClasspath
@@ -237,44 +240,41 @@ io.confluent:kafka-schema-registry-client:5.3.2=compileClasspath,default,deploy_
 io.dropwizard.metrics:metrics-core:3.1.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.classgraph:classgraph:4.8.104=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.java-diff-utils:java-diff-utils:4.12=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-alts:1.45.1=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-alts:1.47.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-api:1.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.45.1=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-auth:1.47.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-census:1.45.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-context:1.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.45.1=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-core:1.47.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-googleapis:1.47.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-grpclb:1.45.1=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-grpclb:1.47.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-netty-shaded:1.45.1=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-netty-shaded:1.47.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-netty:1.45.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf-lite:1.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-services:1.45.1=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-services:1.47.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-stub:1.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-xds:1.45.1=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-xds:1.47.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-buffer:4.1.72.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-http2:4.1.72.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-http:4.1.72.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-socks:4.1.72.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-codec:4.1.72.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-common:4.1.72.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-handler-proxy:4.1.72.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-handler:4.1.72.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-resolver:4.1.72.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-tcnative-boringssl-static:2.0.46.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-tcnative-classes:2.0.46.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-transport:4.1.72.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-alts:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-census:1.50.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-googleapis:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-grpclb:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty:1.50.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-rls:1.50.2=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-services:1.50.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+io.grpc:grpc-services:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-stub:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-xds:1.50.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+io.grpc:grpc-xds:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.netty:netty-buffer:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-http2:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-http:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-socks:4.1.79.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.netty:netty-codec:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-common:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-handler-proxy:4.1.79.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.netty:netty-handler:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-resolver:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-tcnative-boringssl-static:2.0.52.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-tcnative-classes:2.0.52.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-transport-native-unix-common:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-transport:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-exemplar-util:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-grpc-metrics:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.opencensus:opencensus-contrib-grpc-util:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.opencensus:opencensus-contrib-grpc-util:0.31.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-http-util:0.31.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-resource-util:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-exporter-metrics-util:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -282,7 +282,7 @@ io.opencensus:opencensus-exporter-stats-stackdriver:0.31.0=compileClasspath,defa
 io.opencensus:opencensus-impl-core:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-impl:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-proto:0.2.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.perfmark:perfmark-api:0.25.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.perfmark:perfmark-api:0.26.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 jakarta.activation:jakarta.activation-api:2.1.0=jaxb,nonprodRuntime,runtime
 jakarta.xml.bind:jakarta.xml.bind-api:4.0.0=jaxb,nonprodRuntime,runtime
 javacc:javacc:4.1=css
@@ -302,9 +302,9 @@ jline:jline:1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonp
 joda-time:joda-time:2.10.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=default,nonprodCompileClasspath,nonprodRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.arnx:nashorn-promise:0.1.1=nonprodRuntime,runtime,testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.12.10=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy:1.12.10=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy:1.12.9=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+net.bytebuddy:byte-buddy-agent:1.12.22=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.12.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+net.bytebuddy:byte-buddy:1.12.22=testCompileClasspath,testRuntimeClasspath
 net.java.dev.javacc:javacc:4.1=css
 net.java.dev.jna:jna:5.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.ltgt.gradle.incap:incap:0.2=annotationProcessor,testAnnotationProcessor
@@ -314,40 +314,38 @@ org.apache.arrow:arrow-format:5.0.0=compileClasspath,default,deploy_jar,nonprodC
 org.apache.arrow:arrow-memory-core:5.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.arrow:arrow-vector:5.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.avro:avro:1.8.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-fn-execution:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-job-management:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-pipeline:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-construction-java:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-java:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-direct-java:2.40.0=testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-google-cloud-dataflow-java:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-java-fn-execution:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-core:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-expansion-service:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-arrow:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-protobuf:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-fn-execution:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-kafka:2.40.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-vendor-bytebuddy-1_11_0:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-vendor-grpc-1_43_2:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-job-management:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-pipeline:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-construction-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-direct-java:2.44.0=testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-google-cloud-dataflow-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-java-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-core:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-expansion-service:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-arrow:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-protobuf:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-kafka:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-vendor-grpc-1_48_1:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-compress:1.21=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-compress:1.22=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-csv:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-exec:1.3=nonprodRuntime,runtime,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-lang3:3.11=testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-lang3:3.12.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-org.apache.commons:commons-text:1.9=testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-lang3:3.12.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-text:1.10.0=testCompileClasspath,testRuntimeClasspath
 org.apache.ftpserver:ftplet-api:1.2.0=testCompileClasspath,testRuntimeClasspath
 org.apache.ftpserver:ftpserver-core:1.2.0=testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents:httpclient:4.5.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents:httpcore:4.4.15=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents:httpcore:4.4.16=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.mina:mina-core:2.1.6=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-core:2.0.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-scp:2.0.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-sftp:2.0.0=testCompileClasspath,testRuntimeClasspath
-org.apache.tomcat:tomcat-annotations-api:10.1.0-M17=testCompileClasspath,testRuntimeClasspath
+org.apache.tomcat:tomcat-annotations-api:11.0.0-M1=testCompileClasspath,testRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
 org.bouncycastle:bcpg-jdk15on:1.67=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.bouncycastle:bcpkix-jdk15on:1.67=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -357,23 +355,30 @@ org.checkerframework:checker-compat-qual:2.5.5=annotationProcessor,compileClassp
 org.checkerframework:checker-qual:2.11.1=checkstyle
 org.checkerframework:checker-qual:3.0.0=errorprone,nonprodAnnotationProcessor
 org.checkerframework:checker-qual:3.12.0=annotationProcessor,testAnnotationProcessor
-org.checkerframework:checker-qual:3.22.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.29.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.checkerframework:checker-qual:3.5.0=nonprodRuntime,runtime,soy
 org.checkerframework:dataflow:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.checkerframework:javacutil:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.codehaus.jackson:jackson-core-asl:1.9.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.codehaus.jackson:jackson-mapper-asl:1.9.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.codehaus.mojo:animal-sniffer-annotations:1.17=errorprone,nonprodAnnotationProcessor
-org.codehaus.mojo:animal-sniffer-annotations:1.21=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-org.conscrypt:conscrypt-openjdk-uber:2.5.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.codehaus.mojo:animal-sniffer-annotations:1.22=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+org.conscrypt:conscrypt-openjdk-uber:2.5.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.easymock:easymock:3.0=css
 org.eclipse.angus:angus-activation:1.0.0=nonprodRuntime,runtime
-org.flywaydb:flyway-core:9.0.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:jaxb-core:4.0.0=nonprodRuntime,runtime
+org.eclipse.jetty:jetty-http:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-io:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-security:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-server:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-servlet:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-util-ajax:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-util:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.flywaydb:flyway-core:9.12.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.glassfish.jaxb:jaxb-core:4.0.1=nonprodRuntime,runtime
 org.glassfish.jaxb:jaxb-runtime:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:jaxb-runtime:4.0.0=nonprodRuntime,runtime
+org.glassfish.jaxb:jaxb-runtime:4.0.1=nonprodRuntime,runtime
 org.glassfish.jaxb:txw2:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:txw2:4.0.0=nonprodRuntime,runtime
+org.glassfish.jaxb:txw2:4.0.1=nonprodRuntime,runtime
 org.gwtproject:gwt-user:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.hamcrest:hamcrest-core:1.1=css
 org.hamcrest:hamcrest-core:1.3=default,nonprodCompileClasspath,nonprodRuntimeClasspath
@@ -382,67 +387,68 @@ org.hamcrest:hamcrest-library:2.2=testCompileClasspath,testRuntimeClasspath
 org.hamcrest:hamcrest:2.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
 org.hamcrest:hamcrest:2.2=testCompileClasspath,testRuntimeClasspath
 org.hibernate.common:hibernate-commons-annotations:5.1.2.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.hibernate:hibernate-core:5.6.10.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.hibernate:hibernate-hikaricp:5.6.10.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.jacoco:org.jacoco.agent:0.8.6=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.6=jacocoAnt
+org.hibernate:hibernate-core:5.6.14.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.hibernate:hibernate-hikaricp:5.6.14.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
 org.jboss.logging:jboss-logging:3.4.3.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:1.1.1.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jboss:jandex:2.4.2.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.jetbrains.kotlin:kotlin-reflect:1.6.10=annotationProcessor,testAnnotationProcessor
 org.jetbrains.kotlin:kotlin-stdlib-common:1.7.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.7.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.7.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains.kotlin:kotlin-stdlib:1.7.0=annotationProcessor,testAnnotationProcessor
-org.jetbrains.kotlinx:kotlinx-metadata-jvm:0.4.2=annotationProcessor,testAnnotationProcessor
+org.jetbrains.kotlinx:kotlinx-metadata-jvm:0.5.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains:annotations:13.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains:annotations:17.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.joda:joda-money:1.0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.joda:joda-money:1.0.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.json:json:20160212=soy
 org.json:json:20200518=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.jsoup:jsoup:1.15.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.junit-pioneer:junit-pioneer:1.7.1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-api:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-migrationsupport:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-params:5.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-launcher:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-runner:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-suite-api:1.9.0=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-suite-commons:1.9.0=testRuntimeClasspath
-org.junit:junit-bom:5.9.0=testCompileClasspath,testRuntimeClasspath
+org.jsoup:jsoup:1.15.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.junit-pioneer:junit-pioneer:2.0.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-migrationsupport:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-params:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-launcher:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-runner:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-suite-api:1.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-suite-commons:1.9.2=testRuntimeClasspath
+org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
 org.jvnet.staxex:stax-ex:1.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.mockito:mockito-core:1.10.19=css
-org.mockito:mockito-core:4.6.1=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-junit-jupiter:4.6.1=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.0.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-junit-jupiter:5.0.0=testCompileClasspath,testRuntimeClasspath
 org.mortbay.jetty:jetty-util:6.1.26=testCompileClasspath,testRuntimeClasspath
 org.mortbay.jetty:jetty:6.1.26=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:2.1=css
-org.objenesis:objenesis:3.2=testRuntimeClasspath
+org.objenesis:objenesis:3.3=testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:7.0=soy
-org.ow2.asm:asm-analysis:8.0.1=jacocoAnt
-org.ow2.asm:asm-analysis:9.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm-analysis:9.1=jacocoAnt
+org.ow2.asm:asm-analysis:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-commons:7.0=soy
-org.ow2.asm:asm-commons:8.0.1=jacocoAnt
+org.ow2.asm:asm-commons:9.1=jacocoAnt
 org.ow2.asm:asm-commons:9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-tree:7.0=soy
-org.ow2.asm:asm-tree:8.0.1=jacocoAnt
-org.ow2.asm:asm-tree:9.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm-tree:9.1=jacocoAnt
+org.ow2.asm:asm-tree:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-util:7.0=soy
-org.ow2.asm:asm-util:9.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm-util:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm:7.0=soy
-org.ow2.asm:asm:8.0.1=jacocoAnt
-org.ow2.asm:asm:9.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm:9.1=jacocoAnt
+org.ow2.asm:asm:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.pcollections:pcollections:2.1.2=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.plumelib:require-javadoc:0.1.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-org.postgresql:postgresql:42.4.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntime,nonprodRuntimeClasspath,runtime,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.postgresql:postgresql:42.5.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntime,nonprodRuntimeClasspath,runtime,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.reflections:reflections:0.9.12=checkstyle
 org.rnorth.duct-tape:duct-tape:1.0.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.seleniumhq.selenium:selenium-api:3.141.59=testCompileClasspath,testRuntimeClasspath
@@ -459,23 +465,23 @@ org.slf4j:jcl-over-slf4j:1.7.30=nonprodRuntime,runtime,testRuntimeClasspath
 org.slf4j:jul-to-slf4j:1.7.30=nonprodRuntime,runtime,testRuntimeClasspath
 org.slf4j:slf4j-api:1.7.30=nonprodRuntime,runtime
 org.slf4j:slf4j-api:1.7.36=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,testCompileClasspath
-org.slf4j:slf4j-api:2.0.0-alpha7=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
-org.slf4j:slf4j-jdk14:2.0.0-alpha7=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
+org.slf4j:slf4j-api:2.0.6=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
+org.slf4j:slf4j-jdk14:2.0.6=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
 org.springframework:spring-core:5.3.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.springframework:spring-expression:5.3.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.springframework:spring-jcl:5.3.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:database-commons:1.17.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:jdbc:1.17.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:junit-jupiter:1.17.3=testCompileClasspath,testRuntimeClasspath
-org.testcontainers:postgresql:1.17.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:selenium:1.17.3=testCompileClasspath,testRuntimeClasspath
-org.testcontainers:testcontainers:1.17.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.threeten:threetenbp:1.6.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:database-commons:1.17.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:jdbc:1.17.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:junit-jupiter:1.17.6=testCompileClasspath,testRuntimeClasspath
+org.testcontainers:postgresql:1.17.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:selenium:1.17.6=testCompileClasspath,testRuntimeClasspath
+org.testcontainers:testcontainers:1.17.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.threeten:threetenbp:1.6.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.tukaani:xz:1.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.w3c.css:sac:1.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.webjars.npm:viz.js-graphviz-java:2.1.3=nonprodRuntime,runtime,testRuntimeClasspath
 org.xerial.snappy:snappy-java:1.1.8.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.yaml:snakeyaml:1.30=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.yaml:snakeyaml:1.33=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 us.fatehi:schemacrawler-api:16.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 us.fatehi:schemacrawler-diagram:16.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 us.fatehi:schemacrawler-tools:16.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

core/src/main/java/google/registry/batch/AsyncTaskEnqueuer.java

@@ -17,25 +17,15 @@ package google.registry.batch;
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.util.DateTimeUtils.isBeforeOrAt;
 
-import com.google.appengine.api.taskqueue.Queue;
-import com.google.appengine.api.taskqueue.TaskOptions;
-import com.google.appengine.api.taskqueue.TaskOptions.Method;
-import com.google.appengine.api.taskqueue.TransientFailureException;
 import com.google.common.base.Joiner;
 import com.google.common.collect.ArrayListMultimap;
 import com.google.common.collect.ImmutableSortedSet;
 import com.google.common.collect.Multimap;
 import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryConfig.Config;
 import google.registry.model.EppResource;
-import google.registry.model.eppcommon.Trid;
-import google.registry.model.host.Host;
 import google.registry.persistence.VKey;
 import google.registry.request.Action.Service;
-import google.registry.util.CloudTasksUtils;
-import google.registry.util.Retrier;
 import javax.inject.Inject;
-import javax.inject.Named;
 import org.joda.time.DateTime;
 import org.joda.time.Duration;
 
@@ -44,45 +34,25 @@ public final class AsyncTaskEnqueuer {
 
   /** The HTTP parameter names used by async flows. */
   public static final String PARAM_RESOURCE_KEY = "resourceKey";
-  public static final String PARAM_REQUESTING_CLIENT_ID = "requestingClientId";
-  public static final String PARAM_CLIENT_TRANSACTION_ID = "clientTransactionId";
-  public static final String PARAM_SERVER_TRANSACTION_ID = "serverTransactionId";
-  public static final String PARAM_IS_SUPERUSER = "isSuperuser";
-  public static final String PARAM_HOST_KEY = "hostKey";
   public static final String PARAM_REQUESTED_TIME = "requestedTime";
   public static final String PARAM_RESAVE_TIMES = "resaveTimes";
 
   /** The task queue names used by async flows. */
   public static final String QUEUE_ASYNC_ACTIONS = "async-actions";
-  public static final String QUEUE_ASYNC_DELETE = "async-delete-pull";
-  public static final String QUEUE_ASYNC_HOST_RENAME = "async-host-rename-pull";
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
   private static final Duration MAX_ASYNC_ETA = Duration.standardDays(30);
 
-  private final Duration asyncDeleteDelay;
-  private final Queue asyncDeletePullQueue;
-  private final Queue asyncDnsRefreshPullQueue;
-  private final Retrier retrier;
-
-  private CloudTasksUtils cloudTasksUtils;
+  private final CloudTasksUtils cloudTasksUtils;
 
   @Inject
-  public AsyncTaskEnqueuer(
-      @Named(QUEUE_ASYNC_DELETE) Queue asyncDeletePullQueue,
-      @Named(QUEUE_ASYNC_HOST_RENAME) Queue asyncDnsRefreshPullQueue,
-      @Config("asyncDeleteDelay") Duration asyncDeleteDelay,
-      CloudTasksUtils cloudTasksUtils,
-      Retrier retrier) {
-    this.asyncDeletePullQueue = asyncDeletePullQueue;
-    this.asyncDnsRefreshPullQueue = asyncDnsRefreshPullQueue;
-    this.asyncDeleteDelay = asyncDeleteDelay;
+  public AsyncTaskEnqueuer(CloudTasksUtils cloudTasksUtils) {
     this.cloudTasksUtils = cloudTasksUtils;
-    this.retrier = retrier;
   }
 
   /** Enqueues a task to asynchronously re-save an entity at some point in the future. */
-  public void enqueueAsyncResave(VKey<?> entityToResave, DateTime now, DateTime whenToResave) {
+  public void enqueueAsyncResave(
+      VKey<? extends EppResource> entityToResave, DateTime now, DateTime whenToResave) {
     enqueueAsyncResave(entityToResave, now, ImmutableSortedSet.of(whenToResave));
   }
 
@@ -93,7 +63,9 @@ public final class AsyncTaskEnqueuer {
    * itself to run at the next time if there are remaining re-saves scheduled.
    */
   public void enqueueAsyncResave(
-      VKey<?> entityKey, DateTime now, ImmutableSortedSet<DateTime> whenToResave) {
+      VKey<? extends EppResource> entityKey,
+      DateTime now,
+      ImmutableSortedSet<DateTime> whenToResave) {
     DateTime firstResave = whenToResave.first();
     checkArgument(isBeforeOrAt(now, firstResave), "Can't enqueue a resave to run in the past");
     Duration etaDuration = new Duration(now, firstResave);
@@ -113,48 +85,6 @@ public final class AsyncTaskEnqueuer {
     cloudTasksUtils.enqueue(
         QUEUE_ASYNC_ACTIONS,
         cloudTasksUtils.createPostTaskWithDelay(
-            ResaveEntityAction.PATH, Service.BACKEND.toString(), params, etaDuration));
-  }
-
-  /** Enqueues a task to asynchronously delete a contact or host, by key. */
-  public void enqueueAsyncDelete(
-      EppResource resourceToDelete,
-      DateTime now,
-      String requestingRegistrarId,
-      Trid trid,
-      boolean isSuperuser) {
-    logger.atInfo().log(
-        "Enqueuing async deletion of %s on behalf of registrar %s.",
-        resourceToDelete.getRepoId(), requestingRegistrarId);
-    TaskOptions task =
-        TaskOptions.Builder.withMethod(Method.PULL)
-            .countdownMillis(asyncDeleteDelay.getMillis())
-            .param(PARAM_RESOURCE_KEY, resourceToDelete.createVKey().stringify())
-            .param(PARAM_REQUESTING_CLIENT_ID, requestingRegistrarId)
-            .param(PARAM_SERVER_TRANSACTION_ID, trid.getServerTransactionId())
-            .param(PARAM_IS_SUPERUSER, Boolean.toString(isSuperuser))
-            .param(PARAM_REQUESTED_TIME, now.toString());
-    trid.getClientTransactionId()
-        .ifPresent(clTrid -> task.param(PARAM_CLIENT_TRANSACTION_ID, clTrid));
-    addTaskToQueueWithRetry(asyncDeletePullQueue, task);
-  }
-
-  /** Enqueues a task to asynchronously refresh DNS for a renamed host. */
-  public void enqueueAsyncDnsRefresh(Host host, DateTime now) {
-    VKey<Host> hostKey = host.createVKey();
-    logger.atInfo().log("Enqueuing async DNS refresh for renamed host %s.", hostKey);
-    addTaskToQueueWithRetry(
-        asyncDnsRefreshPullQueue,
-        TaskOptions.Builder.withMethod(Method.PULL)
-            .param(PARAM_HOST_KEY, hostKey.stringify())
-            .param(PARAM_REQUESTED_TIME, now.toString()));
-  }
-
-  /**
-   * Adds a task to a queue with retrying, to avoid aborting the entire flow over a transient issue
-   * enqueuing a task.
-   */
-  private void addTaskToQueueWithRetry(final Queue queue, final TaskOptions task) {
-    retrier.callWithRetry(() -> queue.add(task), TransientFailureException.class);
+            ResaveEntityAction.PATH, Service.BACKEND, params, etaDuration));
   }
 }

core/src/main/java/google/registry/batch/AsyncTaskMetrics.java

@@ -1,165 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.batch;
-
-import static com.google.appengine.api.taskqueue.QueueConstants.maxLeaseCount;
-import static com.google.monitoring.metrics.EventMetric.DEFAULT_FITTER;
-import static google.registry.batch.AsyncTaskMetrics.OperationType.CONTACT_AND_HOST_DELETE;
-import static google.registry.batch.AsyncTaskMetrics.OperationType.DNS_REFRESH;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.flogger.FluentLogger;
-import com.google.monitoring.metrics.DistributionFitter;
-import com.google.monitoring.metrics.EventMetric;
-import com.google.monitoring.metrics.FibonacciFitter;
-import com.google.monitoring.metrics.IncrementableMetric;
-import com.google.monitoring.metrics.LabelDescriptor;
-import com.google.monitoring.metrics.MetricRegistryImpl;
-import google.registry.util.Clock;
-import javax.inject.Inject;
-import org.joda.time.DateTime;
-import org.joda.time.Duration;
-
-/**
- * Instrumentation for async flows (contact/host deletion and DNS refreshes).
- *
- * @see AsyncTaskEnqueuer
- */
-public class AsyncTaskMetrics {
-
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  private final Clock clock;
-
-  @Inject
-  public AsyncTaskMetrics(Clock clock) {
-    this.clock = clock;
-  }
-
-  /**
-   * A Fibonacci fitter used for bucketing the batch count.
-   *
-   * <p>We use a Fibonacci filter because it provides better resolution at the low end than an
-   * exponential fitter, which is important because most batch sizes are likely to be very low,
-   * despite going up to 1,000 on the high end. Also, the precision is better, as batch size is
-   * inherently an integer, whereas an exponential fitter with an exponent base less than 2 would
-   * have unintuitive boundaries.
-   */
-  private static final DistributionFitter FITTER_BATCH_SIZE =
-      FibonacciFitter.create(maxLeaseCount());
-
-  private static final ImmutableSet<LabelDescriptor> LABEL_DESCRIPTORS =
-      ImmutableSet.of(
-          LabelDescriptor.create("operation_type", "The type of async flow operation."),
-          LabelDescriptor.create("result", "The result of the async flow operation."));
-
-  @VisibleForTesting
-  static final IncrementableMetric asyncFlowOperationCounts =
-      MetricRegistryImpl.getDefault()
-          .newIncrementableMetric(
-              "/async_flows/operations",
-              "Count of Async Flow Operations",
-              "count",
-              LABEL_DESCRIPTORS);
-
-  @VisibleForTesting
-  static final EventMetric asyncFlowOperationProcessingTime =
-      MetricRegistryImpl.getDefault()
-          .newEventMetric(
-              "/async_flows/processing_time",
-              "Async Flow Processing Time",
-              "milliseconds",
-              LABEL_DESCRIPTORS,
-              DEFAULT_FITTER);
-
-  @VisibleForTesting
-  static final EventMetric asyncFlowBatchSize =
-      MetricRegistryImpl.getDefault()
-          .newEventMetric(
-              "/async_flows/batch_size",
-              "Async Operation Batch Size",
-              "batch size",
-              ImmutableSet.of(
-                  LabelDescriptor.create("operation_type", "The type of async flow operation.")),
-              FITTER_BATCH_SIZE);
-
-  /** The type of asynchronous operation. */
-  public enum OperationType {
-    CONTACT_DELETE("contactDelete"),
-    HOST_DELETE("hostDelete"),
-    CONTACT_AND_HOST_DELETE("contactAndHostDelete"),
-    DNS_REFRESH("dnsRefresh");
-
-    private final String metricLabelValue;
-
-    OperationType(String metricLabelValue) {
-      this.metricLabelValue = metricLabelValue;
-    }
-
-    String getMetricLabelValue() {
-      return metricLabelValue;
-    }
-  }
-
-  /** The result of an asynchronous operation. */
-  public enum OperationResult {
-    /** The operation processed correctly and the result was success. */
-    SUCCESS("success"),
-
-    /** The operation processed correctly and the result was failure. */
-    FAILURE("failure"),
-
-    /** The operation did not process correctly due to some unexpected error. */
-    ERROR("error"),
-
-    /** The operation was skipped because the request is now stale. */
-    STALE("stale");
-
-    private final String metricLabelValue;
-
-    OperationResult(String metricLabelValue) {
-      this.metricLabelValue = metricLabelValue;
-    }
-
-    String getMetricLabelValue() {
-      return metricLabelValue;
-    }
-  }
-
-  public void recordAsyncFlowResult(
-      OperationType operationType, OperationResult operationResult, DateTime whenEnqueued) {
-    asyncFlowOperationCounts.increment(
-        operationType.getMetricLabelValue(), operationResult.getMetricLabelValue());
-    long processingMillis = new Duration(whenEnqueued, clock.nowUtc()).getMillis();
-    asyncFlowOperationProcessingTime.record(
-        processingMillis,
-        operationType.getMetricLabelValue(),
-        operationResult.getMetricLabelValue());
-    logger.atInfo().log(
-        "Asynchronous %s operation took %d ms to process, yielding result: %s.",
-        operationType.getMetricLabelValue(),
-        processingMillis,
-        operationResult.getMetricLabelValue());
-  }
-
-  public void recordContactHostDeletionBatchSize(long batchSize) {
-    asyncFlowBatchSize.record(batchSize, CONTACT_AND_HOST_DELETE.getMetricLabelValue());
-  }
-
-  public void recordDnsRefreshBatchSize(long batchSize) {
-    asyncFlowBatchSize.record(batchSize, DNS_REFRESH.getMetricLabelValue());
-  }
-}

core/src/main/java/google/registry/batch/BatchModule.java

@@ -14,13 +14,9 @@
 
 package google.registry.batch;
 
-import static com.google.appengine.api.taskqueue.QueueFactory.getQueue;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_REQUESTED_TIME;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESAVE_TIMES;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESOURCE_KEY;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_ACTIONS;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_DELETE;
-import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_HOST_RENAME;
 import static google.registry.request.RequestParameters.extractBooleanParameter;
 import static google.registry.request.RequestParameters.extractIntParameter;
 import static google.registry.request.RequestParameters.extractLongParameter;
@@ -32,13 +28,11 @@ import static google.registry.request.RequestParameters.extractRequiredDatetimeP
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 import static google.registry.request.RequestParameters.extractSetOfDatetimeParameters;
 
-import com.google.appengine.api.taskqueue.Queue;
 import com.google.common.collect.ImmutableSet;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.request.Parameter;
 import java.util.Optional;
-import javax.inject.Named;
 import javax.servlet.http.HttpServletRequest;
 import org.joda.time.DateTime;
 
@@ -110,10 +104,27 @@ public class BatchModule {
   }
 
   @Provides
-  @Parameter(ExpandRecurringBillingEventsAction.PARAM_CURSOR_TIME)
-  static Optional<DateTime> provideCursorTime(HttpServletRequest req) {
-    return extractOptionalDatetimeParameter(
-        req, ExpandRecurringBillingEventsAction.PARAM_CURSOR_TIME);
+  @Parameter(ExpandBillingRecurrencesAction.PARAM_START_TIME)
+  static Optional<DateTime> provideStartTime(HttpServletRequest req) {
+    return extractOptionalDatetimeParameter(req, ExpandBillingRecurrencesAction.PARAM_START_TIME);
+  }
+
+  @Provides
+  @Parameter(ExpandBillingRecurrencesAction.PARAM_END_TIME)
+  static Optional<DateTime> provideEndTime(HttpServletRequest req) {
+    return extractOptionalDatetimeParameter(req, ExpandBillingRecurrencesAction.PARAM_END_TIME);
+  }
+
+  @Provides
+  @Parameter(WipeOutContactHistoryPiiAction.PARAM_CUTOFF_TIME)
+  static Optional<DateTime> provideCutoffTime(HttpServletRequest req) {
+    return extractOptionalDatetimeParameter(req, WipeOutContactHistoryPiiAction.PARAM_CUTOFF_TIME);
+  }
+
+  @Provides
+  @Parameter(ExpandBillingRecurrencesAction.PARAM_ADVANCE_CURSOR)
+  static boolean provideAdvanceCursor(HttpServletRequest req) {
+    return extractBooleanParameter(req, ExpandBillingRecurrencesAction.PARAM_ADVANCE_CURSOR);
   }
 
   @Provides
@@ -127,22 +138,4 @@ public class BatchModule {
   static boolean provideIsDryRun(HttpServletRequest req) {
     return extractBooleanParameter(req, PARAM_DRY_RUN);
   }
-
-  @Provides
-  @Named(QUEUE_ASYNC_ACTIONS)
-  static Queue provideAsyncActionsPushQueue() {
-    return getQueue(QUEUE_ASYNC_ACTIONS);
-  }
-
-  @Provides
-  @Named(QUEUE_ASYNC_DELETE)
-  static Queue provideAsyncDeletePullQueue() {
-    return getQueue(QUEUE_ASYNC_DELETE);
-  }
-
-  @Provides
-  @Named(QUEUE_ASYNC_HOST_RENAME)
-  static Queue provideAsyncHostRenamePullQueue() {
-    return getQueue(QUEUE_ASYNC_HOST_RENAME);
-  }
 }

core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java

@@ -0,0 +1,61 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.batch;
+
+import static google.registry.request.Action.Method.POST;
+
+import com.google.common.flogger.FluentLogger;
+import google.registry.batch.cannedscript.CannedScripts;
+import google.registry.request.Action;
+import google.registry.request.auth.Auth;
+import javax.inject.Inject;
+
+/**
+ * Action that executes a canned script specified by the caller.
+ *
+ * <p>This class is introduced to help the safe rollout of credential changes. The delegated
+ * credentials in particular, benefit from this: they require manual configuration of the peer
+ * system in each environment, and may wait hours or even days after deployment until triggered by
+ * user activities.
+ *
+ * <p>This action can be invoked using the Nomulus CLI command: {@code nomulus -e ${env} curl
+ * --service BACKEND -X POST -u '/_dr/task/executeCannedScript?script=${script_name}'}
+ */
+// TODO(b/277239043): remove class after credential changes are rolled out.
+@Action(
+    service = Action.Service.BACKEND,
+    path = "/_dr/task/executeCannedScript",
+    method = POST,
+    automaticallyPrintOk = true,
+    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+public class CannedScriptExecutionAction implements Runnable {
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  @Inject
+  CannedScriptExecutionAction() {
+    logger.atInfo().log("Received request to run scripts.");
+  }
+
+  @Override
+  public void run() {
+    try {
+      CannedScripts.runAllChecks();
+      logger.atInfo().log("Finished running scripts.");
+    } catch (Throwable t) {
+      logger.atWarning().withCause(t).log("Error executing scripts.");
+      throw new RuntimeException("Execution failed.");
+    }
+  }
+}

core/src/main/java/google/registry/batch/CheckPackagesComplianceAction.java

@@ -0,0 +1,226 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package google.registry.batch;
+
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.DateTimeUtils.END_OF_TIME;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.Iterables;
+import com.google.common.flogger.FluentLogger;
+import com.google.common.primitives.Ints;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.model.domain.token.AllocationToken;
+import google.registry.model.domain.token.PackagePromotion;
+import google.registry.model.registrar.Registrar;
+import google.registry.request.Action;
+import google.registry.request.Action.Service;
+import google.registry.request.auth.Auth;
+import google.registry.ui.server.SendEmailUtils;
+import google.registry.util.Clock;
+import java.util.Optional;
+import javax.inject.Inject;
+import org.joda.time.Days;
+
+/**
+ * An action that checks all {@link PackagePromotion} objects for compliance with their max create
+ * limit.
+ */
+@Action(
+    service = Service.BACKEND,
+    path = CheckPackagesComplianceAction.PATH,
+    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+public class CheckPackagesComplianceAction implements Runnable {
+
+  public static final String PATH = "/_dr/task/checkPackagesCompliance";
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+  private final SendEmailUtils sendEmailUtils;
+  private final Clock clock;
+  private final String packageCreateLimitEmailSubject;
+  private final String packageDomainLimitWarningEmailSubject;
+  private final String packageDomainLimitUpgradeEmailSubject;
+  private final String packageCreateLimitEmailBody;
+  private final String packageDomainLimitWarningEmailBody;
+  private final String packageDomainLimitUpgradeEmailBody;
+  private final String registrySupportEmail;
+  private static final int THIRTY_DAYS = 30;
+  private static final int FORTY_DAYS = 40;
+
+  @Inject
+  public CheckPackagesComplianceAction(
+      SendEmailUtils sendEmailUtils,
+      Clock clock,
+      @Config("packageCreateLimitEmailSubject") String packageCreateLimitEmailSubject,
+      @Config("packageDomainLimitWarningEmailSubject") String packageDomainLimitWarningEmailSubject,
+      @Config("packageDomainLimitUpgradeEmailSubject") String packageDomainLimitUpgradeEmailSubject,
+      @Config("packageCreateLimitEmailBody") String packageCreateLimitEmailBody,
+      @Config("packageDomainLimitWarningEmailBody") String packageDomainLimitWarningEmailBody,
+      @Config("packageDomainLimitUpgradeEmailBody") String packageDomainLimitUpgradeEmailBody,
+      @Config("registrySupportEmail") String registrySupportEmail) {
+    this.sendEmailUtils = sendEmailUtils;
+    this.clock = clock;
+    this.packageCreateLimitEmailSubject = packageCreateLimitEmailSubject;
+    this.packageDomainLimitWarningEmailSubject = packageDomainLimitWarningEmailSubject;
+    this.packageDomainLimitUpgradeEmailSubject = packageDomainLimitUpgradeEmailSubject;
+    this.packageCreateLimitEmailBody = packageCreateLimitEmailBody;
+    this.packageDomainLimitWarningEmailBody = packageDomainLimitWarningEmailBody;
+    this.packageDomainLimitUpgradeEmailBody = packageDomainLimitUpgradeEmailBody;
+    this.registrySupportEmail = registrySupportEmail;
+  }
+
+  @Override
+  public void run() {
+    tm().transact(this::checkPackages);
+  }
+
+  private void checkPackages() {
+    ImmutableList<PackagePromotion> packages = tm().loadAllOf(PackagePromotion.class);
+    ImmutableMap.Builder<PackagePromotion, Long> packagesOverCreateLimitBuilder =
+        new ImmutableMap.Builder<>();
+    ImmutableMap.Builder<PackagePromotion, Long> packagesOverActiveDomainsLimitBuilder =
+        new ImmutableMap.Builder<>();
+    for (PackagePromotion packagePromo : packages) {
+      Long creates =
+          (Long)
+              tm().query(
+                      "SELECT COUNT(*) FROM DomainHistory WHERE current_package_token ="
+                          + " :token AND modificationTime >= :lastBilling AND type ="
+                          + " 'DOMAIN_CREATE'")
+                  .setParameter("token", packagePromo.getToken().getKey().toString())
+                  .setParameter("lastBilling", packagePromo.getNextBillingDate().minusYears(1))
+                  .getSingleResult();
+      if (creates > packagePromo.getMaxCreates()) {
+        long overage = creates - packagePromo.getMaxCreates();
+        logger.atInfo().log(
+            "Package with package token %s has exceeded their max domain creation limit"
+                + " by %d name(s).",
+            packagePromo.getToken().getKey(), overage);
+        packagesOverCreateLimitBuilder.put(packagePromo, creates);
+      }
+
+      Long activeDomains =
+          tm().query(
+                  "SELECT COUNT(*) FROM Domain WHERE currentPackageToken = :token"
+                      + " AND deletionTime = :endOfTime",
+                  Long.class)
+              .setParameter("token", packagePromo.getToken())
+              .setParameter("endOfTime", END_OF_TIME)
+              .getSingleResult();
+      if (activeDomains > packagePromo.getMaxDomains()) {
+        int overage = Ints.saturatedCast(activeDomains) - packagePromo.getMaxDomains();
+        logger.atInfo().log(
+            "Package with package token %s has exceed their max active domains limit by"
+                + " %d name(s).",
+            packagePromo.getToken().getKey(), overage);
+        packagesOverActiveDomainsLimitBuilder.put(packagePromo, activeDomains);
+      }
+    }
+    handlePackageCreationOverage(packagesOverCreateLimitBuilder.build());
+    handleActiveDomainOverage(packagesOverActiveDomainsLimitBuilder.build());
+  }
+
+  private void handlePackageCreationOverage(ImmutableMap<PackagePromotion, Long> overageList) {
+    if (overageList.isEmpty()) {
+      logger.atInfo().log("Found no packages over their create limit.");
+      return;
+    }
+    logger.atInfo().log("Found %d packages over their create limit.", overageList.size());
+    for (PackagePromotion packagePromotion : overageList.keySet()) {
+      AllocationToken packageToken = tm().loadByKey(packagePromotion.getToken());
+      Optional<Registrar> registrar =
+          Registrar.loadByRegistrarIdCached(
+              Iterables.getOnlyElement(packageToken.getAllowedRegistrarIds()));
+      if (registrar.isPresent()) {
+        String body =
+            String.format(
+                packageCreateLimitEmailBody,
+                packagePromotion.getId(),
+                packageToken.getToken(),
+                registrar.get().getRegistrarName(),
+                packagePromotion.getMaxCreates(),
+                overageList.get(packagePromotion));
+        sendNotification(packageToken, packageCreateLimitEmailSubject, body, registrar.get());
+      } else {
+        throw new IllegalStateException(
+            String.format("Could not find registrar for package token %s", packageToken));
+      }
+    }
+  }
+
+  private void handleActiveDomainOverage(ImmutableMap<PackagePromotion, Long> overageList) {
+    if (overageList.isEmpty()) {
+      logger.atInfo().log("Found no packages over their active domains limit.");
+      return;
+    }
+    logger.atInfo().log("Found %d packages over their active domains limit.", overageList.size());
+    for (PackagePromotion packagePromotion : overageList.keySet()) {
+      int daysSinceLastNotification =
+          packagePromotion
+              .getLastNotificationSent()
+              .map(sentDate -> Days.daysBetween(sentDate, clock.nowUtc()).getDays())
+              .orElse(Integer.MAX_VALUE);
+      if (daysSinceLastNotification < THIRTY_DAYS) {
+        // Don't send an email if notification was already sent within the last 30
+        // days
+        continue;
+      } else if (daysSinceLastNotification < FORTY_DAYS) {
+        // Send an upgrade email if last email was between 30 and 40 days ago
+        sendActiveDomainOverageEmail(
+            /* warning= */ false, packagePromotion, overageList.get(packagePromotion));
+      } else {
+        // Send a warning email
+        sendActiveDomainOverageEmail(
+            /* warning= */ true, packagePromotion, overageList.get(packagePromotion));
+      }
+    }
+  }
+
+  private void sendActiveDomainOverageEmail(
+      boolean warning, PackagePromotion packagePromotion, long activeDomains) {
+    String emailSubject =
+        warning ? packageDomainLimitWarningEmailSubject : packageDomainLimitUpgradeEmailSubject;
+    String emailTemplate =
+        warning ? packageDomainLimitWarningEmailBody : packageDomainLimitUpgradeEmailBody;
+    AllocationToken packageToken = tm().loadByKey(packagePromotion.getToken());
+    Optional<Registrar> registrar =
+        Registrar.loadByRegistrarIdCached(
+            Iterables.getOnlyElement(packageToken.getAllowedRegistrarIds()));
+    if (registrar.isPresent()) {
+      String body =
+          String.format(
+              emailTemplate,
+              packagePromotion.getId(),
+              packageToken.getToken(),
+              registrar.get().getRegistrarName(),
+              packagePromotion.getMaxDomains(),
+              activeDomains);
+      sendNotification(packageToken, emailSubject, body, registrar.get());
+      tm().put(packagePromotion.asBuilder().setLastNotificationSent(clock.nowUtc()).build());
+    } else {
+      throw new IllegalStateException(
+          String.format("Could not find registrar for package token %s", packageToken));
+    }
+  }
+
+  private void sendNotification(
+      AllocationToken packageToken, String subject, String body, Registrar registrar) {
+    logger.atInfo().log(
+        String.format(
+            "Compliance email sent to support regarding the %s registrar and the package with token"
+                + " %s.",
+            registrar.getRegistrarName(), packageToken.getToken()));
+    sendEmailUtils.sendEmail(subject, body, ImmutableList.of(registrySupportEmail));
+  }
+}

core/src/main/java/google/registry/batch/CloudTasksUtils.java

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.util;
+package google.registry.batch;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableList.toImmutableList;
@@ -36,12 +36,18 @@ import com.google.common.net.MediaType;
 import com.google.common.net.UrlEscapers;
 import com.google.protobuf.ByteString;
 import com.google.protobuf.util.Timestamps;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.request.Action.Service;
+import google.registry.util.Clock;
+import google.registry.util.CollectionUtils;
+import google.registry.util.Retrier;
 import java.io.Serializable;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Optional;
 import java.util.Random;
 import java.util.function.Supplier;
+import javax.inject.Inject;
 import org.joda.time.Duration;
 
 /** Utilities for dealing with Cloud Tasks. */
@@ -57,11 +63,12 @@ public class CloudTasksUtils implements Serializable {
   private final String locationId;
   private final SerializableCloudTasksClient client;
 
+  @Inject
   public CloudTasksUtils(
       Retrier retrier,
       Clock clock,
-      String projectId,
-      String locationId,
+      @Config("projectId") String projectId,
+      @Config("locationId") String locationId,
       SerializableCloudTasksClient client) {
     this.retrier = retrier;
     this.clock = clock;
@@ -108,7 +115,7 @@ public class CloudTasksUtils implements Serializable {
    *     the worker service</a>
    */
   private Task createTask(
-      String path, HttpMethod method, String service, Multimap<String, String> params) {
+      String path, HttpMethod method, Service service, Multimap<String, String> params) {
     checkArgument(
         path != null && !path.isEmpty() && path.charAt(0) == '/',
         "The path must start with a '/'.");
@@ -119,7 +126,8 @@ public class CloudTasksUtils implements Serializable {
     AppEngineHttpRequest.Builder requestBuilder =
         AppEngineHttpRequest.newBuilder()
             .setHttpMethod(method)
-            .setAppEngineRouting(AppEngineRouting.newBuilder().setService(service).build());
+            .setAppEngineRouting(
+                AppEngineRouting.newBuilder().setService(service.toString()).build());
 
     if (!CollectionUtils.isNullOrEmpty(params)) {
       Escaper escaper = UrlEscapers.urlPathSegmentEscaper();
@@ -165,7 +173,7 @@ public class CloudTasksUtils implements Serializable {
   private Task createTaskWithJitter(
       String path,
       HttpMethod method,
-      String service,
+      Service service,
       Multimap<String, String> params,
       Optional<Integer> jitterSeconds) {
     if (!jitterSeconds.isPresent() || jitterSeconds.get() <= 0) {
@@ -199,7 +207,7 @@ public class CloudTasksUtils implements Serializable {
   private Task createTaskWithDelay(
       String path,
       HttpMethod method,
-      String service,
+      Service service,
       Multimap<String, String> params,
       Duration delay) {
     if (delay.isEqual(Duration.ZERO)) {
@@ -211,11 +219,11 @@ public class CloudTasksUtils implements Serializable {
         .build();
   }
 
-  public Task createPostTask(String path, String service, Multimap<String, String> params) {
+  public Task createPostTask(String path, Service service, Multimap<String, String> params) {
     return createTask(path, HttpMethod.POST, service, params);
   }
 
-  public Task createGetTask(String path, String service, Multimap<String, String> params) {
+  public Task createGetTask(String path, Service service, Multimap<String, String> params) {
     return createTask(path, HttpMethod.GET, service, params);
   }
 
@@ -224,7 +232,7 @@ public class CloudTasksUtils implements Serializable {
    */
   public Task createPostTaskWithJitter(
       String path,
-      String service,
+      Service service,
       Multimap<String, String> params,
       Optional<Integer> jitterSeconds) {
     return createTaskWithJitter(path, HttpMethod.POST, service, params, jitterSeconds);
@@ -235,7 +243,7 @@ public class CloudTasksUtils implements Serializable {
    */
   public Task createGetTaskWithJitter(
       String path,
-      String service,
+      Service service,
       Multimap<String, String> params,
       Optional<Integer> jitterSeconds) {
     return createTaskWithJitter(path, HttpMethod.GET, service, params, jitterSeconds);
@@ -243,13 +251,13 @@ public class CloudTasksUtils implements Serializable {
 
   /** Create a {@link Task} via HTTP.POST that will be delayed for {@code delay}. */
   public Task createPostTaskWithDelay(
-      String path, String service, Multimap<String, String> params, Duration delay) {
+      String path, Service service, Multimap<String, String> params, Duration delay) {
     return createTaskWithDelay(path, HttpMethod.POST, service, params, delay);
   }
 
   /** Create a {@link Task} via HTTP.GET that will be delayed for {@code delay}. */
   public Task createGetTaskWithDelay(
-      String path, String service, Multimap<String, String> params, Duration delay) {
+      String path, Service service, Multimap<String, String> params, Duration delay) {
     return createTaskWithDelay(path, HttpMethod.GET, service, params, delay);
   }
 

core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java

@@ -44,7 +44,7 @@ import javax.inject.Inject;
 
 /**
  * Hard deletes load-test Contacts, Hosts, their subordinate history entries, and the associated
- * ForeignKey and EppResourceIndex entities.
+ * ForeignKey entities.
  *
  * <p>This only deletes contacts and hosts, NOT domains. To delete domains, use {@link
  * DeleteProberDataAction} and pass it the TLD(s) that the load test domains were created on. Note

core/src/main/java/google/registry/batch/DeleteProberDataAction.java

@@ -21,7 +21,6 @@ import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
 import static google.registry.config.RegistryEnvironment.PRODUCTION;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_DELETE;
 import static google.registry.model.tld.Registries.getTldsOfType;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
@@ -33,12 +32,12 @@ import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryEnvironment;
-import google.registry.dns.DnsQueue;
+import google.registry.dns.DnsUtils;
 import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.DomainHistory;
-import google.registry.model.tld.Registry.TldType;
+import google.registry.model.tld.Tld.TldType;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
@@ -53,7 +52,7 @@ import org.joda.time.Duration;
 
 /**
  * Deletes all prober {@link Domain}s and their subordinate history entries, poll messages, and
- * billing events, along with their ForeignKeyDomainIndex and EppResourceIndex entities.
+ * billing events, along with their ForeignKeyDomainIndex entities.
  */
 @Action(
     service = Action.Service.BACKEND,
@@ -91,7 +90,7 @@ public class DeleteProberDataAction implements Runnable {
   // Note: creationTime must be compared to a Java object (CreateAutoTimestamp) but deletionTime can
   // be compared directly to the SQL timestamp (it's a DateTime)
   private static final String DOMAIN_QUERY_STRING =
-      "FROM Domain d WHERE d.tld IN :tlds AND d.fullyQualifiedDomainName NOT LIKE 'nic.%' AND"
+      "FROM Domain d WHERE d.tld IN :tlds AND d.domainName NOT LIKE 'nic.%' AND"
           + " (d.subordinateHosts IS EMPTY OR d.subordinateHosts IS NULL) AND d.creationTime <"
           + " :creationTimeCutoff AND ((d.creationTime <= :nowAutoTimestamp AND d.deletionTime >"
           + " current_timestamp()) OR d.deletionTime < :nowMinusSoftDeleteDelay) ORDER BY d.repoId";
@@ -99,17 +98,22 @@ public class DeleteProberDataAction implements Runnable {
   /** Number of domains to retrieve and delete per SQL transaction. */
   private static final int BATCH_SIZE = 1000;
 
-  @Inject DnsQueue dnsQueue;
+  @Inject DnsUtils dnsUtils;
 
-  @Inject @Parameter(PARAM_DRY_RUN) boolean isDryRun;
+  @Inject
+  @Parameter(PARAM_DRY_RUN)
+  boolean isDryRun;
   /** List of TLDs to work on. If empty - will work on all TLDs that end with .test. */
-  @Inject @Parameter(PARAM_TLDS) ImmutableSet<String> tlds;
+  @Inject
+  @Parameter(PARAM_TLDS)
+  ImmutableSet<String> tlds;
 
   @Inject
   @Config("registryAdminClientId")
   String registryAdminRegistrarId;
 
-  @Inject DeleteProberDataAction() {}
+  @Inject
+  DeleteProberDataAction() {}
 
   @Override
   public void run() {
@@ -135,7 +139,7 @@ public class DeleteProberDataAction implements Runnable {
   private void runSqlJob(ImmutableSet<String> deletableTlds) {
     AtomicInteger softDeletedDomains = new AtomicInteger();
     AtomicInteger hardDeletedDomains = new AtomicInteger();
-    jpaTm().transact(() -> processDomains(deletableTlds, softDeletedDomains, hardDeletedDomains));
+    tm().transact(() -> processDomains(deletableTlds, softDeletedDomains, hardDeletedDomains));
     logger.atInfo().log(
         "%s %d domains.",
         isDryRun ? "Would have soft-deleted" : "Soft-deleted", softDeletedDomains.get());
@@ -151,9 +155,8 @@ public class DeleteProberDataAction implements Runnable {
     DateTime now = tm().getTransactionTime();
     // Scroll through domains, soft-deleting as necessary (very few will be soft-deleted) and
     // keeping track of which domains to hard-delete (there can be many, so we batch them up)
-    ScrollableResults scrollableResult =
-        jpaTm()
-            .query(DOMAIN_QUERY_STRING, Domain.class)
+    try (ScrollableResults scrollableResult =
+        tm().query(DOMAIN_QUERY_STRING, Domain.class)
             .setParameter("tlds", deletableTlds)
             .setParameter(
                 "creationTimeCutoff", CreateAutoTimestamp.create(now.minus(DOMAIN_USED_DURATION)))
@@ -161,28 +164,30 @@ public class DeleteProberDataAction implements Runnable {
             .setParameter("nowAutoTimestamp", CreateAutoTimestamp.create(now))
             .unwrap(Query.class)
             .setCacheMode(CacheMode.IGNORE)
-            .scroll(ScrollMode.FORWARD_ONLY);
-    ImmutableList.Builder<String> domainRepoIdsToHardDelete = new ImmutableList.Builder<>();
-    ImmutableList.Builder<String> hostNamesToHardDelete = new ImmutableList.Builder<>();
-    for (int i = 1; scrollableResult.next(); i = (i + 1) % BATCH_SIZE) {
-      Domain domain = (Domain) scrollableResult.get(0);
-      processDomain(
-          domain,
-          domainRepoIdsToHardDelete,
-          hostNamesToHardDelete,
-          softDeletedDomains,
-          hardDeletedDomains);
-      // Batch the deletion and DB flush + session clearing so we don't OOM
-      if (i == 0) {
-        hardDeleteDomainsAndHosts(domainRepoIdsToHardDelete.build(), hostNamesToHardDelete.build());
-        domainRepoIdsToHardDelete = new ImmutableList.Builder<>();
-        hostNamesToHardDelete = new ImmutableList.Builder<>();
-        jpaTm().getEntityManager().flush();
-        jpaTm().getEntityManager().clear();
+            .scroll(ScrollMode.FORWARD_ONLY)) {
+      ImmutableList.Builder<String> domainRepoIdsToHardDelete = new ImmutableList.Builder<>();
+      ImmutableList.Builder<String> hostNamesToHardDelete = new ImmutableList.Builder<>();
+      for (int i = 1; scrollableResult.next(); i = (i + 1) % BATCH_SIZE) {
+        Domain domain = (Domain) scrollableResult.get(0);
+        processDomain(
+            domain,
+            domainRepoIdsToHardDelete,
+            hostNamesToHardDelete,
+            softDeletedDomains,
+            hardDeletedDomains);
+        // Batch the deletion and DB flush + session clearing, so we don't OOM
+        if (i == 0) {
+          hardDeleteDomainsAndHosts(
+              domainRepoIdsToHardDelete.build(), hostNamesToHardDelete.build());
+          domainRepoIdsToHardDelete = new ImmutableList.Builder<>();
+          hostNamesToHardDelete = new ImmutableList.Builder<>();
+          tm().getEntityManager().flush();
+          tm().getEntityManager().clear();
+        }
       }
+      // process the remainder
+      hardDeleteDomainsAndHosts(domainRepoIdsToHardDelete.build(), hostNamesToHardDelete.build());
     }
-    // process the remainder
-    hardDeleteDomainsAndHosts(domainRepoIdsToHardDelete.build(), hostNamesToHardDelete.build());
   }
 
   private void processDomain(
@@ -219,32 +224,25 @@ public class DeleteProberDataAction implements Runnable {
 
   private void hardDeleteDomainsAndHosts(
       ImmutableList<String> domainRepoIds, ImmutableList<String> hostNames) {
-    jpaTm()
-        .query("DELETE FROM Host WHERE fullyQualifiedHostName IN :hostNames")
+    tm().query("DELETE FROM Host WHERE hostName IN :hostNames")
         .setParameter("hostNames", hostNames)
         .executeUpdate();
-    jpaTm()
-        .query("DELETE FROM BillingEvent WHERE domainRepoId IN :repoIds")
+    tm().query("DELETE FROM BillingEvent WHERE domainRepoId IN :repoIds")
         .setParameter("repoIds", domainRepoIds)
         .executeUpdate();
-    jpaTm()
-        .query("DELETE FROM BillingRecurrence WHERE domainRepoId IN :repoIds")
+    tm().query("DELETE FROM BillingRecurrence WHERE domainRepoId IN :repoIds")
         .setParameter("repoIds", domainRepoIds)
         .executeUpdate();
-    jpaTm()
-        .query("DELETE FROM BillingCancellation WHERE domainRepoId IN :repoIds")
+    tm().query("DELETE FROM BillingCancellation WHERE domainRepoId IN :repoIds")
         .setParameter("repoIds", domainRepoIds)
         .executeUpdate();
-    jpaTm()
-        .query("DELETE FROM DomainHistory WHERE domainRepoId IN :repoIds")
+    tm().query("DELETE FROM DomainHistory WHERE repoId IN :repoIds")
         .setParameter("repoIds", domainRepoIds)
         .executeUpdate();
-    jpaTm()
-        .query("DELETE FROM PollMessage WHERE domainRepoId IN :repoIds")
+    tm().query("DELETE FROM PollMessage WHERE domainRepoId IN :repoIds")
         .setParameter("repoIds", domainRepoIds)
         .executeUpdate();
-    jpaTm()
-        .query("DELETE FROM Domain WHERE repoId IN :repoIds")
+    tm().query("DELETE FROM Domain WHERE repoId IN :repoIds")
         .setParameter("repoIds", domainRepoIds)
         .executeUpdate();
   }
@@ -266,6 +264,6 @@ public class DeleteProberDataAction implements Runnable {
     // messages, or auto-renews because those will all be hard-deleted the next time the job runs
     // anyway.
     tm().putAll(ImmutableList.of(deletedDomain, historyEntry));
-    dnsQueue.addDomainRefreshTask(deletedDomain.getDomainName());
+    dnsUtils.requestDomainDnsRefresh(deletedDomain.getDomainName());
   }
 }

core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java

@@ -0,0 +1,163 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.batch;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
+import static google.registry.beam.BeamUtils.createJobName;
+import static google.registry.model.common.Cursor.CursorType.RECURRING_BILLING;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.DateTimeUtils.START_OF_TIME;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.api.services.dataflow.Dataflow;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateParameter;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateRequest;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateResponse;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.flogger.FluentLogger;
+import google.registry.beam.billing.ExpandBillingRecurrencesPipeline;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryEnvironment;
+import google.registry.model.billing.BillingEvent;
+import google.registry.model.billing.BillingRecurrence;
+import google.registry.model.common.Cursor;
+import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.util.Clock;
+import java.io.IOException;
+import java.util.Optional;
+import javax.inject.Inject;
+import org.joda.time.DateTime;
+
+/**
+ * An action that kicks off a {@link ExpandBillingRecurrencesPipeline} dataflow job to expand {@link
+ * BillingRecurrence} billing events into synthetic {@link BillingEvent} events.
+ */
+@Action(
+    service = Action.Service.BACKEND,
+    path = "/_dr/task/expandBillingRecurrences",
+    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
+public class ExpandBillingRecurrencesAction implements Runnable {
+
+  public static final String PARAM_START_TIME = "startTime";
+  public static final String PARAM_END_TIME = "endTime";
+  public static final String PARAM_ADVANCE_CURSOR = "advanceCursor";
+
+  private static final String PIPELINE_NAME = "expand_billing_recurrences_pipeline";
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  @Inject Clock clock;
+
+  @Inject
+  @Parameter(PARAM_DRY_RUN)
+  boolean isDryRun;
+
+  @Inject
+  @Parameter(PARAM_ADVANCE_CURSOR)
+  boolean advanceCursor;
+
+  @Inject
+  @Parameter(PARAM_START_TIME)
+  Optional<DateTime> startTimeParam;
+
+  @Inject
+  @Parameter(PARAM_END_TIME)
+  Optional<DateTime> endTimeParam;
+
+  @Inject
+  @Config("projectId")
+  String projectId;
+
+  @Inject
+  @Config("defaultJobRegion")
+  String jobRegion;
+
+  @Inject
+  @Config("beamStagingBucketUrl")
+  String stagingBucketUrl;
+
+  @Inject Dataflow dataflow;
+
+  @Inject Response response;
+
+  @Inject
+  ExpandBillingRecurrencesAction() {}
+
+  @Override
+  public void run() {
+    checkArgument(!(isDryRun && advanceCursor), "Cannot advance the cursor in a dry run.");
+    DateTime endTime = endTimeParam.orElse(clock.nowUtc());
+    checkArgument(
+        !endTime.isAfter(clock.nowUtc()), "End time (%s) must be at or before now", endTime);
+    DateTime startTime =
+        startTimeParam.orElse(
+            tm().transact(
+                    () ->
+                        tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
+                            .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
+                            .getCursorTime()));
+    checkArgument(
+        startTime.isBefore(endTime),
+        String.format("Start time (%s) must be before end time (%s)", startTime, endTime));
+    LaunchFlexTemplateParameter launchParameter =
+        new LaunchFlexTemplateParameter()
+            .setJobName(
+                createJobName(
+                    String.format(
+                        "expand-billing-%s", startTime.toString("yyyy-MM-dd't'HH-mm-ss'z'")),
+                    clock))
+            .setContainerSpecGcsPath(
+                String.format("%s/%s_metadata.json", stagingBucketUrl, PIPELINE_NAME))
+            .setParameters(
+                new ImmutableMap.Builder<String, String>()
+                    .put("registryEnvironment", RegistryEnvironment.get().name())
+                    .put("startTime", startTime.toString("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"))
+                    .put("endTime", endTime.toString("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"))
+                    .put("isDryRun", Boolean.toString(isDryRun))
+                    .put("advanceCursor", Boolean.toString(advanceCursor))
+                    .build());
+    logger.atInfo().log(
+        "Launching billing recurrence expansion pipeline for event time range [%s, %s)%s.",
+        startTime,
+        endTime,
+        isDryRun ? " in dry run mode" : advanceCursor ? "" : " without advancing the cursor");
+    try {
+      LaunchFlexTemplateResponse launchResponse =
+          dataflow
+              .projects()
+              .locations()
+              .flexTemplates()
+              .launch(
+                  projectId,
+                  jobRegion,
+                  new LaunchFlexTemplateRequest().setLaunchParameter(launchParameter))
+              .execute();
+      logger.atInfo().log("Got response: %s", launchResponse.getJob().toPrettyString());
+      response.setStatus(SC_OK);
+      response.setPayload(
+          String.format(
+              "Launched billing recurrence expansion pipeline: %s",
+              launchResponse.getJob().getId()));
+    } catch (IOException e) {
+      logger.atWarning().withCause(e).log("Pipeline Launch failed");
+      response.setStatus(SC_INTERNAL_SERVER_ERROR);
+      response.setPayload(String.format("Pipeline launch failed: %s", e.getMessage()));
+    }
+  }
+}

core/src/main/java/google/registry/batch/ExpandRecurringBillingEventsAction.java

@@ -1,364 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.batch;
-
-import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static com.google.common.collect.Sets.difference;
-import static com.google.common.collect.Sets.newHashSet;
-import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
-import static google.registry.model.common.Cursor.CursorType.RECURRING_BILLING;
-import static google.registry.model.domain.Period.Unit.YEARS;
-import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_AUTORENEW;
-import static google.registry.persistence.transaction.QueryComposer.Comparator.EQ;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-import static google.registry.util.CollectionUtils.union;
-import static google.registry.util.DateTimeUtils.START_OF_TIME;
-import static google.registry.util.DateTimeUtils.earliestOf;
-import static google.registry.util.DomainNameUtils.getTldFromDomainName;
-
-import com.google.auto.value.AutoValue;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Range;
-import com.google.common.collect.Streams;
-import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.flows.domain.DomainPricingLogic;
-import google.registry.model.ImmutableObject;
-import google.registry.model.billing.BillingEvent;
-import google.registry.model.billing.BillingEvent.Flag;
-import google.registry.model.billing.BillingEvent.OneTime;
-import google.registry.model.billing.BillingEvent.Recurring;
-import google.registry.model.common.Cursor;
-import google.registry.model.domain.Domain;
-import google.registry.model.domain.DomainHistory;
-import google.registry.model.domain.Period;
-import google.registry.model.reporting.DomainTransactionRecord;
-import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
-import google.registry.model.tld.Registry;
-import google.registry.persistence.VKey;
-import google.registry.request.Action;
-import google.registry.request.Parameter;
-import google.registry.request.Response;
-import google.registry.request.auth.Auth;
-import google.registry.util.Clock;
-import java.util.List;
-import java.util.Optional;
-import java.util.Set;
-import java.util.concurrent.TimeUnit;
-import javax.inject.Inject;
-import org.joda.time.DateTime;
-
-/**
- * An action that expands {@link Recurring} billing events into synthetic {@link OneTime} events.
- *
- * <p>The cursor used throughout this action (overridden if necessary using the parameter {@code
- * cursorTime}) represents the inclusive lower bound on the range of billing times that will be
- * expanded as a result of the job (the exclusive upper bound being the execution time of the job).
- */
-@Action(
-    service = Action.Service.BACKEND,
-    path = "/_dr/task/expandRecurringBillingEvents",
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
-public class ExpandRecurringBillingEventsAction implements Runnable {
-
-  public static final String PARAM_CURSOR_TIME = "cursorTime";
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  @Inject Clock clock;
-
-  @Inject
-  @Config("jdbcBatchSize")
-  int batchSize;
-
-  @Inject @Parameter(PARAM_DRY_RUN) boolean isDryRun;
-  @Inject @Parameter(PARAM_CURSOR_TIME) Optional<DateTime> cursorTimeParam;
-
-  @Inject DomainPricingLogic domainPricingLogic;
-  @Inject Response response;
-  @Inject ExpandRecurringBillingEventsAction() {}
-
-  @Override
-  public void run() {
-    DateTime executeTime = clock.nowUtc();
-    DateTime persistedCursorTime =
-        tm().transact(
-                () ->
-                    tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
-                        .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
-                        .getCursorTime());
-    DateTime cursorTime = cursorTimeParam.orElse(persistedCursorTime);
-    checkArgument(
-        cursorTime.isBefore(executeTime), "Cursor time must be earlier than execution time.");
-    logger.atInfo().log(
-        "Running Recurring billing event expansion for billing time range [%s, %s).",
-        cursorTime, executeTime);
-    expandSqlBillingEventsInBatches(executeTime, cursorTime, persistedCursorTime);
-  }
-
-  private void expandSqlBillingEventsInBatches(
-      DateTime executeTime, DateTime cursorTime, DateTime persistedCursorTime) {
-    int totalBillingEventsSaved = 0;
-    long maxProcessedRecurrenceId = 0;
-    SqlBatchResults sqlBatchResults;
-
-    do {
-      final long prevMaxProcessedRecurrenceId = maxProcessedRecurrenceId;
-      sqlBatchResults =
-          jpaTm()
-              .transact(
-                  () -> {
-                    Set<String> expandedDomains = newHashSet();
-                    int batchBillingEventsSaved = 0;
-                    long maxRecurrenceId = prevMaxProcessedRecurrenceId;
-                    List<Recurring> recurrings =
-                        jpaTm()
-                            .query(
-                                "FROM BillingRecurrence "
-                                    + "WHERE eventTime <= :executeTime "
-                                    + "AND eventTime < recurrenceEndTime "
-                                    + "AND id > :maxProcessedRecurrenceId "
-                                    + "AND recurrenceEndTime > :cursorTime "
-                                    + "ORDER BY id ASC",
-                                Recurring.class)
-                            .setParameter("executeTime", executeTime)
-                            .setParameter("maxProcessedRecurrenceId", prevMaxProcessedRecurrenceId)
-                            .setParameter("cursorTime", cursorTime)
-                            .setMaxResults(batchSize)
-                            .getResultList();
-                    for (Recurring recurring : recurrings) {
-                      if (expandedDomains.contains(recurring.getTargetId())) {
-                        // On the off chance this batch contains multiple recurrences for the same
-                        // domain (which is actually possible if a given domain is quickly renewed
-                        // multiple times in a row), then short-circuit after the first one is
-                        // processed that involves actually expanding a billing event. This is
-                        // necessary because otherwise we get an "Inserted/updated object reloaded"
-                        // error from Hibernate when those billing events would be loaded
-                        // inside a transaction where they were already written. Note, there is no
-                        // actual further work to be done in this case anyway, not unless it has
-                        // somehow been over a year since this action last ran successfully (and if
-                        // that were somehow true, the remaining billing events would still be
-                        // expanded on subsequent runs).
-                        continue;
-                      }
-                      int billingEventsSaved =
-                          expandBillingEvent(
-                              recurring, executeTime, cursorTime, isDryRun, domainPricingLogic);
-                      batchBillingEventsSaved += billingEventsSaved;
-                      if (billingEventsSaved > 0) {
-                        expandedDomains.add(recurring.getTargetId());
-                      }
-                      maxRecurrenceId = Math.max(maxRecurrenceId, recurring.getId());
-                    }
-                    return SqlBatchResults.create(
-                        batchBillingEventsSaved,
-                        maxRecurrenceId,
-                        maxRecurrenceId > prevMaxProcessedRecurrenceId);
-                  });
-      totalBillingEventsSaved += sqlBatchResults.batchBillingEventsSaved();
-      maxProcessedRecurrenceId = sqlBatchResults.maxProcessedRecurrenceId();
-      if (sqlBatchResults.batchBillingEventsSaved() > 0) {
-        logger.atInfo().log(
-            "Saved %d billing events in batch (%d total) with max recurrence id %d.",
-            sqlBatchResults.batchBillingEventsSaved(),
-            totalBillingEventsSaved,
-            maxProcessedRecurrenceId);
-      } else {
-        // If we're churning through a lot of no-op recurrences that don't need expanding (yet?),
-        // then only log one no-op every so often as a good balance between letting the user track
-        // that the action is still running while also not spamming the logs incessantly.
-        logger.atInfo().atMostEvery(3, TimeUnit.MINUTES).log(
-            "Processed up to max recurrence id %d (no billing events saved recently).",
-            maxProcessedRecurrenceId);
-      }
-    } while (sqlBatchResults.shouldContinue());
-
-    if (!isDryRun) {
-      logger.atInfo().log("Saved %d total OneTime billing events.", totalBillingEventsSaved);
-    } else {
-      logger.atInfo().log(
-          "Generated %d total OneTime billing events (dry run).", totalBillingEventsSaved);
-    }
-    logger.atInfo().log(
-        "Recurring event expansion %s complete for billing event range [%s, %s).",
-        isDryRun ? "(dry run) " : "", cursorTime, executeTime);
-    tm().transact(
-            () -> {
-              // Check for the unlikely scenario where the cursor has been altered during the
-              // expansion.
-              DateTime currentCursorTime =
-                  tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
-                      .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
-                      .getCursorTime();
-              if (!currentCursorTime.equals(persistedCursorTime)) {
-                throw new IllegalStateException(
-                    String.format(
-                        "Current cursor position %s does not match persisted cursor position %s.",
-                        currentCursorTime, persistedCursorTime));
-              }
-              if (!isDryRun) {
-                tm().put(Cursor.createGlobal(RECURRING_BILLING, executeTime));
-              }
-            });
-  }
-
-  @AutoValue
-  abstract static class SqlBatchResults {
-    abstract int batchBillingEventsSaved();
-
-    abstract long maxProcessedRecurrenceId();
-
-    abstract boolean shouldContinue();
-
-    static SqlBatchResults create(
-        int batchBillingEventsSaved, long maxProcessedRecurrenceId, boolean shouldContinue) {
-      return new AutoValue_ExpandRecurringBillingEventsAction_SqlBatchResults(
-          batchBillingEventsSaved, maxProcessedRecurrenceId, shouldContinue);
-    }
-  }
-
-  private static int expandBillingEvent(
-      Recurring recurring,
-      DateTime executeTime,
-      DateTime cursorTime,
-      boolean isDryRun,
-      DomainPricingLogic domainPricingLogic) {
-    ImmutableSet.Builder<OneTime> syntheticOneTimesBuilder = new ImmutableSet.Builder<>();
-    final Registry tld = Registry.get(getTldFromDomainName(recurring.getTargetId()));
-
-    // Determine the complete set of times at which this recurring event should
-    // occur (up to and including the runtime of the action).
-    Iterable<DateTime> eventTimes =
-        recurring
-            .getRecurrenceTimeOfYear()
-            .getInstancesInRange(
-                Range.closed(
-                    recurring.getEventTime(),
-                    earliestOf(recurring.getRecurrenceEndTime(), executeTime)));
-
-    // Convert these event times to billing times
-    final ImmutableSet<DateTime> billingTimes =
-        getBillingTimesInScope(eventTimes, cursorTime, executeTime, tld);
-
-    VKey<Domain> domainKey = VKey.createSql(Domain.class, recurring.getDomainRepoId());
-    Iterable<OneTime> oneTimesForDomain;
-    oneTimesForDomain =
-        tm().createQueryComposer(OneTime.class)
-            .where("domainRepoId", EQ, recurring.getDomainRepoId())
-            .list();
-
-    // Determine the billing times that already have OneTime events persisted.
-    ImmutableSet<DateTime> existingBillingTimes =
-        getExistingBillingTimes(oneTimesForDomain, recurring);
-
-    ImmutableSet.Builder<DomainHistory> historyEntriesBuilder = new ImmutableSet.Builder<>();
-    // Create synthetic OneTime events for all billing times that do not yet have
-    // an event persisted.
-    for (DateTime billingTime : difference(billingTimes, existingBillingTimes)) {
-      // Construct a new HistoryEntry that parents over the OneTime
-      DomainHistory historyEntry =
-          new DomainHistory.Builder()
-              .setBySuperuser(false)
-              .setRegistrarId(recurring.getRegistrarId())
-              .setModificationTime(tm().getTransactionTime())
-              .setDomain(tm().loadByKey(domainKey))
-              .setPeriod(Period.create(1, YEARS))
-              .setReason("Domain autorenewal by ExpandRecurringBillingEventsAction")
-              .setRequestedByRegistrar(false)
-              .setType(DOMAIN_AUTORENEW)
-              // Don't write a domain transaction record if the recurrence was
-              // ended prior to the billing time (i.e. a domain was deleted
-              // during the autorenew grace period).
-              .setDomainTransactionRecords(
-                  recurring.getRecurrenceEndTime().isBefore(billingTime)
-                      ? ImmutableSet.of()
-                      : ImmutableSet.of(
-                          DomainTransactionRecord.create(
-                              tld.getTldStr(),
-                              // We report this when the autorenew grace period
-                              // ends
-                              billingTime,
-                              TransactionReportField.netRenewsFieldFromYears(1),
-                              1)))
-              .build();
-      historyEntriesBuilder.add(historyEntry);
-
-      DateTime eventTime = billingTime.minus(tld.getAutoRenewGracePeriodLength());
-
-      syntheticOneTimesBuilder.add(
-          new OneTime.Builder()
-              .setBillingTime(billingTime)
-              .setRegistrarId(recurring.getRegistrarId())
-              // Determine the cost for a one-year renewal.
-              .setCost(
-                  domainPricingLogic
-                      .getRenewPrice(tld, recurring.getTargetId(), eventTime, 1, recurring)
-                      .getRenewCost())
-              .setEventTime(eventTime)
-              .setFlags(union(recurring.getFlags(), Flag.SYNTHETIC))
-              .setDomainHistory(historyEntry)
-              .setPeriodYears(1)
-              .setReason(recurring.getReason())
-              .setSyntheticCreationTime(executeTime)
-              .setCancellationMatchingBillingEvent(recurring)
-              .setTargetId(recurring.getTargetId())
-              .build());
-    }
-    Set<DomainHistory> historyEntries = historyEntriesBuilder.build();
-    Set<OneTime> syntheticOneTimes = syntheticOneTimesBuilder.build();
-    if (!isDryRun) {
-      ImmutableSet<ImmutableObject> entitiesToSave =
-          new ImmutableSet.Builder<ImmutableObject>()
-              .addAll(historyEntries)
-              .addAll(syntheticOneTimes)
-              .build();
-      tm().putAll(entitiesToSave);
-    }
-    return syntheticOneTimes.size();
-  }
-
-  /**
-   * Filters a set of {@link DateTime}s down to event times that are in scope for a particular
-   * action run, given the cursor time and the action execution time.
-   */
-  protected static ImmutableSet<DateTime> getBillingTimesInScope(
-      Iterable<DateTime> eventTimes,
-      DateTime cursorTime,
-      DateTime executeTime,
-      final Registry tld) {
-    return Streams.stream(eventTimes)
-        .map(eventTime -> eventTime.plus(tld.getAutoRenewGracePeriodLength()))
-        .filter(Range.closedOpen(cursorTime, executeTime))
-        .collect(toImmutableSet());
-  }
-
-  /**
-   * Determines an {@link ImmutableSet} of {@link DateTime}s that have already been persisted for a
-   * given recurring billing event.
-   */
-  private static ImmutableSet<DateTime> getExistingBillingTimes(
-      Iterable<BillingEvent.OneTime> oneTimesForDomain,
-      final BillingEvent.Recurring recurringEvent) {
-    return Streams.stream(oneTimesForDomain)
-        .filter(
-            billingEvent ->
-                recurringEvent
-                    .createVKey()
-                    .equals(billingEvent.getCancellationMatchingBillingEvent()))
-        .map(OneTime::getBillingTime)
-        .collect(toImmutableSet());
-  }
-}

core/src/main/java/google/registry/batch/RelockDomainAction.java

@@ -16,7 +16,6 @@ package google.registry.batch;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
@@ -189,7 +188,7 @@ public class RelockDomainAction implements Runnable {
         "Domain %s has a pending delete.",
         domainName);
     checkArgument(
-        !DateTimeUtils.isAtOrAfter(jpaTm().getTransactionTime(), domain.getDeletionTime()),
+        !DateTimeUtils.isAtOrAfter(tm().getTransactionTime(), domain.getDeletionTime()),
         "Domain %s has been deleted.",
         domainName);
     checkArgument(

core/src/main/java/google/registry/batch/ResaveEntityAction.java

@@ -23,7 +23,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.model.EppResource;
-import google.registry.model.ImmutableObject;
 import google.registry.persistence.VKey;
 import google.registry.request.Action;
 import google.registry.request.Action.Method;
@@ -75,14 +74,11 @@ public class ResaveEntityAction implements Runnable {
         "Re-saving entity %s which was enqueued at %s.", resourceKey, requestedTime);
     tm().transact(
             () -> {
-              ImmutableObject entity = tm().loadByKey(VKey.create(resourceKey));
-              tm().put(
-                      (entity instanceof EppResource)
-                          ? ((EppResource) entity).cloneProjectedAtTime(tm().getTransactionTime())
-                          : entity);
+              EppResource entity = tm().loadByKey(VKey.createEppVKeyFromString(resourceKey));
+              tm().put(entity.cloneProjectedAtTime(tm().getTransactionTime()));
               if (!resaveTimes.isEmpty()) {
                 asyncTaskEnqueuer.enqueueAsyncResave(
-                    VKey.create(resourceKey), requestedTime, resaveTimes);
+                    VKey.createEppVKeyFromString(resourceKey), requestedTime, resaveTimes);
               }
             });
     response.setPayload("Entity re-saved.");

core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java

@@ -14,31 +14,39 @@
 
 package google.registry.batch;
 
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
-import static org.apache.http.HttpStatus.SC_INTERNAL_SERVER_ERROR;
-import static org.apache.http.HttpStatus.SC_OK;
+import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
+import static google.registry.beam.BeamUtils.createJobName;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
 
-import com.google.common.annotations.VisibleForTesting;
+import com.google.api.services.dataflow.Dataflow;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateParameter;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateRequest;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateResponse;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
+import google.registry.beam.wipeout.WipeOutContactHistoryPiiPipeline;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryEnvironment;
 import google.registry.model.contact.ContactHistory;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
+import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
-import java.util.concurrent.atomic.AtomicInteger;
-import java.util.stream.Stream;
+import java.io.IOException;
+import java.util.Optional;
 import javax.inject.Inject;
 import org.joda.time.DateTime;
 
 /**
- * An action that wipes out Personal Identifiable Information (PII) fields of {@link ContactHistory}
- * entities.
+ * An action that launches {@link WipeOutContactHistoryPiiPipeline} to wipe out Personal
+ * Identifiable Information (PII) fields of {@link ContactHistory} entities.
  *
- * <p>ContactHistory entities should be retained in the database for only certain amount of time.
- * This periodic wipe out action only applies to SQL.
+ * <p>{@link ContactHistory} entities should be retained in the database for only certain amount of
+ * time.
  */
 @Action(
     service = Service.BACKEND,
@@ -47,92 +55,89 @@ import org.joda.time.DateTime;
 public class WipeOutContactHistoryPiiAction implements Runnable {
 
   public static final String PATH = "/_dr/task/wipeOutContactHistoryPii";
+  public static final String PARAM_CUTOFF_TIME = "wipeoutTime";
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+  private static final String PIPELINE_NAME = "wipe_out_contact_history_pii_pipeline";
+
   private final Clock clock;
-  private final Response response;
+  private final boolean isDryRun;
+  private final Optional<DateTime> maybeCutoffTime;
   private final int minMonthsBeforeWipeOut;
-  private final int wipeOutQueryBatchSize;
+  private final String stagingBucketUrl;
+  private final String projectId;
+  private final String jobRegion;
+  private final Dataflow dataflow;
+  private final Response response;
 
   @Inject
   public WipeOutContactHistoryPiiAction(
       Clock clock,
+      @Parameter(PARAM_DRY_RUN) boolean isDryRun,
+      @Parameter(PARAM_CUTOFF_TIME) Optional<DateTime> maybeCutoffTime,
       @Config("minMonthsBeforeWipeOut") int minMonthsBeforeWipeOut,
-      @Config("wipeOutQueryBatchSize") int wipeOutQueryBatchSize,
+      @Config("beamStagingBucketUrl") String stagingBucketUrl,
+      @Config("projectId") String projectId,
+      @Config("defaultJobRegion") String jobRegion,
+      Dataflow dataflow,
       Response response) {
     this.clock = clock;
-    this.response = response;
+    this.isDryRun = isDryRun;
+    this.maybeCutoffTime = maybeCutoffTime;
     this.minMonthsBeforeWipeOut = minMonthsBeforeWipeOut;
-    this.wipeOutQueryBatchSize = wipeOutQueryBatchSize;
+    this.stagingBucketUrl = stagingBucketUrl;
+    this.projectId = projectId;
+    this.jobRegion = jobRegion;
+    this.dataflow = dataflow;
+    this.response = response;
   }
 
   @Override
   public void run() {
     response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
+    DateTime cutoffTime =
+        maybeCutoffTime.orElse(clock.nowUtc().minusMonths(minMonthsBeforeWipeOut));
+    LaunchFlexTemplateParameter launchParameter =
+        new LaunchFlexTemplateParameter()
+            .setJobName(
+                createJobName(
+                    String.format(
+                        "contact-history-pii-wipeout-%s",
+                        cutoffTime.toString("yyyy-MM-dd't'HH-mm-ss'z'")),
+                    clock))
+            .setContainerSpecGcsPath(
+                String.format("%s/%s_metadata.json", stagingBucketUrl, PIPELINE_NAME))
+            .setParameters(
+                ImmutableMap.of(
+                    "registryEnvironment",
+                    RegistryEnvironment.get().name(),
+                    "cutoffTime",
+                    cutoffTime.toString("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
+                    "isDryRun",
+                    Boolean.toString(isDryRun)));
+    logger.atInfo().log(
+        "Launching Beam pipeline to wipe out all PII of contact history entities prior to %s%s.",
+        cutoffTime, " in dry run mode");
     try {
-      int totalNumOfWipedEntities = 0;
-      DateTime wipeOutTime = clock.nowUtc().minusMonths(minMonthsBeforeWipeOut);
-      logger.atInfo().log(
-          "About to wipe out all PII of contact history entities prior to %s.", wipeOutTime);
-
-      int numOfWipedEntities = 0;
-      do {
-        numOfWipedEntities =
-            jpaTm()
-                .transact(
-                    () ->
-                        wipeOutContactHistoryData(
-                            getNextContactHistoryEntitiesWithPiiBatch(wipeOutTime)));
-        totalNumOfWipedEntities += numOfWipedEntities;
-      } while (numOfWipedEntities > 0);
-      String msg =
-          String.format(
-              "Done. Wiped out PII of %d ContactHistory entities in total.",
-              totalNumOfWipedEntities);
-      logger.atInfo().log(msg);
-      response.setPayload(msg);
+      LaunchFlexTemplateResponse launchResponse =
+          dataflow
+              .projects()
+              .locations()
+              .flexTemplates()
+              .launch(
+                  projectId,
+                  jobRegion,
+                  new LaunchFlexTemplateRequest().setLaunchParameter(launchParameter))
+              .execute();
+      logger.atInfo().log("Got response: %s", launchResponse.getJob().toPrettyString());
       response.setStatus(SC_OK);
-
-    } catch (Exception e) {
-      logger.atSevere().withCause(e).log(
-          "Exception thrown during the process of wiping out contact history PII.");
-      response.setStatus(SC_INTERNAL_SERVER_ERROR);
       response.setPayload(
           String.format(
-              "Exception thrown during the process of wiping out contact history PII with cause"
-                  + ": %s",
-              e));
+              "Launched contact history PII wipeout pipeline: %s",
+              launchResponse.getJob().getId()));
+    } catch (IOException e) {
+      logger.atWarning().withCause(e).log("Pipeline Launch failed");
+      response.setStatus(SC_INTERNAL_SERVER_ERROR);
+      response.setPayload(String.format("Pipeline launch failed: %s", e.getMessage()));
     }
   }
-
-  /**
-   * Returns a stream of up to {@link #wipeOutQueryBatchSize} {@link ContactHistory} entities
-   * containing PII that are prior to @param wipeOutTime.
-   */
-  @VisibleForTesting
-  Stream<ContactHistory> getNextContactHistoryEntitiesWithPiiBatch(DateTime wipeOutTime) {
-    // email is one of the required fields in EPP, meaning it's initially not null.
-    // Therefore, checking if it's null is one way to avoid processing contact history entities
-    // that have been processed previously. Refer to RFC 5733 for more information.
-    return jpaTm()
-        .query(
-            "FROM ContactHistory WHERE modificationTime < :wipeOutTime " + "AND email IS NOT NULL",
-            ContactHistory.class)
-        .setParameter("wipeOutTime", wipeOutTime)
-        .setMaxResults(wipeOutQueryBatchSize)
-        .getResultStream();
-  }
-
-  /** Wipes out the PII of each of the {@link ContactHistory} entities in the stream. */
-  @VisibleForTesting
-  int wipeOutContactHistoryData(Stream<ContactHistory> contactHistoryEntities) {
-    AtomicInteger numOfEntities = new AtomicInteger(0);
-    contactHistoryEntities.forEach(
-        contactHistoryEntity -> {
-          jpaTm().update(contactHistoryEntity.asBuilder().wipeOutPii().build());
-          numOfEntities.incrementAndGet();
-        });
-    logger.atInfo().log(
-        "Wiped out all PII fields of %d ContactHistory entities.", numOfEntities.get());
-    return numOfEntities.get();
-  }
 }

core/src/main/java/google/registry/batch/cannedscript/CannedScripts.java

@@ -0,0 +1,199 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.batch.cannedscript;
+
+import com.google.api.gax.core.FixedCredentialsProvider;
+import com.google.api.services.bigquery.Bigquery;
+import com.google.api.services.dataflow.Dataflow;
+import com.google.api.services.dns.Dns;
+import com.google.cloud.storage.Storage;
+import com.google.cloud.storage.StorageOptions;
+import com.google.cloud.tasks.v2.CloudTasksClient;
+import com.google.cloud.tasks.v2.CloudTasksSettings;
+import com.google.common.base.Supplier;
+import com.google.common.base.Suppliers;
+import com.google.common.flogger.FluentLogger;
+import dagger.Component;
+import dagger.Module;
+import dagger.Provides;
+import google.registry.config.CredentialModule;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryConfig.ConfigModule;
+import google.registry.util.GoogleCredentialsBundle;
+import google.registry.util.UtilsModule;
+import java.io.IOException;
+import java.util.Optional;
+import javax.inject.Singleton;
+
+/** Canned actions invoked from {@link google.registry.batch.CannedScriptExecutionAction}. */
+// TODO(b/277239043): remove class after credential changes are rolled out.
+public class CannedScripts {
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  private static final Supplier<CannedScriptsComponent> COMPONENT_SUPPLIER =
+      Suppliers.memoize(DaggerCannedScripts_CannedScriptsComponent::create);
+
+  public static void runAllChecks() {
+    CannedScriptsComponent component = COMPONENT_SUPPLIER.get();
+    String projectId = component.projectId();
+    Bigquery bigquery = component.bigQuery();
+    try {
+      bigquery.datasets().list(projectId).execute().getDatasets().stream()
+          .findAny()
+          .ifPresent(
+              datasets ->
+                  logger.atInfo().log("Found a BQ dataset [%s]", datasets.getFriendlyName()));
+      logger.atInfo().log("Finished accessing BQ.");
+    } catch (IOException ioe) {
+      logger.atSevere().withCause(ioe).log("Failed to access bigquery.");
+    }
+    try {
+      Dataflow dataflow = component.dataflow();
+      dataflow.projects().jobs().list(projectId).execute().getJobs().stream()
+          .findAny()
+          .ifPresent(job -> logger.atInfo().log("Found a job [%s]", job.getName()));
+      logger.atInfo().log("Finished accessing Dataflow.");
+    } catch (IOException ioe) {
+      logger.atSevere().withCause(ioe).log("Failed to access dataflow.");
+    }
+    try {
+      Storage gcs = component.gcs();
+      gcs.listAcls(projectId + "-beam");
+      logger.atInfo().log("Finished accessing gcs.");
+    } catch (RuntimeException e) {
+      logger.atSevere().withCause(e).log("Failed to access gcs.");
+    }
+    try {
+      Dns dns = component.dns();
+      dns.managedZones().list(projectId).execute().getManagedZones().stream()
+          .findAny()
+          .ifPresent(zone -> logger.atInfo().log("Found one zone [%s].", zone.getName()));
+      logger.atInfo().log("Finished accessing dns.");
+    } catch (IOException ioe) {
+      logger.atSevere().withCause(ioe).log("Failed to access dns.");
+    }
+    try {
+      CloudTasksClient client = component.cloudtasksClient();
+      com.google.cloud.tasks.v2.Queue queue =
+          client.getQueue(
+              String.format(
+                  "projects/%s/locations/%s/queues/async-actions",
+                  projectId, component.locationId()));
+      logger.atInfo().log("Got async queue state [%s]", queue.getState().name());
+      logger.atInfo().log("Finished accessing cloudtasks.");
+    } catch (RuntimeException e) {
+      logger.atSevere().withCause(e).log("Failed to access cloudtasks.");
+    }
+  }
+
+  @Singleton
+  @Component(
+      modules = {
+        ConfigModule.class,
+        CredentialModule.class,
+        CannedScriptsModule.class,
+        UtilsModule.class
+      })
+  interface CannedScriptsComponent {
+    Bigquery bigQuery();
+
+    CloudTasksClient cloudtasksClient();
+
+    Dataflow dataflow();
+
+    Dns dns();
+
+    Storage gcs();
+
+    @Config("projectId")
+    String projectId();
+
+    @Config("locationId")
+    String locationId();
+  }
+
+  @Module
+  static class CannedScriptsModule {
+    @Provides
+    static Bigquery provideBigquery(
+        @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
+        @Config("projectId") String projectId) {
+      return new Bigquery.Builder(
+              credentialsBundle.getHttpTransport(),
+              credentialsBundle.getJsonFactory(),
+              credentialsBundle.getHttpRequestInitializer())
+          .setApplicationName(projectId)
+          .build();
+    }
+
+    @Provides
+    static Dataflow provideDataflow(
+        @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
+        @Config("projectId") String projectId) {
+      return new Dataflow.Builder(
+              credentialsBundle.getHttpTransport(),
+              credentialsBundle.getJsonFactory(),
+              credentialsBundle.getHttpRequestInitializer())
+          .setApplicationName(String.format("%s billing", projectId))
+          .build();
+    }
+
+    @Provides
+    static Storage provideGcs(
+        @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle) {
+      return StorageOptions.newBuilder()
+          .setCredentials(credentialsBundle.getGoogleCredentials())
+          .build()
+          .getService();
+    }
+
+    @Provides
+    static Dns provideDns(
+        @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
+        @Config("projectId") String projectId,
+        @Config("cloudDnsRootUrl") Optional<String> rootUrl,
+        @Config("cloudDnsServicePath") Optional<String> servicePath) {
+      Dns.Builder builder =
+          new Dns.Builder(
+                  credentialsBundle.getHttpTransport(),
+                  credentialsBundle.getJsonFactory(),
+                  credentialsBundle.getHttpRequestInitializer())
+              .setApplicationName(projectId);
+
+      rootUrl.ifPresent(builder::setRootUrl);
+      servicePath.ifPresent(builder::setServicePath);
+
+      return builder.build();
+    }
+
+    @Provides
+    public static CloudTasksClient provideCloudTasksClient(
+        @ApplicationDefaultCredential GoogleCredentialsBundle credentials) {
+      CloudTasksClient client;
+      try {
+        client =
+            CloudTasksClient.create(
+                CloudTasksSettings.newBuilder()
+                    .setCredentialsProvider(
+                        FixedCredentialsProvider.create(credentials.getGoogleCredentials()))
+                    .build());
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+      return client;
+    }
+  }
+}

core/src/main/java/google/registry/beam/BeamUtils.java

@@ -18,9 +18,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 
 import com.google.common.base.Joiner;
 import com.google.common.collect.ImmutableList;
-import com.google.common.io.Resources;
 import google.registry.util.Clock;
-import google.registry.util.ResourceUtils;
 import java.util.regex.Pattern;
 import org.apache.avro.generic.GenericRecord;
 import org.apache.beam.sdk.io.gcp.bigquery.SchemaAndRecord;
@@ -57,14 +55,6 @@ public class BeamUtils {
     }
   }
 
-  /**
-   * Returns the {@link String} contents for a file in the {@code sql/} directory relative to a
-   * class.
-   */
-  public static String getQueryFromFile(Class<?> clazz, String filename) {
-    return ResourceUtils.readResourceUtf8(Resources.getResource(clazz, "sql/" + filename));
-  }
-
   /** Creates a beam job name and validates that it conforms to the requirements. */
   public static String createJobName(String prefix, Clock clock) {
     // Flex template job name must be unique and consists of only characters [-a-z0-9], starting

core/src/main/java/google/registry/beam/billing/BillingEvent.java

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.beam.invoicing;
+package google.registry.beam.billing;
 
 import com.google.auto.value.AutoValue;
 import com.google.common.base.Joiner;
@@ -64,7 +64,7 @@ public abstract class BillingEvent implements Serializable {
           "amount",
           "flags");
 
-  /** Returns the unique Objectify ID for the {@code OneTime} associated with this event. */
+  /** Returns the unique ID for the {@code BillingEvent} associated with this event. */
   abstract long id();
 
   /** Returns the UTC DateTime this event becomes billable. */

core/src/main/java/google/registry/beam/billing/ExpandBillingRecurrencesPipeline.java

@@ -0,0 +1,508 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.billing;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.collect.Sets.difference;
+import static google.registry.model.common.Cursor.CursorType.RECURRING_BILLING;
+import static google.registry.model.domain.Period.Unit.YEARS;
+import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_AUTORENEW;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.CollectionUtils.union;
+import static google.registry.util.DateTimeUtils.START_OF_TIME;
+import static google.registry.util.DateTimeUtils.earliestOf;
+import static google.registry.util.DateTimeUtils.latestOf;
+import static org.apache.beam.sdk.values.TypeDescriptors.voids;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Range;
+import dagger.Component;
+import google.registry.beam.common.RegistryJpaIO;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryConfig.ConfigModule;
+import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.flows.custom.CustomLogicModule;
+import google.registry.flows.domain.DomainPricingLogic;
+import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForPremiumNameException;
+import google.registry.model.ImmutableObject;
+import google.registry.model.billing.BillingBase.Flag;
+import google.registry.model.billing.BillingCancellation;
+import google.registry.model.billing.BillingEvent;
+import google.registry.model.billing.BillingRecurrence;
+import google.registry.model.common.Cursor;
+import google.registry.model.domain.Domain;
+import google.registry.model.domain.DomainHistory;
+import google.registry.model.domain.Period;
+import google.registry.model.reporting.DomainTransactionRecord;
+import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
+import google.registry.model.tld.Tld;
+import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
+import google.registry.util.Clock;
+import google.registry.util.SystemClock;
+import java.io.Serializable;
+import java.math.BigInteger;
+import java.util.Optional;
+import java.util.Set;
+import javax.inject.Singleton;
+import org.apache.beam.sdk.Pipeline;
+import org.apache.beam.sdk.PipelineResult;
+import org.apache.beam.sdk.coders.KvCoder;
+import org.apache.beam.sdk.coders.VarIntCoder;
+import org.apache.beam.sdk.coders.VarLongCoder;
+import org.apache.beam.sdk.metrics.Counter;
+import org.apache.beam.sdk.metrics.Metrics;
+import org.apache.beam.sdk.options.PipelineOptionsFactory;
+import org.apache.beam.sdk.transforms.Create;
+import org.apache.beam.sdk.transforms.DoFn;
+import org.apache.beam.sdk.transforms.GroupIntoBatches;
+import org.apache.beam.sdk.transforms.MapElements;
+import org.apache.beam.sdk.transforms.ParDo;
+import org.apache.beam.sdk.transforms.Wait;
+import org.apache.beam.sdk.values.KV;
+import org.apache.beam.sdk.values.PCollection;
+import org.apache.beam.sdk.values.PDone;
+import org.joda.time.DateTime;
+
+/**
+ * Definition of a Dataflow Flex pipeline template, which expands {@link BillingRecurrence} to
+ * {@link BillingEvent} when an autorenew occurs within the given time frame.
+ *
+ * <p>This pipeline works in three stages:
+ *
+ * <ul>
+ *   <li>Gather the {@link BillingRecurrence}s that are in scope for expansion. The exact condition
+ *       of {@link BillingRecurrence}s to include can be found in {@link
+ *       #getRecurrencesInScope(Pipeline)}.
+ *   <li>Expand the {@link BillingRecurrence}s to {@link BillingEvent} (and corresponding {@link
+ *       DomainHistory}) that fall within the [{@link #startTime}, {@link #endTime}) window,
+ *       excluding those that are already present (to make this pipeline idempotent when running
+ *       with the same parameters multiple times, either in parallel or in sequence). The {@link
+ *       BillingRecurrence} is also updated with the information on when it was last expanded, so it
+ *       would not be in scope for expansion until at least a year later.
+ *   <li>If the cursor for billing events should be advanced, advance it to {@link #endTime} after
+ *       all of the expansions in the previous step is done, only when it is currently at {@link
+ *       #startTime}.
+ * </ul>
+ *
+ * <p>Note that the creation of new {@link BillingEvent} and {@link DomainHistory} is done
+ * speculatively as soon as its event time is in scope for expansion (i.e. within the window of
+ * operation). If a domain is subsequently cancelled during the autorenew grace period, a {@link
+ * BillingCancellation} would have been created to cancel the {@link BillingEvent} out. Similarly, a
+ * {@link DomainHistory} for the delete will be created which negates the effect of the
+ * speculatively created {@link DomainHistory}, specifically for the transaction records. Both the
+ * {@link BillingEvent} and {@link DomainHistory} will only be used (and cancelled out) when the
+ * billing time becomes effective, which is after the grace period, when the cancellations would
+ * have been written, if need be. This is no different from what we do with manual renewals or
+ * normal creates, where entities are always created for the action regardless of whether their
+ * effects will be negated later due to subsequent actions within respective grace periods.
+ *
+ * <p>To stage this template locally, run {@code ./nom_build :core:sBP --environment=alpha \
+ * --pipeline=expandBilling}.
+ *
+ * <p>Then, you can run the staged template via the API client library, gCloud or a raw REST call.
+ *
+ * @see BillingCancellation#forGracePeriod
+ * @see google.registry.flows.domain.DomainFlowUtils#createCancelingRecords
+ * @see <a href="https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates">Using
+ *     Flex Templates</a>
+ */
+public class ExpandBillingRecurrencesPipeline implements Serializable {
+
+  private static final long serialVersionUID = -5827984301386630194L;
+
+  private static final DomainPricingLogic domainPricingLogic;
+
+  private static final int batchSize;
+
+  static {
+    PipelineComponent pipelineComponent =
+        DaggerExpandBillingRecurrencesPipeline_PipelineComponent.create();
+    domainPricingLogic = pipelineComponent.domainPricingLogic();
+    batchSize = pipelineComponent.batchSize();
+  }
+
+  // Inclusive lower bound of the expansion window.
+  private final DateTime startTime;
+  // Exclusive lower bound of the expansion window.
+  private final DateTime endTime;
+  private final boolean isDryRun;
+  private final boolean advanceCursor;
+  private final Counter recurrencesInScopeCounter =
+      Metrics.counter("ExpandBilling", "Recurrences in scope for expansion");
+  // Note that this counter is only accurate when running in dry run mode. Because SQL persistence
+  // is a side effect and not idempotent, a transaction to save OneTimes could be successful but the
+  // transform that contains it could be still be retried, rolling back the counter increment. The
+  // same transform, when retried, would skip the already expanded OneTime, causing this counter to
+  // be lower than it should be when not in dry run mode.
+  // See: https://beam.apache.org/documentation/programming-guide/#user-code-idempotence
+  private final Counter oneTimesToExpandCounter =
+      Metrics.counter("ExpandBilling", "OneTimes that would be expanded");
+
+  ExpandBillingRecurrencesPipeline(ExpandBillingRecurrencesPipelineOptions options, Clock clock) {
+    startTime = DateTime.parse(options.getStartTime());
+    endTime = DateTime.parse(options.getEndTime());
+    checkArgument(
+        !endTime.isAfter(clock.nowUtc()),
+        String.format("End time %s must be at or before now.", endTime));
+    checkArgument(
+        startTime.isBefore(endTime),
+        String.format("[%s, %s) is not a valid window of operation.", startTime, endTime));
+    isDryRun = options.getIsDryRun();
+    advanceCursor = options.getAdvanceCursor();
+  }
+
+  private PipelineResult run(Pipeline pipeline) {
+    setupPipeline(pipeline);
+    return pipeline.run();
+  }
+
+  void setupPipeline(Pipeline pipeline) {
+    PCollection<KV<Integer, Long>> recurrenceIds = getRecurrencesInScope(pipeline);
+    PCollection<Void> expanded = expandRecurrences(recurrenceIds);
+    if (!isDryRun && advanceCursor) {
+      advanceCursor(expanded);
+    }
+  }
+
+  PCollection<KV<Integer, Long>> getRecurrencesInScope(Pipeline pipeline) {
+    return pipeline.apply(
+        "Read all Recurrences in scope",
+        // Use native query because JPQL does not support timestamp arithmetics.
+        RegistryJpaIO.read(
+                "SELECT billing_recurrence_id "
+                    + "FROM \"BillingRecurrence\" "
+                    // Recurrence should not close before the first event time.
+                    + "WHERE event_time < recurrence_end_time "
+                    // First event time should be before end time.
+                    + "AND event_Time < :endTime "
+                    // Recurrence should not close before start time.
+                    + "AND :startTime < recurrence_end_time "
+                    // Last expansion should happen at least one year before end time.
+                    + "AND recurrence_last_expansion < :oneYearAgo "
+                    // The recurrence should not close before next expansion time.
+                    + "AND recurrence_last_expansion + INTERVAL '1 YEAR' < recurrence_end_time",
+                ImmutableMap.of(
+                    "endTime",
+                    endTime,
+                    "startTime",
+                    startTime,
+                    "oneYearAgo",
+                    endTime.minusYears(1)),
+                true,
+                (BigInteger id) -> {
+                  recurrencesInScopeCounter.inc();
+                  // Note that because all elements are mapped to the same dummy key, the next
+                  // batching transform will effectively be serial. This however does not matter for
+                  // our use case because the elements were obtained from a SQL read query, which
+                  // are returned sequentially already. Therefore, having a sequential step to group
+                  // them does not reduce overall parallelism of the pipeline, and the batches can
+                  // then be distributed to all available workers for further processing, where the
+                  // main benefit of parallelism shows. In benchmarking, turning the distribution
+                  // of elements in this step resulted in marginal improvement in overall
+                  // performance at best without clear indication on why or to which degree. If the
+                  // runtime becomes a concern later on, we could consider fine-tuning the sharding
+                  // of output elements in this step.
+                  //
+                  // See: https://stackoverflow.com/a/44956702/791306
+                  return KV.of(0, id.longValue());
+                })
+            .withCoder(KvCoder.of(VarIntCoder.of(), VarLongCoder.of())));
+  }
+
+  private PCollection<Void> expandRecurrences(PCollection<KV<Integer, Long>> recurrenceIds) {
+    return recurrenceIds
+        .apply(
+            "Group into batches",
+            GroupIntoBatches.<Integer, Long>ofSize(batchSize).withShardedKey())
+        .apply(
+            "Expand and save Recurrences into OneTimes and corresponding DomainHistories",
+            MapElements.into(voids())
+                .via(
+                    element -> {
+                      Iterable<Long> ids = element.getValue();
+                      tm().transact(
+                              () -> {
+                                ImmutableSet.Builder<ImmutableObject> results =
+                                    new ImmutableSet.Builder<>();
+                                ids.forEach(id -> expandOneRecurrence(id, results));
+                                if (!isDryRun) {
+                                  tm().putAll(results.build());
+                                }
+                              });
+                      return null;
+                    }));
+  }
+
+  private void expandOneRecurrence(
+      Long recurrenceId, ImmutableSet.Builder<ImmutableObject> results) {
+    BillingRecurrence billingRecurrence =
+        tm().loadByKey(BillingRecurrence.createVKey(recurrenceId));
+
+    // Determine the complete set of EventTimes this recurrence event should expand to within
+    // [max(recurrenceLastExpansion + 1 yr, startTime), min(recurrenceEndTime, endTime)).
+    //
+    // This range should always be legal for recurrences that are returned from the query. However,
+    // it is possible that the recurrence has changed between when the read transformation occurred
+    // and now. This could be caused by some out-of-process mutations (such as a domain deletion
+    // closing out a previously open-ended recurrence), or more subtly, Beam could execute the same
+    // work multiple times due to transient communication issues between workers and the scheduler.
+    // Such opportunistic retries are OK for pure functional transformations, but can cause
+    // unexpected behavior when side effects are executed more than once. For example, the
+    // recurrence_last_expansion field could be updated by a worker after a success expansion, which
+    // failed to report the status to the scheduler in time, which in turn scheduled another worker
+    // to work on the same batch. The second worker would see a new recurrence_last_expansion that
+    // causes the range to be illegal.
+    //
+    // The best way to handle any unexpected behavior is to simply drop the recurrence from
+    // expansion, if its new state still calls for an expansion, it would be picked up the next time
+    // the pipeline runs.
+    ImmutableSet<DateTime> eventTimes;
+    try {
+      eventTimes =
+          ImmutableSet.copyOf(
+              billingRecurrence
+                  .getRecurrenceTimeOfYear()
+                  .getInstancesInRange(
+                      Range.closedOpen(
+                          latestOf(
+                              billingRecurrence.getRecurrenceLastExpansion().plusYears(1),
+                              startTime),
+                          earliestOf(billingRecurrence.getRecurrenceEndTime(), endTime))));
+    } catch (IllegalArgumentException e) {
+      return;
+    }
+    Domain domain = tm().loadByKey(Domain.createVKey(billingRecurrence.getDomainRepoId()));
+    Tld tld = Tld.get(domain.getTld());
+
+    // Find the times for which the OneTime billing event are already created, making this expansion
+    // idempotent. There is no need to match to the domain repo ID as the cancellation matching
+    // billing event itself can only be for a single domain.
+    ImmutableSet<DateTime> existingEventTimes =
+        ImmutableSet.copyOf(
+            tm().query(
+                    "SELECT eventTime FROM BillingEvent WHERE cancellationMatchingBillingEvent ="
+                        + " :key",
+                    DateTime.class)
+                .setParameter("key", billingRecurrence.createVKey())
+                .getResultList());
+
+    Set<DateTime> eventTimesToExpand = difference(eventTimes, existingEventTimes);
+
+    if (eventTimesToExpand.isEmpty()) {
+      return;
+    }
+
+    DateTime recurrenceLastExpansionTime = billingRecurrence.getRecurrenceLastExpansion();
+
+    // Create new OneTime and DomainHistory for EventTimes that needs to be expanded.
+    for (DateTime eventTime : eventTimesToExpand) {
+      recurrenceLastExpansionTime = latestOf(recurrenceLastExpansionTime, eventTime);
+      oneTimesToExpandCounter.inc();
+      DateTime billingTime = eventTime.plus(tld.getAutoRenewGracePeriodLength());
+      // Note that the DomainHistory is created as of transaction time, as opposed to event time.
+      // This might be counterintuitive because other DomainHistories are created at the time
+      // mutation events occur, such as in DomainDeleteFlow or DomainRenewFlow. Therefore, it is
+      // possible to have a DomainHistory for a delete during the autorenew grace period with a
+      // modification time before that of the DomainHistory for the autorenew itself. This is not
+      // ideal, but necessary because we save the **current** state of the domain (as of transaction
+      // time) to the DomainHistory , instead of the state of the domain as of event time (which
+      // would required loading the domain from DomainHistory at event time).
+      //
+      // Even though doing the loading is seemly possible, it generally is a bad idea to create
+      // DomainHistories retroactively and in all instances that we create a HistoryEntry we always
+      // set the modification time to the transaction time. It would also violate the invariance
+      // that a DomainHistory with a higher revision ID (which is always allocated with monotonic
+      // increase) always has a later modification time.
+      //
+      // Lastly because the domain entity itself did not change as part of the expansion, we should
+      // not project it to transaction time before saving it in the history, which would require us
+      // to save the projected domain as well. Any changes to the domain itself are handled when
+      // the domain is actually used or explicitly projected and saved. The DomainHistory created
+      // here does not actually affect anything materially (e.g. RDE). We can understand it in such
+      // a way that this history represents not when the domain is autorenewed (at event time), but
+      // when its autorenew billing event is created (at transaction time).
+      DomainHistory historyEntry =
+          new DomainHistory.Builder()
+              .setBySuperuser(false)
+              .setRegistrarId(billingRecurrence.getRegistrarId())
+              .setModificationTime(tm().getTransactionTime())
+              .setDomain(domain)
+              .setPeriod(Period.create(1, YEARS))
+              .setReason("Domain autorenewal by ExpandRecurringBillingEventsPipeline")
+              .setRequestedByRegistrar(false)
+              .setType(DOMAIN_AUTORENEW)
+              .setDomainTransactionRecords(
+                  // Don't write a domain transaction record if the domain is deleted before billing
+                  // time (i.e. within the autorenew grace period). We cannot rely on a negating
+                  // DomainHistory created by DomainDeleteFlow because it only cancels transaction
+                  // records already present. In this case the domain was deleted before this
+                  // pipeline runs to expand the OneTime (which should be rare because this pipeline
+                  // should run every day), and no negating transaction records would have been
+                  // created when the deletion occurred. Again, there is no need to project the
+                  // domain, because if it were deleted before this transaction, its updated delete
+                  // time would have already been loaded here.
+                  //
+                  // We don't compare recurrence end time with billing time because the recurrence
+                  // could be caused for other reasons during the grace period, like a manual
+                  // renewal, in which case we still want to write the transaction record. Also,
+                  // the expansion happens when event time is in scope, which means the billing time
+                  // is still 45 days in the future, and the recurrence could have been closed
+                  // between now and then.
+                  //
+                  // A side effect of this logic is that if a transfer occurs within the ARGP, it
+                  // would have recorded both a TRANSFER_SUCCESSFUL and a NET_RENEWS_1_YEAR, even
+                  // though the transfer would have subsumed the autorenew. There is no perfect
+                  // solution for this because even if we expand the recurrence when the billing
+                  // event is in scope (as was the case in the old action), we still cannot use
+                  // recurrence end time < billing time as an indicator for if a transfer had
+                  // occurred during ARGP (see last paragraph, renewals during ARGP also close the
+                  // recurrence),therefore we still cannot always be correct when constructing the
+                  // transaction records that way (either we miss transfers, or we miss renewals
+                  // during ARGP).
+                  //
+                  // See: DomainFlowUtils#createCancellingRecords
+                  domain.getDeletionTime().isBefore(billingTime)
+                      ? ImmutableSet.of()
+                      : ImmutableSet.of(
+                          DomainTransactionRecord.create(
+                              tld.getTldStr(),
+                              // We report this when the autorenew grace period ends.
+                              billingTime,
+                              TransactionReportField.netRenewsFieldFromYears(1),
+                              1)))
+              .build();
+      results.add(historyEntry);
+
+      // It is OK to always create a OneTime, even though the domain might be deleted or transferred
+      // later during autorenew grace period, as a cancellation will always be written out in those
+      // instances.
+      BillingEvent billingEvent = null;
+      try {
+        billingEvent =
+            new BillingEvent.Builder()
+                .setBillingTime(billingTime)
+                .setRegistrarId(billingRecurrence.getRegistrarId())
+                // Determine the cost for a one-year renewal.
+                .setCost(
+                    domainPricingLogic
+                        .getRenewPrice(
+                            tld,
+                            billingRecurrence.getTargetId(),
+                            eventTime,
+                            1,
+                            billingRecurrence,
+                            Optional.empty())
+                        .getRenewCost())
+                .setEventTime(eventTime)
+                .setFlags(union(billingRecurrence.getFlags(), Flag.SYNTHETIC))
+                .setDomainHistory(historyEntry)
+                .setPeriodYears(1)
+                .setReason(billingRecurrence.getReason())
+                .setSyntheticCreationTime(endTime)
+                .setCancellationMatchingBillingEvent(billingRecurrence)
+                .setTargetId(billingRecurrence.getTargetId())
+                .build();
+      } catch (AllocationTokenInvalidForPremiumNameException e) {
+        // This should not be reached since we are not using an allocation token
+        return;
+      }
+      results.add(billingEvent);
+    }
+    results.add(
+        billingRecurrence
+            .asBuilder()
+            .setRecurrenceLastExpansion(recurrenceLastExpansionTime)
+            .build());
+  }
+
+  private PDone advanceCursor(PCollection<Void> persisted) {
+    return PDone.in(
+        persisted
+            .getPipeline()
+            .apply("Create one dummy element", Create.of((Void) null))
+            .apply("Wait for all saves to finish", Wait.on(persisted))
+            // Because only one dummy element is created in the start PCollection, this
+            // transform is guaranteed to only process one element and therefore only run once.
+            // Because the previous step waits for all emissions of voids from the expansion step to
+            // finish, this transform is guaranteed to run only after all expansions are done and
+            // persisted.
+            .apply(
+                "Advance cursor",
+                ParDo.of(
+                    new DoFn<Void, Void>() {
+                      @ProcessElement
+                      public void processElement() {
+                        tm().transact(
+                                () -> {
+                                  DateTime currentCursorTime =
+                                      tm().loadByKeyIfPresent(
+                                              Cursor.createGlobalVKey(RECURRING_BILLING))
+                                          .orElse(
+                                              Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
+                                          .getCursorTime();
+                                  if (!currentCursorTime.equals(startTime)) {
+                                    throw new IllegalStateException(
+                                        String.format(
+                                            "Current cursor position %s does not match start time"
+                                                + " %s.",
+                                            currentCursorTime, startTime));
+                                  }
+                                  tm().put(Cursor.createGlobal(RECURRING_BILLING, endTime));
+                                });
+                      }
+                    }))
+            .getPipeline());
+  }
+
+  public static void main(String[] args) {
+    PipelineOptionsFactory.register(ExpandBillingRecurrencesPipelineOptions.class);
+    ExpandBillingRecurrencesPipelineOptions options =
+        PipelineOptionsFactory.fromArgs(args)
+            .withValidation()
+            .as(ExpandBillingRecurrencesPipelineOptions.class);
+    // Hardcode the transaction level to be at serializable we do not want concurrent runs of the
+    // pipeline for the same window to create duplicate OneTimes. This ensures that the set of
+    // existing OneTimes do not change by the time new OneTimes are inserted within a transaction.
+    //
+    // Per PostgreSQL, serializable isolation level does not introduce any blocking beyond that
+    // present in  repeatable read other than some overhead related to monitoring possible
+    // serializable anomalies. Therefore, in most cases, since each worker of the same job works on
+    // a different set of recurrences, it is not possible for their execution order to affect
+    // serialization outcome, and the performance penalty should be minimum when using serializable
+    // compared to using repeatable read.
+    //
+    // We should pay some attention to the runtime of the job and logs when we run this job daily on
+    // production to check the actual performance impact for using this isolation level (i.e. check
+    // the frequency of occurrence of retried transactions due to serialization errors) to assess
+    // the actual parallelism of the job.
+    //
+    // See: https://www.postgresql.org/docs/current/transaction-iso.html
+    options.setIsolationOverride(TransactionIsolationLevel.TRANSACTION_SERIALIZABLE);
+    Pipeline pipeline = Pipeline.create(options);
+    new ExpandBillingRecurrencesPipeline(options, new SystemClock()).run(pipeline);
+  }
+
+  @Singleton
+  @Component(
+      modules = {CustomLogicModule.class, CustomLogicFactoryModule.class, ConfigModule.class})
+  interface PipelineComponent {
+
+    DomainPricingLogic domainPricingLogic();
+
+    @Config("jdbcBatchSize")
+    int batchSize();
+  }
+}

core/src/main/java/google/registry/beam/billing/ExpandBillingRecurrencesPipelineOptions.java

@@ -0,0 +1,49 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.billing;
+
+import google.registry.beam.common.RegistryPipelineOptions;
+import org.apache.beam.sdk.options.Default;
+import org.apache.beam.sdk.options.Description;
+
+public interface ExpandBillingRecurrencesPipelineOptions extends RegistryPipelineOptions {
+  @Description(
+      "The inclusive lower bound of on the range of event times that will be expanded, in ISO 8601"
+          + " format")
+  String getStartTime();
+
+  void setStartTime(String startTime);
+
+  @Description(
+      "The exclusive upper bound of on the range of event times that will be expanded, in ISO 8601"
+          + " format")
+  String getEndTime();
+
+  void setEndTime(String endTime);
+
+  @Description("If true, the expanded billing events and history entries will not be saved.")
+  @Default.Boolean(false)
+  boolean getIsDryRun();
+
+  void setIsDryRun(boolean isDryRun);
+
+  @Description(
+      "If true, set the RECURRING_BILLING global cursor to endTime after saving all expanded"
+          + " billing events and history entries.")
+  @Default.Boolean(true)
+  boolean getAdvanceCursor();
+
+  void setAdvanceCursor(boolean advanceCursor);
+}

core/src/main/java/google/registry/beam/billing/InvoicingPipeline.java

@@ -12,23 +12,23 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.beam.invoicing;
+package google.registry.beam.billing;
 
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static google.registry.beam.BeamUtils.getQueryFromFile;
 import static org.apache.beam.sdk.values.TypeDescriptors.strings;
 
 import com.google.common.flogger.FluentLogger;
+import google.registry.beam.billing.BillingEvent.InvoiceGroupingKey;
+import google.registry.beam.billing.BillingEvent.InvoiceGroupingKey.InvoiceGroupingKeyCoder;
 import google.registry.beam.common.RegistryJpaIO;
 import google.registry.beam.common.RegistryJpaIO.Read;
-import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey;
-import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey.InvoiceGroupingKeyCoder;
-import google.registry.model.billing.BillingEvent.Flag;
-import google.registry.model.billing.BillingEvent.OneTime;
+import google.registry.model.billing.BillingBase.Flag;
+import google.registry.model.billing.BillingEvent;
 import google.registry.model.registrar.Registrar;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.reporting.billing.BillingModule;
 import google.registry.util.DomainNameUtils;
+import google.registry.util.ResourceUtils;
 import google.registry.util.SqlTemplate;
 import java.io.Serializable;
 import java.time.YearMonth;
@@ -37,6 +37,7 @@ import java.util.Optional;
 import java.util.regex.Pattern;
 import org.apache.beam.sdk.Pipeline;
 import org.apache.beam.sdk.PipelineResult;
+import org.apache.beam.sdk.coders.SerializableCoder;
 import org.apache.beam.sdk.coders.StringUtf8Coder;
 import org.apache.beam.sdk.io.FileIO;
 import org.apache.beam.sdk.io.TextIO;
@@ -85,28 +86,30 @@ public class InvoicingPipeline implements Serializable {
 
   void setupPipeline(Pipeline pipeline) {
     options.setIsolationOverride(TransactionIsolationLevel.TRANSACTION_READ_COMMITTED);
-    PCollection<BillingEvent> billingEvents = readFromCloudSql(options, pipeline);
+    PCollection<google.registry.beam.billing.BillingEvent> billingEvents =
+        readFromCloudSql(options, pipeline);
     saveInvoiceCsv(billingEvents, options);
     saveDetailedCsv(billingEvents, options);
   }
 
-  static PCollection<BillingEvent> readFromCloudSql(
+  static PCollection<google.registry.beam.billing.BillingEvent> readFromCloudSql(
       InvoicingPipelineOptions options, Pipeline pipeline) {
-    Read<Object[], BillingEvent> read =
-        RegistryJpaIO.read(
-            makeCloudSqlQuery(options.getYearMonth()), false, row -> parseRow(row).orElse(null));
+    Read<Object[], google.registry.beam.billing.BillingEvent> read =
+        RegistryJpaIO.<Object[], google.registry.beam.billing.BillingEvent>read(
+                makeCloudSqlQuery(options.getYearMonth()), false, row -> parseRow(row).orElse(null))
+            .withCoder(SerializableCoder.of(google.registry.beam.billing.BillingEvent.class));
 
-    PCollection<BillingEvent> billingEventsWithNulls =
+    PCollection<google.registry.beam.billing.BillingEvent> billingEventsWithNulls =
         pipeline.apply("Read BillingEvents from Cloud SQL", read);
 
     // Remove null billing events
     return billingEventsWithNulls.apply(Filter.by(Objects::nonNull));
   }
 
-  private static Optional<BillingEvent> parseRow(Object[] row) {
-    OneTime oneTime = (OneTime) row[0];
+  private static Optional<google.registry.beam.billing.BillingEvent> parseRow(Object[] row) {
+    BillingEvent billingEvent = (BillingEvent) row[0];
     Registrar registrar = (Registrar) row[1];
-    CurrencyUnit currency = oneTime.getCost().getCurrencyUnit();
+    CurrencyUnit currency = billingEvent.getCost().getCurrencyUnit();
     if (!registrar.getBillingAccountMap().containsKey(currency)) {
       logger.atSevere().log(
           "Registrar %s does not have a product account key for the currency unit: %s",
@@ -115,37 +118,40 @@ public class InvoicingPipeline implements Serializable {
     }
 
     return Optional.of(
-        BillingEvent.create(
-            oneTime.getId(),
-            oneTime.getBillingTime(),
-            oneTime.getEventTime(),
+        google.registry.beam.billing.BillingEvent.create(
+            billingEvent.getId(),
+            billingEvent.getBillingTime(),
+            billingEvent.getEventTime(),
             registrar.getRegistrarId(),
             registrar.getBillingAccountMap().get(currency),
             registrar.getPoNumber().orElse(""),
-            DomainNameUtils.getTldFromDomainName(oneTime.getTargetId()),
-            oneTime.getReason().toString(),
-            oneTime.getTargetId(),
-            oneTime.getDomainRepoId(),
-            Optional.ofNullable(oneTime.getPeriodYears()).orElse(0),
-            oneTime.getCost().getCurrencyUnit().toString(),
-            oneTime.getCost().getAmount().doubleValue(),
+            DomainNameUtils.getTldFromDomainName(billingEvent.getTargetId()),
+            billingEvent.getReason().toString(),
+            billingEvent.getTargetId(),
+            billingEvent.getDomainRepoId(),
+            Optional.ofNullable(billingEvent.getPeriodYears()).orElse(0),
+            billingEvent.getCost().getCurrencyUnit().toString(),
+            billingEvent.getCost().getAmount().doubleValue(),
             String.join(
-                " ", oneTime.getFlags().stream().map(Flag::toString).collect(toImmutableSet()))));
+                " ",
+                billingEvent.getFlags().stream().map(Flag::toString).collect(toImmutableSet()))));
   }
 
   /** Transform that converts a {@code BillingEvent} into an invoice CSV row. */
   private static class GenerateInvoiceRows
-      extends PTransform<PCollection<BillingEvent>, PCollection<String>> {
+      extends PTransform<
+          PCollection<google.registry.beam.billing.BillingEvent>, PCollection<String>> {
 
     private static final long serialVersionUID = -8090619008258393728L;
 
     @Override
-    public PCollection<String> expand(PCollection<BillingEvent> input) {
+    public PCollection<String> expand(
+        PCollection<google.registry.beam.billing.BillingEvent> input) {
       return input
           .apply(
               "Map to invoicing key",
               MapElements.into(TypeDescriptor.of(InvoiceGroupingKey.class))
-                  .via(BillingEvent::getInvoiceGroupingKey))
+                  .via(google.registry.beam.billing.BillingEvent::getInvoiceGroupingKey))
           .apply(
               "Filter out free events", Filter.by((InvoiceGroupingKey key) -> key.unitPrice() != 0))
           .setCoder(new InvoiceGroupingKeyCoder())
@@ -159,7 +165,8 @@ public class InvoicingPipeline implements Serializable {
 
   /** Saves the billing events to a single overall invoice CSV file. */
   static void saveInvoiceCsv(
-      PCollection<BillingEvent> billingEvents, InvoicingPipelineOptions options) {
+      PCollection<google.registry.beam.billing.BillingEvent> billingEvents,
+      InvoicingPipelineOptions options) {
     billingEvents
         .apply("Generate overall invoice rows", new GenerateInvoiceRows())
         .apply(
@@ -180,16 +187,17 @@ public class InvoicingPipeline implements Serializable {
 
   /** Saves the billing events to detailed report CSV files keyed by registrar-tld pairs. */
   static void saveDetailedCsv(
-      PCollection<BillingEvent> billingEvents, InvoicingPipelineOptions options) {
+      PCollection<google.registry.beam.billing.BillingEvent> billingEvents,
+      InvoicingPipelineOptions options) {
     String yearMonth = options.getYearMonth();
     billingEvents.apply(
         "Write detailed report for each registrar-tld pair",
-        FileIO.<String, BillingEvent>writeDynamic()
+        FileIO.<String, google.registry.beam.billing.BillingEvent>writeDynamic()
             .to(
                 String.format(
                     "%s/%s/%s",
                     options.getBillingBucketUrl(), BillingModule.INVOICES_DIRECTORY, yearMonth))
-            .by(BillingEvent::getDetailedReportGroupingKey)
+            .by(google.registry.beam.billing.BillingEvent::getDetailedReportGroupingKey)
             .withNumShards(1)
             .withDestinationCoder(StringUtf8Coder.of())
             .withNaming(
@@ -198,8 +206,8 @@ public class InvoicingPipeline implements Serializable {
                         String.format(
                             "%s_%s_%s.csv", BillingModule.DETAIL_REPORT_PREFIX, yearMonth, key))
             .via(
-                Contextful.fn(BillingEvent::toCsv),
-                TextIO.sink().withHeader(BillingEvent.getHeader())));
+                Contextful.fn(google.registry.beam.billing.BillingEvent::toCsv),
+                TextIO.sink().withHeader(google.registry.beam.billing.BillingEvent.getHeader())));
   }
 
   /** Create the Cloud SQL query for a given yearMonth at runtime. */
@@ -207,7 +215,8 @@ public class InvoicingPipeline implements Serializable {
     YearMonth endMonth = YearMonth.parse(yearMonth).plusMonths(1);
     String queryWithComments =
         SqlTemplate.create(
-                getQueryFromFile(InvoicingPipeline.class, "cloud_sql_billing_events.sql"))
+                ResourceUtils.readResourceUtf8(
+                    InvoicingPipeline.class, "sql/cloud_sql_billing_events.sql"))
             .put("FIRST_TIMESTAMP_OF_MONTH", yearMonth + "-01")
             .put(
                 "LAST_TIMESTAMP_OF_MONTH",

core/src/main/java/google/registry/beam/billing/InvoicingPipelineOptions.java

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.beam.invoicing;
+package google.registry.beam.billing;
 
 import google.registry.beam.common.RegistryPipelineOptions;
 import org.apache.beam.sdk.options.Description;

core/src/main/java/google/registry/beam/common/DatabaseSnapshot.java

@@ -15,7 +15,7 @@
 package google.registry.beam.common;
 
 import static com.google.common.base.Preconditions.checkState;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.common.flogger.FluentLogger;
 import java.util.List;
@@ -52,7 +52,7 @@ public class DatabaseSnapshot implements AutoCloseable {
   }
 
   private DatabaseSnapshot open() {
-    entityManager = jpaTm().getStandaloneEntityManager();
+    entityManager = tm().getStandaloneEntityManager();
     transaction = entityManager.getTransaction();
     transaction.setRollbackOnly();
     transaction.begin();

core/src/main/java/google/registry/beam/common/JpaDemoPipeline.java

@@ -1,76 +0,0 @@
-// Copyright 2020 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.beam.common;
-
-import static com.google.common.base.Verify.verify;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
-
-import google.registry.model.contact.Contact;
-import google.registry.persistence.transaction.CriteriaQueryBuilder;
-import google.registry.persistence.transaction.JpaTransactionManager;
-import java.io.Serializable;
-import org.apache.beam.sdk.Pipeline;
-import org.apache.beam.sdk.metrics.Counter;
-import org.apache.beam.sdk.metrics.Metrics;
-import org.apache.beam.sdk.options.PipelineOptionsFactory;
-import org.apache.beam.sdk.transforms.DoFn;
-import org.apache.beam.sdk.transforms.ParDo;
-
-/**
- * Toy pipeline that demonstrates how to use {@link JpaTransactionManager} in BEAM pipelines.
- *
- * <p>This pipeline may also be used as an integration test for {@link RegistryJpaIO.Read} in a
- * project with realistic data.
- */
-public class JpaDemoPipeline implements Serializable {
-
-  public static void main(String[] args) {
-    RegistryPipelineOptions options =
-        PipelineOptionsFactory.fromArgs(args).withValidation().as(RegistryPipelineOptions.class);
-    RegistryPipelineOptions.validateRegistryPipelineOptions(options);
-
-    Pipeline pipeline = Pipeline.create(options);
-    pipeline
-        .apply(
-            "Read contacts",
-            RegistryJpaIO.read(
-                () -> CriteriaQueryBuilder.create(Contact.class).build(), Contact::getRepoId))
-        .apply(
-            "Count Contacts",
-            ParDo.of(
-                new DoFn<String, Void>() {
-                  private Counter counter = Metrics.counter("Contacts", "Read");
-
-                  @ProcessElement
-                  public void processElement() {
-                    // AppEngineEnvironment is needed as long as JPA entity classes still depends
-                    // on Objectify.
-                    int result =
-                        (Integer)
-                            jpaTm()
-                                .transact(
-                                    () ->
-                                        jpaTm()
-                                            .getEntityManager()
-                                            .createNativeQuery("select 1;")
-                                            .getSingleResult());
-                    verify(result == 1, "Expecting 1, got %s.", result);
-                    counter.inc();
-                  }
-                }));
-
-    pipeline.run();
-  }
-}

core/src/main/java/google/registry/beam/common/RegistryJpaIO.java

@@ -14,25 +14,20 @@
 
 package google.registry.beam.common;
 
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static org.apache.beam.sdk.values.TypeDescriptors.integers;
 
 import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Streams;
 import google.registry.beam.common.RegistryQuery.CriteriaQuerySupplier;
-import google.registry.model.UpdateAutoTimestamp;
-import google.registry.model.UpdateAutoTimestamp.DisableAutoUpdateResource;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.TransactionManagerFactory;
-import java.io.Serializable;
 import java.util.Map;
 import java.util.Objects;
-import java.util.concurrent.ThreadLocalRandom;
 import javax.annotation.Nullable;
 import javax.persistence.criteria.CriteriaQuery;
 import org.apache.beam.sdk.coders.Coder;
-import org.apache.beam.sdk.coders.SerializableCoder;
 import org.apache.beam.sdk.metrics.Counter;
 import org.apache.beam.sdk.metrics.Metrics;
 import org.apache.beam.sdk.transforms.Create;
@@ -54,8 +49,8 @@ import org.apache.beam.sdk.values.PCollection;
  *
  * <p>The {@code JpaTransactionManager} is instantiated once on each pipeline worker VM (through
  * {@link RegistryPipelineWorkerInitializer}), made available through the static method {@link
- * TransactionManagerFactory#jpaTm()}, and is shared by all threads on the VM. Configuration is
- * through {@link RegistryPipelineOptions}.
+ * TransactionManagerFactory#tm()}, and is shared by all threads on the VM. Configuration is through
+ * {@link RegistryPipelineOptions}.
  */
 public final class RegistryJpaIO {
 
@@ -76,7 +71,7 @@ public final class RegistryJpaIO {
   }
 
   /**
-   * Returns a {@link Read} connector based on the given {@code jpql} query string.
+   * Returns a {@link Read} connector based on the given native or {@code jpql} query string.
    *
    * <p>User should take care to prevent sql-injection attacks.
    */
@@ -135,6 +130,7 @@ public final class RegistryJpaIO {
 
     abstract SerializableFunction<R, T> resultMapper();
 
+    @Nullable
     abstract Coder<T> coder();
 
     @Nullable
@@ -145,13 +141,16 @@ public final class RegistryJpaIO {
     @Override
     @SuppressWarnings("deprecation") // Reshuffle still recommended by GCP.
     public PCollection<T> expand(PBegin input) {
-      return input
-          .apply("Starting " + name(), Create.of((Void) null))
-          .apply(
-              "Run query for " + name(),
-              ParDo.of(new QueryRunner<>(query(), resultMapper(), snapshotId())))
-          .setCoder(coder())
-          .apply("Reshuffle", Reshuffle.viaRandomKey());
+      PCollection<T> output =
+          input
+              .apply("Starting " + name(), Create.of((Void) null))
+              .apply(
+                  "Run query for " + name(),
+                  ParDo.of(new QueryRunner<>(query(), resultMapper(), snapshotId())));
+      if (coder() != null) {
+        output = output.setCoder(coder());
+      }
+      return output.apply("Reshuffle", Reshuffle.viaRandomKey());
     }
 
     public Read<R, T> withName(String name) {
@@ -179,9 +178,7 @@ public final class RegistryJpaIO {
     }
 
     static <R, T> Builder<R, T> builder() {
-      return new AutoValue_RegistryJpaIO_Read.Builder<R, T>()
-          .name(DEFAULT_NAME)
-          .coder(SerializableCoder.of(Serializable.class));
+      return new AutoValue_RegistryJpaIO_Read.Builder<R, T>().name(DEFAULT_NAME);
     }
 
     @AutoValue.Builder
@@ -193,7 +190,7 @@ public final class RegistryJpaIO {
 
       abstract Builder<R, T> resultMapper(SerializableFunction<R, T> mapper);
 
-      abstract Builder<R, T> coder(Coder coder);
+      abstract Builder<R, T> coder(Coder<T> coder);
 
       abstract Builder<R, T> snapshotId(@Nullable String sharedSnapshotId);
 
@@ -233,11 +230,10 @@ public final class RegistryJpaIO {
 
       @ProcessElement
       public void processElement(OutputReceiver<T> outputReceiver) {
-        jpaTm()
-            .transactNoRetry(
+        tm().transactNoRetry(
                 () -> {
                   if (snapshotId != null) {
-                    jpaTm().setDatabaseSnapshot(snapshotId);
+                    tm().setDatabaseSnapshot(snapshotId);
                   }
                   query.stream().map(resultMapper::apply).forEach(outputReceiver::output);
                 });
@@ -264,46 +260,13 @@ public final class RegistryJpaIO {
 
     public static final int DEFAULT_BATCH_SIZE = 1;
 
-    /** The default number of write shard. Please refer to {@link #shards} for more information. */
-    public static final int DEFAULT_SHARDS = 1;
-
     public abstract String name();
 
     /** Number of elements to be written in one call. */
     public abstract int batchSize();
 
-    /**
-     * The number of shards the output should be split into.
-     *
-     * <p>This value is a hint to the pipeline runner on the level of parallelism, and should be
-     * significantly greater than the number of threads working on this transformation (see next
-     * paragraph for more information). On the other hand, it should not be too large to the point
-     * that the number of elements per shard is lower than {@link #batchSize()}. As a rule of thumb,
-     * the following constraint should hold: {@code shards * batchSize * nThreads <=
-     * inputElementCount}. Although it is not always possible to determine the number of threads
-     * working on this transform, when the pipeline run is IO-bound, it most likely is close to the
-     * total number of threads in the pipeline, which is explained below.
-     *
-     * <p>With Cloud Dataflow runner, the total number of worker threads in a batch pipeline (which
-     * includes all existing Registry pipelines) is the number of vCPUs used by the pipeline, and
-     * can be set by the {@code --maxNumWorkers} and {@code --workerMachineType} parameters. The
-     * number of worker threads in a streaming pipeline can be set by the {@code --maxNumWorkers}
-     * and {@code --numberOfWorkerHarnessThreads} parameters.
-     *
-     * <p>Note that connections on the database server are a limited resource, therefore the number
-     * of threads that interact with the database should be set to an appropriate limit. Again, we
-     * cannot control this number, but can influence it by controlling the total number of threads.
-     */
-    public abstract int shards();
-
     public abstract SerializableFunction<T, Object> jpaConverter();
 
-    /**
-     * Signal to the writer that the {@link UpdateAutoTimestamp} property should be allowed to
-     * manipulate its value before persistence. The default value is {@code true}.
-     */
-    abstract boolean withUpdateAutoTimestamp();
-
     public Write<T> withName(String name) {
       return toBuilder().name(name).build();
     }
@@ -312,10 +275,6 @@ public final class RegistryJpaIO {
       return toBuilder().batchSize(batchSize).build();
     }
 
-    public Write<T> withShards(int shards) {
-      return toBuilder().shards(shards).build();
-    }
-
     /**
      * An optional function that converts the input entities to a form that can be written into the
      * database.
@@ -324,19 +283,12 @@ public final class RegistryJpaIO {
       return toBuilder().jpaConverter(jpaConverter).build();
     }
 
-    public Write<T> disableUpdateAutoTimestamp() {
-      return toBuilder().withUpdateAutoTimestamp(false).build();
-    }
-
     abstract Builder<T> toBuilder();
 
     @Override
     public PCollection<Void> expand(PCollection<T> input) {
       return input
-          .apply(
-              "Shard data " + name(),
-              WithKeys.<Integer, T>of(e -> ThreadLocalRandom.current().nextInt(shards()))
-                  .withKeyType(integers()))
+          .apply("Add key to data " + name(), WithKeys.<Integer, T>of(0).withKeyType(integers()))
           // The call to withShardedKey() is performance critical. The resulting transform ensures
           // that data is spread evenly across all worker threads.
           .apply(
@@ -344,16 +296,14 @@ public final class RegistryJpaIO {
               GroupIntoBatches.<Integer, T>ofSize(batchSize()).withShardedKey())
           .apply(
               "Write in batch for " + name(),
-              ParDo.of(new SqlBatchWriter<>(name(), jpaConverter(), withUpdateAutoTimestamp())));
+              ParDo.of(new SqlBatchWriter<>(name(), jpaConverter())));
     }
 
     static <T> Builder<T> builder() {
       return new AutoValue_RegistryJpaIO_Write.Builder<T>()
           .name(DEFAULT_NAME)
           .batchSize(DEFAULT_BATCH_SIZE)
-          .shards(DEFAULT_SHARDS)
-          .jpaConverter(x -> x)
-          .withUpdateAutoTimestamp(true);
+          .jpaConverter(x -> x);
     }
 
     @AutoValue.Builder
@@ -363,12 +313,8 @@ public final class RegistryJpaIO {
 
       abstract Builder<T> batchSize(int batchSize);
 
-      abstract Builder<T> shards(int jdbcNumConnsHint);
-
       abstract Builder<T> jpaConverter(SerializableFunction<T, Object> jpaConverter);
 
-      abstract Builder<T> withUpdateAutoTimestamp(boolean withUpdateAutoTimestamp);
-
       abstract Write<T> build();
     }
   }
@@ -377,24 +323,15 @@ public final class RegistryJpaIO {
   private static class SqlBatchWriter<T> extends DoFn<KV<ShardedKey<Integer>, Iterable<T>>, Void> {
     private final Counter counter;
     private final SerializableFunction<T, Object> jpaConverter;
-    private final boolean withAutoTimestamp;
 
-    SqlBatchWriter(
-        String type, SerializableFunction<T, Object> jpaConverter, boolean withAutoTimestamp) {
+    SqlBatchWriter(String type, SerializableFunction<T, Object> jpaConverter) {
       counter = Metrics.counter("SQL_WRITE", type);
       this.jpaConverter = jpaConverter;
-      this.withAutoTimestamp = withAutoTimestamp;
     }
 
     @ProcessElement
     public void processElement(@Element KV<ShardedKey<Integer>, Iterable<T>> kv) {
-      if (withAutoTimestamp) {
-        actuallyProcessElement(kv);
-        return;
-      }
-      try (DisableAutoUpdateResource disable = UpdateAutoTimestamp.disableAutoUpdate()) {
-        actuallyProcessElement(kv);
-      }
+      actuallyProcessElement(kv);
     }
 
     private void actuallyProcessElement(@Element KV<ShardedKey<Integer>, Iterable<T>> kv) {
@@ -405,7 +342,11 @@ public final class RegistryJpaIO {
               .filter(Objects::nonNull)
               .collect(ImmutableList.toImmutableList());
       try {
-        jpaTm().transact(() -> jpaTm().putAll(entities));
+        tm().transact(
+                () -> {
+                  // TODO(b/263502442): properly handle creations and blind-writes.
+                  tm().putAll(entities);
+                });
         counter.inc(entities.size());
       } catch (RuntimeException e) {
         processSingly(entities);
@@ -419,7 +360,11 @@ public final class RegistryJpaIO {
     private void processSingly(ImmutableList<Object> entities) {
       for (Object entity : entities) {
         try {
-          jpaTm().transact(() -> jpaTm().put(entity));
+          tm().transact(
+                  () -> {
+                    // TODO(b/263502442): properly handle creations and blind-writes.
+                    tm().put(entity);
+                  });
           counter.inc();
         } catch (RuntimeException e) {
           throw new RuntimeException(toEntityKeyString(entity), e);
@@ -430,14 +375,12 @@ public final class RegistryJpaIO {
     /** Returns this entity's primary key field(s) in a string. */
     private String toEntityKeyString(Object entity) {
       try {
-        return jpaTm()
-            .transact(
+        return tm().transact(
                 () ->
                     String.format(
                         "%s_%s",
                         entity.getClass().getSimpleName(),
-                        jpaTm()
-                            .getEntityManager()
+                        tm().getEntityManager()
                             .getEntityManagerFactory()
                             .getPersistenceUnitUtil()
                             .getIdentifier(entity)));

core/src/main/java/google/registry/beam/common/RegistryPipelineComponent.java

@@ -20,9 +20,7 @@ import dagger.Lazy;
 import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryConfig.ConfigModule;
-import google.registry.model.domain.Domain;
 import google.registry.persistence.PersistenceModule;
-import google.registry.persistence.PersistenceModule.BeamBulkQueryJpaTm;
 import google.registry.persistence.PersistenceModule.BeamJpaTm;
 import google.registry.persistence.PersistenceModule.BeamReadOnlyReplicaJpaTm;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
@@ -52,14 +50,6 @@ public interface RegistryPipelineComponent {
   @BeamJpaTm
   Lazy<JpaTransactionManager> getJpaTransactionManager();
 
-  /**
-   * Returns a {@link JpaTransactionManager} optimized for bulk loading multi-level JPA entities
-   * ({@link Domain} and {@link google.registry.model.domain.DomainHistory}). Please refer to {@link
-   * google.registry.model.bulkquery.BulkQueryEntities} for more information.
-   */
-  @BeamBulkQueryJpaTm
-  Lazy<JpaTransactionManager> getBulkQueryJpaTransactionManager();
-
   /**
    * A {@link JpaTransactionManager} that uses the Postgres read-only replica if configured (uses
    * the standard DB otherwise).

core/src/main/java/google/registry/beam/common/RegistryPipelineOptions.java

@@ -14,7 +14,6 @@
 
 package google.registry.beam.common;
 
-import google.registry.beam.common.RegistryJpaIO.Write;
 import google.registry.config.RegistryEnvironment;
 import google.registry.persistence.PersistenceModule.JpaTransactionManagerType;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
@@ -28,9 +27,9 @@ import org.apache.beam.sdk.options.Description;
  * Defines Nomulus-specific pipeline options, e.g. JPA configurations.
  *
  * <p>When using the Cloud Dataflow runner, users are recommended to set an upper bound on active
- * database connections by setting the pipeline worker options including {@code --maxNumWorkers},
- * {@code workerMachineType}, and {@code numberOfWorkerHarnessThreads}. Please refer to {@link
- * Write#shards()} for more information.
+ * database connections by setting the max number of pipeline worker threads using {@code
+ * --maxNumWorkers} and {@code workerMachineType} for batch pipelines, or {@code --maxNumWorkers}
+ * and {@code --numberOfWorkerHarnessThreads} for streaming pipelines.
  */
 public interface RegistryPipelineOptions extends GcpOptions {
 
@@ -57,14 +56,6 @@ public interface RegistryPipelineOptions extends GcpOptions {
 
   void setSqlWriteBatchSize(int sqlWriteBatchSize);
 
-  @Description(
-      "Number of shards to create out of the data before writing to the SQL database. Please refer "
-          + "to the Javadoc of RegistryJpaIO.Write.shards() for how to choose this value.")
-  @Default.Integer(100)
-  int getSqlWriteShards();
-
-  void setSqlWriteShards(int maxConcurrentSqlWriters);
-
   static RegistryPipelineComponent toRegistryPipelineComponent(RegistryPipelineOptions options) {
     return DaggerRegistryPipelineComponent.builder()
         .isolationOverride(options.getIsolationOverride())

core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java

@@ -21,7 +21,6 @@ import com.google.common.flogger.FluentLogger;
 import dagger.Lazy;
 import google.registry.config.RegistryEnvironment;
 import google.registry.config.SystemPropertySetter;
-import google.registry.model.AppEngineEnvironment;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.persistence.transaction.TransactionManagerFactory;
 import org.apache.beam.sdk.harness.JvmInitializer;
@@ -53,9 +52,6 @@ public class RegistryPipelineWorkerInitializer implements JvmInitializer {
         toRegistryPipelineComponent(registryOptions);
     Lazy<JpaTransactionManager> transactionManagerLazy;
     switch (registryOptions.getJpaTransactionManagerType()) {
-      case BULK_QUERY:
-        transactionManagerLazy = registryPipelineComponent.getBulkQueryJpaTransactionManager();
-        break;
       case READ_ONLY_REPLICA:
         transactionManagerLazy =
             registryPipelineComponent.getReadOnlyReplicaJpaTransactionManager();
@@ -65,12 +61,6 @@ public class RegistryPipelineWorkerInitializer implements JvmInitializer {
         transactionManagerLazy = registryPipelineComponent.getJpaTransactionManager();
     }
     TransactionManagerFactory.setJpaTmOnBeamWorker(transactionManagerLazy::get);
-    // Masquerade all threads as App Engine threads so we can create Ofy keys in the pipeline. Also
-    // loads all ofy entities.
-    new AppEngineEnvironment("s~" + registryPipelineComponent.getProjectId())
-        .setEnvironmentForAllThreads();
-    // Set the system property so that we can call IdService.allocateId() without access to
-    // datastore.
     SystemPropertySetter.PRODUCTION_IMPL.setProperty(PROPERTY, "true");
   }
 }

core/src/main/java/google/registry/beam/common/RegistryQuery.java

@@ -14,7 +14,7 @@
 
 package google.registry.beam.common;
 
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import google.registry.persistence.transaction.JpaTransactionManager;
 import java.io.Serializable;
@@ -24,8 +24,10 @@ import java.util.stream.Stream;
 import javax.annotation.Nullable;
 import javax.persistence.EntityManager;
 import javax.persistence.Query;
+import javax.persistence.TemporalType;
 import javax.persistence.TypedQuery;
 import javax.persistence.criteria.CriteriaQuery;
+import org.joda.time.DateTime;
 
 /** Interface for query instances used by {@link RegistryJpaIO.Read}. */
 public interface RegistryQuery<T> extends Serializable {
@@ -53,11 +55,18 @@ public interface RegistryQuery<T> extends Serializable {
   static <T> RegistryQuery<T> createQuery(
       String sql, @Nullable Map<String, Object> parameters, boolean nativeQuery) {
     return () -> {
-      EntityManager entityManager = jpaTm().getEntityManager();
+      EntityManager entityManager = tm().getEntityManager();
       Query query =
           nativeQuery ? entityManager.createNativeQuery(sql) : entityManager.createQuery(sql);
       if (parameters != null) {
-        parameters.forEach(query::setParameter);
+        parameters.forEach(
+            (key, value) -> {
+              if (value instanceof DateTime) {
+                query.setParameter(key, ((DateTime) value).toDate(), TemporalType.TIMESTAMP);
+              } else {
+                query.setParameter(key, value);
+              }
+            });
       }
       JpaTransactionManager.setQueryFetchSize(query, QUERY_FETCH_SIZE);
       @SuppressWarnings("unchecked")
@@ -76,7 +85,7 @@ public interface RegistryQuery<T> extends Serializable {
       String jpql, @Nullable Map<String, Object> parameters, Class<T> clazz) {
     return () -> {
       // TODO(b/193662898): switch to jpaTm().query() when it can properly detach loaded entities.
-      EntityManager entityManager = jpaTm().getEntityManager();
+      EntityManager entityManager = tm().getEntityManager();
       TypedQuery<T> query = entityManager.createQuery(jpql, clazz);
       if (parameters != null) {
         parameters.forEach(query::setParameter);
@@ -98,7 +107,7 @@ public interface RegistryQuery<T> extends Serializable {
   static <T> RegistryQuery<T> createQuery(CriteriaQuerySupplier<T> criteriaQuery) {
     return () -> {
       // TODO(b/193662898): switch to jpaTm().query() when it can properly detach loaded entities.
-      EntityManager entityManager = jpaTm().getEntityManager();
+      EntityManager entityManager = tm().getEntityManager();
       TypedQuery<T> query = entityManager.createQuery(criteriaQuery.get());
       JpaTransactionManager.setQueryFetchSize(query, QUERY_FETCH_SIZE);
       return query.getResultStream().map(e -> detach(entityManager, e));

core/src/main/java/google/registry/beam/rde/RdeIO.java

@@ -26,13 +26,14 @@ import com.google.auto.value.AutoValue;
 import com.google.cloud.storage.BlobId;
 import com.google.common.collect.ImmutableMultimap;
 import com.google.common.flogger.FluentLogger;
+import google.registry.batch.CloudTasksUtils;
 import google.registry.gcs.GcsUtils;
 import google.registry.keyring.api.PgpHelper;
 import google.registry.model.common.Cursor;
 import google.registry.model.rde.RdeMode;
 import google.registry.model.rde.RdeNamingUtils;
 import google.registry.model.rde.RdeRevision;
-import google.registry.model.tld.Registry;
+import google.registry.model.tld.Tld;
 import google.registry.rde.BrdaCopyAction;
 import google.registry.rde.DepositFragment;
 import google.registry.rde.Ghostryde;
@@ -46,7 +47,6 @@ import google.registry.rde.RdeUtil;
 import google.registry.request.Action.Service;
 import google.registry.request.RequestParameters;
 import google.registry.tldconfig.idn.IdnTableEnum;
-import google.registry.util.CloudTasksUtils;
 import google.registry.xjc.rdeheader.XjcRdeHeader;
 import google.registry.xjc.rdeheader.XjcRdeHeaderElement;
 import google.registry.xml.ValidationMode;
@@ -272,12 +272,12 @@ public class RdeIO {
       tm().transact(
               () -> {
                 PendingDeposit key = input.getKey();
-                Registry registry = Registry.get(key.tld());
+                Tld tld = Tld.get(key.tld());
                 Optional<Cursor> cursor =
                     tm().transact(
                             () ->
                                 tm().loadByKeyIfPresent(
-                                        Cursor.createScopedVKey(key.cursor(), registry)));
+                                        Cursor.createScopedVKey(key.cursor(), tld)));
                 DateTime position = getCursorTimeOrStartOfTime(cursor);
                 checkState(key.interval() != null, "Interval must be present");
                 DateTime newPosition = key.watermark().plus(key.interval());
@@ -290,7 +290,7 @@ public class RdeIO {
                     "Partial ordering of RDE deposits broken: %s %s",
                     position,
                     key);
-                tm().put(Cursor.createScoped(key.cursor(), newPosition, registry));
+                tm().put(Cursor.createScoped(key.cursor(), newPosition, tld));
                 logger.atInfo().log(
                     "Rolled forward %s on %s cursor to %s.", key.cursor(), key.tld(), newPosition);
                 RdeRevision.saveRevision(key.tld(), key.watermark(), key.mode(), input.getValue());
@@ -306,7 +306,7 @@ public class RdeIO {
                       RDE_UPLOAD_QUEUE,
                       cloudTasksUtils.createPostTaskWithDelay(
                           RdeUploadAction.PATH,
-                          Service.BACKEND.getServiceId(),
+                          Service.BACKEND,
                           ImmutableMultimap.of(
                               RequestParameters.PARAM_TLD,
                               key.tld(),
@@ -318,7 +318,7 @@ public class RdeIO {
                       BRDA_QUEUE,
                       cloudTasksUtils.createPostTaskWithDelay(
                           BrdaCopyAction.PATH,
-                          Service.BACKEND.getServiceId(),
+                          Service.BACKEND,
                           ImmutableMultimap.of(
                               RequestParameters.PARAM_TLD,
                               key.tld(),

core/src/main/java/google/registry/beam/rde/RdePipeline.java

@@ -26,7 +26,7 @@ import static google.registry.beam.rde.RdePipeline.TupleTags.REFERENCED_HOSTS;
 import static google.registry.beam.rde.RdePipeline.TupleTags.REVISION_ID;
 import static google.registry.beam.rde.RdePipeline.TupleTags.SUPERORDINATE_DOMAINS;
 import static google.registry.model.reporting.HistoryEntryDao.RESOURCE_TYPES_TO_HISTORY_TYPES;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static org.apache.beam.sdk.values.TypeDescriptors.kvs;
 
 import com.google.common.collect.ImmutableList;
@@ -38,6 +38,7 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.io.BaseEncoding;
 import dagger.BindsInstance;
 import dagger.Component;
+import google.registry.batch.CloudTasksUtils;
 import google.registry.beam.common.RegistryJpaIO;
 import google.registry.beam.common.RegistryPipelineOptions;
 import google.registry.config.CloudTasksUtilsModule;
@@ -55,14 +56,13 @@ import google.registry.model.rde.RdeMode;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.Registrar.Type;
 import google.registry.model.reporting.HistoryEntry;
-import google.registry.model.reporting.HistoryEntryDao;
+import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.persistence.VKey;
 import google.registry.rde.DepositFragment;
 import google.registry.rde.PendingDeposit;
 import google.registry.rde.PendingDeposit.PendingDepositCoder;
 import google.registry.rde.RdeMarshaller;
-import google.registry.util.CloudTasksUtils;
 import google.registry.util.UtilsModule;
 import google.registry.xml.ValidationMode;
 import java.io.ByteArrayInputStream;
@@ -71,11 +71,9 @@ import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
-import java.lang.reflect.InvocationTargetException;
 import java.util.HashSet;
 import javax.inject.Inject;
 import javax.inject.Singleton;
-import javax.persistence.IdClass;
 import org.apache.beam.sdk.Pipeline;
 import org.apache.beam.sdk.PipelineResult;
 import org.apache.beam.sdk.coders.KvCoder;
@@ -128,7 +126,7 @@ import org.joda.time.DateTime;
  * <h2>{@link EppResource}</h2>
  *
  * All EPP resources are loaded from the corresponding {@link HistoryEntry}, which has the resource
- * embedded. In general we find most recent history entry before watermark and filter out the ones
+ * embedded. In general, we find most recent history entry before watermark and filter out the ones
  * that are soft-deleted by watermark. The history is emitted as pairs of (resource repo ID: history
  * revision ID) from the SQL query.
  *
@@ -164,7 +162,7 @@ import org.joda.time.DateTime;
  *
  * The (pending deposit: deposit fragment) pairs from different resources are combined and grouped
  * by pending deposit. For each pending deposit, all the relevant deposit fragments are written into
- * a encrypted file stored on GCS. The filename is uniquely determined by the Beam job ID so there
+ * an encrypted file stored on GCS. The filename is uniquely determined by the Beam job ID so there
  * is no need to lock the GCS write operation to prevent stomping. The cursor for staging the
  * pending deposit is then rolled forward, and the next action is enqueued. The latter two
  * operations are performed in a transaction so the cursor is rolled back if enqueueing failed.
@@ -191,16 +189,6 @@ public class RdePipeline implements Serializable {
   private static final ImmutableSet<Type> IGNORED_REGISTRAR_TYPES =
       Sets.immutableEnumSet(Registrar.Type.MONITORING, Registrar.Type.TEST);
 
-  // The field name of the EPP resource embedded in its corresponding history entry.
-  private static final ImmutableMap<Class<? extends HistoryEntry>, String> EPP_RESOURCE_FIELD_NAME =
-      ImmutableMap.of(
-          DomainHistory.class,
-          "domainBase",
-          ContactHistory.class,
-          "contactBase",
-          HostHistory.class,
-          "hostBase");
-
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   @Inject
@@ -301,10 +289,11 @@ public class RdePipeline implements Serializable {
         .apply(
             "Read all production Registrars",
             RegistryJpaIO.read(
-                "SELECT clientIdentifier FROM Registrar WHERE type NOT IN (:types)",
-                ImmutableMap.of("types", IGNORED_REGISTRAR_TYPES),
-                String.class,
-                id -> VKey.createSql(Registrar.class, id)))
+                    "SELECT registrarId FROM Registrar WHERE type NOT IN (:types)",
+                    ImmutableMap.of("types", IGNORED_REGISTRAR_TYPES),
+                    String.class,
+                    x -> x)
+                .withCoder(StringUtf8Coder.of()))
         .apply(
             "Marshall Registrar into DepositFragment",
             FlatMapElements.into(
@@ -312,9 +301,10 @@ public class RdePipeline implements Serializable {
                         TypeDescriptor.of(PendingDeposit.class),
                         TypeDescriptor.of(DepositFragment.class)))
                 .via(
-                    (VKey<Registrar> key) -> {
+                    (String registrarRepoId) -> {
+                      VKey<Registrar> key = VKey.create(Registrar.class, registrarRepoId);
                       includedRegistrarCounter.inc();
-                      Registrar registrar = jpaTm().transact(() -> jpaTm().loadByKey(key));
+                      Registrar registrar = tm().transact(() -> tm().loadByKey(key));
                       DepositFragment fragment = marshaller.marshalRegistrar(registrar);
                       ImmutableSet<KV<PendingDeposit, DepositFragment>> fragments =
                           pendingDeposits.stream()
@@ -335,31 +325,24 @@ public class RdePipeline implements Serializable {
    */
   private <T extends HistoryEntry> PCollection<KV<String, Long>> getMostRecentHistoryEntries(
       Pipeline pipeline, Class<T> historyClass) {
-    String repoIdFieldName = HistoryEntryDao.REPO_ID_FIELD_NAMES.get(historyClass);
-    String resourceFieldName = EPP_RESOURCE_FIELD_NAME.get(historyClass);
-    return pipeline
-        .apply(
-            String.format("Load most recent %s", historyClass.getSimpleName()),
-            RegistryJpaIO.read(
-                ("SELECT %repoIdField%, id FROM %entity% WHERE (%repoIdField%, modificationTime)"
-                     + " IN (SELECT %repoIdField%, MAX(modificationTime) FROM %entity% WHERE"
-                     + " modificationTime <= :watermark GROUP BY %repoIdField%) AND"
-                     + " %resourceField%.deletionTime > :watermark AND"
-                     + " COALESCE(%resourceField%.creationClientId, '') NOT LIKE 'prober-%' AND"
-                     + " COALESCE(%resourceField%.currentSponsorClientId, '') NOT LIKE 'prober-%'"
-                     + " AND COALESCE(%resourceField%.lastEppUpdateClientId, '') NOT LIKE"
+    return pipeline.apply(
+        String.format("Load most recent %s", historyClass.getSimpleName()),
+        RegistryJpaIO.read(
+                ("SELECT repoId, revisionId FROM %entity% WHERE (repoId, modificationTime) IN"
+                     + " (SELECT repoId, MAX(modificationTime) FROM %entity% WHERE"
+                     + " modificationTime <= :watermark GROUP BY repoId) AND resource.deletionTime"
+                     + " > :watermark AND COALESCE(resource.creationRegistrarId, '') NOT LIKE"
+                     + " 'prober-%' AND COALESCE(resource.currentSponsorRegistrarId, '') NOT LIKE"
+                     + " 'prober-%' AND COALESCE(resource.lastEppUpdateRegistrarId, '') NOT LIKE"
                      + " 'prober-%' "
                         + (historyClass == DomainHistory.class
-                            ? "AND %resourceField%.tld IN "
-                                + "(SELECT id FROM Tld WHERE tldType = 'REAL')"
+                            ? "AND resource.tld IN " + "(SELECT id FROM Tld WHERE tldType = 'REAL')"
                             : ""))
-                    .replace("%entity%", historyClass.getSimpleName())
-                    .replace("%repoIdField%", repoIdFieldName)
-                    .replace("%resourceField%", resourceFieldName),
+                    .replace("%entity%", historyClass.getSimpleName()),
                 ImmutableMap.of("watermark", watermark),
                 Object[].class,
-                row -> KV.of((String) row[0], (long) row[1])))
-        .setCoder(KvCoder.of(StringUtf8Coder.of(), VarLongCoder.of()));
+                row -> KV.of((String) row[0], (long) row[1]))
+            .withCoder(KvCoder.of(StringUtf8Coder.of(), VarLongCoder.of())));
   }
 
   private <T extends HistoryEntry> EppResource loadResourceByHistoryEntryId(
@@ -379,38 +362,26 @@ public class RdePipeline implements Serializable {
       checkState(
           dedupedIds.size() == 1,
           "Multiple unique revision IDs detected for %s repo ID %s: %s",
-          EPP_RESOURCE_FIELD_NAME.get(historyEntryClazz),
+          historyEntryClazz.getSimpleName(),
           repoId,
           ids);
       logger.atSevere().log(
           "Duplicate revision IDs detected for %s repo ID %s: %s",
-          EPP_RESOURCE_FIELD_NAME.get(historyEntryClazz), repoId, ids);
+          historyEntryClazz.getSimpleName(), repoId, ids);
     }
     return loadResourceByHistoryEntryId(historyEntryClazz, repoId, ids.get(0));
   }
 
   private <T extends HistoryEntry> EppResource loadResourceByHistoryEntryId(
       Class<T> historyEntryClazz, String repoId, long revisionId) {
-    try {
-      Class<?> idClazz = historyEntryClazz.getAnnotation(IdClass.class).value();
-      Serializable idObject =
-          (Serializable)
-              idClazz.getConstructor(String.class, long.class).newInstance(repoId, revisionId);
-      return jpaTm()
-          .transact(() -> jpaTm().loadByKey(VKey.createSql(historyEntryClazz, idObject)))
-          .getResourceAtPointInTime()
-          .map(resource -> resource.cloneProjectedAtTime(watermark))
-          .get();
-    } catch (NoSuchMethodException
-        | InvocationTargetException
-        | InstantiationException
-        | IllegalAccessException e) {
-      throw new RuntimeException(
-          String.format(
-              "Cannot load resource from %s with repoId %s and revisionId %s",
-              historyEntryClazz.getSimpleName(), repoId, revisionId),
-          e);
-    }
+
+    return tm().transact(
+            () ->
+                tm().loadByKey(
+                        VKey.create(historyEntryClazz, new HistoryEntryId(repoId, revisionId))))
+        .getResourceAtPointInTime()
+        .map(resource -> resource.cloneProjectedAtTime(watermark))
+        .get();
   }
 
   /**
@@ -495,12 +466,12 @@ public class RdePipeline implements Serializable {
                               // Contacts and hosts are only deposited in RDE, not BRDA.
                               if (pendingDeposit.mode() == RdeMode.FULL) {
                                 HashSet<Serializable> contacts = new HashSet<>();
-                                contacts.add(domain.getAdminContact().getSqlKey());
-                                contacts.add(domain.getTechContact().getSqlKey());
-                                contacts.add(domain.getRegistrant().getSqlKey());
+                                contacts.add(domain.getAdminContact().getKey());
+                                contacts.add(domain.getTechContact().getKey());
+                                contacts.add(domain.getRegistrant().getKey());
                                 // Billing contact is not mandatory.
                                 if (domain.getBillingContact() != null) {
-                                  contacts.add(domain.getBillingContact().getSqlKey());
+                                  contacts.add(domain.getBillingContact().getKey());
                                 }
                                 referencedContactCounter.inc(contacts.size());
                                 contacts.forEach(
@@ -518,7 +489,7 @@ public class RdePipeline implements Serializable {
                                                   .get(REFERENCED_HOSTS)
                                                   .output(
                                                       KV.of(
-                                                          (String) hostKey.getSqlKey(),
+                                                          (String) hostKey.getKey(),
                                                           pendingDeposit)));
                                 }
                               }
@@ -591,7 +562,7 @@ public class RdePipeline implements Serializable {
                                   // The output are pairs of
                                   // (superordinateDomainRepoId,
                                   //   (subordinateHostRepoId, (pendingDeposit, revisionId))).
-                                  KV.of((String) host.getSuperordinateDomain().getSqlKey(), kv));
+                                  KV.of((String) host.getSuperordinateDomain().getKey(), kv));
                         } else {
                           externalHostCounter.inc();
                           DepositFragment fragment = marshaller.marshalExternalHost(host);
@@ -698,8 +669,8 @@ public class RdePipeline implements Serializable {
   }
 
   /**
-   * Encodes the pending deposit set in an URL safe string that is sent to the pipeline worker by
-   * the pipeline launcher as a pipeline option.
+   * Encodes the pending deposit set in a URL safe string that is sent to the pipeline worker by the
+   * pipeline launcher as a pipeline option.
    */
   public static String encodePendingDeposits(ImmutableSet<PendingDeposit> pendingDeposits)
       throws IOException {
@@ -715,6 +686,7 @@ public class RdePipeline implements Serializable {
     PipelineOptionsFactory.register(RdePipelineOptions.class);
     RdePipelineOptions options =
         PipelineOptionsFactory.fromArgs(args).withValidation().as(RdePipelineOptions.class);
+
     RegistryPipelineOptions.validateRegistryPipelineOptions(options);
     options.setIsolationOverride(TransactionIsolationLevel.TRANSACTION_READ_COMMITTED);
     DaggerRdePipeline_RdePipelineComponent.builder().options(options).build().rdePipeline().run();

core/src/main/java/google/registry/beam/resave/ResaveAllEppResourcesPipeline.java

@@ -14,11 +14,14 @@
 
 package google.registry.beam.resave;
 
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
+import static com.google.common.collect.ImmutableList.toImmutableList;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static org.apache.beam.sdk.values.TypeDescriptors.integers;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Streams;
 import google.registry.beam.common.RegistryJpaIO;
 import google.registry.beam.common.RegistryJpaIO.Read;
 import google.registry.model.EppResource;
@@ -27,12 +30,12 @@ import google.registry.model.domain.Domain;
 import google.registry.model.domain.DomainBase;
 import google.registry.model.host.Host;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
-import google.registry.persistence.transaction.CriteriaQueryBuilder;
+import google.registry.persistence.VKey;
 import google.registry.util.DateTimeUtils;
 import java.io.Serializable;
-import java.util.concurrent.ThreadLocalRandom;
 import org.apache.beam.sdk.Pipeline;
 import org.apache.beam.sdk.PipelineResult;
+import org.apache.beam.sdk.coders.StringUtf8Coder;
 import org.apache.beam.sdk.options.PipelineOptionsFactory;
 import org.apache.beam.sdk.transforms.DoFn;
 import org.apache.beam.sdk.transforms.GroupIntoBatches;
@@ -69,7 +72,7 @@ public class ResaveAllEppResourcesPipeline implements Serializable {
    * multiple times, and to avoid projecting and resaving the same domain multiple times.
    */
   private static final String DOMAINS_TO_PROJECT_QUERY =
-      "FROM Domain d WHERE (d.transferData.transferStatus = 'PENDING' AND"
+      "SELECT repoId FROM Domain d WHERE (d.transferData.transferStatus = 'PENDING' AND"
           + " d.transferData.pendingTransferExpirationTime < current_timestamp()) OR"
           + " (d.registrationExpirationTime < current_timestamp() AND d.deletionTime ="
           + " (:END_OF_TIME)) OR (EXISTS (SELECT 1 FROM GracePeriod gp WHERE gp.domainRepoId ="
@@ -88,7 +91,6 @@ public class ResaveAllEppResourcesPipeline implements Serializable {
   }
 
   void setupPipeline(Pipeline pipeline) {
-    options.setIsolationOverride(TransactionIsolationLevel.TRANSACTION_READ_COMMITTED);
     if (options.getFast()) {
       fastResaveContacts(pipeline);
       fastResaveDomains(pipeline);
@@ -99,13 +101,14 @@ public class ResaveAllEppResourcesPipeline implements Serializable {
 
   /** Projects to the current time and saves any contacts with expired transfers. */
   private void fastResaveContacts(Pipeline pipeline) {
-    Read<Contact, Contact> read =
+    Read<String, String> repoIdRead =
         RegistryJpaIO.read(
-            "FROM Contact WHERE transferData.transferStatus = 'PENDING' AND"
-                + " transferData.pendingTransferExpirationTime < current_timestamp()",
-            Contact.class,
-            c -> c);
-    projectAndResaveResources(pipeline, Contact.class, read);
+                "SELECT repoId FROM Contact WHERE transferData.transferStatus = 'PENDING' AND"
+                    + " transferData.pendingTransferExpirationTime < current_timestamp()",
+                String.class,
+                r -> r)
+            .withCoder(StringUtf8Coder.of());
+    projectAndResaveResources(pipeline, Contact.class, repoIdRead);
   }
 
   /**
@@ -116,61 +119,71 @@ public class ResaveAllEppResourcesPipeline implements Serializable {
    * DomainBase#cloneProjectedAtTime(DateTime)}.
    */
   private void fastResaveDomains(Pipeline pipeline) {
-    Read<Domain, Domain> read =
+    Read<String, String> repoIdRead =
         RegistryJpaIO.read(
-            DOMAINS_TO_PROJECT_QUERY,
-            ImmutableMap.of("END_OF_TIME", DateTimeUtils.END_OF_TIME),
-            Domain.class,
-            d -> d);
-    projectAndResaveResources(pipeline, Domain.class, read);
+                DOMAINS_TO_PROJECT_QUERY,
+                ImmutableMap.of("END_OF_TIME", DateTimeUtils.END_OF_TIME),
+                String.class,
+                r -> r)
+            .withCoder(StringUtf8Coder.of());
+    projectAndResaveResources(pipeline, Domain.class, repoIdRead);
   }
 
   /** Projects all resources to the current time and saves them. */
   private <T extends EppResource> void forceResaveAllResources(Pipeline pipeline, Class<T> clazz) {
-    Read<T, T> read = RegistryJpaIO.read(() -> CriteriaQueryBuilder.create(clazz).build());
-    projectAndResaveResources(pipeline, clazz, read);
+    Read<String, String> repoIdRead =
+        RegistryJpaIO.read(
+                // Note: cannot use SQL parameters for the table name
+                String.format("SELECT repoId FROM %s", clazz.getSimpleName()), String.class, r -> r)
+            .withCoder(StringUtf8Coder.of());
+    projectAndResaveResources(pipeline, clazz, repoIdRead);
   }
 
-  /** Projects and re-saves the result of the provided {@link Read}. */
+  /** Projects and re-saves all resources with repo IDs provided by the {@link Read}. */
   private <T extends EppResource> void projectAndResaveResources(
-      Pipeline pipeline, Class<T> clazz, Read<?, T> read) {
-    int numShards = options.getSqlWriteShards();
+      Pipeline pipeline, Class<T> clazz, Read<?, String> repoIdRead) {
     int batchSize = options.getSqlWriteBatchSize();
     String className = clazz.getSimpleName();
     pipeline
-        .apply("Read " + className, read)
+        .apply("Read " + className, repoIdRead)
         .apply(
             "Shard data for class" + className,
-            WithKeys.<Integer, T>of(e -> ThreadLocalRandom.current().nextInt(numShards))
-                .withKeyType(integers()))
+            WithKeys.<Integer, String>of(0).withKeyType(integers()))
         .apply(
             "Group into batches for class" + className,
-            GroupIntoBatches.<Integer, T>ofSize(batchSize).withShardedKey())
-        .apply("Map " + className + " to now", ParDo.of(new BatchedProjectionFunction<>()))
+            GroupIntoBatches.<Integer, String>ofSize(batchSize).withShardedKey())
         .apply(
-            "Write transformed " + className,
-            RegistryJpaIO.<EppResource>write()
-                .withName("Write transformed " + className)
-                .withBatchSize(batchSize)
-                .withShards(numShards));
+            "Load, map, and save " + className,
+            ParDo.of(new BatchedLoadProjectAndSaveFunction(clazz)));
   }
 
-  private static class BatchedProjectionFunction<T extends EppResource>
-      extends DoFn<KV<ShardedKey<Integer>, Iterable<T>>, EppResource> {
+  /** Function that loads, projects, and saves resources all in the same transaction. */
+  private static class BatchedLoadProjectAndSaveFunction
+      extends DoFn<KV<ShardedKey<Integer>, Iterable<String>>, Void> {
+
+    private final Class<? extends EppResource> clazz;
+
+    private BatchedLoadProjectAndSaveFunction(Class<? extends EppResource> clazz) {
+      this.clazz = clazz;
+    }
 
     @ProcessElement
     public void processElement(
-        @Element KV<ShardedKey<Integer>, Iterable<T>> element,
-        OutputReceiver<EppResource> outputReceiver) {
-      jpaTm()
-          .transact(
-              () ->
-                  element
-                      .getValue()
-                      .forEach(
-                          resource ->
-                              outputReceiver.output(
-                                  resource.cloneProjectedAtTime(jpaTm().getTransactionTime()))));
+        @Element KV<ShardedKey<Integer>, Iterable<String>> element,
+        OutputReceiver<Void> outputReceiver) {
+      tm().transact(
+              () -> {
+                DateTime now = tm().getTransactionTime();
+                ImmutableList<VKey<? extends EppResource>> keys =
+                    Streams.stream(element.getValue())
+                        .map(repoId -> VKey.create(clazz, repoId))
+                        .collect(toImmutableList());
+                ImmutableList<EppResource> mappedResources =
+                    tm().loadByKeys(keys).values().stream()
+                        .map(r -> r.cloneProjectedAtTime(now))
+                        .collect(toImmutableList());
+                tm().putAll(mappedResources);
+              });
     }
   }
 
@@ -180,6 +193,7 @@ public class ResaveAllEppResourcesPipeline implements Serializable {
         PipelineOptionsFactory.fromArgs(args)
             .withValidation()
             .as(ResaveAllEppResourcesPipelineOptions.class);
+    options.setIsolationOverride(TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ);
     new ResaveAllEppResourcesPipeline(options).run();
   }
 }

core/src/main/java/google/registry/beam/spec11/SafeBrowsingTransforms.java

@@ -75,8 +75,8 @@ public class SafeBrowsingTransforms {
     private final String apiKey;
 
     /**
-     * Maps a domain name's {@code fullyQualifiedDomainName} to its corresponding {@link
-     * DomainNameInfo} to facilitate batching SafeBrowsing API requests.
+     * Maps a domain name's {@code domainName} to its corresponding {@link DomainNameInfo} to
+     * facilitate batching SafeBrowsing API requests.
      */
     private final Map<String, DomainNameInfo> domainNameInfoBuffer =
         new LinkedHashMap<>(BATCH_SIZE);
@@ -186,8 +186,8 @@ public class SafeBrowsingTransforms {
     private JSONObject createRequestBody() throws JSONException {
       // Accumulate all domain names to evaluate.
       JSONArray threatArray = new JSONArray();
-      for (String fullyQualifiedDomainName : domainNameInfoBuffer.keySet()) {
-        threatArray.put(new JSONObject().put("url", fullyQualifiedDomainName));
+      for (String domainName : domainNameInfoBuffer.keySet()) {
+        threatArray.put(new JSONObject().put("url", domainName));
       }
       // Construct the JSON request body
       return new JSONObject()

core/src/main/java/google/registry/beam/spec11/Spec11Pipeline.java

@@ -15,7 +15,7 @@
 package google.registry.beam.spec11;
 
 import static com.google.common.base.Preconditions.checkArgument;
-import static google.registry.persistence.transaction.TransactionManagerFactory.jpaTm;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableSet;
@@ -37,12 +37,15 @@ import java.io.Serializable;
 import javax.inject.Singleton;
 import org.apache.beam.sdk.Pipeline;
 import org.apache.beam.sdk.PipelineResult;
+import org.apache.beam.sdk.coders.KvCoder;
+import org.apache.beam.sdk.coders.StringUtf8Coder;
 import org.apache.beam.sdk.io.TextIO;
 import org.apache.beam.sdk.options.PipelineOptionsFactory;
 import org.apache.beam.sdk.transforms.DoFn;
 import org.apache.beam.sdk.transforms.GroupByKey;
 import org.apache.beam.sdk.transforms.MapElements;
 import org.apache.beam.sdk.transforms.ParDo;
+import org.apache.beam.sdk.transforms.Reshuffle;
 import org.apache.beam.sdk.values.KV;
 import org.apache.beam.sdk.values.PCollection;
 import org.apache.beam.sdk.values.TypeDescriptor;
@@ -112,11 +115,12 @@ public class Spec11Pipeline implements Serializable {
   static PCollection<DomainNameInfo> readFromCloudSql(Pipeline pipeline) {
     Read<Object[], KV<String, String>> read =
         RegistryJpaIO.read(
-            "select d.repoId, r.emailAddress from Domain d join Registrar r on"
-                + " d.currentSponsorClientId = r.clientIdentifier where r.type = 'REAL' and"
-                + " d.deletionTime > now()",
-            false,
-            Spec11Pipeline::parseRow);
+                "select d.repoId, r.emailAddress from Domain d join Registrar r on"
+                    + " d.currentSponsorRegistrarId = r.registrarId where r.type = 'REAL' and"
+                    + " d.deletionTime > now()",
+                false,
+                Spec11Pipeline::parseRow)
+            .withCoder(KvCoder.of(StringUtf8Coder.of(), StringUtf8Coder.of()));
 
     return pipeline
         .apply("Read active domains from Cloud SQL", read)
@@ -128,11 +132,8 @@ public class Spec11Pipeline implements Serializable {
                   public void processElement(
                       @Element KV<String, String> input, OutputReceiver<DomainNameInfo> output) {
                     Domain domain =
-                        jpaTm()
-                            .transact(
-                                () ->
-                                    jpaTm()
-                                        .loadByKey(VKey.createSql(Domain.class, input.getKey())));
+                        tm().transact(
+                                () -> tm().loadByKey(VKey.create(Domain.class, input.getKey())));
                     String emailAddress = input.getValue();
                     if (emailAddress == null) {
                       emailAddress = "";
@@ -154,26 +155,36 @@ public class Spec11Pipeline implements Serializable {
 
   static void saveToSql(
       PCollection<KV<DomainNameInfo, ThreatMatch>> threatMatches, Spec11PipelineOptions options) {
-    String transformId = "Spec11 Threat Matches";
     LocalDate date = LocalDate.parse(options.getDate(), ISODateTimeFormat.date());
-    threatMatches.apply(
-        "Write to Sql: " + transformId,
-        RegistryJpaIO.<KV<DomainNameInfo, ThreatMatch>>write()
-            .withName(transformId)
-            .withBatchSize(options.getSqlWriteBatchSize())
-            .withShards(options.getSqlWriteShards())
-            .withJpaConverter(
-                (kv) -> {
-                  DomainNameInfo domainNameInfo = kv.getKey();
-                  return new Spec11ThreatMatch.Builder()
-                      .setThreatTypes(
-                          ImmutableSet.of(ThreatType.valueOf(kv.getValue().threatType())))
-                      .setCheckDate(date)
-                      .setDomainName(domainNameInfo.domainName())
-                      .setDomainRepoId(domainNameInfo.domainRepoId())
-                      .setRegistrarId(domainNameInfo.registrarId())
-                      .build();
-                }));
+    String transformId = "Spec11 Threat Matches";
+    threatMatches
+        .apply(
+            "Construct objects",
+            ParDo.of(
+                new DoFn<KV<DomainNameInfo, ThreatMatch>, Spec11ThreatMatch>() {
+                  @ProcessElement
+                  public void processElement(
+                      @Element KV<DomainNameInfo, ThreatMatch> input,
+                      OutputReceiver<Spec11ThreatMatch> output) {
+                    Spec11ThreatMatch spec11ThreatMatch =
+                        new Spec11ThreatMatch.Builder()
+                            .setThreatTypes(
+                                ImmutableSet.of(ThreatType.valueOf(input.getValue().threatType())))
+                            .setCheckDate(date)
+                            .setDomainName(input.getKey().domainName())
+                            .setDomainRepoId(input.getKey().domainRepoId())
+                            .setRegistrarId(input.getKey().registrarId())
+                            // TODO(b/264416932) Assign id to prevent duplicate inserts.
+                            .build();
+                    output.output(spec11ThreatMatch);
+                  }
+                }))
+        .apply("Prevent Fusing", Reshuffle.viaRandomKey())
+        .apply(
+            "Write to Sql: " + transformId,
+            RegistryJpaIO.<Spec11ThreatMatch>write()
+                .withName(transformId)
+                .withBatchSize(options.getSqlWriteBatchSize()));
   }
 
   static void saveToGcs(
@@ -214,8 +225,7 @@ public class Spec11Pipeline implements Serializable {
                         return output.toString();
                       } catch (JSONException e) {
                         throw new RuntimeException(
-                            String.format(
-                                "Encountered an error constructing the JSON for %s", kv.toString()),
+                            String.format("Encountered an error constructing the JSON for %s", kv),
                             e);
                       }
                     }))

core/src/main/java/google/registry/beam/spec11/ThreatMatch.java

@@ -25,28 +25,34 @@ import org.json.JSONObject;
 public abstract class ThreatMatch implements Serializable {
 
   private static final String THREAT_TYPE_FIELD = "threatType";
-  private static final String DOMAIN_NAME_FIELD = "fullyQualifiedDomainName";
+  private static final String DOMAIN_NAME_FIELD = "domainName";
+  private static final String OUTDATED_NAME_FIELD = "fullyQualifiedDomainName";
 
   /** Returns what kind of threat it is (malware, phishing etc.) */
   public abstract String threatType();
   /** Returns the fully qualified domain name [SLD].[TLD] of the matched threat. */
-  public abstract String fullyQualifiedDomainName();
+  public abstract String domainName();
 
   @VisibleForTesting
-  static ThreatMatch create(String threatType, String fullyQualifiedDomainName) {
-    return new AutoValue_ThreatMatch(threatType, fullyQualifiedDomainName);
+  static ThreatMatch create(String threatType, String domainName) {
+    return new AutoValue_ThreatMatch(threatType, domainName);
   }
 
   /** Returns a {@link JSONObject} representing a subset of this object's data. */
   JSONObject toJSON() throws JSONException {
     return new JSONObject()
         .put(THREAT_TYPE_FIELD, threatType())
-        .put(DOMAIN_NAME_FIELD, fullyQualifiedDomainName());
+        .put(DOMAIN_NAME_FIELD, domainName());
   }
 
   /** Parses a {@link JSONObject} and returns an equivalent {@link ThreatMatch}. */
   public static ThreatMatch fromJSON(JSONObject threatMatch) throws JSONException {
+    // TODO: delete OUTDATED_NAME_FIELD once we no longer process reports saved with
+    // fullyQualifiedDomainName in them, likely 2023
     return new AutoValue_ThreatMatch(
-        threatMatch.getString(THREAT_TYPE_FIELD), threatMatch.getString(DOMAIN_NAME_FIELD));
+        threatMatch.getString(THREAT_TYPE_FIELD),
+        threatMatch.has(OUTDATED_NAME_FIELD)
+            ? threatMatch.getString(OUTDATED_NAME_FIELD)
+            : threatMatch.getString(DOMAIN_NAME_FIELD));
   }
 }

core/src/main/java/google/registry/beam/wipeout/WipeOutContactHistoryPiiPipeline.java

@@ -0,0 +1,166 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.wipeout;
+
+import static com.google.common.collect.ImmutableList.toImmutableList;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static org.apache.beam.sdk.values.TypeDescriptors.voids;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.Streams;
+import google.registry.beam.common.RegistryJpaIO;
+import google.registry.model.contact.ContactHistory;
+import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
+import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
+import google.registry.persistence.VKey;
+import java.io.Serializable;
+import org.apache.beam.sdk.Pipeline;
+import org.apache.beam.sdk.PipelineResult;
+import org.apache.beam.sdk.coders.KvCoder;
+import org.apache.beam.sdk.coders.StringUtf8Coder;
+import org.apache.beam.sdk.coders.VarLongCoder;
+import org.apache.beam.sdk.metrics.Counter;
+import org.apache.beam.sdk.metrics.Metrics;
+import org.apache.beam.sdk.options.PipelineOptionsFactory;
+import org.apache.beam.sdk.transforms.MapElements;
+import org.apache.beam.sdk.transforms.join.CoGroupByKey;
+import org.apache.beam.sdk.transforms.join.KeyedPCollectionTuple;
+import org.apache.beam.sdk.values.KV;
+import org.apache.beam.sdk.values.PCollection;
+import org.apache.beam.sdk.values.TupleTag;
+import org.joda.time.DateTime;
+
+/**
+ * Definition of a Dataflow Flex pipeline template, which finds out {@link ContactHistory} entries
+ * that are older than a given age (excluding the most recent one, even if it falls with the range)
+ * and wipe out PII information in them.
+ *
+ * <p>To stage this template locally, run {@code ./nom_build :core:sBP --environment=alpha \
+ * --pipeline=wipeOutContactHistoryPii}.
+ *
+ * <p>Then, you can run the staged template via the API client library, gCloud or a raw REST call.
+ */
+public class WipeOutContactHistoryPiiPipeline implements Serializable {
+
+  private static final long serialVersionUID = -4111052675715913820L;
+  private static final TupleTag<Long> REVISIONS_TO_WIPE = new TupleTag<>();
+  private static final TupleTag<Long> MOST_RECENT_REVISION = new TupleTag<>();
+
+  private final DateTime cutoffTime;
+  private final boolean dryRun;
+  private final Counter contactsInScope =
+      Metrics.counter("WipeOutContactHistoryPii", "contacts in scope");
+  private final Counter historiesToWipe =
+      Metrics.counter("WipeOutContactHistoryPii", "contact histories to wipe PII from");
+  private final Counter historiesWiped =
+      Metrics.counter("WipeOutContactHistoryPii", "contact histories actually updated");
+
+  WipeOutContactHistoryPiiPipeline(WipeOutContactHistoryPiiPipelineOptions options) {
+    dryRun = options.getIsDryRun();
+    cutoffTime = DateTime.parse(options.getCutoffTime());
+  }
+
+  void setup(Pipeline pipeline) {
+    KeyedPCollectionTuple.of(REVISIONS_TO_WIPE, getHistoryEntriesToWipe(pipeline))
+        .and(MOST_RECENT_REVISION, getMostRecentHistoryEntries(pipeline))
+        .apply("Group by contact", CoGroupByKey.create())
+        .apply(
+            "Wipe out PII",
+            MapElements.into(voids())
+                .via(
+                    kv -> {
+                      String repoId = kv.getKey();
+                      long mostRecentRevision = kv.getValue().getOnly(MOST_RECENT_REVISION);
+                      ImmutableList<Long> revisionsToWipe =
+                          Streams.stream(kv.getValue().getAll(REVISIONS_TO_WIPE))
+                              .filter(e -> e != mostRecentRevision)
+                              .collect(toImmutableList());
+                      if (revisionsToWipe.isEmpty()) {
+                        return null;
+                      }
+                      contactsInScope.inc();
+                      tm().transact(
+                              () -> {
+                                for (long revisionId : revisionsToWipe) {
+                                  historiesToWipe.inc();
+                                  ContactHistory history =
+                                      tm().loadByKey(
+                                              VKey.create(
+                                                  ContactHistory.class,
+                                                  new HistoryEntryId(repoId, revisionId)));
+                                  // In the unlikely case where multiple pipelines run at the
+                                  // same time, or where the runner decides to rerun a particular
+                                  // transform, we might have a history entry that has already been
+                                  // wiped at this point. There's no need to wipe it again.
+                                  if (!dryRun
+                                      && history.getContactBase().isPresent()
+                                      && history.getContactBase().get().getEmailAddress() != null) {
+                                    historiesWiped.inc();
+                                    tm().update(history.asBuilder().wipeOutPii().build());
+                                  }
+                                }
+                              });
+                      return null;
+                    }));
+  }
+
+  PCollection<KV<String, Long>> getHistoryEntriesToWipe(Pipeline pipeline) {
+    return pipeline.apply(
+        "Find contact histories to wipee",
+        // Email is one of the required fields in EPP, meaning it's initially not null when it
+        // is set by EPP flows (even though it is nullalbe in the SQL schema). Therefore,
+        // checking if it's null is one way to avoid processing contact history entities that
+        // have been processed previously. Refer to RFC 5733 for more information.
+        RegistryJpaIO.read(
+                "SELECT repoId, revisionId FROM ContactHistory WHERE email IS NOT NULL AND"
+                    + " modificationTime < :cutoffTime",
+                ImmutableMap.of("cutoffTime", cutoffTime),
+                Object[].class,
+                row -> KV.of((String) row[0], (long) row[1]))
+            .withCoder(KvCoder.of(StringUtf8Coder.of(), VarLongCoder.of())));
+  }
+
+  PCollection<KV<String, Long>> getMostRecentHistoryEntries(Pipeline pipeline) {
+    return pipeline.apply(
+        "Find the most recent historiy entry for each contact",
+        RegistryJpaIO.read(
+                "SELECT repoId, revisionId FROM ContactHistory"
+                    + " WHERE (repoId, modificationTime) IN"
+                    + " (SELECT repoId, MAX(modificationTime) FROM ContactHistory GROUP BY repoId)",
+                ImmutableMap.of(),
+                Object[].class,
+                row -> KV.of((String) row[0], (long) row[1]))
+            .withCoder(KvCoder.of(StringUtf8Coder.of(), VarLongCoder.of())));
+  }
+
+  PipelineResult run(Pipeline pipeline) {
+    setup(pipeline);
+    return pipeline.run();
+  }
+
+  public static void main(String[] args) {
+    PipelineOptionsFactory.register(WipeOutContactHistoryPiiPipelineOptions.class);
+    WipeOutContactHistoryPiiPipelineOptions options =
+        PipelineOptionsFactory.fromArgs(args)
+            .withValidation()
+            .as(WipeOutContactHistoryPiiPipelineOptions.class);
+    // Repeatable read should be more than enough since we are dealing with old history entries that
+    // are otherwise immutable.
+    options.setIsolationOverride(TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ);
+    Pipeline pipeline = Pipeline.create(options);
+    new WipeOutContactHistoryPiiPipeline(options).run(pipeline);
+  }
+}

core/src/main/java/google/registry/beam/wipeout/WipeOutContactHistoryPiiPipelineOptions.java

@@ -0,0 +1,37 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.wipeout;
+
+import google.registry.beam.common.RegistryPipelineOptions;
+import org.apache.beam.sdk.options.Default;
+import org.apache.beam.sdk.options.Description;
+
+public interface WipeOutContactHistoryPiiPipelineOptions extends RegistryPipelineOptions {
+
+  @Description(
+      "A contact history entry with a history modification time before this time will have its PII"
+          + " wiped, unless it is the most entry for the contact.")
+  String getCutoffTime();
+
+  void setCutoffTime(String value);
+
+  @Description(
+      "If true, the wiped out billing events will not be saved but the pipeline metrics counter"
+          + " will still be updated.")
+  @Default.Boolean(false)
+  boolean getIsDryRun();
+
+  void setIsDryRun(boolean value);
+}

core/src/main/java/google/registry/bigquery/BigqueryConnection.java

@@ -36,7 +36,6 @@ import com.google.api.services.bigquery.model.GetQueryResultsResponse;
 import com.google.api.services.bigquery.model.Job;
 import com.google.api.services.bigquery.model.JobConfiguration;
 import com.google.api.services.bigquery.model.JobConfigurationExtract;
-import com.google.api.services.bigquery.model.JobConfigurationLoad;
 import com.google.api.services.bigquery.model.JobConfigurationQuery;
 import com.google.api.services.bigquery.model.JobReference;
 import com.google.api.services.bigquery.model.JobStatistics;
@@ -57,7 +56,6 @@ import com.google.common.util.concurrent.ListenableFuture;
 import com.google.common.util.concurrent.ListeningExecutorService;
 import com.google.common.util.concurrent.MoreExecutors;
 import google.registry.bigquery.BigqueryUtils.DestinationFormat;
-import google.registry.bigquery.BigqueryUtils.SourceFormat;
 import google.registry.bigquery.BigqueryUtils.TableType;
 import google.registry.bigquery.BigqueryUtils.WriteDisposition;
 import google.registry.util.NonFinalForTesting;
@@ -375,23 +373,6 @@ public class BigqueryConnection implements AutoCloseable {
     }
   }
 
-  /**
-   * Starts an asynchronous load job to populate the specified destination table with the given
-   * source URIs and source format. Returns a ListenableFuture that holds the same destination table
-   * object on success.
-   */
-  public ListenableFuture<DestinationTable> startLoad(
-      DestinationTable dest, SourceFormat sourceFormat, Iterable<String> sourceUris) {
-    Job job = new Job()
-        .setConfiguration(new JobConfiguration()
-            .setLoad(new JobConfigurationLoad()
-                .setWriteDisposition(dest.getWriteDisposition().toString())
-                .setSourceFormat(sourceFormat.toString())
-                .setSourceUris(ImmutableList.copyOf(sourceUris))
-                .setDestinationTable(dest.getTableReference())));
-    return transform(runJobToCompletion(job, dest), this::updateTable, directExecutor());
-  }
-
   /**
    * Starts an asynchronous query job to populate the specified destination table with the results
    * of the specified query, or if the table is a view, to update the view to reflect that query.

core/src/main/java/google/registry/bigquery/BigqueryUtils.java

@@ -25,18 +25,6 @@ import org.joda.time.format.ISODateTimeFormat;
 /** Utilities related to Bigquery. */
 public class BigqueryUtils {
 
-  /** Bigquery modes for schema fields. */
-  public enum FieldMode {
-    NULLABLE,
-    REQUIRED,
-    REPEATED;
-
-    /** Return the name of the field mode as it should appear in the Bigquery schema. */
-    public String schemaName() {
-      return name();
-    }
-  }
-
   /** Bigquery schema field types. */
   public enum FieldType {
     STRING,
@@ -44,19 +32,7 @@ public class BigqueryUtils {
     FLOAT,
     TIMESTAMP,
     RECORD,
-    BOOLEAN;
-
-    /** Return the name of the field type as it should appear in the Bigquery schema. */
-    public String schemaName() {
-      return name();
-    }
-  }
-
-  /** Source formats for Bigquery load jobs. */
-  public enum SourceFormat {
-    CSV,
-    NEWLINE_DELIMITED_JSON,
-    DATASTORE_BACKUP
+    BOOLEAN
   }
 
   /** Destination formats for Bigquery extract jobs. */

core/src/main/java/google/registry/config/CloudTasksUtilsModule.java

@@ -19,18 +19,15 @@ import com.google.cloud.tasks.v2.CloudTasksClient;
 import com.google.cloud.tasks.v2.CloudTasksSettings;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.batch.CloudTasksUtils;
+import google.registry.batch.CloudTasksUtils.GcpCloudTasksClient;
+import google.registry.batch.CloudTasksUtils.SerializableCloudTasksClient;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.util.Clock;
-import google.registry.util.CloudTasksUtils;
-import google.registry.util.CloudTasksUtils.GcpCloudTasksClient;
-import google.registry.util.CloudTasksUtils.SerializableCloudTasksClient;
 import google.registry.util.GoogleCredentialsBundle;
-import google.registry.util.Retrier;
 import java.io.IOException;
 import java.io.Serializable;
 import java.util.function.Supplier;
-import javax.inject.Singleton;
 
 /**
  * A {@link Module} that provides {@link CloudTasksUtils}.
@@ -41,17 +38,6 @@ import javax.inject.Singleton;
 @Module
 public abstract class CloudTasksUtilsModule {
 
-  @Singleton
-  @Provides
-  public static CloudTasksUtils provideCloudTasksUtils(
-      @Config("projectId") String projectId,
-      @Config("locationId") String locationId,
-      SerializableCloudTasksClient client,
-      Retrier retrier,
-      Clock clock) {
-    return new CloudTasksUtils(retrier, clock, projectId, locationId, client);
-  }
-
   // Provides a supplier instead of using a Dagger @Provider because the latter is not serializable.
   @Provides
   public static Supplier<CloudTasksClient> provideCloudTasksClientSupplier(

core/src/main/java/google/registry/config/CredentialModule.java

@@ -14,22 +14,21 @@
 
 package google.registry.config;
 
-import static java.nio.charset.StandardCharsets.UTF_8;
+import static com.google.common.base.Preconditions.checkArgument;
 
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.auth.ServiceAccountSigner;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.keyring.api.KeyModule.Key;
+import google.registry.util.Clock;
 import google.registry.util.GoogleCredentialsBundle;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
+import java.time.Duration;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;
 
@@ -37,6 +36,36 @@ import javax.inject.Singleton;
 @Module
 public abstract class CredentialModule {
 
+  /**
+   * Provides a {@link GoogleCredentialsBundle} backed by the application default credential from
+   * the Google Cloud Runtime. This credential may be used to access GCP APIs that are NOT part of
+   * the Google Workspace.
+   *
+   * <p>The credential returned by the Cloud Runtime depends on the runtime environment:
+   *
+   * <ul>
+   *   <li>On App Engine, returns a scope-less {@code ComputeEngineCredentials} for
+   *       PROJECT_ID@appspot.gserviceaccount.com
+   *   <li>On Compute Engine, returns a scope-less {@code ComputeEngineCredentials} for
+   *       PROJECT_NUMBER-compute@developer.gserviceaccount.com
+   *   <li>On end user host, this returns the credential downloaded by gcloud. Please refer to <a
+   *       href="https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login">Cloud
+   *       SDK documentation</a> for details.
+   * </ul>
+   */
+  @ApplicationDefaultCredential
+  @Provides
+  @Singleton
+  public static GoogleCredentialsBundle provideApplicationDefaultCredential() {
+    GoogleCredentials credential;
+    try {
+      credential = GoogleCredentials.getApplicationDefault();
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+    return GoogleCredentialsBundle.create(credential);
+  }
+
   /**
    * Provides the default {@link GoogleCredentialsBundle} from the Google Cloud runtime.
    *
@@ -70,102 +99,90 @@ public abstract class CredentialModule {
   }
 
   /**
-   * Provides the default {@link GoogleCredential} from the Google Cloud runtime for G Suite
-   * Drive API.
-   * TODO(b/138195359): Deprecate this credential once we figure out how to use
-   * {@link GoogleCredentials} for G Suite Drive API.
+   * Provides a {@link GoogleCredentialsBundle} for accessing Google Workspace APIs, such as Drive
+   * and Sheets.
    */
-  @GSuiteDriveCredential
+  @GoogleWorkspaceCredential
   @Provides
   @Singleton
-  public static GoogleCredential provideGSuiteDriveCredential(
+  public static GoogleCredentialsBundle provideGSuiteDriveCredential(
+      @ApplicationDefaultCredential GoogleCredentialsBundle applicationDefaultCredential,
       @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes) {
-    GoogleCredential credential;
-    try {
-      credential = GoogleCredential.getApplicationDefault();
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
-    if (credential.createScopedRequired()) {
-      credential = credential.createScoped(requiredScopes);
-    }
-    return credential;
-  }
-
-  /**
-   * Provides a {@link GoogleCredentialsBundle} from the service account's JSON key file.
-   *
-   * <p>On App Engine, a thread created using Java's built-in API needs this credential when it
-   * calls App Engine API. The Google Sheets API also needs this credential.
-   */
-  @JsonCredential
-  @Provides
-  @Singleton
-  public static GoogleCredentialsBundle provideJsonCredential(
-      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes,
-      @Key("jsonCredential") String jsonCredential) {
-    GoogleCredentials credential;
-    try {
-      credential =
-          GoogleCredentials.fromStream(new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)));
-    } catch (IOException e) {
-      throw new UncheckedIOException(e);
-    }
-    if (credential.createScopedRequired()) {
-      credential = credential.createScoped(requiredScopes);
-    }
+    GoogleCredentials credential = applicationDefaultCredential.getGoogleCredentials();
+    // Although credential is scope-less, its `createScopedRequired` method still returns false.
+    credential = credential.createScoped(requiredScopes);
     return GoogleCredentialsBundle.create(credential);
   }
 
   /**
-   * Provides a {@link GoogleCredentialsBundle} with delegated admin access for a G Suite domain.
+   * Provides a {@link GoogleCredentialsBundle} with delegated access to Google Workspace APIs for
+   * the application default credential user.
    *
-   * <p>The G Suite domain must grant delegated admin access to the registry service account with
-   * all scopes in {@code requiredScopes}, including ones not related to G Suite.
+   * <p>The Workspace domain must grant delegated admin access to the default service account user
+   * (project-id@appspot.gserviceaccount.com on AppEngine) with all scopes in {@code defaultScopes}
+   * and {@code delegationScopes}.
    */
-  @DelegatedCredential
+  @AdcDelegatedCredential
   @Provides
   @Singleton
-  public static GoogleCredentialsBundle provideDelegatedCredential(
-      @Config("delegatedCredentialOauthScopes") ImmutableList<String> requiredScopes,
-      @JsonCredential GoogleCredentialsBundle credentialsBundle,
-      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
-    return GoogleCredentialsBundle.create(credentialsBundle
-        .getGoogleCredentials()
-        .createDelegated(gSuiteAdminAccountEmailAddress)
-        .createScoped(requiredScopes));
+  public static GoogleCredentialsBundle provideSelfSignedDelegatedCredential(
+      @Config("defaultCredentialOauthScopes") ImmutableList<String> defaultScopes,
+      @Config("delegatedCredentialOauthScopes") ImmutableList<String> delegationScopes,
+      @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress,
+      @Config("tokenRefreshDelay") Duration tokenRefreshDelay,
+      Clock clock) {
+    GoogleCredentials signer = credentialsBundle.getGoogleCredentials();
+
+    checkArgument(
+        signer instanceof ServiceAccountSigner,
+        "Expecting a ServiceAccountSigner, found %s.",
+        signer.getClass().getSimpleName());
+
+    try {
+      // Refreshing as sanity check on the ADC.
+      signer.refresh();
+    } catch (IOException e) {
+      throw new RuntimeException("Cannot refresh the ApplicationDefaultCredential", e);
+    }
+
+    DelegatedCredentials credential =
+        DelegatedCredentials.createSelfSignedDelegatedCredential(
+            (ServiceAccountSigner) signer,
+            ImmutableList.<String>builder().addAll(defaultScopes).addAll(delegationScopes).build(),
+            gSuiteAdminAccountEmailAddress,
+            clock,
+            tokenRefreshDelay);
+    return GoogleCredentialsBundle.create(credential);
   }
 
+  /** Dagger qualifier for the scope-less Application Default Credential. */
+  @Qualifier
+  @Documented
+  @Retention(RetentionPolicy.RUNTIME)
+  public @interface ApplicationDefaultCredential {}
+
   /** Dagger qualifier for the Application Default Credential. */
   @Qualifier
   @Documented
   @Retention(RetentionPolicy.RUNTIME)
+  @Deprecated // Switching to @ApplicationDefaultCredential
   public @interface DefaultCredential {}
 
-
-  /** Dagger qualifier for the credential for G Suite Drive API. */
+  /** Dagger qualifier for the credential for Google Workspace APIs. */
   @Qualifier
   @Documented
   @Retention(RetentionPolicy.RUNTIME)
-  public @interface GSuiteDriveCredential {}
+  public @interface GoogleWorkspaceCredential {}
 
   /**
-   * Dagger qualifier for a credential from a service account's JSON key, to be used in non-request
-   * threads.
+   * Dagger qualifier for a credential with delegated admin access for a dasher domain (for Google
+   * Workspace) backed by the application default credential (ADC).
    */
   @Qualifier
   @Documented
   @Retention(RetentionPolicy.RUNTIME)
-  public @interface JsonCredential {}
-
-  /**
-   * Dagger qualifier for a credential with delegated admin access for a dasher domain (for G
-   * Suite).
-   */
-  @Qualifier
-  @Documented
-  @Retention(RetentionPolicy.RUNTIME)
-  public @interface DelegatedCredential {}
+  public @interface AdcDelegatedCredential {}
 
   /** Dagger qualifier for the local credential used in the nomulus tool. */
   @Qualifier

core/src/main/java/google/registry/config/DelegatedCredentials.java

@@ -0,0 +1,268 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.config;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpBackOffIOExceptionHandler;
+import com.google.api.client.http.HttpBackOffUnsuccessfulResponseHandler;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpRequestFactory;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.UrlEncodedContent;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.JsonObjectParser;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.api.client.json.webtoken.JsonWebToken;
+import com.google.api.client.util.ExponentialBackOff;
+import com.google.api.client.util.GenericData;
+import com.google.api.client.util.StringUtils;
+import com.google.auth.ServiceAccountSigner;
+import com.google.auth.http.HttpTransportFactory;
+import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.common.base.Joiner;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Iterables;
+import google.registry.util.Clock;
+import java.io.IOException;
+import java.math.BigDecimal;
+import java.time.Duration;
+import java.util.Collection;
+import java.util.Date;
+import java.util.Map;
+import java.util.ServiceLoader;
+import org.apache.commons.codec.binary.Base64;
+
+/**
+ * OAuth2 credentials for accessing Google Workspace APIs with domain-wide delegation. It fetches
+ * access tokens using JSON Web Tokens (JWT) signed by a user-provided {@link ServiceAccountSigner}.
+ *
+ * <p>This class accepts the application-default-credential as {@code ServiceAccountSigner},
+ * avoiding the need for exported private keys. In this case, the default credential user itself
+ * (project-id@appspot.gserviceaccount.com on AppEngine) must have domain-wide delegation to the
+ * Workspace APIs. The default credential user also must have the Token Creator role to itself.
+ *
+ * <p>If the user provides a credential {@code S} that carries its own private key, such as {@link
+ * com.google.auth.oauth2.ServiceAccountCredentials}, this class can use {@code S} to impersonate
+ * another service account {@code D} and gain delegated access as {@code D}, as long as S has the
+ * Token Creator role to {@code D}. This usage is documented here for future reference.
+ *
+ * <p>As of October 2022, the functionalities described above are not implemented in the GCP Java
+ * Auth library, although they are available in the Python library. We have filed a <a
+ * href="https://github.com/googleapis/google-auth-library-java/issues/1064">feature request</a>.
+ * This class is a stop-gap implementation.
+ *
+ * <p>The main body of this class is adapted from {@link
+ * com.google.auth.oauth2.ServiceAccountCredentials} with cosmetic changes. The important changes
+ * include the removal of all uses of the private key and the signing of the JWT (in {@link
+ * #signAssertion}). We choose not to extend {@code ServiceAccountCredentials} because it would add
+ * dependency to the non-public details of that class.
+ */
+public class DelegatedCredentials extends GoogleCredentials {
+
+  private static final long serialVersionUID = 617127523756785546L;
+
+  private static final String DEFAULT_TOKEN_URI = "https://accounts.google.com/o/oauth2/token";
+  private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
+
+  private static final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
+  private static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
+
+  private static final String VALUE_NOT_FOUND_MESSAGE = "%sExpected value %s not found.";
+  private static final String VALUE_WRONG_TYPE_MESSAGE = "%sExpected %s value %s of wrong type.";
+  private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
+
+  private static final Duration MAX_TOKEN_REFRESH_DELAY = Duration.ofHours(1);
+
+  private final ServiceAccountSigner signer;
+  private final String delegatedServiceAccountUser;
+  private final ImmutableList<String> scopes;
+  private final String delegatingUserEmail;
+
+  private final Clock clock;
+  private final Duration tokenRefreshDelay;
+
+  private final HttpTransportFactory transportFactory;
+
+  /**
+   * Creates a {@link DelegatedCredentials} instance that is self-signed by the signer, which must
+   * have delegated access to the Workspace APIs.
+   *
+   * @param signer Signs for the generated JWT tokens. This may be the application default
+   *     credential
+   * @param scopes The scopes to use when generating JWT tokens
+   * @param delegatingUserEmail The Workspace user whose permissions are delegated to the signer
+   * @param clock Used for setting token expiration times.
+   * @param tokenRefreshDelay The lifetime of each token. Should not exceed one hour according to
+   *     GCP recommendations.
+   * @return
+   */
+  static DelegatedCredentials createSelfSignedDelegatedCredential(
+      ServiceAccountSigner signer,
+      Collection<String> scopes,
+      String delegatingUserEmail,
+      Clock clock,
+      Duration tokenRefreshDelay) {
+    return new DelegatedCredentials(
+        signer, signer.getAccount(), scopes, delegatingUserEmail, clock, tokenRefreshDelay);
+  }
+
+  private DelegatedCredentials(
+      ServiceAccountSigner signer,
+      String delegatedServiceAccountUser,
+      Collection<String> scopes,
+      String delegatingUserEmail,
+      Clock clock,
+      Duration tokenRefreshDelay) {
+    checkArgument(
+        tokenRefreshDelay.getSeconds() <= MAX_TOKEN_REFRESH_DELAY.getSeconds(),
+        "Max refresh delay must not exceed %s.",
+        MAX_TOKEN_REFRESH_DELAY);
+
+    this.signer = signer;
+    this.delegatedServiceAccountUser = delegatedServiceAccountUser;
+    this.scopes = ImmutableList.copyOf(scopes);
+    this.delegatingUserEmail = delegatingUserEmail;
+
+    this.clock = clock;
+    this.tokenRefreshDelay = tokenRefreshDelay;
+
+    this.transportFactory =
+        getFromServiceLoader(
+            HttpTransportFactory.class, DelegatedCredentials::provideHttpTransport);
+  }
+
+  /**
+   * Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
+   */
+  @Override
+  public AccessToken refreshAccessToken() throws IOException {
+    JsonFactory jsonFactory = JSON_FACTORY;
+    long currentTime = clock.nowUtc().getMillis();
+    String assertion = createAssertion(jsonFactory, currentTime);
+
+    GenericData tokenRequest = new GenericData();
+    tokenRequest.set("grant_type", GRANT_TYPE);
+    tokenRequest.set("assertion", assertion);
+    UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
+
+    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
+    HttpRequest request =
+        requestFactory.buildPostRequest(new GenericUrl(DEFAULT_TOKEN_URI), content);
+    request.setParser(new JsonObjectParser(jsonFactory));
+
+    request.setIOExceptionHandler(new HttpBackOffIOExceptionHandler(new ExponentialBackOff()));
+    request.setUnsuccessfulResponseHandler(
+        new HttpBackOffUnsuccessfulResponseHandler(new ExponentialBackOff())
+            .setBackOffRequired(
+                response -> {
+                  int code = response.getStatusCode();
+                  return (
+                  // Server error --- includes timeout errors, which use 500 instead of 408
+                  code / 100 == 5
+                      // Forbidden error --- for historical reasons, used for rate_limit_exceeded
+                      // errors instead of 429, but there currently seems no robust automatic way
+                      // to
+                      // distinguish these cases: see
+                      // https://github.com/google/google-api-java-client/issues/662
+                      || code == 403);
+                }));
+
+    HttpResponse response;
+    try {
+      response = request.execute();
+    } catch (IOException e) {
+      throw new IOException(
+          String.format("Error getting access token for service account: %s", e.getMessage()), e);
+    }
+
+    GenericData responseData = response.parseAs(GenericData.class);
+    String accessToken = validateString(responseData, "access_token", PARSE_ERROR_PREFIX);
+    int expiresInSeconds = validateInt32(responseData, "expires_in", PARSE_ERROR_PREFIX);
+    long expiresAtMilliseconds = clock.nowUtc().getMillis() + expiresInSeconds * 1000L;
+    return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
+  }
+
+  String createAssertion(JsonFactory jsonFactory, long currentTime) throws IOException {
+    JsonWebSignature.Header header = new JsonWebSignature.Header();
+    header.setAlgorithm("RS256");
+    header.setType("JWT");
+
+    JsonWebToken.Payload payload = new JsonWebToken.Payload();
+    payload.setIssuer(this.delegatedServiceAccountUser);
+    payload.setIssuedAtTimeSeconds(currentTime / 1000);
+    payload.setExpirationTimeSeconds(currentTime / 1000 + tokenRefreshDelay.getSeconds());
+    payload.setSubject(delegatingUserEmail);
+    payload.put("scope", Joiner.on(' ').join(scopes));
+    payload.setAudience(DEFAULT_TOKEN_URI);
+
+    return signAssertion(jsonFactory, header, payload);
+  }
+
+  String signAssertion(
+      JsonFactory jsonFactory, JsonWebSignature.Header header, JsonWebToken.Payload payload)
+      throws IOException {
+    String content =
+        Base64.encodeBase64URLSafeString(jsonFactory.toByteArray(header))
+            + "."
+            + Base64.encodeBase64URLSafeString(jsonFactory.toByteArray(payload));
+    byte[] contentBytes = StringUtils.getBytesUtf8(content);
+    byte[] signature = signer.sign(contentBytes); // Changed from ServiceAccountCredentials.
+    return content + "." + Base64.encodeBase64URLSafeString(signature);
+  }
+
+  static HttpTransport provideHttpTransport() {
+    return HTTP_TRANSPORT;
+  }
+
+  protected static <T> T getFromServiceLoader(Class<? extends T> clazz, T defaultInstance) {
+    return Iterables.getFirst(ServiceLoader.load(clazz), defaultInstance);
+  }
+
+  /** Return the specified string from JSON or throw a helpful error message. */
+  static String validateString(Map<String, Object> map, String key, String errorPrefix)
+      throws IOException {
+    Object value = map.get(key);
+    if (value == null) {
+      throw new IOException(String.format(VALUE_NOT_FOUND_MESSAGE, errorPrefix, key));
+    }
+    if (!(value instanceof String)) {
+      throw new IOException(String.format(VALUE_WRONG_TYPE_MESSAGE, errorPrefix, "string", key));
+    }
+    return (String) value;
+  }
+
+  /** Return the specified integer from JSON or throw a helpful error message. */
+  static int validateInt32(Map<String, Object> map, String key, String errorPrefix)
+      throws IOException {
+    Object value = map.get(key);
+    if (value == null) {
+      throw new IOException(String.format(VALUE_NOT_FOUND_MESSAGE, errorPrefix, key));
+    }
+    if (value instanceof BigDecimal) {
+      BigDecimal bigDecimalValue = (BigDecimal) value;
+      return bigDecimalValue.intValueExact();
+    }
+    if (!(value instanceof Integer)) {
+      throw new IOException(String.format(VALUE_WRONG_TYPE_MESSAGE, errorPrefix, "integer", key));
+    }
+    return (Integer) value;
+  }
+}

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -32,6 +32,8 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedMap;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.dns.ReadDnsRefreshRequestsAction;
+import google.registry.model.common.DnsRefreshRequest;
 import google.registry.persistence.transaction.JpaTransactionManager;
 import google.registry.util.YamlUtils;
 import java.lang.annotation.Documented;
@@ -60,8 +62,8 @@ import org.joda.time.Duration;
  *
  * <p>This class does not represent the total configuration of the Nomulus service. It's <b>only
  * meant for settings that need to be configured <i>once</i></b>. Settings which may be subject to
- * change in the future, should instead be retrieved from Datastore. The {@link
- * google.registry.model.tld.Registry Registry} class is one such example of this.
+ * change in the future, should instead be retrieved from the database. The {@link
+ * google.registry.model.tld.Tld Tld} class is one such example of this.
  *
  * <p>Note: Only settings that are actually configurable belong in this file. It's not a catch-all
  * for anything widely used throughout the code base.
@@ -103,13 +105,25 @@ public final class RegistryConfig {
     @Provides
     @Config("projectId")
     public static String provideProjectId(RegistryConfigSettings config) {
-      return config.appEngine.projectId;
+      return config.gcpProject.projectId;
+    }
+
+    @Provides
+    @Config("serviceAccountEmails")
+    public static ImmutableList<String> provideServiceAccountEmails(RegistryConfigSettings config) {
+      return ImmutableList.copyOf(config.gcpProject.serviceAccountEmails);
+    }
+
+    @Provides
+    @Config("projectIdNumber")
+    public static long provideProjectIdNumber(RegistryConfigSettings config) {
+      return config.gcpProject.projectIdNumber;
     }
 
     @Provides
     @Config("locationId")
     public static String provideLocationId(RegistryConfigSettings config) {
-      return config.appEngine.locationId;
+      return config.gcpProject.locationId;
     }
 
     /**
@@ -282,9 +296,9 @@ public final class RegistryConfig {
 
     /**
      * The maximum number of domain and host updates to batch together to send to
-     * PublishDnsUpdatesAction, to avoid exceeding AppEngine's limits.
+     * PublishDnsUpdatesAction, to avoid exceeding HTTP request timeout limits.
      *
-     * @see google.registry.dns.ReadDnsQueueAction
+     * @see google.registry.dns.ReadDnsRefreshRequestsAction
      */
     @Provides
     @Config("dnsTldUpdateBatchSize")
@@ -315,23 +329,30 @@ public final class RegistryConfig {
     }
 
     /**
-     * The requested maximum duration for ReadDnsQueueAction.
+     * The requested maximum duration for {@link ReadDnsRefreshRequestsAction}.
      *
-     * <p>ReadDnsQueueAction reads update tasks from the dns-pull queue. It will continue reading
-     * tasks until either the queue is empty, or this duration has passed.
+     * <p>{@link ReadDnsRefreshRequestsAction} reads refresh requests from {@link DnsRefreshRequest}
+     * It will continue reading requests until either no requests exist that matche the condition,
+     * or this duration has passed.
      *
-     * <p>This time is the maximum duration between the first and last attempt to lease tasks from
-     * the dns-pull queue. The actual running time might be slightly longer, as we process the
-     * tasks.
+     * <p>This time is the maximum duration between the first and last attempt to read requests from
+     * {@link DnsRefreshRequest}. The actual running time might be slightly longer, as we process
+     * the requests.
      *
-     * <p>This value should be less than the cron-job repeat rate for ReadDnsQueueAction, to make
-     * sure we don't have multiple ReadDnsActions leasing tasks simultaneously.
+     * <p>The requests that are read will not be read again by any action until after this period
+     * has passed, so concurrent runs (or runs that are very close to each other) of {@link
+     * ReadDnsRefreshRequestsAction} will not keep reading the same requests with the earliest
+     * request time.
      *
-     * @see google.registry.dns.ReadDnsQueueAction
+     * <p>Still, this value should ideally be less than the cloud scheduler job repeat rate for
+     * {@link ReadDnsRefreshRequestsAction}, to not waste resources on multiple actions running at
+     * the same time.
+     *
+     * <p>see google.registry.dns.ReadDnsRefreshRequestsAction
      */
     @Provides
-    @Config("readDnsQueueActionRuntime")
-    public static Duration provideReadDnsQueueRuntime() {
+    @Config("readDnsRefreshRequestsActionRuntime")
+    public static Duration provideReadDnsRefreshRequestsRuntime() {
       return Duration.standardSeconds(45);
     }
 
@@ -569,9 +590,9 @@ public final class RegistryConfig {
     /**
      * Returns the default job region to run Apache Beam (Cloud Dataflow) jobs in.
      *
-     * @see google.registry.beam.invoicing.InvoicingPipeline
+     * @see google.registry.beam.billing.InvoicingPipeline
      * @see google.registry.beam.spec11.Spec11Pipeline
-     * @see google.registry.beam.invoicing.InvoicingPipeline
+     * @see google.registry.beam.billing.InvoicingPipeline
      */
     @Provides
     @Config("defaultJobRegion")
@@ -649,7 +670,7 @@ public final class RegistryConfig {
     /**
      * Returns the URL of the GCS bucket we store invoices and detail reports in.
      *
-     * @see google.registry.beam.invoicing.InvoicingPipeline
+     * @see google.registry.beam.billing.InvoicingPipeline
      */
     @Provides
     @Config("billingBucketUrl")
@@ -685,7 +706,7 @@ public final class RegistryConfig {
     /**
      * Returns the file prefix for the invoice CSV file.
      *
-     * @see google.registry.beam.invoicing.InvoicingPipeline
+     * @see google.registry.beam.billing.InvoicingPipeline
      * @see google.registry.reporting.billing.BillingEmailUtils
      */
     @Provides
@@ -918,7 +939,7 @@ public final class RegistryConfig {
      * <p>Note that this uses {@code @Named} instead of {@code @Config} so that it can be used from
      * the low-level util package, which cannot have a dependency on the config package.
      *
-     * @see google.registry.util.CloudTasksUtils
+     * @see google.registry.batch.CloudTasksUtils
      */
     @Provides
     @Named("transientFailureRetries")
@@ -1027,38 +1048,6 @@ public final class RegistryConfig {
       return 50;
     }
 
-    /**
-     * Returns the delay before executing async delete flow mapreduces.
-     *
-     * <p>This delay should be sufficiently longer than a transaction, to solve the following
-     * problem:
-     *
-     * <ul>
-     *   <li>a domain mutation flow starts a transaction
-     *   <li>the domain flow non-transactionally reads a resource and sees that it's not in
-     *       PENDING_DELETE
-     *   <li>the domain flow creates a new reference to this resource
-     *   <li>a contact/host delete flow runs and marks the resource PENDING_DELETE and commits
-     *   <li>the domain flow commits
-     * </ul>
-     *
-     * <p>Although we try not to add references to a PENDING_DELETE resource, strictly speaking that
-     * is ok as long as the mapreduce eventually sees the new reference (and therefore
-     * asynchronously fails the delete). Without this delay, the mapreduce might have started before
-     * the domain flow committed, and could potentially miss the reference.
-     *
-     * <p>If you are using EPP resource caching (eppResourceCachingEnabled in YAML), then this
-     * duration should also be longer than that cache duration (eppResourceCachingSeconds).
-     *
-     * @see google.registry.config.RegistryConfigSettings.Caching
-     * @see google.registry.batch.AsyncTaskEnqueuer
-     */
-    @Provides
-    @Config("asyncDeleteDelay")
-    public static Duration provideAsyncDeleteDelay(RegistryConfigSettings config) {
-      return Duration.standardSeconds(config.misc.asyncDeleteDelaySeconds);
-    }
-
     /**
      * The server ID used in the 'svID' element of an EPP 'greeting'.
      *
@@ -1076,24 +1065,6 @@ public final class RegistryConfig {
       return config.keyring.activeKeyring;
     }
 
-    /**
-     * The name to use for the Cloud KMS KeyRing containing encryption keys for Nomulus secrets.
-     *
-     * @see <a
-     *     href="https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings#KeyRing">projects.locations.keyRings</a>
-     */
-    @Provides
-    @Config("cloudKmsKeyRing")
-    public static String provideCloudKmsKeyRing(RegistryConfigSettings config) {
-      return config.keyring.kms.keyringName;
-    }
-
-    @Provides
-    @Config("cloudKmsProjectId")
-    public static String provideCloudKmsProjectId(RegistryConfigSettings config) {
-      return config.keyring.kms.projectId;
-    }
-
     @Provides
     @Config("customLogicFactoryClass")
     public static String provideCustomLogicFactoryClass(RegistryConfigSettings config) {
@@ -1197,6 +1168,12 @@ public final class RegistryConfig {
       return ImmutableSet.copyOf(config.oAuth.allowedOauthClientIds);
     }
 
+    @Provides
+    @Config("iapClientId")
+    public static Optional<String> provideIapClientId(RegistryConfigSettings config) {
+      return Optional.ofNullable(config.oAuth.iapClientId);
+    }
+
     /**
      * Provides the OAuth scopes required for accessing Google APIs using the default credential.
      */
@@ -1223,6 +1200,12 @@ public final class RegistryConfig {
       return ImmutableList.copyOf(config.credentialOAuth.localCredentialOauthScopes);
     }
 
+    @Provides
+    @Config("tokenRefreshDelay")
+    public static java.time.Duration provideTokenRefreshDelay(RegistryConfigSettings config) {
+      return java.time.Duration.ofSeconds(config.credentialOAuth.tokenRefreshDelaySeconds);
+    }
+
     /** OAuth client ID used by the nomulus tool. */
     @Provides
     @Config("toolsClientId")
@@ -1342,22 +1325,54 @@ public final class RegistryConfig {
       return config.contactHistory.minMonthsBeforeWipeOut;
     }
 
-    @Provides
-    @Config("wipeOutQueryBatchSize")
-    public static int provideWipeOutQueryBatchSize(RegistryConfigSettings config) {
-      return config.contactHistory.wipeOutQueryBatchSize;
-    }
-
     @Provides
     @Config("jdbcBatchSize")
     public static int provideHibernateJdbcBatchSize(RegistryConfigSettings config) {
       return config.hibernate.jdbcBatchSize;
     }
+
+    @Provides
+    @Config("packageCreateLimitEmailSubject")
+    public static String providePackageCreateLimitEmailSubject(RegistryConfigSettings config) {
+      return config.packageMonitoring.packageCreateLimitEmailSubject;
+    }
+
+    @Provides
+    @Config("packageCreateLimitEmailBody")
+    public static String providePackageCreateLimitEmailBody(RegistryConfigSettings config) {
+      return config.packageMonitoring.packageCreateLimitEmailBody;
+    }
+
+    @Provides
+    @Config("packageDomainLimitWarningEmailSubject")
+    public static String providePackageDomainLimitWarningEmailSubject(
+        RegistryConfigSettings config) {
+      return config.packageMonitoring.packageDomainLimitWarningEmailSubject;
+    }
+
+    @Provides
+    @Config("packageDomainLimitWarningEmailBody")
+    public static String providePackageDomainLimitWarningEmailBody(RegistryConfigSettings config) {
+      return config.packageMonitoring.packageDomainLimitWarningEmailBody;
+    }
+
+    @Provides
+    @Config("packageDomainLimitUpgradeEmailSubject")
+    public static String providePackageDomainLimitUpgradeEmailSubject(
+        RegistryConfigSettings config) {
+      return config.packageMonitoring.packageDomainLimitUpgradeEmailSubject;
+    }
+
+    @Provides
+    @Config("packageDomainLimitUpgradeEmailBody")
+    public static String providePackageDomainLimitUpgradeEmailBody(RegistryConfigSettings config) {
+      return config.packageMonitoring.packageDomainLimitUpgradeEmailBody;
+    }
   }
 
   /** Returns the App Engine project ID, which is based off the environment name. */
   public static String getProjectId() {
-    return CONFIG_SETTINGS.get().appEngine.projectId;
+    return CONFIG_SETTINGS.get().gcpProject.projectId;
   }
 
   /**
@@ -1370,7 +1385,7 @@ public final class RegistryConfig {
   }
 
   public static boolean areServersLocal() {
-    return CONFIG_SETTINGS.get().appEngine.isLocal;
+    return CONFIG_SETTINGS.get().gcpProject.isLocal;
   }
 
   /**
@@ -1379,7 +1394,7 @@ public final class RegistryConfig {
    * <p>This is used by the {@code nomulus} tool to connect to the App Engine remote API.
    */
   public static URL getDefaultServer() {
-    return makeUrl(CONFIG_SETTINGS.get().appEngine.defaultServiceUrl);
+    return makeUrl(CONFIG_SETTINGS.get().gcpProject.defaultServiceUrl);
   }
 
   /**
@@ -1388,7 +1403,7 @@ public final class RegistryConfig {
    * <p>This is used by the {@code nomulus} tool to connect to the App Engine remote API.
    */
   public static URL getBackendServer() {
-    return makeUrl(CONFIG_SETTINGS.get().appEngine.backendServiceUrl);
+    return makeUrl(CONFIG_SETTINGS.get().gcpProject.backendServiceUrl);
   }
 
   /**
@@ -1397,7 +1412,7 @@ public final class RegistryConfig {
    * <p>This is used by the {@code nomulus} tool to connect to the App Engine remote API.
    */
   public static URL getToolsServer() {
-    return makeUrl(CONFIG_SETTINGS.get().appEngine.toolsServiceUrl);
+    return makeUrl(CONFIG_SETTINGS.get().gcpProject.toolsServiceUrl);
   }
 
   /**
@@ -1406,7 +1421,7 @@ public final class RegistryConfig {
    * <p>This is used by the {@code nomulus} tool to connect to the App Engine remote API.
    */
   public static URL getPubapiServer() {
-    return makeUrl(CONFIG_SETTINGS.get().appEngine.pubapiServiceUrl);
+    return makeUrl(CONFIG_SETTINGS.get().gcpProject.pubapiServiceUrl);
   }
 
   /** Returns the amount of time a singleton should be cached, before expiring. */
@@ -1482,16 +1497,6 @@ public final class RegistryConfig {
     return CONFIG_SETTINGS.get().registryPolicy.defaultRegistrarWhoisServer;
   }
 
-  /** Returns the number of {@code EppResourceIndex} buckets to be used. */
-  public static int getEppResourceIndexBucketCount() {
-    return CONFIG_SETTINGS.get().datastore.eppResourceIndexBucketsNum;
-  }
-
-  /** Returns the base retry duration that gets doubled after each failure within {@code Ofy}. */
-  public static Duration getBaseOfyRetryDuration() {
-    return Duration.millis(CONFIG_SETTINGS.get().datastore.baseOfyRetryMillis);
-  }
-
   /** Returns the default database transaction isolation. */
   public static String getHibernateConnectionIsolation() {
     return CONFIG_SETTINGS.get().hibernate.connectionIsolation;

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -21,12 +21,11 @@ import java.util.Set;
 /** The POJO that YAML config files are deserialized into. */
 public class RegistryConfigSettings {
 
-  public AppEngine appEngine;
+  public GcpProject gcpProject;
   public GSuite gSuite;
   public OAuth oAuth;
   public CredentialOAuth credentialOAuth;
   public RegistryPolicy registryPolicy;
-  public Datastore datastore;
   public Hibernate hibernate;
   public CloudSql cloudSql;
   public CloudDns cloudDns;
@@ -43,16 +42,19 @@ public class RegistryConfigSettings {
   public SslCertificateValidation sslCertificateValidation;
   public ContactHistory contactHistory;
   public DnsUpdate dnsUpdate;
+  public PackageMonitoring packageMonitoring;
 
-  /** Configuration options that apply to the entire App Engine project. */
-  public static class AppEngine {
+  /** Configuration options that apply to the entire GCP project. */
+  public static class GcpProject {
     public String projectId;
+    public long projectIdNumber;
     public String locationId;
     public boolean isLocal;
     public String defaultServiceUrl;
     public String backendServiceUrl;
     public String toolsServiceUrl;
     public String pubapiServiceUrl;
+    public List<String> serviceAccountEmails;
   }
 
   /** Configuration options for OAuth settings for authenticating users. */
@@ -60,6 +62,7 @@ public class RegistryConfigSettings {
     public List<String> availableOauthScopes;
     public List<String> requiredOauthScopes;
     public List<String> allowedOauthClientIds;
+    public String iapClientId;
   }
 
   /** Configuration options for accessing Google APIs. */
@@ -67,6 +70,7 @@ public class RegistryConfigSettings {
     public List<String> defaultCredentialOauthScopes;
     public List<String> delegatedCredentialOauthScopes;
     public List<String> localCredentialOauthScopes;
+    public int tokenRefreshDelaySeconds;
   }
 
   /** Configuration options for the G Suite account used by Nomulus. */
@@ -106,12 +110,6 @@ public class RegistryConfigSettings {
     public boolean requireSslCertificates;
   }
 
-  /** Configuration for Cloud Datastore. */
-  public static class Datastore {
-    public int eppResourceIndexBucketsNum;
-    public int baseOfyRetryMillis;
-  }
-
   /** Configuration for Hibernate. */
   public static class Hibernate {
     public String connectionIsolation;
@@ -207,13 +205,13 @@ public class RegistryConfigSettings {
     public String alertRecipientEmailAddress;
     public String spec11OutgoingEmailAddress;
     public List<String> spec11BccEmailAddresses;
-    public int asyncDeleteDelaySeconds;
     public int transientFailureRetries;
   }
 
   /** Configuration for keyrings (used to store secrets outside of source). */
   public static class Keyring {
     public String activeKeyring;
+    // TODO(b/257276342): Remove after config files in nomulus-internal are updated.
     public Kms kms;
   }
 
@@ -245,7 +243,6 @@ public class RegistryConfigSettings {
   /** Configuration for contact history. */
   public static class ContactHistory {
     public int minMonthsBeforeWipeOut;
-    public int wipeOutQueryBatchSize;
   }
 
   /** Configuration for dns update. */
@@ -256,4 +253,14 @@ public class RegistryConfigSettings {
     public String registrySupportEmail;
     public String registryCcEmail;
   }
+
+  /** Configuration for package compliance monitoring. */
+  public static class PackageMonitoring {
+    public String packageCreateLimitEmailSubject;
+    public String packageCreateLimitEmailBody;
+    public String packageDomainLimitWarningEmailSubject;
+    public String packageDomainLimitWarningEmailBody;
+    public String packageDomainLimitUpgradeEmailSubject;
+    public String packageDomainLimitUpgradeEmailBody;
+  }
 }

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -5,12 +5,14 @@
 # to override some of these values to configure and enable some services used in
 # production environments.
 
-appEngine:
-  # Globally unique App Engine project ID
+gcpProject:
+  # Globally unique GCP project ID
   projectId: registry-project-id
-  # Location of the App engine project, note that us-central1 and europe-west1 are special in that
-  # they are used without the trailing number in App Engine commands and Google Cloud Console.
-  # See: https://cloud.google.com/appengine/docs/locations
+  # Corresponding project ID number
+  projectIdNumber: 123456789012
+  # Location of the GCP project, note that us-central1 and europe-west1 are special in that
+  # they are used without the trailing number in GCP commands and Google Cloud Console.
+  # See: https://cloud.google.com/appengine/docs/locations as an example
   locationId: registry-location-id
 
   # whether to use local/test credentials when connecting to the servers
@@ -20,6 +22,11 @@ appEngine:
   backendServiceUrl: https://localhost
   toolsServiceUrl: https://localhost
   pubapiServiceUrl: https://localhost
+  # Service accounts eligible for authorization (e.g. default service account,
+  # account used by Cloud Scheduler) to send authenticated requests.
+  serviceAccountEmails:
+  - default-service-account-email@email.com
+  - cloud-scheduler-email@email.com
 
 gSuite:
   # Publicly accessible domain name of the running G Suite instance.
@@ -182,15 +189,6 @@ registryPolicy:
   # should generally be true for production environments, for added security.
   requireSslCertificates: true
 
-datastore:
-  # Number of EPP resource index buckets in Datastore. Don’t change after
-  # initial install.
-  eppResourceIndexBucketsNum: 997
-
-  # Milliseconds that Objectify waits to retry a Datastore transaction (this
-  # doubles after each failure).
-  baseOfyRetryMillis: 100
-
 hibernate:
   # Make 'SERIALIZABLE' the default isolation level to ensure correctness.
   #
@@ -313,6 +311,9 @@ oAuth:
   # in this list. Client IDs are typically of the format
   # numbers-alphanumerics.apps.googleusercontent.com
   allowedOauthClientIds: []
+  # GCP Identity-Aware Proxy client ID, if set up (note: this requires manual setup
+  # of User objects in the database for Nomulus tool users)
+  iapClientId: null
 
 credentialOAuth:
   # OAuth scopes required for accessing Google APIs using the default
@@ -344,6 +345,9 @@ credentialOAuth:
   - https://www.googleapis.com/auth/userinfo.email
   # View and manage your applications deployed on Google App Engine
   - https://www.googleapis.com/auth/appengine.admin
+  # The lifetime of an access token generated by our custom credentials classes
+  # Must be shorter than one hour.
+  tokenRefreshDelaySeconds: 1800
 
 icannReporting:
   # URL we PUT monthly ICANN transactions reports to.
@@ -422,18 +426,13 @@ misc:
   spec11BccEmailAddresses:
     - abuse@example.com
 
-  # How long to delay processing of asynchronous deletions. This should always
-  # be longer than eppResourceCachingSeconds, to prevent deleted contacts or
-  # hosts from being used on domains.
-  asyncDeleteDelaySeconds: 90
-
   # Number of times to retry a GAE operation when a transient exception is thrown.
   # The number of milliseconds it'll sleep before giving up is (2^n - 2) * 100.
   transientFailureRetries: 12
 
 beam:
   # The default region to run Apache Beam (Cloud Dataflow) jobs in.
-  defaultJobRegion: us-east1
+  defaultJobRegion: us-central1
   # The GCE machine type to use when a job is CPU-intensive (e. g. RDE). Be sure
   # to check the VM CPU quota for the job region. In a massively parallel
   # pipeline this quota can be easily reached and needs to be raised, otherwise
@@ -450,7 +449,8 @@ beam:
   stagingBucketUrl: gcs-bucket-with-staged-templates
 
 keyring:
-  # The name of the active keyring, either "KMS" or "Dummy".
+  # The name of the active keyring, either "Dummy" or "CSM". The latter stands
+  # for Cloud SecretManager.
   activeKeyring: Dummy
 
   # Configuration options specific to Google Cloud KMS.
@@ -474,8 +474,6 @@ registryTool:
 contactHistory:
   # The number of months that a ContactHistory entity should be stored in the database.
   minMonthsBeforeWipeOut: 18
-  # The batch size for querying ContactHistory table in the database.
-  wipeOutQueryBatchSize: 500
 
 # Configuration options relevant to the DNS update functionality.
 dnsUpdate:
@@ -540,3 +538,56 @@ sslCertificateValidation:
   allowedEcdsaCurves:
     - secp256r1
     - secp384r1
+
+# Configuration options for the package compliance monitoring
+packageMonitoring:
+  # Email subject text to notify tech support that a package has exceeded the limit for domain creates
+  packageCreateLimitEmailSubject: "ACTION REQUIRED: Package needs to be upgraded"
+  # Email body text template notify support that a package has exceeded the limit for domain creates
+  packageCreateLimitEmailBody: >
+    Dear Support,
+    
+    A package has exceeded its max create limit and needs to be upgraded to the 
+    next tier.
+    
+    Package ID: %1$s
+    Package Token: %2$s
+    Registrar: %3$s
+    Current Max Create Limit: %4$s
+    Creates Completed: %5$s
+
+  # Email subject text to notify support that a package has exceeded the limit
+  # for current active domains and a warning needs to be sent
+  packageDomainLimitWarningEmailSubject: "ACTION REQUIRED: Package has exceeded the domain limit - send warning"
+  # Email body text template to inform support that a package has exceeded the
+  # limit for active domains and a warning needs to be sent that the package
+  # will be upgraded in 30 days
+  packageDomainLimitWarningEmailBody: >
+    Dear Support,
+    
+    A package has exceeded its max domain limit. Please send a warning to the 
+    registrar that their package will be upgraded to the next tier in 30 days if 
+    the number of active domains does not return below the limit.
+    
+    Package ID: %1$s
+    Package Token: %2$s
+    Registrar: %3$s
+    Active Domain Limit: %4$s
+    Current Active Domains: %5$s
+
+  # Email subject text to notify support that a package has exceeded the limit
+  # for current active domains for more than 30 days and needs to be upgraded
+  packageDomainLimitUpgradeEmailSubject: "ACTION REQUIRED: Package has exceeded the domain limit - upgrade package"
+  # Email body text template to inform support that a package has exceeded the
+  # limit for active domains for more than 30 days and needs to be upgraded
+  packageDomainLimitUpgradeEmailBody: >
+    Dear Support,
+    
+    A package has exceeded its max domain limit for over 30 days and needs to be 
+    upgraded to the next tier.
+    
+    Package ID: %1$s
+    Package Token: %2$s
+    Registrar: %3$s
+    Active Domain Limit: %4$s
+    Current Active Domains: %5$s

core/src/main/java/google/registry/config/files/nomulus-config-production-sample.yaml

@@ -2,7 +2,7 @@
 # This is the same as what Google Registry runs in production, except with
 # placeholders for Google-specific settings.
 
-appEngine:
+gcpProject:
   projectId: placeholder
   # Set to true if running against local servers (localhost)
   isLocal: false