Move App Engine cron jobs to cloud scheduler (#1939)

We have decided to use a separate table (#1940) to track DNS refresh requests
due to performance reasons.

See: go/registry-pull-queue-redesign

buildSrc/gradle.lockfile

@@ -10,25 +10,25 @@ com.github.ben-manes.caffeine:caffeine:2.7.0=annotationProcessor,testAnnotationP
 com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,testAnnotationProcessor
 com.google.android:annotations:4.1.1.4=testRuntimeClasspath
 com.google.api-client:google-api-client:2.1.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:gapic-google-cloud-storage-v2:2.17.0-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.17.0-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.17.0-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.12.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:api-common:2.4.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-grpc:2.21.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:0.106.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax:2.21.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.13.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.8.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:api-common:2.5.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.22.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-httpjson:0.107.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.22.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20220705-2.0.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.14.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.14.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.value:auto-value-annotations:1.10.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.value:auto-value:1.10.1=annotationProcessor,compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto:auto-common:0.10=annotationProcessor,testAnnotationProcessor
-com.google.cloud:google-cloud-core-grpc:2.9.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-http:2.9.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.9.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.17.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,testAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.code.gson:gson:2.10.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
@@ -71,19 +71,19 @@ commons-codec:commons-codec:1.15=compileClasspath,testCompileClasspath,testRunti
 commons-collections:commons-collections:3.2.2=checkstyle
 commons-logging:commons-logging:1.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 info.picocli:picocli:4.5.2=checkstyle
-io.grpc:grpc-alts:1.51.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-api:1.51.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.51.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-context:1.51.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.51.1=testRuntimeClasspath
-io.grpc:grpc-googleapis:1.51.1=testRuntimeClasspath
-io.grpc:grpc-grpclb:1.51.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty-shaded:1.51.1=testRuntimeClasspath
-io.grpc:grpc-protobuf-lite:1.51.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.51.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-services:1.51.1=testRuntimeClasspath
-io.grpc:grpc-stub:1.51.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-xds:1.51.1=testRuntimeClasspath
+io.grpc:grpc-alts:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.52.1=testRuntimeClasspath
+io.grpc:grpc-googleapis:1.52.1=testRuntimeClasspath
+io.grpc:grpc-grpclb:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.52.1=testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-services:1.52.1=testRuntimeClasspath
+io.grpc:grpc-stub:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-xds:1.52.1=testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-http-util:0.31.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-proto:0.2.0=testRuntimeClasspath
@@ -92,8 +92,8 @@ javax.annotation:javax.annotation-api:1.3.2=compileClasspath,testCompileClasspat
 javax.annotation:jsr250-api:1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 javax.inject:javax.inject:1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.12.19=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy:1.12.19=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.12.22=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.12.22=testCompileClasspath,testRuntimeClasspath
 net.sf.saxon:Saxon-HE:10.3=checkstyle
 org.antlr:antlr4-runtime:4.8-1=checkstyle
 org.apache.commons:commons-lang3:3.12.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
@@ -110,10 +110,10 @@ org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,testAnnota
 org.codehaus.mojo:animal-sniffer-annotations:1.22=testRuntimeClasspath
 org.conscrypt:conscrypt-openjdk-uber:2.5.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.hamcrest:hamcrest-core:1.3=testCompileClasspath,testRuntimeClasspath
-org.jacoco:org.jacoco.agent:0.8.6=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.6=jacocoAnt
+org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
 org.json:json:20160212=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.junit.jupiter:junit-jupiter-api:5.9.2=testCompileClasspath,testRuntimeClasspath
@@ -121,19 +121,18 @@ org.junit.jupiter:junit-jupiter-engine:5.9.2=testCompileClasspath,testRuntimeCla
 org.junit.platform:junit-platform-commons:1.9.2=testCompileClasspath,testRuntimeClasspath
 org.junit.platform:junit-platform-engine:1.9.2=testCompileClasspath,testRuntimeClasspath
 org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-core:4.11.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.0.0=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:3.3=testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-analysis:8.0.1=jacocoAnt
+org.ow2.asm:asm-analysis:9.1=jacocoAnt
 org.ow2.asm:asm-commons:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-commons:8.0.1=jacocoAnt
+org.ow2.asm:asm-commons:9.1=jacocoAnt
 org.ow2.asm:asm-tree:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-tree:8.0.1=jacocoAnt
+org.ow2.asm:asm-tree:9.1=jacocoAnt
 org.ow2.asm:asm-util:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm:7.0=compileClasspath
-org.ow2.asm:asm:8.0.1=jacocoAnt
-org.ow2.asm:asm:9.1=testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm:9.1=jacocoAnt,testCompileClasspath,testRuntimeClasspath
 org.pcollections:pcollections:2.1.2=annotationProcessor,testAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,testAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,testAnnotationProcessor

buildSrc/src/main/java/google/registry/gradle/plugin/ProjectData.java

@@ -17,7 +17,6 @@ package google.registry.gradle.plugin;
 import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
-import google.registry.gradle.plugin.ProjectData.TaskData;
 import java.util.Map;
 import java.util.Optional;
 import java.util.function.Supplier;

common/build.gradle

@@ -38,6 +38,7 @@ configurations {
 
   // All testing util classes. Other projects may declare dependency as:
   // testImplementation project(path: 'common', configuration: 'testing')
+  create("testing")
   testing.extendsFrom testingCompileOnly
 }
 

common/gradle.lockfile

@@ -45,10 +45,10 @@ org.checkerframework:dataflow:3.0.0=annotationProcessor,errorprone,testAnnotatio
 org.checkerframework:javacutil:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.hamcrest:hamcrest-core:1.3=default,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-org.jacoco:org.jacoco.agent:0.8.6=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.6=jacocoAnt
+org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
 org.junit.jupiter:junit-jupiter-api:5.9.2=testCompileClasspath,testRuntimeClasspath
 org.junit.jupiter:junit-jupiter-engine:5.9.2=testCompileClasspath,testRuntimeClasspath
@@ -56,11 +56,10 @@ org.junit.platform:junit-platform-commons:1.9.2=testCompileClasspath,testRuntime
 org.junit.platform:junit-platform-engine:1.9.2=testCompileClasspath,testRuntimeClasspath
 org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-analysis:8.0.1=jacocoAnt
-org.ow2.asm:asm-commons:8.0.1=jacocoAnt
-org.ow2.asm:asm-tree:8.0.1=jacocoAnt
-org.ow2.asm:asm:8.0.1=jacocoAnt
-org.ow2.asm:asm:9.1=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+org.ow2.asm:asm-analysis:9.1=jacocoAnt
+org.ow2.asm:asm-commons:9.1=jacocoAnt
+org.ow2.asm:asm-tree:9.1=jacocoAnt
+org.ow2.asm:asm:9.1=compileClasspath,default,deploy_jar,jacocoAnt,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 org.pcollections:pcollections:2.1.2=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor

config/dependency-license/allowed_licenses.json

@@ -270,6 +270,10 @@
       "moduleLicense": "Public Domain",
       "moduleName": "org.tukaani:xz"
     },
+    {
+      "moduleLicense": "Public Domain",
+      "moduleName": "org.json:json"
+    },
     {
       // "Apache License, Version 2.0".
       "moduleLicense": null,

console-webapp/gradle.lockfile

@@ -31,15 +31,15 @@ org.checkerframework:checker-qual:3.0.0=annotationProcessor,errorprone,testAnnot
 org.checkerframework:dataflow:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor
 org.checkerframework:javacutil:3.0.0=annotationProcessor,errorprone,testAnnotationProcessor
 org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,errorprone,testAnnotationProcessor
-org.jacoco:org.jacoco.agent:0.8.6=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.6=jacocoAnt
+org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
-org.ow2.asm:asm-analysis:8.0.1=jacocoAnt
-org.ow2.asm:asm-commons:8.0.1=jacocoAnt
-org.ow2.asm:asm-tree:8.0.1=jacocoAnt
-org.ow2.asm:asm:8.0.1=jacocoAnt
+org.ow2.asm:asm-analysis:9.1=jacocoAnt
+org.ow2.asm:asm-commons:9.1=jacocoAnt
+org.ow2.asm:asm-tree:9.1=jacocoAnt
+org.ow2.asm:asm:9.1=jacocoAnt
 org.pcollections:pcollections:2.1.2=annotationProcessor,errorprone,testAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,errorprone,testAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,errorprone,testAnnotationProcessor

console-webapp/package-lock.json

@@ -6824,9 +6824,9 @@
       "dev": true
     },
     "node_modules/http-cache-semantics": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz",
-      "integrity": "sha512-carPklcUh7ROWRK7Cv27RPtdhYhUsela/ue5/jKzjegVvXDqM2ILE9Q2BGn9JZJh1g87cp56su/FgQSzcWS8cQ==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz",
+      "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==",
       "dev": true
     },
     "node_modules/http-deceiver": {
@@ -11362,9 +11362,9 @@
       }
     },
     "node_modules/ua-parser-js": {
-      "version": "0.7.31",
-      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.31.tgz",
-      "integrity": "sha512-qLK/Xe9E2uzmYI3qLeOmI0tEOt+TBBQyUIAh4aAgU05FVYzeZrKUdkAZfBNVGRaHVgV0TDkdEngJSw/SyQchkQ==",
+      "version": "0.7.33",
+      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.33.tgz",
+      "integrity": "sha512-s8ax/CeZdK9R/56Sui0WM6y9OFREJarMRHqLB2EwkovemBxNQ+Bqu8GAsUnVcXKgphb++ghr/B2BZx4mahujPw==",
       "dev": true,
       "funding": [
         {
@@ -17202,9 +17202,9 @@
       "dev": true
     },
     "http-cache-semantics": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz",
-      "integrity": "sha512-carPklcUh7ROWRK7Cv27RPtdhYhUsela/ue5/jKzjegVvXDqM2ILE9Q2BGn9JZJh1g87cp56su/FgQSzcWS8cQ==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz",
+      "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==",
       "dev": true
     },
     "http-deceiver": {
@@ -20623,9 +20623,9 @@
       "dev": true
     },
     "ua-parser-js": {
-      "version": "0.7.31",
-      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.31.tgz",
-      "integrity": "sha512-qLK/Xe9E2uzmYI3qLeOmI0tEOt+TBBQyUIAh4aAgU05FVYzeZrKUdkAZfBNVGRaHVgV0TDkdEngJSw/SyQchkQ==",
+      "version": "0.7.33",
+      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.33.tgz",
+      "integrity": "sha512-s8ax/CeZdK9R/56Sui0WM6y9OFREJarMRHqLB2EwkovemBxNQ+Bqu8GAsUnVcXKgphb++ghr/B2BZx4mahujPw==",
       "dev": true
     },
     "unicode-canonical-property-names-ecmascript": {

core/gradle.lockfile

@@ -37,49 +37,45 @@ com.google.api-client:google-api-client-jackson2:1.32.2=compileClasspath,default
 com.google.api-client:google-api-client-java6:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client-servlet:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:gapic-google-cloud-storage-v2:2.16.0-alpha=testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:gapic-google-cloud-storage-v2:2.17.0-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:2.23.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.147.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.147.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:1.27.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.102.20=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.7.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.31.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.31.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-v1:6.31.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.16.0-alpha=testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.17.0-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.api.grpc:grpc-google-common-protos:2.9.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-iam-v1:1.6.22=testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:2.23.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.147.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.147.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-v2:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-datastore-v1:0.102.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-firestore-v1:3.6.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.103.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-common-protos:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-datastore-v1:0.103.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-firestore-v1:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:proto-google-cloud-monitoring-v3:1.64.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.api.grpc:proto-google-cloud-monitoring-v3:3.4.6=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsub-v1:1.102.20=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.7.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.31.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.31.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-v1:6.31.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.16.0-alpha=testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.17.0-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2:2.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.98.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.98.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.12.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.7.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:api-common:2.4.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-grpc:2.21.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:0.106.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax:2.21.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-monitoring-v3:3.6.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsub-v1:1.103.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.99.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.99.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.13.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:api-common:2.5.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-httpjson:0.107.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-admin-directory:directory_v1-rev118-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-appengine:v1-rev20230109-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-bigquery:v2-rev20220924-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -91,10 +87,10 @@ com.google.apis:google-api-services-drive:v2-rev393-1.25.0=compileClasspath,defa
 com.google.apis:google-api-services-groupssettings:v1-rev20210624-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-healthcare:v1-rev20220818-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-iamcredentials:v1-rev20210326-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-monitoring:v3-rev20221205-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-monitoring:v3-rev20230123-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-sheets:v4-rev20221216-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-sqladmin:v1beta4-rev20221209-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-sqladmin:v1beta4-rev20230111-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20220705-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.appengine:appengine-api-1.0-sdk:1.9.86=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
 com.google.appengine:appengine-api-1.0-sdk:2.0.10=testCompileClasspath,testRuntimeClasspath
@@ -114,30 +110,26 @@ com.google.cloud.bigdataoss:util:2.2.6=compileClasspath,default,deploy_jar,nonpr
 com.google.cloud.bigtable:bigtable-client-core:1.26.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.bigtable:bigtable-metrics-api:1.26.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.datastore:datastore-v1-proto-client:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:jdbc-socket-factory-core:1.8.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:postgres-socket-factory:1.8.1=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigquerystorage:2.23.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigtable-stats:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigtable:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-grpc:2.9.0=testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-grpc:2.9.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.cloud:google-cloud-core-http:2.9.0=testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-http:2.9.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.cloud:google-cloud-core:2.9.0=testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.9.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.cloud:google-cloud-firestore:3.6.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:jdbc-socket-factory-core:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:postgres-socket-factory:1.9.0=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigquerystorage:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable-stats:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-firestore:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:google-cloud-monitoring:1.82.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.cloud:google-cloud-monitoring:3.4.6=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-nio:0.126.0=testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsub:1.120.20=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsublite:1.7.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-secretmanager:2.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-spanner:6.31.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.16.0=testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.cloud:google-cloud-tasks:2.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:grpc-gcp:1.2.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.6.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-monitoring:3.6.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-nio:0.126.3=testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsub:1.121.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsublite:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-secretmanager:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-spanner:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.17.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-tasks:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:grpc-gcp:1.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.1=css
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntime,nonprodRuntimeClasspath,runtime,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
@@ -248,37 +240,37 @@ io.confluent:kafka-schema-registry-client:5.3.2=compileClasspath,default,deploy_
 io.dropwizard.metrics:metrics-core:3.1.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.classgraph:classgraph:4.8.104=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.java-diff-utils:java-diff-utils:4.12=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-alts:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-api:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-census:1.49.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-context:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-googleapis:1.51.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-grpclb:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty-shaded:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty:1.49.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf-lite:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-rls:1.49.2=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-services:1.49.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-services:1.51.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-stub:1.51.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-xds:1.49.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-xds:1.51.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-buffer:4.1.77.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-http2:4.1.77.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-http:4.1.77.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-codec-socks:4.1.77.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-codec:4.1.77.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-common:4.1.77.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-handler-proxy:4.1.77.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-handler:4.1.77.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-resolver:4.1.77.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-alts:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-census:1.50.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-googleapis:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-grpclb:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty:1.50.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-rls:1.50.2=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-services:1.50.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+io.grpc:grpc-services:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-stub:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-xds:1.50.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+io.grpc:grpc-xds:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.netty:netty-buffer:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-http2:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-http:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-codec-socks:4.1.79.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.netty:netty-codec:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-common:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-handler-proxy:4.1.79.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.netty:netty-handler:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-resolver:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-tcnative-boringssl-static:2.0.52.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-tcnative-classes:2.0.52.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.netty:netty-transport-native-unix-common:4.1.77.Final=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.netty:netty-transport:4.1.77.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-transport-native-unix-common:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-transport:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-exemplar-util:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-grpc-metrics:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -310,9 +302,9 @@ jline:jline:1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonp
 joda-time:joda-time:2.10.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=default,nonprodCompileClasspath,nonprodRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.arnx:nashorn-promise:0.1.1=nonprodRuntime,runtime,testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.12.19=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.12.22=testCompileClasspath,testRuntimeClasspath
 net.bytebuddy:byte-buddy:1.12.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-net.bytebuddy:byte-buddy:1.12.19=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.12.22=testCompileClasspath,testRuntimeClasspath
 net.java.dev.javacc:javacc:4.1=css
 net.java.dev.jna:jna:5.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.ltgt.gradle.incap:incap:0.2=annotationProcessor,testAnnotationProcessor
@@ -322,22 +314,22 @@ org.apache.arrow:arrow-format:5.0.0=compileClasspath,default,deploy_jar,nonprodC
 org.apache.arrow:arrow-memory-core:5.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.arrow:arrow-vector:5.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.avro:avro:1.8.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-fn-execution:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-job-management:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-pipeline:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-construction-java:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-java:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-direct-java:2.43.0=testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-google-cloud-dataflow-java:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-java-fn-execution:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-core:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-expansion-service:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-arrow:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-protobuf:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-fn-execution:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-kafka:2.43.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-job-management:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-pipeline:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-construction-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-direct-java:2.44.0=testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-google-cloud-dataflow-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-java-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-core:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-expansion-service:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-arrow:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-protobuf:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-kafka:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-grpc-1_48_1:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-compress:1.22=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -381,7 +373,7 @@ org.eclipse.jetty:jetty-server:9.4.49.v20220914=compileClasspath,default,deploy_
 org.eclipse.jetty:jetty-servlet:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-util-ajax:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-util:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.flywaydb:flyway-core:9.11.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.flywaydb:flyway-core:9.12.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.glassfish.jaxb:jaxb-core:4.0.1=nonprodRuntime,runtime
 org.glassfish.jaxb:jaxb-runtime:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.glassfish.jaxb:jaxb-runtime:4.0.1=nonprodRuntime,runtime
@@ -397,10 +389,10 @@ org.hamcrest:hamcrest:2.2=testCompileClasspath,testRuntimeClasspath
 org.hibernate.common:hibernate-commons-annotations:5.1.2.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.hibernate:hibernate-core:5.6.14.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.hibernate:hibernate-hikaricp:5.6.14.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.jacoco:org.jacoco.agent:0.8.6=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.6=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.6=jacocoAnt
+org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
 org.jboss.logging:jboss-logging:3.4.3.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:1.1.1.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -431,26 +423,26 @@ org.junit.platform:junit-platform-suite-commons:1.9.2=testRuntimeClasspath
 org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
 org.jvnet.staxex:stax-ex:1.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.mockito:mockito-core:1.10.19=css
-org.mockito:mockito-core:4.11.0=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-junit-jupiter:4.11.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.0.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-junit-jupiter:5.0.0=testCompileClasspath,testRuntimeClasspath
 org.mortbay.jetty:jetty-util:6.1.26=testCompileClasspath,testRuntimeClasspath
 org.mortbay.jetty:jetty:6.1.26=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:2.1=css
 org.objenesis:objenesis:3.3=testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:7.0=soy
-org.ow2.asm:asm-analysis:8.0.1=jacocoAnt
+org.ow2.asm:asm-analysis:9.1=jacocoAnt
 org.ow2.asm:asm-analysis:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-commons:7.0=soy
-org.ow2.asm:asm-commons:8.0.1=jacocoAnt
+org.ow2.asm:asm-commons:9.1=jacocoAnt
 org.ow2.asm:asm-commons:9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-tree:7.0=soy
-org.ow2.asm:asm-tree:8.0.1=jacocoAnt
+org.ow2.asm:asm-tree:9.1=jacocoAnt
 org.ow2.asm:asm-tree:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-util:7.0=soy
 org.ow2.asm:asm-util:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm:7.0=soy
-org.ow2.asm:asm:8.0.1=jacocoAnt
+org.ow2.asm:asm:9.1=jacocoAnt
 org.ow2.asm:asm:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.pcollections:pcollections:2.1.2=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor

core/src/main/java/google/registry/batch/BatchModule.java

@@ -105,10 +105,22 @@ public class BatchModule {
   }
 
   @Provides
-  @Parameter(ExpandRecurringBillingEventsAction.PARAM_CURSOR_TIME)
-  static Optional<DateTime> provideCursorTime(HttpServletRequest req) {
+  @Parameter(ExpandRecurringBillingEventsAction.PARAM_START_TIME)
+  static Optional<DateTime> provideStartTime(HttpServletRequest req) {
     return extractOptionalDatetimeParameter(
-        req, ExpandRecurringBillingEventsAction.PARAM_CURSOR_TIME);
+        req, ExpandRecurringBillingEventsAction.PARAM_START_TIME);
+  }
+
+  @Provides
+  @Parameter(ExpandRecurringBillingEventsAction.PARAM_END_TIME)
+  static Optional<DateTime> provideEndTime(HttpServletRequest req) {
+    return extractOptionalDatetimeParameter(req, ExpandRecurringBillingEventsAction.PARAM_END_TIME);
+  }
+
+  @Provides
+  @Parameter(ExpandRecurringBillingEventsAction.PARAM_ADVANCE_CURSOR)
+  static boolean provideAdvanceCursor(HttpServletRequest req) {
+    return extractBooleanParameter(req, ExpandRecurringBillingEventsAction.PARAM_ADVANCE_CURSOR);
   }
 
   @Provides

core/src/main/java/google/registry/batch/ExpandRecurringBillingEventsAction.java

@@ -15,58 +15,39 @@
 package google.registry.batch;
 
 import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static com.google.common.collect.Sets.difference;
-import static com.google.common.collect.Sets.newHashSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
+import static google.registry.beam.BeamUtils.createJobName;
 import static google.registry.model.common.Cursor.CursorType.RECURRING_BILLING;
-import static google.registry.model.domain.Period.Unit.YEARS;
-import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_AUTORENEW;
-import static google.registry.persistence.transaction.QueryComposer.Comparator.EQ;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-import static google.registry.util.CollectionUtils.union;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
-import static google.registry.util.DateTimeUtils.earliestOf;
-import static google.registry.util.DomainNameUtils.getTldFromDomainName;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
 
-import com.google.auto.value.AutoValue;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Range;
-import com.google.common.collect.Streams;
+import com.google.api.services.dataflow.Dataflow;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateParameter;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateRequest;
+import com.google.api.services.dataflow.model.LaunchFlexTemplateResponse;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
+import google.registry.beam.billing.ExpandRecurringBillingEventsPipeline;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.flows.domain.DomainPricingLogic;
-import google.registry.model.ImmutableObject;
-import google.registry.model.billing.BillingEvent;
-import google.registry.model.billing.BillingEvent.Flag;
+import google.registry.config.RegistryEnvironment;
 import google.registry.model.billing.BillingEvent.OneTime;
 import google.registry.model.billing.BillingEvent.Recurring;
 import google.registry.model.common.Cursor;
-import google.registry.model.domain.Domain;
-import google.registry.model.domain.DomainHistory;
-import google.registry.model.domain.Period;
-import google.registry.model.reporting.DomainTransactionRecord;
-import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
-import google.registry.model.tld.Registry;
-import google.registry.persistence.VKey;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
-import java.util.List;
+import java.io.IOException;
 import java.util.Optional;
-import java.util.Set;
-import java.util.concurrent.TimeUnit;
 import javax.inject.Inject;
 import org.joda.time.DateTime;
 
 /**
- * An action that expands {@link Recurring} billing events into synthetic {@link OneTime} events.
- *
- * <p>The cursor used throughout this action (overridden if necessary using the parameter {@code
- * cursorTime}) represents the inclusive lower bound on the range of billing times that will be
- * expanded as a result of the job (the exclusive upper bound being the execution time of the job).
+ * An action that kicks off a {@link ExpandRecurringBillingEventsPipeline} dataflow job to expand
+ * {@link Recurring} billing events into synthetic {@link OneTime} events.
  */
 @Action(
     service = Action.Service.BACKEND,
@@ -74,303 +55,109 @@ import org.joda.time.DateTime;
     auth = Auth.AUTH_INTERNAL_OR_ADMIN)
 public class ExpandRecurringBillingEventsAction implements Runnable {
 
-  public static final String PARAM_CURSOR_TIME = "cursorTime";
+  public static final String PARAM_START_TIME = "startTime";
+  public static final String PARAM_END_TIME = "endTime";
+  public static final String PARAM_ADVANCE_CURSOR = "advanceCursor";
+
+  private static final String PIPELINE_NAME = "expand_recurring_billing_events_pipeline";
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   @Inject Clock clock;
 
   @Inject
-  @Config("jdbcBatchSize")
-  int batchSize;
+  @Parameter(PARAM_DRY_RUN)
+  boolean isDryRun;
 
-  @Inject @Parameter(PARAM_DRY_RUN) boolean isDryRun;
-  @Inject @Parameter(PARAM_CURSOR_TIME) Optional<DateTime> cursorTimeParam;
+  @Inject
+  @Parameter(PARAM_ADVANCE_CURSOR)
+  boolean advanceCursor;
+
+  @Inject
+  @Parameter(PARAM_START_TIME)
+  Optional<DateTime> startTimeParam;
+
+  @Inject
+  @Parameter(PARAM_END_TIME)
+  Optional<DateTime> endTimeParam;
+
+  @Inject
+  @Config("projectId")
+  String projectId;
+
+  @Inject
+  @Config("defaultJobRegion")
+  String jobRegion;
+
+  @Inject
+  @Config("beamStagingBucketUrl")
+  String stagingBucketUrl;
+
+  @Inject Dataflow dataflow;
 
-  @Inject DomainPricingLogic domainPricingLogic;
   @Inject Response response;
-  @Inject ExpandRecurringBillingEventsAction() {}
+
+  @Inject
+  ExpandRecurringBillingEventsAction() {}
 
   @Override
   public void run() {
-    DateTime executeTime = clock.nowUtc();
-    DateTime persistedCursorTime =
-        tm().transact(
-                () ->
-                    tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
-                        .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
-                        .getCursorTime());
-    DateTime cursorTime = cursorTimeParam.orElse(persistedCursorTime);
+    checkArgument(!(isDryRun && advanceCursor), "Cannot advance the cursor in a dry run.");
+    DateTime endTime = endTimeParam.orElse(clock.nowUtc());
     checkArgument(
-        cursorTime.isBefore(executeTime), "Cursor time must be earlier than execution time.");
-    logger.atInfo().log(
-        "Running Recurring billing event expansion for billing time range [%s, %s).",
-        cursorTime, executeTime);
-    expandSqlBillingEventsInBatches(executeTime, cursorTime, persistedCursorTime);
-  }
-
-  private void expandSqlBillingEventsInBatches(
-      DateTime executeTime, DateTime cursorTime, DateTime persistedCursorTime) {
-    int totalBillingEventsSaved = 0;
-    long maxProcessedRecurrenceId = 0;
-    SqlBatchResults sqlBatchResults;
-
-    do {
-      final long prevMaxProcessedRecurrenceId = maxProcessedRecurrenceId;
-      sqlBatchResults =
-          tm().transact(
-                  () -> {
-                    Set<String> expandedDomains = newHashSet();
-                    int batchBillingEventsSaved = 0;
-                    long maxRecurrenceId = prevMaxProcessedRecurrenceId;
-                    List<Recurring> recurrings =
-                        tm().query(
-                                "FROM BillingRecurrence "
-                                    + "WHERE eventTime <= :executeTime "
-                                    + "AND eventTime < recurrenceEndTime "
-                                    + "AND id > :maxProcessedRecurrenceId "
-                                    + "AND recurrenceEndTime > :adjustedCursorTime "
-                                    + "ORDER BY id ASC",
-                                Recurring.class)
-                            .setParameter("executeTime", executeTime)
-                            .setParameter("maxProcessedRecurrenceId", prevMaxProcessedRecurrenceId)
-                            .setParameter(
-                                "adjustedCursorTime",
-                                cursorTime.minus(Registry.DEFAULT_AUTO_RENEW_GRACE_PERIOD))
-                            .setMaxResults(batchSize)
-                            .getResultList();
-                    for (Recurring recurring : recurrings) {
-                      if (expandedDomains.contains(recurring.getTargetId())) {
-                        // On the off chance this batch contains multiple recurrences for the same
-                        // domain (which is actually possible if a given domain is quickly renewed
-                        // multiple times in a row), then short-circuit after the first one is
-                        // processed that involves actually expanding a billing event. This is
-                        // necessary because otherwise we get an "Inserted/updated object reloaded"
-                        // error from Hibernate when those billing events would be loaded
-                        // inside a transaction where they were already written. Note, there is no
-                        // actual further work to be done in this case anyway, not unless it has
-                        // somehow been over a year since this action last ran successfully (and if
-                        // that were somehow true, the remaining billing events would still be
-                        // expanded on subsequent runs).
-                        continue;
-                      }
-                      int billingEventsSaved =
-                          expandBillingEvent(
-                              recurring, executeTime, cursorTime, isDryRun, domainPricingLogic);
-                      batchBillingEventsSaved += billingEventsSaved;
-                      if (billingEventsSaved > 0) {
-                        expandedDomains.add(recurring.getTargetId());
-                      }
-                      maxRecurrenceId = Math.max(maxRecurrenceId, recurring.getId());
-                    }
-                    return SqlBatchResults.create(
-                        batchBillingEventsSaved,
-                        maxRecurrenceId,
-                        maxRecurrenceId > prevMaxProcessedRecurrenceId);
-                  });
-      totalBillingEventsSaved += sqlBatchResults.batchBillingEventsSaved();
-      maxProcessedRecurrenceId = sqlBatchResults.maxProcessedRecurrenceId();
-      if (sqlBatchResults.batchBillingEventsSaved() > 0) {
-        logger.atInfo().log(
-            "Saved %d billing events in batch (%d total) with max recurrence id %d.",
-            sqlBatchResults.batchBillingEventsSaved(),
-            totalBillingEventsSaved,
-            maxProcessedRecurrenceId);
-      } else {
-        // If we're churning through a lot of no-op recurrences that don't need expanding (yet?),
-        // then only log one no-op every so often as a good balance between letting the user track
-        // that the action is still running while also not spamming the logs incessantly.
-        logger.atInfo().atMostEvery(3, TimeUnit.MINUTES).log(
-            "Processed up to max recurrence id %d (no billing events saved recently).",
-            maxProcessedRecurrenceId);
-      }
-    } while (sqlBatchResults.shouldContinue());
-
-    if (!isDryRun) {
-      logger.atInfo().log("Saved %d total OneTime billing events.", totalBillingEventsSaved);
-    } else {
-      logger.atInfo().log(
-          "Generated %d total OneTime billing events (dry run).", totalBillingEventsSaved);
-    }
-    logger.atInfo().log(
-        "Recurring event expansion %s complete for billing event range [%s, %s).",
-        isDryRun ? "(dry run) " : "", cursorTime, executeTime);
-    tm().transact(
-            () -> {
-              // Check for the unlikely scenario where the cursor has been altered during the
-              // expansion.
-              DateTime currentCursorTime =
-                  tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
-                      .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
-                      .getCursorTime();
-              if (!currentCursorTime.equals(persistedCursorTime)) {
-                throw new IllegalStateException(
+        !endTime.isAfter(clock.nowUtc()), "End time (%s) must be at or before now", endTime);
+    DateTime startTime =
+        startTimeParam.orElse(
+            tm().transact(
+                    () ->
+                        tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
+                            .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
+                            .getCursorTime()));
+    checkArgument(
+        startTime.isBefore(endTime),
+        String.format("Start time (%s) must be before end time (%s)", startTime, endTime));
+    LaunchFlexTemplateParameter launchParameter =
+        new LaunchFlexTemplateParameter()
+            .setJobName(
+                createJobName(
                     String.format(
-                        "Current cursor position %s does not match persisted cursor position %s.",
-                        currentCursorTime, persistedCursorTime));
-              }
-              if (!isDryRun) {
-                tm().put(Cursor.createGlobal(RECURRING_BILLING, executeTime));
-              }
-            });
-  }
-
-  @AutoValue
-  abstract static class SqlBatchResults {
-    abstract int batchBillingEventsSaved();
-
-    abstract long maxProcessedRecurrenceId();
-
-    abstract boolean shouldContinue();
-
-    static SqlBatchResults create(
-        int batchBillingEventsSaved, long maxProcessedRecurrenceId, boolean shouldContinue) {
-      return new AutoValue_ExpandRecurringBillingEventsAction_SqlBatchResults(
-          batchBillingEventsSaved, maxProcessedRecurrenceId, shouldContinue);
+                        "expand-billing-%s", startTime.toString("yyyy-MM-dd't'HH-mm-ss'z'")),
+                    clock))
+            .setContainerSpecGcsPath(
+                String.format("%s/%s_metadata.json", stagingBucketUrl, PIPELINE_NAME))
+            .setParameters(
+                new ImmutableMap.Builder<String, String>()
+                    .put("registryEnvironment", RegistryEnvironment.get().name())
+                    .put("startTime", startTime.toString("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"))
+                    .put("endTime", endTime.toString("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"))
+                    .put("isDryRun", Boolean.toString(isDryRun))
+                    .put("advanceCursor", Boolean.toString(advanceCursor))
+                    .build());
+    logger.atInfo().log(
+        "Launching recurring billing event expansion pipeline for event time range [%s, %s)%s.",
+        startTime,
+        endTime,
+        isDryRun ? " in dry run mode" : advanceCursor ? "" : " without advancing the cursor");
+    try {
+      LaunchFlexTemplateResponse launchResponse =
+          dataflow
+              .projects()
+              .locations()
+              .flexTemplates()
+              .launch(
+                  projectId,
+                  jobRegion,
+                  new LaunchFlexTemplateRequest().setLaunchParameter(launchParameter))
+              .execute();
+      logger.atInfo().log("Got response: %s", launchResponse.getJob().toPrettyString());
+      response.setStatus(SC_OK);
+      response.setPayload(
+          String.format(
+              "Launched recurring billing event expansion pipeline: %s",
+              launchResponse.getJob().getId()));
+    } catch (IOException e) {
+      logger.atWarning().withCause(e).log("Pipeline Launch failed");
+      response.setStatus(SC_INTERNAL_SERVER_ERROR);
+      response.setPayload(String.format("Pipeline launch failed: %s", e.getMessage()));
     }
   }
-
-  private static int expandBillingEvent(
-      Recurring recurring,
-      DateTime executeTime,
-      DateTime cursorTime,
-      boolean isDryRun,
-      DomainPricingLogic domainPricingLogic) {
-    ImmutableSet.Builder<OneTime> syntheticOneTimesBuilder = new ImmutableSet.Builder<>();
-    final Registry tld = Registry.get(getTldFromDomainName(recurring.getTargetId()));
-
-    // Determine the complete set of times at which this recurring event should
-    // occur (up to and including the runtime of the action).
-    Iterable<DateTime> eventTimes =
-        recurring
-            .getRecurrenceTimeOfYear()
-            .getInstancesInRange(
-                Range.closed(
-                    recurring.getEventTime(),
-                    earliestOf(recurring.getRecurrenceEndTime(), executeTime)));
-
-    // Convert these event times to billing times
-    final ImmutableSet<DateTime> billingTimes =
-        getBillingTimesInScope(eventTimes, cursorTime, executeTime, tld);
-
-    VKey<Domain> domainKey = VKey.create(Domain.class, recurring.getDomainRepoId());
-    Iterable<OneTime> oneTimesForDomain;
-    oneTimesForDomain =
-        tm().createQueryComposer(OneTime.class)
-            .where("domainRepoId", EQ, recurring.getDomainRepoId())
-            .list();
-
-    // Determine the billing times that already have OneTime events persisted.
-    ImmutableSet<DateTime> existingBillingTimes =
-        getExistingBillingTimes(oneTimesForDomain, recurring);
-
-    ImmutableSet.Builder<DomainHistory> historyEntriesBuilder = new ImmutableSet.Builder<>();
-    // Create synthetic OneTime events for all billing times that do not yet have
-    // an event persisted.
-    for (DateTime billingTime : difference(billingTimes, existingBillingTimes)) {
-      // Construct a new HistoryEntry that parents over the OneTime
-      DomainHistory historyEntry =
-          new DomainHistory.Builder()
-              .setBySuperuser(false)
-              .setRegistrarId(recurring.getRegistrarId())
-              .setModificationTime(tm().getTransactionTime())
-              .setDomain(tm().loadByKey(domainKey))
-              .setPeriod(Period.create(1, YEARS))
-              .setReason("Domain autorenewal by ExpandRecurringBillingEventsAction")
-              .setRequestedByRegistrar(false)
-              .setType(DOMAIN_AUTORENEW)
-              // Note: the following statement seems to not be entirely correct as manual renewal
-              // during the autorenew grace period also closes out the existing recurrence, but in
-              // that instance the autorenew history entry should still have the transaction records
-              // for obvious reasons. It can be argued the history entry should always have the
-              // transaction record, regardless of what happens afterward. If the domain is deleted
-              // later during the autorenew grace period, another history entry for the delete would
-              // record that mutation separately, but the previous autorenew should not have its
-              // history entry retroactively altered, or in this case have the transaction records
-              // omitted when its created belatedly (when billing time is in scope). However, since
-              // we will be rewriting this action and only want to do the absolute minimum change to
-              // fix it for now, we will leave the current logic in place to avoid any unnecessary
-              // complications.
-              //
-              // Don't write a domain transaction record if the recurrence was
-              // ended prior to the billing time (i.e. a domain was deleted
-              // during the autorenew grace period).
-              .setDomainTransactionRecords(
-                  recurring.getRecurrenceEndTime().isBefore(billingTime)
-                      ? ImmutableSet.of()
-                      : ImmutableSet.of(
-                          DomainTransactionRecord.create(
-                              tld.getTldStr(),
-                              // We report this when the autorenew grace period
-                              // ends
-                              billingTime,
-                              TransactionReportField.netRenewsFieldFromYears(1),
-                              1)))
-              .build();
-      historyEntriesBuilder.add(historyEntry);
-
-      DateTime eventTime = billingTime.minus(tld.getAutoRenewGracePeriodLength());
-
-      syntheticOneTimesBuilder.add(
-          new OneTime.Builder()
-              .setBillingTime(billingTime)
-              .setRegistrarId(recurring.getRegistrarId())
-              // Determine the cost for a one-year renewal.
-              .setCost(
-                  domainPricingLogic
-                      .getRenewPrice(tld, recurring.getTargetId(), eventTime, 1, recurring)
-                      .getRenewCost())
-              .setEventTime(eventTime)
-              .setFlags(union(recurring.getFlags(), Flag.SYNTHETIC))
-              .setDomainHistory(historyEntry)
-              .setPeriodYears(1)
-              .setReason(recurring.getReason())
-              .setSyntheticCreationTime(executeTime)
-              .setCancellationMatchingBillingEvent(recurring)
-              .setTargetId(recurring.getTargetId())
-              .build());
-    }
-    Set<DomainHistory> historyEntries = historyEntriesBuilder.build();
-    Set<OneTime> syntheticOneTimes = syntheticOneTimesBuilder.build();
-    if (!isDryRun) {
-      ImmutableSet<ImmutableObject> entitiesToSave =
-          new ImmutableSet.Builder<ImmutableObject>()
-              .addAll(historyEntries)
-              .addAll(syntheticOneTimes)
-              .build();
-      tm().putAll(entitiesToSave);
-    }
-    return syntheticOneTimes.size();
-  }
-
-  /**
-   * Filters a set of {@link DateTime}s down to event times that are in scope for a particular
-   * action run, given the cursor time and the action execution time.
-   */
-  protected static ImmutableSet<DateTime> getBillingTimesInScope(
-      Iterable<DateTime> eventTimes,
-      DateTime cursorTime,
-      DateTime executeTime,
-      final Registry tld) {
-    return Streams.stream(eventTimes)
-        .map(eventTime -> eventTime.plus(tld.getAutoRenewGracePeriodLength()))
-        .filter(Range.closedOpen(cursorTime, executeTime))
-        .collect(toImmutableSet());
-  }
-
-  /**
-   * Determines an {@link ImmutableSet} of {@link DateTime}s that have already been persisted for a
-   * given recurring billing event.
-   */
-  private static ImmutableSet<DateTime> getExistingBillingTimes(
-      Iterable<BillingEvent.OneTime> oneTimesForDomain,
-      final BillingEvent.Recurring recurringEvent) {
-    return Streams.stream(oneTimesForDomain)
-        .filter(
-            billingEvent ->
-                recurringEvent
-                    .createVKey()
-                    .equals(billingEvent.getCancellationMatchingBillingEvent()))
-        .map(OneTime::getBillingTime)
-        .collect(toImmutableSet());
-  }
 }

core/src/main/java/google/registry/beam/billing/ExpandRecurringBillingEventsPipeline.java

@@ -138,9 +138,15 @@ public class ExpandRecurringBillingEventsPipeline implements Serializable {
   private final boolean isDryRun;
   private final boolean advanceCursor;
   private final Counter recurringsInScopeCounter =
-      Metrics.counter("ExpandBilling", "RecurringsInScope");
-  private final Counter expandedOneTimeCounter =
-      Metrics.counter("ExpandBilling", "ExpandedOneTime");
+      Metrics.counter("ExpandBilling", "Recurrings in scope for expansion");
+  // Note that this counter is only accurate when running in dry run mode. Because SQL persistence
+  // is a side effect and not idempotent, a transaction to save OneTimes could be successful but the
+  // transform that contains it could be still be retried, rolling back the counter increment. The
+  // same transform, when retried, would skip the already expanded OneTime, causing this counter to
+  // be lower than it should be when not in dry run mode.
+  // See: https://beam.apache.org/documentation/programming-guide/#user-code-idempotence
+  private final Counter oneTimesToExpandCounter =
+      Metrics.counter("ExpandBilling", "OneTimes that would be expanded");
 
   ExpandRecurringBillingEventsPipeline(
       ExpandRecurringBillingEventsPipelineOptions options, Clock clock) {
@@ -148,7 +154,7 @@ public class ExpandRecurringBillingEventsPipeline implements Serializable {
     endTime = DateTime.parse(options.getEndTime());
     checkArgument(
         !endTime.isAfter(clock.nowUtc()),
-        String.format("End time %s must be on or before now.", endTime));
+        String.format("End time %s must be at or before now.", endTime));
     checkArgument(
         startTime.isBefore(endTime),
         String.format("[%s, %s) is not a valid window of operation.", startTime, endTime));
@@ -182,7 +188,7 @@ public class ExpandRecurringBillingEventsPipeline implements Serializable {
                     + "AND event_Time < :endTime "
                     // Recurrence should not close before start time.
                     + "AND :startTime < recurrence_end_time "
-                    // Last expansion should happen at least one year before start time.
+                    // Last expansion should happen at least one year before end time.
                     + "AND recurrence_last_expansion < :oneYearAgo "
                     // The recurrence should not close before next expansion time.
                     + "AND recurrence_last_expansion + INTERVAL '1 YEAR' < recurrence_end_time",
@@ -195,6 +201,7 @@ public class ExpandRecurringBillingEventsPipeline implements Serializable {
                     endTime.minusYears(1)),
                 true,
                 (BigInteger id) -> {
+                  recurringsInScopeCounter.inc();
                   // Note that because all elements are mapped to the same dummy key, the next
                   // batching transform will effectively be serial. This however does not matter for
                   // our use case because the elements were obtained from a SQL read query, which
@@ -239,20 +246,40 @@ public class ExpandRecurringBillingEventsPipeline implements Serializable {
 
   private void expandOneRecurring(Long recurringId, ImmutableSet.Builder<ImmutableObject> results) {
     Recurring recurring = tm().loadByKey(Recurring.createVKey(recurringId));
-    recurringsInScopeCounter.inc();
-    Domain domain = tm().loadByKey(Domain.createVKey(recurring.getDomainRepoId()));
-    Registry tld = Registry.get(domain.getTld());
 
     // Determine the complete set of EventTimes this recurring event should expand to within
     // [max(recurrenceLastExpansion + 1 yr, startTime), min(recurrenceEndTime, endTime)).
-    ImmutableSet<DateTime> eventTimes =
-        ImmutableSet.copyOf(
-            recurring
-                .getRecurrenceTimeOfYear()
-                .getInstancesInRange(
-                    Range.closedOpen(
-                        latestOf(recurring.getRecurrenceLastExpansion().plusYears(1), startTime),
-                        earliestOf(recurring.getRecurrenceEndTime(), endTime))));
+    //
+    // This range should always be legal for recurrings that are returned from the query. However,
+    // it is possible that the recurring has changed between when the read transformation occurred
+    // and now. This could be caused by some out-of-process mutations (such as a domain deletion
+    // closing out a previously open-ended recurrence), or more subtly, Beam could execute the same
+    // work multiple times due to transient communication issues between workers and the scheduler.
+    // Such opportunistic retries are OK for pure functional transformations, but can cause
+    // unexpected behavior when side effects are executed more than once. For example, the
+    // recurrence_last_expansion field could be updated by a worker after a success expansion, which
+    // failed to report the status to the scheduler in time, which in turn scheduled another worker
+    // to work on the same batch. The second worker would see a new recurrence_last_expansion that
+    // causes the range to be illegal.
+    //
+    // The best way to handle any unexpected behavior is to simply drop the recurring from
+    // expansion, if its new state still calls for an expansion, it would be picked up the next time
+    // the pipeline runs.
+    ImmutableSet<DateTime> eventTimes;
+    try {
+      eventTimes =
+          ImmutableSet.copyOf(
+              recurring
+                  .getRecurrenceTimeOfYear()
+                  .getInstancesInRange(
+                      Range.closedOpen(
+                          latestOf(recurring.getRecurrenceLastExpansion().plusYears(1), startTime),
+                          earliestOf(recurring.getRecurrenceEndTime(), endTime))));
+    } catch (IllegalArgumentException e) {
+      return;
+    }
+    Domain domain = tm().loadByKey(Domain.createVKey(recurring.getDomainRepoId()));
+    Registry tld = Registry.get(domain.getTld());
 
     // Find the times for which the OneTime billing event are already created, making this expansion
     // idempotent. There is no need to match to the domain repo ID as the cancellation matching
@@ -277,7 +304,7 @@ public class ExpandRecurringBillingEventsPipeline implements Serializable {
     // Create new OneTime and DomainHistory for EventTimes that needs to be expanded.
     for (DateTime eventTime : eventTimesToExpand) {
       recurrenceLastExpansionTime = latestOf(recurrenceLastExpansionTime, eventTime);
-      expandedOneTimeCounter.inc();
+      oneTimesToExpandCounter.inc();
       DateTime billingTime = eventTime.plus(tld.getAutoRenewGracePeriodLength());
       // Note that the DomainHistory is created as of transaction time, as opposed to event time.
       // This might be counterintuitive because other DomainHistories are created at the time

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -106,6 +106,12 @@ public final class RegistryConfig {
       return config.gcpProject.projectId;
     }
 
+    @Provides
+    @Config("cloudSchedulerServiceAccountEmail")
+    public static String provideCloudSchedulerServiceAccountEmail(RegistryConfigSettings config) {
+      return config.gcpProject.cloudSchedulerServiceAccountEmail;
+    }
+
     @Provides
     @Config("projectIdNumber")
     public static long provideProjectIdNumber(RegistryConfigSettings config) {

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -54,6 +54,7 @@ public class RegistryConfigSettings {
     public String backendServiceUrl;
     public String toolsServiceUrl;
     public String pubapiServiceUrl;
+    public String cloudSchedulerServiceAccountEmail;
   }
 
   /** Configuration options for OAuth settings for authenticating users. */

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -22,6 +22,8 @@ gcpProject:
   backendServiceUrl: https://localhost
   toolsServiceUrl: https://localhost
   pubapiServiceUrl: https://localhost
+  # Service account used by Cloud Scheduler to send authenticated requests.
+  cloudSchedulerServiceAccountEmail: cloud-scheduler-email@email.com
 
 gSuite:
   # Publicly accessible domain name of the running G Suite instance.
@@ -427,7 +429,7 @@ misc:
 
 beam:
   # The default region to run Apache Beam (Cloud Dataflow) jobs in.
-  defaultJobRegion: us-east1
+  defaultJobRegion: us-central1
   # The GCE machine type to use when a job is CPU-intensive (e. g. RDE). Be sure
   # to check the VM CPU quota for the job region. In a massively parallel
   # pipeline this quota can be easily reached and needs to be raised, otherwise

core/src/main/java/google/registry/env/alpha/default/WEB-INF/cloud-scheduler-tasks.xml

@@ -0,0 +1,140 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<taskentries>
+  <task>
+    <url>/_dr/task/rdeStaging</url>
+    <name>rdeStaging</name>
+    <description>
+      This job generates a full RDE escrow deposit as a single gigantic XML document
+      and streams it to cloud storage. When this job has finished successfully, it'll
+      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
+    </description>
+    <schedule>7 0 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=rde-upload&endpoint=/_dr/task/rdeUpload&forEachRealTld]]></url>
+    <name>rdeUpload</name>
+    <description>
+      This job is a no-op unless RdeUploadCursor falls behind for some reason.
+    </description>
+    <schedule>0 */4 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchDnl&runInEmpty]]></url>
+    <name>tmchDnl</name>
+    <description>
+      This job downloads the latest DNL from MarksDB and inserts it into the database.
+      (See: TmchDnlAction, ClaimsList)
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchSmdrl&runInEmpty]]></url>
+    <name>tmchSmdrl</name>
+    <description>
+      This job downloads the latest SMDRL from MarksDB and inserts it into the database.
+      (See: TmchSmdrlAction, SignedMarkRevocationList)
+    </description>
+    <schedule>15 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchCrl&runInEmpty]]></url>
+    <name>tmchCrl</name>
+    <description>
+      This job downloads the latest CRL from MarksDB and inserts it into the database.
+      (See: TmchCrlAction)
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
+    <name>syncGroupMembers</name>
+    <description>
+      Syncs RegistrarContact changes in the past hour to Google Groups.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
+    <name>syncRegistrarsSheet</name>
+    <description>
+      Synchronize Registrar entities to Google Spreadsheets.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/resaveAllEppResourcesPipeline?fast=true]]></url>
+    <name>resaveAllEppResourcesPipeline</name>
+    <description>
+      This job resaves all our resources, projected in time to "now".
+    </description>
+    <!--Deviation from cron tasks schedule: 1st monday of month 09:00 is replaced
+    with 1st of the month 09:00 -->
+    <schedule>0 9 1 * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/expandRecurringBillingEvents?advanceCursor]]></url>
+    <name>expandRecurringBillingEvents</name>
+    <description>
+      This job runs an action that creates synthetic OneTime billing events from Recurring billing
+      events. Events are created for all instances of Recurring billing events that should exist
+      between the RECURRING_BILLING cursor's time and the execution time of the action.
+    </description>
+    <schedule>0 3 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
+    <name>deleteExpiredDomains</name>
+    <description>
+      This job runs an action that deletes domains that are past their
+      autorenew end date.
+    </description>
+    <schedule>7 3 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/deleteProberData&runInEmpty]]></url>
+    <name>deleteProberData</name>
+    <description>
+      This job clears out data from probers and runs once a week.
+    </description>
+    <schedule>0 14 * * 1</schedule>
+  </task>
+
+  <!-- TODO: Add borgmon job to check that these files are created and updated successfully. -->
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportReservedTerms&forEachRealTld]]></url>
+    <name>exportReservedTerms</name>
+    <description>
+      Reserved terms export to Google Drive job for creating once-daily exports.
+    </description>
+    <schedule>30 5 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportPremiumTerms&forEachRealTld]]></url>
+    <name>exportPremiumTerms</name>
+    <description>
+      Premium terms export to Google Drive job for creating once-daily exports.
+    </description>
+    <schedule>0 5 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
+    <name>readDnsQueue</name>
+    <description>
+      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
+      group.
+    </description>
+    <schedule>*/1 * * * *</schedule>
+  </task>
+</taskentries>

core/src/main/java/google/registry/env/alpha/default/WEB-INF/cron.xml

@@ -1,150 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!--TODO: ptkach - Remove this file after cloud scheduler is fully up and running -->
 <cronentries>
 
-  <!--
-    /cron/fanout params:
-        queue=<QUEUE_NAME>
-        endpoint=<ENDPOINT_NAME> // URL Path of servlet, which may contain placeholders:
-        runInEmpty               // Run once, with no tld parameter
-        forEachRealTld           // Run for tlds with getTldType() == TldType.REAL
-        forEachTestTld           // Run for tlds with getTldType() == TldType.TEST
-        exclude=TLD1[,TLD2]      // exclude something otherwise included
-   -->
-
-  <cron>
-    <url>/_dr/task/rdeStaging</url>
-    <description>
-      This job generates a full RDE escrow deposit as a single gigantic XML document
-      and streams it to cloud storage. When this job has finished successfully, it'll
-      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
-    </description>
-    <schedule>every day 00:07</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=rde-upload&endpoint=/_dr/task/rdeUpload&forEachRealTld]]></url>
-    <description>
-      This job is a no-op unless RdeUploadCursor falls behind for some reason.
-    </description>
-    <schedule>every 4 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchDnl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest DNL from MarksDB and inserts it into the database.
-      (See: TmchDnlServlet, ClaimsList)
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchSmdrl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest SMDRL from MarksDB and inserts it into the database.
-      (See: TmchSmdrlServlet, SignedMarkRevocationList)
-    </description>
-    <schedule>every 12 hours from 00:15 to 12:15</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchCrl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest CRL from MarksDB and inserts it into the database.
-      (See: TmchCrlServlet)
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
-    <description>
-      Syncs RegistrarContact changes in the past hour to Google Groups.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
-    <description>
-      Synchronize Registrar entities to Google Spreadsheets.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/resaveAllEppResourcesPipeline?fast=true]]></url>
-    <description>
-      This job resaves all our resources, projected in time to "now".
-    </description>
-    <schedule>1st monday of month 09:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/expandRecurringBillingEvents]]></url>
-    <description>
-      This job runs an action that creates synthetic OneTime billing events from Recurring billing
-      events. Events are created for all instances of Recurring billing events that should exist
-      between the RECURRING_BILLING cursor's time and the execution time of the action.
-    </description>
-    <schedule>every day 03:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
-    <description>
-      This job runs an action that deletes domains that are past their
-      autorenew end date.
-    </description>
-    <schedule>every day 03:07</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/deleteProberData&runInEmpty]]></url>
-    <description>
-      This job clears out data from probers and runs once a week.
-    </description>
-    <schedule>every monday 14:00</schedule>
-    <timezone>UTC</timezone>
-    <target>backend</target>
-  </cron>
-
-  <!-- TODO: Add borgmon job to check that these files are created and updated successfully. -->
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportReservedTerms&forEachRealTld]]></url>
-    <description>
-      Reserved terms export to Google Drive job for creating once-daily exports.
-    </description>
-    <schedule>every day 05:30</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportPremiumTerms&forEachRealTld]]></url>
-    <description>
-      Premium terms export to Google Drive job for creating once-daily exports.
-    </description>
-    <schedule>every day 05:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>every 1 minutes synchronized</schedule>
-    <target>backend</target>
-  </cron>
 </cronentries>

core/src/main/java/google/registry/env/common/default/WEB-INF/web.xml

@@ -94,6 +94,12 @@
     <url-pattern>/registry-lock-verify</url-pattern>
   </servlet-mapping>
 
+  <!-- Registrar console endpoints -->
+  <servlet-mapping>
+    <servlet-name>frontend-servlet</servlet-name>
+    <url-pattern>/console-api/*</url-pattern>
+  </servlet-mapping>
+
   <!-- Security config -->
   <security-constraint>
     <web-resource-collection>

core/src/main/java/google/registry/env/crash/default/WEB-INF/cloud-scheduler-tasks.xml

@@ -0,0 +1,163 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<taskentries>
+
+  <!--
+    /cron/fanout params:
+        queue=<QUEUE_NAME>
+        endpoint=<ENDPOINT_NAME> // URL Path of servlet, which may contain placeholders:
+        runInEmpty               // Run once, with no tld parameter
+        forEachRealTld           // Run for tlds with getTldType() == TldType.REAL
+        forEachTestTld           // Run for tlds with getTldType() == TldType.TEST
+        exclude=TLD1[,TLD2]      // exclude something otherwise included
+   -->
+
+  <task>
+    <url>/_dr/task/rdeStaging</url>
+    <name>rdeStaging</name>
+    <description>
+      This job generates a full RDE escrow deposit as a single gigantic XML document
+      and streams it to cloud storage. When this job has finished successfully, it'll
+      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
+    </description>
+    <!--
+      This only needs to run once per day, but we launch additional jobs in case the
+      cursor is lagging behind, so it'll catch up to the current date as quickly as
+      possible. The only job that'll run under normal circumstances is the one that's
+      close to midnight, since if the cursor is up-to-date, the task is a no-op.
+      We want it to be close to midnight because that reduces the chance that the
+      point-in-time code won't have to go to the extra trouble of fetching old
+      versions of objects from the database. However, we don't want it to run too
+      close to midnight, because there's always a chance that a change which was
+      timestamped before midnight hasn't fully been committed to the database. So
+      we add a 4+ minute grace period to ensure the transactions cool down, since
+      our queries are not transactional.
+    -->
+    <schedule>7 */4 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=rde-upload&endpoint=/_dr/task/rdeUpload&forEachRealTld]]></url>
+    <name>rdeUpload</name>
+    <description>
+      This job is a no-op unless RdeUploadCursor falls behind for some reason.
+    </description>
+    <schedule>0 */4 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=rde-report&endpoint=/_dr/task/rdeReport&forEachRealTld]]></url>
+    <name>rdeReport</name>
+    <description>
+      This job is a no-op unless RdeReportCursor falls behind for some reason.
+    </description>
+    <schedule>0 */4 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchDnl&runInEmpty]]></url>
+    <name>tmchDnl</name>
+    <description>
+      This job downloads the latest DNL from MarksDB and inserts it into the database.
+      (See: TmchDnlAction, ClaimsList)
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchSmdrl&runInEmpty]]></url>
+    <name>tmchSmdrl</name>
+    <description>
+      This job downloads the latest SMDRL from MarksDB and inserts it into the database.
+      (See: TmchSmdrlAction, SignedMarkRevocationList)
+    </description>
+    <schedule>15 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchCrl&runInEmpty]]></url>
+    <name>tmchCrl</name>
+    <description>
+      This job downloads the latest CRL from MarksDB and inserts it into the database.
+      (See: TmchCrlAction)
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
+    <name>syncGroupMembers</name>
+    <description>
+      Syncs RegistrarContact changes in the past hour to Google Groups.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
+    <name>syncRegistrarsSheet</name>
+    <description>
+      Synchronize Registrar entities to Google Spreadsheets.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/deleteProberData&runInEmpty]]></url>
+    <name>deleteProberData</name>
+    <description>
+      This job clears out data from probers and runs once a week.
+    </description>
+    <schedule>0 14 * * 1</schedule>
+  </task>
+
+  <!-- TODO: Add borgmon job to check that these files are created and updated successfully. -->
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportReservedTerms&forEachRealTld]]></url>
+    <name>exportReservedTerms</name>
+    <description>
+      Reserved terms export to Google Drive job for creating once-daily exports.
+    </description>
+    <schedule>30 5 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportPremiumTerms&forEachRealTld]]></url>
+    <name>exportPremiumTerms</name>
+    <description>
+      Exports premium price lists to the Google Drive folders for each TLD once per day.
+    </description>
+    <schedule>0 5 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
+    <name>readDnsQueue</name>
+    <description>
+      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
+      group.
+    </description>
+    <schedule>*/1 * * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
+    <name>deleteExpiredDomains</name>
+    <description>
+      This job runs an action that deletes domains that are past their
+      autorenew end date.
+    </description>
+    <schedule>7 3 * * *</schedule>
+  </task>
+
+  <!--
+    The next two wipeout jobs are required when crash has production data.
+   -->
+  <task>
+    <url><![CDATA[/_dr/task/wipeOutCloudSql]]></url>
+    <name>wipeOutCloudSql</name>
+    <description>
+      This job runs an action that deletes all data in Cloud SQL.
+    </description>
+    <schedule>7 3 * * 6</schedule>
+  </task>
+</taskentries>

core/src/main/java/google/registry/env/crash/default/WEB-INF/cron.xml

@@ -1,165 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!--TODO: ptkach - Remove this file after cloud scheduler is fully up and running -->
 <cronentries>
 
-  <!--
-    /cron/fanout params:
-        queue=<QUEUE_NAME>
-        endpoint=<ENDPOINT_NAME> // URL Path of servlet, which may contain placeholders:
-        runInEmpty               // Run once, with no tld parameter
-        forEachRealTld           // Run for tlds with getTldType() == TldType.REAL
-        forEachTestTld           // Run for tlds with getTldType() == TldType.TEST
-        exclude=TLD1[,TLD2]      // exclude something otherwise included
-   -->
-
-  <cron>
-    <url>/_dr/task/rdeStaging</url>
-    <description>
-      This job generates a full RDE escrow deposit as a single gigantic XML document
-      and streams it to cloud storage. When this job has finished successfully, it'll
-      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
-    </description>
-    <!--
-      This only needs to run once per day, but we launch additional jobs in case the
-      cursor is lagging behind, so it'll catch up to the current date as quickly as
-      possible. The only job that'll run under normal circumstances is the one that's
-      close to midnight, since if the cursor is up-to-date, the task is a no-op.
-
-      We want it to be close to midnight because that reduces the chance that the
-      point-in-time code won't have to go to the extra trouble of fetching old
-      versions of objects from the database. However, we don't want it to run too
-      close to midnight, because there's always a chance that a change which was
-      timestamped before midnight hasn't fully been committed to the database. So
-      we add a 4+ minute grace period to ensure the transactions cool down, since
-      our queries are not transactional.
-    -->
-    <schedule>every 4 hours from 00:07 to 20:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=rde-upload&endpoint=/_dr/task/rdeUpload&forEachRealTld]]></url>
-    <description>
-      This job is a no-op unless RdeUploadCursor falls behind for some reason.
-    </description>
-    <schedule>every 4 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=rde-report&endpoint=/_dr/task/rdeReport&forEachRealTld]]></url>
-    <description>
-      This job is a no-op unless RdeReportCursor falls behind for some reason.
-    </description>
-    <schedule>every 4 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchDnl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest DNL from MarksDB and inserts it into the database.
-      (See: TmchDnlServlet, ClaimsList)
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchSmdrl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest SMDRL from MarksDB and inserts it into the database.
-      (See: TmchSmdrlServlet, SignedMarkRevocationList)
-    </description>
-    <schedule>every 12 hours from 00:15 to 12:15</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchCrl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest CRL from MarksDB and inserts it into the database.
-      (See: TmchCrlServlet)
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
-    <description>
-      Syncs RegistrarContact changes in the past hour to Google Groups.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
-    <description>
-      Synchronize Registrar entities to Google Spreadsheets.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/deleteProberData&runInEmpty]]></url>
-    <description>
-      This job clears out data from probers and runs once a week.
-    </description>
-    <schedule>every monday 14:00</schedule>
-    <timezone>UTC</timezone>
-    <target>backend</target>
-  </cron>
-
-  <!-- TODO: Add borgmon job to check that these files are created and updated successfully. -->
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportReservedTerms&forEachRealTld]]></url>
-    <description>
-      Reserved terms export to Google Drive job for creating once-daily exports.
-    </description>
-    <schedule>every day 05:30</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportPremiumTerms&forEachRealTld]]></url>
-    <description>
-      Exports premium price lists to the Google Drive folders for each TLD once per day.
-    </description>
-    <schedule>every day 05:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>every 1 minutes synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
-    <description>
-      This job runs an action that deletes domains that are past their
-      autorenew end date.
-    </description>
-    <schedule>every day 03:07</schedule>
-    <target>backend</target>
-  </cron>
-
-  <!--
-    The next two wipeout jobs are required when crash has production data.
-   -->
-  <cron>
-    <url><![CDATA[/_dr/task/wipeOutCloudSql]]></url>
-    <description>
-      This job runs an action that deletes all data in Cloud SQL.
-    </description>
-    <schedule>every saturday 03:07</schedule>
-    <target>backend</target>
-  </cron>
 </cronentries>

core/src/main/java/google/registry/env/production/default/WEB-INF/cloud-scheduler-tasks.xml

@@ -0,0 +1,288 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<taskentries>
+  <task>
+    <url>/_dr/task/rdeStaging</url>
+    <name>rdeStaging</name>
+    <description>
+      This job generates a full RDE escrow deposit as a single gigantic XML document
+      and streams it to cloud storage. When this job has finished successfully, it'll
+      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
+    </description>
+    <!--
+      This only needs to run once per day, but we launch additional jobs in case the
+      cursor is lagging behind, so it'll catch up to the current date as quickly as
+      possible. The only job that'll run under normal circumstances is the one that's
+      close to midnight, since if the cursor is up-to-date, the task is a no-op.
+      We want it to be close to midnight because that reduces the chance that the
+      point-in-time code won't have to go to the extra trouble of fetching old
+      versions of objects from the database. However, we don't want it to run too
+      close to midnight, because there's always a chance that a change which was
+      timestamped before midnight hasn't fully been committed to the database. So
+      we add a 4+ minute grace period to ensure the transactions cool down, since
+      our queries are not transactional.
+    -->
+    <schedule>7 */8 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=rde-upload&endpoint=/_dr/task/rdeUpload&forEachRealTld]]></url>
+    <name>rdeUpload</name>
+    <description>
+      This job is a no-op unless RdeUploadCursor falls behind for some reason.
+    </description>
+    <schedule>0 */4 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=rde-report&endpoint=/_dr/task/rdeReport&forEachRealTld]]></url>
+    <name>rdeReport</name>
+    <description>
+      This job is a no-op unless RdeReportCursor falls behind for some reason.
+    </description>
+    <schedule>0 */4 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchDnl&runInEmpty]]></url>
+    <name>tmchDnl</name>
+    <description>
+      This job downloads the latest DNL from MarksDB and inserts it into the database.
+      (See: TmchDnlAction, ClaimsList)
+    </description>
+    <schedule>0 0,12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchSmdrl&runInEmpty]]></url>
+    <name>tmchSmdrl</name>
+    <description>
+      This job downloads the latest SMDRL from MarksDB and inserts it into the database.
+      (See: TmchSmdrlAction, SignedMarkRevocationList)
+    </description>
+    <schedule>15 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchCrl&runInEmpty]]></url>
+    <name>tmchCrl</name>
+    <description>
+      This job downloads the latest CRL from MarksDB and inserts it into the database.
+      (See: TmchCrlAction)
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
+    <name>syncGroupMembers</name>
+    <description>
+      Syncs RegistrarContact changes in the past hour to Google Groups.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
+    <name>syncRegistrarsSheet</name>
+    <description>
+      Synchronize Registrar entities to Google Spreadsheets.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <!-- TODO: @ptkach add resaveAllEppResourcesPipelineAction https://cs.opensource.google/nomulus/nomulus/+/master:core/src/main/java/google/registry/env/production/default/WEB-INF/cron.xml;l=105 -->
+
+  <task>
+    <url><![CDATA[/_dr/task/updateRegistrarRdapBaseUrls]]></url>
+    <name>updateRegistrarRdapBaseUrls</name>
+    <description>
+      This job reloads all registrar RDAP base URLs from ICANN.
+    </description>
+    <schedule>34 2 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportDomainLists&runInEmpty]]></url>
+    <name>exportDomainLists</name>
+    <description>
+      This job exports lists of all active domain names to Google Drive and Google Cloud Storage.
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/expandRecurringBillingEvents?advanceCursor]]></url>
+    <name>expandRecurringBillingEvents</name>
+    <description>
+      This job runs an action that creates synthetic OneTime billing events from Recurring billing
+      events. Events are created for all instances of Recurring billing events that should exist
+      between the RECURRING_BILLING cursor's time and the execution time of the action.
+    </description>
+    <schedule>0 3 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
+    <name>deleteExpiredDomains</name>
+    <description>
+      This job runs an action that deletes domains that are past their
+      autorenew end date.
+    </description>
+    <schedule>7 3 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/sendExpiringCertificateNotificationEmail]]></url>
+    <name>sendExpiringCertificateNotificationEmail</name>
+    <description>
+      This job runs an action that sends emails to partners if their certificates are expiring soon.
+    </description>
+    <schedule>30 4 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=nordn&endpoint=/_dr/task/nordnUpload&forEachRealTld&lordnPhase=sunrise]]></url>
+    <name>nordnUploadSunrise</name>
+    <description>
+      This job uploads LORDN Sunrise CSV files for each TLD to MarksDB. It should be
+      run at most every three hours, or at absolute minimum every 26 hours.
+    </description>
+    <!-- This may be set anywhere between "every 3 hours" and "every 25 hours". -->
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=nordn&endpoint=/_dr/task/nordnUpload&forEachRealTld&lordnPhase=claims]]></url>
+    <name>nordnUploadClaims</name>
+    <description>
+      This job uploads LORDN Claims CSV files for each TLD to MarksDB. It should be
+      run at most every three hours, or at absolute minimum every 26 hours.
+    </description>
+    <!-- This may be set anywhere between "every 3 hours" and "every 25 hours". -->
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=nordn&endpoint=/_dr/task/nordnUpload&forEachRealTld&lordnPhase=sunrise&pullQueue]]></url>
+    <name>nordnUploadSunrisePullQueue</name>
+    <description>
+      This job uploads LORDN Sunrise CSV files for each TLD to MarksDB using
+      pull queue. It should be run at most every three hours, or at absolute
+      minimum every 26 hours.
+    </description>
+    <!-- This may be set anywhere between "every 3 hours" and "every 25 hours". -->
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=nordn&endpoint=/_dr/task/nordnUpload&forEachRealTld&lordnPhase=claims&pullQueue]]></url>
+    <name>nordnUploadClaimsPullQueue</name>
+    <description>
+      This job uploads LORDN Claims CSV files for each TLD to MarksDB using pull
+      queue. It should be run at most every three hours, or at absolute minimum
+      every 26 hours.
+    </description>
+    <!-- This may be set anywhere between "every 3 hours" and "every 25 hours". -->
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/deleteProberData&runInEmpty]]></url>
+    <name>deleteProberData</name>
+    <description>
+      This job clears out data from probers and runs once a week.
+    </description>
+    <schedule>0 14 * * 1</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportReservedTerms&forEachRealTld]]></url>
+    <name>exportReservedTerms</name>
+    <description>
+      Reserved terms export to Google Drive job for creating once-daily exports.
+    </description>
+    <schedule>30 5 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportPremiumTerms&forEachRealTld]]></url>
+    <name>exportPremiumTerms</name>
+    <description>
+      Exports premium price lists to the Google Drive folders for each TLD once per day.
+    </description>
+    <schedule>0 5 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
+    <name>readDnsQueue</name>
+    <description>
+      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
+      group.
+    </description>
+    <schedule>*/1 * * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/icannReportingStaging&runInEmpty]]></url>
+    <name>icannReportingStaging</name>
+    <description>
+      Create ICANN activity and transaction reports for last month, storing them in
+      gs://[PROJECT-ID]-reporting/icann/monthly/yyyy-MM
+      Upon success, enqueues the icannReportingUpload task to POST these files to ICANN.
+    </description>
+    <schedule>0 9 2 * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/icannReportingUpload&runInEmpty]]></url>
+    <name>icannReportingUpload</name>
+    <description>
+      Checks if the monthly ICANN reports have been successfully uploaded. If they have not, attempts to upload them again.
+      Most of the time, this job should not do anything since the uploads are triggered when the reports are staged.
+      However, in the event that an upload failed for any reason (e.g. ICANN server is down, IP allow list issues),
+      this cron job will continue to retry uploads daily until they succeed.
+    </description>
+    <schedule>0 15 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/generateInvoices?shouldPublish=true&runInEmpty]]></url>
+    <name>generateInvoices</name>
+    <description>
+      Starts the beam/billing/InvoicingPipeline Dataflow template, which creates the overall invoice and
+      detail report CSVs for last month, storing them in gs://[PROJECT-ID]-billing/invoices/yyyy-MM.
+      Upon success, sends an e-mail copy of the invoice to billing personnel, and copies detail
+      reports to the associated registrars' drive folders.
+      See GenerateInvoicesAction for more details.
+    </description>
+    <!--WARNING: This must occur AFTER expandRecurringBillingEvents and AFTER exportSnapshot, as
+    it uses Bigquery as the source of truth for billable events. ExportSnapshot usually takes
+    about 2 hours to complete, so we give 11 hours to be safe. Normally, we give 24+ hours (see
+    icannReportingStaging), but the invoicing team prefers receiving the e-mail on the first of
+    each month. -->
+    <schedule>0 19 1 * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/generateSpec11&runInEmpty]]></url>
+    <name>generateSpec11</name>
+    <description>
+      Starts the beam/spec11/Spec11Pipeline Dataflow template, which creates today's Spec11
+      report. This report is stored in gs://[PROJECT-ID]-reporting/icann/spec11/yyyy-MM/.
+      This job will only send email notifications on the second of every month.
+      See GenerateSpec11ReportAction for more details.
+    </description>
+    <schedule>0 15 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/wipeOutContactHistoryPii]]></url>
+    <name>wipeOutContactHistoryPii</name>
+    <description>
+      This job runs weekly to wipe out PII fields of ContactHistory entities
+      that have been in the database for a certain period of time.
+    </description>
+    <schedule>0 15 * * 1</schedule>
+  </task>
+</taskentries>

core/src/main/java/google/registry/env/production/default/WEB-INF/cron.xml

@@ -1,288 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!--TODO: ptkach - Remove this file after cloud scheduler is fully up and running -->
 <cronentries>
-
-  <!--
-    /cron/fanout params:
-        queue=<QUEUE_NAME>
-        endpoint=<ENDPOINT_NAME> // URL Path of servlet, which may contain placeholders:
-        runInEmpty               // Run once, with no tld parameter
-        forEachRealTld           // Run for tlds with getTldType() == TldType.REAL
-        forEachTestTld           // Run for tlds with getTldType() == TldType.TEST
-        exclude=TLD1[,TLD2]      // exclude something otherwise included
-   -->
-
-  <cron>
-    <url>/_dr/task/rdeStaging</url>
-    <description>
-      This job generates a full RDE escrow deposit as a single gigantic XML document
-      and streams it to cloud storage. When this job has finished successfully, it'll
-      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
-    </description>
-    <!--
-      This only needs to run once per day, but we launch additional jobs in case the
-      cursor is lagging behind, so it'll catch up to the current date as quickly as
-      possible. The only job that'll run under normal circumstances is the one that's
-      close to midnight, since if the cursor is up-to-date, the task is a no-op.
-
-      We want it to be close to midnight because that reduces the chance that the
-      point-in-time code won't have to go to the extra trouble of fetching old
-      versions of objects from the database. However, we don't want it to run too
-      close to midnight, because there's always a chance that a change which was
-      timestamped before midnight hasn't fully been committed to the database. So
-      we add a 4+ minute grace period to ensure the transactions cool down, since
-      our queries are not transactional.
-    -->
-    <schedule>every 8 hours from 00:07 to 20:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=rde-upload&endpoint=/_dr/task/rdeUpload&forEachRealTld]]></url>
-    <description>
-      This job is a no-op unless RdeUploadCursor falls behind for some reason.
-    </description>
-    <schedule>every 4 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=rde-report&endpoint=/_dr/task/rdeReport&forEachRealTld]]></url>
-    <description>
-      This job is a no-op unless RdeReportCursor falls behind for some reason.
-    </description>
-    <schedule>every 4 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchDnl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest DNL from MarksDB and inserts it into the database.
-      (See: TmchDnlServlet, ClaimsList)
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchSmdrl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest SMDRL from MarksDB and inserts it into the database.
-      (See: TmchSmdrlServlet, SignedMarkRevocationList)
-    </description>
-    <schedule>every 12 hours from 00:15 to 12:15</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchCrl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest CRL from MarksDB and inserts it into the database.
-      (See: TmchCrlServlet)
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
-    <description>
-      Syncs RegistrarContact changes in the past hour to Google Groups.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
-    <description>
-      Synchronize Registrar entities to Google Spreadsheets.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <!-- TODO(b/249863289): disable until it is safe to run this pipeline
-  <cron>
-    <url><![CDATA[/_dr/task/resaveAllEppResourcesPipeline?fast=true]]></url>
-    <description>
-      This job resaves all our resources, projected in time to "now".
-    </description>
-    <schedule>1st monday of month 09:00</schedule>
-    <target>backend</target>
-  </cron>
-  -->
-
-  <cron>
-    <url><![CDATA[/_dr/task/updateRegistrarRdapBaseUrls]]></url>
-    <description>
-      This job reloads all registrar RDAP base URLs from ICANN.
-    </description>
-    <schedule>every day 02:34</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportDomainLists&runInEmpty]]></url>
-    <description>
-      This job exports lists of all active domain names to Google Drive and Google Cloud Storage.
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/expandRecurringBillingEvents]]></url>
-    <description>
-      This job runs an action that creates synthetic OneTime billing events from Recurring billing
-      events. Events are created for all instances of Recurring billing events that should exist
-      between the RECURRING_BILLING cursor's time and the execution time of the action.
-    </description>
-    <schedule>every day 03:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
-    <description>
-      This job runs an action that deletes domains that are past their
-      autorenew end date.
-    </description>
-    <schedule>every day 03:07</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/sendExpiringCertificateNotificationEmail]]></url>
-    <description>
-      This job runs an action that sends emails to partners if their certificates are expiring soon.
-    </description>
-    <schedule>every day 04:30</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=nordn&endpoint=/_dr/task/nordnUpload&forEachRealTld&lordn-phase=sunrise]]></url>
-    <description>
-      This job uploads LORDN Sunrise CSV files for each TLD to MarksDB. It should be
-      run at most every three hours, or at absolute minimum every 26 hours.
-    </description>
-    <!-- This may be set anywhere between "every 3 hours" and "every 25 hours". -->
-    <schedule>every 12 hours synchronized</schedule>
-    <timezone>UTC</timezone>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=nordn&endpoint=/_dr/task/nordnUpload&forEachRealTld&lordn-phase=claims]]></url>
-    <description>
-      This job uploads LORDN Claims CSV files for each TLD to MarksDB. It should be
-      run at most every three hours, or at absolute minimum every 26 hours.
-    </description>
-    <!-- This may be set anywhere between "every 3 hours" and "every 25 hours". -->
-    <schedule>every 12 hours synchronized</schedule>
-    <timezone>UTC</timezone>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/deleteProberData&runInEmpty]]></url>
-    <description>
-      This job clears out data from probers and runs once a week.
-    </description>
-    <schedule>every monday 14:00</schedule>
-    <timezone>UTC</timezone>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportReservedTerms&forEachRealTld]]></url>
-    <description>
-      Reserved terms export to Google Drive job for creating once-daily exports.
-    </description>
-    <schedule>every day 05:30</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportPremiumTerms&forEachRealTld]]></url>
-    <description>
-      Exports premium price lists to the Google Drive folders for each TLD once per day.
-    </description>
-    <schedule>every day 05:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>every 1 minutes synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/icannReportingStaging&runInEmpty]]></url>
-    <description>
-      Create ICANN activity and transaction reports for last month, storing them in
-      gs://[PROJECT-ID]-reporting/icann/monthly/yyyy-MM
-      Upon success, enqueues the icannReportingUpload task to POST these files to ICANN.
-    </description>
-    <schedule>2 of month 09:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/icannReportingUpload&runInEmpty]]></url>
-    <description>
-      Checks if the monthly ICANN reports have been successfully uploaded. If they have not, attempts to upload them again.
-      Most of the time, this job should not do anything since the uploads are triggered when the reports are staged.
-      However, in the event that an upload failed for any reason (e.g. ICANN server is down, IP allow list issues),
-      this cron job will continue to retry uploads daily until they succeed.
-    </description>
-    <schedule>every day 15:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/generateInvoices?shouldPublish=true&runInEmpty]]></url>
-    <description>
-      Starts the beam/billing/InvoicingPipeline Dataflow template, which creates the overall invoice and
-      detail report CSVs for last month, storing them in gs://[PROJECT-ID]-billing/invoices/yyyy-MM.
-      Upon success, sends an e-mail copy of the invoice to billing personnel, and copies detail
-      reports to the associated registrars' drive folders.
-      See GenerateInvoicesAction for more details.
-    </description>
-    <!--WARNING: This must occur AFTER expandRecurringBillingEvents and AFTER exportSnapshot, as
-    it uses Bigquery as the source of truth for billable events. ExportSnapshot usually takes
-    about 2 hours to complete, so we give 11 hours to be safe. Normally, we give 24+ hours (see
-    icannReportingStaging), but the invoicing team prefers receiving the e-mail on the first of
-    each month. -->
-    <schedule>1 of month 19:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/generateSpec11&runInEmpty]]></url>
-    <description>
-      Starts the beam/spec11/Spec11Pipeline Dataflow template, which creates today's Spec11
-      report. This report is stored in gs://[PROJECT-ID]-reporting/icann/spec11/yyyy-MM/.
-      This job will only send email notifications on the second of every month.
-      See GenerateSpec11ReportAction for more details.
-    </description>
-    <schedule>every day 15:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/wipeOutContactHistoryPii]]></url>
-    <description>
-      This job runs weekly to wipe out PII fields of ContactHistory entities
-      that have been in the database for a certain period of time.
-    </description>
-    <schedule>every monday 15:00</schedule>
-    <target>backend</target>
-  </cron>
 </cronentries>

core/src/main/java/google/registry/env/qa/default/WEB-INF/cloud-scheduler-tasks.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<taskentries>
+  <task>
+    <url>/_dr/task/rdeStaging</url>
+    <name>rdeStaging</name>
+    <description>
+      This job generates a full RDE escrow deposit as a single gigantic XML document
+      and streams it to cloud storage. When this job has finished successfully, it'll
+      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
+    </description>
+    <schedule>7 0 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
+    <name>readDnsQueue</name>
+    <description>
+      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
+      group.
+    </description>
+    <schedule>*/1 * * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
+    <name>syncRegistrarsSheet</name>
+    <description>
+      Synchronize Registrar entities to Google Spreadsheets.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/resaveAllEppResourcesPipeline?fast=true]]></url>
+    <name>resaveAllEppResourcesPipeline</name>
+    <description>
+      This job resaves all our resources, projected in time to "now".
+    </description>
+    <!--Deviation from cron tasks schedule: 1st monday of month 09:00 is replaced
+    with 1st of the month 09:00 -->
+    <schedule>0 9 1 * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
+    <name>syncGroupMembers</name>
+    <description>
+      Syncs RegistrarContact changes in the past hour to Google Groups.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
+    <name>deleteExpiredDomains</name>
+    <description>
+      This job runs an action that deletes domains that are past their
+      autorenew end date.
+    </description>
+    <schedule>7 3 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/wipeOutCloudSql]]></url>
+    <name>wipeOutCloudSql</name>
+    <description>
+      This job runs an action that deletes all data in Cloud SQL.
+    </description>
+    <schedule>7 3 * * 6</schedule>
+  </task>
+</taskentries>

core/src/main/java/google/registry/env/qa/default/WEB-INF/cron.xml

@@ -1,70 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!--TODO: ptkach - Remove this file after cloud scheduler is fully up and running -->
 <cronentries>
 
-  <cron>
-    <url>/_dr/task/rdeStaging</url>
-    <description>
-      This job generates a full RDE escrow deposit as a single gigantic XML document
-      and streams it to cloud storage. When this job has finished successfully, it'll
-      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
-    </description>
-    <schedule>every day 00:07</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>every 1 minutes synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
-    <description>
-      Synchronize Registrar entities to Google Spreadsheets.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/resaveAllEppResourcesPipeline?fast=true]]></url>
-    <description>
-      This job resaves all our resources, projected in time to "now".
-    </description>
-    <schedule>1st monday of month 09:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
-    <description>
-      Syncs RegistrarContact changes in the past hour to Google Groups.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
-    <description>
-      This job runs an action that deletes domains that are past their
-      autorenew end date.
-    </description>
-    <schedule>every day 03:07</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/wipeOutCloudSql]]></url>
-    <description>
-      This job runs an action that deletes all data in Cloud SQL.
-    </description>
-    <schedule>every saturday 03:07</schedule>
-    <target>backend</target>
-  </cron>
 </cronentries>

core/src/main/java/google/registry/env/sandbox/default/WEB-INF/cloud-scheduler-tasks.xml

@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<taskentries>
+  <task>
+    <url>/_dr/task/rdeStaging</url>
+    <name>rdeStaging</name>
+    <description>
+      This job generates a full RDE escrow deposit as a single gigantic XML document
+      and streams it to cloud storage. When this job has finished successfully, it'll
+      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
+    </description>
+    <!--
+      This only needs to run once per day, but we launch additional jobs in case the
+      cursor is lagging behind, so it'll catch up to the current date eventually.
+
+      See <a href="../../../production/default/WEB-INF/cron.xml">production config</a> for an
+      explanation of job starting times.
+    -->
+    <schedule>7 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=rde-upload&endpoint=/_dr/task/rdeUpload&forEachRealTld]]></url>
+    <name>rdeUpload</name>
+    <description>
+      This job is a no-op unless RdeUploadCursor falls behind for some reason.
+    </description>
+    <schedule>0 */4 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchDnl&runInEmpty]]></url>
+    <name>tmchDnl</name>
+    <description>
+      This job downloads the latest DNL from MarksDB and inserts it into the database.
+      (See: TmchDnlAction, ClaimsList)
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchSmdrl&runInEmpty]]></url>
+    <name>tmchSmdrl</name>
+    <description>
+      This job downloads the latest SMDRL from MarksDB and inserts it into the database.
+      (See: TmchSmdrlAction, SignedMarkRevocationList)
+    </description>
+    <schedule>15 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchCrl&runInEmpty]]></url>
+    <name>tmchCrl</name>
+    <description>
+      This job downloads the latest CRL from MarksDB and inserts it into the database.
+      (See: TmchCrlAction)
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
+    <name>syncGroupMembers</name>
+    <description>
+      Syncs RegistrarContact changes in the past hour to Google Groups.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
+    <name>syncRegistrarsSheet</name>
+    <description>
+      Synchronize Registrar entities to Google Spreadsheets.
+    </description>
+    <schedule>0 */1 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportDomainLists&runInEmpty]]></url>
+    <name>exportDomainLists</name>
+    <description>
+      This job exports lists of all active domain names to Google Drive and Google Cloud Storage.
+    </description>
+    <schedule>0 */12 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/expandRecurringBillingEvents?advanceCursor]]></url>
+    <name>expandRecurringBillingEvents</name>
+    <description>
+      This job runs an action that creates synthetic OneTime billing events from Recurring billing
+      events. Events are created for all instances of Recurring billing events that should exist
+      between the RECURRING_BILLING cursor's time and the execution time of the action.
+    </description>
+    <schedule>0 3 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
+    <name>deleteExpiredDomains</name>
+    <description>
+      This job runs an action that deletes domains that are past their
+      autorenew end date.
+    </description>
+    <schedule>7 3 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/deleteProberData&runInEmpty]]></url>
+    <name>deleteProberData</name>
+    <description>
+      This job clears out data from probers and runs once a week.
+    </description>
+    <schedule>0 14 * * 1</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportReservedTerms&forEachRealTld]]></url>
+    <name>exportReservedTerms</name>
+    <description>
+      Reserved terms export to Google Drive job for creating once-daily exports.
+    </description>
+    <schedule>30 5 * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportPremiumTerms&forEachRealTld]]></url>
+    <name>exportPremiumTerms</name>
+    <description>
+      Exports premium price lists to the Google Drive folders for each TLD once per day.
+    </description>
+    <schedule>0 5 * * *</schedule>
+  </task>
+
+  <!-- TODO: @ptkach add resaveAllEppResourcesPipelineAction https://cs.opensource.google/nomulus/nomulus/+/master:core/src/main/java/google/registry/env/sandbox/default/WEB-INF/cron.xml;l=89 -->
+
+  <task>
+    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
+    <name>readDnsQueue</name>
+    <description>
+      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
+      group.
+    </description>
+    <schedule>*/1 * * * *</schedule>
+  </task>
+
+  <task>
+    <url><![CDATA[/_dr/task/wipeOutContactHistoryPii]]></url>
+    <name>wipeOutContactHistoryPii</name>
+    <description>
+      This job runs weekly to wipe out PII fields of ContactHistory entities
+      that have been in the database for a certain period of time.
+    </description>
+    <schedule>0 15 * * 1</schedule>
+  </task>
+</taskentries>

core/src/main/java/google/registry/env/sandbox/default/WEB-INF/cron.xml

@@ -1,177 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!--TODO: ptkach - Remove this file after cloud scheduler is fully up and running -->
 <cronentries>
 
-  <!--
-    /cron/fanout params:
-        queue=<QUEUE_NAME>
-        endpoint=<ENDPOINT_NAME> // URL Path of servlet, which may contain placeholders:
-        runInEmpty               // Run once, with no tld parameter
-        forEachRealTld           // Run for tlds with getTldType() == TldType.REAL
-        forEachTestTld           // Run for tlds with getTldType() == TldType.TEST
-        exclude=TLD1[,TLD2]      // exclude something otherwise included
-   -->
-
-  <cron>
-    <url>/_dr/task/rdeStaging</url>
-    <description>
-      This job generates a full RDE escrow deposit as a single gigantic XML document
-      and streams it to cloud storage. When this job has finished successfully, it'll
-      launch a separate task that uploads the deposit file to Iron Mountain via SFTP.
-    </description>
-    <!--
-      This only needs to run once per day, but we launch additional jobs in case the
-      cursor is lagging behind, so it'll catch up to the current date eventually.
-
-      See <a href="../../../production/default/WEB-INF/cron.xml">production config</a> for an
-      explanation of job starting times.
-    -->
-    <schedule>every 12 hours from 00:07 to 12:07</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=rde-upload&endpoint=/_dr/task/rdeUpload&forEachRealTld]]></url>
-    <description>
-      This job is a no-op unless RdeUploadCursor falls behind for some reason.
-    </description>
-    <schedule>every 4 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchDnl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest DNL from MarksDB and inserts it into the database.
-      (See: TmchDnlServlet, ClaimsList)
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchSmdrl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest SMDRL from MarksDB and inserts it into the database.
-      (See: TmchSmdrlServlet, SignedMarkRevocationList)
-    </description>
-    <schedule>every 12 hours from 00:15 to 12:15</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=marksdb&endpoint=/_dr/task/tmchCrl&runInEmpty]]></url>
-    <description>
-      This job downloads the latest CRL from MarksDB and inserts it into the database.
-      (See: TmchCrlServlet)
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/syncGroupMembers&runInEmpty]]></url>
-    <description>
-      Syncs RegistrarContact changes in the past hour to Google Groups.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=sheet&endpoint=/_dr/task/syncRegistrarsSheet&runInEmpty]]></url>
-    <description>
-      Synchronize Registrar entities to Google Spreadsheets.
-    </description>
-    <schedule>every 1 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <!-- TODO(b/249863289): disable until it is safe to run this pipeline
-  <cron>
-    <url><![CDATA[/_dr/task/resaveAllEppResourcesPipeline?fast=true]]></url>
-    <description>
-      This job resaves all our resources, projected in time to "now".
-    </description>
-    <schedule>1st monday of month 09:00</schedule>
-    <target>backend</target>
-  </cron>
-  -->
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportDomainLists&runInEmpty]]></url>
-    <description>
-      This job exports lists of all active domain names to Google Drive and Google Cloud Storage.
-    </description>
-    <schedule>every 12 hours synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/expandRecurringBillingEvents]]></url>
-    <description>
-      This job runs an action that creates synthetic OneTime billing events from Recurring billing
-      events. Events are created for all instances of Recurring billing events that should exist
-      between the RECURRING_BILLING cursor's time and the execution time of the action.
-    </description>
-    <schedule>every day 03:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/deleteExpiredDomains]]></url>
-    <description>
-      This job runs an action that deletes domains that are past their
-      autorenew end date.
-    </description>
-    <schedule>every day 03:07</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/deleteProberData&runInEmpty]]></url>
-    <description>
-      This job clears out data from probers and runs once a week.
-    </description>
-    <schedule>every monday 14:00</schedule>
-    <timezone>UTC</timezone>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportReservedTerms&forEachRealTld]]></url>
-    <description>
-      Reserved terms export to Google Drive job for creating once-daily exports.
-    </description>
-    <schedule>every day 05:30</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/fanout?queue=retryable-cron-tasks&endpoint=/_dr/task/exportPremiumTerms&forEachRealTld]]></url>
-    <description>
-      Exports premium price lists to the Google Drive folders for each TLD once per day.
-    </description>
-    <schedule>every day 05:00</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>every 1 minutes synchronized</schedule>
-    <target>backend</target>
-  </cron>
-
-  <cron>
-    <url><![CDATA[/_dr/task/wipeOutContactHistoryPii]]></url>
-    <description>
-      This job runs weekly to wipe out PII fields of ContactHistory entities
-      that have been in the database for a certain period of time.
-    </description>
-    <schedule>every monday 15:00</schedule>
-    <target>backend</target>
-  </cron>
 </cronentries>

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -15,6 +15,8 @@
 package google.registry.flows.domain;
 
 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkState;
+import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.flows.FlowUtils.persistEntityChanges;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
@@ -52,6 +54,7 @@ import static google.registry.model.tld.Registry.TldState.QUIET_PERIOD;
 import static google.registry.model.tld.Registry.TldState.START_DATE_SUNRISE;
 import static google.registry.model.tld.label.ReservationType.NAME_COLLISION;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.CollectionUtils.isNullOrEmpty;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import static google.registry.util.DateTimeUtils.leapSafeAddYears;
 
@@ -61,6 +64,7 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.net.InternetDomainName;
 import google.registry.dns.DnsQueue;
 import google.registry.flows.EppException;
+import google.registry.flows.EppException.AssociationProhibitsOperationException;
 import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.EppException.ParameterValuePolicyErrorException;
 import google.registry.flows.ExtensionManager;
@@ -82,6 +86,8 @@ import google.registry.model.billing.BillingEvent.Flag;
 import google.registry.model.billing.BillingEvent.Reason;
 import google.registry.model.billing.BillingEvent.Recurring;
 import google.registry.model.billing.BillingEvent.RenewalPriceBehavior;
+import google.registry.model.common.DatabaseMigrationStateSchedule;
+import google.registry.model.common.DatabaseMigrationStateSchedule.MigrationState;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.DomainCommand;
 import google.registry.model.domain.DomainCommand.Create;
@@ -117,7 +123,10 @@ import google.registry.model.tld.Registry.TldType;
 import google.registry.model.tld.label.ReservationType;
 import google.registry.model.tmch.ClaimsList;
 import google.registry.model.tmch.ClaimsListDao;
+import google.registry.persistence.VKey;
 import google.registry.tmch.LordnTaskUtils;
+import google.registry.tmch.LordnTaskUtils.LordnPhase;
+import java.util.Map;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import javax.inject.Inject;
@@ -156,6 +165,7 @@ import org.joda.time.Duration;
  * @error {@link DomainFlowTmchUtils.NoMarksFoundMatchingDomainException}
  * @error {@link DomainFlowTmchUtils.FoundMarkNotYetValidException}
  * @error {@link DomainFlowTmchUtils.FoundMarkExpiredException}
+ * @error {@link DomainFlowTmchUtils.SignedMarkRevokedErrorException}
  * @error {@link DomainFlowUtils.NotAuthorizedForTldException}
  * @error {@link DomainFlowUtils.AcceptedTooLongAgoException}
  * @error {@link DomainFlowUtils.BadDomainNameCharacterException}
@@ -270,6 +280,13 @@ public final class DomainCreateFlow implements TransactionalFlow {
             registrarId,
             now,
             eppInput.getSingleExtension(AllocationTokenExtension.class));
+    boolean defaultTokenUsed = false;
+    if (!allocationToken.isPresent() && !registry.getDefaultPromoTokens().isEmpty()) {
+      allocationToken = checkForDefaultToken(registry, command);
+      if (allocationToken.isPresent()) {
+        defaultTokenUsed = true;
+      }
+    }
     boolean isAnchorTenant =
         isAnchorTenant(
             domainName, allocationToken, eppInput.getSingleExtension(MetadataExtension.class));
@@ -327,7 +344,7 @@ public final class DomainCreateFlow implements TransactionalFlow {
     FeesAndCredits feesAndCredits =
         pricingLogic.getCreatePrice(
             registry, targetId, now, years, isAnchorTenant, allocationToken);
-    validateFeeChallenge(feeCreate, feesAndCredits);
+    validateFeeChallenge(feeCreate, feesAndCredits, defaultTokenUsed);
     Optional<SecDnsCreateExtension> secDnsCreate =
         validateSecDnsExtension(eppInput.getSingleExtension(SecDnsCreateExtension.class));
     DateTime registrationExpirationTime = leapSafeAddYears(now, years);
@@ -367,7 +384,7 @@ public final class DomainCreateFlow implements TransactionalFlow {
         reservationTypes.contains(NAME_COLLISION)
             ? ImmutableSet.of(SERVER_HOLD)
             : ImmutableSet.of();
-    Domain domain =
+    Domain.Builder domainBuilder =
         new Domain.Builder()
             .setCreationRegistrarId(registrarId)
             .setPersistedCurrentSponsorRegistrarId(registrarId)
@@ -387,7 +404,14 @@ public final class DomainCreateFlow implements TransactionalFlow {
             .setContacts(command.getContacts())
             .addGracePeriod(
                 GracePeriod.forBillingEvent(GracePeriodStatus.ADD, repoId, createBillingEvent))
-            .build();
+            .setLordnPhase(
+                !DatabaseMigrationStateSchedule.getValueAtTime(tm().getTransactionTime())
+                        .equals(MigrationState.NORDN_SQL)
+                    ? LordnPhase.NONE
+                    : hasSignedMarks
+                        ? LordnPhase.SUNRISE
+                        : hasClaimsNotice ? LordnPhase.CLAIMS : LordnPhase.NONE);
+    Domain domain = domainBuilder.build();
     if (allocationToken.isPresent()
         && allocationToken.get().getTokenType().equals(TokenType.PACKAGE)) {
       if (years > 1) {
@@ -434,6 +458,36 @@ public final class DomainCreateFlow implements TransactionalFlow {
         .build();
   }
 
+  private Optional<AllocationToken> checkForDefaultToken(
+      Registry registry, DomainCommand.Create command) throws EppException {
+    Map<VKey<AllocationToken>, Optional<AllocationToken>> tokens =
+        AllocationToken.getAll(registry.getDefaultPromoTokens());
+    ImmutableList<Optional<AllocationToken>> tokenList =
+        registry.getDefaultPromoTokens().stream()
+            .map(tokens::get)
+            .filter(Optional::isPresent)
+            .collect(toImmutableList());
+    checkState(
+        !isNullOrEmpty(tokenList),
+        "Failure while loading default TLD promotions from the database");
+    // Check if any of the tokens are valid for this domain registration
+    for (Optional<AllocationToken> token : tokenList) {
+      try {
+        AllocationTokenFlowUtils.validateToken(
+            InternetDomainName.from(command.getDomainName()),
+            token.get(),
+            registrarId,
+            tm().getTransactionTime());
+      } catch (AssociationProhibitsOperationException e) {
+        // Allocation token was not valid for this registration, continue to check the next token in
+        // the list
+        continue;
+      }
+      // Only use the first valid token in the list
+      return token;
+    }
+    return Optional.empty();
+  }
   /**
    * Verifies that signed marks are only sent during sunrise.
    *
@@ -657,7 +711,9 @@ public final class DomainCreateFlow implements TransactionalFlow {
     if (newDomain.shouldPublishToDns()) {
       dnsQueue.addDomainRefreshTask(newDomain.getDomainName());
     }
-    if (hasClaimsNotice || hasSignedMarks) {
+    if (!DatabaseMigrationStateSchedule.getValueAtTime(tm().getTransactionTime())
+            .equals(MigrationState.NORDN_SQL)
+        && (hasClaimsNotice || hasSignedMarks)) {
       LordnTaskUtils.enqueueDomainTask(newDomain);
     }
   }

core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java

@@ -778,12 +778,13 @@ public class DomainFlowUtils {
    */
   public static void validateFeeChallenge(
       final Optional<? extends FeeTransformCommandExtension> feeCommand,
-      FeesAndCredits feesAndCredits)
+      FeesAndCredits feesAndCredits,
+      boolean defaultTokenUsed)
       throws EppException {
     if (feesAndCredits.hasAnyPremiumFees() && !feeCommand.isPresent()) {
       throw new FeesRequiredForPremiumNameException();
     }
-    validateFeesAckedIfPresent(feeCommand, feesAndCredits);
+    validateFeesAckedIfPresent(feeCommand, feesAndCredits, defaultTokenUsed);
   }
 
   /**
@@ -795,7 +796,8 @@ public class DomainFlowUtils {
    */
   public static void validateFeesAckedIfPresent(
       final Optional<? extends FeeTransformCommandExtension> feeCommand,
-      FeesAndCredits feesAndCredits)
+      FeesAndCredits feesAndCredits,
+      boolean defaultTokenUsed)
       throws EppException {
     // Check for the case where a fee command extension was required but not provided.
     // This only happens when the total fees are non-zero and include custom fees requiring the
@@ -856,7 +858,9 @@ public class DomainFlowUtils {
     // Checking if total amount is expected. Extra fees that we are not expecting may be passed in.
     // Or if there is only a single fee type expected.
     if (!feeTotal.equals(feesAndCredits.getTotalCost())) {
-      throw new FeesMismatchException(feesAndCredits.getTotalCost());
+      if (!defaultTokenUsed || feeTotal.isLessThan(feesAndCredits.getTotalCost())) {
+        throw new FeesMismatchException(feesAndCredits.getTotalCost());
+      }
     }
   }
 

core/src/main/java/google/registry/flows/domain/DomainRenewFlow.java

@@ -199,7 +199,7 @@ public final class DomainRenewFlow implements TransactionalFlow {
             now,
             years,
             existingRecurringBillingEvent);
-    validateFeeChallenge(feeRenew, feesAndCredits);
+    validateFeeChallenge(feeRenew, feesAndCredits, false);
     flowCustomLogic.afterValidation(
         AfterValidationParameters.newBuilder()
             .setExistingDomain(existingDomain)

core/src/main/java/google/registry/flows/domain/DomainRestoreRequestFlow.java

@@ -226,7 +226,7 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow {
     if (!existingDomain.getGracePeriodStatuses().contains(GracePeriodStatus.REDEMPTION)) {
       throw new DomainNotEligibleForRestoreException();
     }
-    validateFeeChallenge(feeUpdate, feesAndCredits);
+    validateFeeChallenge(feeUpdate, feesAndCredits, false);
   }
 
   private static Domain performRestore(

core/src/main/java/google/registry/flows/domain/DomainTransferRequestFlow.java

@@ -210,7 +210,7 @@ public final class DomainTransferRequestFlow implements TransactionalFlow {
     }
 
     if (feesAndCredits.isPresent()) {
-      validateFeeChallenge(feeTransfer, feesAndCredits.get());
+      validateFeeChallenge(feeTransfer, feesAndCredits.get(), false);
     }
     HistoryEntryId domainHistoryId = createHistoryEntryId(existingDomain);
     historyBuilder

core/src/main/java/google/registry/flows/domain/DomainUpdateFlow.java

@@ -231,7 +231,7 @@ public final class DomainUpdateFlow implements TransactionalFlow {
     Optional<FeeUpdateCommandExtension> feeUpdate =
         eppInput.getSingleExtension(FeeUpdateCommandExtension.class);
     FeesAndCredits feesAndCredits = pricingLogic.getUpdatePrice(registry, targetId, now);
-    validateFeesAckedIfPresent(feeUpdate, feesAndCredits);
+    validateFeesAckedIfPresent(feeUpdate, feesAndCredits, false);
     verifyNotInPendingDelete(
         add.getContacts(),
         command.getInnerChange().getRegistrant(),
@@ -307,6 +307,13 @@ public final class DomainUpdateFlow implements TransactionalFlow {
     }
   }
 
+  /**
+   * Checks whether the new state of the domain is valid.
+   *
+   * <p>Note: Before adding or amending conditions, existing data has to be verified for being
+   * compliant with the additions or amendments, otherwise existing data can become invalid and
+   * cause Domain update failure.
+   */
   private void validateNewState(Domain newDomain) throws EppException {
     validateRequiredContactsPresent(newDomain.getRegistrant(), newDomain.getContacts());
     validateDsData(newDomain.getDsData());

core/src/main/java/google/registry/flows/domain/token/AllocationTokenFlowUtils.java

@@ -108,7 +108,7 @@ public class AllocationTokenFlowUtils {
    *
    * @throws EppException if the token is invalid in any way
    */
-  private static void validateToken(
+  public static void validateToken(
       InternetDomainName domainName, AllocationToken token, String registrarId, DateTime now)
       throws EppException {
 

core/src/main/java/google/registry/idn/Latin-IDN.txt

@@ -68,7 +68,6 @@ U+011F                         # LATIN SMALL LETTER G WITH BREVE
 U+01E7                         # LATIN SMALL LETTER G WITH CARON
 U+0121                         # LATIN SMALL LETTER G WITH DOT ABOVE
 U+0123                         # LATIN SMALL LETTER G WITH CEDILLA
-U+01E5                         # LATIN SMALL LETTER G WITH STROKE
 U+0068                         # LATIN SMALL LETTER H
 U+0127                         # LATIN SMALL LETTER H WITH STROKE
 U+0069                         # LATIN SMALL LETTER I

core/src/main/java/google/registry/model/CreateAutoTimestamp.java

@@ -16,6 +16,7 @@ package google.registry.model;
 
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
+import com.google.gson.annotations.Expose;
 import javax.annotation.Nullable;
 import javax.persistence.Column;
 import javax.persistence.Embeddable;
@@ -28,6 +29,7 @@ import org.joda.time.DateTime;
 public class CreateAutoTimestamp extends ImmutableObject implements UnsafeSerializable {
 
   @Column(nullable = false)
+  @Expose
   DateTime creationTime;
 
   @PrePersist

core/src/main/java/google/registry/model/EppResource.java

@@ -31,8 +31,8 @@ import com.github.benmanes.caffeine.cache.LoadingCache;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import com.google.gson.annotations.Expose;
 import google.registry.config.RegistryConfig;
-import google.registry.model.annotations.IdAllocation;
 import google.registry.model.eppcommon.StatusValue;
 import google.registry.model.transfer.TransferData;
 import google.registry.persistence.VKey;
@@ -66,7 +66,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
    *
    * @see <a href="https://tools.ietf.org/html/rfc5730">RFC 5730</a>
    */
-  @IdAllocation @Transient String repoId;
+  @Expose @Transient String repoId;
 
   /**
    * The ID of the registrar that is currently sponsoring this resource.
@@ -74,7 +74,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
    * <p>This can be null in the case of pre-Registry-3.0-migration history objects with null
    * resource fields.
    */
-  String currentSponsorRegistrarId;
+  @Expose String currentSponsorRegistrarId;
 
   /**
    * The ID of the registrar that created this resource.
@@ -82,7 +82,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
    * <p>This can be null in the case of pre-Registry-3.0-migration history objects with null
    * resource fields.
    */
-  String creationRegistrarId;
+  @Expose String creationRegistrarId;
 
   /**
    * The ID of the registrar that last updated this resource.
@@ -91,7 +91,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
    * edits; it only includes EPP-visible modifications such as {@literal <update>}. Can be null if
    * the resource has never been modified.
    */
-  String lastEppUpdateRegistrarId;
+  @Expose String lastEppUpdateRegistrarId;
 
   /**
    * The time when this resource was created.
@@ -105,6 +105,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
    */
   // Need to override the default non-null column attribute.
   @AttributeOverride(name = "creationTime", column = @Column)
+  @Expose
   CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
 
   /**
@@ -129,10 +130,10 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
    * edits; it only includes EPP-visible modifications such as {@literal <update>}. Can be null if
    * the resource has never been modified.
    */
-  DateTime lastEppUpdateTime;
+  @Expose DateTime lastEppUpdateTime;
 
   /** Status values associated with this resource. */
-  Set<StatusValue> statuses;
+  @Expose Set<StatusValue> statuses;
 
   public String getRepoId() {
     return repoId;

core/src/main/java/google/registry/model/common/DatabaseMigrationStateSchedule.java

@@ -44,6 +44,8 @@ public class DatabaseMigrationStateSchedule extends CrossTldSingleton {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
+  private static boolean useUncachedForTest = false;
+
   public enum PrimaryDatabase {
     CLOUD_SQL,
     DATASTORE
@@ -85,7 +87,10 @@ public class DatabaseMigrationStateSchedule extends CrossTldSingleton {
     SQL_ONLY(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.NO_REPLAY),
 
     /** Toggles SQL Sequence based allocateId */
-    SEQUENCE_BASED_ALLOCATE_ID(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.NO_REPLAY);
+    SEQUENCE_BASED_ALLOCATE_ID(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.NO_REPLAY),
+
+    /** Use SQL-based Nordn upload flow instead of the pull queue-based one. */
+    NORDN_SQL(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.NO_REPLAY);
 
     private final PrimaryDatabase primaryDatabase;
     private final boolean isReadOnly;
@@ -164,7 +169,9 @@ public class DatabaseMigrationStateSchedule extends CrossTldSingleton {
                 MigrationState.SQL_ONLY,
                 MigrationState.SQL_PRIMARY_READ_ONLY,
                 MigrationState.SQL_PRIMARY)
-            .putAll(MigrationState.SQL_ONLY, MigrationState.SEQUENCE_BASED_ALLOCATE_ID);
+            .putAll(MigrationState.SQL_ONLY, MigrationState.SEQUENCE_BASED_ALLOCATE_ID)
+            .putAll(MigrationState.SEQUENCE_BASED_ALLOCATE_ID, MigrationState.NORDN_SQL)
+            .putAll(MigrationState.NORDN_SQL, MigrationState.SEQUENCE_BASED_ALLOCATE_ID);
 
     // In addition, we can always transition from a state to itself (useful when updating the map).
     Arrays.stream(MigrationState.values()).forEach(state -> builder.put(state, state));
@@ -181,8 +188,8 @@ public class DatabaseMigrationStateSchedule extends CrossTldSingleton {
   public TimedTransitionProperty<MigrationState> migrationTransitions =
       TimedTransitionProperty.withInitialValue(MigrationState.DATASTORE_ONLY);
 
-  // Required for Objectify initialization
-  private DatabaseMigrationStateSchedule() {}
+  // Required for Hibernate initialization
+  protected DatabaseMigrationStateSchedule() {}
 
   @VisibleForTesting
   public DatabaseMigrationStateSchedule(
@@ -205,6 +212,11 @@ public class DatabaseMigrationStateSchedule extends CrossTldSingleton {
     CACHE.invalidateAll();
   }
 
+  @VisibleForTesting
+  public static void useUncachedForTest() {
+    useUncachedForTest = true;
+  }
+
   /** Loads the currently-set migration schedule from the cache, or the default if none exists. */
   public static TimedTransitionProperty<MigrationState> get() {
     return CACHE.get(DatabaseMigrationStateSchedule.class);
@@ -212,7 +224,9 @@ public class DatabaseMigrationStateSchedule extends CrossTldSingleton {
 
   /** Returns the database migration status at the given time. */
   public static MigrationState getValueAtTime(DateTime dateTime) {
-    return get().getValueAtTime(dateTime);
+    return useUncachedForTest
+        ? getUncached().getValueAtTime(dateTime)
+        : get().getValueAtTime(dateTime);
   }
 
   /** Loads the currently-set migration schedule from SQL, or the default if none exists. */

core/src/main/java/google/registry/model/domain/Domain.java

@@ -58,7 +58,7 @@ import org.joda.time.DateTime;
       @Index(columnList = "techContact"),
       @Index(columnList = "tld"),
       @Index(columnList = "registrantContact"),
-      @Index(columnList = "dnsRefreshRequestTime"),
+      @Index(columnList = "lordnPhase"),
       @Index(columnList = "billing_recurrence_id"),
       @Index(columnList = "transfer_billing_event_id"),
       @Index(columnList = "transfer_billing_recurrence_id")
@@ -199,7 +199,7 @@ public class Domain extends DomainBase implements ForeignKeyedEppResource {
           .setSubordinateHosts(domainBase.getSubordinateHosts())
           .setStatusValues(domainBase.getStatusValues())
           .setTransferData(domainBase.getTransferData())
-          .setDnsRefreshRequestTime(domainBase.getDnsRefreshRequestTime())
+          .setLordnPhase(domainBase.getLordnPhase())
           .setCurrentPackageToken(domainBase.getCurrentPackageToken().orElse(null));
     }
   }

core/src/main/java/google/registry/model/domain/DomainBase.java

@@ -40,7 +40,7 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedSet;
 import com.google.common.collect.Ordering;
 import com.google.common.collect.Sets;
-import google.registry.dns.RefreshDnsAction;
+import com.google.gson.annotations.Expose;
 import google.registry.flows.ResourceFlowUtils;
 import google.registry.model.EppResource;
 import google.registry.model.EppResource.ResourceWithTransferData;
@@ -61,6 +61,8 @@ import google.registry.model.transfer.DomainTransferData;
 import google.registry.model.transfer.TransferStatus;
 import google.registry.persistence.VKey;
 import google.registry.tldconfig.idn.IdnLabelValidator;
+import google.registry.tmch.LordnTaskUtils.LordnPhase;
+import google.registry.tmch.NordnUploadAction;
 import google.registry.util.CollectionUtils;
 import google.registry.util.DateTimeUtils;
 import java.util.HashSet;
@@ -76,6 +78,8 @@ import javax.persistence.AttributeOverrides;
 import javax.persistence.Column;
 import javax.persistence.Embeddable;
 import javax.persistence.Embedded;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
 import javax.persistence.Id;
 import javax.persistence.MappedSuperclass;
 import javax.persistence.Transient;
@@ -118,20 +122,20 @@ public class DomainBase extends EppResource
    *
    * @invariant domainName == domainName.toLowerCase(Locale.ENGLISH)
    */
-  String domainName;
+  @Expose String domainName;
 
   /** The top level domain this is under, de-normalized from {@link #domainName}. */
   String tld;
 
   /** References to hosts that are the nameservers for the domain. */
-  @Transient Set<VKey<Host>> nsHosts;
+  @Expose @Transient Set<VKey<Host>> nsHosts;
 
   /** Contacts. */
-  VKey<Contact> adminContact;
+  @Expose VKey<Contact> adminContact;
 
-  VKey<Contact> billingContact;
-  VKey<Contact> techContact;
-  VKey<Contact> registrantContact;
+  @Expose VKey<Contact> billingContact;
+  @Expose VKey<Contact> techContact;
+  @Expose VKey<Contact> registrantContact;
 
   /** Authorization info (aka transfer secret) of the domain. */
   @Embedded
@@ -172,10 +176,10 @@ public class DomainBase extends EppResource
   String idnTableName;
 
   /** Fully qualified host names of this domain's active subordinate hosts. */
-  Set<String> subordinateHosts;
+  @Expose Set<String> subordinateHosts;
 
   /** When this domain's registration will expire. */
-  DateTime registrationExpirationTime;
+  @Expose DateTime registrationExpirationTime;
 
   /**
    * The poll message associated with this domain being deleted.
@@ -227,7 +231,7 @@ public class DomainBase extends EppResource
    *
    * <p>Can be null if the resource has never been transferred.
    */
-  DateTime lastTransferTime;
+  @Expose DateTime lastTransferTime;
 
   /**
    * When the domain's autorenewal status will expire.
@@ -247,34 +251,27 @@ public class DomainBase extends EppResource
   DateTime autorenewEndTime;
 
   /**
-   * When this domain's DNS was requested to be refreshed, or null if its DNS is up-to-date.
+   * Which Lordn phase the domain is in after it is created but before the Nordn upload has
+   * processed the domain.
    *
-   * <p>This will almost always be null except in the couple of minutes' interval between when a
-   * DNS-affecting create or update operation takes place and when the {@link RefreshDnsAction}
-   * runs, which resets this back to null upon completion of the DNS refresh task. This is a {@link
-   * DateTime} rather than a simple dirty boolean so that the DNS refresh action can order by the
-   * DNS refresh request time and take action on the oldest ones first.
+   * <p>This will almost always be {@code NONE} except in the interval between when a domain that
+   * contains a signed mark or claims notice has been created, and when {@link NordnUploadAction}
+   * runs, which includes the domain in the CSV uploaded to TMCH and sets this back to {@code NONE}.
    *
-   * <p>Note that this is a Cloud SQL-based replacement for the {@code dns-pull} task queue. The
-   * domains that have a non-null value for this field should be exactly the same as the tasks that
-   * would be in the {@code dns-pull} queue.
-   *
-   * <p>Note that in the {@link DomainHistory} table this value means something slightly different:
-   * It means that the given domain action requested a DNS update. Unlike on the {@code Domain}
-   * table, this value is not then subsequently nulled out once the DNS refresh is complete; rather,
-   * it remains as a permanent record of which actions were DNS-affecting and which were not.
+   * <p>Note that in the {@code DomainHistory} table this value means something slightly different:
+   * It means that the given domain was created with a signed mark ({@code SUNRISE} or a claims
+   * notice ({@code CLAIMS}. Unlike on the {@code Domain} table, this value is not then subsequently
+   * set back to {@code NONE} once the Nordn upload is complete; rather, it remains as a permanent
+   * record of when which phase the domain is in when created.
    */
-  // TODO(mcilwain): Start using this field once we are further along in the DB migration.
-  DateTime dnsRefreshRequestTime;
+  @Enumerated(EnumType.STRING)
+  LordnPhase lordnPhase = LordnPhase.NONE;
 
   /** The {@link AllocationToken} for the package this domain is currently a part of. */
   @Nullable VKey<AllocationToken> currentPackageToken;
 
-  /**
-   * Returns the DNS refresh request time iff this domain's DNS needs refreshing, otherwise absent.
-   */
-  public Optional<DateTime> getDnsRefreshRequestTime() {
-    return Optional.ofNullable(dnsRefreshRequestTime);
+  public LordnPhase getLordnPhase() {
+    return lordnPhase;
   }
 
   public ImmutableSet<String> getSubordinateHosts() {
@@ -861,8 +858,8 @@ public class DomainBase extends EppResource
       return thisCastToDerived();
     }
 
-    public B setDnsRefreshRequestTime(Optional<DateTime> dnsRefreshRequestTime) {
-      getInstance().dnsRefreshRequestTime = dnsRefreshRequestTime.orElse(null);
+    public B setLordnPhase(LordnPhase lordnPhase) {
+      getInstance().lordnPhase = lordnPhase;
       return thisCastToDerived();
     }
 

core/src/main/java/google/registry/model/domain/token/AllocationToken.java

@@ -16,16 +16,22 @@ package google.registry.model.domain.token;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
+import static com.google.common.collect.ImmutableMap.toImmutableMap;
+import static google.registry.config.RegistryConfig.getSingletonCacheRefreshDuration;
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.CANCELLED;
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.ENDED;
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.NOT_STARTED;
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.VALID;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.forceEmptyToNull;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 
+import com.github.benmanes.caffeine.cache.CacheLoader;
+import com.github.benmanes.caffeine.cache.LoadingCache;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableMultimap;
 import com.google.common.collect.ImmutableSet;
@@ -34,6 +40,7 @@ import com.google.common.collect.Range;
 import google.registry.flows.EppException;
 import google.registry.flows.domain.DomainFlowUtils;
 import google.registry.model.Buildable;
+import google.registry.model.CacheUtils;
 import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.UpdateAutoTimestampEntity;
 import google.registry.model.billing.BillingEvent.RenewalPriceBehavior;
@@ -41,6 +48,7 @@ import google.registry.model.common.TimedTransitionProperty;
 import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
 import google.registry.persistence.VKey;
 import google.registry.persistence.WithVKey;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import javax.annotation.Nullable;
@@ -267,6 +275,39 @@ public class AllocationToken extends UpdateAutoTimestampEntity implements Builda
     return STATIC_TOKEN_BEHAVIORS.getOrDefault(token, TokenBehavior.DEFAULT);
   }
 
+  public static Optional<AllocationToken> get(VKey<AllocationToken> key) {
+    return ALLOCATION_TOKENS_CACHE.get(key);
+  }
+
+  public static Map<VKey<AllocationToken>, Optional<AllocationToken>> getAll(
+      ImmutableList<VKey<AllocationToken>> keys) {
+    return ALLOCATION_TOKENS_CACHE.getAll(keys);
+  }
+
+  /** A cache that loads the {@link AllocationToken} object for a given AllocationToken VKey. */
+  private static final LoadingCache<VKey<AllocationToken>, Optional<AllocationToken>>
+      ALLOCATION_TOKENS_CACHE =
+          CacheUtils.newCacheBuilder(getSingletonCacheRefreshDuration())
+              .build(
+                  new CacheLoader<VKey<AllocationToken>, Optional<AllocationToken>>() {
+                    @Override
+                    public Optional<AllocationToken> load(VKey<AllocationToken> key) {
+                      return tm().transact(() -> tm().loadByKeyIfPresent(key));
+                    }
+
+                    @Override
+                    public Map<VKey<AllocationToken>, Optional<AllocationToken>> loadAll(
+                        Iterable<? extends VKey<AllocationToken>> keys) {
+                      ImmutableSet<VKey<AllocationToken>> keySet = ImmutableSet.copyOf(keys);
+                      return tm().transact(
+                              () ->
+                                  keySet.stream()
+                                      .collect(
+                                          toImmutableMap(
+                                              key -> key, key -> tm().loadByKeyIfPresent(key))));
+                    }
+                  });
+
   @Override
   public VKey<AllocationToken> createVKey() {
     if (!AllocationToken.TokenBehavior.DEFAULT.equals(getTokenBehavior())) {

core/src/main/java/google/registry/model/host/Host.java

@@ -28,7 +28,7 @@ import javax.persistence.Table;
 /**
  * A persistable Host resource including mutable and non-mutable fields.
  *
- * <p>The {@link javax.persistence.Id} of the Host is the repoId.
+ * <p>The {@link Id} of the Host is the repoId.
  */
 @Entity(name = "Host")
 @Table(
@@ -48,7 +48,7 @@ import javax.persistence.Table;
       @Index(columnList = "hostName"),
       @Index(columnList = "creationTime"),
       @Index(columnList = "deletionTime"),
-      @Index(columnList = "currentSponsorRegistrarId")
+      @Index(columnList = "currentSponsorRegistrarId"),
     })
 @ExternalMessagingName("host")
 @WithVKey(String.class)
@@ -81,7 +81,7 @@ public class Host extends HostBase implements ForeignKeyedEppResource {
     }
 
     public Builder copyFrom(HostBase hostBase) {
-      return this.setCreationRegistrarId(hostBase.getCreationRegistrarId())
+      return setCreationRegistrarId(hostBase.getCreationRegistrarId())
           .setCreationTime(hostBase.getCreationTime())
           .setDeletionTime(hostBase.getDeletionTime())
           .setHostName(hostBase.getHostName())

core/src/main/java/google/registry/model/server/Lock.java

@@ -88,8 +88,7 @@ public class Lock extends ImmutableObject implements Serializable {
    * <p>See {@link RequestStatusCheckerImpl#getLogId} for details about how it's created in
    * practice.
    */
-  @Column(nullable = false)
-  String requestLogId;
+  @Column String requestLogId;
 
   /** When the lock can be considered implicitly released. */
   @Column(nullable = false)

core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java

@@ -25,6 +25,7 @@ import google.registry.monitoring.whitebox.WhiteboxModule;
 import google.registry.request.RequestComponentBuilder;
 import google.registry.request.RequestModule;
 import google.registry.request.RequestScope;
+import google.registry.ui.server.console.ConsoleDomainGetAction;
 import google.registry.ui.server.registrar.ConsoleOteSetupAction;
 import google.registry.ui.server.registrar.ConsoleRegistrarCreatorAction;
 import google.registry.ui.server.registrar.ConsoleUiAction;
@@ -61,6 +62,8 @@ interface FrontendRequestComponent {
 
   RegistryLockVerifyAction registryLockVerifyAction();
 
+  ConsoleDomainGetAction consoleDomainGetAction();
+
   @Subcomponent.Builder
   abstract class Builder implements RequestComponentBuilder<FrontendRequestComponent> {
     @Override public abstract Builder requestModule(RequestModule requestModule);

core/src/main/java/google/registry/persistence/VKey.java

@@ -22,6 +22,7 @@ import com.google.common.base.Joiner;
 import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.google.gson.annotations.Expose;
 import google.registry.model.EppResource;
 import google.registry.model.ImmutableObject;
 import google.registry.model.contact.Contact;
@@ -52,7 +53,7 @@ public class VKey<T> extends ImmutableObject implements Serializable {
           .collect(toImmutableMap(Class::getSimpleName, identity()));
 
   // The primary key for the referenced entity.
-  Serializable key;
+  @Expose Serializable key;
 
   Class<? extends T> kind;
 

core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java

@@ -15,10 +15,7 @@
 package google.registry.reporting.billing;
 
 import static google.registry.beam.BeamUtils.createJobName;
-import static google.registry.model.common.Cursor.CursorType.RECURRING_BILLING;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
-import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
 
@@ -32,7 +29,6 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryEnvironment;
-import google.registry.model.common.Cursor;
 import google.registry.persistence.PersistenceModule;
 import google.registry.reporting.ReportingModule;
 import google.registry.request.Action;
@@ -44,7 +40,6 @@ import google.registry.util.Clock;
 import google.registry.util.CloudTasksUtils;
 import java.io.IOException;
 import javax.inject.Inject;
-import org.joda.time.DateTime;
 import org.joda.time.Duration;
 import org.joda.time.YearMonth;
 
@@ -113,19 +108,6 @@ public class GenerateInvoicesAction implements Runnable {
     response.setContentType(MediaType.PLAIN_TEXT_UTF_8);
     logger.atInfo().log("Launching invoicing pipeline for %s.", yearMonth);
     try {
-      DateTime currentCursorTime =
-          tm().transact(
-                  () ->
-                      tm().loadByKeyIfPresent(Cursor.createGlobalVKey(RECURRING_BILLING))
-                          .orElse(Cursor.createGlobal(RECURRING_BILLING, START_OF_TIME))
-                          .getCursorTime());
-
-      if (!YearMonth.fromDateFields(currentCursorTime.toDate()).isAfter(yearMonth)) {
-        throw new IllegalStateException(
-            "Latest billing events expansion cycle hasn't finished yet, terminating invoicing"
-                + " pipeline");
-      }
-
       LaunchFlexTemplateParameter parameter =
           new LaunchFlexTemplateParameter()
               .setJobName(createJobName("invoicing", clock))

core/src/main/java/google/registry/request/auth/AuthModule.java

@@ -21,6 +21,7 @@ import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
+import javax.inject.Qualifier;
 import javax.inject.Singleton;
 
 /**
@@ -30,15 +31,26 @@ import javax.inject.Singleton;
 public class AuthModule {
 
   private static final String IAP_ISSUER_URL = "https://cloud.google.com/iap";
+  private static final String SA_ISSUER_URL = "https://accounts.google.com";
 
   /** Provides the custom authentication mechanisms (including OAuth). */
   @Provides
   ImmutableList<AuthenticationMechanism> provideApiAuthenticationMechanisms(
       OAuthAuthenticationMechanism oauthAuthenticationMechanism,
-      IapHeaderAuthenticationMechanism iapHeaderAuthenticationMechanism) {
-    return ImmutableList.of(oauthAuthenticationMechanism, iapHeaderAuthenticationMechanism);
+      IapHeaderAuthenticationMechanism iapHeaderAuthenticationMechanism,
+      ServiceAccountAuthenticationMechanism serviceAccountAuthenticationMechanism) {
+    return ImmutableList.of(
+        oauthAuthenticationMechanism,
+        iapHeaderAuthenticationMechanism,
+        serviceAccountAuthenticationMechanism);
   }
 
+  @Qualifier
+  @interface IAP {}
+
+  @Qualifier
+  @interface ServiceAccount {}
+
   /** Provides the OAuthService instance. */
   @Provides
   OAuthService provideOauthService() {
@@ -46,10 +58,18 @@ public class AuthModule {
   }
 
   @Provides
+  @IAP
   @Singleton
   TokenVerifier provideTokenVerifier(
       @Config("projectId") String projectId, @Config("projectIdNumber") long projectIdNumber) {
     String audience = String.format("/projects/%d/apps/%s", projectIdNumber, projectId);
     return TokenVerifier.newBuilder().setAudience(audience).setIssuer(IAP_ISSUER_URL).build();
   }
+
+  @Provides
+  @ServiceAccount
+  @Singleton
+  TokenVerifier provideServiceAccountTokenVerifier(@Config("projectId") String projectId) {
+    return TokenVerifier.newBuilder().setAudience(projectId).setIssuer(SA_ISSUER_URL).build();
+  }
 }

core/src/main/java/google/registry/request/auth/IapHeaderAuthenticationMechanism.java

@@ -14,15 +14,11 @@
 
 package google.registry.request.auth;
 
-import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.auth.oauth2.TokenVerifier;
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
 import google.registry.model.console.User;
 import google.registry.model.console.UserDao;
+import google.registry.request.auth.AuthModule.IAP;
 import java.util.Optional;
-import javax.annotation.Nullable;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
 
@@ -37,41 +33,22 @@ import javax.servlet.http.HttpServletRequest;
  * @see <a href="https://cloud.google.com/iap/docs/signed-headers-howto">the documentation on GCP
  *     IAP's signed headers for more information.</a>
  */
-public class IapHeaderAuthenticationMechanism implements AuthenticationMechanism {
+public class IapHeaderAuthenticationMechanism extends IdTokenAuthenticationBase {
 
   private static final String ID_TOKEN_HEADER_NAME = "X-Goog-IAP-JWT-Assertion";
 
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  // A workaround that allows "use" of the IAP-based authenticator when running local testing, i.e.
-  // the RegistryTestServer
-  private static Optional<User> userForTesting = Optional.empty();
-
-  private final TokenVerifier tokenVerifier;
-
   @Inject
-  public IapHeaderAuthenticationMechanism(TokenVerifier tokenVerifier) {
-    this.tokenVerifier = tokenVerifier;
+  public IapHeaderAuthenticationMechanism(@IAP TokenVerifier tokenVerifier) {
+    super(tokenVerifier);
   }
 
   @Override
-  public AuthResult authenticate(HttpServletRequest request) {
-    if (RegistryEnvironment.get().equals(RegistryEnvironment.UNITTEST)
-        && userForTesting.isPresent()) {
-      return AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userForTesting.get()));
-    }
-    String rawIdToken = request.getHeader(ID_TOKEN_HEADER_NAME);
-    if (rawIdToken == null) {
-      return AuthResult.NOT_AUTHENTICATED;
-    }
-    JsonWebSignature token;
-    try {
-      token = tokenVerifier.verify(rawIdToken);
-    } catch (TokenVerifier.VerificationException e) {
-      logger.atInfo().withCause(e).log("Error when verifying access token");
-      return AuthResult.NOT_AUTHENTICATED;
-    }
-    String emailAddress = (String) token.getPayload().get("email");
+  String rawTokenFromRequest(HttpServletRequest request) {
+    return request.getHeader(ID_TOKEN_HEADER_NAME);
+  }
+
+  @Override
+  AuthResult authResultFromEmail(String emailAddress) {
     Optional<User> maybeUser = UserDao.loadUser(emailAddress);
     if (!maybeUser.isPresent()) {
       logger.atInfo().log("No user found for email address %s", emailAddress);
@@ -80,8 +57,4 @@ public class IapHeaderAuthenticationMechanism implements AuthenticationMechanism
     return AuthResult.create(AuthLevel.USER, UserAuthInfo.create(maybeUser.get()));
   }
 
-  @VisibleForTesting
-  public static void setUserAuthInfoForTestServer(@Nullable User user) {
-    userForTesting = Optional.ofNullable(user);
-  }
 }

core/src/main/java/google/registry/request/auth/IdTokenAuthenticationBase.java

@@ -0,0 +1,70 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.request.auth;
+
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.auth.oauth2.TokenVerifier;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.flogger.FluentLogger;
+import google.registry.config.RegistryEnvironment;
+import google.registry.model.console.User;
+import java.util.Optional;
+import javax.annotation.Nullable;
+import javax.servlet.http.HttpServletRequest;
+
+public abstract class IdTokenAuthenticationBase implements AuthenticationMechanism {
+
+  public static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  // A workaround that allows "use" of the IAP-based authenticator when running local testing, i.e.
+  // the RegistryTestServer
+  private static Optional<User> userForTesting = Optional.empty();
+
+  private final TokenVerifier tokenVerifier;
+
+  public IdTokenAuthenticationBase(TokenVerifier tokenVerifier) {
+    this.tokenVerifier = tokenVerifier;
+  }
+
+  abstract String rawTokenFromRequest(HttpServletRequest request);
+
+  abstract AuthResult authResultFromEmail(String email);
+
+  @Override
+  public AuthResult authenticate(HttpServletRequest request) {
+    if (RegistryEnvironment.get().equals(RegistryEnvironment.UNITTEST)
+        && userForTesting.isPresent()) {
+      return AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userForTesting.get()));
+    }
+    String rawIdToken = rawTokenFromRequest(request);
+    if (rawIdToken == null) {
+      return AuthResult.NOT_AUTHENTICATED;
+    }
+    JsonWebSignature token;
+    try {
+      token = tokenVerifier.verify(rawIdToken);
+    } catch (TokenVerifier.VerificationException e) {
+      logger.atInfo().withCause(e).log("Error when verifying access token");
+      return AuthResult.NOT_AUTHENTICATED;
+    }
+    String emailAddress = (String) token.getPayload().get("email");
+    return authResultFromEmail(emailAddress);
+  }
+
+  @VisibleForTesting
+  public static void setUserAuthInfoForTestServer(@Nullable User user) {
+    userForTesting = Optional.ofNullable(user);
+  }
+}

core/src/main/java/google/registry/request/auth/ServiceAccountAuthenticationMechanism.java

@@ -0,0 +1,62 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.request.auth;
+
+import static com.google.common.net.HttpHeaders.AUTHORIZATION;
+import static google.registry.request.auth.AuthLevel.APP;
+
+import com.google.auth.oauth2.TokenVerifier;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.request.auth.AuthModule.ServiceAccount;
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * A way to authenticate HTTP requests signed by Service Account
+ *
+ * <p>Currently used by cloud scheduler service account
+ */
+public class ServiceAccountAuthenticationMechanism extends IdTokenAuthenticationBase {
+
+  private final String cloudSchedulerEmailPrefix;
+  private static final String BEARER_PREFIX = "Bearer ";
+
+  @Inject
+  public ServiceAccountAuthenticationMechanism(
+      @ServiceAccount TokenVerifier tokenVerifier,
+      @Config("cloudSchedulerServiceAccountEmail") String cloudSchedulerEmailPrefix) {
+
+    super(tokenVerifier);
+    this.cloudSchedulerEmailPrefix = cloudSchedulerEmailPrefix;
+  }
+
+  @Override
+  String rawTokenFromRequest(HttpServletRequest request) {
+    String rawToken = request.getHeader(AUTHORIZATION);
+    if (rawToken != null && rawToken.startsWith(BEARER_PREFIX)) {
+      return rawToken.substring(BEARER_PREFIX.length());
+    }
+    return null;
+  }
+
+  @Override
+  AuthResult authResultFromEmail(String emailAddress) {
+    if (emailAddress.equals(cloudSchedulerEmailPrefix)) {
+      return AuthResult.create(APP);
+    } else {
+      return AuthResult.NOT_AUTHENTICATED;
+    }
+  }
+}

core/src/main/java/google/registry/tldconfig/idn/extended_latin.txt

@@ -49,7 +49,6 @@ U+011F                         # LATIN SMALL LETTER G WITH BREVE
 U+01E7                         # LATIN SMALL LETTER G WITH CARON
 U+0121                         # LATIN SMALL LETTER G WITH DOT ABOVE
 U+0123                         # LATIN SMALL LETTER G WITH CEDILLA
-U+01E5                         # LATIN SMALL LETTER G WITH STROKE
 U+0068                         # LATIN SMALL LETTER H
 U+0127                         # LATIN SMALL LETTER H WITH STROKE
 U+0069                         # LATIN SMALL LETTER I

core/src/main/java/google/registry/tmch/LordnTaskUtils.java

@@ -38,10 +38,11 @@ public final class LordnTaskUtils {
 
   public static final String QUEUE_SUNRISE = "lordn-sunrise";
   public static final String QUEUE_CLAIMS = "lordn-claims";
-  public static final String COLUMNS_CLAIMS = "roid,domain-name,notice-id,registrar-id,"
-      + "registration-datetime,ack-datetime,application-datetime";
-  public static final String COLUMNS_SUNRISE = "roid,domain-name,SMD-id,registrar-id,"
-      + "registration-datetime,application-datetime";
+  public static final String COLUMNS_CLAIMS =
+      "roid,domain-name,notice-id,registrar-id,"
+          + "registration-datetime,ack-datetime,application-datetime";
+  public static final String COLUMNS_SUNRISE =
+      "roid,domain-name,SMD-id,registrar-id," + "registration-datetime,application-datetime";
 
   /** Enqueues a task in the LORDN queue representing a line of CSV for LORDN export. */
   public static void enqueueDomainTask(Domain domain) {
@@ -50,20 +51,27 @@ public final class LordnTaskUtils {
     // isn't yet populated when this method is called during the resource flow.
     String tld = domain.getTld();
     if (domain.getLaunchNotice() == null) {
-      getQueue(QUEUE_SUNRISE).add(TaskOptions.Builder
-          .withTag(tld)
-          .method(Method.PULL)
-          .payload(getCsvLineForSunriseDomain(domain, tm().getTransactionTime())));
+      getQueue(QUEUE_SUNRISE)
+          .add(
+              TaskOptions.Builder.withTag(tld)
+                  .method(Method.PULL)
+                  .payload(getCsvLineForSunriseDomain(domain, tm().getTransactionTime())));
     } else {
-      getQueue(QUEUE_CLAIMS).add(TaskOptions.Builder
-          .withTag(tld)
-          .method(Method.PULL)
-          .payload(getCsvLineForClaimsDomain(domain, tm().getTransactionTime())));
+      getQueue(QUEUE_CLAIMS)
+          .add(
+              TaskOptions.Builder.withTag(tld)
+                  .method(Method.PULL)
+                  .payload(getCsvLineForClaimsDomain(domain, tm().getTransactionTime())));
     }
   }
 
   /** Returns the corresponding CSV LORDN line for a sunrise domain. */
-  public static String getCsvLineForSunriseDomain(Domain domain, DateTime transactionTime) {
+  public static String getCsvLineForSunriseDomain(Domain domain) {
+    return getCsvLineForSunriseDomain(domain, domain.getCreationTime());
+  }
+
+  // TODO: Merge into the function above after pull queue migration.
+  private static String getCsvLineForSunriseDomain(Domain domain, DateTime transactionTime) {
     return Joiner.on(',')
         .join(
             domain.getRepoId(),
@@ -74,7 +82,12 @@ public final class LordnTaskUtils {
   }
 
   /** Returns the corresponding CSV LORDN line for a claims domain. */
-  public static String getCsvLineForClaimsDomain(Domain domain, DateTime transactionTime) {
+  public static String getCsvLineForClaimsDomain(Domain domain) {
+    return getCsvLineForClaimsDomain(domain, domain.getCreationTime());
+  }
+
+  // TODO: Merge into the function above after pull queue migration.
+  private static String getCsvLineForClaimsDomain(Domain domain, DateTime transactionTime) {
     return Joiner.on(',')
         .join(
             domain.getRepoId(),
@@ -95,4 +108,10 @@ public final class LordnTaskUtils {
   }
 
   private LordnTaskUtils() {}
+
+  public enum LordnPhase {
+    SUNRISE,
+    CLAIMS,
+    NONE
+  }
 }

core/src/main/java/google/registry/tmch/NordnUploadAction.java

@@ -19,9 +19,13 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.net.HttpHeaders.LOCATION;
 import static com.google.common.net.MediaType.CSV_UTF_8;
+import static google.registry.persistence.transaction.QueryComposer.Comparator.EQ;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.UrlConnectionUtils.getResponseBytes;
 import static google.registry.tmch.LordnTaskUtils.COLUMNS_CLAIMS;
 import static google.registry.tmch.LordnTaskUtils.COLUMNS_SUNRISE;
+import static google.registry.tmch.LordnTaskUtils.getCsvLineForClaimsDomain;
+import static google.registry.tmch.LordnTaskUtils.getCsvLineForSunriseDomain;
 import static java.nio.charset.StandardCharsets.US_ASCII;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static javax.servlet.http.HttpServletResponse.SC_ACCEPTED;
@@ -33,6 +37,7 @@ import com.google.appengine.api.taskqueue.TaskHandle;
 import com.google.appengine.api.taskqueue.TransientFailureException;
 import com.google.apphosting.api.DeadlineExceededException;
 import com.google.cloud.tasks.v2.Task;
+import com.google.common.base.Ascii;
 import com.google.common.base.Joiner;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
@@ -42,6 +47,7 @@ import com.google.common.collect.Lists;
 import com.google.common.collect.Ordering;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.model.domain.Domain;
 import google.registry.request.Action;
 import google.registry.request.Action.Service;
 import google.registry.request.Parameter;
@@ -49,6 +55,7 @@ import google.registry.request.RequestParameters;
 import google.registry.request.UrlConnectionService;
 import google.registry.request.UrlConnectionUtils;
 import google.registry.request.auth.Auth;
+import google.registry.tmch.LordnTaskUtils.LordnPhase;
 import google.registry.util.Clock;
 import google.registry.util.CloudTasksUtils;
 import google.registry.util.Retrier;
@@ -59,6 +66,7 @@ import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
 import java.util.List;
+import java.util.Optional;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
 import javax.inject.Inject;
@@ -81,9 +89,11 @@ import org.joda.time.Duration;
 public final class NordnUploadAction implements Runnable {
 
   static final String PATH = "/_dr/task/nordnUpload";
-  static final String LORDN_PHASE_PARAM = "lordn-phase";
+  static final String LORDN_PHASE_PARAM = "lordnPhase";
+  // TODO: Delete after migrating off of pull queue.
+  static final String PULL_QUEUE_PARAM = "pullQueue";
 
-  private static final int QUEUE_BATCH_SIZE = 1000;
+  private static final int BATCH_SIZE = 1000;
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
   private static final Duration LEASE_PERIOD = Duration.standardHours(1);
 
@@ -100,31 +110,102 @@ public final class NordnUploadAction implements Runnable {
   @Inject LordnRequestInitializer lordnRequestInitializer;
   @Inject UrlConnectionService urlConnectionService;
 
-  @Inject @Config("tmchMarksdbUrl") String tmchMarksdbUrl;
-  @Inject @Parameter(LORDN_PHASE_PARAM) String phase;
-  @Inject @Parameter(RequestParameters.PARAM_TLD) String tld;
+  @Inject
+  @Config("tmchMarksdbUrl")
+  String tmchMarksdbUrl;
+
+  @Inject
+  @Parameter(LORDN_PHASE_PARAM)
+  String phase;
+
+  @Inject
+  @Parameter(RequestParameters.PARAM_TLD)
+  String tld;
+
+  @Inject
+  @Parameter(PULL_QUEUE_PARAM)
+  Optional<Boolean> usePullQueue;
 
   @Inject CloudTasksUtils cloudTasksUtils;
 
-  @Inject NordnUploadAction() {}
+  @Inject
+  NordnUploadAction() {}
 
   /**
    * These LORDN parameter names correspond to the relative paths in LORDN URLs and cannot be
    * changed on our end.
    */
-  private static final String PARAM_LORDN_PHASE_SUNRISE = "sunrise";
+  private static final String PARAM_LORDN_PHASE_SUNRISE =
+      Ascii.toLowerCase(LordnPhase.SUNRISE.toString());
 
-  private static final String PARAM_LORDN_PHASE_CLAIMS = "claims";
+  private static final String PARAM_LORDN_PHASE_CLAIMS =
+      Ascii.toLowerCase(LordnPhase.CLAIMS.toString());
 
   /** How long to wait before attempting to verify an upload by fetching the log. */
   private static final Duration VERIFY_DELAY = Duration.standardMinutes(30);
 
   @Override
   public void run() {
-    try {
-      processLordnTasks();
-    } catch (IOException | GeneralSecurityException e) {
-      throw new RuntimeException(e);
+    if (usePullQueue.orElse(false)) {
+      try {
+        processLordnTasks();
+      } catch (IOException | GeneralSecurityException e) {
+        throw new RuntimeException(e);
+      }
+    } else {
+      checkArgument(
+          phase.equals(PARAM_LORDN_PHASE_SUNRISE) || phase.equals(PARAM_LORDN_PHASE_CLAIMS),
+          "Invalid phase specified to NordnUploadAction: %s.",
+          phase);
+      tm().transact(
+              () -> {
+                // Note here that we load all domains pending Nordn in one batch, which should not
+                // be a problem for the rate of domain registration that we see. If we anticipate
+                // a peak in claims during TLD launch (sunrise is NOT first-come-first-serve, so
+                // there should be no expectation of a peak during it), we can consider temporarily
+                // increasing the frequency of Nordn upload to reduce the size of each batch.
+                //
+                // We did not further divide the domains into smaller batches because the
+                // read-upload-write operation per small batch needs to be inside a single
+                // transaction to prevent race conditions, and running several uploads in rapid
+                // sucession will likely overwhelm the MarksDB upload server, which recommands a
+                // maximum upload frequency of every 3 hours.
+                //
+                // See:
+                // https://datatracker.ietf.org/doc/html/draft-ietf-regext-tmch-func-spec-01#section-5.2.3.3
+                List<Domain> domains =
+                    tm().createQueryComposer(Domain.class)
+                        .where("lordnPhase", EQ, LordnPhase.valueOf(Ascii.toUpperCase(phase)))
+                        .where("tld", EQ, tld)
+                        .orderBy("creationTime")
+                        .list();
+                if (domains.isEmpty()) {
+                  return;
+                }
+                StringBuilder csv = new StringBuilder();
+                ImmutableList.Builder<Domain> newDomains = new ImmutableList.Builder<>();
+
+                domains.forEach(
+                    domain -> {
+                      if (phase.equals(PARAM_LORDN_PHASE_SUNRISE)) {
+                        csv.append(getCsvLineForSunriseDomain(domain)).append('\n');
+                      } else {
+                        csv.append(getCsvLineForClaimsDomain(domain)).append('\n');
+                      }
+                      Domain newDomain = domain.asBuilder().setLordnPhase(LordnPhase.NONE).build();
+                      newDomains.add(newDomain);
+                    });
+                String columns =
+                    phase.equals(PARAM_LORDN_PHASE_SUNRISE) ? COLUMNS_SUNRISE : COLUMNS_CLAIMS;
+                String header =
+                    String.format("1,%s,%d\n%s\n", clock.nowUtc(), domains.size(), columns);
+                try {
+                  uploadCsvToLordn(String.format("/LORDN/%s/%s", tld, phase), header + csv);
+                } catch (IOException | GeneralSecurityException e) {
+                  throw new RuntimeException(e);
+                }
+                tm().updateAll(newDomains.build());
+              });
     }
   }
 
@@ -158,7 +239,7 @@ public final class NordnUploadAction implements Runnable {
                   queue.leaseTasks(
                       LeaseOptions.Builder.withTag(tld)
                           .leasePeriod(LEASE_PERIOD.getMillis(), TimeUnit.MILLISECONDS)
-                          .countLimit(QUEUE_BATCH_SIZE)),
+                          .countLimit(BATCH_SIZE)),
               TransientFailureException.class,
               DeadlineExceededException.class);
       if (tasks.isEmpty()) {
@@ -171,7 +252,7 @@ public final class NordnUploadAction implements Runnable {
   private void processLordnTasks() throws IOException, GeneralSecurityException {
     checkArgument(
         phase.equals(PARAM_LORDN_PHASE_SUNRISE) || phase.equals(PARAM_LORDN_PHASE_CLAIMS),
-        "Invalid phase specified to Nordn servlet: %s.",
+        "Invalid phase specified to NordnUploadAction: %s.",
         phase);
     DateTime now = clock.nowUtc();
     Queue queue =
@@ -184,12 +265,12 @@ public final class NordnUploadAction implements Runnable {
     // Note: This upload/task deletion isn't done atomically (it's not clear how one would do so
     // anyway). As a result, it is possible that the upload might succeed yet the deletion of
     // enqueued tasks might fail. If so, this would result in the same lines being uploaded to NORDN
-    // across mulitple uploads. This is probably OK; all that we really cannot have is a missing
+    // across multiple uploads. This is probably OK; all that we really cannot have is a missing
     // line.
     if (!tasks.isEmpty()) {
       String csvData = convertTasksToCsv(tasks, now, columns);
       uploadCsvToLordn(String.format("/LORDN/%s/%s", tld, phase), csvData);
-      Lists.partition(tasks, QUEUE_BATCH_SIZE)
+      Lists.partition(tasks, BATCH_SIZE)
           .forEach(
               batch ->
                   retrier.callWithRetry(

core/src/main/java/google/registry/tmch/TmchCertificateAuthority.java

@@ -22,6 +22,7 @@ import static google.registry.util.ResourceUtils.readResourceUtf8;
 import com.github.benmanes.caffeine.cache.CacheLoader;
 import com.github.benmanes.caffeine.cache.LoadingCache;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryConfig.ConfigModule.TmchCaMode;
 import google.registry.model.CacheUtils;
@@ -55,6 +56,7 @@ public final class TmchCertificateAuthority {
   private static final String ROOT_CRT_PILOT_FILE = "icann-tmch-pilot.crt";
   private static final String CRL_FILE = "icann-tmch.crl";
   private static final String CRL_PILOT_FILE = "icann-tmch-pilot.crl";
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   private final TmchCaMode tmchCaMode;
   private final Clock clock;
@@ -142,8 +144,14 @@ public final class TmchCertificateAuthority {
    * @see X509Utils#verifyCrl
    */
   public void updateCrl(String asciiCrl, String url) throws GeneralSecurityException {
-    X509CRL crl = X509Utils.loadCrl(asciiCrl);
-    X509Utils.verifyCrl(getAndValidateRoot(), getCrl(), crl, clock.nowUtc().toDate());
+    X509CRL newCrl = X509Utils.loadCrl(asciiCrl);
+    X509CRL oldCrl = null;
+    try {
+      oldCrl = getCrl();
+    } catch (Exception e) {
+      logger.atWarning().withCause(e).log("Old CRL is invalid, ignored during CRL update.");
+    }
+    X509Utils.verifyCrl(getAndValidateRoot(), oldCrl, newCrl, clock.nowUtc().toDate());
     TmchCrl.set(asciiCrl, url);
   }
 

core/src/main/java/google/registry/tmch/TmchData.java

@@ -27,8 +27,10 @@ import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
 /** Helper class for common data loaded from the jar and SQL at runtime. */
 public final class TmchData {
 
-  private static final String BEGIN_ENCODED_SMD = "-----BEGIN ENCODED SMD-----";
-  private static final String END_ENCODED_SMD = "-----END ENCODED SMD-----";
+  static final String BEGIN_ENCODED_SMD = "-----BEGIN ENCODED SMD-----";
+  static final String END_ENCODED_SMD = "-----END ENCODED SMD-----";
+
+  private TmchData() {}
 
   static PGPPublicKey loadPublicKey(ByteSource pgpPublicKeyFile) {
     try (InputStream input = pgpPublicKeyFile.openStream();

core/src/main/java/google/registry/tmch/TmchModule.java

@@ -16,6 +16,7 @@ package google.registry.tmch;
 
 import static com.google.common.io.Resources.asByteSource;
 import static com.google.common.io.Resources.getResource;
+import static google.registry.request.RequestParameters.extractOptionalBooleanParameter;
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 
 import dagger.Module;
@@ -25,6 +26,7 @@ import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.Parameter;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
 import org.bouncycastle.openpgp.PGPPublicKey;
 
@@ -64,4 +66,10 @@ public final class TmchModule {
   static String provideNordnLogId(HttpServletRequest req) {
     return extractRequiredParameter(req, NordnVerifyAction.NORDN_LOG_ID_PARAM);
   }
+
+  @Provides
+  @Parameter(NordnUploadAction.PULL_QUEUE_PARAM)
+  static Optional<Boolean> provideUsePullQueue(HttpServletRequest req) {
+    return extractOptionalBooleanParameter(req, NordnUploadAction.PULL_QUEUE_PARAM);
+  }
 }

core/src/main/java/google/registry/tmch/icann-tmch-pilot.crt

@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEVjCCAz6gAwIBAgIgLrAbevoae52y3f6C2tB0Sn3p7XJm0T02FogxKCfNhXkw
-DQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxPDA6BgNVBAoTM0ludGVybmV0
-IENvcnBvcmF0aW9uIGZvciBBc3NpZ25lZCBOYW1lcyBhbmQgTnVtYmVyczEvMC0G
-A1UEAxMmSUNBTk4gVHJhZGVtYXJrIENsZWFyaW5naG91c2UgUGlsb3QgQ0EwHhcN
-MTMwNjI2MDAwMDAwWhcNMjMwNjI1MjM1OTU5WjB8MQswCQYDVQQGEwJVUzE8MDoG
-A1UEChMzSW50ZXJuZXQgQ29ycG9yYXRpb24gZm9yIEFzc2lnbmVkIE5hbWVzIGFu
-ZCBOdW1iZXJzMS8wLQYDVQQDEyZJQ0FOTiBUcmFkZW1hcmsgQ2xlYXJpbmdob3Vz
-ZSBQaWxvdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJiRqFg
-iCoDF8zMJMKHPMEuSpjbEl9ZWII+1WawDyt+jw841HsTT+6MwZsqExbQvukgvnuS
-lA3Rg3xTFxodMaVZWsVQJy2PXGHVFRLnCp05DYZsMGZabuN9mIekYwtjePo89Lz0
-JtU3ibL3squGG3gg6TLtPjks7Txm18BYPOYLznui32GUz+1aIZuk2p5A/rSldsh3
-bke68IX5WZhKuIxT0+BjS8yfLWI0HCUs71WVxzvlJ1v22/eMK0WEA6+ZhCbOKIav
-VtGNJrwIYwhZmxqfiR1HzHTLvrV0SLlJ2bwNk/yzKm8IJfuFezQ5BBtQ2RS9opFX
-X8ft3v+uQQQvi+MCAwEAAaOBwzCBwDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
-DgQWBBTDrT6m1hEARYBcOldKim3cMQ2ecTAOBgNVHQ8BAf8EBAMCAQYwNAYDVR0f
-BC0wKzApoCegJYYjaHR0cDovL2NybC5pY2Fubi5vcmcvdG1jaF9waWxvdC5jcmww
-RQYDVR0gBD4wPDA6BgMqAwQwMzAxBggrBgEFBQcCARYlaHR0cDovL3d3dy5pY2Fu
-bi5vcmcvcGlsb3RfcmVwb3NpdG9yeTANBgkqhkiG9w0BAQsFAAOCAQEAKUfEJ5X6
-QAttajjRVseJFQxRXGHTgCaDk8C/1nj1ielZAuZtgdUpWDUr0NnGCi+LHSsgdTYR
-+vMrxir7EVYQevrBobELkxeTEfjF9FVqjBHInyPFLOFkz15zGG2IwPJps+vhAd/7
-gT0ph1k2FEkJFGL5LwRf1ms4IX0vDkxTIX8Qxy1jczCiSsoV8pwlhh2NHAkpGQWN
-/pTS0Uqi7uU5Bm/IoGvPBzUp5n5SjUMnTZx/+1zAuerSabt483sXBcWsjgl7MqFt
-fONiAtNeMNfh60lTMu4zgVwLZTO4TQM5Q2uylPPmZtwnA88QvM2IL85cIYJHd0z9
-jpUQMBGHXF2WQA==
------END CERTIFICATE-----

core/src/main/java/google/registry/tmch/icann-tmch.crl

@@ -1,13 +0,0 @@
------BEGIN X509 CRL-----
-MIIB8DCB2QIBATANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJVUzE8MDoGA1UE
-ChMzSW50ZXJuZXQgQ29ycG9yYXRpb24gZm9yIEFzc2lnbmVkIE5hbWVzIGFuZCBO
-dW1iZXJzMSkwJwYDVQQDEyBJQ0FOTiBUcmFkZW1hcmsgQ2xlYXJpbmdob3VzZSBD
-QRcNMTgwMzAxMDAwMDAwWhcNMTgxMDA3MjM1OTU5WqAvMC0wHwYDVR0jBBgwFoAU
-XMDxlizKTFsp8UB00xs2PkfUbgQwCgYDVR0UBAMCAQswDQYJKoZIhvcNAQELBQAD
-ggEBAGhvQtqENy2Ga+nGg6kZRCzEWKy481v111Iycku/qL5aUlqSL5BkQst2Czaq
-xdKRSxKHkMaTChoezSaw5huOTd0prdSXVHPg/tmjxyuuS2pqWpuAICkrG06FgXgh
-AG5YCHt2DvCjeA9F3TMmbOkCMILQ/x+vsyg6Yv4Oiz8rFbFcUMntUKSrymt4dKpk
-S78CTkHH/3M3YNxZCo8JPwaQohC3Rck4M30Pg8C0qC9jjSrudA6hCa4223U6aZwC
-Kz3LNXdkqGWlDJPTf0YWwnT4ZyO7KKXVuEbPzg187htz3Jcr6b0x1UUoHGAkOv7i
-W4IwhPbUJ14/7pUuUef6airQUw8=
------END X509 CRL-----

core/src/main/java/google/registry/tmch/icann-tmch.crt

@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEQjCCAyqgAwIBAgIhAJNCMqhNjz3cXVJPj7yvcZvro1FKQR+dTC6tXazem5g+
-MA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNVBAYTAlVTMTwwOgYDVQQKEzNJbnRlcm5l
-dCBDb3Jwb3JhdGlvbiBmb3IgQXNzaWduZWQgTmFtZXMgYW5kIE51bWJlcnMxKTAn
-BgNVBAMTIElDQU5OIFRyYWRlbWFyayBDbGVhcmluZ2hvdXNlIENBMB4XDTEzMDcy
-NDAwMDAwMFoXDTIzMDcyMzIzNTk1OVowdjELMAkGA1UEBhMCVVMxPDA6BgNVBAoT
-M0ludGVybmV0IENvcnBvcmF0aW9uIGZvciBBc3NpZ25lZCBOYW1lcyBhbmQgTnVt
-YmVyczEpMCcGA1UEAxMgSUNBTk4gVHJhZGVtYXJrIENsZWFyaW5naG91c2UgQ0Ew
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5MX6qpRnqFzEXa9w3G0b8
-LTEVZzpOpcSq2BXJO16+iuZ964mpay2hm2BdZk89hSmZhUy2ePBR6PdS0GMmzzXL
-NiyTHJlDIPxxXTR39Iqs8QChJ8wle4pYUu8JUk2vJ0r7PhFweeCCQZ5gvHdCwopS
-bXeolj4NCqsvzU8iROsLRHSZbE83i2pkL+qBoyzjny9MO2rvMNPo5WrDNrno6hvC
-hlf8Pv77HTNCazI2MeW0ArfLin4pSe6nLnDsQA11SF9bbgwDgVMQFvmB8nEvUbZW
-Atnp3auaWqaylC+G0p3frFvMCUJMPrghiPwBABl3bk1GLjXXVl7D8SubKd2Xwv63
-AgMBAAGjgbowgbcwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUXMDxlizK
-TFsp8UB00xs2PkfUbgQwDgYDVR0PAQH/BAQDAgEGMC4GA1UdHwQnMCUwI6AhoB+G
-HWh0dHA6Ly9jcmwuaWNhbm4ub3JnL3RtY2guY3JsMEIGA1UdIAQ7MDkwBgYEVR0g
-ADAvBggrBgEFBQcCATAjMCEGCCsGAQUFBwIBFhVodHRwczovL2NhLmljYW5uLm9y
-Zy8wDQYJKoZIhvcNAQELBQADggEBAAM29FBdwQSAx8dD4ZYtCYjXxTonNCP2qveG
-wrpMJcq/I3Jp/N4etsnj+K5ej5sSlDuo8sTMF7lgMkgjrc6zgJl0+Gct2RhbRNzN
-5ittE9JwJZ3Us4vwiy6gqMO5Ie9YaKMZy2MYP2iFp6AhBKIc2Iz+8aFfnFzdSEx2
-b3xc+t1A09dzpnzU6zvHWUUkTYq9fTg1er1npni9ZErvp0jEyHVWi5GXvWap68XH
-pVF6TBmPW2UBEEnFgd3SxbMXLhaD/wzV12tlSYjxaNed+H5qbVVbSVwN9yBeWU29
-/pkZu79TqFFxTd4CJTWOBq0+yLO1Ts2ZZ1l+GgU6e3hI1XERSNc=
------END CERTIFICATE-----

core/src/main/java/google/registry/tools/GenerateAllocationTokensCommand.java

@@ -18,9 +18,11 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Sets.difference;
 import static google.registry.model.billing.BillingEvent.RenewalPriceBehavior.DEFAULT;
+import static google.registry.model.domain.token.AllocationToken.TokenType.PACKAGE;
 import static google.registry.model.domain.token.AllocationToken.TokenType.SINGLE_USE;
 import static google.registry.model.domain.token.AllocationToken.TokenType.UNLIMITED_USE;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.CollectionUtils.isNullOrEmpty;
 import static google.registry.util.CollectionUtils.nullToEmpty;
 import static google.registry.util.StringGenerator.DEFAULT_PASSWORD_LENGTH;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -253,6 +255,22 @@ class GenerateAllocationTokensCommand implements Command {
         !ImmutableList.of("").equals(allowedTlds),
         "Either omit --allowed_tlds if all TLDs are allowed, or include a comma-separated list");
 
+    if (!isNullOrEmpty(tokenStatusTransitions)) {
+      // Don't allow package tokens to be created with a scheduled end time since this could allow
+      // future domains to be attributed to the package and never be billed. Package promotion
+      // tokens should only be scheduled to end with a brief time period before the status
+      // transition occurs so that no new domains are registered using that token between when the
+      // status is scheduled and when the transition occurs.
+      // TODO(@sarahbot): Create a cleaner way to handle ending packages once we actually have
+      // customers using them
+      boolean hasEnding =
+          tokenStatusTransitions.containsValue(TokenStatus.ENDED)
+              || tokenStatusTransitions.containsValue(TokenStatus.CANCELLED);
+      checkArgument(
+          !(PACKAGE.equals(tokenType) && hasEnding),
+          "PACKAGE tokens should not be generated with ENDED or CANCELLED in their transition map");
+    }
+
     if (tokenStrings != null) {
       verifyTokenStringsDoNotExist();
     }

core/src/main/java/google/registry/tools/GenerateLordnCommand.java

@@ -94,10 +94,10 @@ final class GenerateLordnCommand implements Command {
       Domain domain) {
     String status = " ";
     if (domain.getLaunchNotice() == null && domain.getSmdId() != null) {
-      sunriseCsv.add(LordnTaskUtils.getCsvLineForSunriseDomain(domain, domain.getCreationTime()));
+      sunriseCsv.add(LordnTaskUtils.getCsvLineForSunriseDomain(domain));
       status = "S";
     } else if (domain.getLaunchNotice() != null || domain.getSmdId() != null) {
-      claimsCsv.add(LordnTaskUtils.getCsvLineForClaimsDomain(domain, domain.getCreationTime()));
+      claimsCsv.add(LordnTaskUtils.getCsvLineForClaimsDomain(domain));
       status = "C";
     }
     System.out.printf("%s[%s] ", domain.getDomainName(), status);

core/src/main/java/google/registry/tools/RequestFactoryModule.java

@@ -69,14 +69,15 @@ class RequestFactoryModule {
       return new NetHttpTransport()
           .createRequestFactory(
               request -> {
+                // Use the standard credential initializer to set the Authorization header
+                credentialsBundle.getHttpRequestInitializer().initialize(request);
                 // If using IAP, use the refresh token to acquire an IAP-enabled ID token and use
                 // that for authentication.
                 if (iapClientId.isPresent()) {
                   String idToken = getIdToken(credentialsBundle, iapClientId.get());
-                  request.getHeaders().setAuthorization("Bearer " + idToken);
-                } else {
-                  // Otherwise, use the standard credential HTTP initializer
-                  credentialsBundle.getHttpRequestInitializer().initialize(request);
+                  // Set the Proxy-Authentication header so that IAP can read from it, see
+                  // https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header
+                  request.getHeaders().set("Proxy-Authorization", "Bearer " + idToken);
                 }
                 // GAE request times out after 10 min, so here we set the timeout to 10 min. This is
                 // needed to support some nomulus commands like updating premium lists that take

core/src/main/java/google/registry/tools/UpdateAllocationTokensCommand.java

@@ -14,6 +14,7 @@
 
 package google.registry.tools;
 
+import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableMap.toImmutableMap;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Iterables.partition;
@@ -31,6 +32,7 @@ import google.registry.model.billing.BillingEvent.RenewalPriceBehavior;
 import google.registry.model.domain.token.AllocationToken;
 import google.registry.model.domain.token.AllocationToken.RegistrationBehavior;
 import google.registry.model.domain.token.AllocationToken.TokenStatus;
+import google.registry.model.domain.token.AllocationToken.TokenType;
 import google.registry.tools.params.TransitionListParameter.TokenStatusTransitions;
 import java.util.List;
 import java.util.Map;
@@ -114,6 +116,7 @@ final class UpdateAllocationTokensCommand extends UpdateOrDeleteAllocationTokens
   private static final Joiner JOINER = Joiner.on(", ");
 
   private ImmutableSet<AllocationToken> tokensToSave;
+  private boolean endToken = false;
 
   @Override
   public void init() {
@@ -126,6 +129,12 @@ final class UpdateAllocationTokensCommand extends UpdateOrDeleteAllocationTokens
       allowedTlds = ImmutableList.of();
     }
 
+    if (tokenStatusTransitions != null
+        && (tokenStatusTransitions.containsValue(TokenStatus.ENDED)
+            || tokenStatusTransitions.containsValue(TokenStatus.CANCELLED))) {
+      endToken = true;
+    }
+
     tokensToSave =
         tm().transact(
                 () ->
@@ -157,6 +166,19 @@ final class UpdateAllocationTokensCommand extends UpdateOrDeleteAllocationTokens
   }
 
   private AllocationToken updateToken(AllocationToken original) {
+    if (endToken && original.getTokenType().equals(TokenType.PACKAGE)) {
+      Long domainsInPackage =
+          tm().query("SELECT COUNT(*) FROM Domain WHERE currentPackageToken = :token", Long.class)
+              .setParameter("token", original.createVKey())
+              .getSingleResult();
+
+      checkArgument(
+          domainsInPackage == 0,
+          "Package token %s can not end its promotion because it still has %s domains in the"
+              + " package",
+          original.getToken(),
+          domainsInPackage);
+    }
     AllocationToken.Builder builder = original.asBuilder();
     Optional.ofNullable(allowedClientIds)
         .ifPresent(clientIds -> builder.setAllowedRegistrarIds(ImmutableSet.copyOf(clientIds)));

core/src/main/java/google/registry/ui/server/console/ConsoleDomainGetAction.java

@@ -0,0 +1,91 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.console;
+
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+
+import com.google.api.client.http.HttpStatusCodes;
+import com.google.gson.Gson;
+import google.registry.model.EppResourceUtils;
+import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.User;
+import google.registry.model.domain.Domain;
+import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthResult;
+import google.registry.request.auth.UserAuthInfo;
+import google.registry.ui.server.registrar.JsonGetAction;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** Returns a JSON representation of a domain to the registrar console. */
+@Action(
+    service = Action.Service.DEFAULT,
+    path = ConsoleDomainGetAction.PATH,
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
+public class ConsoleDomainGetAction implements JsonGetAction {
+
+  public static final String PATH = "/console-api/domain";
+
+  private final AuthResult authResult;
+  private final Response response;
+  private final Gson gson;
+  private final String paramDomain;
+
+  @Inject
+  public ConsoleDomainGetAction(
+      AuthResult authResult,
+      Response response,
+      Gson gson,
+      @Parameter("domain") String paramDomain) {
+    this.authResult = authResult;
+    this.response = response;
+    this.gson = gson;
+    this.paramDomain = paramDomain;
+  }
+
+  @Override
+  public void run() {
+    if (!authResult.isAuthenticated() || !authResult.userAuthInfo().isPresent()) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
+      return;
+    }
+    UserAuthInfo authInfo = authResult.userAuthInfo().get();
+    if (!authInfo.consoleUser().isPresent()) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
+      return;
+    }
+    User user = authInfo.consoleUser().get();
+    Optional<Domain> possibleDomain =
+        tm().transact(
+                () ->
+                    EppResourceUtils.loadByForeignKeyCached(
+                        Domain.class, paramDomain, tm().getTransactionTime()));
+    if (!possibleDomain.isPresent()) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
+      return;
+    }
+    Domain domain = possibleDomain.get();
+    if (!user.getUserRoles()
+        .hasPermission(domain.getCurrentSponsorRegistrarId(), ConsolePermission.DOWNLOAD_DOMAINS)) {
+      response.setStatus(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
+      return;
+    }
+    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+    response.setPayload(gson.toJson(domain));
+  }
+}

core/src/main/java/google/registry/ui/server/registrar/RegistrarConsoleModule.java

@@ -156,4 +156,10 @@ public final class RegistrarConsoleModule {
   static Boolean provideIsLock(HttpServletRequest req) {
     return extractBooleanParameter(req, "isLock");
   }
+
+  @Provides
+  @Parameter("domain")
+  static String provideDomain(HttpServletRequest req) {
+    return extractRequiredParameter(req, "domain");
+  }
 }

core/src/main/resources/google/registry/beam/expand_recurring_billing_events_pipeline_metadata.json

@@ -23,12 +23,6 @@
       "helpText": "The exclusive upper bound of the operation window, in ISO 8601 format.",
       "is_optional": false
     },
-    {
-      "name": "shard",
-      "label": "The exclusive upper bound of the operation window.",
-      "helpText": "The exclusive upper bound of the operation window, in ISO 8601 format.",
-      "is_optional": true
-    },
     {
       "name": "isDryRun",
       "label": "Whether this job is a dry run.",

core/src/main/resources/google/registry/tmch/icann-tmch-pilot.crl

@@ -0,0 +1,20 @@
+-----BEGIN X509 CRL-----
+MIIDLjCCARYCAQEwDQYJKoZIhvcNAQENBQAwfDELMAkGA1UEBhMCVVMxPDA6BgNV
+BAoMM0ludGVybmV0IENvcnBvcmF0aW9uIGZvciBBc3NpZ25lZCBOYW1lcyBhbmQg
+TnVtYmVyczEvMC0GA1UEAwwmSUNBTk4gVHJhZGVtYXJrIENsZWFyaW5naG91c2Ug
+UGlsb3QgQ0EXDTIyMTExNjEzMzIyN1oXDTIzMDQwNjEzMzIyN1owNTAzAhQc4zug
+SmVXTpNkiBlOLRFSS6qBnhcNMjIxMTE2MTMzMjI3WjAMMAoGA1UdFQQDCgEAoC8w
+LTAfBgNVHSMEGDAWgBRHe0+uelGRtdG/nTbphn82FgSpRTAKBgNVHRQEAwIBATAN
+BgkqhkiG9w0BAQ0FAAOCAgEAD5pxGf7W2nxnCyoMhhRWclaBrY2VF+lYitpQdUIA
+Li3nhCXDiXwHWNtiyGjKaWJFsCFAph0EejKTR1iHh/7t7fZ5T2KhiqyREGGs2VT5
+AXTWTDZUdGtobmc9xmXowzF7YUWoZZenj1AwUt0/tDKth1ieZvoRWEKJ+0YCpIDQ
+LyfJKBFM6NEyrYiKu1szcdT7+Meii4M8ulYHkUXEJXQBN5+LuESkRrqach6n6zSS
+urvCG2I0ijqVj36TudwRrYU+sCpk8XR6//XyJbcjW5vuUd1/uYrJ+lSZCPaKfjIo
+gLKK1UJ9wLZbg28Hqtb5KxYsLtlzMsNFCbVebatl6QdS+J4OaCGLE4SM2NnsheN/
+qxErMS1eAzNVgpW+yY4JV47k54HDBZfgHmgA8lgyShn7w08dA2mWIYbmbKHcnh2N
+QSQ5wjYbTEy3a251t32pR76W5k/uduoMXestJEXD7yViMz3pFzu97l1huAP8C0Hs
+sMEysMomthMQChqNUZw19wakdxuCyiU+YrL7bHTTL2pAKYB0AKOGE1XgecnneC89
++K5vr5TUTWOpksUeuM5Oq2YYLicYuES1Nr/5GkszNCCY0J+fBL50AI0IItrfFjt1
+Xu/mlbiJKQZXMppWfLJUhu/8Ur1VYeYLeCNR3ju7jfvm3DkVzmqSc0b01uz5POTz
+Hak=
+-----END X509 CRL-----

core/src/main/resources/google/registry/tmch/icann-tmch-pilot.crt

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF7DCCA9SgAwIBAgIUemptMV4lw+1QL1e648o+wvANH4wwDQYJKoZIhvcNAQEN
+BQAwfDELMAkGA1UEBhMCVVMxPDA6BgNVBAoMM0ludGVybmV0IENvcnBvcmF0aW9u
+IGZvciBBc3NpZ25lZCBOYW1lcyBhbmQgTnVtYmVyczEvMC0GA1UEAwwmSUNBTk4g
+VHJhZGVtYXJrIENsZWFyaW5naG91c2UgUGlsb3QgQ0EwHhcNMjIxMTE1MTg1MDA5
+WhcNNDIxMTE1MTg1MDA5WjB8MQswCQYDVQQGEwJVUzE8MDoGA1UECgwzSW50ZXJu
+ZXQgQ29ycG9yYXRpb24gZm9yIEFzc2lnbmVkIE5hbWVzIGFuZCBOdW1iZXJzMS8w
+LQYDVQQDDCZJQ0FOTiBUcmFkZW1hcmsgQ2xlYXJpbmdob3VzZSBQaWxvdCBDQTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALQQS8gSAw6fsyqP+yWvfOtU
+D2hCe/RvbKMG6cJ6yuCMscxIEPT0xrVTkGfzG8b6T4j8iD9mVHDxO19z+y0ALog/
+IPeVLw/x/2QC5YTDlrQtbsT33BN+NFdp13mE324owiyVyYrPqN1B6MtdERQLkIFU
+PIlhTopHfnMtRNzwt2gPpNwy2q5lqK20dKzrG9W1kLd26nFfnN5T9fnv21TtBhSJ
+73qfoU8GuOZhytloJRmT/yvvZNH1JTHyvuG15Q6kDDf46E1d6PO1+tmBQnNIZBfp
+FALrqN1QX1znaHkd1smgLEC1JV/2iAOtxNUL0d1vJcQfmjHXBtMF8Yx1ulpJjN1c
+A6iLMJfO5znd8jQ9O6hkMUjYNRz+XTGHiCTZVkhlNeJiIQbBlILbsnuT4Q+Ywxu+
+83W/ymqq/G2tIJdqXapUGEulYw/09y0TMyMnkA0VO9eDNf/B1AaQxBCEhpP6OufR
+G/nEzbH/SknVhgeV8CkhZo4UeFOx5XFZVj1Y3vBsqVwQYTc0NG84Bv3HD6sDXQd0
+DtW0gjqXg2caxQBoX8F40MCkik5TvnOT8RawvWKJjakEKSgeMceu9LnjRgFk+96Z
+ig1vGVJi213rUgSv7oXcO3HgraHOLkzkMglqOBh7NrUnEdCrrDGKYZwxZ/46cofY
+yyOb+9y/UOWa8MWvoam7AgMBAAGjZjBkMB0GA1UdDgQWBBRHe0+uelGRtdG/nTbp
+hn82FgSpRTAfBgNVHSMEGDAWgBRHe0+uelGRtdG/nTbphn82FgSpRTASBgNVHRMB
+Af8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQ0FAAOCAgEA
+ElXV35T8rG25yyGzNTgI9lDntDy2D0c/WSPPn9LZQREddKEpMBSy8pztHLJurH7B
+uKeb+j0KXw+0IMG5ZKxacUbLlW8NGIXqBRkRiDfBDw374dsLIeB7Gb3PKMWsnvg5
+zZic/iW7Wrrur6xAjFsgFMz8KRuNseGFDZi3UF1O4xX6Wy2KV5HMvvbnzyQa4bN9
+mbnCEf8tVXws2ZWC4e7yEkbLFqDh5czujVGq+g8VEl82wFTn0s+u6roI3vCrqZN9
+Qh2/yOzhpnu+daDcIUqb8keNNIswE7n9A9Yl40xNfzZid8bP4fJXM2oVcXxqUnsD
+Khwk9wgk30XVuKokoWYB3ExAVTYeR6j3jZPpDp3wYHXV23hgexPykKSE/7TMByII
+K1egDjKLdUlReQ5Rca48IRRAa6f4igJoaSvmp3eEF4lmxgXMhHIDocUN0hVDDaPb
+WGkr+sChXtftIUVhE2bi746dNhiBLWWPz8FX/uZzD1srJA8kPmf8YWdH2d6yJ8BN
+2olV7QpDRpmCJwblyzLLeNWCQiwHQNN4MvtxJFFFZQfF6m6A6bZ5CKNM5GvJanRl
+/aS1ehO/DhOkcGelxAjMtTPqKhI1j+SBZqPdumrQDFhfHN/sM9F4g+I8datpu/2P
+Dop0Ki70evaFhD8jVE4z0zt59OUzEHjezWOTNoYU9GU=
+-----END CERTIFICATE-----

core/src/main/resources/google/registry/tmch/icann-tmch.crl

@@ -0,0 +1,18 @@
+-----BEGIN X509 CRL-----
+MIIC8DCB2QIBATANBgkqhkiG9w0BAQ0FADB2MQswCQYDVQQGEwJVUzE8MDoGA1UE
+CgwzSW50ZXJuZXQgQ29ycG9yYXRpb24gZm9yIEFzc2lnbmVkIE5hbWVzIGFuZCBO
+dW1iZXJzMSkwJwYDVQQDDCBJQ0FOTiBUcmFkZW1hcmsgQ2xlYXJpbmdob3VzZSBD
+QRcNMjIxMTE2MTMyNzU3WhcNMjMwNDA2MTMyNzU3WqAvMC0wHwYDVR0jBBgwFoAU
+P/RCC1aVjbgjAjp0MnrSEivX8cYwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQENBQAD
+ggIBAJkrxahXQDaniHHE+8/3GVSlXz2175xVfZ/zqq3twatKd4FWxXD5sr42595Z
+5T9EP5XFii5o/j49qM6a+Qc3V++LEcTj+VHFxvhG2czYhiuZXzFu1WmdmtSCe2+C
+9N7DgGl9VNRg14DKWoW5BPdmgy6/XZCEcxlQ6ft/caZ8G9pR+Q5i9rwCXDFXB1ni
+kIuMKnp5rq95GzF8WnbEGfM0s5YY/UfSozF35oPGtRSyCWdGoTmmpnp3DXMvElMW
+wMxtCRhdhxsS6YzeCPiORTzq08IiCJcVpud5ZdDdKzja1tF8iSc5MnMJ0pygT4ds
+uZOHmj8/bAA9cf9PK/8N5fd7jZZlPDKKbhT+EoKZTXzNwBiGy68tXerWENFkR0tF
+Sy9T45RcGve9L5nEV8bqawsxrmnuatSh/6fSTDiz4HO1/mW6/GAT1QPFYrU++p8o
+BR7WcKCHvQpUt5tXhh1hAZba6j4aeWpXUquyTtrjgqThvvBIT5m76k19BcRaOroE
+qf0WJOQcvn2hPBNEbSbbHOWaXpHbTI8R6gk+/utRc9/xkHF5vEQTfUPHTkjoK4dW
+S4p4P6tRcNoxzSfh7bN9nts2VFKcvSaF10m2G1bCyJB2QjKMZG7aGVX+9Pvnoa1v
+HgNDfKNZR1a/ZYcJm7QY5TRuQF+Evd/OcsVOdRhx804d08ms
+-----END X509 CRL-----

core/src/main/resources/google/registry/tmch/icann-tmch.crt

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF4DCCA8igAwIBAgIUHTVZH/TadFNIiEBCJ/OdngKfZwwwDQYJKoZIhvcNAQEN
+BQAwdjELMAkGA1UEBhMCVVMxPDA6BgNVBAoMM0ludGVybmV0IENvcnBvcmF0aW9u
+IGZvciBBc3NpZ25lZCBOYW1lcyBhbmQgTnVtYmVyczEpMCcGA1UEAwwgSUNBTk4g
+VHJhZGVtYXJrIENsZWFyaW5naG91c2UgQ0EwHhcNMjIxMTE1MTg0ODQxWhcNNDIx
+MTE1MTg0ODQxWjB2MQswCQYDVQQGEwJVUzE8MDoGA1UECgwzSW50ZXJuZXQgQ29y
+cG9yYXRpb24gZm9yIEFzc2lnbmVkIE5hbWVzIGFuZCBOdW1iZXJzMSkwJwYDVQQD
+DCBJQ0FOTiBUcmFkZW1hcmsgQ2xlYXJpbmdob3VzZSBDQTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAMf5/4d2gaDgG0Tbx5ewIKZNlH/KxURjRqWj7vzc
+SYnzszAcaTuwM1sHWTJtUUC0QP4QcG90e8Q7A7zhgYVm6POBV3U9hv/NVSZB6Set
+DK5lxU/cubQrPhf2Bc7AkGvfnJV8+/0GI5x9AF8dlSUj3yvl9VWvI8Iuph4xHm0g
+Fg6BHo4beUVsbdBwnBkSPEmsmNo0D0gf1rCIb/wYfWMZBqU8bduS36TUvHshMTB/
+Luad3QYyPhqgomizVzEjXebuGlyCtwlGOHdI5t2WlM7XF3RPXZVxA+nsFwRWm9UT
+r6ygGve3+9y1bjqudWu8mt9VevYCiesLPowUy9E8Vg8xKcsntUWs1KoZTQYxlohb
+u3cHNxBdYGflQ8m8cbkDeAvWNOgMlhPzWBDFqQeVuBQhiuF9iKR3RZHFAHXJy81t
+DKQgzR6YlMd3iCGfBVK/uUVr89UgJ1xv5hniSaFDYqtD5rZftvGb2YXsyeQjs0Pl
+QkZyaynVS5P3Tax57fQUcJR3YqgeoeXQNTit+/ieZju1zGLutGikYujciPBIWoBl
+S8YnOgPNyfjE+LrQG2RqsZOumqlN66ZjqYH4pCf6lI14PJUl4mUh2YpnIyjQd8Uq
+QxZmrqDOJAawd2LVuHr4GR6Vbm/oAyyCdQ5HztvCbXOK6v+pMdrrbtb+IlvQ5hcu
+FoqrAgMBAAGjZjBkMB0GA1UdDgQWBBQ/9EILVpWNuCMCOnQyetISK9fxxjAfBgNV
+HSMEGDAWgBQ/9EILVpWNuCMCOnQyetISK9fxxjASBgNVHRMBAf8ECDAGAQH/AgEA
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQ0FAAOCAgEAm8QZeNzTD52hZH3I
+Vy9pti6NRcVSudtzZloVFJ4g9GbIx1uw8k61bgUX70jwk4pPbcOji8RoZoYG842p
+3tgq50rlRYsKZZx24ZUVaQDz0WKTzjhs2qlk0pRM9XZukZ8SB2knhvJ3byxogxJ0
+kIP4ysS5op90dcWsrS0O9HF8eBtHYvw2+MuA5KleWB4Qo94+GjmFJsiJiIQ6S+sG
+M9PZbHSEWW64fNNsgeozlnY9vJ4qRF55tylrB+pXOxVcKDRD3l5GstobmC0waTv8
+ZvMtR6SQ1QeHRcdznzWsASvDSxhv0vBauKbuBs1T/wgcDF9XXikTx8PbbCQUoCbC
+4mX+ZNgIXyCbhSVnNBQKN+HBrddm/AqHRLLnfOOcGBqCQ5JLicLvnsRMVrpnoLPS
+nMbq2QT7J7F5i+q2v2TqeKEwmj4zzh/hX1PbppS8IA/MujivFjLdn1SL0halidYN
+ywqEF6gUJMoImJ9YWvGRnyv7pm+kgrF83MPbD43AX6Hq8zidYOIzwT4ZnCMlBWJ2
+iZWciK3/nPe6YH8P5cPddLxRAWBstd5tbDmdPkIMZ0vHccmfIMhlMrCO/IB8N2tv
+7QJR8V0nE3BIE9RfIa4BrfY5nQpGHWAdpXJH9WTXgcwWUB3JQcxD64c3GhVvp7e4
+Jwz/ypzBX6WYeSrb3OZWylJ4sWE=
+-----END CERTIFICATE-----

core/src/test/java/google/registry/beam/billing/ExpandRecurringBillingEventsPipelineTest.java

@@ -126,7 +126,7 @@ public class ExpandRecurringBillingEventsPipelineTest {
         assertThrows(IllegalArgumentException.class, this::runPipeline);
     assertThat(thrown)
         .hasMessageThat()
-        .contains("End time 2021-02-02T00:00:05.001Z must be on or before now");
+        .contains("End time 2021-02-02T00:00:05.001Z must be at or before now");
   }
 
   @Test

core/src/test/java/google/registry/flows/EppLifecycleDomainTest.java

@@ -49,6 +49,8 @@ import google.registry.model.tld.Registry.TldState;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.testing.TaskQueueExtension;
+import google.registry.tmch.TmchData;
+import google.registry.tmch.TmchTestData;
 import org.joda.money.Money;
 import org.joda.time.DateTime;
 import org.junit.jupiter.api.BeforeEach;
@@ -64,6 +66,9 @@ class EppLifecycleDomainTest extends EppTestCase {
           "ACDATE", "2002-06-04T00:00:00Z",
           "EXDATE", "2003-06-01T00:04:00Z");
 
+  private static final String ENCODED_SMD =
+      TmchData.readEncodedSignedMark(TmchTestData.loadFile("smd/active.smd")).getEncodedData();
+
   @RegisterExtension
   final JpaIntegrationTestExtension jpa =
       new JpaTestExtensions.Builder().withClock(clock).buildIntegrationTestExtension();
@@ -1184,8 +1189,8 @@ class EppLifecycleDomainTest extends EppTestCase {
    */
   @Test
   void testDomainCreation_startDateSunriseFull() throws Exception {
-    // The signed mark is valid between 2013 and 2017
-    DateTime sunriseDate = DateTime.parse("2014-09-08T09:09:09Z");
+    // The signed mark is valid between 2022-11-22 and 2027-10-18.
+    DateTime sunriseDate = DateTime.parse("2025-09-08T09:09:09Z");
     DateTime gaDate = sunriseDate.plusDays(30);
     createTld(
         "example",
@@ -1201,7 +1206,7 @@ class EppLifecycleDomainTest extends EppTestCase {
     createContactsAndHosts();
 
     // During pre-delegation, any create should fail both with and without mark
-    assertThatCommand("domain_create_sunrise_encoded_mark.xml")
+    assertThatCommand("domain_create_sunrise_encoded_mark.xml", ImmutableMap.of("SMD", ENCODED_SMD))
         .atTime(sunriseDate.minusDays(2))
         .hasResponse(
             "response_error.xml",
@@ -1219,7 +1224,9 @@ class EppLifecycleDomainTest extends EppTestCase {
                 "MSG", "The current registry phase does not allow for general registrations"));
 
     // During sunrise, verify that the launch phase must be set to sunrise.
-    assertThatCommand("domain_create_start_date_sunrise_encoded_mark_wrong_phase.xml")
+    assertThatCommand(
+            "domain_create_start_date_sunrise_encoded_mark_wrong_phase.xml",
+            ImmutableMap.of("SMD", ENCODED_SMD))
         .atTime(sunriseDate)
         .hasResponse(
             "response_error.xml",
@@ -1230,14 +1237,14 @@ class EppLifecycleDomainTest extends EppTestCase {
 
     // During sunrise, create with mark will succeed but without will fail.
     // We also test we can delete without a mark.
-    assertThatCommand("domain_create_sunrise_encoded_mark.xml")
+    assertThatCommand("domain_create_sunrise_encoded_mark.xml", ImmutableMap.of("SMD", ENCODED_SMD))
         .atTime(sunriseDate.plusDays(1))
         .hasResponse(
             "domain_create_response.xml",
             ImmutableMap.of(
                 "DOMAIN", "test-validate.example",
-                "CRDATE", "2014-09-09T09:09:09Z",
-                "EXDATE", "2015-09-09T09:09:09Z"));
+                "CRDATE", "2025-09-09T09:09:09Z",
+                "EXDATE", "2026-09-09T09:09:09Z"));
 
     assertThatCommand("domain_delete.xml", ImmutableMap.of("DOMAIN", "test-validate.example"))
         .atTime(sunriseDate.plusDays(1).plusMinutes(1))
@@ -1264,15 +1271,14 @@ class EppLifecycleDomainTest extends EppTestCase {
                     "Declared launch extension phase does not match the current registry phase"));
 
     assertThatCommand(
-            "domain_create_no_hosts_or_dsdata.xml",
-            ImmutableMap.of("DOMAIN", "general.example"))
+            "domain_create_no_hosts_or_dsdata.xml", ImmutableMap.of("DOMAIN", "general.example"))
         .atTime(gaDate.plusDays(2))
         .hasResponse(
             "domain_create_response.xml",
             ImmutableMap.of(
                 "DOMAIN", "general.example",
-                "CRDATE", "2014-10-10T09:09:09Z",
-                "EXDATE", "2016-10-10T09:09:09Z"));
+                "CRDATE", "2025-10-10T09:09:09Z",
+                "EXDATE", "2027-10-10T09:09:09Z"));
 
     assertThatLogoutSucceeds();
   }
@@ -1280,8 +1286,8 @@ class EppLifecycleDomainTest extends EppTestCase {
   /** Test that missing type= argument on launch create works in start-date sunrise. */
   @Test
   void testDomainCreation_startDateSunrise_noType() throws Exception {
-    // The signed mark is valid between 2013 and 2017
-    DateTime sunriseDate = DateTime.parse("2014-09-08T09:09:09Z");
+    // The signed mark is valid between 2022-11-22 and 2027-10-18.
+    DateTime sunriseDate = DateTime.parse("2025-09-08T09:09:09Z");
     DateTime gaDate = sunriseDate.plusDays(30);
     createTld(
         "example",
@@ -1306,14 +1312,16 @@ class EppLifecycleDomainTest extends EppTestCase {
                 "CODE", "2303",
                 "MSG", "The domain with given ID (test-validate.example) doesn't exist."));
 
-    assertThatCommand("domain_create_start_date_sunrise_encoded_mark_no_type.xml")
+    assertThatCommand(
+            "domain_create_start_date_sunrise_encoded_mark_no_type.xml",
+            ImmutableMap.of("SMD", ENCODED_SMD))
         .atTime(sunriseDate.plusDays(1).plusMinutes(1))
         .hasResponse(
             "domain_create_response.xml",
             ImmutableMap.of(
                 "DOMAIN", "test-validate.example",
-                "CRDATE", "2014-09-09T09:10:09Z",
-                "EXDATE", "2015-09-09T09:10:09Z"));
+                "CRDATE", "2025-09-09T09:10:09Z",
+                "EXDATE", "2026-09-09T09:10:09Z"));
 
     assertThatCommand("domain_info.xml", ImmutableMap.of("DOMAIN", "test-validate.example"))
         .atTime(sunriseDate.plusDays(1).plusMinutes(2))
@@ -1321,8 +1329,8 @@ class EppLifecycleDomainTest extends EppTestCase {
             "domain_info_response_ok_wildcard.xml",
             ImmutableMap.of(
                 "DOMAIN", "test-validate.example",
-                "CRDATE", "2014-09-09T09:10:09Z",
-                "EXDATE", "2015-09-09T09:10:09Z"));
+                "CRDATE", "2025-09-09T09:10:09Z",
+                "EXDATE", "2026-09-09T09:10:09Z"));
 
     assertThatLogoutSucceeds();
   }

core/src/test/java/google/registry/model/domain/DomainTest.java

@@ -221,7 +221,6 @@ public class DomainTest {
                             "TheRegistrar",
                             oneTimeBillKey))
                     .setAutorenewEndTime(Optional.of(fakeClock.nowUtc().plusYears(2)))
-                    .setDnsRefreshRequestTime(Optional.of(fakeClock.nowUtc()))
                     .build()));
   }
 

core/src/test/java/google/registry/model/history/DomainHistoryTest.java

@@ -41,8 +41,6 @@ import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.util.SerializeUtils;
-import java.util.Optional;
-import org.joda.time.DateTime;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
@@ -97,7 +95,6 @@ public class DomainHistoryTest extends EntityTestCase {
             .asBuilder()
             .setNameservers(host.createVKey())
             .setDsData(ImmutableSet.of(DomainDsData.create(1, 2, 3, new byte[] {0, 1, 2})))
-            .setDnsRefreshRequestTime(Optional.of(DateTime.parse("2020-03-09T16:40:00Z")))
             .build();
     insertInDb(domain);
     return domain;

core/src/test/java/google/registry/reporting/billing/GenerateInvoicesActionTest.java

@@ -15,8 +15,6 @@
 package google.registry.reporting.billing;
 
 import static com.google.common.truth.Truth.assertThat;
-import static google.registry.model.common.Cursor.CursorType.RECURRING_BILLING;
-import static google.registry.testing.DatabaseHelper.persistResource;
 import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
 import static org.mockito.Mockito.mock;
@@ -26,7 +24,6 @@ import static org.mockito.Mockito.when;
 import com.google.cloud.tasks.v2.HttpMethod;
 import com.google.common.net.MediaType;
 import google.registry.beam.BeamActionTestBase;
-import google.registry.model.common.Cursor;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.reporting.ReportingModule;
@@ -35,10 +32,8 @@ import google.registry.testing.CloudTasksHelper.TaskMatcher;
 import google.registry.testing.FakeClock;
 import google.registry.util.CloudTasksUtils;
 import java.io.IOException;
-import org.joda.time.DateTime;
 import org.joda.time.Duration;
 import org.joda.time.YearMonth;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
@@ -55,13 +50,6 @@ class GenerateInvoicesActionTest extends BeamActionTestBase {
   private CloudTasksUtils cloudTasksUtils = cloudTasksHelper.getTestCloudTasksUtils();
   private GenerateInvoicesAction action;
 
-  @BeforeEach
-  @Override
-  protected void beforeEach() throws Exception {
-    super.beforeEach();
-    persistResource(Cursor.createGlobal(RECURRING_BILLING, DateTime.parse("2017-11-30TZ")));
-  }
-
   @Test
   void testLaunchTemplateJob_withPublish() throws Exception {
     action =
@@ -142,55 +130,4 @@ class GenerateInvoicesActionTest extends BeamActionTestBase {
     verify(emailUtils).sendAlertEmail("Pipeline Launch failed due to Pipeline error");
     cloudTasksHelper.assertNoTasksEnqueued("beam-reporting");
   }
-
-  @Test
-  void testFailsToGenerateInvoicesNotExpandedBillingEvents() throws Exception {
-    persistResource(Cursor.createGlobal(RECURRING_BILLING, DateTime.parse("2017-10-30TZ")));
-    action =
-        new GenerateInvoicesAction(
-            "test-project",
-            "test-region",
-            "staging_bucket",
-            "billing_bucket",
-            "REG-INV",
-            false,
-            new YearMonth(2017, 10),
-            emailUtils,
-            cloudTasksUtils,
-            clock,
-            response,
-            dataflow);
-    action.run();
-    assertThat(response.getContentType()).isEqualTo(MediaType.PLAIN_TEXT_UTF_8);
-    assertThat(response.getStatus()).isEqualTo(SC_INTERNAL_SERVER_ERROR);
-    assertThat(response.getPayload())
-        .isEqualTo(
-            "Pipeline launch failed: Latest billing events expansion cycle hasn't finished yet,"
-                + " terminating invoicing pipeline");
-    cloudTasksHelper.assertNoTasksEnqueued("beam-reporting");
-  }
-
-  @Test
-  void testSucceedsToGenerateInvoicesFirstDayOfTheYear() throws Exception {
-    persistResource(Cursor.createGlobal(RECURRING_BILLING, DateTime.parse("2017-01-01T13:15:00Z")));
-    action =
-        new GenerateInvoicesAction(
-            "test-project",
-            "test-region",
-            "staging_bucket",
-            "billing_bucket",
-            "REG-INV",
-            false,
-            new YearMonth(2016, 12),
-            emailUtils,
-            cloudTasksUtils,
-            clock,
-            response,
-            dataflow);
-    action.run();
-    assertThat(response.getContentType()).isEqualTo(MediaType.PLAIN_TEXT_UTF_8);
-    assertThat(response.getStatus()).isEqualTo(SC_OK);
-    assertThat(response.getPayload()).isEqualTo("Launched invoicing pipeline: jobid");
-    cloudTasksHelper.assertNoTasksEnqueued("beam-reporting");
-  }
 }

core/src/test/java/google/registry/request/auth/ServiceAccountAuthenticationMechanismTest.java

@@ -0,0 +1,75 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.request.auth;
+
+import static com.google.common.net.HttpHeaders.AUTHORIZATION;
+import static com.google.common.truth.Truth.assertThat;
+import static org.mockito.Mockito.when;
+
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.api.client.json.webtoken.JsonWebSignature.Header;
+import com.google.auth.oauth2.TokenVerifier;
+import javax.servlet.http.HttpServletRequest;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.mockito.junit.jupiter.MockitoSettings;
+import org.mockito.quality.Strictness;
+
+@ExtendWith(MockitoExtension.class)
+@MockitoSettings(strictness = Strictness.LENIENT)
+class ServiceAccountAuthenticationMechanismTest {
+
+  @Mock private TokenVerifier tokenVerifier;
+  @Mock private HttpServletRequest request;
+
+  private JsonWebSignature token;
+  private ServiceAccountAuthenticationMechanism serviceAccountAuthenticationMechanism;
+
+  @BeforeEach
+  void beforeEach() throws Exception {
+    serviceAccountAuthenticationMechanism =
+        new ServiceAccountAuthenticationMechanism(tokenVerifier, "sa-prefix@email.com");
+    when(request.getHeader(AUTHORIZATION)).thenReturn("Bearer jwtValue");
+    Payload payload = new Payload();
+    payload.setEmail("sa-prefix@email.com");
+    token = new JsonWebSignature(new Header(), payload, new byte[0], new byte[0]);
+    when(tokenVerifier.verify("jwtValue")).thenReturn(token);
+  }
+
+  @Test
+  void testSuccess_authenticates() throws Exception {
+    AuthResult authResult = serviceAccountAuthenticationMechanism.authenticate(request);
+    assertThat(authResult.isAuthenticated()).isTrue();
+    assertThat(authResult.authLevel()).isEqualTo(AuthLevel.APP);
+  }
+
+  @Test
+  void testFails_authenticateWrongEmail() throws Exception {
+    token.getPayload().set("email", "not-service-account-email@email.com");
+    AuthResult authResult = serviceAccountAuthenticationMechanism.authenticate(request);
+    assertThat(authResult.isAuthenticated()).isFalse();
+  }
+
+  @Test
+  void testFails_authenticateWrongHeader() throws Exception {
+    when(request.getHeader(AUTHORIZATION)).thenReturn("BEARER asd");
+    AuthResult authResult = serviceAccountAuthenticationMechanism.authenticate(request);
+    assertThat(authResult.isAuthenticated()).isFalse();
+  }
+}

core/src/test/java/google/registry/testing/DatabaseHelper.java

@@ -312,6 +312,7 @@ public final class DatabaseHelper {
     return persistResource(domain.asBuilder().setDeletionTime(deletionTime).build());
   }
 
+  // TODO: delete after pull queue migration.
   /** Persists a domain and enqueues a LORDN task of the appropriate type for it. */
   public static Domain persistDomainAndEnqueueLordn(final Domain domain) {
     final Domain persistedDomain = persistResource(domain);

core/src/test/java/google/registry/testing/DomainSubject.java

@@ -27,6 +27,7 @@ import google.registry.model.domain.launch.LaunchNotice;
 import google.registry.model.domain.secdns.DomainDsData;
 import google.registry.model.eppcommon.AuthInfo;
 import google.registry.testing.TruthChainer.And;
+import google.registry.tmch.LordnTaskUtils.LordnPhase;
 import java.util.Set;
 import org.joda.time.DateTime;
 
@@ -41,7 +42,7 @@ public final class DomainSubject extends AbstractEppResourceSubject<Domain, Doma
   }
 
   public And<DomainSubject> hasDomainName(String domainName) {
-    return hasValue(domainName, actual.getDomainName(), "has domainName");
+    return hasValue(domainName, actual.getDomainName(), "domainName");
   }
 
   public And<DomainSubject> hasExactlyDsData(DomainDsData... dsData) {
@@ -49,15 +50,19 @@ public final class DomainSubject extends AbstractEppResourceSubject<Domain, Doma
   }
 
   public And<DomainSubject> hasExactlyDsData(Set<DomainDsData> dsData) {
-    return hasValue(dsData, actual.getDsData(), "has dsData");
+    return hasValue(dsData, actual.getDsData(), "dsData");
   }
 
   public And<DomainSubject> hasNumDsData(int num) {
-    return hasValue(num, actual.getDsData().size(), "has num dsData");
+    return hasValue(num, actual.getDsData().size(), "dsData.size()");
   }
 
   public And<DomainSubject> hasLaunchNotice(LaunchNotice launchNotice) {
-    return hasValue(launchNotice, actual.getLaunchNotice(), "has launchNotice");
+    return hasValue(launchNotice, actual.getLaunchNotice(), "launchNotice");
+  }
+
+  public And<DomainSubject> hasLordnPhase(LordnPhase lordnPhase) {
+    return hasValue(lordnPhase, actual.getLordnPhase(), "lordnPhase");
   }
 
   public And<DomainSubject> hasAuthInfoPwd(String pw) {
@@ -67,7 +72,7 @@ public final class DomainSubject extends AbstractEppResourceSubject<Domain, Doma
 
   public And<DomainSubject> hasCurrentSponsorRegistrarId(String registrarId) {
     return hasValue(
-        registrarId, actual.getCurrentSponsorRegistrarId(), "has currentSponsorRegistrarId");
+        registrarId, actual.getCurrentSponsorRegistrarId(), "currentSponsorRegistrarId");
   }
 
   public And<DomainSubject> hasRegistrationExpirationTime(DateTime expiration) {

core/src/test/java/google/registry/tmch/NordnUploadActionTest.java

@@ -14,13 +14,17 @@
 
 package google.registry.tmch;
 
+import static com.google.appengine.api.taskqueue.QueueFactory.getQueue;
 import static com.google.common.net.HttpHeaders.AUTHORIZATION;
 import static com.google.common.net.HttpHeaders.CONTENT_TYPE;
 import static com.google.common.net.HttpHeaders.LOCATION;
 import static com.google.common.net.MediaType.FORM_DATA;
 import static com.google.common.truth.Truth.assertThat;
+import static google.registry.model.ForeignKeyUtils.load;
 import static google.registry.testing.DatabaseHelper.createTld;
+import static google.registry.testing.DatabaseHelper.loadByKey;
 import static google.registry.testing.DatabaseHelper.loadRegistrar;
+import static google.registry.testing.DatabaseHelper.newDomain;
 import static google.registry.testing.DatabaseHelper.persistDomainAndEnqueueLordn;
 import static google.registry.testing.DatabaseHelper.persistResource;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -34,6 +38,7 @@ import static org.mockito.ArgumentMatchers.startsWith;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
 
 import com.google.appengine.api.taskqueue.LeaseOptions;
@@ -48,15 +53,17 @@ import com.google.common.collect.ImmutableList;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.launch.LaunchNotice;
 import google.registry.model.tld.Registry;
+import google.registry.persistence.VKey;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
+import google.registry.request.RequestParameters;
 import google.registry.testing.CloudTasksHelper;
 import google.registry.testing.CloudTasksHelper.TaskMatcher;
-import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeSleeper;
 import google.registry.testing.FakeUrlConnectionService;
 import google.registry.testing.TaskQueueExtension;
+import google.registry.tmch.LordnTaskUtils.LordnPhase;
 import google.registry.util.CloudTasksUtils;
 import google.registry.util.Retrier;
 import google.registry.util.UrlConnectionException;
@@ -67,25 +74,32 @@ import java.net.URL;
 import java.security.SecureRandom;
 import java.util.List;
 import java.util.Optional;
+import java.util.concurrent.TimeUnit;
 import org.joda.time.DateTime;
+import org.joda.time.Duration;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 
 /** Unit tests for {@link NordnUploadAction}. */
 class NordnUploadActionTest {
 
   private static final String CLAIMS_CSV =
-      "1,2010-05-01T10:11:12.000Z,1\n"
+      "1,2010-05-04T10:11:12.000Z,2\n"
           + "roid,domain-name,notice-id,registrar-id,registration-datetime,ack-datetime,"
           + "application-datetime\n"
-          + "2-TLD,claims-landrush1.tld,landrush1tcn,99999,2010-05-01T10:11:12.000Z,"
-          + "1969-12-31T23:00:00.000Z\n";
+          + "6-TLD,claims-landrush2.tld,landrush2tcn,88888,2010-05-03T10:11:12.000Z,"
+          + "2010-05-03T08:11:12.000Z\n"
+          + "8-TLD,claims-landrush1.tld,landrush1tcn,99999,2010-05-04T10:11:12.000Z,"
+          + "2010-05-04T09:11:12.000Z\n";
 
   private static final String SUNRISE_CSV =
-      "1,2010-05-01T10:11:12.000Z,1\n"
+      "1,2010-05-04T10:11:12.000Z,2\n"
           + "roid,domain-name,SMD-id,registrar-id,registration-datetime,application-datetime\n"
-          + "2-TLD,sunrise1.tld,my-smdid,99999,2010-05-01T10:11:12.000Z\n";
+          + "2-TLD,sunrise2.tld,new-smdid,88888,2010-05-01T10:11:12.000Z\n"
+          + "4-TLD,sunrise1.tld,my-smdid,99999,2010-05-02T10:11:12.000Z\n";
 
   private static final String LOCATION_URL = "http://trololol";
 
@@ -116,8 +130,12 @@ class NordnUploadActionTest {
     when(httpUrlConnection.getHeaderField(LOCATION)).thenReturn("http://trololol");
     when(httpUrlConnection.getOutputStream()).thenReturn(connectionOutputStream);
     persistResource(loadRegistrar("TheRegistrar").asBuilder().setIanaIdentifier(99999L).build());
+    persistResource(loadRegistrar("NewRegistrar").asBuilder().setIanaIdentifier(88888L).build());
     createTld("tld");
     persistResource(Registry.get("tld").asBuilder().setLordnUsername("lolcat").build());
+    persistSunriseModeDomain();
+    clock.advanceBy(Duration.standardDays(1));
+    persistClaimsModeDomain();
     action.clock = clock;
     action.cloudTasksUtils = cloudTasksUtils;
     action.urlConnectionService = urlConnectionService;
@@ -127,6 +145,7 @@ class NordnUploadActionTest {
     action.tmchMarksdbUrl = "http://127.0.0.1";
     action.random = new SecureRandom();
     action.retrier = new Retrier(new FakeSleeper(clock), 3);
+    action.usePullQueue = Optional.empty();
   }
 
   @Test
@@ -137,7 +156,7 @@ class NordnUploadActionTest {
             makeTaskHandle("task1", "example", "csvLine1", "lordn-sunrise"),
             makeTaskHandle("task3", "example", "ending", "lordn-sunrise"));
     assertThat(NordnUploadAction.convertTasksToCsv(tasks, clock.nowUtc(), "col1,col2"))
-        .isEqualTo("1,2010-05-01T10:11:12.000Z,3\ncol1,col2\ncsvLine1\ncsvLine2\nending\n");
+        .isEqualTo("1,2010-05-04T10:11:12.000Z,3\ncol1,col2\ncsvLine1\ncsvLine2\nending\n");
   }
 
   @Test
@@ -149,13 +168,13 @@ class NordnUploadActionTest {
             makeTaskHandle("task3", "example", "ending", "lordn-sunrise"),
             makeTaskHandle("task1", "example", "csvLine1", "lordn-sunrise"));
     assertThat(NordnUploadAction.convertTasksToCsv(tasks, clock.nowUtc(), "col1,col2"))
-        .isEqualTo("1,2010-05-01T10:11:12.000Z,3\ncol1,col2\ncsvLine1\ncsvLine2\nending\n");
+        .isEqualTo("1,2010-05-04T10:11:12.000Z,3\ncol1,col2\ncsvLine1\ncsvLine2\nending\n");
   }
 
   @Test
   void test_convertTasksToCsv_doesntFailOnEmptyTasks() {
     assertThat(NordnUploadAction.convertTasksToCsv(ImmutableList.of(), clock.nowUtc(), "col1,col2"))
-        .isEqualTo("1,2010-05-01T10:11:12.000Z,0\ncol1,col2\n");
+        .isEqualTo("1,2010-05-04T10:11:12.000Z,0\ncol1,col2\n");
   }
 
   @Test
@@ -187,122 +206,105 @@ class NordnUploadActionTest {
   }
 
   @Test
-  void testRun_claimsMode_appendsTldAndClaimsToRequestUrl() throws Exception {
-    persistClaimsModeDomain();
-    action.run();
-    assertThat(httpUrlConnection.getURL()).isEqualTo(new URL("http://127.0.0.1/LORDN/tld/claims"));
-  }
-
-  @Test
-  void testRun_sunriseMode_appendsTldAndClaimsToRequestUrl() throws Exception {
-    persistSunriseModeDomain();
-    action.run();
-    assertThat(httpUrlConnection.getURL()).isEqualTo(new URL("http://127.0.0.1/LORDN/tld/sunrise"));
-  }
-
-  @Test
-  void testRun_usesMultipartContentType() throws Exception {
-    persistClaimsModeDomain();
-    action.run();
-    verify(httpUrlConnection)
-        .setRequestProperty(eq(CONTENT_TYPE), startsWith("multipart/form-data; boundary="));
-    verify(httpUrlConnection).setRequestMethod("POST");
-  }
-
-  @Test
-  void testRun_hasPassword_setsAuthorizationHeader() {
-    persistClaimsModeDomain();
-    action.run();
-    verify(httpUrlConnection)
-        .setRequestProperty(
-            AUTHORIZATION, "Basic bG9sY2F0OmF0dGFjaw=="); // echo -n lolcat:attack | base64
-  }
-
-  @Test
-  void testRun_noPassword_doesntSendAuthorizationHeader() {
+  void testSuccess_noPassword_doesntSendAuthorizationHeader() {
     action.lordnRequestInitializer = new LordnRequestInitializer(Optional.empty());
-    persistClaimsModeDomain();
     action.run();
     verify(httpUrlConnection, times(0)).setRequestProperty(eq(AUTHORIZATION), anyString());
   }
 
   @Test
-  void testRun_claimsMode_payloadMatchesClaimsCsv() {
-    persistClaimsModeDomain();
+  void testSuccess_nothingScheduled() {
+    persistResource(
+        loadByKey(load(Domain.class, "claims-landrush1.tld", clock.nowUtc()))
+            .asBuilder()
+            .setLordnPhase(LordnPhase.NONE)
+            .build());
+    persistResource(
+        loadByKey(load(Domain.class, "claims-landrush2.tld", clock.nowUtc()))
+            .asBuilder()
+            .setLordnPhase(LordnPhase.NONE)
+            .build());
     action.run();
-    assertThat(connectionOutputStream.toString(UTF_8)).contains(CLAIMS_CSV);
+    verifyNoInteractions(httpUrlConnection);
+    cloudTasksHelper.assertNoTasksEnqueued(NordnVerifyAction.QUEUE);
+  }
+
+  @ParameterizedTest
+  @ValueSource(booleans = {true, false})
+  void testSuccess_claimsMode(boolean usePullQueue) throws Exception {
+    testRun("claims", "claims-landrush1.tld", "claims-landrush2.tld", CLAIMS_CSV, usePullQueue);
+  }
+
+  @ParameterizedTest
+  @ValueSource(booleans = {true, false})
+  void testSuccess_sunriseMode(boolean usePullQueue) throws Exception {
+    testRun("sunrise", "sunrise1.tld", "sunrise2.tld", SUNRISE_CSV, usePullQueue);
   }
 
   @Test
-  void testRun_claimsMode_verifyTaskGetsEnqueuedWithClaimsCsv() {
-    persistClaimsModeDomain();
-    action.run();
-    cloudTasksHelper.assertTasksEnqueued(
-        NordnVerifyAction.QUEUE,
-        new TaskMatcher()
-            .url(NordnVerifyAction.PATH)
-            .param(NordnVerifyAction.NORDN_URL_PARAM, LOCATION_URL)
-            .header(CONTENT_TYPE, FORM_DATA.toString()));
-  }
-
-  @Test
-  void testRun_sunriseMode_payloadMatchesSunriseCsv() {
-    persistSunriseModeDomain();
-    action.run();
-    assertThat(connectionOutputStream.toString(UTF_8)).contains(SUNRISE_CSV);
-  }
-
-  @Test
-  void test_noResponseContent_stillWorksNormally() throws Exception {
+  void testSuccess_noResponseContent_stillWorksNormally() throws Exception {
     // Returning null only affects logging.
     when(httpUrlConnection.getInputStream()).thenReturn(new ByteArrayInputStream(new byte[] {}));
-    persistSunriseModeDomain();
-    action.run();
-    assertThat(connectionOutputStream.toString(UTF_8)).contains(SUNRISE_CSV);
-  }
-
-  @Test
-  void testRun_sunriseMode_verifyTaskGetsEnqueuedWithSunriseCsv() {
-    persistSunriseModeDomain();
-    action.run();
-    cloudTasksHelper.assertTasksEnqueued(
-        NordnVerifyAction.QUEUE,
-        new TaskMatcher()
-            .url(NordnVerifyAction.PATH)
-            .param(NordnVerifyAction.NORDN_URL_PARAM, LOCATION_URL)
-            .header(CONTENT_TYPE, FORM_DATA.toString()));
+    testRun("claims", "claims-landrush1.tld", "claims-landrush2.tld", CLAIMS_CSV, false);
   }
 
   @Test
   void testFailure_nullRegistryUser() {
-    persistClaimsModeDomain();
     persistResource(Registry.get("tld").asBuilder().setLordnUsername(null).build());
     VerifyException thrown = assertThrows(VerifyException.class, action::run);
     assertThat(thrown).hasMessageThat().contains("lordnUsername is not set for tld.");
   }
 
   @Test
-  void testFetchFailure() throws Exception {
-    persistClaimsModeDomain();
+  void testFailure_errorResponseCode() throws Exception {
     when(httpUrlConnection.getResponseCode()).thenReturn(SC_INTERNAL_SERVER_ERROR);
     assertThrows(UrlConnectionException.class, action::run);
   }
 
-  private static void persistClaimsModeDomain() {
-    Domain domain = DatabaseHelper.newDomain("claims-landrush1.tld");
+  @Test
+  void testFailure_noLocationHeaderInResponse() throws Exception {
+    when(httpUrlConnection.getHeaderField(LOCATION)).thenReturn(null);
+    assertThrows(UrlConnectionException.class, action::run);
+  }
+
+  private void persistClaimsModeDomain() {
     persistDomainAndEnqueueLordn(
-        domain
+        newDomain("claims-landrush2.tld")
             .asBuilder()
+            .setCreationTimeForTest(clock.nowUtc())
+            .setCreationRegistrarId("NewRegistrar")
             .setLaunchNotice(
-                LaunchNotice.create(
-                    "landrush1tcn", null, null, domain.getCreationTime().minusHours(1)))
+                LaunchNotice.create("landrush2tcn", null, null, clock.nowUtc().minusHours(2)))
+            .setLordnPhase(LordnPhase.CLAIMS)
+            .build());
+    clock.advanceBy(Duration.standardDays(1));
+    persistDomainAndEnqueueLordn(
+        newDomain("claims-landrush1.tld")
+            .asBuilder()
+            .setCreationTimeForTest(clock.nowUtc())
+            .setLaunchNotice(
+                LaunchNotice.create("landrush1tcn", null, null, clock.nowUtc().minusHours(1)))
+            .setLordnPhase(LordnPhase.CLAIMS)
             .build());
   }
 
   private void persistSunriseModeDomain() {
-    action.phase = "sunrise";
-    Domain domain = DatabaseHelper.newDomain("sunrise1.tld");
-    persistDomainAndEnqueueLordn(domain.asBuilder().setSmdId("my-smdid").build());
+    persistDomainAndEnqueueLordn(
+        newDomain("sunrise2.tld")
+            .asBuilder()
+            .setCreationTimeForTest(clock.nowUtc())
+            .setCreationRegistrarId("NewRegistrar")
+            .setSmdId("new-smdid")
+            .setLordnPhase(LordnPhase.SUNRISE)
+            .build());
+    clock.advanceBy(Duration.standardDays(1));
+    persistDomainAndEnqueueLordn(
+        newDomain("sunrise1.tld")
+            .asBuilder()
+            .setCreationTimeForTest(clock.nowUtc())
+            .setSmdId("my-smdid")
+            .setLordnPhase(LordnPhase.SUNRISE)
+            .build());
   }
 
   private static TaskHandle makeTaskHandle(
@@ -311,4 +313,46 @@ class NordnUploadActionTest {
         TaskOptions.Builder.withPayload(payload).method(Method.PULL).tag(tag).taskName(taskName),
         queue);
   }
+
+  private void verifyColumnCleared(String domainName) {
+    VKey<Domain> domainKey = load(Domain.class, domainName, clock.nowUtc());
+    Domain domain = loadByKey(domainKey);
+    assertThat(domain.getLordnPhase()).isEqualTo(LordnPhase.NONE);
+  }
+
+  private void testRun(
+      String phase, String domain1, String domain2, String csv, boolean usePullQueue)
+      throws Exception {
+    action.usePullQueue = Optional.of(usePullQueue);
+    action.phase = phase;
+    action.run();
+    verify(httpUrlConnection)
+        .setRequestProperty(
+            AUTHORIZATION, "Basic bG9sY2F0OmF0dGFjaw=="); // echo -n lolcat:attack | base64
+    verify(httpUrlConnection)
+        .setRequestProperty(eq(CONTENT_TYPE), startsWith("multipart/form-data; boundary="));
+    verify(httpUrlConnection).setRequestMethod("POST");
+    assertThat(httpUrlConnection.getURL())
+        .isEqualTo(new URL("http://127.0.0.1/LORDN/tld/" + phase));
+    assertThat(connectionOutputStream.toString(UTF_8)).contains(csv);
+    if (!usePullQueue) {
+      verifyColumnCleared(domain1);
+      verifyColumnCleared(domain2);
+    } else {
+      assertThat(
+              getQueue("lordn-" + phase)
+                  .leaseTasks(
+                      LeaseOptions.Builder.withTag("tld")
+                          .leasePeriod(1, TimeUnit.HOURS)
+                          .countLimit(100)))
+          .isEmpty();
+    }
+    cloudTasksHelper.assertTasksEnqueued(
+        NordnVerifyAction.QUEUE,
+        new TaskMatcher()
+            .url(NordnVerifyAction.PATH)
+            .param(NordnVerifyAction.NORDN_URL_PARAM, LOCATION_URL)
+            .param(RequestParameters.PARAM_TLD, "tld")
+            .header(CONTENT_TYPE, FORM_DATA.toString()));
+  }
 }

core/src/test/java/google/registry/tmch/SmdrlCsvParserTest.java

@@ -33,7 +33,7 @@ class SmdrlCsvParserTest {
   private final FakeClock clock = new FakeClock();
 
   private static final CharSource SMDRL_LATEST_CSV =
-      TmchTestData.loadBytes("smdrl-latest.csv").asCharSource(US_ASCII);
+      TmchTestData.loadBytes("smdrl/smdrl-latest.csv").asCharSource(US_ASCII);
 
   @Test
   void testParse() throws Exception {

core/src/test/java/google/registry/tmch/TmchActionTestCase.java

@@ -62,7 +62,8 @@ abstract class TmchActionTestCase {
   @BeforeEach
   public void beforeEachTmchActionTestCase() throws Exception {
     marksdb.tmchMarksdbUrl = MARKSDB_URL;
-    marksdb.marksdbPublicKey = TmchData.loadPublicKey(TmchTestData.loadBytes("pubkey"));
+    marksdb.marksdbPublicKey =
+        TmchData.loadPublicKey(TmchTestData.loadBytes("crypto/marksdb-public-key-test.asc"));
     marksdb.urlConnectionService = urlConnectionService;
     when(httpUrlConnection.getResponseCode()).thenReturn(SC_OK);
   }

core/src/test/java/google/registry/tmch/TmchCertificateAuthorityTest.java

@@ -37,24 +37,31 @@ import org.junit.jupiter.api.extension.RegisterExtension;
 /** Unit tests for {@link TmchCertificateAuthority}. */
 class TmchCertificateAuthorityTest {
 
-  private static final String GOOD_TEST_CERTIFICATE = loadFile("icann-tmch-test-good.crt");
-  private static final String REVOKED_TEST_CERTIFICATE = loadFile("icann-tmch-test-revoked.crt");
+  // This certificate is extracted from the SMD file smd/active.smd. It is the
+  // intermediate (TMV) certificate that was signed by the root (CA) cert and signed the SMD
+  // file.
+  private static final String GOOD_TMV_CERTIFICATE = loadFile("crypto/icann-tmv-test-good.crt");
+  // This certificate is extracted from the SMD file smd/tmv-cert-revoked.smd. It is the (revoked)
+  // intermediate (TMV) certificate that was signed by the root (CA) cert and signed the SMD
+  // file.
+  private static final String REVOKED_TMV_CERTIFICATE =
+      loadFile("crypto/icann-tmv-test-revoked.crt");
 
   @RegisterExtension
   public final JpaIntegrationTestExtension jpa =
       new JpaTestExtensions.Builder().buildIntegrationTestExtension();
 
-  private final FakeClock clock = new FakeClock(DateTime.parse("2014-01-01T00:00:00Z"));
+  private final FakeClock clock = new FakeClock(DateTime.parse("2022-11-20T00:00:00Z"));
 
   @Test
   void testFailure_prodRootExpired() {
     TmchCertificateAuthority tmchCertificateAuthority =
         new TmchCertificateAuthority(PRODUCTION, clock);
-    clock.setTo(DateTime.parse("2024-01-01T00:00:00Z"));
+    clock.setTo(DateTime.parse("2500-01-01T00:00:00Z"));
     CertificateExpiredException e =
         assertThrows(
             CertificateExpiredException.class, tmchCertificateAuthority::getAndValidateRoot);
-    assertThat(e).hasMessageThat().contains("NotAfter: Sun Jul 23 23:59:59 UTC 2023");
+    assertThat(e).hasMessageThat().contains("NotAfter");
   }
 
   @Test
@@ -65,7 +72,7 @@ class TmchCertificateAuthorityTest {
     CertificateNotYetValidException e =
         assertThrows(
             CertificateNotYetValidException.class, tmchCertificateAuthority::getAndValidateRoot);
-    assertThat(e).hasMessageThat().contains("NotBefore: Wed Jul 24 00:00:00 UTC 2013");
+    assertThat(e).hasMessageThat().contains("NotBefore");
   }
 
   @Test
@@ -77,14 +84,14 @@ class TmchCertificateAuthorityTest {
     SignatureException e =
         assertThrows(
             SignatureException.class,
-            () -> tmchCertificateAuthority.verify(loadCertificate(GOOD_TEST_CERTIFICATE)));
+            () -> tmchCertificateAuthority.verify(loadCertificate(GOOD_TMV_CERTIFICATE)));
     assertThat(e).hasMessageThat().contains("Signature does not match");
   }
 
   @Test
   void testSuccess_verify() throws Exception {
     TmchCertificateAuthority tmchCertificateAuthority = new TmchCertificateAuthority(PILOT, clock);
-    tmchCertificateAuthority.verify(loadCertificate(GOOD_TEST_CERTIFICATE));
+    tmchCertificateAuthority.verify(loadCertificate(GOOD_TMV_CERTIFICATE));
   }
 
   @Test
@@ -94,7 +101,7 @@ class TmchCertificateAuthorityTest {
     SignatureException e =
         assertThrows(
             SignatureException.class,
-            () -> tmchCertificateAuthority.verify(loadCertificate(GOOD_TEST_CERTIFICATE)));
+            () -> tmchCertificateAuthority.verify(loadCertificate(GOOD_TMV_CERTIFICATE)));
     assertThat(e).hasMessageThat().contains("Signature does not match");
   }
 
@@ -104,7 +111,7 @@ class TmchCertificateAuthorityTest {
     CertificateRevokedException thrown =
         assertThrows(
             CertificateRevokedException.class,
-            () -> tmchCertificateAuthority.verify(loadCertificate(REVOKED_TEST_CERTIFICATE)));
-    assertThat(thrown).hasMessageThat().contains("revoked, reason: KEY_COMPROMISE");
+            () -> tmchCertificateAuthority.verify(loadCertificate(REVOKED_TMV_CERTIFICATE)));
+    assertThat(thrown).hasMessageThat().contains("revoked, reason: UNSPECIFIED");
   }
 }

core/src/test/java/google/registry/tmch/TmchCrlActionTest.java

@@ -15,7 +15,7 @@
 package google.registry.tmch;
 
 import static com.google.common.truth.Truth.assertThat;
-import static google.registry.testing.TestDataHelper.loadBytes;
+import static google.registry.tmch.TmchTestData.loadBytes;
 import static google.registry.util.ResourceUtils.readResourceBytes;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.Mockito.verify;
@@ -29,6 +29,7 @@ import java.security.SignatureException;
 import java.security.cert.CRLException;
 import java.security.cert.CertificateNotYetValidException;
 import org.joda.time.DateTime;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 /** Unit tests for {@link TmchCrlAction}. */
@@ -38,29 +39,30 @@ class TmchCrlActionTest extends TmchActionTestCase {
     TmchCrlAction action = new TmchCrlAction();
     action.marksdb = marksdb;
     action.tmchCertificateAuthority = new TmchCertificateAuthority(tmchCaMode, clock);
-    action.tmchCrlUrl = new URL("http://sloth.lol/tmch.crl");
+    action.tmchCrlUrl = new URL("https://sloth.lol/tmch.crl");
     return action;
   }
 
+  @BeforeEach
+  void before() {
+    clock.setTo(DateTime.parse("2023-03-24TZ"));
+  }
+
   @Test
   void testSuccess() throws Exception {
-    clock.setTo(DateTime.parse("2013-07-24TZ"));
     when(httpUrlConnection.getInputStream())
         .thenReturn(
             new ByteArrayInputStream(
-                readResourceBytes(TmchCertificateAuthority.class, "icann-tmch.crl").read()));
-    newTmchCrlAction(TmchCaMode.PRODUCTION).run();
+                readResourceBytes(TmchCertificateAuthority.class, "icann-tmch-pilot.crl").read()));
+    newTmchCrlAction(TmchCaMode.PILOT).run();
     verify(httpUrlConnection).getInputStream();
-    assertThat(connectedUrls).containsExactly(new URL("http://sloth.lol/tmch.crl"));
+    assertThat(connectedUrls).containsExactly(new URL("https://sloth.lol/tmch.crl"));
   }
 
   @Test
   void testFailure_crlTooOld() throws Exception {
-    clock.setTo(DateTime.parse("2020-01-01TZ"));
     when(httpUrlConnection.getInputStream())
-        .thenReturn(
-            new ByteArrayInputStream(
-                loadBytes(TmchCrlActionTest.class, "icann-tmch-pilot-old.crl").read()));
+        .thenReturn(new ByteArrayInputStream(loadBytes("crypto/icann-tmch-pilot-old.crl").read()));
     TmchCrlAction action = newTmchCrlAction(TmchCaMode.PILOT);
     Exception e = assertThrows(Exception.class, action::run);
     assertThat(e).hasCauseThat().isInstanceOf(CRLException.class);
@@ -72,12 +74,11 @@ class TmchCrlActionTest extends TmchActionTestCase {
 
   @Test
   void testFailure_crlNotSignedByRoot() throws Exception {
-    clock.setTo(DateTime.parse("2013-07-24TZ"));
     when(httpUrlConnection.getInputStream())
         .thenReturn(
             new ByteArrayInputStream(
-                readResourceBytes(TmchCertificateAuthority.class, "icann-tmch.crl").read()));
-    Exception e = assertThrows(Exception.class, newTmchCrlAction(TmchCaMode.PILOT)::run);
+                readResourceBytes(TmchCertificateAuthority.class, "icann-tmch-pilot.crl").read()));
+    Exception e = assertThrows(Exception.class, newTmchCrlAction(TmchCaMode.PRODUCTION)::run);
     assertThat(e).hasCauseThat().isInstanceOf(SignatureException.class);
     assertThat(e).hasCauseThat().hasMessageThat().isEqualTo("Signature does not match.");
   }

core/src/test/java/google/registry/tmch/TmchDnlActionTest.java

@@ -43,8 +43,8 @@ class TmchDnlActionTest extends TmchActionTestCase {
   void testDnl() throws Exception {
     assertThat(ClaimsListDao.get().getClaimKey("xn----7sbejwbn3axu3d")).isEmpty();
     when(httpUrlConnection.getInputStream())
-        .thenReturn(new ByteArrayInputStream(TmchTestData.loadBytes("dnl-latest.csv").read()))
-        .thenReturn(new ByteArrayInputStream(TmchTestData.loadBytes("dnl-latest.sig").read()));
+        .thenReturn(new ByteArrayInputStream(TmchTestData.loadBytes("dnl/dnl-latest.csv").read()))
+        .thenReturn(new ByteArrayInputStream(TmchTestData.loadBytes("dnl/dnl-latest.sig").read()));
     newTmchDnlAction().run();
     verify(httpUrlConnection, times(2)).getInputStream();
     assertThat(connectedUrls.stream().map(URL::toString).collect(toImmutableList()))

core/src/test/java/google/registry/tmch/TmchSmdrlActionTest.java

@@ -46,8 +46,8 @@ class TmchSmdrlActionTest extends TmchActionTestCase {
     assertThat(smdrl.isSmdRevoked("0000001681375789102250-65535", now)).isFalse();
     assertThat(smdrl.isSmdRevoked("0000001681375789102250-65536", now)).isFalse();
     when(httpUrlConnection.getInputStream())
-        .thenReturn(new ByteArrayInputStream(loadBytes("smdrl-latest.csv").read()))
-        .thenReturn(new ByteArrayInputStream(loadBytes("smdrl-latest.sig").read()));
+        .thenReturn(new ByteArrayInputStream(loadBytes("smdrl/smdrl-latest.csv").read()))
+        .thenReturn(new ByteArrayInputStream(loadBytes("smdrl/smdrl-latest.sig").read()));
     newTmchSmdrlAction().run();
     verify(httpUrlConnection, times(2)).getInputStream();
     assertThat(connectedUrls.stream().map(URL::toString).collect(toImmutableList()))

core/src/test/java/google/registry/tmch/TmchTestData.java

@@ -16,22 +16,33 @@ package google.registry.tmch;
 
 import static com.google.common.base.CharMatcher.whitespace;
 import static com.google.common.io.BaseEncoding.base64;
+import static google.registry.tmch.TmchData.BEGIN_ENCODED_SMD;
+import static google.registry.tmch.TmchData.END_ENCODED_SMD;
 
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
 import com.google.common.io.ByteSource;
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import google.registry.testing.TestDataHelper;
 
-/** Utility class providing easy access to contents of the {@code testdata/} directory. */
+/**
+ * Utility class providing easy access to contents of the {@code
+ * core/src/test/resources/google/registry/tmch/} directory.
+ */
 public final class TmchTestData {
 
-  private static final String BEGIN_ENCODED_SMD = "-----BEGIN ENCODED SMD-----";
-  private static final String END_ENCODED_SMD = "-----END ENCODED SMD-----";
+  private TmchTestData() {}
 
-  /** Returns {@link ByteSource} for file in {@code tmch/testdata/} directory. */
+  /**
+   * Returns {@link ByteSource} for file in {@code core/src/test/resources/google/registry/tmch/}
+   * directory.
+   */
   public static ByteSource loadBytes(String filename) {
     return TestDataHelper.loadBytes(TmchTestData.class, filename);
   }
 
-  /** Loads data from file in {@code tmch/testdata/} as a String. */
+  /** Loads data from file in {@code core/src/test/resources/google/registry/tmch/} as a String. */
   public static String loadFile(String filename) {
     return TestDataHelper.loadFile(TmchTestData.class, filename);
   }
@@ -47,4 +58,15 @@ public final class TmchTestData {
                         data.indexOf(BEGIN_ENCODED_SMD) + BEGIN_ENCODED_SMD.length(),
                         data.indexOf(END_ENCODED_SMD))));
   }
+
+  public static ImmutableList<String> extractLabels(String filepath) {
+    String pattern = "U-labels: ";
+    String content = loadFile(filepath);
+    Matcher matcher = Pattern.compile(pattern + ".*").matcher(content);
+    matcher.find();
+    String matchedString = matcher.group().replace(pattern, "");
+    return matchedString.isEmpty()
+        ? ImmutableList.of()
+        : ImmutableList.copyOf(Splitter.on(',').trimResults().split(matchedString));
+  }
 }

core/src/test/java/google/registry/tmch/TmchTestDataExpirationTest.java

@@ -42,9 +42,9 @@ class TmchTestDataExpirationTest {
    * files and so that we can test various types of files, but this test will vail when the validity
    * of the ICANN-provided file expires.
    *
-   * <p>When this fails, check
-   * <a>https://newgtlds.icann.org/en/about/trademark-clearinghouse/registries-registrars</a> for a
-   * new updated SMD file.
+   * <p>When this fails, check <a
+   * href="https://newgtlds.icann.org/en/about/trademark-clearinghouse/registries-registrars">Signed
+   * Mark Data Files</a> for a new updated SMD file.
    */
   @Test
   void testActiveSignedMarkFiles_areValidAndNotExpired() throws Exception {
@@ -53,7 +53,7 @@ class TmchTestDataExpirationTest {
             new TmchXmlSignature(
                 new TmchCertificateAuthority(TmchCaMode.PILOT, new SystemClock())));
 
-    String filePath = "active/smd-active-21aug20-en.smd";
+    String filePath = "smd/active.smd";
     String tmchData = loadFile(TmchTestDataExpirationTest.class, filePath);
     EncodedSignedMark smd = TmchData.readEncodedSignedMark(tmchData);
     try {

core/src/test/java/google/registry/tmch/TmchXmlSignatureTest.java

@@ -28,14 +28,18 @@ import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.CertificateRevokedException;
 import javax.xml.crypto.dsig.XMLSignatureException;
 import org.joda.time.DateTime;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.junitpioneer.jupiter.cartesian.CartesianTest;
+import org.junitpioneer.jupiter.cartesian.CartesianTest.Values;
 
 /**
  * Unit tests for {@link TmchXmlSignature}.
  *
- * <p>This class does not test the {@code revoked/smd/} folder because it's not a crypto issue.
+ * <p>This class does not verify if the SMD itself is revoked, which is different from if the
+ * certificate signging the SMD is revoked, as it is not a crypto issue.
  */
 class TmchXmlSignatureTest {
 
@@ -44,38 +48,54 @@ class TmchXmlSignatureTest {
       new JpaTestExtensions.Builder().buildIntegrationTestExtension();
 
   // This should be a date which falls within the validity range of the test files contained in the
-  // testdata/active directory. Note that test files claiming to be valid for a particular date
+  // smd/ directory. Note that test files claiming to be valid for a particular date
   // range in the file header may not actually be valid the whole time, because they contain an
-  // embedded certificate which might have a shorter validity range.
+  // embedded (intermediate) certificate which might have a shorter validity range.
   //
   // New versions of the test files are published every few years by ICANN, and available at in the
-  // Signed Mark Data Files section of:
+  // "Signed Mark Data Files" section of:
   //
   // https://newgtlds.icann.org/en/about/trademark-clearinghouse/registries-registrars
   //
-  // The link labeled "Set of IDN test-SMDs" leads to a .tar.gz file containing the test files which
-  // in our directory structure reside in testdata/active and testdata/revoked/smd (it is not clear
-  // where the files in testdata/invalid and testdata/revoked/tmv come from; we probably made them
-  // ourselves, since there aren't as many of them). For purposes of testing, we could probably keep
-  // using old test files forever, and keep a corresponding old date, but it seems like a good idea
-  // to keep up to date if possible.
-  //
-  // When updating this date, also update the dates below, which test to make sure that dates before
-  // and after the validity window result in rejection.
-  private final FakeClock clock = new FakeClock(DateTime.parse("2018-05-15T23:15:37.4Z"));
+  // When updating this date, also update the "time travel" dates in two tests below, which test to
+  // make sure that dates before and after the validity window result in rejection.
+  private final FakeClock clock = new FakeClock(DateTime.parse("2023-01-15T23:15:37.4Z"));
 
   private byte[] smdData;
   private TmchXmlSignature tmchXmlSignature =
       new TmchXmlSignature(new TmchCertificateAuthority(TmchCaMode.PILOT, clock));
 
-  @BeforeEach
-  void beforeEach() {}
+  @Test
+  void testActive() throws Exception {
+    smdData = loadSmd("smd/active.smd");
+    tmchXmlSignature.verify(smdData);
+  }
+
+  @Test
+  void testRevoked() throws Exception {
+    smdData = loadSmd("smd/revoked.smd");
+    tmchXmlSignature.verify(smdData);
+  }
+
+  @Test
+  void testInvalid() {
+    smdData = loadSmd("smd/invalid.smd");
+    assertThrows(XMLSignatureException.class, () -> tmchXmlSignature.verify(smdData));
+  }
+
+  @Test
+  void testTmvCertRevoked() {
+    smdData = loadSmd("smd/tmv-cert-revoked.smd");
+    CertificateRevokedException e =
+        assertThrows(CertificateRevokedException.class, () -> tmchXmlSignature.verify(smdData));
+    assertThat(e).hasMessageThat().contains("Certificate has been revoked");
+  }
 
   @Test
   void testWrongCertificateAuthority() {
     tmchXmlSignature =
         new TmchXmlSignature(new TmchCertificateAuthority(TmchCaMode.PRODUCTION, clock));
-    smdData = loadSmd("active/Court-Agent-Arab-Active.smd");
+    smdData = loadSmd("smd/active.smd");
     CertificateSignatureException e =
         assertThrows(CertificateSignatureException.class, () -> tmchXmlSignature.verify(smdData));
     assertThat(e).hasMessageThat().contains("Signature does not match");
@@ -83,265 +103,40 @@ class TmchXmlSignatureTest {
 
   @Test
   void testTimeTravelBeforeCertificateWasCreated() {
-    smdData = loadSmd("active/Court-Agent-Arab-Active.smd");
-    clock.setTo(DateTime.parse("2013-05-01T00:00:00Z"));
+    smdData = loadSmd("smd/active.smd");
+    clock.setTo(DateTime.parse("2021-05-01T00:00:00Z"));
     assertThrows(CertificateNotYetValidException.class, () -> tmchXmlSignature.verify(smdData));
   }
 
   @Test
   void testTimeTravelAfterCertificateHasExpired() {
-    smdData = loadSmd("active/Court-Agent-Arab-Active.smd");
-    clock.setTo(DateTime.parse("2023-06-01T00:00:00Z"));
+    smdData = loadSmd("smd/active.smd");
+    clock.setTo(DateTime.parse("2028-06-01T00:00:00Z"));
     assertThrows(CertificateExpiredException.class, () -> tmchXmlSignature.verify(smdData));
   }
 
-  @Test
-  void testActiveCourtAgentArabActive() throws Exception {
-    smdData = loadSmd("active/Court-Agent-Arab-Active.smd");
+  @CartesianTest
+  void testInd(
+      @Values(strings = {"Agent", "Holder"}) String contact,
+      @Values(strings = {"Court", "Trademark", "TreatyStatute"}) String type,
+      @Values(strings = {"Arab", "Chinese", "English", "French"}) String language,
+      @Values(strings = {"Active", "Revoked"}) String status)
+      throws Exception {
+    smdData =
+        loadSmd(
+            String.format(
+                "idn/%s-%s/%s-%s-%s-%s.smd", contact, language, type, contact, language, status));
     tmchXmlSignature.verify(smdData);
   }
 
-  @Test
-  void testActiveCourtAgentChineseActive() throws Exception {
-    smdData = loadSmd("active/Court-Agent-Chinese-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveCourtAgentEnglishActive() throws Exception {
-    smdData = loadSmd("active/Court-Agent-English-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveCourtAgentFrenchActive() throws Exception {
-    smdData = loadSmd("active/Court-Agent-French-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveCourtAgentRussianActive() throws Exception {
-    smdData = loadSmd("active/Court-Agent-Russian-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveCourtHolderArabActive() throws Exception {
-    smdData = loadSmd("active/Court-Holder-Arab-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveCourtHolderChineseActive() throws Exception {
-    smdData = loadSmd("active/Court-Holder-Chinese-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveCourtHolderEnglishActive() throws Exception {
-    smdData = loadSmd("active/Court-Holder-English-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveCourtHolderFrenchActive() throws Exception {
-    smdData = loadSmd("active/Court-Holder-French-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveCourtHolderRussianActive() throws Exception {
-    smdData = loadSmd("active/Court-Holder-Russian-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkAgentArabActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Agent-Arab-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkAgentChineseActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Agent-Chinese-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkAgentEnglishActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Agent-English-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkAgentFrenchActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Agent-French-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkAgentRussianActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Agent-Russian-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkHolderArabActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Holder-Arab-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkHolderChineseActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Holder-Chinese-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkHolderEnglishActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Holder-English-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkHolderFrenchActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Holder-French-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTrademarkHolderRussianActive() throws Exception {
-    smdData = loadSmd("active/Trademark-Holder-Russian-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteAgentArabActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Agent-Arab-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteAgentChineseActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Agent-Chinese-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteAgentEnglishActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Agent-English-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteAgentFrenchActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Agent-French-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteAgentRussianActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Agent-Russian-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteHolderArabActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Holder-Arab-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteHolderChineseActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Holder-Chinese-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteHolderEnglishActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Holder-English-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteHolderFrenchActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Holder-French-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testActiveTreatystatuteHolderRussianActive() throws Exception {
-    smdData = loadSmd("active/TreatyStatute-Holder-Russian-Active.smd");
-    tmchXmlSignature.verify(smdData);
-  }
-
-  @Test
-  void testInvalidInvalidsignatureCourtAgentFrenchActive() {
-    smdData = loadSmd("invalid/InvalidSignature-Court-Agent-French-Active.smd");
-    assertThrows(XMLSignatureException.class, () -> tmchXmlSignature.verify(smdData));
-  }
-
-  @Test
-  void testInvalidInvalidsignatureTrademarkAgentEnglishActive() {
-    smdData = loadSmd("invalid/InvalidSignature-Trademark-Agent-English-Active.smd");
-    assertThrows(XMLSignatureException.class, () -> tmchXmlSignature.verify(smdData));
-  }
-
-  @Test
-  void testInvalidInvalidsignatureTrademarkAgentRussianActive() {
-    smdData = loadSmd("invalid/InvalidSignature-Trademark-Agent-Russian-Active.smd");
-    assertThrows(XMLSignatureException.class, () -> tmchXmlSignature.verify(smdData));
-  }
-
-  @Test
-  void testInvalidInvalidsignatureTreatystatuteAgentChineseActive() {
-    smdData = loadSmd("invalid/InvalidSignature-TreatyStatute-Agent-Chinese-Active.smd");
-    assertThrows(XMLSignatureException.class, () -> tmchXmlSignature.verify(smdData));
-  }
-
-  @Test
-  void testInvalidInvalidsignatureTreatystatuteAgentEnglishActive() {
-    smdData = loadSmd("invalid/InvalidSignature-TreatyStatute-Agent-English-Active.smd");
-    assertThrows(XMLSignatureException.class, () -> tmchXmlSignature.verify(smdData));
-  }
-
-  @Test
-  void testRevokedTmvTmvrevokedCourtAgentFrenchActive() {
-    smdData = loadSmd("revoked/tmv/TMVRevoked-Court-Agent-French-Active.smd");
-    CertificateRevokedException e =
-        assertThrows(CertificateRevokedException.class, () -> tmchXmlSignature.verify(smdData));
-    assertThat(e).hasMessageThat().contains("KEY_COMPROMISE");
-  }
-
-  @Test
-  void testRevokedTmvTmvrevokedTrademarkAgentEnglishActive() {
-    smdData = loadSmd("revoked/tmv/TMVRevoked-Trademark-Agent-English-Active.smd");
+  @ParameterizedTest
+  @ValueSource(strings = {"Arab", "Chinese", "English", "French"})
+  void testIndTmvRevoked(String language) {
+    smdData =
+        loadSmd(
+            String.format("idn/RevokedCert/TMVRevoked-Trademark-Agent-%s-Active.smd", language));
     CertificateRevokedException e =
         assertThrows(CertificateRevokedException.class, () -> tmchXmlSignature.verify(smdData));
     assertThat(e).hasMessageThat().contains("Certificate has been revoked");
   }
-
-  @Test
-  void testRevokedTmvTmvrevokedTrademarkAgentRussianActive() {
-    smdData = loadSmd("revoked/tmv/TMVRevoked-Trademark-Agent-Russian-Active.smd");
-    CertificateRevokedException e =
-        assertThrows(CertificateRevokedException.class, () -> tmchXmlSignature.verify(smdData));
-    assertThat(e).hasMessageThat().contains("Certificate has been revoked");
-  }
-
-  @Test
-  void testRevokedTmvTmvrevokedTreatystatuteAgentChineseActive() {
-    smdData = loadSmd("revoked/tmv/TMVRevoked-TreatyStatute-Agent-Chinese-Active.smd");
-    CertificateRevokedException e =
-        assertThrows(CertificateRevokedException.class, () -> tmchXmlSignature.verify(smdData));
-    assertThat(e).hasMessageThat().contains("KEY_COMPROMISE");
-  }
-
-  @Test
-  void testRevokedTmvTmvrevokedTreatystatuteAgentEnglishActive() {
-    smdData = loadSmd("revoked/tmv/TMVRevoked-TreatyStatute-Agent-English-Active.smd");
-    CertificateRevokedException e =
-        assertThrows(CertificateRevokedException.class, () -> tmchXmlSignature.verify(smdData));
-    assertThat(e).hasMessageThat().contains("KEY_COMPROMISE");
-  }
 }

core/src/test/java/google/registry/tools/GenerateAllocationTokensCommandTest.java

@@ -395,6 +395,26 @@ class GenerateAllocationTokensCommandTest extends CommandTestCase<GenerateAlloca
         .isInstanceOf(IllegalArgumentException.class);
   }
 
+  @Test
+  void testFailure_invalidPackageTokenStatusTransition() {
+    assertThat(
+            assertThrows(
+                IllegalArgumentException.class,
+                () ->
+                    runCommand(
+                        "--number",
+                        "999",
+                        "--type",
+                        "PACKAGE",
+                        String.format(
+                            "--token_status_transitions=\"%s=NOT_STARTED,%s=VALID,%s=ENDED\"",
+                            START_OF_TIME, fakeClock.nowUtc(), fakeClock.nowUtc().plusDays(1)))))
+        .hasMessageThat()
+        .isEqualTo(
+            "PACKAGE tokens should not be generated with ENDED or CANCELLED in their transition"
+                + " map");
+  }
+
   @Test
   void testFailure_lengthOfZero() {
     IllegalArgumentException thrown =

core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java

@@ -100,6 +100,7 @@ public class RequestFactoryModuleTest {
 
   @Test
   void test_provideHttpRequestFactory_remote_withIap() throws Exception {
+    when(credentialsBundle.getHttpRequestInitializer()).thenReturn(httpRequestInitializer);
     // Mock the request/response to/from the IAP server requesting an ID token
     UserCredentials mockUserCredentials = mock(UserCredentials.class);
     when(credentialsBundle.getGoogleCredentials()).thenReturn(mockUserCredentials);
@@ -123,9 +124,10 @@ public class RequestFactoryModuleTest {
           RequestFactoryModule.provideHttpRequestFactory(
               credentialsBundle, Optional.of("iapClientId"));
       HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
-      assertThat(request.getHeaders().getAuthorization()).isEqualTo("Bearer iapIdToken");
+      assertThat(request.getHeaders().get("Proxy-Authorization")).isEqualTo("Bearer iapIdToken");
       assertThat(request.getConnectTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
       assertThat(request.getReadTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
+      verify(httpRequestInitializer).initialize(request);
       verifyNoMoreInteractions(httpRequestInitializer);
     } finally {
       RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = origIsLocal;

core/src/test/java/google/registry/tools/UpdateAllocationTokensCommandTest.java

@@ -22,9 +22,12 @@ import static google.registry.model.domain.token.AllocationToken.TokenStatus.CAN
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.ENDED;
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.NOT_STARTED;
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.VALID;
+import static google.registry.model.domain.token.AllocationToken.TokenType.PACKAGE;
 import static google.registry.model.domain.token.AllocationToken.TokenType.SINGLE_USE;
 import static google.registry.model.domain.token.AllocationToken.TokenType.UNLIMITED_USE;
+import static google.registry.testing.DatabaseHelper.createTld;
 import static google.registry.testing.DatabaseHelper.loadByEntity;
+import static google.registry.testing.DatabaseHelper.persistActiveDomain;
 import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static org.joda.time.DateTimeZone.UTC;
@@ -255,7 +258,7 @@ class UpdateAllocationTokensCommandTest extends CommandTestCase<UpdateAllocation
 
   @Test
   void testUpdateStatusTransitions() throws Exception {
-    DateTime now = DateTime.now(UTC);
+    DateTime now = fakeClock.nowUtc();
     AllocationToken token = persistResource(builderWithPromo().build());
     runCommandForced(
         "--prefix",
@@ -270,7 +273,7 @@ class UpdateAllocationTokensCommandTest extends CommandTestCase<UpdateAllocation
 
   @Test
   void testUpdateStatusTransitions_badTransitions() {
-    DateTime now = DateTime.now(UTC);
+    DateTime now = fakeClock.nowUtc();
     persistResource(builderWithPromo().build());
     IllegalArgumentException thrown =
         assertThrows(
@@ -288,6 +291,73 @@ class UpdateAllocationTokensCommandTest extends CommandTestCase<UpdateAllocation
         .isEqualTo("tokenStatusTransitions map cannot transition from NOT_STARTED to ENDED.");
   }
 
+  @Test
+  void testUpdateStatusTransitions_endPackageTokenNoDomains() throws Exception {
+    DateTime now = fakeClock.nowUtc();
+    AllocationToken token =
+        persistResource(
+            new AllocationToken.Builder()
+                .setToken("token")
+                .setTokenType(PACKAGE)
+                .setRenewalPriceBehavior(SPECIFIED)
+                .setAllowedRegistrarIds(ImmutableSet.of("TheRegistrar"))
+                .setTokenStatusTransitions(
+                    ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
+                        .put(START_OF_TIME, NOT_STARTED)
+                        .put(now.minusDays(1), VALID)
+                        .build())
+                .build());
+    runCommandForced(
+        "--prefix",
+        "token",
+        "--token_status_transitions",
+        String.format(
+            "\"%s=NOT_STARTED,%s=VALID,%s=ENDED\"", START_OF_TIME, now.minusDays(1), now));
+    token = reloadResource(token);
+    assertThat(token.getTokenStatusTransitions().toValueMap())
+        .containsExactly(START_OF_TIME, NOT_STARTED, now.minusDays(1), VALID, now, ENDED);
+  }
+
+  @Test
+  void testUpdateStatusTransitions_endPackageTokenWithActiveDomainsFails() throws Exception {
+    DateTime now = fakeClock.nowUtc();
+    AllocationToken token =
+        persistResource(
+            new AllocationToken.Builder()
+                .setToken("token")
+                .setTokenType(PACKAGE)
+                .setRenewalPriceBehavior(SPECIFIED)
+                .setAllowedRegistrarIds(ImmutableSet.of("TheRegistrar"))
+                .setTokenStatusTransitions(
+                    ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
+                        .put(START_OF_TIME, NOT_STARTED)
+                        .put(now.minusDays(1), VALID)
+                        .build())
+                .build());
+    createTld("tld");
+    persistResource(
+        persistActiveDomain("example.tld")
+            .asBuilder()
+            .setCurrentPackageToken(token.createVKey())
+            .build());
+    IllegalArgumentException thrown =
+        assertThrows(
+            IllegalArgumentException.class,
+            () ->
+                runCommandForced(
+                    "--prefix",
+                    "token",
+                    "--token_status_transitions",
+                    String.format(
+                        "\"%s=NOT_STARTED,%s=VALID,%s=ENDED\"",
+                        START_OF_TIME, now.minusDays(1), now)));
+    assertThat(thrown)
+        .hasMessageThat()
+        .isEqualTo(
+            "Package token token can not end its promotion because it still has 1 domains in the"
+                + " package");
+  }
+
   @Test
   void testUpdate_onlyWithPrefix() throws Exception {
     AllocationToken token =

core/src/test/java/google/registry/ui/server/console/ConsoleDomainGetActionTest.java

@@ -0,0 +1,139 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.console;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.testing.DatabaseHelper.createTld;
+import static org.mockito.Mockito.mock;
+
+import com.google.api.client.http.HttpStatusCodes;
+import com.google.common.collect.ImmutableMap;
+import com.google.gson.Gson;
+import google.registry.model.console.RegistrarRole;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
+import google.registry.persistence.transaction.JpaTestExtensions;
+import google.registry.request.auth.AuthLevel;
+import google.registry.request.auth.AuthResult;
+import google.registry.request.auth.UserAuthInfo;
+import google.registry.testing.DatabaseHelper;
+import google.registry.testing.FakeResponse;
+import google.registry.util.UtilsModule;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+/** Tests for {@link google.registry.ui.server.console.ConsoleDomainGetAction}. */
+public class ConsoleDomainGetActionTest {
+
+  private static final Gson GSON = UtilsModule.provideGson();
+  private static final FakeResponse RESPONSE = new FakeResponse();
+
+  @RegisterExtension
+  final JpaTestExtensions.JpaIntegrationTestExtension jpa =
+      new JpaTestExtensions.Builder().buildIntegrationTestExtension();
+
+  @BeforeEach
+  void beforeEach() {
+    createTld("tld");
+    DatabaseHelper.persistActiveDomain("exists.tld");
+  }
+
+  @Test
+  void testSuccess_fullJsonRepresentation() {
+    ConsoleDomainGetAction action =
+        createAction(
+            AuthResult.create(
+                AuthLevel.USER,
+                UserAuthInfo.create(
+                    createUser(
+                        new UserRoles.Builder()
+                            .setRegistrarRoles(
+                                ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER))
+                            .build()))),
+            "exists.tld");
+    action.run();
+    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(RESPONSE.getPayload())
+        .isEqualTo(
+            "{\"domainName\":\"exists.tld\",\"adminContact\":{\"key\":\"3-ROID\"},\"techContact\":"
+                + "{\"key\":\"3-ROID\"},\"registrantContact\":{\"key\":\"3-ROID\"},\"registrationExpirationTime\":"
+                + "\"294247-01-10T04:00:54.775Z\",\"lastTransferTime\":\"null\",\"repoId\":\"2-TLD\","
+                + "\"currentSponsorRegistrarId\":\"TheRegistrar\",\"creationRegistrarId\":\"TheRegistrar\","
+                + "\"creationTime\":{\"creationTime\":\"1970-01-01T00:00:00.000Z\"},\"lastEppUpdateTime\":\"null\","
+                + "\"statuses\":[\"INACTIVE\"]}");
+  }
+
+  @Test
+  void testFailure_emptyAuth() {
+    ConsoleDomainGetAction action = createAction(AuthResult.NOT_AUTHENTICATED, "exists.tld");
+    action.run();
+    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
+  }
+
+  @Test
+  void testFailure_appAuth() {
+    ConsoleDomainGetAction action = createAction(AuthResult.create(AuthLevel.APP), "exists.tld");
+    action.run();
+    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
+  }
+
+  @Test
+  void testFailure_wrongTypeOfUser() {
+    ConsoleDomainGetAction action =
+        createAction(
+            AuthResult.create(
+                AuthLevel.USER,
+                UserAuthInfo.create(mock(com.google.appengine.api.users.User.class), false)),
+            "exists.tld");
+    action.run();
+    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
+  }
+
+  @Test
+  void testFailure_noAccessToRegistrar() {
+    ConsoleDomainGetAction action =
+        createAction(
+            AuthResult.create(
+                AuthLevel.USER, UserAuthInfo.create(createUser(new UserRoles.Builder().build()))),
+            "exists.tld");
+    action.run();
+    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
+  }
+
+  @Test
+  void testFailure_nonexistentDomain() {
+    ConsoleDomainGetAction action =
+        createAction(
+            AuthResult.create(
+                AuthLevel.USER,
+                UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))),
+            "nonexistent.tld");
+    action.run();
+    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
+  }
+
+  private User createUser(UserRoles userRoles) {
+    return new User.Builder()
+        .setEmailAddress("email@email.com")
+        .setGaiaId("gaiaId")
+        .setUserRoles(userRoles)
+        .build();
+  }
+
+  private ConsoleDomainGetAction createAction(AuthResult authResult, String domain) {
+    return new ConsoleDomainGetAction(authResult, RESPONSE, GSON, domain);
+  }
+}

core/src/test/resources/google/registry/flows/domain/domain_create_response_encoded_signed_mark_name.xml

@@ -6,8 +6,8 @@
     <resData>
       <domain:creData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
         <domain:name>%DOMAIN%</domain:name>
-        <domain:crDate>2014-09-09T09:09:09Z</domain:crDate>
-        <domain:exDate>2016-09-09T09:09:09Z</domain:exDate>
+        <domain:crDate>%CREATE_TIME%</domain:crDate>
+        <domain:exDate>%EXPIRATION_TIME%</domain:exDate>
       </domain:creData>
     </resData>
     <trID>

core/src/test/resources/google/registry/flows/domain/domain_create_response_fee.xml

@@ -14,7 +14,7 @@
     <extension>
       <fee:creData xmlns:fee="urn:ietf:params:xml:ns:fee-%FEE_VERSION%">
         <fee:currency>USD</fee:currency>
-        <fee:fee description="create">26.00</fee:fee>
+        <fee:fee description="create">%FEE%</fee:fee>
       </fee:creData>
     </extension>
     <trID>