Create reusable dialog / bottom sheet component (#2237)

* Add a dryrun tag to UpdatePremiumListCommand and early exit command if no new changes to the list

* Change prompt string when no change to list to reflect that there is no actual prompted user input

* Add camelCase and correct flag name

build.gradle

@@ -347,6 +347,7 @@ subprojects {
 
   def services = [':services:default',
                   ':services:backend',
+                  ':services:bsa',
                   ':services:tools',
                   ':services:pubapi']
 

console-webapp/src/app/app-routing.module.ts

@@ -28,6 +28,7 @@ import ContactComponent from './settings/contact/contact.component';
 import WhoisComponent from './settings/whois/whois.component';
 import SecurityComponent from './settings/security/security.component';
 import UsersComponent from './settings/users/users.component';
+import { DomainListComponent } from './domains/domainList.component';
 
 const routes: Routes = [
   { path: '', redirectTo: '/home', pathMatch: 'full' },
@@ -35,6 +36,11 @@ const routes: Routes = [
   { path: 'empty-registrar', component: EmptyRegistrar },
   { path: 'home', component: HomeComponent, canActivate: [RegistrarGuard] },
   { path: 'tlds', component: TldsComponent, canActivate: [RegistrarGuard] },
+  {
+    path: DomainListComponent.PATH,
+    component: DomainListComponent,
+    canActivate: [RegistrarGuard],
+  },
   {
     path: SettingsComponent.PATH,
     component: SettingsComponent,

console-webapp/src/app/app.module.ts

@@ -36,30 +36,31 @@ import { RegistrarGuard } from './registrar/registrar.guard';
 import SecurityComponent from './settings/security/security.component';
 import { MAT_FORM_FIELD_DEFAULT_OPTIONS } from '@angular/material/form-field';
 import { EmptyRegistrar } from './registrar/emptyRegistrar.component';
-import { RegistrarSelectorComponent } from './registrar/registrar-selector.component';
+import { RegistrarSelectorComponent } from './registrar/registrarSelector.component';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
-import { ContactWidgetComponent } from './home/widgets/contact-widget.component';
-import { PromotionsWidgetComponent } from './home/widgets/promotions-widget.component';
-import { TldsWidgetComponent } from './home/widgets/tlds-widget.component';
-import { ResourcesWidgetComponent } from './home/widgets/resources-widget.component';
-import { EppWidgetComponent } from './home/widgets/epp-widget.component';
-import { BillingWidgetComponent } from './home/widgets/billing-widget.component';
-import { DomainsWidgetComponent } from './home/widgets/domains-widget.component';
-import { SettingsWidgetComponent } from './home/widgets/settings-widget.component';
+import { ContactWidgetComponent } from './home/widgets/contactWidget.component';
+import { PromotionsWidgetComponent } from './home/widgets/promotionsWidget.component';
+import { TldsWidgetComponent } from './home/widgets/tldsWidget.component';
+import { ResourcesWidgetComponent } from './home/widgets/resourcesWidget.component';
+import { EppWidgetComponent } from './home/widgets/eppWidget.component';
+import { BillingWidgetComponent } from './home/widgets/billingWidget.component';
+import { DomainsWidgetComponent } from './home/widgets/domainsWidget.component';
+import { SettingsWidgetComponent } from './home/widgets/settingsWidget.component';
 import { UserDataService } from './shared/services/userData.service';
 import WhoisComponent from './settings/whois/whois.component';
 import { SnackBarModule } from './snackbar.module';
-import {
-  RegistrarDetailsComponent,
-  RegistrarDetailsWrapperComponent,
-} from './registrar/registrarDetails.component';
+import { RegistrarDetailsComponent } from './registrar/registrarDetails.component';
+import { DomainListComponent } from './domains/domainList.component';
+import { DialogBottomSheetWrapper } from './shared/components/dialogBottomSheet.component';
 
 @NgModule({
   declarations: [
     AppComponent,
+    DialogBottomSheetWrapper,
     BillingWidgetComponent,
     ContactDetailsDialogComponent,
     ContactWidgetComponent,
+    DomainListComponent,
     DomainsWidgetComponent,
     EmptyRegistrar,
     EppWidgetComponent,
@@ -68,7 +69,6 @@ import {
     PromotionsWidgetComponent,
     RegistrarComponent,
     RegistrarDetailsComponent,
-    RegistrarDetailsWrapperComponent,
     RegistrarSelectorComponent,
     ResourcesWidgetComponent,
     SecurityComponent,

console-webapp/src/app/domains/domainList.component.html

@@ -0,0 +1,60 @@
+<div class="console-domains">
+  <mat-form-field>
+    <mat-label>Filter</mat-label>
+    <input
+      type="search"
+      matInput
+      [(ngModel)]="searchTerm"
+      (ngModelChange)="sendInput()"
+      #input
+    />
+  </mat-form-field>
+
+  <div *ngIf="isLoading; else domains_content" class="console-domains__loading">
+    <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+  </div>
+  <ng-template #domains_content>
+    <table mat-table [dataSource]="dataSource" class="mat-elevation-z8">
+      <ng-container matColumnDef="domainName">
+        <th mat-header-cell *matHeaderCellDef>Domain Name</th>
+        <td mat-cell *matCellDef="let element">{{ element.domainName }}</td>
+      </ng-container>
+
+      <ng-container matColumnDef="creationTime">
+        <th mat-header-cell *matHeaderCellDef>Creation Time</th>
+        <td mat-cell *matCellDef="let element">
+          {{ element.creationTime.creationTime }}
+        </td>
+      </ng-container>
+
+      <ng-container matColumnDef="registrationExpirationTime">
+        <th mat-header-cell *matHeaderCellDef>Expiration Time</th>
+        <td mat-cell *matCellDef="let element">
+          {{ element.registrationExpirationTime }}
+        </td>
+      </ng-container>
+
+      <ng-container matColumnDef="statuses">
+        <th mat-header-cell *matHeaderCellDef>Statuses</th>
+        <td mat-cell *matCellDef="let element">{{ element.statuses }}</td>
+      </ng-container>
+
+      <tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
+      <tr mat-row *matRowDef="let row; columns: displayedColumns"></tr>
+
+      <!-- Row shown when there is no matching data. -->
+      <tr class="mat-row" *matNoDataRow>
+        <td class="mat-cell" colspan="4">No domains found</td>
+      </tr>
+    </table>
+    <mat-paginator
+      [length]="totalResults"
+      [pageIndex]="pageNumber"
+      [pageSize]="resultsPerPage"
+      [pageSizeOptions]="[10, 25, 50, 100, 500]"
+      (page)="onPageChange($event)"
+      aria-label="Select page of domain results"
+      showFirstLastButtons
+    ></mat-paginator>
+  </ng-template>
+</div>

console-webapp/src/app/domains/domainList.component.spec.ts

@@ -0,0 +1,36 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { DomainListComponent } from './domainList.component';
+
+describe('DomainListComponent', () => {
+  let component: DomainListComponent;
+  let fixture: ComponentFixture<DomainListComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      declarations: [DomainListComponent],
+    }).compileComponents();
+
+    fixture = TestBed.createComponent(DomainListComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});

console-webapp/src/app/domains/domainList.component.ts

@@ -0,0 +1,98 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, ViewChild } from '@angular/core';
+import { MatTableDataSource } from '@angular/material/table';
+import { BackendService } from '../shared/services/backend.service';
+import { MatPaginator, PageEvent } from '@angular/material/paginator';
+import { RegistrarService } from '../registrar/registrar.service';
+import { Domain, DomainListService } from './domainList.service';
+import { Subject, debounceTime } from 'rxjs';
+
+@Component({
+  selector: 'app-domain-list',
+  templateUrl: './domainList.component.html',
+  styleUrls: ['./domainList.component.scss'],
+  providers: [DomainListService],
+})
+export class DomainListComponent {
+  public static PATH = 'domain-list';
+  private readonly DEBOUNCE_MS = 500;
+
+  displayedColumns: string[] = [
+    'domainName',
+    'creationTime',
+    'registrationExpirationTime',
+    'statuses',
+  ];
+
+  dataSource: MatTableDataSource<Domain> = new MatTableDataSource();
+  isLoading = true;
+
+  searchTermSubject = new Subject<string>();
+  searchTerm?: string;
+
+  pageNumber?: number;
+  resultsPerPage = 50;
+  totalResults?: number;
+
+  @ViewChild(MatPaginator, { static: true }) paginator!: MatPaginator;
+
+  constructor(
+    private backendService: BackendService,
+    private domainListService: DomainListService,
+    private registrarService: RegistrarService
+  ) {}
+
+  ngOnInit() {
+    this.dataSource.paginator = this.paginator;
+    // Don't spam the server unnecessarily while the user is typing
+    this.searchTermSubject
+      .pipe(debounceTime(this.DEBOUNCE_MS))
+      .subscribe((searchTermValue) => {
+        this.reloadData();
+      });
+    this.reloadData();
+  }
+
+  ngOnDestroy() {
+    this.searchTermSubject.complete();
+  }
+
+  reloadData() {
+    this.isLoading = true;
+    this.domainListService
+      .retrieveDomains(
+        this.pageNumber,
+        this.resultsPerPage,
+        this.totalResults,
+        this.searchTerm
+      )
+      .subscribe((domainListResult) => {
+        this.dataSource.data = domainListResult.domains;
+        this.totalResults = domainListResult.totalResults;
+        this.isLoading = false;
+      });
+  }
+
+  sendInput() {
+    this.searchTermSubject.next(this.searchTerm!);
+  }
+
+  onPageChange(event: PageEvent) {
+    this.pageNumber = event.pageIndex;
+    this.resultsPerPage = event.pageSize;
+    this.reloadData();
+  }
+}

console-webapp/src/app/domains/domainList.service.ts

@@ -0,0 +1,68 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable } from '@angular/core';
+import { BackendService } from '../shared/services/backend.service';
+import { RegistrarService } from '../registrar/registrar.service';
+import { tap } from 'rxjs';
+
+export interface CreateAutoTimestamp {
+  creationTime: string;
+}
+
+export interface Domain {
+  creationTime: CreateAutoTimestamp;
+  currentSponsorRegistrarId: string;
+  domainName: string;
+  registrationExpirationTime: string;
+  statuses: string[];
+}
+
+export interface DomainListResult {
+  checkpointTime: string;
+  domains: Domain[];
+  totalResults: number;
+}
+
+@Injectable()
+export class DomainListService {
+  checkpointTime?: string;
+
+  constructor(
+    private backendService: BackendService,
+    private registrarService: RegistrarService
+  ) {}
+
+  retrieveDomains(
+    pageNumber?: number,
+    resultsPerPage?: number,
+    totalResults?: number,
+    searchTerm?: string
+  ) {
+    return this.backendService
+      .getDomains(
+        this.registrarService.activeRegistrarId,
+        this.checkpointTime,
+        pageNumber,
+        resultsPerPage,
+        totalResults,
+        searchTerm
+      )
+      .pipe(
+        tap((domainListResult: DomainListResult) => {
+          this.checkpointTime = domainListResult.checkpointTime;
+        })
+      );
+  }
+}

console-webapp/src/app/home/widgets/billingWidget.component.ts

@@ -17,7 +17,7 @@ import { RegistrarService } from 'src/app/registrar/registrar.service';
 
 @Component({
   selector: '[app-billing-widget]',
-  templateUrl: './billing-widget.component.html',
+  templateUrl: './billingWidget.component.html',
 })
 export class BillingWidgetComponent {
   constructor(public registrarService: RegistrarService) {}

console-webapp/src/app/home/widgets/contactWidget.component.ts

@@ -17,7 +17,7 @@ import { UserDataService } from 'src/app/shared/services/userData.service';
 
 @Component({
   selector: '[app-contact-widget]',
-  templateUrl: './contact-widget.component.html',
+  templateUrl: './contactWidget.component.html',
 })
 export class ContactWidgetComponent {
   constructor(public userDataService: UserDataService) {}

console-webapp/src/app/home/widgets/domainsWidget.component.html

@@ -13,7 +13,12 @@
           Create a Domain
         </button>
         <p class="secondary-text">Register a new domain name</p>
-        <button mat-button color="primary" class="console-app__widget-link">
+        <button
+          mat-button
+          color="primary"
+          class="console-app__widget-link"
+          (click)="openDomainsPage()"
+        >
           View DUMs
         </button>
         <p class="secondary-text">

console-webapp/src/app/home/widgets/domainsWidget.component.ts

@@ -0,0 +1,29 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { Router } from '@angular/router';
+import { DomainListComponent } from 'src/app/domains/domainList.component';
+
+@Component({
+  selector: '[app-domains-widget]',
+  templateUrl: './domainsWidget.component.html',
+})
+export class DomainsWidgetComponent {
+  constructor(private router: Router) {}
+
+  openDomainsPage() {
+    this.router.navigate([DomainListComponent.PATH]);
+  }
+}

console-webapp/src/app/home/widgets/eppWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-epp-widget]',
-  templateUrl: './epp-widget.component.html',
+  templateUrl: './eppWidget.component.html',
 })
 export class EppWidgetComponent {
   constructor() {}

console-webapp/src/app/home/widgets/promotionsWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-promotions-widget]',
-  templateUrl: './promotions-widget.component.html',
+  templateUrl: './promotionsWidget.component.html',
 })
 export class PromotionsWidgetComponent {
   constructor() {}

console-webapp/src/app/home/widgets/resourcesWidget.component.ts

@@ -17,7 +17,7 @@ import { UserDataService } from 'src/app/shared/services/userData.service';
 
 @Component({
   selector: '[app-resources-widget]',
-  templateUrl: './resources-widget.component.html',
+  templateUrl: './resourcesWidget.component.html',
 })
 export class ResourcesWidgetComponent {
   constructor(public userDataService: UserDataService) {}

console-webapp/src/app/home/widgets/settingsWidget.component.ts

@@ -21,7 +21,7 @@ import { SettingsComponent } from 'src/app/settings/settings.component';
 
 @Component({
   selector: '[app-settings-widget]',
-  templateUrl: './settings-widget.component.html',
+  templateUrl: './settingsWidget.component.html',
 })
 export class SettingsWidgetComponent {
   constructor(private router: Router) {}

console-webapp/src/app/home/widgets/tldsWidget.component.ts

@@ -16,7 +16,7 @@ import { Component } from '@angular/core';
 
 @Component({
   selector: '[app-tlds-widget]',
-  templateUrl: './tlds-widget.component.html',
+  templateUrl: './tldsWidget.component.html',
 })
 export class TldsWidgetComponent {
   constructor() {}

console-webapp/src/app/registrar/registrarDetails.component.html

@@ -1,7 +1,7 @@
-<div class="registrarDetails">
+<div class="registrarDetails" *ngIf="registrarInEdit">
   <h3 mat-dialog-title>Edit Registrar: {{ registrarInEdit.registrarId }}</h3>
   <div mat-dialog-content>
-    <form (ngSubmit)="saveAndClose($event)">
+    <form (ngSubmit)="saveAndClose()">
       <mat-form-field class="registrarDetails__input">
         <mat-label>Registry Lock:</mat-label>
         <mat-select
@@ -32,7 +32,7 @@
         />
       </mat-form-field>
       <mat-dialog-actions>
-        <button mat-button (click)="onCancel($event)">Cancel</button>
+        <button mat-button (click)="this.params?.close()">Cancel</button>
         <button type="submit" mat-button color="primary">Save</button>
       </mat-dialog-actions>
     </form>

console-webapp/src/app/registrar/registrarDetails.component.ts

@@ -12,61 +12,38 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component, Injector } from '@angular/core';
+import { Component } from '@angular/core';
 import { Registrar, RegistrarService } from './registrar.service';
-import { BreakpointObserver } from '@angular/cdk/layout';
-import {
-  MAT_BOTTOM_SHEET_DATA,
-  MatBottomSheet,
-  MatBottomSheetRef,
-} from '@angular/material/bottom-sheet';
-import {
-  MAT_DIALOG_DATA,
-  MatDialog,
-  MatDialogRef,
-} from '@angular/material/dialog';
 import { MatChipInputEvent } from '@angular/material/chips';
+import { DialogBottomSheetContent } from '../shared/components/dialogBottomSheet.component';
 
-const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
+type RegistrarDetailsParams = {
+  close: Function;
+  data: {
+    registrar: Registrar;
+  };
+};
 
 @Component({
   selector: 'app-registrar-details',
   templateUrl: './registrarDetails.component.html',
   styleUrls: ['./registrarDetails.component.scss'],
 })
-export class RegistrarDetailsComponent {
+export class RegistrarDetailsComponent implements DialogBottomSheetContent {
   registrarInEdit!: Registrar;
-  private elementRef:
-    | MatBottomSheetRef<RegistrarDetailsComponent>
-    | MatDialogRef<RegistrarDetailsComponent>;
+  params?: RegistrarDetailsParams;
 
-  constructor(
-    protected registrarService: RegistrarService,
-    private injector: Injector
-  ) {
-    // We only inject one, either Dialog or Bottom Sheet data
-    // so one of the injectors is expected to fail
-    try {
-      var params = this.injector.get(MAT_DIALOG_DATA);
-      this.elementRef = this.injector.get(MatDialogRef);
-    } catch (e) {
-      var params = this.injector.get(MAT_BOTTOM_SHEET_DATA);
-      this.elementRef = this.injector.get(MatBottomSheetRef);
-    }
-    this.registrarInEdit = JSON.parse(JSON.stringify(params.registrar));
+  constructor(protected registrarService: RegistrarService) {}
+
+  init(params: RegistrarDetailsParams) {
+    this.params = params;
+    this.registrarInEdit = JSON.parse(
+      JSON.stringify(this.params.data.registrar)
+    );
   }
 
-  onCancel(e: MouseEvent) {
-    if (this.elementRef instanceof MatBottomSheetRef) {
-      this.elementRef.dismiss();
-    } else if (this.elementRef instanceof MatDialogRef) {
-      this.elementRef.close();
-    }
-  }
-
-  saveAndClose(e: MouseEvent) {
-    // TODO: Implement save call to API
-    this.onCancel(e);
+  saveAndClose() {
+    this.params?.close();
   }
 
   addTLD(e: MatChipInputEvent) {
@@ -82,24 +59,3 @@ export class RegistrarDetailsComponent {
     );
   }
 }
-
-@Component({
-  selector: 'app-registrar-details-wrapper',
-  template: '',
-})
-export class RegistrarDetailsWrapperComponent {
-  constructor(
-    private dialog: MatDialog,
-    private bottomSheet: MatBottomSheet,
-    protected breakpointObserver: BreakpointObserver
-  ) {}
-
-  open(registrar: Registrar) {
-    const config = { data: { registrar } };
-    if (this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT)) {
-      this.bottomSheet.open(RegistrarDetailsComponent, config);
-    } else {
-      this.dialog.open(RegistrarDetailsComponent, config);
-    }
-  }
-}

console-webapp/src/app/registrar/registrarSelector.component.spec.ts

@@ -14,7 +14,7 @@
 
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 
-import { RegistrarSelectorComponent } from './registrar-selector.component';
+import { RegistrarSelectorComponent } from './registrarSelector.component';
 
 describe('RegistrarSelectorComponent', () => {
   let component: RegistrarSelectorComponent;

console-webapp/src/app/registrar/registrarSelector.component.ts

@@ -21,8 +21,8 @@ const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
 
 @Component({
   selector: 'app-registrar-selector',
-  templateUrl: './registrar-selector.component.html',
-  styleUrls: ['./registrar-selector.component.scss'],
+  templateUrl: './registrarSelector.component.html',
+  styleUrls: ['./registrarSelector.component.scss'],
 })
 export class RegistrarSelectorComponent implements OnInit {
   protected isMobile: boolean = false;

console-webapp/src/app/registrar/registrarsTable.component.html

@@ -48,7 +48,7 @@
     [pageSizeOptions]="[5, 10, 20]"
     showFirstLastButtons
   ></mat-paginator>
-  <app-registrar-details-wrapper
+  <app-dialog-bottom-sheet-wrapper
     #registrarDetailsView
-  ></app-registrar-details-wrapper>
+  ></app-dialog-bottom-sheet-wrapper>
 </div>

console-webapp/src/app/registrar/registrarsTable.component.ts

@@ -17,7 +17,8 @@ import { Registrar, RegistrarService } from './registrar.service';
 import { MatPaginator } from '@angular/material/paginator';
 import { MatSort } from '@angular/material/sort';
 import { MatTableDataSource } from '@angular/material/table';
-import { RegistrarDetailsWrapperComponent } from './registrarDetails.component';
+import { RegistrarDetailsComponent } from './registrarDetails.component';
+import { DialogBottomSheetWrapper } from '../shared/components/dialogBottomSheet.component';
 
 @Component({
   selector: 'app-registrar',
@@ -82,7 +83,7 @@ export class RegistrarComponent {
   @ViewChild(MatPaginator) paginator!: MatPaginator;
   @ViewChild(MatSort) sort!: MatSort;
   @ViewChild('registrarDetailsView')
-  detailsComponentWrapper!: RegistrarDetailsWrapperComponent;
+  detailsComponentWrapper!: DialogBottomSheetWrapper;
 
   constructor(protected registrarService: RegistrarService) {
     this.dataSource = new MatTableDataSource<Registrar>(
@@ -97,7 +98,10 @@ export class RegistrarComponent {
 
   openDetails(event: MouseEvent, registrar: Registrar) {
     event.stopPropagation();
-    this.detailsComponentWrapper.open(registrar);
+    this.detailsComponentWrapper.open<RegistrarDetailsComponent>(
+      RegistrarDetailsComponent,
+      { registrar }
+    );
   }
 
   applyFilter(event: Event) {

console-webapp/src/app/settings/contact/contact.component.html

@@ -41,4 +41,7 @@
       <mat-icon>add</mat-icon>Create a Contact
     </button>
   </div>
+  <app-dialog-bottom-sheet-wrapper
+    #contactDetailsWrapper
+  ></app-dialog-bottom-sheet-wrapper>
 </div>

console-webapp/src/app/settings/contact/contact.component.ts

@@ -12,21 +12,14 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component, Inject } from '@angular/core';
-import {
-  MatDialog,
-  MAT_DIALOG_DATA,
-  MatDialogRef,
-} from '@angular/material/dialog';
-import {
-  MatBottomSheet,
-  MAT_BOTTOM_SHEET_DATA,
-  MatBottomSheetRef,
-} from '@angular/material/bottom-sheet';
+import { Component, ViewChild } from '@angular/core';
 import { Contact, ContactService } from './contact.service';
-import { BreakpointObserver } from '@angular/cdk/layout';
 import { HttpErrorResponse } from '@angular/common/http';
 import { MatSnackBar } from '@angular/material/snack-bar';
+import {
+  DialogBottomSheetContent,
+  DialogBottomSheetWrapper,
+} from 'src/app/shared/components/dialogBottomSheet.component';
 
 enum Operations {
   DELETE,
@@ -40,7 +33,13 @@ interface GroupedContacts {
   contacts: Array<Contact>;
 }
 
-let isMobile: boolean;
+type ContactDetailsParams = {
+  close: Function;
+  data: {
+    contact: Contact;
+    operation: Operations;
+  };
+};
 
 const contactTypes: Array<GroupedContacts> = [
   { value: 'ADMIN', label: 'Primary contact', contacts: [] },
@@ -52,72 +51,46 @@ const contactTypes: Array<GroupedContacts> = [
   { value: 'WHOIS', label: 'WHOIS-Inquiry contact', contacts: [] },
 ];
 
-class ContactDetailsEventsResponder {
-  private ref?: MatDialogRef<any> | MatBottomSheetRef;
-  constructor() {
-    this.onClose = this.onClose.bind(this);
-  }
-
-  setRef(ref: MatDialogRef<any> | MatBottomSheetRef) {
-    this.ref = ref;
-  }
-
-  onClose() {
-    if (this.ref == undefined) {
-      throw "Reference to ContactDetailsDialogComponent hasn't been set. ";
-    }
-    if (this.ref instanceof MatBottomSheetRef) {
-      this.ref.dismiss();
-    } else if (this.ref instanceof MatDialogRef) {
-      this.ref.close();
-    }
-  }
-}
-
 @Component({
   selector: 'app-contact-details-dialog',
-  templateUrl: 'contact-details.component.html',
+  templateUrl: 'contactDetails.component.html',
   styleUrls: ['./contact.component.scss'],
 })
-export class ContactDetailsDialogComponent {
-  contact: Contact;
+export class ContactDetailsDialogComponent implements DialogBottomSheetContent {
+  contact?: Contact;
   contactTypes = contactTypes;
-  operation: Operations;
-  contactIndex: number;
-  onCloseCallback: Function;
+  contactIndex?: number;
+
+  params?: ContactDetailsParams;
 
   constructor(
     public contactService: ContactService,
-    private _snackBar: MatSnackBar,
-    @Inject(isMobile ? MAT_BOTTOM_SHEET_DATA : MAT_DIALOG_DATA)
-    public data: {
-      onClose: Function;
-      contact: Contact;
-      operation: Operations;
-    }
-  ) {
-    this.onCloseCallback = data.onClose;
-    this.contactIndex = contactService.contacts.findIndex(
-      (c) => c === data.contact
+    private _snackBar: MatSnackBar
+  ) {}
+
+  init(params: ContactDetailsParams) {
+    this.params = params;
+    this.contactIndex = this.contactService.contacts.findIndex(
+      (c) => c === params.data.contact
     );
-    this.contact = JSON.parse(JSON.stringify(data.contact));
-    this.operation = data.operation;
+    this.contact = JSON.parse(JSON.stringify(params.data.contact));
   }
 
-  onClose(e: MouseEvent) {
-    e.preventDefault();
-    this.onCloseCallback.call(this);
+  close() {
+    this.params?.close();
   }
 
   saveAndClose(e: SubmitEvent) {
     e.preventDefault();
+    if (!this.contact || this.contactIndex === undefined) return;
     if (!(e.target as HTMLFormElement).checkValidity()) {
       return;
     }
+    const operation = this.params?.data.operation;
     let operationObservable;
-    if (this.operation === Operations.ADD) {
+    if (operation === Operations.ADD) {
       operationObservable = this.contactService.addContact(this.contact);
-    } else if (this.operation === Operations.UPDATE) {
+    } else if (operation === Operations.UPDATE) {
       operationObservable = this.contactService.updateContact(
         this.contactIndex,
         this.contact
@@ -127,7 +100,7 @@ export class ContactDetailsDialogComponent {
     }
 
     operationObservable.subscribe({
-      complete: this.onCloseCallback.bind(this),
+      complete: () => this.close(),
       error: (err: HttpErrorResponse) => {
         this._snackBar.open(err.error);
       },
@@ -143,11 +116,11 @@ export class ContactDetailsDialogComponent {
 export default class ContactComponent {
   public static PATH = 'contact';
 
+  @ViewChild('contactDetailsWrapper')
+  detailsComponentWrapper!: DialogBottomSheetWrapper;
+
   loading: boolean = false;
   constructor(
-    private dialog: MatDialog,
-    private bottomSheet: MatBottomSheet,
-    private breakpointObserver: BreakpointObserver,
     public contactService: ContactService,
     private _snackBar: MatSnackBar
   ) {
@@ -195,20 +168,9 @@ export default class ContactComponent {
     operation: Operations = Operations.UPDATE
   ) {
     e.preventDefault();
-    // TODO: handle orientation change
-    isMobile = this.breakpointObserver.isMatched('(max-width: 599px)');
-    const responder = new ContactDetailsEventsResponder();
-    const config = { data: { onClose: responder.onClose, contact, operation } };
-
-    if (isMobile) {
-      const bottomSheetRef = this.bottomSheet.open(
-        ContactDetailsDialogComponent,
-        config
-      );
-      responder.setRef(bottomSheetRef);
-    } else {
-      const dialogRef = this.dialog.open(ContactDetailsDialogComponent, config);
-      responder.setRef(dialogRef);
-    }
+    this.detailsComponentWrapper.open<ContactDetailsDialogComponent>(
+      ContactDetailsDialogComponent,
+      { contact, operation }
+    );
   }
 }

console-webapp/src/app/settings/contact/contact.service.ts

@@ -45,7 +45,7 @@ export class ContactService {
     return this.backend
       .getContacts(this.registrarService.activeRegistrarId)
       .pipe(
-        tap((contacts) => {
+        tap((contacts = []) => {
           this.contacts = contacts;
         })
       );

console-webapp/src/app/settings/contact/contactDetails.component.html

@@ -1,5 +1,5 @@
 <h3 mat-dialog-title>Contact details</h3>
-<div mat-dialog-content>
+<div mat-dialog-content *ngIf="contact">
   <form (ngSubmit)="saveAndClose($event)">
     <p>
       <mat-form-field class="contact-details__input">
@@ -97,7 +97,7 @@
       >
     </section>
     <mat-dialog-actions>
-      <button mat-button (click)="onClose($event)">Cancel</button>
+      <button mat-button (click)="close()">Cancel</button>
       <button type="submit" mat-button>Save</button>
     </mat-dialog-actions>
   </form>

console-webapp/src/app/shared/components/dialogBottomSheet.component.ts

@@ -0,0 +1,69 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { BreakpointObserver } from '@angular/cdk/layout';
+import { ComponentType } from '@angular/cdk/portal';
+import { Component } from '@angular/core';
+import {
+  MatBottomSheet,
+  MatBottomSheetRef,
+} from '@angular/material/bottom-sheet';
+import { MatDialog, MatDialogRef } from '@angular/material/dialog';
+
+const MOBILE_LAYOUT_BREAKPOINT = '(max-width: 599px)';
+
+export interface DialogBottomSheetContent {
+  init(data: Object): void;
+}
+
+/**
+ * Wraps up a child component in an Angular Material Dalog for desktop or a Bottom Sheet
+ * component for mobile depending on a screen resolution, with Breaking Point being 599px.
+ * Child component is required to implement @see DialogBottomSheetContent interface
+ */
+@Component({
+  selector: 'app-dialog-bottom-sheet-wrapper',
+  template: '',
+})
+export class DialogBottomSheetWrapper {
+  private elementRef?: MatBottomSheetRef | MatDialogRef<any>;
+
+  constructor(
+    private dialog: MatDialog,
+    private bottomSheet: MatBottomSheet,
+    protected breakpointObserver: BreakpointObserver
+  ) {}
+
+  open<T extends DialogBottomSheetContent>(
+    component: ComponentType<T>,
+    data: any
+  ) {
+    const config = { data, close: () => this.close() };
+    if (this.breakpointObserver.isMatched(MOBILE_LAYOUT_BREAKPOINT)) {
+      this.elementRef = this.bottomSheet.open(component);
+      this.elementRef.instance.init(config);
+    } else {
+      this.elementRef = this.dialog.open(component);
+      this.elementRef.componentInstance.init(config);
+    }
+  }
+
+  close() {
+    if (this.elementRef instanceof MatBottomSheetRef) {
+      this.elementRef.dismiss();
+    } else if (this.elementRef instanceof MatDialogRef) {
+      this.elementRef.close();
+    }
+  }
+}

console-webapp/src/app/shared/services/backend.service.ts

@@ -21,6 +21,7 @@ import { Contact } from '../../settings/contact/contact.service';
 import { Registrar } from '../../registrar/registrar.service';
 import { UserData } from './userData.service';
 import { WhoisRegistrarFields } from 'src/app/settings/whois/whois.service';
+import { DomainListResult } from 'src/app/domains/domainList.service';
 
 @Injectable()
 export class BackendService {
@@ -63,6 +64,35 @@ export class BackendService {
     );
   }
 
+  getDomains(
+    registrarId: string,
+    checkpointTime?: string,
+    pageNumber?: number,
+    resultsPerPage?: number,
+    totalResults?: number,
+    searchTerm?: string
+  ): Observable<DomainListResult> {
+    var url = `/console-api/domain-list?registrarId=${registrarId}`;
+    if (checkpointTime) {
+      url += `&checkpointTime=${checkpointTime}`;
+    }
+    if (pageNumber) {
+      url += `&pageNumber=${pageNumber}`;
+    }
+    if (resultsPerPage) {
+      url += `&resultsPerPage=${resultsPerPage}`;
+    }
+    if (totalResults) {
+      url += `&totalResults=${totalResults}`;
+    }
+    if (searchTerm) {
+      url += `&searchTerm=${searchTerm}`;
+    }
+    return this.http
+      .get<DomainListResult>(url)
+      .pipe(catchError((err) => this.errorCatcher<DomainListResult>(err)));
+  }
+
   getRegistrars(): Observable<Registrar[]> {
     return this.http
       .get<Registrar[]>('/console-api/registrars')

console-webapp/src/styles.scss

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 @use "@angular/material" as mat;
-@import "app/registrar/registrar-selector.component.scss";
+@import "app/registrar/registrarSelector.component.scss";
 
 html,
 body {

core/src/main/java/google/registry/bsa/BlockList.java

@@ -12,12 +12,10 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { Component } from '@angular/core';
+package google.registry.bsa;
 
-@Component({
-  selector: '[app-domains-widget]',
-  templateUrl: './domains-widget.component.html',
-})
-export class DomainsWidgetComponent {
-  constructor() {}
+/** Identifiers of the BSA lists with blocking labels. */
+public enum BlockList {
+  BLOCK,
+  BLOCK_PLUS;
 }

core/src/main/java/google/registry/bsa/DownloadStage.java

@@ -0,0 +1,46 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+/** The processing stages of a download. */
+public enum DownloadStage {
+  /** Downloads BSA block list files. */
+  DOWNLOAD,
+  /** Generates block list diffs with the previous download. */
+  MAKE_DIFF,
+  /** Applies the label diffs to the database tables. */
+  APPLY_DIFF,
+  /**
+   * Makes a REST API call to BSA endpoint, declaring that processing starts for new orders in the
+   * diffs.
+   */
+  START_UPLOADING,
+  /** Makes a REST API call to BSA endpoint, sending the domains that cannot be blocked. */
+  UPLOAD_DOMAINS_IN_USE,
+  /** Makes a REST API call to BSA endpoint, declaring the completion of order processing. */
+  FINISH_UPLOADING,
+  /** The terminal stage after processing succeeds. */
+  DONE,
+  /**
+   * The terminal stage indicating that the downloads are discarded because their checksums are the
+   * same as that of the previous download.
+   */
+  NOP,
+  /**
+   * The terminal stage indicating that the downloads are not processed because their BSA-generated
+   * checksums do not match those calculated by us.
+   */
+  CHECKSUMS_NOT_MATCH;
+}

core/src/main/java/google/registry/bsa/IdnChecker.java

@@ -0,0 +1,95 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static com.google.common.collect.Maps.transformValues;
+import static google.registry.model.tld.Tld.isEnrolledWithBsa;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableMultimap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.collect.Sets.SetView;
+import google.registry.model.tld.Tld;
+import google.registry.model.tld.Tld.TldType;
+import google.registry.model.tld.Tlds;
+import google.registry.tldconfig.idn.IdnLabelValidator;
+import google.registry.tldconfig.idn.IdnTableEnum;
+import google.registry.util.Clock;
+import javax.inject.Inject;
+import org.joda.time.DateTime;
+
+/**
+ * Checks labels' validity wrt Idns in TLDs enrolled with BSA.
+ *
+ * <p>Each instance takes a snapshot of the TLDs at instantiation time, and should be limited to the
+ * Request scope.
+ */
+public class IdnChecker {
+  private static final IdnLabelValidator IDN_LABEL_VALIDATOR = new IdnLabelValidator();
+
+  private final ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> idnToTlds;
+  private final ImmutableSet<Tld> allTlds;
+
+  @Inject
+  IdnChecker(Clock clock) {
+    this.idnToTlds = getIdnToTldMap(clock.nowUtc());
+    allTlds = idnToTlds.values().stream().flatMap(ImmutableSet::stream).collect(toImmutableSet());
+  }
+
+  /** Returns all IDNs in which the {@code label} is valid. */
+  ImmutableSet<IdnTableEnum> getAllValidIdns(String label) {
+    return idnToTlds.keySet().stream()
+        .filter(idnTable -> idnTable.getTable().isValidLabel(label))
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns the TLDs that support at least one IDN in the {@code idnTables}.
+   *
+   * @param idnTables String names of {@link IdnTableEnum} values
+   */
+  public ImmutableSet<Tld> getSupportingTlds(ImmutableSet<String> idnTables) {
+    return idnTables.stream()
+        .map(IdnTableEnum::valueOf)
+        .filter(idnToTlds::containsKey)
+        .map(idnToTlds::get)
+        .flatMap(ImmutableSet::stream)
+        .collect(toImmutableSet());
+  }
+
+  /**
+   * Returns the TLDs that do not support any IDN in the {@code idnTables}.
+   *
+   * @param idnTables String names of {@link IdnTableEnum} values
+   */
+  public SetView<Tld> getForbiddingTlds(ImmutableSet<String> idnTables) {
+    return Sets.difference(allTlds, getSupportingTlds(idnTables));
+  }
+
+  private static ImmutableMap<IdnTableEnum, ImmutableSet<Tld>> getIdnToTldMap(DateTime now) {
+    ImmutableMultimap.Builder<IdnTableEnum, Tld> idnToTldMap = new ImmutableMultimap.Builder();
+    Tlds.getTldEntitiesOfType(TldType.REAL).stream()
+        .filter(tld -> isEnrolledWithBsa(tld, now))
+        .forEach(
+            tld -> {
+              for (IdnTableEnum idn : IDN_LABEL_VALIDATOR.getIdnTablesForTld(tld)) {
+                idnToTldMap.put(idn, tld);
+              }
+            });
+    return ImmutableMap.copyOf(transformValues(idnToTldMap.build().asMap(), ImmutableSet::copyOf));
+  }
+}

core/src/main/java/google/registry/bsa/PlaceholderAction.java

@@ -0,0 +1,45 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa;
+
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import google.registry.request.Action;
+import google.registry.request.Action.Service;
+import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import javax.inject.Inject;
+
+@Action(
+    service = Service.BSA,
+    path = PlaceholderAction.PATH,
+    method = Action.Method.GET,
+    auth = Auth.AUTH_API_ADMIN)
+public class PlaceholderAction implements Runnable {
+  private final Response response;
+
+  static final String PATH = "/_dr/task/bsaDownload";
+
+  @Inject
+  public PlaceholderAction(Response response) {
+    this.response = response;
+  }
+
+  @Override
+  public void run() {
+    response.setStatus(SC_OK);
+    response.setPayload("Hello World");
+  }
+}

core/src/main/java/google/registry/bsa/persistence/BsaDomainInUse.java

@@ -0,0 +1,102 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.common.base.Objects;
+import google.registry.bsa.persistence.BsaDomainInUse.BsaDomainInUseId;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.persistence.VKey;
+import java.io.Serializable;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.Id;
+import javax.persistence.IdClass;
+
+/** A domain matching a BSA label but is in use (registered or reserved), so cannot be blocked. */
+@Entity
+@IdClass(BsaDomainInUseId.class)
+public class BsaDomainInUse {
+  @Id String label;
+  @Id String tld;
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  Reason reason;
+
+  /**
+   * Creation time of this record, which is the most recent time when the domain was detected to be
+   * in use wrt BSA. It may be during the processing of a download, or during some other job that
+   * refreshes the state.
+   *
+   * <p>This field is for information only.
+   */
+  @SuppressWarnings("unused")
+  @Column(nullable = false)
+  CreateAutoTimestamp createTime = CreateAutoTimestamp.create(null);
+
+  // For Hibernate
+  BsaDomainInUse() {}
+
+  public BsaDomainInUse(String label, String tld, Reason reason) {
+    this.label = label;
+    this.tld = tld;
+    this.reason = reason;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDomainInUse)) {
+      return false;
+    }
+    BsaDomainInUse that = (BsaDomainInUse) o;
+    return Objects.equal(label, that.label)
+        && Objects.equal(tld, that.tld)
+        && reason == that.reason
+        && Objects.equal(createTime, that.createTime);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(label, tld, reason, createTime);
+  }
+
+  enum Reason {
+    REGISTERED,
+    RESERVED;
+  }
+
+  static class BsaDomainInUseId implements Serializable {
+
+    private String label;
+    private String tld;
+
+    // For Hibernate
+    BsaDomainInUseId() {}
+
+    BsaDomainInUseId(String label, String tld) {
+      this.label = label;
+      this.tld = tld;
+    }
+  }
+
+  static VKey<BsaDomainInUse> vKey(String label, String tld) {
+    return VKey.create(BsaDomainInUse.class, new BsaDomainInUseId(label, tld));
+  }
+}

core/src/main/java/google/registry/bsa/persistence/BsaDownload.java

@@ -0,0 +1,131 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.collect.ImmutableMap.toImmutableMap;
+import static google.registry.bsa.DownloadStage.DOWNLOAD;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Objects;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSortedMap;
+import google.registry.bsa.BlockList;
+import google.registry.bsa.DownloadStage;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.UpdateAutoTimestamp;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Index;
+import javax.persistence.Table;
+import org.joda.time.DateTime;
+
+/** Records of ongoing and completed download jobs. */
+@Entity
+@Table(indexes = {@Index(columnList = "creationTime")})
+public class BsaDownload {
+
+  private static final Joiner CSV_JOINER = Joiner.on(',');
+  private static final Splitter CSV_SPLITTER = Splitter.on(',');
+
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  Long jobId;
+
+  @Column(nullable = false)
+  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  UpdateAutoTimestamp updateTime = UpdateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  String blockListChecksums = "";
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  DownloadStage stage = DOWNLOAD;
+
+  BsaDownload() {}
+
+  long getJobId() {
+    return jobId;
+  }
+
+  DateTime getCreationTime() {
+    return creationTime.getTimestamp();
+  }
+
+  /**
+   * Returns the starting time of this job as a string, which can be used as folder name on GCS when
+   * storing download data.
+   */
+  public String getJobName() {
+    return getCreationTime().toString();
+  }
+
+  public DownloadStage getStage() {
+    return this.stage;
+  }
+
+  BsaDownload setStage(DownloadStage stage) {
+    this.stage = stage;
+    return this;
+  }
+
+  BsaDownload setChecksums(ImmutableMap<BlockList, String> checksums) {
+    blockListChecksums =
+        CSV_JOINER.withKeyValueSeparator("=").join(ImmutableSortedMap.copyOf(checksums));
+    return this;
+  }
+
+  ImmutableMap<BlockList, String> getChecksums() {
+    if (blockListChecksums.isEmpty()) {
+      return ImmutableMap.of();
+    }
+    return CSV_SPLITTER.withKeyValueSeparator('=').split(blockListChecksums).entrySet().stream()
+        .collect(
+            toImmutableMap(entry -> BlockList.valueOf(entry.getKey()), entry -> entry.getValue()));
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaDownload)) {
+      return false;
+    }
+    BsaDownload that = (BsaDownload) o;
+    return Objects.equal(creationTime, that.creationTime)
+        && Objects.equal(updateTime, that.updateTime)
+        && Objects.equal(blockListChecksums, that.blockListChecksums)
+        && stage == that.stage;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(creationTime, updateTime, blockListChecksums, stage);
+  }
+
+  static VKey<BsaDownload> vKey(long jobId) {
+    return VKey.create(BsaDownload.class, Long.valueOf(jobId));
+  }
+}

core/src/main/java/google/registry/bsa/persistence/BsaLabel.java

@@ -0,0 +1,79 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.common.base.Objects;
+import google.registry.persistence.VKey;
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import org.joda.time.DateTime;
+
+/**
+ * Specifies a second-level TLD name that should be blocked from registration in all TLDs except by
+ * the label's owner.
+ *
+ * <p>The label is valid (wrt IDN) in at least one TLD.
+ */
+@Entity
+public final class BsaLabel {
+
+  @Id String label;
+
+  /**
+   * Creation time of this label. This field is for human use, and should give the name of the GCS
+   * folder that contains the downloaded BSA data.
+   *
+   * <p>See {@link BsaDownload#getCreationTime} and {@link BsaDownload#getJobName} for more
+   * information.
+   */
+  @SuppressWarnings("unused")
+  @Column(nullable = false)
+  DateTime creationTime;
+
+  // For Hibernate.
+  BsaLabel() {}
+
+  BsaLabel(String label, DateTime creationTime) {
+    this.label = label;
+    this.creationTime = creationTime;
+  }
+
+  /** Returns the label to be blocked. */
+  public String getLabel() {
+    return label;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof BsaLabel)) {
+      return false;
+    }
+    BsaLabel label1 = (BsaLabel) o;
+    return Objects.equal(label, label1.label) && Objects.equal(creationTime, label1.creationTime);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hashCode(label, creationTime);
+  }
+
+  static VKey<BsaLabel> vKey(String label) {
+    return VKey.create(BsaLabel.class, label);
+  }
+}

core/src/main/java/google/registry/bsa/persistence/DownloadSchedule.java

@@ -0,0 +1,73 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableMap;
+import google.registry.bsa.BlockList;
+import google.registry.bsa.DownloadStage;
+import java.util.Optional;
+
+/** Information needed when handling a download from BSA. */
+@AutoValue
+public abstract class DownloadSchedule {
+
+  abstract long jobId();
+
+  public abstract String jobName();
+
+  public abstract DownloadStage stage();
+
+  /** The most recent job that ended in the {@code DONE} stage. */
+  public abstract Optional<CompletedJob> latestCompleted();
+
+  /**
+   * Returns true if download should be processed even if the checksums show that it has not changed
+   * from the previous one.
+   */
+  abstract boolean alwaysDownload();
+
+  static DownloadSchedule of(BsaDownload currentJob) {
+    return new AutoValue_DownloadSchedule(
+        currentJob.getJobId(),
+        currentJob.getJobName(),
+        currentJob.getStage(),
+        Optional.empty(),
+        /* alwaysDownload= */ true);
+  }
+
+  static DownloadSchedule of(
+      BsaDownload currentJob, CompletedJob latestCompleted, boolean alwaysDownload) {
+    return new AutoValue_DownloadSchedule(
+        currentJob.getJobId(),
+        currentJob.getJobName(),
+        currentJob.getStage(),
+        Optional.of(latestCompleted),
+        /* alwaysDownload= */ alwaysDownload);
+  }
+
+  /** Information about a completed BSA download job. */
+  @AutoValue
+  public abstract static class CompletedJob {
+    public abstract String jobName();
+
+    public abstract ImmutableMap<BlockList, String> checksums();
+
+    static CompletedJob of(BsaDownload completedJob) {
+      return new AutoValue_DownloadSchedule_CompletedJob(
+          completedJob.getJobName(), completedJob.getChecksums());
+    }
+  }
+}

core/src/main/java/google/registry/bsa/persistence/DownloadScheduler.java

@@ -0,0 +1,131 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.bsa.persistence;
+
+import static com.google.common.base.Verify.verify;
+import static google.registry.bsa.DownloadStage.CHECKSUMS_NOT_MATCH;
+import static google.registry.bsa.DownloadStage.DONE;
+import static google.registry.bsa.DownloadStage.NOP;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static org.joda.time.Duration.standardSeconds;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableList;
+import google.registry.bsa.persistence.DownloadSchedule.CompletedJob;
+import google.registry.util.Clock;
+import java.util.Optional;
+import javax.inject.Inject;
+import org.joda.time.Duration;
+
+/**
+ * Assigns work for each cron invocation of the BSA Download job.
+ *
+ * <p>The download job is invoked at a divisible fraction of the desired data freshness to
+ * accommodate potential retries. E.g., for 30-minute data freshness with up to two retries on
+ * error, the cron schedule for the job should be set to 10 minutes.
+ *
+ * <p>The processing of each BSA download progresses through multiple stages as described in {@code
+ * DownloadStage} until it reaches one of the terminal stages. Each stage is check-pointed on
+ * completion, therefore if an invocation fails mid-process, the next invocation will skip the
+ * completed stages. No new downloads will start as long as the most recent one is still being
+ * processed.
+ *
+ * <p>When a new download is scheduled, the block list checksums from the most recent completed job
+ * is included. If the new checksums match the previous ones, the download may be skipped and the
+ * job should terminate in the {@code NOP} stage. However, if the checksums have stayed unchanged
+ * for longer than the user-provided {@code maxNopInterval}, the download will be processed.
+ *
+ * <p>The BSA downloads contains server-provided checksums. If they do not match the checksums
+ * generated on Nomulus' side, the download is skipped and the job should terminate in the {@code
+ * CHECKSUMS_NOT_MATCH} stage.
+ */
+public final class DownloadScheduler {
+
+  /** Allows a new download to proceed if the cron job fires a little early due to NTP drift. */
+  private static final Duration CRON_JITTER = standardSeconds(5);
+
+  private final Duration downloadInterval;
+  private final Duration maxNopInterval;
+  private final Clock clock;
+
+  @Inject
+  DownloadScheduler(Duration downloadInterval, Duration maxNopInterval, Clock clock) {
+    this.downloadInterval = downloadInterval;
+    this.maxNopInterval = maxNopInterval;
+    this.clock = clock;
+  }
+
+  /**
+   * Returns a {@link DownloadSchedule} instance that describes the work to be performed by an
+   * invocation of the download action, if applicable; or {@link Optional#empty} when there is
+   * nothing to do.
+   */
+  public Optional<DownloadSchedule> schedule() {
+    return tm().transact(
+            () -> {
+              ImmutableList<BsaDownload> recentJobs = loadRecentProcessedJobs();
+              if (recentJobs.isEmpty()) {
+                // No jobs initiated ever.
+                return Optional.of(scheduleNewJob(Optional.empty()));
+              }
+              BsaDownload mostRecent = recentJobs.get(0);
+              if (mostRecent.getStage().equals(DONE)) {
+                return isTimeAgain(mostRecent, downloadInterval)
+                    ? Optional.of(scheduleNewJob(Optional.of(mostRecent)))
+                    : Optional.empty();
+              } else if (recentJobs.size() == 1) {
+                // First job ever, still in progress
+                return Optional.of(DownloadSchedule.of(recentJobs.get(0)));
+              } else {
+                // Job in progress, with completed previous jobs.
+                BsaDownload prev = recentJobs.get(1);
+                verify(prev.getStage().equals(DONE), "Unexpectedly found two ongoing jobs.");
+                return Optional.of(
+                    DownloadSchedule.of(
+                        mostRecent,
+                        CompletedJob.of(prev),
+                        isTimeAgain(mostRecent, maxNopInterval)));
+              }
+            });
+  }
+
+  private boolean isTimeAgain(BsaDownload mostRecent, Duration interval) {
+    return mostRecent.getCreationTime().plus(interval).minus(CRON_JITTER).isBefore(clock.nowUtc());
+  }
+
+  /**
+   * Adds a new {@link BsaDownload} to the database and returns a {@link DownloadSchedule} for it.
+   */
+  private DownloadSchedule scheduleNewJob(Optional<BsaDownload> prevJob) {
+    BsaDownload job = new BsaDownload();
+    tm().insert(job);
+    return prevJob
+        .map(
+            prev ->
+                DownloadSchedule.of(job, CompletedJob.of(prev), isTimeAgain(prev, maxNopInterval)))
+        .orElseGet(() -> DownloadSchedule.of(job));
+  }
+
+  @VisibleForTesting
+  ImmutableList<BsaDownload> loadRecentProcessedJobs() {
+    return ImmutableList.copyOf(
+        tm().getEntityManager()
+            .createQuery(
+                "FROM BsaDownload WHERE stage NOT IN :nop_stages ORDER BY creationTime DESC")
+            .setParameter("nop_stages", ImmutableList.of(CHECKSUMS_NOT_MATCH, NOP))
+            .setMaxResults(2)
+            .getResultList());
+  }
+}

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -1397,6 +1397,47 @@ public final class RegistryConfig {
       return config.bulkPricingPackageMonitoring.bulkPricingPackageDomainLimitUpgradeEmailBody;
     }
 
+    @Provides
+    @Config("bsaGcsBucket")
+    public static String provideBsaGcsBucket(@Config("projectId") String projectId) {
+      return projectId + "-bsa";
+    }
+
+    @Provides
+    @Config("bsaChecksumAlgorithm")
+    public static String provideBsaChecksumAlgorithm(RegistryConfigSettings config) {
+      return config.bsa.bsaChecksumAlgorithm;
+    }
+
+    @Provides
+    @Config("bsaLockLeaseExpiry")
+    public static Duration provideBsaLockLeaseExpiry(RegistryConfigSettings config) {
+      return Duration.standardMinutes(config.bsa.bsaLockLeaseExpiryMinutes);
+    }
+
+    /** Returns the desired interval between successive BSA downloads. */
+    @Provides
+    @Config("bsaDownloadInterval")
+    public static Duration provideBsaDownloadInterval(RegistryConfigSettings config) {
+      return Duration.standardMinutes(config.bsa.bsaDownloadIntervalMinutes);
+    }
+
+    /**
+     * Returns the maximum period when a BSA download can be skipped due to the checksum-based
+     * equality check with the previous download.
+     */
+    @Provides
+    @Config("bsaMaxNopInterval")
+    public static Duration provideBsaMaxNopInterval(RegistryConfigSettings config) {
+      return Duration.standardHours(config.bsa.bsaMaxNopIntervalHours);
+    }
+
+    @Provides
+    @Config("bsaLabelTxnBatchSize")
+    public static int provideBsaLabelTxnBatchSize(RegistryConfigSettings config) {
+      return config.bsa.bsaLabelTxnBatchSize;
+    }
+
     @Provides
     @Config("bsaAuthUrl")
     public static String provideBsaAuthUrl(RegistryConfigSettings config) {
@@ -1415,6 +1456,27 @@ public final class RegistryConfig {
       return ImmutableMap.copyOf(config.bsa.dataUrls);
     }
 
+    /** Provides the BSA Http endpoint for reporting order processing status. */
+    @Provides
+    @Config("bsaOrderStatusUrl")
+    public static String provideBsaOrderStatusUrls(RegistryConfigSettings config) {
+      return config.bsa.orderStatusUrl;
+    }
+
+    /** Provides the BSA Http endpoint for reporting new unblockable domains. */
+    @Provides
+    @Config("bsaAddUnblockableDomainsUrl")
+    public static String provideBsaAddUnblockableDomainsUrls(RegistryConfigSettings config) {
+      return String.format("%s?%s", config.bsa.unblockableDomainsUrl, "action=add");
+    }
+
+    /** Provides the BSA Http endpoint for reporting domains that have become blockable. */
+    @Provides
+    @Config("bsaRemoveUnblockableDomainsUrl")
+    public static String provideBsaRemoveUnblockableDomainsUrls(RegistryConfigSettings config) {
+      return String.format("%s?%s", config.bsa.unblockableDomainsUrl, "action=remove");
+    }
+
     private static String formatComments(String text) {
       return Splitter.on('\n').omitEmptyStrings().trimResults().splitToList(text).stream()
           .map(s -> "# " + s)
@@ -1458,6 +1520,15 @@ public final class RegistryConfig {
     return makeUrl(CONFIG_SETTINGS.get().gcpProject.backendServiceUrl);
   }
 
+  /**
+   * Returns the address of the Nomulus app bsa HTTP server.
+   *
+   * <p>This is used by the {@code nomulus} tool to connect to the App Engine remote API.
+   */
+  public static URL getBsaServer() {
+    return makeUrl(CONFIG_SETTINGS.get().gcpProject.bsaServiceUrl);
+  }
+
   /**
    * Returns the address of the Nomulus app tools HTTP server.
    *

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -53,6 +53,7 @@ public class RegistryConfigSettings {
     public boolean isLocal;
     public String defaultServiceUrl;
     public String backendServiceUrl;
+    public String bsaServiceUrl;
     public String toolsServiceUrl;
     public String pubapiServiceUrl;
   }
@@ -266,8 +267,15 @@ public class RegistryConfigSettings {
 
   /** Configurations for integration with Brand Safety Alliance (BSA) API. */
   public static class Bsa {
+    public String bsaChecksumAlgorithm;
+    public int bsaLockLeaseExpiryMinutes;
+    public int bsaDownloadIntervalMinutes;
+    public int bsaMaxNopIntervalHours;
+    public int bsaLabelTxnBatchSize;
     public String authUrl;
     public int authTokenExpirySeconds;
     public Map<String, String> dataUrls;
+    public String orderStatusUrl;
+    public String unblockableDomainsUrl;
   }
 }

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -20,9 +20,11 @@ gcpProject:
   # URLs of the services for the project.
   defaultServiceUrl: https://default.example.com
   backendServiceUrl: https://backend.example.com
+  bsaServiceUrl: https://bsa.example.com
   toolsServiceUrl: https://tools.example.com
   pubapiServiceUrl: https://pubapi.example.com
 
+
 gSuite:
   # Publicly accessible domain name of the running G Suite instance.
   domainName: domain-registry.example
@@ -615,3 +617,7 @@ bsa:
   dataUrls:
     "BLOCK": "https://"
     "BLOCK_PLUS": "https://"
+  # Http endpoint for reporting order processing status
+  orderStatusUrl: "https://"
+  # Http endpoint for reporting changes in the set of unblockable domains.
+  unblockableDomainsUrl: "https://"

core/src/main/java/google/registry/env/alpha/backend/WEB-INF/appengine-web.xml

@@ -18,13 +18,6 @@
               value="alpha"/>
   </system-properties>
 
-
-  <!-- Enable external traffic to go through VPC, required for static ip -->
-  <vpc-access-connector>
-    <name>projects/domain-registry-alpha/locations/us-central1/connectors/appengine-connector</name>
-    <egress-setting>all-traffic</egress-setting>
-  </vpc-access-connector>
-
   <static-files>
     <include path="/*.html" expiration="1m"/>
   </static-files>

core/src/main/java/google/registry/env/alpha/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="alpha"/>
+  </system-properties>
+
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-alpha/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <static-files>
+    <include path="/*.html" expiration="1m"/>
+  </static-files>
+</appengine-web-app>

core/src/main/java/google/registry/env/common/META-INF/application.xml

@@ -31,6 +31,12 @@ encoding="UTF-8"?>
       <context-root>backend</context-root>
     </web>
   </module>
+  <module>
+    <web>
+      <web-uri>bsa</web-uri>
+      <context-root>bsa</context-root>
+    </web>
+  </module>
   <module>
     <web>
       <web-uri>tools</web-uri>

core/src/main/java/google/registry/env/common/bsa/WEB-INF/logging.properties

@@ -0,0 +1,17 @@
+# A default java.util.logging configuration.
+# (All App Engine logging is through java.util.logging by default).
+#
+# To use this configuration, copy it into your application's WEB-INF
+# folder and add the following to your appengine-web.xml:
+#
+# <system-properties>
+#   <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
+# </system-properties>
+#
+
+# Set the default logging level for all loggers to INFO.
+.level = INFO
+
+# Turn off logging in Hibernate classes for misleading ERROR-level logs
+org.hibernate.engine.jdbc.batch.internal.BatchingBatch.level=OFF
+org.hibernate.engine.jdbc.spi.SqlExceptionHelper.level=OFF

core/src/main/java/google/registry/env/common/bsa/WEB-INF/web.xml

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+  <!-- Servlets -->
+
+  <!-- Servlet for injected backends actions -->
+  <servlet>
+    <display-name>BsaServlet</display-name>
+    <servlet-name>bsa-servlet</servlet-name>
+    <servlet-class>google.registry.module.bsa.BsaServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <!-- Test action -->
+  <servlet-mapping>
+    <servlet-name>bsa-servlet</servlet-name>
+    <url-pattern>/_dr/task/bsaDownload</url-pattern>
+  </servlet-mapping>
+
+  <!-- Security config -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Internal</web-resource-name>
+      <description>
+        Admin-only internal section. Requests for paths covered by the URL patterns below will be
+        checked for a logged-in user account that's allowed to access the AppEngine admin console
+        (NOTE: this includes Editor/Viewer permissions in addition to Owner and the new IAM
+        App Engine Admin role. See https://cloud.google.com/appengine/docs/java/access-control
+        specifically the "Access handlers that have a login:admin restriction" line.)
+
+        TODO(b/28219927): lift some of these restrictions so that we can allow OAuth authentication
+        for endpoints that need to be accessed by open-source automated processes.
+      </description>
+
+      <!-- Internal AppEngine endpoints.  The '_ah' is short for app hosting.  -->
+      <url-pattern>/_ah/*</url-pattern>
+
+      <!-- Registrar console (should not be available on non-default module). -->
+      <url-pattern>/registrar*</url-pattern>
+
+      <!-- Verbatim JavaScript sources (only visible to admins for debugging). -->
+      <url-pattern>/assets/sources/*</url-pattern>
+
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>admin</role-name>
+    </auth-constraint>
+
+    <!-- Repeated here since catch-all rule below is not inherited. -->
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+
+  <!-- Require TLS on all requests. -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Secure</web-resource-name>
+      <description>
+        Require encryption for all paths. http URLs will be redirected to https.
+      </description>
+      <url-pattern>/*</url-pattern>
+    </web-resource-collection>
+    <user-data-constraint>
+      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+</web-app>

core/src/main/java/google/registry/env/crash/backend/WEB-INF/appengine-web.xml

@@ -18,12 +18,6 @@
               value="crash"/>
   </system-properties>
 
-  <!-- Enable external traffic to go through VPC, required for static ip -->
-  <vpc-access-connector>
-    <name>projects/domain-registry-crash/locations/us-central1/connectors/appengine-connector</name>
-    <egress-setting>all-traffic</egress-setting>
-  </vpc-access-connector>
-
   <static-files>
     <include path="/*.html" expiration="1m"/>
   </static-files>

core/src/main/java/google/registry/env/crash/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="crash"/>
+  </system-properties>
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-crash/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <static-files>
+    <include path="/*.html" expiration="1m"/>
+  </static-files>
+</appengine-web-app>

core/src/main/java/google/registry/env/local/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="local"/>
+    <property name="appengine.generated.dir"
+              value="/tmp/domain-registry-appengine-generated/local/"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html">
+      <http-header name="Cache-Control" value="max-age=0,must-revalidate" />
+    </include>
+  </static-files>
+</appengine-web-app>

core/src/main/java/google/registry/env/production/backend/WEB-INF/appengine-web.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java17</runtime>
+  <runtime>java8</runtime>
   <service>backend</service>
-  <app-engine-apis>true</app-engine-apis>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/production/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java8</runtime>
+  <service>bsa</service>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4_1G</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="production"/>
+  </system-properties>
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <static-files>
+    <include path="/*.html" expiration="1d"/>
+  </static-files>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>

core/src/main/java/google/registry/env/production/default/WEB-INF/appengine-web.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java17</runtime>
+  <runtime>java8</runtime>
   <service>default</service>
-  <app-engine-apis>true</app-engine-apis>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>
   <manual-scaling>

core/src/main/java/google/registry/env/production/pubapi/WEB-INF/appengine-web.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java17</runtime>
+  <runtime>java8</runtime>
   <service>pubapi</service>
-  <app-engine-apis>true</app-engine-apis>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>
   <manual-scaling>

core/src/main/java/google/registry/env/production/tools/WEB-INF/appengine-web.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java17</runtime>
+  <runtime>java8</runtime>
   <service>tools</service>
-  <app-engine-apis>true</app-engine-apis>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/env/qa/backend/WEB-INF/appengine-web.xml

@@ -22,12 +22,6 @@
     <include path="/*.html" expiration="1h"/>
   </static-files>
 
-    <!-- Enable external traffic to go through VPC, required for static ip -->
-  <vpc-access-connector>
-    <name>projects/domain-registry-qa/locations/us-central1/connectors/appengine-connector</name>
-    <egress-setting>all-traffic</egress-setting>
-  </vpc-access-connector>
-
   <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
   <static-error-handlers>
     <handler file="error.html"/>

core/src/main/java/google/registry/env/qa/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java17</runtime>
+  <service>bsa</service>
+  <app-engine-apis>true</app-engine-apis>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>10</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="qa"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1h"/>
+  </static-files>
+
+    <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-qa/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>

core/src/main/java/google/registry/env/sandbox/backend/WEB-INF/appengine-web.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java17</runtime>
+  <runtime>java8</runtime>
   <service>backend</service>
-  <app-engine-apis>true</app-engine-apis>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>
@@ -22,12 +23,6 @@
     <include path="/*.html" expiration="1d"/>
   </static-files>
 
-  <!-- Enable external traffic to go through VPC, required for static ip -->
-  <vpc-access-connector>
-    <name>projects/domain-registry-sandbox/locations/us-central1/connectors/appengine-connector</name>
-    <egress-setting>all-traffic</egress-setting>
-  </vpc-access-connector>
-
   <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
   <static-error-handlers>
     <handler file="error.html"/>

core/src/main/java/google/registry/env/sandbox/bsa/WEB-INF/appengine-web.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+
+  <runtime>java8</runtime>
+  <service>bsa</service>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
+  <sessions-enabled>true</sessions-enabled>
+  <instance-class>B4</instance-class>
+  <basic-scaling>
+    <max-instances>100</max-instances>
+    <idle-timeout>10m</idle-timeout>
+  </basic-scaling>
+
+  <system-properties>
+    <property name="java.util.logging.config.file"
+              value="WEB-INF/logging.properties"/>
+    <property name="google.registry.environment"
+              value="sandbox"/>
+  </system-properties>
+
+  <static-files>
+    <include path="/*.html" expiration="1d"/>
+  </static-files>
+
+  <!-- Enable external traffic to go through VPC, required for static ip -->
+  <vpc-access-connector>
+    <name>projects/domain-registry-sandbox/locations/us-central1/connectors/appengine-connector</name>
+    <egress-setting>all-traffic</egress-setting>
+  </vpc-access-connector>
+
+  <!-- Prevent uncaught servlet errors from leaking a stack trace. -->
+  <static-error-handlers>
+    <handler file="error.html"/>
+  </static-error-handlers>
+</appengine-web-app>

core/src/main/java/google/registry/env/sandbox/default/WEB-INF/appengine-web.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java17</runtime>
+  <runtime>java8</runtime>
   <service>default</service>
-  <app-engine-apis>true</app-engine-apis>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>
   <manual-scaling>

core/src/main/java/google/registry/env/sandbox/pubapi/WEB-INF/appengine-web.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java17</runtime>
+  <runtime>java8</runtime>
   <service>pubapi</service>
-  <app-engine-apis>true</app-engine-apis>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4_1G</instance-class>
   <manual-scaling>

core/src/main/java/google/registry/env/sandbox/tools/WEB-INF/appengine-web.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
 
-  <runtime>java17</runtime>
+  <runtime>java8</runtime>
   <service>tools</service>
-  <app-engine-apis>true</app-engine-apis>
+  <!--app-engine-apis>true</app-engine-apis-->
+  <threadsafe>true</threadsafe>
   <sessions-enabled>true</sessions-enabled>
   <instance-class>B4</instance-class>
   <basic-scaling>

core/src/main/java/google/registry/flows/EppRequestHandler.java

@@ -75,14 +75,6 @@ public class EppRequestHandler {
           && eppOutput.getResponse().getResult().getCode() == SUCCESS_AND_CLOSE) {
         response.setHeader(ProxyHttpHeaders.EPP_SESSION, "close");
       }
-      // If a login request returns a success, a logged-in header is added to the response to inform
-      // the proxy that it is no longer necessary to send the full client certificate to the backend
-      // for this connection.
-      if (eppOutput.isResponse()
-          && eppOutput.getResponse().isLoginResponse()
-          && eppOutput.isSuccess()) {
-        response.setHeader(ProxyHttpHeaders.LOGGED_IN, "true");
-      }
     } catch (Exception e) {
       logger.atWarning().withCause(e).log("handleEppCommand general exception.");
       response.setStatus(SC_BAD_REQUEST);

core/src/main/java/google/registry/flows/TlsCredentials.java

@@ -26,6 +26,7 @@ import com.google.common.net.InetAddresses;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryEnvironment;
 import google.registry.flows.EppException.AuthenticationErrorException;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
@@ -66,11 +67,11 @@ public class TlsCredentials implements TransportCredentials {
   public TlsCredentials(
       @Config("requireSslCertificates") boolean requireSslCertificates,
       @Header(ProxyHttpHeaders.CERTIFICATE_HASH) Optional<String> clientCertificateHash,
-      @Header(ProxyHttpHeaders.IP_ADDRESS) Optional<String> clientAddress,
+      Optional<InetAddress> clientInetAddr,
       CertificateChecker certificateChecker) {
     this.requireSslCertificates = requireSslCertificates;
     this.clientCertificateHash = clientCertificateHash;
-    this.clientInetAddr = clientAddress.map(TlsCredentials::parseInetAddress);
+    this.clientInetAddr = clientInetAddr;
     this.certificateChecker = certificateChecker;
   }
 
@@ -104,18 +105,25 @@ public class TlsCredentials implements TransportCredentials {
     }
     // In the rare unexpected case that the client inet address wasn't passed along at all, then
     // by default deny access.
-    if (clientInetAddr.isPresent()) {
-      for (CidrAddressBlock cidrAddressBlock : ipAddressAllowList) {
-        if (cidrAddressBlock.contains(clientInetAddr.get())) {
-          // IP address is in allow list; return early.
-          return;
-        }
+    if (!clientInetAddr.isPresent()) {
+      logger.atWarning().log(
+          "Authentication error: Missing IP address for registrar %s.", registrar.getRegistrarId());
+      throw new BadRegistrarIpAddressException(clientInetAddr);
+    }
+    for (CidrAddressBlock cidrAddressBlock : ipAddressAllowList) {
+      if (cidrAddressBlock.contains(clientInetAddr.get())) {
+        // IP address is in allow list; return early.
+        return;
       }
     }
-    logger.atInfo().log(
+    logger.atWarning().log(
         "Authentication error: IP address %s is not allow-listed for registrar %s; allow list is:"
             + " %s",
-        clientInetAddr, registrar.getRegistrarId(), ipAddressAllowList);
+        clientInetAddr,
+        registrar.getRegistrarId(),
+        RegistryEnvironment.get() == RegistryEnvironment.PRODUCTION
+            ? "redacted in production"
+            : ipAddressAllowList);
     throw new BadRegistrarIpAddressException(clientInetAddr);
   }
 
@@ -232,7 +240,7 @@ public class TlsCredentials implements TransportCredentials {
               ? String.format(
                   "Registrar IP address %s is not in stored allow list",
                   clientInetAddr.get().getHostAddress())
-              : "Registrar IP address is not in stored allow list");
+              : "Registrar IP address is missing");
     }
   }
 
@@ -249,9 +257,14 @@ public class TlsCredentials implements TransportCredentials {
     }
 
     @Provides
-    @Header(ProxyHttpHeaders.IP_ADDRESS)
-    static Optional<String> provideIpAddress(HttpServletRequest req) {
-      return extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+    static Optional<InetAddress> provideIpAddress(HttpServletRequest req) {
+      Optional<String> clientAddress = extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+      Optional<String> fallbackClientAddress =
+          extractOptionalHeader(req, ProxyHttpHeaders.IP_ADDRESS);
+      Optional<InetAddress> clientInetAddr = clientAddress.map(TlsCredentials::parseInetAddress);
+      return clientInetAddr.isPresent()
+          ? clientInetAddr
+          : fallbackClientAddress.map(TlsCredentials::parseInetAddress);
     }
   }
 }

core/src/main/java/google/registry/flows/domain/DomainPricingLogic.java

@@ -18,7 +18,6 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.flows.domain.DomainFlowUtils.zeroInCurrency;
 import static google.registry.flows.domain.token.AllocationTokenFlowUtils.validateTokenForPossiblePremiumName;
 import static google.registry.pricing.PricingEngineProxy.getPricesForDomainName;
-import static google.registry.util.DomainNameUtils.getTldFromDomainName;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
 
 import com.google.common.net.InternetDomainName;
@@ -31,11 +30,13 @@ import google.registry.flows.custom.DomainPricingCustomLogic.RenewPriceParameter
 import google.registry.flows.custom.DomainPricingCustomLogic.RestorePriceParameters;
 import google.registry.flows.custom.DomainPricingCustomLogic.TransferPriceParameters;
 import google.registry.flows.custom.DomainPricingCustomLogic.UpdatePriceParameters;
+import google.registry.model.billing.BillingBase.RenewalPriceBehavior;
 import google.registry.model.billing.BillingRecurrence;
 import google.registry.model.domain.fee.BaseFee;
 import google.registry.model.domain.fee.BaseFee.FeeType;
 import google.registry.model.domain.fee.Fee;
 import google.registry.model.domain.token.AllocationToken;
+import google.registry.model.domain.token.AllocationToken.RegistrationBehavior;
 import google.registry.model.domain.token.AllocationToken.TokenBehavior;
 import google.registry.model.pricing.PremiumPricingEngine.DomainPrices;
 import google.registry.model.tld.Tld;
@@ -132,12 +133,14 @@ public final class DomainPricingLogic {
     // recurrence is null if the domain is still available. Billing events are created
     // in the process of domain creation.
     if (billingRecurrence == null) {
-      renewCost = getDomainRenewCostWithDiscount(domainPrices, years, allocationToken);
+      renewCost =
+          getDomainRenewCostWithDiscount(tld, domainPrices, dateTime, years, allocationToken);
       isRenewCostPremiumPrice = domainPrices.isPremium();
     } else {
       switch (billingRecurrence.getRenewalPriceBehavior()) {
         case DEFAULT:
-          renewCost = getDomainRenewCostWithDiscount(domainPrices, years, allocationToken);
+          renewCost =
+              getDomainRenewCostWithDiscount(tld, domainPrices, dateTime, years, allocationToken);
           isRenewCostPremiumPrice = domainPrices.isPremium();
           break;
           // if the renewal price behavior is specified, then the renewal price should be the same
@@ -156,10 +159,7 @@ public final class DomainPricingLogic {
         case NONPREMIUM:
           renewCost =
               getDomainCostWithDiscount(
-                  false,
-                  years,
-                  allocationToken,
-                  Tld.get(getTldFromDomainName(domainName)).getStandardRenewCost(dateTime));
+                  false, years, allocationToken, tld.getStandardRenewCost(dateTime));
           isRenewCostPremiumPrice = false;
           break;
         default:
@@ -257,8 +257,20 @@ public final class DomainPricingLogic {
 
   /** Returns the domain renew cost with allocation-token-related discounts applied. */
   private Money getDomainRenewCostWithDiscount(
-      DomainPrices domainPrices, int years, Optional<AllocationToken> allocationToken)
+      Tld tld,
+      DomainPrices domainPrices,
+      DateTime dateTime,
+      int years,
+      Optional<AllocationToken> allocationToken)
       throws AllocationTokenInvalidForPremiumNameException {
+    // Short-circuit if the user sent an anchor-tenant or otherwise NONPREMIUM-renewal token
+    if (allocationToken.isPresent()) {
+      AllocationToken token = allocationToken.get();
+      if (token.getRegistrationBehavior().equals(RegistrationBehavior.ANCHOR_TENANT)
+          || token.getRenewalPriceBehavior().equals(RenewalPriceBehavior.NONPREMIUM)) {
+        return tld.getStandardRenewCost(dateTime).multipliedBy(years);
+      }
+    }
     return getDomainCostWithDiscount(
         domainPrices.isPremium(), years, allocationToken, domainPrices.getRenewCost());
   }

core/src/main/java/google/registry/groups/GmailClient.java

@@ -138,6 +138,7 @@ public final class GmailClient {
         BodyPart attachmentPart = new MimeBodyPart();
         attachmentPart.setContent(attachment.content(), attachment.contentType().toString());
         attachmentPart.setFileName(attachment.filename());
+        attachmentPart.setDisposition(MimeBodyPart.ATTACHMENT);
         multipart.addBodyPart(attachmentPart);
       }
       msg.addRecipients(RecipientType.BCC, toArray(emailMessage.bccs(), Address.class));

core/src/main/java/google/registry/model/EppResource.java

@@ -20,6 +20,7 @@ import static com.google.common.collect.Sets.difference;
 import static com.google.common.collect.Sets.union;
 import static google.registry.config.RegistryConfig.getEppResourceCachingDuration;
 import static google.registry.config.RegistryConfig.getEppResourceMaxCachedEntries;
+import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmpty;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
@@ -357,13 +358,13 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
 
         @Override
         public EppResource load(VKey<? extends EppResource> key) {
-          return tm().reTransact(() -> tm().loadByKey(key));
+          return replicaTm().reTransact(() -> replicaTm().loadByKey(key));
         }
 
         @Override
         public Map<VKey<? extends EppResource>, EppResource> loadAll(
             Iterable<? extends VKey<? extends EppResource>> keys) {
-          return tm().reTransact(() -> tm().loadByKeys(keys));
+          return replicaTm().reTransact(() -> replicaTm().loadByKeys(keys));
         }
       };
 

core/src/main/java/google/registry/model/ForeignKeyUtils.java

@@ -165,10 +165,11 @@ public final class ForeignKeyUtils {
    * foreign keys should not use this cache.
    *
    * <p>Note that here the key of the {@link LoadingCache} is of type {@code VKey<? extends
-   * EppResource>}, but they are not legal {VKey}s to {@link EppResource}s, whose keys are the SQL
-   * primary keys, i.e. the {@code repoId}s. Instead, their keys are the foreign keys used to query
-   * the database. We use {@link VKey} here because it is a convenient composite class that contains
-   * both the resource type and the foreign key, which are needed to for the query and caching.
+   * EppResource>}, but they are not legal {@link VKey}s to {@link EppResource}s, whose keys are the
+   * SQL primary keys, i.e. the {@code repoId}s. Instead, their keys are the foreign keys used to
+   * query the database. We use {@link VKey} here because it is a convenient composite class that
+   * contains both the resource type and the foreign key, which are needed to for the query and
+   * caching.
    *
    * <p>Also note that the value type of this cache is {@link Optional} because the foreign keys in
    * question are coming from external commands, and thus don't necessarily represent entities in

core/src/main/java/google/registry/model/tld/Tld.java

@@ -256,6 +256,11 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
     return VKey.create(Tld.class, tldStr);
   }
 
+  /** Checks if {@code tld} is enrolled with BSA. */
+  public static boolean isEnrolledWithBsa(Tld tld, DateTime now) {
+    return tld.getBsaEnrollStartTime().orElse(END_OF_TIME).isBefore(now);
+  }
+
   /**
    * The name of the pricing engine that this TLD uses.
    *
@@ -550,9 +555,15 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   @JsonSerialize(using = SortedEnumSetSerializer.class)
   Set<IdnTableEnum> idnTables;
 
-  // TODO(11/30/2023): uncomment below two lines
-  // /** The start time of this TLD's enrollment in the BSA program, if applicable. */
-  // @JsonIgnore @Nullable DateTime bsaEnrollStartTime;
+  /**
+   * The start time of this TLD's enrollment in the BSA program, if applicable.
+   *
+   * <p>This property is excluded from source-based configuration and is managed directly in the
+   * database.
+   */
+  // TODO(b/309175410): implement setup and cleanup procedure for joining or leaving BSA, and see
+  // if it can be integrated with the ConfigTldCommand.
+  @JsonIgnore @Nullable DateTime bsaEnrollStartTime;
 
   public String getTldStr() {
     return tldStr;
@@ -574,12 +585,9 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
   }
 
   /** Returns the time when this TLD was enrolled in the Brand Safety Alliance (BSA) program. */
-  @JsonIgnore // Annotation can be removed once we add the field and annotate it.
-  @Nullable
-  public DateTime getBsaEnrollStartTime() {
-    // TODO(11/30/2023): uncomment below.
-    // return this.bsaEnrollStartTime;
-    return null;
+  @JsonIgnore
+  public Optional<DateTime> getBsaEnrollStartTime() {
+    return Optional.ofNullable(this.bsaEnrollStartTime);
   }
 
   /** Retrieve whether invoicing is enabled. */
@@ -1101,10 +1109,9 @@ public class Tld extends ImmutableObject implements Buildable, UnsafeSerializabl
       return this;
     }
 
-    public Builder setBsaEnrollStartTime(DateTime enrollTime) {
+    public Builder setBsaEnrollStartTime(Optional<DateTime> enrollTime) {
       // TODO(b/309175133): forbid if enrolled with BSA
-      // TODO(11/30/2023): uncomment below line
-      // getInstance().bsaEnrollStartTime = enrollTime;
+      getInstance().bsaEnrollStartTime = enrollTime.orElse(null);
       return this;
     }
 

core/src/main/java/google/registry/model/tld/label/PremiumListDao.java

@@ -45,7 +45,7 @@ import org.joda.money.Money;
  * {@link PremiumList} object in SQL, and caching these entries so that future lookups can be
  * quicker.
  */
-public class PremiumListDao {
+public final class PremiumListDao {
 
   /**
    * In-memory cache for premium lists.
@@ -102,7 +102,7 @@ public class PremiumListDao {
   /**
    * Returns the most recent revision of the PremiumList with the specified name, if it exists.
    *
-   * <p>Note that this does not load <code>PremiumList.labelsToPrices</code>! If you need to check
+   * <p>Note that this does not load {@code PremiumList.labelsToPrices}! If you need to check
    * prices, use {@link #getPremiumPrice}.
    */
   public static Optional<PremiumList> getLatestRevision(String premiumListName) {
@@ -169,7 +169,7 @@ public class PremiumListDao {
   }
 
   private static Optional<PremiumList> getLatestRevisionUncached(String premiumListName) {
-    return tm().transact(
+    return tm().reTransact(
             () ->
                 tm().query(
                         "FROM PremiumList WHERE name = :name ORDER BY revisionId DESC",
@@ -197,10 +197,10 @@ public class PremiumListDao {
 
   /**
    * Loads the price for the given revisionId + label combination. Note that this does a database
-   * retrieval so it should only be done in a cached context.
+   * retrieval, so it should only be done in a cached context.
    */
   static Optional<BigDecimal> getPriceForLabelUncached(RevisionIdAndLabel revisionIdAndLabel) {
-    return tm().transact(
+    return tm().reTransact(
             () ->
                 tm().query(
                         "SELECT pe.price FROM PremiumEntry pe WHERE pe.revisionId = :revisionId"

core/src/main/java/google/registry/model/tld/label/ReservedList.java

@@ -199,7 +199,7 @@ public final class ReservedList
   public synchronized ImmutableMap<String, ReservedListEntry> getReservedListEntries() {
     if (reservedListMap == null) {
       reservedListMap =
-          tm().transact(
+          tm().reTransact(
                   () ->
                       tm()
                           .createQueryComposer(ReservedListEntry.class)

core/src/main/java/google/registry/model/tld/label/ReservedListDao.java

@@ -47,7 +47,7 @@ public class ReservedListDao {
    * exists.
    */
   public static Optional<ReservedList> getLatestRevision(String reservedListName) {
-    return tm().transact(
+    return tm().reTransact(
             () ->
                 tm().query(
                         "FROM ReservedList WHERE revisionId IN "

core/src/main/java/google/registry/model/tmch/ClaimsListDao.java

@@ -65,7 +65,7 @@ public class ClaimsListDao {
    * doesn't exist.
    */
   private static ClaimsList getUncached() {
-    return tm().transact(
+    return tm().reTransact(
             () -> {
               Long revisionId =
                   tm().query("SELECT MAX(revisionId) FROM ClaimsList", Long.class)

core/src/main/java/google/registry/module/bsa/BsaComponent.java

@@ -0,0 +1,46 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.bsa;
+
+import com.google.monitoring.metrics.MetricReporter;
+import dagger.Component;
+import dagger.Lazy;
+import google.registry.config.CredentialModule;
+import google.registry.config.RegistryConfig.ConfigModule;
+import google.registry.module.bsa.BsaRequestComponent.BsaRequestComponentModule;
+import google.registry.monitoring.whitebox.StackdriverModule;
+import google.registry.request.Modules.GsonModule;
+import google.registry.request.Modules.UserServiceModule;
+import google.registry.request.auth.AuthModule;
+import google.registry.util.UtilsModule;
+import javax.inject.Singleton;
+
+@Singleton
+@Component(
+    modules = {
+      AuthModule.class,
+      UtilsModule.class,
+      UserServiceModule.class,
+      GsonModule.class,
+      ConfigModule.class,
+      StackdriverModule.class,
+      CredentialModule.class,
+      BsaRequestComponentModule.class
+    })
+interface BsaComponent {
+  BsaRequestHandler requestHandler();
+
+  Lazy<MetricReporter> metricReporter();
+}

core/src/main/java/google/registry/module/bsa/BsaRequestComponent.java

@@ -0,0 +1,45 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.bsa;
+
+import dagger.Module;
+import dagger.Subcomponent;
+import google.registry.bsa.PlaceholderAction;
+import google.registry.request.RequestComponentBuilder;
+import google.registry.request.RequestModule;
+import google.registry.request.RequestScope;
+
+@RequestScope
+@Subcomponent(
+    modules = {
+      RequestModule.class,
+    })
+interface BsaRequestComponent {
+
+  PlaceholderAction bsaAction();
+
+  @Subcomponent.Builder
+  abstract class Builder implements RequestComponentBuilder<BsaRequestComponent> {
+
+    @Override
+    public abstract Builder requestModule(RequestModule requestModule);
+
+    @Override
+    public abstract BsaRequestComponent build();
+  }
+
+  @Module(subcomponents = BsaRequestComponent.class)
+  class BsaRequestComponentModule {}
+}

core/src/main/java/google/registry/module/bsa/BsaRequestHandler.java

@@ -0,0 +1,29 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.bsa;
+
+import google.registry.request.RequestHandler;
+import google.registry.request.auth.RequestAuthenticator;
+import javax.inject.Inject;
+import javax.inject.Provider;
+
+public class BsaRequestHandler extends RequestHandler<BsaRequestComponent> {
+  @Inject
+  public BsaRequestHandler(
+      Provider<BsaRequestComponent.Builder> componentBuilderProvider,
+      RequestAuthenticator requestAuthenticator) {
+    super(componentBuilderProvider, requestAuthenticator);
+  }
+}

core/src/main/java/google/registry/module/bsa/BsaServlet.java

@@ -0,0 +1,30 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.bsa;
+
+import com.google.monitoring.metrics.MetricReporter;
+import dagger.Lazy;
+import google.registry.module.ServletBase;
+
+public final class BsaServlet extends ServletBase {
+
+  private static final BsaComponent component = DaggerBsaComponent.create();
+  private static final BsaRequestHandler requestHandler = component.requestHandler();
+  private static final Lazy<MetricReporter> metricReporter = component.metricReporter();
+
+  public BsaServlet() {
+    super(requestHandler, metricReporter);
+  }
+}

core/src/main/java/google/registry/module/bsa/package-info.java

@@ -0,0 +1,16 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+@javax.annotation.ParametersAreNonnullByDefault
+package google.registry.module.bsa;

core/src/main/java/google/registry/persistence/PersistenceModule.java

@@ -267,7 +267,7 @@ public abstract class PersistenceModule {
         name -> overrides.put(HIKARI_DS_CLOUD_SQL_INSTANCE, name));
     overrides.put(
         Environment.ISOLATION, TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ.name());
-    return new JpaTransactionManagerImpl(create(overrides), clock);
+    return new JpaTransactionManagerImpl(create(overrides), clock, true);
   }
 
   @Provides
@@ -283,7 +283,7 @@ public abstract class PersistenceModule {
         name -> overrides.put(HIKARI_DS_CLOUD_SQL_INSTANCE, name));
     overrides.put(
         Environment.ISOLATION, TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ.name());
-    return new JpaTransactionManagerImpl(create(overrides), clock);
+    return new JpaTransactionManagerImpl(create(overrides), clock, true);
   }
 
   /** Constructs the {@link EntityManagerFactory} instance. */

core/src/main/java/google/registry/persistence/transaction/DatabaseException.java

@@ -39,7 +39,7 @@ import javax.persistence.PersistenceException;
  * <p>See the {@code logging.properties} files in the {@code env} package for the specific Hibernate
  * classes that have logging suppressed.
  */
-class DatabaseException extends PersistenceException {
+public class DatabaseException extends PersistenceException {
 
   private transient String cachedMessage;
 

core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java

@@ -33,6 +33,7 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.flogger.StackSize;
+import google.registry.config.RegistryEnvironment;
 import google.registry.model.ImmutableObject;
 import google.registry.persistence.JpaRetries;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
@@ -85,13 +86,19 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
   // EntityManagerFactory is thread safe.
   private final EntityManagerFactory emf;
   private final Clock clock;
+  private final boolean readOnly;
 
   private static final ThreadLocal<TransactionInfo> transactionInfo =
       ThreadLocal.withInitial(TransactionInfo::new);
 
-  public JpaTransactionManagerImpl(EntityManagerFactory emf, Clock clock) {
+  public JpaTransactionManagerImpl(EntityManagerFactory emf, Clock clock, boolean readOnly) {
     this.emf = emf;
     this.clock = clock;
+    this.readOnly = readOnly;
+  }
+
+  public JpaTransactionManagerImpl(EntityManagerFactory emf, Clock clock) {
+    this(emf, clock, false);
   }
 
   @Override
@@ -158,7 +165,10 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
       if (!getHibernateAllowNestedTransactions()) {
         throw new IllegalStateException(NESTED_TRANSACTION_MESSAGE);
       }
-      logger.atWarning().withStackTrace(StackSize.MEDIUM).log(NESTED_TRANSACTION_MESSAGE);
+      if (RegistryEnvironment.get() != RegistryEnvironment.PRODUCTION
+          && RegistryEnvironment.get() != RegistryEnvironment.UNITTEST) {
+        logger.atWarning().withStackTrace(StackSize.MEDIUM).log(NESTED_TRANSACTION_MESSAGE);
+      }
       // This prevents inner transaction from retrying, thus avoiding a cascade retry effect.
       return transactNoRetry(work, isolationLevel);
     }
@@ -200,6 +210,10 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
     try {
       txn.begin();
       txnInfo.start(clock);
+      if (readOnly) {
+        getEntityManager().createNativeQuery("SET TRANSACTION READ ONLY").executeUpdate();
+        logger.atInfo().log("Using read-only SQL replica");
+      }
       if (isolationLevel != null && isolationLevel != getDefaultTransactionIsolationLevel()) {
         getEntityManager()
             .createNativeQuery(

core/src/main/java/google/registry/request/Action.java

@@ -30,11 +30,13 @@ public @interface Action {
 
   /** App Engine services supported by the request processor. */
   enum Service {
+    BSA("bsa"),
     DEFAULT("default"),
     TOOLS("tools"),
     BACKEND("backend"),
     PUBAPI("pubapi");
 
+
     private final String serviceId;
 
     Service(String serviceId) {

core/src/main/java/google/registry/request/UrlConnectionUtils.java

@@ -28,6 +28,7 @@ import com.google.common.net.MediaType;
 import java.io.DataOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.HttpURLConnection;
 import java.net.URLConnection;
 import java.util.Random;
 
@@ -36,26 +37,37 @@ public final class UrlConnectionUtils {
 
   private UrlConnectionUtils() {}
 
-  /** Retrieves the response from the given connection as a byte array. */
-  public static byte[] getResponseBytes(URLConnection connection) throws IOException {
-    try (InputStream is = connection.getInputStream()) {
+  /**
+   * Retrieves the response from the given connection as a byte array.
+   *
+   * <p>Note that in the event the response code is 4XX or 5XX, we use the error stream as any
+   * payload is included there.
+   *
+   * @see HttpURLConnection#getErrorStream()
+   */
+  public static byte[] getResponseBytes(HttpURLConnection connection) throws IOException {
+    int responseCode = connection.getResponseCode();
+    try (InputStream is =
+        responseCode < 400 ? connection.getInputStream() : connection.getErrorStream()) {
       return ByteStreams.toByteArray(is);
+    } catch (NullPointerException e) {
+      return new byte[] {};
     }
   }
 
   /** Sets auth on the given connection with the given username/password. */
-  public static void setBasicAuth(URLConnection connection, String username, String password) {
+  public static void setBasicAuth(HttpURLConnection connection, String username, String password) {
     setBasicAuth(connection, String.format("%s:%s", username, password));
   }
 
   /** Sets auth on the given connection with the given string, formatted "username:password". */
-  public static void setBasicAuth(URLConnection connection, String usernameAndPassword) {
+  public static void setBasicAuth(HttpURLConnection connection, String usernameAndPassword) {
     String token = base64().encode(usernameAndPassword.getBytes(UTF_8));
     connection.setRequestProperty(AUTHORIZATION, "Basic " + token);
   }
 
   /** Sets the given byte[] payload on the given connection with a particular content type. */
-  public static void setPayload(URLConnection connection, byte[] bytes, String contentType)
+  public static void setPayload(HttpURLConnection connection, byte[] bytes, String contentType)
       throws IOException {
     connection.setRequestProperty(CONTENT_TYPE, contentType);
     connection.setDoOutput(true);
@@ -72,7 +84,7 @@ public final class UrlConnectionUtils {
    * @see <a href="http://www.ietf.org/rfc/rfc2388.txt">RFC2388 - Returning Values from Forms</a>
    */
   public static void setPayloadMultipart(
-      URLConnection connection,
+      HttpURLConnection connection,
       String name,
       String filename,
       MediaType contentType,

core/src/main/java/google/registry/tldconfig/idn/IdnLabelValidator.java

@@ -38,9 +38,7 @@ public final class IdnLabelValidator {
   public Optional<String> findValidIdnTableForTld(String label, String tldStr) {
     String unicodeString = Idn.toUnicode(label);
     Tld tld = Tld.get(tldStr); // uses the cache
-    ImmutableSet<IdnTableEnum> idnTablesForTld = tld.getIdnTables();
-    ImmutableSet<IdnTableEnum> idnTables =
-        idnTablesForTld.isEmpty() ? DEFAULT_IDN_TABLES : idnTablesForTld;
+    ImmutableSet<IdnTableEnum> idnTables = getIdnTablesForTld(tld);
     for (IdnTableEnum idnTable : idnTables) {
       if (idnTable.getTable().isValidLabel(unicodeString)) {
         return Optional.of(idnTable.getTable().getName());
@@ -48,4 +46,10 @@ public final class IdnLabelValidator {
     }
     return Optional.empty();
   }
+
+  /** Returns the names of the IDN tables supported by a {@code tld}. */
+  public ImmutableSet<IdnTableEnum> getIdnTablesForTld(Tld tld) {
+    ImmutableSet<IdnTableEnum> idnTablesForTld = tld.getIdnTables();
+    return idnTablesForTld.isEmpty() ? DEFAULT_IDN_TABLES : idnTablesForTld;
+  }
 }

core/src/main/java/google/registry/tldconfig/idn/IdnTable.java

@@ -84,7 +84,7 @@ public final class IdnTable {
    * Returns true if the given label is valid for this IDN table. A label is considered valid if all
    * of its codepoints are in the IDN table.
    */
-  boolean isValidLabel(String label) {
+  public boolean isValidLabel(String label) {
     final int length = label.length();
     for (int i = 0; i < length; ) {
       int codepoint = label.codePointAt(i);

core/src/main/java/google/registry/tools/ConfigureTldCommand.java

@@ -72,9 +72,9 @@ public class ConfigureTldCommand extends MutatingCommand {
   boolean breakglass;
 
   @Parameter(
-      names = {"-d", "--dryrun"},
+      names = {"-d", "--dry_run"},
       description = "Does not execute the entity mutation")
-  boolean dryrun;
+  boolean dryRun;
 
   @Inject ObjectMapper mapper;
 
@@ -122,6 +122,13 @@ public class ConfigureTldCommand extends MutatingCommand {
     checkPremiumList(newTld);
     checkDnsWriters(newTld);
     checkCurrency(newTld);
+    // bsaEnrollStartTime only exists in DB. Need to carry it over to the updated copy. See Tld.java
+    // for more information.
+    Optional<DateTime> bsaEnrollTime =
+        Optional.ofNullable(oldTld).flatMap(Tld::getBsaEnrollStartTime);
+    if (bsaEnrollTime.isPresent()) {
+      newTld = newTld.asBuilder().setBsaEnrollStartTime(bsaEnrollTime).build();
+    }
     // Set the new TLD to breakglass mode if breakglass flag was used
     if (breakglass) {
       newTld = newTld.asBuilder().setBreakglassMode(true).build();
@@ -131,7 +138,7 @@ public class ConfigureTldCommand extends MutatingCommand {
 
   @Override
   protected boolean dontRunCommand() {
-    if (dryrun) {
+    if (dryRun) {
       return true;
     }
     if (!newDiff) {

core/src/main/java/google/registry/tools/CreateOrUpdateTldCommand.java

@@ -463,8 +463,7 @@ abstract class CreateOrUpdateTldCommand extends MutatingCommand {
     }
   }
 
-  private void checkReservedListValidityForTld(String tld, Set<String> reservedListNames)
-      throws UnsupportedEncodingException {
+  private void checkReservedListValidityForTld(String tld, Set<String> reservedListNames) {
     ImmutableList.Builder<String> builder = new ImmutableList.Builder<>();
     for (String reservedListName : reservedListNames) {
       if (!reservedListName.startsWith("common_") && !reservedListName.startsWith(tld + "_")) {

core/src/main/java/google/registry/tools/ServiceConnection.java

@@ -170,6 +170,8 @@ public class ServiceConnection {
         return RegistryConfig.getToolsServer();
       case BACKEND:
         return RegistryConfig.getBackendServer();
+      case BSA:
+        return RegistryConfig.getBsaServer();
       case PUBAPI:
         return RegistryConfig.getPubapiServer();
     }

core/src/main/java/google/registry/tools/UpdateOrDeleteAllocationTokensCommand.java

@@ -67,9 +67,12 @@ abstract class UpdateOrDeleteAllocationTokensCommand extends ConfirmingCommand {
       checkArgument(!prefix.isEmpty(), "Provided prefix should not be blank");
       return tm().transact(
               () ->
-                  tm().loadAllOf(AllocationToken.class).stream()
-                      .filter(token -> token.getToken().startsWith(prefix))
-                      .map(AllocationToken::createVKey)
+                  tm().query(
+                          "SELECT token FROM AllocationToken WHERE token LIKE :prefix",
+                          String.class)
+                      .setParameter("prefix", String.format("%s%%", prefix))
+                      .getResultStream()
+                      .map(token -> VKey.create(AllocationToken.class, token))
                       .collect(toImmutableList()));
     }
   }

core/src/main/java/google/registry/tools/UpdatePremiumListCommand.java

@@ -18,6 +18,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.util.ListNamingUtils.convertFilePathToName;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.base.Strings;
 import google.registry.model.tld.label.PremiumList;
@@ -29,6 +30,14 @@ import java.nio.file.Files;
 @Parameters(separators = " =", commandDescription = "Update a PremiumList in Database.")
 class UpdatePremiumListCommand extends CreateOrUpdatePremiumListCommand {
 
+  @Parameter(
+      names = {"-d", "--dry_run"},
+      description = "Does not execute the entity mutation")
+  boolean dryRun;
+
+  // indicates if there is a new change made by this command
+  private boolean newChange = false;
+
   @Override
   protected String prompt() throws Exception {
     name = Strings.isNullOrEmpty(name) ? convertFilePathToName(inputFile) : name;
@@ -43,8 +52,23 @@ class UpdatePremiumListCommand extends CreateOrUpdatePremiumListCommand {
     checkArgument(!inputData.isEmpty(), "New premium list data cannot be empty");
     currency = existingList.getCurrency();
     PremiumList updatedPremiumList = PremiumListUtils.parseToPremiumList(name, currency, inputData);
-    return String.format(
-        "Update premium list for %s?\n Old List: %s\n New List: %s",
-        name, existingList, updatedPremiumList);
+    if (!existingList
+        .getLabelsToPrices()
+        .entrySet()
+        .equals(updatedPremiumList.getLabelsToPrices().entrySet())) {
+      newChange = true;
+      return String.format(
+          "Update premium list for %s?\n Old List: %s\n New List: %s",
+          name, existingList, updatedPremiumList);
+    } else {
+      return String.format(
+          "This update contains no changes to the premium list for %s.\n List Contents: %s",
+          name, existingList);
+    }
+  }
+
+  @Override
+  protected boolean dontRunCommand() {
+    return dryRun || !newChange;
   }
 }

core/src/main/java/google/registry/tools/UpdateReservedListCommand.java

@@ -14,6 +14,7 @@
 
 package google.registry.tools;
 
+import static google.registry.util.DiffUtils.prettyPrintEntityDeepDiff;
 import static google.registry.util.ListNamingUtils.convertFilePathToName;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
@@ -46,17 +47,27 @@ final class UpdateReservedListCommand extends CreateOrUpdateReservedListCommand
             .setReservedListMapFromLines(allLines)
             .setShouldPublish(shouldPublish);
     reservedList = updated.build();
-    // only call stageEntityChange if there are changes in entries
-
-    if (!existingReservedList
-        .getReservedListEntries()
-        .equals(reservedList.getReservedListEntries())) {
-      return String.format(
-          "Update reserved list for %s?\nOld list: %s\n New list: %s",
-          name,
-          outputReservedListEntries(existingReservedList),
-          outputReservedListEntries(reservedList));
+    boolean shouldPublishChanged =
+        existingReservedList.getShouldPublish() != reservedList.getShouldPublish();
+    boolean reservedListEntriesChanged =
+        !existingReservedList
+            .getReservedListEntries()
+            .equals(reservedList.getReservedListEntries());
+    if (!shouldPublishChanged && !reservedListEntriesChanged) {
+      return "No entity changes to apply.";
     }
-    return "No entity changes to apply.";
+    String result = String.format("Update reserved list for %s?\n", name);
+    if (shouldPublishChanged) {
+      result +=
+          String.format(
+              "shouldPublish: %s -> %s\n",
+              existingReservedList.getShouldPublish(), reservedList.getShouldPublish());
+    }
+    if (reservedListEntriesChanged) {
+      result +=
+          prettyPrintEntityDeepDiff(
+              existingReservedList.getReservedListEntries(), reservedList.getReservedListEntries());
+    }
+    return result;
   }
 }