Add expiration/deletion to Valkey cache (#3024)

This will be necessary for the batch job that runs however often to
"catch up" to the existing state.

We also only store "real" domains in Valkey.

.github/workflows/codeql.yml

@@ -31,7 +31,7 @@ jobs:
       uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
-        java-version: '21'
+        java-version: '25'
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/dependency-submission.yml

@@ -20,6 +20,6 @@ jobs:
       uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
-        java-version: '21'
+        java-version: '25'
     - name: Generate and submit dependency graph
       uses: gradle/actions/dependency-submission@v3

.gitignore

@@ -18,6 +18,13 @@ gjf.out
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
 
+# Environment-specific configuration files
+core/src/main/java/google/registry/config/files/nomulus-config-alpha.yaml
+core/src/main/java/google/registry/config/files/nomulus-config-crash.yaml
+core/src/main/java/google/registry/config/files/nomulus-config-production.yaml
+core/src/main/java/google/registry/config/files/nomulus-config-qa.yaml
+core/src/main/java/google/registry/config/files/nomulus-config-sandbox.yaml
+
 ######################################################################
 # Eclipse Ignores
 
@@ -114,9 +121,5 @@ core/**/registrar_dbg*.js
 core/**/registrar_bin*.css
 core/**/registrar_dbg*.css
 
-# Appengine generated files
-core/WEB-INF/appengine-generated/*.bin
-core/WEB-INF/appengine-generated/*.xml
-
 # jEnv
 .java-version

GEMINI.md

@@ -0,0 +1,175 @@
+# Engineering Standards for Gemini CLI
+
+This document outlines foundational mandates, architectural patterns, and project-specific conventions to ensure high-quality, idiomatic, and consistent code from the first iteration. When modifying this file, always review the full document to prevent the introduction of duplicate instructions and ensure the content remains coherent and logically organized.
+
+## Core Mandates
+
+### 1. Rigorous Import Management
+- **Addition:** When adding new symbols, ensure the corresponding import is added.
+- **Removal:** When removing the last usage of a class or symbol from a file (e.g., removing a `@Inject Clock clock;` field), **immediately remove the associated import**. Do not wait for a build failure to identify unused imports.
+- **No Redundant Qualifications:** NEVER use fully qualified class names (e.g., `java.time.temporal.ChronoUnit.DAYS`) in code when an import can be used instead. Always prefer adding an import and using the simple name.
+- **Static Imports for Utilities:** Always statically import methods from utility classes like `DateTimeUtils` or `CacheUtils`. (e.g., use `toInstant(...)` instead of `DateTimeUtils.toInstant(...)`).
+- **Checkstyle:** Proactively fix common checkstyle errors (line length > 100, formatting, unused imports) during the initial code write. Do not wait for CI/build failures to address these, as iterative fixes are inefficient.
+- **Verification**: Before finalizing any change, scan the imports section for redundancy.
+- **License Headers**: When creating new files, ensure the license header uses the current year (e.g., 2026). Existing files should retain their original year.
+
+## 2. Time and Precision Handling (java.time Migration)
+
+- **Idiomatic java.time Usage:** Avoid redundant conversions between `Instant` and `DateTime`. If a field or parameter is an `Instant`, use it directly. Do not convert to `DateTime` just to call a deprecated method if an `Instant` alternative exists or can be easily created. Furthermore, you should not call `toInstant()` or `toDateTime()` conversion methods when not strictly necessary; always prefer to use an alternative method that returns the correct type if one exists (e.g. use `tm().getTxTime()` which returns an `Instant` instead of calling `tm().getTransactionTime().toInstant()`).
+- **CRITICAL MISTAKES TO AVOID:**
+    - NEVER use `toInstant(clock.nowUtc())` or `toInstant(fakeClock.nowUtc())`. Both `Clock` and `FakeClock` have a `now()` method that natively returns a `java.time.Instant`. You MUST use `clock.now()` or `fakeClock.now()` directly.
+    - NEVER double-wrap conversions like `toInstant(toDateTime(...))` or `toDateTime(toInstant(...))`.
+    - NEVER mark `Instant` parameters or local variables as `final` unnecessarily, as it clutters the codebase.
+    - When using test helpers like `assertThatCommand().atTime(...)` or `ForeignKeyUtils.loadResource(...)`, ALWAYS use the `Instant` overloads. DO NOT wrap `Instant` instances in `toDateTime(...)` just to pass them to deprecated overloads.
+- **UTC Timezones:** Do not use `ZoneId.of("UTC")`. Use a statically imported `UTC` from `ZoneOffset` instead (`import static java.time.ZoneOffset.UTC;`).
+- **Millisecond Precision:** Always truncate `Instant.now()` to milliseconds (using `.truncatedTo(ChronoUnit.MILLIS)`) to maintain consistency with Joda `DateTime` and the PostgreSQL schema (which enforces millisecond precision via JPA converters).
+- **Clock Injection:**
+    - Avoid direct calls to `Instant.now()`, `DateTime.now()`, `ZonedDateTime.now()`, or `System.currentTimeMillis()`.
+    - Inject `google.registry.util.Clock` (production) or `google.registry.testing.FakeClock` (tests).
+    - Use `clock.nowDate()` to get a `ZonedDateTime` in UTC.
+    - When defining timestamps for tests, prefer using a fixed, static constant (e.g., `Instant.parse("2024-03-27T10:15:30.105Z")`) over capturing `clock.now()` to prevent flaky tests caused by the passage of real time. Avoid using the Unix epoch (`START_INSTANT`) unless specifically testing epoch-related logic; instead, use realistic dates and vary them across different test suites to ensure logic isn't dependent on a specific "standard" date.
+- **Beam Pipelines:**
+    - Ensure `Clock` is serializable (it is by default in this project) when used in Beam `DoFn`s.
+    - Pass the `Clock` through the constructor or via Dagger provider methods in the pipeline module.
+- **Command-Line Tools:**
+    - Use `@Inject Clock clock;` in `Command` implementations.
+    - The `clock` field should be **package-private** (no access modifier) to allow manual initialization in corresponding test classes.
+    - In test classes (e.g., `UpdateDomainCommandTest`), manually set `command.clock = fakeClock;` in the `@BeforeEach` method.
+    - Base test classes like `EppToolCommandTestCase` should handle this assignment for their generic command types where applicable.
+
+### 3. Dependency Injection (Dagger)
+- **Concrete Types:** Dagger `inject` methods must use explicit concrete types. Generic `inject(Command)` methods will not work.
+- **Test Components:** Use `TestRegistryToolComponent` for command-line tool tests to bridge the gap between `main` and `nonprod/test` source sets.
+
+### 4. Database Consistency
+- **JPA Converters:** Be aware that JPA converters (like `DateTimeConverter`) may perform truncation or transformation. Ensure application-level logic matches these transformations to avoid "dirty" state or unexpected diffs.
+- **Transaction Management:**
+    - **Top-Level:** Define database transactions (`tm().transact(...)`) at the highest possible level in the call chain (e.g., in an Action, a Command, or a Flow). This ensures all operations are atomic and handled by the retry logic.
+    - **DAO Methods:** Avoid declaring transactions inside low-level DAO methods. Use `tm().assertInTransaction()` to ensure that these methods are only called within a valid transactional context.
+    - **Utility/Cache Methods:** Use `tm().reTransact(...)` for utility methods or Caffeine cache loaders that might be invoked from both transactional and non-transactional paths.
+        - `reTransact` will join an existing transaction if one is present (acting as a no-op) or start a new one if not.
+        - This is particularly useful for in-memory caches where the loader must be able to fetch data regardless of whether the caller is currently in a transaction.
+    - **Transactional Time:** Ensure code that relies on `tm().getTransactionTime()` is executed within a transaction context.
+
+### 5. Testing Best Practices
+- **FakeClock and Sleeper:** Use `FakeClock` and `Sleeper` for any logic involving timeouts, delays, or expiration.
+- **Empirical Reproduction:** Before fixing a bug, always create a test case that reproduces the failure.
+- **Base Classes:** Leverage `CommandTestCase`, `EppToolCommandTestCase`, etc., to reduce boilerplate and ensure consistent setup (e.g., clock initialization).
+
+### 6. Project Dependencies
+- **Common Module:** When using `Clock` or other core utilities in a new or separate module (like `load-testing`), ensure `implementation project(':common')` is added to the module's `build.gradle`.
+
+### 7. Search and Discovery
+- **No CodeSearch:** This project is hosted on GitHub, not Google3. Do NOT use `mcp_Coding_search_for_files_codesearch` or other internal Google3 search tools.
+- **Local Grep:** Use local shell commands like `git grep` or `grep` via `run_shell_command` to search the codebase.
+
+## Performance and Efficiency
+- **Turn Minimization:** Aim for "perfect" code in the first iteration. Iterative fixes for checkstyle or compilation errors consume significant context and time.
+- **Context Management:** Use sub-agents for batch refactoring or high-volume output tasks to keep the main session history lean and efficient.
+- **Code Formatting:** Do not write custom Python scripts or manual regex replacements to fix code formatting issues (e.g., unused imports, import ordering, line length). Instead, use the project's built-in formatting tools: run `./gradlew spotlessApply` to fix unused/unordered imports and `./gradlew javaIncrementalFormatApply` (or `google-java-format --replace <files>`) to automatically fix Java formatting and indentation errors.
+
+## General Code Review Lessons & Avoidable Mistakes
+Based on historical PR reviews, avoid the following common mistakes:
+- **No Unnecessary Casts:** Do not unnecessarily cast objects if the method signature accepts the type directly (e.g., avoid `(Instant) fakeClock.now()` or `(ImmutableSet<String>) bsaQuery(...)` if it compiles without it).
+- **Visibility Modifiers:** Do not use `/* package */` comments to denote package-private visibility. Just leave the modifier blank; it is an established idiom in this codebase.
+
+### Advanced Java & Guava Idioms
+- **Immutable Types:** Declare variables, fields, and return types explicitly as Guava immutable types (e.g., `ImmutableList<T>`, `ImmutableMap<K, V>`) instead of their generic interfaces (`List<T>`, `Map<K, V>`) to clearly communicate immutability contracts to callers. Use `toImmutableList()` and `toImmutableMap()` collectors in streams rather than manually accumulating into an `ArrayList` or `HashMap`.
+- **Constructors:** Do not perform heavy logic, I/O, or external API calls inside constructors. Initialization logic should be deferred or handled in a factory method or a dedicated startup routine.
+- **Exception Handling:** Do not catch generic `Exception` or `Throwable` if a more specific exception is expected. Never "log and re-throw" the same exception; either handle it entirely (and log), or throw it up the chain. For batch processes, catch exceptions at the individual item/chunk level so one failure doesn't abort the entire batch.
+- **Fail Fast:** Validate inputs and fail fast (using `Preconditions.checkArgument` or similar) at the highest level possible rather than passing invalid state (like `null`s) deeper into business logic.
+- **Magic Numbers:** Always document magic numbers or hardcoded limits (like `50.0` or `30`) with inline comments explaining the rationale.
+- **Null Safety and Optional:** Prefer using `Optional` for any variable that is expected to potentially be null. For any other variable that can be null but cannot use an `Optional` (e.g., function parameters or return types where `Optional` is not idiomatic), it MUST be annotated with `@Nullable`. Always use the `javax.annotation.Nullable` annotation.
+
+---
+
+# Gemini Engineering Guide: Nomulus Codebase
+
+This document captures high-level architectural patterns, lessons learned from large-scale refactorings (like the Joda-Time to `java.time` migration), and specific instructions to avoid common pitfalls in this environment.
+
+## 🏛 Architecture Overview
+
+- **Transaction Management:** The codebase uses a custom wrapper around JPA. Always use `tm()` (from `TransactionManagerFactory`) to interact with the database.
+- **Dependency Injection:** Dagger 2 is used extensively. If you see "cannot find symbol" errors for classes starting with `Dagger...`, the project is in a state where annotation processing failed. Fix compilation in core models first to restore generated code.
+- **Value Types:** AutoValue and "ImmutableObject" patterns are dominant. Most models follow a `Buildable` pattern with a nested `Builder`.
+- **Temporal Logic:** The project is migrating from Joda-Time to `java.time`.
+  - Core boundaries: `DateTimeUtils.START_OF_TIME_INSTANT` (Unix Epoch) and `END_OF_TIME_INSTANT` (Long.MAX_VALUE / 1000).
+  - Year Arithmetic: Use `DateTimeUtils.plusYears()` and `DateTimeUtils.minusYears()` to handle February 29th logic correctly.
+
+## Source Control
+- **Committing:** Always create a new commit on the branch if one hasn't been created yet for the branch's specific work. Only perform amending (`git commit --amend --no-edit`) for subsequent changes once the initial commit has been successfully created.
+- **One Commit Per PR:** All changes for a single PR must be squashed into a single commit before merging.
+- **Default to Amend:** Once an initial commit is created for a PR, all subsequent functional changes should be amended into that same commit by default (`git commit --amend --no-edit`). This ensures the PR remains a single, clean unit of work throughout the development lifecycle.
+- **Commit Message Style:** Follow standard Git commit best practices. The subject line (first line) MUST be a maximum of 50 characters, concise, capitalized, and **must not end with punctuation** (e.g., a period). The body MUST explicitly encapsulate and summarize all changes made across the entire diff, detailing the "what" and "why" comprehensively.
+- **Strict Completion Verification:** You MUST NEVER declare a task, commit, or amendment as complete until you have explicitly verified that the workspace is clean. You MUST follow this exact sequence of actions across multiple conversational turns if necessary:
+  1. Execute the `git commit` or `git commit --amend` command.
+  2. Wait for the tool to return successfully.
+  3. Execute `git status`.
+  4. Wait for the tool to return and explicitly verify the output contains `nothing to commit, working tree clean` (or similar indication that no unstaged changes remain). If changes remain, stage them and amend the commit, then repeat this verification loop.
+  5. **Only after** step 4 has successfully returned a clean working directory may you generate a text response to the user declaring that the task is complete.
+- **Diff Review:** Before finalizing a task, review the full diff (e.g., `git diff HEAD^`) to ensure all changes are functional and relevant. Identify and revert any formatting-only changes in files that do not contain functional updates to keep the commit focused.
+
+## Self-Review Guidelines
+Before finalizing any PR or declaring a task complete, you MUST perform a thorough, rigorous self-review of your entire diff. Run `git diff HEAD^` (or review the staged changes) and actively verify the following against every modified line:
+
+1. **Imports & FQNs:** Did I leave any fully-qualified class names or static variables inline? Did I add the necessary imports for them? *Crucial Exception:* If the file already imports a class with the identical name (e.g., it uses both `java.time.Duration` and `org.joda.time.Duration`), one MUST remain fully qualified to avoid a compilation conflict.
+2. **Redundant Conversions:** Did I use `toDateTime(clock.now())` where `clock.nowUtc()` would suffice? Did I use `toDateTime(END_INSTANT)` instead of `END_OF_TIME`? Did I use `.toInstant()` or `.toDateTime()` on something that could be avoided by using a different method overload (e.g., `tm().getTxTime()`)?
+3. **Verbose Math:** Did I write any verbose time conversions inline? Are there `DateTimeUtils` methods I should be using instead? If not, should I abstract this math into `DateTimeUtils`?
+4. **Assertion Cleanliness:** Am I polluting test assertions with `toDateTime(...)` wraps? If so, I need to add overloaded assertions to the Truth Subjects instead.
+5. **Diff Scope:** Are there any formatting-only changes in files that I did not functionally modify? If so, revert them. Does the total line count of the diff align with the approved scope (e.g., ~1,000 lines for migrations)?
+6. **Commit Message:** Does the commit message title fit within 50 characters? Does the body encapsulate the entirety of the changes across the diff cleanly and professionally?
+7. **Missing Tests & Coverage:** *Perform a structured check for any new methods or modified behavior.* Did I add a new utility method (like `plusMonths(Instant, int)`) or change core logic? If so, I MUST open the corresponding test file and write tests to cover the new functionality (including edge cases, negative values, and leap years) before considering the task complete. A code review is not thorough if it only checks for compilation. I must actively ensure every new branch of logic has a test.
+
+Only after actively confirming these checks against your diff are you permitted to finalize the task.
+
+## Refactoring & Migration Guardrails
+
+
+### 1. Compiler Warnings are Errors (`-Werror`)
+This project treats Error Prone warnings as errors.
+- **`@InlineMeSuggester`**: When creating deprecated Joda-Time bridge methods (e.g., `getTimestamp() -> return toDateTime(getTimestampInstant())`), you **MUST** immediately add `@SuppressWarnings("InlineMeSuggester")`. If you don't, the build will fail.
+- **Repeatable Annotations**: `@SuppressWarnings` is **NOT** repeatable in this environment. If a method or class already has a suppression (e.g., `@SuppressWarnings("unchecked")`), you must merge them:
+  - ❌ `@SuppressWarnings("unchecked") @SuppressWarnings("InlineMeSuggester")`
+  - ✅ `@SuppressWarnings({"unchecked", "InlineMeSuggester"})`
+
+### 2. Resolving Ambiguity
+- **Null Overloads**: Adding an `Instant` overload to a method that previously took `DateTime` will break all `create(null)` calls. You must cast them: `create((Instant) null)`.
+- **Type Erasure**: Methods taking `Optional<DateTime>` and `Optional<Instant>` will clash due to erasure. Use distinct names, e.g., `setAutorenewEndTimeInstant(Optional<Instant> time)`.
+
+### 3. Build Strategy
+- **Surgical Changes**: In large-scale migrations, focus on "leaf" nodes first (Utilities -> Models -> Flows -> Actions).
+- **PR Size**: Minimize PR size by retaining Joda-Time bridge methods for high-level "Action" and "Flow" classes unless a full migration is requested. Reverting changes to DNS and Reporting logic while updating the underlying models is a valid strategy to keep PRs reviewable.
+- **Validation**: Always run `./gradlew build -x test` before attempting to run unit tests. Unit tests will not run if there are compilation errors in any part of the `core` module. Before finalizing a PR or declaring a task done, you MUST verify your changes. **Prefer scoped builds** (e.g., `./gradlew :core:build`) if you are only modifying backend Java code. Running the global `./gradlew build` triggers the frontend `console-webapp` build, which unnecessarily runs `npmInstallDeps` and modifies `package-lock.json`. If you must run a global build, you must revert `console-webapp/package-lock.json` afterwards. Do not declare success if formatting checks (e.g., `spotlessCheck` or `javaIncrementalFormatCheck`) or tests fail. If formatting fails, run `./gradlew spotlessApply` and then re-run your build command to verify everything passes.
+
+## 🚫 Common Pitfalls to Avoid
+
+- **Mixing Joda and Java Durations:** Methods like `Tld.get().getRenewGracePeriodLength()` return a **Joda** `Duration`, which cannot be passed directly to `Instant.plus(...)` because it doesn't implement `TemporalAmount`. You MUST use `.plusMillis(duration.getMillis())` instead.
+- **Serialization Precision (`.000Z`):** When asserting against or generating XML/YAML files, remember that millisecond precision (`.000Z`) is required. Always use `DateTimeUtils.formatInstant(...)` to format `Instant` objects (it preserves the `.000Z` suffix) instead of `Instant.toString()` (which drops it for exact seconds). We have added custom Jackson `InstantKeySerializer`s for this purpose, but you must keep this precision in mind when manually updating `.xml` or `.yaml` test data.
+- **Static Imports:** Methods like `toDateTime`, `toInstant`, `plusYears`, `plusMonths`, and `minusDays` from `DateTimeUtils` MUST be statically imported. Do NOT use them fully qualified (e.g., `DateTimeUtils.plusMonths(...)`).
+
+- **Redundant Parses:** Never write `toDateTime(Instant.parse(...))` or `toInstant(DateTime.parse(...))`. If you need a `DateTime`, use `DateTime.parse(...)` directly. If you need an `Instant`, use `Instant.parse(...)` directly.
+- **cloneProjectedAtTime vs cloneProjectedAtInstant:** When converting tests and logic that use `clock.now()` to project resource state into the future or past, do not wrap the Java `Instant` in `toDateTime()` just to call `cloneProjectedAtTime()`. Instead, switch the method call to use the native `cloneProjectedAtInstant()` method which is available on all `EppResource` models.
+- **Do not go in circles with the build:** If you see an `InlineMeSuggester` error, apply the suppression to **ALL** similar methods in that file and related files in one turn. Do not fix them one by one. Furthermore, do not run a global `./gradlew build` when a scoped `./gradlew :core:build` or `./gradlew :core:test` is faster and more appropriate. Run global builds only when doing final verification.
+- **Exception Conversion in Tests:** When migrating time types (e.g., from Joda `DateTime` to Java `Instant`), be extremely careful with tests that verify parsing failures (e.g., `assertThrows(IllegalArgumentException.class, ...)`). Joda's `DateTime.parse()` throws an `IllegalArgumentException` on failure, but `Instant.parse()` throws a `java.time.format.DateTimeParseException`. You must update the expected exception type in these tests to ensure they actually test the correct behavior, and verify the tests are not failing prematurely on the first line if it contains invalid data meant to be ignored.
+- Dagger/AutoValue corruption: If you modify a builder or a component incorrectly, Dagger will fail to generate code, leading to hundreds of "cannot find symbol" errors. If this happens, `git checkout` the last working state of the specific file and re-apply changes more surgically.
+- **`replace` tool context**: When using `replace` on large files (like `Tld.java` or `DomainBase.java`), provide significant surrounding context. These files have many similar method signatures (getters/setters) that can lead to incorrect replacements.
+
+---
+
+# GitHub and Pull Request Protocol
+
+This protocol defines the standard for interacting with GitHub repositories and processing Pull Request (PR) feedback.
+
+## 1. Interaction via `gh` CLI
+- **Primary Tool:** ALWAYS use the `gh` CLI for all GitHub-related operations (listing PRs, viewing PR content, checking status, adding comments).
+- **Credential Safety:** Never expose tokens or credentials in shell commands.
+
+## 2. Processing PR Feedback
+- **Systematic Review:** When asked to address PR comments, first fetch all comments using `gh pr view <number> --json reviews,comments`.
+- **Minimal Scope Expansion:** Address comments surgically. If a fix requires changes beyond a few lines or expands the PR's original scope significantly, DO NOT implement it without explicit user approval. Instead, report the issue to the user.
+- **Verification:** After addressing feedback, run the full build (`./gradlew build`) and relevant tests to ensure no regressions were introduced.
+
+## 3. PR Lifecycle Management
+- **One Commit Per PR:** Ensure all changes are squashed into a single, clean commit. Use `git commit --amend --no-edit` for follow-up fixes.
+- **Clean Workspace:** Always run `git status` and verify the repository state before declaring a task complete.
+- **Package Lock:** The Gradle build automatically modifies `console-webapp/package-lock.json` via the `npmInstallDeps` task. ALWAYS revert this file (`git checkout console-webapp/package-lock.json`) before staging changes or finalizing a commit unless you explicitly modified NPM dependencies.

README.md

@@ -30,8 +30,8 @@ running system:
 
 *   [Install
     guide](https://github.com/google/nomulus/blob/master/docs/install.md)
-*   View the source code for the [GAE app](https://github.com/google/nomulus/tree/master/core/src/main/java/google/registry)
-    and for the [GKE proxy](https://github.com/google/nomulus/tree/master/proxy/src/main/java/google/registry)
+*   View the source code for the [Main HTTP server](https://github.com/google/nomulus/tree/master/core/src/main/java/google/registry)
+    and for the [EPP proxy](https://github.com/google/nomulus/tree/master/proxy/src/main/java/google/registry)
 *   [Other docs](https://github.com/google/nomulus/tree/master/docs)
 *   [Javadoc](https://javadoc.nomulus.foo/)
 *   [Nomulus discussion
@@ -59,8 +59,6 @@ Nomulus has the following capabilities:
     implementation that works with BIND. If you are using Google Cloud DNS, you
     may need to understand its capabilities and provide your own
     multi-[AS](https://en.wikipedia.org/wiki/Autonomous_system_\(Internet\)) solution.
-*   **[WHOIS](https://en.wikipedia.org/wiki/WHOIS)**: A text-based protocol that
-    returns ownership and contact information on registered domain names.
 *   **[Registration Data Access Protocol
     (RDAP)](https://en.wikipedia.org/wiki/Registration_Data_Access_Protocol)**:
     A JSON API that returns structured, machine-readable information about
@@ -139,4 +137,4 @@ additional components that need to be configured separately.
 *   Some Open Source DNS Projects that may be useful, but which we have not
     tested:
     *   [AtomiaDNS](https://github.com/atomia/atomiadns)
-    *   [PowerDNS](https://github.com/PowerDNS/pdns)
+    *   [PowerDNS](https://github.com/PowerDNS/pdns)

appengine_war.gradle

@@ -1,109 +0,0 @@
-// Copyright 2019 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-apply plugin: 'war'
-
-def environment = rootProject.environment
-def gcpProject = rootProject.gcpProject
-
-// Set this directory before applying the appengine plugin so that the
-// plugin will recognize this as an app-engine standard app (and also
-// obtains the appengine-web.xml from the correct location)
-project.convention.plugins['war'].webAppDirName =
-        "../../core/src/main/java/google/registry/env/${environment}/${project.name}"
-
-apply plugin: 'com.google.cloud.tools.appengine'
-
-def coreResourcesDir = "${rootDir}/core/build/resources/main"
-def coreLibsDir = "${rootDir}/core/build/libs"
-
-// Get the web.xml file for the service.
-war {
-    webInf {
-        from "../../core/src/main/java/google/registry/env/common/${project.name}/WEB-INF"
-    }
-}
-
-war {
-    from("${coreResourcesDir}/google/registry/ui/html") {
-        include "*.html"
-    }
-    from("${coreLibsDir}") {
-        include "core.jar"
-        into("WEB-INF/lib")
-    }
-}
-
-if (project.path == ":services:default") {
-    war {
-        from("${coreResourcesDir}/google/registry/ui/html") {
-            include "*.html"
-            into("registrar")
-        }
-    }
-}
-
-appengine {
-    deploy {
-        // appengineDeployAll task requires the version to be set. So,
-        // this config lets gcloud select a version name when deploying
-        // to alpha or sandbox from our workstation.
-        if (!rootProject.prodOrSandboxEnv) {
-            version = 'GCLOUD_CONFIG'
-        }
-
-        // Don't set gcpProject directly, it gets overriden in ./build.gradle.
-        // Do -P environment={crash,alpha} instead.  For sandbox/production,
-        // use Spinnaker.
-        projectId = gcpProject
-    }
-}
-
-dependencies {
-    implementation project(path: ':core', configuration: 'deploy_jar')
-}
-
-// The tools.jar file gets pulled in from the java environment and for some
-// reason gets exploded "readonly", causing subsequent builds to fail when
-// they can't overwrite it.  The hack below makes the file writable after
-// we're done exploding it.
-//
-// Fun fact: We only use this jar for documentation generation and as such we
-// don't need it in our warfile, as it is not used by the application at
-// runtime.  But it's not clear how to exclude it, as we seem to be
-// constructing the jar from the entire WEB-INF directory and per-file
-// exclude rules don't seem to work on it.  Better solutions are welcome :-)
-explodeWar.doLast {
-    file("${it.explodedAppDirectory}/WEB-INF/lib/tools.jar").setWritable(true)
-}
-
-appengineDeployAll.mustRunAfter ':console-webapp:deploy'
-appengineDeployAll.finalizedBy ':deployCloudSchedulerAndQueue'
-rootProject.deploy.dependsOn appengineDeployAll
-
-rootProject.stage.dependsOn appengineStage
-tasks['war'].dependsOn ':core:processResources'
-tasks['war'].dependsOn ':core:jar'
-
-// Impose verification for all of the deployment tasks.  We haven't found a
-// better way to do this other than to apply to each of them independently.
-// If a new task gets added, it will still fail if "environment"  is not defined
-// because gcpProject is null.  We just won't get as friendly an error message.
-appengineDeployAll.configure rootProject.verifyDeploymentConfig
-appengineDeploy.configure rootProject.verifyDeploymentConfig
-appengineDeployCron.configure rootProject.verifyDeploymentConfig
-appengineDeployDispatch.configure rootProject.verifyDeploymentConfig
-appengineDeployDos.configure rootProject.verifyDeploymentConfig
-appengineDeployIndex.configure rootProject.verifyDeploymentConfig
-appengineDeployQueue.configure rootProject.verifyDeploymentConfig

build.gradle

@@ -11,7 +11,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-
 import org.gradle.api.tasks.testing.logging.TestExceptionFormat
 import org.gradle.api.tasks.testing.logging.TestLogEvent
 
@@ -28,8 +27,9 @@ buildscript {
   }
 
   dependencies {
-    classpath 'com.google.cloud.tools:appengine-gradle-plugin:2.4.1'
-    classpath 'net.ltgt.gradle:gradle-errorprone-plugin:3.1.0'
+    classpath 'com.google.cloud.tools:appengine-gradle-plugin:2.5.0'
+    classpath 'net.ltgt.gradle:gradle-errorprone-plugin:5.1.0'
+    classpath 'com.gradleup.shadow:com.gradleup.shadow.gradle.plugin:9.4.0'
     classpath 'org.sonatype.aether:aether-api:1.13.1'
     classpath 'org.sonatype.aether:aether-impl:1.13.1'
   }
@@ -40,15 +40,15 @@ plugins {
 
   // Re-enable when compatible with Gradle 8
   // id 'nebula.lint' version '16.0.2'
-  id 'net.ltgt.errorprone' version '3.1.0'
+  id 'net.ltgt.errorprone' version '5.1.0'
   id 'checkstyle'
-  id 'com.github.johnrengelman.shadow' version '8.1.1'
+  id 'com.gradleup.shadow' version '9.4.0' apply false
 
   // NodeJs plugin
-  id "com.github.node-gradle.node" version "3.0.1"
+  id "com.github.node-gradle.node" version "7.1.0"
 
   id 'idea'
-  id 'com.diffplug.spotless' version '6.20.0'
+  id 'com.diffplug.spotless' version '8.4.0'
 
   id 'jacoco'
   id 'com.dorongold.task-tree' version '2.1.0'
@@ -73,7 +73,15 @@ apply from: 'dependency_lic.gradle'
 
 apply from: 'utils.gradle'
 
-tasks.build.dependsOn(tasks.checkLicense)
+// The license-report plugin must run with --no-parallel due to
+// complex cross-subject references. The `mutex` pattern does not
+// help because a mutex does not enforce task execution order.
+// For now we separate checkLicense from build so that the latter may
+// still take advantage of parallelism, which cuts down the build time
+// by about 20%. The presubmit and release procedures that want to check
+// licenses must invoke checkLicense explicitly with the `--no-parallel`
+// flag.
+// tasks.build.dependsOn(tasks.checkLicense)
 
 // Provide defaults for all of the project properties.
 
@@ -84,10 +92,10 @@ tasks.build.dependsOn(tasks.checkLicense)
 // Paths to main and test sources.
 ext.projectRootDir = "${rootDir}"
 
-// Tasks to deploy/stage all App Engine services
+// Tasks to deploy/stage all services
 task deploy {
   group = 'deployment'
-  description = 'Deploys all services to App Engine.'
+  description = 'Deploys all services.'
 }
 
 task stage {
@@ -153,7 +161,7 @@ allprojects {
     if (!mavenUrl.isEmpty()) {
       maven {
         println "Java dependencies: Using repo ${mavenUrl}..."
-        url mavenUrl
+        url = mavenUrl
         allowInsecureProtocol = allowInsecure == "true"
       }
     } else {
@@ -161,7 +169,7 @@ allprojects {
       mavenCentral()
       google()
       maven {
-        url "https://packages.confluent.io/maven/"
+        url = "https://packages.confluent.io/maven/"
         content {
           includeGroup "io.confluent"
         }
@@ -192,6 +200,7 @@ allprojects {
                                 "--add-exports",
                                 "jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED"]
         options.forkOptions.jvmArgs = ["-J--add-exports=jdk.compiler/com.sun.tools.javac.main=ALL-UNNAMED",
+                                       "-J--add-exports=jdk.compiler/com.sun.tools.javac.model=ALL-UNNAMED",
                                        "-J--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED",
                                        "-J--add-exports=jdk.compiler/com.sun.tools.javac.comp=ALL-UNNAMED",
                                        "-J--add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED",
@@ -255,6 +264,14 @@ subprojects {
   // Skip no-op project
   if (project.name == 'services') return
 
+  apply plugin: 'com.gradleup.shadow'
+
+  tasks.configureEach {
+    if (it.class.name.contains('ShadowJar')) {
+      it.zip64 = true
+    }
+  }
+
   ext.createUberJar = {
       taskName,
       binaryName,
@@ -263,7 +280,8 @@ subprojects {
       List<SourceSetOutput> srcOutput = [project.sourceSets.main.output],
       List<String> excludes = [] ->
     project.tasks.create(
-        taskName, com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar) {
+        taskName, project.tasks.shadowJar.class) {
+      zip64 = true
       mergeServiceFiles()
       archiveBaseName = binaryName
       if (mainClass != '') {
@@ -291,7 +309,7 @@ subprojects {
       // We do seem to get duplicates when constructing uber-jars, either
       // this is a product of something in gradle 7 or a product of gradle 7
       // now giving an error about them when it didn't previously.
-      duplicatesStrategy DuplicatesStrategy.WARN
+      duplicatesStrategy = DuplicatesStrategy.WARN
     }
   }
 
@@ -315,14 +333,14 @@ subprojects {
       // exception.
       //
       // For all other projects, due to problem with the gradle-license-report
-      // plugin, the dependencyLicenseReport configuration must opt out of
+      // plugin, the `detached` configurations by this plugin must opt out of
       // dependency-locking. See dependency_lic.gradle for the reason why.
       //
       // To selectively activate dependency locking without hardcoding them
       // in the 'configurations' block, the following code must run after
       // project evaluation, when all configurations have been created.
-      configurations.each {
-        if (it.name != 'dependencyLicenseReport' && it.name != 'integration') {
+      configurations.all {
+        if (!it.name.contains('detachedConfiguration')) {
           it.resolutionStrategy.activateDependencyLocking()
         }
       }
@@ -331,9 +349,6 @@ subprojects {
 
   // Set up all of the deployment projects.
   if (services.contains(project.path)) {
-
-    apply from: "${rootDir.path}/appengine_war.gradle"
-
     // Return early, do not apply the settings below.
     return
   }
@@ -344,8 +359,14 @@ subprojects {
   // search for `flex-template-base-image` and update the parameter value.
   // There are at least two instances, one in core/build.gradle, one in
   // release/stage_beam_pipeline.sh
-  sourceCompatibility = JavaVersion.VERSION_21
-  targetCompatibility = JavaVersion.VERSION_21
+  // Also need to change:
+  // - base images in Dockerfiles under core, jetty, and proxy.
+  // - Java installation command in the builder image under release.
+  // - cloudbuild-release.yaml under release.
+  java {
+    sourceCompatibility = JavaVersion.VERSION_25
+    targetCompatibility = JavaVersion.VERSION_25
+  }
 
   project.tasks.test.dependsOn runPresubmits
 
@@ -372,25 +393,19 @@ subprojects {
 
   // No need to produce javadoc for the jetty subproject, which has no APIs to
   // expose to users.
-  if (project.name != 'jetty') {
+  if (project.name != 'jetty' && !services.contains(project.path)) {
     javadocSource << project.sourceSets.main.allJava
-    javadocClasspath << project.sourceSets.main.runtimeClasspath
+    javadocClasspath << { project.sourceSets.main.runtimeClasspath.files }
     javadocClasspath << "${buildDir}/generated/sources/annotationProcessor/java/main"
-    javadocDependentTasks << project.tasks.compileJava
+    if (project.tasks.findByName('compileJava')) {
+      javadocDependentTasks << project.tasks.compileJava
+    }
+    if (project.tasks.findByName('processResources')) {
+      javadocDependentTasks << project.tasks.processResources
+    }
   }
 }
 
-// Force SDK download and deployment to be sequential, otherwise parallel tasks
-// will fail. For SDK download, they will try to write to the same location to
-// upgrade gcloud. For deployment, they will try to deploy different services to
-// the same project at the same time.
-for (int i = 1; i < services.size(); i++) {
-  project("${services[i]}").downloadCloudSdk
-          .dependsOn(project("${services[i - 1]}").downloadCloudSdk)
-  project("${services[i]}").appengineDeployAll
-          .dependsOn(project("${services[i - 1]}").appengineDeployAll)
-}
-
 // If "-P verboseTestOutput=true" is passed in, configure all subprojects to dump all of their
 // output and final test status (pass/fail, errors) for each test class.
 //
@@ -523,7 +538,10 @@ task javadoc(type: Javadoc) {
   // In a lot of places we don't write @return so suppress warnings about that.
   // We don't report HTML lint errors because XJB-generated POJO files have
   // incorrect tags (like dangling </p> without the corresponding open tag.
-  options.addBooleanOption('Xdoclint:all,-missing,-html', true)
+  // Starting in Java 25, references to primitives and arrays are forbidden.
+  // The JAXB-generated classes have array references, and we suppress the
+  // error with '-reference'.
+  options.addBooleanOption('Xdoclint:all,-missing,-html,-reference', true)
   options.addBooleanOption("-allow-script-in-comments",true)
   options.tags = ["type:a:Generic Type",
                   "error:a:Expected Error",
@@ -543,6 +561,14 @@ task coreDev {
   dependsOn 'checkLicense'
   dependsOn ':core:check'
   dependsOn 'assemble'
+
+  if (gradle.startParameter.parallelProjectExecutionEnabled
+      && gradle.startParameter.taskNames.contains("coreDev")) {
+    throw new GradleException(
+        "ERROR: 'coreDev' cannot run with --parallel due to checkLicense constraints.\n"
+            + "Please run: ./gradlew coreDev --no-parallel"
+    )
+  }
 }
 
 javadocDependentTasks.each { tasks.javadoc.dependsOn(it) }

buildscript-gradle.lockfile

@@ -4,59 +4,68 @@
 com.diffplug.durian:durian-collect:1.2.0=classpath
 com.diffplug.durian:durian-core:1.2.0=classpath
 com.diffplug.durian:durian-io:1.2.0=classpath
-com.diffplug.durian:durian-swt.os:4.2.0=classpath
-com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:6.20.0=classpath
-com.diffplug.spotless:spotless-lib-extra:2.40.0=classpath
-com.diffplug.spotless:spotless-lib:2.40.0=classpath
-com.diffplug.spotless:spotless-plugin-gradle:6.20.0=classpath
+com.diffplug.durian:durian-swt.os:4.3.0=classpath
+com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:8.4.0=classpath
+com.diffplug.spotless:spotless-lib-extra:4.5.0=classpath
+com.diffplug.spotless:spotless-lib:4.5.0=classpath
+com.diffplug.spotless:spotless-plugin-gradle:8.4.0=classpath
 com.dorongold.plugins:task-tree:2.1.0=classpath
 com.dorongold.task-tree:com.dorongold.task-tree.gradle.plugin:2.1.0=classpath
-com.github.johnrengelman.shadow:com.github.johnrengelman.shadow.gradle.plugin:8.1.1=classpath
-com.github.johnrengelman:shadow:8.1.1=classpath
-com.github.node-gradle.node:com.github.node-gradle.node.gradle.plugin:3.0.1=classpath
-com.github.node-gradle:gradle-node-plugin:3.0.1=classpath
-com.google.cloud.tools:appengine-gradle-plugin:2.4.1=classpath
-com.google.cloud.tools:appengine-plugins-core:0.9.1=classpath
+com.fasterxml.jackson.core:jackson-annotations:2.14.2=classpath
+com.fasterxml.jackson.core:jackson-core:2.14.2=classpath
+com.fasterxml.jackson.core:jackson-databind:2.14.2=classpath
+com.fasterxml.jackson:jackson-bom:2.14.2=classpath
+com.fasterxml.woodstox:woodstox-core:7.1.1=classpath
+com.github.node-gradle.node:com.github.node-gradle.node.gradle.plugin:7.1.0=classpath
+com.github.node-gradle:gradle-node-plugin:7.1.0=classpath
+com.google.cloud.tools:appengine-gradle-plugin:2.5.0=classpath
+com.google.cloud.tools:appengine-plugins-core:0.10.0=classpath
 com.google.code.findbugs:jsr305:3.0.2=classpath
-com.google.code.gson:gson:2.8.6=classpath
-com.google.errorprone:error_prone_annotations:2.3.4=classpath
+com.google.code.gson:gson:2.10.1=classpath
+com.google.errorprone:error_prone_annotations:2.18.0=classpath
 com.google.guava:failureaccess:1.0.1=classpath
-com.google.guava:guava:28.2-jre=classpath
+com.google.guava:guava-parent:32.1.2-jre=classpath
+com.google.guava:guava:32.1.2-jre=classpath
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=classpath
-com.google.j2objc:j2objc-annotations:1.3=classpath
 com.googlecode.concurrent-trees:concurrent-trees:2.6.1=classpath
 com.googlecode.javaewah:JavaEWAH:1.2.3=classpath
-com.squareup.okhttp3:okhttp:4.10.0=classpath
-com.squareup.okio:okio-jvm:3.0.0=classpath
-com.squareup.okio:okio:3.0.0=classpath
-commons-io:commons-io:2.11.0=classpath
-dev.equo.ide:solstice:1.3.1=classpath
-net.ltgt.errorprone:net.ltgt.errorprone.gradle.plugin:3.1.0=classpath
-net.ltgt.gradle:gradle-errorprone-plugin:3.1.0=classpath
-org.apache.ant:ant-launcher:1.10.13=classpath
-org.apache.ant:ant:1.10.13=classpath
-org.apache.commons:commons-compress:1.20=classpath
+com.gradleup.shadow:com.gradleup.shadow.gradle.plugin:9.4.0=classpath
+com.gradleup.shadow:shadow-gradle-plugin:9.4.0=classpath
+com.squareup.okhttp3:okhttp:4.12.0=classpath
+com.squareup.okio:okio-jvm:3.6.0=classpath
+com.squareup.okio:okio:3.6.0=classpath
+commons-codec:commons-codec:1.21.0=classpath
+commons-io:commons-io:2.21.0=classpath
+dev.equo.ide:solstice:1.8.1=classpath
+net.ltgt.errorprone:net.ltgt.errorprone.gradle.plugin:5.1.0=classpath
+net.ltgt.gradle:gradle-errorprone-plugin:5.1.0=classpath
+org.apache.ant:ant-launcher:1.10.15=classpath
+org.apache.ant:ant:1.10.15=classpath
+org.apache.commons:commons-compress:1.21=classpath
 org.apache.commons:commons-lang3:3.5=classpath
-org.checkerframework:checker-qual:2.10.0=classpath
-org.codehaus.plexus:plexus-utils:3.5.1=classpath
-org.eclipse.jgit:org.eclipse.jgit:6.6.0.202305301015-r=classpath
-org.eclipse.platform:org.eclipse.osgi:3.18.300=classpath
+org.apache.maven:maven-api-annotations:4.0.0-rc-5=classpath
+org.apache.maven:maven-api-xml:4.0.0-rc-5=classpath
+org.apache.maven:maven-xml:4.0.0-rc-5=classpath
+org.checkerframework:checker-qual:3.33.0=classpath
+org.codehaus.plexus:plexus-utils:4.0.2=classpath
+org.codehaus.plexus:plexus-xml:4.1.1=classpath
+org.codehaus.woodstox:stax2-api:4.2.2=classpath
+org.eclipse.jgit:org.eclipse.jgit:7.5.0.202512021534-r=classpath
+org.eclipse.platform:org.eclipse.osgi:3.24.100=classpath
 org.glassfish:javax.json:1.0.4=classpath
 org.jdom:jdom2:2.0.6.1=classpath
-org.jetbrains.kotlin:kotlin-stdlib-common:1.6.20=classpath
-org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.5.31=classpath
-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.5.31=classpath
-org.jetbrains.kotlin:kotlin-stdlib:1.6.20=classpath
+org.jetbrains.kotlin:kotlin-metadata-jvm:2.3.20-RC3=classpath
+org.jetbrains.kotlin:kotlin-stdlib-common:2.3.20-RC3=classpath
+org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.9.10=classpath
+org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.10=classpath
+org.jetbrains.kotlin:kotlin-stdlib:2.3.20-RC3=classpath
 org.jetbrains:annotations:13.0=classpath
-org.ow2.asm:asm-commons:9.4=classpath
-org.ow2.asm:asm-tree:9.4=classpath
-org.ow2.asm:asm:9.4=classpath
-org.slf4j:slf4j-api:1.7.36=classpath
+org.slf4j:slf4j-api:2.0.17=classpath
 org.sonatype.aether:aether-api:1.13.1=classpath
 org.sonatype.aether:aether-impl:1.13.1=classpath
 org.sonatype.aether:aether-spi:1.13.1=classpath
 org.sonatype.aether:aether-util:1.13.1=classpath
 org.tukaani:xz:1.9=classpath
-org.vafer:jdependency:2.8.0=classpath
-org.yaml:snakeyaml:1.21=classpath
+org.vafer:jdependency:2.15=classpath
+org.yaml:snakeyaml:2.0=classpath
 empty=

common/gradle.lockfile

@@ -1,71 +1,85 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-aopalliance:aopalliance:1.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.github.ben-manes.caffeine:caffeine:3.0.5=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.github.ben-manes.caffeine:caffeine:3.2.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
+com.github.ben-manes.caffeine:caffeine:3.0.5=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.github.ben-manes.caffeine:caffeine:3.2.3=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
 com.google.auto.value:auto-value-annotations:1.11.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.google.auto.value:auto-value-annotations:1.9=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.auto:auto-common:1.2.1=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,deploy_jar,errorprone,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath,testing,testingAnnotationProcessor,testingCompileClasspath
-com.google.errorprone:error_prone_annotation:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.36.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.google.errorprone:error_prone_annotations:2.7.1=checkstyle
-com.google.errorprone:error_prone_check_api:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.errorprone:error_prone_core:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.errorprone:error_prone_type_annotations:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.errorprone:javac:9+181-r4173-1=errorproneJavac
-com.google.flogger:flogger:0.8=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.google.guava:failureaccess:1.0.1=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor,testingAnnotationProcessor
+com.google.auto.value:auto-value-annotations:1.9=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.auto:auto-common:1.2.2=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.code.findbugs:jsr305:3.0.2=checkstyle,compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.errorprone:error_prone_annotation:2.48.0=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.errorprone:error_prone_annotations:2.36.0=checkstyle
+com.google.errorprone:error_prone_annotations:2.43.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.errorprone:error_prone_annotations:2.48.0=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.errorprone:error_prone_check_api:2.48.0=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.errorprone:error_prone_core:2.48.0=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.flogger:flogger:0.9=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.googlejavaformat:google-java-format:1.34.1=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
 com.google.guava:failureaccess:1.0.2=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.google.guava:guava-parent:32.1.1-jre=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.guava:guava:31.0.1-jre=checkstyle
-com.google.guava:guava:32.1.1-jre=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.guava:guava:33.2.1-android=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=checkstyle,compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.google.inject:guice:5.1.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.j2objc:j2objc-annotations:1.3=checkstyle
-com.google.j2objc:j2objc-annotations:3.0.0=compileClasspath,testCompileClasspath,testingCompileClasspath
-com.google.protobuf:protobuf-java:3.19.6=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.truth:truth:1.4.4=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-com.puppycrawl.tools:checkstyle:9.3=checkstyle
-commons-beanutils:commons-beanutils:1.9.4=checkstyle
+com.google.guava:failureaccess:1.0.3=annotationProcessor,checkstyle,testAnnotationProcessor,testingAnnotationProcessor
+com.google.guava:guava:33.4.3-android=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.guava:guava:33.4.8-jre=checkstyle
+com.google.guava:guava:33.5.0-jre=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,deploy_jar,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath,testing,testingAnnotationProcessor,testingCompileClasspath
+com.google.j2objc:j2objc-annotations:3.0.0=checkstyle,compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.j2objc:j2objc-annotations:3.1=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.protobuf:protobuf-java:4.33.2=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+com.google.truth:truth:1.4.5=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.puppycrawl.tools:checkstyle:10.24.0=checkstyle
+commons-beanutils:commons-beanutils:1.10.1=checkstyle
+commons-codec:commons-codec:1.15=checkstyle
 commons-collections:commons-collections:3.2.2=checkstyle
-info.picocli:picocli:4.6.2=checkstyle
-io.github.eisop:dataflow-errorprone:3.34.0-eisop1=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-io.github.java-diff-utils:java-diff-utils:4.12=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-io.github.java-diff-utils:java-diff-utils:4.15=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-jakarta.inject:jakarta.inject-api:1.0.5=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-javax.inject:javax.inject:1=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-joda-time:joda-time:2.13.1=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+info.picocli:picocli:4.7.7=checkstyle
+io.github.eisop:dataflow-errorprone:3.41.0-eisop1=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+io.github.java-diff-utils:java-diff-utils:4.12=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+io.github.java-diff-utils:java-diff-utils:4.16=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+jakarta.inject:jakarta.inject-api:2.0.1=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+javax.inject:javax.inject:1=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+joda-time:joda-time:2.14.1=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-net.sf.saxon:Saxon-HE:10.6=checkstyle
-org.antlr:antlr4-runtime:4.9.3=checkstyle
+net.sf.saxon:Saxon-HE:12.5=checkstyle
+org.antlr:antlr4-runtime:4.13.2=checkstyle
+org.apache.commons:commons-lang3:3.8.1=checkstyle
+org.apache.commons:commons-text:1.3=checkstyle
+org.apache.httpcomponents.client5:httpclient5:5.1.3=checkstyle
+org.apache.httpcomponents.core5:httpcore5-h2:5.1.3=checkstyle
+org.apache.httpcomponents.core5:httpcore5:5.1.3=checkstyle
+org.apache.httpcomponents:httpclient:4.5.13=checkstyle
+org.apache.httpcomponents:httpcore:4.4.14=checkstyle
+org.apache.maven.doxia:doxia-core:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-logging-api:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-module-xdoc:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-sink-api:1.12.0=checkstyle
+org.apache.xbean:xbean-reflect:3.7=checkstyle
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
-org.checkerframework:checker-compat-qual:2.5.3=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-org.checkerframework:checker-qual:3.12.0=checkstyle
-org.checkerframework:checker-qual:3.33.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-org.checkerframework:checker-qual:3.42.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+org.checkerframework:checker-qual:3.19.0=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
+org.checkerframework:checker-qual:3.43.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+org.checkerframework:checker-qual:3.49.3=checkstyle
+org.codehaus.plexus:plexus-classworlds:2.6.0=checkstyle
+org.codehaus.plexus:plexus-component-annotations:2.1.0=checkstyle
+org.codehaus.plexus:plexus-container-default:2.1.0=checkstyle
+org.codehaus.plexus:plexus-utils:3.3.0=checkstyle
 org.hamcrest:hamcrest-core:1.3=testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-org.jacoco:org.jacoco.agent:0.8.12=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.12=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.12=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.12=jacocoAnt
+org.jacoco:org.jacoco.agent:0.8.14=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.14=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.14=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.14=jacocoAnt
 org.javassist:javassist:3.28.0-GA=checkstyle
-org.jspecify:jspecify:1.0.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-org.junit.jupiter:junit-jupiter-api:5.12.0-RC1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.12.0-RC1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.12.0-RC1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.12.0-RC1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-launcher:1.12.0-RC1=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.12.0-RC1=testCompileClasspath,testRuntimeClasspath
+org.jspecify:jspecify:1.0.0=annotationProcessor,checkstyle,compileClasspath,deploy_jar,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath,testing,testingAnnotationProcessor,testingCompileClasspath
+org.junit.jupiter:junit-jupiter-api:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-launcher:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.13.4=testCompileClasspath,testRuntimeClasspath
 org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
-org.ow2.asm:asm-commons:9.7=jacocoAnt
-org.ow2.asm:asm-tree:9.7=jacocoAnt
-org.ow2.asm:asm:9.7=compileClasspath,deploy_jar,jacocoAnt,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-org.pcollections:pcollections:3.1.4=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
+org.ow2.asm:asm-commons:9.9=jacocoAnt
+org.ow2.asm:asm-tree:9.9=jacocoAnt
+org.ow2.asm:asm:9.8=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+org.ow2.asm:asm:9.9=jacocoAnt
+org.pcollections:pcollections:4.0.1=annotationProcessor,testAnnotationProcessor,testingAnnotationProcessor
 org.reflections:reflections:0.10.2=checkstyle
-empty=testingCompile,testingRuntime,testingRuntimeClasspath
+org.xmlresolver:xmlresolver:5.2.2=checkstyle
+empty=shadow,testingCompile,testingRuntime,testingRuntimeClasspath

common/src/main/java/google/registry/util/Clock.java

@@ -15,6 +15,9 @@
 package google.registry.util;
 
 import java.io.Serializable;
+import java.time.Instant;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
 import javax.annotation.concurrent.ThreadSafe;
 import org.joda.time.DateTime;
 
@@ -30,5 +33,14 @@ import org.joda.time.DateTime;
 public interface Clock extends Serializable {
 
   /** Returns current time in UTC timezone. */
+  @Deprecated
   DateTime nowUtc();
+
+  /** Returns current Instant (which is always in UTC). */
+  Instant now();
+
+  /** Returns the current time as a {@link ZonedDateTime} in UTC. */
+  default ZonedDateTime nowDate() {
+    return ZonedDateTime.ofInstant(now(), ZoneOffset.UTC);
+  }
 }

common/src/main/java/google/registry/util/DateTimeUtils.java

@@ -20,6 +20,15 @@ import com.google.common.collect.Iterables;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Ordering;
 import java.sql.Date;
+import java.time.Instant;
+import java.time.ZoneOffset;
+import java.time.format.DateTimeFormatter;
+import java.time.format.DateTimeFormatterBuilder;
+import java.time.format.DateTimeParseException;
+import java.time.format.SignStyle;
+import java.time.temporal.ChronoField;
+import java.time.temporal.ChronoUnit;
+import javax.annotation.Nullable;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.joda.time.LocalDate;
@@ -28,67 +37,201 @@ import org.joda.time.LocalDate;
 public abstract class DateTimeUtils {
 
   /** The start of the epoch, in a convenient constant. */
-  public static final DateTime START_OF_TIME = new DateTime(0, DateTimeZone.UTC);
+  @Deprecated public static final DateTime START_OF_TIME = new DateTime(0, DateTimeZone.UTC);
+
+  /** The start of the UNIX epoch (which is defined in UTC), in a convenient constant. */
+  public static final Instant START_INSTANT = Instant.ofEpochMilli(0);
 
   /**
    * A date in the far future that we can treat as infinity.
    *
-   * <p>This value is (2^63-1)/1000 rounded down. AppEngine stores dates as 64 bit microseconds, but
-   * Java uses milliseconds, so this is the largest representable date that will survive a
+   * <p>This value is (2^63-1)/1000 rounded down. Postgres can store dates as 64 bit microseconds,
+   * but Java uses milliseconds, so this is the largest representable date that will survive a
    * round-trip through the database.
    */
+  @Deprecated
   public static final DateTime END_OF_TIME = new DateTime(Long.MAX_VALUE / 1000, DateTimeZone.UTC);
 
+  /**
+   * An instant in the far future that we can treat as infinity.
+   *
+   * <p>This value is (2^63-1)/1000 rounded down. Postgres can store dates as 64 bit microseconds,
+   * but Java uses milliseconds, so this is the largest representable date that will survive a
+   * round-trip through the database.
+   */
+  public static final Instant END_INSTANT = Instant.ofEpochMilli(Long.MAX_VALUE / 1000);
+
+  /**
+   * Standard ISO 8601 formatter with millisecond precision in UTC.
+   *
+   * <p>Example: {@code 2024-03-27T10:15:30.105Z}
+   *
+   * <p>Handles large/negative years by using a sign prefix if necessary, compatible with {@link
+   * Instant#parse}.
+   */
+  private static final DateTimeFormatter ISO_8601_FORMATTER =
+      new DateTimeFormatterBuilder()
+          .appendValue(ChronoField.YEAR, 4, 10, SignStyle.NORMAL)
+          .appendPattern("-MM-dd'T'HH:mm:ss.SSS'Z'")
+          .toFormatter()
+          .withZone(ZoneOffset.UTC);
+
+  /** Formats an {@link Instant} to an ISO-8601 string. */
+  public static String formatInstant(Instant instant) {
+    return ISO_8601_FORMATTER.format(instant);
+  }
+
+  /**
+   * Parses an ISO-8601 string to an {@link Instant}.
+   *
+   * <p>This method is lenient and supports both strings with and without millisecond precision
+   * (e.g. {@code 2024-03-27T10:15:30Z} and {@code 2024-03-27T10:15:30.105Z}). It also supports
+   * large years (e.g. {@code 294247-01-10T04:00:54.775Z}).
+   */
+  public static Instant parseInstant(String timestamp) {
+    try {
+      // Try the standard millisecond precision format first.
+      return Instant.from(ISO_8601_FORMATTER.parse(timestamp));
+    } catch (DateTimeParseException e) {
+      // Fall back to the standard ISO instant parser which handles varied precision.
+      return Instant.parse(timestamp);
+    }
+  }
+
   /** Returns the earliest of a number of given {@link DateTime} instances. */
   public static DateTime earliestOf(DateTime first, DateTime... rest) {
+    return earliestDateTimeOf(Lists.asList(first, rest));
+  }
+
+  /** Returns the earliest of a number of given {@link Instant} instances. */
+  public static Instant earliestOf(Instant first, Instant... rest) {
     return earliestOf(Lists.asList(first, rest));
   }
 
   /** Returns the earliest element in a {@link DateTime} iterable. */
-  public static DateTime earliestOf(Iterable<DateTime> dates) {
+  public static DateTime earliestDateTimeOf(Iterable<DateTime> dates) {
     checkArgument(!Iterables.isEmpty(dates));
     return Ordering.<DateTime>natural().min(dates);
   }
 
+  /** Returns the earliest element in a {@link Instant} iterable. */
+  public static Instant earliestOf(Iterable<Instant> instants) {
+    checkArgument(!Iterables.isEmpty(instants));
+    return Ordering.<Instant>natural().min(instants);
+  }
+
   /** Returns the latest of a number of given {@link DateTime} instances. */
   public static DateTime latestOf(DateTime first, DateTime... rest) {
+    return latestDateTimeOf(Lists.asList(first, rest));
+  }
+
+  /** Returns the latest of a number of given {@link Instant} instances. */
+  public static Instant latestOf(Instant first, Instant... rest) {
     return latestOf(Lists.asList(first, rest));
   }
 
   /** Returns the latest element in a {@link DateTime} iterable. */
-  public static DateTime latestOf(Iterable<DateTime> dates) {
+  public static DateTime latestDateTimeOf(Iterable<DateTime> dates) {
     checkArgument(!Iterables.isEmpty(dates));
     return Ordering.<DateTime>natural().max(dates);
   }
 
+  /** Returns the latest element in a {@link Instant} iterable. */
+  public static Instant latestOf(Iterable<Instant> instants) {
+    checkArgument(!Iterables.isEmpty(instants));
+    return Ordering.<Instant>natural().max(instants);
+  }
+
   /** Returns whether the first {@link DateTime} is equal to or earlier than the second. */
   public static boolean isBeforeOrAt(DateTime timeToCheck, DateTime timeToCompareTo) {
     return !timeToCheck.isAfter(timeToCompareTo);
   }
 
+  /** Returns whether the first {@link Instant} is equal to or earlier than the second. */
+  public static boolean isBeforeOrAt(Instant timeToCheck, Instant timeToCompareTo) {
+    return !timeToCheck.isAfter(timeToCompareTo);
+  }
+
   /** Returns whether the first {@link DateTime} is equal to or later than the second. */
   public static boolean isAtOrAfter(DateTime timeToCheck, DateTime timeToCompareTo) {
     return !timeToCheck.isBefore(timeToCompareTo);
   }
 
+  /** Returns whether the first {@link Instant} is equal to or later than the second. */
+  public static boolean isAtOrAfter(Instant timeToCheck, Instant timeToCompareTo) {
+    return !timeToCheck.isBefore(timeToCompareTo);
+  }
+
   /**
    * Adds years to a date, in the {@code Duration} sense of semantic years. Use this instead of
    * {@link DateTime#plusYears} to ensure that we never end up on February 29.
    */
-  public static DateTime leapSafeAddYears(DateTime now, int years) {
+  public static DateTime plusYears(DateTime now, int years) {
     checkArgument(years >= 0);
     return years == 0 ? now : now.plusYears(1).plusYears(years - 1);
   }
 
+  /**
+   * Adds years to a date, in the {@code Duration} sense of semantic years. Use this instead of
+   * {@link java.time.ZonedDateTime#plusYears} to ensure that we never end up on February 29.
+   */
+  public static Instant plusYears(Instant now, int years) {
+    checkArgument(years >= 0);
+    return (years == 0)
+        ? now
+        : now.atZone(ZoneOffset.UTC).plusYears(1).plusYears(years - 1).toInstant();
+  }
+
+  /** Adds months to a date. */
+  public static Instant plusMonths(Instant now, int months) {
+    checkArgument(months >= 0);
+    return now.atZone(ZoneOffset.UTC).plusMonths(months).toInstant();
+  }
+
+  /** Subtracts months from a date. */
+  public static Instant minusMonths(Instant now, int months) {
+    checkArgument(months >= 0);
+    return now.atZone(ZoneOffset.UTC).minusMonths(months).toInstant();
+  }
+
   /**
    * Subtracts years from a date, in the {@code Duration} sense of semantic years. Use this instead
    * of {@link DateTime#minusYears} to ensure that we never end up on February 29.
    */
-  public static DateTime leapSafeSubtractYears(DateTime now, int years) {
+  public static DateTime minusYears(DateTime now, int years) {
     checkArgument(years >= 0);
     return years == 0 ? now : now.minusYears(1).minusYears(years - 1);
   }
 
+  /**
+   * Subtracts years from a date, in the {@code Duration} sense of semantic years. Use this instead
+   * of {@link java.time.ZonedDateTime#minusYears} to ensure that we never end up on February 29.
+   */
+  public static Instant minusYears(Instant now, long years) {
+    checkArgument(years >= 0);
+    return (years == 0)
+        ? now
+        : now.atZone(ZoneOffset.UTC).minusYears(1).minusYears(years - 1).toInstant();
+  }
+
+  /**
+   * @deprecated Use {@link #plusYears(DateTime, int)}
+   */
+  @Deprecated
+  @SuppressWarnings("InlineMeSuggester")
+  public static DateTime leapSafeAddYears(DateTime now, int years) {
+    return plusYears(now, years);
+  }
+
+  /**
+   * @deprecated Use {@link #minusYears(DateTime, int)}
+   */
+  @Deprecated
+  @SuppressWarnings("InlineMeSuggester")
+  public static DateTime leapSafeSubtractYears(DateTime now, int years) {
+    return minusYears(now, years);
+  }
+
   public static Date toSqlDate(LocalDate localDate) {
     return new Date(localDate.toDateTimeAtStartOfDay().getMillis());
   }
@@ -96,4 +239,46 @@ public abstract class DateTimeUtils {
   public static LocalDate toLocalDate(Date date) {
     return new LocalDate(date.getTime(), DateTimeZone.UTC);
   }
+
+  /** Convert a joda {@link DateTime} to a java.time {@link Instant}, null-safe. */
+  @Nullable
+  public static Instant toInstant(@Nullable DateTime dateTime) {
+    return (dateTime == null) ? null : Instant.ofEpochMilli(dateTime.getMillis());
+  }
+
+  /** Convert a java.time {@link Instant} to a joda {@link DateTime}, null-safe. */
+  @Nullable
+  public static DateTime toDateTime(@Nullable Instant instant) {
+    return (instant == null) ? null : new DateTime(instant.toEpochMilli(), DateTimeZone.UTC);
+  }
+
+  /** Convert a java.time {@link java.time.Instant} to a joda {@link org.joda.time.Instant}. */
+  @Nullable
+  public static org.joda.time.Instant toJodaInstant(@Nullable java.time.Instant instant) {
+    return (instant == null) ? null : org.joda.time.Instant.ofEpochMilli(instant.toEpochMilli());
+  }
+
+  public static Instant plusHours(Instant instant, long hours) {
+    return instant.plus(hours, ChronoUnit.HOURS);
+  }
+
+  public static Instant minusHours(Instant instant, long hours) {
+    return instant.minus(hours, ChronoUnit.HOURS);
+  }
+
+  public static Instant plusMinutes(Instant instant, long minutes) {
+    return instant.plus(minutes, ChronoUnit.MINUTES);
+  }
+
+  public static Instant minusMinutes(Instant instant, long minutes) {
+    return instant.minus(minutes, ChronoUnit.MINUTES);
+  }
+
+  public static Instant plusDays(Instant instant, int days) {
+    return instant.atZone(ZoneOffset.UTC).plusDays(days).toInstant();
+  }
+
+  public static Instant minusDays(Instant instant, int days) {
+    return instant.atZone(ZoneOffset.UTC).minusDays(days).toInstant();
+  }
 }

common/src/main/java/google/registry/util/SystemClock.java

@@ -16,8 +16,10 @@ package google.registry.util;
 
 import static org.joda.time.DateTimeZone.UTC;
 
+import jakarta.inject.Inject;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import javax.annotation.concurrent.ThreadSafe;
-import javax.inject.Inject;
 import org.joda.time.DateTime;
 
 /** Clock implementation that proxies to the real system clock. */
@@ -34,4 +36,13 @@ public class SystemClock implements Clock {
   public DateTime nowUtc() {
     return DateTime.now(UTC);
   }
+
+  @Override
+  public Instant now() {
+    // Truncate to milliseconds to match the precision of Joda DateTime and our database schema
+    // (which uses millisecond precision via DateTimeConverter). This prevents subtle comparison
+    // bugs where a high-precision Instant would be considered "after" a truncated database
+    // timestamp.
+    return Instant.now().truncatedTo(ChronoUnit.MILLIS);
+  }
 }

common/src/main/java/google/registry/util/SystemSleeper.java

@@ -17,9 +17,10 @@ package google.registry.util;
 import static com.google.common.base.Preconditions.checkArgument;
 
 import com.google.common.util.concurrent.Uninterruptibles;
+import jakarta.inject.Inject;
 import java.io.Serializable;
+import java.time.Duration;
 import javax.annotation.concurrent.ThreadSafe;
-import javax.inject.Inject;
 import org.joda.time.ReadableDuration;
 
 /** Implementation of {@link Sleeper} for production use. */
@@ -40,6 +41,6 @@ public final class SystemSleeper implements Sleeper, Serializable {
   @Override
   public void sleepUninterruptibly(ReadableDuration duration) {
     checkArgument(duration.getMillis() >= 0);
-    Uninterruptibles.sleepUninterruptibly(java.time.Duration.ofMillis(duration.getMillis()));
+    Uninterruptibles.sleepUninterruptibly(Duration.ofMillis(duration.getMillis()));
   }
 }

common/src/testing/java/google/registry/testing/FakeClock.java

@@ -19,6 +19,7 @@ import static org.joda.time.DateTimeZone.UTC;
 import static org.joda.time.Duration.millis;
 
 import google.registry.util.Clock;
+import java.time.Instant;
 import java.util.concurrent.atomic.AtomicLong;
 import javax.annotation.concurrent.ThreadSafe;
 import org.joda.time.DateTime;
@@ -48,12 +49,22 @@ public final class FakeClock implements Clock {
     setTo(startTime);
   }
 
+  /** Creates a FakeClock initialized to a specific time. */
+  public FakeClock(Instant startTime) {
+    setTo(startTime);
+  }
+
   /** Returns the current time. */
   @Override
   public DateTime nowUtc() {
     return new DateTime(currentTimeMillis.addAndGet(autoIncrementStepMs), UTC);
   }
 
+  @Override
+  public Instant now() {
+    return Instant.ofEpochMilli(currentTimeMillis.addAndGet(autoIncrementStepMs));
+  }
+
   /**
    * Sets the increment applied to the clock whenever it is queried. The increment is zero by
    * default: the clock is left unchanged when queried.
@@ -83,6 +94,11 @@ public final class FakeClock implements Clock {
     currentTimeMillis.set(time.getMillis());
   }
 
+  /** Sets the time to the specified instant. */
+  public void setTo(Instant time) {
+    currentTimeMillis.set(time.toEpochMilli());
+  }
+
   /** Invokes {@link #setAutoIncrementStep} with one millisecond-step. */
   public FakeClock setAutoIncrementByOneMilli() {
     return setAutoIncrementStep(Duration.millis(1));

common/src/testing/java/google/registry/testing/truth/TextDiffSubject.java

@@ -33,6 +33,8 @@ import com.google.common.truth.Fact;
 import com.google.common.truth.FailureMetadata;
 import com.google.common.truth.SimpleSubjectBuilder;
 import com.google.common.truth.Subject;
+import com.google.errorprone.annotations.FormatMethod;
+import com.google.errorprone.annotations.FormatString;
 import java.io.IOException;
 import java.net.URL;
 import java.util.Collection;
@@ -92,17 +94,19 @@ public class TextDiffSubject extends Subject {
 
   private ImmutableList<String> filterComments(List<String> lines) {
     return lines.stream()
+        .filter(line -> !line.isBlank())
         .filter(line -> comments.stream().noneMatch(line::startsWith))
         .collect(ImmutableList.toImmutableList());
   }
 
   public void hasSameContentAs(List<String> expectedContent) {
     checkNotNull(expectedContent, "expectedContent");
-    ImmutableList<String> expected = filterComments(expectedContent);
-    if (filterComments(expected).equals(filterComments(actual))) {
+    ImmutableList<String> filteredExpected = filterComments(expectedContent);
+    ImmutableList<String> filteredActual = filterComments(actual);
+    if (filteredExpected.equals(filteredActual)) {
       return;
     }
-    String diffString = diffFormat.generateDiff(expected, actual);
+    String diffString = diffFormat.generateDiff(filteredExpected, filteredActual);
     failWithoutActual(
         Fact.simpleFact(
             Joiner.on('\n')
@@ -123,8 +127,9 @@ public class TextDiffSubject extends Subject {
     return assertThat(Resources.asCharSource(resourceUrl, UTF_8).readLines());
   }
 
+  @FormatMethod
   public static SimpleSubjectBuilder<TextDiffSubject, URL> assertWithMessageAboutUrlSource(
-      String format, Object... params) {
+      @FormatString String format, Object... params) {
     return assertWithMessage(format, params).about(urlFactory());
   }
 
@@ -190,7 +195,7 @@ public class TextDiffSubject extends Subject {
 
   private record SideBySideRowFormatter(int maxExpectedLineLength, int maxActualLineLength) {
 
-    public String formatRow(String expected, String actual, char padChar) {
+    String formatRow(String expected, String actual, char padChar) {
       return String.format(
           "|%s|%s|",
           Strings.padEnd(expected, maxExpectedLineLength, padChar),

config/dependency-license/allowed_licenses.json

@@ -244,6 +244,12 @@
     {
       "moduleLicense": "The JSON License"
     },
+    {
+      "moduleLicense": "LGPL-2.1-or-later"
+    },
+    {
+      "moduleLicense": "Apache License version 2.0"
+    },
     {
       "moduleLicense": "LGPL-2.1+"
     },
@@ -302,6 +308,11 @@
       "moduleLicense": null,
       "moduleName": "com.fasterxml.jackson:jackson-bom"
     },
+    {
+      // "Apache License, Version 2.0".
+      "moduleLicense": null,
+      "moduleName": "tools.jackson:jackson-bom"
+    },
     {
       // "Apache License, Version 2.0".
       "moduleLicense": null,

config/nom_build.py

@@ -56,7 +56,7 @@ PROPERTIES_HEADER = """\
 # nom_build), run ./nom_build --help.
 #
 # DO NOT EDIT THIS FILE BY HAND
-org.gradle.jvmargs=-Xmx1024m
+org.gradle.jvmargs=-Xmx4096m
 org.gradle.caching=true
 org.gradle.parallel=true
 """
@@ -104,7 +104,7 @@ PROPERTIES = [
     Property('testFilter',
              'Comma separated list of test patterns, if specified run only '
              'these.'),
-    Property('environment', 'GAE Environment for deployment and staging.'),
+    Property('environment', 'Environment for deployment and staging.'),
 
     # Cloud SQL properties
     Property('dbServer',
@@ -117,28 +117,19 @@ PROPERTIES = [
     Property('dbUser', 'Database user name for use in connection'),
     Property('dbPassword', 'Database password for use in connection'),
 
-    Property('publish_repo',
-             'Maven repository that hosts the Cloud SQL schema jar and the '
-             'registry server test jars. Such jars are needed for '
-             'server/schema integration tests. Please refer to <a '
-             'href="./integration/README.md">integration project</a> for more '
-             'information.'),
-    Property('baseSchemaTag',
-             'The nomulus version tag of the schema for use in the schema'
-             'deployment integration test (:db:schemaIncrementalDeployTest)'),
-    Property('schema_version',
-             'The nomulus version tag of the schema for use in a database'
-             'integration test.'),
-    Property('nomulus_version',
-             'The version of nomulus to test against in a database '
-             'integration test.'),
     Property('dot_path',
              'The path to "dot", part of the graphviz package that converts '
              'a BEAM pipeline to image. Setting this property to empty string '
              'will disable image generation.',
              '/usr/bin/dot'),
     Property('pipeline',
-             'The name of the Beam pipeline being staged.')
+             'The name of the Beam pipeline being staged.'),
+    Property('nomulus_env',
+             'For use by scripts. Normally not set manually.'),
+    Property('schema_env',
+             'For use by scripts. Normally not set manually.'),
+    Property('schemaTestArtifactsDir',
+             'For use by scripts. Normally not set manually.')
 ]
 
 GRADLE_FLAGS = [

config/presubmits.py

@@ -25,7 +25,11 @@ import textwrap
 import re
 
 # We should never analyze any generated files
-UNIVERSALLY_SKIPPED_PATTERNS = {"/build/", "cloudbuild-caches", "/out/", ".git/", ".gradle/", "/dist/", "/console-alpha/", "/console-crash/", "/console-qa", "/console-sandbox", "/console-production", "karma.conf.js", "polyfills.ts", "test.ts", "/docs/console-endpoints/"}
+UNIVERSALLY_SKIPPED_PATTERNS = {"/build/", "cloudbuild-caches", "/out/", ".git/",
+     ".gradle/", "/dist/", "/console-alpha/", "/console-crash/", "/console-qa",
+     "/console-sandbox", "/console-production", "karma.conf.js", "polyfills.ts",
+     "test.ts", "/docs/console-endpoints/", "/bin/generated-sources/",
+     "/bin/generated-test-sources/", "src/main/generated", "src/test/generated"}
 # We can't rely on CI to have the Enum package installed so we do this instead.
 FORBIDDEN = 1
 REQUIRED = 2
@@ -87,25 +91,22 @@ PRESUBMITS = {
     PresubmitCheck(
         r".*Copyright 20\d{2} The Nomulus Authors\. All Rights Reserved\.",
         ("java", "js", "soy", "sql", "py", "sh", "gradle", "ts"), {
-            ".git", "/build/", "/bin/generated-sources/", "/bin/generated-test-sources/",
-            "node_modules/", "LoggerConfig.java", "registrar_bin.",
+            ".git", "/build/", "node_modules/", "LoggerConfig.java", "registrar_bin.",
             "registrar_dbg.", "google-java-format-diff.py",
-            "nomulus.golden.sql", "soyutils_usegoog.js", "javascript/checks.js",
-            "/src/main/generated", "/src/test/generated"
+            "nomulus.golden.sql", "soyutils_usegoog.js", "javascript/checks.js"
         }, REQUIRED):
         "File did not include the license header.",
 
     # Files must end in a newline
-    PresubmitCheck(r".*\n$", ("java", "js", "soy", "sql", "py", "sh", "gradle", "ts"),
-                   {"node_modules/"}, REQUIRED):
+    PresubmitCheck(r".*\n$", ("java", "js", "soy", "sql", "py", "sh", "gradle", "ts", "xml"),
+                   {"node_modules/", ".idea"}, REQUIRED):
         "Source files must end in a newline.",
 
     # System.(out|err).println should only appear in tools/ or load-testing/
     PresubmitCheck(
-        r".*\bSystem\.(out|err)\.print", "java", {
-            "StackdriverDashboardBuilder.java", "/tools/", "/example/",
-            "/load-testing/", "RegistryTestServerMain.java",
-            "TestServerExtension.java", "FlowDocumentationTool.java"
+        r".*\bSystem\s*\.\s*(?:out|err)\s*\.\s*print.*", "java", {
+            "/tools/", "/example/", "/load-testing/",
+            "RegistryTestServerMain.java", "TestServerExtension.java"
         }):
         "System.(out|err).println is only allowed in tools/ packages. Please "
         "use a logger instead.",
@@ -118,7 +119,7 @@ PRESUBMITS = {
     ):
         "In SOY please use the ({@param name: string} /** User name. */) style"
         " parameter passing instead of the ( * @param name User name.) style "
-        "parameter pasing.",
+        "parameter passing.",
     PresubmitCheck(
         r'.*\{[^}]+\w+:\s+"',
         "soy",
@@ -137,43 +138,8 @@ PRESUBMITS = {
         {},
     ):
         "All soy templates must use strict autoescaping",
-
-    # various JS linting checks
     PresubmitCheck(
-        r".*goog\.base\(",
-        "js",
-        {"/node_modules/"},
-    ):
-        "Use of goog.base is not allowed.",
-    PresubmitCheck(
-        r".*goog\.dom\.classes",
-        "js",
-        {"/node_modules/"},
-    ):
-        "Instead of goog.dom.classes, use goog.dom.classlist which is smaller "
-        "and faster.",
-    PresubmitCheck(
-        r".*goog\.getMsg",
-        "js",
-        {"/node_modules/"},
-    ):
-        "Put messages in Soy, instead of using goog.getMsg().",
-    PresubmitCheck(
-        r".*(innerHTML|outerHTML)\s*(=|[+]=)([^=]|$)",
-        "js",
-        {"/node_modules/", "registrar_bin."},
-    ):
-        "Do not assign directly to the dom. Use goog.dom.setTextContent to set"
-        " to plain text, goog.dom.removeChildren to clear, or "
-        "soy.renderElement to render anything else",
-    PresubmitCheck(
-        r".*console\.(log|info|warn|error)",
-        "js",
-        {"/node_modules/", "google/registry/ui/js/util.js", "registrar_bin."},
-    ):
-        "JavaScript files should not include console logging.",
-    PresubmitCheck(
-        r".*\nimport (static )?.*\.shaded\..*",
+        r".*\nimport\s+(?:static\s+)?.*\.shaded\..*",
         "java",
         {"/node_modules/"},
     ):
@@ -187,7 +153,7 @@ PRESUBMITS = {
     PresubmitCheck(
         r".*java\.util\.Date.*",
         "java",
-        {"/node_modules/", "JpaTransactionManagerImpl.java"},
+        {"/node_modules/", "JpaTransactionManagerImpl.java", "DateTimeUtils.java"},
     ):
         "Do not use java.util.Date. Use classes in java.time package instead.",
     PresubmitCheck(
@@ -197,7 +163,7 @@ PRESUBMITS = {
     ):
         "Use status code from jakarta.servlet.http.HttpServletResponse.",
     PresubmitCheck(
-        r".*mock\(Response\.class\).*",
+        r".*mock\(\s*Response\.class\s*\).*",
         "java",
         {"/node_modules/"},
     ):
@@ -208,6 +174,129 @@ PRESUBMITS = {
         {"/node_modules/"},
     ):
         "Do not use javax.servlet.* Use jakarta.servlet.* instead.",
+    PresubmitCheck(
+        r".*javax\.inject\..*",
+        "java",
+        {"/node_modules/"},
+    ):
+        "Do not use javax.inject.* Use jakarta.inject.* instead.",
+    PresubmitCheck(
+        r".*import\s+jakarta\.persistence\.(?:Pre|Post)(?:Persist|Load|Remove|Update)\s*;",
+        "java",
+        {"EntityCallbacksListener.java"},
+    ):
+        "Hibernate lifecycle events aren't called for embedded entities, so it's "
+        "usually best to avoid them. Instead, use the annotations defined in "
+        "EntityCallbacksListener.java",
+    PresubmitCheck(
+        r".*\.isEqualTo\(\s*Optional\.of\(.*",
+        "java",
+        {},
+    ):
+        "Do not use .isEqualTo(Optional.of(...)). Use Truth's .hasValue(...) instead.",
+    # TODO: Remove the java.time migration presubmit checks below once the entire codebase has been migrated to java.time.
+    PresubmitCheck(
+        r".*toDateTime\(\s*toInstant\(.*",
+        "java",
+        {"DateTimeUtilsTest.java"},
+    ):
+        "Do not double-wrap toDateTime(toInstant(...)).",
+    PresubmitCheck(
+        r".*toInstant\(\s*toDateTime\(.*",
+        "java",
+        {"DateTimeUtilsTest.java"},
+    ):
+        "Do not double-wrap toInstant(toDateTime(...)).",
+    PresubmitCheck(
+        r".*toInstant\([^;]*[cC]lock\.nowUtc\(\).*",
+        "java",
+        {},
+    ):
+        "Do not use toInstant(clock.nowUtc()). Use clock.now() instead.",
+    PresubmitCheck(
+        r".*toDateTime\([^;]*[cC]lock\.now\(\).*",
+        "java",
+        {},
+    ):
+        "Do not use toDateTime(clock.now()). Use clock.nowUtc() instead.",
+    PresubmitCheck(
+        r".*toInstant\([^;]*tm\(\)\.getTransactionTime\(\).*",
+        "java",
+        {},
+    ):
+        "Do not use toInstant(tm().getTransactionTime()). Use tm().getTxTime() instead.",
+    PresubmitCheck(
+        r".*toDateTime\([^;]*tm\(\)\.getTxTime\(\).*",
+        "java",
+        {},
+    ):
+        "Do not use toDateTime(tm().getTxTime()). Use tm().getTransactionTime() instead.",
+    PresubmitCheck(
+        r".*\(\s*Instant\s*\)\s*(?:this\.)?(?:fakeClock|clock)\.now\(\s*\).*",
+        "java",
+        {},
+    ):
+        "Do not unnecessarily cast clock.now() to Instant.",
+    PresubmitCheck(
+        r".*toDateTime\(\s*Instant\.now\(.*",
+        "java",
+        {},
+    ):
+        "Do not wrap Instant.now() in toDateTime. Use DateTime.now(UTC) directly.",
+    PresubmitCheck(
+        r".*toInstant\(\s*DateTime\.now\(.*",
+        "java",
+        {},
+    ):
+        "Do not wrap DateTime.now() in toInstant. Use Instant.now().truncatedTo(ChronoUnit.MILLIS) directly.",
+    PresubmitCheck(
+        r".*toDateTime\(\s*Instant\.parse\(.*",
+        "java",
+        {"DateTimeUtilsTest.java"},
+    ):
+        "Do not wrap Instant.parse in toDateTime. Use DateTime.parse directly.",
+    PresubmitCheck(
+        r".*toInstant\(\s*DateTime\.parse\(.*",
+        "java",
+        {"DateTimeUtilsTest.java"},
+    ):
+        "Do not wrap DateTime.parse in toInstant. Use Instant.parse directly.",
+    PresubmitCheck(
+        r".*cloneProjectedAtTime\(\s*toDateTime\(.*",
+        "java",
+        {},
+    ):
+        "Do not use cloneProjectedAtTime(toDateTime(...)). Use cloneProjectedAtInstant(...) instead.",
+    PresubmitCheck(
+        r".*ZoneId\.of\(\s*\"UTC\"\s*\).*",
+        "java",
+        {},
+    ):
+        "Do not use ZoneId.of(\"UTC\"). Use java.time.ZoneOffset.UTC.",
+    PresubmitCheck(
+        r".*toDateTime\(\s*END_INSTANT\s*\).*",
+        "java",
+        {"DateTimeUtilsTest.java"},
+    ):
+        "Do not wrap END_INSTANT in toDateTime. Use END_OF_TIME.",
+    PresubmitCheck(
+        r".*toInstant\(\s*END_OF_TIME\s*\).*",
+        "java",
+        {"DateTimeUtilsTest.java"},
+    ):
+        "Do not wrap END_OF_TIME in toInstant. Use END_INSTANT.",
+    PresubmitCheck(
+        r".*toDateTime\(\s*START_INSTANT\s*\).*",
+        "java",
+        {"DateTimeUtilsTest.java"},
+    ):
+        "Do not wrap START_INSTANT in toDateTime. Use START_OF_TIME.",
+    PresubmitCheck(
+        r".*toInstant\(\s*START_OF_TIME\s*\).*",
+        "java",
+        {"DateTimeUtilsTest.java"},
+    ):
+        "Do not wrap START_OF_TIME in toInstant. Use START_INSTANT."
 }
 
 # Note that this regex only works for one kind of Flyway file.  If we want to
@@ -295,26 +384,6 @@ def verify_flyway_index():
   return not success
 
 
-def verify_javascript_deps():
-  """Verifies that we haven't introduced any new javascript dependencies."""
-  with open('package.json') as f:
-    package = json.load(f)
-
-  deps = list(package['dependencies'].keys())
-  if deps != EXPECTED_JS_PACKAGES:
-    print('Unexpected javascript dependencies.  Was expecting '
-          '%s, got %s.' % (EXPECTED_JS_PACKAGES, deps))
-    print(textwrap.dedent("""
-        * If the new dependencies are intentional, please verify that the
-        * license is one of the allowed licenses (see
-        * config/dependency-license/allowed_licenses.json) and add an entry
-        * for the package (with the license in a comment) to the
-        * EXPECTED_JS_PACKAGES variable in config/presubmits.py.
-        """))
-    return True
-  return False
-
-
 def get_files():
   for root, dirnames, filenames in os.walk("."):
     for filename in filenames:
@@ -322,7 +391,6 @@ def get_files():
 
 
 if __name__ == "__main__":
-  print('python version is %s' % sys.version)
   failed = False
   for file in get_files():
     error_messages = []
@@ -339,8 +407,5 @@ if __name__ == "__main__":
   # when we put it here it fails fast before all of the tests are run.
   failed |= verify_flyway_index()
 
-  # Make sure we haven't introduced any javascript dependencies.
-  failed |= verify_javascript_deps()
-
   if failed:
     sys.exit(1)

console-webapp/README.md

@@ -9,7 +9,7 @@ expected to change.
 
 ## Deployment
 
-Webapp is deployed with the nomulus default service war to Google App Engine.
+The webapp is deployed with the nomulus default service war to GKE.
 During nomulus default service war build task, gradle script triggers the
 following:
 

console-webapp/angular.json

@@ -15,7 +15,7 @@
       "prefix": "app",
       "architect": {
         "build": {
-          "builder": "@angular-devkit/build-angular:application",
+          "builder": "@angular/build:application",
           "options": {
             "outputPath": {
               "base": "staged/dist/",
@@ -112,7 +112,7 @@
           "defaultConfiguration": "production"
         },
         "serve": {
-          "builder": "@angular-devkit/build-angular:dev-server",
+          "builder": "@angular/build:dev-server",
           "configurations": {
             "production": {
               "buildTarget": "console-webapp:build:production"
@@ -136,16 +136,18 @@
           "defaultConfiguration": "development"
         },
         "extract-i18n": {
-          "builder": "@angular-devkit/build-angular:extract-i18n",
+          "builder": "@angular/build:extract-i18n",
           "options": {
             "buildTarget": "console-webapp:build"
           }
         },
         "test": {
-          "builder": "@angular-devkit/build-angular:karma",
+          "builder": "@angular/build:karma",
           "options": {
             "main": "src/test.ts",
-            "polyfills": "src/polyfills.ts",
+            "polyfills": [
+              "src/polyfills.ts"
+            ],
             "tsConfig": "tsconfig.spec.json",
             "karmaConfig": "karma.conf.js",
             "inlineStyleLanguage": "scss",
@@ -183,5 +185,31 @@
     "schematicCollections": [
       "@angular-eslint/schematics"
     ]
+  },
+  "schematics": {
+    "@schematics/angular:component": {
+      "type": "component"
+    },
+    "@schematics/angular:directive": {
+      "type": "directive"
+    },
+    "@schematics/angular:service": {
+      "type": "service"
+    },
+    "@schematics/angular:guard": {
+      "typeSeparator": "."
+    },
+    "@schematics/angular:interceptor": {
+      "typeSeparator": "."
+    },
+    "@schematics/angular:module": {
+      "typeSeparator": "."
+    },
+    "@schematics/angular:pipe": {
+      "typeSeparator": "."
+    },
+    "@schematics/angular:resolver": {
+      "typeSeparator": "."
+    }
   }
 }

console-webapp/build.gradle

@@ -101,16 +101,9 @@ task checkFormatting(type: Exec) {
   args 'run', 'prettify:check'
 }
 
-task deploy(type: Exec) {
-  workingDir "${consoleDir}/staged"
-  executable 'gcloud'
-  args 'app', 'deploy', "${projectParam}", '--quiet'
-}
-
 tasks.buildConsoleWebapp.dependsOn(tasks.npmInstallDeps)
 tasks.runConsoleWebappUnitTests.dependsOn(tasks.npmInstallDeps)
 tasks.applyFormatting.dependsOn(tasks.npmInstallDeps)
 tasks.checkFormatting.dependsOn(tasks.npmInstallDeps)
 tasks.build.dependsOn(tasks.checkFormatting)
 tasks.build.dependsOn(tasks.runConsoleWebappUnitTests)
-tasks.deploy.dependsOn(tasks.buildConsoleWebapp)

console-webapp/gradle.lockfile

@@ -1,47 +1,63 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-aopalliance:aopalliance:1.0=annotationProcessor,errorprone,testAnnotationProcessor
-com.github.ben-manes.caffeine:caffeine:3.0.5=annotationProcessor,errorprone,testAnnotationProcessor
-com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.auto.value:auto-value-annotations:1.9=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.auto:auto-common:1.2.1=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor
-com.google.errorprone:error_prone_annotation:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.7.1=checkstyle
-com.google.errorprone:error_prone_check_api:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.errorprone:error_prone_core:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.errorprone:error_prone_type_annotations:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.errorprone:javac:9+181-r4173-1=errorproneJavac
-com.google.guava:failureaccess:1.0.1=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor
-com.google.guava:guava-parent:32.1.1-jre=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.guava:guava:31.0.1-jre=checkstyle
-com.google.guava:guava:32.1.1-jre=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=checkstyle
-com.google.inject:guice:5.1.0=annotationProcessor,errorprone,testAnnotationProcessor
-com.google.j2objc:j2objc-annotations:1.3=checkstyle
-com.google.protobuf:protobuf-java:3.19.6=annotationProcessor,errorprone,testAnnotationProcessor
-com.puppycrawl.tools:checkstyle:9.3=checkstyle
-commons-beanutils:commons-beanutils:1.9.4=checkstyle
+com.github.ben-manes.caffeine:caffeine:3.0.5=annotationProcessor,testAnnotationProcessor
+com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,testAnnotationProcessor
+com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,testAnnotationProcessor
+com.google.auto.value:auto-value-annotations:1.9=annotationProcessor,testAnnotationProcessor
+com.google.auto:auto-common:1.2.2=annotationProcessor,testAnnotationProcessor
+com.google.code.findbugs:jsr305:3.0.2=checkstyle
+com.google.errorprone:error_prone_annotation:2.48.0=annotationProcessor,testAnnotationProcessor
+com.google.errorprone:error_prone_annotations:2.36.0=checkstyle
+com.google.errorprone:error_prone_annotations:2.48.0=annotationProcessor,testAnnotationProcessor
+com.google.errorprone:error_prone_check_api:2.48.0=annotationProcessor,testAnnotationProcessor
+com.google.errorprone:error_prone_core:2.48.0=annotationProcessor,testAnnotationProcessor
+com.google.googlejavaformat:google-java-format:1.34.1=annotationProcessor,testAnnotationProcessor
+com.google.guava:failureaccess:1.0.3=annotationProcessor,checkstyle,testAnnotationProcessor
+com.google.guava:guava:33.4.8-jre=checkstyle
+com.google.guava:guava:33.5.0-jre=annotationProcessor,testAnnotationProcessor
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,testAnnotationProcessor
+com.google.j2objc:j2objc-annotations:3.0.0=checkstyle
+com.google.j2objc:j2objc-annotations:3.1=annotationProcessor,testAnnotationProcessor
+com.google.protobuf:protobuf-java:4.33.2=annotationProcessor,testAnnotationProcessor
+com.puppycrawl.tools:checkstyle:10.24.0=checkstyle
+commons-beanutils:commons-beanutils:1.10.1=checkstyle
+commons-codec:commons-codec:1.15=checkstyle
 commons-collections:commons-collections:3.2.2=checkstyle
-info.picocli:picocli:4.6.2=checkstyle
-io.github.eisop:dataflow-errorprone:3.34.0-eisop1=annotationProcessor,errorprone,testAnnotationProcessor
-io.github.java-diff-utils:java-diff-utils:4.12=annotationProcessor,errorprone,testAnnotationProcessor
-javax.inject:javax.inject:1=annotationProcessor,errorprone,testAnnotationProcessor
-net.sf.saxon:Saxon-HE:10.6=checkstyle
-org.antlr:antlr4-runtime:4.9.3=checkstyle
-org.checkerframework:checker-qual:3.12.0=checkstyle
-org.checkerframework:checker-qual:3.33.0=annotationProcessor,errorprone,testAnnotationProcessor
-org.jacoco:org.jacoco.agent:0.8.12=jacocoAgent,jacocoAnt
-org.jacoco:org.jacoco.ant:0.8.12=jacocoAnt
-org.jacoco:org.jacoco.core:0.8.12=jacocoAnt
-org.jacoco:org.jacoco.report:0.8.12=jacocoAnt
+info.picocli:picocli:4.7.7=checkstyle
+io.github.eisop:dataflow-errorprone:3.41.0-eisop1=annotationProcessor,testAnnotationProcessor
+io.github.java-diff-utils:java-diff-utils:4.12=annotationProcessor,testAnnotationProcessor
+javax.inject:javax.inject:1=annotationProcessor,testAnnotationProcessor
+net.sf.saxon:Saxon-HE:12.5=checkstyle
+org.antlr:antlr4-runtime:4.13.2=checkstyle
+org.apache.commons:commons-lang3:3.8.1=checkstyle
+org.apache.commons:commons-text:1.3=checkstyle
+org.apache.httpcomponents.client5:httpclient5:5.1.3=checkstyle
+org.apache.httpcomponents.core5:httpcore5-h2:5.1.3=checkstyle
+org.apache.httpcomponents.core5:httpcore5:5.1.3=checkstyle
+org.apache.httpcomponents:httpclient:4.5.13=checkstyle
+org.apache.httpcomponents:httpcore:4.4.14=checkstyle
+org.apache.maven.doxia:doxia-core:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-logging-api:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-module-xdoc:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-sink-api:1.12.0=checkstyle
+org.apache.xbean:xbean-reflect:3.7=checkstyle
+org.checkerframework:checker-qual:3.19.0=annotationProcessor,testAnnotationProcessor
+org.checkerframework:checker-qual:3.49.3=checkstyle
+org.codehaus.plexus:plexus-classworlds:2.6.0=checkstyle
+org.codehaus.plexus:plexus-component-annotations:2.1.0=checkstyle
+org.codehaus.plexus:plexus-container-default:2.1.0=checkstyle
+org.codehaus.plexus:plexus-utils:3.3.0=checkstyle
+org.jacoco:org.jacoco.agent:0.8.14=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.14=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.14=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.14=jacocoAnt
 org.javassist:javassist:3.28.0-GA=checkstyle
-org.ow2.asm:asm-commons:9.7=jacocoAnt
-org.ow2.asm:asm-tree:9.7=jacocoAnt
-org.ow2.asm:asm:9.7=jacocoAnt
-org.pcollections:pcollections:3.1.4=annotationProcessor,errorprone,testAnnotationProcessor
+org.jspecify:jspecify:1.0.0=annotationProcessor,checkstyle,testAnnotationProcessor
+org.ow2.asm:asm-commons:9.9=jacocoAnt
+org.ow2.asm:asm-tree:9.9=jacocoAnt
+org.ow2.asm:asm:9.9=jacocoAnt
+org.pcollections:pcollections:4.0.1=annotationProcessor,testAnnotationProcessor
 org.reflections:reflections:0.10.2=checkstyle
-empty=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.xmlresolver:xmlresolver:5.2.2=checkstyle
+empty=compileClasspath,deploy_jar,runtimeClasspath,shadow,testCompileClasspath,testRuntimeClasspath

console-webapp/karma.conf.js

@@ -21,7 +21,7 @@ module.exports = function (config) {
       require('karma-chrome-launcher'),
       require('karma-jasmine-html-reporter'),
       require('karma-coverage'),
-      require('@angular-devkit/build-angular/plugins/karma')
+      
     ],
     client: {
       jasmine: {

console-webapp/package.json

@@ -16,29 +16,29 @@
   },
   "private": true,
   "dependencies": {
-    "@angular/animations": "^19.1.4",
-    "@angular/cdk": "^19.1.2",
-    "@angular/common": "^19.1.4",
-    "@angular/compiler": "^19.1.4",
-    "@angular/core": "^19.1.4",
-    "@angular/forms": "^19.1.4",
-    "@angular/material": "^19.1.2",
-    "@angular/platform-browser": "^19.1.4",
-    "@angular/platform-browser-dynamic": "^19.1.4",
-    "@angular/router": "^19.1.4",
+    "@angular/animations": "^21.1.5",
+    "@angular/cdk": "^21.1.5",
+    "@angular/common": "^21.1.5",
+    "@angular/compiler": "^21.1.5",
+    "@angular/core": "^21.1.5",
+    "@angular/forms": "^21.1.5",
+    "@angular/material": "^21.1.5",
+    "@angular/platform-browser": "^21.1.5",
+    "@angular/platform-browser-dynamic": "^21.1.5",
+    "@angular/router": "^21.1.5",
     "rxjs": "~7.5.0",
     "tslib": "^2.3.0",
     "zone.js": "~0.15.0"
   },
   "devDependencies": {
-    "@angular-devkit/build-angular": "^19.1.5",
     "@angular-eslint/builder": "19.0.2",
     "@angular-eslint/eslint-plugin": "19.0.2",
     "@angular-eslint/eslint-plugin-template": "19.0.2",
     "@angular-eslint/schematics": "19.0.2",
     "@angular-eslint/template-parser": "19.0.2",
-    "@angular/cli": "~19.1.5",
-    "@angular/compiler-cli": "^19.1.4",
+    "@angular/build": "^21.1.4",
+    "@angular/cli": "~21.1.4",
+    "@angular/compiler-cli": "^21.1.5",
     "@types/jasmine": "~4.0.0",
     "@types/node": "^18.19.74",
     "@typescript-eslint/eslint-plugin": "^7.2.0",
@@ -52,6 +52,6 @@
     "karma-jasmine": "~5.1.0",
     "karma-jasmine-html-reporter": "~2.0.0",
     "prettier": "2.8.7",
-    "typescript": "^5.7.3"
+    "typescript": "^5.9.3"
   }
-}
+}

console-webapp/src/app/app-routing.module.ts

@@ -24,8 +24,10 @@ import { ResourcesComponent } from './resources/resources.component';
 import ContactComponent from './settings/contact/contact.component';
 import SecurityComponent from './settings/security/security.component';
 import { SettingsComponent } from './settings/settings.component';
-import WhoisComponent from './settings/whois/whois.component';
 import { SupportComponent } from './support/support.component';
+import RdapComponent from './settings/rdap/rdap.component';
+import { HistoryComponent } from './history/history.component';
+import { PasswordResetVerifyComponent } from './shared/components/passwordReset/passwordResetVerify.component';
 
 export interface RouteWithIcon extends Route {
   iconName?: string;
@@ -38,6 +40,10 @@ export const PATHS = {
 };
 export const routes: RouteWithIcon[] = [
   { path: '', redirectTo: '/home', pathMatch: 'full' },
+  {
+    path: PasswordResetVerifyComponent.PATH,
+    component: PasswordResetVerifyComponent,
+  },
   {
     path: RegistryLockVerifyComponent.PATH,
     component: RegistryLockVerifyComponent,
@@ -59,13 +65,18 @@ export const routes: RouteWithIcon[] = [
     title: 'Dashboard',
     iconName: 'view_comfy_alt',
   },
-  // { path: 'tlds', component: TldsComponent, title: "TLDs", iconName: "event_list" },
   {
     path: DomainListComponent.PATH,
     component: DomainListComponent,
     title: 'Domains',
     iconName: 'view_list',
   },
+  {
+    path: HistoryComponent.PATH,
+    component: HistoryComponent,
+    // title: 'History',
+    // iconName: 'history',
+  },
   {
     path: SettingsComponent.PATH,
     component: SettingsComponent,
@@ -83,9 +94,9 @@ export const routes: RouteWithIcon[] = [
         title: 'Contacts',
       },
       {
-        path: WhoisComponent.PATH,
-        component: WhoisComponent,
-        title: 'WHOIS Info',
+        path: RdapComponent.PATH,
+        component: RdapComponent,
+        title: 'RDAP Info',
       },
       {
         path: SecurityComponent.PATH,

console-webapp/src/app/app.component.html

@@ -1,10 +1,9 @@
 <div class="console-app mat-typography">
   <app-header (toggleNavOpen)="toggleSidenav()"></app-header>
   <div class="console-app__global-spinner">
-    <mat-progress-bar
-      mode="indeterminate"
-      *ngIf="globalLoader.isLoading"
-    ></mat-progress-bar>
+    @if (globalLoader.isLoading) {
+    <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+    }
   </div>
   <mat-sidenav-container class="console-app__container">
     <mat-sidenav-content class="console-app__content-wrapper">

console-webapp/src/app/app.component.spec.ts

@@ -14,30 +14,71 @@
 
 import { provideHttpClient } from '@angular/common/http';
 import { provideHttpClientTesting } from '@angular/common/http/testing';
-import { TestBed } from '@angular/core/testing';
-import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
+import { ComponentFixture, fakeAsync, TestBed } from '@angular/core/testing';
+import { NoopAnimationsModule } from '@angular/platform-browser/animations';
 import { AppComponent } from './app.component';
-import { MaterialModule } from './material.module';
-import { BackendService } from './shared/services/backend.service';
-import { AppRoutingModule } from './app-routing.module';
+import { routes } from './app-routing.module';
 import { AppModule } from './app.module';
+import { PocReminderComponent } from './shared/components/pocReminder/pocReminder.component';
+import { RouterModule } from '@angular/router';
+import { MatSnackBar, MatSnackBarModule } from '@angular/material/snack-bar';
+import { UserData, UserDataService } from './shared/services/userData.service';
+import { Registrar, RegistrarService } from './registrar/registrar.service';
+import { MatSidenavModule } from '@angular/material/sidenav';
+import { signal, WritableSignal } from '@angular/core';
 
 describe('AppComponent', () => {
+  let component: AppComponent;
+  let fixture: ComponentFixture<AppComponent>;
+  let mockRegistrarService: {
+    registrar: WritableSignal<Partial<Registrar> | null | undefined>;
+    registrarId: WritableSignal<string>;
+    registrars: WritableSignal<Array<Partial<Registrar>>>;
+  };
+  let mockUserDataService: { userData: WritableSignal<Partial<UserData>> };
+  let mockSnackBar: jasmine.SpyObj<MatSnackBar>;
+
+  const dummyPocReminderComponent = class {}; // Dummy class for type checking
+
   beforeEach(async () => {
+    mockRegistrarService = {
+      registrar: signal<Registrar | null | undefined>(undefined),
+      registrarId: signal('123'),
+      registrars: signal([]),
+    };
+
+    mockUserDataService = {
+      userData: signal({
+        globalRole: 'NONE',
+      }),
+    };
+
+    mockSnackBar = jasmine.createSpyObj('MatSnackBar', ['openFromComponent']);
+
     await TestBed.configureTestingModule({
-      declarations: [AppComponent],
       imports: [
-        MaterialModule,
-        BrowserAnimationsModule,
-        AppRoutingModule,
+        MatSidenavModule,
+        NoopAnimationsModule,
+        MatSnackBarModule,
         AppModule,
+        RouterModule.forRoot(routes),
       ],
       providers: [
-        BackendService,
+        { provide: RegistrarService, useValue: mockRegistrarService },
+        { provide: UserDataService, useValue: mockUserDataService },
+        { provide: MatSnackBar, useValue: mockSnackBar },
+        { provide: PocReminderComponent, useClass: dummyPocReminderComponent },
         provideHttpClient(),
         provideHttpClientTesting(),
       ],
     }).compileComponents();
+
+    fixture = TestBed.createComponent(AppComponent);
+    component = fixture.componentInstance;
+  });
+
+  afterEach(() => {
+    jasmine.clock().uninstall();
   });
 
   it('should create the app', () => {
@@ -46,4 +87,51 @@ describe('AppComponent', () => {
     const app = fixture.componentInstance;
     expect(app).toBeTruthy();
   });
+
+  describe('PoC Verification Reminder', () => {
+    beforeEach(() => {
+      jasmine.clock().install();
+    });
+
+    it('should open snackbar if lastPocVerificationDate is older than one year', fakeAsync(() => {
+      const MOCK_TODAY = new Date('2024-07-15T10:00:00.000Z');
+      jasmine.clock().mockDate(MOCK_TODAY);
+
+      const twoYearsAgo = new Date(MOCK_TODAY);
+      twoYearsAgo.setFullYear(MOCK_TODAY.getFullYear() - 2);
+
+      mockRegistrarService.registrar.set({
+        lastPocVerificationDate: twoYearsAgo.toISOString(),
+      });
+
+      fixture.detectChanges();
+      TestBed.flushEffects();
+
+      expect(mockSnackBar.openFromComponent).toHaveBeenCalledWith(
+        PocReminderComponent,
+        {
+          horizontalPosition: 'center',
+          verticalPosition: 'top',
+          duration: 1000000000,
+        }
+      );
+    }));
+
+    it('should NOT open snackbar if lastPocVerificationDate is within last year', fakeAsync(() => {
+      const MOCK_TODAY = new Date('2024-07-15T10:00:00.000Z');
+      jasmine.clock().mockDate(MOCK_TODAY);
+
+      const sixMonthsAgo = new Date(MOCK_TODAY);
+      sixMonthsAgo.setMonth(MOCK_TODAY.getMonth() - 6);
+
+      mockRegistrarService.registrar.set({
+        lastPocVerificationDate: sixMonthsAgo.toISOString(),
+      });
+
+      fixture.detectChanges();
+      TestBed.flushEffects();
+
+      expect(mockSnackBar.openFromComponent).not.toHaveBeenCalled();
+    }));
+  });
 });

console-webapp/src/app/app.component.ts

@@ -12,13 +12,15 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { AfterViewInit, Component, ViewChild } from '@angular/core';
+import { AfterViewInit, Component, effect, ViewChild } from '@angular/core';
 import { MatSidenav } from '@angular/material/sidenav';
 import { NavigationEnd, Router } from '@angular/router';
 import { RegistrarService } from './registrar/registrar.service';
 import { BreakPointObserverService } from './shared/services/breakPoint.service';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
 import { UserDataService } from './shared/services/userData.service';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { PocReminderComponent } from './shared/components/pocReminder/pocReminder.component';
 
 @Component({
   selector: 'app-root',
@@ -35,8 +37,28 @@ export class AppComponent implements AfterViewInit {
     protected userDataService: UserDataService,
     protected globalLoader: GlobalLoaderService,
     protected breakpointObserver: BreakPointObserverService,
-    private router: Router
-  ) {}
+    private router: Router,
+    private _snackBar: MatSnackBar
+  ) {
+    effect(() => {
+      const registrar = this.registrarService.registrar();
+      const oneYearAgo = new Date();
+      oneYearAgo.setFullYear(oneYearAgo.getFullYear() - 1);
+      oneYearAgo.setHours(0, 0, 0, 0);
+      if (
+        registrar &&
+        registrar.lastPocVerificationDate &&
+        new Date(registrar.lastPocVerificationDate) < oneYearAgo &&
+        this.userDataService?.userData()?.globalRole === 'NONE'
+      ) {
+        this._snackBar.openFromComponent(PocReminderComponent, {
+          horizontalPosition: 'center',
+          verticalPosition: 'top',
+          duration: 1000000000,
+        });
+      }
+    });
+  }
 
   ngAfterViewInit() {
     this.router.events.subscribe((event) => {

console-webapp/src/app/app.module.ts

@@ -47,8 +47,6 @@ import EppPasswordEditComponent from './settings/security/eppPasswordEdit.compon
 import SecurityComponent from './settings/security/security.component';
 import SecurityEditComponent from './settings/security/securityEdit.component';
 import { SettingsComponent } from './settings/settings.component';
-import WhoisComponent from './settings/whois/whois.component';
-import WhoisEditComponent from './settings/whois/whoisEdit.component';
 import { NotificationsComponent } from './shared/components/notifications/notifications.component';
 import { SelectedRegistrarWrapper } from './shared/components/selectedRegistrarWrapper/selectedRegistrarWrapper.component';
 import { LocationBackDirective } from './shared/directives/locationBack.directive';
@@ -58,8 +56,14 @@ import { GlobalLoaderService } from './shared/services/globalLoader.service';
 import { UserDataService } from './shared/services/userData.service';
 import { SnackBarModule } from './snackbar.module';
 import { SupportComponent } from './support/support.component';
-import { TldsComponent } from './tlds/tlds.component';
 import { ForceFocusDirective } from './shared/directives/forceFocus.directive';
+import RdapComponent from './settings/rdap/rdap.component';
+import RdapEditComponent from './settings/rdap/rdapEdit.component';
+import { PocReminderComponent } from './shared/components/pocReminder/pocReminder.component';
+import { PasswordResetVerifyComponent } from './shared/components/passwordReset/passwordResetVerify.component';
+import { PasswordInputForm } from './shared/components/passwordReset/passwordInputForm.component';
+import { HistoryComponent } from './history/history.component';
+import { HistoryListComponent } from './history/historyList.component';
 
 @NgModule({
   declarations: [SelectedRegistrarWrapper],
@@ -76,30 +80,34 @@ export class SelectedRegistrarModule {}
     ContactDetailsComponent,
     DomainListComponent,
     EppPasswordEditComponent,
+    ForceFocusDirective,
     HeaderComponent,
+    HistoryComponent,
+    HistoryListComponent,
     HomeComponent,
     LocationBackDirective,
-    ForceFocusDirective,
-    UserLevelVisibility,
     NavigationComponent,
     NewRegistrarComponent,
     NotificationsComponent,
+    PasswordInputForm,
+    PasswordResetVerifyComponent,
+    PocReminderComponent,
+    RdapComponent,
+    RdapEditComponent,
+    ReasonDialogComponent,
     RegistrarComponent,
     RegistrarDetailsComponent,
-    RegistryLockComponent,
     RegistrarSelectorComponent,
+    RegistryLockComponent,
     RegistryLockVerifyComponent,
     ResourcesComponent,
+    ResponseDialogComponent,
     SecurityComponent,
     SecurityEditComponent,
     SettingsComponent,
     SettingsContactComponent,
     SupportComponent,
-    TldsComponent,
-    WhoisComponent,
-    WhoisEditComponent,
-    ReasonDialogComponent,
-    ResponseDialogComponent,
+    UserLevelVisibility,
   ],
   bootstrap: [AppComponent],
   imports: [
@@ -108,8 +116,8 @@ export class SelectedRegistrarModule {}
     BrowserModule,
     FormsModule,
     MaterialModule,
-    SnackBarModule,
     SelectedRegistrarModule,
+    SnackBarModule,
   ],
   providers: [
     BackendService,

console-webapp/src/app/domains/domainList.component.html

@@ -143,13 +143,14 @@
             <ng-container matColumnDef="domainName">
               <mat-header-cell *matHeaderCellDef>Domain Name</mat-header-cell>
               <mat-cell *matCellDef="let element">
+                @if (getOperationMessage(element.domainName)) {
                 <mat-icon
-                  *ngIf="getOperationMessage(element.domainName)"
                   [matTooltip]="getOperationMessage(element.domainName)"
                   matTooltipPosition="above"
                   class="primary-text"
                   >info</mat-icon
                 >
+                }
                 <span>{{ element.domainName }}</span>
               </mat-cell>
             </ng-container>
@@ -209,9 +210,9 @@
             <mat-row *matRowDef="let row; columns: displayedColumns"></mat-row>
 
             <!-- Row shown when there is no matching data. -->
-            <mat-row *matNoDataRow>
-              <mat-cell colspan="6">No domains found</mat-cell>
-            </mat-row>
+            <tr class="mat-row" *matNoDataRow>
+              <td class="mat-cell" colspan="6">No domains found</td>
+            </tr>
           </mat-table>
           <mat-paginator
             [length]="totalResults"

console-webapp/src/app/domains/domainList.component.ts

@@ -33,6 +33,7 @@ import {
   MatDialogRef,
 } from '@angular/material/dialog';
 import { RESTRICTED_ELEMENTS } from '../shared/directives/userLevelVisiblity.directive';
+import { CdkColumnDef } from '@angular/cdk/table';
 
 interface DomainResponse {
   message: string;
@@ -114,6 +115,7 @@ export class ReasonDialogComponent {
   templateUrl: './domainList.component.html',
   styleUrls: ['./domainList.component.scss'],
   standalone: false,
+  providers: [CdkColumnDef],
 })
 export class DomainListComponent {
   public static PATH = 'domain-list';

console-webapp/src/app/header/header.component.html

@@ -1,14 +1,15 @@
 <p class="console-app__header">
   <mat-toolbar>
+    @if (breakpointObserver.isMobileView()) {
     <button
       mat-icon-button
       aria-label="Open navigation menu"
       (click)="toggleNavPane()"
-      *ngIf="breakpointObserver.isMobileView()"
       class="console-app__menu-btn"
     >
       <mat-icon>menu</mat-icon>
     </button>
+    }
     <a
       [routerLink]="'/home'"
       routerLinkActive="active"
@@ -65,7 +66,9 @@
       </svg>
     </a>
     <span class="spacer"></span>
-    <app-registrar-selector *ngIf="!breakpointObserver.isMobileView()" />
+    @if (!breakpointObserver.isMobileView()) {
+    <app-registrar-selector />
+    }
     <button
       class="console-app__header-user-icon"
       mat-mini-fab
@@ -79,5 +82,7 @@
       <button mat-menu-item (click)="logOut()">Log out</button>
     </mat-menu>
   </mat-toolbar>
-  <app-registrar-selector *ngIf="breakpointObserver.isMobileView()" />
+  @if (breakpointObserver.isMobileView()) {
+  <app-registrar-selector />
+  }
 </p>

console-webapp/src/app/history/history.component.html

@@ -0,0 +1,62 @@
+<app-selected-registrar-wrapper>
+  <div class="history-log">
+    <h1 class="mat-headline-4" forceFocus>
+      Registrar Console Activity History
+    </h1>
+    <mat-tab-group
+      [elementId]="getElementIdForUserLog()"
+      class="history-log__tabs"
+    >
+      <mat-tab label="Registrar Activity">
+        <div class="spacer"></div>
+
+        <app-history-list
+          [historyRecords]="historyService.historyRecordsRegistrar()"
+          [isLoading]="isLoading"
+        />
+      </mat-tab>
+      <mat-tab label="User Activity">
+        <div class="spacer"></div>
+        <form (ngSubmit)="loadHistory()" #form="ngForm">
+          <section>
+            <mat-form-field appearance="outline">
+              <mat-label>Console User Email: </mat-label>
+              <input
+                matInput
+                id="email"
+                type="email"
+                name="consoleUserEmail"
+                required
+                email
+                [(ngModel)]="consoleUserEmail"
+                #emailControl="ngModel"
+              />
+            </mat-form-field>
+          </section>
+          <div class="spacer"></div>
+          <button
+            mat-flat-button
+            color="primary"
+            type="submit"
+            aria-label="Search user history"
+            [disabled]="!form.valid"
+          >
+            Search
+          </button>
+        </form>
+        <div class="spacer"></div>
+        <app-history-list
+          [historyRecords]="historyService.historyRecordsUser()"
+          [isLoading]="isLoading"
+        />
+      </mat-tab>
+    </mat-tab-group>
+  </div>
+
+  <app-history-list
+    [elementId]="getElementIdForUserLog()"
+    [isReverse]="true"
+    [historyRecords]="historyService.historyRecordsUser()"
+    [isLoading]="isLoading"
+  />
+</app-selected-registrar-wrapper>

console-webapp/src/app/history/history.component.scss

@@ -1,4 +1,4 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,5 +12,11 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-@javax.annotation.ParametersAreNonnullByDefault
-package google.registry.module.backend;
+.history-log {
+  font-family: "Roboto", sans-serif;
+  max-width: 760px;
+
+  .spacer {
+    margin: 20px 0;
+  }
+}

console-webapp/src/app/history/history.component.ts

@@ -0,0 +1,80 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, effect } from '@angular/core';
+import { UserDataService } from '../shared/services/userData.service';
+import { BackendService } from '../shared/services/backend.service';
+import { RegistrarService } from '../registrar/registrar.service';
+import { HistoryService } from './history.service';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import {
+  GlobalLoader,
+  GlobalLoaderService,
+} from '../shared/services/globalLoader.service';
+import { HttpErrorResponse } from '@angular/common/http';
+import { RESTRICTED_ELEMENTS } from '../shared/directives/userLevelVisiblity.directive';
+
+@Component({
+  selector: 'app-history',
+  templateUrl: './history.component.html',
+  styleUrls: ['./history.component.scss'],
+  providers: [HistoryService],
+  standalone: false,
+})
+export class HistoryComponent implements GlobalLoader {
+  public static PATH = 'history';
+
+  consoleUserEmail: string = '';
+  isLoading: boolean = false;
+
+  constructor(
+    private backendService: BackendService,
+    private registrarService: RegistrarService,
+    protected historyService: HistoryService,
+    protected globalLoader: GlobalLoaderService,
+    protected userDataService: UserDataService,
+    private _snackBar: MatSnackBar
+  ) {
+    effect(() => {
+      if (registrarService.registrarId()) {
+        this.loadHistory();
+      }
+    });
+  }
+
+  getElementIdForUserLog() {
+    return RESTRICTED_ELEMENTS.ACTIVITY_PER_USER;
+  }
+
+  loadingTimeout() {
+    this._snackBar.open('Timeout loading records history');
+  }
+
+  loadHistory() {
+    this.globalLoader.startGlobalLoader(this);
+    this.isLoading = true;
+    this.historyService
+      .getHistoryLog(this.registrarService.registrarId(), this.consoleUserEmail)
+      .subscribe({
+        error: (err: HttpErrorResponse) => {
+          this._snackBar.open(err.error || err.message);
+          this.isLoading = false;
+        },
+        next: () => {
+          this.globalLoader.stopGlobalLoader(this);
+          this.isLoading = false;
+        },
+      });
+  }
+}

console-webapp/src/app/history/history.service.ts

@@ -0,0 +1,46 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Injectable, signal } from '@angular/core';
+import { BackendService } from '../shared/services/backend.service';
+import { tap } from 'rxjs';
+
+export interface HistoryRecord {
+  modificationTime: string;
+  type: string;
+  description: string;
+  actingUser: {
+    emailAddress: string;
+  };
+}
+
+@Injectable()
+export class HistoryService {
+  historyRecordsRegistrar = signal<HistoryRecord[]>([]);
+  historyRecordsUser = signal<HistoryRecord[]>([]);
+
+  constructor(private backendService: BackendService) {}
+
+  getHistoryLog(registrarId: string, userEmail?: string) {
+    return this.backendService.getHistoryLog(registrarId, userEmail).pipe(
+      tap((historyRecords: HistoryRecord[]) => {
+        if (userEmail) {
+          this.historyRecordsUser.set(historyRecords);
+        } else {
+          this.historyRecordsRegistrar.set(historyRecords);
+        }
+      })
+    );
+  }
+}

console-webapp/src/app/history/historyList.component.html

@@ -0,0 +1,45 @@
+@if (!isLoading && historyRecords.length == 0) {
+<div class="history-list__no-records">
+  <mat-icon class="history-list__no-records-icon secondary-text"
+    >apps_outage</mat-icon
+  >
+  <h1>No records found</h1>
+</div>
+} @else {
+<mat-card>
+  <mat-card-content>
+    <mat-list role="list">
+      @for (item of historyRecords; track item; let last = $last) {
+      <mat-list-item class="history-list__item">
+        <mat-icon
+          [ngClass]="getIconClass(item.type)"
+          class="history-list__icon"
+        >
+          {{ getIconForType(item.type) }}
+        </mat-icon>
+        <div class="history-list__content">
+          <div class="history-list__description">
+            <span class="history-list__description--main">{{ item.type }}</span>
+            <div>
+              @if (parseDescription(item.description).detail) {
+              <mat-chip class="history-list__chip">
+                {{ parseDescription(item.description).detail }}
+              </mat-chip>
+              }
+            </div>
+          </div>
+          <div class="history-list__user">
+            <b>User - {{ item.actingUser.emailAddress }}</b>
+          </div>
+        </div>
+        <span class="history-list__timestamp">
+          {{ item.modificationTime | date : "MMM d, y, h:mm a" }}
+        </span>
+      </mat-list-item>
+      @if (!last) {
+      <mat-divider></mat-divider>
+      } }
+    </mat-list>
+  </mat-card-content>
+</mat-card>
+}

console-webapp/src/app/history/historyList.component.scss

@@ -0,0 +1,81 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+.history-list {
+  font-family: "Roboto", sans-serif;
+  &__item {
+    display: flex;
+    align-items: center;
+    // Override default mat-list-item height to fit content
+    height: auto !important;
+    padding: 16px 0;
+  }
+
+  &__no-records {
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    flex-direction: column;
+  }
+  &__no-records-icon {
+    width: 4rem;
+    height: 4rem;
+    font-size: 4rem;
+    margin-top: 1.5rem;
+  }
+
+  &__icon {
+    margin-right: 16px;
+
+    &--update {
+      color: #1976d2;
+    }
+
+    &--security {
+      color: #d32f2f;
+    }
+  }
+
+  &__description {
+    &--main {
+      font-size: 1rem;
+      font-weight: 500;
+      color: rgba(0, 0, 0, 0.87);
+      margin-bottom: 1em;
+    }
+  }
+
+  &__content {
+    flex-grow: 1;
+    display: flex;
+    flex-direction: column;
+    gap: 4px;
+    margin-right: 16px;
+  }
+
+  &__chip {
+    margin: 0.5rem 0;
+  }
+
+  &__user {
+    font-size: 0.9rem;
+    color: rgba(0, 0, 0, 0.6);
+  }
+
+  &__timestamp {
+    color: rgba(0, 0, 0, 0.6);
+    white-space: nowrap;
+    text-align: right;
+  }
+}

console-webapp/src/app/history/historyList.component.ts

@@ -0,0 +1,66 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { ChangeDetectionStrategy, Component, Input } from '@angular/core';
+import { HistoryRecord } from './history.service';
+
+@Component({
+  selector: 'app-history-list',
+  templateUrl: './historyList.component.html',
+  styleUrls: ['./historyList.component.scss'],
+  changeDetection: ChangeDetectionStrategy.OnPush,
+  standalone: false,
+})
+export class HistoryListComponent {
+  @Input() historyRecords: HistoryRecord[] = [];
+  @Input() isLoading: boolean = false;
+
+  getIconForType(type: string): string {
+    switch (type) {
+      case 'REGISTRAR_UPDATE':
+        return 'edit';
+      case 'REGISTRAR_SECURITY_UPDATE':
+        return 'security';
+      default:
+        return 'history'; // A fallback icon
+    }
+  }
+
+  getIconClass(type: string): string {
+    switch (type) {
+      case 'REGISTRAR_UPDATE':
+        return 'history-log__icon--update';
+      case 'REGISTRAR_SECURITY_UPDATE':
+        return 'history-log__icon--security';
+      default:
+        return '';
+    }
+  }
+
+  parseDescription(description: string): {
+    main: string;
+    detail: string | null;
+  } {
+    if (!description) {
+      return { main: 'N/A', detail: null };
+    }
+    const parts = description.split('|');
+    const detail = parts.length > 1 ? parts[1].replace(/_/g, ' ') : parts[0];
+
+    return {
+      main: parts[0],
+      detail: detail,
+    };
+  }
+}

console-webapp/src/app/home/home.component.spec.ts

@@ -17,6 +17,9 @@ import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { HomeComponent } from './home.component';
 import { MaterialModule } from '../material.module';
 import { AppModule } from '../app.module';
+import { BackendService } from '../shared/services/backend.service';
+import { provideHttpClient } from '@angular/common/http';
+import { provideHttpClientTesting } from '@angular/common/http/testing';
 
 describe('HomeComponent', () => {
   let component: HomeComponent;
@@ -26,6 +29,11 @@ describe('HomeComponent', () => {
     await TestBed.configureTestingModule({
       imports: [MaterialModule, AppModule],
       declarations: [HomeComponent],
+      providers: [
+        BackendService,
+        provideHttpClient(),
+        provideHttpClientTesting(),
+      ],
     }).compileComponents();
 
     fixture = TestBed.createComponent(HomeComponent);

console-webapp/src/app/navigation/navigation.component.html

@@ -12,9 +12,11 @@
     [class.active]="router.url.includes(node.path)"
     [elementId]="getElementId(node)"
   >
-    <mat-icon class="console-app__nav-icon" *ngIf="node.iconName">
+    @if (node.iconName) {
+    <mat-icon class="console-app__nav-icon">
       {{ node.iconName }}
     </mat-icon>
+    }
     {{ node.title }}
   </mat-tree-node>
   <mat-nested-tree-node
@@ -34,9 +36,11 @@
           {{ treeControl.isExpanded(node) ? "expand_more" : "chevron_right" }}
         </mat-icon>
       </button>
-      <mat-icon class="console-app__nav-icon" *ngIf="node.iconName">
+      @if (node.iconName) {
+      <mat-icon class="console-app__nav-icon">
         {{ node.iconName }}
       </mat-icon>
+      }
       {{ node.title }}
     </div>
     <div

console-webapp/src/app/navigation/navigation.component.ts

@@ -57,7 +57,7 @@ export class NavigationComponent {
   }
 
   ngOnDestroy() {
-    this.subscription.unsubscribe();
+    this.subscription && this.subscription.unsubscribe();
   }
 
   getElementId(node: RouteWithIcon) {

console-webapp/src/app/ote/oteStatus.component.html

@@ -1,25 +1,28 @@
 <h1 class="mat-headline-4">OT&E Status Check</h1>
 @if(registrarId() === null) {
 <h1>Missing registrarId param</h1>
-} @else if(isOte()) {
-<h1 *ngIf="oteStatusResponse().length">
+} @else if(isOte()) { @if (oteStatusResponse().length) {
+<h1>
   Status:
   <span>{{ oteStatusUnfinished().length ? "Unfinished" : "Completed" }}</span>
 </h1>
+}
 <div class="console-app__ote-status">
   @if(oteStatusCompleted().length) {
   <div class="console-app__ote-status_completed">
     <h1>Completed</h1>
-    <div *ngFor="let entry of oteStatusCompleted()">
-      <mat-icon>check_box</mat-icon>{{ entry.description }}
-    </div>
+    @for (entry of oteStatusCompleted(); track entry) {
+    <div><mat-icon>check_box</mat-icon>{{ entry.description }}</div>
+    }
   </div>
   } @if(oteStatusUnfinished().length) {
   <div class="console-app__ote-status_unfinished">
     <h1>Unfinished</h1>
-    <div *ngFor="let entry of oteStatusUnfinished()">
+    @for (entry of oteStatusUnfinished(); track entry) {
+    <div>
       <mat-icon>check_box_outline_blank</mat-icon>{{ entry.description }}
     </div>
+    }
   </div>
   }
 </div>

console-webapp/src/app/ote/oteStatus.component.ts

@@ -18,7 +18,7 @@ import { MatSnackBar } from '@angular/material/snack-bar';
 import { RegistrarService } from '../registrar/registrar.service';
 import { MaterialModule } from '../material.module';
 import { SnackBarModule } from '../snackbar.module';
-import { CommonModule } from '@angular/common';
+
 import { ActivatedRoute, ParamMap } from '@angular/router';
 import { take } from 'rxjs';
 
@@ -31,7 +31,7 @@ export interface OteStatusResponse {
 
 @Component({
   selector: 'app-ote-status',
-  imports: [MaterialModule, SnackBarModule, CommonModule],
+  imports: [MaterialModule, SnackBarModule],
   templateUrl: './oteStatus.component.html',
   styleUrls: ['./oteStatus.component.scss'],
 })

console-webapp/src/app/registrar/newRegistrar.component.ts

@@ -48,7 +48,6 @@ export default class NewRegistrarComponent {
     this.newRegistrar = {
       registrarId: '',
       url: '',
-      whoisServer: '',
       registrarName: '',
       icannReferralEmail: '',
       localizedAddress: {

console-webapp/src/app/registrar/registrar.service.ts

@@ -50,17 +50,16 @@ export interface SecuritySettings
   ipAddressAllowList?: Array<IpAllowListItem>;
 }
 
-export interface WhoisRegistrarFields {
+export interface RdapRegistrarFields {
   ianaIdentifier?: number;
   icannReferralEmail: string;
   localizedAddress: Address;
   registrarId: string;
   url: string;
-  whoisServer: string;
 }
 
 export interface Registrar
-  extends WhoisRegistrarFields,
+  extends RdapRegistrarFields,
     SecuritySettingsBackendModel {
   allowedTlds?: string[];
   billingAccountMap?: object;
@@ -72,6 +71,7 @@ export interface Registrar
   registrarName: string;
   registryLockAllowed?: boolean;
   type?: string;
+  lastPocVerificationDate?: string;
 }
 
 @Injectable({

console-webapp/src/app/registrar/registrarDetails.component.html

@@ -11,9 +11,8 @@
         <mat-icon>arrow_back</mat-icon>
       </button>
       <div class="spacer"></div>
-      @if(!inEdit && !registrarNotFound) {
+      @if(!inEdit && !registrarNotFound) { @if (oteButtonVisible) {
       <button
-        *ngIf="oteButtonVisible"
         mat-stroked-button
         (click)="checkOteStatus()"
         aria-label="Check OT&E account status"
@@ -21,6 +20,7 @@
       >
         Check OT&E Status
       </button>
+      }
       <button
         mat-flat-button
         color="primary"
@@ -39,10 +39,11 @@
     <h1>Registrar not found</h1>
     } @else {
     <h1>{{ registrarInEdit.registrarId }}</h1>
-    <h2 *ngIf="registrarInEdit.registrarName !== registrarInEdit.registrarId">
+    @if (registrarInEdit.registrarName !== registrarInEdit.registrarId) {
+    <h2>
       {{ registrarInEdit.registrarName }}
     </h2>
-    @if(inEdit) {
+    } @if(inEdit) {
     <form (ngSubmit)="saveAndClose()">
       <div>
         <mat-form-field appearance="outline">
@@ -60,15 +61,14 @@
         <mat-form-field appearance="outline">
           <mat-label>Onboarded TLDs: </mat-label>
           <mat-chip-grid #chipGrid aria-label="Enter TLD">
-            <mat-chip-row
-              *ngFor="let tld of registrarInEdit.allowedTlds"
-              (removed)="removeTLD(tld)"
-            >
+            @for (tld of registrarInEdit.allowedTlds; track tld) {
+            <mat-chip-row (removed)="removeTLD(tld)">
               {{ tld }}
               <button matChipRemove aria-label="'remove ' + tld">
                 <mat-icon>cancel</mat-icon>
               </button>
             </mat-chip-row>
+            }
           </mat-chip-grid>
           <input
             placeholder="New tld..."

console-webapp/src/app/registrar/registrarSelector.component.ts

@@ -25,7 +25,10 @@ export class RegistrarSelectorComponent {
   registrarInput = signal<string>(this.registrarService.registrarId());
   filteredOptions?: string[];
   allRegistrarIds = computed(() =>
-    this.registrarService.registrars().map((r) => r.registrarId)
+    this.registrarService
+      .registrars()
+      .map((r) => r.registrarId)
+      .sort()
   );
 
   constructor(protected registrarService: RegistrarService) {

console-webapp/src/app/registrar/registrarsTable.component.html

@@ -5,15 +5,16 @@
   <div class="console-app__registrars-header">
     <h1 class="mat-headline-4" forceFocus>Registrars</h1>
     <div class="spacer"></div>
+    @if (oteButtonVisible) {
     <button
       mat-stroked-button
-      *ngIf="oteButtonVisible"
       (click)="createOteAccount()"
       aria-label="Generate OT&E accounts"
       [elementId]="getElementIdForOteBlock()"
     >
       Create OT&E accounts
     </button>
+    }
     <button
       class="console-app__registrars-new"
       mat-flat-button
@@ -43,10 +44,8 @@
         class="console-app__registrars-table"
         matSort
       >
-        <ng-container
-          *ngFor="let column of columns"
-          [matColumnDef]="column.columnDef"
-        >
+        @for (column of columns; track column) {
+        <ng-container [matColumnDef]="column.columnDef">
           <mat-header-cell *matHeaderCellDef>
             {{ column.header }}
           </mat-header-cell>
@@ -55,6 +54,7 @@
             [innerHTML]="column.cell(row)"
           ></mat-cell>
         </ng-container>
+        }
         <mat-header-row *matHeaderRowDef="displayedColumns"></mat-header-row>
         <mat-row
           *matRowDef="let row; columns: displayedColumns"

console-webapp/src/app/settings/contact/contact.component.html

@@ -22,13 +22,12 @@
   </div>
   } @else {
   <mat-table [dataSource]="dataSource" class="mat-elevation-z0">
-    <ng-container
-      *ngFor="let column of columns"
-      [matColumnDef]="column.columnDef"
-    >
+    @for (column of columns; track column) {
+    <ng-container [matColumnDef]="column.columnDef">
       <mat-header-cell *matHeaderCellDef> {{ column.header }} </mat-header-cell>
       <mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></mat-cell>
     </ng-container>
+    }
     <mat-header-row *matHeaderRowDef="displayedColumns"></mat-header-row>
     <mat-row
       *matRowDef="let row; columns: displayedColumns"

console-webapp/src/app/settings/contact/contact.component.ts

@@ -16,11 +16,7 @@ import { Component, effect, ViewEncapsulation } from '@angular/core';
 import { MatTableDataSource } from '@angular/material/table';
 import { take } from 'rxjs';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
-import {
-  ContactService,
-  contactTypeToViewReadyContact,
-  ViewReadyContact,
-} from './contact.service';
+import { ContactService, ViewReadyContact } from './contact.service';
 
 @Component({
   selector: 'app-contact',

console-webapp/src/app/settings/contact/contact.service.ts

@@ -35,7 +35,7 @@ export const contactTypeToTextMap: contactTypesToUserFriendlyTypes = {
   LEGAL: 'Legal contact',
   MARKETING: 'Marketing contact',
   TECH: 'Technical contact',
-  WHOIS: 'WHOIS-Inquiry contact',
+  WHOIS: 'RDAP-Inquiry contact',
 };
 
 type UserFriendlyType = (typeof contactTypeToTextMap)[contactType];
@@ -47,9 +47,9 @@ export interface Contact {
   registrarId?: string;
   faxNumber?: string;
   types: Array<contactType>;
-  visibleInWhoisAsAdmin?: boolean;
-  visibleInWhoisAsTech?: boolean;
-  visibleInDomainWhoisAsAbuse?: boolean;
+  visibleInRdapAsAdmin?: boolean;
+  visibleInRdapAsTech?: boolean;
+  visibleInDomainRdapAsAbuse?: boolean;
 }
 
 export interface ViewReadyContact extends Contact {
@@ -59,7 +59,10 @@ export interface ViewReadyContact extends Contact {
 export function contactTypeToViewReadyContact(c: Contact): ViewReadyContact {
   return {
     ...c,
-    userFriendlyTypes: c.types?.map((cType) => contactTypeToTextMap[cType]),
+    userFriendlyTypes: (c.types || []).map(
+      (cType) => contactTypeToTextMap[cType]
+    ),
+    types: c.types || [],
   };
 }
 
@@ -83,7 +86,7 @@ export class ContactService {
       : contactTypeToViewReadyContact({
           emailAddress: '',
           name: '',
-          types: ['ADMIN'],
+          types: ['TECH'],
           faxNumber: '',
           phoneNumber: '',
           registrarId: '',
@@ -98,19 +101,21 @@ export class ContactService {
     );
   }
 
-  saveContacts(contacts: ViewReadyContact[]): Observable<Contact[]> {
+  updateContact(contact: ViewReadyContact) {
     return this.backend
-      .postContacts(this.registrarService.registrarId(), contacts)
+      .updateContact(this.registrarService.registrarId(), contact)
       .pipe(switchMap((_) => this.fetchContacts()));
   }
 
   addContact(contact: ViewReadyContact) {
-    const newContacts = this.contacts().concat([contact]);
-    return this.saveContacts(newContacts);
+    return this.backend
+      .createContact(this.registrarService.registrarId(), contact)
+      .pipe(switchMap((_) => this.fetchContacts()));
   }
 
   deleteContact(contact: ViewReadyContact) {
-    const newContacts = this.contacts().filter((c) => c !== contact);
-    return this.saveContacts(newContacts);
+    return this.backend
+      .deleteContact(this.registrarService.registrarId(), contact)
+      .pipe(switchMap((_) => this.fetchContacts()));
   }
 }

console-webapp/src/app/settings/contact/contactDetails.component.html

@@ -1,9 +1,5 @@
-<div
-  class="console-app__contact"
-  *ngIf="contactService.contactInEdit"
-  cdkTrapFocus
-  [cdkTrapFocusAutoCapture]="true"
->
+@if (contactService.contactInEdit) {
+<div class="console-app__contact" cdkTrapFocus [cdkTrapFocusAutoCapture]="true">
   <div class="console-app__contact-controls">
     <button
       mat-icon-button
@@ -32,7 +28,6 @@
     </button>
     }
   </div>
-
   @if(isEditing || contactService.isContactNewView) {
   <h1>Contact Details</h1>
   <form (ngSubmit)="save($event)">
@@ -46,7 +41,6 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Primary account email: </mat-label>
         <input
@@ -56,9 +50,14 @@
           [required]="true"
           [(ngModel)]="contactService.contactInEdit.emailAddress"
           [ngModelOptions]="{ standalone: true }"
+          [disabled]="emailAddressIsDisabled()"
+          [matTooltip]="
+            emailAddressIsDisabled()
+              ? 'Reach out to registry customer support to update email address'
+              : ''
+          "
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Phone: </mat-label>
         <input
@@ -68,7 +67,6 @@
           placeholder="+0.0000000000"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Fax: </mat-label>
         <input
@@ -78,48 +76,47 @@
         />
       </mat-form-field>
     </section>
-
     <section>
       <h1>Contact Type</h1>
       <p class="console-app__contact-required">
         <mat-icon color="accent">error</mat-icon>Required to select at least one
+        (primary contact can't be updated)
       </p>
       <div class="">
+        @for (contactType of contactTypeToTextMap | keyvalue; track contactType)
+        { @if (shouldDisplayCheckbox(contactType.key)) {
         <mat-checkbox
-          *ngFor="let contactType of contactTypeToTextMap | keyvalue"
           [checked]="checkboxIsChecked(contactType.key)"
           (change)="checkboxOnChange($event, contactType.key)"
           [disabled]="checkboxIsDisabled(contactType.key)"
         >
           {{ contactType.value }}
         </mat-checkbox>
+        } }
       </div>
     </section>
-
     <section>
-      <h1>WHOIS Preferences</h1>
+      <h1>RDAP Preferences</h1>
       <div>
         <mat-checkbox
-          [(ngModel)]="contactService.contactInEdit.visibleInWhoisAsAdmin"
+          [(ngModel)]="contactService.contactInEdit.visibleInRdapAsAdmin"
           [ngModelOptions]="{ standalone: true }"
-          >Show in Registrar WHOIS record as admin contact</mat-checkbox
+          >Show in Registrar RDAP record as admin contact</mat-checkbox
         >
       </div>
-
       <div>
         <mat-checkbox
-          [(ngModel)]="contactService.contactInEdit.visibleInWhoisAsTech"
+          [(ngModel)]="contactService.contactInEdit.visibleInRdapAsTech"
           [ngModelOptions]="{ standalone: true }"
-          >Show in Registrar WHOIS record as technical contact</mat-checkbox
+          >Show in Registrar RDAP record as technical contact</mat-checkbox
         >
       </div>
-
       <div>
         <mat-checkbox
-          [(ngModel)]="contactService.contactInEdit.visibleInDomainWhoisAsAbuse"
+          [(ngModel)]="contactService.contactInEdit.visibleInDomainRdapAsAbuse"
           [ngModelOptions]="{ standalone: true }"
-          >Show Phone and Email in Domain WHOIS Record as registrar abuse
-          contact (per CL&D requirements)</mat-checkbox
+          >Show Phone and Email in Domain RDAP Record as registrar abuse contact
+          (per CL&D requirements)</mat-checkbox
         >
       </div>
     </section>
@@ -176,30 +173,28 @@
     <mat-card-content>
       <mat-list role="list">
         <mat-list-item role="listitem">
-          <h2>WHOIS Preferences</h2>
+          <h2>RDAP Preferences</h2>
         </mat-list-item>
-        @if(contactService.contactInEdit.visibleInWhoisAsAdmin) {
+        @if(contactService.contactInEdit.visibleInRdapAsAdmin) {
         <mat-divider></mat-divider>
         <mat-list-item role="listitem">
           <span class="console-app__list-value"
-            >Show in Registrar WHOIS record as admin contact</span
+            >Show in Registrar RDAP record as admin contact</span
           >
         </mat-list-item>
-        } @if(contactService.contactInEdit.visibleInWhoisAsTech) {
+        } @if(contactService.contactInEdit.visibleInRdapAsTech) {
         <mat-divider></mat-divider>
-        <mat-list-item
-          role="listitem"
-          *ngIf="contactService.contactInEdit.visibleInWhoisAsTech"
-        >
+        @if (contactService.contactInEdit.visibleInRdapAsTech) {
+        <mat-list-item role="listitem">
           <span class="console-app__list-value"
-            >Show in Registrar WHOIS record as technical contact</span
+            >Show in Registrar RDAP record as technical contact</span
           >
         </mat-list-item>
-        } @if(contactService.contactInEdit.visibleInDomainWhoisAsAbuse) {
+        } } @if(contactService.contactInEdit.visibleInDomainRdapAsAbuse) {
         <mat-divider></mat-divider>
         <mat-list-item role="listitem">
           <span class="console-app__list-value"
-            >Show Phone and Email in Domain WHOIS Record as registrar abuse
+            >Show Phone and Email in Domain RDAP Record as registrar abuse
             contact (per CL&D requirements)</span
           >
         </mat-list-item>
@@ -209,3 +204,4 @@
   </mat-card>
   }
 </div>
+}

console-webapp/src/app/settings/contact/contactDetails.component.ts

@@ -69,9 +69,13 @@ export class ContactDetailsComponent {
 
   save(e: SubmitEvent) {
     e.preventDefault();
+    if ((this.contactService.contactInEdit.types || []).length === 0) {
+      this._snackBar.open('Required to select contact type');
+      return;
+    }
     const request = this.contactService.isContactNewView
       ? this.contactService.addContact(this.contactService.contactInEdit)
-      : this.contactService.saveContacts(this.contactService.contacts());
+      : this.contactService.updateContact(this.contactService.contactInEdit);
     request.subscribe({
       complete: () => {
         this.goBack();
@@ -82,6 +86,10 @@ export class ContactDetailsComponent {
     });
   }
 
+  shouldDisplayCheckbox(type: string) {
+    return type !== 'ADMIN' || this.checkboxIsChecked(type);
+  }
+
   checkboxIsChecked(type: string) {
     return this.contactService.contactInEdit.types.includes(
       type as contactType
@@ -89,6 +97,9 @@ export class ContactDetailsComponent {
   }
 
   checkboxIsDisabled(type: string) {
+    if (type === 'ADMIN') {
+      return true;
+    }
     return (
       this.contactService.contactInEdit.types.length === 1 &&
       this.contactService.contactInEdit.types[0] === (type as contactType)
@@ -105,4 +116,8 @@ export class ContactDetailsComponent {
         );
     }
   }
+
+  emailAddressIsDisabled() {
+    return this.contactService.contactInEdit.types.includes('ADMIN');
+  }
 }

console-webapp/src/app/settings/rdap/rdap.component.html

@@ -1,18 +1,18 @@
-@if(whoisService.editing) {
-<app-whois-edit></app-whois-edit>
+@if(rdapService.editing) {
+<app-rdap-edit></app-rdap-edit>
 } @else {
-<div class="console-app__whois">
-  <div class="console-app__whois-controls">
+<div class="console-app__rdap">
+  <div class="console-app__rdap-controls">
     <span>
-      General registrar information for your WHOIS record. This information is
-      always visible in WHOIS.
+      General registrar information for your RDAP record. This information is
+      always visible in RDAP.
     </span>
     <div class="spacer"></div>
     <button
       mat-flat-button
       color="primary"
-      aria-label="Edit WHOIS record"
-      (click)="whoisService.editing = true"
+      aria-label="Edit RDAP record"
+      (click)="rdapService.editing = true"
     >
       <mat-icon>edit</mat-icon>
       Edit
@@ -61,45 +61,5 @@
       </mat-list>
     </mat-card-content>
   </mat-card>
-
-  <mat-card appearance="outlined">
-    <mat-card-content>
-      <mat-list role="list">
-        <mat-list-item role="listitem">
-          <h2>Technical Info</h2>
-        </mat-list-item>
-        <mat-divider></mat-divider>
-        <mat-list-item role="listitem">
-          <span class="console-app__list-key">IANA Identifier</span>
-          <span class="console-app__list-value">{{
-            registrarService.registrar()?.ianaIdentifier
-          }}</span>
-        </mat-list-item>
-        <mat-divider></mat-divider>
-        <mat-list-item role="listitem">
-          <div>
-            <span class="console-app__list-key">ICANN Referral Email</span>
-            <span class="console-app__list-value">{{
-              registrarService.registrar()?.icannReferralEmail
-            }}</span>
-          </div>
-        </mat-list-item>
-        <mat-divider></mat-divider>
-        <mat-list-item role="listitem">
-          <span class="console-app__list-key">WHOIS server</span>
-          <span class="console-app__list-value">{{
-            registrarService.registrar()?.whoisServer
-          }}</span>
-        </mat-list-item>
-        <mat-divider></mat-divider>
-        <mat-list-item role="listitem">
-          <span class="console-app__list-key">Referral URL</span>
-          <span class="console-app__list-value">{{
-            registrarService.registrar()?.url
-          }}</span>
-        </mat-list-item>
-      </mat-list>
-    </mat-card-content>
-  </mat-card>
 </div>
 }

console-webapp/src/app/settings/rdap/rdap.component.scss

@@ -1,4 +1,4 @@
-.console-app__whois {
+.console-app__rdap {
   max-width: 616px;
 
   &-controls {

console-webapp/src/app/settings/rdap/rdap.component.spec.ts

@@ -20,15 +20,15 @@ import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
 import { MaterialModule } from 'src/app/material.module';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
 import { BackendService } from 'src/app/shared/services/backend.service';
-import WhoisComponent from './whois.component';
+import RdapComponent from './rdap.component';
 
-describe('WhoisComponent', () => {
-  let component: WhoisComponent;
-  let fixture: ComponentFixture<WhoisComponent>;
+describe('RdapComponent', () => {
+  let component: RdapComponent;
+  let fixture: ComponentFixture<RdapComponent>;
 
   beforeEach(async () => {
     await TestBed.configureTestingModule({
-      declarations: [WhoisComponent],
+      declarations: [RdapComponent],
       imports: [MaterialModule, BrowserAnimationsModule],
       providers: [
         BackendService,
@@ -45,7 +45,7 @@ describe('WhoisComponent', () => {
       ],
     }).compileComponents();
 
-    fixture = TestBed.createComponent(WhoisComponent);
+    fixture = TestBed.createComponent(RdapComponent);
     component = fixture.componentInstance;
     fixture.detectChanges();
   });

console-webapp/src/app/settings/rdap/rdap.component.ts

@@ -14,17 +14,16 @@
 
 import { Component, computed } from '@angular/core';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
-
-import { WhoisService } from './whois.service';
+import { RdapService } from './rdap.service';
 
 @Component({
-  selector: 'app-whois',
-  templateUrl: './whois.component.html',
-  styleUrls: ['./whois.component.scss'],
+  selector: 'app-rdap',
+  templateUrl: './rdap.component.html',
+  styleUrls: ['./rdap.component.scss'],
   standalone: false,
 })
-export default class WhoisComponent {
-  public static PATH = 'whois';
+export default class RdapComponent {
+  public static PATH = 'rdap';
   formattedAddress = computed(() => {
     let result = '';
     const registrar = this.registrarService.registrar();
@@ -47,7 +46,7 @@ export default class WhoisComponent {
   });
 
   constructor(
-    public whoisService: WhoisService,
+    public rdapService: RdapService,
     public registrarService: RegistrarService
   ) {}
 }

console-webapp/src/app/settings/rdap/rdap.service.ts

@@ -16,14 +16,14 @@ import { Injectable } from '@angular/core';
 import { switchMap } from 'rxjs';
 import {
   RegistrarService,
-  WhoisRegistrarFields,
+  RdapRegistrarFields,
 } from 'src/app/registrar/registrar.service';
 import { BackendService } from 'src/app/shared/services/backend.service';
 
 @Injectable({
   providedIn: 'root',
 })
-export class WhoisService {
+export class RdapService {
   editing: boolean = false;
 
   constructor(
@@ -31,8 +31,8 @@ export class WhoisService {
     private registrarService: RegistrarService
   ) {}
 
-  saveChanges(newWhoisRegistrarFields: WhoisRegistrarFields) {
-    return this.backend.postWhoisRegistrarFields(newWhoisRegistrarFields).pipe(
+  saveChanges(newRdapRegistrarFields: RdapRegistrarFields) {
+    return this.backend.postRdapRegistrarFields(newRdapRegistrarFields).pipe(
       switchMap(() => {
         return this.registrarService.loadRegistrars();
       })

console-webapp/src/app/settings/rdap/rdapEdit.component.html

@@ -1,29 +1,26 @@
+@if (registrarInEdit) {
 <div
-  class="console-app__whois-edit"
-  *ngIf="registrarInEdit"
+  class="console-app__rdap-edit"
   cdkTrapFocus
   [cdkTrapFocusAutoCapture]="true"
 >
   <button
     mat-icon-button
-    class="console-app__whois-edit-back"
-    aria-label="Back to whois view"
-    (click)="whoisService.editing = false"
+    class="console-app__rdap-edit-back"
+    aria-label="Back to rdap view"
+    (click)="rdapService.editing = false"
   >
     <mat-icon>arrow_back</mat-icon>
   </button>
-
-  <div class="console-app__whois-edit-controls">
+  <div class="console-app__rdap-edit-controls">
     <span>
-      General registrar information for your WHOIS record. This information is
-      always visible in WHOIS.
+      General registrar information for your RDAP record. This information is
+      always visible in RDAP.
     </span>
     <div class="spacer"></div>
   </div>
-
-  <div class="console-app__whois-edit">
+  <div class="console-app__rdap-edit">
     <h1>Personal info</h1>
-
     <form (ngSubmit)="save($event)">
       <mat-form-field appearance="outline">
         <mat-label>Email: </mat-label>
@@ -34,7 +31,6 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Phone: </mat-label>
         <input
@@ -44,7 +40,6 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Fax: </mat-label>
         <input
@@ -54,7 +49,6 @@
           [ngModelOptions]="{ standalone: true }"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Street Address (line 1): </mat-label>
         <input
@@ -64,7 +58,6 @@
           [(ngModel)]="registrarInEdit.localizedAddress.street![0]"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Street Address (line 2): </mat-label>
         <input
@@ -74,7 +67,6 @@
           [(ngModel)]="registrarInEdit.localizedAddress.street![1]"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>City: </mat-label>
         <input
@@ -84,7 +76,6 @@
           [(ngModel)]="(registrarInEdit.localizedAddress || {}).city"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>State or Province: </mat-label>
         <input
@@ -94,7 +85,6 @@
           [(ngModel)]="(registrarInEdit.localizedAddress || {}).state"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Country: </mat-label>
         <input
@@ -104,7 +94,6 @@
           [(ngModel)]="(registrarInEdit.localizedAddress || {}).countryCode"
         />
       </mat-form-field>
-
       <mat-form-field appearance="outline">
         <mat-label>Postal code: </mat-label>
         <input
@@ -114,49 +103,15 @@
           [(ngModel)]="(registrarInEdit.localizedAddress || {}).zip"
         />
       </mat-form-field>
-
-      <h1>Technical info</h1>
-
-      <mat-form-field appearance="outline">
-        <mat-label>WHOIS server: </mat-label>
-        <input
-          matInput
-          type="text"
-          [(ngModel)]="registrarInEdit.whoisServer"
-          [ngModelOptions]="{ standalone: true }"
-        />
-      </mat-form-field>
-
-      <mat-form-field appearance="outline">
-        <mat-label>Referral URL: </mat-label>
-        <input
-          matInput
-          type="text"
-          [(ngModel)]="registrarInEdit.url"
-          [ngModelOptions]="{ standalone: true }"
-        />
-      </mat-form-field>
-
-      @if((userDataService.userData()?.globalRole || 'NONE') !== "NONE") {
-      <mat-form-field appearance="outline">
-        <mat-label>ICANN Referral Email: </mat-label>
-        <input
-          matInput
-          type="text"
-          [(ngModel)]="registrarInEdit.icannReferralEmail"
-          [ngModelOptions]="{ standalone: true }"
-        />
-      </mat-form-field>
-      }
-
       <button
         mat-flat-button
         color="primary"
         type="submit"
-        aria-label="Save WHOIS settings"
+        aria-label="Save RDAO settings"
       >
         Save
       </button>
     </form>
   </div>
 </div>
+}

console-webapp/src/app/settings/rdap/rdapEdit.component.scss

@@ -1,4 +1,4 @@
-.console-app__whois-edit {
+.console-app__rdap-edit {
   max-width: 616px;
 
   &-controls {

console-webapp/src/app/settings/rdap/rdapEdit.component.ts

@@ -20,20 +20,20 @@ import {
   RegistrarService,
 } from 'src/app/registrar/registrar.service';
 import { UserDataService } from 'src/app/shared/services/userData.service';
-import { WhoisService } from './whois.service';
+import { RdapService } from './rdap.service';
 
 @Component({
-  selector: 'app-whois-edit',
-  templateUrl: './whoisEdit.component.html',
-  styleUrls: ['./whoisEdit.component.scss'],
+  selector: 'app-rdap-edit',
+  templateUrl: './rdapEdit.component.html',
+  styleUrls: ['./rdapEdit.component.scss'],
   standalone: false,
 })
-export default class WhoisEditComponent {
+export default class RdapEditComponent {
   registrarInEdit: Registrar | undefined;
 
   constructor(
     public userDataService: UserDataService,
-    public whoisService: WhoisService,
+    public rdapService: RdapService,
     public registrarService: RegistrarService,
     private _snackBar: MatSnackBar
   ) {
@@ -49,9 +49,9 @@ export default class WhoisEditComponent {
     e.preventDefault();
     if (!this.registrarInEdit) return;
 
-    this.whoisService.saveChanges(this.registrarInEdit).subscribe({
+    this.rdapService.saveChanges(this.registrarInEdit).subscribe({
       complete: () => {
-        this.whoisService.editing = false;
+        this.rdapService.editing = false;
       },
       error: (err: HttpErrorResponse) => {
         this._snackBar.open(err.error);

console-webapp/src/app/settings/security/eppPasswordEdit.component.html

@@ -16,65 +16,20 @@
   <p class="secondary-text">
     Passwords must be between 6 and 16 alphanumeric characters
   </p>
-  <form
-    (ngSubmit)="save()"
+  <password-input-form-component
+    [displayOldPasswordField]="true"
     [formGroup]="passwordUpdateForm"
-    class="settings-security__edit-password-form"
-  >
-    <div class="settings-security__edit-password-field">
-      <mat-form-field appearance="outline">
-        <mat-label>Old password: </mat-label>
-        <input
-          matInput
-          type="text"
-          formControlName="oldPassword"
-          required
-          autocomplete="current-password"
-        />
-        <mat-error *ngIf="hasError('oldPassword') as errorText">{{
-          errorText
-        }}</mat-error>
-      </mat-form-field>
-    </div>
-    <div class="settings-security__edit-password-field">
-      <mat-form-field appearance="outline">
-        <mat-label>New password: </mat-label>
-        <input
-          matInput
-          type="text"
-          formControlName="newPassword"
-          required
-          autocomplete="new-password"
-        />
-        <mat-error *ngIf="hasError('newPassword') as errorText">{{
-          errorText
-        }}</mat-error>
-      </mat-form-field>
-    </div>
-    <div class="settings-security__edit-password-field">
-      <mat-form-field appearance="outline">
-        <mat-label>Confirm new password: </mat-label>
-        <input
-          matInput
-          type="text"
-          formControlName="newPasswordRepeat"
-          required
-          autocomplete="new-password"
-        />
-        <mat-error *ngIf="hasError('newPasswordRepeat') as errorText">{{
-          errorText
-        }}</mat-error>
-      </mat-form-field>
-    </div>
+    (submitResults)="save($event)"
+  />
+  <div class="settings-security__reset-password-field">
+    <h2>Need to reset your EPP password?</h2>
     <button
       mat-flat-button
       color="primary"
-      [disabled]="!passwordUpdateForm.valid"
-      aria-label="Save epp password update"
-      type="submit"
-      class="settings-security__edit-password-save"
+      aria-label="Reset EPP password via email"
+      (click)="requestEppPasswordReset()"
     >
-      Save
+      Reset EPP password via email
     </button>
-  </form>
+  </div>
 </div>

console-webapp/src/app/settings/security/eppPasswordEdit.component.scss

@@ -1,16 +1,19 @@
-.settings-security__edit-password {
-  max-width: 616px;
-  &-field {
-    width: 100%;
-    mat-form-field {
-      margin-bottom: 20px;
-      width: 100%;
-    }
-  }
-  &-form {
-    margin-top: 30px;
-  }
-  &-save {
-    margin-top: 30px;
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+.settings-security {
+  &__reset-password-field {
+    margin-top: 60px;
   }
 }

console-webapp/src/app/settings/security/eppPasswordEdit.component.ts

@@ -14,20 +14,46 @@
 
 import { HttpErrorResponse } from '@angular/common/http';
 import { Component } from '@angular/core';
-import {
-  AbstractControl,
-  FormControl,
-  FormGroup,
-  ValidatorFn,
-  Validators,
-} from '@angular/forms';
+import { FormControl, FormGroup, Validators } from '@angular/forms';
 import { MatSnackBar } from '@angular/material/snack-bar';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
 import { SecurityService } from './security.service';
+import { UserDataService } from 'src/app/shared/services/userData.service';
+import { MatDialog, MatDialogRef } from '@angular/material/dialog';
 
-type errorCode = 'required' | 'maxlength' | 'minlength' | 'passwordsDontMatch';
+import { MaterialModule } from 'src/app/material.module';
+import { filter, switchMap, take } from 'rxjs';
+import { BackendService } from 'src/app/shared/services/backend.service';
+import {
+  PasswordInputForm,
+  PasswordResults,
+} from 'src/app/shared/components/passwordReset/passwordInputForm.component';
 
-type errorFriendlyText = { [type in errorCode]: String };
+@Component({
+  selector: 'app-reset-epp-password-dialog',
+  template: `
+    <h2 mat-dialog-title>Please confirm the password reset:</h2>
+    <mat-dialog-content>
+      This will send an EPP password reset email to the admin POC.
+    </mat-dialog-content>
+    <mat-dialog-actions>
+      <button mat-button (click)="onCancel()">Cancel</button>
+      <button mat-button color="warn" (click)="onSave()">Confirm</button>
+    </mat-dialog-actions>
+  `,
+  imports: [MaterialModule],
+})
+export class ResetEppPasswordComponent {
+  constructor(public dialogRef: MatDialogRef<ResetEppPasswordComponent>) {}
+
+  onSave(): void {
+    this.dialogRef.close(true);
+  }
+
+  onCancel(): void {
+    this.dialogRef.close(false);
+  }
+}
 
 @Component({
   selector: 'app-epp-password-edit',
@@ -36,76 +62,38 @@ type errorFriendlyText = { [type in errorCode]: String };
   standalone: false,
 })
 export default class EppPasswordEditComponent {
-  MIN_MAX_LENGHT = new String(
-    'Passwords must be between 6 and 16 alphanumeric characters'
-  );
-
-  errorTextMap: errorFriendlyText = {
-    required: "This field can't be empty",
-    maxlength: this.MIN_MAX_LENGHT,
-    minlength: this.MIN_MAX_LENGHT,
-    passwordsDontMatch: "Passwords don't match",
-  };
-
-  constructor(
-    public securityService: SecurityService,
-    private _snackBar: MatSnackBar,
-    public registrarService: RegistrarService
-  ) {}
-
-  hasError(controlName: string) {
-    const maybeErrors = this.passwordUpdateForm.get(controlName)?.errors;
-    const maybeError =
-      maybeErrors && (Object.keys(maybeErrors)[0] as errorCode);
-    if (maybeError) {
-      return this.errorTextMap[maybeError];
-    }
-    return '';
-  }
-
-  newPasswordsMatch: ValidatorFn = (control: AbstractControl) => {
-    if (
-      this.passwordUpdateForm?.get('newPassword')?.value ===
-      this.passwordUpdateForm?.get('newPasswordRepeat')?.value
-    ) {
-      this.passwordUpdateForm?.get('newPasswordRepeat')?.setErrors(null);
-    } else {
-      // latest angular just won't detect the error without setTimeout
-      setTimeout(() => {
-        this.passwordUpdateForm
-          ?.get('newPasswordRepeat')
-          ?.setErrors({ passwordsDontMatch: control.value });
-      });
-    }
-    return null;
-  };
+  static EPP_VALIDATORS = [
+    Validators.required,
+    Validators.minLength(6),
+    Validators.maxLength(16),
+    PasswordInputForm.newPasswordsMatch,
+  ];
 
   passwordUpdateForm = new FormGroup({
     oldPassword: new FormControl('', [Validators.required]),
-    newPassword: new FormControl('', [
-      Validators.required,
-      Validators.minLength(6),
-      Validators.maxLength(16),
-      this.newPasswordsMatch,
-    ]),
-    newPasswordRepeat: new FormControl('', [
-      Validators.required,
-      Validators.minLength(6),
-      Validators.maxLength(16),
-      this.newPasswordsMatch,
-    ]),
+    newPassword: new FormControl('', EppPasswordEditComponent.EPP_VALIDATORS),
+    newPasswordRepeat: new FormControl(
+      '',
+      EppPasswordEditComponent.EPP_VALIDATORS
+    ),
   });
 
-  save() {
-    const { oldPassword, newPassword, newPasswordRepeat } =
-      this.passwordUpdateForm.value;
-    if (!oldPassword || !newPassword || !newPasswordRepeat) return;
+  constructor(
+    public registrarService: RegistrarService,
+    public securityService: SecurityService,
+    protected userDataService: UserDataService,
+    private backendService: BackendService,
+    private resetPasswordDialog: MatDialog,
+    private _snackBar: MatSnackBar
+  ) {}
+
+  save(passwordResults: PasswordResults) {
     this.securityService
       .saveEppPassword({
         registrarId: this.registrarService.registrarId(),
-        oldPassword,
-        newPassword,
-        newPasswordRepeat,
+        oldPassword: passwordResults.oldPassword!,
+        newPassword: passwordResults.newPassword,
+        newPasswordRepeat: passwordResults.newPasswordRepeat,
       })
       .subscribe({
         complete: () => {
@@ -120,4 +108,26 @@ export default class EppPasswordEditComponent {
   goBack() {
     this.securityService.isEditingPassword = false;
   }
+
+  sendEppPasswordResetRequest() {
+    return this.backendService.requestEppPasswordReset(
+      this.registrarService.registrarId()
+    );
+  }
+
+  requestEppPasswordReset() {
+    const dialogRef = this.resetPasswordDialog.open(ResetEppPasswordComponent);
+    dialogRef
+      .afterClosed()
+      .pipe(
+        take(1),
+        filter((result) => !!result)
+      )
+      .pipe(switchMap((_) => this.sendEppPasswordResetRequest()))
+      .subscribe({
+        next: (_) => this.goBack(),
+        error: (err: HttpErrorResponse) =>
+          this._snackBar.open(err.error || err.message),
+      });
+  }
 }

console-webapp/src/app/settings/security/security.component.html

@@ -68,7 +68,7 @@
           >
         </mat-list-item>
         <mat-divider></mat-divider>
-        @for (item of dataSource.ipAddressAllowList; track item.value) {
+        @for (item of dataSource.ipAddressAllowList; track $index){
         <mat-list-item role="listitem">
           <span class="console-app__list-value">{{ item.value }}</span>
         </mat-list-item>

console-webapp/src/app/settings/security/security.component.spec.ts

@@ -12,7 +12,13 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { ComponentFixture, TestBed, waitForAsync } from '@angular/core/testing';
+import {
+  ComponentFixture,
+  fakeAsync,
+  TestBed,
+  tick,
+  waitForAsync,
+} from '@angular/core/testing';
 
 import { provideHttpClient } from '@angular/common/http';
 import { provideHttpClientTesting } from '@angular/common/http/testing';
@@ -30,43 +36,32 @@ import { MOCK_REGISTRAR_SERVICE } from 'src/testdata/registrar/registrar.service
 describe('SecurityComponent', () => {
   let component: SecurityComponent;
   let fixture: ComponentFixture<SecurityComponent>;
-  let fetchSecurityDetailsSpy: Function;
   let saveSpy: Function;
+  let securityServiceStub: Partial<SecurityService>;
 
   beforeEach(async () => {
-    const securityServiceSpy = jasmine.createSpyObj(SecurityService, [
-      'fetchSecurityDetails',
-      'saveChanges',
-    ]);
-
-    fetchSecurityDetailsSpy =
-      securityServiceSpy.fetchSecurityDetails.and.returnValue(of());
-
-    saveSpy = securityServiceSpy.saveChanges.and.returnValue(of());
+    securityServiceStub = {
+      isEditingSecurity: false,
+      isEditingPassword: false,
+      saveChanges: jasmine.createSpy('saveChanges').and.returnValue(of({})),
+    };
 
     await TestBed.configureTestingModule({
       declarations: [SecurityEditComponent, SecurityComponent],
       imports: [MaterialModule, BrowserAnimationsModule, FormsModule],
       providers: [
         BackendService,
-        SecurityService,
+        { provide: SecurityService, useValue: securityServiceStub },
         { provide: RegistrarService, useValue: MOCK_REGISTRAR_SERVICE },
         provideHttpClient(),
         provideHttpClientTesting(),
       ],
-    })
-      .overrideComponent(SecurityComponent, {
-        set: {
-          providers: [
-            { provide: SecurityService, useValue: securityServiceSpy },
-          ],
-        },
-      })
-      .compileComponents();
+    }).compileComponents();
+
+    saveSpy = securityServiceStub.saveChanges as jasmine.Spy;
 
     fixture = TestBed.createComponent(SecurityComponent);
     component = fixture.componentInstance;
-    fixture.detectChanges();
   });
 
   it('should create', () => {
@@ -93,17 +88,36 @@ describe('SecurityComponent', () => {
     });
   }));
 
-  it('should remove ip', waitForAsync(() => {
-    component.dataSource.ipAddressAllowList =
-      component.dataSource.ipAddressAllowList?.splice(1);
-    fixture.whenStable().then(() => {
-      fixture.detectChanges();
-      let listElems: Array<HTMLElement> = Array.from(
-        fixture.nativeElement.querySelectorAll('span.console-app__list-value')
-      );
-      expect(listElems.map((e) => e.textContent)).toContain(
-        'No IP addresses on file.'
-      );
+  it('should remove ip', fakeAsync(() => {
+    fixture.detectChanges();
+    tick();
+
+    const editBtn = fixture.nativeElement.querySelector(
+      'button[aria-label="Edit security settings"]'
+    );
+    editBtn.click();
+
+    tick();
+    fixture.detectChanges();
+
+    const removeIpBtn = fixture.nativeElement.querySelector(
+      '.console-app__removeIp'
+    );
+    removeIpBtn.click();
+
+    tick();
+    fixture.detectChanges();
+
+    const saveBtn = fixture.nativeElement.querySelector(
+      '.settings-security__edit-save'
+    );
+    saveBtn.click();
+
+    tick();
+    fixture.detectChanges();
+
+    expect(saveSpy).toHaveBeenCalledWith({
+      ipAddressAllowList: [],
     });
   }));
 
@@ -119,21 +133,34 @@ describe('SecurityComponent', () => {
     expect(component.securityService.isEditingPassword).toBeTrue();
   });
 
-  it('should call save', waitForAsync(async () => {
-    component.editSecurity();
-    await fixture.whenStable();
+  it('should call save', fakeAsync(() => {
     fixture.detectChanges();
+    tick();
+
+    const editBtn = fixture.nativeElement.querySelector(
+      'button[aria-label="Edit security settings"]'
+    );
+    editBtn.click();
+
+    tick();
+    fixture.detectChanges();
+
     const el = fixture.nativeElement.querySelector(
       '.console-app__clientCertificateValue'
     );
     el.value = 'test';
     el.dispatchEvent(new Event('input'));
+
+    tick();
     fixture.detectChanges();
-    await fixture.whenStable();
-    fixture.nativeElement
-      .querySelector('.settings-security__edit-save')
-      .click();
-    expect(saveSpy).toHaveBeenCalledOnceWith({
+
+    const saveBtn = fixture.nativeElement.querySelector(
+      '.settings-security__edit-save'
+    );
+    saveBtn.click();
+
+    tick();
+    expect(saveSpy).toHaveBeenCalledWith({
       ipAddressAllowList: [{ value: '123.123.123.123' }],
       clientCertificate: 'test',
     });

console-webapp/src/app/settings/security/security.service.ts

@@ -13,7 +13,7 @@
 // limitations under the License.
 
 import { Injectable } from '@angular/core';
-import { switchMap, timeout } from 'rxjs';
+import { switchMap } from 'rxjs';
 import {
   IpAllowListItem,
   RegistrarService,
@@ -69,7 +69,6 @@ export class SecurityService {
         uiToApiConverter(newSecuritySettings)
       )
       .pipe(
-        timeout(2000),
         switchMap(() => {
           return this.registrarService.loadRegistrars();
         })

console-webapp/src/app/settings/security/securityEdit.component.html

@@ -23,9 +23,11 @@
       <button
         matSuffix
         mat-icon-button
+        class="console-app__removeIp"
         [attr.aria-label]="'Remove IP entry ' + ip.value"
         (click)="removeIpEntry(ip)"
         [disabled]="isUpdating"
+        type="button"
       >
         <mat-icon>close</mat-icon>
       </button>

console-webapp/src/app/settings/settings.component.html

@@ -19,13 +19,13 @@
       >
       <a
         mat-tab-link
-        routerLink="whois"
+        routerLink="rdap"
         routerLinkActive
         queryParamsHandling="merge"
         #rla2="routerLinkActive"
         [active]="rla2.isActive"
-        aria-label="Access whois settings"
-        >WHOIS Info</a
+        aria-label="Access rdap settings"
+        >RDAP Info</a
       >
       <a
         mat-tab-link

console-webapp/src/app/shared/components/passwordReset/passwordInputForm.component.html

@@ -0,0 +1,63 @@
+<form
+  (ngSubmit)="save()"
+  [formGroup]="formGroup()!"
+  class="console-app__password-input-form"
+>
+  @if (displayOldPasswordField()) {
+  <div class="console-app__password-input-form-field">
+    <mat-form-field appearance="outline">
+      <mat-label>Old password: </mat-label>
+      <input
+        matInput
+        type="text"
+        formControlName="oldPassword"
+        required
+        autocomplete="current-password"
+      />
+      @if (hasError('oldPassword'); as errorText) {
+      <mat-error>{{ errorText }}</mat-error>
+      }
+    </mat-form-field>
+  </div>
+  }
+  <div class="console-app__password-input-form-field">
+    <mat-form-field appearance="outline">
+      <mat-label>New password: </mat-label>
+      <input
+        matInput
+        type="text"
+        formControlName="newPassword"
+        required
+        autocomplete="new-password"
+      />
+      @if (hasError('newPassword'); as errorText) {
+      <mat-error>{{ errorText }}</mat-error>
+      }
+    </mat-form-field>
+  </div>
+  <div class="console-app__password-input-form-field">
+    <mat-form-field appearance="outline">
+      <mat-label>Confirm new password: </mat-label>
+      <input
+        matInput
+        type="text"
+        formControlName="newPasswordRepeat"
+        required
+        autocomplete="new-password"
+      />
+      @if (hasError('newPasswordRepeat'); as errorText) {
+      <mat-error>{{ errorText }}</mat-error>
+      }
+    </mat-form-field>
+  </div>
+  <button
+    mat-flat-button
+    color="primary"
+    [disabled]="!formGroup()?.valid"
+    aria-label="Save new password"
+    type="submit"
+    class="console-app__password-input-form-save"
+  >
+    Save
+  </button>
+</form>

console-webapp/src/app/shared/components/passwordReset/passwordInputForm.component.scss

@@ -1,4 +1,4 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,17 +12,19 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-.console-tlds {
-  &__cards {
-    display: flex;
-    border-top: 1px solid #ddd;
-    padding: 1rem;
+.console-app__password-input-form {
+  max-width: 450px;
+  &-field {
+    width: 100%;
+    mat-form-field {
+      margin-bottom: 20px;
+      width: 100%;
+    }
   }
-  &__card {
-    max-width: 300px;
+  &-form {
+    margin-top: 30px;
   }
-  &__card-links {
-    display: flex;
-    flex-direction: column;
+  &-save {
+    margin-top: 30px;
   }
 }

console-webapp/src/app/shared/components/passwordReset/passwordInputForm.component.ts

@@ -0,0 +1,82 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, EventEmitter, input, Output } from '@angular/core';
+import { AbstractControl, FormGroup, ValidatorFn } from '@angular/forms';
+
+type errorCode = 'required' | 'maxlength' | 'minlength' | 'passwordsDontMatch';
+
+type errorFriendlyText = { [type in errorCode]: String };
+
+export interface PasswordResults {
+  oldPassword: string | null;
+  newPassword: string;
+  newPasswordRepeat: string;
+}
+
+@Component({
+  selector: 'password-input-form-component',
+  templateUrl: './passwordInputForm.component.html',
+  styleUrls: ['./passwordInputForm.component.scss'],
+  standalone: false,
+})
+export class PasswordInputForm {
+  static newPasswordsMatch: ValidatorFn = (control: AbstractControl) => {
+    const parent = control.parent;
+    if (
+      parent?.get('newPassword')?.value ===
+      parent?.get('newPasswordRepeat')?.value
+    ) {
+      parent?.get('newPasswordRepeat')?.setErrors(null);
+    } else {
+      // latest angular just won't detect the error without setTimeout
+      setTimeout(() => {
+        parent
+          ?.get('newPasswordRepeat')
+          ?.setErrors({ passwordsDontMatch: control.value });
+      });
+    }
+    return null;
+  };
+
+  MIN_MAX_LENGTH = 'Passwords must be between 6 and 16 alphanumeric characters';
+
+  errorTextMap: errorFriendlyText = {
+    required: "This field can't be empty",
+    maxlength: this.MIN_MAX_LENGTH,
+    minlength: this.MIN_MAX_LENGTH,
+    passwordsDontMatch: "Passwords don't match",
+  };
+
+  displayOldPasswordField = input<boolean>(false);
+  formGroup = input<FormGroup>();
+  @Output() submitResults = new EventEmitter<PasswordResults>();
+
+  hasError(controlName: string) {
+    const maybeErrors = this.formGroup()!.get(controlName)?.errors;
+    const maybeError =
+      maybeErrors && (Object.keys(maybeErrors)[0] as errorCode);
+    if (maybeError) {
+      return this.errorTextMap[maybeError];
+    }
+    return '';
+  }
+
+  save() {
+    const results: PasswordResults = this.formGroup()!.value;
+    if (this.displayOldPasswordField() && !results.oldPassword) return;
+    if (!results.newPassword || !results.newPasswordRepeat) return;
+    this.submitResults.emit(results);
+  }
+}

console-webapp/src/app/shared/components/passwordReset/passwordResetVerify.component.html

@@ -0,0 +1,27 @@
+<p>
+  <button mat-icon-button aria-label="Go home" [routerLink]="['']">
+    <mat-icon>arrow_back</mat-icon>
+  </button>
+</p>
+@if (isLoading) {
+<div class="console-app__password-reset-verify-spinner">
+  <mat-spinner />
+</div>
+} @else if (errorMessage) {
+<h1 class="mat-headline-4">Failure</h1>
+<div class="console-app__password-reset-content">
+  <div class="console-app__password-reset-subhead">
+    An error occurred: {{ errorMessage }}.<br /><br />Please double-check the
+    verification code and try again.
+  </div>
+</div>
+} @else {
+<div class="console-app__password-reset-verify">
+  <h1 class="mat-headline-4">{{ type }} password reset</h1>
+  <password-input-form-component
+    [displayOldPasswordField]="false"
+    [formGroup]="passwordUpdateForm!"
+    (submitResults)="save($event)"
+  />
+</div>
+}

console-webapp/src/app/shared/components/passwordReset/passwordResetVerify.component.ts

@@ -0,0 +1,110 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { ActivatedRoute, ParamMap, Router } from '@angular/router';
+import { HttpErrorResponse } from '@angular/common/http';
+import { take } from 'rxjs';
+import { RegistrarService } from 'src/app/registrar/registrar.service';
+import { BackendService } from '../../services/backend.service';
+import { FormControl, FormGroup, Validators } from '@angular/forms';
+import {
+  PasswordInputForm,
+  PasswordResults,
+} from './passwordInputForm.component';
+import EppPasswordEditComponent from 'src/app/settings/security/eppPasswordEdit.component';
+import { MatSnackBar } from '@angular/material/snack-bar';
+
+export interface PasswordResetVerifyResponse {
+  registrarId: string;
+  type: string;
+}
+
+@Component({
+  selector: 'app-password-reset-verify',
+  templateUrl: './passwordResetVerify.component.html',
+  standalone: false,
+})
+export class PasswordResetVerifyComponent {
+  public static PATH = 'password-reset-verify';
+
+  REGISTRY_LOCK_PASSWORD_VALIDATORS = [
+    Validators.required,
+    PasswordInputForm.newPasswordsMatch,
+  ];
+
+  isLoading = true;
+  type?: string;
+  errorMessage?: string;
+  requestVerificationCode = '';
+
+  passwordUpdateForm: FormGroup<any> | null = null;
+
+  constructor(
+    protected backendService: BackendService,
+    protected registrarService: RegistrarService,
+    private route: ActivatedRoute,
+    private router: Router,
+    private _snackBar: MatSnackBar
+  ) {}
+
+  ngOnInit() {
+    this.route.queryParamMap.pipe(take(1)).subscribe((params: ParamMap) => {
+      this.requestVerificationCode =
+        params.get('resetRequestVerificationCode') || '';
+      this.backendService
+        .getPasswordResetInformation(this.requestVerificationCode)
+        .subscribe({
+          error: (err: HttpErrorResponse) => {
+            this.isLoading = false;
+            this.errorMessage = err.error;
+          },
+          next: this.presentData.bind(this),
+        });
+    });
+  }
+
+  presentData(verificationResponse: PasswordResetVerifyResponse) {
+    this.type = verificationResponse.type === 'EPP' ? 'EPP' : 'Registry lock';
+    this.registrarService.registrarId.set(verificationResponse.registrarId);
+    const validators =
+      verificationResponse.type === 'EPP'
+        ? EppPasswordEditComponent.EPP_VALIDATORS
+        : this.REGISTRY_LOCK_PASSWORD_VALIDATORS;
+
+    this.passwordUpdateForm = new FormGroup({
+      newPassword: new FormControl('', validators),
+      newPasswordRepeat: new FormControl('', validators),
+    });
+    this.isLoading = false;
+  }
+
+  save(passwordResults: PasswordResults) {
+    this.backendService
+      .finalizePasswordReset(
+        this.requestVerificationCode,
+        passwordResults.newPassword
+      )
+      .subscribe({
+        error: (err: HttpErrorResponse) => {
+          this.isLoading = false;
+          this.errorMessage = err.error;
+        },
+        next: (_) => {
+          this.router.navigate(['']);
+          this._snackBar.open('Password reset completed successfully');
+        },
+      });
+  }
+}

console-webapp/src/app/shared/components/pocReminder/pocReminder.component.html

@@ -0,0 +1,14 @@
+<div class="console-app__pocReminder">
+  <p class="">
+    Please take a moment to complete annual review of
+    <a routerLink="/settings">contacts</a>.
+  </p>
+  <span matSnackBarActions>
+    <button mat-button matSnackBarAction (click)="confirmReviewed()">
+      Confirm reviewed
+    </button>
+    <button mat-button matSnackBarAction (click)="snackBarRef.dismiss()">
+      Close
+    </button>
+  </span>
+</div>

console-webapp/src/app/shared/components/pocReminder/pocReminder.component.scss

@@ -0,0 +1,5 @@
+.console-app__pocReminder {
+  a {
+    color: white !important;
+  }
+}

console-webapp/src/app/shared/components/pocReminder/pocReminder.component.ts

@@ -0,0 +1,53 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { MatSnackBar, MatSnackBarRef } from '@angular/material/snack-bar';
+import { RegistrarService } from '../../../registrar/registrar.service';
+import { HttpErrorResponse } from '@angular/common/http';
+
+@Component({
+  selector: 'app-poc-reminder',
+  templateUrl: './pocReminder.component.html',
+  styleUrls: ['./pocReminder.component.scss'],
+  standalone: false,
+})
+export class PocReminderComponent {
+  constructor(
+    public snackBarRef: MatSnackBarRef<PocReminderComponent>,
+    private registrarService: RegistrarService,
+    private _snackBar: MatSnackBar
+  ) {}
+
+  confirmReviewed() {
+    if (this.registrarService.registrar()) {
+      const todayMidnight = new Date();
+      todayMidnight.setHours(0, 0, 0, 0);
+      this.registrarService
+        // @ts-ignore - if check  above won't allow empty object to be submitted
+        .updateRegistrar({
+          ...this.registrarService.registrar(),
+          lastPocVerificationDate: todayMidnight.toISOString(),
+        })
+        .subscribe({
+          error: (err: HttpErrorResponse) => {
+            this._snackBar.open(err.error || err.message);
+          },
+          next: () => {
+            this.snackBarRef.dismiss();
+          },
+        });
+    }
+  }
+}

console-webapp/src/app/shared/directives/userLevelVisiblity.directive.ts

@@ -16,6 +16,7 @@ import { Directive, ElementRef, Input, effect } from '@angular/core';
 import { UserDataService } from '../services/userData.service';
 
 export enum RESTRICTED_ELEMENTS {
+  ACTIVITY_PER_USER,
   REGISTRAR_ELEMENT,
   OTE,
   USERS,
@@ -40,6 +41,8 @@ export const DISABLED_ELEMENTS_PER_ROLE = {
 export class UserLevelVisibility {
   @Input() elementId!: RESTRICTED_ELEMENTS | null;
 
+  @Input() isReverse: boolean = false;
+
   constructor(
     private userDataService: UserDataService,
     private el: ElementRef
@@ -56,9 +59,9 @@ export class UserLevelVisibility {
       // @ts-ignore
       (DISABLED_ELEMENTS_PER_ROLE[globalRole] || []).includes(this.elementId)
     ) {
-      this.el.nativeElement.style.display = 'none';
+      this.el.nativeElement.style.display = this.isReverse ? '' : 'none';
     } else {
-      this.el.nativeElement.style.display = '';
+      this.el.nativeElement.style.display = this.isReverse ? 'none' : '';
     }
   }
 }

console-webapp/src/app/shared/services/backend.service.ts

@@ -25,11 +25,13 @@ import { User } from 'src/app/users/users.service';
 import {
   Registrar,
   SecuritySettingsBackendModel,
-  WhoisRegistrarFields,
+  RdapRegistrarFields,
 } from '../../registrar/registrar.service';
 import { Contact } from '../../settings/contact/contact.service';
 import { EppPasswordBackendModel } from '../../settings/security/security.service';
 import { UserData } from './userData.service';
+import { PasswordResetVerifyResponse } from '../components/passwordReset/passwordResetVerify.component';
+import { HistoryRecord } from '../../history/history.service';
 
 @Injectable()
 export class BackendService {
@@ -70,13 +72,26 @@ export class BackendService {
       .pipe(catchError((err) => this.errorCatcher<Contact[]>(err)));
   }
 
-  postContacts(
-    registrarId: string,
-    contacts: Contact[]
-  ): Observable<Contact[]> {
-    return this.http.post<Contact[]>(
+  updateContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.put<Contact>(
       `/console-api/settings/contacts?registrarId=${registrarId}`,
-      contacts
+      contact
+    );
+  }
+
+  createContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.post<Contact>(
+      `/console-api/settings/contacts?registrarId=${registrarId}`,
+      contact
+    );
+  }
+
+  deleteContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.delete<Contact>(
+      `/console-api/settings/contacts?registrarId=${registrarId}`,
+      {
+        body: JSON.stringify(contact),
+      }
     );
   }
 
@@ -109,6 +124,16 @@ export class BackendService {
       .pipe(catchError((err) => this.errorCatcher<DomainListResult>(err)));
   }
 
+  getHistoryLog(registrarId: string, userEmail?: string) {
+    return this.http
+      .get<HistoryRecord[]>(
+        userEmail
+          ? `/console-api/history?registrarId=${registrarId}&consoleUserEmail=${userEmail}`
+          : `/console-api/history?registrarId=${registrarId}`
+      )
+      .pipe(catchError((err) => this.errorCatcher<HistoryRecord[]>(err)));
+  }
+
   getRegistrars(): Observable<Registrar[]> {
     return this.http
       .get<Registrar[]>('/console-api/registrars')
@@ -209,12 +234,12 @@ export class BackendService {
       .pipe(catchError((err) => this.errorCatcher<UserData>(err)));
   }
 
-  postWhoisRegistrarFields(
-    whoisRegistrarFields: WhoisRegistrarFields
-  ): Observable<WhoisRegistrarFields> {
-    return this.http.post<WhoisRegistrarFields>(
-      '/console-api/settings/whois-fields',
-      whoisRegistrarFields
+  postRdapRegistrarFields(
+    rdapRegistrarFields: RdapRegistrarFields
+  ): Observable<RdapRegistrarFields> {
+    return this.http.post<RdapRegistrarFields>(
+      '/console-api/settings/rdap-fields',
+      rdapRegistrarFields
     );
   }
 
@@ -267,4 +292,37 @@ export class BackendService {
       `/console-api/registry-lock-verify?lockVerificationCode=${lockVerificationCode}`
     );
   }
+
+  requestRegistryLockPasswordReset(
+    registrarId: string,
+    registryLockEmail: string
+  ) {
+    return this.http.post('/console-api/password-reset-request', {
+      type: 'REGISTRY_LOCK',
+      registrarId,
+      registryLockEmail,
+    });
+  }
+
+  requestEppPasswordReset(registrarId: string) {
+    return this.http.post('/console-api/password-reset-request', {
+      type: 'EPP',
+      registrarId,
+    });
+  }
+
+  getPasswordResetInformation(
+    verificationCode: string
+  ): Observable<PasswordResetVerifyResponse> {
+    return this.http.get<PasswordResetVerifyResponse>(
+      `/console-api/password-reset-verify?resetRequestVerificationCode=${verificationCode}`
+    );
+  }
+
+  finalizePasswordReset(verificationCode: string, newPassword: string) {
+    return this.http.post(
+      `/console-api/password-reset-verify?resetRequestVerificationCode=${verificationCode}`,
+      newPassword
+    );
+  }
 }

console-webapp/src/app/tlds/tlds.component.html

@@ -1 +0,0 @@
-<div class="console-tlds__cards"></div>

console-webapp/src/app/tlds/tlds.component.spec.ts

@@ -1,38 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-import { ComponentFixture, TestBed } from '@angular/core/testing';
-
-import { TldsComponent } from './tlds.component';
-import { MaterialModule } from '../material.module';
-
-describe('TldsComponent', () => {
-  let component: TldsComponent;
-  let fixture: ComponentFixture<TldsComponent>;
-
-  beforeEach(async () => {
-    await TestBed.configureTestingModule({
-      imports: [MaterialModule],
-      declarations: [TldsComponent],
-    }).compileComponents();
-
-    fixture = TestBed.createComponent(TldsComponent);
-    component = fixture.componentInstance;
-    fixture.detectChanges();
-  });
-
-  it('should create', () => {
-    expect(component).toBeTruthy();
-  });
-});

console-webapp/src/app/users/userDetails.component.html

@@ -50,15 +50,17 @@
       <mat-icon>delete</mat-icon>
     </button>
   </div>
-  <div *ngIf="isNewUser" class="console-app__user-details-save-password">
+  @if (isNewUser) {
+  <div class="console-app__user-details-save-password">
     <mat-icon>priority_high</mat-icon>
     Please save the password. For your security, we do not store passwords in a
     recoverable format.
   </div>
-
-  <p *ngIf="isLoading">
+  } @if (isLoading) {
+  <p>
     <mat-progress-bar mode="query"></mat-progress-bar>
   </p>
+  }
 
   <mat-card appearance="outlined">
     <mat-card-content>
@@ -80,7 +82,15 @@
             roleToDescription(userDetails().role)
           }}</span>
         </mat-list-item>
-        @if (userDetails().password) {
+        @if (userDetails().registryLockEmailAddress) {
+        <mat-divider></mat-divider>
+        <mat-list-item role="listitem">
+          <span class="console-app__list-key">Registry Lock email</span>
+          <span class="console-app__list-value">{{
+            userDetails().registryLockEmailAddress
+          }}</span>
+        </mat-list-item>
+        } @if (userDetails().password) {
         <mat-divider></mat-divider>
         <mat-list-item role="listitem">
           <span class="console-app__list-key">Password</span>

console-webapp/src/app/users/userDetails.component.scss

@@ -35,5 +35,8 @@
       border: 1px solid #ddd;
       border-radius: 10px;
     }
+    .console-app__list-key {
+      width: 160px;
+    }
   }
 }

console-webapp/src/app/users/userDetails.component.ts

@@ -12,7 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { CommonModule } from '@angular/common';
 import { Component, computed } from '@angular/core';
 import { MatSnackBar } from '@angular/material/snack-bar';
 import { SelectedRegistrarModule } from '../app.module';
@@ -31,7 +30,6 @@ import { UserEditFormComponent } from './userEditForm.component';
     FormsModule,
     MaterialModule,
     SnackBarModule,
-    CommonModule,
     SelectedRegistrarModule,
     UserEditFormComponent,
   ],

console-webapp/src/app/users/userEditForm.component.html

@@ -1,45 +1,57 @@
-<form (ngSubmit)="saveEdit($event)" #form>
-  <p *ngIf="isNew()">
-    <mat-form-field appearance="outline">
-      <mat-label
-        >User name prefix:
-        <mat-icon
-          matTooltip="Prefix will be combined with registrar ID to create a unique user name - {prefix}.{registrarId}@registry.google"
-          >help_outline</mat-icon
-        ></mat-label
-      >
-      <input
-        matInput
-        minlength="3"
-        maxlength="3"
-        [required]="true"
-        [(ngModel)]="user().emailAddress"
-        [ngModelOptions]="{ standalone: true }"
-      />
-    </mat-form-field>
-  </p>
-  <p>
-    <mat-form-field appearance="outline">
-      <mat-label
-        >User Role:
-        <mat-icon
-          matTooltip="Viewer role doesn't allow making updates; Editor role allows updates, like Contacts delete or SSL certificate change"
-          >help_outline</mat-icon
-        ></mat-label
-      >
-      <mat-select [(ngModel)]="user().role" name="userRole">
-        <mat-option value="PRIMARY_CONTACT">Editor</mat-option>
-        <mat-option value="ACCOUNT_MANAGER">Viewer</mat-option>
-      </mat-select>
-    </mat-form-field>
-  </p>
+<div class="console-app__user-edit">
+  <form (ngSubmit)="saveEdit($event)" #form>
+    @if (isNew()) {
+    <p>
+      <mat-form-field appearance="outline">
+        <mat-label
+          >User name prefix:
+          <mat-icon
+            matTooltip="Prefix will be combined with registrar ID to create a unique user name - {prefix}.{registrarId}@registry.google"
+            >help_outline</mat-icon
+          ></mat-label
+        >
+        <input
+          matInput
+          minlength="3"
+          maxlength="3"
+          [required]="true"
+          [(ngModel)]="user().emailAddress"
+          [ngModelOptions]="{ standalone: true }"
+        />
+      </mat-form-field>
+    </p>
+    }
+    <p>
+      <mat-form-field appearance="outline">
+        <mat-label
+          >User Role:
+          <mat-icon
+            matTooltip="Viewer role doesn't allow making updates; Editor role allows updates, like Contacts delete or SSL certificate change"
+            >help_outline</mat-icon
+          ></mat-label
+        >
+        <mat-select [(ngModel)]="user().role" name="userRole">
+          <mat-option value="TECH_CONTACT">Editor</mat-option>
+          <mat-option value="ACCOUNT_MANAGER">Viewer</mat-option>
+        </mat-select>
+      </mat-form-field>
+    </p>
+    <button
+      mat-flat-button
+      color="primary"
+      aria-label="Save user"
+      type="submit"
+      aria-label="Save changes to the user"
+    >
+      Save
+    </button>
+  </form>
   <button
     mat-flat-button
     color="primary"
-    aria-label="Save user"
-    type="submit"
-    aria-label="Save changes to the user"
+    aria-label="Reset registry lock password"
+    (click)="requestRegistryLockPasswordReset()"
   >
-    Save
+    Reset registry lock password
   </button>
-</form>
+</div>

console-webapp/src/app/users/userEditForm.component.scss

@@ -0,0 +1,20 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+.console-app__user-edit {
+  button {
+    display: block;
+    margin-bottom: 5px;
+  }
+}

console-webapp/src/app/users/userEditForm.component.ts

@@ -12,24 +12,66 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { CommonModule } from '@angular/common';
 import {
   Component,
   ElementRef,
   EventEmitter,
+  Inject,
   input,
   Output,
   ViewChild,
 } from '@angular/core';
 import { MaterialModule } from '../material.module';
 import { FormsModule } from '@angular/forms';
-import { User } from './users.service';
+import { User, UsersService } from './users.service';
+import { UserDataService } from '../shared/services/userData.service';
+import { BackendService } from '../shared/services/backend.service';
+import { RegistrarService } from '../registrar/registrar.service';
+import {
+  MAT_DIALOG_DATA,
+  MatDialog,
+  MatDialogRef,
+} from '@angular/material/dialog';
+import { filter, switchMap, take } from 'rxjs';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { HttpErrorResponse } from '@angular/common/http';
+
+@Component({
+  selector: 'app-reset-lock-password-dialog',
+  template: `
+    <h2 mat-dialog-title>Please confirm the password reset:</h2>
+    <mat-dialog-content>
+      This will send a registry lock password reset email to
+      {{ data.registryLockEmailAddress }}.
+    </mat-dialog-content>
+    <mat-dialog-actions>
+      <button mat-button (click)="onCancel()">Cancel</button>
+      <button mat-button color="warn" (click)="onSave()">Confirm</button>
+    </mat-dialog-actions>
+  `,
+  imports: [MaterialModule],
+})
+export class ResetRegistryLockPasswordComponent {
+  constructor(
+    public dialogRef: MatDialogRef<ResetRegistryLockPasswordComponent>,
+    @Inject(MAT_DIALOG_DATA)
+    public data: { registryLockEmailAddress: string }
+  ) {}
+
+  onSave(): void {
+    this.dialogRef.close(true);
+  }
+
+  onCancel(): void {
+    this.dialogRef.close(false);
+  }
+}
 
 @Component({
   selector: 'app-user-edit-form',
   templateUrl: './userEditForm.component.html',
   styleUrls: ['./userEditForm.component.scss'],
-  imports: [FormsModule, MaterialModule, CommonModule],
+  imports: [FormsModule, MaterialModule],
   providers: [],
 })
 export class UserEditFormComponent {
@@ -39,12 +81,22 @@ export class UserEditFormComponent {
     {
       emailAddress: '',
       role: 'ACCOUNT_MANAGER',
+      registryLockEmailAddress: '',
     },
     { transform: (user: User) => structuredClone(user) }
   );
 
   @Output() onEditComplete = new EventEmitter<User>();
 
+  constructor(
+    protected userDataService: UserDataService,
+    private backendService: BackendService,
+    private resetRegistryLockPasswordDialog: MatDialog,
+    private registrarService: RegistrarService,
+    private usersService: UsersService,
+    private _snackBar: MatSnackBar
+  ) {}
+
   saveEdit(e: SubmitEvent) {
     e.preventDefault();
     if (this.form.nativeElement.checkValidity()) {
@@ -53,4 +105,34 @@ export class UserEditFormComponent {
       this.form.nativeElement.reportValidity();
     }
   }
+
+  sendRegistryLockPasswordResetRequest() {
+    return this.backendService.requestRegistryLockPasswordReset(
+      this.registrarService.registrarId(),
+      this.user().registryLockEmailAddress!
+    );
+  }
+
+  requestRegistryLockPasswordReset() {
+    const dialogRef = this.resetRegistryLockPasswordDialog.open(
+      ResetRegistryLockPasswordComponent,
+      {
+        data: {
+          registryLockEmailAddress: this.user().registryLockEmailAddress,
+        },
+      }
+    );
+    dialogRef
+      .afterClosed()
+      .pipe(
+        take(1),
+        filter((result) => !!result)
+      )
+      .pipe(switchMap((_) => this.sendRegistryLockPasswordResetRequest()))
+      .subscribe({
+        next: (_) => this.usersService.currentlyOpenUserEmail.set(''),
+        error: (err: HttpErrorResponse) =>
+          this._snackBar.open(err.error || err.message),
+      });
+  }
 }

console-webapp/src/app/users/users.component.ts

@@ -12,7 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { CommonModule } from '@angular/common';
 import { HttpErrorResponse } from '@angular/common/http';
 import { Component, effect } from '@angular/core';
 import { MatSnackBar } from '@angular/material/snack-bar';
@@ -22,7 +21,6 @@ import { RegistrarService } from '../registrar/registrar.service';
 import { SnackBarModule } from '../snackbar.module';
 import { UserDetailsComponent } from './userDetails.component';
 import { User, UsersService } from './users.service';
-import { UserDataService } from '../shared/services/userData.service';
 import { FormsModule } from '@angular/forms';
 import { UsersListComponent } from './usersList.component';
 import { MatSelectChange } from '@angular/material/select';
@@ -36,7 +34,6 @@ import { UserEditFormComponent } from './userEditForm.component';
     FormsModule,
     MaterialModule,
     SnackBarModule,
-    CommonModule,
     SelectedRegistrarModule,
     UsersListComponent,
     UserEditFormComponent,
@@ -55,7 +52,6 @@ export class UsersComponent {
   constructor(
     protected registrarService: RegistrarService,
     protected usersService: UsersService,
-    private userDataService: UserDataService,
     private _snackBar: MatSnackBar
   ) {
     effect(() => {

console-webapp/src/app/users/users.service.ts

@@ -33,6 +33,7 @@ export interface User {
   emailAddress: string;
   role: string;
   password?: string;
+  registryLockEmailAddress?: string;
 }
 
 @Injectable()

console-webapp/src/app/users/usersList.component.html

@@ -5,15 +5,14 @@
     class="console-app__users-table"
     matSort
   >
-    <ng-container
-      *ngFor="let column of columns"
-      [matColumnDef]="column.columnDef"
-    >
+    @for (column of columns; track column) {
+    <ng-container [matColumnDef]="column.columnDef">
       <mat-header-cell *matHeaderCellDef>
         {{ column.header }}
       </mat-header-cell>
       <mat-cell *matCellDef="let row" [innerHTML]="column.cell(row)"></mat-cell>
     </ng-container>
+    }
     <mat-header-row *matHeaderRowDef="displayedColumns"></mat-header-row>
     <mat-row
       *matRowDef="let row; columns: displayedColumns"

console-webapp/src/app/users/usersList.component.ts

@@ -12,7 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { CommonModule } from '@angular/common';
 import {
   Component,
   effect,
@@ -43,7 +42,7 @@ export const columns = [
   selector: 'app-users-list',
   templateUrl: './usersList.component.html',
   styleUrls: ['./usersList.component.scss'],
-  imports: [MaterialModule, CommonModule],
+  imports: [MaterialModule],
   providers: [],
 })
 export class UsersListComponent {

console-webapp/src/index.html

@@ -6,7 +6,12 @@
     <base href="/" />
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <link rel="icon" type="image/x-icon" href="favicon.ico" />
+    <link rel="preconnect" href="https://fonts.googleapis.com" />
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
+    <link
+      href="https://fonts.googleapis.com/css2?family=Google+Sans:ital,opsz,wght@0,17..18,400..700;1,17..18,400..700&display=swap"
+      rel="stylesheet"
+    />
     <link
       href="https://fonts.googleapis.com/css2?family=Google+Sans+Text:wght@400;500;700&display=swap"
       rel="stylesheet"

console-webapp/src/main.ts

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { enableProdMode } from '@angular/core';
+import { enableProdMode, provideZoneChangeDetection } from '@angular/core';
 import { platformBrowserDynamic } from '@angular/platform-browser-dynamic';
 
 import { AppModule } from './app/app.module';
@@ -23,5 +23,7 @@ if (environment.production || environment.sandbox) {
 }
 
 platformBrowserDynamic()
-  .bootstrapModule(AppModule)
+  .bootstrapModule(AppModule, {
+    applicationProviders: [provideZoneChangeDetection()],
+  })
   .catch((err) => console.error(err));

console-webapp/tsconfig.json

@@ -14,14 +14,10 @@
     "sourceMap": true,
     "declaration": false,
     "experimentalDecorators": true,
-    "moduleResolution": "node",
+    "moduleResolution": "bundler",
     "importHelpers": true,
     "target": "ES2022",
     "module": "es2020",
-    "lib": [
-      "es2020",
-      "dom"
-    ],
     "useDefineForClassFields": false
   },
   "angularCompilerOptions": {

core/Dockerfile

@@ -1,3 +1,3 @@
-FROM eclipse-temurin:21
+FROM eclipse-temurin:25
 ADD build/libs/nomulus.jar /nomulus.jar
 ENTRYPOINT ["java", "-jar", "/nomulus.jar"]

core/build.gradle

@@ -17,7 +17,7 @@ import java.util.Optional
 
 plugins {
   id 'java-library'
-  id "org.flywaydb.flyway" version "11.0.1"
+  id "org.flywaydb.flyway" version "12.2.0"
   id 'maven-publish'
 }
 
@@ -30,7 +30,6 @@ def screenshotsForGoldensDir = "${project.buildDir}/screenshots_for_goldens"
 def newGoldensDir = "${project.buildDir}/new_golden_images"
 def goldensDir =
   "${javaTestDir}/google/registry/webdriver/goldens/chrome-linux"
-def jsDir = "${project.projectDir}/src/main/javascript"
 
 // Tests that fail when running Gradle in a docker container, e. g. when
 // building the release artifacts in Google Cloud Build.
@@ -55,12 +54,12 @@ def dockerIncompatibleTestPatterns = [
 // objects retained by frameworks.
 // TODO(weiminyu): identify cause and fix offending tests.
 def fragileTestPatterns = [
-    // Changes cache timeouts and for some reason appears to have contention
-    // with other tests.
-    "google/registry/whois/WhoisCommandFactoryTest.*",
+    // Breaks random other tests when running with standardTests.
+    "google/registry/bsa/UploadBsaUnavailableDomainsActionTest.*",
     // Currently changes a global configuration parameter that for some reason
     // results in timestamp inversions for other tests.  TODO(mmuller): fix.
     "google/registry/flows/host/HostInfoFlowTest.*",
+    "google/registry/beam/common/RegistryPipelineWorkerInitializerTest.*",
 ] + dockerIncompatibleTestPatterns
 
 sourceSets {
@@ -75,11 +74,7 @@ sourceSets {
   nonprod {
     java {
       compileClasspath += main.output
-
-      // Add the DB runtime classpath to nonprod so we can load the flyway
-      // scripts.
-      runtimeClasspath += main.output +
-          rootProject.project(":db").sourceSets.main.runtimeClasspath
+      runtimeClasspath += main.output
     }
   }
   test {
@@ -103,15 +98,24 @@ configurations {
   devtool
 
   nonprodImplementation.extendsFrom implementation
+  nonprodRuntimeOnly.extendsFrom runtimeOnly
 
   testImplementation.extendsFrom nonprodImplementation
 
   // Published jars that are used for server/schema compatibility tests.
   // See <a href="../integration/README.md">the integration project</a>
   // for details.
-  nomulus_test
+  nomulus_test {
+    canBeConsumed = true
+    canBeResolved = false
+  }
+  testRuntimeElements {
+    canBeConsumed = true
+    canBeResolved = false
+    extendsFrom testRuntimeOnly
+  }
 
-  // Exclude non-canonical servlet-api jars. Our AppEngine deployment uses
+  // Exclude non-canonical servlet-api jars. Our deployment uses
   // javax.servlet:servlet-api:2.5
   // For reasons we do not understand, marking the following dependencies as
   // compileOnly instead of compile does not exclude them from runtimeClasspath.
@@ -186,6 +190,9 @@ dependencies {
   testRuntimeOnly deps['guru.nidi:graphviz-java-all-j2v8']
   testImplementation deps['io.github.classgraph:classgraph']
   testRuntimeOnly deps['io.github.java-diff-utils:java-diff-utils']
+  testImplementation deps['io.github.ss-bhatt:testcontainers-valkey']
+  implementation deps['io.protostuff:protostuff-core']
+  implementation deps['io.protostuff:protostuff-runtime']
   implementation deps['jakarta.inject:jakarta.inject-api']
   implementation deps['jakarta.mail:jakarta.mail-api']
   implementation deps['jakarta.persistence:jakarta.persistence-api']
@@ -239,6 +246,7 @@ dependencies {
   implementation deps['org.testcontainers:postgresql']
   testImplementation deps['org.testcontainers:selenium']
   testImplementation deps['org.testcontainers:testcontainers']
+  implementation deps['redis.clients:jedis']
   implementation deps['us.fatehi:schemacrawler']
   implementation deps['us.fatehi:schemacrawler-api']
   implementation deps['us.fatehi:schemacrawler-diagram']
@@ -252,6 +260,7 @@ dependencies {
   implementation project(':util')
   // Import NomulusPostreSql from ':db' for implementation but exclude dependencies.
   implementation project(path: ':db', configuration: 'implementationApi')
+  nonprodRuntimeOnly project(':db')
   testRuntimeOnly project(':db')
 
   annotationProcessor deps['com.google.auto.service:auto-service']
@@ -271,7 +280,6 @@ dependencies {
   testImplementation deps['org.hamcrest:hamcrest']
   testImplementation deps['org.hamcrest:hamcrest-core']
   testImplementation deps['org.hamcrest:hamcrest-library']
-  testImplementation deps['junit:junit']
   testImplementation deps['org.junit.jupiter:junit-jupiter-api']
   testImplementation deps['org.junit.jupiter:junit-jupiter-engine']
   testImplementation deps['org.junit.jupiter:junit-jupiter-migrationsupport']
@@ -293,13 +301,8 @@ dependencies {
   jaxb deps['org.glassfish.jaxb:jaxb-xjc']
 
   // Dependency needed for soy to java compilation.
-  // Read dependencies.gradle on why the protobuf version is pinned directly.
-  soy 'com.google.protobuf:protobuf-java:[3.25.5, 4.0.0)!!'
   soy deps['com.google.template:soy']
 
-  // Tool dependencies.  used for doc generation.
-  implementation files("${System.properties['java.home']}/../lib/tools.jar")
-
   // Flyway classes needed to generate the golden file.
   implementation deps['org.flywaydb:flyway-core']
   implementation deps['org.flywaydb:flyway-database-postgresql']
@@ -343,7 +346,7 @@ task jaxbToJava {
             destdir: "${generatedDir}",
             binding: "${xjcTempSourceDir}/bindings.xjb",
             removeOldOutput: 'yes', extension: 'true') {
-      project.fileTree(
+      fileTree(
               dir: new File("$xjcTempSourceDir"),
               include: ['**/*.xsd'])
               .addToAntBuilder(ant, 'schema', FileCollection.AntType.FileSet)
@@ -381,13 +384,14 @@ task soyToJava {
   }
 
   ext.soyToJava = { javaPackage, outputDirectory, soyFiles ->
-    javaexec {
-      main = "com.google.template.soy.SoyParseInfoGenerator"
-      classpath configurations.soy
-      args "--javaPackage", "${javaPackage}",
+    project.services.get(ExecOperations).javaexec {
+      mainClass = "com.google.template.soy.SoyParseInfoGenerator"
+      classpath = configurations.soy
+      jvmArgs = ["--sun-misc-unsafe-memory-access=allow", "--enable-native-access=ALL-UNNAMED"]
+      args = ["--javaPackage", "${javaPackage}",
               "--outputDirectory", "${outputDirectory}",
               "--javaClassNameSource", "filename",
-              "--srcs", "${soyFiles.join(',')}"
+              "--srcs", "${soyFiles.join(',')}"]
     }
 
     // Replace the "@link" tags after the "@deprecated" tags in the generated
@@ -401,8 +405,8 @@ task soyToJava {
     }
 
     outputs.each { file ->
-      exec {
-        commandLine 'sed', '-i""', '-e', 's/@link/LINK/g', file.getCanonicalPath()
+      project.services.get(ExecOperations).exec {
+        commandLine = ['sed', '-i""', '-e', 's/@link/LINK/g', file.getCanonicalPath()]
       }
     }
   }
@@ -433,13 +437,13 @@ task testJar(type: Jar) {
 }
 
 artifacts {
-  testRuntimeOnly testJar
+  add('testRuntimeElements', testJar)
 }
 
 task findGoldenImages(type: JavaExec) {
   classpath = sourceSets.test.runtimeClasspath
-  main = 'google.registry.webdriver.GoldenImageFinder'
-
+  mainClass = 'google.registry.webdriver.GoldenImageFinder'
+  jvmArgs "--sun-misc-unsafe-memory-access=allow"
   def arguments = []
   arguments << "--screenshots_for_goldens_dir=${screenshotsForGoldensDir}"
   arguments << "--new_goldens_dir=${newGoldensDir}"
@@ -485,11 +489,12 @@ Optional<List<String>> getToolArgsList() {
 // parameter.
 ext.createToolTask = {
     taskName,
-    mainClass,
+    mainClassName,
     sourceSet = sourceSets.main ->
   project.tasks.create(taskName, JavaExec) {
     classpath = sourceSet.runtimeClasspath
-    main = mainClass
+    mainClass = mainClassName
+    jvmArgs "--sun-misc-unsafe-memory-access=allow", "--enable-native-access=ALL-UNNAMED"
 
     doFirst {
       getToolArgsList().ifPresent {
@@ -506,7 +511,8 @@ createToolTask(
 
 project.tasks.create('generateSqlSchema', JavaExec) {
   classpath = sourceSets.nonprod.runtimeClasspath
-  main = 'google.registry.tools.DevTool'
+  mainClass = 'google.registry.tools.DevTool'
+  jvmArgs "--sun-misc-unsafe-memory-access=allow"
   args = [
       '-e', 'alpha',
       'generate_sql_schema', '--start_postgresql', '-o',
@@ -519,7 +525,7 @@ task generateGoldenImages(type: FilteringTest) {
   tests = ["**/webdriver/*"]
 
   // Sets the maximum number of test executors that may exist at the same time.
-  maxParallelForks 5
+  maxParallelForks = 5
 
   systemProperty 'test.screenshot.dir', screenshotsForGoldensDir
   systemProperty 'test.screenshot.runAllAttempts', 'true'
@@ -573,11 +579,6 @@ if (environment == 'alpha') {
               mainClass: 'google.registry.beam.resave.ResaveAllEppResourcesPipeline',
               metaData: 'google/registry/beam/resave_all_epp_resources_pipeline_metadata.json'
           ],
-      wipeOutContactHistoryPii:
-              [
-                      mainClass: 'google.registry.beam.wipeout.WipeOutContactHistoryPiiPipeline',
-                      metaData: 'google/registry/beam/wipe_out_contact_history_pii_pipeline_metadata.json'
-              ],
   ]
   project.tasks.create("stageBeamPipelines") {
     doLast {
@@ -597,7 +598,7 @@ if (environment == 'alpha') {
             gs://${gcpProject}-deploy/live/beam/${metaDataBaseName} \
             --image-gcr-path ${imageName}:live \
             --sdk-language JAVA \
-            --flex-template-base-image gcr.io/dataflow-templates-base/java21-template-launcher-base:latest \
+            --flex-template-base-image gcr.io/dataflow-templates-base/java25-template-launcher-base:latest \
             --metadata-file ${projectDir}/src/main/resources/${metaData} \
             --jar ${uberJarName} \
             --env FLEX_TEMPLATE_JAVA_MAIN_CLASS=${mainClass} \
@@ -650,23 +651,6 @@ artifacts {
   nomulus_test testUberJar
 }
 
-publishing {
-  repositories {
-    maven {
-      url project.publish_repo
-    }
-  }
-  publications {
-    nomulusTestsPublication(MavenPublication) {
-      groupId 'google.registry'
-      artifactId 'nomulus_test'
-      version project.nomulus_version
-      artifact nomulusFossJar
-      artifact testUberJar
-    }
-  }
-}
-
 task buildToolImage(dependsOn: nomulus, type: Exec) {
   commandLine 'docker', 'build', '-t', 'nomulus-tool', '.'
 }
@@ -685,8 +669,9 @@ artifacts {
 }
 
 task runTestServer(type: JavaExec) {
-  main = 'google.registry.server.RegistryTestServerMain'
+  mainClass = 'google.registry.server.RegistryTestServerMain'
   classpath = sourceSets.test.runtimeClasspath
+  jvmArgs "--sun-misc-unsafe-memory-access=allow"
   dependsOn(rootProject.project('console-webapp').tasks.named('buildConsoleWebapp'))
 }
 
@@ -711,6 +696,8 @@ abstract class FilteringTest extends Test {
 
   FilteringTest() {
     useJUnitPlatform();
+    testClassesDirs = project.sourceSets.test.output.classesDirs
+    classpath = project.sourceSets.test.runtimeClasspath
   }
 
   private void applyTestFilter() {
@@ -765,7 +752,7 @@ task fragileTest(type: FilteringTest) {
   }
 
   // Run every test class in a freshly started process.
-  forkEvery 1
+  forkEvery = 1
 
   doFirst {
     new File(screenshotsDir).deleteDir()
@@ -780,6 +767,9 @@ task sqlIntegrationTest(type: FilteringTest) {
   useJUnit()
   excludeTestCases = false
   tests = ['google/registry/schema/integration/SqlIntegrationTestSuite.*']
+
+  testClassesDirs = sourceSets.test.output.classesDirs
+  classpath = sourceSets.test.runtimeClasspath
 }
 
 // Verifies that RegistryTool can be instantiated:
@@ -805,13 +795,13 @@ task standardTest(type: FilteringTest) {
   // Run every test class in its own process.
   // Uncomment to unblock build while troubleshooting inexplicable test errors.
   // This setting makes the build take 35 minutes, without it it takes about 10.
-  // forkEvery 1
+  // forkEvery = 1
 
   // Sets the maximum number of test executors that may exist at the same time.
   // Also, Gradle executes tests in 1 thread and some of our test infrastructures
   // depend on that, e.g. DualDatabaseTestInvocationContextProvider injects
   // different implementation of TransactionManager into TransactionManagerFactory.
-  maxParallelForks 64
+  maxParallelForks = 64
 
   systemProperty 'test.projectRoot', rootProject.projectRootDir
   systemProperty 'test.resourcesDir', resourcesDir

core/buildscript-gradle.lockfile

@@ -1,13 +1,11 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-com.fasterxml.jackson.core:jackson-annotations:2.15.2=classpath
-com.fasterxml.jackson.core:jackson-core:2.15.2=classpath
-com.fasterxml.jackson.core:jackson-databind:2.15.2=classpath
-com.fasterxml.jackson.dataformat:jackson-dataformat-toml:2.15.2=classpath
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.2=classpath
-com.fasterxml.jackson:jackson-bom:2.15.2=classpath
-gradle.plugin.org.flywaydb:gradle-plugin-publishing:11.0.1=classpath
-org.flywaydb.flyway:org.flywaydb.flyway.gradle.plugin:11.0.1=classpath
-org.flywaydb:flyway-core:11.0.1=classpath
+com.fasterxml.jackson.core:jackson-annotations:2.21=classpath
+gradle.plugin.org.flywaydb:gradle-plugin-publishing:12.2.0=classpath
+org.flywaydb.flyway:org.flywaydb.flyway.gradle.plugin:12.2.0=classpath
+org.flywaydb:flyway-core:12.2.0=classpath
+tools.jackson.core:jackson-core:3.1.0=classpath
+tools.jackson.core:jackson-databind:3.1.0=classpath
+tools.jackson:jackson-bom:3.1.0=classpath
 empty=