Add SQL table for password resets (#2751)

We plan on using this for EPP password resets and registry lock password
resets for now.

console-webapp/src/app/app-routing.module.ts

@@ -24,8 +24,8 @@ import { ResourcesComponent } from './resources/resources.component';
 import ContactComponent from './settings/contact/contact.component';
 import SecurityComponent from './settings/security/security.component';
 import { SettingsComponent } from './settings/settings.component';
-import WhoisComponent from './settings/whois/whois.component';
 import { SupportComponent } from './support/support.component';
+import RdapComponent from './settings/rdap/rdap.component';
 
 export interface RouteWithIcon extends Route {
   iconName?: string;
@@ -83,9 +83,9 @@ export const routes: RouteWithIcon[] = [
         title: 'Contacts',
       },
       {
-        path: WhoisComponent.PATH,
-        component: WhoisComponent,
-        title: 'WHOIS Info',
+        path: RdapComponent.PATH,
+        component: RdapComponent,
+        title: 'RDAP Info',
       },
       {
         path: SecurityComponent.PATH,

console-webapp/src/app/app.module.ts

@@ -47,8 +47,6 @@ import EppPasswordEditComponent from './settings/security/eppPasswordEdit.compon
 import SecurityComponent from './settings/security/security.component';
 import SecurityEditComponent from './settings/security/securityEdit.component';
 import { SettingsComponent } from './settings/settings.component';
-import WhoisComponent from './settings/whois/whois.component';
-import WhoisEditComponent from './settings/whois/whoisEdit.component';
 import { NotificationsComponent } from './shared/components/notifications/notifications.component';
 import { SelectedRegistrarWrapper } from './shared/components/selectedRegistrarWrapper/selectedRegistrarWrapper.component';
 import { LocationBackDirective } from './shared/directives/locationBack.directive';
@@ -60,6 +58,8 @@ import { SnackBarModule } from './snackbar.module';
 import { SupportComponent } from './support/support.component';
 import { TldsComponent } from './tlds/tlds.component';
 import { ForceFocusDirective } from './shared/directives/forceFocus.directive';
+import RdapComponent from './settings/rdap/rdap.component';
+import RdapEditComponent from './settings/rdap/rdapEdit.component';
 
 @NgModule({
   declarations: [SelectedRegistrarWrapper],
@@ -76,30 +76,30 @@ export class SelectedRegistrarModule {}
     ContactDetailsComponent,
     DomainListComponent,
     EppPasswordEditComponent,
+    ForceFocusDirective,
     HeaderComponent,
     HomeComponent,
     LocationBackDirective,
-    ForceFocusDirective,
-    UserLevelVisibility,
     NavigationComponent,
     NewRegistrarComponent,
     NotificationsComponent,
+    RdapComponent,
+    RdapEditComponent,
+    ReasonDialogComponent,
     RegistrarComponent,
     RegistrarDetailsComponent,
-    RegistryLockComponent,
     RegistrarSelectorComponent,
+    RegistryLockComponent,
     RegistryLockVerifyComponent,
     ResourcesComponent,
+    ResponseDialogComponent,
     SecurityComponent,
     SecurityEditComponent,
     SettingsComponent,
     SettingsContactComponent,
     SupportComponent,
     TldsComponent,
-    WhoisComponent,
-    WhoisEditComponent,
-    ReasonDialogComponent,
-    ResponseDialogComponent,
+    UserLevelVisibility,
   ],
   bootstrap: [AppComponent],
   imports: [
@@ -108,8 +108,8 @@ export class SelectedRegistrarModule {}
     BrowserModule,
     FormsModule,
     MaterialModule,
-    SnackBarModule,
     SelectedRegistrarModule,
+    SnackBarModule,
   ],
   providers: [
     BackendService,

console-webapp/src/app/registrar/newRegistrar.component.ts

@@ -48,7 +48,6 @@ export default class NewRegistrarComponent {
     this.newRegistrar = {
       registrarId: '',
       url: '',
-      whoisServer: '',
       registrarName: '',
       icannReferralEmail: '',
       localizedAddress: {

console-webapp/src/app/registrar/registrar.service.ts

@@ -50,17 +50,16 @@ export interface SecuritySettings
   ipAddressAllowList?: Array<IpAllowListItem>;
 }
 
-export interface WhoisRegistrarFields {
+export interface RdapRegistrarFields {
   ianaIdentifier?: number;
   icannReferralEmail: string;
   localizedAddress: Address;
   registrarId: string;
   url: string;
-  whoisServer: string;
 }
 
 export interface Registrar
-  extends WhoisRegistrarFields,
+  extends RdapRegistrarFields,
     SecuritySettingsBackendModel {
   allowedTlds?: string[];
   billingAccountMap?: object;

console-webapp/src/app/settings/contact/contact.component.ts

@@ -16,11 +16,7 @@ import { Component, effect, ViewEncapsulation } from '@angular/core';
 import { MatTableDataSource } from '@angular/material/table';
 import { take } from 'rxjs';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
-import {
-  ContactService,
-  contactTypeToViewReadyContact,
-  ViewReadyContact,
-} from './contact.service';
+import { ContactService, ViewReadyContact } from './contact.service';
 
 @Component({
   selector: 'app-contact',

console-webapp/src/app/settings/contact/contact.service.ts

@@ -24,7 +24,7 @@ export type contactType =
   | 'LEGAL'
   | 'MARKETING'
   | 'TECH'
-  | 'WHOIS';
+  | 'RDAP';
 
 type contactTypesToUserFriendlyTypes = { [type in contactType]: string };
 
@@ -35,7 +35,7 @@ export const contactTypeToTextMap: contactTypesToUserFriendlyTypes = {
   LEGAL: 'Legal contact',
   MARKETING: 'Marketing contact',
   TECH: 'Technical contact',
-  WHOIS: 'WHOIS-Inquiry contact',
+  RDAP: 'RDAP-Inquiry contact',
 };
 
 type UserFriendlyType = (typeof contactTypeToTextMap)[contactType];
@@ -83,7 +83,7 @@ export class ContactService {
       : contactTypeToViewReadyContact({
           emailAddress: '',
           name: '',
-          types: ['ADMIN'],
+          types: ['TECH'],
           faxNumber: '',
           phoneNumber: '',
           registrarId: '',

console-webapp/src/app/settings/contact/contactDetails.component.html

@@ -56,6 +56,7 @@
           [required]="true"
           [(ngModel)]="contactService.contactInEdit.emailAddress"
           [ngModelOptions]="{ standalone: true }"
+          [disabled]="emailAddressIsDisabled()"
         />
       </mat-form-field>
 
@@ -85,24 +86,28 @@
         <mat-icon color="accent">error</mat-icon>Required to select at least one
       </p>
       <div class="">
-        <mat-checkbox
+        <ng-container
           *ngFor="let contactType of contactTypeToTextMap | keyvalue"
-          [checked]="checkboxIsChecked(contactType.key)"
-          (change)="checkboxOnChange($event, contactType.key)"
-          [disabled]="checkboxIsDisabled(contactType.key)"
         >
-          {{ contactType.value }}
-        </mat-checkbox>
+          <mat-checkbox
+            *ngIf="shouldDisplayCheckbox(contactType.key)"
+            [checked]="checkboxIsChecked(contactType.key)"
+            (change)="checkboxOnChange($event, contactType.key)"
+            [disabled]="checkboxIsDisabled(contactType.key)"
+          >
+            {{ contactType.value }}
+          </mat-checkbox>
+        </ng-container>
       </div>
     </section>
 
     <section>
-      <h1>WHOIS Preferences</h1>
+      <h1>RDAP Preferences</h1>
       <div>
         <mat-checkbox
           [(ngModel)]="contactService.contactInEdit.visibleInWhoisAsAdmin"
           [ngModelOptions]="{ standalone: true }"
-          >Show in Registrar WHOIS record as admin contact</mat-checkbox
+          >Show in Registrar RDAP record as admin contact</mat-checkbox
         >
       </div>
 
@@ -110,7 +115,7 @@
         <mat-checkbox
           [(ngModel)]="contactService.contactInEdit.visibleInWhoisAsTech"
           [ngModelOptions]="{ standalone: true }"
-          >Show in Registrar WHOIS record as technical contact</mat-checkbox
+          >Show in Registrar RDAP record as technical contact</mat-checkbox
         >
       </div>
 
@@ -118,8 +123,8 @@
         <mat-checkbox
           [(ngModel)]="contactService.contactInEdit.visibleInDomainWhoisAsAbuse"
           [ngModelOptions]="{ standalone: true }"
-          >Show Phone and Email in Domain WHOIS Record as registrar abuse
-          contact (per CL&D requirements)</mat-checkbox
+          >Show Phone and Email in Domain RDAP Record as registrar abuse contact
+          (per CL&D requirements)</mat-checkbox
         >
       </div>
     </section>
@@ -176,13 +181,13 @@
     <mat-card-content>
       <mat-list role="list">
         <mat-list-item role="listitem">
-          <h2>WHOIS Preferences</h2>
+          <h2>RDAP Preferences</h2>
         </mat-list-item>
         @if(contactService.contactInEdit.visibleInWhoisAsAdmin) {
         <mat-divider></mat-divider>
         <mat-list-item role="listitem">
           <span class="console-app__list-value"
-            >Show in Registrar WHOIS record as admin contact</span
+            >Show in Registrar RDAP record as admin contact</span
           >
         </mat-list-item>
         } @if(contactService.contactInEdit.visibleInWhoisAsTech) {
@@ -192,14 +197,14 @@
           *ngIf="contactService.contactInEdit.visibleInWhoisAsTech"
         >
           <span class="console-app__list-value"
-            >Show in Registrar WHOIS record as technical contact</span
+            >Show in Registrar RDAP record as technical contact</span
           >
         </mat-list-item>
         } @if(contactService.contactInEdit.visibleInDomainWhoisAsAbuse) {
         <mat-divider></mat-divider>
         <mat-list-item role="listitem">
           <span class="console-app__list-value"
-            >Show Phone and Email in Domain WHOIS Record as registrar abuse
+            >Show Phone and Email in Domain RDAP Record as registrar abuse
             contact (per CL&D requirements)</span
           >
         </mat-list-item>

console-webapp/src/app/settings/contact/contactDetails.component.ts

@@ -82,6 +82,10 @@ export class ContactDetailsComponent {
     });
   }
 
+  shouldDisplayCheckbox(type: string) {
+    return type !== 'ADMIN' || this.checkboxIsChecked(type);
+  }
+
   checkboxIsChecked(type: string) {
     return this.contactService.contactInEdit.types.includes(
       type as contactType
@@ -89,6 +93,9 @@ export class ContactDetailsComponent {
   }
 
   checkboxIsDisabled(type: string) {
+    if (type === 'ADMIN') {
+      return true;
+    }
     return (
       this.contactService.contactInEdit.types.length === 1 &&
       this.contactService.contactInEdit.types[0] === (type as contactType)
@@ -105,4 +112,8 @@ export class ContactDetailsComponent {
         );
     }
   }
+
+  emailAddressIsDisabled() {
+    return this.contactService.contactInEdit.types.includes('ADMIN');
+  }
 }

console-webapp/src/app/settings/rdap/rdap.component.html

@@ -1,18 +1,18 @@
-@if(whoisService.editing) {
-<app-whois-edit></app-whois-edit>
+@if(rdapService.editing) {
+<app-rdap-edit></app-rdap-edit>
 } @else {
-<div class="console-app__whois">
-  <div class="console-app__whois-controls">
+<div class="console-app__rdap">
+  <div class="console-app__rdap-controls">
     <span>
-      General registrar information for your WHOIS record. This information is
-      always visible in WHOIS.
+      General registrar information for your RDAP record. This information is
+      always visible in RDAP.
     </span>
     <div class="spacer"></div>
     <button
       mat-flat-button
       color="primary"
-      aria-label="Edit WHOIS record"
-      (click)="whoisService.editing = true"
+      aria-label="Edit RDAP record"
+      (click)="rdapService.editing = true"
     >
       <mat-icon>edit</mat-icon>
       Edit
@@ -61,45 +61,5 @@
       </mat-list>
     </mat-card-content>
   </mat-card>
-
-  <mat-card appearance="outlined">
-    <mat-card-content>
-      <mat-list role="list">
-        <mat-list-item role="listitem">
-          <h2>Technical Info</h2>
-        </mat-list-item>
-        <mat-divider></mat-divider>
-        <mat-list-item role="listitem">
-          <span class="console-app__list-key">IANA Identifier</span>
-          <span class="console-app__list-value">{{
-            registrarService.registrar()?.ianaIdentifier
-          }}</span>
-        </mat-list-item>
-        <mat-divider></mat-divider>
-        <mat-list-item role="listitem">
-          <div>
-            <span class="console-app__list-key">ICANN Referral Email</span>
-            <span class="console-app__list-value">{{
-              registrarService.registrar()?.icannReferralEmail
-            }}</span>
-          </div>
-        </mat-list-item>
-        <mat-divider></mat-divider>
-        <mat-list-item role="listitem">
-          <span class="console-app__list-key">WHOIS server</span>
-          <span class="console-app__list-value">{{
-            registrarService.registrar()?.whoisServer
-          }}</span>
-        </mat-list-item>
-        <mat-divider></mat-divider>
-        <mat-list-item role="listitem">
-          <span class="console-app__list-key">Referral URL</span>
-          <span class="console-app__list-value">{{
-            registrarService.registrar()?.url
-          }}</span>
-        </mat-list-item>
-      </mat-list>
-    </mat-card-content>
-  </mat-card>
 </div>
 }

console-webapp/src/app/settings/rdap/rdap.component.scss

@@ -1,4 +1,4 @@
-.console-app__whois {
+.console-app__rdap {
   max-width: 616px;
 
   &-controls {

console-webapp/src/app/settings/rdap/rdap.component.spec.ts

@@ -20,15 +20,15 @@ import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
 import { MaterialModule } from 'src/app/material.module';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
 import { BackendService } from 'src/app/shared/services/backend.service';
-import WhoisComponent from './whois.component';
+import RdapComponent from './rdap.component';
 
-describe('WhoisComponent', () => {
-  let component: WhoisComponent;
-  let fixture: ComponentFixture<WhoisComponent>;
+describe('RdapComponent', () => {
+  let component: RdapComponent;
+  let fixture: ComponentFixture<RdapComponent>;
 
   beforeEach(async () => {
     await TestBed.configureTestingModule({
-      declarations: [WhoisComponent],
+      declarations: [RdapComponent],
       imports: [MaterialModule, BrowserAnimationsModule],
       providers: [
         BackendService,
@@ -45,7 +45,7 @@ describe('WhoisComponent', () => {
       ],
     }).compileComponents();
 
-    fixture = TestBed.createComponent(WhoisComponent);
+    fixture = TestBed.createComponent(RdapComponent);
     component = fixture.componentInstance;
     fixture.detectChanges();
   });

console-webapp/src/app/settings/rdap/rdap.component.ts

@@ -14,17 +14,16 @@
 
 import { Component, computed } from '@angular/core';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
-
-import { WhoisService } from './whois.service';
+import { RdapService } from './rdap.service';
 
 @Component({
-  selector: 'app-whois',
-  templateUrl: './whois.component.html',
-  styleUrls: ['./whois.component.scss'],
+  selector: 'app-rdap',
+  templateUrl: './rdap.component.html',
+  styleUrls: ['./rdap.component.scss'],
   standalone: false,
 })
-export default class WhoisComponent {
-  public static PATH = 'whois';
+export default class RdapComponent {
+  public static PATH = 'rdap';
   formattedAddress = computed(() => {
     let result = '';
     const registrar = this.registrarService.registrar();
@@ -47,7 +46,7 @@ export default class WhoisComponent {
   });
 
   constructor(
-    public whoisService: WhoisService,
+    public rdapService: RdapService,
     public registrarService: RegistrarService
   ) {}
 }

console-webapp/src/app/settings/rdap/rdap.service.ts

@@ -16,14 +16,14 @@ import { Injectable } from '@angular/core';
 import { switchMap } from 'rxjs';
 import {
   RegistrarService,
-  WhoisRegistrarFields,
+  RdapRegistrarFields,
 } from 'src/app/registrar/registrar.service';
 import { BackendService } from 'src/app/shared/services/backend.service';
 
 @Injectable({
   providedIn: 'root',
 })
-export class WhoisService {
+export class RdapService {
   editing: boolean = false;
 
   constructor(
@@ -31,8 +31,8 @@ export class WhoisService {
     private registrarService: RegistrarService
   ) {}
 
-  saveChanges(newWhoisRegistrarFields: WhoisRegistrarFields) {
-    return this.backend.postWhoisRegistrarFields(newWhoisRegistrarFields).pipe(
+  saveChanges(newRdapRegistrarFields: RdapRegistrarFields) {
+    return this.backend.postRdapRegistrarFields(newRdapRegistrarFields).pipe(
       switchMap(() => {
         return this.registrarService.loadRegistrars();
       })

console-webapp/src/app/settings/rdap/rdapEdit.component.html

@@ -1,27 +1,27 @@
 <div
-  class="console-app__whois-edit"
+  class="console-app__rdap-edit"
   *ngIf="registrarInEdit"
   cdkTrapFocus
   [cdkTrapFocusAutoCapture]="true"
 >
   <button
     mat-icon-button
-    class="console-app__whois-edit-back"
-    aria-label="Back to whois view"
-    (click)="whoisService.editing = false"
+    class="console-app__rdap-edit-back"
+    aria-label="Back to rdap view"
+    (click)="rdapService.editing = false"
   >
     <mat-icon>arrow_back</mat-icon>
   </button>
 
-  <div class="console-app__whois-edit-controls">
+  <div class="console-app__rdap-edit-controls">
     <span>
-      General registrar information for your WHOIS record. This information is
-      always visible in WHOIS.
+      General registrar information for your RDAP record. This information is
+      always visible in RDAP.
     </span>
     <div class="spacer"></div>
   </div>
 
-  <div class="console-app__whois-edit">
+  <div class="console-app__rdap-edit">
     <h1>Personal info</h1>
 
     <form (ngSubmit)="save($event)">
@@ -115,45 +115,11 @@
         />
       </mat-form-field>
 
-      <h1>Technical info</h1>
-
-      <mat-form-field appearance="outline">
-        <mat-label>WHOIS server: </mat-label>
-        <input
-          matInput
-          type="text"
-          [(ngModel)]="registrarInEdit.whoisServer"
-          [ngModelOptions]="{ standalone: true }"
-        />
-      </mat-form-field>
-
-      <mat-form-field appearance="outline">
-        <mat-label>Referral URL: </mat-label>
-        <input
-          matInput
-          type="text"
-          [(ngModel)]="registrarInEdit.url"
-          [ngModelOptions]="{ standalone: true }"
-        />
-      </mat-form-field>
-
-      @if((userDataService.userData()?.globalRole || 'NONE') !== "NONE") {
-      <mat-form-field appearance="outline">
-        <mat-label>ICANN Referral Email: </mat-label>
-        <input
-          matInput
-          type="text"
-          [(ngModel)]="registrarInEdit.icannReferralEmail"
-          [ngModelOptions]="{ standalone: true }"
-        />
-      </mat-form-field>
-      }
-
       <button
         mat-flat-button
         color="primary"
         type="submit"
-        aria-label="Save WHOIS settings"
+        aria-label="Save RDAO settings"
       >
         Save
       </button>

console-webapp/src/app/settings/rdap/rdapEdit.component.scss

@@ -1,4 +1,4 @@
-.console-app__whois-edit {
+.console-app__rdap-edit {
   max-width: 616px;
 
   &-controls {

console-webapp/src/app/settings/rdap/rdapEdit.component.ts

@@ -20,20 +20,20 @@ import {
   RegistrarService,
 } from 'src/app/registrar/registrar.service';
 import { UserDataService } from 'src/app/shared/services/userData.service';
-import { WhoisService } from './whois.service';
+import { RdapService } from './rdap.service';
 
 @Component({
-  selector: 'app-whois-edit',
-  templateUrl: './whoisEdit.component.html',
-  styleUrls: ['./whoisEdit.component.scss'],
+  selector: 'app-rdap-edit',
+  templateUrl: './rdapEdit.component.html',
+  styleUrls: ['./rdapEdit.component.scss'],
   standalone: false,
 })
-export default class WhoisEditComponent {
+export default class RdapEditComponent {
   registrarInEdit: Registrar | undefined;
 
   constructor(
     public userDataService: UserDataService,
-    public whoisService: WhoisService,
+    public rdapService: RdapService,
     public registrarService: RegistrarService,
     private _snackBar: MatSnackBar
   ) {
@@ -49,9 +49,9 @@ export default class WhoisEditComponent {
     e.preventDefault();
     if (!this.registrarInEdit) return;
 
-    this.whoisService.saveChanges(this.registrarInEdit).subscribe({
+    this.rdapService.saveChanges(this.registrarInEdit).subscribe({
       complete: () => {
-        this.whoisService.editing = false;
+        this.rdapService.editing = false;
       },
       error: (err: HttpErrorResponse) => {
         this._snackBar.open(err.error);

console-webapp/src/app/settings/settings.component.html

@@ -19,13 +19,13 @@
       >
       <a
         mat-tab-link
-        routerLink="whois"
+        routerLink="rdap"
         routerLinkActive
         queryParamsHandling="merge"
         #rla2="routerLinkActive"
         [active]="rla2.isActive"
-        aria-label="Access whois settings"
-        >WHOIS Info</a
+        aria-label="Access rdap settings"
+        >RDAP Info</a
       >
       <a
         mat-tab-link

console-webapp/src/app/shared/services/backend.service.ts

@@ -25,7 +25,7 @@ import { User } from 'src/app/users/users.service';
 import {
   Registrar,
   SecuritySettingsBackendModel,
-  WhoisRegistrarFields,
+  RdapRegistrarFields,
 } from '../../registrar/registrar.service';
 import { Contact } from '../../settings/contact/contact.service';
 import { EppPasswordBackendModel } from '../../settings/security/security.service';
@@ -209,12 +209,12 @@ export class BackendService {
       .pipe(catchError((err) => this.errorCatcher<UserData>(err)));
   }
 
-  postWhoisRegistrarFields(
-    whoisRegistrarFields: WhoisRegistrarFields
-  ): Observable<WhoisRegistrarFields> {
-    return this.http.post<WhoisRegistrarFields>(
-      '/console-api/settings/whois-fields',
-      whoisRegistrarFields
+  postRdapRegistrarFields(
+    rdapRegistrarFields: RdapRegistrarFields
+  ): Observable<RdapRegistrarFields> {
+    return this.http.post<RdapRegistrarFields>(
+      '/console-api/settings/rdap-fields',
+      rdapRegistrarFields
     );
   }
 

core/build.gradle

@@ -61,6 +61,7 @@ def fragileTestPatterns = [
     // Currently changes a global configuration parameter that for some reason
     // results in timestamp inversions for other tests.  TODO(mmuller): fix.
     "google/registry/flows/host/HostInfoFlowTest.*",
+    "google/registry/beam/common/RegistryPipelineWorkerInitializerTest.*",
 ] + dockerIncompatibleTestPatterns
 
 sourceSets {

core/src/main/java/google/registry/batch/SendExpiringCertificateNotificationEmailAction.java

@@ -33,7 +33,7 @@ import google.registry.flows.certs.CertificateChecker;
 import google.registry.groups.GmailClient;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase.Type;
+import google.registry.model.registrar.RegistrarPoc.Type;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
 import google.registry.request.Response;

core/src/main/java/google/registry/beam/billing/ExpandBillingRecurrencesPipeline.java

@@ -36,8 +36,6 @@ import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.flows.custom.CustomLogicFactoryModule;
 import google.registry.flows.custom.CustomLogicModule;
 import google.registry.flows.domain.DomainPricingLogic;
-import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForCurrencyException;
-import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForPremiumNameException;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingBase.Flag;
 import google.registry.model.billing.BillingCancellation;
@@ -389,38 +387,30 @@ public class ExpandBillingRecurrencesPipeline implements Serializable {
       // It is OK to always create a OneTime, even though the domain might be deleted or transferred
       // later during autorenew grace period, as a cancellation will always be written out in those
       // instances.
-      BillingEvent billingEvent = null;
-      try {
-        billingEvent =
-            new BillingEvent.Builder()
-                .setBillingTime(billingTime)
-                .setRegistrarId(billingRecurrence.getRegistrarId())
-                // Determine the cost for a one-year renewal.
-                .setCost(
-                    domainPricingLogic
-                        .getRenewPrice(
-                            tld,
-                            billingRecurrence.getTargetId(),
-                            eventTime,
-                            1,
-                            billingRecurrence,
-                            Optional.empty())
-                        .getRenewCost())
-                .setEventTime(eventTime)
-                .setFlags(union(billingRecurrence.getFlags(), Flag.SYNTHETIC))
-                .setDomainHistory(historyEntry)
-                .setPeriodYears(1)
-                .setReason(billingRecurrence.getReason())
-                .setSyntheticCreationTime(endTime)
-                .setCancellationMatchingBillingEvent(billingRecurrence)
-                .setTargetId(billingRecurrence.getTargetId())
-                .build();
-      } catch (AllocationTokenInvalidForCurrencyException
-          | AllocationTokenInvalidForPremiumNameException e) {
-        // This should not be reached since we are not using an allocation token
-        return;
-      }
-      results.add(billingEvent);
+      results.add(
+          new BillingEvent.Builder()
+              .setBillingTime(billingTime)
+              .setRegistrarId(billingRecurrence.getRegistrarId())
+              // Determine the cost for a one-year renewal.
+              .setCost(
+                  domainPricingLogic
+                      .getRenewPrice(
+                          tld,
+                          billingRecurrence.getTargetId(),
+                          eventTime,
+                          1,
+                          billingRecurrence,
+                          Optional.empty())
+                      .getRenewCost())
+              .setEventTime(eventTime)
+              .setFlags(union(billingRecurrence.getFlags(), Flag.SYNTHETIC))
+              .setDomainHistory(historyEntry)
+              .setPeriodYears(1)
+              .setReason(billingRecurrence.getReason())
+              .setSyntheticCreationTime(endTime)
+              .setCancellationMatchingBillingEvent(billingRecurrence)
+              .setTargetId(billingRecurrence.getTargetId())
+              .build());
     }
     results.add(
         billingRecurrence

core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java

@@ -40,6 +40,8 @@ public class RegistryPipelineWorkerInitializer implements JvmInitializer {
 
   @Override
   public void beforeProcessing(PipelineOptions options) {
+    // TODO(b/416299900): remove next line after GAE is removed.
+    System.setProperty("google.registry.jetty", "true");
     RegistryPipelineOptions registryOptions = options.as(RegistryPipelineOptions.class);
     RegistryEnvironment environment = registryOptions.getRegistryEnvironment();
     if (environment == null || environment.equals(RegistryEnvironment.UNITTEST)) {

core/src/main/java/google/registry/beam/rde/RdePipeline.java

@@ -58,7 +58,7 @@ import google.registry.model.host.Host;
 import google.registry.model.host.HostHistory;
 import google.registry.model.rde.RdeMode;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.Type;
+import google.registry.model.registrar.Registrar.Type;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;

core/src/main/java/google/registry/config/CredentialModule.java

@@ -144,7 +144,6 @@ public abstract class CredentialModule {
       Duration tokenRefreshDelay,
       Clock clock) {
     GoogleCredentials signer = credentialsBundle.getGoogleCredentials();
-
     checkArgument(
         signer instanceof ServiceAccountSigner,
         "Expecting a ServiceAccountSigner, found %s.",

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -243,7 +243,7 @@ hibernate:
   # that BEAM pipelines are not subject to the maximumPoolSize value defined
   # here. See PersistenceModule.java for more information.
   hikariMinimumIdle: 1
-  hikariMaximumPoolSize: 10
+  hikariMaximumPoolSize: 20
   hikariIdleTimeout: 300000
   # The batch size is basically the number of insertions / updates in a single
   # transaction that will be batched together into one INSERT/UPDATE statement.

core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java

@@ -50,7 +50,6 @@ import google.registry.model.domain.Domain;
 import google.registry.model.host.Host;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.model.tld.Tld;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
@@ -296,7 +295,7 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
 
       ImmutableList<InternetAddress> recipients =
           registrar.get().getContacts().stream()
-              .filter(c -> c.getTypes().contains(RegistrarPocBase.Type.ADMIN))
+              .filter(c -> c.getTypes().contains(RegistrarPoc.Type.ADMIN))
               .map(RegistrarPoc::getEmailAddress)
               .map(PublishDnsUpdatesAction::emailToInternetAddress)
               .collect(toImmutableList());

core/src/main/java/google/registry/export/SyncGroupMembersAction.java

@@ -33,7 +33,6 @@ import google.registry.groups.GroupsConnection;
 import google.registry.groups.GroupsConnection.Role;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
 import google.registry.request.Response;
@@ -101,7 +100,7 @@ public final class SyncGroupMembersAction implements Runnable {
    * Returns the Google Groups email address for the given registrar ID and RegistrarContact.Type.
    */
   public static String getGroupEmailAddressForContactType(
-      String registrarId, RegistrarPocBase.Type type, String gSuiteDomainName) {
+      String registrarId, RegistrarPoc.Type type, String gSuiteDomainName) {
     // Take the registrar's ID, make it lowercase, and remove all characters that aren't
     // alphanumeric, hyphens, or underscores.
     return String.format(
@@ -176,7 +175,7 @@ public final class SyncGroupMembersAction implements Runnable {
       Set<RegistrarPoc> registrarPocs = registrar.getContacts();
       long totalAdded = 0;
       long totalRemoved = 0;
-      for (final RegistrarPocBase.Type type : RegistrarPocBase.Type.values()) {
+      for (final RegistrarPoc.Type type : RegistrarPoc.Type.values()) {
         groupKey =
             getGroupEmailAddressForContactType(registrar.getRegistrarId(), type, gSuiteDomainName);
         Set<String> currentMembers = groupsConnection.getMembersOfGroup(groupKey);

core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheet.java

@@ -17,13 +17,13 @@ package google.registry.export.sheet;
 import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static google.registry.model.common.Cursor.CursorType.SYNC_REGISTRAR_SHEET;
-import static google.registry.model.registrar.RegistrarPocBase.Type.ABUSE;
-import static google.registry.model.registrar.RegistrarPocBase.Type.ADMIN;
-import static google.registry.model.registrar.RegistrarPocBase.Type.BILLING;
-import static google.registry.model.registrar.RegistrarPocBase.Type.LEGAL;
-import static google.registry.model.registrar.RegistrarPocBase.Type.MARKETING;
-import static google.registry.model.registrar.RegistrarPocBase.Type.TECH;
-import static google.registry.model.registrar.RegistrarPocBase.Type.WHOIS;
+import static google.registry.model.registrar.RegistrarPoc.Type.ABUSE;
+import static google.registry.model.registrar.RegistrarPoc.Type.ADMIN;
+import static google.registry.model.registrar.RegistrarPoc.Type.BILLING;
+import static google.registry.model.registrar.RegistrarPoc.Type.LEGAL;
+import static google.registry.model.registrar.RegistrarPoc.Type.MARKETING;
+import static google.registry.model.registrar.RegistrarPoc.Type.TECH;
+import static google.registry.model.registrar.RegistrarPoc.Type.WHOIS;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 
@@ -36,7 +36,6 @@ import google.registry.model.common.Cursor;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.util.Clock;
 import google.registry.util.DateTimeUtils;
 import jakarta.inject.Inject;
@@ -174,7 +173,7 @@ class SyncRegistrarsSheet {
     return result.toString();
   }
 
-  private static Predicate<RegistrarPoc> byType(final RegistrarPocBase.Type type) {
+  private static Predicate<RegistrarPoc> byType(final RegistrarPoc.Type type) {
     return contact -> contact.getTypes().contains(type);
   }
 

core/src/main/java/google/registry/flows/domain/DomainCheckFlow.java

@@ -14,7 +14,6 @@
 
 package google.registry.flows.domain;
 
-import static com.google.common.base.Strings.emptyToNull;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableMap.toImmutableMap;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
@@ -42,6 +41,7 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Maps;
+import com.google.common.flogger.FluentLogger;
 import com.google.common.net.InternetDomainName;
 import google.registry.config.RegistryConfig;
 import google.registry.config.RegistryConfig.Config;
@@ -55,14 +55,7 @@ import google.registry.flows.annotations.ReportingSpec;
 import google.registry.flows.custom.DomainCheckFlowCustomLogic;
 import google.registry.flows.custom.DomainCheckFlowCustomLogic.BeforeResponseParameters;
 import google.registry.flows.custom.DomainCheckFlowCustomLogic.BeforeResponseReturnData;
-import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForPremiumNameException;
-import google.registry.flows.domain.token.AllocationTokenDomainCheckResults;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForCommandException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException;
 import google.registry.model.EppResource;
 import google.registry.model.ForeignKeyUtils;
 import google.registry.model.billing.BillingRecurrence;
@@ -87,7 +80,6 @@ import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldState;
 import google.registry.model.tld.label.ReservationType;
 import google.registry.persistence.VKey;
-import google.registry.pricing.PricingEngineProxy;
 import google.registry.util.Clock;
 import jakarta.inject.Inject;
 import java.util.Collection;
@@ -131,6 +123,8 @@ import org.joda.time.DateTime;
 @ReportingSpec(ActivityReportField.DOMAIN_CHECK)
 public final class DomainCheckFlow implements TransactionalFlow {
 
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
   private static final String STANDARD_FEE_RESPONSE_CLASS = "STANDARD";
   private static final String STANDARD_PROMOTION_FEE_RESPONSE_CLASS = "STANDARD PROMOTION";
 
@@ -146,7 +140,6 @@ public final class DomainCheckFlow implements TransactionalFlow {
   @Inject @Superuser boolean isSuperuser;
   @Inject Clock clock;
   @Inject EppResponse.Builder responseBuilder;
-  @Inject AllocationTokenFlowUtils allocationTokenFlowUtils;
   @Inject DomainCheckFlowCustomLogic flowCustomLogic;
   @Inject DomainPricingLogic pricingLogic;
 
@@ -195,36 +188,15 @@ public final class DomainCheckFlow implements TransactionalFlow {
         existingDomains.size() == parsedDomains.size()
             ? ImmutableSet.of()
             : getBsaBlockedDomains(parsedDomains.values(), now);
-    Optional<AllocationTokenExtension> allocationTokenExtension =
-        eppInput.getSingleExtension(AllocationTokenExtension.class);
-    Optional<AllocationTokenDomainCheckResults> tokenDomainCheckResults =
-        allocationTokenExtension.map(
-            tokenExtension ->
-                allocationTokenFlowUtils.checkDomainsWithToken(
-                    ImmutableList.copyOf(parsedDomains.values()),
-                    tokenExtension.getAllocationToken(),
-                    registrarId,
-                    now));
 
     ImmutableList.Builder<DomainCheck> checksBuilder = new ImmutableList.Builder<>();
     ImmutableSet.Builder<String> availableDomains = new ImmutableSet.Builder<>();
     ImmutableMap<String, TldState> tldStates =
         Maps.toMap(seenTlds, tld -> Tld.get(tld).getTldState(now));
-    ImmutableMap<InternetDomainName, String> domainCheckResults =
-        tokenDomainCheckResults
-            .map(AllocationTokenDomainCheckResults::domainCheckResults)
-            .orElse(ImmutableMap.of());
-    Optional<AllocationToken> allocationToken =
-        tokenDomainCheckResults.flatMap(AllocationTokenDomainCheckResults::token);
     for (String domainName : domainNames) {
       Optional<String> message =
           getMessageForCheck(
-              parsedDomains.get(domainName),
-              existingDomains,
-              bsaBlockedDomainNames,
-              domainCheckResults,
-              tldStates,
-              allocationToken);
+              domainName, existingDomains, bsaBlockedDomainNames, tldStates, parsedDomains, now);
       boolean isAvailable = message.isEmpty();
       checksBuilder.add(DomainCheck.create(isAvailable, domainName, message.orElse(null)));
       if (isAvailable) {
@@ -237,11 +209,7 @@ public final class DomainCheckFlow implements TransactionalFlow {
                 .setDomainChecks(checksBuilder.build())
                 .setResponseExtensions(
                     getResponseExtensions(
-                        parsedDomains,
-                        existingDomains,
-                        availableDomains.build(),
-                        now,
-                        allocationToken))
+                        parsedDomains, existingDomains, availableDomains.build(), now))
                 .setAsOfDate(now)
                 .build());
     return responseBuilder
@@ -251,10 +219,39 @@ public final class DomainCheckFlow implements TransactionalFlow {
   }
 
   private Optional<String> getMessageForCheck(
+      String domainName,
+      ImmutableMap<String, VKey<Domain>> existingDomains,
+      ImmutableSet<InternetDomainName> bsaBlockedDomainNames,
+      ImmutableMap<String, TldState> tldStates,
+      ImmutableMap<String, InternetDomainName> parsedDomains,
+      DateTime now) {
+    InternetDomainName idn = parsedDomains.get(domainName);
+    Optional<AllocationToken> token;
+    try {
+      // Which token we use may vary based on the domain -- a provided token may be invalid for
+      // some domains, or there may be DEFAULT PROMO tokens only applicable on some domains
+      token =
+          AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
+              registrarId,
+              now,
+              eppInput.getSingleExtension(AllocationTokenExtension.class),
+              Tld.get(idn.parent().toString()),
+              domainName,
+              FeeQueryCommandExtensionItem.CommandName.CREATE);
+    } catch (AllocationTokenFlowUtils.NonexistentAllocationTokenException
+        | AllocationTokenFlowUtils.AllocationTokenInvalidException e) {
+      // The provided token was catastrophically invalid in some way
+      logger.atInfo().withCause(e).log("Cannot load/use allocation token.");
+      return Optional.of(e.getMessage());
+    }
+    return getMessageForCheckWithToken(
+        idn, existingDomains, bsaBlockedDomainNames, tldStates, token);
+  }
+
+  private Optional<String> getMessageForCheckWithToken(
       InternetDomainName domainName,
       ImmutableMap<String, VKey<Domain>> existingDomains,
       ImmutableSet<InternetDomainName> bsaBlockedDomains,
-      ImmutableMap<InternetDomainName, String> tokenCheckResults,
       ImmutableMap<String, TldState> tldStates,
       Optional<AllocationToken> allocationToken) {
     if (existingDomains.containsKey(domainName.toString())) {
@@ -271,11 +268,6 @@ public final class DomainCheckFlow implements TransactionalFlow {
         }
       }
     }
-    Optional<String> tokenResult =
-        Optional.ofNullable(emptyToNull(tokenCheckResults.get(domainName)));
-    if (tokenResult.isPresent()) {
-      return tokenResult;
-    }
     if (isRegisterBsaCreate(domainName, allocationToken)
         || !bsaBlockedDomains.contains(domainName)) {
       return Optional.empty();
@@ -290,8 +282,7 @@ public final class DomainCheckFlow implements TransactionalFlow {
       ImmutableMap<String, InternetDomainName> domainNames,
       ImmutableMap<String, VKey<Domain>> existingDomains,
       ImmutableSet<String> availableDomains,
-      DateTime now,
-      Optional<AllocationToken> allocationToken)
+      DateTime now)
       throws EppException {
     Optional<FeeCheckCommandExtension> feeCheckOpt =
         eppInput.getSingleExtension(FeeCheckCommandExtension.class);
@@ -309,84 +300,24 @@ public final class DomainCheckFlow implements TransactionalFlow {
         RegistryConfig.getTieredPricingPromotionRegistrarIds().contains(registrarId);
     for (FeeCheckCommandExtensionItem feeCheckItem : feeCheck.getItems()) {
       for (String domainName : getDomainNamesToCheckForFee(feeCheckItem, domainNames.keySet())) {
-        Optional<AllocationToken> defaultToken =
-            DomainFlowUtils.checkForDefaultToken(
-                Tld.get(InternetDomainName.from(domainName).parent().toString()),
-                domainName,
-                feeCheckItem.getCommandName(),
-                registrarId,
-                now);
         FeeCheckResponseExtensionItem.Builder<?> builder = feeCheckItem.createResponseBuilder();
         Optional<Domain> domain = Optional.ofNullable(domainObjs.get(domainName));
+        Tld tld = Tld.get(domainNames.get(domainName).parent().toString());
+        Optional<AllocationToken> token;
         try {
-          if (allocationToken.isPresent()) {
-            AllocationTokenFlowUtils.validateToken(
-                InternetDomainName.from(domainName),
-                allocationToken.get(),
-                feeCheckItem.getCommandName(),
-                registrarId,
-                PricingEngineProxy.isDomainPremium(domainName, now),
-                now);
-          }
-          handleFeeRequest(
-              feeCheckItem,
-              builder,
-              domainNames.get(domainName),
-              domain,
-              feeCheck.getCurrency(),
-              now,
-              pricingLogic,
-              allocationToken.isPresent() ? allocationToken : defaultToken,
-              availableDomains.contains(domainName),
-              recurrences.getOrDefault(domainName, null));
-          // In the case of a registrar that is running a tiered pricing promotion, we issue two
-          // responses for the CREATE fee check command: one (the default response) with the
-          // non-promotional price, and one (an extra STANDARD PROMO response) with the actual
-          // promotional price.
-          if (defaultToken.isPresent()
-              && shouldUseTieredPricingPromotion
-              && feeCheckItem
-                  .getCommandName()
-                  .equals(FeeQueryCommandExtensionItem.CommandName.CREATE)) {
-            // First, set the promotional (real) price under the STANDARD PROMO class
-            builder
-                .setClass(STANDARD_PROMOTION_FEE_RESPONSE_CLASS)
-                .setCommand(
-                    FeeQueryCommandExtensionItem.CommandName.CUSTOM,
-                    feeCheckItem.getPhase(),
-                    feeCheckItem.getSubphase());
-
-            // Next, get the non-promotional price and set it as the standard response to the CREATE
-            // fee check command
-            FeeCheckResponseExtensionItem.Builder<?> nonPromotionalBuilder =
-                feeCheckItem.createResponseBuilder();
-            handleFeeRequest(
-                feeCheckItem,
-                nonPromotionalBuilder,
-                domainNames.get(domainName),
-                domain,
-                feeCheck.getCurrency(),
-                now,
-                pricingLogic,
-                allocationToken,
-                availableDomains.contains(domainName),
-                recurrences.getOrDefault(domainName, null));
-            responseItems.add(
-                nonPromotionalBuilder
-                    .setClass(STANDARD_FEE_RESPONSE_CLASS)
-                    .setDomainNameIfSupported(domainName)
-                    .build());
-          }
-          responseItems.add(builder.setDomainNameIfSupported(domainName).build());
-        } catch (AllocationTokenInvalidForPremiumNameException
-            | AllocationTokenNotValidForCommandException
-            | AllocationTokenNotValidForDomainException
-            | AllocationTokenNotValidForRegistrarException
-            | AllocationTokenNotValidForTldException
-            | AllocationTokenNotInPromotionException e) {
-          // Allocation token is either not an active token or it is not valid for the EPP command,
-          // registrar, domain, or TLD.
-          Tld tld = Tld.get(InternetDomainName.from(domainName).parent().toString());
+          // The precise token to use for this fee request may vary based on the domain or even the
+          // precise command issued (some tokens may be valid only for certain actions)
+          token =
+              AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
+                  registrarId,
+                  now,
+                  eppInput.getSingleExtension(AllocationTokenExtension.class),
+                  tld,
+                  domainName,
+                  feeCheckItem.getCommandName());
+        } catch (AllocationTokenFlowUtils.NonexistentAllocationTokenException
+            | AllocationTokenFlowUtils.AllocationTokenInvalidException e) {
+          // The provided token was catastrophically invalid in some way
           responseItems.add(
               builder
                   .setDomainNameIfSupported(domainName)
@@ -398,7 +329,60 @@ public final class DomainCheckFlow implements TransactionalFlow {
                   .setCurrencyIfSupported(tld.getCurrency())
                   .setClass("token-not-supported")
                   .build());
+          continue;
         }
+        handleFeeRequest(
+            feeCheckItem,
+            builder,
+            domainNames.get(domainName),
+            domain,
+            feeCheck.getCurrency(),
+            now,
+            pricingLogic,
+            token,
+            availableDomains.contains(domainName),
+            recurrences.getOrDefault(domainName, null));
+        // In the case of a registrar that is running a tiered pricing promotion, we issue two
+        // responses for the CREATE fee check command: one (the default response) with the
+        // non-promotional price, and one (an extra STANDARD PROMO response) with the actual
+        // promotional price.
+        if (token
+                .map(t -> t.getTokenType().equals(AllocationToken.TokenType.DEFAULT_PROMO))
+                .orElse(false)
+            && shouldUseTieredPricingPromotion
+            && feeCheckItem
+                .getCommandName()
+                .equals(FeeQueryCommandExtensionItem.CommandName.CREATE)) {
+          // First, set the promotional (real) price under the STANDARD PROMO class
+          builder
+              .setClass(STANDARD_PROMOTION_FEE_RESPONSE_CLASS)
+              .setCommand(
+                  FeeQueryCommandExtensionItem.CommandName.CUSTOM,
+                  feeCheckItem.getPhase(),
+                  feeCheckItem.getSubphase());
+
+          // Next, get the non-promotional price and set it as the standard response to the CREATE
+          // fee check command
+          FeeCheckResponseExtensionItem.Builder<?> nonPromotionalBuilder =
+              feeCheckItem.createResponseBuilder();
+          handleFeeRequest(
+              feeCheckItem,
+              nonPromotionalBuilder,
+              domainNames.get(domainName),
+              domain,
+              feeCheck.getCurrency(),
+              now,
+              pricingLogic,
+              Optional.empty(),
+              availableDomains.contains(domainName),
+              recurrences.getOrDefault(domainName, null));
+          responseItems.add(
+              nonPromotionalBuilder
+                  .setClass(STANDARD_FEE_RESPONSE_CLASS)
+                  .setDomainNameIfSupported(domainName)
+                  .build());
+        }
+        responseItems.add(builder.setDomainNameIfSupported(domainName).build());
       }
     }
     return ImmutableList.of(feeCheck.createResponse(responseItems.build()));

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -133,11 +133,8 @@ import org.joda.time.Duration;
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException}
  * @error {@link
- *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException}
- * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException}
- * @error {@link
- *     google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException}
+ * @error {@link AllocationTokenFlowUtils.NonexistentAllocationTokenException}
  * @error {@link google.registry.flows.exceptions.OnlyToolCanPassMetadataException}
  * @error {@link ResourceAlreadyExistsForThisClientException}
  * @error {@link ResourceCreateContentionException}
@@ -205,7 +202,6 @@ import org.joda.time.Duration;
  * @error {@link DomainFlowUtils.UnexpectedClaimsNoticeException}
  * @error {@link DomainFlowUtils.UnsupportedFeeAttributeException}
  * @error {@link DomainFlowUtils.UnsupportedMarkTypeException}
- * @error {@link DomainPricingLogic.AllocationTokenInvalidForPremiumNameException}
  */
 @ReportingSpec(ActivityReportField.DOMAIN_CREATE)
 public final class DomainCreateFlow implements MutatingFlow {
@@ -221,7 +217,6 @@ public final class DomainCreateFlow implements MutatingFlow {
   @Inject @Superuser boolean isSuperuser;
   @Inject DomainHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
-  @Inject AllocationTokenFlowUtils allocationTokenFlowUtils;
   @Inject DomainCreateFlowCustomLogic flowCustomLogic;
   @Inject DomainFlowTmchUtils tmchUtils;
   @Inject DomainPricingLogic pricingLogic;
@@ -264,25 +259,20 @@ public final class DomainCreateFlow implements MutatingFlow {
     }
     boolean isSunriseCreate = hasSignedMarks && (tldState == START_DATE_SUNRISE);
     Optional<AllocationToken> allocationToken =
-        allocationTokenFlowUtils.verifyAllocationTokenCreateIfPresent(
-            command,
-            tld,
+        AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
             registrarId,
             now,
-            eppInput.getSingleExtension(AllocationTokenExtension.class));
-    boolean defaultTokenUsed = false;
-    if (allocationToken.isEmpty()) {
-      allocationToken =
-          DomainFlowUtils.checkForDefaultToken(
-              tld, command.getDomainName(), CommandName.CREATE, registrarId, now);
-      if (allocationToken.isPresent()) {
-        defaultTokenUsed = true;
-      }
-    }
+            eppInput.getSingleExtension(AllocationTokenExtension.class),
+            tld,
+            command.getDomainName(),
+            CommandName.CREATE);
+    boolean defaultTokenUsed =
+        allocationToken.map(t -> t.getTokenType().equals(TokenType.DEFAULT_PROMO)).orElse(false);
     boolean isAnchorTenant =
         isAnchorTenant(
             domainName, allocationToken, eppInput.getSingleExtension(MetadataExtension.class));
     verifyAnchorTenantValidPeriod(isAnchorTenant, years);
+
     // Superusers can create reserved domains, force creations on domains that require a claims
     // notice without specifying a claims key, ignore the registry phase, and override blocks on
     // registering premium domains.
@@ -416,7 +406,7 @@ public final class DomainCreateFlow implements MutatingFlow {
     entitiesToSave.add(domain, domainHistory);
     if (allocationToken.isPresent() && allocationToken.get().getTokenType().isOneTimeUse()) {
       entitiesToSave.add(
-          allocationTokenFlowUtils.redeemToken(
+          AllocationTokenFlowUtils.redeemToken(
               allocationToken.get(), domainHistory.getHistoryEntryId()));
     }
     if (domain.shouldPublishToDns()) {

core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java

@@ -42,7 +42,6 @@ import static google.registry.model.tld.label.ReservationType.RESERVED_FOR_ANCHO
 import static google.registry.model.tld.label.ReservationType.RESERVED_FOR_SPECIFIC_USE;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.pricing.PricingEngineProxy.isDomainPremium;
-import static google.registry.util.CollectionUtils.isNullOrEmpty;
 import static google.registry.util.CollectionUtils.nullToEmpty;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import static google.registry.util.DateTimeUtils.isAtOrAfter;
@@ -67,7 +66,6 @@ import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
 import com.google.common.net.InternetDomainName;
 import google.registry.flows.EppException;
-import google.registry.flows.EppException.AssociationProhibitsOperationException;
 import google.registry.flows.EppException.AuthorizationErrorException;
 import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.EppException.ObjectDoesNotExistException;
@@ -77,8 +75,6 @@ import google.registry.flows.EppException.ParameterValueSyntaxErrorException;
 import google.registry.flows.EppException.RequiredParameterMissingException;
 import google.registry.flows.EppException.StatusProhibitsOperationException;
 import google.registry.flows.EppException.UnimplementedOptionException;
-import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForPremiumNameException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
 import google.registry.model.EppResource;
 import google.registry.model.billing.BillingBase.Flag;
@@ -101,7 +97,6 @@ import google.registry.model.domain.fee.BaseFee.FeeType;
 import google.registry.model.domain.fee.Credit;
 import google.registry.model.domain.fee.Fee;
 import google.registry.model.domain.fee.FeeQueryCommandExtensionItem;
-import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
 import google.registry.model.domain.fee.FeeQueryResponseExtensionItem;
 import google.registry.model.domain.fee.FeeTransformCommandExtension;
 import google.registry.model.domain.fee.FeeTransformResponseExtension;
@@ -124,7 +119,7 @@ import google.registry.model.eppoutput.EppResponse.ResponseExtension;
 import google.registry.model.host.Host;
 import google.registry.model.poll.PollMessage.Autorenew;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
 import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
@@ -1233,52 +1228,6 @@ public class DomainFlowUtils {
         .getResultList();
   }
 
-  /**
-   * Checks if there is a valid default token to be used for a domain create command.
-   *
-   * <p>If there is more than one valid default token for the registration, only the first valid
-   * token found on the TLD's default token list will be returned.
-   */
-  public static Optional<AllocationToken> checkForDefaultToken(
-      Tld tld, String domainName, CommandName commandName, String registrarId, DateTime now)
-      throws EppException {
-    if (isNullOrEmpty(tld.getDefaultPromoTokens())) {
-      return Optional.empty();
-    }
-    Map<VKey<AllocationToken>, Optional<AllocationToken>> tokens =
-        AllocationToken.getAll(tld.getDefaultPromoTokens());
-    ImmutableList<Optional<AllocationToken>> tokenList =
-        tld.getDefaultPromoTokens().stream()
-            .map(tokens::get)
-            .filter(Optional::isPresent)
-            .collect(toImmutableList());
-    checkState(
-        !isNullOrEmpty(tokenList),
-        "Failure while loading default TLD promotions from the database");
-    // Check if any of the tokens are valid for this domain registration
-    for (Optional<AllocationToken> token : tokenList) {
-      try {
-        AllocationTokenFlowUtils.validateToken(
-            InternetDomainName.from(domainName),
-            token.get(),
-            commandName,
-            registrarId,
-            isDomainPremium(domainName, now),
-            now);
-      } catch (AssociationProhibitsOperationException
-          | StatusProhibitsOperationException
-          | AllocationTokenInvalidForPremiumNameException e) {
-        // Allocation token was not valid for this registration, continue to check the next token in
-        // the list
-        continue;
-      }
-      // Only use the first valid token in the list
-      return token;
-    }
-    // No valid default token found
-    return Optional.empty();
-  }
-
   /** Resource linked to this domain does not exist. */
   static class LinkedResourcesDoNotExistException extends ObjectDoesNotExistException {
     public LinkedResourcesDoNotExistException(Class<?> type, ImmutableSet<String> resourceIds) {

core/src/main/java/google/registry/flows/domain/DomainPricingLogic.java

@@ -16,14 +16,13 @@ package google.registry.flows.domain;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.flows.domain.DomainFlowUtils.zeroInCurrency;
-import static google.registry.flows.domain.token.AllocationTokenFlowUtils.validateTokenForPossiblePremiumName;
+import static google.registry.flows.domain.token.AllocationTokenFlowUtils.discountTokenInvalidForPremiumName;
 import static google.registry.pricing.PricingEngineProxy.getPricesForDomainName;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
 
 import com.google.common.net.InternetDomainName;
 import google.registry.config.RegistryConfig;
 import google.registry.flows.EppException;
-import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.custom.DomainPricingCustomLogic;
 import google.registry.flows.custom.DomainPricingCustomLogic.CreatePriceParameters;
 import google.registry.flows.custom.DomainPricingCustomLogic.RenewPriceParameters;
@@ -129,9 +128,7 @@ public final class DomainPricingLogic {
       DateTime dateTime,
       int years,
       @Nullable BillingRecurrence billingRecurrence,
-      Optional<AllocationToken> allocationToken)
-      throws AllocationTokenInvalidForCurrencyException,
-          AllocationTokenInvalidForPremiumNameException {
+      Optional<AllocationToken> allocationToken) {
     checkArgument(years > 0, "Number of years must be positive");
     Money renewCost;
     DomainPrices domainPrices = getPricesForDomainName(domainName, dateTime);
@@ -260,8 +257,7 @@ public final class DomainPricingLogic {
 
   /** Returns the domain create cost with allocation-token-related discounts applied. */
   private Money getDomainCreateCostWithDiscount(
-      DomainPrices domainPrices, int years, Optional<AllocationToken> allocationToken, Tld tld)
-      throws EppException {
+      DomainPrices domainPrices, int years, Optional<AllocationToken> allocationToken, Tld tld) {
     return getDomainCostWithDiscount(
         domainPrices.isPremium(),
         years,
@@ -277,9 +273,7 @@ public final class DomainPricingLogic {
       DomainPrices domainPrices,
       DateTime dateTime,
       int years,
-      Optional<AllocationToken> allocationToken)
-      throws AllocationTokenInvalidForCurrencyException,
-          AllocationTokenInvalidForPremiumNameException {
+      Optional<AllocationToken> allocationToken) {
     // Short-circuit if the user sent an anchor-tenant or otherwise NONPREMIUM-renewal token
     if (allocationToken.isPresent()) {
       AllocationToken token = allocationToken.get();
@@ -315,44 +309,41 @@ public final class DomainPricingLogic {
       Optional<AllocationToken> allocationToken,
       Money firstYearCost,
       Optional<Money> subsequentYearCost,
-      Tld tld)
-      throws AllocationTokenInvalidForCurrencyException,
-          AllocationTokenInvalidForPremiumNameException {
+      Tld tld) {
     checkArgument(years > 0, "Registration years to get cost for must be positive.");
-    validateTokenForPossiblePremiumName(allocationToken, isPremium);
     Money totalDomainFlowCost =
         firstYearCost.plus(subsequentYearCost.orElse(firstYearCost).multipliedBy(years - 1));
+    if (allocationToken.isEmpty()) {
+      return totalDomainFlowCost;
+    }
+    AllocationToken token = allocationToken.get();
+    if (discountTokenInvalidForPremiumName(token, isPremium)) {
+      return totalDomainFlowCost;
+    }
+    if (!token.getTokenBehavior().equals(TokenBehavior.DEFAULT)) {
+      return totalDomainFlowCost;
+    }
 
     // Apply the allocation token discount, if applicable.
-    if (allocationToken.isPresent()
-        && allocationToken.get().getTokenBehavior().equals(TokenBehavior.DEFAULT)) {
-      if (allocationToken.get().getDiscountPrice().isPresent()) {
-        if (!tld.getCurrency()
-            .equals(allocationToken.get().getDiscountPrice().get().getCurrencyUnit())) {
-          throw new AllocationTokenInvalidForCurrencyException();
-        }
-
-        int nonDiscountedYears = Math.max(0, years - allocationToken.get().getDiscountYears());
-        totalDomainFlowCost =
-            allocationToken
-                .get()
-                .getDiscountPrice()
-                .get()
-                .multipliedBy(allocationToken.get().getDiscountYears())
-                .plus(subsequentYearCost.orElse(firstYearCost).multipliedBy(nonDiscountedYears));
-      } else {
-        // Assumes token has discount fraction set.
-        int discountedYears = Math.min(years, allocationToken.get().getDiscountYears());
+    if (token.getDiscountPrice().isPresent()
+        && tld.getCurrency().equals(token.getDiscountPrice().get().getCurrencyUnit())) {
+      int nonDiscountedYears = Math.max(0, years - token.getDiscountYears());
+      totalDomainFlowCost =
+          token
+              .getDiscountPrice()
+              .get()
+              .multipliedBy(token.getDiscountYears())
+              .plus(subsequentYearCost.orElse(firstYearCost).multipliedBy(nonDiscountedYears));
+    } else if (token.getDiscountFraction() > 0) {
+      int discountedYears = Math.min(years, token.getDiscountYears());
         if (discountedYears > 0) {
-          var discount =
-              firstYearCost
-                  .plus(subsequentYearCost.orElse(firstYearCost).multipliedBy(discountedYears - 1))
-                  .multipliedBy(
-                      allocationToken.get().getDiscountFraction(), RoundingMode.HALF_EVEN);
+        var discount =
+            firstYearCost
+                .plus(subsequentYearCost.orElse(firstYearCost).multipliedBy(discountedYears - 1))
+                .multipliedBy(token.getDiscountFraction(), RoundingMode.HALF_EVEN);
           totalDomainFlowCost = totalDomainFlowCost.minus(discount);
         }
       }
-    }
     return totalDomainFlowCost;
   }
 
@@ -376,18 +367,4 @@ public final class DomainPricingLogic {
                 : domainPrices.getRenewCost();
     return DomainPrices.create(isPremium, createCost, renewCost);
   }
-
-  /** An allocation token was provided that is invalid for premium domains. */
-  public static class AllocationTokenInvalidForPremiumNameException
-      extends CommandUseErrorException {
-    public AllocationTokenInvalidForPremiumNameException() {
-      super("Token not valid for premium name");
-    }
-  }
-
-  public static class AllocationTokenInvalidForCurrencyException extends CommandUseErrorException {
-    public AllocationTokenInvalidForCurrencyException() {
-      super("Token and domain currencies do not match.");
-    }
-  }
 }

core/src/main/java/google/registry/flows/domain/DomainRenewFlow.java

@@ -31,7 +31,7 @@ import static google.registry.flows.domain.DomainFlowUtils.validateRegistrationP
 import static google.registry.flows.domain.DomainFlowUtils.verifyRegistrarIsActive;
 import static google.registry.flows.domain.DomainFlowUtils.verifyUnitIsYears;
 import static google.registry.flows.domain.token.AllocationTokenFlowUtils.maybeApplyBulkPricingRemovalToken;
-import static google.registry.flows.domain.token.AllocationTokenFlowUtils.verifyTokenAllowedOnDomain;
+import static google.registry.flows.domain.token.AllocationTokenFlowUtils.verifyBulkTokenAllowedOnDomain;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_RENEW;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.leapSafeAddYears;
@@ -124,15 +124,12 @@ import org.joda.time.Duration;
  * @error {@link RemoveBulkPricingTokenOnNonBulkPricingDomainException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException}
- * @error {@link
- *     google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException}
+ * @error {@link AllocationTokenFlowUtils.NonexistentAllocationTokenException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException}
  * @error {@link
- *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException}
- * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException}
  */
 @ReportingSpec(ActivityReportField.DOMAIN_RENEW)
@@ -154,7 +151,6 @@ public final class DomainRenewFlow implements MutatingFlow {
   @Inject @Superuser boolean isSuperuser;
   @Inject DomainHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
-  @Inject AllocationTokenFlowUtils allocationTokenFlowUtils;
   @Inject DomainRenewFlowCustomLogic flowCustomLogic;
   @Inject DomainPricingLogic pricingLogic;
   @Inject DomainRenewFlow() {}
@@ -174,22 +170,17 @@ public final class DomainRenewFlow implements MutatingFlow {
     String tldStr = existingDomain.getTld();
     Tld tld = Tld.get(tldStr);
     Optional<AllocationToken> allocationToken =
-        allocationTokenFlowUtils.verifyAllocationTokenIfPresent(
-            existingDomain,
-            tld,
+        AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
             registrarId,
             now,
-            CommandName.RENEW,
-            eppInput.getSingleExtension(AllocationTokenExtension.class));
-    boolean defaultTokenUsed = false;
-    if (allocationToken.isEmpty()) {
-      allocationToken =
-          DomainFlowUtils.checkForDefaultToken(
-              tld, existingDomain.getDomainName(), CommandName.RENEW, registrarId, now);
-      if (allocationToken.isPresent()) {
-        defaultTokenUsed = true;
-      }
-    }
+            eppInput.getSingleExtension(AllocationTokenExtension.class),
+            tld,
+            existingDomain.getDomainName(),
+            CommandName.RENEW);
+    boolean defaultTokenUsed =
+        allocationToken
+            .map(t -> t.getTokenType().equals(AllocationToken.TokenType.DEFAULT_PROMO))
+            .orElse(false);
     verifyRenewAllowed(authInfo, existingDomain, command, allocationToken);
 
     // If client passed an applicable static token this updates the domain
@@ -259,7 +250,7 @@ public final class DomainRenewFlow implements MutatingFlow {
         newDomain, domainHistory, explicitRenewEvent, newAutorenewEvent, newAutorenewPollMessage);
     if (allocationToken.isPresent() && allocationToken.get().getTokenType().isOneTimeUse()) {
       entitiesToSave.add(
-          allocationTokenFlowUtils.redeemToken(
+          AllocationTokenFlowUtils.redeemToken(
               allocationToken.get(), domainHistory.getHistoryEntryId()));
     }
     EntityChanges entityChanges =
@@ -327,7 +318,7 @@ public final class DomainRenewFlow implements MutatingFlow {
     }
     verifyUnitIsYears(command.getPeriod());
     // We only allow __REMOVE_BULK_PRICING__ token on bulk pricing domains for now
-    verifyTokenAllowedOnDomain(existingDomain, allocationToken);
+    verifyBulkTokenAllowedOnDomain(existingDomain, allocationToken);
     // If the date they specify doesn't match the expiration, fail. (This is an idempotence check).
     if (!command.getCurrentExpirationDate().equals(
         existingDomain.getRegistrationExpirationTime().toLocalDate())) {

core/src/main/java/google/registry/flows/domain/DomainTransferApproveFlow.java

@@ -54,7 +54,6 @@ import google.registry.model.billing.BillingRecurrence;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.DomainHistory;
 import google.registry.model.domain.GracePeriod;
-import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
 import google.registry.model.domain.metadata.MetadataExtension;
 import google.registry.model.domain.rgp.GracePeriodStatus;
 import google.registry.model.domain.token.AllocationTokenExtension;
@@ -94,15 +93,12 @@ import org.joda.time.DateTime;
  * @error {@link DomainFlowUtils.NotAuthorizedForTldException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException}
- * @error {@link
- *     google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException}
+ * @error {@link AllocationTokenFlowUtils.NonexistentAllocationTokenException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException}
  * @error {@link
- *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException}
- * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException}
  */
 @ReportingSpec(ActivityReportField.DOMAIN_TRANSFER_APPROVE)
@@ -116,7 +112,6 @@ public final class DomainTransferApproveFlow implements MutatingFlow {
   @Inject DomainHistory.Builder historyBuilder;
   @Inject EppResponse.Builder responseBuilder;
   @Inject DomainPricingLogic pricingLogic;
-  @Inject AllocationTokenFlowUtils allocationTokenFlowUtils;
   @Inject EppInput eppInput;
 
   @Inject DomainTransferApproveFlow() {}
@@ -132,13 +127,8 @@ public final class DomainTransferApproveFlow implements MutatingFlow {
     extensionManager.validate();
     DateTime now = tm().getTransactionTime();
     Domain existingDomain = loadAndVerifyExistence(Domain.class, targetId, now);
-    allocationTokenFlowUtils.verifyAllocationTokenIfPresent(
-        existingDomain,
-        Tld.get(existingDomain.getTld()),
-        registrarId,
-        now,
-        CommandName.TRANSFER,
-        eppInput.getSingleExtension(AllocationTokenExtension.class));
+    AllocationTokenFlowUtils.loadAllocationTokenFromExtension(
+        registrarId, targetId, now, eppInput.getSingleExtension(AllocationTokenExtension.class));
     verifyOptionalAuthInfo(authInfo, existingDomain);
     verifyHasPendingTransfer(existingDomain);
     verifyResourceOwnership(registrarId, existingDomain);

core/src/main/java/google/registry/flows/domain/DomainTransferRequestFlow.java

@@ -58,7 +58,6 @@ import google.registry.model.domain.Domain;
 import google.registry.model.domain.DomainCommand.Transfer;
 import google.registry.model.domain.DomainHistory;
 import google.registry.model.domain.Period;
-import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
 import google.registry.model.domain.fee.FeeTransferCommandExtension;
 import google.registry.model.domain.fee.FeeTransformResponseExtension;
 import google.registry.model.domain.metadata.MetadataExtension;
@@ -123,15 +122,12 @@ import org.joda.time.DateTime;
  * @error {@link DomainFlowUtils.UnsupportedFeeAttributeException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException}
- * @error {@link
- *     google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException}
+ * @error {@link AllocationTokenFlowUtils.NonexistentAllocationTokenException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException}
  * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException}
  * @error {@link
- *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException}
- * @error {@link
  *     google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException}
  */
 @ReportingSpec(ActivityReportField.DOMAIN_TRANSFER_REQUEST)
@@ -154,7 +150,6 @@ public final class DomainTransferRequestFlow implements MutatingFlow {
   @Inject AsyncTaskEnqueuer asyncTaskEnqueuer;
   @Inject EppResponse.Builder responseBuilder;
   @Inject DomainPricingLogic pricingLogic;
-  @Inject AllocationTokenFlowUtils allocationTokenFlowUtils;
 
   @Inject DomainTransferRequestFlow() {}
 
@@ -170,12 +165,10 @@ public final class DomainTransferRequestFlow implements MutatingFlow {
     extensionManager.validate();
     DateTime now = tm().getTransactionTime();
     Domain existingDomain = loadAndVerifyExistence(Domain.class, targetId, now);
-    allocationTokenFlowUtils.verifyAllocationTokenIfPresent(
-        existingDomain,
-        Tld.get(existingDomain.getTld()),
+    AllocationTokenFlowUtils.loadAllocationTokenFromExtension(
         gainingClientId,
+        targetId,
         now,
-        CommandName.TRANSFER,
         eppInput.getSingleExtension(AllocationTokenExtension.class));
     Optional<DomainTransferRequestSuperuserExtension> superuserExtension =
         eppInput.getSingleExtension(DomainTransferRequestSuperuserExtension.class);

core/src/main/java/google/registry/flows/domain/token/AllocationTokenFlowUtils.java

@@ -15,218 +15,97 @@
 package google.registry.flows.domain.token;
 
 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkState;
+import static com.google.common.collect.ImmutableList.toImmutableList;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.pricing.PricingEngineProxy.isDomainPremium;
+import static google.registry.util.CollectionUtils.isNullOrEmpty;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.Maps;
+import com.google.common.collect.ImmutableList;
 import com.google.common.net.InternetDomainName;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.AssociationProhibitsOperationException;
 import google.registry.flows.EppException.AuthorizationErrorException;
 import google.registry.flows.EppException.StatusProhibitsOperationException;
-import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForPremiumNameException;
-import google.registry.model.billing.BillingBase.RenewalPriceBehavior;
+import google.registry.model.billing.BillingBase;
 import google.registry.model.billing.BillingRecurrence;
 import google.registry.model.domain.Domain;
-import google.registry.model.domain.DomainCommand;
 import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
 import google.registry.model.domain.token.AllocationToken;
 import google.registry.model.domain.token.AllocationToken.TokenBehavior;
-import google.registry.model.domain.token.AllocationToken.TokenStatus;
 import google.registry.model.domain.token.AllocationTokenExtension;
 import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
 import google.registry.model.tld.Tld;
 import google.registry.persistence.VKey;
-import jakarta.inject.Inject;
-import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import org.joda.time.DateTime;
 
 /** Utility functions for dealing with {@link AllocationToken}s in domain flows. */
 public class AllocationTokenFlowUtils {
 
-  @Inject
-  public AllocationTokenFlowUtils() {}
-
-  /**
-   * Checks if the allocation token applies to the given domain names, used for domain checks.
-   *
-   * @return A map of domain names to domain check error response messages. If a message is present
-   *     for a a given domain then it does not validate with this allocation token; domains that do
-   *     validate have blank messages (i.e. no error).
-   */
-  public AllocationTokenDomainCheckResults checkDomainsWithToken(
-      List<InternetDomainName> domainNames, String token, String registrarId, DateTime now) {
-    // If the token is completely invalid, return the error message for all domain names
-    AllocationToken tokenEntity;
-    try {
-      tokenEntity = loadToken(token);
-    } catch (EppException e) {
-      return new AllocationTokenDomainCheckResults(
-          Optional.empty(), Maps.toMap(domainNames, ignored -> e.getMessage()));
-    }
-
-    // If the token is only invalid for some domain names (e.g. an invalid TLD), include those error
-    // results for only those domain names
-    ImmutableMap.Builder<InternetDomainName, String> resultsBuilder = new ImmutableMap.Builder<>();
-    for (InternetDomainName domainName : domainNames) {
-      try {
-        validateToken(
-            domainName,
-            tokenEntity,
-            CommandName.CREATE,
-            registrarId,
-            isDomainPremium(domainName.toString(), now),
-            now);
-        resultsBuilder.put(domainName, "");
-      } catch (EppException e) {
-        resultsBuilder.put(domainName, e.getMessage());
-      }
-    }
-    return new AllocationTokenDomainCheckResults(Optional.of(tokenEntity), resultsBuilder.build());
-  }
+  private AllocationTokenFlowUtils() {}
 
   /** Redeems a SINGLE_USE {@link AllocationToken}, returning the redeemed copy. */
-  public AllocationToken redeemToken(AllocationToken token, HistoryEntryId redemptionHistoryId) {
+  public static AllocationToken redeemToken(
+      AllocationToken token, HistoryEntryId redemptionHistoryId) {
     checkArgument(
         token.getTokenType().isOneTimeUse(), "Only SINGLE_USE tokens can be marked as redeemed");
     return token.asBuilder().setRedemptionHistoryId(redemptionHistoryId).build();
   }
 
-  /**
-   * Validates a given token. The token could be invalid if it has allowed client IDs or TLDs that
-   * do not include this client ID / TLD, or if the token has a promotion that is not currently
-   * running, or the token is not valid for a premium name when necessary.
-   *
-   * @throws EppException if the token is invalid in any way
-   */
-  public static void validateToken(
-      InternetDomainName domainName,
-      AllocationToken token,
-      CommandName commandName,
-      String registrarId,
-      boolean isPremium,
-      DateTime now)
-      throws EppException {
-
-    // Only tokens with default behavior require validation
-    if (!TokenBehavior.DEFAULT.equals(token.getTokenBehavior())) {
-      return;
-    }
-    validateTokenForPossiblePremiumName(Optional.of(token), isPremium);
-    if (!token.getAllowedEppActions().isEmpty()
-        && !token.getAllowedEppActions().contains(commandName)) {
-      throw new AllocationTokenNotValidForCommandException();
-    }
-    if (!token.getAllowedRegistrarIds().isEmpty()
-        && !token.getAllowedRegistrarIds().contains(registrarId)) {
-      throw new AllocationTokenNotValidForRegistrarException();
-    }
-    if (!token.getAllowedTlds().isEmpty()
-        && !token.getAllowedTlds().contains(domainName.parent().toString())) {
-      throw new AllocationTokenNotValidForTldException();
-    }
-    if (token.getDomainName().isPresent()
-        && !token.getDomainName().get().equals(domainName.toString())) {
-      throw new AllocationTokenNotValidForDomainException();
-    }
-    // Tokens without status transitions will just have a single-entry NOT_STARTED map, so only
-    // check the status transitions map if it's non-trivial.
-    if (token.getTokenStatusTransitions().size() > 1
-        && !TokenStatus.VALID.equals(token.getTokenStatusTransitions().getValueAtTime(now))) {
-      throw new AllocationTokenNotInPromotionException();
-    }
-  }
-
-  /** Validates that the given token is valid for a premium name if the name is premium. */
-  public static void validateTokenForPossiblePremiumName(
-      Optional<AllocationToken> token, boolean isPremium)
-      throws AllocationTokenInvalidForPremiumNameException {
-    if (token.isPresent()
-        && (token.get().getDiscountFraction() != 0.0 || token.get().getDiscountPrice().isPresent())
+  /** Don't apply discounts on premium domains if the token isn't configured that way. */
+  public static boolean discountTokenInvalidForPremiumName(
+      AllocationToken token, boolean isPremium) {
+    return (token.getDiscountFraction() != 0.0 || token.getDiscountPrice().isPresent())
         && isPremium
-        && !token.get().shouldDiscountPremiums()) {
-      throw new AllocationTokenInvalidForPremiumNameException();
-    }
+        && !token.shouldDiscountPremiums();
   }
 
-  /** Loads a given token and validates that it is not redeemed */
-  private static AllocationToken loadToken(String token) throws EppException {
-    if (Strings.isNullOrEmpty(token)) {
-      // We load the token directly from the input XML. If it's null or empty we should throw
-      // an InvalidAllocationTokenException before the database load attempt fails.
-      // See https://tools.ietf.org/html/draft-ietf-regext-allocation-token-04#section-2.1
-      throw new InvalidAllocationTokenException();
-    }
-
-    Optional<AllocationToken> maybeTokenEntity = AllocationToken.maybeGetStaticTokenInstance(token);
-    if (maybeTokenEntity.isPresent()) {
-      return maybeTokenEntity.get();
-    }
-
-    // TODO(b/368069206): `reTransact` needed by tests only.
-    maybeTokenEntity =
-        tm().reTransact(() -> tm().loadByKeyIfPresent(VKey.create(AllocationToken.class, token)));
-
-    if (maybeTokenEntity.isEmpty()) {
-      throw new InvalidAllocationTokenException();
-    }
-    if (maybeTokenEntity.get().isRedeemed()) {
-      throw new AlreadyRedeemedAllocationTokenException();
-    }
-    return maybeTokenEntity.get();
-  }
-
-  /** Verifies and returns the allocation token if one is specified, otherwise does nothing. */
-  public Optional<AllocationToken> verifyAllocationTokenCreateIfPresent(
-      DomainCommand.Create command,
-      Tld tld,
+  /** Loads and verifies the allocation token if one is specified, otherwise does nothing. */
+  public static Optional<AllocationToken> loadAllocationTokenFromExtension(
       String registrarId,
+      String domainName,
       DateTime now,
       Optional<AllocationTokenExtension> extension)
-      throws EppException {
+      throws NonexistentAllocationTokenException, AllocationTokenInvalidException {
     if (extension.isEmpty()) {
       return Optional.empty();
     }
-    AllocationToken tokenEntity = loadToken(extension.get().getAllocationToken());
-    validateToken(
-        InternetDomainName.from(command.getDomainName()),
-        tokenEntity,
-        CommandName.CREATE,
-        registrarId,
-        isDomainPremium(command.getDomainName(), now),
-        now);
-    return Optional.of(tokenEntity);
+    return Optional.of(
+        loadAndValidateToken(extension.get().getAllocationToken(), registrarId, domainName, now));
   }
 
-  /** Verifies and returns the allocation token if one is specified, otherwise does nothing. */
-  public Optional<AllocationToken> verifyAllocationTokenIfPresent(
-      Domain existingDomain,
-      Tld tld,
+  /**
+   * Loads the relevant token, if present, for the given extension + request.
+   *
+   * <p>This may be the allocation token provided in the request, if it is present and valid for the
+   * request. Otherwise, it may be a default allocation token if one is present and valid for the
+   * request.
+   */
+  public static Optional<AllocationToken> loadTokenFromExtensionOrGetDefault(
       String registrarId,
       DateTime now,
-      CommandName commandName,
-      Optional<AllocationTokenExtension> extension)
-      throws EppException {
-    if (extension.isEmpty()) {
-      return Optional.empty();
+      Optional<AllocationTokenExtension> extension,
+      Tld tld,
+      String domainName,
+      CommandName commandName)
+      throws NonexistentAllocationTokenException, AllocationTokenInvalidException {
+    Optional<AllocationToken> fromExtension =
+        loadAllocationTokenFromExtension(registrarId, domainName, now, extension);
+    if (fromExtension.isPresent()
+        && tokenIsValidAgainstDomain(
+            InternetDomainName.from(domainName), fromExtension.get(), commandName, now)) {
+      return fromExtension;
     }
-    AllocationToken tokenEntity = loadToken(extension.get().getAllocationToken());
-    validateToken(
-        InternetDomainName.from(existingDomain.getDomainName()),
-        tokenEntity,
-        commandName,
-        registrarId,
-        isDomainPremium(existingDomain.getDomainName(), now),
-        now);
-    return Optional.of(tokenEntity);
+    return checkForDefaultToken(tld, domainName, commandName, registrarId, now);
   }
 
-  public static void verifyTokenAllowedOnDomain(
+  /** Verifies that the given domain can have a bulk pricing token removed from it. */
+  public static void verifyBulkTokenAllowedOnDomain(
       Domain domain, Optional<AllocationToken> allocationToken) throws EppException {
-
     boolean domainHasBulkToken = domain.getCurrentBulkToken().isPresent();
     boolean hasRemoveBulkPricingToken =
         allocationToken.isPresent()
@@ -239,6 +118,11 @@ public class AllocationTokenFlowUtils {
     }
   }
 
+  /**
+   * Removes the bulk pricing token from the provided domain, if applicable.
+   *
+   * @param allocationToken the (possibly) REMOVE_BULK_PRICING token provided by the client.
+   */
   public static Domain maybeApplyBulkPricingRemovalToken(
       Domain domain, Optional<AllocationToken> allocationToken) {
     if (allocationToken.isEmpty()
@@ -249,7 +133,7 @@ public class AllocationTokenFlowUtils {
     BillingRecurrence newBillingRecurrence =
         tm().loadByKey(domain.getAutorenewBillingEvent())
             .asBuilder()
-            .setRenewalPriceBehavior(RenewalPriceBehavior.DEFAULT)
+            .setRenewalPriceBehavior(BillingBase.RenewalPriceBehavior.DEFAULT)
             .setRenewalPrice(null)
             .build();
 
@@ -267,35 +151,139 @@ public class AllocationTokenFlowUtils {
         .build();
   }
 
+  /**
+   * Checks if the given token is valid for the given request.
+   *
+   * <p>Note that if the token is not valid, that is not a catastrophic error -- we may move on to
+   * trying a different token or skip token usage entirely.
+   */
+  @VisibleForTesting
+  static boolean tokenIsValidAgainstDomain(
+      InternetDomainName domainName, AllocationToken token, CommandName commandName, DateTime now) {
+    if (discountTokenInvalidForPremiumName(token, isDomainPremium(domainName.toString(), now))) {
+      return false;
+    }
+    if (!token.getAllowedEppActions().isEmpty()
+        && !token.getAllowedEppActions().contains(commandName)) {
+      return false;
+    }
+    if (!token.getAllowedTlds().isEmpty()
+        && !token.getAllowedTlds().contains(domainName.parent().toString())) {
+      return false;
+    }
+    return token.getDomainName().isEmpty()
+        || token.getDomainName().get().equals(domainName.toString());
+  }
+
+  /**
+   * Checks if there is a valid default token to be used for a domain create command.
+   *
+   * <p>If there is more than one valid default token for the registration, only the first valid
+   * token found on the TLD's default token list will be returned.
+   */
+  private static Optional<AllocationToken> checkForDefaultToken(
+      Tld tld, String domainName, CommandName commandName, String registrarId, DateTime now) {
+    ImmutableList<VKey<AllocationToken>> tokensFromTld = tld.getDefaultPromoTokens();
+    if (isNullOrEmpty(tokensFromTld)) {
+      return Optional.empty();
+    }
+    Map<VKey<AllocationToken>, Optional<AllocationToken>> tokens =
+        AllocationToken.getAll(tokensFromTld);
+    checkState(
+        !isNullOrEmpty(tokens), "Failure while loading default TLD tokens from the database");
+    // Iterate over the list to maintain token ordering (since we return the first valid token)
+    ImmutableList<AllocationToken> tokenList =
+        tokensFromTld.stream()
+            .map(tokens::get)
+            .filter(Optional::isPresent)
+            .map(Optional::get)
+            .collect(toImmutableList());
+
+    // Check if any of the tokens are valid for this domain registration
+    for (AllocationToken token : tokenList) {
+      try {
+        validateTokenEntity(token, registrarId, domainName, now);
+      } catch (AllocationTokenInvalidException e) {
+        // Token is not valid for this registrar, etc. -- continue trying tokens
+        continue;
+      }
+      if (tokenIsValidAgainstDomain(InternetDomainName.from(domainName), token, commandName, now)) {
+        return Optional.of(token);
+      }
+    }
+    // No valid default token found
+    return Optional.empty();
+  }
+
+  /** Loads a given token and validates it against the registrar, time, etc */
+  private static AllocationToken loadAndValidateToken(
+      String token, String registrarId, String domainName, DateTime now)
+      throws NonexistentAllocationTokenException, AllocationTokenInvalidException {
+    if (Strings.isNullOrEmpty(token)) {
+      // We load the token directly from the input XML. If it's null or empty we should throw
+      // an NonexistentAllocationTokenException before the database load attempt fails.
+      // See https://tools.ietf.org/html/draft-ietf-regext-allocation-token-04#section-2.1
+      throw new NonexistentAllocationTokenException();
+    }
+
+    Optional<AllocationToken> maybeTokenEntity = AllocationToken.maybeGetStaticTokenInstance(token);
+    if (maybeTokenEntity.isPresent()) {
+      return maybeTokenEntity.get();
+    }
+
+    maybeTokenEntity = AllocationToken.get(VKey.create(AllocationToken.class, token));
+    if (maybeTokenEntity.isEmpty()) {
+      throw new NonexistentAllocationTokenException();
+    }
+    AllocationToken tokenEntity = maybeTokenEntity.get();
+    validateTokenEntity(tokenEntity, registrarId, domainName, now);
+    return tokenEntity;
+  }
+
+  private static void validateTokenEntity(
+      AllocationToken token, String registrarId, String domainName, DateTime now)
+      throws AllocationTokenInvalidException {
+    if (token.isRedeemed()) {
+      throw new AlreadyRedeemedAllocationTokenException();
+    }
+    if (!token.getAllowedRegistrarIds().isEmpty()
+        && !token.getAllowedRegistrarIds().contains(registrarId)) {
+      throw new AllocationTokenNotValidForRegistrarException();
+    }
+    // Tokens without status transitions will just have a single-entry NOT_STARTED map, so only
+    // check the status transitions map if it's non-trivial.
+    if (token.getTokenStatusTransitions().size() > 1
+        && !AllocationToken.TokenStatus.VALID.equals(
+            token.getTokenStatusTransitions().getValueAtTime(now))) {
+      throw new AllocationTokenNotInPromotionException();
+    }
+
+    if (token.getDomainName().isPresent() && !token.getDomainName().get().equals(domainName)) {
+      throw new AllocationTokenNotValidForDomainException();
+    }
+  }
+
   // Note: exception messages should be <= 32 characters long for domain check results
 
+  /** The allocation token exists but is not valid, e.g. the wrong registrar. */
+  public abstract static class AllocationTokenInvalidException
+      extends StatusProhibitsOperationException {
+    AllocationTokenInvalidException(String message) {
+      super(message);
+    }
+  }
+
   /** The allocation token is not currently valid. */
   public static class AllocationTokenNotInPromotionException
-      extends StatusProhibitsOperationException {
+      extends AllocationTokenInvalidException {
     AllocationTokenNotInPromotionException() {
       super("Alloc token not in promo period");
     }
   }
 
-  /** The allocation token is not valid for this TLD. */
-  public static class AllocationTokenNotValidForTldException
-      extends AssociationProhibitsOperationException {
-    AllocationTokenNotValidForTldException() {
-      super("Alloc token invalid for TLD");
-    }
-  }
-
-  /** The allocation token is not valid for this domain. */
-  public static class AllocationTokenNotValidForDomainException
-      extends AssociationProhibitsOperationException {
-    AllocationTokenNotValidForDomainException() {
-      super("Alloc token invalid for domain");
-    }
-  }
-
   /** The allocation token is not valid for this registrar. */
   public static class AllocationTokenNotValidForRegistrarException
-      extends AssociationProhibitsOperationException {
+      extends AllocationTokenInvalidException {
     AllocationTokenNotValidForRegistrarException() {
       super("Alloc token invalid for client");
     }
@@ -303,23 +291,23 @@ public class AllocationTokenFlowUtils {
 
   /** The allocation token was already redeemed. */
   public static class AlreadyRedeemedAllocationTokenException
-      extends AssociationProhibitsOperationException {
+      extends AllocationTokenInvalidException {
     AlreadyRedeemedAllocationTokenException() {
       super("Alloc token was already redeemed");
     }
   }
 
-  /** The allocation token is not valid for this EPP command. */
-  public static class AllocationTokenNotValidForCommandException
-      extends AssociationProhibitsOperationException {
-    AllocationTokenNotValidForCommandException() {
-      super("Allocation token not valid for the EPP command");
+  /** The allocation token is not valid for this domain. */
+  public static class AllocationTokenNotValidForDomainException
+      extends AllocationTokenInvalidException {
+    AllocationTokenNotValidForDomainException() {
+      super("Alloc token invalid for domain");
+    }
     }
-  }
 
   /** The allocation token is invalid. */
-  public static class InvalidAllocationTokenException extends AuthorizationErrorException {
-    InvalidAllocationTokenException() {
+  public static class NonexistentAllocationTokenException extends AuthorizationErrorException {
+    NonexistentAllocationTokenException() {
       super("The allocation token is invalid");
     }
   }

core/src/main/java/google/registry/model/console/ConsoleEppActionHistory.java

@@ -1,99 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
-
-import google.registry.model.reporting.HistoryEntry;
-import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
-import google.registry.persistence.VKey;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
-import jakarta.persistence.AttributeOverride;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.Index;
-import jakarta.persistence.Table;
-
-/**
- * A persisted history object representing an EPP action via the console.
- *
- * <p>In addition to the generic history fields (time, URL, etc.) we also persist a reference to the
- * history entry so that we can refer to it if necessary.
- */
-@Access(AccessType.FIELD)
-@Entity
-@Table(
-    indexes = {
-      @Index(columnList = "historyActingUser"),
-      @Index(columnList = "repoId"),
-      @Index(columnList = "revisionId")
-    })
-public class ConsoleEppActionHistory extends ConsoleUpdateHistory {
-
-  @AttributeOverride(name = "repoId", column = @Column(nullable = false))
-  HistoryEntryId historyEntryId;
-
-  @Column(nullable = false)
-  Class<? extends HistoryEntry> historyEntryClass;
-
-  public HistoryEntryId getHistoryEntryId() {
-    return historyEntryId;
-  }
-
-  public Class<? extends HistoryEntry> getHistoryEntryClass() {
-    return historyEntryClass;
-  }
-
-  /** Creates a {@link VKey} instance for this entity. */
-  @Override
-  public VKey<ConsoleEppActionHistory> createVKey() {
-    return VKey.create(ConsoleEppActionHistory.class, getRevisionId());
-  }
-
-  @Override
-  public Builder asBuilder() {
-    return new Builder(clone(this));
-  }
-
-  /** Builder for the immutable UserUpdateHistory. */
-  public static class Builder
-      extends ConsoleUpdateHistory.Builder<ConsoleEppActionHistory, Builder> {
-
-    public Builder() {}
-
-    public Builder(ConsoleEppActionHistory instance) {
-      super(instance);
-    }
-
-    @Override
-    public ConsoleEppActionHistory build() {
-      checkArgumentNotNull(getInstance().historyEntryId, "History entry ID must be specified");
-      checkArgumentNotNull(
-          getInstance().historyEntryClass, "History entry class must be specified");
-      return super.build();
-    }
-
-    public Builder setHistoryEntryId(HistoryEntryId historyEntryId) {
-      getInstance().historyEntryId = historyEntryId;
-      return this;
-    }
-
-    public Builder setHistoryEntryClass(Class<? extends HistoryEntry> historyEntryClass) {
-      getInstance().historyEntryClass = historyEntryClass;
-      return this;
-    }
-  }
-}

core/src/main/java/google/registry/model/console/ConsoleUpdateHistory.java

@@ -1,4 +1,4 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -19,26 +19,87 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import google.registry.model.Buildable;
 import google.registry.model.ImmutableObject;
 import google.registry.model.annotations.IdAllocation;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
+import google.registry.persistence.WithVKey;
 import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
 import jakarta.persistence.EnumType;
 import jakarta.persistence.Enumerated;
 import jakarta.persistence.Id;
+import jakarta.persistence.Index;
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.ManyToOne;
-import jakarta.persistence.MappedSuperclass;
+import jakarta.persistence.Table;
+import java.util.Optional;
 import org.joda.time.DateTime;
 
-/**
- * A record of a resource that was updated through the console.
- *
- * <p>This abstract class has several subclasses that (mostly) include the modified resource itself
- * so that the entire object history is persisted to SQL.
- */
-@Access(AccessType.FIELD)
-@MappedSuperclass
-public abstract class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
+@Entity
+@WithVKey(Long.class)
+@Table(
+    indexes = {
+      @Index(columnList = "actingUser", name = "idx_console_update_history_acting_user"),
+      @Index(columnList = "type", name = "idx_console_update_history_type"),
+      @Index(columnList = "modificationTime", name = "idx_console_update_history_modification_time")
+    })
+public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
+
+  @Id @IdAllocation @Column Long revisionId;
+
+  @Column(nullable = false)
+  DateTime modificationTime;
+
+  /** The HTTP method (e.g. POST, PUT) used to make this modification. */
+  @Column(nullable = false)
+  String method;
+
+  /** The type of modification. */
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  Type type;
+
+  /** The URL of the action that was used to make the modification. */
+  @Column(nullable = false)
+  String url;
+
+  /** An optional further description of the action. */
+  String description;
+
+  /** The user that performed the modification. */
+  @JoinColumn(name = "actingUser", referencedColumnName = "emailAddress", nullable = false)
+  @ManyToOne
+  User actingUser;
+
+  public Long getRevisionId() {
+    return revisionId;
+  }
+
+  public DateTime getModificationTime() {
+    return modificationTime;
+  }
+
+  public Optional<String> getDescription() {
+    return Optional.ofNullable(description);
+  }
+
+  public String getMethod() {
+    return method;
+  }
+
+  public Type getType() {
+    return type;
+  }
+
+  public String getUrl() {
+    return url;
+  }
+
+  public User getActingUser() {
+    return actingUser;
+  }
+
+  @Override
+  public Builder asBuilder() {
+    return new Builder(clone(this));
+  }
 
   public enum Type {
     DOMAIN_DELETE,
@@ -53,118 +114,51 @@ public abstract class ConsoleUpdateHistory extends ImmutableObject implements Bu
     USER_UPDATE
   }
 
-  /** Autogenerated ID of this event. */
-  @Id
-  @IdAllocation
-  @Column(nullable = false, name = "historyRevisionId")
-  protected Long revisionId;
+  public static class Builder extends Buildable.Builder<ConsoleUpdateHistory> {
+    public Builder() {}
 
-  /** The user that performed the modification. */
-  @JoinColumn(name = "historyActingUser", referencedColumnName = "emailAddress", nullable = false)
-  @ManyToOne
-  User actingUser;
-
-  /** The URL of the action that was used to make the modification. */
-  @Column(nullable = false, name = "historyUrl")
-  String url;
-
-  /** The HTTP method (e.g. POST, PUT) used to make this modification. */
-  @Column(nullable = false, name = "historyMethod")
-  String method;
-
-  /** The raw body of the request that was used to make this modification. */
-  @Column(name = "historyRequestBody")
-  String requestBody;
-
-  /** The time at which the modification was mode. */
-  @Column(nullable = false, name = "historyModificationTime")
-  DateTime modificationTime;
-
-  /** The type of modification. */
-  @Column(nullable = false, name = "historyType")
-  @Enumerated(EnumType.STRING)
-  Type type;
-
-  public long getRevisionId() {
-    return revisionId;
-  }
-
-  public User getActingUser() {
-    return actingUser;
-  }
-
-  public String getUrl() {
-    return url;
-  }
-
-  public String getMethod() {
-    return method;
-  }
-
-  public String getRequestBody() {
-    return requestBody;
-  }
-
-  public DateTime getModificationTime() {
-    return modificationTime;
-  }
-
-  public Type getType() {
-    return type;
-  }
-
-  @Override
-  public abstract Builder<? extends ConsoleUpdateHistory, ?> asBuilder();
-
-  /** Builder for the immutable ConsoleUpdateHistory. */
-  public abstract static class Builder<
-          T extends ConsoleUpdateHistory, B extends ConsoleUpdateHistory.Builder<?, ?>>
-      extends GenericBuilder<T, B> {
-
-    protected Builder() {}
-
-    protected Builder(T instance) {
+    private Builder(ConsoleUpdateHistory instance) {
       super(instance);
     }
 
     @Override
-    public T build() {
+    public ConsoleUpdateHistory build() {
+      checkArgumentNotNull(getInstance().modificationTime, "Modification time must be specified");
       checkArgumentNotNull(getInstance().actingUser, "Acting user must be specified");
       checkArgumentNotNull(getInstance().url, "URL must be specified");
       checkArgumentNotNull(getInstance().method, "HTTP method must be specified");
-      checkArgumentNotNull(getInstance().modificationTime, "modificationTime must be specified");
-      checkArgumentNotNull(getInstance().type, "Console History type must be specified");
+      checkArgumentNotNull(getInstance().type, "ConsoleUpdateHistory type must be specified");
       return super.build();
     }
 
-    public B setActingUser(User actingUser) {
-      getInstance().actingUser = actingUser;
-      return thisCastToDerived();
-    }
-
-    public B setUrl(String url) {
-      getInstance().url = url;
-      return thisCastToDerived();
-    }
-
-    public B setMethod(String method) {
-      getInstance().method = method;
-      return thisCastToDerived();
-    }
-
-    public B setRequestBody(String requestBody) {
-      getInstance().requestBody = requestBody;
-      return thisCastToDerived();
-    }
-
-    public B setModificationTime(DateTime modificationTime) {
+    public Builder setModificationTime(DateTime modificationTime) {
       getInstance().modificationTime = modificationTime;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setType(Type type) {
+    public Builder setActingUser(User actingUser) {
+      getInstance().actingUser = actingUser;
+      return this;
+    }
+
+    public Builder setUrl(String url) {
+      getInstance().url = url;
+      return this;
+    }
+
+    public Builder setMethod(String method) {
+      getInstance().method = method;
+      return this;
+    }
+
+    public Builder setDescription(String description) {
+      getInstance().description = description;
+      return this;
+    }
+
+    public Builder setType(Type type) {
       getInstance().type = type;
-      return thisCastToDerived();
+      return this;
     }
   }
 }

core/src/main/java/google/registry/model/console/RegistrarPocUpdateHistory.java

@@ -1,99 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
-
-import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
-import google.registry.persistence.VKey;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.Index;
-import jakarta.persistence.PostLoad;
-import jakarta.persistence.Table;
-
-/**
- * A persisted history object representing an update to a RegistrarPoc.
- *
- * <p>In addition to the generic history fields (time, URL, etc.) we also persist a copy of the
- * modified RegistrarPoc object at this point in time.
- */
-@Access(AccessType.FIELD)
-@Entity
-@Table(
-    indexes = {
-      @Index(columnList = "historyActingUser"),
-      @Index(columnList = "emailAddress"),
-      @Index(columnList = "registrarId")
-    })
-public class RegistrarPocUpdateHistory extends ConsoleUpdateHistory {
-
-  RegistrarPocBase registrarPoc;
-
-  // These fields exist so that they can be populated in the SQL table
-  @Column(nullable = false)
-  String emailAddress;
-
-  @Column(nullable = false)
-  String registrarId;
-
-  public RegistrarPocBase getRegistrarPoc() {
-    return registrarPoc;
-  }
-
-  @PostLoad
-  void postLoad() {
-    registrarPoc.setEmailAddress(emailAddress);
-    registrarPoc.setRegistrarId(registrarId);
-  }
-
-  /** Creates a {@link VKey} instance for this entity. */
-  @Override
-  public VKey<RegistrarPocUpdateHistory> createVKey() {
-    return VKey.create(RegistrarPocUpdateHistory.class, getRevisionId());
-  }
-
-  @Override
-  public Builder asBuilder() {
-    return new Builder(clone(this));
-  }
-
-  /** Builder for the immutable UserUpdateHistory. */
-  public static class Builder
-      extends ConsoleUpdateHistory.Builder<RegistrarPocUpdateHistory, Builder> {
-
-    public Builder() {}
-
-    public Builder(RegistrarPocUpdateHistory instance) {
-      super(instance);
-    }
-
-    @Override
-    public RegistrarPocUpdateHistory build() {
-      checkArgumentNotNull(getInstance().registrarPoc, "Registrar POC must be specified");
-      return super.build();
-    }
-
-    public Builder setRegistrarPoc(RegistrarPoc registrarPoc) {
-      getInstance().registrarPoc = registrarPoc;
-      getInstance().registrarId = registrarPoc.getRegistrarId();
-      getInstance().emailAddress = registrarPoc.getEmailAddress();
-      return this;
-    }
-  }
-}

core/src/main/java/google/registry/model/console/RegistrarUpdateHistory.java

@@ -1,89 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
-
-import google.registry.model.registrar.RegistrarBase;
-import google.registry.persistence.VKey;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.Index;
-import jakarta.persistence.PostLoad;
-import jakarta.persistence.Table;
-
-/**
- * A persisted history object representing an update to a Registrar.
- *
- * <p>In addition to the generic history fields (time, URL, etc.) we also persist a copy of the
- * modified Registrar object at this point in time.
- */
-@Access(AccessType.FIELD)
-@Entity
-@Table(indexes = {@Index(columnList = "historyActingUser"), @Index(columnList = "registrarId")})
-public class RegistrarUpdateHistory extends ConsoleUpdateHistory {
-
-  RegistrarBase registrar;
-
-  // This field exists so that it exists in the SQL table
-  @Column(nullable = false)
-  @SuppressWarnings("unused")
-  private String registrarId;
-
-  public RegistrarBase getRegistrar() {
-    return registrar;
-  }
-
-  @PostLoad
-  void postLoad() {
-    registrar.setRegistrarId(registrarId);
-  }
-
-  /** Creates a {@link VKey} instance for this entity. */
-  @Override
-  public VKey<RegistrarUpdateHistory> createVKey() {
-    return VKey.create(RegistrarUpdateHistory.class, getRevisionId());
-  }
-
-  @Override
-  public Builder asBuilder() {
-    return new RegistrarUpdateHistory.Builder(clone(this));
-  }
-
-  /** Builder for the immutable UserUpdateHistory. */
-  public static class Builder
-      extends ConsoleUpdateHistory.Builder<RegistrarUpdateHistory, Builder> {
-
-    public Builder() {}
-
-    public Builder(RegistrarUpdateHistory instance) {
-      super(instance);
-    }
-
-    @Override
-    public RegistrarUpdateHistory build() {
-      checkArgumentNotNull(getInstance().registrar, "Registrar must be specified");
-      return super.build();
-    }
-
-    public Builder setRegistrar(RegistrarBase registrar) {
-      getInstance().registrar = registrar;
-      getInstance().registrarId = registrar.getRegistrarId();
-      return this;
-    }
-  }
-}

core/src/main/java/google/registry/model/console/SimpleConsoleUpdateHistory.java

@@ -1,153 +0,0 @@
-// Copyright 2025 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
-
-import google.registry.model.Buildable;
-import google.registry.model.ImmutableObject;
-import google.registry.model.annotations.IdAllocation;
-import google.registry.persistence.WithVKey;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.EnumType;
-import jakarta.persistence.Enumerated;
-import jakarta.persistence.Id;
-import jakarta.persistence.Index;
-import jakarta.persistence.JoinColumn;
-import jakarta.persistence.ManyToOne;
-import jakarta.persistence.Table;
-import java.util.Optional;
-import org.joda.time.DateTime;
-
-@Entity
-@WithVKey(Long.class)
-@Table(
-    name = "ConsoleUpdateHistory",
-    indexes = {
-      @Index(columnList = "actingUser", name = "idx_console_update_history_acting_user"),
-      @Index(columnList = "type", name = "idx_console_update_history_type"),
-      @Index(columnList = "modificationTime", name = "idx_console_update_history_modification_time")
-    })
-// TODO: rename this to ConsoleUpdateHistory when that class is removed
-public class SimpleConsoleUpdateHistory extends ImmutableObject implements Buildable {
-
-  @Id @IdAllocation @Column Long revisionId;
-
-  @Column(nullable = false)
-  DateTime modificationTime;
-
-  /** The HTTP method (e.g. POST, PUT) used to make this modification. */
-  @Column(nullable = false)
-  String method;
-
-  /** The type of modification. */
-  @Column(nullable = false)
-  @Enumerated(EnumType.STRING)
-  ConsoleUpdateHistory.Type type;
-
-  /** The URL of the action that was used to make the modification. */
-  @Column(nullable = false)
-  String url;
-
-  /** An optional further description of the action. */
-  String description;
-
-  /** The user that performed the modification. */
-  @JoinColumn(name = "actingUser", referencedColumnName = "emailAddress", nullable = false)
-  @ManyToOne
-  User actingUser;
-
-  public Long getRevisionId() {
-    return revisionId;
-  }
-
-  public DateTime getModificationTime() {
-    return modificationTime;
-  }
-
-  public Optional<String> getDescription() {
-    return Optional.ofNullable(description);
-  }
-
-  public String getMethod() {
-    return method;
-  }
-
-  public ConsoleUpdateHistory.Type getType() {
-    return type;
-  }
-
-  public String getUrl() {
-    return url;
-  }
-
-  public User getActingUser() {
-    return actingUser;
-  }
-
-  @Override
-  public Builder asBuilder() {
-    return new Builder(clone(this));
-  }
-
-  public static class Builder extends Buildable.Builder<SimpleConsoleUpdateHistory> {
-    public Builder() {}
-
-    private Builder(SimpleConsoleUpdateHistory instance) {
-      super(instance);
-    }
-
-    @Override
-    public SimpleConsoleUpdateHistory build() {
-      checkArgumentNotNull(getInstance().modificationTime, "Modification time must be specified");
-      checkArgumentNotNull(getInstance().actingUser, "Acting user must be specified");
-      checkArgumentNotNull(getInstance().url, "URL must be specified");
-      checkArgumentNotNull(getInstance().method, "HTTP method must be specified");
-      checkArgumentNotNull(getInstance().type, "ConsoleUpdateHistory type must be specified");
-      return super.build();
-    }
-
-    public Builder setModificationTime(DateTime modificationTime) {
-      getInstance().modificationTime = modificationTime;
-      return this;
-    }
-
-    public Builder setActingUser(User actingUser) {
-      getInstance().actingUser = actingUser;
-      return this;
-    }
-
-    public Builder setUrl(String url) {
-      getInstance().url = url;
-      return this;
-    }
-
-    public Builder setMethod(String method) {
-      getInstance().method = method;
-      return this;
-    }
-
-    public Builder setDescription(String description) {
-      getInstance().description = description;
-      return this;
-    }
-
-    public Builder setType(ConsoleUpdateHistory.Type type) {
-      getInstance().type = type;
-      return this;
-    }
-  }
-}

core/src/main/java/google/registry/model/console/User.java

@@ -1,4 +1,4 @@
-// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,23 +15,30 @@
 package google.registry.model.console;
 
 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Strings.isNullOrEmpty;
+import static com.google.common.io.BaseEncoding.base64;
+import static google.registry.model.registrar.Registrar.checkValidEmail;
 import static google.registry.tools.server.UpdateUserGroupAction.GROUP_UPDATE_QUEUE;
+import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
+import static google.registry.util.PasswordUtils.hashPassword;
+import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 
 import com.google.cloud.tasks.v2.Task;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableMultimap;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
+import com.google.gson.annotations.Expose;
 import google.registry.batch.CloudTasksUtils;
-import google.registry.persistence.VKey;
+import google.registry.model.Buildable;
+import google.registry.model.UpdateAutoTimestampEntity;
 import google.registry.request.Action;
 import google.registry.tools.IamClient;
 import google.registry.tools.ServiceConnection;
 import google.registry.tools.server.UpdateUserGroupAction;
-import google.registry.tools.server.UpdateUserGroupAction.Mode;
+import google.registry.util.PasswordUtils;
 import google.registry.util.RegistryEnvironment;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
+import jakarta.persistence.Column;
 import jakarta.persistence.Embeddable;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Id;
@@ -44,11 +51,33 @@ import javax.annotation.Nullable;
 @Embeddable
 @Entity
 @Table
-public class User extends UserBase {
+public class User extends UpdateAutoTimestampEntity implements Buildable {
 
   public static final String IAP_SECURED_WEB_APP_USER_ROLE = "roles/iap.httpsResourceAccessor";
+
+  private static final long serialVersionUID = 6936728603828566721L;
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
+  /** Email address of the user in question. */
+  @Id @Expose String emailAddress;
+
+  /** Optional external email address to use for registry lock confirmation emails. */
+  @Column String registryLockEmailAddress;
+
+  /** Roles (which grant permissions) associated with this user. */
+  @Expose
+  @Column(nullable = false)
+  UserRoles userRoles;
+
+  /**
+   * A hashed password that exists iff this contact is registry-lock-enabled. The hash is a base64
+   * encoded SHA256 string.
+   */
+  String registryLockPasswordHash;
+
+  /** Randomly generated hash salt. */
+  String registryLockPasswordSalt;
+
   /**
    * Grants the user permission to pass IAP.
    *
@@ -113,9 +142,13 @@ public class User extends UserBase {
       logger.atInfo().log("Removing %s from group %s", emailAddress, groupEmailAddress.get());
       if (cloudTasksUtils != null) {
         modifyGroupMembershipAsync(
-            emailAddress, groupEmailAddress.get(), cloudTasksUtils, Mode.REMOVE);
+            emailAddress,
+            groupEmailAddress.get(),
+            cloudTasksUtils,
+            UpdateUserGroupAction.Mode.REMOVE);
       } else {
-        modifyGroupMembershipSync(emailAddress, groupEmailAddress.get(), connection, Mode.REMOVE);
+        modifyGroupMembershipSync(
+            emailAddress, groupEmailAddress.get(), connection, UpdateUserGroupAction.Mode.REMOVE);
       }
     }
   }
@@ -124,7 +157,7 @@ public class User extends UserBase {
       String userEmailAddress,
       String groupEmailAddress,
       CloudTasksUtils cloudTasksUtils,
-      Mode mode) {
+      UpdateUserGroupAction.Mode mode) {
     Task task =
         cloudTasksUtils.createTask(
             UpdateUserGroupAction.class,
@@ -140,7 +173,10 @@ public class User extends UserBase {
   }
 
   private static void modifyGroupMembershipSync(
-      String userEmailAddress, String groupEmailAddress, ServiceConnection connection, Mode mode) {
+      String userEmailAddress,
+      String groupEmailAddress,
+      ServiceConnection connection,
+      UpdateUserGroupAction.Mode mode) {
     try {
       connection.sendPostRequest(
           UpdateUserGroupAction.PATH,
@@ -158,30 +194,117 @@ public class User extends UserBase {
     }
   }
 
-  @Id
-  @Override
-  @Access(AccessType.PROPERTY)
+  /**
+   * Sets the user email address.
+   *
+   * <p>This should only be used for restoring an object being loaded in a PostLoad method
+   * (effectively, when it is still under construction by Hibernate). In all other cases, the object
+   * should be regarded as immutable and changes should go through a Builder.
+   *
+   * <p>In addition to this special case use, this method must exist to satisfy Hibernate.
+   */
+  void setEmailAddress(String emailAddress) {
+    this.emailAddress = emailAddress;
+  }
+
   public String getEmailAddress() {
-    return super.getEmailAddress();
+    return emailAddress;
+  }
+
+  public Optional<String> getRegistryLockEmailAddress() {
+    return Optional.ofNullable(registryLockEmailAddress);
+  }
+
+  public UserRoles getUserRoles() {
+    return userRoles;
+  }
+
+  public boolean hasRegistryLockPassword() {
+    return !isNullOrEmpty(registryLockPasswordHash) && !isNullOrEmpty(registryLockPasswordSalt);
+  }
+
+  public boolean verifyRegistryLockPassword(String registryLockPassword) {
+    if (isNullOrEmpty(registryLockPassword)
+        || isNullOrEmpty(registryLockPasswordSalt)
+        || isNullOrEmpty(registryLockPasswordHash)) {
+      return false;
+    }
+    return PasswordUtils.verifyPassword(
+        registryLockPassword, registryLockPasswordHash, registryLockPasswordSalt);
+  }
+
+  /**
+   * Whether the user has the registry lock permission on any registrar or globally.
+   *
+   * <p>If so, they should be allowed to (re)set their registry lock password.
+   */
+  public boolean hasAnyRegistryLockPermission() {
+    if (userRoles == null) {
+      return false;
+    }
+    if (userRoles.isAdmin() || userRoles.hasGlobalPermission(ConsolePermission.REGISTRY_LOCK)) {
+      return true;
+    }
+    return userRoles.getRegistrarRoles().values().stream()
+        .anyMatch(role -> role.hasPermission(ConsolePermission.REGISTRY_LOCK));
   }
 
   @Override
-  public Builder asBuilder() {
-    return new Builder(clone(this));
-  }
-
-  @Override
-  public VKey<User> createVKey() {
-    return VKey.create(User.class, getEmailAddress());
+  public Builder<? extends User, ?> asBuilder() {
+    return new Builder<>(clone(this));
   }
 
   /** Builder for constructing immutable {@link User} objects. */
-  public static class Builder extends UserBase.Builder<User, Builder> {
+  public static class Builder<T extends User, B extends Builder<T, B>>
+      extends GenericBuilder<T, B> {
 
     public Builder() {}
 
-    public Builder(User user) {
-      super(user);
+    public Builder(T abstractUser) {
+      super(abstractUser);
+    }
+
+    @Override
+    public T build() {
+      checkArgumentNotNull(getInstance().emailAddress, "Email address cannot be null");
+      checkArgumentNotNull(getInstance().userRoles, "User roles cannot be null");
+      return super.build();
+    }
+
+    public B setEmailAddress(String emailAddress) {
+      getInstance().emailAddress = checkValidEmail(emailAddress);
+      return thisCastToDerived();
+    }
+
+    public B setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
+      getInstance().registryLockEmailAddress =
+          registryLockEmailAddress == null ? null : checkValidEmail(registryLockEmailAddress);
+      return thisCastToDerived();
+    }
+
+    public B setUserRoles(UserRoles userRoles) {
+      checkArgumentNotNull(userRoles, "User roles cannot be null");
+      getInstance().userRoles = userRoles;
+      return thisCastToDerived();
+    }
+
+    public B removeRegistryLockPassword() {
+      getInstance().registryLockPasswordHash = null;
+      getInstance().registryLockPasswordSalt = null;
+      return thisCastToDerived();
+    }
+
+    public B setRegistryLockPassword(String registryLockPassword) {
+      checkArgument(
+          getInstance().hasAnyRegistryLockPermission(), "User has no registry lock permission");
+      checkArgument(
+          !getInstance().hasRegistryLockPassword(), "User already has a password, remove it first");
+      checkArgument(
+          !isNullOrEmpty(registryLockPassword), "Registry lock password was null or empty");
+      byte[] salt = SALT_SUPPLIER.get();
+      getInstance().registryLockPasswordSalt = base64().encode(salt);
+      getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
+      return thisCastToDerived();
     }
   }
 }

core/src/main/java/google/registry/model/console/UserBase.java

@@ -1,186 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.base.Strings.isNullOrEmpty;
-import static com.google.common.io.BaseEncoding.base64;
-import static google.registry.model.registrar.Registrar.checkValidEmail;
-import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
-import static google.registry.util.PasswordUtils.hashPassword;
-import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
-
-import com.google.gson.annotations.Expose;
-import google.registry.model.Buildable;
-import google.registry.model.UpdateAutoTimestampEntity;
-import google.registry.util.PasswordUtils;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Embeddable;
-import jakarta.persistence.Id;
-import jakarta.persistence.MappedSuperclass;
-import jakarta.persistence.Transient;
-import java.util.Optional;
-import javax.annotation.Nullable;
-
-/**
- * A console user, either a registry employee or a registrar partner.
- *
- * <p>This class deliberately does not include an {@link Id} so that any foreign-keyed fields can
- * refer to the proper parent entity's ID, whether we're storing this in the DB itself or as part of
- * another entity.
- */
-@Access(AccessType.FIELD)
-@Embeddable
-@MappedSuperclass
-public class UserBase extends UpdateAutoTimestampEntity implements Buildable {
-
-  private static final long serialVersionUID = 6936728603828566721L;
-
-  /** Email address of the user in question. */
-  @Transient @Expose String emailAddress;
-
-  /** Optional external email address to use for registry lock confirmation emails. */
-  @Column String registryLockEmailAddress;
-
-  /** Roles (which grant permissions) associated with this user. */
-  @Expose
-  @Column(nullable = false)
-  UserRoles userRoles;
-
-  /**
-   * A hashed password that exists iff this contact is registry-lock-enabled. The hash is a base64
-   * encoded SHA256 string.
-   */
-  String registryLockPasswordHash;
-
-  /** Randomly generated hash salt. */
-  String registryLockPasswordSalt;
-
-  /**
-   * Sets the user email address.
-   *
-   * <p>This should only be used for restoring an object being loaded in a PostLoad method
-   * (effectively, when it is still under construction by Hibernate). In all other cases, the object
-   * should be regarded as immutable and changes should go through a Builder.
-   *
-   * <p>In addition to this special case use, this method must exist to satisfy Hibernate.
-   */
-  void setEmailAddress(String emailAddress) {
-    this.emailAddress = emailAddress;
-  }
-
-  public String getEmailAddress() {
-    return emailAddress;
-  }
-
-  public Optional<String> getRegistryLockEmailAddress() {
-    return Optional.ofNullable(registryLockEmailAddress);
-  }
-
-  public UserRoles getUserRoles() {
-    return userRoles;
-  }
-
-  public boolean hasRegistryLockPassword() {
-    return !isNullOrEmpty(registryLockPasswordHash) && !isNullOrEmpty(registryLockPasswordSalt);
-  }
-
-  public boolean verifyRegistryLockPassword(String registryLockPassword) {
-    if (isNullOrEmpty(registryLockPassword)
-        || isNullOrEmpty(registryLockPasswordSalt)
-        || isNullOrEmpty(registryLockPasswordHash)) {
-      return false;
-    }
-    return PasswordUtils.verifyPassword(
-        registryLockPassword, registryLockPasswordHash, registryLockPasswordSalt);
-  }
-
-  /**
-   * Whether the user has the registry lock permission on any registrar or globally.
-   *
-   * <p>If so, they should be allowed to (re)set their registry lock password.
-   */
-  public boolean hasAnyRegistryLockPermission() {
-    if (userRoles == null) {
-      return false;
-    }
-    if (userRoles.isAdmin() || userRoles.hasGlobalPermission(ConsolePermission.REGISTRY_LOCK)) {
-      return true;
-    }
-    return userRoles.getRegistrarRoles().values().stream()
-        .anyMatch(role -> role.hasPermission(ConsolePermission.REGISTRY_LOCK));
-  }
-
-  @Override
-  public Builder<? extends UserBase, ?> asBuilder() {
-    return new Builder<>(clone(this));
-  }
-
-  /** Builder for constructing immutable {@link UserBase} objects. */
-  public static class Builder<T extends UserBase, B extends Builder<T, B>>
-      extends GenericBuilder<T, B> {
-
-    public Builder() {}
-
-    public Builder(T abstractUser) {
-      super(abstractUser);
-    }
-
-    @Override
-    public T build() {
-      checkArgumentNotNull(getInstance().emailAddress, "Email address cannot be null");
-      checkArgumentNotNull(getInstance().userRoles, "User roles cannot be null");
-      return super.build();
-    }
-
-    public B setEmailAddress(String emailAddress) {
-      getInstance().emailAddress = checkValidEmail(emailAddress);
-      return thisCastToDerived();
-    }
-
-    public B setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
-      getInstance().registryLockEmailAddress =
-          registryLockEmailAddress == null ? null : checkValidEmail(registryLockEmailAddress);
-      return thisCastToDerived();
-    }
-
-    public B setUserRoles(UserRoles userRoles) {
-      checkArgumentNotNull(userRoles, "User roles cannot be null");
-      getInstance().userRoles = userRoles;
-      return thisCastToDerived();
-    }
-
-    public B removeRegistryLockPassword() {
-      getInstance().registryLockPasswordHash = null;
-      getInstance().registryLockPasswordSalt = null;
-      return thisCastToDerived();
-    }
-
-    public B setRegistryLockPassword(String registryLockPassword) {
-      checkArgument(
-          getInstance().hasAnyRegistryLockPermission(), "User has no registry lock permission");
-      checkArgument(
-          !getInstance().hasRegistryLockPassword(), "User already has a password, remove it first");
-      checkArgument(
-          !isNullOrEmpty(registryLockPassword), "Registry lock password was null or empty");
-      byte[] salt = SALT_SUPPLIER.get();
-      getInstance().registryLockPasswordSalt = base64().encode(salt);
-      getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
-      return thisCastToDerived();
-    }
-  }
-}

core/src/main/java/google/registry/model/console/UserUpdateHistory.java

@@ -1,85 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
-
-import google.registry.persistence.VKey;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.Index;
-import jakarta.persistence.PostLoad;
-import jakarta.persistence.Table;
-
-/**
- * A persisted history object representing an update to a User.
- *
- * <p>In addition to the generic history fields (time, URL, etc.) we also persist a copy of the
- * modified User object at this point in time.
- */
-@Access(AccessType.FIELD)
-@Entity
-@Table(indexes = {@Index(columnList = "historyActingUser"), @Index(columnList = "emailAddress")})
-public class UserUpdateHistory extends ConsoleUpdateHistory {
-
-  UserBase user;
-
-  @Column(nullable = false, name = "emailAddress")
-  String emailAddress;
-
-  public UserBase getUser() {
-    return user;
-  }
-
-  @PostLoad
-  void postLoad() {
-    user.setEmailAddress(emailAddress);
-  }
-
-  /** Creates a {@link VKey} instance for this entity. */
-  @Override
-  public VKey<UserUpdateHistory> createVKey() {
-    return VKey.create(UserUpdateHistory.class, getRevisionId());
-  }
-
-  @Override
-  public Builder asBuilder() {
-    return new Builder(clone(this));
-  }
-
-  /** Builder for the immutable UserUpdateHistory. */
-  public static class Builder extends ConsoleUpdateHistory.Builder<UserUpdateHistory, Builder> {
-
-    public Builder() {}
-
-    public Builder(UserUpdateHistory instance) {
-      super(instance);
-    }
-
-    @Override
-    public UserUpdateHistory build() {
-      checkArgumentNotNull(getInstance().user, "User must be specified");
-      return super.build();
-    }
-
-    public Builder setUser(User user) {
-      getInstance().user = user;
-      getInstance().emailAddress = user.getEmailAddress();
-      return this;
-    }
-  }
-}

core/src/main/java/google/registry/model/registrar/RegistrarPoc.java

@@ -1,4 +1,4 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+// Copyright 2024 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -14,17 +14,40 @@
 
 package google.registry.model.registrar;
 
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.base.Strings.isNullOrEmpty;
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static com.google.common.io.BaseEncoding.base64;
+import static google.registry.model.registrar.Registrar.checkValidEmail;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
+import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
+import static google.registry.util.PasswordUtils.hashPassword;
+import static java.util.stream.Collectors.joining;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.ImmutableSortedSet;
+import com.google.gson.annotations.Expose;
+import google.registry.model.Buildable.GenericBuilder;
 import google.registry.model.ImmutableObject;
-import google.registry.model.registrar.RegistrarPoc.RegistrarPocId;
+import google.registry.model.JsonMapBuilder;
+import google.registry.model.Jsonifiable;
+import google.registry.model.UnsafeSerializable;
 import google.registry.persistence.VKey;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
+import google.registry.util.PasswordUtils;
+import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
 import jakarta.persistence.Id;
 import jakarta.persistence.IdClass;
 import java.io.Serializable;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import javax.annotation.Nullable;
 
 /**
  * A contact for a Registrar. Note, equality, hashCode and comparable have been overridden to only
@@ -35,21 +58,244 @@ import java.io.Serializable;
  * set to true.
  */
 @Entity
-@IdClass(RegistrarPocId.class)
-@Access(AccessType.FIELD)
-public class RegistrarPoc extends RegistrarPocBase {
+@IdClass(RegistrarPoc.RegistrarPocId.class)
+public class RegistrarPoc extends ImmutableObject implements Jsonifiable, UnsafeSerializable {
+  /**
+   * Registrar contacts types for partner communication tracking.
+   *
+   * <p><b>Note:</b> These types only matter to the registry. They are not meant to be used for
+   * WHOIS or RDAP results.
+   */
+  public enum Type {
+    ABUSE("abuse", true),
+    ADMIN("primary", true),
+    BILLING("billing", true),
+    LEGAL("legal", true),
+    MARKETING("marketing", false),
+    TECH("technical", true),
+    WHOIS("whois-inquiry", true);
+
+    private final String displayName;
+
+    private final boolean required;
+
+    public String getDisplayName() {
+      return displayName;
+    }
+
+    public boolean isRequired() {
+      return required;
+    }
+
+    Type(String display, boolean required) {
+      displayName = display;
+      this.required = required;
+    }
+  }
+
+  /** The name of the contact. */
+  @Expose String name;
+
+  /** The contact email address of the contact. */
+  @Id @Expose String emailAddress;
+
+  @Id @Expose public String registrarId;
+
+  /** External email address of this contact used for registry lock confirmations. */
+  String registryLockEmailAddress;
+
+  /** The voice number of the contact. */
+  @Expose String phoneNumber;
+
+  /** The fax number of the contact. */
+  @Expose String faxNumber;
+
+  /**
+   * Multiple types are used to associate the registrar contact with various mailing groups. This
+   * data is internal to the registry.
+   */
+  @Enumerated(EnumType.STRING)
+  @Expose
+  Set<Type> types;
+
+  /**
+   * Whether this contact is publicly visible in WHOIS registrar query results as an Admin contact.
+   */
+  @Column(nullable = false)
+  @Expose
+  boolean visibleInWhoisAsAdmin = false;
+
+  /**
+   * Whether this contact is publicly visible in WHOIS registrar query results as a Technical
+   * contact.
+   */
+  @Column(nullable = false)
+  @Expose
+  boolean visibleInWhoisAsTech = false;
+
+  /**
+   * Whether this contact's phone number and email address is publicly visible in WHOIS domain query
+   * results as registrar abuse contact info.
+   */
+  @Column(nullable = false)
+  @Expose
+  boolean visibleInDomainWhoisAsAbuse = false;
+
+  /**
+   * Whether the contact is allowed to set their registry lock password through the registrar
+   * console. This will be set to false on contact creation and when the user sets a password.
+   */
+  @Column(nullable = false)
+  boolean allowedToSetRegistryLockPassword = false;
+
+  /**
+   * A hashed password that exists iff this contact is registry-lock-enabled. The hash is a base64
+   * encoded SHA256 string.
+   */
+  String registryLockPasswordHash;
+
+  /** Randomly generated hash salt. */
+  String registryLockPasswordSalt;
+
+  /**
+   * Helper to update the contacts associated with a Registrar. This requires querying for the
+   * existing contacts, deleting existing contacts that are not part of the given {@code contacts}
+   * set, and then saving the given {@code contacts}.
+   *
+   * <p>IMPORTANT NOTE: If you call this method then it is your responsibility to also persist the
+   * relevant Registrar entity with the {@link Registrar#contactsRequireSyncing} field set to true.
+   */
+  public static void updateContacts(
+      final Registrar registrar, final ImmutableSet<RegistrarPoc> contacts) {
+    ImmutableSet<String> emailAddressesToKeep =
+        contacts.stream().map(RegistrarPoc::getEmailAddress).collect(toImmutableSet());
+    tm().query(
+            "DELETE FROM RegistrarPoc WHERE registrarId = :registrarId AND "
+                + "emailAddress NOT IN :emailAddressesToKeep")
+        .setParameter("registrarId", registrar.getRegistrarId())
+        .setParameter("emailAddressesToKeep", emailAddressesToKeep)
+        .executeUpdate();
+
+    tm().putAll(contacts);
+  }
+
+  public String getName() {
+    return name;
+  }
 
-  @Id
-  @Access(AccessType.PROPERTY)
-  @Override
   public String getEmailAddress() {
     return emailAddress;
   }
 
-  @Id
-  @Access(AccessType.PROPERTY)
-  public String getRegistrarId() {
-    return registrarId;
+  public Optional<String> getRegistryLockEmailAddress() {
+    return Optional.ofNullable(registryLockEmailAddress);
+  }
+
+  public String getPhoneNumber() {
+    return phoneNumber;
+  }
+
+  public String getFaxNumber() {
+    return faxNumber;
+  }
+
+  public ImmutableSortedSet<Type> getTypes() {
+    return nullToEmptyImmutableSortedCopy(types);
+  }
+
+  public boolean getVisibleInWhoisAsAdmin() {
+    return visibleInWhoisAsAdmin;
+  }
+
+  public boolean getVisibleInWhoisAsTech() {
+    return visibleInWhoisAsTech;
+  }
+
+  public boolean getVisibleInDomainWhoisAsAbuse() {
+    return visibleInDomainWhoisAsAbuse;
+  }
+
+  public Builder<? extends RegistrarPoc, ?> asBuilder() {
+    return new Builder<>(clone(this));
+  }
+
+  public boolean isAllowedToSetRegistryLockPassword() {
+    return allowedToSetRegistryLockPassword;
+  }
+
+  public boolean isRegistryLockAllowed() {
+    return !isNullOrEmpty(registryLockPasswordHash) && !isNullOrEmpty(registryLockPasswordSalt);
+  }
+
+  public boolean verifyRegistryLockPassword(String registryLockPassword) {
+    if (isNullOrEmpty(registryLockPassword)
+        || isNullOrEmpty(registryLockPasswordSalt)
+        || isNullOrEmpty(registryLockPasswordHash)) {
+      return false;
+    }
+    return PasswordUtils.verifyPassword(
+        registryLockPassword, registryLockPasswordHash, registryLockPasswordSalt);
+  }
+
+  /**
+   * Returns a string representation that's human friendly.
+   *
+   * <p>The output will look something like this:
+   *
+   * <pre>{@code
+   * Some Person
+   * person@example.com
+   * Tel: +1.2125650666
+   * Types: [ADMIN, WHOIS]
+   * Visible in WHOIS as Admin contact: Yes
+   * Visible in WHOIS as Technical contact: No
+   * Registrar-Console access: Yes
+   * Login Email Address: person@registry.example
+   * }</pre>
+   */
+  public String toStringMultilinePlainText() {
+    StringBuilder result = new StringBuilder(256);
+    result.append(getName()).append('\n');
+    result.append(getEmailAddress()).append('\n');
+    if (phoneNumber != null) {
+      result.append("Tel: ").append(getPhoneNumber()).append('\n');
+    }
+    if (faxNumber != null) {
+      result.append("Fax: ").append(getFaxNumber()).append('\n');
+    }
+    result.append("Types: ").append(getTypes()).append('\n');
+    result
+        .append("Visible in registrar WHOIS query as Admin contact: ")
+        .append(getVisibleInWhoisAsAdmin() ? "Yes" : "No")
+        .append('\n');
+    result
+        .append("Visible in registrar WHOIS query as Technical contact: ")
+        .append(getVisibleInWhoisAsTech() ? "Yes" : "No")
+        .append('\n');
+    result
+        .append(
+            "Phone number and email visible in domain WHOIS query as "
+                + "Registrar Abuse contact info: ")
+        .append(getVisibleInDomainWhoisAsAbuse() ? "Yes" : "No")
+        .append('\n');
+    return result.toString();
+  }
+
+  @Override
+  public Map<String, Object> toJsonMap() {
+    return new JsonMapBuilder()
+        .put("name", name)
+        .put("emailAddress", emailAddress)
+        .put("registryLockEmailAddress", registryLockEmailAddress)
+        .put("phoneNumber", phoneNumber)
+        .put("faxNumber", faxNumber)
+        .put("types", getTypes().stream().map(Object::toString).collect(joining(",")))
+        .put("visibleInWhoisAsAdmin", visibleInWhoisAsAdmin)
+        .put("visibleInWhoisAsTech", visibleInWhoisAsTech)
+        .put("visibleInDomainWhoisAsAbuse", visibleInDomainWhoisAsAbuse)
+        .put("allowedToSetRegistryLockPassword", allowedToSetRegistryLockPassword)
+        .put("registryLockAllowed", isRegistryLockAllowed())
+        .build();
   }
 
   @Override
@@ -57,9 +303,124 @@ public class RegistrarPoc extends RegistrarPocBase {
     return VKey.create(RegistrarPoc.class, new RegistrarPocId(emailAddress, registrarId));
   }
 
-  @Override
-  public Builder asBuilder() {
-    return new Builder(clone(this));
+  /**
+   * These methods set the email address and registrar ID
+   *
+   * <p>This should only be used for restoring the fields of an object being loaded in a PostLoad
+   * method (effectively, when it is still under construction by Hibernate). In all other cases, the
+   * object should be regarded as immutable and changes should go through a Builder.
+   *
+   * <p>In addition to this special case use, this method must exist to satisfy Hibernate.
+   */
+  public void setEmailAddress(String emailAddress) {
+    this.emailAddress = emailAddress;
+  }
+
+  public void setRegistrarId(String registrarId) {
+    this.registrarId = registrarId;
+  }
+
+  /** A builder for constructing a {@link RegistrarPoc}, since it is immutable. */
+  public static class Builder<T extends RegistrarPoc, B extends Builder<T, B>>
+      extends GenericBuilder<T, B> {
+    public Builder() {}
+
+    protected Builder(T instance) {
+      super(instance);
+    }
+
+    /** Build the registrar, nullifying empty fields. */
+    @Override
+    public T build() {
+      checkNotNull(getInstance().registrarId, "Registrar ID cannot be null");
+      checkValidEmail(getInstance().emailAddress);
+      // Check allowedToSetRegistryLockPassword here because if we want to allow the user to set
+      // a registry lock password, we must also set up the correct registry lock email concurrently
+      // or beforehand.
+      if (getInstance().allowedToSetRegistryLockPassword) {
+        checkArgument(
+            !isNullOrEmpty(getInstance().registryLockEmailAddress),
+            "Registry lock email must not be null if allowing registry lock access");
+      }
+      return cloneEmptyToNull(super.build());
+    }
+
+    public B setName(String name) {
+      getInstance().name = name;
+      return thisCastToDerived();
+    }
+
+    public B setEmailAddress(String emailAddress) {
+      getInstance().emailAddress = emailAddress;
+      return thisCastToDerived();
+    }
+
+    public B setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
+      getInstance().registryLockEmailAddress = registryLockEmailAddress;
+      return thisCastToDerived();
+    }
+
+    public B setPhoneNumber(String phoneNumber) {
+      getInstance().phoneNumber = phoneNumber;
+      return thisCastToDerived();
+    }
+
+    public B setRegistrarId(String registrarId) {
+      getInstance().registrarId = registrarId;
+      return thisCastToDerived();
+    }
+
+    public B setRegistrar(Registrar registrar) {
+      getInstance().registrarId = registrar.getRegistrarId();
+      return thisCastToDerived();
+    }
+
+    public B setFaxNumber(String faxNumber) {
+      getInstance().faxNumber = faxNumber;
+      return thisCastToDerived();
+    }
+
+    public B setTypes(Iterable<Type> types) {
+      getInstance().types = ImmutableSet.copyOf(types);
+      return thisCastToDerived();
+    }
+
+    public B setVisibleInWhoisAsAdmin(boolean visible) {
+      getInstance().visibleInWhoisAsAdmin = visible;
+      return thisCastToDerived();
+    }
+
+    public B setVisibleInWhoisAsTech(boolean visible) {
+      getInstance().visibleInWhoisAsTech = visible;
+      return thisCastToDerived();
+    }
+
+    public B setVisibleInDomainWhoisAsAbuse(boolean visible) {
+      getInstance().visibleInDomainWhoisAsAbuse = visible;
+      return thisCastToDerived();
+    }
+
+    public B setAllowedToSetRegistryLockPassword(boolean allowedToSetRegistryLockPassword) {
+      if (allowedToSetRegistryLockPassword) {
+        getInstance().registryLockPasswordSalt = null;
+        getInstance().registryLockPasswordHash = null;
+      }
+      getInstance().allowedToSetRegistryLockPassword = allowedToSetRegistryLockPassword;
+      return thisCastToDerived();
+    }
+
+    public B setRegistryLockPassword(String registryLockPassword) {
+      checkArgument(
+          getInstance().allowedToSetRegistryLockPassword,
+          "Not allowed to set registry lock password for this contact");
+      checkArgument(
+          !isNullOrEmpty(registryLockPassword), "Registry lock password was null or empty");
+      byte[] salt = SALT_SUPPLIER.get();
+      getInstance().registryLockPasswordSalt = base64().encode(salt);
+      getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
+      getInstance().allowedToSetRegistryLockPassword = false;
+      return thisCastToDerived();
+    }
   }
 
   /** Class to represent the composite primary key for {@link RegistrarPoc} entity. */
@@ -90,13 +451,4 @@ public class RegistrarPoc extends RegistrarPocBase {
       return registrarId;
     }
   }
-
-  public static class Builder extends RegistrarPocBase.Builder<RegistrarPoc, Builder> {
-
-    public Builder() {}
-
-    public Builder(RegistrarPoc registrarPoc) {
-      super(registrarPoc);
-    }
-  }
 }

core/src/main/java/google/registry/model/registrar/RegistrarPocBase.java

@@ -1,425 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.registrar;
-
-import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.base.Preconditions.checkNotNull;
-import static com.google.common.base.Strings.isNullOrEmpty;
-import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static com.google.common.io.BaseEncoding.base64;
-import static google.registry.model.registrar.RegistrarBase.checkValidEmail;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
-import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
-import static google.registry.util.PasswordUtils.hashPassword;
-import static java.util.stream.Collectors.joining;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSortedSet;
-import com.google.gson.annotations.Expose;
-import google.registry.model.Buildable.GenericBuilder;
-import google.registry.model.ImmutableObject;
-import google.registry.model.JsonMapBuilder;
-import google.registry.model.Jsonifiable;
-import google.registry.model.UnsafeSerializable;
-import google.registry.util.PasswordUtils;
-import jakarta.persistence.Access;
-import jakarta.persistence.AccessType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Embeddable;
-import jakarta.persistence.EnumType;
-import jakarta.persistence.Enumerated;
-import jakarta.persistence.Id;
-import jakarta.persistence.MappedSuperclass;
-import jakarta.persistence.Transient;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
-import javax.annotation.Nullable;
-
-/**
- * A contact for a Registrar. Note, equality, hashCode and comparable have been overridden to only
- * enable key equality.
- *
- * <p>IMPORTANT NOTE: Any time that you change, update, or delete RegistrarContact entities, you
- * *MUST* also modify the persisted Registrar entity with {@link Registrar#contactsRequireSyncing}
- * set to true.
- *
- * <p>This class deliberately does not include an {@link Id} so that any foreign-keyed fields can
- * refer to the proper parent entity's ID, whether we're storing this in the DB itself or as part of
- * another entity.
- */
-@Access(AccessType.FIELD)
-@Embeddable
-@MappedSuperclass
-public class RegistrarPocBase extends ImmutableObject implements Jsonifiable, UnsafeSerializable {
-  /**
-   * Registrar contacts types for partner communication tracking.
-   *
-   * <p><b>Note:</b> These types only matter to the registry. They are not meant to be used for
-   * WHOIS or RDAP results.
-   */
-  public enum Type {
-    ABUSE("abuse", true),
-    ADMIN("primary", true),
-    BILLING("billing", true),
-    LEGAL("legal", true),
-    MARKETING("marketing", false),
-    TECH("technical", true),
-    WHOIS("whois-inquiry", true);
-
-    private final String displayName;
-
-    private final boolean required;
-
-    public String getDisplayName() {
-      return displayName;
-    }
-
-    public boolean isRequired() {
-      return required;
-    }
-
-    Type(String display, boolean required) {
-      displayName = display;
-      this.required = required;
-    }
-  }
-
-  /** The name of the contact. */
-  @Expose String name;
-
-  /** The contact email address of the contact. */
-  @Expose @Transient String emailAddress;
-
-  @Expose @Transient public String registrarId;
-
-  /** External email address of this contact used for registry lock confirmations. */
-  String registryLockEmailAddress;
-
-  /** The voice number of the contact. */
-  @Expose String phoneNumber;
-
-  /** The fax number of the contact. */
-  @Expose String faxNumber;
-
-  /**
-   * Multiple types are used to associate the registrar contact with various mailing groups. This
-   * data is internal to the registry.
-   */
-  @Enumerated(EnumType.STRING)
-  @Expose
-  Set<Type> types;
-
-  /**
-   * Whether this contact is publicly visible in WHOIS registrar query results as an Admin contact.
-   */
-  @Column(nullable = false)
-  @Expose
-  boolean visibleInWhoisAsAdmin = false;
-
-  /**
-   * Whether this contact is publicly visible in WHOIS registrar query results as a Technical
-   * contact.
-   */
-  @Column(nullable = false)
-  @Expose
-  boolean visibleInWhoisAsTech = false;
-
-  /**
-   * Whether this contact's phone number and email address is publicly visible in WHOIS domain query
-   * results as registrar abuse contact info.
-   */
-  @Column(nullable = false)
-  @Expose
-  boolean visibleInDomainWhoisAsAbuse = false;
-
-  /**
-   * Whether the contact is allowed to set their registry lock password through the registrar
-   * console. This will be set to false on contact creation and when the user sets a password.
-   */
-  @Column(nullable = false)
-  boolean allowedToSetRegistryLockPassword = false;
-
-  /**
-   * A hashed password that exists iff this contact is registry-lock-enabled. The hash is a base64
-   * encoded SHA256 string.
-   */
-  String registryLockPasswordHash;
-
-  /** Randomly generated hash salt. */
-  String registryLockPasswordSalt;
-
-  /**
-   * Helper to update the contacts associated with a Registrar. This requires querying for the
-   * existing contacts, deleting existing contacts that are not part of the given {@code contacts}
-   * set, and then saving the given {@code contacts}.
-   *
-   * <p>IMPORTANT NOTE: If you call this method then it is your responsibility to also persist the
-   * relevant Registrar entity with the {@link Registrar#contactsRequireSyncing} field set to true.
-   */
-  public static void updateContacts(
-      final Registrar registrar, final ImmutableSet<RegistrarPoc> contacts) {
-    ImmutableSet<String> emailAddressesToKeep =
-        contacts.stream().map(RegistrarPoc::getEmailAddress).collect(toImmutableSet());
-    tm().query(
-            "DELETE FROM RegistrarPoc WHERE registrarId = :registrarId AND "
-                + "emailAddress NOT IN :emailAddressesToKeep")
-        .setParameter("registrarId", registrar.getRegistrarId())
-        .setParameter("emailAddressesToKeep", emailAddressesToKeep)
-        .executeUpdate();
-
-    tm().putAll(contacts);
-  }
-
-  public String getName() {
-    return name;
-  }
-
-  public String getEmailAddress() {
-    return emailAddress;
-  }
-
-  public Optional<String> getRegistryLockEmailAddress() {
-    return Optional.ofNullable(registryLockEmailAddress);
-  }
-
-  public String getPhoneNumber() {
-    return phoneNumber;
-  }
-
-  public String getFaxNumber() {
-    return faxNumber;
-  }
-
-  public ImmutableSortedSet<Type> getTypes() {
-    return nullToEmptyImmutableSortedCopy(types);
-  }
-
-  public boolean getVisibleInWhoisAsAdmin() {
-    return visibleInWhoisAsAdmin;
-  }
-
-  public boolean getVisibleInWhoisAsTech() {
-    return visibleInWhoisAsTech;
-  }
-
-  public boolean getVisibleInDomainWhoisAsAbuse() {
-    return visibleInDomainWhoisAsAbuse;
-  }
-
-  public Builder<? extends RegistrarPocBase, ?> asBuilder() {
-    return new Builder<>(clone(this));
-  }
-
-  public boolean isAllowedToSetRegistryLockPassword() {
-    return allowedToSetRegistryLockPassword;
-  }
-
-  public boolean isRegistryLockAllowed() {
-    return !isNullOrEmpty(registryLockPasswordHash) && !isNullOrEmpty(registryLockPasswordSalt);
-  }
-
-  public boolean verifyRegistryLockPassword(String registryLockPassword) {
-    if (isNullOrEmpty(registryLockPassword)
-        || isNullOrEmpty(registryLockPasswordSalt)
-        || isNullOrEmpty(registryLockPasswordHash)) {
-      return false;
-    }
-    return PasswordUtils.verifyPassword(
-        registryLockPassword, registryLockPasswordHash, registryLockPasswordSalt);
-  }
-
-  /**
-   * Returns a string representation that's human friendly.
-   *
-   * <p>The output will look something like this:
-   *
-   * <pre>{@code
-   * Some Person
-   * person@example.com
-   * Tel: +1.2125650666
-   * Types: [ADMIN, WHOIS]
-   * Visible in WHOIS as Admin contact: Yes
-   * Visible in WHOIS as Technical contact: No
-   * Registrar-Console access: Yes
-   * Login Email Address: person@registry.example
-   * }</pre>
-   */
-  public String toStringMultilinePlainText() {
-    StringBuilder result = new StringBuilder(256);
-    result.append(getName()).append('\n');
-    result.append(getEmailAddress()).append('\n');
-    if (phoneNumber != null) {
-      result.append("Tel: ").append(getPhoneNumber()).append('\n');
-    }
-    if (faxNumber != null) {
-      result.append("Fax: ").append(getFaxNumber()).append('\n');
-    }
-    result.append("Types: ").append(getTypes()).append('\n');
-    result
-        .append("Visible in registrar WHOIS query as Admin contact: ")
-        .append(getVisibleInWhoisAsAdmin() ? "Yes" : "No")
-        .append('\n');
-    result
-        .append("Visible in registrar WHOIS query as Technical contact: ")
-        .append(getVisibleInWhoisAsTech() ? "Yes" : "No")
-        .append('\n');
-    result
-        .append(
-            "Phone number and email visible in domain WHOIS query as "
-                + "Registrar Abuse contact info: ")
-        .append(getVisibleInDomainWhoisAsAbuse() ? "Yes" : "No")
-        .append('\n');
-    return result.toString();
-  }
-
-  @Override
-  public Map<String, Object> toJsonMap() {
-    return new JsonMapBuilder()
-        .put("name", name)
-        .put("emailAddress", emailAddress)
-        .put("registryLockEmailAddress", registryLockEmailAddress)
-        .put("phoneNumber", phoneNumber)
-        .put("faxNumber", faxNumber)
-        .put("types", getTypes().stream().map(Object::toString).collect(joining(",")))
-        .put("visibleInWhoisAsAdmin", visibleInWhoisAsAdmin)
-        .put("visibleInWhoisAsTech", visibleInWhoisAsTech)
-        .put("visibleInDomainWhoisAsAbuse", visibleInDomainWhoisAsAbuse)
-        .put("allowedToSetRegistryLockPassword", allowedToSetRegistryLockPassword)
-        .put("registryLockAllowed", isRegistryLockAllowed())
-        .build();
-  }
-
-  /**
-   * These methods set the email address and registrar ID
-   *
-   * <p>This should only be used for restoring the fields of an object being loaded in a PostLoad
-   * method (effectively, when it is still under construction by Hibernate). In all other cases, the
-   * object should be regarded as immutable and changes should go through a Builder.
-   *
-   * <p>In addition to this special case use, this method must exist to satisfy Hibernate.
-   */
-  public void setEmailAddress(String emailAddress) {
-    this.emailAddress = emailAddress;
-  }
-
-  public void setRegistrarId(String registrarId) {
-    this.registrarId = registrarId;
-  }
-
-  /** A builder for constructing a {@link RegistrarPoc}, since it is immutable. */
-  public static class Builder<T extends RegistrarPocBase, B extends Builder<T, B>>
-      extends GenericBuilder<T, B> {
-    public Builder() {}
-
-    protected Builder(T instance) {
-      super(instance);
-    }
-
-    /** Build the registrar, nullifying empty fields. */
-    @Override
-    public T build() {
-      checkNotNull(getInstance().registrarId, "Registrar ID cannot be null");
-      checkValidEmail(getInstance().emailAddress);
-      // Check allowedToSetRegistryLockPassword here because if we want to allow the user to set
-      // a registry lock password, we must also set up the correct registry lock email concurrently
-      // or beforehand.
-      if (getInstance().allowedToSetRegistryLockPassword) {
-        checkArgument(
-            !isNullOrEmpty(getInstance().registryLockEmailAddress),
-            "Registry lock email must not be null if allowing registry lock access");
-      }
-      return cloneEmptyToNull(super.build());
-    }
-
-    public B setName(String name) {
-      getInstance().name = name;
-      return thisCastToDerived();
-    }
-
-    public B setEmailAddress(String emailAddress) {
-      getInstance().emailAddress = emailAddress;
-      return thisCastToDerived();
-    }
-
-    public B setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
-      getInstance().registryLockEmailAddress = registryLockEmailAddress;
-      return thisCastToDerived();
-    }
-
-    public B setPhoneNumber(String phoneNumber) {
-      getInstance().phoneNumber = phoneNumber;
-      return thisCastToDerived();
-    }
-
-    public B setRegistrarId(String registrarId) {
-      getInstance().registrarId = registrarId;
-      return thisCastToDerived();
-    }
-
-    public B setRegistrar(Registrar registrar) {
-      getInstance().registrarId = registrar.getRegistrarId();
-      return thisCastToDerived();
-    }
-
-    public B setFaxNumber(String faxNumber) {
-      getInstance().faxNumber = faxNumber;
-      return thisCastToDerived();
-    }
-
-    public B setTypes(Iterable<Type> types) {
-      getInstance().types = ImmutableSet.copyOf(types);
-      return thisCastToDerived();
-    }
-
-    public B setVisibleInWhoisAsAdmin(boolean visible) {
-      getInstance().visibleInWhoisAsAdmin = visible;
-      return thisCastToDerived();
-    }
-
-    public B setVisibleInWhoisAsTech(boolean visible) {
-      getInstance().visibleInWhoisAsTech = visible;
-      return thisCastToDerived();
-    }
-
-    public B setVisibleInDomainWhoisAsAbuse(boolean visible) {
-      getInstance().visibleInDomainWhoisAsAbuse = visible;
-      return thisCastToDerived();
-    }
-
-    public B setAllowedToSetRegistryLockPassword(boolean allowedToSetRegistryLockPassword) {
-      if (allowedToSetRegistryLockPassword) {
-        getInstance().registryLockPasswordSalt = null;
-        getInstance().registryLockPasswordHash = null;
-      }
-      getInstance().allowedToSetRegistryLockPassword = allowedToSetRegistryLockPassword;
-      return thisCastToDerived();
-    }
-
-    public B setRegistryLockPassword(String registryLockPassword) {
-      checkArgument(
-          getInstance().allowedToSetRegistryLockPassword,
-          "Not allowed to set registry lock password for this contact");
-      checkArgument(
-          !isNullOrEmpty(registryLockPassword), "Registry lock password was null or empty");
-      byte[] salt = SALT_SUPPLIER.get();
-      getInstance().registryLockPasswordSalt = base64().encode(salt);
-      getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
-      getInstance().allowedToSetRegistryLockPassword = false;
-      return thisCastToDerived();
-    }
-  }
-}

core/src/main/java/google/registry/module/RequestComponent.java

@@ -127,8 +127,8 @@ import google.registry.ui.server.console.ConsoleUsersAction;
 import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.domains.ConsoleBulkDomainAction;
 import google.registry.ui.server.console.settings.ContactAction;
+import google.registry.ui.server.console.settings.RdapRegistrarFieldsAction;
 import google.registry.ui.server.console.settings.SecurityAction;
-import google.registry.ui.server.console.settings.WhoisRegistrarFieldsAction;
 import google.registry.whois.WhoisAction;
 import google.registry.whois.WhoisHttpAction;
 import google.registry.whois.WhoisModule;
@@ -337,7 +337,7 @@ interface RequestComponent {
 
   WhoisHttpAction whoisHttpAction();
 
-  WhoisRegistrarFieldsAction whoisRegistrarFieldsAction();
+  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
 
   WipeOutContactHistoryPiiAction wipeOutContactHistoryPiiAction();
 

core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java

@@ -41,8 +41,8 @@ import google.registry.ui.server.console.ConsoleUsersAction;
 import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.domains.ConsoleBulkDomainAction;
 import google.registry.ui.server.console.settings.ContactAction;
+import google.registry.ui.server.console.settings.RdapRegistrarFieldsAction;
 import google.registry.ui.server.console.settings.SecurityAction;
-import google.registry.ui.server.console.settings.WhoisRegistrarFieldsAction;
 
 /** Dagger component with per-request lifetime for "default" App Engine module. */
 @RequestScope
@@ -92,7 +92,7 @@ public interface FrontendRequestComponent {
 
   SecurityAction securityAction();
 
-  WhoisRegistrarFieldsAction whoisRegistrarFieldsAction();
+  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
 
   @Subcomponent.Builder
   abstract class Builder implements RequestComponentBuilder<FrontendRequestComponent> {

core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java

@@ -276,10 +276,6 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
       }
       T result = work.call();
       txn.commit();
-      long duration = clock.nowUtc().getMillis() - txnInfo.transactionTime.getMillis();
-      if (duration >= 100) {
-        logger.atInfo().log("Transaction duration: %d milliseconds", duration);
-      }
       return result;
     } catch (Throwable e) {
       // Catch a Throwable here so even Errors would lead to a rollback.

core/src/main/java/google/registry/rde/RegistrarToXjcConverter.java

@@ -19,9 +19,8 @@ import static com.google.common.base.Preconditions.checkState;
 
 import com.google.common.collect.ImmutableMap;
 import google.registry.model.registrar.Registrar;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.registrar.RegistrarAddress;
-import google.registry.model.registrar.RegistrarBase;
-import google.registry.model.registrar.RegistrarBase.State;
 import google.registry.xjc.contact.XjcContactE164Type;
 import google.registry.xjc.rderegistrar.XjcRdeRegistrar;
 import google.registry.xjc.rderegistrar.XjcRdeRegistrarAddrType;
@@ -41,7 +40,7 @@ final class RegistrarToXjcConverter {
   private static final String UNKNOWN_CC = "US";
 
   /** A conversion map between internal Registrar states and external RDE states. */
-  private static final ImmutableMap<RegistrarBase.State, XjcRdeRegistrarStatusType>
+  private static final ImmutableMap<Registrar.State, XjcRdeRegistrarStatusType>
       REGISTRAR_STATUS_CONVERSIONS =
           ImmutableMap.of(
               State.ACTIVE, XjcRdeRegistrarStatusType.OK,

core/src/main/java/google/registry/reporting/icann/ActivityReportingQueryBuilder.java

@@ -85,9 +85,6 @@ public final class ActivityReportingQueryBuilder implements QueryBuilder {
     String monthlyLogsQuery =
         SqlTemplate.create(getQueryFromFile(MONTHLY_LOGS + ".sql"))
             .put("PROJECT_ID", projectId)
-            .put("APPENGINE_LOGS_DATA_SET", "appengine_logs")
-            .put("GKE_LOGS_DATA_SET", "gke_logs")
-            .put("REQUEST_TABLE", "appengine_googleapis_com_request_log_")
             .put("FIRST_DAY_OF_MONTH", logTableFormatter.print(firstDayOfMonth))
             .put("LAST_DAY_OF_MONTH", logTableFormatter.print(lastDayOfMonth))
             .build();
@@ -96,9 +93,6 @@ public final class ActivityReportingQueryBuilder implements QueryBuilder {
     String eppQuery =
         SqlTemplate.create(getQueryFromFile(EPP_METRICS + ".sql"))
             .put("PROJECT_ID", projectId)
-            .put("APPENGINE_LOGS_DATA_SET", "appengine_logs")
-            .put("GKE_LOGS_DATA_SET", "gke_logs")
-            .put("APP_LOGS_TABLE", "_var_log_app_")
             .put("FIRST_DAY_OF_MONTH", logTableFormatter.print(firstDayOfMonth))
             .put("LAST_DAY_OF_MONTH", logTableFormatter.print(lastDayOfMonth))
             .build();

core/src/main/java/google/registry/reporting/icann/TransactionsReportingQueryBuilder.java

@@ -112,9 +112,6 @@ public final class TransactionsReportingQueryBuilder implements QueryBuilder {
     String attemptedAddsQuery =
         SqlTemplate.create(getQueryFromFile(ATTEMPTED_ADDS + ".sql"))
             .put("PROJECT_ID", projectId)
-            .put("APPENGINE_LOGS_DATA_SET", "appengine_logs")
-            .put("GKE_LOGS_DATA_SET", "gke_logs")
-            .put("APP_LOGS_TABLE", "_var_log_app_")
             .put("FIRST_DAY_OF_MONTH", logTableFormatter.print(earliestReportTime))
             .put("LAST_DAY_OF_MONTH", logTableFormatter.print(latestReportTime))
             .build();

core/src/main/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java

@@ -27,7 +27,7 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.groups.GroupsConnection;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import jakarta.inject.Inject;
 import java.util.Optional;
 import javax.annotation.concurrent.Immutable;

core/src/main/java/google/registry/tools/CreateOrUpdateRegistrarCommand.java

@@ -30,7 +30,6 @@ import com.google.common.collect.ImmutableSet;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
-import google.registry.model.registrar.RegistrarBase;
 import google.registry.tools.params.KeyValueMapParameter.CurrencyUnitToStringMap;
 import google.registry.tools.params.OptionalLongParameter;
 import google.registry.tools.params.OptionalPhoneNumberParameter;
@@ -61,11 +60,11 @@ abstract class CreateOrUpdateRegistrarCommand extends MutatingCommand {
   List<String> mainParameters;
 
   @Parameter(names = "--registrar_type", description = "Type of the registrar")
-  RegistrarBase.Type registrarType;
+  Registrar.Type registrarType;
 
   @Nullable
   @Parameter(names = "--registrar_state", description = "Initial state of the registrar")
-  RegistrarBase.State registrarState;
+  Registrar.State registrarState;
 
   @Parameter(
       names = "--allowed_tlds",

core/src/main/java/google/registry/tools/CreateRegistrarCommand.java

@@ -18,7 +18,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.base.Strings.emptyToNull;
 import static com.google.common.collect.Iterables.getOnlyElement;
-import static google.registry.model.registrar.RegistrarBase.State.ACTIVE;
+import static google.registry.model.registrar.Registrar.State.ACTIVE;
 import static google.registry.tools.RegistryToolEnvironment.PRODUCTION;
 import static google.registry.tools.RegistryToolEnvironment.SANDBOX;
 import static google.registry.tools.RegistryToolEnvironment.UNITTEST;

core/src/main/java/google/registry/tools/RegistrarPocCommand.java

@@ -29,7 +29,6 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.tools.params.OptionalPhoneNumberParameter;
 import google.registry.tools.params.PathParameter;
 import google.registry.tools.params.StringListParameter;
@@ -153,7 +152,7 @@ final class RegistrarPocCommand extends MutatingCommand {
   private static final ImmutableSet<Mode> MODES_REQUIRING_CONTACT_SYNC =
       ImmutableSet.of(Mode.CREATE, Mode.UPDATE, Mode.DELETE);
 
-  @Nullable private ImmutableSet<RegistrarPocBase.Type> contactTypes;
+  @Nullable private ImmutableSet<RegistrarPoc.Type> contactTypes;
 
   @Override
   protected void init() throws Exception {
@@ -169,7 +168,7 @@ final class RegistrarPocCommand extends MutatingCommand {
     } else {
       contactTypes =
           contactTypeNames.stream()
-              .map(Enums.stringConverter(RegistrarPocBase.Type.class))
+              .map(Enums.stringConverter(RegistrarPoc.Type.class))
               .collect(toImmutableSet());
     }
     ImmutableSet<RegistrarPoc> contacts = registrar.getContacts();

core/src/main/java/google/registry/tools/server/CreateGroupsAction.java

@@ -24,7 +24,7 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.groups.GroupsConnection;
 import google.registry.groups.GroupsConnection.Role;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarPocBase;
+import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
 import google.registry.request.HttpException.BadRequestException;
@@ -65,7 +65,7 @@ public class CreateGroupsAction implements Runnable {
     if (registrar == null) {
       return;
     }
-    List<RegistrarPocBase.Type> types = asList(RegistrarPocBase.Type.values());
+    List<RegistrarPoc.Type> types = asList(RegistrarPoc.Type.values());
     // Concurrently create the groups for each RegistrarContact.Type, collecting the results from
     // each call (which are either an Exception if it failed, or absent() if it succeeded).
     List<Optional<Exception>> results =

core/src/main/java/google/registry/ui/server/RegistrarFormFields.java

@@ -29,7 +29,6 @@ import com.google.re2j.Pattern;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.ui.forms.FormException;
 import google.registry.ui.forms.FormField;
 import google.registry.ui.forms.FormFieldException;
@@ -201,10 +200,10 @@ public final class RegistrarFormFields {
   public static final FormField<String, String> CONTACT_REGISTRY_LOCK_PASSWORD_FIELD =
       FormFields.NAME.asBuilderNamed("registryLockPassword").build();
 
-  public static final FormField<String, Set<RegistrarPocBase.Type>> CONTACT_TYPES =
+  public static final FormField<String, Set<RegistrarPoc.Type>> CONTACT_TYPES =
       FormField.named("types")
           .uppercased()
-          .asEnum(RegistrarPocBase.Type.class)
+          .asEnum(RegistrarPoc.Type.class)
           .asSet(Splitter.on(',').omitEmptyStrings().trimResults())
           .build();
 

core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java

@@ -37,11 +37,10 @@ import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig;
 import google.registry.export.sheet.SyncRegistrarsSheetAction;
 import google.registry.model.console.ConsolePermission;
-import google.registry.model.console.SimpleConsoleUpdateHistory;
+import google.registry.model.console.ConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.request.HttpException;
 import google.registry.security.XsrfTokenManager;
 import google.registry.util.DiffUtils;
@@ -218,7 +217,7 @@ public abstract class ConsoleApiAction implements Runnable {
                 consoleApiParams.authResult().userIdForLogging(),
                 DiffUtils.prettyPrintDiffedMap(diffs, null)),
             contacts.stream()
-                .filter(c -> c.getTypes().contains(RegistrarPocBase.Type.ADMIN))
+                .filter(c -> c.getTypes().contains(RegistrarPoc.Type.ADMIN))
                 .map(RegistrarPoc::getEmailAddress)
                 .collect(toImmutableList()));
   }
@@ -262,7 +261,7 @@ public abstract class ConsoleApiAction implements Runnable {
     }
   }
 
-  protected void finishAndPersistConsoleUpdateHistory(SimpleConsoleUpdateHistory.Builder builder) {
+  protected void finishAndPersistConsoleUpdateHistory(ConsoleUpdateHistory.Builder builder) {
     builder.setActingUser(consoleApiParams.authResult().user().get());
     builder.setUrl(consoleApiParams.request().getRequestURI());
     builder.setMethod(consoleApiParams.request().getMethod());

core/src/main/java/google/registry/ui/server/console/ConsoleEppPasswordAction.java

@@ -28,7 +28,6 @@ import com.google.gson.annotations.Expose;
 import google.registry.flows.EppException.AuthenticationErrorException;
 import google.registry.flows.PasswordOnlyTransportCredentials;
 import google.registry.model.console.ConsoleUpdateHistory;
-import google.registry.model.console.SimpleConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
@@ -108,7 +107,7 @@ public class ConsoleEppPasswordAction extends ConsoleApiAction {
                   registrar.asBuilder().setPassword(eppRequestBody.newPassword()).build();
               tm().put(updatedRegistrar);
               finishAndPersistConsoleUpdateHistory(
-                  new SimpleConsoleUpdateHistory.Builder()
+                  new ConsoleUpdateHistory.Builder()
                       .setType(ConsoleUpdateHistory.Type.EPP_PASSWORD_UPDATE)
                       .setDescription(registrar.getRegistrarId()));
               sendExternalUpdates(

core/src/main/java/google/registry/ui/server/console/ConsoleOteAction.java

@@ -35,7 +35,6 @@ import google.registry.model.OteStats.StatType;
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase;
 import google.registry.request.Action;
 import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
@@ -140,7 +139,7 @@ public class ConsoleOteAction extends ConsoleApiAction {
                     SC_BAD_REQUEST);
                 return;
               }
-              if (!RegistrarBase.Type.OTE.equals(registrar.get().getType())) {
+              if (!Registrar.Type.OTE.equals(registrar.get().getType())) {
                 setFailedResponse(
                     String.format("Registrar with ID %s is not an OT&E registrar", registrarId),
                     SC_BAD_REQUEST);

core/src/main/java/google/registry/ui/server/console/ConsoleUpdateRegistrarAction.java

@@ -24,7 +24,6 @@ import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableSet;
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.ConsoleUpdateHistory;
-import google.registry.model.console.SimpleConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
@@ -98,11 +97,12 @@ public class ConsoleUpdateRegistrarAction extends ConsoleApiAction {
                               .map(DomainNameUtils::canonicalizeHostname)
                               .collect(Collectors.toSet()))
                       .setRegistryLockAllowed(registrarParam.isRegistryLockAllowed())
+                      .setLastPocVerificationDate(registrarParam.getLastPocVerificationDate())
                       .build();
 
               tm().put(updatedRegistrar);
               finishAndPersistConsoleUpdateHistory(
-                  new SimpleConsoleUpdateHistory.Builder()
+                  new ConsoleUpdateHistory.Builder()
                       .setType(ConsoleUpdateHistory.Type.REGISTRAR_UPDATE)
                       .setDescription(updatedRegistrar.getRegistrarId()));
               sendExternalUpdatesIfNecessary(

core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java

@@ -165,7 +165,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
     User updatedUser = updateUserRegistrarRoles(email, registrarId, null);
 
     // User has no registrars assigned
-    if (updatedUser.getUserRoles().getRegistrarRoles().size() == 0) {
+    if (updatedUser.getUserRoles().getRegistrarRoles().isEmpty()) {
       try {
         directory.users().delete(email).execute();
       } catch (IOException e) {

core/src/main/java/google/registry/ui/server/console/RegistrarsAction.java

@@ -28,11 +28,9 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.ConsoleUpdateHistory;
-import google.registry.model.console.SimpleConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
@@ -55,8 +53,8 @@ import java.util.Optional;
 public class RegistrarsAction extends ConsoleApiAction {
   private static final int PASSWORD_LENGTH = 16;
   private static final int PASSCODE_LENGTH = 5;
-  private static final ImmutableList<RegistrarBase.Type> allowedRegistrarTypes =
-      ImmutableList.of(Registrar.Type.REAL, RegistrarBase.Type.OTE);
+  private static final ImmutableList<Registrar.Type> allowedRegistrarTypes =
+      ImmutableList.of(Registrar.Type.REAL, Registrar.Type.OTE);
   private static final String SQL_TEMPLATE =
       """
             SELECT * FROM "Registrar"
@@ -174,7 +172,7 @@ public class RegistrarsAction extends ConsoleApiAction {
                   registrar.getRegistrarId());
               tm().putAll(registrar, contact);
               finishAndPersistConsoleUpdateHistory(
-                  new SimpleConsoleUpdateHistory.Builder()
+                  new ConsoleUpdateHistory.Builder()
                       .setType(ConsoleUpdateHistory.Type.REGISTRAR_CREATE)
                       .setDescription(registrar.getRegistrarId()));
             });

core/src/main/java/google/registry/ui/server/console/domains/ConsoleBulkDomainAction.java

@@ -26,7 +26,7 @@ import google.registry.flows.EppController;
 import google.registry.flows.EppRequestSource;
 import google.registry.flows.PasswordOnlyTransportCredentials;
 import google.registry.flows.StatelessRequestSessionMetadata;
-import google.registry.model.console.SimpleConsoleUpdateHistory;
+import google.registry.model.console.ConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.eppcommon.ProtocolDefinition;
 import google.registry.model.eppoutput.EppOutput;
@@ -113,7 +113,7 @@ public class ConsoleBulkDomainAction extends ConsoleApiAction {
                     .forEach(
                         e ->
                             finishAndPersistConsoleUpdateHistory(
-                                new SimpleConsoleUpdateHistory.Builder()
+                                new ConsoleUpdateHistory.Builder()
                                     .setDescription(e.getKey())
                                     .setType(actionType.getConsoleUpdateHistoryType()))));
   }

core/src/main/java/google/registry/ui/server/console/settings/ContactAction.java

@@ -32,7 +32,7 @@ import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase.Type;
+import google.registry.model.registrar.RegistrarPoc.Type;
 import google.registry.persistence.transaction.QueryComposer.Comparator;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
@@ -169,6 +169,7 @@ public class ContactAction extends ConsoleApiAction {
         throw new ContactRequirementException(t);
       }
     }
+    enforcePrimaryContactRestrictions(oldContactsByType, newContactsByType);
     ensurePhoneNumberNotRemovedForContactTypes(oldContactsByType, newContactsByType, Type.TECH);
     Optional<RegistrarPoc> domainWhoisAbuseContact =
         getDomainWhoisVisibleAbuseContact(updatedContacts);
@@ -187,6 +188,23 @@ public class ContactAction extends ConsoleApiAction {
     checkContactRegistryLockRequirements(existingContacts, updatedContacts);
   }
 
+  private static void enforcePrimaryContactRestrictions(
+      Multimap<Type, RegistrarPoc> oldContactsByType,
+      Multimap<Type, RegistrarPoc> newContactsByType) {
+    ImmutableSet<String> oldAdminEmails =
+        oldContactsByType.get(Type.ADMIN).stream()
+            .map(RegistrarPoc::getEmailAddress)
+            .collect(toImmutableSet());
+    ImmutableSet<String> newAdminEmails =
+        newContactsByType.get(Type.ADMIN).stream()
+            .map(RegistrarPoc::getEmailAddress)
+            .collect(toImmutableSet());
+    if (!newAdminEmails.containsAll(oldAdminEmails)) {
+      throw new ContactRequirementException(
+          "Cannot remove or change the email address of primary contacts");
+    }
+  }
+
   private static void checkContactRegistryLockRequirements(
       ImmutableSet<RegistrarPoc> existingContacts, ImmutableSet<RegistrarPoc> updatedContacts) {
     // Any contact(s) with new passwords must be allowed to set them

core/src/main/java/google/registry/ui/server/console/settings/RdapRegistrarFieldsAction.java

@@ -17,13 +17,11 @@ package google.registry.ui.server.console.settings;
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
-import static jakarta.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
 import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.ConsoleUpdateHistory;
-import google.registry.model.console.SimpleConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
@@ -36,7 +34,6 @@ import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAcce
 import google.registry.ui.server.console.ConsoleApiAction;
 import google.registry.ui.server.console.ConsoleApiParams;
 import jakarta.inject.Inject;
-import java.util.Objects;
 import java.util.Optional;
 
 /**
@@ -48,17 +45,17 @@ import java.util.Optional;
 @Action(
     service = GaeService.DEFAULT,
     gkeService = GkeService.CONSOLE,
-    path = WhoisRegistrarFieldsAction.PATH,
+    path = RdapRegistrarFieldsAction.PATH,
     method = {POST},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)
-public class WhoisRegistrarFieldsAction extends ConsoleApiAction {
+public class RdapRegistrarFieldsAction extends ConsoleApiAction {
 
-  static final String PATH = "/console-api/settings/whois-fields";
+  static final String PATH = "/console-api/settings/rdap-fields";
   private final AuthenticatedRegistrarAccessor registrarAccessor;
   private final Optional<Registrar> registrar;
 
   @Inject
-  public WhoisRegistrarFieldsAction(
+  public RdapRegistrarFieldsAction(
       ConsoleApiParams consoleApiParams,
       AuthenticatedRegistrarAccessor registrarAccessor,
       @Parameter("registrar") Optional<Registrar> registrar) {
@@ -72,10 +69,10 @@ public class WhoisRegistrarFieldsAction extends ConsoleApiAction {
     checkArgument(registrar.isPresent(), "'registrar' parameter is not present");
     checkPermission(
         user, registrar.get().getRegistrarId(), ConsolePermission.EDIT_REGISTRAR_DETAILS);
-    tm().transact(() -> loadAndModifyRegistrar(registrar.get(), user));
+    tm().transact(() -> loadAndModifyRegistrar(registrar.get()));
   }
 
-  private void loadAndModifyRegistrar(Registrar providedRegistrar, User user) {
+  private void loadAndModifyRegistrar(Registrar providedRegistrar) {
     Registrar savedRegistrar;
     try {
       // reload to make sure the object has all the correct fields
@@ -85,29 +82,17 @@ public class WhoisRegistrarFieldsAction extends ConsoleApiAction {
       return;
     }
 
-    // icannReferralEmail can't be updated by partners, only by global users with
-    // EDIT_REGISTRAR_DETAILS permission
-    if (!Objects.equals(
-            savedRegistrar.getIcannReferralEmail(), providedRegistrar.getIcannReferralEmail())
-        && !user.getUserRoles().hasGlobalPermission(ConsolePermission.EDIT_REGISTRAR_DETAILS)) {
-      setFailedResponse(
-          "Icann Referral Email update is not permitted for this user", SC_BAD_REQUEST);
-    }
-
     Registrar newRegistrar =
         savedRegistrar
             .asBuilder()
-            .setWhoisServer(providedRegistrar.getWhoisServer())
-            .setUrl(providedRegistrar.getUrl())
             .setLocalizedAddress(providedRegistrar.getLocalizedAddress())
             .setPhoneNumber(providedRegistrar.getPhoneNumber())
             .setFaxNumber(providedRegistrar.getFaxNumber())
-            .setIcannReferralEmail(providedRegistrar.getIcannReferralEmail())
             .setEmailAddress(providedRegistrar.getEmailAddress())
             .build();
     tm().put(newRegistrar);
     finishAndPersistConsoleUpdateHistory(
-        new SimpleConsoleUpdateHistory.Builder()
+        new ConsoleUpdateHistory.Builder()
             .setType(ConsoleUpdateHistory.Type.REGISTRAR_UPDATE)
             .setDescription(newRegistrar.getRegistrarId()));
     sendExternalUpdatesIfNecessary(

core/src/main/java/google/registry/ui/server/console/settings/SecurityAction.java

@@ -26,7 +26,6 @@ import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.ConsoleUpdateHistory;
-import google.registry.model.console.SimpleConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
@@ -120,7 +119,7 @@ public class SecurityAction extends ConsoleApiAction {
     Registrar updatedRegistrar = updatedRegistrarBuilder.build();
     tm().put(updatedRegistrar);
     finishAndPersistConsoleUpdateHistory(
-        new SimpleConsoleUpdateHistory.Builder()
+        new ConsoleUpdateHistory.Builder()
             .setType(ConsoleUpdateHistory.Type.REGISTRAR_SECURITY_UPDATE)
             .setDescription(registrarId));
 

core/src/main/resources/META-INF/persistence.xml

@@ -47,12 +47,8 @@
     <class>google.registry.model.billing.BillingRecurrence</class>
     <class>google.registry.model.common.Cursor</class>
     <class>google.registry.model.common.DnsRefreshRequest</class>
-    <class>google.registry.model.console.ConsoleEppActionHistory</class>
-    <class>google.registry.model.console.RegistrarPocUpdateHistory</class>
-    <class>google.registry.model.console.RegistrarUpdateHistory</class>
-    <class>google.registry.model.console.SimpleConsoleUpdateHistory</class>
+    <class>google.registry.model.console.ConsoleUpdateHistory</class>
     <class>google.registry.model.console.User</class>
-    <class>google.registry.model.console.UserUpdateHistory</class>
     <class>google.registry.model.contact.ContactHistory</class>
     <class>google.registry.model.contact.Contact</class>
     <class>google.registry.model.domain.Domain</class>

core/src/main/resources/google/registry/reporting/icann/sql/attempted_adds.sql

@@ -16,7 +16,7 @@
   -- Determine the number of attempted adds each registrar made.
 
   -- Since the specification requests all 'attempted' adds, we regex the
-  -- monthly App Engine logs, searching for all create commands and associating
+  -- monthly GKE logs, searching for all create commands and associating
   -- them with their corresponding registrars.
 
   -- Example log generated by FlowReporter in App Engine and GKE logs:
@@ -27,7 +27,7 @@
   -- ,"targetId":"","targetIds":[],"tld":"",
   -- "tlds":[],"icannActivityReportField":""}
 
--- This outer select just converts the registrar's clientId to their name.
+-- This outer select just converts the registrar's ID to their name.
 SELECT
   tld,
   registrar_table.registrar_name AS registrar_name,
@@ -38,34 +38,20 @@ FROM (
     JSON_EXTRACT_SCALAR(json, '$.tld') AS tld,
     JSON_EXTRACT_SCALAR(json, '$.clientId') AS clientId,
     COUNT(json) AS count
-  FROM ((
-      -- Extract JSON metadata package from monthly logs
+  FROM (
+    -- Extract JSON metadata package from monthly logs
     SELECT
-      REGEXP_EXTRACT(textPayload, r'FLOW-LOG-SIGNATURE-METADATA: (.*)\n?$') AS json
+      REGEXP_EXTRACT(jsonPayload.message, r'FLOW-LOG-SIGNATURE-METADATA: (.*)\n?$') AS json
     FROM
-      `%PROJECT_ID%.%APPENGINE_LOGS_DATA_SET%.%APP_LOGS_TABLE%*`
+      `%PROJECT_ID%.gke_logs.stderr_*`
     WHERE
       _TABLE_SUFFIX BETWEEN '%FIRST_DAY_OF_MONTH%'
       AND '%LAST_DAY_OF_MONTH%'
-      AND STARTS_WITH(textPayload, "FLOW-LOG-SIGNATURE-METADATA")
+      AND STARTS_WITH(jsonPayload.message, "FLOW-LOG-SIGNATURE-METADATA")
       -- Look for domain creates
-      AND REGEXP_CONTAINS(textPayload, r'"commandType":"create","resourceType":"domain"')
+      AND REGEXP_CONTAINS(jsonPayload.message, r'"commandType":"create","resourceType":"domain"')
       -- Filter prober data
-      AND NOT REGEXP_CONTAINS(textPayload, r'"prober-[a-z]{2}-((any)|(canary))"'))
-    UNION ALL (
-        -- Extract JSON metadata package from monthly logs
-      SELECT
-        REGEXP_EXTRACT(jsonPayload.message, r'FLOW-LOG-SIGNATURE-METADATA: (.*)\n?$') AS json
-      FROM
-        `%PROJECT_ID%.%GKE_LOGS_DATA_SET%.stderr_*`
-      WHERE
-        _TABLE_SUFFIX BETWEEN '%FIRST_DAY_OF_MONTH%'
-        AND '%LAST_DAY_OF_MONTH%'
-        AND STARTS_WITH(jsonPayload.message, "FLOW-LOG-SIGNATURE-METADATA")
-        -- Look for domain creates
-        AND REGEXP_CONTAINS(jsonPayload.message, r'"commandType":"create","resourceType":"domain"')
-        -- Filter prober data
-        AND NOT REGEXP_CONTAINS(jsonPayload.message, r'"prober-[a-z]{2}-((any)|(canary))"')))
+      AND NOT REGEXP_CONTAINS(jsonPayload.message, r'"prober-[a-z]{2}-((any)|(canary))"'))
   GROUP BY
     tld,
     clientId ) AS logs_table

core/src/main/resources/google/registry/reporting/icann/sql/epp_metrics.sql

@@ -15,7 +15,7 @@
 
   -- Query FlowReporter JSON log messages and calculate SRS metrics.
 
-  -- We use ugly regex's over the monthly appengine logs to determine how many
+  -- We use ugly regexes over the monthly GKE logs to determine how many
   -- EPP requests we received for each command. For example:
   -- {"commandType":"check"...,"targetIds":["ais.a.how"],
   -- "tld":"","tlds":["a.how"],"icannActivityReportField":"srs-dom-check"}
@@ -35,30 +35,15 @@ FROM (
     JSON_EXTRACT_SCALAR(json,
       '$.icannActivityReportField') AS activityReportField
   FROM (
-    -- For reasons that I don't understand, if I directly select the three columns
-    -- from the union, BigQuery complains about column number mismatch, so I have to
-    -- make a temporary union table and select on it.
     SELECT
-      *
-    FROM (
-      SELECT
-        -- Extract the logged JSON payload.
-        REGEXP_EXTRACT(textPayload, r'FLOW-LOG-SIGNATURE-METADATA: (.*)\n?$')
-        AS json
-      FROM `%PROJECT_ID%.%APPENGINE_LOGS_DATA_SET%.%APP_LOGS_TABLE%*`
-      WHERE
-        STARTS_WITH(textPayload, "FLOW-LOG-SIGNATURE-METADATA")
-        AND _TABLE_SUFFIX BETWEEN '%FIRST_DAY_OF_MONTH%' AND '%LAST_DAY_OF_MONTH%')
-    UNION ALL (
-      SELECT
-        -- Extract the logged JSON payload.
-        REGEXP_EXTRACT(jsonPayload.message, r'FLOW-LOG-SIGNATURE-METADATA: (.*)\n?$')
-        AS json
-      FROM `%PROJECT_ID%.%GKE_LOGS_DATA_SET%.stderr_*`
-      WHERE
-        STARTS_WITH(jsonPayload.message, "FLOW-LOG-SIGNATURE-METADATA")
-        AND _TABLE_SUFFIX BETWEEN '%FIRST_DAY_OF_MONTH%' AND '%LAST_DAY_OF_MONTH%')
-  )) AS regexes
+      -- Extract the logged JSON payload.
+      REGEXP_EXTRACT(jsonPayload.message, r'FLOW-LOG-SIGNATURE-METADATA: (.*)\n?$')
+      AS json
+    FROM `%PROJECT_ID%.gke_logs.stderr_*`
+    WHERE
+      STARTS_WITH(jsonPayload.message, "FLOW-LOG-SIGNATURE-METADATA")
+      AND _TABLE_SUFFIX BETWEEN '%FIRST_DAY_OF_MONTH%' AND '%LAST_DAY_OF_MONTH%')
+  ) AS regexes
 JOIN
   -- Unnest the JSON-parsed tlds.
   UNNEST(regexes.tlds) AS tld

core/src/main/resources/google/registry/reporting/icann/sql/monthly_logs.sql

@@ -13,7 +13,7 @@
   -- See the License for the specific language governing permissions and
   -- limitations under the License.
 
-  -- Query to fetch AppEngine and GKE request logs for the report month.
+  -- Query to fetch GKE request logs for the report month.
 
   -- START_OF_MONTH and END_OF_MONTH should be in YYYYMM01 format.
 
@@ -23,13 +23,6 @@ FROM (
   SELECT
     jsonPayload.httrequest.requesturl AS requestPath
   FROM
-    `%PROJECT_ID%.%GKE_LOGS_DATA_SET%.stderr_*`
-  WHERE
-    _TABLE_SUFFIX BETWEEN '%FIRST_DAY_OF_MONTH%' AND '%LAST_DAY_OF_MONTH%')
-UNION ALL (
-  SELECT
-    protoPayload.resource AS requestPath
-  FROM
-    `%PROJECT_ID%.%APPENGINE_LOGS_DATA_SET%.%REQUEST_TABLE%*`
+    `%PROJECT_ID%.gke_logs.stderr_*`
   WHERE
     _TABLE_SUFFIX BETWEEN '%FIRST_DAY_OF_MONTH%' AND '%LAST_DAY_OF_MONTH%')

core/src/test/java/google/registry/batch/SendExpiringCertificateNotificationEmailActionTest.java

@@ -36,8 +36,7 @@ import google.registry.groups.GmailClient;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
-import google.registry.model.registrar.RegistrarPocBase.Type;
+import google.registry.model.registrar.RegistrarPoc.Type;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.testing.FakeClock;
@@ -57,13 +56,13 @@ class SendExpiringCertificateNotificationEmailActionTest {
 
   private static final String EXPIRATION_WARNING_EMAIL_BODY_TEXT =
       """
-           Dear %1$s,
+       Dear %1$s,
 
-          We would like to inform you that your %2$s certificate will expire at %3$s.
-           Kind update your account using the following steps:
-            1. Navigate to support and login using your %4$s@registry.example credentials.
-            2. Click Settings -> Privacy on the top left corner.
-            3. Click Edit and enter certificate string.  3. Click SaveRegards,Example Registry""";
+      We would like to inform you that your %2$s certificate will expire at %3$s.
+       Kind update your account using the following steps:
+        1. Navigate to support and login using your %4$s@registry.example credentials.
+        2. Click Settings -> Privacy on the top left corner.
+        3. Click Edit and enter certificate string.  3. Click SaveRegards,Example Registry""";
 
   private static final String EXPIRATION_WARNING_EMAIL_SUBJECT_TEXT = "Expiration Warning Email";
 
@@ -220,7 +219,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
                 .setEmailAddress("will@example-registrar.tld")
                 .setPhoneNumber("+1.3105551213")
                 .setFaxNumber("+1.3105551213")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH))
                 .setVisibleInWhoisAsAdmin(true)
                 .setVisibleInWhoisAsTech(false)
                 .build());
@@ -510,7 +509,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
                 .setEmailAddress("jd@example-registrar.tld")
                 .setPhoneNumber("+1.3105551213")
                 .setFaxNumber("+1.3105551213")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH))
                 .setVisibleInWhoisAsAdmin(true)
                 .setVisibleInWhoisAsTech(false)
                 .build(),
@@ -520,7 +519,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
                 .setEmailAddress("js@example-registrar.tld")
                 .setPhoneNumber("+1.1111111111")
                 .setFaxNumber("+1.1111111111")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH))
                 .build(),
             new RegistrarPoc.Builder()
                 .setRegistrar(registrar)
@@ -528,7 +527,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
                 .setEmailAddress("will@example-registrar.tld")
                 .setPhoneNumber("+1.3105551213")
                 .setFaxNumber("+1.3105551213")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH))
                 .setVisibleInWhoisAsAdmin(true)
                 .setVisibleInWhoisAsTech(false)
                 .build(),
@@ -538,7 +537,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
                 .setEmailAddress("mike@example-registrar.tld")
                 .setPhoneNumber("+1.1111111111")
                 .setFaxNumber("+1.1111111111")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.ADMIN))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN))
                 .build(),
             new RegistrarPoc.Builder()
                 .setRegistrar(registrar)
@@ -546,7 +545,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
                 .setEmailAddress("john@example-registrar.tld")
                 .setPhoneNumber("+1.3105551215")
                 .setFaxNumber("+1.3105551216")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.ADMIN))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN))
                 .setVisibleInWhoisAsTech(true)
                 .build());
     persistSimpleResources(contacts);
@@ -700,7 +699,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
 
   /** Returns persisted sample contacts with a customized contact email type. */
   private static ImmutableList<RegistrarPoc> persistSampleContacts(
-      Registrar registrar, RegistrarPocBase.Type emailType) {
+      Registrar registrar, RegistrarPoc.Type emailType) {
     return persistSimpleResources(
         ImmutableList.of(
             new RegistrarPoc.Builder()

core/src/test/java/google/registry/beam/common/RegistryPipelineWorkerInitializerTest.java

@@ -0,0 +1,36 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.common;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import google.registry.util.RegistryEnvironment;
+import org.apache.beam.sdk.options.PipelineOptionsFactory;
+import org.junit.jupiter.api.Test;
+
+public class RegistryPipelineWorkerInitializerTest {
+
+  @Test
+  void test() {
+    RegistryPipelineOptions options =
+        PipelineOptionsFactory.fromArgs(
+                "--registryEnvironment=ALPHA", "--isolationOverride=TRANSACTION_SERIALIZABLE")
+            .withValidation()
+            .as(RegistryPipelineOptions.class);
+    new RegistryPipelineWorkerInitializer().beforeProcessing(options);
+    assertThat(RegistryEnvironment.isOnJetty()).isTrue();
+    System.clearProperty("google.registry.jetty");
+  }
+}

core/src/test/java/google/registry/beam/rde/RdePipelineTest.java

@@ -70,7 +70,7 @@ import google.registry.model.rde.RdeMode;
 import google.registry.model.rde.RdeRevision;
 import google.registry.model.rde.RdeRevision.RdeRevisionId;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
 import google.registry.model.reporting.HistoryEntry;
@@ -388,22 +388,22 @@ public class RdePipelineTest {
                       assertThat(domainFrags.stream().findFirst().get().xml().strip())
                           .isEqualTo(
                               """
-                          <rdeDomain:domain>
-                              <rdeDomain:name>cat.fun</rdeDomain:name>
-                              <rdeDomain:roid>15-FUN</rdeDomain:roid>
-                              <rdeDomain:uName>cat.fun</rdeDomain:uName>
-                              <rdeDomain:status s="ok"/>
-                              <rdeDomain:contact type="admin">contact456</rdeDomain:contact>
-                              <rdeDomain:contact type="tech">contact456</rdeDomain:contact>
-                              <rdeDomain:ns>
-                                  <domain:hostObj>ns1.external.tld</domain:hostObj>
-                                  <domain:hostObj>ns1.hello.soy</domain:hostObj>
-                              </rdeDomain:ns>
-                              <rdeDomain:clID>TheRegistrar</rdeDomain:clID>
-                              <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
-                              <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
-                              <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
-                          </rdeDomain:domain>""");
+                              <rdeDomain:domain>
+                                  <rdeDomain:name>cat.fun</rdeDomain:name>
+                                  <rdeDomain:roid>15-FUN</rdeDomain:roid>
+                                  <rdeDomain:uName>cat.fun</rdeDomain:uName>
+                                  <rdeDomain:status s="ok"/>
+                                  <rdeDomain:contact type="admin">contact456</rdeDomain:contact>
+                                  <rdeDomain:contact type="tech">contact456</rdeDomain:contact>
+                                  <rdeDomain:ns>
+                                      <domain:hostObj>ns1.external.tld</domain:hostObj>
+                                      <domain:hostObj>ns1.hello.soy</domain:hostObj>
+                                  </rdeDomain:ns>
+                                  <rdeDomain:clID>TheRegistrar</rdeDomain:clID>
+                                  <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
+                                  <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
+                                  <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
+                              </rdeDomain:domain>""");
                     }
                     if (kv.getKey().mode().equals(FULL)) {
                       // Contact fragments for hello.soy.
@@ -425,23 +425,23 @@ public class RdePipelineTest {
                         assertThat(domainFrags.stream().findFirst().get().xml().strip())
                             .isEqualTo(
                                 """
-                          <rdeDomain:domain>
-                              <rdeDomain:name>hello.soy</rdeDomain:name>
-                              <rdeDomain:roid>E-SOY</rdeDomain:roid>
-                              <rdeDomain:uName>hello.soy</rdeDomain:uName>
-                              <rdeDomain:status s="ok"/>
-                              <rdeDomain:registrant>contact1234</rdeDomain:registrant>
-                              <rdeDomain:contact type="admin">contact789</rdeDomain:contact>
-                              <rdeDomain:contact type="tech">contact1234</rdeDomain:contact>
-                              <rdeDomain:ns>
-                                  <domain:hostObj>ns1.external.tld</domain:hostObj>
-                                  <domain:hostObj>ns1.lol.cat</domain:hostObj>
-                              </rdeDomain:ns>
-                              <rdeDomain:clID>TheRegistrar</rdeDomain:clID>
-                              <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
-                              <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
-                              <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
-                          </rdeDomain:domain>""");
+                                <rdeDomain:domain>
+                                    <rdeDomain:name>hello.soy</rdeDomain:name>
+                                    <rdeDomain:roid>E-SOY</rdeDomain:roid>
+                                    <rdeDomain:uName>hello.soy</rdeDomain:uName>
+                                    <rdeDomain:status s="ok"/>
+                                    <rdeDomain:registrant>contact1234</rdeDomain:registrant>
+                                    <rdeDomain:contact type="admin">contact789</rdeDomain:contact>
+                                    <rdeDomain:contact type="tech">contact1234</rdeDomain:contact>
+                                    <rdeDomain:ns>
+                                        <domain:hostObj>ns1.external.tld</domain:hostObj>
+                                        <domain:hostObj>ns1.lol.cat</domain:hostObj>
+                                    </rdeDomain:ns>
+                                    <rdeDomain:clID>TheRegistrar</rdeDomain:clID>
+                                    <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
+                                    <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
+                                    <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
+                                </rdeDomain:domain>""");
                       } else {
                         // Contact fragments for cat.fun.
                         assertThat(
@@ -471,20 +471,20 @@ public class RdePipelineTest {
                       assertThat(domainFrags.stream().findFirst().get().xml().strip())
                           .isEqualTo(
                               """
-                          <rdeDomain:domain>
-                              <rdeDomain:name>hello.soy</rdeDomain:name>
-                              <rdeDomain:roid>E-SOY</rdeDomain:roid>
-                              <rdeDomain:uName>hello.soy</rdeDomain:uName>
-                              <rdeDomain:status s="ok"/>
-                              <rdeDomain:ns>
-                                  <domain:hostObj>ns1.external.tld</domain:hostObj>
-                                  <domain:hostObj>ns1.lol.cat</domain:hostObj>
-                              </rdeDomain:ns>
-                              <rdeDomain:clID>TheRegistrar</rdeDomain:clID>
-                              <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
-                              <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
-                              <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
-                          </rdeDomain:domain>""");
+                              <rdeDomain:domain>
+                                  <rdeDomain:name>hello.soy</rdeDomain:name>
+                                  <rdeDomain:roid>E-SOY</rdeDomain:roid>
+                                  <rdeDomain:uName>hello.soy</rdeDomain:uName>
+                                  <rdeDomain:status s="ok"/>
+                                  <rdeDomain:ns>
+                                      <domain:hostObj>ns1.external.tld</domain:hostObj>
+                                      <domain:hostObj>ns1.lol.cat</domain:hostObj>
+                                  </rdeDomain:ns>
+                                  <rdeDomain:clID>TheRegistrar</rdeDomain:clID>
+                                  <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
+                                  <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
+                                  <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
+                              </rdeDomain:domain>""");
                     }
                   });
               return null;

core/src/test/java/google/registry/export/SyncGroupMembersActionTest.java

@@ -16,9 +16,9 @@ package google.registry.export;
 
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.export.SyncGroupMembersAction.getGroupEmailAddressForContactType;
-import static google.registry.model.registrar.RegistrarPocBase.Type.ADMIN;
-import static google.registry.model.registrar.RegistrarPocBase.Type.MARKETING;
-import static google.registry.model.registrar.RegistrarPocBase.Type.TECH;
+import static google.registry.model.registrar.RegistrarPoc.Type.ADMIN;
+import static google.registry.model.registrar.RegistrarPoc.Type.MARKETING;
+import static google.registry.model.registrar.RegistrarPoc.Type.TECH;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.testing.DatabaseHelper.loadRegistrar;
 import static google.registry.testing.DatabaseHelper.persistResource;

core/src/test/java/google/registry/export/sheet/SyncRegistrarsSheetTest.java

@@ -38,7 +38,6 @@ import google.registry.model.common.Cursor;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.testing.DatabaseHelper;
@@ -158,8 +157,7 @@ public class SyncRegistrarsSheetTest {
                 .setName("Jane Doe")
                 .setEmailAddress("contact@example.com")
                 .setPhoneNumber("+1.1234567890")
-                .setTypes(
-                    ImmutableSet.of(RegistrarPocBase.Type.ADMIN, RegistrarPocBase.Type.BILLING))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN, RegistrarPoc.Type.BILLING))
                 .build(),
             new RegistrarPoc.Builder()
                 .setRegistrar(registrar)
@@ -167,7 +165,7 @@ public class SyncRegistrarsSheetTest {
                 .setEmailAddress("john.doe@example.tld")
                 .setPhoneNumber("+1.1234567890")
                 .setFaxNumber("+1.1234567891")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.ADMIN))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN))
                 // Purposely flip the internal/external admin/tech
                 // distinction to make sure we're not relying on it.  Sigh.
                 .setVisibleInWhoisAsAdmin(false)
@@ -177,7 +175,7 @@ public class SyncRegistrarsSheetTest {
                 .setRegistrar(registrar)
                 .setName("Jane Smith")
                 .setEmailAddress("pride@example.net")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH))
                 .build());
     // Use registrar key for contacts' parent.
     DateTime registrarCreationTime = persistResource(registrar).getCreationTime();
@@ -199,37 +197,37 @@ public class SyncRegistrarsSheetTest {
         .containsEntry(
             "primaryContacts",
             """
-                Jane Doe
-                contact@example.com
-                Tel: +1.1234567890
-                Types: [ADMIN, BILLING]
-                Visible in registrar WHOIS query as Admin contact: No
-                Visible in registrar WHOIS query as Technical contact: No
-                Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
-                 info: No
+            Jane Doe
+            contact@example.com
+            Tel: +1.1234567890
+            Types: [ADMIN, BILLING]
+            Visible in registrar WHOIS query as Admin contact: No
+            Visible in registrar WHOIS query as Technical contact: No
+            Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
+             info: No
 
-                John Doe
-                john.doe@example.tld
-                Tel: +1.1234567890
-                Fax: +1.1234567891
-                Types: [ADMIN]
-                Visible in registrar WHOIS query as Admin contact: No
-                Visible in registrar WHOIS query as Technical contact: Yes
-                Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
-                 info: No
-                """);
+            John Doe
+            john.doe@example.tld
+            Tel: +1.1234567890
+            Fax: +1.1234567891
+            Types: [ADMIN]
+            Visible in registrar WHOIS query as Admin contact: No
+            Visible in registrar WHOIS query as Technical contact: Yes
+            Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
+             info: No
+            """);
     assertThat(row)
         .containsEntry(
             "techContacts",
             """
-                Jane Smith
-                pride@example.net
-                Types: [TECH]
-                Visible in registrar WHOIS query as Admin contact: No
-                Visible in registrar WHOIS query as Technical contact: No
-                Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
-                 info: No
-                """);
+            Jane Smith
+            pride@example.net
+            Types: [TECH]
+            Visible in registrar WHOIS query as Admin contact: No
+            Visible in registrar WHOIS query as Technical contact: No
+            Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
+             info: No
+            """);
     assertThat(row).containsEntry("marketingContacts", "");
     assertThat(row).containsEntry("abuseContacts", "");
     assertThat(row).containsEntry("whoisInquiryContacts", "");
@@ -238,30 +236,30 @@ public class SyncRegistrarsSheetTest {
         .containsEntry(
             "billingContacts",
             """
-                Jane Doe
-                contact@example.com
-                Tel: +1.1234567890
-                Types: [ADMIN, BILLING]
-                Visible in registrar WHOIS query as Admin contact: No
-                Visible in registrar WHOIS query as Technical contact: No
-                Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
-                 info: No
-                """);
+            Jane Doe
+            contact@example.com
+            Tel: +1.1234567890
+            Types: [ADMIN, BILLING]
+            Visible in registrar WHOIS query as Admin contact: No
+            Visible in registrar WHOIS query as Technical contact: No
+            Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
+             info: No
+            """);
     assertThat(row).containsEntry("contactsMarkedAsWhoisAdmin", "");
     assertThat(row)
         .containsEntry(
             "contactsMarkedAsWhoisTech",
             """
-                John Doe
-                john.doe@example.tld
-                Tel: +1.1234567890
-                Fax: +1.1234567891
-                Types: [ADMIN]
-                Visible in registrar WHOIS query as Admin contact: No
-                Visible in registrar WHOIS query as Technical contact: Yes
-                Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
-                 info: No
-                """);
+            John Doe
+            john.doe@example.tld
+            Tel: +1.1234567890
+            Fax: +1.1234567891
+            Types: [ADMIN]
+            Visible in registrar WHOIS query as Admin contact: No
+            Visible in registrar WHOIS query as Technical contact: Yes
+            Phone number and email visible in domain WHOIS query as Registrar Abuse contact\
+             info: No
+            """);
     assertThat(row).containsEntry("emailAddress", "nowhere@example.org");
     assertThat(row).containsEntry(
         "address.street", "I get fallen back upon since there's no l10n addr");

core/src/test/java/google/registry/flows/domain/DomainCheckFlowTest.java

@@ -211,8 +211,8 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
     doCheckTest(
         create(true, "example1.tld", null),
         create(false, "example2.tld", "Alloc token invalid for domain"),
-        create(false, "reserved.tld", "Reserved"),
-        create(false, "specificuse.tld", "Reserved; alloc. token required"));
+        create(false, "reserved.tld", "Alloc token invalid for domain"),
+        create(false, "specificuse.tld", "Alloc token invalid for domain"));
   }
 
   @Test
@@ -230,8 +230,8 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
     doCheckTest(
         create(false, "example1.tld", "Blocked by a GlobalBlock service"),
         create(false, "example2.tld", "Alloc token invalid for domain"),
-        create(false, "reserved.tld", "Reserved"),
-        create(false, "specificuse.tld", "Reserved; alloc. token required"));
+        create(false, "reserved.tld", "Alloc token invalid for domain"),
+        create(false, "specificuse.tld", "Alloc token invalid for domain"));
   }
 
   @Test
@@ -257,17 +257,6 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
         create(true, "example3.tld", null));
   }
 
-  @Test
-  void testSuccess_oneExists_allocationTokenIsInvalid() throws Exception {
-    setEppInput("domain_check_allocationtoken.xml");
-    persistActiveDomain("example1.tld");
-    doCheckTest(
-        create(false, "example1.tld", "In use"),
-        create(false, "example2.tld", "The allocation token is invalid"),
-        create(false, "reserved.tld", "Reserved"),
-        create(false, "specificuse.tld", "Reserved; alloc. token required"));
-  }
-
   @Test
   void testSuccess_oneExists_allocationTokenIsValid() throws Exception {
     setEppInput("domain_check_allocationtoken.xml");
@@ -300,24 +289,6 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
     runFlowAssertResponse(loadFile("domain_check_allocationtoken_fee_anchor_response.xml"));
   }
 
-  @Test
-  void testSuccess_oneExists_allocationTokenIsRedeemed() throws Exception {
-    setEppInput("domain_check_allocationtoken.xml");
-    Domain domain = persistActiveDomain("example1.tld");
-    HistoryEntryId historyEntryId = new HistoryEntryId(domain.getRepoId(), 1L);
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(SINGLE_USE)
-            .setRedemptionHistoryId(historyEntryId)
-            .build());
-    doCheckTest(
-        create(false, "example1.tld", "In use"),
-        create(false, "example2.tld", "Alloc token was already redeemed"),
-        create(false, "reserved.tld", "Reserved"),
-        create(false, "specificuse.tld", "Reserved; alloc. token required"));
-  }
-
   @Test
   void testSuccess_oneExists_allocationTokenForReservedDomain() throws Exception {
     setEppInput("domain_check_allocationtoken.xml");
@@ -329,9 +300,9 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
             .setTokenType(SINGLE_USE)
             .build());
     doCheckTest(
-        create(false, "example1.tld", "In use"),
+        create(false, "example1.tld", "Alloc token invalid for domain"),
         create(false, "example2.tld", "Alloc token invalid for domain"),
-        create(false, "reserved.tld", "Reserved"),
+        create(false, "reserved.tld", "Alloc token invalid for domain"),
         create(true, "specificuse.tld", null));
   }
 
@@ -350,23 +321,6 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
     runFlowAssertResponse(loadFile("domain_check_allocationtoken_fee_specificuse_response.xml"));
   }
 
-  @Test
-  void testSuccess_oneExists_allocationTokenForWrongDomain() throws Exception {
-    setEppInput("domain_check_allocationtoken.xml");
-    persistActiveDomain("example1.tld");
-    persistResource(
-        new AllocationToken.Builder()
-            .setDomainName("someotherdomain.tld")
-            .setToken("abc123")
-            .setTokenType(SINGLE_USE)
-            .build());
-    doCheckTest(
-        create(false, "example1.tld", "In use"),
-        create(false, "example2.tld", "Alloc token invalid for domain"),
-        create(false, "reserved.tld", "Reserved"),
-        create(false, "specificuse.tld", "Reserved; alloc. token required"));
-  }
-
   @Test
   void testSuccess_notOutOfDateToken_forSpecificDomain() throws Exception {
     setEppInput("domain_check_allocationtoken.xml");
@@ -385,44 +339,10 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
     doCheckTest(
         create(false, "example1.tld", "Alloc token invalid for domain"),
         create(false, "example2.tld", "Alloc token invalid for domain"),
-        create(false, "reserved.tld", "Reserved"),
+        create(false, "reserved.tld", "Alloc token invalid for domain"),
         create(true, "specificuse.tld", null));
   }
 
-  @Test
-  void testSuccess_outOfDateToken_forSpecificDomain() throws Exception {
-    setEppInput("domain_check_allocationtoken.xml");
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(SINGLE_USE)
-            .setDomainName("specificuse.tld")
-            .setTokenStatusTransitions(
-                ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
-                    .put(START_OF_TIME, TokenStatus.NOT_STARTED)
-                    .put(clock.nowUtc().minusDays(2), TokenStatus.VALID)
-                    .put(clock.nowUtc().minusDays(1), TokenStatus.ENDED)
-                    .build())
-            .build());
-    doCheckTest(
-        create(false, "example1.tld", "Alloc token invalid for domain"),
-        create(false, "example2.tld", "Alloc token invalid for domain"),
-        create(false, "reserved.tld", "Reserved"),
-        create(false, "specificuse.tld", "Alloc token not in promo period"));
-  }
-
-  @Test
-  void testSuccess_nothingExists_reservationsOverrideInvalidAllocationTokens() throws Exception {
-    setEppInput("domain_check_reserved_allocationtoken.xml");
-    // Fill out these reasons
-    doCheckTest(
-        create(false, "collision.tld", "Cannot be delegated"),
-        create(false, "reserved.tld", "Reserved"),
-        create(false, "anchor.tld", "Reserved; alloc. token required"),
-        create(false, "allowedinsunrise.tld", "Reserved"),
-        create(false, "premiumcollision.tld", "Cannot be delegated"));
-  }
-
   @Test
   void testSuccess_allocationTokenPromotion_singleYear() throws Exception {
     createTld("example");
@@ -500,7 +420,75 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
   }
 
   @Test
-  void testFailure_allocationTokenPromotion_PremiumsNotSet() throws Exception {
+  void testSuccess_allocationTokenInvalid_overridesOtherErrors() throws Exception {
+    setEppInput("domain_check_allocationtoken.xml");
+    persistActiveDomain("example1.tld");
+    doCheckTest(
+        create(false, "example1.tld", "The allocation token is invalid"),
+        create(false, "example2.tld", "The allocation token is invalid"),
+        create(false, "reserved.tld", "The allocation token is invalid"),
+        create(false, "specificuse.tld", "The allocation token is invalid"));
+  }
+
+  @Test
+  void testSuccess_allocationTokenForWrongDomain_overridesOtherConcerns() throws Exception {
+    setEppInput("domain_check_allocationtoken.xml");
+    persistActiveDomain("example1.tld");
+    persistResource(
+        new AllocationToken.Builder()
+            .setDomainName("someotherdomain.tld")
+            .setToken("abc123")
+            .setTokenType(SINGLE_USE)
+            .build());
+    doCheckTest(
+        create(false, "example1.tld", "Alloc token invalid for domain"),
+        create(false, "example2.tld", "Alloc token invalid for domain"),
+        create(false, "reserved.tld", "Alloc token invalid for domain"),
+        create(false, "specificuse.tld", "Alloc token invalid for domain"));
+  }
+
+  @Test
+  void testSuccess_outOfDateToken_overridesOtherIssues() throws Exception {
+    setEppInput("domain_check_allocationtoken.xml");
+    persistResource(
+        new AllocationToken.Builder()
+            .setToken("abc123")
+            .setTokenType(SINGLE_USE)
+            .setDomainName("specificuse.tld")
+            .setTokenStatusTransitions(
+                ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
+                    .put(START_OF_TIME, TokenStatus.NOT_STARTED)
+                    .put(clock.nowUtc().minusDays(2), TokenStatus.VALID)
+                    .put(clock.nowUtc().minusDays(1), TokenStatus.ENDED)
+                    .build())
+            .build());
+    doCheckTest(
+        create(false, "example1.tld", "Alloc token not in promo period"),
+        create(false, "example2.tld", "Alloc token not in promo period"),
+        create(false, "reserved.tld", "Alloc token not in promo period"),
+        create(false, "specificuse.tld", "Alloc token not in promo period"));
+  }
+
+  @Test
+  void testSuccess_redeemedTokenOverridesOtherConcerns() throws Exception {
+    setEppInput("domain_check_allocationtoken.xml");
+    Domain domain = persistActiveDomain("example1.tld");
+    HistoryEntryId historyEntryId = new HistoryEntryId(domain.getRepoId(), 1L);
+    persistResource(
+        new AllocationToken.Builder()
+            .setToken("abc123")
+            .setTokenType(SINGLE_USE)
+            .setRedemptionHistoryId(historyEntryId)
+            .build());
+    doCheckTest(
+        create(false, "example1.tld", "Alloc token was already redeemed"),
+        create(false, "example2.tld", "Alloc token was already redeemed"),
+        create(false, "reserved.tld", "Alloc token was already redeemed"),
+        create(false, "specificuse.tld", "Alloc token was already redeemed"));
+  }
+
+  @Test
+  void testSuccess_allocationTokenPromotion_noPremium_stillPasses() throws Exception {
     createTld("example");
     persistResource(
         new AllocationToken.Builder()
@@ -515,7 +503,7 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
         ImmutableMap.of("DOMAIN", "rich.example"));
     doCheckTest(
         create(true, "example1.example", null),
-        create(false, "rich.example", "Token not valid for premium name"),
+        create(true, "rich.example", null),
         create(true, "example3.example", null));
   }
 
@@ -572,7 +560,8 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
     doCheckTest(
         create(false, "example1.tld", "Alloc token not in promo period"),
         create(false, "example2.example", "Alloc token not in promo period"),
-        create(false, "reserved.tld", "Reserved"));
+        create(false, "reserved.tld", "Alloc token not in promo period"),
+        create(false, "rich.example", "Alloc token not in promo period"));
   }
 
   @Test
@@ -593,9 +582,10 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
             .build());
     setEppInput("domain_check_allocationtoken_fee.xml");
     doCheckTest(
-        create(false, "example1.tld", "Alloc token invalid for TLD"),
+        create(true, "example1.tld", null),
         create(true, "example2.example", null),
-        create(false, "reserved.tld", "Reserved"));
+        create(false, "reserved.tld", "Reserved"),
+        create(true, "rich.example", null));
   }
 
   @Test
@@ -618,7 +608,8 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
     doCheckTest(
         create(false, "example1.tld", "Alloc token invalid for client"),
         create(false, "example2.example", "Alloc token invalid for client"),
-        create(false, "reserved.tld", "Reserved"));
+        create(false, "reserved.tld", "Alloc token invalid for client"),
+        create(false, "rich.example", "Alloc token invalid for client"));
   }
 
   @Test
@@ -999,6 +990,7 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
             .setToken("abc123")
             .setTokenType(UNLIMITED_USE)
             .setAllowedEppActions(ImmutableSet.of(CommandName.CREATE, CommandName.TRANSFER))
+            .setDiscountFraction(0.1)
             .build());
     setEppInput("domain_check_fee_multiple_commands_allocationtoken_v06.xml");
     runFlowAssertResponse(
@@ -1028,6 +1020,7 @@ class DomainCheckFlowTest extends ResourceCheckFlowTestCase<DomainCheckFlow, Dom
             .setToken("abc123")
             .setTokenType(UNLIMITED_USE)
             .setAllowedEppActions(ImmutableSet.of(CommandName.CREATE, CommandName.TRANSFER))
+            .setDiscountFraction(0.1)
             .build());
     setEppInput("domain_check_fee_multiple_commands_allocationtoken_v12.xml");
     runFlowAssertResponse(

core/src/test/java/google/registry/flows/domain/DomainCreateFlowTest.java

@@ -141,13 +141,10 @@ import google.registry.flows.domain.DomainFlowUtils.TrailingDashException;
 import google.registry.flows.domain.DomainFlowUtils.UnexpectedClaimsNoticeException;
 import google.registry.flows.domain.DomainFlowUtils.UnsupportedFeeAttributeException;
 import google.registry.flows.domain.DomainFlowUtils.UnsupportedMarkTypeException;
-import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForPremiumNameException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils.NonexistentAllocationTokenException;
 import google.registry.flows.exceptions.OnlyToolCanPassMetadataException;
 import google.registry.flows.exceptions.ResourceAlreadyExistsForThisClientException;
 import google.registry.flows.exceptions.ResourceCreateContentionException;
@@ -174,7 +171,7 @@ import google.registry.model.eppoutput.EppResponse;
 import google.registry.model.poll.PendingActionNotificationResponse.DomainPendingActionNotificationResponse;
 import google.registry.model.poll.PollMessage;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
 import google.registry.model.reporting.HistoryEntry;
@@ -529,51 +526,10 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         "domain_create_allocationtoken.xml",
         ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2"));
     persistContactsAndHosts();
-    EppException thrown = assertThrows(InvalidAllocationTokenException.class, this::runFlow);
+    EppException thrown = assertThrows(NonexistentAllocationTokenException.class, this::runFlow);
     assertAboutEppExceptions().that(thrown).marshalsToXml();
   }
 
-  @Test
-  void testFailure_reservedDomainCreate_allocationTokenIsForADifferentDomain() {
-    // Try to register a reserved domain name with an allocation token valid for a different domain
-    // name.
-    setEppInput(
-        "domain_create_allocationtoken.xml", ImmutableMap.of("DOMAIN", "resdom.tld", "YEARS", "2"));
-    persistContactsAndHosts();
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(SINGLE_USE)
-            .setDomainName("otherdomain.tld")
-            .build());
-    clock.advanceOneMilli();
-    EppException thrown =
-        assertThrows(AllocationTokenNotValidForDomainException.class, this::runFlow);
-    assertAboutEppExceptions().that(thrown).marshalsToXml();
-    assertAllocationTokenWasNotRedeemed("abc123");
-  }
-
-  @Test
-  void testFailure_nonreservedDomainCreate_allocationTokenIsForADifferentDomain() {
-    // Try to register a non-reserved domain name with an allocation token valid for a different
-    // domain name.
-    setEppInput(
-        "domain_create_allocationtoken.xml",
-        ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2"));
-    persistContactsAndHosts();
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(SINGLE_USE)
-            .setDomainName("otherdomain.tld")
-            .build());
-    clock.advanceOneMilli();
-    EppException thrown =
-        assertThrows(AllocationTokenNotValidForDomainException.class, this::runFlow);
-    assertAboutEppExceptions().that(thrown).marshalsToXml();
-    assertAllocationTokenWasNotRedeemed("abc123");
-  }
-
   @Test
   void testFailure_alreadyRedemeedAllocationToken() {
     setEppInput(
@@ -1704,32 +1660,6 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     assertThat(billingEvent.getCost()).isEqualTo(Money.of(USD, 204.44));
   }
 
-  @Test
-  void testSuccess_promotionDoesNotApplyToPremiumPrice() {
-    // Discounts only apply to premium domains if the token is explicitly configured to allow it.
-    createTld("example");
-    persistContactsAndHosts();
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(UNLIMITED_USE)
-            .setDiscountFraction(0.5)
-            .setTokenStatusTransitions(
-                ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
-                    .put(START_OF_TIME, TokenStatus.NOT_STARTED)
-                    .put(clock.nowUtc().plusMillis(1), TokenStatus.VALID)
-                    .put(clock.nowUtc().plusSeconds(1), TokenStatus.ENDED)
-                    .build())
-            .build());
-    clock.advanceOneMilli();
-    setEppInput(
-        "domain_create_premium_allocationtoken.xml",
-        ImmutableMap.of("YEARS", "2", "FEE", "193.50"));
-    assertAboutEppExceptions()
-        .that(assertThrows(AllocationTokenInvalidForPremiumNameException.class, this::runFlow))
-        .marshalsToXml();
-  }
-
   @Test
   void testSuccess_token_premiumDomainZeroPrice_noFeeExtension() throws Exception {
     createTld("example");
@@ -1774,30 +1704,6 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
         .marshalsToXml();
   }
 
-  @Test
-  void testSuccess_promoTokenNotValidForTld() {
-    persistContactsAndHosts();
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(UNLIMITED_USE)
-            .setAllowedTlds(ImmutableSet.of("example"))
-            .setDiscountFraction(0.5)
-            .setTokenStatusTransitions(
-                ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
-                    .put(START_OF_TIME, TokenStatus.NOT_STARTED)
-                    .put(clock.nowUtc().minusDays(1), TokenStatus.VALID)
-                    .put(clock.nowUtc().plusDays(1), TokenStatus.ENDED)
-                    .build())
-            .build());
-    setEppInput(
-        "domain_create_allocationtoken.xml",
-        ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2"));
-    assertAboutEppExceptions()
-        .that(assertThrows(AllocationTokenNotValidForTldException.class, this::runFlow))
-        .marshalsToXml();
-  }
-
   @Test
   void testSuccess_promoTokenNotValidForRegistrar() {
     persistContactsAndHosts();
@@ -3671,22 +3577,6 @@ class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow, Domain
     assertThrows(MissingClaimsNoticeException.class, this::runFlow);
   }
 
-  @Test
-  void testFailure_anchorTenant_mismatchedName_viaToken() throws Exception {
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(SINGLE_USE)
-            .setRegistrationBehavior(RegistrationBehavior.ANCHOR_TENANT)
-            .setDomainName("example.tld")
-            .build());
-    persistContactsAndHosts();
-    setEppInput(
-        "domain_create_allocationtoken.xml",
-        ImmutableMap.of("DOMAIN", "example-one.tld", "YEARS", "2"));
-    assertThrows(AllocationTokenNotValidForDomainException.class, this::runFlow);
-  }
-
   @Test
   void testSuccess_bulkToken_addsTokenToDomain() throws Exception {
     AllocationToken token =

core/src/test/java/google/registry/flows/domain/DomainPricingLogicTest.java

@@ -28,7 +28,6 @@ import static google.registry.testing.DatabaseHelper.persistPremiumList;
 import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
-import static org.joda.money.CurrencyUnit.JPY;
 import static org.joda.money.CurrencyUnit.USD;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
@@ -39,8 +38,6 @@ import google.registry.flows.EppException;
 import google.registry.flows.HttpSessionMetadata;
 import google.registry.flows.SessionMetadata;
 import google.registry.flows.custom.DomainPricingCustomLogic;
-import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForCurrencyException;
-import google.registry.flows.domain.DomainPricingLogic.AllocationTokenInvalidForPremiumNameException;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingBase.RenewalPriceBehavior;
 import google.registry.model.billing.BillingRecurrence;
@@ -214,32 +211,6 @@ public class DomainPricingLogicTest {
                 .build());
   }
 
-  @Test
-  void
-      testGetDomainCreatePrice_withDiscountPriceToken_domainCurrencyDoesNotMatchTokensCurrency_throwsException() {
-    AllocationToken allocationToken =
-        persistResource(
-            new AllocationToken.Builder()
-                .setToken("abc123")
-                .setTokenType(SINGLE_USE)
-                .setDiscountPrice(Money.of(JPY, new BigDecimal("250")))
-                .setDiscountPremiums(false)
-                .build());
-
-    // Domain's currency is not JPY (is USD).
-    assertThrows(
-        AllocationTokenInvalidForCurrencyException.class,
-        () ->
-            domainPricingLogic.getCreatePrice(
-                tld,
-                "default.example",
-                clock.nowUtc(),
-                3,
-                false,
-                false,
-                Optional.of(allocationToken)));
-  }
-
   @Test
   void testGetDomainRenewPrice_oneYear_standardDomain_noBilling_isStandardPrice()
       throws EppException {
@@ -335,77 +306,6 @@ public class DomainPricingLogicTest {
                 .build());
   }
 
-  @Test
-  void
-      testGetDomainRenewPrice_oneYear_premiumDomain_default_withTokenNotValidForPremiums_throwsException() {
-    AllocationToken allocationToken =
-        persistResource(
-            new AllocationToken.Builder()
-                .setToken("abc123")
-                .setTokenType(SINGLE_USE)
-                .setDiscountFraction(0.5)
-                .setDiscountPremiums(false)
-                .build());
-    assertThrows(
-        AllocationTokenInvalidForPremiumNameException.class,
-        () ->
-            domainPricingLogic.getRenewPrice(
-                tld,
-                "premium.example",
-                clock.nowUtc(),
-                1,
-                persistDomainAndSetRecurrence("premium.example", DEFAULT, Optional.empty()),
-                Optional.of(allocationToken)));
-  }
-
-  @Test
-  void
-      testGetDomainRenewPrice_oneYear_premiumDomain_default_withDiscountPriceToken_throwsException() {
-    AllocationToken allocationToken =
-        persistResource(
-            new AllocationToken.Builder()
-                .setToken("abc123")
-                .setTokenType(SINGLE_USE)
-                .setDiscountPrice(Money.of(USD, 5))
-                .setDiscountPremiums(false)
-                .build());
-    assertThrows(
-        AllocationTokenInvalidForPremiumNameException.class,
-        () ->
-            domainPricingLogic.getRenewPrice(
-                tld,
-                "premium.example",
-                clock.nowUtc(),
-                1,
-                persistDomainAndSetRecurrence("premium.example", DEFAULT, Optional.empty()),
-                Optional.of(allocationToken)));
-  }
-
-  @Test
-  void
-      testGetDomainRenewPrice_withDiscountPriceToken_domainCurrencyDoesNotMatchTokensCurrency_throwsException() {
-    AllocationToken allocationToken =
-        persistResource(
-            new AllocationToken.Builder()
-                .setToken("abc123")
-                .setTokenType(SINGLE_USE)
-                .setDiscountPrice(Money.of(JPY, new BigDecimal("250")))
-                .setDiscountPremiums(false)
-                .build());
-
-    // Domain's currency is not JPY (is USD).
-    assertThrows(
-        AllocationTokenInvalidForCurrencyException.class,
-        () ->
-            domainPricingLogic.getRenewPrice(
-                tld,
-                "default.example",
-                clock.nowUtc(),
-                1,
-                persistDomainAndSetRecurrence("default.example", DEFAULT, Optional.empty()),
-                Optional.of(allocationToken)));
-  }
-
   @Test
   void testGetDomainRenewPrice_multiYear_premiumDomain_default_isPremiumCost() throws EppException {
     assertThat(
@@ -450,30 +350,6 @@ public class DomainPricingLogicTest {
                 .build());
   }
 
-  @Test
-  void
-      testGetDomainRenewPrice_multiYear_premiumDomain_default_withTokenNotValidForPremiums_throwsException() {
-    AllocationToken allocationToken =
-        persistResource(
-            new AllocationToken.Builder()
-                .setToken("abc123")
-                .setTokenType(SINGLE_USE)
-                .setDiscountFraction(0.5)
-                .setDiscountPremiums(false)
-                .setDiscountYears(2)
-                .build());
-    assertThrows(
-        AllocationTokenInvalidForPremiumNameException.class,
-        () ->
-            domainPricingLogic.getRenewPrice(
-                tld,
-                "premium.example",
-                clock.nowUtc(),
-                5,
-                persistDomainAndSetRecurrence("premium.example", DEFAULT, Optional.empty()),
-                Optional.of(allocationToken)));
-  }
-
   @Test
   void testGetDomainRenewPrice_oneYear_standardDomain_default_isNonPremiumPrice()
       throws EppException {

core/src/test/java/google/registry/flows/domain/DomainRenewFlowTest.java

@@ -69,13 +69,12 @@ import google.registry.flows.domain.DomainFlowUtils.NotAuthorizedForTldException
 import google.registry.flows.domain.DomainFlowUtils.RegistrarMustBeActiveForThisOperationException;
 import google.registry.flows.domain.DomainFlowUtils.UnsupportedFeeAttributeException;
 import google.registry.flows.domain.DomainRenewFlow.IncorrectCurrentExpirationDateException;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.MissingRemoveBulkPricingTokenOnBulkPricingDomainException;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils.NonexistentAllocationTokenException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.RemoveBulkPricingTokenOnNonBulkPricingDomainException;
 import google.registry.flows.exceptions.ResourceStatusProhibitsOperationException;
 import google.registry.model.billing.BillingBase.Flag;
@@ -93,7 +92,7 @@ import google.registry.model.domain.token.AllocationToken.TokenStatus;
 import google.registry.model.eppcommon.StatusValue;
 import google.registry.model.poll.PollMessage;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
 import google.registry.model.reporting.HistoryEntry;
@@ -459,10 +458,14 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
     ImmutableMap<String, String> customFeeMap =
         updateSubstitutions(
             FEE_06_MAP,
-            "NAME", "costly-renew.tld",
-            "PERIOD", "1",
-            "EX_DATE", "2001-04-03T22:00:00.0Z",
-            "FEE", "111.00");
+            "NAME",
+            "costly-renew.tld",
+            "PERIOD",
+            "1",
+            "EX_DATE",
+            "2001-04-03T22:00:00.0Z",
+            "FEE",
+            "111.00");
     setEppInput("domain_renew_fee.xml", customFeeMap);
     persistDomain();
     doSuccessfulTest(
@@ -694,7 +697,7 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
         "domain_renew_allocationtoken.xml",
         ImmutableMap.of("DOMAIN", "example.tld", "YEARS", "2", "TOKEN", "abc123"));
     persistDomain();
-    EppException thrown = assertThrows(InvalidAllocationTokenException.class, this::runFlow);
+    EppException thrown = assertThrows(NonexistentAllocationTokenException.class, this::runFlow);
     assertAboutEppExceptions().that(thrown).marshalsToXml();
   }
 
@@ -711,9 +714,12 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
             .setDomainName("otherdomain.tld")
             .build());
     clock.advanceOneMilli();
-    EppException thrown =
-        assertThrows(AllocationTokenNotValidForDomainException.class, this::runFlow);
-    assertAboutEppExceptions().that(thrown).marshalsToXml();
+    assertAboutEppExceptions()
+        .that(
+            assertThrows(
+                AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException.class,
+                this::runFlow))
+        .marshalsToXml();
     assertAllocationTokenWasNotRedeemed("abc123");
   }
 
@@ -784,9 +790,10 @@ class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, Domain>
                     .put(clock.nowUtc().plusDays(1), TokenStatus.ENDED)
                     .build())
             .build());
-    assertAboutEppExceptions()
-        .that(assertThrows(AllocationTokenNotValidForTldException.class, this::runFlow))
-        .marshalsToXml();
+    runFlowAssertResponse(
+        loadFile(
+            "domain_renew_response.xml",
+            ImmutableMap.of("DOMAIN", "example.tld", "EXDATE", "2002-04-03T22:00:00.0Z")));
     assertAllocationTokenWasNotRedeemed("abc123");
   }
 

core/src/test/java/google/registry/flows/domain/DomainRestoreRequestFlowTest.java

@@ -69,7 +69,7 @@ import google.registry.model.domain.rgp.GracePeriodStatus;
 import google.registry.model.eppcommon.StatusValue;
 import google.registry.model.poll.PollMessage;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.DomainTransactionRecord.TransactionReportField;
 import google.registry.model.reporting.HistoryEntry;

core/src/test/java/google/registry/flows/domain/DomainTransferApproveFlowTest.java

@@ -52,12 +52,11 @@ import google.registry.flows.ResourceFlowUtils.BadAuthInfoForResourceException;
 import google.registry.flows.ResourceFlowUtils.ResourceDoesNotExistException;
 import google.registry.flows.ResourceFlowUtils.ResourceNotOwnedException;
 import google.registry.flows.domain.DomainFlowUtils.NotAuthorizedForTldException;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils.NonexistentAllocationTokenException;
 import google.registry.flows.exceptions.NotPendingTransferException;
 import google.registry.model.billing.BillingBase;
 import google.registry.model.billing.BillingBase.Reason;
@@ -897,7 +896,7 @@ class DomainTransferApproveFlowTest
   @Test
   void testFailure_invalidAllocationToken() throws Exception {
     setEppInput("domain_transfer_approve_allocation_token.xml");
-    EppException thrown = assertThrows(InvalidAllocationTokenException.class, this::runFlow);
+    EppException thrown = assertThrows(NonexistentAllocationTokenException.class, this::runFlow);
     assertAboutEppExceptions().that(thrown).marshalsToXml();
   }
 
@@ -910,9 +909,12 @@ class DomainTransferApproveFlowTest
             .setDomainName("otherdomain.tld")
             .build());
     setEppInput("domain_transfer_approve_allocation_token.xml");
-    EppException thrown =
-        assertThrows(AllocationTokenNotValidForDomainException.class, this::runFlow);
-    assertAboutEppExceptions().that(thrown).marshalsToXml();
+    assertAboutEppExceptions()
+        .that(
+            assertThrows(
+                AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException.class,
+                this::runFlow))
+        .marshalsToXml();
   }
 
   @Test
@@ -971,8 +973,7 @@ class DomainTransferApproveFlowTest
                     .build())
             .build());
     setEppInput("domain_transfer_approve_allocation_token.xml");
-    EppException thrown = assertThrows(AllocationTokenNotValidForTldException.class, this::runFlow);
-    assertAboutEppExceptions().that(thrown).marshalsToXml();
+    runFlowAssertResponse(loadFile("domain_transfer_approve_response.xml"));
   }
 
   @Test

core/src/test/java/google/registry/flows/domain/DomainTransferRequestFlowTest.java

@@ -79,11 +79,9 @@ import google.registry.flows.domain.DomainFlowUtils.PremiumNameBlockedException;
 import google.registry.flows.domain.DomainFlowUtils.RegistrarMustBeActiveForThisOperationException;
 import google.registry.flows.domain.DomainFlowUtils.UnsupportedFeeAttributeException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AlreadyRedeemedAllocationTokenException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils.NonexistentAllocationTokenException;
 import google.registry.flows.exceptions.AlreadyPendingTransferException;
 import google.registry.flows.exceptions.InvalidTransferPeriodValueException;
 import google.registry.flows.exceptions.MissingTransferRequestAuthInfoException;
@@ -114,7 +112,7 @@ import google.registry.model.eppcommon.Trid;
 import google.registry.model.poll.PendingActionNotificationResponse;
 import google.registry.model.poll.PollMessage;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.reporting.DomainTransactionRecord;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
@@ -505,7 +503,7 @@ class DomainTransferRequestFlowTest
         implicitTransferTime,
         transferCost,
         originalGracePeriods,
-        /* expectTransferBillingEvent = */ true,
+        /* expectTransferBillingEvent= */ true,
         extraExpectedBillingEvents);
 
     assertPollMessagesEmitted(expectedExpirationTime, implicitTransferTime);
@@ -1859,22 +1857,7 @@ class DomainTransferRequestFlowTest
   void testFailure_invalidAllocationToken() throws Exception {
     setupDomain("example", "tld");
     setEppInput("domain_transfer_request_allocation_token.xml", ImmutableMap.of("TOKEN", "abc123"));
-    EppException thrown = assertThrows(InvalidAllocationTokenException.class, this::runFlow);
-    assertAboutEppExceptions().that(thrown).marshalsToXml();
-  }
-
-  @Test
-  void testFailure_allocationTokenIsForDifferentName() throws Exception {
-    setupDomain("example", "tld");
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(SINGLE_USE)
-            .setDomainName("otherdomain.tld")
-            .build());
-    setEppInput("domain_transfer_request_allocation_token.xml", ImmutableMap.of("TOKEN", "abc123"));
-    EppException thrown =
-        assertThrows(AllocationTokenNotValidForDomainException.class, this::runFlow);
+    EppException thrown = assertThrows(NonexistentAllocationTokenException.class, this::runFlow);
     assertAboutEppExceptions().that(thrown).marshalsToXml();
   }
 
@@ -1920,27 +1903,6 @@ class DomainTransferRequestFlowTest
     assertAboutEppExceptions().that(thrown).marshalsToXml();
   }
 
-  @Test
-  void testFailure_allocationTokenNotValidForTld() throws Exception {
-    setupDomain("example", "tld");
-    persistResource(
-        new AllocationToken.Builder()
-            .setToken("abc123")
-            .setTokenType(UNLIMITED_USE)
-            .setAllowedTlds(ImmutableSet.of("example"))
-            .setDiscountFraction(0.5)
-            .setTokenStatusTransitions(
-                ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
-                    .put(START_OF_TIME, TokenStatus.NOT_STARTED)
-                    .put(clock.nowUtc().minusDays(1), TokenStatus.VALID)
-                    .put(clock.nowUtc().plusDays(1), TokenStatus.ENDED)
-                    .build())
-            .build());
-    setEppInput("domain_transfer_request_allocation_token.xml", ImmutableMap.of("TOKEN", "abc123"));
-    EppException thrown = assertThrows(AllocationTokenNotValidForTldException.class, this::runFlow);
-    assertAboutEppExceptions().that(thrown).marshalsToXml();
-  }
-
   @Test
   void testFailure_allocationTokenAlreadyRedeemed() throws Exception {
     setupDomain("example", "tld");

core/src/test/java/google/registry/flows/domain/token/AllocationTokenFlowUtilsTest.java

@@ -19,31 +19,25 @@ import static google.registry.model.domain.token.AllocationToken.TokenStatus.CAN
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.ENDED;
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.NOT_STARTED;
 import static google.registry.model.domain.token.AllocationToken.TokenStatus.VALID;
+import static google.registry.model.domain.token.AllocationToken.TokenType.DEFAULT_PROMO;
 import static google.registry.model.domain.token.AllocationToken.TokenType.SINGLE_USE;
 import static google.registry.model.domain.token.AllocationToken.TokenType.UNLIMITED_USE;
 import static google.registry.testing.DatabaseHelper.createTld;
-import static google.registry.testing.DatabaseHelper.persistActiveDomain;
 import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.testing.EppExceptionSubject.assertAboutEppExceptions;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
-import static org.joda.time.DateTimeZone.UTC;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedMap;
 import com.google.common.net.InternetDomainName;
 import google.registry.flows.EppException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotInPromotionException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForCommandException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForRegistrarException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.AllocationTokenNotValidForTldException;
-import google.registry.flows.domain.token.AllocationTokenFlowUtils.InvalidAllocationTokenException;
-import google.registry.model.domain.Domain;
-import google.registry.model.domain.DomainCommand;
+import google.registry.flows.domain.token.AllocationTokenFlowUtils.NonexistentAllocationTokenException;
 import google.registry.model.domain.fee.FeeQueryCommandExtensionItem.CommandName;
 import google.registry.model.domain.token.AllocationToken;
 import google.registry.model.domain.token.AllocationToken.TokenStatus;
@@ -52,7 +46,7 @@ import google.registry.model.reporting.HistoryEntry.HistoryEntryId;
 import google.registry.model.tld.Tld;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
-import google.registry.testing.DatabaseHelper;
+import google.registry.testing.FakeClock;
 import java.util.Optional;
 import org.joda.time.DateTime;
 import org.junit.jupiter.api.BeforeEach;
@@ -62,319 +56,322 @@ import org.junit.jupiter.api.extension.RegisterExtension;
 /** Unit tests for {@link AllocationTokenFlowUtils}. */
 class AllocationTokenFlowUtilsTest {
 
-  private final AllocationTokenFlowUtils flowUtils = new AllocationTokenFlowUtils();
+  private final FakeClock clock = new FakeClock(DateTime.parse("2025-01-10T01:00:00.000Z"));
 
   @RegisterExtension
   final JpaIntegrationTestExtension jpa =
-      new JpaTestExtensions.Builder().buildIntegrationTestExtension();
+      new JpaTestExtensions.Builder().withClock(clock).buildIntegrationTestExtension();
 
   private final AllocationTokenExtension allocationTokenExtension =
       mock(AllocationTokenExtension.class);
 
+  private Tld tld;
+
   @BeforeEach
   void beforeEach() {
-    createTld("tld");
+    tld = createTld("tld");
   }
 
   @Test
-  void test_validateToken_successfullyVerifiesValidTokenOnCreate() throws Exception {
+  void testSuccess_redeemsToken() {
+    HistoryEntryId historyEntryId = new HistoryEntryId("repoId", 10L);
+    assertThat(
+            AllocationTokenFlowUtils.redeemToken(singleUseTokenBuilder().build(), historyEntryId)
+                .getRedemptionHistoryId())
+        .hasValue(historyEntryId);
+  }
+
+  @Test
+  void testInvalidForPremiumName_validForPremium() {
+    AllocationToken token = singleUseTokenBuilder().setDiscountPremiums(true).build();
+    assertThat(AllocationTokenFlowUtils.discountTokenInvalidForPremiumName(token, true)).isFalse();
+  }
+
+  @Test
+  void testInvalidForPremiumName_notPremium() {
+    assertThat(
+            AllocationTokenFlowUtils.discountTokenInvalidForPremiumName(
+                singleUseTokenBuilder().build(), false))
+        .isFalse();
+  }
+
+  @Test
+  void testInvalidForPremiumName_invalidForPremium() {
+    assertThat(
+            AllocationTokenFlowUtils.discountTokenInvalidForPremiumName(
+                singleUseTokenBuilder().build(), true))
+        .isTrue();
+  }
+
+  @Test
+  void testSuccess_loadFromExtension() throws Exception {
     AllocationToken token =
         persistResource(
             new AllocationToken.Builder()
                 .setToken("tokeN")
-                .setAllowedEppActions(ImmutableSet.of(CommandName.CREATE, CommandName.RESTORE))
+                .setAllowedEppActions(ImmutableSet.of(CommandName.CREATE))
                 .setTokenType(SINGLE_USE)
                 .build());
     when(allocationTokenExtension.getAllocationToken()).thenReturn("tokeN");
     assertThat(
-            flowUtils
-                .verifyAllocationTokenCreateIfPresent(
-                    createCommand("blah.tld"),
-                    Tld.get("tld"),
-                    "TheRegistrar",
-                    DateTime.now(UTC),
-                    Optional.of(allocationTokenExtension))
-                .get())
-        .isEqualTo(token);
+            AllocationTokenFlowUtils.loadAllocationTokenFromExtension(
+                "TheRegistrar",
+                "example.tld",
+                clock.nowUtc(),
+                Optional.of(allocationTokenExtension)))
+        .hasValue(token);
   }
 
   @Test
-  void test_validateToken_successfullyVerifiesValidTokenExistingDomain() throws Exception {
+  void testSuccess_loadOrDefault_fromExtensionEvenWhenDefaultPresent() throws Exception {
+    persistDefaultToken();
     AllocationToken token =
         persistResource(
             new AllocationToken.Builder()
                 .setToken("tokeN")
-                .setAllowedEppActions(ImmutableSet.of(CommandName.CREATE, CommandName.RENEW))
+                .setAllowedEppActions(ImmutableSet.of(CommandName.CREATE))
                 .setTokenType(SINGLE_USE)
                 .build());
     when(allocationTokenExtension.getAllocationToken()).thenReturn("tokeN");
     assertThat(
-            flowUtils
-                .verifyAllocationTokenIfPresent(
-                    DatabaseHelper.newDomain("blah.tld"),
-                    Tld.get("tld"),
-                    "TheRegistrar",
-                    DateTime.now(UTC),
-                    CommandName.RENEW,
-                    Optional.of(allocationTokenExtension))
-                .get())
-        .isEqualTo(token);
+            AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
+                "TheRegistrar",
+                clock.nowUtc(),
+                Optional.of(allocationTokenExtension),
+                tld,
+                "example.tld",
+                CommandName.CREATE))
+        .hasValue(token);
   }
 
-  void test_validateToken_emptyAllowedEppActions_successfullyVerifiesValidTokenExistingDomain()
-      throws Exception {
-    AllocationToken token =
-        persistResource(
-            new AllocationToken.Builder().setToken("tokeN").setTokenType(SINGLE_USE).build());
-    when(allocationTokenExtension.getAllocationToken()).thenReturn("tokeN");
+  @Test
+  void testSuccess_loadOrDefault_defaultWhenNonePresent() throws Exception {
+    AllocationToken defaultToken = persistDefaultToken();
     assertThat(
-            flowUtils
-                .verifyAllocationTokenIfPresent(
-                    DatabaseHelper.newDomain("blah.tld"),
-                    Tld.get("tld"),
-                    "TheRegistrar",
-                    DateTime.now(UTC),
-                    CommandName.RENEW,
-                    Optional.of(allocationTokenExtension))
-                .get())
-        .isEqualTo(token);
+            AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
+                "TheRegistrar",
+                clock.nowUtc(),
+                Optional.empty(),
+                tld,
+                "example.tld",
+                CommandName.CREATE))
+        .hasValue(defaultToken);
   }
 
   @Test
-  void test_validateTokenCreate_failsOnNonexistentToken() {
-    assertValidateCreateThrowsEppException(InvalidAllocationTokenException.class);
-  }
-
-  @Test
-  void test_validateTokenExistingDomain_failsOnNonexistentToken() {
-    assertValidateExistingDomainThrowsEppException(InvalidAllocationTokenException.class);
-  }
-
-  @Test
-  void test_validateTokenCreate_failsOnNullToken() {
-    assertAboutEppExceptions()
-        .that(
-            assertThrows(
-                InvalidAllocationTokenException.class,
-                () ->
-                    flowUtils.verifyAllocationTokenCreateIfPresent(
-                        createCommand("blah.tld"),
-                        Tld.get("tld"),
-                        "TheRegistrar",
-                        DateTime.now(UTC),
-                        Optional.of(allocationTokenExtension))))
-        .marshalsToXml();
-  }
-
-  @Test
-  void test_validateTokenExistingDomain_failsOnNullToken() {
-    assertAboutEppExceptions()
-        .that(
-            assertThrows(
-                InvalidAllocationTokenException.class,
-                () ->
-                    flowUtils.verifyAllocationTokenIfPresent(
-                        DatabaseHelper.newDomain("blah.tld"),
-                        Tld.get("tld"),
-                        "TheRegistrar",
-                        DateTime.now(UTC),
-                        CommandName.RENEW,
-                        Optional.of(allocationTokenExtension))))
-        .marshalsToXml();
-  }
-
-  @Test
-  void test_validateTokenCreate_invalidForClientId() {
-    persistResource(
-        createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusDays(1))
-            .setAllowedRegistrarIds(ImmutableSet.of("NewRegistrar"))
-            .build());
-    assertValidateCreateThrowsEppException(AllocationTokenNotValidForRegistrarException.class);
-  }
-
-  @Test
-  void test_validateTokenExistingDomain_invalidForClientId() {
-    persistResource(
-        createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusDays(1))
-            .setAllowedRegistrarIds(ImmutableSet.of("NewRegistrar"))
-            .build());
-    assertValidateExistingDomainThrowsEppException(
-        AllocationTokenNotValidForRegistrarException.class);
-  }
-
-  @Test
-  void test_validateTokenCreate_invalidForTld() {
-    persistResource(
-        createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusDays(1))
-            .setAllowedTlds(ImmutableSet.of("nottld"))
-            .build());
-    assertValidateCreateThrowsEppException(AllocationTokenNotValidForTldException.class);
-  }
-
-  @Test
-  void test_validateTokenExistingDomain_invalidForTld() {
-    persistResource(
-        createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusDays(1))
-            .setAllowedTlds(ImmutableSet.of("nottld"))
-            .build());
-    assertValidateExistingDomainThrowsEppException(AllocationTokenNotValidForTldException.class);
-  }
-
-  @Test
-  void test_validateTokenCreate_beforePromoStart() {
-    persistResource(createOneMonthPromoTokenBuilder(DateTime.now(UTC).plusDays(1)).build());
-    assertValidateCreateThrowsEppException(AllocationTokenNotInPromotionException.class);
-  }
-
-  @Test
-  void test_validateTokenExistingDomain_beforePromoStart() {
-    persistResource(createOneMonthPromoTokenBuilder(DateTime.now(UTC).plusDays(1)).build());
-    assertValidateExistingDomainThrowsEppException(AllocationTokenNotInPromotionException.class);
-  }
-
-  @Test
-  void test_validateTokenCreate_afterPromoEnd() {
-    persistResource(createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusMonths(2)).build());
-    assertValidateCreateThrowsEppException(AllocationTokenNotInPromotionException.class);
-  }
-
-  @Test
-  void test_validateTokenExistingDomain_afterPromoEnd() {
-    persistResource(createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusMonths(2)).build());
-    assertValidateExistingDomainThrowsEppException(AllocationTokenNotInPromotionException.class);
-  }
-
-  @Test
-  void test_validateTokenCreate_promoCancelled() {
-    // the promo would be valid, but it was cancelled 12 hours ago
-    persistResource(
-        createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusDays(1))
-            .setTokenStatusTransitions(
-                ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
-                    .put(START_OF_TIME, NOT_STARTED)
-                    .put(DateTime.now(UTC).minusMonths(1), VALID)
-                    .put(DateTime.now(UTC).minusHours(12), CANCELLED)
-                    .build())
-            .build());
-    assertValidateCreateThrowsEppException(AllocationTokenNotInPromotionException.class);
-  }
-
-  @Test
-  void test_validateTokenExistingDomain_promoCancelled() {
-    // the promo would be valid, but it was cancelled 12 hours ago
-    persistResource(
-        createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusDays(1))
-            .setTokenStatusTransitions(
-                ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
-                    .put(START_OF_TIME, NOT_STARTED)
-                    .put(DateTime.now(UTC).minusMonths(1), VALID)
-                    .put(DateTime.now(UTC).minusHours(12), CANCELLED)
-                    .build())
-            .build());
-    assertValidateExistingDomainThrowsEppException(AllocationTokenNotInPromotionException.class);
-  }
-
-  @Test
-  void test_validateTokenCreate_invalidCommand() {
-    persistResource(
-        createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusDays(1))
-            .setAllowedEppActions(ImmutableSet.of(CommandName.RENEW))
-            .build());
-    assertValidateCreateThrowsEppException(AllocationTokenNotValidForCommandException.class);
-  }
-
-  @Test
-  void test_validateTokenExistingDomain_invalidCommand() {
-    persistResource(
-        createOneMonthPromoTokenBuilder(DateTime.now(UTC).minusDays(1))
-            .setAllowedEppActions(ImmutableSet.of(CommandName.CREATE))
-            .build());
-    assertValidateExistingDomainThrowsEppException(
-        AllocationTokenNotValidForCommandException.class);
-  }
-
-  @Test
-  void test_checkDomainsWithToken_successfullyVerifiesValidToken() {
-    persistResource(
-        new AllocationToken.Builder().setToken("tokeN").setTokenType(SINGLE_USE).build());
-    assertThat(
-            flowUtils
-                .checkDomainsWithToken(
-                    ImmutableList.of(
-                        InternetDomainName.from("blah.tld"), InternetDomainName.from("blah2.tld")),
-                    "tokeN",
-                    "TheRegistrar",
-                    DateTime.now(UTC))
-                .domainCheckResults())
-        .containsExactlyEntriesIn(
-            ImmutableMap.of(
-                InternetDomainName.from("blah.tld"), "", InternetDomainName.from("blah2.tld"), ""))
-        .inOrder();
-  }
-
-  @Test
-  void test_checkDomainsWithToken_showsFailureMessageForRedeemedToken() {
-    Domain domain = persistActiveDomain("example.tld");
-    HistoryEntryId historyEntryId = new HistoryEntryId(domain.getRepoId(), 1051L);
+  void testSuccess_loadOrDefault_defaultWhenTokenIsPresentButNotApplicable() throws Exception {
+    AllocationToken defaultToken = persistDefaultToken();
     persistResource(
         new AllocationToken.Builder()
             .setToken("tokeN")
+            .setAllowedEppActions(ImmutableSet.of(CommandName.CREATE))
             .setTokenType(SINGLE_USE)
-            .setRedemptionHistoryId(historyEntryId)
+            .setAllowedTlds(ImmutableSet.of("othertld"))
             .build());
+    when(allocationTokenExtension.getAllocationToken()).thenReturn("tokeN");
     assertThat(
-            flowUtils
-                .checkDomainsWithToken(
-                    ImmutableList.of(
-                        InternetDomainName.from("blah.tld"), InternetDomainName.from("blah2.tld")),
-                    "tokeN",
-                    "TheRegistrar",
-                    DateTime.now(UTC))
-                .domainCheckResults())
-        .containsExactlyEntriesIn(
-            ImmutableMap.of(
-                InternetDomainName.from("blah.tld"),
-                "Alloc token was already redeemed",
-                InternetDomainName.from("blah2.tld"),
-                "Alloc token was already redeemed"))
-        .inOrder();
+            AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
+                "TheRegistrar",
+                clock.nowUtc(),
+                Optional.of(allocationTokenExtension),
+                tld,
+                "example.tld",
+                CommandName.CREATE))
+        .hasValue(defaultToken);
   }
 
-  private void assertValidateCreateThrowsEppException(Class<? extends EppException> clazz) {
+  @Test
+  void testValidAgainstDomain_validAllReasons() {
+    AllocationToken token = singleUseTokenBuilder().setDiscountPremiums(true).build();
+    assertThat(
+            AllocationTokenFlowUtils.tokenIsValidAgainstDomain(
+                InternetDomainName.from("rich.tld"), token, CommandName.CREATE, clock.nowUtc()))
+        .isTrue();
+  }
+
+  @Test
+  void testValidAgainstDomain_invalidPremium() {
+    AllocationToken token = singleUseTokenBuilder().build();
+    assertThat(
+            AllocationTokenFlowUtils.tokenIsValidAgainstDomain(
+                InternetDomainName.from("rich.tld"), token, CommandName.CREATE, clock.nowUtc()))
+        .isFalse();
+  }
+
+  @Test
+  void testValidAgainstDomain_invalidAction() {
+    AllocationToken token =
+        singleUseTokenBuilder().setAllowedEppActions(ImmutableSet.of(CommandName.RESTORE)).build();
+    assertThat(
+            AllocationTokenFlowUtils.tokenIsValidAgainstDomain(
+                InternetDomainName.from("domain.tld"), token, CommandName.CREATE, clock.nowUtc()))
+        .isFalse();
+  }
+
+  @Test
+  void testValidAgainstDomain_invalidTld() {
+    createTld("othertld");
+    AllocationToken token = singleUseTokenBuilder().build();
+    assertThat(
+            AllocationTokenFlowUtils.tokenIsValidAgainstDomain(
+                InternetDomainName.from("domain.othertld"),
+                token,
+                CommandName.CREATE,
+                clock.nowUtc()))
+        .isFalse();
+  }
+
+  @Test
+  void testValidAgainstDomain_invalidDomain() {
+    AllocationToken token = singleUseTokenBuilder().setDomainName("anchor.tld").build();
+    assertThat(
+            AllocationTokenFlowUtils.tokenIsValidAgainstDomain(
+                InternetDomainName.from("domain.tld"), token, CommandName.CREATE, clock.nowUtc()))
+        .isFalse();
+  }
+
+  @Test
+  void testFailure_redeemToken_nonSingleUse() {
+    assertThrows(
+        IllegalArgumentException.class,
+        () ->
+            AllocationTokenFlowUtils.redeemToken(
+                createOneMonthPromoTokenBuilder(clock.nowUtc()).build(),
+                new HistoryEntryId("repoId", 10L)));
+  }
+
+  @Test
+  void testFailure_loadFromExtension_nonexistentToken() {
+    assertLoadTokenFromExtensionThrowsException(NonexistentAllocationTokenException.class);
+  }
+
+  @Test
+  void testFailure_loadFromExtension_nullToken() {
+    when(allocationTokenExtension.getAllocationToken()).thenReturn(null);
+    assertLoadTokenFromExtensionThrowsException(NonexistentAllocationTokenException.class);
+  }
+
+  @Test
+  void testFailure_tokenInvalidForRegistrar() {
+    persistResource(
+        createOneMonthPromoTokenBuilder(clock.nowUtc().minusDays(1))
+            .setAllowedRegistrarIds(ImmutableSet.of("NewRegistrar"))
+            .build());
+    assertLoadTokenFromExtensionThrowsException(AllocationTokenNotValidForRegistrarException.class);
+  }
+
+  @Test
+  void testFailure_beforePromoStart() {
+    persistResource(createOneMonthPromoTokenBuilder(clock.nowUtc().plusDays(1)).build());
+    assertLoadTokenFromExtensionThrowsException(AllocationTokenNotInPromotionException.class);
+  }
+
+  @Test
+  void testFailure_afterPromoEnd() {
+    persistResource(createOneMonthPromoTokenBuilder(clock.nowUtc().minusMonths(2)).build());
+    assertLoadTokenFromExtensionThrowsException(AllocationTokenNotInPromotionException.class);
+  }
+
+  @Test
+  void testFailure_promoCancelled() {
+    // the promo would be valid, but it was cancelled 12 hours ago
+    persistResource(
+        createOneMonthPromoTokenBuilder(clock.nowUtc().minusDays(1))
+            .setTokenStatusTransitions(
+                ImmutableSortedMap.<DateTime, TokenStatus>naturalOrder()
+                    .put(START_OF_TIME, NOT_STARTED)
+                    .put(clock.nowUtc().minusMonths(1), VALID)
+                    .put(clock.nowUtc().minusHours(12), CANCELLED)
+                    .build())
+            .build());
+    assertLoadTokenFromExtensionThrowsException(AllocationTokenNotInPromotionException.class);
+  }
+
+  @Test
+  void testFailure_loadOrDefault_badTokenProvided() throws Exception {
+    when(allocationTokenExtension.getAllocationToken()).thenReturn("asdf");
+    assertThrows(
+        NonexistentAllocationTokenException.class,
+        () ->
+            AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
+                "TheRegistrar",
+                clock.nowUtc(),
+                Optional.of(allocationTokenExtension),
+                tld,
+                "example.tld",
+                CommandName.CREATE));
+  }
+
+  @Test
+  void testFailure_loadOrDefault_noValidTokens() throws Exception {
+    assertThat(
+            AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
+                "TheRegistrar",
+                clock.nowUtc(),
+                Optional.empty(),
+                tld,
+                "example.tld",
+                CommandName.CREATE))
+        .isEmpty();
+  }
+
+  @Test
+  void testFailure_loadOrDefault_badDomainName() throws Exception {
+    // Tokens tied to a domain should throw a catastrophic exception if used for a different domain
+    persistResource(singleUseTokenBuilder().setDomainName("someotherdomain.tld").build());
+    when(allocationTokenExtension.getAllocationToken()).thenReturn("tokeN");
+    assertThrows(
+        AllocationTokenFlowUtils.AllocationTokenNotValidForDomainException.class,
+        () ->
+            AllocationTokenFlowUtils.loadTokenFromExtensionOrGetDefault(
+                "TheRegistrar",
+                clock.nowUtc(),
+                Optional.of(allocationTokenExtension),
+                tld,
+                "example.tld",
+                CommandName.CREATE));
+  }
+
+  private AllocationToken persistDefaultToken() {
+    AllocationToken defaultToken =
+        persistResource(
+            new AllocationToken.Builder()
+                .setToken("defaultToken")
+                .setDiscountFraction(0.1)
+                .setAllowedTlds(ImmutableSet.of("tld"))
+                .setAllowedRegistrarIds(ImmutableSet.of("TheRegistrar"))
+                .setTokenType(DEFAULT_PROMO)
+                .build());
+    tld =
+        persistResource(
+            tld.asBuilder()
+                .setDefaultPromoTokens(ImmutableList.of(defaultToken.createVKey()))
+                .build());
+    return defaultToken;
+  }
+
+  private void assertLoadTokenFromExtensionThrowsException(Class<? extends EppException> clazz) {
     assertAboutEppExceptions()
         .that(
             assertThrows(
                 clazz,
                 () ->
-                    flowUtils.verifyAllocationTokenCreateIfPresent(
-                        createCommand("blah.tld"),
-                        Tld.get("tld"),
+                    AllocationTokenFlowUtils.loadAllocationTokenFromExtension(
                         "TheRegistrar",
-                        DateTime.now(UTC),
+                        "example.tld",
+                        clock.nowUtc(),
                         Optional.of(allocationTokenExtension))))
         .marshalsToXml();
   }
 
-  private void assertValidateExistingDomainThrowsEppException(Class<? extends EppException> clazz) {
-    assertAboutEppExceptions()
-        .that(
-            assertThrows(
-                clazz,
-                () ->
-                    flowUtils.verifyAllocationTokenIfPresent(
-                        DatabaseHelper.newDomain("blah.tld"),
-                        Tld.get("tld"),
-                        "TheRegistrar",
-                        DateTime.now(UTC),
-                        CommandName.RENEW,
-                        Optional.of(allocationTokenExtension))))
-        .marshalsToXml();
-  }
-
-  private static DomainCommand.Create createCommand(String domainName) {
-    DomainCommand.Create command = mock(DomainCommand.Create.class);
-    when(command.getDomainName()).thenReturn(domainName);
-    return command;
+  private AllocationToken.Builder singleUseTokenBuilder() {
+    when(allocationTokenExtension.getAllocationToken()).thenReturn("tokeN");
+    return new AllocationToken.Builder()
+        .setTokenType(SINGLE_USE)
+        .setToken("tokeN")
+        .setAllowedTlds(ImmutableSet.of("tld"))
+        .setDiscountFraction(0.1)
+        .setAllowedRegistrarIds(ImmutableSet.of("TheRegistrar"));
   }
 
   private AllocationToken.Builder createOneMonthPromoTokenBuilder(DateTime promoStart) {

core/src/test/java/google/registry/flows/session/LoginFlowTestCase.java

@@ -36,7 +36,7 @@ import google.registry.flows.session.LoginFlow.TooManyFailedLoginsException;
 import google.registry.flows.session.LoginFlow.UnsupportedLanguageException;
 import google.registry.model.eppoutput.EppOutput;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.testing.DatabaseHelper;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;

core/src/test/java/google/registry/model/console/ConsoleEppActionHistoryTest.java

@@ -1,68 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static com.google.common.collect.Iterables.getOnlyElement;
-import static com.google.common.truth.Truth.assertThat;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-import static google.registry.testing.DatabaseHelper.createTld;
-import static google.registry.testing.DatabaseHelper.persistActiveContact;
-import static google.registry.testing.DatabaseHelper.persistDomainWithDependentResources;
-
-import google.registry.model.EntityTestCase;
-import google.registry.model.domain.DomainHistory;
-import google.registry.testing.DatabaseHelper;
-import google.registry.util.DateTimeUtils;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-/** Tests for {@link ConsoleEppActionHistory}. */
-public class ConsoleEppActionHistoryTest extends EntityTestCase {
-
-  ConsoleEppActionHistoryTest() {
-    super(JpaEntityCoverageCheck.ENABLED);
-  }
-
-  @BeforeEach
-  void beforeEach() {
-    createTld("tld");
-    persistDomainWithDependentResources(
-        "example",
-        "tld",
-        persistActiveContact("contact1234"),
-        fakeClock.nowUtc(),
-        fakeClock.nowUtc(),
-        DateTimeUtils.END_OF_TIME);
-  }
-
-  @Test
-  void testPersistence() {
-    User user = DatabaseHelper.createAdminUser("email@email.com");
-    DomainHistory domainHistory = getOnlyElement(DatabaseHelper.loadAllOf(DomainHistory.class));
-    ConsoleEppActionHistory history =
-        new ConsoleEppActionHistory.Builder()
-            .setType(ConsoleUpdateHistory.Type.DOMAIN_DELETE)
-            .setActingUser(user)
-            .setModificationTime(fakeClock.nowUtc())
-            .setMethod("POST")
-            .setUrl("https://some/url/for/creating/a/domain")
-            .setHistoryEntryClass(DomainHistory.class)
-            .setHistoryEntryId(domainHistory.getHistoryEntryId())
-            .build();
-    tm().transact(() -> tm().put(history));
-    assertThat(getOnlyElement(DatabaseHelper.loadAllOf(ConsoleEppActionHistory.class)))
-        .isEqualTo(history);
-  }
-}

core/src/test/java/google/registry/model/console/ConsoleUpdateHistoryTest.java

@@ -27,8 +27,8 @@ import google.registry.util.DateTimeUtils;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
-public class SimpleConsoleUpdateHistoryTest extends EntityTestCase {
-  SimpleConsoleUpdateHistoryTest() {
+public class ConsoleUpdateHistoryTest extends EntityTestCase {
+  ConsoleUpdateHistoryTest() {
     super(JpaEntityCoverageCheck.ENABLED);
   }
 
@@ -47,8 +47,8 @@ public class SimpleConsoleUpdateHistoryTest extends EntityTestCase {
   @Test
   void testPersistence() {
     User user = persistResource(DatabaseHelper.createAdminUser("email@email.com"));
-    SimpleConsoleUpdateHistory history =
-        new SimpleConsoleUpdateHistory.Builder()
+    ConsoleUpdateHistory history =
+        new ConsoleUpdateHistory.Builder()
             .setType(ConsoleUpdateHistory.Type.DOMAIN_SUSPEND)
             .setActingUser(user)
             .setMethod("POST")

core/src/test/java/google/registry/model/console/RegistrarPocUpdateHistoryTest.java

@@ -1,61 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static com.google.common.truth.Truth.assertThat;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-
-import com.google.common.collect.Iterables;
-import google.registry.model.EntityTestCase;
-import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPoc.RegistrarPocId;
-import google.registry.persistence.VKey;
-import google.registry.testing.DatabaseHelper;
-import org.junit.jupiter.api.Test;
-
-/** Tests for {@link RegistrarPocUpdateHistory}. */
-public class RegistrarPocUpdateHistoryTest extends EntityTestCase {
-
-  RegistrarPocUpdateHistoryTest() {
-    super(JpaEntityCoverageCheck.ENABLED);
-  }
-
-  @Test
-  void testPersistence() {
-    User user = DatabaseHelper.createAdminUser("email@email.com");
-    RegistrarPoc registrarPoc =
-        DatabaseHelper.loadByKey(
-            VKey.create(
-                RegistrarPoc.class,
-                new RegistrarPocId("johndoe@theregistrar.com", "TheRegistrar")));
-    RegistrarPocUpdateHistory history =
-        new RegistrarPocUpdateHistory.Builder()
-            .setRegistrarPoc(registrarPoc)
-            .setActingUser(user)
-            .setModificationTime(fakeClock.nowUtc())
-            .setType(ConsoleUpdateHistory.Type.USER_UPDATE)
-            .setMethod("POST")
-            .setUrl("someUrl")
-            .build();
-    tm().transact(() -> tm().put(history));
-
-    // Change the POC and make sure the history stays the same
-    tm().transact(() -> tm().put(registrarPoc.asBuilder().setName("Some Othername").build()));
-
-    RegistrarPocUpdateHistory fromDb =
-        Iterables.getOnlyElement(DatabaseHelper.loadAllOf(RegistrarPocUpdateHistory.class));
-    assertThat(fromDb.getRegistrarPoc().getName()).isEqualTo("John Doe");
-  }
-}

core/src/test/java/google/registry/model/console/RegistrarUpdateHistoryTest.java

@@ -1,55 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static com.google.common.truth.Truth.assertThat;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-
-import com.google.common.collect.Iterables;
-import google.registry.model.EntityTestCase;
-import google.registry.model.registrar.Registrar;
-import google.registry.testing.DatabaseHelper;
-import org.junit.jupiter.api.Test;
-
-/** Tests for {@link RegistrarUpdateHistory}. */
-public class RegistrarUpdateHistoryTest extends EntityTestCase {
-
-  RegistrarUpdateHistoryTest() {
-    super(JpaEntityCoverageCheck.ENABLED);
-  }
-
-  @Test
-  void testPersistence() {
-    User user = DatabaseHelper.createAdminUser("email@email.com");
-    Registrar theRegistrar = DatabaseHelper.loadRegistrar("TheRegistrar");
-    RegistrarUpdateHistory history =
-        new RegistrarUpdateHistory.Builder()
-            .setRegistrar(theRegistrar)
-            .setActingUser(user)
-            .setModificationTime(fakeClock.nowUtc())
-            .setType(ConsoleUpdateHistory.Type.USER_UPDATE)
-            .setMethod("POST")
-            .setUrl("someUrl")
-            .build();
-    tm().transact(() -> tm().put(history));
-
-    // Change the registrar and make sure the history stays the same
-    tm().transact(() -> tm().put(theRegistrar.asBuilder().setUrl("https://other.url").build()));
-
-    RegistrarUpdateHistory fromDb =
-        Iterables.getOnlyElement(DatabaseHelper.loadAllOf(RegistrarUpdateHistory.class));
-    assertThat(fromDb.getRegistrar().getUrl()).isEqualTo("http://my.fake.url");
-  }
-}

core/src/test/java/google/registry/model/console/UserUpdateHistoryTest.java

@@ -1,65 +0,0 @@
-// Copyright 2024 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.console;
-
-import static com.google.common.truth.Truth.assertThat;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-import static google.registry.testing.DatabaseHelper.loadAllOf;
-
-import com.google.common.collect.Iterables;
-import google.registry.model.EntityTestCase;
-import google.registry.testing.DatabaseHelper;
-import org.junit.jupiter.api.Test;
-
-/** Tests for {@link UserUpdateHistory}. */
-public class UserUpdateHistoryTest extends EntityTestCase {
-
-  UserUpdateHistoryTest() {
-    super(JpaEntityCoverageCheck.ENABLED);
-  }
-
-  @Test
-  void testPersistence() {
-    User user = DatabaseHelper.createAdminUser("email@email.com");
-    User otherUser = DatabaseHelper.createAdminUser("otherEmail@email.com");
-    UserUpdateHistory history =
-        new UserUpdateHistory.Builder()
-            .setUser(otherUser)
-            .setActingUser(user)
-            .setModificationTime(fakeClock.nowUtc())
-            .setType(ConsoleUpdateHistory.Type.USER_UPDATE)
-            .setMethod("POST")
-            .setUrl("someUrl")
-            .build();
-    tm().transact(() -> tm().put(history));
-
-    // Change the acted-upon user and make sure that nothing changed in the history DB
-    tm().transact(
-            () ->
-                tm().put(
-                        otherUser
-                            .asBuilder()
-                            .setUserRoles(
-                                otherUser
-                                    .getUserRoles()
-                                    .asBuilder()
-                                    .setGlobalRole(GlobalRole.SUPPORT_LEAD)
-                                    .build())
-                            .build()));
-
-    UserUpdateHistory fromDb = Iterables.getOnlyElement(loadAllOf(UserUpdateHistory.class));
-    assertThat(fromDb.getUser().getUserRoles().getGlobalRole()).isEqualTo(GlobalRole.FTE);
-  }
-}

core/src/test/java/google/registry/model/registrar/RegistrarTest.java

@@ -39,8 +39,8 @@ import com.google.common.collect.ImmutableSortedMap;
 import com.google.common.collect.ImmutableSortedSet;
 import google.registry.config.RegistryConfig;
 import google.registry.model.EntityTestCase;
-import google.registry.model.registrar.RegistrarBase.State;
-import google.registry.model.registrar.RegistrarBase.Type;
+import google.registry.model.registrar.Registrar.State;
+import google.registry.model.registrar.Registrar.Type;
 import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldType;
 import google.registry.model.tld.Tlds;
@@ -129,7 +129,7 @@ class RegistrarTest extends EntityTestCase {
             .setVisibleInWhoisAsTech(false)
             .setPhoneNumber("+1.2125551213")
             .setFaxNumber("+1.2125551213")
-            .setTypes(ImmutableSet.of(RegistrarPocBase.Type.ABUSE, RegistrarPocBase.Type.ADMIN))
+            .setTypes(ImmutableSet.of(RegistrarPoc.Type.ABUSE, RegistrarPoc.Type.ADMIN))
             .build();
     persistSimpleResources(
         ImmutableList.of(
@@ -140,8 +140,7 @@ class RegistrarTest extends EntityTestCase {
                 .setEmailAddress("johndoe@example.com")
                 .setPhoneNumber("+1.2125551213")
                 .setFaxNumber("+1.2125551213")
-                .setTypes(
-                    ImmutableSet.of(RegistrarPocBase.Type.LEGAL, RegistrarPocBase.Type.MARKETING))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.LEGAL, RegistrarPoc.Type.MARKETING))
                 .build()));
   }
 
@@ -327,7 +326,7 @@ class RegistrarTest extends EntityTestCase {
                 .setVisibleInWhoisAsTech(true)
                 .setPhoneNumber("+1.2125551213")
                 .setFaxNumber("+1.2125551213")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH))
                 .build());
     RegistrarPoc newTechAbuseContact =
         persistSimpleResource(
@@ -339,13 +338,13 @@ class RegistrarTest extends EntityTestCase {
                 .setVisibleInWhoisAsTech(true)
                 .setPhoneNumber("+1.2125551213")
                 .setFaxNumber("+1.2125551213")
-                .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH, RegistrarPocBase.Type.ABUSE))
+                .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH, RegistrarPoc.Type.ABUSE))
                 .build());
     ImmutableSortedSet<RegistrarPoc> techContacts =
-        registrar.getContactsOfType(RegistrarPocBase.Type.TECH);
+        registrar.getContactsOfType(RegistrarPoc.Type.TECH);
     assertThat(techContacts).containsExactly(newTechContact, newTechAbuseContact).inOrder();
     ImmutableSortedSet<RegistrarPoc> abuseContacts =
-        registrar.getContactsOfType(RegistrarPocBase.Type.ABUSE);
+        registrar.getContactsOfType(RegistrarPoc.Type.ABUSE);
     assertThat(abuseContacts).containsExactly(newTechAbuseContact, abuseAdminContact).inOrder();
   }
 
@@ -497,6 +496,28 @@ class RegistrarTest extends EntityTestCase {
         .isEqualTo(fakeClock.nowUtc());
   }
 
+  @Test
+  void testSuccess_setLastPocVerificationDate() {
+    assertThat(
+            registrar
+                .asBuilder()
+                .setLastPocVerificationDate(fakeClock.nowUtc())
+                .build()
+                .getLastPocVerificationDate())
+        .isEqualTo(fakeClock.nowUtc());
+  }
+
+  @Test
+  void testFailure_setLastPocVerificationDate_nullDate() {
+    IllegalArgumentException thrown =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> new Registrar.Builder().setLastPocVerificationDate(null).build());
+    assertThat(thrown)
+        .hasMessageThat()
+        .isEqualTo("Registrar lastPocVerificationDate cannot be null");
+  }
+
   @Test
   void testFailure_setLastExpiringFailoverCertNotificationSentDate_nullDate() {
     IllegalArgumentException thrown =

core/src/test/java/google/registry/module/frontend/FrontendTestComponent.java

@@ -0,0 +1,60 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.frontend;
+
+import dagger.Component;
+import google.registry.config.CloudTasksUtilsModule;
+import google.registry.config.CredentialModule;
+import google.registry.config.RegistryConfig;
+import google.registry.flows.ServerTridProviderModule;
+import google.registry.flows.custom.CustomLogicFactoryModule;
+import google.registry.groups.GmailModule;
+import google.registry.groups.GroupsModule;
+import google.registry.groups.GroupssettingsModule;
+import google.registry.keyring.KeyringModule;
+import google.registry.keyring.api.KeyModule;
+import google.registry.monitoring.whitebox.StackdriverModule;
+import google.registry.privileges.secretmanager.SecretManagerModule;
+import google.registry.request.Modules;
+import google.registry.request.auth.AuthModule;
+import google.registry.ui.ConsoleDebug;
+import google.registry.util.UtilsModule;
+import jakarta.inject.Singleton;
+
+@Singleton
+@Component(
+    modules = {
+      AuthModule.class,
+      CloudTasksUtilsModule.class,
+      RegistryConfig.ConfigModule.class,
+      ConsoleDebug.ConsoleConfigModule.class,
+      CredentialModule.class,
+      CustomLogicFactoryModule.class,
+      CloudTasksUtilsModule.class,
+      FrontendRequestComponent.FrontendRequestComponentModule.class,
+      GmailModule.class,
+      GroupsModule.class,
+      GroupssettingsModule.class,
+      MockDirectoryModule.class,
+      Modules.GsonModule.class,
+      KeyModule.class,
+      KeyringModule.class,
+      Modules.NetHttpTransportModule.class,
+      SecretManagerModule.class,
+      ServerTridProviderModule.class,
+      StackdriverModule.class,
+      UtilsModule.class
+    })
+interface FrontendTestComponent extends FrontendComponent {}

core/src/test/java/google/registry/module/frontend/FrontendTestServlet.java

@@ -0,0 +1,30 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.frontend;
+
+import com.google.monitoring.metrics.MetricReporter;
+import dagger.Lazy;
+import google.registry.module.ServletBase;
+
+public class FrontendTestServlet extends ServletBase {
+
+  private static final FrontendTestComponent component = DaggerFrontendTestComponent.create();
+  private static final FrontendRequestHandler requestHandler = component.requestHandler();
+  private static final Lazy<MetricReporter> metricReporter = component.metricReporter();
+
+  public FrontendTestServlet() {
+    super(requestHandler, metricReporter);
+  }
+}

core/src/test/java/google/registry/module/frontend/MockDirectoryModule.java

@@ -0,0 +1,45 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.module.frontend;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.google.api.services.directory.Directory;
+import com.google.api.services.directory.model.User;
+import dagger.Module;
+import dagger.Provides;
+import java.io.IOException;
+
+@Module
+public class MockDirectoryModule {
+  @Provides
+  static Directory provideDirectory() {
+    Directory directory = mock(Directory.class);
+    Directory.Users users = mock(Directory.Users.class);
+    Directory.Users.Insert insert = mock(Directory.Users.Insert.class);
+    Directory.Users.Delete delete = mock(Directory.Users.Delete.class);
+    when(directory.users()).thenReturn(users);
+    try {
+      when(users.insert(any(User.class))).thenReturn(insert);
+      when(users.delete(anyString())).thenReturn(delete);
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+    return directory;
+  }
+}

core/src/test/java/google/registry/persistence/converter/StringValueEnumeratedTest.java

@@ -19,7 +19,7 @@ import static google.registry.persistence.transaction.TransactionManagerFactory.
 import static google.registry.testing.DatabaseHelper.insertInDb;
 
 import google.registry.model.ImmutableObject;
-import google.registry.model.registrar.RegistrarBase.State;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaUnitTestExtension;
 import jakarta.persistence.Entity;

core/src/test/java/google/registry/persistence/transaction/JpaTransactionManagerExtension.java

@@ -30,10 +30,9 @@ import com.google.common.collect.Maps;
 import com.google.common.collect.Streams;
 import com.google.common.io.Resources;
 import google.registry.model.registrar.Registrar;
+import google.registry.model.registrar.Registrar.State;
 import google.registry.model.registrar.RegistrarAddress;
-import google.registry.model.registrar.RegistrarBase.State;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.persistence.HibernateSchemaExporter;
 import google.registry.persistence.NomulusPostgreSql;
 import google.registry.persistence.PersistenceModule;
@@ -410,7 +409,7 @@ public abstract class JpaTransactionManagerExtension
         .setVisibleInWhoisAsTech(false)
         .setEmailAddress("janedoe@theregistrar.com")
         .setPhoneNumber("+1.1234567890")
-        .setTypes(ImmutableSet.of(RegistrarPocBase.Type.ADMIN))
+        .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN))
         .build();
   }
 
@@ -424,7 +423,7 @@ public abstract class JpaTransactionManagerExtension
         .setName("John Doe")
         .setEmailAddress("johndoe@theregistrar.com")
         .setPhoneNumber("+1.1234567890")
-        .setTypes(ImmutableSet.of(RegistrarPocBase.Type.ADMIN))
+        .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN))
         .build();
   }
 
@@ -435,7 +434,7 @@ public abstract class JpaTransactionManagerExtension
         .setEmailAddress("Marla.Singer@crr.com")
         .setRegistryLockEmailAddress("Marla.Singer.RegistryLock@crr.com")
         .setPhoneNumber("+1.2128675309")
-        .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH))
+        .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH))
         .setAllowedToSetRegistryLockPassword(true)
         .setRegistryLockPassword("hi")
         .build();

core/src/test/java/google/registry/rdap/RdapJsonFormatterTest.java

@@ -39,7 +39,6 @@ import google.registry.model.eppcommon.StatusValue;
 import google.registry.model.host.Host;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
-import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.transfer.DomainTransferData;
 import google.registry.model.transfer.TransferStatus;
@@ -261,7 +260,7 @@ class RdapJsonFormatterTest {
             .setEmailAddress("babydoe@example.com")
             .setPhoneNumber("+1.2125551217")
             .setFaxNumber("+1.2125551218")
-            .setTypes(ImmutableSet.of(RegistrarPocBase.Type.ADMIN))
+            .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN))
             .setVisibleInWhoisAsAdmin(false)
             .setVisibleInWhoisAsTech(false)
             .build(),
@@ -270,7 +269,7 @@ class RdapJsonFormatterTest {
             .setName("John Doe")
             .setEmailAddress("johndoe@example.com")
             .setFaxNumber("+1.2125551213")
-            .setTypes(ImmutableSet.of(RegistrarPocBase.Type.ADMIN))
+            .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN))
             .setVisibleInWhoisAsAdmin(false)
             .setVisibleInWhoisAsTech(true)
             .build(),
@@ -279,7 +278,7 @@ class RdapJsonFormatterTest {
             .setName("Jane Doe")
             .setEmailAddress("janedoe@example.com")
             .setPhoneNumber("+1.2125551215")
-            .setTypes(ImmutableSet.of(RegistrarPocBase.Type.TECH, RegistrarPocBase.Type.ADMIN))
+            .setTypes(ImmutableSet.of(RegistrarPoc.Type.TECH, RegistrarPoc.Type.ADMIN))
             .setVisibleInWhoisAsAdmin(true)
             .setVisibleInWhoisAsTech(false)
             .build(),
@@ -289,7 +288,7 @@ class RdapJsonFormatterTest {
             .setEmailAddress("playdoe@example.com")
             .setPhoneNumber("+1.2125551217")
             .setFaxNumber("+1.2125551218")
-            .setTypes(ImmutableSet.of(RegistrarPocBase.Type.BILLING))
+            .setTypes(ImmutableSet.of(RegistrarPoc.Type.BILLING))
             .setVisibleInWhoisAsAdmin(true)
             .setVisibleInWhoisAsTech(true)
             .build());