Add cache for User entities in OIDC auth flow (#2822)

* Add cache for User entities in OIDC auth flow

* refactor: Address review feedback

- Refactor database call into a single, reusable method
- Increase the default cache size to 200
- Remove .recordStats() and using spy for testing
- Split unit tests into separate implementation test that use Mockito spies instead of checking internal cache stats

common/gradle.lockfile

@@ -3,7 +3,7 @@
 # This file is expected to be part of source control.
 aopalliance:aopalliance:1.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.github.ben-manes.caffeine:caffeine:3.0.5=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.github.ben-manes.caffeine:caffeine:3.2.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.github.ben-manes.caffeine:caffeine:3.2.2=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.auto.value:auto-value-annotations:1.11.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
@@ -12,13 +12,13 @@ com.google.auto:auto-common:1.2.1=annotationProcessor,errorprone,testAnnotationP
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,deploy_jar,errorprone,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath,testing,testingAnnotationProcessor,testingCompileClasspath
 com.google.errorprone:error_prone_annotation:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.errorprone:error_prone_annotations:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.36.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.errorprone:error_prone_annotations:2.40.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 com.google.errorprone:error_prone_annotations:2.7.1=checkstyle
 com.google.errorprone:error_prone_check_api:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.errorprone:error_prone_core:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.errorprone:error_prone_type_annotations:2.23.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.errorprone:javac:9+181-r4173-1=errorproneJavac
-com.google.flogger:flogger:0.8=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+com.google.flogger:flogger:0.9=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 com.google.guava:failureaccess:1.0.1=annotationProcessor,checkstyle,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 com.google.guava:failureaccess:1.0.2=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 com.google.guava:guava-parent:32.1.1-jre=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
@@ -37,15 +37,14 @@ commons-collections:commons-collections:3.2.2=checkstyle
 info.picocli:picocli:4.6.2=checkstyle
 io.github.eisop:dataflow-errorprone:3.34.0-eisop1=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 io.github.java-diff-utils:java-diff-utils:4.12=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-io.github.java-diff-utils:java-diff-utils:4.15=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+io.github.java-diff-utils:java-diff-utils:4.16=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 jakarta.inject:jakarta.inject-api:2.0.1=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 javax.inject:javax.inject:1=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
-joda-time:joda-time:2.13.1=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+joda-time:joda-time:2.14.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 net.sf.saxon:Saxon-HE:10.6=checkstyle
 org.antlr:antlr4-runtime:4.9.3=checkstyle
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
-org.checkerframework:checker-compat-qual:2.5.3=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 org.checkerframework:checker-qual:3.12.0=checkstyle
 org.checkerframework:checker-qual:3.33.0=annotationProcessor,errorprone,testAnnotationProcessor,testingAnnotationProcessor
 org.checkerframework:checker-qual:3.42.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
@@ -56,12 +55,12 @@ org.jacoco:org.jacoco.core:0.8.12=jacocoAnt
 org.jacoco:org.jacoco.report:0.8.12=jacocoAnt
 org.javassist:javassist:3.28.0-GA=checkstyle
 org.jspecify:jspecify:1.0.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-org.junit.jupiter:junit-jupiter-api:5.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-launcher:1.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.12.1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-launcher:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.13.4=testCompileClasspath,testRuntimeClasspath
 org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-commons:9.7=jacocoAnt
 org.ow2.asm:asm-tree:9.7=jacocoAnt

common/src/testing/java/google/registry/testing/truth/TextDiffSubject.java

@@ -92,17 +92,19 @@ public class TextDiffSubject extends Subject {
 
   private ImmutableList<String> filterComments(List<String> lines) {
     return lines.stream()
+        .filter(line -> !line.isBlank())
         .filter(line -> comments.stream().noneMatch(line::startsWith))
         .collect(ImmutableList.toImmutableList());
   }
 
   public void hasSameContentAs(List<String> expectedContent) {
     checkNotNull(expectedContent, "expectedContent");
-    ImmutableList<String> expected = filterComments(expectedContent);
-    if (filterComments(expected).equals(filterComments(actual))) {
+    ImmutableList<String> filteredExpected = filterComments(expectedContent);
+    ImmutableList<String> filteredActual = filterComments(actual);
+    if (filteredExpected.equals(filteredActual)) {
       return;
     }
-    String diffString = diffFormat.generateDiff(expected, actual);
+    String diffString = diffFormat.generateDiff(filteredExpected, filteredActual);
     failWithoutActual(
         Fact.simpleFact(
             Joiner.on('\n')

console-webapp/src/app/app-routing.module.ts

@@ -26,6 +26,7 @@ import SecurityComponent from './settings/security/security.component';
 import { SettingsComponent } from './settings/settings.component';
 import { SupportComponent } from './support/support.component';
 import RdapComponent from './settings/rdap/rdap.component';
+import { PasswordResetVerifyComponent } from './shared/components/passwordReset/passwordResetVerify.component';
 
 export interface RouteWithIcon extends Route {
   iconName?: string;
@@ -38,6 +39,10 @@ export const PATHS = {
 };
 export const routes: RouteWithIcon[] = [
   { path: '', redirectTo: '/home', pathMatch: 'full' },
+  {
+    path: PasswordResetVerifyComponent.PATH,
+    component: PasswordResetVerifyComponent,
+  },
   {
     path: RegistryLockVerifyComponent.PATH,
     component: RegistryLockVerifyComponent,

console-webapp/src/app/app.module.ts

@@ -61,6 +61,8 @@ import { ForceFocusDirective } from './shared/directives/forceFocus.directive';
 import RdapComponent from './settings/rdap/rdap.component';
 import RdapEditComponent from './settings/rdap/rdapEdit.component';
 import { PocReminderComponent } from './shared/components/pocReminder/pocReminder.component';
+import { PasswordResetVerifyComponent } from './shared/components/passwordReset/passwordResetVerify.component';
+import { PasswordInputForm } from './shared/components/passwordReset/passwordInputForm.component';
 
 @NgModule({
   declarations: [SelectedRegistrarWrapper],
@@ -84,10 +86,12 @@ export class SelectedRegistrarModule {}
     NavigationComponent,
     NewRegistrarComponent,
     NotificationsComponent,
+    PasswordInputForm,
+    PasswordResetVerifyComponent,
+    PocReminderComponent,
     RdapComponent,
     RdapEditComponent,
     ReasonDialogComponent,
-    PocReminderComponent,
     RegistrarComponent,
     RegistrarDetailsComponent,
     RegistrarSelectorComponent,

console-webapp/src/app/registrar/registrarSelector.component.ts

@@ -25,7 +25,10 @@ export class RegistrarSelectorComponent {
   registrarInput = signal<string>(this.registrarService.registrarId());
   filteredOptions?: string[];
   allRegistrarIds = computed(() =>
-    this.registrarService.registrars().map((r) => r.registrarId)
+    this.registrarService
+      .registrars()
+      .map((r) => r.registrarId)
+      .sort()
   );
 
   constructor(protected registrarService: RegistrarService) {

console-webapp/src/app/settings/contact/contact.service.ts

@@ -24,7 +24,7 @@ export type contactType =
   | 'LEGAL'
   | 'MARKETING'
   | 'TECH'
-  | 'RDAP';
+  | 'WHOIS';
 
 type contactTypesToUserFriendlyTypes = { [type in contactType]: string };
 
@@ -35,7 +35,7 @@ export const contactTypeToTextMap: contactTypesToUserFriendlyTypes = {
   LEGAL: 'Legal contact',
   MARKETING: 'Marketing contact',
   TECH: 'Technical contact',
-  RDAP: 'RDAP-Inquiry contact',
+  WHOIS: 'RDAP-Inquiry contact',
 };
 
 type UserFriendlyType = (typeof contactTypeToTextMap)[contactType];
@@ -59,7 +59,10 @@ export interface ViewReadyContact extends Contact {
 export function contactTypeToViewReadyContact(c: Contact): ViewReadyContact {
   return {
     ...c,
-    userFriendlyTypes: c.types?.map((cType) => contactTypeToTextMap[cType]),
+    userFriendlyTypes: (c.types || []).map(
+      (cType) => contactTypeToTextMap[cType]
+    ),
+    types: c.types || [],
   };
 }
 
@@ -98,19 +101,21 @@ export class ContactService {
     );
   }
 
-  saveContacts(contacts: ViewReadyContact[]): Observable<Contact[]> {
+  updateContact(contact: ViewReadyContact) {
     return this.backend
-      .postContacts(this.registrarService.registrarId(), contacts)
+      .updateContact(this.registrarService.registrarId(), contact)
       .pipe(switchMap((_) => this.fetchContacts()));
   }
 
   addContact(contact: ViewReadyContact) {
-    const newContacts = this.contacts().concat([contact]);
-    return this.saveContacts(newContacts);
+    return this.backend
+      .createContact(this.registrarService.registrarId(), contact)
+      .pipe(switchMap((_) => this.fetchContacts()));
   }
 
   deleteContact(contact: ViewReadyContact) {
-    const newContacts = this.contacts().filter((c) => c !== contact);
-    return this.saveContacts(newContacts);
+    return this.backend
+      .deleteContact(this.registrarService.registrarId(), contact)
+      .pipe(switchMap((_) => this.fetchContacts()));
   }
 }

console-webapp/src/app/settings/contact/contactDetails.component.ts

@@ -69,9 +69,13 @@ export class ContactDetailsComponent {
 
   save(e: SubmitEvent) {
     e.preventDefault();
+    if ((this.contactService.contactInEdit.types || []).length === 0) {
+      this._snackBar.open('Required to select contact type');
+      return;
+    }
     const request = this.contactService.isContactNewView
       ? this.contactService.addContact(this.contactService.contactInEdit)
-      : this.contactService.saveContacts(this.contactService.contacts());
+      : this.contactService.updateContact(this.contactService.contactInEdit);
     request.subscribe({
       complete: () => {
         this.goBack();

console-webapp/src/app/settings/security/eppPasswordEdit.component.html

@@ -16,65 +16,22 @@
   <p class="secondary-text">
     Passwords must be between 6 and 16 alphanumeric characters
   </p>
-  <form
-    (ngSubmit)="save()"
+  <password-input-form-component
+    [displayOldPasswordField]="true"
     [formGroup]="passwordUpdateForm"
-    class="settings-security__edit-password-form"
-  >
-    <div class="settings-security__edit-password-field">
-      <mat-form-field appearance="outline">
-        <mat-label>Old password: </mat-label>
-        <input
-          matInput
-          type="text"
-          formControlName="oldPassword"
-          required
-          autocomplete="current-password"
-        />
-        <mat-error *ngIf="hasError('oldPassword') as errorText">{{
-          errorText
-        }}</mat-error>
-      </mat-form-field>
-    </div>
-    <div class="settings-security__edit-password-field">
-      <mat-form-field appearance="outline">
-        <mat-label>New password: </mat-label>
-        <input
-          matInput
-          type="text"
-          formControlName="newPassword"
-          required
-          autocomplete="new-password"
-        />
-        <mat-error *ngIf="hasError('newPassword') as errorText">{{
-          errorText
-        }}</mat-error>
-      </mat-form-field>
-    </div>
-    <div class="settings-security__edit-password-field">
-      <mat-form-field appearance="outline">
-        <mat-label>Confirm new password: </mat-label>
-        <input
-          matInput
-          type="text"
-          formControlName="newPasswordRepeat"
-          required
-          autocomplete="new-password"
-        />
-        <mat-error *ngIf="hasError('newPasswordRepeat') as errorText">{{
-          errorText
-        }}</mat-error>
-      </mat-form-field>
-    </div>
+    (submitResults)="save($event)"
+  />
+  @if(userDataService.userData()?.isAdmin) {
+  <div class="settings-security__reset-password-field">
+    <h2>Need to reset your EPP password?</h2>
     <button
       mat-flat-button
       color="primary"
-      [disabled]="!passwordUpdateForm.valid"
-      aria-label="Save epp password update"
-      type="submit"
-      class="settings-security__edit-password-save"
+      aria-label="Reset EPP password via email"
+      (click)="requestEppPasswordReset()"
     >
-      Save
+      Reset EPP password via email
     </button>
-  </form>
+  </div>
+  }
 </div>

console-webapp/src/app/settings/security/eppPasswordEdit.component.scss

@@ -1,16 +1,19 @@
-.settings-security__edit-password {
-  max-width: 616px;
-  &-field {
-    width: 100%;
-    mat-form-field {
-      margin-bottom: 20px;
-      width: 100%;
-    }
-  }
-  &-form {
-    margin-top: 30px;
-  }
-  &-save {
-    margin-top: 30px;
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+.settings-security {
+  &__reset-password-field {
+    margin-top: 60px;
   }
 }

console-webapp/src/app/settings/security/eppPasswordEdit.component.ts

@@ -14,20 +14,46 @@
 
 import { HttpErrorResponse } from '@angular/common/http';
 import { Component } from '@angular/core';
-import {
-  AbstractControl,
-  FormControl,
-  FormGroup,
-  ValidatorFn,
-  Validators,
-} from '@angular/forms';
+import { FormControl, FormGroup, Validators } from '@angular/forms';
 import { MatSnackBar } from '@angular/material/snack-bar';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
 import { SecurityService } from './security.service';
+import { UserDataService } from 'src/app/shared/services/userData.service';
+import { MatDialog, MatDialogRef } from '@angular/material/dialog';
+import { CommonModule } from '@angular/common';
+import { MaterialModule } from 'src/app/material.module';
+import { filter, switchMap, take } from 'rxjs';
+import { BackendService } from 'src/app/shared/services/backend.service';
+import {
+  PasswordInputForm,
+  PasswordResults,
+} from 'src/app/shared/components/passwordReset/passwordInputForm.component';
 
-type errorCode = 'required' | 'maxlength' | 'minlength' | 'passwordsDontMatch';
+@Component({
+  selector: 'app-reset-epp-password-dialog',
+  template: `
+    <h2 mat-dialog-title>Please confirm the password reset:</h2>
+    <mat-dialog-content>
+      This will send an EPP password reset email to the admin POC.
+    </mat-dialog-content>
+    <mat-dialog-actions>
+      <button mat-button (click)="onCancel()">Cancel</button>
+      <button mat-button color="warn" (click)="onSave()">Confirm</button>
+    </mat-dialog-actions>
+  `,
+  imports: [CommonModule, MaterialModule],
+})
+export class ResetEppPasswordComponent {
+  constructor(public dialogRef: MatDialogRef<ResetEppPasswordComponent>) {}
 
-type errorFriendlyText = { [type in errorCode]: String };
+  onSave(): void {
+    this.dialogRef.close(true);
+  }
+
+  onCancel(): void {
+    this.dialogRef.close(false);
+  }
+}
 
 @Component({
   selector: 'app-epp-password-edit',
@@ -36,76 +62,38 @@ type errorFriendlyText = { [type in errorCode]: String };
   standalone: false,
 })
 export default class EppPasswordEditComponent {
-  MIN_MAX_LENGHT = new String(
-    'Passwords must be between 6 and 16 alphanumeric characters'
-  );
-
-  errorTextMap: errorFriendlyText = {
-    required: "This field can't be empty",
-    maxlength: this.MIN_MAX_LENGHT,
-    minlength: this.MIN_MAX_LENGHT,
-    passwordsDontMatch: "Passwords don't match",
-  };
-
-  constructor(
-    public securityService: SecurityService,
-    private _snackBar: MatSnackBar,
-    public registrarService: RegistrarService
-  ) {}
-
-  hasError(controlName: string) {
-    const maybeErrors = this.passwordUpdateForm.get(controlName)?.errors;
-    const maybeError =
-      maybeErrors && (Object.keys(maybeErrors)[0] as errorCode);
-    if (maybeError) {
-      return this.errorTextMap[maybeError];
-    }
-    return '';
-  }
-
-  newPasswordsMatch: ValidatorFn = (control: AbstractControl) => {
-    if (
-      this.passwordUpdateForm?.get('newPassword')?.value ===
-      this.passwordUpdateForm?.get('newPasswordRepeat')?.value
-    ) {
-      this.passwordUpdateForm?.get('newPasswordRepeat')?.setErrors(null);
-    } else {
-      // latest angular just won't detect the error without setTimeout
-      setTimeout(() => {
-        this.passwordUpdateForm
-          ?.get('newPasswordRepeat')
-          ?.setErrors({ passwordsDontMatch: control.value });
-      });
-    }
-    return null;
-  };
+  static EPP_VALIDATORS = [
+    Validators.required,
+    Validators.minLength(6),
+    Validators.maxLength(16),
+    PasswordInputForm.newPasswordsMatch,
+  ];
 
   passwordUpdateForm = new FormGroup({
     oldPassword: new FormControl('', [Validators.required]),
-    newPassword: new FormControl('', [
-      Validators.required,
-      Validators.minLength(6),
-      Validators.maxLength(16),
-      this.newPasswordsMatch,
-    ]),
-    newPasswordRepeat: new FormControl('', [
-      Validators.required,
-      Validators.minLength(6),
-      Validators.maxLength(16),
-      this.newPasswordsMatch,
-    ]),
+    newPassword: new FormControl('', EppPasswordEditComponent.EPP_VALIDATORS),
+    newPasswordRepeat: new FormControl(
+      '',
+      EppPasswordEditComponent.EPP_VALIDATORS
+    ),
   });
 
-  save() {
-    const { oldPassword, newPassword, newPasswordRepeat } =
-      this.passwordUpdateForm.value;
-    if (!oldPassword || !newPassword || !newPasswordRepeat) return;
+  constructor(
+    public registrarService: RegistrarService,
+    public securityService: SecurityService,
+    protected userDataService: UserDataService,
+    private backendService: BackendService,
+    private resetPasswordDialog: MatDialog,
+    private _snackBar: MatSnackBar
+  ) {}
+
+  save(passwordResults: PasswordResults) {
     this.securityService
       .saveEppPassword({
         registrarId: this.registrarService.registrarId(),
-        oldPassword,
-        newPassword,
-        newPasswordRepeat,
+        oldPassword: passwordResults.oldPassword!,
+        newPassword: passwordResults.newPassword,
+        newPasswordRepeat: passwordResults.newPasswordRepeat,
       })
       .subscribe({
         complete: () => {
@@ -120,4 +108,26 @@ export default class EppPasswordEditComponent {
   goBack() {
     this.securityService.isEditingPassword = false;
   }
+
+  sendEppPasswordResetRequest() {
+    return this.backendService.requestEppPasswordReset(
+      this.registrarService.registrarId()
+    );
+  }
+
+  requestEppPasswordReset() {
+    const dialogRef = this.resetPasswordDialog.open(ResetEppPasswordComponent);
+    dialogRef
+      .afterClosed()
+      .pipe(
+        take(1),
+        filter((result) => !!result)
+      )
+      .pipe(switchMap((_) => this.sendEppPasswordResetRequest()))
+      .subscribe({
+        next: (_) => this.goBack(),
+        error: (err: HttpErrorResponse) =>
+          this._snackBar.open(err.error || err.message),
+      });
+  }
 }

console-webapp/src/app/shared/components/passwordReset/passwordInputForm.component.html

@@ -0,0 +1,63 @@
+<form
+  (ngSubmit)="save()"
+  [formGroup]="formGroup()!"
+  class="console-app__password-input-form"
+>
+  @if (displayOldPasswordField()) {
+  <div class="console-app__password-input-form-field">
+    <mat-form-field appearance="outline">
+      <mat-label>Old password: </mat-label>
+      <input
+        matInput
+        type="text"
+        formControlName="oldPassword"
+        required
+        autocomplete="current-password"
+      />
+      <mat-error *ngIf="hasError('oldPassword') as errorText">{{
+        errorText
+      }}</mat-error>
+    </mat-form-field>
+  </div>
+  }
+  <div class="console-app__password-input-form-field">
+    <mat-form-field appearance="outline">
+      <mat-label>New password: </mat-label>
+      <input
+        matInput
+        type="text"
+        formControlName="newPassword"
+        required
+        autocomplete="new-password"
+      />
+      <mat-error *ngIf="hasError('newPassword') as errorText">{{
+        errorText
+      }}</mat-error>
+    </mat-form-field>
+  </div>
+  <div class="console-app__password-input-form-field">
+    <mat-form-field appearance="outline">
+      <mat-label>Confirm new password: </mat-label>
+      <input
+        matInput
+        type="text"
+        formControlName="newPasswordRepeat"
+        required
+        autocomplete="new-password"
+      />
+      <mat-error *ngIf="hasError('newPasswordRepeat') as errorText">{{
+        errorText
+      }}</mat-error>
+    </mat-form-field>
+  </div>
+  <button
+    mat-flat-button
+    color="primary"
+    [disabled]="!formGroup()?.valid"
+    aria-label="Save new password"
+    type="submit"
+    class="console-app__password-input-form-save"
+  >
+    Save
+  </button>
+</form>

console-webapp/src/app/shared/components/passwordReset/passwordInputForm.component.scss

@@ -0,0 +1,30 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+.console-app__password-input-form {
+  max-width: 450px;
+  &-field {
+    width: 100%;
+    mat-form-field {
+      margin-bottom: 20px;
+      width: 100%;
+    }
+  }
+  &-form {
+    margin-top: 30px;
+  }
+  &-save {
+    margin-top: 30px;
+  }
+}

console-webapp/src/app/shared/components/passwordReset/passwordInputForm.component.ts

@@ -0,0 +1,82 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component, EventEmitter, input, Output } from '@angular/core';
+import { AbstractControl, FormGroup, ValidatorFn } from '@angular/forms';
+
+type errorCode = 'required' | 'maxlength' | 'minlength' | 'passwordsDontMatch';
+
+type errorFriendlyText = { [type in errorCode]: String };
+
+export interface PasswordResults {
+  oldPassword: string | null;
+  newPassword: string;
+  newPasswordRepeat: string;
+}
+
+@Component({
+  selector: 'password-input-form-component',
+  templateUrl: './passwordInputForm.component.html',
+  styleUrls: ['./passwordInputForm.component.scss'],
+  standalone: false,
+})
+export class PasswordInputForm {
+  static newPasswordsMatch: ValidatorFn = (control: AbstractControl) => {
+    const parent = control.parent;
+    if (
+      parent?.get('newPassword')?.value ===
+      parent?.get('newPasswordRepeat')?.value
+    ) {
+      parent?.get('newPasswordRepeat')?.setErrors(null);
+    } else {
+      // latest angular just won't detect the error without setTimeout
+      setTimeout(() => {
+        parent
+          ?.get('newPasswordRepeat')
+          ?.setErrors({ passwordsDontMatch: control.value });
+      });
+    }
+    return null;
+  };
+
+  MIN_MAX_LENGTH = 'Passwords must be between 6 and 16 alphanumeric characters';
+
+  errorTextMap: errorFriendlyText = {
+    required: "This field can't be empty",
+    maxlength: this.MIN_MAX_LENGTH,
+    minlength: this.MIN_MAX_LENGTH,
+    passwordsDontMatch: "Passwords don't match",
+  };
+
+  displayOldPasswordField = input<boolean>(false);
+  formGroup = input<FormGroup>();
+  @Output() submitResults = new EventEmitter<PasswordResults>();
+
+  hasError(controlName: string) {
+    const maybeErrors = this.formGroup()!.get(controlName)?.errors;
+    const maybeError =
+      maybeErrors && (Object.keys(maybeErrors)[0] as errorCode);
+    if (maybeError) {
+      return this.errorTextMap[maybeError];
+    }
+    return '';
+  }
+
+  save() {
+    const results: PasswordResults = this.formGroup()!.value;
+    if (this.displayOldPasswordField() && !results.oldPassword) return;
+    if (!results.newPassword || !results.newPasswordRepeat) return;
+    this.submitResults.emit(results);
+  }
+}

console-webapp/src/app/shared/components/passwordReset/passwordResetVerify.component.html

@@ -0,0 +1,27 @@
+<p>
+  <button mat-icon-button aria-label="Go home" [routerLink]="['']">
+    <mat-icon>arrow_back</mat-icon>
+  </button>
+</p>
+@if (isLoading) {
+<div class="console-app__password-reset-verify-spinner">
+  <mat-spinner />
+</div>
+} @else if (errorMessage) {
+<h1 class="mat-headline-4">Failure</h1>
+<div class="console-app__password-reset-content">
+  <div class="console-app__password-reset-subhead">
+    An error occurred: {{ errorMessage }}.<br /><br />Please double-check the
+    verification code and try again.
+  </div>
+</div>
+} @else {
+<div class="console-app__password-reset-verify">
+  <h1 class="mat-headline-4">{{ type }} password reset</h1>
+  <password-input-form-component
+    [displayOldPasswordField]="false"
+    [formGroup]="passwordUpdateForm!"
+    (submitResults)="save($event)"
+  />
+</div>
+}

console-webapp/src/app/shared/components/passwordReset/passwordResetVerify.component.ts

@@ -0,0 +1,105 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { ActivatedRoute, ParamMap, Router } from '@angular/router';
+import { HttpErrorResponse } from '@angular/common/http';
+import { take } from 'rxjs';
+import { RegistrarService } from 'src/app/registrar/registrar.service';
+import { BackendService } from '../../services/backend.service';
+import { FormControl, FormGroup, Validators } from '@angular/forms';
+import {
+  PasswordInputForm,
+  PasswordResults,
+} from './passwordInputForm.component';
+import EppPasswordEditComponent from 'src/app/settings/security/eppPasswordEdit.component';
+
+export interface PasswordResetVerifyResponse {
+  registrarId: string;
+  type: string;
+}
+
+@Component({
+  selector: 'app-password-reset-verify',
+  templateUrl: './passwordResetVerify.component.html',
+  standalone: false,
+})
+export class PasswordResetVerifyComponent {
+  public static PATH = 'password-reset-verify';
+
+  REGISTRY_LOCK_PASSWORD_VALIDATORS = [
+    Validators.required,
+    PasswordInputForm.newPasswordsMatch,
+  ];
+
+  isLoading = true;
+  type?: string;
+  errorMessage?: string;
+  requestVerificationCode = '';
+
+  passwordUpdateForm: FormGroup<any> | null = null;
+
+  constructor(
+    protected backendService: BackendService,
+    protected registrarService: RegistrarService,
+    private route: ActivatedRoute,
+    private router: Router
+  ) {}
+
+  ngOnInit() {
+    this.route.queryParamMap.pipe(take(1)).subscribe((params: ParamMap) => {
+      this.requestVerificationCode =
+        params.get('resetRequestVerificationCode') || '';
+      this.backendService
+        .getPasswordResetInformation(this.requestVerificationCode)
+        .subscribe({
+          error: (err: HttpErrorResponse) => {
+            this.isLoading = false;
+            this.errorMessage = err.error;
+          },
+          next: this.presentData.bind(this),
+        });
+    });
+  }
+
+  presentData(verificationResponse: PasswordResetVerifyResponse) {
+    this.type = verificationResponse.type === 'EPP' ? 'EPP' : 'Registry lock';
+    this.registrarService.registrarId.set(verificationResponse.registrarId);
+    const validators =
+      verificationResponse.type === 'EPP'
+        ? EppPasswordEditComponent.EPP_VALIDATORS
+        : this.REGISTRY_LOCK_PASSWORD_VALIDATORS;
+
+    this.passwordUpdateForm = new FormGroup({
+      newPassword: new FormControl('', validators),
+      newPasswordRepeat: new FormControl('', validators),
+    });
+    this.isLoading = false;
+  }
+
+  save(passwordResults: PasswordResults) {
+    this.backendService
+      .finalizePasswordReset(
+        this.requestVerificationCode,
+        passwordResults.newPassword
+      )
+      .subscribe({
+        error: (err: HttpErrorResponse) => {
+          this.isLoading = false;
+          this.errorMessage = err.error;
+        },
+        next: (_) => this.router.navigate(['']),
+      });
+  }
+}

console-webapp/src/app/shared/services/backend.service.ts

@@ -30,6 +30,7 @@ import {
 import { Contact } from '../../settings/contact/contact.service';
 import { EppPasswordBackendModel } from '../../settings/security/security.service';
 import { UserData } from './userData.service';
+import { PasswordResetVerifyResponse } from '../components/passwordReset/passwordResetVerify.component';
 
 @Injectable()
 export class BackendService {
@@ -70,13 +71,26 @@ export class BackendService {
       .pipe(catchError((err) => this.errorCatcher<Contact[]>(err)));
   }
 
-  postContacts(
-    registrarId: string,
-    contacts: Contact[]
-  ): Observable<Contact[]> {
-    return this.http.post<Contact[]>(
+  updateContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.put<Contact>(
       `/console-api/settings/contacts?registrarId=${registrarId}`,
-      contacts
+      contact
+    );
+  }
+
+  createContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.post<Contact>(
+      `/console-api/settings/contacts?registrarId=${registrarId}`,
+      contact
+    );
+  }
+
+  deleteContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.delete<Contact>(
+      `/console-api/settings/contacts?registrarId=${registrarId}`,
+      {
+        body: JSON.stringify(contact),
+      }
     );
   }
 
@@ -267,4 +281,37 @@ export class BackendService {
       `/console-api/registry-lock-verify?lockVerificationCode=${lockVerificationCode}`
     );
   }
+
+  requestRegistryLockPasswordReset(
+    registrarId: string,
+    registryLockEmail: string
+  ) {
+    return this.http.post('/console-api/password-reset-request', {
+      type: 'REGISTRY_LOCK',
+      registrarId,
+      registryLockEmail,
+    });
+  }
+
+  requestEppPasswordReset(registrarId: string) {
+    return this.http.post('/console-api/password-reset-request', {
+      type: 'EPP',
+      registrarId,
+    });
+  }
+
+  getPasswordResetInformation(
+    verificationCode: string
+  ): Observable<PasswordResetVerifyResponse> {
+    return this.http.get<PasswordResetVerifyResponse>(
+      `/console-api/password-reset-verify?resetRequestVerificationCode=${verificationCode}`
+    );
+  }
+
+  finalizePasswordReset(verificationCode: string, newPassword: string) {
+    return this.http.post(
+      `/console-api/password-reset-verify?resetRequestVerificationCode=${verificationCode}`,
+      newPassword
+    );
+  }
 }

console-webapp/src/app/users/userDetails.component.html

@@ -80,7 +80,15 @@
             roleToDescription(userDetails().role)
           }}</span>
         </mat-list-item>
-        @if (userDetails().password) {
+        @if (userDetails().registryLockEmailAddress) {
+        <mat-divider></mat-divider>
+        <mat-list-item role="listitem">
+          <span class="console-app__list-key">Registry Lock email</span>
+          <span class="console-app__list-value">{{
+            userDetails().registryLockEmailAddress
+          }}</span>
+        </mat-list-item>
+        } @if (userDetails().password) {
         <mat-divider></mat-divider>
         <mat-list-item role="listitem">
           <span class="console-app__list-key">Password</span>

console-webapp/src/app/users/userDetails.component.scss

@@ -35,5 +35,8 @@
       border: 1px solid #ddd;
       border-radius: 10px;
     }
+    .console-app__list-key {
+      width: 160px;
+    }
   }
 }

console-webapp/src/app/users/userEditForm.component.html

@@ -1,45 +1,57 @@
-<form (ngSubmit)="saveEdit($event)" #form>
-  <p *ngIf="isNew()">
-    <mat-form-field appearance="outline">
-      <mat-label
-        >User name prefix:
-        <mat-icon
-          matTooltip="Prefix will be combined with registrar ID to create a unique user name - {prefix}.{registrarId}@registry.google"
-          >help_outline</mat-icon
-        ></mat-label
-      >
-      <input
-        matInput
-        minlength="3"
-        maxlength="3"
-        [required]="true"
-        [(ngModel)]="user().emailAddress"
-        [ngModelOptions]="{ standalone: true }"
-      />
-    </mat-form-field>
-  </p>
-  <p>
-    <mat-form-field appearance="outline">
-      <mat-label
-        >User Role:
-        <mat-icon
-          matTooltip="Viewer role doesn't allow making updates; Editor role allows updates, like Contacts delete or SSL certificate change"
-          >help_outline</mat-icon
-        ></mat-label
-      >
-      <mat-select [(ngModel)]="user().role" name="userRole">
-        <mat-option value="PRIMARY_CONTACT">Editor</mat-option>
-        <mat-option value="ACCOUNT_MANAGER">Viewer</mat-option>
-      </mat-select>
-    </mat-form-field>
-  </p>
+<div class="console-app__user-edit">
+  <form (ngSubmit)="saveEdit($event)" #form>
+    <p *ngIf="isNew()">
+      <mat-form-field appearance="outline">
+        <mat-label
+          >User name prefix:
+          <mat-icon
+            matTooltip="Prefix will be combined with registrar ID to create a unique user name - {prefix}.{registrarId}@registry.google"
+            >help_outline</mat-icon
+          ></mat-label
+        >
+        <input
+          matInput
+          minlength="3"
+          maxlength="3"
+          [required]="true"
+          [(ngModel)]="user().emailAddress"
+          [ngModelOptions]="{ standalone: true }"
+        />
+      </mat-form-field>
+    </p>
+    <p>
+      <mat-form-field appearance="outline">
+        <mat-label
+          >User Role:
+          <mat-icon
+            matTooltip="Viewer role doesn't allow making updates; Editor role allows updates, like Contacts delete or SSL certificate change"
+            >help_outline</mat-icon
+          ></mat-label
+        >
+        <mat-select [(ngModel)]="user().role" name="userRole">
+          <mat-option value="PRIMARY_CONTACT">Editor</mat-option>
+          <mat-option value="ACCOUNT_MANAGER">Viewer</mat-option>
+        </mat-select>
+      </mat-form-field>
+    </p>
+    <button
+      mat-flat-button
+      color="primary"
+      aria-label="Save user"
+      type="submit"
+      aria-label="Save changes to the user"
+    >
+      Save
+    </button>
+  </form>
+  @if(userDataService.userData()?.isAdmin) {
   <button
     mat-flat-button
     color="primary"
-    aria-label="Save user"
-    type="submit"
-    aria-label="Save changes to the user"
+    aria-label="Reset registry lock password"
+    (click)="requestRegistryLockPasswordReset()"
   >
-    Save
+    Reset registry lock password
   </button>
-</form>
+  }
+</div>

console-webapp/src/app/users/userEditForm.component.scss

@@ -0,0 +1,20 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+.console-app__user-edit {
+  button {
+    display: block;
+    margin-bottom: 5px;
+  }
+}

console-webapp/src/app/users/userEditForm.component.ts

@@ -17,13 +17,56 @@ import {
   Component,
   ElementRef,
   EventEmitter,
+  Inject,
   input,
   Output,
   ViewChild,
 } from '@angular/core';
 import { MaterialModule } from '../material.module';
 import { FormsModule } from '@angular/forms';
-import { User } from './users.service';
+import { User, UsersService } from './users.service';
+import { UserDataService } from '../shared/services/userData.service';
+import { BackendService } from '../shared/services/backend.service';
+import { RegistrarService } from '../registrar/registrar.service';
+import {
+  MAT_DIALOG_DATA,
+  MatDialog,
+  MatDialogRef,
+} from '@angular/material/dialog';
+import { filter, switchMap, take } from 'rxjs';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { HttpErrorResponse } from '@angular/common/http';
+
+@Component({
+  selector: 'app-reset-lock-password-dialog',
+  template: `
+    <h2 mat-dialog-title>Please confirm the password reset:</h2>
+    <mat-dialog-content>
+      This will send a registry lock password reset email to
+      {{ data.registryLockEmailAddress }}.
+    </mat-dialog-content>
+    <mat-dialog-actions>
+      <button mat-button (click)="onCancel()">Cancel</button>
+      <button mat-button color="warn" (click)="onSave()">Confirm</button>
+    </mat-dialog-actions>
+  `,
+  imports: [CommonModule, MaterialModule],
+})
+export class ResetRegistryLockPasswordComponent {
+  constructor(
+    public dialogRef: MatDialogRef<ResetRegistryLockPasswordComponent>,
+    @Inject(MAT_DIALOG_DATA)
+    public data: { registryLockEmailAddress: string }
+  ) {}
+
+  onSave(): void {
+    this.dialogRef.close(true);
+  }
+
+  onCancel(): void {
+    this.dialogRef.close(false);
+  }
+}
 
 @Component({
   selector: 'app-user-edit-form',
@@ -39,12 +82,22 @@ export class UserEditFormComponent {
     {
       emailAddress: '',
       role: 'ACCOUNT_MANAGER',
+      registryLockEmailAddress: '',
     },
     { transform: (user: User) => structuredClone(user) }
   );
 
   @Output() onEditComplete = new EventEmitter<User>();
 
+  constructor(
+    protected userDataService: UserDataService,
+    private backendService: BackendService,
+    private resetRegistryLockPasswordDialog: MatDialog,
+    private registrarService: RegistrarService,
+    private usersService: UsersService,
+    private _snackBar: MatSnackBar
+  ) {}
+
   saveEdit(e: SubmitEvent) {
     e.preventDefault();
     if (this.form.nativeElement.checkValidity()) {
@@ -53,4 +106,34 @@ export class UserEditFormComponent {
       this.form.nativeElement.reportValidity();
     }
   }
+
+  sendRegistryLockPasswordResetRequest() {
+    return this.backendService.requestRegistryLockPasswordReset(
+      this.registrarService.registrarId(),
+      this.user().registryLockEmailAddress!
+    );
+  }
+
+  requestRegistryLockPasswordReset() {
+    const dialogRef = this.resetRegistryLockPasswordDialog.open(
+      ResetRegistryLockPasswordComponent,
+      {
+        data: {
+          registryLockEmailAddress: this.user().registryLockEmailAddress,
+        },
+      }
+    );
+    dialogRef
+      .afterClosed()
+      .pipe(
+        take(1),
+        filter((result) => !!result)
+      )
+      .pipe(switchMap((_) => this.sendRegistryLockPasswordResetRequest()))
+      .subscribe({
+        next: (_) => this.usersService.currentlyOpenUserEmail.set(''),
+        error: (err: HttpErrorResponse) =>
+          this._snackBar.open(err.error || err.message),
+      });
+  }
 }

console-webapp/src/app/users/users.component.ts

@@ -22,7 +22,6 @@ import { RegistrarService } from '../registrar/registrar.service';
 import { SnackBarModule } from '../snackbar.module';
 import { UserDetailsComponent } from './userDetails.component';
 import { User, UsersService } from './users.service';
-import { UserDataService } from '../shared/services/userData.service';
 import { FormsModule } from '@angular/forms';
 import { UsersListComponent } from './usersList.component';
 import { MatSelectChange } from '@angular/material/select';
@@ -55,7 +54,6 @@ export class UsersComponent {
   constructor(
     protected registrarService: RegistrarService,
     protected usersService: UsersService,
-    private userDataService: UserDataService,
     private _snackBar: MatSnackBar
   ) {
     effect(() => {

console-webapp/src/app/users/users.service.ts

@@ -33,6 +33,7 @@ export interface User {
   emailAddress: string;
   role: string;
   password?: string;
+  registryLockEmailAddress?: string;
 }
 
 @Injectable()

core/build.gradle

@@ -58,6 +58,8 @@ def fragileTestPatterns = [
     // Changes cache timeouts and for some reason appears to have contention
     // with other tests.
     "google/registry/whois/WhoisCommandFactoryTest.*",
+    // Breaks random other tests when running with standardTests.
+    "google/registry/bsa/UploadBsaUnavailableDomainsActionTest.*",
     // Currently changes a global configuration parameter that for some reason
     // results in timestamp inversions for other tests.  TODO(mmuller): fix.
     "google/registry/flows/host/HostInfoFlowTest.*",
@@ -272,7 +274,6 @@ dependencies {
   testImplementation deps['org.hamcrest:hamcrest']
   testImplementation deps['org.hamcrest:hamcrest-core']
   testImplementation deps['org.hamcrest:hamcrest-library']
-  testImplementation deps['junit:junit']
   testImplementation deps['org.junit.jupiter:junit-jupiter-api']
   testImplementation deps['org.junit.jupiter:junit-jupiter-engine']
   testImplementation deps['org.junit.jupiter:junit-jupiter-migrationsupport']

core/gradle.lockfile

@@ -4,20 +4,19 @@
 aopalliance:aopalliance:1.0=annotationProcessor,compileClasspath,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 args4j:args4j:2.33=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
 com.charleskorn.kaml:kaml:0.20.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-annotations:2.18.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-core:2.18.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-databind:2.18.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.dataformat:jackson-dataformat-toml:2.18.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.18.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.datatype:jackson-datatype-joda:2.18.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson:jackson-bom:2.18.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-annotations:2.20-rc1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.20.0-rc1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-databind:2.20.0-rc1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.20.0-rc1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.datatype:jackson-datatype-joda:2.20.0-rc1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.20.0-rc1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson:jackson-bom:2.20.0-rc1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.fasterxml:classmate:1.5.1=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 com.github.ben-manes.caffeine:caffeine:3.0.5=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-com.github.ben-manes.caffeine:caffeine:3.2.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.docker-java:docker-java-api:3.4.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.docker-java:docker-java-transport-zerodep:3.4.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.docker-java:docker-java-transport:3.4.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.ben-manes.caffeine:caffeine:3.2.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.docker-java:docker-java-api:3.4.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.docker-java:docker-java-transport-zerodep:3.4.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.docker-java:docker-java-transport:3.4.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.jnr:jffi:1.3.13=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.jnr:jnr-a64asm:1.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.jnr:jnr-constants:0.10.4=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -32,85 +31,80 @@ com.google.api-client:google-api-client-jackson2:2.0.1=compileClasspath,nonprodC
 com.google.api-client:google-api-client-jackson2:2.7.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client-java6:2.1.4=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client-servlet:2.7.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api-client:google-api-client-servlet:2.7.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.api-client:google-api-client:2.7.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api-client:google-api-client-servlet:2.8.1=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api-client:google-api-client:2.8.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:gapic-google-cloud-storage-v2:2.44.1-beta=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:gapic-google-cloud-storage-v2:2.50.0=testCompileClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:3.11.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.183.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.183.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.51.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.118.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.15.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.85.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.85.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-v1:6.85.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.55.0=testCompileClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:3.15.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.187.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.187.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.60.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.122.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.15.9=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.95.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.95.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-v1:6.95.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:grpc-google-cloud-storage-control-v2:2.44.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:grpc-google-cloud-storage-v2:2.44.1-beta=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.50.0=testCompileClasspath
-com.google.api.grpc:grpc-google-common-protos:2.50.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:3.11.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1alpha:3.11.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.183.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.183.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.51.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-v2:2.51.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-compute-v1:1.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-datastore-v1:0.116.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-firestore-v1:3.30.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-monitoring-v3:3.57.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsub-v1:1.118.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.15.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.55.0=testCompileClasspath
+com.google.api.grpc:grpc-google-common-protos:2.58.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:3.15.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1alpha:3.15.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.187.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.187.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta:3.15.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.60.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-v2:2.60.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-compute-v1:1.82.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-datastore-v1:0.120.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-firestore-v1:3.31.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-monitoring-v3:3.65.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsub-v1:1.122.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.15.9=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.51.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.59.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.59.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.72.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.72.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
 com.google.api.grpc:proto-google-cloud-secretmanager-v1beta2:2.51.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1beta2:2.59.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.85.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.85.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-v1:6.85.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1beta2:2.72.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.95.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.95.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-v1:6.95.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:proto-google-cloud-storage-control-v2:2.44.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:proto-google-cloud-storage-v2:2.44.1-beta=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.50.0=testCompileClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.55.0=testCompileClasspath
 com.google.api.grpc:proto-google-cloud-tasks-v2:2.51.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2:2.59.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2:2.72.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
 com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.141.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.149.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.162.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
 com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.141.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.149.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.api.grpc:proto-google-common-protos:2.53.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.54.1=testCompileClasspath
-com.google.api.grpc:proto-google-iam-v1:1.45.1=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.48.0=compileClasspath,nonprodCompileClasspath
-com.google.api.grpc:proto-google-iam-v1:1.49.1=testCompileClasspath
-com.google.api:api-common:2.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api:api-common:2.46.1=testCompileClasspath
-com.google.api:gax-grpc:2.59.1=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api:gax-grpc:2.62.0=compileClasspath,nonprodCompileClasspath
-com.google.api:gax-grpc:2.63.1=testCompileClasspath
-com.google.api:gax-httpjson:2.62.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:2.63.1=testCompileClasspath
-com.google.api:gax:2.62.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api:gax:2.63.1=testCompileClasspath
-com.google.apis:google-api-services-admin-directory:directory_v1-rev20250217-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-bigquery:v2-rev20241222-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.162.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api.grpc:proto-google-common-protos:2.60.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.53.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.55.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api:api-common:2.52.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.67.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.69.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.api:gax-httpjson:2.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-admin-directory:directory_v1-rev20250804-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-bigquery:v2-rev20250511-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-cloudresourcemanager:v1-rev20240310-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-dataflow:v1b3-rev20250310-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-dns:v1-rev20250227-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-drive:v3-rev20250220-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-gmail:v1-rev20240520-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-dataflow:v1b3-rev20250812-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-dns:v1-rev20250411-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-drive:v3-rev20250723-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-gmail:v1-rev20250630-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-groupssettings:v1-rev20220614-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-healthcare:v1-rev20240130-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-iam:v2-rev20250213-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-iam:v2-rev20250502-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-iamcredentials:v1-rev20211203-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-monitoring:v3-rev20250227-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-monitoring:v3-rev20250731-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-sheets:v4-rev20250211-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-sqladmin:v1beta4-rev20250205-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-storage:v1-rev20241206-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-storage:v1-rev20250224-2.0.0=testCompileClasspath
-com.google.auth:google-auth-library-credentials:1.33.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-oauth2-http:1.33.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-sheets:v4-rev20250616-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-sqladmin:v1beta4-rev20250613-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-storage:v1-rev20250524-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-storage:v1-rev20250718-2.0.0=testCompileClasspath
+com.google.auth:google-auth-library-credentials:1.37.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-oauth2-http:1.37.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.0.1=errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.auto.service:auto-service-annotations:1.1.1=annotationProcessor,compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service:1.1.1=annotationProcessor
@@ -121,50 +115,51 @@ com.google.auto:auto-common:1.2.1=annotationProcessor,errorprone,nonprodAnnotati
 com.google.cloud.bigdataoss:gcsio:2.2.26=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.bigdataoss:util:2.2.26=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.bigtable:bigtable-client-core-config:1.28.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.datastore:datastore-v1-proto-client:2.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.datastore:datastore-v1-proto-client:2.29.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.opentelemetry:detector-resources-support:0.33.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.opentelemetry:exporter-metrics:0.33.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.opentelemetry:shared-resourcemapping:0.33.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud.sql:jdbc-socket-factory-core:1.23.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:postgres-socket-factory:1.23.1=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigquerystorage:3.11.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigtable:2.51.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-compute:1.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-grpc:2.49.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-grpc:2.53.1=testCompileClasspath
+com.google.cloud.sql:jdbc-socket-factory-core:1.25.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:postgres-socket-factory:1.25.3=deploy_jar,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigquerystorage:3.15.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable:2.60.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-compute:1.82.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.57.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.59.0=testCompileClasspath
 com.google.cloud:google-cloud-core-http:2.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-http:2.53.1=testCompileClasspath
-com.google.cloud:google-cloud-core:2.49.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.53.1=testCompileClasspath
-com.google.cloud:google-cloud-firestore:3.30.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-monitoring:3.57.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.59.0=testCompileClasspath
+com.google.cloud:google-cloud-core:2.57.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.59.0=testCompileClasspath
+com.google.cloud:google-cloud-firestore:3.31.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-monitoring:3.65.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:google-cloud-nio:0.127.24=testRuntimeClasspath
-com.google.cloud:google-cloud-nio:0.127.33=testCompileClasspath
-com.google.cloud:google-cloud-pubsub:1.136.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsublite:1.15.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-nio:0.128.2=testCompileClasspath
+com.google.cloud:google-cloud-pubsub:1.140.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsublite:1.15.9=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:google-cloud-secretmanager:2.51.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-secretmanager:2.59.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.cloud:google-cloud-spanner:6.85.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-secretmanager:2.72.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.cloud:google-cloud-spanner:6.95.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:google-cloud-storage-control:2.44.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:google-cloud-storage:2.44.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.50.0=testCompileClasspath
+com.google.cloud:google-cloud-storage:2.55.0=testCompileClasspath
 com.google.cloud:google-cloud-tasks:2.51.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-tasks:2.59.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+com.google.cloud:google-cloud-tasks:2.72.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
 com.google.cloud:grpc-gcp:1.6.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:libraries-bom:26.48.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.30.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.31.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.code.gson:gson:2.10.1=soy
 com.google.code.gson:gson:2.12.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.common.html.types:types:1.0.8=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
-com.google.dagger:dagger-compiler:2.55=annotationProcessor,testAnnotationProcessor
-com.google.dagger:dagger-spi:2.55=annotationProcessor,testAnnotationProcessor
-com.google.dagger:dagger:2.55=annotationProcessor,compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
-com.google.devtools.ksp:symbol-processing-api:2.0.21-1.0.28=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger-compiler:2.57.1=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger-spi:2.57.1=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger:2.57=deploy_jar
+com.google.dagger:dagger:2.57.1=annotationProcessor,compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.devtools.ksp:symbol-processing-api:2.1.21-2.0.2=annotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_annotation:2.23.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_annotations:2.20.0=soy
 com.google.errorprone:error_prone_annotations:2.23.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-com.google.errorprone:error_prone_annotations:2.36.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.41.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.errorprone:error_prone_annotations:2.7.1=checkstyle
 com.google.errorprone:error_prone_check_api:2.23.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_core:2.23.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
@@ -181,25 +176,25 @@ com.google.flogger:google-extensions:0.7.4=soy
 com.google.flogger:google-extensions:0.8=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.googlejavaformat:google-java-format:1.5=annotationProcessor,testAnnotationProcessor
 com.google.guava:failureaccess:1.0.1=checkstyle,errorprone,nonprodAnnotationProcessor,soy
-com.google.guava:failureaccess:1.0.2=annotationProcessor,compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.2=annotationProcessor,testAnnotationProcessor
+com.google.guava:failureaccess:1.0.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.guava:guava-parent:32.1.1-jre=errorprone,nonprodAnnotationProcessor,soy
 com.google.guava:guava-testlib:33.3.0-jre=testRuntimeClasspath
-com.google.guava:guava-testlib:33.4.0-jre=testCompileClasspath
+com.google.guava:guava-testlib:33.4.8-jre=testCompileClasspath
 com.google.guava:guava:31.0.1-jre=checkstyle
 com.google.guava:guava:32.1.1-jre=errorprone,nonprodAnnotationProcessor,soy
 com.google.guava:guava:33.0.0-jre=annotationProcessor,testAnnotationProcessor
-com.google.guava:guava:33.4.0-jre=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:33.4.8-jre=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.gwt:gwt-user:2.10.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-apache-v2:1.45.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-apache-v2:1.46.3=testCompileClasspath
+com.google.http-client:google-http-client-apache-v2:2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.http-client:google-http-client-appengine:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-appengine:1.46.3=testCompileClasspath
-com.google.http-client:google-http-client-gson:1.46.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-appengine:1.47.1=testCompileClasspath
+com.google.http-client:google-http-client-gson:2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.http-client:google-http-client-jackson2:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-jackson2:1.46.3=testCompileClasspath
-com.google.http-client:google-http-client-protobuf:1.45.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client:1.46.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-jackson2:1.47.1=testCompileClasspath
+com.google.http-client:google-http-client-protobuf:1.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client:2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:5.1.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.inject:guice:7.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
 com.google.j2objc:j2objc-annotations:1.3=checkstyle
@@ -215,13 +210,12 @@ com.google.oauth-client:google-oauth-client-jetty:1.36.0=deploy_jar,nonprodRunti
 com.google.oauth-client:google-oauth-client-jetty:1.39.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
 com.google.oauth-client:google-oauth-client-servlet:1.36.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 com.google.oauth-client:google-oauth-client-servlet:1.39.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.oauth-client:google-oauth-client:1.37.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.oauth-client:google-oauth-client:1.39.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.protobuf:protobuf-java-util:4.29.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.oauth-client:google-oauth-client:1.39.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java-util:4.29.4=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.protobuf:protobuf-java:3.19.6=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.protobuf:protobuf-java:3.21.7=soy
-com.google.protobuf:protobuf-java:3.25.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.re2j:re2j:1.7=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.protobuf:protobuf-java:3.25.8=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.re2j:re2j:1.8=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.template:soy:2024-02-26=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
 com.google.truth:truth:1.4.4=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.googlecode.json-simple:json-simple:1.1.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -255,11 +249,12 @@ com.sun.istack:istack-commons-tools:4.1.2=jaxb
 com.sun.xml.bind.external:relaxng-datatype:4.0.5=jaxb
 com.sun.xml.bind.external:rngom:4.0.5=jaxb
 com.sun.xml.dtd-parser:dtd-parser:1.5.1=jaxb
-com.zaxxer:HikariCP:6.2.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.zaxxer:HikariCP:7.0.1=deploy_jar
+com.zaxxer:HikariCP:7.0.2=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-beanutils:commons-beanutils:1.9.4=checkstyle
-commons-codec:commons-codec:1.18.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+commons-codec:commons-codec:1.19.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-collections:commons-collections:3.2.2=checkstyle
-commons-io:commons-io:2.18.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+commons-io:commons-io:2.20.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-logging:commons-logging:1.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 dnsjava:dnsjava:3.6.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 guru.nidi.com.eclipsesource.j2v8:j2v8_linux_x86_64:4.6.0=testRuntimeClasspath
@@ -274,37 +269,27 @@ io.apicurio:apicurio-registry-protobuf-schema-utilities:3.0.0.M2=compileClasspat
 io.github.classgraph:classgraph:4.8.162=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.eisop:dataflow-errorprone:3.34.0-eisop1=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 io.github.java-diff-utils:java-diff-utils:4.12=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-io.github.java-diff-utils:java-diff-utils:4.15=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-alts:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-alts:1.70.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-api:1.70.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.70.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-census:1.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-context:1.70.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.70.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-googleapis:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-grpclb:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-grpclb:1.70.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-inprocess:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-inprocess:1.70.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-netty-shaded:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-netty-shaded:1.70.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-netty:1.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-opentelemetry:1.67.1=compileClasspath,nonprodCompileClasspath
-io.grpc:grpc-opentelemetry:1.68.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-opentelemetry:1.70.0=testCompileClasspath
+io.github.java-diff-utils:java-diff-utils:4.16=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-alts:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-census:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-googleapis:1.71.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-grpclb:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-inprocess:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-opentelemetry:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.grpc:grpc-protobuf-lite:1.67.1=compileClasspath,nonprodCompileClasspath
-io.grpc:grpc-protobuf-lite:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.70.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-rls:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-services:1.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-stub:1.69.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-stub:1.70.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-util:1.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-xds:1.69.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.71.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-rls:1.71.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-services:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-stub:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-util:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-xds:1.71.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-buffer:4.1.110.Final=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-codec-http2:4.1.110.Final=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-codec-http:4.1.110.Final=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -334,38 +319,29 @@ io.opentelemetry.contrib:opentelemetry-gcp-resources:1.37.0-alpha=compileClasspa
 io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:2.1.0-alpha=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-incubator:2.1.0-alpha=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api:2.1.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.opentelemetry.semconv:opentelemetry-semconv:1.27.0-alpha=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry.semconv:opentelemetry-semconv:1.28.0-alpha=testCompileClasspath,testRuntimeClasspath
-io.opentelemetry:opentelemetry-api-incubator:1.45.0-alpha=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-api-incubator:1.46.0-alpha=testRuntimeClasspath
-io.opentelemetry:opentelemetry-api:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-api:1.46.0=testRuntimeClasspath
-io.opentelemetry:opentelemetry-api:1.47.0=testCompileClasspath
+io.opentelemetry.semconv:opentelemetry-semconv:1.29.0-alpha=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-api-incubator:1.42.1-alpha=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-api:1.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.opentelemetry:opentelemetry-api:1.53.0=testCompileClasspath,testRuntimeClasspath
 io.opentelemetry:opentelemetry-bom:1.42.1=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.opentelemetry:opentelemetry-context:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-context:1.46.0=testRuntimeClasspath
-io.opentelemetry:opentelemetry-context:1.47.0=testCompileClasspath
-io.opentelemetry:opentelemetry-exporter-logging:1.46.0=testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-common:1.53.0=testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-context:1.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.opentelemetry:opentelemetry-context:1.53.0=testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-exporter-logging:1.53.0=testCompileClasspath,testRuntimeClasspath
 io.opentelemetry:opentelemetry-extension-incubator:1.35.0-alpha=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.opentelemetry:opentelemetry-sdk-common:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-sdk-common:1.46.0=testRuntimeClasspath
-io.opentelemetry:opentelemetry-sdk-common:1.47.0=testCompileClasspath
+io.opentelemetry:opentelemetry-sdk-common:1.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.opentelemetry:opentelemetry-sdk-common:1.53.0=testCompileClasspath,testRuntimeClasspath
 io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi:1.42.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi:1.46.0=testRuntimeClasspath
-io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi:1.47.0=testCompileClasspath
-io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:1.46.0=testCompileClasspath,testRuntimeClasspath
-io.opentelemetry:opentelemetry-sdk-logs:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-sdk-logs:1.46.0=testRuntimeClasspath
-io.opentelemetry:opentelemetry-sdk-logs:1.47.0=testCompileClasspath
-io.opentelemetry:opentelemetry-sdk-metrics:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-sdk-metrics:1.46.0=testRuntimeClasspath
-io.opentelemetry:opentelemetry-sdk-metrics:1.47.0=testCompileClasspath
-io.opentelemetry:opentelemetry-sdk-trace:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-sdk-trace:1.46.0=testRuntimeClasspath
-io.opentelemetry:opentelemetry-sdk-trace:1.47.0=testCompileClasspath
-io.opentelemetry:opentelemetry-sdk:1.45.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-io.opentelemetry:opentelemetry-sdk:1.46.0=testRuntimeClasspath
-io.opentelemetry:opentelemetry-sdk:1.47.0=testCompileClasspath
+io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi:1.53.0=testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:1.53.0=testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-sdk-logs:1.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.opentelemetry:opentelemetry-sdk-logs:1.53.0=testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-sdk-metrics:1.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.opentelemetry:opentelemetry-sdk-metrics:1.53.0=testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-sdk-trace:1.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.opentelemetry:opentelemetry-sdk-trace:1.53.0=testCompileClasspath,testRuntimeClasspath
+io.opentelemetry:opentelemetry-sdk:1.47.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
+io.opentelemetry:opentelemetry-sdk:1.53.0=testCompileClasspath,testRuntimeClasspath
 io.opentelemetry:opentelemetry-semconv:1.26.0-alpha=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.outfoxx:swiftpoet:1.3.1=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 io.perfmark:perfmark-api:0.27.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
@@ -387,10 +363,10 @@ javax.validation:validation-api:1.0.0.GA=compileClasspath,deploy_jar,nonprodComp
 joda-time:joda-time:2.12.7=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=nonprodCompileClasspath,nonprodRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.arnx:nashorn-promise:0.1.1=testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.15.11=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.17.6=testCompileClasspath,testRuntimeClasspath
 net.bytebuddy:byte-buddy:1.14.12=compileClasspath,nonprodCompileClasspath
 net.bytebuddy:byte-buddy:1.14.15=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath
-net.bytebuddy:byte-buddy:1.15.11=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.17.6=testCompileClasspath,testRuntimeClasspath
 net.java.dev.jna:jna:5.13.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.ltgt.gradle.incap:incap:0.2=annotationProcessor,testAnnotationProcessor
 net.sf.saxon:Saxon-HE:10.6=checkstyle
@@ -404,33 +380,33 @@ org.apache.arrow:arrow-format:15.0.2=compileClasspath,deploy_jar,nonprodCompileC
 org.apache.arrow:arrow-memory-core:15.0.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.arrow:arrow-vector:15.0.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.avro:avro:1.11.4=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-fn-execution:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-job-management:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-pipeline:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-fn-execution:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-job-management:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-pipeline:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-runners-core-construction-java:2.54.0=testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-java:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-direct-java:2.63.0=testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-google-cloud-dataflow-java:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-java-fn-execution:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-core:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-expansion-service:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-arrow:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-avro:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-protobuf:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-java:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-direct-java:2.67.0=testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-google-cloud-dataflow-java:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-java-fn-execution:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-core:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-expansion-service:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-arrow:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-avro:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-protobuf:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-sdks-java-fn-execution:2.54.0=testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-harness:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-transform-service-launcher:2.63.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-harness:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-transform-service-launcher:2.67.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-grpc-1_60_1:0.1=testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-grpc-1_69_0:0.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-guava-32_1_2-jre:0.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-compress:1.26.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-csv:1.13.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-exec:1.4.0=testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-csv:1.14.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-exec:1.5.0=testRuntimeClasspath
 org.apache.commons:commons-lang3:3.14.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-org.apache.commons:commons-lang3:3.17.0=testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-text:1.13.0=testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-lang3:3.18.0=testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-text:1.14.0=testCompileClasspath,testRuntimeClasspath
 org.apache.ftpserver:ftplet-api:1.2.1=testCompileClasspath,testRuntimeClasspath
 org.apache.ftpserver:ftpserver-core:1.2.1=testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -440,37 +416,39 @@ org.apache.sshd:sshd-common:2.15.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-core:2.15.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-scp:2.15.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-sftp:2.15.0=testCompileClasspath,testRuntimeClasspath
-org.apache.tomcat:tomcat-annotations-api:11.0.5=testCompileClasspath,testRuntimeClasspath
+org.apache.tomcat:tomcat-annotations-api:11.0.10=testCompileClasspath,testRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
-org.bouncycastle:bcpg-jdk18on:1.80=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.bouncycastle:bcpkix-jdk18on:1.80=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.bouncycastle:bcprov-jdk18on:1.80=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.bouncycastle:bcutil-jdk18on:1.80=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.checkerframework:checker-compat-qual:2.5.3=compileClasspath,nonprodCompileClasspath,soy,testCompileClasspath
-org.checkerframework:checker-compat-qual:2.5.5=annotationProcessor,testAnnotationProcessor
+org.bouncycastle:bcpg-jdk18on:1.81=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.bouncycastle:bcpkix-jdk18on:1.81=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.bouncycastle:bcprov-jdk18on:1.81=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.bouncycastle:bcutil-jdk18on:1.81=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-compat-qual:2.5.3=annotationProcessor,compileClasspath,nonprodCompileClasspath,soy,testAnnotationProcessor,testCompileClasspath
 org.checkerframework:checker-compat-qual:2.5.6=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.checkerframework:checker-qual:3.12.0=checkstyle
 org.checkerframework:checker-qual:3.33.0=errorprone,nonprodAnnotationProcessor,soy
 org.checkerframework:checker-qual:3.41.0=annotationProcessor,testAnnotationProcessor
-org.checkerframework:checker-qual:3.49.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.49.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+org.checkerframework:checker-qual:3.49.3=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.codehaus.mojo:animal-sniffer-annotations:1.24=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.conscrypt:conscrypt-openjdk-uber:2.5.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.angus:angus-activation:2.0.2=deploy_jar,jaxb,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-org.eclipse.angus:jakarta.mail:2.0.3=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+org.eclipse.angus:jakarta.mail:2.0.4=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.eclipse.collections:eclipse-collections-api:11.1.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.collections:eclipse-collections:11.1.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty.ee10:jetty-ee10-servlet:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty.ee10:jetty-ee10-webapp:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-ee:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-http:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-io:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-security:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-server:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-session:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-util:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-xml:12.1.0.alpha1=testCompileClasspath,testRuntimeClasspath
-org.flywaydb:flyway-core:11.4.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.flywaydb:flyway-database-postgresql:11.4.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty.ee10:jetty-ee10-servlet:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty.ee10:jetty-ee10-webapp:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty.ee:jetty-ee-webapp:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-http:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-io:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-security:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-server:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-session:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-util:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-xml:12.1.0=testCompileClasspath,testRuntimeClasspath
+org.flywaydb:flyway-core:11.11.1=deploy_jar
+org.flywaydb:flyway-core:11.11.2=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.flywaydb:flyway-database-postgresql:11.11.1=deploy_jar
+org.flywaydb:flyway-database-postgresql:11.11.2=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.glassfish.jaxb:codemodel:4.0.5=jaxb
 org.glassfish.jaxb:jaxb-core:4.0.2=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.glassfish.jaxb:jaxb-core:4.0.5=jaxb
@@ -498,6 +476,7 @@ org.javassist:javassist:3.28.0-GA=checkstyle
 org.jboss.logging:jboss-logging:3.5.0.Final=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.jcommander:jcommander:2.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jetbrains.kotlin:kotlin-bom:1.4.0=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+org.jetbrains.kotlin:kotlin-metadata-jvm:2.1.21=annotationProcessor,testAnnotationProcessor
 org.jetbrains.kotlin:kotlin-reflect:1.6.10=annotationProcessor,testAnnotationProcessor
 org.jetbrains.kotlin:kotlin-reflect:1.9.20=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.jetbrains.kotlin:kotlin-stdlib-common:1.9.20=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -506,7 +485,7 @@ org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.9.10=compileClasspath,deploy_jar,nonpr
 org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.10=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jetbrains.kotlin:kotlin-stdlib:1.9.20=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.jetbrains.kotlin:kotlin-stdlib:2.0.21=annotationProcessor,testAnnotationProcessor
+org.jetbrains.kotlin:kotlin-stdlib:2.1.21=annotationProcessor,testAnnotationProcessor
 org.jetbrains.kotlinx:kotlinx-coroutines-core-jvm:1.5.2=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.jetbrains.kotlinx:kotlinx-coroutines-core:1.5.2=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.jetbrains.kotlinx:kotlinx-datetime-jvm:0.4.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -515,26 +494,26 @@ org.jetbrains.kotlinx:kotlinx-serialization-core-jvm:1.0.1=deploy_jar,nonprodRun
 org.jetbrains.kotlinx:kotlinx-serialization-core:1.0.1=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.jetbrains:annotations:13.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains:annotations:17.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.jline:jline:3.29.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.joda:joda-money:2.0.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.jline:jline:3.30.5=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.joda:joda-money:2.0.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.json:json:20230618=soy
 org.json:json:20250107=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.jsoup:jsoup:1.19.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.jsoup:jsoup:1.21.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jspecify:jspecify:1.0.0=annotationProcessor,compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 org.junit-pioneer:junit-pioneer:2.3.0=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-api:5.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-migrationsupport:5.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-params:5.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-launcher:1.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-runner:1.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-suite-api:1.12.1=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-suite-commons:1.12.1=testRuntimeClasspath
-org.junit:junit-bom:5.12.1=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-core:5.16.0=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-junit-jupiter:5.16.0=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-migrationsupport:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-params:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-launcher:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-runner:1.13.3=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-suite-api:1.13.4=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-suite-commons:1.13.4=testRuntimeClasspath
+org.junit:junit-bom:5.13.4=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.19.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-junit-jupiter:5.19.0=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:3.3=testRuntimeClasspath
 org.ogce:xpp3:1.1.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
@@ -552,50 +531,58 @@ org.ow2.asm:asm:9.5=soy
 org.ow2.asm:asm:9.7=jacocoAnt
 org.ow2.asm:asm:9.7.1=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.pcollections:pcollections:3.1.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-org.postgresql:postgresql:42.7.5=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.postgresql:postgresql:42.7.7=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.reflections:reflections:0.10.2=checkstyle
 org.rnorth.duct-tape:duct-tape:1.0.8=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-api:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-chrome-driver:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-chromium-driver:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-devtools-v131:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-devtools-v132:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-devtools-v133:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-devtools-v85:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-edge-driver:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-firefox-driver:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-http:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-ie-driver:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-java:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-json:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-manager:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-os:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-remote-driver:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-safari-driver:4.29.0=testCompileClasspath,testRuntimeClasspath
-org.seleniumhq.selenium:selenium-support:4.29.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-api:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-chrome-driver:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-chromium-driver:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-devtools-v137:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-devtools-v138:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-devtools-v139:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-edge-driver:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-firefox-driver:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-http:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-ie-driver:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-java:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-json:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-manager:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-os:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-remote-driver:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-safari-driver:4.35.0=testCompileClasspath,testRuntimeClasspath
+org.seleniumhq.selenium:selenium-support:4.35.0=testCompileClasspath,testRuntimeClasspath
 org.slf4j:jcl-over-slf4j:1.7.36=testCompileClasspath,testRuntimeClasspath
 org.slf4j:jul-to-slf4j:1.7.30=testRuntimeClasspath
-org.slf4j:slf4j-api:2.0.16=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.slf4j:slf4j-jdk14:2.0.16=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.slf4j:slf4j-api:2.0.17=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.slf4j:slf4j-jdk14:2.0.17=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.snakeyaml:snakeyaml-engine:2.1=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-org.testcontainers:database-commons:1.20.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:jdbc:1.20.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:junit-jupiter:1.20.6=testCompileClasspath,testRuntimeClasspath
-org.testcontainers:postgresql:1.20.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:selenium:1.20.6=testCompileClasspath,testRuntimeClasspath
-org.testcontainers:testcontainers:1.20.6=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:database-commons:1.21.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:jdbc:1.21.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:junit-jupiter:1.21.3=testCompileClasspath,testRuntimeClasspath
+org.testcontainers:postgresql:1.21.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:selenium:1.21.3=testCompileClasspath,testRuntimeClasspath
+org.testcontainers:testcontainers:1.21.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.threeten:threetenbp:1.7.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.w3c.css:sac:1.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.webjars.npm:viz.js-graphviz-java:2.1.3=testRuntimeClasspath
 org.xerial.snappy:snappy-java:1.1.10.4=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.yaml:snakeyaml:2.3=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-us.fatehi:schemacrawler-api:16.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-us.fatehi:schemacrawler-diagram:16.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-us.fatehi:schemacrawler-loader:16.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-us.fatehi:schemacrawler-postgresql:16.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-us.fatehi:schemacrawler-text:16.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-us.fatehi:schemacrawler-tools:16.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-us.fatehi:schemacrawler-utility:16.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-us.fatehi:schemacrawler:16.25.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.yaml:snakeyaml:2.4=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler-api:16.26.3=deploy_jar
+us.fatehi:schemacrawler-api:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler-diagram:16.26.3=deploy_jar
+us.fatehi:schemacrawler-diagram:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler-loader:16.26.3=deploy_jar
+us.fatehi:schemacrawler-loader:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler-operations:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler-postgresql:16.26.3=deploy_jar
+us.fatehi:schemacrawler-postgresql:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler-text:16.26.3=deploy_jar
+us.fatehi:schemacrawler-text:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler-tools:16.26.3=deploy_jar
+us.fatehi:schemacrawler-tools:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler-utility:16.26.3=deploy_jar
+us.fatehi:schemacrawler-utility:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+us.fatehi:schemacrawler:16.26.3=deploy_jar
+us.fatehi:schemacrawler:16.27.1=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 xerces:xmlParserAPIs:2.6.2=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 empty=devtool,nomulus_test

core/src/main/java/google/registry/batch/RelockDomainAction.java

@@ -15,7 +15,6 @@
 package google.registry.batch;
 
 import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
@@ -30,8 +29,6 @@ import google.registry.groups.GmailClient;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.RegistryLock;
 import google.registry.model.eppcommon.StatusValue;
-import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarPoc;
 import google.registry.model.tld.RegistryLockDao;
 import google.registry.persistence.VKey;
 import google.registry.request.Action;
@@ -70,12 +67,14 @@ public class RelockDomainAction implements Runnable {
       """
       The domain %s was successfully re-locked.
 
-      Please contact support at %s if you have any questions.""";
+      Please contact support at %s if you have any questions.\
+      """;
   private static final String RELOCK_NON_RETRYABLE_FAILURE_EMAIL_TEMPLATE =
       """
       There was an error when automatically re-locking %s. Error message: %s
 
-      Please contact support at %s if you have any questions.""";
+      Please contact support at %s if you have any questions.\
+      """;
   private static final String RELOCK_TRANSIENT_FAILURE_EMAIL_TEMPLATE =
       "There was an unexpected error when automatically re-locking %s. We will continue retrying "
           + "the lock for five hours. Please contact support at %s if you have any questions";
@@ -171,7 +170,7 @@ public class RelockDomainAction implements Runnable {
     domainLockUtils.administrativelyApplyLock(
         oldLock.getDomainName(),
         oldLock.getRegistrarId(),
-        oldLock.getRegistrarPocId(),
+        oldLock.getRegistryLockEmail(),
         oldLock.isSuperuser());
     logger.atInfo().log("Re-locked domain %s.", oldLock.getDomainName());
     response.setStatus(SC_OK);
@@ -221,7 +220,7 @@ public class RelockDomainAction implements Runnable {
         EmailMessage.newBuilder()
             .setBody(body)
             .setSubject(String.format("Error re-locking domain %s", oldLock.getDomainName()))
-            .setRecipients(getEmailRecipients(oldLock.getRegistrarId()))
+            .setRecipients(ImmutableSet.of(getEmailRecipient(oldLock)))
             .build());
   }
 
@@ -250,7 +249,7 @@ public class RelockDomainAction implements Runnable {
         EmailMessage.newBuilder()
             .setBody(body)
             .setSubject(String.format("Successful re-lock of domain %s", oldLock.getDomainName()))
-            .setRecipients(getEmailRecipients(oldLock.getRegistrarId()))
+            .setRecipients(ImmutableSet.of(getEmailRecipient(oldLock)))
             .build());
   }
 
@@ -261,7 +260,7 @@ public class RelockDomainAction implements Runnable {
     // For an unexpected failure, notify both the lock-enabled contacts and our alerting email
     ImmutableSet<InternetAddress> allRecipients =
         new ImmutableSet.Builder<InternetAddress>()
-            .addAll(getEmailRecipients(oldLock.getRegistrarId()))
+            .add(getEmailRecipient(oldLock))
             .add(alertRecipientAddress)
             .build();
     gmailClient.sendEmail(
@@ -281,31 +280,12 @@ public class RelockDomainAction implements Runnable {
             .build());
   }
 
-  private ImmutableSet<InternetAddress> getEmailRecipients(String registrarId) {
-    Registrar registrar =
-        Registrar.loadByRegistrarIdCached(registrarId)
-            .orElseThrow(
-                () ->
-                    new IllegalStateException(String.format("Unknown registrar %s", registrarId)));
-
-    ImmutableSet<String> registryLockEmailAddresses =
-        registrar.getContacts().stream()
-            .filter(RegistrarPoc::isRegistryLockAllowed)
-            .map(RegistrarPoc::getRegistryLockEmailAddress)
-            .filter(Optional::isPresent)
-            .map(Optional::get)
-            .collect(toImmutableSet());
-
-    ImmutableSet.Builder<InternetAddress> builder = new ImmutableSet.Builder<>();
-    // can't use streams due to the 'throws' in the InternetAddress constructor
-    for (String registryLockEmailAddress : registryLockEmailAddresses) {
-      try {
-        builder.add(new InternetAddress(registryLockEmailAddress));
-      } catch (AddressException e) {
-        // This shouldn't stop any other emails going out, so swallow it
-        logger.atWarning().log("Invalid email address '%s'.", registryLockEmailAddress);
-      }
+  private InternetAddress getEmailRecipient(RegistryLock lock) {
+    try {
+      return new InternetAddress(lock.getRegistryLockEmail());
+    } catch (AddressException e) {
+      // this really shouldn't happen
+      throw new RuntimeException(e);
     }
-    return builder.build();
   }
 }

core/src/main/java/google/registry/batch/SendExpiringCertificateNotificationEmailAction.java

@@ -275,7 +275,7 @@ public class SendExpiringCertificateNotificationEmailAction implements Runnable
    */
   @VisibleForTesting
   ImmutableSet<InternetAddress> getEmailAddresses(Registrar registrar, Type contactType) {
-    ImmutableSortedSet<RegistrarPoc> contacts = registrar.getContactsOfType(contactType);
+    ImmutableSortedSet<RegistrarPoc> contacts = registrar.getPocsOfType(contactType);
     ImmutableSet.Builder<InternetAddress> recipientEmails = new ImmutableSet.Builder<>();
     for (RegistrarPoc contact : contacts) {
       try {

core/src/main/java/google/registry/bsa/BsaValidateAction.java

@@ -215,10 +215,12 @@ public class BsaValidateAction implements Runnable {
     if (Objects.equals(expectedReason, domain.reason())) {
       return Optional.empty();
     }
-    if (isRegistered || domain.reason().equals(Reason.REGISTERED)) {
-      if (isStalenessAllowed(isRegistered, activeDomains.get(domain.domainName()))) {
+    // Registered name still reported with other reasons: Don't report if registration is recent.
+    // Note that staleness is not tolerated if deregistered name is still reported as registered:
+    // in this case we do not have the VKey on hand, and it is not worth the effort to find it
+    // out.
+    if (isRegistered && isStalenessAllowed(activeDomains.get(domain.domainName()))) {
         return Optional.empty();
-      }
     }
     return Optional.of(
         String.format(
@@ -228,15 +230,10 @@ public class BsaValidateAction implements Runnable {
             domain.reason()));
   }
 
-  boolean isStalenessAllowed(boolean isNewDomain, VKey<Domain> domainVKey) {
+  boolean isStalenessAllowed(VKey<Domain> domainVKey) {
     Domain domain = bsaQuery(() -> replicaTm().loadByKey(domainVKey));
     var now = clock.nowUtc();
-    if (isNewDomain) {
-      return domain.getCreationTime().plus(maxStaleness).isAfter(now);
-    } else {
-      return domain.getDeletionTime().isBefore(now)
-          && domain.getDeletionTime().plus(maxStaleness).isAfter(now);
-    }
+    return domain.getCreationTime().plus(maxStaleness).isAfter(now);
   }
 
   /** Returns unique labels across all block lists in the download specified by {@code jobName}. */

core/src/main/java/google/registry/bsa/UploadBsaUnavailableDomainsAction.java

@@ -25,16 +25,16 @@ import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.POST;
 import static jakarta.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 import static java.nio.charset.StandardCharsets.US_ASCII;
+import static java.nio.charset.StandardCharsets.UTF_8;
 
 import com.google.cloud.storage.BlobId;
-import com.google.common.base.Joiner;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedSet;
 import com.google.common.collect.Ordering;
 import com.google.common.flogger.FluentLogger;
+import com.google.common.hash.Hasher;
 import com.google.common.hash.Hashing;
-import com.google.common.io.ByteSource;
 import google.registry.bsa.api.BsaCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.gcs.GcsUtils;
@@ -47,10 +47,13 @@ import google.registry.request.auth.Auth;
 import google.registry.util.Clock;
 import jakarta.inject.Inject;
 import jakarta.persistence.TypedQuery;
-import java.io.ByteArrayOutputStream;
+import java.io.BufferedInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
+import java.io.PipedInputStream;
+import java.io.PipedOutputStream;
 import java.io.Writer;
 import java.util.Optional;
 import java.util.zip.GZIPOutputStream;
@@ -60,14 +63,17 @@ import okhttp3.OkHttpClient;
 import okhttp3.Request;
 import okhttp3.RequestBody;
 import okhttp3.Response;
+import okio.BufferedSink;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 import org.joda.time.DateTime;
 
 /**
  * Daily action that uploads unavailable domain names on applicable TLDs to BSA.
  *
  * <p>The upload is a single zipped text file containing combined details for all BSA-enrolled TLDs.
- * The text is a newline-delimited list of punycoded fully qualified domain names, and contains all
- * domains on each TLD that are registered and/or reserved.
+ * The text is a newline-delimited list of punycoded fully qualified domain names with a trailing
+ * newline at the end, and contains all domains on each TLD that are registered and/or reserved.
  *
  * <p>The file is also uploaded to GCS to preserve it as a record for ourselves.
  */
@@ -118,7 +124,7 @@ public class UploadBsaUnavailableDomainsAction implements Runnable {
     // TODO(mcilwain): Implement a date Cursor, have the cronjob run frequently, and short-circuit
     //                 the run if the daily upload is already completed.
     DateTime runTime = clock.nowUtc();
-    String unavailableDomains = Joiner.on("\n").join(getUnavailableDomains(runTime));
+    ImmutableSortedSet<String> unavailableDomains = getUnavailableDomains(runTime);
     if (unavailableDomains.isEmpty()) {
       logger.atWarning().log("No unavailable domains found; terminating.");
       emailSender.sendNotification(
@@ -136,12 +142,16 @@ public class UploadBsaUnavailableDomainsAction implements Runnable {
   }
 
   /** Uploads the unavailable domains list to GCS in the unavailable domains bucket. */
-  boolean uploadToGcs(String unavailableDomains, DateTime runTime) {
+  boolean uploadToGcs(ImmutableSortedSet<String> unavailableDomains, DateTime runTime) {
     logger.atInfo().log("Uploading unavailable names file to GCS in bucket %s", gcsBucket);
     BlobId blobId = BlobId.of(gcsBucket, createFilename(runTime));
+    // `gcsUtils.openOutputStream` returns a buffered stream
     try (OutputStream gcsOutput = gcsUtils.openOutputStream(blobId);
         Writer osWriter = new OutputStreamWriter(gcsOutput, US_ASCII)) {
-      osWriter.write(unavailableDomains);
+      for (var domainName : unavailableDomains) {
+        osWriter.write(domainName);
+        osWriter.write("\n");
+      }
       return true;
     } catch (Exception e) {
       logger.atSevere().withCause(e).log(
@@ -150,10 +160,14 @@ public class UploadBsaUnavailableDomainsAction implements Runnable {
     }
   }
 
-  boolean uploadToBsa(String unavailableDomains, DateTime runTime) {
+  boolean uploadToBsa(ImmutableSortedSet<String> unavailableDomains, DateTime runTime) {
     try {
-      byte[] gzippedContents = gzipUnavailableDomains(unavailableDomains);
-      String sha512Hash = ByteSource.wrap(gzippedContents).hash(Hashing.sha512()).toString();
+      Hasher sha512Hasher = Hashing.sha512().newHasher();
+      unavailableDomains.stream()
+          .map(name -> name + "\n")
+          .forEachOrdered(line -> sha512Hasher.putString(line, UTF_8));
+      String sha512Hash = sha512Hasher.hash().toString();
+
       String filename = createFilename(runTime);
       OkHttpClient client = new OkHttpClient().newBuilder().build();
 
@@ -169,7 +183,9 @@ public class UploadBsaUnavailableDomainsAction implements Runnable {
               .addFormDataPart(
                   "file",
                   String.format("%s.gz", filename),
-                  RequestBody.create(gzippedContents, MediaType.parse("application/octet-stream")))
+                  new StreamingRequestBody(
+                      gzippedStream(unavailableDomains),
+                      MediaType.parse("application/octet-stream")))
               .build();
 
       Request request =
@@ -196,15 +212,6 @@ public class UploadBsaUnavailableDomainsAction implements Runnable {
     }
   }
 
-  private byte[] gzipUnavailableDomains(String unavailableDomains) throws IOException {
-    try (ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
-      try (GZIPOutputStream gzipOutputStream = new GZIPOutputStream(byteArrayOutputStream)) {
-        gzipOutputStream.write(unavailableDomains.getBytes(US_ASCII));
-      }
-      return byteArrayOutputStream.toByteArray();
-    }
-  }
-
   private static String createFilename(DateTime runTime) {
     return String.format("unavailable_domains_%s.txt", runTime.toString());
   }
@@ -280,4 +287,65 @@ public class UploadBsaUnavailableDomainsAction implements Runnable {
   private static String toDomain(String domainLabel, Tld tld) {
     return String.format("%s.%s", domainLabel, tld.getTldStr());
   }
+
+  private InputStream gzippedStream(ImmutableSortedSet<String> unavailableDomains)
+      throws IOException {
+    PipedInputStream inputStream = new PipedInputStream();
+    PipedOutputStream outputStream = new PipedOutputStream(inputStream);
+
+    new Thread(
+            () -> {
+              try {
+                gzipUnavailableDomains(outputStream, unavailableDomains);
+              } catch (Throwable e) {
+                logger.atSevere().withCause(e).log("Failed to gzip unavailable domains.");
+                try {
+                  // This will cause the next read to throw an IOException.
+                  inputStream.close();
+                } catch (IOException ignore) {
+                  // Won't happen for  `PipedInputStream.close()`
+                }
+              }
+            })
+        .start();
+
+    return inputStream;
+  }
+
+  private void gzipUnavailableDomains(
+      PipedOutputStream outputStream, ImmutableSortedSet<String> unavailableDomains)
+      throws IOException {
+    // `GZIPOutputStream` is buffered.
+    try (GZIPOutputStream gzipOutputStream = new GZIPOutputStream(outputStream)) {
+      for (String name : unavailableDomains) {
+        var line = name + "\n";
+        gzipOutputStream.write(line.getBytes(US_ASCII));
+      }
+    }
+  }
+
+  private static class StreamingRequestBody extends RequestBody {
+    private final BufferedInputStream inputStream;
+    private final MediaType mediaType;
+
+    StreamingRequestBody(InputStream inputStream, MediaType mediaType) {
+      this.inputStream = new BufferedInputStream(inputStream);
+      this.mediaType = mediaType;
+    }
+
+    @Nullable
+    @Override
+    public MediaType contentType() {
+      return mediaType;
+    }
+
+    @Override
+    public void writeTo(@NotNull BufferedSink bufferedSink) throws IOException {
+      byte[] buffer = new byte[2048];
+      int bytesRead;
+      while ((bytesRead = inputStream.read(buffer)) != -1) {
+        bufferedSink.write(buffer, 0, bytesRead);
+      }
+    }
+  }
 }

core/src/main/java/google/registry/config/RegistryConfig.java

@@ -1591,6 +1591,26 @@ public final class RegistryConfig {
     return CONFIG_SETTINGS.get().caching.eppResourceMaxCachedEntries;
   }
 
+  /** Returns if we have enabled caching for User Authentication */
+  public static boolean getUserAuthCachingEnabled() {
+    return CONFIG_SETTINGS.get().caching.userAuthCachingEnabled;
+  }
+
+  @VisibleForTesting
+  public static void overrideIsUserAuthCachingEnabledForTesting(boolean enabled) {
+    CONFIG_SETTINGS.get().caching.userAuthCachingEnabled = enabled;
+  }
+
+  /** Returns the expiry duration for the user authentication cache. */
+  public static java.time.Duration getUserAuthCachingDuration() {
+    return java.time.Duration.ofSeconds(CONFIG_SETTINGS.get().caching.userAuthCachingSeconds);
+  }
+
+  /** Returns the maximum number of entries in user authentication cache. */
+  public static int getUserAuthMaxCachedEntries() {
+    return CONFIG_SETTINGS.get().caching.userAuthMaxCachedEntries;
+  }
+
   /** Returns the amount of time that a particular claims list should be cached. */
   public static java.time.Duration getClaimsListCacheDuration() {
     return java.time.Duration.ofSeconds(CONFIG_SETTINGS.get().caching.claimsListCachingSeconds);

core/src/main/java/google/registry/config/RegistryConfigSettings.java

@@ -161,6 +161,9 @@ public class RegistryConfigSettings {
     public int eppResourceCachingSeconds;
     public int eppResourceMaxCachedEntries;
     public int claimsListCachingSeconds;
+    public boolean userAuthCachingEnabled;
+    public int userAuthCachingSeconds;
+    public int userAuthMaxCachedEntries;
   }
 
   /** Configuration for ICANN monthly reporting. */

core/src/main/java/google/registry/config/files/default-config.yaml

@@ -243,7 +243,7 @@ hibernate:
   # that BEAM pipelines are not subject to the maximumPoolSize value defined
   # here. See PersistenceModule.java for more information.
   hikariMinimumIdle: 1
-  hikariMaximumPoolSize: 20
+  hikariMaximumPoolSize: 40
   hikariIdleTimeout: 300000
   # The batch size is basically the number of insertions / updates in a single
   # transaction that will be batched together into one INSERT/UPDATE statement.
@@ -255,7 +255,7 @@ hibernate:
   # The fetch size is the number of entities retrieved at a time from the
   # database cursor. Here we set a small default geared toward Nomulus server
   # transactions. Large queries can override the defaults on a per-query basis.
-  jdbcFetchSize: 20
+  jdbcFetchSize: 40
 
 cloudSql:
   # jdbc url for the Cloud SQL database.
@@ -326,6 +326,20 @@ caching:
   # long duration is acceptable because claims lists don't change frequently.
   claimsListCachingSeconds: 21600 # six hours
 
+  #-- User Authentication Cache Settings --#
+
+  # Whether to cache User objects during OIDC token authentication to reduce database load.
+  # This helps mitigate high QPS from frequent hello commands and session-less requests.
+  userAuthCachingEnabled: true 
+
+  # The duration in seconds for which a User object is cached after being loaded.
+  # A short duration is recommended to avoid stale data.
+  userAuthCachingSeconds: 60
+
+  # The maximum number of User objects to store in the cache per pod.
+  # This helps limit the memory footprint of the cache.
+  userAuthMaxCachedEntries: 200
+
 # Note: Only allowedServiceAccountEmails and oauthClientId should be configured.
 # Other fields are related to OAuth-based authentication and will be removed.
 auth:

core/src/main/java/google/registry/config/files/tasks/cloud-scheduler-tasks-alpha.xml

@@ -88,6 +88,7 @@
       should exist between the RECURRING_BILLING cursor's time and the execution
       time of the action.
     </description>
+    <!-- Runs shortly after DeleteExpiredDomainsAction so it can delete domains before they renew -->
     <schedule>0 3 * * *</schedule>
   </task>
 
@@ -98,7 +99,8 @@
       This job runs an action that deletes domains that are past their
       autorenew end date.
     </description>
-    <schedule>7 3 * * *</schedule>
+    <!-- Runs shortly before ExpandBillingRecurrencesPipeline to catch and delete domains before they renew -->
+    <schedule>45 2 * * *</schedule>
   </task>
 
   <task>

core/src/main/java/google/registry/config/files/tasks/cloud-scheduler-tasks-crash.xml

@@ -146,6 +146,7 @@
       This job runs an action that deletes domains that are past their
       autorenew end date.
     </description>
-    <schedule>7 3 * * *</schedule>
+    <!-- Runs shortly before ExpandBillingRecurrencesPipeline to catch and delete domains before they renew -->
+    <schedule>45 2 * * *</schedule>
   </task>
 </entries>

core/src/main/java/google/registry/config/files/tasks/cloud-scheduler-tasks-production.xml

@@ -130,6 +130,7 @@
       should exist between the RECURRING_BILLING cursor's time and the execution
       time of the action.
     </description>
+    <!-- Runs shortly after DeleteExpiredDomainsAction so it can delete domains before they renew -->
     <schedule>0 3 * * *</schedule>
   </task>
 
@@ -140,7 +141,8 @@
       This job runs an action that deletes domains that are past their
       autorenew end date.
     </description>
-    <schedule>7 3 * * *</schedule>
+    <!-- Runs shortly before ExpandBillingRecurrencesPipeline to catch and delete domains before they renew -->
+    <schedule>45 2 * * *</schedule>
   </task>
 
   <task>

core/src/main/java/google/registry/config/files/tasks/cloud-scheduler-tasks-qa.xml

@@ -57,6 +57,7 @@
       This job runs an action that deletes domains that are past their
       autorenew end date.
     </description>
-    <schedule>7 3 * * *</schedule>
+    <!-- Runs shortly before ExpandBillingRecurrencesPipeline to catch and delete domains before they renew -->
+    <schedule>45 2 * * *</schedule>
   </task>
 </entries>

core/src/main/java/google/registry/config/files/tasks/cloud-scheduler-tasks-sandbox.xml

@@ -90,6 +90,7 @@
       should exist between the RECURRING_BILLING cursor's time and the execution
       time of the action.
     </description>
+    <!-- Runs shortly after DeleteExpiredDomainsAction so it can delete domains before they renew -->
     <schedule>0 3 * * *</schedule>
   </task>
 
@@ -113,7 +114,8 @@
       This job runs an action that deletes domains that are past their
       autorenew end date.
     </description>
-    <schedule>7 3 * * *</schedule>
+    <!-- Runs shortly before ExpandBillingRecurrencesPipeline to catch and delete domains before they renew -->
+    <schedule>45 2 * * *</schedule>
   </task>
 
   <task>

core/src/main/java/google/registry/dns/writer/DnsWritersModule.java

@@ -0,0 +1,29 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.dns.writer;
+
+import dagger.Module;
+import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
+import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
+
+/**
+ * Groups all {@link DnsWriter} implementations to be installed.
+ *
+ * <p>To cherry-pick the DNS writers to install, overwrite this file with your private version in
+ * the release process.
+ */
+@Module(
+    includes = {CloudDnsWriterModule.class, DnsUpdateWriterModule.class, VoidDnsWriterModule.class})
+public class DnsWritersModule {}

core/src/main/java/google/registry/export/ExportDomainListsAction.java

@@ -15,6 +15,7 @@
 package google.registry.export;
 
 import static com.google.common.base.Verify.verifyNotNull;
+import static google.registry.model.common.FeatureFlag.FeatureName.INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS;
 import static google.registry.model.tld.Tlds.getTldsOfType;
 import static google.registry.persistence.PersistenceModule.TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
@@ -75,7 +76,8 @@ public class ExportDomainListsAction implements Runnable {
         ON d.repo_id = gp.domain_repo_id
         WHERE d.tld = :tld
         AND d.deletion_time > CAST(:now AS timestamptz)
-        ORDER BY d.domain_name""";
+        ORDER BY d.domain_name
+      """;
 
   // This may be a CSV, but it is uses a .txt file extension for back-compatibility
   static final String REGISTERED_DOMAINS_FILENAME_FORMAT = "registered_domains_%s.txt";
@@ -93,10 +95,7 @@ public class ExportDomainListsAction implements Runnable {
     logger.atInfo().log("Exporting domain lists for TLDs %s.", realTlds);
 
     boolean includeDeletionTimes =
-        tm().transact(
-                () ->
-                    FeatureFlag.isActiveNowOrElse(
-                        FeatureFlag.FeatureName.INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS, false));
+        tm().transact(() -> FeatureFlag.isActiveNow(INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS));
     realTlds.forEach(
         tld -> {
           List<String> domainsList =

core/src/main/java/google/registry/flows/CheckApiAction.java

@@ -185,7 +185,8 @@ public class CheckApiAction implements Runnable {
   }
 
   private boolean checkExists(String domainString, DateTime now) {
-    return !ForeignKeyUtils.loadCached(Domain.class, ImmutableList.of(domainString), now).isEmpty();
+    return !ForeignKeyUtils.loadByCache(Domain.class, ImmutableList.of(domainString), now)
+        .isEmpty();
   }
 
   private Optional<String> checkReserved(InternetDomainName domainName) {

core/src/main/java/google/registry/flows/EppRequestHandler.java

@@ -26,6 +26,7 @@ import com.google.common.net.MediaType;
 import google.registry.model.eppoutput.EppOutput;
 import google.registry.request.Response;
 import google.registry.util.ProxyHttpHeaders;
+import google.registry.util.StopwatchLogger;
 import jakarta.inject.Inject;
 
 /** Handle an EPP request and response. */
@@ -55,7 +56,10 @@ public class EppRequestHandler {
           eppController.handleEppCommand(
               sessionMetadata, credentials, eppRequestSource, isDryRun, isSuperuser, inputXmlBytes);
       response.setContentType(APPLICATION_EPP_XML);
+      final StopwatchLogger stopwatch = new StopwatchLogger();
       byte[] eppResponseXmlBytes = marshalWithLenientRetry(eppOutput);
+      stopwatch.tick("Completed EPP output marshaling.");
+
       response.setPayload(new String(eppResponseXmlBytes, UTF_8));
       logger.atInfo().log(
           "EPP response: %s", prettyPrint(EppXmlSanitizer.sanitizeEppXml(eppResponseXmlBytes)));

core/src/main/java/google/registry/flows/FlowRunner.java

@@ -29,6 +29,7 @@ import google.registry.model.eppoutput.EppOutput;
 import google.registry.monitoring.whitebox.EppMetric;
 import google.registry.persistence.PersistenceModule.TransactionIsolationLevel;
 import google.registry.persistence.transaction.JpaTransactionManager;
+import google.registry.util.StopwatchLogger;
 import jakarta.inject.Inject;
 import jakarta.inject.Provider;
 import java.util.Optional;
@@ -77,23 +78,32 @@ public class FlowRunner {
       flowReporter.recordToLogs();
     }
     eppMetricBuilder.setCommandNameFromFlow(flowClass.getSimpleName());
+    final StopwatchLogger stopwatch = new StopwatchLogger();
+
     // We may already be in a transaction, e.g., when invoked by DeleteExpiredDomainsAction.
     if (!isTransactional || jpaTransactionManager.inTransaction()) {
+      stopwatch.tick("We're in transaction, running the flow now.");
       return EppOutput.create(flowProvider.get().run());
     }
+
+    stopwatch.tick("We're not in transaction, calling transact.");
     try {
       return jpaTransactionManager.transact(
           isolationLevelOverride.orElse(null),
           () -> {
             try {
+              stopwatch.tick("Running the flow in transaction.");
               EppOutput output = EppOutput.create(flowProvider.get().run());
+              stopwatch.tick("Completed the flow in transaction.");
               if (isDryRun) {
                 throw new DryRunException(output);
               }
               if (flowClass.equals(LoginFlow.class)) {
                 // In LoginFlow, registrarId isn't known until after the flow executes, so save
                 // it then.
+                stopwatch.tick("Login flow started setting registrar id.");
                 eppMetricBuilder.setRegistrarId(sessionMetadata.getRegistrarId());
+                stopwatch.tick("Login flow finished setting registrar id.");
               }
               return output;
             } catch (EppException e) {

core/src/main/java/google/registry/flows/FlowUtils.java

@@ -21,6 +21,7 @@ import static google.registry.xml.ValidationMode.STRICT;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 import com.google.common.base.Throwables;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.EppException.ParameterValueRangeErrorException;
@@ -30,6 +31,7 @@ import google.registry.flows.custom.EntityChanges;
 import google.registry.model.EppResource;
 import google.registry.model.adapters.CurrencyUnitAdapter.UnknownCurrencyException;
 import google.registry.model.eppcommon.EppXmlTransformer;
+import google.registry.model.eppcommon.StatusValue;
 import google.registry.model.eppinput.EppInput.WrongProtocolVersionException;
 import google.registry.model.eppoutput.EppOutput;
 import google.registry.model.host.InetAddressAdapter.IpVersionMismatchException;
@@ -40,6 +42,9 @@ import java.util.List;
 /** Static utility functions for flows. */
 public final class FlowUtils {
 
+  public static final ImmutableSet<StatusValue> DELETE_PROHIBITED_STATUSES =
+      ImmutableSet.of(StatusValue.CLIENT_DELETE_PROHIBITED, StatusValue.SERVER_DELETE_PROHIBITED);
+
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   private FlowUtils() {}

core/src/main/java/google/registry/flows/contact/ContactCreateFlow.java

@@ -19,6 +19,7 @@ import static google.registry.flows.ResourceFlowUtils.verifyResourceDoesNotExist
 import static google.registry.flows.contact.ContactFlowUtils.validateAsciiPostalInfo;
 import static google.registry.flows.contact.ContactFlowUtils.validateContactAgainstPolicy;
 import static google.registry.model.EppResourceUtils.createRepoId;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.common.collect.ImmutableSet;
@@ -29,8 +30,10 @@ import google.registry.flows.FlowModule.RegistrarId;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.MutatingFlow;
 import google.registry.flows.annotations.ReportingSpec;
+import google.registry.flows.exceptions.ContactsProhibitedException;
 import google.registry.flows.exceptions.ResourceAlreadyExistsForThisClientException;
 import google.registry.flows.exceptions.ResourceCreateContentionException;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.contact.Contact;
 import google.registry.model.contact.ContactCommand.Create;
 import google.registry.model.contact.ContactHistory;
@@ -47,6 +50,7 @@ import org.joda.time.DateTime;
  * An EPP flow that creates a new contact.
  *
  * @error {@link google.registry.flows.FlowUtils.NotLoggedInException}
+ * @error {@link ContactsProhibitedException}
  * @error {@link ResourceAlreadyExistsForThisClientException}
  * @error {@link ResourceCreateContentionException}
  * @error {@link ContactFlowUtils.BadInternationalizedPostalInfoException}
@@ -69,6 +73,9 @@ public final class ContactCreateFlow implements MutatingFlow {
     extensionManager.register(MetadataExtension.class);
     validateRegistrarIsLoggedIn(registrarId);
     extensionManager.validate();
+    if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
+      throw new ContactsProhibitedException();
+    }
     Create command = (Create) resourceCommand;
     DateTime now = tm().getTransactionTime();
     verifyResourceDoesNotExist(Contact.class, targetId, now, registrarId);

core/src/main/java/google/registry/flows/contact/ContactDeleteFlow.java

@@ -14,6 +14,7 @@
 
 package google.registry.flows.contact;
 
+import static google.registry.flows.FlowUtils.DELETE_PROHIBITED_STATUSES;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.checkLinkedDomains;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
@@ -65,12 +66,6 @@ import org.joda.time.DateTime;
 @ReportingSpec(ActivityReportField.CONTACT_DELETE)
 public final class ContactDeleteFlow implements MutatingFlow {
 
-  private static final ImmutableSet<StatusValue> DISALLOWED_STATUSES =
-      ImmutableSet.of(
-          StatusValue.CLIENT_DELETE_PROHIBITED,
-          StatusValue.PENDING_DELETE,
-          StatusValue.SERVER_DELETE_PROHIBITED);
-
   @Inject ExtensionManager extensionManager;
   @Inject @RegistrarId String registrarId;
   @Inject @TargetId String targetId;
@@ -91,9 +86,10 @@ public final class ContactDeleteFlow implements MutatingFlow {
     DateTime now = tm().getTransactionTime();
     checkLinkedDomains(targetId, now, Contact.class);
     Contact existingContact = loadAndVerifyExistence(Contact.class, targetId, now);
-    verifyNoDisallowedStatuses(existingContact, DISALLOWED_STATUSES);
     verifyOptionalAuthInfo(authInfo, existingContact);
+    verifyNoDisallowedStatuses(existingContact, ImmutableSet.of(StatusValue.PENDING_DELETE));
     if (!isSuperuser) {
+      verifyNoDisallowedStatuses(existingContact, DELETE_PROHIBITED_STATUSES);
       verifyResourceOwnership(registrarId, existingContact);
     }
     // Handle pending transfers on contact deletion.

core/src/main/java/google/registry/flows/contact/ContactUpdateFlow.java

@@ -24,6 +24,7 @@ import static google.registry.flows.ResourceFlowUtils.verifyOptionalAuthInfo;
 import static google.registry.flows.ResourceFlowUtils.verifyResourceOwnership;
 import static google.registry.flows.contact.ContactFlowUtils.validateAsciiPostalInfo;
 import static google.registry.flows.contact.ContactFlowUtils.validateContactAgainstPolicy;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
 import static google.registry.model.reporting.HistoryEntry.Type.CONTACT_UPDATE;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
@@ -35,7 +36,9 @@ import google.registry.flows.FlowModule.Superuser;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.MutatingFlow;
 import google.registry.flows.annotations.ReportingSpec;
+import google.registry.flows.exceptions.ContactsProhibitedException;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.contact.Contact;
 import google.registry.model.contact.ContactCommand.Update;
 import google.registry.model.contact.ContactCommand.Update.Change;
@@ -55,6 +58,7 @@ import org.joda.time.DateTime;
 /**
  * An EPP flow that updates a contact.
  *
+ * @error {@link ContactsProhibitedException}
  * @error {@link google.registry.flows.FlowUtils.NotLoggedInException}
  * @error {@link google.registry.flows.ResourceFlowUtils.AddRemoveSameValueException}
  * @error {@link google.registry.flows.ResourceFlowUtils.ResourceDoesNotExistException}
@@ -92,6 +96,9 @@ public final class ContactUpdateFlow implements MutatingFlow {
     extensionManager.register(MetadataExtension.class);
     validateRegistrarIsLoggedIn(registrarId);
     extensionManager.validate();
+    if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
+      throw new ContactsProhibitedException();
+    }
     Update command = (Update) resourceCommand;
     DateTime now = tm().getTransactionTime();
     Contact existingContact = loadAndVerifyExistence(Contact.class, targetId, now);

core/src/main/java/google/registry/flows/domain/DomainCheckFlow.java

@@ -432,7 +432,7 @@ public final class DomainCheckFlow implements TransactionalFlow {
             .filter(existingDomains::containsKey)
             .collect(toImmutableMap(d -> d, existingDomains::get));
     ImmutableMap<VKey<? extends EppResource>, EppResource> loadedDomains =
-        EppResource.loadCached(ImmutableList.copyOf(existingDomainsToLoad.values()));
+        EppResource.loadByCacheIfEnabled(ImmutableList.copyOf(existingDomainsToLoad.values()));
     return ImmutableMap.copyOf(
         Maps.transformEntries(existingDomainsToLoad, (k, v) -> (Domain) loadedDomains.get(v)));
   }

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -72,7 +72,9 @@ import google.registry.flows.custom.DomainCreateFlowCustomLogic;
 import google.registry.flows.custom.DomainCreateFlowCustomLogic.BeforeResponseParameters;
 import google.registry.flows.custom.DomainCreateFlowCustomLogic.BeforeResponseReturnData;
 import google.registry.flows.custom.EntityChanges;
+import google.registry.flows.domain.DomainFlowUtils.RegistrantProhibitedException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils;
+import google.registry.flows.exceptions.ContactsProhibitedException;
 import google.registry.flows.exceptions.ResourceAlreadyExistsForThisClientException;
 import google.registry.flows.exceptions.ResourceCreateContentionException;
 import google.registry.model.ImmutableObject;
@@ -147,6 +149,7 @@ import org.joda.time.Duration;
  * @error {@link DomainCreateFlow.NoGeneralRegistrationsInCurrentPhaseException}
  * @error {@link DomainCreateFlow.NoTrademarkedRegistrationsBeforeSunriseException}
  * @error {@link BulkDomainRegisteredForTooManyYearsException}
+ * @error {@link ContactsProhibitedException}
  * @error {@link DomainCreateFlow.SignedMarksOnlyDuringSunriseException}
  * @error {@link DomainFlowTmchUtils.NoMarksFoundMatchingDomainException}
  * @error {@link DomainFlowTmchUtils.FoundMarkNotYetValidException}
@@ -194,6 +197,7 @@ import org.joda.time.Duration;
  * @error {@link DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverAllowListException}
  * @error {@link DomainFlowUtils.PremiumNameBlockedException}
  * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
+ * @error {@link RegistrantProhibitedException}
  * @error {@link DomainFlowUtils.RegistrarMustBeActiveForThisOperationException}
  * @error {@link DomainFlowUtils.TldDoesNotExistException}
  * @error {@link DomainFlowUtils.TooManyDsRecordsException}
@@ -244,7 +248,7 @@ public final class DomainCreateFlow implements MutatingFlow {
     verifyResourceDoesNotExist(Domain.class, targetId, now, registrarId);
     // Validate that this is actually a legal domain name on a TLD that the registrar has access to.
     InternetDomainName domainName = validateDomainName(command.getDomainName());
-    String domainLabel = domainName.parts().get(0);
+    String domainLabel = domainName.parts().getFirst();
     Tld tld = Tld.get(domainName.parent().toString());
     validateCreateCommandContactsAndNameservers(command, tld, domainName);
     TldState tldState = tld.getTldState(now);

core/src/main/java/google/registry/flows/domain/DomainDeleteFlow.java

@@ -17,6 +17,7 @@ package google.registry.flows.domain;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
+import static google.registry.flows.FlowUtils.DELETE_PROHIBITED_STATUSES;
 import static google.registry.flows.FlowUtils.createHistoryEntryId;
 import static google.registry.flows.FlowUtils.persistEntityChanges;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
@@ -122,11 +123,6 @@ public final class DomainDeleteFlow implements MutatingFlow, SqlStatementLogging
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
-  private static final ImmutableSet<StatusValue> DISALLOWED_STATUSES = ImmutableSet.of(
-      StatusValue.CLIENT_DELETE_PROHIBITED,
-      StatusValue.PENDING_DELETE,
-      StatusValue.SERVER_DELETE_PROHIBITED);
-
   @Inject ExtensionManager extensionManager;
   @Inject EppInput eppInput;
   @Inject SessionMetadata sessionMetadata;
@@ -304,9 +300,10 @@ public final class DomainDeleteFlow implements MutatingFlow, SqlStatementLogging
 
   private void verifyDeleteAllowed(Domain existingDomain, Tld tld, DateTime now)
       throws EppException {
-    verifyNoDisallowedStatuses(existingDomain, DISALLOWED_STATUSES);
     verifyOptionalAuthInfo(authInfo, existingDomain);
+    verifyNoDisallowedStatuses(existingDomain, ImmutableSet.of(StatusValue.PENDING_DELETE));
     if (!isSuperuser) {
+      verifyNoDisallowedStatuses(existingDomain, DELETE_PROHIBITED_STATUSES);
       verifyResourceOwnership(registrarId, existingDomain);
       verifyNotInPredelegation(tld, now);
       checkAllowedAccessToTld(registrarId, tld.getTld().toString());

core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java

@@ -25,7 +25,7 @@ import static com.google.common.collect.Sets.intersection;
 import static com.google.common.collect.Sets.union;
 import static google.registry.bsa.persistence.BsaLabelUtils.isLabelBlocked;
 import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_OPTIONAL;
-import static google.registry.model.common.FeatureFlag.isActiveNow;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
 import static google.registry.model.domain.Domain.MAX_REGISTRATION_YEARS;
 import static google.registry.model.domain.token.AllocationToken.TokenType.REGISTER_BSA;
 import static google.registry.model.tld.Tld.TldState.GENERAL_AVAILABILITY;
@@ -75,11 +75,13 @@ import google.registry.flows.EppException.ParameterValueSyntaxErrorException;
 import google.registry.flows.EppException.RequiredParameterMissingException;
 import google.registry.flows.EppException.StatusProhibitsOperationException;
 import google.registry.flows.EppException.UnimplementedOptionException;
+import google.registry.flows.exceptions.ContactsProhibitedException;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
 import google.registry.model.EppResource;
 import google.registry.model.billing.BillingBase.Flag;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingRecurrence;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.contact.Contact;
 import google.registry.model.domain.DesignatedContact;
 import google.registry.model.domain.DesignatedContact.Type;
@@ -417,7 +419,7 @@ public class DomainFlowUtils {
     contacts.stream().map(DesignatedContact::getContactKey).forEach(keysToLoad::add);
     registrant.ifPresent(keysToLoad::add);
     keysToLoad.addAll(nameservers);
-    verifyNotInPendingDelete(EppResource.loadCached(keysToLoad.build()).values());
+    verifyNotInPendingDelete(EppResource.loadByCacheIfEnabled(keysToLoad.build()).values());
   }
 
   private static void verifyNotInPendingDelete(Iterable<EppResource> resources)
@@ -478,27 +480,76 @@ public class DomainFlowUtils {
     }
   }
 
-  static void validateRequiredContactsPresentIfRequiredForDataset(
+  /**
+   * Enforces the presence/absence of contact data on domain creates depending on the minimum data
+   * set migration schedule.
+   */
+  static void validateCreateContactData(
       Optional<VKey<Contact>> registrant, Set<DesignatedContact> contacts)
-      throws RequiredParameterMissingException {
-    // TODO(b/353347632): Change this flag check to a registry config check.
-    if (isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)) {
-      // Contacts are not required once we have begun the migration to the minimum dataset
-      return;
-    }
-    if (registrant.isEmpty()) {
-      throw new MissingRegistrantException();
-    }
+      throws RequiredParameterMissingException, ParameterValuePolicyErrorException {
+    // TODO(b/353347632): Change these flag checks to a registry config check once minimum data set
+    //                    migration is completed.
+    if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
+      if (registrant.isPresent()) {
+        throw new RegistrantProhibitedException();
+      }
+      if (!contacts.isEmpty()) {
+        throw new ContactsProhibitedException();
+      }
+    } else if (!FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)) {
+      if (registrant.isEmpty()) {
+        throw new MissingRegistrantException();
+      }
 
-    Set<Type> roles = new HashSet<>();
-    for (DesignatedContact contact : contacts) {
-      roles.add(contact.getType());
+      Set<Type> roles = new HashSet<>();
+      for (DesignatedContact contact : contacts) {
+        roles.add(contact.getType());
+      }
+      if (!roles.contains(Type.ADMIN)) {
+        throw new MissingAdminContactException();
+      }
+      if (!roles.contains(Type.TECH)) {
+        throw new MissingTechnicalContactException();
+      }
     }
-    if (!roles.contains(Type.ADMIN)) {
-      throw new MissingAdminContactException();
-    }
-    if (!roles.contains(Type.TECH)) {
-      throw new MissingTechnicalContactException();
+  }
+
+  /**
+   * Enforces the presence/absence of contact data on domain updates depending on the minimum data
+   * set migration schedule.
+   */
+  static void validateUpdateContactData(
+      Optional<VKey<Contact>> existingRegistrant,
+      Optional<VKey<Contact>> newRegistrant,
+      Set<DesignatedContact> existingContacts,
+      Set<DesignatedContact> newContacts)
+      throws RequiredParameterMissingException, ParameterValuePolicyErrorException {
+    // TODO(b/353347632): Change these flag checks to a registry config check once minimum data set
+    //                    migration is completed.
+    if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
+      // Throw if the update specifies a new registrant that is different from the existing one.
+      if (newRegistrant.isPresent() && !newRegistrant.equals(existingRegistrant)) {
+        throw new RegistrantProhibitedException();
+      }
+      // Throw if the update specifies any new contacts that weren't already present on the domain.
+      if (!Sets.difference(newContacts, existingContacts).isEmpty()) {
+        throw new ContactsProhibitedException();
+      }
+    } else if (!FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)) {
+      // Throw if the update empties out a registrant that had been present.
+      if (newRegistrant.isEmpty() && existingRegistrant.isPresent()) {
+        throw new MissingRegistrantException();
+      }
+      // Throw if the update contains no admin contact when one had been present.
+      if (existingContacts.stream().anyMatch(c -> c.getType().equals(Type.ADMIN))
+          && newContacts.stream().noneMatch(c -> c.getType().equals(Type.ADMIN))) {
+        throw new MissingAdminContactException();
+      }
+      // Throw if the update contains no tech contact when one had been present.
+      if (existingContacts.stream().anyMatch(c -> c.getType().equals(Type.TECH))
+          && newContacts.stream().noneMatch(c -> c.getType().equals(Type.TECH))) {
+        throw new MissingTechnicalContactException();
+      }
     }
   }
 
@@ -1042,8 +1093,7 @@ public class DomainFlowUtils {
     String tldStr = tld.getTldStr();
     validateRegistrantAllowedOnTld(tldStr, command.getRegistrantContactId());
     validateNoDuplicateContacts(command.getContacts());
-    validateRequiredContactsPresentIfRequiredForDataset(
-        command.getRegistrant(), command.getContacts());
+    validateCreateContactData(command.getRegistrant(), command.getContacts());
     ImmutableSet<String> hostNames = command.getNameserverHostNames();
     validateNameserversCountForTld(tldStr, domainName, hostNames.size());
     validateNameserversAllowedOnTld(tldStr, hostNames);
@@ -1347,7 +1397,7 @@ public class DomainFlowUtils {
   }
 
   /** Domain name is under tld which doesn't exist. */
-  static class TldDoesNotExistException extends ParameterValueRangeErrorException {
+  public static class TldDoesNotExistException extends ParameterValueRangeErrorException {
     public TldDoesNotExistException(String tld) {
       super(String.format("Domain name is under tld %s which doesn't exist", tld));
     }
@@ -1367,6 +1417,13 @@ public class DomainFlowUtils {
     }
   }
 
+  /** Having a registrant is prohibited by registry policy. */
+  static class RegistrantProhibitedException extends ParameterValuePolicyErrorException {
+    public RegistrantProhibitedException() {
+      super("Having a registrant is prohibited by registry policy");
+    }
+  }
+
   /** Admin contact is required. */
   static class MissingAdminContactException extends RequiredParameterMissingException {
     public MissingAdminContactException() {

core/src/main/java/google/registry/flows/domain/DomainUpdateFlow.java

@@ -37,11 +37,11 @@ import static google.registry.flows.domain.DomainFlowUtils.validateNameserversAl
 import static google.registry.flows.domain.DomainFlowUtils.validateNameserversCountForTld;
 import static google.registry.flows.domain.DomainFlowUtils.validateNoDuplicateContacts;
 import static google.registry.flows.domain.DomainFlowUtils.validateRegistrantAllowedOnTld;
-import static google.registry.flows.domain.DomainFlowUtils.validateRequiredContactsPresentIfRequiredForDataset;
+import static google.registry.flows.domain.DomainFlowUtils.validateUpdateContactData;
 import static google.registry.flows.domain.DomainFlowUtils.verifyClientUpdateNotProhibited;
 import static google.registry.flows.domain.DomainFlowUtils.verifyNotInPendingDelete;
 import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_OPTIONAL;
-import static google.registry.model.common.FeatureFlag.isActiveNow;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_UPDATE;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
@@ -64,9 +64,11 @@ import google.registry.flows.custom.DomainUpdateFlowCustomLogic.BeforeSaveParame
 import google.registry.flows.custom.EntityChanges;
 import google.registry.flows.domain.DomainFlowUtils.MissingRegistrantException;
 import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverAllowListException;
+import google.registry.flows.domain.DomainFlowUtils.RegistrantProhibitedException;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingEvent;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.contact.Contact;
 import google.registry.model.domain.DesignatedContact;
 import google.registry.model.domain.Domain;
@@ -130,6 +132,7 @@ import org.joda.time.DateTime;
  * @error {@link NameserversNotSpecifiedForTldWithNameserverAllowListException}
  * @error {@link DomainFlowUtils.NotAuthorizedForTldException}
  * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
+ * @error {@link RegistrantProhibitedException}
  * @error {@link DomainFlowUtils.SecDnsAllUsageException}
  * @error {@link DomainFlowUtils.TooManyDsRecordsException}
  * @error {@link DomainFlowUtils.TooManyNameserversException}
@@ -183,7 +186,7 @@ public final class DomainUpdateFlow implements MutatingFlow {
     Domain newDomain = performUpdate(command, existingDomain, now);
     DomainHistory domainHistory =
         historyBuilder.setType(DOMAIN_UPDATE).setDomain(newDomain).build();
-    validateNewState(newDomain);
+    validateNewState(existingDomain, newDomain);
     if (requiresDnsUpdate(existingDomain, newDomain)) {
       requestDomainDnsRefresh(targetId);
     }
@@ -304,11 +307,12 @@ public final class DomainUpdateFlow implements MutatingFlow {
 
   private Optional<VKey<Contact>> determineUpdatedRegistrant(Change change, Domain domain)
       throws EppException {
-    // During phase 1 of minimum dataset transition, allow registrant to be removed
+    // During or after the minimum dataset transition, allow registrant to be removed.
     if (change.getRegistrantContactId().isPresent()
         && change.getRegistrantContactId().get().isEmpty()) {
       // TODO(b/353347632): Change this flag check to a registry config check.
-      if (isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)) {
+      if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)
+          || FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
         return Optional.empty();
       } else {
         throw new MissingRegistrantException();
@@ -324,9 +328,13 @@ public final class DomainUpdateFlow implements MutatingFlow {
    * compliant with the additions or amendments, otherwise existing data can become invalid and
    * cause Domain update failure.
    */
-  private static void validateNewState(Domain newDomain) throws EppException {
-    validateRequiredContactsPresentIfRequiredForDataset(
-        newDomain.getRegistrant(), newDomain.getContacts());
+  private static void validateNewState(Domain existingDomain, Domain newDomain)
+      throws EppException {
+    validateUpdateContactData(
+        existingDomain.getRegistrant(),
+        newDomain.getRegistrant(),
+        existingDomain.getContacts(),
+        newDomain.getContacts());
     validateDsData(newDomain.getDsData());
     validateNameserversCountForTld(
         newDomain.getTld(),

core/src/main/java/google/registry/flows/exceptions/ContactsProhibitedException.java

@@ -0,0 +1,24 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.flows.exceptions;
+
+import google.registry.flows.EppException.ParameterValuePolicyErrorException;
+
+/** Having contacts is prohibited by registry policy */
+public class ContactsProhibitedException extends ParameterValuePolicyErrorException {
+  public ContactsProhibitedException() {
+    super("Having contacts is prohibited by registry policy");
+  }
+}

core/src/main/java/google/registry/flows/host/HostDeleteFlow.java

@@ -15,6 +15,7 @@
 package google.registry.flows.host;
 
 import static google.registry.dns.DnsUtils.requestHostDnsRefresh;
+import static google.registry.flows.FlowUtils.DELETE_PROHIBITED_STATUSES;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.checkLinkedDomains;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
@@ -65,12 +66,6 @@ import org.joda.time.DateTime;
 @ReportingSpec(ActivityReportField.HOST_DELETE)
 public final class HostDeleteFlow implements MutatingFlow {
 
-  private static final ImmutableSet<StatusValue> DISALLOWED_STATUSES =
-      ImmutableSet.of(
-          StatusValue.CLIENT_DELETE_PROHIBITED,
-          StatusValue.PENDING_DELETE,
-          StatusValue.SERVER_DELETE_PROHIBITED);
-
   @Inject ExtensionManager extensionManager;
   @Inject @RegistrarId String registrarId;
   @Inject @TargetId String targetId;
@@ -91,8 +86,9 @@ public final class HostDeleteFlow implements MutatingFlow {
     validateHostName(targetId);
     checkLinkedDomains(targetId, now, Host.class);
     Host existingHost = loadAndVerifyExistence(Host.class, targetId, now);
-    verifyNoDisallowedStatuses(existingHost, DISALLOWED_STATUSES);
+    verifyNoDisallowedStatuses(existingHost, ImmutableSet.of(StatusValue.PENDING_DELETE));
     if (!isSuperuser) {
+      verifyNoDisallowedStatuses(existingHost, DELETE_PROHIBITED_STATUSES);
       // Hosts transfer with their superordinate domains, so for hosts with a superordinate domain,
       // the client id, needs to be read off of it.
       EppResource owningResource =

core/src/main/java/google/registry/flows/session/LoginFlow.java

@@ -47,6 +47,7 @@ import google.registry.model.eppinput.EppInput.Options;
 import google.registry.model.eppinput.EppInput.Services;
 import google.registry.model.eppoutput.EppResponse;
 import google.registry.model.registrar.Registrar;
+import google.registry.util.StopwatchLogger;
 import jakarta.inject.Inject;
 import java.util.Optional;
 import java.util.Set;
@@ -97,19 +98,25 @@ public class LoginFlow implements MutatingFlow {
 
   /** Run the flow without bothering to log errors. The {@link #run} method will do that for us. */
   private EppResponse runWithoutLogging() throws EppException {
+    final StopwatchLogger stopwatch = new StopwatchLogger();
     extensionManager.validate();  // There are no legal extensions for this flow.
+    stopwatch.tick("LoginFlow extension validate");
     Login login = (Login) eppInput.getCommandWrapper().getCommand();
+    stopwatch.tick("LoginFlow getCommand");
     if (!registrarId.isEmpty()) {
       throw new AlreadyLoggedInException();
     }
     Options options = login.getOptions();
+    stopwatch.tick("LoginFlow getOptions");
     if (!ProtocolDefinition.LANGUAGE.equals(options.getLanguage())) {
       throw new UnsupportedLanguageException();
     }
     Services services = login.getServices();
+    stopwatch.tick("LoginFlow getServices");
     Set<String> unsupportedObjectServices = difference(
         nullToEmpty(services.getObjectServices()),
         ProtocolDefinition.SUPPORTED_OBJECT_SERVICES);
+    stopwatch.tick("LoginFlow difference unsupportedObjectServices");
     if (!unsupportedObjectServices.isEmpty()) {
       throw new UnimplementedObjectServiceException();
     }
@@ -121,11 +128,12 @@ public class LoginFlow implements MutatingFlow {
       }
       serviceExtensionUrisBuilder.add(uri);
     }
+    stopwatch.tick("LoginFlow serviceExtensionUrisBuilder");
     Optional<Registrar> registrar = Registrar.loadByRegistrarIdCached(login.getClientId());
     if (registrar.isEmpty()) {
       throw new BadRegistrarIdException(login.getClientId());
     }
-
+    stopwatch.tick("LoginFlow loadByRegistrarIdCached");
     // AuthenticationErrorExceptions will propagate up through here.
     try {
       credentials.validate(registrar.get(), login.getPassword());
@@ -137,6 +145,7 @@ public class LoginFlow implements MutatingFlow {
         throw e;
       }
     }
+    stopwatch.tick("LoginFlow credentials.validate");
     if (!registrar.get().isLive()) {
       throw new RegistrarAccountNotActiveException();
     }
@@ -145,17 +154,24 @@ public class LoginFlow implements MutatingFlow {
       String newPassword = login.getNewPassword().get();
       // Load fresh from database (bypassing the cache) to ensure we don't save stale data.
       Optional<Registrar> freshRegistrar = Registrar.loadByRegistrarId(login.getClientId());
+      stopwatch.tick("LoginFlow reload freshRegistrar");
       if (freshRegistrar.isEmpty()) {
         throw new BadRegistrarIdException(login.getClientId());
       }
       tm().put(freshRegistrar.get().asBuilder().setPassword(newPassword).build());
+      stopwatch.tick("LoginFlow updated password");
     }
 
     // We are in!
     sessionMetadata.resetFailedLoginAttempts();
+    stopwatch.tick("LoginFlow resetFailedLoginAttempts");
     sessionMetadata.setRegistrarId(login.getClientId());
+    stopwatch.tick("LoginFlow setRegistrarId");
     sessionMetadata.setServiceExtensionUris(serviceExtensionUrisBuilder.build());
-    return responseBuilder.setIsLoginResponse().build();
+    stopwatch.tick("LoginFlow setServiceExtensionUris");
+    EppResponse eppResponse = responseBuilder.setIsLoginResponse().build();
+    stopwatch.tick("LoginFlow eppResponse build()");
+    return eppResponse;
   }
 
   /** Registrar with this ID could not be found. */

core/src/main/java/google/registry/loadtest/LoadTestAction.java

@@ -17,10 +17,7 @@ package google.registry.loadtest;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.Lists.partition;
-import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
 import static google.registry.util.ResourceUtils.readResourceUtf8;
-import static java.util.Arrays.asList;
-import static org.joda.time.DateTimeZone.UTC;
 
 import com.google.cloud.tasks.v2.Task;
 import com.google.common.collect.ImmutableList;
@@ -34,7 +31,7 @@ import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
-import google.registry.security.XsrfTokenManager;
+import google.registry.util.Clock;
 import google.registry.util.RegistryEnvironment;
 import jakarta.inject.Inject;
 import java.time.Instant;
@@ -67,11 +64,9 @@ public class LoadTestAction implements Runnable {
   private static final int NUM_QUEUES = 10;
   private static final int MAX_TASKS_PER_LOAD = 100;
   private static final int ARBITRARY_VALID_HOST_LENGTH = 40;
-  private static final int MAX_CONTACT_LENGTH = 13;
   private static final int MAX_DOMAIN_LABEL_LENGTH = 63;
 
   private static final String EXISTING_DOMAIN = "testdomain";
-  private static final String EXISTING_CONTACT = "contact";
   private static final String EXISTING_HOST = "ns1";
 
   private static final Random random = new Random();
@@ -85,8 +80,8 @@ public class LoadTestAction implements Runnable {
 
   /**
    * The number of seconds to delay the execution of the first load testing tasks by. Preparatory
-   * work of creating independent contacts and hosts that will be used for later domain creation
-   * testing occurs during this period, so make sure that it is long enough.
+   * work of creating independent hosts that will be used for later domain creation testing occurs
+   * during this period, so make sure that it is long enough.
    */
   @Inject
   @Parameter("delaySeconds")
@@ -120,21 +115,6 @@ public class LoadTestAction implements Runnable {
   @Parameter("domainChecks")
   int domainChecksPerSecond;
 
-  /** The number of successful contact creates to enqueue per second over the length of the test. */
-  @Inject
-  @Parameter("successfulContactCreates")
-  int successfulContactCreatesPerSecond;
-
-  /** The number of failed contact creates to enqueue per second over the length of the test. */
-  @Inject
-  @Parameter("failedContactCreates")
-  int failedContactCreatesPerSecond;
-
-  /** The number of successful contact infos to enqueue per second over the length of the test. */
-  @Inject
-  @Parameter("contactInfos")
-  int contactInfosPerSecond;
-
   /** The number of successful host creates to enqueue per second over the length of the test. */
   @Inject
   @Parameter("successfulHostCreates")
@@ -152,9 +132,8 @@ public class LoadTestAction implements Runnable {
 
   @Inject CloudTasksUtils cloudTasksUtils;
 
-  private final String xmlContactCreateTmpl;
-  private final String xmlContactCreateFail;
-  private final String xmlContactInfo;
+  @Inject Clock clock;
+
   private final String xmlDomainCheck;
   private final String xmlDomainCreateTmpl;
   private final String xmlDomainCreateFail;
@@ -163,53 +142,35 @@ public class LoadTestAction implements Runnable {
   private final String xmlHostCreateFail;
   private final String xmlHostInfo;
 
-  /**
-   * The XSRF token to be used for making requests to the epptool endpoint.
-   *
-   * <p>Note that the email address is set to empty, because the logged-in user hitting this
-   * endpoint will not be the same as when the tasks themselves fire and hit the epptool endpoint.
-   */
-  private final String xsrfToken;
-
   @Inject
-  LoadTestAction(@Parameter("tld") String tld, XsrfTokenManager xsrfTokenManager) {
-    xmlContactCreateTmpl = loadXml("contact_create");
-    xmlContactCreateFail = xmlContactCreateTmpl.replace("%contact%", EXISTING_CONTACT);
-    xmlContactInfo = loadXml("contact_info").replace("%contact%", EXISTING_CONTACT);
+  LoadTestAction(@Parameter("tld") String tld) {
     xmlDomainCheck =
         loadXml("domain_check").replace("%tld%", tld).replace("%domain%", EXISTING_DOMAIN);
     xmlDomainCreateTmpl = loadXml("domain_create").replace("%tld%", tld);
     xmlDomainCreateFail =
         xmlDomainCreateTmpl
             .replace("%domain%", EXISTING_DOMAIN)
-            .replace("%contact%", EXISTING_CONTACT)
             .replace("%host%", EXISTING_HOST);
     xmlDomainInfo =
         loadXml("domain_info").replace("%tld%", tld).replace("%domain%", EXISTING_DOMAIN);
     xmlHostCreateTmpl = loadXml("host_create");
     xmlHostCreateFail = xmlHostCreateTmpl.replace("%host%", EXISTING_HOST);
     xmlHostInfo = loadXml("host_info").replace("%host%", EXISTING_HOST);
-    xsrfToken = xsrfTokenManager.generateToken("");
   }
 
   @Override
   public void run() {
     validateAndLogRequest();
-    DateTime initialStartSecond = DateTime.now(UTC).plusSeconds(delaySeconds);
+    DateTime initialStartSecond = clock.nowUtc().plusSeconds(delaySeconds);
     ImmutableList.Builder<String> preTaskXmls = new ImmutableList.Builder<>();
-    ImmutableList.Builder<String> contactNamesBuilder = new ImmutableList.Builder<>();
     ImmutableList.Builder<String> hostPrefixesBuilder = new ImmutableList.Builder<>();
     for (int i = 0; i < successfulDomainCreatesPerSecond; i++) {
-      String contactName = getRandomLabel(MAX_CONTACT_LENGTH);
       String hostPrefix = getRandomLabel(ARBITRARY_VALID_HOST_LENGTH);
-      contactNamesBuilder.add(contactName);
       hostPrefixesBuilder.add(hostPrefix);
       preTaskXmls.add(
-          xmlContactCreateTmpl.replace("%contact%", contactName),
           xmlHostCreateTmpl.replace("%host%", hostPrefix));
     }
-    enqueue(createTasks(preTaskXmls.build(), DateTime.now(UTC)));
-    ImmutableList<String> contactNames = contactNamesBuilder.build();
+    enqueue(createTasks(preTaskXmls.build(), clock.nowUtc()));
     ImmutableList<String> hostPrefixes = hostPrefixesBuilder.build();
 
     ImmutableList.Builder<Task> tasks = new ImmutableList.Builder<>();
@@ -217,30 +178,17 @@ public class LoadTestAction implements Runnable {
       DateTime startSecond = initialStartSecond.plusSeconds(offsetSeconds);
       // The first "failed" creates might actually succeed if the object doesn't already exist, but
       // that shouldn't affect the load numbers.
-      tasks.addAll(
-          createTasks(
-              createNumCopies(xmlContactCreateFail, failedContactCreatesPerSecond), startSecond));
       tasks.addAll(
           createTasks(createNumCopies(xmlHostCreateFail, failedHostCreatesPerSecond), startSecond));
       tasks.addAll(
           createTasks(
               createNumCopies(xmlDomainCreateFail, failedDomainCreatesPerSecond), startSecond));
       // We can do infos on the known existing objects.
-      tasks.addAll(
-          createTasks(createNumCopies(xmlContactInfo, contactInfosPerSecond), startSecond));
       tasks.addAll(createTasks(createNumCopies(xmlHostInfo, hostInfosPerSecond), startSecond));
       tasks.addAll(createTasks(createNumCopies(xmlDomainInfo, domainInfosPerSecond), startSecond));
       // The domain check template uses "example.TLD" which won't exist, and one existing domain.
       tasks.addAll(
           createTasks(createNumCopies(xmlDomainCheck, domainChecksPerSecond), startSecond));
-      // Do successful creates on random names
-      tasks.addAll(
-          createTasks(
-              createNumCopies(xmlContactCreateTmpl, successfulContactCreatesPerSecond)
-                  .stream()
-                  .map(randomNameReplacer("%contact%", MAX_CONTACT_LENGTH))
-                  .collect(toImmutableList()),
-              startSecond));
       tasks.addAll(
           createTasks(
               createNumCopies(xmlHostCreateTmpl, successfulHostCreatesPerSecond)
@@ -253,7 +201,6 @@ public class LoadTestAction implements Runnable {
               createNumCopies(xmlDomainCreateTmpl, successfulDomainCreatesPerSecond)
                   .stream()
                   .map(randomNameReplacer("%domain%", MAX_DOMAIN_LABEL_LENGTH))
-                  .map(listNameReplacer("%contact%", contactNames))
                   .map(listNameReplacer("%host%", hostPrefixes))
                   .collect(toImmutableList()),
               startSecond));
@@ -272,9 +219,6 @@ public class LoadTestAction implements Runnable {
             || failedDomainCreatesPerSecond > 0
             || domainInfosPerSecond > 0
             || domainChecksPerSecond > 0
-            || successfulContactCreatesPerSecond > 0
-            || failedContactCreatesPerSecond > 0
-            || contactInfosPerSecond > 0
             || successfulHostCreatesPerSecond > 0
             || failedHostCreatesPerSecond > 0
             || hostInfosPerSecond > 0,
@@ -282,8 +226,7 @@ public class LoadTestAction implements Runnable {
     logger.atInfo().log(
         "Running load test with the following params. registrarId: %s, delaySeconds: %d, "
             + "runSeconds: %d, successful|failed domain creates/s: %d|%d, domain infos/s: %d, "
-            + "domain checks/s: %d, successful|failed contact creates/s: %d|%d, "
-            + "contact infos/s: %d, successful|failed host creates/s: %d|%d, host infos/s: %d.",
+            + "domain checks/s: %d, successful|failed host creates/s: %d|%d, host infos/s: %d.",
         registrarId,
         delaySeconds,
         runSeconds,
@@ -291,9 +234,6 @@ public class LoadTestAction implements Runnable {
         failedDomainCreatesPerSecond,
         domainInfosPerSecond,
         domainChecksPerSecond,
-        successfulContactCreatesPerSecond,
-        failedContactCreatesPerSecond,
-        contactInfosPerSecond,
         successfulHostCreatesPerSecond,
         failedHostCreatesPerSecond,
         hostInfosPerSecond);
@@ -303,10 +243,10 @@ public class LoadTestAction implements Runnable {
     return readResourceUtf8(LoadTestAction.class, String.format("templates/%s.xml", name));
   }
 
-  private List<String> createNumCopies(String xml, int numCopies) {
+  private ImmutableList<String> createNumCopies(String xml, int numCopies) {
     String[] xmls = new String[numCopies];
     Arrays.fill(xmls, xml);
-    return asList(xmls);
+    return ImmutableList.copyOf(xmls);
   }
 
   private Function<String, String> listNameReplacer(final String toReplace, List<String> choices) {
@@ -326,35 +266,27 @@ public class LoadTestAction implements Runnable {
     return name.toString();
   }
 
-  private List<Task> createTasks(List<String> xmls, DateTime start) {
+  private ImmutableList<Task> createTasks(ImmutableList<String> xmls, DateTime start) {
     ImmutableList.Builder<Task> tasks = new ImmutableList.Builder<>();
     for (int i = 0; i < xmls.size(); i++) {
       // Space tasks evenly within across a second.
       Instant scheduleTime =
           Instant.ofEpochMilli(start.plusMillis((int) (1000.0 / xmls.size() * i)).getMillis());
       tasks.add(
-          Task.newBuilder()
-              .setAppEngineHttpRequest(
-                  cloudTasksUtils
-                      .createTask(
-                          EppToolAction.class,
-                          Action.Method.POST,
-                          ImmutableMultimap.of(
-                              "clientId",
-                              registrarId,
-                              "superuser",
-                              Boolean.FALSE.toString(),
-                              "dryRun",
-                              Boolean.FALSE.toString(),
-                              "xml",
-                              xmls.get(i)))
-                      .toBuilder()
-                      .getAppEngineHttpRequest()
-                      .toBuilder()
-                      // TODO: investigate if the following is necessary now that
-                      // LegacyAuthenticationMechanism is gone.
-                      .putHeaders(X_CSRF_TOKEN, xsrfToken)
-                      .build())
+          cloudTasksUtils
+              .createTask(
+                  EppToolAction.class,
+                  Action.Method.POST,
+                  ImmutableMultimap.of(
+                      "clientId",
+                      registrarId,
+                      "superuser",
+                      Boolean.FALSE.toString(),
+                      "dryRun",
+                      Boolean.FALSE.toString(),
+                      "xml",
+                      xmls.get(i)))
+              .toBuilder()
               .setScheduleTime(
                   Timestamp.newBuilder()
                       .setSeconds(scheduleTime.getEpochSecond())
@@ -365,7 +297,7 @@ public class LoadTestAction implements Runnable {
     return tasks.build();
   }
 
-  private void enqueue(List<Task> tasks) {
+  private void enqueue(ImmutableList<Task> tasks) {
     List<List<Task>> chunks = partition(tasks, MAX_TASKS_PER_LOAD);
     // Farm out tasks to multiple queues to work around queue qps quotas.
     for (int i = 0; i < chunks.size(); i++) {

core/src/main/java/google/registry/loadtest/templates/contact_create.xml

@@ -1,33 +0,0 @@
-<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
-  <command>
-    <create>
-      <contact:create
-       xmlns:contact="urn:ietf:params:xml:ns:contact-1.0">
-        <contact:id>%contact%</contact:id>
-        <contact:postalInfo type="int">
-          <contact:name>John Doe</contact:name>
-          <contact:org>Example Inc.</contact:org>
-          <contact:addr>
-            <contact:street>123 Example Dr.</contact:street>
-            <contact:street>Suite 100</contact:street>
-            <contact:city>Dulles</contact:city>
-            <contact:sp>VA</contact:sp>
-            <contact:pc>20166-6503</contact:pc>
-            <contact:cc>US</contact:cc>
-          </contact:addr>
-        </contact:postalInfo>
-        <contact:voice x="1234">+1.7035555555</contact:voice>
-        <contact:fax>+1.7035555556</contact:fax>
-        <contact:email>jdoe@example.com</contact:email>
-        <contact:authInfo>
-          <contact:pw>2fooBAR</contact:pw>
-        </contact:authInfo>
-        <contact:disclose flag="1">
-          <contact:voice/>
-          <contact:email/>
-        </contact:disclose>
-      </contact:create>
-    </create>
-    <clTRID>trid</clTRID>
-  </command>
-</epp>

core/src/main/java/google/registry/loadtest/templates/contact_info.xml

@@ -1,14 +0,0 @@
-<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
-  <command>
-    <info>
-      <contact:info
-       xmlns:contact="urn:ietf:params:xml:ns:contact-1.0">
-        <contact:id>%contact%</contact:id>
-        <contact:authInfo>
-          <contact:pw>2fooBAR</contact:pw>
-        </contact:authInfo>
-      </contact:info>
-    </info>
-    <clTRID>trid</clTRID>
-  </command>
-</epp>

core/src/main/java/google/registry/loadtest/templates/domain_create.xml

@@ -8,9 +8,6 @@
         <domain:ns>
           <domain:hostObj>%host%.example.com</domain:hostObj>
         </domain:ns>
-        <domain:registrant>%contact%</domain:registrant>
-        <domain:contact type="admin">%contact%</domain:contact>
-        <domain:contact type="tech">%contact%</domain:contact>
         <domain:authInfo>
           <domain:pw>2fooBAR</domain:pw>
         </domain:authInfo>

core/src/main/java/google/registry/loadtest/templates/host_create.xml

@@ -4,6 +4,7 @@
       <host:create
        xmlns:host="urn:ietf:params:xml:ns:host-1.0">
         <host:name>%host%.example.com</host:name>
+        <host:addr ip="v4">8.8.8.8</host:addr>
       </host:create>
     </create>
     <clTRID>trid</clTRID>

core/src/main/java/google/registry/model/EppResource.java

@@ -404,7 +404,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
    * <p>Don't use this unless you really need it for performance reasons, and be sure that you are
    * OK with the trade-offs in loss of transactional consistency.
    */
-  public static ImmutableMap<VKey<? extends EppResource>, EppResource> loadCached(
+  public static ImmutableMap<VKey<? extends EppResource>, EppResource> loadByCacheIfEnabled(
       Iterable<VKey<? extends EppResource>> keys) {
     if (!RegistryConfig.isEppResourceCachingEnabled()) {
       return tm().reTransact(() -> tm().loadByKeys(keys));
@@ -413,15 +413,12 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
   }
 
   /**
-   * Loads a given EppResource by its key using the cache (if enabled).
+   * Loads a given EppResource by its key using the cache.
    *
-   * <p>Don't use this unless you really need it for performance reasons, and be sure that you are
-   * OK with the trade-offs in loss of transactional consistency.
+   * <p>This method ignores the `isEppResourceCachingEnabled` config setting. It is reserved for use
+   * cases that can tolerate slightly stale data, e.g., RDAP queries.
    */
-  public static <T extends EppResource> T loadCached(VKey<T> key) {
-    if (!RegistryConfig.isEppResourceCachingEnabled()) {
-      return tm().reTransact(() -> tm().loadByKey(key));
-    }
+  public static <T extends EppResource> T loadByCache(VKey<T> key) {
     // Safe to cast because loading a Key<T> returns an entity of type T.
     @SuppressWarnings("unchecked")
     T resource = (T) cacheEppResources.get(key);

core/src/main/java/google/registry/model/EppResourceUtils.java

@@ -16,6 +16,7 @@ package google.registry.model;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static google.registry.util.DateTimeUtils.isAtOrAfter;
@@ -40,6 +41,7 @@ import google.registry.model.transfer.DomainTransferData;
 import google.registry.model.transfer.TransferData;
 import google.registry.model.transfer.TransferStatus;
 import google.registry.persistence.VKey;
+import google.registry.persistence.transaction.TransactionManager;
 import jakarta.persistence.Query;
 import java.util.Collection;
 import java.util.Comparator;
@@ -109,12 +111,12 @@ public final class EppResourceUtils {
    */
   public static <T extends EppResource> Optional<T> loadByForeignKey(
       Class<T> clazz, String foreignKey, DateTime now) {
-    return loadByForeignKeyHelper(clazz, foreignKey, now, false);
+    return loadByForeignKeyHelper(tm(), clazz, foreignKey, now, false);
   }
 
   /**
    * Loads the last created version of an {@link EppResource} from the database by foreign key,
-   * using a cache.
+   * using a cache, if caching is enabled in config settings.
    *
    * <p>Returns null if no resource with this foreign key was ever created, or if the most recently
    * created resource was deleted before time "now".
@@ -134,20 +136,36 @@ public final class EppResourceUtils {
    * @param foreignKey id to match
    * @param now the current logical time to project resources at
    */
-  public static <T extends EppResource> Optional<T> loadByForeignKeyCached(
+  public static <T extends EppResource> Optional<T> loadByForeignKeyByCacheIfEnabled(
       Class<T> clazz, String foreignKey, DateTime now) {
     return loadByForeignKeyHelper(
-        clazz, foreignKey, now, RegistryConfig.isEppResourceCachingEnabled());
+        tm(), clazz, foreignKey, now, RegistryConfig.isEppResourceCachingEnabled());
+  }
+
+  /**
+   * Loads the last created version of an {@link EppResource} from the replica database by foreign
+   * key, using a cache.
+   *
+   * <p>This method ignores the config setting for caching, and is reserved for use cases that can
+   * tolerate slightly stale data.
+   */
+  public static <T extends EppResource> Optional<T> loadByForeignKeyByCache(
+      Class<T> clazz, String foreignKey, DateTime now) {
+    return loadByForeignKeyHelper(replicaTm(), clazz, foreignKey, now, true);
   }
 
   private static <T extends EppResource> Optional<T> loadByForeignKeyHelper(
-      Class<T> clazz, String foreignKey, DateTime now, boolean useCache) {
+      TransactionManager txnManager,
+      Class<T> clazz,
+      String foreignKey,
+      DateTime now,
+      boolean useCache) {
     checkArgument(
         ForeignKeyedEppResource.class.isAssignableFrom(clazz),
         "loadByForeignKey may only be called for foreign keyed EPP resources");
     VKey<T> key =
         useCache
-            ? ForeignKeyUtils.loadCached(clazz, ImmutableList.of(foreignKey), now).get(foreignKey)
+            ? ForeignKeyUtils.loadByCache(clazz, ImmutableList.of(foreignKey), now).get(foreignKey)
             : ForeignKeyUtils.load(clazz, foreignKey, now);
     // The returned key is null if the resource is hard deleted or soft deleted by the given time.
     if (key == null) {
@@ -155,10 +173,10 @@ public final class EppResourceUtils {
     }
     T resource =
         useCache
-            ? EppResource.loadCached(key)
+            ? EppResource.loadByCache(key)
             // This transaction is buried very deeply inside many outer nested calls, hence merits
             // the use of reTransact() for now pending a substantial refactoring.
-            : tm().reTransact(() -> tm().loadByKeyIfPresent(key).orElse(null));
+            : txnManager.reTransact(() -> txnManager.loadByKeyIfPresent(key).orElse(null));
     if (resource == null || isAtOrAfter(now, resource.getDeletionTime())) {
       return Optional.empty();
     }

core/src/main/java/google/registry/model/ForeignKeyUtils.java

@@ -204,11 +204,25 @@ public final class ForeignKeyUtils {
    * <p>Don't use the cached version of this method unless you really need it for performance
    * reasons, and are OK with the trade-offs in loss of transactional consistency.
    */
-  public static <E extends EppResource> ImmutableMap<String, VKey<E>> loadCached(
+  public static <E extends EppResource> ImmutableMap<String, VKey<E>> loadByCacheIfEnabled(
       Class<E> clazz, Collection<String> foreignKeys, final DateTime now) {
     if (!RegistryConfig.isEppResourceCachingEnabled()) {
       return load(clazz, foreignKeys, now);
     }
+    return loadByCache(clazz, foreignKeys, now);
+  }
+
+  /**
+   * Load a list of {@link VKey} to {@link EppResource} instances by class and foreign key strings
+   * that are active at or after the specified moment in time, using the cache.
+   *
+   * <p>The returned map will omit any keys for which the {@link EppResource} doesn't exist or has
+   * been soft-deleted.
+   *
+   * <p>This method is reserved for use cases that can tolerate slightly stale data.
+   */
+  public static <E extends EppResource> ImmutableMap<String, VKey<E>> loadByCache(
+      Class<E> clazz, Collection<String> foreignKeys, final DateTime now) {
     return foreignKeyCache
         .getAll(foreignKeys.stream().map(fk -> VKey.create(clazz, fk)).collect(toImmutableList()))
         .entrySet()

core/src/main/java/google/registry/model/common/FeatureFlag.java

@@ -62,11 +62,31 @@ public class FeatureFlag extends ImmutableObject implements Buildable {
     INACTIVE
   }
 
+  /** The names of the feature flags that can be individually set. */
   public enum FeatureName {
-    TEST_FEATURE,
-    MINIMUM_DATASET_CONTACTS_OPTIONAL,
-    MINIMUM_DATASET_CONTACTS_PROHIBITED,
-    INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS
+    /** Feature flag name used for testing only. */
+    TEST_FEATURE(FeatureStatus.INACTIVE),
+
+    /** If we're not requiring the presence of contact data on domain EPP commands. */
+    MINIMUM_DATASET_CONTACTS_OPTIONAL(FeatureStatus.INACTIVE),
+
+    /** If we're not permitting the presence of contact data on any EPP commands. */
+    MINIMUM_DATASET_CONTACTS_PROHIBITED(FeatureStatus.INACTIVE),
+
+    /**
+     * If we're including the upcoming domain drop date in the exported list of registered domains.
+     */
+    INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS(FeatureStatus.INACTIVE);
+
+    private final FeatureStatus defaultStatus;
+
+    FeatureName(FeatureStatus defaultStatus) {
+      this.defaultStatus = defaultStatus;
+    }
+
+    FeatureStatus getDefaultStatus() {
+      return this.defaultStatus;
+    }
   }
 
   /** The name of the flag/feature. */
@@ -155,24 +175,24 @@ public class FeatureFlag extends ImmutableObject implements Buildable {
     return status.getValueAtTime(time);
   }
 
-  /** Returns if the flag is active, or the default value if the flag does not exist. */
-  public static boolean isActiveNowOrElse(FeatureName featureName, boolean defaultValue) {
-    tm().assertInTransaction();
-    return CACHE
-        .get(featureName)
-        .map(flag -> flag.getStatus(tm().getTransactionTime()).equals(ACTIVE))
-        .orElse(defaultValue);
-  }
-
-  /** Returns if the FeatureFlag with the given FeatureName is active now. */
+  /**
+   * Returns whether the flag is active now, or else the flag's default value if it doesn't exist.
+   */
   public static boolean isActiveNow(FeatureName featureName) {
     tm().assertInTransaction();
     return isActiveAt(featureName, tm().getTransactionTime());
   }
 
-  /** Returns if the FeatureFlag with the given FeatureName is active at a given time. */
+  /**
+   * Returns whether the flag is active at the given time, or else the flag's default value if it
+   * doesn't exist.
+   */
   public static boolean isActiveAt(FeatureName featureName, DateTime dateTime) {
-    return FeatureFlag.get(featureName).getStatus(dateTime).equals(ACTIVE);
+    tm().assertInTransaction();
+    return CACHE
+        .get(featureName)
+        .map(flag -> flag.getStatus(dateTime).equals(ACTIVE))
+        .orElse(featureName.getDefaultStatus().equals(ACTIVE));
   }
 
   @Override

core/src/main/java/google/registry/model/console/ConsolePermission.java

@@ -16,6 +16,8 @@ package google.registry.model.console;
 
 /** Permissions that users may have in the UI, either per-registrar or globally. */
 public enum ConsolePermission {
+  AUDIT_ACTIVITY_BY_USER,
+  AUDIT_ACTIVITY_BY_REGISTRAR,
   /** View basic information about a registrar. */
   VIEW_REGISTRAR_DETAILS,
   /** Edit basic information about a registrar. */

core/src/main/java/google/registry/model/console/ConsoleRoleDefinitions.java

@@ -55,6 +55,8 @@ public class ConsoleRoleDefinitions {
       new ImmutableSet.Builder<ConsolePermission>()
           .addAll(SUPPORT_AGENT_PERMISSIONS)
           .add(
+              ConsolePermission.AUDIT_ACTIVITY_BY_USER,
+              ConsolePermission.AUDIT_ACTIVITY_BY_REGISTRAR,
               ConsolePermission.MANAGE_REGISTRARS,
               ConsolePermission.GET_REGISTRANT_EMAIL,
               ConsolePermission.SUSPEND_DOMAIN,
@@ -111,6 +113,7 @@ public class ConsoleRoleDefinitions {
       new ImmutableSet.Builder<ConsolePermission>()
           .addAll(TECH_CONTACT_PERMISSIONS)
           .add(ConsolePermission.MANAGE_USERS)
+          .add(ConsolePermission.AUDIT_ACTIVITY_BY_REGISTRAR)
           .build();
 
   private ConsoleRoleDefinitions() {}

core/src/main/java/google/registry/model/console/ConsoleUpdateHistory.java

@@ -16,6 +16,7 @@ package google.registry.model.console;
 
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 
+import com.google.gson.annotations.Expose;
 import google.registry.model.Buildable;
 import google.registry.model.ImmutableObject;
 import google.registry.model.annotations.IdAllocation;
@@ -45,6 +46,7 @@ public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
   @Id @IdAllocation @Column Long revisionId;
 
   @Column(nullable = false)
+  @Expose
   DateTime modificationTime;
 
   /** The HTTP method (e.g. POST, PUT) used to make this modification. */
@@ -54,6 +56,7 @@ public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
   /** The type of modification. */
   @Column(nullable = false)
   @Enumerated(EnumType.STRING)
+  @Expose
   Type type;
 
   /** The URL of the action that was used to make the modification. */
@@ -61,11 +64,12 @@ public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
   String url;
 
   /** An optional further description of the action. */
-  String description;
+  @Expose String description;
 
   /** The user that performed the modification. */
   @JoinColumn(name = "actingUser", referencedColumnName = "emailAddress", nullable = false)
   @ManyToOne
+  @Expose
   User actingUser;
 
   public Long getRevisionId() {
@@ -102,18 +106,24 @@ public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
   }
 
   public enum Type {
+    DUM_DOWNLOAD,
     DOMAIN_DELETE,
     DOMAIN_SUSPEND,
     DOMAIN_UNSUSPEND,
     EPP_PASSWORD_UPDATE,
     REGISTRAR_CREATE,
+    REGISTRAR_CONTACTS_UPDATE,
     REGISTRAR_SECURITY_UPDATE,
     REGISTRAR_UPDATE,
+    REGISTRY_LOCK,
+    REGISTRY_UNLOCK,
     USER_CREATE,
     USER_DELETE,
-    USER_UPDATE
+    USER_UPDATE,
   }
 
+  public static final String DESCRIPTION_SEPARATOR = "|";
+
   public static class Builder extends Buildable.Builder<ConsoleUpdateHistory> {
     public Builder() {}
 

core/src/main/java/google/registry/model/console/PasswordResetRequest.java

@@ -0,0 +1,150 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.console;
+
+import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
+
+import google.registry.model.Buildable;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.ImmutableObject;
+import google.registry.persistence.WithVKey;
+import jakarta.persistence.AttributeOverride;
+import jakarta.persistence.AttributeOverrides;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.Id;
+import java.util.Optional;
+import java.util.UUID;
+import org.joda.time.DateTime;
+
+/**
+ * Represents a password reset request of some type.
+ *
+ * <p>Password reset requests must be performed within an hour of the time that they were requested,
+ * as well as requiring that the requester and the fulfiller have the proper respective permissions.
+ */
+@Entity
+@WithVKey(String.class)
+public class PasswordResetRequest extends ImmutableObject implements Buildable {
+
+  public enum Type {
+    EPP,
+    REGISTRY_LOCK
+  }
+
+  @Id private String verificationCode;
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  Type type;
+
+  @AttributeOverrides({
+    @AttributeOverride(
+        name = "creationTime",
+        column = @Column(name = "requestTime", nullable = false))
+  })
+  CreateAutoTimestamp requestTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  String requester;
+
+  @Column DateTime fulfillmentTime;
+
+  @Column(nullable = false)
+  String destinationEmail;
+
+  @Column(nullable = false)
+  String registrarId;
+
+  public String getVerificationCode() {
+    return verificationCode;
+  }
+
+  public Type getType() {
+    return type;
+  }
+
+  public DateTime getRequestTime() {
+    return requestTime.getTimestamp();
+  }
+
+  public String getRequester() {
+    return requester;
+  }
+
+  public Optional<DateTime> getFulfillmentTime() {
+    return Optional.ofNullable(fulfillmentTime);
+  }
+
+  public String getDestinationEmail() {
+    return destinationEmail;
+  }
+
+  public String getRegistrarId() {
+    return registrarId;
+  }
+
+  @Override
+  public Builder asBuilder() {
+    return new Builder(clone(this));
+  }
+
+  /** Builder for constructing immutable {@link PasswordResetRequest} objects. */
+  public static class Builder extends Buildable.Builder<PasswordResetRequest> {
+
+    public Builder() {}
+
+    private Builder(PasswordResetRequest instance) {
+      super(instance);
+    }
+
+    @Override
+    public PasswordResetRequest build() {
+      checkArgumentNotNull(getInstance().type, "Type must be specified");
+      checkArgumentNotNull(getInstance().requester, "Requester must be specified");
+      checkArgumentNotNull(getInstance().destinationEmail, "Destination email must be specified");
+      checkArgumentNotNull(getInstance().registrarId, "Registrar ID must be specified");
+      getInstance().verificationCode = UUID.randomUUID().toString();
+      return super.build();
+    }
+
+    public Builder setType(Type type) {
+      getInstance().type = type;
+      return this;
+    }
+
+    public Builder setRequester(String requester) {
+      getInstance().requester = requester;
+      return this;
+    }
+
+    public Builder setDestinationEmail(String destinationEmail) {
+      getInstance().destinationEmail = destinationEmail;
+      return this;
+    }
+
+    public Builder setRegistrarId(String registrarId) {
+      getInstance().registrarId = registrarId;
+      return this;
+    }
+
+    public Builder setFulfillmentTime(DateTime fulfillmentTime) {
+      getInstance().fulfillmentTime = fulfillmentTime;
+      return this;
+    }
+  }
+}

core/src/main/java/google/registry/model/console/User.java

@@ -62,7 +62,7 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
   @Id @Expose String emailAddress;
 
   /** Optional external email address to use for registry lock confirmation emails. */
-  @Column String registryLockEmailAddress;
+  @Column @Expose String registryLockEmailAddress;
 
   /** Roles (which grant permissions) associated with this user. */
   @Expose
@@ -250,51 +250,50 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
   }
 
   @Override
-  public Builder<? extends User, ?> asBuilder() {
-    return new Builder<>(clone(this));
+  public Builder asBuilder() {
+    return new Builder(clone(this));
   }
 
   /** Builder for constructing immutable {@link User} objects. */
-  public static class Builder<T extends User, B extends Builder<T, B>>
-      extends GenericBuilder<T, B> {
+  public static class Builder extends Buildable.Builder<User> {
 
     public Builder() {}
 
-    public Builder(T abstractUser) {
-      super(abstractUser);
+    public Builder(User user) {
+      super(user);
     }
 
     @Override
-    public T build() {
+    public User build() {
       checkArgumentNotNull(getInstance().emailAddress, "Email address cannot be null");
       checkArgumentNotNull(getInstance().userRoles, "User roles cannot be null");
       return super.build();
     }
 
-    public B setEmailAddress(String emailAddress) {
+    public Builder setEmailAddress(String emailAddress) {
       getInstance().emailAddress = checkValidEmail(emailAddress);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
+    public Builder setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
       getInstance().registryLockEmailAddress =
           registryLockEmailAddress == null ? null : checkValidEmail(registryLockEmailAddress);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setUserRoles(UserRoles userRoles) {
+    public Builder setUserRoles(UserRoles userRoles) {
       checkArgumentNotNull(userRoles, "User roles cannot be null");
       getInstance().userRoles = userRoles;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B removeRegistryLockPassword() {
+    public Builder removeRegistryLockPassword() {
       getInstance().registryLockPasswordHash = null;
       getInstance().registryLockPasswordSalt = null;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockPassword(String registryLockPassword) {
+    public Builder setRegistryLockPassword(String registryLockPassword) {
       checkArgument(
           getInstance().hasAnyRegistryLockPermission(), "User has no registry lock permission");
       checkArgument(
@@ -304,7 +303,7 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
       byte[] salt = SALT_SUPPLIER.get();
       getInstance().registryLockPasswordSalt = base64().encode(salt);
       getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
-      return thisCastToDerived();
+      return this;
     }
   }
 }

core/src/main/java/google/registry/model/domain/DomainCommand.java

@@ -441,7 +441,8 @@ public class DomainCommand {
   private static <T extends EppResource> ImmutableMap<String, VKey<T>> loadByForeignKeysCached(
       final Set<String> foreignKeys, final Class<T> clazz, final DateTime now)
       throws InvalidReferencesException {
-    ImmutableMap<String, VKey<T>> fks = ForeignKeyUtils.loadCached(clazz, foreignKeys, now);
+    ImmutableMap<String, VKey<T>> fks =
+        ForeignKeyUtils.loadByCacheIfEnabled(clazz, foreignKeys, now);
     if (!fks.keySet().equals(foreignKeys)) {
       throw new InvalidReferencesException(
           clazz, ImmutableSet.copyOf(difference(foreignKeys, fks.keySet())));

core/src/main/java/google/registry/model/domain/RegistryLock.java

@@ -101,8 +101,15 @@ public final class RegistryLock extends UpdateAutoTimestampEntity implements Bui
   @Column(nullable = false)
   private String registrarId;
 
-  /** The POC that performed the action, or null if it was a superuser. */
-  @Expose private String registrarPocId;
+  /**
+   * The email address of the user that performed the action, or null if it was a superuser.
+   *
+   * <p>Note: this is misnamed in the database due to historical reasons, where we used the
+   * registrar POC ID as the email address rather than a separate specialized field.
+   */
+  @Column(name = "registrarPocId")
+  @Expose
+  private String registryLockEmail;
 
   /** When the lock is first requested. */
   @AttributeOverrides({
@@ -161,8 +168,8 @@ public final class RegistryLock extends UpdateAutoTimestampEntity implements Bui
     return registrarId;
   }
 
-  public String getRegistrarPocId() {
-    return registrarPocId;
+  public String getRegistryLockEmail() {
+    return registryLockEmail;
   }
 
   public DateTime getLockRequestTime() {
@@ -255,7 +262,7 @@ public final class RegistryLock extends UpdateAutoTimestampEntity implements Bui
       checkArgumentNotNull(getInstance().registrarId, "Registrar ID cannot be null");
       checkArgumentNotNull(getInstance().verificationCode, "Verification code cannot be null");
       checkArgument(
-          getInstance().registrarPocId != null || getInstance().isSuperuser,
+          getInstance().registryLockEmail != null || getInstance().isSuperuser,
           "Registrar POC ID must be provided if superuser is false");
       return super.build();
     }
@@ -275,8 +282,8 @@ public final class RegistryLock extends UpdateAutoTimestampEntity implements Bui
       return this;
     }
 
-    public Builder setRegistrarPocId(String registrarPocId) {
-      getInstance().registrarPocId = registrarPocId;
+    public Builder setRegistryLockEmail(String registryLockEmail) {
+      getInstance().registryLockEmail = registryLockEmail;
       return this;
     }
 

core/src/main/java/google/registry/model/domain/fee12/FeeCheckResponseExtensionItemCommandV12.java

@@ -18,7 +18,7 @@ import static google.registry.util.CollectionUtils.forceEmptyToNull;
 
 import com.google.common.base.Ascii;
 import com.google.common.collect.ImmutableList;
-import google.registry.model.Buildable.GenericBuilder;
+import google.registry.model.Buildable;
 import google.registry.model.ImmutableObject;
 import google.registry.model.domain.Period;
 import google.registry.model.domain.fee.Fee;
@@ -77,8 +77,7 @@ public class FeeCheckResponseExtensionItemCommandV12 extends ImmutableObject {
   }
 
   /** Builder for {@link FeeCheckResponseExtensionItemCommandV12}. */
-  public static class Builder
-      extends GenericBuilder<FeeCheckResponseExtensionItemCommandV12, Builder> {
+  public static class Builder extends Buildable.Builder<FeeCheckResponseExtensionItemCommandV12> {
 
     public Builder setCommandName(CommandName commandName) {
       getInstance().commandName = Ascii.toLowerCase(commandName.name());

core/src/main/java/google/registry/model/registrar/Registrar.java

@@ -27,6 +27,7 @@ import static com.google.common.io.BaseEncoding.base64;
 import static google.registry.config.RegistryConfig.getDefaultRegistrarWhoisServer;
 import static google.registry.model.CacheUtils.memoizeWithShortExpiration;
 import static google.registry.model.tld.Tlds.assertTldsExist;
+import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
@@ -62,6 +63,7 @@ import google.registry.model.tld.Tld.TldType;
 import google.registry.persistence.VKey;
 import google.registry.persistence.converter.CidrBlockListUserType;
 import google.registry.persistence.converter.CurrencyToStringMapUserType;
+import google.registry.persistence.transaction.TransactionManager;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.PasswordUtils;
 import jakarta.mail.internet.AddressException;
@@ -576,7 +578,20 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
    * address.
    */
   public ImmutableSortedSet<RegistrarPoc> getContacts() {
-    return getContactPocs().stream()
+    return getPocs(tm()).stream()
+        .filter(Objects::nonNull)
+        .collect(toImmutableSortedSet(CONTACT_EMAIL_COMPARATOR));
+  }
+
+  /**
+   * Returns a list of all {@link RegistrarPoc} objects for this registrar sorted by their email
+   * address.
+   *
+   * <p>This method queries the replica database. It is reserved for use cases that can tolerate
+   * slightly stale data.
+   */
+  public ImmutableSortedSet<RegistrarPoc> getPocsFromReplica() {
+    return getPocs(replicaTm()).stream()
         .filter(Objects::nonNull)
         .collect(toImmutableSortedSet(CONTACT_EMAIL_COMPARATOR));
   }
@@ -585,8 +600,8 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
    * Returns a list of {@link RegistrarPoc} objects of a given type for this registrar sorted by
    * their email address.
    */
-  public ImmutableSortedSet<RegistrarPoc> getContactsOfType(final RegistrarPoc.Type type) {
-    return getContactPocs().stream()
+  public ImmutableSortedSet<RegistrarPoc> getPocsOfType(final RegistrarPoc.Type type) {
+    return getPocs(tm()).stream()
         .filter(Objects::nonNull)
         .filter((@Nullable RegistrarPoc contact) -> contact.getTypes().contains(type))
         .collect(toImmutableSortedSet(CONTACT_EMAIL_COMPARATOR));
@@ -600,13 +615,8 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
     return getContacts().stream().filter(RegistrarPoc::getVisibleInDomainWhoisAsAbuse).findFirst();
   }
 
-  private ImmutableSet<RegistrarPoc> getContactPocs() {
-    return tm().transact(
-            () ->
-                tm().query("FROM RegistrarPoc WHERE registrarId = :registrarId", RegistrarPoc.class)
-                    .setParameter("registrarId", registrarId)
-                    .getResultStream()
-                    .collect(toImmutableSet()));
+  private ImmutableList<RegistrarPoc> getPocs(TransactionManager txnManager) {
+    return txnManager.transact(() -> RegistrarPoc.loadForRegistrar(registrarId));
   }
 
   @Override
@@ -680,8 +690,8 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
   }
 
   @Override
-  public Builder<? extends Registrar, ?> asBuilder() {
-    return new Builder<>(clone(this));
+  public Builder asBuilder() {
+    return new Builder(clone(this));
   }
 
   @Override
@@ -696,59 +706,58 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
   }
 
   /** A builder for constructing {@link Registrar}, since it is immutable. */
-  public static class Builder<T extends Registrar, B extends Builder<T, B>>
-      extends GenericBuilder<T, B> {
+  public static class Builder extends Buildable.Builder<Registrar> {
     public Builder() {}
 
-    public Builder(T instance) {
+    public Builder(Registrar instance) {
       super(instance);
     }
 
-    public B setRegistrarId(String registrarId) {
+    public Builder setRegistrarId(String registrarId) {
       // Registrar id must be [3,16] chars long. See "clIDType" in the base EPP schema of RFC 5730.
       // (Need to validate this here as there's no matching EPP XSD for validation.)
       checkArgument(
           Range.closed(3, 16).contains(registrarId.length()),
           "Registrar ID must be 3-16 characters long.");
       getInstance().registrarId = registrarId;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setIanaIdentifier(@Nullable Long ianaIdentifier) {
+    public Builder setIanaIdentifier(@Nullable Long ianaIdentifier) {
       checkArgument(
           ianaIdentifier == null || ianaIdentifier > 0, "IANA ID must be a positive number");
       getInstance().ianaIdentifier = ianaIdentifier;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setPoNumber(Optional<String> poNumber) {
+    public Builder setPoNumber(Optional<String> poNumber) {
       getInstance().poNumber = poNumber.orElse(null);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setBillingAccountMap(@Nullable Map<CurrencyUnit, String> billingAccountMap) {
+    public Builder setBillingAccountMap(@Nullable Map<CurrencyUnit, String> billingAccountMap) {
       getInstance().billingAccountMap = nullToEmptyImmutableCopy(billingAccountMap);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistrarName(String registrarName) {
+    public Builder setRegistrarName(String registrarName) {
       getInstance().registrarName = registrarName;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setType(Type type) {
+    public Builder setType(Type type) {
       getInstance().type = type;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setState(State state) {
+    public Builder setState(State state) {
       getInstance().state = state;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setAllowedTlds(Set<String> allowedTlds) {
+    public Builder setAllowedTlds(Set<String> allowedTlds) {
       getInstance().allowedTlds = ImmutableSortedSet.copyOf(assertTldsExist(allowedTlds));
-      return thisCastToDerived();
+      return this;
     }
 
     /**
@@ -761,7 +770,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
      * {@code .now()} when saving the Registry entity to make sure it's actually saved before trying
      * to set the allowed TLDs.
      */
-    public B setAllowedTldsUncached(Set<String> allowedTlds) {
+    public Builder setAllowedTldsUncached(Set<String> allowedTlds) {
       ImmutableSet<VKey<Tld>> newTldKeys =
           Sets.difference(allowedTlds, getInstance().getAllowedTlds()).stream()
               .map(Tld::createVKey)
@@ -770,10 +779,10 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
           Sets.difference(newTldKeys, tm().loadByKeysIfPresent(newTldKeys).keySet());
       checkArgument(missingTldKeys.isEmpty(), "Trying to set nonexistent TLDs: %s", missingTldKeys);
       getInstance().allowedTlds = ImmutableSortedSet.copyOf(allowedTlds);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setClientCertificate(String clientCertificate, DateTime now) {
+    public Builder setClientCertificate(String clientCertificate, DateTime now) {
       clientCertificate = emptyToNull(clientCertificate);
       String clientCertificateHash = calculateHash(clientCertificate);
       if (!Objects.equals(clientCertificate, getInstance().clientCertificate)
@@ -782,23 +791,23 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
         getInstance().clientCertificateHash = clientCertificateHash;
         getInstance().lastCertificateUpdateTime = now;
       }
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setLastExpiringCertNotificationSentDate(DateTime now) {
+    public Builder setLastExpiringCertNotificationSentDate(DateTime now) {
       checkArgumentNotNull(now, "Registrar lastExpiringCertNotificationSentDate cannot be null");
       getInstance().lastExpiringCertNotificationSentDate = now;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setLastExpiringFailoverCertNotificationSentDate(DateTime now) {
+    public Builder setLastExpiringFailoverCertNotificationSentDate(DateTime now) {
       checkArgumentNotNull(
           now, "Registrar lastExpiringFailoverCertNotificationSentDate cannot be null");
       getInstance().lastExpiringFailoverCertNotificationSentDate = now;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setFailoverClientCertificate(String clientCertificate, DateTime now) {
+    public Builder setFailoverClientCertificate(String clientCertificate, DateTime now) {
       clientCertificate = emptyToNull(clientCertificate);
       String clientCertificateHash = calculateHash(clientCertificate);
       if (!Objects.equals(clientCertificate, getInstance().failoverClientCertificate)
@@ -807,13 +816,13 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
         getInstance().failoverClientCertificateHash = clientCertificateHash;
         getInstance().lastCertificateUpdateTime = now;
       }
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setLastPocVerificationDate(DateTime now) {
+    public Builder setLastPocVerificationDate(DateTime now) {
       checkArgumentNotNull(now, "Registrar lastPocVerificationDate cannot be null");
       getInstance().lastPocVerificationDate = now;
-      return thisCastToDerived();
+      return this;
     }
 
     private static String calculateHash(String clientCertificate) {
@@ -845,75 +854,75 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
                   Objects.equals(newInstance.ianaIdentifier, registrar.getIanaIdentifier()));
     }
 
-    public B setContactsRequireSyncing(boolean contactsRequireSyncing) {
+    public Builder setContactsRequireSyncing(boolean contactsRequireSyncing) {
       getInstance().contactsRequireSyncing = contactsRequireSyncing;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setIpAddressAllowList(Iterable<CidrAddressBlock> ipAddressAllowList) {
+    public Builder setIpAddressAllowList(Iterable<CidrAddressBlock> ipAddressAllowList) {
       getInstance().ipAddressAllowList = ImmutableList.copyOf(ipAddressAllowList);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setLocalizedAddress(RegistrarAddress localizedAddress) {
+    public Builder setLocalizedAddress(RegistrarAddress localizedAddress) {
       getInstance().localizedAddress = localizedAddress;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setInternationalizedAddress(RegistrarAddress internationalizedAddress) {
+    public Builder setInternationalizedAddress(RegistrarAddress internationalizedAddress) {
       getInstance().internationalizedAddress = internationalizedAddress;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setPhoneNumber(String phoneNumber) {
+    public Builder setPhoneNumber(String phoneNumber) {
       getInstance().phoneNumber = (phoneNumber == null) ? null : checkValidPhoneNumber(phoneNumber);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setFaxNumber(String faxNumber) {
+    public Builder setFaxNumber(String faxNumber) {
       getInstance().faxNumber = (faxNumber == null) ? null : checkValidPhoneNumber(faxNumber);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setEmailAddress(String emailAddress) {
+    public Builder setEmailAddress(String emailAddress) {
       getInstance().emailAddress = checkValidEmail(emailAddress);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setWhoisServer(String whoisServer) {
+    public Builder setWhoisServer(String whoisServer) {
       getInstance().whoisServer = whoisServer;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRdapBaseUrls(Set<String> rdapBaseUrls) {
+    public Builder setRdapBaseUrls(Set<String> rdapBaseUrls) {
       getInstance().rdapBaseUrls = ImmutableSet.copyOf(rdapBaseUrls);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setBlockPremiumNames(boolean blockPremiumNames) {
+    public Builder setBlockPremiumNames(boolean blockPremiumNames) {
       getInstance().blockPremiumNames = blockPremiumNames;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setUrl(String url) {
+    public Builder setUrl(String url) {
       getInstance().url = url;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setIcannReferralEmail(String icannReferralEmail) {
+    public Builder setIcannReferralEmail(String icannReferralEmail) {
       getInstance().icannReferralEmail = checkValidEmail(icannReferralEmail);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setDriveFolderId(@Nullable String driveFolderId) {
+    public Builder setDriveFolderId(@Nullable String driveFolderId) {
       checkArgument(
           driveFolderId == null || !driveFolderId.contains("/"),
           "Drive folder ID must not be a full URL");
       getInstance().driveFolderId = driveFolderId;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setPassword(String password) {
+    public Builder setPassword(String password) {
       // Passwords must be [6,16] chars long. See "pwType" in the base EPP schema of RFC 5730.
       checkArgument(
           Range.closed(6, 16).contains(nullToEmpty(password).length()),
@@ -921,7 +930,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
       byte[] salt = SALT_SUPPLIER.get();
       getInstance().salt = base64().encode(salt);
       getInstance().passwordHash = hashPassword(password, salt);
-      return thisCastToDerived();
+      return this;
     }
 
     /**
@@ -929,18 +938,18 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
      *
      * @throws IllegalArgumentException if provided passcode is not 5-digit numeric
      */
-    public B setPhonePasscode(String phonePasscode) {
+    public Builder setPhonePasscode(String phonePasscode) {
       checkArgument(
           phonePasscode == null || PHONE_PASSCODE_PATTERN.matcher(phonePasscode).matches(),
           "Not a valid telephone passcode (must be 5 digits long): %s",
           phonePasscode);
       getInstance().phonePasscode = phonePasscode;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockAllowed(boolean registryLockAllowed) {
+    public Builder setRegistryLockAllowed(boolean registryLockAllowed) {
       getInstance().registryLockAllowed = registryLockAllowed;
-      return thisCastToDerived();
+      return this;
     }
 
     /**
@@ -948,14 +957,14 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
      * and breaks the verification that an object has not been updated since it was copied.
      */
     @VisibleForTesting
-    public B setLastUpdateTime(DateTime timestamp) {
+    public Builder setLastUpdateTime(DateTime timestamp) {
       getInstance().setUpdateTimestamp(UpdateAutoTimestamp.create(timestamp));
-      return thisCastToDerived();
+      return this;
     }
 
     /** Build the registrar, nullifying empty fields. */
     @Override
-    public T build() {
+    public Registrar build() {
       checkArgumentNotNull(getInstance().type, "Registrar type cannot be null");
       checkArgumentNotNull(getInstance().registrarName, "Registrar name cannot be null");
       checkArgument(

core/src/main/java/google/registry/model/registrar/RegistrarPoc.java

@@ -14,29 +14,25 @@
 
 package google.registry.model.registrar;
 
-import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
-import static com.google.common.base.Strings.isNullOrEmpty;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static com.google.common.io.BaseEncoding.base64;
 import static google.registry.model.registrar.Registrar.checkValidEmail;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
-import static google.registry.util.PasswordUtils.SALT_SUPPLIER;
-import static google.registry.util.PasswordUtils.hashPassword;
 import static java.util.stream.Collectors.joining;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedSet;
 import com.google.gson.annotations.Expose;
-import google.registry.model.Buildable.GenericBuilder;
+import google.registry.model.Buildable;
 import google.registry.model.ImmutableObject;
 import google.registry.model.JsonMapBuilder;
 import google.registry.model.Jsonifiable;
 import google.registry.model.UnsafeSerializable;
 import google.registry.persistence.VKey;
-import google.registry.util.PasswordUtils;
+import google.registry.persistence.transaction.QueryComposer;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.EnumType;
@@ -45,9 +41,7 @@ import jakarta.persistence.Id;
 import jakarta.persistence.IdClass;
 import java.io.Serializable;
 import java.util.Map;
-import java.util.Optional;
 import java.util.Set;
-import javax.annotation.Nullable;
 
 /**
  * A contact for a Registrar. Note, equality, hashCode and comparable have been overridden to only
@@ -93,6 +87,10 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
     }
   }
 
+  @Expose
+  @Column(insertable = false, updatable = false)
+  protected Long id;
+
   /** The name of the contact. */
   @Expose String name;
 
@@ -101,9 +99,6 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
 
   @Id @Expose public String registrarId;
 
-  /** External email address of this contact used for registry lock confirmations. */
-  String registryLockEmailAddress;
-
   /** The voice number of the contact. */
   @Expose String phoneNumber;
 
@@ -141,22 +136,10 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
   @Expose
   boolean visibleInDomainWhoisAsAbuse = false;
 
-  /**
-   * Whether the contact is allowed to set their registry lock password through the registrar
-   * console. This will be set to false on contact creation and when the user sets a password.
-   */
+  /** Legacy field, around until we can remove the non-null constraint and the column from SQL. */
   @Column(nullable = false)
   boolean allowedToSetRegistryLockPassword = false;
 
-  /**
-   * A hashed password that exists iff this contact is registry-lock-enabled. The hash is a base64
-   * encoded SHA256 string.
-   */
-  String registryLockPasswordHash;
-
-  /** Randomly generated hash salt. */
-  String registryLockPasswordSalt;
-
   /**
    * Helper to update the contacts associated with a Registrar. This requires querying for the
    * existing contacts, deleting existing contacts that are not part of the given {@code contacts}
@@ -179,6 +162,10 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
     tm().putAll(contacts);
   }
 
+  public Long getId() {
+    return id;
+  }
+
   public String getName() {
     return name;
   }
@@ -187,10 +174,6 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
     return emailAddress;
   }
 
-  public Optional<String> getRegistryLockEmailAddress() {
-    return Optional.ofNullable(registryLockEmailAddress);
-  }
-
   public String getPhoneNumber() {
     return phoneNumber;
   }
@@ -215,26 +198,8 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
     return visibleInDomainWhoisAsAbuse;
   }
 
-  public Builder<? extends RegistrarPoc, ?> asBuilder() {
-    return new Builder<>(clone(this));
-  }
-
-  public boolean isAllowedToSetRegistryLockPassword() {
-    return allowedToSetRegistryLockPassword;
-  }
-
-  public boolean isRegistryLockAllowed() {
-    return !isNullOrEmpty(registryLockPasswordHash) && !isNullOrEmpty(registryLockPasswordSalt);
-  }
-
-  public boolean verifyRegistryLockPassword(String registryLockPassword) {
-    if (isNullOrEmpty(registryLockPassword)
-        || isNullOrEmpty(registryLockPasswordSalt)
-        || isNullOrEmpty(registryLockPasswordHash)) {
-      return false;
-    }
-    return PasswordUtils.verifyPassword(
-        registryLockPassword, registryLockPasswordHash, registryLockPasswordSalt);
+  public Builder asBuilder() {
+    return new Builder(clone(this));
   }
 
   /**
@@ -286,15 +251,13 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
     return new JsonMapBuilder()
         .put("name", name)
         .put("emailAddress", emailAddress)
-        .put("registryLockEmailAddress", registryLockEmailAddress)
         .put("phoneNumber", phoneNumber)
         .put("faxNumber", faxNumber)
         .put("types", getTypes().stream().map(Object::toString).collect(joining(",")))
         .put("visibleInWhoisAsAdmin", visibleInWhoisAsAdmin)
         .put("visibleInWhoisAsTech", visibleInWhoisAsTech)
         .put("visibleInDomainWhoisAsAbuse", visibleInDomainWhoisAsAbuse)
-        .put("allowedToSetRegistryLockPassword", allowedToSetRegistryLockPassword)
-        .put("registryLockAllowed", isRegistryLockAllowed())
+        .put("id", getId())
         .build();
   }
 
@@ -321,106 +284,76 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
   }
 
   /** A builder for constructing a {@link RegistrarPoc}, since it is immutable. */
-  public static class Builder<T extends RegistrarPoc, B extends Builder<T, B>>
-      extends GenericBuilder<T, B> {
+  public static class Builder extends Buildable.Builder<RegistrarPoc> {
     public Builder() {}
 
-    protected Builder(T instance) {
+    protected Builder(RegistrarPoc instance) {
       super(instance);
     }
 
     /** Build the registrar, nullifying empty fields. */
     @Override
-    public T build() {
+    public RegistrarPoc build() {
       checkNotNull(getInstance().registrarId, "Registrar ID cannot be null");
       checkValidEmail(getInstance().emailAddress);
-      // Check allowedToSetRegistryLockPassword here because if we want to allow the user to set
-      // a registry lock password, we must also set up the correct registry lock email concurrently
-      // or beforehand.
-      if (getInstance().allowedToSetRegistryLockPassword) {
-        checkArgument(
-            !isNullOrEmpty(getInstance().registryLockEmailAddress),
-            "Registry lock email must not be null if allowing registry lock access");
-      }
       return cloneEmptyToNull(super.build());
     }
 
-    public B setName(String name) {
+    public Builder setName(String name) {
       getInstance().name = name;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setEmailAddress(String emailAddress) {
+    public Builder setEmailAddress(String emailAddress) {
       getInstance().emailAddress = emailAddress;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
-      getInstance().registryLockEmailAddress = registryLockEmailAddress;
-      return thisCastToDerived();
-    }
-
-    public B setPhoneNumber(String phoneNumber) {
+    public Builder setPhoneNumber(String phoneNumber) {
       getInstance().phoneNumber = phoneNumber;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistrarId(String registrarId) {
+    public Builder setRegistrarId(String registrarId) {
       getInstance().registrarId = registrarId;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistrar(Registrar registrar) {
+    public Builder setRegistrar(Registrar registrar) {
       getInstance().registrarId = registrar.getRegistrarId();
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setFaxNumber(String faxNumber) {
+    public Builder setFaxNumber(String faxNumber) {
       getInstance().faxNumber = faxNumber;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setTypes(Iterable<Type> types) {
+    public Builder setTypes(Iterable<Type> types) {
       getInstance().types = ImmutableSet.copyOf(types);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setVisibleInWhoisAsAdmin(boolean visible) {
+    public Builder setVisibleInWhoisAsAdmin(boolean visible) {
       getInstance().visibleInWhoisAsAdmin = visible;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setVisibleInWhoisAsTech(boolean visible) {
+    public Builder setVisibleInWhoisAsTech(boolean visible) {
       getInstance().visibleInWhoisAsTech = visible;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setVisibleInDomainWhoisAsAbuse(boolean visible) {
+    public Builder setVisibleInDomainWhoisAsAbuse(boolean visible) {
       getInstance().visibleInDomainWhoisAsAbuse = visible;
-      return thisCastToDerived();
+      return this;
     }
+  }
 
-    public B setAllowedToSetRegistryLockPassword(boolean allowedToSetRegistryLockPassword) {
-      if (allowedToSetRegistryLockPassword) {
-        getInstance().registryLockPasswordSalt = null;
-        getInstance().registryLockPasswordHash = null;
-      }
-      getInstance().allowedToSetRegistryLockPassword = allowedToSetRegistryLockPassword;
-      return thisCastToDerived();
-    }
-
-    public B setRegistryLockPassword(String registryLockPassword) {
-      checkArgument(
-          getInstance().allowedToSetRegistryLockPassword,
-          "Not allowed to set registry lock password for this contact");
-      checkArgument(
-          !isNullOrEmpty(registryLockPassword), "Registry lock password was null or empty");
-      byte[] salt = SALT_SUPPLIER.get();
-      getInstance().registryLockPasswordSalt = base64().encode(salt);
-      getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
-      getInstance().allowedToSetRegistryLockPassword = false;
-      return thisCastToDerived();
-    }
+  public static ImmutableList<RegistrarPoc> loadForRegistrar(String registrarId) {
+    return tm().createQueryComposer(RegistrarPoc.class)
+        .where("registrarId", QueryComposer.Comparator.EQ, registrarId)
+        .list();
   }
 
   /** Class to represent the composite primary key for {@link RegistrarPoc} entity. */

core/src/main/java/google/registry/model/smd/SignedMarkRevocationList.java

@@ -95,10 +95,4 @@ public class SignedMarkRevocationList extends ImmutableObject {
   public int size() {
     return revokes.size();
   }
-
-  /** Save this list to Cloud SQL. Returns {@code this}. */
-  public SignedMarkRevocationList save() {
-    SignedMarkRevocationListDao.save(this);
-    return this;
-  }
 }

core/src/main/java/google/registry/model/smd/SignedMarkRevocationListDao.java

@@ -44,11 +44,25 @@ public class SignedMarkRevocationListDao {
     return smdrl.orElseGet(() -> SignedMarkRevocationList.create(START_OF_TIME, ImmutableMap.of()));
   }
 
-  /** Save the given {@link SignedMarkRevocationList} */
-  static void save(SignedMarkRevocationList signedMarkRevocationList) {
-    tm().transact(() -> tm().insert(signedMarkRevocationList));
+  /**
+   * Persists a {@link SignedMarkRevocationList} instance and returns the persisted entity.
+   *
+   * <p>Note that the input parameter is untouched. Use the returned object if metadata fields like
+   * {@code revisionId} are needed.
+   */
+  public static SignedMarkRevocationList save(SignedMarkRevocationList signedMarkRevocationList) {
+    var persisted =
+        tm().transact(
+                () -> {
+                  var entity =
+                      SignedMarkRevocationList.create(
+                          signedMarkRevocationList.getCreationTime(),
+                          ImmutableMap.copyOf(signedMarkRevocationList.revokes));
+                  tm().insert(entity);
+                  return entity;
+                });
     logger.atInfo().log(
-        "Inserted %,d signed mark revocations into Cloud SQL.",
-        signedMarkRevocationList.revokes.size());
+        "Inserted %,d signed mark revocations into Cloud SQL.", persisted.revokes.size());
+    return persisted;
   }
 }

core/src/main/java/google/registry/model/tld/label/PremiumListDao.java

@@ -133,24 +133,30 @@ public final class PremiumListDao {
   }
 
   /** Saves the given premium list (and its premium list entries) to Cloud SQL. */
-  public static PremiumList save(PremiumList premiumList) {
-    tm().transact(
-            () -> {
-              tm().insert(premiumList);
-              tm().getEntityManager().flush(); // This populates the revisionId.
-              long revisionId = premiumList.getRevisionId();
+  public static PremiumList save(PremiumList premiumListToPersist) {
+    PremiumList persisted =
+        tm().transact(
+                () -> {
+                  // Make a new copy in each attempt to insert. See javadoc of the insert method for
+                  // more information.
+                  PremiumList premiumList = premiumListToPersist.asBuilder().build();
+                  tm().insert(premiumList);
+                  tm().getEntityManager().flush(); // This populates the revisionId.
+                  long revisionId = premiumList.getRevisionId();
 
-              if (!isNullOrEmpty(premiumList.getLabelsToPrices())) {
-                ImmutableSet.Builder<PremiumEntry> entries = new ImmutableSet.Builder<>();
-                premiumList
-                    .getLabelsToPrices()
-                    .forEach(
-                        (key, value) -> entries.add(PremiumEntry.create(revisionId, value, key)));
-                tm().insertAll(entries.build());
-              }
-            });
-    premiumListCache.invalidate(premiumList.getName());
-    return premiumList;
+                  if (!isNullOrEmpty(premiumList.getLabelsToPrices())) {
+                    ImmutableSet.Builder<PremiumEntry> entries = new ImmutableSet.Builder<>();
+                    premiumList
+                        .getLabelsToPrices()
+                        .forEach(
+                            (key, value) ->
+                                entries.add(PremiumEntry.create(revisionId, value, key)));
+                    tm().insertAll(entries.build());
+                  }
+                  return premiumList;
+                });
+    premiumListCache.invalidate(persisted.getName());
+    return persisted;
   }
 
   public static void delete(PremiumList premiumList) {

core/src/main/java/google/registry/model/tld/label/ReservedListDao.java

@@ -27,14 +27,26 @@ public class ReservedListDao {
 
   private ReservedListDao() {}
 
-  /** Persist a new reserved list to Cloud SQL. */
-  public static void save(ReservedList reservedList) {
+  /**
+   * Persists a new reserved list to Cloud SQL and returns the persisted entity.
+   *
+   * <p>Note that the input parameter is untouched. Use the returned object if metadata fields like
+   * {@code revisionId} are needed.
+   */
+  public static ReservedList save(ReservedList reservedList) {
     checkArgumentNotNull(reservedList, "Must specify reservedList");
     logger.atInfo().log("Saving reserved list %s to Cloud SQL.", reservedList.getName());
-    tm().transact(() -> tm().insert(reservedList));
+    var persisted =
+        tm().transact(
+                () -> {
+                  var entity = reservedList.asBuilder().build();
+                  tm().insert(entity);
+                  return entity;
+                });
     logger.atInfo().log(
         "Saved reserved list %s with %d entries to Cloud SQL.",
         reservedList.getName(), reservedList.getReservedListEntries().size());
+    return persisted;
   }
 
   /** Deletes a reserved list from Cloud SQL. */

core/src/main/java/google/registry/model/tmch/ClaimsListDao.java

@@ -49,10 +49,23 @@ public class ClaimsListDao {
     return CacheUtils.newCacheBuilder(expiry).build(ignored -> ClaimsListDao.getUncached());
   }
 
-  /** Saves the given {@link ClaimsList} to Cloud SQL. */
-  public static void save(ClaimsList claimsList) {
-    tm().transact(() -> tm().insert(claimsList));
-    CACHE.put(ClaimsListDao.class, claimsList);
+  /**
+   * Persists a {@link ClaimsList} instance and returns the persisted entity.
+   *
+   * <p>Note that the input parameter is untouched. Use the returned object if metadata fields like
+   * {@code revisionId} are needed.
+   */
+  public static ClaimsList save(ClaimsList claimsList) {
+    var persisted =
+        tm().transact(
+                () -> {
+                  var entity =
+                      ClaimsList.create(claimsList.tmdbGenerationTime, claimsList.labelsToKeys);
+                  tm().insert(entity);
+                  return entity;
+                });
+    CACHE.put(ClaimsListDao.class, persisted);
+    return persisted;
   }
 
   /** Returns the most recent revision of the {@link ClaimsList} from the cache. */

core/src/main/java/google/registry/module/RequestComponent.java

@@ -38,10 +38,8 @@ import google.registry.dns.PublishDnsUpdatesAction;
 import google.registry.dns.ReadDnsRefreshRequestsAction;
 import google.registry.dns.RefreshDnsAction;
 import google.registry.dns.RefreshDnsOnHostRenameAction;
-import google.registry.dns.writer.VoidDnsWriterModule;
-import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
+import google.registry.dns.writer.DnsWritersModule;
 import google.registry.dns.writer.dnsupdate.DnsUpdateConfigModule;
-import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
 import google.registry.export.ExportDomainListsAction;
 import google.registry.export.ExportPremiumTermsAction;
 import google.registry.export.ExportReservedTermsAction;
@@ -117,6 +115,7 @@ import google.registry.ui.server.console.ConsoleDomainGetAction;
 import google.registry.ui.server.console.ConsoleDomainListAction;
 import google.registry.ui.server.console.ConsoleDumDownloadAction;
 import google.registry.ui.server.console.ConsoleEppPasswordAction;
+import google.registry.ui.server.console.ConsoleHistoryDataAction;
 import google.registry.ui.server.console.ConsoleModule;
 import google.registry.ui.server.console.ConsoleOteAction;
 import google.registry.ui.server.console.ConsoleRegistryLockAction;
@@ -124,6 +123,8 @@ import google.registry.ui.server.console.ConsoleRegistryLockVerifyAction;
 import google.registry.ui.server.console.ConsoleUpdateRegistrarAction;
 import google.registry.ui.server.console.ConsoleUserDataAction;
 import google.registry.ui.server.console.ConsoleUsersAction;
+import google.registry.ui.server.console.PasswordResetRequestAction;
+import google.registry.ui.server.console.PasswordResetVerifyAction;
 import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.domains.ConsoleBulkDomainAction;
 import google.registry.ui.server.console.settings.ContactAction;
@@ -140,14 +141,13 @@ import google.registry.whois.WhoisModule;
       BatchModule.class,
       BillingModule.class,
       CheckApiModule.class,
-      CloudDnsWriterModule.class,
       ConsoleModule.class,
       CronModule.class,
       CustomLogicModule.class,
       DnsCountQueryCoordinatorModule.class,
       DnsModule.class,
       DnsUpdateConfigModule.class,
-      DnsUpdateWriterModule.class,
+      DnsWritersModule.class,
       EppTlsModule.class,
       EppToolModule.class,
       IcannReportingModule.class,
@@ -160,7 +160,6 @@ import google.registry.whois.WhoisModule;
       Spec11Module.class,
       TmchModule.class,
       ToolsServerModule.class,
-      VoidDnsWriterModule.class,
       WhiteboxModule.class,
       WhoisModule.class,
     })
@@ -187,6 +186,8 @@ interface RequestComponent {
 
   ConsoleEppPasswordAction consoleEppPasswordAction();
 
+  ConsoleHistoryDataAction consoleHistoryDataAction();
+
   ConsoleOteAction consoleOteAction();
 
   ConsoleRegistryLockAction consoleRegistryLockAction();
@@ -253,6 +254,10 @@ interface RequestComponent {
 
   NordnVerifyAction nordnVerifyAction();
 
+  PasswordResetRequestAction passwordResetRequestAction();
+
+  PasswordResetVerifyAction passwordResetVerifyAction();
+
   PublishDnsUpdatesAction publishDnsUpdatesAction();
 
   PublishInvoicesAction uploadInvoicesAction();
@@ -285,6 +290,8 @@ interface RequestComponent {
 
   RdapNameserverSearchAction rdapNameserverSearchAction();
 
+  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
+
   RdeReportAction rdeReportAction();
 
   RdeReporter rdeReporter();
@@ -336,9 +343,7 @@ interface RequestComponent {
   WhoisAction whoisAction();
 
   WhoisHttpAction whoisHttpAction();
-
-  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
-
+  
   WipeOutContactHistoryPiiAction wipeOutContactHistoryPiiAction();
 
   @Subcomponent.Builder

core/src/main/java/google/registry/module/backend/BackendComponent.java

@@ -22,7 +22,6 @@ import google.registry.bigquery.BigqueryModule;
 import google.registry.config.CloudTasksUtilsModule;
 import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
-import google.registry.dns.writer.VoidDnsWriterModule;
 import google.registry.export.DriveModule;
 import google.registry.export.sheet.SheetsServiceModule;
 import google.registry.flows.ServerTridProviderModule;
@@ -73,7 +72,6 @@ import jakarta.inject.Singleton;
       SheetsServiceModule.class,
       StackdriverModule.class,
       UrlConnectionServiceModule.class,
-      VoidDnsWriterModule.class,
       UtilsModule.class
     })
 interface BackendComponent {

core/src/main/java/google/registry/module/backend/BackendRequestComponent.java

@@ -34,10 +34,8 @@ import google.registry.dns.PublishDnsUpdatesAction;
 import google.registry.dns.ReadDnsRefreshRequestsAction;
 import google.registry.dns.RefreshDnsAction;
 import google.registry.dns.RefreshDnsOnHostRenameAction;
-import google.registry.dns.writer.VoidDnsWriterModule;
-import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
+import google.registry.dns.writer.DnsWritersModule;
 import google.registry.dns.writer.dnsupdate.DnsUpdateConfigModule;
-import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
 import google.registry.export.ExportDomainListsAction;
 import google.registry.export.ExportPremiumTermsAction;
 import google.registry.export.ExportReservedTermsAction;
@@ -82,13 +80,12 @@ import google.registry.tmch.TmchSmdrlAction;
     modules = {
       BatchModule.class,
       BillingModule.class,
-      CloudDnsWriterModule.class,
       CronModule.class,
       CustomLogicModule.class,
       DnsCountQueryCoordinatorModule.class,
       DnsModule.class,
       DnsUpdateConfigModule.class,
-      DnsUpdateWriterModule.class,
+      DnsWritersModule.class,
       IcannReportingModule.class,
       RdeModule.class,
       ReportingModule.class,
@@ -96,7 +93,6 @@ import google.registry.tmch.TmchSmdrlAction;
       SheetModule.class,
       Spec11Module.class,
       TmchModule.class,
-      VoidDnsWriterModule.class,
       WhiteboxModule.class,
     })
 public interface BackendRequestComponent {

core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java

@@ -38,6 +38,8 @@ import google.registry.ui.server.console.ConsoleRegistryLockVerifyAction;
 import google.registry.ui.server.console.ConsoleUpdateRegistrarAction;
 import google.registry.ui.server.console.ConsoleUserDataAction;
 import google.registry.ui.server.console.ConsoleUsersAction;
+import google.registry.ui.server.console.PasswordResetRequestAction;
+import google.registry.ui.server.console.PasswordResetVerifyAction;
 import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.domains.ConsoleBulkDomainAction;
 import google.registry.ui.server.console.settings.ContactAction;
@@ -84,6 +86,12 @@ public interface FrontendRequestComponent {
 
   FlowComponent.Builder flowComponentBuilder();
 
+  PasswordResetRequestAction passwordResetRequestAction();
+
+  PasswordResetVerifyAction passwordResetVerifyAction();
+
+  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
+
   ReadinessProbeActionFrontend readinessProbeActionFrontend();
 
   ReadinessProbeConsoleAction readinessProbeConsoleAction();
@@ -92,8 +100,6 @@ public interface FrontendRequestComponent {
 
   SecurityAction securityAction();
 
-  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
-
   @Subcomponent.Builder
   abstract class Builder implements RequestComponentBuilder<FrontendRequestComponent> {
     @Override public abstract Builder requestModule(RequestModule requestModule);

core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java

@@ -344,6 +344,18 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
     return txnInfo.transactionTime;
   }
 
+  /**
+   * Inserts an object into the database.
+   *
+   * <p>If {@code entity} has an auto-generated identity field (i.e., a field annotated with {@link
+   * jakarta.persistence.GeneratedValue}), the caller must not assign a value to this field,
+   * otherwise Hibernate would mistake the entity as detached and raise an error.
+   *
+   * <p>The practical implication of the above is that when inserting such an entity using a
+   * retriable transaction , the entity should be instantiated inside the transaction body. A failed
+   * attempt may still assign and ID to the entity, therefore reusing the same entity would cause
+   * retries to fail.
+   */
   @Override
   public void insert(Object entity) {
     checkArgumentNotNull(entity, "entity must be specified");

core/src/main/java/google/registry/rdap/AbstractJsonableObject.java

@@ -336,7 +336,7 @@ abstract class AbstractJsonableObject implements Jsonable {
       // According to RFC 9083 section 3, the syntax of dates and times is defined in RFC3339.
       //
       // According to RFC3339, we should use ISO8601, which is what DateTime.toString does!
-      return new JsonPrimitive(((DateTime) object).toString());
+      return new JsonPrimitive(object.toString());
     }
     if (object == null) {
       return JsonNull.INSTANCE;

core/src/main/java/google/registry/rdap/RdapActionBase.java

@@ -24,10 +24,14 @@ import static jakarta.servlet.http.HttpServletResponse.SC_NOT_FOUND;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.EppResource;
 import google.registry.model.registrar.Registrar;
@@ -41,6 +45,7 @@ import google.registry.request.HttpException;
 import google.registry.request.Parameter;
 import google.registry.request.RequestMethod;
 import google.registry.request.RequestPath;
+import google.registry.request.RequestUrl;
 import google.registry.request.Response;
 import google.registry.util.Clock;
 import jakarta.inject.Inject;
@@ -50,7 +55,7 @@ import java.util.Optional;
 import org.joda.time.DateTime;
 
 /**
- * Base RDAP (new WHOIS) action for all requests.
+ * Base RDAP action for all requests.
  *
  * @see <a href="https://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
@@ -75,6 +80,7 @@ public abstract class RdapActionBase implements Runnable {
   @Inject Response response;
   @Inject @RequestMethod Action.Method requestMethod;
   @Inject @RequestPath String requestPath;
+  @Inject @RequestUrl String requestUrl;
   @Inject RdapAuthorization rdapAuthorization;
   @Inject RdapJsonFormatter rdapJsonFormatter;
   @Inject @Parameter("includeDeleted") Optional<Boolean> includeDeletedParam;
@@ -132,7 +138,7 @@ public abstract class RdapActionBase implements Runnable {
     // RFC7480 4.2 - servers receiving an RDAP request return an entity with a Content-Type header
     // containing the RDAP-specific JSON media type.
     response.setContentType(RESPONSE_MEDIA_TYPE);
-    // RDAP Technical Implementation Guide 1.13 - when responding to RDAP valid requests, we MUST
+    // RDAP Technical Implementation Guide 1.14 - when responding to RDAP valid requests, we MUST
     // include the Access-Control-Allow-Origin, which MUST be "*" unless otherwise specified.
     response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN, "*");
     try {
@@ -198,7 +204,9 @@ public abstract class RdapActionBase implements Runnable {
     TopLevelReplyObject topLevelObject =
         TopLevelReplyObject.create(replyObject, rdapJsonFormatter.createTosNotice());
     Gson gson = formatOutputParam.orElse(false) ? FORMATTED_OUTPUT_GSON : GSON;
-    response.setPayload(gson.toJson(topLevelObject.toJson()));
+    JsonObject jsonResult = topLevelObject.toJson();
+    addLinkValuesRecursively(jsonResult);
+    response.setPayload(gson.toJson(jsonResult));
   }
 
   /**
@@ -264,4 +272,34 @@ public abstract class RdapActionBase implements Runnable {
     return rdapJsonFormatter.getRequestTime();
   }
 
+  /**
+   * Adds a request-referencing "value" to each link object.
+   *
+   * <p>This is the "context URI" as described in RFC 8288. Basically, this contains a reference to
+   * the request URL that generated this RDAP response.
+   *
+   * <p>This is required per the RDAP February 2024 response profile sections 2.6.3 and 2.10, and
+   * the technical implementation guide sections 3.2 and 3.3.2.
+   *
+   * <p>We must do this here (instead of where the links are generated) because many of the links
+   * (e.g. terms of service) are static constants, and thus cannot by default know what the request
+   * URL was.
+   */
+  private void addLinkValuesRecursively(JsonElement jsonElement) {
+    if (jsonElement instanceof JsonArray jsonArray) {
+      jsonArray.forEach(this::addLinkValuesRecursively);
+    } else if (jsonElement instanceof JsonObject jsonObject) {
+      if (jsonObject.get("links") instanceof JsonArray linksArray) {
+        addLinkValues(linksArray);
+      }
+      jsonObject.entrySet().forEach(entry -> addLinkValuesRecursively(entry.getValue()));
+    }
+  }
+
+  private void addLinkValues(JsonArray linksArray) {
+    Streams.stream(linksArray)
+        .map(JsonElement::getAsJsonObject)
+        .filter(o -> !o.has("value"))
+        .forEach(o -> o.addProperty("value", requestUrl));
+  }
 }

core/src/main/java/google/registry/rdap/RdapAutnumAction.java

@@ -26,7 +26,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 
 /**
- * RDAP (new WHOIS) action for RDAP autonomous system number requests.
+ * RDAP action for RDAP autonomous system number requests.
  *
  * <p>This feature is not implemented because it's only necessary for <i>address</i> registries like
  * ARIN, not domain registries.

core/src/main/java/google/registry/rdap/RdapDataStructures.java

@@ -41,14 +41,13 @@ final class RdapDataStructures {
       // Conformance to RFC 9083
       jsonArray.add("rdap_level_0");
 
-      // Conformance to the RDAP Response Profile V2.1
+      // Conformance to the RDAP Response Profile V2.2 (February 2024)
+      // (see section 1.2)
+      jsonArray.add("icann_rdap_response_profile_1");
+
+      // Conformance to the RDAP Technical Implementation Guide V2.2 (February 2024)
       // (see section 1.3)
-      jsonArray.add("icann_rdap_response_profile_0");
-
-      // Conformance to the RDAP Technical Implementation Guide V2.1
-      // (see section 1.14)
-      jsonArray.add("icann_rdap_technical_implementation_guide_0");
-
+      jsonArray.add("icann_rdap_technical_implementation_guide_1");
       return jsonArray;
     }
   }
@@ -334,7 +333,6 @@ final class RdapDataStructures {
    */
   @RestrictJsonNames("status[]")
   enum RdapStatus implements Jsonable {
-
     // Status values specified in RFC 9083 § 10.2.2.
     VALIDATED("validated"),
     RENEW_PROHIBITED("renew prohibited"),

core/src/main/java/google/registry/rdap/RdapDomainAction.java

@@ -15,7 +15,7 @@
 package google.registry.rdap;
 
 import static google.registry.flows.domain.DomainFlowUtils.validateDomainName;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
@@ -36,7 +36,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 import java.util.Optional;
 
-/** RDAP (new WHOIS) action for domain requests. */
+/** RDAP action for domain requests. */
 @Action(
     service = GaeService.PUBAPI,
     path = "/rdap/domain/",
@@ -57,6 +57,9 @@ public class RdapDomainAction extends RdapActionBase {
     InternetDomainName domainName;
     try {
       domainName = validateDomainName(pathSearchString);
+    } catch (DomainFlowUtils.TldDoesNotExistException e) {
+      // A special case where a valid domain name on a nonexistent TLD should return 404
+      throw new NotFoundException(pathSearchString + " not found");
     } catch (EppException e) {
       throw new BadRequestException(
           String.format(
@@ -65,7 +68,7 @@ public class RdapDomainAction extends RdapActionBase {
     }
     // The query string is not used; the RDAP syntax is /rdap/domain/mydomain.com.
     Optional<Domain> domain =
-        loadByForeignKeyCached(
+        loadByForeignKeyByCache(
             Domain.class,
             pathSearchString,
             shouldIncludeDeleted() ? START_OF_TIME : rdapJsonFormatter.getRequestTime());

core/src/main/java/google/registry/rdap/RdapDomainSearchAction.java

@@ -15,7 +15,7 @@
 package google.registry.rdap;
 
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
@@ -51,6 +51,7 @@ import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.util.NonFinalForTesting;
 import jakarta.inject.Inject;
+import jakarta.persistence.Query;
 import jakarta.persistence.criteria.CriteriaBuilder;
 import java.net.InetAddress;
 import java.util.Comparator;
@@ -60,17 +61,15 @@ import java.util.stream.Stream;
 import org.hibernate.Hibernate;
 
 /**
- * RDAP (new WHOIS) action for domain search requests.
+ * RDAP action for domain search requests.
  *
- * <p>All commands and responses conform to the RDAP spec as defined in RFCs 7480 through 7485.
+ * <p>All commands and responses conform to the RDAP spec as defined in STD 95 and its RFCs.
  *
  * @see <a href="http://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
  * @see <a href="http://tools.ietf.org/html/rfc9083">RFC 9083: JSON Responses for the Registration
  *     Data Access Protocol (RDAP)</a>
  */
-// TODO: This isn't required by the RDAP Technical Implementation Guide, and hence should be
-// deleted, at least until it's actually required.
 @Action(
     service = GaeService.PUBAPI,
     path = "/rdap/domains",
@@ -184,7 +183,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
   private DomainSearchResponse searchByDomainNameWithoutWildcard(
       final RdapSearchPattern partialStringQuery) {
     Optional<Domain> domain =
-        loadByForeignKeyCached(
+        loadByForeignKeyByCache(
             Domain.class, partialStringQuery.getInitialString(), getRequestTime());
     return makeSearchResults(
         shouldBeVisible(domain) ? ImmutableList.of(domain.get()) : ImmutableList.of());
@@ -339,7 +338,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
     Optional<String> desiredRegistrar = getDesiredRegistrar();
     if (desiredRegistrar.isPresent()) {
       Optional<Host> host =
-          loadByForeignKeyCached(
+          loadByForeignKeyByCache(
               Host.class,
               partialStringQuery.getInitialString(),
               shouldIncludeDeleted() ? START_OF_TIME : getRequestTime());
@@ -364,7 +363,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
     // through the subordinate hosts. This is more efficient, and lets us permit wildcard searches
     // with no initial string.
     Domain domain =
-        loadByForeignKeyCached(
+        loadByForeignKeyByCache(
                 Domain.class,
                 partialStringQuery.getSuffix(),
                 shouldIncludeDeleted() ? START_OF_TIME : getRequestTime())
@@ -381,7 +380,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
       if (partialStringQuery.matches(fqhn)) {
         if (desiredRegistrar.isPresent()) {
           Optional<Host> host =
-              loadByForeignKeyCached(
+              loadByForeignKeyByCache(
                   Host.class, fqhn, shouldIncludeDeleted() ? START_OF_TIME : getRequestTime());
           if (host.isPresent()
               && desiredRegistrar
@@ -442,7 +441,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
         replicaTm()
             .transact(
                 () -> {
-                  jakarta.persistence.Query query =
+                  Query query =
                       replicaTm()
                           .getEntityManager()
                           .createNativeQuery(queryBuilder.toString())

core/src/main/java/google/registry/rdap/RdapEntityAction.java

@@ -14,18 +14,13 @@
 
 package google.registry.rdap;
 
-import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.rdap.RdapUtils.getRegistrarByIanaIdentifier;
 import static google.registry.rdap.RdapUtils.getRegistrarByName;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
 
-import com.google.common.collect.ImmutableSet;
 import com.google.common.primitives.Longs;
-import com.google.re2j.Pattern;
-import google.registry.model.contact.Contact;
 import google.registry.model.registrar.Registrar;
-import google.registry.persistence.VKey;
 import google.registry.rdap.RdapJsonFormatter.OutputDataType;
 import google.registry.rdap.RdapMetrics.EndpointType;
 import google.registry.rdap.RdapObjectClasses.RdapEntity;
@@ -37,14 +32,12 @@ import jakarta.inject.Inject;
 import java.util.Optional;
 
 /**
- * RDAP (new WHOIS) action for entity (contact and registrar) requests. the ICANN operational
- * profile dictates that the "handle" for registrars is to be the IANA registrar ID:
+ * RDAP action for entity (i.e. registrar) requests. the ICANN operational profile dictates that the
+ * "handle" for registrars is to be the IANA registrar ID:
  *
- * <p>2.8.3. Registries MUST support lookup for entities with the registrar role within other
- * objects using the handle (as described in 3.1.5 of RFC 9082). The handle of the entity with the
- * registrar role MUST be equal to IANA Registrar ID. The entity with the registrar role in the RDAP
- * response MUST contain a publicIDs member to identify the IANA Registrar ID from the IANA’s
- * Registrar ID registry. The type value of the publicID object MUST be equal to IANA Registrar ID.
+ * <p>2.4.1.Registry RDAP servers MUST support Registrar object lookup using an entity path request
+ * for entities with the registrar role using the handle (as described in 3.1.5 of RFC9082) where
+ * the handle of the entity with the registrar role is be [sic] equal to the IANA Registrar ID.
  */
 @Action(
     service = GaeService.PUBAPI,
@@ -54,8 +47,6 @@ import java.util.Optional;
     auth = Auth.AUTH_PUBLIC)
 public class RdapEntityAction extends RdapActionBase {
 
-  private static final Pattern ROID_PATTERN = Pattern.compile("[-_.a-zA-Z0-9]+");
-
   @Inject public RdapEntityAction() {
     super("entity", EndpointType.ENTITY);
   }
@@ -63,24 +54,6 @@ public class RdapEntityAction extends RdapActionBase {
   @Override
   public RdapEntity getJsonObjectForResource(
       String pathSearchString, boolean isHeadRequest) {
-    // The query string is not used; the RDAP syntax is /rdap/entity/handle (the handle is the roid
-    // for contacts and the client identifier/fn for registrars). Since RDAP's concept of an entity
-    // includes both contacts and registrars, search for one first, then the other.
-
-    // RDAP Technical Implementation Guide 2.3.1 - MUST support contact entity lookup using the
-    // handle
-    if (ROID_PATTERN.matcher(pathSearchString).matches()) {
-      VKey<Contact> contactVKey = VKey.create(Contact.class, pathSearchString);
-      Optional<Contact> contact =
-          replicaTm().transact(() -> replicaTm().loadByKeyIfPresent(contactVKey));
-      // As per Andy Newton on the regext mailing list, contacts by themselves have no role, since
-      // they are global, and might have different roles for different domains.
-      if (contact.isPresent() && isAuthorized(contact.get())) {
-        return rdapJsonFormatter.createRdapContactEntity(
-            contact.get(), ImmutableSet.of(), OutputDataType.FULL);
-      }
-    }
-
     // RDAP Technical Implementation Guide 2.4.1 - MUST support registrar entity lookup using the
     // IANA ID as handle
     Long ianaIdentifier = Longs.tryParse(pathSearchString);
@@ -98,13 +71,13 @@ public class RdapEntityAction extends RdapActionBase {
       return rdapJsonFormatter.createRdapRegistrarEntity(registrar.get(), OutputDataType.FULL);
     }
 
-    // At this point, we have failed to find either a contact or a registrar.
+    // At this point, we have failed to find a registrar.
     //
     // RFC7480 5.3 - if the server wishes to respond that it doesn't have data satisfying the
     // query, it MUST reply with 404 response code.
     //
     // Note we don't do RFC7480 5.3 - returning a different code if we wish to say "this info
-    // exists but we don't want to show it to you", because we DON'T wish to say that.
+    // exists, but we don't want to show it to you", because we DON'T wish to say that.
     throw new NotFoundException(pathSearchString + " not found");
   }
 }

core/src/main/java/google/registry/rdap/RdapEntitySearchAction.java

@@ -15,22 +15,16 @@
 package google.registry.rdap;
 
 import static com.google.common.collect.ImmutableList.toImmutableList;
-import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.rdap.RdapUtils.getRegistrarByIanaIdentifier;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
 
 import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Streams;
 import com.google.common.primitives.Booleans;
 import com.google.common.primitives.Longs;
-import google.registry.model.contact.Contact;
 import google.registry.model.registrar.Registrar;
-import google.registry.persistence.VKey;
-import google.registry.persistence.transaction.CriteriaQueryBuilder;
-import google.registry.rdap.RdapAuthorization.Role;
 import google.registry.rdap.RdapJsonFormatter.OutputDataType;
 import google.registry.rdap.RdapMetrics.EndpointType;
 import google.registry.rdap.RdapMetrics.SearchType;
@@ -49,35 +43,18 @@ import java.util.List;
 import java.util.Optional;
 
 /**
- * RDAP (new WHOIS) action for entity (contact and registrar) search requests.
+ * RDAP action for entity (i.e. registrar) search requests.
  *
- * <p>All commands and responses conform to the RDAP spec as defined in RFCs 7480 through 7485.
+ * <p>All commands and responses conform to the RDAP spec as defined in STD 95 and its RFCs.
  *
- * <p>The RDAP specification lumps contacts and registrars together and calls them "entities", which
- * is confusing for us, because "entity" means something else in SQL. But here, when we use the
- * term, it means either a contact or registrar. When searching for entities, we always start by
- * returning all matching contacts, and after that all matching registrars.
- *
- * <p>There are two ways to search for entities: by full name (for contacts, the search name, for
- * registrars, the registrar name) or by handle (for contacts, the ROID, for registrars, the IANA
- * number). The ICANN operational profile document specifies this meaning for handle searches.
- *
- * <p>Cursors are complicated by the fact that we are essentially doing two independent searches:
- * one for contacts, and one for registrars. To accommodate this, the cursor has a prefix indicating
- * the type of the last returned item. If the last item was a contact, we return c:{value}, where
- * the value is either the search name or the ROID. If the last item was a registrar, we return
- * r:{value}, where the value is either the registrar name or the IANA number. If we get a c:
- * cursor, we use it to weed out contacts, and fetch all registrars. If we get an r: cursor, we know
- * that we can skip the contact search altogether (because we returned a registrar, and all
- * registrars come after all contacts).
+ * <p>There are two ways to search for entities: by full name (the registrar name) or by handle (the
+ * IANA number). The ICANN operational profile document specifies this meaning for handle searches.
  *
  * @see <a href="http://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
  * @see <a href="http://tools.ietf.org/html/rfc9083">RFC 9083: JSON Responses for the Registration
  *     Data Access Protocol (RDAP)</a>
  */
-// TODO: This isn't required by the RDAP Technical Implementation Guide, and hence should be
-// deleted, at least until it's actually required.
 @Action(
     service = GaeService.PUBAPI,
     path = "/rdap/entities",
@@ -87,31 +64,10 @@ public class RdapEntitySearchAction extends RdapSearchActionBase {
 
   @Inject @Parameter("fn") Optional<String> fnParam;
   @Inject @Parameter("handle") Optional<String> handleParam;
-  @Inject @Parameter("subtype") Optional<String> subtypeParam;
   @Inject public RdapEntitySearchAction() {
     super("entity search", EndpointType.ENTITIES);
   }
 
-  private enum QueryType {
-    FULL_NAME,
-    HANDLE
-  }
-
-  private enum Subtype {
-    ALL,
-    CONTACTS,
-    REGISTRARS
-  }
-
-  private enum CursorType {
-    NONE,
-    CONTACT,
-    REGISTRAR
-  }
-
-  private static final String CONTACT_CURSOR_PREFIX = "c:";
-  private static final String REGISTRAR_CURSOR_PREFIX = "r:";
-
   /** Parses the parameters and calls the appropriate search function. */
   @Override
   public EntitySearchResponse getSearchResponse(boolean isHeadRequest) {
@@ -120,61 +76,23 @@ public class RdapEntitySearchAction extends RdapSearchActionBase {
       throw new BadRequestException("You must specify either fn=XXXX or handle=YYYY");
     }
 
-    // Check the subtype.
-    Subtype subtype;
-    if (subtypeParam.isEmpty() || subtypeParam.get().equalsIgnoreCase("all")) {
-      subtype = Subtype.ALL;
-    } else if (subtypeParam.get().equalsIgnoreCase("contacts")) {
-      subtype = Subtype.CONTACTS;
-    } else if (subtypeParam.get().equalsIgnoreCase("registrars")) {
-      subtype = Subtype.REGISTRARS;
-    } else {
-      throw new BadRequestException("Subtype parameter must specify contacts, registrars or all");
-    }
-
-    CursorType cursorType;
-    Optional<String> cursorQueryString;
-    if (cursorString.isEmpty()) {
-      cursorType = CursorType.NONE;
-      cursorQueryString = Optional.empty();
-    } else {
-      if (cursorString.get().startsWith(CONTACT_CURSOR_PREFIX)) {
-        cursorType = CursorType.CONTACT;
-        cursorQueryString =
-            Optional.of(cursorString.get().substring(CONTACT_CURSOR_PREFIX.length()));
-      } else if (cursorString.get().startsWith(REGISTRAR_CURSOR_PREFIX)) {
-        cursorType = CursorType.REGISTRAR;
-        cursorQueryString =
-            Optional.of(cursorString.get().substring(REGISTRAR_CURSOR_PREFIX.length()));
-      } else {
-        throw new BadRequestException(String.format("invalid cursor: %s", cursorTokenParam));
-      }
-    }
-
     // Search by name.
     EntitySearchResponse results;
     if (fnParam.isPresent()) {
       metricInformationBuilder.setSearchType(SearchType.BY_FULL_NAME);
       // syntax: /rdap/entities?fn=Bobby%20Joe*
-      // The name is the contact name or registrar name (not registrar contact name).
+      // The name is the registrar name (not registrar contact name).
       results =
           searchByName(
-              recordWildcardType(RdapSearchPattern.createFromUnicodeString(fnParam.get())),
-              cursorType,
-              cursorQueryString,
-              subtype);
-
-    // Search by handle.
+              recordWildcardType(RdapSearchPattern.createFromUnicodeString(fnParam.get())));
     } else {
+      // Search by handle.
       metricInformationBuilder.setSearchType(SearchType.BY_HANDLE);
       // syntax: /rdap/entities?handle=12345-*
-      // The handle is either the contact roid or the registrar clientId.
+      // The handle is the registrar ID.
       results =
           searchByHandle(
-              recordWildcardType(RdapSearchPattern.createFromUnicodeString(handleParam.get())),
-              cursorType,
-              cursorQueryString,
-              subtype);
+              recordWildcardType(RdapSearchPattern.createFromUnicodeString(handleParam.get())));
     }
 
     // Build the result object and return it.
@@ -196,91 +114,32 @@ public class RdapEntitySearchAction extends RdapSearchActionBase {
    * <p>According to RFC 9082 section 6.1, punycode is only used for domain name labels, so we can
    * assume that entity names are regular unicode.
    *
-   * <p>The includeDeleted flag is ignored when searching for contacts, because contact names are
-   * set to null when the contact is deleted, so a deleted contact can never have a name.
-   *
-   * <p>Since we are restricting access to contact names, we don't want name searches to return
-   * contacts whose names are not visible. That would allow unscrupulous users to query by name and
-   * infer that all returned contacts contain that name string. So we check the authorization level
-   * to determine what to do.
-   *
    * @see <a
    *     href="https://newgtlds.icann.org/sites/default/files/agreements/agreement-approved-09jan14-en.htm">1.6
    *     of Section 4 of the Base Registry Agreement</a>
    */
-  private EntitySearchResponse searchByName(
-      final RdapSearchPattern partialStringQuery,
-      CursorType cursorType,
-      Optional<String> cursorQueryString,
-      Subtype subtype) {
+  private EntitySearchResponse searchByName(final RdapSearchPattern partialStringQuery) {
     // Don't allow wildcard suffixes when searching for entities.
     if (partialStringQuery.getHasWildcard() && (partialStringQuery.getSuffix() != null)) {
       throw new UnprocessableEntityException(
           "Suffixes not allowed in wildcard entity name searches");
     }
-    // For wildcards, make sure the initial string is long enough, except in the special case of
-    // searching for all registrars, where we aren't worried about inefficient searches.
-    if (partialStringQuery.getHasWildcard()
-        && (subtype != Subtype.REGISTRARS)
-        && (partialStringQuery.getInitialString().length()
-            < RdapSearchPattern.MIN_INITIAL_STRING_LENGTH)) {
-      throw new UnprocessableEntityException(
-          "Initial search string required in wildcard entity name searches");
-    }
-    // Get the registrar matches. If we have a registrar cursor, weed out registrars up to and
-    // including the one we ended with last time. We can skip registrars if subtype is CONTACTS.
-    ImmutableList<Registrar> registrars;
-    if (subtype == Subtype.CONTACTS) {
-      registrars = ImmutableList.of();
-    } else {
-      registrars =
-          Streams.stream(Registrar.loadAllCached())
-              .sorted(
-                  Comparator.comparing(Registrar::getRegistrarName, String.CASE_INSENSITIVE_ORDER))
-              .filter(
-                  registrar ->
-                      partialStringQuery.matches(registrar.getRegistrarName())
-                          && ((cursorType != CursorType.REGISTRAR)
-                              || (registrar.getRegistrarName().compareTo(cursorQueryString.get())
-                                  > 0))
-                          && shouldBeVisible(registrar))
-              .limit(rdapResultSetMaxSize + 1)
-              .collect(toImmutableList());
-    }
-    // Get the contact matches and return the results, fetching an additional contact to detect
-    // truncation. Don't bother searching for contacts by name if the request would not be able to
-    // see any names anyway. Also, if a registrar cursor is present, we have already moved past the
-    // contacts, and don't need to fetch them this time. We can skip contacts if subtype is
-    // REGISTRARS.
-    RdapResultSet<Contact> resultSet;
-    if (subtype == Subtype.REGISTRARS) {
-      resultSet = RdapResultSet.create(ImmutableList.of());
-    } else {
-      if ((rdapAuthorization.role() == RdapAuthorization.Role.PUBLIC)
-          || (cursorType == CursorType.REGISTRAR)) {
-        resultSet = RdapResultSet.create(ImmutableList.of());
-      } else {
-        resultSet =
-            replicaTm()
-                .transact(
-                    () -> {
-                      CriteriaQueryBuilder<Contact> builder =
-                          queryItems(
-                              Contact.class,
-                              "searchName",
-                              partialStringQuery,
-                              cursorQueryString,
-                              DeletedItemHandling.EXCLUDE);
-                      if (!rdapAuthorization.role().equals(Role.ADMINISTRATOR)) {
-                        builder =
-                            builder.whereFieldIsIn(
-                                "currentSponsorRegistrarId", rdapAuthorization.registrarIds());
-                      }
-                      return getMatchingResources(builder, false, rdapResultSetMaxSize + 1);
-                    });
-      }
-    }
-    return makeSearchResults(resultSet, registrars, QueryType.FULL_NAME);
+    // Get the registrar matches. If we have a cursor, weed out registrars up to and including the
+    // one we ended with last time.
+    ImmutableList<Registrar> registrars =
+        Streams.stream(Registrar.loadAllCached())
+            .sorted(
+                Comparator.comparing(Registrar::getRegistrarName, String.CASE_INSENSITIVE_ORDER))
+            .filter(
+                registrar ->
+                    partialStringQuery.matches(registrar.getRegistrarName())
+                        && (cursorString.isEmpty()
+                            || (registrar.getRegistrarName().compareTo(cursorString.get()) > 0))
+                        && shouldBeVisible(registrar))
+            .limit(rdapResultSetMaxSize + 1)
+            .collect(toImmutableList());
+
+    return makeSearchResults(registrars);
   }
 
   /**
@@ -290,101 +149,41 @@ public class RdapEntitySearchAction extends RdapSearchActionBase {
    *
    * <p>We don't allow suffixes after a wildcard in entity searches. Suffixes are used in domain
    * searches to specify a TLD, and in nameserver searches to specify a locally managed domain name.
-   * In both cases, the suffix can be turned into an additional query filter field. For contacts,
-   * there is no equivalent string suffix that can be used as a query filter, so we disallow use.
+   * In both cases, the suffix can be turned into an additional query filter field.
    */
-  private EntitySearchResponse searchByHandle(
-      final RdapSearchPattern partialStringQuery,
-      CursorType cursorType,
-      Optional<String> cursorQueryString,
-      Subtype subtype) {
+  private EntitySearchResponse searchByHandle(final RdapSearchPattern partialStringQuery) {
     if (partialStringQuery.getSuffix() != null) {
       throw new UnprocessableEntityException("Suffixes not allowed in entity handle searches");
     }
     // Handle queries without a wildcard (and not including deleted) -- load by ID.
     if (!partialStringQuery.getHasWildcard() && !shouldIncludeDeleted()) {
-      ImmutableList<Contact> contactList;
-      if (subtype == Subtype.REGISTRARS) {
-        contactList = ImmutableList.of();
-      } else {
-        Optional<Contact> contact =
-            replicaTm()
-                .transact(
-                    () ->
-                        replicaTm()
-                            .loadByKeyIfPresent(
-                                VKey.create(Contact.class, partialStringQuery.getInitialString())));
-        contactList =
-            (contact.isPresent() && shouldBeVisible(contact.get()))
-                ? ImmutableList.of(contact.get())
-                : ImmutableList.of();
-      }
-      ImmutableList<Registrar> registrarList;
-      if (subtype == Subtype.CONTACTS) {
-        registrarList = ImmutableList.of();
-      } else {
-        registrarList = getMatchingRegistrars(partialStringQuery.getInitialString());
-      }
-      return makeSearchResults(
-          contactList,
-          IncompletenessWarningType.COMPLETE,
-          contactList.size(),
-          registrarList,
-          QueryType.HANDLE);
+      return makeSearchResults(getMatchingRegistrars(partialStringQuery.getInitialString()));
+    }
     // Handle queries with a wildcard (or including deleted), but no suffix. Because the handle
     // for registrars is the IANA identifier number, don't allow wildcard searches for registrars,
     // by simply not searching for registrars if a wildcard is present (unless the request is for
-    // all registrars, in which case we know what to do). Fetch an extra contact to detect result
-    // set truncation.
+    // all registrars, in which case we know what to do).
+    ImmutableList<Registrar> registrars;
+    if (partialStringQuery.getHasWildcard() && partialStringQuery.getInitialString().isEmpty()) {
+      // Even though we are searching by IANA identifier, we should still sort by name, because
+      // the IANA identifier can by missing, and sorting on that would screw up our cursors.
+      registrars =
+          Streams.stream(Registrar.loadAllCached())
+              .sorted(
+                  Comparator.comparing(Registrar::getRegistrarName, String.CASE_INSENSITIVE_ORDER))
+              .filter(
+                  registrar ->
+                      (cursorString.isEmpty()
+                              || (registrar.getRegistrarName().compareTo(cursorString.get()) > 0))
+                          && shouldBeVisible(registrar))
+              .limit(rdapResultSetMaxSize + 1)
+              .collect(toImmutableList());
+    } else if (partialStringQuery.getHasWildcard()) {
+      registrars = ImmutableList.of();
     } else {
-      ImmutableList<Registrar> registrars;
-      if ((subtype == Subtype.REGISTRARS)
-          && partialStringQuery.getHasWildcard()
-          && partialStringQuery.getInitialString().isEmpty()) {
-        // Even though we are searching by IANA identifier, we should still sort by name, because
-        // the IANA identifier can by missing, and sorting on that would screw up our cursors.
-        registrars =
-            Streams.stream(Registrar.loadAllCached())
-                .sorted(
-                    Comparator.comparing(
-                        Registrar::getRegistrarName, String.CASE_INSENSITIVE_ORDER))
-                .filter(
-                    registrar ->
-                        ((cursorType != CursorType.REGISTRAR)
-                                || (registrar.getRegistrarName().compareTo(cursorQueryString.get())
-                                    > 0))
-                            && shouldBeVisible(registrar))
-                .limit(rdapResultSetMaxSize + 1)
-                .collect(toImmutableList());
-      } else if ((subtype == Subtype.CONTACTS) || partialStringQuery.getHasWildcard()) {
-        registrars = ImmutableList.of();
-      } else {
-        registrars = getMatchingRegistrars(partialStringQuery.getInitialString());
-      }
-      // Get the contact matches and return the results, fetching an additional contact to detect
-      // truncation. If we are including deleted entries, we must fetch more entries, in case some
-      // get excluded due to permissioning. Any cursor present must be a contact cursor, because we
-      // would never return a registrar for this search.
-      int querySizeLimit = getStandardQuerySizeLimit();
-      RdapResultSet<Contact> contactResultSet;
-      if (subtype == Subtype.REGISTRARS) {
-        contactResultSet = RdapResultSet.create(ImmutableList.of());
-      } else {
-        contactResultSet =
-            replicaTm()
-                .transact(
-                    () ->
-                        getMatchingResources(
-                            queryItemsByKey(
-                                Contact.class,
-                                partialStringQuery,
-                                cursorQueryString,
-                                getDeletedItemHandling()),
-                            shouldIncludeDeleted(),
-                            querySizeLimit));
-      }
-      return makeSearchResults(contactResultSet, registrars, QueryType.HANDLE);
+      registrars = getMatchingRegistrars(partialStringQuery.getInitialString());
     }
+    return makeSearchResults(registrars);
   }
 
   /** Looks up registrars by handle (i.e. IANA identifier). */
@@ -399,90 +198,25 @@ public class RdapEntitySearchAction extends RdapSearchActionBase {
         : ImmutableList.of();
   }
 
-  /**
-   * Builds a JSON array of entity info maps based on the specified contacts and registrars.
-   *
-   * <p>This is a convenience wrapper for the four-argument makeSearchResults; it unpacks the
-   * properties of the {@link RdapResultSet} structure and passes them as separate arguments.
-   */
-  private EntitySearchResponse makeSearchResults(
-      RdapResultSet<Contact> resultSet, List<Registrar> registrars, QueryType queryType) {
-    return makeSearchResults(
-        resultSet.resources(),
-        resultSet.incompletenessWarningType(),
-        resultSet.numResourcesRetrieved(),
-        registrars,
-        queryType);
-  }
-
-  /**
-   * Builds a JSON array of entity info maps based on the specified contacts and registrars.
-   *
-   * <p>The number of contacts retrieved is recorded for use by the metrics.
-   *
-   * @param contacts the list of contacts which can be returned
-   * @param incompletenessWarningType MIGHT_BE_INCOMPLETE if the list of contacts might be
-   *     incomplete; this only matters if the total count of contacts and registrars combined is
-   *     less than a full result set's worth
-   * @param numContactsRetrieved the number of contacts retrieved in the process of generating the
-   *     results
-   * @param registrars the list of registrars which can be returned
-   * @param queryType whether the query was by full name or by handle
-   * @return an {@link RdapSearchResults} object
-   */
-  private EntitySearchResponse makeSearchResults(
-      List<Contact> contacts,
-      IncompletenessWarningType incompletenessWarningType,
-      int numContactsRetrieved,
-      List<Registrar> registrars,
-      QueryType queryType) {
-
-    metricInformationBuilder.setNumContactsRetrieved(numContactsRetrieved);
-
+  /** Builds a JSON array of entity info maps based on the specified registrars. */
+  private EntitySearchResponse makeSearchResults(List<Registrar> registrars) {
     // Determine what output data type to use, depending on whether more than one entity will be
     // returned.
     OutputDataType outputDataType =
-        (contacts.size() + registrars.size() > 1) ? OutputDataType.SUMMARY : OutputDataType.FULL;
-
-    // There can be more results than our max size, partially because we have two pools to draw from
-    // (contacts and registrars), and partially because we try to fetch one more than the max size,
-    // so we can tell whether to display the truncation notification.
-    //
-    // Each time we add a contact or registrar to the output data set, remember what the appropriate
-    // cursor would be if it were the last item returned. When we stop adding items, the last cursor
-    // value we remembered will be the right one to pass back.
-    EntitySearchResponse.Builder builder =
-        EntitySearchResponse.builder()
-            .setIncompletenessWarningType(incompletenessWarningType);
-    Optional<String> newCursor = Optional.empty();
-    for (Contact contact : Iterables.limit(contacts, rdapResultSetMaxSize)) {
-      // As per Andy Newton on the regext mailing list, contacts by themselves have no role, since
-      // they are global, and might have different roles for different domains.
+        registrars.size() > 1 ? OutputDataType.SUMMARY : OutputDataType.FULL;
+    EntitySearchResponse.Builder builder = EntitySearchResponse.builder();
+    Iterable<Registrar> limitedRegistrars = Iterables.limit(registrars, rdapResultSetMaxSize);
+    for (Registrar registrar : limitedRegistrars) {
       builder
           .entitySearchResultsBuilder()
-          .add(
-              rdapJsonFormatter.createRdapContactEntity(
-                  contact, ImmutableSet.of(), outputDataType));
-      newCursor =
-          Optional.of(
-              CONTACT_CURSOR_PREFIX
-                  + ((queryType == QueryType.FULL_NAME)
-                      ? contact.getSearchName()
-                      : contact.getRepoId()));
+          .add(rdapJsonFormatter.createRdapRegistrarEntity(registrar, outputDataType));
     }
-    if (rdapResultSetMaxSize > contacts.size()) {
-      for (Registrar registrar :
-          Iterables.limit(registrars, rdapResultSetMaxSize - contacts.size())) {
-        builder
-            .entitySearchResultsBuilder()
-            .add(rdapJsonFormatter.createRdapRegistrarEntity(registrar, outputDataType));
-        newCursor = Optional.of(REGISTRAR_CURSOR_PREFIX + registrar.getRegistrarName());
-      }
-    }
-    if (rdapResultSetMaxSize < contacts.size() + registrars.size()) {
-      builder.setNextPageUri(createNavigationUri(newCursor.get()));
+    if (rdapResultSetMaxSize < registrars.size()) {
+      builder.setNextPageUri(
+          createNavigationUri(Iterables.getLast(limitedRegistrars).getRegistrarName()));
       builder.setIncompletenessWarningType(IncompletenessWarningType.TRUNCATED);
-      return builder.build();
+    } else {
+      builder.setIncompletenessWarningType(IncompletenessWarningType.COMPLETE);
     }
     return builder.build();
   }

core/src/main/java/google/registry/rdap/RdapHelpAction.java

@@ -28,7 +28,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 import java.util.Optional;
 
-/** RDAP (new WHOIS) action for help requests. */
+/** RDAP action for help requests. */
 @Action(
     service = GaeService.PUBAPI,
     path = RdapHelpAction.PATH,

core/src/main/java/google/registry/rdap/RdapIcannStandardInformation.java

@@ -22,42 +22,34 @@ import google.registry.rdap.RdapDataStructures.Remark;
 /**
  * This file contains boilerplate required by the ICANN RDAP Profile.
  *
- * @see <a href="https://www.icann.org/resources/pages/rdap-operational-profile-2016-07-26-en">RDAP
- *     Operational Profile for gTLD Registries and Registrars</a>
+ * @see <a
+ *     href="https://itp.cdn.icann.org/en/files/registry-operators/rdap-response-profile-21feb24-en.pdf">
+ *     RDAP Response Profile</a>
  */
 public class RdapIcannStandardInformation {
 
-  /** Required by ICANN RDAP Profile section 1.4.10. */
-  private static final Notice CONFORMANCE_NOTICE =
-      Notice.builder()
-          .setDescription(
-              "This response conforms to the RDAP Operational Profile for gTLD Registries and"
-                  + " Registrars version 1.0")
-          .build();
-
-  /** Required by ICANN RDAP Profile section 1.5.18. */
+  /** Required by RDAP Response Profile section 2.6.3. */
   private static final Notice DOMAIN_STATUS_CODES_NOTICE =
       Notice.builder()
           .setTitle("Status Codes")
           .setDescription(
-              "For more information on domain status codes, please visit"
-                  + " https://icann.org/epp")
+              "For more information on domain status codes, please visit https://icann.org/epp")
           .addLink(
               Link.builder()
-                  .setRel("alternate")
+                  .setRel("glossary")
                   .setHref("https://icann.org/epp")
                   .setType("text/html")
                   .build())
           .build();
 
-  /** Required by ICANN RDAP Response Profile section 2.11. */
+  /** Required by RDAP Response Profile section 2.10. */
   private static final Notice INACCURACY_COMPLAINT_FORM_NOTICE =
       Notice.builder()
           .setTitle("RDDS Inaccuracy Complaint Form")
           .setDescription("URL of the ICANN RDDS Inaccuracy Complaint Form: https://icann.org/wicf")
           .addLink(
               Link.builder()
-                  .setRel("alternate")
+                  .setRel("help")
                   .setHref("https://icann.org/wicf")
                   .setType("text/html")
                   .build())
@@ -79,28 +71,16 @@ public class RdapIcannStandardInformation {
   /** Boilerplate notices required by domain responses. */
   static final ImmutableList<Notice> DOMAIN_BOILERPLATE_NOTICES =
       ImmutableList.of(
-          CONFORMANCE_NOTICE,
           // RDAP Response Profile 2.6.3
           DOMAIN_STATUS_CODES_NOTICE,
-          // RDAP Response Profile 2.11
+          // RDAP Response Profile 2.10
           INACCURACY_COMPLAINT_FORM_NOTICE);
 
   /** Boilerplate notice for when a domain is blocked by BSA. */
   static final ImmutableList<Notice> DOMAIN_BLOCKED_BY_BSA_BOILERPLATE_NOTICES =
       ImmutableList.of(DOMAIN_BLOCKED_BY_BSA_NOTICE);
 
-  /** Boilerplate remarks required by nameserver and entity responses. */
-  static final ImmutableList<Notice> NAMESERVER_AND_ENTITY_BOILERPLATE_NOTICES =
-      ImmutableList.of(CONFORMANCE_NOTICE);
-
-  /**
-   * Required by ICANN RDAP Profile section 1.4.9, as corrected by Gustavo Lozano of ICANN.
-   *
-   * <p>Also mentioned in the RDAP Technical Implementation Guide 3.6.
-   *
-   * @see <a href="http://mm.icann.org/pipermail/gtld-tech/2016-October/000822.html">Questions about
-   *     the ICANN RDAP Profile</a>
-   */
+  /** Required by the RDAP Technical Implementation Guide 3.6. */
   static final Remark SUMMARY_DATA_REMARK =
       Remark.builder()
           .setTitle("Incomplete Data")
@@ -109,14 +89,7 @@ public class RdapIcannStandardInformation {
           .setType(Remark.Type.OBJECT_TRUNCATED_UNEXPLAINABLE)
           .build();
 
-  /**
-   * Required by ICANN RDAP Profile section 1.4.8, as corrected by Gustavo Lozano of ICANN.
-   *
-   * <p>Also mentioned in the RDAP Technical Implementation Guide 3.5.
-   *
-   * @see <a href="http://mm.icann.org/pipermail/gtld-tech/2016-October/000822.html">Questions about
-   *     the ICANN RDAP Profile</a>
-   */
+  /** Required by the RDAP Technical Implementation Guide 3.5. */
   static final Notice TRUNCATED_RESULT_SET_NOTICE =
       Notice.builder()
           .setTitle("Search Policy")
@@ -144,43 +117,4 @@ public class RdapIcannStandardInformation {
   /** Possibly incomplete notice as a singleton list, for easy use. */
   static final ImmutableList<Notice> POSSIBLY_INCOMPLETE_NOTICES =
       ImmutableList.of(POSSIBLY_INCOMPLETE_RESULT_SET_NOTICE);
-
-  /**
-   * Included when requester is not logged in as the owner of the contact being returned.
-   *
-   * <p>Format required by ICANN RDAP Response Profile 15feb19 section 2.7.4.3.
-   */
-  static final Remark CONTACT_PERSONAL_DATA_HIDDEN_DATA_REMARK =
-      Remark.builder()
-          .setTitle("REDACTED FOR PRIVACY")
-          .setDescription(
-              "Some of the data in this object has been removed.",
-              "Contact personal data is visible only to the owning registrar.")
-          .setType(Remark.Type.OBJECT_REDACTED_AUTHORIZATION)
-          .addLink(
-              Link.builder()
-                  .setRel("alternate")
-                  .setHref(
-                      "https://github.com/google/nomulus/blob/master/docs/rdap.md#authentication")
-                  .setType("text/html")
-                  .build())
-          .build();
-
-  /**
-   * Included in ALL contact responses, even if the user is authorized.
-   *
-   * <p>Format required by ICANN RDAP Response Profile 15feb19 section 2.7.5.3.
-   *
-   * <p>NOTE that unlike other redacted fields, there's no allowance to give the email to authorized
-   * users or allow for registrar consent.
-   */
-  static final Remark CONTACT_EMAIL_REDACTED_FOR_DOMAIN =
-      Remark.builder()
-          .setTitle("EMAIL REDACTED FOR PRIVACY")
-          .setDescription(
-              "Please query the RDDS service of the Registrar of Record identifies in this output"
-                  + " for information on how to contact the Registrant of the queried domain"
-                  + " name.")
-          .setType(Remark.Type.OBJECT_REDACTED_AUTHORIZATION)
-          .build();
 }

core/src/main/java/google/registry/rdap/RdapIpAction.java

@@ -26,7 +26,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 
 /**
- * RDAP (new WHOIS) action for RDAP IP address requests.
+ * RDAP action for RDAP IP address requests.
  *
  * <p>This feature is not implemented because it's only necessary for <i>address</i> registries like
  * ARIN, not domain registries.

core/src/main/java/google/registry/rdap/RdapJsonFormatter.java

@@ -18,32 +18,25 @@ import static com.google.common.base.Predicates.not;
 import static com.google.common.base.Strings.nullToEmpty;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static com.google.common.collect.ImmutableSetMultimap.toImmutableSetMultimap;
 import static google.registry.model.EppResourceUtils.isLinked;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
-import static google.registry.util.CollectionUtils.union;
 
+import com.github.benmanes.caffeine.cache.LoadingCache;
 import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Maps;
 import com.google.common.collect.Ordering;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.InetAddresses;
 import com.google.gson.JsonArray;
+import google.registry.config.RegistryConfig;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.model.CacheUtils;
 import google.registry.model.EppResource;
 import google.registry.model.adapters.EnumToAttributeAdapter.EppEnum;
-import google.registry.model.contact.Contact;
-import google.registry.model.contact.ContactPhoneNumber;
-import google.registry.model.contact.PostalInfo;
-import google.registry.model.domain.DesignatedContact;
-import google.registry.model.domain.DesignatedContact.Type;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.rgp.GracePeriodStatus;
 import google.registry.model.eppcommon.Address;
@@ -54,32 +47,28 @@ import google.registry.model.registrar.RegistrarAddress;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.model.reporting.HistoryEntry;
 import google.registry.model.reporting.HistoryEntryDao;
-import google.registry.persistence.VKey;
 import google.registry.rdap.RdapDataStructures.Event;
 import google.registry.rdap.RdapDataStructures.EventAction;
 import google.registry.rdap.RdapDataStructures.Link;
 import google.registry.rdap.RdapDataStructures.Notice;
 import google.registry.rdap.RdapDataStructures.PublicId;
 import google.registry.rdap.RdapDataStructures.RdapStatus;
-import google.registry.rdap.RdapObjectClasses.RdapContactEntity;
 import google.registry.rdap.RdapObjectClasses.RdapDomain;
 import google.registry.rdap.RdapObjectClasses.RdapEntity;
-import google.registry.rdap.RdapObjectClasses.RdapEntity.Role;
 import google.registry.rdap.RdapObjectClasses.RdapNameserver;
 import google.registry.rdap.RdapObjectClasses.RdapRegistrarEntity;
+import google.registry.rdap.RdapObjectClasses.RdapRegistrarPocEntity;
 import google.registry.rdap.RdapObjectClasses.SecureDns;
 import google.registry.rdap.RdapObjectClasses.Vcard;
 import google.registry.rdap.RdapObjectClasses.VcardArray;
 import google.registry.request.RequestServerName;
 import google.registry.util.Clock;
 import jakarta.inject.Inject;
-import jakarta.persistence.Entity;
 import java.net.Inet4Address;
 import java.net.Inet6Address;
 import java.net.InetAddress;
 import java.net.URI;
 import java.nio.file.Paths;
-import java.util.HashMap;
 import java.util.Locale;
 import java.util.Optional;
 import java.util.Set;
@@ -103,6 +92,16 @@ public class RdapJsonFormatter {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
+  @VisibleForTesting
+  record HistoryTimeAndRegistrar(DateTime modificationTime, String registrarId) {}
+
+  private static final LoadingCache<String, ImmutableMap<EventAction, HistoryTimeAndRegistrar>>
+      DOMAIN_HISTORIES_BY_REPO_ID =
+          CacheUtils.newCacheBuilder(RegistryConfig.getEppResourceCachingDuration())
+              // Cache more than the EPP resource cache because we're only caching small objects
+              .maximumSize(RegistryConfig.getEppResourceMaxCachedEntries() * 4L)
+              .build(repoId -> getLastHistoryByType(repoId, Domain.class));
+
   private DateTime requestTime = null;
 
   @Inject
@@ -125,8 +124,8 @@ public class RdapJsonFormatter {
    * What type of data to generate.
    *
    * <p>Summary data includes only information about the object itself, while full data includes
-   * associated items (e.g. for domains, full data includes the hosts, contacts and history entries
-   * connected with the domain).
+   * associated items (e.g. for domains, full data includes the hosts and history entries connected
+   * with the domain).
    *
    * <p>Summary data is appropriate for search queries which return many results, to avoid load on
    * the system. According to the ICANN operational profile, a remark must be attached to the
@@ -212,7 +211,7 @@ public class RdapJsonFormatter {
    * Map of EPP event values to the RDAP equivalents.
    *
    * <p>Only has entries for optional events, either stated as optional in the RDAP Response Profile
-   * 15feb19, or not mentioned at all but thought to be useful anyway.
+   * section 2.3.2, or not mentioned at all but thought to be useful anyway.
    *
    * <p>Any required event should be added elsewhere, preferably without using HistoryEntries (so
    * that we don't need to load HistoryEntries for "summary" responses).
@@ -251,10 +250,6 @@ public class RdapJsonFormatter {
   private static final Ordering<Host> HOST_RESOURCE_ORDERING =
       Ordering.natural().onResultOf(Host::getHostName);
 
-  /** Sets the ordering for designated contacts; order them in a fixed order by contact type. */
-  private static final Ordering<DesignatedContact> DESIGNATED_CONTACT_ORDERING =
-      Ordering.natural().onResultOf(DesignatedContact::getType);
-
   /** Creates the TOS notice that is added to every reply. */
   Notice createTosNotice() {
     String linkValue = makeRdapServletRelativeUrl("help", RdapHelpAction.TOS_PATH);
@@ -271,7 +266,7 @@ public class RdapJsonFormatter {
       URI htmlUri = htmlBaseURI.resolve(rdapTosStaticUrl);
       noticeBuilder.addLink(
           Link.builder()
-              .setRel("alternate")
+              .setRel("terms-of-service")
               .setHref(htmlUri.toString())
               .setType("text/html")
               .build());
@@ -283,8 +278,8 @@ public class RdapJsonFormatter {
    * Creates a JSON object for a {@link Domain}.
    *
    * <p>NOTE that domain searches aren't in the spec yet - they're in the RFC 9082 that describes
-   * the query format, but they aren't in the RDAP Technical Implementation Guide 15feb19, meaning
-   * we don't have to implement them yet and the RDAP Response Profile doesn't apply to them.
+   * the query format, but they aren't in the RDAP Technical Implementation Guide, meaning we don't
+   * have to implement them yet and the RDAP Response Profile doesn't apply to them.
    *
    * <p>We're implementing domain searches anyway, BUT we won't have the response for searches
    * conform to the RDAP Response Profile.
@@ -298,9 +293,9 @@ public class RdapJsonFormatter {
     if (outputDataType != OutputDataType.FULL) {
       builder.remarksBuilder().add(RdapIcannStandardInformation.SUMMARY_DATA_REMARK);
     }
-    // RDAP Response Profile 15feb19 section 2.1 discusses the domain name.
+    // RDAP Response Profile section 2.1 discusses the domain name.
     builder.setLdhName(domain.getDomainName());
-    // RDAP Response Profile 15feb19 section 2.2:
+    // RDAP Response Profile section 2.2:
     // The domain handle MUST be the ROID
     builder.setHandle(domain.getRepoId());
     // If this is a summary (search result) - we'll return now. Since there's no requirement for
@@ -308,9 +303,9 @@ public class RdapJsonFormatter {
     if (outputDataType == OutputDataType.SUMMARY) {
       return builder.build();
     }
-    // RDAP Response Profile 15feb19 section 2.3.1:
+    // RDAP Response Profile section 2.3.1:
     // The domain object in the RDAP response MUST contain the following events:
-    // [registration, expiration, last update of RDAP database]
+    // [registration, expiration]
     builder
         .eventsBuilder()
         .add(
@@ -324,14 +319,18 @@ public class RdapJsonFormatter {
                 .setEventAction(EventAction.EXPIRATION)
                 .setEventDate(domain.getRegistrationExpirationTime())
                 .build(),
+            // RDAP response profile section 1.5:
+            // The topmost object in the RDAP response MUST contain an event of "eventAction" type
+            // "last update of RDAP database" with a value equal to the timestamp when the RDAP
+            // database was last updated
             Event.builder()
                 .setEventAction(EventAction.LAST_UPDATE_OF_RDAP_DATABASE)
                 .setEventDate(getRequestTime())
                 .build());
-    // RDAP Response Profile 15feb19 section 2.3.2 discusses optional events. We add some of those
+    // RDAP Response Profile section 2.3.2 discusses optional events. We add some of those
     // here. We also add a few others we find interesting.
     builder.eventsBuilder().addAll(makeOptionalEvents(domain));
-    // RDAP Response Profile 15feb19 section 2.4.1:
+    // RDAP Response Profile section 2.4.1:
     // The domain object in the RDAP response MUST contain an entity with the Registrar role.
     //
     // See {@link createRdapRegistrarEntity} for details of section 2.4 conformance
@@ -369,58 +368,19 @@ public class RdapJsonFormatter {
     // RDAP Response Profile 2.6.3, must have a notice about statuses. That is in {@link
     // RdapIcannStandardInformation#domainBoilerplateNotices}
 
-    // Kick off the database loads of the nameservers that we will need, so it can load
-    // asynchronously while we load and process the contacts.
     ImmutableSet<Host> loadedHosts =
         replicaTm()
             .transact(
                 () ->
                     ImmutableSet.copyOf(replicaTm().loadByKeys(domain.getNameservers()).values()));
-    // Load the registrant and other contacts and add them to the data.
-    ImmutableSet<VKey<Contact>> contacts = domain.getReferencedContacts();
-    ImmutableMap<VKey<? extends Contact>, Contact> loadedContacts =
-        contacts.isEmpty()
-            ? ImmutableMap.of()
-            : replicaTm().transact(() -> replicaTm().loadByKeysIfPresent(contacts));
-
-    // RDAP Response Profile 2.7.1, 2.7.3 - we MUST have the contacts. 2.7.4 discusses redaction of
-    // fields we don't want to show (as opposed to not having contacts at all) because of GDPR etc.
-    //
-    // The GDPR redaction is handled in createRdapContactEntity.
-
-    // Load all contacts that are present and group them by type (it is common for a single contact
-    // entity to be used across multiple contact types on domain, e.g. registrant and admin).
-    ImmutableSetMultimap<VKey<Contact>, Type> contactsToRoles =
-        domain.getAllContacts().stream()
-            .sorted(DESIGNATED_CONTACT_ORDERING)
-            .collect(
-                toImmutableSetMultimap(
-                    DesignatedContact::getContactKey, DesignatedContact::getType));
-
-    // Convert the contact entities to RDAP output contacts (this also converts the contact types
-    // to RDAP roles).
-    for (VKey<Contact> contactKey : contactsToRoles.keySet()) {
-      Set<Role> roles =
-          contactsToRoles.get(contactKey).stream()
-              .map(RdapJsonFormatter::convertContactTypeToRdapRole)
-              .collect(toImmutableSet());
-      if (roles.isEmpty()) {
-        continue;
-      }
-      builder
-          .entitiesBuilder()
-          .add(
-              createRdapContactEntity(
-                  loadedContacts.get(contactKey), roles, OutputDataType.INTERNAL));
-    }
 
     // Add the nameservers to the data; the load was kicked off above for efficiency.
-    // RDAP Response Profile 2.9: we MUST have the nameservers
+    // RDAP Response Profile 2.8: we MUST have the nameservers
     for (Host host : HOST_RESOURCE_ORDERING.immutableSortedCopy(loadedHosts)) {
       builder.nameserversBuilder().add(createRdapNameserver(host, OutputDataType.INTERNAL));
     }
 
-    // RDAP Response Profile 2.10 - MUST contain a secureDns member including at least a
+    // RDAP Response Profile 2.9 - MUST contain a secureDns member including at least a
     // delegationSigned element. Other elements (e.g. dsData) MUST be included if the domain name is
     // signed and the elements are stored in the Registry
     //
@@ -445,13 +405,13 @@ public class RdapJsonFormatter {
       builder.remarksBuilder().add(RdapIcannStandardInformation.SUMMARY_DATA_REMARK);
     }
 
-    // We need the ldhName: RDAP Response Profile 2.9.1, 4.1
+    // We need the ldhName: RDAP Response Profile 2.8.1, 4.1
     builder.setLdhName(host.getHostName());
     // Handle is optional, but if given it MUST be the ROID.
     // We will set it always as it's important as a "self link"
     builder.setHandle(host.getRepoId());
 
-    // Status is optional for internal Nameservers - RDAP Response Profile 2.9.2
+    // Status is optional for internal Nameservers - RDAP Response Profile 2.8.2
     // It isn't mentioned at all anywhere else. So we can just not put it at all?
     //
     // To be safe, we'll put it on the "FULL" version anyway
@@ -483,7 +443,7 @@ public class RdapJsonFormatter {
 
     // For query responses - we MUST have all the ip addresses: RDAP Response Profile 4.2.
     //
-    // However, it is optional for internal responses: RDAP Response Profile 2.9.2
+    // However, it is optional for internal responses: RDAP Response Profile 2.8.2
     if (outputDataType != OutputDataType.INTERNAL) {
       for (InetAddress inetAddress : host.getInetAddresses()) {
         if (inetAddress instanceof Inet4Address) {
@@ -501,7 +461,7 @@ public class RdapJsonFormatter {
       builder.entitiesBuilder().add(createRdapRegistrarEntity(registrar, OutputDataType.INTERNAL));
     }
     if (outputDataType != OutputDataType.INTERNAL) {
-      // Rdap Response Profile 4.4, must have "last update of RDAP database" response. But this is
+      // Rdap Response Profile 1.5, must have "last update of RDAP database" response. But this is
       // only for direct query responses and not for internal objects.
       builder.setLastUpdateOfRdapDatabaseEvent(
           Event.builder()
@@ -512,143 +472,12 @@ public class RdapJsonFormatter {
     return builder.build();
   }
 
-  /**
-   * Creates a JSON object for a {@link Contact} and associated contact type.
-   *
-   * <p>If the contact isn't present (i.e. because of minimum registration data set), then always
-   * show all of its fields as if they were redacted, and always deny RDAP authorization.
-   *
-   * @param contact the contact resource object from which the JSON object should be created
-   * @param roles the roles of this contact
-   * @param outputDataType whether to generate full or summary data
-   */
-  RdapContactEntity createRdapContactEntity(
-      Contact contact, Iterable<RdapEntity.Role> roles, OutputDataType outputDataType) {
-    RdapContactEntity.Builder contactBuilder = RdapContactEntity.builder();
-
-    // RDAP Response Profile 2.7.1, 2.7.3 - we MUST have the contacts. 2.7.4 discusses censoring of
-    // fields we don't want to show (as opposed to not having contacts at all) because of GDPR etc.
-    //
-    // 2.8 allows for unredacted output for authorized people.
-    boolean isAuthorized =
-        rdapAuthorization.isAuthorizedForRegistrar(contact.getCurrentSponsorRegistrarId());
-
-    VcardArray.Builder vcardBuilder = VcardArray.builder();
-
-    if (isAuthorized) {
-      fillRdapContactEntityWhenAuthorized(contactBuilder, vcardBuilder, contact, outputDataType);
-    } else {
-      // GTLD Registration Data Temp Spec 17may18, Appendix A, 2.3, 2.4 and RDAP Response Profile
-      // 2.7.4.1, 2.7.4.2 - the following fields must be redacted:
-      // for REGISTRANT:
-      // handle (ROID), FN (name), TEL (telephone/fax and extension), street, city, postal code
-      // for ADMIN, TECH:
-      // handle (ROID), FN (name), TEL (telephone/fax and extension), Organization, street, city,
-      // state/province, postal code, country
-      //
-      // Note that in theory we have to show the Organization and state/province and country for the
-      // REGISTRANT. For now, we won't do that until we make sure it's really OK for GDPR
-      //
-      // RDAP Response Profile 2.7.4.3: if we redact values from the contact, we MUST include a
-      // remark
-      contactBuilder
-          .remarksBuilder()
-          .add(RdapIcannStandardInformation.CONTACT_PERSONAL_DATA_HIDDEN_DATA_REMARK);
-      contactBuilder.setHandle("");
-      // The VCard format requires a "fn" entry even if it is empty (redacted)
-      vcardBuilder.add(Vcard.create("fn", "text", ""));
-    }
-
-    contactBuilder.setVcardArray(vcardBuilder.build());
-    contactBuilder.rolesBuilder().addAll(roles);
-
-    // RDAP Response Profile 2.7.5.1, 2.7.5.3:
-    // email MUST be omitted, and we MUST have a Remark saying so
-    contactBuilder
-        .remarksBuilder()
-        .add(RdapIcannStandardInformation.CONTACT_EMAIL_REDACTED_FOR_DOMAIN);
-
-    if (outputDataType != OutputDataType.INTERNAL) {
-      // Rdap Response Profile 2.7.6 must have "last update of RDAP database" response. But this is
-      // only for direct query responses and not for internal objects. I'm not sure why it's in that
-      // section at all...
-      contactBuilder.setLastUpdateOfRdapDatabaseEvent(
-          Event.builder()
-              .setEventAction(EventAction.LAST_UPDATE_OF_RDAP_DATABASE)
-              .setEventDate(getRequestTime())
-              .build());
-    }
-    return contactBuilder.build();
-  }
-
-  private void fillRdapContactEntityWhenAuthorized(
-      RdapContactEntity.Builder contactBuilder,
-      VcardArray.Builder vcardBuilder,
-      Contact contact,
-      OutputDataType outputDataType) {
-    // ROID needs to be redacted if we aren't authorized, so we can't have a self-link for
-    // unauthorized users
-    contactBuilder.linksBuilder().add(makeSelfLink("entity", contact.getRepoId()));
-    // RDAP Response Profile 2.7.3 - we MUST provide a handle set with the ROID, subject to
-    // redaction.
-    contactBuilder.setHandle(contact.getRepoId());
-    if (outputDataType.equals(OutputDataType.FULL)) {
-      // RDAP Response Profile doesn't mention status for contacts, so we only show it if we're both
-      // FULL and Authorized.
-      contactBuilder
-          .statusBuilder()
-          .addAll(
-              makeStatusValueList(
-                  isLinked(contact.createVKey(), getRequestTime())
-                      ? union(contact.getStatusValues(), StatusValue.LINKED)
-                      : contact.getStatusValues(),
-                  false,
-                  contact.getDeletionTime().isBefore(getRequestTime())));
-      // If we are outputting all data (not just summary data), also add events taken from the
-      // history entries. This isn't strictly required.
-      //
-      // We also only add it for authorized users because millisecond times can fingerprint a user
-      // just as much as the handle can.
-      contactBuilder.eventsBuilder().addAll(makeOptionalEvents(contact));
-    } else {
-      // Only show the "summary data remark" if the user is authorized to see this data - because
-      // unauthorized users don't have a self link meaning they can't navigate to the full data.
-      contactBuilder.remarksBuilder().add(RdapIcannStandardInformation.SUMMARY_DATA_REMARK);
-    }
-    // Adding the VCard members when not redacted.
-    //
-    // RDAP Response Profile 2.7.3 - we MUST have FN, ADR, TEL, EMAIL.
-    //
-    // Note that 2.7.5 also says the EMAIL must be omitted, so we'll omit it
-    PostalInfo postalInfo = contact.getInternationalizedPostalInfo();
-    if (postalInfo == null) {
-      postalInfo = contact.getLocalizedPostalInfo();
-    }
-    if (postalInfo != null) {
-      if (postalInfo.getName() != null) {
-        vcardBuilder.add(Vcard.create("fn", "text", postalInfo.getName()));
-      }
-      if (postalInfo.getOrg() != null) {
-        vcardBuilder.add(Vcard.create("org", "text", postalInfo.getOrg()));
-      }
-      addVCardAddressEntry(vcardBuilder, postalInfo.getAddress());
-    }
-    ContactPhoneNumber voicePhoneNumber = contact.getVoiceNumber();
-    if (voicePhoneNumber != null) {
-      vcardBuilder.add(makePhoneEntry(PHONE_TYPE_VOICE, makePhoneString(voicePhoneNumber)));
-    }
-    ContactPhoneNumber faxPhoneNumber = contact.getFaxNumber();
-    if (faxPhoneNumber != null) {
-      vcardBuilder.add(makePhoneEntry(PHONE_TYPE_FAX, makePhoneString(faxPhoneNumber)));
-    }
-  }
-
   /**
    * Creates a JSON object for a {@link Registrar}.
    *
    * <p>This object can be INTERNAL to the Domain and Nameserver responses, with requirements
-   * discussed in the RDAP Response Profile 15feb19 sections 2.4 (internal to Domain) and 4.3
-   * (internal to Namesever)
+   * discussed in the RDAP Response Profile sections 2.4 (internal to Domain) and 4.3 (internal to
+   * Namesever)
    *
    * @param registrar the registrar object from which the RDAP response
    * @param outputDataType whether to generate FULL, SUMMARY, or INTERNAL data.
@@ -712,6 +541,15 @@ public class RdapJsonFormatter {
       builder.linksBuilder().add(makeSelfLink("entity", ianaIdentifier.toString()));
     }
 
+    // RDAP Response Profile 2.4.6: must have a links entry pointing to the registrar URL, with a
+    // rel:about and a value containing the registrar RDAP base URL (if present)
+    if (registrar.getUrl() != null) {
+      Link.Builder registrarLinkBuilder =
+          Link.builder().setHref(registrar.getUrl()).setRel("about").setType("text/html");
+      registrar.getRdapBaseUrls().stream().findFirst().ifPresent(registrarLinkBuilder::setValue);
+      builder.linksBuilder().add(registrarLinkBuilder.build());
+    }
+
     // There's no mention of the registrar STATUS in the RDAP Response Profile, so we'll only add it
     // for FULL response
     // We could probably not add it at all, but it could be useful for us internally
@@ -723,42 +561,40 @@ public class RdapJsonFormatter {
 
     builder.setVcardArray(vcardBuilder.build());
 
-    // Registrar contacts are a bit complicated.
+    // Registrar POCs are a bit complicated.
     //
-    // Rdap Response Profile 3.2, we SHOULD have at least ADMIN and TECH contacts. It says
+    // Rdap Response Profile 3.2, we SHOULD have at least ADMIN and TECH POCs. It says
     // nothing about ABUSE at all.
     //
-    // Rdap Response Profile 4.3 doesn't mention contacts at all, meaning probably we don't have to
-    // have any contacts there. But the Registrar itself is Optional in that case, so we will just
+    // Rdap Response Profile 4.3 doesn't mention POCs at all, meaning probably we don't have to
+    // have any POCs there. But the Registrar itself is Optional in that case, so we will just
     // skip it completely.
     //
     // Rdap Response Profile 2.4.5 says the Registrar inside a Domain response MUST include the
-    // ABUSE contact, but doesn't require any other contact.
+    // ABUSE POC, but doesn't require any other POCs.
     //
     // Write the minimum, meaning only ABUSE for INTERNAL registrars, nothing for SUMMARY and
     // everything for FULL.
-    //
     if (outputDataType != OutputDataType.SUMMARY) {
-      ImmutableList<RdapContactEntity> registrarContacts =
-          registrar.getContacts().stream()
-              .map(RdapJsonFormatter::makeRdapJsonForRegistrarContact)
+      ImmutableList<RdapRegistrarPocEntity> registrarPocs =
+          registrar.getPocsFromReplica().stream()
+              .map(RdapJsonFormatter::makeRdapJsonForRegistrarPoc)
               .filter(Optional::isPresent)
               .map(Optional::get)
               .filter(
-                  contact ->
+                  poc ->
                       outputDataType == OutputDataType.FULL
-                          || contact.roles().contains(RdapEntity.Role.ABUSE))
+                          || poc.roles().contains(RdapEntity.Role.ABUSE))
               .collect(toImmutableList());
-      if (registrarContacts.stream()
-          .noneMatch(contact -> contact.roles().contains(RdapEntity.Role.ABUSE))) {
+      if (registrarPocs.stream().noneMatch(poc -> poc.roles().contains(RdapEntity.Role.ABUSE))) {
         logger.atWarning().log(
-            "Registrar '%s' (IANA ID %s) is missing ABUSE contact.",
+            "Registrar '%s' (IANA ID %s) is missing ABUSE POC.",
             registrar.getRegistrarId(), registrar.getIanaIdentifier());
       }
-      builder.entitiesBuilder().addAll(registrarContacts);
+      builder.entitiesBuilder().addAll(registrarPocs);
     }
 
-    // Rdap Response Profile 3.3, must have "last update of RDAP database" response. But this is
+    // Rdap Response Profile 1.5, must have "last update of RDAP database" response. But this is
     // only for direct query responses and not for internal objects.
     if (outputDataType != OutputDataType.INTERNAL) {
       builder.setLastUpdateOfRdapDatabaseEvent(
@@ -773,7 +609,7 @@ public class RdapJsonFormatter {
   /**
    * Creates a JSON object for a {@link RegistrarPoc}.
    *
-   * <p>Returns empty if this contact shouldn't be visible (doesn't have a role).
+   * <p>Returns empty if this POC shouldn't be visible (doesn't have a role).
    *
    * <p>NOTE that registrar locations in the response require different roles and different VCard
    * members according to the spec. Currently, this function returns all the rolls and all the
@@ -783,19 +619,18 @@ public class RdapJsonFormatter {
    * <p>Specifically:
    * <li>Registrar inside a Domain only requires the ABUSE role, and only the TEL and EMAIL members
    *     (RDAP Response Profile 2.4.5)
-   * <li>Registrar responses to direct query don't require any contact, but *should* have the TECH
-   *     and ADMIN roles, but require the FN, TEL and EMAIL members
-   * <li>Registrar inside a Nameserver isn't required at all, and if given doesn't require any
-   *     contacts
+   * <li>Registrar responses to direct query don't require any POCs, but *should* have the TECH and
+   *     ADMIN roles, but require the FN, TEL and EMAIL members
+   * <li>Registrar inside a Nameserver isn't required at all, and if given doesn't require any POCs
    *
-   * @param registrarPoc the registrar contact for which the JSON object should be created
+   * @param registrarPoc the registrar POC for which the JSON object should be created
    */
-  static Optional<RdapContactEntity> makeRdapJsonForRegistrarContact(RegistrarPoc registrarPoc) {
+  static Optional<RdapRegistrarPocEntity> makeRdapJsonForRegistrarPoc(RegistrarPoc registrarPoc) {
     ImmutableList<RdapEntity.Role> roles = makeRdapRoleList(registrarPoc);
     if (roles.isEmpty()) {
       return Optional.empty();
     }
-    RdapContactEntity.Builder builder = RdapContactEntity.builder();
+    RdapRegistrarPocEntity.Builder builder = RdapRegistrarPocEntity.builder();
     builder.statusBuilder().addAll(STATUS_LIST_ACTIVE);
     builder.rolesBuilder().addAll(roles);
     // Create the vCard.
@@ -822,20 +657,10 @@ public class RdapJsonFormatter {
     return Optional.of(builder.build());
   }
 
-  /** Converts a domain registry contact type into a role as defined by RFC 9083. */
-  private static RdapEntity.Role convertContactTypeToRdapRole(DesignatedContact.Type contactType) {
-    return switch (contactType) {
-      case REGISTRANT -> RdapEntity.Role.REGISTRANT;
-      case TECH -> RdapEntity.Role.TECH;
-      case BILLING -> RdapEntity.Role.BILLING;
-      case ADMIN -> RdapEntity.Role.ADMIN;
-    };
-  }
-
   /**
-   * Creates the list of RDAP roles for a registrar contact, using the visibleInWhoisAs* flags.
+   * Creates the list of RDAP roles for a registrar POC, using the visibleInWhoisAs* flags.
    *
-   * <p>Only contacts with a non-empty role list should be visible.
+   * <p>Only POCs with a non-empty role list should be visible.
    *
    * <p>The RDAP response profile only mandates the "abuse" entity:
    *
@@ -860,8 +685,18 @@ public class RdapJsonFormatter {
   }
 
   @VisibleForTesting
-  ImmutableMap<EventAction, HistoryEntry> getLastHistoryEntryByType(EppResource resource) {
-    HashMap<EventAction, HistoryEntry> lastEntryOfType = Maps.newHashMap();
+  static ImmutableMap<EventAction, HistoryTimeAndRegistrar> getLastHistoryByType(
+      EppResource eppResource) {
+    if (eppResource instanceof Domain) {
+      return DOMAIN_HISTORIES_BY_REPO_ID.get(eppResource.getRepoId());
+    }
+    return getLastHistoryByType(eppResource.getRepoId(), eppResource.getClass());
+  }
+
+  private static ImmutableMap<EventAction, HistoryTimeAndRegistrar> getLastHistoryByType(
+      String repoId, Class<? extends EppResource> resourceType) {
+    ImmutableMap.Builder<EventAction, HistoryTimeAndRegistrar> lastEntryOfType =
+        new ImmutableMap.Builder<>();
     // Events (such as transfer, but also create) can appear multiple times. We only want the last
     // time they appeared.
     //
@@ -873,49 +708,48 @@ public class RdapJsonFormatter {
     // 2.3.2.3 An event of *eventAction* type *transfer*, with the last date and time that the
     // domain was transferred. The event of *eventAction* type *transfer* MUST be omitted if the
     // domain name has not been transferred since it was created.
-    VKey<? extends EppResource> resourceVkey = resource.createVKey();
-    Class<? extends HistoryEntry> historyClass =
-        HistoryEntryDao.getHistoryClassFromParent(resourceVkey.getKind());
-    String entityName = historyClass.getAnnotation(Entity.class).name();
-    if (Strings.isNullOrEmpty(entityName)) {
-      entityName = historyClass.getSimpleName();
-    }
+    String entityName = HistoryEntryDao.getHistoryClassFromParent(resourceType).getSimpleName();
     String jpql =
         GET_LAST_HISTORY_BY_TYPE_JPQL_TEMPLATE
             .replace("%entityName%", entityName)
-            .replace("%repoIdValue%", resourceVkey.getKey().toString());
-    Iterable<HistoryEntry> historyEntries =
-        replicaTm()
-            .transact(
-                () ->
-                    replicaTm()
-                        .getEntityManager()
-                        .createQuery(jpql, HistoryEntry.class)
-                        .getResultList());
-    for (HistoryEntry historyEntry : historyEntries) {
-      EventAction rdapEventAction =
-          HISTORY_ENTRY_TYPE_TO_RDAP_EVENT_ACTION_MAP.get(historyEntry.getType());
-      // Only save the historyEntries if this is a type we care about.
-      if (rdapEventAction == null) {
-        continue;
-      }
-      lastEntryOfType.put(rdapEventAction, historyEntry);
-    }
-    return ImmutableMap.copyOf(lastEntryOfType);
+            .replace("%repoIdValue%", repoId);
+    replicaTm()
+        .transact(
+            () ->
+                replicaTm()
+                    .getEntityManager()
+                    .createQuery(jpql, HistoryEntry.class)
+                    .getResultStream()
+                    .forEach(
+                        historyEntry -> {
+                          EventAction rdapEventAction =
+                              HISTORY_ENTRY_TYPE_TO_RDAP_EVENT_ACTION_MAP.get(
+                                  historyEntry.getType());
+                          // Only save the entries if this is a type we care about.
+                          if (rdapEventAction != null) {
+                            lastEntryOfType.put(
+                                rdapEventAction,
+                                new HistoryTimeAndRegistrar(
+                                    historyEntry.getModificationTime(),
+                                    historyEntry.getRegistrarId()));
+                          }
+                        }));
+    return lastEntryOfType.buildKeepingLast();
   }
 
   /**
-   * Creates the list of optional events to list in domain, nameserver, or contact replies.
+   * Creates the list of optional events to list in domain or nameserver replies.
    *
    * <p>Only has entries for optional events that won't be shown in "SUMMARY" versions of these
-   * objects. These are either stated as optional in the RDAP Response Profile 15feb19, or not
-   * mentioned at all but thought to be useful anyway.
+   * objects. These are either stated as optional in the RDAP Response Profile, or not mentioned at
+   * all but thought to be useful anyway.
    *
    * <p>Any required event should be added elsewhere, preferably without using HistoryEntries (so
    * that we don't need to load HistoryEntries for "summary" responses).
    */
   private ImmutableList<Event> makeOptionalEvents(EppResource resource) {
-    ImmutableMap<EventAction, HistoryEntry> lastEntryOfType = getLastHistoryEntryByType(resource);
+    ImmutableMap<EventAction, HistoryTimeAndRegistrar> lastHistoryOfType =
+        getLastHistoryByType(resource);
     ImmutableList.Builder<Event> eventsBuilder = new ImmutableList.Builder<>();
     DateTime creationTime = resource.getCreationTime();
     DateTime lastChangeTime =
@@ -923,12 +757,12 @@ public class RdapJsonFormatter {
     // The order of the elements is stable - it's the order in which the enum elements are defined
     // in EventAction
     for (EventAction rdapEventAction : EventAction.values()) {
-      HistoryEntry historyEntry = lastEntryOfType.get(rdapEventAction);
+      HistoryTimeAndRegistrar historyTimeAndRegistrar = lastHistoryOfType.get(rdapEventAction);
       // Check if there was any entry of this type
-      if (historyEntry == null) {
+      if (historyTimeAndRegistrar == null) {
         continue;
       }
-      DateTime modificationTime = historyEntry.getModificationTime();
+      DateTime modificationTime = historyTimeAndRegistrar.modificationTime();
       // We will ignore all events that happened before the "creation time", since these events are
       // from a "previous incarnation of the domain" (for a domain that was owned by someone,
       // deleted, and then bought by someone else)
@@ -938,7 +772,7 @@ public class RdapJsonFormatter {
       eventsBuilder.add(
           Event.builder()
               .setEventAction(rdapEventAction)
-              .setEventActor(historyEntry.getRegistrarId())
+              .setEventActor(historyTimeAndRegistrar.registrarId())
               .setEventDate(modificationTime)
               .build());
       // The last change time might not be the lastEppUpdateTime, since some changes happen without
@@ -947,29 +781,24 @@ public class RdapJsonFormatter {
         lastChangeTime = modificationTime;
       }
     }
-    // RDAP Response Profile 15feb19 section 2.3.2.2:
+    // RDAP Response Profile section 2.3.2.2:
     // The event of eventAction type last changed MUST be omitted if the domain name has not been
     // updated since it was created
     if (lastChangeTime.isAfter(creationTime)) {
-      eventsBuilder.add(makeEvent(EventAction.LAST_CHANGED, null, lastChangeTime));
+      // Creates an RDAP event object as defined by RFC 9083
+      eventsBuilder.add(
+          Event.builder()
+              .setEventAction(EventAction.LAST_CHANGED)
+              .setEventDate(lastChangeTime)
+              .build());
     }
     return eventsBuilder.build();
   }
 
-  /** Creates an RDAP event object as defined by RFC 9083. */
-  private static Event makeEvent(
-      EventAction eventAction, @Nullable String eventActor, DateTime eventDate) {
-    Event.Builder builder = Event.builder().setEventAction(eventAction).setEventDate(eventDate);
-    if (eventActor != null) {
-      builder.setEventActor(eventActor);
-    }
-    return builder.build();
-  }
-
   /**
    * Creates a vCard address entry: array of strings specifying the components of the address.
    *
-   * <p>Rdap Response Profile 3.1.1: MUST contain the following fields: Street, City, Country Rdap
+   * <p>RDAP Response Profile 3.1.1: MUST contain the following fields: Street, City, Country Rdap
    * Response Profile 3.1.2: optional fields: State/Province, Postal Code, Fax Number
    *
    * @see <a href="https://tools.ietf.org/html/rfc7095">RFC 7095: jCard: The JSON Format for
@@ -1035,15 +864,6 @@ public class RdapJsonFormatter {
     return Vcard.create("tel", type, "uri", phoneNumber);
   }
 
-  /** Creates a phone string in URI format, as per the vCard spec. */
-  private static String makePhoneString(ContactPhoneNumber phoneNumber) {
-    String phoneString = String.format("tel:%s", phoneNumber.getPhoneNumber());
-    if (phoneNumber.getExtension() != null) {
-      phoneString = phoneString + ";ext=" + phoneNumber.getExtension();
-    }
-    return phoneString;
-  }
-
   /**
    * Creates a string array of status values.
    *

core/src/main/java/google/registry/rdap/RdapMetrics.java

@@ -133,16 +133,6 @@ public class RdapMetrics {
               LABEL_DESCRIPTORS_FOR_RETRIEVAL_COUNTS,
               FIBONACCI_FITTER);
 
-  @VisibleForTesting
-  static final EventMetric numberOfContactsRetrieved =
-      MetricRegistryImpl.getDefault()
-          .newEventMetric(
-              "/rdap/num_contacts_retrieved",
-              "Number of contacts retrieved",
-              "count",
-              LABEL_DESCRIPTORS_FOR_RETRIEVAL_COUNTS,
-              FIBONACCI_FITTER);
-
   @Inject
   public RdapMetrics() {}
 
@@ -191,15 +181,6 @@ public class RdapMetrics {
           getLabelStringForPrefixLength(rdapMetricInformation.prefixLength()),
           rdapMetricInformation.includeDeleted() ? "YES" : "NO");
     }
-    if (rdapMetricInformation.numContactsRetrieved().isPresent()) {
-      numberOfContactsRetrieved.record(
-          rdapMetricInformation.numContactsRetrieved().get(),
-          rdapMetricInformation.endpointType().toString(),
-          rdapMetricInformation.searchType().toString(),
-          rdapMetricInformation.wildcardType().toString(),
-          getLabelStringForPrefixLength(rdapMetricInformation.prefixLength()),
-          rdapMetricInformation.includeDeleted() ? "YES" : "NO");
-    }
   }
 
   /**
@@ -221,10 +202,8 @@ public class RdapMetrics {
    *     than were actually returned in the response; absent if a search was not performed.
    * @param numHostsRetrieved Number of hosts retrieved from the database; this might be more than
    *     were actually returned in the response; absent if a search was not performed.
-   * @param numContactsRetrieved Number of contacts retrieved from the database; this might be more
-   *     than were actually returned in the response; absent if a search was not performed.
    */
-  record RdapMetricInformation(
+  public record RdapMetricInformation(
       EndpointType endpointType,
       SearchType searchType,
       WildcardType wildcardType,
@@ -236,8 +215,7 @@ public class RdapMetrics {
       int statusCode,
       IncompletenessWarningType incompletenessWarningType,
       Optional<Long> numDomainsRetrieved,
-      Optional<Long> numHostsRetrieved,
-      Optional<Long> numContactsRetrieved) {
+      Optional<Long> numHostsRetrieved) {
 
     @AutoBuilder
     interface Builder {
@@ -265,8 +243,6 @@ public class RdapMetrics {
 
       Builder setNumHostsRetrieved(long numHostsRetrieved);
 
-      Builder setNumContactsRetrieved(long numContactRetrieved);
-
       RdapMetricInformation build();
     }
 

core/src/main/java/google/registry/rdap/RdapNameserverAction.java

@@ -15,7 +15,7 @@
 package google.registry.rdap;
 
 import static google.registry.flows.host.HostFlowUtils.validateHostName;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
@@ -33,7 +33,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 import java.util.Optional;
 
-/** RDAP (new WHOIS) action for nameserver requests. */
+/** RDAP action for nameserver requests. */
 @Action(
     service = GaeService.PUBAPI,
     path = "/rdap/nameserver/",
@@ -48,7 +48,7 @@ public class RdapNameserverAction extends RdapActionBase {
 
   @Override
   public RdapNameserver getJsonObjectForResource(String pathSearchString, boolean isHeadRequest) {
-    // RDAP Technical Implementation Guide 2.2.1 - we must support A-label (Punycode) and U-label
+    // RDAP Technical Implementation Guide 2.1.1 - we must support A-label (Punycode) and U-label
     // (Unicode) formats. canonicalizeName will transform Unicode to Punycode so we support both.
     pathSearchString = canonicalizeName(pathSearchString);
     // The RDAP syntax is /rdap/nameserver/ns1.mydomain.com.
@@ -63,7 +63,7 @@ public class RdapNameserverAction extends RdapActionBase {
     // If there are no undeleted nameservers with the given name, the foreign key should point to
     // the most recently deleted one.
     Optional<Host> host =
-        loadByForeignKeyCached(
+        loadByForeignKeyByCache(
             Host.class,
             pathSearchString,
             shouldIncludeDeleted() ? START_OF_TIME : getRequestTime());

core/src/main/java/google/registry/rdap/RdapNameserverSearchAction.java

@@ -14,7 +14,7 @@
 
 package google.registry.rdap;
 
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
@@ -47,9 +47,9 @@ import java.util.List;
 import java.util.Optional;
 
 /**
- * RDAP (new WHOIS) action for nameserver search requests.
+ * RDAP action for nameserver search requests.
  *
- * <p>All commands and responses conform to the RDAP spec as defined in RFCs 7480 through 7485.
+ * <p>All commands and responses conform to the RDAP spec as defined in STD 95 and its RFCs.
  *
  * @see <a href="http://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
@@ -159,7 +159,8 @@ public class RdapNameserverSearchAction extends RdapSearchActionBase {
             .setIncompletenessWarningType(IncompletenessWarningType.COMPLETE);
 
     Optional<Host> host =
-        loadByForeignKeyCached(Host.class, partialStringQuery.getInitialString(), getRequestTime());
+        loadByForeignKeyByCache(
+            Host.class, partialStringQuery.getInitialString(), getRequestTime());
 
     metricInformationBuilder.setNumHostsRetrieved(host.isPresent() ? 1 : 0);
 
@@ -175,7 +176,7 @@ public class RdapNameserverSearchAction extends RdapSearchActionBase {
   private NameserverSearchResponse searchByNameUsingSuperordinateDomain(
       RdapSearchPattern partialStringQuery) {
     Optional<Domain> domain =
-        loadByForeignKeyCached(Domain.class, partialStringQuery.getSuffix(), getRequestTime());
+        loadByForeignKeyByCache(Domain.class, partialStringQuery.getSuffix(), getRequestTime());
     if (domain.isEmpty()) {
       // Don't allow wildcards with suffixes which are not domains we manage. That would risk a
       // table scan in many easily foreseeable cases. The user might ask for ns*.zombo.com,
@@ -193,7 +194,7 @@ public class RdapNameserverSearchAction extends RdapSearchActionBase {
       // We can't just check that the host name starts with the initial query string, because
       // then the query ns.exam*.example.com would match against nameserver ns.example.com.
       if (partialStringQuery.matches(fqhn)) {
-        Optional<Host> host = loadByForeignKeyCached(Host.class, fqhn, getRequestTime());
+        Optional<Host> host = loadByForeignKeyByCache(Host.class, fqhn, getRequestTime());
         if (shouldBeVisible(host)) {
           hostList.add(host.get());
           if (hostList.size() > rdapResultSetMaxSize) {

core/src/main/java/google/registry/rdap/RdapObjectClasses.java

@@ -45,11 +45,7 @@ import java.util.Optional;
 /** Object Classes defined in RFC 9083 section 5. */
 final class RdapObjectClasses {
 
-  /**
-   * Temporary implementation of VCards.
-   *
-   * <p>Will create a better implementation soon.
-   */
+  /** Rough implementation of VCards. */
   @RestrictJsonNames({})
   @AutoValue
   public abstract static class Vcard implements Jsonable {
@@ -140,8 +136,8 @@ final class RdapObjectClasses {
   public enum BoilerplateType {
     DOMAIN(RdapIcannStandardInformation.DOMAIN_BOILERPLATE_NOTICES),
     DOMAIN_BLOCKED_BY_BSA(RdapIcannStandardInformation.DOMAIN_BLOCKED_BY_BSA_BOILERPLATE_NOTICES),
-    NAMESERVER(RdapIcannStandardInformation.NAMESERVER_AND_ENTITY_BOILERPLATE_NOTICES),
-    ENTITY(RdapIcannStandardInformation.NAMESERVER_AND_ENTITY_BOILERPLATE_NOTICES),
+    NAMESERVER(ImmutableList.of()),
+    ENTITY(ImmutableList.of()),
     OTHER(ImmutableList.of());
 
     @SuppressWarnings("ImmutableEnumChecker") // immutable lists are, in fact, immutable
@@ -173,8 +169,8 @@ final class RdapObjectClasses {
    * The Top Level JSON reply, Adds the required top-level boilerplate to a ReplyPayloadBase.
    *
    * <p>RFC 9083 specifies that the top-level object should include an entry indicating the
-   * conformance level. ICANN RDAP spec for 15feb19 mandates several additional entries, in sections
-   * 2.6.3, 2.11 of the Response Profile and 3.3, 3.5, of the Technical Implementation Guide.
+   * conformance level. The RDAP spec mandates several additional entries, in sections 2.6.3, 2.10
+   * of the Response Profile and 3.3, 3.5, of the Technical Implementation Guide.
    */
   @AutoValue
   @RestrictJsonNames({})
@@ -257,8 +253,8 @@ final class RdapObjectClasses {
   /**
    * The Entity Object Class defined in 5.1 of RFC 9083.
    *
-   * <p>Entities are used both for Contacts and for Registrars. We will create different subobjects
-   * for each one for type safety.
+   * <p>Entities are used both for Registrar POCs and for Registrars. We will create different
+   * subobjects for each one for type safety.
    *
    * <p>We're missing the "autnums" and "networks" fields
    */
@@ -313,8 +309,8 @@ final class RdapObjectClasses {
   /**
    * Registrar version of the Entity Object Class defined in 5.1 of RFC 9083.
    *
-   * <p>Entities are used both for Contacts and for Registrars. We will create different subobjects
-   * for each one for type safety.
+   * <p>Entities are used both for Registrar POCs and for Registrars. We will create different
+   * subobjects for each one for type safety.
    */
   @AutoValue
   public abstract static class RdapRegistrarEntity extends RdapEntity {
@@ -330,21 +326,21 @@ final class RdapObjectClasses {
   }
 
   /**
-   * Contact version of the Entity Object Class defined in 5.1 of RFC 9083.
+   * RegistrarPoc version of the Entity Object Class defined in 5.1 of RFC 9083.
    *
-   * <p>Entities are used both for Contacts and for Registrars. We will create different subobjects
-   * for each one for type safety.
+   * <p>Entities are used both for Registrar POCs and for Registrars. We will create different
+   * subobjects for each one for type safety.
    */
   @AutoValue
-  public abstract static class RdapContactEntity extends RdapEntity {
+  public abstract static class RdapRegistrarPocEntity extends RdapEntity {
 
     static Builder builder() {
-      return new AutoValue_RdapObjectClasses_RdapContactEntity.Builder();
+      return new AutoValue_RdapObjectClasses_RdapRegistrarPocEntity.Builder();
     }
 
     @AutoValue.Builder
     abstract static class Builder extends RdapEntity.Builder<Builder> {
-      abstract RdapContactEntity build();
+      abstract RdapRegistrarPocEntity build();
     }
   }
 
@@ -353,7 +349,7 @@ final class RdapObjectClasses {
    *
    * <p>Takes care of the name and unicode field.
    *
-   * <p>See RDAP Response Profile 15feb19 sections 2.1 and 4.1.
+   * <p>See RDAP Response Profile sections 2.1 and 4.1.
    *
    * <p>Note the ldhName field is only required for non-IDN names or IDN names when the query was an
    * A-label. It is optional for IDN names when the query was a U-label. Because we don't want to
@@ -471,7 +467,7 @@ final class RdapObjectClasses {
     }
 
     /**
-     * an integer representing the signature lifetime in seconds to be used when creating the RRSIG
+     * An integer representing the signature lifetime in seconds to be used when creating the RRSIG
      * DS record in the parent zone [RFC5910].
      *
      * <p>Note that although it isn't given as optional in RFC 9083, in RFC5910 it's mentioned as

core/src/main/java/google/registry/rdap/RdapSearchActionBase.java

@@ -31,7 +31,6 @@ import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.HttpException.UnprocessableEntityException;
 import google.registry.request.Parameter;
 import google.registry.request.ParameterMap;
-import google.registry.request.RequestUrl;
 import jakarta.inject.Inject;
 import jakarta.persistence.criteria.CriteriaBuilder;
 import java.io.UnsupportedEncodingException;
@@ -45,7 +44,7 @@ import java.util.Objects;
 import java.util.Optional;
 
 /**
- * Base RDAP (new WHOIS) action for domain, nameserver and entity search requests.
+ * Base RDAP action for domain, nameserver and entity search requests.
  *
  * @see <a href="https://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
@@ -54,7 +53,6 @@ public abstract class RdapSearchActionBase extends RdapActionBase {
 
   private static final int RESULT_SET_SIZE_SCALING_FACTOR = 30;
 
-  @Inject @RequestUrl String requestUrl;
   @Inject @ParameterMap ImmutableListMultimap<String, String> parameterMap;
   @Inject @Parameter("cursor") Optional<String> cursorTokenParam;
   @Inject @Parameter("registrar") Optional<String> registrarParam;
@@ -157,7 +155,6 @@ public abstract class RdapSearchActionBase extends RdapActionBase {
    */
   <T extends EppResource> RdapResultSet<T> getMatchingResources(
       CriteriaQueryBuilder<T> builder, boolean checkForVisibility, int querySizeLimit) {
-    replicaTm().assertInTransaction();
     Optional<String> desiredRegistrar = getDesiredRegistrar();
     if (desiredRegistrar.isPresent()) {
       builder =