Remove nested transaction from requestDnsRefresh (#2044 )

* Remove nested transaction from requestDnsRefresh * Add a bulk version * Remove transaction time as field * Only add delay once * have PublishDnsUpdatesAction use bulk refresh
Add breakglass_mode to Tld table (#2046 )
2026-02-02 11:02:23 +00:00 · 2023-06-07 16:00:50 -04:00 · 2023-06-06 16:13:08 -04:00 · 2023-06-05 16:48:30 -04:00 · 2023-06-02 15:32:18 -04:00 · 2023-05-31 16:34:57 -04:00
243 changed files with 9397 additions and 10033 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -103,7 +103,7 @@ nomulus.iws
 .gradle/
 **/build
 cloudbuild-caches/
-node_modules/**
+**/node_modules/**
 /repos/

 # Compiled JS/CSS code
--- a/appengine_war.gradle
+++ b/appengine_war.gradle
@@ -103,7 +103,7 @@ explodeWar.doLast {
    file("${it.explodedAppDirectory}/WEB-INF/lib/tools.jar").setWritable(true)
 }

-appengineDeployAll.finalizedBy ':cloudSchedulerDeployer'
+appengineDeployAll.finalizedBy ':deployCloudSchedulerAndQueue'
 rootProject.deploy.dependsOn appengineDeployAll
 rootProject.stage.dependsOn appengineStage
 tasks['war'].dependsOn ':console-webapp:buildConsoleWebappProd'
--- a/build.gradle
+++ b/build.gradle
@@ -558,17 +558,23 @@ task coreDev {

 javadocDependentTasks.each { tasks.javadoc.dependsOn(it) }

-// Runs the script, which deploys cloud scheduler tasks based on the config
-task cloudSchedulerDeployer {
+// Runs the script, which deploys cloud scheduler and tasks based on the config
+task deployCloudSchedulerAndQueue {
  doLast {
    def env = environment
    if (!prodOrSandboxEnv) {
      exec {
        commandLine 'go', 'run',
-                "${rootDir}/release/builder/cloudSchedulerDeployer.go",
+                "${rootDir}/release/builder/deployCloudSchedulerAndQueue.go",
                "${rootDir}/core/src/main/java/google/registry/env/${env}/default/WEB-INF/cloud-scheduler-tasks.xml",
                "domain-registry-${env}"
      }
+      exec {
+        commandLine 'go', 'run',
+                "${rootDir}/release/builder/deployCloudSchedulerAndQueue.go",
+                "${rootDir}/core/src/main/java/google/registry/env/common/default/WEB-INF/cloud-tasks-queue.xml",
+                "domain-registry-${env}"
+      }
    }
  }
 }
--- a/buildSrc/gradle.lockfile
+++ b/buildSrc/gradle.lockfile
@@ -4,31 +4,31 @@
 antlr:antlr:2.7.7=checkstyle
 aopalliance:aopalliance:1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 args4j:args4j:2.0.23=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-core:2.14.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson:jackson-bom:2.14.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.14.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson:jackson-bom:2.14.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.ben-manes.caffeine:caffeine:2.7.0=annotationProcessor,testAnnotationProcessor
 com.github.kevinstern:software-and-algorithms:1.0=annotationProcessor,testAnnotationProcessor
 com.google.android:annotations:4.1.1.4=testRuntimeClasspath
-com.google.api-client:google-api-client:2.1.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:gapic-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.13.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.8.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:api-common:2.5.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-grpc:2.22.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:0.107.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax:2.22.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-storage:v1-rev20220705-2.0.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-credentials:1.14.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-oauth2-http:1.14.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api-client:google-api-client:2.2.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.18.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.13.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:api-common:2.10.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.27.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-httpjson:0.112.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.27.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-storage:v1-rev20230301-2.0.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-credentials:1.16.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-oauth2-http:1.16.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.value:auto-value-annotations:1.10.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.value:auto-value:1.10.1=annotationProcessor,compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.value:auto-value:1.10.1=annotationProcessor
 com.google.auto:auto-common:0.10=annotationProcessor,testAnnotationProcessor
-com.google.cloud:google-cloud-core-grpc:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-http:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.9.4=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.17.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.17.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.22.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,testAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.code.gson:gson:2.10.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
@@ -45,11 +45,11 @@ com.google.guava:guava:27.0.1-jre=annotationProcessor,testAnnotationProcessor
 com.google.guava:guava:29.0-jre=checkstyle
 com.google.guava:guava:31.1-jre=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-apache-v2:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-appengine:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-gson:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-jackson2:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client:1.42.3=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-apache-v2:1.43.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-appengine:1.43.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-gson:1.43.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-jackson2:1.43.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client:1.43.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject.extensions:guice-multibindings:4.1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:4.1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.j2objc:j2objc-annotations:1.1=annotationProcessor,testAnnotationProcessor
@@ -71,19 +71,20 @@ commons-codec:commons-codec:1.15=compileClasspath,testCompileClasspath,testRunti
 commons-collections:commons-collections:3.2.2=checkstyle
 commons-logging:commons-logging:1.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 info.picocli:picocli:4.5.2=checkstyle
-io.grpc:grpc-alts:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-api:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-context:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.52.1=testRuntimeClasspath
-io.grpc:grpc-googleapis:1.52.1=testRuntimeClasspath
-io.grpc:grpc-grpclb:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty-shaded:1.52.1=testRuntimeClasspath
-io.grpc:grpc-protobuf-lite:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-services:1.52.1=testRuntimeClasspath
-io.grpc:grpc-stub:1.52.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-xds:1.52.1=testRuntimeClasspath
+io.grpc:grpc-alts:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.54.0=testRuntimeClasspath
+io.grpc:grpc-googleapis:1.54.0=testRuntimeClasspath
+io.grpc:grpc-grpclb:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.54.0=testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-rls:1.54.0=testRuntimeClasspath
+io.grpc:grpc-services:1.54.0=testRuntimeClasspath
+io.grpc:grpc-stub:1.54.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-xds:1.54.0=testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-http-util:0.31.1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-proto:0.2.0=testRuntimeClasspath
@@ -92,22 +93,22 @@ javax.annotation:javax.annotation-api:1.3.2=compileClasspath,testCompileClasspat
 javax.annotation:jsr250-api:1.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 javax.inject:javax.inject:1=compileClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.12.22=testCompileClasspath,testRuntimeClasspath
-net.bytebuddy:byte-buddy:1.12.22=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.14.4=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.14.4=testCompileClasspath,testRuntimeClasspath
 net.sf.saxon:Saxon-HE:10.3=checkstyle
 org.antlr:antlr4-runtime:4.8-1=checkstyle
 org.apache.commons:commons-lang3:3.12.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.10.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents:httpclient:4.5.13=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents:httpcore:4.4.15=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents:httpcore:4.4.16=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
 org.checkerframework:checker-qual:2.11.1=checkstyle
 org.checkerframework:checker-qual:3.0.0=annotationProcessor,testAnnotationProcessor
-org.checkerframework:checker-qual:3.29.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.32.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.checkerframework:dataflow:3.0.0=annotationProcessor,testAnnotationProcessor
 org.checkerframework:javacutil:3.0.0=annotationProcessor,testAnnotationProcessor
 org.codehaus.mojo:animal-sniffer-annotations:1.17=annotationProcessor,testAnnotationProcessor
-org.codehaus.mojo:animal-sniffer-annotations:1.22=testRuntimeClasspath
+org.codehaus.mojo:animal-sniffer-annotations:1.23=testRuntimeClasspath
 org.conscrypt:conscrypt-openjdk-uber:2.5.2=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.hamcrest:hamcrest-core:1.3=testCompileClasspath,testRuntimeClasspath
 org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
@@ -116,12 +117,12 @@ org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
 org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
 org.json:json:20160212=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-api:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-core:5.0.0=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.3.1=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:3.3=testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:7.0=compileClasspath,testCompileClasspath,testRuntimeClasspath
@@ -138,5 +139,5 @@ org.plumelib:plume-util:1.0.6=annotationProcessor,testAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,testAnnotationProcessor
 org.plumelib:require-javadoc:0.1.0=annotationProcessor,testAnnotationProcessor
 org.reflections:reflections:0.9.12=checkstyle
-org.threeten:threetenbp:1.6.5=compileClasspath,testCompileClasspath,testRuntimeClasspath
+org.threeten:threetenbp:1.6.8=compileClasspath,testCompileClasspath,testRuntimeClasspath
 empty=
--- a/common/gradle.lockfile
+++ b/common/gradle.lockfile
@@ -32,7 +32,7 @@ commons-collections:commons-collections:3.2.2=checkstyle
 info.picocli:picocli:4.5.2=checkstyle
 io.github.java-diff-utils:java-diff-utils:4.12=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 javax.inject:javax.inject:1=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
-joda-time:joda-time:2.12.2=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
+joda-time:joda-time:2.12.5=compileClasspath,default,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 junit:junit:4.13.2=default,testCompileClasspath,testRuntimeClasspath,testing,testingCompileClasspath
 net.sf.saxon:Saxon-HE:10.3=checkstyle
 org.antlr:antlr4-runtime:4.8-1=checkstyle
@@ -50,11 +50,11 @@ org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
 org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
 org.jacoco:org.jacoco.report:0.8.7=jacocoAnt
 org.javassist:javassist:3.26.0-GA=checkstyle
-org.junit.jupiter:junit-jupiter-api:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:9.1=jacocoAnt
 org.ow2.asm:asm-commons:9.1=jacocoAnt
--- a/config/presubmits.py
+++ b/config/presubmits.py
@@ -25,7 +25,7 @@ import textwrap
 import re

 # We should never analyze any generated files
-UNIVERSALLY_SKIPPED_PATTERNS = {"/build/", "cloudbuild-caches", "/out/", ".git/", ".gradle/", "/dist/", "karma.conf.js", "polyfills.ts", "test.ts"}
+UNIVERSALLY_SKIPPED_PATTERNS = {"/build/", "cloudbuild-caches", "/out/", ".git/", ".gradle/", "/dist/", "karma.conf.js", "polyfills.ts", "test.ts", "/docs/console-endpoints/"}
 # We can't rely on CI to have the Enum package installed so we do this instead.
 FORBIDDEN = 1
 REQUIRED = 2
--- a/console-webapp/package-lock.json
+++ b/console-webapp/package-lock.json
@@ -3898,10 +3898,13 @@
      "dev": true
    },
    "node_modules/@types/cors": {
-      "version": "2.8.12",
-      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.12.tgz",
-      "integrity": "sha512-vt+kDhq/M2ayberEtJcIN/hxXy1Pk+59g2FV/ZQceeaTyCtCucjL2Q7FXlFjtWn4n15KCr1NE2lNNFhp0lEThw==",
-      "dev": true
+      "version": "2.8.13",
+      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.13.tgz",
+      "integrity": "sha512-RG8AStHlUiV5ysZQKq97copd2UmVYw3/pRMLefISZ3S1hK104Cwm7iLQ3fTKx+lsUH2CE8FlLaYeEA2LSeqYUA==",
+      "dev": true,
+      "dependencies": {
+        "@types/node": "*"
+      }
    },
    "node_modules/@types/eslint": {
      "version": "8.4.6",
@@ -5907,9 +5910,9 @@
      }
    },
    "node_modules/engine.io": {
-      "version": "6.2.1",
-      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.2.1.tgz",
-      "integrity": "sha512-ECceEFcAaNRybd3lsGQKas3ZlMVjN3cyWwMP25D2i0zWfyiytVbTpRPa34qrr+FHddtpBVOmq4H/DCv1O0lZRA==",
+      "version": "6.4.2",
+      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.4.2.tgz",
+      "integrity": "sha512-FKn/3oMiJjrOEOeUub2WCox6JhxBXq/Zn3fZOMCBxKnNYtsdKjxhl7yR3fZhM9PV+rdE75SU5SYMc+2PGzo+Tg==",
      "dev": true,
      "dependencies": {
        "@types/cookie": "^0.4.1",
@@ -5921,16 +5924,16 @@
        "cors": "~2.8.5",
        "debug": "~4.3.1",
        "engine.io-parser": "~5.0.3",
-        "ws": "~8.2.3"
+        "ws": "~8.11.0"
      },
      "engines": {
        "node": ">=10.0.0"
      }
    },
    "node_modules/engine.io-parser": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.0.4.tgz",
-      "integrity": "sha512-+nVFp+5z1E3HcToEnO7ZIj3g+3k9389DvWtvJZz0T6/eOCPIyyxehFcedoYrZQrp0LgQbD9pPXhpMBKMd5QURg==",
+      "version": "5.0.6",
+      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.0.6.tgz",
+      "integrity": "sha512-tjuoZDMAdEhVnSFleYPCtdL2GXwVTGtNjoeJd9IhIG3C1xs9uwxqRNEu5WpnDZCaozwVlK/nuQhpodhXSIMaxw==",
      "dev": true,
      "engines": {
        "node": ">=10.0.0"
@@ -10880,32 +10883,35 @@
      }
    },
    "node_modules/socket.io": {
-      "version": "4.5.2",
-      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.5.2.tgz",
-      "integrity": "sha512-6fCnk4ARMPZN448+SQcnn1u8OHUC72puJcNtSgg2xS34Cu7br1gQ09YKkO1PFfDn/wyUE9ZgMAwosJed003+NQ==",
+      "version": "4.6.1",
+      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.6.1.tgz",
+      "integrity": "sha512-KMcaAi4l/8+xEjkRICl6ak8ySoxsYG+gG6/XfRCPJPQ/haCRIJBTL4wIl8YCsmtaBovcAXGLOShyVWQ/FG8GZA==",
      "dev": true,
      "dependencies": {
        "accepts": "~1.3.4",
        "base64id": "~2.0.0",
        "debug": "~4.3.2",
-        "engine.io": "~6.2.0",
-        "socket.io-adapter": "~2.4.0",
-        "socket.io-parser": "~4.2.0"
+        "engine.io": "~6.4.1",
+        "socket.io-adapter": "~2.5.2",
+        "socket.io-parser": "~4.2.1"
      },
      "engines": {
        "node": ">=10.0.0"
      }
    },
    "node_modules/socket.io-adapter": {
-      "version": "2.4.0",
-      "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.4.0.tgz",
-      "integrity": "sha512-W4N+o69rkMEGVuk2D/cvca3uYsvGlMwsySWV447y99gUPghxq42BxqLNMndb+a1mm/5/7NeXVQS7RLa2XyXvYg==",
-      "dev": true
+      "version": "2.5.2",
+      "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.5.2.tgz",
+      "integrity": "sha512-87C3LO/NOMc+eMcpcxUBebGjkpMDkNBS9tf7KJqcDsmL936EChtVva71Dw2q4tQcuVC+hAUy4an2NO/sYXmwRA==",
+      "dev": true,
+      "dependencies": {
+        "ws": "~8.11.0"
+      }
    },
    "node_modules/socket.io-parser": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.1.tgz",
-      "integrity": "sha512-V4GrkLy+HeF1F/en3SpUaM+7XxYXpuMUWLGde1kSSh5nQMN4hLrbPIkD+otwh6q9R6NOQBN4AMaOZ2zVjui82g==",
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.3.tgz",
+      "integrity": "sha512-JMafRntWVO2DCJimKsRTh/wnqVvO4hrfwOqtO7f+uzwsQMuxO6VwImtYxaQ+ieoyshWOTJyV0fA21lccEXRPpQ==",
      "dev": true,
      "dependencies": {
        "@socket.io/component-emitter": "~3.1.0",
@@ -12219,9 +12225,9 @@
      "dev": true
    },
    "node_modules/ws": {
-      "version": "8.2.3",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.2.3.tgz",
-      "integrity": "sha512-wBuoj1BDpC6ZQ1B7DWQBYVLphPWkm8i9Y0/3YdHjHKHiohOJ1ws+3OccDWtH+PoC9DZD5WOTrJvNbWvjS6JWaA==",
+      "version": "8.11.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.11.0.tgz",
+      "integrity": "sha512-HPG3wQd9sNQoT9xHyNCXoDUa+Xw/VevmY9FoHyQ+g+rrMn4j6FB4np7Z0OhdTgjx6MgQLK7jwSy1YecU1+4Asg==",
      "dev": true,
      "engines": {
        "node": ">=10.0.0"
@@ -15175,10 +15181,13 @@
      "dev": true
    },
    "@types/cors": {
-      "version": "2.8.12",
-      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.12.tgz",
-      "integrity": "sha512-vt+kDhq/M2ayberEtJcIN/hxXy1Pk+59g2FV/ZQceeaTyCtCucjL2Q7FXlFjtWn4n15KCr1NE2lNNFhp0lEThw==",
-      "dev": true
+      "version": "2.8.13",
+      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.13.tgz",
+      "integrity": "sha512-RG8AStHlUiV5ysZQKq97copd2UmVYw3/pRMLefISZ3S1hK104Cwm7iLQ3fTKx+lsUH2CE8FlLaYeEA2LSeqYUA==",
+      "dev": true,
+      "requires": {
+        "@types/node": "*"
+      }
    },
    "@types/eslint": {
      "version": "8.4.6",
@@ -16746,9 +16755,9 @@
      }
    },
    "engine.io": {
-      "version": "6.2.1",
-      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.2.1.tgz",
-      "integrity": "sha512-ECceEFcAaNRybd3lsGQKas3ZlMVjN3cyWwMP25D2i0zWfyiytVbTpRPa34qrr+FHddtpBVOmq4H/DCv1O0lZRA==",
+      "version": "6.4.2",
+      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.4.2.tgz",
+      "integrity": "sha512-FKn/3oMiJjrOEOeUub2WCox6JhxBXq/Zn3fZOMCBxKnNYtsdKjxhl7yR3fZhM9PV+rdE75SU5SYMc+2PGzo+Tg==",
      "dev": true,
      "requires": {
        "@types/cookie": "^0.4.1",
@@ -16760,13 +16769,13 @@
        "cors": "~2.8.5",
        "debug": "~4.3.1",
        "engine.io-parser": "~5.0.3",
-        "ws": "~8.2.3"
+        "ws": "~8.11.0"
      }
    },
    "engine.io-parser": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.0.4.tgz",
-      "integrity": "sha512-+nVFp+5z1E3HcToEnO7ZIj3g+3k9389DvWtvJZz0T6/eOCPIyyxehFcedoYrZQrp0LgQbD9pPXhpMBKMd5QURg==",
+      "version": "5.0.6",
+      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.0.6.tgz",
+      "integrity": "sha512-tjuoZDMAdEhVnSFleYPCtdL2GXwVTGtNjoeJd9IhIG3C1xs9uwxqRNEu5WpnDZCaozwVlK/nuQhpodhXSIMaxw==",
      "dev": true
    },
    "enhanced-resolve": {
@@ -20509,29 +20518,32 @@
      "dev": true
    },
    "socket.io": {
-      "version": "4.5.2",
-      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.5.2.tgz",
-      "integrity": "sha512-6fCnk4ARMPZN448+SQcnn1u8OHUC72puJcNtSgg2xS34Cu7br1gQ09YKkO1PFfDn/wyUE9ZgMAwosJed003+NQ==",
+      "version": "4.6.1",
+      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.6.1.tgz",
+      "integrity": "sha512-KMcaAi4l/8+xEjkRICl6ak8ySoxsYG+gG6/XfRCPJPQ/haCRIJBTL4wIl8YCsmtaBovcAXGLOShyVWQ/FG8GZA==",
      "dev": true,
      "requires": {
        "accepts": "~1.3.4",
        "base64id": "~2.0.0",
        "debug": "~4.3.2",
-        "engine.io": "~6.2.0",
-        "socket.io-adapter": "~2.4.0",
-        "socket.io-parser": "~4.2.0"
+        "engine.io": "~6.4.1",
+        "socket.io-adapter": "~2.5.2",
+        "socket.io-parser": "~4.2.1"
      }
    },
    "socket.io-adapter": {
-      "version": "2.4.0",
-      "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.4.0.tgz",
-      "integrity": "sha512-W4N+o69rkMEGVuk2D/cvca3uYsvGlMwsySWV447y99gUPghxq42BxqLNMndb+a1mm/5/7NeXVQS7RLa2XyXvYg==",
-      "dev": true
+      "version": "2.5.2",
+      "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.5.2.tgz",
+      "integrity": "sha512-87C3LO/NOMc+eMcpcxUBebGjkpMDkNBS9tf7KJqcDsmL936EChtVva71Dw2q4tQcuVC+hAUy4an2NO/sYXmwRA==",
+      "dev": true,
+      "requires": {
+        "ws": "~8.11.0"
+      }
    },
    "socket.io-parser": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.1.tgz",
-      "integrity": "sha512-V4GrkLy+HeF1F/en3SpUaM+7XxYXpuMUWLGde1kSSh5nQMN4hLrbPIkD+otwh6q9R6NOQBN4AMaOZ2zVjui82g==",
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.3.tgz",
+      "integrity": "sha512-JMafRntWVO2DCJimKsRTh/wnqVvO4hrfwOqtO7f+uzwsQMuxO6VwImtYxaQ+ieoyshWOTJyV0fA21lccEXRPpQ==",
      "dev": true,
      "requires": {
        "@socket.io/component-emitter": "~3.1.0",
@@ -21486,9 +21498,9 @@
      "dev": true
    },
    "ws": {
-      "version": "8.2.3",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.2.3.tgz",
-      "integrity": "sha512-wBuoj1BDpC6ZQ1B7DWQBYVLphPWkm8i9Y0/3YdHjHKHiohOJ1ws+3OccDWtH+PoC9DZD5WOTrJvNbWvjS6JWaA==",
+      "version": "8.11.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.11.0.tgz",
+      "integrity": "sha512-HPG3wQd9sNQoT9xHyNCXoDUa+Xw/VevmY9FoHyQ+g+rrMn4j6FB4np7Z0OhdTgjx6MgQLK7jwSy1YecU1+4Asg==",
      "dev": true,
      "requires": {}
    },
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -181,6 +181,7 @@ dependencies {
  implementation deps['com.google.apis:google-api-services-dataflow']
  implementation deps['com.google.apis:google-api-services-dns']
  implementation deps['com.google.apis:google-api-services-drive']
+  implementation deps['com.google.apis:google-api-services-gmail']
  implementation deps['com.google.apis:google-api-services-groupssettings']
  implementation deps['com.google.apis:google-api-services-monitoring']
  implementation deps['com.google.apis:google-api-services-sheets']
--- a/core/gradle.lockfile
+++ b/core/gradle.lockfile
@@ -8,20 +8,19 @@ args4j:args4j:2.0.26=css
 cglib:cglib-nodep:2.2=css
 com.101tec:zkclient:0.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.beust:jcommander:1.60=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-annotations:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-core:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.core:jackson-databind:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.dataformat:jackson-dataformat-toml:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.datatype:jackson-datatype-joda:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.fasterxml.jackson:jackson-bom:2.14.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-annotations:2.14.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.14.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-databind:2.14.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.14.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.datatype:jackson-datatype-joda:2.14.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.14.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.fasterxml.jackson:jackson-bom:2.14.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.fasterxml:classmate:1.5.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.ben-manes.caffeine:caffeine:2.7.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.github.ben-manes.caffeine:caffeine:2.9.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.docker-java:docker-java-api:3.2.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.docker-java:docker-java-transport-zerodep:3.2.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.docker-java:docker-java-transport:3.2.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.docker-java:docker-java-api:3.3.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.docker-java:docker-java-transport-zerodep:3.3.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.docker-java:docker-java-transport:3.3.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.jnr:jffi:1.3.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.jnr:jnr-a64asm:1.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.github.jnr:jnr-constants:0.10.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -37,114 +36,114 @@ com.google.api-client:google-api-client-jackson2:1.32.2=compileClasspath,default
 com.google.api-client:google-api-client-java6:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client-servlet:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api-client:google-api-client:1.35.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:gapic-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigtable-admin-v2:1.27.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.103.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-spanner-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:grpc-google-common-protos:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.149.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-bigtable-v2:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-datastore-v1:0.103.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-firestore-v1:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:gapic-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1:2.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta1:0.158.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigquerystorage-v1beta2:0.158.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-bigtable-v2:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsub-v1:1.105.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-pubsublite-v1:1.12.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-database-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-admin-instance-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-spanner-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:grpc-google-common-protos:2.14.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1:2.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta1:0.158.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigquerystorage-v1beta2:0.158.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-admin-v2:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-bigtable-v2:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-datastore-v1:0.105.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-firestore-v1:3.9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api.grpc:proto-google-cloud-monitoring-v3:1.64.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.api.grpc:proto-google-cloud-monitoring-v3:3.6.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsub-v1:1.103.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-spanner-v1:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-storage-v2:2.17.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.99.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.99.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-common-protos:2.13.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api.grpc:proto-google-iam-v1:1.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:api-common:2.5.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-grpc:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax-httpjson:0.107.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.api:gax:2.22.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-monitoring-v3:3.14.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsub-v1:1.105.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-pubsublite-v1:1.12.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-secretmanager-v1beta1:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-database-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-admin-instance-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-spanner-v1:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-storage-v2:2.22.2-alpha=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta2:0.107.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-cloud-tasks-v2beta3:0.107.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.18.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api.grpc:proto-google-iam-v1:1.13.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:api-common:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-grpc:2.27.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax-httpjson:0.112.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.api:gax:2.27.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-admin-directory:directory_v1-rev118-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-appengine:v1-rev20230109-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-appengine:v1-rev20230424-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-bigquery:v2-rev20220924-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-clouddebugger:v2-rev20220318-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-cloudresourcemanager:v1-rev20220828-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-dataflow:v1b3-rev20220920-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-dns:v2beta1-rev99-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-drive:v2-rev393-1.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-gmail:v1-rev20220404-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-groupssettings:v1-rev20210624-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-healthcare:v1-rev20220818-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-iamcredentials:v1-rev20210326-1.32.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-monitoring:v3-rev20230123-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-monitoring:v3-rev20230521-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-sheets:v4-rev20221216-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-sqladmin:v1beta4-rev20230111-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.apis:google-api-services-storage:v1-rev20220705-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-sheets:v4-rev20230227-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-sqladmin:v1beta4-rev20230403-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.apis:google-api-services-storage:v1-rev20230301-2.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.appengine:appengine-api-1.0-sdk:1.9.86=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.10=testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.10=testCompileClasspath,testRuntimeClasspath
+com.google.appengine:appengine-api-1.0-sdk:2.0.14=testCompileClasspath,testRuntimeClasspath
+com.google.appengine:appengine-api-stubs:2.0.14=testCompileClasspath,testRuntimeClasspath
 com.google.appengine:appengine-testing:1.9.86=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-credentials:1.14.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auth:google-auth-library-oauth2-http:1.14.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.auto.service:auto-service:1.0.1=annotationProcessor
+com.google.auth:google-auth-library-credentials:1.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auth:google-auth-library-oauth2-http:1.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.service:auto-service-annotations:1.1.0=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.auto.service:auto-service:1.1.0=annotationProcessor
 com.google.auto.value:auto-value-annotations:1.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.value:auto-value:1.10.1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.auto:auto-common:0.10=errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-com.google.auto:auto-common:1.2=annotationProcessor
+com.google.auto:auto-common:1.2.1=annotationProcessor
 com.google.closure-stylesheets:closure-stylesheets:1.5.0=css
 com.google.cloud.bigdataoss:gcsio:2.2.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.bigdataoss:util:2.2.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.bigtable:bigtable-client-core:1.26.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.bigtable:bigtable-metrics-api:1.26.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.bigtable:bigtable-client-core-config:1.28.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud.datastore:datastore-v1-proto-client:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:jdbc-socket-factory-core:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud.sql:postgres-socket-factory:1.9.0=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigquerystorage:2.25.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigtable-stats:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-bigtable:2.16.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-grpc:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core-http:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-core:2.9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-firestore:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:jdbc-socket-factory-core:1.11.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud.sql:postgres-socket-factory:1.11.2=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigquerystorage:2.34.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable-stats:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-bigtable:2.20.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-grpc:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core-http:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-core:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-firestore:3.9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.cloud:google-cloud-monitoring:1.82.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-com.google.cloud:google-cloud-monitoring:3.6.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-nio:0.126.3=testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsub:1.121.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-pubsublite:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-secretmanager:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-spanner:6.33.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-storage:2.17.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:google-cloud-tasks:2.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:grpc-gcp:1.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.7.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-monitoring:3.14.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-nio:0.126.15=testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsub:1.123.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-pubsublite:1.12.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-secretmanager:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-spanner:6.38.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-storage:2.22.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:google-cloud-tasks:2.17.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:grpc-gcp:1.4.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.cloud:proto-google-cloud-firestore-bundle-v1:3.9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.findbugs:jFormatString:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.code.findbugs:jsr305:3.0.1=css
 com.google.code.findbugs:jsr305:3.0.2=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntime,nonprodRuntimeClasspath,runtime,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.code.gson:gson:2.10.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.code.gson:gson:2.7=css,soy
 com.google.common.html.types:types:1.0.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
-com.google.dagger:dagger-compiler:2.44.2=annotationProcessor,testAnnotationProcessor
-com.google.dagger:dagger-producers:2.44.2=annotationProcessor,testAnnotationProcessor
-com.google.dagger:dagger-spi:2.44.2=annotationProcessor,testAnnotationProcessor
-com.google.dagger:dagger:2.44.2=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
-com.google.devtools.ksp:symbol-processing-api:1.7.0-1.0.6=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger-compiler:2.46.1=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger-producers:2.46.1=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger-spi:2.46.1=annotationProcessor,testAnnotationProcessor
+com.google.dagger:dagger:2.46.1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+com.google.devtools.ksp:symbol-processing-api:1.8.0-1.0.9=annotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_annotation:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
+com.google.errorprone:error_prone_annotations:2.11.0=annotationProcessor
 com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.errorprone:error_prone_annotations:2.3.4=checkstyle,errorprone,nonprodAnnotationProcessor,soy
-com.google.errorprone:error_prone_annotations:2.7.1=annotationProcessor,testAnnotationProcessor
+com.google.errorprone:error_prone_annotations:2.3.4=checkstyle,errorprone,nonprodAnnotationProcessor
+com.google.errorprone:error_prone_annotations:2.7.1=soy,testAnnotationProcessor
 com.google.errorprone:error_prone_check_api:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_core:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.google.errorprone:error_prone_type_annotations:2.3.4=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
@@ -160,20 +159,19 @@ com.google.guava:guava-testlib:31.1-jre=testCompileClasspath,testRuntimeClasspat
 com.google.guava:guava:20.0=css
 com.google.guava:guava:27.0.1-jre=errorprone,nonprodAnnotationProcessor
 com.google.guava:guava:29.0-jre=checkstyle
-com.google.guava:guava:30.1-jre=soy
-com.google.guava:guava:31.0.1-jre=annotationProcessor,testAnnotationProcessor
-com.google.guava:guava:31.1-jre=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:31.0.1-jre=soy,testAnnotationProcessor
+com.google.guava:guava:31.1-jre=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,errorprone,nonprodAnnotationProcessor,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.gwt:gwt-user:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-apache-v2:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-appengine:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-gson:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client-jackson2:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-apache-v2:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-appengine:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-gson:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client-jackson2:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.http-client:google-http-client-protobuf:1.41.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.http-client:google-http-client:1.42.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.http-client:google-http-client:1.43.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.inject.extensions:guice-multibindings:4.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
 com.google.inject:guice:4.1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.inject:guice:5.1.0=soy
+com.google.inject:guice:7.0.0=soy
 com.google.j2objc:j2objc-annotations:1.1=errorprone,nonprodAnnotationProcessor
 com.google.j2objc:j2objc-annotations:1.3=annotationProcessor,checkstyle,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 com.google.javascript:closure-compiler-externs:v20160713=css
@@ -201,7 +199,7 @@ com.google.truth:truth:1.1.3=default,deploy_jar,nonprodRuntimeClasspath,runtimeC
 com.googlecode.java-diff-utils:diffutils:1.3.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 com.googlecode.json-simple:json-simple:1.1.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.ibm.icu:icu4j:57.1=compileClasspath,nonprodCompileClasspath,soy,testCompileClasspath
-com.ibm.icu:icu4j:72.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+com.ibm.icu:icu4j:73.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 com.jcraft:jsch:0.1.55=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.lmax:disruptor:3.4.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.puppycrawl.tools:checkstyle:8.37=checkstyle
@@ -214,7 +212,7 @@ com.sun.activation:javax.activation:1.2.0=jaxb
 com.sun.istack:istack-commons-runtime:3.0.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.sun.istack:istack-commons-runtime:4.1.1=nonprodRuntime,runtime
 com.sun.xml.bind:jaxb-impl:2.3.3=jaxb
-com.sun.xml.bind:jaxb-osgi:4.0.1=jaxb
+com.sun.xml.bind:jaxb-osgi:4.0.2=jaxb
 com.sun.xml.bind:jaxb-xjc:2.3.3=jaxb
 com.sun.xml.fastinfoset:FastInfoset:1.2.15=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.thoughtworks.paranamer:paranamer:2.7=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -224,6 +222,7 @@ commons-beanutils:commons-beanutils:1.9.4=checkstyle
 commons-codec:commons-codec:1.15=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-collections:commons-collections:3.2.2=checkstyle
 commons-logging:commons-logging:1.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+dev.failsafe:failsafe:3.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 dnsjava:dnsjava:3.5.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 guru.nidi.com.eclipsesource.j2v8:j2v8_linux_x86_64:4.6.0=nonprodRuntime,runtime,testRuntimeClasspath
 guru.nidi.com.eclipsesource.j2v8:j2v8_macosx_x86_64:4.6.0=nonprodRuntime,runtime,testRuntimeClasspath
@@ -237,27 +236,26 @@ io.confluent:common-config:5.3.2=compileClasspath,default,deploy_jar,nonprodComp
 io.confluent:common-utils:5.3.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.confluent:kafka-avro-serializer:5.3.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.confluent:kafka-schema-registry-client:5.3.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.dropwizard.metrics:metrics-core:3.1.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.classgraph:classgraph:4.8.104=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.github.java-diff-utils:java-diff-utils:4.12=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-alts:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-api:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-auth:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-census:1.50.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-context:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-core:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-googleapis:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-grpclb:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty-shaded:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-netty:1.50.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf-lite:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-protobuf:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-rls:1.50.2=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-services:1.50.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-services:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-io.grpc:grpc-stub:1.52.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-io.grpc:grpc-xds:1.50.2=compileClasspath,nonprodCompileClasspath,testCompileClasspath
-io.grpc:grpc-xds:1.52.1=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-alts:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-auth:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-census:1.53.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-googleapis:1.54.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-grpclb:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty-shaded:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-netty:1.53.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf-lite:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-protobuf:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-rls:1.54.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-services:1.53.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+io.grpc:grpc-services:1.54.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-stub:1.54.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-xds:1.53.0=compileClasspath,nonprodCompileClasspath,testCompileClasspath
+io.grpc:grpc-xds:1.54.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 io.netty:netty-buffer:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-codec-http2:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.netty:netty-codec-http:4.1.79.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -283,14 +281,16 @@ io.opencensus:opencensus-impl-core:0.31.0=compileClasspath,default,deploy_jar,no
 io.opencensus:opencensus-impl:0.31.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.opencensus:opencensus-proto:0.2.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.perfmark:perfmark-api:0.26.0=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
-jakarta.activation:jakarta.activation-api:2.1.0=jaxb,nonprodRuntime,runtime
+jakarta.activation:jakarta.activation-api:2.1.0=jaxb
+jakarta.activation:jakarta.activation-api:2.1.1=nonprodRuntime,runtime
+jakarta.inject:jakarta.inject-api:2.0.1=soy
 jakarta.xml.bind:jakarta.xml.bind-api:4.0.0=jaxb,nonprodRuntime,runtime
 javacc:javacc:4.1=css
 javax.activation:activation:1.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 javax.activation:javax.activation-api:1.2.0=compileClasspath,default,deploy_jar,jaxb,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 javax.annotation:javax.annotation-api:1.3.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 javax.annotation:jsr250-api:1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testCompileClasspath,testRuntimeClasspath
-javax.inject:javax.inject:1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,soy,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
+javax.inject:javax.inject:1=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 javax.jdo:jdo2-api:2.3-20090302111651=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 javax.mail:mail:1.5.0-b01=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 javax.persistence:javax.persistence-api:2.2=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
@@ -302,11 +302,11 @@ jline:jline:1.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonp
 joda-time:joda-time:2.10.10=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 junit:junit:4.13.2=default,nonprodCompileClasspath,nonprodRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.arnx:nashorn-promise:0.1.1=nonprodRuntime,runtime,testRuntimeClasspath
-net.bytebuddy:byte-buddy-agent:1.12.22=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.14.4=testCompileClasspath,testRuntimeClasspath
 net.bytebuddy:byte-buddy:1.12.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
-net.bytebuddy:byte-buddy:1.12.22=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.14.4=testCompileClasspath,testRuntimeClasspath
 net.java.dev.javacc:javacc:4.1=css
-net.java.dev.jna:jna:5.8.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+net.java.dev.jna:jna:5.12.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 net.ltgt.gradle.incap:incap:0.2=annotationProcessor,testAnnotationProcessor
 net.sf.saxon:Saxon-HE:10.3=checkstyle
 org.antlr:antlr4-runtime:4.8-1=checkstyle
@@ -314,26 +314,27 @@ org.apache.arrow:arrow-format:5.0.0=compileClasspath,default,deploy_jar,nonprodC
 org.apache.arrow:arrow-memory-core:5.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.arrow:arrow-vector:5.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.avro:avro:1.8.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-job-management:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-model-pipeline:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-construction-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-core-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-direct-java:2.44.0=testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-google-cloud-dataflow-java:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-runners-java-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-core:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-expansion-service:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-arrow:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-extensions-protobuf:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-fn-execution:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.beam:beam-sdks-java-io-kafka:2.44.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-fn-execution:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-job-management:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-model-pipeline:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-construction-java:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-core-java:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-direct-java:2.47.0=testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-google-cloud-dataflow-java:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-runners-java-fn-execution:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-core:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-expansion-service:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-arrow:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-avro:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-extensions-protobuf:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-fn-execution:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.beam:beam-sdks-java-io-kafka:2.47.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-grpc-1_48_1:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.beam:beam-vendor-guava-26_0-jre:0.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-compress:1.22=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-csv:1.9.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-compress:1.23.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-csv:1.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-exec:1.3=nonprodRuntime,runtime,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-lang3:3.12.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.10.0=testCompileClasspath,testRuntimeClasspath
@@ -345,7 +346,7 @@ org.apache.mina:mina-core:2.1.6=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-core:2.0.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-scp:2.0.0=testCompileClasspath,testRuntimeClasspath
 org.apache.sshd:sshd-sftp:2.0.0=testCompileClasspath,testRuntimeClasspath
-org.apache.tomcat:tomcat-annotations-api:11.0.0-M1=testCompileClasspath,testRuntimeClasspath
+org.apache.tomcat:tomcat-annotations-api:11.0.0-M6=testCompileClasspath,testRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
 org.bouncycastle:bcpg-jdk15on:1.67=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.bouncycastle:bcpkix-jdk15on:1.67=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -354,18 +355,18 @@ org.checkerframework:checker-compat-qual:2.5.3=nonprodRuntime,runtime
 org.checkerframework:checker-compat-qual:2.5.5=annotationProcessor,compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath
 org.checkerframework:checker-qual:2.11.1=checkstyle
 org.checkerframework:checker-qual:3.0.0=errorprone,nonprodAnnotationProcessor
-org.checkerframework:checker-qual:3.12.0=annotationProcessor,testAnnotationProcessor
-org.checkerframework:checker-qual:3.29.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.checkerframework:checker-qual:3.5.0=nonprodRuntime,runtime,soy
+org.checkerframework:checker-qual:3.12.0=annotationProcessor,soy,testAnnotationProcessor
+org.checkerframework:checker-qual:3.31.0=nonprodRuntime,runtime
+org.checkerframework:checker-qual:3.32.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.checkerframework:dataflow:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.checkerframework:javacutil:3.0.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.codehaus.jackson:jackson-core-asl:1.9.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.codehaus.jackson:jackson-mapper-asl:1.9.13=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.codehaus.mojo:animal-sniffer-annotations:1.17=errorprone,nonprodAnnotationProcessor
-org.codehaus.mojo:animal-sniffer-annotations:1.22=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
+org.codehaus.mojo:animal-sniffer-annotations:1.23=default,deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testRuntimeClasspath
 org.conscrypt:conscrypt-openjdk-uber:2.5.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.easymock:easymock:3.0=css
-org.eclipse.angus:angus-activation:1.0.0=nonprodRuntime,runtime
+org.eclipse.angus:angus-activation:2.0.0=nonprodRuntime,runtime
 org.eclipse.jetty:jetty-http:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-io:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-security:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -373,12 +374,12 @@ org.eclipse.jetty:jetty-server:9.4.49.v20220914=compileClasspath,default,deploy_
 org.eclipse.jetty:jetty-servlet:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-util-ajax:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-util:9.4.49.v20220914=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.flywaydb:flyway-core:9.12.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:jaxb-core:4.0.1=nonprodRuntime,runtime
+org.flywaydb:flyway-core:9.19.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.glassfish.jaxb:jaxb-core:4.0.2=nonprodRuntime,runtime
 org.glassfish.jaxb:jaxb-runtime:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:jaxb-runtime:4.0.1=nonprodRuntime,runtime
+org.glassfish.jaxb:jaxb-runtime:4.0.2=nonprodRuntime,runtime
 org.glassfish.jaxb:txw2:2.3.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.glassfish.jaxb:txw2:4.0.1=nonprodRuntime,runtime
+org.glassfish.jaxb:txw2:4.0.2=nonprodRuntime,runtime
 org.gwtproject:gwt-user:2.10.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.hamcrest:hamcrest-core:1.1=css
 org.hamcrest:hamcrest-core:1.3=default,nonprodCompileClasspath,nonprodRuntimeClasspath
@@ -387,8 +388,8 @@ org.hamcrest:hamcrest-library:2.2=testCompileClasspath,testRuntimeClasspath
 org.hamcrest:hamcrest:2.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
 org.hamcrest:hamcrest:2.2=testCompileClasspath,testRuntimeClasspath
 org.hibernate.common:hibernate-commons-annotations:5.1.2.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.hibernate:hibernate-core:5.6.14.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.hibernate:hibernate-hikaricp:5.6.14.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.hibernate:hibernate-core:5.6.15.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.hibernate:hibernate-hikaricp:5.6.15.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jacoco:org.jacoco.agent:0.8.7=jacocoAgent,jacocoAnt
 org.jacoco:org.jacoco.ant:0.8.7=jacocoAnt
 org.jacoco:org.jacoco.core:0.8.7=jacocoAnt
@@ -398,33 +399,32 @@ org.jboss.logging:jboss-logging:3.4.3.Final=compileClasspath,default,deploy_jar,
 org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:1.1.1.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jboss:jandex:2.4.2.Final=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jetbrains.kotlin:kotlin-reflect:1.6.10=annotationProcessor,testAnnotationProcessor
-org.jetbrains.kotlin:kotlin-stdlib-common:1.7.0=annotationProcessor,testAnnotationProcessor
-org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.7.0=annotationProcessor,testAnnotationProcessor
-org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.7.0=annotationProcessor,testAnnotationProcessor
-org.jetbrains.kotlin:kotlin-stdlib:1.7.0=annotationProcessor,testAnnotationProcessor
-org.jetbrains.kotlinx:kotlinx-metadata-jvm:0.5.0=annotationProcessor,testAnnotationProcessor
+org.jetbrains.kotlin:kotlin-stdlib-common:1.8.0=annotationProcessor,testAnnotationProcessor
+org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.6.10=annotationProcessor,testAnnotationProcessor
+org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.10=annotationProcessor,testAnnotationProcessor
+org.jetbrains.kotlin:kotlin-stdlib:1.8.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains:annotations:13.0=annotationProcessor,testAnnotationProcessor
 org.jetbrains:annotations:17.0.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.joda:joda-money:1.0.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.json:json:20160212=soy
-org.json:json:20200518=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.jsoup:jsoup:1.15.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.junit-pioneer:junit-pioneer:2.0.0-RC1=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-api:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-engine:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-migrationsupport:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.jupiter:junit-jupiter-params:5.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-launcher:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-runner:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-suite-api:1.9.2=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-suite-commons:1.9.2=testRuntimeClasspath
-org.junit:junit-bom:5.9.2=testCompileClasspath,testRuntimeClasspath
+org.json:json:20230227=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.jsoup:jsoup:1.16.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.junit-pioneer:junit-pioneer:2.0.1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-migrationsupport:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-params:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-launcher:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-runner:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-suite-api:1.10.0-M1=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-suite-commons:1.10.0-M1=testRuntimeClasspath
+org.junit:junit-bom:5.10.0-M1=testCompileClasspath,testRuntimeClasspath
 org.jvnet.staxex:stax-ex:1.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.mockito:mockito-core:1.10.19=css
-org.mockito:mockito-core:5.0.0=testCompileClasspath,testRuntimeClasspath
-org.mockito:mockito-junit-jupiter:5.0.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.3.1=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-junit-jupiter:5.3.1=testCompileClasspath,testRuntimeClasspath
 org.mortbay.jetty:jetty-util:6.1.26=testCompileClasspath,testRuntimeClasspath
 org.mortbay.jetty:jetty:6.1.26=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:2.1=css
@@ -432,23 +432,23 @@ org.objenesis:objenesis:3.3=testRuntimeClasspath
 org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:7.0=soy
 org.ow2.asm:asm-analysis:9.1=jacocoAnt
-org.ow2.asm:asm-analysis:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm-analysis:9.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-commons:7.0=soy
 org.ow2.asm:asm-commons:9.1=jacocoAnt
 org.ow2.asm:asm-commons:9.2=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-tree:7.0=soy
 org.ow2.asm:asm-tree:9.1=jacocoAnt
-org.ow2.asm:asm-tree:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm-tree:9.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-util:7.0=soy
-org.ow2.asm:asm-util:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm-util:9.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm:7.0=soy
 org.ow2.asm:asm:9.1=jacocoAnt
-org.ow2.asm:asm:9.4=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.ow2.asm:asm:9.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.pcollections:pcollections:2.1.2=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.plumelib:plume-util:1.0.6=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.plumelib:reflection-util:0.0.2=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
 org.plumelib:require-javadoc:0.1.0=annotationProcessor,errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
-org.postgresql:postgresql:42.5.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntime,nonprodRuntimeClasspath,runtime,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.postgresql:postgresql:42.6.0=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntime,nonprodRuntimeClasspath,runtime,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.reflections:reflections:0.9.12=checkstyle
 org.rnorth.duct-tape:duct-tape:1.0.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.seleniumhq.selenium:selenium-api:3.141.59=testCompileClasspath,testRuntimeClasspath
@@ -465,18 +465,18 @@ org.slf4j:jcl-over-slf4j:1.7.30=nonprodRuntime,runtime,testRuntimeClasspath
 org.slf4j:jul-to-slf4j:1.7.30=nonprodRuntime,runtime,testRuntimeClasspath
 org.slf4j:slf4j-api:1.7.30=nonprodRuntime,runtime
 org.slf4j:slf4j-api:1.7.36=compileClasspath,nonprodCompileClasspath,nonprodRuntimeClasspath,testCompileClasspath
-org.slf4j:slf4j-api:2.0.6=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
-org.slf4j:slf4j-jdk14:2.0.6=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
-org.springframework:spring-core:5.3.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.springframework:spring-expression:5.3.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.springframework:spring-jcl:5.3.18=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:database-commons:1.17.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:jdbc:1.17.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:junit-jupiter:1.17.6=testCompileClasspath,testRuntimeClasspath
-org.testcontainers:postgresql:1.17.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.testcontainers:selenium:1.17.6=testCompileClasspath,testRuntimeClasspath
-org.testcontainers:testcontainers:1.17.6=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.threeten:threetenbp:1.6.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.slf4j:slf4j-api:2.0.7=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
+org.slf4j:slf4j-jdk14:2.0.7=default,deploy_jar,runtimeClasspath,testRuntimeClasspath
+org.springframework:spring-core:5.3.25=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.springframework:spring-expression:5.3.25=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.springframework:spring-jcl:5.3.25=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:database-commons:1.18.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:jdbc:1.18.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:junit-jupiter:1.18.1=testCompileClasspath,testRuntimeClasspath
+org.testcontainers:postgresql:1.18.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.testcontainers:selenium:1.18.1=testCompileClasspath,testRuntimeClasspath
+org.testcontainers:testcontainers:1.18.1=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.threeten:threetenbp:1.6.8=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.tukaani:xz:1.5=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.w3c.css:sac:1.3=compileClasspath,default,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.webjars.npm:viz.js-graphviz-java:2.1.3=nonprodRuntime,runtime,testRuntimeClasspath
--- a/core/src/main/java/google/registry/batch/BatchModule.java
+++ b/core/src/main/java/google/registry/batch/BatchModule.java
@@ -17,7 +17,6 @@ package google.registry.batch;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_REQUESTED_TIME;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESAVE_TIMES;
 import static google.registry.batch.AsyncTaskEnqueuer.PARAM_RESOURCE_KEY;
-import static google.registry.batch.CannedScriptExecutionAction.SCRIPT_PARAM;
 import static google.registry.request.RequestParameters.extractBooleanParameter;
 import static google.registry.request.RequestParameters.extractIntParameter;
 import static google.registry.request.RequestParameters.extractLongParameter;
@@ -139,11 +138,4 @@ public class BatchModule {
  static boolean provideIsDryRun(HttpServletRequest req) {
    return extractBooleanParameter(req, PARAM_DRY_RUN);
  }
-
-  // TODO(b/234424397): remove method after credential changes are rolled out.
-  @Provides
-  @Parameter(SCRIPT_PARAM)
-  static String provideScriptName(HttpServletRequest req) {
-    return extractRequiredParameter(req, SCRIPT_PARAM);
-  }
 }
--- a/core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java
+++ b/core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java
@@ -16,26 +16,23 @@ package google.registry.batch;

 import static google.registry.request.Action.Method.POST;

-import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
-import google.registry.batch.cannedscript.GroupsApiChecker;
 import google.registry.request.Action;
-import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import javax.inject.Inject;

 /**
 * Action that executes a canned script specified by the caller.
 *
- * <p>This class is introduced to help the safe rollout of credential changes. The delegated
- * credentials in particular, benefit from this: they require manual configuration of the peer
- * system in each environment, and may wait hours or even days after deployment until triggered by
- * user activities.
+ * <p>This class provides a hook for invoking hard-coded methods. The main use case is to verify in
+ * Sandbox and Production environments new features that depend on environment-specific
+ * configurations. For example, the {@code DelegatedCredential}, which requires correct GWorkspace
+ * configuration, has been tested this way. Since it is a hassle to add or remove endpoints, we keep
+ * this class all the time.
 *
 * <p>This action can be invoked using the Nomulus CLI command: {@code nomulus -e ${env} curl
- * --service BACKEND -X POST -u '/_dr/task/executeCannedScript?script=${script_name}'}
+ * --service BACKEND -X POST -u '/_dr/task/executeCannedScript}'}
 */
-// TODO(b/234424397): remove class after credential changes are rolled out.
@Action(
    service = Action.Service.BACKEND,
    path = "/_dr/task/executeCannedScript",
@@ -45,29 +42,18 @@ import javax.inject.Inject;
 public class CannedScriptExecutionAction implements Runnable {
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();

-  static final String SCRIPT_PARAM = "script";
-
-  static final ImmutableMap<String, Runnable> SCRIPTS =
-      ImmutableMap.of("runGroupsApiChecks", GroupsApiChecker::runGroupsApiChecks);
-
-  private final String scriptName;
-
  @Inject
-  CannedScriptExecutionAction(@Parameter(SCRIPT_PARAM) String scriptName) {
-    logger.atInfo().log("Received request to run script %s", scriptName);
-    this.scriptName = scriptName;
+  CannedScriptExecutionAction() {
+    logger.atInfo().log("Received request to run scripts.");
  }

  @Override
  public void run() {
-    if (!SCRIPTS.containsKey(scriptName)) {
-      throw new IllegalArgumentException("Script not found:" + scriptName);
-    }
    try {
-      SCRIPTS.get(scriptName).run();
-      logger.atInfo().log("Finished running %s.", scriptName);
+      // Invoke canned scripts here.
+      logger.atInfo().log("Finished running scripts.");
    } catch (Throwable t) {
-      logger.atWarning().withCause(t).log("Error executing %s", scriptName);
+      logger.atWarning().withCause(t).log("Error executing scripts.");
      throw new RuntimeException("Execution failed.");
    }
  }
--- a/core/src/main/java/google/registry/batch/CloudTasksUtils.java
+++ b/core/src/main/java/google/registry/batch/CloudTasksUtils.java
@@ -16,6 +16,7 @@ package google.registry.batch;

 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableList.toImmutableList;
+import static google.registry.tools.ServiceConnection.getServer;
 import static java.util.concurrent.TimeUnit.SECONDS;

 import com.google.api.gax.rpc.ApiException;
@@ -23,6 +24,8 @@ import com.google.cloud.tasks.v2.AppEngineHttpRequest;
 import com.google.cloud.tasks.v2.AppEngineRouting;
 import com.google.cloud.tasks.v2.CloudTasksClient;
 import com.google.cloud.tasks.v2.HttpMethod;
+import com.google.cloud.tasks.v2.HttpRequest;
+import com.google.cloud.tasks.v2.OidcToken;
 import com.google.cloud.tasks.v2.QueueName;
 import com.google.cloud.tasks.v2.Task;
 import com.google.common.base.Joiner;
@@ -46,7 +49,10 @@ import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Optional;
 import java.util.Random;
+import java.util.function.BiConsumer;
+import java.util.function.Consumer;
 import java.util.function.Supplier;
+import javax.annotation.Nullable;
 import javax.inject.Inject;
 import org.joda.time.Duration;

@@ -61,6 +67,9 @@ public class CloudTasksUtils implements Serializable {
  private final Clock clock;
  private final String projectId;
  private final String locationId;
+  // defaultServiceAccount and iapClientId are nullable because Optional isn't serializable
+  @Nullable private final String defaultServiceAccount;
+  @Nullable private final String iapClientId;
  private final SerializableCloudTasksClient client;

  @Inject
@@ -69,11 +78,15 @@ public class CloudTasksUtils implements Serializable {
      Clock clock,
      @Config("projectId") String projectId,
      @Config("locationId") String locationId,
+      @Config("defaultServiceAccount") Optional<String> defaultServiceAccount,
+      @Config("iapClientId") Optional<String> iapClientId,
      SerializableCloudTasksClient client) {
    this.retrier = retrier;
    this.clock = clock;
    this.projectId = projectId;
    this.locationId = locationId;
+    this.defaultServiceAccount = defaultServiceAccount.orElse(null);
+    this.iapClientId = iapClientId.orElse(null);
    this.client = client;
  }

@@ -98,6 +111,74 @@ public class CloudTasksUtils implements Serializable {
    return enqueue(queue, Arrays.asList(tasks));
  }

+  /**
+   * Converts a (possible) set of params into an HTTP request via the appropriate method.
+   *
+   * <p>For GET requests we add them on to the URL, and for POST requests we add them in the body of
+   * the request.
+   *
+   * <p>The parameters {@code putHeadersFunction} and {@code setBodyFunction} are used so that this
+   * method can be called with either an AppEngine HTTP request or a standard non-AppEngine HTTP
+   * request. The two objects do not have the same methods, but both have ways of setting headers /
+   * body.
+   *
+   * @return the resulting path (unchanged for POST requests, with params added for GET requests)
+   */
+  private String processRequestParameters(
+      String path,
+      HttpMethod method,
+      Multimap<String, String> params,
+      BiConsumer<String, String> putHeadersFunction,
+      Consumer<ByteString> setBodyFunction) {
+    if (CollectionUtils.isNullOrEmpty(params)) {
+      return path;
+    }
+    Escaper escaper = UrlEscapers.urlPathSegmentEscaper();
+    String encodedParams =
+        Joiner.on("&")
+            .join(
+                params.entries().stream()
+                    .map(
+                        entry ->
+                            String.format(
+                                "%s=%s",
+                                escaper.escape(entry.getKey()), escaper.escape(entry.getValue())))
+                    .collect(toImmutableList()));
+    if (method.equals(HttpMethod.GET)) {
+      return String.format("%s?%s", path, encodedParams);
+    }
+    putHeadersFunction.accept(HttpHeaders.CONTENT_TYPE, MediaType.FORM_DATA.toString());
+    setBodyFunction.accept(ByteString.copyFrom(encodedParams, StandardCharsets.UTF_8));
+    return path;
+  }
+
+  /**
+   * Creates a {@link Task} that does not use AppEngine for submission.
+   *
+   * <p>This uses the standard Cloud Tasks auth format to create and send an OIDC ID token set to
+   * the default service account. That account must have permission to submit tasks to Cloud Tasks.
+   */
+  private Task createNonAppEngineTask(
+      String path, HttpMethod method, Service service, Multimap<String, String> params) {
+    HttpRequest.Builder requestBuilder = HttpRequest.newBuilder().setHttpMethod(method);
+    path =
+        processRequestParameters(
+            path, method, params, requestBuilder::putHeaders, requestBuilder::setBody);
+    OidcToken.Builder oidcTokenBuilder =
+        OidcToken.newBuilder().setServiceAccountEmail(defaultServiceAccount);
+    // If the service is using IAP, add that as the audience for the token so the request can be
+    // appropriately authed. Otherwise, use the project name.
+    if (iapClientId != null) {
+      oidcTokenBuilder.setAudience(iapClientId);
+    } else {
+      oidcTokenBuilder.setAudience(projectId);
+    }
+    requestBuilder.setOidcToken(oidcTokenBuilder.build());
+    String totalPath = String.format("%s%s", getServer(service), path);
+    requestBuilder.setUrl(totalPath);
+    return Task.newBuilder().setHttpRequest(requestBuilder.build()).build();
+  }
+
  /**
   * Create a {@link Task} to be enqueued.
   *
@@ -123,34 +204,21 @@ public class CloudTasksUtils implements Serializable {
        method.equals(HttpMethod.GET) || method.equals(HttpMethod.POST),
        "HTTP method %s is used. Only GET and POST are allowed.",
        method);
-    AppEngineHttpRequest.Builder requestBuilder =
-        AppEngineHttpRequest.newBuilder()
-            .setHttpMethod(method)
-            .setAppEngineRouting(
-                AppEngineRouting.newBuilder().setService(service.toString()).build());
-
-    if (!CollectionUtils.isNullOrEmpty(params)) {
-      Escaper escaper = UrlEscapers.urlPathSegmentEscaper();
-      String encodedParams =
-          Joiner.on("&")
-              .join(
-                  params.entries().stream()
-                      .map(
-                          entry ->
-                              String.format(
-                                  "%s=%s",
-                                  escaper.escape(entry.getKey()), escaper.escape(entry.getValue())))
-                      .collect(toImmutableList()));
-      if (method == HttpMethod.GET) {
-        path = String.format("%s?%s", path, encodedParams);
-      } else {
-        requestBuilder
-            .putHeaders(HttpHeaders.CONTENT_TYPE, MediaType.FORM_DATA.toString())
-            .setBody(ByteString.copyFrom(encodedParams, StandardCharsets.UTF_8));
-      }
+    // If the default service account is configured, send a standard non-AppEngine HTTP request
+    if (defaultServiceAccount != null) {
+      return createNonAppEngineTask(path, method, service, params);
+    } else {
+      AppEngineHttpRequest.Builder requestBuilder =
+          AppEngineHttpRequest.newBuilder()
+              .setHttpMethod(method)
+              .setAppEngineRouting(
+                  AppEngineRouting.newBuilder().setService(service.toString()).build());
+      path =
+          processRequestParameters(
+              path, method, params, requestBuilder::putHeaders, requestBuilder::setBody);
+      requestBuilder.setRelativeUri(path);
+      return Task.newBuilder().setAppEngineHttpRequest(requestBuilder.build()).build();
    }
-    requestBuilder.setRelativeUri(path);
-    return Task.newBuilder().setAppEngineHttpRequest(requestBuilder.build()).build();
  }

  /**
--- a/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
@@ -19,8 +19,9 @@ import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.batch.BatchModule.PARAM_DRY_RUN;
 import static google.registry.config.RegistryEnvironment.PRODUCTION;
+import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_DELETE;
-import static google.registry.model.tld.Registries.getTldsOfType;
+import static google.registry.model.tld.Tlds.getTldsOfType;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLDS;
@@ -32,7 +33,6 @@ import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryEnvironment;
-import google.registry.dns.DnsUtils;
 import google.registry.model.CreateAutoTimestamp;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.Domain;
@@ -98,8 +98,6 @@ public class DeleteProberDataAction implements Runnable {
  /** Number of domains to retrieve and delete per SQL transaction. */
  private static final int BATCH_SIZE = 1000;

-  @Inject DnsUtils dnsUtils;
-
  @Inject
  @Parameter(PARAM_DRY_RUN)
  boolean isDryRun;
@@ -222,7 +220,7 @@ public class DeleteProberDataAction implements Runnable {
    }
  }

-  private void hardDeleteDomainsAndHosts(
+  private static void hardDeleteDomainsAndHosts(
      ImmutableList<String> domainRepoIds, ImmutableList<String> hostNames) {
    tm().query("DELETE FROM Host WHERE hostName IN :hostNames")
        .setParameter("hostNames", hostNames)
@@ -264,6 +262,6 @@ public class DeleteProberDataAction implements Runnable {
    // messages, or auto-renews because those will all be hard-deleted the next time the job runs
    // anyway.
    tm().putAll(ImmutableList.of(deletedDomain, historyEntry));
-    dnsUtils.requestDomainDnsRefresh(deletedDomain.getDomainName());
+    requestDomainDnsRefresh(deletedDomain.getDomainName());
  }
 }
--- a/core/src/main/java/google/registry/batch/cannedscript/GroupsApiChecker.java
+++ b/core/src/main/java/google/registry/batch/cannedscript/GroupsApiChecker.java
@@ -1,122 +0,0 @@
-// Copyright 2022 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.batch.cannedscript;
-
-import static com.google.common.collect.ImmutableList.toImmutableList;
-import static google.registry.util.RegistrarUtils.normalizeRegistrarId;
-
-import com.google.api.services.admin.directory.Directory;
-import com.google.api.services.groupssettings.Groupssettings;
-import com.google.common.base.Supplier;
-import com.google.common.base.Suppliers;
-import com.google.common.base.Throwables;
-import com.google.common.collect.Streams;
-import com.google.common.flogger.FluentLogger;
-import dagger.Component;
-import dagger.Module;
-import dagger.Provides;
-import google.registry.config.CredentialModule;
-import google.registry.config.CredentialModule.AdcDelegatedCredential;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.config.RegistryConfig.ConfigModule;
-import google.registry.groups.DirectoryGroupsConnection;
-import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarPoc;
-import google.registry.util.GoogleCredentialsBundle;
-import google.registry.util.UtilsModule;
-import java.util.List;
-import java.util.Set;
-import javax.inject.Singleton;
-
-/**
- * Verifies that the credential with the {@link AdcDelegatedCredential} annotation can be used to
- * access the Google Workspace Groups API.
- */
-// TODO(b/234424397): remove class after credential changes are rolled out.
-public class GroupsApiChecker {
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  private static final Supplier<GroupsConnectionComponent> COMPONENT_SUPPLIER =
-      Suppliers.memoize(DaggerGroupsApiChecker_GroupsConnectionComponent::create);
-
-  public static void runGroupsApiChecks() {
-    GroupsConnectionComponent component = COMPONENT_SUPPLIER.get();
-    DirectoryGroupsConnection groupsConnection = component.groupsConnection();
-
-    List<Registrar> registrars =
-        Streams.stream(Registrar.loadAllCached())
-            .filter(registrar -> registrar.isLive() && registrar.getType() == Registrar.Type.REAL)
-            .collect(toImmutableList());
-    for (Registrar registrar : registrars) {
-      for (final RegistrarPoc.Type type : RegistrarPoc.Type.values()) {
-        String groupKey =
-            String.format(
-                "%s-%s-contacts@%s",
-                normalizeRegistrarId(registrar.getRegistrarId()),
-                type.getDisplayName(),
-                component.gSuiteDomainName());
-        try {
-          Set<String> currentMembers = groupsConnection.getMembersOfGroup(groupKey);
-          logger.atInfo().log("Found %s members for %s.", currentMembers.size(), groupKey);
-        } catch (Exception e) {
-          Throwables.throwIfUnchecked(e);
-          throw new RuntimeException(e);
-        }
-      }
-    }
-  }
-
-  @Singleton
-  @Component(
-      modules = {
-        ConfigModule.class,
-        CredentialModule.class,
-        GroupsApiModule.class,
-        UtilsModule.class
-      })
-  interface GroupsConnectionComponent {
-    DirectoryGroupsConnection groupsConnection();
-
-    @Config("gSuiteDomainName")
-    String gSuiteDomainName();
-  }
-
-  @Module
-  static class GroupsApiModule {
-    @Provides
-    static Directory provideDirectory(
-        @AdcDelegatedCredential GoogleCredentialsBundle credentialsBundle,
-        @Config("projectId") String projectId) {
-      return new Directory.Builder(
-              credentialsBundle.getHttpTransport(),
-              credentialsBundle.getJsonFactory(),
-              credentialsBundle.getHttpRequestInitializer())
-          .setApplicationName(projectId)
-          .build();
-    }
-
-    @Provides
-    static Groupssettings provideGroupsSettings(
-        @AdcDelegatedCredential GoogleCredentialsBundle credentialsBundle,
-        @Config("projectId") String projectId) {
-      return new Groupssettings.Builder(
-              credentialsBundle.getHttpTransport(),
-              credentialsBundle.getJsonFactory(),
-              credentialsBundle.getHttpRequestInitializer())
-          .setApplicationName(projectId)
-          .build();
-    }
-  }
-}
--- a/core/src/main/java/google/registry/beam/billing/BillingEvent.java
+++ b/core/src/main/java/google/registry/beam/billing/BillingEvent.java
@@ -189,7 +189,7 @@ public abstract class BillingEvent implements Serializable {
                .minusDays(1)
                .toString(),
        billingId(),
-        String.format("%s - %s", registrarId(), tld()),
+        registrarId(),
        String.format("%s | TLD: %s | TERM: %d-year", action(), tld(), years()),
        amount(),
        currency(),
@@ -233,7 +233,7 @@ public abstract class BillingEvent implements Serializable {
    /** Returns the billing account id, which is the {@code BillingEvent.billingId}. */
    abstract String productAccountKey();

-    /** Returns the invoice grouping key, which is in the format "registrarId - tld". */
+    /** Returns the invoice grouping key, which is the registrar ID. */
    abstract String usageGroupingKey();

    /** Returns a description of the item, formatted as "action | TLD: tld | TERM: n-year." */
--- a/core/src/main/java/google/registry/beam/rde/RdeIO.java
+++ b/core/src/main/java/google/registry/beam/rde/RdeIO.java
@@ -43,7 +43,7 @@ import google.registry.rde.RdeMarshaller;
 import google.registry.rde.RdeModule;
 import google.registry.rde.RdeResourceType;
 import google.registry.rde.RdeUploadAction;
-import google.registry.rde.RdeUtil;
+import google.registry.rde.RdeUtils;
 import google.registry.request.Action.Service;
 import google.registry.request.RequestParameters;
 import google.registry.tldconfig.idn.IdnTableEnum;
@@ -166,7 +166,7 @@ public class RdeIO {
      final int revision =
          Optional.ofNullable(key.revision())
              .orElseGet(() -> RdeRevision.getNextRevision(tld, watermark, mode));
-      String id = RdeUtil.timestampToId(watermark);
+      String id = RdeUtils.timestampToId(watermark);
      String prefix =
          options.getJobName()
              + '/'
--- a/core/src/main/java/google/registry/bigquery/BigqueryModule.java
+++ b/core/src/main/java/google/registry/bigquery/BigqueryModule.java
@@ -20,7 +20,7 @@ import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import dagger.multibindings.Multibinds;
-import google.registry.config.CredentialModule.DefaultCredential;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 import java.util.Map;
@@ -34,7 +34,7 @@ public abstract class BigqueryModule {

  @Provides
  static Bigquery provideBigquery(
-      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
+      @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId) {
    return new Bigquery.Builder(
            credentialsBundle.getHttpTransport(),
--- a/core/src/main/java/google/registry/config/CloudTasksUtilsModule.java
+++ b/core/src/main/java/google/registry/config/CloudTasksUtilsModule.java
@@ -22,7 +22,7 @@ import dagger.Provides;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.batch.CloudTasksUtils.GcpCloudTasksClient;
 import google.registry.batch.CloudTasksUtils.SerializableCloudTasksClient;
-import google.registry.config.CredentialModule.DefaultCredential;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 import java.io.IOException;
@@ -41,7 +41,7 @@ public abstract class CloudTasksUtilsModule {
  // Provides a supplier instead of using a Dagger @Provider because the latter is not serializable.
  @Provides
  public static Supplier<CloudTasksClient> provideCloudTasksClientSupplier(
-      @DefaultCredential GoogleCredentialsBundle credentials) {
+      @ApplicationDefaultCredential GoogleCredentialsBundle credentials) {
    return (Supplier<CloudTasksClient> & Serializable)
        () -> {
          CloudTasksClient client;
--- a/core/src/main/java/google/registry/config/CredentialModule.java
+++ b/core/src/main/java/google/registry/config/CredentialModule.java
@@ -66,38 +66,6 @@ public abstract class CredentialModule {
    return GoogleCredentialsBundle.create(credential);
  }

-  /**
-   * Provides the default {@link GoogleCredentialsBundle} from the Google Cloud runtime.
-   *
-   * <p>The credential returned depends on the runtime environment:
-   *
-   * <ul>
-   *   <li>On AppEngine, returns the service account credential for
-   *       PROJECT_ID@appspot.gserviceaccount.com
-   *   <li>On Compute Engine, returns the service account credential for
-   *       PROJECT_NUMBER-compute@developer.gserviceaccount.com
-   *   <li>On end user host, this returns the credential downloaded by gcloud. Please refer to <a
-   *       href="https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login">Cloud
-   *       SDK documentation</a> for details.
-   * </ul>
-   */
-  @DefaultCredential
-  @Provides
-  @Singleton
-  public static GoogleCredentialsBundle provideDefaultCredential(
-      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes) {
-    GoogleCredentials credential;
-    try {
-      credential = GoogleCredentials.getApplicationDefault();
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
-    if (credential.createScopedRequired()) {
-      credential = credential.createScoped(requiredScopes);
-    }
-    return GoogleCredentialsBundle.create(credential);
-  }
-
  /**
   * Provides a {@link GoogleCredentialsBundle} for accessing Google Workspace APIs, such as Drive
   * and Sheets.
@@ -162,13 +130,6 @@ public abstract class CredentialModule {
  @Retention(RetentionPolicy.RUNTIME)
  public @interface ApplicationDefaultCredential {}

-  /** Dagger qualifier for the Application Default Credential. */
-  @Qualifier
-  @Documented
-  @Retention(RetentionPolicy.RUNTIME)
-  @Deprecated // Switching to @ApplicationDefaultCredential
-  public @interface DefaultCredential {}
-
  /** Dagger qualifier for the credential for Google Workspace APIs. */
  @Qualifier
  @Documented
--- a/core/src/main/java/google/registry/config/RegistryConfig.java
+++ b/core/src/main/java/google/registry/config/RegistryConfig.java
@@ -108,12 +108,6 @@ public final class RegistryConfig {
      return config.gcpProject.projectId;
    }

-    @Provides
-    @Config("serviceAccountEmails")
-    public static ImmutableList<String> provideServiceAccountEmails(RegistryConfigSettings config) {
-      return ImmutableList.copyOf(config.gcpProject.serviceAccountEmails);
-    }
-
    @Provides
    @Config("projectIdNumber")
    public static long provideProjectIdNumber(RegistryConfigSettings config) {
@@ -126,6 +120,18 @@ public final class RegistryConfig {
      return config.gcpProject.locationId;
    }

+    @Provides
+    @Config("serviceAccountEmails")
+    public static ImmutableList<String> provideServiceAccountEmails(RegistryConfigSettings config) {
+      return ImmutableList.copyOf(config.gcpProject.serviceAccountEmails);
+    }
+
+    @Provides
+    @Config("defaultServiceAccount")
+    public static Optional<String> provideDefaultServiceAccount(RegistryConfigSettings config) {
+      return Optional.ofNullable(config.gcpProject.defaultServiceAccount);
+    }
+
    /**
     * The filename of the logo to be displayed in the header of the registrar console.
     *
--- a/core/src/main/java/google/registry/config/RegistryConfigSettings.java
+++ b/core/src/main/java/google/registry/config/RegistryConfigSettings.java
@@ -55,6 +55,7 @@ public class RegistryConfigSettings {
    public String toolsServiceUrl;
    public String pubapiServiceUrl;
    public List<String> serviceAccountEmails;
+    public String defaultServiceAccount;
  }

  /** Configuration options for OAuth settings for authenticating users. */
--- a/core/src/main/java/google/registry/config/files/default-config.yaml
+++ b/core/src/main/java/google/registry/config/files/default-config.yaml
@@ -27,6 +27,9 @@ gcpProject:
  serviceAccountEmails:
  - default-service-account-email@email.com
  - cloud-scheduler-email@email.com
+  # The default service account with which the service is running. For example,
+  # on GAE this would be {project-id}@appspot.gserviceaccount.com
+  defaultServiceAccount: null

 gSuite:
  # Publicly accessible domain name of the running G Suite instance.
--- a/core/src/main/java/google/registry/cron/TldFanoutAction.java
+++ b/core/src/main/java/google/registry/cron/TldFanoutAction.java
@@ -27,9 +27,9 @@ import static google.registry.cron.CronModule.FOR_EACH_TEST_TLD_PARAM;
 import static google.registry.cron.CronModule.JITTER_SECONDS_PARAM;
 import static google.registry.cron.CronModule.QUEUE_PARAM;
 import static google.registry.cron.CronModule.RUN_IN_EMPTY_PARAM;
-import static google.registry.model.tld.Registries.getTldsOfType;
 import static google.registry.model.tld.Tld.TldType.REAL;
 import static google.registry.model.tld.Tld.TldType.TEST;
+import static google.registry.model.tld.Tlds.getTldsOfType;

 import com.google.cloud.tasks.v2.Task;
 import com.google.common.collect.ArrayListMultimap;
@@ -140,13 +140,25 @@ public final class TldFanoutAction implements Runnable {
    for (String tld : tlds) {
      Task task = createTask(tld, flowThruParams);
      Task createdTask = cloudTasksUtils.enqueue(queue, task);
-      outputPayload.append(
-          String.format(
-              "- Task: '%s', tld: '%s', endpoint: '%s'\n",
-              createdTask.getName(), tld, createdTask.getAppEngineHttpRequest().getRelativeUri()));
-      logger.atInfo().log(
-          "Task: '%s', tld: '%s', endpoint: '%s'.",
-          createdTask.getName(), tld, createdTask.getAppEngineHttpRequest().getRelativeUri());
+      if (createdTask.hasAppEngineHttpRequest()) {
+        outputPayload.append(
+            String.format(
+                "- Task: '%s', tld: '%s', endpoint: '%s'\n",
+                createdTask.getName(),
+                tld,
+                createdTask.getAppEngineHttpRequest().getRelativeUri()));
+        logger.atInfo().log(
+            "Task: '%s', tld: '%s', endpoint: '%s'.",
+            createdTask.getName(), tld, createdTask.getAppEngineHttpRequest().getRelativeUri());
+      } else {
+        outputPayload.append(
+            String.format(
+                "- Task: '%s', tld: '%s', endpoint: '%s'\n",
+                createdTask.getName(), tld, createdTask.getHttpRequest().getUrl()));
+        logger.atInfo().log(
+            "Task: '%s', tld: '%s', endpoint: '%s'.",
+            createdTask.getName(), tld, createdTask.getHttpRequest().getUrl());
+      }
    }
    response.setContentType(PLAIN_TEXT_UTF_8);
    response.setPayload(outputPayload.toString());
--- a/core/src/main/java/google/registry/dns/DnsConstants.java
+++ b/core/src/main/java/google/registry/dns/DnsConstants.java
@@ -1,41 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.dns;
-
-/** Static class for DNS-related constants. */
-public class DnsConstants {
-  private DnsConstants() {}
-
-  /** The name of the DNS pull queue. */
-  public static final String DNS_PULL_QUEUE_NAME = "dns-pull";  // See queue.xml.
-
-  /** The name of the DNS publish push queue. */
-  public static final String DNS_PUBLISH_PUSH_QUEUE_NAME = "dns-publish";  // See queue.xml.
-
-  /** The parameter to use for storing the target type ("domain" or "host" or "zone"). */
-  public static final String DNS_TARGET_TYPE_PARAM = "Target-Type";
-
-  /** The parameter to use for storing the target name (domain or host name) with the task. */
-  public static final String DNS_TARGET_NAME_PARAM = "Target-Name";
-
-  /** The parameter to use for storing the creation time with the task. */
-  public static final String DNS_TARGET_CREATE_TIME_PARAM = "Create-Time";
-
-  /** The possible values of the {@code DNS_TARGET_TYPE_PARAM} parameter. */
-  public enum TargetType {
-    DOMAIN,
-    HOST
-  }
-}
--- a/core/src/main/java/google/registry/dns/DnsModule.java
+++ b/core/src/main/java/google/registry/dns/DnsModule.java
@@ -14,8 +14,6 @@

 package google.registry.dns;

-import static google.registry.dns.DnsConstants.DNS_PUBLISH_PUSH_QUEUE_NAME;
-import static google.registry.dns.DnsConstants.DNS_PULL_QUEUE_NAME;
 import static google.registry.dns.RefreshDnsOnHostRenameAction.PARAM_HOST_KEY;
 import static google.registry.request.RequestParameters.extractEnumParameter;
 import static google.registry.request.RequestParameters.extractIntParameter;
@@ -24,20 +22,17 @@ import static google.registry.request.RequestParameters.extractOptionalParameter
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 import static google.registry.request.RequestParameters.extractSetOfParameters;

-import com.google.appengine.api.taskqueue.Queue;
-import com.google.appengine.api.taskqueue.QueueFactory;
 import com.google.common.hash.HashFunction;
 import com.google.common.hash.Hashing;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.dns.DnsConstants.TargetType;
+import google.registry.dns.DnsUtils.TargetType;
 import google.registry.dns.writer.DnsWriterZone;
 import google.registry.request.Parameter;
 import google.registry.request.RequestParameters;
 import java.util.Optional;
 import java.util.Set;
-import javax.inject.Named;
 import javax.servlet.http.HttpServletRequest;
 import org.joda.time.DateTime;

@@ -71,18 +66,6 @@ public abstract class DnsModule {
    return Hashing.murmur3_32_fixed();
  }

-  @Provides
-  @Named(DNS_PULL_QUEUE_NAME)
-  static Queue provideDnsPullQueue() {
-    return QueueFactory.getQueue(DNS_PULL_QUEUE_NAME);
-  }
-
-  @Provides
-  @Named(DNS_PUBLISH_PUSH_QUEUE_NAME)
-  static Queue provideDnsUpdatePushQueue() {
-    return QueueFactory.getQueue(DNS_PUBLISH_PUSH_QUEUE_NAME);
-  }
-
  @Provides
  @Parameter(PARAM_PUBLISH_TASK_ENQUEUED)
  static DateTime provideCreateTime(HttpServletRequest req) {
--- a/core/src/main/java/google/registry/dns/DnsQueue.java
+++ b/core/src/main/java/google/registry/dns/DnsQueue.java
@@ -1,170 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.dns;
-
-import static com.google.appengine.api.taskqueue.QueueFactory.getQueue;
-import static com.google.common.base.Preconditions.checkArgument;
-import static google.registry.dns.DnsConstants.DNS_PULL_QUEUE_NAME;
-import static google.registry.dns.DnsConstants.DNS_TARGET_CREATE_TIME_PARAM;
-import static google.registry.dns.DnsConstants.DNS_TARGET_NAME_PARAM;
-import static google.registry.dns.DnsConstants.DNS_TARGET_TYPE_PARAM;
-import static google.registry.model.tld.Registries.assertTldExists;
-import static google.registry.request.RequestParameters.PARAM_TLD;
-import static google.registry.util.DomainNameUtils.getTldFromDomainName;
-import static java.util.concurrent.TimeUnit.MILLISECONDS;
-
-import com.google.appengine.api.taskqueue.Queue;
-import com.google.appengine.api.taskqueue.QueueConstants;
-import com.google.appengine.api.taskqueue.TaskHandle;
-import com.google.appengine.api.taskqueue.TaskOptions;
-import com.google.appengine.api.taskqueue.TaskOptions.Method;
-import com.google.appengine.api.taskqueue.TransientFailureException;
-import com.google.apphosting.api.DeadlineExceededException;
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.ImmutableList;
-import com.google.common.flogger.FluentLogger;
-import com.google.common.net.InternetDomainName;
-import com.google.common.util.concurrent.RateLimiter;
-import google.registry.config.RegistryConfig;
-import google.registry.dns.DnsConstants.TargetType;
-import google.registry.model.tld.Registries;
-import google.registry.util.Clock;
-import google.registry.util.NonFinalForTesting;
-import java.util.List;
-import java.util.Optional;
-import java.util.logging.Level;
-import javax.inject.Inject;
-import javax.inject.Named;
-import org.joda.time.Duration;
-
-/**
- * Methods for manipulating the queue used for DNS write tasks.
- *
- * <p>This includes a {@link RateLimiter} to limit the {@link Queue#leaseTasks} call rate to 9 QPS,
- * to stay under the 10 QPS limit for this function.
- *
- * <p>Note that overlapping calls to {@link ReadDnsQueueAction} (the only place where {@link
- * DnsQueue#leaseTasks} is used) will have different rate limiters, so they could exceed the allowed
- * rate. This should be rare though - because {@link DnsQueue#leaseTasks} is only used in {@link
- * ReadDnsQueueAction}, which is run as a cron job with running time shorter than the cron repeat
- * time - meaning there should never be two instances running at once.
- *
- * @see RegistryConfig.ConfigModule#provideReadDnsRefreshRequestsRuntime()
- */
-public class DnsQueue {
-
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  private final Queue queue;
-
-  final Clock clock;
-
-  // Queue.leaseTasks is limited to 10 requests per second as per
-  // https://cloud.google.com/appengine/docs/standard/java/javadoc/com/google/appengine/api/taskqueue/Queue.html
-  // "If you generate more than 10 LeaseTasks requests per second, only the first 10 requests will
-  // return results. The others will return no results."
-  private static final RateLimiter rateLimiter = RateLimiter.create(9);
-
-  @Inject
-  DnsQueue(@Named(DNS_PULL_QUEUE_NAME) Queue queue, Clock clock) {
-    this.queue = queue;
-    this.clock = clock;
-  }
-
-  Clock getClock() {
-    return clock;
-  }
-
-  @VisibleForTesting
-  public static DnsQueue createForTesting(Clock clock) {
-    return new DnsQueue(getQueue(DNS_PULL_QUEUE_NAME), clock);
-  }
-
-  @NonFinalForTesting
-  @VisibleForTesting
-  long leaseTasksBatchSize = QueueConstants.maxLeaseCount();
-
-  /** Enqueues the given task type with the given target name to the DNS queue. */
-  private TaskHandle addToQueue(
-      TargetType targetType, String targetName, String tld, Duration countdown) {
-    logger.atInfo().log(
-        "Adding task type=%s, target=%s, tld=%s to pull queue %s (%d tasks currently on queue).",
-        targetType, targetName, tld, DNS_PULL_QUEUE_NAME, queue.fetchStatistics().getNumTasks());
-    return queue.add(
-        TaskOptions.Builder.withDefaults()
-            .method(Method.PULL)
-            .countdownMillis(countdown.getMillis())
-            .param(DNS_TARGET_TYPE_PARAM, targetType.toString())
-            .param(DNS_TARGET_NAME_PARAM, targetName)
-            .param(DNS_TARGET_CREATE_TIME_PARAM, clock.nowUtc().toString())
-            .param(PARAM_TLD, tld));
-  }
-
-  /** Adds a task to the queue to refresh the DNS information for the specified subordinate host. */
-  TaskHandle addHostRefreshTask(String hostName) {
-    Optional<InternetDomainName> tld = Registries.findTldForName(InternetDomainName.from(hostName));
-    checkArgument(
-        tld.isPresent(), String.format("%s is not a subordinate host to a known tld", hostName));
-    return addToQueue(TargetType.HOST, hostName, tld.get().toString(), Duration.ZERO);
-  }
-
-  /** Enqueues a task to refresh DNS for the specified domain now. */
-  TaskHandle addDomainRefreshTask(String domainName) {
-    return addDomainRefreshTask(domainName, Duration.ZERO);
-  }
-
-  /** Enqueues a task to refresh DNS for the specified domain at some point in the future. */
-  TaskHandle addDomainRefreshTask(String domainName, Duration countdown) {
-    return addToQueue(
-        TargetType.DOMAIN,
-        domainName,
-        assertTldExists(getTldFromDomainName(domainName)),
-        countdown);
-  }
-
-  /**
-   * Returns the maximum number of tasks that can be leased with {@link #leaseTasks}.
-   *
-   * <p>If this many tasks are returned, then there might be more tasks still waiting in the queue.
-   *
-   * <p>If less than this number of tasks are returned, then there are no more items in the queue.
-   */
-  public long getLeaseTasksBatchSize() {
-    return leaseTasksBatchSize;
-  }
-
-  /** Returns handles for a batch of tasks, leased for the specified duration. */
-  public List<TaskHandle> leaseTasks(Duration leaseDuration) {
-    try {
-      rateLimiter.acquire();
-      int numTasks = queue.fetchStatistics().getNumTasks();
-      logger.at((numTasks >= leaseTasksBatchSize) ? Level.WARNING : Level.INFO).log(
-          "There are %d tasks in the DNS queue '%s'.", numTasks, DNS_PULL_QUEUE_NAME);
-      return queue.leaseTasks(leaseDuration.getMillis(), MILLISECONDS, leaseTasksBatchSize);
-    } catch (TransientFailureException | DeadlineExceededException e) {
-      logger.atSevere().withCause(e).log("Failed leasing tasks too fast.");
-      return ImmutableList.of();
-    }
-  }
-
-  /** Delete a list of tasks, removing them from the queue permanently. */
-  public void deleteTasks(List<TaskHandle> tasks) {
-    try {
-      queue.deleteTask(tasks);
-    } catch (TransientFailureException | DeadlineExceededException e) {
-      logger.atSevere().withCause(e).log("Failed deleting tasks too fast.");
-    }
-  }
-}
--- a/core/src/main/java/google/registry/dns/DnsUtils.java
+++ b/core/src/main/java/google/registry/dns/DnsUtils.java
@@ -17,62 +17,73 @@ package google.registry.dns;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;

+import com.google.common.collect.ImmutableCollection;
 import com.google.common.collect.ImmutableList;
 import com.google.common.net.InternetDomainName;
-import google.registry.dns.DnsConstants.TargetType;
-import google.registry.model.common.DatabaseMigrationStateSchedule;
-import google.registry.model.common.DatabaseMigrationStateSchedule.MigrationState;
 import google.registry.model.common.DnsRefreshRequest;
-import google.registry.model.tld.Registries;
 import google.registry.model.tld.Tld;
+import google.registry.model.tld.Tlds;
 import java.util.Collection;
 import java.util.Optional;
-import javax.inject.Inject;
 import org.joda.time.DateTime;
 import org.joda.time.Duration;

 /** Utility class to handle DNS refresh requests. */
-// TODO: Make this a static util function once we are done with the DNS pull queue migration.
-public class DnsUtils {
+public final class DnsUtils {

-  private final DnsQueue dnsQueue;
+  /** The name of the DNS publish push queue. */
+  public static final String DNS_PUBLISH_PUSH_QUEUE_NAME = "dns-publish"; // See queue.xml.

-  @Inject
-  DnsUtils(DnsQueue dnsQueue) {
-    this.dnsQueue = dnsQueue;
-  }
+  private DnsUtils() {}

-  private void requestDnsRefresh(String name, TargetType type, Duration delay) {
+  private static void requestDnsRefresh(String name, TargetType type, Duration delay) {
+    tm().assertInTransaction();
    // Throws an IllegalArgumentException if the name is not under a managed TLD -- we only update
    // DNS for names that are under our management.
-    String tld = Registries.findTldForNameOrThrow(InternetDomainName.from(name)).toString();
-    if (usePullQueue()) {
-      if (TargetType.HOST.equals(type)) {
-        dnsQueue.addHostRefreshTask(name);
-      } else {
-        dnsQueue.addDomainRefreshTask(name, delay);
-      }
-    } else {
-      tm().transact(
-              () ->
-                  tm().insert(
-                          new DnsRefreshRequest(
-                              type, name, tld, tm().getTransactionTime().plus(delay))));
-    }
+    String tld = Tlds.findTldForNameOrThrow(InternetDomainName.from(name)).toString();
+    tm().insert(new DnsRefreshRequest(type, name, tld, tm().getTransactionTime().plus(delay)));
  }

-  public void requestDomainDnsRefresh(String domainName, Duration delay) {
+  private static void requestDnsRefresh(
+      ImmutableCollection<String> names, TargetType type, Duration delay) {
+    tm().assertInTransaction();
+    DateTime requestTime = tm().getTransactionTime().plus(delay);
+    tm().insertAll(
+            names.stream()
+                .map(
+                    name ->
+                        new DnsRefreshRequest(
+                            type,
+                            name,
+                            Tlds.findTldForNameOrThrow(InternetDomainName.from(name)).toString(),
+                            requestTime))
+                .collect(toImmutableList()));
+  }
+
+  public static void requestDomainDnsRefresh(String domainName, Duration delay) {
    requestDnsRefresh(domainName, TargetType.DOMAIN, delay);
  }

-  public void requestDomainDnsRefresh(String domainName) {
+  public static void requestDomainDnsRefresh(ImmutableCollection<String> names, Duration delay) {
+    requestDnsRefresh(names, TargetType.DOMAIN, delay);
+  }
+
+  public static void requestDomainDnsRefresh(String domainName) {
    requestDomainDnsRefresh(domainName, Duration.ZERO);
  }

-  public void requestHostDnsRefresh(String hostName) {
+  public static void requestDomainDnsRefresh(ImmutableCollection<String> names) {
+    requestDomainDnsRefresh(names, Duration.ZERO);
+  }
+
+  public static void requestHostDnsRefresh(String hostName) {
    requestDnsRefresh(hostName, TargetType.HOST, Duration.ZERO);
  }

+  public static void requestHostDnsRefresh(ImmutableCollection<String> hostNames) {
+    requestDnsRefresh(hostNames, TargetType.HOST, Duration.ZERO);
+  }
+
  /**
   * Returns pending DNS update requests that need further processing up to batch size, in ascending
   * order of their request time, and updates their processing time to now.
@@ -85,7 +96,7 @@ public class DnsUtils {
   *   <li>The last time they were processed is before the cooldown period.
   * </ul>
   */
-  public ImmutableList<DnsRefreshRequest> readAndUpdateRequestsWithLatestProcessTime(
+  public static ImmutableList<DnsRefreshRequest> readAndUpdateRequestsWithLatestProcessTime(
      String tld, Duration cooldown, int batchSize) {
    return tm().transact(
            () -> {
@@ -105,7 +116,7 @@ public class DnsUtils {
                      // queued up for publishing, not when it is actually published by the DNS
                      // writer. This timestamp acts as a cooldown so the same request will not be
                      // retried too frequently. See DnsRefreshRequest.getLastProcessTime for a
-                      // detailed explaination.
+                      // detailed explanation.
                      .map(e -> e.updateProcessTime(transactionTime))
                      .collect(toImmutableList());
              tm().updateAll(requests);
@@ -119,7 +130,7 @@ public class DnsUtils {
   * <p>Note that if a request entity has already been deleted, the method still succeeds without
   * error because all we care about is that it no longer exists after the method runs.
   */
-  public void deleteRequests(Collection<DnsRefreshRequest> requests) {
+  public static void deleteRequests(Collection<DnsRefreshRequest> requests) {
    tm().transact(
            () ->
                tm().delete(
@@ -129,7 +140,7 @@ public class DnsUtils {
  }

  public static long getDnsAPlusAAAATtlForHost(String host, Duration dnsDefaultATtl) {
-    Optional<InternetDomainName> tldName = Registries.findTldForName(InternetDomainName.from(host));
+    Optional<InternetDomainName> tldName = Tlds.findTldForName(InternetDomainName.from(host));
    Duration dnsAPlusAaaaTtl = dnsDefaultATtl;
    if (tldName.isPresent()) {
      Tld tld = Tld.get(tldName.get().toString());
@@ -140,8 +151,9 @@ public class DnsUtils {
    return dnsAPlusAaaaTtl.getStandardSeconds();
  }

-  private boolean usePullQueue() {
-    return !DatabaseMigrationStateSchedule.getValueAtTime(dnsQueue.getClock().nowUtc())
-        .equals(MigrationState.DNS_SQL);
+  /** The possible values of the {@code DNS_TARGET_TYPE_PARAM} parameter. */
+  public enum TargetType {
+    DOMAIN,
+    HOST
  }
 }
--- a/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java
+++ b/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java
@@ -15,7 +15,6 @@
 package google.registry.dns;

 import static com.google.common.collect.ImmutableList.toImmutableList;
-import static google.registry.dns.DnsConstants.DNS_PUBLISH_PUSH_QUEUE_NAME;
 import static google.registry.dns.DnsModule.PARAM_DNS_WRITER;
 import static google.registry.dns.DnsModule.PARAM_DOMAINS;
 import static google.registry.dns.DnsModule.PARAM_HOSTS;
@@ -23,7 +22,11 @@ import static google.registry.dns.DnsModule.PARAM_LOCK_INDEX;
 import static google.registry.dns.DnsModule.PARAM_NUM_PUBLISH_LOCKS;
 import static google.registry.dns.DnsModule.PARAM_PUBLISH_TASK_ENQUEUED;
 import static google.registry.dns.DnsModule.PARAM_REFRESH_REQUEST_TIME;
+import static google.registry.dns.DnsUtils.DNS_PUBLISH_PUSH_QUEUE_NAME;
+import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
+import static google.registry.dns.DnsUtils.requestHostDnsRefresh;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLD;
 import static google.registry.util.CollectionUtils.nullToEmpty;
@@ -32,6 +35,7 @@ import static javax.servlet.http.HttpServletResponse.SC_ACCEPTED;
 import com.google.common.base.Joiner;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMultimap;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.InternetDomainName;
 import dagger.Lazy;
@@ -85,7 +89,6 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {

  private static final FluentLogger logger = FluentLogger.forEnclosingClass();

-  private final DnsUtils dnsUtils;
  private final DnsWriterProxy dnsWriterProxy;
  private final DnsMetrics dnsMetrics;
  private final Duration timeout;
@@ -94,10 +97,10 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
  /**
   * The DNS writer to use for this batch.
   *
-   * <p>This comes from the fanout in {@link ReadDnsQueueAction} which dispatches each batch to be
-   * published by each DNS writer on the TLD. So this field contains the value of one of the DNS
-   * writers configured in {@link Tld#getDnsWriters()}, as of the time the batch was written out
-   * (and not necessarily currently).
+   * <p>This comes from the fanout in {@link ReadDnsRefreshRequestsAction} which dispatches each
+   * batch to be published by each DNS writer on the TLD. So this field contains the value of one of
+   * the DNS writers configured in {@link Tld#getDnsWriters()}, as of the time the batch was written
+   * out (and not necessarily currently).
   */
  private final String dnsWriter;

@@ -139,7 +142,6 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
      @Config("gSuiteOutgoingEmailAddress") InternetAddress gSuiteOutgoingEmailAddress,
      @Header(APP_ENGINE_RETRY_HEADER) Optional<Integer> appEngineRetryCount,
      @Header(CLOUD_TASKS_RETRY_HEADER) Optional<Integer> cloudTasksRetryCount,
-      DnsUtils dnsUtils,
      DnsWriterProxy dnsWriterProxy,
      DnsMetrics dnsMetrics,
      LockHandler lockHandler,
@@ -147,12 +149,11 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
      CloudTasksUtils cloudTasksUtils,
      SendEmailService sendEmailService,
      Response response) {
-    this.dnsUtils = dnsUtils;
    this.dnsWriterProxy = dnsWriterProxy;
    this.dnsMetrics = dnsMetrics;
    this.timeout = timeout;
    this.sendEmailService = sendEmailService;
-    this.retryCount =
+    retryCount =
        cloudTasksRetryCount.orElse(
            appEngineRetryCount.orElseThrow(
                () -> new IllegalStateException("Missing a valid retry count header")));
@@ -276,7 +277,7 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
    return null;
  }

-  private InternetAddress emailToInternetAddress(String email) {
+  private static InternetAddress emailToInternetAddress(String email) {
    try {
      return new InternetAddress(email, true);
    } catch (Exception e) {
@@ -306,7 +307,7 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
          registrar.get().getContacts().stream()
              .filter(c -> c.getTypes().contains(RegistrarPoc.Type.ADMIN))
              .map(RegistrarPoc::getEmailAddress)
-              .map(this::emailToInternetAddress)
+              .map(PublishDnsUpdatesAction::emailToInternetAddress)
              .collect(toImmutableList());

      sendEmailService.sendEmail(
@@ -355,12 +356,11 @@ public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
  /** Adds all the domains and hosts in the batch back to the queue to be processed later. */
  private void requeueBatch() {
    logger.atInfo().log("Requeueing batch for retry.");
-    for (String domain : nullToEmpty(domains)) {
-      dnsUtils.requestDomainDnsRefresh(domain);
-    }
-    for (String host : nullToEmpty(hosts)) {
-      dnsUtils.requestHostDnsRefresh(host);
-    }
+    tm().transact(
+            () -> {
+              requestDomainDnsRefresh(ImmutableSet.copyOf(nullToEmpty(domains)));
+              requestHostDnsRefresh(ImmutableSet.copyOf(nullToEmpty(hosts)));
+            });
  }

  /** Returns if the lock parameters are valid for this action. */
--- a/core/src/main/java/google/registry/dns/ReadDnsQueueAction.java
+++ b/core/src/main/java/google/registry/dns/ReadDnsQueueAction.java
@@ -1,401 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.dns;
-
-import static com.google.common.collect.ImmutableSetMultimap.toImmutableSetMultimap;
-import static com.google.common.collect.Sets.difference;
-import static google.registry.dns.DnsConstants.DNS_PUBLISH_PUSH_QUEUE_NAME;
-import static google.registry.dns.DnsConstants.DNS_TARGET_CREATE_TIME_PARAM;
-import static google.registry.dns.DnsConstants.DNS_TARGET_NAME_PARAM;
-import static google.registry.dns.DnsConstants.DNS_TARGET_TYPE_PARAM;
-import static google.registry.dns.DnsModule.PARAM_DNS_WRITER;
-import static google.registry.dns.DnsModule.PARAM_DOMAINS;
-import static google.registry.dns.DnsModule.PARAM_HOSTS;
-import static google.registry.dns.DnsModule.PARAM_LOCK_INDEX;
-import static google.registry.dns.DnsModule.PARAM_NUM_PUBLISH_LOCKS;
-import static google.registry.dns.DnsModule.PARAM_PUBLISH_TASK_ENQUEUED;
-import static google.registry.dns.DnsModule.PARAM_REFRESH_REQUEST_TIME;
-import static google.registry.request.RequestParameters.PARAM_TLD;
-import static google.registry.util.DomainNameUtils.getSecondLevelDomain;
-import static java.nio.charset.StandardCharsets.UTF_8;
-
-import com.google.appengine.api.taskqueue.TaskHandle;
-import com.google.auto.value.AutoValue;
-import com.google.cloud.tasks.v2.Task;
-import com.google.common.collect.ComparisonChain;
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableMultimap;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Iterables;
-import com.google.common.collect.Ordering;
-import com.google.common.flogger.FluentLogger;
-import com.google.common.hash.HashFunction;
-import com.google.common.hash.Hashing;
-import google.registry.batch.CloudTasksUtils;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.dns.DnsConstants.TargetType;
-import google.registry.model.tld.Registries;
-import google.registry.model.tld.Tld;
-import google.registry.request.Action;
-import google.registry.request.Action.Service;
-import google.registry.request.Parameter;
-import google.registry.request.auth.Auth;
-import google.registry.util.Clock;
-import java.io.UnsupportedEncodingException;
-import java.util.Collection;
-import java.util.Comparator;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.stream.Collectors;
-import javax.inject.Inject;
-import org.joda.time.DateTime;
-import org.joda.time.Duration;
-
-/**
- * Action for fanning out DNS refresh tasks by TLD, using data taken from the DNS pull queue.
- *
- * <h3>Parameters Reference</h3>
- *
- * <ul>
- *   <li>{@code jitterSeconds} Randomly delay each task by up to this many seconds.
- * </ul>
- */
-@Action(
-    service = Action.Service.BACKEND,
-    path = "/_dr/cron/readDnsQueue",
-    automaticallyPrintOk = true,
-    auth = Auth.AUTH_INTERNAL_OR_ADMIN)
-public final class ReadDnsQueueAction implements Runnable {
-
-  private static final String PARAM_JITTER_SECONDS = "jitterSeconds";
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  /**
-   * Buffer time since the end of this action until retriable tasks are available again.
-   *
-   * <p>We read batches of tasks from the queue in a loop. Any task that will need to be retried has
-   * to be kept out of the queue for the duration of this action - otherwise we will lease it again
-   * in a subsequent loop.
-   *
-   * <p>The 'requestedMaximumDuration' value is the maximum delay between the first and last calls
-   * to lease tasks, hence we want the lease duration to be (slightly) longer than that.
-   * LEASE_PADDING is the value we add to {@link #requestedMaximumDuration} to make sure the lease
-   * duration is indeed longer.
-   */
-  private static final Duration LEASE_PADDING = Duration.standardMinutes(1);
-
-  private final int tldUpdateBatchSize;
-  private final Duration requestedMaximumDuration;
-  private final Optional<Integer> jitterSeconds;
-  private final Clock clock;
-  private final DnsQueue dnsQueue;
-  private final HashFunction hashFunction;
-  private final CloudTasksUtils cloudTasksUtils;
-
-  @Inject
-  ReadDnsQueueAction(
-      @Config("dnsTldUpdateBatchSize") int tldUpdateBatchSize,
-      @Config("readDnsRefreshRequestsActionRuntime") Duration requestedMaximumDuration,
-      @Parameter(PARAM_JITTER_SECONDS) Optional<Integer> jitterSeconds,
-      Clock clock,
-      DnsQueue dnsQueue,
-      HashFunction hashFunction,
-      CloudTasksUtils cloudTasksUtils) {
-    this.tldUpdateBatchSize = tldUpdateBatchSize;
-    this.requestedMaximumDuration = requestedMaximumDuration;
-    this.jitterSeconds = jitterSeconds;
-    this.clock = clock;
-    this.dnsQueue = dnsQueue;
-    this.hashFunction = hashFunction;
-    this.cloudTasksUtils = cloudTasksUtils;
-  }
-
-  /** Container for items we pull out of the DNS pull queue and process for fanout. */
-  @AutoValue
-  abstract static class RefreshItem implements Comparable<RefreshItem> {
-    static RefreshItem create(TargetType type, String name, DateTime creationTime) {
-      return new AutoValue_ReadDnsQueueAction_RefreshItem(type, name, creationTime);
-    }
-
-    abstract TargetType type();
-
-    abstract String name();
-
-    abstract DateTime creationTime();
-
-    @Override
-    public int compareTo(RefreshItem other) {
-      return ComparisonChain.start()
-          .compare(this.type(), other.type())
-          .compare(this.name(), other.name())
-          .compare(this.creationTime(), other.creationTime())
-          .result();
-    }
-  }
-
-  /** Leases all tasks from the pull queue and creates per-tld update actions for them. */
-  @Override
-  public void run() {
-    DateTime requestedEndTime = clock.nowUtc().plus(requestedMaximumDuration);
-    ImmutableSet<String> tlds = Registries.getTlds();
-    while (requestedEndTime.isAfterNow()) {
-      List<TaskHandle> tasks = dnsQueue.leaseTasks(requestedMaximumDuration.plus(LEASE_PADDING));
-      logger.atInfo().log("Leased %d DNS update tasks.", tasks.size());
-      if (!tasks.isEmpty()) {
-        dispatchTasks(ImmutableSet.copyOf(tasks), tlds);
-      }
-      if (tasks.size() < dnsQueue.getLeaseTasksBatchSize()) {
-        return;
-      }
-    }
-  }
-
-  /** A set of tasks grouped based on the action to take on them. */
-  @AutoValue
-  abstract static class ClassifiedTasks {
-
-    /**
-     * List of tasks we want to keep in the queue (want to retry in the future).
-     *
-     * <p>Normally, any task we lease from the queue will be deleted - either because we are going
-     * to process it now (these tasks are part of refreshItemsByTld), or because these tasks are
-     * "corrupt" in some way (don't parse, don't have the required parameters etc.).
-     *
-     * <p>Some tasks however are valid, but can't be processed at the moment. These tasks will be
-     * kept in the queue for future processing.
-     *
-     * <p>This includes tasks belonging to paused TLDs (which we want to process once the TLD is
-     * unpaused) and tasks belonging to (currently) unknown TLDs.
-     */
-    abstract ImmutableSet<TaskHandle> tasksToKeep();
-
-    /** The paused TLDs for which we found at least one refresh request. */
-    abstract ImmutableSet<String> pausedTlds();
-
-    /**
-     * The unknown TLDs for which we found at least one refresh request.
-     *
-     * <p>Unknown TLDs might have valid requests because the list of TLDs is heavily cached. Hence,
-     * when we add a new TLD - it is possible that some instances will not have that TLD in their
-     * list yet. We don't want to discard these tasks, so we wait a bit and retry them again.
-     *
-     * <p>This is less likely for production TLDs but is quite likely for test TLDs where we might
-     * create a TLD and then use it within seconds.
-     */
-    abstract ImmutableSet<String> unknownTlds();
-
-    /**
-     * All the refresh items we need to actually fulfill, grouped by TLD.
-     *
-     * <p>By default, the multimap is ordered - this can be changed with the builder.
-     *
-     * <p>The items for each TLD will be grouped together, and domains and hosts will be grouped
-     * within a TLD.
-     *
-     * <p>The grouping and ordering of domains and hosts is not technically necessary, but a
-     * predictable ordering makes it possible to write detailed tests.
-     */
-    abstract ImmutableSetMultimap<String, RefreshItem> refreshItemsByTld();
-
-    static Builder builder() {
-      Builder builder = new AutoValue_ReadDnsQueueAction_ClassifiedTasks.Builder();
-      builder
-          .refreshItemsByTldBuilder()
-          .orderKeysBy(Ordering.natural())
-          .orderValuesBy(Ordering.natural());
-      return builder;
-    }
-
-    @AutoValue.Builder
-    abstract static class Builder {
-      abstract ImmutableSet.Builder<TaskHandle> tasksToKeepBuilder();
-      abstract ImmutableSet.Builder<String> pausedTldsBuilder();
-      abstract ImmutableSet.Builder<String> unknownTldsBuilder();
-      abstract ImmutableSetMultimap.Builder<String, RefreshItem> refreshItemsByTldBuilder();
-
-      abstract ClassifiedTasks build();
-    }
-  }
-
-  /**
-   * Creates per-tld update actions for tasks leased from the pull queue.
-   *
-   * <p>Will return "irrelevant" tasks to the queue for future processing. "Irrelevant" tasks are
-   * tasks for paused TLDs or tasks for TLDs not part of {@link Registries#getTlds()}.
-   */
-  private void dispatchTasks(ImmutableSet<TaskHandle> tasks, ImmutableSet<String> tlds) {
-    ClassifiedTasks classifiedTasks = classifyTasks(tasks, tlds);
-    if (!classifiedTasks.pausedTlds().isEmpty()) {
-      logger.atInfo().log(
-          "The dns-pull queue is paused for TLDs: %s.", classifiedTasks.pausedTlds());
-    }
-    if (!classifiedTasks.unknownTlds().isEmpty()) {
-      logger.atWarning().log(
-          "The dns-pull queue has unknown TLDs: %s.", classifiedTasks.unknownTlds());
-    }
-    bucketRefreshItems(classifiedTasks.refreshItemsByTld());
-    if (!classifiedTasks.tasksToKeep().isEmpty()) {
-      logger.atWarning().log(
-          "Keeping %d DNS update tasks in the queue.", classifiedTasks.tasksToKeep().size());
-    }
-    // Delete the tasks we don't want to see again from the queue.
-    //
-    // tasksToDelete includes both the tasks that we already fulfilled in this call (were part of
-    // refreshItemsByTld) and "corrupt" tasks we weren't able to parse correctly (this shouldn't
-    // happen, and we logged a "severe" error)
-    //
-    // We let the lease on the rest of the tasks (the tasks we want to keep) expire on its own. The
-    // reason we don't release these tasks back to the queue immediately is that we are going to
-    // immediately read another batch of tasks from the queue - and we don't want to get the same
-    // tasks again.
-    ImmutableSet<TaskHandle> tasksToDelete =
-        difference(tasks, classifiedTasks.tasksToKeep()).immutableCopy();
-    logger.atInfo().log("Removing %d DNS update tasks from the queue.", tasksToDelete.size());
-    dnsQueue.deleteTasks(tasksToDelete.asList());
-    logger.atInfo().log("Done processing DNS tasks.");
-  }
-
-  /**
-   * Classifies the given tasks based on what action we need to take on them.
-   *
-   * <p>Note that some tasks might appear in multiple categories (if multiple actions are to be
-   * taken on them) or in no category (if no action is to be taken on them)
-   */
-  private static ClassifiedTasks classifyTasks(
-      ImmutableSet<TaskHandle> tasks, ImmutableSet<String> tlds) {
-
-    ClassifiedTasks.Builder classifiedTasksBuilder = ClassifiedTasks.builder();
-
-    // Read all tasks on the DNS pull queue and load them into the refresh item multimap.
-    for (TaskHandle task : tasks) {
-      try {
-        Map<String, String> params = ImmutableMap.copyOf(task.extractParams());
-        DateTime creationTime = DateTime.parse(params.get(DNS_TARGET_CREATE_TIME_PARAM));
-        String tld = params.get(PARAM_TLD);
-        if (tld == null) {
-          logger.atSevere().log(
-              "Discarding invalid DNS refresh request %s; no TLD specified.", task);
-        } else if (!tlds.contains(tld)) {
-          classifiedTasksBuilder.tasksToKeepBuilder().add(task);
-          classifiedTasksBuilder.unknownTldsBuilder().add(tld);
-        } else if (Tld.get(tld).getDnsPaused()) {
-          classifiedTasksBuilder.tasksToKeepBuilder().add(task);
-          classifiedTasksBuilder.pausedTldsBuilder().add(tld);
-        } else {
-          String typeString = params.get(DNS_TARGET_TYPE_PARAM);
-          String name = params.get(DNS_TARGET_NAME_PARAM);
-          TargetType type = TargetType.valueOf(typeString);
-          switch (type) {
-            case DOMAIN:
-            case HOST:
-              classifiedTasksBuilder
-                  .refreshItemsByTldBuilder()
-                  .put(tld, RefreshItem.create(type, name, creationTime));
-              break;
-            default:
-              logger.atSevere().log(
-                  "Discarding DNS refresh request %s of type %s.", task, typeString);
-              break;
-          }
-        }
-      } catch (RuntimeException | UnsupportedEncodingException e) {
-        logger.atSevere().withCause(e).log("Discarding invalid DNS refresh request %s.", task);
-      }
-    }
-    return classifiedTasksBuilder.build();
-  }
-
-  /**
-   * Subdivides the tld to {@link RefreshItem} multimap into buckets by lock index, if applicable.
-   *
-   * <p>If the tld has numDnsPublishLocks <= 1, we enqueue all updates on the default lock 1 of 1.
-   */
-  private void bucketRefreshItems(ImmutableSetMultimap<String, RefreshItem> refreshItemsByTld) {
-    // Loop through the multimap by TLD and generate refresh tasks for the hosts and domains for
-    // each configured DNS writer.
-    for (Map.Entry<String, Collection<RefreshItem>> tldRefreshItemsEntry
-        : refreshItemsByTld.asMap().entrySet()) {
-      String tld = tldRefreshItemsEntry.getKey();
-      int numPublishLocks = Tld.get(tld).getNumDnsPublishLocks();
-      // 1 lock or less implies no TLD-wide locks, simply enqueue everything under lock 1 of 1
-      if (numPublishLocks <= 1) {
-        enqueueUpdates(tld, 1, 1, tldRefreshItemsEntry.getValue());
-      } else {
-        tldRefreshItemsEntry.getValue().stream()
-            .collect(
-                toImmutableSetMultimap(
-                    refreshItem -> getLockIndex(tld, numPublishLocks, refreshItem),
-                    refreshItem -> refreshItem))
-            .asMap()
-            .forEach((key, value) -> enqueueUpdates(tld, key, numPublishLocks, value));
-      }
-    }
-  }
-
-  /**
-   * Returns the lock index for a given refreshItem.
-   *
-   * <p>We hash the second level domain for all records, to group in-bailiwick hosts (the only ones
-   * we refresh DNS for) with their superordinate domains. We use consistent hashing to determine
-   * the lock index because it gives us [0,N) bucketing properties out of the box, then add 1 to
-   * make indexes within [1,N].
-   */
-  private int getLockIndex(String tld, int numPublishLocks, RefreshItem refreshItem) {
-    String domain = getSecondLevelDomain(refreshItem.name(), tld);
-    return Hashing.consistentHash(hashFunction.hashString(domain, UTF_8), numPublishLocks) + 1;
-  }
-
-  /**
-   * Creates DNS refresh tasks for all writers for the tld within a lock index and batches large
-   * updates into smaller chunks.
-   */
-  private void enqueueUpdates(
-      String tld, int lockIndex, int numPublishLocks, Collection<RefreshItem> items) {
-    for (List<RefreshItem> chunk : Iterables.partition(items, tldUpdateBatchSize)) {
-      DateTime earliestCreateTime =
-          chunk.stream().map(RefreshItem::creationTime).min(Comparator.naturalOrder()).get();
-      for (String dnsWriter : Tld.get(tld).getDnsWriters()) {
-        Task task =
-            cloudTasksUtils.createPostTaskWithJitter(
-                PublishDnsUpdatesAction.PATH,
-                Service.BACKEND,
-                ImmutableMultimap.<String, String>builder()
-                    .put(PARAM_TLD, tld)
-                    .put(PARAM_DNS_WRITER, dnsWriter)
-                    .put(PARAM_LOCK_INDEX, Integer.toString(lockIndex))
-                    .put(PARAM_NUM_PUBLISH_LOCKS, Integer.toString(numPublishLocks))
-                    .put(PARAM_PUBLISH_TASK_ENQUEUED, clock.nowUtc().toString())
-                    .put(PARAM_REFRESH_REQUEST_TIME, earliestCreateTime.toString())
-                    .put(
-                        PARAM_DOMAINS,
-                        chunk.stream()
-                            .filter(item -> item.type() == TargetType.DOMAIN)
-                            .map(RefreshItem::name)
-                            .collect(Collectors.joining(",")))
-                    .put(
-                        PARAM_HOSTS,
-                        chunk.stream()
-                            .filter(item -> item.type() == TargetType.HOST)
-                            .map(RefreshItem::name)
-                            .collect(Collectors.joining(",")))
-                    .build(),
-                jitterSeconds);
-        cloudTasksUtils.enqueue(DNS_PUBLISH_PUSH_QUEUE_NAME, task);
-      }
-    }
-  }
-}
--- a/core/src/main/java/google/registry/dns/ReadDnsRefreshRequestsAction.java
+++ b/core/src/main/java/google/registry/dns/ReadDnsRefreshRequestsAction.java
@@ -15,7 +15,6 @@
 package google.registry.dns;

 import static com.google.common.collect.ImmutableSetMultimap.toImmutableSetMultimap;
-import static google.registry.dns.DnsConstants.DNS_PUBLISH_PUSH_QUEUE_NAME;
 import static google.registry.dns.DnsModule.PARAM_DNS_JITTER_SECONDS;
 import static google.registry.dns.DnsModule.PARAM_DNS_WRITER;
 import static google.registry.dns.DnsModule.PARAM_DOMAINS;
@@ -24,6 +23,9 @@ import static google.registry.dns.DnsModule.PARAM_LOCK_INDEX;
 import static google.registry.dns.DnsModule.PARAM_NUM_PUBLISH_LOCKS;
 import static google.registry.dns.DnsModule.PARAM_PUBLISH_TASK_ENQUEUED;
 import static google.registry.dns.DnsModule.PARAM_REFRESH_REQUEST_TIME;
+import static google.registry.dns.DnsUtils.DNS_PUBLISH_PUSH_QUEUE_NAME;
+import static google.registry.dns.DnsUtils.deleteRequests;
+import static google.registry.dns.DnsUtils.readAndUpdateRequestsWithLatestProcessTime;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.request.RequestParameters.PARAM_TLD;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
@@ -39,7 +41,7 @@ import com.google.common.hash.HashFunction;
 import com.google.common.hash.Hashing;
 import google.registry.batch.CloudTasksUtils;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.dns.DnsConstants.TargetType;
+import google.registry.dns.DnsUtils.TargetType;
 import google.registry.model.common.DnsRefreshRequest;
 import google.registry.model.tld.Tld;
 import google.registry.request.Action;
@@ -72,7 +74,6 @@ public final class ReadDnsRefreshRequestsAction implements Runnable {
  private final Optional<Integer> jitterSeconds;
  private final String tld;
  private final Clock clock;
-  private final DnsUtils dnsUtils;
  private final HashFunction hashFunction;
  private final CloudTasksUtils cloudTasksUtils;

@@ -83,7 +84,6 @@ public final class ReadDnsRefreshRequestsAction implements Runnable {
      @Parameter(PARAM_DNS_JITTER_SECONDS) Optional<Integer> jitterSeconds,
      @Parameter(PARAM_TLD) String tld,
      Clock clock,
-      DnsUtils dnsUtils,
      HashFunction hashFunction,
      CloudTasksUtils cloudTasksUtils) {
    this.tldUpdateBatchSize = tldUpdateBatchSize;
@@ -91,7 +91,6 @@ public final class ReadDnsRefreshRequestsAction implements Runnable {
    this.jitterSeconds = jitterSeconds;
    this.tld = tld;
    this.clock = clock;
-    this.dnsUtils = dnsUtils;
    this.hashFunction = hashFunction;
    this.cloudTasksUtils = cloudTasksUtils;
  }
@@ -112,7 +111,7 @@ public final class ReadDnsRefreshRequestsAction implements Runnable {
    int processBatchSize = tldUpdateBatchSize * Tld.get(tld).getNumDnsPublishLocks();
    while (requestedEndTime.isAfter(clock.nowUtc())) {
      ImmutableList<DnsRefreshRequest> requests =
-          dnsUtils.readAndUpdateRequestsWithLatestProcessTime(
+          readAndUpdateRequestsWithLatestProcessTime(
              tld, requestedMaximumDuration, processBatchSize);
      logger.atInfo().log("Read %d DNS update requests for TLD %s.", requests.size(), tld);
      if (!requests.isEmpty()) {
@@ -138,7 +137,7 @@ public final class ReadDnsRefreshRequestsAction implements Runnable {
            (lockIndex, bucketedRequests) -> {
              try {
                enqueueUpdates(lockIndex, numPublishLocks, bucketedRequests);
-                dnsUtils.deleteRequests(bucketedRequests);
+                deleteRequests(bucketedRequests);
                logger.atInfo().log(
                    "Processed %d DNS update requests for TLD %s.", bucketedRequests.size(), tld);
              } catch (Exception e) {
--- a/core/src/main/java/google/registry/dns/RefreshDnsAction.java
+++ b/core/src/main/java/google/registry/dns/RefreshDnsAction.java
@@ -14,9 +14,12 @@

 package google.registry.dns;

+import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
+import static google.registry.dns.DnsUtils.requestHostDnsRefresh;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;

-import google.registry.dns.DnsConstants.TargetType;
+import google.registry.dns.DnsUtils.TargetType;
 import google.registry.model.EppResource;
 import google.registry.model.EppResource.ForeignKeyedEppResource;
 import google.registry.model.annotations.ExternalMessagingName;
@@ -39,7 +42,6 @@ import javax.inject.Inject;
 public final class RefreshDnsAction implements Runnable {

  private final Clock clock;
-  private final DnsUtils dnsUtils;
  private final String domainOrHostName;
  private final TargetType type;

@@ -47,12 +49,10 @@ public final class RefreshDnsAction implements Runnable {
  RefreshDnsAction(
      @Parameter("domainOrHostName") String domainOrHostName,
      @Parameter("type") TargetType type,
-      Clock clock,
-      DnsUtils dnsUtils) {
+      Clock clock) {
    this.domainOrHostName = domainOrHostName;
    this.type = type;
    this.clock = clock;
-    this.dnsUtils = dnsUtils;
  }

  @Override
@@ -60,18 +60,21 @@ public final class RefreshDnsAction implements Runnable {
    if (!domainOrHostName.contains(".")) {
      throw new BadRequestException("URL parameter 'name' must be fully qualified");
    }
-    switch (type) {
-      case DOMAIN:
-        loadAndVerifyExistence(Domain.class, domainOrHostName);
-        dnsUtils.requestDomainDnsRefresh(domainOrHostName);
-        break;
-      case HOST:
-        verifyHostIsSubordinate(loadAndVerifyExistence(Host.class, domainOrHostName));
-        dnsUtils.requestHostDnsRefresh(domainOrHostName);
-        break;
-      default:
-        throw new BadRequestException("Unsupported type: " + type);
-    }
+    tm().transact(
+            () -> {
+              switch (type) {
+                case DOMAIN:
+                  loadAndVerifyExistence(Domain.class, domainOrHostName);
+                  requestDomainDnsRefresh(domainOrHostName);
+                  break;
+                case HOST:
+                  verifyHostIsSubordinate(loadAndVerifyExistence(Host.class, domainOrHostName));
+                  requestHostDnsRefresh(domainOrHostName);
+                  break;
+                default:
+                  throw new BadRequestException("Unsupported type: " + type);
+              }
+            });
  }

  private <T extends EppResource & ForeignKeyedEppResource>
--- a/core/src/main/java/google/registry/dns/RefreshDnsOnHostRenameAction.java
+++ b/core/src/main/java/google/registry/dns/RefreshDnsOnHostRenameAction.java
@@ -14,6 +14,7 @@

 package google.registry.dns;

+import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.dns.RefreshDnsOnHostRenameAction.PATH;
 import static google.registry.model.EppResourceUtils.getLinkedDomainKeys;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
@@ -45,14 +46,11 @@ public class RefreshDnsOnHostRenameAction implements Runnable {

  private final VKey<Host> hostKey;
  private final Response response;
-  private final DnsUtils dnsUtils;

  @Inject
-  RefreshDnsOnHostRenameAction(
-      @Parameter(PARAM_HOST_KEY) String hostKey, Response response, DnsUtils dnsUtils) {
+  RefreshDnsOnHostRenameAction(@Parameter(PARAM_HOST_KEY) String hostKey, Response response) {
    this.hostKey = VKey.createEppVKeyFromString(hostKey);
    this.response = response;
-    this.dnsUtils = dnsUtils;
  }

  @Override
@@ -76,7 +74,7 @@ public class RefreshDnsOnHostRenameAction implements Runnable {
                    .stream()
                    .map(domainKey -> tm().loadByKey(domainKey))
                    .filter(Domain::shouldPublishToDns)
-                    .forEach(domain -> dnsUtils.requestDomainDnsRefresh(domain.getDomainName()));
+                    .forEach(domain -> requestDomainDnsRefresh(domain.getDomainName()));
              }

              if (!hostValid) {
--- a/core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriter.java
+++ b/core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriter.java
@@ -40,8 +40,8 @@ import google.registry.dns.writer.DnsWriterZone;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.secdns.DomainDsData;
 import google.registry.model.host.Host;
-import google.registry.model.tld.Registries;
 import google.registry.model.tld.Tld;
+import google.registry.model.tld.Tlds;
 import google.registry.util.Clock;
 import google.registry.util.Concurrent;
 import google.registry.util.Retrier;
@@ -248,7 +248,7 @@ public class CloudDnsWriter extends BaseDnsWriter {
  public void publishHost(String hostName) {
    // Get the superordinate domain name of the host.
    InternetDomainName host = InternetDomainName.from(hostName);
-    Optional<InternetDomainName> tld = Registries.findTldForName(host);
+    Optional<InternetDomainName> tld = Tlds.findTldForName(host);

    // Host not managed by our registry, no need to update DNS.
    if (!tld.isPresent()) {
--- a/core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriterModule.java
+++ b/core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriterModule.java
@@ -22,7 +22,7 @@ import dagger.Provides;
 import dagger.multibindings.IntoMap;
 import dagger.multibindings.IntoSet;
 import dagger.multibindings.StringKey;
-import google.registry.config.CredentialModule.DefaultCredential;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.dns.writer.DnsWriter;
 import google.registry.util.GoogleCredentialsBundle;
@@ -35,7 +35,7 @@ public abstract class CloudDnsWriterModule {

  @Provides
  static Dns provideDns(
-      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
+      @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId,
      @Config("cloudDnsRootUrl") Optional<String> rootUrl,
      @Config("cloudDnsServicePath") Optional<String> servicePath) {
--- a/core/src/main/java/google/registry/dns/writer/dnsupdate/DnsUpdateWriter.java
+++ b/core/src/main/java/google/registry/dns/writer/dnsupdate/DnsUpdateWriter.java
@@ -31,8 +31,8 @@ import google.registry.dns.writer.DnsWriterZone;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.secdns.DomainDsData;
 import google.registry.model.host.Host;
-import google.registry.model.tld.Registries;
 import google.registry.model.tld.Tld;
+import google.registry.model.tld.Tlds;
 import google.registry.util.Clock;
 import java.io.IOException;
 import java.net.Inet4Address;
@@ -154,7 +154,7 @@ public class DnsUpdateWriter extends BaseDnsWriter {
    // Get the superordinate domain name of the host.
    InternetDomainName host = InternetDomainName.from(hostName);
    ImmutableList<String> hostParts = host.parts();
-    Optional<InternetDomainName> tld = Registries.findTldForName(host);
+    Optional<InternetDomainName> tld = Tlds.findTldForName(host);

    // host not managed by our registry, no need to update DNS.
    if (!tld.isPresent()) {
--- a/core/src/main/java/google/registry/env/alpha/default/WEB-INF/cloud-scheduler-tasks.xml
+++ b/core/src/main/java/google/registry/env/alpha/default/WEB-INF/cloud-scheduler-tasks.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<taskentries>
+<entries>
  <task>
    <url>/_dr/task/rdeStaging</url>
    <name>rdeStaging</name>
@@ -129,16 +129,6 @@
    <schedule>0 5 * * *</schedule>
  </task>

-  <task>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <name>readDnsQueue</name>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>*/1 * * * *</schedule>
-  </task>
-
  <task>
    <url>
      <![CDATA[/_dr/cron/fanout?queue=dns-refresh&forEachRealTld&forEachTestTld&endpoint=/_dr/task/readDnsRefreshRequests&dnsJitterSeconds=45]]></url>
@@ -148,4 +138,4 @@
    </description>
    <schedule>*/1 * * * *</schedule>
  </task>
-</taskentries>
+</entries>
--- a/core/src/main/java/google/registry/env/common/backend/WEB-INF/web.xml
+++ b/core/src/main/java/google/registry/env/common/backend/WEB-INF/web.xml
@@ -151,12 +151,6 @@
    <url-pattern>/_dr/task/nordnVerify</url-pattern>
  </servlet-mapping>

-  <!-- Reads the DNS push and pull queues and kick off the appropriate tasks to update zone. -->
-  <servlet-mapping>
-    <servlet-name>backend-servlet</servlet-name>
-    <url-pattern>/_dr/cron/readDnsQueue</url-pattern>
-  </servlet-mapping>
-
  <!-- Reads the DNS refresh requests and kick off the appropriate tasks to update zone. -->
  <servlet-mapping>
    <servlet-name>backend-servlet</servlet-name>
--- a/core/src/main/java/google/registry/env/common/default/WEB-INF/cloud-tasks-queue.xml
+++ b/core/src/main/java/google/registry/env/common/default/WEB-INF/cloud-tasks-queue.xml
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entries>
+  <!-- Queue template with all supported params -->
+  <!-- More information - https://cloud.google.com/sdk/gcloud/reference/tasks/queues/create -->
+  <!--
+    <queue>
+      <name></name>
+      <max-attempts></max-attempts>
+      <max-backoff></max-backoff>
+      <max-concurrent-dispatches></max-concurrent-dispatches>
+      <max-dispatches-per-second></max-dispatches-per-second>
+      <max-doublings></max-doublings>
+      <max-retry-duration></max-retry-duration>
+      <min-backoff></min-backoff>
+    </queue>
+  -->
+
+  <!-- Queue for reading DNS update requests and batching them off to the dns-publish queue. -->
+  <queue>
+    <name>dns-refresh</name>
+    <max-dispatches-per-second>100</max-dispatches-per-second>
+  </queue>
+
+  <!-- Queue for publishing DNS updates in batches. -->
+  <queue>
+    <name>dns-publish</name>
+    <max-dispatches-per-second>100</max-dispatches-per-second>
+    <!-- 30 sec backoff increasing linearly up to 30 minutes. -->
+    <min-backoff>30s</min-backoff>
+    <max-backoff>1800s</max-backoff>
+    <max-doublings>0</max-doublings>
+  </queue>
+
+  <!-- Queue for uploading RDE deposits to the escrow provider. -->
+  <queue>
+    <name>rde-upload</name>
+    <max-dispatches-per-second>0.166666667</max-dispatches-per-second>
+    <max-concurrent-dispatches>5</max-concurrent-dispatches>
+    <max-retry-duration>14400s</max-retry-duration>
+  </queue>
+
+  <!-- Queue for uploading RDE reports to ICANN. -->
+  <queue>
+    <name>rde-report</name>
+    <max-dispatches-per-second>1</max-dispatches-per-second>
+    <max-concurrent-dispatches>1</max-concurrent-dispatches>
+    <max-retry-duration>14400s</max-retry-duration>
+  </queue>
+
+  <!-- Queue for copying BRDA deposits to GCS. -->
+  <queue>
+    <name>brda</name>
+    <max-dispatches-per-second>0.016666667</max-dispatches-per-second>
+    <max-concurrent-dispatches>10</max-concurrent-dispatches>
+    <max-retry-duration>82800s</max-retry-duration>
+  </queue>
+
+  <!-- Queue for tasks that trigger domain DNS update upon host rename. -->
+  <queue>
+    <name>async-host-rename</name>
+    <max-dispatches-per-second>1</max-dispatches-per-second>
+  </queue>
+
+  <!-- Queue for tasks that wait for a Beam pipeline to complete (i.e. Spec11 and invoicing). -->
+  <queue>
+    <name>beam-reporting</name>
+    <max-dispatches-per-second>0.016666667</max-dispatches-per-second>
+    <max-concurrent-dispatches>1</max-concurrent-dispatches>
+    <max-attempts>5</max-attempts>
+    <min-backoff>180s</min-backoff>
+    <max-backoff>180s</max-backoff>
+  </queue>
+
+
+  <!-- Queue for tasks that communicate with TMCH MarksDB webserver. -->
+  <queue>
+    <name>marksdb</name>
+    <max-dispatches-per-second>0.016666667</max-dispatches-per-second>
+    <max-concurrent-dispatches>1</max-concurrent-dispatches>
+    <max-retry-duration>39600s</max-retry-duration>  <!-- cron interval minus hour -->
+  </queue>
+
+  <!-- Queue for tasks to produce LORDN CSV reports, populated by a Cloud Scheduler fanout job. -->
+  <queue>
+    <name>nordn</name>
+    <max-dispatches-per-second>1</max-dispatches-per-second>
+    <max-concurrent-dispatches>10</max-concurrent-dispatches>
+    <max-retry-duration>39600s</max-retry-duration>  <!-- cron interval minus hour -->
+  </queue>
+
+  <!-- Queue for tasks that sync data to Google Spreadsheets. -->
+  <queue>
+    <name>sheet</name>
+    <max-dispatches-per-second>1</max-dispatches-per-second>
+    <!-- max-concurrent-dispatches is intentionally omitted. -->
+    <max-retry-duration>3600s</max-retry-duration>
+  </queue>
+
+  <!-- Queue for infrequent cron tasks (i.e. hourly or less often) that should retry three times on failure. -->
+  <queue>
+    <name>retryable-cron-tasks</name>
+    <max-dispatches-per-second>1</max-dispatches-per-second>
+    <max-attempts>3</max-attempts>
+  </queue>
+
+  <!--  &lt;!&ndash; Queue for async actions that should be run at some point in the future. &ndash;&gt;-->
+  <queue>
+    <name>async-actions</name>
+    <max-dispatches-per-second>1</max-dispatches-per-second>
+    <max-concurrent-dispatches>5</max-concurrent-dispatches>
+  </queue>
+
+</entries>
--- a/core/src/main/java/google/registry/env/common/default/WEB-INF/queue.xml
+++ b/core/src/main/java/google/registry/env/common/default/WEB-INF/queue.xml
@@ -1,123 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<queue-entries>
-
-  <queue>
-    <name>dns-pull</name>
-    <mode>pull</mode>
-  </queue>
-
-  <!-- Queue for reading DNS update requests and batching them off to the dns-publish queue. -->
-  <queue>
-    <name>dns-refresh</name>
-    <rate>100/s</rate>
-  </queue>
-
-  <!-- Queue for publishing DNS updates in batches. -->
-  <queue>
-    <name>dns-publish</name>
-    <rate>100/s</rate>
-    <bucket-size>100</bucket-size>
-    <!-- 30 sec backoff increasing linearly up to 30 minutes. -->
-    <retry-parameters>
-      <min-backoff-seconds>30</min-backoff-seconds>
-      <max-backoff-seconds>1800</max-backoff-seconds>
-      <max-doublings>0</max-doublings>
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for uploading RDE deposits to the escrow provider. -->
-  <queue>
-    <name>rde-upload</name>
-    <rate>10/m</rate>
-    <bucket-size>50</bucket-size>
-    <max-concurrent-requests>5</max-concurrent-requests>
-    <retry-parameters>
-      <task-age-limit>4h</task-age-limit>
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for uploading RDE reports to ICANN. -->
-  <queue>
-    <name>rde-report</name>
-    <rate>1/s</rate>
-    <max-concurrent-requests>1</max-concurrent-requests>
-    <retry-parameters>
-      <task-age-limit>4h</task-age-limit>
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for copying BRDA deposits to GCS. -->
-  <queue>
-    <name>brda</name>
-    <rate>1/m</rate>
-    <max-concurrent-requests>10</max-concurrent-requests>
-    <retry-parameters>
-      <task-age-limit>23h</task-age-limit>
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for tasks that trigger domain DNS update upon host rename. -->
-  <queue>
-    <name>async-host-rename</name>
-    <rate>1/s</rate>
-  </queue>
-
-  <!-- Queue for tasks that wait for a Beam pipeline to complete (i.e. Spec11 and invoicing). -->
-  <queue>
-    <name>beam-reporting</name>
-    <rate>1/m</rate>
-    <max-concurrent-requests>1</max-concurrent-requests>
-    <retry-parameters>
-      <task-retry-limit>5</task-retry-limit>
-      <min-backoff-seconds>180</min-backoff-seconds>
-      <max-backoff-seconds>180</max-backoff-seconds>
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for tasks that communicate with TMCH MarksDB webserver. -->
-  <queue>
-    <name>marksdb</name>
-    <rate>1/m</rate>
-    <max-concurrent-requests>1</max-concurrent-requests>
-    <retry-parameters>
-      <task-age-limit>11h</task-age-limit>  <!-- cron interval minus hour -->
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for tasks to produce LORDN CSV reports, populated by a Cloud Scheduler fanout job. -->
-  <queue>
-    <name>nordn</name>
-    <rate>1/s</rate>
-    <max-concurrent-requests>10</max-concurrent-requests>
-    <retry-parameters>
-      <task-age-limit>11h</task-age-limit>  <!-- cron interval minus hour -->
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for tasks that sync data to Google Spreadsheets. -->
-  <queue>
-    <name>sheet</name>
-    <rate>1/s</rate>
-    <!-- max-concurrent-requests is intentionally omitted. -->
-    <retry-parameters>
-      <task-age-limit>1h</task-age-limit>
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for infrequent cron tasks (i.e. hourly or less often) that should retry three times on failure. -->
-  <queue>
-    <name>retryable-cron-tasks</name>
-    <rate>1/s</rate>
-    <retry-parameters>
-      <task-retry-limit>3</task-retry-limit>
-    </retry-parameters>
-  </queue>
-
-  <!-- Queue for async actions that should be run at some point in the future. -->
-  <queue>
-    <name>async-actions</name>
-    <rate>1/s</rate>
-    <max-concurrent-requests>5</max-concurrent-requests>
-  </queue>
-
-</queue-entries>
--- a/core/src/main/java/google/registry/env/crash/default/WEB-INF/cloud-scheduler-tasks.xml
+++ b/core/src/main/java/google/registry/env/crash/default/WEB-INF/cloud-scheduler-tasks.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<taskentries>
+<entries>

  <!--
    /cron/fanout params:
@@ -129,16 +129,6 @@
    <schedule>0 5 * * *</schedule>
  </task>

-  <task>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <name>readDnsQueue</name>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>*/1 * * * *</schedule>
-  </task>
-
  <task>
    <url>
      <![CDATA[/_dr/cron/fanout?queue=dns-refresh&forEachRealTld&forEachTestTld&endpoint=/_dr/task/readDnsRefreshRequests&dnsJitterSeconds=45]]></url>
@@ -158,16 +148,4 @@
    </description>
    <schedule>7 3 * * *</schedule>
  </task>
-
-  <!--
-    The next two wipeout jobs are required when crash has production data.
-   -->
-  <task>
-    <url><![CDATA[/_dr/task/wipeOutCloudSql]]></url>
-    <name>wipeOutCloudSql</name>
-    <description>
-      This job runs an action that deletes all data in Cloud SQL.
-    </description>
-    <schedule>7 3 * * 6</schedule>
-  </task>
-</taskentries>
+</entries>
--- a/core/src/main/java/google/registry/env/production/default/WEB-INF/cloud-scheduler-tasks.xml
+++ b/core/src/main/java/google/registry/env/production/default/WEB-INF/cloud-scheduler-tasks.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<taskentries>
+<entries>
  <task>
    <url>/_dr/task/rdeStaging</url>
    <name>rdeStaging</name>
@@ -201,16 +201,6 @@
    <schedule>0 5 * * *</schedule>
  </task>

-  <task>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <name>readDnsQueue</name>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>*/1 * * * *</schedule>
-  </task>
-
  <task>
    <url>
      <![CDATA[/_dr/cron/fanout?queue=dns-refresh&forEachRealTld&forEachTestTld&endpoint=/_dr/task/readDnsRefreshRequests&dnsJitterSeconds=45]]></url>
@@ -283,4 +273,4 @@
    </description>
    <schedule>0 15 * * 1</schedule>
  </task>
-</taskentries>
+</entries>
--- a/core/src/main/java/google/registry/env/qa/default/WEB-INF/cloud-scheduler-tasks.xml
+++ b/core/src/main/java/google/registry/env/qa/default/WEB-INF/cloud-scheduler-tasks.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<taskentries>
+<entries>
  <task>
    <url>/_dr/task/rdeStaging</url>
    <name>rdeStaging</name>
@@ -11,16 +11,6 @@
    <schedule>7 0 * * *</schedule>
  </task>

-  <task>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <name>readDnsQueue</name>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>*/1 * * * *</schedule>
-  </task>
-
  <task>
    <url>
      <![CDATA[/_dr/cron/fanout?queue=dns-refresh&forEachRealTld&forEachTestTld&endpoint=/_dr/task/readDnsRefreshRequests&dnsJitterSeconds=45]]></url>
@@ -78,4 +68,4 @@
    </description>
    <schedule>7 3 * * 6</schedule>
  </task>
-</taskentries>
+</entries>
--- a/core/src/main/java/google/registry/env/sandbox/default/WEB-INF/cloud-scheduler-tasks.xml
+++ b/core/src/main/java/google/registry/env/sandbox/default/WEB-INF/cloud-scheduler-tasks.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<taskentries>
+<entries>
  <task>
    <url>/_dr/task/rdeStaging</url>
    <name>rdeStaging</name>
@@ -143,16 +143,6 @@
    <schedule>0 5 * * *</schedule>
  </task>

-  <task>
-    <url><![CDATA[/_dr/cron/readDnsQueue?jitterSeconds=45]]></url>
-    <name>readDnsQueue</name>
-    <description>
-      Lease all tasks from the dns-pull queue, group by TLD, and invoke PublishDnsUpdates for each
-      group.
-    </description>
-    <schedule>*/1 * * * *</schedule>
-  </task>
-
  <task>
    <url>
      <![CDATA[/_dr/cron/fanout?queue=dns-refresh&forEachRealTld&forEachTestTld&endpoint=/_dr/task/readDnsRefreshRequests&dnsJitterSeconds=45]]></url>
@@ -172,4 +162,4 @@
    </description>
    <schedule>0 15 * * 1</schedule>
  </task>
-</taskentries>
+</entries>
--- a/core/src/main/java/google/registry/export/ExportDomainListsAction.java
+++ b/core/src/main/java/google/registry/export/ExportDomainListsAction.java
@@ -15,7 +15,7 @@
 package google.registry.export;

 import static com.google.common.base.Verify.verifyNotNull;
-import static google.registry.model.tld.Registries.getTldsOfType;
+import static google.registry.model.tld.Tlds.getTldsOfType;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
 import static java.nio.charset.StandardCharsets.UTF_8;
--- a/core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java
@@ -16,6 +16,7 @@ package google.registry.flows.domain;

 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.flows.FlowUtils.persistEntityChanges;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.verifyResourceDoesNotExist;
@@ -59,7 +60,6 @@ import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.net.InternetDomainName;
-import google.registry.dns.DnsUtils;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.EppException.ParameterValuePolicyErrorException;
@@ -227,7 +227,6 @@ public final class DomainCreateFlow implements TransactionalFlow {
  @Inject DomainCreateFlowCustomLogic flowCustomLogic;
  @Inject DomainFlowTmchUtils tmchUtils;
  @Inject DomainPricingLogic pricingLogic;
-  @Inject DnsUtils dnsUtils;

  @Inject DomainCreateFlow() {}

@@ -426,7 +425,7 @@ public final class DomainCreateFlow implements TransactionalFlow {
              allocationToken.get(), domainHistory.getHistoryEntryId()));
    }
    if (domain.shouldPublishToDns()) {
-      dnsUtils.requestDomainDnsRefresh(domain.getDomainName());
+      requestDomainDnsRefresh(domain.getDomainName());
    }
    EntityChanges entityChanges =
        flowCustomLogic.beforeSave(
--- a/core/src/main/java/google/registry/flows/domain/DomainDeleteFlow.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainDeleteFlow.java
@@ -16,6 +16,7 @@ package google.registry.flows.domain;

 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Strings.isNullOrEmpty;
+import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.flows.FlowUtils.createHistoryEntryId;
 import static google.registry.flows.FlowUtils.persistEntityChanges;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
@@ -44,7 +45,6 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedSet;
 import com.google.common.collect.Sets;
 import google.registry.batch.AsyncTaskEnqueuer;
-import google.registry.dns.DnsUtils;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.AssociationProhibitsOperationException;
 import google.registry.flows.ExtensionManager;
@@ -130,7 +130,6 @@ public final class DomainDeleteFlow implements TransactionalFlow {
  @Inject @TargetId String targetId;
  @Inject @Superuser boolean isSuperuser;
  @Inject DomainHistory.Builder historyBuilder;
-  @Inject DnsUtils dnsUtils;
  @Inject Trid trid;
  @Inject AsyncTaskEnqueuer asyncTaskEnqueuer;
  @Inject EppResponse.Builder responseBuilder;
@@ -262,7 +261,7 @@ public final class DomainDeleteFlow implements TransactionalFlow {
    // If there's a pending transfer, the gaining client's autorenew billing
    // event and poll message will already have been deleted in
    // ResourceDeleteFlow since it's listed in serverApproveEntities.
-    dnsUtils.requestDomainDnsRefresh(existingDomain.getDomainName());
+    requestDomainDnsRefresh(existingDomain.getDomainName());

    entitiesToSave.add(newDomain, domainHistory);
    EntityChanges entityChanges =
@@ -431,7 +430,7 @@ public final class DomainDeleteFlow implements TransactionalFlow {

  /** Domain to be deleted has subordinate hosts. */
  static class DomainToDeleteHasHostsException extends AssociationProhibitsOperationException {
-    public DomainToDeleteHasHostsException() {
+    DomainToDeleteHasHostsException() {
      super("Domain to be deleted has subordinate hosts");
    }
  }
--- a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
@@ -26,12 +26,12 @@ import static com.google.common.collect.Sets.difference;
 import static com.google.common.collect.Sets.intersection;
 import static com.google.common.collect.Sets.union;
 import static google.registry.model.domain.Domain.MAX_REGISTRATION_YEARS;
-import static google.registry.model.tld.Registries.findTldForName;
-import static google.registry.model.tld.Registries.getTlds;
 import static google.registry.model.tld.Tld.TldState.GENERAL_AVAILABILITY;
 import static google.registry.model.tld.Tld.TldState.PREDELEGATION;
 import static google.registry.model.tld.Tld.TldState.QUIET_PERIOD;
 import static google.registry.model.tld.Tld.TldState.START_DATE_SUNRISE;
+import static google.registry.model.tld.Tlds.findTldForName;
+import static google.registry.model.tld.Tlds.getTlds;
 import static google.registry.model.tld.label.ReservationType.ALLOWED_IN_SUNRISE;
 import static google.registry.model.tld.label.ReservationType.FULLY_BLOCKED;
 import static google.registry.model.tld.label.ReservationType.NAME_COLLISION;
--- a/core/src/main/java/google/registry/flows/domain/DomainRestoreRequestFlow.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainRestoreRequestFlow.java
@@ -14,6 +14,7 @@

 package google.registry.flows.domain;

+import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.flows.FlowUtils.createHistoryEntryId;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
@@ -34,7 +35,6 @@ import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.net.InternetDomainName;
-import google.registry.dns.DnsUtils;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.CommandUseErrorException;
 import google.registry.flows.EppException.StatusProhibitsOperationException;
@@ -122,7 +122,6 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow {
  @Inject @TargetId String targetId;
  @Inject @Superuser boolean isSuperuser;
  @Inject DomainHistory.Builder historyBuilder;
-  @Inject DnsUtils dnsUtils;
  @Inject EppResponse.Builder responseBuilder;
  @Inject DomainPricingLogic pricingLogic;
  @Inject DomainRestoreRequestFlow() {}
@@ -185,7 +184,7 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow {
    entitiesToSave.add(newDomain, domainHistory, autorenewEvent, autorenewPollMessage);
    tm().putAll(entitiesToSave.build());
    tm().delete(existingDomain.getDeletePollMessage());
-    dnsUtils.requestDomainDnsRefresh(existingDomain.getDomainName());
+    requestDomainDnsRefresh(existingDomain.getDomainName());
    return responseBuilder
        .setExtensions(createResponseExtensions(feesAndCredits, feeUpdate, isExpired))
        .build();
@@ -305,14 +304,14 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow {

  /** Restore command cannot have other changes specified. */
  static class RestoreCommandIncludesChangesException extends CommandUseErrorException {
-    public RestoreCommandIncludesChangesException() {
+    RestoreCommandIncludesChangesException() {
      super("Restore command cannot have other changes specified");
    }
  }

  /** Domain is not eligible for restore. */
  static class DomainNotEligibleForRestoreException extends StatusProhibitsOperationException {
-    public DomainNotEligibleForRestoreException() {
+    DomainNotEligibleForRestoreException() {
      super("Domain is not eligible for restore");
    }
  }
--- a/core/src/main/java/google/registry/flows/domain/DomainUpdateFlow.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainUpdateFlow.java
@@ -19,6 +19,7 @@ import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.ImmutableSortedSet.toImmutableSortedSet;
 import static com.google.common.collect.Sets.symmetricDifference;
 import static com.google.common.collect.Sets.union;
+import static google.registry.dns.DnsUtils.requestDomainDnsRefresh;
 import static google.registry.flows.FlowUtils.persistEntityChanges;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.checkSameValuesNotAddedAndRemoved;
@@ -49,7 +50,6 @@ import com.google.common.collect.ImmutableSortedSet;
 import com.google.common.collect.Ordering;
 import com.google.common.collect.Sets;
 import com.google.common.net.InternetDomainName;
-import google.registry.dns.DnsUtils;
 import google.registry.flows.EppException;
 import google.registry.flows.ExtensionManager;
 import google.registry.flows.FlowModule.RegistrarId;
@@ -156,7 +156,6 @@ public final class DomainUpdateFlow implements TransactionalFlow {
  @Inject @Superuser boolean isSuperuser;
  @Inject Trid trid;
  @Inject DomainHistory.Builder historyBuilder;
-  @Inject DnsUtils dnsUtils;
  @Inject EppResponse.Builder responseBuilder;
  @Inject DomainUpdateFlowCustomLogic flowCustomLogic;
  @Inject DomainPricingLogic pricingLogic;
@@ -183,7 +182,7 @@ public final class DomainUpdateFlow implements TransactionalFlow {
        historyBuilder.setType(DOMAIN_UPDATE).setDomain(newDomain).build();
    validateNewState(newDomain);
    if (requiresDnsUpdate(existingDomain, newDomain)) {
-      dnsUtils.requestDomainDnsRefresh(targetId);
+      requestDomainDnsRefresh(targetId);
    }
    ImmutableSet.Builder<ImmutableObject> entitiesToSave = new ImmutableSet.Builder<>();
    entitiesToSave.add(newDomain, domainHistory);
@@ -207,7 +206,7 @@ public final class DomainUpdateFlow implements TransactionalFlow {
  }

  /** Determines if any of the changes to new domain should trigger DNS update. */
-  private boolean requiresDnsUpdate(Domain existingDomain, Domain newDomain) {
+  private static boolean requiresDnsUpdate(Domain existingDomain, Domain newDomain) {
    return existingDomain.shouldPublishToDns() != newDomain.shouldPublishToDns()
        || !Objects.equals(newDomain.getDsData(), existingDomain.getDsData())
        || !Objects.equals(newDomain.getNsHosts(), existingDomain.getNsHosts());
@@ -256,7 +255,7 @@ public final class DomainUpdateFlow implements TransactionalFlow {
    // We have to verify no duplicate contacts _before_ constructing the domain because it is
    // illegal to construct a domain with duplicate contacts.
    Sets.SetView<DesignatedContact> newContacts =
-        Sets.union(Sets.difference(domain.getContacts(), remove.getContacts()), add.getContacts());
+        union(Sets.difference(domain.getContacts(), remove.getContacts()), add.getContacts());
    validateNoDuplicateContacts(newContacts);

    Domain.Builder domainBuilder =
@@ -301,7 +300,7 @@ public final class DomainUpdateFlow implements TransactionalFlow {
    return domainBuilder.build();
  }

-  private void validateRegistrantIsntBeingRemoved(Change change) throws EppException {
+  private static void validateRegistrantIsntBeingRemoved(Change change) throws EppException {
    if (change.getRegistrantContactId() != null && change.getRegistrantContactId().isEmpty()) {
      throw new MissingRegistrantException();
    }
@@ -314,7 +313,7 @@ public final class DomainUpdateFlow implements TransactionalFlow {
   * compliant with the additions or amendments, otherwise existing data can become invalid and
   * cause Domain update failure.
   */
-  private void validateNewState(Domain newDomain) throws EppException {
+  private static void validateNewState(Domain newDomain) throws EppException {
    validateRequiredContactsPresent(newDomain.getRegistrant(), newDomain.getContacts());
    validateDsData(newDomain.getDsData());
    validateNameserversCountForTld(
@@ -368,17 +367,17 @@ public final class DomainUpdateFlow implements TransactionalFlow {
            .collect(toImmutableSortedSet(Ordering.natural()));

    String msg;
-    if (addedServerStatuses.size() > 0 && removedServerStatuses.size() > 0) {
+    if (!addedServerStatuses.isEmpty() && !removedServerStatuses.isEmpty()) {
      msg =
          String.format(
              "The registry administrator has added the status(es) %s and removed the status(es)"
                  + " %s.",
              addedServerStatuses, removedServerStatuses);
-    } else if (addedServerStatuses.size() > 0) {
+    } else if (!addedServerStatuses.isEmpty()) {
      msg =
          String.format(
              "The registry administrator has added the status(es) %s.", addedServerStatuses);
-    } else if (removedServerStatuses.size() > 0) {
+    } else if (!removedServerStatuses.isEmpty()) {
      msg =
          String.format(
              "The registry administrator has removed the status(es) %s.", removedServerStatuses);
--- a/core/src/main/java/google/registry/flows/host/HostCreateFlow.java
+++ b/core/src/main/java/google/registry/flows/host/HostCreateFlow.java
@@ -14,6 +14,7 @@

 package google.registry.flows.host;

+import static google.registry.dns.DnsUtils.requestHostDnsRefresh;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.verifyResourceDoesNotExist;
 import static google.registry.flows.host.HostFlowUtils.lookupSuperordinateDomain;
@@ -28,7 +29,6 @@ import static google.registry.util.CollectionUtils.isNullOrEmpty;

 import com.google.common.collect.ImmutableSet;
 import google.registry.config.RegistryConfig.Config;
-import google.registry.dns.DnsUtils;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.ParameterValueRangeErrorException;
 import google.registry.flows.EppException.RequiredParameterMissingException;
@@ -85,7 +85,6 @@ public final class HostCreateFlow implements TransactionalFlow {
  @Inject @RegistrarId String registrarId;
  @Inject @TargetId String targetId;
  @Inject HostHistory.Builder historyBuilder;
-  @Inject DnsUtils dnsUtils;
  @Inject EppResponse.Builder responseBuilder;

  @Inject
@@ -138,7 +137,7 @@ public final class HostCreateFlow implements TransactionalFlow {
                  .build());
      // Only update DNS if this is a subordinate host. External hosts have no glue to write, so
      // they are only written as NS records from the referencing domain.
-      dnsUtils.requestHostDnsRefresh(targetId);
+      requestHostDnsRefresh(targetId);
    }
    tm().insertAll(entitiesToSave);
    return responseBuilder.setResData(HostCreateData.create(targetId, now)).build();
--- a/core/src/main/java/google/registry/flows/host/HostDeleteFlow.java
+++ b/core/src/main/java/google/registry/flows/host/HostDeleteFlow.java
@@ -14,6 +14,7 @@

 package google.registry.flows.host;

+import static google.registry.dns.DnsUtils.requestHostDnsRefresh;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.checkLinkedDomains;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
@@ -24,7 +25,6 @@ import static google.registry.model.eppoutput.Result.Code.SUCCESS;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;

 import com.google.common.collect.ImmutableSet;
-import google.registry.dns.DnsUtils;
 import google.registry.flows.EppException;
 import google.registry.flows.ExtensionManager;
 import google.registry.flows.FlowModule.RegistrarId;
@@ -71,7 +71,6 @@ public final class HostDeleteFlow implements TransactionalFlow {
          StatusValue.PENDING_DELETE,
          StatusValue.SERVER_DELETE_PROHIBITED);

-  @Inject DnsUtils dnsUtils;
  @Inject ExtensionManager extensionManager;
  @Inject @RegistrarId String registrarId;
  @Inject @TargetId String targetId;
@@ -104,7 +103,7 @@ public final class HostDeleteFlow implements TransactionalFlow {
    }
    Host newHost = existingHost.asBuilder().setStatusValues(null).setDeletionTime(now).build();
    if (existingHost.isSubordinate()) {
-      dnsUtils.requestHostDnsRefresh(existingHost.getHostName());
+      requestHostDnsRefresh(existingHost.getHostName());
      tm().update(
              tm().loadByKey(existingHost.getSuperordinateDomain())
                  .asBuilder()
--- a/core/src/main/java/google/registry/flows/host/HostFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/host/HostFlowUtils.java
@@ -16,7 +16,7 @@ package google.registry.flows.host;

 import static google.registry.model.EppResourceUtils.isActive;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
-import static google.registry.model.tld.Registries.findTldForName;
+import static google.registry.model.tld.Tlds.findTldForName;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static java.util.stream.Collectors.joining;

--- a/core/src/main/java/google/registry/flows/host/HostUpdateFlow.java
+++ b/core/src/main/java/google/registry/flows/host/HostUpdateFlow.java
@@ -16,6 +16,7 @@ package google.registry.flows.host;

 import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.collect.Sets.union;
+import static google.registry.dns.DnsUtils.requestHostDnsRefresh;
 import static google.registry.dns.RefreshDnsOnHostRenameAction.PARAM_HOST_KEY;
 import static google.registry.dns.RefreshDnsOnHostRenameAction.QUEUE_HOST_RENAME;
 import static google.registry.flows.FlowUtils.validateRegistrarIsLoggedIn;
@@ -37,7 +38,6 @@ import com.google.common.collect.ImmutableMultimap;
 import com.google.common.collect.ImmutableSet;
 import google.registry.batch.AsyncTaskEnqueuer;
 import google.registry.batch.CloudTasksUtils;
-import google.registry.dns.DnsUtils;
 import google.registry.dns.RefreshDnsOnHostRenameAction;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.ObjectAlreadyExistsException;
@@ -124,7 +124,6 @@ public final class HostUpdateFlow implements TransactionalFlow {
  @Inject @Superuser boolean isSuperuser;
  @Inject HostHistory.Builder historyBuilder;
  @Inject AsyncTaskEnqueuer asyncTaskEnqueuer;
-  @Inject DnsUtils dnsUtils;
  @Inject EppResponse.Builder responseBuilder;
  @Inject CloudTasksUtils cloudTasksUtils;

@@ -241,7 +240,7 @@ public final class HostUpdateFlow implements TransactionalFlow {
    verifyNoDisallowedStatuses(existingHost, DISALLOWED_STATUSES);
  }

-  private void verifyHasIpsIffIsExternal(Update command, Host existingHost, Host newHost)
+  private static void verifyHasIpsIffIsExternal(Update command, Host existingHost, Host newHost)
      throws EppException {
    boolean wasSubordinate = existingHost.isSubordinate();
    boolean willBeSubordinate = newHost.isSubordinate();
@@ -266,14 +265,14 @@ public final class HostUpdateFlow implements TransactionalFlow {
    // Only update DNS for subordinate hosts. External hosts have no glue to write, so they
    // are only written as NS records from the referencing domain.
    if (existingHost.isSubordinate()) {
-      dnsUtils.requestHostDnsRefresh(existingHost.getHostName());
+      requestHostDnsRefresh(existingHost.getHostName());
    }
    // In case of a rename, there are many updates we need to queue up.
    if (((Update) resourceCommand).getInnerChange().getHostName() != null) {
      // If the renamed host is also subordinate, then we must enqueue an update to write the new
      // glue.
      if (newHost.isSubordinate()) {
-        dnsUtils.requestHostDnsRefresh(newHost.getHostName());
+        requestHostDnsRefresh(newHost.getHostName());
      }
      // We must also enqueue updates for all domains that use this host as their nameserver so
      // that their NS records can be updated to point at the new name.
@@ -317,14 +316,14 @@ public final class HostUpdateFlow implements TransactionalFlow {

  /** Host with specified name already exists. */
  static class HostAlreadyExistsException extends ObjectAlreadyExistsException {
-    public HostAlreadyExistsException(String hostName) {
+    HostAlreadyExistsException(String hostName) {
      super(String.format("Object with given ID (%s) already exists", hostName));
    }
  }

  /** Cannot add IP addresses to an external host. */
  static class CannotAddIpToExternalHostException extends ParameterValueRangeErrorException {
-    public CannotAddIpToExternalHostException() {
+    CannotAddIpToExternalHostException() {
      super("Cannot add IP addresses to external hosts");
    }
  }
@@ -332,14 +331,14 @@ public final class HostUpdateFlow implements TransactionalFlow {
  /** Cannot remove all IP addresses from a subordinate host. */
  static class CannotRemoveSubordinateHostLastIpException
      extends StatusProhibitsOperationException {
-    public CannotRemoveSubordinateHostLastIpException() {
+    CannotRemoveSubordinateHostLastIpException() {
      super("Cannot remove all IP addresses from a subordinate host");
    }
  }

  /** Cannot rename an external host. */
  static class CannotRenameExternalHostException extends StatusProhibitsOperationException {
-    public CannotRenameExternalHostException() {
+    CannotRenameExternalHostException() {
      super("Cannot rename an external host");
    }
  }
--- a/core/src/main/java/google/registry/gcs/GcsUtils.java
+++ b/core/src/main/java/google/registry/gcs/GcsUtils.java
@@ -31,7 +31,7 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
-import google.registry.config.CredentialModule.DefaultCredential;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.util.GoogleCredentialsBundle;
 import java.io.IOException;
 import java.io.InputStream;
@@ -64,7 +64,7 @@ public class GcsUtils implements Serializable {
  }

  @Inject
-  public GcsUtils(@DefaultCredential GoogleCredentialsBundle credentialsBundle) {
+  public GcsUtils(@ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle) {
    this(
        StorageOptions.newBuilder()
            .setCredentials(credentialsBundle.getGoogleCredentials())
--- a/core/src/main/java/google/registry/model/EppResource.java
+++ b/core/src/main/java/google/registry/model/EppResource.java
@@ -403,7 +403,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
  public static ImmutableMap<VKey<? extends EppResource>, EppResource> loadCached(
      Iterable<VKey<? extends EppResource>> keys) {
    if (!RegistryConfig.isEppResourceCachingEnabled()) {
-      return tm().loadByKeys(keys);
+      return tm().transact(() -> tm().loadByKeys(keys));
    }
    return ImmutableMap.copyOf(cacheEppResources.getAll(keys));
  }
@@ -416,7 +416,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
   */
  public static <T extends EppResource> T loadCached(VKey<T> key) {
    if (!RegistryConfig.isEppResourceCachingEnabled()) {
-      return tm().loadByKey(key);
+      return tm().transact(() -> tm().loadByKey(key));
    }
    // Safe to cast because loading a Key<T> returns an entity of type T.
    @SuppressWarnings("unchecked")
--- a/core/src/main/java/google/registry/model/common/DatabaseMigrationStateSchedule.java
+++ b/core/src/main/java/google/registry/model/common/DatabaseMigrationStateSchedule.java
@@ -1,275 +0,0 @@
-// Copyright 2021 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.common;
-
-import static com.google.common.base.Preconditions.checkArgument;
-import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
-import static google.registry.util.DateTimeUtils.START_OF_TIME;
-
-import com.github.benmanes.caffeine.cache.LoadingCache;
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.ImmutableMultimap;
-import com.google.common.collect.ImmutableSortedMap;
-import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
-import google.registry.model.CacheUtils;
-import google.registry.model.annotations.DeleteAfterMigration;
-import java.time.Duration;
-import java.util.Arrays;
-import javax.persistence.Entity;
-import javax.persistence.PersistenceException;
-import org.joda.time.DateTime;
-
-/**
- * A wrapper object representing the stage-to-time mapping of the Registry 3.0 Cloud SQL migration.
- *
- * <p>The entity is stored in SQL throughout the entire migration so as to have a single point of
- * access.
- */
-@DeleteAfterMigration
-@Entity
-public class DatabaseMigrationStateSchedule extends CrossTldSingleton {
-
-  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  private static boolean useUncachedForTest = false;
-
-  public enum PrimaryDatabase {
-    CLOUD_SQL,
-    DATASTORE
-  }
-
-  public enum ReplayDirection {
-    NO_REPLAY,
-    DATASTORE_TO_SQL,
-    SQL_TO_DATASTORE
-  }
-
-  /**
-   * The current phase of the migration plus information about which database to use and whether or
-   * not the phase is read-only.
-   */
-  public enum MigrationState {
-    /** Datastore is the only DB being used. */
-    DATASTORE_ONLY(PrimaryDatabase.DATASTORE, false, ReplayDirection.NO_REPLAY),
-
-    /** Datastore is the primary DB, with changes replicated to Cloud SQL. */
-    DATASTORE_PRIMARY(PrimaryDatabase.DATASTORE, false, ReplayDirection.DATASTORE_TO_SQL),
-
-    /** Datastore is the primary DB, with replication, and async actions are disallowed. */
-    DATASTORE_PRIMARY_NO_ASYNC(PrimaryDatabase.DATASTORE, false, ReplayDirection.DATASTORE_TO_SQL),
-
-    /** Datastore is the primary DB, with replication, and all mutating actions are disallowed. */
-    DATASTORE_PRIMARY_READ_ONLY(PrimaryDatabase.DATASTORE, true, ReplayDirection.DATASTORE_TO_SQL),
-
-    /**
-     * Cloud SQL is the primary DB, with replication back to Datastore, and all mutating actions are
-     * disallowed.
-     */
-    SQL_PRIMARY_READ_ONLY(PrimaryDatabase.CLOUD_SQL, true, ReplayDirection.SQL_TO_DATASTORE),
-
-    /** Cloud SQL is the primary DB, with changes replicated to Datastore. */
-    SQL_PRIMARY(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.SQL_TO_DATASTORE),
-
-    /** Cloud SQL is the only DB being used. */
-    SQL_ONLY(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.NO_REPLAY),
-
-    /** Toggles SQL Sequence based allocateId */
-    SEQUENCE_BASED_ALLOCATE_ID(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.NO_REPLAY),
-
-    /** Use SQL-based Nordn upload flow instead of the pull queue-based one. */
-    NORDN_SQL(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.NO_REPLAY),
-
-    /** Use SQL-based DNS update flow instead of the pull queue-based one. */
-    DNS_SQL(PrimaryDatabase.CLOUD_SQL, false, ReplayDirection.NO_REPLAY);
-
-    private final PrimaryDatabase primaryDatabase;
-    private final boolean isReadOnly;
-    private final ReplayDirection replayDirection;
-
-    public PrimaryDatabase getPrimaryDatabase() {
-      return primaryDatabase;
-    }
-
-    public boolean isReadOnly() {
-      return isReadOnly;
-    }
-
-    public ReplayDirection getReplayDirection() {
-      return replayDirection;
-    }
-
-    MigrationState(
-        PrimaryDatabase primaryDatabase, boolean isReadOnly, ReplayDirection replayDirection) {
-      this.primaryDatabase = primaryDatabase;
-      this.isReadOnly = isReadOnly;
-      this.replayDirection = replayDirection;
-    }
-  }
-
-  /**
-   * Cache of the current migration schedule. The key is meaningless; this is essentially a memoized
-   * Supplier that can be reset for testing purposes and after writes.
-   */
-  @VisibleForTesting
-  public static final LoadingCache<
-          Class<DatabaseMigrationStateSchedule>, TimedTransitionProperty<MigrationState>>
-      // Each instance should cache the migration schedule for five minutes before reloading
-      CACHE =
-          CacheUtils.newCacheBuilder(Duration.ofMinutes(5))
-              .build(singletonClazz -> DatabaseMigrationStateSchedule.getUncached());
-
-  // Restrictions on the state transitions, e.g. no going from DATASTORE_ONLY to SQL_ONLY
-  private static final ImmutableMultimap<MigrationState, MigrationState> VALID_STATE_TRANSITIONS =
-      createValidStateTransitions();
-
-  /**
-   * The valid state transitions. Generally, one can advance the state one step or move backward any
-   * number of steps, as long as the step we're moving back to has the same primary database as the
-   * one we're in. Otherwise, we must move to the corresponding READ_ONLY stage first.
-   */
-  private static ImmutableMultimap<MigrationState, MigrationState> createValidStateTransitions() {
-    ImmutableMultimap.Builder<MigrationState, MigrationState> builder =
-        new ImmutableMultimap.Builder<MigrationState, MigrationState>()
-            .put(MigrationState.DATASTORE_ONLY, MigrationState.DATASTORE_PRIMARY)
-            .putAll(
-                MigrationState.DATASTORE_PRIMARY,
-                MigrationState.DATASTORE_ONLY,
-                MigrationState.DATASTORE_PRIMARY_NO_ASYNC)
-            .putAll(
-                MigrationState.DATASTORE_PRIMARY_NO_ASYNC,
-                MigrationState.DATASTORE_ONLY,
-                MigrationState.DATASTORE_PRIMARY,
-                MigrationState.DATASTORE_PRIMARY_READ_ONLY)
-            .putAll(
-                MigrationState.DATASTORE_PRIMARY_READ_ONLY,
-                MigrationState.DATASTORE_ONLY,
-                MigrationState.DATASTORE_PRIMARY,
-                MigrationState.DATASTORE_PRIMARY_NO_ASYNC,
-                MigrationState.SQL_PRIMARY_READ_ONLY,
-                MigrationState.SQL_PRIMARY)
-            .putAll(
-                MigrationState.SQL_PRIMARY_READ_ONLY,
-                MigrationState.DATASTORE_PRIMARY_READ_ONLY,
-                MigrationState.SQL_PRIMARY)
-            .putAll(
-                MigrationState.SQL_PRIMARY,
-                MigrationState.SQL_PRIMARY_READ_ONLY,
-                MigrationState.SQL_ONLY)
-            .putAll(
-                MigrationState.SQL_ONLY,
-                MigrationState.SQL_PRIMARY_READ_ONLY,
-                MigrationState.SQL_PRIMARY)
-            .putAll(MigrationState.SQL_ONLY, MigrationState.SEQUENCE_BASED_ALLOCATE_ID)
-            .putAll(MigrationState.SEQUENCE_BASED_ALLOCATE_ID, MigrationState.NORDN_SQL)
-            .putAll(
-                MigrationState.NORDN_SQL,
-                MigrationState.SEQUENCE_BASED_ALLOCATE_ID,
-                MigrationState.DNS_SQL)
-            .putAll(MigrationState.DNS_SQL, MigrationState.NORDN_SQL);
-
-    // In addition, we can always transition from a state to itself (useful when updating the map).
-    Arrays.stream(MigrationState.values()).forEach(state -> builder.put(state, state));
-    return builder.build();
-  }
-
-  // Default map to return if we have never saved any -- only use Datastore.
-  @VisibleForTesting
-  public static final TimedTransitionProperty<MigrationState> DEFAULT_TRANSITION_MAP =
-      TimedTransitionProperty.fromValueMap(
-          ImmutableSortedMap.of(START_OF_TIME, MigrationState.DATASTORE_ONLY));
-
-  @VisibleForTesting
-  public TimedTransitionProperty<MigrationState> migrationTransitions =
-      TimedTransitionProperty.withInitialValue(MigrationState.DATASTORE_ONLY);
-
-  // Required for Hibernate initialization
-  protected DatabaseMigrationStateSchedule() {}
-
-  @VisibleForTesting
-  public DatabaseMigrationStateSchedule(
-      TimedTransitionProperty<MigrationState> migrationTransitions) {
-    this.migrationTransitions = migrationTransitions;
-  }
-
-  /** Sets and persists to SQL the provided migration transition schedule. */
-  public static void set(ImmutableSortedMap<DateTime, MigrationState> migrationTransitionMap) {
-    tm().assertInTransaction();
-    TimedTransitionProperty<MigrationState> transitions =
-        TimedTransitionProperty.make(
-            migrationTransitionMap,
-            VALID_STATE_TRANSITIONS,
-            "validStateTransitions",
-            MigrationState.DATASTORE_ONLY,
-            "migrationTransitionMap must start with DATASTORE_ONLY");
-    validateTransitionAtCurrentTime(transitions);
-    tm().put(new DatabaseMigrationStateSchedule(transitions));
-    CACHE.invalidateAll();
-  }
-
-  @VisibleForTesting
-  public static void useUncachedForTest() {
-    useUncachedForTest = true;
-  }
-
-  /** Loads the currently-set migration schedule from the cache, or the default if none exists. */
-  public static TimedTransitionProperty<MigrationState> get() {
-    return CACHE.get(DatabaseMigrationStateSchedule.class);
-  }
-
-  /** Returns the database migration status at the given time. */
-  public static MigrationState getValueAtTime(DateTime dateTime) {
-    return useUncachedForTest
-        ? getUncached().getValueAtTime(dateTime)
-        : get().getValueAtTime(dateTime);
-  }
-
-  /** Loads the currently-set migration schedule from SQL, or the default if none exists. */
-  @VisibleForTesting
-  static TimedTransitionProperty<MigrationState> getUncached() {
-    return tm().transact(
-            () -> {
-              try {
-                return tm().loadSingleton(DatabaseMigrationStateSchedule.class)
-                    .map(s -> s.migrationTransitions)
-                    .orElse(DEFAULT_TRANSITION_MAP);
-              } catch (PersistenceException e) {
-                if (!RegistryEnvironment.get().equals(RegistryEnvironment.UNITTEST)) {
-                  throw e;
-                }
-                logger.atWarning().withCause(e).log(
-                    "Error when retrieving migration schedule; this should only happen in tests.");
-                return DEFAULT_TRANSITION_MAP;
-              }
-            });
-  }
-
-  /**
-   * A provided map of transitions may be valid by itself (i.e. it shifts states properly, doesn't
-   * skip states, and doesn't backtrack incorrectly) while still being invalid. In addition to the
-   * transitions in the map being valid, the single transition from the current map at the current
-   * time to the new map at the current time must also be valid.
-   */
-  private static void validateTransitionAtCurrentTime(
-      TimedTransitionProperty<MigrationState> newTransitions) {
-    MigrationState currentValue = getUncached().getValueAtTime(tm().getTransactionTime());
-    MigrationState nextCurrentValue = newTransitions.getValueAtTime(tm().getTransactionTime());
-    checkArgument(
-        VALID_STATE_TRANSITIONS.get(currentValue).contains(nextCurrentValue),
-        "Cannot transition from current state-as-of-now %s to new state-as-of-now %s",
-        currentValue,
-        nextCurrentValue);
-  }
-}
--- a/core/src/main/java/google/registry/model/common/DnsRefreshRequest.java
+++ b/core/src/main/java/google/registry/model/common/DnsRefreshRequest.java
@@ -18,7 +18,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;

-import google.registry.dns.DnsConstants.TargetType;
+import google.registry.dns.DnsUtils.TargetType;
 import google.registry.dns.PublishDnsUpdatesAction;
 import google.registry.model.ImmutableObject;
 import google.registry.persistence.VKey;
--- a/core/src/main/java/google/registry/model/console/ConsolePermission.java
+++ b/core/src/main/java/google/registry/model/console/ConsolePermission.java
@@ -16,6 +16,10 @@ package google.registry.model.console;

 /** Permissions that users may have in the UI, either per-registrar or globally. */
 public enum ConsolePermission {
+  /** View basic information about a registrar. */
+  VIEW_REGISTRAR_DETAILS,
+  /** Edit basic information about a registrar. */
+  EDIT_REGISTRAR_DETAILS,
  /** Add, update, or remove other console users. */
  MANAGE_USERS,
  /** Add, update, or remove registrars. */
--- a/core/src/main/java/google/registry/model/console/ConsoleRoleDefinitions.java
+++ b/core/src/main/java/google/registry/model/console/ConsoleRoleDefinitions.java
@@ -27,6 +27,8 @@ public class ConsoleRoleDefinitions {
  /** Permissions for a registry support agent. */
  static final ImmutableSet<ConsolePermission> SUPPORT_AGENT_PERMISSIONS =
      ImmutableSet.of(
+          ConsolePermission.VIEW_REGISTRAR_DETAILS,
+          ConsolePermission.EDIT_REGISTRAR_DETAILS,
          ConsolePermission.MANAGE_USERS,
          ConsolePermission.MANAGE_ACCREDITATION,
          ConsolePermission.CONFIGURE_EPP_CONNECTION,
@@ -69,6 +71,7 @@ public class ConsoleRoleDefinitions {
  /** Permissions for a registrar partner account manager. */
  static final ImmutableSet<ConsolePermission> ACCOUNT_MANAGER_PERMISSIONS =
      ImmutableSet.of(
+          ConsolePermission.VIEW_REGISTRAR_DETAILS,
          ConsolePermission.DOWNLOAD_DOMAINS,
          ConsolePermission.VIEW_TLD_PORTFOLIO,
          ConsolePermission.CONTACT_SUPPORT,
@@ -89,6 +92,7 @@ public class ConsoleRoleDefinitions {
      new ImmutableSet.Builder<ConsolePermission>()
          .addAll(ACCOUNT_MANAGER_WITH_REGISTRY_LOCK_PERMISSIONS)
          .add(
+              ConsolePermission.EDIT_REGISTRAR_DETAILS,
              ConsolePermission.MANAGE_ACCREDITATION,
              ConsolePermission.CONFIGURE_EPP_CONNECTION,
              ConsolePermission.CHANGE_NOMULUS_PASSWORD,
--- a/core/src/main/java/google/registry/model/registrar/Registrar.java
+++ b/core/src/main/java/google/registry/model/registrar/Registrar.java
@@ -26,7 +26,7 @@ import static com.google.common.collect.Sets.immutableEnumSet;
 import static com.google.common.io.BaseEncoding.base64;
 import static google.registry.config.RegistryConfig.getDefaultRegistrarWhoisServer;
 import static google.registry.model.CacheUtils.memoizeWithShortExpiration;
-import static google.registry.model.tld.Registries.assertTldsExist;
+import static google.registry.model.tld.Tlds.assertTldsExist;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
--- a/core/src/main/java/google/registry/model/registrar/RegistrarPoc.java
+++ b/core/src/main/java/google/registry/model/registrar/RegistrarPoc.java
@@ -29,6 +29,7 @@ import static java.util.stream.Collectors.joining;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedSet;
+import com.google.gson.annotations.Expose;
 import google.registry.model.Buildable;
 import google.registry.model.ImmutableObject;
 import google.registry.model.JsonMapBuilder;
@@ -94,7 +95,7 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
  }

  /** The name of the contact. */
-  String name;
+  @Expose String name;

  /**
   * The contact email address of the contact.
@@ -102,24 +103,24 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
   * <p>This is different from the login email which is assgined to the regstrar and cannot be
   * changed.
   */
-  @Id String emailAddress;
+  @Expose @Id String emailAddress;

-  @Id String registrarId;
+  @Expose @Id public String registrarId;

  /** External email address of this contact used for registry lock confirmations. */
  String registryLockEmailAddress;

  /** The voice number of the contact. */
-  String phoneNumber;
+  @Expose String phoneNumber;

  /** The fax number of the contact. */
-  String faxNumber;
+  @Expose String faxNumber;

  /**
   * Multiple types are used to associate the registrar contact with various mailing groups. This
   * data is internal to the registry.
   */
-  Set<Type> types;
+  @Expose Set<Type> types;

  /** A GAIA email address that was assigned to the registrar for console login purpose. */
  String loginEmailAddress;
@@ -127,19 +128,19 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
  /**
   * Whether this contact is publicly visible in WHOIS registrar query results as an Admin contact.
   */
-  boolean visibleInWhoisAsAdmin = false;
+  @Expose boolean visibleInWhoisAsAdmin = false;

  /**
   * Whether this contact is publicly visible in WHOIS registrar query results as a Technical
   * contact.
   */
-  boolean visibleInWhoisAsTech = false;
+  @Expose boolean visibleInWhoisAsTech = false;

  /**
   * Whether this contact's phone number and email address is publicly visible in WHOIS domain query
   * results as registrar abuse contact info.
   */
-  boolean visibleInDomainWhoisAsAbuse = false;
+  @Expose boolean visibleInDomainWhoisAsAbuse = false;

  /**
   * Whether the contact is allowed to set their registry lock password through the registrar
--- a/core/src/main/java/google/registry/model/tld/Registries.java
+++ b/core/src/main/java/google/registry/model/tld/Registries.java
@@ -40,15 +40,15 @@ import java.util.stream.Stream;
 import javax.persistence.EntityManager;

 /** Utilities for finding and listing {@link Tld} entities. */
-public final class Registries {
+public final class Tlds {

-  private Registries() {}
+  private Tlds() {}

-  /** Supplier of a cached registries map. */
+  /** Supplier of a cached TLDs map. */
  private static Supplier<ImmutableMap<String, TldType>> cache = createFreshCache();

  /**
-   * Returns a newly-created Supplier of a registries to types map.
+   * Returns a newly-created Supplier of a TLDs to types map.
   *
   * <p>The supplier's get() method enters a transactionless context briefly to avoid enrolling the
   * query inside an unrelated client-affecting transaction.
@@ -84,7 +84,7 @@ public final class Registries {
    return ImmutableSet.copyOf(filterValues(cache.get(), equalTo(type)).keySet());
  }

-  /** Returns the Registry entities themselves of the given type loaded fresh from the database. */
+  /** Returns the TLD entities themselves of the given type loaded fresh from the database. */
  public static ImmutableSet<Tld> getTldEntitiesOfType(TldType type) {
    return Tld.get(filterValues(cache.get(), equalTo(type)).keySet());
  }
--- a/core/src/main/java/google/registry/model/tld/label/BaseDomainLabelList.java
+++ b/core/src/main/java/google/registry/model/tld/label/BaseDomainLabelList.java
@@ -18,7 +18,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static google.registry.model.tld.Registries.getTlds;
+import static google.registry.model.tld.Tlds.getTlds;

 import com.google.common.collect.HashMultiset;
 import com.google.common.collect.ImmutableList;
--- a/core/src/main/java/google/registry/module/backend/BackendRequestComponent.java
+++ b/core/src/main/java/google/registry/module/backend/BackendRequestComponent.java
@@ -32,7 +32,6 @@ import google.registry.cron.CronModule;
 import google.registry.cron.TldFanoutAction;
 import google.registry.dns.DnsModule;
 import google.registry.dns.PublishDnsUpdatesAction;
-import google.registry.dns.ReadDnsQueueAction;
 import google.registry.dns.ReadDnsRefreshRequestsAction;
 import google.registry.dns.RefreshDnsAction;
 import google.registry.dns.RefreshDnsOnHostRenameAction;
@@ -143,8 +142,6 @@ interface BackendRequestComponent {

  PublishSpec11ReportAction publishSpec11ReportAction();

-  ReadDnsQueueAction readDnsQueueAction();
-
  ReadDnsRefreshRequestsAction readDnsRefreshRequestsAction();

  RdeReportAction rdeReportAction();
--- a/core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java
+++ b/core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java
@@ -26,6 +26,7 @@ import google.registry.request.RequestComponentBuilder;
 import google.registry.request.RequestModule;
 import google.registry.request.RequestScope;
 import google.registry.ui.server.console.ConsoleDomainGetAction;
+import google.registry.ui.server.console.settings.ContactAction;
 import google.registry.ui.server.registrar.ConsoleOteSetupAction;
 import google.registry.ui.server.registrar.ConsoleRegistrarCreatorAction;
 import google.registry.ui.server.registrar.ConsoleUiAction;
@@ -64,6 +65,8 @@ interface FrontendRequestComponent {

  ConsoleDomainGetAction consoleDomainGetAction();

+  ContactAction contactAction();
+
  @Subcomponent.Builder
  abstract class Builder implements RequestComponentBuilder<FrontendRequestComponent> {
    @Override public abstract Builder requestModule(RequestModule requestModule);
--- a/core/src/main/java/google/registry/monitoring/whitebox/EppMetric.java
+++ b/core/src/main/java/google/registry/monitoring/whitebox/EppMetric.java
@@ -20,7 +20,7 @@ import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import google.registry.model.eppoutput.Result.Code;
-import google.registry.model.tld.Registries;
+import google.registry.model.tld.Tlds;
 import google.registry.util.Clock;
 import java.util.Optional;
 import org.joda.time.DateTime;
@@ -104,7 +104,7 @@ public abstract class EppMetric {
          String tld = Iterables.getOnlyElement(tlds);
          // Only record TLDs that actually exist, otherwise we can blow up cardinality by recording
          // an arbitrarily large number of strings.
-          setTld(Optional.ofNullable(Registries.getTlds().contains(tld) ? tld : "_invalid"));
+          setTld(Optional.ofNullable(Tlds.getTlds().contains(tld) ? tld : "_invalid"));
          break;
        default:
          setTld("_various");
--- a/core/src/main/java/google/registry/persistence/converter/DatabaseMigrationScheduleTransitionConverter.java
+++ b/core/src/main/java/google/registry/persistence/converter/DatabaseMigrationScheduleTransitionConverter.java
@@ -1,37 +0,0 @@
-// Copyright 2021 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.persistence.converter;
-
-import google.registry.model.annotations.DeleteAfterMigration;
-import google.registry.model.common.DatabaseMigrationStateSchedule;
-import google.registry.model.common.DatabaseMigrationStateSchedule.MigrationState;
-import javax.persistence.Converter;
-
-/** JPA converter for {@link DatabaseMigrationStateSchedule} transitions. */
-@DeleteAfterMigration
-@Converter(autoApply = true)
-public class DatabaseMigrationScheduleTransitionConverter
-    extends TimedTransitionPropertyConverterBase<MigrationState> {
-
-  @Override
-  protected String convertValueToString(MigrationState value) {
-    return value.name();
-  }
-
-  @Override
-  protected MigrationState convertStringToValue(String string) {
-    return MigrationState.valueOf(string);
-  }
-}
--- a/core/src/main/java/google/registry/rde/ContactToXjcConverter.java
+++ b/core/src/main/java/google/registry/rde/ContactToXjcConverter.java
@@ -112,8 +112,8 @@ final class ContactToXjcConverter {
  private static XjcRdeContactTransferDataType convertTransferData(TransferData model) {
    XjcRdeContactTransferDataType bean = new XjcRdeContactTransferDataType();
    bean.setTrStatus(XjcEppcomTrStatusType.fromValue(model.getTransferStatus().getXmlName()));
-    bean.setReRr(RdeUtil.makeXjcRdeRrType(model.getGainingRegistrarId()));
-    bean.setAcRr(RdeUtil.makeXjcRdeRrType(model.getLosingRegistrarId()));
+    bean.setReRr(RdeUtils.makeXjcRdeRrType(model.getGainingRegistrarId()));
+    bean.setAcRr(RdeUtils.makeXjcRdeRrType(model.getLosingRegistrarId()));
    bean.setReDate(model.getTransferRequestTime());
    bean.setAcDate(model.getPendingTransferExpirationTime());
    return bean;
--- a/core/src/main/java/google/registry/rde/DomainToXjcConverter.java
+++ b/core/src/main/java/google/registry/rde/DomainToXjcConverter.java
@@ -262,8 +262,8 @@ final class DomainToXjcConverter {
    XjcRdeDomainTransferDataType bean = new XjcRdeDomainTransferDataType();
    bean.setTrStatus(
        XjcEppcomTrStatusType.fromValue(model.getTransferStatus().getXmlName()));
-    bean.setReRr(RdeUtil.makeXjcRdeRrType(model.getGainingRegistrarId()));
-    bean.setAcRr(RdeUtil.makeXjcRdeRrType(model.getLosingRegistrarId()));
+    bean.setReRr(RdeUtils.makeXjcRdeRrType(model.getGainingRegistrarId()));
+    bean.setAcRr(RdeUtils.makeXjcRdeRrType(model.getLosingRegistrarId()));
    bean.setReDate(model.getTransferRequestTime());
    bean.setAcDate(model.getPendingTransferExpirationTime());
    bean.setExDate(model.getTransferredRegistrationExpirationTime());
--- a/core/src/main/java/google/registry/rde/PendingDepositChecker.java
+++ b/core/src/main/java/google/registry/rde/PendingDepositChecker.java
@@ -23,9 +23,9 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.model.common.Cursor;
 import google.registry.model.common.Cursor.CursorType;
 import google.registry.model.rde.RdeMode;
-import google.registry.model.tld.Registries;
 import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldType;
+import google.registry.model.tld.Tlds;
 import google.registry.util.Clock;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -83,7 +83,7 @@ public final class PendingDepositChecker {
    ImmutableSetMultimap.Builder<String, PendingDeposit> builder =
        new ImmutableSetMultimap.Builder<>();
    DateTime now = clock.nowUtc();
-    for (String tldStr : Registries.getTldsOfType(TldType.REAL)) {
+    for (String tldStr : Tlds.getTldsOfType(TldType.REAL)) {
      Tld tld = Tld.get(tldStr);
      if (!tld.getEscrowEnabled()) {
        continue;
--- a/core/src/main/java/google/registry/rde/RdeReportAction.java
+++ b/core/src/main/java/google/registry/rde/RdeReportAction.java
@@ -19,6 +19,7 @@ import static com.google.common.net.MediaType.PLAIN_TEXT_UTF_8;
 import static google.registry.model.common.Cursor.getCursorTimeOrStartOfTime;
 import static google.registry.model.rde.RdeMode.FULL;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.rde.RdeUtils.findMostRecentPrefixForWatermark;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.util.DateTimeUtils.isBeforeOrAt;

@@ -98,8 +99,10 @@ public final class RdeReportAction implements Runnable, EscrowTask {
        RdeRevision.getCurrentRevision(tld, watermark, FULL)
            .orElseThrow(
                () -> new IllegalStateException("RdeRevision was not set on generated deposit"));
-    String name =
-        prefix.orElse("") + RdeNamingUtils.makeRydeFilename(tld, watermark, FULL, 1, revision);
+    if (!prefix.isPresent()) {
+      prefix = Optional.of(findMostRecentPrefixForWatermark(watermark, bucket, tld, gcsUtils));
+    }
+    String name = prefix.get() + RdeNamingUtils.makeRydeFilename(tld, watermark, FULL, 1, revision);
    BlobId reportFilename = BlobId.of(bucket, name + "-report.xml.ghostryde");
    verify(gcsUtils.existsAndNotEmpty(reportFilename), "Missing file: %s", reportFilename);
    reporter.send(readReportFromGcs(reportFilename));
--- a/core/src/main/java/google/registry/rde/RdeReporter.java
+++ b/core/src/main/java/google/registry/rde/RdeReporter.java
@@ -43,6 +43,7 @@ import java.io.ByteArrayInputStream;
 import java.net.MalformedURLException;
 import java.net.SocketTimeoutException;
 import java.net.URL;
+import java.util.Arrays;
 import javax.inject.Inject;

 /**
@@ -86,22 +87,23 @@ public class RdeReporter {
        retrier.callWithRetry(
            () -> {
              HTTPResponse rsp1 = urlFetchService.fetch(req);
-              switch (rsp1.getResponseCode()) {
-                case SC_OK:
-                case SC_BAD_REQUEST:
-                  break;
-                default:
-                  throw new RuntimeException("PUT failed");
+              int responseCode = rsp1.getResponseCode();
+              if (responseCode != SC_OK && responseCode != SC_BAD_REQUEST) {
+                logger.atSevere().log(
+                    "Failure when trying to PUT RDE report to ICANN server: %d\n%s",
+                    responseCode, Arrays.toString(rsp1.getContent()));
+                throw new RuntimeException("Error uploading deposits to ICANN");
              }
              return rsp1;
            },
            SocketTimeoutException.class);

-    // Ensure the XML response is valid.
+    // Ensure the XML response is valid. The EPP result code would not be 1000 if we get an
+    // SC_BAD_REQUEST as the HTTP response code.
    XjcIirdeaResult result = parseResult(rsp.getContent());
    if (result.getCode().getValue() != 1000) {
      logger.atWarning().log(
-          "PUT rejected: %d %s\n%s",
+          "Rejected when trying to PUT RDE report to ICANN server: %d %s\n%s",
          result.getCode().getValue(), result.getMsg(), result.getDescription());
      throw new InternalServerErrorException(result.getMsg());
    }
--- a/core/src/main/java/google/registry/rde/RdeUploadAction.java
+++ b/core/src/main/java/google/registry/rde/RdeUploadAction.java
@@ -23,6 +23,7 @@ import static google.registry.model.common.Cursor.getCursorTimeOrStartOfTime;
 import static google.registry.model.rde.RdeMode.FULL;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.rde.RdeModule.RDE_REPORT_QUEUE;
+import static google.registry.rde.RdeUtils.findMostRecentPrefixForWatermark;
 import static google.registry.request.Action.Method.POST;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static google.registry.util.DateTimeUtils.isBeforeOrAt;
@@ -31,7 +32,6 @@ import static java.util.Arrays.asList;
 import com.google.cloud.storage.BlobId;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.HashMultimap;
-import com.google.common.collect.Ordering;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.io.ByteStreams;
 import com.jcraft.jsch.JSch;
@@ -136,26 +136,10 @@ public final class RdeUploadAction implements Runnable, EscrowTask {

  @Override
  public void runWithLock(final DateTime watermark) throws Exception {
-    // If a prefix is not provided, but we are in SQL mode, try to determine the prefix. This should
-    // only happen when the RDE upload cron job runs to catch up any un-retried (i. e. expected)
-    // RDE failures.
+    // If a prefix is not provided,try to determine the prefix. This should only happen when the RDE
+    // upload cron job runs to catch up any un-retried (i. e. expected) RDE failures.
    if (!prefix.isPresent()) {
-      // The prefix is always in the format of: rde-2022-02-21t00-00-00z-2022-02-21t00-07-33z, where
-      // the first datetime is the watermark and the second one is the time when the RDE beam job
-      // launched. We search for the latest folder that starts with "rde-[watermark]".
-      String partialPrefix =
-          String.format("rde-%s", watermark.toString("yyyy-MM-dd't'HH-mm-ss'z'"));
-      String latestFilenameSuffix =
-          gcsUtils.listFolderObjects(bucket, partialPrefix).stream()
-              .max(Ordering.natural())
-              .orElse(null);
-      if (latestFilenameSuffix == null) {
-        throw new NoContentException(
-            String.format("RDE deposit for TLD %s on %s does not exist", tld, watermark));
-      }
-      int firstSlashPosition = latestFilenameSuffix.indexOf('/');
-      prefix =
-          Optional.of(partialPrefix + latestFilenameSuffix.substring(0, firstSlashPosition + 1));
+      prefix = Optional.of(findMostRecentPrefixForWatermark(watermark, bucket, tld, gcsUtils));
    }
    logger.atInfo().log("Verifying readiness to upload the RDE deposit.");
    Optional<Cursor> cursor =
@@ -193,7 +177,7 @@ public final class RdeUploadAction implements Runnable, EscrowTask {
                () -> new IllegalStateException("RdeRevision was not set on generated deposit"));
    final String nameWithoutPrefix =
        RdeNamingUtils.makeRydeFilename(tld, watermark, FULL, 1, revision);
-    final String name = prefix.orElse("") + nameWithoutPrefix;
+    final String name = prefix.get() + nameWithoutPrefix;
    final BlobId xmlFilename = BlobId.of(bucket, name + ".xml.ghostryde");
    final BlobId xmlLengthFilename = BlobId.of(bucket, name + ".xml.length");
    BlobId reportFilename = BlobId.of(bucket, name + "-report.xml.ghostryde");
--- a/core/src/main/java/google/registry/rde/RdeUtils.java
+++ b/core/src/main/java/google/registry/rde/RdeUtils.java
@@ -17,9 +17,12 @@ package google.registry.rde;
 import static google.registry.util.HexDumper.dumpHex;
 import static java.nio.charset.StandardCharsets.UTF_8;

+import com.google.common.collect.Ordering;
 import com.google.common.io.BaseEncoding;
 import com.google.re2j.Matcher;
 import com.google.re2j.Pattern;
+import google.registry.gcs.GcsUtils;
+import google.registry.request.HttpException.NoContentException;
 import google.registry.xjc.rde.XjcRdeRrType;
 import google.registry.xml.XmlException;
 import java.io.BufferedInputStream;
@@ -31,7 +34,7 @@ import org.joda.time.format.DateTimeFormatter;
 import org.joda.time.format.ISODateTimeFormat;

 /** Helper methods for RDE. */
-public final class RdeUtil {
+public final class RdeUtils {

  /** Number of bytes in head of XML deposit that will contain the information we want. */
  private static final int PEEK_SIZE = 2048;
@@ -70,6 +73,32 @@ public final class RdeUtil {
    return DATETIME_FORMATTER.parseDateTime(watermarkMatcher.group(1));
  }

+  /** Find the most recent folder in the given GCS bucket for the given watermark. */
+  public static String findMostRecentPrefixForWatermark(
+      DateTime watermark, String bucket, String tld, GcsUtils gcsUtils) throws NoContentException {
+    // The prefix is always in the format of: rde-2022-02-21t00-00-00z-2022-02-21t00-07-33z, where
+    // the first datetime is the watermark and the second one is the time when the RDE beam job
+    // launched. We search for the latest folder that starts with "rde-[watermark]".
+    String partialPrefix = String.format("rde-%s", watermark.toString("yyyy-MM-dd't'HH-mm-ss'z'"));
+    String latestFilenameSuffix = null;
+    try {
+      latestFilenameSuffix =
+          gcsUtils.listFolderObjects(bucket, partialPrefix).stream()
+              .max(Ordering.natural())
+              .orElse(null);
+    } catch (IOException e) {
+      throw new NoContentException(
+          String.format(
+              "Error reading folders starting with %s in bucket %s", partialPrefix, bucket));
+    }
+    if (latestFilenameSuffix == null) {
+      throw new NoContentException(
+          String.format("RDE deposit for TLD %s on %s does not exist", tld, watermark));
+    }
+    int firstSlashPosition = latestFilenameSuffix.indexOf('/');
+    return partialPrefix + latestFilenameSuffix.substring(0, firstSlashPosition + 1);
+  }
+
  /**
   * Generates an ID matching the regex {@code \w&lbrace;1,13&rbrace; } from a millisecond
   * timestamp.
@@ -89,5 +118,5 @@ public final class RdeUtil {
    return bean;
  }

-  private RdeUtil() {}
+  private RdeUtils() {}
 }
--- a/core/src/main/java/google/registry/reporting/ReportingModule.java
+++ b/core/src/main/java/google/registry/reporting/ReportingModule.java
@@ -21,7 +21,7 @@ import static google.registry.request.RequestParameters.extractRequiredParameter
 import com.google.api.services.dataflow.Dataflow;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.config.CredentialModule.DefaultCredential;
+import google.registry.config.CredentialModule.ApplicationDefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.Parameter;
@@ -134,7 +134,7 @@ public class ReportingModule {
  /** Constructs a {@link Dataflow} API client with default settings. */
  @Provides
  static Dataflow provideDataflow(
-      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
+      @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId) {
    return new Dataflow.Builder(
            credentialsBundle.getHttpTransport(),
--- a/core/src/main/java/google/registry/reporting/icann/IcannHttpReporter.java
+++ b/core/src/main/java/google/registry/reporting/icann/IcannHttpReporter.java
@@ -16,7 +16,7 @@ package google.registry.reporting.icann;

 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.net.MediaType.CSV_UTF_8;
-import static google.registry.model.tld.Registries.assertTldExists;
+import static google.registry.model.tld.Tlds.assertTldExists;
 import static java.nio.charset.StandardCharsets.UTF_8;

 import com.google.api.client.http.ByteArrayContent;
--- a/core/src/main/java/google/registry/reporting/icann/IcannReportingUploadAction.java
+++ b/core/src/main/java/google/registry/reporting/icann/IcannReportingUploadAction.java
@@ -29,9 +29,9 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.gcs.GcsUtils;
 import google.registry.model.common.Cursor;
 import google.registry.model.common.Cursor.CursorType;
-import google.registry.model.tld.Registries;
 import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldType;
+import google.registry.model.tld.Tlds;
 import google.registry.persistence.VKey;
 import google.registry.request.Action;
 import google.registry.request.HttpException.ServiceUnavailableException;
@@ -203,7 +203,7 @@ public final class IcannReportingUploadAction implements Runnable {
  /** Returns a map of each cursor to the tld. */
  private ImmutableMap<Cursor, String> loadCursors() {

-    ImmutableSet<Tld> registries = Registries.getTldEntitiesOfType(TldType.REAL);
+    ImmutableSet<Tld> registries = Tlds.getTldEntitiesOfType(TldType.REAL);

    ImmutableMap<VKey<? extends Cursor>, Tld> activityKeyMap =
        loadKeyMap(registries, CursorType.ICANN_UPLOAD_ACTIVITY);
--- a/core/src/main/java/google/registry/request/OptionalJsonPayload.java
+++ b/core/src/main/java/google/registry/request/OptionalJsonPayload.java
@@ -0,0 +1,29 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.request;
+
+import java.lang.annotation.Documented;
+import javax.inject.Qualifier;
+
+/**
+ * Dagger qualifier for the HTTP request payload as parsed JSON wrapped in Optional. Can be used for
+ * any kind of request methods - GET, POST, etc. Will provide Optional.empty() if body is not
+ * present.
+ *
+ * @see RequestModule
+ */
+@Qualifier
+@Documented
+public @interface OptionalJsonPayload {}
--- a/core/src/main/java/google/registry/request/RequestMetrics.java
+++ b/core/src/main/java/google/registry/request/RequestMetrics.java
@@ -24,7 +24,7 @@ import com.google.common.flogger.FluentLogger;
 import com.google.monitoring.metrics.EventMetric;
 import com.google.monitoring.metrics.LabelDescriptor;
 import com.google.monitoring.metrics.MetricRegistryImpl;
-import google.registry.request.auth.AuthLevel;
+import google.registry.request.auth.AuthSettings.AuthLevel;
 import java.util.List;
 import java.util.stream.Collectors;
 import org.joda.time.Duration;
--- a/core/src/main/java/google/registry/request/RequestModule.java
+++ b/core/src/main/java/google/registry/request/RequestModule.java
@@ -17,8 +17,8 @@ package google.registry.request;
 import static com.google.common.net.MediaType.JSON_UTF_8;
 import static google.registry.dns.PublishDnsUpdatesAction.APP_ENGINE_RETRY_HEADER;
 import static google.registry.dns.PublishDnsUpdatesAction.CLOUD_TASKS_RETRY_HEADER;
-import static google.registry.model.tld.Registries.assertTldExists;
-import static google.registry.model.tld.Registries.assertTldsExist;
+import static google.registry.model.tld.Tlds.assertTldExists;
+import static google.registry.model.tld.Tlds.assertTldsExist;
 import static google.registry.request.RequestParameters.extractOptionalHeader;
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 import static google.registry.request.RequestParameters.extractSetOfParameters;
@@ -31,6 +31,8 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.io.ByteStreams;
 import com.google.common.io.CharStreams;
 import com.google.common.net.MediaType;
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
 import com.google.protobuf.ByteString;
 import dagger.Module;
 import dagger.Provides;
@@ -194,8 +196,7 @@ public final class RequestModule {
  @JsonPayload
  @SuppressWarnings("unchecked")
  static Map<String, Object> provideJsonPayload(
-      @Header("Content-Type") MediaType contentType,
-      @Payload String payload) {
+      @Header("Content-Type") MediaType contentType, @Payload String payload) {
    if (!JSON_UTF_8.is(contentType.withCharset(UTF_8))) {
      throw new UnsupportedMediaTypeException(
          String.format("Expected %s Content-Type", JSON_UTF_8.withoutParameters()));
@@ -247,4 +248,15 @@ public final class RequestModule {
  static Optional<Integer> provideCloudTasksRetryCount(HttpServletRequest req) {
    return extractOptionalHeader(req, CLOUD_TASKS_RETRY_HEADER).map(Integer::parseInt);
  }
+
+  @Provides
+  @OptionalJsonPayload
+  public static Optional<JsonObject> provideJsonBody(HttpServletRequest req, Gson gson) {
+    try {
+      JsonObject body = gson.fromJson(req.getReader(), JsonObject.class);
+      return Optional.of(body);
+    } catch (Exception e) {
+      return Optional.empty();
+    }
+  }
 }
--- a/core/src/main/java/google/registry/request/auth/AppEngineInternalAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/AppEngineInternalAuthenticationMechanism.java
@@ -14,8 +14,8 @@

 package google.registry.request.auth;

-import static google.registry.request.auth.AuthLevel.APP;
-import static google.registry.request.auth.AuthLevel.NONE;
+import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
+import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;

 import com.google.appengine.api.users.UserService;
 import javax.inject.Inject;
--- a/core/src/main/java/google/registry/request/auth/Auth.java
+++ b/core/src/main/java/google/registry/request/auth/Auth.java
@@ -15,9 +15,9 @@
 package google.registry.request.auth;

 import com.google.common.collect.ImmutableList;
-import google.registry.request.auth.RequestAuthenticator.AuthMethod;
-import google.registry.request.auth.RequestAuthenticator.AuthSettings;
-import google.registry.request.auth.RequestAuthenticator.UserPolicy;
+import google.registry.request.auth.AuthSettings.AuthLevel;
+import google.registry.request.auth.AuthSettings.AuthMethod;
+import google.registry.request.auth.AuthSettings.UserPolicy;

 /** Enum used to configure authentication settings for Actions. */
 public enum Auth {
@@ -25,21 +25,18 @@ public enum Auth {
  /**
   * Allows anyone access, doesn't attempt to authenticate user.
   *
-   * Will never return absent(), but only authenticates access from App Engine task-queues. For
+   * <p>Will never return absent(), but only authenticates access from App Engine task-queues. For
   * everyone else - returns NOT_AUTHENTICATED.
   */
-  AUTH_PUBLIC_ANONYMOUS(
-      ImmutableList.of(AuthMethod.INTERNAL),
-      AuthLevel.NONE,
-      UserPolicy.PUBLIC),
+  AUTH_PUBLIC_ANONYMOUS(ImmutableList.of(AuthMethod.INTERNAL), AuthLevel.NONE, UserPolicy.PUBLIC),

  /**
-   * Allows anyone access, does attempt to authenticate user.
+   * Allows anyone to access, does attempt to authenticate user.
   *
-   * If a user is logged in, will authenticate (and return) them. Otherwise, access is still
+   * <p>If a user is logged in, will authenticate (and return) them. Otherwise, access is still
   * granted, but NOT_AUTHENTICATED is returned.
   *
-   * Will never return absent().
+   * <p>Will never return absent().
   */
  AUTH_PUBLIC(
      ImmutableList.of(AuthMethod.INTERNAL, AuthMethod.API, AuthMethod.LEGACY),
@@ -47,17 +44,15 @@ public enum Auth {
      UserPolicy.PUBLIC),

  /**
-   * Allows anyone access, as long as they are logged in.
+   * Allows anyone to access, as long as they are logged in.
   *
-   * Does not allow access from App Engine task-queues.
+   * <p>Does not allow access from App Engine task-queues.
   */
  AUTH_PUBLIC_LOGGED_IN(
-      ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY),
-      AuthLevel.USER,
-      UserPolicy.PUBLIC),
+      ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.PUBLIC),

  /**
-   * Allows anyone access, as long as they use OAuth to authenticate.
+   * Allows anyone to access, as long as they use OAuth to authenticate.
   *
   * <p>Also allows access from App Engine task-queue. Note that OAuth client ID still needs to be
   * allow-listed in the config file for OAuth-based authentication to succeed.
@@ -80,10 +75,7 @@ public enum Auth {

  private final AuthSettings authSettings;

-  Auth(
-      ImmutableList<AuthMethod> methods,
-      AuthLevel minimumLevel,
-      UserPolicy userPolicy) {
+  Auth(ImmutableList<AuthMethod> methods, AuthLevel minimumLevel, UserPolicy userPolicy) {
    authSettings = AuthSettings.create(methods, minimumLevel, userPolicy);
  }

--- a/core/src/main/java/google/registry/request/auth/AuthLevel.java
+++ b/core/src/main/java/google/registry/request/auth/AuthLevel.java
@@ -1,52 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-/**
- * Authentication level.
- *
- * <p>Used by {@link Auth} to specify what authentication is required, and by {@link AuthResult})
- * to specify what authentication was found. These are a series of levels, from least to most
- * authentication required. The lowest level of requirement, NONE, can be satisfied by any level
- * of authentication, while the highest level, USER, can only be satisfied by the authentication of
- * a specific user. The level returned may be higher than what was required, if more authentication
- * turns out to be possible. For instance, if an authenticated user is found, USER will be returned
- * even if no authentication was required.
- */
-public enum AuthLevel {
-
-  /** No authentication was required/found. */
-  NONE,
-
-  /**
-   * Authentication required, but user not required.
-   *
-   * <p>In Auth: Authentication is required, but app-internal authentication (which isn't associated
-   * with a specific user) is permitted.
-   *
-   * <p>In AuthResult: App-internal authentication was successful.
-   */
-  APP,
-
-  /**
-   * Authentication required, user required.
-   *
-   * <p>In Auth: Authentication is required, and app-internal authentication is forbidden, meaning
-   * that a valid authentication result will contain specific user information.
-   *
-   * <p>In AuthResult: A valid user was authenticated.
-   */
-  USER
-}
--- a/core/src/main/java/google/registry/request/auth/AuthModule.java
+++ b/core/src/main/java/google/registry/request/auth/AuthModule.java
@@ -14,6 +14,8 @@

 package google.registry.request.auth;

+import static com.google.common.net.HttpHeaders.AUTHORIZATION;
+
 import com.google.appengine.api.oauth.OAuthService;
 import com.google.appengine.api.oauth.OAuthServiceFactory;
 import com.google.auth.oauth2.TokenVerifier;
@@ -21,35 +23,46 @@ import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.request.auth.OidcTokenAuthenticationMechanism.IapOidcAuthenticationMechanism;
+import google.registry.request.auth.OidcTokenAuthenticationMechanism.RegularOidcAuthenticationMechanism;
+import google.registry.request.auth.OidcTokenAuthenticationMechanism.TokenExtractor;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;

-/**
- * Dagger module for authentication routines.
- */
+/** Dagger module for authentication routines. */
@Module
 public class AuthModule {

+  // IAP-signed JWT will be in this header.
+  // See https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers.
+  public static final String IAP_HEADER_NAME = "X-Goog-IAP-JWT-Assertion";
+  // GAE will put the content in header "proxy-authorization" in this header when it routes the
+  // request to the app.
+  public static final String PROXY_HEADER_NAME = "X-Google-Proxy-Authorization";
+  public static final String BEARER_PREFIX = "Bearer ";
+  // TODO: Change the IAP audience format once we are on GKE.
+  // See: https://cloud.google.com/iap/docs/signed-headers-howto#verifying_the_jwt_payload
+  private static final String IAP_AUDIENCE_FORMAT = "/projects/%d/apps/%s";
  private static final String IAP_ISSUER_URL = "https://cloud.google.com/iap";
  private static final String SA_ISSUER_URL = "https://accounts.google.com";

-  /** Provides the custom authentication mechanisms (including OAuth). */
+  /** Provides the custom authentication mechanisms (including OAuth and OIDC). */
  @Provides
  ImmutableList<AuthenticationMechanism> provideApiAuthenticationMechanisms(
      OAuthAuthenticationMechanism oauthAuthenticationMechanism,
-      IapHeaderAuthenticationMechanism iapHeaderAuthenticationMechanism,
-      ServiceAccountAuthenticationMechanism serviceAccountAuthenticationMechanism) {
+      IapOidcAuthenticationMechanism iapOidcAuthenticationMechanism,
+      RegularOidcAuthenticationMechanism regularOidcAuthenticationMechanism) {
    return ImmutableList.of(
        oauthAuthenticationMechanism,
-        iapHeaderAuthenticationMechanism,
-        serviceAccountAuthenticationMechanism);
+        iapOidcAuthenticationMechanism,
+        regularOidcAuthenticationMechanism);
  }

  @Qualifier
-  @interface IAP {}
+  @interface IapOidc {}

  @Qualifier
-  @interface ServiceAccount {}
+  @interface RegularOidc {}

  /** Provides the OAuthService instance. */
  @Provides
@@ -58,18 +71,42 @@ public class AuthModule {
  }

  @Provides
-  @IAP
+  @IapOidc
  @Singleton
-  TokenVerifier provideTokenVerifier(
+  TokenVerifier provideIapTokenVerifier(
      @Config("projectId") String projectId, @Config("projectIdNumber") long projectIdNumber) {
-    String audience = String.format("/projects/%d/apps/%s", projectIdNumber, projectId);
+    String audience = String.format(IAP_AUDIENCE_FORMAT, projectIdNumber, projectId);
    return TokenVerifier.newBuilder().setAudience(audience).setIssuer(IAP_ISSUER_URL).build();
  }

  @Provides
-  @ServiceAccount
+  @RegularOidc
  @Singleton
-  TokenVerifier provideServiceAccountTokenVerifier(@Config("projectId") String projectId) {
+  TokenVerifier provideRegularTokenVerifier(@Config("projectId") String projectId) {
    return TokenVerifier.newBuilder().setAudience(projectId).setIssuer(SA_ISSUER_URL).build();
  }
+
+  @Provides
+  @IapOidc
+  @Singleton
+  TokenExtractor provideIapTokenExtractor() {
+    return request -> request.getHeader(IAP_HEADER_NAME);
+  }
+
+  @Provides
+  @RegularOidc
+  @Singleton
+  TokenExtractor provideRegularTokenExtractor() {
+    return request -> {
+      // TODO: only check the Authorizaiton header after the migration to OIDC is complete.
+      String rawToken = request.getHeader(PROXY_HEADER_NAME);
+      if (rawToken == null) {
+        rawToken = request.getHeader(AUTHORIZATION);
+      }
+      if (rawToken != null && rawToken.startsWith(BEARER_PREFIX)) {
+        return rawToken.substring(BEARER_PREFIX.length());
+      }
+      return null;
+    };
+  }
 }
--- a/core/src/main/java/google/registry/request/auth/AuthResult.java
+++ b/core/src/main/java/google/registry/request/auth/AuthResult.java
@@ -17,6 +17,7 @@ package google.registry.request.auth;
 import static com.google.common.base.Preconditions.checkNotNull;

 import com.google.auto.value.AutoValue;
+import google.registry.request.auth.AuthSettings.AuthLevel;
 import java.util.Optional;
 import javax.annotation.Nullable;

@@ -66,6 +67,5 @@ public abstract class AuthResult {
   * returns NOT_AUTHENTICATED in this case, as opposed to absent() if authentication failed and was
   * required. So as a return from an authorization check, this can be treated as a success.
   */
-  public static final AuthResult NOT_AUTHENTICATED =
-      AuthResult.create(AuthLevel.NONE);
+  public static final AuthResult NOT_AUTHENTICATED = create(AuthLevel.NONE);
 }
--- a/core/src/main/java/google/registry/request/auth/AuthSettings.java
+++ b/core/src/main/java/google/registry/request/auth/AuthSettings.java
@@ -0,0 +1,109 @@
+// Copyright 2023 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.request.auth;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableList;
+import com.google.errorprone.annotations.Immutable;
+
+/**
+ * Parameters used to configure the authenticator.
+ *
+ * <p>AuthSettings shouldn't be used directly, instead - use one of the predefined {@link Auth} enum
+ * values.
+ */
+@Immutable
+@AutoValue
+public abstract class AuthSettings {
+
+  public abstract ImmutableList<AuthMethod> methods();
+
+  public abstract AuthLevel minimumLevel();
+
+  public abstract UserPolicy userPolicy();
+
+  static AuthSettings create(
+      ImmutableList<AuthMethod> methods, AuthLevel minimumLevel, UserPolicy userPolicy) {
+    return new AutoValue_AuthSettings(methods, minimumLevel, userPolicy);
+  }
+
+  /** Available methods for authentication. */
+  public enum AuthMethod {
+
+    /** App Engine internal authentication. Must always be provided as the first method. */
+    INTERNAL,
+
+    /** Authentication methods suitable for API-style access, such as OAuth 2. */
+    API,
+
+    /** Legacy authentication using cookie-based App Engine Users API. Must come last if present. */
+    LEGACY
+  }
+
+  /**
+   * Authentication level.
+   *
+   * <p>Used by {@link Auth} to specify what authentication is required, and by {@link AuthResult})
+   * to specify what authentication was found. These are a series of levels, from least to most
+   * authentication required. The lowest level of requirement, NONE, can be satisfied by any level
+   * of authentication, while the highest level, USER, can only be satisfied by the authentication
+   * of a specific user. The level returned may be higher than what was required, if more
+   * authentication turns out to be possible. For instance, if an authenticated user is found, USER
+   * will be returned even if no authentication was required.
+   */
+  public enum AuthLevel {
+
+    /** No authentication was required/found. */
+    NONE,
+
+    /**
+     * Authentication required, but user not required.
+     *
+     * <p>In Auth: Authentication is required, but app-internal authentication (which isn't
+     * associated with a specific user) is permitted.
+     *
+     * <p>In AuthResult: App-internal authentication was successful.
+     */
+    APP,
+
+    /**
+     * Authentication required, user required.
+     *
+     * <p>In Auth: Authentication is required, and app-internal authentication is forbidden, meaning
+     * that a valid authentication result will contain specific user information.
+     *
+     * <p>In AuthResult: A valid user was authenticated.
+     */
+    USER
+  }
+
+  /** User authorization policy options. */
+  public enum UserPolicy {
+
+    /** This action ignores end users; the only configured auth method must be INTERNAL. */
+    IGNORED,
+
+    /** No user policy is enforced; anyone can access this action. */
+    PUBLIC,
+
+    /**
+     * If there is a user, it must be an admin, as determined by isUserAdmin().
+     *
+     * <p>Note that, according to App Engine, anybody with access to the app in the GCP Console,
+     * including editors and viewers, is an admin.
+     */
+    ADMIN
+  }
+}
--- a/core/src/main/java/google/registry/request/auth/IapHeaderAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/IapHeaderAuthenticationMechanism.java
@@ -1,60 +0,0 @@
-// Copyright 2022 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import com.google.auth.oauth2.TokenVerifier;
-import google.registry.model.console.User;
-import google.registry.model.console.UserDao;
-import google.registry.request.auth.AuthModule.IAP;
-import java.util.Optional;
-import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * A way to authenticate HTTP requests that have gone through the GCP Identity-Aware Proxy.
- *
- * <p>When the user logs in, IAP provides a JWT in the <code>X-Goog-IAP-JWT-Assertion</code> header.
- * This header is included on all requests to IAP-enabled services (which should be all of them that
- * receive requests from the front end). The token verification libraries ensure that the signed
- * token has the proper audience and issuer.
- *
- * @see <a href="https://cloud.google.com/iap/docs/signed-headers-howto">the documentation on GCP
- *     IAP's signed headers for more information.</a>
- */
-public class IapHeaderAuthenticationMechanism extends IdTokenAuthenticationBase {
-
-  private static final String ID_TOKEN_HEADER_NAME = "X-Goog-IAP-JWT-Assertion";
-
-  @Inject
-  public IapHeaderAuthenticationMechanism(@IAP TokenVerifier tokenVerifier) {
-    super(tokenVerifier);
-  }
-
-  @Override
-  String rawTokenFromRequest(HttpServletRequest request) {
-    return request.getHeader(ID_TOKEN_HEADER_NAME);
-  }
-
-  @Override
-  AuthResult authResultFromEmail(String emailAddress) {
-    Optional<User> maybeUser = UserDao.loadUser(emailAddress);
-    if (!maybeUser.isPresent()) {
-      logger.atInfo().log("No user found for email address %s", emailAddress);
-      return AuthResult.NOT_AUTHENTICATED;
-    }
-    return AuthResult.create(AuthLevel.USER, UserAuthInfo.create(maybeUser.get()));
-  }
-
-}
--- a/core/src/main/java/google/registry/request/auth/IdTokenAuthenticationBase.java
+++ b/core/src/main/java/google/registry/request/auth/IdTokenAuthenticationBase.java
@@ -1,70 +0,0 @@
-// Copyright 2022 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import com.google.api.client.json.webtoken.JsonWebSignature;
-import com.google.auth.oauth2.TokenVerifier;
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.flogger.FluentLogger;
-import google.registry.config.RegistryEnvironment;
-import google.registry.model.console.User;
-import java.util.Optional;
-import javax.annotation.Nullable;
-import javax.servlet.http.HttpServletRequest;
-
-public abstract class IdTokenAuthenticationBase implements AuthenticationMechanism {
-
-  public static final FluentLogger logger = FluentLogger.forEnclosingClass();
-
-  // A workaround that allows "use" of the IAP-based authenticator when running local testing, i.e.
-  // the RegistryTestServer
-  private static Optional<User> userForTesting = Optional.empty();
-
-  private final TokenVerifier tokenVerifier;
-
-  public IdTokenAuthenticationBase(TokenVerifier tokenVerifier) {
-    this.tokenVerifier = tokenVerifier;
-  }
-
-  abstract String rawTokenFromRequest(HttpServletRequest request);
-
-  abstract AuthResult authResultFromEmail(String email);
-
-  @Override
-  public AuthResult authenticate(HttpServletRequest request) {
-    if (RegistryEnvironment.get().equals(RegistryEnvironment.UNITTEST)
-        && userForTesting.isPresent()) {
-      return AuthResult.create(AuthLevel.USER, UserAuthInfo.create(userForTesting.get()));
-    }
-    String rawIdToken = rawTokenFromRequest(request);
-    if (rawIdToken == null) {
-      return AuthResult.NOT_AUTHENTICATED;
-    }
-    JsonWebSignature token;
-    try {
-      token = tokenVerifier.verify(rawIdToken);
-    } catch (Exception e) {
-      logger.atInfo().withCause(e).log("Error when verifying access token");
-      return AuthResult.NOT_AUTHENTICATED;
-    }
-    String emailAddress = (String) token.getPayload().get("email");
-    return authResultFromEmail(emailAddress);
-  }
-
-  @VisibleForTesting
-  public static void setUserAuthInfoForTestServer(@Nullable User user) {
-    userForTesting = Optional.ofNullable(user);
-  }
-}
--- a/core/src/main/java/google/registry/request/auth/LegacyAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/LegacyAuthenticationMechanism.java
@@ -16,8 +16,8 @@ package google.registry.request.auth;

 import static com.google.common.base.Strings.emptyToNull;
 import static com.google.common.base.Strings.nullToEmpty;
-import static google.registry.request.auth.AuthLevel.NONE;
-import static google.registry.request.auth.AuthLevel.USER;
+import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;
+import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
 import static google.registry.security.XsrfTokenManager.P_CSRF_TOKEN;
 import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;

--- a/core/src/main/java/google/registry/request/auth/OAuthAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/OAuthAuthenticationMechanism.java
@@ -15,8 +15,9 @@
 package google.registry.request.auth;

 import static com.google.common.net.HttpHeaders.AUTHORIZATION;
-import static google.registry.request.auth.AuthLevel.NONE;
-import static google.registry.request.auth.AuthLevel.USER;
+import static google.registry.request.auth.AuthModule.BEARER_PREFIX;
+import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;
+import static google.registry.request.auth.AuthSettings.AuthLevel.USER;

 import com.google.appengine.api.oauth.OAuthRequestException;
 import com.google.appengine.api.oauth.OAuthService;
@@ -35,8 +36,6 @@ import javax.servlet.http.HttpServletRequest;
 */
 public class OAuthAuthenticationMechanism implements AuthenticationMechanism {

-  private static final String BEARER_PREFIX = "Bearer ";
-
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();

  private final OAuthService oauthService;
--- a/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
@@ -0,0 +1,173 @@
+// Copyright 2022 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.request.auth;
+
+import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
+
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.auth.oauth2.TokenVerifier;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableList;
+import com.google.common.flogger.FluentLogger;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.config.RegistryEnvironment;
+import google.registry.model.console.User;
+import google.registry.model.console.UserDao;
+import google.registry.request.auth.AuthModule.IapOidc;
+import google.registry.request.auth.AuthModule.RegularOidc;
+import google.registry.request.auth.AuthSettings.AuthLevel;
+import java.util.Optional;
+import javax.annotation.Nullable;
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * An authenticam mechanism that verifies the OIDC token.
+ *
+ * <p>Currently, two flavors are supported: one that checkes for the OIDC token as a regular bearer
+ * token, and another that checks for the OIDC token passed by IAP. In both cases, the {@link
+ * AuthResult} with the highest {@link AuthLevel} possible is returned. So, if the email address for
+ * which the token is minted exists both as a {@link User} and as a service account, the returned
+ * {@link AuthResult} is at {@link AuthLevel#USER}.
+ *
+ * @see <a href="https://developers.google.com/identity/openid-connect/openid-connect">OpenID
+ *     Connect </a>
+ */
+public abstract class OidcTokenAuthenticationMechanism implements AuthenticationMechanism {
+
+  public static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  // A workaround that allows "use" of the OIDC authenticator when running local testing, i.e.
+  // the RegistryTestServer
+  private static AuthResult authResultForTesting = null;
+
+  protected final TokenVerifier tokenVerifier;
+
+  protected final TokenExtractor tokenExtractor;
+
+  private final ImmutableList<String> serviceAccountEmails;
+
+  protected OidcTokenAuthenticationMechanism(
+      ImmutableList<String> serviceAccountEmails,
+      TokenVerifier tokenVerifier,
+      TokenExtractor tokenExtractor) {
+    this.serviceAccountEmails = serviceAccountEmails;
+    this.tokenVerifier = tokenVerifier;
+    this.tokenExtractor = tokenExtractor;
+  }
+
+  @Override
+  public AuthResult authenticate(HttpServletRequest request) {
+    if (RegistryEnvironment.get().equals(RegistryEnvironment.UNITTEST)
+        && authResultForTesting != null) {
+      logger.atWarning().log("Using AuthResult %s for testing.", authResultForTesting);
+      return authResultForTesting;
+    }
+    String rawIdToken = tokenExtractor.extract(request);
+    if (rawIdToken == null) {
+      return AuthResult.NOT_AUTHENTICATED;
+    }
+    JsonWebSignature token;
+    try {
+      token = tokenVerifier.verify(rawIdToken);
+    } catch (Exception e) {
+      logger.atInfo().withCause(e).log("Error when verifying access token");
+      return AuthResult.NOT_AUTHENTICATED;
+    }
+    String email = (String) token.getPayload().get("email");
+    if (email == null) {
+      logger.atWarning().log("No email address from the OIDC token:\n%s", token.getPayload());
+      return AuthResult.NOT_AUTHENTICATED;
+    }
+    Optional<User> maybeUser = UserDao.loadUser(email);
+    if (maybeUser.isPresent()) {
+      return AuthResult.create(AuthLevel.USER, UserAuthInfo.create(maybeUser.get()));
+    }
+    logger.atInfo().log("No end user found for email address %s", email);
+    if (serviceAccountEmails.stream().anyMatch(e -> e.equals(email))) {
+      return AuthResult.create(APP);
+    }
+    logger.atInfo().log("No service account found for email address %s", email);
+    logger.atWarning().log(
+        "The email address %s is not tied to a principal with access to Nomulus", email);
+    return AuthResult.NOT_AUTHENTICATED;
+  }
+
+  @VisibleForTesting
+  public static void setAuthResultForTesting(@Nullable AuthResult authResult) {
+    authResultForTesting = authResult;
+  }
+
+  @VisibleForTesting
+  public static void unsetAuthResultForTesting() {
+    authResultForTesting = null;
+  }
+
+  @FunctionalInterface
+  protected interface TokenExtractor {
+    @Nullable
+    String extract(HttpServletRequest request);
+  }
+
+  /**
+   * A mechanism to authenticate HTTP requests that have gone through the GCP Identity-Aware Proxy.
+   *
+   * <p>When the user logs in, IAP provides a JWT in the {@code X-Goog-IAP-JWT-Assertion} header.
+   * This header is included on all requests to IAP-enabled services (which should be all of them
+   * that receive requests from the front end). The token verification libraries ensure that the
+   * signed token has the proper audience and issuer.
+   *
+   * @see <a href="https://cloud.google.com/iap/docs/signed-headers-howto">the documentation on GCP
+   *     IAP's signed headers for more information.</a>
+   */
+  static class IapOidcAuthenticationMechanism extends OidcTokenAuthenticationMechanism {
+
+    @Inject
+    protected IapOidcAuthenticationMechanism(
+        @Config("serviceAccountEmails") ImmutableList<String> serviceAccountEmails,
+        @IapOidc TokenVerifier tokenVerifier,
+        @IapOidc TokenExtractor tokenExtractor) {
+      super(serviceAccountEmails, tokenVerifier, tokenExtractor);
+    }
+  }
+
+  /**
+   * A mechanism to authenticate HTTP requests with an OIDC token as a bearer token.
+   *
+   * <p>If the endpoint is not behind IAP, we can try to authenticate the OIDC token supplied in the
+   * request header directly. Ideally we would like all endpoints to be behind IAP, but being able
+   * to authenticate the token directly provides us with the flexibility to do away with OAuth-based
+   * {@link OAuthAuthenticationMechanism} that is tied to App Engine runtime without having to turn
+   * on IAP, which is an all-or-nothing switch for each GAE service (i.e. no way to turn it on only
+   * for certain GAE endpoints).
+   *
+   * <p>Note that this mechanism will try to first extract the token under the "proxy-authorization"
+   * header, before trying "authorization". This is because currently the GAE OAuth service always
+   * uses "authorization", and we would like to provide a way for both auth mechanisms to be working
+   * at the same time for the same request.
+   *
+   * @see <a href=https://datatracker.ietf.org/doc/html/rfc6750>Bearer Token Usage</a>
+   */
+  static class RegularOidcAuthenticationMechanism extends OidcTokenAuthenticationMechanism {
+
+    @Inject
+    protected RegularOidcAuthenticationMechanism(
+        @Config("serviceAccountEmails") ImmutableList<String> serviceAccountEmails,
+        @RegularOidc TokenVerifier tokenVerifier,
+        @RegularOidc TokenExtractor tokenExtractor) {
+      super(serviceAccountEmails, tokenVerifier, tokenExtractor);
+    }
+  }
+}
--- a/core/src/main/java/google/registry/request/auth/RequestAuthenticator.java
+++ b/core/src/main/java/google/registry/request/auth/RequestAuthenticator.java
@@ -16,11 +16,12 @@ package google.registry.request.auth;

 import static com.google.common.base.Preconditions.checkArgument;

-import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Ordering;
 import com.google.common.flogger.FluentLogger;
-import com.google.errorprone.annotations.Immutable;
+import google.registry.request.auth.AuthSettings.AuthLevel;
+import google.registry.request.auth.AuthSettings.AuthMethod;
+import google.registry.request.auth.AuthSettings.UserPolicy;
 import java.util.Optional;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
@@ -44,57 +45,6 @@ public class RequestAuthenticator {
    this.legacyAuthenticationMechanism = legacyAuthenticationMechanism;
  }

-  /**
-   * Parameters used to configure the authenticator.
-   *
-   * AuthSettings shouldn't be used directly, instead - use one of the predefined {@link Auth} enum
-   * values.
-   */
-  @Immutable
-  @AutoValue
-  public abstract static class AuthSettings {
-
-    public abstract ImmutableList<AuthMethod> methods();
-    public abstract AuthLevel minimumLevel();
-    public abstract UserPolicy userPolicy();
-
-    static AuthSettings create(
-        ImmutableList<AuthMethod> methods, AuthLevel minimumLevel, UserPolicy userPolicy) {
-      return new AutoValue_RequestAuthenticator_AuthSettings(methods, minimumLevel, userPolicy);
-    }
-  }
-
-  /** Available methods for authentication. */
-  public enum AuthMethod {
-
-    /** App Engine internal authentication. Must always be provided as the first method. */
-    INTERNAL,
-
-    /** Authentication methods suitable for API-style access, such as OAuth 2. */
-    API,
-
-    /** Legacy authentication using cookie-based App Engine Users API. Must come last if present. */
-    LEGACY
-  }
-
-  /** User authorization policy options. */
-  public enum UserPolicy {
-
-    /** This action ignores end users; the only configured auth method must be INTERNAL. */
-    IGNORED,
-
-    /** No user policy is enforced; anyone can access this action. */
-    PUBLIC,
-
-    /**
-     * If there is a user, it must be an admin, as determined by isUserAdmin().
-     *
-     * <p>Note that, according to App Engine, anybody with access to the app in the GCP Console,
-     * including editors and viewers, is an admin.
-     */
-    ADMIN
-  }
-
  /**
   * Attempts to authenticate and authorize the user, according to the settings of the action.
   *
@@ -169,7 +119,7 @@ public class RequestAuthenticator {
            return authResult;
          }
          break;
-        // API-based user authentication mechanisms, such as OAuth
+          // API-based user authentication mechanisms, such as OAuth
        case API:
          // checkAuthConfig will have insured that the user policy is not IGNORED.
          for (AuthenticationMechanism authMechanism : apiAuthenticationMechanisms) {
@@ -181,7 +131,7 @@ public class RequestAuthenticator {
            }
          }
          break;
-        // Legacy authentication via UserService
+          // Legacy authentication via UserService
        case LEGACY:
          // checkAuthConfig will have insured that the user policy is not IGNORED.
          authResult = legacyAuthenticationMechanism.authenticate(req);
@@ -209,7 +159,7 @@ public class RequestAuthenticator {
        "Actions with INTERNAL auth method may not require USER auth level");
    checkArgument(
        !(auth.userPolicy().equals(UserPolicy.IGNORED)
-          && !authMethods.equals(ImmutableList.of(AuthMethod.INTERNAL))),
+            && !authMethods.equals(ImmutableList.of(AuthMethod.INTERNAL))),
        "Actions with auth methods beyond INTERNAL must not specify the IGNORED user policy");
  }
 }
--- a/core/src/main/java/google/registry/request/auth/ServiceAccountAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/ServiceAccountAuthenticationMechanism.java
@@ -1,63 +0,0 @@
-// Copyright 2023 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import static com.google.common.net.HttpHeaders.AUTHORIZATION;
-import static google.registry.request.auth.AuthLevel.APP;
-
-import com.google.auth.oauth2.TokenVerifier;
-import com.google.common.collect.ImmutableList;
-import google.registry.config.RegistryConfig.Config;
-import google.registry.request.auth.AuthModule.ServiceAccount;
-import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * A way to authenticate HTTP requests signed by Service Account
- *
- * <p>Currently used by cloud scheduler service account
- */
-public class ServiceAccountAuthenticationMechanism extends IdTokenAuthenticationBase {
-
-  private static final String BEARER_PREFIX = "Bearer ";
-
-  private final ImmutableList<String> serviceAccountEmails;
-
-  @Inject
-  public ServiceAccountAuthenticationMechanism(
-      @ServiceAccount TokenVerifier tokenVerifier,
-      @Config("serviceAccountEmails") ImmutableList<String> serviceAccountEmails) {
-    super(tokenVerifier);
-    this.serviceAccountEmails = serviceAccountEmails;
-  }
-
-  @Override
-  String rawTokenFromRequest(HttpServletRequest request) {
-    String rawToken = request.getHeader(AUTHORIZATION);
-    if (rawToken != null && rawToken.startsWith(BEARER_PREFIX)) {
-      return rawToken.substring(BEARER_PREFIX.length());
-    }
-    return null;
-  }
-
-  @Override
-  AuthResult authResultFromEmail(String emailAddress) {
-    if (serviceAccountEmails.stream().anyMatch(e -> e.equals(emailAddress))) {
-      return AuthResult.create(APP);
-    } else {
-      return AuthResult.NOT_AUTHENTICATED;
-    }
-  }
-}
--- a/core/src/main/java/google/registry/tools/AuthModule.java
+++ b/core/src/main/java/google/registry/tools/AuthModule.java
@@ -35,7 +35,6 @@ import dagger.Lazy;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.ApplicationDefaultCredential;
-import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.CredentialModule.LocalCredentialJson;
 import google.registry.config.RegistryConfig.Config;
@@ -222,10 +221,6 @@ public class AuthModule {

  @Module
  abstract static class LocalCredentialModule {
-    @Binds
-    @DefaultCredential
-    abstract GoogleCredentialsBundle provideLocalCredentialAsDefaultCredential(
-        @LocalCredential GoogleCredentialsBundle credential);

    @Binds
    @ApplicationDefaultCredential
--- a/core/src/main/java/google/registry/tools/CountDomainsCommand.java
+++ b/core/src/main/java/google/registry/tools/CountDomainsCommand.java
@@ -14,7 +14,7 @@

 package google.registry.tools;

-import static google.registry.model.tld.Registries.assertTldsExist;
+import static google.registry.model.tld.Tlds.assertTldsExist;
 import static google.registry.persistence.transaction.QueryComposer.Comparator;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;

--- a/core/src/main/java/google/registry/tools/CreateAnchorTenantCommand.java
+++ b/core/src/main/java/google/registry/tools/CreateAnchorTenantCommand.java
@@ -16,7 +16,7 @@ package google.registry.tools;

 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Strings.isNullOrEmpty;
-import static google.registry.model.tld.Registries.findTldForNameOrThrow;
+import static google.registry.model.tld.Tlds.findTldForNameOrThrow;
 import static google.registry.pricing.PricingEngineProxy.getDomainCreateCost;
 import static google.registry.util.StringGenerator.DEFAULT_PASSWORD_LENGTH;
 import static org.joda.time.DateTimeZone.UTC;
--- a/core/src/main/java/google/registry/tools/CreateOrUpdateReservedListCommand.java
+++ b/core/src/main/java/google/registry/tools/CreateOrUpdateReservedListCommand.java
@@ -20,6 +20,7 @@ import google.registry.model.tld.label.ReservedList;
 import google.registry.model.tld.label.ReservedListDao;
 import google.registry.tools.params.PathParameter;
 import java.nio.file.Path;
+import java.util.stream.Collectors;
 import javax.annotation.Nullable;

 /**
@@ -69,4 +70,12 @@ public abstract class CreateOrUpdateReservedListCommand extends ConfirmingComman
    }
    return message;
  }
+
+  String outputReservedListEntries(ReservedList rl) {
+    return "["
+        + rl.getReservedListEntries().values().stream()
+            .map(rle -> String.format("(%s)", rle.toString()))
+            .collect(Collectors.joining(", "))
+        + "]";
+  }
 }
--- a/core/src/main/java/google/registry/tools/CreateOrUpdateTldCommand.java
+++ b/core/src/main/java/google/registry/tools/CreateOrUpdateTldCommand.java
@@ -28,10 +28,10 @@ import com.google.common.collect.ImmutableSortedMap;
 import com.google.common.collect.ImmutableSortedSet;
 import com.google.common.collect.Sets;
 import google.registry.model.pricing.StaticPremiumListPricingEngine;
-import google.registry.model.tld.Registries;
 import google.registry.model.tld.Tld;
 import google.registry.model.tld.Tld.TldState;
 import google.registry.model.tld.Tld.TldType;
+import google.registry.model.tld.Tlds;
 import google.registry.model.tld.label.PremiumList;
 import google.registry.model.tld.label.PremiumListDao;
 import google.registry.tldconfig.idn.IdnTableEnum;
@@ -459,8 +459,8 @@ abstract class CreateOrUpdateTldCommand extends MutatingCommand {
    } finally {
      // Manually reset the cache here so that subsequent commands (e.g. in SetupOteCommand) see
      // the latest version of the data.
-      // TODO(b/24903801): change all those places to use uncached code paths to get Registries.
-      Registries.resetCache();
+      // TODO(b/24903801): change all those places to use uncached code paths to get TLDs.
+      Tlds.resetCache();
    }
  }

--- a/core/src/main/java/google/registry/tools/CreatePremiumListCommand.java
+++ b/core/src/main/java/google/registry/tools/CreatePremiumListCommand.java
@@ -15,7 +15,7 @@
 package google.registry.tools;

 import static com.google.common.base.Preconditions.checkArgument;
-import static google.registry.model.tld.Registries.assertTldExists;
+import static google.registry.model.tld.Tlds.assertTldExists;
 import static google.registry.util.ListNamingUtils.convertFilePathToName;
 import static java.nio.charset.StandardCharsets.UTF_8;

--- a/core/src/main/java/google/registry/tools/CreateReservedListCommand.java
+++ b/core/src/main/java/google/registry/tools/CreateReservedListCommand.java
@@ -15,7 +15,7 @@
 package google.registry.tools;

 import static com.google.common.base.Preconditions.checkArgument;
-import static google.registry.model.tld.Registries.assertTldExists;
+import static google.registry.model.tld.Tlds.assertTldExists;
 import static google.registry.util.ListNamingUtils.convertFilePathToName;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.joda.time.DateTimeZone.UTC;
@@ -28,7 +28,6 @@ import com.google.common.base.Strings;
 import google.registry.model.tld.label.ReservedList;
 import java.nio.file.Files;
 import java.util.List;
-import java.util.stream.Collectors;
 import org.joda.time.DateTime;

 /** Command to create a {@link ReservedList}. */
@@ -64,11 +63,8 @@ final class CreateReservedListCommand extends CreateOrUpdateReservedListCommand
            .setCreationTimestamp(now)
            .build();

-    String entries =
-        reservedList.getReservedListEntries().entrySet().stream()
-            .map(entry -> String.format("%s=%s", entry.getKey(), entry.getValue()))
-            .collect(Collectors.joining(", "));
-    return String.format("%s\nreservedListMap={%s}\n", reservedList, entries);
+    return String.format(
+        "%s\nreservedListMap=%s\n", reservedList, outputReservedListEntries(reservedList));
  }

  private static void validateListName(String name) {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
sarahcaseybot	798a6ffc74	Remove nested transaction from requestDnsRefresh (#2044 ) * Remove nested transaction from requestDnsRefresh * Add a bulk version * Remove transaction time as field * Only add delay once * have PublishDnsUpdatesAction use bulk refresh	2023-06-07 16:00:50 -04:00
sarahcaseybot	fe86ef0a7d	Add breakglass_mode to Tld table (#2046 ) * Add breakglass_mode to Tld table * Add a default value	2023-06-06 16:13:08 -04:00
Weimin Yu	9dd41947e0	Add gmail dependency to project (#2047 ) The Java code will be added in a followup PR. Also fixed tests failing due to org.json upgrade: decimal whole numbers no longer have their fractional parts removed, so currency value strings must end with ".00" instead of ".0".	2023-06-05 16:48:30 -04:00
gbrodman	931a350f3d	Remove slash from console contacts endpoint (#2045 ) Endpoints shouldn't themselves end in slashes	2023-06-02 15:32:18 -04:00
Pavlo Tkach	db1b92638f	Create console settings contact endpoints (#2033 )	2023-05-31 16:34:57 -04:00
Lai Jiang	74baae397a	Find the most recent prefix for RdeReportAction (#2043 ) When RdeReportAction is invoked without a prefix parameter (as in the case when it is kicked off by cron jobs for potential catch ups), we need to used the same heuristics that's employed in RdeUploadAction to find the most recent prefix for the given watermark, otherwise the job will not find any deposits to upload. Also renamed RdeUtil to RdeUtils, to be consistent with our naming conventions.	2023-05-25 14:57:03 -04:00
sarahcaseybot	fddecea18e	Rename Registries to Tlds (#2042 ) * Rename Registries to Tlds * Change Tlds to TLDs in comments	2023-05-24 17:08:09 -04:00
Pavlo Tkach	36a60bdf8b	Add swagger API documentation (#2035 )	2023-05-24 16:10:50 -04:00
dependabot[bot]	58ed53314c	Bump socket.io-parser from 4.2.1 to 4.2.3 in /console-webapp (#2040 ) Bumps [socket.io-parser](https://github.com/socketio/socket.io-parser) from 4.2.1 to 4.2.3. - [Release notes](https://github.com/socketio/socket.io-parser/releases) - [Changelog](https://github.com/socketio/socket.io-parser/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io-parser/compare/4.2.1...4.2.3) --- updated-dependencies: - dependency-name: socket.io-parser dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-24 07:23:15 -04:00
Lai Jiang	5eaf99e02a	Show HTTP response code when PUT fails (#2038 )	2023-05-23 17:01:56 -04:00
Pavlo Tkach	9a5f094d1d	Remove unused queue.xml file left after Cloud Tasks Queue migration (#2039 )	2023-05-23 13:59:21 -04:00
Lai Jiang	6cbc2fa5ef	Wrap tm().loadByKey() in a transaction when caching is not enabled. (#2030 ) We have caching enabled so we never exercised this line.	2023-05-19 14:21:48 -04:00
Lai Jiang	6883093735	Drop DatabaseMigrationStateSchedule table (#2002 )	2023-05-18 13:44:24 -04:00
Lai Jiang	a6078bc4f4	Refactor OIDC-based auth mechanism (#2025 ) IAP and regular OIDC auth mechanisms are unified under a base class that produces either APP or USER level AuthResult based on the principal email found in the OIDC token. Also moved some enum classes to better organize code structure.	2023-05-16 16:43:11 -04:00
gbrodman	6b75cf8496	Add view/edit basic registrar details permissions (#2036 ) This encompasses most of the basic information that is viewable in the existing console, basically, just viewing the base info of the Registrar object.	2023-05-16 15:32:25 -04:00
Lai Jiang	219e9d3afb	Update install.md (#2029 )	2023-05-16 10:07:20 -04:00
sarahcaseybot	acdbc65c51	Change Registry object reference to Tld in configuration.md (#2021 )	2023-05-12 12:32:02 -04:00
Weimin Yu	d510531f65	Remove the deprecatd DefaultCredential (#2032 ) Use the ApplicationDefaultCredential annotation instead. The new annotation has been verified in sandbox and production using the 'executeCannedScript' endpoint. The verification code is removed in this PR too.	2023-05-11 13:46:36 -04:00
Lai Jiang	0d4dd57fe7	Fix a typo (#2031 )	2023-05-11 13:26:07 -04:00
Pavlo Tkach	2667a0e977	Expand nomulus get_domain command to load up deleted domain data too (#2018 )	2023-05-10 16:05:03 -04:00
gbrodman	1aef31efff	Allow usage of standard HTTP requests in CloudTasksUtils (#2013 ) This adds a possible configuration point "defaultServiceAccount" (which in GAE will be the standard GAE service account). If this is configured, CloudTasksUtils can create tasks with standard HTTP requests with an OIDC token corresponding to that service account, as opposed to using the AppEngine-specific request methods. This also works with IAP, in that if IAP is on and we specify the IAP client ID in the config, CloudTasksUtils will use the IAP client ID as the token audience and the request will successfully be passed through the IAP layer. Tetsted in QA.	2023-05-09 16:02:12 -04:00
Lai Jiang	4d19245c29	Change usage grouping key in the invoice CSV (#2024 ) This column is used by the billing team to create invoices. Registrars have asked that a single invoice be created for a given registrar, instead of one per registrar-tld pair. This should have no other effect on the billing pipeline as the invoice grouping key has a description field that also contains the TLD, so the granularity as a whole does not change.	2023-05-09 11:25:11 -04:00
Lai Jiang	4b34307a6e	Delete DatabaseMigrationStateSchedule (#2001 ) We have been using it as a poor man's timed flag that triggers a system behavior change after a certain time. We have no foreseeable future use for it now that the DNS pull queue related code is deleted. If in the future a need for such a flag arises, we are better off implementing a proper flag system than hijacking this class any way.	2023-05-08 14:36:28 -04:00
Pavlo Tkach	55243e7cf6	Adds cloud scheduler and tasks deployer (#1999 )	2023-05-04 15:57:32 -04:00
Lai Jiang	e14764b4c8	Remove DNS pull queue (#2000 ) This is the last dependency on GAE pull queue, therefore we can delete the pull queue config from queue.xml as well.	2023-05-04 13:21:53 -04:00
dependabot[bot]	68810f7a30	Bump engine.io and socket.io in /console-webapp (#2022 ) Bumps [engine.io](https://github.com/socketio/engine.io) and [socket.io](https://github.com/socketio/socket.io). These dependencies needed to be updated together. Updates `engine.io` from 6.2.1 to 6.4.2 - [Release notes](https://github.com/socketio/engine.io/releases) - [Changelog](https://github.com/socketio/engine.io/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/engine.io/compare/6.2.1...6.4.2) Updates `socket.io` from 4.5.2 to 4.6.1 - [Release notes](https://github.com/socketio/socket.io/releases) - [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io/compare/4.5.2...4.6.1) --- updated-dependencies: - dependency-name: engine.io dependency-type: indirect - dependency-name: socket.io dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-04 12:50:19 -04:00
Ben McIlwain	14d245b1e3	Remove duplicate info from create/update reserved list command output (#2020 ) It was repeating the domain label twice for every reserved list entry. It used to look like this: baddies=baddies,FULLY_BLOCKED	2023-05-03 17:31:23 -04:00
Weimin Yu	61ab29ae9e	Prober ssl cert update automation (#2019 ) Defined CloudBuild script and docker image that automatically updates probers' SSL certs	2023-05-03 15:57:50 -04:00
Weimin Yu	6742e5bf23	Remove CloudSql wipeout cron job in crash (#2017 ) No more production data in crash. This allows us to repopulate crash with test data.	2023-05-02 14:44:09 -04:00
Weimin Yu	c7f69eba1d	Prepare switch of credential annotation (#2014 ) * Prepare switch of credential annotation Prepare the switch from DefaultCredential to ApplicationCredential. In nomulus tools, start using the new annotation. This is tested by successfully using the nomulus curl command, which actually needs a valid credential to work. For remaining use cases of the old annotation in Nomulus server, add some code that relies on the new credential to work. Once these code are tested in sandbox and production, we will switch the annotations.	2023-05-01 11:23:19 -04:00