testing

This is only enabled for admins, for now at least. It sends an email to
the registry lock email address to reset it.

console-webapp/src/app/app.component.spec.ts

@@ -14,30 +14,71 @@
 
 import { provideHttpClient } from '@angular/common/http';
 import { provideHttpClientTesting } from '@angular/common/http/testing';
-import { TestBed } from '@angular/core/testing';
-import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
+import { ComponentFixture, fakeAsync, TestBed } from '@angular/core/testing';
+import { NoopAnimationsModule } from '@angular/platform-browser/animations';
 import { AppComponent } from './app.component';
-import { MaterialModule } from './material.module';
-import { BackendService } from './shared/services/backend.service';
-import { AppRoutingModule } from './app-routing.module';
+import { routes } from './app-routing.module';
 import { AppModule } from './app.module';
+import { PocReminderComponent } from './shared/components/pocReminder/pocReminder.component';
+import { RouterModule } from '@angular/router';
+import { MatSnackBar, MatSnackBarModule } from '@angular/material/snack-bar';
+import { UserData, UserDataService } from './shared/services/userData.service';
+import { Registrar, RegistrarService } from './registrar/registrar.service';
+import { MatSidenavModule } from '@angular/material/sidenav';
+import { signal, WritableSignal } from '@angular/core';
 
 describe('AppComponent', () => {
+  let component: AppComponent;
+  let fixture: ComponentFixture<AppComponent>;
+  let mockRegistrarService: {
+    registrar: WritableSignal<Partial<Registrar> | null | undefined>;
+    registrarId: WritableSignal<string>;
+    registrars: WritableSignal<Array<Partial<Registrar>>>;
+  };
+  let mockUserDataService: { userData: WritableSignal<Partial<UserData>> };
+  let mockSnackBar: jasmine.SpyObj<MatSnackBar>;
+
+  const dummyPocReminderComponent = class {}; // Dummy class for type checking
+
   beforeEach(async () => {
+    mockRegistrarService = {
+      registrar: signal<Registrar | null | undefined>(undefined),
+      registrarId: signal('123'),
+      registrars: signal([]),
+    };
+
+    mockUserDataService = {
+      userData: signal({
+        globalRole: 'NONE',
+      }),
+    };
+
+    mockSnackBar = jasmine.createSpyObj('MatSnackBar', ['openFromComponent']);
+
     await TestBed.configureTestingModule({
-      declarations: [AppComponent],
       imports: [
-        MaterialModule,
-        BrowserAnimationsModule,
-        AppRoutingModule,
+        MatSidenavModule,
+        NoopAnimationsModule,
+        MatSnackBarModule,
         AppModule,
+        RouterModule.forRoot(routes),
       ],
       providers: [
-        BackendService,
+        { provide: RegistrarService, useValue: mockRegistrarService },
+        { provide: UserDataService, useValue: mockUserDataService },
+        { provide: MatSnackBar, useValue: mockSnackBar },
+        { provide: PocReminderComponent, useClass: dummyPocReminderComponent },
         provideHttpClient(),
         provideHttpClientTesting(),
       ],
     }).compileComponents();
+
+    fixture = TestBed.createComponent(AppComponent);
+    component = fixture.componentInstance;
+  });
+
+  afterEach(() => {
+    jasmine.clock().uninstall();
   });
 
   it('should create the app', () => {
@@ -46,4 +87,51 @@ describe('AppComponent', () => {
     const app = fixture.componentInstance;
     expect(app).toBeTruthy();
   });
+
+  describe('PoC Verification Reminder', () => {
+    beforeEach(() => {
+      jasmine.clock().install();
+    });
+
+    it('should open snackbar if lastPocVerificationDate is older than one year', fakeAsync(() => {
+      const MOCK_TODAY = new Date('2024-07-15T10:00:00.000Z');
+      jasmine.clock().mockDate(MOCK_TODAY);
+
+      const twoYearsAgo = new Date(MOCK_TODAY);
+      twoYearsAgo.setFullYear(MOCK_TODAY.getFullYear() - 2);
+
+      mockRegistrarService.registrar.set({
+        lastPocVerificationDate: twoYearsAgo.toISOString(),
+      });
+
+      fixture.detectChanges();
+      TestBed.flushEffects();
+
+      expect(mockSnackBar.openFromComponent).toHaveBeenCalledWith(
+        PocReminderComponent,
+        {
+          horizontalPosition: 'center',
+          verticalPosition: 'top',
+          duration: 1000000000,
+        }
+      );
+    }));
+
+    it('should NOT open snackbar if lastPocVerificationDate is within last year', fakeAsync(() => {
+      const MOCK_TODAY = new Date('2024-07-15T10:00:00.000Z');
+      jasmine.clock().mockDate(MOCK_TODAY);
+
+      const sixMonthsAgo = new Date(MOCK_TODAY);
+      sixMonthsAgo.setMonth(MOCK_TODAY.getMonth() - 6);
+
+      mockRegistrarService.registrar.set({
+        lastPocVerificationDate: sixMonthsAgo.toISOString(),
+      });
+
+      fixture.detectChanges();
+      TestBed.flushEffects();
+
+      expect(mockSnackBar.openFromComponent).not.toHaveBeenCalled();
+    }));
+  });
 });

console-webapp/src/app/app.component.ts

@@ -12,13 +12,15 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { AfterViewInit, Component, ViewChild } from '@angular/core';
+import { AfterViewInit, Component, effect, ViewChild } from '@angular/core';
 import { MatSidenav } from '@angular/material/sidenav';
 import { NavigationEnd, Router } from '@angular/router';
 import { RegistrarService } from './registrar/registrar.service';
 import { BreakPointObserverService } from './shared/services/breakPoint.service';
 import { GlobalLoaderService } from './shared/services/globalLoader.service';
 import { UserDataService } from './shared/services/userData.service';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { PocReminderComponent } from './shared/components/pocReminder/pocReminder.component';
 
 @Component({
   selector: 'app-root',
@@ -35,8 +37,28 @@ export class AppComponent implements AfterViewInit {
     protected userDataService: UserDataService,
     protected globalLoader: GlobalLoaderService,
     protected breakpointObserver: BreakPointObserverService,
-    private router: Router
-  ) {}
+    private router: Router,
+    private _snackBar: MatSnackBar
+  ) {
+    effect(() => {
+      const registrar = this.registrarService.registrar();
+      const oneYearAgo = new Date();
+      oneYearAgo.setFullYear(oneYearAgo.getFullYear() - 1);
+      oneYearAgo.setHours(0, 0, 0, 0);
+      if (
+        registrar &&
+        registrar.lastPocVerificationDate &&
+        new Date(registrar.lastPocVerificationDate) < oneYearAgo &&
+        this.userDataService?.userData()?.globalRole === 'NONE'
+      ) {
+        this._snackBar.openFromComponent(PocReminderComponent, {
+          horizontalPosition: 'center',
+          verticalPosition: 'top',
+          duration: 1000000000,
+        });
+      }
+    });
+  }
 
   ngAfterViewInit() {
     this.router.events.subscribe((event) => {

console-webapp/src/app/app.module.ts

@@ -60,6 +60,7 @@ import { TldsComponent } from './tlds/tlds.component';
 import { ForceFocusDirective } from './shared/directives/forceFocus.directive';
 import RdapComponent from './settings/rdap/rdap.component';
 import RdapEditComponent from './settings/rdap/rdapEdit.component';
+import { PocReminderComponent } from './shared/components/pocReminder/pocReminder.component';
 
 @NgModule({
   declarations: [SelectedRegistrarWrapper],
@@ -86,6 +87,7 @@ export class SelectedRegistrarModule {}
     RdapComponent,
     RdapEditComponent,
     ReasonDialogComponent,
+    PocReminderComponent,
     RegistrarComponent,
     RegistrarDetailsComponent,
     RegistrarSelectorComponent,

console-webapp/src/app/navigation/navigation.component.ts

@@ -57,7 +57,7 @@ export class NavigationComponent {
   }
 
   ngOnDestroy() {
-    this.subscription.unsubscribe();
+    this.subscription && this.subscription.unsubscribe();
   }
 
   getElementId(node: RouteWithIcon) {

console-webapp/src/app/registrar/registrar.service.ts

@@ -71,6 +71,7 @@ export interface Registrar
   registrarName: string;
   registryLockAllowed?: boolean;
   type?: string;
+  lastPocVerificationDate?: string;
 }
 
 @Injectable({

console-webapp/src/app/settings/contact/contact.component.ts

@@ -16,11 +16,7 @@ import { Component, effect, ViewEncapsulation } from '@angular/core';
 import { MatTableDataSource } from '@angular/material/table';
 import { take } from 'rxjs';
 import { RegistrarService } from 'src/app/registrar/registrar.service';
-import {
-  ContactService,
-  contactTypeToViewReadyContact,
-  ViewReadyContact,
-} from './contact.service';
+import { ContactService, ViewReadyContact } from './contact.service';
 
 @Component({
   selector: 'app-contact',

console-webapp/src/app/settings/contact/contact.service.ts

@@ -24,7 +24,7 @@ export type contactType =
   | 'LEGAL'
   | 'MARKETING'
   | 'TECH'
-  | 'RDAP';
+  | 'WHOIS';
 
 type contactTypesToUserFriendlyTypes = { [type in contactType]: string };
 
@@ -35,7 +35,7 @@ export const contactTypeToTextMap: contactTypesToUserFriendlyTypes = {
   LEGAL: 'Legal contact',
   MARKETING: 'Marketing contact',
   TECH: 'Technical contact',
-  RDAP: 'RDAP-Inquiry contact',
+  WHOIS: 'RDAP-Inquiry contact',
 };
 
 type UserFriendlyType = (typeof contactTypeToTextMap)[contactType];
@@ -59,7 +59,10 @@ export interface ViewReadyContact extends Contact {
 export function contactTypeToViewReadyContact(c: Contact): ViewReadyContact {
   return {
     ...c,
-    userFriendlyTypes: c.types?.map((cType) => contactTypeToTextMap[cType]),
+    userFriendlyTypes: (c.types || []).map(
+      (cType) => contactTypeToTextMap[cType]
+    ),
+    types: c.types || [],
   };
 }
 
@@ -83,7 +86,7 @@ export class ContactService {
       : contactTypeToViewReadyContact({
           emailAddress: '',
           name: '',
-          types: ['ADMIN'],
+          types: ['TECH'],
           faxNumber: '',
           phoneNumber: '',
           registrarId: '',
@@ -98,19 +101,21 @@ export class ContactService {
     );
   }
 
-  saveContacts(contacts: ViewReadyContact[]): Observable<Contact[]> {
+  updateContact(contact: ViewReadyContact) {
     return this.backend
-      .postContacts(this.registrarService.registrarId(), contacts)
+      .updateContact(this.registrarService.registrarId(), contact)
       .pipe(switchMap((_) => this.fetchContacts()));
   }
 
   addContact(contact: ViewReadyContact) {
-    const newContacts = this.contacts().concat([contact]);
-    return this.saveContacts(newContacts);
+    return this.backend
+      .createContact(this.registrarService.registrarId(), contact)
+      .pipe(switchMap((_) => this.fetchContacts()));
   }
 
   deleteContact(contact: ViewReadyContact) {
-    const newContacts = this.contacts().filter((c) => c !== contact);
-    return this.saveContacts(newContacts);
+    return this.backend
+      .deleteContact(this.registrarService.registrarId(), contact)
+      .pipe(switchMap((_) => this.fetchContacts()));
   }
 }

console-webapp/src/app/settings/contact/contactDetails.component.html

@@ -56,6 +56,7 @@
           [required]="true"
           [(ngModel)]="contactService.contactInEdit.emailAddress"
           [ngModelOptions]="{ standalone: true }"
+          [disabled]="emailAddressIsDisabled()"
         />
       </mat-form-field>
 
@@ -85,14 +86,18 @@
         <mat-icon color="accent">error</mat-icon>Required to select at least one
       </p>
       <div class="">
-        <mat-checkbox
+        <ng-container
           *ngFor="let contactType of contactTypeToTextMap | keyvalue"
-          [checked]="checkboxIsChecked(contactType.key)"
-          (change)="checkboxOnChange($event, contactType.key)"
-          [disabled]="checkboxIsDisabled(contactType.key)"
         >
-          {{ contactType.value }}
-        </mat-checkbox>
+          <mat-checkbox
+            *ngIf="shouldDisplayCheckbox(contactType.key)"
+            [checked]="checkboxIsChecked(contactType.key)"
+            (change)="checkboxOnChange($event, contactType.key)"
+            [disabled]="checkboxIsDisabled(contactType.key)"
+          >
+            {{ contactType.value }}
+          </mat-checkbox>
+        </ng-container>
       </div>
     </section>
 

console-webapp/src/app/settings/contact/contactDetails.component.ts

@@ -69,9 +69,13 @@ export class ContactDetailsComponent {
 
   save(e: SubmitEvent) {
     e.preventDefault();
+    if ((this.contactService.contactInEdit.types || []).length === 0) {
+      this._snackBar.open('Required to select contact type');
+      return;
+    }
     const request = this.contactService.isContactNewView
       ? this.contactService.addContact(this.contactService.contactInEdit)
-      : this.contactService.saveContacts(this.contactService.contacts());
+      : this.contactService.updateContact(this.contactService.contactInEdit);
     request.subscribe({
       complete: () => {
         this.goBack();
@@ -82,6 +86,10 @@ export class ContactDetailsComponent {
     });
   }
 
+  shouldDisplayCheckbox(type: string) {
+    return type !== 'ADMIN' || this.checkboxIsChecked(type);
+  }
+
   checkboxIsChecked(type: string) {
     return this.contactService.contactInEdit.types.includes(
       type as contactType
@@ -89,6 +97,9 @@ export class ContactDetailsComponent {
   }
 
   checkboxIsDisabled(type: string) {
+    if (type === 'ADMIN') {
+      return true;
+    }
     return (
       this.contactService.contactInEdit.types.length === 1 &&
       this.contactService.contactInEdit.types[0] === (type as contactType)
@@ -105,4 +116,8 @@ export class ContactDetailsComponent {
         );
     }
   }
+
+  emailAddressIsDisabled() {
+    return this.contactService.contactInEdit.types.includes('ADMIN');
+  }
 }

console-webapp/src/app/shared/components/pocReminder/pocReminder.component.html

@@ -0,0 +1,14 @@
+<div class="console-app__pocReminder">
+  <p class="">
+    Please take a moment to complete annual review of
+    <a routerLink="/settings">contacts</a>.
+  </p>
+  <span matSnackBarActions>
+    <button mat-button matSnackBarAction (click)="confirmReviewed()">
+      Confirm reviewed
+    </button>
+    <button mat-button matSnackBarAction (click)="snackBarRef.dismiss()">
+      Close
+    </button>
+  </span>
+</div>

console-webapp/src/app/shared/components/pocReminder/pocReminder.component.scss

@@ -0,0 +1,5 @@
+.console-app__pocReminder {
+  a {
+    color: white !important;
+  }
+}

console-webapp/src/app/shared/components/pocReminder/pocReminder.component.ts

@@ -0,0 +1,53 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { Component } from '@angular/core';
+import { MatSnackBar, MatSnackBarRef } from '@angular/material/snack-bar';
+import { RegistrarService } from '../../../registrar/registrar.service';
+import { HttpErrorResponse } from '@angular/common/http';
+
+@Component({
+  selector: 'app-poc-reminder',
+  templateUrl: './pocReminder.component.html',
+  styleUrls: ['./pocReminder.component.scss'],
+  standalone: false,
+})
+export class PocReminderComponent {
+  constructor(
+    public snackBarRef: MatSnackBarRef<PocReminderComponent>,
+    private registrarService: RegistrarService,
+    private _snackBar: MatSnackBar
+  ) {}
+
+  confirmReviewed() {
+    if (this.registrarService.registrar()) {
+      const todayMidnight = new Date();
+      todayMidnight.setHours(0, 0, 0, 0);
+      this.registrarService
+        // @ts-ignore - if check  above won't allow empty object to be submitted
+        .updateRegistrar({
+          ...this.registrarService.registrar(),
+          lastPocVerificationDate: todayMidnight.toISOString(),
+        })
+        .subscribe({
+          error: (err: HttpErrorResponse) => {
+            this._snackBar.open(err.error || err.message);
+          },
+          next: () => {
+            this.snackBarRef.dismiss();
+          },
+        });
+    }
+  }
+}

console-webapp/src/app/shared/services/backend.service.ts

@@ -70,13 +70,26 @@ export class BackendService {
       .pipe(catchError((err) => this.errorCatcher<Contact[]>(err)));
   }
 
-  postContacts(
-    registrarId: string,
-    contacts: Contact[]
-  ): Observable<Contact[]> {
-    return this.http.post<Contact[]>(
+  updateContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.put<Contact>(
       `/console-api/settings/contacts?registrarId=${registrarId}`,
-      contacts
+      contact
+    );
+  }
+
+  createContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.post<Contact>(
+      `/console-api/settings/contacts?registrarId=${registrarId}`,
+      contact
+    );
+  }
+
+  deleteContact(registrarId: string, contact: Contact): Observable<Contact> {
+    return this.http.delete<Contact>(
+      `/console-api/settings/contacts?registrarId=${registrarId}`,
+      {
+        body: JSON.stringify(contact),
+      }
     );
   }
 
@@ -267,4 +280,15 @@ export class BackendService {
       `/console-api/registry-lock-verify?lockVerificationCode=${lockVerificationCode}`
     );
   }
+
+  requestRegistryLockPasswordReset(
+    registrarId: string,
+    registryLockEmail: string
+  ) {
+    return this.http.post('/console-api/password-reset-request', {
+      type: 'REGISTRY_LOCK',
+      registrarId,
+      registryLockEmail,
+    });
+  }
 }

console-webapp/src/app/users/userDetails.component.html

@@ -80,7 +80,15 @@
             roleToDescription(userDetails().role)
           }}</span>
         </mat-list-item>
-        @if (userDetails().password) {
+        @if (userDetails().registryLockEmailAddress) {
+        <mat-divider></mat-divider>
+        <mat-list-item role="listitem">
+          <span class="console-app__list-key">Registry Lock email</span>
+          <span class="console-app__list-value">{{
+            userDetails().registryLockEmailAddress
+          }}</span>
+        </mat-list-item>
+        } @if (userDetails().password) {
         <mat-divider></mat-divider>
         <mat-list-item role="listitem">
           <span class="console-app__list-key">Password</span>

console-webapp/src/app/users/userDetails.component.scss

@@ -35,5 +35,8 @@
       border: 1px solid #ddd;
       border-radius: 10px;
     }
+    .console-app__list-key {
+      width: 160px;
+    }
   }
 }

console-webapp/src/app/users/userEditForm.component.html

@@ -1,45 +1,57 @@
-<form (ngSubmit)="saveEdit($event)" #form>
-  <p *ngIf="isNew()">
-    <mat-form-field appearance="outline">
-      <mat-label
-        >User name prefix:
-        <mat-icon
-          matTooltip="Prefix will be combined with registrar ID to create a unique user name - {prefix}.{registrarId}@registry.google"
-          >help_outline</mat-icon
-        ></mat-label
-      >
-      <input
-        matInput
-        minlength="3"
-        maxlength="3"
-        [required]="true"
-        [(ngModel)]="user().emailAddress"
-        [ngModelOptions]="{ standalone: true }"
-      />
-    </mat-form-field>
-  </p>
-  <p>
-    <mat-form-field appearance="outline">
-      <mat-label
-        >User Role:
-        <mat-icon
-          matTooltip="Viewer role doesn't allow making updates; Editor role allows updates, like Contacts delete or SSL certificate change"
-          >help_outline</mat-icon
-        ></mat-label
-      >
-      <mat-select [(ngModel)]="user().role" name="userRole">
-        <mat-option value="PRIMARY_CONTACT">Editor</mat-option>
-        <mat-option value="ACCOUNT_MANAGER">Viewer</mat-option>
-      </mat-select>
-    </mat-form-field>
-  </p>
+<div class="console-app__user-edit">
+  <form (ngSubmit)="saveEdit($event)" #form>
+    <p *ngIf="isNew()">
+      <mat-form-field appearance="outline">
+        <mat-label
+          >User name prefix:
+          <mat-icon
+            matTooltip="Prefix will be combined with registrar ID to create a unique user name - {prefix}.{registrarId}@registry.google"
+            >help_outline</mat-icon
+          ></mat-label
+        >
+        <input
+          matInput
+          minlength="3"
+          maxlength="3"
+          [required]="true"
+          [(ngModel)]="user().emailAddress"
+          [ngModelOptions]="{ standalone: true }"
+        />
+      </mat-form-field>
+    </p>
+    <p>
+      <mat-form-field appearance="outline">
+        <mat-label
+          >User Role:
+          <mat-icon
+            matTooltip="Viewer role doesn't allow making updates; Editor role allows updates, like Contacts delete or SSL certificate change"
+            >help_outline</mat-icon
+          ></mat-label
+        >
+        <mat-select [(ngModel)]="user().role" name="userRole">
+          <mat-option value="PRIMARY_CONTACT">Editor</mat-option>
+          <mat-option value="ACCOUNT_MANAGER">Viewer</mat-option>
+        </mat-select>
+      </mat-form-field>
+    </p>
+    <button
+      mat-flat-button
+      color="primary"
+      aria-label="Save user"
+      type="submit"
+      aria-label="Save changes to the user"
+    >
+      Save
+    </button>
+  </form>
+  @if(userDataService.userData()?.isAdmin) {
   <button
     mat-flat-button
     color="primary"
-    aria-label="Save user"
-    type="submit"
-    aria-label="Save changes to the user"
+    aria-label="Reset registry lock password"
+    (click)="requestRegistryLockPasswordReset()"
   >
-    Save
+    Reset registry lock password
   </button>
-</form>
+  }
+</div>

console-webapp/src/app/users/userEditForm.component.scss

@@ -0,0 +1,20 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+.console-app__user-edit {
+  button {
+    display: block;
+    margin-bottom: 5px;
+  }
+}

console-webapp/src/app/users/userEditForm.component.ts

@@ -17,13 +17,56 @@ import {
   Component,
   ElementRef,
   EventEmitter,
+  Inject,
   input,
   Output,
   ViewChild,
 } from '@angular/core';
 import { MaterialModule } from '../material.module';
 import { FormsModule } from '@angular/forms';
-import { User } from './users.service';
+import { User, UsersService } from './users.service';
+import { UserDataService } from '../shared/services/userData.service';
+import { BackendService } from '../shared/services/backend.service';
+import { RegistrarService } from '../registrar/registrar.service';
+import {
+  MAT_DIALOG_DATA,
+  MatDialog,
+  MatDialogRef,
+} from '@angular/material/dialog';
+import { filter, switchMap, take } from 'rxjs';
+import { MatSnackBar } from '@angular/material/snack-bar';
+import { HttpErrorResponse } from '@angular/common/http';
+
+@Component({
+  selector: 'app-reset-lock-password-dialog',
+  template: `
+    <h2 mat-dialog-title>Please confirm the password reset:</h2>
+    <mat-dialog-content>
+      This will send a registry lock password reset email to
+      {{ data.registryLockEmailAddress }}.
+    </mat-dialog-content>
+    <mat-dialog-actions>
+      <button mat-button (click)="onCancel()">Cancel</button>
+      <button mat-button color="warn" (click)="onSave()">Confirm</button>
+    </mat-dialog-actions>
+  `,
+  imports: [CommonModule, MaterialModule],
+})
+export class ResetRegistryLockPasswordComponent {
+  constructor(
+    public dialogRef: MatDialogRef<ResetRegistryLockPasswordComponent>,
+    @Inject(MAT_DIALOG_DATA)
+    public data: { registryLockEmailAddress: string }
+  ) {}
+
+  onSave(): void {
+    this.dialogRef.close(true);
+  }
+
+  onCancel(): void {
+    this.dialogRef.close(false);
+  }
+}
 
 @Component({
   selector: 'app-user-edit-form',
@@ -39,12 +82,22 @@ export class UserEditFormComponent {
     {
       emailAddress: '',
       role: 'ACCOUNT_MANAGER',
+      registryLockEmailAddress: '',
     },
     { transform: (user: User) => structuredClone(user) }
   );
 
   @Output() onEditComplete = new EventEmitter<User>();
 
+  constructor(
+    protected userDataService: UserDataService,
+    private backendService: BackendService,
+    private resetRegistryLockPasswordDialog: MatDialog,
+    private registrarService: RegistrarService,
+    private usersService: UsersService,
+    private _snackBar: MatSnackBar
+  ) {}
+
   saveEdit(e: SubmitEvent) {
     e.preventDefault();
     if (this.form.nativeElement.checkValidity()) {
@@ -53,4 +106,34 @@ export class UserEditFormComponent {
       this.form.nativeElement.reportValidity();
     }
   }
+
+  sendRegistryLockPasswordResetRequest() {
+    return this.backendService.requestRegistryLockPasswordReset(
+      this.registrarService.registrarId(),
+      this.user().registryLockEmailAddress!
+    );
+  }
+
+  requestRegistryLockPasswordReset() {
+    const dialogRef = this.resetRegistryLockPasswordDialog.open(
+      ResetRegistryLockPasswordComponent,
+      {
+        data: {
+          registryLockEmailAddress: this.user().registryLockEmailAddress,
+        },
+      }
+    );
+    dialogRef
+      .afterClosed()
+      .pipe(
+        take(1),
+        filter((result) => !!result)
+      )
+      .pipe(switchMap((_) => this.sendRegistryLockPasswordResetRequest()))
+      .subscribe({
+        next: (_) => this.usersService.currentlyOpenUserEmail.set(''),
+        error: (err: HttpErrorResponse) =>
+          this._snackBar.open(err.error || err.message),
+      });
+  }
 }

console-webapp/src/app/users/users.service.ts

@@ -33,6 +33,7 @@ export interface User {
   emailAddress: string;
   role: string;
   password?: string;
+  registryLockEmailAddress?: string;
 }
 
 @Injectable()

core/build.gradle

@@ -17,7 +17,7 @@ import java.util.Optional
 
 plugins {
   id 'java-library'
-  id "org.flywaydb.flyway" version "11.0.1"
+  id "org.flywaydb.flyway" version "9.22.3"
   id 'maven-publish'
 }
 
@@ -61,6 +61,7 @@ def fragileTestPatterns = [
     // Currently changes a global configuration parameter that for some reason
     // results in timestamp inversions for other tests.  TODO(mmuller): fix.
     "google/registry/flows/host/HostInfoFlowTest.*",
+    "google/registry/beam/common/RegistryPipelineWorkerInitializerTest.*",
 ] + dockerIncompatibleTestPatterns
 
 sourceSets {

core/src/main/java/google/registry/beam/billing/BillingEvent.java

@@ -172,7 +172,7 @@ public record BillingEvent(
                 .minusDays(1)
                 .toString(),
         billingId(),
-        registrarId(),
+        "",
         String.format("%s | TLD: %s | TERM: %d-year", action(), tld(), years()),
         amount(),
         currency(),

core/src/main/java/google/registry/beam/common/RegistryPipelineWorkerInitializer.java

@@ -40,6 +40,8 @@ public class RegistryPipelineWorkerInitializer implements JvmInitializer {
 
   @Override
   public void beforeProcessing(PipelineOptions options) {
+    // TODO(b/416299900): remove next line after GAE is removed.
+    System.setProperty("google.registry.jetty", "true");
     RegistryPipelineOptions registryOptions = options.as(RegistryPipelineOptions.class);
     RegistryEnvironment environment = registryOptions.getRegistryEnvironment();
     if (environment == null || environment.equals(RegistryEnvironment.UNITTEST)) {

core/src/main/java/google/registry/dns/writer/DnsWritersModule.java

@@ -0,0 +1,29 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.dns.writer;
+
+import dagger.Module;
+import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
+import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
+
+/**
+ * Groups all {@link DnsWriter} implementations to be installed.
+ *
+ * <p>To cherry-pick the DNS writers to install, overwrite this file with your private version in
+ * the release process.
+ */
+@Module(
+    includes = {CloudDnsWriterModule.class, DnsUpdateWriterModule.class, VoidDnsWriterModule.class})
+public class DnsWritersModule {}

core/src/main/java/google/registry/export/ExportDomainListsAction.java

@@ -15,6 +15,7 @@
 package google.registry.export;
 
 import static com.google.common.base.Verify.verifyNotNull;
+import static google.registry.model.common.FeatureFlag.FeatureName.INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS;
 import static google.registry.model.tld.Tlds.getTldsOfType;
 import static google.registry.persistence.PersistenceModule.TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
@@ -75,7 +76,8 @@ public class ExportDomainListsAction implements Runnable {
         ON d.repo_id = gp.domain_repo_id
         WHERE d.tld = :tld
         AND d.deletion_time > CAST(:now AS timestamptz)
-        ORDER BY d.domain_name""";
+        ORDER BY d.domain_name
+      """;
 
   // This may be a CSV, but it is uses a .txt file extension for back-compatibility
   static final String REGISTERED_DOMAINS_FILENAME_FORMAT = "registered_domains_%s.txt";
@@ -93,10 +95,7 @@ public class ExportDomainListsAction implements Runnable {
     logger.atInfo().log("Exporting domain lists for TLDs %s.", realTlds);
 
     boolean includeDeletionTimes =
-        tm().transact(
-                () ->
-                    FeatureFlag.isActiveNowOrElse(
-                        FeatureFlag.FeatureName.INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS, false));
+        tm().transact(() -> FeatureFlag.isActiveNow(INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS));
     realTlds.forEach(
         tld -> {
           List<String> domainsList =

core/src/main/java/google/registry/flows/CheckApiAction.java

@@ -185,7 +185,8 @@ public class CheckApiAction implements Runnable {
   }
 
   private boolean checkExists(String domainString, DateTime now) {
-    return !ForeignKeyUtils.loadCached(Domain.class, ImmutableList.of(domainString), now).isEmpty();
+    return !ForeignKeyUtils.loadByCache(Domain.class, ImmutableList.of(domainString), now)
+        .isEmpty();
   }
 
   private Optional<String> checkReserved(InternetDomainName domainName) {

core/src/main/java/google/registry/flows/contact/ContactCreateFlow.java

@@ -19,6 +19,7 @@ import static google.registry.flows.ResourceFlowUtils.verifyResourceDoesNotExist
 import static google.registry.flows.contact.ContactFlowUtils.validateAsciiPostalInfo;
 import static google.registry.flows.contact.ContactFlowUtils.validateContactAgainstPolicy;
 import static google.registry.model.EppResourceUtils.createRepoId;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
 import com.google.common.collect.ImmutableSet;
@@ -29,8 +30,10 @@ import google.registry.flows.FlowModule.RegistrarId;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.MutatingFlow;
 import google.registry.flows.annotations.ReportingSpec;
+import google.registry.flows.exceptions.ContactsProhibitedException;
 import google.registry.flows.exceptions.ResourceAlreadyExistsForThisClientException;
 import google.registry.flows.exceptions.ResourceCreateContentionException;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.contact.Contact;
 import google.registry.model.contact.ContactCommand.Create;
 import google.registry.model.contact.ContactHistory;
@@ -47,6 +50,7 @@ import org.joda.time.DateTime;
  * An EPP flow that creates a new contact.
  *
  * @error {@link google.registry.flows.FlowUtils.NotLoggedInException}
+ * @error {@link ContactsProhibitedException}
  * @error {@link ResourceAlreadyExistsForThisClientException}
  * @error {@link ResourceCreateContentionException}
  * @error {@link ContactFlowUtils.BadInternationalizedPostalInfoException}
@@ -69,6 +73,9 @@ public final class ContactCreateFlow implements MutatingFlow {
     extensionManager.register(MetadataExtension.class);
     validateRegistrarIsLoggedIn(registrarId);
     extensionManager.validate();
+    if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
+      throw new ContactsProhibitedException();
+    }
     Create command = (Create) resourceCommand;
     DateTime now = tm().getTransactionTime();
     verifyResourceDoesNotExist(Contact.class, targetId, now, registrarId);

core/src/main/java/google/registry/flows/contact/ContactUpdateFlow.java

@@ -24,6 +24,7 @@ import static google.registry.flows.ResourceFlowUtils.verifyOptionalAuthInfo;
 import static google.registry.flows.ResourceFlowUtils.verifyResourceOwnership;
 import static google.registry.flows.contact.ContactFlowUtils.validateAsciiPostalInfo;
 import static google.registry.flows.contact.ContactFlowUtils.validateContactAgainstPolicy;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
 import static google.registry.model.reporting.HistoryEntry.Type.CONTACT_UPDATE;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
@@ -35,7 +36,9 @@ import google.registry.flows.FlowModule.Superuser;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.MutatingFlow;
 import google.registry.flows.annotations.ReportingSpec;
+import google.registry.flows.exceptions.ContactsProhibitedException;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.contact.Contact;
 import google.registry.model.contact.ContactCommand.Update;
 import google.registry.model.contact.ContactCommand.Update.Change;
@@ -55,6 +58,7 @@ import org.joda.time.DateTime;
 /**
  * An EPP flow that updates a contact.
  *
+ * @error {@link ContactsProhibitedException}
  * @error {@link google.registry.flows.FlowUtils.NotLoggedInException}
  * @error {@link google.registry.flows.ResourceFlowUtils.AddRemoveSameValueException}
  * @error {@link google.registry.flows.ResourceFlowUtils.ResourceDoesNotExistException}
@@ -92,6 +96,9 @@ public final class ContactUpdateFlow implements MutatingFlow {
     extensionManager.register(MetadataExtension.class);
     validateRegistrarIsLoggedIn(registrarId);
     extensionManager.validate();
+    if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
+      throw new ContactsProhibitedException();
+    }
     Update command = (Update) resourceCommand;
     DateTime now = tm().getTransactionTime();
     Contact existingContact = loadAndVerifyExistence(Contact.class, targetId, now);

core/src/main/java/google/registry/flows/domain/DomainCheckFlow.java

@@ -432,7 +432,7 @@ public final class DomainCheckFlow implements TransactionalFlow {
             .filter(existingDomains::containsKey)
             .collect(toImmutableMap(d -> d, existingDomains::get));
     ImmutableMap<VKey<? extends EppResource>, EppResource> loadedDomains =
-        EppResource.loadCached(ImmutableList.copyOf(existingDomainsToLoad.values()));
+        EppResource.loadByCacheIfEnabled(ImmutableList.copyOf(existingDomainsToLoad.values()));
     return ImmutableMap.copyOf(
         Maps.transformEntries(existingDomainsToLoad, (k, v) -> (Domain) loadedDomains.get(v)));
   }

core/src/main/java/google/registry/flows/domain/DomainCreateFlow.java

@@ -72,7 +72,9 @@ import google.registry.flows.custom.DomainCreateFlowCustomLogic;
 import google.registry.flows.custom.DomainCreateFlowCustomLogic.BeforeResponseParameters;
 import google.registry.flows.custom.DomainCreateFlowCustomLogic.BeforeResponseReturnData;
 import google.registry.flows.custom.EntityChanges;
+import google.registry.flows.domain.DomainFlowUtils.RegistrantProhibitedException;
 import google.registry.flows.domain.token.AllocationTokenFlowUtils;
+import google.registry.flows.exceptions.ContactsProhibitedException;
 import google.registry.flows.exceptions.ResourceAlreadyExistsForThisClientException;
 import google.registry.flows.exceptions.ResourceCreateContentionException;
 import google.registry.model.ImmutableObject;
@@ -147,6 +149,7 @@ import org.joda.time.Duration;
  * @error {@link DomainCreateFlow.NoGeneralRegistrationsInCurrentPhaseException}
  * @error {@link DomainCreateFlow.NoTrademarkedRegistrationsBeforeSunriseException}
  * @error {@link BulkDomainRegisteredForTooManyYearsException}
+ * @error {@link ContactsProhibitedException}
  * @error {@link DomainCreateFlow.SignedMarksOnlyDuringSunriseException}
  * @error {@link DomainFlowTmchUtils.NoMarksFoundMatchingDomainException}
  * @error {@link DomainFlowTmchUtils.FoundMarkNotYetValidException}
@@ -194,6 +197,7 @@ import org.joda.time.Duration;
  * @error {@link DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverAllowListException}
  * @error {@link DomainFlowUtils.PremiumNameBlockedException}
  * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
+ * @error {@link RegistrantProhibitedException}
  * @error {@link DomainFlowUtils.RegistrarMustBeActiveForThisOperationException}
  * @error {@link DomainFlowUtils.TldDoesNotExistException}
  * @error {@link DomainFlowUtils.TooManyDsRecordsException}
@@ -244,7 +248,7 @@ public final class DomainCreateFlow implements MutatingFlow {
     verifyResourceDoesNotExist(Domain.class, targetId, now, registrarId);
     // Validate that this is actually a legal domain name on a TLD that the registrar has access to.
     InternetDomainName domainName = validateDomainName(command.getDomainName());
-    String domainLabel = domainName.parts().get(0);
+    String domainLabel = domainName.parts().getFirst();
     Tld tld = Tld.get(domainName.parent().toString());
     validateCreateCommandContactsAndNameservers(command, tld, domainName);
     TldState tldState = tld.getTldState(now);

core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java

@@ -25,7 +25,7 @@ import static com.google.common.collect.Sets.intersection;
 import static com.google.common.collect.Sets.union;
 import static google.registry.bsa.persistence.BsaLabelUtils.isLabelBlocked;
 import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_OPTIONAL;
-import static google.registry.model.common.FeatureFlag.isActiveNow;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
 import static google.registry.model.domain.Domain.MAX_REGISTRATION_YEARS;
 import static google.registry.model.domain.token.AllocationToken.TokenType.REGISTER_BSA;
 import static google.registry.model.tld.Tld.TldState.GENERAL_AVAILABILITY;
@@ -75,11 +75,13 @@ import google.registry.flows.EppException.ParameterValueSyntaxErrorException;
 import google.registry.flows.EppException.RequiredParameterMissingException;
 import google.registry.flows.EppException.StatusProhibitsOperationException;
 import google.registry.flows.EppException.UnimplementedOptionException;
+import google.registry.flows.exceptions.ContactsProhibitedException;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
 import google.registry.model.EppResource;
 import google.registry.model.billing.BillingBase.Flag;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingRecurrence;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.contact.Contact;
 import google.registry.model.domain.DesignatedContact;
 import google.registry.model.domain.DesignatedContact.Type;
@@ -417,7 +419,7 @@ public class DomainFlowUtils {
     contacts.stream().map(DesignatedContact::getContactKey).forEach(keysToLoad::add);
     registrant.ifPresent(keysToLoad::add);
     keysToLoad.addAll(nameservers);
-    verifyNotInPendingDelete(EppResource.loadCached(keysToLoad.build()).values());
+    verifyNotInPendingDelete(EppResource.loadByCacheIfEnabled(keysToLoad.build()).values());
   }
 
   private static void verifyNotInPendingDelete(Iterable<EppResource> resources)
@@ -478,27 +480,37 @@ public class DomainFlowUtils {
     }
   }
 
-  static void validateRequiredContactsPresentIfRequiredForDataset(
+  /**
+   * Enforces the presence/absence of contact data depending on the minimum data set migration
+   * schedule.
+   */
+  static void validateContactDataPresence(
       Optional<VKey<Contact>> registrant, Set<DesignatedContact> contacts)
-      throws RequiredParameterMissingException {
-    // TODO(b/353347632): Change this flag check to a registry config check.
-    if (isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)) {
-      // Contacts are not required once we have begun the migration to the minimum dataset
-      return;
-    }
-    if (registrant.isEmpty()) {
-      throw new MissingRegistrantException();
-    }
+      throws RequiredParameterMissingException, ParameterValuePolicyErrorException {
+    // TODO(b/353347632): Change these flag checks to a registry config check once minimum data set
+    //                    migration is completed.
+    if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
+      if (registrant.isPresent()) {
+        throw new RegistrantProhibitedException();
+      }
+      if (!contacts.isEmpty()) {
+        throw new ContactsProhibitedException();
+      }
+    } else if (!FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)) {
+      if (registrant.isEmpty()) {
+        throw new MissingRegistrantException();
+      }
 
-    Set<Type> roles = new HashSet<>();
-    for (DesignatedContact contact : contacts) {
-      roles.add(contact.getType());
-    }
-    if (!roles.contains(Type.ADMIN)) {
-      throw new MissingAdminContactException();
-    }
-    if (!roles.contains(Type.TECH)) {
-      throw new MissingTechnicalContactException();
+      Set<Type> roles = new HashSet<>();
+      for (DesignatedContact contact : contacts) {
+        roles.add(contact.getType());
+      }
+      if (!roles.contains(Type.ADMIN)) {
+        throw new MissingAdminContactException();
+      }
+      if (!roles.contains(Type.TECH)) {
+        throw new MissingTechnicalContactException();
+      }
     }
   }
 
@@ -1042,8 +1054,7 @@ public class DomainFlowUtils {
     String tldStr = tld.getTldStr();
     validateRegistrantAllowedOnTld(tldStr, command.getRegistrantContactId());
     validateNoDuplicateContacts(command.getContacts());
-    validateRequiredContactsPresentIfRequiredForDataset(
-        command.getRegistrant(), command.getContacts());
+    validateContactDataPresence(command.getRegistrant(), command.getContacts());
     ImmutableSet<String> hostNames = command.getNameserverHostNames();
     validateNameserversCountForTld(tldStr, domainName, hostNames.size());
     validateNameserversAllowedOnTld(tldStr, hostNames);
@@ -1367,6 +1378,13 @@ public class DomainFlowUtils {
     }
   }
 
+  /** Having a registrant is prohibited by registry policy. */
+  static class RegistrantProhibitedException extends ParameterValuePolicyErrorException {
+    public RegistrantProhibitedException() {
+      super("Having a registrant is prohibited by registry policy");
+    }
+  }
+
   /** Admin contact is required. */
   static class MissingAdminContactException extends RequiredParameterMissingException {
     public MissingAdminContactException() {

core/src/main/java/google/registry/flows/domain/DomainInfoFlow.java

@@ -31,6 +31,7 @@ import google.registry.flows.ExtensionManager;
 import google.registry.flows.FlowModule.RegistrarId;
 import google.registry.flows.FlowModule.Superuser;
 import google.registry.flows.FlowModule.TargetId;
+import google.registry.flows.MutatingFlow;
 import google.registry.flows.TransactionalFlow;
 import google.registry.flows.annotations.ReportingSpec;
 import google.registry.flows.custom.DomainInfoFlowCustomLogic;
@@ -53,6 +54,8 @@ import google.registry.model.eppinput.ResourceCommand;
 import google.registry.model.eppoutput.EppResponse;
 import google.registry.model.eppoutput.EppResponse.ResponseExtension;
 import google.registry.model.reporting.IcannReportingTypes.ActivityReportField;
+import google.registry.persistence.IsolationLevel;
+import google.registry.persistence.PersistenceModule;
 import google.registry.util.Clock;
 import jakarta.inject.Inject;
 import java.util.Optional;
@@ -62,8 +65,12 @@ import org.joda.time.DateTime;
  * An EPP flow that returns information about a domain.
  *
  * <p>The registrar that owns the domain, and any registrar presenting a valid authInfo for the
- * domain, will get a rich result with all of the domain's fields. All other requests will be
- * answered with a minimal result containing only basic information about the domain.
+ * domain, will get a rich result with all the domain's fields. All other requests will be answered
+ * with a minimal result containing only basic information about the domain.
+ *
+ * <p>This implements {@link MutatingFlow} instead of {@link TransactionalFlow} as a workaround so
+ * that the common workflow of "create domain, then immediately get domain info" does not run into
+ * replication lag issues where the info command claims the domain does not exist.
  *
  * @error {@link google.registry.flows.FlowUtils.NotLoggedInException}
  * @error {@link google.registry.flows.FlowUtils.UnknownCurrencyEppException}
@@ -76,7 +83,8 @@ import org.joda.time.DateTime;
  * @error {@link DomainFlowUtils.TransfersAreAlwaysForOneYearException}
  */
 @ReportingSpec(ActivityReportField.DOMAIN_INFO)
-public final class DomainInfoFlow implements TransactionalFlow {
+@IsolationLevel(PersistenceModule.TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ)
+public final class DomainInfoFlow implements MutatingFlow {
 
   @Inject ExtensionManager extensionManager;
   @Inject ResourceCommand resourceCommand;

core/src/main/java/google/registry/flows/domain/DomainUpdateFlow.java

@@ -30,6 +30,7 @@ import static google.registry.flows.ResourceFlowUtils.verifyResourceOwnership;
 import static google.registry.flows.domain.DomainFlowUtils.checkAllowedAccessToTld;
 import static google.registry.flows.domain.DomainFlowUtils.cloneAndLinkReferences;
 import static google.registry.flows.domain.DomainFlowUtils.updateDsData;
+import static google.registry.flows.domain.DomainFlowUtils.validateContactDataPresence;
 import static google.registry.flows.domain.DomainFlowUtils.validateContactsHaveTypes;
 import static google.registry.flows.domain.DomainFlowUtils.validateDsData;
 import static google.registry.flows.domain.DomainFlowUtils.validateFeesAckedIfPresent;
@@ -37,11 +38,10 @@ import static google.registry.flows.domain.DomainFlowUtils.validateNameserversAl
 import static google.registry.flows.domain.DomainFlowUtils.validateNameserversCountForTld;
 import static google.registry.flows.domain.DomainFlowUtils.validateNoDuplicateContacts;
 import static google.registry.flows.domain.DomainFlowUtils.validateRegistrantAllowedOnTld;
-import static google.registry.flows.domain.DomainFlowUtils.validateRequiredContactsPresentIfRequiredForDataset;
 import static google.registry.flows.domain.DomainFlowUtils.verifyClientUpdateNotProhibited;
 import static google.registry.flows.domain.DomainFlowUtils.verifyNotInPendingDelete;
 import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_OPTIONAL;
-import static google.registry.model.common.FeatureFlag.isActiveNow;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
 import static google.registry.model.reporting.HistoryEntry.Type.DOMAIN_UPDATE;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
@@ -64,9 +64,11 @@ import google.registry.flows.custom.DomainUpdateFlowCustomLogic.BeforeSaveParame
 import google.registry.flows.custom.EntityChanges;
 import google.registry.flows.domain.DomainFlowUtils.MissingRegistrantException;
 import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverAllowListException;
+import google.registry.flows.domain.DomainFlowUtils.RegistrantProhibitedException;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingEvent;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.contact.Contact;
 import google.registry.model.domain.DesignatedContact;
 import google.registry.model.domain.Domain;
@@ -130,6 +132,7 @@ import org.joda.time.DateTime;
  * @error {@link NameserversNotSpecifiedForTldWithNameserverAllowListException}
  * @error {@link DomainFlowUtils.NotAuthorizedForTldException}
  * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
+ * @error {@link RegistrantProhibitedException}
  * @error {@link DomainFlowUtils.SecDnsAllUsageException}
  * @error {@link DomainFlowUtils.TooManyDsRecordsException}
  * @error {@link DomainFlowUtils.TooManyNameserversException}
@@ -304,11 +307,12 @@ public final class DomainUpdateFlow implements MutatingFlow {
 
   private Optional<VKey<Contact>> determineUpdatedRegistrant(Change change, Domain domain)
       throws EppException {
-    // During phase 1 of minimum dataset transition, allow registrant to be removed
+    // During or after the minimum dataset transition, allow registrant to be removed.
     if (change.getRegistrantContactId().isPresent()
         && change.getRegistrantContactId().get().isEmpty()) {
       // TODO(b/353347632): Change this flag check to a registry config check.
-      if (isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)) {
+      if (FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)
+          || FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
         return Optional.empty();
       } else {
         throw new MissingRegistrantException();
@@ -325,8 +329,7 @@ public final class DomainUpdateFlow implements MutatingFlow {
    * cause Domain update failure.
    */
   private static void validateNewState(Domain newDomain) throws EppException {
-    validateRequiredContactsPresentIfRequiredForDataset(
-        newDomain.getRegistrant(), newDomain.getContacts());
+    validateContactDataPresence(newDomain.getRegistrant(), newDomain.getContacts());
     validateDsData(newDomain.getDsData());
     validateNameserversCountForTld(
         newDomain.getTld(),

core/src/main/java/google/registry/flows/exceptions/ContactsProhibitedException.java

@@ -0,0 +1,24 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.flows.exceptions;
+
+import google.registry.flows.EppException.ParameterValuePolicyErrorException;
+
+/** Having contacts is prohibited by registry policy */
+public class ContactsProhibitedException extends ParameterValuePolicyErrorException {
+  public ContactsProhibitedException() {
+    super("Having contacts is prohibited by registry policy");
+  }
+}

core/src/main/java/google/registry/model/EppResource.java

@@ -404,7 +404,7 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
    * <p>Don't use this unless you really need it for performance reasons, and be sure that you are
    * OK with the trade-offs in loss of transactional consistency.
    */
-  public static ImmutableMap<VKey<? extends EppResource>, EppResource> loadCached(
+  public static ImmutableMap<VKey<? extends EppResource>, EppResource> loadByCacheIfEnabled(
       Iterable<VKey<? extends EppResource>> keys) {
     if (!RegistryConfig.isEppResourceCachingEnabled()) {
       return tm().reTransact(() -> tm().loadByKeys(keys));
@@ -413,15 +413,12 @@ public abstract class EppResource extends UpdateAutoTimestampEntity implements B
   }
 
   /**
-   * Loads a given EppResource by its key using the cache (if enabled).
+   * Loads a given EppResource by its key using the cache.
    *
-   * <p>Don't use this unless you really need it for performance reasons, and be sure that you are
-   * OK with the trade-offs in loss of transactional consistency.
+   * <p>This method ignores the `isEppResourceCachingEnabled` config setting. It is reserved for use
+   * cases that can tolerate slightly stale data, e.g., RDAP queries.
    */
-  public static <T extends EppResource> T loadCached(VKey<T> key) {
-    if (!RegistryConfig.isEppResourceCachingEnabled()) {
-      return tm().reTransact(() -> tm().loadByKey(key));
-    }
+  public static <T extends EppResource> T loadByCache(VKey<T> key) {
     // Safe to cast because loading a Key<T> returns an entity of type T.
     @SuppressWarnings("unchecked")
     T resource = (T) cacheEppResources.get(key);

core/src/main/java/google/registry/model/EppResourceUtils.java

@@ -16,6 +16,7 @@ package google.registry.model;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static google.registry.util.DateTimeUtils.isAtOrAfter;
@@ -40,6 +41,7 @@ import google.registry.model.transfer.DomainTransferData;
 import google.registry.model.transfer.TransferData;
 import google.registry.model.transfer.TransferStatus;
 import google.registry.persistence.VKey;
+import google.registry.persistence.transaction.TransactionManager;
 import jakarta.persistence.Query;
 import java.util.Collection;
 import java.util.Comparator;
@@ -109,12 +111,12 @@ public final class EppResourceUtils {
    */
   public static <T extends EppResource> Optional<T> loadByForeignKey(
       Class<T> clazz, String foreignKey, DateTime now) {
-    return loadByForeignKeyHelper(clazz, foreignKey, now, false);
+    return loadByForeignKeyHelper(tm(), clazz, foreignKey, now, false);
   }
 
   /**
    * Loads the last created version of an {@link EppResource} from the database by foreign key,
-   * using a cache.
+   * using a cache, if caching is enabled in config settings.
    *
    * <p>Returns null if no resource with this foreign key was ever created, or if the most recently
    * created resource was deleted before time "now".
@@ -134,20 +136,36 @@ public final class EppResourceUtils {
    * @param foreignKey id to match
    * @param now the current logical time to project resources at
    */
-  public static <T extends EppResource> Optional<T> loadByForeignKeyCached(
+  public static <T extends EppResource> Optional<T> loadByForeignKeyByCacheIfEnabled(
       Class<T> clazz, String foreignKey, DateTime now) {
     return loadByForeignKeyHelper(
-        clazz, foreignKey, now, RegistryConfig.isEppResourceCachingEnabled());
+        tm(), clazz, foreignKey, now, RegistryConfig.isEppResourceCachingEnabled());
+  }
+
+  /**
+   * Loads the last created version of an {@link EppResource} from the replica database by foreign
+   * key, using a cache.
+   *
+   * <p>This method ignores the config setting for caching, and is reserved for use cases that can
+   * tolerate slightly stale data.
+   */
+  public static <T extends EppResource> Optional<T> loadByForeignKeyByCache(
+      Class<T> clazz, String foreignKey, DateTime now) {
+    return loadByForeignKeyHelper(replicaTm(), clazz, foreignKey, now, true);
   }
 
   private static <T extends EppResource> Optional<T> loadByForeignKeyHelper(
-      Class<T> clazz, String foreignKey, DateTime now, boolean useCache) {
+      TransactionManager txnManager,
+      Class<T> clazz,
+      String foreignKey,
+      DateTime now,
+      boolean useCache) {
     checkArgument(
         ForeignKeyedEppResource.class.isAssignableFrom(clazz),
         "loadByForeignKey may only be called for foreign keyed EPP resources");
     VKey<T> key =
         useCache
-            ? ForeignKeyUtils.loadCached(clazz, ImmutableList.of(foreignKey), now).get(foreignKey)
+            ? ForeignKeyUtils.loadByCache(clazz, ImmutableList.of(foreignKey), now).get(foreignKey)
             : ForeignKeyUtils.load(clazz, foreignKey, now);
     // The returned key is null if the resource is hard deleted or soft deleted by the given time.
     if (key == null) {
@@ -155,10 +173,10 @@ public final class EppResourceUtils {
     }
     T resource =
         useCache
-            ? EppResource.loadCached(key)
+            ? EppResource.loadByCache(key)
             // This transaction is buried very deeply inside many outer nested calls, hence merits
             // the use of reTransact() for now pending a substantial refactoring.
-            : tm().reTransact(() -> tm().loadByKeyIfPresent(key).orElse(null));
+            : txnManager.reTransact(() -> txnManager.loadByKeyIfPresent(key).orElse(null));
     if (resource == null || isAtOrAfter(now, resource.getDeletionTime())) {
       return Optional.empty();
     }

core/src/main/java/google/registry/model/ForeignKeyUtils.java

@@ -204,11 +204,25 @@ public final class ForeignKeyUtils {
    * <p>Don't use the cached version of this method unless you really need it for performance
    * reasons, and are OK with the trade-offs in loss of transactional consistency.
    */
-  public static <E extends EppResource> ImmutableMap<String, VKey<E>> loadCached(
+  public static <E extends EppResource> ImmutableMap<String, VKey<E>> loadByCacheIfEnabled(
       Class<E> clazz, Collection<String> foreignKeys, final DateTime now) {
     if (!RegistryConfig.isEppResourceCachingEnabled()) {
       return load(clazz, foreignKeys, now);
     }
+    return loadByCache(clazz, foreignKeys, now);
+  }
+
+  /**
+   * Load a list of {@link VKey} to {@link EppResource} instances by class and foreign key strings
+   * that are active at or after the specified moment in time, using the cache.
+   *
+   * <p>The returned map will omit any keys for which the {@link EppResource} doesn't exist or has
+   * been soft-deleted.
+   *
+   * <p>This method is reserved for use cases that can tolerate slightly stale data.
+   */
+  public static <E extends EppResource> ImmutableMap<String, VKey<E>> loadByCache(
+      Class<E> clazz, Collection<String> foreignKeys, final DateTime now) {
     return foreignKeyCache
         .getAll(foreignKeys.stream().map(fk -> VKey.create(clazz, fk)).collect(toImmutableList()))
         .entrySet()

core/src/main/java/google/registry/model/common/FeatureFlag.java

@@ -62,11 +62,31 @@ public class FeatureFlag extends ImmutableObject implements Buildable {
     INACTIVE
   }
 
+  /** The names of the feature flags that can be individually set. */
   public enum FeatureName {
-    TEST_FEATURE,
-    MINIMUM_DATASET_CONTACTS_OPTIONAL,
-    MINIMUM_DATASET_CONTACTS_PROHIBITED,
-    INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS
+    /** Feature flag name used for testing only. */
+    TEST_FEATURE(FeatureStatus.INACTIVE),
+
+    /** If we're not requiring the presence of contact data on domain EPP commands. */
+    MINIMUM_DATASET_CONTACTS_OPTIONAL(FeatureStatus.INACTIVE),
+
+    /** If we're not permitting the presence of contact data on any EPP commands. */
+    MINIMUM_DATASET_CONTACTS_PROHIBITED(FeatureStatus.INACTIVE),
+
+    /**
+     * If we're including the upcoming domain drop date in the exported list of registered domains.
+     */
+    INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS(FeatureStatus.INACTIVE);
+
+    private final FeatureStatus defaultStatus;
+
+    FeatureName(FeatureStatus defaultStatus) {
+      this.defaultStatus = defaultStatus;
+    }
+
+    FeatureStatus getDefaultStatus() {
+      return this.defaultStatus;
+    }
   }
 
   /** The name of the flag/feature. */
@@ -155,24 +175,24 @@ public class FeatureFlag extends ImmutableObject implements Buildable {
     return status.getValueAtTime(time);
   }
 
-  /** Returns if the flag is active, or the default value if the flag does not exist. */
-  public static boolean isActiveNowOrElse(FeatureName featureName, boolean defaultValue) {
-    tm().assertInTransaction();
-    return CACHE
-        .get(featureName)
-        .map(flag -> flag.getStatus(tm().getTransactionTime()).equals(ACTIVE))
-        .orElse(defaultValue);
-  }
-
-  /** Returns if the FeatureFlag with the given FeatureName is active now. */
+  /**
+   * Returns whether the flag is active now, or else the flag's default value if it doesn't exist.
+   */
   public static boolean isActiveNow(FeatureName featureName) {
     tm().assertInTransaction();
     return isActiveAt(featureName, tm().getTransactionTime());
   }
 
-  /** Returns if the FeatureFlag with the given FeatureName is active at a given time. */
+  /**
+   * Returns whether the flag is active at the given time, or else the flag's default value if it
+   * doesn't exist.
+   */
   public static boolean isActiveAt(FeatureName featureName, DateTime dateTime) {
-    return FeatureFlag.get(featureName).getStatus(dateTime).equals(ACTIVE);
+    tm().assertInTransaction();
+    return CACHE
+        .get(featureName)
+        .map(flag -> flag.getStatus(dateTime).equals(ACTIVE))
+        .orElse(featureName.getDefaultStatus().equals(ACTIVE));
   }
 
   @Override

core/src/main/java/google/registry/model/console/ConsolePermission.java

@@ -16,6 +16,8 @@ package google.registry.model.console;
 
 /** Permissions that users may have in the UI, either per-registrar or globally. */
 public enum ConsolePermission {
+  AUDIT_ACTIVITY_BY_USER,
+  AUDIT_ACTIVITY_BY_REGISTRAR,
   /** View basic information about a registrar. */
   VIEW_REGISTRAR_DETAILS,
   /** Edit basic information about a registrar. */

core/src/main/java/google/registry/model/console/ConsoleRoleDefinitions.java

@@ -55,6 +55,8 @@ public class ConsoleRoleDefinitions {
       new ImmutableSet.Builder<ConsolePermission>()
           .addAll(SUPPORT_AGENT_PERMISSIONS)
           .add(
+              ConsolePermission.AUDIT_ACTIVITY_BY_USER,
+              ConsolePermission.AUDIT_ACTIVITY_BY_REGISTRAR,
               ConsolePermission.MANAGE_REGISTRARS,
               ConsolePermission.GET_REGISTRANT_EMAIL,
               ConsolePermission.SUSPEND_DOMAIN,
@@ -111,6 +113,7 @@ public class ConsoleRoleDefinitions {
       new ImmutableSet.Builder<ConsolePermission>()
           .addAll(TECH_CONTACT_PERMISSIONS)
           .add(ConsolePermission.MANAGE_USERS)
+          .add(ConsolePermission.AUDIT_ACTIVITY_BY_REGISTRAR)
           .build();
 
   private ConsoleRoleDefinitions() {}

core/src/main/java/google/registry/model/console/ConsoleUpdateHistory.java

@@ -16,6 +16,7 @@ package google.registry.model.console;
 
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 
+import com.google.gson.annotations.Expose;
 import google.registry.model.Buildable;
 import google.registry.model.ImmutableObject;
 import google.registry.model.annotations.IdAllocation;
@@ -45,6 +46,7 @@ public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
   @Id @IdAllocation @Column Long revisionId;
 
   @Column(nullable = false)
+  @Expose
   DateTime modificationTime;
 
   /** The HTTP method (e.g. POST, PUT) used to make this modification. */
@@ -54,6 +56,7 @@ public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
   /** The type of modification. */
   @Column(nullable = false)
   @Enumerated(EnumType.STRING)
+  @Expose
   Type type;
 
   /** The URL of the action that was used to make the modification. */
@@ -61,11 +64,12 @@ public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
   String url;
 
   /** An optional further description of the action. */
-  String description;
+  @Expose String description;
 
   /** The user that performed the modification. */
   @JoinColumn(name = "actingUser", referencedColumnName = "emailAddress", nullable = false)
   @ManyToOne
+  @Expose
   User actingUser;
 
   public Long getRevisionId() {
@@ -102,18 +106,24 @@ public class ConsoleUpdateHistory extends ImmutableObject implements Buildable {
   }
 
   public enum Type {
+    DUM_DOWNLOAD,
     DOMAIN_DELETE,
     DOMAIN_SUSPEND,
     DOMAIN_UNSUSPEND,
     EPP_PASSWORD_UPDATE,
     REGISTRAR_CREATE,
+    REGISTRAR_CONTACTS_UPDATE,
     REGISTRAR_SECURITY_UPDATE,
     REGISTRAR_UPDATE,
+    REGISTRY_LOCK,
+    REGISTRY_UNLOCK,
     USER_CREATE,
     USER_DELETE,
-    USER_UPDATE
+    USER_UPDATE,
   }
 
+  public static final String DESCRIPTION_SEPARATOR = "|";
+
   public static class Builder extends Buildable.Builder<ConsoleUpdateHistory> {
     public Builder() {}
 

core/src/main/java/google/registry/model/console/PasswordResetRequest.java

@@ -0,0 +1,150 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.console;
+
+import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
+
+import google.registry.model.Buildable;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.ImmutableObject;
+import google.registry.persistence.WithVKey;
+import jakarta.persistence.AttributeOverride;
+import jakarta.persistence.AttributeOverrides;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.Id;
+import java.util.Optional;
+import java.util.UUID;
+import org.joda.time.DateTime;
+
+/**
+ * Represents a password reset request of some type.
+ *
+ * <p>Password reset requests must be performed within an hour of the time that they were requested,
+ * as well as requiring that the requester and the fulfiller have the proper respective permissions.
+ */
+@Entity
+@WithVKey(String.class)
+public class PasswordResetRequest extends ImmutableObject implements Buildable {
+
+  public enum Type {
+    EPP,
+    REGISTRY_LOCK
+  }
+
+  @Id private String verificationCode;
+
+  @Column(nullable = false)
+  @Enumerated(EnumType.STRING)
+  Type type;
+
+  @AttributeOverrides({
+    @AttributeOverride(
+        name = "creationTime",
+        column = @Column(name = "requestTime", nullable = false))
+  })
+  CreateAutoTimestamp requestTime = CreateAutoTimestamp.create(null);
+
+  @Column(nullable = false)
+  String requester;
+
+  @Column DateTime fulfillmentTime;
+
+  @Column(nullable = false)
+  String destinationEmail;
+
+  @Column(nullable = false)
+  String registrarId;
+
+  public String getVerificationCode() {
+    return verificationCode;
+  }
+
+  public Type getType() {
+    return type;
+  }
+
+  public DateTime getRequestTime() {
+    return requestTime.getTimestamp();
+  }
+
+  public String getRequester() {
+    return requester;
+  }
+
+  public Optional<DateTime> getFulfillmentTime() {
+    return Optional.ofNullable(fulfillmentTime);
+  }
+
+  public String getDestinationEmail() {
+    return destinationEmail;
+  }
+
+  public String getRegistrarId() {
+    return registrarId;
+  }
+
+  @Override
+  public Builder asBuilder() {
+    return new Builder(clone(this));
+  }
+
+  /** Builder for constructing immutable {@link PasswordResetRequest} objects. */
+  public static class Builder extends Buildable.Builder<PasswordResetRequest> {
+
+    public Builder() {}
+
+    private Builder(PasswordResetRequest instance) {
+      super(instance);
+    }
+
+    @Override
+    public PasswordResetRequest build() {
+      checkArgumentNotNull(getInstance().type, "Type must be specified");
+      checkArgumentNotNull(getInstance().requester, "Requester must be specified");
+      checkArgumentNotNull(getInstance().destinationEmail, "Destination email must be specified");
+      checkArgumentNotNull(getInstance().registrarId, "Registrar ID must be specified");
+      getInstance().verificationCode = UUID.randomUUID().toString();
+      return super.build();
+    }
+
+    public Builder setType(Type type) {
+      getInstance().type = type;
+      return this;
+    }
+
+    public Builder setRequester(String requester) {
+      getInstance().requester = requester;
+      return this;
+    }
+
+    public Builder setDestinationEmail(String destinationEmail) {
+      getInstance().destinationEmail = destinationEmail;
+      return this;
+    }
+
+    public Builder setRegistrarId(String registrarId) {
+      getInstance().registrarId = registrarId;
+      return this;
+    }
+
+    public Builder setFulfillmentTime(DateTime fulfillmentTime) {
+      getInstance().fulfillmentTime = fulfillmentTime;
+      return this;
+    }
+  }
+}

core/src/main/java/google/registry/model/console/User.java

@@ -62,7 +62,7 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
   @Id @Expose String emailAddress;
 
   /** Optional external email address to use for registry lock confirmation emails. */
-  @Column String registryLockEmailAddress;
+  @Column @Expose String registryLockEmailAddress;
 
   /** Roles (which grant permissions) associated with this user. */
   @Expose
@@ -250,51 +250,50 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
   }
 
   @Override
-  public Builder<? extends User, ?> asBuilder() {
-    return new Builder<>(clone(this));
+  public Builder asBuilder() {
+    return new Builder(clone(this));
   }
 
   /** Builder for constructing immutable {@link User} objects. */
-  public static class Builder<T extends User, B extends Builder<T, B>>
-      extends GenericBuilder<T, B> {
+  public static class Builder extends Buildable.Builder<User> {
 
     public Builder() {}
 
-    public Builder(T abstractUser) {
-      super(abstractUser);
+    public Builder(User user) {
+      super(user);
     }
 
     @Override
-    public T build() {
+    public User build() {
       checkArgumentNotNull(getInstance().emailAddress, "Email address cannot be null");
       checkArgumentNotNull(getInstance().userRoles, "User roles cannot be null");
       return super.build();
     }
 
-    public B setEmailAddress(String emailAddress) {
+    public Builder setEmailAddress(String emailAddress) {
       getInstance().emailAddress = checkValidEmail(emailAddress);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
+    public Builder setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
       getInstance().registryLockEmailAddress =
           registryLockEmailAddress == null ? null : checkValidEmail(registryLockEmailAddress);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setUserRoles(UserRoles userRoles) {
+    public Builder setUserRoles(UserRoles userRoles) {
       checkArgumentNotNull(userRoles, "User roles cannot be null");
       getInstance().userRoles = userRoles;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B removeRegistryLockPassword() {
+    public Builder removeRegistryLockPassword() {
       getInstance().registryLockPasswordHash = null;
       getInstance().registryLockPasswordSalt = null;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockPassword(String registryLockPassword) {
+    public Builder setRegistryLockPassword(String registryLockPassword) {
       checkArgument(
           getInstance().hasAnyRegistryLockPermission(), "User has no registry lock permission");
       checkArgument(
@@ -304,7 +303,7 @@ public class User extends UpdateAutoTimestampEntity implements Buildable {
       byte[] salt = SALT_SUPPLIER.get();
       getInstance().registryLockPasswordSalt = base64().encode(salt);
       getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
-      return thisCastToDerived();
+      return this;
     }
   }
 }

core/src/main/java/google/registry/model/domain/DomainCommand.java

@@ -441,7 +441,8 @@ public class DomainCommand {
   private static <T extends EppResource> ImmutableMap<String, VKey<T>> loadByForeignKeysCached(
       final Set<String> foreignKeys, final Class<T> clazz, final DateTime now)
       throws InvalidReferencesException {
-    ImmutableMap<String, VKey<T>> fks = ForeignKeyUtils.loadCached(clazz, foreignKeys, now);
+    ImmutableMap<String, VKey<T>> fks =
+        ForeignKeyUtils.loadByCacheIfEnabled(clazz, foreignKeys, now);
     if (!fks.keySet().equals(foreignKeys)) {
       throw new InvalidReferencesException(
           clazz, ImmutableSet.copyOf(difference(foreignKeys, fks.keySet())));

core/src/main/java/google/registry/model/domain/fee12/FeeCheckResponseExtensionItemCommandV12.java

@@ -18,7 +18,7 @@ import static google.registry.util.CollectionUtils.forceEmptyToNull;
 
 import com.google.common.base.Ascii;
 import com.google.common.collect.ImmutableList;
-import google.registry.model.Buildable.GenericBuilder;
+import google.registry.model.Buildable;
 import google.registry.model.ImmutableObject;
 import google.registry.model.domain.Period;
 import google.registry.model.domain.fee.Fee;
@@ -77,8 +77,7 @@ public class FeeCheckResponseExtensionItemCommandV12 extends ImmutableObject {
   }
 
   /** Builder for {@link FeeCheckResponseExtensionItemCommandV12}. */
-  public static class Builder
-      extends GenericBuilder<FeeCheckResponseExtensionItemCommandV12, Builder> {
+  public static class Builder extends Buildable.Builder<FeeCheckResponseExtensionItemCommandV12> {
 
     public Builder setCommandName(CommandName commandName) {
       getInstance().commandName = Ascii.toLowerCase(commandName.name());

core/src/main/java/google/registry/model/registrar/Registrar.java

@@ -27,6 +27,7 @@ import static com.google.common.io.BaseEncoding.base64;
 import static google.registry.config.RegistryConfig.getDefaultRegistrarWhoisServer;
 import static google.registry.model.CacheUtils.memoizeWithShortExpiration;
 import static google.registry.model.tld.Tlds.assertTldsExist;
+import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableCopy;
 import static google.registry.util.CollectionUtils.nullToEmptyImmutableSortedCopy;
@@ -62,6 +63,7 @@ import google.registry.model.tld.Tld.TldType;
 import google.registry.persistence.VKey;
 import google.registry.persistence.converter.CidrBlockListUserType;
 import google.registry.persistence.converter.CurrencyToStringMapUserType;
+import google.registry.persistence.transaction.TransactionManager;
 import google.registry.util.CidrAddressBlock;
 import google.registry.util.PasswordUtils;
 import jakarta.mail.internet.AddressException;
@@ -403,6 +405,9 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
    */
   DateTime lastExpiringFailoverCertNotificationSentDate = START_OF_TIME;
 
+  /** The time that the POCs have been reviewed last. */
+  @Expose DateTime lastPocVerificationDate = START_OF_TIME;
+
   /** Telephone support passcode (5-digit numeric) */
   String phonePasscode;
 
@@ -461,6 +466,10 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
     return registrarName;
   }
 
+  public DateTime getLastPocVerificationDate() {
+    return lastPocVerificationDate;
+  }
+
   public Type getType() {
     return type;
   }
@@ -569,7 +578,20 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
    * address.
    */
   public ImmutableSortedSet<RegistrarPoc> getContacts() {
-    return getContactPocs().stream()
+    return getContactPocs(tm()).stream()
+        .filter(Objects::nonNull)
+        .collect(toImmutableSortedSet(CONTACT_EMAIL_COMPARATOR));
+  }
+
+  /**
+   * Returns a list of all {@link RegistrarPoc} objects for this registrar sorted by their email
+   * address.
+   *
+   * <p>This method queries the replica database. It is reserved for use cases that can tolerate
+   * slightly stale data.
+   */
+  public ImmutableSortedSet<RegistrarPoc> getContactsFromReplica() {
+    return getContactPocs(replicaTm()).stream()
         .filter(Objects::nonNull)
         .collect(toImmutableSortedSet(CONTACT_EMAIL_COMPARATOR));
   }
@@ -579,7 +601,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
    * their email address.
    */
   public ImmutableSortedSet<RegistrarPoc> getContactsOfType(final RegistrarPoc.Type type) {
-    return getContactPocs().stream()
+    return getContactPocs(tm()).stream()
         .filter(Objects::nonNull)
         .filter((@Nullable RegistrarPoc contact) -> contact.getTypes().contains(type))
         .collect(toImmutableSortedSet(CONTACT_EMAIL_COMPARATOR));
@@ -593,13 +615,8 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
     return getContacts().stream().filter(RegistrarPoc::getVisibleInDomainWhoisAsAbuse).findFirst();
   }
 
-  private ImmutableSet<RegistrarPoc> getContactPocs() {
-    return tm().transact(
-            () ->
-                tm().query("FROM RegistrarPoc WHERE registrarId = :registrarId", RegistrarPoc.class)
-                    .setParameter("registrarId", registrarId)
-                    .getResultStream()
-                    .collect(toImmutableSet()));
+  private ImmutableList<RegistrarPoc> getContactPocs(TransactionManager txnManager) {
+    return txnManager.transact(() -> RegistrarPoc.loadForRegistrar(registrarId));
   }
 
   @Override
@@ -614,6 +631,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
         .putString(
             "lastExpiringFailoverCertNotificationSentDate",
             lastExpiringFailoverCertNotificationSentDate)
+        .putString("lastPocVerificationDate", lastPocVerificationDate)
         .put("registrarName", registrarName)
         .put("type", type)
         .put("state", state)
@@ -672,8 +690,8 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
   }
 
   @Override
-  public Builder<? extends Registrar, ?> asBuilder() {
-    return new Builder<>(clone(this));
+  public Builder asBuilder() {
+    return new Builder(clone(this));
   }
 
   @Override
@@ -688,59 +706,58 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
   }
 
   /** A builder for constructing {@link Registrar}, since it is immutable. */
-  public static class Builder<T extends Registrar, B extends Builder<T, B>>
-      extends GenericBuilder<T, B> {
+  public static class Builder extends Buildable.Builder<Registrar> {
     public Builder() {}
 
-    public Builder(T instance) {
+    public Builder(Registrar instance) {
       super(instance);
     }
 
-    public B setRegistrarId(String registrarId) {
+    public Builder setRegistrarId(String registrarId) {
       // Registrar id must be [3,16] chars long. See "clIDType" in the base EPP schema of RFC 5730.
       // (Need to validate this here as there's no matching EPP XSD for validation.)
       checkArgument(
           Range.closed(3, 16).contains(registrarId.length()),
           "Registrar ID must be 3-16 characters long.");
       getInstance().registrarId = registrarId;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setIanaIdentifier(@Nullable Long ianaIdentifier) {
+    public Builder setIanaIdentifier(@Nullable Long ianaIdentifier) {
       checkArgument(
           ianaIdentifier == null || ianaIdentifier > 0, "IANA ID must be a positive number");
       getInstance().ianaIdentifier = ianaIdentifier;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setPoNumber(Optional<String> poNumber) {
+    public Builder setPoNumber(Optional<String> poNumber) {
       getInstance().poNumber = poNumber.orElse(null);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setBillingAccountMap(@Nullable Map<CurrencyUnit, String> billingAccountMap) {
+    public Builder setBillingAccountMap(@Nullable Map<CurrencyUnit, String> billingAccountMap) {
       getInstance().billingAccountMap = nullToEmptyImmutableCopy(billingAccountMap);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistrarName(String registrarName) {
+    public Builder setRegistrarName(String registrarName) {
       getInstance().registrarName = registrarName;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setType(Type type) {
+    public Builder setType(Type type) {
       getInstance().type = type;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setState(State state) {
+    public Builder setState(State state) {
       getInstance().state = state;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setAllowedTlds(Set<String> allowedTlds) {
+    public Builder setAllowedTlds(Set<String> allowedTlds) {
       getInstance().allowedTlds = ImmutableSortedSet.copyOf(assertTldsExist(allowedTlds));
-      return thisCastToDerived();
+      return this;
     }
 
     /**
@@ -753,7 +770,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
      * {@code .now()} when saving the Registry entity to make sure it's actually saved before trying
      * to set the allowed TLDs.
      */
-    public B setAllowedTldsUncached(Set<String> allowedTlds) {
+    public Builder setAllowedTldsUncached(Set<String> allowedTlds) {
       ImmutableSet<VKey<Tld>> newTldKeys =
           Sets.difference(allowedTlds, getInstance().getAllowedTlds()).stream()
               .map(Tld::createVKey)
@@ -762,10 +779,10 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
           Sets.difference(newTldKeys, tm().loadByKeysIfPresent(newTldKeys).keySet());
       checkArgument(missingTldKeys.isEmpty(), "Trying to set nonexistent TLDs: %s", missingTldKeys);
       getInstance().allowedTlds = ImmutableSortedSet.copyOf(allowedTlds);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setClientCertificate(String clientCertificate, DateTime now) {
+    public Builder setClientCertificate(String clientCertificate, DateTime now) {
       clientCertificate = emptyToNull(clientCertificate);
       String clientCertificateHash = calculateHash(clientCertificate);
       if (!Objects.equals(clientCertificate, getInstance().clientCertificate)
@@ -774,23 +791,23 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
         getInstance().clientCertificateHash = clientCertificateHash;
         getInstance().lastCertificateUpdateTime = now;
       }
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setLastExpiringCertNotificationSentDate(DateTime now) {
+    public Builder setLastExpiringCertNotificationSentDate(DateTime now) {
       checkArgumentNotNull(now, "Registrar lastExpiringCertNotificationSentDate cannot be null");
       getInstance().lastExpiringCertNotificationSentDate = now;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setLastExpiringFailoverCertNotificationSentDate(DateTime now) {
+    public Builder setLastExpiringFailoverCertNotificationSentDate(DateTime now) {
       checkArgumentNotNull(
           now, "Registrar lastExpiringFailoverCertNotificationSentDate cannot be null");
       getInstance().lastExpiringFailoverCertNotificationSentDate = now;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setFailoverClientCertificate(String clientCertificate, DateTime now) {
+    public Builder setFailoverClientCertificate(String clientCertificate, DateTime now) {
       clientCertificate = emptyToNull(clientCertificate);
       String clientCertificateHash = calculateHash(clientCertificate);
       if (!Objects.equals(clientCertificate, getInstance().failoverClientCertificate)
@@ -799,7 +816,13 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
         getInstance().failoverClientCertificateHash = clientCertificateHash;
         getInstance().lastCertificateUpdateTime = now;
       }
-      return thisCastToDerived();
+      return this;
+    }
+
+    public Builder setLastPocVerificationDate(DateTime now) {
+      checkArgumentNotNull(now, "Registrar lastPocVerificationDate cannot be null");
+      getInstance().lastPocVerificationDate = now;
+      return this;
     }
 
     private static String calculateHash(String clientCertificate) {
@@ -831,75 +854,75 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
                   Objects.equals(newInstance.ianaIdentifier, registrar.getIanaIdentifier()));
     }
 
-    public B setContactsRequireSyncing(boolean contactsRequireSyncing) {
+    public Builder setContactsRequireSyncing(boolean contactsRequireSyncing) {
       getInstance().contactsRequireSyncing = contactsRequireSyncing;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setIpAddressAllowList(Iterable<CidrAddressBlock> ipAddressAllowList) {
+    public Builder setIpAddressAllowList(Iterable<CidrAddressBlock> ipAddressAllowList) {
       getInstance().ipAddressAllowList = ImmutableList.copyOf(ipAddressAllowList);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setLocalizedAddress(RegistrarAddress localizedAddress) {
+    public Builder setLocalizedAddress(RegistrarAddress localizedAddress) {
       getInstance().localizedAddress = localizedAddress;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setInternationalizedAddress(RegistrarAddress internationalizedAddress) {
+    public Builder setInternationalizedAddress(RegistrarAddress internationalizedAddress) {
       getInstance().internationalizedAddress = internationalizedAddress;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setPhoneNumber(String phoneNumber) {
+    public Builder setPhoneNumber(String phoneNumber) {
       getInstance().phoneNumber = (phoneNumber == null) ? null : checkValidPhoneNumber(phoneNumber);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setFaxNumber(String faxNumber) {
+    public Builder setFaxNumber(String faxNumber) {
       getInstance().faxNumber = (faxNumber == null) ? null : checkValidPhoneNumber(faxNumber);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setEmailAddress(String emailAddress) {
+    public Builder setEmailAddress(String emailAddress) {
       getInstance().emailAddress = checkValidEmail(emailAddress);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setWhoisServer(String whoisServer) {
+    public Builder setWhoisServer(String whoisServer) {
       getInstance().whoisServer = whoisServer;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRdapBaseUrls(Set<String> rdapBaseUrls) {
+    public Builder setRdapBaseUrls(Set<String> rdapBaseUrls) {
       getInstance().rdapBaseUrls = ImmutableSet.copyOf(rdapBaseUrls);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setBlockPremiumNames(boolean blockPremiumNames) {
+    public Builder setBlockPremiumNames(boolean blockPremiumNames) {
       getInstance().blockPremiumNames = blockPremiumNames;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setUrl(String url) {
+    public Builder setUrl(String url) {
       getInstance().url = url;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setIcannReferralEmail(String icannReferralEmail) {
+    public Builder setIcannReferralEmail(String icannReferralEmail) {
       getInstance().icannReferralEmail = checkValidEmail(icannReferralEmail);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setDriveFolderId(@Nullable String driveFolderId) {
+    public Builder setDriveFolderId(@Nullable String driveFolderId) {
       checkArgument(
           driveFolderId == null || !driveFolderId.contains("/"),
           "Drive folder ID must not be a full URL");
       getInstance().driveFolderId = driveFolderId;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setPassword(String password) {
+    public Builder setPassword(String password) {
       // Passwords must be [6,16] chars long. See "pwType" in the base EPP schema of RFC 5730.
       checkArgument(
           Range.closed(6, 16).contains(nullToEmpty(password).length()),
@@ -907,7 +930,7 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
       byte[] salt = SALT_SUPPLIER.get();
       getInstance().salt = base64().encode(salt);
       getInstance().passwordHash = hashPassword(password, salt);
-      return thisCastToDerived();
+      return this;
     }
 
     /**
@@ -915,18 +938,18 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
      *
      * @throws IllegalArgumentException if provided passcode is not 5-digit numeric
      */
-    public B setPhonePasscode(String phonePasscode) {
+    public Builder setPhonePasscode(String phonePasscode) {
       checkArgument(
           phonePasscode == null || PHONE_PASSCODE_PATTERN.matcher(phonePasscode).matches(),
           "Not a valid telephone passcode (must be 5 digits long): %s",
           phonePasscode);
       getInstance().phonePasscode = phonePasscode;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockAllowed(boolean registryLockAllowed) {
+    public Builder setRegistryLockAllowed(boolean registryLockAllowed) {
       getInstance().registryLockAllowed = registryLockAllowed;
-      return thisCastToDerived();
+      return this;
     }
 
     /**
@@ -934,14 +957,14 @@ public class Registrar extends UpdateAutoTimestampEntity implements Buildable, J
      * and breaks the verification that an object has not been updated since it was copied.
      */
     @VisibleForTesting
-    public B setLastUpdateTime(DateTime timestamp) {
+    public Builder setLastUpdateTime(DateTime timestamp) {
       getInstance().setUpdateTimestamp(UpdateAutoTimestamp.create(timestamp));
-      return thisCastToDerived();
+      return this;
     }
 
     /** Build the registrar, nullifying empty fields. */
     @Override
-    public T build() {
+    public Registrar build() {
       checkArgumentNotNull(getInstance().type, "Registrar type cannot be null");
       checkArgumentNotNull(getInstance().registrarName, "Registrar name cannot be null");
       checkArgument(

core/src/main/java/google/registry/model/registrar/RegistrarPoc.java

@@ -27,15 +27,17 @@ import static google.registry.util.PasswordUtils.hashPassword;
 import static java.util.stream.Collectors.joining;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSortedSet;
 import com.google.gson.annotations.Expose;
-import google.registry.model.Buildable.GenericBuilder;
+import google.registry.model.Buildable;
 import google.registry.model.ImmutableObject;
 import google.registry.model.JsonMapBuilder;
 import google.registry.model.Jsonifiable;
 import google.registry.model.UnsafeSerializable;
 import google.registry.persistence.VKey;
+import google.registry.persistence.transaction.QueryComposer;
 import google.registry.util.PasswordUtils;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
@@ -93,6 +95,10 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
     }
   }
 
+  @Expose
+  @Column(insertable = false, updatable = false)
+  protected Long id;
+
   /** The name of the contact. */
   @Expose String name;
 
@@ -179,6 +185,10 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
     tm().putAll(contacts);
   }
 
+  public Long getId() {
+    return id;
+  }
+
   public String getName() {
     return name;
   }
@@ -215,8 +225,8 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
     return visibleInDomainWhoisAsAbuse;
   }
 
-  public Builder<? extends RegistrarPoc, ?> asBuilder() {
-    return new Builder<>(clone(this));
+  public Builder asBuilder() {
+    return new Builder(clone(this));
   }
 
   public boolean isAllowedToSetRegistryLockPassword() {
@@ -295,6 +305,7 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
         .put("visibleInDomainWhoisAsAbuse", visibleInDomainWhoisAsAbuse)
         .put("allowedToSetRegistryLockPassword", allowedToSetRegistryLockPassword)
         .put("registryLockAllowed", isRegistryLockAllowed())
+        .put("id", getId())
         .build();
   }
 
@@ -321,17 +332,16 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
   }
 
   /** A builder for constructing a {@link RegistrarPoc}, since it is immutable. */
-  public static class Builder<T extends RegistrarPoc, B extends Builder<T, B>>
-      extends GenericBuilder<T, B> {
+  public static class Builder extends Buildable.Builder<RegistrarPoc> {
     public Builder() {}
 
-    protected Builder(T instance) {
+    protected Builder(RegistrarPoc instance) {
       super(instance);
     }
 
     /** Build the registrar, nullifying empty fields. */
     @Override
-    public T build() {
+    public RegistrarPoc build() {
       checkNotNull(getInstance().registrarId, "Registrar ID cannot be null");
       checkValidEmail(getInstance().emailAddress);
       // Check allowedToSetRegistryLockPassword here because if we want to allow the user to set
@@ -345,71 +355,71 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
       return cloneEmptyToNull(super.build());
     }
 
-    public B setName(String name) {
+    public Builder setName(String name) {
       getInstance().name = name;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setEmailAddress(String emailAddress) {
+    public Builder setEmailAddress(String emailAddress) {
       getInstance().emailAddress = emailAddress;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
+    public Builder setRegistryLockEmailAddress(@Nullable String registryLockEmailAddress) {
       getInstance().registryLockEmailAddress = registryLockEmailAddress;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setPhoneNumber(String phoneNumber) {
+    public Builder setPhoneNumber(String phoneNumber) {
       getInstance().phoneNumber = phoneNumber;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistrarId(String registrarId) {
+    public Builder setRegistrarId(String registrarId) {
       getInstance().registrarId = registrarId;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistrar(Registrar registrar) {
+    public Builder setRegistrar(Registrar registrar) {
       getInstance().registrarId = registrar.getRegistrarId();
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setFaxNumber(String faxNumber) {
+    public Builder setFaxNumber(String faxNumber) {
       getInstance().faxNumber = faxNumber;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setTypes(Iterable<Type> types) {
+    public Builder setTypes(Iterable<Type> types) {
       getInstance().types = ImmutableSet.copyOf(types);
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setVisibleInWhoisAsAdmin(boolean visible) {
+    public Builder setVisibleInWhoisAsAdmin(boolean visible) {
       getInstance().visibleInWhoisAsAdmin = visible;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setVisibleInWhoisAsTech(boolean visible) {
+    public Builder setVisibleInWhoisAsTech(boolean visible) {
       getInstance().visibleInWhoisAsTech = visible;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setVisibleInDomainWhoisAsAbuse(boolean visible) {
+    public Builder setVisibleInDomainWhoisAsAbuse(boolean visible) {
       getInstance().visibleInDomainWhoisAsAbuse = visible;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setAllowedToSetRegistryLockPassword(boolean allowedToSetRegistryLockPassword) {
+    public Builder setAllowedToSetRegistryLockPassword(boolean allowedToSetRegistryLockPassword) {
       if (allowedToSetRegistryLockPassword) {
         getInstance().registryLockPasswordSalt = null;
         getInstance().registryLockPasswordHash = null;
       }
       getInstance().allowedToSetRegistryLockPassword = allowedToSetRegistryLockPassword;
-      return thisCastToDerived();
+      return this;
     }
 
-    public B setRegistryLockPassword(String registryLockPassword) {
+    public Builder setRegistryLockPassword(String registryLockPassword) {
       checkArgument(
           getInstance().allowedToSetRegistryLockPassword,
           "Not allowed to set registry lock password for this contact");
@@ -419,10 +429,16 @@ public class RegistrarPoc extends ImmutableObject implements Jsonifiable, Unsafe
       getInstance().registryLockPasswordSalt = base64().encode(salt);
       getInstance().registryLockPasswordHash = hashPassword(registryLockPassword, salt);
       getInstance().allowedToSetRegistryLockPassword = false;
-      return thisCastToDerived();
+      return this;
     }
   }
 
+  public static ImmutableList<RegistrarPoc> loadForRegistrar(String registrarId) {
+    return tm().createQueryComposer(RegistrarPoc.class)
+        .where("registrarId", QueryComposer.Comparator.EQ, registrarId)
+        .list();
+  }
+
   /** Class to represent the composite primary key for {@link RegistrarPoc} entity. */
   @VisibleForTesting
   public static class RegistrarPocId extends ImmutableObject implements Serializable {

core/src/main/java/google/registry/module/RequestComponent.java

@@ -38,10 +38,8 @@ import google.registry.dns.PublishDnsUpdatesAction;
 import google.registry.dns.ReadDnsRefreshRequestsAction;
 import google.registry.dns.RefreshDnsAction;
 import google.registry.dns.RefreshDnsOnHostRenameAction;
-import google.registry.dns.writer.VoidDnsWriterModule;
-import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
+import google.registry.dns.writer.DnsWritersModule;
 import google.registry.dns.writer.dnsupdate.DnsUpdateConfigModule;
-import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
 import google.registry.export.ExportDomainListsAction;
 import google.registry.export.ExportPremiumTermsAction;
 import google.registry.export.ExportReservedTermsAction;
@@ -117,6 +115,7 @@ import google.registry.ui.server.console.ConsoleDomainGetAction;
 import google.registry.ui.server.console.ConsoleDomainListAction;
 import google.registry.ui.server.console.ConsoleDumDownloadAction;
 import google.registry.ui.server.console.ConsoleEppPasswordAction;
+import google.registry.ui.server.console.ConsoleHistoryDataAction;
 import google.registry.ui.server.console.ConsoleModule;
 import google.registry.ui.server.console.ConsoleOteAction;
 import google.registry.ui.server.console.ConsoleRegistryLockAction;
@@ -124,6 +123,8 @@ import google.registry.ui.server.console.ConsoleRegistryLockVerifyAction;
 import google.registry.ui.server.console.ConsoleUpdateRegistrarAction;
 import google.registry.ui.server.console.ConsoleUserDataAction;
 import google.registry.ui.server.console.ConsoleUsersAction;
+import google.registry.ui.server.console.PasswordResetRequestAction;
+import google.registry.ui.server.console.PasswordResetVerifyAction;
 import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.domains.ConsoleBulkDomainAction;
 import google.registry.ui.server.console.settings.ContactAction;
@@ -140,14 +141,13 @@ import google.registry.whois.WhoisModule;
       BatchModule.class,
       BillingModule.class,
       CheckApiModule.class,
-      CloudDnsWriterModule.class,
       ConsoleModule.class,
       CronModule.class,
       CustomLogicModule.class,
       DnsCountQueryCoordinatorModule.class,
       DnsModule.class,
       DnsUpdateConfigModule.class,
-      DnsUpdateWriterModule.class,
+      DnsWritersModule.class,
       EppTlsModule.class,
       EppToolModule.class,
       IcannReportingModule.class,
@@ -160,7 +160,6 @@ import google.registry.whois.WhoisModule;
       Spec11Module.class,
       TmchModule.class,
       ToolsServerModule.class,
-      VoidDnsWriterModule.class,
       WhiteboxModule.class,
       WhoisModule.class,
     })
@@ -187,6 +186,8 @@ interface RequestComponent {
 
   ConsoleEppPasswordAction consoleEppPasswordAction();
 
+  ConsoleHistoryDataAction consoleHistoryDataAction();
+
   ConsoleOteAction consoleOteAction();
 
   ConsoleRegistryLockAction consoleRegistryLockAction();
@@ -253,6 +254,10 @@ interface RequestComponent {
 
   NordnVerifyAction nordnVerifyAction();
 
+  PasswordResetRequestAction passwordResetRequestAction();
+
+  PasswordResetVerifyAction passwordResetVerifyAction();
+
   PublishDnsUpdatesAction publishDnsUpdatesAction();
 
   PublishInvoicesAction uploadInvoicesAction();
@@ -285,6 +290,8 @@ interface RequestComponent {
 
   RdapNameserverSearchAction rdapNameserverSearchAction();
 
+  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
+
   RdeReportAction rdeReportAction();
 
   RdeReporter rdeReporter();
@@ -336,9 +343,7 @@ interface RequestComponent {
   WhoisAction whoisAction();
 
   WhoisHttpAction whoisHttpAction();
-
-  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
-
+  
   WipeOutContactHistoryPiiAction wipeOutContactHistoryPiiAction();
 
   @Subcomponent.Builder

core/src/main/java/google/registry/module/backend/BackendComponent.java

@@ -22,7 +22,6 @@ import google.registry.bigquery.BigqueryModule;
 import google.registry.config.CloudTasksUtilsModule;
 import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig.ConfigModule;
-import google.registry.dns.writer.VoidDnsWriterModule;
 import google.registry.export.DriveModule;
 import google.registry.export.sheet.SheetsServiceModule;
 import google.registry.flows.ServerTridProviderModule;
@@ -73,7 +72,6 @@ import jakarta.inject.Singleton;
       SheetsServiceModule.class,
       StackdriverModule.class,
       UrlConnectionServiceModule.class,
-      VoidDnsWriterModule.class,
       UtilsModule.class
     })
 interface BackendComponent {

core/src/main/java/google/registry/module/backend/BackendRequestComponent.java

@@ -34,10 +34,8 @@ import google.registry.dns.PublishDnsUpdatesAction;
 import google.registry.dns.ReadDnsRefreshRequestsAction;
 import google.registry.dns.RefreshDnsAction;
 import google.registry.dns.RefreshDnsOnHostRenameAction;
-import google.registry.dns.writer.VoidDnsWriterModule;
-import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
+import google.registry.dns.writer.DnsWritersModule;
 import google.registry.dns.writer.dnsupdate.DnsUpdateConfigModule;
-import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
 import google.registry.export.ExportDomainListsAction;
 import google.registry.export.ExportPremiumTermsAction;
 import google.registry.export.ExportReservedTermsAction;
@@ -82,13 +80,12 @@ import google.registry.tmch.TmchSmdrlAction;
     modules = {
       BatchModule.class,
       BillingModule.class,
-      CloudDnsWriterModule.class,
       CronModule.class,
       CustomLogicModule.class,
       DnsCountQueryCoordinatorModule.class,
       DnsModule.class,
       DnsUpdateConfigModule.class,
-      DnsUpdateWriterModule.class,
+      DnsWritersModule.class,
       IcannReportingModule.class,
       RdeModule.class,
       ReportingModule.class,
@@ -96,7 +93,6 @@ import google.registry.tmch.TmchSmdrlAction;
       SheetModule.class,
       Spec11Module.class,
       TmchModule.class,
-      VoidDnsWriterModule.class,
       WhiteboxModule.class,
     })
 public interface BackendRequestComponent {

core/src/main/java/google/registry/module/frontend/FrontendRequestComponent.java

@@ -38,6 +38,8 @@ import google.registry.ui.server.console.ConsoleRegistryLockVerifyAction;
 import google.registry.ui.server.console.ConsoleUpdateRegistrarAction;
 import google.registry.ui.server.console.ConsoleUserDataAction;
 import google.registry.ui.server.console.ConsoleUsersAction;
+import google.registry.ui.server.console.PasswordResetRequestAction;
+import google.registry.ui.server.console.PasswordResetVerifyAction;
 import google.registry.ui.server.console.RegistrarsAction;
 import google.registry.ui.server.console.domains.ConsoleBulkDomainAction;
 import google.registry.ui.server.console.settings.ContactAction;
@@ -84,6 +86,12 @@ public interface FrontendRequestComponent {
 
   FlowComponent.Builder flowComponentBuilder();
 
+  PasswordResetRequestAction passwordResetRequestAction();
+
+  PasswordResetVerifyAction passwordResetVerifyAction();
+
+  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
+
   ReadinessProbeActionFrontend readinessProbeActionFrontend();
 
   ReadinessProbeConsoleAction readinessProbeConsoleAction();
@@ -92,8 +100,6 @@ public interface FrontendRequestComponent {
 
   SecurityAction securityAction();
 
-  RdapRegistrarFieldsAction rdapRegistrarFieldsAction();
-
   @Subcomponent.Builder
   abstract class Builder implements RequestComponentBuilder<FrontendRequestComponent> {
     @Override public abstract Builder requestModule(RequestModule requestModule);

core/src/main/java/google/registry/rdap/AbstractJsonableObject.java

@@ -336,7 +336,7 @@ abstract class AbstractJsonableObject implements Jsonable {
       // According to RFC 9083 section 3, the syntax of dates and times is defined in RFC3339.
       //
       // According to RFC3339, we should use ISO8601, which is what DateTime.toString does!
-      return new JsonPrimitive(((DateTime) object).toString());
+      return new JsonPrimitive(object.toString());
     }
     if (object == null) {
       return JsonNull.INSTANCE;

core/src/main/java/google/registry/rdap/RdapActionBase.java

@@ -24,10 +24,14 @@ import static jakarta.servlet.http.HttpServletResponse.SC_NOT_FOUND;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.EppResource;
 import google.registry.model.registrar.Registrar;
@@ -41,6 +45,7 @@ import google.registry.request.HttpException;
 import google.registry.request.Parameter;
 import google.registry.request.RequestMethod;
 import google.registry.request.RequestPath;
+import google.registry.request.RequestUrl;
 import google.registry.request.Response;
 import google.registry.util.Clock;
 import jakarta.inject.Inject;
@@ -50,7 +55,7 @@ import java.util.Optional;
 import org.joda.time.DateTime;
 
 /**
- * Base RDAP (new WHOIS) action for all requests.
+ * Base RDAP action for all requests.
  *
  * @see <a href="https://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
@@ -75,6 +80,7 @@ public abstract class RdapActionBase implements Runnable {
   @Inject Response response;
   @Inject @RequestMethod Action.Method requestMethod;
   @Inject @RequestPath String requestPath;
+  @Inject @RequestUrl String requestUrl;
   @Inject RdapAuthorization rdapAuthorization;
   @Inject RdapJsonFormatter rdapJsonFormatter;
   @Inject @Parameter("includeDeleted") Optional<Boolean> includeDeletedParam;
@@ -132,7 +138,7 @@ public abstract class RdapActionBase implements Runnable {
     // RFC7480 4.2 - servers receiving an RDAP request return an entity with a Content-Type header
     // containing the RDAP-specific JSON media type.
     response.setContentType(RESPONSE_MEDIA_TYPE);
-    // RDAP Technical Implementation Guide 1.13 - when responding to RDAP valid requests, we MUST
+    // RDAP Technical Implementation Guide 1.14 - when responding to RDAP valid requests, we MUST
     // include the Access-Control-Allow-Origin, which MUST be "*" unless otherwise specified.
     response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN, "*");
     try {
@@ -198,7 +204,9 @@ public abstract class RdapActionBase implements Runnable {
     TopLevelReplyObject topLevelObject =
         TopLevelReplyObject.create(replyObject, rdapJsonFormatter.createTosNotice());
     Gson gson = formatOutputParam.orElse(false) ? FORMATTED_OUTPUT_GSON : GSON;
-    response.setPayload(gson.toJson(topLevelObject.toJson()));
+    JsonObject jsonResult = topLevelObject.toJson();
+    addLinkValuesRecursively(jsonResult);
+    response.setPayload(gson.toJson(jsonResult));
   }
 
   /**
@@ -264,4 +272,34 @@ public abstract class RdapActionBase implements Runnable {
     return rdapJsonFormatter.getRequestTime();
   }
 
+  /**
+   * Adds a request-referencing "value" to each link object.
+   *
+   * <p>This is the "context URI" as described in RFC 8288. Basically, this contains a reference to
+   * the request URL that generated this RDAP response.
+   *
+   * <p>This is required per the RDAP February 2024 response profile sections 2.6.3 and 2.10, and
+   * the technical implementation guide sections 3.2 and 3.3.2.
+   *
+   * <p>We must do this here (instead of where the links are generated) because many of the links
+   * (e.g. terms of service) are static constants, and thus cannot by default know what the request
+   * URL was.
+   */
+  private void addLinkValuesRecursively(JsonElement jsonElement) {
+    if (jsonElement instanceof JsonArray jsonArray) {
+      jsonArray.forEach(this::addLinkValuesRecursively);
+    } else if (jsonElement instanceof JsonObject jsonObject) {
+      if (jsonObject.get("links") instanceof JsonArray linksArray) {
+        addLinkValues(linksArray);
+      }
+      jsonObject.entrySet().forEach(entry -> addLinkValuesRecursively(entry.getValue()));
+    }
+  }
+
+  private void addLinkValues(JsonArray linksArray) {
+    Streams.stream(linksArray)
+        .map(JsonElement::getAsJsonObject)
+        .filter(o -> !o.has("value"))
+        .forEach(o -> o.addProperty("value", requestUrl));
+  }
 }

core/src/main/java/google/registry/rdap/RdapAutnumAction.java

@@ -26,7 +26,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 
 /**
- * RDAP (new WHOIS) action for RDAP autonomous system number requests.
+ * RDAP action for RDAP autonomous system number requests.
  *
  * <p>This feature is not implemented because it's only necessary for <i>address</i> registries like
  * ARIN, not domain registries.

core/src/main/java/google/registry/rdap/RdapDataStructures.java

@@ -41,14 +41,13 @@ final class RdapDataStructures {
       // Conformance to RFC 9083
       jsonArray.add("rdap_level_0");
 
-      // Conformance to the RDAP Response Profile V2.1
+      // Conformance to the RDAP Response Profile V2.2 (February 2024)
+      // (see section 1.2)
+      jsonArray.add("icann_rdap_response_profile_1");
+
+      // Conformance to the RDAP Technical Implementation Guide V2.2 (February 2024)
       // (see section 1.3)
-      jsonArray.add("icann_rdap_response_profile_0");
-
-      // Conformance to the RDAP Technical Implementation Guide V2.1
-      // (see section 1.14)
-      jsonArray.add("icann_rdap_technical_implementation_guide_0");
-
+      jsonArray.add("icann_rdap_technical_implementation_guide_1");
       return jsonArray;
     }
   }

core/src/main/java/google/registry/rdap/RdapDomainAction.java

@@ -15,7 +15,7 @@
 package google.registry.rdap;
 
 import static google.registry.flows.domain.DomainFlowUtils.validateDomainName;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
@@ -36,7 +36,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 import java.util.Optional;
 
-/** RDAP (new WHOIS) action for domain requests. */
+/** RDAP action for domain requests. */
 @Action(
     service = GaeService.PUBAPI,
     path = "/rdap/domain/",
@@ -65,7 +65,7 @@ public class RdapDomainAction extends RdapActionBase {
     }
     // The query string is not used; the RDAP syntax is /rdap/domain/mydomain.com.
     Optional<Domain> domain =
-        loadByForeignKeyCached(
+        loadByForeignKeyByCache(
             Domain.class,
             pathSearchString,
             shouldIncludeDeleted() ? START_OF_TIME : rdapJsonFormatter.getRequestTime());

core/src/main/java/google/registry/rdap/RdapDomainSearchAction.java

@@ -15,7 +15,7 @@
 package google.registry.rdap;
 
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
@@ -51,6 +51,7 @@ import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.util.NonFinalForTesting;
 import jakarta.inject.Inject;
+import jakarta.persistence.Query;
 import jakarta.persistence.criteria.CriteriaBuilder;
 import java.net.InetAddress;
 import java.util.Comparator;
@@ -60,17 +61,15 @@ import java.util.stream.Stream;
 import org.hibernate.Hibernate;
 
 /**
- * RDAP (new WHOIS) action for domain search requests.
+ * RDAP action for domain search requests.
  *
- * <p>All commands and responses conform to the RDAP spec as defined in RFCs 7480 through 7485.
+ * <p>All commands and responses conform to the RDAP spec as defined in STD 95 and its RFCs.
  *
  * @see <a href="http://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
  * @see <a href="http://tools.ietf.org/html/rfc9083">RFC 9083: JSON Responses for the Registration
  *     Data Access Protocol (RDAP)</a>
  */
-// TODO: This isn't required by the RDAP Technical Implementation Guide, and hence should be
-// deleted, at least until it's actually required.
 @Action(
     service = GaeService.PUBAPI,
     path = "/rdap/domains",
@@ -184,7 +183,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
   private DomainSearchResponse searchByDomainNameWithoutWildcard(
       final RdapSearchPattern partialStringQuery) {
     Optional<Domain> domain =
-        loadByForeignKeyCached(
+        loadByForeignKeyByCache(
             Domain.class, partialStringQuery.getInitialString(), getRequestTime());
     return makeSearchResults(
         shouldBeVisible(domain) ? ImmutableList.of(domain.get()) : ImmutableList.of());
@@ -339,7 +338,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
     Optional<String> desiredRegistrar = getDesiredRegistrar();
     if (desiredRegistrar.isPresent()) {
       Optional<Host> host =
-          loadByForeignKeyCached(
+          loadByForeignKeyByCache(
               Host.class,
               partialStringQuery.getInitialString(),
               shouldIncludeDeleted() ? START_OF_TIME : getRequestTime());
@@ -364,7 +363,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
     // through the subordinate hosts. This is more efficient, and lets us permit wildcard searches
     // with no initial string.
     Domain domain =
-        loadByForeignKeyCached(
+        loadByForeignKeyByCache(
                 Domain.class,
                 partialStringQuery.getSuffix(),
                 shouldIncludeDeleted() ? START_OF_TIME : getRequestTime())
@@ -381,7 +380,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
       if (partialStringQuery.matches(fqhn)) {
         if (desiredRegistrar.isPresent()) {
           Optional<Host> host =
-              loadByForeignKeyCached(
+              loadByForeignKeyByCache(
                   Host.class, fqhn, shouldIncludeDeleted() ? START_OF_TIME : getRequestTime());
           if (host.isPresent()
               && desiredRegistrar
@@ -442,7 +441,7 @@ public class RdapDomainSearchAction extends RdapSearchActionBase {
         replicaTm()
             .transact(
                 () -> {
-                  jakarta.persistence.Query query =
+                  Query query =
                       replicaTm()
                           .getEntityManager()
                           .createNativeQuery(queryBuilder.toString())

core/src/main/java/google/registry/rdap/RdapEntityAction.java

@@ -37,14 +37,12 @@ import jakarta.inject.Inject;
 import java.util.Optional;
 
 /**
- * RDAP (new WHOIS) action for entity (contact and registrar) requests. the ICANN operational
- * profile dictates that the "handle" for registrars is to be the IANA registrar ID:
+ * RDAP action for entity (contact and registrar) requests. the ICANN operational profile dictates
+ * that the "handle" for registrars is to be the IANA registrar ID:
  *
- * <p>2.8.3. Registries MUST support lookup for entities with the registrar role within other
- * objects using the handle (as described in 3.1.5 of RFC 9082). The handle of the entity with the
- * registrar role MUST be equal to IANA Registrar ID. The entity with the registrar role in the RDAP
- * response MUST contain a publicIDs member to identify the IANA Registrar ID from the IANA’s
- * Registrar ID registry. The type value of the publicID object MUST be equal to IANA Registrar ID.
+ * <p>2.4.1.Registry RDAP servers MUST support Registrar object lookup using an entity path request
+ * for entities with the registrar role using the handle (as described in 3.1.5 of RFC9082) where
+ * the handle of the entity with the registrar role is be [sic] equal to the IANA Registrar ID.
  */
 @Action(
     service = GaeService.PUBAPI,
@@ -104,7 +102,7 @@ public class RdapEntityAction extends RdapActionBase {
     // query, it MUST reply with 404 response code.
     //
     // Note we don't do RFC7480 5.3 - returning a different code if we wish to say "this info
-    // exists but we don't want to show it to you", because we DON'T wish to say that.
+    // exists, but we don't want to show it to you", because we DON'T wish to say that.
     throw new NotFoundException(pathSearchString + " not found");
   }
 }

core/src/main/java/google/registry/rdap/RdapEntitySearchAction.java

@@ -49,9 +49,9 @@ import java.util.List;
 import java.util.Optional;
 
 /**
- * RDAP (new WHOIS) action for entity (contact and registrar) search requests.
+ * RDAP action for entity (contact and registrar) search requests.
  *
- * <p>All commands and responses conform to the RDAP spec as defined in RFCs 7480 through 7485.
+ * <p>All commands and responses conform to the RDAP spec as defined in STD 95 and its RFCs.
  *
  * <p>The RDAP specification lumps contacts and registrars together and calls them "entities", which
  * is confusing for us, because "entity" means something else in SQL. But here, when we use the
@@ -76,8 +76,6 @@ import java.util.Optional;
  * @see <a href="http://tools.ietf.org/html/rfc9083">RFC 9083: JSON Responses for the Registration
  *     Data Access Protocol (RDAP)</a>
  */
-// TODO: This isn't required by the RDAP Technical Implementation Guide, and hence should be
-// deleted, at least until it's actually required.
 @Action(
     service = GaeService.PUBAPI,
     path = "/rdap/entities",

core/src/main/java/google/registry/rdap/RdapHelpAction.java

@@ -28,7 +28,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 import java.util.Optional;
 
-/** RDAP (new WHOIS) action for help requests. */
+/** RDAP action for help requests. */
 @Action(
     service = GaeService.PUBAPI,
     path = RdapHelpAction.PATH,

core/src/main/java/google/registry/rdap/RdapIcannStandardInformation.java

@@ -22,42 +22,34 @@ import google.registry.rdap.RdapDataStructures.Remark;
 /**
  * This file contains boilerplate required by the ICANN RDAP Profile.
  *
- * @see <a href="https://www.icann.org/resources/pages/rdap-operational-profile-2016-07-26-en">RDAP
- *     Operational Profile for gTLD Registries and Registrars</a>
+ * @see <a
+ *     href="https://itp.cdn.icann.org/en/files/registry-operators/rdap-response-profile-21feb24-en.pdf">
+ *     RDAP Response Profile</a>
  */
 public class RdapIcannStandardInformation {
 
-  /** Required by ICANN RDAP Profile section 1.4.10. */
-  private static final Notice CONFORMANCE_NOTICE =
-      Notice.builder()
-          .setDescription(
-              "This response conforms to the RDAP Operational Profile for gTLD Registries and"
-                  + " Registrars version 1.0")
-          .build();
-
-  /** Required by ICANN RDAP Profile section 1.5.18. */
+  /** Required by RDAP Response Profile section 2.6.3. */
   private static final Notice DOMAIN_STATUS_CODES_NOTICE =
       Notice.builder()
           .setTitle("Status Codes")
           .setDescription(
-              "For more information on domain status codes, please visit"
-                  + " https://icann.org/epp")
+              "For more information on domain status codes, please visit https://icann.org/epp")
           .addLink(
               Link.builder()
-                  .setRel("alternate")
+                  .setRel("glossary")
                   .setHref("https://icann.org/epp")
                   .setType("text/html")
                   .build())
           .build();
 
-  /** Required by ICANN RDAP Response Profile section 2.11. */
+  /** Required by RDAP Response Profile section 2.10. */
   private static final Notice INACCURACY_COMPLAINT_FORM_NOTICE =
       Notice.builder()
           .setTitle("RDDS Inaccuracy Complaint Form")
           .setDescription("URL of the ICANN RDDS Inaccuracy Complaint Form: https://icann.org/wicf")
           .addLink(
               Link.builder()
-                  .setRel("alternate")
+                  .setRel("help")
                   .setHref("https://icann.org/wicf")
                   .setType("text/html")
                   .build())
@@ -79,28 +71,16 @@ public class RdapIcannStandardInformation {
   /** Boilerplate notices required by domain responses. */
   static final ImmutableList<Notice> DOMAIN_BOILERPLATE_NOTICES =
       ImmutableList.of(
-          CONFORMANCE_NOTICE,
           // RDAP Response Profile 2.6.3
           DOMAIN_STATUS_CODES_NOTICE,
-          // RDAP Response Profile 2.11
+          // RDAP Response Profile 2.10
           INACCURACY_COMPLAINT_FORM_NOTICE);
 
   /** Boilerplate notice for when a domain is blocked by BSA. */
   static final ImmutableList<Notice> DOMAIN_BLOCKED_BY_BSA_BOILERPLATE_NOTICES =
       ImmutableList.of(DOMAIN_BLOCKED_BY_BSA_NOTICE);
 
-  /** Boilerplate remarks required by nameserver and entity responses. */
-  static final ImmutableList<Notice> NAMESERVER_AND_ENTITY_BOILERPLATE_NOTICES =
-      ImmutableList.of(CONFORMANCE_NOTICE);
-
-  /**
-   * Required by ICANN RDAP Profile section 1.4.9, as corrected by Gustavo Lozano of ICANN.
-   *
-   * <p>Also mentioned in the RDAP Technical Implementation Guide 3.6.
-   *
-   * @see <a href="http://mm.icann.org/pipermail/gtld-tech/2016-October/000822.html">Questions about
-   *     the ICANN RDAP Profile</a>
-   */
+  /** Required by the RDAP Technical Implementation Guide 3.6. */
   static final Remark SUMMARY_DATA_REMARK =
       Remark.builder()
           .setTitle("Incomplete Data")
@@ -109,14 +89,7 @@ public class RdapIcannStandardInformation {
           .setType(Remark.Type.OBJECT_TRUNCATED_UNEXPLAINABLE)
           .build();
 
-  /**
-   * Required by ICANN RDAP Profile section 1.4.8, as corrected by Gustavo Lozano of ICANN.
-   *
-   * <p>Also mentioned in the RDAP Technical Implementation Guide 3.5.
-   *
-   * @see <a href="http://mm.icann.org/pipermail/gtld-tech/2016-October/000822.html">Questions about
-   *     the ICANN RDAP Profile</a>
-   */
+  /** Required by the RDAP Technical Implementation Guide 3.5. */
   static final Notice TRUNCATED_RESULT_SET_NOTICE =
       Notice.builder()
           .setTitle("Search Policy")
@@ -148,7 +121,9 @@ public class RdapIcannStandardInformation {
   /**
    * Included when requester is not logged in as the owner of the contact being returned.
    *
-   * <p>Format required by ICANN RDAP Response Profile 15feb19 section 2.7.4.3.
+   * <p>>Note: if we were keeping this around, we'd want/need to implement the <a
+   * href="https://datatracker.ietf.org/doc/rfc9537/">official RDAP redaction spec</a> for contacts.
+   * We are getting rid of contacts in 2025 though so this should be unnecessary.
    */
   static final Remark CONTACT_PERSONAL_DATA_HIDDEN_DATA_REMARK =
       Remark.builder()
@@ -169,10 +144,9 @@ public class RdapIcannStandardInformation {
   /**
    * Included in ALL contact responses, even if the user is authorized.
    *
-   * <p>Format required by ICANN RDAP Response Profile 15feb19 section 2.7.5.3.
-   *
-   * <p>NOTE that unlike other redacted fields, there's no allowance to give the email to authorized
-   * users or allow for registrar consent.
+   * <p>>Note: if we were keeping this around, we'd want/need to implement the <a
+   * href="https://datatracker.ietf.org/doc/rfc9537/">official RDAP redaction spec</a> for contacts.
+   * We are getting rid of contacts in 2025 though so this should be unnecessary.
    */
   static final Remark CONTACT_EMAIL_REDACTED_FOR_DOMAIN =
       Remark.builder()

core/src/main/java/google/registry/rdap/RdapIpAction.java

@@ -26,7 +26,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 
 /**
- * RDAP (new WHOIS) action for RDAP IP address requests.
+ * RDAP action for RDAP IP address requests.
  *
  * <p>This feature is not implemented because it's only necessary for <i>address</i> registries like
  * ARIN, not domain registries.

core/src/main/java/google/registry/rdap/RdapJsonFormatter.java

@@ -23,20 +23,21 @@ import static google.registry.model.EppResourceUtils.isLinked;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.util.CollectionUtils.union;
 
+import com.github.benmanes.caffeine.cache.LoadingCache;
 import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Maps;
 import com.google.common.collect.Ordering;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.InetAddresses;
 import com.google.gson.JsonArray;
+import google.registry.config.RegistryConfig;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.model.CacheUtils;
 import google.registry.model.EppResource;
 import google.registry.model.adapters.EnumToAttributeAdapter.EppEnum;
 import google.registry.model.contact.Contact;
@@ -73,13 +74,11 @@ import google.registry.rdap.RdapObjectClasses.VcardArray;
 import google.registry.request.RequestServerName;
 import google.registry.util.Clock;
 import jakarta.inject.Inject;
-import jakarta.persistence.Entity;
 import java.net.Inet4Address;
 import java.net.Inet6Address;
 import java.net.InetAddress;
 import java.net.URI;
 import java.nio.file.Paths;
-import java.util.HashMap;
 import java.util.Locale;
 import java.util.Optional;
 import java.util.Set;
@@ -103,6 +102,16 @@ public class RdapJsonFormatter {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
+  @VisibleForTesting
+  record HistoryTimeAndRegistrar(DateTime modificationTime, String registrarId) {}
+
+  private static final LoadingCache<String, ImmutableMap<EventAction, HistoryTimeAndRegistrar>>
+      DOMAIN_HISTORIES_BY_REPO_ID =
+          CacheUtils.newCacheBuilder(RegistryConfig.getEppResourceCachingDuration())
+              // Cache more than the EPP resource cache because we're only caching small objects
+              .maximumSize(RegistryConfig.getEppResourceMaxCachedEntries() * 4L)
+              .build(repoId -> getLastHistoryByType(repoId, Domain.class));
+
   private DateTime requestTime = null;
 
   @Inject
@@ -212,7 +221,7 @@ public class RdapJsonFormatter {
    * Map of EPP event values to the RDAP equivalents.
    *
    * <p>Only has entries for optional events, either stated as optional in the RDAP Response Profile
-   * 15feb19, or not mentioned at all but thought to be useful anyway.
+   * section 2.3.2, or not mentioned at all but thought to be useful anyway.
    *
    * <p>Any required event should be added elsewhere, preferably without using HistoryEntries (so
    * that we don't need to load HistoryEntries for "summary" responses).
@@ -271,7 +280,7 @@ public class RdapJsonFormatter {
       URI htmlUri = htmlBaseURI.resolve(rdapTosStaticUrl);
       noticeBuilder.addLink(
           Link.builder()
-              .setRel("alternate")
+              .setRel("terms-of-service")
               .setHref(htmlUri.toString())
               .setType("text/html")
               .build());
@@ -283,8 +292,8 @@ public class RdapJsonFormatter {
    * Creates a JSON object for a {@link Domain}.
    *
    * <p>NOTE that domain searches aren't in the spec yet - they're in the RFC 9082 that describes
-   * the query format, but they aren't in the RDAP Technical Implementation Guide 15feb19, meaning
-   * we don't have to implement them yet and the RDAP Response Profile doesn't apply to them.
+   * the query format, but they aren't in the RDAP Technical Implementation Guide, meaning we don't
+   * have to implement them yet and the RDAP Response Profile doesn't apply to them.
    *
    * <p>We're implementing domain searches anyway, BUT we won't have the response for searches
    * conform to the RDAP Response Profile.
@@ -298,9 +307,9 @@ public class RdapJsonFormatter {
     if (outputDataType != OutputDataType.FULL) {
       builder.remarksBuilder().add(RdapIcannStandardInformation.SUMMARY_DATA_REMARK);
     }
-    // RDAP Response Profile 15feb19 section 2.1 discusses the domain name.
+    // RDAP Response Profile section 2.1 discusses the domain name.
     builder.setLdhName(domain.getDomainName());
-    // RDAP Response Profile 15feb19 section 2.2:
+    // RDAP Response Profile section 2.2:
     // The domain handle MUST be the ROID
     builder.setHandle(domain.getRepoId());
     // If this is a summary (search result) - we'll return now. Since there's no requirement for
@@ -308,9 +317,9 @@ public class RdapJsonFormatter {
     if (outputDataType == OutputDataType.SUMMARY) {
       return builder.build();
     }
-    // RDAP Response Profile 15feb19 section 2.3.1:
+    // RDAP Response Profile section 2.3.1:
     // The domain object in the RDAP response MUST contain the following events:
-    // [registration, expiration, last update of RDAP database]
+    // [registration, expiration]
     builder
         .eventsBuilder()
         .add(
@@ -324,14 +333,18 @@ public class RdapJsonFormatter {
                 .setEventAction(EventAction.EXPIRATION)
                 .setEventDate(domain.getRegistrationExpirationTime())
                 .build(),
+            // RDAP response profile section 1.5:
+            // The topmost object in the RDAP response MUST contain an event of "eventAction" type
+            // "last update of RDAP database" with a value equal to the timestamp when the RDAP
+            // database was last updated
             Event.builder()
                 .setEventAction(EventAction.LAST_UPDATE_OF_RDAP_DATABASE)
                 .setEventDate(getRequestTime())
                 .build());
-    // RDAP Response Profile 15feb19 section 2.3.2 discusses optional events. We add some of those
+    // RDAP Response Profile section 2.3.2 discusses optional events. We add some of those
     // here. We also add a few others we find interesting.
     builder.eventsBuilder().addAll(makeOptionalEvents(domain));
-    // RDAP Response Profile 15feb19 section 2.4.1:
+    // RDAP Response Profile section 2.4.1:
     // The domain object in the RDAP response MUST contain an entity with the Registrar role.
     //
     // See {@link createRdapRegistrarEntity} for details of section 2.4 conformance
@@ -369,8 +382,6 @@ public class RdapJsonFormatter {
     // RDAP Response Profile 2.6.3, must have a notice about statuses. That is in {@link
     // RdapIcannStandardInformation#domainBoilerplateNotices}
 
-    // Kick off the database loads of the nameservers that we will need, so it can load
-    // asynchronously while we load and process the contacts.
     ImmutableSet<Host> loadedHosts =
         replicaTm()
             .transact(
@@ -415,12 +426,12 @@ public class RdapJsonFormatter {
     }
 
     // Add the nameservers to the data; the load was kicked off above for efficiency.
-    // RDAP Response Profile 2.9: we MUST have the nameservers
+    // RDAP Response Profile 2.8: we MUST have the nameservers
     for (Host host : HOST_RESOURCE_ORDERING.immutableSortedCopy(loadedHosts)) {
       builder.nameserversBuilder().add(createRdapNameserver(host, OutputDataType.INTERNAL));
     }
 
-    // RDAP Response Profile 2.10 - MUST contain a secureDns member including at least a
+    // RDAP Response Profile 2.9 - MUST contain a secureDns member including at least a
     // delegationSigned element. Other elements (e.g. dsData) MUST be included if the domain name is
     // signed and the elements are stored in the Registry
     //
@@ -445,13 +456,13 @@ public class RdapJsonFormatter {
       builder.remarksBuilder().add(RdapIcannStandardInformation.SUMMARY_DATA_REMARK);
     }
 
-    // We need the ldhName: RDAP Response Profile 2.9.1, 4.1
+    // We need the ldhName: RDAP Response Profile 2.8.1, 4.1
     builder.setLdhName(host.getHostName());
     // Handle is optional, but if given it MUST be the ROID.
     // We will set it always as it's important as a "self link"
     builder.setHandle(host.getRepoId());
 
-    // Status is optional for internal Nameservers - RDAP Response Profile 2.9.2
+    // Status is optional for internal Nameservers - RDAP Response Profile 2.8.2
     // It isn't mentioned at all anywhere else. So we can just not put it at all?
     //
     // To be safe, we'll put it on the "FULL" version anyway
@@ -483,7 +494,7 @@ public class RdapJsonFormatter {
 
     // For query responses - we MUST have all the ip addresses: RDAP Response Profile 4.2.
     //
-    // However, it is optional for internal responses: RDAP Response Profile 2.9.2
+    // However, it is optional for internal responses: RDAP Response Profile 2.8.2
     if (outputDataType != OutputDataType.INTERNAL) {
       for (InetAddress inetAddress : host.getInetAddresses()) {
         if (inetAddress instanceof Inet4Address) {
@@ -501,7 +512,7 @@ public class RdapJsonFormatter {
       builder.entitiesBuilder().add(createRdapRegistrarEntity(registrar, OutputDataType.INTERNAL));
     }
     if (outputDataType != OutputDataType.INTERNAL) {
-      // Rdap Response Profile 4.4, must have "last update of RDAP database" response. But this is
+      // Rdap Response Profile 1.5, must have "last update of RDAP database" response. But this is
       // only for direct query responses and not for internal objects.
       builder.setLastUpdateOfRdapDatabaseEvent(
           Event.builder()
@@ -526,10 +537,7 @@ public class RdapJsonFormatter {
       Contact contact, Iterable<RdapEntity.Role> roles, OutputDataType outputDataType) {
     RdapContactEntity.Builder contactBuilder = RdapContactEntity.builder();
 
-    // RDAP Response Profile 2.7.1, 2.7.3 - we MUST have the contacts. 2.7.4 discusses censoring of
-    // fields we don't want to show (as opposed to not having contacts at all) because of GDPR etc.
-    //
-    // 2.8 allows for unredacted output for authorized people.
+    // RDAP Response Profile 2.7.1, 2.7.3 - we MUST have the contacts
     boolean isAuthorized =
         rdapAuthorization.isAuthorizedForRegistrar(contact.getCurrentSponsorRegistrarId());
 
@@ -569,7 +577,7 @@ public class RdapJsonFormatter {
         .add(RdapIcannStandardInformation.CONTACT_EMAIL_REDACTED_FOR_DOMAIN);
 
     if (outputDataType != OutputDataType.INTERNAL) {
-      // Rdap Response Profile 2.7.6 must have "last update of RDAP database" response. But this is
+      // Rdap Response Profile 1.5 must have "last update of RDAP database" response. But this is
       // only for direct query responses and not for internal objects. I'm not sure why it's in that
       // section at all...
       contactBuilder.setLastUpdateOfRdapDatabaseEvent(
@@ -647,8 +655,8 @@ public class RdapJsonFormatter {
    * Creates a JSON object for a {@link Registrar}.
    *
    * <p>This object can be INTERNAL to the Domain and Nameserver responses, with requirements
-   * discussed in the RDAP Response Profile 15feb19 sections 2.4 (internal to Domain) and 4.3
-   * (internal to Namesever)
+   * discussed in the RDAP Response Profile sections 2.4 (internal to Domain) and 4.3 (internal to
+   * Namesever)
    *
    * @param registrar the registrar object from which the RDAP response
    * @param outputDataType whether to generate FULL, SUMMARY, or INTERNAL data.
@@ -712,6 +720,15 @@ public class RdapJsonFormatter {
       builder.linksBuilder().add(makeSelfLink("entity", ianaIdentifier.toString()));
     }
 
+    // RDAP Response Profile 2.4.6: must have a links entry pointing to the registrar URL, with a
+    // rel:about and a value containing the registrar RDAP base URL (if present)
+    if (registrar.getUrl() != null) {
+      Link.Builder registrarLinkBuilder =
+          Link.builder().setHref(registrar.getUrl()).setRel("about").setType("text/html");
+      registrar.getRdapBaseUrls().stream().findFirst().ifPresent(registrarLinkBuilder::setValue);
+      builder.linksBuilder().add(registrarLinkBuilder.build());
+    }
+
     // There's no mention of the registrar STATUS in the RDAP Response Profile, so we'll only add it
     // for FULL response
     // We could probably not add it at all, but it could be useful for us internally
@@ -737,10 +754,9 @@ public class RdapJsonFormatter {
     //
     // Write the minimum, meaning only ABUSE for INTERNAL registrars, nothing for SUMMARY and
     // everything for FULL.
-    //
     if (outputDataType != OutputDataType.SUMMARY) {
       ImmutableList<RdapContactEntity> registrarContacts =
-          registrar.getContacts().stream()
+          registrar.getContactsFromReplica().stream()
               .map(RdapJsonFormatter::makeRdapJsonForRegistrarContact)
               .filter(Optional::isPresent)
               .map(Optional::get)
@@ -758,7 +774,7 @@ public class RdapJsonFormatter {
       builder.entitiesBuilder().addAll(registrarContacts);
     }
 
-    // Rdap Response Profile 3.3, must have "last update of RDAP database" response. But this is
+    // Rdap Response Profile 1.5, must have "last update of RDAP database" response. But this is
     // only for direct query responses and not for internal objects.
     if (outputDataType != OutputDataType.INTERNAL) {
       builder.setLastUpdateOfRdapDatabaseEvent(
@@ -860,8 +876,18 @@ public class RdapJsonFormatter {
   }
 
   @VisibleForTesting
-  ImmutableMap<EventAction, HistoryEntry> getLastHistoryEntryByType(EppResource resource) {
-    HashMap<EventAction, HistoryEntry> lastEntryOfType = Maps.newHashMap();
+  static ImmutableMap<EventAction, HistoryTimeAndRegistrar> getLastHistoryByType(
+      EppResource eppResource) {
+    if (eppResource instanceof Domain) {
+      return DOMAIN_HISTORIES_BY_REPO_ID.get(eppResource.getRepoId());
+    }
+    return getLastHistoryByType(eppResource.getRepoId(), eppResource.getClass());
+  }
+
+  private static ImmutableMap<EventAction, HistoryTimeAndRegistrar> getLastHistoryByType(
+      String repoId, Class<? extends EppResource> resourceType) {
+    ImmutableMap.Builder<EventAction, HistoryTimeAndRegistrar> lastEntryOfType =
+        new ImmutableMap.Builder<>();
     // Events (such as transfer, but also create) can appear multiple times. We only want the last
     // time they appeared.
     //
@@ -873,49 +899,48 @@ public class RdapJsonFormatter {
     // 2.3.2.3 An event of *eventAction* type *transfer*, with the last date and time that the
     // domain was transferred. The event of *eventAction* type *transfer* MUST be omitted if the
     // domain name has not been transferred since it was created.
-    VKey<? extends EppResource> resourceVkey = resource.createVKey();
-    Class<? extends HistoryEntry> historyClass =
-        HistoryEntryDao.getHistoryClassFromParent(resourceVkey.getKind());
-    String entityName = historyClass.getAnnotation(Entity.class).name();
-    if (Strings.isNullOrEmpty(entityName)) {
-      entityName = historyClass.getSimpleName();
-    }
+    String entityName = HistoryEntryDao.getHistoryClassFromParent(resourceType).getSimpleName();
     String jpql =
         GET_LAST_HISTORY_BY_TYPE_JPQL_TEMPLATE
             .replace("%entityName%", entityName)
-            .replace("%repoIdValue%", resourceVkey.getKey().toString());
-    Iterable<HistoryEntry> historyEntries =
-        replicaTm()
-            .transact(
-                () ->
-                    replicaTm()
-                        .getEntityManager()
-                        .createQuery(jpql, HistoryEntry.class)
-                        .getResultList());
-    for (HistoryEntry historyEntry : historyEntries) {
-      EventAction rdapEventAction =
-          HISTORY_ENTRY_TYPE_TO_RDAP_EVENT_ACTION_MAP.get(historyEntry.getType());
-      // Only save the historyEntries if this is a type we care about.
-      if (rdapEventAction == null) {
-        continue;
-      }
-      lastEntryOfType.put(rdapEventAction, historyEntry);
-    }
-    return ImmutableMap.copyOf(lastEntryOfType);
+            .replace("%repoIdValue%", repoId);
+    replicaTm()
+        .transact(
+            () ->
+                replicaTm()
+                    .getEntityManager()
+                    .createQuery(jpql, HistoryEntry.class)
+                    .getResultStream()
+                    .forEach(
+                        historyEntry -> {
+                          EventAction rdapEventAction =
+                              HISTORY_ENTRY_TYPE_TO_RDAP_EVENT_ACTION_MAP.get(
+                                  historyEntry.getType());
+                          // Only save the entries if this is a type we care about.
+                          if (rdapEventAction != null) {
+                            lastEntryOfType.put(
+                                rdapEventAction,
+                                new HistoryTimeAndRegistrar(
+                                    historyEntry.getModificationTime(),
+                                    historyEntry.getRegistrarId()));
+                          }
+                        }));
+    return lastEntryOfType.buildKeepingLast();
   }
 
   /**
    * Creates the list of optional events to list in domain, nameserver, or contact replies.
    *
    * <p>Only has entries for optional events that won't be shown in "SUMMARY" versions of these
-   * objects. These are either stated as optional in the RDAP Response Profile 15feb19, or not
-   * mentioned at all but thought to be useful anyway.
+   * objects. These are either stated as optional in the RDAP Response Profile, or not mentioned at
+   * all but thought to be useful anyway.
    *
    * <p>Any required event should be added elsewhere, preferably without using HistoryEntries (so
    * that we don't need to load HistoryEntries for "summary" responses).
    */
   private ImmutableList<Event> makeOptionalEvents(EppResource resource) {
-    ImmutableMap<EventAction, HistoryEntry> lastEntryOfType = getLastHistoryEntryByType(resource);
+    ImmutableMap<EventAction, HistoryTimeAndRegistrar> lastHistoryOfType =
+        getLastHistoryByType(resource);
     ImmutableList.Builder<Event> eventsBuilder = new ImmutableList.Builder<>();
     DateTime creationTime = resource.getCreationTime();
     DateTime lastChangeTime =
@@ -923,12 +948,12 @@ public class RdapJsonFormatter {
     // The order of the elements is stable - it's the order in which the enum elements are defined
     // in EventAction
     for (EventAction rdapEventAction : EventAction.values()) {
-      HistoryEntry historyEntry = lastEntryOfType.get(rdapEventAction);
+      HistoryTimeAndRegistrar historyTimeAndRegistrar = lastHistoryOfType.get(rdapEventAction);
       // Check if there was any entry of this type
-      if (historyEntry == null) {
+      if (historyTimeAndRegistrar == null) {
         continue;
       }
-      DateTime modificationTime = historyEntry.getModificationTime();
+      DateTime modificationTime = historyTimeAndRegistrar.modificationTime();
       // We will ignore all events that happened before the "creation time", since these events are
       // from a "previous incarnation of the domain" (for a domain that was owned by someone,
       // deleted, and then bought by someone else)
@@ -938,7 +963,7 @@ public class RdapJsonFormatter {
       eventsBuilder.add(
           Event.builder()
               .setEventAction(rdapEventAction)
-              .setEventActor(historyEntry.getRegistrarId())
+              .setEventActor(historyTimeAndRegistrar.registrarId())
               .setEventDate(modificationTime)
               .build());
       // The last change time might not be the lastEppUpdateTime, since some changes happen without
@@ -947,29 +972,24 @@ public class RdapJsonFormatter {
         lastChangeTime = modificationTime;
       }
     }
-    // RDAP Response Profile 15feb19 section 2.3.2.2:
+    // RDAP Response Profile section 2.3.2.2:
     // The event of eventAction type last changed MUST be omitted if the domain name has not been
     // updated since it was created
     if (lastChangeTime.isAfter(creationTime)) {
-      eventsBuilder.add(makeEvent(EventAction.LAST_CHANGED, null, lastChangeTime));
+      // Creates an RDAP event object as defined by RFC 9083
+      eventsBuilder.add(
+          Event.builder()
+              .setEventAction(EventAction.LAST_CHANGED)
+              .setEventDate(lastChangeTime)
+              .build());
     }
     return eventsBuilder.build();
   }
 
-  /** Creates an RDAP event object as defined by RFC 9083. */
-  private static Event makeEvent(
-      EventAction eventAction, @Nullable String eventActor, DateTime eventDate) {
-    Event.Builder builder = Event.builder().setEventAction(eventAction).setEventDate(eventDate);
-    if (eventActor != null) {
-      builder.setEventActor(eventActor);
-    }
-    return builder.build();
-  }
-
   /**
    * Creates a vCard address entry: array of strings specifying the components of the address.
    *
-   * <p>Rdap Response Profile 3.1.1: MUST contain the following fields: Street, City, Country Rdap
+   * <p>RDAP Response Profile 3.1.1: MUST contain the following fields: Street, City, Country Rdap
    * Response Profile 3.1.2: optional fields: State/Province, Postal Code, Fax Number
    *
    * @see <a href="https://tools.ietf.org/html/rfc7095">RFC 7095: jCard: The JSON Format for

core/src/main/java/google/registry/rdap/RdapNameserverAction.java

@@ -15,7 +15,7 @@
 package google.registry.rdap;
 
 import static google.registry.flows.host.HostFlowUtils.validateHostName;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
@@ -33,7 +33,7 @@ import google.registry.request.auth.Auth;
 import jakarta.inject.Inject;
 import java.util.Optional;
 
-/** RDAP (new WHOIS) action for nameserver requests. */
+/** RDAP action for nameserver requests. */
 @Action(
     service = GaeService.PUBAPI,
     path = "/rdap/nameserver/",
@@ -48,7 +48,7 @@ public class RdapNameserverAction extends RdapActionBase {
 
   @Override
   public RdapNameserver getJsonObjectForResource(String pathSearchString, boolean isHeadRequest) {
-    // RDAP Technical Implementation Guide 2.2.1 - we must support A-label (Punycode) and U-label
+    // RDAP Technical Implementation Guide 2.1.1 - we must support A-label (Punycode) and U-label
     // (Unicode) formats. canonicalizeName will transform Unicode to Punycode so we support both.
     pathSearchString = canonicalizeName(pathSearchString);
     // The RDAP syntax is /rdap/nameserver/ns1.mydomain.com.
@@ -63,7 +63,7 @@ public class RdapNameserverAction extends RdapActionBase {
     // If there are no undeleted nameservers with the given name, the foreign key should point to
     // the most recently deleted one.
     Optional<Host> host =
-        loadByForeignKeyCached(
+        loadByForeignKeyByCache(
             Host.class,
             pathSearchString,
             shouldIncludeDeleted() ? START_OF_TIME : getRequestTime());

core/src/main/java/google/registry/rdap/RdapNameserverSearchAction.java

@@ -14,7 +14,7 @@
 
 package google.registry.rdap;
 
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
@@ -47,9 +47,9 @@ import java.util.List;
 import java.util.Optional;
 
 /**
- * RDAP (new WHOIS) action for nameserver search requests.
+ * RDAP action for nameserver search requests.
  *
- * <p>All commands and responses conform to the RDAP spec as defined in RFCs 7480 through 7485.
+ * <p>All commands and responses conform to the RDAP spec as defined in STD 95 and its RFCs.
  *
  * @see <a href="http://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
@@ -159,7 +159,8 @@ public class RdapNameserverSearchAction extends RdapSearchActionBase {
             .setIncompletenessWarningType(IncompletenessWarningType.COMPLETE);
 
     Optional<Host> host =
-        loadByForeignKeyCached(Host.class, partialStringQuery.getInitialString(), getRequestTime());
+        loadByForeignKeyByCache(
+            Host.class, partialStringQuery.getInitialString(), getRequestTime());
 
     metricInformationBuilder.setNumHostsRetrieved(host.isPresent() ? 1 : 0);
 
@@ -175,7 +176,7 @@ public class RdapNameserverSearchAction extends RdapSearchActionBase {
   private NameserverSearchResponse searchByNameUsingSuperordinateDomain(
       RdapSearchPattern partialStringQuery) {
     Optional<Domain> domain =
-        loadByForeignKeyCached(Domain.class, partialStringQuery.getSuffix(), getRequestTime());
+        loadByForeignKeyByCache(Domain.class, partialStringQuery.getSuffix(), getRequestTime());
     if (domain.isEmpty()) {
       // Don't allow wildcards with suffixes which are not domains we manage. That would risk a
       // table scan in many easily foreseeable cases. The user might ask for ns*.zombo.com,
@@ -193,7 +194,7 @@ public class RdapNameserverSearchAction extends RdapSearchActionBase {
       // We can't just check that the host name starts with the initial query string, because
       // then the query ns.exam*.example.com would match against nameserver ns.example.com.
       if (partialStringQuery.matches(fqhn)) {
-        Optional<Host> host = loadByForeignKeyCached(Host.class, fqhn, getRequestTime());
+        Optional<Host> host = loadByForeignKeyByCache(Host.class, fqhn, getRequestTime());
         if (shouldBeVisible(host)) {
           hostList.add(host.get());
           if (hostList.size() > rdapResultSetMaxSize) {

core/src/main/java/google/registry/rdap/RdapObjectClasses.java

@@ -45,11 +45,7 @@ import java.util.Optional;
 /** Object Classes defined in RFC 9083 section 5. */
 final class RdapObjectClasses {
 
-  /**
-   * Temporary implementation of VCards.
-   *
-   * <p>Will create a better implementation soon.
-   */
+  /** Rough implementation of VCards. */
   @RestrictJsonNames({})
   @AutoValue
   public abstract static class Vcard implements Jsonable {
@@ -140,8 +136,8 @@ final class RdapObjectClasses {
   public enum BoilerplateType {
     DOMAIN(RdapIcannStandardInformation.DOMAIN_BOILERPLATE_NOTICES),
     DOMAIN_BLOCKED_BY_BSA(RdapIcannStandardInformation.DOMAIN_BLOCKED_BY_BSA_BOILERPLATE_NOTICES),
-    NAMESERVER(RdapIcannStandardInformation.NAMESERVER_AND_ENTITY_BOILERPLATE_NOTICES),
-    ENTITY(RdapIcannStandardInformation.NAMESERVER_AND_ENTITY_BOILERPLATE_NOTICES),
+    NAMESERVER(ImmutableList.of()),
+    ENTITY(ImmutableList.of()),
     OTHER(ImmutableList.of());
 
     @SuppressWarnings("ImmutableEnumChecker") // immutable lists are, in fact, immutable
@@ -173,8 +169,8 @@ final class RdapObjectClasses {
    * The Top Level JSON reply, Adds the required top-level boilerplate to a ReplyPayloadBase.
    *
    * <p>RFC 9083 specifies that the top-level object should include an entry indicating the
-   * conformance level. ICANN RDAP spec for 15feb19 mandates several additional entries, in sections
-   * 2.6.3, 2.11 of the Response Profile and 3.3, 3.5, of the Technical Implementation Guide.
+   * conformance level. The RDAP spec mandates several additional entries, in sections 2.6.3, 2.10
+   * of the Response Profile and 3.3, 3.5, of the Technical Implementation Guide.
    */
   @AutoValue
   @RestrictJsonNames({})
@@ -353,7 +349,7 @@ final class RdapObjectClasses {
    *
    * <p>Takes care of the name and unicode field.
    *
-   * <p>See RDAP Response Profile 15feb19 sections 2.1 and 4.1.
+   * <p>See RDAP Response Profile sections 2.1 and 4.1.
    *
    * <p>Note the ldhName field is only required for non-IDN names or IDN names when the query was an
    * A-label. It is optional for IDN names when the query was a U-label. Because we don't want to
@@ -471,7 +467,7 @@ final class RdapObjectClasses {
     }
 
     /**
-     * an integer representing the signature lifetime in seconds to be used when creating the RRSIG
+     * An integer representing the signature lifetime in seconds to be used when creating the RRSIG
      * DS record in the parent zone [RFC5910].
      *
      * <p>Note that although it isn't given as optional in RFC 9083, in RFC5910 it's mentioned as

core/src/main/java/google/registry/rdap/RdapSearchActionBase.java

@@ -31,7 +31,6 @@ import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.HttpException.UnprocessableEntityException;
 import google.registry.request.Parameter;
 import google.registry.request.ParameterMap;
-import google.registry.request.RequestUrl;
 import jakarta.inject.Inject;
 import jakarta.persistence.criteria.CriteriaBuilder;
 import java.io.UnsupportedEncodingException;
@@ -45,7 +44,7 @@ import java.util.Objects;
 import java.util.Optional;
 
 /**
- * Base RDAP (new WHOIS) action for domain, nameserver and entity search requests.
+ * Base RDAP action for domain, nameserver and entity search requests.
  *
  * @see <a href="https://tools.ietf.org/html/rfc9082">RFC 9082: Registration Data Access Protocol
  *     (RDAP) Query Format</a>
@@ -54,7 +53,6 @@ public abstract class RdapSearchActionBase extends RdapActionBase {
 
   private static final int RESULT_SET_SIZE_SCALING_FACTOR = 30;
 
-  @Inject @RequestUrl String requestUrl;
   @Inject @ParameterMap ImmutableListMultimap<String, String> parameterMap;
   @Inject @Parameter("cursor") Optional<String> cursorTokenParam;
   @Inject @Parameter("registrar") Optional<String> registrarParam;
@@ -157,7 +155,6 @@ public abstract class RdapSearchActionBase extends RdapActionBase {
    */
   <T extends EppResource> RdapResultSet<T> getMatchingResources(
       CriteriaQueryBuilder<T> builder, boolean checkForVisibility, int querySizeLimit) {
-    replicaTm().assertInTransaction();
     Optional<String> desiredRegistrar = getDesiredRegistrar();
     if (desiredRegistrar.isPresent()) {
       builder =

core/src/main/java/google/registry/rdap/RdapSearchPattern.java

@@ -39,8 +39,8 @@ public final class RdapSearchPattern {
   /**
    * Pattern for allowed LDH searches.
    *
-   * <p>Based on RFC 9082 4.1. Must contains only alphanumeric plus dots and hyphens. A single
-   * whildcard asterix is allowed - but if exists must be the last character of a domain name label
+   * <p>Based on RFC 9082 4.1. Must contain only alphanumeric plus dots and hyphens. A single
+   * wildcard asterix is allowed - but if exists must be the last character of a domain name label
    * (so exam* and exam*.com are allowed, but exam*le.com isn't allowd)
    *
    * <p>The prefix is in group(1), and the suffix without the dot (if it exists) is in group(4). If
@@ -123,7 +123,7 @@ public final class RdapSearchPattern {
    * Creates a SearchPattern using the provided domain search pattern in LDH format.
    *
    * <p>The domain search pattern can have a single wildcard asterix that can match 0 or more
-   * charecters. If such an asterix exists - it must be at the end of a domain label.
+   * characters. If such an asterix exists - it must be at the end of a domain label.
    *
    * @param searchQuery the string containing the partial match pattern
    * @throws UnprocessableEntityException if {@code pattern} does not meet the requirements of RFC
@@ -150,7 +150,7 @@ public final class RdapSearchPattern {
    * Creates a SearchPattern using the provided domain search pattern in LDH or Unicode format.
    *
    * <p>The domain search pattern can have a single wildcard asterix that can match 0 or more
-   * charecters. If such an asterix exists - it must be at the end of a domain label.
+   * characters. If such an asterix exists - it must be at the end of a domain label.
    *
    * <p>In theory, according to RFC 9082 4.1 - we should make some checks about partial matching in
    * unicode queries. We don't, but we might want to just disable partial matches for unicode inputs

core/src/main/java/google/registry/rdap/RdapUtils.java

@@ -37,7 +37,7 @@ public final class RdapUtils {
    *
    * <p>Used for RDAP Technical Implementation Guide 2.4.2 - search of registrar by the fn element.
    *
-   * <p>For convenience, we use case insensitive search.
+   * <p>For convenience, we use case-insensitive search.
    */
   static Optional<Registrar> getRegistrarByName(String registrarName) {
     return Streams.stream(Registrar.loadAllCached())

core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java

@@ -25,6 +25,7 @@ import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import google.registry.model.registrar.Registrar;
+import google.registry.persistence.PersistenceModule;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
 import google.registry.request.HttpException.InternalServerErrorException;
@@ -36,7 +37,7 @@ import jakarta.inject.Inject;
 import java.io.IOException;
 import java.io.StringReader;
 import java.net.HttpURLConnection;
-import java.net.URL;
+import java.net.URI;
 import java.security.GeneralSecurityException;
 import org.apache.commons.csv.CSVFormat;
 import org.apache.commons.csv.CSVParser;
@@ -72,7 +73,7 @@ public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
   public void run() {
     try {
       ImmutableMap<String, String> ianaIdsToUrls = getIanaIdsToUrls();
-      tm().transact(() -> processAllRegistrars(ianaIdsToUrls));
+      processAllRegistrars(ianaIdsToUrls);
     } catch (Exception e) {
       throw new InternalServerErrorException("Error when retrieving RDAP base URL CSV file", e);
     }
@@ -80,7 +81,14 @@ public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
 
   private static void processAllRegistrars(ImmutableMap<String, String> ianaIdsToUrls) {
     int nonUpdatedRegistrars = 0;
-    for (Registrar registrar : Registrar.loadAll()) {
+    // Split into multiple transactions to avoid load-save-reload conflicts. Re-building a registrar
+    // requires a full (cached) load of all registrars to avoid IANA ID conflicts, so if multiple
+    // registrars are modified in the same transaction, the second build call will fail.
+    Iterable<Registrar> registrars =
+        tm().transact(
+                PersistenceModule.TransactionIsolationLevel.TRANSACTION_REPEATABLE_READ,
+                Registrar::loadAll);
+    for (Registrar registrar : registrars) {
       // Only update REAL registrars
       if (registrar.getType() != Registrar.Type.REAL) {
         continue;
@@ -100,7 +108,12 @@ public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
               "Updating RDAP base URLs for registrar %s from %s to %s",
               registrar.getRegistrarId(), registrar.getRdapBaseUrls(), baseUrls);
         }
-        tm().put(registrar.asBuilder().setRdapBaseUrls(baseUrls).build());
+        tm().transact(
+                () -> {
+                  // Reload inside a transaction to avoid race conditions
+                  Registrar reloadedRegistrar = tm().loadByEntity(registrar);
+                  tm().put(reloadedRegistrar.asBuilder().setRdapBaseUrls(baseUrls).build());
+                });
       }
     }
     logger.atInfo().log("No change in RDAP base URLs for %d registrars", nonUpdatedRegistrars);
@@ -108,9 +121,9 @@ public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
 
   private ImmutableMap<String, String> getIanaIdsToUrls()
       throws IOException, GeneralSecurityException {
-    CSVParser csv;
-    HttpURLConnection connection = urlConnectionService.createConnection(new URL(RDAP_IDS_URL));
-    // Explictly set the accepted encoding, as we know Brotli causes us problems when talking to
+    HttpURLConnection connection =
+        urlConnectionService.createConnection(URI.create(RDAP_IDS_URL).toURL());
+    // Explicitly set the accepted encoding, as we know Brotli causes us problems when talking to
     // ICANN.
     connection.setRequestProperty(ACCEPT_ENCODING, "gzip");
     String csvString;
@@ -128,11 +141,11 @@ public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
     } finally {
       connection.disconnect();
     }
-    csv =
+    CSVParser csv =
         CSVFormat.Builder.create(CSVFormat.DEFAULT)
             .setHeader()
             .setSkipHeaderRecord(true)
-            .build()
+            .get()
             .parse(new StringReader(csvString));
     ImmutableMap.Builder<String, String> result = new ImmutableMap.Builder<>();
     for (CSVRecord record : csv) {

core/src/main/java/google/registry/tools/CreateCdnsTld.java

@@ -72,11 +72,11 @@ final class CreateCdnsTld extends ConfirmingCommand {
             .setDescription(description)
             .setNameServerSet(
                 RegistryToolEnvironment.get() == RegistryToolEnvironment.PRODUCTION
-                ? "cloud-dns-registry"
-                : "cloud-dns-registry-test")
+                    ? "cloud-dns-registry"
+                    : "cloud-dns-registry-test")
             .setDnsName(dnsName)
             .setName((name != null) ? name : dnsName)
-            .setDnssecConfig(new ManagedZoneDnsSecConfig().setNonExistence("NSEC").setState("ON"));
+            .setDnssecConfig(new ManagedZoneDnsSecConfig().setNonExistence("nsec").setState("on"));
   }
 
   @Override

core/src/main/java/google/registry/tools/CreateDomainCommand.java

@@ -16,6 +16,9 @@ package google.registry.tools;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Strings.isNullOrEmpty;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_OPTIONAL;
+import static google.registry.model.common.FeatureFlag.FeatureName.MINIMUM_DATASET_CONTACTS_PROHIBITED;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.pricing.PricingEngineProxy.getPricesForDomainName;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static org.joda.time.DateTimeZone.UTC;
@@ -23,6 +26,7 @@ import static org.joda.time.DateTimeZone.UTC;
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.template.soy.data.SoyMapData;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.pricing.PremiumPricingEngine.DomainPrices;
 import google.registry.tools.soy.DomainCreateSoyInfo;
 import google.registry.util.StringGenerator;
@@ -58,9 +62,15 @@ final class CreateDomainCommand extends CreateOrUpdateDomainCommand {
 
   @Override
   protected void initMutatingEppToolCommand() {
-    checkArgumentNotNull(registrant, "Registrant must be specified");
-    checkArgument(!admins.isEmpty(), "At least one admin must be specified");
-    checkArgument(!techs.isEmpty(), "At least one tech must be specified");
+    tm().transact(
+            () -> {
+              if (!FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_OPTIONAL)
+                  && !FeatureFlag.isActiveNow(MINIMUM_DATASET_CONTACTS_PROHIBITED)) {
+                checkArgumentNotNull(registrant, "Registrant must be specified");
+                checkArgument(!admins.isEmpty(), "At least one admin must be specified");
+                checkArgument(!techs.isEmpty(), "At least one tech must be specified");
+              }
+            });
     if (isNullOrEmpty(password)) {
       password = passwordGenerator.createString(PASSWORD_LENGTH);
     }

core/src/main/java/google/registry/tools/DomainLockUtils.java

@@ -16,7 +16,7 @@ package google.registry.tools;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.batch.AsyncTaskEnqueuer.QUEUE_ASYNC_ACTIONS;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCacheIfEnabled;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
 
@@ -326,7 +326,7 @@ public final class DomainLockUtils {
 
   private Domain getDomain(String domainName, String registrarId, DateTime now) {
     Domain domain =
-        loadByForeignKeyCached(Domain.class, domainName, now)
+        loadByForeignKeyByCacheIfEnabled(Domain.class, domainName, now)
             .orElseThrow(() -> new IllegalArgumentException("Domain doesn't exist"));
     // The user must have specified either the correct registrar ID or the admin registrar ID
     checkArgument(

core/src/main/java/google/registry/tools/RegistryToolComponent.java

@@ -23,9 +23,7 @@ import google.registry.config.CloudTasksUtilsModule;
 import google.registry.config.CredentialModule.LocalCredentialJson;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryConfig.ConfigModule;
-import google.registry.dns.writer.VoidDnsWriterModule;
-import google.registry.dns.writer.clouddns.CloudDnsWriterModule;
-import google.registry.dns.writer.dnsupdate.DnsUpdateWriterModule;
+import google.registry.dns.writer.DnsWritersModule;
 import google.registry.keyring.KeyringModule;
 import google.registry.keyring.api.KeyModule;
 import google.registry.model.ModelModule;
@@ -56,9 +54,8 @@ import javax.annotation.Nullable;
       BatchModule.class,
       BigqueryModule.class,
       ConfigModule.class,
-      CloudDnsWriterModule.class,
       CloudTasksUtilsModule.class,
-      DnsUpdateWriterModule.class,
+      DnsWritersModule.class,
       GsonModule.class,
       KeyModule.class,
       KeyringModule.class,
@@ -71,7 +68,6 @@ import javax.annotation.Nullable;
       SecretManagerModule.class,
       UrlConnectionServiceModule.class,
       UtilsModule.class,
-      VoidDnsWriterModule.class,
       NonCachingWhoisModule.class
     })
 interface RegistryToolComponent {

core/src/main/java/google/registry/tools/UniformRapidSuspensionCommand.java

@@ -251,11 +251,12 @@ final class UniformRapidSuspensionCommand extends MutatingEppToolCommand {
     if (undo) {
       return "";
     }
-    StringBuilder undoBuilder = new StringBuilder("UNDO COMMAND:\n\n)")
-        .append("nomulus -e ")
-        .append(RegistryToolEnvironment.get())
-        .append(" uniform_rapid_suspension --undo --domain_name ")
-        .append(domainName);
+    StringBuilder undoBuilder =
+        new StringBuilder("UNDO COMMAND:\n\n")
+            .append("nomulus -e ")
+            .append(RegistryToolEnvironment.get())
+            .append(" uniform_rapid_suspension --undo --domain_name ")
+            .append(domainName);
     if (!existingNameservers.isEmpty()) {
       undoBuilder.append(" --hosts ").append(Joiner.on(',').join(existingNameservers));
     }

core/src/main/java/google/registry/ui/server/console/ConsoleDomainGetAction.java

@@ -55,7 +55,7 @@ public class ConsoleDomainGetAction extends ConsoleApiAction {
     Optional<Domain> possibleDomain =
         tm().transact(
                 () ->
-                    EppResourceUtils.loadByForeignKeyCached(
+                    EppResourceUtils.loadByForeignKeyByCacheIfEnabled(
                         Domain.class, paramDomain, tm().getTransactionTime()));
     if (possibleDomain.isEmpty()) {
       consoleApiParams.response().setStatus(SC_NOT_FOUND);

core/src/main/java/google/registry/ui/server/console/ConsoleDumDownloadAction.java

@@ -14,7 +14,6 @@
 
 package google.registry.ui.server.console;
 
-import static com.google.common.collect.ImmutableList.toImmutableList;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.GET;
 import static org.joda.time.DateTimeZone.UTC;
@@ -24,6 +23,7 @@ import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.ConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
@@ -34,7 +34,6 @@ import google.registry.util.Clock;
 import jakarta.inject.Inject;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.List;
 import org.apache.commons.csv.CSVFormat;
 import org.apache.commons.csv.CSVPrinter;
 import org.joda.time.DateTime;
@@ -100,27 +99,40 @@ public class ConsoleDumDownloadAction extends ConsoleApiAction {
       consoleApiParams.response().setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
       return;
     }
+    tm().transact(
+            () -> {
+              finishAndPersistConsoleUpdateHistory(
+                  new ConsoleUpdateHistory.Builder()
+                      .setType(ConsoleUpdateHistory.Type.DUM_DOWNLOAD)
+                      .setDescription(registrarId));
+            });
     consoleApiParams.response().setStatus(HttpServletResponse.SC_OK);
   }
 
   private void writeCsv(CSVPrinter printer) throws IOException {
     String sql = SQL_TEMPLATE.replaceAll(":now", clock.nowUtc().toString());
 
-    // We deliberately don't want to use ImmutableList.copyOf because underlying list may contain
-    // large amount of records and that will degrade performance.
-    List<String> queryResult =
-        tm().transact(
-                () ->
-                    tm().getEntityManager()
-                        .createNativeQuery(sql)
-                        .setParameter("registrarId", registrarId)
-                        .setHint("org.hibernate.fetchSize", 1000)
-                        .getResultList());
-
-    ImmutableList<String[]> formattedRecords =
-        queryResult.stream().map(r -> r.split(",")).collect(toImmutableList());
     printer.printRecord(
         ImmutableList.of("Domain Name", "Creation Time", "Expiration Time", "Domain Statuses"));
-    printer.printRecords(formattedRecords);
+
+    tm().transact(
+            () -> {
+              try (var resultStream =
+                  tm().getEntityManager()
+                      .createNativeQuery(sql, String.class)
+                      .setParameter("registrarId", registrarId)
+                      .setHint("org.hibernate.fetchSize", 1000)
+                      .getResultStream()) {
+
+                resultStream.forEach(
+                    row -> {
+                      try {
+                        printer.printRecord((Object[]) ((String) row).split(","));
+                      } catch (IOException e) {
+                        throw new RuntimeException(e);
+                      }
+                    });
+              }
+            });
   }
 }

core/src/main/java/google/registry/ui/server/console/ConsoleHistoryDataAction.java

@@ -0,0 +1,116 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.console;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.request.Action.Method.GET;
+import static jakarta.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
+import static jakarta.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.common.base.Strings;
+import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.ConsoleUpdateHistory;
+import google.registry.model.console.User;
+import google.registry.request.Action;
+import google.registry.request.Action.GaeService;
+import google.registry.request.Action.GkeService;
+import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
+import jakarta.inject.Inject;
+import java.util.List;
+import java.util.Optional;
+
+@Action(
+    service = GaeService.DEFAULT,
+    gkeService = GkeService.CONSOLE,
+    path = ConsoleHistoryDataAction.PATH,
+    method = {GET},
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
+public class ConsoleHistoryDataAction extends ConsoleApiAction {
+
+  private static final String SQL_USER_HISTORY =
+      """
+            SELECT * FROM "ConsoleUpdateHistory"
+            WHERE acting_user = :actingUser
+      """;
+
+  private static final String SQL_REGISTRAR_HISTORY =
+      """
+      SELECT *
+      FROM "ConsoleUpdateHistory"
+      WHERE SPLIT_PART(description, '|', 1) = :registrarId;
+      """;
+
+  public static final String PATH = "/console-api/history";
+
+  private final String registrarId;
+  private final Optional<String> consoleUserEmail;
+
+  @Inject
+  public ConsoleHistoryDataAction(
+      ConsoleApiParams consoleApiParams,
+      @Parameter("registrarId") String registrarId,
+      @Parameter("consoleUserEmail") Optional<String> consoleUserEmail) {
+    super(consoleApiParams);
+    this.registrarId = registrarId;
+    this.consoleUserEmail = consoleUserEmail;
+  }
+
+  @Override
+  protected void getHandler(User user) {
+    if (this.consoleUserEmail.isPresent()) {
+      this.historyByUser(user, this.consoleUserEmail.get());
+      return;
+    }
+
+    this.historyByRegistrarId(user, this.registrarId);
+  }
+
+  private void historyByUser(User user, String consoleUserEmail) {
+    if (!user.getUserRoles().hasGlobalPermission(ConsolePermission.AUDIT_ACTIVITY_BY_USER)) {
+      setFailedResponse(
+          "User doesn't have a permission to check audit activity by user", SC_BAD_REQUEST);
+      return;
+    }
+
+    List<ConsoleUpdateHistory> queryResult =
+        tm().transact(
+                () ->
+                    tm().getEntityManager()
+                        .createNativeQuery(SQL_USER_HISTORY, ConsoleUpdateHistory.class)
+                        .setParameter("actingUser", consoleUserEmail)
+                        .setHint("org.hibernate.fetchSize", 1000)
+                        .getResultList());
+
+    consoleApiParams.response().setPayload(consoleApiParams.gson().toJson(queryResult));
+    consoleApiParams.response().setStatus(SC_OK);
+  }
+
+  private void historyByRegistrarId(User user, String registrarId) {
+    checkArgument(!Strings.isNullOrEmpty(registrarId), "Empty registrarId param");
+    checkPermission(user, registrarId, ConsolePermission.AUDIT_ACTIVITY_BY_REGISTRAR);
+    List<ConsoleUpdateHistory> queryResult =
+        tm().transact(
+                () ->
+                    tm().getEntityManager()
+                        .createNativeQuery(SQL_REGISTRAR_HISTORY, ConsoleUpdateHistory.class)
+                        .setParameter("registrarId", registrarId)
+                        .setHint("org.hibernate.fetchSize", 1000)
+                        .getResultList());
+    consoleApiParams.response().setPayload(consoleApiParams.gson().toJson(queryResult));
+    consoleApiParams.response().setStatus(SC_OK);
+  }
+}

core/src/main/java/google/registry/ui/server/console/ConsoleModule.java

@@ -19,7 +19,6 @@ import static google.registry.request.RequestParameters.extractOptionalIntParame
 import static google.registry.request.RequestParameters.extractOptionalParameter;
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 
-import com.google.common.collect.ImmutableSet;
 import com.google.gson.Gson;
 import com.google.gson.JsonElement;
 import dagger.Module;
@@ -37,6 +36,7 @@ import google.registry.ui.server.console.ConsoleEppPasswordAction.EppPasswordDat
 import google.registry.ui.server.console.ConsoleOteAction.OteCreateData;
 import google.registry.ui.server.console.ConsoleRegistryLockAction.ConsoleRegistryLockPostInput;
 import google.registry.ui.server.console.ConsoleUsersAction.UserData;
+import google.registry.ui.server.console.PasswordResetRequestAction.PasswordResetRequestData;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Optional;
 import org.joda.time.DateTime;
@@ -192,10 +192,10 @@ public final class ConsoleModule {
   }
 
   @Provides
-  @Parameter("contacts")
-  public static Optional<ImmutableSet<RegistrarPoc>> provideContacts(
+  @Parameter("contact")
+  public static Optional<RegistrarPoc> provideContacts(
       Gson gson, @OptionalJsonPayload Optional<JsonElement> payload) {
-    return payload.map(s -> ImmutableSet.copyOf(gson.fromJson(s, RegistrarPoc[].class)));
+    return payload.map(s -> gson.fromJson(s, RegistrarPoc.class));
   }
 
   @Provides
@@ -247,6 +247,12 @@ public final class ConsoleModule {
     return extractRequiredParameter(req, "bulkDomainAction");
   }
 
+  @Provides
+  @Parameter("resetRequestVerificationCode")
+  public static String provideResetRequestVerificationCode(HttpServletRequest req) {
+    return extractRequiredParameter(req, "resetRequestVerificationCode");
+  }
+
   @Provides
   @Parameter("eppPasswordChangeRequest")
   public static Optional<EppPasswordData> provideEppPasswordChangeRequest(
@@ -274,4 +280,21 @@ public final class ConsoleModule {
       Gson gson, @OptionalJsonPayload Optional<JsonElement> payload) {
     return payload.map(e -> gson.fromJson(e, ConsoleRegistryLockPostInput.class));
   }
+
+  @Provides
+  @Parameter("passwordResetRequestData")
+  public static PasswordResetRequestData providePasswordResetRequestData(
+      Gson gson, @OptionalJsonPayload Optional<JsonElement> payload) {
+    return payload
+        .map(e -> gson.fromJson(e, PasswordResetRequestData.class))
+        .orElseThrow(
+            () -> new IllegalArgumentException("Must provide password request reset data"));
+  }
+
+  @Provides
+  @Parameter("newPassword")
+  public static Optional<String> provideNewPassword(
+      Gson gson, @OptionalJsonPayload Optional<JsonElement> payload) {
+    return payload.map(e -> gson.fromJson(e, String.class));
+  }
 }

core/src/main/java/google/registry/ui/server/console/ConsoleRegistryLockVerifyAction.java

@@ -14,10 +14,12 @@
 
 package google.registry.ui.server.console;
 
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.GET;
 
 import com.google.common.base.Ascii;
 import com.google.gson.annotations.Expose;
+import google.registry.model.console.ConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.domain.RegistryLock;
 import google.registry.request.Action;
@@ -64,6 +66,21 @@ public class ConsoleRegistryLockVerifyAction extends ConsoleApiAction {
     RegistryLockVerificationResponse lockResponse =
         new RegistryLockVerificationResponse(
             Ascii.toLowerCase(action.toString()), lock.getDomainName(), lock.getRegistrarId());
+    tm().transact(
+            () -> {
+              finishAndPersistConsoleUpdateHistory(
+                  new ConsoleUpdateHistory.Builder()
+                      .setType(
+                          action == RegistryLockAction.LOCKED
+                              ? ConsoleUpdateHistory.Type.REGISTRY_LOCK
+                              : ConsoleUpdateHistory.Type.REGISTRY_UNLOCK)
+                      .setDescription(
+                          String.format(
+                              "%s%s%s",
+                              lock.getRegistrarId(),
+                              ConsoleUpdateHistory.DESCRIPTION_SEPARATOR,
+                              lockResponse)));
+            });
     consoleApiParams.response().setPayload(consoleApiParams.gson().toJson(lockResponse));
     consoleApiParams.response().setStatus(HttpServletResponse.SC_OK);
   }

core/src/main/java/google/registry/ui/server/console/ConsoleUpdateRegistrarAction.java

@@ -17,6 +17,7 @@ package google.registry.ui.server.console;
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.POST;
+import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static google.registry.util.PreconditionsUtils.checkArgumentPresent;
 import static org.apache.http.HttpStatus.SC_OK;
 
@@ -37,6 +38,7 @@ import google.registry.util.RegistryEnvironment;
 import jakarta.inject.Inject;
 import java.util.Optional;
 import java.util.stream.Collectors;
+import org.joda.time.DateTime;
 
 @Action(
     service = GaeService.DEFAULT,
@@ -88,17 +90,35 @@ public class ConsoleUpdateRegistrarAction extends ConsoleApiAction {
                 }
               }
 
-              Registrar updatedRegistrar =
+              DateTime now = tm().getTransactionTime();
+              DateTime newLastPocVerificationDate =
+                  registrarParam.getLastPocVerificationDate() == null
+                      ? START_OF_TIME
+                      : registrarParam.getLastPocVerificationDate();
+
+              checkArgument(
+                  newLastPocVerificationDate.isBefore(now),
+                  "Invalid value of LastPocVerificationDate - value is in the future");
+
+              var updatedRegistrarBuilder =
                   existingRegistrar
                       .get()
                       .asBuilder()
-                      .setAllowedTlds(
-                          registrarParam.getAllowedTlds().stream()
-                              .map(DomainNameUtils::canonicalizeHostname)
-                              .collect(Collectors.toSet()))
-                      .setRegistryLockAllowed(registrarParam.isRegistryLockAllowed())
-                      .build();
+                      .setLastPocVerificationDate(newLastPocVerificationDate);
 
+              if (user.getUserRoles()
+                  .hasGlobalPermission(ConsolePermission.EDIT_REGISTRAR_DETAILS)) {
+                updatedRegistrarBuilder =
+                    updatedRegistrarBuilder
+                        .setAllowedTlds(
+                            registrarParam.getAllowedTlds().stream()
+                                .map(DomainNameUtils::canonicalizeHostname)
+                                .collect(Collectors.toSet()))
+                        .setRegistryLockAllowed(registrarParam.isRegistryLockAllowed())
+                        .setLastPocVerificationDate(newLastPocVerificationDate);
+              }
+
+              var updatedRegistrar = updatedRegistrarBuilder.build();
               tm().put(updatedRegistrar);
               finishAndPersistConsoleUpdateHistory(
                   new ConsoleUpdateHistory.Builder()

core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java

@@ -35,6 +35,7 @@ import com.google.common.collect.ImmutableSet;
 import com.google.gson.annotations.Expose;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.ConsoleUpdateHistory;
 import google.registry.model.console.RegistrarRole;
 import google.registry.model.console.User;
 import google.registry.model.console.UserRoles;
@@ -118,6 +119,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
                 u ->
                     new UserData(
                         u.getEmailAddress(),
+                        u.getRegistryLockEmailAddress().orElse(null),
                         u.getUserRoles().getRegistrarRoles().get(registrarId).toString(),
                         null))
             .collect(Collectors.toList());
@@ -177,6 +179,12 @@ public class ConsoleUsersAction extends ConsoleApiAction {
       tm().delete(key);
       User.revokeIapPermission(email, maybeGroupEmailAddress, cloudTasksUtils, null, iamClient);
       sendConfirmationEmail(registrarId, email, "Deleted user");
+      finishAndPersistConsoleUpdateHistory(
+          new ConsoleUpdateHistory.Builder()
+              .setType(ConsoleUpdateHistory.Type.USER_DELETE)
+              .setDescription(
+                  String.format(
+                      "%s%s%s", registrarId, ConsoleUpdateHistory.DESCRIPTION_SEPARATOR, email)));
     }
 
     consoleApiParams.response().setStatus(SC_OK);
@@ -230,7 +238,15 @@ public class ConsoleUsersAction extends ConsoleApiAction {
         .setPayload(
             consoleApiParams
                 .gson()
-                .toJson(new UserData(newEmail, ACCOUNT_MANAGER.toString(), newUser.getPassword())));
+                .toJson(
+                    new UserData(
+                        newEmail, null, ACCOUNT_MANAGER.toString(), newUser.getPassword())));
+    finishAndPersistConsoleUpdateHistory(
+        new ConsoleUpdateHistory.Builder()
+            .setType(ConsoleUpdateHistory.Type.USER_CREATE)
+            .setDescription(
+                String.format(
+                    "%s%s%s", registrarId, ConsoleUpdateHistory.DESCRIPTION_SEPARATOR, newEmail)));
   }
 
   private void runUpdateInTransaction() {
@@ -245,6 +261,15 @@ public class ConsoleUsersAction extends ConsoleApiAction {
 
     sendConfirmationEmail(registrarId, this.userData.get().emailAddress, "Updated user");
     consoleApiParams.response().setStatus(SC_OK);
+    finishAndPersistConsoleUpdateHistory(
+        new ConsoleUpdateHistory.Builder()
+            .setType(ConsoleUpdateHistory.Type.USER_UPDATE)
+            .setDescription(
+                String.format(
+                    "%s%s%s",
+                    registrarId,
+                    ConsoleUpdateHistory.DESCRIPTION_SEPARATOR,
+                    this.userData.get().emailAddress)));
   }
 
   private boolean isModifyingRequestValid() {
@@ -323,5 +348,8 @@ public class ConsoleUsersAction extends ConsoleApiAction {
   }
 
   public record UserData(
-      @Expose String emailAddress, @Expose String role, @Expose @Nullable String password) {}
+      @Expose String emailAddress,
+      @Expose String registryLockEmailAddress,
+      @Expose String role,
+      @Expose @Nullable String password) {}
 }

core/src/main/java/google/registry/ui/server/console/PasswordResetRequestAction.java

@@ -0,0 +1,150 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.console;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+
+import com.google.gson.annotations.Expose;
+import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.PasswordResetRequest;
+import google.registry.model.console.User;
+import google.registry.model.registrar.RegistrarPoc;
+import google.registry.persistence.transaction.QueryComposer;
+import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
+import google.registry.util.EmailMessage;
+import jakarta.inject.Inject;
+import jakarta.mail.internet.AddressException;
+import jakarta.mail.internet.InternetAddress;
+import jakarta.servlet.http.HttpServletResponse;
+import javax.annotation.Nullable;
+
+@Action(
+    service = Action.GaeService.DEFAULT,
+    gkeService = Action.GkeService.CONSOLE,
+    path = PasswordResetRequestAction.PATH,
+    method = Action.Method.POST,
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
+public class PasswordResetRequestAction extends ConsoleApiAction {
+
+  static final String PATH = "/console-api/password-reset-request";
+  static final String VERIFICATION_EMAIL_TEMPLATE =
+      """
+      Please click the link below to perform the requested password reset. Note: this\
+       code will expire in one hour.
+
+      %s\
+      """;
+
+  private final PasswordResetRequestData passwordResetRequestData;
+
+  @Inject
+  public PasswordResetRequestAction(
+      ConsoleApiParams consoleApiParams,
+      @Parameter("passwordResetRequestData") PasswordResetRequestData passwordResetRequestData) {
+    super(consoleApiParams);
+    this.passwordResetRequestData = passwordResetRequestData;
+  }
+
+  @Override
+  protected void postHandler(User user) {
+    // Temporary flag when testing email sending etc
+    if (!user.getUserRoles().isAdmin()) {
+      setFailedResponse("", HttpServletResponse.SC_FORBIDDEN);
+    }
+    tm().transact(() -> performRequest(user));
+    consoleApiParams.response().setStatus(HttpServletResponse.SC_OK);
+  }
+
+  private void performRequest(User user) {
+    checkArgument(passwordResetRequestData.type != null, "Type cannot be null");
+    checkArgument(passwordResetRequestData.registrarId != null, "Registrar ID cannot be null");
+    PasswordResetRequest.Type type = passwordResetRequestData.type;
+    String registrarId = passwordResetRequestData.registrarId;
+
+    ConsolePermission requiredPermission;
+    String destinationEmail;
+    String emailSubject;
+    switch (type) {
+      case EPP:
+        requiredPermission = ConsolePermission.EDIT_REGISTRAR_DETAILS;
+        destinationEmail = getAdminPocEmail(registrarId);
+        emailSubject = "EPP password reset request";
+        break;
+      case REGISTRY_LOCK:
+        checkArgument(
+            passwordResetRequestData.registryLockEmail != null,
+            "Must provide registry lock email to reset");
+        requiredPermission = ConsolePermission.MANAGE_USERS;
+        destinationEmail = passwordResetRequestData.registryLockEmail;
+        checkUserExistsWithRegistryLockEmail(destinationEmail);
+        emailSubject = "Registry lock password reset request";
+        break;
+      default:
+        throw new IllegalArgumentException("Unknown type " + type);
+    }
+
+    checkPermission(user, registrarId, requiredPermission);
+
+    InternetAddress destinationAddress;
+    try {
+      destinationAddress = new InternetAddress(destinationEmail);
+    } catch (AddressException e) {
+      // Shouldn't happen
+      throw new RuntimeException(e);
+    }
+
+    PasswordResetRequest resetRequest =
+        new PasswordResetRequest.Builder()
+            .setRequester(user.getEmailAddress())
+            .setRegistrarId(registrarId)
+            .setType(type)
+            .setDestinationEmail(destinationEmail)
+            .build();
+    tm().put(resetRequest);
+    String verificationUrl =
+        String.format(
+            "https://%s/console/#/password-reset-verify?resetRequestVerificationCode=%s",
+            consoleApiParams.request().getServerName(), resetRequest.getVerificationCode());
+    String body = String.format(VERIFICATION_EMAIL_TEMPLATE, verificationUrl);
+    consoleApiParams
+        .sendEmailUtils()
+        .gmailClient
+        .sendEmail(EmailMessage.create(emailSubject, body, destinationAddress));
+  }
+
+  static User checkUserExistsWithRegistryLockEmail(String destinationEmail) {
+    return tm().createQueryComposer(User.class)
+        .where("registryLockEmailAddress", QueryComposer.Comparator.EQ, destinationEmail)
+        .first()
+        .orElseThrow(
+            () -> new IllegalArgumentException("Unknown user with lock email " + destinationEmail));
+  }
+
+  private String getAdminPocEmail(String registrarId) {
+    return RegistrarPoc.loadForRegistrar(registrarId).stream()
+        .filter(poc -> poc.getTypes().contains(RegistrarPoc.Type.ADMIN))
+        .map(RegistrarPoc::getEmailAddress)
+        .findAny()
+        .orElseThrow(() -> new IllegalStateException("No admin contacts found for " + registrarId));
+  }
+
+  public record PasswordResetRequestData(
+      @Expose PasswordResetRequest.Type type,
+      @Expose String registrarId,
+      @Expose @Nullable String registryLockEmail) {}
+}

core/src/main/java/google/registry/ui/server/console/PasswordResetVerifyAction.java

@@ -0,0 +1,131 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.ui.server.console;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.request.Action.Method.GET;
+import static google.registry.request.Action.Method.POST;
+import static google.registry.ui.server.console.PasswordResetRequestAction.checkUserExistsWithRegistryLockEmail;
+
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableMap;
+import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.PasswordResetRequest;
+import google.registry.model.console.User;
+import google.registry.model.registrar.Registrar;
+import google.registry.persistence.VKey;
+import google.registry.request.Action;
+import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
+import jakarta.inject.Inject;
+import jakarta.servlet.http.HttpServletResponse;
+import java.util.Optional;
+import org.joda.time.Duration;
+
+@Action(
+    service = Action.GaeService.DEFAULT,
+    gkeService = Action.GkeService.CONSOLE,
+    path = PasswordResetVerifyAction.PATH,
+    method = {GET, POST},
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
+public class PasswordResetVerifyAction extends ConsoleApiAction {
+
+  static final String PATH = "/console-api/password-reset-verify";
+
+  private final String verificationCode;
+  private final Optional<String> newPassword;
+
+  @Inject
+  public PasswordResetVerifyAction(
+      ConsoleApiParams consoleApiParams,
+      @Parameter("resetRequestVerificationCode") String verificationCode,
+      @Parameter("newPassword") Optional<String> newPassword) {
+    super(consoleApiParams);
+    this.verificationCode = verificationCode;
+    this.newPassword = newPassword;
+  }
+
+  @Override
+  protected void getHandler(User user) {
+    // Temporary flag when testing email sending etc
+    if (!user.getUserRoles().isAdmin()) {
+      setFailedResponse("", HttpServletResponse.SC_FORBIDDEN);
+    }
+    PasswordResetRequest request = tm().transact(() -> loadAndValidateResetRequest(user));
+    ImmutableMap<String, ?> result =
+        ImmutableMap.of("type", request.getType(), "registrarId", request.getRegistrarId());
+    consoleApiParams.response().setPayload(consoleApiParams.gson().toJson(result));
+    consoleApiParams.response().setStatus(HttpServletResponse.SC_OK);
+  }
+
+  @Override
+  protected void postHandler(User user) {
+    // Temporary flag when testing email sending etc
+    if (!user.getUserRoles().isAdmin()) {
+      setFailedResponse("", HttpServletResponse.SC_FORBIDDEN);
+    }
+    checkArgument(!Strings.isNullOrEmpty(newPassword.orElse(null)), "Password must be provided");
+    tm().transact(
+            () -> {
+              PasswordResetRequest request = loadAndValidateResetRequest(user);
+              switch (request.getType()) {
+                case EPP -> handleEppPasswordReset(request);
+                case REGISTRY_LOCK -> handleRegistryLockPasswordReset(request);
+              }
+              tm().put(request.asBuilder().setFulfillmentTime(tm().getTransactionTime()).build());
+            });
+    consoleApiParams.response().setStatus(HttpServletResponse.SC_OK);
+  }
+
+  private void handleEppPasswordReset(PasswordResetRequest request) {
+    Registrar registrar = Registrar.loadByRegistrarId(request.getRegistrarId()).get();
+    tm().put(registrar.asBuilder().setPassword(newPassword.get()).build());
+  }
+
+  private void handleRegistryLockPasswordReset(PasswordResetRequest request) {
+    User affectedUser = checkUserExistsWithRegistryLockEmail(request.getDestinationEmail());
+    tm().put(
+            affectedUser
+                .asBuilder()
+                .removeRegistryLockPassword()
+                .setRegistryLockPassword(newPassword.get())
+                .build());
+  }
+
+  private PasswordResetRequest loadAndValidateResetRequest(User user) {
+    PasswordResetRequest request =
+        tm().loadByKeyIfPresent(VKey.create(PasswordResetRequest.class, verificationCode))
+            .orElseThrow(this::createVerificationCodeException);
+    ConsolePermission requiredVerifyPermission =
+        switch (request.getType()) {
+          case EPP -> ConsolePermission.MANAGE_USERS;
+          case REGISTRY_LOCK -> ConsolePermission.REGISTRY_LOCK;
+        };
+    checkPermission(user, request.getRegistrarId(), requiredVerifyPermission);
+    if (request
+        .getRequestTime()
+        .plus(Duration.standardHours(1))
+        .isBefore(tm().getTransactionTime())) {
+      throw createVerificationCodeException();
+    }
+    return request;
+  }
+
+  private IllegalArgumentException createVerificationCodeException() {
+    return new IllegalArgumentException(
+        "Unknown, invalid, or expired verification code " + verificationCode);
+  }
+}

core/src/main/java/google/registry/ui/server/console/settings/ContactAction.java

@@ -15,12 +15,13 @@
 package google.registry.ui.server.console.settings;
 
 import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Sets.difference;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
+import static google.registry.request.Action.Method.DELETE;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.POST;
+import static google.registry.request.Action.Method.PUT;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 
 import com.google.common.collect.HashMultimap;
@@ -29,70 +30,131 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Multimap;
 import com.google.common.flogger.FluentLogger;
 import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.ConsoleUpdateHistory;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.model.registrar.RegistrarPoc.Type;
-import google.registry.persistence.transaction.QueryComposer.Comparator;
 import google.registry.request.Action;
 import google.registry.request.Action.GaeService;
 import google.registry.request.Action.GkeService;
 import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.ui.forms.FormException;
-import google.registry.ui.server.RegistrarFormFields;
 import google.registry.ui.server.console.ConsoleApiAction;
 import google.registry.ui.server.console.ConsoleApiParams;
 import jakarta.inject.Inject;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
+import java.util.function.BiFunction;
 
 @Action(
     service = GaeService.DEFAULT,
     gkeService = GkeService.CONSOLE,
     path = ContactAction.PATH,
-    method = {GET, POST},
+    method = {GET, POST, DELETE, PUT},
     auth = Auth.AUTH_PUBLIC_LOGGED_IN)
 public class ContactAction extends ConsoleApiAction {
   static final String PATH = "/console-api/settings/contacts";
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
-  private final Optional<ImmutableSet<RegistrarPoc>> contacts;
+  private final Optional<RegistrarPoc> contact;
   private final String registrarId;
 
   @Inject
   public ContactAction(
       ConsoleApiParams consoleApiParams,
       @Parameter("registrarId") String registrarId,
-      @Parameter("contacts") Optional<ImmutableSet<RegistrarPoc>> contacts) {
+      @Parameter("contact") Optional<RegistrarPoc> contact) {
     super(consoleApiParams);
     this.registrarId = registrarId;
-    this.contacts = contacts;
+    this.contact = contact;
   }
 
   @Override
   protected void getHandler(User user) {
     checkPermission(user, registrarId, ConsolePermission.VIEW_REGISTRAR_DETAILS);
-    ImmutableList<RegistrarPoc> am =
-        tm().transact(
-                () ->
-                    tm()
-                        .createQueryComposer(RegistrarPoc.class)
-                        .where("registrarId", Comparator.EQ, registrarId)
-                        .stream()
-                        .filter(r -> !r.getTypes().isEmpty())
-                        .collect(toImmutableList()));
-
+    ImmutableList<RegistrarPoc> contacts =
+        tm().transact(() -> RegistrarPoc.loadForRegistrar(registrarId));
     consoleApiParams.response().setStatus(SC_OK);
-    consoleApiParams.response().setPayload(consoleApiParams.gson().toJson(am));
+    consoleApiParams.response().setPayload(consoleApiParams.gson().toJson(contacts));
+  }
+
+  @Override
+  protected void deleteHandler(User user) {
+    updateContacts(
+        user,
+        "Deleted " + contact.get().getEmailAddress(),
+        (registrar, oldContacts) ->
+            oldContacts.stream()
+                .filter(
+                    oldContact ->
+                        !oldContact.getEmailAddress().equals(contact.get().getEmailAddress()))
+                .collect(toImmutableSet()));
   }
 
   @Override
   protected void postHandler(User user) {
+    updateContacts(
+        user,
+        "Created " + contact.get().getEmailAddress(),
+        (registrar, oldContacts) -> {
+          RegistrarPoc newContact = contact.get();
+          return ImmutableSet.<RegistrarPoc>builder()
+              .addAll(oldContacts)
+              .add(
+                  new RegistrarPoc()
+                      .asBuilder()
+                      .setTypes(newContact.getTypes())
+                      .setVisibleInWhoisAsTech(newContact.getVisibleInWhoisAsTech())
+                      .setVisibleInWhoisAsAdmin(newContact.getVisibleInWhoisAsAdmin())
+                      .setVisibleInDomainWhoisAsAbuse(newContact.getVisibleInDomainWhoisAsAbuse())
+                      .setFaxNumber(newContact.getFaxNumber())
+                      .setName(newContact.getName())
+                      .setEmailAddress(newContact.getEmailAddress())
+                      .setPhoneNumber(newContact.getPhoneNumber())
+                      .setRegistrar(registrar)
+                      .build())
+              .build();
+        });
+  }
+
+  @Override
+  protected void putHandler(User user) {
+    updateContacts(
+        user,
+        "Updated " + contact.get().getEmailAddress(),
+        (registrar, oldContacts) -> {
+          RegistrarPoc updatedContact = contact.get();
+          return oldContacts.stream()
+              .map(
+                  oldContact ->
+                      oldContact.getId().equals(updatedContact.getId())
+                          ? oldContact
+                              .asBuilder()
+                              .setTypes(updatedContact.getTypes())
+                              .setVisibleInWhoisAsTech(updatedContact.getVisibleInWhoisAsTech())
+                              .setVisibleInWhoisAsAdmin(updatedContact.getVisibleInWhoisAsAdmin())
+                              .setVisibleInDomainWhoisAsAbuse(
+                                  updatedContact.getVisibleInDomainWhoisAsAbuse())
+                              .setFaxNumber(updatedContact.getFaxNumber())
+                              .setName(updatedContact.getName())
+                              .setEmailAddress(updatedContact.getEmailAddress())
+                              .setPhoneNumber(updatedContact.getPhoneNumber())
+                              .build()
+                          : oldContact)
+              .collect(toImmutableSet());
+        });
+  }
+
+  private void updateContacts(
+      User user,
+      String historyDescription,
+      BiFunction<Registrar, ImmutableSet<RegistrarPoc>, ImmutableSet<RegistrarPoc>>
+          contactsUpdater) {
     checkPermission(user, registrarId, ConsolePermission.EDIT_REGISTRAR_DETAILS);
-    checkArgument(contacts.isPresent(), "Contacts parameter is not present");
+    checkArgument(contact.isPresent(), "Contact parameter is not present");
     Registrar registrar =
         Registrar.loadByRegistrarId(registrarId)
             .orElseThrow(
@@ -101,20 +163,10 @@ public class ContactAction extends ConsoleApiAction {
                         String.format("Unknown registrar %s", registrarId)));
 
     ImmutableSet<RegistrarPoc> oldContacts = registrar.getContacts();
-    ImmutableSet<RegistrarPoc> updatedContacts =
-        RegistrarFormFields.getRegistrarContactBuilders(
-                oldContacts,
-                Collections.singletonMap(
-                    "contacts",
-                    contacts.get().stream()
-                        .map(RegistrarPoc::toJsonMap)
-                        .collect(toImmutableList())))
-            .stream()
-            .map(builder -> builder.setRegistrar(registrar).build())
-            .collect(toImmutableSet());
+    ImmutableSet<RegistrarPoc> newContacts = contactsUpdater.apply(registrar, oldContacts);
 
     try {
-      checkContactRequirements(oldContacts, updatedContacts);
+      checkContactRequirements(oldContacts, newContacts);
     } catch (FormException e) {
       logger.atWarning().withCause(e).log(
           "Error processing contacts post request for registrar: %s", registrarId);
@@ -123,14 +175,22 @@ public class ContactAction extends ConsoleApiAction {
 
     tm().transact(
             () -> {
-              RegistrarPoc.updateContacts(registrar, updatedContacts);
+              RegistrarPoc.updateContacts(registrar, newContacts);
               Registrar updatedRegistrar =
                   registrar.asBuilder().setContactsRequireSyncing(true).build();
               tm().put(updatedRegistrar);
               sendExternalUpdatesIfNecessary(
-                  EmailInfo.create(registrar, updatedRegistrar, oldContacts, updatedContacts));
+                  EmailInfo.create(registrar, updatedRegistrar, oldContacts, newContacts));
+              finishAndPersistConsoleUpdateHistory(
+                  new ConsoleUpdateHistory.Builder()
+                      .setType(ConsoleUpdateHistory.Type.REGISTRAR_CONTACTS_UPDATE)
+                      .setDescription(
+                          String.format(
+                              "%s%s%s",
+                              registrarId,
+                              ConsoleUpdateHistory.DESCRIPTION_SEPARATOR,
+                              historyDescription)));
             });
-
     consoleApiParams.response().setStatus(SC_OK);
   }
 
@@ -169,6 +229,8 @@ public class ContactAction extends ConsoleApiAction {
         throw new ContactRequirementException(t);
       }
     }
+
+    enforcePrimaryContactRestrictions(oldContactsByType, newContactsByType);
     ensurePhoneNumberNotRemovedForContactTypes(oldContactsByType, newContactsByType, Type.TECH);
     Optional<RegistrarPoc> domainWhoisAbuseContact =
         getDomainWhoisVisibleAbuseContact(updatedContacts);
@@ -187,6 +249,23 @@ public class ContactAction extends ConsoleApiAction {
     checkContactRegistryLockRequirements(existingContacts, updatedContacts);
   }
 
+  private static void enforcePrimaryContactRestrictions(
+      Multimap<Type, RegistrarPoc> oldContactsByType,
+      Multimap<Type, RegistrarPoc> newContactsByType) {
+    ImmutableSet<String> oldAdminEmails =
+        oldContactsByType.get(Type.ADMIN).stream()
+            .map(RegistrarPoc::getEmailAddress)
+            .collect(toImmutableSet());
+    ImmutableSet<String> newAdminEmails =
+        newContactsByType.get(Type.ADMIN).stream()
+            .map(RegistrarPoc::getEmailAddress)
+            .collect(toImmutableSet());
+    if (!newAdminEmails.containsAll(oldAdminEmails)) {
+      throw new ContactRequirementException(
+          "Cannot remove or change the email address of primary contacts");
+    }
+  }
+
   private static void checkContactRegistryLockRequirements(
       ImmutableSet<RegistrarPoc> existingContacts, ImmutableSet<RegistrarPoc> updatedContacts) {
     // Any contact(s) with new passwords must be allowed to set them

core/src/main/java/google/registry/ui/server/console/settings/RdapRegistrarFieldsAction.java

@@ -35,6 +35,7 @@ import google.registry.ui.server.console.ConsoleApiAction;
 import google.registry.ui.server.console.ConsoleApiParams;
 import jakarta.inject.Inject;
 import java.util.Optional;
+import java.util.StringJoiner;
 
 /**
  * Console action for editing fields on a registrar that are visible in WHOIS/RDAP.
@@ -82,19 +83,37 @@ public class RdapRegistrarFieldsAction extends ConsoleApiAction {
       return;
     }
 
-    Registrar newRegistrar =
-        savedRegistrar
-            .asBuilder()
-            .setLocalizedAddress(providedRegistrar.getLocalizedAddress())
-            .setPhoneNumber(providedRegistrar.getPhoneNumber())
-            .setFaxNumber(providedRegistrar.getFaxNumber())
-            .setEmailAddress(providedRegistrar.getEmailAddress())
-            .build();
+    StringJoiner updates = new StringJoiner(",");
+
+    var newRegistrarBuilder = savedRegistrar.asBuilder();
+
+    if (!providedRegistrar.getLocalizedAddress().equals(savedRegistrar.getLocalizedAddress())) {
+      newRegistrarBuilder.setLocalizedAddress(providedRegistrar.getLocalizedAddress());
+      updates.add("ADDRESS");
+    }
+    if (!providedRegistrar.getPhoneNumber().equals(savedRegistrar.getPhoneNumber())) {
+      newRegistrarBuilder.setPhoneNumber(providedRegistrar.getPhoneNumber());
+      updates.add("PHONE");
+    }
+    if (!providedRegistrar.getFaxNumber().equals(savedRegistrar.getPhoneNumber())) {
+      newRegistrarBuilder.setFaxNumber(providedRegistrar.getFaxNumber());
+      updates.add("FAX");
+    }
+    if (!providedRegistrar.getEmailAddress().equals(savedRegistrar.getEmailAddress())) {
+      newRegistrarBuilder.setEmailAddress(providedRegistrar.getEmailAddress());
+      updates.add("EMAIL");
+    }
+    var newRegistrar = newRegistrarBuilder.build();
     tm().put(newRegistrar);
     finishAndPersistConsoleUpdateHistory(
         new ConsoleUpdateHistory.Builder()
             .setType(ConsoleUpdateHistory.Type.REGISTRAR_UPDATE)
-            .setDescription(newRegistrar.getRegistrarId()));
+            .setDescription(
+                String.format(
+                    "%s%s%s",
+                    newRegistrar.getRegistrarId(),
+                    ConsoleUpdateHistory.DESCRIPTION_SEPARATOR,
+                    updates)));
     sendExternalUpdatesIfNecessary(
         EmailInfo.create(
             savedRegistrar,

core/src/main/java/google/registry/ui/server/console/settings/SecurityAction.java

@@ -39,6 +39,7 @@ import google.registry.ui.server.console.ConsoleApiAction;
 import google.registry.ui.server.console.ConsoleApiParams;
 import jakarta.inject.Inject;
 import java.util.Optional;
+import java.util.StringJoiner;
 
 @Action(
     service = GaeService.DEFAULT,
@@ -86,10 +87,15 @@ public class SecurityAction extends ConsoleApiAction {
 
   private void setResponse(Registrar savedRegistrar) {
     Registrar registrarParameter = registrar.get();
-    Registrar.Builder updatedRegistrarBuilder =
-        savedRegistrar
-            .asBuilder()
-            .setIpAddressAllowList(registrarParameter.getIpAddressAllowList());
+    Registrar.Builder updatedRegistrarBuilder = savedRegistrar.asBuilder();
+    StringJoiner updates = new StringJoiner(",");
+
+    if (!savedRegistrar
+        .getIpAddressAllowList()
+        .equals(registrarParameter.getIpAddressAllowList())) {
+      updatedRegistrarBuilder.setIpAddressAllowList(registrarParameter.getIpAddressAllowList());
+      updates.add("IP_CHANGE");
+    }
 
     try {
       if (!savedRegistrar
@@ -99,6 +105,7 @@ public class SecurityAction extends ConsoleApiAction {
           String newClientCert = registrarParameter.getClientCertificate().get();
           certificateChecker.validateCertificate(newClientCert);
           updatedRegistrarBuilder.setClientCertificate(newClientCert, tm().getTransactionTime());
+          updates.add("PRIMARY_SSL_CERT_CHANGE");
         }
       }
       if (!savedRegistrar
@@ -109,6 +116,7 @@ public class SecurityAction extends ConsoleApiAction {
           certificateChecker.validateCertificate(newFailoverCert);
           updatedRegistrarBuilder.setFailoverClientCertificate(
               newFailoverCert, tm().getTransactionTime());
+          updates.add("FAILOVER_SSL_CERT_CHANGE");
         }
       }
     } catch (InsecureCertificateException e) {
@@ -121,7 +129,9 @@ public class SecurityAction extends ConsoleApiAction {
     finishAndPersistConsoleUpdateHistory(
         new ConsoleUpdateHistory.Builder()
             .setType(ConsoleUpdateHistory.Type.REGISTRAR_SECURITY_UPDATE)
-            .setDescription(registrarId));
+            .setDescription(
+                String.format(
+                    "%s%s%s", registrarId, ConsoleUpdateHistory.DESCRIPTION_SEPARATOR, updates)));
 
     sendExternalUpdatesIfNecessary(
         EmailInfo.create(savedRegistrar, updatedRegistrar, ImmutableSet.of(), ImmutableSet.of()));

core/src/main/java/google/registry/whois/DomainLookupCommand.java

@@ -17,7 +17,7 @@ package google.registry.whois;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.flows.domain.DomainFlowUtils.isBlockedByBsa;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.model.tld.Tlds.findTldForName;
 import static google.registry.model.tld.Tlds.getTlds;
 import static google.registry.persistence.transaction.TransactionManagerFactory.replicaTm;
@@ -94,7 +94,7 @@ public class DomainLookupCommand implements WhoisCommand {
   private Optional<WhoisResponse> getResponse(InternetDomainName domainName, DateTime now) {
     Optional<Domain> domainResource =
         cached
-            ? loadByForeignKeyCached(Domain.class, domainName.toString(), now)
+            ? loadByForeignKeyByCache(Domain.class, domainName.toString(), now)
             : loadByForeignKey(Domain.class, domainName.toString(), now);
     return domainResource.map(
         domain -> new DomainWhoisResponse(domain, fullOutput, whoisRedactedEmailText, now));

core/src/main/java/google/registry/whois/DomainWhoisResponse.java

@@ -81,7 +81,7 @@ final class DomainWhoisResponse extends WhoisResponseImpl {
         domain.getCurrentSponsorRegistrarId());
     Registrar registrar = registrarOptional.get();
     Optional<RegistrarPoc> abuseContact =
-        registrar.getContacts().stream()
+        registrar.getContactsFromReplica().stream()
             .filter(RegistrarPoc::getVisibleInDomainWhoisAsAbuse)
             .findFirst();
     return WhoisResponseResults.create(
@@ -154,7 +154,7 @@ final class DomainWhoisResponse extends WhoisResponseImpl {
       // If we refer to a contact that doesn't exist, that's a bug. It means referential integrity
       // has somehow been broken. We skip the rest of this contact, but log it to hopefully bring it
       // someone's attention.
-      Contact contact1 = EppResource.loadCached(contact.get());
+      Contact contact1 = EppResource.loadByCache(contact.get());
       if (contact1 == null) {
         logger.atSevere().log(
             "(BUG) Broken reference found from domain %s to contact %s.",

core/src/main/java/google/registry/whois/NameserverLookupByHostCommand.java

@@ -16,7 +16,7 @@ package google.registry.whois;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.model.EppResourceUtils.loadByForeignKey;
-import static google.registry.model.EppResourceUtils.loadByForeignKeyCached;
+import static google.registry.model.EppResourceUtils.loadByForeignKeyByCache;
 import static google.registry.model.tld.Tlds.findTldForName;
 import static google.registry.model.tld.Tlds.getTlds;
 import static jakarta.servlet.http.HttpServletResponse.SC_NOT_FOUND;
@@ -57,7 +57,7 @@ public class NameserverLookupByHostCommand implements WhoisCommand {
   private Optional<WhoisResponse> getResponse(InternetDomainName hostName, DateTime now) {
     Optional<Host> host =
         cached
-            ? loadByForeignKeyCached(Host.class, hostName.toString(), now)
+            ? loadByForeignKeyByCache(Host.class, hostName.toString(), now)
             : loadByForeignKey(Host.class, hostName.toString(), now);
     return host.map(h -> new NameserverWhoisResponse(h, now));
   }

core/src/main/java/google/registry/whois/RegistrarWhoisResponse.java

@@ -44,7 +44,7 @@ class RegistrarWhoisResponse extends WhoisResponseImpl {
 
   @Override
   public WhoisResponseResults getResponse(boolean preferUnicode, String disclaimer) {
-    Set<RegistrarPoc> contacts = registrar.getContacts();
+    Set<RegistrarPoc> contacts = registrar.getContactsFromReplica();
     String plaintext =
         new RegistrarEmitter()
             .emitField("Registrar", registrar.getRegistrarName())

core/src/main/resources/META-INF/persistence.xml

@@ -47,13 +47,14 @@
     <class>google.registry.model.billing.BillingRecurrence</class>
     <class>google.registry.model.common.Cursor</class>
     <class>google.registry.model.common.DnsRefreshRequest</class>
+    <class>google.registry.model.common.FeatureFlag</class>
     <class>google.registry.model.console.ConsoleUpdateHistory</class>
+    <class>google.registry.model.console.PasswordResetRequest</class>
     <class>google.registry.model.console.User</class>
     <class>google.registry.model.contact.ContactHistory</class>
     <class>google.registry.model.contact.Contact</class>
     <class>google.registry.model.domain.Domain</class>
     <class>google.registry.model.domain.DomainHistory</class>
-    <class>google.registry.model.common.FeatureFlag</class>
     <class>google.registry.model.domain.GracePeriod</class>
     <class>google.registry.model.domain.GracePeriod$GracePeriodHistory</class>
     <class>google.registry.model.domain.secdns.DomainDsData</class>

core/src/main/resources/google/registry/tools/soy/DomainCreate.soy

@@ -20,9 +20,9 @@
   {@param domain: string}
   {@param period: int}
   {@param nameservers: list<string>}
-  {@param registrant: string}
-  {@param admins: list<string>}
-  {@param techs: list<string>}
+  {@param? registrant: string|null}
+  {@param? admins: list<string>|null}
+  {@param? techs: list<string>|null}
   {@param password: string}
   {@param? currency: string|null}
   {@param? price: string|null}
@@ -45,13 +45,19 @@
               {/for}
             </domain:ns>
           {/if}
-          <domain:registrant>{$registrant}</domain:registrant>
-          {for $admin in $admins}
-            <domain:contact type="admin">{$admin}</domain:contact>
-          {/for}
-          {for $tech in $techs}
-            <domain:contact type="tech">{$tech}</domain:contact>
-          {/for}
+          {if $registrant != null}
+            <domain:registrant>{$registrant}</domain:registrant>
+          {/if}
+          {if $admins != null}
+            {for $admin in $admins}
+              <domain:contact type="admin">{$admin}</domain:contact>
+            {/for}
+          {/if}
+          {if $techs != null}
+            {for $tech in $techs}
+              <domain:contact type="tech">{$tech}</domain:contact>
+            {/for}
+          {/if}
           <domain:authInfo>
             <domain:pw>{$password}</domain:pw>
           </domain:authInfo>

core/src/test/java/google/registry/batch/DeleteProberDataActionTest.java

@@ -27,7 +27,6 @@ import static google.registry.testing.DatabaseHelper.persistActiveHost;
 import static google.registry.testing.DatabaseHelper.persistDeletedDomain;
 import static google.registry.testing.DatabaseHelper.persistDomainAsDeleted;
 import static google.registry.testing.DatabaseHelper.persistResource;
-import static google.registry.testing.DatabaseHelper.persistSimpleResource;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import static org.joda.time.DateTimeZone.UTC;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -287,7 +286,7 @@ class DeleteProberDataActionTest {
   private static Set<ImmutableObject> persistDomainAndDescendants(String fqdn) {
     Domain domain = persistDeletedDomain(fqdn, DELETION_TIME);
     DomainHistory historyEntry =
-        persistSimpleResource(
+        persistResource(
             new DomainHistory.Builder()
                 .setDomain(domain)
                 .setType(HistoryEntry.Type.DOMAIN_CREATE)
@@ -295,7 +294,7 @@ class DeleteProberDataActionTest {
                 .setModificationTime(DELETION_TIME.minusYears(3))
                 .build());
     BillingEvent billingEvent =
-        persistSimpleResource(
+        persistResource(
             new BillingEvent.Builder()
                 .setDomainHistory(historyEntry)
                 .setBillingTime(DELETION_TIME.plusYears(1))
@@ -307,7 +306,7 @@ class DeleteProberDataActionTest {
                 .setTargetId(fqdn)
                 .build());
     PollMessage.OneTime pollMessage =
-        persistSimpleResource(
+        persistResource(
             new PollMessage.OneTime.Builder()
                 .setHistoryEntry(historyEntry)
                 .setEventTime(DELETION_TIME)
@@ -315,7 +314,7 @@ class DeleteProberDataActionTest {
                 .setMsg("Domain registered")
                 .build());
     GracePeriod gracePeriod =
-        persistSimpleResource(
+        persistResource(
             GracePeriod.create(
                 ADD,
                 domain.getRepoId(),

core/src/test/java/google/registry/batch/SendExpiringCertificateNotificationEmailActionTest.java

@@ -18,7 +18,7 @@ import static com.google.common.truth.Truth.assertThat;
 import static google.registry.persistence.transaction.JpaTransactionManagerExtension.makeRegistrar1;
 import static google.registry.testing.DatabaseHelper.loadByEntity;
 import static google.registry.testing.DatabaseHelper.persistResource;
-import static google.registry.testing.DatabaseHelper.persistSimpleResources;
+import static google.registry.testing.DatabaseHelper.persistResources;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static org.apache.http.HttpStatus.SC_OK;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -62,7 +62,8 @@ class SendExpiringCertificateNotificationEmailActionTest {
        Kind update your account using the following steps:
         1. Navigate to support and login using your %4$s@registry.example credentials.
         2. Click Settings -> Privacy on the top left corner.
-        3. Click Edit and enter certificate string.  3. Click SaveRegards,Example Registry""";
+        3. Click Edit and enter certificate string.  3. Click SaveRegards,Example Registry\
+      """;
 
   private static final String EXPIRATION_WARNING_EMAIL_SUBJECT_TEXT = "Expiration Warning Email";
 
@@ -223,7 +224,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
                 .setVisibleInWhoisAsAdmin(true)
                 .setVisibleInWhoisAsTech(false)
                 .build());
-    persistSimpleResources(contacts);
+    persistResources(contacts);
     RuntimeException thrown =
         assertThrows(
             RuntimeException.class,
@@ -548,7 +549,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
                 .setTypes(ImmutableSet.of(RegistrarPoc.Type.ADMIN))
                 .setVisibleInWhoisAsTech(true)
                 .build());
-    persistSimpleResources(contacts);
+    persistResources(contacts);
     assertThat(action.getEmailAddresses(registrar, Type.TECH))
         .containsExactly(
             new InternetAddress("will@example-registrar.tld"),
@@ -700,7 +701,7 @@ class SendExpiringCertificateNotificationEmailActionTest {
   /** Returns persisted sample contacts with a customized contact email type. */
   private static ImmutableList<RegistrarPoc> persistSampleContacts(
       Registrar registrar, RegistrarPoc.Type emailType) {
-    return persistSimpleResources(
+    return persistResources(
         ImmutableList.of(
             new RegistrarPoc.Builder()
                 .setRegistrar(registrar)

core/src/test/java/google/registry/beam/billing/BillingEventTest.java

@@ -85,7 +85,7 @@ class BillingEventTest {
     assertThat(invoiceKey.startDate()).isEqualTo("2017-10-01");
     assertThat(invoiceKey.endDate()).isEqualTo("2022-09-30");
     assertThat(invoiceKey.productAccountKey()).isEqualTo("12345-CRRHELLO");
-    assertThat(invoiceKey.usageGroupingKey()).isEqualTo("myRegistrar");
+    assertThat(invoiceKey.usageGroupingKey()).isEqualTo("");
     assertThat(invoiceKey.description()).isEqualTo("RENEW | TLD: test | TERM: 5-year");
     assertThat(invoiceKey.unitPrice()).isEqualTo(20.5);
     assertThat(invoiceKey.unitPriceCurrency()).isEqualTo("USD");
@@ -106,7 +106,7 @@ class BillingEventTest {
     assertThat(invoiceKey.toCsv(3L))
         .isEqualTo(
             "2017-10-01,2022-09-30,12345-CRRHELLO,61.50,USD,10125,1,PURCHASE,"
-                + "myRegistrar,3,RENEW | TLD: test | TERM: 5-year,20.50,USD,");
+                + ",3,RENEW | TLD: test | TERM: 5-year,20.50,USD,");
   }
 
   @Test
@@ -116,7 +116,7 @@ class BillingEventTest {
     assertThat(invoiceKey.toCsv(3L))
         .isEqualTo(
             "2017-10-01,,12345-CRRHELLO,61.50,USD,10125,1,PURCHASE,"
-                + "myRegistrar,3,RENEW | TLD: test | TERM: 0-year,20.50,USD,");
+                + ",3,RENEW | TLD: test | TERM: 0-year,20.50,USD,");
   }
 
   @Test

core/src/test/java/google/registry/beam/billing/InvoicingPipelineTest.java

@@ -199,6 +199,36 @@ class InvoicingPipelineTest {
               0,
               "USD",
               20.0,
+              ""),
+          google.registry.beam.billing.BillingEvent.create(
+              15,
+              DateTime.parse("2017-10-02T00:00:00.0Z"),
+              DateTime.parse("2017-10-04T00:00:00.0Z"),
+              "theRegistrarCopy",
+              "234",
+              "",
+              "test",
+              "CREATE",
+              "mydomainfromanotherclient.test",
+              "REPO-ID",
+              5,
+              "JPY",
+              70.0,
+              ""),
+          google.registry.beam.billing.BillingEvent.create(
+              16,
+              DateTime.parse("2017-10-04T00:00:00Z"),
+              DateTime.parse("2017-10-04T00:00:00Z"),
+              "theRegistrarCopy",
+              "234",
+              "",
+              "test",
+              "RENEW",
+              "mydomain2fromanotherclient.test",
+              "REPO-ID",
+              3,
+              "USD",
+              20.5,
               ""));
 
   private static final ImmutableMap<String, ImmutableList<String>> EXPECTED_DETAILED_REPORT_MAP =
@@ -224,18 +254,26 @@ class InvoicingPipelineTest {
           "invoice_details_2017-10_anotherRegistrar_test.csv",
           ImmutableList.of(
               "5,2017-10-04 00:00:00 UTC,2017-10-04 00:00:00 UTC,anotherRegistrar,789,,"
-                  + "test,CREATE,mydomain5.test,REPO-ID,1,USD,0.00,SUNRISE ANCHOR_TENANT"));
+                  + "test,CREATE,mydomain5.test,REPO-ID,1,USD,0.00,SUNRISE ANCHOR_TENANT"),
+          "invoice_details_2017-10_theRegistrarCopy_test.csv",
+          ImmutableList.of(
+              "15,2017-10-02 00:00:00 UTC,2017-10-04 00:00:00"
+                  + " UTC,theRegistrarCopy,234,,test,CREATE,mydomainfromanotherclient.test,REPO-ID,5,JPY,70.00,",
+              "16,2017-10-04 00:00:00 UTC,2017-10-04 00:00:00"
+                  + " UTC,theRegistrarCopy,234,,test,RENEW,mydomain2fromanotherclient.test,REPO-ID,3,USD,20.50,"));
 
   private static final ImmutableList<String> EXPECTED_INVOICE_OUTPUT =
       ImmutableList.of(
-          "2017-10-01,2020-09-30,234,41.00,USD,10125,1,PURCHASE,theRegistrar,2,"
+          "2017-10-01,2020-09-30,234,61.50,USD,10125,1,PURCHASE,,3,"
               + "RENEW | TLD: test | TERM: 3-year,20.50,USD,",
-          "2017-10-01,2022-09-30,234,70.00,JPY,10125,1,PURCHASE,theRegistrar,1,"
+          "2017-10-01,2022-09-30,234,70.00,JPY,10125,1,PURCHASE,,1,"
               + "CREATE | TLD: hello | TERM: 5-year,70.00,JPY,",
-          "2017-10-01,,234,20.00,USD,10125,1,PURCHASE,theRegistrar,1,"
+          "2017-10-01,,234,20.00,USD,10125,1,PURCHASE,,1,"
               + "SERVER_STATUS | TLD: test | TERM: 0-year,20.00,USD,",
-          "2017-10-01,2018-09-30,456,20.50,USD,10125,1,PURCHASE,bestdomains,1,"
-              + "RENEW | TLD: test | TERM: 1-year,20.50,USD,116688");
+          "2017-10-01,2018-09-30,456,20.50,USD,10125,1,PURCHASE,,1,"
+              + "RENEW | TLD: test | TERM: 1-year,20.50,USD,116688",
+          "2017-10-01,2022-09-30,234,70.00,JPY,10125,1,PURCHASE,,1,CREATE | TLD: test | TERM:"
+              + " 5-year,70.00,JPY,");
 
   private final InvoicingPipelineOptions options =
       PipelineOptionsFactory.create().as(InvoicingPipelineOptions.class);
@@ -355,21 +393,21 @@ class InvoicingPipelineTest {
         .isEqualTo(
             """
 
-      SELECT b, r FROM BillingEvent b
-      JOIN Registrar r ON b.clientId = r.registrarId
-      JOIN Domain d ON b.domainRepoId = d.repoId
-      JOIN Tld t ON t.tldStr = d.tld
-      LEFT JOIN BillingCancellation c ON b.id = c.billingEvent
-      LEFT JOIN BillingCancellation cr ON b.cancellationMatchingBillingEvent = cr.billingRecurrence
-      WHERE r.billingAccountMap IS NOT NULL
-      AND r.type = 'REAL'
-      AND t.invoicingEnabled IS TRUE
-      AND CAST(b.billingTime AS timestamp)
-          BETWEEN CAST('2017-10-01T00:00:00Z' AS timestamp)
-          AND CAST('2017-11-01T00:00:00Z' AS timestamp)
-      AND c.id IS NULL
-      AND cr.id IS NULL
-      """);
+SELECT b, r FROM BillingEvent b
+JOIN Registrar r ON b.clientId = r.registrarId
+JOIN Domain d ON b.domainRepoId = d.repoId
+JOIN Tld t ON t.tldStr = d.tld
+LEFT JOIN BillingCancellation c ON b.id = c.billingEvent
+LEFT JOIN BillingCancellation cr ON b.cancellationMatchingBillingEvent = cr.billingRecurrence
+WHERE r.billingAccountMap IS NOT NULL
+AND r.type = 'REAL'
+AND t.invoicingEnabled IS TRUE
+AND CAST(b.billingTime AS timestamp)
+    BETWEEN CAST('2017-10-01T00:00:00Z' AS timestamp)
+    AND CAST('2017-11-01T00:00:00Z' AS timestamp)
+AND c.id IS NULL
+AND cr.id IS NULL
+""");
   }
 
   /** Returns the text contents of a file under the beamBucket/results directory. */
@@ -391,6 +429,13 @@ class InvoicingPipelineTest {
             .setBillingAccountMap(ImmutableMap.of(JPY, "234", USD, "234"))
             .build();
     persistResource(registrar1);
+    Registrar registrar11 = persistNewRegistrar("theRegistrarCopy");
+    registrar11 =
+        registrar11
+            .asBuilder()
+            .setBillingAccountMap(ImmutableMap.of(JPY, "234", USD, "234"))
+            .build();
+    persistResource(registrar11);
     Registrar registrar2 = persistNewRegistrar("bestdomains");
     registrar2 =
         registrar2
@@ -547,6 +592,21 @@ class InvoicingPipelineTest {
             .setDomainHistory(domainHistoryRecurrence)
             .build();
     persistResource(cancellationRecurrence);
+
+    // Domains created for registrar with = key but != client id.
+    Domain domain14 = persistActiveDomain("mydomainfromanotherclient.test");
+    Domain domain15 = persistActiveDomain("mydomain2fromanotherclient.test");
+
+    persistBillingEvent(
+        15,
+        domain14,
+        registrar11,
+        Reason.CREATE,
+        5,
+        Money.ofMajor(JPY, 70),
+        DateTime.parse("2017-10-04T00:00:00.0Z"),
+        DateTime.parse("2017-10-02T00:00:00.0Z"));
+    persistBillingEvent(16, domain15, registrar11, Reason.RENEW, 3, Money.of(USD, 20.5));
   }
 
   private static DomainHistory persistDomainHistory(Domain domain, Registrar registrar) {

core/src/test/java/google/registry/beam/common/RegistryJpaReadTest.java

@@ -15,9 +15,10 @@
 package google.registry.beam.common;
 
 import static google.registry.persistence.transaction.JpaTransactionManagerExtension.makeRegistrar1;
-import static google.registry.testing.DatabaseHelper.insertInDb;
 import static google.registry.testing.DatabaseHelper.newContact;
 import static google.registry.testing.DatabaseHelper.newTld;
+import static google.registry.testing.DatabaseHelper.persistResource;
+import static google.registry.testing.DatabaseHelper.persistResources;
 import static google.registry.util.DateTimeUtils.END_OF_TIME;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 
@@ -75,7 +76,7 @@ public class RegistryJpaReadTest {
   @BeforeEach
   void beforeEach() {
     Registrar ofyRegistrar = JpaIntegrationTestExtension.makeRegistrar2();
-    insertInDb(ofyRegistrar);
+    persistResource(ofyRegistrar);
 
     ImmutableList.Builder<Contact> builder = new ImmutableList.Builder<>();
 
@@ -84,7 +85,7 @@ public class RegistryJpaReadTest {
       builder.add(contact);
     }
     contacts = builder.build();
-    insertInDb(contacts);
+    persistResources(contacts);
   }
 
   @Test
@@ -211,6 +212,6 @@ public class RegistryJpaReadTest {
                     null,
                     100L))
             .build();
-    insertInDb(registry, registrar, contact, domain);
+    persistResources(registry, registrar, contact, domain);
   }
 }

core/src/test/java/google/registry/beam/common/RegistryPipelineWorkerInitializerTest.java

@@ -0,0 +1,36 @@
+// Copyright 2025 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.beam.common;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import google.registry.util.RegistryEnvironment;
+import org.apache.beam.sdk.options.PipelineOptionsFactory;
+import org.junit.jupiter.api.Test;
+
+public class RegistryPipelineWorkerInitializerTest {
+
+  @Test
+  void test() {
+    RegistryPipelineOptions options =
+        PipelineOptionsFactory.fromArgs(
+                "--registryEnvironment=ALPHA", "--isolationOverride=TRANSACTION_SERIALIZABLE")
+            .withValidation()
+            .as(RegistryPipelineOptions.class);
+    new RegistryPipelineWorkerInitializer().beforeProcessing(options);
+    assertThat(RegistryEnvironment.isOnJetty()).isTrue();
+    System.clearProperty("google.registry.jetty");
+  }
+}

core/src/test/java/google/registry/beam/rde/RdePipelineTest.java

@@ -30,7 +30,6 @@ import static google.registry.rde.RdeResourceType.DOMAIN;
 import static google.registry.rde.RdeResourceType.HOST;
 import static google.registry.rde.RdeResourceType.REGISTRAR;
 import static google.registry.testing.DatabaseHelper.createTld;
-import static google.registry.testing.DatabaseHelper.insertSimpleResources;
 import static google.registry.testing.DatabaseHelper.newDomain;
 import static google.registry.testing.DatabaseHelper.persistActiveContact;
 import static google.registry.testing.DatabaseHelper.persistActiveDomain;
@@ -38,6 +37,7 @@ import static google.registry.testing.DatabaseHelper.persistActiveHost;
 import static google.registry.testing.DatabaseHelper.persistEppResource;
 import static google.registry.testing.DatabaseHelper.persistNewRegistrar;
 import static google.registry.testing.DatabaseHelper.persistResource;
+import static google.registry.testing.DatabaseHelper.persistResources;
 import static google.registry.util.ResourceUtils.readResourceUtf8;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.junit.Assert.assertThrows;
@@ -223,7 +223,7 @@ public class RdePipelineTest {
 
   @BeforeEach
   void beforeEach() throws Exception {
-    insertSimpleResources(ImmutableList.of(makeRegistrar1(), makeRegistrar2()));
+    persistResources(ImmutableList.of(makeRegistrar1(), makeRegistrar2()));
 
     // Two real registrars have been created by loadInitialData(), named "New Registrar" and "The
     // Registrar". Create one included registrar (external_monitoring) and two excluded ones.
@@ -403,7 +403,8 @@ public class RdePipelineTest {
                                   <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
                                   <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
                                   <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
-                              </rdeDomain:domain>""");
+                              </rdeDomain:domain>\
+                              """);
                     }
                     if (kv.getKey().mode().equals(FULL)) {
                       // Contact fragments for hello.soy.
@@ -441,7 +442,8 @@ public class RdePipelineTest {
                                     <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
                                     <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
                                     <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
-                                </rdeDomain:domain>""");
+                                </rdeDomain:domain>\
+                                """);
                       } else {
                         // Contact fragments for cat.fun.
                         assertThat(
@@ -484,7 +486,8 @@ public class RdePipelineTest {
                                   <rdeDomain:crRr>TheRegistrar</rdeDomain:crRr>
                                   <rdeDomain:crDate>1970-01-01T00:00:00Z</rdeDomain:crDate>
                                   <rdeDomain:exDate>294247-01-10T04:00:54Z</rdeDomain:exDate>
-                              </rdeDomain:domain>""");
+                              </rdeDomain:domain>\
+                              """);
                     }
                   });
               return null;

core/src/test/java/google/registry/export/sheet/SyncRegistrarsSheetTest.java

@@ -23,7 +23,7 @@ import static google.registry.testing.DatabaseHelper.createTld;
 import static google.registry.testing.DatabaseHelper.loadByKey;
 import static google.registry.testing.DatabaseHelper.persistNewRegistrar;
 import static google.registry.testing.DatabaseHelper.persistResource;
-import static google.registry.testing.DatabaseHelper.persistSimpleResources;
+import static google.registry.testing.DatabaseHelper.persistResources;
 import static org.joda.money.CurrencyUnit.JPY;
 import static org.joda.money.CurrencyUnit.USD;
 import static org.joda.time.DateTimeZone.UTC;
@@ -179,7 +179,7 @@ public class SyncRegistrarsSheetTest {
                 .build());
     // Use registrar key for contacts' parent.
     DateTime registrarCreationTime = persistResource(registrar).getCreationTime();
-    persistSimpleResources(contacts);
+    persistResources(contacts);
 
     clock.advanceBy(standardMinutes(1));
     newSyncRegistrarsSheet().run("foobar");