Replace jira.cfops.it with jira.cfdata.org in connection/http2_test.go

TUN-9863: Update pipelines to use cloudflared EV Certificate
TUN-9800: Migrate apt internal builds to Gitlab
2025-11-21 05:33:09 +00:00 · 2025-11-19 18:05:33 +00:00 · 2025-11-10 14:43:10 +00:00 · 2025-11-07 16:30:58 +00:00 · 2025-11-07 15:26:22 +00:00 · 2025-11-07 08:15:20 +00:00
2479 changed files with 193685 additions and 135184 deletions
--- a/.ci/apt-internal.gitlab-ci.yml
+++ b/.ci/apt-internal.gitlab-ci.yml
@ -0,0 +1,151 @@
 .register_inputs: &register_inputs
  stage: release-internal
  runOnBranches: "^master$"
  COMPONENT: "common"
 .register_inputs_stable_bookworm: &register_inputs_stable_bookworm
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "bookworm"
  SERIES: "stable"
 .register_inputs_stable_trixie: &register_inputs_stable_trixie
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "trixie"
  SERIES: "stable"
 .register_inputs_next_bookworm: &register_inputs_next_bookworm
  <<: *register_inputs
  FLAVOR: "bookworm"
  SERIES: next
 .register_inputs_next_trixie: &register_inputs_next_trixie
  <<: *register_inputs
  FLAVOR: "trixie"
  SERIES: next
 ################################################
 ### Generate Debian Package for Internal APT ###
 ################################################
 .cloudflared-apt-build: &cloudflared_apt_build
  stage: package
  needs:
    - ci-image-get-image-ref
    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
  image: $BUILD_IMAGE
  cache: {}
  script:
    - make cloudflared-deb
  artifacts:
    paths:
      - cloudflared*.deb
 ##############
 ### Stable ###
 ##############
 cloudflared-amd64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &amd64-stable-vars
    GOOS: linux
    GOARCH: amd64
    FIPS: true
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 cloudflared-arm64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &arm64-stable-vars
    GOOS: linux
    GOARCH: arm64
    FIPS: false # TUN-7595
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 ############
 ### Next ###
 ############
 cloudflared-amd64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *amd64-stable-vars
    NIGHTLY: true
 cloudflared-arm64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *arm64-stable-vars
    NIGHTLY: true
 include:
  - local: .ci/commons.gitlab-ci.yml
  ##########################################
  ### Publish Packages to Internal Repos ###
  ##########################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-amd64
      needs: &amd64-stable ["cloudflared-amd64-stable"]
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-arm64
      needs: &arm64-stable ["cloudflared-arm64-stable"]
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-amd64
      needs: *amd64-stable
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-arm64
      needs: *arm64-stable
  ##################################################
  ### Publish Nightly Packages to Internal Repos ###
  ##################################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-amd64
      needs: &amd64-next ['cloudflared-amd64-next']
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-arm64
      needs: &arm64-next ['cloudflared-arm64-next']
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-amd64
      needs: *amd64-next
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-arm64
      needs: *arm64-next
--- a/.ci/ci-image.gitlab-ci.yml
+++ b/.ci/ci-image.gitlab-ci.yml
@ -0,0 +1,31 @@
 # Builds a custom CI Image when necessary
 include:
  #####################################################
  ############## Build and Push CI Image ##############
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnChangesTo: [".ci/image/**"]
      runOnMR: true
      runOnBranches: '^master$'
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
  #####################################################
  ## Resolve the image reference for downstream jobs ##
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnMR: true
      runOnBranches: '^master$'
      IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
      VARIABLE_NAME: BUILD_IMAGE
      needs:
        - job: ci-image-build-push-image
          optional: true
--- a/.ci/commons.gitlab-ci.yml
+++ b/.ci/commons.gitlab-ci.yml
@ -0,0 +1,45 @@
 ## A set of predefined rules to use on the different jobs
 .default-rules:
  # Rules to run the job only on the master branch
  run-on-master:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only on merge requests
  run-on-mr:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: on_success
    - when: never
  # Rules to run the job on merge_requests and master branch
  run-always:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only when a release happens
  run-on-release:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
          - 'RELEASE_NOTES'
      when: on_success
    - when: never
 .component-tests:
  image: $BUILD_IMAGE
  rules:
    - !reference [.default-rules, run-always]
  variables:
    COMPONENT_TESTS_CONFIG: component-test-config.yaml
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
  secrets:
    DNS_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
      file: false
    COMPONENT_TESTS_ORIGINCERT:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
      file: false
  cache: {}
--- a/.ci/github.gitlab-ci.yml
+++ b/.ci/github.gitlab-ci.yml
@ -0,0 +1,17 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ######################################
 ### Sync master branch with Github ###
 ######################################
 push-github:
  stage: sync
  rules:
    - !reference [.default-rules, run-on-master]
  script:
    - ./.ci/scripts/github-push.sh
  secrets:
    CLOUDFLARED_DEPLOY_SSH_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
      file: false
  cache: {}
--- a/.ci/image/.docker-images
+++ b/.ci/image/.docker-images
@ -0,0 +1,2 @@
 images:
  - name: ci-image
--- a/.ci/image/Dockerfile
+++ b/.ci/image/Dockerfile
@ -0,0 +1,35 @@
 ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
 FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/bookworm/main:2025.7.0@sha256:6350da2f7e728dae2c1420f6dafc38e23cacc0b399d3d5b2f40fe48d9c8ff1ca
 RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install --no-install-recommends --allow-downgrades -y \
        build-essential \
        git \
        go-boring=1.24.9-1 \
        libffi-dev \
        procps \
        python3-dev \
        python3-pip \
        python3-setuptools \
        python3-venv \
        # libmsi and libgcab are libraries the wixl binary depends on.
        libmsi-dev \
        libgcab-dev \
        # deb and rpm build tools
        rubygem-fpm \
        rpm \
        # create deb and rpm repository files
        reprepro \
        createrepo-c \
        # gcc for cross architecture compilation in arm
        gcc-aarch64-linux-gnu \
        libc6-dev-arm64-cross && \
    rm -rf /var/lib/apt/lists/* && \
    # Install wixl
    curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \
    chmod a+x /usr/local/bin/wixl && \
    mkdir -p opt
 WORKDIR /opt
--- a/.ci/linux.gitlab-ci.yml
+++ b/.ci/linux.gitlab-ci.yml
@ -0,0 +1,122 @@
 .golang-inputs: &golang_inputs
  runOnMR: true
  runOnBranches: '^master$'
  outputDir: artifacts
  runner: linux-x86-8cpu-16gb
  stage: build
  golangVersion: "boring-1.24"
  imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
  CGO_ENABLED: 1
 .default-packaging-job: &packaging-job-defaults
  stage: package
  needs:
    - ci-image-get-image-ref
  rules:
    - !reference [.default-rules, run-on-master]
  image: $BUILD_IMAGE
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 include:
  ###################
  ### Linux Build ###
  ###################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-build
      GOLANG_MAKE_TARGET: ci-build
  ########################
  ### Linux FIPS Build ###
  ########################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-fips-build
      GOLANG_MAKE_TARGET: ci-fips-build
  #################
  ### Unit Tests ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test
      GOLANG_MAKE_TARGET: ci-test
  ######################
  ### Unit Tests FIPS ##
  ######################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test-fips
      GOLANG_MAKE_TARGET: ci-fips-test
  #################
  ### Vuln Check ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      runOnBranches: '^$'
      stage: validate
      jobPrefix: vulncheck
      GOLANG_MAKE_TARGET: vulncheck
 #################################
 ### Run Linux Component Tests ###
 #################################
 linux-component-tests: &linux-component-tests
  stage: test
  extends: .component-tests
  needs:
    - ci-image-get-image-ref
    - linux-build-boring-make
  script:
    - ./.ci/scripts/component-tests.sh
  variables: &component-tests-variables
    CI: 1
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
  tags:
    - linux-x86-8cpu-16gb
  artifacts:
    reports:
      junit: report.xml
 ######################################
 ### Run Linux FIPS Component Tests ###
 ######################################
 linux-component-tests-fips:
  <<: *linux-component-tests
  needs:
    - ci-image-get-image-ref
    - linux-fips-build-boring-make
  variables:
    <<: *component-tests-variables
    COMPONENT_TESTS_FIPS: 1
 ################################
 ####### Linux Packaging ########
 ################################
 linux-packaging:
  <<: *packaging-job-defaults
  parallel:
    matrix:
      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
  script:
    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
 ################################
 ##### Linux FIPS Packaging #####
 ################################
 linux-packaging-fips:
  <<: *packaging-job-defaults
  script:
    - ./.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/mac.gitlab-ci.yml
+++ b/.ci/mac.gitlab-ci.yml
@ -0,0 +1,66 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###############################
 ### Defaults for Mac Builds ###
 ###############################
 .mac-build-defaults: &mac-build-defaults
  rules:
    - !reference [.default-rules, run-on-mr]
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  cache: {}
 ######################################
 ### Build Cloudflared Mac Binaries ###
 ######################################
 macos-build-cloudflared: &mac-build
  <<: *mac-build-defaults
  stage: build
  artifacts:
    paths:
      - artifacts/*
  script:
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    - ./.ci/scripts/mac/install-go.sh
    - BUILD_SCRIPT=.ci/scripts/mac/build.sh
    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    - exec ${BUILD_SCRIPT}
 ###############################################
 ### Build and Sign Cloudflared Mac Binaries ###
 ###############################################
 macos-build-and-sign-cloudflared:
  <<: *mac-build
  rules:
    - !reference [.default-rules, run-on-master]
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
      file: false
--- a/.ci/release.gitlab-ci.yml
+++ b/.ci/release.gitlab-ci.yml
@ -0,0 +1,133 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
  ######################################
  ### Build and Push DockerHub Image ###
  ######################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: release
      jobPrefix: docker-hub
      runOnMR: false
      runOnBranches: '^master$'
      runOnChangesTo: ['RELEASE_NOTES']
      needs:
        - generate-version-file
        - release-cloudflared-to-r2
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      # Based on if the CI reference is protected or not the CI component will
      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
      # we simply set both to the same value.
      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
      DOCKER_USER_PROD: *docker-hub-user
      DOCKER_PASSWORD_PROD: *docker-hub-password
      EXTRA_DIB_ARGS: --overwrite
 .default-release-job: &release-job-defaults
  stage: release
  image: $BUILD_IMAGE
  cache:
    paths:
      - .cache/pip
  variables: &release-job-variables
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # KV Vars
    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
    # R2 Vars
    R2_BUCKET: cloudflared-pkgs
    R2_ACCOUNT_ID: *cf-account
    # APT and RPM Repository Vars
    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
    BINARY_NAME: cloudflared
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
    R2_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
      file: false
    R2_CLIENT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
      file: false
 ###########################################
 ### Push Cloudflared Binaries to Github ###
 ###########################################
 release-cloudflared-to-github:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging
    - linux-packaging-fips
    - macos-build-and-sign-cloudflared
    - windows-package-sign
  script:
    - ./.ci/scripts/release-target.sh github-release
 #########################################
 ### Upload Cloudflared Binaries to R2 ###
 #########################################
 release-cloudflared-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
    - release-cloudflared-to-github
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #################################################
 ### Upload Cloudflared Nightly Binaries to R2 ###
 #################################################
 release-cloudflared-nightly-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *release-job-variables
    R2_BUCKET: cloudflared-pkgs-next
    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #############################
 ### Generate Version File ###
 #############################
 generate-version-file:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
  script:
    - make generate-docker-version
  artifacts:
    paths:
      - versions
--- a/.ci/scripts/component-tests.sh
+++ b/.ci/scripts/component-tests.sh
@ -0,0 +1,25 @@
 #!/bin/bash
 set -e -o pipefail
 # Fetch cloudflared from the artifacts folder
 mv ./artifacts/cloudflared ./cloudflared
 python3 -m venv env
 . env/bin/activate
 pip install --upgrade -r component-tests/requirements.txt
 # Creates and routes a Named Tunnel for this build. Also constructs
 # config file from env vars.
 python3 component-tests/setup.py --type create
 # Define the cleanup function
 cleanup() {
    # The Named Tunnel is deleted and its route unprovisioned here.
    python3 component-tests/setup.py --type cleanup
 }
 # The trap will call the cleanup function on script exit
 trap cleanup EXIT
 pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
--- a/.ci/scripts/fmt-check.sh
+++ b/.ci/scripts/fmt-check.sh
@ -1,8 +1,7 @@
 #!/bin/bash
 set -e -o pipefail
-OUTPUT=$(goimports -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
+OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
 if [ -n "$OUTPUT" ] ; then
  PAGER=$(which colordiff || echo cat)
--- a/.ci/scripts/github-push.sh
+++ b/.ci/scripts/github-push.sh
@ -0,0 +1,31 @@
 #!/bin/bash
 set -e -o pipefail
 BRANCH="master"
 TMP_PATH="$PWD/tmp"
 PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
 PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
 mkdir -p $TMP_PATH
 # Setup Private Key
 echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
 chmod 400 $PRIVATE_KEY_PATH
 # Download GitHub Public Key for KnownHostsFile
 ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
 # Setup git ssh command with the right configurations
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
 # Add GitHub as a new remote
 git remote add github git@github.com:cloudflare/cloudflared.git || true
 # GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
 # Therefore, we need to manually fetch the reference to then push it to GitHub.
 git fetch origin $BRANCH:$BRANCH
 git push -u github $BRANCH
 if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
  git push -u github "$TAG"
 fi
--- a/.ci/scripts/linux/build-packages-fips.sh
+++ b/.ci/scripts/linux/build-packages-fips.sh
@ -1,8 +1,9 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # This controls the directory the built artifacts go into
-export ARTIFACT_DIR=built_artifacts/
+export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 arch=("amd64")
@ -16,7 +17,7 @@ make cloudflared-deb
 mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
-RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
+RPMVERSION=$(echo $VERSION | sed -r 's/-/_/g')
 RPMARCH="x86_64"
 make cloudflared-rpm
 mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
--- a/.ci/scripts/linux/build-packages.sh
+++ b/.ci/scripts/linux/build-packages.sh
@ -0,0 +1,59 @@
 #!/bin/bash
 # Check if architecture argument is provided
 if [ $# -eq 0 ]; then
    echo "Error: Architecture argument is required"
    echo "Usage: $0 <architecture>"
    exit 1
 fi
 # Parameters
 arch=$1
 # Get Version
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 export TARGET_OS=linux
 unset TARGET_ARM
 export TARGET_ARCH=$arch
 ## Support for arm platforms without hardware FPU enabled
 if [[ $arch == arm ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=5
 fi
 ## Support for armhf builds
 if [[ $arch == armhf ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=7
 fi
 make cloudflared-deb
 mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH=$arch
 if [ $arch == "amd64" ];then
    RPMARCH="x86_64"
 fi
 if [ $arch == "arm64" ]; then
    RPMARCH="aarch64"
 fi
 make cloudflared-rpm
 mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
--- a/.ci/scripts/mac/build.sh
+++ b/.ci/scripts/mac/build.sh
@ -0,0 +1,228 @@
 #!/bin/bash
 set -exo pipefail
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
 then
  echo "TARGET_ARCH must be amd64 or arm64"
  exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 APPLE_CA_CERT="apple_dev_ca.cert"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 # Imports certificates to the Apple KeyChain
 import_certificate() {
    local CERTIFICATE_NAME=$1
    local CERTIFICATE_ENV_VAR=$2
    local CERTIFICATE_FILE_NAME=$3
    echo "Importing $CERTIFICATE_NAME"
    if [[ ! -z "$CERTIFICATE_ENV_VAR" ]]; then
      # write certificate to disk and then import it keychain
      echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
      # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
      # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
      local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true
      local exitcode=$?
      # delete the certificate from disk
      rm -rf ${CERTIFICATE_FILE_NAME}
      if [ -n "$out" ]; then
        if [ $exitcode -eq 0 ]; then
            echo "$out"
        else
            if [ "$out" != "${SEC_DUP_MSG}" ]; then
                echo "$out" >&2
                exit $exitcode
            else
                echo "already imported code signing certificate"
            fi
        fi
      fi
    fi
 }
 create_cloudflared_build_keychain() {
  # Reusing the private key password as the keychain key
  local PRIVATE_KEY_PASS=$1
  # Create keychain only if it doesn't already exist
  if [ ! -f "$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db" ]; then
    security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
  else
    echo "Keychain already exists: cloudflared_build_keychain"
  fi
  # Append temp keychain to the user domain
  security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
  # Remove relock timeout
  security set-keychain-settings cloudflared_build_keychain
  # Unlock keychain so it doesn't require password
  security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
 }
 # Imports private keys to the Apple KeyChain
 import_private_keys() {
    local PRIVATE_KEY_NAME=$1
    local PRIVATE_KEY_ENV_VAR=$2
    local PRIVATE_KEY_FILE_NAME=$3
    local PRIVATE_KEY_PASS=$4
    echo "Importing $PRIVATE_KEY_NAME"
    if [[ ! -z "$PRIVATE_KEY_ENV_VAR" ]]; then
      if [[ ! -z "$PRIVATE_KEY_PASS" ]]; then
        # write private key to disk and then import it keychain
        echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
        # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
        # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
        local exitcode=$?
        rm -rf ${PRIVATE_KEY_FILE_NAME}
        if [ -n "$out" ]; then
          if [ $exitcode -eq 0 ]; then
              echo "$out"
          else
              if [ "$out" != "${SEC_DUP_MSG}" ]; then
                  echo "$out" >&2
                  exit $exitcode
              fi
          fi
        fi
      fi
    fi
 }
 # Create temp keychain only for this build
 create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
 # Add Apple Root Developer certificate to the key chain
 import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
 # Add code signing private key to the key chain
 import_private_keys "Developer ID Application" "${CFD_CODE_SIGN_KEY}" "${CODE_SIGN_PRIV}" "${CFD_CODE_SIGN_PASS}"
 # Add code signing certificate to the key chain
 import_certificate "Developer ID Application" "${CFD_CODE_SIGN_CERT}" "${CODE_SIGN_CERT}"
 # Add package signing private key to the key chain
 import_private_keys "Developer ID Installer" "${CFD_INSTALLER_KEY}" "${INSTALLER_PRIV}" "${CFD_INSTALLER_PASS}"
 # Add package signing certificate to the key chain
 import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER_CERT}"
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # cleanup the build directory because the previous execution might have failed without cleaning up.
 rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # This allows apple tools to use the certificates in the keychain without requiring password input.
 # This command always needs to run after the certificates have been loaded into the keychain
 if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
  security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 # notarize the binary
 # TODO: TUN-5789
 fi
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
 # creating build directory
 rm -rf $ARCH_TARGET_DIRECTORY
 mkdir -p "${ARCH_TARGET_DIRECTORY}"
 mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --keychain cloudflared_build_keychain \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      # TODO: TUN-5789
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
 # cleanup the keychain
 security default-keychain -d user -s login.keychain-db
 security list-keychains -d user -s login.keychain-db
 security delete-keychain cloudflared_build_keychain
--- a/.ci/scripts/mac/install-go.sh
+++ b/.ci/scripts/mac/install-go.sh
@ -0,0 +1,10 @@
 rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 brew install go@1.24
 go version
 which go
 go env
--- a/.ci/scripts/package-windows.sh
+++ b/.ci/scripts/package-windows.sh
@ -0,0 +1,23 @@
 #!/bin/bash
 python3 -m venv env
 . env/bin/activate
 pip install pynacl==1.4.0 pygithub==1.55
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
 export BUILT_ARTIFACT_DIR=artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    # Copy .exe from artifacts directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
 done
--- a/.ci/scripts/release-target.sh
+++ b/.ci/scripts/release-target.sh
@ -0,0 +1,18 @@
 #!/bin/bash
 set -e -o pipefail
 # Check if a make target is provided as an argument
 if [ $# -eq 0 ]; then
    echo "Error: Make target argument is required"
    echo "Usage: $0 <make-target>"
    exit 1
 fi
 MAKE_TARGET=$1
 python3 -m venv venv
 source venv/bin/activate
 # Our release scripts are written in python, so we should install their dependecies here.
 pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
 make $MAKE_TARGET
--- a/.ci/scripts/vuln-check.sh
+++ b/.ci/scripts/vuln-check.sh
@ -0,0 +1,52 @@
 #!/bin/bash
 set -e
 # Define the file to store the list of vulnerabilities to ignore.
 IGNORE_FILE=".vulnignore"
 # Check if the ignored vulnerabilities file exists. If not, create an empty one.
 if [ ! -f "$IGNORE_FILE" ]; then
    touch "$IGNORE_FILE"
    echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
    echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
    echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
    echo "" >> "$IGNORE_FILE"
 fi
 # Run govulncheck and capture its output.
 VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
 # Print the govuln output
 echo "====================================="
 echo "Full Output of govulncheck:"
 echo "====================================="
 echo "$VULN_OUTPUT"
 echo "====================================="
 echo "End of govulncheck Output"
 echo "====================================="
 # Process the ignore file to remove comments and empty lines.
 # The 'cut' command gets the vulnerability ID and removes anything after the '#'.
 # The 'grep' command filters out empty lines and lines starting with '#'.
 CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
 # Filter out the ignored vulnerabilities.
 UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
 # If the list of ignored vulnerabilities is not empty, filter them out.
 if [ -n "$CLEAN_IGNORES" ]; then
    UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
 fi
 # If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
 if [ -n "$UNIGNORED_VULNS" ]; then
    echo "🚨 Found new, unignored vulnerabilities:"
    echo "-------------------------------------"
    echo "$UNIGNORED_VULNS"
    echo "-------------------------------------"
    echo "Exiting with an error. ❌"
    exit 1
 else
    echo "🎉 No new vulnerabilities found. All clear! ✨"
    exit 0
 fi
--- a/.ci/scripts/windows/builds.ps1
+++ b/.ci/scripts/windows/builds.ps1
@ -0,0 +1,29 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 New-Item -Path ".\artifacts" -ItemType Directory
 Write-Output "Building for amd64"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 # Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:TARGET_ARCH = "386"
 $env:LOCAL_ARCH = "386"
 $env:CGO_ENABLED = 0
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 ## Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe
--- a/.ci/scripts/windows/component-test.ps1
+++ b/.ci/scripts/windows/component-test.ps1
@ -0,0 +1,40 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 python --version
 python -m pip --version
 Write-Host "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 Write-Host "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 go test -failfast -v -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 # On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
 $env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
 Write-Host "No Proxy: ${env:NO_PROXY}"
 Write-Host "Running component tests"
 try {
    python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
    python component-tests/setup.py --type create
    python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
    if ($LASTEXITCODE -ne 0) {
        throw "Failed component tests"
    }
 } finally {
    python component-tests/setup.py --type cleanup
 }
--- a/.ci/scripts/windows/go-wrapper.ps1
+++ b/.ci/scripts/windows/go-wrapper.ps1
@ -0,0 +1,69 @@
 Param(
    [string]$GoVersion,
    [string]$ScriptToExecute
 )
 # The script is a wrapper that downloads a specific version
 # of go, adds it to the PATH and executes a script with that go
 # version in the path.
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Get the path to the system's temporary directory.
 $tempPath = [System.IO.Path]::GetTempPath()
 # Create a unique name for the new temporary folder.
 $folderName = "go_" + (Get-Random)
 # Join the temp path and the new folder name to create the full path.
 $fullPath = Join-Path -Path $tempPath -ChildPath $folderName
 # Store the current value of PATH environment variable.
 $oldPath = $env:Path
 # Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
 try {
    # Create the temporary folder.
    Write-Host "Creating temporary folder at: $fullPath"
    $newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
    # Download go
    $url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
    $destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
    Write-Host "Downloading go from: $url"
    Invoke-WebRequest -Uri $url -OutFile $destinationFile
    Write-Host "File downloaded to: $destinationFile"
    # Unzip the downloaded file.
    Write-Host "Unzipping the file..."
    Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
    Write-Host "File unzipped successfully."
    # Define the go/bin path wich is inside the temporary folder
    $goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
    # Add the go/bin path to the PATH environment variable.
    $env:Path = "$goBinPath;$($env:Path)"
    Write-Host "Added $goBinPath to the environment PATH."
    go env
    go version
    & $ScriptToExecute
 } finally {
    # Cleanup: Remove the path from the environment variable and then the temporary folder.
    Write-Host "Starting cleanup..."
    $env:Path = $oldPath
    Write-Host "Reverted changes in the environment PATH."
    # Remove the temporary folder and its contents.
    if (Test-Path -Path $fullPath) {
        Remove-Item -Path $fullPath -Recurse -Force
        Write-Host "Temporary folder and its contents have been removed."
    } else {
        Write-Host "Temporary folder does not exist, no cleanup needed."
    }
 }
--- a/.ci/scripts/windows/sign-msi.ps1
+++ b/.ci/scripts/windows/sign-msi.ps1
@ -0,0 +1,26 @@
 # Sign Windows artifacts using azuretool
 # This script processes MSI files from the artifacts directory
 $ErrorActionPreference = "Stop"
 # Define paths
 $ARTIFACT_DIR = "artifacts"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
 # Find all Windows MSI files
 $msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
 if ($msiFiles.Count -eq 0) {
    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
    exit 1
 }
 Write-Host "Found $($msiFiles.Count) file(s) to sign:"
 foreach ($file in $msiFiles) {
    Write-Host "Running azuretool sign for $($file.Name)"
    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
 }
 Write-Host "Signing process completed"
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@ -0,0 +1,114 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###################################
 ### Defaults for Windows Builds ###
 ###################################
 .windows-build-defaults: &windows-build-defaults
  rules:
    - !reference [.default-rules, run-always]
  tags:
    - windows-x86
  cache: {}
 ##########################################
 ### Build Cloudflared Windows Binaries ###
 ##########################################
 windows-build-cloudflared:
  <<: *windows-build-defaults
  stage: build
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
  artifacts:
    paths:
      - artifacts/*
 ######################################################
 ### Load Environment Variables for Component Tests ###
 ######################################################
 windows-load-env-variables:
  stage: pre-build
  extends: .component-tests
  script:
    - echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
    - echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
    - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
    # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
    - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
  variables:
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
  secrets:
    KEY_VAULT_URL:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
      file: false
    KEY_VAULT_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
      file: false
    KEY_VAULT_TENANT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
      file: false
    KEY_VAULT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
      file: false
    KEY_VAULT_CERTIFICATE:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate_v2/key_vault_certificate@kv
      file: false
  artifacts:
    access: 'none'
    reports:
      dotenv: windows.env
 ###################################
 ### Run Windows Component Tests ###
 ###################################
 windows-component-tests-cloudflared:
  <<: *windows-build-defaults
  stage: test
  needs: ["windows-load-env-variables"]
  script:
    # We have to decode the secret we encoded on the `windows-load-env-variables` job
    - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
  artifacts:
    reports:
      junit: report.xml
 ################################
 ### Package Windows Binaries ###
 ################################
 windows-package:
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - ci-image-get-image-ref
    - windows-build-cloudflared
  image: $BUILD_IMAGE
  script:
    - .ci/scripts/package-windows.sh
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 #############################
 ### Sign Windows Binaries ###
 #############################
 windows-package-sign:
  <<: *windows-build-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - windows-package
    - windows-load-env-variables
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
  artifacts:
    paths:
      - artifacts/*
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@ -4,15 +4,15 @@ jobs:
  check:
    strategy:
      matrix:
-        go-version: [1.19.x]
+        go-version: [1.22.x]
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - name: Install Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.go-version }}
    - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: Test
      run: make test
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -0,0 +1,24 @@
 on:
  pull_request: {}
  workflow_dispatch: {}
  push: 
    branches:
      - main
      - master
  schedule:
    - cron: '0 0 * * *'
 name: Semgrep config
 jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      SEMGREP_URL: https://cloudflare.semgrep.dev
      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
--- a/.gitignore
+++ b/.gitignore
@ -17,3 +17,4 @@ cscope.*
 ssh_server_tests/.env
 /.cover
 built_artifacts/
 component-tests/.venv
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,58 @@
 variables:
  GO_VERSION: "go1.24.9"
  GIT_DEPTH: "0"
 default:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org
 stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]
 include:
  #####################################################
  ########## Import Commons Configurations ############
  #####################################################
  - local: .ci/commons.gitlab-ci.yml
  #####################################################
  ########### Sync Repository with Github #############
  #####################################################
  - local: .ci/github.gitlab-ci.yml
  #####################################################
  ############# Build or Fetch CI Image ###############
  #####################################################
  - local: .ci/ci-image.gitlab-ci.yml
  #####################################################
  ################## Linux Builds ###################
  #####################################################
  - local: .ci/linux.gitlab-ci.yml
  #####################################################
  ################## Windows Builds ###################
  #####################################################
  - local: .ci/windows.gitlab-ci.yml
  #####################################################
  ################### macOS Builds ####################
  #####################################################
  - local: .ci/mac.gitlab-ci.yml
  #####################################################
  ################# Release Packages ##################
  #####################################################
  - local: .ci/release.gitlab-ci.yml
  #####################################################
  ########## Release Packages Internally ##############
  #####################################################
  - local: .ci/apt-internal.gitlab-ci.yml
  #####################################################
  ############## Manual Claude Review #################
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
    inputs:
      whenToRun: "manual"
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -0,0 +1,89 @@
 linters:
  enable:
    # Some of the linters below are commented out. We should uncomment and start running them, but they return
    # too many problems to fix in one commit. Something for later.
    - asasalint        # Check for pass []any as any in variadic func(...any).
    - asciicheck       # Checks that all code identifiers does not have non-ASCII symbols in the name.
    - bidichk          # Checks for dangerous unicode character sequences.
    - bodyclose        # Checks whether HTTP response body is closed successfully.
    - decorder         # Check declaration order and count of types, constants, variables and functions.
    - dogsled          # Checks assignments with too many blank identifiers (e.g. x, , , _, := f()).
    - dupl             # Tool for code clone detection.
    - dupword          # Checks for duplicate words in the source code.
    - durationcheck    # Check for two durations multiplied together.
    - errcheck         # Errcheck is a program for checking for unchecked errors in Go code. These unchecked errors can be critical bugs in some cases.
    - errname          # Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error.
    - exhaustive       # Check exhaustiveness of enum switch statements.
    - gofmt            # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification.
    - goimports        # Check import statements are formatted according to the 'goimport' command. Reformat imports in autofix mode.
    - gosec            # Inspects source code for security problems.
    - gosimple         # Linter for Go source code that specializes in simplifying code.
    - govet            # Vet examines Go source code and reports suspicious constructs. It is roughly the same as 'go vet' and uses its passes.
    - ineffassign      # Detects when assignments to existing variables are not used.
    - importas         # Enforces consistent import aliases.
    - misspell         # Finds commonly misspelled English words.
    - prealloc         # Finds slice declarations that could potentially be pre-allocated.
    - promlinter       # Check Prometheus metrics naming via promlint.
    - sloglint         # Ensure consistent code style when using log/slog.
    - sqlclosecheck    # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.
    - staticcheck      # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.
    - usetesting       # Reports uses of functions with replacement inside the testing package.
    - testableexamples # Linter checks if examples are testable (have an expected output).
    - testifylint      # Checks usage of github.com/stretchr/testify.
    - tparallel        # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.
    - unconvert        # Remove unnecessary type conversions.
    - unused           # Checks Go code for unused constants, variables, functions and types.
    - wastedassign     # Finds wasted assignment statements.
    - whitespace       # Whitespace is a linter that checks for unnecessary newlines at the start and end of functions, if, for, etc.
    - zerologlint      # Detects the wrong usage of zerolog that a user forgets to dispatch with Send or Msg.
  # Other linters are disabled, list of all is here: https://golangci-lint.run/usage/linters/
 run:
  timeout: 5m
  modules-download-mode: vendor
 # output configuration options
 output:
  formats:
    - format: 'colored-line-number'
  print-issued-lines: true
  print-linter-name: true
 issues:
  # Maximum issues count per one linter.
  # Set to 0 to disable.
  # Default: 50
  max-issues-per-linter: 50
  # Maximum count of issues with the same text.
  # Set to 0 to disable.
  # Default: 3
  max-same-issues: 15
  # Show only new issues: if there are unstaged changes or untracked files,
  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
  # It's a super-useful option for integration of golangci-lint into existing large codebase.
  # It's not practical to fix all existing issues at the moment of integration:
  # much better don't allow issues in new code.
  #
  # Default: false
  new: true
  # Show only new issues created after git revision `REV`.
  # Default: ""
  new-from-rev: ac34f94d423273c8fa8fdbb5f2ac60e55f2c77d5
  # Show issues in any part of update files (requires new-from-rev or new-from-patch).
  # Default: false
  whole-files: true
  # Which dirs to exclude: issues from them won't be reported.
  # Can use regexp here: `generated.*`, regexp is applied on full path,
  # including the path prefix if one is set.
  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
  # "/" will be replaced by current OS file path separator to properly work on Windows.
  # Default: []
  exclude-dirs:
    - vendor
 linters-settings:
  # Check exhaustiveness of enum switch statements.
  exhaustive:
    # Presence of "default" case in switch statements satisfies exhaustiveness,
    # even if all enum members are not listed.
    # Default: false
    default-signifies-exhaustive: true
--- a/.teamcity/build-macos.sh
+++ b/.teamcity/build-macos.sh
@ -1,184 +0,0 @@
 #!/bin/bash
 set -exo pipefail
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # Add code signing private key to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
    # write private key to disk and then import it keychain
    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
    # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error 
    # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true 
    exitcode=$?
    if [ -n "$out" ]; then
      if [ $exitcode -eq 0 ]; then
          echo "$out"
      else
          if [ "$out" != "${SEC_DUP_MSG}" ]; then
              echo "$out" >&2
              exit $exitcode
          fi
      fi
    fi
    rm ${CODE_SIGN_PRIV}
  fi
 fi
 # Add code signing certificate to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
  exitcode1=$?
  if [ -n "$out1" ]; then
    if [ $exitcode1 -eq 0 ]; then
        echo "$out1"
    else
        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
            echo "$out1" >&2
            exit $exitcode1
        else 
            echo "already imported code signing certificate"
        fi
    fi
  fi
  rm ${CODE_SIGN_CERT}
 fi
 # Add package signing private key to the key chain
 if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
    # write private key to disk and then import it into the keychain
    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
    exitcode2=$?
    if [ -n "$out2" ]; then
      if [ $exitcode2 -eq 0 ]; then
          echo "$out2"
      else
          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
              echo "$out2" >&2
              exit $exitcode2
          fi
      fi
    fi
    rm ${INSTALLER_PRIV}
  fi
 fi
 # Add package signing certificate to the key chain
 if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
  out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
  exitcode3=$?
  if [ -n "$out3" ]; then
    if [ $exitcode3 -eq 0 ]; then
        echo "$out3"
    else
        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
            echo "$out3" >&2
            exit $exitcode3
        else 
            echo "already imported installer certificate"
        fi
    fi
  fi
  rm ${INSTALLER_CERT}
 fi
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
 # notarize the binary
 # TODO: https://jira.cfdata.org/browse/TUN-5789
 fi
 # creating build directory
 rm -rf $TARGET_DIRECTORY
 mkdir "${TARGET_DIRECTORY}"
 mkdir "${TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${TARGET_DIRECTORY}/scripts \
      --root ${TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      # TODO: https://jira.cfdata.org/browse/TUN-5789
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${TARGET_DIRECTORY}/scripts \
      --root ${TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleaning up the build directory
 rm -rf $TARGET_DIRECTORY
--- a/.teamcity/package-windows.sh
+++ b/.teamcity/package-windows.sh
@ -1,17 +0,0 @@
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=built_artifacts/
 mkdir -p $ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    # Copy exe into final directory
    cp ./artifacts/cloudflared-windows-$arch.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe
    cp ./artifacts/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $ARTIFACT_DIR/cloudflared-windows-$arch.msi
 done
--- a/.teamcity/update-homebrew-core.sh
+++ b/.teamcity/update-homebrew-core.sh
@ -1,26 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 if ! VERSION="$(git describe --tags --exact-match 2>/dev/null)" ; then
    echo "Skipping public release for an untagged commit."
    echo "##teamcity[buildStatus status='SUCCESS' text='Skipped due to lack of tag']"
    exit 0
 fi
 if [[ "${HOMEBREW_GITHUB_API_TOKEN:-}" == "" ]] ; then
    echo "Missing GITHUB_API_TOKEN"
    exit 1
 fi
 # "install" Homebrew
 git clone https://github.com/Homebrew/brew tmp/homebrew
 eval "$(tmp/homebrew/bin/brew shellenv)"
 brew update --force --quiet
 chmod -R go-w "$(brew --prefix)/share/zsh"
 git config --global user.name "cloudflare-warp-bot"
 git config --global user.email "warp-bot@cloudflare.com"
 # bump formula pr
 brew bump-formula-pr cloudflared --version="$VERSION" --no-browse --no-audit
--- a/.teamcity/update-homebrew.sh
+++ b/.teamcity/update-homebrew.sh
@ -1,66 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 FILENAME="${PWD}/artifacts/cloudflared-darwin-amd64.tgz"
 if ! VERSION="$(git describe --tags --exact-match 2>/dev/null)" ; then
    echo "Skipping public release for an untagged commit."
    echo "##teamcity[buildStatus status='SUCCESS' text='Skipped due to lack of tag']"
    exit 0
 fi
 if [[ ! -f "$FILENAME" ]] ; then
    echo "Missing $FILENAME"
    exit 1
 fi
 if [[ "${GITHUB_PRIVATE_KEY_B64:-}" == "" ]] ; then
    echo "Missing GITHUB_PRIVATE_KEY_B64"
    exit 1
 fi
 # upload to s3 bucket for use by Homebrew formula
 s3cmd \
    --acl-public --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
    put "$FILENAME" "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz"
 s3cmd \
    --acl-public --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
    cp "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz" "s3://cftunnel-docs/dl/cloudflared-stable-darwin-amd64.tgz"
 SHA256=$(sha256sum "$FILENAME" | cut -b1-64)
 # set up git (note that UserKnownHostsFile is an absolute path so we can cd wherever)
 mkdir -p tmp
 ssh-keyscan -t rsa github.com > tmp/github.txt
 echo "$GITHUB_PRIVATE_KEY_B64" | base64 --decode > tmp/private.key
 chmod 0400 tmp/private.key
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PWD/tmp/github.txt -i $PWD/tmp/private.key -o IdentitiesOnly=yes"
 # clone Homebrew repo into tmp/homebrew-cloudflare
 git clone git@github.com:cloudflare/homebrew-cloudflare.git tmp/homebrew-cloudflare    
 cd tmp/homebrew-cloudflare
 git checkout -f master
 git reset --hard origin/master
 # modify cloudflared.rb
 URL="https://packages.argotunnel.com/dl/cloudflared-$VERSION-darwin-amd64.tgz"
 tee cloudflared.rb <<EOF
 class Cloudflared < Formula
  desc 'Cloudflare Tunnel'
  homepage 'https://developers.cloudflare.com/cloudflare-one/connections/connect-apps'
  url '$URL'
  sha256 '$SHA256'
  version '$VERSION'
  def install
    bin.install 'cloudflared'
  end
 end
 EOF
 # push cloudflared.rb
 git add cloudflared.rb
 git diff
 git config user.name "cloudflare-warp-bot"
 git config user.email "warp-bot@cloudflare.com"
 git commit -m "Release Cloudflare Tunnel $VERSION"
 git push -v origin master
--- a/.vulnignore
+++ b/.vulnignore
@ -0,0 +1,3 @@
 # Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
 # You can also add comments on the same line after the ID.
 GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,3 +1,30 @@
 ## 2025.7.1
 ### Notices
 - `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
 ## 2025.1.1
 ### New Features
 - This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.
 ## 2024.12.2
 ### New Features
 - This release introduces the ability to collect troubleshooting information from one instance of cloudflared running on the local machine. The command can be executed as `cloudflared tunnel diag`.
 ## 2024.12.1
 ### Notices
 - The use of the `--metrics` is still honoured meaning that if this flag is set the metrics server will try to bind it, however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case of all ports being unavailable then the fallback is to bind to a random port.
 ## 2024.10.0
 ### Bug Fixes
 - We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
 ## 2024.2.1
 ### Notices
 - Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
 ## 2023.9.0
 ### Notices
 - The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.
 ## 2023.7.0
 ### New Features
 - You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
--- a/21
+++ b/21
@ -1,11 +1,15 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.19 as builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+  CGO_ENABLED=0 \
-    TARGET_GOOS=${TARGET_GOOS} \
+  TARGET_GOOS=${TARGET_GOOS} \
-    TARGET_GOARCH=${TARGET_GOARCH}
+  TARGET_GOARCH=${TARGET_GOARCH} \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
@ -16,15 +20,18 @@ COPY . .
 RUN make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot
+FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -1,7 +1,10 @@
 # use a builder image for building cloudflare
-FROM golang:1.19 as builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 
+  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1 
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
@ -12,15 +15,18 @@ COPY . .
 RUN GOOS=linux GOARCH=amd64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot
+FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -1,7 +1,10 @@
 # use a builder image for building cloudflare
-FROM golang:1.19 as builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 
+  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
@ -12,15 +15,18 @@ COPY . .
 RUN GOOS=linux GOARCH=arm64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot-arm64
+FROM gcr.io/distroless/base-debian12:nonroot-arm64
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/150
+++ b/150
@ -1,3 +1,6 @@
 # The targets cannot be run in parallel
 .NOTPARALLEL:
 VERSION       := $(shell git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 MSI_VERSION   := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
 #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
@ -21,12 +24,22 @@ else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
-DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
+# Use git in windows since we don't have access to the `date` tool
 ifeq ($(TARGET_OS), windows)
 	DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
 else
 	DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
 endif
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif
 ifdef CONTAINER_BUILD
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
 endif
 LINK_FLAGS :=
 ifeq ($(FIPS), true)
 	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
@ -57,6 +70,8 @@ else ifeq ($(LOCAL_ARCH),x86_64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),amd64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),386)
    TARGET_ARCH ?= 386
 else ifeq ($(LOCAL_ARCH),i686)
    TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
@ -113,6 +128,8 @@ endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 GO_TEST_LOG_OUTPUT = /tmp/gotest.log
 .PHONY: all
 all: cloudflared test
@ -120,15 +137,17 @@ all: cloudflared test
 clean:
 	go clean
 .PHONY: vulncheck
 vulncheck:
 	@./.ci/scripts/vuln-check.sh
 .PHONY: cloudflared
 cloudflared:
 ifeq ($(FIPS), true)
 	$(info Building cloudflared with go-fips)
 	cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
 endif
-	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -v -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
+	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
 ifeq ($(FIPS), true)
 	rm -f cmd/cloudflared/fips.go
 	./check-fips.sh cloudflared
 endif
@ -143,11 +162,9 @@ generate-docker-version:
 .PHONY: test
 test: vet
-ifndef CI
+	$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
-	go test -v -mod=vendor -race $(LDFLAGS) ./...
+ifneq ($(FIPS), true)
-else
+	@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
 	@mkdir -p .cover
 	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
 endif
 .PHONY: cover
@ -160,9 +177,17 @@ cover:
 	# Generate the HTML report that can be viewed from the browser in CI.
 	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
-.PHONY: test-ssh-server
+.PHONY: fuzz
-test-ssh-server:
+fuzz:
-	docker-compose -f ssh_server_tests/docker-compose.yml up
+	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
 	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
 cloudflared.1: cloudflared_man_template
 	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
@ -196,72 +221,71 @@ cloudflared-deb: cloudflared cloudflared.1
 cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)
 .PHONY: cloudflared-pkg
 cloudflared-pkg: cloudflared cloudflared.1
 	$(call build_package,osxpkg)
 .PHONY: cloudflared-msi
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
-.PHONY: cloudflared-darwin-amd64.tgz
+.PHONY: github-release-dryrun
-cloudflared-darwin-amd64.tgz: cloudflared
+github-release-dryrun:
-	tar czf cloudflared-darwin-amd64.tgz cloudflared
+	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run
 	rm cloudflared
 .PHONY: homebrew-upload
 homebrew-upload: cloudflared-darwin-amd64.tgz
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $$^ $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz  $(S3_URI)/cloudflared-stable-$1.tgz
 .PHONY: homebrew-release
 homebrew-release: homebrew-upload
 	./publish-homebrew-formula.sh cloudflared-darwin-amd64.tgz $(VERSION) homebrew-cloudflare
 .PHONY: github-release
-github-release: cloudflared
+github-release:
-	python3 github_release.py --path $(EXECUTABLE_PATH) --release-version $(VERSION)
+	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
 .PHONY: github-release-built-pkgs
 github-release-built-pkgs:
 	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
 .PHONY: release-pkgs-linux
 release-pkgs-linux:
 	python3 ./release_pkgs.py
 .PHONY: github-message
 github-message:
 	python3 github_message.py --release-version $(VERSION)
-.PHONY: github-mac-upload
+.PHONY: r2-linux-release
-github-mac-upload:
+r2-linux-release:
-	python3 github_release.py --path artifacts/cloudflared-darwin-amd64.tgz --release-version $(VERSION) --name cloudflared-darwin-amd64.tgz
+	python3 ./release_pkgs.py
 	python3 github_release.py --path artifacts/cloudflared-amd64.pkg --release-version $(VERSION) --name cloudflared-amd64.pkg
-.PHONY: github-windows-upload
+.PHONY: r2-next-linux-release
-github-windows-upload:
+# Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
-	python3 github_release.py --path built_artifacts/cloudflared-windows-amd64.exe --release-version $(VERSION) --name cloudflared-windows-amd64.exe
+r2-next-linux-release:
-	python3 github_release.py --path built_artifacts/cloudflared-windows-amd64.msi --release-version $(VERSION) --name cloudflared-windows-amd64.msi
+	python3 ./release_pkgs.py --upload-repo-file
 	python3 github_release.py --path built_artifacts/cloudflared-windows-386.exe --release-version $(VERSION) --name cloudflared-windows-386.exe
 	python3 github_release.py --path built_artifacts/cloudflared-windows-386.msi --release-version $(VERSION) --name cloudflared-windows-386.msi
-.PHONY: tunnelrpc-deps
+.PHONY: capnp
-tunnelrpc-deps:
+capnp:
 	which capnp  # https://capnproto.org/install.html
 	which capnpc-go  # go install zombiezen.com/go/capnproto2/capnpc-go@latest
-	capnp compile -ogo tunnelrpc/tunnelrpc.capnp
+	capnp compile -ogo tunnelrpc/proto/tunnelrpc.capnp tunnelrpc/proto/quic_metadata_protocol.capnp
 .PHONY: quic-deps
 quic-deps:
 	which capnp
 	which capnpc-go
 	capnp compile -ogo quic/schema/quic_metadata_protocol.capnp
 .PHONY: vet
 vet:
-	go vet -v -mod=vendor github.com/cloudflare/cloudflared/...
+	$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...
 .PHONY: fmt
 fmt:
-	goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc)
+	@goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
 	@go fmt $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
 .PHONY: fmt-check
 fmt-check:
 	@./.ci/scripts/fmt-check.sh
 .PHONY: lint
 lint:
 	@golangci-lint run
 .PHONY: mocks
 mocks:
 	go generate mocks/mockgen.go
 .PHONY: ci-build
 ci-build:
 	@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-fips-build
 ci-fips-build:
 	@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-test
 ci-test: fmt-check lint test
 	@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
 .PHONY: ci-fips-test
 ci-fips-test:
 	@FIPS=true $(MAKE) ci-test
--- a/README.md
+++ b/README.md
@ -3,14 +3,14 @@
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
-Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
-You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
@ -19,43 +19,64 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
-1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
+1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
-2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
+2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
 ## Installing `cloudflared`
 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
-* Build from source with the [instructions here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#build-from-source)
+* To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
-User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
 ## Creating Tunnels and routing traffic
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
 * Route traffic to that Tunnel:
-  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
-  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
-  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
 ## TryCloudflare
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
 ## Deprecated versions
-Cloudflare currently supports versions of `cloudflared` 2020.5.1 and later. Breaking changes unrelated to feature availability may be introduced that will impact versions released prior to 2020.5.1. You can read more about upgrading `cloudflared` in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#updating-cloudflared).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
-| Version(s) | Deprecation status |
+For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
-|---|---|
+
-| 2020.5.1 and later | Supported |
+## Development
-| Versions prior to 2020.5.1 | No longer supported |
+
 ### Requirements
 - [GNU Make](https://www.gnu.org/software/make/)
 - [capnp](https://capnproto.org/install.html)
 - [go >= 1.24](https://go.dev/doc/install)
 - Optional tools:
  - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
  - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
  - [golangci-lint](https://github.com/golangci/golangci-lint)
  - [gomocks](https://pkg.go.dev/go.uber.org/mock)
 ### Build
 To build cloudflared locally run `make cloudflared`
 ### Test
 To locally run the tests run `make test`
 ### Linting
 To format the code and keep a good code quality use `make fmt` and `make lint`
 ### Mocks
 After changes on interfaces you might need to regenerate the mocks, so run `make mock`
--- a/381
+++ b/381
@ -1,3 +1,384 @@
 2025.11.1
 - 2025-11-07 TUN-9800: Fix docker hub push step
 2025.11.0
 - 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
 - 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
 - 2025-11-04 chore: Update cloudflared signing key name in index.html
 - 2025-10-31 chore: add claude review
 - 2025-10-31 Chore: Update documentation links in README
 - 2025-10-31 TUN-9800: Add pipelines for linux packaging
 2025.10.1
 - 2025-10-30 chore: Update ci image to use goboring 1.24.9
 - 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
 - 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
 - 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
 - 2025-10-23 Fix systemd service installation hanging
 - 2025-10-21 TUN-9941: Use new GPG key for RPM builds
 - 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
 - 2025-10-21 TUN-9941: Lookup correct key for RPM signature
 - 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
 - 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
 2025.10.0
 - 2025-10-14 chore: Fix upload of RPM repo file during double signing
 - 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
 - 2025-10-10 chore: Fix import of GPG keys when two keys are provided
 - 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
 - 2025-10-10 TUN-9883: Add new datagram v3 feature flag
 - 2025-10-09 chore: Force usage of go-boring 1.24
 - 2025-10-08 TUN-9882: Improve metrics for datagram v3
 - 2025-10-07 GRC-16749: Add fedramp tags to catalog
 - 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
 - 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
 - 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
 - 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
 2025.9.1
 - 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
 - 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
 2025.9.0
 - 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
 - 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
 - 2025-09-04 TUN-9803: Add windows builds to gitlab-ci
 - 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
 2025.8.1
 - 2025-08-19 AUTH-7480 update fed callback url for login helper
 - 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers
 - 2025-08-12 AUTH-7260: Add support for login interstitial auto closure
 2025.8.0
 - 2025-08-07 vuln: Fix GO-2025-3770 vulnerability
 - 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command
 - 2025-07-07 TUN-9542: Remove unsupported Debian-based releases
 2025.7.0
 - 2025-07-03 TUN-9540: Use numeric user id for Dockerfiles
 - 2025-07-01 TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences
 - 2025-07-01 TUN-9531: Bump go-boring from 1.24.2 to 1.24.4
 - 2025-07-01 TUN-9511: Add metrics for virtual DNS origin
 - 2025-06-30 TUN-9470: Add OriginDialerService to include TCP
 - 2025-06-30 TUN-9473: Add --dns-resolver-addrs flag
 - 2025-06-27 TUN-9472: Add virtual DNS service
 - 2025-06-23 TUN-9469: Centralize UDP origin proxy dialing as ingress service
 2025.6.1
 - 2025-06-16 TUN-9467: add vulncheck to cloudflared
 - 2025-06-16 TUN-9495: Remove references to cloudflare-go
 - 2025-06-16 TUN-9371: Add logging format as JSON
 - 2025-06-12 TUN-9467: bump coredns to solve CVE
 2025.6.0
 - 2025-06-06 TUN-9016: update go to 1.24
 - 2025-06-05 TUN-9171: Use `is_default_network` instead of `is_default` to create vnet's
 2025.5.0
 - 2025-05-14 TUN-9319: Add dynamic loading of features to connections via ConnectionOptionsSnapshot
 - 2025-05-13 TUN-9322: Add metric for unsupported RPC commands for datagram v3
 - 2025-05-07 TUN-9291: Remove dynamic reloading of features for datagram v3
 2025.4.2
 - 2025-04-30 chore: Do not use gitlab merge request pipelines
 - 2025-04-30 DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds
 - 2025-04-24 TUN-9255: Improve flush on write conditions in http2 tunnel type to match what is done on the edge
 - 2025-04-10 SDLC-3727 - Adding FIPS status to backstage
 2025.4.0
 - 2025-04-02 Fix broken links in `cmd/cloudflared/*.go` related to running tunnel as a service
 - 2025-04-02 chore: remove repetitive words
 - 2025-04-01 Fix messages to point to one.dash.cloudflare.com
 - 2025-04-01 feat: emit explicit errors for the `service` command on unsupported OSes
 - 2025-04-01 Use RELEASE_NOTES date instead of build date
 - 2025-04-01 chore: Update tunnel configuration link in the readme
 - 2025-04-01 fix: expand home directory for credentials file
 - 2025-04-01 fix: Use path and filepath operation appropriately
 - 2025-04-01 feat: Adds a new command line for tunnel run for token file
 - 2025-04-01 chore: fix linter rules
 - 2025-03-17 TUN-9101: Don't ignore errors on `cloudflared access ssh`
 - 2025-03-06 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23
 2025.2.1
 - 2025-02-26 TUN-9016: update base-debian to v12
 - 2025-02-25 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint
 - 2025-02-25 TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field
 - 2025-02-13 SDLC-3762: Remove backstage.io/source-location from catalog-info.yaml
 - 2025-02-06 TUN-8914: Create a flags module to group all cloudflared cli flags
 2025.2.0
 - 2025-02-03 TUN-8914: Add a new configuration to locally override the max-active-flows
 - 2025-02-03 Bump x/crypto to 0.31.0
 2025.1.1
 - 2025-01-30 TUN-8858: update go to 1.22.10 and include quic-go FIPS changes
 - 2025-01-30 TUN-8855: fix lint issues
 - 2025-01-30 TUN-8855: Update PQ curve preferences
 - 2025-01-30 TUN-8857: remove restriction for using FIPS and PQ
 - 2025-01-30 TUN-8894: report FIPS+PQ error to Sentry when dialling to the edge
 - 2025-01-22 TUN-8904: Rename Connect Response Flow Rate Limited metadata
 - 2025-01-21 AUTH-6633 Fix cloudflared access login + warp as auth
 - 2025-01-20 TUN-8861: Add session limiter to UDP session manager
 - 2025-01-20 TUN-8861: Rename Session Limiter to Flow Limiter
 - 2025-01-17 TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline
 - 2025-01-17 TUN-8871: Accept login flag to authenticate with Fedramp environment
 - 2025-01-16 TUN-8866: Add linter to cloudflared repository
 - 2025-01-14 TUN-8861: Add session limiter to TCP session manager
 - 2025-01-13 TUN-8861: Add configuration for active sessions limiter
 - 2025-01-09 TUN-8848: Don't treat connection shutdown as an error condition when RPC server is done
 2025.1.0
 - 2025-01-06 TUN-8842: Add Ubuntu Noble and 'any' debian distributions to release script
 - 2025-01-06 TUN-8807: Add support_datagram_v3 to remote feature rollout
 - 2024-12-20 TUN-8829: add CONTAINER_BUILD to dockerfiles
 2024.12.2
 - 2024-12-19 TUN-8822: Prevent concurrent usage of ICMPDecoder
 - 2024-12-18 TUN-8818: update changes document to reflect newly added diag subcommand
 - 2024-12-17 TUN-8817: Increase close session channel by one since there are two writers
 - 2024-12-13 TUN-8797: update CHANGES.md with note about semi-deterministic approach used to bind metrics server
 - 2024-12-13 TUN-8724: Add CLI command for diagnostic procedure
 - 2024-12-11 TUN-8786: calculate cli flags once for the diagnostic procedure
 - 2024-12-11 TUN-8792: Make diag/system endpoint always return a JSON
 - 2024-12-10 TUN-8783: fix log collectors for the diagnostic procedure
 - 2024-12-10 TUN-8785: include the icmp sources in the diag's tunnel state
 - 2024-12-10 TUN-8784: Set JSON encoder options to print formatted JSON when writing diag files
 2024.12.1
 - 2024-12-10 TUN-8795: update createrepo to createrepo_c to fix the release_pkgs.py script
 2024.12.0
 - 2024-12-09 TUN-8640: Add ICMP support for datagram V3
 - 2024-12-09 TUN-8789: make python package installation consistent
 - 2024-12-06 TUN-8781: Add Trixie, drop Buster. Default to Bookworm
 - 2024-12-05 TUN-8775: Make sure the session Close can only be called once
 - 2024-12-04 TUN-8725: implement diagnostic procedure
 - 2024-12-04 TUN-8767: include raw output from network collector in diagnostic zipfile
 - 2024-12-04 TUN-8770: add cli configuration and tunnel configuration to diagnostic zipfile
 - 2024-12-04 TUN-8768: add job report to diagnostic zipfile
 - 2024-12-03 TUN-8726: implement compression routine to be used in diagnostic procedure
 - 2024-12-03 TUN-8732: implement port selection algorithm
 - 2024-12-03 TUN-8762: fix argument order when invoking tracert and modify network info output parsing.
 - 2024-12-03 TUN-8769: fix k8s log collector arguments
 - 2024-12-03 TUN-8727: extend client to include function to get cli configuration and tunnel configuration
 - 2024-11-29 TUN-8729: implement network collection for diagnostic procedure
 - 2024-11-29 TUN-8727: implement metrics, runtime, system, and tunnelstate in diagnostic http client
 - 2024-11-27 TUN-8733: add log collection for docker
 - 2024-11-27 TUN-8734: add log collection for kubernetes
 - 2024-11-27 TUN-8640: Refactor ICMPRouter to support new ICMPResponders
 - 2024-11-26 TUN-8735: add managed/local log collection
 - 2024-11-25 TUN-8728: implement diag/tunnel endpoint
 - 2024-11-25 TUN-8730: implement diag/configuration
 - 2024-11-22 TUN-8737: update metrics server port selection
 - 2024-11-22 TUN-8731: Implement diag/system endpoint
 - 2024-11-21 TUN-8748: Migrated datagram V3 flows to use migrated context
 2024.11.1
 - 2024-11-18 Add cloudflared tunnel ready command
 - 2024-11-14 Make metrics a requirement for tunnel ready command
 - 2024-11-12 TUN-8701:  Simplify flow registration logs for datagram v3
 - 2024-11-11 add: new go-fuzz targets
 - 2024-11-07 TUN-8701: Add metrics and adjust logs for datagram v3
 - 2024-11-06 TUN-8709: Add session migration for datagram v3
 - 2024-11-04 Fixed 404 in README.md to TryCloudflare
 - 2024-09-24 Update semgrep.yml
 2024.11.0
 - 2024-11-05 VULN-66059: remove ssh server tests
 - 2024-11-04 TUN-8700: Add datagram v3 muxer
 - 2024-11-04 TUN-8646: Allow experimental feature support for datagram v3
 - 2024-11-04 TUN-8641: Expose methods to simplify V3 Datagram parsing on the edge
 - 2024-10-31 TUN-8708: Bump python min version to 3.10
 - 2024-10-31 TUN-8667: Add datagram v3 session manager
 - 2024-10-25 TUN-8692: remove dashes from session id
 - 2024-10-24 TUN-8694: Rework release script
 - 2024-10-24 TUN-8661: Refactor connection methods to support future different datagram muxing methods
 - 2024-07-22 TUN-8553: Bump go to 1.22.5 and go-boring 1.22.5-1
 2024.10.1
 - 2024-10-23 TUN-8694: Fix github release script
 - 2024-10-21 Revert "TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport"
 - 2024-10-18 TUN-8688: Correct UDP bind for IPv6 edge connectivity on macOS
 - 2024-10-17 TUN-8685: Bump coredns dependency
 - 2024-10-16 TUN-8638: Add datagram v3 serializers and deserializers
 - 2024-10-15 chore: Remove h2mux code
 - 2024-10-11 TUN-8631: Abort release on version mismatch
 2024.10.0
 - 2024-10-01 TUN-8646: Add datagram v3 support feature flag
 - 2024-09-30 TUN-8621: Fix cloudflared version in change notes to account for release date
 - 2024-09-19 Adding semgrep yaml file
 - 2024-09-12 TUN-8632: Delay checking auto-update by the provided frequency
 - 2024-09-11 TUN-8630: Check checksum of downloaded binary to compare to current for auto-updating
 - 2024-09-09 TUN-8629: Cloudflared update on Windows requires running it twice to update
 - 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
 - 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
 - 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
 - 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
 2024.9.1
 - 2024-09-10 Revert Release 2024.9.0
 2024.9.0
 - 2024-09-10 TUN-8621: Fix cloudflared version in change notes.
 - 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
 - 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
 - 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
 - 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
 2024.8.3
 - 2024-08-15 TUN-8591 login command without extra text
 - 2024-03-25 remove code that will not be executed
 - 2024-03-25 remove code that will not be executed
 2024.8.2
 - 2024-08-05 TUN-8583: change final directory of artifacts
 - 2024-08-05 TUN-8585: Avoid creating GH client when dry-run is true
 2024.7.3
 - 2024-07-31 TUN-8546: Fix final artifacts paths
 2024.7.2
 - 2024-07-17 TUN-8546: rework MacOS build script
 2024.7.1
 - 2024-07-16 TUN-8543: use -p flag to create intermediate directories
 2024.7.0
 - 2024-07-05 TUN-8520: add macos arm64 build
 - 2024-07-05 TUN-8523: refactor makefile and cfsetup
 - 2024-07-02 TUN-8504: Use pre-installed python version instead of downloading it on Windows builds
 - 2024-06-26 TUN-8489: Add default noop logger for capnprpc
 - 2024-06-25 TUN-8487: Add user-agent for quick-tunnel requests
 - 2023-12-12 TUN-8057: cloudflared uses new PQ curve ID
 2024.6.1
 - 2024-06-12 TUN-8461: Don't log Failed to send session payload if the error is EOF
 - 2024-06-07 TUN-8456: Update quic-go to 0.45 and collect mtu and congestion control metrics
 - 2024-06-06 TUN-8452: Add flag to control QUIC stream-level flow control limit
 - 2024-06-06 TUN-8451: Log QUIC flow control frames and transport parameters received
 - 2024-06-05 TUN-8449: Add flag to control QUIC connection-level flow control limit and increase default to 30MB
 2024.6.0
 - 2024-05-30 TUN-8441: Correct UDP total sessions metric to a counter and add new ICMP metrics
 - 2024-05-28 TUN-8422: Add metrics for capnp method calls
 - 2024-05-24 TUN-8424: Refactor capnp registration server
 - 2024-05-23 TUN-8427: Fix BackoffHandler's internally shared clock structure
 - 2024-05-21 TUN-8425: Remove ICMP binding for quick tunnels
 - 2024-05-20 TUN-8423: Deprecate older legacy tunnel capnp interfaces
 - 2024-05-15 TUN-8419: Add capnp safe transport
 - 2024-05-13 TUN-8415: Refactor capnp rpc into a single module
 2024.5.0
 - 2024-05-07 TUN-8407: Upgrade go to version 1.22.2
 2024.4.1
 - 2024-04-22 TUN-8380: Add sleep before requesting quick tunnel as temporary fix for component tests
 - 2024-04-19 TUN-8374: Close UDP socket if registration fails
 - 2024-04-18 TUN-8371: Bump quic-go to v0.42.0
 - 2024-04-03 TUN-8333: Bump go-jose dependency to v4
 - 2024-04-02 TUN-8331: Add unit testing for AccessJWTValidator middleware
 2024.4.0
 - 2024-04-02 feat: provide short version (#1206)
 - 2024-04-02 Format code
 - 2024-01-18 feat: auto tls sni
 - 2023-12-24 fix checkInPingGroup bugs
 - 2023-12-15 Add environment variables for TCP tunnel hostname / destination / URL.
 2024.3.0
 - 2024-03-14 TUN-8281: Run cloudflared query list tunnels/routes endpoint in a paginated way
 - 2024-03-13 TUN-8297: Improve write timeout logging on safe_stream.go
 - 2024-03-07 TUN-8290: Remove `|| true` from postrm.sh
 - 2024-03-05 TUN-8275: Skip write timeout log on "no network activity"
 - 2024-01-23 Update postrm.sh to fix incomplete uninstall
 - 2024-01-05 fix typo in errcheck for response parsing logic in CreateTunnel routine
 - 2023-12-23 Update linux_service.go
 - 2023-12-07 ci: bump actions/checkout to v4
 - 2023-12-07 ci/check: bump actions/setup-go to v5
 - 2023-04-28 check.yaml: bump actions/setup-go to v4
 2024.2.1
 - 2024-02-20 TUN-8242: Update Changes.md file with new remote diagnostics behaviour
 - 2024-02-19 TUN-8238: Fix type mismatch introduced by fast-forward
 - 2024-02-16 TUN-8243: Collect metrics on the number of QUIC frames sent/received
 - 2024-02-15 TUN-8238: Refactor proxy logging
 - 2024-02-14 TUN-8242: Enable remote diagnostics by default
 - 2024-02-12 TUN-8236: Add write timeout to quic and tcp connections
 - 2024-02-09 TUN-8224: Fix safety of TCP stream logging, separate connect and ack log messages
 2024.2.0
 - 2024-02-07 TUN-8224: Count and collect metrics on stream connect successes/errors
 2024.1.5
 - 2024-01-22 TUN-8176: Support ARM platforms that don't have an FPU or have it enabled in kernel
 - 2024-01-15 TUN-8158: Bring back commit e6537418859afcac29e56a39daa08bcabc09e048 and fixes infinite loop on linux when the socket is closed
 2024.1.4
 - 2024-01-19 Revert "TUN-8158: Add logging to confirm when ICMP reply is returned to the edge"
 2024.1.3
 - 2024-01-15 TUN-8161: Fix broken ARM build for armv6
 - 2024-01-15 TUN-8158: Add logging to confirm when ICMP reply is returned to the edge
 2024.1.2
 - 2024-01-11 TUN-8147: Disable ECN usage due to bugs in detecting if supported
 - 2024-01-11 TUN-8146: Fix export path for install-go command
 - 2024-01-11 TUN-8146: Fix Makefile targets should not be run in parallel and install-go script was missing shebang
 - 2024-01-10 TUN-8140: Remove homebrew scripts
 2024.1.1
 - 2024-01-10 TUN-8134: Revert installed prefix to /usr
 - 2024-01-09 TUN-8130: Fix path to install go for mac build
 - 2024-01-09 TUN-8129: Use the same build command between branch and release builds
 - 2024-01-09 TUN-8130: Install go tool chain in /tmp on build agents
 - 2024-01-09 TUN-8134: Install cloudflare go as part of make install
 - 2024-01-08 TUN-8118: Disable FIPS module to build with go-boring without CGO_ENABLED
 2024.1.0
 - 2024-01-01 TUN-7934: Update quic-go to a version that queues datagrams for better throughput and drops large datagram
 - 2023-12-20 TUN-8072: Need to set GOCACHE in mac go installation script
 - 2023-12-17 TUN-8072: Add script to download cloudflare go for Mac build agents
 - 2023-12-15 Fix nil pointer dereference segfault when passing "null" config json to cloudflared tunnel ingress validate (#1070)
 - 2023-12-15 configuration.go: fix developerPortal link (#960)
 - 2023-12-14 tunnelrpc/pogs: fix dropped test errors (#1106)
 - 2023-12-14 cmd/cloudflared/updater: fix dropped error (#1055)
 - 2023-12-14 use os.Executable to discover the path to cloudflared (#1040)
 - 2023-12-14 Remove extraneous `period` from Path Environment Variable (#1009)
 - 2023-12-14 Use CLI context when running tunnel (#597)
 - 2023-12-14 TUN-8066: Define scripts to build on Windows agents
 - 2023-12-11 TUN-8052: Update go to 1.21.5
 - 2023-12-07 TUN-7970: Default to enable post quantum encryption for quic transport
 - 2023-12-04 TUN-8006: Update quic-go to latest upstream
 - 2023-11-15 VULN-44842 Add a flag that allows users to not send the Access JWT to stdout
 - 2023-11-13 TUN-7965: Remove legacy incident status page check
 - 2023-11-13 AUTH-5682 Org token flow in Access logins should pass CF_AppSession cookie
 2023.10.0
 - 2023-10-06 TUN-7864: Document cloudflared versions support
 - 2023-10-03 CUSTESC-33731: Make rule match test report rule in 0-index base
 - 2023-09-22 TUN-7824: Fix usage of systemctl status to detect which services are installed
 - 2023-09-20 TUN-7813: Improve tunnel delete command to use cascade delete
 - 2023-09-20 TUN-7787: cloudflared only list ip routes targeted for cfd_tunnel
 - 2023-09-15 TUN-7787: Refactor cloudflared to use new route endpoints based on route IDs
 - 2023-09-08 TUN-7776: Remove warp-routing flag from cloudflared
 - 2023-09-05 TUN-7756: Clarify that QUIC is mandatory to support ICMP proxying
 2023.8.2
 - 2023-08-25 TUN-7700: Implement feature selector to determine if connections will prefer post quantum cryptography
 - 2023-08-22 TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled
 2023.8.1
 - 2023-08-23 TUN-7718: Update R2 Token to no longer encode secret
 2023.8.0
 - 2023-07-26 TUN-7584: Bump go 1.20.6
 2023.7.3
 - 2023-07-25 TUN-7628: Correct Host parsing for Access
 - 2023-07-24 TUN-7624: Fix flaky TestBackoffGracePeriod test in cloudflared
 2023.7.2
 - 2023-07-19 TUN-7599: Onboard cloudflared to Software Dashboard
 - 2023-07-19 TUN-7587: Remove junos builds
--- a/build-packages.sh
+++ b/build-packages.sh
@ -1,40 +0,0 @@
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Avoid depending on C code since we don't need it.
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=built_artifacts/
 mkdir -p $ARTIFACT_DIR
 linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
 export TARGET_OS=linux
 for arch in ${linuxArchs[@]}; do
    unset TARGET_ARM
    export TARGET_ARCH=$arch
    ## Support for armhf builds 
    if [[ $arch == armhf ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=7 
    fi
    make cloudflared-deb
    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
    # rpm packages invert the - and _ and use x86_64 instead of amd64.
    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
    RPMARCH=$arch
    if [ $arch == "amd64" ];then
        RPMARCH="x86_64"
    fi
    if [ $arch == "arm64" ]; then
        RPMARCH="aarch64"
    fi
    make cloudflared-rpm
    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
    # finally move the linux binary as well.
    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -26,11 +26,13 @@ const (
 )
 type StartOptions struct {
-	AppInfo         *token.AppInfo
+	AppInfo               *token.AppInfo
-	OriginURL       string
+	OriginURL             string
-	Headers         http.Header
+	Headers               http.Header
-	Host            string
+	Host                  string
-	TLSClientConfig *tls.Config
+	TLSClientConfig       *tls.Config
 	AutoCloseInterstitial bool
 	IsFedramp             bool
 }
 // Connection wraps up all the needed functions to forward over the tunnel
@ -46,7 +48,6 @@ type StdinoutStream struct{}
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
 	return os.Stdin.Read(p)
 }
 // Write will write to Stdout
@ -139,7 +140,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 		return nil, err
 	}
-	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
+	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)
 	if err != nil {
 		return nil, err
 	}
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -4,7 +4,6 @@ metadata:
  name: cloudflared
  description: Client for Cloudflare Tunnels
  annotations:
    backstage.io/source-location: url:https://bitbucket.cfdata.org/projects/TUN/repos/cloudflared/browse
    cloudflare.com/software-excellence-opt-in: "true"
    cloudflare.com/jira-project-key: "TUN"
    cloudflare.com/jira-project-component: "Cloudflare Tunnel"
@ -14,3 +13,8 @@ spec:
  type: "service"
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
  cf:
    compliance:
      fedramp-high: "pending"
      fedramp-moderate: "yes"
    FIPS: "required"
--- a/cfapi/base_client.go
+++ b/cfapi/base_client.go
@ -109,20 +109,34 @@ func (r *RESTClient) sendRequest(method string, url url.URL, body interface{}) (
 	return r.client.Do(req)
 }
-func parseResponse(reader io.Reader, data interface{}) error {
+func parseResponseEnvelope(reader io.Reader) (*response, error) {
 	// Schema for Tunnelstore responses in the v1 API.
 	// Roughly, it's a wrapper around a particular result that adds failures/errors/etc
 	var result response
 	// First, parse the wrapper and check the API call succeeded
 	if err := json.NewDecoder(reader).Decode(&result); err != nil {
-		return errors.Wrap(err, "failed to decode response")
+		return nil, errors.Wrap(err, "failed to decode response")
 	}
 	if err := result.checkErrors(); err != nil {
-		return err
+		return nil, err
 	}
 	if !result.Success {
-		return ErrAPINoSuccess
+		return nil, ErrAPINoSuccess
 	}
 	return &result, nil
 }
 func parseResponse(reader io.Reader, data interface{}) error {
 	result, err := parseResponseEnvelope(reader)
 	if err != nil {
 		return err
 	}
 	return parseResponseBody(result, data)
 }
 func parseResponseBody(result *response, data interface{}) error {
 	// At this point we know the API call succeeded, so, parse out the inner
 	// result into the datatype provided as a parameter.
 	if err := json.Unmarshal(result.Result, &data); err != nil {
@ -131,11 +145,58 @@ func parseResponse(reader io.Reader, data interface{}) error {
 	return nil
 }
 func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T, error) {
 	page := 0
 	var fullResponse []*T
 	for {
 		page += 1
 		envelope, parsedBody, err := fetchPage[T](requestFn, page)
 		if err != nil {
 			return nil, errors.Wrap(err, fmt.Sprintf("Error Parsing page %d", page))
 		}
 		fullResponse = append(fullResponse, parsedBody...)
 		if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
 			break
 		}
 	}
 	return fullResponse, nil
 }
 func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*response, []*T, error) {
 	pageResp, err := requestFn(page)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "REST request failed")
 	}
 	defer pageResp.Body.Close()
 	if pageResp.StatusCode == http.StatusOK {
 		envelope, err := parseResponseEnvelope(pageResp.Body)
 		if err != nil {
 			return nil, nil, err
 		}
 		var parsedRspBody []*T
 		return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
 	}
 	return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
 }
 type response struct {
-	Success  bool            `json:"success,omitempty"`
+	Success    bool            `json:"success,omitempty"`
-	Errors   []apiErr        `json:"errors,omitempty"`
+	Errors     []apiErr        `json:"errors,omitempty"`
-	Messages []string        `json:"messages,omitempty"`
+	Messages   []string        `json:"messages,omitempty"`
-	Result   json.RawMessage `json:"result,omitempty"`
+	Result     json.RawMessage `json:"result,omitempty"`
 	Pagination Pagination      `json:"result_info,omitempty"`
 }
 type Pagination struct {
 	Count      int `json:"count,omitempty"`
 	Page       int `json:"page,omitempty"`
 	PerPage    int `json:"per_page,omitempty"`
 	TotalCount int `json:"total_count,omitempty"`
 }
 func (r *response) checkErrors() error {
--- a/cfapi/client.go
+++ b/cfapi/client.go
@ -9,7 +9,7 @@ type TunnelClient interface {
 	GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
 	GetTunnelToken(tunnelID uuid.UUID) (string, error)
 	GetManagementToken(tunnelID uuid.UUID) (string, error)
-	DeleteTunnel(tunnelID uuid.UUID) error
+	DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
 	ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
 	ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)
 	CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error
@ -22,7 +22,7 @@ type HostnameClient interface {
 type IPRouteClient interface {
 	ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error)
 	AddRoute(newRoute NewRoute) (Route, error)
-	DeleteRoute(params DeleteRouteParams) error
+	DeleteRoute(id uuid.UUID) error
 	GetByIP(params GetRouteByIpParams) (DetailedRoute, error)
 }
--- a/cfapi/ip_route.go
+++ b/cfapi/ip_route.go
@ -75,10 +75,12 @@ type NewRoute struct {
 // MarshalJSON handles fields with non-JSON types (e.g. net.IPNet).
 func (r NewRoute) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&struct {
 		Network  string     `json:"network"`
 		TunnelID uuid.UUID  `json:"tunnel_id"`
 		Comment  string     `json:"comment"`
 		VNetID   *uuid.UUID `json:"virtual_network_id,omitempty"`
 	}{
 		Network:  r.Network.String(),
 		TunnelID: r.TunnelID,
 		Comment:  r.Comment,
 		VNetID:   r.VNetID,
@ -87,6 +89,7 @@ func (r NewRoute) MarshalJSON() ([]byte, error) {
 // DetailedRoute is just a Route with some extra fields, e.g. TunnelName.
 type DetailedRoute struct {
 	ID       uuid.UUID `json:"id"`
 	Network  CIDR      `json:"network"`
 	TunnelID uuid.UUID `json:"tunnel_id"`
 	// Optional field. When unset, it means the DetailedRoute belongs to the default virtual network.
@ -115,7 +118,8 @@ func (r DetailedRoute) TableString() string {
 	}
 	return fmt.Sprintf(
-		"%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
+		"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
 		r.ID,
 		r.Network.String(),
 		vnetColumn,
 		r.Comment,
@ -126,12 +130,6 @@ func (r DetailedRoute) TableString() string {
 	)
 }
 type DeleteRouteParams struct {
 	Network net.IPNet
 	// Optional field. If unset, backend will assume the default vnet for the account.
 	VNetID *uuid.UUID
 }
 type GetRouteByIpParams struct {
 	Ip net.IP
 	// Optional field. If unset, backend will assume the default vnet for the account.
@ -139,26 +137,30 @@ type GetRouteByIpParams struct {
 }
 // ListRoutes calls the Tunnelstore GET endpoint for all routes under an account.
 // Due to pagination on the server side it will call the endpoint multiple times if needed.
 func (r *RESTClient) ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error) {
-	endpoint := r.baseEndpoints.accountRoutes
+	fetchFn := func(page int) (*http.Response, error) {
-	endpoint.RawQuery = filter.Encode()
+		endpoint := r.baseEndpoints.accountRoutes
-	resp, err := r.sendRequest("GET", endpoint, nil)
+		filter.Page(page)
-	if err != nil {
+		endpoint.RawQuery = filter.Encode()
-		return nil, errors.Wrap(err, "REST request failed")
+		rsp, err := r.sendRequest("GET", endpoint, nil)
 	}
 	defer resp.Body.Close()
-	if resp.StatusCode == http.StatusOK {
+		if err != nil {
-		return parseListDetailedRoutes(resp.Body)
+			return nil, errors.Wrap(err, "REST request failed")
 		}
 		if rsp.StatusCode != http.StatusOK {
 			rsp.Body.Close()
 			return nil, r.statusCodeToError("list routes", rsp)
 		}
 		return rsp, nil
 	}
-
+	return fetchExhaustively[DetailedRoute](fetchFn)
 	return nil, r.statusCodeToError("list routes", resp)
 }
 // AddRoute calls the Tunnelstore POST endpoint for a given route.
 func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
 	endpoint := r.baseEndpoints.accountRoutes
-	endpoint.Path = path.Join(endpoint.Path, "network", url.PathEscape(newRoute.Network.String()))
+	endpoint.Path = path.Join(endpoint.Path)
 	resp, err := r.sendRequest("POST", endpoint, newRoute)
 	if err != nil {
 		return Route{}, errors.Wrap(err, "REST request failed")
@ -173,10 +175,9 @@ func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
 }
 // DeleteRoute calls the Tunnelstore DELETE endpoint for a given route.
-func (r *RESTClient) DeleteRoute(params DeleteRouteParams) error {
+func (r *RESTClient) DeleteRoute(id uuid.UUID) error {
 	endpoint := r.baseEndpoints.accountRoutes
-	endpoint.Path = path.Join(endpoint.Path, "network", url.PathEscape(params.Network.String()))
+	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	setVnetParam(&endpoint, params.VNetID)
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
@ -211,12 +212,6 @@ func (r *RESTClient) GetByIP(params GetRouteByIpParams) (DetailedRoute, error) {
 	return DetailedRoute{}, r.statusCodeToError("get route by IP", resp)
 }
 func parseListDetailedRoutes(body io.ReadCloser) ([]*DetailedRoute, error) {
 	var routes []*DetailedRoute
 	err := parseResponse(body, &routes)
 	return routes, err
 }
 func parseRoute(body io.ReadCloser) (Route, error) {
 	var route Route
 	err := parseResponse(body, &route)
--- a/cfapi/ip_route_filter.go
+++ b/cfapi/ip_route_filter.go
@ -58,31 +58,29 @@ type IpRouteFilter struct {
 // NewIpRouteFilterFromCLI parses CLI flags to discover which filters should get applied.
 func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
-	f := &IpRouteFilter{
+	f := NewIPRouteFilter()
 		queryParams: url.Values{},
 	}
 	// Set deletion filter
 	if flag := filterIpRouteDeleted.Name; c.IsSet(flag) && c.Bool(flag) {
-		f.deleted()
+		f.Deleted()
 	} else {
-		f.notDeleted()
+		f.NotDeleted()
 	}
 	if subset, err := cidrFromFlag(c, filterSubsetIpRoute); err != nil {
 		return nil, err
 	} else if subset != nil {
-		f.networkIsSupersetOf(*subset)
+		f.NetworkIsSupersetOf(*subset)
 	}
 	if superset, err := cidrFromFlag(c, filterSupersetIpRoute); err != nil {
 		return nil, err
 	} else if superset != nil {
-		f.networkIsSupersetOf(*superset)
+		f.NetworkIsSupersetOf(*superset)
 	}
 	if comment := c.String(filterIpRouteComment.Name); comment != "" {
-		f.commentIs(comment)
+		f.CommentIs(comment)
 	}
 	if tunnelID := c.String(filterIpRouteTunnelID.Name); tunnelID != "" {
@ -90,7 +88,7 @@ func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteTunnelID.Name)
 		}
-		f.tunnelID(u)
+		f.TunnelID(u)
 	}
 	if vnetId := c.String(filterIpRouteByVnet.Name); vnetId != "" {
@ -98,7 +96,7 @@ func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteByVnet.Name)
 		}
-		f.vnetID(u)
+		f.VNetID(u)
 	}
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
@ -124,35 +122,44 @@ func cidrFromFlag(c *cli.Context, flag cli.StringFlag) (*net.IPNet, error) {
 	return subset, nil
 }
-func (f *IpRouteFilter) commentIs(comment string) {
+func NewIPRouteFilter() *IpRouteFilter {
 	values := &IpRouteFilter{queryParams: url.Values{}}
 	// always list cfd_tunnel routes only
 	values.queryParams.Set("tun_types", "cfd_tunnel")
 	return values
 }
 func (f *IpRouteFilter) CommentIs(comment string) {
 	f.queryParams.Set("comment", comment)
 }
-func (f *IpRouteFilter) notDeleted() {
+func (f *IpRouteFilter) NotDeleted() {
 	f.queryParams.Set("is_deleted", "false")
 }
-func (f *IpRouteFilter) deleted() {
+func (f *IpRouteFilter) Deleted() {
 	f.queryParams.Set("is_deleted", "true")
 }
-func (f *IpRouteFilter) networkIsSubsetOf(superset net.IPNet) {
+func (f *IpRouteFilter) NetworkIsSubsetOf(superset net.IPNet) {
 	f.queryParams.Set("network_subset", superset.String())
 }
-func (f *IpRouteFilter) networkIsSupersetOf(subset net.IPNet) {
+func (f *IpRouteFilter) NetworkIsSupersetOf(subset net.IPNet) {
 	f.queryParams.Set("network_superset", subset.String())
 }
-func (f *IpRouteFilter) existedAt(existedAt time.Time) {
+func (f *IpRouteFilter) ExistedAt(existedAt time.Time) {
 	f.queryParams.Set("existed_at", existedAt.Format(time.RFC3339))
 }
-func (f *IpRouteFilter) tunnelID(id uuid.UUID) {
+func (f *IpRouteFilter) TunnelID(id uuid.UUID) {
 	f.queryParams.Set("tunnel_id", id.String())
 }
-func (f *IpRouteFilter) vnetID(id uuid.UUID) {
+func (f *IpRouteFilter) VNetID(id uuid.UUID) {
 	f.queryParams.Set("virtual_network_id", id.String())
 }
@ -160,6 +167,10 @@ func (f *IpRouteFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *IpRouteFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f IpRouteFilter) Encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/ip_route_test.go
+++ b/cfapi/ip_route_test.go
@ -69,6 +69,7 @@ func TestDetailedRouteJsonRoundtrip(t *testing.T) {
 	}{
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
@ -80,6 +81,7 @@ func TestDetailedRouteJsonRoundtrip(t *testing.T) {
 		},
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9",
@ -167,9 +169,10 @@ func TestRouteTableString(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, network)
 	r := DetailedRoute{
 		ID:      uuid.Nil,
 		Network: CIDR(*network),
 	}
 	row := r.TableString()
 	fmt.Println(row)
-	require.True(t, strings.HasPrefix(row, "1.2.3.4/32"))
+	require.True(t, strings.HasPrefix(row, "00000000-0000-0000-0000-000000000000\t1.2.3.4/32"))
 }
--- a/cfapi/tunnel.go
+++ b/cfapi/tunnel.go
@ -93,7 +93,7 @@ func (r *RESTClient) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWith
 	switch resp.StatusCode {
 	case http.StatusOK:
 		var tunnel TunnelWithToken
-		if serdeErr := parseResponse(resp.Body, &tunnel); err != nil {
+		if serdeErr := parseResponse(resp.Body, &tunnel); serdeErr != nil {
 			return nil, serdeErr
 		}
 		return &tunnel, nil
@ -159,9 +159,14 @@ func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err e
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
-func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID) error {
+func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
 	// Cascade will delete all tunnel dependencies (connections, routes, etc.) that
 	// are linked to the deleted tunnel.
 	if cascade {
 		endpoint.RawQuery = "cascade=true"
 	}
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
@ -172,25 +177,22 @@ func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID) error {
 }
 func (r *RESTClient) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) {
-	endpoint := r.baseEndpoints.accountLevel
+	fetchFn := func(page int) (*http.Response, error) {
-	endpoint.RawQuery = filter.encode()
+		endpoint := r.baseEndpoints.accountLevel
-	resp, err := r.sendRequest("GET", endpoint, nil)
+		filter.Page(page)
-	if err != nil {
+		endpoint.RawQuery = filter.encode()
-		return nil, errors.Wrap(err, "REST request failed")
+		rsp, err := r.sendRequest("GET", endpoint, nil)
-	}
+		if err != nil {
-	defer resp.Body.Close()
+			return nil, errors.Wrap(err, "REST request failed")
-
+		}
-	if resp.StatusCode == http.StatusOK {
+		if rsp.StatusCode != http.StatusOK {
-		return parseListTunnels(resp.Body)
+			rsp.Body.Close()
 			return nil, r.statusCodeToError("list tunnels", rsp)
 		}
 		return rsp, nil
 	}
-	return nil, r.statusCodeToError("list tunnels", resp)
+	return fetchExhaustively[Tunnel](fetchFn)
 }
 func parseListTunnels(body io.ReadCloser) ([]*Tunnel, error) {
 	var tunnels []*Tunnel
 	err := parseResponse(body, &tunnels)
 	return tunnels, err
 }
 func (r *RESTClient) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) {
--- a/cfapi/tunnel_filter.go
+++ b/cfapi/tunnel_filter.go
@ -50,6 +50,10 @@ func (f *TunnelFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *TunnelFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f TunnelFilter) encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/tunnel_test.go
+++ b/cfapi/tunnel_test.go
@ -3,7 +3,6 @@ package cfapi
 import (
 	"bytes"
 	"fmt"
 	"io"
 	"net"
 	"reflect"
 	"strings"
@ -16,52 +15,6 @@ import (
 var loc, _ = time.LoadLocation("UTC")
 func Test_parseListTunnels(t *testing.T) {
 	type args struct {
 		body string
 	}
 	tests := []struct {
 		name    string
 		args    args
 		want    []*Tunnel
 		wantErr bool
 	}{
 		{
 			name: "empty list",
 			args: args{body: `{"success": true, "result": []}`},
 			want: []*Tunnel{},
 		},
 		{
 			name:    "success is false",
 			args:    args{body: `{"success": false, "result": []}`},
 			wantErr: true,
 		},
 		{
 			name:    "errors are present",
 			args:    args{body: `{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": []}`},
 			wantErr: true,
 		},
 		{
 			name:    "invalid response",
 			args:    args{body: `abc`},
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			body := io.NopCloser(bytes.NewReader([]byte(tt.args.body)))
 			got, err := parseListTunnels(body)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("parseListTunnels() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("parseListTunnels() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 func Test_unmarshalTunnel(t *testing.T) {
 	type args struct {
 		body string
--- a/cfapi/virtual_network.go
+++ b/cfapi/virtual_network.go
@ -16,7 +16,7 @@ import (
 type NewVirtualNetwork struct {
 	Name      string `json:"name"`
 	Comment   string `json:"comment"`
-	IsDefault bool   `json:"is_default"`
+	IsDefault bool   `json:"is_default_network"`
 }
 type VirtualNetwork struct {
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,259 +1,2 @@
-pinned_go: &pinned_go go=1.19.6-1
+# A valid cfsetup.yaml is required but we dont have any real config to specify
-pinned_go_fips: &pinned_go_fips go-boring=1.19.6-1
+dummy_key: true
 build_dir: &build_dir /cfsetup_build
 default-flavor: bullseye
 buster: &buster
  build:
    build_dir: *build_dir
    builddeps: &build_deps
      - *pinned_go
      - build-essential
      - gotest-to-teamcity
    pre-cache: &build_pre_cache
      - export GOCACHE=/cfsetup_build/.cache/go-build
      - go install golang.org/x/tools/cmd/goimports@latest
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared
  build-fips:
    build_dir: *build_dir
    builddeps: &build_deps_fips
      - *pinned_go_fips
      - build-essential
      - gotest-to-teamcity
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - make cloudflared
  cover: 
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache: 
     - make cover
  # except FIPS (handled in github-fips-release-pkgs) and macos (handled in github-release-macos-amd64)
  github-release-pkgs:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - reprepro
      - createrepo
    pre-cache: &github_release_pkgs_pre_cache
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
      - pip3 install boto3==1.22.9
      - pip3 install python-gnupg==0.4.9
    post-cache:
      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
      # release the packages built and moved to /cfsetup/built_artifacts
      - make github-release-built-pkgs
      # publish packages to linux repos
      - make release-pkgs-linux
  # handle FIPS separately so that we built with gofips compiler
  github-fips-release-pkgs:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
    pre-cache: *github_release_pkgs_pre_cache
    post-cache:
      # same logic as above, but for FIPS packages only
      - ./build-packages-fips.sh
      - make github-release-built-pkgs
  generate-versions-file:
    build_dir: *build_dir
    builddeps: 
      - *pinned_go
      - build-essential
    post-cache:
      - make generate-docker-version
  build-deb:
    build_dir: *build_dir
    builddeps: &build_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-deb
  build-fips-internal-deb:
    build_dir: *build_dir
    builddeps: &build_fips_deb_deps
      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-amd64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export NIGHTLY=true
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-arm64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export NIGHTLY=true
      #- export FIPS=true # TUN-7595
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
    builddeps: *build_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
  github-release-macos-amd64:
    build_dir: *build_dir
    builddeps: &build_pygithub
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
    pre-cache: &install_pygithub
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
    post-cache:
      - make github-mac-upload
  github-release-windows:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
    pre-cache:
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
    post-cache:
      - .teamcity/package-windows.sh
      - make github-windows-upload
  test:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export PATH="$HOME/go/bin:$PATH"
      - ./fmt-check.sh
      - make test | gotest-to-teamcity
  test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_fips
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export PATH="$HOME/go/bin:$PATH"
      - ./fmt-check.sh
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - python3.7
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service because the init script
      # uses ps pid to determine if the agent is running
      - procps
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    pre-cache: &component_test_pre_cache
      - sudo pip3 install --upgrade -r component-tests/requirements.txt
    post-cache: &component_test_post_cache
      # Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
      - python3 component-tests/setup.py --type create
      - pytest component-tests -o log_cli=true --log-cli-level=INFO
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
  component-test-fips:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - python3.7
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service because the init script
      # uses ps pid to determine if the agent is running
      - procps
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    pre-cache: *component_test_pre_cache
    post-cache: *component_test_post_cache
  update-homebrew:
    builddeps:
      - openssh-client
      - s3cmd
      - jq
      - build-essential
      - procps
    post-cache:
      - .teamcity/update-homebrew.sh
      - .teamcity/update-homebrew-core.sh
  github-message-release:
    build_dir: *build_dir
    builddeps: *build_pygithub
    pre-cache: *install_pygithub
    post-cache:
      - make github-message
 bullseye: *buster
 bookworm: *buster
--- a/client/config.go
+++ b/client/config.go
@ -0,0 +1,74 @@
 package client
 import (
 	"fmt"
 	"net"
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // Config captures the local client runtime configuration.
 type Config struct {
 	ConnectorID uuid.UUID
 	Version     string
 	Arch        string
 	featureSelector features.FeatureSelector
 }
 func NewConfig(version string, arch string, featureSelector features.FeatureSelector) (*Config, error) {
 	connectorID, err := uuid.NewRandom()
 	if err != nil {
 		return nil, fmt.Errorf("unable to generate a connector UUID: %w", err)
 	}
 	return &Config{
 		ConnectorID:     connectorID,
 		Version:         version,
 		Arch:            arch,
 		featureSelector: featureSelector,
 	}, nil
 }
 // ConnectionOptionsSnapshot is a snapshot of the current client information used to initialize a connection.
 //
 // The FeatureSnapshot is the features that are available for this connection. At the client level they may
 // change, but they will not change within the scope of this struct.
 type ConnectionOptionsSnapshot struct {
 	client              pogs.ClientInfo
 	originLocalIP       net.IP
 	numPreviousAttempts uint8
 	FeatureSnapshot     features.FeatureSnapshot
 }
 func (c *Config) ConnectionOptionsSnapshot(originIP net.IP, previousAttempts uint8) *ConnectionOptionsSnapshot {
 	snapshot := c.featureSelector.Snapshot()
 	return &ConnectionOptionsSnapshot{
 		client: pogs.ClientInfo{
 			ClientID: c.ConnectorID[:],
 			Version:  c.Version,
 			Arch:     c.Arch,
 			Features: snapshot.FeaturesList,
 		},
 		originLocalIP:       originIP,
 		numPreviousAttempts: previousAttempts,
 		FeatureSnapshot:     snapshot,
 	}
 }
 func (c ConnectionOptionsSnapshot) ConnectionOptions() *pogs.ConnectionOptions {
 	return &pogs.ConnectionOptions{
 		Client:              c.client,
 		OriginLocalIP:       c.originLocalIP,
 		ReplaceExisting:     false,
 		CompressionQuality:  0,
 		NumPreviousAttempts: c.numPreviousAttempts,
 	}
 }
 func (c ConnectionOptionsSnapshot) LogFields(event *zerolog.Event) *zerolog.Event {
 	return event.Strs("features", c.client.Features)
 }
--- a/client/config_test.go
+++ b/client/config_test.go
@ -0,0 +1,50 @@
 package client
 import (
 	"net"
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/features"
 )
 func TestGenerateConnectionOptions(t *testing.T) {
 	version := "1234"
 	arch := "linux_amd64"
 	originIP := net.ParseIP("192.168.1.1")
 	var previousAttempts uint8 = 4
 	config, err := NewConfig(version, arch, &mockFeatureSelector{})
 	require.NoError(t, err)
 	require.Equal(t, version, config.Version)
 	require.Equal(t, arch, config.Arch)
 	// Validate ConnectionOptionsSnapshot fields
 	connOptions := config.ConnectionOptionsSnapshot(originIP, previousAttempts)
 	require.Equal(t, version, connOptions.client.Version)
 	require.Equal(t, arch, connOptions.client.Arch)
 	require.Equal(t, config.ConnectorID[:], connOptions.client.ClientID)
 	// Vaidate snapshot feature fields against the connOptions generated
 	snapshot := config.featureSelector.Snapshot()
 	require.Equal(t, features.DatagramV3, snapshot.DatagramVersion)
 	require.Equal(t, features.DatagramV3, connOptions.FeatureSnapshot.DatagramVersion)
 	pogsConnOptions := connOptions.ConnectionOptions()
 	require.Equal(t, connOptions.client, pogsConnOptions.Client)
 	require.Equal(t, originIP, pogsConnOptions.OriginLocalIP)
 	require.False(t, pogsConnOptions.ReplaceExisting)
 	require.Equal(t, uint8(0), pogsConnOptions.CompressionQuality)
 	require.Equal(t, previousAttempts, pogsConnOptions.NumPreviousAttempts)
 }
 type mockFeatureSelector struct{}
 func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
 	return features.FeatureSnapshot{
 		PostQuantum:     features.PostQuantumPrefer,
 		DatagramVersion: features.DatagramV3,
 		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
 	}
 }
--- a/cloudflared.wxs
+++ b/cloudflared.wxs
@ -46,7 +46,7 @@
                <!--Set the cloudflared bin location to the Path Environment Variable-->
                <Environment Id="ENV0"
                    Name="PATH"
-                    Value="[INSTALLDIR]."
+                    Value="[INSTALLDIR]"
                    Permanent="no"
                    Part="last"
                    Action="create"
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -47,6 +47,7 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
 		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
 		IsFedramp: forwarder.IsFedramp,
 	}
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
@ -70,14 +71,14 @@ func ssh(c *cli.Context) error {
 	// get the hostname from the cmdline and error out if its not provided
 	rawHostName := c.String(sshHostnameFlag)
-	hostname, err := validation.ValidateHostname(rawHostName)
+	url, err := parseURL(rawHostName)
-	if err != nil || rawHostName == "" {
+	if err != nil {
 		log.Err(err).Send()
 		return cli.ShowCommandHelp(c, "ssh")
 	}
 	originURL := ensureURLScheme(hostname)
 	// get the headers from the cmdline and add them
-	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
 		headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
@ -89,9 +90,10 @@ func ssh(c *cli.Context) error {
 	carrier.SetBastionDest(headers, c.String(sshDestinationFlag))
 	options := &carrier.StartOptions{
-		OriginURL: originURL,
+		OriginURL: url.String(),
 		Headers:   headers,
-		Host:      hostname,
+		Host:      url.Host,
 		IsFedramp: c.Bool(fedrampFlag),
 	}
 	if connectTo := c.String(sshConnectTo); connectTo != "" {
@ -104,7 +106,7 @@ func ssh(c *cli.Context) error {
 		case 3:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
 			options.TLSClientConfig = &tls.Config{
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: true, // #nosec G402
 				ServerName:         parts[0],
 			}
 			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
@ -138,20 +140,8 @@ func ssh(c *cli.Context) error {
 			// default to 10 if provided but unset
 			maxMessages = 10
 		}
-		logger := log.With().Str("host", hostname).Logger()
+		logger := log.With().Str("host", url.Host).Logger()
 		s = stream.NewDebugStream(s, &logger, maxMessages)
 	}
-	carrier.StartClient(wsConn, s, options)
+	return carrier.StartClient(wsConn, s, options)
 	return nil
 }
 func buildRequestHeaders(values []string) http.Header {
 	headers := make(http.Header)
 	for _, valuePair := range values {
 		header, value, found := strings.Cut(valuePair, ":")
 		if found {
 			headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
 		}
 	}
 	return headers
 }
--- a/cmd/cloudflared/access/carrier_test.go
+++ b/cmd/cloudflared/access/carrier_test.go
@ -1,19 +0,0 @@
 package access
 import (
 	"net/http"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestBuildRequestHeaders(t *testing.T) {
 	headers := make(http.Header)
 	headers.Add("client", "value")
 	headers.Add("secret", "safe-value")
 	values := buildRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
 	assert.Equal(t, headers.Get("client"), values.Get("client"))
 	assert.Equal(t, headers.Get("secret"), values.Get("secret"))
 	assert.Equal(t, headers.Get("cf-trace-id"), values.Get("000:000:0:1:asd"))
 }
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -19,6 +19,7 @@ import (
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/sshgen"
 	"github.com/cloudflare/cloudflared/token"
@ -26,6 +27,8 @@ import (
 )
 const (
 	appURLFlag         = "app"
 	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
 	sshURLFlag         = "url"
@ -48,6 +51,7 @@ Host {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
 	fedrampFlag = "fedramp"
 )
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
@ -76,20 +80,43 @@ func Commands() []*cli.Command {
 			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
 			Flags: []cli.Flag{&cli.BoolFlag{
 				Name:  fedrampFlag,
 				Usage: "use when performing operations in fedramp account",
 			}},
 			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
 			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
 			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
 			applications from the command line.`,
 			Subcommands: []*cli.Command{
 				{
-					Name:   "login",
+					Name:      "login",
-					Action: cliutil.Action(login),
+					Action:    cliutil.Action(login),
-					Usage:  "login <url of access application>",
+					Usage:     "login <url of access application>",
 					ArgsUsage: "url of Access application",
 					Description: `The login subcommand initiates an authentication flow with your identity provider.
 					The subcommand will launch a browser. For headless systems, a url is provided.
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
 					scoped to your identity, the application you intend to reach, and valid for a session duration set by your
 					administrator. cloudflared stores the token in local storage.`,
 					Flags: []cli.Flag{
 						&cli.BoolFlag{
 							Name:    loginQuietFlag,
 							Aliases: []string{"q"},
 							Usage:   "do not print the jwt to the command line",
 						},
 						&cli.BoolFlag{
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
 						&cli.BoolFlag{
 							Name:  "auto-close",
 							Usage: "automatically close the auth interstitial after action",
 						},
 						&cli.StringFlag{
 							Name: appURLFlag,
 						},
 					},
 				},
 				{
 					Name:   "curl",
@ -103,12 +130,12 @@ func Commands() []*cli.Command {
 				{
 					Name:        "token",
 					Action:      cliutil.Action(generateToken),
-					Usage:       "token -app=<url of access application>",
+					Usage:       "token <url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name: "app",
+							Name: appURLFlag,
 						},
 					},
 				},
@ -124,15 +151,18 @@ func Commands() []*cli.Command {
 							Name:    sshHostnameFlag,
 							Aliases: []string{"tunnel-host", "T"},
 							Usage:   "specify the hostname of your application.",
 							EnvVars: []string{"TUNNEL_SERVICE_HOSTNAME"},
 						},
 						&cli.StringFlag{
-							Name:  sshDestinationFlag,
+							Name:    sshDestinationFlag,
-							Usage: "specify the destination address of your SSH server.",
+							Usage:   "specify the destination address of your SSH server.",
 							EnvVars: []string{"TUNNEL_SERVICE_DESTINATION"},
 						},
 						&cli.StringFlag{
 							Name:    sshURLFlag,
 							Aliases: []string{"listener", "L"},
 							Usage:   "specify the host:port to forward data to Cloudflare edge.",
 							EnvVars: []string{"TUNNEL_SERVICE_URL"},
 						},
 						&cli.StringSliceFlag{
 							Name:    sshHeaderFlag,
@ -152,15 +182,15 @@ func Commands() []*cli.Command {
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
 						},
 						&cli.StringFlag{
-							Name:  logger.LogFileFlag,
+							Name:  cfdflags.LogFile,
 							Usage: "Save application log to this file for reporting issues.",
 						},
 						&cli.StringFlag{
-							Name:  logger.LogSSHDirectoryFlag,
+							Name:  cfdflags.LogDirectory,
 							Usage: "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
-							Name:    logger.LogSSHLevelFlag,
+							Name:    cfdflags.LogLevelSSH,
 							Aliases: []string{"loglevel"}, //added to match the tunnel side
 							Usage:   "Application logging level {debug, info, warn, error, fatal}. ",
 						},
@ -221,10 +251,8 @@ func login(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
-	args := c.Args()
+	appURL, err := getAppURLFromArgs(c)
-	rawURL := ensureURLScheme(args.First())
+	if err != nil {
 	appURL, err := url.Parse(rawURL)
 	if args.Len() < 1 || err != nil {
 		log.Error().Msg("Please provide the url of the Access application")
 		return err
 	}
@ -247,21 +275,22 @@ func login(c *cli.Context) error {
 		fmt.Fprintln(os.Stderr, "token for provided application was empty.")
 		return errors.New("empty application token")
 	}
-	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
+
 	if c.Bool(loginQuietFlag) {
 		return nil
 	}
 	// Chatty by default for backward compat. The new --app flag
 	// is an implicit opt-out of the backwards-compatible chatty output.
 	if c.Bool("no-verbose") || c.IsSet(appURLFlag) {
 		fmt.Fprint(os.Stdout, cfdToken)
 	} else {
 		fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 	}
 	return nil
 }
 // ensureURLScheme prepends a URL with https:// if it doesn't have a scheme. http:// URLs will not be converted.
 func ensureURLScheme(url string) string {
 	url = strings.Replace(strings.ToLower(url), "http://", "https://", 1)
 	if !strings.HasPrefix(url, "https://") {
 		url = fmt.Sprintf("https://%s", url)
 	}
 	return url
 }
 // curl provides a wrapper around curl, passing Access JWT along in request
 func curl(c *cli.Context) error {
 	err := sentry.Init(sentry.ClientOptions{
@ -302,7 +331,7 @@ func curl(c *cli.Context) error {
 			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
 			return run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL, appInfo, log)
+		tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 		if err != nil {
 			log.Err(err).Msg("Failed to refresh token")
 			return err
@ -323,7 +352,7 @@ func run(cmd string, args ...string) error {
 		return err
 	}
 	go func() {
-		io.Copy(os.Stderr, stderr)
+		_, _ = io.Copy(os.Stderr, stderr)
 	}()
 	stdout, err := c.StdoutPipe()
@ -331,11 +360,22 @@ func run(cmd string, args ...string) error {
 		return err
 	}
 	go func() {
-		io.Copy(os.Stdout, stdout)
+		_, _ = io.Copy(os.Stdout, stdout)
 	}()
 	return c.Run()
 }
 func getAppURLFromArgs(c *cli.Context) (*url.URL, error) {
 	var appURLStr string
 	args := c.Args()
 	if args.Len() < 1 {
 		appURLStr = c.String(appURLFlag)
 	} else {
 		appURLStr = args.First()
 	}
 	return parseURL(appURLStr)
 }
 // token dumps provided token to stdout
 func generateToken(c *cli.Context) error {
 	err := sentry.Init(sentry.ClientOptions{
@ -345,8 +385,8 @@ func generateToken(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	appURL, err := url.Parse(ensureURLScheme(c.String("app")))
+	appURL, err := getAppURLFromArgs(c)
-	if err != nil || c.NumFlags() < 1 {
+	if err != nil {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
@ -398,7 +438,7 @@ func sshGen(c *cli.Context) error {
 		return cli.ShowCommandHelp(c, "ssh-gen")
 	}
-	originURL, err := url.Parse(ensureURLScheme(hostname))
+	originURL, err := parseURL(hostname)
 	if err != nil {
 		return err
 	}
@ -411,7 +451,7 @@ func sshGen(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
+	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 	if err != nil {
 		return err
 	}
@ -477,6 +517,11 @@ func processURL(s string) (*url.URL, error) {
 // cloudflaredPath pulls the full path of cloudflared on disk
 func cloudflaredPath() string {
 	path, err := os.Executable()
 	if err == nil && isFileThere(path) {
 		return path
 	}
 	for _, p := range strings.Split(os.Getenv("PATH"), ":") {
 		path := fmt.Sprintf("%s/%s", p, "cloudflared")
 		if isFileThere(path) {
@ -496,17 +541,17 @@ func isFileThere(candidate string) bool {
 }
 // verifyTokenAtEdge checks for a token on disk, or generates a new one.
-// Then makes a request to to the origin with the token to ensure it is valid.
+// Then makes a request to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
 func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
-	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
 		headers.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
-	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
+	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
--- a/cmd/cloudflared/access/cmd_test.go
+++ b/cmd/cloudflared/access/cmd_test.go
@ -1,25 +0,0 @@
 package access
 import "testing"
 func Test_ensureURLScheme(t *testing.T) {
 	type args struct {
 		url string
 	}
 	tests := []struct {
 		name string
 		args args
 		want string
 	}{
 		{"no scheme", args{"localhost:123"}, "https://localhost:123"},
 		{"http scheme", args{"http://test"}, "https://test"},
 		{"https scheme", args{"https://test"}, "https://test"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := ensureURLScheme(tt.args.url); got != tt.want {
 				t.Errorf("ensureURLScheme() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
--- a/cmd/cloudflared/access/validation.go
+++ b/cmd/cloudflared/access/validation.go
@ -0,0 +1,55 @@
 package access
 import (
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"golang.org/x/net/http/httpguts"
 )
 // parseRequestHeaders will take user-provided header values as strings "Content-Type: application/json" and create
 // a http.Header object.
 func parseRequestHeaders(values []string) http.Header {
 	headers := make(http.Header)
 	for _, valuePair := range values {
 		header, value, found := strings.Cut(valuePair, ":")
 		if found {
 			headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
 		}
 	}
 	return headers
 }
 // parseHostname will attempt to convert a user provided URL string into a string with some light error checking on
 // certain expectations from the URL.
 // Will convert all HTTP URLs to HTTPS
 func parseURL(input string) (*url.URL, error) {
 	if input == "" {
 		return nil, errors.New("no input provided")
 	}
 	if !strings.HasPrefix(input, "https://") && !strings.HasPrefix(input, "http://") {
 		input = fmt.Sprintf("https://%s", input)
 	}
 	url, err := url.ParseRequestURI(input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse as URL: %w", err)
 	}
 	if url.Scheme != "https" {
 		url.Scheme = "https"
 	}
 	if url.Host == "" {
 		return nil, errors.New("failed to parse Host")
 	}
 	host, err := httpguts.PunycodeHostPort(url.Host)
 	if err != nil || host == "" {
 		return nil, err
 	}
 	if !httpguts.ValidHostHeader(host) {
 		return nil, errors.New("invalid Host provided")
 	}
 	url.Host = host
 	return url, nil
 }
--- a/cmd/cloudflared/access/validation_test.go
+++ b/cmd/cloudflared/access/validation_test.go
@ -0,0 +1,80 @@
 package access
 import (
 	"fmt"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestParseRequestHeaders(t *testing.T) {
 	values := parseRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
 	assert.Len(t, values, 3)
 	assert.Equal(t, "value", values.Get("client"))
 	assert.Equal(t, "safe-value", values.Get("secret"))
 	assert.Equal(t, "000:000:0:1:asd", values.Get("cf-trace-id"))
 }
 func TestParseURL(t *testing.T) {
 	schemes := []string{
 		"http://",
 		"https://",
 		"",
 	}
 	hosts := []struct {
 		input    string
 		expected string
 	}{
 		{"localhost", "localhost"},
 		{"127.0.0.1", "127.0.0.1"},
 		{"127.0.0.1:9090", "127.0.0.1:9090"},
 		{"::1", "::1"},
 		{"::1:8080", "::1:8080"},
 		{"[::1]", "[::1]"},
 		{"[::1]:8080", "[::1]:8080"},
 		{":8080", ":8080"},
 		{"example.com", "example.com"},
 		{"hello.example.com", "hello.example.com"},
 		{"bücher.example.com", "xn--bcher-kva.example.com"},
 	}
 	paths := []string{
 		"",
 		"/test",
 		"/example.com?qwe=123",
 	}
 	for i, scheme := range schemes {
 		for j, host := range hosts {
 			for k, path := range paths {
 				t.Run(fmt.Sprintf("%d_%d_%d", i, j, k), func(t *testing.T) {
 					input := fmt.Sprintf("%s%s%s", scheme, host.input, path)
 					expected := fmt.Sprintf("%s%s%s", "https://", host.expected, path)
 					url, err := parseURL(input)
 					assert.NoError(t, err, "input: %s\texpected: %s", input, expected)
 					assert.Equal(t, expected, url.String())
 					assert.Equal(t, host.expected, url.Host)
 					assert.Equal(t, "https", url.Scheme)
 				})
 			}
 		}
 	}
 	t.Run("no input", func(t *testing.T) {
 		_, err := parseURL("")
 		assert.ErrorContains(t, err, "no input provided")
 	})
 	t.Run("missing host", func(t *testing.T) {
 		_, err := parseURL("https:///host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid path only", func(t *testing.T) {
 		_, err := parseURL("/host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid parse URL", func(t *testing.T) {
 		_, err := parseURL("https://host\\host")
 		assert.ErrorContains(t, err, "failed to parse as URL")
 	})
 }
--- a/cmd/cloudflared/cliutil/build_info.go
+++ b/cmd/cloudflared/cliutil/build_info.go
@ -1,7 +1,10 @@
 package cliutil
 import (
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"github.com/rs/zerolog"
@ -13,6 +16,7 @@ type BuildInfo struct {
 	GoArch             string `json:"go_arch"`
 	BuildType          string `json:"build_type"`
 	CloudflaredVersion string `json:"cloudflared_version"`
 	Checksum           string `json:"checksum"`
 }
 func GetBuildInfo(buildType, version string) *BuildInfo {
@ -22,11 +26,12 @@ func GetBuildInfo(buildType, version string) *BuildInfo {
 		GoArch:             runtime.GOARCH,
 		BuildType:          buildType,
 		CloudflaredVersion: version,
 		Checksum:           currentBinaryChecksum(),
 	}
 }
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
-	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
+	log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
 	if bi.BuildType != "" {
 		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
 	}
@ -51,3 +56,28 @@ func (bi *BuildInfo) GetBuildTypeMsg() string {
 func (bi *BuildInfo) UserAgent() string {
 	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
 }
 // FileChecksum opens a file and returns the SHA256 checksum.
 func FileChecksum(filePath string) (string, error) {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return "", err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return "", err
 	}
 	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }
 func currentBinaryChecksum() string {
 	currentPath, err := os.Executable()
 	if err != nil {
 		return ""
 	}
 	sum, _ := FileChecksum(currentPath)
 	return sum
 }
--- a/cmd/cloudflared/cliutil/logger.go
+++ b/cmd/cloudflared/cliutil/logger.go
@ -4,25 +4,32 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
-	"github.com/cloudflare/cloudflared/logger"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 )
 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 	FlagLogOutput = &cli.StringFlag{
 		Name:    flags.LogFormatOutput,
 		Usage:   "Output format for the logs (default, json)",
 		Value:   flags.LogFormatOutputValueDefault,
 		EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT", "TUNNEL_LOG_OUTPUT"},
 	}
 )
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogLevelFlag,
+			Name:    flags.LogLevel,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogTransportLevelFlag,
+			Name:    flags.TransportLogLevel,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
@ -30,22 +37,23 @@ func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogFileFlag,
+			Name:    flags.LogFile,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogDirectoryFlag,
+			Name:    flags.LogDirectory,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "trace-output",
+			Name:    flags.TraceOutput,
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 		FlagLogOutput,
 	}
 }
--- a/cmd/cloudflared/flags/flags.go
+++ b/cmd/cloudflared/flags/flags.go
@ -0,0 +1,169 @@
 package flags
 const (
 	// HaConnections specifies how many connections to make to the edge
 	HaConnections = "ha-connections"
 	// SshPort is the port on localhost the cloudflared ssh server will run on
 	SshPort = "local-ssh-port"
 	// SshIdleTimeout defines the duration a SSH session can remain idle before being closed
 	SshIdleTimeout = "ssh-idle-timeout"
 	// SshMaxTimeout defines the max duration a SSH session can remain open for
 	SshMaxTimeout = "ssh-max-timeout"
 	// SshLogUploaderBucketName is the bucket name to use for the SSH log uploader
 	SshLogUploaderBucketName = "bucket-name"
 	// SshLogUploaderRegionName is the AWS region name to use for the SSH log uploader
 	SshLogUploaderRegionName = "region-name"
 	// SshLogUploaderSecretID is the Secret id of SSH log uploader
 	SshLogUploaderSecretID = "secret-id"
 	// SshLogUploaderAccessKeyID is the Access key id of SSH log uploader
 	SshLogUploaderAccessKeyID = "access-key-id"
 	// SshLogUploaderSessionTokenID is the Session token of SSH log uploader
 	SshLogUploaderSessionTokenID = "session-token"
 	// SshLogUploaderS3URL is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
 	SshLogUploaderS3URL = "s3-url-host"
 	// HostKeyPath is the path of the dir to save SSH host keys too
 	HostKeyPath = "host-key-path"
 	// RpcTimeout is how long to wait for a Capnp RPC request to the edge
 	RpcTimeout = "rpc-timeout"
 	// WriteStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
 	WriteStreamTimeout = "write-stream-timeout"
 	// QuicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
 	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
 	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
 	QuicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
 	// QuicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
 	// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
 	// but it's blocked by flow control
 	QuicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
 	// QuicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
 	// it will send a STREAM_DATA_BLOCKED frame
 	QuicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
 	// Ui is to enable launching cloudflared in interactive UI mode
 	Ui = "ui"
 	// ConnectorLabel is the command line flag to give a meaningful label to a specific connector
 	ConnectorLabel = "label"
 	// MaxActiveFlows is the command line flag to set the maximum number of flows that cloudflared can be processing at the same time
 	MaxActiveFlows = "max-active-flows"
 	// Tag is the command line flag to set custom tags used to identify this tunnel via added HTTP request headers to the origin
 	Tag = "tag"
 	// Protocol is the command line flag to set the protocol to use to connect to the Cloudflare Edge
 	Protocol = "protocol"
 	// PostQuantum is the command line flag to force the connection to Cloudflare Edge to use Post Quantum cryptography
 	PostQuantum = "post-quantum"
 	// Features is the command line flag to opt into various features that are still being developed or tested
 	Features = "features"
 	// EdgeIpVersion is the command line flag to set the Cloudflare Edge IP address version to connect with
 	EdgeIpVersion = "edge-ip-version"
 	// EdgeBindAddress is the command line flag to bind to IP address for outgoing connections to Cloudflare Edge
 	EdgeBindAddress = "edge-bind-address"
 	// Force is the command line flag to specify if you wish to force an action
 	Force = "force"
 	// Edge is the command line flag to set the address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment
 	Edge = "edge"
 	// Region is the command line flag to set the Cloudflare Edge region to connect to
 	Region = "region"
 	// IsAutoUpdated is the command line flag to signal the new process that cloudflared has been autoupdated
 	IsAutoUpdated = "is-autoupdated"
 	// LBPool is the command line flag to set the name of the load balancing pool to add this origin to
 	LBPool = "lb-pool"
 	// Retries is the command line flag to set the maximum number of retries for connection/protocol errors
 	Retries = "retries"
 	// MaxEdgeAddrRetries is the command line flag to set the maximum number of times to retry on edge addrs before falling back to a lower protocol
 	MaxEdgeAddrRetries = "max-edge-addr-retries"
 	// GracePeriod is the command line flag to set the maximum amount of time that cloudflared waits to shut down if it is still serving requests
 	GracePeriod = "grace-period"
 	// ICMPV4Src is the command line flag to set the source address and the interface name to send/receive ICMPv4 messages
 	ICMPV4Src = "icmpv4-src"
 	// ICMPV6Src is the command line flag to set the source address and the interface name to send/receive ICMPv6 messages
 	ICMPV6Src = "icmpv6-src"
 	// ProxyDns is the command line flag to run DNS server over HTTPS
 	ProxyDns = "proxy-dns"
 	// Name is the command line to set the name of the tunnel
 	Name = "name"
 	// AutoUpdateFreq is the command line for setting the frequency that cloudflared checks for updates
 	AutoUpdateFreq = "autoupdate-freq"
 	// NoAutoUpdate is the command line flag to disable cloudflared from checking for updates
 	NoAutoUpdate = "no-autoupdate"
 	// LogLevel is the command line flag for the cloudflared logging level
 	LogLevel = "loglevel"
 	// LogLevelSSH is the command line flag for the cloudflared ssh logging level
 	LogLevelSSH = "log-level"
 	// TransportLogLevel is the command line flag for the transport logging level
 	TransportLogLevel = "transport-loglevel"
 	// LogFile is the command line flag to define the file where application logs will be stored
 	LogFile = "logfile"
 	// LogDirectory is the command line flag to define the directory where application logs will be stored.
 	LogDirectory = "log-directory"
 	// LogFormatOutput allows the command line logs to be output as JSON.
 	LogFormatOutput             = "output"
 	LogFormatOutputValueDefault = "default"
 	LogFormatOutputValueJSON    = "json"
 	// TraceOutput is the command line flag to set the name of trace output file
 	TraceOutput = "trace-output"
 	// OriginCert is the command line flag to define the path for the origin certificate used by cloudflared
 	OriginCert = "origincert"
 	// Metrics is the command line flag to define the address of the metrics server
 	Metrics = "metrics"
 	// MetricsUpdateFreq is the command line flag to define how frequently tunnel metrics are updated
 	MetricsUpdateFreq = "metrics-update-freq"
 	// ApiURL is the command line flag used to define the base URL of the API
 	ApiURL = "api-url"
 	// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.
 	VirtualDNSServiceResolverAddresses = "dns-resolver-addrs"
 	// Management hostname to signify incoming management requests
 	ManagementHostname = "management-hostname"
 	// Automatically close the login interstitial browser window after the user makes a decision.
 	AutoCloseInterstitial = "auto-close"
 )
--- a/cmd/cloudflared/generic_service.go
+++ b/cmd/cloudflared/generic_service.go
@ -1,14 +1,40 @@
 //go:build !windows && !darwin && !linux
 // +build !windows,!darwin,!linux
 package main
 import (
 	"fmt"
 	"os"
 	cli "github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared system service (not supported on this operating system)",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
 				Usage:  "Install cloudflared as a system service (not supported on this operating system)",
 				Action: cliutil.ConfiguredAction(installGenericService),
 			},
 			{
 				Name:   "uninstall",
 				Usage:  "Uninstall the cloudflared service (not supported on this operating system)",
 				Action: cliutil.ConfiguredAction(uninstallGenericService),
 			},
 		},
 	})
 	app.Run(os.Args)
 }
 func installGenericService(c *cli.Context) error {
 	return fmt.Errorf("service installation is not supported on this operating system")
 }
 func uninstallGenericService(c *cli.Context) error {
 	return fmt.Errorf("service uninstallation is not supported on this operating system")
 }
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -1,10 +1,10 @@
 //go:build linux
 // +build linux
 package main
 import (
 	"fmt"
 	"io"
 	"os"
 	"github.com/rs/zerolog"
@ -16,7 +16,7 @@ import (
 	"github.com/cloudflare/cloudflared/logger"
 )
-func runApp(app *cli.App, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, _ chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared system service",
@ -36,7 +36,7 @@ func runApp(app *cli.App, graceShutdownC chan struct{}) {
 			},
 		},
 	})
-	app.Run(os.Args)
+	_ = app.Run(os.Args)
 }
 // The directory and files that are used by the service.
@ -56,10 +56,11 @@ var systemdAllTemplates = map[string]ServiceTemplate{
 		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredService),
 		Content: `[Unit]
 Description=cloudflared
-After=network.target
+After=network-online.target
 Wants=network-online.target
 [Service]
-TimeoutStartSec=0
+TimeoutStartSec=15
 Type=notify
 ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
@ -73,7 +74,8 @@ WantedBy=multi-user.target
 		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateService),
 		Content: `[Unit]
 Description=Update cloudflared
-After=network.target
+After=network-online.target
 Wants=network-online.target
 [Service]
 ExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 11 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'
@ -96,6 +98,7 @@ WantedBy=timers.target
 var sysvTemplate = ServiceTemplate{
 	Path:     "/etc/init.d/cloudflared",
 	FileMode: 0755,
 	// nolint: dupword
 	Content: `#!/bin/sh
 # For RedHat and cousins:
 # chkconfig: 2345 99 01
@ -183,13 +186,11 @@ exit 0
 `,
 }
-var (
+var noUpdateServiceFlag = &cli.BoolFlag{
-	noUpdateServiceFlag = &cli.BoolFlag{
+	Name:  "no-update-service",
-		Name:  "no-update-service",
+	Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
-		Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
+	Value: false,
-		Value: false,
+}
 	}
 )
 func isSystemd() bool {
 	if _, err := os.Stat("/run/systemd/system"); err == nil {
@ -370,7 +371,7 @@ func uninstallSystemd(log *zerolog.Logger) error {
 	// Get only the installed services
 	installedServices := make(map[string]ServiceTemplate)
 	for serviceName, serviceTemplate := range systemdAllTemplates {
-		if err := runCommand("systemctl", "status", serviceName); err == nil {
+		if err := runCommand("systemctl", "list-units", "--all", "|", "grep", serviceName); err == nil {
 			installedServices[serviceName] = serviceTemplate
 		} else {
 			log.Info().Msgf("Service '%s' not installed, skipping its uninstall", serviceName)
@ -429,3 +430,38 @@ func uninstallSysv(log *zerolog.Logger) error {
 	}
 	return nil
 }
 func ensureConfigDirExists(configDir string) error {
 	ok, err := config.FileExists(configDir)
 	if !ok && err == nil {
 		err = os.Mkdir(configDir, 0755)
 	}
 	return err
 }
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	destFile, err := os.Create(dest)
 	if err != nil {
 		return err
 	}
 	ok := false
 	defer func() {
 		destFile.Close()
 		if !ok {
 			_ = os.Remove(dest)
 		}
 	}()
 	if _, err := io.Copy(destFile, srcFile); err != nil {
 		return err
 	}
 	ok = true
 	return nil
 }
--- a/cmd/cloudflared/macos_service.go
+++ b/cmd/cloudflared/macos_service.go
@ -1,5 +1,4 @@
 //go:build darwin
 // +build darwin
 package main
@ -7,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
@ -18,7 +18,7 @@ const (
 	launchdIdentifier = "com.cloudflare.cloudflared"
 )
-func runApp(app *cli.App, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, _ chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared launch agent",
@ -120,7 +120,7 @@ func installLaunchd(c *cli.Context) error {
 		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
 			"Note that cloudflared client will only run when the user is logged in. " +
 			"If you want to run cloudflared client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
+			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos/")
 	}
 	etPath, err := os.Executable()
 	if err != nil {
@ -208,3 +208,15 @@ func uninstallLaunchd(c *cli.Context) error {
 	}
 	return err
 }
 func userHomeDir() (string, error) {
 	// This returns the home dir of the executing user using OS-specific method
 	// for discovering the home dir. It's not recommended to call this function
 	// when the user has root permission as $HOME depends on what options the user
 	// use with sudo.
 	homeDir, err := homedir.Dir()
 	if err != nil {
 		return "", errors.Wrap(err, "Cannot determine home directory for the user")
 	}
 	return homeDir, nil
 }
--- a/cmd/cloudflared/main.go
+++ b/cmd/cloudflared/main.go
@ -2,18 +2,17 @@ package main
 import (
 	"fmt"
-	"math/rand"
+	"os"
 	"strings"
 	"time"
 	"github.com/getsentry/sentry-go"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"go.uber.org/automaxprocs/maxprocs"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
@ -49,9 +48,10 @@ var (
 )
 func main() {
-	rand.Seed(time.Now().UnixNano())
+	// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
 	os.Setenv("QUIC_GO_DISABLE_ECN", "1")
 	metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
-	maxprocs.Set()
+	_, _ = maxprocs.Set()
 	bInfo := cliutil.GetBuildInfo(BuildType, Version)
 	// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
@ -87,7 +87,7 @@ func main() {
 	tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
 	access.Init(graceShutdownC, Version)
-	updater.Init(Version)
+	updater.Init(bInfo)
 	tracing.Init(Version)
 	token.Init(Version)
 	tail.Init(bInfo)
@ -106,7 +106,7 @@ func commands(version func(c *cli.Context)) []*cli.Command {
 					Usage: "specify if you wish to update to the latest beta version",
 				},
 				&cli.BoolFlag{
-					Name:   "force",
+					Name:   cfdflags.Force,
 					Usage:  "specify if you wish to force an upgrade to the latest version regardless of the current version",
 					Hidden: true,
 				},
@ -130,11 +130,22 @@ To determine if an update happened in a script, check for error code 11.`,
 		{
 			Name: "version",
 			Action: func(c *cli.Context) (err error) {
 				if c.Bool("short") {
 					fmt.Println(strings.Split(c.App.Version, " ")[0])
 					return nil
 				}
 				version(c)
 				return nil
 			},
 			Usage:       versionText,
 			Description: versionText,
 			Flags: []cli.Flag{
 				&cli.BoolFlag{
 					Name:    "short",
 					Aliases: []string{"s"},
 					Usage:   "print just the version number",
 				},
 			},
 		},
 	}
 	cmds = append(cmds, tunnel.Commands()...)
@ -169,18 +180,6 @@ func action(graceShutdownC chan struct{}) cli.ActionFunc {
 	})
 }
 func userHomeDir() (string, error) {
 	// This returns the home dir of the executing user using OS-specific method
 	// for discovering the home dir. It's not recommended to call this function
 	// when the user has root permission as $HOME depends on what options the user
 	// use with sudo.
 	homeDir, err := homedir.Dir()
 	if err != nil {
 		return "", errors.Wrap(err, "Cannot determine home directory for the user")
 	}
 	return homeDir, nil
 }
 // In order to keep the amount of noise sent to Sentry low, typical network errors can be filtered out here by a substring match.
 func captureError(err error) {
 	errorMessage := err.Error()
--- a/cmd/cloudflared/service_template.go
+++ b/cmd/cloudflared/service_template.go
@ -1,18 +1,16 @@
 package main
 import (
 	"bufio"
 	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
-	"path"
+	"path/filepath"
 	"text/template"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/cloudflare/cloudflared/config"
 )
 type ServiceTemplate struct {
@ -44,7 +42,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		return err
 	}
 	if _, err = os.Stat(resolvedPath); err == nil {
-		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
+		return errors.New(serviceAlreadyExistsWarn(resolvedPath))
 	}
 	var buffer bytes.Buffer
@ -57,7 +55,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		fileMode = st.FileMode
 	}
-	plistFolder := path.Dir(resolvedPath)
+	plistFolder := filepath.Dir(resolvedPath)
 	err = os.MkdirAll(plistFolder, 0o755)
 	if err != nil {
 		return fmt.Errorf("error creating %s: %v", plistFolder, err)
@ -109,114 +107,3 @@ func runCommand(command string, args ...string) error {
 	}
 	return nil
 }
 func ensureConfigDirExists(configDir string) error {
 	ok, err := config.FileExists(configDir)
 	if !ok && err == nil {
 		err = os.Mkdir(configDir, 0755)
 	}
 	return err
 }
 // openFile opens the file at path. If create is set and the file exists, returns nil, true, nil
 func openFile(path string, create bool) (file *os.File, exists bool, err error) {
 	expandedPath, err := homedir.Expand(path)
 	if err != nil {
 		return nil, false, err
 	}
 	if create {
 		fileInfo, err := os.Stat(expandedPath)
 		if err == nil && fileInfo.Size() > 0 {
 			return nil, true, nil
 		}
 		file, err = os.OpenFile(expandedPath, os.O_RDWR|os.O_CREATE, 0600)
 	} else {
 		file, err = os.Open(expandedPath)
 	}
 	return file, false, err
 }
 func copyCredential(srcCredentialPath, destCredentialPath string) error {
 	destFile, exists, err := openFile(destCredentialPath, true)
 	if err != nil {
 		return err
 	} else if exists {
 		// credentials already exist, do nothing
 		return nil
 	}
 	defer destFile.Close()
 	srcFile, _, err := openFile(srcCredentialPath, false)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	// Copy certificate
 	_, err = io.Copy(destFile, srcFile)
 	if err != nil {
 		return fmt.Errorf("unable to copy %s to %s: %v", srcCredentialPath, destCredentialPath, err)
 	}
 	return nil
 }
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	destFile, err := os.Create(dest)
 	if err != nil {
 		return err
 	}
 	ok := false
 	defer func() {
 		destFile.Close()
 		if !ok {
 			_ = os.Remove(dest)
 		}
 	}()
 	if _, err := io.Copy(destFile, srcFile); err != nil {
 		return err
 	}
 	ok = true
 	return nil
 }
 func copyConfig(srcConfigPath, destConfigPath string) error {
 	// Copy or create config
 	destFile, exists, err := openFile(destConfigPath, true)
 	if err != nil {
 		return fmt.Errorf("cannot open %s with error: %s", destConfigPath, err)
 	} else if exists {
 		// config already exists, do nothing
 		return nil
 	}
 	defer destFile.Close()
 	srcFile, _, err := openFile(srcConfigPath, false)
 	if err != nil {
 		fmt.Println("Your service needs a config file that at least specifies the hostname option.")
 		fmt.Println("Type in a hostname now, or leave it blank and create the config file later.")
 		fmt.Print("Hostname: ")
 		reader := bufio.NewReader(os.Stdin)
 		input, _ := reader.ReadString('\n')
 		if input == "" {
 			return err
 		}
 		fmt.Fprintf(destFile, "hostname: %s\n", input)
 	} else {
 		defer srcFile.Close()
 		_, err = io.Copy(destFile, srcFile)
 		if err != nil {
 			return fmt.Errorf("unable to copy %s to %s: %v", srcConfigPath, destConfigPath, err)
 		}
 	}
 	return nil
 }
--- a/cmd/cloudflared/tail/cmd.go
+++ b/cmd/cloudflared/tail/cmd.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
@ -18,14 +19,12 @@ import (
 	"nhooyr.io/websocket"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
 )
-var (
+var buildInfo *cliutil.BuildInfo
 	buildInfo *cliutil.BuildInfo
 )
 func Init(bi *cliutil.BuildInfo) {
 	buildInfo = bi
@ -52,11 +51,12 @@ func buildTailManagementTokenSubcommand() *cli.Command {
 func managementTokenCommand(c *cli.Context) error {
 	log := createLogger(c)
 	token, err := getManagementToken(c, log)
 	if err != nil {
 		return err
 	}
-	var tokenResponse = struct {
+	tokenResponse := struct {
 		Token string `json:"token"`
 	}{Token: token}
@ -100,13 +100,7 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
-				Name:    "output",
+				Name:    cfdflags.ManagementHostname,
 				Usage:   "Output format for the logs (default, json)",
 				Value:   "default",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
 			},
 			&cli.StringFlag{
 				Name:    "management-hostname",
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
@ -119,17 +113,18 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				Value:  "",
 			},
 			&cli.StringFlag{
-				Name:    logger.LogLevelFlag,
+				Name:    cfdflags.LogLevel,
 				Value:   "info",
 				Usage:   "Application logging level {debug, info, warn, error, fatal}",
 				EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			},
 			&cli.StringFlag{
-				Name:    credentials.OriginCertFlag,
+				Name:    cfdflags.OriginCert,
 				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
 			cliutil.FlagLogOutput,
 		},
 		Subcommands: subcommands,
 	}
@ -169,23 +164,35 @@ func handleValidationError(resp *http.Response, log *zerolog.Logger) {
 // logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
 // management requests
 func createLogger(c *cli.Context) *zerolog.Logger {
-	level, levelErr := zerolog.ParseLevel(c.String(logger.LogLevelFlag))
+	level, levelErr := zerolog.ParseLevel(c.String(cfdflags.LogLevel))
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
-	log := zerolog.New(zerolog.ConsoleWriter{
+	var writer io.Writer
-		Out:        colorable.NewColorable(os.Stderr),
+	switch c.String(cfdflags.LogFormatOutput) {
-		TimeFormat: time.RFC3339,
+	case cfdflags.LogFormatOutputValueJSON:
-	}).With().Timestamp().Logger().Level(level)
+		// zerolog by default outputs as JSON
 		writer = os.Stderr
 	case cfdflags.LogFormatOutputValueDefault:
 		// "default" and unset use the same logger output format
 		fallthrough
 	default:
 		writer = zerolog.ConsoleWriter{
 			Out:        colorable.NewColorable(os.Stderr),
 			TimeFormat: time.RFC3339,
 		}
 	}
 	log := zerolog.New(writer).With().Timestamp().Logger().Level(level)
 	return &log
 }
 // parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
 func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	var level *management.LogLevel
 	var events []management.LogEventType
 	var sample float64
 	events := make([]management.LogEventType, 0)
 	argLevel := c.String("level")
 	argEvents := c.StringSlice("event")
 	argSample := c.Float64("sample")
@ -225,12 +232,19 @@ func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 // getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
 func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
-	userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
+	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	if err != nil {
 		return "", err
 	}
-	client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
+	var apiURL string
 	if userCreds.IsFEDEndpoint() {
 		apiURL = credentials.FedRampBaseApiURL
 	} else {
 		apiURL = c.String(cfdflags.ApiURL)
 	}
 	client, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
@ -255,7 +269,7 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
 func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 	var err error
-	managementHostname := c.String("management-hostname")
+
 	token := c.String("token")
 	if token == "" {
 		token, err = getManagementToken(c, log)
@ -263,6 +277,19 @@ func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
 	claims, err := management.ParseToken(token)
 	if err != nil {
 		return url.URL{}, fmt.Errorf("failed to determine if token is FED: %w", err)
 	}
 	var managementHostname string
 	if claims.IsFed() {
 		managementHostname = credentials.FedRampHostname
 	} else {
 		managementHostname = c.String(cfdflags.ManagementHostname)
 	}
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")
@ -331,6 +358,7 @@ func Run(c *cli.Context) error {
 		header["cf-trace-id"] = []string{trace}
 	}
 	ctx := c.Context
 	// nolint: bodyclose
 	conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
 		HTTPHeader: header,
 	})
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/url"
 	"os"
 	"path/filepath"
 	"runtime/trace"
 	"strings"
 	"sync"
@ -14,8 +15,7 @@ import (
 	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/facebookgo/grace/gracenet"
 	"github.com/getsentry/sentry-go"
-	"github.com/google/uuid"
+	"github.com/mitchellh/go-homedir"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@ -23,13 +23,14 @@ import (
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/diagnostic"
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
@ -39,56 +40,13 @@ import (
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	"github.com/cloudflare/cloudflared/tunneldns"
 	"github.com/cloudflare/cloudflared/tunnelstate"
 	"github.com/cloudflare/cloudflared/validation"
 )
 const (
 	sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878"
 	// ha-Connections specifies how many connections to make to the edge
 	haConnectionsFlag = "ha-connections"
 	// sshPortFlag is the port on localhost the cloudflared ssh server will run on
 	sshPortFlag = "local-ssh-port"
 	// sshIdleTimeoutFlag defines the duration a SSH session can remain idle before being closed
 	sshIdleTimeoutFlag = "ssh-idle-timeout"
 	// sshMaxTimeoutFlag defines the max duration a SSH session can remain open for
 	sshMaxTimeoutFlag = "ssh-max-timeout"
 	// bucketNameFlag is the bucket name to use for the SSH log uploader
 	bucketNameFlag = "bucket-name"
 	// regionNameFlag is the AWS region name to use for the SSH log uploader
 	regionNameFlag = "region-name"
 	// secretIDFlag is the Secret id of SSH log uploader
 	secretIDFlag = "secret-id"
 	// accessKeyIDFlag is the Access key id of SSH log uploader
 	accessKeyIDFlag = "access-key-id"
 	// sessionTokenIDFlag is the Session token of SSH log uploader
 	sessionTokenIDFlag = "session-token"
 	// s3URLFlag is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
 	s3URLFlag = "s3-url-host"
 	// hostKeyPath is the path of the dir to save SSH host keys too
 	hostKeyPath = "host-key-path"
 	// udpUnregisterSessionTimeout is how long we wait before we stop trying to unregister a UDP session from the edge
 	udpUnregisterSessionTimeoutFlag = "udp-unregister-session-timeout"
 	// quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
 	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
 	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
 	quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
 	// uiFlag is to enable launching cloudflared in interactive UI mode
 	uiFlag = "ui"
 	LogFieldCommand             = "command"
 	LogFieldExpandedPath        = "expandedPath"
 	LogFieldPIDPathname         = "pidPathname"
@ -103,7 +61,6 @@ Eg. cloudflared tunnel --url localhost:8080/.
 Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes.
 For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)
 `
 	connectorLabelFlag = "label"
 )
 var (
@ -113,7 +70,96 @@ var (
 	routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+
 		"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+
 		"any existing DNS records for this hostname.", overwriteDNSFlag)
-	deprecatedClassicTunnelErr = fmt.Errorf("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
+	errDeprecatedClassicTunnel = errors.New("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
 	// TODO: TUN-8756 the list below denotes the flags that do not possess any kind of sensitive information
 	// however this approach is not maintainble in the long-term.
 	nonSecretFlagsList = []string{
 		"config",
 		cfdflags.AutoUpdateFreq,
 		cfdflags.NoAutoUpdate,
 		cfdflags.Metrics,
 		"pidfile",
 		"url",
 		"hello-world",
 		"socks5",
 		"proxy-connect-timeout",
 		"proxy-tls-timeout",
 		"proxy-tcp-keepalive",
 		"proxy-no-happy-eyeballs",
 		"proxy-keepalive-connections",
 		"proxy-keepalive-timeout",
 		"proxy-connection-timeout",
 		"proxy-expect-continue-timeout",
 		"http-host-header",
 		"origin-server-name",
 		"unix-socket",
 		"origin-ca-pool",
 		"no-tls-verify",
 		"no-chunked-encoding",
 		"http2-origin",
 		cfdflags.ManagementHostname,
 		"service-op-ip",
 		"local-ssh-port",
 		"ssh-idle-timeout",
 		"ssh-max-timeout",
 		"bucket-name",
 		"region-name",
 		"s3-url-host",
 		"host-key-path",
 		"ssh-server",
 		"bastion",
 		"proxy-address",
 		"proxy-port",
 		cfdflags.LogLevel,
 		cfdflags.TransportLogLevel,
 		cfdflags.LogFile,
 		cfdflags.LogDirectory,
 		cfdflags.TraceOutput,
 		cfdflags.ProxyDns,
 		"proxy-dns-port",
 		"proxy-dns-address",
 		"proxy-dns-upstream",
 		"proxy-dns-max-upstream-conns",
 		"proxy-dns-bootstrap",
 		cfdflags.IsAutoUpdated,
 		cfdflags.Edge,
 		cfdflags.Region,
 		cfdflags.EdgeIpVersion,
 		cfdflags.EdgeBindAddress,
 		"cacert",
 		"hostname",
 		"id",
 		cfdflags.LBPool,
 		cfdflags.ApiURL,
 		cfdflags.MetricsUpdateFreq,
 		cfdflags.Tag,
 		"heartbeat-interval",
 		"heartbeat-count",
 		cfdflags.MaxEdgeAddrRetries,
 		cfdflags.Retries,
 		"ha-connections",
 		"rpc-timeout",
 		"write-stream-timeout",
 		"quic-disable-pmtu-discovery",
 		"quic-connection-level-flow-control-limit",
 		"quic-stream-level-flow-control-limit",
 		cfdflags.ConnectorLabel,
 		cfdflags.GracePeriod,
 		"compression-quality",
 		"use-reconnect-token",
 		"dial-edge-timeout",
 		"stdin-control",
 		cfdflags.Name,
 		cfdflags.Ui,
 		"quick-service",
 		"max-fetch-size",
 		cfdflags.PostQuantum,
 		"management-diagnostics",
 		cfdflags.Protocol,
 		"overwrite-dns",
 		"help",
 		cfdflags.MaxActiveFlows,
 	}
 )
 func Flags() []cli.Flag {
@ -128,11 +174,13 @@ func Commands() []*cli.Command {
 		buildVirtualNetworkSubcommand(false),
 		buildRunCommand(),
 		buildListCommand(),
 		buildReadyCommand(),
 		buildInfoCommand(),
 		buildIngressSubcommand(),
 		buildDeleteCommand(),
 		buildCleanupCommand(),
 		buildTokenCommand(),
 		buildDiagCommand(),
 		// for compatibility, allow following as tunnel subcommands
 		proxydns.Command(true),
 		cliutil.RemovedCommand("db-connect"),
@ -159,7 +207,7 @@ then protect with Cloudflare Access).
  B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
 those enrolled to a Zero Trust WARP Client.
-You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
+You can manage your Tunnels via one.dash.cloudflare.com. This approach will only require you to run a single command
 later in each machine where you wish to run a Tunnel.
 Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
@ -195,7 +243,7 @@ func TunnelCommand(c *cli.Context) error {
 	// --name required
 	// --url or --hello-world required
 	// --hostname optional
-	if name := c.String("name"); name != "" {
+	if name := c.String(cfdflags.Name); name != "" {
 		hostname, err := validation.ValidateHostname(c.String("hostname"))
 		if err != nil {
 			return errors.Wrap(err, "Invalid hostname provided")
@ -212,7 +260,7 @@ func TunnelCommand(c *cli.Context) error {
 	// A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com
 	// We don't support running proxy-dns and a quick tunnel at the same time as the same process
 	shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag)
-	if !c.IsSet("proxy-dns") && c.String("quick-service") != "" && shouldRunQuickTunnel {
+	if !c.IsSet(cfdflags.ProxyDns) && c.String("quick-service") != "" && shouldRunQuickTunnel {
 		return RunQuickTunnel(sc)
 	}
@ -223,10 +271,10 @@ func TunnelCommand(c *cli.Context) error {
 	// Classic tunnel usage is no longer supported
 	if c.String("hostname") != "" {
-		return deprecatedClassicTunnelErr
+		return errDeprecatedClassicTunnel
 	}
-	if c.IsSet("proxy-dns") {
+	if c.IsSet(cfdflags.ProxyDns) {
 		if shouldRunQuickTunnel {
 			return fmt.Errorf("running a quick tunnel with `proxy-dns` is not supported")
 		}
@ -273,7 +321,7 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
 func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
 	if hostname := c.String("hostname"); hostname != "" {
-		if lbPool := c.String("lb-pool"); lbPool != "" {
+		if lbPool := c.String(cfdflags.LBPool); lbPool != "" {
 			return cfapi.NewLBRoute(hostname, lbPool), true
 		}
 		return cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true
@ -284,7 +332,7 @@ func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
 func StartServer(
 	c *cli.Context,
 	info *cliutil.BuildInfo,
-	namedTunnel *connection.NamedTunnelProperties,
+	namedTunnel *connection.TunnelProperties,
 	log *zerolog.Logger,
 ) error {
 	err := sentry.Init(sentry.ClientOptions{
@ -303,7 +351,7 @@ func StartServer(
 		log.Info().Msg(config.ErrNoConfigFile.Error())
 	}
-	if c.IsSet("trace-output") {
+	if c.IsSet(cfdflags.TraceOutput) {
 		tmpTraceFile, err := os.CreateTemp("", "trace")
 		if err != nil {
 			log.Err(err).Msg("Failed to create new temporary file to save trace output")
@ -315,7 +363,7 @@ func StartServer(
 			if err := tmpTraceFile.Close(); err != nil {
 				traceLog.Err(err).Msg("Failed to close temporary trace output file")
 			}
-			traceOutputFilepath := c.String("trace-output")
+			traceOutputFilepath := c.String(cfdflags.TraceOutput)
 			if err := os.Rename(tmpTraceFile.Name(), traceOutputFilepath); err != nil {
 				traceLog.
 					Err(err).
@ -340,12 +388,12 @@ func StartServer(
 	logClientOptions(c, log)
 	// this context drives the server, when it's cancelled tunnel and all other components (origins, dns, etc...) should stop
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(c.Context)
 	defer cancel()
 	go waitForSignal(graceShutdownC, log)
-	if c.IsSet("proxy-dns") {
+	if c.IsSet(cfdflags.ProxyDns) {
 		dnsReadySignal := make(chan struct{})
 		wg.Add(1)
 		go func() {
@ -367,7 +415,7 @@ func StartServer(
 	go func() {
 		defer wg.Done()
 		autoupdater := updater.NewAutoUpdater(
-			c.Bool("no-autoupdate"), c.Duration("autoupdate-freq"), &listeners, log,
+			c.Bool(cfdflags.NoAutoUpdate), c.Duration(cfdflags.AutoUpdateFreq), &listeners, log,
 		)
 		errC <- autoupdater.Run(ctx)
 	}()
@ -392,65 +440,98 @@ func StartServer(
 		observer.SendURL(quickTunnelURL)
 	}
-	tunnelConfig, orchestratorConfig, err := prepareTunnelConfig(c, info, log, logTransport, observer, namedTunnel)
+	tunnelConfig, orchestratorConfig, err := prepareTunnelConfig(ctx, c, info, log, logTransport, observer, namedTunnel)
 	if err != nil {
 		log.Err(err).Msg("Couldn't start tunnel")
 		return err
 	}
-	var clientID uuid.UUID
+	connectorID := tunnelConfig.ClientConfig.ConnectorID
-	if tunnelConfig.NamedTunnel != nil {
+
-		clientID, err = uuid.FromBytes(tunnelConfig.NamedTunnel.Client.ClientID)
+	// Disable ICMP packet routing for quick tunnels
-		if err != nil {
+	if quickTunnelURL != "" {
-			// set to nil for classic tunnels
+		tunnelConfig.ICMPRouterServer = nil
-			clientID = uuid.Nil
+	}
 	serviceIP := c.String("service-op-ip")
 	if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
 		if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
 			serviceIP = serviceAddr.TCP.String()
 		}
 	}
-	internalRules := []ingress.Rule{}
+	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
-	if features.Contains(features.FeatureManagementLogs) {
+	var isFEDEndpoint bool
-		serviceIP := c.String("service-op-ip")
+	if err != nil {
-		if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
+		isFEDEndpoint = false
-			if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
+	} else {
-				serviceIP = serviceAddr.TCP.String()
+		isFEDEndpoint = userCreds.IsFEDEndpoint()
 			}
 		}
 		mgmt := management.New(
 			c.String("management-hostname"),
 			c.Bool("management-diagnostics"),
 			serviceIP,
 			clientID,
 			c.String(connectorLabelFlag),
 			logger.ManagementLogger.Log,
 			logger.ManagementLogger,
 		)
 		internalRules = []ingress.Rule{ingress.NewManagementRule(mgmt)}
 	}
 	var managementHostname string
 	if isFEDEndpoint {
 		managementHostname = credentials.FedRampHostname
 	} else {
 		managementHostname = c.String(cfdflags.ManagementHostname)
 	}
 	mgmt := management.New(
 		managementHostname,
 		c.Bool("management-diagnostics"),
 		serviceIP,
 		connectorID,
 		c.String(cfdflags.ConnectorLabel),
 		logger.ManagementLogger.Log,
 		logger.ManagementLogger,
 	)
 	internalRules := []ingress.Rule{ingress.NewManagementRule(mgmt)}
 	orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log)
 	if err != nil {
 		return err
 	}
-	metricsListener, err := listeners.Listen("tcp", c.String("metrics"))
+	metricsListener, err := metrics.CreateMetricsListener(&listeners, c.String("metrics"))
 	if err != nil {
 		log.Err(err).Msg("Error opening metrics server listener")
 		return errors.Wrap(err, "Error opening metrics server listener")
 	}
 	defer metricsListener.Close()
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		readinessServer := metrics.NewReadyServer(log, clientID)
+		tracker := tunnelstate.NewConnTracker(log)
-		observer.RegisterSink(readinessServer)
+		observer.RegisterSink(tracker)
 		ipv4, ipv6, err := determineICMPSources(c, log)
 		sources := make([]string, 0)
 		if err == nil {
 			sources = append(sources, ipv4.String())
 			sources = append(sources, ipv6.String())
 		}
 		readinessServer := metrics.NewReadyServer(connectorID, tracker)
 		cliFlags := nonSecretCliFlags(log, c, nonSecretFlagsList)
 		diagnosticHandler := diagnostic.NewDiagnosticHandler(
 			log,
 			0,
 			diagnostic.NewSystemCollectorImpl(buildInfo.CloudflaredVersion),
 			tunnelConfig.NamedTunnel.Credentials.TunnelID,
 			connectorID,
 			tracker,
 			cliFlags,
 			sources,
 		)
 		metricsConfig := metrics.Config{
 			ReadyServer:         readinessServer,
 			DiagnosticHandler:   diagnosticHandler,
 			QuickTunnelHostname: quickTunnelURL,
 			Orchestrator:        orchestrator,
 		}
 		errC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log)
 	}()
-	reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(haConnectionsFlag))
+	reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(cfdflags.HaConnections))
 	if c.IsSet("stdin-control") {
 		log.Info().Msg("Enabling control through stdin")
 		go stdinControl(reconnectCh, log)
@ -487,8 +568,10 @@ func waitToShutdown(wg *sync.WaitGroup,
 		log.Debug().Msg("Graceful shutdown signalled")
 		if gracePeriod > 0 {
 			// wait for either grace period or service termination
 			ticker := time.NewTicker(gracePeriod)
 			defer ticker.Stop()
 			select {
-			case <-time.Tick(gracePeriod):
+			case <-ticker.C:
 			case <-errC:
 			}
 		}
@ -516,7 +599,7 @@ func waitToShutdown(wg *sync.WaitGroup,
 func notifySystemd(waitForSignal *signal.Signal) {
 	<-waitForSignal.Wait()
-	daemon.SdNotify(false, "READY=1")
+	_, _ = daemon.SdNotify(false, "READY=1")
 }
 func writePidFile(waitForSignal *signal.Signal, pidPathname string, log *zerolog.Logger) {
@ -568,31 +651,31 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 	flags = append(flags, []cli.Flag{
 		credentialsFileFlag,
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:   "is-autoupdated",
+			Name:   cfdflags.IsAutoUpdated,
 			Usage:  "Signal the new process that Cloudflare Tunnel connector has been autoupdated",
 			Value:  false,
 			Hidden: true,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-			Name:    "edge",
+			Name:    cfdflags.Edge,
 			Usage:   "Address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment.",
 			EnvVars: []string{"TUNNEL_EDGE"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "region",
+			Name:    cfdflags.Region,
 			Usage:   "Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.",
 			EnvVars: []string{"TUNNEL_REGION"},
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "edge-ip-version",
+			Name:    cfdflags.EdgeIpVersion,
 			Usage:   "Cloudflare Edge IP address version to connect with. {4, 6, auto}",
 			EnvVars: []string{"TUNNEL_EDGE_IP_VERSION"},
 			Value:   "4",
 			Hidden:  false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "edge-bind-address",
+			Name:    cfdflags.EdgeBindAddress,
 			Usage:   "Bind to IP address for outgoing connections to Cloudflare Edge.",
 			EnvVars: []string{"TUNNEL_EDGE_BIND_ADDRESS"},
 			Hidden:  false,
@ -616,7 +699,7 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "lb-pool",
+			Name:    cfdflags.LBPool,
 			Usage:   "The name of a (new/existing) load balancing pool to add this origin to.",
 			EnvVars: []string{"TUNNEL_LB_POOL"},
 			Hidden:  shouldHide,
@ -640,24 +723,24 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "api-url",
+			Name:    cfdflags.ApiURL,
 			Usage:   "Base URL for Cloudflare API v4",
 			EnvVars: []string{"TUNNEL_API_URL"},
 			Value:   "https://api.cloudflare.com/client/v4",
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    "metrics-update-freq",
+			Name:    cfdflags.MetricsUpdateFreq,
 			Usage:   "Frequency to update tunnel metrics",
 			Value:   time.Second * 5,
 			EnvVars: []string{"TUNNEL_METRICS_UPDATE_FREQ"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-			Name:    "tag",
+			Name:    cfdflags.Tag,
-			Usage:   "Custom tags used to identify this tunnel, in format `KEY=VALUE`. Multiple tags may be specified",
+			Usage:   "Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.",
 			EnvVars: []string{"TUNNEL_TAG"},
-			Hidden:  shouldHide,
+			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   "heartbeat-interval",
@ -673,43 +756,64 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden: true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:   "max-edge-addr-retries",
+			Name:   cfdflags.MaxEdgeAddrRetries,
 			Usage:  "Maximum number of times to retry on edge addrs before falling back to a lower protocol",
 			Value:  8,
 			Hidden: true,
 		}),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:    "retries",
+			Name:    cfdflags.Retries,
 			Value:   5,
 			Usage:   "Maximum number of retries for connection/protocol errors.",
 			EnvVars: []string{"TUNNEL_RETRIES"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:   haConnectionsFlag,
+			Name:   cfdflags.HaConnections,
 			Value:  4,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:   udpUnregisterSessionTimeoutFlag,
+			Name:   cfdflags.RpcTimeout,
 			Value:  5 * time.Second,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:    cfdflags.WriteStreamTimeout,
 			EnvVars: []string{"TUNNEL_STREAM_WRITE_TIMEOUT"},
 			Usage:   "Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.",
 			Value:   0 * time.Second,
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    quicDisablePathMTUDiscovery,
+			Name:    cfdflags.QuicDisablePathMTUDiscovery,
 			EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"},
 			Usage:   "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.",
 			Value:   false,
 			Hidden:  true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    cfdflags.QuicConnLevelFlowControlLimit,
 			EnvVars: []string{"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT"},
 			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
 			Value:   30 * (1 << 20), // 30 MB
 			Hidden:  true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    cfdflags.QuicStreamLevelFlowControlLimit,
 			EnvVars: []string{"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT"},
 			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
 			Value:   6 * (1 << 20), // 6 MB
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:  connectorLabelFlag,
+			Name:  cfdflags.ConnectorLabel,
 			Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.",
 			Value: "",
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    "grace-period",
+			Name:    cfdflags.GracePeriod,
 			Usage:   "When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.",
 			Value:   time.Second * 30,
 			EnvVars: []string{"TUNNEL_GRACE_PERIOD"},
@ -745,14 +849,14 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "name",
+			Name:    cfdflags.Name,
 			Aliases: []string{"n"},
 			EnvVars: []string{"TUNNEL_NAME"},
 			Usage:   "Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately",
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:   uiFlag,
+			Name:   cfdflags.Ui,
 			Usage:  "(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
 			Value:  false,
 			Hidden: true,
@ -770,17 +874,16 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "post-quantum",
+			Name:    cfdflags.PostQuantum,
 			Usage:   "When given creates an experimental post-quantum secure tunnel",
 			Aliases: []string{"pq"},
 			EnvVars: []string{"TUNNEL_POST_QUANTUM"},
 			Hidden:  FipsEnabled,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    "management-diagnostics",
 			Usage:   "Enables the in-depth diagnostic routes to be made available over the management service (/debug/pprof, /metrics, etc.)",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_DIAGNOSTICS"},
-			Value:   false,
+			Value:   true,
 		}),
 		selectProtocolFlag,
 		overwriteDNSFlag,
@ -799,29 +902,35 @@ func configureCloudflaredFlags(shouldHide bool) []cli.Flag {
 			Hidden: shouldHide,
 		},
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    credentials.OriginCertFlag,
+			Name:    cfdflags.OriginCert,
 			Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 			EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 			Value:   credentials.FindDefaultOriginCertPath(),
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:   "autoupdate-freq",
+			Name:   cfdflags.AutoUpdateFreq,
 			Usage:  fmt.Sprintf("Autoupdate frequency. Default is %v.", updater.DefaultCheckUpdateFreq),
 			Value:  updater.DefaultCheckUpdateFreq,
 			Hidden: shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "no-autoupdate",
+			Name:    cfdflags.NoAutoUpdate,
 			Usage:   "Disable periodic check for updates, restarting the server with the new version.",
 			EnvVars: []string{"NO_AUTOUPDATE"},
 			Value:   false,
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "metrics",
+			Name:  cfdflags.Metrics,
-			Value:   "localhost:",
+			Value: metrics.GetMetricsDefaultAddress(metrics.Runtime),
-			Usage:   "Listen address for metrics reporting.",
+			Usage: fmt.Sprintf(
 				`Listen address for metrics reporting. If no address is passed cloudflared will try to bind to %v.
 If all are unavailable, a random port will be used. Note that when running cloudflared from an virtual
 environment the default address binds to all interfaces, hence, it is important to isolate the host
 and virtualized host network stacks from each other`,
 				metrics.GetMetricsKnownAddresses(metrics.Runtime),
 			),
 			EnvVars: []string{"TUNNEL_METRICS"},
 			Hidden:  shouldHide,
 		}),
@ -948,7 +1057,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "management-hostname",
+			Name:    cfdflags.ManagementHostname,
 			Usage:   "Management hostname to signify incoming management requests",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 			Hidden:  true,
@ -977,62 +1086,62 @@ func legacyTunnelFlag(msg string) string {
 func sshFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    sshPortFlag,
+			Name:    cfdflags.SshPort,
 			Usage:   "Localhost port that cloudflared SSH server will run on",
 			Value:   "2222",
 			EnvVars: []string{"LOCAL_SSH_PORT"},
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    sshIdleTimeoutFlag,
+			Name:    cfdflags.SshIdleTimeout,
 			Usage:   "Connection timeout after no activity",
 			EnvVars: []string{"SSH_IDLE_TIMEOUT"},
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    sshMaxTimeoutFlag,
+			Name:    cfdflags.SshMaxTimeout,
 			Usage:   "Absolute connection timeout",
 			EnvVars: []string{"SSH_MAX_TIMEOUT"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    bucketNameFlag,
+			Name:    cfdflags.SshLogUploaderBucketName,
 			Usage:   "Bucket name of where to upload SSH logs",
 			EnvVars: []string{"BUCKET_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    regionNameFlag,
+			Name:    cfdflags.SshLogUploaderRegionName,
 			Usage:   "Region name of where to upload SSH logs",
 			EnvVars: []string{"REGION_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    secretIDFlag,
+			Name:    cfdflags.SshLogUploaderSecretID,
 			Usage:   "Secret ID of where to upload SSH logs",
 			EnvVars: []string{"SECRET_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    accessKeyIDFlag,
+			Name:    cfdflags.SshLogUploaderAccessKeyID,
 			Usage:   "Access Key ID of where to upload SSH logs",
 			EnvVars: []string{"ACCESS_CLIENT_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    sessionTokenIDFlag,
+			Name:    cfdflags.SshLogUploaderSessionTokenID,
 			Usage:   "Session Token to use in the configuration of SSH logs uploading",
 			EnvVars: []string{"SESSION_TOKEN_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    s3URLFlag,
+			Name:    cfdflags.SshLogUploaderS3URL,
 			Usage:   "S3 url of where to upload SSH logs",
 			EnvVars: []string{"S3_URL"},
 			Hidden:  true,
 		}),
 		altsrc.NewPathFlag(&cli.PathFlag{
-			Name:    hostKeyPath,
+			Name:    cfdflags.HostKeyPath,
 			Usage:   "Absolute path of directory to save SSH host keys in",
 			EnvVars: []string{"HOST_KEY_PATH"},
 			Hidden:  true,
@ -1072,7 +1181,7 @@ func sshFlags(shouldHide bool) []cli.Flag {
 func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "proxy-dns",
+			Name:    cfdflags.ProxyDns,
 			Usage:   "Run a DNS over HTTPS proxy server.",
 			EnvVars: []string{"TUNNEL_DNS"},
 			Hidden:  shouldHide,
@ -1152,3 +1261,46 @@ reconnect [delay]
 		}
 	}
 }
 func nonSecretCliFlags(log *zerolog.Logger, cli *cli.Context, flagInclusionList []string) map[string]string {
 	flagsNames := cli.FlagNames()
 	flags := make(map[string]string, len(flagsNames))
 	for _, flag := range flagsNames {
 		value := cli.String(flag)
 		if value == "" {
 			continue
 		}
 		isIncluded := isFlagIncluded(flagInclusionList, flag)
 		if !isIncluded {
 			continue
 		}
 		switch flag {
 		case cfdflags.LogDirectory, cfdflags.LogFile:
 			{
 				absolute, err := filepath.Abs(value)
 				if err != nil {
 					log.Error().Err(err).Msgf("could not convert %s path to absolute", flag)
 				} else {
 					flags[flag] = absolute
 				}
 			}
 		default:
 			flags[flag] = value
 		}
 	}
 	return flags
 }
 func isFlagIncluded(flagInclusionList []string, flag string) bool {
 	for _, include := range flagInclusionList {
 		if include == flag {
 			return true
 		}
 	}
 	return false
 }
--- a/cmd/cloudflared/tunnel/config_test.go
+++ b/cmd/cloudflared/tunnel/config_test.go
@ -1,13 +0,0 @@
 package tunnel
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestDedup(t *testing.T) {
 	expected := []string{"a", "b"}
 	actual := dedup([]string{"a", "b", "a"})
 	require.ElementsMatch(t, expected, actual)
 }
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -1,55 +1,61 @@
 package tunnel
 import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	mathRand "math/rand"
 	"net"
 	"net/netip"
 	"os"
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/term"
 	"github.com/cloudflare/cloudflared/client"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/ingress/origins"
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
-const secretValue = "*****"
+const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
 )
 var (
 	developerPortal = "https://developers.cloudflare.com/argo-tunnel"
 	serviceUrl      = developerPortal + "/reference/service/"
 	argumentsUrl    = developerPortal + "/reference/arguments/"
 	secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
-	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
+	configFlags = []string{
-)
+		flags.AutoUpdateFreq,
-
+		flags.NoAutoUpdate,
-func generateRandomClientID(log *zerolog.Logger) (string, error) {
+		flags.Retries,
-	u, err := uuid.NewRandom()
+		flags.Protocol,
-	if err != nil {
+		flags.LogLevel,
-		log.Error().Msgf("couldn't create UUID for client ID %s", err)
+		flags.TransportLogLevel,
-		return "", err
+		flags.OriginCert,
 		flags.Metrics,
 		flags.MetricsUpdateFreq,
 		flags.EdgeIpVersion,
 		flags.EdgeBindAddress,
 		flags.MaxActiveFlows,
 	}
-	return u.String(), nil
+)
 }
 func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	flags := make(map[string]interface{})
@ -105,38 +111,45 @@ func isSecretEnvVar(key string) bool {
 	return false
 }
-func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.NamedTunnelProperties) bool {
+func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
-	return c.IsSet("proxy-dns") &&
+	return c.IsSet(flags.ProxyDns) &&
-		!(c.IsSet("name") || // adhoc-named tunnel
+		!(c.IsSet(flags.Name) || // adhoc-named tunnel
 			c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
 			namedTunnel != nil) // named tunnel
 }
 func prepareTunnelConfig(
 	ctx context.Context,
 	c *cli.Context,
 	info *cliutil.BuildInfo,
 	log, logTransport *zerolog.Logger,
 	observer *connection.Observer,
-	namedTunnel *connection.NamedTunnelProperties,
+	namedTunnel *connection.TunnelProperties,
 ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
-	clientID, err := uuid.NewRandom()
+	transportProtocol := c.String(flags.Protocol)
 	isPostQuantumEnforced := c.Bool(flags.PostQuantum)
 	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice(flags.Features), isPostQuantumEnforced, log)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
+		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
 	}
-	log.Info().Msgf("Generated Connector ID: %s", clientID)
+
-	tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
+	clientConfig, err := client.NewConfig(info.Version(), info.OSArch(), featureSelector)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Info().Msgf("Generated Connector ID: %s", clientConfig.ConnectorID)
 	tags, err := NewTagSliceFromCLI(c.StringSlice(flags.Tag))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
 		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
-	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID.String()})
+	tags = append(tags, pogs.Tag{Name: "ID", Value: clientConfig.ConnectorID.String()})
-	transportProtocol := c.String("protocol")
+	clientFeatures := featureSelector.Snapshot()
-	needPQ := c.Bool("post-quantum")
+	pqMode := clientFeatures.PostQuantum
-	if needPQ {
+	if pqMode == features.PostQuantumStrict {
 		if FipsEnabled {
 			return nil, nil, fmt.Errorf("post-quantum not supported in FIPS mode")
 		}
 		// Error if the user tries to force a non-quic transport protocol
 		if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
 			return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
@ -144,23 +157,13 @@ func prepareTunnelConfig(
 		transportProtocol = connection.QUIC.String()
 	}
 	clientFeatures := dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
 	if needPQ {
 		clientFeatures = append(clientFeatures, features.FeaturePostQuantum)
 	}
 	namedTunnel.Client = tunnelpogs.ClientInfo{
 		ClientID: clientID[:],
 		Features: clientFeatures,
 		Version:  info.Version(),
 		Arch:     info.OSArch(),
 	}
 	cfg := config.GetConfiguration()
 	ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
 	if err != nil {
 		return nil, nil, err
 	}
-	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), c.Bool("post-quantum"), edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
+	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), isPostQuantumEnforced, edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
 	if err != nil {
 		return nil, nil, err
 	}
@ -186,11 +189,11 @@ func prepareTunnelConfig(
 	if err != nil {
 		return nil, nil, err
 	}
-	edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
+	edgeIPVersion, err := parseConfigIPVersion(c.String(flags.EdgeIpVersion))
 	if err != nil {
 		return nil, nil, err
 	}
-	edgeBindAddr, err := parseConfigBindAddress(c.String("edge-bind-address"))
+	edgeBindAddr, err := parseConfigBindAddress(c.String(flags.EdgeBindAddress))
 	if err != nil {
 		return nil, nil, err
 	}
@ -203,55 +206,82 @@ func prepareTunnelConfig(
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
-	var pqKexIdx int
+	region := c.String(flags.Region)
-	if needPQ {
+	endpoint := namedTunnel.Credentials.Endpoint
-		pqKexIdx = mathRand.Intn(len(supervisor.PQKexes))
+	var resolvedRegion string
-		log.Info().Msgf(
+	// set resolvedRegion to either the region passed as argument
-			"Using experimental hybrid post-quantum key agreement %s",
+	// or to the endpoint in the credentials.
-			supervisor.PQKexNames[supervisor.PQKexes[pqKexIdx]],
+	// Region and endpoint are interchangeable
-		)
+	if region != "" && endpoint != "" {
 		return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
 	} else if region != "" {
 		resolvedRegion = region
 	} else if endpoint != "" {
 		resolvedRegion = endpoint
 	}
 	warpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)
 	// Setup origin dialer service and virtual services
 	originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
 		DefaultDialer:   ingress.NewDialer(warpRoutingConfig),
 		TCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),
 	}, log)
 	// Setup DNS Resolver Service
 	originMetrics := origins.NewMetrics(prometheus.DefaultRegisterer)
 	dnsResolverAddrs := c.StringSlice(flags.VirtualDNSServiceResolverAddresses)
 	dnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log, originMetrics)
 	if len(dnsResolverAddrs) > 0 {
 		addrs, err := parseResolverAddrPorts(dnsResolverAddrs)
 		if err != nil {
 			return nil, nil, fmt.Errorf("invalid %s provided: %w", flags.VirtualDNSServiceResolverAddresses, err)
 		}
 		dnsService = origins.NewStaticDNSResolverService(addrs, origins.NewDNSDialer(), log, originMetrics)
 	}
 	originDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})
 	tunnelConfig := &supervisor.TunnelConfig{
 		ClientConfig:    clientConfig,
 		GracePeriod:     gracePeriod,
-		ReplaceExisting: c.Bool("force"),
+		EdgeAddrs:       c.StringSlice(flags.Edge),
-		OSArch:          info.OSArch(),
+		Region:          resolvedRegion,
 		ClientID:        clientID.String(),
 		EdgeAddrs:       c.StringSlice("edge"),
 		Region:          c.String("region"),
 		EdgeIPVersion:   edgeIPVersion,
 		EdgeBindAddr:    edgeBindAddr,
-		HAConnections:   c.Int(haConnectionsFlag),
+		HAConnections:   c.Int(flags.HaConnections),
-		IncidentLookup:  supervisor.NewIncidentLookup(),
+		IsAutoupdated:   c.Bool(flags.IsAutoUpdated),
-		IsAutoupdated:   c.Bool("is-autoupdated"),
+		LBPool:          c.String(flags.LBPool),
 		LBPool:          c.String("lb-pool"),
 		Tags:            tags,
 		Log:             log,
 		LogTransport:    logTransport,
 		Observer:        observer,
 		ReportedVersion: info.Version(),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
-		Retries:                     uint(c.Int("retries")),
+		Retries:                             uint(c.Int(flags.Retries)), // nolint: gosec
-		RunFromTerminal:             isRunningFromTerminal(),
+		RunFromTerminal:                     isRunningFromTerminal(),
-		NamedTunnel:                 namedTunnel,
+		NamedTunnel:                         namedTunnel,
-		ProtocolSelector:            protocolSelector,
+		ProtocolSelector:                    protocolSelector,
-		EdgeTLSConfigs:              edgeTLSConfigs,
+		EdgeTLSConfigs:                      edgeTLSConfigs,
-		NeedPQ:                      needPQ,
+		MaxEdgeAddrRetries:                  uint8(c.Int(flags.MaxEdgeAddrRetries)), // nolint: gosec
-		PQKexIdx:                    pqKexIdx,
+		RPCTimeout:                          c.Duration(flags.RpcTimeout),
-		MaxEdgeAddrRetries:          uint8(c.Int("max-edge-addr-retries")),
+		WriteStreamTimeout:                  c.Duration(flags.WriteStreamTimeout),
-		UDPUnregisterSessionTimeout: c.Duration(udpUnregisterSessionTimeoutFlag),
+		DisableQUICPathMTUDiscovery:         c.Bool(flags.QuicDisablePathMTUDiscovery),
-		DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery),
+		QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
 		QUICStreamLevelFlowControlLimit:     c.Uint64(flags.QuicStreamLevelFlowControlLimit),
 		OriginDNSService:                    dnsService,
 		OriginDialerService:                 originDialerService,
 	}
-	packetConfig, err := newPacketConfig(c, log)
+	icmpRouter, err := newICMPRouter(c, log)
 	if err != nil {
 		log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
 	} else {
-		tunnelConfig.PacketConfig = packetConfig
+		tunnelConfig.ICMPRouterServer = icmpRouter
 	}
 	orchestratorConfig := &orchestration.Config{
-		Ingress:            &ingressRules,
+		Ingress:             &ingressRules,
-		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
+		WarpRouting:         warpRoutingConfig,
-		ConfigurationFlags: parseConfigFlags(c),
+		OriginDialerService: originDialerService,
 		ConfigurationFlags:  parseConfigFlags(c),
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }
@ -269,9 +299,9 @@ func parseConfigFlags(c *cli.Context) map[string]string {
 }
 func gracePeriod(c *cli.Context) (time.Duration, error) {
-	period := c.Duration("grace-period")
+	period := c.Duration(flags.GracePeriod)
 	if period > connection.MaxGracePeriod {
-		return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
+		return time.Duration(0), fmt.Errorf("%s must be equal or less than %v", flags.GracePeriod, connection.MaxGracePeriod)
 	}
 	return period, nil
 }
@ -280,25 +310,6 @@ func isRunningFromTerminal() bool {
 	return term.IsTerminal(int(os.Stdout.Fd()))
 }
 // Remove any duplicates from the slice
 func dedup(slice []string) []string {
 	// Convert the slice into a set
 	set := make(map[string]bool, 0)
 	for _, str := range slice {
 		set[str] = true
 	}
 	// Convert the set back into a slice
 	keys := make([]string, len(set))
 	i := 0
 	for str := range set {
 		keys[i] = str
 		i++
 	}
 	return keys
 }
 // ParseConfigIPVersion returns the IP version from possible expected values from config
 func parseConfigIPVersion(version string) (v allregions.ConfigIPVersion, err error) {
 	switch version {
@ -359,33 +370,39 @@ func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.I
 	}
 }
-func newPacketConfig(c *cli.Context, logger *zerolog.Logger) (*ingress.GlobalRouterConfig, error) {
+func newICMPRouter(c *cli.Context, logger *zerolog.Logger) (ingress.ICMPRouterServer, error) {
-	ipv4Src, err := determineICMPv4Src(c.String("icmpv4-src"), logger)
+	ipv4Src, ipv6Src, err := determineICMPSources(c, logger)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
+		return nil, err
 	}
 	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, logger, icmpFunnelTimeout)
 	if err != nil {
 		return nil, err
 	}
 	return icmpRouter, nil
 }
 func determineICMPSources(c *cli.Context, logger *zerolog.Logger) (netip.Addr, netip.Addr, error) {
 	ipv4Src, err := determineICMPv4Src(c.String(flags.ICMPV4Src), logger)
 	if err != nil {
 		return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
 	}
 	logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
-	ipv6Src, zone, err := determineICMPv6Src(c.String("icmpv6-src"), logger, ipv4Src)
+	ipv6Src, zone, err := determineICMPv6Src(c.String(flags.ICMPV6Src), logger, ipv4Src)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
+		return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
 	}
 	if zone != "" {
 		logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
 	} else {
 		logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
 	}
-	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, zone, logger)
+	return ipv4Src, ipv6Src, nil
 	if err != nil {
 		return nil, err
 	}
 	return &ingress.GlobalRouterConfig{
 		ICMPRouter: icmpRouter,
 		IPv4Src:    ipv4Src,
 		IPv6Src:    ipv6Src,
 		Zone:       zone,
 	}, nil
 }
 func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
@ -415,13 +432,12 @@ type interfaceIP struct {
 func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
 	if userDefinedSrc != "" {
-		userDefinedIP, zone, _ := strings.Cut(userDefinedSrc, "%")
+		addr, err := netip.ParseAddr(userDefinedSrc)
 		addr, err := netip.ParseAddr(userDefinedIP)
 		if err != nil {
 			return netip.Addr{}, "", err
 		}
 		if addr.Is6() {
-			return addr, zone, nil
+			return addr, addr.Zone(), nil
 		}
 		return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
 	}
@ -502,3 +518,19 @@ func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
 	localAddr := localAddrPort.Addr()
 	return localAddr, nil
 }
 func parseResolverAddrPorts(input []string) ([]netip.AddrPort, error) {
 	// We don't allow more than 10 resolvers to be provided statically for the resolver service.
 	if len(input) > 10 {
 		return nil, errors.New("too many addresses provided, max: 10")
 	}
 	addrs := make([]netip.AddrPort, 0, len(input))
 	for _, val := range input {
 		addr, err := netip.ParseAddrPort(val)
 		if err != nil {
 			return nil, err
 		}
 		addrs = append(addrs, addr)
 	}
 	return addrs, nil
 }
--- a/cmd/cloudflared/tunnel/configuration_test.go
+++ b/cmd/cloudflared/tunnel/configuration_test.go
@ -1,5 +1,4 @@
 //go:build ignore
 // +build ignore
 // TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
--- a/cmd/cloudflared/tunnel/credential_finder.go
+++ b/cmd/cloudflared/tunnel/credential_finder.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"path/filepath"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
@ -57,7 +58,7 @@ func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSys
 }
 func (s searchByID) Path() (string, error) {
-	originCertPath := s.c.String(credentials.OriginCertFlag)
+	originCertPath := s.c.String(cfdflags.OriginCert)
 	originCertLog := s.log.With().
 		Str("originCertPath", originCertPath).
 		Logger()
--- a/cmd/cloudflared/tunnel/fips.go
+++ b/cmd/cloudflared/tunnel/fips.go
@ -1,3 +0,0 @@
 package tunnel
 var FipsEnabled bool
--- a/cmd/cloudflared/tunnel/ingress_subcommands.go
+++ b/cmd/cloudflared/tunnel/ingress_subcommands.go
@ -139,7 +139,7 @@ func testURLCommand(c *cli.Context) error {
 	}
 	_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path)
-	fmt.Printf("Matched rule #%d\n", i+1)
+	fmt.Printf("Matched rule #%d\n", i)
 	fmt.Println(ing.Rules[i].MultiLineString())
 	return nil
 }
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@ -12,6 +12,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
@ -19,8 +20,31 @@ import (
 )
 const (
-	baseLoginURL     = "https://dash.cloudflare.com/argotunnel"
+	baseLoginURL         = "https://dash.cloudflare.com/argotunnel"
-	callbackStoreURL = "https://login.cloudflareaccess.org/"
+	callbackURL          = "https://login.cloudflareaccess.org/"
 	fedBaseLoginURL      = "https://dash.fed.cloudflare.com/argotunnel"
 	fedCallbackStoreURL  = "https://login.fed.cloudflareaccess.org/"
 	fedRAMPParamName     = "fedramp"
 	loginURLParamName    = "loginURL"
 	callbackURLParamName = "callbackURL"
 )
 var (
 	loginURL = &cli.StringFlag{
 		Name:  loginURLParamName,
 		Value: baseLoginURL,
 		Usage: "The URL used to login (default is https://dash.cloudflare.com/argotunnel)",
 	}
 	callbackStore = &cli.StringFlag{
 		Name:  callbackURLParamName,
 		Value: callbackURL,
 		Usage: "The URL used for the callback (default is https://login.cloudflareaccess.org/)",
 	}
 	fedramp = &cli.BoolFlag{
 		Name:    fedRAMPParamName,
 		Aliases: []string{"f"},
 		Usage:   "Login with FedRAMP High environment.",
 	}
 )
 func buildLoginSubcommand(hidden bool) *cli.Command {
@ -30,6 +54,11 @@ func buildLoginSubcommand(hidden bool) *cli.Command {
 		Usage:     "Generate a configuration file with your login details",
 		ArgsUsage: " ",
 		Hidden:    hidden,
 		Flags: []cli.Flag{
 			loginURL,
 			callbackStore,
 			fedramp,
 		},
 	}
 }
@ -38,15 +67,25 @@ func login(c *cli.Context) error {
 	path, ok, err := checkForExistingCert()
 	if ok {
-		fmt.Fprintf(os.Stdout, "You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
+		log.Error().Err(err).Msgf("You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
 		return nil
 	} else if err != nil {
 		return err
 	}
-	loginURL, err := url.Parse(baseLoginURL)
+	var (
 		baseloginURL     = c.String(loginURLParamName)
 		callbackStoreURL = c.String(callbackURLParamName)
 	)
 	isFEDRamp := c.Bool(fedRAMPParamName)
 	if isFEDRamp {
 		baseloginURL = fedBaseLoginURL
 		callbackStoreURL = fedCallbackStoreURL
 	}
 	loginURL, err := url.Parse(baseloginURL)
 	if err != nil {
 		// shouldn't happen, URL is hardcoded
 		return err
 	}
@ -58,10 +97,28 @@ func login(c *cli.Context) error {
 		callbackStoreURL,
 		false,
 		false,
 		c.Bool(cfdflags.AutoCloseInterstitial),
 		isFEDRamp,
 		log,
 	)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "Failed to write the certificate due to the following error:\n%v\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", err, path)
+		log.Error().Err(err).Msgf("Failed to write the certificate.\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", path)
 		return err
 	}
 	cert, err := credentials.DecodeOriginCert(resourceData)
 	if err != nil {
 		log.Error().Err(err).Msg("failed to decode origin certificate")
 		return err
 	}
 	if isFEDRamp {
 		cert.Endpoint = credentials.FedEndpoint
 	}
 	resourceData, err = cert.EncodeOriginCert()
 	if err != nil {
 		log.Error().Err(err).Msg("failed to encode origin certificate")
 		return err
 	}
@ -69,7 +126,7 @@ func login(c *cli.Context) error {
 		return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
 	}
-	fmt.Fprintf(os.Stdout, "You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
+	log.Info().Msgf("You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
 	return nil
 }
--- a/cmd/cloudflared/tunnel/quick_tunnel.go
+++ b/cmd/cloudflared/tunnel/quick_tunnel.go
@ -3,6 +3,7 @@ package tunnel
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"time"
@ -10,15 +11,13 @@ import (
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/connection"
 )
 const httpTimeout = 15 * time.Second
-const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to" +
+const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee, are subject to the Cloudflare Online Services Terms of Use (https://www.cloudflare.com/website-terms/), and Cloudflare reserves the right to investigate your use of Tunnels for violations of such terms. If you intend to use Tunnels in production you should use a pre-created named tunnel by following: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
 	" experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee. If you " +
 	"intend to use Tunnels in production you should use a pre-created named tunnel by following: " +
 	"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
 // RunQuickTunnel requests a tunnel from the specified service.
 // We use this to power quick tunnels on trycloudflare.com, but the
@ -35,14 +34,29 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		Timeout: httpTimeout,
 	}
-	resp, err := client.Post(fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), "application/json", nil)
+	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), nil)
 	if err != nil {
 		return errors.Wrap(err, "failed to build quick tunnel request")
 	}
 	req.Header.Add("Content-Type", "application/json")
 	req.Header.Add("User-Agent", buildInfo.UserAgent())
 	resp, err := client.Do(req)
 	if err != nil {
 		return errors.Wrap(err, "failed to request quick Tunnel")
 	}
 	defer resp.Body.Close()
 	// This will read the entire response into memory so we can print it in case of error
 	rsp_body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return errors.Wrap(err, "failed to read quick-tunnel response")
 	}
 	var data QuickTunnelResponse
-	if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
+	if err := json.Unmarshal(rsp_body, &data); err != nil {
 		rsp_string := string(rsp_body)
 		fields := map[string]interface{}{"status_code": resp.Status}
 		sc.log.Err(err).Fields(fields).Msgf("Error unmarshaling QuickTunnel response: %s", rsp_string)
 		return errors.Wrap(err, "failed to unmarshal quick Tunnel")
 	}
@ -69,17 +83,17 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		sc.log.Info().Msg(line)
 	}
-	if !sc.c.IsSet("protocol") {
+	if !sc.c.IsSet(flags.Protocol) {
-		sc.c.Set("protocol", "quic")
+		_ = sc.c.Set(flags.Protocol, "quic")
 	}
 	// Override the number of connections used. Quick tunnels shouldn't be used for production usage,
 	// so, use a single connection instead.
-	sc.c.Set(haConnectionsFlag, "1")
+	_ = sc.c.Set(flags.HaConnections, "1")
 	return StartServer(
 		sc.c,
 		buildInfo,
-		&connection.NamedTunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
+		&connection.TunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
 		sc.log,
 	)
 }
--- a/cmd/cloudflared/tunnel/signal_test.go
+++ b/cmd/cloudflared/tunnel/signal_test.go
@ -1,5 +1,4 @@
 //go:build !windows
 // +build !windows
 package tunnel
--- a/cmd/cloudflared/tunnel/subcommand_context.go
+++ b/cmd/cloudflared/tunnel/subcommand_context.go
@ -9,22 +9,26 @@ import (
 	"strings"
 	"github.com/google/uuid"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 )
-type errInvalidJSONCredential struct {
+const fedRampBaseApiURL = "https://api.fed.cloudflare.com/client/v4"
 type invalidJSONCredentialError struct {
 	err  error
 	path string
 }
-func (e errInvalidJSONCredential) Error() string {
+func (e invalidJSONCredentialError) Error() string {
 	return "Invalid JSON when parsing tunnel credentials file"
 }
@ -51,7 +55,12 @@ func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
 // Returns something that can find the given tunnel's credentials file.
 func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
 	if path := sc.c.String(CredFileFlag); path != "" {
-		return newStaticPath(path, sc.fs)
+		// Expand path if CredFileFlag contains `~`
 		absPath, err := homedir.Expand(path)
 		if err != nil {
 			return newStaticPath(path, sc.fs)
 		}
 		return newStaticPath(absPath, sc.fs)
 	}
 	return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
 }
@ -64,7 +73,16 @@ func (sc *subcommandContext) client() (cfapi.Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	sc.tunnelstoreClient, err = cred.Client(sc.c.String("api-url"), buildInfo.UserAgent(), sc.log)
+
 	var apiURL string
 	if cred.IsFEDEndpoint() {
 		sc.log.Info().Str("api-url", fedRampBaseApiURL).Msg("using fedramp base api")
 		apiURL = fedRampBaseApiURL
 	} else {
 		apiURL = sc.c.String(cfdflags.ApiURL)
 	}
 	sc.tunnelstoreClient, err = cred.Client(apiURL, buildInfo.UserAgent(), sc.log)
 	if err != nil {
 		return nil, err
 	}
@ -73,7 +91,7 @@ func (sc *subcommandContext) client() (cfapi.Client, error) {
 func (sc *subcommandContext) credential() (*credentials.User, error) {
 	if sc.userCredential == nil {
-		uc, err := credentials.Read(sc.c.String(credentials.OriginCertFlag), sc.log)
+		uc, err := credentials.Read(sc.c.String(cfdflags.OriginCert), sc.log)
 		if err != nil {
 			return nil, err
 		}
@ -94,13 +112,13 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
 	var credentials connection.Credentials
 	if err = json.Unmarshal(body, &credentials); err != nil {
-		if strings.HasSuffix(filePath, ".pem") {
+		if filepath.Ext(filePath) == ".pem" {
 			return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " +
 				"The tunnel credentials file was originally created by `cloudflared tunnel create`. " +
 				"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " +
 				"login`.")
 		}
-		return connection.Credentials{}, errInvalidJSONCredential{path: filePath, err: err}
+		return connection.Credentials{}, invalidJSONCredentialError{path: filePath, err: err}
 	}
 	return credentials, nil
 }
@ -122,7 +140,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		if err != nil {
 			return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64")
 		}
-		tunnelSecret = []byte(decodedSecret)
+		tunnelSecret = decodedSecret
 		if len(tunnelSecret) < 32 {
 			return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long")
 		}
@ -137,10 +155,12 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 	if err != nil {
 		return nil, err
 	}
 	tunnelCredentials := connection.Credentials{
 		AccountTag:   credential.AccountID(),
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
 		Endpoint:     credential.Endpoint(),
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {
@ -156,11 +176,11 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		var errorLines []string
 		errorLines = append(errorLines, fmt.Sprintf("Your tunnel '%v' was created with ID %v. However, cloudflared couldn't write tunnel credentials to %s.", tunnel.Name, tunnel.ID, credentialsFilePath))
 		errorLines = append(errorLines, fmt.Sprintf("The file-writing error is: %v", writeFileErr))
-		if deleteErr := client.DeleteTunnel(tunnel.ID); deleteErr != nil {
+		if deleteErr := client.DeleteTunnel(tunnel.ID, true); deleteErr != nil {
 			errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
 			errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
 		} else {
-			errorLines = append(errorLines, fmt.Sprintf("The tunnel was deleted, because the tunnel can't be run without the credentials file"))
+			errorLines = append(errorLines, "The tunnel was deleted, because the tunnel can't be run without the credentials file")
 		}
 		errorMsg := strings.Join(errorLines, "\n")
 		return nil, errors.New(errorMsg)
@ -189,7 +209,7 @@ func (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel,
 }
 func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
-	forceFlagSet := sc.c.Bool("force")
+	forceFlagSet := sc.c.Bool(cfdflags.Force)
 	client, err := sc.client()
 	if err != nil {
@ -206,13 +226,8 @@ func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
 		if !tunnel.DeletedAt.IsZero() {
 			return fmt.Errorf("Tunnel %s has already been deleted", tunnel.ID)
 		}
 		if forceFlagSet {
 			if err := client.CleanupConnections(tunnel.ID, cfapi.NewCleanupParams()); err != nil {
 				return errors.Wrapf(err, "Error cleaning up connections for tunnel %s", tunnel.ID)
 			}
 		}
-		if err := client.DeleteTunnel(tunnel.ID); err != nil {
+		if err := client.DeleteTunnel(tunnel.ID, forceFlagSet); err != nil {
 			return errors.Wrapf(err, "Error deleting tunnel %s", tunnel.ID)
 		}
@ -234,7 +249,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
 	var err error
 	if credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != "" {
 		if err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil {
-			err = errInvalidJSONCredential{path: "TUNNEL_CRED_CONTENTS", err: err}
+			err = invalidJSONCredentialError{path: "TUNNEL_CRED_CONTENTS", err: err}
 		}
 	} else {
 		credFinder := sc.credentialFinder(tunnelID)
@ -250,7 +265,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
 func (sc *subcommandContext) run(tunnelID uuid.UUID) error {
 	credentials, err := sc.findCredentials(tunnelID)
 	if err != nil {
-		if e, ok := err.(errInvalidJSONCredential); ok {
+		if e, ok := err.(invalidJSONCredentialError); ok {
 			sc.log.Error().Msgf("The credentials file at %s contained invalid JSON. This is probably caused by passing the wrong filepath. Reminder: the credentials file is a .json file created via `cloudflared tunnel create`.", e.path)
 			sc.log.Error().Msgf("Invalid JSON when parsing credentials file: %s", e.err.Error())
 		}
@ -266,7 +281,7 @@ func (sc *subcommandContext) runWithCredentials(credentials connection.Credentia
 	return StartServer(
 		sc.c,
 		buildInfo,
-		&connection.NamedTunnelProperties{Credentials: credentials},
+		&connection.TunnelProperties{Credentials: credentials},
 		sc.log,
 	)
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
@ -1,6 +1,9 @@
 package tunnel
 import (
 	"net"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/cfapi"
@ -24,12 +27,12 @@ func (sc *subcommandContext) addRoute(newRoute cfapi.NewRoute) (cfapi.Route, err
 	return client.AddRoute(newRoute)
 }
-func (sc *subcommandContext) deleteRoute(params cfapi.DeleteRouteParams) error {
+func (sc *subcommandContext) deleteRoute(id uuid.UUID) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
-	return client.DeleteRoute(params)
+	return client.DeleteRoute(id)
 }
 func (sc *subcommandContext) getRouteByIP(params cfapi.GetRouteByIpParams) (cfapi.DetailedRoute, error) {
@ -39,3 +42,25 @@ func (sc *subcommandContext) getRouteByIP(params cfapi.GetRouteByIpParams) (cfap
 	}
 	return client.GetByIP(params)
 }
 func (sc *subcommandContext) getRouteId(network net.IPNet, vnetId *uuid.UUID) (uuid.UUID, error) {
 	filters := cfapi.NewIPRouteFilter()
 	filters.NotDeleted()
 	filters.NetworkIsSubsetOf(network)
 	filters.NetworkIsSupersetOf(network)
 	if vnetId != nil {
 		filters.VNetID(*vnetId)
 	}
 	result, err := sc.listRoutes(filters)
 	if err != nil {
 		return uuid.Nil, err
 	}
 	if len(result) != 1 {
 		return uuid.Nil, errors.New("unable to find route for provided network and vnet")
 	}
 	return result[0].ID, nil
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_test.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_test.go
@ -219,7 +219,7 @@ func (d *deleteMockTunnelStore) GetTunnelToken(tunnelID uuid.UUID) (string, erro
 	return "token", nil
 }
-func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID) error {
+func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	tunnel, ok := d.mockTunnels[tunnelID]
 	if !ok {
 		return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
--- a/cmd/cloudflared/tunnel/subcommands.go
+++ b/cmd/cloudflared/tunnel/subcommands.go
@ -5,6 +5,8 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path/filepath"
 	"regexp"
@ -14,28 +16,40 @@ import (
 	"time"
 	"github.com/google/uuid"
-	homedir "github.com/mitchellh/go-homedir"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/net/idna"
-	yaml "gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v3"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/diagnostic"
 	"github.com/cloudflare/cloudflared/fips"
 	"github.com/cloudflare/cloudflared/metrics"
 )
 const (
-	allSortByOptions     = "name, id, createdAt, deletedAt, numConnections"
+	allSortByOptions        = "name, id, createdAt, deletedAt, numConnections"
-	connsSortByOptions   = "id, startedAt, numConnections, version"
+	connsSortByOptions      = "id, startedAt, numConnections, version"
-	CredFileFlagAlias    = "cred-file"
+	CredFileFlagAlias       = "cred-file"
-	CredFileFlag         = "credentials-file"
+	CredFileFlag            = "credentials-file"
-	CredContentsFlag     = "credentials-contents"
+	CredContentsFlag        = "credentials-contents"
-	TunnelTokenFlag      = "token"
+	TunnelTokenFlag         = "token"
-	overwriteDNSFlagName = "overwrite-dns"
+	TunnelTokenFileFlag     = "token-file"
 	overwriteDNSFlagName    = "overwrite-dns"
 	noDiagLogsFlagName      = "no-diag-logs"
 	noDiagMetricsFlagName   = "no-diag-metrics"
 	noDiagSystemFlagName    = "no-diag-system"
 	noDiagRuntimeFlagName   = "no-diag-runtime"
 	noDiagNetworkFlagName   = "no-diag-network"
 	diagContainerIDFlagName = "diag-container-id"
 	diagPodFlagName         = "diag-pod-id"
 	LogFieldTunnelID = "tunnelID"
 )
@ -47,7 +61,7 @@ var (
 		Usage:   "Include deleted tunnels in the list",
 	}
 	listNameFlag = &cli.StringFlag{
-		Name:    "name",
+		Name:    flags.Name,
 		Aliases: []string{"n"},
 		Usage:   "List tunnels with the given `NAME`",
 	}
@ -95,7 +109,7 @@ var (
 		EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
 	}
 	featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-		Name:    "features",
+		Name:    flags.Features,
 		Aliases: []string{"F"},
 		Usage:   "Opt into various features that are still being developed or tested.",
 	})
@ -113,18 +127,23 @@ var (
 	})
 	tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFlag,
-		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence.",
+		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence. Also takes precedence over token-file",
 		EnvVars: []string{"TUNNEL_TOKEN"},
 	})
 	tunnelTokenFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFileFlag,
 		Usage:   "Filepath at which to read the tunnel token. When provided along with credentials, this will take precedence.",
 		EnvVars: []string{"TUNNEL_TOKEN_FILE"},
 	})
 	forceDeleteFlag = &cli.BoolFlag{
-		Name:    "force",
+		Name:    flags.Force,
 		Aliases: []string{"f"},
-		Usage: "Cleans up any stale connections before the tunnel is deleted. cloudflared will not " +
+		Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." +
-			"delete a tunnel with connections without this flag.",
+			" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.",
 		EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
 	}
 	selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
-		Name:    "protocol",
+		Name:    flags.Protocol,
 		Value:   connection.AutoSelectFlag,
 		Aliases: []string{"p"},
 		Usage:   fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
@ -132,11 +151,11 @@ var (
 		Hidden:  true,
 	})
 	postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
-		Name:    "post-quantum",
+		Name:    flags.PostQuantum,
 		Usage:   "When given creates an experimental post-quantum secure tunnel",
 		Aliases: []string{"pq"},
 		EnvVars: []string{"TUNNEL_POST_QUANTUM"},
-		Hidden:  FipsEnabled,
+		Hidden:  fips.IsFipsEnabled(),
 	})
 	sortInfoByFlag = &cli.StringFlag{
 		Name:    "sort-by",
@ -168,15 +187,65 @@ var (
 		EnvVars: []string{"TUNNEL_CREATE_SECRET"},
 	}
 	icmpv4SrcFlag = &cli.StringFlag{
-		Name:    "icmpv4-src",
+		Name:    flags.ICMPV4Src,
 		Usage:   "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.",
 		EnvVars: []string{"TUNNEL_ICMPV4_SRC"},
 	}
 	icmpv6SrcFlag = &cli.StringFlag{
-		Name:    "icmpv6-src",
+		Name:    flags.ICMPV6Src,
 		Usage:   "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.",
 		EnvVars: []string{"TUNNEL_ICMPV6_SRC"},
 	}
 	metricsFlag = &cli.StringFlag{
 		Name:  flags.Metrics,
 		Usage: "The metrics server address i.e.: 127.0.0.1:12345. If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.",
 		Value: "",
 	}
 	diagContainerFlag = &cli.StringFlag{
 		Name:  diagContainerIDFlagName,
 		Usage: "Container ID or Name to collect logs from",
 		Value: "",
 	}
 	diagPodFlag = &cli.StringFlag{
 		Name:  diagPodFlagName,
 		Usage: "Kubernetes POD to collect logs from",
 		Value: "",
 	}
 	noDiagLogsFlag = &cli.BoolFlag{
 		Name:  noDiagLogsFlagName,
 		Usage: "Log collection will not be performed",
 		Value: false,
 	}
 	noDiagMetricsFlag = &cli.BoolFlag{
 		Name:  noDiagMetricsFlagName,
 		Usage: "Metric collection will not be performed",
 		Value: false,
 	}
 	noDiagSystemFlag = &cli.BoolFlag{
 		Name:  noDiagSystemFlagName,
 		Usage: "System information collection will not be performed",
 		Value: false,
 	}
 	noDiagRuntimeFlag = &cli.BoolFlag{
 		Name:  noDiagRuntimeFlagName,
 		Usage: "Runtime information collection will not be performed",
 		Value: false,
 	}
 	noDiagNetworkFlag = &cli.BoolFlag{
 		Name:  noDiagNetworkFlagName,
 		Usage: "Network diagnostics won't be performed",
 		Value: false,
 	}
 	maxActiveFlowsFlag = &cli.Uint64Flag{
 		Name:    flags.MaxActiveFlows,
 		Usage:   "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
 		EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
 	}
 	dnsResolverAddrsFlag = &cli.StringSliceFlag{
 		Name:    flags.VirtualDNSServiceResolverAddresses,
 		Usage:   "Overrides the dynamic DNS resolver resolution to use these address:port's instead.",
 		EnvVars: []string{"TUNNEL_DNS_RESOLVER_ADDRS"},
 	}
 )
 func buildCreateCommand() *cli.Command {
@ -279,7 +348,7 @@ func listCommand(c *cli.Context) error {
 	if !c.Bool("show-deleted") {
 		filter.NoDeleted()
 	}
-	if name := c.String("name"); name != "" {
+	if name := c.String(flags.Name); name != "" {
 		filter.ByName(name)
 	}
 	if namePrefix := c.String("name-prefix"); namePrefix != "" {
@ -373,7 +442,6 @@ func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected
 }
 func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {
 	// Count connections per colo
 	numConnsPerColo := make(map[string]uint, len(connections))
 	for _, connection := range connections {
@ -390,13 +458,51 @@ func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected boo
 	sort.Strings(sortedColos)
 	// Map each colo to its frequency, combine into output string.
-	var output []string
+	output := make([]string, 0, len(sortedColos))
 	for _, coloName := range sortedColos {
 		output = append(output, fmt.Sprintf("%dx%s", numConnsPerColo[coloName], coloName))
 	}
 	return strings.Join(output, ", ")
 }
 func buildReadyCommand() *cli.Command {
 	return &cli.Command{
 		Name:               "ready",
 		Action:             cliutil.ConfiguredAction(readyCommand),
 		Usage:              "Call /ready endpoint and return proper exit code",
 		UsageText:          "cloudflared tunnel [tunnel command options] ready [subcommand options]",
 		Description:        "cloudflared tunnel ready will return proper exit code based on the /ready endpoint",
 		Flags:              []cli.Flag{},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func readyCommand(c *cli.Context) error {
 	metricsOpts := c.String(flags.Metrics)
 	if !c.IsSet(flags.Metrics) {
 		return errors.New("--metrics has to be provided")
 	}
 	requestURL := fmt.Sprintf("http://%s/ready", metricsOpts)
 	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
 	if err != nil {
 		return err
 	}
 	res, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != 200 {
 		body, err := io.ReadAll(res.Body)
 		if err != nil {
 			return err
 		}
 		return fmt.Errorf("http://%s/ready endpoint returned status code %d\n%s", metricsOpts, res.StatusCode, body)
 	}
 	return nil
 }
 func buildInfoCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "info",
@ -613,8 +719,11 @@ func buildRunCommand() *cli.Command {
 		selectProtocolFlag,
 		featuresFlag,
 		tunnelTokenFlag,
 		tunnelTokenFileFlag,
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
 		maxActiveFlowsFlag,
 		dnsResolverAddrsFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
@ -652,12 +761,22 @@ func runCommand(c *cli.Context) error {
 			"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
 	}
 	tokenStr := c.String(TunnelTokenFlag)
 	// Check if tokenStr is blank before checking for tokenFile
 	if tokenStr == "" {
 		if tokenFile := c.String(TunnelTokenFileFlag); tokenFile != "" {
 			data, err := os.ReadFile(tokenFile)
 			if err != nil {
 				return cliutil.UsageError("Failed to read token file: %s", err.Error())
 			}
 			tokenStr = strings.TrimSpace(string(data))
 		}
 	}
 	// Check if token is provided and if not use default tunnelID flag method
-	if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
+	if tokenStr != "" {
 		if token, err := ParseToken(tokenStr); err == nil {
 			return sc.runWithCredentials(token.Credentials())
 		}
 		return cliutil.UsageError("Provided Tunnel token is not valid.")
 	} else {
 		tunnelRef := c.Args().First()
@ -862,8 +981,10 @@ func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
 	return cfapi.NewLBRoute(lbName, lbPool), nil
 }
-var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+var (
-var hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+	nameRegex     = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
 	hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
 )
 func validateName(s string, allowWildcardSubdomain bool) bool {
 	if allowWildcardSubdomain {
@ -951,3 +1072,78 @@ SUBCOMMAND OPTIONS:
 `
 	return fmt.Sprintf(template, parentFlagsHelp)
 }
 func buildDiagCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "diag",
 		Action:      cliutil.ConfiguredAction(diagCommand),
 		Usage:       "Creates a diagnostic report from a local cloudflared instance",
 		UsageText:   "cloudflared tunnel [tunnel command options] diag [subcommand options]",
 		Description: "cloudflared tunnel diag will create a diagnostic report of a local cloudflared instance. The diagnostic procedure collects: logs, metrics, system information, traceroute to Cloudflare Edge, and runtime information. Since there may be multiple instances of cloudflared running the --metrics option may be provided to target a specific instance.",
 		Flags: []cli.Flag{
 			metricsFlag,
 			diagContainerFlag,
 			diagPodFlag,
 			noDiagLogsFlag,
 			noDiagMetricsFlag,
 			noDiagSystemFlag,
 			noDiagRuntimeFlag,
 			noDiagNetworkFlag,
 		},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func diagCommand(ctx *cli.Context) error {
 	sctx, err := newSubcommandContext(ctx)
 	if err != nil {
 		return err
 	}
 	log := sctx.log
 	options := diagnostic.Options{
 		KnownAddresses: metrics.GetMetricsKnownAddresses(metrics.Runtime),
 		Address:        sctx.c.String(flags.Metrics),
 		ContainerID:    sctx.c.String(diagContainerIDFlagName),
 		PodID:          sctx.c.String(diagPodFlagName),
 		Toggles: diagnostic.Toggles{
 			NoDiagLogs:    sctx.c.Bool(noDiagLogsFlagName),
 			NoDiagMetrics: sctx.c.Bool(noDiagMetricsFlagName),
 			NoDiagSystem:  sctx.c.Bool(noDiagSystemFlagName),
 			NoDiagRuntime: sctx.c.Bool(noDiagRuntimeFlagName),
 			NoDiagNetwork: sctx.c.Bool(noDiagNetworkFlagName),
 		},
 	}
 	if options.Address == "" {
 		log.Info().Msg("If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.")
 	}
 	states, err := diagnostic.RunDiagnostic(log, options)
 	if errors.Is(err, diagnostic.ErrMetricsServerNotFound) {
 		log.Warn().Msg("No instances found")
 		return nil
 	}
 	if errors.Is(err, diagnostic.ErrMultipleMetricsServerFound) {
 		if states != nil {
 			log.Info().Msgf("Found multiple instances running:")
 			for _, state := range states {
 				log.Info().Msgf("Instance: tunnel-id=%s connector-id=%s metrics-address=%s", state.TunnelID, state.ConnectorID, state.URL.String())
 			}
 			log.Info().Msgf("To select one instance use the option --metrics")
 		}
 		return nil
 	}
 	if errors.Is(err, diagnostic.ErrLogConfigurationIsInvalid) {
 		log.Info().Msg("Couldn't extract logs from the instance. If the instance is running in a containerized environment use the option --diag-container-id or --diag-pod-id. If there is no logging configuration use --no-diag-logs.")
 	}
 	if err != nil {
 		log.Warn().Msg("Diagnostic completed with one or more errors")
 	} else {
 		log.Info().Msg("Diagnostic completed")
 	}
 	return nil
 }
--- a/cmd/cloudflared/tunnel/tag.go
+++ b/cmd/cloudflared/tunnel/tag.go
@ -4,23 +4,23 @@ import (
 	"fmt"
 	"regexp"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // Restrict key names to characters allowed in an HTTP header name.
 // Restrict key values to printable characters (what is recognised as data in an HTTP header value).
 var tagRegexp = regexp.MustCompile("^([a-zA-Z0-9!#$%&'*+\\-.^_`|~]+)=([[:print:]]+)$")
-func NewTagFromCLI(compoundTag string) (tunnelpogs.Tag, bool) {
+func NewTagFromCLI(compoundTag string) (pogs.Tag, bool) {
 	matches := tagRegexp.FindStringSubmatch(compoundTag)
 	if len(matches) == 0 {
-		return tunnelpogs.Tag{}, false
+		return pogs.Tag{}, false
 	}
-	return tunnelpogs.Tag{Name: matches[1], Value: matches[2]}, true
+	return pogs.Tag{Name: matches[1], Value: matches[2]}, true
 }
-func NewTagSliceFromCLI(tags []string) ([]tunnelpogs.Tag, error) {
+func NewTagSliceFromCLI(tags []string) ([]pogs.Tag, error) {
-	var tagSlice []tunnelpogs.Tag
+	var tagSlice []pogs.Tag
 	for _, compoundTag := range tags {
 		if tag, ok := NewTagFromCLI(compoundTag); ok {
 			tagSlice = append(tagSlice, tag)
--- a/cmd/cloudflared/tunnel/tag_test.go
+++ b/cmd/cloudflared/tunnel/tag_test.go
@ -3,7 +3,7 @@ package tunnel
 import (
 	"testing"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 	"github.com/stretchr/testify/assert"
 )
@ -11,12 +11,12 @@ import (
 func TestSingleTag(t *testing.T) {
 	testCases := []struct {
 		Input  string
-		Output tunnelpogs.Tag
+		Output pogs.Tag
 		Fail   bool
 	}{
-		{Input: "x=y", Output: tunnelpogs.Tag{Name: "x", Value: "y"}},
+		{Input: "x=y", Output: pogs.Tag{Name: "x", Value: "y"}},
-		{Input: "More-Complex=Tag Values", Output: tunnelpogs.Tag{Name: "More-Complex", Value: "Tag Values"}},
+		{Input: "More-Complex=Tag Values", Output: pogs.Tag{Name: "More-Complex", Value: "Tag Values"}},
-		{Input: "First=Equals=Wins", Output: tunnelpogs.Tag{Name: "First", Value: "Equals=Wins"}},
+		{Input: "First=Equals=Wins", Output: pogs.Tag{Name: "First", Value: "Equals=Wins"}},
 		{Input: "x=", Fail: true},
 		{Input: "=y", Fail: true},
 		{Input: "=", Fail: true},
--- a/cmd/cloudflared/tunnel/teamnet_subcommands.go
+++ b/cmd/cloudflared/tunnel/teamnet_subcommands.go
@ -21,6 +21,8 @@ var (
 		Aliases: []string{"vn"},
 		Usage:   "The ID or name of the virtual network to which the route is associated to.",
 	}
 	errAddRoute = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
 )
 func buildRouteIPSubcommand() *cli.Command {
@ -30,7 +32,7 @@ func buildRouteIPSubcommand() *cli.Command {
 		UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
 		Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
 your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
-client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
+client. You can then configure L7/L4 filtering on https://one.dash.cloudflare.com to
 determine who can reach certain routes.
 By default IP routes all exist within a single virtual network. If you use the same IP
 space(s) in different physical private networks, all meant to be reachable via IP routes,
@ -68,11 +70,9 @@ which virtual network's routing table you want to add the route to with:
 				Name:      "delete",
 				Action:    cliutil.ConfiguredAction(deleteRouteCommand),
 				Usage:     "Delete a row from your organization's private routing table",
-				UsageText: "cloudflared tunnel [--config FILEPATH] route ip delete [flags] [CIDR]",
+				UsageText: "cloudflared tunnel [--config FILEPATH] route ip delete [flags] [Route ID or CIDR]",
-				Description: `Deletes the row for a given CIDR from your routing table. That portion of your network
+				Description: `Deletes the row for the given route ID from your routing table. That portion of your network
-will no longer be reachable by the WARP clients. Note that if you use virtual
+will no longer be reachable.`,
 networks, then you have to tell which virtual network whose routing table you
 have a row deleted from.`,
 				Flags: []cli.Flag{vnetFlag},
 			},
 			{
@ -187,33 +187,36 @@ func deleteRouteCommand(c *cli.Context) error {
 	}
 	if c.NArg() != 1 {
-		return errors.New("You must supply exactly one argument, the network whose route you want to delete (in CIDR form e.g. 1.2.3.4/32)")
+		return errAddRoute
 	}
-	_, network, err := net.ParseCIDR(c.Args().First())
+	var routeId uuid.UUID
 	routeId, err = uuid.Parse(c.Args().First())
 	if err != nil {
-		return errors.Wrap(err, "Invalid network CIDR")
+		_, network, err := net.ParseCIDR(c.Args().First())
-	}
+		if err != nil || network == nil {
-	if network == nil {
+			return errAddRoute
-		return errors.New("Invalid network CIDR")
+		}
 	}
-	params := cfapi.DeleteRouteParams{
+		var vnetId *uuid.UUID
-		Network: *network,
+		if c.IsSet(vnetFlag.Name) {
-	}
+			id, err := getVnetId(sc, c.String(vnetFlag.Name))
 			if err != nil {
 				return err
 			}
 			vnetId = &id
 		}
-	if c.IsSet(vnetFlag.Name) {
+		routeId, err = sc.getRouteId(*network, vnetId)
 		vnetId, err := getVnetId(sc, c.String(vnetFlag.Name))
 		if err != nil {
 			return err
 		}
 		params.VNetID = &vnetId
 	}
-	if err := sc.deleteRoute(params); err != nil {
+	if err := sc.deleteRoute(routeId); err != nil {
 		return errors.Wrap(err, "API error")
 	}
-	fmt.Printf("Successfully deleted route for %s\n", network)
+	fmt.Printf("Successfully deleted route with ID %s\n", routeId)
 	return nil
 }
@ -269,7 +272,7 @@ func formatAndPrintRouteList(routes []*cfapi.DetailedRoute) {
 	defer writer.Flush()
 	// Print column headers with tabbed columns
-	_, _ = fmt.Fprintln(writer, "NETWORK\tVIRTUAL NET ID\tCOMMENT\tTUNNEL ID\tTUNNEL NAME\tCREATED\tDELETED\t")
+	_, _ = fmt.Fprintln(writer, "ID\tNETWORK\tVIRTUAL NET ID\tCOMMENT\tTUNNEL ID\tTUNNEL NAME\tCREATED\tDELETED\t")
 	// Loop through routes, create formatted string for each, and print using tabwriter
 	for _, route := range routes {
--- a/cmd/cloudflared/updater/update.go
+++ b/cmd/cloudflared/updater/update.go
@ -14,13 +14,15 @@ import (
 	"github.com/urfave/cli/v2"
 	"golang.org/x/term"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
 const (
 	DefaultCheckUpdateFreq        = time.Hour * 24
-	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/"
+	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/"
 	noUpdateOnWindowsMessage      = "cloudflared will not automatically update on Windows systems."
 	noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager."
 	isManagedInstallFile          = ".installedFromPackageManager"
@ -31,12 +33,13 @@ const (
 )
 var (
-	version                string
+	buildInfo              *cliutil.BuildInfo
 	BuiltForPackageManager = ""
 )
 // BinaryUpdated implements ExitCoder interface, the app will exit with status code 11
 // https://pkg.go.dev/github.com/urfave/cli/v2?tab=doc#ExitCoder
 // nolint: errname
 type statusSuccess struct {
 	newVersion string
 }
@ -49,16 +52,16 @@ func (u *statusSuccess) ExitCode() int {
 	return 11
 }
-// UpdateErr implements ExitCoder interface, the app will exit with status code 10
+// statusError implements ExitCoder interface, the app will exit with status code 10
-type statusErr struct {
+type statusError struct {
 	err error
 }
-func (e *statusErr) Error() string {
+func (e *statusError) Error() string {
 	return fmt.Sprintf("failed to update cloudflared: %v", e.err)
 }
-func (e *statusErr) ExitCode() int {
+func (e *statusError) ExitCode() int {
 	return 10
 }
@ -78,11 +81,11 @@ type UpdateOutcome struct {
 }
 func (uo *UpdateOutcome) noUpdate() bool {
-	return uo.Error == nil && uo.Updated == false
+	return uo.Error == nil && !uo.Updated
 }
-func Init(v string) {
+func Init(info *cliutil.BuildInfo) {
-	version = v
+	buildInfo = info
 }
 func CheckForUpdate(options updateOptions) (CheckResult, error) {
@ -100,11 +103,12 @@ func CheckForUpdate(options updateOptions) (CheckResult, error) {
 		cfdPath = encodeWindowsPath(cfdPath)
 	}
-	s := NewWorkersService(version, url, cfdPath, Options{IsBeta: options.isBeta,
+	s := NewWorkersService(buildInfo.CloudflaredVersion, url, cfdPath, Options{IsBeta: options.isBeta,
 		IsForced: options.isForced, RequestedVersion: options.intendedVersion})
 	return s.Check()
 }
 func encodeWindowsPath(path string) string {
 	// We do this because Windows allows spaces in directories such as
 	// Program Files but does not allow these directories to be spaced in batch files.
@ -151,7 +155,7 @@ func Update(c *cli.Context) error {
 		log.Info().Msg("cloudflared is set to update from staging")
 	}
-	isForced := c.Bool("force")
+	isForced := c.Bool(cfdflags.Force)
 	if isForced {
 		log.Info().Msg("cloudflared is set to upgrade to the latest publish version regardless of the current version")
 	}
@ -164,7 +168,7 @@ func Update(c *cli.Context) error {
 		intendedVersion: c.String("version"),
 	})
 	if updateOutcome.Error != nil {
-		return &statusErr{updateOutcome.Error}
+		return &statusError{updateOutcome.Error}
 	}
 	if updateOutcome.noUpdate() {
@ -196,10 +200,9 @@ func loggedUpdate(log *zerolog.Logger, options updateOptions) UpdateOutcome {
 // AutoUpdater periodically checks for new version of cloudflared.
 type AutoUpdater struct {
-	configurable     *configurable
+	configurable *configurable
-	listeners        *gracenet.Net
+	listeners    *gracenet.Net
-	updateConfigChan chan *configurable
+	log          *zerolog.Logger
 	log              *zerolog.Logger
 }
 // AutoUpdaterConfigurable is the attributes of AutoUpdater that can be reconfigured during runtime
@ -210,10 +213,9 @@ type configurable struct {
 func NewAutoUpdater(updateDisabled bool, freq time.Duration, listeners *gracenet.Net, log *zerolog.Logger) *AutoUpdater {
 	return &AutoUpdater{
-		configurable:     createUpdateConfig(updateDisabled, freq, log),
+		configurable: createUpdateConfig(updateDisabled, freq, log),
-		listeners:        listeners,
+		listeners:    listeners,
-		updateConfigChan: make(chan *configurable),
+		log:          log,
 		log:              log,
 	}
 }
@ -232,19 +234,27 @@ func createUpdateConfig(updateDisabled bool, freq time.Duration, log *zerolog.Lo
 	}
 }
 // Run will perodically check for cloudflared updates, download them, and then restart the current cloudflared process
 // to use the new version. It delays the first update check by the configured frequency as to not attempt a
 // download immediately and restart after starting (in the case that there is an upgrade available).
 func (a *AutoUpdater) Run(ctx context.Context) error {
 	ticker := time.NewTicker(a.configurable.freq)
 	for {
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-ticker.C:
 		}
 		updateOutcome := loggedUpdate(a.log, updateOptions{updateDisabled: !a.configurable.enabled})
 		if updateOutcome.Updated {
-			Init(updateOutcome.Version)
+			buildInfo.CloudflaredVersion = updateOutcome.Version
 			if IsSysV() {
 				// SysV doesn't have a mechanism to keep service alive, we have to restart the process
 				a.log.Info().Msg("Restarting service managed by SysV...")
 				pid, err := a.listeners.StartProcess()
 				if err != nil {
 					a.log.Err(err).Msg("Unable to restart server automatically")
-					return &statusErr{err: err}
+					return &statusError{err: err}
 				}
 				// stop old process after autoupdate. Otherwise we create a new process
 				// after each update
@ -254,25 +264,9 @@ func (a *AutoUpdater) Run(ctx context.Context) error {
 		} else if updateOutcome.UserMessage != "" {
 			a.log.Warn().Msg(updateOutcome.UserMessage)
 		}
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case newConfigurable := <-a.updateConfigChan:
 			ticker.Stop()
 			a.configurable = newConfigurable
 			ticker = time.NewTicker(a.configurable.freq)
 			// Check if there is new version of cloudflared after receiving new AutoUpdaterConfigurable
 		case <-ticker.C:
 		}
 	}
 }
 // Update is the method to pass new AutoUpdaterConfigurable to a running AutoUpdater. It is safe to be called concurrently
 func (a *AutoUpdater) Update(updateDisabled bool, newFreq time.Duration) {
 	a.updateConfigChan <- createUpdateConfig(updateDisabled, newFreq, a.log)
 }
 func isAutoupdateEnabled(log *zerolog.Logger, updateDisabled bool, updateFreq time.Duration) bool {
 	if !supportAutoUpdate(log) {
 		return false
--- a/cmd/cloudflared/updater/update_test.go
+++ b/cmd/cloudflared/updater/update_test.go
@ -9,8 +9,14 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 func init() {
 	Init(cliutil.GetBuildInfo("TEST", "TEST"))
 }
 func TestDisabledAutoUpdater(t *testing.T) {
 	listeners := &gracenet.Net{}
 	log := zerolog.Nop()
--- a/cmd/cloudflared/updater/workers_service.go
+++ b/cmd/cloudflared/updater/workers_service.go
@ -3,6 +3,7 @@ package updater
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"runtime"
 )
@ -56,6 +57,9 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	req, err := http.NewRequest(http.MethodGet, s.url, nil)
 	if err != nil {
 		return nil, err
 	}
 	q := req.URL.Query()
 	q.Add(OSKeyName, runtime.GOOS)
 	q.Add(ArchitectureKeyName, runtime.GOARCH)
@ -76,6 +80,10 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != 200 {
 		return nil, fmt.Errorf("unable to check for update: %d", resp.StatusCode)
 	}
 	var v VersionResponse
 	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
 		return nil, err
--- a/cmd/cloudflared/updater/workers_service_test.go
+++ b/cmd/cloudflared/updater/workers_service_test.go
@ -1,5 +1,4 @@
 //go:build !windows
 // +build !windows
 package updater
--- a/cmd/cloudflared/updater/workers_update.go
+++ b/cmd/cloudflared/updater/workers_update.go
@ -3,7 +3,6 @@ package updater
 import (
 	"archive/tar"
 	"compress/gzip"
 	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
@ -11,11 +10,15 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"text/template"
 	"time"
 	"github.com/getsentry/sentry-go"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 const (
@ -27,9 +30,9 @@ const (
 	// start the service
 	// exit with code 0 if we've reached this point indicating success.
 	windowsUpdateCommandTemplate = `sc stop cloudflared >nul 2>&1
 del "{{.OldPath}}"
 rename "{{.TargetPath}}" {{.OldName}}
 rename "{{.NewPath}}" {{.BinaryName}}
 del "{{.OldPath}}"
 sc start cloudflared >nul 2>&1
 exit /b 0`
 	batchFileName = "cfd_update.bat"
@ -86,8 +89,25 @@ func (v *WorkersVersion) Apply() error {
 		return err
 	}
-	// check that the file is what is expected
+	downloadSum, err := cliutil.FileChecksum(newFilePath)
-	if err := isValidChecksum(v.checksum, newFilePath); err != nil {
+	if err != nil {
 		return err
 	}
 	// Check that the file downloaded matches what is expected.
 	if v.checksum != downloadSum {
 		return errors.New("checksum validation failed")
 	}
 	// Check if the currently running version has the same checksum
 	if downloadSum == buildInfo.Checksum {
 		// Currently running binary matches the downloaded binary so we have no reason to update. This is
 		// typically unexpected, as such we emit a sentry event.
 		localHub := sentry.CurrentHub().Clone()
 		err := errors.New("checksum validation matches currently running process")
 		localHub.CaptureException(err)
 		// Make sure to cleanup the new downloaded file since we aren't upgrading versions.
 		os.Remove(newFilePath)
 		return err
 	}
@ -114,7 +134,7 @@ func (v *WorkersVersion) Apply() error {
 	if err := os.Rename(newFilePath, v.targetPath); err != nil {
 		//attempt rollback
-		os.Rename(oldFilePath, v.targetPath)
+		_ = os.Rename(oldFilePath, v.targetPath)
 		return err
 	}
 	os.Remove(oldFilePath)
@ -161,7 +181,7 @@ func download(url, filepath string, isCompressed bool) error {
 		tr := tar.NewReader(gr)
 		// advance the reader pass the header, which will be the single binary file
-		tr.Next()
+		_, _ = tr.Next()
 		r = tr
 	}
@ -178,7 +198,7 @@ func download(url, filepath string, isCompressed bool) error {
 // isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped
 func isCompressedFile(urlstring string) bool {
-	if strings.HasSuffix(urlstring, ".tgz") {
+	if path.Ext(urlstring) == ".tgz" {
 		return true
 	}
@ -186,28 +206,7 @@ func isCompressedFile(urlstring string) bool {
 	if err != nil {
 		return false
 	}
-	return strings.HasSuffix(u.Path, ".tgz")
+	return path.Ext(u.Path) == ".tgz"
 }
 // checks if the checksum in the json response matches the checksum of the file download
 func isValidChecksum(checksum, filePath string) error {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return err
 	}
 	hash := fmt.Sprintf("%x", h.Sum(nil))
 	if checksum != hash {
 		return errors.New("checksum validation failed")
 	}
 	return nil
 }
 // writeBatchFile writes a batch file out to disk
@ -250,7 +249,6 @@ func runWindowsBatch(batchFile string) error {
 		if exitError, ok := err.(*exec.ExitError); ok {
 			return fmt.Errorf("Error during update : %s;", string(exitError.Stderr))
 		}
 	}
 	return err
 }
--- a/cmd/cloudflared/windows_service.go
+++ b/cmd/cloudflared/windows_service.go
@ -1,5 +1,4 @@
 //go:build windows
 // +build windows
 package main
@ -27,7 +26,7 @@ import (
 const (
 	windowsServiceName        = "Cloudflared"
 	windowsServiceDescription = "Cloudflared agent"
-	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/windows/"
+	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/windows/"
 	recoverActionDelay      = time.Second * 20
 	failureCountResetPeriod = time.Hour * 24
@ -191,7 +190,7 @@ func installWindowsService(c *cli.Context) error {
 	log := zeroLogger.With().Str(LogFieldWindowsServiceName, windowsServiceName).Logger()
 	if err == nil {
 		s.Close()
-		return fmt.Errorf(serviceAlreadyExistsWarn(windowsServiceName))
+		return errors.New(serviceAlreadyExistsWarn(windowsServiceName))
 	}
 	extraArgs, err := getServiceExtraArgsFromCliArgs(c, &log)
 	if err != nil {
@ -239,7 +238,7 @@ func uninstallWindowsService(c *cli.Context) error {
 	defer m.Disconnect()
 	s, err := m.OpenService(windowsServiceName)
 	if err != nil {
-		return fmt.Errorf("Agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
+		return fmt.Errorf("agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
 	}
 	defer s.Close()
--- a/component-tests/README.md
+++ b/component-tests/README.md
@ -1,9 +1,9 @@
 # Requirements
-1. Python 3.7 or later with packages in the given `requirements.txt`
+1. Python 3.10 or later with packages in the given `requirements.txt`
-   - E.g. with conda:
+   - E.g. with venv:
-   - `conda create -n component-tests python=3.7`  
+   - `python3 -m venv ./.venv`  
-   - `conda activate component-tests`
+   - `source ./.venv/bin/activate`
-   - `pip3 install -r requirements.txt`
+   - `python3 -m pip install -r requirements.txt`
 2. Create a config yaml file, for example:
 ```
--- a/component-tests/requirements.txt
+++ b/component-tests/requirements.txt
@ -1,8 +1,8 @@
-cloudflare==2.8.15
+cloudflare==2.14.3
 flaky==3.7.0
 pytest==7.3.1
 pytest-asyncio==0.21.0
-pyyaml==5.4.1
+pyyaml==6.0.1
 requests==2.28.2
 retrying==1.3.4
 websockets==11.0.1
--- a/component-tests/setup.py
+++ b/component-tests/setup.py
@ -74,7 +74,7 @@ def delete_tunnel(config):
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def create_dns(config, hostname, type, content):
-    cf = CloudFlare.CloudFlare(debug=True, token=get_env("DNS_API_TOKEN"))
+    cf = CloudFlare.CloudFlare(debug=False, token=get_env("DNS_API_TOKEN"))
    cf.zones.dns_records.post(
        config["zone_tag"],
        data={'name': hostname, 'type': type, 'content': content, 'proxied': True}
@ -89,7 +89,7 @@ def create_named_dns(config, random_uuid):
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def delete_dns(config, hostname):
-    cf = CloudFlare.CloudFlare(debug=True, token=get_env("DNS_API_TOKEN"))
+    cf = CloudFlare.CloudFlare(debug=False, token=get_env("DNS_API_TOKEN"))
    zone_tag = config["zone_tag"]
    dns_records = cf.zones.dns_records.get(zone_tag, params={'name': hostname})
    if len(dns_records) > 0:
--- a/component-tests/test_config.py
+++ b/component-tests/test_config.py
@ -36,17 +36,17 @@ class TestConfig:
        _ = start_cloudflared(tmp_path, config, validate_args)
        self.match_rule(tmp_path, config,
-                        "http://example.com/index.html", 1)
+                        "http://example.com/index.html", 0)
        self.match_rule(tmp_path, config,
-                        "https://example.com/index.html", 1)
+                        "https://example.com/index.html", 0)
        self.match_rule(tmp_path, config,
-                        "https://api.example.com/login", 2)
+                        "https://api.example.com/login", 1)
        self.match_rule(tmp_path, config,
-                        "https://wss.example.com", 3)
+                        "https://wss.example.com", 2)
        self.match_rule(tmp_path, config,
-                        "https://ssh.example.com", 4)
+                        "https://ssh.example.com", 3)
        self.match_rule(tmp_path, config,
-                        "https://api.example.com", 5)
+                        "https://api.example.com", 4)
    # This is used to check that the command tunnel ingress url <url> matches rule number <rule_num>. Note that rule number uses 1-based indexing
--- a/component-tests/test_management.py
+++ b/component-tests/test_management.py
@ -55,7 +55,7 @@ class TestManagement:
        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
-        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1", "--management-diagnostics"], new_process=True):
+        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
            url = cfd_cli.get_management_url("metrics", config, config_path)
@ -76,7 +76,7 @@ class TestManagement:
        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
-        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1", "--management-diagnostics"], new_process=True):
+        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
            url = cfd_cli.get_management_url("debug/pprof/heap", config, config_path)
@ -97,7 +97,7 @@ class TestManagement:
        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
-        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True):
+        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1", "--management-diagnostics=false"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
            url = cfd_cli.get_management_url("metrics", config, config_path)
@ -107,7 +107,13 @@ class TestManagement:
            assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def send_request(url, headers={}):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
        if resp.status_code == 530:
            LOGGER.debug(f"Received 530 status, retrying request to {url}")
            raise Exception(f"Received 530 status code from {url}")
        return resp
--- a/Show More
+++ b/Show More