Replace jira.cfops.it with jira.cfdata.org in connection/http2_test.go

TUN-9863: Update pipelines to use cloudflared EV Certificate
TUN-9800: Migrate apt internal builds to Gitlab
2025-11-21 05:33:09 +00:00 · 2025-11-19 18:05:33 +00:00 · 2025-11-10 14:43:10 +00:00 · 2025-11-07 16:30:58 +00:00 · 2025-11-07 15:26:22 +00:00 · 2025-11-07 08:15:20 +00:00
1443 changed files with 95063 additions and 55992 deletions
--- a/.ci/apt-internal.gitlab-ci.yml
+++ b/.ci/apt-internal.gitlab-ci.yml
@ -0,0 +1,151 @@
 .register_inputs: &register_inputs
  stage: release-internal
  runOnBranches: "^master$"
  COMPONENT: "common"
 .register_inputs_stable_bookworm: &register_inputs_stable_bookworm
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "bookworm"
  SERIES: "stable"
 .register_inputs_stable_trixie: &register_inputs_stable_trixie
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "trixie"
  SERIES: "stable"
 .register_inputs_next_bookworm: &register_inputs_next_bookworm
  <<: *register_inputs
  FLAVOR: "bookworm"
  SERIES: next
 .register_inputs_next_trixie: &register_inputs_next_trixie
  <<: *register_inputs
  FLAVOR: "trixie"
  SERIES: next
 ################################################
 ### Generate Debian Package for Internal APT ###
 ################################################
 .cloudflared-apt-build: &cloudflared_apt_build
  stage: package
  needs:
    - ci-image-get-image-ref
    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
  image: $BUILD_IMAGE
  cache: {}
  script:
    - make cloudflared-deb
  artifacts:
    paths:
      - cloudflared*.deb
 ##############
 ### Stable ###
 ##############
 cloudflared-amd64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &amd64-stable-vars
    GOOS: linux
    GOARCH: amd64
    FIPS: true
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 cloudflared-arm64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &arm64-stable-vars
    GOOS: linux
    GOARCH: arm64
    FIPS: false # TUN-7595
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 ############
 ### Next ###
 ############
 cloudflared-amd64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *amd64-stable-vars
    NIGHTLY: true
 cloudflared-arm64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *arm64-stable-vars
    NIGHTLY: true
 include:
  - local: .ci/commons.gitlab-ci.yml
  ##########################################
  ### Publish Packages to Internal Repos ###
  ##########################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-amd64
      needs: &amd64-stable ["cloudflared-amd64-stable"]
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-arm64
      needs: &arm64-stable ["cloudflared-arm64-stable"]
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-amd64
      needs: *amd64-stable
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-arm64
      needs: *arm64-stable
  ##################################################
  ### Publish Nightly Packages to Internal Repos ###
  ##################################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-amd64
      needs: &amd64-next ['cloudflared-amd64-next']
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-arm64
      needs: &arm64-next ['cloudflared-arm64-next']
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-amd64
      needs: *amd64-next
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-arm64
      needs: *arm64-next
--- a/.ci/ci-image.gitlab-ci.yml
+++ b/.ci/ci-image.gitlab-ci.yml
@ -0,0 +1,31 @@
 # Builds a custom CI Image when necessary
 include:
  #####################################################
  ############## Build and Push CI Image ##############
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnChangesTo: [".ci/image/**"]
      runOnMR: true
      runOnBranches: '^master$'
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
  #####################################################
  ## Resolve the image reference for downstream jobs ##
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnMR: true
      runOnBranches: '^master$'
      IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
      VARIABLE_NAME: BUILD_IMAGE
      needs:
        - job: ci-image-build-push-image
          optional: true
--- a/.ci/commons.gitlab-ci.yml
+++ b/.ci/commons.gitlab-ci.yml
@ -0,0 +1,45 @@
 ## A set of predefined rules to use on the different jobs
 .default-rules:
  # Rules to run the job only on the master branch
  run-on-master:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only on merge requests
  run-on-mr:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: on_success
    - when: never
  # Rules to run the job on merge_requests and master branch
  run-always:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only when a release happens
  run-on-release:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
          - 'RELEASE_NOTES'
      when: on_success
    - when: never
 .component-tests:
  image: $BUILD_IMAGE
  rules:
    - !reference [.default-rules, run-always]
  variables:
    COMPONENT_TESTS_CONFIG: component-test-config.yaml
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
  secrets:
    DNS_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
      file: false
    COMPONENT_TESTS_ORIGINCERT:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
      file: false
  cache: {}
--- a/.ci/github.gitlab-ci.yml
+++ b/.ci/github.gitlab-ci.yml
@ -0,0 +1,17 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ######################################
 ### Sync master branch with Github ###
 ######################################
 push-github:
  stage: sync
  rules:
    - !reference [.default-rules, run-on-master]
  script:
    - ./.ci/scripts/github-push.sh
  secrets:
    CLOUDFLARED_DEPLOY_SSH_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
      file: false
  cache: {}
--- a/.ci/image/.docker-images
+++ b/.ci/image/.docker-images
@ -0,0 +1,2 @@
 images:
  - name: ci-image
--- a/.ci/image/Dockerfile
+++ b/.ci/image/Dockerfile
@ -0,0 +1,35 @@
 ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
 FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/bookworm/main:2025.7.0@sha256:6350da2f7e728dae2c1420f6dafc38e23cacc0b399d3d5b2f40fe48d9c8ff1ca
 RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install --no-install-recommends --allow-downgrades -y \
        build-essential \
        git \
        go-boring=1.24.9-1 \
        libffi-dev \
        procps \
        python3-dev \
        python3-pip \
        python3-setuptools \
        python3-venv \
        # libmsi and libgcab are libraries the wixl binary depends on.
        libmsi-dev \
        libgcab-dev \
        # deb and rpm build tools
        rubygem-fpm \
        rpm \
        # create deb and rpm repository files
        reprepro \
        createrepo-c \
        # gcc for cross architecture compilation in arm
        gcc-aarch64-linux-gnu \
        libc6-dev-arm64-cross && \
    rm -rf /var/lib/apt/lists/* && \
    # Install wixl
    curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \
    chmod a+x /usr/local/bin/wixl && \
    mkdir -p opt
 WORKDIR /opt
--- a/.ci/linux.gitlab-ci.yml
+++ b/.ci/linux.gitlab-ci.yml
@ -0,0 +1,122 @@
 .golang-inputs: &golang_inputs
  runOnMR: true
  runOnBranches: '^master$'
  outputDir: artifacts
  runner: linux-x86-8cpu-16gb
  stage: build
  golangVersion: "boring-1.24"
  imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
  CGO_ENABLED: 1
 .default-packaging-job: &packaging-job-defaults
  stage: package
  needs:
    - ci-image-get-image-ref
  rules:
    - !reference [.default-rules, run-on-master]
  image: $BUILD_IMAGE
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 include:
  ###################
  ### Linux Build ###
  ###################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-build
      GOLANG_MAKE_TARGET: ci-build
  ########################
  ### Linux FIPS Build ###
  ########################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-fips-build
      GOLANG_MAKE_TARGET: ci-fips-build
  #################
  ### Unit Tests ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test
      GOLANG_MAKE_TARGET: ci-test
  ######################
  ### Unit Tests FIPS ##
  ######################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test-fips
      GOLANG_MAKE_TARGET: ci-fips-test
  #################
  ### Vuln Check ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      runOnBranches: '^$'
      stage: validate
      jobPrefix: vulncheck
      GOLANG_MAKE_TARGET: vulncheck
 #################################
 ### Run Linux Component Tests ###
 #################################
 linux-component-tests: &linux-component-tests
  stage: test
  extends: .component-tests
  needs:
    - ci-image-get-image-ref
    - linux-build-boring-make
  script:
    - ./.ci/scripts/component-tests.sh
  variables: &component-tests-variables
    CI: 1
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
  tags:
    - linux-x86-8cpu-16gb
  artifacts:
    reports:
      junit: report.xml
 ######################################
 ### Run Linux FIPS Component Tests ###
 ######################################
 linux-component-tests-fips:
  <<: *linux-component-tests
  needs:
    - ci-image-get-image-ref
    - linux-fips-build-boring-make
  variables:
    <<: *component-tests-variables
    COMPONENT_TESTS_FIPS: 1
 ################################
 ####### Linux Packaging ########
 ################################
 linux-packaging:
  <<: *packaging-job-defaults
  parallel:
    matrix:
      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
  script:
    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
 ################################
 ##### Linux FIPS Packaging #####
 ################################
 linux-packaging-fips:
  <<: *packaging-job-defaults
  script:
    - ./.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/mac.gitlab-ci.yml
+++ b/.ci/mac.gitlab-ci.yml
@ -0,0 +1,66 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###############################
 ### Defaults for Mac Builds ###
 ###############################
 .mac-build-defaults: &mac-build-defaults
  rules:
    - !reference [.default-rules, run-on-mr]
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  cache: {}
 ######################################
 ### Build Cloudflared Mac Binaries ###
 ######################################
 macos-build-cloudflared: &mac-build
  <<: *mac-build-defaults
  stage: build
  artifacts:
    paths:
      - artifacts/*
  script:
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    - ./.ci/scripts/mac/install-go.sh
    - BUILD_SCRIPT=.ci/scripts/mac/build.sh
    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    - exec ${BUILD_SCRIPT}
 ###############################################
 ### Build and Sign Cloudflared Mac Binaries ###
 ###############################################
 macos-build-and-sign-cloudflared:
  <<: *mac-build
  rules:
    - !reference [.default-rules, run-on-master]
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
      file: false
--- a/.ci/release.gitlab-ci.yml
+++ b/.ci/release.gitlab-ci.yml
@ -0,0 +1,133 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
  ######################################
  ### Build and Push DockerHub Image ###
  ######################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: release
      jobPrefix: docker-hub
      runOnMR: false
      runOnBranches: '^master$'
      runOnChangesTo: ['RELEASE_NOTES']
      needs:
        - generate-version-file
        - release-cloudflared-to-r2
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      # Based on if the CI reference is protected or not the CI component will
      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
      # we simply set both to the same value.
      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
      DOCKER_USER_PROD: *docker-hub-user
      DOCKER_PASSWORD_PROD: *docker-hub-password
      EXTRA_DIB_ARGS: --overwrite
 .default-release-job: &release-job-defaults
  stage: release
  image: $BUILD_IMAGE
  cache:
    paths:
      - .cache/pip
  variables: &release-job-variables
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # KV Vars
    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
    # R2 Vars
    R2_BUCKET: cloudflared-pkgs
    R2_ACCOUNT_ID: *cf-account
    # APT and RPM Repository Vars
    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
    BINARY_NAME: cloudflared
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
    R2_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
      file: false
    R2_CLIENT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
      file: false
 ###########################################
 ### Push Cloudflared Binaries to Github ###
 ###########################################
 release-cloudflared-to-github:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging
    - linux-packaging-fips
    - macos-build-and-sign-cloudflared
    - windows-package-sign
  script:
    - ./.ci/scripts/release-target.sh github-release
 #########################################
 ### Upload Cloudflared Binaries to R2 ###
 #########################################
 release-cloudflared-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
    - release-cloudflared-to-github
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #################################################
 ### Upload Cloudflared Nightly Binaries to R2 ###
 #################################################
 release-cloudflared-nightly-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *release-job-variables
    R2_BUCKET: cloudflared-pkgs-next
    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #############################
 ### Generate Version File ###
 #############################
 generate-version-file:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
  script:
    - make generate-docker-version
  artifacts:
    paths:
      - versions
--- a/.ci/scripts/component-tests.sh
+++ b/.ci/scripts/component-tests.sh
@ -0,0 +1,25 @@
 #!/bin/bash
 set -e -o pipefail
 # Fetch cloudflared from the artifacts folder
 mv ./artifacts/cloudflared ./cloudflared
 python3 -m venv env
 . env/bin/activate
 pip install --upgrade -r component-tests/requirements.txt
 # Creates and routes a Named Tunnel for this build. Also constructs
 # config file from env vars.
 python3 component-tests/setup.py --type create
 # Define the cleanup function
 cleanup() {
    # The Named Tunnel is deleted and its route unprovisioned here.
    python3 component-tests/setup.py --type cleanup
 }
 # The trap will call the cleanup function on script exit
 trap cleanup EXIT
 pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
--- a/.ci/scripts/fmt-check.sh
+++ b/.ci/scripts/fmt-check.sh
@ -1,8 +1,7 @@
 #!/bin/bash
 set -e -o pipefail
-OUTPUT=$(goimports -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
+OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
 if [ -n "$OUTPUT" ] ; then
  PAGER=$(which colordiff || echo cat)
--- a/.ci/scripts/github-push.sh
+++ b/.ci/scripts/github-push.sh
@ -0,0 +1,31 @@
 #!/bin/bash
 set -e -o pipefail
 BRANCH="master"
 TMP_PATH="$PWD/tmp"
 PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
 PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
 mkdir -p $TMP_PATH
 # Setup Private Key
 echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
 chmod 400 $PRIVATE_KEY_PATH
 # Download GitHub Public Key for KnownHostsFile
 ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
 # Setup git ssh command with the right configurations
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
 # Add GitHub as a new remote
 git remote add github git@github.com:cloudflare/cloudflared.git || true
 # GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
 # Therefore, we need to manually fetch the reference to then push it to GitHub.
 git fetch origin $BRANCH:$BRANCH
 git push -u github $BRANCH
 if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
  git push -u github "$TAG"
 fi
--- a/.ci/scripts/linux/build-packages-fips.sh
+++ b/.ci/scripts/linux/build-packages-fips.sh
@ -3,7 +3,7 @@ VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # This controls the directory the built artifacts go into
-export ARTIFACT_DIR=built_artifacts/
+export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 arch=("amd64")
@ -17,7 +17,7 @@ make cloudflared-deb
 mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
-RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
+RPMVERSION=$(echo $VERSION | sed -r 's/-/_/g')
 RPMARCH="x86_64"
 make cloudflared-rpm
 mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
--- a/.ci/scripts/linux/build-packages.sh
+++ b/.ci/scripts/linux/build-packages.sh
@ -0,0 +1,59 @@
 #!/bin/bash
 # Check if architecture argument is provided
 if [ $# -eq 0 ]; then
    echo "Error: Architecture argument is required"
    echo "Usage: $0 <architecture>"
    exit 1
 fi
 # Parameters
 arch=$1
 # Get Version
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 export TARGET_OS=linux
 unset TARGET_ARM
 export TARGET_ARCH=$arch
 ## Support for arm platforms without hardware FPU enabled
 if [[ $arch == arm ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=5
 fi
 ## Support for armhf builds
 if [[ $arch == armhf ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=7
 fi
 make cloudflared-deb
 mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH=$arch
 if [ $arch == "amd64" ];then
    RPMARCH="x86_64"
 fi
 if [ $arch == "arm64" ]; then
    RPMARCH="aarch64"
 fi
 make cloudflared-rpm
 mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
--- a/.ci/scripts/mac/build.sh
+++ b/.ci/scripts/mac/build.sh
@ -0,0 +1,228 @@
 #!/bin/bash
 set -exo pipefail
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
 then
  echo "TARGET_ARCH must be amd64 or arm64"
  exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 APPLE_CA_CERT="apple_dev_ca.cert"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 # Imports certificates to the Apple KeyChain
 import_certificate() {
    local CERTIFICATE_NAME=$1
    local CERTIFICATE_ENV_VAR=$2
    local CERTIFICATE_FILE_NAME=$3
    echo "Importing $CERTIFICATE_NAME"
    if [[ ! -z "$CERTIFICATE_ENV_VAR" ]]; then
      # write certificate to disk and then import it keychain
      echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
      # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
      # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
      local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true
      local exitcode=$?
      # delete the certificate from disk
      rm -rf ${CERTIFICATE_FILE_NAME}
      if [ -n "$out" ]; then
        if [ $exitcode -eq 0 ]; then
            echo "$out"
        else
            if [ "$out" != "${SEC_DUP_MSG}" ]; then
                echo "$out" >&2
                exit $exitcode
            else
                echo "already imported code signing certificate"
            fi
        fi
      fi
    fi
 }
 create_cloudflared_build_keychain() {
  # Reusing the private key password as the keychain key
  local PRIVATE_KEY_PASS=$1
  # Create keychain only if it doesn't already exist
  if [ ! -f "$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db" ]; then
    security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
  else
    echo "Keychain already exists: cloudflared_build_keychain"
  fi
  # Append temp keychain to the user domain
  security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
  # Remove relock timeout
  security set-keychain-settings cloudflared_build_keychain
  # Unlock keychain so it doesn't require password
  security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
 }
 # Imports private keys to the Apple KeyChain
 import_private_keys() {
    local PRIVATE_KEY_NAME=$1
    local PRIVATE_KEY_ENV_VAR=$2
    local PRIVATE_KEY_FILE_NAME=$3
    local PRIVATE_KEY_PASS=$4
    echo "Importing $PRIVATE_KEY_NAME"
    if [[ ! -z "$PRIVATE_KEY_ENV_VAR" ]]; then
      if [[ ! -z "$PRIVATE_KEY_PASS" ]]; then
        # write private key to disk and then import it keychain
        echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
        # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
        # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
        local exitcode=$?
        rm -rf ${PRIVATE_KEY_FILE_NAME}
        if [ -n "$out" ]; then
          if [ $exitcode -eq 0 ]; then
              echo "$out"
          else
              if [ "$out" != "${SEC_DUP_MSG}" ]; then
                  echo "$out" >&2
                  exit $exitcode
              fi
          fi
        fi
      fi
    fi
 }
 # Create temp keychain only for this build
 create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
 # Add Apple Root Developer certificate to the key chain
 import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
 # Add code signing private key to the key chain
 import_private_keys "Developer ID Application" "${CFD_CODE_SIGN_KEY}" "${CODE_SIGN_PRIV}" "${CFD_CODE_SIGN_PASS}"
 # Add code signing certificate to the key chain
 import_certificate "Developer ID Application" "${CFD_CODE_SIGN_CERT}" "${CODE_SIGN_CERT}"
 # Add package signing private key to the key chain
 import_private_keys "Developer ID Installer" "${CFD_INSTALLER_KEY}" "${INSTALLER_PRIV}" "${CFD_INSTALLER_PASS}"
 # Add package signing certificate to the key chain
 import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER_CERT}"
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # cleanup the build directory because the previous execution might have failed without cleaning up.
 rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # This allows apple tools to use the certificates in the keychain without requiring password input.
 # This command always needs to run after the certificates have been loaded into the keychain
 if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
  security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 # notarize the binary
 # TODO: TUN-5789
 fi
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
 # creating build directory
 rm -rf $ARCH_TARGET_DIRECTORY
 mkdir -p "${ARCH_TARGET_DIRECTORY}"
 mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --keychain cloudflared_build_keychain \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      # TODO: TUN-5789
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
 # cleanup the keychain
 security default-keychain -d user -s login.keychain-db
 security list-keychains -d user -s login.keychain-db
 security delete-keychain cloudflared_build_keychain
--- a/.teamcity/mac/install-cloudflare-go.sh
+++ b/.teamcity/mac/install-cloudflare-go.sh
@ -2,9 +2,9 @@ rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
-./.teamcity/install-cloudflare-go.sh
+brew install go@1.24
 export PATH="/tmp/go/bin:$PATH"
 go version
 which go
 go env
--- a/.ci/scripts/package-windows.sh
+++ b/.ci/scripts/package-windows.sh
@ -0,0 +1,23 @@
 #!/bin/bash
 python3 -m venv env
 . env/bin/activate
 pip install pynacl==1.4.0 pygithub==1.55
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
 export BUILT_ARTIFACT_DIR=artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    # Copy .exe from artifacts directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
 done
--- a/.ci/scripts/release-target.sh
+++ b/.ci/scripts/release-target.sh
@ -0,0 +1,18 @@
 #!/bin/bash
 set -e -o pipefail
 # Check if a make target is provided as an argument
 if [ $# -eq 0 ]; then
    echo "Error: Make target argument is required"
    echo "Usage: $0 <make-target>"
    exit 1
 fi
 MAKE_TARGET=$1
 python3 -m venv venv
 source venv/bin/activate
 # Our release scripts are written in python, so we should install their dependecies here.
 pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
 make $MAKE_TARGET
--- a/.ci/scripts/vuln-check.sh
+++ b/.ci/scripts/vuln-check.sh
@ -0,0 +1,52 @@
 #!/bin/bash
 set -e
 # Define the file to store the list of vulnerabilities to ignore.
 IGNORE_FILE=".vulnignore"
 # Check if the ignored vulnerabilities file exists. If not, create an empty one.
 if [ ! -f "$IGNORE_FILE" ]; then
    touch "$IGNORE_FILE"
    echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
    echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
    echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
    echo "" >> "$IGNORE_FILE"
 fi
 # Run govulncheck and capture its output.
 VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
 # Print the govuln output
 echo "====================================="
 echo "Full Output of govulncheck:"
 echo "====================================="
 echo "$VULN_OUTPUT"
 echo "====================================="
 echo "End of govulncheck Output"
 echo "====================================="
 # Process the ignore file to remove comments and empty lines.
 # The 'cut' command gets the vulnerability ID and removes anything after the '#'.
 # The 'grep' command filters out empty lines and lines starting with '#'.
 CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
 # Filter out the ignored vulnerabilities.
 UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
 # If the list of ignored vulnerabilities is not empty, filter them out.
 if [ -n "$CLEAN_IGNORES" ]; then
    UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
 fi
 # If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
 if [ -n "$UNIGNORED_VULNS" ]; then
    echo "🚨 Found new, unignored vulnerabilities:"
    echo "-------------------------------------"
    echo "$UNIGNORED_VULNS"
    echo "-------------------------------------"
    echo "Exiting with an error. ❌"
    exit 1
 else
    echo "🎉 No new vulnerabilities found. All clear! ✨"
    exit 0
 fi
--- a/.ci/scripts/windows/builds.ps1
+++ b/.ci/scripts/windows/builds.ps1
@ -0,0 +1,29 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 New-Item -Path ".\artifacts" -ItemType Directory
 Write-Output "Building for amd64"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 # Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:TARGET_ARCH = "386"
 $env:LOCAL_ARCH = "386"
 $env:CGO_ENABLED = 0
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 ## Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe
--- a/.ci/scripts/windows/component-test.ps1
+++ b/.ci/scripts/windows/component-test.ps1
@ -0,0 +1,40 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 python --version
 python -m pip --version
 Write-Host "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 Write-Host "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 go test -failfast -v -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 # On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
 $env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
 Write-Host "No Proxy: ${env:NO_PROXY}"
 Write-Host "Running component tests"
 try {
    python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
    python component-tests/setup.py --type create
    python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
    if ($LASTEXITCODE -ne 0) {
        throw "Failed component tests"
    }
 } finally {
    python component-tests/setup.py --type cleanup
 }
--- a/.ci/scripts/windows/go-wrapper.ps1
+++ b/.ci/scripts/windows/go-wrapper.ps1
@ -0,0 +1,69 @@
 Param(
    [string]$GoVersion,
    [string]$ScriptToExecute
 )
 # The script is a wrapper that downloads a specific version
 # of go, adds it to the PATH and executes a script with that go
 # version in the path.
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Get the path to the system's temporary directory.
 $tempPath = [System.IO.Path]::GetTempPath()
 # Create a unique name for the new temporary folder.
 $folderName = "go_" + (Get-Random)
 # Join the temp path and the new folder name to create the full path.
 $fullPath = Join-Path -Path $tempPath -ChildPath $folderName
 # Store the current value of PATH environment variable.
 $oldPath = $env:Path
 # Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
 try {
    # Create the temporary folder.
    Write-Host "Creating temporary folder at: $fullPath"
    $newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
    # Download go
    $url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
    $destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
    Write-Host "Downloading go from: $url"
    Invoke-WebRequest -Uri $url -OutFile $destinationFile
    Write-Host "File downloaded to: $destinationFile"
    # Unzip the downloaded file.
    Write-Host "Unzipping the file..."
    Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
    Write-Host "File unzipped successfully."
    # Define the go/bin path wich is inside the temporary folder
    $goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
    # Add the go/bin path to the PATH environment variable.
    $env:Path = "$goBinPath;$($env:Path)"
    Write-Host "Added $goBinPath to the environment PATH."
    go env
    go version
    & $ScriptToExecute
 } finally {
    # Cleanup: Remove the path from the environment variable and then the temporary folder.
    Write-Host "Starting cleanup..."
    $env:Path = $oldPath
    Write-Host "Reverted changes in the environment PATH."
    # Remove the temporary folder and its contents.
    if (Test-Path -Path $fullPath) {
        Remove-Item -Path $fullPath -Recurse -Force
        Write-Host "Temporary folder and its contents have been removed."
    } else {
        Write-Host "Temporary folder does not exist, no cleanup needed."
    }
 }
--- a/.ci/scripts/windows/sign-msi.ps1
+++ b/.ci/scripts/windows/sign-msi.ps1
@ -0,0 +1,26 @@
 # Sign Windows artifacts using azuretool
 # This script processes MSI files from the artifacts directory
 $ErrorActionPreference = "Stop"
 # Define paths
 $ARTIFACT_DIR = "artifacts"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
 # Find all Windows MSI files
 $msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
 if ($msiFiles.Count -eq 0) {
    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
    exit 1
 }
 Write-Host "Found $($msiFiles.Count) file(s) to sign:"
 foreach ($file in $msiFiles) {
    Write-Host "Running azuretool sign for $($file.Name)"
    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
 }
 Write-Host "Signing process completed"
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@ -0,0 +1,114 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###################################
 ### Defaults for Windows Builds ###
 ###################################
 .windows-build-defaults: &windows-build-defaults
  rules:
    - !reference [.default-rules, run-always]
  tags:
    - windows-x86
  cache: {}
 ##########################################
 ### Build Cloudflared Windows Binaries ###
 ##########################################
 windows-build-cloudflared:
  <<: *windows-build-defaults
  stage: build
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
  artifacts:
    paths:
      - artifacts/*
 ######################################################
 ### Load Environment Variables for Component Tests ###
 ######################################################
 windows-load-env-variables:
  stage: pre-build
  extends: .component-tests
  script:
    - echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
    - echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
    - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
    # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
    - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
  variables:
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
  secrets:
    KEY_VAULT_URL:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
      file: false
    KEY_VAULT_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
      file: false
    KEY_VAULT_TENANT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
      file: false
    KEY_VAULT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
      file: false
    KEY_VAULT_CERTIFICATE:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate_v2/key_vault_certificate@kv
      file: false
  artifacts:
    access: 'none'
    reports:
      dotenv: windows.env
 ###################################
 ### Run Windows Component Tests ###
 ###################################
 windows-component-tests-cloudflared:
  <<: *windows-build-defaults
  stage: test
  needs: ["windows-load-env-variables"]
  script:
    # We have to decode the secret we encoded on the `windows-load-env-variables` job
    - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
  artifacts:
    reports:
      junit: report.xml
 ################################
 ### Package Windows Binaries ###
 ################################
 windows-package:
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - ci-image-get-image-ref
    - windows-build-cloudflared
  image: $BUILD_IMAGE
  script:
    - .ci/scripts/package-windows.sh
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 #############################
 ### Sign Windows Binaries ###
 #############################
 windows-package-sign:
  <<: *windows-build-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - windows-package
    - windows-load-env-variables
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
  artifacts:
    paths:
      - artifacts/*
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -0,0 +1,24 @@
 on:
  pull_request: {}
  workflow_dispatch: {}
  push: 
    branches:
      - main
      - master
  schedule:
    - cron: '0 0 * * *'
 name: Semgrep config
 jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      SEMGREP_URL: https://cloudflare.semgrep.dev
      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
--- a/.gitignore
+++ b/.gitignore
@ -17,3 +17,4 @@ cscope.*
 ssh_server_tests/.env
 /.cover
 built_artifacts/
 component-tests/.venv
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,58 @@
 variables:
  GO_VERSION: "go1.24.9"
  GIT_DEPTH: "0"
 default:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org
 stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]
 include:
  #####################################################
  ########## Import Commons Configurations ############
  #####################################################
  - local: .ci/commons.gitlab-ci.yml
  #####################################################
  ########### Sync Repository with Github #############
  #####################################################
  - local: .ci/github.gitlab-ci.yml
  #####################################################
  ############# Build or Fetch CI Image ###############
  #####################################################
  - local: .ci/ci-image.gitlab-ci.yml
  #####################################################
  ################## Linux Builds ###################
  #####################################################
  - local: .ci/linux.gitlab-ci.yml
  #####################################################
  ################## Windows Builds ###################
  #####################################################
  - local: .ci/windows.gitlab-ci.yml
  #####################################################
  ################### macOS Builds ####################
  #####################################################
  - local: .ci/mac.gitlab-ci.yml
  #####################################################
  ################# Release Packages ##################
  #####################################################
  - local: .ci/release.gitlab-ci.yml
  #####################################################
  ########## Release Packages Internally ##############
  #####################################################
  - local: .ci/apt-internal.gitlab-ci.yml
  #####################################################
  ############## Manual Claude Review #################
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
    inputs:
      whenToRun: "manual"
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -0,0 +1,89 @@
 linters:
  enable:
    # Some of the linters below are commented out. We should uncomment and start running them, but they return
    # too many problems to fix in one commit. Something for later.
    - asasalint        # Check for pass []any as any in variadic func(...any).
    - asciicheck       # Checks that all code identifiers does not have non-ASCII symbols in the name.
    - bidichk          # Checks for dangerous unicode character sequences.
    - bodyclose        # Checks whether HTTP response body is closed successfully.
    - decorder         # Check declaration order and count of types, constants, variables and functions.
    - dogsled          # Checks assignments with too many blank identifiers (e.g. x, , , _, := f()).
    - dupl             # Tool for code clone detection.
    - dupword          # Checks for duplicate words in the source code.
    - durationcheck    # Check for two durations multiplied together.
    - errcheck         # Errcheck is a program for checking for unchecked errors in Go code. These unchecked errors can be critical bugs in some cases.
    - errname          # Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error.
    - exhaustive       # Check exhaustiveness of enum switch statements.
    - gofmt            # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification.
    - goimports        # Check import statements are formatted according to the 'goimport' command. Reformat imports in autofix mode.
    - gosec            # Inspects source code for security problems.
    - gosimple         # Linter for Go source code that specializes in simplifying code.
    - govet            # Vet examines Go source code and reports suspicious constructs. It is roughly the same as 'go vet' and uses its passes.
    - ineffassign      # Detects when assignments to existing variables are not used.
    - importas         # Enforces consistent import aliases.
    - misspell         # Finds commonly misspelled English words.
    - prealloc         # Finds slice declarations that could potentially be pre-allocated.
    - promlinter       # Check Prometheus metrics naming via promlint.
    - sloglint         # Ensure consistent code style when using log/slog.
    - sqlclosecheck    # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.
    - staticcheck      # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.
    - usetesting       # Reports uses of functions with replacement inside the testing package.
    - testableexamples # Linter checks if examples are testable (have an expected output).
    - testifylint      # Checks usage of github.com/stretchr/testify.
    - tparallel        # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.
    - unconvert        # Remove unnecessary type conversions.
    - unused           # Checks Go code for unused constants, variables, functions and types.
    - wastedassign     # Finds wasted assignment statements.
    - whitespace       # Whitespace is a linter that checks for unnecessary newlines at the start and end of functions, if, for, etc.
    - zerologlint      # Detects the wrong usage of zerolog that a user forgets to dispatch with Send or Msg.
  # Other linters are disabled, list of all is here: https://golangci-lint.run/usage/linters/
 run:
  timeout: 5m
  modules-download-mode: vendor
 # output configuration options
 output:
  formats:
    - format: 'colored-line-number'
  print-issued-lines: true
  print-linter-name: true
 issues:
  # Maximum issues count per one linter.
  # Set to 0 to disable.
  # Default: 50
  max-issues-per-linter: 50
  # Maximum count of issues with the same text.
  # Set to 0 to disable.
  # Default: 3
  max-same-issues: 15
  # Show only new issues: if there are unstaged changes or untracked files,
  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
  # It's a super-useful option for integration of golangci-lint into existing large codebase.
  # It's not practical to fix all existing issues at the moment of integration:
  # much better don't allow issues in new code.
  #
  # Default: false
  new: true
  # Show only new issues created after git revision `REV`.
  # Default: ""
  new-from-rev: ac34f94d423273c8fa8fdbb5f2ac60e55f2c77d5
  # Show issues in any part of update files (requires new-from-rev or new-from-patch).
  # Default: false
  whole-files: true
  # Which dirs to exclude: issues from them won't be reported.
  # Can use regexp here: `generated.*`, regexp is applied on full path,
  # including the path prefix if one is set.
  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
  # "/" will be replaced by current OS file path separator to properly work on Windows.
  # Default: []
  exclude-dirs:
    - vendor
 linters-settings:
  # Check exhaustiveness of enum switch statements.
  exhaustive:
    # Presence of "default" case in switch statements satisfies exhaustiveness,
    # even if all enum members are not listed.
    # Default: false
    default-signifies-exhaustive: true
--- a/.teamcity/install-cloudflare-go.sh
+++ b/.teamcity/install-cloudflare-go.sh
@ -1,8 +0,0 @@
 # !/usr/bin/env bash
 cd /tmp
 git clone -q https://github.com/cloudflare/go
 cd go/src
 # https://github.com/cloudflare/go/tree/ec0a014545f180b0c74dfd687698657a9e86e310 is version go1.22.2-devel-cf
 git checkout -q ec0a014545f180b0c74dfd687698657a9e86e310
 ./make.bash
--- a/.teamcity/mac/build.sh
+++ b/.teamcity/mac/build.sh
@ -1,195 +0,0 @@
 #!/bin/bash
 set -exo pipefail
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
 then
  echo "TARGET_ARCH must be amd64 or arm64"
  exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 # Add code signing private key to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
    # write private key to disk and then import it keychain
    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
    # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error 
    # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true 
    exitcode=$?
    if [ -n "$out" ]; then
      if [ $exitcode -eq 0 ]; then
          echo "$out"
      else
          if [ "$out" != "${SEC_DUP_MSG}" ]; then
              echo "$out" >&2
              exit $exitcode
          fi
      fi
    fi
    rm ${CODE_SIGN_PRIV}
  fi
 fi
 # Add code signing certificate to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
  exitcode1=$?
  if [ -n "$out1" ]; then
    if [ $exitcode1 -eq 0 ]; then
        echo "$out1"
    else
        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
            echo "$out1" >&2
            exit $exitcode1
        else 
            echo "already imported code signing certificate"
        fi
    fi
  fi
  rm ${CODE_SIGN_CERT}
 fi
 # Add package signing private key to the key chain
 if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
    # write private key to disk and then import it into the keychain
    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
    exitcode2=$?
    if [ -n "$out2" ]; then
      if [ $exitcode2 -eq 0 ]; then
          echo "$out2"
      else
          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
              echo "$out2" >&2
              exit $exitcode2
          fi
      fi
    fi
    rm ${INSTALLER_PRIV}
  fi
 fi
 # Add package signing certificate to the key chain
 if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
  out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
  exitcode3=$?
  if [ -n "$out3" ]; then
    if [ $exitcode3 -eq 0 ]; then
        echo "$out3"
    else
        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
            echo "$out3" >&2
            exit $exitcode3
        else 
            echo "already imported installer certificate"
        fi
    fi
  fi
  rm ${INSTALLER_CERT}
 fi
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # cleanup the build directory because the previous execution might have failed without cleaning up.
 rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
 # notarize the binary
 # TODO: TUN-5789
 fi
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
 # creating build directory
 rm -rf $ARCH_TARGET_DIRECTORY
 mkdir -p "${ARCH_TARGET_DIRECTORY}"
 mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      # TODO: TUN-5789
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
--- a/.teamcity/package-windows.sh
+++ b/.teamcity/package-windows.sh
@ -1,16 +0,0 @@
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=built_artifacts/
 mkdir -p $ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    # Copy exe into final directory
    cp $ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $ARTIFACT_DIR/cloudflared-windows-$arch.msi
 done
--- a/.teamcity/windows/builds.ps1
+++ b/.teamcity/windows/builds.ps1
@ -1,28 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Relative path to working directory
 $CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
 cd $CloudflaredDirectory
 Write-Output "Building for amd64"
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 go env
 go version
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:CGO_ENABLED = 0
 $env:TARGET_ARCH = "386"
 make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 copy .\cloudflared.exe .\cloudflared-windows-386.exe
--- a/.teamcity/windows/component-test.ps1
+++ b/.teamcity/windows/component-test.ps1
@ -1,47 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $WorkingDirectory = Get-Location
 $CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
 go env
 go version
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 python --version
 python -m pip --version
 cd $CloudflaredDirectory
 go env
 go version
 Write-Output "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 echo $LASTEXITCODE
 Write-Output "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 & go test -failfast -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 Write-Output "Running component tests"
 python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt
 python component-tests/setup.py --type create
 python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
 if ($LASTEXITCODE -ne 0) {
    python component-tests/setup.py --type cleanup
    throw "Failed component tests"
 }
 python component-tests/setup.py --type cleanup
--- a/.teamcity/windows/install-cloudflare-go.ps1
+++ b/.teamcity/windows/install-cloudflare-go.ps1
@ -1,16 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 Write-Output "Downloading cloudflare go..."
 Set-Location "$Env:Temp"
 git clone -q https://github.com/cloudflare/go
 Write-Output "Building go..."
 cd go/src
 # https://github.com/cloudflare/go/tree/ec0a014545f180b0c74dfd687698657a9e86e310 is version go1.22.2-devel-cf
 git checkout -q ec0a014545f180b0c74dfd687698657a9e86e310
 & ./make.bat
 Write-Output "Installed"
--- a/.teamcity/windows/install-go-msi.ps1
+++ b/.teamcity/windows/install-go-msi.ps1
@ -1,20 +0,0 @@
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $GoMsiVersion = "go1.22.2.windows-amd64.msi"
 Write-Output "Downloading go installer..."
 Set-Location "$Env:Temp"
 (New-Object System.Net.WebClient).DownloadFile(
    "https://go.dev/dl/$GoMsiVersion",
    "$Env:Temp\$GoMsiVersion"
 )
 Write-Output "Installing go..."
 Install-Package "$Env:Temp\$GoMsiVersion" -Force
 # Go installer updates global $PATH
 go env
 Write-Output "Installed"
--- a/.vulnignore
+++ b/.vulnignore
@ -0,0 +1,3 @@
 # Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
 # You can also add comments on the same line after the ID.
 GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,3 +1,23 @@
 ## 2025.7.1
 ### Notices
 - `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
 ## 2025.1.1
 ### New Features
 - This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.
 ## 2024.12.2
 ### New Features
 - This release introduces the ability to collect troubleshooting information from one instance of cloudflared running on the local machine. The command can be executed as `cloudflared tunnel diag`.
 ## 2024.12.1
 ### Notices
 - The use of the `--metrics` is still honoured meaning that if this flag is set the metrics server will try to bind it, however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case of all ports being unavailable then the fallback is to bind to a random port.
 ## 2024.10.0
 ### Bug Fixes
 - We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
 ## 2024.2.1
 ### Notices
 - Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
--- a/25
+++ b/25
@ -1,32 +1,37 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.22.2 as builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+  CGO_ENABLED=0 \
-    TARGET_GOOS=${TARGET_GOOS} \
+  TARGET_GOOS=${TARGET_GOOS} \
-    TARGET_GOARCH=${TARGET_GOARCH}
+  TARGET_GOARCH=${TARGET_GOARCH} \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
-RUN PATH="/tmp/go/bin:$PATH" make cloudflared
+RUN make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot
+FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -1,28 +1,32 @@
 # use a builder image for building cloudflare
-FROM golang:1.22.2 as builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0
+  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1 
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
-RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
+RUN GOOS=linux GOARCH=amd64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot
+FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -1,28 +1,32 @@
 # use a builder image for building cloudflare
-FROM golang:1.22.2 as builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0
+  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
-RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
+RUN GOOS=linux GOARCH=arm64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot-arm64
+FROM gcr.io/distroless/base-debian12:nonroot-arm64
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/109
+++ b/109
@ -24,12 +24,22 @@ else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
-DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
+# Use git in windows since we don't have access to the `date` tool
 ifeq ($(TARGET_OS), windows)
 	DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
 else
 	DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
 endif
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif
 ifdef CONTAINER_BUILD
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
 endif
 LINK_FLAGS :=
 ifeq ($(FIPS), true)
 	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
@ -52,8 +62,6 @@ PACKAGE_DIR    := $(CURDIR)/packaging
 PREFIX         := /usr
 INSTALL_BINDIR := $(PREFIX)/bin/
 INSTALL_MANDIR := $(PREFIX)/share/man/man1/
 CF_GO_PATH     := /tmp/go
 PATH           := $(CF_GO_PATH)/bin:$(PATH)
 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
@ -62,6 +70,8 @@ else ifeq ($(LOCAL_ARCH),x86_64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),amd64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),386)
    TARGET_ARCH ?= 386
 else ifeq ($(LOCAL_ARCH),i686)
    TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
@ -118,6 +128,8 @@ endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 GO_TEST_LOG_OUTPUT = /tmp/gotest.log
 .PHONY: all
 all: cloudflared test
@ -125,15 +137,17 @@ all: cloudflared test
 clean:
 	go clean
 .PHONY: vulncheck
 vulncheck:
 	@./.ci/scripts/vuln-check.sh
 .PHONY: cloudflared
 cloudflared:
 ifeq ($(FIPS), true)
 	$(info Building cloudflared with go-fips)
 	cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
 endif
 	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
 ifeq ($(FIPS), true)
 	rm -f cmd/cloudflared/fips.go
 	./check-fips.sh cloudflared
 endif
@ -148,11 +162,9 @@ generate-docker-version:
 .PHONY: test
 test: vet
-ifndef CI
+	$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
-	go test -v -mod=vendor -race $(LDFLAGS) ./...
+ifneq ($(FIPS), true)
-else
+	@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
 	@mkdir -p .cover
 	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
 endif
 .PHONY: cover
@ -165,23 +177,22 @@ cover:
 	# Generate the HTML report that can be viewed from the browser in CI.
 	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
-.PHONY: test-ssh-server
+.PHONY: fuzz
-test-ssh-server:
+fuzz:
-	docker-compose -f ssh_server_tests/docker-compose.yml up
+	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
-
+	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
-.PHONY: install-go
+	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
-install-go:
+	@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
-	rm -rf ${CF_GO_PATH}
+	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
-	./.teamcity/install-cloudflare-go.sh
+	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
-
+	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
-.PHONY: cleanup-go
+	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
-cleanup-go:
+	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
 	rm -rf ${CF_GO_PATH}
 cloudflared.1: cloudflared_man_template
 	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
-install: install-go cloudflared cloudflared.1 cleanup-go
+install: cloudflared cloudflared.1
 	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
 	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
 	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
@ -210,23 +221,28 @@ cloudflared-deb: cloudflared cloudflared.1
 cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)
 .PHONY: cloudflared-pkg
 cloudflared-pkg: cloudflared cloudflared.1
 	$(call build_package,osxpkg)
 .PHONY: cloudflared-msi
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
 .PHONY: github-release-dryrun
 github-release-dryrun:
 	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run
 .PHONY: github-release
 github-release:
-	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
+	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
 	python3 github_message.py --release-version $(VERSION)
 .PHONY: r2-linux-release
 r2-linux-release:
 	python3 ./release_pkgs.py
 .PHONY: r2-next-linux-release
 # Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
 r2-next-linux-release:
 	python3 ./release_pkgs.py --upload-repo-file
 .PHONY: capnp
 capnp:
 	which capnp  # https://capnproto.org/install.html
@ -235,8 +251,41 @@ capnp:
 .PHONY: vet
 vet:
-	go vet -mod=vendor github.com/cloudflare/cloudflared/...
+	$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...
 .PHONY: fmt
 fmt:
-	goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
+	@goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
 	@go fmt $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
 .PHONY: fmt-check
 fmt-check:
 	@./.ci/scripts/fmt-check.sh
 .PHONY: lint
 lint:
 	@golangci-lint run
 .PHONY: mocks
 mocks:
 	go generate mocks/mockgen.go
 .PHONY: ci-build
 ci-build:
 	@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-fips-build
 ci-fips-build:
 	@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-test
 ci-test: fmt-check lint test
 	@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
 .PHONY: ci-fips-test
 ci-fips-test:
 	@FIPS=true $(MAKE) ci-test
--- a/README.md
+++ b/README.md
@ -3,14 +3,14 @@
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
-Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
-You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
@ -19,40 +19,64 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
-1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
+1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
-2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
+2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
 ## Installing `cloudflared`
 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
-* To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
+* To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
-User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
 ## Creating Tunnels and routing traffic
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
 * Route traffic to that Tunnel:
-  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
-  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
-  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
 ## TryCloudflare
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
 ## Deprecated versions
-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
 ## Development
 ### Requirements
 - [GNU Make](https://www.gnu.org/software/make/)
 - [capnp](https://capnproto.org/install.html)
 - [go >= 1.24](https://go.dev/doc/install)
 - Optional tools:
  - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
  - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
  - [golangci-lint](https://github.com/golangci/golangci-lint)
  - [gomocks](https://pkg.go.dev/go.uber.org/mock)
 ### Build
 To build cloudflared locally run `make cloudflared`
 ### Test
 To locally run the tests run `make test`
 ### Linting
 To format the code and keep a good code quality use `make fmt` and `make lint`
 ### Mocks
 After changes on interfaces you might need to regenerate the mocks, so run `make mock`
--- a/239
+++ b/239
@ -1,5 +1,240 @@
-2024.8.0
+2025.11.1
- 2024-08-01 TUN-8546: remove call to non existant make target
+- 2025-11-07 TUN-9800: Fix docker hub push step
 2025.11.0
 - 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
 - 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
 - 2025-11-04 chore: Update cloudflared signing key name in index.html
 - 2025-10-31 chore: add claude review
 - 2025-10-31 Chore: Update documentation links in README
 - 2025-10-31 TUN-9800: Add pipelines for linux packaging
 2025.10.1
 - 2025-10-30 chore: Update ci image to use goboring 1.24.9
 - 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
 - 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
 - 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
 - 2025-10-23 Fix systemd service installation hanging
 - 2025-10-21 TUN-9941: Use new GPG key for RPM builds
 - 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
 - 2025-10-21 TUN-9941: Lookup correct key for RPM signature
 - 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
 - 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
 2025.10.0
 - 2025-10-14 chore: Fix upload of RPM repo file during double signing
 - 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
 - 2025-10-10 chore: Fix import of GPG keys when two keys are provided
 - 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
 - 2025-10-10 TUN-9883: Add new datagram v3 feature flag
 - 2025-10-09 chore: Force usage of go-boring 1.24
 - 2025-10-08 TUN-9882: Improve metrics for datagram v3
 - 2025-10-07 GRC-16749: Add fedramp tags to catalog
 - 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
 - 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
 - 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
 - 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
 2025.9.1
 - 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
 - 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
 2025.9.0
 - 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
 - 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
 - 2025-09-04 TUN-9803: Add windows builds to gitlab-ci
 - 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
 2025.8.1
 - 2025-08-19 AUTH-7480 update fed callback url for login helper
 - 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers
 - 2025-08-12 AUTH-7260: Add support for login interstitial auto closure
 2025.8.0
 - 2025-08-07 vuln: Fix GO-2025-3770 vulnerability
 - 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command
 - 2025-07-07 TUN-9542: Remove unsupported Debian-based releases
 2025.7.0
 - 2025-07-03 TUN-9540: Use numeric user id for Dockerfiles
 - 2025-07-01 TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences
 - 2025-07-01 TUN-9531: Bump go-boring from 1.24.2 to 1.24.4
 - 2025-07-01 TUN-9511: Add metrics for virtual DNS origin
 - 2025-06-30 TUN-9470: Add OriginDialerService to include TCP
 - 2025-06-30 TUN-9473: Add --dns-resolver-addrs flag
 - 2025-06-27 TUN-9472: Add virtual DNS service
 - 2025-06-23 TUN-9469: Centralize UDP origin proxy dialing as ingress service
 2025.6.1
 - 2025-06-16 TUN-9467: add vulncheck to cloudflared
 - 2025-06-16 TUN-9495: Remove references to cloudflare-go
 - 2025-06-16 TUN-9371: Add logging format as JSON
 - 2025-06-12 TUN-9467: bump coredns to solve CVE
 2025.6.0
 - 2025-06-06 TUN-9016: update go to 1.24
 - 2025-06-05 TUN-9171: Use `is_default_network` instead of `is_default` to create vnet's
 2025.5.0
 - 2025-05-14 TUN-9319: Add dynamic loading of features to connections via ConnectionOptionsSnapshot
 - 2025-05-13 TUN-9322: Add metric for unsupported RPC commands for datagram v3
 - 2025-05-07 TUN-9291: Remove dynamic reloading of features for datagram v3
 2025.4.2
 - 2025-04-30 chore: Do not use gitlab merge request pipelines
 - 2025-04-30 DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds
 - 2025-04-24 TUN-9255: Improve flush on write conditions in http2 tunnel type to match what is done on the edge
 - 2025-04-10 SDLC-3727 - Adding FIPS status to backstage
 2025.4.0
 - 2025-04-02 Fix broken links in `cmd/cloudflared/*.go` related to running tunnel as a service
 - 2025-04-02 chore: remove repetitive words
 - 2025-04-01 Fix messages to point to one.dash.cloudflare.com
 - 2025-04-01 feat: emit explicit errors for the `service` command on unsupported OSes
 - 2025-04-01 Use RELEASE_NOTES date instead of build date
 - 2025-04-01 chore: Update tunnel configuration link in the readme
 - 2025-04-01 fix: expand home directory for credentials file
 - 2025-04-01 fix: Use path and filepath operation appropriately
 - 2025-04-01 feat: Adds a new command line for tunnel run for token file
 - 2025-04-01 chore: fix linter rules
 - 2025-03-17 TUN-9101: Don't ignore errors on `cloudflared access ssh`
 - 2025-03-06 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23
 2025.2.1
 - 2025-02-26 TUN-9016: update base-debian to v12
 - 2025-02-25 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint
 - 2025-02-25 TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field
 - 2025-02-13 SDLC-3762: Remove backstage.io/source-location from catalog-info.yaml
 - 2025-02-06 TUN-8914: Create a flags module to group all cloudflared cli flags
 2025.2.0
 - 2025-02-03 TUN-8914: Add a new configuration to locally override the max-active-flows
 - 2025-02-03 Bump x/crypto to 0.31.0
 2025.1.1
 - 2025-01-30 TUN-8858: update go to 1.22.10 and include quic-go FIPS changes
 - 2025-01-30 TUN-8855: fix lint issues
 - 2025-01-30 TUN-8855: Update PQ curve preferences
 - 2025-01-30 TUN-8857: remove restriction for using FIPS and PQ
 - 2025-01-30 TUN-8894: report FIPS+PQ error to Sentry when dialling to the edge
 - 2025-01-22 TUN-8904: Rename Connect Response Flow Rate Limited metadata
 - 2025-01-21 AUTH-6633 Fix cloudflared access login + warp as auth
 - 2025-01-20 TUN-8861: Add session limiter to UDP session manager
 - 2025-01-20 TUN-8861: Rename Session Limiter to Flow Limiter
 - 2025-01-17 TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline
 - 2025-01-17 TUN-8871: Accept login flag to authenticate with Fedramp environment
 - 2025-01-16 TUN-8866: Add linter to cloudflared repository
 - 2025-01-14 TUN-8861: Add session limiter to TCP session manager
 - 2025-01-13 TUN-8861: Add configuration for active sessions limiter
 - 2025-01-09 TUN-8848: Don't treat connection shutdown as an error condition when RPC server is done
 2025.1.0
 - 2025-01-06 TUN-8842: Add Ubuntu Noble and 'any' debian distributions to release script
 - 2025-01-06 TUN-8807: Add support_datagram_v3 to remote feature rollout
 - 2024-12-20 TUN-8829: add CONTAINER_BUILD to dockerfiles
 2024.12.2
 - 2024-12-19 TUN-8822: Prevent concurrent usage of ICMPDecoder
 - 2024-12-18 TUN-8818: update changes document to reflect newly added diag subcommand
 - 2024-12-17 TUN-8817: Increase close session channel by one since there are two writers
 - 2024-12-13 TUN-8797: update CHANGES.md with note about semi-deterministic approach used to bind metrics server
 - 2024-12-13 TUN-8724: Add CLI command for diagnostic procedure
 - 2024-12-11 TUN-8786: calculate cli flags once for the diagnostic procedure
 - 2024-12-11 TUN-8792: Make diag/system endpoint always return a JSON
 - 2024-12-10 TUN-8783: fix log collectors for the diagnostic procedure
 - 2024-12-10 TUN-8785: include the icmp sources in the diag's tunnel state
 - 2024-12-10 TUN-8784: Set JSON encoder options to print formatted JSON when writing diag files
 2024.12.1
 - 2024-12-10 TUN-8795: update createrepo to createrepo_c to fix the release_pkgs.py script
 2024.12.0
 - 2024-12-09 TUN-8640: Add ICMP support for datagram V3
 - 2024-12-09 TUN-8789: make python package installation consistent
 - 2024-12-06 TUN-8781: Add Trixie, drop Buster. Default to Bookworm
 - 2024-12-05 TUN-8775: Make sure the session Close can only be called once
 - 2024-12-04 TUN-8725: implement diagnostic procedure
 - 2024-12-04 TUN-8767: include raw output from network collector in diagnostic zipfile
 - 2024-12-04 TUN-8770: add cli configuration and tunnel configuration to diagnostic zipfile
 - 2024-12-04 TUN-8768: add job report to diagnostic zipfile
 - 2024-12-03 TUN-8726: implement compression routine to be used in diagnostic procedure
 - 2024-12-03 TUN-8732: implement port selection algorithm
 - 2024-12-03 TUN-8762: fix argument order when invoking tracert and modify network info output parsing.
 - 2024-12-03 TUN-8769: fix k8s log collector arguments
 - 2024-12-03 TUN-8727: extend client to include function to get cli configuration and tunnel configuration
 - 2024-11-29 TUN-8729: implement network collection for diagnostic procedure
 - 2024-11-29 TUN-8727: implement metrics, runtime, system, and tunnelstate in diagnostic http client
 - 2024-11-27 TUN-8733: add log collection for docker
 - 2024-11-27 TUN-8734: add log collection for kubernetes
 - 2024-11-27 TUN-8640: Refactor ICMPRouter to support new ICMPResponders
 - 2024-11-26 TUN-8735: add managed/local log collection
 - 2024-11-25 TUN-8728: implement diag/tunnel endpoint
 - 2024-11-25 TUN-8730: implement diag/configuration
 - 2024-11-22 TUN-8737: update metrics server port selection
 - 2024-11-22 TUN-8731: Implement diag/system endpoint
 - 2024-11-21 TUN-8748: Migrated datagram V3 flows to use migrated context
 2024.11.1
 - 2024-11-18 Add cloudflared tunnel ready command
 - 2024-11-14 Make metrics a requirement for tunnel ready command
 - 2024-11-12 TUN-8701:  Simplify flow registration logs for datagram v3
 - 2024-11-11 add: new go-fuzz targets
 - 2024-11-07 TUN-8701: Add metrics and adjust logs for datagram v3
 - 2024-11-06 TUN-8709: Add session migration for datagram v3
 - 2024-11-04 Fixed 404 in README.md to TryCloudflare
 - 2024-09-24 Update semgrep.yml
 2024.11.0
 - 2024-11-05 VULN-66059: remove ssh server tests
 - 2024-11-04 TUN-8700: Add datagram v3 muxer
 - 2024-11-04 TUN-8646: Allow experimental feature support for datagram v3
 - 2024-11-04 TUN-8641: Expose methods to simplify V3 Datagram parsing on the edge
 - 2024-10-31 TUN-8708: Bump python min version to 3.10
 - 2024-10-31 TUN-8667: Add datagram v3 session manager
 - 2024-10-25 TUN-8692: remove dashes from session id
 - 2024-10-24 TUN-8694: Rework release script
 - 2024-10-24 TUN-8661: Refactor connection methods to support future different datagram muxing methods
 - 2024-07-22 TUN-8553: Bump go to 1.22.5 and go-boring 1.22.5-1
 2024.10.1
 - 2024-10-23 TUN-8694: Fix github release script
 - 2024-10-21 Revert "TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport"
 - 2024-10-18 TUN-8688: Correct UDP bind for IPv6 edge connectivity on macOS
 - 2024-10-17 TUN-8685: Bump coredns dependency
 - 2024-10-16 TUN-8638: Add datagram v3 serializers and deserializers
 - 2024-10-15 chore: Remove h2mux code
 - 2024-10-11 TUN-8631: Abort release on version mismatch
 2024.10.0
 - 2024-10-01 TUN-8646: Add datagram v3 support feature flag
 - 2024-09-30 TUN-8621: Fix cloudflared version in change notes to account for release date
 - 2024-09-19 Adding semgrep yaml file
 - 2024-09-12 TUN-8632: Delay checking auto-update by the provided frequency
 - 2024-09-11 TUN-8630: Check checksum of downloaded binary to compare to current for auto-updating
 - 2024-09-09 TUN-8629: Cloudflared update on Windows requires running it twice to update
 - 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
 - 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
 - 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
 - 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
 2024.9.1
 - 2024-09-10 Revert Release 2024.9.0
 2024.9.0
 - 2024-09-10 TUN-8621: Fix cloudflared version in change notes.
 - 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
 - 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
 - 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
 - 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
 2024.8.3
 - 2024-08-15 TUN-8591 login command without extra text
 - 2024-03-25 remove code that will not be executed
 - 2024-03-25 remove code that will not be executed
 2024.8.2
 - 2024-08-05 TUN-8583: change final directory of artifacts
 - 2024-08-05 TUN-8585: Avoid creating GH client when dry-run is true
 2024.7.3
 - 2024-07-31 TUN-8546: Fix final artifacts paths
--- a/build-packages.sh
+++ b/build-packages.sh
@ -1,48 +0,0 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=built_artifacts/
 mkdir -p $ARTIFACT_DIR
 linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
 export TARGET_OS=linux
 for arch in ${linuxArchs[@]}; do
    unset TARGET_ARM
    export TARGET_ARCH=$arch
    ## Support for arm platforms without hardware FPU enabled
    if [[ $arch == arm ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=5
    fi
    ## Support for armhf builds 
    if [[ $arch == armhf ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=7 
    fi
    make cloudflared-deb
    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
    # rpm packages invert the - and _ and use x86_64 instead of amd64.
    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
    RPMARCH=$arch
    if [ $arch == "amd64" ];then
        RPMARCH="x86_64"
    fi
    if [ $arch == "arm64" ]; then
        RPMARCH="aarch64"
    fi
    make cloudflared-rpm
    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
    # finally move the linux binary as well.
    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -26,11 +26,13 @@ const (
 )
 type StartOptions struct {
-	AppInfo         *token.AppInfo
+	AppInfo               *token.AppInfo
-	OriginURL       string
+	OriginURL             string
-	Headers         http.Header
+	Headers               http.Header
-	Host            string
+	Host                  string
-	TLSClientConfig *tls.Config
+	TLSClientConfig       *tls.Config
 	AutoCloseInterstitial bool
 	IsFedramp             bool
 }
 // Connection wraps up all the needed functions to forward over the tunnel
@ -46,7 +48,6 @@ type StdinoutStream struct{}
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
 	return os.Stdin.Read(p)
 }
 // Write will write to Stdout
@ -139,7 +140,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 		return nil, err
 	}
-	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
+	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)
 	if err != nil {
 		return nil, err
 	}
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -4,7 +4,6 @@ metadata:
  name: cloudflared
  description: Client for Cloudflare Tunnels
  annotations:
    backstage.io/source-location: url:https://bitbucket.cfdata.org/projects/TUN/repos/cloudflared/browse
    cloudflare.com/software-excellence-opt-in: "true"
    cloudflare.com/jira-project-key: "TUN"
    cloudflare.com/jira-project-component: "Cloudflare Tunnel"
@ -14,3 +13,8 @@ spec:
  type: "service"
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
  cf:
    compliance:
      fedramp-high: "pending"
      fedramp-moderate: "yes"
    FIPS: "required"
--- a/cfapi/virtual_network.go
+++ b/cfapi/virtual_network.go
@ -16,7 +16,7 @@ import (
 type NewVirtualNetwork struct {
 	Name      string `json:"name"`
 	Comment   string `json:"comment"`
-	IsDefault bool   `json:"is_default"`
+	IsDefault bool   `json:"is_default_network"`
 }
 type VirtualNetwork struct {
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,236 +1,2 @@
-pinned_go: &pinned_go go-boring=1.22.2-1
+# A valid cfsetup.yaml is required but we dont have any real config to specify
-
+dummy_key: true
 build_dir: &build_dir /cfsetup_build
 default-flavor: bullseye
 buster: &buster
  build-linux:
    build_dir: *build_dir
    builddeps: &build_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
    pre-cache: &build_pre_cache
      - export GOCACHE=/cfsetup_build/.cache/go-build
      - go install golang.org/x/tools/cmd/goimports@latest
    post-cache:
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  build-linux-fips:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - export FIPS=true
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  cover:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
     - make cover
  # except FIPS and macos 
  build-linux-release:
    build_dir: *build_dir
    builddeps: &build_deps_release
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - python3-dev
      - python3-pip
      - python3-setuptools
      - wget
    pre-cache: &build_release_pre_cache
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
      - pip3 install boto3==1.22.9
      - pip3 install python-gnupg==0.4.9
    post-cache:
      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
  # handle FIPS separately so that we built with gofips compiler
  build-linux-fips-release:
    build_dir: *build_dir
    builddeps: *build_deps_release
    pre-cache: *build_release_pre_cache
    post-cache:
      # same logic as above, but for FIPS packages only
      - ./build-packages-fips.sh
  generate-versions-file:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
      - make generate-docker-version
  build-deb:
    build_dir: *build_dir
    builddeps: &build_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-deb
  build-fips-internal-deb:
    build_dir: *build_dir
    builddeps: &build_fips_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-amd64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export NIGHTLY=true
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-arm64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export NIGHTLY=true
      #- export FIPS=true # TUN-7595
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
    builddeps: *build_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
  package-windows:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
    pre-cache:
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
    post-cache:
      - .teamcity/package-windows.sh
  test:
    build_dir: *build_dir
    builddeps: &build_deps_tests
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - gotest-to-teamcity
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export PATH="$HOME/go/bin:$PATH"
      - ./fmt-check.sh
      - make test | gotest-to-teamcity
  test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_tests
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export PATH="$HOME/go/bin:$PATH"
      - ./fmt-check.sh
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
    builddeps: &build_deps_component_test
      - *pinned_go
      - python3.7
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service because the init script
      # uses ps pid to determine if the agent is running
      - procps
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    pre-cache: &component_test_pre_cache
      - sudo pip3 install --upgrade -r component-tests/requirements.txt
    post-cache: &component_test_post_cache
      # Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
      - python3 component-tests/setup.py --type create
      - pytest component-tests -o log_cli=true --log-cli-level=INFO
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
  component-test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_component_test
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    pre-cache: *component_test_pre_cache
    post-cache: *component_test_post_cache
  github-release:
    build_dir: *build_dir
    builddeps: 
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
    pre-cache:
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
    post-cache:
      - make github-release
  r2-linux-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - reprepro
      - createrepo
    pre-cache:
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
      - pip3 install boto3==1.22.9
      - pip3 install python-gnupg==0.4.9
    post-cache:
      - make r2-linux-release
 bullseye: *buster
 bookworm: *buster
--- a/client/config.go
+++ b/client/config.go
@ -0,0 +1,74 @@
 package client
 import (
 	"fmt"
 	"net"
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // Config captures the local client runtime configuration.
 type Config struct {
 	ConnectorID uuid.UUID
 	Version     string
 	Arch        string
 	featureSelector features.FeatureSelector
 }
 func NewConfig(version string, arch string, featureSelector features.FeatureSelector) (*Config, error) {
 	connectorID, err := uuid.NewRandom()
 	if err != nil {
 		return nil, fmt.Errorf("unable to generate a connector UUID: %w", err)
 	}
 	return &Config{
 		ConnectorID:     connectorID,
 		Version:         version,
 		Arch:            arch,
 		featureSelector: featureSelector,
 	}, nil
 }
 // ConnectionOptionsSnapshot is a snapshot of the current client information used to initialize a connection.
 //
 // The FeatureSnapshot is the features that are available for this connection. At the client level they may
 // change, but they will not change within the scope of this struct.
 type ConnectionOptionsSnapshot struct {
 	client              pogs.ClientInfo
 	originLocalIP       net.IP
 	numPreviousAttempts uint8
 	FeatureSnapshot     features.FeatureSnapshot
 }
 func (c *Config) ConnectionOptionsSnapshot(originIP net.IP, previousAttempts uint8) *ConnectionOptionsSnapshot {
 	snapshot := c.featureSelector.Snapshot()
 	return &ConnectionOptionsSnapshot{
 		client: pogs.ClientInfo{
 			ClientID: c.ConnectorID[:],
 			Version:  c.Version,
 			Arch:     c.Arch,
 			Features: snapshot.FeaturesList,
 		},
 		originLocalIP:       originIP,
 		numPreviousAttempts: previousAttempts,
 		FeatureSnapshot:     snapshot,
 	}
 }
 func (c ConnectionOptionsSnapshot) ConnectionOptions() *pogs.ConnectionOptions {
 	return &pogs.ConnectionOptions{
 		Client:              c.client,
 		OriginLocalIP:       c.originLocalIP,
 		ReplaceExisting:     false,
 		CompressionQuality:  0,
 		NumPreviousAttempts: c.numPreviousAttempts,
 	}
 }
 func (c ConnectionOptionsSnapshot) LogFields(event *zerolog.Event) *zerolog.Event {
 	return event.Strs("features", c.client.Features)
 }
--- a/client/config_test.go
+++ b/client/config_test.go
@ -0,0 +1,50 @@
 package client
 import (
 	"net"
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/features"
 )
 func TestGenerateConnectionOptions(t *testing.T) {
 	version := "1234"
 	arch := "linux_amd64"
 	originIP := net.ParseIP("192.168.1.1")
 	var previousAttempts uint8 = 4
 	config, err := NewConfig(version, arch, &mockFeatureSelector{})
 	require.NoError(t, err)
 	require.Equal(t, version, config.Version)
 	require.Equal(t, arch, config.Arch)
 	// Validate ConnectionOptionsSnapshot fields
 	connOptions := config.ConnectionOptionsSnapshot(originIP, previousAttempts)
 	require.Equal(t, version, connOptions.client.Version)
 	require.Equal(t, arch, connOptions.client.Arch)
 	require.Equal(t, config.ConnectorID[:], connOptions.client.ClientID)
 	// Vaidate snapshot feature fields against the connOptions generated
 	snapshot := config.featureSelector.Snapshot()
 	require.Equal(t, features.DatagramV3, snapshot.DatagramVersion)
 	require.Equal(t, features.DatagramV3, connOptions.FeatureSnapshot.DatagramVersion)
 	pogsConnOptions := connOptions.ConnectionOptions()
 	require.Equal(t, connOptions.client, pogsConnOptions.Client)
 	require.Equal(t, originIP, pogsConnOptions.OriginLocalIP)
 	require.False(t, pogsConnOptions.ReplaceExisting)
 	require.Equal(t, uint8(0), pogsConnOptions.CompressionQuality)
 	require.Equal(t, previousAttempts, pogsConnOptions.NumPreviousAttempts)
 }
 type mockFeatureSelector struct{}
 func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
 	return features.FeatureSnapshot{
 		PostQuantum:     features.PostQuantumPrefer,
 		DatagramVersion: features.DatagramV3,
 		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
 	}
 }
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -47,6 +47,7 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
 		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
 		IsFedramp: forwarder.IsFedramp,
 	}
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
@ -92,6 +93,7 @@ func ssh(c *cli.Context) error {
 		OriginURL: url.String(),
 		Headers:   headers,
 		Host:      url.Host,
 		IsFedramp: c.Bool(fedrampFlag),
 	}
 	if connectTo := c.String(sshConnectTo); connectTo != "" {
@ -104,7 +106,7 @@ func ssh(c *cli.Context) error {
 		case 3:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
 			options.TLSClientConfig = &tls.Config{
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: true, // #nosec G402
 				ServerName:         parts[0],
 			}
 			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
@ -141,6 +143,5 @@ func ssh(c *cli.Context) error {
 		logger := log.With().Str("host", url.Host).Logger()
 		s = stream.NewDebugStream(s, &logger, maxMessages)
 	}
-	carrier.StartClient(wsConn, s, options)
+	return carrier.StartClient(wsConn, s, options)
 	return nil
 }
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -19,6 +19,7 @@ import (
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/sshgen"
 	"github.com/cloudflare/cloudflared/token"
@ -26,6 +27,7 @@ import (
 )
 const (
 	appURLFlag         = "app"
 	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
@ -49,6 +51,7 @@ Host {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
 	fedrampFlag = "fedramp"
 )
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
@ -77,15 +80,20 @@ func Commands() []*cli.Command {
 			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
 			Flags: []cli.Flag{&cli.BoolFlag{
 				Name:  fedrampFlag,
 				Usage: "use when performing operations in fedramp account",
 			}},
 			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
 			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
 			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
 			applications from the command line.`,
 			Subcommands: []*cli.Command{
 				{
-					Name:   "login",
+					Name:      "login",
-					Action: cliutil.Action(login),
+					Action:    cliutil.Action(login),
-					Usage:  "login <url of access application>",
+					Usage:     "login <url of access application>",
 					ArgsUsage: "url of Access application",
 					Description: `The login subcommand initiates an authentication flow with your identity provider.
 					The subcommand will launch a browser. For headless systems, a url is provided.
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
@ -97,6 +105,17 @@ func Commands() []*cli.Command {
 							Aliases: []string{"q"},
 							Usage:   "do not print the jwt to the command line",
 						},
 						&cli.BoolFlag{
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
 						&cli.BoolFlag{
 							Name:  "auto-close",
 							Usage: "automatically close the auth interstitial after action",
 						},
 						&cli.StringFlag{
 							Name: appURLFlag,
 						},
 					},
 				},
 				{
@ -111,12 +130,12 @@ func Commands() []*cli.Command {
 				{
 					Name:        "token",
 					Action:      cliutil.Action(generateToken),
-					Usage:       "token -app=<url of access application>",
+					Usage:       "token <url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name: "app",
+							Name: appURLFlag,
 						},
 					},
 				},
@ -163,15 +182,15 @@ func Commands() []*cli.Command {
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
 						},
 						&cli.StringFlag{
-							Name:  logger.LogFileFlag,
+							Name:  cfdflags.LogFile,
 							Usage: "Save application log to this file for reporting issues.",
 						},
 						&cli.StringFlag{
-							Name:  logger.LogSSHDirectoryFlag,
+							Name:  cfdflags.LogDirectory,
 							Usage: "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
-							Name:    logger.LogSSHLevelFlag,
+							Name:    cfdflags.LogLevelSSH,
 							Aliases: []string{"loglevel"}, //added to match the tunnel side
 							Usage:   "Application logging level {debug, info, warn, error, fatal}. ",
 						},
@ -232,9 +251,8 @@ func login(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
-	args := c.Args()
+	appURL, err := getAppURLFromArgs(c)
-	appURL, err := parseURL(args.First())
+	if err != nil {
 	if args.Len() < 1 || err != nil {
 		log.Error().Msg("Please provide the url of the Access application")
 		return err
 	}
@ -261,7 +279,14 @@ func login(c *cli.Context) error {
 	if c.Bool(loginQuietFlag) {
 		return nil
 	}
-	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
+
 	// Chatty by default for backward compat. The new --app flag
 	// is an implicit opt-out of the backwards-compatible chatty output.
 	if c.Bool("no-verbose") || c.IsSet(appURLFlag) {
 		fmt.Fprint(os.Stdout, cfdToken)
 	} else {
 		fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 	}
 	return nil
 }
@ -306,7 +331,7 @@ func curl(c *cli.Context) error {
 			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
 			return run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL, appInfo, log)
+		tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 		if err != nil {
 			log.Err(err).Msg("Failed to refresh token")
 			return err
@ -327,7 +352,7 @@ func run(cmd string, args ...string) error {
 		return err
 	}
 	go func() {
-		io.Copy(os.Stderr, stderr)
+		_, _ = io.Copy(os.Stderr, stderr)
 	}()
 	stdout, err := c.StdoutPipe()
@ -335,11 +360,22 @@ func run(cmd string, args ...string) error {
 		return err
 	}
 	go func() {
-		io.Copy(os.Stdout, stdout)
+		_, _ = io.Copy(os.Stdout, stdout)
 	}()
 	return c.Run()
 }
 func getAppURLFromArgs(c *cli.Context) (*url.URL, error) {
 	var appURLStr string
 	args := c.Args()
 	if args.Len() < 1 {
 		appURLStr = c.String(appURLFlag)
 	} else {
 		appURLStr = args.First()
 	}
 	return parseURL(appURLStr)
 }
 // token dumps provided token to stdout
 func generateToken(c *cli.Context) error {
 	err := sentry.Init(sentry.ClientOptions{
@ -349,8 +385,8 @@ func generateToken(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	appURL, err := parseURL(c.String("app"))
+	appURL, err := getAppURLFromArgs(c)
-	if err != nil || c.NumFlags() < 1 {
+	if err != nil {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
@ -415,7 +451,7 @@ func sshGen(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
+	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 	if err != nil {
 		return err
 	}
@ -505,7 +541,7 @@ func isFileThere(candidate string) bool {
 }
 // verifyTokenAtEdge checks for a token on disk, or generates a new one.
-// Then makes a request to to the origin with the token to ensure it is valid.
+// Then makes a request to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
 func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
 	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
@ -515,7 +551,7 @@ func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context,
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
-	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
+	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
--- a/cmd/cloudflared/cliutil/build_info.go
+++ b/cmd/cloudflared/cliutil/build_info.go
@ -1,7 +1,10 @@
 package cliutil
 import (
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"github.com/rs/zerolog"
@ -13,6 +16,7 @@ type BuildInfo struct {
 	GoArch             string `json:"go_arch"`
 	BuildType          string `json:"build_type"`
 	CloudflaredVersion string `json:"cloudflared_version"`
 	Checksum           string `json:"checksum"`
 }
 func GetBuildInfo(buildType, version string) *BuildInfo {
@ -22,11 +26,12 @@ func GetBuildInfo(buildType, version string) *BuildInfo {
 		GoArch:             runtime.GOARCH,
 		BuildType:          buildType,
 		CloudflaredVersion: version,
 		Checksum:           currentBinaryChecksum(),
 	}
 }
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
-	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
+	log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
 	if bi.BuildType != "" {
 		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
 	}
@ -51,3 +56,28 @@ func (bi *BuildInfo) GetBuildTypeMsg() string {
 func (bi *BuildInfo) UserAgent() string {
 	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
 }
 // FileChecksum opens a file and returns the SHA256 checksum.
 func FileChecksum(filePath string) (string, error) {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return "", err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return "", err
 	}
 	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }
 func currentBinaryChecksum() string {
 	currentPath, err := os.Executable()
 	if err != nil {
 		return ""
 	}
 	sum, _ := FileChecksum(currentPath)
 	return sum
 }
--- a/cmd/cloudflared/cliutil/logger.go
+++ b/cmd/cloudflared/cliutil/logger.go
@ -4,25 +4,32 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
-	"github.com/cloudflare/cloudflared/logger"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 )
 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 	FlagLogOutput = &cli.StringFlag{
 		Name:    flags.LogFormatOutput,
 		Usage:   "Output format for the logs (default, json)",
 		Value:   flags.LogFormatOutputValueDefault,
 		EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT", "TUNNEL_LOG_OUTPUT"},
 	}
 )
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogLevelFlag,
+			Name:    flags.LogLevel,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogTransportLevelFlag,
+			Name:    flags.TransportLogLevel,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
@ -30,22 +37,23 @@ func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogFileFlag,
+			Name:    flags.LogFile,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogDirectoryFlag,
+			Name:    flags.LogDirectory,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "trace-output",
+			Name:    flags.TraceOutput,
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 		FlagLogOutput,
 	}
 }
--- a/cmd/cloudflared/flags/flags.go
+++ b/cmd/cloudflared/flags/flags.go
@ -0,0 +1,169 @@
 package flags
 const (
 	// HaConnections specifies how many connections to make to the edge
 	HaConnections = "ha-connections"
 	// SshPort is the port on localhost the cloudflared ssh server will run on
 	SshPort = "local-ssh-port"
 	// SshIdleTimeout defines the duration a SSH session can remain idle before being closed
 	SshIdleTimeout = "ssh-idle-timeout"
 	// SshMaxTimeout defines the max duration a SSH session can remain open for
 	SshMaxTimeout = "ssh-max-timeout"
 	// SshLogUploaderBucketName is the bucket name to use for the SSH log uploader
 	SshLogUploaderBucketName = "bucket-name"
 	// SshLogUploaderRegionName is the AWS region name to use for the SSH log uploader
 	SshLogUploaderRegionName = "region-name"
 	// SshLogUploaderSecretID is the Secret id of SSH log uploader
 	SshLogUploaderSecretID = "secret-id"
 	// SshLogUploaderAccessKeyID is the Access key id of SSH log uploader
 	SshLogUploaderAccessKeyID = "access-key-id"
 	// SshLogUploaderSessionTokenID is the Session token of SSH log uploader
 	SshLogUploaderSessionTokenID = "session-token"
 	// SshLogUploaderS3URL is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
 	SshLogUploaderS3URL = "s3-url-host"
 	// HostKeyPath is the path of the dir to save SSH host keys too
 	HostKeyPath = "host-key-path"
 	// RpcTimeout is how long to wait for a Capnp RPC request to the edge
 	RpcTimeout = "rpc-timeout"
 	// WriteStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
 	WriteStreamTimeout = "write-stream-timeout"
 	// QuicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
 	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
 	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
 	QuicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
 	// QuicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
 	// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
 	// but it's blocked by flow control
 	QuicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
 	// QuicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
 	// it will send a STREAM_DATA_BLOCKED frame
 	QuicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
 	// Ui is to enable launching cloudflared in interactive UI mode
 	Ui = "ui"
 	// ConnectorLabel is the command line flag to give a meaningful label to a specific connector
 	ConnectorLabel = "label"
 	// MaxActiveFlows is the command line flag to set the maximum number of flows that cloudflared can be processing at the same time
 	MaxActiveFlows = "max-active-flows"
 	// Tag is the command line flag to set custom tags used to identify this tunnel via added HTTP request headers to the origin
 	Tag = "tag"
 	// Protocol is the command line flag to set the protocol to use to connect to the Cloudflare Edge
 	Protocol = "protocol"
 	// PostQuantum is the command line flag to force the connection to Cloudflare Edge to use Post Quantum cryptography
 	PostQuantum = "post-quantum"
 	// Features is the command line flag to opt into various features that are still being developed or tested
 	Features = "features"
 	// EdgeIpVersion is the command line flag to set the Cloudflare Edge IP address version to connect with
 	EdgeIpVersion = "edge-ip-version"
 	// EdgeBindAddress is the command line flag to bind to IP address for outgoing connections to Cloudflare Edge
 	EdgeBindAddress = "edge-bind-address"
 	// Force is the command line flag to specify if you wish to force an action
 	Force = "force"
 	// Edge is the command line flag to set the address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment
 	Edge = "edge"
 	// Region is the command line flag to set the Cloudflare Edge region to connect to
 	Region = "region"
 	// IsAutoUpdated is the command line flag to signal the new process that cloudflared has been autoupdated
 	IsAutoUpdated = "is-autoupdated"
 	// LBPool is the command line flag to set the name of the load balancing pool to add this origin to
 	LBPool = "lb-pool"
 	// Retries is the command line flag to set the maximum number of retries for connection/protocol errors
 	Retries = "retries"
 	// MaxEdgeAddrRetries is the command line flag to set the maximum number of times to retry on edge addrs before falling back to a lower protocol
 	MaxEdgeAddrRetries = "max-edge-addr-retries"
 	// GracePeriod is the command line flag to set the maximum amount of time that cloudflared waits to shut down if it is still serving requests
 	GracePeriod = "grace-period"
 	// ICMPV4Src is the command line flag to set the source address and the interface name to send/receive ICMPv4 messages
 	ICMPV4Src = "icmpv4-src"
 	// ICMPV6Src is the command line flag to set the source address and the interface name to send/receive ICMPv6 messages
 	ICMPV6Src = "icmpv6-src"
 	// ProxyDns is the command line flag to run DNS server over HTTPS
 	ProxyDns = "proxy-dns"
 	// Name is the command line to set the name of the tunnel
 	Name = "name"
 	// AutoUpdateFreq is the command line for setting the frequency that cloudflared checks for updates
 	AutoUpdateFreq = "autoupdate-freq"
 	// NoAutoUpdate is the command line flag to disable cloudflared from checking for updates
 	NoAutoUpdate = "no-autoupdate"
 	// LogLevel is the command line flag for the cloudflared logging level
 	LogLevel = "loglevel"
 	// LogLevelSSH is the command line flag for the cloudflared ssh logging level
 	LogLevelSSH = "log-level"
 	// TransportLogLevel is the command line flag for the transport logging level
 	TransportLogLevel = "transport-loglevel"
 	// LogFile is the command line flag to define the file where application logs will be stored
 	LogFile = "logfile"
 	// LogDirectory is the command line flag to define the directory where application logs will be stored.
 	LogDirectory = "log-directory"
 	// LogFormatOutput allows the command line logs to be output as JSON.
 	LogFormatOutput             = "output"
 	LogFormatOutputValueDefault = "default"
 	LogFormatOutputValueJSON    = "json"
 	// TraceOutput is the command line flag to set the name of trace output file
 	TraceOutput = "trace-output"
 	// OriginCert is the command line flag to define the path for the origin certificate used by cloudflared
 	OriginCert = "origincert"
 	// Metrics is the command line flag to define the address of the metrics server
 	Metrics = "metrics"
 	// MetricsUpdateFreq is the command line flag to define how frequently tunnel metrics are updated
 	MetricsUpdateFreq = "metrics-update-freq"
 	// ApiURL is the command line flag used to define the base URL of the API
 	ApiURL = "api-url"
 	// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.
 	VirtualDNSServiceResolverAddresses = "dns-resolver-addrs"
 	// Management hostname to signify incoming management requests
 	ManagementHostname = "management-hostname"
 	// Automatically close the login interstitial browser window after the user makes a decision.
 	AutoCloseInterstitial = "auto-close"
 )
--- a/cmd/cloudflared/generic_service.go
+++ b/cmd/cloudflared/generic_service.go
@ -3,11 +3,38 @@
 package main
 import (
 	"fmt"
 	"os"
 	cli "github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared system service (not supported on this operating system)",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
 				Usage:  "Install cloudflared as a system service (not supported on this operating system)",
 				Action: cliutil.ConfiguredAction(installGenericService),
 			},
 			{
 				Name:   "uninstall",
 				Usage:  "Uninstall the cloudflared service (not supported on this operating system)",
 				Action: cliutil.ConfiguredAction(uninstallGenericService),
 			},
 		},
 	})
 	app.Run(os.Args)
 }
 func installGenericService(c *cli.Context) error {
 	return fmt.Errorf("service installation is not supported on this operating system")
 }
 func uninstallGenericService(c *cli.Context) error {
 	return fmt.Errorf("service uninstallation is not supported on this operating system")
 }
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -4,6 +4,7 @@ package main
 import (
 	"fmt"
 	"io"
 	"os"
 	"github.com/rs/zerolog"
@ -15,7 +16,7 @@ import (
 	"github.com/cloudflare/cloudflared/logger"
 )
-func runApp(app *cli.App, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, _ chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared system service",
@ -35,7 +36,7 @@ func runApp(app *cli.App, graceShutdownC chan struct{}) {
 			},
 		},
 	})
-	app.Run(os.Args)
+	_ = app.Run(os.Args)
 }
 // The directory and files that are used by the service.
@ -59,7 +60,7 @@ After=network-online.target
 Wants=network-online.target
 [Service]
-TimeoutStartSec=0
+TimeoutStartSec=15
 Type=notify
 ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
@ -97,6 +98,7 @@ WantedBy=timers.target
 var sysvTemplate = ServiceTemplate{
 	Path:     "/etc/init.d/cloudflared",
 	FileMode: 0755,
 	// nolint: dupword
 	Content: `#!/bin/sh
 # For RedHat and cousins:
 # chkconfig: 2345 99 01
@ -184,13 +186,11 @@ exit 0
 `,
 }
-var (
+var noUpdateServiceFlag = &cli.BoolFlag{
-	noUpdateServiceFlag = &cli.BoolFlag{
+	Name:  "no-update-service",
-		Name:  "no-update-service",
+	Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
-		Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
+	Value: false,
-		Value: false,
+}
 	}
 )
 func isSystemd() bool {
 	if _, err := os.Stat("/run/systemd/system"); err == nil {
@ -430,3 +430,38 @@ func uninstallSysv(log *zerolog.Logger) error {
 	}
 	return nil
 }
 func ensureConfigDirExists(configDir string) error {
 	ok, err := config.FileExists(configDir)
 	if !ok && err == nil {
 		err = os.Mkdir(configDir, 0755)
 	}
 	return err
 }
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	destFile, err := os.Create(dest)
 	if err != nil {
 		return err
 	}
 	ok := false
 	defer func() {
 		destFile.Close()
 		if !ok {
 			_ = os.Remove(dest)
 		}
 	}()
 	if _, err := io.Copy(destFile, srcFile); err != nil {
 		return err
 	}
 	ok = true
 	return nil
 }
--- a/cmd/cloudflared/macos_service.go
+++ b/cmd/cloudflared/macos_service.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
@ -17,7 +18,7 @@ const (
 	launchdIdentifier = "com.cloudflare.cloudflared"
 )
-func runApp(app *cli.App, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, _ chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared launch agent",
@ -119,7 +120,7 @@ func installLaunchd(c *cli.Context) error {
 		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
 			"Note that cloudflared client will only run when the user is logged in. " +
 			"If you want to run cloudflared client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
+			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos/")
 	}
 	etPath, err := os.Executable()
 	if err != nil {
@ -207,3 +208,15 @@ func uninstallLaunchd(c *cli.Context) error {
 	}
 	return err
 }
 func userHomeDir() (string, error) {
 	// This returns the home dir of the executing user using OS-specific method
 	// for discovering the home dir. It's not recommended to call this function
 	// when the user has root permission as $HOME depends on what options the user
 	// use with sudo.
 	homeDir, err := homedir.Dir()
 	if err != nil {
 		return "", errors.Wrap(err, "Cannot determine home directory for the user")
 	}
 	return homeDir, nil
 }
--- a/cmd/cloudflared/main.go
+++ b/cmd/cloudflared/main.go
@ -2,19 +2,17 @@ package main
 import (
 	"fmt"
 	"math/rand"
 	"os"
 	"strings"
 	"time"
 	"github.com/getsentry/sentry-go"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"go.uber.org/automaxprocs/maxprocs"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
@ -52,10 +50,8 @@ var (
 func main() {
 	// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
 	os.Setenv("QUIC_GO_DISABLE_ECN", "1")
 	rand.Seed(time.Now().UnixNano())
 	metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
-	maxprocs.Set()
+	_, _ = maxprocs.Set()
 	bInfo := cliutil.GetBuildInfo(BuildType, Version)
 	// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
@ -91,7 +87,7 @@ func main() {
 	tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
 	access.Init(graceShutdownC, Version)
-	updater.Init(Version)
+	updater.Init(bInfo)
 	tracing.Init(Version)
 	token.Init(Version)
 	tail.Init(bInfo)
@ -110,7 +106,7 @@ func commands(version func(c *cli.Context)) []*cli.Command {
 					Usage: "specify if you wish to update to the latest beta version",
 				},
 				&cli.BoolFlag{
-					Name:   "force",
+					Name:   cfdflags.Force,
 					Usage:  "specify if you wish to force an upgrade to the latest version regardless of the current version",
 					Hidden: true,
 				},
@ -184,18 +180,6 @@ func action(graceShutdownC chan struct{}) cli.ActionFunc {
 	})
 }
 func userHomeDir() (string, error) {
 	// This returns the home dir of the executing user using OS-specific method
 	// for discovering the home dir. It's not recommended to call this function
 	// when the user has root permission as $HOME depends on what options the user
 	// use with sudo.
 	homeDir, err := homedir.Dir()
 	if err != nil {
 		return "", errors.Wrap(err, "Cannot determine home directory for the user")
 	}
 	return homeDir, nil
 }
 // In order to keep the amount of noise sent to Sentry low, typical network errors can be filtered out here by a substring match.
 func captureError(err error) {
 	errorMessage := err.Error()
--- a/cmd/cloudflared/service_template.go
+++ b/cmd/cloudflared/service_template.go
@ -1,18 +1,16 @@
 package main
 import (
 	"bufio"
 	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
-	"path"
+	"path/filepath"
 	"text/template"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/cloudflare/cloudflared/config"
 )
 type ServiceTemplate struct {
@ -44,7 +42,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		return err
 	}
 	if _, err = os.Stat(resolvedPath); err == nil {
-		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
+		return errors.New(serviceAlreadyExistsWarn(resolvedPath))
 	}
 	var buffer bytes.Buffer
@ -57,7 +55,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		fileMode = st.FileMode
 	}
-	plistFolder := path.Dir(resolvedPath)
+	plistFolder := filepath.Dir(resolvedPath)
 	err = os.MkdirAll(plistFolder, 0o755)
 	if err != nil {
 		return fmt.Errorf("error creating %s: %v", plistFolder, err)
@ -109,114 +107,3 @@ func runCommand(command string, args ...string) error {
 	}
 	return nil
 }
 func ensureConfigDirExists(configDir string) error {
 	ok, err := config.FileExists(configDir)
 	if !ok && err == nil {
 		err = os.Mkdir(configDir, 0755)
 	}
 	return err
 }
 // openFile opens the file at path. If create is set and the file exists, returns nil, true, nil
 func openFile(path string, create bool) (file *os.File, exists bool, err error) {
 	expandedPath, err := homedir.Expand(path)
 	if err != nil {
 		return nil, false, err
 	}
 	if create {
 		fileInfo, err := os.Stat(expandedPath)
 		if err == nil && fileInfo.Size() > 0 {
 			return nil, true, nil
 		}
 		file, err = os.OpenFile(expandedPath, os.O_RDWR|os.O_CREATE, 0600)
 	} else {
 		file, err = os.Open(expandedPath)
 	}
 	return file, false, err
 }
 func copyCredential(srcCredentialPath, destCredentialPath string) error {
 	destFile, exists, err := openFile(destCredentialPath, true)
 	if err != nil {
 		return err
 	} else if exists {
 		// credentials already exist, do nothing
 		return nil
 	}
 	defer destFile.Close()
 	srcFile, _, err := openFile(srcCredentialPath, false)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	// Copy certificate
 	_, err = io.Copy(destFile, srcFile)
 	if err != nil {
 		return fmt.Errorf("unable to copy %s to %s: %v", srcCredentialPath, destCredentialPath, err)
 	}
 	return nil
 }
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	destFile, err := os.Create(dest)
 	if err != nil {
 		return err
 	}
 	ok := false
 	defer func() {
 		destFile.Close()
 		if !ok {
 			_ = os.Remove(dest)
 		}
 	}()
 	if _, err := io.Copy(destFile, srcFile); err != nil {
 		return err
 	}
 	ok = true
 	return nil
 }
 func copyConfig(srcConfigPath, destConfigPath string) error {
 	// Copy or create config
 	destFile, exists, err := openFile(destConfigPath, true)
 	if err != nil {
 		return fmt.Errorf("cannot open %s with error: %s", destConfigPath, err)
 	} else if exists {
 		// config already exists, do nothing
 		return nil
 	}
 	defer destFile.Close()
 	srcFile, _, err := openFile(srcConfigPath, false)
 	if err != nil {
 		fmt.Println("Your service needs a config file that at least specifies the hostname option.")
 		fmt.Println("Type in a hostname now, or leave it blank and create the config file later.")
 		fmt.Print("Hostname: ")
 		reader := bufio.NewReader(os.Stdin)
 		input, _ := reader.ReadString('\n')
 		if input == "" {
 			return err
 		}
 		fmt.Fprintf(destFile, "hostname: %s\n", input)
 	} else {
 		defer srcFile.Close()
 		_, err = io.Copy(destFile, srcFile)
 		if err != nil {
 			return fmt.Errorf("unable to copy %s to %s: %v", srcConfigPath, destConfigPath, err)
 		}
 	}
 	return nil
 }
--- a/cmd/cloudflared/tail/cmd.go
+++ b/cmd/cloudflared/tail/cmd.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
@ -18,14 +19,12 @@ import (
 	"nhooyr.io/websocket"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
 )
-var (
+var buildInfo *cliutil.BuildInfo
 	buildInfo *cliutil.BuildInfo
 )
 func Init(bi *cliutil.BuildInfo) {
 	buildInfo = bi
@ -52,11 +51,12 @@ func buildTailManagementTokenSubcommand() *cli.Command {
 func managementTokenCommand(c *cli.Context) error {
 	log := createLogger(c)
 	token, err := getManagementToken(c, log)
 	if err != nil {
 		return err
 	}
-	var tokenResponse = struct {
+	tokenResponse := struct {
 		Token string `json:"token"`
 	}{Token: token}
@ -100,13 +100,7 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
-				Name:    "output",
+				Name:    cfdflags.ManagementHostname,
 				Usage:   "Output format for the logs (default, json)",
 				Value:   "default",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
 			},
 			&cli.StringFlag{
 				Name:    "management-hostname",
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
@ -119,17 +113,18 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				Value:  "",
 			},
 			&cli.StringFlag{
-				Name:    logger.LogLevelFlag,
+				Name:    cfdflags.LogLevel,
 				Value:   "info",
 				Usage:   "Application logging level {debug, info, warn, error, fatal}",
 				EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			},
 			&cli.StringFlag{
-				Name:    credentials.OriginCertFlag,
+				Name:    cfdflags.OriginCert,
 				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
 			cliutil.FlagLogOutput,
 		},
 		Subcommands: subcommands,
 	}
@ -169,23 +164,35 @@ func handleValidationError(resp *http.Response, log *zerolog.Logger) {
 // logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
 // management requests
 func createLogger(c *cli.Context) *zerolog.Logger {
-	level, levelErr := zerolog.ParseLevel(c.String(logger.LogLevelFlag))
+	level, levelErr := zerolog.ParseLevel(c.String(cfdflags.LogLevel))
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
-	log := zerolog.New(zerolog.ConsoleWriter{
+	var writer io.Writer
-		Out:        colorable.NewColorable(os.Stderr),
+	switch c.String(cfdflags.LogFormatOutput) {
-		TimeFormat: time.RFC3339,
+	case cfdflags.LogFormatOutputValueJSON:
-	}).With().Timestamp().Logger().Level(level)
+		// zerolog by default outputs as JSON
 		writer = os.Stderr
 	case cfdflags.LogFormatOutputValueDefault:
 		// "default" and unset use the same logger output format
 		fallthrough
 	default:
 		writer = zerolog.ConsoleWriter{
 			Out:        colorable.NewColorable(os.Stderr),
 			TimeFormat: time.RFC3339,
 		}
 	}
 	log := zerolog.New(writer).With().Timestamp().Logger().Level(level)
 	return &log
 }
 // parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
 func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	var level *management.LogLevel
 	var events []management.LogEventType
 	var sample float64
 	events := make([]management.LogEventType, 0)
 	argLevel := c.String("level")
 	argEvents := c.StringSlice("event")
 	argSample := c.Float64("sample")
@ -225,12 +232,19 @@ func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 // getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
 func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
-	userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
+	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	if err != nil {
 		return "", err
 	}
-	client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
+	var apiURL string
 	if userCreds.IsFEDEndpoint() {
 		apiURL = credentials.FedRampBaseApiURL
 	} else {
 		apiURL = c.String(cfdflags.ApiURL)
 	}
 	client, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
@ -255,7 +269,7 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
 func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 	var err error
-	managementHostname := c.String("management-hostname")
+
 	token := c.String("token")
 	if token == "" {
 		token, err = getManagementToken(c, log)
@ -263,6 +277,19 @@ func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
 	claims, err := management.ParseToken(token)
 	if err != nil {
 		return url.URL{}, fmt.Errorf("failed to determine if token is FED: %w", err)
 	}
 	var managementHostname string
 	if claims.IsFed() {
 		managementHostname = credentials.FedRampHostname
 	} else {
 		managementHostname = c.String(cfdflags.ManagementHostname)
 	}
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")
@ -331,6 +358,7 @@ func Run(c *cli.Context) error {
 		header["cf-trace-id"] = []string{trace}
 	}
 	ctx := c.Context
 	// nolint: bodyclose
 	conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
 		HTTPHeader: header,
 	})
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/url"
 	"os"
 	"path/filepath"
 	"runtime/trace"
 	"strings"
 	"sync"
@ -14,8 +15,7 @@ import (
 	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/facebookgo/grace/gracenet"
 	"github.com/getsentry/sentry-go"
-	"github.com/google/uuid"
+	"github.com/mitchellh/go-homedir"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@ -23,13 +23,14 @@ import (
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/diagnostic"
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
@ -39,67 +40,13 @@ import (
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	"github.com/cloudflare/cloudflared/tunneldns"
 	"github.com/cloudflare/cloudflared/tunnelstate"
 	"github.com/cloudflare/cloudflared/validation"
 )
 const (
 	sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878"
 	// ha-Connections specifies how many connections to make to the edge
 	haConnectionsFlag = "ha-connections"
 	// sshPortFlag is the port on localhost the cloudflared ssh server will run on
 	sshPortFlag = "local-ssh-port"
 	// sshIdleTimeoutFlag defines the duration a SSH session can remain idle before being closed
 	sshIdleTimeoutFlag = "ssh-idle-timeout"
 	// sshMaxTimeoutFlag defines the max duration a SSH session can remain open for
 	sshMaxTimeoutFlag = "ssh-max-timeout"
 	// bucketNameFlag is the bucket name to use for the SSH log uploader
 	bucketNameFlag = "bucket-name"
 	// regionNameFlag is the AWS region name to use for the SSH log uploader
 	regionNameFlag = "region-name"
 	// secretIDFlag is the Secret id of SSH log uploader
 	secretIDFlag = "secret-id"
 	// accessKeyIDFlag is the Access key id of SSH log uploader
 	accessKeyIDFlag = "access-key-id"
 	// sessionTokenIDFlag is the Session token of SSH log uploader
 	sessionTokenIDFlag = "session-token"
 	// s3URLFlag is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
 	s3URLFlag = "s3-url-host"
 	// hostKeyPath is the path of the dir to save SSH host keys too
 	hostKeyPath = "host-key-path"
 	// rpcTimeout is how long to wait for a Capnp RPC request to the edge
 	rpcTimeout = "rpc-timeout"
 	// writeStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
 	writeStreamTimeout = "write-stream-timeout"
 	// quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
 	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
 	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
 	quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
 	// quicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
 	// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
 	// but it's blocked by flow control
 	quicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
 	// quicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
 	// it will send a STREAM_DATA_BLOCKED frame
 	quicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
 	// uiFlag is to enable launching cloudflared in interactive UI mode
 	uiFlag = "ui"
 	LogFieldCommand             = "command"
 	LogFieldExpandedPath        = "expandedPath"
 	LogFieldPIDPathname         = "pidPathname"
@ -114,7 +61,6 @@ Eg. cloudflared tunnel --url localhost:8080/.
 Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes.
 For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)
 `
 	connectorLabelFlag = "label"
 )
 var (
@ -124,7 +70,96 @@ var (
 	routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+
 		"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+
 		"any existing DNS records for this hostname.", overwriteDNSFlag)
-	deprecatedClassicTunnelErr = fmt.Errorf("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
+	errDeprecatedClassicTunnel = errors.New("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
 	// TODO: TUN-8756 the list below denotes the flags that do not possess any kind of sensitive information
 	// however this approach is not maintainble in the long-term.
 	nonSecretFlagsList = []string{
 		"config",
 		cfdflags.AutoUpdateFreq,
 		cfdflags.NoAutoUpdate,
 		cfdflags.Metrics,
 		"pidfile",
 		"url",
 		"hello-world",
 		"socks5",
 		"proxy-connect-timeout",
 		"proxy-tls-timeout",
 		"proxy-tcp-keepalive",
 		"proxy-no-happy-eyeballs",
 		"proxy-keepalive-connections",
 		"proxy-keepalive-timeout",
 		"proxy-connection-timeout",
 		"proxy-expect-continue-timeout",
 		"http-host-header",
 		"origin-server-name",
 		"unix-socket",
 		"origin-ca-pool",
 		"no-tls-verify",
 		"no-chunked-encoding",
 		"http2-origin",
 		cfdflags.ManagementHostname,
 		"service-op-ip",
 		"local-ssh-port",
 		"ssh-idle-timeout",
 		"ssh-max-timeout",
 		"bucket-name",
 		"region-name",
 		"s3-url-host",
 		"host-key-path",
 		"ssh-server",
 		"bastion",
 		"proxy-address",
 		"proxy-port",
 		cfdflags.LogLevel,
 		cfdflags.TransportLogLevel,
 		cfdflags.LogFile,
 		cfdflags.LogDirectory,
 		cfdflags.TraceOutput,
 		cfdflags.ProxyDns,
 		"proxy-dns-port",
 		"proxy-dns-address",
 		"proxy-dns-upstream",
 		"proxy-dns-max-upstream-conns",
 		"proxy-dns-bootstrap",
 		cfdflags.IsAutoUpdated,
 		cfdflags.Edge,
 		cfdflags.Region,
 		cfdflags.EdgeIpVersion,
 		cfdflags.EdgeBindAddress,
 		"cacert",
 		"hostname",
 		"id",
 		cfdflags.LBPool,
 		cfdflags.ApiURL,
 		cfdflags.MetricsUpdateFreq,
 		cfdflags.Tag,
 		"heartbeat-interval",
 		"heartbeat-count",
 		cfdflags.MaxEdgeAddrRetries,
 		cfdflags.Retries,
 		"ha-connections",
 		"rpc-timeout",
 		"write-stream-timeout",
 		"quic-disable-pmtu-discovery",
 		"quic-connection-level-flow-control-limit",
 		"quic-stream-level-flow-control-limit",
 		cfdflags.ConnectorLabel,
 		cfdflags.GracePeriod,
 		"compression-quality",
 		"use-reconnect-token",
 		"dial-edge-timeout",
 		"stdin-control",
 		cfdflags.Name,
 		cfdflags.Ui,
 		"quick-service",
 		"max-fetch-size",
 		cfdflags.PostQuantum,
 		"management-diagnostics",
 		cfdflags.Protocol,
 		"overwrite-dns",
 		"help",
 		cfdflags.MaxActiveFlows,
 	}
 )
 func Flags() []cli.Flag {
@ -139,11 +174,13 @@ func Commands() []*cli.Command {
 		buildVirtualNetworkSubcommand(false),
 		buildRunCommand(),
 		buildListCommand(),
 		buildReadyCommand(),
 		buildInfoCommand(),
 		buildIngressSubcommand(),
 		buildDeleteCommand(),
 		buildCleanupCommand(),
 		buildTokenCommand(),
 		buildDiagCommand(),
 		// for compatibility, allow following as tunnel subcommands
 		proxydns.Command(true),
 		cliutil.RemovedCommand("db-connect"),
@ -170,7 +207,7 @@ then protect with Cloudflare Access).
  B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
 those enrolled to a Zero Trust WARP Client.
-You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
+You can manage your Tunnels via one.dash.cloudflare.com. This approach will only require you to run a single command
 later in each machine where you wish to run a Tunnel.
 Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
@ -206,7 +243,7 @@ func TunnelCommand(c *cli.Context) error {
 	// --name required
 	// --url or --hello-world required
 	// --hostname optional
-	if name := c.String("name"); name != "" {
+	if name := c.String(cfdflags.Name); name != "" {
 		hostname, err := validation.ValidateHostname(c.String("hostname"))
 		if err != nil {
 			return errors.Wrap(err, "Invalid hostname provided")
@ -223,7 +260,7 @@ func TunnelCommand(c *cli.Context) error {
 	// A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com
 	// We don't support running proxy-dns and a quick tunnel at the same time as the same process
 	shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag)
-	if !c.IsSet("proxy-dns") && c.String("quick-service") != "" && shouldRunQuickTunnel {
+	if !c.IsSet(cfdflags.ProxyDns) && c.String("quick-service") != "" && shouldRunQuickTunnel {
 		return RunQuickTunnel(sc)
 	}
@ -234,10 +271,10 @@ func TunnelCommand(c *cli.Context) error {
 	// Classic tunnel usage is no longer supported
 	if c.String("hostname") != "" {
-		return deprecatedClassicTunnelErr
+		return errDeprecatedClassicTunnel
 	}
-	if c.IsSet("proxy-dns") {
+	if c.IsSet(cfdflags.ProxyDns) {
 		if shouldRunQuickTunnel {
 			return fmt.Errorf("running a quick tunnel with `proxy-dns` is not supported")
 		}
@ -284,7 +321,7 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
 func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
 	if hostname := c.String("hostname"); hostname != "" {
-		if lbPool := c.String("lb-pool"); lbPool != "" {
+		if lbPool := c.String(cfdflags.LBPool); lbPool != "" {
 			return cfapi.NewLBRoute(hostname, lbPool), true
 		}
 		return cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true
@ -314,7 +351,7 @@ func StartServer(
 		log.Info().Msg(config.ErrNoConfigFile.Error())
 	}
-	if c.IsSet("trace-output") {
+	if c.IsSet(cfdflags.TraceOutput) {
 		tmpTraceFile, err := os.CreateTemp("", "trace")
 		if err != nil {
 			log.Err(err).Msg("Failed to create new temporary file to save trace output")
@ -326,7 +363,7 @@ func StartServer(
 			if err := tmpTraceFile.Close(); err != nil {
 				traceLog.Err(err).Msg("Failed to close temporary trace output file")
 			}
-			traceOutputFilepath := c.String("trace-output")
+			traceOutputFilepath := c.String(cfdflags.TraceOutput)
 			if err := os.Rename(tmpTraceFile.Name(), traceOutputFilepath); err != nil {
 				traceLog.
 					Err(err).
@ -356,7 +393,7 @@ func StartServer(
 	go waitForSignal(graceShutdownC, log)
-	if c.IsSet("proxy-dns") {
+	if c.IsSet(cfdflags.ProxyDns) {
 		dnsReadySignal := make(chan struct{})
 		wg.Add(1)
 		go func() {
@ -378,7 +415,7 @@ func StartServer(
 	go func() {
 		defer wg.Done()
 		autoupdater := updater.NewAutoUpdater(
-			c.Bool("no-autoupdate"), c.Duration("autoupdate-freq"), &listeners, log,
+			c.Bool(cfdflags.NoAutoUpdate), c.Duration(cfdflags.AutoUpdateFreq), &listeners, log,
 		)
 		errC <- autoupdater.Run(ctx)
 	}()
@ -408,65 +445,93 @@ func StartServer(
 		log.Err(err).Msg("Couldn't start tunnel")
 		return err
 	}
-	var clientID uuid.UUID
+	connectorID := tunnelConfig.ClientConfig.ConnectorID
 	if tunnelConfig.NamedTunnel != nil {
 		clientID, err = uuid.FromBytes(tunnelConfig.NamedTunnel.Client.ClientID)
 		if err != nil {
 			// set to nil for classic tunnels
 			clientID = uuid.Nil
 		}
 	}
 	// Disable ICMP packet routing for quick tunnels
 	if quickTunnelURL != "" {
-		tunnelConfig.PacketConfig = nil
+		tunnelConfig.ICMPRouterServer = nil
 	}
-	internalRules := []ingress.Rule{}
+	serviceIP := c.String("service-op-ip")
-	if features.Contains(features.FeatureManagementLogs) {
+	if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
-		serviceIP := c.String("service-op-ip")
+		if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
-		if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
+			serviceIP = serviceAddr.TCP.String()
 			if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
 				serviceIP = serviceAddr.TCP.String()
 			}
 		}
 		mgmt := management.New(
 			c.String("management-hostname"),
 			c.Bool("management-diagnostics"),
 			serviceIP,
 			clientID,
 			c.String(connectorLabelFlag),
 			logger.ManagementLogger.Log,
 			logger.ManagementLogger,
 		)
 		internalRules = []ingress.Rule{ingress.NewManagementRule(mgmt)}
 	}
 	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	var isFEDEndpoint bool
 	if err != nil {
 		isFEDEndpoint = false
 	} else {
 		isFEDEndpoint = userCreds.IsFEDEndpoint()
 	}
 	var managementHostname string
 	if isFEDEndpoint {
 		managementHostname = credentials.FedRampHostname
 	} else {
 		managementHostname = c.String(cfdflags.ManagementHostname)
 	}
 	mgmt := management.New(
 		managementHostname,
 		c.Bool("management-diagnostics"),
 		serviceIP,
 		connectorID,
 		c.String(cfdflags.ConnectorLabel),
 		logger.ManagementLogger.Log,
 		logger.ManagementLogger,
 	)
 	internalRules := []ingress.Rule{ingress.NewManagementRule(mgmt)}
 	orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log)
 	if err != nil {
 		return err
 	}
-	metricsListener, err := listeners.Listen("tcp", c.String("metrics"))
+	metricsListener, err := metrics.CreateMetricsListener(&listeners, c.String("metrics"))
 	if err != nil {
 		log.Err(err).Msg("Error opening metrics server listener")
 		return errors.Wrap(err, "Error opening metrics server listener")
 	}
 	defer metricsListener.Close()
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		readinessServer := metrics.NewReadyServer(log, clientID)
+		tracker := tunnelstate.NewConnTracker(log)
-		observer.RegisterSink(readinessServer)
+		observer.RegisterSink(tracker)
 		ipv4, ipv6, err := determineICMPSources(c, log)
 		sources := make([]string, 0)
 		if err == nil {
 			sources = append(sources, ipv4.String())
 			sources = append(sources, ipv6.String())
 		}
 		readinessServer := metrics.NewReadyServer(connectorID, tracker)
 		cliFlags := nonSecretCliFlags(log, c, nonSecretFlagsList)
 		diagnosticHandler := diagnostic.NewDiagnosticHandler(
 			log,
 			0,
 			diagnostic.NewSystemCollectorImpl(buildInfo.CloudflaredVersion),
 			tunnelConfig.NamedTunnel.Credentials.TunnelID,
 			connectorID,
 			tracker,
 			cliFlags,
 			sources,
 		)
 		metricsConfig := metrics.Config{
 			ReadyServer:         readinessServer,
 			DiagnosticHandler:   diagnosticHandler,
 			QuickTunnelHostname: quickTunnelURL,
 			Orchestrator:        orchestrator,
 		}
 		errC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log)
 	}()
-	reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(haConnectionsFlag))
+	reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(cfdflags.HaConnections))
 	if c.IsSet("stdin-control") {
 		log.Info().Msg("Enabling control through stdin")
 		go stdinControl(reconnectCh, log)
@ -503,8 +568,10 @@ func waitToShutdown(wg *sync.WaitGroup,
 		log.Debug().Msg("Graceful shutdown signalled")
 		if gracePeriod > 0 {
 			// wait for either grace period or service termination
 			ticker := time.NewTicker(gracePeriod)
 			defer ticker.Stop()
 			select {
-			case <-time.Tick(gracePeriod):
+			case <-ticker.C:
 			case <-errC:
 			}
 		}
@ -532,7 +599,7 @@ func waitToShutdown(wg *sync.WaitGroup,
 func notifySystemd(waitForSignal *signal.Signal) {
 	<-waitForSignal.Wait()
-	daemon.SdNotify(false, "READY=1")
+	_, _ = daemon.SdNotify(false, "READY=1")
 }
 func writePidFile(waitForSignal *signal.Signal, pidPathname string, log *zerolog.Logger) {
@ -584,31 +651,31 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 	flags = append(flags, []cli.Flag{
 		credentialsFileFlag,
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:   "is-autoupdated",
+			Name:   cfdflags.IsAutoUpdated,
 			Usage:  "Signal the new process that Cloudflare Tunnel connector has been autoupdated",
 			Value:  false,
 			Hidden: true,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-			Name:    "edge",
+			Name:    cfdflags.Edge,
 			Usage:   "Address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment.",
 			EnvVars: []string{"TUNNEL_EDGE"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "region",
+			Name:    cfdflags.Region,
 			Usage:   "Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.",
 			EnvVars: []string{"TUNNEL_REGION"},
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "edge-ip-version",
+			Name:    cfdflags.EdgeIpVersion,
 			Usage:   "Cloudflare Edge IP address version to connect with. {4, 6, auto}",
 			EnvVars: []string{"TUNNEL_EDGE_IP_VERSION"},
 			Value:   "4",
 			Hidden:  false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "edge-bind-address",
+			Name:    cfdflags.EdgeBindAddress,
 			Usage:   "Bind to IP address for outgoing connections to Cloudflare Edge.",
 			EnvVars: []string{"TUNNEL_EDGE_BIND_ADDRESS"},
 			Hidden:  false,
@ -632,7 +699,7 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "lb-pool",
+			Name:    cfdflags.LBPool,
 			Usage:   "The name of a (new/existing) load balancing pool to add this origin to.",
 			EnvVars: []string{"TUNNEL_LB_POOL"},
 			Hidden:  shouldHide,
@ -656,21 +723,21 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "api-url",
+			Name:    cfdflags.ApiURL,
 			Usage:   "Base URL for Cloudflare API v4",
 			EnvVars: []string{"TUNNEL_API_URL"},
 			Value:   "https://api.cloudflare.com/client/v4",
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    "metrics-update-freq",
+			Name:    cfdflags.MetricsUpdateFreq,
 			Usage:   "Frequency to update tunnel metrics",
 			Value:   time.Second * 5,
 			EnvVars: []string{"TUNNEL_METRICS_UPDATE_FREQ"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-			Name:    "tag",
+			Name:    cfdflags.Tag,
 			Usage:   "Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.",
 			EnvVars: []string{"TUNNEL_TAG"},
 			Hidden:  true,
@ -689,64 +756,64 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden: true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:   "max-edge-addr-retries",
+			Name:   cfdflags.MaxEdgeAddrRetries,
 			Usage:  "Maximum number of times to retry on edge addrs before falling back to a lower protocol",
 			Value:  8,
 			Hidden: true,
 		}),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:    "retries",
+			Name:    cfdflags.Retries,
 			Value:   5,
 			Usage:   "Maximum number of retries for connection/protocol errors.",
 			EnvVars: []string{"TUNNEL_RETRIES"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:   haConnectionsFlag,
+			Name:   cfdflags.HaConnections,
 			Value:  4,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:   rpcTimeout,
+			Name:   cfdflags.RpcTimeout,
 			Value:  5 * time.Second,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    writeStreamTimeout,
+			Name:    cfdflags.WriteStreamTimeout,
 			EnvVars: []string{"TUNNEL_STREAM_WRITE_TIMEOUT"},
 			Usage:   "Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.",
 			Value:   0 * time.Second,
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    quicDisablePathMTUDiscovery,
+			Name:    cfdflags.QuicDisablePathMTUDiscovery,
 			EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"},
 			Usage:   "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.",
 			Value:   false,
 			Hidden:  true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:    quicConnLevelFlowControlLimit,
+			Name:    cfdflags.QuicConnLevelFlowControlLimit,
 			EnvVars: []string{"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT"},
 			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
 			Value:   30 * (1 << 20), // 30 MB
 			Hidden:  true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:    quicStreamLevelFlowControlLimit,
+			Name:    cfdflags.QuicStreamLevelFlowControlLimit,
 			EnvVars: []string{"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT"},
 			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
 			Value:   6 * (1 << 20), // 6 MB
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:  connectorLabelFlag,
+			Name:  cfdflags.ConnectorLabel,
 			Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.",
 			Value: "",
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    "grace-period",
+			Name:    cfdflags.GracePeriod,
 			Usage:   "When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.",
 			Value:   time.Second * 30,
 			EnvVars: []string{"TUNNEL_GRACE_PERIOD"},
@ -782,14 +849,14 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "name",
+			Name:    cfdflags.Name,
 			Aliases: []string{"n"},
 			EnvVars: []string{"TUNNEL_NAME"},
 			Usage:   "Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately",
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:   uiFlag,
+			Name:   cfdflags.Ui,
 			Usage:  "(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
 			Value:  false,
 			Hidden: true,
@ -807,11 +874,10 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "post-quantum",
+			Name:    cfdflags.PostQuantum,
 			Usage:   "When given creates an experimental post-quantum secure tunnel",
 			Aliases: []string{"pq"},
 			EnvVars: []string{"TUNNEL_POST_QUANTUM"},
 			Hidden:  FipsEnabled,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    "management-diagnostics",
@ -836,29 +902,35 @@ func configureCloudflaredFlags(shouldHide bool) []cli.Flag {
 			Hidden: shouldHide,
 		},
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    credentials.OriginCertFlag,
+			Name:    cfdflags.OriginCert,
 			Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 			EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 			Value:   credentials.FindDefaultOriginCertPath(),
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:   "autoupdate-freq",
+			Name:   cfdflags.AutoUpdateFreq,
 			Usage:  fmt.Sprintf("Autoupdate frequency. Default is %v.", updater.DefaultCheckUpdateFreq),
 			Value:  updater.DefaultCheckUpdateFreq,
 			Hidden: shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "no-autoupdate",
+			Name:    cfdflags.NoAutoUpdate,
 			Usage:   "Disable periodic check for updates, restarting the server with the new version.",
 			EnvVars: []string{"NO_AUTOUPDATE"},
 			Value:   false,
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "metrics",
+			Name:  cfdflags.Metrics,
-			Value:   "localhost:",
+			Value: metrics.GetMetricsDefaultAddress(metrics.Runtime),
-			Usage:   "Listen address for metrics reporting.",
+			Usage: fmt.Sprintf(
 				`Listen address for metrics reporting. If no address is passed cloudflared will try to bind to %v.
 If all are unavailable, a random port will be used. Note that when running cloudflared from an virtual
 environment the default address binds to all interfaces, hence, it is important to isolate the host
 and virtualized host network stacks from each other`,
 				metrics.GetMetricsKnownAddresses(metrics.Runtime),
 			),
 			EnvVars: []string{"TUNNEL_METRICS"},
 			Hidden:  shouldHide,
 		}),
@ -985,7 +1057,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "management-hostname",
+			Name:    cfdflags.ManagementHostname,
 			Usage:   "Management hostname to signify incoming management requests",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 			Hidden:  true,
@ -1014,62 +1086,62 @@ func legacyTunnelFlag(msg string) string {
 func sshFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    sshPortFlag,
+			Name:    cfdflags.SshPort,
 			Usage:   "Localhost port that cloudflared SSH server will run on",
 			Value:   "2222",
 			EnvVars: []string{"LOCAL_SSH_PORT"},
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    sshIdleTimeoutFlag,
+			Name:    cfdflags.SshIdleTimeout,
 			Usage:   "Connection timeout after no activity",
 			EnvVars: []string{"SSH_IDLE_TIMEOUT"},
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    sshMaxTimeoutFlag,
+			Name:    cfdflags.SshMaxTimeout,
 			Usage:   "Absolute connection timeout",
 			EnvVars: []string{"SSH_MAX_TIMEOUT"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    bucketNameFlag,
+			Name:    cfdflags.SshLogUploaderBucketName,
 			Usage:   "Bucket name of where to upload SSH logs",
 			EnvVars: []string{"BUCKET_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    regionNameFlag,
+			Name:    cfdflags.SshLogUploaderRegionName,
 			Usage:   "Region name of where to upload SSH logs",
 			EnvVars: []string{"REGION_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    secretIDFlag,
+			Name:    cfdflags.SshLogUploaderSecretID,
 			Usage:   "Secret ID of where to upload SSH logs",
 			EnvVars: []string{"SECRET_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    accessKeyIDFlag,
+			Name:    cfdflags.SshLogUploaderAccessKeyID,
 			Usage:   "Access Key ID of where to upload SSH logs",
 			EnvVars: []string{"ACCESS_CLIENT_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    sessionTokenIDFlag,
+			Name:    cfdflags.SshLogUploaderSessionTokenID,
 			Usage:   "Session Token to use in the configuration of SSH logs uploading",
 			EnvVars: []string{"SESSION_TOKEN_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    s3URLFlag,
+			Name:    cfdflags.SshLogUploaderS3URL,
 			Usage:   "S3 url of where to upload SSH logs",
 			EnvVars: []string{"S3_URL"},
 			Hidden:  true,
 		}),
 		altsrc.NewPathFlag(&cli.PathFlag{
-			Name:    hostKeyPath,
+			Name:    cfdflags.HostKeyPath,
 			Usage:   "Absolute path of directory to save SSH host keys in",
 			EnvVars: []string{"HOST_KEY_PATH"},
 			Hidden:  true,
@ -1109,7 +1181,7 @@ func sshFlags(shouldHide bool) []cli.Flag {
 func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "proxy-dns",
+			Name:    cfdflags.ProxyDns,
 			Usage:   "Run a DNS over HTTPS proxy server.",
 			EnvVars: []string{"TUNNEL_DNS"},
 			Hidden:  shouldHide,
@ -1189,3 +1261,46 @@ reconnect [delay]
 		}
 	}
 }
 func nonSecretCliFlags(log *zerolog.Logger, cli *cli.Context, flagInclusionList []string) map[string]string {
 	flagsNames := cli.FlagNames()
 	flags := make(map[string]string, len(flagsNames))
 	for _, flag := range flagsNames {
 		value := cli.String(flag)
 		if value == "" {
 			continue
 		}
 		isIncluded := isFlagIncluded(flagInclusionList, flag)
 		if !isIncluded {
 			continue
 		}
 		switch flag {
 		case cfdflags.LogDirectory, cfdflags.LogFile:
 			{
 				absolute, err := filepath.Abs(value)
 				if err != nil {
 					log.Error().Err(err).Msgf("could not convert %s path to absolute", flag)
 				} else {
 					flags[flag] = absolute
 				}
 			}
 		default:
 			flags[flag] = value
 		}
 	}
 	return flags
 }
 func isFlagIncluded(flagInclusionList []string, flag string) bool {
 	for _, include := range flagInclusionList {
 		if include == flag {
 			return true
 		}
 	}
 	return false
 }
--- a/cmd/cloudflared/tunnel/config_test.go
+++ b/cmd/cloudflared/tunnel/config_test.go
@ -1,15 +0,0 @@
 package tunnel
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/features"
 )
 func TestDedup(t *testing.T) {
 	expected := []string{"a", "b"}
 	actual := features.Dedup([]string{"a", "b", "a"})
 	require.ElementsMatch(t, expected, actual)
 }
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -10,20 +10,23 @@ import (
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/term"
 	"github.com/cloudflare/cloudflared/client"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/ingress/origins"
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
@ -36,23 +39,23 @@ const (
 )
 var (
 	developerPortal = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup"
 	serviceUrl      = developerPortal + "/tunnel-guide/local/as-a-service/"
 	argumentsUrl    = developerPortal + "/tunnel-guide/local/local-management/arguments/"
 	secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
-	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
+	configFlags = []string{
-)
+		flags.AutoUpdateFreq,
-
+		flags.NoAutoUpdate,
-func generateRandomClientID(log *zerolog.Logger) (string, error) {
+		flags.Retries,
-	u, err := uuid.NewRandom()
+		flags.Protocol,
-	if err != nil {
+		flags.LogLevel,
-		log.Error().Msgf("couldn't create UUID for client ID %s", err)
+		flags.TransportLogLevel,
-		return "", err
+		flags.OriginCert,
 		flags.Metrics,
 		flags.MetricsUpdateFreq,
 		flags.EdgeIpVersion,
 		flags.EdgeBindAddress,
 		flags.MaxActiveFlows,
 	}
-	return u.String(), nil
+)
 }
 func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	flags := make(map[string]interface{})
@ -109,8 +112,8 @@ func isSecretEnvVar(key string) bool {
 }
 func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
-	return c.IsSet("proxy-dns") &&
+	return c.IsSet(flags.ProxyDns) &&
-		!(c.IsSet("name") || // adhoc-named tunnel
+		!(c.IsSet(flags.Name) || // adhoc-named tunnel
 			c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
 			namedTunnel != nil) // named tunnel
 }
@ -123,62 +126,44 @@ func prepareTunnelConfig(
 	observer *connection.Observer,
 	namedTunnel *connection.TunnelProperties,
 ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
-	clientID, err := uuid.NewRandom()
+	transportProtocol := c.String(flags.Protocol)
 	isPostQuantumEnforced := c.Bool(flags.PostQuantum)
 	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice(flags.Features), isPostQuantumEnforced, log)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
+		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
 	}
-	log.Info().Msgf("Generated Connector ID: %s", clientID)
+
-	tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
+	clientConfig, err := client.NewConfig(info.Version(), info.OSArch(), featureSelector)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Info().Msgf("Generated Connector ID: %s", clientConfig.ConnectorID)
 	tags, err := NewTagSliceFromCLI(c.StringSlice(flags.Tag))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
 		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
-	tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
+	tags = append(tags, pogs.Tag{Name: "ID", Value: clientConfig.ConnectorID.String()})
-	transportProtocol := c.String("protocol")
+	clientFeatures := featureSelector.Snapshot()
-
+	pqMode := clientFeatures.PostQuantum
 	clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
 	staticFeatures := features.StaticFeatures{}
 	if c.Bool("post-quantum") {
 		if FipsEnabled {
 			return nil, nil, fmt.Errorf("post-quantum not supported in FIPS mode")
 		}
 		pqMode := features.PostQuantumStrict
 		staticFeatures.PostQuantumMode = &pqMode
 	}
 	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, staticFeatures, log)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
 	}
 	pqMode := featureSelector.PostQuantumMode()
 	if pqMode == features.PostQuantumStrict {
 		// Error if the user tries to force a non-quic transport protocol
 		if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
 			return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
 		}
 		transportProtocol = connection.QUIC.String()
 		clientFeatures = append(clientFeatures, features.FeaturePostQuantum)
 		log.Info().Msgf(
 			"Using hybrid post-quantum key agreement %s",
 			supervisor.PQKexName,
 		)
 	}
 	namedTunnel.Client = pogs.ClientInfo{
 		ClientID: clientID[:],
 		Features: clientFeatures,
 		Version:  info.Version(),
 		Arch:     info.OSArch(),
 	}
 	cfg := config.GetConfiguration()
 	ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
 	if err != nil {
 		return nil, nil, err
 	}
-	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), c.Bool("post-quantum"), edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
+	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), isPostQuantumEnforced, edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
 	if err != nil {
 		return nil, nil, err
 	}
@ -204,11 +189,11 @@ func prepareTunnelConfig(
 	if err != nil {
 		return nil, nil, err
 	}
-	edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
+	edgeIPVersion, err := parseConfigIPVersion(c.String(flags.EdgeIpVersion))
 	if err != nil {
 		return nil, nil, err
 	}
-	edgeBindAddr, err := parseConfigBindAddress(c.String("edge-bind-address"))
+	edgeBindAddr, err := parseConfigBindAddress(c.String(flags.EdgeBindAddress))
 	if err != nil {
 		return nil, nil, err
 	}
@ -221,48 +206,82 @@ func prepareTunnelConfig(
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
 	region := c.String(flags.Region)
 	endpoint := namedTunnel.Credentials.Endpoint
 	var resolvedRegion string
 	// set resolvedRegion to either the region passed as argument
 	// or to the endpoint in the credentials.
 	// Region and endpoint are interchangeable
 	if region != "" && endpoint != "" {
 		return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
 	} else if region != "" {
 		resolvedRegion = region
 	} else if endpoint != "" {
 		resolvedRegion = endpoint
 	}
 	warpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)
 	// Setup origin dialer service and virtual services
 	originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
 		DefaultDialer:   ingress.NewDialer(warpRoutingConfig),
 		TCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),
 	}, log)
 	// Setup DNS Resolver Service
 	originMetrics := origins.NewMetrics(prometheus.DefaultRegisterer)
 	dnsResolverAddrs := c.StringSlice(flags.VirtualDNSServiceResolverAddresses)
 	dnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log, originMetrics)
 	if len(dnsResolverAddrs) > 0 {
 		addrs, err := parseResolverAddrPorts(dnsResolverAddrs)
 		if err != nil {
 			return nil, nil, fmt.Errorf("invalid %s provided: %w", flags.VirtualDNSServiceResolverAddresses, err)
 		}
 		dnsService = origins.NewStaticDNSResolverService(addrs, origins.NewDNSDialer(), log, originMetrics)
 	}
 	originDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})
 	tunnelConfig := &supervisor.TunnelConfig{
 		ClientConfig:    clientConfig,
 		GracePeriod:     gracePeriod,
-		ReplaceExisting: c.Bool("force"),
+		EdgeAddrs:       c.StringSlice(flags.Edge),
-		OSArch:          info.OSArch(),
+		Region:          resolvedRegion,
 		ClientID:        clientID.String(),
 		EdgeAddrs:       c.StringSlice("edge"),
 		Region:          c.String("region"),
 		EdgeIPVersion:   edgeIPVersion,
 		EdgeBindAddr:    edgeBindAddr,
-		HAConnections:   c.Int(haConnectionsFlag),
+		HAConnections:   c.Int(flags.HaConnections),
-		IsAutoupdated:   c.Bool("is-autoupdated"),
+		IsAutoupdated:   c.Bool(flags.IsAutoUpdated),
-		LBPool:          c.String("lb-pool"),
+		LBPool:          c.String(flags.LBPool),
 		Tags:            tags,
 		Log:             log,
 		LogTransport:    logTransport,
 		Observer:        observer,
 		ReportedVersion: info.Version(),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
-		Retries:                             uint(c.Int("retries")),
+		Retries:                             uint(c.Int(flags.Retries)), // nolint: gosec
 		RunFromTerminal:                     isRunningFromTerminal(),
 		NamedTunnel:                         namedTunnel,
 		ProtocolSelector:                    protocolSelector,
 		EdgeTLSConfigs:                      edgeTLSConfigs,
-		FeatureSelector:                     featureSelector,
+		MaxEdgeAddrRetries:                  uint8(c.Int(flags.MaxEdgeAddrRetries)), // nolint: gosec
-		MaxEdgeAddrRetries:                  uint8(c.Int("max-edge-addr-retries")),
+		RPCTimeout:                          c.Duration(flags.RpcTimeout),
-		RPCTimeout:                          c.Duration(rpcTimeout),
+		WriteStreamTimeout:                  c.Duration(flags.WriteStreamTimeout),
-		WriteStreamTimeout:                  c.Duration(writeStreamTimeout),
+		DisableQUICPathMTUDiscovery:         c.Bool(flags.QuicDisablePathMTUDiscovery),
-		DisableQUICPathMTUDiscovery:         c.Bool(quicDisablePathMTUDiscovery),
+		QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
-		QUICConnectionLevelFlowControlLimit: c.Uint64(quicConnLevelFlowControlLimit),
+		QUICStreamLevelFlowControlLimit:     c.Uint64(flags.QuicStreamLevelFlowControlLimit),
-		QUICStreamLevelFlowControlLimit:     c.Uint64(quicStreamLevelFlowControlLimit),
+		OriginDNSService:                    dnsService,
 		OriginDialerService:                 originDialerService,
 	}
-	packetConfig, err := newPacketConfig(c, log)
+	icmpRouter, err := newICMPRouter(c, log)
 	if err != nil {
 		log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
 	} else {
-		tunnelConfig.PacketConfig = packetConfig
+		tunnelConfig.ICMPRouterServer = icmpRouter
 	}
 	orchestratorConfig := &orchestration.Config{
-		Ingress:            &ingressRules,
+		Ingress:             &ingressRules,
-		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
+		WarpRouting:         warpRoutingConfig,
-		ConfigurationFlags: parseConfigFlags(c),
+		OriginDialerService: originDialerService,
-		WriteTimeout:       c.Duration(writeStreamTimeout),
+		ConfigurationFlags:  parseConfigFlags(c),
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }
@ -280,9 +299,9 @@ func parseConfigFlags(c *cli.Context) map[string]string {
 }
 func gracePeriod(c *cli.Context) (time.Duration, error) {
-	period := c.Duration("grace-period")
+	period := c.Duration(flags.GracePeriod)
 	if period > connection.MaxGracePeriod {
-		return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
+		return time.Duration(0), fmt.Errorf("%s must be equal or less than %v", flags.GracePeriod, connection.MaxGracePeriod)
 	}
 	return period, nil
 }
@ -351,33 +370,39 @@ func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.I
 	}
 }
-func newPacketConfig(c *cli.Context, logger *zerolog.Logger) (*ingress.GlobalRouterConfig, error) {
+func newICMPRouter(c *cli.Context, logger *zerolog.Logger) (ingress.ICMPRouterServer, error) {
-	ipv4Src, err := determineICMPv4Src(c.String("icmpv4-src"), logger)
+	ipv4Src, ipv6Src, err := determineICMPSources(c, logger)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
+		return nil, err
 	}
 	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, logger, icmpFunnelTimeout)
 	if err != nil {
 		return nil, err
 	}
 	return icmpRouter, nil
 }
 func determineICMPSources(c *cli.Context, logger *zerolog.Logger) (netip.Addr, netip.Addr, error) {
 	ipv4Src, err := determineICMPv4Src(c.String(flags.ICMPV4Src), logger)
 	if err != nil {
 		return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
 	}
 	logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
-	ipv6Src, zone, err := determineICMPv6Src(c.String("icmpv6-src"), logger, ipv4Src)
+	ipv6Src, zone, err := determineICMPv6Src(c.String(flags.ICMPV6Src), logger, ipv4Src)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
+		return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
 	}
 	if zone != "" {
 		logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
 	} else {
 		logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
 	}
-	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, zone, logger, icmpFunnelTimeout)
+	return ipv4Src, ipv6Src, nil
 	if err != nil {
 		return nil, err
 	}
 	return &ingress.GlobalRouterConfig{
 		ICMPRouter: icmpRouter,
 		IPv4Src:    ipv4Src,
 		IPv6Src:    ipv6Src,
 		Zone:       zone,
 	}, nil
 }
 func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
@ -407,13 +432,12 @@ type interfaceIP struct {
 func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
 	if userDefinedSrc != "" {
-		userDefinedIP, zone, _ := strings.Cut(userDefinedSrc, "%")
+		addr, err := netip.ParseAddr(userDefinedSrc)
 		addr, err := netip.ParseAddr(userDefinedIP)
 		if err != nil {
 			return netip.Addr{}, "", err
 		}
 		if addr.Is6() {
-			return addr, zone, nil
+			return addr, addr.Zone(), nil
 		}
 		return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
 	}
@ -494,3 +518,19 @@ func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
 	localAddr := localAddrPort.Addr()
 	return localAddr, nil
 }
 func parseResolverAddrPorts(input []string) ([]netip.AddrPort, error) {
 	// We don't allow more than 10 resolvers to be provided statically for the resolver service.
 	if len(input) > 10 {
 		return nil, errors.New("too many addresses provided, max: 10")
 	}
 	addrs := make([]netip.AddrPort, 0, len(input))
 	for _, val := range input {
 		addr, err := netip.ParseAddrPort(val)
 		if err != nil {
 			return nil, err
 		}
 		addrs = append(addrs, addr)
 	}
 	return addrs, nil
 }
--- a/cmd/cloudflared/tunnel/credential_finder.go
+++ b/cmd/cloudflared/tunnel/credential_finder.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"path/filepath"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
@ -57,7 +58,7 @@ func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSys
 }
 func (s searchByID) Path() (string, error) {
-	originCertPath := s.c.String(credentials.OriginCertFlag)
+	originCertPath := s.c.String(cfdflags.OriginCert)
 	originCertLog := s.log.With().
 		Str("originCertPath", originCertPath).
 		Logger()
--- a/cmd/cloudflared/tunnel/fips.go
+++ b/cmd/cloudflared/tunnel/fips.go
@ -1,3 +0,0 @@
 package tunnel
 var FipsEnabled bool
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@ -12,6 +12,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
@ -19,8 +20,31 @@ import (
 )
 const (
-	baseLoginURL     = "https://dash.cloudflare.com/argotunnel"
+	baseLoginURL         = "https://dash.cloudflare.com/argotunnel"
-	callbackStoreURL = "https://login.cloudflareaccess.org/"
+	callbackURL          = "https://login.cloudflareaccess.org/"
 	fedBaseLoginURL      = "https://dash.fed.cloudflare.com/argotunnel"
 	fedCallbackStoreURL  = "https://login.fed.cloudflareaccess.org/"
 	fedRAMPParamName     = "fedramp"
 	loginURLParamName    = "loginURL"
 	callbackURLParamName = "callbackURL"
 )
 var (
 	loginURL = &cli.StringFlag{
 		Name:  loginURLParamName,
 		Value: baseLoginURL,
 		Usage: "The URL used to login (default is https://dash.cloudflare.com/argotunnel)",
 	}
 	callbackStore = &cli.StringFlag{
 		Name:  callbackURLParamName,
 		Value: callbackURL,
 		Usage: "The URL used for the callback (default is https://login.cloudflareaccess.org/)",
 	}
 	fedramp = &cli.BoolFlag{
 		Name:    fedRAMPParamName,
 		Aliases: []string{"f"},
 		Usage:   "Login with FedRAMP High environment.",
 	}
 )
 func buildLoginSubcommand(hidden bool) *cli.Command {
@ -30,6 +54,11 @@ func buildLoginSubcommand(hidden bool) *cli.Command {
 		Usage:     "Generate a configuration file with your login details",
 		ArgsUsage: " ",
 		Hidden:    hidden,
 		Flags: []cli.Flag{
 			loginURL,
 			callbackStore,
 			fedramp,
 		},
 	}
 }
@ -38,15 +67,25 @@ func login(c *cli.Context) error {
 	path, ok, err := checkForExistingCert()
 	if ok {
-		fmt.Fprintf(os.Stdout, "You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
+		log.Error().Err(err).Msgf("You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
 		return nil
 	} else if err != nil {
 		return err
 	}
-	loginURL, err := url.Parse(baseLoginURL)
+	var (
 		baseloginURL     = c.String(loginURLParamName)
 		callbackStoreURL = c.String(callbackURLParamName)
 	)
 	isFEDRamp := c.Bool(fedRAMPParamName)
 	if isFEDRamp {
 		baseloginURL = fedBaseLoginURL
 		callbackStoreURL = fedCallbackStoreURL
 	}
 	loginURL, err := url.Parse(baseloginURL)
 	if err != nil {
 		// shouldn't happen, URL is hardcoded
 		return err
 	}
@ -58,10 +97,28 @@ func login(c *cli.Context) error {
 		callbackStoreURL,
 		false,
 		false,
 		c.Bool(cfdflags.AutoCloseInterstitial),
 		isFEDRamp,
 		log,
 	)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "Failed to write the certificate due to the following error:\n%v\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", err, path)
+		log.Error().Err(err).Msgf("Failed to write the certificate.\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", path)
 		return err
 	}
 	cert, err := credentials.DecodeOriginCert(resourceData)
 	if err != nil {
 		log.Error().Err(err).Msg("failed to decode origin certificate")
 		return err
 	}
 	if isFEDRamp {
 		cert.Endpoint = credentials.FedEndpoint
 	}
 	resourceData, err = cert.EncodeOriginCert()
 	if err != nil {
 		log.Error().Err(err).Msg("failed to encode origin certificate")
 		return err
 	}
@ -69,7 +126,7 @@ func login(c *cli.Context) error {
 		return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
 	}
-	fmt.Fprintf(os.Stdout, "You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
+	log.Info().Msgf("You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
 	return nil
 }
--- a/cmd/cloudflared/tunnel/quick_tunnel.go
+++ b/cmd/cloudflared/tunnel/quick_tunnel.go
@ -3,6 +3,7 @@ package tunnel
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"time"
@ -10,15 +11,13 @@ import (
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/connection"
 )
 const httpTimeout = 15 * time.Second
-const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to" +
+const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee, are subject to the Cloudflare Online Services Terms of Use (https://www.cloudflare.com/website-terms/), and Cloudflare reserves the right to investigate your use of Tunnels for violations of such terms. If you intend to use Tunnels in production you should use a pre-created named tunnel by following: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
 	" experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee. If you " +
 	"intend to use Tunnels in production you should use a pre-created named tunnel by following: " +
 	"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
 // RunQuickTunnel requests a tunnel from the specified service.
 // We use this to power quick tunnels on trycloudflare.com, but the
@ -47,8 +46,17 @@ func RunQuickTunnel(sc *subcommandContext) error {
 	}
 	defer resp.Body.Close()
 	// This will read the entire response into memory so we can print it in case of error
 	rsp_body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return errors.Wrap(err, "failed to read quick-tunnel response")
 	}
 	var data QuickTunnelResponse
-	if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
+	if err := json.Unmarshal(rsp_body, &data); err != nil {
 		rsp_string := string(rsp_body)
 		fields := map[string]interface{}{"status_code": resp.Status}
 		sc.log.Err(err).Fields(fields).Msgf("Error unmarshaling QuickTunnel response: %s", rsp_string)
 		return errors.Wrap(err, "failed to unmarshal quick Tunnel")
 	}
@ -75,13 +83,13 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		sc.log.Info().Msg(line)
 	}
-	if !sc.c.IsSet("protocol") {
+	if !sc.c.IsSet(flags.Protocol) {
-		sc.c.Set("protocol", "quic")
+		_ = sc.c.Set(flags.Protocol, "quic")
 	}
 	// Override the number of connections used. Quick tunnels shouldn't be used for production usage,
 	// so, use a single connection instead.
-	sc.c.Set(haConnectionsFlag, "1")
+	_ = sc.c.Set(flags.HaConnections, "1")
 	return StartServer(
 		sc.c,
 		buildInfo,
--- a/cmd/cloudflared/tunnel/subcommand_context.go
+++ b/cmd/cloudflared/tunnel/subcommand_context.go
@ -9,22 +9,26 @@ import (
 	"strings"
 	"github.com/google/uuid"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 )
-type errInvalidJSONCredential struct {
+const fedRampBaseApiURL = "https://api.fed.cloudflare.com/client/v4"
 type invalidJSONCredentialError struct {
 	err  error
 	path string
 }
-func (e errInvalidJSONCredential) Error() string {
+func (e invalidJSONCredentialError) Error() string {
 	return "Invalid JSON when parsing tunnel credentials file"
 }
@ -51,7 +55,12 @@ func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
 // Returns something that can find the given tunnel's credentials file.
 func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
 	if path := sc.c.String(CredFileFlag); path != "" {
-		return newStaticPath(path, sc.fs)
+		// Expand path if CredFileFlag contains `~`
 		absPath, err := homedir.Expand(path)
 		if err != nil {
 			return newStaticPath(path, sc.fs)
 		}
 		return newStaticPath(absPath, sc.fs)
 	}
 	return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
 }
@ -64,7 +73,16 @@ func (sc *subcommandContext) client() (cfapi.Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	sc.tunnelstoreClient, err = cred.Client(sc.c.String("api-url"), buildInfo.UserAgent(), sc.log)
+
 	var apiURL string
 	if cred.IsFEDEndpoint() {
 		sc.log.Info().Str("api-url", fedRampBaseApiURL).Msg("using fedramp base api")
 		apiURL = fedRampBaseApiURL
 	} else {
 		apiURL = sc.c.String(cfdflags.ApiURL)
 	}
 	sc.tunnelstoreClient, err = cred.Client(apiURL, buildInfo.UserAgent(), sc.log)
 	if err != nil {
 		return nil, err
 	}
@ -73,7 +91,7 @@ func (sc *subcommandContext) client() (cfapi.Client, error) {
 func (sc *subcommandContext) credential() (*credentials.User, error) {
 	if sc.userCredential == nil {
-		uc, err := credentials.Read(sc.c.String(credentials.OriginCertFlag), sc.log)
+		uc, err := credentials.Read(sc.c.String(cfdflags.OriginCert), sc.log)
 		if err != nil {
 			return nil, err
 		}
@ -94,13 +112,13 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
 	var credentials connection.Credentials
 	if err = json.Unmarshal(body, &credentials); err != nil {
-		if strings.HasSuffix(filePath, ".pem") {
+		if filepath.Ext(filePath) == ".pem" {
 			return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " +
 				"The tunnel credentials file was originally created by `cloudflared tunnel create`. " +
 				"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " +
 				"login`.")
 		}
-		return connection.Credentials{}, errInvalidJSONCredential{path: filePath, err: err}
+		return connection.Credentials{}, invalidJSONCredentialError{path: filePath, err: err}
 	}
 	return credentials, nil
 }
@ -122,7 +140,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		if err != nil {
 			return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64")
 		}
-		tunnelSecret = []byte(decodedSecret)
+		tunnelSecret = decodedSecret
 		if len(tunnelSecret) < 32 {
 			return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long")
 		}
@ -137,10 +155,12 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 	if err != nil {
 		return nil, err
 	}
 	tunnelCredentials := connection.Credentials{
 		AccountTag:   credential.AccountID(),
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
 		Endpoint:     credential.Endpoint(),
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {
@ -160,7 +180,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 			errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
 			errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
 		} else {
-			errorLines = append(errorLines, fmt.Sprintf("The tunnel was deleted, because the tunnel can't be run without the credentials file"))
+			errorLines = append(errorLines, "The tunnel was deleted, because the tunnel can't be run without the credentials file")
 		}
 		errorMsg := strings.Join(errorLines, "\n")
 		return nil, errors.New(errorMsg)
@ -189,7 +209,7 @@ func (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel,
 }
 func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
-	forceFlagSet := sc.c.Bool("force")
+	forceFlagSet := sc.c.Bool(cfdflags.Force)
 	client, err := sc.client()
 	if err != nil {
@ -229,7 +249,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
 	var err error
 	if credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != "" {
 		if err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil {
-			err = errInvalidJSONCredential{path: "TUNNEL_CRED_CONTENTS", err: err}
+			err = invalidJSONCredentialError{path: "TUNNEL_CRED_CONTENTS", err: err}
 		}
 	} else {
 		credFinder := sc.credentialFinder(tunnelID)
@ -245,7 +265,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
 func (sc *subcommandContext) run(tunnelID uuid.UUID) error {
 	credentials, err := sc.findCredentials(tunnelID)
 	if err != nil {
-		if e, ok := err.(errInvalidJSONCredential); ok {
+		if e, ok := err.(invalidJSONCredentialError); ok {
 			sc.log.Error().Msgf("The credentials file at %s contained invalid JSON. This is probably caused by passing the wrong filepath. Reminder: the credentials file is a .json file created via `cloudflared tunnel create`.", e.path)
 			sc.log.Error().Msgf("Invalid JSON when parsing credentials file: %s", e.err.Error())
 		}
--- a/cmd/cloudflared/tunnel/subcommands.go
+++ b/cmd/cloudflared/tunnel/subcommands.go
@ -5,6 +5,8 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path/filepath"
 	"regexp"
@ -14,28 +16,40 @@ import (
 	"time"
 	"github.com/google/uuid"
-	homedir "github.com/mitchellh/go-homedir"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/net/idna"
-	yaml "gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v3"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/diagnostic"
 	"github.com/cloudflare/cloudflared/fips"
 	"github.com/cloudflare/cloudflared/metrics"
 )
 const (
-	allSortByOptions     = "name, id, createdAt, deletedAt, numConnections"
+	allSortByOptions        = "name, id, createdAt, deletedAt, numConnections"
-	connsSortByOptions   = "id, startedAt, numConnections, version"
+	connsSortByOptions      = "id, startedAt, numConnections, version"
-	CredFileFlagAlias    = "cred-file"
+	CredFileFlagAlias       = "cred-file"
-	CredFileFlag         = "credentials-file"
+	CredFileFlag            = "credentials-file"
-	CredContentsFlag     = "credentials-contents"
+	CredContentsFlag        = "credentials-contents"
-	TunnelTokenFlag      = "token"
+	TunnelTokenFlag         = "token"
-	overwriteDNSFlagName = "overwrite-dns"
+	TunnelTokenFileFlag     = "token-file"
 	overwriteDNSFlagName    = "overwrite-dns"
 	noDiagLogsFlagName      = "no-diag-logs"
 	noDiagMetricsFlagName   = "no-diag-metrics"
 	noDiagSystemFlagName    = "no-diag-system"
 	noDiagRuntimeFlagName   = "no-diag-runtime"
 	noDiagNetworkFlagName   = "no-diag-network"
 	diagContainerIDFlagName = "diag-container-id"
 	diagPodFlagName         = "diag-pod-id"
 	LogFieldTunnelID = "tunnelID"
 )
@ -47,7 +61,7 @@ var (
 		Usage:   "Include deleted tunnels in the list",
 	}
 	listNameFlag = &cli.StringFlag{
-		Name:    "name",
+		Name:    flags.Name,
 		Aliases: []string{"n"},
 		Usage:   "List tunnels with the given `NAME`",
 	}
@ -95,7 +109,7 @@ var (
 		EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
 	}
 	featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-		Name:    "features",
+		Name:    flags.Features,
 		Aliases: []string{"F"},
 		Usage:   "Opt into various features that are still being developed or tested.",
 	})
@ -113,18 +127,23 @@ var (
 	})
 	tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFlag,
-		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence.",
+		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence. Also takes precedence over token-file",
 		EnvVars: []string{"TUNNEL_TOKEN"},
 	})
 	tunnelTokenFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFileFlag,
 		Usage:   "Filepath at which to read the tunnel token. When provided along with credentials, this will take precedence.",
 		EnvVars: []string{"TUNNEL_TOKEN_FILE"},
 	})
 	forceDeleteFlag = &cli.BoolFlag{
-		Name:    "force",
+		Name:    flags.Force,
 		Aliases: []string{"f"},
 		Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." +
 			" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.",
 		EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
 	}
 	selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
-		Name:    "protocol",
+		Name:    flags.Protocol,
 		Value:   connection.AutoSelectFlag,
 		Aliases: []string{"p"},
 		Usage:   fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
@ -132,11 +151,11 @@ var (
 		Hidden:  true,
 	})
 	postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
-		Name:    "post-quantum",
+		Name:    flags.PostQuantum,
 		Usage:   "When given creates an experimental post-quantum secure tunnel",
 		Aliases: []string{"pq"},
 		EnvVars: []string{"TUNNEL_POST_QUANTUM"},
-		Hidden:  FipsEnabled,
+		Hidden:  fips.IsFipsEnabled(),
 	})
 	sortInfoByFlag = &cli.StringFlag{
 		Name:    "sort-by",
@ -168,15 +187,65 @@ var (
 		EnvVars: []string{"TUNNEL_CREATE_SECRET"},
 	}
 	icmpv4SrcFlag = &cli.StringFlag{
-		Name:    "icmpv4-src",
+		Name:    flags.ICMPV4Src,
 		Usage:   "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.",
 		EnvVars: []string{"TUNNEL_ICMPV4_SRC"},
 	}
 	icmpv6SrcFlag = &cli.StringFlag{
-		Name:    "icmpv6-src",
+		Name:    flags.ICMPV6Src,
 		Usage:   "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.",
 		EnvVars: []string{"TUNNEL_ICMPV6_SRC"},
 	}
 	metricsFlag = &cli.StringFlag{
 		Name:  flags.Metrics,
 		Usage: "The metrics server address i.e.: 127.0.0.1:12345. If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.",
 		Value: "",
 	}
 	diagContainerFlag = &cli.StringFlag{
 		Name:  diagContainerIDFlagName,
 		Usage: "Container ID or Name to collect logs from",
 		Value: "",
 	}
 	diagPodFlag = &cli.StringFlag{
 		Name:  diagPodFlagName,
 		Usage: "Kubernetes POD to collect logs from",
 		Value: "",
 	}
 	noDiagLogsFlag = &cli.BoolFlag{
 		Name:  noDiagLogsFlagName,
 		Usage: "Log collection will not be performed",
 		Value: false,
 	}
 	noDiagMetricsFlag = &cli.BoolFlag{
 		Name:  noDiagMetricsFlagName,
 		Usage: "Metric collection will not be performed",
 		Value: false,
 	}
 	noDiagSystemFlag = &cli.BoolFlag{
 		Name:  noDiagSystemFlagName,
 		Usage: "System information collection will not be performed",
 		Value: false,
 	}
 	noDiagRuntimeFlag = &cli.BoolFlag{
 		Name:  noDiagRuntimeFlagName,
 		Usage: "Runtime information collection will not be performed",
 		Value: false,
 	}
 	noDiagNetworkFlag = &cli.BoolFlag{
 		Name:  noDiagNetworkFlagName,
 		Usage: "Network diagnostics won't be performed",
 		Value: false,
 	}
 	maxActiveFlowsFlag = &cli.Uint64Flag{
 		Name:    flags.MaxActiveFlows,
 		Usage:   "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
 		EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
 	}
 	dnsResolverAddrsFlag = &cli.StringSliceFlag{
 		Name:    flags.VirtualDNSServiceResolverAddresses,
 		Usage:   "Overrides the dynamic DNS resolver resolution to use these address:port's instead.",
 		EnvVars: []string{"TUNNEL_DNS_RESOLVER_ADDRS"},
 	}
 )
 func buildCreateCommand() *cli.Command {
@ -279,7 +348,7 @@ func listCommand(c *cli.Context) error {
 	if !c.Bool("show-deleted") {
 		filter.NoDeleted()
 	}
-	if name := c.String("name"); name != "" {
+	if name := c.String(flags.Name); name != "" {
 		filter.ByName(name)
 	}
 	if namePrefix := c.String("name-prefix"); namePrefix != "" {
@ -373,7 +442,6 @@ func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected
 }
 func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {
 	// Count connections per colo
 	numConnsPerColo := make(map[string]uint, len(connections))
 	for _, connection := range connections {
@ -390,13 +458,51 @@ func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected boo
 	sort.Strings(sortedColos)
 	// Map each colo to its frequency, combine into output string.
-	var output []string
+	output := make([]string, 0, len(sortedColos))
 	for _, coloName := range sortedColos {
 		output = append(output, fmt.Sprintf("%dx%s", numConnsPerColo[coloName], coloName))
 	}
 	return strings.Join(output, ", ")
 }
 func buildReadyCommand() *cli.Command {
 	return &cli.Command{
 		Name:               "ready",
 		Action:             cliutil.ConfiguredAction(readyCommand),
 		Usage:              "Call /ready endpoint and return proper exit code",
 		UsageText:          "cloudflared tunnel [tunnel command options] ready [subcommand options]",
 		Description:        "cloudflared tunnel ready will return proper exit code based on the /ready endpoint",
 		Flags:              []cli.Flag{},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func readyCommand(c *cli.Context) error {
 	metricsOpts := c.String(flags.Metrics)
 	if !c.IsSet(flags.Metrics) {
 		return errors.New("--metrics has to be provided")
 	}
 	requestURL := fmt.Sprintf("http://%s/ready", metricsOpts)
 	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
 	if err != nil {
 		return err
 	}
 	res, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != 200 {
 		body, err := io.ReadAll(res.Body)
 		if err != nil {
 			return err
 		}
 		return fmt.Errorf("http://%s/ready endpoint returned status code %d\n%s", metricsOpts, res.StatusCode, body)
 	}
 	return nil
 }
 func buildInfoCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "info",
@ -613,8 +719,11 @@ func buildRunCommand() *cli.Command {
 		selectProtocolFlag,
 		featuresFlag,
 		tunnelTokenFlag,
 		tunnelTokenFileFlag,
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
 		maxActiveFlowsFlag,
 		dnsResolverAddrsFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
@ -652,12 +761,22 @@ func runCommand(c *cli.Context) error {
 			"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
 	}
 	tokenStr := c.String(TunnelTokenFlag)
 	// Check if tokenStr is blank before checking for tokenFile
 	if tokenStr == "" {
 		if tokenFile := c.String(TunnelTokenFileFlag); tokenFile != "" {
 			data, err := os.ReadFile(tokenFile)
 			if err != nil {
 				return cliutil.UsageError("Failed to read token file: %s", err.Error())
 			}
 			tokenStr = strings.TrimSpace(string(data))
 		}
 	}
 	// Check if token is provided and if not use default tunnelID flag method
-	if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
+	if tokenStr != "" {
 		if token, err := ParseToken(tokenStr); err == nil {
 			return sc.runWithCredentials(token.Credentials())
 		}
 		return cliutil.UsageError("Provided Tunnel token is not valid.")
 	} else {
 		tunnelRef := c.Args().First()
@ -862,8 +981,10 @@ func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
 	return cfapi.NewLBRoute(lbName, lbPool), nil
 }
-var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+var (
-var hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+	nameRegex     = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
 	hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
 )
 func validateName(s string, allowWildcardSubdomain bool) bool {
 	if allowWildcardSubdomain {
@ -951,3 +1072,78 @@ SUBCOMMAND OPTIONS:
 `
 	return fmt.Sprintf(template, parentFlagsHelp)
 }
 func buildDiagCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "diag",
 		Action:      cliutil.ConfiguredAction(diagCommand),
 		Usage:       "Creates a diagnostic report from a local cloudflared instance",
 		UsageText:   "cloudflared tunnel [tunnel command options] diag [subcommand options]",
 		Description: "cloudflared tunnel diag will create a diagnostic report of a local cloudflared instance. The diagnostic procedure collects: logs, metrics, system information, traceroute to Cloudflare Edge, and runtime information. Since there may be multiple instances of cloudflared running the --metrics option may be provided to target a specific instance.",
 		Flags: []cli.Flag{
 			metricsFlag,
 			diagContainerFlag,
 			diagPodFlag,
 			noDiagLogsFlag,
 			noDiagMetricsFlag,
 			noDiagSystemFlag,
 			noDiagRuntimeFlag,
 			noDiagNetworkFlag,
 		},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func diagCommand(ctx *cli.Context) error {
 	sctx, err := newSubcommandContext(ctx)
 	if err != nil {
 		return err
 	}
 	log := sctx.log
 	options := diagnostic.Options{
 		KnownAddresses: metrics.GetMetricsKnownAddresses(metrics.Runtime),
 		Address:        sctx.c.String(flags.Metrics),
 		ContainerID:    sctx.c.String(diagContainerIDFlagName),
 		PodID:          sctx.c.String(diagPodFlagName),
 		Toggles: diagnostic.Toggles{
 			NoDiagLogs:    sctx.c.Bool(noDiagLogsFlagName),
 			NoDiagMetrics: sctx.c.Bool(noDiagMetricsFlagName),
 			NoDiagSystem:  sctx.c.Bool(noDiagSystemFlagName),
 			NoDiagRuntime: sctx.c.Bool(noDiagRuntimeFlagName),
 			NoDiagNetwork: sctx.c.Bool(noDiagNetworkFlagName),
 		},
 	}
 	if options.Address == "" {
 		log.Info().Msg("If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.")
 	}
 	states, err := diagnostic.RunDiagnostic(log, options)
 	if errors.Is(err, diagnostic.ErrMetricsServerNotFound) {
 		log.Warn().Msg("No instances found")
 		return nil
 	}
 	if errors.Is(err, diagnostic.ErrMultipleMetricsServerFound) {
 		if states != nil {
 			log.Info().Msgf("Found multiple instances running:")
 			for _, state := range states {
 				log.Info().Msgf("Instance: tunnel-id=%s connector-id=%s metrics-address=%s", state.TunnelID, state.ConnectorID, state.URL.String())
 			}
 			log.Info().Msgf("To select one instance use the option --metrics")
 		}
 		return nil
 	}
 	if errors.Is(err, diagnostic.ErrLogConfigurationIsInvalid) {
 		log.Info().Msg("Couldn't extract logs from the instance. If the instance is running in a containerized environment use the option --diag-container-id or --diag-pod-id. If there is no logging configuration use --no-diag-logs.")
 	}
 	if err != nil {
 		log.Warn().Msg("Diagnostic completed with one or more errors")
 	} else {
 		log.Info().Msg("Diagnostic completed")
 	}
 	return nil
 }
--- a/cmd/cloudflared/tunnel/teamnet_subcommands.go
+++ b/cmd/cloudflared/tunnel/teamnet_subcommands.go
@ -22,7 +22,7 @@ var (
 		Usage:   "The ID or name of the virtual network to which the route is associated to.",
 	}
-	routeAddError = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
+	errAddRoute = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
 )
 func buildRouteIPSubcommand() *cli.Command {
@ -32,7 +32,7 @@ func buildRouteIPSubcommand() *cli.Command {
 		UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
 		Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
 your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
-client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
+client. You can then configure L7/L4 filtering on https://one.dash.cloudflare.com to
 determine who can reach certain routes.
 By default IP routes all exist within a single virtual network. If you use the same IP
 space(s) in different physical private networks, all meant to be reachable via IP routes,
@ -187,7 +187,7 @@ func deleteRouteCommand(c *cli.Context) error {
 	}
 	if c.NArg() != 1 {
-		return routeAddError
+		return errAddRoute
 	}
 	var routeId uuid.UUID
@ -195,7 +195,7 @@ func deleteRouteCommand(c *cli.Context) error {
 	if err != nil {
 		_, network, err := net.ParseCIDR(c.Args().First())
 		if err != nil || network == nil {
-			return routeAddError
+			return errAddRoute
 		}
 		var vnetId *uuid.UUID
--- a/cmd/cloudflared/updater/update.go
+++ b/cmd/cloudflared/updater/update.go
@ -14,13 +14,15 @@ import (
 	"github.com/urfave/cli/v2"
 	"golang.org/x/term"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
 const (
 	DefaultCheckUpdateFreq        = time.Hour * 24
-	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/"
+	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/"
 	noUpdateOnWindowsMessage      = "cloudflared will not automatically update on Windows systems."
 	noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager."
 	isManagedInstallFile          = ".installedFromPackageManager"
@ -31,12 +33,13 @@ const (
 )
 var (
-	version                string
+	buildInfo              *cliutil.BuildInfo
 	BuiltForPackageManager = ""
 )
 // BinaryUpdated implements ExitCoder interface, the app will exit with status code 11
 // https://pkg.go.dev/github.com/urfave/cli/v2?tab=doc#ExitCoder
 // nolint: errname
 type statusSuccess struct {
 	newVersion string
 }
@ -49,16 +52,16 @@ func (u *statusSuccess) ExitCode() int {
 	return 11
 }
-// UpdateErr implements ExitCoder interface, the app will exit with status code 10
+// statusError implements ExitCoder interface, the app will exit with status code 10
-type statusErr struct {
+type statusError struct {
 	err error
 }
-func (e *statusErr) Error() string {
+func (e *statusError) Error() string {
 	return fmt.Sprintf("failed to update cloudflared: %v", e.err)
 }
-func (e *statusErr) ExitCode() int {
+func (e *statusError) ExitCode() int {
 	return 10
 }
@ -78,11 +81,11 @@ type UpdateOutcome struct {
 }
 func (uo *UpdateOutcome) noUpdate() bool {
-	return uo.Error == nil && uo.Updated == false
+	return uo.Error == nil && !uo.Updated
 }
-func Init(v string) {
+func Init(info *cliutil.BuildInfo) {
-	version = v
+	buildInfo = info
 }
 func CheckForUpdate(options updateOptions) (CheckResult, error) {
@ -100,11 +103,12 @@ func CheckForUpdate(options updateOptions) (CheckResult, error) {
 		cfdPath = encodeWindowsPath(cfdPath)
 	}
-	s := NewWorkersService(version, url, cfdPath, Options{IsBeta: options.isBeta,
+	s := NewWorkersService(buildInfo.CloudflaredVersion, url, cfdPath, Options{IsBeta: options.isBeta,
 		IsForced: options.isForced, RequestedVersion: options.intendedVersion})
 	return s.Check()
 }
 func encodeWindowsPath(path string) string {
 	// We do this because Windows allows spaces in directories such as
 	// Program Files but does not allow these directories to be spaced in batch files.
@ -151,7 +155,7 @@ func Update(c *cli.Context) error {
 		log.Info().Msg("cloudflared is set to update from staging")
 	}
-	isForced := c.Bool("force")
+	isForced := c.Bool(cfdflags.Force)
 	if isForced {
 		log.Info().Msg("cloudflared is set to upgrade to the latest publish version regardless of the current version")
 	}
@ -164,7 +168,7 @@ func Update(c *cli.Context) error {
 		intendedVersion: c.String("version"),
 	})
 	if updateOutcome.Error != nil {
-		return &statusErr{updateOutcome.Error}
+		return &statusError{updateOutcome.Error}
 	}
 	if updateOutcome.noUpdate() {
@ -196,10 +200,9 @@ func loggedUpdate(log *zerolog.Logger, options updateOptions) UpdateOutcome {
 // AutoUpdater periodically checks for new version of cloudflared.
 type AutoUpdater struct {
-	configurable     *configurable
+	configurable *configurable
-	listeners        *gracenet.Net
+	listeners    *gracenet.Net
-	updateConfigChan chan *configurable
+	log          *zerolog.Logger
 	log              *zerolog.Logger
 }
 // AutoUpdaterConfigurable is the attributes of AutoUpdater that can be reconfigured during runtime
@ -210,10 +213,9 @@ type configurable struct {
 func NewAutoUpdater(updateDisabled bool, freq time.Duration, listeners *gracenet.Net, log *zerolog.Logger) *AutoUpdater {
 	return &AutoUpdater{
-		configurable:     createUpdateConfig(updateDisabled, freq, log),
+		configurable: createUpdateConfig(updateDisabled, freq, log),
-		listeners:        listeners,
+		listeners:    listeners,
-		updateConfigChan: make(chan *configurable),
+		log:          log,
 		log:              log,
 	}
 }
@ -232,19 +234,27 @@ func createUpdateConfig(updateDisabled bool, freq time.Duration, log *zerolog.Lo
 	}
 }
 // Run will perodically check for cloudflared updates, download them, and then restart the current cloudflared process
 // to use the new version. It delays the first update check by the configured frequency as to not attempt a
 // download immediately and restart after starting (in the case that there is an upgrade available).
 func (a *AutoUpdater) Run(ctx context.Context) error {
 	ticker := time.NewTicker(a.configurable.freq)
 	for {
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-ticker.C:
 		}
 		updateOutcome := loggedUpdate(a.log, updateOptions{updateDisabled: !a.configurable.enabled})
 		if updateOutcome.Updated {
-			Init(updateOutcome.Version)
+			buildInfo.CloudflaredVersion = updateOutcome.Version
 			if IsSysV() {
 				// SysV doesn't have a mechanism to keep service alive, we have to restart the process
 				a.log.Info().Msg("Restarting service managed by SysV...")
 				pid, err := a.listeners.StartProcess()
 				if err != nil {
 					a.log.Err(err).Msg("Unable to restart server automatically")
-					return &statusErr{err: err}
+					return &statusError{err: err}
 				}
 				// stop old process after autoupdate. Otherwise we create a new process
 				// after each update
@ -254,25 +264,9 @@ func (a *AutoUpdater) Run(ctx context.Context) error {
 		} else if updateOutcome.UserMessage != "" {
 			a.log.Warn().Msg(updateOutcome.UserMessage)
 		}
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case newConfigurable := <-a.updateConfigChan:
 			ticker.Stop()
 			a.configurable = newConfigurable
 			ticker = time.NewTicker(a.configurable.freq)
 			// Check if there is new version of cloudflared after receiving new AutoUpdaterConfigurable
 		case <-ticker.C:
 		}
 	}
 }
 // Update is the method to pass new AutoUpdaterConfigurable to a running AutoUpdater. It is safe to be called concurrently
 func (a *AutoUpdater) Update(updateDisabled bool, newFreq time.Duration) {
 	a.updateConfigChan <- createUpdateConfig(updateDisabled, newFreq, a.log)
 }
 func isAutoupdateEnabled(log *zerolog.Logger, updateDisabled bool, updateFreq time.Duration) bool {
 	if !supportAutoUpdate(log) {
 		return false
--- a/cmd/cloudflared/updater/update_test.go
+++ b/cmd/cloudflared/updater/update_test.go
@ -9,8 +9,14 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 func init() {
 	Init(cliutil.GetBuildInfo("TEST", "TEST"))
 }
 func TestDisabledAutoUpdater(t *testing.T) {
 	listeners := &gracenet.Net{}
 	log := zerolog.Nop()
--- a/cmd/cloudflared/updater/workers_service.go
+++ b/cmd/cloudflared/updater/workers_service.go
@ -3,6 +3,7 @@ package updater
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"runtime"
 )
@ -79,6 +80,10 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != 200 {
 		return nil, fmt.Errorf("unable to check for update: %d", resp.StatusCode)
 	}
 	var v VersionResponse
 	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
 		return nil, err
--- a/cmd/cloudflared/updater/workers_update.go
+++ b/cmd/cloudflared/updater/workers_update.go
@ -3,7 +3,6 @@ package updater
 import (
 	"archive/tar"
 	"compress/gzip"
 	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
@ -11,11 +10,15 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"text/template"
 	"time"
 	"github.com/getsentry/sentry-go"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 const (
@ -27,9 +30,9 @@ const (
 	// start the service
 	// exit with code 0 if we've reached this point indicating success.
 	windowsUpdateCommandTemplate = `sc stop cloudflared >nul 2>&1
 del "{{.OldPath}}"
 rename "{{.TargetPath}}" {{.OldName}}
 rename "{{.NewPath}}" {{.BinaryName}}
 del "{{.OldPath}}"
 sc start cloudflared >nul 2>&1
 exit /b 0`
 	batchFileName = "cfd_update.bat"
@ -86,8 +89,25 @@ func (v *WorkersVersion) Apply() error {
 		return err
 	}
-	// check that the file is what is expected
+	downloadSum, err := cliutil.FileChecksum(newFilePath)
-	if err := isValidChecksum(v.checksum, newFilePath); err != nil {
+	if err != nil {
 		return err
 	}
 	// Check that the file downloaded matches what is expected.
 	if v.checksum != downloadSum {
 		return errors.New("checksum validation failed")
 	}
 	// Check if the currently running version has the same checksum
 	if downloadSum == buildInfo.Checksum {
 		// Currently running binary matches the downloaded binary so we have no reason to update. This is
 		// typically unexpected, as such we emit a sentry event.
 		localHub := sentry.CurrentHub().Clone()
 		err := errors.New("checksum validation matches currently running process")
 		localHub.CaptureException(err)
 		// Make sure to cleanup the new downloaded file since we aren't upgrading versions.
 		os.Remove(newFilePath)
 		return err
 	}
@ -114,7 +134,7 @@ func (v *WorkersVersion) Apply() error {
 	if err := os.Rename(newFilePath, v.targetPath); err != nil {
 		//attempt rollback
-		os.Rename(oldFilePath, v.targetPath)
+		_ = os.Rename(oldFilePath, v.targetPath)
 		return err
 	}
 	os.Remove(oldFilePath)
@ -161,7 +181,7 @@ func download(url, filepath string, isCompressed bool) error {
 		tr := tar.NewReader(gr)
 		// advance the reader pass the header, which will be the single binary file
-		tr.Next()
+		_, _ = tr.Next()
 		r = tr
 	}
@ -178,7 +198,7 @@ func download(url, filepath string, isCompressed bool) error {
 // isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped
 func isCompressedFile(urlstring string) bool {
-	if strings.HasSuffix(urlstring, ".tgz") {
+	if path.Ext(urlstring) == ".tgz" {
 		return true
 	}
@ -186,28 +206,7 @@ func isCompressedFile(urlstring string) bool {
 	if err != nil {
 		return false
 	}
-	return strings.HasSuffix(u.Path, ".tgz")
+	return path.Ext(u.Path) == ".tgz"
 }
 // checks if the checksum in the json response matches the checksum of the file download
 func isValidChecksum(checksum, filePath string) error {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return err
 	}
 	hash := fmt.Sprintf("%x", h.Sum(nil))
 	if checksum != hash {
 		return errors.New("checksum validation failed")
 	}
 	return nil
 }
 // writeBatchFile writes a batch file out to disk
@ -250,7 +249,6 @@ func runWindowsBatch(batchFile string) error {
 		if exitError, ok := err.(*exec.ExitError); ok {
 			return fmt.Errorf("Error during update : %s;", string(exitError.Stderr))
 		}
 	}
 	return err
 }
--- a/cmd/cloudflared/windows_service.go
+++ b/cmd/cloudflared/windows_service.go
@ -26,7 +26,7 @@ import (
 const (
 	windowsServiceName        = "Cloudflared"
 	windowsServiceDescription = "Cloudflared agent"
-	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/windows/"
+	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/windows/"
 	recoverActionDelay      = time.Second * 20
 	failureCountResetPeriod = time.Hour * 24
@ -190,7 +190,7 @@ func installWindowsService(c *cli.Context) error {
 	log := zeroLogger.With().Str(LogFieldWindowsServiceName, windowsServiceName).Logger()
 	if err == nil {
 		s.Close()
-		return fmt.Errorf(serviceAlreadyExistsWarn(windowsServiceName))
+		return errors.New(serviceAlreadyExistsWarn(windowsServiceName))
 	}
 	extraArgs, err := getServiceExtraArgsFromCliArgs(c, &log)
 	if err != nil {
@ -238,7 +238,7 @@ func uninstallWindowsService(c *cli.Context) error {
 	defer m.Disconnect()
 	s, err := m.OpenService(windowsServiceName)
 	if err != nil {
-		return fmt.Errorf("Agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
+		return fmt.Errorf("agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
 	}
 	defer s.Close()
--- a/component-tests/README.md
+++ b/component-tests/README.md
@ -1,9 +1,9 @@
 # Requirements
-1. Python 3.7 or later with packages in the given `requirements.txt`
+1. Python 3.10 or later with packages in the given `requirements.txt`
-   - E.g. with conda:
+   - E.g. with venv:
-   - `conda create -n component-tests python=3.7`  
+   - `python3 -m venv ./.venv`  
-   - `conda activate component-tests`
+   - `source ./.venv/bin/activate`
-   - `pip3 install -r requirements.txt`
+   - `python3 -m pip install -r requirements.txt`
 2. Create a config yaml file, for example:
 ```
--- a/component-tests/test_management.py
+++ b/component-tests/test_management.py
@ -107,7 +107,13 @@ class TestManagement:
            assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def send_request(url, headers={}):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
        if resp.status_code == 530:
            LOGGER.debug(f"Received 530 status, retrying request to {url}")
            raise Exception(f"Received 530 status code from {url}")
        return resp
--- a/component-tests/test_pq.py
+++ b/component-tests/test_pq.py
@ -1,7 +1,6 @@
-from util import LOGGER, nofips, start_cloudflared, wait_tunnel_ready
+from util import LOGGER, start_cloudflared, wait_tunnel_ready
@nofips
 class TestPostQuantum:
    def _extra_config(self):
        config = {
@ -12,6 +11,11 @@ class TestPostQuantum:
    def test_post_quantum(self, tmp_path, component_tests_config):
        config = component_tests_config(self._extra_config())
        LOGGER.debug(config)
-        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run", "--post-quantum"], new_process=True):
+        with start_cloudflared(
-            wait_tunnel_ready(tunnel_url=config.get_url(),
+            tmp_path,
-                              require_min_connections=1)
+            config,
            cfd_pre_args=["tunnel", "--ha-connections", "1"],
            cfd_args=["run", "--post-quantum"],
            new_process=True,
        ):
            wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
--- a/component-tests/test_service.py
+++ b/component-tests/test_service.py
@ -9,7 +9,7 @@ import pytest
 import test_logging
 from conftest import CfdModes
-from util import select_platform, start_cloudflared, wait_tunnel_ready, write_config
+from util import select_platform, skip_on_ci, start_cloudflared, wait_tunnel_ready, write_config
 def default_config_dir():
@ -82,6 +82,7 @@ class TestServiceMode:
        os.remove(default_config_file())
        self.launchctl_cmd("list", success=False)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
@ -98,6 +99,7 @@ class TestServiceMode:
        self.sysv_service_scenario(config, tmp_path, assert_log_file)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
@ -116,6 +118,7 @@ class TestServiceMode:
        self.sysv_service_scenario(config, tmp_path, assert_rotating_log)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
--- a/component-tests/test_termination.py
+++ b/component-tests/test_termination.py
@ -45,9 +45,10 @@ class TestTermination:
            with connected:
                connected.wait(self.timeout)
            # Send signal after the SSE connection is established
-            self.terminate_by_signal(cloudflared, signal)
+            with self.within_grace_period():
-            self.wait_eyeball_thread(
+                self.terminate_by_signal(cloudflared, signal)
-                in_flight_req, self.grace_period + self.timeout)
+                self.wait_eyeball_thread(
                    in_flight_req, self.grace_period + self.timeout)
    # test cloudflared terminates before grace period expires when all eyeball
    # connections are drained
@ -66,7 +67,7 @@ class TestTermination:
            with connected:
                connected.wait(self.timeout)
-            with self.within_grace_period():
+            with self.within_grace_period(has_connection=False):
                # Send signal after the SSE connection is established
                self.terminate_by_signal(cloudflared, signal)
                self.wait_eyeball_thread(in_flight_req, self.grace_period)
@ -78,7 +79,7 @@ class TestTermination:
        with start_cloudflared(
                tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True, capture_output=False) as cloudflared:
            wait_tunnel_ready(tunnel_url=config.get_url())
-            with self.within_grace_period():
+            with self.within_grace_period(has_connection=False):
                self.terminate_by_signal(cloudflared, signal)
    def terminate_by_signal(self, cloudflared, sig):
@ -92,13 +93,21 @@ class TestTermination:
    # Using this context asserts logic within the context is executed within grace period
    @contextmanager
-    def within_grace_period(self):
+    def within_grace_period(self, has_connection=True):
        try:
            start = time.time()
            yield
        finally:
            # If the request takes longer than the grace period then we need to wait at most the grace period.
            # If the request fell within the grace period cloudflared can close earlier, but to ensure that it doesn't
            # close immediately we add a minimum boundary. If cloudflared shutdown in less than 1s it's likely that
            # it shutdown as soon as it received SIGINT. The only way cloudflared can close immediately is if it has no
            # in-flight requests
            minimum = 1 if has_connection else 0
            duration = time.time() - start
-            assert duration < self.grace_period
+            # Here we truncate to ensure that we don't fail on minute differences like 10.1 instead of 10
            assert minimum <= int(duration) <= self.grace_period
    def stream_request(self, config, connected, early_terminate):
        expected_terminate_message = "502 Bad Gateway"
--- a/component-tests/test_token.py
+++ b/component-tests/test_token.py
@ -1,7 +1,7 @@
 import base64
 import json
-from setup import get_config_from_file, persist_origin_cert
+from setup import get_config_from_file
 from util import start_cloudflared
--- a/component-tests/test_tunnel.py
+++ b/component-tests/test_tunnel.py
@ -33,13 +33,20 @@ class TestTunnel:
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
-            resp = send_request(config.get_url()+"/")
+            expected_status_code = 503
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/", expected_status_code)
-            resp = send_request(config.get_url()+"/test")
+            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/test", expected_status_code)
            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
 def retry_if_result_none(result):
    '''
    Returns True if the result is None, indicating that the function should be retried.
    '''
    return result is None
-@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
+@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
-def send_request(url, headers={}):
+def send_request(url, expected_status_code=200):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS)
        return resp if resp.status_code == expected_status_code else None
--- a/component-tests/util.py
+++ b/component-tests/util.py
@ -10,7 +10,6 @@ import pytest
 import requests
 import yaml
 import json
 from retrying import retry
 from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
@ -35,6 +34,12 @@ def fips_enabled():
 nofips = pytest.mark.skipif(
        fips_enabled(), reason=f"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)")
 def skip_on_ci(reason):
    env_ci = os.getenv("CI")
    running_in_ci = env_ci is not None and env_ci != "0"
    return pytest.mark.skipif(
        running_in_ci, reason=f"This test can't run on CI due to: {reason}")
 def write_config(directory, config):
    config_path = directory / "config.yml"
    with open(config_path, 'w') as outfile:
@ -111,6 +116,7 @@ def inner_wait_tunnel_ready(tunnel_url=None, require_min_connections=1):
    metrics_url = f'http://localhost:{METRICS_PORT}/ready'
    with requests.Session() as s:
        LOGGER.debug("Waiting for tunnel to be ready...")
        resp = send_request(s, metrics_url, True)
        ready_connections = resp.json()["readyConnections"]
--- a/config/configuration.go
+++ b/config/configuration.go
@ -155,7 +155,7 @@ func FindOrCreateConfigPath() string {
 // i.e. it fails if a user specifies both --url and --unix-socket
 func ValidateUnixSocket(c *cli.Context) (string, error) {
 	if c.IsSet("unix-socket") && (c.IsSet("url") || c.NArg() > 0) {
-		return "", errors.New("--unix-socket must be used exclusivly.")
+		return "", errors.New("--unix-socket must be used exclusively.")
 	}
 	return c.String("unix-socket"), nil
 }
@ -242,6 +242,8 @@ type AccessConfig struct {
 	// AudTag is the AudTag to verify access JWT against.
 	AudTag []string `yaml:"audTag" json:"audTag"`
 	Environment string `yaml:"environment" json:"environment,omitempty"`
 }
 type IngressIPRule struct {
@ -260,6 +262,7 @@ type Configuration struct {
 type WarpRoutingConfig struct {
 	ConnectTimeout *CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"`
 	MaxActiveFlows *uint64         `yaml:"maxActiveFlows" json:"maxActiveFlows,omitempty"`
 	TCPKeepAlive   *CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"`
 }
--- a/config/model.go
+++ b/config/model.go
@ -1,7 +1,7 @@
 package config
 import (
-	"crypto/md5"
+	"crypto/sha256"
 	"fmt"
 	"io"
 	"strings"
@ -16,6 +16,7 @@ type Forwarder struct {
 	TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
 	TokenSecret   string `json:"secret_token_id" yaml:"serviceTokenSecret"`
 	Destination   string `json:"destination"`
 	IsFedramp     bool   `json:"is_fedramp" yaml:"isFedramp"`
 }
 // Tunnel represents a tunnel that should be started
@ -46,24 +47,24 @@ type Root struct {
 // Hash returns the computed values to see if the forwarder values change
 func (f *Forwarder) Hash() string {
-	h := md5.New()
+	h := sha256.New()
-	io.WriteString(h, f.URL)
+	_, _ = io.WriteString(h, f.URL)
-	io.WriteString(h, f.Listener)
+	_, _ = io.WriteString(h, f.Listener)
-	io.WriteString(h, f.TokenClientID)
+	_, _ = io.WriteString(h, f.TokenClientID)
-	io.WriteString(h, f.TokenSecret)
+	_, _ = io.WriteString(h, f.TokenSecret)
-	io.WriteString(h, f.Destination)
+	_, _ = io.WriteString(h, f.Destination)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
 // Hash returns the computed values to see if the forwarder values change
 func (r *DNSResolver) Hash() string {
-	h := md5.New()
+	h := sha256.New()
-	io.WriteString(h, r.Address)
+	_, _ = io.WriteString(h, r.Address)
-	io.WriteString(h, strings.Join(r.Bootstraps, ","))
+	_, _ = io.WriteString(h, strings.Join(r.Bootstraps, ","))
-	io.WriteString(h, strings.Join(r.Upstreams, ","))
+	_, _ = io.WriteString(h, strings.Join(r.Upstreams, ","))
-	io.WriteString(h, fmt.Sprintf("%d", r.Port))
+	_, _ = io.WriteString(h, fmt.Sprintf("%d", r.Port))
-	io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
+	_, _ = io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
-	io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
+	_, _ = io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
--- a/connection/connection.go
+++ b/connection/connection.go
@ -26,16 +26,29 @@ const (
 	MaxGracePeriod         = time.Minute * 3
 	MaxConcurrentStreams   = math.MaxUint32
-	contentTypeHeader = "content-type"
+	contentTypeHeader      = "content-type"
-	sseContentType    = "text/event-stream"
+	contentLengthHeader    = "content-length"
-	grpcContentType   = "application/grpc"
+	transferEncodingHeader = "transfer-encoding"
 	sseContentType     = "text/event-stream"
 	grpcContentType    = "application/grpc"
 	sseJsonContentType = "application/x-ndjson"
 	chunkTransferEncoding = "chunked"
 )
 var (
 	switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))
-	flushableContentTypes = []string{sseContentType, grpcContentType}
+	flushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType}
 )
 // TunnelConnection represents the connection to the edge.
 // The Serve method is provided to allow clients to handle any errors from the connection encountered during
 // processing of the connection. Cancelling of the context provided to Serve will close the connection.
 type TunnelConnection interface {
 	Serve(ctx context.Context) error
 }
 type Orchestrator interface {
 	UpdateConfig(version int32, config []byte) *pogs.UpdateConfigurationResponse
 	GetConfigJSON() ([]byte, error)
@ -44,7 +57,6 @@ type Orchestrator interface {
 type TunnelProperties struct {
 	Credentials    Credentials
 	Client         pogs.ClientInfo
 	QuickTunnelUrl string
 }
@ -53,6 +65,7 @@ type Credentials struct {
 	AccountTag   string
 	TunnelSecret []byte
 	TunnelID     uuid.UUID
 	Endpoint     string
 }
 func (c *Credentials) Auth() pogs.TunnelAuth {
@ -67,13 +80,16 @@ type TunnelToken struct {
 	AccountTag   string    `json:"a"`
 	TunnelSecret []byte    `json:"s"`
 	TunnelID     uuid.UUID `json:"t"`
 	Endpoint     string    `json:"e,omitempty"`
 }
 func (t TunnelToken) Credentials() Credentials {
 	// nolint: gosimple
 	return Credentials{
 		AccountTag:   t.AccountTag,
 		TunnelSecret: t.TunnelSecret,
 		TunnelID:     t.TunnelID,
 		Endpoint:     t.Endpoint,
 	}
 }
@ -263,6 +279,22 @@ type ConnectedFuse interface {
 // Helper method to let the caller know what content-types should require a flush on every
 // write to a ResponseWriter.
 func shouldFlush(headers http.Header) bool {
 	// When doing Server Side Events (SSE), some frameworks don't respect the `Content-Type` header.
 	// Therefore, we need to rely on other ways to know whether we should flush on write or not. A good
 	// approach is to assume that responses without `Content-Length` or with `Transfer-Encoding: chunked`
 	// are streams, and therefore, should be flushed right away to the eyeball.
 	// References:
 	// - https://datatracker.ietf.org/doc/html/rfc7230#section-4.1
 	// - https://datatracker.ietf.org/doc/html/rfc9112#section-6.1
 	if contentLength := headers.Get(contentLengthHeader); contentLength == "" {
 		return true
 	}
 	if transferEncoding := headers.Get(transferEncodingHeader); transferEncoding != "" {
 		transferEncoding = strings.ToLower(transferEncoding)
 		if strings.Contains(transferEncoding, chunkTransferEncoding) {
 			return true
 		}
 	}
 	if contentType := headers.Get(contentTypeHeader); contentType != "" {
 		contentType = strings.ToLower(contentType)
 		for _, c := range flushableContentTypes {
@ -271,7 +303,6 @@ func shouldFlush(headers http.Header) bool {
 			}
 		}
 	}
 	return false
 }
--- a/connection/connection_test.go
+++ b/connection/connection_test.go
@ -2,13 +2,19 @@ package connection
 import (
 	"context"
 	"crypto/rand"
 	"fmt"
 	"io"
-	"math/rand"
+	"math/big"
 	"net/http"
 	"testing"
 	"time"
 	pkgerrors "github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/require"
 	cfdflow "github.com/cloudflare/cloudflared/flow"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/tracing"
@ -77,7 +83,7 @@ func (moc *mockOriginProxy) ProxyHTTP(
 			return wsFlakyEndpoint(w, req)
 		default:
 			originRespEndpoint(w, http.StatusNotFound, []byte("ws endpoint not found"))
-			return fmt.Errorf("Unknwon websocket endpoint %s", req.URL.Path)
+			return fmt.Errorf("unknown websocket endpoint %s", req.URL.Path)
 		}
 	}
 	switch req.URL.Path {
@ -95,7 +101,6 @@ func (moc *mockOriginProxy) ProxyHTTP(
 		originRespEndpoint(w, http.StatusNotFound, []byte("page not found"))
 	}
 	return nil
 }
 func (moc *mockOriginProxy) ProxyTCP(
@ -103,6 +108,10 @@ func (moc *mockOriginProxy) ProxyTCP(
 	rwa ReadWriteAcker,
 	r *TCPRequest,
 ) error {
 	if r.CfTraceID == "flow-rate-limited" {
 		return pkgerrors.Wrap(cfdflow.ErrTooManyActiveFlows, "tcp flow rate limited")
 	}
 	return nil
 }
@ -178,7 +187,8 @@ func wsFlakyEndpoint(w ResponseWriter, r *http.Request) error {
 	wsConn := websocket.NewConn(wsCtx, NewHTTPResponseReadWriterAcker(w, w.(http.Flusher), r), &log)
-	closedAfter := time.Millisecond * time.Duration(rand.Intn(50))
+	rInt, _ := rand.Int(rand.Reader, big.NewInt(50))
 	closedAfter := time.Millisecond * time.Duration(rInt.Int64())
 	originConn := &flakyConn{closeAt: time.Now().Add(closedAfter)}
 	stream.Pipe(wsConn, originConn, &log)
 	cancel()
@ -201,3 +211,48 @@ func (mcf mockConnectedFuse) Connected() {}
 func (mcf mockConnectedFuse) IsConnected() bool {
 	return true
 }
 func TestShouldFlushHeaders(t *testing.T) {
 	tests := []struct {
 		headers     map[string]string
 		shouldFlush bool
 	}{
 		{
 			headers:     map[string]string{contentTypeHeader: "application/json", contentLengthHeader: "1"},
 			shouldFlush: false,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "text/html", contentLengthHeader: "1"},
 			shouldFlush: false,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "text/event-stream", contentLengthHeader: "1"},
 			shouldFlush: true,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "application/grpc", contentLengthHeader: "1"},
 			shouldFlush: true,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "application/x-ndjson", contentLengthHeader: "1"},
 			shouldFlush: true,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "application/json"},
 			shouldFlush: true,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "application/json", contentLengthHeader: "-1", transferEncodingHeader: "chunked"},
 			shouldFlush: true,
 		},
 	}
 	for _, test := range tests {
 		headers := http.Header{}
 		for k, v := range test.headers {
 			headers.Add(k, v)
 		}
 		require.Equal(t, test.shouldFlush, shouldFlush(headers))
 	}
 }
--- a/connection/control.go
+++ b/connection/control.go
@ -6,9 +6,11 @@ import (
 	"net"
 	"time"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/management"
 	"github.com/cloudflare/cloudflared/tunnelrpc"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // registerClient derives a named tunnel rpc client that can then be used to register and unregister connections.
@ -34,7 +36,7 @@ type controlStream struct {
 // ControlStreamHandler registers connections with origintunneld and initiates graceful shutdown.
 type ControlStreamHandler interface {
 	// ServeControlStream handles the control plane of the transport in the current goroutine calling this
-	ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *tunnelpogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error
+	ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *pogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error
 	// IsStopped tells whether the method above has finished
 	IsStopped() bool
 }
@ -76,11 +78,11 @@ func NewControlStream(
 func (c *controlStream) ServeControlStream(
 	ctx context.Context,
 	rw io.ReadWriteCloser,
-	connOptions *tunnelpogs.ConnectionOptions,
+	connOptions *pogs.ConnectionOptions,
 	tunnelConfigGetter TunnelConfigJSONGetter,
 ) error {
 	registrationClient := c.registerClientFunc(ctx, rw, c.registerTimeout)
-
+	c.observer.logConnecting(c.connIndex, c.edgeAddress, c.protocol)
 	registrationDetails, err := registrationClient.RegisterConnection(
 		ctx,
 		c.tunnelProperties.Credentials.Auth(),
@ -100,7 +102,7 @@ func (c *controlStream) ServeControlStream(
 	c.observer.metrics.regSuccess.WithLabelValues("registerConnection").Inc()
 	c.observer.logConnected(registrationDetails.UUID, c.connIndex, registrationDetails.Location, c.edgeAddress, c.protocol)
-	c.observer.sendConnectedEvent(c.connIndex, c.protocol, registrationDetails.Location)
+	c.observer.sendConnectedEvent(c.connIndex, c.protocol, registrationDetails.Location, c.edgeAddress)
 	c.connectedFuse.Connected()
 	// if conn index is 0 and tunnel is not remotely managed, then send local ingress rules configuration
@ -116,27 +118,32 @@ func (c *controlStream) ServeControlStream(
 		}
 	}
-	c.waitForUnregister(ctx, registrationClient)
+	return c.waitForUnregister(ctx, registrationClient)
 	return nil
 }
-func (c *controlStream) waitForUnregister(ctx context.Context, registrationClient tunnelrpc.RegistrationClient) {
+func (c *controlStream) waitForUnregister(ctx context.Context, registrationClient tunnelrpc.RegistrationClient) error {
 	// wait for connection termination or start of graceful shutdown
 	defer registrationClient.Close()
 	var shutdownError error
 	select {
 	case <-ctx.Done():
 		shutdownError = ctx.Err()
 		break
 	case <-c.gracefulShutdownC:
 		c.stoppedGracefully = true
 	}
 	c.observer.sendUnregisteringEvent(c.connIndex)
-	registrationClient.GracefulShutdown(ctx, c.gracePeriod)
+	err := registrationClient.GracefulShutdown(ctx, c.gracePeriod)
 	if err != nil {
 		return errors.Wrap(err, "Error shutting down control stream")
 	}
 	c.observer.log.Info().
 		Int(management.EventTypeKey, int(management.Cloudflared)).
 		Uint8(LogFieldConnIndex, c.connIndex).
 		IPAddr(LogFieldIPAddress, c.edgeAddress).
 		Msg("Unregistered tunnel connection")
 	return shutdownError
 }
 func (c *controlStream) IsStopped() bool {
--- a/connection/errors.go
+++ b/connection/errors.go
@ -1,8 +1,6 @@
 package connection
 import (
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/h2mux"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
@ -54,28 +52,26 @@ func serverRegistrationErrorFromRPC(err error) ServerRegisterTunnelError {
 	}
 }
-type muxerShutdownError struct{}
+type ControlStreamError struct{}
-func (e muxerShutdownError) Error() string {
+var _ error = &ControlStreamError{}
-	return "muxer shutdown"
+
 func (e *ControlStreamError) Error() string {
 	return "control stream encountered a failure while serving"
 }
-var errMuxerStopped = muxerShutdownError{}
+type StreamListenerError struct{}
-func isHandshakeErrRecoverable(err error, connIndex uint8, observer *Observer) bool {
+var _ error = &StreamListenerError{}
 	log := observer.log.With().
 		Uint8(LogFieldConnIndex, connIndex).
 		Err(err).
 		Logger()
-	switch err.(type) {
+func (e *StreamListenerError) Error() string {
-	case edgediscovery.DialError:
+	return "accept stream listener encountered a failure while serving"
-		log.Error().Msg("Connection unable to dial edge")
+}
-	case h2mux.MuxerHandshakeError:
+
-		log.Error().Msg("Connection handshake with edge server failed")
+type DatagramManagerError struct{}
-	default:
+
-		log.Error().Msg("Connection failed")
+var _ error = &DatagramManagerError{}
-		return false
+
-	}
+func (e *DatagramManagerError) Error() string {
-	return true
+	return "datagram manager encountered a failure while serving"
 }
--- a/connection/event.go
+++ b/connection/event.go
@ -1,12 +1,15 @@
 package connection
 import "net"
 // Event is something that happened to a connection, e.g. disconnection or registration.
 type Event struct {
-	Index     uint8
+	Index       uint8
-	EventType Status
+	EventType   Status
-	Location  string
+	Location    string
-	Protocol  Protocol
+	Protocol    Protocol
-	URL       string
+	URL         string
 	EdgeAddress net.IP
 }
 // Status is the status of a connection.
--- a/connection/h2mux.go
+++ b/connection/h2mux.go
@ -1,32 +0,0 @@
 package connection
 import (
 	"time"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/h2mux"
 )
 const (
 	muxerTimeout = 5 * time.Second
 )
 type MuxerConfig struct {
 	HeartbeatInterval  time.Duration
 	MaxHeartbeats      uint64
 	CompressionSetting h2mux.CompressionSetting
 	MetricsUpdateFreq  time.Duration
 }
 func (mc *MuxerConfig) H2MuxerConfig(h h2mux.MuxedStreamHandler, log *zerolog.Logger) *h2mux.MuxerConfig {
 	return &h2mux.MuxerConfig{
 		Timeout:            muxerTimeout,
 		Handler:            h,
 		IsClient:           true,
 		HeartbeatInterval:  mc.HeartbeatInterval,
 		MaxHeartbeats:      mc.MaxHeartbeats,
 		Log:                log,
 		CompressionQuality: mc.CompressionSetting,
 	}
 }
--- a/connection/h2mux_header.go
+++ b/connection/h2mux_header.go
@ -1,128 +0,0 @@
 package connection
 import (
 	"fmt"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/h2mux"
 )
 // H2RequestHeadersToH1Request converts the HTTP/2 headers coming from origintunneld
 // to an HTTP/1 Request object destined for the local origin web service.
 // This operation includes conversion of the pseudo-headers into their closest
 // HTTP/1 equivalents. See https://tools.ietf.org/html/rfc7540#section-8.1.2.3
 func H2RequestHeadersToH1Request(h2 []h2mux.Header, h1 *http.Request) error {
 	for _, header := range h2 {
 		name := strings.ToLower(header.Name)
 		if !IsH2muxControlRequestHeader(name) {
 			continue
 		}
 		switch name {
 		case ":method":
 			h1.Method = header.Value
 		case ":scheme":
 			// noop - use the preexisting scheme from h1.URL
 		case ":authority":
 			// Otherwise the host header will be based on the origin URL
 			h1.Host = header.Value
 		case ":path":
 			// We don't want to be an "opinionated" proxy, so ideally we would use :path as-is.
 			// However, this HTTP/1 Request object belongs to the Go standard library,
 			// whose URL package makes some opinionated decisions about the encoding of
 			// URL characters: see the docs of https://godoc.org/net/url#URL,
 			// in particular the EscapedPath method https://godoc.org/net/url#URL.EscapedPath,
 			// which is always used when computing url.URL.String(), whether we'd like it or not.
 			//
 			// Well, not *always*. We could circumvent this by using url.URL.Opaque. But
 			// that would present unusual difficulties when using an HTTP proxy: url.URL.Opaque
 			// is treated differently when HTTP_PROXY is set!
 			// See https://github.com/golang/go/issues/5684#issuecomment-66080888
 			//
 			// This means we are subject to the behavior of net/url's function `shouldEscape`
 			// (as invoked with mode=encodePath): https://github.com/golang/go/blob/go1.12.7/src/net/url/url.go#L101
 			if header.Value == "*" {
 				h1.URL.Path = "*"
 				continue
 			}
 			// Due to the behavior of validation.ValidateUrl, h1.URL may
 			// already have a partial value, with or without a trailing slash.
 			base := h1.URL.String()
 			base = strings.TrimRight(base, "/")
 			// But we know :path begins with '/', because we handled '*' above - see RFC7540
 			requestURL, err := url.Parse(base + header.Value)
 			if err != nil {
 				return errors.Wrap(err, fmt.Sprintf("invalid path '%v'", header.Value))
 			}
 			h1.URL = requestURL
 		case "content-length":
 			contentLength, err := strconv.ParseInt(header.Value, 10, 64)
 			if err != nil {
 				return fmt.Errorf("unparseable content length")
 			}
 			h1.ContentLength = contentLength
 		case RequestUserHeaders:
 			// Do not forward the serialized headers to the origin -- deserialize them, and ditch the serialized version
 			// Find and parse user headers serialized into a single one
 			userHeaders, err := DeserializeHeaders(header.Value)
 			if err != nil {
 				return errors.Wrap(err, "Unable to parse user headers")
 			}
 			for _, userHeader := range userHeaders {
 				h1.Header.Add(userHeader.Name, userHeader.Value)
 			}
 		default:
 			// All other control headers shall just be proxied transparently
 			h1.Header.Add(header.Name, header.Value)
 		}
 	}
 	return nil
 }
 func H1ResponseToH2ResponseHeaders(status int, h1 http.Header) (h2 []h2mux.Header) {
 	h2 = []h2mux.Header{
 		{Name: ":status", Value: strconv.Itoa(status)},
 	}
 	userHeaders := make(http.Header, len(h1))
 	for header, values := range h1 {
 		h2name := strings.ToLower(header)
 		if h2name == "content-length" {
 			// This header has meaning in HTTP/2 and will be used by the edge,
 			// so it should be sent as an HTTP/2 response header.
 			// Since these are http2 headers, they're required to be lowercase
 			h2 = append(h2, h2mux.Header{Name: "content-length", Value: values[0]})
 		} else if !IsH2muxControlResponseHeader(h2name) || IsWebsocketClientHeader(h2name) {
 			// User headers, on the other hand, must all be serialized so that
 			// HTTP/2 header validation won't be applied to HTTP/1 header values
 			userHeaders[header] = values
 		}
 	}
 	// Perform user header serialization and set them in the single header
 	h2 = append(h2, h2mux.Header{Name: ResponseUserHeaders, Value: SerializeHeaders(userHeaders)})
 	return h2
 }
 // IsH2muxControlRequestHeader is called in the direction of eyeball -> origin.
 func IsH2muxControlRequestHeader(headerName string) bool {
 	return headerName == "content-length" ||
 		headerName == "connection" || headerName == "upgrade" || // Websocket request headers
 		strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-")
 }
 // IsH2muxControlResponseHeader is called in the direction of eyeball <- origin.
 func IsH2muxControlResponseHeader(headerName string) bool {
 	return headerName == "content-length" ||
 		strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-int-") ||
 		strings.HasPrefix(headerName, "cf-cloudflared-")
 }
--- a/connection/h2mux_header_test.go
+++ b/connection/h2mux_header_test.go
@ -1,642 +0,0 @@
 package connection
 import (
 	"fmt"
 	"math/rand"
 	"net/http"
 	"net/url"
 	"reflect"
 	"regexp"
 	"strings"
 	"testing"
 	"testing/quick"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/h2mux"
 )
 type ByName []h2mux.Header
 func (a ByName) Len() int      { return len(a) }
 func (a ByName) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
 func (a ByName) Less(i, j int) bool {
 	if a[i].Name == a[j].Name {
 		return a[i].Value < a[j].Value
 	}
 	return a[i].Name < a[j].Name
 }
 func TestH2RequestHeadersToH1Request_RegularHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
 	assert.NoError(t, err)
 	mockHeaders := http.Header{
 		"Mock header 1": {"Mock value 1"},
 		"Mock header 2": {"Mock value 2"},
 	}
 	headersConversionErr := H2RequestHeadersToH1Request(createSerializedHeaders(RequestUserHeaders, mockHeaders), request)
 	assert.True(t, reflect.DeepEqual(mockHeaders, request.Header))
 	assert.NoError(t, headersConversionErr)
 }
 func createSerializedHeaders(headersField string, headers http.Header) []h2mux.Header {
 	return []h2mux.Header{{
 		Name:  headersField,
 		Value: SerializeHeaders(headers),
 	}}
 }
 func TestH2RequestHeadersToH1Request_NoHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
 	assert.NoError(t, err)
 	emptyHeaders := make(http.Header)
 	headersConversionErr := H2RequestHeadersToH1Request(
 		[]h2mux.Header{{
 			Name:  RequestUserHeaders,
 			Value: SerializeHeaders(emptyHeaders),
 		}},
 		request,
 	)
 	assert.True(t, reflect.DeepEqual(emptyHeaders, request.Header))
 	assert.NoError(t, headersConversionErr)
 }
 func TestH2RequestHeadersToH1Request_InvalidHostPath(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
 	assert.NoError(t, err)
 	mockRequestHeaders := []h2mux.Header{
 		{Name: ":path", Value: "//bad_path/"},
 		{Name: RequestUserHeaders, Value: SerializeHeaders(http.Header{"Mock header": {"Mock value"}})},
 	}
 	headersConversionErr := H2RequestHeadersToH1Request(mockRequestHeaders, request)
 	assert.Equal(t, http.Header{
 		"Mock header": []string{"Mock value"},
 	}, request.Header)
 	assert.Equal(t, "http://example.com//bad_path/", request.URL.String())
 	assert.NoError(t, headersConversionErr)
 }
 func TestH2RequestHeadersToH1Request_HostPathWithQuery(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com/", nil)
 	assert.NoError(t, err)
 	mockRequestHeaders := []h2mux.Header{
 		{Name: ":path", Value: "/?query=mock%20value"},
 		{Name: RequestUserHeaders, Value: SerializeHeaders(http.Header{"Mock header": {"Mock value"}})},
 	}
 	headersConversionErr := H2RequestHeadersToH1Request(mockRequestHeaders, request)
 	assert.Equal(t, http.Header{
 		"Mock header": []string{"Mock value"},
 	}, request.Header)
 	assert.Equal(t, "http://example.com/?query=mock%20value", request.URL.String())
 	assert.NoError(t, headersConversionErr)
 }
 func TestH2RequestHeadersToH1Request_HostPathWithURLEncoding(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com/", nil)
 	assert.NoError(t, err)
 	mockRequestHeaders := []h2mux.Header{
 		{Name: ":path", Value: "/mock%20path"},
 		{Name: RequestUserHeaders, Value: SerializeHeaders(http.Header{"Mock header": {"Mock value"}})},
 	}
 	headersConversionErr := H2RequestHeadersToH1Request(mockRequestHeaders, request)
 	assert.Equal(t, http.Header{
 		"Mock header": []string{"Mock value"},
 	}, request.Header)
 	assert.Equal(t, "http://example.com/mock%20path", request.URL.String())
 	assert.NoError(t, headersConversionErr)
 }
 func TestH2RequestHeadersToH1Request_WeirdURLs(t *testing.T) {
 	type testCase struct {
 		path string
 		want string
 	}
 	testCases := []testCase{
 		{
 			path: "",
 			want: "",
 		},
 		{
 			path: "/",
 			want: "/",
 		},
 		{
 			path: "//",
 			want: "//",
 		},
 		{
 			path: "/test",
 			want: "/test",
 		},
 		{
 			path: "//test",
 			want: "//test",
 		},
 		{
 			// https://github.com/cloudflare/cloudflared/issues/81
 			path: "//test/",
 			want: "//test/",
 		},
 		{
 			path: "/%2Ftest",
 			want: "/%2Ftest",
 		},
 		{
 			path: "//%20test",
 			want: "//%20test",
 		},
 		{
 			// https://github.com/cloudflare/cloudflared/issues/124
 			path: "/test?get=somthing%20a",
 			want: "/test?get=somthing%20a",
 		},
 		{
 			path: "/%20",
 			want: "/%20",
 		},
 		{
 			// stdlib's EscapedPath() will always percent-encode ' '
 			path: "/ ",
 			want: "/%20",
 		},
 		{
 			path: "/ a ",
 			want: "/%20a%20",
 		},
 		{
 			path: "/a%20b",
 			want: "/a%20b",
 		},
 		{
 			path: "/foo/bar;param?query#frag",
 			want: "/foo/bar;param?query#frag",
 		},
 		{
 			// stdlib's EscapedPath() will always percent-encode non-ASCII chars
 			path: "/a␠b",
 			want: "/a%E2%90%A0b",
 		},
 		{
 			path: "/a-umlaut-ä",
 			want: "/a-umlaut-%C3%A4",
 		},
 		{
 			path: "/a-umlaut-%C3%A4",
 			want: "/a-umlaut-%C3%A4",
 		},
 		{
 			path: "/a-umlaut-%c3%a4",
 			want: "/a-umlaut-%c3%a4",
 		},
 		{
 			// here the second '#' is treated as part of the fragment
 			path: "/a#b#c",
 			want: "/a#b%23c",
 		},
 		{
 			path: "/a#b␠c",
 			want: "/a#b%E2%90%A0c",
 		},
 		{
 			path: "/a#b%20c",
 			want: "/a#b%20c",
 		},
 		{
 			path: "/a#b c",
 			want: "/a#b%20c",
 		},
 		{
 			// stdlib's EscapedPath() will always percent-encode '\'
 			path: "/\\",
 			want: "/%5C",
 		},
 		{
 			path: "/a\\",
 			want: "/a%5C",
 		},
 		{
 			path: "/a,b.c.",
 			want: "/a,b.c.",
 		},
 		{
 			path: "/.",
 			want: "/.",
 		},
 		{
 			// stdlib's EscapedPath() will always percent-encode '`'
 			path: "/a`",
 			want: "/a%60",
 		},
 		{
 			path: "/a[0]",
 			want: "/a[0]",
 		},
 		{
 			path: "/?a[0]=5 &b[]=",
 			want: "/?a[0]=5 &b[]=",
 		},
 		{
 			path: "/?a=%22b%20%22",
 			want: "/?a=%22b%20%22",
 		},
 	}
 	for index, testCase := range testCases {
 		requestURL := "https://example.com"
 		request, err := http.NewRequest(http.MethodGet, requestURL, nil)
 		assert.NoError(t, err)
 		mockRequestHeaders := []h2mux.Header{
 			{Name: ":path", Value: testCase.path},
 			{Name: RequestUserHeaders, Value: SerializeHeaders(http.Header{"Mock header": {"Mock value"}})},
 		}
 		headersConversionErr := H2RequestHeadersToH1Request(mockRequestHeaders, request)
 		assert.NoError(t, headersConversionErr)
 		assert.Equal(t,
 			http.Header{
 				"Mock header": []string{"Mock value"},
 			},
 			request.Header)
 		assert.Equal(t,
 			"https://example.com"+testCase.want,
 			request.URL.String(),
 			"Failed URL index: %v %#v", index, testCase)
 	}
 }
 func TestH2RequestHeadersToH1Request_QuickCheck(t *testing.T) {
 	config := &quick.Config{
 		Values: func(args []reflect.Value, rand *rand.Rand) {
 			args[0] = reflect.ValueOf(randomHTTP2Path(t, rand))
 		},
 	}
 	type testOrigin struct {
 		url string
 		expectedScheme   string
 		expectedBasePath string
 	}
 	testOrigins := []testOrigin{
 		{
 			url:              "http://origin.hostname.example.com:8080",
 			expectedScheme:   "http",
 			expectedBasePath: "http://origin.hostname.example.com:8080",
 		},
 		{
 			url:              "http://origin.hostname.example.com:8080/",
 			expectedScheme:   "http",
 			expectedBasePath: "http://origin.hostname.example.com:8080",
 		},
 		{
 			url:              "http://origin.hostname.example.com:8080/api",
 			expectedScheme:   "http",
 			expectedBasePath: "http://origin.hostname.example.com:8080/api",
 		},
 		{
 			url:              "http://origin.hostname.example.com:8080/api/",
 			expectedScheme:   "http",
 			expectedBasePath: "http://origin.hostname.example.com:8080/api",
 		},
 		{
 			url:              "https://origin.hostname.example.com:8080/api",
 			expectedScheme:   "https",
 			expectedBasePath: "https://origin.hostname.example.com:8080/api",
 		},
 	}
 	// use multiple schemes to demonstrate that the URL is based on the
 	// origin's scheme, not the :scheme header
 	for _, testScheme := range []string{"http", "https"} {
 		for _, testOrigin := range testOrigins {
 			assertion := func(testPath string) bool {
 				const expectedMethod = "POST"
 				const expectedHostname = "request.hostname.example.com"
 				h2 := []h2mux.Header{
 					{Name: ":method", Value: expectedMethod},
 					{Name: ":scheme", Value: testScheme},
 					{Name: ":authority", Value: expectedHostname},
 					{Name: ":path", Value: testPath},
 					{Name: RequestUserHeaders, Value: ""},
 				}
 				h1, err := http.NewRequest("GET", testOrigin.url, nil)
 				require.NoError(t, err)
 				err = H2RequestHeadersToH1Request(h2, h1)
 				return assert.NoError(t, err) &&
 					assert.Equal(t, expectedMethod, h1.Method) &&
 					assert.Equal(t, expectedHostname, h1.Host) &&
 					assert.Equal(t, testOrigin.expectedScheme, h1.URL.Scheme) &&
 					assert.Equal(t, testOrigin.expectedBasePath+testPath, h1.URL.String())
 			}
 			err := quick.Check(assertion, config)
 			assert.NoError(t, err)
 		}
 	}
 }
 func randomASCIIPrintableChar(rand *rand.Rand) int {
 	// smallest printable ASCII char is 32, largest is 126
 	const startPrintable = 32
 	const endPrintable = 127
 	return startPrintable + rand.Intn(endPrintable-startPrintable)
 }
 // randomASCIIText generates an ASCII string, some of whose characters may be
 // percent-encoded. Its "logical length" (ignoring percent-encoding) is
 // between 1 and `maxLength`.
 func randomASCIIText(rand *rand.Rand, minLength int, maxLength int) string {
 	length := minLength + rand.Intn(maxLength)
 	var result strings.Builder
 	for i := 0; i < length; i++ {
 		c := randomASCIIPrintableChar(rand)
 		// 1/4 chance of using percent encoding when not necessary
 		if c == '%' || rand.Intn(4) == 0 {
 			result.WriteString(fmt.Sprintf("%%%02X", c))
 		} else {
 			result.WriteByte(byte(c))
 		}
 	}
 	return result.String()
 }
 // Calls `randomASCIIText` and ensures the result is a valid URL path,
 // i.e. one that can pass unchanged through url.URL.String()
 func randomHTTP1Path(t *testing.T, rand *rand.Rand, minLength int, maxLength int) string {
 	text := randomASCIIText(rand, minLength, maxLength)
 	re, err := regexp.Compile("[^/;,]*")
 	require.NoError(t, err)
 	return "/" + re.ReplaceAllStringFunc(text, url.PathEscape)
 }
 // Calls `randomASCIIText` and ensures the result is a valid URL query,
 // i.e. one that can pass unchanged through url.URL.String()
 func randomHTTP1Query(rand *rand.Rand, minLength int, maxLength int) string {
 	text := randomASCIIText(rand, minLength, maxLength)
 	return "?" + strings.ReplaceAll(text, "#", "%23")
 }
 // Calls `randomASCIIText` and ensures the result is a valid URL fragment,
 // i.e. one that can pass unchanged through url.URL.String()
 func randomHTTP1Fragment(t *testing.T, rand *rand.Rand, minLength int, maxLength int) string {
 	text := randomASCIIText(rand, minLength, maxLength)
 	u, err := url.Parse("#" + text)
 	require.NoError(t, err)
 	return u.String()
 }
 // Assemble a random :path pseudoheader that is legal by Go stdlib standards
 // (i.e. all characters will satisfy "net/url".shouldEscape for their respective locations)
 func randomHTTP2Path(t *testing.T, rand *rand.Rand) string {
 	result := randomHTTP1Path(t, rand, 1, 64)
 	if rand.Intn(2) == 1 {
 		result += randomHTTP1Query(rand, 1, 32)
 	}
 	if rand.Intn(2) == 1 {
 		result += randomHTTP1Fragment(t, rand, 1, 16)
 	}
 	return result
 }
 func stdlibHeaderToH2muxHeader(headers http.Header) (h2muxHeaders []h2mux.Header) {
 	for name, values := range headers {
 		for _, value := range values {
 			h2muxHeaders = append(h2muxHeaders, h2mux.Header{Name: name, Value: value})
 		}
 	}
 	return h2muxHeaders
 }
 func TestParseRequestHeaders(t *testing.T) {
 	mockUserHeadersToSerialize := http.Header{
 		"Mock-Header-One":   {"1", "1.5"},
 		"Mock-Header-Two":   {"2"},
 		"Mock-Header-Three": {"3"},
 	}
 	mockHeaders := []h2mux.Header{
 		{Name: "One", Value: "1"}, // will be dropped
 		{Name: "Cf-Two", Value: "cf-value-1"},
 		{Name: "Cf-Two", Value: "cf-value-2"},
 		{Name: RequestUserHeaders, Value: SerializeHeaders(mockUserHeadersToSerialize)},
 	}
 	expectedHeaders := []h2mux.Header{
 		{Name: "Cf-Two", Value: "cf-value-1"},
 		{Name: "Cf-Two", Value: "cf-value-2"},
 		{Name: "Mock-Header-One", Value: "1"},
 		{Name: "Mock-Header-One", Value: "1.5"},
 		{Name: "Mock-Header-Two", Value: "2"},
 		{Name: "Mock-Header-Three", Value: "3"},
 	}
 	h1 := &http.Request{
 		Header: make(http.Header),
 	}
 	err := H2RequestHeadersToH1Request(mockHeaders, h1)
 	assert.NoError(t, err)
 	assert.ElementsMatch(t, expectedHeaders, stdlibHeaderToH2muxHeader(h1.Header))
 }
 func TestIsH2muxControlRequestHeader(t *testing.T) {
 	controlRequestHeaders := []string{
 		// Anything that begins with cf-
 		"cf-sample-header",
 		// Any http2 pseudoheader
 		":sample-pseudo-header",
 		// content-length is a special case, it has to be there
 		// for some requests to work (per the HTTP2 spec)
 		"content-length",
 		// Websocket request headers
 		"connection",
 		"upgrade",
 	}
 	for _, header := range controlRequestHeaders {
 		assert.True(t, IsH2muxControlRequestHeader(header))
 	}
 }
 func TestIsH2muxControlResponseHeader(t *testing.T) {
 	controlResponseHeaders := []string{
 		// Anything that begins with cf-int- or cf-cloudflared-
 		"cf-int-sample-header",
 		"cf-cloudflared-sample-header",
 		// Any http2 pseudoheader
 		":sample-pseudo-header",
 		// content-length is a special case, it has to be there
 		// for some requests to work (per the HTTP2 spec)
 		"content-length",
 	}
 	for _, header := range controlResponseHeaders {
 		assert.True(t, IsH2muxControlResponseHeader(header))
 	}
 }
 func TestIsNotH2muxControlRequestHeader(t *testing.T) {
 	notControlRequestHeaders := []string{
 		"mock-header",
 		"another-sample-header",
 	}
 	for _, header := range notControlRequestHeaders {
 		assert.False(t, IsH2muxControlRequestHeader(header))
 	}
 }
 func TestIsNotH2muxControlResponseHeader(t *testing.T) {
 	notControlResponseHeaders := []string{
 		"mock-header",
 		"another-sample-header",
 		"upgrade",
 		"connection",
 		"cf-whatever", // On the response path, we only want to filter cf-int- and cf-cloudflared-
 	}
 	for _, header := range notControlResponseHeaders {
 		assert.False(t, IsH2muxControlResponseHeader(header))
 	}
 }
 func TestH1ResponseToH2ResponseHeaders(t *testing.T) {
 	mockHeaders := http.Header{
 		"User-header-one":       {""},
 		"User-header-two":       {"1", "2"},
 		"cf-header":             {"cf-value"},
 		"cf-int-header":         {"cf-int-value"},
 		"cf-cloudflared-header": {"cf-cloudflared-value"},
 		"Content-Length":        {"123"},
 	}
 	mockResponse := http.Response{
 		StatusCode: 200,
 		Header:     mockHeaders,
 	}
 	headers := H1ResponseToH2ResponseHeaders(mockResponse.StatusCode, mockResponse.Header)
 	serializedHeadersIndex := -1
 	for i, header := range headers {
 		if header.Name == ResponseUserHeaders {
 			serializedHeadersIndex = i
 			break
 		}
 	}
 	assert.NotEqual(t, -1, serializedHeadersIndex)
 	actualControlHeaders := append(
 		headers[:serializedHeadersIndex],
 		headers[serializedHeadersIndex+1:]...,
 	)
 	expectedControlHeaders := []h2mux.Header{
 		{Name: ":status", Value: "200"},
 		{Name: "content-length", Value: "123"},
 	}
 	assert.ElementsMatch(t, expectedControlHeaders, actualControlHeaders)
 	actualUserHeaders, err := DeserializeHeaders(headers[serializedHeadersIndex].Value)
 	expectedUserHeaders := []h2mux.Header{
 		{Name: "User-header-one", Value: ""},
 		{Name: "User-header-two", Value: "1"},
 		{Name: "User-header-two", Value: "2"},
 		{Name: "cf-header", Value: "cf-value"},
 	}
 	assert.NoError(t, err)
 	assert.ElementsMatch(t, expectedUserHeaders, actualUserHeaders)
 }
 // The purpose of this test is to check that our code and the http.Header
 // implementation don't throw validation errors about header size
 func TestHeaderSize(t *testing.T) {
 	largeValue := randSeq(5 * 1024 * 1024) // 5Mb
 	largeHeaders := http.Header{
 		"User-header": {largeValue},
 	}
 	mockResponse := http.Response{
 		StatusCode: 200,
 		Header:     largeHeaders,
 	}
 	serializedHeaders := H1ResponseToH2ResponseHeaders(mockResponse.StatusCode, mockResponse.Header)
 	request, err := http.NewRequest(http.MethodGet, "https://example.com/", nil)
 	assert.NoError(t, err)
 	for _, header := range serializedHeaders {
 		request.Header.Set(header.Name, header.Value)
 	}
 	for _, header := range serializedHeaders {
 		if header.Name != ResponseUserHeaders {
 			continue
 		}
 		deserializedHeaders, err := DeserializeHeaders(header.Value)
 		assert.NoError(t, err)
 		assert.Equal(t, largeValue, deserializedHeaders[0].Value)
 	}
 }
 func randSeq(n int) string {
 	randomizer := rand.New(rand.NewSource(17))
 	var letters = []rune(":;,+/=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
 	b := make([]rune, n)
 	for i := range b {
 		b[i] = letters[randomizer.Intn(len(letters))]
 	}
 	return string(b)
 }
 func BenchmarkH1ResponseToH2ResponseHeaders(b *testing.B) {
 	ser := "eC1mb3J3YXJkZWQtcHJvdG8:aHR0cHM;dXBncmFkZS1pbnNlY3VyZS1yZXF1ZXN0cw:MQ;YWNjZXB0LWxhbmd1YWdl:ZW4tVVMsZW47cT0wLjkscnU7cT0wLjg;YWNjZXB0LWVuY29kaW5n:Z3ppcA;eC1mb3J3YXJkZWQtZm9y:MTczLjI0NS42MC42;dXNlci1hZ2VudA:TW96aWxsYS81LjAgKE1hY2ludG9zaDsgSW50ZWwgTWFjIE9TIFggMTBfMTRfNikgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzg0LjAuNDE0Ny44OSBTYWZhcmkvNTM3LjM2;c2VjLWZldGNoLW1vZGU:bmF2aWdhdGU;Y2RuLWxvb3A:Y2xvdWRmbGFyZQ;c2VjLWZldGNoLWRlc3Q:ZG9jdW1lbnQ;c2VjLWZldGNoLXVzZXI:PzE;c2VjLWZldGNoLXNpdGU:bm9uZQ;Y29va2ll:X19jZmR1aWQ9ZGNkOWZjOGNjNWMxMzE0NTMyYTFkMjhlZDEyOWRhOTYwMTU2OTk1MTYzNDsgX19jZl9ibT1mYzY2MzMzYzAzZmM0MWFiZTZmOWEyYzI2ZDUwOTA0YzIxYzZhMTQ2LTE1OTU2MjIzNDEtMTgwMC1BZTVzS2pIU2NiWGVFM05mMUhrTlNQMG1tMHBLc2pQWkloVnM1Z2g1SkNHQkFhS1UxVDB2b003alBGN3FjMHVSR2NjZGcrWHdhL1EzbTJhQzdDVU4xZ2M9;YWNjZXB0:dGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQ"
 	h2, _ := DeserializeHeaders(ser)
 	h1 := make(http.Header)
 	for _, header := range h2 {
 		h1.Add(header.Name, header.Value)
 	}
 	h1.Add("Content-Length", "200")
 	h1.Add("Cf-Something", "Else")
 	h1.Add("Upgrade", "websocket")
 	h1resp := &http.Response{
 		StatusCode: 200,
 		Header:     h1,
 	}
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		_ = H1ResponseToH2ResponseHeaders(h1resp.StatusCode, h1resp.Header)
 	}
 }
--- a/connection/header.go
+++ b/connection/header.go
@ -7,33 +7,40 @@ import (
 	"strings"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/h2mux"
 )
 var (
-	// h2mux-style special headers
+	// internal special headers
 	RequestUserHeaders  = "cf-cloudflared-request-headers"
 	ResponseUserHeaders = "cf-cloudflared-response-headers"
 	ResponseMetaHeader  = "cf-cloudflared-response-meta"
-	// h2mux-style special headers
+	// internal special headers
 	CanonicalResponseUserHeaders = http.CanonicalHeaderKey(ResponseUserHeaders)
 	CanonicalResponseMetaHeader  = http.CanonicalHeaderKey(ResponseMetaHeader)
 )
 var (
 	// pre-generate possible values for res
-	responseMetaHeaderCfd    = mustInitRespMetaHeader("cloudflared")
+	responseMetaHeaderCfd                = mustInitRespMetaHeader("cloudflared", false)
-	responseMetaHeaderOrigin = mustInitRespMetaHeader("origin")
+	responseMetaHeaderCfdFlowRateLimited = mustInitRespMetaHeader("cloudflared", true)
 	responseMetaHeaderOrigin             = mustInitRespMetaHeader("origin", false)
 )
-type responseMetaHeader struct {
+// HTTPHeader is a custom header struct that expects only ever one value for the header.
-	Source string `json:"src"`
+// This structure is used to serialize the headers and attach them to the HTTP2 request when proxying.
 type HTTPHeader struct {
 	Name  string
 	Value string
 }
-func mustInitRespMetaHeader(src string) string {
+type responseMetaHeader struct {
-	header, err := json.Marshal(responseMetaHeader{Source: src})
+	Source          string `json:"src"`
 	FlowRateLimited bool   `json:"flow_rate_limited,omitempty"`
 }
 func mustInitRespMetaHeader(src string, flowRateLimited bool) string {
 	header, err := json.Marshal(responseMetaHeader{Source: src, FlowRateLimited: flowRateLimited})
 	if err != nil {
 		panic(fmt.Sprintf("Failed to serialize response meta header = %s, err: %v", src, err))
 	}
@ -46,7 +53,8 @@ var headerEncoding = base64.RawStdEncoding
 func IsControlResponseHeader(headerName string) bool {
 	return strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-int-") ||
-		strings.HasPrefix(headerName, "cf-cloudflared-")
+		strings.HasPrefix(headerName, "cf-cloudflared-") ||
 		strings.HasPrefix(headerName, "cf-proxy-")
 }
 // isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly
@ -104,10 +112,10 @@ func SerializeHeaders(h1Headers http.Header) string {
 }
 // Deserialize headers serialized by `SerializeHeader`
-func DeserializeHeaders(serializedHeaders string) ([]h2mux.Header, error) {
+func DeserializeHeaders(serializedHeaders string) ([]HTTPHeader, error) {
 	const unableToDeserializeErr = "Unable to deserialize headers"
-	var deserialized []h2mux.Header
+	deserialized := make([]HTTPHeader, 0)
 	for _, serializedPair := range strings.Split(serializedHeaders, ";") {
 		if len(serializedPair) == 0 {
 			continue
@ -130,7 +138,7 @@ func DeserializeHeaders(serializedHeaders string) ([]h2mux.Header, error) {
 			return nil, errors.Wrap(err, unableToDeserializeErr)
 		}
-		deserialized = append(deserialized, h2mux.Header{
+		deserialized = append(deserialized, HTTPHeader{
 			Name:  string(deserializedName),
 			Value: string(deserializedValue),
 		})
--- a/connection/header_test.go
+++ b/connection/header_test.go
@ -1,18 +1,17 @@
 package connection
 import (
 	"fmt"
 	"net/http"
 	"reflect"
 	"sort"
 	"testing"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 func TestSerializeHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	mockHeaders := http.Header{
 		"Mock-Header-One":        {"Mock header one value", "three"},
@ -39,33 +38,55 @@ func TestSerializeHeaders(t *testing.T) {
 	serializedHeaders := SerializeHeaders(request.Header)
 	// Sanity check: the headers serialized to something that's not an empty string
-	assert.NotEqual(t, "", serializedHeaders)
+	require.NotEqual(t, "", serializedHeaders)
 	// Deserialize back, and ensure we get the same set of headers
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	assert.NoError(t, err)
+	require.NoError(t, err)
-	assert.Equal(t, 13, len(deserializedHeaders))
+	require.Len(t, deserializedHeaders, 13)
-	h2muxExpectedHeaders := stdlibHeaderToH2muxHeader(mockHeaders)
+	expectedHeaders := headerToReqHeader(mockHeaders)
 	sort.Sort(ByName(deserializedHeaders))
-	sort.Sort(ByName(h2muxExpectedHeaders))
+	sort.Sort(ByName(expectedHeaders))
-	assert.True(
+	require.True(
 		t,
-		reflect.DeepEqual(h2muxExpectedHeaders, deserializedHeaders),
+		reflect.DeepEqual(expectedHeaders, deserializedHeaders),
-		fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, h2muxExpectedHeaders),
+		"got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders,
 	)
 }
 type ByName []HTTPHeader
 func (a ByName) Len() int      { return len(a) }
 func (a ByName) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
 func (a ByName) Less(i, j int) bool {
 	if a[i].Name == a[j].Name {
 		return a[i].Value < a[j].Value
 	}
 	return a[i].Name < a[j].Name
 }
 func headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {
 	for name, values := range headers {
 		for _, value := range values {
 			reqHeaders = append(reqHeaders, HTTPHeader{Name: name, Value: value})
 		}
 	}
 	return reqHeaders
 }
 func TestSerializeNoHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	serializedHeaders := SerializeHeaders(request.Header)
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	assert.NoError(t, err)
+	require.NoError(t, err)
-	assert.Equal(t, 0, len(deserializedHeaders))
+	require.Empty(t, deserializedHeaders)
 }
 func TestDeserializeMalformed(t *testing.T) {
@ -80,21 +101,22 @@ func TestDeserializeMalformed(t *testing.T) {
 	for _, malformedValue := range malformedData {
 		_, err = DeserializeHeaders(malformedValue)
-		assert.Error(t, err)
+		require.Error(t, err)
 	}
 }
 func TestIsControlResponseHeader(t *testing.T) {
 	controlResponseHeaders := []string{
-		// Anything that begins with cf-int- or cf-cloudflared-
+		// Anything that begins with cf-int-, cf-cloudflared- or cf-proxy-
 		"cf-int-sample-header",
 		"cf-cloudflared-sample-header",
 		"cf-proxy-sample-header",
 		// Any http2 pseudoheader
 		":sample-pseudo-header",
 	}
 	for _, header := range controlResponseHeaders {
-		assert.True(t, IsControlResponseHeader(header))
+		require.True(t, IsControlResponseHeader(header))
 	}
 }
@ -108,6 +130,6 @@ func TestIsNotControlResponseHeader(t *testing.T) {
 	}
 	for _, header := range notControlResponseHeaders {
-		assert.False(t, IsControlResponseHeader(header))
+		require.False(t, IsControlResponseHeader(header))
 	}
 }
--- a/connection/http2.go
+++ b/connection/http2.go
@ -16,8 +16,10 @@ import (
 	"github.com/rs/zerolog"
 	"golang.org/x/net/http2"
 	"github.com/cloudflare/cloudflared/client"
 	cfdflow "github.com/cloudflare/cloudflared/flow"
 	"github.com/cloudflare/cloudflared/tracing"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // note: these constants are exported so we can reuse them in the edge-side code
@ -37,7 +39,7 @@ type HTTP2Connection struct {
 	conn         net.Conn
 	server       *http2.Server
 	orchestrator Orchestrator
-	connOptions  *tunnelpogs.ConnectionOptions
+	connOptions  *client.ConnectionOptionsSnapshot
 	observer     *Observer
 	connIndex    uint8
@ -52,7 +54,7 @@ type HTTP2Connection struct {
 func NewHTTP2Connection(
 	conn net.Conn,
 	orchestrator Orchestrator,
-	connOptions *tunnelpogs.ConnectionOptions,
+	connOptions *client.ConnectionOptionsSnapshot,
 	observer *Observer,
 	connIndex uint8,
 	controlStreamHandler ControlStreamHandler,
@ -116,7 +118,7 @@ func (c *HTTP2Connection) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	var requestErr error
 	switch connType {
 	case TypeControlStream:
-		requestErr = c.controlStreamHandler.ServeControlStream(r.Context(), respWriter, c.connOptions, c.orchestrator)
+		requestErr = c.controlStreamHandler.ServeControlStream(r.Context(), respWriter, c.connOptions.ConnectionOptions(), c.orchestrator)
 		if requestErr != nil {
 			c.controlStreamErr = requestErr
 		}
@ -156,7 +158,7 @@ func (c *HTTP2Connection) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		c.log.Error().Err(requestErr).Msg("failed to serve incoming request")
 		// WriteErrorResponse will return false if status was already written. we need to abort handler.
-		if !respWriter.WriteErrorResponse() {
+		if !respWriter.WriteErrorResponse(requestErr) {
 			c.log.Debug().Msg("Handler aborted due to failure to write error response after status already sent")
 			panic(http.ErrAbortHandler)
 		}
@ -209,8 +211,9 @@ func NewHTTP2RespWriter(r *http.Request, w http.ResponseWriter, connType Type, l
 			w:   w,
 			log: log,
 		}
-		respWriter.WriteErrorResponse()
+		err := fmt.Errorf("%T doesn't implement http.Flusher", w)
-		return nil, fmt.Errorf("%T doesn't implement http.Flusher", w)
+		respWriter.WriteErrorResponse(err)
 		return nil, err
 	}
 	return &http2RespWriter{
@ -295,7 +298,7 @@ func (rp *http2RespWriter) WriteHeader(status int) {
 		rp.log.Warn().Msg("WriteHeader after hijack")
 		return
 	}
-	rp.WriteRespHeaders(status, rp.respHeaders)
+	_ = rp.WriteRespHeaders(status, rp.respHeaders)
 }
 func (rp *http2RespWriter) hijacked() bool {
@ -328,12 +331,16 @@ func (rp *http2RespWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
 	return conn, readWriter, nil
 }
-func (rp *http2RespWriter) WriteErrorResponse() bool {
+func (rp *http2RespWriter) WriteErrorResponse(err error) bool {
 	if rp.statusWritten {
 		return false
 	}
-	rp.setResponseMetaHeader(responseMetaHeaderCfd)
+	if errors.Is(err, cfdflow.ErrTooManyActiveFlows) {
 		rp.setResponseMetaHeader(responseMetaHeaderCfdFlowRateLimited)
 	} else {
 		rp.setResponseMetaHeader(responseMetaHeaderCfd)
 	}
 	rp.w.WriteHeader(http.StatusBadGateway)
 	rp.statusWritten = true
@ -385,8 +392,7 @@ func determineHTTP2Type(r *http.Request) Type {
 func handleMissingRequestParts(connType Type, r *http.Request) {
 	if connType == TypeHTTP {
 		// http library has no guarantees that we receive a filled URL. If not, then we fill it, as we reuse the request
-		// for proxying. We use the same values as we used to in h2mux. For proxying they should not matter since we
+		// for proxying. For proxying they should not matter since we control the dialer on every egress proxied.
 		// control the dialer on every egress proxied.
 		if len(r.URL.Scheme) == 0 {
 			r.URL.Scheme = "http"
 		}
--- a/connection/http2_test.go
+++ b/connection/http2_test.go
@ -20,17 +20,18 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/http2"
 	"github.com/cloudflare/cloudflared/client"
 	"github.com/cloudflare/cloudflared/tracing"
 	"github.com/cloudflare/cloudflared/tunnelrpc"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
-var (
+var testTransport = http2.Transport{}
 	testTransport = http2.Transport{}
 )
 func newTestHTTP2Connection() (*HTTP2Connection, net.Conn) {
 	edgeConn, cfdConn := net.Pipe()
-	var connIndex = uint8(0)
+	connIndex := uint8(0)
 	log := zerolog.Nop()
 	obs := NewObserver(&log, &log)
 	controlStream := NewControlStream(
@ -49,7 +50,7 @@ func newTestHTTP2Connection() (*HTTP2Connection, net.Conn) {
 		cfdConn,
 		// OriginProxy is set in testConfigManager
 		testOrchestrator,
-		&pogs.ConnectionOptions{},
+		&client.ConnectionOptionsSnapshot{},
 		obs,
 		connIndex,
 		controlStream,
@ -60,24 +61,23 @@ func newTestHTTP2Connection() (*HTTP2Connection, net.Conn) {
 func TestHTTP2ConfigurationSet(t *testing.T) {
 	http2Conn, edgeConn := newTestHTTP2Connection()
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(t.Context())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 	edgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)
 	require.NoError(t, err)
 	endpoint := fmt.Sprintf("http://localhost:8080/ok")
 	reqBody := []byte(`{
 "version": 2,
 "config": {"warp-routing": {"enabled": true},  "originRequest" : {"connectTimeout": 10}, "ingress" : [ {"hostname": "test", "service": "https://localhost:8000" } , {"service": "http_status:404"} ]}}
 `)
 	reader := bytes.NewReader(reqBody)
-	req, err := http.NewRequestWithContext(ctx, http.MethodPut, endpoint, reader)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPut, "http://localhost:8080/ok", reader)
 	require.NoError(t, err)
 	req.Header.Set(InternalUpgradeHeader, ConfigurationUpdate)
@ -85,11 +85,11 @@ func TestHTTP2ConfigurationSet(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, resp.StatusCode)
 	bdy, err := io.ReadAll(resp.Body)
 	defer resp.Body.Close()
 	require.NoError(t, err)
 	assert.Equal(t, `{"lastAppliedVersion":2,"err":null}`, string(bdy))
 	cancel()
 	wg.Wait()
 }
 func TestServeHTTP(t *testing.T) {
@ -129,12 +129,12 @@ func TestServeHTTP(t *testing.T) {
 	http2Conn, edgeConn := newTestHTTP2Connection()
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(t.Context())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 	edgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)
@ -153,6 +153,7 @@ func TestServeHTTP(t *testing.T) {
 			require.NoError(t, err)
 			require.Equal(t, test.expectedBody, respBody)
 		}
 		_ = resp.Body.Close()
 		if test.isProxyError {
 			require.Equal(t, responseMetaHeaderCfd, resp.Header.Get(ResponseMetaHeader))
 		} else {
@ -192,8 +193,9 @@ func (mc mockNamedTunnelRPCClient) RegisterConnection(
 	}, nil
 }
-func (mc mockNamedTunnelRPCClient) GracefulShutdown(ctx context.Context, gracePeriod time.Duration) {
+func (mc mockNamedTunnelRPCClient) GracefulShutdown(ctx context.Context, gracePeriod time.Duration) error {
 	close(mc.unregistered)
 	return nil
 }
 func (mockNamedTunnelRPCClient) Close() {}
@ -258,7 +260,7 @@ func (w *wsRespWriter) close() {
 func TestServeWS(t *testing.T) {
 	http2Conn, _ := newTestHTTP2Connection()
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(t.Context())
 	respWriter := newWSRespWriter()
 	readPipe, writePipe := io.Pipe()
@ -280,10 +282,11 @@ func TestServeWS(t *testing.T) {
 	respBody, err := wsutil.ReadServerBinary(respWriter.RespBody())
 	require.NoError(t, err)
-	require.Equal(t, data, respBody, fmt.Sprintf("Expect %s, got %s", string(data), string(respBody)))
+	require.Equal(t, data, respBody, "expect %s, got %s", string(data), string(respBody))
 	cancel()
 	resp := respWriter.Result()
 	defer resp.Body.Close()
 	// http2RespWriter should rewrite status 101 to 200
 	require.Equal(t, http.StatusOK, resp.StatusCode)
 	require.Equal(t, responseMetaHeaderOrigin, resp.Header.Get(ResponseMetaHeader))
@ -292,18 +295,18 @@ func TestServeWS(t *testing.T) {
 	require.False(t, respWriter.panicked)
 }
-// TestNoWriteAfterServeHTTPReturns is a regression test of https://jira.cfops.it/browse/TUN-5184
+// TestNoWriteAfterServeHTTPReturns is a regression test of https://jira.cfdata.org/browse/TUN-5184
 // to make sure we don't write to the ResponseWriter after the ServeHTTP method returns
 func TestNoWriteAfterServeHTTPReturns(t *testing.T) {
 	cfdHTTP2Conn, edgeTCPConn := newTestHTTP2Connection()
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(t.Context())
 	var wg sync.WaitGroup
 	serverDone := make(chan struct{})
 	go func() {
 		defer close(serverDone)
-		cfdHTTP2Conn.Serve(ctx)
+		_ = cfdHTTP2Conn.Serve(ctx)
 	}()
 	edgeTransport := http2.Transport{}
@ -318,13 +321,16 @@ func TestNoWriteAfterServeHTTPReturns(t *testing.T) {
 			readPipe, writePipe := io.Pipe()
 			reqCtx, reqCancel := context.WithCancel(ctx)
 			req, err := http.NewRequestWithContext(reqCtx, http.MethodGet, "http://localhost:8080/ws/flaky", readPipe)
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			req.Header.Set(InternalUpgradeHeader, WebsocketUpgrade)
 			resp, err := edgeHTTP2Conn.RoundTrip(req)
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			_ = resp.Body.Close()
 			// http2RespWriter should rewrite status 101 to 200
-			require.Equal(t, http.StatusOK, resp.StatusCode)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
 			wg.Add(1)
 			go func() {
@ -372,12 +378,12 @@ func TestServeControlStream(t *testing.T) {
 	)
 	http2Conn.controlStreamHandler = controlStream
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(t.Context())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:8080/", nil)
@ -390,7 +396,8 @@ func TestServeControlStream(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		edgeHTTP2Conn.RoundTrip(req)
+		// nolint: bodyclose
 		_, _ = edgeHTTP2Conn.RoundTrip(req)
 	}()
 	<-rpcClientFactory.registered
@ -425,12 +432,12 @@ func TestFailRegistration(t *testing.T) {
 	)
 	http2Conn.controlStreamHandler = controlStream
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(t.Context())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:8080/", nil)
@ -441,9 +448,10 @@ func TestFailRegistration(t *testing.T) {
 	require.NoError(t, err)
 	resp, err := edgeHTTP2Conn.RoundTrip(req)
 	require.NoError(t, err)
 	defer resp.Body.Close()
 	require.Equal(t, http.StatusBadGateway, resp.StatusCode)
-	assert.NotNil(t, http2Conn.controlStreamErr)
+	require.Error(t, http2Conn.controlStreamErr)
 	cancel()
 	wg.Wait()
 }
@ -475,12 +483,12 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 	http2Conn.controlStreamHandler = controlStream
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(t.Context())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:8080/", nil)
@ -493,6 +501,7 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
 		// nolint: bodyclose
 		_, _ = edgeHTTP2Conn.RoundTrip(req)
 	}()
@ -523,15 +532,45 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 	})
 }
-func benchmarkServeHTTP(b *testing.B, test testRequest) {
+func TestServeTCP_RateLimited(t *testing.T) {
 	ctx, cancel := context.WithCancel(t.Context())
 	http2Conn, edgeConn := newTestHTTP2Connection()
 	ctx, cancel := context.WithCancel(context.Background())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 	edgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)
 	require.NoError(t, err)
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:8080", nil)
 	require.NoError(t, err)
 	req.Header.Set(InternalTCPProxySrcHeader, "tcp")
 	req.Header.Set(tracing.TracerContextName, "flow-rate-limited")
 	resp, err := edgeHTTP2Conn.RoundTrip(req)
 	require.NoError(t, err)
 	defer resp.Body.Close()
 	require.Equal(t, http.StatusBadGateway, resp.StatusCode)
 	require.Equal(t, responseMetaHeaderCfdFlowRateLimited, resp.Header.Get(ResponseMetaHeader))
 	cancel()
 	wg.Wait()
 }
 func benchmarkServeHTTP(b *testing.B, test testRequest) {
 	http2Conn, edgeConn := newTestHTTP2Connection()
 	ctx, cancel := context.WithCancel(b.Context())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
 		_ = http2Conn.Serve(ctx)
 	}()
 	endpoint := fmt.Sprintf("http://localhost:8080/%s", test.endpoint)
--- a/connection/metrics.go
+++ b/connection/metrics.go
@ -2,11 +2,8 @@ package connection
 import (
 	"sync"
 	"time"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/cloudflare/cloudflared/h2mux"
 )
 const (
@ -16,27 +13,6 @@ const (
 	configSubsystem  = "config"
 )
 type muxerMetrics struct {
 	rtt              *prometheus.GaugeVec
 	rttMin           *prometheus.GaugeVec
 	rttMax           *prometheus.GaugeVec
 	receiveWindowAve *prometheus.GaugeVec
 	sendWindowAve    *prometheus.GaugeVec
 	receiveWindowMin *prometheus.GaugeVec
 	receiveWindowMax *prometheus.GaugeVec
 	sendWindowMin    *prometheus.GaugeVec
 	sendWindowMax    *prometheus.GaugeVec
 	inBoundRateCurr  *prometheus.GaugeVec
 	inBoundRateMin   *prometheus.GaugeVec
 	inBoundRateMax   *prometheus.GaugeVec
 	outBoundRateCurr *prometheus.GaugeVec
 	outBoundRateMin  *prometheus.GaugeVec
 	outBoundRateMax  *prometheus.GaugeVec
 	compBytesBefore  *prometheus.GaugeVec
 	compBytesAfter   *prometheus.GaugeVec
 	compRateAve      *prometheus.GaugeVec
 }
 type localConfigMetrics struct {
 	pushes       prometheus.Counter
 	pushesErrors prometheus.Counter
@ -53,7 +29,6 @@ type tunnelMetrics struct {
 	regFail    *prometheus.CounterVec
 	rpcFail    *prometheus.CounterVec
 	muxerMetrics        *muxerMetrics
 	tunnelsHA           tunnelsForHA
 	userHostnamesCounts *prometheus.CounterVec
@ -91,252 +66,6 @@ func newLocalConfigMetrics() *localConfigMetrics {
 	}
 }
 func newMuxerMetrics() *muxerMetrics {
 	rtt := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "rtt",
 			Help:      "Round-trip time in millisecond",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(rtt)
 	rttMin := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "rtt_min",
 			Help:      "Shortest round-trip time in millisecond",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(rttMin)
 	rttMax := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "rtt_max",
 			Help:      "Longest round-trip time in millisecond",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(rttMax)
 	receiveWindowAve := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "receive_window_ave",
 			Help:      "Average receive window size in bytes",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(receiveWindowAve)
 	sendWindowAve := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "send_window_ave",
 			Help:      "Average send window size in bytes",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(sendWindowAve)
 	receiveWindowMin := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "receive_window_min",
 			Help:      "Smallest receive window size in bytes",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(receiveWindowMin)
 	receiveWindowMax := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "receive_window_max",
 			Help:      "Largest receive window size in bytes",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(receiveWindowMax)
 	sendWindowMin := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "send_window_min",
 			Help:      "Smallest send window size in bytes",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(sendWindowMin)
 	sendWindowMax := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "send_window_max",
 			Help:      "Largest send window size in bytes",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(sendWindowMax)
 	inBoundRateCurr := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "inbound_bytes_per_sec_curr",
 			Help:      "Current inbounding bytes per second, 0 if there is no incoming connection",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(inBoundRateCurr)
 	inBoundRateMin := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "inbound_bytes_per_sec_min",
 			Help:      "Minimum non-zero inbounding bytes per second",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(inBoundRateMin)
 	inBoundRateMax := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "inbound_bytes_per_sec_max",
 			Help:      "Maximum inbounding bytes per second",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(inBoundRateMax)
 	outBoundRateCurr := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "outbound_bytes_per_sec_curr",
 			Help:      "Current outbounding bytes per second, 0 if there is no outgoing traffic",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(outBoundRateCurr)
 	outBoundRateMin := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "outbound_bytes_per_sec_min",
 			Help:      "Minimum non-zero outbounding bytes per second",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(outBoundRateMin)
 	outBoundRateMax := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "outbound_bytes_per_sec_max",
 			Help:      "Maximum outbounding bytes per second",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(outBoundRateMax)
 	compBytesBefore := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "comp_bytes_before",
 			Help:      "Bytes sent via cross-stream compression, pre compression",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(compBytesBefore)
 	compBytesAfter := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "comp_bytes_after",
 			Help:      "Bytes sent via cross-stream compression, post compression",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(compBytesAfter)
 	compRateAve := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
 			Subsystem: muxerSubsystem,
 			Name:      "comp_rate_ave",
 			Help:      "Average outbound cross-stream compression ratio",
 		},
 		[]string{"connection_id"},
 	)
 	prometheus.MustRegister(compRateAve)
 	return &muxerMetrics{
 		rtt:              rtt,
 		rttMin:           rttMin,
 		rttMax:           rttMax,
 		receiveWindowAve: receiveWindowAve,
 		sendWindowAve:    sendWindowAve,
 		receiveWindowMin: receiveWindowMin,
 		receiveWindowMax: receiveWindowMax,
 		sendWindowMin:    sendWindowMin,
 		sendWindowMax:    sendWindowMax,
 		inBoundRateCurr:  inBoundRateCurr,
 		inBoundRateMin:   inBoundRateMin,
 		inBoundRateMax:   inBoundRateMax,
 		outBoundRateCurr: outBoundRateCurr,
 		outBoundRateMin:  outBoundRateMin,
 		outBoundRateMax:  outBoundRateMax,
 		compBytesBefore:  compBytesBefore,
 		compBytesAfter:   compBytesAfter,
 		compRateAve:      compRateAve,
 	}
 }
 func (m *muxerMetrics) update(connectionID string, metrics *h2mux.MuxerMetrics) {
 	m.rtt.WithLabelValues(connectionID).Set(convertRTTMilliSec(metrics.RTT))
 	m.rttMin.WithLabelValues(connectionID).Set(convertRTTMilliSec(metrics.RTTMin))
 	m.rttMax.WithLabelValues(connectionID).Set(convertRTTMilliSec(metrics.RTTMax))
 	m.receiveWindowAve.WithLabelValues(connectionID).Set(metrics.ReceiveWindowAve)
 	m.sendWindowAve.WithLabelValues(connectionID).Set(metrics.SendWindowAve)
 	m.receiveWindowMin.WithLabelValues(connectionID).Set(float64(metrics.ReceiveWindowMin))
 	m.receiveWindowMax.WithLabelValues(connectionID).Set(float64(metrics.ReceiveWindowMax))
 	m.sendWindowMin.WithLabelValues(connectionID).Set(float64(metrics.SendWindowMin))
 	m.sendWindowMax.WithLabelValues(connectionID).Set(float64(metrics.SendWindowMax))
 	m.inBoundRateCurr.WithLabelValues(connectionID).Set(float64(metrics.InBoundRateCurr))
 	m.inBoundRateMin.WithLabelValues(connectionID).Set(float64(metrics.InBoundRateMin))
 	m.inBoundRateMax.WithLabelValues(connectionID).Set(float64(metrics.InBoundRateMax))
 	m.outBoundRateCurr.WithLabelValues(connectionID).Set(float64(metrics.OutBoundRateCurr))
 	m.outBoundRateMin.WithLabelValues(connectionID).Set(float64(metrics.OutBoundRateMin))
 	m.outBoundRateMax.WithLabelValues(connectionID).Set(float64(metrics.OutBoundRateMax))
 	m.compBytesBefore.WithLabelValues(connectionID).Set(float64(metrics.CompBytesBefore.Value()))
 	m.compBytesAfter.WithLabelValues(connectionID).Set(float64(metrics.CompBytesAfter.Value()))
 	m.compRateAve.WithLabelValues(connectionID).Set(float64(metrics.CompRateAve()))
 }
 func convertRTTMilliSec(t time.Duration) float64 {
 	return float64(t / time.Millisecond)
 }
 // Metrics that can be collected without asking the edge
 func initTunnelMetrics() *tunnelMetrics {
 	maxConcurrentRequestsPerTunnel := prometheus.NewGaugeVec(
@ -408,7 +137,6 @@ func initTunnelMetrics() *tunnelMetrics {
 	return &tunnelMetrics{
 		serverLocations:     serverLocations,
 		oldServerLocations:  make(map[string]string),
 		muxerMetrics:        newMuxerMetrics(),
 		tunnelsHA:           newTunnelsForHA(),
 		regSuccess:          registerSuccess,
 		regFail:             registerFail,
@ -418,10 +146,6 @@ func initTunnelMetrics() *tunnelMetrics {
 	}
 }
 func (t *tunnelMetrics) updateMuxerMetrics(connectionID string, metrics *h2mux.MuxerMetrics) {
 	t.muxerMetrics.update(connectionID, metrics)
 }
 func (t *tunnelMetrics) registerServerLocation(connectionID, loc string) {
 	t.locationLock.Lock()
 	defer t.locationLock.Unlock()
--- a/connection/observer.go
+++ b/connection/observer.go
@ -46,8 +46,16 @@ func (o *Observer) RegisterSink(sink EventSink) {
 	o.addSinkChan <- sink
 }
 func (o *Observer) logConnecting(connIndex uint8, address net.IP, protocol Protocol) {
 	o.log.Debug().
 		Int(management.EventTypeKey, int(management.Cloudflared)).
 		Uint8(LogFieldConnIndex, connIndex).
 		IPAddr(LogFieldIPAddress, address).
 		Str(LogFieldProtocol, protocol.String()).
 		Msg("Registering tunnel connection")
 }
 func (o *Observer) logConnected(connectionID uuid.UUID, connIndex uint8, location string, address net.IP, protocol Protocol) {
 	o.sendEvent(Event{Index: connIndex, EventType: Connected, Location: location})
 	o.log.Info().
 		Int(management.EventTypeKey, int(management.Cloudflared)).
 		Str(LogFieldConnectionID, connectionID.String()).
@ -63,8 +71,8 @@ func (o *Observer) sendRegisteringEvent(connIndex uint8) {
 	o.sendEvent(Event{Index: connIndex, EventType: RegisteringTunnel})
 }
-func (o *Observer) sendConnectedEvent(connIndex uint8, protocol Protocol, location string) {
+func (o *Observer) sendConnectedEvent(connIndex uint8, protocol Protocol, location string, edgeAddress net.IP) {
-	o.sendEvent(Event{Index: connIndex, EventType: Connected, Protocol: protocol, Location: location})
+	o.sendEvent(Event{Index: connIndex, EventType: Connected, Protocol: protocol, Location: location, EdgeAddress: edgeAddress})
 }
 func (o *Observer) SendURL(url string) {
--- a/Show More
+++ b/Show More