Release 2026.3.0

fix: Update go-sentry and go-oidc to address CVE's
chore: Addressing small fixes and typos
2026-03-06 12:53:40 +00:00 · 2026-03-05 19:10:16 +00:00 · 2026-03-05 16:53:48 +00:00 · 2026-03-05 16:31:24 +00:00 · 2026-02-24 11:17:27 +00:00 · 2026-02-23 14:22:02 +00:00
1475 changed files with 94300 additions and 89705 deletions
--- a/.ci/apt-internal.gitlab-ci.yml
+++ b/.ci/apt-internal.gitlab-ci.yml
@ -0,0 +1,151 @@
 .register_inputs: &register_inputs
  stage: release-internal
  runOnBranches: "^master$"
  COMPONENT: "common"
 .register_inputs_stable_bookworm: &register_inputs_stable_bookworm
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "bookworm"
  SERIES: "stable"
 .register_inputs_stable_trixie: &register_inputs_stable_trixie
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "trixie"
  SERIES: "stable"
 .register_inputs_next_bookworm: &register_inputs_next_bookworm
  <<: *register_inputs
  FLAVOR: "bookworm"
  SERIES: next
 .register_inputs_next_trixie: &register_inputs_next_trixie
  <<: *register_inputs
  FLAVOR: "trixie"
  SERIES: next
 ################################################
 ### Generate Debian Package for Internal APT ###
 ################################################
 .cloudflared-apt-build: &cloudflared_apt_build
  stage: package
  needs:
    - ci-image-get-image-ref
    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
  image: $BUILD_IMAGE
  cache: {}
  script:
    - make cloudflared-deb
  artifacts:
    paths:
      - cloudflared*.deb
 ##############
 ### Stable ###
 ##############
 cloudflared-amd64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &amd64-stable-vars
    GOOS: linux
    GOARCH: amd64
    FIPS: true
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 cloudflared-arm64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &arm64-stable-vars
    GOOS: linux
    GOARCH: arm64
    FIPS: false # TUN-7595
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 ############
 ### Next ###
 ############
 cloudflared-amd64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *amd64-stable-vars
    NIGHTLY: true
 cloudflared-arm64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *arm64-stable-vars
    NIGHTLY: true
 include:
  - local: .ci/commons.gitlab-ci.yml
  ##########################################
  ### Publish Packages to Internal Repos ###
  ##########################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-amd64
      needs: &amd64-stable ["cloudflared-amd64-stable"]
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-arm64
      needs: &arm64-stable ["cloudflared-arm64-stable"]
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-amd64
      needs: *amd64-stable
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-arm64
      needs: *arm64-stable
  ##################################################
  ### Publish Nightly Packages to Internal Repos ###
  ##################################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-amd64
      needs: &amd64-next ['cloudflared-amd64-next']
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-arm64
      needs: &arm64-next ['cloudflared-arm64-next']
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-amd64
      needs: *amd64-next
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-arm64
      needs: *arm64-next
--- a/.ci/ci-image.gitlab-ci.yml
+++ b/.ci/ci-image.gitlab-ci.yml
@ -0,0 +1,31 @@
 # Builds a custom CI Image when necessary
 include:
  #####################################################
  ############## Build and Push CI Image ##############
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnChangesTo: [".ci/image/**"]
      runOnMR: true
      runOnBranches: '^master$'
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
  #####################################################
  ## Resolve the image reference for downstream jobs ##
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnMR: true
      runOnBranches: '^master$'
      IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
      VARIABLE_NAME: BUILD_IMAGE
      needs:
        - job: ci-image-build-push-image
          optional: true
--- a/.ci/commons.gitlab-ci.yml
+++ b/.ci/commons.gitlab-ci.yml
@ -0,0 +1,45 @@
 ## A set of predefined rules to use on the different jobs
 .default-rules:
  # Rules to run the job only on the master branch
  run-on-master:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only on merge requests
  run-on-mr:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: on_success
    - when: never
  # Rules to run the job on merge_requests and master branch
  run-always:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only when a release happens
  run-on-release:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
          - 'RELEASE_NOTES'
      when: on_success
    - when: never
 .component-tests:
  image: $BUILD_IMAGE
  rules:
    - !reference [.default-rules, run-always]
  variables:
    COMPONENT_TESTS_CONFIG: component-test-config.yaml
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
  secrets:
    DNS_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
      file: false
    COMPONENT_TESTS_ORIGINCERT:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
      file: false
  cache: {}
--- a/.ci/github.gitlab-ci.yml
+++ b/.ci/github.gitlab-ci.yml
@ -0,0 +1,17 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ######################################
 ### Sync master branch with Github ###
 ######################################
 push-github:
  stage: sync
  rules:
    - !reference [.default-rules, run-on-master]
  script:
    - ./.ci/scripts/github-push.sh
  secrets:
    CLOUDFLARED_DEPLOY_SSH_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
      file: false
  cache: {}
--- a/.ci/image/.docker-images
+++ b/.ci/image/.docker-images
@ -0,0 +1,2 @@
 images:
  - name: ci-image
--- a/.ci/image/Dockerfile
+++ b/.ci/image/Dockerfile
@ -0,0 +1,39 @@
 ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
 FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/trixie/main:2026.1.0@sha256:e32092fd01520f5ae7de1fa6bb5a721720900ebeaa48e98f36f6f86168833cd7
 RUN apt-get update && \
  apt-get upgrade -y && \
  apt-get install --no-install-recommends --allow-downgrades -y \
  build-essential \
  git \
  go-boring=1.24.13-1 \
  libffi-dev \
  procps \
  python3-dev \
  python3-pip \
  python3-setuptools \
  python3-venv \
  # tool to create msi packages
  wixl \
  # install ruby and rpm which are required to install fpm package builder
  rpm \
  ruby \
  ruby-dev \
  rubygems \
  # create deb and rpm repository files
  reprepro \
  createrepo-c \
  # gcc for cross architecture compilation in arm
  gcc-aarch64-linux-gnu \
  libc6-dev-arm64-cross && \
  rm -rf /var/lib/apt/lists/* && \
  # Install fpm gem
  gem install fpm --no-document && \
  # Initialize rpm repository, SQL Lite DB
  mkdir -p /var/lib/rpm && \
  rpm --initdb && \
  chmod -R 777 /var/lib/rpm && \
  # Create work directory
  mkdir -p opt
 WORKDIR /opt
--- a/.ci/linux.gitlab-ci.yml
+++ b/.ci/linux.gitlab-ci.yml
@ -0,0 +1,122 @@
 .golang-inputs: &golang_inputs
  runOnMR: true
  runOnBranches: "^master$"
  outputDir: artifacts
  runner: linux-x86-8cpu-16gb
  stage: build
  golangVersion: "boring-1.24"
  imageVersion: "3462-0b23466e0715@sha256:42e8533370666a2463041572293a79e1449001ef803a993e6a860be00858c806"
  CGO_ENABLED: 1
 .default-packaging-job: &packaging-job-defaults
  stage: package
  needs:
    - ci-image-get-image-ref
  rules:
    - !reference [.default-rules, run-on-master]
  image: $BUILD_IMAGE
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 include:
  ###################
  ### Linux Build ###
  ###################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-build
      GOLANG_MAKE_TARGET: ci-build
  ########################
  ### Linux FIPS Build ###
  ########################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-fips-build
      GOLANG_MAKE_TARGET: ci-fips-build
  #################
  ### Unit Tests ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test
      GOLANG_MAKE_TARGET: ci-test
  ######################
  ### Unit Tests FIPS ##
  ######################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test-fips
      GOLANG_MAKE_TARGET: ci-fips-test
  #################
  ### Vuln Check ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      runOnBranches: "^$"
      stage: validate
      jobPrefix: vulncheck
      GOLANG_MAKE_TARGET: vulncheck
 #################################
 ### Run Linux Component Tests ###
 #################################
 linux-component-tests: &linux-component-tests
  stage: test
  extends: .component-tests
  needs:
    - ci-image-get-image-ref
    - linux-build-boring-make
  script:
    - ./.ci/scripts/component-tests.sh
  variables: &component-tests-variables
    CI: 1
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
  tags:
    - linux-x86-8cpu-16gb
  artifacts:
    reports:
      junit: report.xml
 ######################################
 ### Run Linux FIPS Component Tests ###
 ######################################
 linux-component-tests-fips:
  <<: *linux-component-tests
  needs:
    - ci-image-get-image-ref
    - linux-fips-build-boring-make
  variables:
    <<: *component-tests-variables
    COMPONENT_TESTS_FIPS: 1
 ################################
 ####### Linux Packaging ########
 ################################
 linux-packaging:
  <<: *packaging-job-defaults
  parallel:
    matrix:
      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
  script:
    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
 ################################
 ##### Linux FIPS Packaging #####
 ################################
 linux-packaging-fips:
  <<: *packaging-job-defaults
  script:
    - ./.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/mac.gitlab-ci.yml
+++ b/.ci/mac.gitlab-ci.yml
@ -0,0 +1,66 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###############################
 ### Defaults for Mac Builds ###
 ###############################
 .mac-build-defaults: &mac-build-defaults
  rules:
    - !reference [.default-rules, run-on-mr]
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  cache: {}
 ######################################
 ### Build Cloudflared Mac Binaries ###
 ######################################
 macos-build-cloudflared: &mac-build
  <<: *mac-build-defaults
  stage: build
  artifacts:
    paths:
      - artifacts/*
  script:
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    - ./.ci/scripts/mac/install-go.sh "$MAC_GO_VERSION"
    - BUILD_SCRIPT=.ci/scripts/mac/build.sh
    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    - exec ${BUILD_SCRIPT}
 ###############################################
 ### Build and Sign Cloudflared Mac Binaries ###
 ###############################################
 macos-build-and-sign-cloudflared:
  <<: *mac-build
  rules:
    - !reference [.default-rules, run-on-master]
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
      file: false
--- a/.ci/release.gitlab-ci.yml
+++ b/.ci/release.gitlab-ci.yml
@ -0,0 +1,133 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
  ######################################
  ### Build and Push DockerHub Image ###
  ######################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: release
      jobPrefix: docker-hub
      runOnMR: false
      runOnBranches: '^master$'
      runOnChangesTo: ['RELEASE_NOTES']
      needs:
        - generate-version-file
        - release-cloudflared-to-r2
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      # Based on if the CI reference is protected or not the CI component will
      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
      # we simply set both to the same value.
      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
      DOCKER_USER_PROD: *docker-hub-user
      DOCKER_PASSWORD_PROD: *docker-hub-password
      EXTRA_DIB_ARGS: --overwrite
 .default-release-job: &release-job-defaults
  stage: release
  image: $BUILD_IMAGE
  cache:
    paths:
      - .cache/pip
  variables: &release-job-variables
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # KV Vars
    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
    # R2 Vars
    R2_BUCKET: cloudflared-pkgs
    R2_ACCOUNT_ID: *cf-account
    # APT and RPM Repository Vars
    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
    BINARY_NAME: cloudflared
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
    R2_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
      file: false
    R2_CLIENT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
      file: false
 ###########################################
 ### Push Cloudflared Binaries to Github ###
 ###########################################
 release-cloudflared-to-github:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging
    - linux-packaging-fips
    - macos-build-and-sign-cloudflared
    - windows-package-sign
  script:
    - ./.ci/scripts/release-target.sh github-release
 #########################################
 ### Upload Cloudflared Binaries to R2 ###
 #########################################
 release-cloudflared-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
    - release-cloudflared-to-github
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #################################################
 ### Upload Cloudflared Nightly Binaries to R2 ###
 #################################################
 release-cloudflared-nightly-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *release-job-variables
    R2_BUCKET: cloudflared-pkgs-next
    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #############################
 ### Generate Version File ###
 #############################
 generate-version-file:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
  script:
    - make generate-docker-version
  artifacts:
    paths:
      - versions
--- a/.ci/scripts/component-tests.sh
+++ b/.ci/scripts/component-tests.sh
@ -0,0 +1,25 @@
 #!/bin/bash
 set -e -u -o pipefail
 # Fetch cloudflared from the artifacts folder
 mv ./artifacts/cloudflared ./cloudflared
 python3 -m venv env
 . env/bin/activate
 pip install --upgrade -r component-tests/requirements.txt
 # Creates and routes a Named Tunnel for this build. Also constructs
 # config file from env vars.
 python3 component-tests/setup.py --type create
 # Define the cleanup function
 cleanup() {
    # The Named Tunnel is deleted and its route unprovisioned here.
    python3 component-tests/setup.py --type cleanup
 }
 # The trap will call the cleanup function on script exit
 trap cleanup EXIT
 pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
--- a/.ci/scripts/fmt-check.sh
+++ b/.ci/scripts/fmt-check.sh
@ -0,0 +1,13 @@
 #!/bin/bash
 set -e -u -o pipefail
 OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
 if [ -n "$OUTPUT" ] ; then
  PAGER=$(which colordiff || echo cat)
  echo
  echo "Code formatting issues found, use 'make fmt' to correct them"
  echo
  echo "$OUTPUT" | $PAGER
  exit 1
 fi
--- a/.ci/scripts/github-push.sh
+++ b/.ci/scripts/github-push.sh
@ -0,0 +1,31 @@
 #!/bin/bash
 set -e -u -o pipefail
 BRANCH="master"
 TMP_PATH="$PWD/tmp"
 PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
 PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
 mkdir -p $TMP_PATH
 # Setup Private Key
 echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
 chmod 400 $PRIVATE_KEY_PATH
 # Download GitHub Public Key for KnownHostsFile
 ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
 # Setup git ssh command with the right configurations
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
 # Add GitHub as a new remote
 git remote add github git@github.com:cloudflare/cloudflared.git || true
 # GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
 # Therefore, we need to manually fetch the reference to then push it to GitHub.
 git fetch origin $BRANCH:$BRANCH
 git push -u github $BRANCH
 if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
  git push -u github "$TAG"
 fi
--- a/.ci/scripts/linux/build-packages-fips.sh
+++ b/.ci/scripts/linux/build-packages-fips.sh
@ -1,4 +1,5 @@
 #!/bin/bash
 set -e -u -o pipefail
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
--- a/.ci/scripts/linux/build-packages.sh
+++ b/.ci/scripts/linux/build-packages.sh
@ -0,0 +1,60 @@
 #!/bin/bash
 set -e -u -o pipefail
 # Check if architecture argument is provided
 if [ $# -eq 0 ]; then
    echo "Error: Architecture argument is required"
    echo "Usage: $0 <architecture>"
    exit 1
 fi
 # Parameters
 arch=$1
 # Get Version
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 export TARGET_OS=linux
 unset TARGET_ARM
 export TARGET_ARCH=$arch
 ## Support for arm platforms without hardware FPU enabled
 if [[ $arch == arm ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=5
 fi
 ## Support for armhf builds
 if [[ $arch == armhf ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=7
 fi
 make cloudflared-deb
 mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH=$arch
 if [ $arch == "amd64" ];then
    RPMARCH="x86_64"
 fi
 if [ $arch == "arm64" ]; then
    RPMARCH="aarch64"
 fi
 make cloudflared-rpm
 mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
--- a/.ci/scripts/mac/build.sh
+++ b/.ci/scripts/mac/build.sh
@ -49,7 +49,7 @@ import_certificate() {
      echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
      # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
      # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
-      local out=$(security import ${CERTIFICATE_FILE_NAME} -A 2>&1) || true
+      local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true
      local exitcode=$?
      # delete the certificate from disk
      rm -rf ${CERTIFICATE_FILE_NAME}
@ -68,6 +68,28 @@ import_certificate() {
    fi
 }
 create_cloudflared_build_keychain() {
  # Reusing the private key password as the keychain key
  local PRIVATE_KEY_PASS=$1
  # Create keychain only if it doesn't already exist
  if [ ! -f "$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db" ]; then
    security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
  else
    echo "Keychain already exists: cloudflared_build_keychain"
  fi
  # Append temp keychain to the user domain
  security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
  # Remove relock timeout
  security set-keychain-settings cloudflared_build_keychain
  # Unlock keychain so it doesn't require password
  security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
 }
 # Imports private keys to the Apple KeyChain
 import_private_keys() {
    local PRIVATE_KEY_NAME=$1
@ -83,7 +105,7 @@ import_private_keys() {
        echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
        # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
        # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
-        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
+        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
        local exitcode=$?
        rm -rf ${PRIVATE_KEY_FILE_NAME}
        if [ -n "$out" ]; then
@ -100,6 +122,9 @@ import_private_keys() {
    fi
 }
 # Create temp keychain only for this build
 create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
 # Add Apple Root Developer certificate to the key chain
 import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
@ -119,8 +144,8 @@ import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
-  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
+  if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
-    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
+    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
@ -130,8 +155,8 @@ fi
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
-  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
+  if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
-    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
+    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
@ -142,9 +167,16 @@ rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # This allows apple tools to use the certificates in the keychain without requiring password input.
 # This command always needs to run after the certificates have been loaded into the keychain
 if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
  security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
-  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
+  codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 # notarize the binary
 # TODO: TUN-5789
@ -165,11 +197,13 @@ tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --keychain cloudflared_build_keychain \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
@ -187,3 +221,8 @@ fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
 # cleanup the keychain
 security default-keychain -d user -s login.keychain-db
 security list-keychains -d user -s login.keychain-db
 security delete-keychain cloudflared_build_keychain
--- a/.ci/scripts/mac/install-go.sh
+++ b/.ci/scripts/mac/install-go.sh
@ -0,0 +1,14 @@
 rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 if [ -z "$1" ]
  then
    echo "No go version supplied"
 fi
 brew install "$1"
 go version
 which go
 go env
--- a/.ci/scripts/package-windows.sh
+++ b/.ci/scripts/package-windows.sh
@ -1,19 +1,25 @@
 #!/bin/bash
 set -e -u -o pipefail
 python3 -m venv env
 . env/bin/activate
 pip install pynacl==1.4.0 pygithub==1.55
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
-export BUILT_ARTIFACT_DIR=built_artifacts/
+export BUILT_ARTIFACT_DIR=artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
-    # Copy exe into final directory
+    # Copy .exe from artifacts directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe 
 done
--- a/.ci/scripts/release-target.sh
+++ b/.ci/scripts/release-target.sh
@ -0,0 +1,18 @@
 #!/bin/bash
 set -e -u -o pipefail
 # Check if a make target is provided as an argument
 if [ $# -eq 0 ]; then
    echo "Error: Make target argument is required"
    echo "Usage: $0 <make-target>"
    exit 1
 fi
 MAKE_TARGET=$1
 python3 -m venv venv
 source venv/bin/activate
 # Our release scripts are written in python, so we should install their dependecies here.
 pip install pynacl==1.4.0 pygithub==1.55 boto3==1.42.30 python-gnupg==0.4.9
 make $MAKE_TARGET
--- a/.ci/scripts/vuln-check.sh
+++ b/.ci/scripts/vuln-check.sh
@ -0,0 +1,53 @@
 #!/bin/bash
 set -e -u
 # Define the file to store the list of vulnerabilities to ignore.
 IGNORE_FILE=".vulnignore"
 go version
 # Check if the ignored vulnerabilities file exists. If not, create an empty one.
 if [ ! -f "$IGNORE_FILE" ]; then
  touch "$IGNORE_FILE"
  echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
  echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >>"$IGNORE_FILE"
  echo "# You can also add comments on the same line after the ID." >>"$IGNORE_FILE"
  echo "" >>"$IGNORE_FILE"
 fi
 # Run govulncheck and capture its output.
 VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
 # Print the govuln output
 echo "====================================="
 echo "Full Output of govulncheck:"
 echo "====================================="
 echo "$VULN_OUTPUT"
 echo "====================================="
 echo "End of govulncheck Output"
 echo "====================================="
 # Process the ignore file to remove comments and empty lines.
 # The 'cut' command gets the vulnerability ID and removes anything after the '#'.
 # The 'grep' command filters out empty lines and lines starting with '#'.
 CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
 # Filter out the ignored vulnerabilities.
 UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability' || true)
 # If the list of ignored vulnerabilities is not empty, filter them out.
 if [ -n "$CLEAN_IGNORES" ]; then
  UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
 fi
 # If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
 if [ -n "$UNIGNORED_VULNS" ]; then
  echo "🚨 Found new, unignored vulnerabilities:"
  echo "-------------------------------------"
  echo "$UNIGNORED_VULNS"
  echo "-------------------------------------"
  echo "Exiting with an error. ❌"
  exit 1
 else
  echo "🎉 No new vulnerabilities found. All clear! ✨"
  exit 0
 fi
--- a/.ci/scripts/windows/builds.ps1
+++ b/.ci/scripts/windows/builds.ps1
@ -0,0 +1,29 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 New-Item -Path ".\artifacts" -ItemType Directory
 Write-Output "Building for amd64"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 # Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:TARGET_ARCH = "386"
 $env:LOCAL_ARCH = "386"
 $env:CGO_ENABLED = 0
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 ## Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe
--- a/.ci/scripts/windows/component-test.ps1
+++ b/.ci/scripts/windows/component-test.ps1
@ -0,0 +1,40 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 python --version
 python -m pip --version
 Write-Host "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 Write-Host "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 go test -failfast -v -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 # On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
 $env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
 Write-Host "No Proxy: ${env:NO_PROXY}"
 Write-Host "Running component tests"
 try {
    python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
    python component-tests/setup.py --type create
    python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
    if ($LASTEXITCODE -ne 0) {
        throw "Failed component tests"
    }
 } finally {
    python component-tests/setup.py --type cleanup
 }
--- a/.ci/scripts/windows/go-wrapper.ps1
+++ b/.ci/scripts/windows/go-wrapper.ps1
@ -0,0 +1,69 @@
 Param(
    [string]$GoVersion,
    [string]$ScriptToExecute
 )
 # The script is a wrapper that downloads a specific version
 # of go, adds it to the PATH and executes a script with that go
 # version in the path.
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Get the path to the system's temporary directory.
 $tempPath = [System.IO.Path]::GetTempPath()
 # Create a unique name for the new temporary folder.
 $folderName = "go_" + (Get-Random)
 # Join the temp path and the new folder name to create the full path.
 $fullPath = Join-Path -Path $tempPath -ChildPath $folderName
 # Store the current value of PATH environment variable.
 $oldPath = $env:Path
 # Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
 try {
    # Create the temporary folder.
    Write-Host "Creating temporary folder at: $fullPath"
    $newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
    # Download go
    $url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
    $destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
    Write-Host "Downloading go from: $url"
    Invoke-WebRequest -Uri $url -OutFile $destinationFile
    Write-Host "File downloaded to: $destinationFile"
    # Unzip the downloaded file.
    Write-Host "Unzipping the file..."
    Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
    Write-Host "File unzipped successfully."
    # Define the go/bin path wich is inside the temporary folder
    $goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
    # Add the go/bin path to the PATH environment variable.
    $env:Path = "$goBinPath;$($env:Path)"
    Write-Host "Added $goBinPath to the environment PATH."
    go env
    go version
    & $ScriptToExecute
 } finally {
    # Cleanup: Remove the path from the environment variable and then the temporary folder.
    Write-Host "Starting cleanup..."
    $env:Path = $oldPath
    Write-Host "Reverted changes in the environment PATH."
    # Remove the temporary folder and its contents.
    if (Test-Path -Path $fullPath) {
        Remove-Item -Path $fullPath -Recurse -Force
        Write-Host "Temporary folder and its contents have been removed."
    } else {
        Write-Host "Temporary folder does not exist, no cleanup needed."
    }
 }
--- a/.ci/scripts/windows/sign-msi.ps1
+++ b/.ci/scripts/windows/sign-msi.ps1
@ -0,0 +1,26 @@
 # Sign Windows artifacts using azuretool
 # This script processes MSI files from the artifacts directory
 $ErrorActionPreference = "Stop"
 # Define paths
 $ARTIFACT_DIR = "artifacts"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
 # Find all Windows MSI files
 $msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
 if ($msiFiles.Count -eq 0) {
    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
    exit 1
 }
 Write-Host "Found $($msiFiles.Count) file(s) to sign:"
 foreach ($file in $msiFiles) {
    Write-Host "Running azuretool sign for $($file.Name)"
    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
 }
 Write-Host "Signing process completed"
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@ -0,0 +1,114 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###################################
 ### Defaults for Windows Builds ###
 ###################################
 .windows-build-defaults: &windows-build-defaults
  rules:
    - !reference [.default-rules, run-always]
  tags:
    - windows-x86
  cache: {}
 ##########################################
 ### Build Cloudflared Windows Binaries ###
 ##########################################
 windows-build-cloudflared:
  <<: *windows-build-defaults
  stage: build
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${WIN_GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
  artifacts:
    paths:
      - artifacts/*
 ######################################################
 ### Load Environment Variables for Component Tests ###
 ######################################################
 windows-load-env-variables:
  stage: pre-build
  extends: .component-tests
  script:
    - echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
    - echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
    - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
    # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
    - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
  variables:
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
  secrets:
    KEY_VAULT_URL:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
      file: false
    KEY_VAULT_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
      file: false
    KEY_VAULT_TENANT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
      file: false
    KEY_VAULT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
      file: false
    KEY_VAULT_CERTIFICATE:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv
      file: false
  artifacts:
    access: 'none'
    reports:
      dotenv: windows.env
 ###################################
 ### Run Windows Component Tests ###
 ###################################
 windows-component-tests-cloudflared:
  <<: *windows-build-defaults
  stage: test
  needs: ["windows-load-env-variables"]
  script:
    # We have to decode the secret we encoded on the `windows-load-env-variables` job
    - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${WIN_GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
  artifacts:
    reports:
      junit: report.xml
 ################################
 ### Package Windows Binaries ###
 ################################
 windows-package:
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - ci-image-get-image-ref
    - windows-build-cloudflared
  image: $BUILD_IMAGE
  script:
    - .ci/scripts/package-windows.sh
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 #############################
 ### Sign Windows Binaries ###
 #############################
 windows-package-sign:
  <<: *windows-build-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - windows-package
    - windows-load-env-variables
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
  artifacts:
    paths:
      - artifacts/*
--- a/.gitignore
+++ b/.gitignore
@ -18,3 +18,4 @@ ssh_server_tests/.env
 /.cover
 built_artifacts/
 component-tests/.venv
 /artifacts
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,69 @@
 variables:
  GO_VERSION: "1.24.13"
  MAC_GO_VERSION: "go@$GO_VERSION"
  WIN_GO_VERSION: "go$GO_VERSION"
  GIT_DEPTH: "0"
 default:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org
 stages:
  [
    sync,
    pre-build,
    build,
    validate,
    test,
    package,
    release,
    release-internal,
    review,
  ]
 include:
  #####################################################
  ########## Import Commons Configurations ############
  #####################################################
  - local: .ci/commons.gitlab-ci.yml
  #####################################################
  ########### Sync Repository with Github #############
  #####################################################
  - local: .ci/github.gitlab-ci.yml
  #####################################################
  ############# Build or Fetch CI Image ###############
  #####################################################
  - local: .ci/ci-image.gitlab-ci.yml
  #####################################################
  ################## Linux Builds ###################
  #####################################################
  - local: .ci/linux.gitlab-ci.yml
  #####################################################
  ################## Windows Builds ###################
  #####################################################
  - local: .ci/windows.gitlab-ci.yml
  #####################################################
  ################### macOS Builds ####################
  #####################################################
  - local: .ci/mac.gitlab-ci.yml
  #####################################################
  ################# Release Packages ##################
  #####################################################
  - local: .ci/release.gitlab-ci.yml
  #####################################################
  ########## Release Packages Internally ##############
  #####################################################
  - local: .ci/apt-internal.gitlab-ci.yml
  #####################################################
  ############## Manual Claude Review #################
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -27,7 +27,7 @@ linters:
    - sloglint         # Ensure consistent code style when using log/slog.
    - sqlclosecheck    # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.
    - staticcheck      # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.
-    - tenv             # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
+    - usetesting       # Reports uses of functions with replacement inside the testing package.
    - testableexamples # Linter checks if examples are testable (have an expected output).
    - testifylint      # Checks usage of github.com/stretchr/testify.
    - tparallel        # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.
--- a/.teamcity/install-cloudflare-go.sh
+++ b/.teamcity/install-cloudflare-go.sh
@ -1,8 +0,0 @@
 # !/usr/bin/env bash
 cd /tmp
 git clone -q https://github.com/cloudflare/go
 cd go/src
 # https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
 git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
 ./make.bash
--- a/.teamcity/mac/install-cloudflare-go.sh
+++ b/.teamcity/mac/install-cloudflare-go.sh
@ -1,10 +0,0 @@
 rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 ./.teamcity/install-cloudflare-go.sh
 export PATH="/tmp/go/bin:$PATH"
 go version
 which go
 go env
--- a/.teamcity/windows/builds.ps1
+++ b/.teamcity/windows/builds.ps1
@ -1,28 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Relative path to working directory
 $CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
 cd $CloudflaredDirectory
 Write-Output "Building for amd64"
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 go env
 go version
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:CGO_ENABLED = 0
 $env:TARGET_ARCH = "386"
 make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 copy .\cloudflared.exe .\cloudflared-windows-386.exe
--- a/.teamcity/windows/component-test.ps1
+++ b/.teamcity/windows/component-test.ps1
@ -1,47 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $WorkingDirectory = Get-Location
 $CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
 go env
 go version
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 python --version
 python -m pip --version
 cd $CloudflaredDirectory
 go env
 go version
 Write-Output "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 echo $LASTEXITCODE
 Write-Output "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 & go test -failfast -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 Write-Output "Running component tests"
 python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
 python component-tests/setup.py --type create
 python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
 if ($LASTEXITCODE -ne 0) {
    python component-tests/setup.py --type cleanup
    throw "Failed component tests"
 }
 python component-tests/setup.py --type cleanup
--- a/.teamcity/windows/install-cloudflare-go.ps1
+++ b/.teamcity/windows/install-cloudflare-go.ps1
@ -1,16 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 Write-Output "Downloading cloudflare go..."
 Set-Location "$Env:Temp"
 git clone -q https://github.com/cloudflare/go
 Write-Output "Building go..."
 cd go/src
 # https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
 git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
 & ./make.bat
 Write-Output "Installed"
--- a/.teamcity/windows/install-go-msi.ps1
+++ b/.teamcity/windows/install-go-msi.ps1
@ -1,20 +0,0 @@
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $GoMsiVersion = "go1.22.5.windows-amd64.msi"
 Write-Output "Downloading go installer..."
 Set-Location "$Env:Temp"
 (New-Object System.Net.WebClient).DownloadFile(
    "https://go.dev/dl/$GoMsiVersion",
    "$Env:Temp\$GoMsiVersion"
 )
 Write-Output "Installing go..."
 Install-Package "$Env:Temp\$GoMsiVersion" -Force
 # Go installer updates global $PATH
 go env
 Write-Output "Installed"
--- a/.vulnignore
+++ b/.vulnignore
@ -0,0 +1,2 @@
 # Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
 # You can also add comments on the same line after the ID.
--- a/AGENTS.md
+++ b/AGENTS.md
@ -0,0 +1,251 @@
 # Cloudflared
 Cloudflare's command-line tool and networking daemon written in Go.
 Production-grade tunneling and network connectivity services used by millions of
 developers and organizations worldwide.
 ## Essential Commands
 ### Build & Test (Always run before commits)
 ```bash
 # Full development check (run before any commit)
 make test lint
 # Build for current platform
 make cloudflared
 # Run all unit tests with coverage
 make test
 make cover
 # Run specific test
 go test -run TestFunctionName ./path/to/package
 # Run tests with race detection
 go test -race ./...
 ```
 ### Platform-Specific Builds
 ```bash
 # Linux
 TARGET_OS=linux TARGET_ARCH=amd64 make cloudflared
 # Windows
 TARGET_OS=windows TARGET_ARCH=amd64 make cloudflared
 # macOS ARM64
 TARGET_OS=darwin TARGET_ARCH=arm64 make cloudflared
 # FIPS compliant build
 FIPS=true make cloudflared
 ```
 ### Code Quality & Formatting
 ```bash
 # Run linter (38+ enabled linters)
 make lint
 # Auto-fix formatting
 make fmt
 gofmt -w .
 goimports -w .
 # Security scanning
 make vet
 # Component tests (Python integration tests)
 cd component-tests && python -m pytest test_file.py::test_function_name
 ```
 ## Project Knowledge
 ### Package Structure
 - Use meaningful package names that reflect functionality
 - Package names should be lowercase, single words when possible
 - Avoid generic names like `util`, `common`, `helper`
 ### Function and Method Guidelines
 ```go
 // Good: Clear purpose, proper error handling
 func (c *Connection) HandleRequest(ctx context.Context, req *http.Request) error {
    if req == nil {
        return errors.New("request cannot be nil")
    }
    // Implementation...
    return nil
 }
 ```
 ### Error Handling
 - Always handle errors explicitly, never ignore them
 - Use `fmt.Errorf` for error wrapping
 - Create meaningful error messages with context
 - Use error variables for common errors
 ```go
 // Good error handling patterns
 if err != nil {
    return fmt.Errorf("failed to process connection: %w", err)
 }
 ```
 ### Logging Standards
 - Use `github.com/rs/zerolog` for structured logging
 - Include relevant context fields
 - Use appropriate log levels (Debug, Info, Warn, Error)
 ```go
 logger.Info().
    Str("tunnelID", tunnel.ID).
    Int("connIndex", connIndex).
    Msg("Connection established")
 ```
 ### Testing Patterns
 - Use `github.com/stretchr/testify` for assertions
 - Test files end with `_test.go`
 - Use table-driven tests for multiple scenarios
 - Always use `t.Parallel()` for parallel-safe tests
 - Use meaningful test names that describe behavior
 ```go
 func TestMetricsListenerCreation(t *testing.T) {
    t.Parallel()
    // Test implementation
    assert.Equal(t, expected, actual)
    require.NoError(t, err)
 }
 ```
 ### Constants and Variables
 ```go
 const (
    MaxGracePeriod       = time.Minute * 3
    MaxConcurrentStreams = math.MaxUint32
    LogFieldConnIndex    = "connIndex"
 )
 var (
    // Group related variables
    switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))
    flushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType}
 )
 ```
 ### Type Definitions
 - Define interfaces close to their usage
 - Keep interfaces small and focused
 - Use descriptive names for complex types
 ```go
 type TunnelConnection interface {
    Serve(ctx context.Context) error
 }
 type TunnelProperties struct {
    Credentials    Credentials
    QuickTunnelUrl string
 }
 ```
 ## Key Architectural Patterns
 ### Context Usage
 - Always accept `context.Context` as first parameter for long-running operations
 - Respect context cancellation in loops and blocking operations
 - Pass context through call chains
 ### Concurrency
 - Use channels for goroutine communication
 - Protect shared state with mutexes
 - Prefer `sync.RWMutex` for read-heavy workloads
 ### Configuration
 - Use structured configuration with validation
 - Support both file-based and CLI flag configuration
 - Provide sensible defaults
 ### Metrics and Observability
 - Instrument code with Prometheus metrics
 - Use OpenTelemetry for distributed tracing
 - Include structured logging with relevant context
 ## Boundaries
 ### ✅ Always Do
 - Run `make test lint` before any commit
 - Handle all errors explicitly with proper context
 - Use `github.com/rs/zerolog` for all logging
 - Add `t.Parallel()` to all parallel-safe tests
 - Follow the import grouping conventions
 - Use meaningful variable and function names
 - Include context.Context for long-running operations
 - Close resources in defer statements
 ### ⚠️ Ask First Before
 - Adding new dependencies to go.mod
 - Modifying CI/CD configuration files
 - Changing build system or Makefile
 - Modifying component test infrastructure
 - Adding new linter rules or changing golangci-lint config
 - Making breaking changes to public APIs
 - Changing logging levels or structured logging fields
 ### 🚫 Never Do
 - Ignore errors without explicit handling (`_ = err`)
 - Use generic package names (`util`, `helper`, `common`)
 - Commit code that fails `make test lint`
 - Use `fmt.Print*` instead of structured logging
 - Modify vendor dependencies directly
 - Commit secrets, credentials, or sensitive data
 - Use deprecated or unsafe Go patterns
 - Skip testing for new functionality
 - Remove existing tests unless they're genuinely invalid
 ## Dependencies Management
 - Use Go modules (`go.mod`) exclusively
 - Vendor dependencies for reproducible builds
 - Keep dependencies up-to-date and secure
 - Prefer standard library when possible
 - Cloudflared uses a fork of quic-go always check release notes before bumping
  this dependency.
 ## Security Considerations
 - FIPS compliance support available
 - Vulnerability scanning integrated in CI
 - Credential handling follows security best practices
 - Network security with TLS/QUIC protocols
 - Regular security audits and updates
 - Post quantum encryption
 ## Common Patterns to Follow
 1. **Graceful shutdown**: Always implement proper cleanup
 2. **Resource management**: Close resources in defer statements
 3. **Error propagation**: Wrap errors with meaningful context
 4. **Configuration validation**: Validate inputs early
 5. **Logging consistency**: Use structured logging throughout
 6. **Testing coverage**: Aim for comprehensive test coverage
 7. **Documentation**: Comment exported functions and types
 Remember: This is a mission-critical networking tool used in production by many
 organizations. Code quality, security, and reliability are paramount.
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,3 +1,18 @@
 ## 2026.2.0
 ### Breaking Change
 - Removes the `proxy-dns` feature from cloudflared. This feature allowed running a local DNS over HTTPS (DoH) proxy.
  Users who relied on this functionality should migrate to alternative solutions.
  Removed commands and flags:
  - `cloudflared proxy-dns`
  - `cloudflared tunnel proxy-dns` 
  - `--proxy-dns`, `--proxy-dns-port`, `--proxy-dns-address`, `--proxy-dns-upstream`, `--proxy-dns-max-upstream-conns`, `--proxy-dns-bootstrap`
  - `resolver` section in configuration file
 ## 2025.7.1
 ### Notices
 - `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
 ## 2025.1.1
 ### New Features
 - This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.
@ -277,7 +292,7 @@ of uptime. Previous cloudflared versions will soon be unable to run legacy tempo
 ### Bug Fixes
 - Tunnel create and delete commands no longer use path to credentials from the configuration file.
-  If you need ot place tunnel credentials file at a specific location, you must use `--credentials-file` flag.
+  If you need to place tunnel credentials file at a specific location, you must use `--credentials-file` flag.
 - Access ssh-gen creates properly named keys for SSH short lived certs.
--- a/15
+++ b/15
@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.22.10 as builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  TARGET_GOOS=${TARGET_GOOS} \
@ -16,21 +16,22 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
-RUN PATH="/tmp/go/bin:$PATH" make cloudflared
+RUN make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian12:nonroot
+FROM gcr.io/distroless/base-debian13:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.22.10 as builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
@ -11,21 +11,22 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
-RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
+RUN GOOS=linux GOARCH=amd64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian12:nonroot
+FROM gcr.io/distroless/base-debian13:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.22.10 as builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
@ -11,21 +11,22 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
-RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
+RUN GOOS=linux GOARCH=arm64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian12:nonroot-arm64
+FROM gcr.io/distroless/base-debian13:nonroot-arm64
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as non-privileged user
+# run as nonroot user
-USER nonroot
+# We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/78
+++ b/78
@ -24,13 +24,19 @@ else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
-DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
+# Use git in windows since we don't have access to the `date` tool
 ifeq ($(TARGET_OS), windows)
 	DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
 else
 	DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
 endif
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif
-ifdef CONTAINER_BUILD 
+ifdef CONTAINER_BUILD
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
 endif
@ -56,8 +62,6 @@ PACKAGE_DIR    := $(CURDIR)/packaging
 PREFIX         := /usr
 INSTALL_BINDIR := $(PREFIX)/bin/
 INSTALL_MANDIR := $(PREFIX)/share/man/man1/
 CF_GO_PATH     := /tmp/go
 PATH           := $(CF_GO_PATH)/bin:$(PATH)
 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
@ -66,6 +70,8 @@ else ifeq ($(LOCAL_ARCH),x86_64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),amd64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),386)
    TARGET_ARCH ?= 386
 else ifeq ($(LOCAL_ARCH),i686)
    TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
@ -113,7 +119,7 @@ ifneq ($(TARGET_ARM), )
 	ARM_COMMAND := GOARM=$(TARGET_ARM)
 endif
-ifeq ($(TARGET_ARM), 7) 
+ifeq ($(TARGET_ARM), 7)
 	PACKAGE_ARCH := armhf
 else
 	PACKAGE_ARCH := $(TARGET_ARCH)
@ -122,6 +128,8 @@ endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 GO_TEST_LOG_OUTPUT = /tmp/gotest.log
 .PHONY: all
 all: cloudflared test
@ -129,6 +137,10 @@ all: cloudflared test
 clean:
 	go clean
 .PHONY: vulncheck
 vulncheck:
 	@./.ci/scripts/vuln-check.sh
 .PHONY: cloudflared
 cloudflared:
 ifeq ($(FIPS), true)
@ -150,11 +162,9 @@ generate-docker-version:
 .PHONY: test
 test: vet
-ifndef CI
+	$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
-	go test -v -mod=vendor -race $(LDFLAGS) ./...
+ifneq ($(FIPS), true)
-else
+	@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
 	@mkdir -p .cover
 	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
 endif
 .PHONY: cover
@ -172,26 +182,17 @@ fuzz:
 	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
-	@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
 	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
 .PHONY: install-go
 install-go:
 	rm -rf ${CF_GO_PATH}
 	./.teamcity/install-cloudflare-go.sh
 .PHONY: cleanup-go
 cleanup-go:
 	rm -rf ${CF_GO_PATH}
 cloudflared.1: cloudflared_man_template
 	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
-install: install-go cloudflared cloudflared.1 cleanup-go
+install: cloudflared cloudflared.1
 	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
 	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
 	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
@ -220,10 +221,6 @@ cloudflared-deb: cloudflared cloudflared.1
 cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)
 .PHONY: cloudflared-pkg
 cloudflared-pkg: cloudflared cloudflared.1
 	$(call build_package,osxpkg)
 .PHONY: cloudflared-msi
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
@ -234,13 +231,18 @@ github-release-dryrun:
 .PHONY: github-release
 github-release:
-	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
+	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
 	python3 github_message.py --release-version $(VERSION)
 .PHONY: r2-linux-release
 r2-linux-release:
 	python3 ./release_pkgs.py
 .PHONY: r2-next-linux-release
 # Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
 r2-next-linux-release:
 	python3 ./release_pkgs.py --upload-repo-file
 .PHONY: capnp
 capnp:
 	which capnp  # https://capnproto.org/install.html
@ -249,7 +251,7 @@ capnp:
 .PHONY: vet
 vet:
-	go vet -mod=vendor github.com/cloudflare/cloudflared/...
+	$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...
 .PHONY: fmt
 fmt:
@ -258,7 +260,7 @@ fmt:
 .PHONY: fmt-check
 fmt-check:
-	@./fmt-check.sh
+	@./.ci/scripts/fmt-check.sh
 .PHONY: lint
 lint:
@ -267,3 +269,23 @@ lint:
 .PHONY: mocks
 mocks:
 	go generate mocks/mockgen.go
 .PHONY: ci-build
 ci-build:
 	@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-fips-build
 ci-fips-build:
 	@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-test
 ci-test: fmt-check lint test
 	@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
 .PHONY: ci-fips-test
 ci-fips-test:
 	@FIPS=true $(MAKE) ci-test
--- a/README.md
+++ b/README.md
@ -3,14 +3,14 @@
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
-Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
-You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
+You can instead use [WARP client](https://developers.cloudflare.com/warp-client/)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
@ -19,41 +19,41 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
-1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
+1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
-2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
+2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
 ## Installing `cloudflared`
 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
-* To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
+* To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
-User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
 ## Creating Tunnels and routing traffic
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/)
 * Route traffic to that Tunnel:
-  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
-  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
-  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
 ## TryCloudflare
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
 ## Deprecated versions
-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
@ -62,7 +62,7 @@ For example, as of January 2023 Cloudflare will support cloudflared version 2023
 ### Requirements
 - [GNU Make](https://www.gnu.org/software/make/)
 - [capnp](https://capnproto.org/install.html)
- [cloudflare go toolchain](https://github.com/cloudflare/go)
+- [go >= 1.24](https://go.dev/doc/install)
 - Optional tools:
  - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
  - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
--- a/133
+++ b/133
@ -1,3 +1,136 @@
 2026.3.0
 - 2026-03-05 TUN-10292: Add cloudflared management token command
 - 2026-03-03 chore: Addressing small fixes and typos
 - 2026-03-03 fix: Update go-sentry and go-oidc to address CVE's
 - 2026-02-24 TUN-10258: add agents.md
 - 2026-02-23 TUN-10267: Update mods to fix CVE GO-2026-4394
 - 2026-02-20 TUN-10247: Update tail command to use /management/logs endpoint
 - 2026-02-11 TUN-9858: Add more information to proxy-dns removal message
 2026.2.0
 - 2026-02-06 TUN-10216: TUN fix cloudflare vulnerabilities GO-2026-4340 and GO-2026-4341
 - 2026-02-02 TUN-9858: Remove proxy-dns feature from cloudflared
 2026.1.2
 - 2026-01-23 Revert "TUN-9863: Update pipelines to use cloudflared EV Certificate"
 - 2026-01-21 Revert "TUN-9886 notarize cloudflared"
 - 2025-12-12 TUN-9886 notarize cloudflared
 2026.1.1
 - 2026-01-19 fix: Update boto3 to run on trixie
 - 2026-01-19 fix: Fix wixl bundling tool for windows msi packages
 - 2026-01-19 fix: rpm bundling and rpm key import
 2026.1.0
 - 2026-01-13 TUN-10162: Update go to 1.24.11 and Debian distroless to debian13
 - 2025-11-21 Replace jira.cfops.it with jira.cfdata.org in connection/http2_test.go
 - 2025-11-19 TUN-9863: Update pipelines to use cloudflared EV Certificate
 - 2025-11-07 TUN-9800: Migrate apt internal builds to Gitlab
 - 2025-11-04 TUN-9998: Don't need to read origin cert to determine if the endpoint is fedramp
 - 2025-10-13 TUN-9910: Make the metadata key to carry HTTP status over QUIC transport a constant
 2025.11.1
 - 2025-11-07 TUN-9800: Fix docker hub push step
 2025.11.0
 - 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
 - 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
 - 2025-11-04 chore: Update cloudflared signing key name in index.html
 - 2025-10-31 chore: add claude review
 - 2025-10-31 Chore: Update documentation links in README
 - 2025-10-31 TUN-9800: Add pipelines for linux packaging
 2025.10.1
 - 2025-10-30 chore: Update ci image to use goboring 1.24.9
 - 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
 - 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
 - 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
 - 2025-10-23 Fix systemd service installation hanging
 - 2025-10-21 TUN-9941: Use new GPG key for RPM builds
 - 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
 - 2025-10-21 TUN-9941: Lookup correct key for RPM signature
 - 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
 - 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
 2025.10.0
 - 2025-10-14 chore: Fix upload of RPM repo file during double signing
 - 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
 - 2025-10-10 chore: Fix import of GPG keys when two keys are provided
 - 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
 - 2025-10-10 TUN-9883: Add new datagram v3 feature flag
 - 2025-10-09 chore: Force usage of go-boring 1.24
 - 2025-10-08 TUN-9882: Improve metrics for datagram v3
 - 2025-10-07 GRC-16749: Add fedramp tags to catalog
 - 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
 - 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
 - 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
 - 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
 2025.9.1
 - 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
 - 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
 2025.9.0
 - 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
 - 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
 - 2025-09-04 TUN-9803: Add windows builds to gitlab-ci
 - 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
 2025.8.1
 - 2025-08-19 AUTH-7480 update fed callback url for login helper
 - 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers
 - 2025-08-12 AUTH-7260: Add support for login interstitial auto closure
 2025.8.0
 - 2025-08-07 vuln: Fix GO-2025-3770 vulnerability
 - 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command
 - 2025-07-07 TUN-9542: Remove unsupported Debian-based releases
 2025.7.0
 - 2025-07-03 TUN-9540: Use numeric user id for Dockerfiles
 - 2025-07-01 TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences
 - 2025-07-01 TUN-9531: Bump go-boring from 1.24.2 to 1.24.4
 - 2025-07-01 TUN-9511: Add metrics for virtual DNS origin
 - 2025-06-30 TUN-9470: Add OriginDialerService to include TCP
 - 2025-06-30 TUN-9473: Add --dns-resolver-addrs flag
 - 2025-06-27 TUN-9472: Add virtual DNS service
 - 2025-06-23 TUN-9469: Centralize UDP origin proxy dialing as ingress service
 2025.6.1
 - 2025-06-16 TUN-9467: add vulncheck to cloudflared
 - 2025-06-16 TUN-9495: Remove references to cloudflare-go
 - 2025-06-16 TUN-9371: Add logging format as JSON
 - 2025-06-12 TUN-9467: bump coredns to solve CVE
 2025.6.0
 - 2025-06-06 TUN-9016: update go to 1.24
 - 2025-06-05 TUN-9171: Use `is_default_network` instead of `is_default` to create vnet's
 2025.5.0
 - 2025-05-14 TUN-9319: Add dynamic loading of features to connections via ConnectionOptionsSnapshot
 - 2025-05-13 TUN-9322: Add metric for unsupported RPC commands for datagram v3
 - 2025-05-07 TUN-9291: Remove dynamic reloading of features for datagram v3
 2025.4.2
 - 2025-04-30 chore: Do not use gitlab merge request pipelines
 - 2025-04-30 DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds
 - 2025-04-24 TUN-9255: Improve flush on write conditions in http2 tunnel type to match what is done on the edge
 - 2025-04-10 SDLC-3727 - Adding FIPS status to backstage
 2025.4.0
 - 2025-04-02 Fix broken links in `cmd/cloudflared/*.go` related to running tunnel as a service
 - 2025-04-02 chore: remove repetitive words
 - 2025-04-01 Fix messages to point to one.dash.cloudflare.com
 - 2025-04-01 feat: emit explicit errors for the `service` command on unsupported OSes
 - 2025-04-01 Use RELEASE_NOTES date instead of build date
 - 2025-04-01 chore: Update tunnel configuration link in the readme
 - 2025-04-01 fix: expand home directory for credentials file
 - 2025-04-01 fix: Use path and filepath operation appropriately
 - 2025-04-01 feat: Adds a new command line for tunnel run for token file
 - 2025-04-01 chore: fix linter rules
 - 2025-03-17 TUN-9101: Don't ignore errors on `cloudflared access ssh`
 - 2025-03-06 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23
 2025.2.1
 - 2025-02-26 TUN-9016: update base-debian to v12
 - 2025-02-25 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint
--- a/build-packages.sh
+++ b/build-packages.sh
@ -1,48 +0,0 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
 export TARGET_OS=linux
 for arch in ${linuxArchs[@]}; do
    unset TARGET_ARM
    export TARGET_ARCH=$arch
    ## Support for arm platforms without hardware FPU enabled
    if [[ $arch == arm ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=5
    fi
    ## Support for armhf builds 
    if [[ $arch == armhf ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=7 
    fi
    make cloudflared-deb
    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
    # rpm packages invert the - and _ and use x86_64 instead of amd64.
    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
    RPMARCH=$arch
    if [ $arch == "amd64" ];then
        RPMARCH="x86_64"
    fi
    if [ $arch == "arm64" ]; then
        RPMARCH="aarch64"
    fi
    make cloudflared-rpm
    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
    # finally move the linux binary as well.
    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -26,11 +26,13 @@ const (
 )
 type StartOptions struct {
-	AppInfo         *token.AppInfo
+	AppInfo               *token.AppInfo
-	OriginURL       string
+	OriginURL             string
-	Headers         http.Header
+	Headers               http.Header
-	Host            string
+	Host                  string
-	TLSClientConfig *tls.Config
+	TLSClientConfig       *tls.Config
 	AutoCloseInterstitial bool
 	IsFedramp             bool
 }
 // Connection wraps up all the needed functions to forward over the tunnel
@ -46,7 +48,6 @@ type StdinoutStream struct{}
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
 	return os.Stdin.Read(p)
 }
 // Write will write to Stdout
@ -139,7 +140,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 		return nil, err
 	}
-	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
+	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)
 	if err != nil {
 		return nil, err
 	}
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -13,3 +13,8 @@ spec:
  type: "service"
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
  cf:
    compliance:
      fedramp-high: "pending"
      fedramp-moderate: "yes"
    FIPS: "required"
--- a/cfapi/base_client.go
+++ b/cfapi/base_client.go
@ -45,9 +45,7 @@ type baseEndpoints struct {
 var _ Client = (*RESTClient)(nil)
 func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) {
-	if strings.HasSuffix(baseURL, "/") {
+	baseURL = strings.TrimSuffix(baseURL, "/")
 		baseURL = baseURL[:len(baseURL)-1]
 	}
 	accountLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/cfd_tunnel", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create account level endpoint")
@ -68,7 +66,7 @@ func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, lo
 		TLSHandshakeTimeout:   defaultTimeout,
 		ResponseHeaderTimeout: defaultTimeout,
 	}
-	http2.ConfigureTransport(&httpTransport)
+	_ = http2.ConfigureTransport(&httpTransport)
 	return &RESTClient{
 		baseEndpoints: &baseEndpoints{
 			accountLevel:  *accountLevelEndpoint,
@ -161,7 +159,6 @@ func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T
 		if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
 			break
 		}
 	}
 	return fullResponse, nil
 }
@ -179,14 +176,13 @@ func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*r
 		}
 		var parsedRspBody []*T
 		return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
 	}
 	return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
 }
 type response struct {
 	Success    bool            `json:"success,omitempty"`
-	Errors     []apiErr        `json:"errors,omitempty"`
+	Errors     []apiError      `json:"errors,omitempty"`
 	Messages   []string        `json:"messages,omitempty"`
 	Result     json.RawMessage `json:"result,omitempty"`
 	Pagination Pagination      `json:"result_info,omitempty"`
@ -206,19 +202,19 @@ func (r *response) checkErrors() error {
 	if len(r.Errors) == 1 {
 		return r.Errors[0]
 	}
-	var messages string
+	var messagesBuilder strings.Builder
 	for _, e := range r.Errors {
-		messages += fmt.Sprintf("%s; ", e)
+		messagesBuilder.WriteString(fmt.Sprintf("%s; ", e))
 	}
-	return fmt.Errorf("API errors: %s", messages)
+	return fmt.Errorf("API errors: %s", messagesBuilder.String())
 }
-type apiErr struct {
+type apiError struct {
 	Code    json.Number `json:"code,omitempty"`
 	Message string      `json:"message,omitempty"`
 }
-func (e apiErr) Error() string {
+func (e apiError) Error() string {
 	return fmt.Sprintf("code: %v, reason: %s", e.Code, e.Message)
 }
--- a/cfapi/client.go
+++ b/cfapi/client.go
@ -8,7 +8,7 @@ type TunnelClient interface {
 	CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
 	GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
 	GetTunnelToken(tunnelID uuid.UUID) (string, error)
-	GetManagementToken(tunnelID uuid.UUID) (string, error)
+	GetManagementToken(tunnelID uuid.UUID, resource ManagementResource) (string, error)
 	DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
 	ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
 	ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)
--- a/cfapi/tunnel.go
+++ b/cfapi/tunnel.go
@ -15,6 +15,27 @@ import (
 var ErrTunnelNameConflict = errors.New("tunnel with name already exists")
 type ManagementResource int
 const (
 	Logs ManagementResource = iota
 	Admin
 	HostDetails
 )
 func (r ManagementResource) String() string {
 	switch r {
 	case Logs:
 		return "logs"
 	case Admin:
 		return "admin"
 	case HostDetails:
 		return "host_details"
 	default:
 		return ""
 	}
 }
 type Tunnel struct {
 	ID          uuid.UUID    `json:"id"`
 	Name        string       `json:"name"`
@ -50,10 +71,6 @@ type newTunnel struct {
 	TunnelSecret []byte `json:"tunnel_secret"`
 }
 type managementRequest struct {
 	Resources []string `json:"resources"`
 }
 type CleanupParams struct {
 	queryParams url.Values
 }
@ -137,15 +154,16 @@ func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
-func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
+// managementEndpointPath returns the path segment for a management resource endpoint
 func managementEndpointPath(tunnelID uuid.UUID, res ManagementResource) string {
 	return fmt.Sprintf("%v/management/%s", tunnelID, res.String())
 }
 func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID, res ManagementResource) (token string, err error) {
 	endpoint := r.baseEndpoints.accountLevel
-	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
+	endpoint.Path = path.Join(endpoint.Path, managementEndpointPath(tunnelID, res))
-	body := &managementRequest{
+	resp, err := r.sendRequest("POST", endpoint, nil)
 		Resources: []string{"logs"},
 	}
 	resp, err := r.sendRequest("POST", endpoint, body)
 	if err != nil {
 		return "", errors.Wrap(err, "REST request failed")
 	}
--- a/cfapi/tunnel_test.go
+++ b/cfapi/tunnel_test.go
@ -2,7 +2,6 @@ package cfapi
 import (
 	"bytes"
 	"fmt"
 	"net"
 	"reflect"
 	"strings"
@ -11,6 +10,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 var loc, _ = time.LoadLocation("UTC")
@ -52,7 +52,6 @@ func Test_unmarshalTunnel(t *testing.T) {
 }
 func TestUnmarshalTunnelOk(t *testing.T) {
 	jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}`
 	expected := Tunnel{
 		ID:          uuid.Nil,
@ -61,12 +60,11 @@ func TestUnmarshalTunnelOk(t *testing.T) {
 		Connections: []Connection{},
 	}
 	actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))
-	assert.NoError(t, err)
+	require.NoError(t, err)
-	assert.Equal(t, &expected, actual)
+	require.Equal(t, &expected, actual)
 }
 func TestUnmarshalTunnelErr(t *testing.T) {
 	tests := []string{
 		`abc`,
 		`{"success": true, "result": abc}`,
@ -76,7 +74,73 @@ func TestUnmarshalTunnelErr(t *testing.T) {
 	for i, test := range tests {
 		_, err := unmarshalTunnel(bytes.NewReader([]byte(test)))
-		assert.Error(t, err, fmt.Sprintf("Test #%v failed", i))
+		assert.Error(t, err, "Test #%v failed", i)
 	}
 }
 func TestManagementResource_String(t *testing.T) {
 	tests := []struct {
 		name     string
 		resource ManagementResource
 		want     string
 	}{
 		{
 			name:     "Logs",
 			resource: Logs,
 			want:     "logs",
 		},
 		{
 			name:     "Admin",
 			resource: Admin,
 			want:     "admin",
 		},
 		{
 			name:     "HostDetails",
 			resource: HostDetails,
 			want:     "host_details",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.want, tt.resource.String())
 		})
 	}
 }
 func TestManagementResource_String_Unknown(t *testing.T) {
 	unknown := ManagementResource(999)
 	assert.Equal(t, "", unknown.String())
 }
 func TestManagementEndpointPath(t *testing.T) {
 	tunnelID := uuid.MustParse("b34cc7ce-925b-46ee-bc23-4cb5c18d8292")
 	tests := []struct {
 		name     string
 		resource ManagementResource
 		want     string
 	}{
 		{
 			name:     "Logs resource",
 			resource: Logs,
 			want:     "b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/logs",
 		},
 		{
 			name:     "Admin resource",
 			resource: Admin,
 			want:     "b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/admin",
 		},
 		{
 			name:     "HostDetails resource",
 			resource: HostDetails,
 			want:     "b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/host_details",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got := managementEndpointPath(tunnelID, tt.resource)
 			assert.Equal(t, tt.want, got)
 		})
 	}
 }
@ -97,6 +161,6 @@ func TestUnmarshalConnections(t *testing.T) {
 		}},
 	}
 	actual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody)))
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, []*ActiveClient{&expected}, actual)
 }
--- a/cfapi/virtual_network.go
+++ b/cfapi/virtual_network.go
@ -16,7 +16,7 @@ import (
 type NewVirtualNetwork struct {
 	Name      string `json:"name"`
 	Comment   string `json:"comment"`
-	IsDefault bool   `json:"is_default"`
+	IsDefault bool   `json:"is_default_network"`
 }
 type VirtualNetwork struct {
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,257 +1,2 @@
-pinned_go: &pinned_go go-boring=1.22.10-1
+# A valid cfsetup.yaml is required but we dont have any real config to specify
-
+dummy_key: true
 build_dir: &build_dir /cfsetup_build
 default-flavor: bookworm
 bullseye: &bullseye
  build-linux:
    build_dir: *build_dir
    builddeps: &build_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - golangci-lint
    pre-cache: &build_pre_cache
      - export GOCACHE=/cfsetup_build/.cache/go-build
      - go install golang.org/x/tools/cmd/goimports@latest
    post-cache:
      # Linting
      - make lint
      - make fmt-check
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  build-linux-fips:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - export FIPS=true
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  cover:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - make cover
  # except FIPS and macos
  build-linux-release:
    build_dir: *build_dir
    builddeps: &build_deps_release
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - python3-dev
      - python3-pip
      - python3-setuptools
      - wget
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . /cfsetup_build/env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
  # handle FIPS separately so that we built with gofips compiler
  build-linux-fips-release:
    build_dir: *build_dir
    builddeps: *build_deps_release
    post-cache:
      # same logic as above, but for FIPS packages only
      - ./build-packages-fips.sh
  generate-versions-file:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
      - make generate-docker-version
  build-deb:
    build_dir: *build_dir
    builddeps: &build_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-deb
  build-fips-internal-deb:
    build_dir: *build_dir
    builddeps: &build_fips_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-amd64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export NIGHTLY=true
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-arm64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export NIGHTLY=true
      # - export FIPS=true # TUN-7595
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
    builddeps: *build_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
  package-windows:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
      - python3-venv
    pre-cache:
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - .teamcity/package-windows.sh
  test:
    build_dir: *build_dir
    builddeps: &build_deps_tests
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - gotest-to-teamcity
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_tests
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
    builddeps: &build_deps_component_test
      - *pinned_go
      - python3
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service
      # because the init script uses ps pid to determine if the agent is
      # running
      - procps
      - python3-venv
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    post-cache: &component_test_post_cache
      - python3 -m venv env
      - . env/bin/activate
      - pip install --upgrade -r component-tests/requirements.txt
      # Creates and routes a Named Tunnel for this build. Also constructs
      # config file from env vars.
      - python3 component-tests/setup.py --type create
      - pytest component-tests -o log_cli=true --log-cli-level=INFO
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
  component-test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_component_test
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    post-cache: *component_test_post_cache
  github-release-dryrun:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - make github-release-dryrun
  github-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - make github-release
  r2-linux-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - reprepro
      - createrepo-c
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
      - make r2-linux-release
 bookworm: *bullseye
 trixie: *bullseye
--- a/client/config.go
+++ b/client/config.go
@ -0,0 +1,74 @@
 package client
 import (
 	"fmt"
 	"net"
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // Config captures the local client runtime configuration.
 type Config struct {
 	ConnectorID uuid.UUID
 	Version     string
 	Arch        string
 	featureSelector features.FeatureSelector
 }
 func NewConfig(version string, arch string, featureSelector features.FeatureSelector) (*Config, error) {
 	connectorID, err := uuid.NewRandom()
 	if err != nil {
 		return nil, fmt.Errorf("unable to generate a connector UUID: %w", err)
 	}
 	return &Config{
 		ConnectorID:     connectorID,
 		Version:         version,
 		Arch:            arch,
 		featureSelector: featureSelector,
 	}, nil
 }
 // ConnectionOptionsSnapshot is a snapshot of the current client information used to initialize a connection.
 //
 // The FeatureSnapshot is the features that are available for this connection. At the client level they may
 // change, but they will not change within the scope of this struct.
 type ConnectionOptionsSnapshot struct {
 	client              pogs.ClientInfo
 	originLocalIP       net.IP
 	numPreviousAttempts uint8
 	FeatureSnapshot     features.FeatureSnapshot
 }
 func (c *Config) ConnectionOptionsSnapshot(originIP net.IP, previousAttempts uint8) *ConnectionOptionsSnapshot {
 	snapshot := c.featureSelector.Snapshot()
 	return &ConnectionOptionsSnapshot{
 		client: pogs.ClientInfo{
 			ClientID: c.ConnectorID[:],
 			Version:  c.Version,
 			Arch:     c.Arch,
 			Features: snapshot.FeaturesList,
 		},
 		originLocalIP:       originIP,
 		numPreviousAttempts: previousAttempts,
 		FeatureSnapshot:     snapshot,
 	}
 }
 func (c ConnectionOptionsSnapshot) ConnectionOptions() *pogs.ConnectionOptions {
 	return &pogs.ConnectionOptions{
 		Client:              c.client,
 		OriginLocalIP:       c.originLocalIP,
 		ReplaceExisting:     false,
 		CompressionQuality:  0,
 		NumPreviousAttempts: c.numPreviousAttempts,
 	}
 }
 func (c ConnectionOptionsSnapshot) LogFields(event *zerolog.Event) *zerolog.Event {
 	return event.Strs("features", c.client.Features)
 }
--- a/client/config_test.go
+++ b/client/config_test.go
@ -0,0 +1,50 @@
 package client
 import (
 	"net"
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/features"
 )
 func TestGenerateConnectionOptions(t *testing.T) {
 	version := "1234"
 	arch := "linux_amd64"
 	originIP := net.ParseIP("192.168.1.1")
 	var previousAttempts uint8 = 4
 	config, err := NewConfig(version, arch, &mockFeatureSelector{})
 	require.NoError(t, err)
 	require.Equal(t, version, config.Version)
 	require.Equal(t, arch, config.Arch)
 	// Validate ConnectionOptionsSnapshot fields
 	connOptions := config.ConnectionOptionsSnapshot(originIP, previousAttempts)
 	require.Equal(t, version, connOptions.client.Version)
 	require.Equal(t, arch, connOptions.client.Arch)
 	require.Equal(t, config.ConnectorID[:], connOptions.client.ClientID)
 	// Vaidate snapshot feature fields against the connOptions generated
 	snapshot := config.featureSelector.Snapshot()
 	require.Equal(t, features.DatagramV3, snapshot.DatagramVersion)
 	require.Equal(t, features.DatagramV3, connOptions.FeatureSnapshot.DatagramVersion)
 	pogsConnOptions := connOptions.ConnectionOptions()
 	require.Equal(t, connOptions.client, pogsConnOptions.Client)
 	require.Equal(t, originIP, pogsConnOptions.OriginLocalIP)
 	require.False(t, pogsConnOptions.ReplaceExisting)
 	require.Equal(t, uint8(0), pogsConnOptions.CompressionQuality)
 	require.Equal(t, previousAttempts, pogsConnOptions.NumPreviousAttempts)
 }
 type mockFeatureSelector struct{}
 func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
 	return features.FeatureSnapshot{
 		PostQuantum:     features.PostQuantumPrefer,
 		DatagramVersion: features.DatagramV3,
 		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
 	}
 }
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -47,6 +47,7 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
 		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
 		IsFedramp: forwarder.IsFedramp,
 	}
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
@ -92,6 +93,7 @@ func ssh(c *cli.Context) error {
 		OriginURL: url.String(),
 		Headers:   headers,
 		Host:      url.Host,
 		IsFedramp: c.Bool(fedrampFlag),
 	}
 	if connectTo := c.String(sshConnectTo); connectTo != "" {
@ -104,7 +106,7 @@ func ssh(c *cli.Context) error {
 		case 3:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
 			options.TLSClientConfig = &tls.Config{
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: true, // #nosec G402
 				ServerName:         parts[0],
 			}
 			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
@ -141,6 +143,5 @@ func ssh(c *cli.Context) error {
 		logger := log.With().Str("host", url.Host).Logger()
 		s = stream.NewDebugStream(s, &logger, maxMessages)
 	}
-	carrier.StartClient(wsConn, s, options)
+	return carrier.StartClient(wsConn, s, options)
 	return nil
 }
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -51,6 +51,7 @@ Host {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
 	fedrampFlag = "fedramp"
 )
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
@ -79,6 +80,10 @@ func Commands() []*cli.Command {
 			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
 			Flags: []cli.Flag{&cli.BoolFlag{
 				Name:  fedrampFlag,
 				Usage: "use when performing operations in fedramp account",
 			}},
 			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
 			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
 			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
@ -104,6 +109,10 @@ func Commands() []*cli.Command {
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
 						&cli.BoolFlag{
 							Name:  "auto-close",
 							Usage: "automatically close the auth interstitial after action",
 						},
 						&cli.StringFlag{
 							Name: appURLFlag,
 						},
@ -322,7 +331,7 @@ func curl(c *cli.Context) error {
 			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
 			return run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL, appInfo, log)
+		tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 		if err != nil {
 			log.Err(err).Msg("Failed to refresh token")
 			return err
@ -442,7 +451,7 @@ func sshGen(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
+	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 	if err != nil {
 		return err
 	}
@ -542,7 +551,7 @@ func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context,
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
-	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
+	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
--- a/cmd/cloudflared/app_resolver_service.go
+++ b/cmd/cloudflared/app_resolver_service.go
@ -1,87 +0,0 @@
 package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/tunneldns"
 )
 const (
 	// ResolverServiceType is used to identify what kind of overwatch service this is
 	ResolverServiceType = "resolver"
 	LogFieldResolverAddress          = "resolverAddress"
 	LogFieldResolverPort             = "resolverPort"
 	LogFieldResolverMaxUpstreamConns = "resolverMaxUpstreamConns"
 )
 // ResolverService is used to wrap the tunneldns package's DNS over HTTP
 // into a service model for the overwatch package.
 // it also holds a reference to the config object that represents its state
 type ResolverService struct {
 	resolver config.DNSResolver
 	shutdown chan struct{}
 	log      *zerolog.Logger
 }
 // NewResolverService creates a new resolver service
 func NewResolverService(r config.DNSResolver, log *zerolog.Logger) *ResolverService {
 	return &ResolverService{resolver: r,
 		shutdown: make(chan struct{}),
 		log:      log,
 	}
 }
 // Name is used to figure out this service is related to the others (normally the addr it binds to)
 // this is just "resolver" since there can only be one DNS resolver running
 func (s *ResolverService) Name() string {
 	return ResolverServiceType
 }
 // Type is used to identify what kind of overwatch service this is
 func (s *ResolverService) Type() string {
 	return ResolverServiceType
 }
 // Hash is used to figure out if this forwarder is the unchanged or not from the config file updates
 func (s *ResolverService) Hash() string {
 	return s.resolver.Hash()
 }
 // Shutdown stops the tunneldns listener
 func (s *ResolverService) Shutdown() {
 	s.shutdown <- struct{}{}
 }
 // Run is the run loop that is started by the overwatch service
 func (s *ResolverService) Run() error {
 	// create a listener
 	l, err := tunneldns.CreateListener(s.resolver.AddressOrDefault(), s.resolver.PortOrDefault(),
 		s.resolver.UpstreamsOrDefault(), s.resolver.BootstrapsOrDefault(), s.resolver.MaxUpstreamConnectionsOrDefault(), s.log)
 	if err != nil {
 		return err
 	}
 	// start the listener.
 	readySignal := make(chan struct{})
 	err = l.Start(readySignal)
 	if err != nil {
 		_ = l.Stop()
 		return err
 	}
 	<-readySignal
 	resolverLog := s.log.With().
 		Str(LogFieldResolverAddress, s.resolver.AddressOrDefault()).
 		Uint16(LogFieldResolverPort, s.resolver.PortOrDefault()).
 		Int(LogFieldResolverMaxUpstreamConns, s.resolver.MaxUpstreamConnectionsOrDefault()).
 		Logger()
 	resolverLog.Info().Msg("Starting resolver")
 	// wait for shutdown signal
 	<-s.shutdown
 	resolverLog.Info().Msg("Shutting down resolver")
 	return l.Stop()
 }
--- a/cmd/cloudflared/app_service.go
+++ b/cmd/cloudflared/app_service.go
@ -8,7 +8,7 @@ import (
 )
 // AppService is the main service that runs when no command lines flags are passed to cloudflared
-// it manages all the running services such as tunnels, forwarders, DNS resolver, etc
+// it manages all the running services such as tunnels, forwarders, etc
 type AppService struct {
 	configManager    config.Manager
 	serviceManager   overwatch.Manager
@ -73,14 +73,6 @@ func (s *AppService) handleConfigUpdate(c config.Root) {
 		activeServices[service.Name()] = struct{}{}
 	}
 	// handle resolver changes
 	if c.Resolver.Enabled {
 		service := NewResolverService(c.Resolver, s.log)
 		s.serviceManager.Add(service)
 		activeServices[service.Name()] = struct{}{}
 	}
 	// TODO: TUN-1451 - tunnels
 	// remove any services that are no longer active
--- a/cmd/cloudflared/cliutil/logger.go
+++ b/cmd/cloudflared/cliutil/logger.go
@ -4,25 +4,32 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
-	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 )
 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 	FlagLogOutput = &cli.StringFlag{
 		Name:    flags.LogFormatOutput,
 		Usage:   "Output format for the logs (default, json)",
 		Value:   flags.LogFormatOutputValueDefault,
 		EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT", "TUNNEL_LOG_OUTPUT"},
 	}
 )
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.LogLevel,
+			Name:    flags.LogLevel,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.TransportLogLevel,
+			Name:    flags.TransportLogLevel,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
@ -30,22 +37,23 @@ func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.LogFile,
+			Name:    flags.LogFile,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.LogDirectory,
+			Name:    flags.LogDirectory,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.TraceOutput,
+			Name:    flags.TraceOutput,
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 		FlagLogOutput,
 	}
 }
--- a/cmd/cloudflared/cliutil/management.go
+++ b/cmd/cloudflared/cliutil/management.go
@ -0,0 +1,84 @@
 package cliutil
 import (
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"time"
 	"github.com/google/uuid"
 	"github.com/mattn/go-colorable"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/credentials"
 )
 // Error definitions for management token operations
 var (
 	ErrNoTunnelID      = errors.New("no tunnel ID provided")
 	ErrInvalidTunnelID = errors.New("unable to parse provided tunnel id as a valid UUID")
 )
 // GetManagementToken acquires a management token from Cloudflare API for the specified resource
 func GetManagementToken(c *cli.Context, log *zerolog.Logger, res cfapi.ManagementResource, buildInfo *BuildInfo) (string, error) {
 	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	if err != nil {
 		return "", err
 	}
 	var apiURL string
 	if userCreds.IsFEDEndpoint() {
 		apiURL = credentials.FedRampBaseApiURL
 	} else {
 		apiURL = c.String(cfdflags.ApiURL)
 	}
 	client, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
 	tunnelIDString := c.Args().First()
 	if tunnelIDString == "" {
 		return "", ErrNoTunnelID
 	}
 	tunnelID, err := uuid.Parse(tunnelIDString)
 	if err != nil {
 		return "", fmt.Errorf("%w: %v", ErrInvalidTunnelID, err)
 	}
 	token, err := client.GetManagementToken(tunnelID, res)
 	if err != nil {
 		return "", err
 	}
 	return token, nil
 }
 // CreateStderrLogger creates a logger that outputs to stderr to avoid interfering with stdout
 func CreateStderrLogger(c *cli.Context) *zerolog.Logger {
 	level, levelErr := zerolog.ParseLevel(c.String(cfdflags.LogLevel))
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
 	var writer io.Writer
 	switch c.String(cfdflags.LogFormatOutput) {
 	case cfdflags.LogFormatOutputValueJSON:
 		// zerolog by default outputs as JSON
 		writer = os.Stderr
 	case cfdflags.LogFormatOutputValueDefault:
 		// "default" and unset use the same logger output format
 		fallthrough
 	default:
 		writer = zerolog.ConsoleWriter{
 			Out:        colorable.NewColorable(os.Stderr),
 			TimeFormat: time.RFC3339,
 		}
 	}
 	log := zerolog.New(writer).With().Timestamp().Logger().Level(level)
 	return &log
 }
--- a/cmd/cloudflared/flags/flags.go
+++ b/cmd/cloudflared/flags/flags.go
@ -111,9 +111,6 @@ const (
 	// ICMPV6Src is the command line flag to set the source address and the interface name to send/receive ICMPv6 messages
 	ICMPV6Src = "icmpv6-src"
 	// ProxyDns is the command line flag to run DNS server over HTTPS
 	ProxyDns = "proxy-dns"
 	// Name is the command line to set the name of the tunnel
 	Name = "name"
@ -138,6 +135,11 @@ const (
 	// LogDirectory is the command line flag to define the directory where application logs will be stored.
 	LogDirectory = "log-directory"
 	// LogFormatOutput allows the command line logs to be output as JSON.
 	LogFormatOutput             = "output"
 	LogFormatOutputValueDefault = "default"
 	LogFormatOutputValueJSON    = "json"
 	// TraceOutput is the command line flag to set the name of trace output file
 	TraceOutput = "trace-output"
@ -152,4 +154,13 @@ const (
 	// ApiURL is the command line flag used to define the base URL of the API
 	ApiURL = "api-url"
 	// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.
 	VirtualDNSServiceResolverAddresses = "dns-resolver-addrs"
 	// Management hostname to signify incoming management requests
 	ManagementHostname = "management-hostname"
 	// Automatically close the login interstitial browser window after the user makes a decision.
 	AutoCloseInterstitial = "auto-close"
 )
--- a/cmd/cloudflared/generic_service.go
+++ b/cmd/cloudflared/generic_service.go
@ -3,11 +3,38 @@
 package main
 import (
 	"fmt"
 	"os"
 	cli "github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared system service (not supported on this operating system)",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
 				Usage:  "Install cloudflared as a system service (not supported on this operating system)",
 				Action: cliutil.ConfiguredAction(installGenericService),
 			},
 			{
 				Name:   "uninstall",
 				Usage:  "Uninstall the cloudflared service (not supported on this operating system)",
 				Action: cliutil.ConfiguredAction(uninstallGenericService),
 			},
 		},
 	})
 	app.Run(os.Args)
 }
 func installGenericService(c *cli.Context) error {
 	return fmt.Errorf("service installation is not supported on this operating system")
 }
 func uninstallGenericService(c *cli.Context) error {
 	return fmt.Errorf("service uninstallation is not supported on this operating system")
 }
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -4,6 +4,7 @@ package main
 import (
 	"fmt"
 	"io"
 	"os"
 	"github.com/rs/zerolog"
@ -15,7 +16,7 @@ import (
 	"github.com/cloudflare/cloudflared/logger"
 )
-func runApp(app *cli.App, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, _ chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared system service",
@ -35,7 +36,7 @@ func runApp(app *cli.App, graceShutdownC chan struct{}) {
 			},
 		},
 	})
-	app.Run(os.Args)
+	_ = app.Run(os.Args)
 }
 // The directory and files that are used by the service.
@ -59,7 +60,7 @@ After=network-online.target
 Wants=network-online.target
 [Service]
-TimeoutStartSec=0
+TimeoutStartSec=15
 Type=notify
 ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
@ -97,6 +98,7 @@ WantedBy=timers.target
 var sysvTemplate = ServiceTemplate{
 	Path:     "/etc/init.d/cloudflared",
 	FileMode: 0755,
 	// nolint: dupword
 	Content: `#!/bin/sh
 # For RedHat and cousins:
 # chkconfig: 2345 99 01
@ -184,13 +186,11 @@ exit 0
 `,
 }
-var (
+var noUpdateServiceFlag = &cli.BoolFlag{
-	noUpdateServiceFlag = &cli.BoolFlag{
+	Name:  "no-update-service",
-		Name:  "no-update-service",
+	Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
-		Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
+	Value: false,
-		Value: false,
+}
 	}
 )
 func isSystemd() bool {
 	if _, err := os.Stat("/run/systemd/system"); err == nil {
@ -430,3 +430,38 @@ func uninstallSysv(log *zerolog.Logger) error {
 	}
 	return nil
 }
 func ensureConfigDirExists(configDir string) error {
 	ok, err := config.FileExists(configDir)
 	if !ok && err == nil {
 		err = os.Mkdir(configDir, 0755)
 	}
 	return err
 }
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	destFile, err := os.Create(dest)
 	if err != nil {
 		return err
 	}
 	ok := false
 	defer func() {
 		destFile.Close()
 		if !ok {
 			_ = os.Remove(dest)
 		}
 	}()
 	if _, err := io.Copy(destFile, srcFile); err != nil {
 		return err
 	}
 	ok = true
 	return nil
 }
--- a/cmd/cloudflared/macos_service.go
+++ b/cmd/cloudflared/macos_service.go
@ -120,7 +120,7 @@ func installLaunchd(c *cli.Context) error {
 		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
 			"Note that cloudflared client will only run when the user is logged in. " +
 			"If you want to run cloudflared client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
+			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos/")
 	}
 	etPath, err := os.Executable()
 	if err != nil {
--- a/cmd/cloudflared/main.go
+++ b/cmd/cloudflared/main.go
@ -13,6 +13,7 @@ import (
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/management"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
@ -91,6 +92,7 @@ func main() {
 	tracing.Init(Version)
 	token.Init(Version)
 	tail.Init(bInfo)
 	management.Init(bInfo)
 	runApp(app, graceShutdownC)
 }
@ -149,9 +151,10 @@ To determine if an update happened in a script, check for error code 11.`,
 		},
 	}
 	cmds = append(cmds, tunnel.Commands()...)
-	cmds = append(cmds, proxydns.Command(false))
+	cmds = append(cmds, proxydns.Command()) // removed feature, only here for error message
 	cmds = append(cmds, access.Commands()...)
 	cmds = append(cmds, tail.Command())
 	cmds = append(cmds, management.Command())
 	return cmds
 }
--- a/cmd/cloudflared/management/cmd.go
+++ b/cmd/cloudflared/management/cmd.go
@ -0,0 +1,105 @@
 package management
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/credentials"
 )
 var buildInfo *cliutil.BuildInfo
 // Init initializes the management package with build info
 func Init(bi *cliutil.BuildInfo) {
 	buildInfo = bi
 }
 // Command returns the management command with its subcommands
 func Command() *cli.Command {
 	return &cli.Command{
 		Name:     "management",
 		Usage:    "Monitor cloudflared tunnels via management API",
 		Category: "Management",
 		Hidden:   true,
 		Subcommands: []*cli.Command{
 			buildTokenSubcommand(),
 		},
 	}
 }
 // buildTokenSubcommand creates the token subcommand
 func buildTokenSubcommand() *cli.Command {
 	return &cli.Command{
 		Name:        "token",
 		Action:      cliutil.ConfiguredAction(tokenCommand),
 		Usage:       "Get management access jwt for a specific resource",
 		UsageText:   "cloudflared management token --resource <resource> TUNNEL_ID",
 		Description: "Get management access jwt for a tunnel with specified resource permissions (logs, admin, host_details)",
 		Hidden:      true,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:     "resource",
 				Usage:    "Resource type for token permissions: logs, admin, or host_details",
 				Required: true,
 			},
 			&cli.StringFlag{
 				Name:    cfdflags.OriginCert,
 				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
 			&cli.StringFlag{
 				Name:    cfdflags.LogLevel,
 				Value:   "info",
 				Usage:   "Application logging level {debug, info, warn, error, fatal}",
 				EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			},
 			cliutil.FlagLogOutput,
 		},
 	}
 }
 // tokenCommand handles the token subcommand execution
 func tokenCommand(c *cli.Context) error {
 	log := cliutil.CreateStderrLogger(c)
 	// Parse and validate resource flag
 	resourceStr := c.String("resource")
 	resource, err := parseResource(resourceStr)
 	if err != nil {
 		return fmt.Errorf("invalid resource '%s': %w", resourceStr, err)
 	}
 	// Get management token
 	token, err := cliutil.GetManagementToken(c, log, resource, buildInfo)
 	if err != nil {
 		return err
 	}
 	// Output JSON to stdout
 	tokenResponse := struct {
 		Token string `json:"token"`
 	}{Token: token}
 	return json.NewEncoder(os.Stdout).Encode(tokenResponse)
 }
 // parseResource converts resource string to ManagementResource enum
 func parseResource(resource string) (cfapi.ManagementResource, error) {
 	switch resource {
 	case "logs":
 		return cfapi.Logs, nil
 	case "admin":
 		return cfapi.Admin, nil
 	case "host_details":
 		return cfapi.HostDetails, nil
 	default:
 		return 0, fmt.Errorf("must be one of: logs, admin, host_details")
 	}
 }
--- a/cmd/cloudflared/management/cmd_test.go
+++ b/cmd/cloudflared/management/cmd_test.go
@ -0,0 +1,71 @@
 package management
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/cfapi"
 )
 func TestParseResource_ValidResources(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		input    string
 		expected cfapi.ManagementResource
 	}{
 		{"logs", cfapi.Logs},
 		{"admin", cfapi.Admin},
 		{"host_details", cfapi.HostDetails},
 	}
 	for _, tt := range tests {
 		t.Run(tt.input, func(t *testing.T) {
 			t.Parallel()
 			result, err := parseResource(tt.input)
 			require.NoError(t, err)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
 }
 func TestParseResource_InvalidResource(t *testing.T) {
 	t.Parallel()
 	invalid := []string{"invalid", "LOGS", "Admin", "", "metrics", "host-details"}
 	for _, input := range invalid {
 		t.Run(input, func(t *testing.T) {
 			t.Parallel()
 			_, err := parseResource(input)
 			require.Error(t, err)
 			assert.Contains(t, err.Error(), "must be one of")
 		})
 	}
 }
 func TestCommandStructure(t *testing.T) {
 	t.Parallel()
 	cmd := Command()
 	assert.Equal(t, "management", cmd.Name)
 	assert.True(t, cmd.Hidden)
 	assert.Len(t, cmd.Subcommands, 1)
 	tokenCmd := cmd.Subcommands[0]
 	assert.Equal(t, "token", tokenCmd.Name)
 	assert.True(t, tokenCmd.Hidden)
 	// Verify required flags exist
 	var hasResourceFlag bool
 	for _, flag := range tokenCmd.Flags {
 		if flag.Names()[0] == "resource" {
 			hasResourceFlag = true
 			break
 		}
 	}
 	assert.True(t, hasResourceFlag, "token command should have --resource flag")
 }
--- a/cmd/cloudflared/proxydns/cmd.go
+++ b/cmd/cloudflared/proxydns/cmd.go
@ -1,115 +1,54 @@
 package proxydns
 import (
-	"context"
+	"errors"
 	"net"
 	"os"
 	"os/signal"
 	"syscall"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/metrics"
 	"github.com/cloudflare/cloudflared/tunneldns"
 )
-func Command(hidden bool) *cli.Command {
+const removedMessage = "dns-proxy feature is no longer supported"
 	return &cli.Command{
 		Name:   "proxy-dns",
 		Action: cliutil.ConfiguredAction(Run),
-		Usage: "Run a DNS over HTTPS proxy server.",
+func Command() *cli.Command {
-		Flags: []cli.Flag{
+	return &cli.Command{
-			&cli.StringFlag{
+		Name:            "proxy-dns",
-				Name:    "metrics",
+		Action:          cliutil.ConfiguredAction(Run),
-				Value:   "localhost:",
+		Usage:           removedMessage,
-				Usage:   "Listen address for metrics reporting.",
+		SkipFlagParsing: true,
 				EnvVars: []string{"TUNNEL_METRICS"},
 			},
 			&cli.StringFlag{
 				Name:    "address",
 				Usage:   "Listen address for the DNS over HTTPS proxy server.",
 				Value:   "localhost",
 				EnvVars: []string{"TUNNEL_DNS_ADDRESS"},
 			},
 			// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 			&cli.IntFlag{
 				Name:    "port",
 				Usage:   "Listen on given port for the DNS over HTTPS proxy server.",
 				Value:   53,
 				EnvVars: []string{"TUNNEL_DNS_PORT"},
 			},
 			&cli.StringSliceFlag{
 				Name:    "upstream",
 				Usage:   "Upstream endpoint URL, you can specify multiple endpoints for redundancy.",
 				Value:   cli.NewStringSlice("https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"),
 				EnvVars: []string{"TUNNEL_DNS_UPSTREAM"},
 			},
 			&cli.StringSliceFlag{
 				Name:    "bootstrap",
 				Usage:   "bootstrap endpoint URL, you can specify multiple endpoints for redundancy.",
 				Value:   cli.NewStringSlice("https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"),
 				EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
 			},
 			&cli.IntFlag{
 				Name:    "max-upstream-conns",
 				Usage:   "Maximum concurrent connections to upstream. Setting to 0 means unlimited.",
 				Value:   tunneldns.MaxUpstreamConnsDefault,
 				EnvVars: []string{"TUNNEL_DNS_MAX_UPSTREAM_CONNS"},
 			},
 		},
 		ArgsUsage: " ", // can't be the empty string or we get the default output
 		Hidden:    hidden,
 	}
 }
 // Run implements a foreground runner
 func Run(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	err := errors.New(removedMessage)
 	log.Error().Msg("DNS Proxy is no longer supported since version 2026.2.0 (https://developers.cloudflare.com/changelog/2025-11-11-cloudflared-proxy-dns/). As an alternative consider using https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/")
 	metricsListener, err := net.Listen("tcp", c.String("metrics"))
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to open the metrics listener")
 	}
 	go metrics.ServeMetrics(metricsListener, context.Background(), metrics.Config{}, log)
 	listener, err := tunneldns.CreateListener(
 		c.String("address"),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		uint16(c.Int("port")),
 		c.StringSlice("upstream"),
 		c.StringSlice("bootstrap"),
 		c.Int("max-upstream-conns"),
 		log,
 	)
 	if err != nil {
 		log.Err(err).Msg("Failed to create the listeners")
 		return err
 	}
 	// Try to start the server
 	readySignal := make(chan struct{})
 	err = listener.Start(readySignal)
 	if err != nil {
 		log.Err(err).Msg("Failed to start the listeners")
 		return listener.Stop()
 	}
 	<-readySignal
 	// Wait for signal
 	signals := make(chan os.Signal, 10)
 	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
 	defer signal.Stop(signals)
 	<-signals
 	// Shut down server
 	err = listener.Stop()
 	if err != nil {
 		log.Err(err).Msg("failed to stop")
 	}
 	return err
 }
 // Old flags used by the proxy-dns command, only kept to not break any script that might be setting these flags
 func ConfigureProxyDNSFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name: "proxy-dns",
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name: "proxy-dns-port",
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name: "proxy-dns-address",
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
 			Name: "proxy-dns-upstream",
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name: "proxy-dns-max-upstream-conns",
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
 			Name: "proxy-dns-bootstrap",
 		}),
 	}
 }
--- a/cmd/cloudflared/service_template.go
+++ b/cmd/cloudflared/service_template.go
@ -1,18 +1,16 @@
 package main
 import (
 	"bufio"
 	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
-	"path"
+	"path/filepath"
 	"text/template"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/cloudflare/cloudflared/config"
 )
 type ServiceTemplate struct {
@ -44,7 +42,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		return err
 	}
 	if _, err = os.Stat(resolvedPath); err == nil {
-		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
+		return errors.New(serviceAlreadyExistsWarn(resolvedPath))
 	}
 	var buffer bytes.Buffer
@ -57,7 +55,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		fileMode = st.FileMode
 	}
-	plistFolder := path.Dir(resolvedPath)
+	plistFolder := filepath.Dir(resolvedPath)
 	err = os.MkdirAll(plistFolder, 0o755)
 	if err != nil {
 		return fmt.Errorf("error creating %s: %v", plistFolder, err)
@ -109,114 +107,3 @@ func runCommand(command string, args ...string) error {
 	}
 	return nil
 }
 func ensureConfigDirExists(configDir string) error {
 	ok, err := config.FileExists(configDir)
 	if !ok && err == nil {
 		err = os.Mkdir(configDir, 0755)
 	}
 	return err
 }
 // openFile opens the file at path. If create is set and the file exists, returns nil, true, nil
 func openFile(path string, create bool) (file *os.File, exists bool, err error) {
 	expandedPath, err := homedir.Expand(path)
 	if err != nil {
 		return nil, false, err
 	}
 	if create {
 		fileInfo, err := os.Stat(expandedPath)
 		if err == nil && fileInfo.Size() > 0 {
 			return nil, true, nil
 		}
 		file, err = os.OpenFile(expandedPath, os.O_RDWR|os.O_CREATE, 0600)
 	} else {
 		file, err = os.Open(expandedPath)
 	}
 	return file, false, err
 }
 func copyCredential(srcCredentialPath, destCredentialPath string) error {
 	destFile, exists, err := openFile(destCredentialPath, true)
 	if err != nil {
 		return err
 	} else if exists {
 		// credentials already exist, do nothing
 		return nil
 	}
 	defer destFile.Close()
 	srcFile, _, err := openFile(srcCredentialPath, false)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	// Copy certificate
 	_, err = io.Copy(destFile, srcFile)
 	if err != nil {
 		return fmt.Errorf("unable to copy %s to %s: %v", srcCredentialPath, destCredentialPath, err)
 	}
 	return nil
 }
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	destFile, err := os.Create(dest)
 	if err != nil {
 		return err
 	}
 	ok := false
 	defer func() {
 		destFile.Close()
 		if !ok {
 			_ = os.Remove(dest)
 		}
 	}()
 	if _, err := io.Copy(destFile, srcFile); err != nil {
 		return err
 	}
 	ok = true
 	return nil
 }
 func copyConfig(srcConfigPath, destConfigPath string) error {
 	// Copy or create config
 	destFile, exists, err := openFile(destConfigPath, true)
 	if err != nil {
 		return fmt.Errorf("cannot open %s with error: %s", destConfigPath, err)
 	} else if exists {
 		// config already exists, do nothing
 		return nil
 	}
 	defer destFile.Close()
 	srcFile, _, err := openFile(srcConfigPath, false)
 	if err != nil {
 		fmt.Println("Your service needs a config file that at least specifies the hostname option.")
 		fmt.Println("Type in a hostname now, or leave it blank and create the config file later.")
 		fmt.Print("Hostname: ")
 		reader := bufio.NewReader(os.Stdin)
 		input, _ := reader.ReadString('\n')
 		if input == "" {
 			return err
 		}
 		fmt.Fprintf(destFile, "hostname: %s\n", input)
 	} else {
 		defer srcFile.Close()
 		_, err = io.Copy(destFile, srcFile)
 		if err != nil {
 			return fmt.Errorf("unable to copy %s to %s: %v", srcConfigPath, destConfigPath, err)
 		}
 	}
 	return nil
 }
--- a/cmd/cloudflared/tail/cmd.go
+++ b/cmd/cloudflared/tail/cmd.go
@ -12,11 +12,11 @@ import (
 	"time"
 	"github.com/google/uuid"
 	"github.com/mattn/go-colorable"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"nhooyr.io/websocket"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/credentials"
@ -49,8 +49,9 @@ func buildTailManagementTokenSubcommand() *cli.Command {
 }
 func managementTokenCommand(c *cli.Context) error {
-	log := createLogger(c)
+	log := cliutil.CreateStderrLogger(c)
-	token, err := getManagementToken(c, log)
+
 	token, err := cliutil.GetManagementToken(c, log, cfapi.Logs, buildInfo)
 	if err != nil {
 		return err
 	}
@ -98,13 +99,7 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
-				Name:    "output",
+				Name:    cfdflags.ManagementHostname,
 				Usage:   "Output format for the logs (default, json)",
 				Value:   "default",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
 			},
 			&cli.StringFlag{
 				Name:    "management-hostname",
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
@ -128,6 +123,7 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
 			cliutil.FlagLogOutput,
 		},
 		Subcommands: subcommands,
 	}
@ -164,20 +160,6 @@ func handleValidationError(resp *http.Response, log *zerolog.Logger) {
 	}
 }
 // logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
 // management requests
 func createLogger(c *cli.Context) *zerolog.Logger {
 	level, levelErr := zerolog.ParseLevel(c.String(cfdflags.LogLevel))
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
 	log := zerolog.New(zerolog.ConsoleWriter{
 		Out:        colorable.NewColorable(os.Stderr),
 		TimeFormat: time.RFC3339,
 	}).With().Timestamp().Logger().Level(level)
 	return &log
 }
 // parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
 func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	var level *management.LogLevel
@ -222,46 +204,30 @@ func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	}, nil
 }
 // getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
 func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	if err != nil {
 		return "", err
 	}
 	client, err := userCreds.Client(c.String(cfdflags.ApiURL), buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
 	tunnelIDString := c.Args().First()
 	if tunnelIDString == "" {
 		return "", errors.New("no tunnel ID provided")
 	}
 	tunnelID, err := uuid.Parse(tunnelIDString)
 	if err != nil {
 		return "", errors.New("unable to parse provided tunnel id as a valid UUID")
 	}
 	token, err := client.GetManagementToken(tunnelID)
 	if err != nil {
 		return "", err
 	}
 	return token, nil
 }
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
-func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
+func buildURL(c *cli.Context, log *zerolog.Logger, res cfapi.ManagementResource) (url.URL, error) {
 	var err error
-	managementHostname := c.String("management-hostname")
+
 	token := c.String("token")
 	if token == "" {
-		token, err = getManagementToken(c, log)
+		token, err = cliutil.GetManagementToken(c, log, res, buildInfo)
 		if err != nil {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
 	claims, err := management.ParseToken(token)
 	if err != nil {
 		return url.URL{}, fmt.Errorf("failed to determine if token is FED: %w", err)
 	}
 	var managementHostname string
 	if claims.IsFed() {
 		managementHostname = credentials.FedRampHostname
 	} else {
 		managementHostname = c.String(cfdflags.ManagementHostname)
 	}
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")
@ -295,7 +261,7 @@ func printJSON(log *management.Log, logger *zerolog.Logger) {
 // Run implements a foreground runner
 func Run(c *cli.Context) error {
-	log := createLogger(c)
+	log := cliutil.CreateStderrLogger(c)
 	signals := make(chan os.Signal, 10)
 	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
@ -317,7 +283,7 @@ func Run(c *cli.Context) error {
 		return nil
 	}
-	u, err := buildURL(c, log)
+	u, err := buildURL(c, log, cfapi.Logs)
 	if err != nil {
 		log.Err(err).Msg("unable to construct management request URL")
 		return nil
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@ -15,7 +15,6 @@ import (
 	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/facebookgo/grace/gracenet"
 	"github.com/getsentry/sentry-go"
 	"github.com/google/uuid"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
@ -40,7 +39,6 @@ import (
 	"github.com/cloudflare/cloudflared/signal"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	"github.com/cloudflare/cloudflared/tunneldns"
 	"github.com/cloudflare/cloudflared/tunnelstate"
 	"github.com/cloudflare/cloudflared/validation"
 )
@ -98,7 +96,7 @@ var (
 		"no-tls-verify",
 		"no-chunked-encoding",
 		"http2-origin",
-		"management-hostname",
+		cfdflags.ManagementHostname,
 		"service-op-ip",
 		"local-ssh-port",
 		"ssh-idle-timeout",
@ -116,12 +114,6 @@ var (
 		cfdflags.LogFile,
 		cfdflags.LogDirectory,
 		cfdflags.TraceOutput,
 		cfdflags.ProxyDns,
 		"proxy-dns-port",
 		"proxy-dns-address",
 		"proxy-dns-upstream",
 		"proxy-dns-max-upstream-conns",
 		"proxy-dns-bootstrap",
 		cfdflags.IsAutoUpdated,
 		cfdflags.Edge,
 		cfdflags.Region,
@ -182,8 +174,7 @@ func Commands() []*cli.Command {
 		buildCleanupCommand(),
 		buildTokenCommand(),
 		buildDiagCommand(),
-		// for compatibility, allow following as tunnel subcommands
+		proxydns.Command(), // removed feature, only here for error message
 		proxydns.Command(true),
 		cliutil.RemovedCommand("db-connect"),
 	}
@ -208,7 +199,7 @@ then protect with Cloudflare Access).
  B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
 those enrolled to a Zero Trust WARP Client.
-You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
+You can manage your Tunnels via one.dash.cloudflare.com. This approach will only require you to run a single command
 later in each machine where you wish to run a Tunnel.
 Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
@ -259,9 +250,8 @@ func TunnelCommand(c *cli.Context) error {
 	// Run a quick tunnel
 	// A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com
 	// We don't support running proxy-dns and a quick tunnel at the same time as the same process
 	shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag)
-	if !c.IsSet(cfdflags.ProxyDns) && c.String("quick-service") != "" && shouldRunQuickTunnel {
+	if c.String("quick-service") != "" && shouldRunQuickTunnel {
 		return RunQuickTunnel(sc)
 	}
@ -275,16 +265,6 @@ func TunnelCommand(c *cli.Context) error {
 		return errDeprecatedClassicTunnel
 	}
 	if c.IsSet(cfdflags.ProxyDns) {
 		if shouldRunQuickTunnel {
 			return fmt.Errorf("running a quick tunnel with `proxy-dns` is not supported")
 		}
 		// NamedTunnelProperties are nil since proxy dns server does not need it.
 		// This is supported for legacy reasons: dns proxy server is not a tunnel and ideally should
 		// not run as part of cloudflared tunnel.
 		return StartServer(sc.c, buildInfo, nil, sc.log)
 	}
 	return errors.New(tunnelCmdErrorMessage)
 }
@ -394,24 +374,12 @@ func StartServer(
 	go waitForSignal(graceShutdownC, log)
 	if c.IsSet(cfdflags.ProxyDns) {
 		dnsReadySignal := make(chan struct{})
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
 			errC <- runDNSProxyServer(c, dnsReadySignal, ctx.Done(), log)
 		}()
 		// Wait for proxy-dns to come up (if used)
 		<-dnsReadySignal
 	}
 	connectedSignal := signal.New(make(chan struct{}))
 	go notifySystemd(connectedSignal)
 	if c.IsSet("pidfile") {
 		go writePidFile(connectedSignal, c.String("pidfile"), log)
 	}
 	// update needs to be after DNS proxy is up to resolve equinox server address
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
@ -421,11 +389,8 @@ func StartServer(
 		errC <- autoupdater.Run(ctx)
 	}()
-	// Serve DNS proxy stand-alone if no tunnel type (quick, adhoc, named) is going to run
+	if namedTunnel == nil {
-	if dnsProxyStandAlone(c, namedTunnel) {
+		return fmt.Errorf("namedTunnel is nil")
 		connectedSignal.Notify()
 		// no grace period, handle SIGINT/SIGTERM immediately
 		return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log)
 	}
 	logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog)
@ -433,10 +398,7 @@ func StartServer(
 	observer := connection.NewObserver(log, logTransport)
 	// Send Quick Tunnel URL to UI if applicable
-	var quickTunnelURL string
+	quickTunnelURL := namedTunnel.QuickTunnelUrl
 	if namedTunnel != nil {
 		quickTunnelURL = namedTunnel.QuickTunnelUrl
 	}
 	if quickTunnelURL != "" {
 		observer.SendURL(quickTunnelURL)
 	}
@ -446,14 +408,7 @@ func StartServer(
 		log.Err(err).Msg("Couldn't start tunnel")
 		return err
 	}
-	var clientID uuid.UUID
+	connectorID := tunnelConfig.ClientConfig.ConnectorID
 	if tunnelConfig.NamedTunnel != nil {
 		clientID, err = uuid.FromBytes(tunnelConfig.NamedTunnel.Client.ClientID)
 		if err != nil {
 			// set to nil for classic tunnels
 			clientID = uuid.Nil
 		}
 	}
 	// Disable ICMP packet routing for quick tunnels
 	if quickTunnelURL != "" {
@ -467,11 +422,19 @@ func StartServer(
 		}
 	}
 	isFEDEndpoint := namedTunnel.Credentials.Endpoint == credentials.FedEndpoint
 	var managementHostname string
 	if isFEDEndpoint {
 		managementHostname = credentials.FedRampHostname
 	} else {
 		managementHostname = c.String(cfdflags.ManagementHostname)
 	}
 	mgmt := management.New(
-		c.String("management-hostname"),
+		managementHostname,
 		c.Bool("management-diagnostics"),
 		serviceIP,
-		clientID,
+		connectorID,
 		c.String(cfdflags.ConnectorLabel),
 		logger.ManagementLogger.Log,
 		logger.ManagementLogger,
@ -503,14 +466,14 @@ func StartServer(
 			sources = append(sources, ipv6.String())
 		}
-		readinessServer := metrics.NewReadyServer(clientID, tracker)
+		readinessServer := metrics.NewReadyServer(connectorID, tracker)
 		cliFlags := nonSecretCliFlags(log, c, nonSecretFlagsList)
 		diagnosticHandler := diagnostic.NewDiagnosticHandler(
 			log,
 			0,
 			diagnostic.NewSystemCollectorImpl(buildInfo.CloudflaredVersion),
 			tunnelConfig.NamedTunnel.Credentials.TunnelID,
-			clientID,
+			connectorID,
 			tracker,
 			cliFlags,
 			sources,
@ -640,7 +603,7 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 	flags := configureCloudflaredFlags(shouldHide)
 	flags = append(flags, configureProxyFlags(shouldHide)...)
 	flags = append(flags, cliutil.ConfigureLoggingFlags(shouldHide)...)
-	flags = append(flags, configureProxyDNSFlags(shouldHide)...)
+	flags = append(flags, proxydns.ConfigureProxyDNSFlags(shouldHide)...) // removed feature, only kept to not break any script that might be setting these flags
 	flags = append(flags, []cli.Flag{
 		credentialsFileFlag,
 		altsrc.NewBoolFlag(&cli.BoolFlag{
@ -1050,7 +1013,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "management-hostname",
+			Name:    cfdflags.ManagementHostname,
 			Usage:   "Management hostname to signify incoming management requests",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 			Hidden:  true,
@ -1171,57 +1134,6 @@ func sshFlags(shouldHide bool) []cli.Flag {
 	}
 }
 func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    cfdflags.ProxyDns,
 			Usage:   "Run a DNS over HTTPS proxy server.",
 			EnvVars: []string{"TUNNEL_DNS"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    "proxy-dns-port",
 			Value:   53,
 			Usage:   "Listen on given port for the DNS over HTTPS proxy server.",
 			EnvVars: []string{"TUNNEL_DNS_PORT"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "proxy-dns-address",
 			Usage:   "Listen address for the DNS over HTTPS proxy server.",
 			Value:   "localhost",
 			EnvVars: []string{"TUNNEL_DNS_ADDRESS"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
 			Name:    "proxy-dns-upstream",
 			Usage:   "Upstream endpoint URL, you can specify multiple endpoints for redundancy.",
 			Value:   cli.NewStringSlice("https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"),
 			EnvVars: []string{"TUNNEL_DNS_UPSTREAM"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
 			Name:    "proxy-dns-max-upstream-conns",
 			Usage:   "Maximum concurrent connections to upstream. Setting to 0 means unlimited.",
 			Value:   tunneldns.MaxUpstreamConnsDefault,
 			Hidden:  shouldHide,
 			EnvVars: []string{"TUNNEL_DNS_MAX_UPSTREAM_CONNS"},
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
 			Name:  "proxy-dns-bootstrap",
 			Usage: "bootstrap endpoint URL, you can specify multiple endpoints for redundancy.",
 			Value: cli.NewStringSlice(
 				"https://162.159.36.1/dns-query",
 				"https://162.159.46.1/dns-query",
 				"https://[2606:4700:4700::1111]/dns-query",
 				"https://[2606:4700:4700::1001]/dns-query",
 			),
 			EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
 			Hidden:  shouldHide,
 		}),
 	}
 }
 func stdinControl(reconnectCh chan supervisor.ReconnectSignal, log *zerolog.Logger) {
 	for {
 		scanner := bufio.NewScanner(os.Stdin)
--- a/cmd/cloudflared/tunnel/config_test.go
+++ b/cmd/cloudflared/tunnel/config_test.go
@ -1,15 +0,0 @@
 package tunnel
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/features"
 )
 func TestDedup(t *testing.T) {
 	expected := []string{"a", "b"}
 	actual := features.Dedup([]string{"a", "b", "a"})
 	require.ElementsMatch(t, expected, actual)
 }
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -10,13 +10,14 @@ import (
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/term"
 	"github.com/cloudflare/cloudflared/client"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
@ -25,6 +26,7 @@ import (
 	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/ingress/origins"
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
@ -34,7 +36,6 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
 	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 var (
@ -110,13 +111,6 @@ func isSecretEnvVar(key string) bool {
 	return false
 }
 func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
 	return c.IsSet(flags.ProxyDns) &&
 		!(c.IsSet(flags.Name) || // adhoc-named tunnel
 			c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
 			namedTunnel != nil) // named tunnel
 }
 func prepareTunnelConfig(
 	ctx context.Context,
 	c *cli.Context,
@ -125,27 +119,29 @@ func prepareTunnelConfig(
 	observer *connection.Observer,
 	namedTunnel *connection.TunnelProperties,
 ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
-	clientID, err := uuid.NewRandom()
+	transportProtocol := c.String(flags.Protocol)
 	isPostQuantumEnforced := c.Bool(flags.PostQuantum)
 	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice(flags.Features), isPostQuantumEnforced, log)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
+		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
 	}
-	log.Info().Msgf("Generated Connector ID: %s", clientID)
+
 	clientConfig, err := client.NewConfig(info.Version(), info.OSArch(), featureSelector)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Info().Msgf("Generated Connector ID: %s", clientConfig.ConnectorID)
 	tags, err := NewTagSliceFromCLI(c.StringSlice(flags.Tag))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
 		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
-	tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
+	tags = append(tags, pogs.Tag{Name: "ID", Value: clientConfig.ConnectorID.String()})
-	transportProtocol := c.String(flags.Protocol)
+	clientFeatures := featureSelector.Snapshot()
-	isPostQuantumEnforced := c.Bool(flags.PostQuantum)
+	pqMode := clientFeatures.PostQuantum
 	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice("features"), c.Bool("post-quantum"), log)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
 	}
 	clientFeatures := featureSelector.ClientFeatures()
 	pqMode := featureSelector.PostQuantumMode()
 	if pqMode == features.PostQuantumStrict {
 		// Error if the user tries to force a non-quic transport protocol
 		if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
@ -154,12 +150,6 @@ func prepareTunnelConfig(
 		transportProtocol = connection.QUIC.String()
 	}
 	namedTunnel.Client = pogs.ClientInfo{
 		ClientID: clientID[:],
 		Features: clientFeatures,
 		Version:  info.Version(),
 		Arch:     info.OSArch(),
 	}
 	cfg := config.GetConfiguration()
 	ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
 	if err != nil {
@ -223,11 +213,30 @@ func prepareTunnelConfig(
 		resolvedRegion = endpoint
 	}
 	warpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)
 	// Setup origin dialer service and virtual services
 	originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
 		DefaultDialer:   ingress.NewDialer(warpRoutingConfig),
 		TCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),
 	}, log)
 	// Setup DNS Resolver Service
 	originMetrics := origins.NewMetrics(prometheus.DefaultRegisterer)
 	dnsResolverAddrs := c.StringSlice(flags.VirtualDNSServiceResolverAddresses)
 	dnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log, originMetrics)
 	if len(dnsResolverAddrs) > 0 {
 		addrs, err := parseResolverAddrPorts(dnsResolverAddrs)
 		if err != nil {
 			return nil, nil, fmt.Errorf("invalid %s provided: %w", flags.VirtualDNSServiceResolverAddresses, err)
 		}
 		dnsService = origins.NewStaticDNSResolverService(addrs, origins.NewDNSDialer(), log, originMetrics)
 	}
 	originDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})
 	tunnelConfig := &supervisor.TunnelConfig{
 		ClientConfig:    clientConfig,
 		GracePeriod:     gracePeriod,
 		ReplaceExisting: c.Bool(flags.Force),
 		OSArch:          info.OSArch(),
 		ClientID:        clientID.String(),
 		EdgeAddrs:       c.StringSlice(flags.Edge),
 		Region:          resolvedRegion,
 		EdgeIPVersion:   edgeIPVersion,
@ -246,13 +255,14 @@ func prepareTunnelConfig(
 		NamedTunnel:                         namedTunnel,
 		ProtocolSelector:                    protocolSelector,
 		EdgeTLSConfigs:                      edgeTLSConfigs,
 		FeatureSelector:                     featureSelector,
 		MaxEdgeAddrRetries:                  uint8(c.Int(flags.MaxEdgeAddrRetries)), // nolint: gosec
 		RPCTimeout:                          c.Duration(flags.RpcTimeout),
 		WriteStreamTimeout:                  c.Duration(flags.WriteStreamTimeout),
 		DisableQUICPathMTUDiscovery:         c.Bool(flags.QuicDisablePathMTUDiscovery),
 		QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
 		QUICStreamLevelFlowControlLimit:     c.Uint64(flags.QuicStreamLevelFlowControlLimit),
 		OriginDNSService:                    dnsService,
 		OriginDialerService:                 originDialerService,
 	}
 	icmpRouter, err := newICMPRouter(c, log)
 	if err != nil {
@ -261,10 +271,10 @@ func prepareTunnelConfig(
 		tunnelConfig.ICMPRouterServer = icmpRouter
 	}
 	orchestratorConfig := &orchestration.Config{
-		Ingress:            &ingressRules,
+		Ingress:             &ingressRules,
-		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
+		WarpRouting:         warpRoutingConfig,
-		ConfigurationFlags: parseConfigFlags(c),
+		OriginDialerService: originDialerService,
-		WriteTimeout:       tunnelConfig.WriteStreamTimeout,
+		ConfigurationFlags:  parseConfigFlags(c),
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }
@ -501,3 +511,19 @@ func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
 	localAddr := localAddrPort.Addr()
 	return localAddr, nil
 }
 func parseResolverAddrPorts(input []string) ([]netip.AddrPort, error) {
 	// We don't allow more than 10 resolvers to be provided statically for the resolver service.
 	if len(input) > 10 {
 		return nil, errors.New("too many addresses provided, max: 10")
 	}
 	addrs := make([]netip.AddrPort, 0, len(input))
 	for _, val := range input {
 		addr, err := netip.ParseAddrPort(val)
 		if err != nil {
 			return nil, err
 		}
 		addrs = append(addrs, addr)
 	}
 	return addrs, nil
 }
--- a/cmd/cloudflared/tunnel/credential_finder.go
+++ b/cmd/cloudflared/tunnel/credential_finder.go
@ -63,12 +63,14 @@ func (s searchByID) Path() (string, error) {
 		Str("originCertPath", originCertPath).
 		Logger()
-	// Fallback to look for tunnel credentials in the origin cert directory
+	if originCertPath != "" {
-	if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
+		// Look for tunnel credentials in the origin cert directory if the flag is provided
-		originCertDir := filepath.Dir(originCertPath)
+		if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
-		if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
+			originCertDir := filepath.Dir(originCertPath)
-			if s.fs.validFilePath(filePath) {
+			if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
-				return filePath, nil
+				if s.fs.validFilePath(filePath) {
 					return filePath, nil
 				}
 			}
 		}
 	}
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@ -12,6 +12,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
@ -19,11 +20,10 @@ import (
 )
 const (
-	baseLoginURL = "https://dash.cloudflare.com/argotunnel"
+	baseLoginURL         = "https://dash.cloudflare.com/argotunnel"
-	callbackURL  = "https://login.cloudflareaccess.org/"
+	callbackURL          = "https://login.cloudflareaccess.org/"
-	// For now these are the same but will change in the future once we know which URLs to use (TUN-8872)
+	fedBaseLoginURL      = "https://dash.fed.cloudflare.com/argotunnel"
-	fedBaseLoginURL      = "https://dash.cloudflare.com/argotunnel"
+	fedCallbackStoreURL  = "https://login.fed.cloudflareaccess.org/"
 	fedCallbackStoreURL  = "https://login.cloudflareaccess.org/"
 	fedRAMPParamName     = "fedramp"
 	loginURLParamName    = "loginURL"
 	callbackURLParamName = "callbackURL"
@ -97,6 +97,8 @@ func login(c *cli.Context) error {
 		callbackStoreURL,
 		false,
 		false,
 		c.Bool(cfdflags.AutoCloseInterstitial),
 		isFEDRamp,
 		log,
 	)
 	if err != nil {
--- a/cmd/cloudflared/tunnel/server.go
+++ b/cmd/cloudflared/tunnel/server.go
@ -1,37 +0,0 @@
 package tunnel
 import (
 	"fmt"
 	"github.com/cloudflare/cloudflared/tunneldns"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 )
 func runDNSProxyServer(c *cli.Context, dnsReadySignal chan struct{}, shutdownC <-chan struct{}, log *zerolog.Logger) error {
 	port := c.Int("proxy-dns-port")
 	if port <= 0 || port > 65535 {
 		return errors.New("The 'proxy-dns-port' must be a valid port number in <1, 65535> range.")
 	}
 	maxUpstreamConnections := c.Int("proxy-dns-max-upstream-conns")
 	if maxUpstreamConnections < 0 {
 		return fmt.Errorf("'%s' must be 0 or higher", "proxy-dns-max-upstream-conns")
 	}
 	listener, err := tunneldns.CreateListener(c.String("proxy-dns-address"), uint16(port), c.StringSlice("proxy-dns-upstream"), c.StringSlice("proxy-dns-bootstrap"), maxUpstreamConnections, log)
 	if err != nil {
 		close(dnsReadySignal)
 		listener.Stop()
 		return errors.Wrap(err, "Cannot create the DNS over HTTPS proxy server")
 	}
 	err = listener.Start(dnsReadySignal)
 	if err != nil {
 		return errors.Wrap(err, "Cannot start the DNS over HTTPS proxy server")
 	}
 	<-shutdownC
 	_ = listener.Stop()
 	log.Info().Msg("DNS server stopped")
 	return nil
 }
--- a/cmd/cloudflared/tunnel/subcommand_context.go
+++ b/cmd/cloudflared/tunnel/subcommand_context.go
@ -9,6 +9,7 @@ import (
 	"strings"
 	"github.com/google/uuid"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@ -54,7 +55,12 @@ func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
 // Returns something that can find the given tunnel's credentials file.
 func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
 	if path := sc.c.String(CredFileFlag); path != "" {
-		return newStaticPath(path, sc.fs)
+		// Expand path if CredFileFlag contains `~`
 		absPath, err := homedir.Expand(path)
 		if err != nil {
 			return newStaticPath(path, sc.fs)
 		}
 		return newStaticPath(absPath, sc.fs)
 	}
 	return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
 }
@ -106,7 +112,7 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
 	var credentials connection.Credentials
 	if err = json.Unmarshal(body, &credentials); err != nil {
-		if strings.HasSuffix(filePath, ".pem") {
+		if filepath.Ext(filePath) == ".pem" {
 			return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " +
 				"The tunnel credentials file was originally created by `cloudflared tunnel create`. " +
 				"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " +
@ -149,10 +155,12 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 	if err != nil {
 		return nil, err
 	}
 	tunnelCredentials := connection.Credentials{
 		AccountTag:   credential.AccountID(),
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
 		Endpoint:     credential.Endpoint(),
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {
--- a/cmd/cloudflared/tunnel/subcommands.go
+++ b/cmd/cloudflared/tunnel/subcommands.go
@ -41,6 +41,7 @@ const (
 	CredFileFlag            = "credentials-file"
 	CredContentsFlag        = "credentials-contents"
 	TunnelTokenFlag         = "token"
 	TunnelTokenFileFlag     = "token-file"
 	overwriteDNSFlagName    = "overwrite-dns"
 	noDiagLogsFlagName      = "no-diag-logs"
 	noDiagMetricsFlagName   = "no-diag-metrics"
@ -126,9 +127,14 @@ var (
 	})
 	tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFlag,
-		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence.",
+		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence. Also takes precedence over token-file",
 		EnvVars: []string{"TUNNEL_TOKEN"},
 	})
 	tunnelTokenFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFileFlag,
 		Usage:   "Filepath at which to read the tunnel token. When provided along with credentials, this will take precedence.",
 		EnvVars: []string{"TUNNEL_TOKEN_FILE"},
 	})
 	forceDeleteFlag = &cli.BoolFlag{
 		Name:    flags.Force,
 		Aliases: []string{"f"},
@ -235,6 +241,11 @@ var (
 		Usage:   "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
 		EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
 	}
 	dnsResolverAddrsFlag = &cli.StringSliceFlag{
 		Name:    flags.VirtualDNSServiceResolverAddresses,
 		Usage:   "Overrides the dynamic DNS resolver resolution to use these address:port's instead.",
 		EnvVars: []string{"TUNNEL_DNS_RESOLVER_ADDRS"},
 	}
 )
 func buildCreateCommand() *cli.Command {
@ -708,9 +719,11 @@ func buildRunCommand() *cli.Command {
 		selectProtocolFlag,
 		featuresFlag,
 		tunnelTokenFlag,
 		tunnelTokenFileFlag,
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
 		maxActiveFlowsFlag,
 		dnsResolverAddrsFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
@ -748,12 +761,22 @@ func runCommand(c *cli.Context) error {
 			"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
 	}
 	tokenStr := c.String(TunnelTokenFlag)
 	// Check if tokenStr is blank before checking for tokenFile
 	if tokenStr == "" {
 		if tokenFile := c.String(TunnelTokenFileFlag); tokenFile != "" {
 			data, err := os.ReadFile(tokenFile)
 			if err != nil {
 				return cliutil.UsageError("Failed to read token file: %s", err.Error())
 			}
 			tokenStr = strings.TrimSpace(string(data))
 		}
 	}
 	// Check if token is provided and if not use default tunnelID flag method
-	if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
+	if tokenStr != "" {
 		if token, err := ParseToken(tokenStr); err == nil {
 			return sc.runWithCredentials(token.Credentials())
 		}
 		return cliutil.UsageError("Provided Tunnel token is not valid.")
 	} else {
 		tunnelRef := c.Args().First()
--- a/cmd/cloudflared/tunnel/teamnet_subcommands.go
+++ b/cmd/cloudflared/tunnel/teamnet_subcommands.go
@ -22,7 +22,7 @@ var (
 		Usage:   "The ID or name of the virtual network to which the route is associated to.",
 	}
-	routeAddError = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
+	errAddRoute = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
 )
 func buildRouteIPSubcommand() *cli.Command {
@ -32,7 +32,7 @@ func buildRouteIPSubcommand() *cli.Command {
 		UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
 		Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
 your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
-client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
+client. You can then configure L7/L4 filtering on https://one.dash.cloudflare.com to
 determine who can reach certain routes.
 By default IP routes all exist within a single virtual network. If you use the same IP
 space(s) in different physical private networks, all meant to be reachable via IP routes,
@ -187,7 +187,7 @@ func deleteRouteCommand(c *cli.Context) error {
 	}
 	if c.NArg() != 1 {
-		return routeAddError
+		return errAddRoute
 	}
 	var routeId uuid.UUID
@ -195,7 +195,7 @@ func deleteRouteCommand(c *cli.Context) error {
 	if err != nil {
 		_, network, err := net.ParseCIDR(c.Args().First())
 		if err != nil || network == nil {
-			return routeAddError
+			return errAddRoute
 		}
 		var vnetId *uuid.UUID
--- a/cmd/cloudflared/updater/update.go
+++ b/cmd/cloudflared/updater/update.go
@ -22,7 +22,7 @@ import (
 const (
 	DefaultCheckUpdateFreq        = time.Hour * 24
-	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/"
+	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/"
 	noUpdateOnWindowsMessage      = "cloudflared will not automatically update on Windows systems."
 	noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager."
 	isManagedInstallFile          = ".installedFromPackageManager"
--- a/cmd/cloudflared/updater/workers_update.go
+++ b/cmd/cloudflared/updater/workers_update.go
@ -10,9 +10,9 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"text/template"
 	"time"
@ -134,7 +134,7 @@ func (v *WorkersVersion) Apply() error {
 	if err := os.Rename(newFilePath, v.targetPath); err != nil {
 		//attempt rollback
-		os.Rename(oldFilePath, v.targetPath)
+		_ = os.Rename(oldFilePath, v.targetPath)
 		return err
 	}
 	os.Remove(oldFilePath)
@ -181,7 +181,7 @@ func download(url, filepath string, isCompressed bool) error {
 		tr := tar.NewReader(gr)
 		// advance the reader pass the header, which will be the single binary file
-		tr.Next()
+		_, _ = tr.Next()
 		r = tr
 	}
@ -198,7 +198,7 @@ func download(url, filepath string, isCompressed bool) error {
 // isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped
 func isCompressedFile(urlstring string) bool {
-	if strings.HasSuffix(urlstring, ".tgz") {
+	if path.Ext(urlstring) == ".tgz" {
 		return true
 	}
@ -206,7 +206,7 @@ func isCompressedFile(urlstring string) bool {
 	if err != nil {
 		return false
 	}
-	return strings.HasSuffix(u.Path, ".tgz")
+	return path.Ext(u.Path) == ".tgz"
 }
 // writeBatchFile writes a batch file out to disk
@ -249,7 +249,6 @@ func runWindowsBatch(batchFile string) error {
 		if exitError, ok := err.(*exec.ExitError); ok {
 			return fmt.Errorf("Error during update : %s;", string(exitError.Stderr))
 		}
 	}
 	return err
 }
--- a/cmd/cloudflared/windows_service.go
+++ b/cmd/cloudflared/windows_service.go
@ -26,7 +26,7 @@ import (
 const (
 	windowsServiceName        = "Cloudflared"
 	windowsServiceDescription = "Cloudflared agent"
-	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/windows/"
+	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/windows/"
 	recoverActionDelay      = time.Second * 20
 	failureCountResetPeriod = time.Hour * 24
@ -190,7 +190,7 @@ func installWindowsService(c *cli.Context) error {
 	log := zeroLogger.With().Str(LogFieldWindowsServiceName, windowsServiceName).Logger()
 	if err == nil {
 		s.Close()
-		return fmt.Errorf(serviceAlreadyExistsWarn(windowsServiceName))
+		return errors.New(serviceAlreadyExistsWarn(windowsServiceName))
 	}
 	extraArgs, err := getServiceExtraArgsFromCliArgs(c, &log)
 	if err != nil {
@ -238,7 +238,7 @@ func uninstallWindowsService(c *cli.Context) error {
 	defer m.Disconnect()
 	s, err := m.OpenService(windowsServiceName)
 	if err != nil {
-		return fmt.Errorf("Agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
+		return fmt.Errorf("agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
 	}
 	defer s.Close()
--- a/component-tests/cli.py
+++ b/component-tests/cli.py
@ -30,7 +30,7 @@ class CloudflaredCli:
        listed = self._run_command(cmd_args, "list")
        return json.loads(listed.stdout)
-    def get_management_token(self, config, config_path):
+    def get_management_token(self, config, config_path, resource):
        basecmd = [config.cloudflared_binary]
        if config_path is not None:
            basecmd += ["--config", str(config_path)]
@ -38,18 +38,35 @@ class CloudflaredCli:
        if origincert:
            basecmd += ["--origincert", origincert]
-        cmd_args = ["tail", "token", config.get_tunnel_id()]
+        cmd_args = ["management", "token", "--resource", resource, config.get_tunnel_id()]
        cmd = basecmd + cmd_args
        result = run_subprocess(cmd, "token", self.logger, check=True, capture_output=True, timeout=15)
        return json.loads(result.stdout.decode("utf-8").strip())["token"]
-    def get_management_url(self, path, config, config_path):
+    def get_tail_token(self, config, config_path):
-        access_jwt = self.get_management_token(config, config_path)
+        """
        Get management token using the 'tail token' command.
        Returns a token scoped for 'logs' resource.
        """
        basecmd = [config.cloudflared_binary]
        if config_path is not None:
            basecmd += ["--config", str(config_path)]
        origincert = get_config_from_file()["origincert"]
        if origincert:
            basecmd += ["--origincert", origincert]
        cmd_args = ["tail", "token", config.get_tunnel_id()]
        cmd = basecmd + cmd_args
        result = run_subprocess(cmd, "tail-token", self.logger, check=True, capture_output=True, timeout=15)
        return json.loads(result.stdout.decode("utf-8").strip())["token"]
    def get_management_url(self, path, config, config_path, resource):
        access_jwt = self.get_management_token(config, config_path, resource)
        connector_id = get_tunnel_connector_id()
        return f"https://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}"
-    def get_management_wsurl(self, path, config, config_path):
+    def get_management_wsurl(self, path, config, config_path, resource):
-        access_jwt = self.get_management_token(config, config_path)
+        access_jwt = self.get_management_token(config, config_path, resource)
        connector_id = get_tunnel_connector_id()
        return f"wss://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}"
--- a/component-tests/config.py
+++ b/component-tests/config.py
@ -5,7 +5,7 @@ import base64
 from dataclasses import dataclass, InitVar
-from constants import METRICS_PORT, PROXY_DNS_PORT
+from constants import METRICS_PORT
 # frozen=True raises exception when assigning to fields. This emulates immutability
@ -99,10 +99,3 @@ class QuickTunnelConfig(BaseConfig):
        object.__setattr__(self, 'full_config',
                           self.merge_config(additional_config))
@dataclass(frozen=True)
 class ProxyDnsConfig(BaseConfig):
    full_config = {
        "port": PROXY_DNS_PORT,
        "no-autoupdate": True,
    }
--- a/component-tests/conftest.py
+++ b/component-tests/conftest.py
@ -5,15 +5,14 @@ from time import sleep
 import pytest
 import yaml
-from config import NamedTunnelConfig, ProxyDnsConfig, QuickTunnelConfig
+from config import NamedTunnelConfig, QuickTunnelConfig
-from constants import BACKOFF_SECS, PROXY_DNS_PORT
+from constants import BACKOFF_SECS
 from util import LOGGER
 class CfdModes(Enum):
    NAMED = auto()
    QUICK = auto()
    PROXY_DNS = auto()
@pytest.fixture(scope="session")
@ -26,16 +25,7 @@ def component_tests_config():
        config = yaml.safe_load(stream)
        LOGGER.info(f"component tests base config {config}")
-        def _component_tests_config(additional_config={}, cfd_mode=CfdModes.NAMED, run_proxy_dns=True, provide_ingress=True):
+        def _component_tests_config(additional_config={}, cfd_mode=CfdModes.NAMED, provide_ingress=True):
            if run_proxy_dns:
                # Regression test for TUN-4177, running with proxy-dns should not prevent tunnels from running.
                # So we run all tests with it.
                additional_config["proxy-dns"] = True
                additional_config["proxy-dns-port"] = PROXY_DNS_PORT
            else:
                additional_config.pop("proxy-dns", None)
                additional_config.pop("proxy-dns-port", None)
            # Allows the ingress rules to be omitted from the provided config
            ingress = []
            if provide_ingress:
@ -51,8 +41,6 @@ def component_tests_config():
                                         credentials_file=config['credentials_file'],
                                         ingress=ingress,
                                         hostname=hostname)
            elif cfd_mode is CfdModes.PROXY_DNS:
                return ProxyDnsConfig(cloudflared_binary=config['cloudflared_binary'])
            elif cfd_mode is CfdModes.QUICK:
                return QuickTunnelConfig(additional_config=additional_config, cloudflared_binary=config['cloudflared_binary'])
            else:
--- a/component-tests/constants.py
+++ b/component-tests/constants.py
@ -3,7 +3,6 @@ MAX_RETRIES = 5
 BACKOFF_SECS = 7
 MAX_LOG_LINES = 50
 PROXY_DNS_PORT = 9053
 MANAGEMENT_HOST_NAME = "management.argotunnel.com"
--- a/component-tests/test_management.py
+++ b/component-tests/test_management.py
@ -1,10 +1,11 @@
 #!/usr/bin/env python
 import json
 import requests
 from conftest import CfdModes
 from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
 from retrying import retry
 from cli import CloudflaredCli
-from util import LOGGER, write_config, start_cloudflared, wait_tunnel_ready, send_requests
+from util import LOGGER, write_config, start_cloudflared, wait_tunnel_ready, send_requests, decode_jwt_payload
 import platform
 """
@ -25,7 +26,7 @@ class TestManagement:
        # Skipping this test for windows for now and will address it as part of tun-7377
        if platform.system() == "Windows":
            return
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        headers = {}
        headers["Content-Type"] = "application/json"
@ -35,7 +36,7 @@ class TestManagement:
                              require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
            connector_id = cfd_cli.get_connector_id(config)[0]
-            url = cfd_cli.get_management_url("host_details", config, config_path)
+            url = cfd_cli.get_management_url("host_details", config, config_path, resource="host_details")
            resp = send_request(url, headers=headers)
            # Assert response json.
@ -52,13 +53,13 @@ class TestManagement:
        # Skipping this test for windows for now and will address it as part of tun-7377
        if platform.system() == "Windows":
            return
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
-            url = cfd_cli.get_management_url("metrics", config, config_path)
+            url = cfd_cli.get_management_url("metrics", config, config_path, resource="admin")
            resp = send_request(url)
            # Assert response.
@ -73,13 +74,13 @@ class TestManagement:
        # Skipping this test for windows for now and will address it as part of tun-7377
        if platform.system() == "Windows":
            return
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
-            url = cfd_cli.get_management_url("debug/pprof/heap", config, config_path)
+            url = cfd_cli.get_management_url("debug/pprof/heap", config, config_path, resource="admin")
            resp = send_request(url)
            # Assert response.
@ -94,20 +95,59 @@ class TestManagement:
        # Skipping this test for windows for now and will address it as part of tun-7377
        if platform.system() == "Windows":
            return
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1", "--management-diagnostics=false"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
-            url = cfd_cli.get_management_url("metrics", config, config_path)
+            url = cfd_cli.get_management_url("metrics", config, config_path, resource="admin")
            resp = send_request(url)
            # Assert response.
            assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
    def test_tail_token_command(self, tmp_path, component_tests_config):
        """
        Validates that 'cloudflared tail token' command returns a token 
        scoped for 'logs' and 'ping' resources.
        """
        # TUN-7377: wait_tunnel_ready does not work properly in windows
        if platform.system() == "Windows":
            return
        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        cfd_cli = CloudflaredCli(config, config_path, LOGGER)
        token = cfd_cli.get_tail_token(config, config_path)
        # Verify token was returned
        assert token, "Expected non-empty token to be returned"
        # Decode JWT payload to verify resource claims
        claims = decode_jwt_payload(token)
        resource_tag = 'res'
        # Verify the token has 'logs' and 'ping' in resource array
        assert resource_tag in claims, f"Expected {resource_tag} claim in token"
        assert isinstance(claims['res'], list), f"Expected {resource_tag} to be an array"
        assert 'logs' in claims[resource_tag], \
            f"Expected 'logs' in resource array, got: {claims[resource_tag]}"
        assert 'ping' in claims[resource_tag], \
            f"Expected 'ping' in resource array, got: {claims[resource_tag]}"
        LOGGER.info(f"Tail token successfully verified with resources: {claims[resource_tag]}")
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def send_request(url, headers={}):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
        if resp.status_code == 530:
            LOGGER.debug(f"Received 530 status, retrying request to {url}")
            raise Exception(f"Received 530 status code from {url}")
        return resp
--- a/component-tests/test_proxy_dns.py
+++ b/component-tests/test_proxy_dns.py
@ -1,62 +0,0 @@
 #!/usr/bin/env python
 import socket
 from time import sleep
 import constants
 from conftest import CfdModes
 from util import start_cloudflared, wait_tunnel_ready, check_tunnel_not_connected
 # Sanity checks that test that we only run Proxy DNS and Tunnel when we really expect them to be there.
 class TestProxyDns:
    def test_proxy_dns_with_named_tunnel(self, tmp_path, component_tests_config):
        run_test_scenario(tmp_path, component_tests_config, CfdModes.NAMED, run_proxy_dns=True)
    def test_proxy_dns_alone(self, tmp_path, component_tests_config):
        run_test_scenario(tmp_path, component_tests_config, CfdModes.PROXY_DNS, run_proxy_dns=True)
    def test_named_tunnel_alone(self, tmp_path, component_tests_config):
        run_test_scenario(tmp_path, component_tests_config, CfdModes.NAMED, run_proxy_dns=False)
 def run_test_scenario(tmp_path, component_tests_config, cfd_mode, run_proxy_dns):
    expect_proxy_dns = run_proxy_dns
    expect_tunnel = False
    if cfd_mode == CfdModes.NAMED:
        expect_tunnel = True
        pre_args = ["tunnel", "--ha-connections", "1"]
        args = ["run"]
    elif cfd_mode == CfdModes.PROXY_DNS:
        expect_proxy_dns = True
        pre_args = []
        args = ["proxy-dns", "--port", str(constants.PROXY_DNS_PORT)]
    else:
        assert False, f"Unknown cfd_mode {cfd_mode}"
    config = component_tests_config(cfd_mode=cfd_mode, run_proxy_dns=run_proxy_dns)
    with start_cloudflared(tmp_path, config, cfd_pre_args=pre_args, cfd_args=args, new_process=True, capture_output=False):
        if expect_tunnel:
            wait_tunnel_ready()
        else:
            check_tunnel_not_connected()
        verify_proxy_dns(expect_proxy_dns)
 def verify_proxy_dns(should_be_running):
    # Wait for the Proxy DNS listener to come up.
    sleep(constants.BACKOFF_SECS)
    had_failure = False
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect(('localhost', constants.PROXY_DNS_PORT))
        sock.send(b"anything")
    except:
        if should_be_running:
            assert False, "Expected Proxy DNS to be running, but it was not."
        had_failure = True
    finally:
        sock.close()
    if not should_be_running and not had_failure:
        assert False, "Proxy DNS should not have been running, but it was."
--- a/component-tests/test_quicktunnels.py
+++ b/component-tests/test_quicktunnels.py
@ -6,7 +6,7 @@ from util import LOGGER, start_cloudflared, wait_tunnel_ready, get_quicktunnel_u
 class TestQuickTunnels:
    def test_quick_tunnel(self, tmp_path, component_tests_config):
-        config = component_tests_config(cfd_mode=CfdModes.QUICK, run_proxy_dns=False)
+        config = component_tests_config(cfd_mode=CfdModes.QUICK)
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["--hello-world"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
@ -15,22 +15,10 @@ class TestQuickTunnels:
            send_requests(url, 3, True)
    def test_quick_tunnel_url(self, tmp_path, component_tests_config):
-        config = component_tests_config(cfd_mode=CfdModes.QUICK, run_proxy_dns=False)
+        config = component_tests_config(cfd_mode=CfdModes.QUICK)
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["--url", f"http://localhost:{METRICS_PORT}/"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
            time.sleep(10)
            url = get_quicktunnel_url()
            send_requests(url+"/ready", 3, True)
    def test_quick_tunnel_proxy_dns_url(self, tmp_path, component_tests_config):
        config = component_tests_config(cfd_mode=CfdModes.QUICK, run_proxy_dns=True)
        LOGGER.debug(config)
        failed_start = start_cloudflared(tmp_path, config, cfd_args=["--url", f"http://localhost:{METRICS_PORT}/"], expect_success=False)
        assert failed_start.returncode == 1, "Expected cloudflared to fail to run with `proxy-dns` and `hello-world`"
    def test_quick_tunnel_proxy_dns_hello_world(self, tmp_path, component_tests_config):
        config = component_tests_config(cfd_mode=CfdModes.QUICK, run_proxy_dns=True)
        LOGGER.debug(config)
        failed_start = start_cloudflared(tmp_path, config, cfd_args=["--hello-world"], expect_success=False)
        assert failed_start.returncode == 1, "Expected cloudflared to fail to run with `proxy-dns` and `url`"
--- a/component-tests/test_service.py
+++ b/component-tests/test_service.py
@ -9,7 +9,7 @@ import pytest
 import test_logging
 from conftest import CfdModes
-from util import select_platform, start_cloudflared, wait_tunnel_ready, write_config
+from util import select_platform, skip_on_ci, start_cloudflared, wait_tunnel_ready, write_config
 def default_config_dir():
@ -82,6 +82,7 @@ class TestServiceMode:
        os.remove(default_config_file())
        self.launchctl_cmd("list", success=False)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
@ -98,6 +99,7 @@ class TestServiceMode:
        self.sysv_service_scenario(config, tmp_path, assert_log_file)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
@ -116,6 +118,7 @@ class TestServiceMode:
        self.sysv_service_scenario(config, tmp_path, assert_rotating_log)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
--- a/component-tests/test_tail.py
+++ b/component-tests/test_tail.py
@ -19,13 +19,13 @@ class TestTail:
        with the access token and start and stop streaming on-demand.
        """
        print("test_start_stop_streaming")
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
            wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
-            url = cfd_cli.get_management_wsurl("logs", config, config_path)
+            url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs")
            async with connect(url, open_timeout=5, close_timeout=3) as websocket:
                await websocket.send('{"type": "start_streaming"}')
                await websocket.send('{"type": "stop_streaming"}')
@ -38,13 +38,13 @@ class TestTail:
        Validates that a streaming logs connection will stream logs
        """
        print("test_streaming_logs")
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
            wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
-            url = cfd_cli.get_management_wsurl("logs", config, config_path)
+            url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs")
            async with connect(url, open_timeout=5, close_timeout=5) as websocket:
                # send start_streaming
                await websocket.send(json.dumps({
@ -65,13 +65,13 @@ class TestTail:
        but not http when filters applied.
        """
        print("test_streaming_logs_filters")
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
            wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
-            url = cfd_cli.get_management_wsurl("logs", config, config_path)
+            url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs")
            async with connect(url, open_timeout=5, close_timeout=5) as websocket:
                # send start_streaming with tcp logs only
                await websocket.send(json.dumps({
@ -92,13 +92,13 @@ class TestTail:
        Validates that a streaming logs connection will stream logs with sampling.
        """
        print("test_streaming_logs_sampling")
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
            wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
-            url = cfd_cli.get_management_wsurl("logs", config, config_path)
+            url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs")
            async with connect(url, open_timeout=5, close_timeout=5) as websocket:
                # send start_streaming with info logs only
                await websocket.send(json.dumps({
@ -120,13 +120,13 @@ class TestTail:
        Validates that a streaming logs session can be overriden by the same actor 
        """
        print("test_streaming_logs_actor_override")
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        config_path = write_config(tmp_path, config.full_config)
        with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
            wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
            cfd_cli = CloudflaredCli(config, config_path, LOGGER)
-            url = cfd_cli.get_management_wsurl("logs", config, config_path)
+            url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs")
            task = asyncio.ensure_future(start_streaming_to_be_remotely_closed(url))
            override_task = asyncio.ensure_future(start_streaming_override(url))
            await asyncio.wait([task, override_task])
--- a/component-tests/test_token.py
+++ b/component-tests/test_token.py
@ -1,7 +1,7 @@
 import base64
 import json
-from setup import get_config_from_file, persist_origin_cert
+from setup import get_config_from_file
 from util import start_cloudflared
--- a/component-tests/test_tunnel.py
+++ b/component-tests/test_tunnel.py
@ -11,14 +11,14 @@ class TestTunnel:
    '''Test tunnels with no ingress rules from config.yaml but ingress rules from CLI only'''
    def test_tunnel_hello_world(self, tmp_path, component_tests_config):
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run", "--hello-world"], new_process=True):
            wait_tunnel_ready(tunnel_url=config.get_url(),
                              require_min_connections=1)
    def test_tunnel_url(self, tmp_path, component_tests_config):
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run", "--url", f"http://localhost:{METRICS_PORT}/"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
@ -29,17 +29,24 @@ class TestTunnel:
        Running a tunnel with no ingress rules provided from either config.yaml or CLI will still work but return 503
        for all incoming requests.
        '''
-        config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
+        config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
-            resp = send_request(config.get_url()+"/")
+            expected_status_code = 503
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/", expected_status_code)
-            resp = send_request(config.get_url()+"/test")
+            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/test", expected_status_code)
            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
 def retry_if_result_none(result):
    '''
    Returns True if the result is None, indicating that the function should be retried.
    '''
    return result is None
-@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
+@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
-def send_request(url, headers={}):
+def send_request(url, expected_status_code=200):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS)
        return resp if resp.status_code == expected_status_code else None
--- a/component-tests/util.py
+++ b/component-tests/util.py
@ -10,7 +10,6 @@ import pytest
 import requests
 import yaml
 import json
 from retrying import retry
 from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
@ -35,6 +34,12 @@ def fips_enabled():
 nofips = pytest.mark.skipif(
        fips_enabled(), reason=f"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)")
 def skip_on_ci(reason):
    env_ci = os.getenv("CI")
    running_in_ci = env_ci is not None and env_ci != "0"
    return pytest.mark.skipif(
        running_in_ci, reason=f"This test can't run on CI due to: {reason}")
 def write_config(directory, config):
    config_path = directory / "config.yml"
    with open(config_path, 'w') as outfile:
@ -111,6 +116,7 @@ def inner_wait_tunnel_ready(tunnel_url=None, require_min_connections=1):
    metrics_url = f'http://localhost:{METRICS_PORT}/ready'
    with requests.Session() as s:
        LOGGER.debug("Waiting for tunnel to be ready...")
        resp = send_request(s, metrics_url, True)
        ready_connections = resp.json()["readyConnections"]
@ -179,3 +185,49 @@ def send_request(session, url, require_ok):
    if require_ok:
        assert resp.status_code == 200, f"{url} returned {resp}"
    return resp if resp.status_code == 200 else None
 def decode_jwt_payload(token):
    """
    Decode the payload section of a JWT token without signature verification.
    JWT Structure:
    ==============
    A JWT consists of three Base64URL-encoded parts separated by dots:
        HEADER.PAYLOAD.SIGNATURE
    The payload contains the JWT claims (the actual data/permissions).
    Args:
        token (str): The complete JWT token string
    Returns:
        dict: The decoded payload as a dictionary containing JWT claims
    Raises:
        ValueError: If the token doesn't have exactly 3 parts
    Note:
        This function does NOT verify the signature - it only decodes the payload.
        Use this only when you trust the token source (e.g., tokens you just generated).
    """
    import base64
    import json
    # Split JWT into its three components
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError(f"Invalid JWT format: expected 3 parts, got {len(parts)}")
    # Extract and decode the payload (middle section)
    # Base64 requires padding to be a multiple of 4 characters
    payload_encoded = parts[1]
    remainder = len(payload_encoded) % 4
    if remainder != 0:
        payload_padded = payload_encoded + '=' * (4 - remainder)
    else:
        payload_padded = payload_encoded
    # Decode from Base64URL format and parse JSON
    decoded_payload = base64.urlsafe_b64decode(payload_padded)
    return json.loads(decoded_payload)
--- a/config/configuration.go
+++ b/config/configuration.go
@ -242,6 +242,8 @@ type AccessConfig struct {
 	// AudTag is the AudTag to verify access JWT against.
 	AudTag []string `yaml:"audTag" json:"audTag"`
 	Environment string `yaml:"environment" json:"environment,omitempty"`
 }
 type IngressIPRule struct {
--- a/config/model.go
+++ b/config/model.go
@ -1,12 +1,9 @@
 package config
 import (
-	"crypto/md5"
+	"crypto/sha256"
 	"fmt"
 	"io"
 	"strings"
 	"github.com/cloudflare/cloudflared/tunneldns"
 )
 // Forwarder represents a client side listener to forward traffic to the edge
@ -16,6 +13,7 @@ type Forwarder struct {
 	TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
 	TokenSecret   string `json:"secret_token_id" yaml:"serviceTokenSecret"`
 	Destination   string `json:"destination"`
 	IsFedramp     bool   `json:"is_fedramp" yaml:"isFedramp"`
 }
 // Tunnel represents a tunnel that should be started
@ -25,89 +23,22 @@ type Tunnel struct {
 	ProtocolType string `json:"type"`
 }
-// DNSResolver represents a client side DNS resolver
+// Root is the base options to configure the service.
 type DNSResolver struct {
 	Enabled                bool     `json:"enabled"`
 	Address                string   `json:"address,omitempty"`
 	Port                   uint16   `json:"port,omitempty"`
 	Upstreams              []string `json:"upstreams,omitempty"`
 	Bootstraps             []string `json:"bootstraps,omitempty"`
 	MaxUpstreamConnections int      `json:"max_upstream_connections,omitempty"`
 }
 // Root is the base options to configure the service
 type Root struct {
 	LogDirectory string      `json:"log_directory" yaml:"logDirectory,omitempty"`
 	LogLevel     string      `json:"log_level" yaml:"logLevel,omitempty"`
 	Forwarders   []Forwarder `json:"forwarders,omitempty" yaml:"forwarders,omitempty"`
 	Tunnels      []Tunnel    `json:"tunnels,omitempty" yaml:"tunnels,omitempty"`
-	Resolver     DNSResolver `json:"resolver,omitempty" yaml:"resolver,omitempty"`
+	// `resolver` key is reserved for a removed feature (proxy-dns) and should not be used.
 }
 // Hash returns the computed values to see if the forwarder values change
 func (f *Forwarder) Hash() string {
-	h := md5.New()
+	h := sha256.New()
-	io.WriteString(h, f.URL)
+	_, _ = io.WriteString(h, f.URL)
-	io.WriteString(h, f.Listener)
+	_, _ = io.WriteString(h, f.Listener)
-	io.WriteString(h, f.TokenClientID)
+	_, _ = io.WriteString(h, f.TokenClientID)
-	io.WriteString(h, f.TokenSecret)
+	_, _ = io.WriteString(h, f.TokenSecret)
-	io.WriteString(h, f.Destination)
+	_, _ = io.WriteString(h, f.Destination)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
 // Hash returns the computed values to see if the forwarder values change
 func (r *DNSResolver) Hash() string {
 	h := md5.New()
 	io.WriteString(h, r.Address)
 	io.WriteString(h, strings.Join(r.Bootstraps, ","))
 	io.WriteString(h, strings.Join(r.Upstreams, ","))
 	io.WriteString(h, fmt.Sprintf("%d", r.Port))
 	io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
 	io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
 // EnabledOrDefault returns the enabled property
 func (r *DNSResolver) EnabledOrDefault() bool {
 	return r.Enabled
 }
 // AddressOrDefault returns the address or returns the default if empty
 func (r *DNSResolver) AddressOrDefault() string {
 	if r.Address != "" {
 		return r.Address
 	}
 	return "localhost"
 }
 // PortOrDefault return the port or returns the default if 0
 func (r *DNSResolver) PortOrDefault() uint16 {
 	if r.Port > 0 {
 		return r.Port
 	}
 	return 53
 }
 // UpstreamsOrDefault returns the upstreams or returns the default if empty
 func (r *DNSResolver) UpstreamsOrDefault() []string {
 	if len(r.Upstreams) > 0 {
 		return r.Upstreams
 	}
 	return []string{"https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"}
 }
 // BootstrapsOrDefault returns the bootstraps or returns the default if empty
 func (r *DNSResolver) BootstrapsOrDefault() []string {
 	if len(r.Bootstraps) > 0 {
 		return r.Bootstraps
 	}
 	return []string{"https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"}
 }
 // MaxUpstreamConnectionsOrDefault return the max upstream connections or returns the default if negative
 func (r *DNSResolver) MaxUpstreamConnectionsOrDefault() int {
 	if r.MaxUpstreamConnections >= 0 {
 		return r.MaxUpstreamConnections
 	}
 	return tunneldns.MaxUpstreamConnsDefault
 }
--- a/connection/connection.go
+++ b/connection/connection.go
@ -26,14 +26,20 @@ const (
 	MaxGracePeriod         = time.Minute * 3
 	MaxConcurrentStreams   = math.MaxUint32
-	contentTypeHeader = "content-type"
+	contentTypeHeader      = "content-type"
-	sseContentType    = "text/event-stream"
+	contentLengthHeader    = "content-length"
-	grpcContentType   = "application/grpc"
+	transferEncodingHeader = "transfer-encoding"
 	sseContentType     = "text/event-stream"
 	grpcContentType    = "application/grpc"
 	sseJsonContentType = "application/x-ndjson"
 	chunkTransferEncoding = "chunked"
 )
 var (
 	switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))
-	flushableContentTypes = []string{sseContentType, grpcContentType}
+	flushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType}
 )
 // TunnelConnection represents the connection to the edge.
@ -51,7 +57,6 @@ type Orchestrator interface {
 type TunnelProperties struct {
 	Credentials    Credentials
 	Client         pogs.ClientInfo
 	QuickTunnelUrl string
 }
@ -274,6 +279,22 @@ type ConnectedFuse interface {
 // Helper method to let the caller know what content-types should require a flush on every
 // write to a ResponseWriter.
 func shouldFlush(headers http.Header) bool {
 	// When doing Server Side Events (SSE), some frameworks don't respect the `Content-Type` header.
 	// Therefore, we need to rely on other ways to know whether we should flush on write or not. A good
 	// approach is to assume that responses without `Content-Length` or with `Transfer-Encoding: chunked`
 	// are streams, and therefore, should be flushed right away to the eyeball.
 	// References:
 	// - https://datatracker.ietf.org/doc/html/rfc7230#section-4.1
 	// - https://datatracker.ietf.org/doc/html/rfc9112#section-6.1
 	if contentLength := headers.Get(contentLengthHeader); contentLength == "" {
 		return true
 	}
 	if transferEncoding := headers.Get(transferEncodingHeader); transferEncoding != "" {
 		transferEncoding = strings.ToLower(transferEncoding)
 		if strings.Contains(transferEncoding, chunkTransferEncoding) {
 			return true
 		}
 	}
 	if contentType := headers.Get(contentTypeHeader); contentType != "" {
 		contentType = strings.ToLower(contentType)
 		for _, c := range flushableContentTypes {
@ -282,7 +303,6 @@ func shouldFlush(headers http.Header) bool {
 			}
 		}
 	}
 	return false
 }
--- a/connection/connection_test.go
+++ b/connection/connection_test.go
@ -7,10 +7,12 @@ import (
 	"io"
 	"math/big"
 	"net/http"
 	"testing"
 	"time"
 	pkgerrors "github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/require"
 	cfdflow "github.com/cloudflare/cloudflared/flow"
@ -209,3 +211,48 @@ func (mcf mockConnectedFuse) Connected() {}
 func (mcf mockConnectedFuse) IsConnected() bool {
 	return true
 }
 func TestShouldFlushHeaders(t *testing.T) {
 	tests := []struct {
 		headers     map[string]string
 		shouldFlush bool
 	}{
 		{
 			headers:     map[string]string{contentTypeHeader: "application/json", contentLengthHeader: "1"},
 			shouldFlush: false,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "text/html", contentLengthHeader: "1"},
 			shouldFlush: false,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "text/event-stream", contentLengthHeader: "1"},
 			shouldFlush: true,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "application/grpc", contentLengthHeader: "1"},
 			shouldFlush: true,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "application/x-ndjson", contentLengthHeader: "1"},
 			shouldFlush: true,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "application/json"},
 			shouldFlush: true,
 		},
 		{
 			headers:     map[string]string{contentTypeHeader: "application/json", contentLengthHeader: "-1", transferEncodingHeader: "chunked"},
 			shouldFlush: true,
 		},
 	}
 	for _, test := range tests {
 		headers := http.Header{}
 		for k, v := range test.headers {
 			headers.Add(k, v)
 		}
 		require.Equal(t, test.shouldFlush, shouldFlush(headers))
 	}
 }
--- a/connection/control.go
+++ b/connection/control.go
@ -10,7 +10,7 @@ import (
 	"github.com/cloudflare/cloudflared/management"
 	"github.com/cloudflare/cloudflared/tunnelrpc"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // registerClient derives a named tunnel rpc client that can then be used to register and unregister connections.
@ -36,7 +36,7 @@ type controlStream struct {
 // ControlStreamHandler registers connections with origintunneld and initiates graceful shutdown.
 type ControlStreamHandler interface {
 	// ServeControlStream handles the control plane of the transport in the current goroutine calling this
-	ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *tunnelpogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error
+	ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *pogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error
 	// IsStopped tells whether the method above has finished
 	IsStopped() bool
 }
@ -78,11 +78,11 @@ func NewControlStream(
 func (c *controlStream) ServeControlStream(
 	ctx context.Context,
 	rw io.ReadWriteCloser,
-	connOptions *tunnelpogs.ConnectionOptions,
+	connOptions *pogs.ConnectionOptions,
 	tunnelConfigGetter TunnelConfigJSONGetter,
 ) error {
 	registrationClient := c.registerClientFunc(ctx, rw, c.registerTimeout)
-
+	c.observer.logConnecting(c.connIndex, c.edgeAddress, c.protocol)
 	registrationDetails, err := registrationClient.RegisterConnection(
 		ctx,
 		c.tunnelProperties.Credentials.Auth(),
--- a/connection/errors.go
+++ b/connection/errors.go
@ -1,7 +1,6 @@
 package connection
 import (
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
@ -53,26 +52,26 @@ func serverRegistrationErrorFromRPC(err error) ServerRegisterTunnelError {
 	}
 }
-type muxerShutdownError struct{}
+type ControlStreamError struct{}
-func (e muxerShutdownError) Error() string {
+var _ error = &ControlStreamError{}
-	return "muxer shutdown"
+
 func (e *ControlStreamError) Error() string {
 	return "control stream encountered a failure while serving"
 }
-var errMuxerStopped = muxerShutdownError{}
+type StreamListenerError struct{}
-func isHandshakeErrRecoverable(err error, connIndex uint8, observer *Observer) bool {
+var _ error = &StreamListenerError{}
 	log := observer.log.With().
 		Uint8(LogFieldConnIndex, connIndex).
 		Err(err).
 		Logger()
-	switch err.(type) {
+func (e *StreamListenerError) Error() string {
-	case edgediscovery.DialError:
+	return "accept stream listener encountered a failure while serving"
-		log.Error().Msg("Connection unable to dial edge")
+}
-	default:
+
-		log.Error().Msg("Connection failed")
+type DatagramManagerError struct{}
-		return false
+
-	}
+var _ error = &DatagramManagerError{}
-	return true
+
 func (e *DatagramManagerError) Error() string {
 	return "datagram manager encountered a failure while serving"
 }
--- a/connection/header.go
+++ b/connection/header.go
@ -53,7 +53,8 @@ var headerEncoding = base64.RawStdEncoding
 func IsControlResponseHeader(headerName string) bool {
 	return strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-int-") ||
-		strings.HasPrefix(headerName, "cf-cloudflared-")
+		strings.HasPrefix(headerName, "cf-cloudflared-") ||
 		strings.HasPrefix(headerName, "cf-proxy-")
 }
 // isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,2 @@`
							`# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.`
							`# You can also add comments on the same line after the ID.`