TUN-9800: Migrate apt internal builds to Gitlab

Release 2025.11.1
TUN-9800: Fix docker hub push step
2025-11-10 14:43:10 +00:00 · 2025-11-07 16:30:58 +00:00 · 2025-11-07 15:26:22 +00:00 · 2025-11-07 08:15:20 +00:00 · 2025-11-06 16:00:05 +00:00 · 2025-11-06 11:41:21 +00:00
83 changed files with 2351 additions and 1054 deletions
--- a/.ci/apt-internal.gitlab-ci.yml
+++ b/.ci/apt-internal.gitlab-ci.yml
@ -0,0 +1,151 @@
 .register_inputs: &register_inputs
  stage: release-internal
  runOnBranches: "^master$"
  COMPONENT: "common"
 .register_inputs_stable_bookworm: &register_inputs_stable_bookworm
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "bookworm"
  SERIES: "stable"
 .register_inputs_stable_trixie: &register_inputs_stable_trixie
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "trixie"
  SERIES: "stable"
 .register_inputs_next_bookworm: &register_inputs_next_bookworm
  <<: *register_inputs
  FLAVOR: "bookworm"
  SERIES: next
 .register_inputs_next_trixie: &register_inputs_next_trixie
  <<: *register_inputs
  FLAVOR: "trixie"
  SERIES: next
 ################################################
 ### Generate Debian Package for Internal APT ###
 ################################################
 .cloudflared-apt-build: &cloudflared_apt_build
  stage: package
  needs:
    - ci-image-get-image-ref
    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
  image: $BUILD_IMAGE
  cache: {}
  script:
    - make cloudflared-deb
  artifacts:
    paths:
      - cloudflared*.deb
 ##############
 ### Stable ###
 ##############
 cloudflared-amd64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &amd64-stable-vars
    GOOS: linux
    GOARCH: amd64
    FIPS: true
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 cloudflared-arm64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &arm64-stable-vars
    GOOS: linux
    GOARCH: arm64
    FIPS: false # TUN-7595
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 ############
 ### Next ###
 ############
 cloudflared-amd64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *amd64-stable-vars
    NIGHTLY: true
 cloudflared-arm64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *arm64-stable-vars
    NIGHTLY: true
 include:
  - local: .ci/commons.gitlab-ci.yml
  ##########################################
  ### Publish Packages to Internal Repos ###
  ##########################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-amd64
      needs: &amd64-stable ["cloudflared-amd64-stable"]
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-arm64
      needs: &arm64-stable ["cloudflared-arm64-stable"]
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-amd64
      needs: *amd64-stable
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-arm64
      needs: *arm64-stable
  ##################################################
  ### Publish Nightly Packages to Internal Repos ###
  ##################################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-amd64
      needs: &amd64-next ['cloudflared-amd64-next']
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-arm64
      needs: &arm64-next ['cloudflared-arm64-next']
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-amd64
      needs: *amd64-next
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-arm64
      needs: *arm64-next
--- a/.ci/ci-image.gitlab-ci.yml
+++ b/.ci/ci-image.gitlab-ci.yml
@ -0,0 +1,31 @@
 # Builds a custom CI Image when necessary
 include:
  #####################################################
  ############## Build and Push CI Image ##############
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnChangesTo: [".ci/image/**"]
      runOnMR: true
      runOnBranches: '^master$'
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
  #####################################################
  ## Resolve the image reference for downstream jobs ##
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnMR: true
      runOnBranches: '^master$'
      IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
      VARIABLE_NAME: BUILD_IMAGE
      needs:
        - job: ci-image-build-push-image
          optional: true
--- a/.ci/commons.gitlab-ci.yml
+++ b/.ci/commons.gitlab-ci.yml
@ -0,0 +1,45 @@
 ## A set of predefined rules to use on the different jobs
 .default-rules:
  # Rules to run the job only on the master branch
  run-on-master:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only on merge requests
  run-on-mr:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: on_success
    - when: never
  # Rules to run the job on merge_requests and master branch
  run-always:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only when a release happens
  run-on-release:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
          - 'RELEASE_NOTES'
      when: on_success
    - when: never
 .component-tests:
  image: $BUILD_IMAGE
  rules:
    - !reference [.default-rules, run-always]
  variables:
    COMPONENT_TESTS_CONFIG: component-test-config.yaml
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
  secrets:
    DNS_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
      file: false
    COMPONENT_TESTS_ORIGINCERT:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
      file: false
  cache: {}
--- a/.ci/github.gitlab-ci.yml
+++ b/.ci/github.gitlab-ci.yml
@ -0,0 +1,17 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ######################################
 ### Sync master branch with Github ###
 ######################################
 push-github:
  stage: sync
  rules:
    - !reference [.default-rules, run-on-master]
  script:
    - ./.ci/scripts/github-push.sh
  secrets:
    CLOUDFLARED_DEPLOY_SSH_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
      file: false
  cache: {}
--- a/.ci/image/.docker-images
+++ b/.ci/image/.docker-images
@ -0,0 +1,2 @@
 images:
  - name: ci-image
--- a/.ci/image/Dockerfile
+++ b/.ci/image/Dockerfile
@ -0,0 +1,35 @@
 ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
 FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/bookworm/main:2025.7.0@sha256:6350da2f7e728dae2c1420f6dafc38e23cacc0b399d3d5b2f40fe48d9c8ff1ca
 RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install --no-install-recommends --allow-downgrades -y \
        build-essential \
        git \
        go-boring=1.24.9-1 \
        libffi-dev \
        procps \
        python3-dev \
        python3-pip \
        python3-setuptools \
        python3-venv \
        # libmsi and libgcab are libraries the wixl binary depends on.
        libmsi-dev \
        libgcab-dev \
        # deb and rpm build tools
        rubygem-fpm \
        rpm \
        # create deb and rpm repository files
        reprepro \
        createrepo-c \
        # gcc for cross architecture compilation in arm
        gcc-aarch64-linux-gnu \
        libc6-dev-arm64-cross && \
    rm -rf /var/lib/apt/lists/* && \
    # Install wixl
    curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \
    chmod a+x /usr/local/bin/wixl && \
    mkdir -p opt
 WORKDIR /opt
--- a/.ci/linux.gitlab-ci.yml
+++ b/.ci/linux.gitlab-ci.yml
@ -0,0 +1,122 @@
 .golang-inputs: &golang_inputs
  runOnMR: true
  runOnBranches: '^master$'
  outputDir: artifacts
  runner: linux-x86-8cpu-16gb
  stage: build
  golangVersion: "boring-1.24"
  imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
  CGO_ENABLED: 1
 .default-packaging-job: &packaging-job-defaults
  stage: package
  needs:
    - ci-image-get-image-ref
  rules:
    - !reference [.default-rules, run-on-master]
  image: $BUILD_IMAGE
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 include:
  ###################
  ### Linux Build ###
  ###################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-build
      GOLANG_MAKE_TARGET: ci-build
  ########################
  ### Linux FIPS Build ###
  ########################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-fips-build
      GOLANG_MAKE_TARGET: ci-fips-build
  #################
  ### Unit Tests ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test
      GOLANG_MAKE_TARGET: ci-test
  ######################
  ### Unit Tests FIPS ##
  ######################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test-fips
      GOLANG_MAKE_TARGET: ci-fips-test
  #################
  ### Vuln Check ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      runOnBranches: '^$'
      stage: validate
      jobPrefix: vulncheck
      GOLANG_MAKE_TARGET: vulncheck
 #################################
 ### Run Linux Component Tests ###
 #################################
 linux-component-tests: &linux-component-tests
  stage: test
  extends: .component-tests
  needs:
    - ci-image-get-image-ref
    - linux-build-boring-make
  script:
    - ./.ci/scripts/component-tests.sh
  variables: &component-tests-variables
    CI: 1
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
  tags:
    - linux-x86-8cpu-16gb
  artifacts:
    reports:
      junit: report.xml
 ######################################
 ### Run Linux FIPS Component Tests ###
 ######################################
 linux-component-tests-fips:
  <<: *linux-component-tests
  needs:
    - ci-image-get-image-ref
    - linux-fips-build-boring-make
  variables:
    <<: *component-tests-variables
    COMPONENT_TESTS_FIPS: 1
 ################################
 ####### Linux Packaging ########
 ################################
 linux-packaging:
  <<: *packaging-job-defaults
  parallel:
    matrix:
      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
  script:
    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
 ################################
 ##### Linux FIPS Packaging #####
 ################################
 linux-packaging-fips:
  <<: *packaging-job-defaults
  script:
    - ./.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/mac.gitlab-ci.yml
+++ b/.ci/mac.gitlab-ci.yml
@ -0,0 +1,66 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###############################
 ### Defaults for Mac Builds ###
 ###############################
 .mac-build-defaults: &mac-build-defaults
  rules:
    - !reference [.default-rules, run-on-mr]
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  cache: {}
 ######################################
 ### Build Cloudflared Mac Binaries ###
 ######################################
 macos-build-cloudflared: &mac-build
  <<: *mac-build-defaults
  stage: build
  artifacts:
    paths:
      - artifacts/*
  script:
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    - ./.ci/scripts/mac/install-go.sh
    - BUILD_SCRIPT=.ci/scripts/mac/build.sh
    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    - exec ${BUILD_SCRIPT}
 ###############################################
 ### Build and Sign Cloudflared Mac Binaries ###
 ###############################################
 macos-build-and-sign-cloudflared:
  <<: *mac-build
  rules:
    - !reference [.default-rules, run-on-master]
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
      file: false
--- a/.ci/release.gitlab-ci.yml
+++ b/.ci/release.gitlab-ci.yml
@ -0,0 +1,133 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
  ######################################
  ### Build and Push DockerHub Image ###
  ######################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: release
      jobPrefix: docker-hub
      runOnMR: false
      runOnBranches: '^master$'
      runOnChangesTo: ['RELEASE_NOTES']
      needs:
        - generate-version-file
        - release-cloudflared-to-r2
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      # Based on if the CI reference is protected or not the CI component will
      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
      # we simply set both to the same value.
      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
      DOCKER_USER_PROD: *docker-hub-user
      DOCKER_PASSWORD_PROD: *docker-hub-password
      EXTRA_DIB_ARGS: --overwrite
 .default-release-job: &release-job-defaults
  stage: release
  image: $BUILD_IMAGE
  cache:
    paths:
      - .cache/pip
  variables: &release-job-variables
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # KV Vars
    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
    # R2 Vars
    R2_BUCKET: cloudflared-pkgs
    R2_ACCOUNT_ID: *cf-account
    # APT and RPM Repository Vars
    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
    BINARY_NAME: cloudflared
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
    R2_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
      file: false
    R2_CLIENT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
      file: false
 ###########################################
 ### Push Cloudflared Binaries to Github ###
 ###########################################
 release-cloudflared-to-github:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging
    - linux-packaging-fips
    - macos-build-and-sign-cloudflared
    - windows-package-sign
  script:
    - ./.ci/scripts/release-target.sh github-release
 #########################################
 ### Upload Cloudflared Binaries to R2 ###
 #########################################
 release-cloudflared-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
    - release-cloudflared-to-github
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #################################################
 ### Upload Cloudflared Nightly Binaries to R2 ###
 #################################################
 release-cloudflared-nightly-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *release-job-variables
    R2_BUCKET: cloudflared-pkgs-next
    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #############################
 ### Generate Version File ###
 #############################
 generate-version-file:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
  script:
    - make generate-docker-version
  artifacts:
    paths:
      - versions
--- a/.ci/scripts/component-tests.sh
+++ b/.ci/scripts/component-tests.sh
@ -0,0 +1,25 @@
 #!/bin/bash
 set -e -o pipefail
 # Fetch cloudflared from the artifacts folder
 mv ./artifacts/cloudflared ./cloudflared
 python3 -m venv env
 . env/bin/activate
 pip install --upgrade -r component-tests/requirements.txt
 # Creates and routes a Named Tunnel for this build. Also constructs
 # config file from env vars.
 python3 component-tests/setup.py --type create
 # Define the cleanup function
 cleanup() {
    # The Named Tunnel is deleted and its route unprovisioned here.
    python3 component-tests/setup.py --type cleanup
 }
 # The trap will call the cleanup function on script exit
 trap cleanup EXIT
 pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
--- a/.ci/scripts/fmt-check.sh
+++ b/.ci/scripts/fmt-check.sh
@ -1,8 +1,7 @@
 #!/bin/bash
 set -e -o pipefail
-OUTPUT=$(goimports -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
+OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
 if [ -n "$OUTPUT" ] ; then
  PAGER=$(which colordiff || echo cat)
--- a/.ci/scripts/github-push.sh
+++ b/.ci/scripts/github-push.sh
@ -0,0 +1,31 @@
 #!/bin/bash
 set -e -o pipefail
 BRANCH="master"
 TMP_PATH="$PWD/tmp"
 PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
 PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
 mkdir -p $TMP_PATH
 # Setup Private Key
 echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
 chmod 400 $PRIVATE_KEY_PATH
 # Download GitHub Public Key for KnownHostsFile
 ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
 # Setup git ssh command with the right configurations
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
 # Add GitHub as a new remote
 git remote add github git@github.com:cloudflare/cloudflared.git || true
 # GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
 # Therefore, we need to manually fetch the reference to then push it to GitHub.
 git fetch origin $BRANCH:$BRANCH
 git push -u github $BRANCH
 if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
  git push -u github "$TAG"
 fi
--- a/.ci/scripts/linux/build-packages-fips.sh
+++ b/.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/scripts/linux/build-packages.sh
+++ b/.ci/scripts/linux/build-packages.sh
@ -0,0 +1,59 @@
 #!/bin/bash
 # Check if architecture argument is provided
 if [ $# -eq 0 ]; then
    echo "Error: Architecture argument is required"
    echo "Usage: $0 <architecture>"
    exit 1
 fi
 # Parameters
 arch=$1
 # Get Version
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 export TARGET_OS=linux
 unset TARGET_ARM
 export TARGET_ARCH=$arch
 ## Support for arm platforms without hardware FPU enabled
 if [[ $arch == arm ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=5
 fi
 ## Support for armhf builds
 if [[ $arch == armhf ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=7
 fi
 make cloudflared-deb
 mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH=$arch
 if [ $arch == "amd64" ];then
    RPMARCH="x86_64"
 fi
 if [ $arch == "arm64" ]; then
    RPMARCH="aarch64"
 fi
 make cloudflared-rpm
 mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
--- a/.ci/scripts/mac/build.sh
+++ b/.ci/scripts/mac/build.sh
--- a/.ci/scripts/mac/install-go.sh
+++ b/.ci/scripts/mac/install-go.sh
--- a/.ci/scripts/package-windows.sh
+++ b/.ci/scripts/package-windows.sh
@ -1,19 +1,23 @@
 #!/bin/bash
 python3 -m venv env
 . env/bin/activate
 pip install pynacl==1.4.0 pygithub==1.55
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
-export BUILT_ARTIFACT_DIR=built_artifacts/
+export BUILT_ARTIFACT_DIR=artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
-    # Copy exe into final directory
+    # Copy .exe from artifacts directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe 
 done
--- a/.ci/scripts/release-target.sh
+++ b/.ci/scripts/release-target.sh
@ -0,0 +1,18 @@
 #!/bin/bash
 set -e -o pipefail
 # Check if a make target is provided as an argument
 if [ $# -eq 0 ]; then
    echo "Error: Make target argument is required"
    echo "Usage: $0 <make-target>"
    exit 1
 fi
 MAKE_TARGET=$1
 python3 -m venv venv
 source venv/bin/activate
 # Our release scripts are written in python, so we should install their dependecies here.
 pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
 make $MAKE_TARGET
--- a/.ci/scripts/vuln-check.sh
+++ b/.ci/scripts/vuln-check.sh
@ -0,0 +1,52 @@
 #!/bin/bash
 set -e
 # Define the file to store the list of vulnerabilities to ignore.
 IGNORE_FILE=".vulnignore"
 # Check if the ignored vulnerabilities file exists. If not, create an empty one.
 if [ ! -f "$IGNORE_FILE" ]; then
    touch "$IGNORE_FILE"
    echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
    echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
    echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
    echo "" >> "$IGNORE_FILE"
 fi
 # Run govulncheck and capture its output.
 VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
 # Print the govuln output
 echo "====================================="
 echo "Full Output of govulncheck:"
 echo "====================================="
 echo "$VULN_OUTPUT"
 echo "====================================="
 echo "End of govulncheck Output"
 echo "====================================="
 # Process the ignore file to remove comments and empty lines.
 # The 'cut' command gets the vulnerability ID and removes anything after the '#'.
 # The 'grep' command filters out empty lines and lines starting with '#'.
 CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
 # Filter out the ignored vulnerabilities.
 UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
 # If the list of ignored vulnerabilities is not empty, filter them out.
 if [ -n "$CLEAN_IGNORES" ]; then
    UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
 fi
 # If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
 if [ -n "$UNIGNORED_VULNS" ]; then
    echo "🚨 Found new, unignored vulnerabilities:"
    echo "-------------------------------------"
    echo "$UNIGNORED_VULNS"
    echo "-------------------------------------"
    echo "Exiting with an error. ❌"
    exit 1
 else
    echo "🎉 No new vulnerabilities found. All clear! ✨"
    exit 0
 fi
--- a/.ci/scripts/windows/builds.ps1
+++ b/.ci/scripts/windows/builds.ps1
@ -0,0 +1,29 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 New-Item -Path ".\artifacts" -ItemType Directory
 Write-Output "Building for amd64"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 # Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:TARGET_ARCH = "386"
 $env:LOCAL_ARCH = "386"
 $env:CGO_ENABLED = 0
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 ## Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe
--- a/.ci/scripts/windows/component-test.ps1
+++ b/.ci/scripts/windows/component-test.ps1
@ -0,0 +1,40 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 python --version
 python -m pip --version
 Write-Host "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 Write-Host "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 go test -failfast -v -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 # On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
 $env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
 Write-Host "No Proxy: ${env:NO_PROXY}"
 Write-Host "Running component tests"
 try {
    python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
    python component-tests/setup.py --type create
    python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
    if ($LASTEXITCODE -ne 0) {
        throw "Failed component tests"
    }
 } finally {
    python component-tests/setup.py --type cleanup
 }
--- a/.ci/scripts/windows/go-wrapper.ps1
+++ b/.ci/scripts/windows/go-wrapper.ps1
@ -0,0 +1,69 @@
 Param(
    [string]$GoVersion,
    [string]$ScriptToExecute
 )
 # The script is a wrapper that downloads a specific version
 # of go, adds it to the PATH and executes a script with that go
 # version in the path.
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Get the path to the system's temporary directory.
 $tempPath = [System.IO.Path]::GetTempPath()
 # Create a unique name for the new temporary folder.
 $folderName = "go_" + (Get-Random)
 # Join the temp path and the new folder name to create the full path.
 $fullPath = Join-Path -Path $tempPath -ChildPath $folderName
 # Store the current value of PATH environment variable.
 $oldPath = $env:Path
 # Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
 try {
    # Create the temporary folder.
    Write-Host "Creating temporary folder at: $fullPath"
    $newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
    # Download go
    $url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
    $destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
    Write-Host "Downloading go from: $url"
    Invoke-WebRequest -Uri $url -OutFile $destinationFile
    Write-Host "File downloaded to: $destinationFile"
    # Unzip the downloaded file.
    Write-Host "Unzipping the file..."
    Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
    Write-Host "File unzipped successfully."
    # Define the go/bin path wich is inside the temporary folder
    $goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
    # Add the go/bin path to the PATH environment variable.
    $env:Path = "$goBinPath;$($env:Path)"
    Write-Host "Added $goBinPath to the environment PATH."
    go env
    go version
    & $ScriptToExecute
 } finally {
    # Cleanup: Remove the path from the environment variable and then the temporary folder.
    Write-Host "Starting cleanup..."
    $env:Path = $oldPath
    Write-Host "Reverted changes in the environment PATH."
    # Remove the temporary folder and its contents.
    if (Test-Path -Path $fullPath) {
        Remove-Item -Path $fullPath -Recurse -Force
        Write-Host "Temporary folder and its contents have been removed."
    } else {
        Write-Host "Temporary folder does not exist, no cleanup needed."
    }
 }
--- a/.ci/scripts/windows/sign-msi.ps1
+++ b/.ci/scripts/windows/sign-msi.ps1
@ -0,0 +1,26 @@
 # Sign Windows artifacts using azuretool
 # This script processes MSI files from the artifacts directory
 $ErrorActionPreference = "Stop"
 # Define paths
 $ARTIFACT_DIR = "artifacts"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
 # Find all Windows MSI files
 $msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
 if ($msiFiles.Count -eq 0) {
    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
    exit 1
 }
 Write-Host "Found $($msiFiles.Count) file(s) to sign:"
 foreach ($file in $msiFiles) {
    Write-Host "Running azuretool sign for $($file.Name)"
    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
 }
 Write-Host "Signing process completed"
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@ -0,0 +1,114 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###################################
 ### Defaults for Windows Builds ###
 ###################################
 .windows-build-defaults: &windows-build-defaults
  rules:
    - !reference [.default-rules, run-always]
  tags:
    - windows-x86
  cache: {}
 ##########################################
 ### Build Cloudflared Windows Binaries ###
 ##########################################
 windows-build-cloudflared:
  <<: *windows-build-defaults
  stage: build
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
  artifacts:
    paths:
      - artifacts/*
 ######################################################
 ### Load Environment Variables for Component Tests ###
 ######################################################
 windows-load-env-variables:
  stage: pre-build
  extends: .component-tests
  script:
    - echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
    - echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
    - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
    # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
    - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
  variables:
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
  secrets:
    KEY_VAULT_URL:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
      file: false
    KEY_VAULT_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
      file: false
    KEY_VAULT_TENANT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
      file: false
    KEY_VAULT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
      file: false
    KEY_VAULT_CERTIFICATE:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv
      file: false
  artifacts:
    access: 'none'
    reports:
      dotenv: windows.env
 ###################################
 ### Run Windows Component Tests ###
 ###################################
 windows-component-tests-cloudflared:
  <<: *windows-build-defaults
  stage: test
  needs: ["windows-load-env-variables"]
  script:
    # We have to decode the secret we encoded on the `windows-load-env-variables` job
    - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
  artifacts:
    reports:
      junit: report.xml
 ################################
 ### Package Windows Binaries ###
 ################################
 windows-package:
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - ci-image-get-image-ref
    - windows-build-cloudflared
  image: $BUILD_IMAGE
  script:
    - .ci/scripts/package-windows.sh
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 #############################
 ### Sign Windows Binaries ###
 #############################
 windows-package-sign:
  <<: *windows-build-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - windows-package
    - windows-load-env-variables
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
  artifacts:
    paths:
      - artifacts/*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,172 +1,58 @@
 variables:
-  # Define GOPATH within the project directory to allow GitLab CI to cache it.
+  GO_VERSION: "go1.24.9"
-  # By default, Go places modules in GOMODCACHE, often outside the project.
+  GIT_DEPTH: "0"
  # Explicitly setting GOMODCACHE ensures it's within the cached path.
  GOPATH: "$CI_PROJECT_DIR/.go"
  GOMODCACHE: "$GOPATH/pkg/mod"
  GO_BIN_DIR: "$GOPATH/bin"
 cache:
  # Cache Go modules and the binaries.
  # The 'key' ensures a unique cache per branch, or you can use a fixed key
  # for a shared cache across all branches if that fits your workflow.
  key: "$CI_COMMIT_REF_SLUG"
  paths:
    - ${GOPATH}/pkg/mod/ # For Go modules
    - ${GO_BIN_DIR}/
 stages: [build, release]
 default:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org
-# This before_script is injected into every job that runs on master meaning that if there is no tag the step
+stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]
 # will succeed but only write "No tag present - Skipping" to the console.
 .check_tag:
  before_script:
    - |
      # Check if there is a Git tag pointing to HEAD
      echo "Tag found: $(git tag --points-at HEAD | grep .)"
      if git tag --points-at HEAD | grep .; then
        echo "Tag found: $(git tag --points-at HEAD | grep .)"
        export "VERSION=$(git tag --points-at HEAD | grep .)"
      else
        echo "No tag present — skipping."
        exit 0
      fi
-## A set of predefined rules to use on the different jobs
+include:
-.default_rules:
+  #####################################################
-  # Rules to run the job only on the master branch
+  ########## Import Commons Configurations ############
-  run_on_master:
+  #####################################################
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  - local: .ci/commons.gitlab-ci.yml
      when: always
    - when: never
  # Rules to run the job only on branches that are not master. This is needed because for now
  # we need to keep a similar behavior due to the integration with teamcity, which requires us
  # to not trigger pipelines on tags and/or merge requests.
  run_on_branch:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      when: always
    - when: never
  #####################################################
  ########### Sync Repository with Github #############
  #####################################################
  - local: .ci/github.gitlab-ci.yml
-# Template for Go setup, including caching and installation
+  #####################################################
-.go_setup:
+  ############# Build or Fetch CI Image ###############
-  image: docker-registry.cfdata.org/stash/devtools/ci-builders/golang-1.24/master:3090-3e32590@sha256:fc81df4f8322f022d93712ee40bb1e5752fdbe9868d1e5a23fd851ad6fbecb91
+  #####################################################
-  before_script:
+  - local: .ci/ci-image.gitlab-ci.yml
    - mkdir -p ${GOPATH} ${GOMODCACHE} ${GO_BIN_DIR}
    - export PATH=$PATH:${GO_BIN_DIR}
    - go env -w GOMODCACHE=${GOMODCACHE} # Ensure go uses the cached module path
-    # Check if govulncheck is already installed and install it if not
+  #####################################################
-    - if [ ! -f ${GO_BIN_DIR}/govulncheck ]; then
+  ################## Linux Builds ###################
-      echo "govulncheck not found in cache, installing...";
+  #####################################################
-      go install golang.org/x/vuln/cmd/govulncheck@latest;
+  - local: .ci/linux.gitlab-ci.yml
      else
      echo "govulncheck found in cache, skipping installation.";
      fi
-# -----------------------------------------------
+  #####################################################
-# Stage 1: Build on every PR
+  ################## Windows Builds ###################
-# -----------------------------------------------
+  #####################################################
-build_cloudflared_macos: &build
+  - local: .ci/windows.gitlab-ci.yml
  stage: build
  rules:
    - !reference [.default_rules, run_on_branch]
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  artifacts:
    paths:
      - artifacts/*
  script:
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    - ./.teamcity/mac/install-go.sh
    - BUILD_SCRIPT=.teamcity/mac/build.sh
    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    - exec ${BUILD_SCRIPT}
-vulncheck:
+  #####################################################
-  stage: build
+  ################### macOS Builds ####################
-  extends: .go_setup
+  #####################################################
-  rules:
+  - local: .ci/mac.gitlab-ci.yml
    - !reference [.default_rules, run_on_branch]
  script:
    - make vulncheck
-# -----------------------------------------------
+  #####################################################
-# Stage 1: Build and sign only on releases
+  ################# Release Packages ##################
-# -----------------------------------------------
+  #####################################################
-build_and_sign_cloudflared_macos:
+  - local: .ci/release.gitlab-ci.yml
  <<: *build
  rules:
    - !reference [.default_rules, run_on_master]
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
      file: false
-# -----------------------------------------------
+  #####################################################
-# Stage 2: Release to Github after building and signing
+  ########## Release Packages Internally ##############
-# -----------------------------------------------
+  #####################################################
-release_cloudflared_macos_to_github:
+  - local: .ci/apt-internal.gitlab-ci.yml
-  stage: release
+
-  image: docker-registry.cfdata.org/stash/tun/docker-images/cloudflared-ci/main:6-8616fe631b76-amd64@sha256:96f4fd05e66cec03e0864c1bcf09324c130d4728eef45ee994716da499183614
+  #####################################################
-  extends: .check_tag
+  ############## Manual Claude Review #################
-  dependencies:
+  #####################################################
-    - build_and_sign_cloudflared_macos
+  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
-  rules:
+    inputs:
-    - !reference [.default_rules, run_on_master]
+      whenToRun: "manual"
  cache:
    paths:
      - .cache/pip
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
    KV_ACCOUNT: 5ab4e9dfbd435d24068829fda0077963
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
  script:
    - python3 --version ; pip --version  # For debugging
    - python3 -m venv venv
    - source venv/bin/activate
    - pip install pynacl==1.4.0 pygithub==1.55
    - echo $VERSION
    - echo $TAG_EXISTS
    - echo "Running release because tag exists."
    - make macos-release
--- a/.teamcity/windows/builds.ps1
+++ b/.teamcity/windows/builds.ps1
@ -1,28 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Relative path to working directory
 $CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
 cd $CloudflaredDirectory
 Write-Output "Building for amd64"
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 go env
 go version
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:CGO_ENABLED = 0
 $env:TARGET_ARCH = "386"
 make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 copy .\cloudflared.exe .\cloudflared-windows-386.exe
--- a/.teamcity/windows/component-test.ps1
+++ b/.teamcity/windows/component-test.ps1
@ -1,47 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $WorkingDirectory = Get-Location
 $CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
 go env
 go version
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 python --version
 python -m pip --version
 cd $CloudflaredDirectory
 go env
 go version
 Write-Output "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 echo $LASTEXITCODE
 Write-Output "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 go test -failfast -v -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 Write-Output "Running component tests"
 python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
 python component-tests/setup.py --type create
 python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
 if ($LASTEXITCODE -ne 0) {
    python component-tests/setup.py --type cleanup
    throw "Failed component tests"
 }
 python component-tests/setup.py --type cleanup
--- a/.vulnignore
+++ b/.vulnignore
@ -0,0 +1,3 @@
 # Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
 # You can also add comments on the same line after the ID.
 GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.4 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  TARGET_GOOS=${TARGET_GOOS} \
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.4 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.4 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
--- a/63
+++ b/63
@ -24,7 +24,13 @@ else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
-DATE          := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H%M UTC')
+# Use git in windows since we don't have access to the `date` tool
 ifeq ($(TARGET_OS), windows)
 	DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
 else
 	DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
 endif
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
@ -64,6 +70,8 @@ else ifeq ($(LOCAL_ARCH),x86_64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),amd64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),386)
    TARGET_ARCH ?= 386
 else ifeq ($(LOCAL_ARCH),i686)
    TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
@ -120,6 +128,8 @@ endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 GO_TEST_LOG_OUTPUT = /tmp/gotest.log
 .PHONY: all
 all: cloudflared test
@ -129,7 +139,7 @@ clean:
 .PHONY: vulncheck
 vulncheck:
-	@govulncheck ./...
+	@./.ci/scripts/vuln-check.sh
 .PHONY: cloudflared
 cloudflared:
@ -152,11 +162,9 @@ generate-docker-version:
 .PHONY: test
 test: vet
-ifndef CI
+	$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
-	go test -v -mod=vendor -race $(LDFLAGS) ./...
+ifneq ($(FIPS), true)
-else
+	@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
 	@mkdir -p .cover
 	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
 endif
 .PHONY: cover
@ -174,7 +182,7 @@ fuzz:
 	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
-	@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
@ -213,10 +221,6 @@ cloudflared-deb: cloudflared cloudflared.1
 cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)
 .PHONY: cloudflared-pkg
 cloudflared-pkg: cloudflared cloudflared.1
 	$(call build_package,osxpkg)
 .PHONY: cloudflared-msi
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
@ -227,17 +231,18 @@ github-release-dryrun:
 .PHONY: github-release
 github-release:
 	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
 	python3 github_message.py --release-version $(VERSION)
 .PHONY: macos-release
 macos-release:
 	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
 	python3 github_message.py --release-version $(VERSION)
 .PHONY: r2-linux-release
 r2-linux-release:
 	python3 ./release_pkgs.py
 .PHONY: r2-next-linux-release
 # Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
 r2-next-linux-release:
 	python3 ./release_pkgs.py --upload-repo-file
 .PHONY: capnp
 capnp:
 	which capnp  # https://capnproto.org/install.html
@ -246,7 +251,7 @@ capnp:
 .PHONY: vet
 vet:
-	go vet -mod=vendor github.com/cloudflare/cloudflared/...
+	$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...
 .PHONY: fmt
 fmt:
@ -255,7 +260,7 @@ fmt:
 .PHONY: fmt-check
 fmt-check:
-	@./fmt-check.sh
+	@./.ci/scripts/fmt-check.sh
 .PHONY: lint
 lint:
@ -264,3 +269,23 @@ lint:
 .PHONY: mocks
 mocks:
 	go generate mocks/mockgen.go
 .PHONY: ci-build
 ci-build:
 	@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-fips-build
 ci-fips-build:
 	@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-test
 ci-test: fmt-check lint test
 	@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
 .PHONY: ci-fips-test
 ci-fips-test:
 	@FIPS=true $(MAKE) ci-test
--- a/README.md
+++ b/README.md
@ -3,14 +3,14 @@
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
-Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
-You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
@ -19,41 +19,41 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
-1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
+1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
-2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
+2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
 ## Installing `cloudflared`
 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
 * To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
-User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
 ## Creating Tunnels and routing traffic
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
 * Route traffic to that Tunnel:
-  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
-  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
-  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
 ## TryCloudflare
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
 ## Deprecated versions
-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
--- a/52
+++ b/52
@ -1,3 +1,55 @@
 2025.11.1
 - 2025-11-07 TUN-9800: Fix docker hub push step
 2025.11.0
 - 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
 - 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
 - 2025-11-04 chore: Update cloudflared signing key name in index.html
 - 2025-10-31 chore: add claude review
 - 2025-10-31 Chore: Update documentation links in README
 - 2025-10-31 TUN-9800: Add pipelines for linux packaging
 2025.10.1
 - 2025-10-30 chore: Update ci image to use goboring 1.24.9
 - 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
 - 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
 - 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
 - 2025-10-23 Fix systemd service installation hanging
 - 2025-10-21 TUN-9941: Use new GPG key for RPM builds
 - 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
 - 2025-10-21 TUN-9941: Lookup correct key for RPM signature
 - 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
 - 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
 2025.10.0
 - 2025-10-14 chore: Fix upload of RPM repo file during double signing
 - 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
 - 2025-10-10 chore: Fix import of GPG keys when two keys are provided
 - 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
 - 2025-10-10 TUN-9883: Add new datagram v3 feature flag
 - 2025-10-09 chore: Force usage of go-boring 1.24
 - 2025-10-08 TUN-9882: Improve metrics for datagram v3
 - 2025-10-07 GRC-16749: Add fedramp tags to catalog
 - 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
 - 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
 - 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
 - 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
 2025.9.1
 - 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
 - 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
 2025.9.0
 - 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
 - 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
 - 2025-09-04 TUN-9803: Add windows builds to gitlab-ci
 - 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
 2025.8.1
 - 2025-08-19 AUTH-7480 update fed callback url for login helper
 - 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers
 - 2025-08-12 AUTH-7260: Add support for login interstitial auto closure
 2025.8.0
 - 2025-08-07 vuln: Fix GO-2025-3770 vulnerability
 - 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command
--- a/build-packages.sh
+++ b/build-packages.sh
@ -1,48 +0,0 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
 export TARGET_OS=linux
 for arch in ${linuxArchs[@]}; do
    unset TARGET_ARM
    export TARGET_ARCH=$arch
    ## Support for arm platforms without hardware FPU enabled
    if [[ $arch == arm ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=5
    fi
    ## Support for armhf builds 
    if [[ $arch == armhf ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=7 
    fi
    make cloudflared-deb
    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
    # rpm packages invert the - and _ and use x86_64 instead of amd64.
    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
    RPMARCH=$arch
    if [ $arch == "amd64" ];then
        RPMARCH="x86_64"
    fi
    if [ $arch == "arm64" ]; then
        RPMARCH="aarch64"
    fi
    make cloudflared-rpm
    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
    # finally move the linux binary as well.
    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -31,6 +31,8 @@ type StartOptions struct {
 	Headers               http.Header
 	Host                  string
 	TLSClientConfig       *tls.Config
 	AutoCloseInterstitial bool
 	IsFedramp             bool
 }
 // Connection wraps up all the needed functions to forward over the tunnel
@ -46,7 +48,6 @@ type StdinoutStream struct{}
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
 	return os.Stdin.Read(p)
 }
 // Write will write to Stdout
@ -139,7 +140,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 		return nil, err
 	}
-	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
+	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)
 	if err != nil {
 		return nil, err
 	}
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -14,4 +14,7 @@ spec:
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
  cf:
    compliance:
      fedramp-high: "pending"
      fedramp-moderate: "yes"
    FIPS: "required"
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,256 +1,2 @@
-pinned_go: &pinned_go go-boring=1.24.4-1
+# A valid cfsetup.yaml is required but we dont have any real config to specify
-
+dummy_key: true
 build_dir: &build_dir /cfsetup_build
 default-flavor: bookworm
 bookworm: &bookworm
  build-linux:
    build_dir: *build_dir
    builddeps: &build_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - golangci-lint=1.64.8-2
    pre-cache: &build_pre_cache
      - export GOCACHE=/cfsetup_build/.cache/go-build
      - go install golang.org/x/tools/cmd/goimports@v0.30.0
    post-cache:
      # Linting
      - make lint
      - make fmt-check
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  build-linux-fips:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - export FIPS=true
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  cover:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - make cover
  # except FIPS and macos
  build-linux-release:
    build_dir: *build_dir
    builddeps: &build_deps_release
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - python3-dev
      - python3-pip
      - python3-setuptools
      - wget
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . /cfsetup_build/env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
  # handle FIPS separately so that we built with gofips compiler
  build-linux-fips-release:
    build_dir: *build_dir
    builddeps: *build_deps_release
    post-cache:
      # same logic as above, but for FIPS packages only
      - ./build-packages-fips.sh
  generate-versions-file:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
      - make generate-docker-version
  build-deb:
    build_dir: *build_dir
    builddeps: &build_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-deb
  build-fips-internal-deb:
    build_dir: *build_dir
    builddeps: &build_fips_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-amd64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export NIGHTLY=true
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-arm64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export NIGHTLY=true
      # - export FIPS=true # TUN-7595
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
    builddeps: *build_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
  package-windows:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
      - python3-venv
    pre-cache:
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - .teamcity/package-windows.sh
  test:
    build_dir: *build_dir
    builddeps: &build_deps_tests
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - gotest-to-teamcity
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_tests
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
    builddeps: &build_deps_component_test
      - *pinned_go
      - python3
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service
      # because the init script uses ps pid to determine if the agent is
      # running
      - procps
      - python3-venv
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    post-cache: &component_test_post_cache
      - python3 -m venv env
      - . env/bin/activate
      - pip install --upgrade -r component-tests/requirements.txt
      # Creates and routes a Named Tunnel for this build. Also constructs
      # config file from env vars.
      - python3 component-tests/setup.py --type create
      - pytest component-tests -o log_cli=true --log-cli-level=INFO
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
  component-test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_component_test
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    post-cache: *component_test_post_cache
  github-release-dryrun:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - make github-release-dryrun
  github-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - make github-release
  r2-linux-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - reprepro
      - createrepo-c
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
      - make r2-linux-release
 trixie: *bookworm
--- a/client/config_test.go
+++ b/client/config_test.go
@ -45,6 +45,6 @@ func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
 	return features.FeatureSnapshot{
 		PostQuantum:     features.PostQuantumPrefer,
 		DatagramVersion: features.DatagramV3,
-		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_1},
+		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
 	}
 }
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -47,6 +47,7 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
 		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
 		IsFedramp: forwarder.IsFedramp,
 	}
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
@ -92,6 +93,7 @@ func ssh(c *cli.Context) error {
 		OriginURL: url.String(),
 		Headers:   headers,
 		Host:      url.Host,
 		IsFedramp: c.Bool(fedrampFlag),
 	}
 	if connectTo := c.String(sshConnectTo); connectTo != "" {
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -51,6 +51,7 @@ Host {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
 	fedrampFlag = "fedramp"
 )
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
@ -79,6 +80,10 @@ func Commands() []*cli.Command {
 			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
 			Flags: []cli.Flag{&cli.BoolFlag{
 				Name:  fedrampFlag,
 				Usage: "use when performing operations in fedramp account",
 			}},
 			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
 			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
 			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
@ -104,6 +109,10 @@ func Commands() []*cli.Command {
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
 						&cli.BoolFlag{
 							Name:  "auto-close",
 							Usage: "automatically close the auth interstitial after action",
 						},
 						&cli.StringFlag{
 							Name: appURLFlag,
 						},
@ -322,7 +331,7 @@ func curl(c *cli.Context) error {
 			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
 			return run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL, appInfo, log)
+		tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 		if err != nil {
 			log.Err(err).Msg("Failed to refresh token")
 			return err
@ -442,7 +451,7 @@ func sshGen(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
+	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 	if err != nil {
 		return err
 	}
@ -542,7 +551,7 @@ func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context,
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
-	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
+	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
--- a/cmd/cloudflared/flags/flags.go
+++ b/cmd/cloudflared/flags/flags.go
@ -163,4 +163,7 @@ const (
 	// Management hostname to signify incoming management requests
 	ManagementHostname = "management-hostname"
 	// Automatically close the login interstitial browser window after the user makes a decision.
 	AutoCloseInterstitial = "auto-close"
 )
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -60,7 +60,7 @@ After=network-online.target
 Wants=network-online.target
 [Service]
-TimeoutStartSec=0
+TimeoutStartSec=15
 Type=notify
 ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -36,7 +36,6 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
 	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 var (
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@ -12,6 +12,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
@ -21,9 +22,8 @@ import (
 const (
 	baseLoginURL         = "https://dash.cloudflare.com/argotunnel"
 	callbackURL          = "https://login.cloudflareaccess.org/"
-	// For now these are the same but will change in the future once we know which URLs to use (TUN-8872)
+	fedBaseLoginURL      = "https://dash.fed.cloudflare.com/argotunnel"
-	fedBaseLoginURL      = "https://dash.cloudflare.com/argotunnel"
+	fedCallbackStoreURL  = "https://login.fed.cloudflareaccess.org/"
 	fedCallbackStoreURL  = "https://login.cloudflareaccess.org/"
 	fedRAMPParamName     = "fedramp"
 	loginURLParamName    = "loginURL"
 	callbackURLParamName = "callbackURL"
@ -97,6 +97,8 @@ func login(c *cli.Context) error {
 		callbackStoreURL,
 		false,
 		false,
 		c.Bool(cfdflags.AutoCloseInterstitial),
 		isFEDRamp,
 		log,
 	)
 	if err != nil {
--- a/cmd/cloudflared/tunnel/subcommand_context.go
+++ b/cmd/cloudflared/tunnel/subcommand_context.go
@ -155,10 +155,12 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 	if err != nil {
 		return nil, err
 	}
 	tunnelCredentials := connection.Credentials{
 		AccountTag:   credential.AccountID(),
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
 		Endpoint:     credential.Endpoint(),
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {
--- a/component-tests/test_management.py
+++ b/component-tests/test_management.py
@ -107,7 +107,13 @@ class TestManagement:
            assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def send_request(url, headers={}):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
        if resp.status_code == 530:
            LOGGER.debug(f"Received 530 status, retrying request to {url}")
            raise Exception(f"Received 530 status code from {url}")
        return resp
--- a/component-tests/test_service.py
+++ b/component-tests/test_service.py
@ -9,7 +9,7 @@ import pytest
 import test_logging
 from conftest import CfdModes
-from util import select_platform, start_cloudflared, wait_tunnel_ready, write_config
+from util import select_platform, skip_on_ci, start_cloudflared, wait_tunnel_ready, write_config
 def default_config_dir():
@ -82,6 +82,7 @@ class TestServiceMode:
        os.remove(default_config_file())
        self.launchctl_cmd("list", success=False)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
@ -98,6 +99,7 @@ class TestServiceMode:
        self.sysv_service_scenario(config, tmp_path, assert_log_file)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
@ -116,6 +118,7 @@ class TestServiceMode:
        self.sysv_service_scenario(config, tmp_path, assert_rotating_log)
    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
--- a/component-tests/test_token.py
+++ b/component-tests/test_token.py
@ -1,7 +1,7 @@
 import base64
 import json
-from setup import get_config_from_file, persist_origin_cert
+from setup import get_config_from_file
 from util import start_cloudflared
--- a/component-tests/test_tunnel.py
+++ b/component-tests/test_tunnel.py
@ -33,13 +33,20 @@ class TestTunnel:
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
-            resp = send_request(config.get_url()+"/")
+            expected_status_code = 503
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/", expected_status_code)
-            resp = send_request(config.get_url()+"/test")
+            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/test", expected_status_code)
            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
 def retry_if_result_none(result):
    '''
    Returns True if the result is None, indicating that the function should be retried.
    '''
    return result is None
-@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
+@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
-def send_request(url, headers={}):
+def send_request(url, expected_status_code=200):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS)
        return resp if resp.status_code == expected_status_code else None
--- a/component-tests/util.py
+++ b/component-tests/util.py
@ -10,7 +10,6 @@ import pytest
 import requests
 import yaml
 import json
 from retrying import retry
 from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
@ -35,6 +34,12 @@ def fips_enabled():
 nofips = pytest.mark.skipif(
        fips_enabled(), reason=f"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)")
 def skip_on_ci(reason):
    env_ci = os.getenv("CI")
    running_in_ci = env_ci is not None and env_ci != "0"
    return pytest.mark.skipif(
        running_in_ci, reason=f"This test can't run on CI due to: {reason}")
 def write_config(directory, config):
    config_path = directory / "config.yml"
    with open(config_path, 'w') as outfile:
@ -111,6 +116,7 @@ def inner_wait_tunnel_ready(tunnel_url=None, require_min_connections=1):
    metrics_url = f'http://localhost:{METRICS_PORT}/ready'
    with requests.Session() as s:
        LOGGER.debug("Waiting for tunnel to be ready...")
        resp = send_request(s, metrics_url, True)
        ready_connections = resp.json()["readyConnections"]
--- a/config/configuration.go
+++ b/config/configuration.go
@ -242,6 +242,8 @@ type AccessConfig struct {
 	// AudTag is the AudTag to verify access JWT against.
 	AudTag []string `yaml:"audTag" json:"audTag"`
 	Environment string `yaml:"environment" json:"environment,omitempty"`
 }
 type IngressIPRule struct {
--- a/config/model.go
+++ b/config/model.go
@ -1,7 +1,7 @@
 package config
 import (
-	"crypto/md5"
+	"crypto/sha256"
 	"fmt"
 	"io"
 	"strings"
@ -16,6 +16,7 @@ type Forwarder struct {
 	TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
 	TokenSecret   string `json:"secret_token_id" yaml:"serviceTokenSecret"`
 	Destination   string `json:"destination"`
 	IsFedramp     bool   `json:"is_fedramp" yaml:"isFedramp"`
 }
 // Tunnel represents a tunnel that should be started
@ -46,24 +47,24 @@ type Root struct {
 // Hash returns the computed values to see if the forwarder values change
 func (f *Forwarder) Hash() string {
-	h := md5.New()
+	h := sha256.New()
-	io.WriteString(h, f.URL)
+	_, _ = io.WriteString(h, f.URL)
-	io.WriteString(h, f.Listener)
+	_, _ = io.WriteString(h, f.Listener)
-	io.WriteString(h, f.TokenClientID)
+	_, _ = io.WriteString(h, f.TokenClientID)
-	io.WriteString(h, f.TokenSecret)
+	_, _ = io.WriteString(h, f.TokenSecret)
-	io.WriteString(h, f.Destination)
+	_, _ = io.WriteString(h, f.Destination)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
 // Hash returns the computed values to see if the forwarder values change
 func (r *DNSResolver) Hash() string {
-	h := md5.New()
+	h := sha256.New()
-	io.WriteString(h, r.Address)
+	_, _ = io.WriteString(h, r.Address)
-	io.WriteString(h, strings.Join(r.Bootstraps, ","))
+	_, _ = io.WriteString(h, strings.Join(r.Bootstraps, ","))
-	io.WriteString(h, strings.Join(r.Upstreams, ","))
+	_, _ = io.WriteString(h, strings.Join(r.Upstreams, ","))
-	io.WriteString(h, fmt.Sprintf("%d", r.Port))
+	_, _ = io.WriteString(h, fmt.Sprintf("%d", r.Port))
-	io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
+	_, _ = io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
-	io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
+	_, _ = io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
--- a/connection/control.go
+++ b/connection/control.go
@ -82,7 +82,7 @@ func (c *controlStream) ServeControlStream(
 	tunnelConfigGetter TunnelConfigJSONGetter,
 ) error {
 	registrationClient := c.registerClientFunc(ctx, rw, c.registerTimeout)
-
+	c.observer.logConnecting(c.connIndex, c.edgeAddress, c.protocol)
 	registrationDetails, err := registrationClient.RegisterConnection(
 		ctx,
 		c.tunnelProperties.Credentials.Auth(),
--- a/connection/errors.go
+++ b/connection/errors.go
@ -1,7 +1,6 @@
 package connection
 import (
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
@ -53,26 +52,26 @@ func serverRegistrationErrorFromRPC(err error) ServerRegisterTunnelError {
 	}
 }
-type muxerShutdownError struct{}
+type ControlStreamError struct{}
-func (e muxerShutdownError) Error() string {
+var _ error = &ControlStreamError{}
-	return "muxer shutdown"
+
 func (e *ControlStreamError) Error() string {
 	return "control stream encountered a failure while serving"
 }
-var errMuxerStopped = muxerShutdownError{}
+type StreamListenerError struct{}
-func isHandshakeErrRecoverable(err error, connIndex uint8, observer *Observer) bool {
+var _ error = &StreamListenerError{}
 	log := observer.log.With().
 		Uint8(LogFieldConnIndex, connIndex).
 		Err(err).
 		Logger()
-	switch err.(type) {
+func (e *StreamListenerError) Error() string {
-	case edgediscovery.DialError:
+	return "accept stream listener encountered a failure while serving"
-		log.Error().Msg("Connection unable to dial edge")
+}
-	default:
+
-		log.Error().Msg("Connection failed")
+type DatagramManagerError struct{}
-		return false
+
-	}
+var _ error = &DatagramManagerError{}
-	return true
+
 func (e *DatagramManagerError) Error() string {
 	return "datagram manager encountered a failure while serving"
 }
--- a/connection/header.go
+++ b/connection/header.go
@ -53,7 +53,8 @@ var headerEncoding = base64.RawStdEncoding
 func IsControlResponseHeader(headerName string) bool {
 	return strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-int-") ||
-		strings.HasPrefix(headerName, "cf-cloudflared-")
+		strings.HasPrefix(headerName, "cf-cloudflared-") ||
 		strings.HasPrefix(headerName, "cf-proxy-")
 }
 // isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly
--- a/connection/header_test.go
+++ b/connection/header_test.go
@ -1,18 +1,17 @@
 package connection
 import (
 	"fmt"
 	"net/http"
 	"reflect"
 	"sort"
 	"testing"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 func TestSerializeHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	mockHeaders := http.Header{
 		"Mock-Header-One":        {"Mock header one value", "three"},
@ -39,22 +38,22 @@ func TestSerializeHeaders(t *testing.T) {
 	serializedHeaders := SerializeHeaders(request.Header)
 	// Sanity check: the headers serialized to something that's not an empty string
-	assert.NotEqual(t, "", serializedHeaders)
+	require.NotEqual(t, "", serializedHeaders)
 	// Deserialize back, and ensure we get the same set of headers
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	assert.NoError(t, err)
+	require.NoError(t, err)
-	assert.Equal(t, 13, len(deserializedHeaders))
+	require.Len(t, deserializedHeaders, 13)
 	expectedHeaders := headerToReqHeader(mockHeaders)
 	sort.Sort(ByName(deserializedHeaders))
 	sort.Sort(ByName(expectedHeaders))
-	assert.True(
+	require.True(
 		t,
 		reflect.DeepEqual(expectedHeaders, deserializedHeaders),
-		fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders),
+		"got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders,
 	)
 }
@ -82,12 +81,12 @@ func headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {
 func TestSerializeNoHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	serializedHeaders := SerializeHeaders(request.Header)
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	assert.NoError(t, err)
+	require.NoError(t, err)
-	assert.Equal(t, 0, len(deserializedHeaders))
+	require.Empty(t, deserializedHeaders)
 }
 func TestDeserializeMalformed(t *testing.T) {
@ -102,21 +101,22 @@ func TestDeserializeMalformed(t *testing.T) {
 	for _, malformedValue := range malformedData {
 		_, err = DeserializeHeaders(malformedValue)
-		assert.Error(t, err)
+		require.Error(t, err)
 	}
 }
 func TestIsControlResponseHeader(t *testing.T) {
 	controlResponseHeaders := []string{
-		// Anything that begins with cf-int- or cf-cloudflared-
+		// Anything that begins with cf-int-, cf-cloudflared- or cf-proxy-
 		"cf-int-sample-header",
 		"cf-cloudflared-sample-header",
 		"cf-proxy-sample-header",
 		// Any http2 pseudoheader
 		":sample-pseudo-header",
 	}
 	for _, header := range controlResponseHeaders {
-		assert.True(t, IsControlResponseHeader(header))
+		require.True(t, IsControlResponseHeader(header))
 	}
 }
@ -130,6 +130,6 @@ func TestIsNotControlResponseHeader(t *testing.T) {
 	}
 	for _, header := range notControlResponseHeaders {
-		assert.False(t, IsControlResponseHeader(header))
+		require.False(t, IsControlResponseHeader(header))
 	}
 }
--- a/connection/observer.go
+++ b/connection/observer.go
@ -46,6 +46,15 @@ func (o *Observer) RegisterSink(sink EventSink) {
 	o.addSinkChan <- sink
 }
 func (o *Observer) logConnecting(connIndex uint8, address net.IP, protocol Protocol) {
 	o.log.Debug().
 		Int(management.EventTypeKey, int(management.Cloudflared)).
 		Uint8(LogFieldConnIndex, connIndex).
 		IPAddr(LogFieldIPAddress, address).
 		Str(LogFieldProtocol, protocol.String()).
 		Msg("Registering tunnel connection")
 }
 func (o *Observer) logConnected(connectionID uuid.UUID, connIndex uint8, location string, address net.IP, protocol Protocol) {
 	o.log.Info().
 		Int(management.EventTypeKey, int(management.Cloudflared)).
--- a/connection/quic_connection.go
+++ b/connection/quic_connection.go
@ -3,6 +3,7 @@ package connection
 import (
 	"bufio"
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"net"
@ -12,7 +13,6 @@ import (
 	"sync/atomic"
 	"time"
 	"github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
 	"golang.org/x/sync/errgroup"
@ -65,7 +65,7 @@ func NewTunnelConnection(
 	streamWriteTimeout time.Duration,
 	gracePeriod time.Duration,
 	logger *zerolog.Logger,
-) (TunnelConnection, error) {
+) TunnelConnection {
 	return &quicConnection{
 		conn:                 conn,
 		logger:               logger,
@ -77,10 +77,11 @@ func NewTunnelConnection(
 		rpcTimeout:           rpcTimeout,
 		streamWriteTimeout:   streamWriteTimeout,
 		gracePeriod:          gracePeriod,
-	}, nil
+	}
 }
 // Serve starts a QUIC connection that begins accepting streams.
 // Returning a nil error means cloudflared will exit for good and will not attempt to reconnect.
 func (q *quicConnection) Serve(ctx context.Context) error {
 	// The edge assumes the first stream is used for the control plane
 	controlStream, err := q.conn.OpenStream()
@ -88,16 +89,16 @@ func (q *quicConnection) Serve(ctx context.Context) error {
 		return fmt.Errorf("failed to open a registration control stream: %w", err)
 	}
 	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
 	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
 	// connection).
 	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
-	// other goroutine as fast as possible.
+	// other goroutines. We enforce returning a not-nil error for each function started in the errgroup by logging
-	ctx, cancel := context.WithCancel(ctx)
+	// the error returned and returning a custom error type instead.
 	errGroup, ctx := errgroup.WithContext(ctx)
-	// In the future, if cloudflared can autonomously push traffic to the edge, we have to make sure the control
+	// Close the quic connection if any of the following routines return from the errgroup (regardless of their error)
-	// stream is already fully registered before the other goroutines can proceed.
+	// because they are no longer processing requests for the connection.
 	defer q.Close()
 	// Start the control stream routine
 	errGroup.Go(func() error {
 		// err is equal to nil if we exit due to unregistration. If that happens we want to wait the full
 		// amount of the grace period, allowing requests to finish before we cancel the context, which will
@ -114,16 +115,26 @@ func (q *quicConnection) Serve(ctx context.Context) error {
 				}
 			}
 		}
-		cancel()
+		if err != nil {
-		return err
+			q.logger.Error().Err(err).Msg("failed to serve the control stream")
 		}
 		return &ControlStreamError{}
 	})
 	// Start the accept stream loop routine
 	errGroup.Go(func() error {
-		defer cancel()
+		err := q.acceptStream(ctx)
-		return q.acceptStream(ctx)
+		if err != nil {
 			q.logger.Error().Err(err).Msg("failed to accept incoming stream requests")
 		}
 		return &StreamListenerError{}
 	})
 	// Start the datagram handler routine
 	errGroup.Go(func() error {
-		defer cancel()
+		err := q.datagramHandler.Serve(ctx)
-		return q.datagramHandler.Serve(ctx)
+		if err != nil {
 			q.logger.Error().Err(err).Msg("failed to run the datagram handler")
 		}
 		return &DatagramManagerError{}
 	})
 	return errGroup.Wait()
@ -140,7 +151,6 @@ func (q *quicConnection) Close() {
 }
 func (q *quicConnection) acceptStream(ctx context.Context) error {
 	defer q.Close()
 	for {
 		quicStream, err := q.conn.AcceptStream(ctx)
 		if err != nil {
@ -230,7 +240,7 @@ func (q *quicConnection) dispatchRequest(ctx context.Context, stream *rpcquic.Re
 			ConnIndex: q.connIndex,
 		}), rwa.connectResponseSent
 	default:
-		return errors.Errorf("unsupported error type: %s", request.Type), false
+		return fmt.Errorf("unsupported error type: %s", request.Type), false
 	}
 }
--- a/connection/quic_connection_test.go
+++ b/connection/quic_connection_test.go
@ -847,7 +847,7 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 		&log,
 	}
-	tunnelConn, err := NewTunnelConnection(
+	tunnelConn := NewTunnelConnection(
 		ctx,
 		conn,
 		index,
@ -860,7 +860,6 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 		0*time.Second,
 		&log,
 	)
 	require.NoError(t, err)
 	return tunnelConn, datagramConn
 }
--- a/connection/quic_datagram_v2.go
+++ b/connection/quic_datagram_v2.go
@ -98,24 +98,17 @@ func NewDatagramV2Connection(ctx context.Context,
 }
 func (d *datagramV2Connection) Serve(ctx context.Context) error {
-	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
+	// If either goroutine from the errgroup returns at all (error or nil), we rely on its cancellation to make sure
-	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
+	// the other goroutines as well.
 	// connection).
 	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
 	// other goroutine as fast as possible.
 	ctx, cancel := context.WithCancel(ctx)
 	errGroup, ctx := errgroup.WithContext(ctx)
 	errGroup.Go(func() error {
 		defer cancel()
 		return d.sessionManager.Serve(ctx)
 	})
 	errGroup.Go(func() error {
 		defer cancel()
 		return d.datagramMuxer.ServeReceive(ctx)
 	})
 	errGroup.Go(func() error {
 		defer cancel()
 		return d.packetRouter.Serve(ctx)
 	})
--- a/credentials/credentials.go
+++ b/credentials/credentials.go
@ -23,6 +23,10 @@ func (c User) AccountID() string {
 	return c.cert.AccountID
 }
 func (c User) Endpoint() string {
 	return c.cert.Endpoint
 }
 func (c User) ZoneID() string {
 	return c.cert.ZoneID
 }
--- a/features/features.go
+++ b/features/features.go
@ -10,9 +10,10 @@ const (
 	FeaturePostQuantum       = "postquantum"
 	FeatureQUICSupportEOF    = "support_quic_eof"
 	FeatureManagementLogs    = "management_logs"
-	FeatureDatagramV3_1      = "support_datagram_v3_1"
+	FeatureDatagramV3_2      = "support_datagram_v3_2"
 	DeprecatedFeatureDatagramV3   = "support_datagram_v3"   // Deprecated: TUN-9291
 	DeprecatedFeatureDatagramV3_1 = "support_datagram_v3_1" // Deprecated: TUN-9883
 )
 var defaultFeatures = []string{
@ -26,6 +27,7 @@ var defaultFeatures = []string{
 // List of features that are no longer in-use.
 var deprecatedFeatures = []string{
 	DeprecatedFeatureDatagramV3,
 	DeprecatedFeatureDatagramV3_1,
 }
 // Features set by user provided flags
@ -58,7 +60,7 @@ const (
 	// DatagramV2 is the currently supported datagram protocol for UDP and ICMP packets
 	DatagramV2 DatagramVersion = FeatureDatagramV2
 	// DatagramV3 is a new datagram protocol for UDP and ICMP packets. It is not backwards compatible with datagram v2.
-	DatagramV3 DatagramVersion = FeatureDatagramV3_1
+	DatagramV3 DatagramVersion = FeatureDatagramV3_2
 )
 // Remove any duplicate features from the list and remove deprecated features
--- a/features/selector.go
+++ b/features/selector.go
@ -23,9 +23,10 @@ const (
 // If the TXT record is missing a key, the field will unmarshal to the default Go value
 type featuresRecord struct {
-	DatagramV3Percentage uint32 `json:"dv3_1"`
+	DatagramV3Percentage uint32 `json:"dv3_2"`
 	// DatagramV3Percentage int32 `json:"dv3"` // Removed in TUN-9291
 	// DatagramV3Percentage uint32 `json:"dv3_1"` // Removed in TUN-9883
 	// PostQuantumPercentage int32 `json:"pq"` // Removed in TUN-7970
 }
@ -105,7 +106,7 @@ func (fs *featureSelector) postQuantumMode() PostQuantumMode {
 func (fs *featureSelector) datagramVersion() DatagramVersion {
 	// If user provides the feature via the cli, we take it as priority over remote feature evaluation
-	if slices.Contains(fs.cliFeatures, FeatureDatagramV3_1) {
+	if slices.Contains(fs.cliFeatures, FeatureDatagramV3_2) {
 		return DatagramV3
 	}
 	// If the user specifies DatagramV2, we also take that over remote
--- a/features/selector_test.go
+++ b/features/selector_test.go
@ -22,15 +22,15 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
 		expectedPercentage uint32
 	}{
 		{
-			record:             []byte(`{"dv3_1":0}`),
+			record:             []byte(`{"dv3_2":0}`),
 			expectedPercentage: 0,
 		},
 		{
-			record:             []byte(`{"dv3_1":39}`),
+			record:             []byte(`{"dv3_2":39}`),
 			expectedPercentage: 39,
 		},
 		{
-			record:             []byte(`{"dv3_1":100}`),
+			record:             []byte(`{"dv3_2":100}`),
 			expectedPercentage: 100,
 		},
 		{
@ -40,7 +40,7 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
 			record: []byte(`{"kyber":768}`), // Unmarshal to default struct if key is not present
 		},
 		{
-			record: []byte(`{"pq": 101,"dv3":100}`), // Expired keys don't unmarshal to anything
+			record: []byte(`{"pq": 101,"dv3":100,"dv3_1":100}`), // Expired keys don't unmarshal to anything
 		},
 	}
@ -111,10 +111,10 @@ func TestFeaturePrecedenceEvaluationDatagramVersion(t *testing.T) {
 		},
 		{
 			name:             "user_specified_v3",
-			cli:              []string{FeatureDatagramV3_1},
+			cli:              []string{FeatureDatagramV3_2},
 			remote:           featuresRecord{},
-			expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_1)),
+			expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_2)),
-			expectedVersion:  FeatureDatagramV3_1,
+			expectedVersion:  FeatureDatagramV3_2,
 		},
 	}
@ -150,6 +150,12 @@ func TestDeprecatedFeaturesRemoved(t *testing.T) {
 			remote:           featuresRecord{},
 			expectedFeatures: defaultFeatures,
 		},
 		{
 			name:             "support_datagram_v3_1",
 			cli:              []string{DeprecatedFeatureDatagramV3_1},
 			remote:           featuresRecord{},
 			expectedFeatures: defaultFeatures,
 		},
 	}
 	for _, test := range tests {
--- a/ingress/ingress.go
+++ b/ingress/ingress.go
@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 				return Ingress{}, err
 			}
 			if access.Required {
-				verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)
+				verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)
 				handlers = append(handlers, verifier)
 			}
 		}
--- a/ingress/middleware/jwtvalidator.go
+++ b/ingress/middleware/jwtvalidator.go
@ -6,6 +6,8 @@ import (
 	"net/http"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/cloudflare/cloudflared/credentials"
 )
 const (
@ -14,6 +16,7 @@ const (
 var (
 	cloudflareAccessCertsURL    = "https://%s.cloudflareaccess.com"
 	cloudflareAccessFedCertsURL = "https://%s.fed.cloudflareaccess.com"
 )
 // JWTValidator is an implementation of Verifier that validates access based JWT tokens.
@ -22,10 +25,14 @@ type JWTValidator struct {
 	audTags []string
 }
-func NewJWTValidator(teamName string, certsURL string, audTags []string) *JWTValidator {
+func NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {
-	if certsURL == "" {
+	var certsURL string
 	if environment == credentials.FedEndpoint {
 		certsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)
 	} else {
 		certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)
 	}
 	certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL)
 	config := &oidc.Config{
--- a/ingress/origin_dialer.go
+++ b/ingress/origin_dialer.go
@ -11,6 +11,8 @@ import (
 	"github.com/rs/zerolog"
 )
 const writeDeadlineUDP = 200 * time.Millisecond
 // OriginTCPDialer provides a TCP dial operation to a requested address.
 type OriginTCPDialer interface {
 	DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error)
@ -141,6 +143,21 @@ func (d *Dialer) DialUDP(dest netip.AddrPort) (net.Conn, error) {
 	if err != nil {
 		return nil, fmt.Errorf("unable to dial udp to origin %s: %w", dest, err)
 	}
-
+	return &writeDeadlineConn{
-	return conn, nil
+		Conn: conn,
 	}, nil
 }
 // writeDeadlineConn is a wrapper around a net.Conn that sets a write deadline of 200ms.
 // This is to prevent the socket from blocking on the write operation if it were to occur. However,
 // we typically never expect this to occur except under high load or kernel issues.
 type writeDeadlineConn struct {
 	net.Conn
 }
 func (w *writeDeadlineConn) Write(b []byte) (int, error) {
 	if err := w.SetWriteDeadline(time.Now().Add(writeDeadlineUDP)); err != nil {
 		return 0, err
 	}
 	return w.Conn.Write(b)
 }
--- a/postinst.sh
+++ b/postinst.sh
@ -1,5 +1,5 @@
 #!/bin/bash
 set -eu
-ln -s /usr/bin/cloudflared /usr/local/bin/cloudflared
+ln -sf /usr/bin/cloudflared /usr/local/bin/cloudflared
 mkdir -p /usr/local/etc/cloudflared/
 touch /usr/local/etc/cloudflared/.installedFromPackageManager || true
--- a/quic/v3/datagram_test.go
+++ b/quic/v3/datagram_test.go
@ -1,6 +1,7 @@
 package v3_test
 import (
 	"crypto/rand"
 	"encoding/binary"
 	"errors"
 	"net/netip"
@ -14,12 +15,18 @@ import (
 func makePayload(size int) []byte {
 	payload := make([]byte, size)
-	for i := range len(payload) {
+	_, _ = rand.Read(payload)
 		payload[i] = 0xfc
 	}
 	return payload
 }
 func makePayloads(size int, count int) [][]byte {
 	payloads := make([][]byte, count)
 	for i := range payloads {
 		payloads[i] = makePayload(size)
 	}
 	return payloads
 }
 func TestSessionRegistration_MarshalUnmarshal(t *testing.T) {
 	payload := makePayload(1280)
 	tests := []*v3.UDPSessionRegistrationDatagram{
--- a/quic/v3/metrics.go
+++ b/quic/v3/metrics.go
@ -10,27 +10,58 @@ import (
 const (
 	namespace      = "cloudflared"
-	subsystem = "udp"
+	subsystem_udp  = "udp"
 	subsystem_icmp = "icmp"
 	commandMetricLabel = "command"
 	reasonMetricLabel  = "reason"
 )
 type DroppedReason int
 const (
 	DroppedWriteFailed DroppedReason = iota
 	DroppedWriteDeadlineExceeded
 	DroppedWriteFull
 	DroppedWriteFlowUnknown
 	DroppedReadFailed
 	// Origin payloads that are too large to proxy.
 	DroppedReadTooLarge
 )
 var droppedReason = map[DroppedReason]string{
 	DroppedWriteFailed:           "write_failed",
 	DroppedWriteDeadlineExceeded: "write_deadline_exceeded",
 	DroppedWriteFull:             "write_full",
 	DroppedWriteFlowUnknown:      "write_flow_unknown",
 	DroppedReadFailed:            "read_failed",
 	DroppedReadTooLarge:          "read_too_large",
 }
 func (dr DroppedReason) String() string {
 	return droppedReason[dr]
 }
 type Metrics interface {
 	IncrementFlows(connIndex uint8)
 	DecrementFlows(connIndex uint8)
-	PayloadTooLarge(connIndex uint8)
+	FailedFlow(connIndex uint8)
 	RetryFlowResponse(connIndex uint8)
 	MigrateFlow(connIndex uint8)
 	UnsupportedRemoteCommand(connIndex uint8, command string)
 	DroppedUDPDatagram(connIndex uint8, reason DroppedReason)
 	DroppedICMPPackets(connIndex uint8, reason DroppedReason)
 }
 type metrics struct {
 	activeUDPFlows            *prometheus.GaugeVec
 	totalUDPFlows             *prometheus.CounterVec
 	payloadTooLarge           *prometheus.CounterVec
 	retryFlowResponses        *prometheus.CounterVec
 	migratedFlows             *prometheus.CounterVec
 	unsupportedRemoteCommands *prometheus.CounterVec
 	droppedUDPDatagrams       *prometheus.CounterVec
 	droppedICMPPackets        *prometheus.CounterVec
 	failedFlows               *prometheus.CounterVec
 }
 func (m *metrics) IncrementFlows(connIndex uint8) {
@ -42,8 +73,8 @@ func (m *metrics) DecrementFlows(connIndex uint8) {
 	m.activeUDPFlows.WithLabelValues(fmt.Sprintf("%d", connIndex)).Dec()
 }
-func (m *metrics) PayloadTooLarge(connIndex uint8) {
+func (m *metrics) FailedFlow(connIndex uint8) {
-	m.payloadTooLarge.WithLabelValues(fmt.Sprintf("%d", connIndex)).Inc()
+	m.failedFlows.WithLabelValues(fmt.Sprintf("%d", connIndex)).Inc()
 }
 func (m *metrics) RetryFlowResponse(connIndex uint8) {
@ -58,52 +89,74 @@ func (m *metrics) UnsupportedRemoteCommand(connIndex uint8, command string) {
 	m.unsupportedRemoteCommands.WithLabelValues(fmt.Sprintf("%d", connIndex), command).Inc()
 }
 func (m *metrics) DroppedUDPDatagram(connIndex uint8, reason DroppedReason) {
 	m.droppedUDPDatagrams.WithLabelValues(fmt.Sprintf("%d", connIndex), reason.String()).Inc()
 }
 func (m *metrics) DroppedICMPPackets(connIndex uint8, reason DroppedReason) {
 	m.droppedICMPPackets.WithLabelValues(fmt.Sprintf("%d", connIndex), reason.String()).Inc()
 }
 func NewMetrics(registerer prometheus.Registerer) Metrics {
 	m := &metrics{
 		activeUDPFlows: prometheus.NewGaugeVec(prometheus.GaugeOpts{
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "active_flows",
 			Help:      "Concurrent count of UDP flows that are being proxied to any origin",
 		}, []string{quic.ConnectionIndexMetricLabel}),
 		totalUDPFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "total_flows",
 			Help:      "Total count of UDP flows that have been proxied to any origin",
 		}, []string{quic.ConnectionIndexMetricLabel}),
-		payloadTooLarge: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
+		failedFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
-			Name:      "payload_too_large",
+			Name:      "failed_flows",
-			Help:      "Total count of UDP flows that have had origin payloads that are too large to proxy",
+			Help:      "Total count of flows that errored and closed",
 		}, []string{quic.ConnectionIndexMetricLabel}),
 		retryFlowResponses: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "retry_flow_responses",
 			Help:      "Total count of UDP flows that have had to send their registration response more than once",
 		}, []string{quic.ConnectionIndexMetricLabel}),
 		migratedFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "migrated_flows",
 			Help:      "Total count of UDP flows have been migrated across local connections",
 		}, []string{quic.ConnectionIndexMetricLabel}),
-		unsupportedRemoteCommands: prometheus.NewCounterVec(prometheus.CounterOpts{
+		unsupportedRemoteCommands: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "unsupported_remote_command_total",
-			Help:      "Total count of unsupported remote RPC commands for the ",
+			Help:      "Total count of unsupported remote RPC commands called",
 		}, []string{quic.ConnectionIndexMetricLabel, commandMetricLabel}),
 		droppedUDPDatagrams: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
 			Subsystem: subsystem_udp,
 			Name:      "dropped_datagrams",
 			Help:      "Total count of UDP dropped datagrams",
 		}, []string{quic.ConnectionIndexMetricLabel, reasonMetricLabel}),
 		droppedICMPPackets: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
 			Subsystem: subsystem_icmp,
 			Name:      "dropped_packets",
 			Help:      "Total count of ICMP dropped datagrams",
 		}, []string{quic.ConnectionIndexMetricLabel, reasonMetricLabel}),
 	}
 	registerer.MustRegister(
 		m.activeUDPFlows,
 		m.totalUDPFlows,
-		m.payloadTooLarge,
+		m.failedFlows,
 		m.retryFlowResponses,
 		m.migratedFlows,
 		m.unsupportedRemoteCommands,
 		m.droppedUDPDatagrams,
 		m.droppedICMPPackets,
 	)
 	return m
 }
--- a/quic/v3/metrics_test.go
+++ b/quic/v3/metrics_test.go
@ -1,10 +1,15 @@
 package v3_test
 import v3 "github.com/cloudflare/cloudflared/quic/v3"
 type noopMetrics struct{}
 func (noopMetrics) IncrementFlows(connIndex uint8)                              {}
 func (noopMetrics) DecrementFlows(connIndex uint8)                              {}
 func (noopMetrics) FailedFlow(connIndex uint8)                                  {}
 func (noopMetrics) PayloadTooLarge(connIndex uint8)                             {}
 func (noopMetrics) RetryFlowResponse(connIndex uint8)                           {}
 func (noopMetrics) MigrateFlow(connIndex uint8)                                 {}
 func (noopMetrics) UnsupportedRemoteCommand(connIndex uint8, command string)    {}
 func (noopMetrics) DroppedUDPDatagram(connIndex uint8, reason v3.DroppedReason) {}
 func (noopMetrics) DroppedICMPPackets(connIndex uint8, reason v3.DroppedReason) {}
--- a/quic/v3/muxer.go
+++ b/quic/v3/muxer.go
@ -17,6 +17,9 @@ const (
 	// Allocating a 16 channel buffer here allows for the writer to be slightly faster than the reader.
 	// This has worked previously well for datagramv2, so we will start with this as well
 	demuxChanCapacity = 16
 	// This provides a small buffer for the PacketRouter to poll ICMP packets from the QUIC connection
 	// before writing them to the origin.
 	icmpDatagramChanCapacity = 128
 	logSrcKey      = "src"
 	logDstKey      = "dst"
@ -66,6 +69,7 @@ type datagramConn struct {
 	metrics          Metrics
 	logger           *zerolog.Logger
 	datagrams        chan []byte
 	icmpDatagramChan chan *ICMPDatagram
 	readErrors       chan error
 	icmpEncoderPool sync.Pool // a pool of *packet.Encoder
@ -82,6 +86,7 @@ func NewDatagramConn(conn QuicConnection, sessionManager SessionManager, icmpRou
 		metrics:          metrics,
 		logger:           &log,
 		datagrams:        make(chan []byte, demuxChanCapacity),
 		icmpDatagramChan: make(chan *ICMPDatagram, icmpDatagramChanCapacity),
 		readErrors:       make(chan error, 2),
 		icmpEncoderPool: sync.Pool{
 			New: func() any {
@ -168,6 +173,9 @@ func (c *datagramConn) Serve(ctx context.Context) error {
 	readCtx, cancel := context.WithCancel(connCtx)
 	defer cancel()
 	go c.pollDatagrams(readCtx)
 	// Processing ICMP datagrams also monitors the reader context since the ICMP datagrams from the reader are the input
 	// for the routine.
 	go c.processICMPDatagrams(readCtx)
 	for {
 		// We make sure to monitor the context of cloudflared and the underlying connection to return if any errors occur.
 		var datagram []byte
@ -175,23 +183,22 @@ func (c *datagramConn) Serve(ctx context.Context) error {
 		// Monitor the context of cloudflared
 		case <-ctx.Done():
 			return ctx.Err()
-		// Monitor the context of the underlying connection
+		// Monitor the context of the underlying quic connection
 		case <-connCtx.Done():
 			return connCtx.Err()
 		// Monitor for any hard errors from reading the connection
 		case err := <-c.readErrors:
 			return err
-		// Otherwise, wait and dequeue datagrams as they come in
+		// Wait and dequeue datagrams as they come in
 		case d := <-c.datagrams:
 			datagram = d
 		}
 		// Each incoming datagram will be processed in a new go routine to handle the demuxing and action associated.
 		go func() {
 		typ, err := ParseDatagramType(datagram)
 		if err != nil {
 			c.logger.Err(err).Msgf("unable to parse datagram type: %d", typ)
-				return
+			continue
 		}
 		switch typ {
 		case UDPSessionRegistrationType:
@ -199,20 +206,23 @@ func (c *datagramConn) Serve(ctx context.Context) error {
 			err := reg.UnmarshalBinary(datagram)
 			if err != nil {
 				c.logger.Err(err).Msgf("unable to unmarshal session registration datagram")
-					return
+				continue
 			}
 			logger := c.logger.With().Str(logFlowID, reg.RequestID.String()).Logger()
 			// We bind the new session to the quic connection context instead of cloudflared context to allow for the
 			// quic connection to close and close only the sessions bound to it. Closing of cloudflared will also
 			// initiate the close of the quic connection, so we don't have to worry about the application context
 			// in the scope of a session.
-				c.handleSessionRegistrationDatagram(connCtx, reg, &logger)
+			//
 			// Additionally, we spin out the registration into a separate go routine to handle the Serve'ing of the
 			// session in a separate routine from the demuxer.
 			go c.handleSessionRegistrationDatagram(connCtx, reg, &logger)
 		case UDPSessionPayloadType:
 			payload := &UDPSessionPayloadDatagram{}
 			err := payload.UnmarshalBinary(datagram)
 			if err != nil {
 				c.logger.Err(err).Msgf("unable to unmarshal session payload datagram")
-					return
+				continue
 			}
 			logger := c.logger.With().Str(logFlowID, payload.RequestID.String()).Logger()
 			c.handleSessionPayloadDatagram(payload, &logger)
@ -221,18 +231,17 @@ func (c *datagramConn) Serve(ctx context.Context) error {
 			err := packet.UnmarshalBinary(datagram)
 			if err != nil {
 				c.logger.Err(err).Msgf("unable to unmarshal icmp datagram")
-					return
+				continue
 			}
 			c.handleICMPPacket(packet)
 		case UDPSessionRegistrationResponseType:
 			// cloudflared should never expect to receive UDP session responses as it will not initiate new
 			// sessions towards the edge.
 			c.logger.Error().Msgf("unexpected datagram type received: %d", UDPSessionRegistrationResponseType)
-				return
+			continue
 		default:
 			c.logger.Error().Msgf("unknown datagram type received: %d", typ)
 		}
 		}()
 	}
 }
@ -243,24 +252,21 @@ func (c *datagramConn) handleSessionRegistrationDatagram(ctx context.Context, da
 		Str(logDstKey, datagram.Dest.String()).
 		Logger()
 	session, err := c.sessionManager.RegisterSession(datagram, c)
 	if err != nil {
 		switch err {
 	case nil:
 		// Continue as normal
 		case ErrSessionAlreadyRegistered:
 			// Session is already registered and likely the response got lost
 			c.handleSessionAlreadyRegistered(datagram.RequestID, &log)
 		return
 		case ErrSessionBoundToOtherConn:
 			// Session is already registered but to a different connection
 			c.handleSessionMigration(datagram.RequestID, &log)
 		return
 		case ErrSessionRegistrationRateLimited:
 			// There are too many concurrent sessions so we return an error to force a retry later
 			c.handleSessionRegistrationRateLimited(datagram, &log)
 		return
 		default:
 			log.Err(err).Msg("flow registration failure")
 			c.handleSessionRegistrationFailure(datagram.RequestID, &log)
 		}
 		return
 	}
 	log = log.With().Str(logSrcKey, session.LocalAddr().String()).Logger()
@ -362,30 +368,54 @@ func (c *datagramConn) handleSessionRegistrationRateLimited(datagram *UDPSession
 func (c *datagramConn) handleSessionPayloadDatagram(datagram *UDPSessionPayloadDatagram, logger *zerolog.Logger) {
 	s, err := c.sessionManager.GetSession(datagram.RequestID)
 	if err != nil {
 		c.metrics.DroppedUDPDatagram(c.index, DroppedWriteFlowUnknown)
 		logger.Err(err).Msgf("unable to find flow")
 		return
 	}
-	// We ignore the bytes written to the socket because any partial write must return an error.
+	s.Write(datagram.Payload)
 	_, err = s.Write(datagram.Payload)
 	if err != nil {
 		logger.Err(err).Msgf("unable to write payload for the flow")
 		return
 	}
 }
-// Handles incoming ICMP datagrams.
+// Handles incoming ICMP datagrams into a serialized channel to be handled by a single consumer.
 func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
 	if c.icmpRouter == nil {
 		// ICMPRouter is disabled so we drop the current packet and ignore all incoming ICMP packets
 		return
 	}
 	select {
 	case c.icmpDatagramChan <- datagram:
 	default:
 		// If the ICMP datagram channel is full, drop any additional incoming.
 		c.metrics.DroppedICMPPackets(c.index, DroppedWriteFull)
 		c.logger.Warn().Msg("failed to write icmp packet to origin: dropped")
 	}
 }
 // Consumes from the ICMP datagram channel to write out the ICMP requests to an origin.
 func (c *datagramConn) processICMPDatagrams(ctx context.Context) {
 	if c.icmpRouter == nil {
 		// ICMPRouter is disabled so we ignore all incoming ICMP packets
 		return
 	}
 	for {
 		select {
 		// If the provided context is closed we want to exit the write loop
 		case <-ctx.Done():
 			return
 		case datagram := <-c.icmpDatagramChan:
 			c.writeICMPPacket(datagram)
 		}
 	}
 }
 func (c *datagramConn) writeICMPPacket(datagram *ICMPDatagram) {
 	// Decode the provided ICMPDatagram as an ICMP packet
 	rawPacket := packet.RawPacket{Data: datagram.Payload}
 	cachedDecoder := c.icmpDecoderPool.Get()
 	defer c.icmpDecoderPool.Put(cachedDecoder)
 	decoder, ok := cachedDecoder.(*packet.ICMPDecoder)
 	if !ok {
 		c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
 		c.logger.Error().Msg("Could not get ICMPDecoder from the pool. Dropping packet")
 		return
 	}
@ -393,6 +423,7 @@ func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
 	icmp, err := decoder.Decode(rawPacket)
 	if err != nil {
 		c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
 		c.logger.Err(err).Msgf("unable to marshal icmp packet")
 		return
 	}
@ -400,6 +431,7 @@ func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
 	// If the ICMP packet's TTL is expired, we won't send it to the origin and immediately return a TTL Exceeded Message
 	if icmp.TTL <= 1 {
 		if err := c.SendICMPTTLExceed(icmp, rawPacket); err != nil {
 			c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
 			c.logger.Err(err).Msg("failed to return ICMP TTL exceed error")
 		}
 		return
@ -411,6 +443,7 @@ func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
 	// connection context which will have no tracing information available.
 	err = c.icmpRouter.Request(c.conn.Context(), icmp, newPacketResponder(c, c.index))
 	if err != nil {
 		c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
 		c.logger.Err(err).
 			Str(logSrcKey, icmp.Src.String()).
 			Str(logDstKey, icmp.Dst.String()).
--- a/quic/v3/muxer_test.go
+++ b/quic/v3/muxer_test.go
@ -13,6 +13,7 @@ import (
 	"testing"
 	"time"
 	"github.com/fortytw2/leaktest"
 	"github.com/google/gopacket/layers"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
@ -92,7 +93,7 @@ func TestDatagramConn_New(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	conn := v3.NewDatagramConn(newMockQuicConn(), v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
+	conn := v3.NewDatagramConn(newMockQuicConn(t.Context()), v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 	if conn == nil {
 		t.Fatal("expected valid connection")
 	}
@ -104,7 +105,9 @@ func TestDatagramConn_SendUDPSessionDatagram(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 	payload := []byte{0xef, 0xef}
@ -123,7 +126,9 @@ func TestDatagramConn_SendUDPSessionResponse(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 	err := conn.SendUDPSessionResponse(testRequestID, v3.ResponseDestinationUnreachable)
@ -149,7 +154,9 @@ func TestDatagramConnServe_ApplicationClosed(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 	ctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)
@ -166,7 +173,9 @@ func TestDatagramConnServe_ConnectionClosed(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	ctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)
 	defer cancel()
 	quic.ctx = ctx
@ -195,15 +204,17 @@ func TestDatagramConnServe_ReceiveDatagramError(t *testing.T) {
 func TestDatagramConnServe_SessionRegistrationRateLimit(t *testing.T) {
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	sessionManager := &mockSessionManager{
 		expectedRegErr: v3.ErrSessionRegistrationRateLimited,
 	}
 	conn := v3.NewDatagramConn(quic, sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 	// Setup the muxer
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancelCause(t.Context())
-	defer cancel()
+	defer cancel(context.Canceled)
 	done := make(chan error, 1)
 	go func() {
 		done <- conn.Serve(ctx)
@ -223,9 +234,12 @@ func TestDatagramConnServe_SessionRegistrationRateLimit(t *testing.T) {
 	require.EqualValues(t, testRequestID, resp.RequestID)
 	require.EqualValues(t, v3.ResponseTooManyActiveFlows, resp.ResponseType)
 	assertContextClosed(t, ctx, done, cancel)
 }
 func TestDatagramConnServe_ErrorDatagramTypes(t *testing.T) {
 	defer leaktest.Check(t)()
 	for _, test := range []struct {
 		name     string
 		input    []byte
@ -250,7 +264,9 @@ func TestDatagramConnServe_ErrorDatagramTypes(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			logOutput := new(LockedBuffer)
 			log := zerolog.New(logOutput)
-			quic := newMockQuicConn()
+			connCtx, connCancel := context.WithCancelCause(t.Context())
 			defer connCancel(context.Canceled)
 			quic := newMockQuicConn(connCtx)
 			quic.send <- test.input
 			conn := v3.NewDatagramConn(quic, &mockSessionManager{}, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -289,8 +305,11 @@ func (b *LockedBuffer) String() string {
 }
 func TestDatagramConnServe_RegisterSession_SessionManagerError(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	expectedErr := errors.New("unable to register session")
 	sessionManager := mockSessionManager{expectedRegErr: expectedErr}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -324,8 +343,11 @@ func TestDatagramConnServe_RegisterSession_SessionManagerError(t *testing.T) {
 }
 func TestDatagramConnServe(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -372,8 +394,11 @@ func TestDatagramConnServe(t *testing.T) {
 // instances causes inteference resulting in multiple different raw packets being decoded
 // as the same decoded packet.
 func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	router := newMockICMPRouter()
@ -413,11 +438,15 @@ func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
 	wg := sync.WaitGroup{}
 	var receivedPackets []*packet.ICMP
 	go func() {
-		for ctx.Err() == nil {
+		for {
-			icmpPacket := <-router.recv
+			select {
 			case <-ctx.Done():
 				return
 			case icmpPacket := <-router.recv:
 				receivedPackets = append(receivedPackets, icmpPacket)
 				wg.Done()
 			}
 		}
 	}()
 	for _, p := range packets {
@ -452,8 +481,11 @@ func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
 }
 func TestDatagramConnServe_RegisterTwice(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -514,12 +546,17 @@ func TestDatagramConnServe_RegisterTwice(t *testing.T) {
 }
 func TestDatagramConnServe_MigrateConnection(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
-	quic2 := newMockQuicConn()
+	conn2Ctx, conn2Cancel := context.WithCancelCause(t.Context())
 	defer conn2Cancel(context.Canceled)
 	quic2 := newMockQuicConn(conn2Ctx)
 	conn2 := v3.NewDatagramConn(quic2, &sessionManager, &noopICMPRouter{}, 1, &noopMetrics{}, &log)
 	// Setup the muxer
@ -597,8 +634,11 @@ func TestDatagramConnServe_MigrateConnection(t *testing.T) {
 }
 func TestDatagramConnServe_Payload_GetSessionError(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	// mockSessionManager will return the ErrSessionNotFound for any session attempting to be queried by the muxer
 	sessionManager := mockSessionManager{session: nil, expectedGetErr: v3.ErrSessionNotFound}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -624,9 +664,12 @@ func TestDatagramConnServe_Payload_GetSessionError(t *testing.T) {
 	assertContextClosed(t, ctx, done, cancel)
 }
-func TestDatagramConnServe_Payload(t *testing.T) {
+func TestDatagramConnServe_Payloads(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@ -639,15 +682,26 @@ func TestDatagramConnServe_Payload(t *testing.T) {
 		done <- conn.Serve(ctx)
 	}()
-	// Send new session registration
+	// Send session payloads
-	expectedPayload := []byte{0xef, 0xef}
+	expectedPayloads := makePayloads(256, 16)
-	datagram := newSessionPayloadDatagram(testRequestID, expectedPayload)
+	go func() {
 		for _, payload := range expectedPayloads {
 			datagram := newSessionPayloadDatagram(testRequestID, payload)
 			quic.send <- datagram
 		}
 	}()
-	// Session should receive the payload
+	// Session should receive the payloads (in-order)
-	payload := <-session.recv
+	for i, payload := range expectedPayloads {
-	if !slices.Equal(expectedPayload, payload) {
+		select {
-		t.Fatalf("expected session receieve the payload sent via the muxer")
+		case recv := <-session.recv:
 			if !slices.Equal(recv, payload) {
 				t.Fatalf("expected session receieve the payload[%d] sent via the muxer: (%x) (%x)", i, recv[:16], payload[:16])
 			}
 		case err := <-ctx.Done():
 			// we expect the payload to return before the context to cancel on the session
 			t.Fatal(err)
 		}
 	}
 	// Cancel the muxer Serve context and make sure it closes with the expected error
@ -655,8 +709,11 @@ func TestDatagramConnServe_Payload(t *testing.T) {
 }
 func TestDatagramConnServe_ICMPDatagram_TTLDecremented(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	router := newMockICMPRouter()
 	conn := v3.NewDatagramConn(quic, &mockSessionManager{}, router, 0, &noopMetrics{}, &log)
@ -701,8 +758,11 @@ func TestDatagramConnServe_ICMPDatagram_TTLDecremented(t *testing.T) {
 }
 func TestDatagramConnServe_ICMPDatagram_TTLExceeded(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
 	defer connCancel(context.Canceled)
 	quic := newMockQuicConn(connCtx)
 	router := newMockICMPRouter()
 	conn := v3.NewDatagramConn(quic, &mockSessionManager{}, router, 0, &noopMetrics{}, &log)
@ -821,9 +881,9 @@ type mockQuicConn struct {
 	recv chan []byte
 }
-func newMockQuicConn() *mockQuicConn {
+func newMockQuicConn(ctx context.Context) *mockQuicConn {
 	return &mockQuicConn{
-		ctx:  context.Background(),
+		ctx:  ctx,
 		send: make(chan []byte, 1),
 		recv: make(chan []byte, 1),
 	}
@ -841,7 +901,12 @@ func (m *mockQuicConn) SendDatagram(payload []byte) error {
 }
 func (m *mockQuicConn) ReceiveDatagram(_ context.Context) ([]byte, error) {
-	return <-m.send, nil
+	select {
 	case <-m.ctx.Done():
 		return nil, m.ctx.Err()
 	case b := <-m.send:
 		return b, nil
 	}
 }
 type mockQuicConnReadError struct {
@ -905,11 +970,10 @@ func (m *mockSession) Serve(ctx context.Context) error {
 	return v3.SessionCloseErr
 }
-func (m *mockSession) Write(payload []byte) (n int, err error) {
+func (m *mockSession) Write(payload []byte) {
 	b := make([]byte, len(payload))
 	copy(b, payload)
 	m.recv <- b
 	return len(b), nil
 }
 func (m *mockSession) Close() error {
--- a/quic/v3/session.go
+++ b/quic/v3/session.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net"
 	"os"
 	"sync"
 	"sync/atomic"
 	"time"
@ -22,6 +23,11 @@ const (
 	// this value (maxDatagramPayloadLen).
 	maxOriginUDPPacketSize = 1500
 	// The maximum amount of datagrams a session will queue up before it begins dropping datagrams.
 	// This channel buffer is small because we assume that the dedicated writer to the origin is typically
 	// fast enought to keep the channel empty.
 	writeChanCapacity = 512
 	logFlowID        = "flowID"
 	logPacketSizeKey = "packetSize"
 )
@ -49,7 +55,7 @@ func newSessionIdleErr(timeout time.Duration) error {
 }
 type Session interface {
-	io.WriteCloser
+	io.Closer
 	ID() RequestID
 	ConnectionID() uint8
 	RemoteAddr() net.Addr
@ -58,6 +64,7 @@ type Session interface {
 	Migrate(eyeball DatagramConn, ctx context.Context, logger *zerolog.Logger)
 	// Serve starts the event loop for processing UDP packets
 	Serve(ctx context.Context) error
 	Write(payload []byte)
 }
 type session struct {
@ -67,9 +74,15 @@ type session struct {
 	originAddr     net.Addr
 	localAddr      net.Addr
 	eyeball        atomic.Pointer[DatagramConn]
 	writeChan      chan []byte
 	// activeAtChan is used to communicate the last read/write time
 	activeAtChan chan time.Time
-	closeChan    chan error
+	errChan      chan error
 	// The close channel signal only exists for the write loop because the read loop is always waiting on a read
 	// from the UDP socket to the origin. To close the read loop we close the socket.
 	// Additionally, we can't close the writeChan to indicate that writes are complete because the producer (edge)
 	// side may still be trying to write to this session.
 	closeWrite  chan struct{}
 	contextChan chan context.Context
 	metrics     Metrics
 	log         *zerolog.Logger
@ -89,10 +102,12 @@ func NewSession(
 	log *zerolog.Logger,
 ) Session {
 	logger := log.With().Str(logFlowID, id.String()).Logger()
-	// closeChan has two slots to allow for both writers (the closeFn and the Serve routine) to both be able to
+	writeChan := make(chan []byte, writeChanCapacity)
-	// write to the channel without blocking since there is only ever one value read from the closeChan by the
+	// errChan has three slots to allow for all writers (the closeFn, the read loop and the write loop) to
 	// write to the channel without blocking since there is only ever one value read from the errChan by the
 	// waitForCloseCondition.
-	closeChan := make(chan error, 2)
+	errChan := make(chan error, 3)
 	closeWrite := make(chan struct{})
 	session := &session{
 		id:             id,
 		closeAfterIdle: closeAfterIdle,
@ -100,10 +115,12 @@ func NewSession(
 		originAddr:     originAddr,
 		localAddr:      localAddr,
 		eyeball:        atomic.Pointer[DatagramConn]{},
 		writeChan:      writeChan,
 		// activeAtChan has low capacity. It can be full when there are many concurrent read/write. markActive() will
 		// drop instead of blocking because last active time only needs to be an approximation
 		activeAtChan: make(chan time.Time, 1),
-		closeChan:    closeChan,
+		errChan:      errChan,
 		closeWrite:   closeWrite,
 		// contextChan is an unbounded channel to help enforce one active migration of a session at a time.
 		contextChan: make(chan context.Context),
 		metrics:     metrics,
@ -111,9 +128,12 @@ func NewSession(
 		closeFn: sync.OnceValue(func() error {
 			// We don't want to block on sending to the close channel if it is already full
 			select {
-			case closeChan <- SessionCloseErr:
+			case errChan <- SessionCloseErr:
 			default:
 			}
 			// Indicate to the write loop that the session is now closed
 			close(closeWrite)
 			// Close the socket directly to unblock the read loop and cause it to also end
 			return origin.Close()
 		}),
 	}
@ -154,7 +174,13 @@ func (s *session) Migrate(eyeball DatagramConn, ctx context.Context, logger *zer
 }
 func (s *session) Serve(ctx context.Context) error {
-	go func() {
+	go s.writeLoop()
 	go s.readLoop()
 	return s.waitForCloseCondition(ctx, s.closeAfterIdle)
 }
 // Read datagrams from the origin and write them to the connection.
 func (s *session) readLoop() {
 	// QUIC implementation copies data to another buffer before returning https://github.com/quic-go/quic-go/blob/v0.24.0/session.go#L1967-L1975
 	// This makes it safe to share readBuffer between iterations
 	readBuffer := [maxOriginUDPPacketSize + DatagramPayloadHeaderLen]byte{}
@ -166,20 +192,19 @@ func (s *session) Serve(ctx context.Context) error {
 		// Read from the origin UDP socket
 		n, err := s.origin.Read(readBuffer[DatagramPayloadHeaderLen:])
 		if err != nil {
-				if errors.Is(err, io.EOF) ||
+			if isConnectionClosed(err) {
-					errors.Is(err, io.ErrUnexpectedEOF) {
+				s.log.Debug().Msgf("flow (read) connection closed: %v", err)
 					s.log.Debug().Msgf("flow (origin) connection closed: %v", err)
 			}
-				s.closeChan <- err
+			s.closeSession(err)
 			return
 		}
 		if n < 0 {
 			s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedReadFailed)
 			s.log.Warn().Int(logPacketSizeKey, n).Msg("flow (origin) packet read was negative and was dropped")
 			continue
 		}
 		if n > maxDatagramPayloadLen {
-				connectionIndex := s.ConnectionID()
+			s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedReadTooLarge)
 				s.metrics.PayloadTooLarge(connectionIndex)
 			s.log.Error().Int(logPacketSizeKey, n).Msg("flow (origin) packet read was too large and was dropped")
 			continue
 		}
@ -190,30 +215,74 @@ func (s *session) Serve(ctx context.Context) error {
 		// will cause back-pressure to the kernel buffer if the writes are not fast enough to the edge.
 		err = eyeball.SendUDPSessionDatagram(readBuffer[:DatagramPayloadHeaderLen+n])
 		if err != nil {
-				s.closeChan <- err
+			s.closeSession(err)
 			return
 		}
 		// Mark the session as active since we proxied a valid packet from the origin.
 		s.markActive()
 	}
 	}()
 	return s.waitForCloseCondition(ctx, s.closeAfterIdle)
 }
-func (s *session) Write(payload []byte) (n int, err error) {
+func (s *session) Write(payload []byte) {
-	n, err = s.origin.Write(payload)
+	select {
 	case s.writeChan <- payload:
 	default:
 		s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteFull)
 		s.log.Error().Msg("failed to write flow payload to origin: dropped")
 	}
 }
 // Read datagrams from the write channel to the origin.
 func (s *session) writeLoop() {
 	for {
 		select {
 		case <-s.closeWrite:
 			// When the closeWrite channel is closed, we will no longer write to the origin and end this
 			// goroutine since the session is now closed.
 			return
 		case payload := <-s.writeChan:
 			n, err := s.origin.Write(payload)
 			if err != nil {
-		s.log.Err(err).Msg("failed to write payload to flow (remote)")
+				// Check if this is a write deadline exceeded to the connection
-		return n, err
+				if errors.Is(err, os.ErrDeadlineExceeded) {
 					s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteDeadlineExceeded)
 					s.log.Warn().Err(err).Msg("flow (write) deadline exceeded: dropping packet")
 					continue
 				}
 				if isConnectionClosed(err) {
 					s.log.Debug().Msgf("flow (write) connection closed: %v", err)
 				}
 				s.log.Err(err).Msg("failed to write flow payload to origin")
 				s.closeSession(err)
 				// If we fail to write to the origin socket, we need to end the writer and close the session
 				return
 			}
 			// Write must return a non-nil error if it returns n < len(p). https://pkg.go.dev/io#Writer
 			if n < len(payload) {
-		s.log.Err(io.ErrShortWrite).Msg("failed to write the full payload to flow (remote)")
+				s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteFailed)
-		return n, io.ErrShortWrite
+				s.log.Err(io.ErrShortWrite).Msg("failed to write the full flow payload to origin")
 				continue
 			}
-	// Mark the session as active since we proxied a packet to the origin.
+			// Mark the session as active since we successfully proxied a packet to the origin.
 			s.markActive()
-	return n, err
+		}
 	}
 }
 func isConnectionClosed(err error) bool {
 	return errors.Is(err, net.ErrClosed) || errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)
 }
 // Send an error to the error channel to report that an error has either happened on the tunnel or origin side of the
 // proxied connection.
 func (s *session) closeSession(err error) {
 	select {
 	case s.errChan <- err:
 	default:
 		// In the case that the errChan is already full, we will skip over it and return as to not block
 		// the caller because we should start cleaning up the session.
 		s.log.Warn().Msg("error channel was full")
 	}
 }
 // ResetIdleTimer will restart the current idle timer.
@ -240,7 +309,8 @@ func (s *session) Close() error {
 func (s *session) waitForCloseCondition(ctx context.Context, closeAfterIdle time.Duration) error {
 	connCtx := ctx
-	// Closing the session at the end cancels read so Serve() can return
+	// Closing the session at the end cancels read so Serve() can return, additionally, it closes the
 	// closeWrite channel which indicates to the write loop to return.
 	defer s.Close()
 	if closeAfterIdle == 0 {
 		// Provided that the default caller doesn't specify one
@ -260,7 +330,10 @@ func (s *session) waitForCloseCondition(ctx context.Context, closeAfterIdle time
 			// still be active on the existing connection.
 			connCtx = newContext
 			continue
-		case reason := <-s.closeChan:
+		case reason := <-s.errChan:
 			// Any error returned here is from the read or write loops indicating that it can no longer process datagrams
 			// and as such the session needs to close.
 			s.metrics.FailedFlow(s.ConnectionID())
 			return reason
 		case <-checkIdleTimer.C:
 			// The check idle timer will only return after an idle period since the last active
--- a/quic/v3/session_fuzz_test.go
+++ b/quic/v3/session_fuzz_test.go
@ -4,20 +4,24 @@ import (
 	"testing"
 )
-// FuzzSessionWrite verifies that we don't run into any panics when writing variable sized payloads to the origin.
+// FuzzSessionWrite verifies that we don't run into any panics when writing a single variable sized payload to the origin.
 func FuzzSessionWrite(f *testing.F) {
 	f.Fuzz(func(t *testing.T, b []byte) {
 		testSessionWrite(t, b)
 	})
 }
 // FuzzSessionServe verifies that we don't run into any panics when reading variable sized payloads from the origin.
 func FuzzSessionServe(f *testing.F) {
 	f.Fuzz(func(t *testing.T, b []byte) {
 		// The origin transport read is bound to 1280 bytes
 		if len(b) > 1280 {
 			b = b[:1280]
 		}
-		testSessionServe_Origin(t, b)
+		testSessionWrite(t, [][]byte{b})
 	})
 }
 // FuzzSessionRead verifies that we don't run into any panics when reading a single variable sized payload from the origin.
 func FuzzSessionRead(f *testing.F) {
 	f.Fuzz(func(t *testing.T, b []byte) {
 		// The origin transport read is bound to 1280 bytes
 		if len(b) > 1280 {
 			b = b[:1280]
 		}
 		testSessionRead(t, [][]byte{b})
 	})
 }
--- a/quic/v3/session_test.go
+++ b/quic/v3/session_test.go
@ -31,60 +31,61 @@ func TestSessionNew(t *testing.T) {
 	}
 }
-func testSessionWrite(t *testing.T, payload []byte) {
+func testSessionWrite(t *testing.T, payloads [][]byte) {
 	log := zerolog.Nop()
 	origin, server := net.Pipe()
 	defer origin.Close()
 	defer server.Close()
-	// Start origin server read
+	// Start origin server reads
-	serverRead := make(chan []byte, 1)
+	serverRead := make(chan []byte, len(payloads))
 	go func() {
-		read := make([]byte, 1500)
+		for range len(payloads) {
-		_, _ = server.Read(read[:])
+			buf := make([]byte, 1500)
-		serverRead <- read
+			_, _ = server.Read(buf[:])
-	}()
+			serverRead <- buf
 	// Create session and write to origin
 	session := v3.NewSession(testRequestID, 5*time.Second, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)
 	n, err := session.Write(payload)
 	defer session.Close()
 	if err != nil {
 		t.Fatal(err)
 		}
-	if n != len(payload) {
+		close(serverRead)
-		t.Fatal("unable to write the whole payload")
+	}()
 	// Create a session
 	session := v3.NewSession(testRequestID, 5*time.Second, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)
 	defer session.Close()
 	// Start the Serve to begin the writeLoop
 	ctx, cancel := context.WithCancelCause(t.Context())
 	defer cancel(context.Canceled)
 	done := make(chan error)
 	go func() {
 		done <- session.Serve(ctx)
 	}()
 	// Write the payloads to the session
 	for _, payload := range payloads {
 		session.Write(payload)
 	}
 	// Read from the origin to ensure the payloads were received (in-order)
 	for i, payload := range payloads {
 		read := <-serverRead
 		if !slices.Equal(payload, read[:len(payload)]) {
-		t.Fatal("payload provided from origin and read value are not the same")
+			t.Fatalf("payload[%d] provided from origin and read value are not the same (%x) and (%x)", i, payload[:16], read[:16])
 		}
 	}
 	_, more := <-serverRead
 	if more {
 		t.Fatalf("expected the session to have all of the origin payloads received: %d", len(serverRead))
 	}
 	assertContextClosed(t, ctx, done, cancel)
 }
 func TestSessionWrite(t *testing.T) {
 	defer leaktest.Check(t)()
 	for i := range 1280 {
 		payloads := makePayloads(i, 16)
 		testSessionWrite(t, payloads)
 	}
 }
-func TestSessionWrite_Max(t *testing.T) {
+func testSessionRead(t *testing.T, payloads [][]byte) {
 	defer leaktest.Check(t)()
 	payload := makePayload(1280)
 	testSessionWrite(t, payload)
 }
 func TestSessionWrite_Min(t *testing.T) {
 	defer leaktest.Check(t)()
 	payload := makePayload(0)
 	testSessionWrite(t, payload)
 }
 func TestSessionServe_OriginMax(t *testing.T) {
 	defer leaktest.Check(t)()
 	payload := makePayload(1280)
 	testSessionServe_Origin(t, payload)
 }
 func TestSessionServe_OriginMin(t *testing.T) {
 	defer leaktest.Check(t)()
 	payload := makePayload(0)
 	testSessionServe_Origin(t, payload)
 }
 func testSessionServe_Origin(t *testing.T, payload []byte) {
 	log := zerolog.Nop()
 	origin, server := net.Pipe()
 	defer origin.Close()
@ -100,12 +101,15 @@ func testSessionServe_Origin(t *testing.T, payload []byte) {
 		done <- session.Serve(ctx)
 	}()
-	// Write from the origin server
+	// Write from the origin server to the eyeball
-	_, err := server.Write(payload)
+	go func() {
-	if err != nil {
+		for _, payload := range payloads {
-		t.Fatal(err)
+			_, _ = server.Write(payload)
 		}
 	}()
 	// Read from the eyeball to ensure the payloads were received (in-order)
 	for i, payload := range payloads {
 		select {
 		case data := <-eyeball.recvData:
 			// check received data matches provided from origin
@ -113,24 +117,26 @@ func testSessionServe_Origin(t *testing.T, payload []byte) {
 			_ = v3.MarshalPayloadHeaderTo(testRequestID, expectedData[:])
 			copy(expectedData[17:], payload)
 			if !slices.Equal(expectedData[:v3.DatagramPayloadHeaderLen+len(payload)], data) {
-			t.Fatal("expected datagram did not equal expected")
+				t.Fatalf("expected datagram[%d] did not equal expected", i)
 			}
 		cancel(errExpectedContextCanceled)
 		case err := <-ctx.Done():
 			// we expect the payload to return before the context to cancel on the session
 			t.Fatal(err)
 		}
 	err = <-done
 	if !errors.Is(err, context.Canceled) {
 		t.Fatal(err)
 	}
-	if !errors.Is(context.Cause(ctx), errExpectedContextCanceled) {
+
-		t.Fatal(err)
+	assertContextClosed(t, ctx, done, cancel)
 }
 func TestSessionRead(t *testing.T) {
 	defer leaktest.Check(t)()
 	for i := range 1280 {
 		payloads := makePayloads(i, 16)
 		testSessionRead(t, payloads)
 	}
 }
-func TestSessionServe_OriginTooLarge(t *testing.T) {
+func TestSessionRead_OriginTooLarge(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
 	eyeball := newMockEyeball()
@ -317,6 +323,8 @@ func TestSessionServe_IdleTimeout(t *testing.T) {
 	closeAfterIdle := 2 * time.Second
 	session := v3.NewSession(testRequestID, closeAfterIdle, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)
 	err := session.Serve(t.Context())
 	// Session should idle timeout if no reads or writes occur
 	if !errors.Is(err, v3.SessionIdleErr{}) {
 		t.Fatal(err)
 	}
--- a/release/index.html
+++ b/release/index.html
@ -0,0 +1,212 @@
 <!-- TODO(TUN-9963): Create pipeline to push this file to repo automatically -->
 <html>
 <body>
 <h1>Cloudflare packages</h1>
 <ul>
    <li><a href="#cloudflared-packages">Cloudflared packages</a></li>
    <li><a href="#gokeyless-packages">Gokeyless Packages</a></li>
 </ul>
 <br>
 <h2><a name="cloudflared-packages">Cloudflared</a></h2>
 <ul>
    <li><a href="#debian-any">Any Debian Based Distribution (Recommended)</a></li>
    <li><a href="#debian-bookworm">Debian Bookworm</a></li>
    <li><a href="#ubuntu-focal">Ubuntu 20.04 (Focal Fossa)</a></li>
    <li><a href="#ubuntu-jammy">Ubuntu 22.04 (Jammy Jellyfish)</a></li>
    <li><a href="#ubuntu-noble">Ubuntu 24.04 (Noble Numbat)</a></li>
    <li><a href="#Amazon-Linux">Amazon Linux</a></li>
    <li><a href="#RHEL-generic">RHEL Generic</a></li>
    <li><a href="#centos-7">Centos 7</a></li>
    <li><a href="#centos-8">Centos 8</a></li>
    <li><a href="#centos-stream">Centos Stream</a></li>
 </ul>
 <h3 style="color: #d9534f;">Warning: Public Key Rollover (30 October 2025)</h3>
 <p style="background-color: #fff3cd; border-left: 4px solid #ffc107; padding: 10px; margin: 10px 0;">
    <strong>We have rolled our public key for package signing.</strong> If you are using RPM-based distributions (RHEL,
    CentOS, Amazon Linux, etc.) or Debian Trixie and have the old key installed, RPM/Deb packages will no longer work with the old key.
    Please update your repository configuration using the instructions below to ensure you can continue receiving
    package updates. The previous keys will still work for other distributions for the time being, but it is now DEPRECATED and will be removed on 30 April 2026
 </p>
 <h3><a name="debian-any">Any Debian Based Distribution (Recommended)</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="debian-bookworm">Debian Bookworm</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="ubuntu-focal">Ubuntu 20.04 (Focal Fossa)</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="ubuntu-jammy">Ubuntu 22.04 (Jammy Jellyfish)</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="ubuntu-noble">Ubuntu 24.04 (Noble Numbat)</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="Amazon-Linux">Amazon Linux</a></h3>
 <pre>
 # Add cloudflared.repo to /etc/yum.repos.d/
 # Stable
 curl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
 # Nightly
 curl -fsSl https://next.pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
 #update repo
 sudo yum update
 # install cloudflared
 sudo yum install cloudflared
 </pre>
 <h3><a name="RHEL-generic">RHEL Generic</a></h3>
 <pre>
 # Add cloudflared.repo to /etc/yum.repos.d/
 # Stable
 curl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
 # Nightly
 curl -fsSl https://next.pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
 #update repo
 sudo yum update
 # install cloudflared
 sudo yum install cloudflared
 </pre>
 <h3><a name="centos-7">Centos 7</a></h3>
 <pre>
 # This requires yum config-manager
 sudo yum install yum-utils
 # Add cloudflared.repo to config-manager
 # Stable
 sudo yum-config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
 # Nightly
 sudo yum-config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
 # install cloudflared
 yum install cloudflared
 </pre>
 <h3><a name="centos-8">Centos 8</a></h3>
 <pre>
 # This requires dnf config-manager
 # Add cloudflared.repo to config-manager
 # Stable
 sudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
 # Nightly
 sudo dnf config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
 # install cloudflared
 sudo dnf install cloudflared
 </pre>
 <h3><a name="centos-stream">Centos Stream</a></h3>
 <pre>
 # This requires dnf config-manager
 # Add cloudflared.repo to config-manager
 # Stable
 sudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
 # Nightly
 sudo dnf config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
 # install cloudflared
 sudo dnf install cloudflared
 </pre>
 <h2><a name="gokeyless-packages"></a>Gokeyless</a></h2>
 <h3><a name="go-keyless-debian">Debian</a></h3>
 <pre>
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/gokeyless buster main' | sudo tee /etc/apt/sources.list.d/cloudflare.list
 # install gokeyless
 sudo apt-get update && sudo apt-get install gokeyless
 </pre>
 <h3><a name="go-keyless-centos">Centos 8</a></h3>
 <pre>
 # This requires dnf config-manager
 # Add gokeyless.repo to config-manager
 sudo dnf config-manager --add-repo https://pkg.cloudflare.com/gokeyless.repo
 # install gokeyless
 sudo dnf install gokeyless
 </pre>
 </body>
 </html>
--- a/release_pkgs.py
+++ b/release_pkgs.py
@ -50,7 +50,7 @@ class PkgUploader:
            config=config,
        )
-        print(f"uploading asset: {filename} to {upload_file_path} in bucket{self.bucket_name}...")
+        print(f"uploading asset: {filename} to {upload_file_path} in bucket {self.bucket_name}...")
        try:
            r2.upload_file(filename, self.bucket_name, upload_file_path)
        except ClientError as e:
@ -133,16 +133,19 @@ class PkgCreator:
    """
    def create_repo_file(self, file_path, binary_name, baseurl, gpgkey_url):
-        with open(os.path.join(file_path, binary_name + '.repo'), "w+") as repo_file:
+        repo_file_path = os.path.join(file_path, binary_name + '.repo')
-            repo_file.write(f"[{binary_name}-stable]")
+        with open(repo_file_path, "w+") as repo_file:
-            repo_file.write(f"{binary_name}-stable")
+            repo_file.write(f"[{binary_name}-stable]\n")
-            repo_file.write(f"baseurl={baseurl}/rpm")
+            repo_file.write(f"name={binary_name}-stable\n")
-            repo_file.write("enabled=1")
+            repo_file.write(f"baseurl={baseurl}/rpm\n")
-            repo_file.write("type=rpm")
+            repo_file.write("enabled=1\n")
-            repo_file.write("gpgcheck=1")
+            repo_file.write("type=rpm\n")
-            repo_file.write(f"gpgkey={gpgkey_url}")
+            repo_file.write("gpgcheck=1\n")
            repo_file.write(f"gpgkey={gpgkey_url}\n")
        return repo_file_path
-    def _sign_rpms(self, file_path):
+
    def _sign_rpms(self, file_path, gpg_key_name):
        p = Popen(["rpm", "--define", f"_gpg_name {gpg_key_name}", "--addsign", file_path], stdout=PIPE, stderr=PIPE)
        out, err = p.communicate()
        if p.returncode != 0:
@ -150,7 +153,7 @@ class PkgCreator:
            raise
    def _sign_repomd(self):
-        p = Popen(["gpg", "--batch", "--detach-sign", "--armor", "./rpm/repodata/repomd.xml"], stdout=PIPE, stderr=PIPE)
+        p = Popen(["gpg", "--batch", "--yes", "--detach-sign", "--armor", "./rpm/repodata/repomd.xml"], stdout=PIPE, stderr=PIPE)
        out, err = p.communicate()
        if p.returncode != 0:
            print(f"sign repomd result => {out}, {err}")
@ -176,7 +179,7 @@ class PkgCreator:
                        old_path = os.path.join(root, file)
                        new_path = os.path.join(new_dir, file)
                        shutil.copyfile(old_path, new_path)
-                        self._sign_rpms(new_path)
+                        self._sign_rpms(new_path, gpg_key_name)
    """
        imports gpg keys into the system so reprepro and createrepo can use it to sign packages.
@ -186,11 +189,34 @@ class PkgCreator:
    def import_gpg_keys(self, private_key, public_key):
        gpg = gnupg.GPG()
        private_key = base64.b64decode(private_key)
-        gpg.import_keys(private_key)
+        import_result = gpg.import_keys(private_key)
        if not import_result.fingerprints:
            raise Exception("Failed to import private key")
        public_key = base64.b64decode(public_key)
        gpg.import_keys(public_key)
        imported_fingerprint = import_result.fingerprints[0]
        data = gpg.list_keys(secret=True)
-        return (data[0]["fingerprint"], data[0]["uids"][0])
+
        # Find the specific key we just imported by comparing fingerprints
        for key in data:
            if key["fingerprint"] == imported_fingerprint:
                return (key["fingerprint"], key["uids"][0])
        raise Exception(f"Could not find imported key with fingerprint {imported_fingerprint}")
    def import_multiple_gpg_keys(self, primary_private_key, primary_public_key, secondary_private_key=None, secondary_public_key=None):
        """
        Import one or two GPG keypairs. Returns a list of (fingerprint, uid) with the primary first.
        """
        results = []
        if primary_private_key and primary_public_key:
            results.append(self.import_gpg_keys(primary_private_key, primary_public_key))
        if secondary_private_key and secondary_public_key:
            # Ensure secondary is imported and appended
            results.append(self.import_gpg_keys(secondary_private_key, secondary_public_key))
        return results
    """
        basically rpm --import <key_file>
@ -234,7 +260,7 @@ def upload_from_directories(pkg_uploader, directory, release, binary):
 """ 
-    1. looks into a built_artifacts folder for cloudflared debs
+    1. looks into a artifacts folder for cloudflared debs
    2. creates Packages.gz, InRelease (signed) files
    3. uploads them to Cloudflare R2 
@ -247,11 +273,13 @@ def upload_from_directories(pkg_uploader, directory, release, binary):
 """
-def create_deb_packaging(pkg_creator, pkg_uploader, releases, gpg_key_id, binary_name, archs, package_component,
+def create_deb_packaging(pkg_creator, pkg_uploader, releases, primary_gpg_key_id, secondary_gpg_key_id, binary_name, archs, package_component,
                         release_version):
    # set configuration for package creation.
    print(f"initialising configuration for {binary_name} , {archs}")
    Path("./conf").mkdir(parents=True, exist_ok=True)
    # If in rollover mode (secondary provided), tell reprepro to sign with both keys.
    sign_with_ids = primary_gpg_key_id if not secondary_gpg_key_id else f"{primary_gpg_key_id} {secondary_gpg_key_id}"
    pkg_creator.create_distribution_conf(
        "./conf/distributions",
        binary_name,
@ -260,13 +288,13 @@ def create_deb_packaging(pkg_creator, pkg_uploader, releases, gpg_key_id, binary
        archs,
        package_component,
        f"apt repository for {binary_name}",
-        gpg_key_id)
+        sign_with_ids)
    # create deb pkgs
    for release in releases:
        for arch in archs:
            print(f"creating deb pkgs for {release} and {arch}...")
-            pkg_creator.create_deb_pkgs(release, f"./built_artifacts/cloudflared-linux-{arch}.deb")
+            pkg_creator.create_deb_pkgs(release, f"./artifacts/cloudflared-linux-{arch}.deb")
    print("uploading latest to r2...")
    upload_from_directories(pkg_uploader, "dists", None, binary_name)
@ -287,15 +315,19 @@ def create_rpm_packaging(
        gpg_key_name,
        base_url,
        gpg_key_url,
        upload_repo_file=False,
 ):
    print(f"creating rpm pkgs...")
    pkg_creator.create_rpm_pkgs(artifacts_path, gpg_key_name)
-    pkg_creator.create_repo_file(artifacts_path, binary_name, base_url, gpg_key_url)
+    repo_file = pkg_creator.create_repo_file(artifacts_path, binary_name, base_url, gpg_key_url)
    print("Uploading repo file")
    pkg_uploader.upload_pkg_to_r2(repo_file, binary_name + ".repo")
    print("uploading latest to r2...")
    upload_from_directories(pkg_uploader, "rpm", None, binary_name)
-    if release_version:
+    if upload_repo_file:
        print(f"uploading versioned release {release_version} to r2...")
        upload_from_directories(pkg_uploader, "rpm", release_version, binary_name)
@ -336,6 +368,14 @@ def parse_args():
            signing packages"
    )
    # Optional secondary keypair for key rollover
    parser.add_argument(
        "--gpg-private-key-2", default=os.environ.get("LINUX_SIGNING_PRIVATE_KEY_2"), help="Secondary GPG private key for rollover"
    )
    parser.add_argument(
        "--gpg-public-key-2", default=os.environ.get("LINUX_SIGNING_PUBLIC_KEY_2"), help="Secondary GPG public key for rollover"
    )
    parser.add_argument(
        "--gpg-public-key-url", default=os.environ.get("GPG_PUBLIC_KEY_URL"), help="GPG public key url that\
            downloaders can use to verify signing"
@ -355,6 +395,10 @@ def parse_args():
            it is the caller's responsiblity to ensure that these debs are already present in a directory. This script\
            will not build binaries or create their debs."
    )
    parser.add_argument(
        "--upload-repo-file", action='store_true', help="Upload RPM repo file to R2"
    )
    args = parser.parse_args()
    return args
@ -368,21 +412,51 @@ if __name__ == "__main__":
        exit(1)
    pkg_creator = PkgCreator()
-    (gpg_key_id, gpg_key_name) = pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)
+    # Import one or two keypairs; primary first
    key_results = pkg_creator.import_multiple_gpg_keys(
        args.gpg_private_key,
        args.gpg_public_key,
        args.gpg_private_key_2,
        args.gpg_public_key_2,
    )
    if not key_results or len(key_results) == 0:
        raise SystemExit("No GPG keys were provided for signing")
    primary_gpg_key_id, primary_gpg_key_name = key_results[0]
    secondary_gpg_key_id = None
    secondary_gpg_key_name = None
    if len(key_results) > 1:
        secondary_gpg_key_id, secondary_gpg_key_name = key_results[1]
    if args.gpg_private_key_2:
        print(f"signing RPM with secondary gpg_key: {secondary_gpg_key_id}")
        pkg_creator.import_rpm_key(args.gpg_public_key_2)
    else:
        print(f"signing RPM with primary gpg_key: {primary_gpg_key_name}")
        pkg_creator.import_rpm_key(args.gpg_public_key)
    pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)
-    print(f"signing with gpg_key: {gpg_key_id}")
+    print(f"signing deb with primary gpg_key: {primary_gpg_key_id} and secondary gpg_key: {secondary_gpg_key_id}")
-    create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, gpg_key_id, args.binary, args.archs,
+    create_deb_packaging(
-                         "main", args.release_tag)
+        pkg_creator,
        pkg_uploader,
        args.deb_based_releases,
        primary_gpg_key_id,
        secondary_gpg_key_id,
        args.binary,
        args.archs,
        "main",
        args.release_tag,
    )
    create_rpm_packaging(
        pkg_creator,
        pkg_uploader,
-        "./built_artifacts",
+        "./artifacts",
        args.release_tag,
        args.binary,
-        gpg_key_name,
+        secondary_gpg_key_name,
        args.gpg_public_key_url,
        args.pkg_upload_url,
        args.gpg_public_key_url,
        args.upload_repo_file,
    )
--- a/supervisor/supervisor.go
+++ b/supervisor/supervisor.go
@ -132,6 +132,7 @@ func (s *Supervisor) Run(
 		if err == errEarlyShutdown {
 			return nil
 		}
 		s.log.Logger().Error().Err(err).Msg("initial tunnel connection failed")
 		return err
 	}
 	var tunnelsWaiting []int
@ -154,6 +155,7 @@ func (s *Supervisor) Run(
 		// (note that this may also be caused by context cancellation)
 		case tunnelError := <-s.tunnelErrors:
 			tunnelsActive--
 			s.log.ConnAwareLogger().Err(tunnelError.err).Int(connection.LogFieldConnIndex, tunnelError.index).Msg("Connection terminated")
 			if tunnelError.err != nil && !shuttingDown {
 				switch tunnelError.err.(type) {
 				case ReconnectSignal:
@ -166,7 +168,6 @@ func (s *Supervisor) Run(
 				if _, retry := s.tunnelsProtocolFallback[tunnelError.index].GetMaxBackoffDuration(ctx); !retry {
 					continue
 				}
 				s.log.ConnAwareLogger().Err(tunnelError.err).Int(connection.LogFieldConnIndex, tunnelError.index).Msg("Connection terminated")
 				tunnelsWaiting = append(tunnelsWaiting, tunnelError.index)
 				s.waitForNextTunnel(tunnelError.index)
@ -285,7 +286,10 @@ func (s *Supervisor) startFirstTunnel(
 			*quic.IdleTimeoutError,
 			*quic.ApplicationError,
 			edgediscovery.DialError,
-			*connection.EdgeQuicDialError:
+			*connection.EdgeQuicDialError,
 			*connection.ControlStreamError,
 			*connection.StreamListenerError,
 			*connection.DatagramManagerError:
 			// Try again for these types of errors
 		default:
 			// Uncaught errors should bail startup
@ -301,13 +305,9 @@ func (s *Supervisor) startTunnel(
 	index int,
 	connectedSignal *signal.Signal,
 ) {
 	var err error
 	defer func() {
 		s.tunnelErrors <- tunnelError{index: index, err: err}
 	}()
 	// nolint: gosec
-	err = s.edgeTunnelServer.Serve(ctx, uint8(index), s.tunnelsProtocolFallback[index], connectedSignal)
+	err := s.edgeTunnelServer.Serve(ctx, uint8(index), s.tunnelsProtocolFallback[index], connectedSignal)
 	s.tunnelErrors <- tunnelError{index: index, err: err}
 }
 func (s *Supervisor) newConnectedTunnelSignal(index int) *signal.Signal {
--- a/supervisor/tunnel.go
+++ b/supervisor/tunnel.go
@ -556,6 +556,7 @@ func (e *EdgeTunnelServer) serveQUIC(
 	pqMode := connOptions.FeatureSnapshot.PostQuantum
 	curvePref, err := curvePreference(pqMode, fips.IsFipsEnabled(), tlsConfig.CurvePreferences)
 	if err != nil {
 		connLogger.ConnAwareLogger().Err(err).Msgf("failed to get curve preferences")
 		return err, true
 	}
@ -627,7 +628,7 @@ func (e *EdgeTunnelServer) serveQUIC(
 	}
 	// Wrap the [quic.Connection] as a TunnelConnection
-	tunnelConn, err := connection.NewTunnelConnection(
+	tunnelConn := connection.NewTunnelConnection(
 		ctx,
 		conn,
 		connIndex,
@ -640,17 +641,13 @@ func (e *EdgeTunnelServer) serveQUIC(
 		e.config.GracePeriod,
 		connLogger.Logger(),
 	)
 	if err != nil {
 		connLogger.ConnAwareLogger().Err(err).Msgf("Failed to create new tunnel connection")
 		return err, true
 	}
 	// Serve the TunnelConnection
 	errGroup, serveCtx := errgroup.WithContext(ctx)
 	errGroup.Go(func() error {
 		err := tunnelConn.Serve(serveCtx)
 		if err != nil {
-			connLogger.ConnAwareLogger().Err(err).Msg("Failed to serve tunnel connection")
+			connLogger.ConnAwareLogger().Err(err).Msg("failed to serve tunnel connection")
 		}
 		return err
 	})
--- a/token/token.go
+++ b/token/token.go
@ -185,18 +185,18 @@ func Init(version string) {
 // FetchTokenWithRedirect will either load a stored token or generate a new one
 // it appends the full url as the redirect URL to the access cli request if opening the browser
-func FetchTokenWithRedirect(appURL *url.URL, appInfo *AppInfo, log *zerolog.Logger) (string, error) {
+func FetchTokenWithRedirect(appURL *url.URL, appInfo *AppInfo, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {
-	return getToken(appURL, appInfo, false, log)
+	return getToken(appURL, appInfo, false, autoClose, isFedramp, log)
 }
 // FetchToken will either load a stored token or generate a new one
 // it appends the host of the appURL as the redirect URL to the access cli request if opening the browser
-func FetchToken(appURL *url.URL, appInfo *AppInfo, log *zerolog.Logger) (string, error) {
+func FetchToken(appURL *url.URL, appInfo *AppInfo, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {
-	return getToken(appURL, appInfo, true, log)
+	return getToken(appURL, appInfo, true, autoClose, isFedramp, log)
 }
 // getToken will either load a stored token or generate a new one
-func getToken(appURL *url.URL, appInfo *AppInfo, useHostOnly bool, log *zerolog.Logger) (string, error) {
+func getToken(appURL *url.URL, appInfo *AppInfo, useHostOnly bool, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {
 	if token, err := GetAppTokenIfExists(appInfo); token != "" && err == nil {
 		return token, nil
 	}
@ -249,18 +249,18 @@ func getToken(appURL *url.URL, appInfo *AppInfo, useHostOnly bool, log *zerolog.
 			return appToken, nil
 		}
 	}
-	return getTokensFromEdge(appURL, appInfo.AppAUD, appTokenPath, orgTokenPath, useHostOnly, log)
+	return getTokensFromEdge(appURL, appInfo.AppAUD, appTokenPath, orgTokenPath, useHostOnly, autoClose, isFedramp, log)
 }
 // getTokensFromEdge will attempt to use the transfer service to retrieve an app and org token, save them to disk,
 // and return the app token.
-func getTokensFromEdge(appURL *url.URL, appAUD, appTokenPath, orgTokenPath string, useHostOnly bool, log *zerolog.Logger) (string, error) {
+func getTokensFromEdge(appURL *url.URL, appAUD, appTokenPath, orgTokenPath string, useHostOnly bool, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {
 	// If no org token exists or if it couldn't be exchanged for an app token, then run the transfer service flow.
 	// this weird parameter is the resource name (token) and the key/value
 	// we want to send to the transfer service. the key is token and the value
 	// is blank (basically just the id generated in the transfer service)
-	resourceData, err := RunTransfer(appURL, appAUD, keyName, keyName, "", true, useHostOnly, log)
+	resourceData, err := RunTransfer(appURL, appAUD, keyName, keyName, "", true, useHostOnly, autoClose, isFedramp, log)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to run transfer service")
 	}
--- a/token/transfer.go
+++ b/token/transfer.go
@ -16,6 +16,7 @@ import (
 const (
 	baseStoreURL  = "https://login.cloudflareaccess.org/"
 	fedStoreURL   = "https://login.fed.cloudflareaccess.org/"
 	clientTimeout = time.Second * 60
 )
@ -25,12 +26,12 @@ const (
 // The "dance" we refer to is building a HTTP request, opening that in a browser waiting for
 // the user to complete an action, while it long polls in the background waiting for an
 // action to be completed to download the resource.
-func RunTransfer(transferURL *url.URL, appAUD, resourceName, key, value string, shouldEncrypt bool, useHostOnly bool, log *zerolog.Logger) ([]byte, error) {
+func RunTransfer(transferURL *url.URL, appAUD, resourceName, key, value string, shouldEncrypt bool, useHostOnly bool, autoClose bool, fedramp bool, log *zerolog.Logger) ([]byte, error) {
 	encrypterClient, err := NewEncrypter("cloudflared_priv.pem", "cloudflared_pub.pem")
 	if err != nil {
 		return nil, err
 	}
-	requestURL, err := buildRequestURL(transferURL, appAUD, key, value+encrypterClient.PublicKey(), shouldEncrypt, useHostOnly)
+	requestURL, err := buildRequestURL(transferURL, appAUD, key, value+encrypterClient.PublicKey(), shouldEncrypt, useHostOnly, autoClose)
 	if err != nil {
 		return nil, err
 	}
@ -45,8 +46,14 @@ func RunTransfer(transferURL *url.URL, appAUD, resourceName, key, value string,
 	var resourceData []byte
 	storeURL := baseStoreURL
 	if fedramp {
 		storeURL = fedStoreURL
 	}
 	if shouldEncrypt {
-		buf, key, err := transferRequest(baseStoreURL+"transfer/"+encrypterClient.PublicKey(), log)
+		buf, key, err := transferRequest(storeURL+"transfer/"+encrypterClient.PublicKey(), log)
 		if err != nil {
 			return nil, err
 		}
@ -62,7 +69,7 @@ func RunTransfer(transferURL *url.URL, appAUD, resourceName, key, value string,
 		resourceData = decrypted
 	} else {
-		buf, _, err := transferRequest(baseStoreURL+encrypterClient.PublicKey(), log)
+		buf, _, err := transferRequest(storeURL+encrypterClient.PublicKey(), log)
 		if err != nil {
 			return nil, err
 		}
@ -75,7 +82,7 @@ func RunTransfer(transferURL *url.URL, appAUD, resourceName, key, value string,
 // BuildRequestURL creates a request suitable for a resource transfer.
 // it will return a constructed url based off the base url and query key/value provided.
 // cli will build a url for cli transfer request.
-func buildRequestURL(baseURL *url.URL, appAUD string, key, value string, cli, useHostOnly bool) (string, error) {
+func buildRequestURL(baseURL *url.URL, appAUD string, key, value string, cli, useHostOnly bool, autoClose bool) (string, error) {
 	q := baseURL.Query()
 	q.Set(key, value)
 	q.Set("aud", appAUD)
@ -90,6 +97,10 @@ func buildRequestURL(baseURL *url.URL, appAUD string, key, value string, cli, us
 	q.Set("redirect_url", baseURL.String()) // we add the token as a query param on both the redirect_url and the main url
 	q.Set("send_org_token", "true")         // indicates that the cli endpoint should return both the org and app token
 	q.Set("edge_token_transfer", "true")    // use new LoginHelper service built on workers
 	if autoClose {
 		q.Set("close_interstitial", "true") // Automatically close the success window.
 	}
 	baseURL.RawQuery = q.Encode() // and this actual baseURL.
 	baseURL.Path = "cdn-cgi/access/cli"
 	return baseURL.String(), nil
@ -127,7 +138,12 @@ func poll(client *http.Client, requestURL string, log *zerolog.Logger) ([]byte,
 	// ignore everything other than server errors as the resource
 	// may not exist until the user does the interaction
 	if resp.StatusCode >= 500 {
-		return nil, "", fmt.Errorf("error on request %d", resp.StatusCode)
+		buf := new(bytes.Buffer)
 		if _, err := io.Copy(buf, resp.Body); err != nil {
 			return nil, "", err
 		}
 		return nil, "", fmt.Errorf("error on request %d: %s", resp.StatusCode, buf.String())
 	}
 	if resp.StatusCode != 200 {
 		log.Info().Msg("Waiting for login...")
Author	SHA1	Message	Date
João "Pisco" Fernandes	31f45fb505	TUN-9800: Migrate apt internal builds to Gitlab	2025-11-10 14:43:10 +00:00
João "Pisco" Fernandes	17533b124c	Release 2025.11.1	2025-11-07 16:30:58 +00:00
João "Pisco" Fernandes	9ce16c5aac	TUN-9800: Fix docker hub push step	2025-11-07 15:26:22 +00:00
GoncaloGarcia	29e8d936f2	Release 2025.11.0	2025-11-07 08:15:20 +00:00
João "Pisco" Fernandes	4cfebb8319	TUN-9800: Prefix gitlab steps with operating system	2025-11-06 16:00:05 +00:00
Gonçalo Garcia	eedbcf46d4	TUN-9863: Introduce Code Signing for Windows Builds * TUN-9863: Introduce Code Signing for Windows Builds This commit adds a signing step to the build script for windows binaries. Since we package the MSI on Linux, this commit adds another CI step that depends on package-windows and signs all of the windows packages. To do so, we use azuresigntool which relies on a certificate stored in Azure Vault. Closes TUN-9863	2025-11-06 11:41:21 +00:00
João "Pisco" Fernandes	a8fdbb83d0	TUN-9800: Add pipelines for linux packaging	2025-11-05 10:45:04 +00:00
Gonçalo Garcia	70658b863b	chore: Update cloudflared signing key name in index.html * chore: Update cloudflared signing key name in index.html We want to preserve the old key name so that we don't have to update the dev docs. We will have the same key under this name and the v2 name to account for everyone who has already updated.	2025-11-04 16:59:30 +00:00
Chung-Ting	334300bae7	Chore: Update documentation links in README	2025-10-31 19:45:17 +00:00
Luis Neto	e9f0628555	chore: add claude review * chore: add claude review	2025-10-31 14:03:45 +00:00
João "Pisco" Fernandes	0caf31c543	Release 2025.10.1	2025-10-30 16:38:01 +00:00
GoncaloGarcia	4faa03dfed	TUN-9961: Add pkg.cloudflared.com index.html to git repo This makes it easier to track changes and allows us to update it in a gitlab pipeline if we choose to in the future	2025-10-30 16:37:33 +00:00
João "Pisco" Fernandes	58519d1268	chore: Update ci image to use goboring 1.24.9	2025-10-30 16:37:04 +00:00
chungthuang	1367b967b3	TUN-9849: Add cf-proxy-* to control response headers These headers will not be returned to the eyeball	2025-10-28 09:17:05 -05:00
Christopher Meng	114683f49e	Fix systemd service installation hanging * Fix systemd service installation hanging --- This kills the hanging when there is a network issue (port blocking or no Internet) and the installation cannot be completed with no error sent to the output. Before (killed manually since it hangs forever): ![499987567-de9003f9-4aaa-4667-9495-1d4b01069bed](/uploads/01063e6c2cf81fdd91ac8fbcd7f04a1b/499987567-de9003f9-4aaa-4667-9495-1d4b01069bed.png){width=817 height=69} After: ![499986549-f031035f-1633-46c0-a896-d9fd37054e83](/uploads/00c273f37d415617104b44736921b3d7/499986549-f031035f-1633-46c0-a896-d9fd37054e83.png){width=825 height=78} ---	2025-10-23 14:38:09 +00:00
João "Pisco" Fernandes	2b456b9a79	TUN-9954: Update from go1.24.6 to go1.24.9	2025-10-23 10:54:18 +01:00
Gonçalo Garcia	3a71c1bcd8	TUN-9941: Lookup correct key for RPM signature * TUN-9941: Lookup correct key for RPM signature Closes TUN-9941	2025-10-21 15:51:57 +00:00
Gonçalo Garcia	95642486c6	TUN-9941: Fix typo causing r2-release-next deployment to fail * TUN-9941: Fix typo causing r2-release-next deployment to fail Closes TUN-9941	2025-10-21 13:11:33 +00:00
Gonçalo Garcia	691550a6f2	TUN-9941: Use new GPG key for RPM builds * TUN-9941: Use new GPG key for RPM builds Closes TUN-9941	2025-10-21 09:57:22 +00:00
chungthuang	12c2a8e144	TUN-9916: Fix the cloudflared binary path used in the component test	2025-10-15 14:34:54 +00:00
Gonçalo Garcia	d943602d21	TUN-9919: Make RPM postinstall scriplet idempotent * TUN-9919: Make RPM postinstall scriplet idempotent Before this commit the postinstall scriptlet isn't idempotent, meaning the users see this error in their upgrade logs: `ln: failed to create symbolic link '/usr/local/bin/cloudflared': File exists warning: %post(cloudflared-2025.10.0-1.x86_64) scriptlet failed, exit status 1` This doesn't break the upgrade (which is why we haven't touched this in 5 years), but adding the -f (force) flag to the symlink command prevents this issue from happening Closes TUN-9919	2025-10-15 14:33:43 +00:00
Devin Carr	e10e072599	Release 2025.10.0	2025-10-14 09:16:36 -07:00
Gonçalo Garcia	686347cf91	chore: Fix upload of RPM repo file during double signing * chore: Fix upload of RPM repo file during double signing This commit fixes a variable that was supposed to hold the path of the repo file, but instead was being overwritten with the repo file handle	2025-10-14 09:12:54 +00:00
Devin Carr	f45b3a1baf	TUN-9882: Bump datagram v3 write channel capacity Bumping from 16 to 512 gives each flow a bit more buffer if the local OS is having trouble writing to the origin. Closes TUN-9882	2025-10-13 17:18:22 -07:00
Devin Carr	1ac6c45dad	TUN-9883: Add new datagram v3 feature flag After the previous rollout was reverted, the original `support_datagram_v3_1` is deprecated and replaced with `support_datagram_v3_2`. Closes TUN-9883	2025-10-10 13:55:31 -07:00
Gonçalo Garcia	d78e64c8cc	chore: Fix parameter order when uploading RPM .repo file to R2 * chore: Fix parameter order when uploading RPM .repo file to R2	2025-10-10 15:44:28 +00:00
Gonçalo Garcia	7987d01a6e	chore: Fix import of GPG keys when two keys are provided * chore: Fix import of GPG keys when two keys are provided We were only retrieving the first output of gpg.list keys because previously we were only running import_gpg_keys once. Now that we run it twice we need to ensure that the key we select from the list matches the one we've imported.	2025-10-10 07:58:55 +00:00
Gonçalo Garcia	e1dacbcea8	chore: Force usage of go-boring 1.24 * chore: Force usage of go-boring 1.24	2025-10-09 13:18:29 +00:00
Devin Carr	1cc15c6ffa	TUN-9882: Improve metrics for datagram v3 Adds new metrics for: - Dropped UDP datagrams for reads and write paths - Dropped ICMP packets for write paths - Failures that preemptively close UDP flows Closes TUN-9882	2025-10-08 12:17:23 -07:00
Devin Carr	51c5ef726c	TUN-9882: Add write deadline for UDP origin writes Add a deadline for origin writes as a preventative measure in the case that the kernel blocks any writes for too long. In the case that the socket exceeds the write deadline, the datagram will be dropped. Closes TUN-9882	2025-10-07 19:54:42 -07:00
Devin Carr	1fb466941a	TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3 Instead of creating a go routine to process each incoming datagram from the tunnel, a single consumer (the demuxer) will process each of the datagrams in serial. Registration datagrams will still be spun out into separate go routines since they are responsible for managing the lifetime of the session once started via the `Serve` method. UDP payload datagrams will be handled in separate channels to allow for parallel writing inside of the scope of a session via a new write loop. This channel will have a small buffer to help unblock the demuxer from dequeueing other datagrams. ICMP datagrams will be funneled into a single channel across all possible origins with a single consumer to write to their respective destinations. Each of these changes is to prevent datagram reordering from occurring when dequeuing from the tunnel connection. By establishing a single demuxer that serializes the writes per session, each session will be able to write sequentially, but in parallel to their respective origins. Closes TUN-9882	2025-10-07 16:14:01 -07:00
João Oliveirinha	fff1fc7390	GRC-16749: Add fedramp tags to catalog * GRC-16749: Add fedramp tags to catalog	2025-10-07 11:27:41 +00:00
Gonçalo Garcia	9551f2a381	TUN-9776: Support signing Debian packages with two keys for rollover * TUN-9776: Support signing Debian packages with two keys for rollover Debian Trixie doesn't support the SHA-1 algo for GPG keys. This commit leverages the ability of providing two keys in the reprepro configuration in order to have two signatures in InRelease and Release.gpg files. This allows users that have the old key to continue fetching the binaries with the old key while allowing us to provide a new key that can be used in Trixie. Unfortunately current versions of RPM (since 2002) don't support double signing, so we can't apply the same logic for RPM Closes TUN-9776	2025-09-29 14:48:12 +00:00
João "Pisco" Fernandes	71448c1f7f	TUN-9800: Add pipeline to sync between gitlab and github repos	2025-09-22 16:34:33 +01:00
João "Pisco" Fernandes	80b1634515	Release 2025.9.1	2025-09-22 13:02:11 +01:00
João "Pisco" Fernandes	4ac0c1f2d7	TUN-9852: Remove fmt.Println from cloudflared access command	2025-09-22 12:01:48 +01:00
João "Pisco" Fernandes	4dafc15f22	TUN-9855: Create script to ignore vulnerabilities from govuln check	2025-09-22 12:01:38 +01:00
João "Pisco" Fernandes	92ef55650f	Release 2025.9.0	2025-09-17 17:29:52 +01:00
Gonçalo Garcia	9e94122d2b	TUN-9820: Add support for FedRAMP in originRequest Access config * TUN-9820: Add support for FedRAMP in originRequest Access config Closes TUN-9820	2025-09-15 11:11:23 +00:00
João "Pisco" Fernandes	173396be90	TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI ## Summary This commit migrates the cloduflared ci pipelines, that built, tested and component tested the linux binaries to gitlab ci. The only thing that is remaining to move from teamcity to gitlab are now the release pipelines that run on master. Relates to TUN-9800	2025-09-11 11:33:24 +01:00
João "Pisco" Fernandes	d9e13ab2ab	TUN-9803: Add windows builds to gitlab-ci	2025-09-10 11:23:41 +01:00
Gonçalo Garcia	9e6d58aaea	TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token * TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token Closes TUN-9755	2025-08-27 15:57:58 +00:00
João "Pisco" Fernandes	f9c2bd51ae	Release 2025.8.1	2025-08-21 10:53:31 +01:00
Devin Carr	41dffd7f3c	CUSTESC-53681: Correct QUIC connection management for datagram handlers Corrects the pattern of using errgroup's and context cancellation to simplify the logic for canceling extra routines for the QUIC connection. This is because the extra context cancellation is redundant with the fact that the errgroup also cancels it's own provided context when a routine returns (error or not). For the datagram handler specifically, since it can respond faster to a context cancellation from the QUIC connection, we wrap the error before surfacing it outside of the QUIC connection scope to the supervisor. Additionally, the supervisor will look for this error type to check if it should retry the QUIC connection. These two operations are required because the supervisor does not look for a context canceled error when deciding to retry a connection. If a context canceled from the datagram handler were to be returned up to the supervisor on the initial connection, the cloudflared application would exit. We want to ensure that cloudflared maintains connection attempts even if any of the services on-top of a QUIC connection fail (datagram handler in this case). Additional logging is also introduced along these paths to help with understanding the error conditions from the specific handlers on-top of a QUIC connection. Related CUSTESC-53681 Closes TUN-9610	2025-08-19 16:10:00 -07:00
Kyle Hiller	8825ceecb5	AUTH-7480 update fed callback url for login helper * AUTH-7480 update fed callback url for login helper	2025-08-19 18:54:31 +00:00
Kevin Marshall	50104548cf	AUTH-7260: Add support for login interstitial auto closure Adds a switch `--auto-close` which automatically closes Access login interstitial windows/tabs immediately after the user chooses Approve or Deny.	2025-08-12 20:41:12 +00:00